From ef6c41e1526ef5c7f8f995b05b9aa3c0ae6bbcf6 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Nov 02 2010 17:03:54 +0000 Subject: - Add authlogin_radius boolean - Fixes for certmonger policy - Allow xguest to use smartcard - Make sshd to use user_tmp_t for its /tmp content --- diff --git a/policy-F13.patch b/policy-F13.patch index 4ea86b4..20a068e 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -2545,6 +2545,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow +optional_policy(` + xserver_dontaudit_write_log(shutdown_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.19/policy/modules/admin/smoltclient.te +--- nsaserefpolicy/policy/modules/admin/smoltclient.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/smoltclient.te 2010-10-26 13:48:18.337651044 +0200 +@@ -46,6 +46,7 @@ + + files_getattr_generic_locks(smoltclient_t) + files_read_etc_files(smoltclient_t) ++files_read_etc_runtime_files(smoltclient_t) + files_read_usr_files(smoltclient_t) + + auth_use_nsswitch(smoltclient_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.fc serefpolicy-3.7.19/policy/modules/admin/sudo.fc --- nsaserefpolicy/policy/modules/admin/sudo.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/admin/sudo.fc 2010-09-13 15:54:07.362085420 +0200 @@ -14084,7 +14095,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.19/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/roles/xguest.te 2010-08-20 13:55:45.358085064 +0200 ++++ serefpolicy-3.7.19/policy/modules/roles/xguest.te 2010-11-02 17:09:32.420901767 +0100 @@ -15,7 +15,7 @@ ## 
@@ -14143,20 +14154,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. ') ') -@@ -81,19 +89,79 @@ +@@ -81,19 +89,84 @@ ') optional_policy(` - java_role(xguest_r, xguest_t) + apache_role(xguest_r, xguest_t) - ') - - optional_policy(` -- mozilla_role(xguest_r, xguest_t) ++') ++ ++optional_policy(` + gnomeclock_dontaudit_dbus_chat(xguest_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + chrome_role(xguest_r, xguest_usertype) +') + @@ -14170,13 +14180,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. + +optional_policy(` + nsplugin_role(xguest_r, xguest_t) -+') -+ + ') + + optional_policy(` +- mozilla_role(xguest_r, xguest_t) ++ pcscd_read_pub_files(xguest_usertype) ++ pcscd_stream_connect(xguest_usertype) + ') + +#optional_policy(` +# telepathy_dbus_session_role(xguest_r, xguest_t) +#') + -+optional_policy(` + optional_policy(` tunable_policy(`xguest_connect_network',` + kernel_read_network_state(xguest_usertype) + @@ -14214,19 +14230,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. + corenet_tcp_sendrecv_transproxy_port(xguest_usertype) + corenet_tcp_connect_transproxy_port(xguest_usertype) + corenet_tcp_connect_jabber_client_port(xguest_usertype) -+ ') -+') -+ + ') + ') + +-#gen_user(xguest_u,, xguest_r, s0, s0) +optional_policy(` + gen_require(` + type mozilla_t; - ') ++ ') + + allow xguest_t mozilla_t:process transition; + role xguest_r types mozilla_t; - ') - --#gen_user(xguest_u,, xguest_r, s0, s0) ++') ++ +gen_user(xguest_u, user, xguest_r, s0, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.19/policy/modules/services/abrt.fc --- nsaserefpolicy/policy/modules/services/abrt.fc 2010-04-13 20:44:37.000000000 +0200 
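Review bot: `pcscd_read_pub_files(xguest_usertype)` and `pcscd_stream_connect(xguest_usertype)` in hunk @@ -14170 (xguest.te) are granted unconditionally to the `xguest_usertype` attribute, while the network access a few lines later in the same file is gated by the `xguest_connect_network` tunable. xguest is the restricted guest role, so smart-card daemon access is a permission expansion that a deployment without smart-card login cannot switch off. A tunable in the style of the existing one (declared in the same .te, name left to the author) would preserve the role's default minimum; if always-on is intended, a one-line comment such as `# smartcard (pcscd) access for guest logins` above the block would record the reason the commit message gives.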
@@ -15354,7 +15370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.19/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-10-08 10:37:53.972901045 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-11-02 16:55:03.289650829 +0100 @@ -13,17 +13,13 @@ # template(`apache_content_template',` @@ -15421,7 +15437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_exec_etc_files(httpd_$1_script_t) files_read_etc_files(httpd_$1_script_t) -@@ -108,19 +106,6 @@ +@@ -108,18 +106,7 @@ seutil_dontaudit_search_config(httpd_$1_script_t) @@ -15437,11 +15453,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac - tunable_policy(`allow_httpd_$1_script_anon_write',` - miscfiles_manage_public_files(httpd_$1_script_t) - ') -- ++ apache_dontaudit_leaks(httpd_$1_script_t) + # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` - manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) -@@ -140,6 +125,7 @@ +@@ -140,6 +127,7 @@ allow httpd_t httpd_$1_content_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) @@ -15449,7 +15465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_cgi',` -@@ -148,14 +134,19 @@ +@@ -148,14 +136,19 @@ # privileged users run the script: domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) 
@@ -15469,7 +15485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_$1_script_t httpd_t:fd use; allow httpd_$1_script_t httpd_t:process sigchld; -@@ -172,6 +163,7 @@ +@@ -172,6 +165,7 @@ libs_read_lib_files(httpd_$1_script_t) miscfiles_read_localization(httpd_$1_script_t) @@ -15477,7 +15493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -182,15 +174,13 @@ +@@ -182,15 +176,13 @@ optional_policy(` postgresql_unpriv_client(httpd_$1_script_t) @@ -15495,7 +15511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -229,6 +219,13 @@ +@@ -229,6 +221,13 @@ relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) @@ -15509,7 +15525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) -@@ -312,6 +309,25 @@ +@@ -312,6 +311,25 @@ domtrans_pattern($1, httpd_exec_t, httpd_t) ') @@ -15535,7 +15551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ####################################### ## ## Send a generic signal to apache. -@@ -400,7 +416,7 @@ +@@ -400,7 +418,7 @@ type httpd_t; ') @@ -15544,7 +15560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -526,6 +542,25 @@ +@@ -526,6 +544,25 @@ ######################################## ## ## Allow the specified domain to delete 
@@ -15570,7 +15586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Apache cache. ## ## -@@ -542,6 +577,26 @@ +@@ -542,6 +579,26 @@ delete_files_pattern($1, httpd_cache_t, httpd_cache_t) ') @@ -15597,7 +15613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## ## ## Allow the specified domain to read -@@ -756,6 +811,28 @@ +@@ -756,6 +813,28 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -15626,7 +15642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -814,6 +891,7 @@ +@@ -814,6 +893,7 @@ ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -15634,7 +15650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_search_var($1) ') -@@ -836,11 +914,62 @@ +@@ -836,11 +916,62 @@ ') files_search_var($1) @@ -15697,7 +15713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## ## ## Execute all web scripts in the system -@@ -858,6 +987,11 @@ +@@ -858,6 +989,11 @@ gen_require(` attribute httpdcontent; type httpd_sys_script_t; @@ -15709,7 +15725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -945,7 +1079,7 @@ +@@ -945,7 +1081,7 @@ type httpd_squirrelmail_t; ') @@ -15718,7 +15734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -985,6 +1119,24 @@ +@@ -985,6 +1121,24 @@ allow $1 httpd_sys_content_t:dir search_dir_perms; ') 
@@ -15743,7 +15759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## ## ## Read apache system content. -@@ -1086,6 +1238,25 @@ +@@ -1086,6 +1240,25 @@ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -15769,7 +15785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## ## ## Dontaudit attempts to write -@@ -1102,7 +1273,7 @@ +@@ -1102,7 +1275,7 @@ type httpd_tmp_t; ') @@ -15778,7 +15794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1172,7 +1343,7 @@ +@@ -1172,7 +1345,7 @@ type httpd_modules_t, httpd_lock_t; type httpd_var_run_t, httpd_php_tmp_t; type httpd_suexec_tmp_t, httpd_tmp_t; @@ -15787,7 +15803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') allow $1 httpd_t:process { getattr ptrace signal_perms }; -@@ -1202,12 +1373,62 @@ +@@ -1202,12 +1375,63 @@ kernel_search_proc($1) allow $1 httpd_t:dir list_dir_perms; @@ -15825,13 +15841,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +# +interface(`apache_dontaudit_leaks',` + gen_require(` -+ type httpd_t; ++ type httpd_t, httpd_tmp_t; + ') + + dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; + dontaudit $1 httpd_t:tcp_socket { read write }; + dontaudit $1 httpd_t:unix_dgram_socket { read write }; + dontaudit $1 httpd_t:unix_stream_socket { read write }; ++ dontaudit $1 httpd_tmp_t:file { read write }; +') + +####################################### 
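Review bot: The new `dontaudit $1 httpd_tmp_t:file { read write };` in `apache_dontaudit_leaks` (hunk @@ -15825, apache.if) uses a bare `{ read write }` while the fifo_file line just above it uses `rw_inherited_fifo_file_perms`; for a leaked inherited descriptor the matching file set is `rw_inherited_file_perms` (assuming this policy defines it alongside the fifo variant), otherwise `getattr`/`ioctl`/`lock` on the leaked fd still produce AVC denials and the interface does not fully do what its name promises. Suggested line: `dontaudit $1 httpd_tmp_t:file rw_inherited_file_perms;`. Since hunk @@ -15437 applies this interface to every `httpd_$1_script_t`, note that the dontaudit also hides those denials from the audit trail during incident analysis; that is the accepted trade-off for fd-leak noise, but it is worth keeping the rule limited to inherited-fd permissions rather than a general read/write silence on httpd_tmp_t.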
@@ -17844,8 +17861,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.19/policy/modules/services/certmonger.te --- nsaserefpolicy/policy/modules/services/certmonger.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2010-10-08 10:39:56.442913129 +0200 -@@ -0,0 +1,83 @@ ++++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2010-11-02 17:07:05.681649412 +0100 +@@ -0,0 +1,88 @@ +policy_module(certmonger,1.0.0) + +######################################## @@ -17872,6 +17889,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +# + +allow certmonger_t self:capability { kill sys_nice }; ++dontaudit certmonger_t self:capability sys_tty_config; ++ +allow certmonger_t self:process { fork getsched setsched sigkill }; +allow certmonger_t self:fifo_file rw_file_perms; +allow certmonger_t self:unix_stream_socket create_stream_socket_perms; @@ -17899,6 +17918,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +files_read_usr_files(certmonger_t) +files_list_tmp(certmonger_t) + ++auth_rw_cache(certmonger_t) ++ +miscfiles_read_localization(certmonger_t) +miscfiles_manage_cert_files(certmonger_t) + @@ -17927,6 +17948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert + +optional_policy(` + pcscd_stream_connect(certmonger_t) ++ pcscd_read_pub_files(certmonger_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.19/policy/modules/services/cgroup.fc 
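Review bot: `auth_rw_cache(certmonger_t)` in hunk @@ -17899 (certmonger.te) has no comment saying which cache certmonger reads and writes, and the interface name indicates read/write on the whole auth cache type rather than one path. Given the `pcscd_read_pub_files(certmonger_t)` added in hunk @@ -17927, this is presumably the smart-card token cache, but that is an inference; a line such as `# auth cache access: <reason> — confirm which path under the auth cache certmonger needs` would tie the rule to its use case. `dontaudit certmonger_t self:capability sys_tty_config;` in hunk @@ -17872 silences a denial rather than granting the capability, which is fine as leak suppression, but a short `# tty config attempts are a leak, not needed` would keep it from being read as a missing allow.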
@@ -21855,7 +21877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetc files_list_etc($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.19/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/fprintd.te 2010-09-13 13:10:28.599085102 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/fprintd.te 2010-11-02 17:13:59.386650147 +0100 @@ -18,9 +18,9 @@ # Local policy # @@ -21868,7 +21890,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -@@ -55,4 +55,6 @@ +@@ -41,6 +41,8 @@ + + auth_use_nsswitch(fprintd_t) + ++init_dontaudit_leaks(fprintd_t) ++ + miscfiles_read_localization(fprintd_t) + + userdom_use_user_ptys(fprintd_t) +@@ -55,4 +57,6 @@ policykit_read_lib(fprintd_t) policykit_dbus_chat(fprintd_t) policykit_domtrans_auth(fprintd_t) @@ -23701,7 +23732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt admin_pattern($1, ksmtuned_var_run_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.19/policy/modules/services/ksmtuned.te --- nsaserefpolicy/policy/modules/services/ksmtuned.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/ksmtuned.te 2010-06-21 21:11:46.923156716 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ksmtuned.te 2010-11-02 17:00:40.709901203 +0100 @@ -10,6 +10,9 @@ type ksmtuned_exec_t; init_daemon_domain(ksmtuned_t, ksmtuned_exec_t) 
@@ -23723,7 +23754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t) files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file) -@@ -32,9 +39,15 @@ +@@ -32,9 +39,17 @@ dev_rw_sysfs(ksmtuned_t) domain_read_all_domains_state(ksmtuned_t) @@ -23737,6 +23768,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt + +term_use_all_terms(ksmtuned_t) + ++logging_send_syslog_msg(ksmtuned_t) ++ miscfiles_read_localization(ksmtuned_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.19/policy/modules/services/ldap.fc @@ -34674,7 +34707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +/root/\.shosts gen_context(system_u:object_r:home_ssh_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.19/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2010-09-16 16:52:19.653637145 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2010-11-02 17:20:27.771899311 +0100 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -34827,7 +34860,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # for rsync allow ssh_t $3:unix_stream_socket rw_socket_perms; -@@ -359,7 +373,7 @@ +@@ -338,6 +352,7 @@ + manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) + manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) + userdom_search_user_home_dirs($1_t) ++ userdom_manage_tmp_role($2, ssh_t) + + ############################## + # +@@ -359,7 +374,7 @@ stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) # Allow the user shell to signal the ssh program. 
@@ -34836,7 +34877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # allow ps to show ssh ps_process_pattern($3, $1_ssh_agent_t) -@@ -388,6 +402,7 @@ +@@ -388,6 +403,7 @@ logging_send_syslog_msg($1_ssh_agent_t) miscfiles_read_localization($1_ssh_agent_t) @@ -34844,7 +34885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. seutil_dontaudit_read_config($1_ssh_agent_t) -@@ -395,10 +410,8 @@ +@@ -395,10 +411,8 @@ userdom_use_user_terminals($1_ssh_agent_t) # for the transition back to normal privs upon exec @@ -34856,7 +34897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_ssh_agent_t) -@@ -475,7 +488,7 @@ +@@ -475,7 +489,7 @@ type sshd_t; ') @@ -34865,7 +34906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ######################################## ## -@@ -492,7 +505,7 @@ +@@ -492,7 +506,7 @@ type sshd_t; ') @@ -34874,7 +34915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ######################################## -@@ -582,6 +595,25 @@ +@@ -582,6 +596,25 @@ domtrans_pattern($1, sshd_exec_t, sshd_t) ') @@ -34900,7 +34941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ######################################## ## ## Execute the ssh client in the caller domain. -@@ -616,7 +648,7 @@ +@@ -616,7 +649,7 @@ type sshd_key_t; ') @@ -34909,7 +34950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. files_search_pids($1) ') -@@ -693,7 +725,51 @@ +@@ -693,7 +726,51 @@ type sshd_key_t; ') @@ -34962,7 +35003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ####################################### -@@ -714,3 +790,67 @@ +@@ -714,3 +791,67 @@ files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') 
@@ -35032,8 +35073,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2010-10-25 12:31:52.241650895 +0200 -@@ -34,6 +34,9 @@ ++++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2010-11-02 17:26:10.850902064 +0100 +@@ -34,13 +34,12 @@ ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) @@ -35043,7 +35084,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. type sshd_key_t; files_type(sshd_key_t) -@@ -97,6 +100,8 @@ +-type sshd_tmp_t; +-files_tmp_file(sshd_tmp_t) +-files_poly_parent(sshd_tmp_t) +- + ifdef(`enable_mcs',` + init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) + ') +@@ -97,14 +96,11 @@ allow ssh_t self:msg { send receive }; allow ssh_t self:tcp_socket create_stream_socket_perms; @@ -35052,7 +35100,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # Read the ssh key file. allow ssh_t sshd_key_t:file read_file_perms; -@@ -114,6 +119,7 @@ +-# Access the ssh temporary files. +-allow ssh_t sshd_tmp_t:dir manage_dir_perms; +-allow ssh_t sshd_tmp_t:file manage_file_perms; +-files_tmp_filetrans(ssh_t, sshd_tmp_t, { file dir }) +- + manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) + manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) + manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) +@@ -114,6 +110,7 @@ manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) 
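Review bot: The `type sshd_tmp_t;` declaration and its `files_tmp_file`/`files_poly_parent` lines are removed in hunk @@ -35032 (ssh.te), but `sshd_tmp_t` is still referenced in ssh.if within this same patch — the `delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)` context visible under the ssh.if hunk at @@ -714 — so unless that interface (and any file-context entry for the type) is dropped outside this view, its gen_require will fail once the type no longer exists. The same change continues in hunks @@ -35043, @@ -35095 and @@ -35122, which remove the ssh_t/sshd_t rules on sshd_tmp_t and add `userdom_manage_tmp_role(system_r, sshd_t)`. From an isolation standpoint this merges sshd's own /tmp objects into the shared user_tmp_t type and drops the polyinstantiation-parent marking, so type enforcement no longer separates them from other user-domain temp files and DAC becomes the only boundary. A comment next to the new userdom_manage_tmp_role line, e.g. `# sshd /tmp content is intentionally user_tmp_t; no dedicated sshd_tmp_t type`, would make that decision visible to the next reader.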
@@ -35060,7 +35116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) -@@ -125,9 +131,10 @@ +@@ -125,9 +122,10 @@ read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t) # ssh servers can read the user keys and config @@ -35074,7 +35130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. kernel_read_kernel_sysctls(ssh_t) kernel_read_system_state(ssh_t) -@@ -139,6 +146,8 @@ +@@ -139,6 +137,8 @@ corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) @@ -35083,7 +35139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. dev_read_urand(ssh_t) -@@ -170,8 +179,10 @@ +@@ -170,8 +170,10 @@ userdom_search_user_home_dirs(ssh_t) # Write to the user domain tty. userdom_use_user_terminals(ssh_t) @@ -35095,16 +35151,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. tunable_policy(`allow_ssh_keysign',` domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) -@@ -282,6 +293,8 @@ +@@ -282,32 +284,39 @@ allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; +-manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) +-manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) +-manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) +-files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file }) +allow sshd_t self:process setcurrent; -+ - manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) - manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) - manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) -@@ -290,24 +303,34 @@ + kernel_search_key(sshd_t) kernel_link_key(sshd_t) 
@@ -35122,6 +35178,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +userdom_read_user_home_content_files(sshd_t) +userdom_read_user_home_content_symlinks(sshd_t) +userdom_search_admin_dir(sshd_t) ++userdom_manage_tmp_role(system_r, sshd_t) ++userdom_spec_domtrans_unpriv_users(sshd_t) ++userdom_signal_unpriv_users(sshd_t) + tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd @@ -35135,15 +35194,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. - userdom_signal_unpriv_users(sshd_t) +') + -+userdom_spec_domtrans_unpriv_users(sshd_t) -+userdom_signal_unpriv_users(sshd_t) -+ +optional_policy(` + daemontools_service_domain(sshd_t, sshd_exec_t) ') optional_policy(` -@@ -315,7 +338,12 @@ +@@ -315,7 +324,12 @@ ') optional_policy(` @@ -35157,7 +35213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -323,6 +351,10 @@ +@@ -323,6 +337,10 @@ ') optional_policy(` @@ -35168,7 +35224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. rpm_use_script_fds(sshd_t) ') -@@ -333,10 +365,18 @@ +@@ -333,10 +351,18 @@ ') optional_policy(` @@ -37187,7 +37243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-10-08 10:31:31.109650747 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-11-02 17:43:43.719667433 +0100 @@ -1,5 +1,5 @@ -policy_module(xserver, 3.3.2) 
@@ -37368,7 +37424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(iceauth_t) -@@ -250,30 +293,65 @@ +@@ -250,50 +293,106 @@ fs_manage_cifs_files(iceauth_t) ') @@ -37437,8 +37493,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +fs_getattr_all_fs(xauth_t) fs_search_auto_mountpoints(xauth_t) - # cjp: why? -@@ -283,17 +361,36 @@ +-# cjp: why? +-term_use_ptmx(xauth_t) ++# Probably leak ++# 583546 bug ++term_dontaudit_use_ptmx(xauth_t) ++term_dontaudit_use_console(xauth_t) + + auth_use_nsswitch(xauth_t) userdom_use_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) @@ -37475,7 +37537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -305,20 +402,33 @@ +@@ -305,20 +404,33 @@ # XDM Local policy # @@ -37512,7 +37574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -326,32 +436,55 @@ +@@ -326,32 +438,55 @@ allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) @@ -37573,7 +37635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xserver_t:unix_stream_socket connectto; allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; -@@ -359,10 +492,13 @@ +@@ -359,10 +494,13 @@ # transition to the xdm xserver domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) @@ -37587,7 +37649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -371,18 +507,25 @@ +@@ -371,18 +509,25 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) 
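Review bot: Hunk @@ -37437 (xserver.te) turns `term_use_ptmx(xauth_t)` into `term_dontaudit_use_ptmx(xauth_t)` plus `term_dontaudit_use_console(xauth_t)`, which is a behaviour change — the access is now denied (unless another rule grants it) and denied silently — not just a noise fix, yet the comment `# Probably leak` / `# 583546 bug` records neither the tracker nor whether a genuine xauth use of the pty was ruled out. If xauth ever does need the terminal, the failure will now leave no AVC to diagnose. Suggested comment: `# xauth inherits the caller's pty/console fd and does not use it; deny without auditing (bug 583546, tracker not named)`, with the tracker filled in by the author.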
@@ -37614,7 +37676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -394,11 +537,14 @@ +@@ -394,11 +539,14 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -37629,7 +37691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -406,6 +552,7 @@ +@@ -406,6 +554,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -37637,7 +37699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -414,18 +561,22 @@ +@@ -414,18 +563,22 @@ dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -37663,7 +37725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -436,9 +587,17 @@ +@@ -436,9 +589,17 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -37681,7 +37743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -447,14 +606,21 @@ +@@ -447,14 +608,21 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -37703,7 +37765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -465,10 +631,12 @@ +@@ -465,10 +633,12 @@ logging_read_generic_logs(xdm_t) 
@@ -37718,7 +37780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -477,6 +645,12 @@ +@@ -477,6 +647,12 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -37731,7 +37793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -508,11 +682,17 @@ +@@ -508,11 +684,17 @@ ') optional_policy(` @@ -37749,7 +37811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -520,12 +700,51 @@ +@@ -520,12 +702,51 @@ ') optional_policy(` @@ -37801,7 +37863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser hostname_exec(xdm_t) ') -@@ -543,20 +762,63 @@ +@@ -543,20 +764,63 @@ ') optional_policy(` @@ -37867,7 +37929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -565,7 +827,6 @@ +@@ -565,7 +829,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -37875,7 +37937,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -576,6 +837,10 @@ +@@ -576,6 +839,10 @@ ') optional_policy(` @@ -37886,7 +37948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -600,10 +865,9 @@ +@@ -600,10 +867,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -37898,7 +37960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -615,6 +879,18 @@ +@@ -615,6 +881,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -37917,7 +37979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -634,12 +910,19 @@ +@@ -634,12 +912,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -37939,7 +38001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -647,6 +930,7 @@ +@@ -647,6 +932,7 @@ # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -37947,7 +38009,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -673,7 +957,6 @@ +@@ -673,7 +959,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -37955,7 +38017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +966,12 @@ +@@ -683,9 +968,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) 
@@ -37969,7 +38031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +986,13 @@ +@@ -700,8 +988,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -37983,7 +38045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,11 +1014,14 @@ +@@ -723,11 +1016,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -37998,7 +38060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -779,12 +1073,28 @@ +@@ -779,12 +1075,28 @@ ') optional_policy(` @@ -38028,7 +38090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -811,7 +1121,7 @@ +@@ -811,7 +1123,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -38037,7 +38099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1142,14 @@ +@@ -832,9 +1144,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -38052,7 +38114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1164,14 @@ +@@ -849,11 +1166,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) 
@@ -38069,7 +38131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -999,3 +1317,33 @@ +@@ -999,3 +1319,33 @@ allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -38195,7 +38257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ifdef(`distro_suse', ` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.19/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-10-13 08:41:54.579650714 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-11-02 16:59:22.380650718 +0100 @@ -41,7 +41,6 @@ ## # @@ -38229,7 +38291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo auth_use_pam($1) init_rw_utmp($1) -@@ -151,6 +154,41 @@ +@@ -151,6 +154,45 @@ seutil_read_config($1) seutil_read_default_contexts($1) @@ -38239,6 +38301,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + userdom_delete_user_tmp_files($1) + userdom_search_admin_dir($1) + ++ tunable_policy(`authlogin_radius',` ++ corenet_udp_bind_all_unreserved_ports($1) ++ ') ++ + optional_policy(` + afs_rw_udp_sockets($1) + ') @@ -38271,7 +38337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo tunable_policy(`allow_polyinstantiation',` files_polyinstantiate_all($1) ') -@@ -365,13 +403,15 @@ +@@ -365,13 +407,15 @@ ') optional_policy(` @@ -38288,7 +38354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -418,6 +458,7 @@ +@@ -418,6 +462,7 @@ auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; 
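Review bot: The new `tunable_policy(`authlogin_radius',` block grants `corenet_udp_bind_all_unreserved_ports($1)`, i.e. a bind to any unreserved UDP port for every domain that calls this interface, which is wider than a RADIUS client strictly needs but is the usual way to cover an ephemeral source port; a one-line comment stating that intent would help the next reader, e.g. `# RADIUS clients send from an ephemeral UDP source port`. Binding also needs node_bind on the generic node (corenet_udp_bind_generic_node); if the calling domains are not already granted that elsewhere, the bind is still denied when the boolean is on, so it is worth confirming. The interface this hunk modifies starts and ends outside the hunk, so its name is not visible here.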
@@ -38296,7 +38362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -694,7 +735,7 @@ +@@ -694,7 +739,7 @@ ') files_search_etc($1) @@ -38305,7 +38371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo typeattribute $1 can_relabelto_shadow_passwords; ') -@@ -1500,6 +1541,8 @@ +@@ -1500,6 +1545,8 @@ # interface(`auth_use_nsswitch',` @@ -38314,7 +38380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo files_list_var_lib($1) # read /etc/nsswitch.conf -@@ -1531,7 +1574,15 @@ +@@ -1531,7 +1578,15 @@ ') optional_policy(` @@ -38333,8 +38399,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.19/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/authlogin.te 2010-08-20 13:51:57.715085006 +0200 -@@ -84,7 +84,7 @@ ++++ serefpolicy-3.7.19/policy/modules/system/authlogin.te 2010-11-02 16:58:56.412650880 +0100 +@@ -6,6 +6,13 @@ + # Declarations + # + ++## ++##

++## Allow users to login using a radius server ++##

++##
++gen_tunable(authlogin_radius, false) ++ + attribute can_read_shadow_passwords; + attribute can_write_shadow_passwords; + attribute can_relabelto_shadow_passwords; +@@ -84,7 +91,7 @@ allow chkpwd_t self:capability { dac_override setuid }; dontaudit chkpwd_t self:capability sys_tty_config; @@ -41199,7 +41279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.19/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-10-13 08:11:09.866910335 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-10-26 13:46:49.368668089 +0200 @@ -18,8 +18,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -41424,7 +41504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -186,6 +280,19 @@ +@@ -186,6 +280,23 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -41440,11 +41520,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +') + +optional_policy(` ++ virt_read_blk_images(mount_t) ++') ++ ++optional_policy(` + vmware_exec_host(mount_t) ') ######################################## -@@ -194,6 +301,42 @@ +@@ -194,6 +305,42 @@ # optional_policy(` 
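Review bot: The description of the new `authlogin_radius` tunable says only that it allows users to log in using a RADIUS server, while the access it actually controls (in authlogin.if in this same patch) is a bind to all unreserved UDP ports for login programs; a boolean description should state the permission an administrator is enabling, e.g. `## Allow login programs to bind to unreserved UDP ports so they can act as RADIUS clients`. The `<desc>`/`<p>` wrapper lines around the text appear empty in this view; confirm the markup is intact in the patch, since the tunable documentation is generated from it.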
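Review bot: `virt_read_blk_images(mount_t)` is added without a comment explaining why mount needs read access to virtual machine disk images, unlike the `# for kernel package installation` note on the rpm block earlier in this file; a short why-comment such as `# presumably for mounting guest disk images -- confirm use case` would make the grant reviewable. Because it is not behind a tunable, every mount_t invocation gets read access to all virt image files whenever the virt module is loaded; if the use case is narrow, scoping it with a boolean would keep the default policy tighter.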
@@ -46222,7 +46306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.19/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2010-08-13 08:20:57.407085107 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2010-11-02 17:26:58.264649340 +0100 @@ -29,18 +29,18 @@ ## @@ -46278,6 +46362,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_user_home_content(user_home_t) fs_associate_tmpfs(user_home_t) files_associate_tmp(user_home_t) +@@ -85,7 +95,7 @@ + files_type(user_devpts_t) + ubac_constrained(user_devpts_t) + +-type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; ++type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t sshd_tmp_t auditadm_tmp_t unconfined_tmp_t }; + typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; + files_tmp_file(user_tmp_t) + userdom_user_home_content(user_tmp_t) @@ -97,3 +107,41 @@ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 172d278..51461b2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 69%{?dist} +Release: 70%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
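Review bot: Adding `sshd_tmp_t` to the alias list of `user_tmp_t` merges sshd's /tmp content into the shared user tmp type, so every domain permitted to manage user_tmp_t content now also reaches what sshd creates in /tmp (which, when agent forwarding is in use, includes the forwarded agent socket), and separation there rests on DAC alone; a comment on the alias line or in the changelog recording that trade-off would help later reviewers. The companion change to ssh.te that drops or converts its own `type sshd_tmp_t;` declaration is not in this chunk; if the declaration remains, the alias and the declaration conflict at policy build time, so confirm it is part of the same update.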
@@ -469,6 +469,12 @@ exit 0 %endif %changelog +* Tue Nov 2 2010 Miroslav Grepl 3.7.19-70 +- Add authlogin_radius boolean +- Fixes for certmonger policy +- Allow xguest to use smartcard +- Make sshd to use user_tmp_t for its /tmp content + * Tue Oct 26 2010 Miroslav Grepl 3.7.19-69 - Dontaudit init leaks