From b369ecf99ff2ff1e70265f54b170c209baf06b4c Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Feb 26 2010 20:15:46 +0000 Subject: - Add MLS fixes found in RHEL6 testing - Allow domains to append to rpm_tmp_t - Add cachefilesfd policy - Dontaudit leaks when transitioning --- diff --git a/modules-minimum.conf b/modules-minimum.conf index fa24579..3197745 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -32,6 +32,13 @@ alsa = base # ada = module +# Layer: services +# Module: cachefilesd +# +# CacheFiles userspace management daemon +# +cachefilesd = module + # Layer: apps # Module: cpufreqselector # diff --git a/modules-mls.conf b/modules-mls.conf index bb5cb43..be8b528 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -33,11 +33,11 @@ alsa = base ada = module # Layer: services -# Module: cgroup +# Module: cachefilesd # -# Tools and libraries to control and monitor control groups +# CacheFiles userspace management daemon # -cgroup = module +cachefilesd = module # Layer: apps # Module: cpufreqselector @@ -46,6 +46,13 @@ cgroup = module # cpufreqselector = module +# Layer: apps +# Module: chrome +# +# chrome sandbox +# +chrome = module + # Layer: modules # Module: awstats # @@ -219,13 +226,20 @@ certwatch = module certmaster = module # Layer: services +# Module: certmonger +# +# Certificate status monitor and PKI enrollment client +# +certmonger = module + +# Layer: services # Module: chronyd # # Daemon for maintaining clock time # chronyd = module -# Layer: services +q# Layer: services # Module: cipe # # Encrypted tunnel daemon @@ -433,12 +447,26 @@ domain = base # dovecot = module +# Layer: services +# Module: git +# +# Policy for the stupid content tracker +# +git = module + +# Layer: apps +# Module: gitosis +# +# Policy for gitosis +# +gitosis = module + # Layer: apps # Module: gpg # # Policy for GNU Privacy Guard and related programs. # -gpg = off +gpg = module # Layer: services # Module: gpsd 
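Review bot: The cgroup entry vanishes from modules-mls.conf in the `@@ -33,11 +33,11 @@` hunk, where the `# Module: cgroup` block and `cgroup = module` are overwritten by the cachefilesd block instead of being preceded by it, while the same change to modules-minimum.conf and modules-targeted.conf adds `cachefilesd = module` and keeps its neighbours. If dropping cgroup from the MLS build is intended, the commit message should say so; otherwise insert the cachefilesd block above the cgroup block and restore `cgroup = module`.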
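Review bot: A stray character has crept into the comment line `+q# Layer: services` above `# Module: cipe` in the `@@ -219,13 +226,20 @@` hunk of modules-mls.conf; the line it replaces was `# Layer: services`. Since the new line no longer starts with `#` it is not a comment any more and may be rejected or misread by whatever parses this file; restore `# Layer: services`.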
@@ -507,6 +535,20 @@ finger = module # firstboot = base +# Layer: apps +# Module: firewallgui +# +# policy for system-config-firewall +# +firewallgui = module + +# Layer: services +# Module: fprintd +# +# finger print server +# +fprintd = module + # Layer: system # Module: fstools # @@ -557,11 +599,11 @@ gnomeclock = module hal = module # Layer: services -# Module: plymouthd +# Module: plymouth # # Plymouth # -plymouthd = module +plymouth = module # Layer: services # Module: policykit @@ -570,6 +612,13 @@ plymouthd = module # policykit = module +# Layer: apps +# Module: ptchown +# +# helper function for grantpt(3), changes ownship and permissions of pseudotty +# +ptchown = module + # Layer: services # Module: psad # @@ -802,7 +851,7 @@ lvm = base # Layer: admin # Module: mcelog # -# Policy for mcelog. +# mcelog is a daemon that collects and decodes Machine Check Exception data on x86-64 machines. # mcelog = base @@ -871,6 +920,20 @@ mount = base # mozilla = module +# Layer: services +# Module: ntop +# +# Policy for ntop +# +ntop = module + +# Layer: services +# Module: nslcd +# +# Policy for nslcd +# +nslcd = module + # Layer: apps # Module: nsplugin # @@ -1143,6 +1206,13 @@ razor = module readahead = base # Layer: services +# Module: rgmanager +# +# Red Hat Resource Group Manager +# +rgmanager = module + +# Layer: services # Module: rhgb # # X windows login display manager @@ -1214,6 +1284,13 @@ rshd = module rsync = module # Layer: services +# Module: rtkit +# +# Real Time Kit Daemon +# +rtkit = module + +# Layer: services # Module: rwho # # who is logged in on local machines @@ -1234,6 +1311,13 @@ sasl = module # sendmail = base +# Layer: apps +# Module: seunshare +# +# seunshare executable +# +seunshare = module + # Layer: services # Module: samba # 
@@ -1244,6 +1328,13 @@ sendmail = base samba = module # Layer: apps +# Module: sandbox +# +# Experimental policy for running apps within a sandbox +# +sandbox = module + +# Layer: apps # Module: sambagui # # policy for system-config-samba @@ -1527,6 +1618,13 @@ timidity = off tftp = module # Layer: services +# Module: tuned +# +# Dynamic adaptive system tuning daemon +# +tuned = module + +# Layer: services # Module: uucp # # Unix to Unix Copy diff --git a/modules-targeted.conf b/modules-targeted.conf index fa24579..3197745 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -32,6 +32,13 @@ alsa = base # ada = module +# Layer: services +# Module: cachefilesd +# +# CacheFiles userspace management daemon +# +cachefilesd = module + # Layer: apps # Module: cpufreqselector # diff --git a/policy-F13.patch b/policy-F13.patch index ad7575f..73f0c15 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -744,7 +744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.10/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/rpm.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/admin/rpm.if 2010-02-26 09:12:28.000000000 -0500 @@ -13,11 +13,36 @@ interface(`rpm_domtrans',` gen_require(` @@ -930,7 +930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ## Inherit and use file descriptors from RPM scripts. ## ## -@@ -219,7 +364,51 @@ +@@ -219,7 +364,71 @@ ') files_search_tmp($1) 
@@ -939,6 +939,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) +') + ++##################################### ++## ++## Allow the specified domain to append ++## to rpm tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_append_tmp',` ++ gen_require(` ++ type rpm_tmp_t; ++ ') ++ ++ files_search_tmps($1) ++ append_files_pattern($1, rpm_tmp_t, rpm_tmp_t) ++') ++ +######################################## +## +## Create, read, write, and delete RPM @@ -982,7 +1002,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ') ######################################## -@@ -241,6 +430,25 @@ +@@ -241,6 +450,25 @@ allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -1008,7 +1028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ') ######################################## -@@ -265,6 +473,48 @@ +@@ -265,6 +493,48 @@ ######################################## ## @@ -1057,7 +1077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ## Do not audit attempts to create, read, ## write, and delete the RPM package database. ## -@@ -283,3 +533,120 @@ +@@ -283,3 +553,120 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') @@ -1169,7 +1189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if +## +## +# -+interface(`rpm_inerited_fifo',` ++interface(`rpm_inherited_fifo',` + gen_require(` + attribute rpm_transition_domain; + ') 
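Review bot: `files_search_tmps($1)` in the new `rpm_append_tmp` interface looks like a typo for `files_search_tmp($1)`, which is the form the neighbouring interface uses (its `files_search_tmp($1)` line is visible as context at the end of the preceding `@@ -219,7 +364,71 @@` hunk). An unknown interface name is left unexpanded by m4 and breaks the policy build, and this interface is called with the `domain` attribute later in the patch, so the failure would land in the base module. Change the line to `files_search_tmp($1)`.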
@@ -1180,19 +1200,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.10/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/rpm.te 2010-02-23 15:54:38.000000000 -0500 -@@ -14,6 +14,10 @@ - domain_system_change_exemption(rpm_t) - domain_interactive_fd(rpm_t) - role system_r types rpm_t; ++++ serefpolicy-3.7.10/policy/modules/admin/rpm.te 2010-02-26 09:13:01.000000000 -0500 +@@ -1,6 +1,8 @@ + + policy_module(rpm, 1.10.0) + +attribute rpm_transition_domain; + + ######################################## + # + # Declarations +@@ -15,6 +17,9 @@ + domain_interactive_fd(rpm_t) + role system_r types rpm_t; + +type debuginfo_exec_t; +domain_entry_file(rpm_t, debuginfo_exec_t) - ++ type rpm_file_t; files_type(rpm_file_t) -@@ -31,11 +35,18 @@ + +@@ -31,11 +36,18 @@ files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; @@ -1211,7 +1239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te domain_type(rpm_script_t) domain_entry_file(rpm_t, rpm_script_exec_t) domain_interactive_fd(rpm_script_t) -@@ -52,8 +63,9 @@ +@@ -52,8 +64,9 @@ # rpm Local policy # @@ -1223,7 +1251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te allow rpm_t self:process { getattr setexec setfscreate setrlimit }; allow rpm_t self:fd use; allow rpm_t self:fifo_file rw_fifo_file_perms; -@@ -68,6 +80,8 @@ +@@ -68,6 +81,8 @@ allow rpm_t self:sem create_sem_perms; allow rpm_t self:msgq create_msgq_perms; allow rpm_t self:msg { send receive }; 
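Review bot: The new `attribute rpm_transition_domain;` in rpm.te is placed directly after `policy_module(rpm, 1.10.0)`, ahead of the `# Declarations` banner, so it sits outside the section the file reserves for declarations. Moving it below the banner next to the `type` declarations keeps the file's layout consistent. The `policy_module` version is left at `1.10.0` although the module gains a new attribute and a new public interface (`rpm_append_tmp`); refpolicy modules usually bump the version when the interface set changes.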
@@ -1232,7 +1260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te allow rpm_t rpm_log_t:file manage_file_perms; logging_log_filetrans(rpm_t, rpm_log_t, file) -@@ -83,12 +97,21 @@ +@@ -83,12 +98,21 @@ manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) @@ -1254,7 +1282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te corecmd_exec_all_executables(rpm_t) -@@ -108,12 +131,15 @@ +@@ -108,12 +132,15 @@ dev_list_sysfs(rpm_t) dev_list_usbfs(rpm_t) dev_read_urand(rpm_t) @@ -1271,7 +1299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te fs_search_auto_mountpoints(rpm_t) mls_file_read_all_levels(rpm_t) -@@ -132,6 +158,8 @@ +@@ -132,6 +159,8 @@ # for installing kernel packages storage_raw_read_fixed_disk(rpm_t) @@ -1280,7 +1308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te auth_relabel_all_files_except_shadow(rpm_t) auth_manage_all_files_except_shadow(rpm_t) auth_dontaudit_read_shadow(rpm_t) -@@ -155,6 +183,7 @@ +@@ -155,6 +184,7 @@ files_exec_etc_files(rpm_t) init_domtrans_script(rpm_t) @@ -1288,7 +1316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) -@@ -174,7 +203,19 @@ +@@ -174,7 +204,19 @@ ') optional_policy(` @@ -1309,7 +1337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te ') optional_policy(` -@@ -182,36 +223,19 @@ +@@ -182,36 +224,19 @@ ') optional_policy(` 
@@ -1350,7 +1378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; allow rpm_script_t self:unix_dgram_socket create_socket_perms; -@@ -222,12 +246,15 @@ +@@ -222,12 +247,15 @@ allow rpm_script_t self:sem create_sem_perms; allow rpm_script_t self:msgq create_msgq_perms; allow rpm_script_t self:msg { send receive }; @@ -1366,7 +1394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -@@ -239,6 +266,9 @@ +@@ -239,6 +267,9 @@ kernel_read_kernel_sysctls(rpm_script_t) kernel_read_system_state(rpm_script_t) @@ -1376,7 +1404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te dev_list_sysfs(rpm_script_t) -@@ -254,7 +284,9 @@ +@@ -254,7 +285,9 @@ fs_getattr_xattr_fs(rpm_script_t) fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) @@ -1386,7 +1414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te mcs_killall(rpm_script_t) mcs_ptrace_all(rpm_script_t) -@@ -272,14 +304,19 @@ +@@ -272,14 +305,19 @@ storage_raw_read_fixed_disk(rpm_script_t) storage_raw_write_fixed_disk(rpm_script_t) @@ -1406,7 +1434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) -@@ -291,8 +328,10 @@ +@@ -291,8 +329,10 @@ files_exec_etc_files(rpm_script_t) files_read_etc_runtime_files(rpm_script_t) files_exec_usr_files(rpm_script_t) 
@@ -1417,7 +1445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te libs_exec_ld_so(rpm_script_t) libs_exec_lib_files(rpm_script_t) -@@ -308,12 +347,15 @@ +@@ -308,12 +348,15 @@ seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) @@ -1433,7 +1461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te ') ') -@@ -326,13 +368,22 @@ +@@ -326,13 +369,22 @@ ') optional_policy(` @@ -1584,8 +1612,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltcl +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.10/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/sudo.if 2010-02-23 15:54:38.000000000 -0500 -@@ -78,7 +78,7 @@ ++++ serefpolicy-3.7.10/policy/modules/admin/sudo.if 2010-02-26 14:44:57.000000000 -0500 +@@ -73,12 +73,16 @@ + # Enter this derived domain from the user domain + domtrans_pattern($3, sudo_exec_t, $1_sudo_t) + ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit $1_sudo_t $3:socket_class_set { read write }; ++ ') ++ + # By default, revert to the calling domain when a shell is executed. + corecmd_shell_domtrans($1_sudo_t, $3) corecmd_bin_domtrans($1_sudo_t, $3) allow $3 $1_sudo_t:fd use; allow $3 $1_sudo_t:fifo_file rw_file_perms; @@ -1594,7 +1631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if kernel_read_kernel_sysctls($1_sudo_t) kernel_read_system_state($1_sudo_t) -@@ -135,6 +135,9 @@ +@@ -135,6 +139,9 @@ userdom_use_user_terminals($1_sudo_t) # for some PAM modules and for cwd userdom_dontaudit_search_user_home_content($1_sudo_t) 
@@ -1604,6 +1641,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_sudo_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.7.10/policy/modules/admin/su.if +--- nsaserefpolicy/policy/modules/admin/su.if 2010-02-12 10:33:09.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/admin/su.if 2010-02-26 14:44:23.000000000 -0500 +@@ -58,6 +58,10 @@ + allow $2 $1_su_t:fifo_file rw_file_perms; + allow $2 $1_su_t:process sigchld; + ++ifdef(`hide_broken_symptoms', ` ++ dontaudit $1_su_t $2:socket_class_set { read write }; ++') ++ + kernel_read_system_state($1_su_t) + kernel_read_kernel_sysctls($1_su_t) + kernel_search_key($1_su_t) +@@ -183,6 +187,10 @@ + + # Transition from the user domain to this domain. + domtrans_pattern($3, su_exec_t, $1_su_t) ++ifdef(`hide_broken_symptoms', ` ++ dontaudit $1_su_t $3:socket_class_set { read write }; ++') ++ + + ps_process_pattern($3, $1_su_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.10/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.7.10/policy/modules/admin/tmpreaper.te 2010-02-24 17:01:02.000000000 -0500 
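Review bot: The `ifdef(`hide_broken_symptoms', `` blocks added to su.if start at column 0 inside the interface body, while the surrounding rules and the equivalent block added to sudo.if in the previous hunk are indented one tab; the same column-0 placement recurs in the usermanage.if hunks that follow (chfn, groupadd, useradd). The second su.if hunk also adds a `+` blank line directly before an existing blank line, leaving two empty lines before `ps_process_pattern($3, $1_su_t)`. Indent the three lines to match the body and drop the extra blank.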
@@ -1647,8 +1709,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.10/policy/modules/admin/usermanage.if --- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/usermanage.if 2010-02-23 15:54:38.000000000 -0500 -@@ -113,6 +113,10 @@ ++++ serefpolicy-3.7.10/policy/modules/admin/usermanage.if 2010-02-26 14:43:39.000000000 -0500 +@@ -18,6 +18,10 @@ + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, chfn_exec_t, chfn_t) ++ ++ifdef(`hide_broken_symptoms', ` ++ dontaudit chfn_t $1:socket_class_set { read write }; ++') + ') + + ######################################## +@@ -63,6 +67,10 @@ + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, groupadd_exec_t, groupadd_t) ++ ++ifdef(`hide_broken_symptoms', ` ++ dontaudit groupadd_t $1:socket_class_set { read write }; ++') + ') + + ######################################## +@@ -113,6 +121,10 @@ files_search_usr($1) corecmd_search_bin($1) domtrans_pattern($1, passwd_exec_t, passwd_t) @@ -1659,7 +1743,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman ') ######################################## -@@ -274,6 +278,11 @@ +@@ -247,6 +259,9 @@ + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, useradd_exec_t, useradd_t) ++ifdef(`hide_broken_symptoms', ` ++ dontaudit useradd_t $1:socket_class_set { read write }; ++') + ') + + ######################################## +@@ -274,6 +289,11 @@ usermanage_domtrans_useradd($1) role $2 types useradd_t; 
@@ -1744,8 +1838,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.10/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/vbetool.te 2010-02-23 15:54:38.000000000 -0500 -@@ -25,7 +25,10 @@ ++++ serefpolicy-3.7.10/policy/modules/admin/vbetool.te 2010-02-25 18:25:39.000000000 -0500 +@@ -25,7 +25,13 @@ dev_rw_xserver_misc(vbetool_t) dev_rw_mtrr(vbetool_t) @@ -1753,6 +1847,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool +tunable_policy(`mmap_low_allowed',` domain_mmap_low(vbetool_t) +') ++ ++mls_file_read_all_levels(vbetool_t) ++mls_file_write_all_levels(vbetool_t) term_use_unallocated_ttys(vbetool_t) @@ -1795,8 +1892,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.f +/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.10/policy/modules/apps/chrome.if --- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/chrome.if 2010-02-23 15:54:38.000000000 -0500 -@@ -0,0 +1,86 @@ ++++ serefpolicy-3.7.10/policy/modules/apps/chrome.if 2010-02-26 14:30:20.000000000 -0500 +@@ -0,0 +1,90 @@ + +## policy for chrome + @@ -1817,6 +1914,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i + + domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t) + ps_process_pattern(chrome_sandbox_t, $1) ++ifdef(`hide_broken_symptoms', ` ++ dontaudit chrome_sandbox_t $1:socket_class_set { read write }; ++ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t) ++') +') + + 
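Review bot: `mls_file_read_all_levels(vbetool_t)` and `mls_file_write_all_levels(vbetool_t)` in the `@@ -1753,6 +1847,9 @@` hunk exempt vbetool from the MLS file constraints at every level, a broad override for a domain whose visible rules otherwise touch only device nodes, low memory and ttys, and the hunk gives no reason for it. A short comment stating which denial from the RHEL6 MLS testing named in the commit message motivated it would let a later reviewer judge whether the write side is needed, e.g. `# RHEL6 MLS testing: <denial seen, placeholder> - vbetool must access files at all levels`. If only reads were denied, dropping the write rule keeps the MLS write constraints intact.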
@@ -1885,7 +1986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.10/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/chrome.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/apps/chrome.te 2010-02-26 10:42:14.000000000 -0500 @@ -0,0 +1,82 @@ +policy_module(chrome,1.0.0) + @@ -2743,6 +2844,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.10/policy/modules/apps/gpg.if +--- nsaserefpolicy/policy/modules/apps/gpg.if 2009-09-09 09:23:16.000000000 -0400 ++++ serefpolicy-3.7.10/policy/modules/apps/gpg.if 2010-02-26 14:31:45.000000000 -0500 +@@ -52,11 +52,8 @@ + + ifdef(`hide_broken_symptoms',` + #Leaked File Descriptors ++ dontaudit gpg_t $1:socket_class_set { read write }; + dontaudit gpg_t $2:fifo_file rw_fifo_file_perms; +- dontaudit gpg_t $2:tcp_socket rw_socket_perms; +- dontaudit gpg_t $2:udp_socket rw_socket_perms; +- dontaudit gpg_t $2:unix_stream_socket rw_socket_perms; +- dontaudit gpg_t $2:unix_dgram_socket rw_socket_perms; + ') + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.10/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2009-12-04 09:43:33.000000000 -0500 +++ serefpolicy-3.7.10/policy/modules/apps/gpg.te 2010-02-23 15:54:38.000000000 -0500 
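Review bot: The replacement rule `dontaudit gpg_t $1:socket_class_set { read write };` in gpg.if names `$1`, while the four rules it replaces and the `$2:fifo_file` rule kept beside it all name `$2`. In the visible lines `$2` is the parameter used as the caller's domain, so unless `$1` is also a domain in this interface (the interface header is outside the hunk; the sibling rules suggest `$1` is a role) the new rule either fails to build or silences the wrong subject; `dontaudit gpg_t $2:socket_class_set { read write };` matches its siblings. Note that `socket_class_set` covers more classes than the four removed, which is fine under `hide_broken_symptoms` but is a widening rather than a pure cleanup.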
@@ -3031,6 +3148,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.t + +seutil_domtrans_setfiles_mac(livecd_t) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.7.10/policy/modules/apps/loadkeys.if +--- nsaserefpolicy/policy/modules/apps/loadkeys.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.10/policy/modules/apps/loadkeys.if 2010-02-26 14:41:38.000000000 -0500 +@@ -17,6 +17,9 @@ + + corecmd_search_bin($1) + domtrans_pattern($1, loadkeys_exec_t, loadkeys_t) ++ifdef(`hide_broken_symptoms', ` ++ dontaudit loadkeys_t $1:socket_class_set { read write }; ++') + ') + + ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.10/policy/modules/apps/loadkeys.te --- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.7.10/policy/modules/apps/loadkeys.te 2010-02-23 15:54:38.000000000 -0500 @@ -3207,8 +3337,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.10/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/nsplugin.if 2010-02-23 15:54:38.000000000 -0500 -@@ -0,0 +1,358 @@ ++++ serefpolicy-3.7.10/policy/modules/apps/nsplugin.if 2010-02-26 14:31:12.000000000 -0500 +@@ -0,0 +1,363 @@ + +## policy for nsplugin + 
@@ -3376,6 +3506,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + + domtrans_pattern($2, nsplugin_exec_t, nsplugin_t) + domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t) ++ ++ifdef(`hide_broken_symptoms', ` ++ dontaudit nsplugin_t $1:socket_class_set { read write }; ++ dontaudit nsplugin_config_t $1:socket_class_set { read write }; ++') +') + +####################################### @@ -4161,8 +4296,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.10/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/pulseaudio.te 2010-02-23 15:54:38.000000000 -0500 -@@ -11,6 +11,15 @@ ++++ serefpolicy-3.7.10/policy/modules/apps/pulseaudio.te 2010-02-26 11:04:50.000000000 -0500 +@@ -8,9 +8,19 @@ + + type pulseaudio_t; + type pulseaudio_exec_t; ++init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) application_domain(pulseaudio_t, pulseaudio_exec_t) role system_r types pulseaudio_t; @@ -4178,7 +4317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud ######################################## # # pulseaudio local policy -@@ -18,7 +27,7 @@ +@@ -18,7 +28,7 @@ allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull }; allow pulseaudio_t self:fifo_file rw_file_perms; @@ -4187,7 +4326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms }; allow pulseaudio_t self:tcp_socket create_stream_socket_perms; allow pulseaudio_t self:udp_socket create_socket_perms; -@@ -26,6 +35,7 @@ +@@ -26,6 +36,7 @@ can_exec(pulseaudio_t, pulseaudio_exec_t) 
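Review bot: pulseaudio_t is now declared with both `init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)` and `application_domain(pulseaudio_t, pulseaudio_exec_t)`, so the same type is set up as an init-started system daemon and as a user application, and the hunk does not say which deployment needs the daemon side. A one-line comment above the new call would record the intent, e.g. `# pulseaudio is also started from init as a system-wide daemon - TODO note which setup requires this`. It is worth confirming that the init entry point does not hand the per-user instance access it did not have before, since both declarations apply to one type.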
@@ -4195,7 +4334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud kernel_read_system_state(pulseaudio_t) kernel_read_kernel_sysctls(pulseaudio_t) -@@ -66,11 +76,17 @@ +@@ -66,11 +77,17 @@ bluetooth_stream_connect(pulseaudio_t) ') @@ -4216,7 +4355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud dbus_system_bus_client(pulseaudio_t) dbus_session_bus_client(pulseaudio_t) dbus_connect_session_bus(pulseaudio_t) -@@ -93,6 +109,10 @@ +@@ -93,6 +110,10 @@ ') optional_policy(` @@ -4227,7 +4366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud policykit_domtrans_auth(pulseaudio_t) policykit_read_lib(pulseaudio_t) policykit_read_reload(pulseaudio_t) -@@ -103,6 +123,9 @@ +@@ -103,6 +124,9 @@ ') optional_policy(` @@ -4330,7 +4469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.10/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/qemu.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/apps/qemu.te 2010-02-26 10:43:41.000000000 -0500 @@ -50,6 +50,8 @@ # # qemu local policy @@ -4351,11 +4490,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te ######################################## # # Unconfined qemu local policy -@@ -110,6 +116,8 @@ +@@ -110,6 +116,9 @@ typealias unconfined_qemu_t alias qemu_unconfined_t; application_type(unconfined_qemu_t) unconfined_domain_noaudit(unconfined_qemu_t) + userdom_manage_tmpfs_role(unconfined_r, unconfined_qemu_t) ++ userdom_unpriv_usertype(unconfined, unconfined_qemu_t) allow unconfined_qemu_t self:process { execstack execmem }; + allow unconfined_qemu_t qemu_exec_t:file execmod; 
@@ -5079,7 +5219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i fs_cifs_domtrans($1_screen_t, $3) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.10/policy/modules/apps/seunshare.if --- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/seunshare.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/apps/seunshare.if 2010-02-26 14:42:02.000000000 -0500 @@ -2,59 +2,14 @@ ######################################## @@ -5144,7 +5284,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar ## ## ## Role allowed access. -@@ -66,15 +21,28 @@ +@@ -66,15 +21,26 @@ ## ## # @@ -5174,9 +5314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar + dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh }; + + ifdef(`hide_broken_symptoms', ` -+ dontaudit $1_seunshare_t $3:tcp_socket rw_socket_perms; -+ dontaudit $1_seunshare_t $3:udp_socket rw_socket_perms; -+ dontaudit $1_seunshare_t $3:unix_stream_socket rw_socket_perms; ++ dontaudit $1_seunshare_t $3:socket_class_set { read write }; + ') ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.10/policy/modules/apps/seunshare.te @@ -5383,7 +5521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.10/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/kernel/corecommands.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/kernel/corecommands.fc 2010-02-26 11:12:57.000000000 -0500 
@@ -44,15 +44,17 @@ /etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0) /etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0) @@ -5424,7 +5562,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /usr # -@@ -214,6 +220,7 @@ +@@ -158,6 +164,7 @@ + /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) + ++/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +@@ -214,6 +221,7 @@ /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) @@ -5432,7 +5578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) -@@ -228,12 +235,15 @@ +@@ -228,12 +236,15 @@ /usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -5448,7 +5594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) -@@ -323,3 +333,21 @@ +@@ -323,3 +334,21 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
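Review bot: The new `/usr/lib/fence(/.*)?` entry in corecommands.fc is inserted above `/usr/lib/ccache/bin(/.*)?`, breaking the alphabetical order the surrounding `/usr/lib/...` entries follow (ccache, pgsql, qt); place it between the ccache and pgsql lines. Unlike the `lib(64)?` patterns elsewhere in this file it matches only `/usr/lib`; whether the fence agents also live under `/usr/lib64` on 64-bit hosts is worth checking against the package file list, in which case `/usr/lib(64)?/fence(/.*)?` is the intended pattern.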
@@ -6077,7 +6223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.10/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/kernel/domain.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/kernel/domain.if 2010-02-25 16:40:56.000000000 -0500 @@ -44,34 +44,6 @@ interface(`domain_type',` # start with basic domain @@ -6124,10 +6270,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain ') ######################################## -@@ -791,6 +759,24 @@ +@@ -791,6 +759,42 @@ ######################################## ## ++## Get the process group ID of all domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`domain_getpgid_all_domains',` ++ gen_require(` ++ attribute domain; ++ ') ++ ++ allow $1 domain:process getpgid; ++') ++ ++######################################## ++## +## Get the scheduler information of all domains. +## +## @@ -6149,7 +6313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain ## Do not audit attempts to get the ## session ID of all domains. ## -@@ -1039,6 +1025,54 @@ +@@ -1039,6 +1043,54 @@ ######################################## ## @@ -6204,7 +6368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain ## Do not audit attempts to get the attributes ## of all domains unnamed pipes. ## -@@ -1248,18 +1282,34 @@ +@@ -1248,18 +1300,34 @@ ## ## # @@ -6242,7 +6406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain ## Allow specified type to receive labeled ## networking packets from all domains, over ## all protocols (TCP, UDP, etc) -@@ -1280,6 +1330,24 @@ +@@ -1280,6 +1348,24 @@ ######################################## ## 
@@ -6267,7 +6431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain ## Unconfined access to domains. ## ## -@@ -1304,3 +1372,39 @@ +@@ -1304,3 +1390,39 @@ typeattribute $1 process_uncond_exempt; ') @@ -6309,7 +6473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.10/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/kernel/domain.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/kernel/domain.te 2010-02-26 09:13:18.000000000 -0500 @@ -5,6 +5,21 @@ # # Declarations @@ -6401,7 +6565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -153,3 +186,74 @@ +@@ -153,3 +186,75 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -6435,9 +6599,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +optional_policy(` + rpm_use_fds(domain) + rpm_read_pipes(domain) ++ rpm_append_tmp(domain) + rpm_dontaudit_leaks(domain) + rpm_read_script_tmp_files(domain) -+ rpm_inerited_fifo(domain) ++ rpm_inherited_fifo(domain) +') + + 
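Review bot: `rpm_append_tmp(domain)` in the optional_policy block at the end of domain.te grants append on rpm's temporary files to the `domain` attribute, i.e. to every process type in the policy, and the line carries no rationale. Because the grant is global, it deserves a comment naming what relies on it, e.g. `# children of rpm scriptlets inherit an append-mode fd on rpm_tmp_t, so every domain they may spawn needs append` — that reading is inferred from the neighbouring `rpm_use_fds`/`rpm_inherited_fifo` calls, not from anything visible here, so confirm it. The `rpm_append_tmp` interface itself is not in this hunk, and the `rpm_inerited_fifo` → `rpm_inherited_fifo` rename likewise assumes rpm.if carries the corrected name; both should be checked in the same series.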
@@ -8031,7 +8196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.10/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/kernel/terminal.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/kernel/terminal.if 2010-02-25 17:44:00.000000000 -0500 @@ -292,9 +292,11 @@ interface(`term_dontaudit_use_console',` gen_require(` @@ -8044,6 +8209,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin ') ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.7.10/policy/modules/roles/auditadm.te +--- nsaserefpolicy/policy/modules/roles/auditadm.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.7.10/policy/modules/roles/auditadm.te 2010-02-26 09:06:07.000000000 -0500 +@@ -33,6 +33,8 @@ + seutil_run_runinit(auditadm_t, auditadm_r) + seutil_read_bin_policy(auditadm_t) + ++userdom_dontaudit_search_admin_dir(auditadm_t) ++ + optional_policy(` + consoletype_exec(auditadm_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/dbadm.if serefpolicy-3.7.10/policy/modules/roles/dbadm.if --- nsaserefpolicy/policy/modules/roles/dbadm.if 2010-02-12 10:33:09.000000000 -0500 +++ serefpolicy-3.7.10/policy/modules/roles/dbadm.if 2010-02-23 15:54:38.000000000 -0500 
@@ -8254,7 +8431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.10/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-02-17 10:37:39.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/roles/sysadm.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/roles/sysadm.te 2010-02-26 09:04:40.000000000 -0500 @@ -15,7 +15,7 @@ role sysadm_r; @@ -8264,7 +8441,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ifndef(`enable_mls',` userdom_security_admin_template(sysadm_t, sysadm_r) -@@ -34,11 +34,16 @@ +@@ -28,17 +28,25 @@ + + corecmd_exec_shell(sysadm_t) + ++domain_dontaudit_read_all_domains_state(sysadm_t) ++ + mls_process_read_up(sysadm_t) ++mls_file_read_to_clearance(sysadm_t) + + ubac_process_exempt(sysadm_t) ubac_file_exempt(sysadm_t) ubac_fd_exempt(sysadm_t) @@ -8281,7 +8467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -70,7 +75,9 @@ +@@ -70,7 +78,9 @@ apache_run_helper(sysadm_t, sysadm_r) #apache_run_all_scripts(sysadm_t, sysadm_r) #apache_domtrans_sys_script(sysadm_t) @@ -8292,7 +8478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -86,9 +93,11 @@ +@@ -86,9 +96,11 @@ auditadm_role_change(sysadm_r) ') @@ -8304,7 +8490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` backup_run(sysadm_t, sysadm_r) -@@ -98,17 +107,25 @@ +@@ -98,17 +110,25 @@ bind_run_ndc(sysadm_t, sysadm_r) ') @@ -8330,7 +8516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` certwatch_run(sysadm_t, sysadm_r) -@@ -126,16 +143,18 @@ +@@ -126,16 +146,18 @@ consoletype_run(sysadm_t, sysadm_r) ') 
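Review bot: `domain_dontaudit_read_all_domains_state(sysadm_t)` removes audit visibility of an administrator domain trying to read every other domain's /proc state, with no comment on what generates those attempts. Silencing rather than granting is reasonable if this is ps/top noise, but in an admin role it also hides genuine probing, so record the reason, e.g. `# ps/top enumerate /proc for every domain; deny silently rather than widen read access`. The neighbouring `mls_file_read_to_clearance(sysadm_t)` is the MLS grant the commit subject refers to and is the more consequential line; a one-line note on which RHEL6 test required it would help the next person who has to justify it.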
@@ -8351,7 +8537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -165,9 +184,11 @@ +@@ -165,9 +187,11 @@ ethereal_run_tethereal(sysadm_t, sysadm_r) ') @@ -8363,7 +8549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` firstboot_run(sysadm_t, sysadm_r) -@@ -177,6 +198,7 @@ +@@ -177,6 +201,7 @@ fstools_run(sysadm_t, sysadm_r) ') @@ -8371,7 +8557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` games_role(sysadm_r, sysadm_t) ') -@@ -192,6 +214,7 @@ +@@ -192,6 +217,7 @@ optional_policy(` gpg_role(sysadm_r, sysadm_t) ') @@ -8379,7 +8565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` hostname_run(sysadm_t, sysadm_r) -@@ -205,6 +228,9 @@ +@@ -205,6 +231,9 @@ ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -8389,7 +8575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -212,12 +238,18 @@ +@@ -212,12 +241,18 @@ ') optional_policy(` @@ -8408,7 +8594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` kudzu_run(sysadm_t, sysadm_r) -@@ -227,9 +259,11 @@ +@@ -227,9 +262,11 @@ libs_run_ldconfig(sysadm_t, sysadm_r) ') @@ -8420,7 +8606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` logrotate_run(sysadm_t, sysadm_r) -@@ -254,6 +288,7 @@ +@@ -254,6 +291,7 @@ mount_run(sysadm_t, sysadm_r) ') @@ -8428,7 +8614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` mozilla_role(sysadm_r, sysadm_t) ') -@@ -261,6 +296,7 @@ +@@ -261,6 +299,7 @@ optional_policy(` mplayer_role(sysadm_r, sysadm_t) ') 
@@ -8436,7 +8622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` mta_role(sysadm_r, sysadm_t) -@@ -308,8 +344,14 @@ +@@ -308,8 +347,14 @@ ') optional_policy(` @@ -8451,7 +8637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` quota_run(sysadm_t, sysadm_r) -@@ -319,9 +361,11 @@ +@@ -319,9 +364,11 @@ raid_domtrans_mdadm(sysadm_t) ') @@ -8463,7 +8649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` rpc_domtrans_nfsd(sysadm_t) -@@ -331,9 +375,11 @@ +@@ -331,9 +378,11 @@ rpm_run(sysadm_t, sysadm_r) ') @@ -8475,7 +8661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` rsync_exec(sysadm_t) -@@ -357,9 +403,11 @@ +@@ -357,9 +406,11 @@ seutil_run_runinit(sysadm_t, sysadm_r) ') @@ -8487,7 +8673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` ssh_role_template(sysadm, sysadm_r, sysadm_t) -@@ -369,6 +417,7 @@ +@@ -369,6 +420,7 @@ staff_role_change(sysadm_r) ') @@ -8495,7 +8681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` su_role_template(sysadm, sysadm_r, sysadm_t) ') -@@ -376,15 +425,18 @@ +@@ -376,15 +428,18 @@ optional_policy(` sudo_role_template(sysadm, sysadm_r, sysadm_t) ') @@ -8514,7 +8700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` tripwire_run_siggen(sysadm_t, sysadm_r) -@@ -393,17 +445,21 @@ +@@ -393,17 +448,21 @@ tripwire_run_twprint(sysadm_t, sysadm_r) ') @@ -8536,7 +8722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` unconfined_domtrans(sysadm_t) -@@ -417,9 +473,11 @@ +@@ -417,9 +476,11 @@ usbmodules_run(sysadm_t, sysadm_r) ') 
@@ -8548,7 +8734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` usermanage_run_admin_passwd(sysadm_t, sysadm_r) -@@ -427,9 +485,15 @@ +@@ -427,9 +488,15 @@ usermanage_run_useradd(sysadm_t, sysadm_r) ') @@ -8564,7 +8750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` vpn_run(sysadm_t, sysadm_r) -@@ -440,13 +504,26 @@ +@@ -440,13 +507,26 @@ ') optional_policy(` @@ -9278,7 +9464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.10/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/roles/unconfineduser.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/roles/unconfineduser.te 2010-02-26 10:43:24.000000000 -0500 @@ -0,0 +1,432 @@ +policy_module(unconfineduser, 1.0.0) + @@ -9901,7 +10087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.10/policy/modules/services/abrt.if --- nsaserefpolicy/policy/modules/services/abrt.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/abrt.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/services/abrt.if 2010-02-26 14:29:34.000000000 -0500 @@ -19,6 +19,29 @@ domtrans_pattern($1, abrt_exec_t, abrt_t) ') 
@@ -10069,7 +10255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.10/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/abrt.te 2010-02-24 11:05:21.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/services/abrt.te 2010-02-26 11:55:11.000000000 -0500 @@ -33,12 +33,24 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) 
@@ -12792,6 +12978,233 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue corenet_all_recvfrom_unlabeled(bluetooth_t) corenet_all_recvfrom_netlabel(bluetooth_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.10/policy/modules/services/cachefilesd.fc +--- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/services/cachefilesd.fc 2010-02-26 15:11:32.000000000 -0500 +@@ -0,0 +1,28 @@ ++############################################################################### ++# ++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved. ++# Written by David Howells (dhowells@redhat.com) ++# Karl MacMillan (kmacmill@redhat.com) ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License ++# as published by the Free Software Foundation; either version ++# 2 of the License, or (at your option) any later version. ++# ++############################################################################### ++ ++# ++# Define the contexts to be assigned to various files and directories of ++# importance to the CacheFiles kernel module and userspace management daemon. ++# ++ ++# cachefilesd executable will have: ++# label: system_u:object_r:cachefilesd_exec_t ++# MLS sensitivity: s0 ++# MCS categories: ++ ++/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0) ++/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0) ++/var/fscache(/.*)? 
gen_context(system_u:object_r:cachefiles_var_t,s0) ++ ++/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.10/policy/modules/services/cachefilesd.if +--- nsaserefpolicy/policy/modules/services/cachefilesd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/services/cachefilesd.if 2010-02-26 15:09:20.000000000 -0500 +@@ -0,0 +1,41 @@ ++############################################################################### ++# ++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved. ++# Written by David Howells (dhowells@redhat.com) ++# Karl MacMillan (kmacmill@redhat.com) ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License ++# as published by the Free Software Foundation; either version ++# 2 of the License, or (at your option) any later version. ++# ++############################################################################### ++ ++# ++# Define the policy interface for the CacheFiles userspace management daemon. ++# ++ ++## policy for cachefilesd ++ ++######################################## ++## ++## Execute a domain transition to run cachefilesd. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`cachefilesd_domtrans',` ++ gen_require(` ++ type cachefilesd_t, cachefilesd_exec_t; ++ ') ++ ++ domain_auto_trans($1,cachefilesd_exec_t,cachefilesd_t) ++ ++ allow $1 cachefilesd_t:fd use; ++ allow cachefilesd_t $1:fd use; ++ allow cachefilesd_t $1:fifo_file rw_file_perms; ++ allow cachefilesd_t $1:process sigchld; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.10/policy/modules/services/cachefilesd.te +--- nsaserefpolicy/policy/modules/services/cachefilesd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/services/cachefilesd.te 2010-02-26 15:09:20.000000000 -0500 +@@ -0,0 +1,146 @@ ++############################################################################### ++# ++# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved. ++# Written by David Howells (dhowells@redhat.com) ++# Karl MacMillan (kmacmill@redhat.com) ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License ++# as published by the Free Software Foundation; either version ++# 2 of the License, or (at your option) any later version. 
++# ++############################################################################### ++ ++# ++# This security policy governs access by the CacheFiles kernel module and ++# userspace management daemon to the files and directories in the on-disk ++# cache, on behalf of the processes accessing the cache through a network ++# filesystem such as NFS ++# ++policy_module(cachefilesd,1.0.17) ++ ++############################################################################### ++# ++# Declarations ++# ++require { type kernel_t; } ++ ++# ++# Files in the cache are created by the cachefiles module with security ID ++# cachefiles_var_t ++# ++type cachefiles_var_t; ++files_type(cachefiles_var_t) ++ ++# ++# The /dev/cachefiles character device has security ID cachefiles_dev_t ++# ++type cachefiles_dev_t; ++dev_node(cachefiles_dev_t) ++ ++# ++# The cachefilesd daemon normally runs with security ID cachefilesd_t ++# ++type cachefilesd_t; ++type cachefilesd_exec_t; ++domain_type(cachefilesd_t) ++init_daemon_domain(cachefilesd_t, cachefilesd_exec_t) ++ ++# ++# The cachefilesd daemon pid file context ++# ++type cachefilesd_var_run_t; ++files_pid_file(cachefilesd_var_run_t) ++ ++# ++# The CacheFiles kernel module causes processes accessing the cache files to do ++# so acting as security ID cachefiles_kernel_t ++# ++type cachefiles_kernel_t; ++domain_type(cachefiles_kernel_t) ++domain_obj_id_change_exemption(cachefiles_kernel_t) ++role system_r types cachefiles_kernel_t; ++ ++############################################################################### ++# ++# Permit RPM to deal with files in the cache ++# ++rpm_use_script_fds(cachefilesd_t) ++ ++############################################################################### ++# ++# cachefilesd local policy ++# ++# These define what cachefilesd is permitted to do. This doesn't include very ++# much: startup stuff, logging, pid file, scanning the cache superstructure and ++# deleting files from the cache. 
It is not permitted to read/write files in ++# the cache. ++# ++# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow ++# rules. ++# ++allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override }; ++ ++# Basic access ++files_read_etc_files(cachefilesd_t) ++libs_use_ld_so(cachefilesd_t) ++libs_use_shared_libs(cachefilesd_t) ++miscfiles_read_localization(cachefilesd_t) ++logging_send_syslog_msg(cachefilesd_t) ++init_dontaudit_use_script_ptys(cachefilesd_t) ++term_dontaudit_use_generic_ptys(cachefilesd_t) ++term_dontaudit_getattr_unallocated_ttys(cachefilesd_t) ++ ++# Allow manipulation of pid file ++allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms; ++manage_files_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t) ++manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t) ++files_pid_file(cachefilesd_var_run_t) ++files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file) ++ ++# Allow access to cachefiles device file ++allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms; ++ ++# Allow access to cache superstructure ++allow cachefilesd_t cachefiles_var_t : dir rw_dir_perms; ++allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink }; ++ ++# Permit statfs on the backing filesystem ++fs_getattr_xattr_fs(cachefilesd_t) ++ ++############################################################################### ++# ++# When cachefilesd invokes the kernel module to begin caching, it has to tell ++# the kernel module the security context in which it should act, and this ++# policy has to approve that. 
++# ++# There are two parts to this: ++# ++# (1) the security context used by the module to access files in the cache, ++# as set by the 'secctx' command in /etc/cachefilesd.conf, and ++# ++allow cachefilesd_t cachefiles_kernel_t : kernel_service { use_as_override }; ++ ++# ++# (2) the label that will be assigned to new files and directories created in ++# the cache by the module, which will be the same as the label on the ++# directory pointed to by the 'dir' command. ++# ++allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as }; ++ ++############################################################################### ++# ++# cachefiles kernel module local policy ++# ++# This governs what the kernel module is allowed to do the contents of the ++# cache. ++# ++allow cachefiles_kernel_t self:capability { dac_override dac_read_search }; ++allow cachefiles_kernel_t initrc_t:process sigchld; ++ ++manage_dirs_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t) ++manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t) ++ ++fs_getattr_xattr_fs(cachefiles_kernel_t) ++ ++dev_search_sysfs(cachefiles_kernel_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.10/policy/modules/services/ccs.te --- nsaserefpolicy/policy/modules/services/ccs.te 2010-02-16 14:58:22.000000000 -0500 +++ serefpolicy-3.7.10/policy/modules/services/ccs.te 2010-02-23 15:54:38.000000000 -0500 
@@ -15162,7 +15575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.10/policy/modules/services/devicekit.fc --- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/devicekit.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/services/devicekit.fc 2010-02-25 14:52:32.000000000 -0500 @@ -1,8 +1,12 @@ /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) /usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) @@ -15174,11 +15587,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi +/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) /var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) - /var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +-/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) ++/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.10/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/devicekit.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/services/devicekit.if 2010-02-25 14:53:23.000000000 -0500 @@ -139,6 +139,26 @@ ######################################## 
@@ -15206,9 +15620,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi ## All of the rules required to administrate ## an devicekit environment ## +@@ -162,7 +182,7 @@ + interface(`devicekit_admin',` + gen_require(` + type devicekit_t, devicekit_disk_t, devicekit_power_t; +- type devicekit_var_run_t; ++ type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; + ') + + allow $1 devicekit_t:process { ptrace signal_perms getattr }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.10/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/devicekit.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/services/devicekit.te 2010-02-26 09:03:13.000000000 -0500 @@ -42,6 +42,8 @@ files_read_etc_files(devicekit_t) @@ -15230,7 +15653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) -@@ -71,29 +75,58 @@ +@@ -71,29 +75,61 @@ manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) @@ -15286,12 +15709,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi storage_raw_read_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t) ++mls_file_read_all_levels(devicekit_disk_t) ++mls_file_write_to_clearance(devicekit_disk_t) ++ +term_use_all_terms(devicekit_disk_t) + auth_use_nsswitch(devicekit_disk_t) miscfiles_read_localization(devicekit_disk_t) -@@ -102,6 +135,16 @@ +@@ -102,6 +138,16 @@ userdom_search_user_home_dirs(devicekit_disk_t) optional_policy(` 
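Review bot: The `devicekit_admin` gen_require now lists `devicekit_var_lib_t` and `devicekit_tmp_t`, but no rule in the hunk uses them, and the interface body continues outside the hunk. If the admin interface is meant to gain management of those types, the corresponding rule belongs in the same change; if the rules already exist further down and merely lacked the require, a short comment would save the next reader the search. Either way the require should not be left dangling.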
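Review bot: `mls_file_read_all_levels(devicekit_disk_t)` and `mls_file_write_to_clearance(devicekit_disk_t)` turn the disk daemon into an MLS override domain with no comment on why, in a file whose other storage grants (`storage_raw_*_removable_device`) are level-neutral. Read at all levels combined with write to clearance is the pattern that lets a single system daemon move data downward across levels, so a one-line rationale is warranted, e.g. `# mounts and relabels removable media for users at any level -- TODO confirm which operation needs read at all levels rather than to clearance`. If only the daemon's own clearance range is needed, `mls_file_read_to_clearance` (used for sysadm_t earlier in this diff) keeps the constraint tighter.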
@@ -15308,7 +15734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi fstools_domtrans(devicekit_disk_t) ') -@@ -110,6 +153,7 @@ +@@ -110,6 +156,7 @@ ') optional_policy(` @@ -15316,7 +15742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi policykit_domtrans_auth(devicekit_disk_t) policykit_read_lib(devicekit_disk_t) policykit_read_reload(devicekit_disk_t) -@@ -120,18 +164,12 @@ +@@ -120,18 +167,12 @@ ') optional_policy(` @@ -15338,7 +15764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi ') ######################################## -@@ -139,9 +177,11 @@ +@@ -139,9 +180,11 @@ # DeviceKit-Power local policy # @@ -15351,7 +15777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -@@ -151,6 +191,7 @@ +@@ -151,6 +194,7 @@ kernel_read_system_state(devicekit_power_t) kernel_rw_hotplug_sysctls(devicekit_power_t) kernel_rw_kernel_sysctl(devicekit_power_t) @@ -15359,7 +15785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) -@@ -159,7 +200,9 @@ +@@ -159,7 +203,9 @@ domain_read_all_domains_state(devicekit_power_t) @@ -15369,7 +15795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) -@@ -167,12 +210,16 @@ +@@ -167,12 +213,16 @@ files_read_etc_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) @@ -15386,7 +15812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi userdom_read_all_users_state(devicekit_power_t) optional_policy(` -@@ -180,6 +227,10 @@ +@@ -180,6 +230,10 @@ ') optional_policy(` 
@@ -15397,7 +15823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -203,17 +254,23 @@ +@@ -203,17 +257,23 @@ optional_policy(` hal_domtrans_mac(devicekit_power_t) @@ -17673,7 +18099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.10/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/mta.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/services/mta.if 2010-02-26 14:53:51.000000000 -0500 @@ -220,6 +220,25 @@ application_executable_file($1) ') @@ -17708,7 +18134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ') -@@ -356,6 +376,7 @@ +@@ -356,11 +376,35 @@ ') allow $1 mta_exec_type:lnk_file read_lnk_file_perms; @@ -17716,10 +18142,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. domtrans_pattern($1, mta_exec_type, system_mail_t) allow mta_user_agent $1:fd use; -@@ -365,6 +386,25 @@ - - ######################################## - ## + allow mta_user_agent $1:process sigchld; + allow mta_user_agent $1:fifo_file rw_fifo_file_perms; ++ ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit system_mail_t $1:socket_class_set { read write }; ++ ') ++') ++ ++######################################## ++## +## Send mail client a signal +## +## 
@@ -17735,14 +18167,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. + ') + + allow $1 system_mail_t:process signal; -+') -+ -+######################################## -+## - ## Execute send mail in a specified domain. - ## - ## -@@ -454,7 +494,8 @@ + ') + + ######################################## +@@ -454,7 +498,8 @@ type etc_mail_t; ') @@ -17752,7 +18180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -678,7 +719,7 @@ +@@ -678,7 +723,7 @@ files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; allow $1 mail_spool_t:file setattr; @@ -17761,7 +18189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -765,6 +806,25 @@ +@@ -765,6 +810,25 @@ ####################################### ## @@ -17789,17 +18217,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.10/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/mta.te 2010-02-23 15:54:38.000000000 -0500 -@@ -63,6 +63,8 @@ ++++ serefpolicy-3.7.10/policy/modules/services/mta.te 2010-02-25 08:06:42.000000000 -0500 +@@ -63,6 +63,9 @@ can_exec(system_mail_t, mta_exec_type) +files_read_all_tmp_files(system_mail_t) ++files_read_usr_files(system_mail_t) + kernel_read_system_state(system_mail_t) kernel_read_network_state(system_mail_t) kernel_request_load_module(system_mail_t) -@@ -75,20 +77,27 @@ +@@ -75,20 +78,27 @@ selinux_getattr_fs(system_mail_t) 
@@ -17827,7 +18256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -107,6 +116,7 @@ +@@ -107,6 +117,7 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) @@ -17835,7 +18264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -126,6 +136,7 @@ +@@ -126,6 +137,7 @@ optional_policy(` fail2ban_append_log(system_mail_t) @@ -17843,7 +18272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -185,6 +196,10 @@ +@@ -185,6 +197,10 @@ ') optional_policy(` @@ -17854,7 +18283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. smartmon_read_tmp_files(system_mail_t) ') -@@ -216,6 +231,7 @@ +@@ -216,6 +232,7 @@ create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -19487,7 +19916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.10/policy/modules/services/nut.te --- nsaserefpolicy/policy/modules/services/nut.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/nut.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/services/nut.te 2010-02-26 08:33:54.000000000 -0500 @@ -29,7 +29,8 @@ # Local policy for upsd # 
@@ -19506,17 +19935,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut. # /usr/bin/wall term_write_all_terms(nut_upsmon_t) -@@ -123,7 +125,9 @@ +@@ -123,6 +125,7 @@ kernel_read_kernel_sysctls(nut_upsdrvctl_t) # /sbin/upsdrvctl executes other drivers +# can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) corecmd_exec_bin(nut_upsdrvctl_t) -+corecmd_exec_sbin(nut_upsdrvctl_t) dev_read_urand(nut_upsdrvctl_t) - dev_rw_generic_usb_dev(nut_upsdrvctl_t) -@@ -149,5 +153,15 @@ +@@ -149,5 +152,15 @@ read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t) @@ -21827,7 +22254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.10/policy/modules/services/rdisc.if --- nsaserefpolicy/policy/modules/services/rdisc.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/rdisc.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/services/rdisc.if 2010-02-26 08:34:00.000000000 -0500 @@ -1 +1,20 @@ ## Network router discovery daemon + @@ -21846,7 +22273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdis + type rdisc_exec_t; + ') + -+ corecmd_search_sbin($1) ++ corecmd_search_bin($1) + can_exec($1,rdisc_exec_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.10/policy/modules/services/rgmanager.fc 
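Review bot: The new line `# can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)` is a commented-out rule placed directly under `# /sbin/upsdrvctl executes other drivers`, so that explanation now describes a disabled rule while the live grant is the much broader `corecmd_exec_bin`. Either enable the rule or delete it and say what replaced it, e.g. `# /sbin/upsdrvctl executes other drivers, which are bin_t since the sbin merge`. Dropping `corecmd_exec_sbin(nut_upsdrvctl_t)` here is consistent with the `corecmd_search_bin` rename in rdisc.if in the same hunk and the `corecmd_getattr_bin_files` change in rhcs.te later in the diff, so the removal itself looks intentional.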
@@ -21965,8 +22392,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.10/policy/modules/services/rgmanager.te --- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/rgmanager.te 2010-02-23 15:54:38.000000000 -0500 -@@ -0,0 +1,224 @@ ++++ serefpolicy-3.7.10/policy/modules/services/rgmanager.te 2010-02-26 11:53:19.000000000 -0500 +@@ -0,0 +1,223 @@ + +policy_module(rgmanager,1.0.0) + @@ -22007,7 +22434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +# rgmanager local policy +# + -+allow rgmanager_t self:capability { dac_override sys_resource sys_nice ipc_lock }; ++allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; +dontaudit rgmanager_t self:capability { sys_ptrace }; +allow rgmanager_t self:process { setsched signal }; +dontaudit rgmanager_t self:process { ptrace }; @@ -22036,7 +22463,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +files_pid_filetrans(rgmanager_t,rgmanager_var_run_t, { file sock_file }) + +corecmd_exec_bin(rgmanager_t) -+corecmd_exec_sbin(rgmanager_t) +corecmd_exec_shell(rgmanager_t) +consoletype_exec(rgmanager_t) + @@ -22648,8 +23074,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.10/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/rhcs.te 2010-02-23 15:54:38.000000000 -0500 -@@ -0,0 +1,247 @@ ++++ serefpolicy-3.7.10/policy/modules/services/rhcs.te 2010-02-26 11:55:16.000000000 -0500 +@@ -0,0 +1,248 @@ + +policy_module(rhcs,1.1.0) + 
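Review bot: The rewritten rule `allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };` adds `sys_admin` and `net_raw` with no comment, and `sys_admin` is the broadest capability a domain can hold. A one-line note on which rgmanager operation produced each denial would let a later reviewer judge whether a narrower interface exists, e.g. `# sys_admin/net_raw: required for <operation observed in RHEL6 testing>` with the operation filled in. The removal of `corecmd_exec_sbin(rgmanager_t)` in the following hunk is only the sbin/bin interface merge and needs nothing.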
@@ -22754,6 +23180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + +files_read_usr_symlinks(fenced_t) + ++corenet_tcp_connect_http_port(fenced_t) +tunable_policy(`fenced_can_network_connect',` + corenet_tcp_connect_all_ports(fenced_t) +') @@ -22833,7 +23260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t) +files_var_lib_filetrans(qdiskd_t,qdiskd_var_lib_t, { file dir sock_file }) + -+corecmd_getattr_sbin_files(qdiskd_t) ++corecmd_getattr_bin_files(qdiskd_t) +corecmd_exec_shell(qdiskd_t) + +kernel_read_system_state(qdiskd_t) @@ -25636,7 +26063,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.10/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/sssd.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/services/sssd.te 2010-02-25 18:53:37.000000000 -0500 @@ -13,6 +13,9 @@ type sssd_initrc_exec_t; init_script_file(sssd_initrc_exec_t) @@ -25664,7 +26091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -@@ -49,6 +55,9 @@ +@@ -49,12 +55,17 @@ dev_read_urand(sssd_t) 
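Review bot: The added `corenet_tcp_connect_http_port(fenced_t)` is unconditional and sits directly above the `fenced_can_network_connect` tunable that otherwise gates fenced's outbound connections, so the tunable no longer describes fenced's full network reach. If an always-on HTTP connect is intended, a comment naming the consumer keeps the two readable together, e.g. `# fence agents that reach their device over HTTP need this even with fenced_can_network_connect off`; otherwise the line belongs inside the tunable block. The `corecmd_getattr_sbin_files` → `corecmd_getattr_bin_files` change for qdiskd_t in the next hunk is just the interface rename.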
@@ -25674,7 +26101,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd files_list_tmp(sssd_t) files_read_etc_files(sssd_t) files_read_usr_files(sssd_t) -@@ -66,6 +75,8 @@ + + fs_list_inotifyfs(sssd_t) + ++mls_file_read_to_clearance(sssd_t) ++ + auth_use_nsswitch(sssd_t) + auth_domtrans_chk_passwd(sssd_t) + auth_domtrans_upd_passwd(sssd_t) +@@ -66,6 +77,8 @@ miscfiles_read_localization(sssd_t) @@ -26346,7 +26781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt /var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.10/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/virt.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/services/virt.if 2010-02-26 11:14:28.000000000 -0500 @@ -22,6 +22,8 @@ domain_type($1_t) role system_r types $1_t; @@ -26730,7 +27165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.10/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/xserver.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/services/xserver.if 2010-02-26 14:29:51.000000000 -0500 @@ -19,7 +19,7 @@ interface(`xserver_restricted_role',` gen_require(` 
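Review bot: The added `mls_file_read_to_clearance(sssd_t)` is an MLS read-up exemption with no comment recording which files sssd needs above its own level, and the same applies to `mls_file_read_all_levels(audisp_t)` in the logging.te hunk later in this patch, which as far as I can tell is the wider of the two since it is not bounded by the domain's clearance. Each line deserves a one-liner naming the denial it fixes, e.g. `# MLS: <what sssd reads above its level, seen in RHEL6 testing>` and, for audisp, `# MLS: <why plugin output at all levels must be readable>`. Without that, nobody can later tell whether the clearance-bounded interface would also have sufficed for audisp_t.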
@@ -26827,20 +27262,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # X object manager xserver_object_types_template($1) -@@ -545,6 +555,12 @@ +@@ -545,6 +555,10 @@ ') domtrans_pattern($1, xauth_exec_t, xauth_t) +ifdef(`hide_broken_symptoms', ` -+ dontaudit xauth_t $1:unix_stream_socket rw_socket_perms; -+ dontaudit xauth_t $1:tcp_socket rw_socket_perms; -+ dontaudit xauth_t $1:udp_socket rw_socket_perms; ++ dontaudit xauth_t $1:socket_class_set { read write }; + fs_dontaudit_rw_anon_inodefs_files(xauth_t) +') ') ######################################## -@@ -598,6 +614,7 @@ +@@ -598,6 +612,7 @@ allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -26848,7 +27281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -805,7 +822,7 @@ +@@ -805,7 +820,7 @@ ') files_search_pids($1) @@ -26857,7 +27290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1250,3 +1267,329 @@ +@@ -1250,3 +1265,329 @@ typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') @@ -28404,7 +28837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.10/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/authlogin.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/system/authlogin.te 2010-02-25 18:15:10.000000000 -0500 @@ -103,8 +103,10 @@ fs_dontaudit_getattr_xattr_fs(chkpwd_t) 
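Review bot: The new `dontaudit xauth_t $1:socket_class_set { read write };` covers every socket class, where the three lines it replaces named only unix_stream, tcp and udp sockets, so denials on any other socket type leaked into xauth_t are silenced as well. Under `hide_broken_symptoms` that is a defensible trade, but the ifdef block carries no comment saying what symptom it hides; `# descriptors leaked by the caller across the xauth transition` above the dontaudit would record it. The enclosing interface's header is outside the hunk.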
@@ -29054,7 +29487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.10/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/init.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/system/init.te 2010-02-25 16:45:03.000000000 -0500 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) @@ -29121,7 +29554,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # For /var/run/shutdown.pid. allow init_t init_var_run_t:file manage_file_perms; -@@ -140,6 +158,7 @@ +@@ -122,6 +140,7 @@ + + dev_read_sysfs(init_t) + ++domain_getpgid_all_domains(init_t) + domain_kill_all_domains(init_t) + domain_signal_all_domains(init_t) + domain_signull_all_domains(init_t) +@@ -140,6 +159,7 @@ files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) @@ -29129,7 +29570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) -@@ -167,11 +186,14 @@ +@@ -167,11 +187,14 @@ miscfiles_read_localization(init_t) @@ -29144,7 +29585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_rw_tmpfs_chr_files(init_t) fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') -@@ -189,10 +211,31 @@ +@@ -189,10 +212,31 @@ ') optional_policy(` @@ -29176,7 +29617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t unconfined_domain(init_t) ') -@@ -202,9 +245,10 @@ +@@ -202,9 +246,10 @@ # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
@@ -29188,7 +29629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # Allow IPC with self allow initrc_t self:unix_dgram_socket create_socket_perms; -@@ -217,7 +261,8 @@ +@@ -217,7 +262,8 @@ term_create_pty(initrc_t, initrc_devpts_t) # Going to single user mode @@ -29198,7 +29639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t can_exec(initrc_t, init_script_file_type) -@@ -230,10 +275,12 @@ +@@ -230,10 +276,12 @@ allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -29213,7 +29654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir }) init_write_initctl(initrc_t) -@@ -246,13 +293,19 @@ +@@ -246,13 +294,19 @@ kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -29235,7 +29676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corenet_all_recvfrom_unlabeled(initrc_t) corenet_all_recvfrom_netlabel(initrc_t) -@@ -267,21 +320,29 @@ +@@ -267,21 +321,29 @@ dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -29266,7 +29707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -291,7 +352,7 @@ +@@ -291,7 +353,7 @@ domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -29275,7 +29716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -306,14 +367,15 @@ +@@ -306,14 +368,15 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -29293,7 +29734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_exec_etc_files(initrc_t) files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) -@@ -324,7 +386,10 @@ +@@ -324,7 +387,10 @@ files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -29304,7 +29745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs fs_write_ramfs_pipes(initrc_t) -@@ -333,6 +398,11 @@ +@@ -333,6 +399,11 @@ fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -29316,7 +29757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -365,7 +435,9 @@ +@@ -365,7 +436,9 @@ libs_rw_ld_so_cache(initrc_t) libs_exec_lib_files(initrc_t) @@ -29326,7 +29767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) -@@ -374,19 +446,22 @@ +@@ -374,19 +447,22 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -29350,7 +29791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -431,7 +506,7 @@ +@@ -431,7 +507,7 @@ # /lib/rcscripts/net/system.sh rewrites resolv.conf :( sysnet_create_config(initrc_t) sysnet_write_config(initrc_t) @@ -29359,7 +29800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` arpwatch_manage_data_files(initrc_t) -@@ -450,11 +525,9 @@ +@@ -450,11 +526,9 @@ # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -29372,7 +29813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # These seem to be from the initrd # during device initialization: dev_create_generic_dirs(initrc_t) -@@ -464,6 +537,7 @@ +@@ -464,6 +538,7 @@ storage_raw_read_fixed_disk(initrc_t) storage_raw_write_fixed_disk(initrc_t) @@ -29380,7 +29821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) # wants to read /.fonts directory -@@ -472,6 +546,7 @@ +@@ -472,6 +547,7 @@ # Needs to cp localtime to /var dirs files_write_var_dirs(initrc_t) @@ -29388,7 +29829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_rw_tmpfs_chr_files(initrc_t) storage_manage_fixed_disk(initrc_t) -@@ -490,17 +565,32 @@ +@@ -490,17 +566,32 @@ miscfiles_read_hwdata(initrc_t) optional_policy(` @@ -29421,7 +29862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -515,6 +605,34 @@ +@@ -515,6 +606,34 @@ ') ') @@ -29456,7 +29897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -527,6 +645,8 @@ +@@ -527,6 +646,8 @@ optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -29465,7 +29906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -567,10 +687,19 @@ +@@ -567,10 +688,19 @@ dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -29485,7 +29926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -590,6 +719,10 @@ +@@ -590,6 +720,10 @@ ') optional_policy(` 
@@ -29496,7 +29937,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dev_read_usbfs(initrc_t) # init scripts run /etc/hotplug/usb.rc -@@ -646,20 +779,20 @@ +@@ -646,20 +780,20 @@ ') optional_policy(` @@ -29523,7 +29964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ifdef(`distro_redhat',` -@@ -668,6 +801,7 @@ +@@ -668,6 +802,7 @@ mysql_stream_connect(initrc_t) mysql_write_log(initrc_t) @@ -29531,7 +29972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -700,7 +834,6 @@ +@@ -700,7 +835,6 @@ ') optional_policy(` @@ -29539,7 +29980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -722,8 +855,6 @@ +@@ -722,8 +856,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -29548,7 +29989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -736,13 +867,16 @@ +@@ -736,13 +868,16 @@ squid_manage_logs(initrc_t) ') @@ -29565,7 +30006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -751,6 +885,7 @@ +@@ -751,6 +886,7 @@ optional_policy(` udev_rw_db(initrc_t) @@ -29573,7 +30014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -758,7 +893,17 @@ +@@ -758,7 +894,17 @@ ') optional_policy(` @@ -29591,7 +30032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -768,6 +913,25 @@ +@@ -768,6 +914,25 @@ optional_policy(` mono_domtrans(initrc_t) ') 
@@ -29617,7 +30058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -793,3 +957,31 @@ +@@ -793,3 +958,31 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -30479,17 +30920,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.10/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/locallogin.te 2010-02-23 15:54:38.000000000 -0500 -@@ -33,7 +33,7 @@ ++++ serefpolicy-3.7.10/policy/modules/system/locallogin.te 2010-02-25 18:19:19.000000000 -0500 +@@ -33,9 +33,8 @@ # Local login local policy # -allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; +-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +-allow local_login_t self:process { setrlimit setexec }; +allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; - allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow local_login_t self:process { setrlimit setexec }; ++allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap }; allow local_login_t self:fd use; -@@ -74,6 +74,8 @@ + allow local_login_t self:fifo_file rw_fifo_file_perms; + allow local_login_t self:sock_file read_sock_file_perms; +@@ -74,6 +73,8 @@ dev_setattr_power_mgmt_dev(local_login_t) dev_getattr_sound_dev(local_login_t) dev_setattr_sound_dev(local_login_t) 
@@ -30498,7 +30942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall dev_dontaudit_getattr_apm_bios_dev(local_login_t) dev_dontaudit_setattr_apm_bios_dev(local_login_t) dev_dontaudit_read_framebuffer(local_login_t) -@@ -152,6 +154,11 @@ +@@ -152,6 +153,11 @@ fs_read_cifs_symlinks(local_login_t) ') @@ -30510,7 +30954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall optional_policy(` alsa_domtrans(local_login_t) ') -@@ -181,7 +188,7 @@ +@@ -181,7 +187,7 @@ ') optional_policy(` @@ -30519,7 +30963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall ') optional_policy(` -@@ -198,9 +205,10 @@ +@@ -198,9 +204,10 @@ # Sulogin local policy # @@ -30531,7 +30975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall allow sulogin_t self:unix_dgram_socket create_socket_perms; allow sulogin_t self:unix_stream_socket create_stream_socket_perms; allow sulogin_t self:unix_dgram_socket sendto; -@@ -220,6 +228,7 @@ +@@ -220,6 +227,7 @@ files_dontaudit_search_isid_type_dirs(sulogin_t) auth_read_shadow(sulogin_t) @@ -30539,17 +30983,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall init_getpgid_script(sulogin_t) -@@ -233,11 +242,23 @@ +@@ -233,14 +241,23 @@ userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) +-sysadm_shell_domtrans(sulogin_t) +term_use_console(sulogin_t) +term_use_unallocated_ttys(sulogin_t) + +ifdef(`enable_mls',` - sysadm_shell_domtrans(sulogin_t) ++ sysadm_shell_domtrans(sulogin_t) +',` -+ optional_policy(` ++ optional_policy(` + unconfined_shell_domtrans(sulogin_t) + ') +') 
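Review bot: The new `ifdef(`enable_mls'` split sends sulogin_t to `sysadm_shell_domtrans` only on MLS builds and to `unconfined_shell_domtrans` everywhere else, but nothing in the hunk says why the single-user shell is confined on one policy and unconfined on the others. A comment above the ifdef would spare the next reader the guess, e.g. `# MLS keeps the single-user shell in sysadm_t; other policies use the unconfined shell`. Note also that the non-MLS branch is wrapped in optional_policy, so a build without the unconfined module ends up with no shell transition for sulogin_t at all; if that is not intended it is worth a second look.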
@@ -30557,13 +31002,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall # suse and debian do not use pam with sulogin... ifdef(`distro_suse', `define(`sulogin_no_pam')') ifdef(`distro_debian', `define(`sulogin_no_pam')') -+ifdef(`distro_redhat',`define(`sulogin_no_pam') -+ selinux_compute_user_contexts(sulogin_t) -+') ++allow sulogin_t self:capability sys_tty_config; ifdef(`sulogin_no_pam', ` - allow sulogin_t self:capability sys_tty_config; -@@ -251,11 +272,3 @@ +- allow sulogin_t self:capability sys_tty_config; + init_getpgid(sulogin_t) + ', ` + allow sulogin_t self:process setexec; +@@ -251,11 +268,3 @@ selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') @@ -30689,7 +31135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.10/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/logging.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/system/logging.te 2010-02-25 18:10:25.000000000 -0500 @@ -101,6 +101,7 @@ kernel_read_kernel_sysctls(auditctl_t) @@ -30733,7 +31179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin allow audisp_t self:unix_stream_socket create_stream_socket_perms; allow audisp_t self:unix_dgram_socket create_socket_perms; -@@ -226,13 +229,18 @@ +@@ -226,13 +229,19 @@ manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) 
@@ -30746,6 +31192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin files_read_etc_files(audisp_t) +files_read_etc_runtime_files(audisp_t) ++mls_file_read_all_levels(audisp_t) mls_file_write_all_levels(audisp_t) +mls_dbus_send_all_levels(audisp_t) + @@ -30753,7 +31200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin logging_send_syslog_msg(audisp_t) -@@ -240,6 +248,14 @@ +@@ -240,6 +249,14 @@ sysnet_dns_name_resolve(audisp_t) @@ -30768,7 +31215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ######################################## # # Audit remote logger local policy -@@ -253,11 +269,16 @@ +@@ -253,11 +270,16 @@ corenet_tcp_sendrecv_generic_node(audisp_remote_t) corenet_tcp_connect_audit_port(audisp_remote_t) corenet_sendrecv_audit_client_packets(audisp_remote_t) @@ -30785,7 +31232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin miscfiles_read_localization(audisp_remote_t) sysnet_dns_name_resolve(audisp_remote_t) -@@ -332,13 +353,12 @@ +@@ -332,13 +354,12 @@ allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid }; dontaudit syslogd_t self:capability sys_tty_config; # setpgid for metalog @@ -30801,7 +31248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; -@@ -462,10 +482,18 @@ +@@ -462,10 +483,18 @@ ') optional_policy(` @@ -30820,7 +31267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin postgresql_stream_connect(syslogd_t) ') -@@ -474,6 +502,10 @@ +@@ -474,6 +503,10 @@ ') optional_policy(` 
@@ -30831,9 +31278,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin udev_read_db(syslogd_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.10/policy/modules/system/lvm.fc +--- nsaserefpolicy/policy/modules/system/lvm.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.10/policy/modules/system/lvm.fc 2010-02-25 18:42:51.000000000 -0500 +@@ -28,6 +28,7 @@ + # + /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) + /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0) + + # + # /sbin +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.10/policy/modules/system/lvm.if +--- nsaserefpolicy/policy/modules/system/lvm.if 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/system/lvm.if 2010-02-26 08:35:35.000000000 -0500 +@@ -34,7 +34,7 @@ + type lvm_exec_t; + ') + +- corecmd_search_sbin($1) ++ corecmd_search_bin($1) + can_exec($1, lvm_exec_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.10/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/lvm.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/system/lvm.te 2010-02-26 08:56:01.000000000 -0500 @@ -142,6 +142,11 @@ ') 
@@ -30846,7 +31316,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te ccs_stream_connect(clvmd_t) ') -@@ -244,6 +249,7 @@ +@@ -171,6 +176,7 @@ + allow lvm_t self:process { sigchld sigkill sigstop signull signal }; + # LVM will complain a lot if it cannot set its priority. + allow lvm_t self:process setsched; ++allow lvm_t self:sem create_sem_perms; + allow lvm_t self:file rw_file_perms; + allow lvm_t self:fifo_file manage_fifo_file_perms; + allow lvm_t self:unix_dgram_socket create_socket_perms; +@@ -244,6 +250,7 @@ dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -30854,7 +31332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -253,6 +259,7 @@ +@@ -253,6 +260,7 @@ files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -30862,7 +31340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te fs_getattr_xattr_fs(lvm_t) fs_search_auto_mountpoints(lvm_t) -@@ -311,6 +318,11 @@ +@@ -311,6 +319,11 @@ ') optional_policy(` @@ -32754,7 +33232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.10/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/udev.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/system/udev.te 2010-02-25 18:43:22.000000000 -0500 @@ -50,6 +50,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; 
@@ -33590,7 +34068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.gvfs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.10/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/userdomain.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/system/userdomain.if 2010-02-26 09:05:50.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -36141,7 +36619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.10/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/xen.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.10/policy/modules/system/xen.te 2010-02-26 11:35:15.000000000 -0500 @@ -5,6 +5,7 @@ # # Declarations @@ -36203,22 +36681,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te storage_raw_read_fixed_disk(xenstored_t) storage_raw_write_fixed_disk(xenstored_t) storage_raw_read_removable_device(xenstored_t) -@@ -421,7 +433,14 @@ +@@ -421,7 +433,22 @@ xen_stream_connect_xenstore(xm_t) optional_policy(` ++ dbus_system_bus(xm_t) ++ optional_policy(` ++ hal_dbus_chat(xm_t) ++ ') ++') ++ ++optional_policy(` + vhostmd_rw_tmpfs_files(xm_t) + vhostmd_stream_connect(xm_t) + vhostmd_dontaudit_rw_stream_connect(xm_t) +') + +optional_policy(` ++ virt_domtrans(xm_t) virt_manage_images(xm_t) + virt_manage_config(xm_t) virt_stream_connect(xm_t) ') -@@ -435,9 +454,14 @@ +@@ -435,9 +462,14 @@ kernel_read_xen_state(xm_ssh_t) kernel_write_xen_state(xm_ssh_t) diff --git a/securetty_types-minimum b/securetty_types-minimum index fe7ce17..7055096 100644 
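Review bot: `dbus_system_bus(xm_t)` in the xen.te hunk does not look like an interface the dbus module defines — the client interface in refpolicy is `dbus_system_bus_client()` — so unless `dbus_system_bus` exists in this tree's dbus.if the xen module will fail to build. `dbus_system_bus_client(xm_t)` is the likely intent, with `hal_dbus_chat(xm_t)` kept in its nested optional_policy. The remaining additions in the hunk (`vhostmd_*`, `virt_domtrans`, `virt_manage_config`) read fine.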
--- a/securetty_types-minimum +++ b/securetty_types-minimum @@ -1,3 +1,4 @@ +console_device_t sysadm_tty_device_t user_tty_device_t staff_tty_device_t diff --git a/securetty_types-mls b/securetty_types-mls index 242dffe..89bf54d 100644 --- a/securetty_types-mls +++ b/securetty_types-mls @@ -1,3 +1,4 @@ +console_device_t sysadm_tty_device_t user_tty_device_t staff_tty_device_t diff --git a/securetty_types-targeted b/securetty_types-targeted index fe7ce17..7055096 100644 --- a/securetty_types-targeted +++ b/securetty_types-targeted @@ -1,3 +1,4 @@ +console_device_t sysadm_tty_device_t user_tty_device_t staff_tty_device_t diff --git a/selinux-policy.spec b/selinux-policy.spec index a1091e8..4f06646 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.10 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,12 +466,19 @@ exit 0 %endif %changelog -* Wed Feb 22 2010 Dan Walsh 3.7.10-4 +* Fri Feb 26 2010 Dan Walsh 3.7.10-5 +- Add MLS fixes found in RHEL6 testing +- Allow domains to append to rpm_tmp_t +- Add cachefilesfd policy +- Dontaudit leaks when transitioning + +* Wed Feb 23 2010 Dan Walsh 3.7.10-4 - Change allow_execstack and allow_execmem booleans to on - dontaudit acct using console - Add label for fping - Allow tmpreaper to delete sandbox_file_t - Fix wine dontaudit mmap_zero +- Allow abrt to read var_t symlinks * Tue Feb 22 2010 Dan Walsh 3.7.10-3 - Additional policy for rgmanager
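Review bot: Adding `console_device_t` to securetty_types-minimum, securetty_types-mls and securetty_types-targeted widens the set of tty types that libselinux's securetty check accepts to include the system console, in all three policies at once. As far as I know that list is what pam_selinux consults when deciding how to treat a login's tty, so the mls file in particular deserves a deliberate decision rather than a copy of the targeted change. If the console is meant to be a trusted login path under MLS, recording that in the commit message would let the next maintainer know it was intentional.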