From ca51529d6b6d89bb6c664c69dc0bd828ae3a70f5 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jun 30 2008 20:52:56 +0000 Subject: - Allow gdm to read rpm database - Allow nsplugin to read mplayer config files --- diff --git a/policy-20080509.patch b/policy-20080509.patch index 4cfc0a3..d447b86 100644 --- a/policy-20080509.patch +++ b/policy-20080509.patch @@ -284,18 +284,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.4.2/policy/modules/admin/amanda.te --- nsaserefpolicy/policy/modules/admin/amanda.te 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/admin/amanda.te 2008-06-12 23:37:53.000000000 -0400 -@@ -82,8 +82,7 @@ ++++ serefpolicy-3.4.2/policy/modules/admin/amanda.te 2008-06-29 08:00:12.000000000 -0400 +@@ -82,8 +82,9 @@ allow amanda_t amanda_config_t:file { getattr read }; # access to amandas data structure -allow amanda_t amanda_data_t:dir { read search write }; -allow amanda_t amanda_data_t:file manage_file_perms; ++manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) +manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) ++filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) # access to amanda_dumpdates_t allow amanda_t amanda_dumpdates_t:file { getattr lock read write }; -@@ -220,6 +219,7 @@ +@@ -220,6 +221,7 @@ auth_use_nsswitch(amanda_recover_t) fstools_domtrans(amanda_t) @@ -700,6 +702,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te - dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr; - dontaudit mrtg_t root_t:lnk_file getattr; -') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.if serefpolicy-3.4.2/policy/modules/admin/netutils.if +--- nsaserefpolicy/policy/modules/admin/netutils.if 2008-06-12 23:25:08.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/admin/netutils.if 2008-06-30 13:16:57.000000000 -0400 +@@ -124,6 +124,24 @@ + + ######################################## + ## ++## Send generic signals to netutils. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`netutils_signal',` ++ gen_require(` ++ type netutils_t; ++ ') ++ ++ allow $1 netutils_t:process signal; ++') ++ ++######################################## ++## + ## Execute ping in the ping domain, and + ## allow the specified role the ping domain. + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.4.2/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2008-06-12 23:25:08.000000000 -0400 +++ serefpolicy-3.4.2/policy/modules/admin/netutils.te 2008-06-12 23:37:53.000000000 -0400 @@ -4543,8 +4573,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.4.2/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.4.2/policy/modules/apps/nsplugin.te 2008-06-12 23:37:51.000000000 -0400 -@@ -0,0 +1,215 @@ ++++ serefpolicy-3.4.2/policy/modules/apps/nsplugin.te 2008-06-29 08:22:17.000000000 -0400 +@@ -0,0 +1,217 @@ + +policy_module(nsplugin,1.0.0) + @@ -4577,189 +4607,191 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +userdom_user_home_content(user,nsplugin_home_t) +typealias nsplugin_home_t alias user_nsplugin_home_t; + -+ type nsplugin_t; -+ type nsplugin_config_t; -+ application_domain(nsplugin_t, nsplugin_exec_t) -+ application_domain(nsplugin_config_t, nsplugin_config_exec_t) ++type nsplugin_t; ++type nsplugin_config_t; ++application_domain(nsplugin_t, nsplugin_exec_t) ++application_domain(nsplugin_config_t, nsplugin_config_exec_t) + -+ ######################################## -+ # -+ # nsplugin local policy -+ # -+ allow nsplugin_t self:fifo_file rw_file_perms; -+ allow nsplugin_t self:process { ptrace getsched setsched signal_perms }; ++######################################## ++# ++# nsplugin local policy ++# ++allow nsplugin_t self:fifo_file rw_file_perms; ++allow nsplugin_t self:process { ptrace getsched setsched signal_perms }; + -+ allow nsplugin_t self:sem create_sem_perms; -+ allow nsplugin_t self:shm create_shm_perms; -+ allow nsplugin_t self:msgq create_msgq_perms; -+ allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; ++allow nsplugin_t self:sem create_sem_perms; ++allow nsplugin_t self:shm create_shm_perms; ++allow nsplugin_t self:msgq create_msgq_perms; ++allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; + -+ tunable_policy(`allow_nsplugin_execmem',` -+ allow nsplugin_t self:process { execstack execmem }; -+ allow nsplugin_config_t self:process { execstack execmem }; -+ ') ++tunable_policy(`allow_nsplugin_execmem',` ++ allow nsplugin_t self:process { execstack execmem }; ++ allow nsplugin_config_t self:process { execstack execmem }; ++') + -+ manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) -+ exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) -+ manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) -+ manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) -+ userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir}) -+ unprivuser_dontaudit_write_home_content_files(nsplugin_t) -+ -+ corecmd_exec_bin(nsplugin_t) -+ corecmd_exec_shell(nsplugin_t) -+ -+ corenet_all_recvfrom_unlabeled(nsplugin_t) -+ corenet_all_recvfrom_netlabel(nsplugin_t) -+ corenet_tcp_connect_flash_port(nsplugin_t) -+ corenet_tcp_connect_pulseaudio_port(nsplugin_t) -+ corenet_tcp_connect_http_port(nsplugin_t) -+ corenet_tcp_sendrecv_generic_if(nsplugin_t) -+ corenet_tcp_sendrecv_all_nodes(nsplugin_t) -+ -+ domain_dontaudit_read_all_domains_state(nsplugin_t) -+ -+ dev_read_rand(nsplugin_t) -+ dev_read_sound(nsplugin_t) -+ dev_write_sound(nsplugin_t) -+ dev_read_video_dev(nsplugin_t) -+ dev_write_video_dev(nsplugin_t) -+ -+ kernel_read_kernel_sysctls(nsplugin_t) -+ kernel_read_system_state(nsplugin_t) -+ -+ files_read_usr_files(nsplugin_t) -+ files_read_etc_files(nsplugin_t) -+ -+ fs_list_inotifyfs(nsplugin_t) -+ fs_manage_tmpfs_files(nsplugin_t) -+ fs_getattr_tmpfs(nsplugin_t) -+ fs_getattr_xattr_fs(nsplugin_t) -+ -+ term_dontaudit_getattr_all_user_ptys(nsplugin_t) -+ term_dontaudit_getattr_all_user_ttys(nsplugin_t) -+ -+ auth_use_nsswitch(nsplugin_t) -+ -+ libs_use_ld_so(nsplugin_t) -+ libs_use_shared_libs(nsplugin_t) -+ libs_exec_ld_so(nsplugin_t) -+ -+ miscfiles_read_localization(nsplugin_t) -+ miscfiles_read_fonts(nsplugin_t) -+ -+ unprivuser_manage_tmp_dirs(nsplugin_t) -+ unprivuser_manage_tmp_files(nsplugin_t) -+ unprivuser_manage_tmp_sockets(nsplugin_t) -+ userdom_tmp_filetrans_user_tmp(user, nsplugin_t, { file dir sock_file }) -+ unprivuser_read_tmpfs_files(nsplugin_t) -+ unprivuser_rw_semaphores(nsplugin_t) -+ unprivuser_delete_tmpfs_files(nsplugin_t) -+ -+ unprivuser_read_home_content_symlinks(nsplugin_t) -+ unprivuser_read_home_content_files(nsplugin_t) -+ unprivuser_read_tmp_files(nsplugin_t) -+ userdom_write_user_tmp_sockets(user, nsplugin_t) -+ unprivuser_dontaudit_append_home_content_files(nsplugin_t) -+ userdom_dontaudit_manage_user_tmp_files(user, nsplugin_t) ++manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir}) ++unprivuser_dontaudit_write_home_content_files(nsplugin_t) ++ ++corecmd_exec_bin(nsplugin_t) ++corecmd_exec_shell(nsplugin_t) ++ ++corenet_all_recvfrom_unlabeled(nsplugin_t) ++corenet_all_recvfrom_netlabel(nsplugin_t) ++corenet_tcp_connect_flash_port(nsplugin_t) ++corenet_tcp_connect_pulseaudio_port(nsplugin_t) ++corenet_tcp_connect_http_port(nsplugin_t) ++corenet_tcp_sendrecv_generic_if(nsplugin_t) ++corenet_tcp_sendrecv_all_nodes(nsplugin_t) ++ ++domain_dontaudit_read_all_domains_state(nsplugin_t) ++ ++dev_read_rand(nsplugin_t) ++dev_read_sound(nsplugin_t) ++dev_write_sound(nsplugin_t) ++dev_read_video_dev(nsplugin_t) ++dev_write_video_dev(nsplugin_t) ++ ++kernel_read_kernel_sysctls(nsplugin_t) ++kernel_read_system_state(nsplugin_t) ++ ++files_read_usr_files(nsplugin_t) ++files_read_etc_files(nsplugin_t) ++files_read_config_files(nsplugin_t) ++ ++fs_list_inotifyfs(nsplugin_t) ++fs_manage_tmpfs_files(nsplugin_t) ++fs_getattr_tmpfs(nsplugin_t) ++fs_getattr_xattr_fs(nsplugin_t) ++ ++term_dontaudit_getattr_all_user_ptys(nsplugin_t) ++term_dontaudit_getattr_all_user_ttys(nsplugin_t) ++ ++auth_use_nsswitch(nsplugin_t) ++ ++libs_use_ld_so(nsplugin_t) ++libs_use_shared_libs(nsplugin_t) ++libs_exec_ld_so(nsplugin_t) ++ ++miscfiles_read_localization(nsplugin_t) ++miscfiles_read_fonts(nsplugin_t) ++ ++unprivuser_manage_tmp_dirs(nsplugin_t) ++unprivuser_manage_tmp_files(nsplugin_t) ++unprivuser_manage_tmp_sockets(nsplugin_t) ++userdom_tmp_filetrans_user_tmp(user, nsplugin_t, { file dir sock_file }) ++unprivuser_read_tmpfs_files(nsplugin_t) ++unprivuser_rw_semaphores(nsplugin_t) ++unprivuser_delete_tmpfs_files(nsplugin_t) ++ ++unprivuser_read_home_content_symlinks(nsplugin_t) ++unprivuser_read_home_content_files(nsplugin_t) ++unprivuser_read_tmp_files(nsplugin_t) ++userdom_write_user_tmp_sockets(user, nsplugin_t) ++unprivuser_dontaudit_append_home_content_files(nsplugin_t) ++userdom_dontaudit_manage_user_tmp_files(user, nsplugin_t) + -+ optional_policy(` -+ alsa_read_rw_config(nsplugin_t) -+ ') ++optional_policy(` ++ alsa_read_rw_config(nsplugin_t) ++') + -+ optional_policy(` -+ gnome_exec_gconf(nsplugin_t) -+ gnome_manage_user_gnome_config(user, nsplugin_t) -+ ') ++optional_policy(` ++ gnome_exec_gconf(nsplugin_t) ++ gnome_manage_user_gnome_config(user, nsplugin_t) ++') + -+ optional_policy(` -+ mozilla_read_user_home_files(user, nsplugin_t) -+ mozilla_write_user_home_files(user, nsplugin_t) -+ ') ++optional_policy(` ++ mozilla_read_user_home_files(user, nsplugin_t) ++ mozilla_write_user_home_files(user, nsplugin_t) ++') + -+ optional_policy(` -+ mplayer_exec(nsplugin_t) -+ ') ++optional_policy(` ++ mplayer_exec(nsplugin_t) ++') + -+ optional_policy(` -+ unconfined_execmem_signull(nsplugin_t) -+ unconfined_delete_tmpfs_files(nsplugin_t) -+ ') ++optional_policy(` ++ unconfined_execmem_signull(nsplugin_t) ++ unconfined_delete_tmpfs_files(nsplugin_t) ++') + -+ optional_policy(` -+ xserver_stream_connect_xdm_xserver(nsplugin_t) -+ xserver_xdm_rw_shm(nsplugin_t) -+ xserver_read_xdm_tmp_files(nsplugin_t) -+ xserver_read_xdm_pid(nsplugin_t) -+ xserver_read_user_xauth(user, nsplugin_t) -+ xserver_use_user_fonts(user, nsplugin_t) -+ xserver_manage_home_fonts(nsplugin_t) -+ ') ++optional_policy(` ++ xserver_stream_connect_xdm_xserver(nsplugin_t) ++ xserver_xdm_rw_shm(nsplugin_t) ++ xserver_read_xdm_tmp_files(nsplugin_t) ++ xserver_read_xdm_pid(nsplugin_t) ++ xserver_read_user_xauth(user, nsplugin_t) ++ xserver_use_user_fonts(user, nsplugin_t) ++ xserver_manage_home_fonts(nsplugin_t) ++') + -+ ######################################## -+ # -+ # nsplugin_config local policy -+ # ++######################################## ++# ++# nsplugin_config local policy ++# + -+ allow nsplugin_config_t self:capability { sys_nice setuid setgid }; -+ allow nsplugin_config_t self:process { setsched sigkill getsched execmem }; ++allow nsplugin_config_t self:capability { sys_nice setuid setgid }; ++allow nsplugin_config_t self:process { setsched sigkill getsched execmem }; + -+ allow nsplugin_config_t self:fifo_file rw_file_perms; -+ allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms; ++allow nsplugin_config_t self:fifo_file rw_file_perms; ++allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms; + -+ fs_list_inotifyfs(nsplugin_config_t) ++fs_list_inotifyfs(nsplugin_config_t) + -+ can_exec(nsplugin_config_t, nsplugin_rw_t) -+ manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) -+ manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) -+ manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) ++can_exec(nsplugin_config_t, nsplugin_rw_t) ++manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) ++manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) ++manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) + -+ manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) -+ manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) -+ manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) ++manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) ++manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) ++manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) + -+ corecmd_exec_bin(nsplugin_config_t) -+ corecmd_exec_shell(nsplugin_config_t) ++corecmd_exec_bin(nsplugin_config_t) ++corecmd_exec_shell(nsplugin_config_t) + -+ kernel_read_system_state(nsplugin_config_t) ++kernel_read_system_state(nsplugin_config_t) + -+ files_read_etc_files(nsplugin_config_t) -+ files_read_usr_files(nsplugin_config_t) -+ files_dontaudit_search_home(nsplugin_config_t) ++files_read_etc_files(nsplugin_config_t) ++files_read_usr_files(nsplugin_config_t) ++files_dontaudit_search_home(nsplugin_config_t) ++files_list_tmp(nsplugin_config_t) + -+ auth_use_nsswitch(nsplugin_config_t) ++auth_use_nsswitch(nsplugin_config_t) + -+ libs_use_ld_so(nsplugin_config_t) -+ libs_use_shared_libs(nsplugin_config_t) ++libs_use_ld_so(nsplugin_config_t) ++libs_use_shared_libs(nsplugin_config_t) + -+ miscfiles_read_localization(nsplugin_config_t) -+ miscfiles_read_fonts(nsplugin_config_t) ++miscfiles_read_localization(nsplugin_config_t) ++miscfiles_read_fonts(nsplugin_config_t) + -+ userdom_search_all_users_home_content(nsplugin_config_t) ++userdom_search_all_users_home_content(nsplugin_config_t) + -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_dirs(nsplugin_t) -+ fs_manage_nfs_files(nsplugin_t) -+ fs_manage_nfs_dirs(nsplugin_config_t) -+ fs_manage_nfs_files(nsplugin_config_t) -+ ') ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(nsplugin_t) ++ fs_manage_nfs_files(nsplugin_t) ++ fs_manage_nfs_dirs(nsplugin_config_t) ++ fs_manage_nfs_files(nsplugin_config_t) ++') + -+ tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(nsplugin_t) -+ fs_manage_cifs_files(nsplugin_t) -+ fs_manage_cifs_dirs(nsplugin_config_t) -+ fs_manage_cifs_files(nsplugin_config_t) -+ ') ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(nsplugin_t) ++ fs_manage_cifs_files(nsplugin_t) ++ fs_manage_cifs_dirs(nsplugin_config_t) ++ fs_manage_cifs_files(nsplugin_config_t) ++') + -+ domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t) ++domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t) + -+ optional_policy(` -+ xserver_read_home_fonts(nsplugin_config_t) -+ ') ++optional_policy(` ++ xserver_read_home_fonts(nsplugin_config_t) ++') + -+ optional_policy(` -+ mozilla_read_user_home_files(user, nsplugin_config_t) -+ ') ++optional_policy(` ++ mozilla_read_user_home_files(user, nsplugin_config_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.4.2/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.4.2/policy/modules/apps/openoffice.fc 2008-06-12 23:37:51.000000000 -0400 @@ -9278,7 +9310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.if serefpolicy-3.4.2/policy/modules/services/aide.if --- nsaserefpolicy/policy/modules/services/aide.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/services/aide.if 2008-06-12 23:37:52.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/services/aide.if 2008-06-30 16:04:01.000000000 -0400 @@ -70,9 +70,11 @@ allow $1 aide_t:process { ptrace signal_perms }; ps_process_pattern($1, aide_t) @@ -12440,7 +12472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.4.2/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/services/cron.if 2008-06-12 23:37:52.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/services/cron.if 2008-06-30 08:30:16.000000000 -0400 @@ -35,38 +35,23 @@ # template(`cron_per_role_template',` @@ -13655,10 +13687,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + +sysadm_dontaudit_read_home_content_files(cups_pdf_t) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.fc serefpolicy-3.4.2/policy/modules/services/cvs.fc +--- nsaserefpolicy/policy/modules/services/cvs.fc 2008-06-12 23:25:05.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/services/cvs.fc 2008-06-30 16:00:10.000000000 -0400 +@@ -5,3 +5,6 @@ + + /var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) + ++#CVSWeb file context ++/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) ++/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.4.2/policy/modules/services/cvs.if --- nsaserefpolicy/policy/modules/services/cvs.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/services/cvs.if 2008-06-12 23:37:52.000000000 -0400 -@@ -36,3 +36,72 @@ ++++ serefpolicy-3.4.2/policy/modules/services/cvs.if 2008-06-30 16:04:16.000000000 -0400 +@@ -36,3 +36,70 @@ can_exec($1,cvs_exec_t) ') @@ -13706,15 +13748,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. +# +interface(`cvs_admin',` + gen_require(` -+ type cvs_t; ++ type cvs_t, cvs_tmp_t; ++ type cvs_data_t, cvs_var_run_t; + type cvs_script_exec_t; -+ type cvs_tmp_t; -+ type cvs_data_t; -+ type cvs_var_run_t; + ') + -+ allow $1 cvs_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, cvs_t, cvs_t) ++ allow $1 cvs_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, cvs_t) + + # Allow cvs_t to restart the apache service + cvs_script_domtrans($1) @@ -13733,7 +13773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.4.2/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/services/cvs.te 2008-06-12 23:37:51.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/services/cvs.te 2008-06-30 16:00:42.000000000 -0400 @@ -28,6 +28,9 @@ type cvs_var_run_t; files_pid_file(cvs_var_run_t) @@ -13761,15 +13801,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. mta_send_mail(cvs_t) # cjp: typeattribute doesnt work in conditionals yet -@@ -102,11 +104,3 @@ - kerberos_read_config(cvs_t) +@@ -103,10 +105,13 @@ kerberos_dontaudit_write_config(cvs_t) ') -- + -optional_policy(` - nis_use_ypbind(cvs_t) -') -- ++######################################## ++# CVSWeb policy ++ ++apache_content_template(cvs) ++ ++read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) ++manage_dirs_pattern(httpd_cvs_script_t_t,cvs_tmp_t,cvs_tmp_t) ++manage_files_pattern(httpd_cvs_script_t,cvs_tmp_t,cvs_tmp_t) ++files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) + -optional_policy(` - nscd_socket_use(cvs_t) -') @@ -15531,7 +15579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.4.2/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/services/exim.te 2008-06-12 23:37:52.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/services/exim.te 2008-06-30 13:59:08.000000000 -0400 @@ -21,9 +21,20 @@ ## gen_tunable(exim_manage_user_files,false) @@ -15621,7 +15669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim files_read_etc_files(exim_t) auth_use_nsswitch(exim_t) -@@ -99,23 +125,90 @@ +@@ -99,23 +125,95 @@ logging_send_syslog_msg(exim_t) miscfiles_read_localization(exim_t) @@ -15671,7 +15719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + tunable_policy(`exim_can_connect_db',` + mysql_stream_connect(exim_t) + ') - ') ++') + +optional_policy(` + tunable_policy(`exim_can_connect_db',` @@ -15686,13 +15734,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + +optional_policy(` + procmail_domtrans(exim_t) -+') + ') + +optional_policy(` + sasl_connect(exim_t) +') + +optional_policy(` ++ cron_read_pipes(exim_t) ++ cron_rw_system_job_pipes(exim_t) ++') ++ ++optional_policy(` + cyrus_stream_connect(exim_t) +') + @@ -17602,18 +17655,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.4.2/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/services/mta.fc 2008-06-12 23:37:52.000000000 -0400 -@@ -11,8 +11,10 @@ ++++ serefpolicy-3.4.2/policy/modules/services/mta.fc 2008-06-30 13:24:59.000000000 -0400 +@@ -11,6 +11,7 @@ /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - - /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +@@ -21,7 +22,3 @@ + /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) + /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) + /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +- +-#ifdef(`postfix.te', `', ` +-#/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +-#') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.4.2/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2008-06-12 23:25:05.000000000 -0400 +++ serefpolicy-3.4.2/policy/modules/services/mta.if 2008-06-12 23:37:52.000000000 -0400 @@ -17809,7 +17867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.4.2/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/services/mta.te 2008-06-24 05:41:16.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/services/mta.te 2008-06-30 08:33:53.000000000 -0400 @@ -6,6 +6,8 @@ # Declarations # @@ -17944,11 +18002,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. optional_policy(` # why is mail delivered to a directory of type arpwatch_data_t? arpwatch_search_data(mailserver_delivery) -@@ -154,3 +214,4 @@ +@@ -154,3 +214,5 @@ cron_read_system_job_tmp_files(mta_user_agent) ') ') + ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.4.2/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2008-06-12 23:25:05.000000000 -0400 +++ serefpolicy-3.4.2/policy/modules/services/munin.fc 2008-06-12 23:37:52.000000000 -0400 @@ -20071,8 +20130,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.4.2/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.4.2/policy/modules/services/polkit.te 2008-06-12 23:37:52.000000000 -0400 -@@ -0,0 +1,219 @@ ++++ serefpolicy-3.4.2/policy/modules/services/polkit.te 2008-06-30 10:21:36.000000000 -0400 +@@ -0,0 +1,221 @@ +policy_module(polkit_auth,1.0.0) + +######################################## @@ -20229,6 +20288,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + +polkit_domtrans_auth(polkit_grant_t) + ++manage_files_pattern(polkit_grant_t,polkit_var_run_t,polkit_var_run_t) ++ +manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t) +userdom_read_all_users_state(polkit_grant_t) + @@ -21284,7 +21345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.4.2/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/services/prelude.te 2008-06-24 06:34:11.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/services/prelude.te 2008-06-30 15:20:18.000000000 -0400 @@ -19,12 +19,31 @@ type prelude_var_lib_t; files_type(prelude_var_lib_t) @@ -21343,11 +21404,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel dev_read_rand(prelude_audisp_t) dev_read_urand(prelude_audisp_t) -@@ -126,6 +150,80 @@ +@@ -123,9 +147,84 @@ + libs_use_shared_libs(prelude_audisp_t) + + logging_send_syslog_msg(prelude_audisp_t) ++logging_audisp_system_domain(prelude_audisp_t, prelude_audisp_exec_t) miscfiles_read_localization(prelude_audisp_t) -+logging_audisp_system_domain(prelude_audisp_t, prelude_audisp_exec_t) ++sysnet_dns_name_resolve(prelude_audisp_t) + +######################################## +# @@ -21424,7 +21489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel ######################################## # # prewikka_cgi Declarations -@@ -135,6 +233,10 @@ +@@ -135,6 +234,10 @@ apache_content_template(prewikka) files_read_etc_files(httpd_prewikka_script_t) @@ -23779,7 +23844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.4.2/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/services/sendmail.te 2008-06-12 23:37:51.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/services/sendmail.te 2008-06-30 08:31:37.000000000 -0400 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -27522,7 +27587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.4.2/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/services/xserver.te 2008-06-14 07:13:56.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/services/xserver.te 2008-06-29 08:15:37.000000000 -0400 @@ -8,6 +8,14 @@ ## @@ -27803,7 +27868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) -@@ -382,16 +472,26 @@ +@@ -382,16 +472,32 @@ ') optional_policy(` @@ -27811,6 +27876,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + polkit_read_lib(xdm_t) +') + ++# On crash gdm execs gdb to dump stack ++optional_policy(` ++ rpm_read_db(xdm_t) ++ rpm_dontaudit_manage_db(xdm_t) ++') ++ +optional_policy(` seutil_sigchld_newrole(xdm_t) ') @@ -27831,7 +27902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -427,7 +527,7 @@ +@@ -427,7 +533,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -27840,7 +27911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -439,6 +539,15 @@ +@@ -439,6 +545,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -27856,7 +27927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -450,10 +559,19 @@ +@@ -450,10 +565,19 @@ # xdm_xserver_t may no longer have any reason # to read ROLE_home_t - examine this in more detail # (xauth?) @@ -27877,7 +27948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) -@@ -468,7 +586,18 @@ +@@ -468,7 +592,18 @@ optional_policy(` dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t) @@ -27897,7 +27968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -481,16 +610,32 @@ +@@ -481,16 +616,32 @@ ') optional_policy(` @@ -27938,7 +28009,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -544,3 +689,10 @@ +@@ -544,3 +695,10 @@ # allow pam_t xdm_t:fifo_file { getattr ioctl write }; ') dnl end TODO @@ -28174,7 +28245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.4.2/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/system/authlogin.if 2008-06-12 23:37:53.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/system/authlogin.if 2008-06-30 16:47:52.000000000 -0400 @@ -56,10 +56,6 @@ miscfiles_read_localization($1_chkpwd_t) @@ -28232,7 +28303,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo # for SSP/ProPolice dev_read_urand($1) # for fingerprint readers -@@ -226,8 +239,39 @@ +@@ -216,6 +229,7 @@ + auth_rw_faillog($1) + auth_exec_pam($1) + auth_use_nsswitch($1) ++ auth_manage_pam_pid($1) + + init_rw_utmp($1) + +@@ -226,8 +240,39 @@ seutil_read_config($1) seutil_read_default_contexts($1) @@ -28272,7 +28351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -333,19 +377,15 @@ +@@ -333,19 +378,15 @@ dev_read_rand($1) dev_read_urand($1) @@ -28296,7 +28375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') optional_policy(` -@@ -356,6 +396,28 @@ +@@ -356,6 +397,28 @@ optional_policy(` samba_stream_connect_winbind($1) ') @@ -28325,7 +28404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -369,12 +431,12 @@ +@@ -369,12 +432,12 @@ ## ## ## @@ -28340,7 +28419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## ## # -@@ -386,6 +448,7 @@ +@@ -386,6 +449,7 @@ auth_domtrans_chk_passwd($1) role $2 types system_chkpwd_t; allow system_chkpwd_t $3:chr_file rw_file_perms; @@ -28348,7 +28427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -1447,6 +1510,10 @@ +@@ -1447,6 +1511,10 @@ ') optional_policy(` @@ -28359,7 +28438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo nis_use_ypbind($1) ') -@@ -1457,6 +1524,7 @@ +@@ -1457,6 +1525,7 @@ optional_policy(` samba_stream_connect_winbind($1) samba_read_var_files($1) @@ -28367,7 +28446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -1491,3 +1559,59 @@ +@@ -1491,3 +1560,59 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -28630,6 +28709,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna role system_r types hostname_t; ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.4.2/policy/modules/system/hotplug.te +--- nsaserefpolicy/policy/modules/system/hotplug.te 2008-06-12 23:25:07.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/system/hotplug.te 2008-06-30 13:18:01.000000000 -0400 +@@ -121,6 +121,7 @@ + optional_policy(` + # for arping used for static IP addresses on PCMCIA ethernet + netutils_domtrans(hotplug_t) ++ netutils_signal(hotplug_t) + fs_rw_tmpfs_chr_files(hotplug_t) + ') + files_getattr_generic_locks(hotplug_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.4.2/policy/modules/system/init.fc --- nsaserefpolicy/policy/modules/system/init.fc 2008-06-12 23:25:07.000000000 -0400 +++ serefpolicy-3.4.2/policy/modules/system/init.fc 2008-06-12 23:37:53.000000000 -0400