From c20bf802698754f615c3e5f67b12c389c59ead66 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 31 2007 21:06:12 +0000 Subject: - Fix specification for clamav and clamd log files --- diff --git a/policy-20070703.patch b/policy-20070703.patch index f7850cd..edd4688 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -3259,7 +3259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.8/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2007-12-22 07:11:43.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2007-12-24 06:40:46.000000000 -0500 @@ -36,6 +36,8 @@ gen_require(` type mozilla_conf_t, mozilla_exec_t; @@ -3353,11 +3353,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # Unrestricted inheritance from the caller. allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh }; -@@ -113,10 +154,12 @@ +@@ -112,11 +153,13 @@ + ps_process_pattern($2,$1_mozilla_t) allow $2 $1_mozilla_t:process signal_perms; - kernel_read_kernel_sysctls($1_mozilla_t) + kernel_read_fs_sysctls($1_mozilla_t) + kernel_read_kernel_sysctls($1_mozilla_t) kernel_read_network_state($1_mozilla_t) # Access /proc, sysctl - kernel_read_system_state($1_mozilla_t) @@ -3392,7 +3393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. term_dontaudit_getattr_pty_dirs($1_mozilla_t) -@@ -184,16 +240,13 @@ +@@ -184,12 +240,8 @@ sysnet_dns_name_resolve($1_mozilla_t) sysnet_read_config($1_mozilla_t) 
@@ -3407,12 +3408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t) - xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t) -+ xserver_xdm_sigchld($1_mozilla_t) - - tunable_policy(`allow_execmem',` - allow $1_mozilla_t self:process { execmem execstack }; -@@ -211,131 +264,8 @@ +@@ -211,131 +263,8 @@ fs_manage_cifs_symlinks($1_mozilla_t) ') @@ -3546,7 +3542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -350,21 +280,27 @@ +@@ -350,21 +279,27 @@ optional_policy(` cups_read_rw_config($1_mozilla_t) cups_dbus_chat($1_mozilla_t) @@ -3578,7 +3574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -384,25 +320,6 @@ +@@ -384,25 +319,6 @@ thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t) ') @@ -3604,7 +3600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -575,3 +492,27 @@ +@@ -575,3 +491,27 @@ allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; ') 
@@ -3910,8 +3906,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2007-12-21 13:30:42.000000000 -0500 -@@ -36,6 +36,11 @@ ++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2007-12-31 06:44:32.000000000 -0500 +@@ -7,6 +7,7 @@ + /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) +@@ -36,6 +37,11 @@ /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) @@ -3923,7 +3927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0) -@@ -108,7 +113,6 @@ +@@ -108,7 +114,6 @@ /opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
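Review bot: The new `/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)` entry sits inside the `/bin/` run of shell entries (between `/bin/bash2` and `/bin/ksh.*`), while the file keeps `/usr` paths in their own section — the `# /usr #` banner and the `/usr/sbin/sesh -- ...shell_exec_t` entry are visible in the following hunks — so it should move there to keep the file ordered by path. Labeling git-shell shell_exec_t also makes it executable by every domain granted shell_exec_t access and, where shell_exec_t serves as an entry type, a transition entry point (the `corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)` context line in the apache.te hunk is one example), which is presumably intended because git-shell is installed as a login shell; a short why-comment such as `# git-shell is a restricted login shell; shell_exec_t so login transitions work` would stop a later cleanup from relabeling it to bin_t.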
@@ -3931,7 +3935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /usr # -@@ -126,10 +130,10 @@ +@@ -126,10 +131,10 @@ /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3944,7 +3948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) -@@ -163,8 +167,13 @@ +@@ -163,8 +168,13 @@ /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -3959,7 +3963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) -@@ -180,6 +189,7 @@ +@@ -180,6 +190,7 @@ /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) @@ -3967,7 +3971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ifdef(`distro_gentoo', ` /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -259,3 +269,23 @@ +@@ -259,3 +270,23 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
@@ -4052,7 +4056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2007-12-13 16:59:06.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2007-12-31 07:13:11.000000000 -0500 @@ -55,6 +55,11 @@ type reserved_port_t, port_type, reserved_port_type; @@ -4087,7 +4091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(innd, tcp,119,s0) network_port(ipp, tcp,631,s0, udp,631,s0) network_port(ircd, tcp,6667,s0) -@@ -108,12 +115,15 @@ +@@ -108,12 +115,16 @@ network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) @@ -4100,12 +4104,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(monopd, tcp,1234,s0) -network_port(mysqld, tcp,3306,s0) +network_port(msnp, tcp,1863,s0, udp,1863,s0) ++network_port(mythtv, tcp,6543,s0, udp,6543,s0) +network_port(mysqld, tcp,3306,s0, tcp,1186,s0) +portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) network_port(netsupport, tcp,5405,s0, udp,5405,s0) network_port(nmbd, udp,137,s0, udp,138,s0) -@@ -122,6 +132,7 @@ +@@ -122,6 +133,7 @@ network_port(openvpn, tcp,1194,s0, udp,1194,s0) network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) 
@@ -4113,7 +4118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postgresql, tcp,5432,s0) -@@ -141,12 +152,12 @@ +@@ -141,12 +153,12 @@ network_port(rsh, tcp,514,s0) network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) @@ -4128,7 +4133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene type socks_port_t, port_type; dnl network_port(socks) # no defined portcon type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp -@@ -160,13 +171,19 @@ +@@ -160,13 +172,19 @@ type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) network_port(vnc, tcp,5900,s0) @@ -4151,7 +4156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-12-31 08:18:10.000000000 -0500 @@ -4,6 +4,7 @@ /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) 
@@ -4160,7 +4165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/(misc/)?agpgart -c gen_context(system_u:object_r:agp_device_t,s0) /dev/aload.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/amidi.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -14,22 +15,31 @@ +@@ -14,22 +15,33 @@ /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) @@ -4181,6 +4186,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0) ++/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) ++/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) +/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -4192,7 +4199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) -@@ -41,6 +51,11 @@ +@@ -41,6 +53,11 @@ /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/null -c gen_context(system_u:object_r:null_device_t,s0) 
@@ -4204,7 +4211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) -@@ -49,6 +64,9 @@ +@@ -49,6 +66,9 @@ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -4214,7 +4221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -65,9 +83,11 @@ +@@ -65,9 +85,11 @@ /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) @@ -4226,7 +4233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -95,11 +115,21 @@ +@@ -95,11 +117,21 @@ /dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) 
@@ -4250,7 +4257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-12-18 10:37:23.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-12-27 11:35:15.000000000 -0500 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1,device_t,device_node) @@ -4427,8 +4434,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.0.8/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/devices.te 2007-12-02 21:15:34.000000000 -0500 -@@ -72,6 +72,13 @@ ++++ serefpolicy-3.0.8/policy/modules/kernel/devices.te 2007-12-31 08:18:33.000000000 -0500 +@@ -66,12 +66,25 @@ + dev_node(framebuf_device_t) + + # ++# Type for /dev/ipmi/0 ++# ++type ipmi_device_t; ++dev_node(ipmi_device_t) ++ ++# + # Type for /dev/kmsg + # + type kmsg_device_t; dev_node(kmsg_device_t) # @@ -5753,7 +5772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.8/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/apache.if 2007-12-04 08:45:26.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/apache.if 2007-12-31 07:17:25.000000000 -0500 
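Review bot: The comment introduced with the new type reads `# Type for /dev/ipmi/0`, but the devices.fc hunk on this page labels both `/dev/ipmi[0-9]+` and `/dev/ipmi/[0-9]+` with ipmi_device_t, so the comment describes only one of the two naming schemes; `# Type for /dev/ipmi[0-9]+ and /dev/ipmi/[0-9]+` matches what the file contexts cover. The only devices.if change on this page is the timestamp line in the earlier hunk, so this commit adds no accessor interface for ipmi_device_t; unless one already exists in the inner patch, the `dev_node` declaration alone leaves the device unreachable for whichever domain motivated it.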
@@ -18,10 +18,6 @@ attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; @@ -5782,7 +5801,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_dontaudit_search_sysctl(httpd_$1_script_t) kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) -@@ -120,10 +115,6 @@ +@@ -96,6 +91,7 @@ + dev_read_urand(httpd_$1_script_t) + + corecmd_exec_all_executables(httpd_$1_script_t) ++ application_exec_all(httpd_$1_script_t) + + files_exec_etc_files(httpd_$1_script_t) + files_read_etc_files(httpd_$1_script_t) +@@ -120,10 +116,6 @@ can_exec(httpd_$1_script_t, httpdcontent) ') @@ -5793,7 +5820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) -@@ -177,48 +168,6 @@ +@@ -177,48 +169,6 @@ miscfiles_read_localization(httpd_$1_script_t) ') @@ -5842,7 +5869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac optional_policy(` tunable_policy(`httpd_enable_cgi && allow_ypbind',` nis_use_ypbind_uncond(httpd_$1_script_t) -@@ -265,12 +214,19 @@ +@@ -265,12 +215,19 @@ template(`apache_per_role_template', ` gen_require(` attribute httpdcontent, httpd_script_domains; @@ -5864,7 +5891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac typeattribute httpd_$1_script_t httpd_script_domains; userdom_user_home_content($1,httpd_$1_content_t) -@@ -324,6 +280,7 @@ +@@ -324,6 +281,7 @@ userdom_search_user_home_dirs($1,httpd_t) userdom_search_user_home_dirs($1,httpd_suexec_t) userdom_search_user_home_dirs($1,httpd_$1_script_t) @@ -5872,7 +5899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -345,12 +302,11 @@ +@@ -345,12 +303,11 @@ # template(`apache_read_user_scripts',` gen_require(` 
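Review bot: `application_exec_all(httpd_$1_script_t)` is added directly under `corecmd_exec_all_executables(httpd_$1_script_t)` here, and the apache.te hunks later on this page (`+@@ -310,9 +347,7 @@` and `+@@ -590,8 +681,7 @@`) go further by replacing `corecmd_exec_bin`/`corecmd_exec_shell` for httpd_t and httpd_suexec_t with the same call. Whether that is a pure superset depends on bin_t and shell_exec_t carrying application_exec_type, which is not visible on this page: if they do not, httpd_t and httpd_suexec_t lose the perl and shell execution that the removed `# execute perl` comment and the kept `# for shell scripts` comment document; if they do, all three domains gain execute on every application_exec_type file, a broader grant for a network-facing daemon than the two lines being replaced. Either way, keep a why-comment on the new lines, e.g. `# execute perl, shell and other application executables`, and confirm the attribute membership in corecommands.te before relying on the replacement.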
@@ -5889,7 +5916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -371,12 +327,12 @@ +@@ -371,12 +328,12 @@ # template(`apache_read_user_content',` gen_require(` @@ -5906,7 +5933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -754,6 +710,7 @@ +@@ -754,6 +711,7 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -5914,7 +5941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -838,6 +795,10 @@ +@@ -838,6 +796,10 @@ type httpd_sys_script_t; ') @@ -5925,7 +5952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern($1, httpdcontent, httpd_sys_script_t) ') -@@ -925,7 +886,7 @@ +@@ -925,7 +887,7 @@ type httpd_squirrelmail_t; ') @@ -5934,7 +5961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1005,6 +966,31 @@ +@@ -1005,6 +967,31 @@ ######################################## ## @@ -5966,7 +5993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Search system script state directory. ## ## -@@ -1056,3 +1042,138 @@ +@@ -1056,3 +1043,138 @@ allow httpd_t $1:process signal; ') @@ -6107,7 +6134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-12-31 07:21:15.000000000 -0500 
@@ -1,5 +1,5 @@ -policy_module(apache,1.7.1) @@ -6258,7 +6285,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -330,6 +367,10 @@ +@@ -310,9 +347,7 @@ + + auth_use_nsswitch(httpd_t) + +-# execute perl +-corecmd_exec_bin(httpd_t) +-corecmd_exec_shell(httpd_t) ++application_exec_all(httpd_t) + + domain_use_interactive_fds(httpd_t) + +@@ -330,6 +365,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -6269,7 +6307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -344,12 +385,8 @@ +@@ -344,12 +383,8 @@ seutil_dontaudit_search_config(httpd_t) @@ -6282,7 +6320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`allow_httpd_anon_write',` miscfiles_manage_public_files(httpd_t) ') -@@ -358,8 +395,16 @@ +@@ -358,8 +393,16 @@ # # We need optionals to be able to be within booleans to make this work # @@ -6299,7 +6337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -367,6 +412,16 @@ +@@ -367,6 +410,16 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -6316,7 +6354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect_db',` # allow httpd to connect to mysql/posgresql corenet_tcp_connect_postgresql_port(httpd_t) -@@ -387,6 +442,10 @@ +@@ -387,6 +440,10 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') @@ -6327,7 +6365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -@@ -404,11 +463,21 @@ +@@ -404,11 +461,21 @@ fs_read_nfs_symlinks(httpd_t) ') 
@@ -6349,7 +6387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -430,6 +499,12 @@ +@@ -430,6 +497,12 @@ ') optional_policy(` @@ -6362,7 +6400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac calamaris_read_www_files(httpd_t) ') -@@ -442,8 +517,14 @@ +@@ -442,8 +515,14 @@ ') optional_policy(` @@ -6378,7 +6416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -457,11 +538,11 @@ +@@ -457,11 +536,11 @@ optional_policy(` mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) @@ -6391,7 +6429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -481,6 +562,7 @@ +@@ -481,6 +560,7 @@ ') optional_policy(` @@ -6399,7 +6437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -516,6 +598,13 @@ +@@ -516,6 +596,13 @@ userdom_use_sysadm_terms(httpd_helper_t) ') @@ -6413,7 +6451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -553,6 +642,7 @@ +@@ -553,6 +640,7 @@ optional_policy(` mysql_stream_connect(httpd_php_t) @@ -6421,7 +6459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -567,7 +657,6 @@ +@@ -567,7 +655,6 @@ allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; 
@@ -6429,7 +6467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -581,6 +670,10 @@ +@@ -581,6 +668,10 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -6440,7 +6478,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -620,8 +713,6 @@ +@@ -590,8 +681,7 @@ + fs_search_auto_mountpoints(httpd_suexec_t) + + # for shell scripts +-corecmd_exec_bin(httpd_suexec_t) +-corecmd_exec_shell(httpd_suexec_t) ++application_exec_all(httpd_suexec_t) + + files_read_etc_files(httpd_suexec_t) + files_read_usr_files(httpd_suexec_t) +@@ -620,8 +710,6 @@ corenet_udp_sendrecv_all_ports(httpd_suexec_t) corenet_tcp_connect_all_ports(httpd_suexec_t) corenet_sendrecv_all_client_packets(httpd_suexec_t) @@ -6449,7 +6497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -634,6 +725,12 @@ +@@ -634,6 +722,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -6462,7 +6510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -651,18 +748,6 @@ +@@ -651,18 +745,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -6481,7 +6529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -672,7 +757,8 @@ +@@ -672,7 +754,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; 
@@ -6491,7 +6539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -686,15 +772,62 @@ +@@ -686,15 +769,62 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -6555,7 +6603,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -707,6 +840,7 @@ +@@ -707,6 +837,7 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -6563,7 +6611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -728,3 +862,46 @@ +@@ -728,3 +859,46 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -7013,7 +7061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.0.8/policy/modules/services/clamav.fc --- nsaserefpolicy/policy/modules/services/clamav.fc 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/clamav.fc 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/clamav.fc 2007-12-31 09:05:48.000000000 -0500 @@ -5,16 +5,18 @@ /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) 
@@ -7030,9 +7078,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam -/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0) -/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0) -+/var/log/clamav(/.*)? gen_context(system_u:object_r:clamd_var_log_t,s0) ++/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0) /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) -+/var/log/clamav.milter -- gen_context(system_u:object_r:clamd_var_log_t,s0) ++/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.0.8/policy/modules/services/clamav.te @@ -7407,7 +7455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.0.8/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/cron.te 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/cron.te 2007-12-27 07:19:45.000000000 -0500 @@ -50,6 +50,7 @@ type crond_tmp_t; @@ -7472,7 +7520,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron corecmd_exec_shell(crond_t) corecmd_list_bin(crond_t) -@@ -146,7 +157,9 @@ +@@ -142,11 +153,14 @@ + files_search_default(crond_t) + + init_rw_utmp(crond_t) ++init_spec_domtrans_script(crond_t) + libs_use_ld_so(crond_t) libs_use_shared_libs(crond_t) @@ -7482,7 +7535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -160,6 +173,16 @@ +@@ -160,6 +174,16 @@ mta_send_mail(crond_t) 
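Review bot: `++/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)` replaces `/var/log/clamav(/.*)?`, so the pattern still covers the `/var/log/clamav` directory and everything under it but now also matches any sibling path that merely starts with `/var/log/clamav`, which is how the dedicated `/var/log/clamav.milter --` entry dropped in the same hunk gets absorbed; `/var/log/clamd.*` likewise matches any name beginning with clamd, not just the clamd log. Keeping freshclam's log out of clamd_var_log_t now rests on `/var/log/clamav/freshclam.* --` having the longer fixed prefix, which file-context matching prefers as far as I recall — worth confirming with `matchpathcon`. A comment above the two new lines, e.g. `# clamav.* also covers clamav.milter; freshclam.* below is more specific and wins`, would record that dependency.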
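Review bot: `+init_spec_domtrans_script(crond_t)` is added without a comment, and unlike the surrounding `init_rw_utmp`/`libs_use_*` lines it lets the cron daemon launch init scripts in the init-script domain (via an explicit setexeccon, if the interface is the spec-transition variant its name suggests), which is a notable widening of what crond_t may start. Record the job or tool that needs it on the line, e.g. `# <cron job>: runs init scripts via setexeccon`, so the grant can be traced back and dropped when it is no longer needed.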
@@ -7499,7 +7552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ifdef(`distro_debian',` optional_policy(` # Debian logcheck has the home dir set to its cache -@@ -180,29 +203,34 @@ +@@ -180,29 +204,34 @@ locallogin_link_keys(crond_t) ') @@ -7542,7 +7595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -239,7 +267,6 @@ +@@ -239,7 +268,6 @@ allow system_crond_t cron_var_lib_t:file manage_file_perms; files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file) @@ -7550,7 +7603,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -249,6 +276,8 @@ +@@ -249,6 +277,8 @@ # for this purpose. allow system_crond_t system_cron_spool_t:file entrypoint; @@ -7559,7 +7612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # Permit a transition from the crond_t domain to this domain. # The transition is requested explicitly by the modified crond # via setexeccon. There is no way to set up an automatic -@@ -270,9 +299,16 @@ +@@ -270,9 +300,16 @@ filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file }) files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file) @@ -7577,7 +7630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron kernel_read_kernel_sysctls(system_crond_t) kernel_read_system_state(system_crond_t) -@@ -326,7 +362,7 @@ +@@ -326,7 +363,7 @@ init_read_utmp(system_crond_t) init_dontaudit_rw_utmp(system_crond_t) # prelink tells init to restart it self, we either need to allow or dontaudit 
@@ -7586,7 +7639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron libs_use_ld_so(system_crond_t) libs_use_shared_libs(system_crond_t) -@@ -334,6 +370,7 @@ +@@ -334,6 +371,7 @@ libs_exec_ld_so(system_crond_t) logging_read_generic_logs(system_crond_t) @@ -7594,7 +7647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron logging_send_syslog_msg(system_crond_t) miscfiles_read_localization(system_crond_t) -@@ -384,6 +421,14 @@ +@@ -384,6 +422,14 @@ ') optional_policy(` @@ -7609,7 +7662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron mrtg_append_create_logs(system_crond_t) ') -@@ -424,8 +469,7 @@ +@@ -424,8 +470,7 @@ ') optional_policy(` @@ -7619,7 +7672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -433,15 +477,12 @@ +@@ -433,15 +478,12 @@ ') optional_policy(` @@ -8102,7 +8155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2007-12-21 16:31:32.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2007-12-24 06:13:08.000000000 -0500 @@ -50,6 +50,12 @@ ## # 
@@ -9688,7 +9741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd. +/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.0.8/policy/modules/services/lpd.if --- nsaserefpolicy/policy/modules/services/lpd.if 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/lpd.if 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/lpd.if 2007-12-31 06:38:31.000000000 -0500 @@ -303,6 +303,25 @@ ######################################## @@ -9715,7 +9768,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd. ## Create, read, write, and delete printer spool files. ## ## -@@ -394,3 +413,22 @@ +@@ -317,10 +336,8 @@ + ') + + files_search_spool($1) ++ manage_dirs_pattern($1,print_spool_t,print_spool_t) + manage_files_pattern($1,print_spool_t,print_spool_t) +- +- # cjp: cups wants setattr +- allow $1 print_spool_t:dir setattr; + ') + + ######################################## +@@ -394,3 +411,22 @@ domtrans_pattern($2, lpr_exec_t, $1_lpr_t) ') 
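Review bot: The interface body at `+@@ -317,10 +336,8 @@` now grants `manage_dirs_pattern($1,print_spool_t,print_spool_t)` in place of the narrower `allow $1 print_spool_t:dir setattr;` that the removed `# cjp: cups wants setattr` comment justified, so every caller can create, rename and delete spool directories rather than only set their attributes. The summary visible just above it, `Create, read, write, and delete printer spool files.`, no longer describes the grant; change it to `Create, read, write, and delete printer spool files and directories.`, and replace the dropped comment with one naming the consumer that needs directory management. The interface header is outside the inner hunk, so I cannot confirm its name from the page (the summary reads like lpd_manage_spool).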
@@ -9738,6 +9803,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd. + + can_exec($1,lpr_exec_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.0.8/policy/modules/services/mailman.if +--- nsaserefpolicy/policy/modules/services/mailman.if 2007-10-22 13:21:39.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/mailman.if 2007-12-31 14:17:27.000000000 -0500 +@@ -256,6 +256,25 @@ + + ####################################### + ## ++## read ++## mailman logs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mailman_read_log',` ++ gen_require(` ++ type mailman_log_t; ++ ') ++ ++ read_files_pattern($1,mailman_log_t,mailman_log_t) ++') ++ ++####################################### ++## + ## Append to mailman logs. + ## + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.0.8/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/mailman.te 2007-12-02 21:15:34.000000000 -0500 @@ -9853,7 +9947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-12-06 16:44:16.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-12-27 11:44:18.000000000 -0500 @@ -87,6 +87,8 @@ # It wants to check for nscd files_dontaudit_search_pids($1_mail_t) 
@@ -9967,7 +10061,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -447,20 +491,18 @@ +@@ -431,6 +475,7 @@ + # apache should set close-on-exec + apache_dontaudit_rw_stream_sockets($1) + apache_dontaudit_rw_sys_script_stream_sockets($1) ++ apache_append_log($1) + ') + ') + +@@ -447,20 +492,18 @@ interface(`mta_send_mail',` gen_require(` attribute mta_user_agent; @@ -9994,7 +10096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -595,6 +637,25 @@ +@@ -595,6 +638,25 @@ files_search_etc($1) allow $1 etc_aliases_t:file { rw_file_perms setattr }; ') @@ -10020,6 +10122,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ####################################### ## +@@ -901,3 +963,23 @@ + + allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; + ') ++ ++######################################## ++## ++## read mail queue files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_read_queue',` ++ gen_require(` ++ type mqueue_spool_t; ++ ') ++ ++ files_search_spool($1) ++ read_files_pattern($1,mqueue_spool_t,mqueue_spool_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-12-02 21:15:34.000000000 -0500 
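Review bot: `apache_append_log($1)` is added between two dontaudit rules whose comment says apache should be setting close-on-exec, so the same block now both silences and grants writes on a descriptor it treats as leaked; if the inherited httpd log fd is an apache bug, the consistent choice is a dontaudit of the append (if apache.if provides one), and if writing is actually wanted the comment above should say so. The template this block belongs to begins outside the hunk. The new `mta_read_queue` interface is reasonable as an interface, but because queue files carry full message bodies the summary should be explicit, e.g. `## Read mail queue files (these contain complete queued messages).`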
@@ -10116,6 +10242,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. smartmon_read_tmp_files(system_mail_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.0.8/policy/modules/services/munin.fc +--- nsaserefpolicy/policy/modules/services/munin.fc 2007-10-22 13:21:36.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/munin.fc 2007-12-26 20:33:19.000000000 -0500 +@@ -6,6 +6,6 @@ + /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) + + /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) +-/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0) ++/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) + /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) + /var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.0.8/policy/modules/services/munin.if --- nsaserefpolicy/policy/modules/services/munin.if 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/munin.if 2007-12-02 21:15:34.000000000 -0500 @@ -10235,7 +10372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.0.8/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mysql.te 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/mysql.te 2007-12-31 06:59:24.000000000 -0500 @@ -25,6 +25,9 @@ type mysqld_tmp_t; files_tmp_file(mysqld_tmp_t) 
@@ -10246,6 +10383,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ######################################## # # Local policy +@@ -33,7 +36,8 @@ + allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service }; + dontaudit mysqld_t self:capability sys_tty_config; + allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; +-allow mysqld_t self:fifo_file { read write }; ++allow mysqld_t self:fifo_file rw_fifo_file_perms; ++allow mysqld_t self:shm create_shm_file_perms; + allow mysqld_t self:unix_stream_socket create_stream_socket_perms; + allow mysqld_t self:tcp_socket create_stream_socket_perms; + allow mysqld_t self:udp_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.0.8/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/nagios.fc 2007-12-02 21:15:34.000000000 -0500 
@@ -10405,16 +10552,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.0.8/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.fc 2007-12-02 21:15:34.000000000 -0500 -@@ -5,3 +5,4 @@ ++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.fc 2007-12-31 08:48:19.000000000 -0500 +@@ -1,7 +1,9 @@ + /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) + /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) + + /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/log/wpa_supplicant.log -- gen_context(system_u:object_r:NetworkManager_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.0.8/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.if 2007-12-02 21:15:34.000000000 -0500 -@@ -97,3 +97,24 @@ ++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.if 2007-12-31 08:56:04.000000000 -0500 +@@ -97,3 +97,42 @@ allow $1 NetworkManager_t:dbus send_msg; allow NetworkManager_t $1:dbus send_msg; ') 
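Review bot: Labeling `/usr/sbin/NetworkManagerDispatcher` as `NetworkManager_exec_t` runs the dispatcher in `NetworkManager_t` with every privilege that daemon holds, and if, as its name suggests, its job is to execute administrator-supplied scripts, those scripts inherit that domain unless a transition exists for them. Consider whether a dedicated dispatcher domain, or at least a documented transition for the script directory, is the least-privilege choice, and record the decision with a comment beside the entry. The new `/var/log/wpa_supplicant.log` entry relies on the log-type correction to `NetworkManager_log_t` made later in this patch.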
@@ -10439,15 +10591,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + dontaudit $1 NetworkManager_t:dbus send_msg; + dontaudit NetworkManager_t $1:dbus send_msg; +') ++ ++######################################## ++## ++## Send a generic signal to NetworkManager ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_signal',` ++ gen_require(` ++ type NetworkManager_t; ++ ') ++ ++ allow $1 NetworkManager_t:process signal; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2007-12-26 20:31:56.000000000 -0500 @@ -13,6 +13,9 @@ type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) +type NetworkManager_log_t; -+files_pid_file(NetworkManager_log_t) ++logging_log_file(NetworkManager_log_t) + ######################################## # @@ -11217,7 +11387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.0.8/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2007-12-31 14:17:40.000000000 -0500 @@ -6,6 +6,14 @@ # Declarations # 
@@ -11309,15 +11479,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin -@@ -275,6 +302,7 @@ +@@ -275,6 +302,8 @@ optional_policy(` # for postalias mailman_manage_data_files(postfix_local_t) + mailman_append_log(postfix_local_t) ++ mailman_read_log(postfix_local_t) ') optional_policy(` -@@ -327,6 +355,8 @@ +@@ -327,6 +356,8 @@ files_read_etc_runtime_files(postfix_map_t) files_dontaudit_search_var(postfix_map_t) @@ -11326,7 +11497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post libs_use_ld_so(postfix_map_t) libs_use_shared_libs(postfix_map_t) -@@ -334,10 +364,6 @@ +@@ -334,10 +365,6 @@ miscfiles_read_localization(postfix_map_t) @@ -11337,7 +11508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) -@@ -350,10 +376,6 @@ +@@ -350,10 +377,6 @@ locallogin_dontaudit_use_fds(postfix_map_t) ') @@ -11348,7 +11519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix pickup local policy -@@ -377,7 +399,7 @@ +@@ -377,7 +400,7 @@ # Postfix pipe local policy # @@ -11357,7 +11528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t) -@@ -386,6 +408,10 @@ +@@ -386,6 +409,10 @@ rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) optional_policy(` @@ -11368,7 +11539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post procmail_domtrans(postfix_pipe_t) ') -@@ -394,6 +420,10 @@ +@@ -394,6 +421,10 @@ ') optional_policy(` 
@@ -11379,7 +11550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post uucp_domtrans_uux(postfix_pipe_t) ') -@@ -418,14 +448,17 @@ +@@ -418,14 +449,17 @@ term_dontaudit_use_all_user_ptys(postfix_postdrop_t) term_dontaudit_use_all_user_ttys(postfix_postdrop_t) @@ -11399,7 +11570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` ppp_use_fds(postfix_postqueue_t) ppp_sigchld(postfix_postqueue_t) -@@ -454,8 +487,6 @@ +@@ -454,8 +488,6 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -11408,7 +11579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix qmgr local policy -@@ -498,15 +529,11 @@ +@@ -498,15 +530,11 @@ term_use_all_user_ptys(postfix_showq_t) term_use_all_user_ttys(postfix_showq_t) @@ -11424,7 +11595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # connect to master process stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) -@@ -514,6 +541,8 @@ +@@ -514,6 +542,8 @@ allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -11433,7 +11604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_smtp_t) ') -@@ -538,9 +567,45 @@ +@@ -538,9 +568,45 @@ mta_read_aliases(postfix_smtpd_t) optional_policy(` 
@@ -11688,9 +11859,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ## Read PPP-writable configuration files. ## ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.0.8/policy/modules/services/ppp.te +--- nsaserefpolicy/policy/modules/services/ppp.te 2007-10-22 13:21:36.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/ppp.te 2007-12-31 08:55:01.000000000 -0500 +@@ -197,11 +197,7 @@ + ') + + optional_policy(` +- nis_use_ypbind(pppd_t) +-') +- +-optional_policy(` +- nscd_socket_use(pppd_t) ++ NetworkManager_signal(pppd_t) + ') + + optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.0.8/policy/modules/services/procmail.if +--- nsaserefpolicy/policy/modules/services/procmail.if 2007-10-22 13:21:36.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/procmail.if 2007-12-31 15:18:54.000000000 -0500 +@@ -39,3 +39,22 @@ + corecmd_search_bin($1) + can_exec($1,procmail_exec_t) + ') ++ ++######################################## ++## ++## Read procmail tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`procmail_read_tmp_files',` ++ gen_require(` ++ type procmail_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ allow $1 procmail_tmp_t:file read_file_perms; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.0.8/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/procmail.te 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/procmail.te 2007-12-26 18:17:07.000000000 -0500 @@ -30,6 +30,8 @@ allow procmail_t procmail_tmp_t:file manage_file_perms; files_tmp_filetrans(procmail_t, procmail_tmp_t, file) 
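Review bot: `NetworkManager_signal(pppd_t)` in the ppp.te hunk does not match the interface this same patch defines in networkmanager.if, which is spelled `networkmanager_signal`; m4 macro names are case-sensitive, so this call will either break the build or be emitted unexpanded. Use `networkmanager_signal(pppd_t)`. The hunk also drops `nis_use_ypbind(pppd_t)` and `nscd_socket_use(pppd_t)` with no mention in the commit message, which looks like collateral loss while editing the neighbouring `optional_policy` block rather than an intended change; restore them unless pppd provably no longer resolves names through ypbind or nscd. In `procmail_read_tmp_files`, `read_files_pattern($1,procmail_tmp_t,procmail_tmp_t)` would match the form used by the other read interfaces added in this patch.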
@@ -11739,7 +11952,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc ') optional_policy(` -@@ -129,3 +133,7 @@ +@@ -125,7 +129,12 @@ + corenet_udp_bind_generic_port(procmail_t) + corenet_dontaudit_udp_bind_all_ports(procmail_t) + ++ spamassassin_read_user_home_files(procmail_t) + spamassassin_exec(procmail_t) spamassassin_exec_client(procmail_t) spamassassin_read_lib_files(procmail_t) ') @@ -11772,6 +11990,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo ') ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.0.8/policy/modules/services/pyzor.te +--- nsaserefpolicy/policy/modules/services/pyzor.te 2007-10-22 13:21:39.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/pyzor.te 2007-12-31 15:18:29.000000000 -0500 +@@ -68,6 +68,8 @@ + + miscfiles_read_localization(pyzor_t) + ++mta_read_queue(pyzor_t) ++ + userdom_dontaudit_search_sysadm_home_dirs(pyzor_t) + + optional_policy(` +@@ -76,8 +78,13 @@ + ') + + optional_policy(` ++ procmail_read_tmp_files(pyzor_t) ++') ++ ++optional_policy(` + spamassassin_signal_spamd(pyzor_t) + spamassassin_read_spamd_tmp_files(pyzor_t) ++ userdom_read_user_home_content_files(unconfined,pyzor_t) + ') + + ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.fc serefpolicy-3.0.8/policy/modules/services/radius.fc --- nsaserefpolicy/policy/modules/services/radius.fc 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/radius.fc 2007-12-02 21:15:34.000000000 -0500 
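Review bot: `userdom_read_user_home_content_files(unconfined,pyzor_t)` sits inside the `optional_policy` block for spamassassin, but it is a userdomain interface with no dependency on that module, so it belongs in its own block; it also hard-codes the `unconfined` prefix, covering only that one user's home type. Separately, `mta_read_queue(pyzor_t)` unconditionally lets the pyzor network client read every queued message on the host rather than the one being checked; if pyzor receives the message over an inherited descriptor from spamd or procmail (which `procmail_read_tmp_files(pyzor_t)` hints at), a narrower rule may suffice, and the reason should be recorded with a comment such as `# pyzor reads the queued message it was handed; no spool-wide access intended` if that is the actual situation.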
@@ -13093,7 +13337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-12-17 13:48:38.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-12-31 15:41:55.000000000 -0500 @@ -20,19 +20,22 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -13108,8 +13352,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send # -allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config }; +-allow sendmail_t self:process signal; +allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; - allow sendmail_t self:process signal; ++allow sendmail_t self:process { signal signull }; allow sendmail_t self:fifo_file rw_fifo_file_perms; allow sendmail_t self:unix_stream_socket create_stream_socket_perms; allow sendmail_t self:unix_dgram_socket create_socket_perms; @@ -13454,7 +13699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.0.8/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if 2007-12-18 13:43:52.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if 2007-12-26 18:17:32.000000000 -0500 @@ -286,6 +286,12 @@ userdom_manage_user_home_content_symlinks($1,spamd_t) ') 
@@ -13468,7 +13713,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($1_spamassassin_t) fs_manage_nfs_files($1_spamassassin_t) -@@ -531,3 +537,21 @@ +@@ -472,6 +478,7 @@ + ') + + files_search_var_lib($1) ++ read_dirs_pattern($1,spamd_var_lib_t,spamd_var_lib_t) + read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t) + ') + +@@ -531,3 +538,56 @@ dontaudit $1 spamd_tmp_t:sock_file getattr; ') @@ -13490,9 +13743,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + + stream_connect_pattern($1,spamd_var_run_t,spamd_var_run_t,spamd_t) +') ++ ++######################################## ++## ++## Read spamassassin per user homedir ++## ++## ++##

++## Read spamassassin per user homedir ++##

++##

++## This is a templated interface, and should only ++## be called from a per-userdomain template. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++template(`spamassassin_read_user_home_files',` ++ gen_require(` ++ type user_spamassassin_home_t; ++ ') ++ ++ allow $1 user_spamassassin_home_t:dir list_dir_perms; ++ allow $1 user_spamassassin_home_t:file read_file_perms; ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.8/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-12-18 13:54:36.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-12-27 11:47:32.000000000 -0500 @@ -81,11 +81,12 @@ # var/lib files for spamd @@ -14279,8 +14567,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-12-04 15:52:53.000000000 -0500 -@@ -116,8 +116,7 @@ ++++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-12-31 07:34:12.000000000 -0500 +@@ -116,16 +116,19 @@ dev_rw_agp($1_xserver_t) dev_rw_framebuffer($1_xserver_t) dev_manage_dri_dev($1_xserver_t) 
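Review bot: `spamassassin_read_user_home_files` is declared as a template whose documentation lists a user-domain prefix followed by the domain, but its body grants access to `$1` and hard-codes `user_spamassassin_home_t`, so the documented and actual signatures disagree; procmail.te earlier in this patch calls it with a single argument, `spamassassin_read_user_home_files(procmail_t)`, matching the body rather than the docs. Either make it a plain `interface` documenting one parameter, the domain, or switch to `$1_spamassassin_home_t` with `allow $2 ...` and call it as `(user, procmail_t)` like the other per-user templates. As written, a reader of the `.if` file cannot tell which calling convention is intended.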
@@ -14290,7 +14578,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # raw memory access is needed if not using the frame buffer dev_read_raw_memory($1_xserver_t) dev_wx_raw_memory($1_xserver_t) -@@ -126,6 +125,8 @@ + # for other device nodes such as the NVidia binary-only driver + dev_rw_xserver_misc($1_xserver_t) ++ dev_setattr_xserver_misc_dev($1_xserver_t) ++ # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev($1_xserver_t) dev_rwx_zero($1_xserver_t) @@ -14299,7 +14590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domain_mmap_low($1_xserver_t) -@@ -141,10 +142,12 @@ +@@ -141,10 +144,12 @@ fs_getattr_xattr_fs($1_xserver_t) fs_search_nfs($1_xserver_t) fs_search_auto_mountpoints($1_xserver_t) @@ -14313,7 +14604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_unallocated_ttys($1_xserver_t) term_use_unallocated_ttys($1_xserver_t) -@@ -178,13 +181,7 @@ +@@ -178,13 +183,7 @@ auth_search_pam_console_data($1_xserver_t) ') @@ -14328,7 +14619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` rhgb_getpgid($1_xserver_t) -@@ -251,7 +248,7 @@ +@@ -251,7 +250,7 @@ userdom_user_home_content($1,$1_fonts_cache_t) type $1_fonts_config_t, fonts_config_type; @@ -14337,7 +14628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser type $1_iceauth_t; domain_type($1_iceauth_t) -@@ -282,11 +279,15 @@ +@@ -282,11 +281,15 @@ domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) allow $1_xserver_t $1_xauth_home_t:file { getattr read }; 
@@ -14353,7 +14644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t) manage_files_pattern($2,$1_fonts_t,$1_fonts_t) -@@ -316,6 +317,7 @@ +@@ -316,6 +319,7 @@ userdom_use_user_ttys($1,$1_xserver_t) userdom_setattr_user_ttys($1,$1_xserver_t) userdom_rw_user_tmpfs_files($1,$1_xserver_t) @@ -14361,7 +14652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_use_user_fonts($1,$1_xserver_t) xserver_rw_xdm_tmp_files($1_xauth_t) -@@ -324,13 +326,6 @@ +@@ -324,13 +328,6 @@ userhelper_search_config($1_xserver_t) ') @@ -14375,7 +14666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ############################## # # $1_xauth_t Local policy -@@ -353,12 +348,6 @@ +@@ -353,12 +350,6 @@ # allow ps to show xauth ps_process_pattern($2,$1_xauth_t) @@ -14388,7 +14679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domain_use_interactive_fds($1_xauth_t) files_read_etc_files($1_xauth_t) -@@ -387,6 +376,14 @@ +@@ -387,6 +378,14 @@ ') optional_policy(` @@ -14403,7 +14694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser nis_use_ypbind($1_xauth_t) ') -@@ -536,17 +533,16 @@ +@@ -536,17 +535,16 @@ template(`xserver_user_client_template',` gen_require(` @@ -14428,7 +14719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -555,25 +551,55 @@ +@@ -555,25 +553,55 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -14492,7 +14783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -626,6 +652,24 @@ +@@ -626,6 +654,24 @@ ######################################## ## 
@@ -14517,7 +14808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -659,6 +703,73 @@ +@@ -659,6 +705,73 @@ ######################################## ## @@ -14591,7 +14882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -927,6 +1038,7 @@ +@@ -927,6 +1040,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -14599,7 +14890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -987,6 +1099,37 @@ +@@ -987,6 +1101,37 @@ ######################################## ## @@ -14637,7 +14928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1136,7 +1279,7 @@ +@@ -1136,7 +1281,7 @@ type xdm_xserver_tmp_t; ') @@ -14646,31 +14937,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1325,3 +1468,82 @@ +@@ -1325,3 +1470,64 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') + +######################################## +## -+## Sigchld XDM -+## -+## -+## -+## Domain to not audit -+## -+## -+# -+interface(`xserver_xdm_sigchld',` -+ gen_require(` -+ type xdm_t; -+ ') -+ -+ allow $1 xdm_t:process sigchld; -+') -+ -+######################################## -+## +## Connect to apmd over an unix stream socket. +## +## 
@@ -15836,7 +16109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.8/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/init.if 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/init.if 2007-12-27 07:18:07.000000000 -0500 @@ -211,6 +211,21 @@ kernel_dontaudit_use_fds($1) ') @@ -16074,7 +16347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/init.te 2007-12-13 14:24:45.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/init.te 2007-12-31 09:16:41.000000000 -0500 @@ -10,6 +10,20 @@ # Declarations # @@ -16138,7 +16411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t userdom_shell_domtrans_sysadm(init_t) +',` + optional_policy(` -+ unconfined_shell_domtrans(init_t) ++ unconfined_shel_domtrans(init_t) + unconfined_domain(init_t) + ') ') @@ -16457,7 +16730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-12-17 11:22:51.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-12-27 11:39:05.000000000 -0500 
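Review bot: The init.te hunk rewrites `unconfined_shell_domtrans(init_t)` as `unconfined_shel_domtrans(init_t)`; unless unconfined.if in this tree really defines an interface with that spelling, the call will not expand and the build fails, or worse, init silently loses the intended unconfined transition. Keep `unconfined_shell_domtrans(init_t)` or fix the name at its definition instead. The `optional_policy` block is complete within the hunk, but the enclosing conditional starts before it.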
@@ -65,11 +65,15 @@ /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -16523,7 +16796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # vmware -@@ -284,3 +296,11 @@ +@@ -284,3 +296,14 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -16535,6 +16808,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/Adobe/Reader8/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib64/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.8/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/libraries.te 2007-12-10 16:27:26.000000000 -0500 @@ -16986,7 +17262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.8/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/logging.te 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/logging.te 2007-12-25 07:00:48.000000000 -0500 
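Review bot: The two libswscale entries label the library `textrel_shlib_t`, which permits `execmod` (text relocations) and so drops the W^X guarantee for that mapping in every domain that loads it; that is sometimes unavoidable for non-PIC builds, but it should be tracked rather than left permanent. The rest of libraries.fc already collapses both library directories, as the postfix `lib(64)?` entries just above show, so a single `/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` is the consistent form, ideally preceded by a comment naming the package that ships the non-PIC build.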
@@ -1,5 +1,5 @@ -policy_module(logging,1.7.3) @@ -17083,7 +17359,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin logging_send_syslog_msg(auditd_t) libs_use_ld_so(auditd_t) -@@ -194,6 +208,7 @@ +@@ -157,6 +171,10 @@ + userdom_dontaudit_search_sysadm_home_dirs(auditd_t) + + optional_policy(` ++ mta_send_mail(auditd_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(auditd_t) + ') + +@@ -194,6 +212,7 @@ fs_getattr_all_fs(klogd_t) fs_search_auto_mountpoints(klogd_t) @@ -17091,7 +17378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_use_interactive_fds(klogd_t) -@@ -241,12 +256,16 @@ +@@ -241,12 +260,16 @@ allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; @@ -17108,7 +17395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -255,6 +274,9 @@ +@@ -255,6 +278,9 @@ manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t) files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file }) @@ -17118,7 +17405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin allow syslogd_t syslogd_var_run_t:file manage_file_perms; files_pid_filetrans(syslogd_t,syslogd_var_run_t,file) -@@ -312,6 +334,7 @@ +@@ -312,6 +338,7 @@ domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) 
@@ -17501,7 +17788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.8/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/mount.te 2007-12-21 02:36:44.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/mount.te 2007-12-31 11:02:48.000000000 -0500 @@ -8,6 +8,13 @@ ## @@ -19148,7 +19435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-12-22 07:12:33.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-12-31 09:17:49.000000000 -0500 @@ -29,8 +29,9 @@ ') @@ -20217,7 +20504,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4574,6 +4757,7 @@ +@@ -4444,9 +4627,11 @@ + interface(`userdom_dontaudit_search_sysadm_home_dirs',` + gen_require(` + type sysadm_home_dir_t; ++ type user_home_dir_t; + ') + + dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; ++ dontaudit $1 user_home_dir_t:dir search_dir_perms; + ') + + ######################################## +@@ -4574,6 +4759,7 @@ allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms; read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t) read_lnk_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t) 
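Review bot: `userdom_dontaudit_search_sysadm_home_dirs` now also dontaudits `search` on `user_home_dir_t`, so an interface whose name and summary promise to silence only sysadm home lookups will suppress denials for every user's home directory in every existing caller (auditd, mysqld, pyzor and others touched by this patch). Suppressed denials are lost forensic signal; add a separate `userdom_dontaudit_search_user_home_dirs` interface and call it only from the domains that actually probe user homes, or at least rename and re-document this one so the wider effect is visible to callers.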
@@ -20225,7 +20524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4609,11 +4793,29 @@ +@@ -4609,11 +4795,29 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -20256,7 +20555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4633,6 +4835,14 @@ +@@ -4633,6 +4837,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -20271,7 +20570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5323,7 +5533,7 @@ +@@ -5323,7 +5535,7 @@ attribute user_tmpfile; ') @@ -20280,7 +20579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5346,6 +5556,25 @@ +@@ -5346,6 +5558,25 @@ ######################################## ## @@ -20306,7 +20605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Write all unprivileged users files in /tmp ## ## -@@ -5529,6 +5758,24 @@ +@@ -5529,6 +5760,24 @@ ######################################## ## @@ -20331,7 +20630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5559,3 +5806,419 @@ +@@ -5559,3 +5808,419 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') 
@@ -21199,7 +21498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.i
 +## Policy for guest user
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.8/policy/modules/users/guest.te
 --- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/users/guest.te 2007-12-21 16:23:42.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/users/guest.te 2007-12-22 07:19:20.000000000 -0500
 @@ -0,0 +1,12 @@
 +policy_module(guest,1.0.1)
 +userdom_restricted_user_template(guest)
