From ca1da1a0f73b37c7f6ed46947c4926f3c4928d6b Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Mar 15 2010 17:11:27 +0000
Subject: - Allow bluetooth sys_admin capability
- Fix label for libADM libraries
- Allow libvirt to set svrit_image_t label on sysfs
- Add shutdown policy from Dan Walsh
---
diff --git a/policy-20100106.patch b/policy-20100106.patch
index 00464c4..181449e 100644
--- a/policy-20100106.patch
+++ b/policy-20100106.patch
@@ -861,6 +861,180 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Declarations +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.fc serefpolicy-3.6.32/policy/modules/admin/shutdown.fc +--- nsaserefpolicy/policy/modules/admin/shutdown.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.6.32/policy/modules/admin/shutdown.fc 2010-03-11 21:20:40.173442296 +0100 +@@ -0,0 +1,5 @@ ++/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0) ++ ++/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) ++ ++/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.if serefpolicy-3.6.32/policy/modules/admin/shutdown.if +--- nsaserefpolicy/policy/modules/admin/shutdown.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.6.32/policy/modules/admin/shutdown.if 2010-03-11 21:27:17.562510150 +0100 +@@ -0,0 +1,100 @@ ++ ++## policy for shutdown ++ ++######################################## ++## ++## Execute a domain transition to run shutdown. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`shutdown_domtrans',` ++ gen_require(` ++ type shutdown_t, shutdown_exec_t; ++ ') ++ ++ domtrans_pattern($1, shutdown_exec_t, shutdown_t) ++ ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit shutdown_t $1:socket_class_set { read write }; ++ dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms; ++ ') ++') ++ ++ ++######################################## ++## ++## Execute shutdown in the shutdown domain, and ++## allow the specified role the shutdown domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the shutdown domain. 
++## ++## ++# ++interface(`shutdown_run',` ++ gen_require(` ++ type shutdown_t; ++ ') ++ ++ shutdown_domtrans($1) ++ role $2 types shutdown_t; ++') ++ ++######################################## ++## ++## Role access for shutdown ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`shutdown_role',` ++ gen_require(` ++ type shutdown_t; ++ ') ++ ++ role $1 types shutdown_t; ++ ++ shutdown_domtrans($2) ++ ++ ps_process_pattern($2, shutdown_t) ++ allow $2 shutdown_t:process signal; ++') ++ ++######################################## ++## ++## Send and receive messages from ++## shutdown over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`shutdown_dbus_chat',` ++ gen_require(` ++ type shutdown_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 shutdown_t:dbus send_msg; ++ allow shutdown_t $1:dbus send_msg; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.6.32/policy/modules/admin/shutdown.te +--- nsaserefpolicy/policy/modules/admin/shutdown.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.6.32/policy/modules/admin/shutdown.te 2010-03-11 21:21:02.264511203 +0100 +@@ -0,0 +1,57 @@ ++policy_module(shutdown,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type shutdown_t; ++type shutdown_exec_t; ++application_domain(shutdown_t, shutdown_exec_t) ++role system_r types shutdown_t; ++ ++type shutdown_etc_t; ++files_config_file(shutdown_etc_t) ++ ++type shutdown_var_run_t; ++files_pid_file(shutdown_var_run_t) ++ ++permissive shutdown_t; ++ ++######################################## ++# ++# shutdown local policy ++# ++ ++allow shutdown_t self:capability { kill setuid sys_tty_config }; ++allow shutdown_t self:process { fork signal }; ++ ++allow shutdown_t self:fifo_file manage_fifo_file_perms; ++allow shutdown_t self:unix_stream_socket create_stream_socket_perms; ++ 
++manage_files_pattern(shutdown_t, shutdown_etc_t, shutdown_etc_t) ++files_etc_filetrans(shutdown_t, shutdown_etc_t, file) ++ ++manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t) ++files_pid_filetrans(shutdown_t, shutdown_var_run_t, file) ++ ++files_read_etc_files(shutdown_t) ++files_read_generic_pids(shutdown_t) ++ ++term_use_all_terms(shutdown_t) ++ ++auth_use_nsswitch(shutdown_t) ++auth_write_login_records(shutdown_t) ++ ++init_dontaudit_write_utmp(shutdown_t) ++init_read_utmp(shutdown_t) ++init_telinit(shutdown_t) ++ ++logging_send_audit_msgs(shutdown_t) ++ ++miscfiles_read_localization(shutdown_t) ++ ++optional_policy(` ++ dbus_system_bus_client(shutdown_t) ++ dbus_connect_system_bus(shutdown_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.6.32/policy/modules/admin/smoltclient.te --- nsaserefpolicy/policy/modules/admin/smoltclient.te 2010-01-18 18:24:22.573543214 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/smoltclient.te 2010-01-25 11:03:49.548441857 +0100 @@ -1004,8 +1178,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 2010-01-18 18:24:22.590539929 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2010-03-03 10:39:47.586612078 +0100 -@@ -74,7 +74,11 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2010-03-11 22:17:04.177894107 +0100 +@@ -74,7 +74,15 @@ ') optional_policy(` @@ -1015,6 +1189,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + optional_policy(` ++ mozilla_exec_domtrans($3, $1_execmem_t) ++ ') ++ ++ optional_policy(` xserver_role($2, $1_execmem_t) ') ') 
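Review bot: The new domain in shutdown.te is declared `permissive shutdown_t;`, so none of the allow rules in this module are enforced yet and every domain that is granted `shutdown_domtrans` lands in a domain the kernel will not confine; that is an accepted bootstrap for a fresh module, but it needs a visible reminder so it is dropped before the policy is relied on. Since this same patch wires `shutdown_run` into the sysadm and unconfined roles and `shutdown_domtrans` into apcupsd_t, the permissive flag currently turns those transitions into an unconfined path. I would add next to the declaration: `# TODO: remove once shutdown_t has run in enforcing mode with no AVC denials`. The `setuid` in `allow shutdown_t self:capability { kill setuid sys_tty_config };` also deserves a one-line justification, as I cannot tell from the hunk which operation of shutdown(8) requires it.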
@@ -1243,7 +1421,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.32/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2010-01-18 18:24:22.605530382 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/gpg.te 2010-03-03 10:39:47.587612339 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/gpg.te 2010-03-11 21:20:40.181057088 +0100 @@ -112,11 +112,6 @@ userdom_use_user_terminals(gpg_t) @@ -1256,7 +1434,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # GPG helper local policy -@@ -271,6 +266,6 @@ +@@ -156,6 +151,7 @@ + # sign/encrypt user files + userdom_manage_user_tmp_files(gpg_t) + userdom_manage_user_home_content_files(gpg_t) ++userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) + + tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files(gpg_helper_t) +@@ -185,6 +181,8 @@ + # GPG agent local policy + # + ++domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) ++ + # rlimit: gpg-agent wants to prevent coredumps + allow gpg_agent_t self:process setrlimit; + +@@ -271,6 +269,6 @@ ') optional_policy(` 
@@ -1311,6 +1506,49 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.32/policy/modules/apps/mozilla.if +--- nsaserefpolicy/policy/modules/apps/mozilla.if 2010-01-18 18:24:22.624530355 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.if 2010-03-11 22:16:08.809566699 +0100 +@@ -210,3 +210,39 @@ + + allow $1 mozilla_t:tcp_socket rw_socket_perms; + ') ++ ++####################################### ++## ++## Execute mozilla_exec_t ++## in the specified domain. ++## ++## ++##

++## Execute a mozilla_exec_t ++## in the specified domain. ++##

++##

++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`mozilla_exec_domtrans',` ++ gen_require(` ++ type mozilla_exec_t; ++ ') ++ ++ allow $2 mozilla_exec_t:file entrypoint; ++ domtrans_pattern($1, mozilla_exec_t, $2) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 2010-01-18 18:24:22.626536127 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc 2010-01-21 18:31:18.271612626 +0100 @@ -1323,8 +1561,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.32/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 2010-01-18 18:24:22.627530248 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2010-03-03 10:39:47.590622757 +0100 -@@ -130,8 +130,6 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2010-03-15 11:21:13.428614633 +0100 +@@ -130,8 +132,6 @@ optional_policy(` pulseaudio_role($1, nsplugin_t) ') @@ -1333,7 +1571,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -321,3 +319,39 @@ +@@ -169,7 +169,7 @@ + domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t) + ') + +-####################################### ++###################################### + ## + ## The per role template for the nsplugin module. + ## +@@ -321,3 +322,39 @@ allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms; ') 
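Review bot: The description block of the new `mozilla_exec_domtrans` interface in mozilla.if repeats its summary, so a caller learns nothing about the contract, which from the body is exactly `allow $2 mozilla_exec_t:file entrypoint` plus `domtrans_pattern($1, mozilla_exec_t, $2)` and nothing else. I would replace the duplicated sentence with a description such as: `Grants $2 an entrypoint on mozilla_exec_t and a transition from $1; the caller must make $2 a complete domain (process rules, role authorization, IPC back to $1), since this interface provides none of that.` The only caller in this patch is execmem.if passing `$1_execmem_t`, which presumably means the browser then runs with the execmem domain's memory permissions, and a sentence stating that intended use would help future readers decide whether to call it.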
@@ -1459,7 +1706,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-01-18 18:24:22.632542198 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2010-03-04 16:47:02.048533186 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2010-03-15 12:23:36.288864417 +0100 +@@ -18,7 +18,7 @@ + interface(`pulseaudio_role',` + gen_require(` + type pulseaudio_t, pulseaudio_exec_t, print_spool_t; +- class dbus { send_msg }; ++ class dbus { acquire_svc send_msg }; + ') + + role $1 types pulseaudio_t; @@ -29,7 +29,7 @@ ps_process_pattern($2, pulseaudio_t) @@ -2248,7 +2504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(nmbd, udp,137,s0, udp,138,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-18 18:24:22.670530409 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-02-26 09:33:34.628548195 +0100 ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-03-15 10:19:23.322613725 +0100 @@ -64,6 +64,7 @@ /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0) 
@@ -2265,7 +2521,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) -@@ -104,6 +106,7 @@ +@@ -101,9 +103,12 @@ + /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) ++/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) ++/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0) /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) 
@@ -2273,27 +2534,54 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -145,6 +148,7 @@ - /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0) -+/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) - - /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) - -@@ -162,6 +166,8 @@ - /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) - /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) - -+/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0) -+ - /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0) - /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) - diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-01-18 18:24:22.673530022 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-02-26 09:33:41.069548571 +0100 -@@ -147,6 +147,24 @@ ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-03-15 11:20:54.084614154 +0100 +@@ -29,14 +29,39 @@ + + ######################################## + ## +-## Make the passed in type a type appropriate for +-## use on device nodes (usually files in /dev). ++## Make the specified type usable for device ++## nodes in a filesystem. + ## +-## ++## ++##

++## Make the specified type usable for device nodes ++## in a filesystem. Types used for device nodes that ++## do not use this interface, or an interface that ++## calls this one, will have unexpected behaviors ++## while the system is running. ++##

++##

++## Example: ++##

++##

++## type mydev_t; ++## dev_node(mydev_t) ++## allow mydomain_t mydev_t:chr_file read_chr_file_perms; ++##

++##

++## Related interfaces: ++##

++## ++##
++## + ## +-## The object type that will be used on device nodes. ++## Type to be used for device nodes. + ## + ## ++## + # + interface(`dev_node',` + gen_require(` +@@ -147,6 +172,24 @@ ######################################## ## @@ -2318,15 +2606,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create a directory in the device directory. ## ## -@@ -418,6 +436,24 @@ +@@ -436,6 +479,24 @@ ######################################## ## -+## Dontaudit getattr for generic character device files. ++## Read and write generic character device files. +## +## +## -+## Domain to dontaudit access. ++## Domain allowed access. +## +## +# @@ -2340,10 +2628,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## - ## Dontaudit setattr for generic character device files. + ## Do not audit attempts to set the attributes + ## of symbolic links in device directories (/dev). ## - ## -@@ -873,6 +909,42 @@ +@@ -873,6 +934,42 @@ ######################################## ## @@ -2386,7 +2674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Delete all block device files. ## ## -@@ -1398,6 +1470,42 @@ +@@ -1398,6 +1495,42 @@ rw_chr_files_pattern($1, device_t, crypt_device_t) ') @@ -2429,7 +2717,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## getattr the dri devices. -@@ -1728,6 +1836,24 @@ +@@ -1728,6 +1861,24 @@ ######################################## ## @@ -2454,7 +2742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Get the attributes of the ksm devices. ## ## -@@ -1963,7 +2089,7 @@ +@@ -1963,7 +2114,7 @@ ######################################## ## 
@@ -2463,7 +2751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1971,17 +2097,17 @@ +@@ -1971,17 +2122,17 @@ ## ## # @@ -2485,7 +2773,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1989,15 +2115,14 @@ +@@ -1989,15 +2140,14 @@ ## ## # 
@@ -2504,32 +2792,91 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## dontaudit getattr raw memory devices (e.g. /dev/mem). -@@ -2487,6 +2612,24 @@ +@@ -2018,7 +2168,7 @@ ######################################## ## -+## Dontaudit write the memory type range registers (MTRR). +-## dontaudit getattr raw memory devices (e.g. /dev/mem). ++## Read raw memory devices (e.g. /dev/mem). + ## + ## + ## +@@ -2026,34 +2176,35 @@ + ## + ## + # +-interface(`dev_dontaudit_read_memory_dev',` ++interface(`dev_read_raw_memory',` + gen_require(` +- type memory_device_t; ++ type device_t, memory_device_t; ++ attribute memory_raw_read; + ') + +- dontaudit $1 memory_device_t:chr_file read_chr_file_perms; ++ read_chr_files_pattern($1, device_t, memory_device_t) ++ ++ allow $1 self:capability sys_rawio; ++ typeattribute $1 memory_raw_read; + ') + + ######################################## + ## +-## Read raw memory devices (e.g. /dev/mem). ++## Do not audit attempts to read raw memory devices ++## (e.g. /dev/mem). + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dev_read_raw_memory',` ++interface(`dev_dontaudit_read_raw_memory',` + gen_require(` +- type device_t, memory_device_t; +- attribute memory_raw_read; ++ type memory_device_t; + ') + +- read_chr_files_pattern($1, device_t, memory_device_t) +- +- allow $1 self:capability sys_rawio; +- typeattribute $1 memory_raw_read; ++ dontaudit $1 memory_device_t:chr_file read_chr_file_perms; + ') + + ######################################## +@@ -2468,6 +2619,26 @@ + + ######################################## + ## ++## Do not audit attempts to write the memory type ++## range registers (MTRR). +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain to not audit. 
++## +## +# +interface(`dev_dontaudit_write_mtrr',` -+ gen_require(` -+ type mtrr_device_t; -+ ') ++ gen_require(` ++ type mtrr_device_t; ++ ') + + dontaudit $1 mtrr_device_t:chr_file write; ++ dontaudit $1 mtrr_device_t:file write; +') + +######################################## +## - ## Get the attributes of the network control device + ## Read and write the memory type range registers (MTRR). ## ## -@@ -2590,8 +2733,7 @@ +@@ -2590,8 +2761,7 @@ type device_t, null_device_t; ') @@ -2539,7 +2886,118 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3553,6 +3695,24 @@ +@@ -2835,13 +3005,28 @@ + ######################################## + ## + ## Read from random number generator +-## devices (e.g., /dev/random) ++## devices (e.g., /dev/random). + ## ++## ++##
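Review bot: `dev_dontaudit_read_memory_dev` is renamed to `dev_dontaudit_read_raw_memory` in devices.if; abrt.te is updated later in this patch, but any other module, in tree or third-party, still calling the old name will fail at policy build time, so either keep the old name as a thin deprecated wrapper that calls the new interface, or confirm with a grep that abrt was the only caller. The new `dev_dontaudit_write_mtrr` dontaudits `mtrr_device_t:file write` as well as `chr_file`; the `file` class only makes sense if something (e.g. a /proc/mtrr genfs entry) is labelled mtrr_device_t, which is not visible in this chunk, so please confirm or drop that second rule. A short comment on the `file` line would make the reason self-evident to the next reader.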

++## Allow the specified domain to read from random number ++## generator devices (e.g., /dev/random). Typically this is ++## used in situations when a cryptographically secure random ++## number is needed. ++##

++##

++## Related interface: ++##

++##
    ++##
  • dev_read_urand()
  • ++##
++##
+ ## + ## + ## Domain allowed access. + ## + ## ++## + # + interface(`dev_read_rand',` + gen_require(` +@@ -3383,13 +3568,22 @@ + + ######################################## + ## +-## Allow caller to read hardware state information. ++## Read hardware state information. + ## ++## ++##

++## Allow the specified domain to read the contents of ++## the sysfs filesystem. This filesystem contains ++## information, parameters, and other settings on the ++## hardware installed on the system. ++##

++##
+ ## + ## +-## The process type reading hardware state information. ++## Domain allowed access. + ## + ## ++## + # + interface(`dev_read_sysfs',` + gen_require(` +@@ -3425,13 +3619,54 @@ + + ######################################## + ## +-## Read from pseudo random devices (e.g., /dev/urandom) ++## Associate a file to a sysfs filesystem. + ## ++## ++## ++## The type of the file to be associated to sysfs. ++## ++## ++# ++interface(`dev_associate_sysfs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ allow $1 sysfs_t:filesystem associate; ++') ++ ++######################################## ++## ++## Read from pseudo random number generator devices (e.g., /dev/urandom). ++## ++## ++##

++## Allow the specified domain to read from pseudo random number ++## generator devices (e.g., /dev/urandom). Typically this is ++## used in situations when a cryptographically secure random ++## number is not necessarily needed. One example is the Stack ++## Smashing Protector (SSP, formerly known as ProPolice) support ++## that may be compiled into programs. ++##

++##

++## Related interface: ++##

++##
    ++##
  • dev_read_rand()
  • ++##
++##

++## Related tunable: ++##

++##
    ++##
  • global_ssp
  • ++##
++##
+ ## + ## + ## Domain allowed access. + ## + ## ++## + # + interface(`dev_read_urand',` + gen_require(` +@@ -3553,6 +3788,24 @@ ######################################## ## @@ -2564,13 +3022,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Mount a usbfs filesystem. ## ## -@@ -3741,6 +3901,24 @@ +@@ -3741,6 +3994,24 @@ getattr_chr_files_pattern($1, device_t, v4l_device_t) ') +###################################### +## -+## Read or write userio device. ++## Read and write userio device. +## +## +## @@ -4033,7 +4491,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.32/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2010-01-18 18:24:22.718544267 +0100 -+++ serefpolicy-3.6.32/policy/modules/roles/staff.te 2010-03-01 16:05:50.238492151 +0100 ++++ serefpolicy-3.6.32/policy/modules/roles/staff.te 2010-03-11 22:17:24.506733160 +0100 @@ -26,6 +26,8 @@ auth_domtrans_pam_console(staff_t) @@ -4074,7 +4532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol gnomeclock_dbus_chat(staff_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.32/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-01-18 18:24:22.719529727 +0100 -+++ serefpolicy-3.6.32/policy/modules/roles/sysadm.te 2010-03-05 09:36:36.292561297 +0100 ++++ serefpolicy-3.6.32/policy/modules/roles/sysadm.te 2010-03-11 21:20:40.181057088 +0100 @@ -29,6 +29,7 @@ corecmd_exec_shell(sysadm_t) 
@@ -4102,6 +4560,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +@@ -314,7 +320,11 @@ + ') + + optional_policy(` +- tzdata_domtrans(sysadm_t) ++ shutdown_run(sysadm_t, sysadm_r) ++') ++ ++optional_policy(` ++ tzdata_run(sysadm_t, sysadm_r) + ') + + optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 2010-01-18 18:24:22.720530134 +0100 +++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2010-02-02 10:47:12.668175161 +0100 @@ -4119,7 +4590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2010-01-18 18:24:22.722530039 +0100 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-03-09 15:42:45.872752800 +0100 ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-03-11 22:33:59.863510767 +0100 @@ -39,6 +39,8 @@ type unconfined_exec_t; init_system_domain(unconfined_t, unconfined_exec_t) 
@@ -4149,18 +4620,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -344,7 +350,7 @@ +@@ -344,7 +350,11 @@ ') optional_policy(` - tzdata_run(unconfined_t, unconfined_r) ++ shutdown_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` + tzdata_run(unconfined_usertype, unconfined_r) ') optional_policy(` +@@ -405,7 +415,8 @@ + type unconfined_execmem_t; + type nsplugin_exec_t; + ') +- domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) ++ #nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t) ++ #domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) + domtrans_pattern(unconfined_t, nsplugin_exec_t, unconfined_execmem_t) + ') + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2010-01-18 18:24:22.724546986 +0100 -+++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2010-02-16 17:36:22.545598200 +0100 ++++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2010-03-15 10:36:16.988623468 +0100 @@ -15,7 +15,7 @@ ## 
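Review bot: The unconfineduser.te hunk leaves two commented-out rules, `#nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t)` and `#domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)`, where the old mozilla transition used to be; commented-out policy is dead weight that the git history already preserves, so delete them. If the mozilla transition for unconfined_t is now expected to come from the `mozilla_exec_domtrans($3, $1_execmem_t)` call added to the execmem template earlier in this patch, a one-line comment saying so is far more useful than the stale lines, e.g. `# mozilla -> unconfined_execmem_t transition now comes from the execmem template`. I am inferring that replacement path from the execmem.if hunk; it is worth confirming that the unconfined user actually instantiates that template, otherwise this hunk silently drops the transition. The enclosing `optional_policy` block starts and ends outside the hunk.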
@@ -4181,6 +4666,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow mounting of file systems optional_policy(` tunable_policy(`xguest_mount_media',` +@@ -100,6 +104,7 @@ + tunable_policy(`xguest_connect_network',` + networkmanager_dbus_chat(xguest_t) + networkmanager_read_var_lib_files(xguest_t) ++ kernel_read_network_state(xguest_usertype) + corenet_tcp_connect_pulseaudio_port(xguest_usertype) + corenet_all_recvfrom_unlabeled(xguest_usertype) + corenet_all_recvfrom_netlabel(xguest_usertype) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.6.32/policy/modules/services/abrt.if --- nsaserefpolicy/policy/modules/services/abrt.if 2010-01-18 18:24:22.726539977 +0100 +++ serefpolicy-3.6.32/policy/modules/services/abrt.if 2010-02-01 21:01:00.945160840 +0100 @@ -4198,7 +4691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ###################################### diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-03-10 16:27:19.514618496 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-03-15 11:24:00.710614337 +0100 @@ -96,16 +96,19 @@ corenet_tcp_connect_ftp_port(abrt_t) corenet_tcp_connect_all_ports(abrt_t) @@ -4206,7 +4699,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +dev_getattr_all_chr_files(abrt_t) dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) - dev_dontaudit_read_memory_dev(abrt_t) +-dev_dontaudit_read_memory_dev(abrt_t) ++dev_dontaudit_read_raw_memory(abrt_t) +domain_getattr_all_domains(abrt_t) domain_read_all_domains_state(abrt_t) 
@@ -4475,7 +4969,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to read and write Apache diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-03-05 10:50:10.901811487 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-03-15 09:29:24.349614032 +0100 @@ -67,6 +67,13 @@ ## @@ -4499,7 +4993,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -363,10 +370,10 @@ +@@ -351,7 +358,8 @@ + + manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) + manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) +-files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir }) ++manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) ++files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file }) + + manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) + manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +@@ -363,10 +371,10 @@ manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) @@ -4512,7 +5016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) -@@ -400,6 +407,7 @@ +@@ -400,6 +408,7 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) 
@@ -4520,7 +5024,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(httpd_t) fs_read_iso9660_files(httpd_t) -@@ -483,8 +491,14 @@ +@@ -483,8 +492,14 @@ corenet_tcp_connect_pop_port(httpd_t) corenet_sendrecv_pop_client_packets(httpd_t) mta_send_mail(httpd_t) @@ -4536,7 +5040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_can_network_relay',` -@@ -588,6 +602,9 @@ +@@ -588,6 +603,9 @@ optional_policy(` cobbler_search_lib(httpd_t) @@ -4546,7 +5050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -612,6 +629,11 @@ +@@ -612,6 +630,11 @@ avahi_dbus_chat(httpd_t) ') ') @@ -4558,7 +5062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` kerberos_keytab_template(httpd, httpd_t) ') -@@ -756,8 +778,14 @@ +@@ -756,8 +779,14 @@ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) corenet_tcp_connect_mysqld_port(httpd_suexec_t) corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) @@ -4574,7 +5078,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` mysql_stream_connect(httpd_php_t) -@@ -895,6 +923,9 @@ +@@ -895,6 +924,9 @@ sysnet_read_config(httpd_sys_script_t) @@ -4584,7 +5088,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -906,6 +937,7 @@ +@@ -906,6 +938,7 @@ fs_manage_nfs_files(httpd_sys_script_t) fs_manage_nfs_symlinks(httpd_sys_script_t) fs_exec_nfs_files(httpd_sys_script_t) 
@@ -4592,7 +5096,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_nfs_dirs(httpd_suexec_t) fs_manage_nfs_files(httpd_suexec_t) -@@ -945,6 +976,7 @@ +@@ -945,6 +977,7 @@ fs_manage_cifs_files(httpd_suexec_t) fs_manage_cifs_symlinks(httpd_suexec_t) fs_exec_cifs_files(httpd_suexec_t) @@ -4602,7 +5106,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.6.32/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2009-09-16 16:01:19.000000000 +0200 -+++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te 2010-01-18 18:27:02.757542944 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te 2010-03-15 10:39:23.254614082 +0100 @@ -31,7 +31,7 @@ # @@ -4612,6 +5116,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow apcupsd_t self:fifo_file rw_file_perms; allow apcupsd_t self:unix_stream_socket create_stream_socket_perms; allow apcupsd_t self:tcp_socket create_stream_socket_perms; +@@ -99,6 +99,10 @@ + mta_system_content(apcupsd_tmp_t) + ') + ++optional_policy(` ++ shutdown_domtrans(apcupsd_t) ++') ++ + ######################################## + # + # apcupsd_cgi Declarations diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.6.32/policy/modules/services/arpwatch.te --- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-01-18 18:24:22.741530430 +0100 +++ serefpolicy-3.6.32/policy/modules/services/arpwatch.te 2010-02-11 20:25:58.833441037 +0100 
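Review bot: `shutdown_domtrans(apcupsd_t)` in apcupsd.te lets a daemon that holds `tcp_socket create_stream_socket_perms` (visible in the context lines of the same file) transition into shutdown_t, and shutdown.te in this patch declares that domain `permissive`, so until that flag is lifted a compromised apcupsd_t reaching the shutdown binary gets an effectively unconfined domain rather than a tightly-allowed one. The transition itself is the right model for a UPS daemon that has to halt the host; the point is only that the permissive declaration should be removed before this path is trusted, and a comment at the call site would record the dependency: `# UPS power-fail action: runs shutdown(8); shutdown_t must be enforcing`. Separately, in the apache.te hunk, `files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })` now lets a network-facing daemon create symlinks in /tmp; because they are labelled httpd_tmp_t other domains are not misdirected by them, but a comment naming the application that needs symlinks there would justify widening the filetrans.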
@@ -4644,6 +5159,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0)
+/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.6.32/policy/modules/services/avahi.if
+--- nsaserefpolicy/policy/modules/services/avahi.if 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/avahi.if 2010-03-15 12:20:34.422613978 +0100
+@@ -92,6 +92,7 @@
+ 
+ allow $1 avahi_t:dbus send_msg;
+ allow avahi_t $1:dbus send_msg;
++ allow avahi_t $1:file read;
+ ')
+ 
+ ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.32/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2010-01-18 18:24:22.745530450 +0100
+++ serefpolicy-3.6.32/policy/modules/services/bind.if 2010-03-01 15:52:05.256741085 +0100
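Review bot: `allow avahi_t $1:file read;` is added to an interface whose other visible rules are only the two dbus send_msg permissions, so every caller now also grants avahi read access to files carrying the caller's domain type — for a process domain that is typically its /proc/<pid> entries, but nothing in the hunk says so. A one-line comment above it, e.g. `# avahi reads the dbus peer's /proc/<pid> entries — confirm`, would record the reason, and the interface's description block should mention the extra access so callers know it is more than a dbus chat. The interface's header and description are outside this hunk.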
@@ -4673,6 +5199,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Send and receive datagrams to and from named. (Deprecated)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.32/policy/modules/services/bluetooth.te
+--- nsaserefpolicy/policy/modules/services/bluetooth.te 2010-01-18 18:24:22.747539993 +0100
++++ serefpolicy-3.6.32/policy/modules/services/bluetooth.te 2010-03-15 10:10:44.978613858 +0100
+@@ -54,7 +54,7 @@
+ # Bluetooth services local policy
+ #
+ 
+-allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_tty_config ipc_lock };
++allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
+ dontaudit bluetooth_t self:capability sys_tty_config;
+ allow bluetooth_t self:process { getcap setcap getsched signal_perms };
+ allow bluetooth_t self:fifo_file rw_fifo_file_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.6.32/policy/modules/services/cachefilesd.fc
--- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/cachefilesd.fc 2010-03-01 09:30:08.471741607 +0100
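Review bot: The `sys_admin` added to bluetooth_t's self:capability set carries no comment saying which operation needs it, and the changelog entry only restates the rule. CAP_SYS_ADMIN is the broadest capability in that set, so its justification matters more than for the narrower ones already granted; record the operation from the denial that motivated it above the allow, e.g. `# sys_admin: needed for <operation from the AVC denial — fill in>`. If that denial turns out to be a probe the daemon tolerates, a `dontaudit bluetooth_t self:capability sys_admin;` next to the existing sys_tty_config dontaudit is the tighter choice.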
@@ -5383,7 +5921,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2010-02-21 20:46:52.740325173 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2010-03-03 10:48:14.219612204 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2010-03-11 21:20:40.181057088 +0100 @@ -16,6 +16,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -5410,8 +5948,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -118,10 +119,10 @@ +@@ -116,12 +117,16 @@ + ') + optional_policy(` ++ shutdown_domtrans(consolekit_t) ++') ++ ++optional_policy(` xserver_read_xdm_pid(consolekit_t) xserver_read_user_xauth(consolekit_t) - xserver_common_app(consolekit_t) @@ -7101,7 +7645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/gpm\.pid -- gen_context(system_u:object_r:gpm_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2010-01-18 18:24:22.795530524 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/hal.te 2010-03-01 15:09:45.271494370 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/hal.te 2010-03-15 10:42:13.048864743 +0100 @@ -121,6 +121,7 @@ corenet_udp_sendrecv_all_ports(hald_t) 
@@ -7121,7 +7665,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol gpm_dontaudit_getattr_gpmctl(hald_t) ') -@@ -331,6 +336,10 @@ +@@ -322,6 +327,10 @@ + ') + + optional_policy(` ++ shutdown_domtrans(hald_t) ++') ++ ++optional_policy(` + udev_domtrans(hald_t) + udev_read_db(hald_t) + ') +@@ -331,6 +340,10 @@ ') optional_policy(` @@ -7381,7 +7936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2010-01-18 18:24:22.819530575 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2010-02-17 16:21:10.049863655 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2010-03-15 17:17:51.765854346 +0100 @@ -44,7 +44,7 @@ # Local policy # @@ -7391,7 +7946,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit mysqld_t self:capability sys_tty_config; allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; allow mysqld_t self:fifo_file rw_fifo_file_perms; -@@ -147,6 +147,8 @@ +@@ -56,6 +56,7 @@ + manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) + manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) + manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) ++manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) + files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) + + allow mysqld_t mysqld_etc_t:file read_file_perms; +@@ -147,6 +148,8 @@ dontaudit mysqld_safe_t self:capability sys_ptrace; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; 
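Review bot: `manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)` is added, but the `files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })` on the next visible line still has no `sock_file` in its class list, so a socket mysqld creates directly under /var/lib rather than inside an existing mysqld_db_t directory would keep the parent's label and the new rule would not reach it. If the socket only ever lives below /var/lib/mysql this is fine; otherwise extend the transition to `files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file sock_file })`. The later mysql.te hunk in this line is only renumbered.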
@@ -7400,7 +7963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) -@@ -156,6 +158,7 @@ +@@ -156,6 +159,7 @@ domain_read_all_domains_state(mysqld_safe_t) 
@@ -7788,6 +8351,48 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(ypxfr_t)
corenet_all_recvfrom_netlabel(ypxfr_t)
corenet_tcp_sendrecv_generic_if(ypxfr_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.6.32/policy/modules/services/nut.te
+--- nsaserefpolicy/policy/modules/services/nut.te 2010-01-18 18:24:22.836530501 +0100
++++ serefpolicy-3.6.32/policy/modules/services/nut.te 2010-03-15 12:18:24.764614391 +0100
+@@ -96,9 +96,6 @@
+ kernel_read_kernel_sysctls(nut_upsmon_t)
+ kernel_read_system_state(nut_upsmon_t)
+ 
+-# creates /etc/killpower
+-#files_manage_etc_files(nut_upsmon_t)
+-
+ # Creates /etc/killpower
+ files_manage_etc_runtime_files(nut_upsmon_t)
+ files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
+@@ -118,6 +115,12 @@
+ init_rw_utmp(nut_upsmon_t)
+ init_telinit(nut_upsmon_t)
+ 
++mta_send_mail(nut_upsmon_t)
++
++optional_policy(`
++ shutdown_domtrans(nut_upsmon_t)
++')
++
+ ########################################
+ #
+ # Local policy for upsdrvctl
+@@ -140,7 +143,6 @@
+ files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })
+ 
+ # /sbin/upsdrvctl executes other drivers
+-# can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
+ corecmd_exec_bin(nut_upsdrvctl_t)
+ corecmd_exec_sbin(nut_upsdrvctl_t)
+ 
+@@ -177,7 +179,6 @@
+ corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
+ corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
+-# corenet_tcp_connect_generic_port(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.32/policy/modules/services/nx.if
--- 
nsaserefpolicy/policy/modules/services/nx.if 2010-01-18 18:24:22.840530591 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nx.if 2010-01-26 14:43:43.595472728 +0100
@@ -8838,8 +9443,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute the master postdrop in the
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-18 18:24:22.855540671 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-18 18:27:02.768530934 +0100
-@@ -443,6 +443,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-03-15 12:17:32.531614479 +0100
+@@ -307,6 +307,8 @@
+ mta_delete_spool(postfix_local_t)
+ # For reading spamassasin
+ mta_read_config(postfix_local_t)
++# Handle vacation script
++mta_send_mail(postfix_local_t)
+ 
+ domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+ 
+@@ -443,6 +445,7 @@
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -8847,7 +9461,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -486,7 +487,7 @@
+@@ -459,6 +462,8 @@
+ allow postfix_postdrop_t self:tcp_socket create;
+ allow postfix_postdrop_t self:udp_socket create_socket_perms;
+ 
++allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
++
+ rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+ 
+ postfix_list_spool(postfix_postdrop_t)
+@@ -486,7 +491,7 @@
')
optional_policy(`
@@ -8856,7 +9479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -573,6 +574,8 @@
+@@ -573,6 +578,8 @@
# Postfix smtp delivery local policy
#
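Review bot: `allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };` is a cross-domain socket grant with no comment, unlike the `# Handle vacation script` line added to postfix_local_t in the preceding hunk of this file. If this is the socket postdrop inherits when postfix_local runs a vacation autoreply, say so above the rule, e.g. `# rw the stream socket inherited from postfix_local_t (vacation script)`, so a later reader can tell it from a deliberate IPC channel; if the underlying denial is only noise, a `dontaudit` is the tighter choice. The postfix_postdrop_t section this hunk sits in starts outside the hunk.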
@@ -10164,14 +10787,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.32/policy/modules/services/sssd.fc --- nsaserefpolicy/policy/modules/services/sssd.fc 2010-01-18 18:24:22.900529842 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/sssd.fc 2010-01-19 17:08:41.212631842 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/sssd.fc 2010-03-11 17:03:12.375269132 +0100 @@ -4,6 +4,8 @@ /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) +-/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) +/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) + - /var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) ++/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0) /var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if @@ -10722,7 +11346,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +logging_send_syslog_msg(usbmuxd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.32/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2010-01-18 18:24:22.913542181 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/virt.if 2010-03-03 10:40:17.331612366 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/virt.if 2010-03-15 10:19:23.356614270 +0100 @@ -194,6 +194,7 @@ files_search_var_lib($1) 
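Review bot: The file-context line for `/var/log/sssd(/.*)?` now names `sssd_var_log_t`, but nothing in the visible diff declares that type or gives sssd_t access to it — sssd.te is not touched in any hunk in view — so the new label only works if `type sssd_var_log_t;` with `logging_log_file(sssd_var_log_t)`, manage rules for sssd_t and a `logging_log_filetrans` already exist there; please confirm before this ships, since an undeclared type in a .fc breaks the policy build and a declared-but-unused one leaves sssd unable to write its log. Moving the log out of sssd_var_lib_t is the right direction.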
@@ -10741,7 +11365,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type $1_tmp_t; files_tmp_file($1_tmp_t) -@@ -457,6 +461,9 @@ +@@ -453,10 +457,14 @@ + type $1_image_t, virt_image_type; + files_type($1_image_t) + dev_node($1_image_t) ++ dev_associate_sysfs($1_image_t) + type $1_var_run_t; files_pid_file($1_var_run_t) @@ -10751,7 +11380,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern($1_t, $1_image_t, $1_image_t) manage_files_pattern($1_t, $1_image_t, $1_image_t) read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) -@@ -486,7 +493,6 @@ +@@ -486,7 +494,6 @@ optional_policy(` xserver_rw_shm($1_t) @@ -10823,8 +11452,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_generic_ptys(virt_domain) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2010-01-18 18:24:22.917530119 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-03-03 10:40:17.332611859 +0100 -@@ -51,17 +51,16 @@ ++++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-03-11 17:11:02.481510064 +0100 +@@ -51,17 +51,17 @@ # /tmp # @@ -10833,7 +11462,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0) -/tmp/\.X11-unix -d gen_context(system_u:object_r:xserver_tmp_t,s0) -/tmp/\.X11-unix/.* -s <> -+/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0) ++/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0) ++/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0) # # /usr 
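Review bot: `dev_associate_sysfs($1_image_t)` is added with no comment, and because it sits next to the `$1_`-prefixed type declarations of what appears to be a template, every domain instantiated from it gets the rule, not only libvirt's own image type; the changelog entry for it reads "svrit_image_t", which looks like a typo for virt_image_t. A short why-comment, e.g. `# image-type files may be created on sysfs (device passthrough) — confirm`, would record the reason. The template's header and the rest of its body are outside this hunk.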
@@ -10845,7 +11475,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) -@@ -102,6 +101,7 @@ +@@ -102,6 +102,7 @@ /var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0) @@ -10853,7 +11483,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) -@@ -114,9 +114,12 @@ +@@ -114,9 +115,12 @@ /var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) @@ -10867,7 +11497,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) -@@ -125,6 +128,8 @@ +@@ -125,6 +129,8 @@ /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) ') @@ -13118,7 +13748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2010-01-18 18:24:22.933540325 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/init.if 2010-03-03 10:40:17.345612249 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/init.if 2010-03-15 17:17:02.854604441 +0100 @@ -165,6 +165,7 @@ type init_t; role system_r; 
@@ -13171,7 +13801,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -775,8 +781,10 @@ +@@ -701,6 +707,10 @@ + ifdef(`enable_mls',` + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; + ') ++ ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit init_script_file_type $1:fifo_file rw_inherited_fifo_file_perms; ++ ') + ') + + ######################################## +@@ -775,8 +785,10 @@ interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -13182,7 +13823,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') -@@ -1686,3 +1694,26 @@ +@@ -1686,3 +1698,26 @@ allow $1 initrc_t:sem rw_sem_perms; ') 
@@ -13498,7 +14139,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_read_all_domains_state(iscsid_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-03-01 15:02:25.227490412 +0100
++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-03-15 09:55:26.375864536 +0100
+@@ -133,7 +133,7 @@
+ /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libADM.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
@@ -245,8 +245,12 @@
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
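Review bot: The replacement pattern `/usr/lib(64)?/libADM.*\.so.*` is looser than both the line it replaces and the entries immediately around it: `\.so.*` accepts any trailing text after `.so` (a stray `libADMfoo.so.bak` would match, for example), whereas the surrounding libGL/libatiadlxx/libavcodec entries use `\.so(\.[^/]*)*`, which only admits version suffixes. Since textrel_shlib_t is the label that tolerates text relocations, over-matching widens where execmod is permitted; suggest `/usr/lib(64)?/libADM.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. The hunk at `@@ -13512,7 +14162,17 @@` on the next line drops the two `/usr/lib/libADM5avformat` and `/usr/lib/libADM_coreImage` entries that this line now covers, so the pair of changes is consistent as long as the broadened match is intended.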
@@ -13512,7 +14162,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -396,10 +400,8 @@
+@@ -377,9 +381,6 @@
+ 
+ /usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+-/usr/lib/libADM5avformat\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib/libADM_coreImage\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-
+ /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+@@ -396,10 +397,8 @@
/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -13523,7 +14183,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -432,9 +434,22 @@
+@@ -432,9 +431,22 @@
/usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 378418a..9e2bcd3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 101%{?dist} +Release: 102%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,12 @@ exit 0 %endif %changelog +* Mon Mar 15 2010 Miroslav Grepl 3.6.32-102 +- Allow bluetooth sys_admin capability +- Fix label for libADM libraries +- Allow libvirt to set svrit_image_t label on sysfs +- Add shutdown policy from Dan Walsh + * Wed Mar 10 2010 Miroslav Grepl 3.6.32-101 - Allow nsplugin to manage pulseaudio homedir content