From f14eb068cd5d1b3fc44dde87395e9004bf53b1c3 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Sep 09 2010 13:46:16 +0000 Subject: - Allow virt domains execute qemu_exec_t - Add support for dkim-milter - Fixes for freshclam - Allow iptables to read shorewall tmp files - Add boolean to allow icecast to connect to any port - Allow freshclam to execute shell and bin_t --- diff --git a/policy-F13.patch b/policy-F13.patch index 1533331..8cdf510 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -10,6 +10,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.19/ net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.7.19/man/man8/ftpd_selinux.8 +--- nsaserefpolicy/man/man8/ftpd_selinux.8 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/man/man8/ftpd_selinux.8 2010-09-09 15:08:15.357085367 +0200 +@@ -15,7 +15,7 @@ + semanage fcontext -a -t public_content_t "/var/ftp(/.*)?" + .TP + .B +-restorecon -R -v /var/ftp ++restorecon -F -R -v /var/ftp + .TP + Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set. + .PP +@@ -23,7 +23,7 @@ + semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?" + .TP + .B +-restorecon -R -v /var/ftp/incoming ++restorecon -F -R -v /var/ftp/incoming + + .SH BOOLEANS + .PP diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.19/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/global_tunables 2010-05-28 09:41:59.942610848 +0200 
@@ -2109,7 +2130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sectool mount_exec(sectoolm_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.7.19/policy/modules/admin/shorewall.if --- nsaserefpolicy/policy/modules/admin/shorewall.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/shorewall.if 2010-08-17 10:56:22.490085133 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/shorewall.if 2010-09-09 13:43:11.957085205 +0200 @@ -18,47 +18,27 @@ domtrans_pattern($1, shorewall_exec_t, shorewall_t) ') @@ -2185,7 +2206,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa ') ###################################### -@@ -134,9 +114,9 @@ +@@ -115,6 +95,25 @@ + rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) + ') + ++###################################### ++## ++## Read shorewall tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`shorewall_read_tmp_files',` ++ gen_require(` ++ type shorewall_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t) ++') ++ + ####################################### + ## + ## All of the rules required to administrate +@@ -134,9 +133,9 @@ # interface(`shorewall_admin',` gen_require(` @@ -2197,7 +2244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa ') allow $1 shorewall_t:process { ptrace signal_perms }; -@@ -153,9 +133,6 @@ +@@ -153,9 +152,6 @@ files_search_locks($1) admin_pattern($1, shorewall_lock_t) 
@@ -3386,7 +3433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis. +sysnet_read_config(gitosis_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.19/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/apps/gnome.fc 2010-08-24 15:33:52.995335336 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/gnome.fc 2010-09-09 13:47:27.008335639 +0200 @@ -1,8 +1,31 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) @@ -3396,8 +3443,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0) -+/HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) -+/HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0) ++HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) ++HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0) + + +/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) @@ -4732,7 +4779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.19/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/apps/java.te 2010-05-28 09:41:59.983610743 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/java.te 2010-09-09 12:48:28.290335334 +0200 @@ -147,6 +147,15 @@ init_dbus_chat_script(unconfined_java_t) 
@@ -6391,7 +6438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.19/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/apps/qemu.if 2010-05-28 09:42:00.000610955 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/qemu.if 2010-09-09 13:11:47.340085075 +0200 @@ -127,12 +127,14 @@ template(`qemu_role',` gen_require(` @@ -6407,7 +6454,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if ') ######################################## -@@ -273,6 +275,67 @@ +@@ -153,6 +155,24 @@ + domtrans_pattern($1, qemu_exec_t, qemu_t) + ') + ++####################################### ++## ++## Execute a qemu in the callers domain ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`qemu_exec',` ++ gen_require(` ++ type qemu_exec_t; ++ ') ++ ++ can_exec($1, qemu_exec_t) ++') ++ + ######################################## + ## + ## Execute qemu in the qemu domain. +@@ -273,6 +293,67 @@ ######################################## ## @@ -6475,7 +6547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if ## Manage qemu temporary dirs. ## ## -@@ -306,3 +369,24 @@ +@@ -306,3 +387,24 @@ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') 
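Review bot: The new `qemu_exec` interface runs the qemu binary in the caller's own domain via `can_exec($1, qemu_exec_t)`, so a guest started through it is confined only by whatever the calling virt domain already holds, not by qemu_t, and the interface doc should say so because a caller may pick it over the domtrans interface without noticing the difference. A summary line such as `## Execute qemu in the caller's domain (no transition to qemu_t; qemu keeps the caller's permissions).` would make the trade-off visible in the generated docs; the present `## Execute a qemu in the callers domain` also needs the apostrophe fix. The virt-side caller the subject line refers to is outside this chunk, so whether that use is gated by a tunable cannot be checked here.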
@@ -8264,7 +8336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.19/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/apps/vmware.te 2010-06-08 14:24:13.013626203 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/vmware.te 2010-09-09 10:27:11.540085109 +0200 @@ -29,6 +29,10 @@ type vmware_host_exec_t; init_daemon_domain(vmware_host_t, vmware_host_exec_t) @@ -8308,6 +8380,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t domain_use_interactive_fds(vmware_host_t) domain_dontaudit_read_all_domains_state(vmware_host_t) +@@ -121,6 +135,7 @@ + files_list_tmp(vmware_host_t) + files_read_etc_files(vmware_host_t) + files_read_etc_runtime_files(vmware_host_t) ++files_read_usr_files(vmware_host_t) + + fs_getattr_all_fs(vmware_host_t) + fs_search_auto_mountpoints(vmware_host_t) +@@ -151,6 +166,10 @@ + ') + + optional_policy(` ++ shutdown_domtrans(vmware_host_t) ++') ++ ++optional_policy(` + udev_read_db(vmware_host_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.7.19/policy/modules/apps/webalizer.te --- nsaserefpolicy/policy/modules/apps/webalizer.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/apps/webalizer.te 2010-08-13 07:59:10.406085311 +0200 
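Review bot: `shutdown_domtrans(vmware_host_t)` gives the vmware host daemon a transition into the shutdown domain, which is a system-wide power-off capability, and the new `optional_policy` block carries no comment on why the daemon needs it. A one-line why-comment above the call, for example `# vmware host daemon runs shutdown (reason: TODO — fill in from the denial that motivated this)`, would let the next maintainer judge whether the access is still warranted. The commit message lists neither this vmware.te change nor the vmware entry added to corecommands.fc later in the patch; naming them there would help reviewers. `files_read_usr_files(vmware_host_t)` in the same hunk is routine.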
@@ -8360,8 +8451,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if xserver_role($1_r, $1_wine_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.19/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/apps/wine.te 2010-05-28 09:42:00.016654044 +0200 -@@ -1,6 +1,14 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/wine.te 2010-09-09 14:18:56.313334508 +0200 +@@ -1,6 +1,13 @@ policy_module(wine, 1.6.1) @@ -8370,13 +8461,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te +## Ignore wine mmap_zero errors +##

+## -+# +gen_tunable(wine_mmap_zero_ignore, false) + ######################################## # # Declarations -@@ -30,7 +38,13 @@ +@@ -30,7 +37,14 @@ manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) files_tmp_filetrans(wine_t, wine_tmp_t, { file dir }) @@ -8385,6 +8475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te +tunable_policy(`mmap_low_allowed',` + domain_mmap_low(wine_t) +') ++ +tunable_policy(`wine_mmap_zero_ignore',` + dontaudit wine_t self:memprotect mmap_zero; +') @@ -8458,7 +8549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-08-30 20:26:39.691335235 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-09-09 10:26:47.476085401 +0200 @@ -9,8 +9,11 @@ /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -8502,7 +8593,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0) /etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0) /etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0) -@@ -147,6 +160,9 @@ +@@ -105,6 +118,8 @@ + /etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0) + ') + ++/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0) ++ + # + # /lib + # +@@ -147,6 +162,9 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
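Review bot: The new context `/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)` labels the whole tree, directories and every file beneath it, as bin_t with no `--` file-type qualifier, so anything that later lands there (configuration as well as scripts) becomes executable content for every domain that has corecmd_exec_bin. If the directory mixes scripts and configuration, a narrower match on the script files, in the `--` form the neighbouring `/etc/ppp/ip-up\..*` entries use, keeps non-script files at their default etc_t. I cannot tell from the hunk what the directory holds on an installed system, so this is something to confirm against a vmware-tools install before tightening.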
@@ -8512,7 +8612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /usr # -@@ -189,7 +205,8 @@ +@@ -189,7 +207,8 @@ /usr/lib(64)?/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -8522,7 +8622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0) -@@ -216,11 +233,17 @@ +@@ -216,11 +235,17 @@ /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) @@ -8540,7 +8640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -240,6 +263,7 @@ +@@ -240,6 +265,7 @@ /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) 
@@ -8548,7 +8648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -297,6 +321,7 @@ +@@ -297,6 +323,7 @@ /usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0) @@ -8556,7 +8656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0) -@@ -331,3 +356,21 @@ +@@ -331,3 +358,21 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -9608,7 +9708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.19/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-08-30 19:22:32.465335135 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-09-09 09:56:22.877085209 +0200 @@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) 
@@ -10026,50 +10126,99 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. -@@ -3520,6 +3801,82 @@ +@@ -3520,57 +3801,151 @@ allow $1 readable_t:sock_file read_sock_file_perms; ') +-######################################## +####################################### -+## + ## +-## Allow the specified type to associate +-## to a filesystem with the type of the +-## temporary directory (/tmp). +## Read manageable system configuration files in /etc -+## + ## +-## +-## +-## Type of the file to associate. +-## +## +## +## Domain allowed access. +## -+## + ## +## -+# + # +-interface(`files_associate_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_read_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- allow $1 tmp_t:filesystem associate; + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1, etc_t, system_conf_t) + read_lnk_files_pattern($1, etc_t, system_conf_t) -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Get the attributes of the tmp directory (/tmp). +## Manage manageable system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_getattr_tmp_dirs',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_manage_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- allow $1 tmp_t:dir getattr; + manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t) + ') + +-######################################## ++####################################### + ## +-## Do not audit attempts to get the +-## attributes of the tmp directory (/tmp). ++## Relabel manageable system configuration files in /etc. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. 
++## + ## + # +-interface(`files_dontaudit_getattr_tmp_dirs',` +- gen_require(` ++interface(`files_relabelto_system_conf_files',` ++ gen_require(` ++ type usr_t; ++ ') ++ ++ relabelto_files_pattern($1, system_conf_t, system_conf_t) +') + -+####################################### ++##################################### +## +## Relabel manageable system configuration files in /etc. +## @@ -10079,12 +10228,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +## +## +# -+interface(`files_relabelto_system_conf_files',` ++interface(`files_relabelfrom_system_conf_files',` + gen_require(` + type usr_t; + ') + -+ relabelto_files_pattern($1, system_conf_t, system_conf_t) ++ relabelfrom_files_pattern($1, system_conf_t, system_conf_t) +') + +################################### 
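Review bot: Both system_conf interfaces require the wrong type: `files_relabelto_system_conf_files` (this hunk) and `files_relabelfrom_system_conf_files` (the following `@@ -10079` hunk) declare `type usr_t;` in `gen_require` but only use `system_conf_t`, in `relabelto_files_pattern($1, system_conf_t, system_conf_t)` and `relabelfrom_files_pattern($1, system_conf_t, system_conf_t)`. A module that calls either interface is expected to fail with an out-of-scope type error for system_conf_t, and the unused `usr_t` requirement adds a spurious dependency; the requirement in both should read `type system_conf_t;`. The summary `## Relabel manageable system configuration files in /etc.` is identical for the two interfaces; "Relabel to" and "Relabel from" would tell them apart in the generated interface docs.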
@@ -10106,10 +10255,61 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + filetrans_pattern($1, etc_t, system_conf_t, file) +') + - ######################################## - ## - ## Allow the specified type to associate -@@ -3705,6 +4062,32 @@ ++######################################## ++## ++## Allow the specified type to associate ++## to a filesystem with the type of the ++## temporary directory (/tmp). ++## ++## ++## ++## Type of the file to associate. ++## ++## ++# ++interface(`files_associate_tmp',` ++ gen_require(` ++ type tmp_t; ++ ') ++ ++ allow $1 tmp_t:filesystem associate; ++') ++ ++######################################## ++## ++## Get the attributes of the tmp directory (/tmp). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_getattr_tmp_dirs',` ++ gen_require(` ++ type tmp_t; ++ ') ++ ++ allow $1 tmp_t:dir getattr; ++') ++ ++######################################## ++## ++## Do not audit attempts to get the ++## attributes of the tmp directory (/tmp). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_dontaudit_getattr_tmp_dirs',` ++ gen_require(` + type tmp_t; + ') + +@@ -3705,6 +4080,32 @@ ######################################## ## @@ -10142,7 +10342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Manage temporary files and directories in /tmp. ## ## -@@ -3918,6 +4301,13 @@ +@@ -3918,6 +4319,13 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -10156,7 +10356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4013,6 +4403,24 @@ +@@ -4013,6 +4421,24 @@ ######################################## ## 
@@ -10181,7 +10381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Delete generic files in /usr in the caller domain. ## ## -@@ -4026,7 +4434,7 @@ +@@ -4026,7 +4452,7 @@ type usr_t; ') @@ -10190,7 +10390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4107,6 +4515,24 @@ +@@ -4107,6 +4533,24 @@ ######################################## ## @@ -10215,7 +10415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## dontaudit write of /usr files ## ## -@@ -5032,6 +5458,43 @@ +@@ -5032,6 +5476,43 @@ search_dirs_pattern($1, var_t, var_run_t) ') @@ -10259,7 +10459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Do not audit attempts to search -@@ -5091,6 +5554,24 @@ +@@ -5091,6 +5572,24 @@ ######################################## ## @@ -10284,7 +10484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Create an object in the process ID directory, with a private type. ## ## -@@ -5238,6 +5719,7 @@ +@@ -5238,6 +5737,7 @@ list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -10292,7 +10492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -5306,6 +5788,24 @@ +@@ -5306,6 +5806,24 @@ ######################################## ## @@ -10317,7 +10517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -5494,12 +5994,15 @@ +@@ -5494,12 +6012,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) 
@@ -10334,7 +10534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ') -@@ -5520,3 +6023,229 @@ +@@ -5520,3 +6041,229 @@ typeattribute $1 files_unconfined_type; ') @@ -10621,7 +10821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy +/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-09-02 13:53:43.031083801 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-09-09 13:45:53.856085155 +0200 @@ -559,6 +559,24 @@ ######################################## @@ -10660,10 +10860,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') - allow $1 cifs_t:filesystem getattr; --') -- --######################################## --## ++ allow $1 cgroup_t:filesystem getattr; + ') + + ######################################## + ## -## list dirs on cgroup -## file systems. -## @@ -10680,11 +10881,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy - ') - - list_dirs_pattern($1, cgroup_t, cgroup_t) -+ allow $1 cgroup_t:filesystem getattr; - ') - - ######################################## - ## +-') +- +-######################################## +-## -## Do not audit attempts to read -## dirs on a CIFS or SMB filesystem. +## list dirs on cgroup 
@@ -10861,7 +11061,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Read and write hugetlbfs files. ## ## -@@ -1899,6 +2009,7 @@ +@@ -1847,6 +1957,24 @@ + rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) + ') + ++####################################### ++## ++## Manage hugetlbfs dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_manage_hugetlbfs_dirs',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) ++') ++ + ######################################## + ## + ## Allow the type to associate to hugetlbfs filesystems. +@@ -1899,6 +2027,7 @@ ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -10869,7 +11094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2295,6 +2406,25 @@ +@@ -2295,6 +2424,25 @@ ######################################## ## @@ -10895,7 +11120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Append files ## on a NFS filesystem. ## -@@ -2349,7 +2479,7 @@ +@@ -2349,7 +2497,7 @@ type nfs_t; ') @@ -10904,7 +11129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2537,6 +2667,24 @@ +@@ -2537,6 +2685,24 @@ ######################################## ## @@ -10929,7 +11154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Read removable storage symbolic links. ## ## -@@ -2745,7 +2893,7 @@ +@@ -2745,7 +2911,7 @@ ######################################### ## ## Create, read, write, and delete symbolic links @@ -10938,7 +11163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## ## ## -@@ -3812,6 +3960,24 @@ +@@ -3812,6 +3978,24 @@ rw_files_pattern($1, tmpfs_t, tmpfs_t) ') 
@@ -10963,7 +11188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ######################################## ## ## Read tmpfs link files. -@@ -3870,6 +4036,24 @@ +@@ -3870,6 +4054,24 @@ ######################################## ## @@ -10988,7 +11213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4432,6 +4616,44 @@ +@@ -4432,6 +4634,44 @@ ######################################## ## @@ -11033,7 +11258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Do not audit attempts to get the attributes ## of all files with a filesystem type. ## -@@ -4549,3 +4771,24 @@ +@@ -4549,3 +4789,24 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') @@ -12154,8 +12379,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.19/policy/modules/roles/unconfineduser.if --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.if 2010-05-28 09:42:00.048612487 +0200 -@@ -0,0 +1,667 @@ ++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.if 2010-09-09 11:07:14.850085218 +0200 +@@ -0,0 +1,687 @@ +## Unconfiend user role + +######################################## 
@@ -12823,10 +13048,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + + allow $1 unconfined_r; +') ++ ++####################################### ++## ++## Allow domain to attach to TUN devices created by unconfined_t users. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_attach_tun_iface',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:tun_socket relabelfrom; ++ allow $1 self:tun_socket relabelto; ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-08-13 07:30:50.833085376 +0200 -@@ -0,0 +1,444 @@ ++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-09-09 14:20:14.370335617 +0200 +@@ -0,0 +1,455 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -12856,6 +13101,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +## +gen_tunable(allow_unconfined_qemu_transition, false) + ++## ++##

++## Ignore wine mmap_zero errors ++##

++##
++gen_tunable(unconfined_mmap_zero_ignore, false) ++ +# usage in this module of types created by these +# calls is not correct, however we dont currently +# have another method to add access to these types @@ -12945,6 +13197,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + allow unconfined_t unconfined_login_domain:process sigchld; +') + ++tunable_policy(`wine_mmap_zero_ignore',` ++ dontaudit unconfined_usertype self:memprotect mmap_zero; ++') ++ +optional_policy(` + gen_require(` + attribute unconfined_usertype; @@ -14584,7 +14840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.19/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-08-25 09:32:04.821085078 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-09-09 13:49:57.498085155 +0200 @@ -13,17 +13,13 @@ # template(`apache_content_template',` @@ -14605,7 +14861,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac typealias httpd_$1_content_t alias httpd_$1_script_ro_t; files_type(httpd_$1_content_t) -@@ -41,11 +37,11 @@ +@@ -36,16 +32,18 @@ + domain_type(httpd_$1_script_t) + role system_r types httpd_$1_script_t; + ++ search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type) ++ + # This type is used for executable scripts files + type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable; corecmd_shell_entry_type(httpd_$1_script_t) domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) 
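Review bot: The boolean this file declares is never used and another module's boolean is tested instead: the `@@ -12856` hunk adds `gen_tunable(unconfined_mmap_zero_ignore, false)`, while the `tunable_policy` block added in the `@@ -12945` hunk tests `wine_mmap_zero_ignore`, which is declared in wine.te. The boolean name in that `tunable_policy` line should be changed to unconfined_mmap_zero_ignore so the new tunable actually controls the `dontaudit unconfined_usertype self:memprotect mmap_zero;` rule; a reference to a boolean declared only in another module is not expected to resolve when this module is compiled, so this is likely a build error as well as a logic slip. The copied description `## Ignore wine mmap_zero errors` should also describe unconfined users rather than wine.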
@@ -14619,7 +14882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; files_type(httpd_$1_ra_content_t) -@@ -54,7 +50,7 @@ +@@ -54,7 +52,7 @@ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; @@ -14628,7 +14891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_$1_script_t self:fifo_file rw_file_perms; allow httpd_$1_script_t self:unix_stream_socket connectto; -@@ -86,7 +82,6 @@ +@@ -86,7 +84,6 @@ manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) @@ -14636,7 +14899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_dontaudit_search_sysctl(httpd_$1_script_t) kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) -@@ -95,6 +90,7 @@ +@@ -95,6 +92,7 @@ dev_read_urand(httpd_$1_script_t) corecmd_exec_all_executables(httpd_$1_script_t) @@ -14644,7 +14907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_exec_etc_files(httpd_$1_script_t) files_read_etc_files(httpd_$1_script_t) -@@ -108,19 +104,6 @@ +@@ -108,19 +106,6 @@ seutil_dontaudit_search_config(httpd_$1_script_t) 
@@ -14664,7 +14927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) -@@ -140,6 +123,7 @@ +@@ -140,6 +125,7 @@ allow httpd_t httpd_$1_content_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) @@ -14672,7 +14935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_cgi',` -@@ -148,14 +132,19 @@ +@@ -148,14 +134,19 @@ # privileged users run the script: domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) @@ -14692,7 +14955,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_$1_script_t httpd_t:fd use; allow httpd_$1_script_t httpd_t:process sigchld; -@@ -172,6 +161,7 @@ +@@ -172,6 +163,7 @@ libs_read_lib_files(httpd_$1_script_t) miscfiles_read_localization(httpd_$1_script_t) @@ -14700,7 +14963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -182,15 +172,13 @@ +@@ -182,15 +174,13 @@ optional_policy(` postgresql_unpriv_client(httpd_$1_script_t) @@ -14718,7 +14981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -229,6 +217,13 @@ +@@ -229,6 +219,13 @@ relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) 
@@ -14732,7 +14995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) -@@ -312,6 +307,25 @@ +@@ -312,6 +309,25 @@ domtrans_pattern($1, httpd_exec_t, httpd_t) ') @@ -14758,7 +15021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ####################################### ## ## Send a generic signal to apache. -@@ -400,7 +414,7 @@ +@@ -400,7 +416,7 @@ type httpd_t; ') @@ -14767,7 +15030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -526,6 +540,25 @@ +@@ -526,6 +542,25 @@ ######################################## ## ## Allow the specified domain to delete @@ -14793,7 +15056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Apache cache. ## ## -@@ -756,6 +789,28 @@ +@@ -756,6 +791,28 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -14822,7 +15085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -814,6 +869,7 @@ +@@ -814,6 +871,7 @@ ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -14830,7 +15093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_search_var($1) ') -@@ -836,11 +892,62 @@ +@@ -836,11 +894,62 @@ ') files_search_var($1) @@ -14893,7 +15156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## ## ## Execute all web scripts in the system -@@ -858,6 +965,11 @@ +@@ -858,6 +967,11 @@ gen_require(` attribute httpdcontent; type httpd_sys_script_t; 
@@ -14905,7 +15168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -945,7 +1057,7 @@ +@@ -945,7 +1059,7 @@ type httpd_squirrelmail_t; ') @@ -14914,7 +15177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -985,6 +1097,24 @@ +@@ -985,6 +1099,24 @@ allow $1 httpd_sys_content_t:dir search_dir_perms; ') @@ -14939,7 +15202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## ## ## Read apache system content. -@@ -1086,6 +1216,25 @@ +@@ -1086,6 +1218,25 @@ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -14965,7 +15228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## ## ## Dontaudit attempts to write -@@ -1102,7 +1251,7 @@ +@@ -1102,7 +1253,7 @@ type httpd_tmp_t; ') @@ -14974,7 +15237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1172,7 +1321,7 @@ +@@ -1172,7 +1323,7 @@ type httpd_modules_t, httpd_lock_t; type httpd_var_run_t, httpd_php_tmp_t; type httpd_suexec_tmp_t, httpd_tmp_t; @@ -14983,7 +15246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') allow $1 httpd_t:process { getattr ptrace signal_perms }; -@@ -1202,12 +1351,62 @@ +@@ -1202,12 +1353,62 @@ kernel_search_proc($1) allow $1 httpd_t:dir list_dir_perms; 
@@ -15049,7 +15312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-09-01 12:22:03.915084400 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-09-09 13:07:21.400085528 +0200 @@ -19,11 +19,13 @@ # Declarations # @@ -15093,7 +15356,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Allow HTTPD scripts and modules to connect to databases over the network. ##

## -@@ -72,6 +88,13 @@ +@@ -58,6 +74,13 @@ + + ## + ##

++## Allow httpd to connect to memcache server ++##

++##
++gen_tunable(httpd_can_network_memcache, false) ++ ++## ++##

+ ## Allow httpd to act as a relay + ##

+ ##
+@@ -72,6 +95,13 @@ ## ##

@@ -15107,7 +15384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Allow Apache to communicate with avahi service via dbus ##

##
-@@ -101,6 +124,20 @@ +@@ -101,6 +131,20 @@ ## ##

@@ -15128,7 +15405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. ##

##
-@@ -108,6 +145,13 @@ +@@ -108,6 +152,13 @@ ## ##

@@ -15142,7 +15419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Unify HTTPD to communicate with the terminal. ## Needed for entering the passphrase for certificates at ## the terminal. -@@ -131,7 +175,7 @@ +@@ -131,7 +182,7 @@ ## ##

@@ -15151,7 +15428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ##

##
gen_tunable(httpd_use_gpg, false) -@@ -143,6 +187,13 @@ +@@ -143,6 +194,13 @@ ## gen_tunable(httpd_use_nfs, false) @@ -15165,7 +15442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac attribute httpdcontent; attribute httpd_user_content_type; -@@ -218,6 +269,10 @@ +@@ -218,6 +276,10 @@ # setup the system domain for system CGI scripts apache_content_template(sys) @@ -15176,7 +15453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +281,10 @@ +@@ -226,6 +288,10 @@ apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -15187,7 +15464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +292,7 @@ +@@ -233,6 +299,7 @@ userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; @@ -15195,7 +15472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -286,6 +346,7 @@ +@@ -286,6 +353,7 @@ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) 
@@ -15203,7 +15480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -355,6 +416,7 @@ +@@ -355,6 +423,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -15211,7 +15488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,8 +427,10 @@ +@@ -365,8 +434,10 @@ corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -15222,7 +15499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_sendrecv_http_server_packets(httpd_t) # Signal self for shutdown corenet_tcp_connect_http_port(httpd_t) -@@ -378,12 +442,12 @@ +@@ -378,12 +449,12 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -15238,7 +15515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac domain_use_interactive_fds(httpd_t) -@@ -402,6 +466,10 @@ +@@ -402,6 +473,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -15249,7 +15526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_read_lib_files(httpd_t) -@@ -420,12 +488,23 @@ +@@ -420,12 +495,23 @@ miscfiles_manage_public_files(httpd_t) ') 
@@ -15275,7 +15552,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -439,6 +518,7 @@ +@@ -433,12 +519,17 @@ + corenet_tcp_connect_all_ports(httpd_t) + ') + ++tunable_policy(`httpd_can_network_memcache',` ++ corenet_tcp_connect_memcache_port(httpd_t) ++') ++ + tunable_policy(`httpd_can_network_relay',` + # allow httpd to work as a relay + corenet_tcp_connect_gopher_port(httpd_t) corenet_tcp_connect_ftp_port(httpd_t) corenet_tcp_connect_http_port(httpd_t) corenet_tcp_connect_http_cache_port(httpd_t) @@ -15283,7 +15570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_tcp_connect_memcache_port(httpd_t) corenet_sendrecv_gopher_client_packets(httpd_t) corenet_sendrecv_ftp_client_packets(httpd_t) -@@ -446,6 +526,16 @@ +@@ -446,6 +537,16 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') @@ -15300,7 +15587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` fs_nfs_domtrans(httpd_t, httpd_sys_script_t) ') -@@ -456,6 +546,10 @@ +@@ -456,6 +557,10 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) @@ -15311,7 +15598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -470,11 +564,25 @@ +@@ -470,11 +575,25 @@ userdom_read_user_home_content_files(httpd_t) ') @@ -15337,7 +15624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,9 +592,22 @@ +@@ -484,9 +603,22 @@ # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) 
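Review bot: The new `httpd_can_network_memcache` block only grants `corenet_tcp_connect_memcache_port(httpd_t)`, which the `httpd_can_network_relay` block immediately below it already grants (the same call is visible among that block's context lines), so the new boolean is a strict subset of the relay boolean and nothing in the hunk says so. A comment above the new block, e.g. `# subset of httpd_can_network_relay: memcache only, none of the other relay ports`, would make the relationship explicit, and the tunable description added in the earlier apache.te declaration hunk (`## Allow httpd to connect to memcache server`) could mention that the relay and network_connect booleans also cover this port. Without that, an administrator auditing which booleans open memcache access from the web server will find three overlapping switches with no hint of the overlap.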
@@ -15360,7 +15647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -500,8 +621,13 @@ +@@ -500,8 +632,13 @@ # are dontaudited here. tunable_policy(`httpd_tty_comm',` userdom_use_user_terminals(httpd_t) @@ -15374,7 +15661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -514,6 +640,9 @@ +@@ -514,6 +651,9 @@ optional_policy(` cobbler_search_lib(httpd_t) @@ -15384,7 +15671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -528,7 +657,7 @@ +@@ -528,7 +668,7 @@ daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -15393,7 +15680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +666,12 @@ +@@ -537,8 +677,12 @@ ') optional_policy(` @@ -15407,7 +15694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -557,6 +690,7 @@ +@@ -557,6 +701,7 @@ optional_policy(` # Allow httpd to work with mysql @@ -15415,7 +15702,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +701,7 @@ +@@ -567,6 +712,7 @@ optional_policy(` nagios_read_config(httpd_t) @@ -15423,7 +15710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -577,12 +712,23 @@ +@@ -577,12 +723,23 @@ ') optional_policy(` @@ -15447,7 +15734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -591,6 +737,11 @@ +@@ -591,6 +748,11 @@ ') optional_policy(` 
@@ -15459,7 +15746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -618,6 +769,10 @@ +@@ -618,6 +780,10 @@ userdom_use_user_terminals(httpd_helper_t) @@ -15470,7 +15757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -699,17 +854,18 @@ +@@ -699,17 +865,18 @@ manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -15492,7 +15779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,10 +896,21 @@ +@@ -740,10 +907,21 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -15515,7 +15802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -769,6 +936,12 @@ +@@ -769,6 +947,12 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -15528,7 +15815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -792,9 +965,13 @@ +@@ -792,9 +976,13 @@ files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) @@ -15542,7 +15829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,6 +980,28 @@ +@@ -803,6 +991,28 @@ mta_send_mail(httpd_sys_script_t) ') 
@@ -15571,7 +15858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; -@@ -830,6 +1029,16 @@ +@@ -830,6 +1040,16 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -15588,7 +15875,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,6 +1051,7 @@ +@@ -842,6 +1062,7 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -15596,7 +15883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -891,11 +1101,33 @@ +@@ -891,11 +1112,33 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -15614,7 +15901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + userdom_search_user_home_content(httpd_t) + userdom_search_user_home_content(httpd_suexec_t) + userdom_search_user_home_content(httpd_user_script_t) -+') + ') + +tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_user_script_t) @@ -15623,7 +15910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + +tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',` + userdom_read_user_home_content_files(httpd_t) - ') ++') + +# Removal of fastcgi, will cause problems without the following +typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; 
@@ -17419,7 +17706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.19/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-08-18 14:20:22.831085034 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-09-09 11:18:18.035085273 +0200 @@ -1,6 +1,13 @@ policy_module(clamav, 1.7.1) @@ -17450,16 +17737,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam # log files manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) -@@ -170,6 +179,8 @@ - allow freshclam_t clamd_var_log_t:dir search_dir_perms; +@@ -167,9 +176,15 @@ + # log files (own logfiles only) + manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) + allow freshclam_t freshclam_var_log_t:dir setattr; +-allow freshclam_t clamd_var_log_t:dir search_dir_perms; ++read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t) logging_log_filetrans(freshclam_t, freshclam_var_log_t, file) +kernel_read_kernel_sysctls(freshclam_t) ++kernel_read_system_state(freshclam_t) ++ ++corecmd_exec_shell(freshclam_t) ++corecmd_exec_bin(freshclam_t) + corenet_all_recvfrom_unlabeled(freshclam_t) corenet_all_recvfrom_netlabel(freshclam_t) corenet_tcp_sendrecv_generic_if(freshclam_t) -@@ -177,8 +188,11 @@ +@@ -177,8 +192,11 @@ corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) @@ -17471,7 +17766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam dev_read_rand(freshclam_t) dev_read_urand(freshclam_t) -@@ -189,14 +203,24 @@ +@@ -189,14 +207,24 @@ auth_use_nsswitch(freshclam_t) 
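Review bot: `corecmd_exec_shell(freshclam_t)` and `corecmd_exec_bin(freshclam_t)` are added without a comment, and together they let a daemon whose role is to fetch signature databases from the network run any shell or bin_t program inside its own network-capable domain. A why-comment naming the concrete need, e.g. `# presumably for freshclam's post-update/error notification hooks — TODO confirm this is the only reason`, would let the next reviewer judge whether a narrower interface or a tunable should gate it instead of unconditional base policy. The replacement of `allow freshclam_t clamd_var_log_t:dir search_dir_perms;` by `read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)` is fine on its own, since the pattern already carries directory search.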
@@ -17496,7 +17791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam ######################################## # # clamscam local policy -@@ -231,6 +255,7 @@ +@@ -231,6 +259,7 @@ corenet_tcp_connect_clamd_port(clamscan_t) kernel_read_kernel_sysctls(clamscan_t) @@ -17504,7 +17799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) -@@ -246,6 +271,14 @@ +@@ -246,6 +275,14 @@ mta_send_mail(clamscan_t) @@ -20425,7 +20720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-08-24 14:32:28.482083467 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-09-09 10:57:08.707085315 +0200 @@ -9,6 +9,9 @@ type dovecot_exec_t; init_daemon_domain(dovecot_t, dovecot_exec_t) @@ -20560,7 +20855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove postfix_search_spool(dovecot_auth_t) ') -@@ -234,18 +260,28 @@ +@@ -234,18 +260,30 @@ # allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; @@ -20570,6 +20865,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove +allow dovecot_deliver_t dovecot_var_log_t:dir search_dir_perms; allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; ++append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) ++ +allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; + +can_exec(dovecot_deliver_t, dovecot_deliver_exec_t) 
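Review bot: With `append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)` added, the `allow dovecot_deliver_t dovecot_var_log_t:dir search_dir_perms;` line two lines above it becomes redundant, because the append pattern already grants directory search on its second argument. Leaving both is harmless but invites the next maintainer to wonder whether the explicit rule covers something the pattern does not; dropping the explicit line keeps the block consistent with the other pattern-based rules in this section.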
@@ -20589,7 +20886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove miscfiles_read_localization(dovecot_deliver_t) -@@ -263,15 +299,24 @@ +@@ -263,15 +301,24 @@ userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) tunable_policy(`use_nfs_home_dirs',` @@ -22093,8 +22390,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. # Local hald dccm policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.19/policy/modules/services/icecast.te --- nsaserefpolicy/policy/modules/services/icecast.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/icecast.te 2010-08-30 20:14:45.201335228 +0200 -@@ -38,7 +38,10 @@ ++++ serefpolicy-3.7.19/policy/modules/services/icecast.te 2010-09-09 12:23:45.726084993 +0200 +@@ -6,6 +6,14 @@ + # Declarations + # + ++## ++##

++## Allow icecast to connect to all ports, not just ++## sound ports. ++##

++##
++gen_tunable(icecast_connect_any, false) ++ + type icecast_t; + type icecast_exec_t; + init_daemon_domain(icecast_t, icecast_exec_t) +@@ -38,7 +46,16 @@ manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) @@ -22102,10 +22414,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec + corenet_tcp_bind_soundd_port(icecast_t) +corenet_tcp_connect_soundd_port(icecast_t) ++ ++tunable_policy(`icecast_connect_any',` ++ corenet_tcp_connect_all_ports(icecast_t) ++ corenet_tcp_bind_all_ports(icecast_t) ++ corenet_sendrecv_all_packets(icecast_t) ++') # Init script handling domain_use_interactive_fds(icecast_t) -@@ -52,5 +55,9 @@ +@@ -52,5 +69,9 @@ sysnet_dns_name_resolve(icecast_t) optional_policy(` 
@@ -22799,9 +23117,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc ') allow $1 memcached_t:process { ptrace signal_perms }; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.7.19/policy/modules/services/milter.fc +--- nsaserefpolicy/policy/modules/services/milter.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/milter.fc 2010-09-09 10:52:57.640084901 +0200 +@@ -1,3 +1,6 @@ ++/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) ++ ++/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) + /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) + /usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) + /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0) +@@ -5,6 +8,7 @@ + /var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) + /var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) + ++/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) + /var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) + /var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) + /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.7.19/policy/modules/services/milter.if --- nsaserefpolicy/policy/modules/services/milter.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/milter.if 2010-05-28 09:42:00.123612272 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/milter.if 2010-09-09 10:52:57.640084901 +0200 @@ -37,6 +37,8 @@ files_read_etc_files($1_milter_t) 
@@ -22836,10 +23172,71 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt ## Manage spamassassin milter state ##
## +@@ -100,3 +120,22 @@ + manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t) + manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) + ') ++ ++####################################### ++## ++## Delete dkim-milter PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`milter_delete_dkim_pid_files',` ++ gen_require(` ++ type dkim_milter_data_t; ++ ') ++ ++ files_search_pids($1) ++ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.7.19/policy/modules/services/milter.te --- nsaserefpolicy/policy/modules/services/milter.te 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/milter.te 2010-05-28 09:42:00.123612272 +0200 -@@ -81,13 +81,11 @@ ++++ serefpolicy-3.7.19/policy/modules/services/milter.te 2010-09-09 10:52:57.643085262 +0200 +@@ -10,6 +10,13 @@ + attribute milter_domains; + attribute milter_data_type; + ++# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter ++milter_template(dkim) ++ ++# type for the private key of dkim-milter ++type dkim_milter_private_key_t; ++files_type(dkim_milter_private_key_t) ++ + # currently-supported milters are milter-greylist, milter-regex and spamass-milter + milter_template(greylist) + milter_template(regex) +@@ -21,6 +28,23 @@ + type spamass_milter_state_t; + files_type(spamass_milter_state_t) + ++####################################### ++# ++# dkim-milter local policy ++# ++ ++allow dkim_milter_t self:capability { kill setgid setuid }; ++ ++allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms; ++ ++read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) ++ ++auth_use_nsswitch(dkim_milter_t) ++ ++sysnet_dns_name_resolve(dkim_milter_t) ++ ++mta_read_config(dkim_milter_t) ++ + ######################################## + # + # 
milter-greylist local policy +@@ -81,13 +105,11 @@ allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms; files_search_var_lib(spamass_milter_t) @@ -23339,7 +23736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.19/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/mta.if 2010-08-17 15:07:58.255085184 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/mta.if 2010-09-09 11:00:37.517335104 +0200 @@ -144,6 +144,30 @@ ') ') @@ -23468,7 +23865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -390,12 +478,15 @@ +@@ -390,12 +478,51 @@ # interface(`mta_sendmail_domtrans',` gen_require(` @@ -23485,10 +23882,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. + + allow $2 mta_exec_type:file entrypoint; + domtrans_pattern($1, mta_exec_type, $2) ++') ++ ++####################################### ++## ++## Send system mail client a signal ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_signal_system_mail',` ++ gen_require(` ++ type system_mail_t; ++ ') ++ ++ allow $1 system_mail_t:process signal; ++') ++ ++####################################### ++## ++## Send system mail client a kill signal ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_kill_system_mail',` ++ gen_require(` ++ type system_mail_t; ++ ') ++ ++ allow $1 system_mail_t:process sigkill; ') ######################################## -@@ -454,7 +545,8 @@ +@@ -454,7 +581,8 @@ type etc_mail_t; ') 
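Review bot: `dkim_milter_private_key_t` is declared with plain `files_type`, which in refpolicy marks it as an ordinary, non-security file type, so any domain using the broad read-all-files style interfaces can read the DKIM signing key that the `/etc/mail/dkim-milter/keys(/.*)?` entry in milter.fc labels. If the key is meant to be readable only by dkim_milter_t (the sole reader this hunk adds, via `read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)`), `files_security_file(dkim_milter_private_key_t)` may be the better declaration; worth confirming against this tree's files.if before changing it. The line `allow dkim_milter_t self:capability { kill setgid setuid };` would also benefit from a comment on why `kill` is needed, since nothing visible in the local policy block explains it.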
@@ -23498,7 +23931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -678,7 +770,7 @@ +@@ -678,7 +806,7 @@ files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; allow $1 mail_spool_t:file setattr; @@ -23507,7 +23940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -765,6 +857,25 @@ +@@ -765,6 +893,25 @@ ####################################### ## @@ -24420,7 +24853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.19/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/nagios.te 2010-06-03 14:19:20.251161230 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nagios.te 2010-09-09 11:00:52.622085022 +0200 @@ -6,17 +6,23 @@ # Declarations # @@ -24540,8 +24973,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi auth_use_nsswitch(nagios_t) logging_send_syslog_msg(nagios_t) -@@ -105,10 +157,9 @@ +@@ -103,12 +155,13 @@ + userdom_dontaudit_search_user_home_dirs(nagios_t) + mta_send_mail(nagios_t) ++mta_kill_system_mail(nagios_t) ++mta_signal_system_mail(nagios_t) optional_policy(` - netutils_domtrans_ping(nagios_t) @@ -24553,7 +24990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi optional_policy(` seutil_sigchld_newrole(nagios_t) -@@ -118,61 +169,63 @@ +@@ -118,61 +171,63 @@ udev_read_db(nagios_t) ') 
@@ -24649,7 +25086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi kernel_read_system_state(nrpe_t) kernel_read_kernel_sysctls(nrpe_t) -@@ -183,11 +236,15 @@ +@@ -183,11 +238,15 @@ dev_read_urand(nrpe_t) domain_use_interactive_fds(nrpe_t) @@ -24665,7 +25102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi logging_send_syslog_msg(nrpe_t) miscfiles_read_localization(nrpe_t) -@@ -199,6 +256,11 @@ +@@ -199,6 +258,11 @@ ') optional_policy(` @@ -24677,7 +25114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi seutil_sigchld_newrole(nrpe_t) ') -@@ -209,3 +271,151 @@ +@@ -209,3 +273,151 @@ optional_policy(` udev_read_db(nrpe_t) ') @@ -25013,7 +25450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.19/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2010-06-28 17:38:00.689150486 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2010-09-09 10:04:37.547084791 +0200 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) 
@@ -25162,25 +25599,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -142,12 +182,29 @@ +@@ -142,12 +182,31 @@ ') optional_policy(` - consoletype_exec(NetworkManager_t) + consoletype_domtrans(NetworkManager_t) - ') - - optional_policy(` -- dbus_system_bus_client(NetworkManager_t) -- dbus_connect_system_bus(NetworkManager_t) ++') ++ ++optional_policy(` + dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) + ++ init_dbus_chat(NetworkManager_t) ++ + optional_policy(` + consolekit_dbus_chat(NetworkManager_t) + ') -+') -+ -+optional_policy(` + ') + + optional_policy(` +- dbus_system_bus_client(NetworkManager_t) +- dbus_connect_system_bus(NetworkManager_t) + dnsmasq_read_pid_files(NetworkManager_t) + dnsmasq_delete_pid_files(NetworkManager_t) + dnsmasq_domtrans(NetworkManager_t) @@ -25195,7 +25634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -155,23 +212,58 @@ +@@ -155,23 +214,58 @@ ') optional_policy(` @@ -25229,17 +25668,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) + openvpn_signull(NetworkManager_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + policykit_dbus_chat(NetworkManager_t) + policykit_domtrans_auth(NetworkManager_t) + policykit_read_lib(NetworkManager_t) + policykit_read_reload(NetworkManager_t) + userdom_read_all_users_state(NetworkManager_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + ppp_initrc_domtrans(NetworkManager_t) ppp_domtrans(NetworkManager_t) - ppp_read_pid_files(NetworkManager_t) @@ -25257,7 +25696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -179,12 +271,16 @@ +@@ -179,12 +273,16 @@ ') optional_policy(` 
@@ -26218,7 +26657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oide diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.19/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/openvpn.te 2010-08-13 08:05:55.420085199 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/openvpn.te 2010-09-09 11:14:32.048085808 +0200 @@ -25,6 +25,9 @@ type openvpn_etc_rw_t; files_config_file(openvpn_etc_rw_t) @@ -26229,6 +26668,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open type openvpn_initrc_exec_t; init_script_file(openvpn_initrc_exec_t) +@@ -49,7 +52,7 @@ + allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow openvpn_t self:udp_socket create_socket_perms; + allow openvpn_t self:tcp_socket server_stream_socket_perms; +-allow openvpn_t self:tun_socket create; ++allow openvpn_t self:tun_socket { create relabelfrom }; + allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms; + + can_exec(openvpn_t, openvpn_etc_t) @@ -59,6 +62,9 @@ manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t) filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) 
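Review bot: The new `allow openvpn_t self:tun_socket { create relabelfrom };` line carries no comment saying which deployment needs openvpn to take over an already existing tun socket, and the companion `unconfined_attach_tun_iface(openvpn_t)` block added in the next hunk (the `@@ -139,3 +150,7 @@` addition to openvpn.te) is equally silent. Read together they appear to let the confined openvpn_t relabel and attach a tun interface that an unconfined domain created, so an auditor going through the policy later cannot tell whether that widening was deliberate or a quick fix for a denial. Presumably this covers persistent tun devices pre-created by an administrator before the service starts; a one-line comment such as `# attach to persistent tun devices pre-created outside openvpn_t` above the new optional_policy block would record that.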
@@ -26265,6 +26713,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open tunable_policy(`openvpn_enable_homedirs',` userdom_read_user_home_content_files(openvpn_t) +@@ -139,3 +150,7 @@ + + networkmanager_dbus_chat(openvpn_t) + ') ++ ++optional_policy(` ++ unconfined_attach_tun_iface(openvpn_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.7.19/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/pcscd.te 2010-08-17 15:11:28.402085340 +0200 @@ -26562,8 +27018,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.te serefpolicy-3.7.19/policy/modules/services/piranha.te --- nsaserefpolicy/policy/modules/services/piranha.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/piranha.te 2010-08-09 14:39:37.318084747 +0200 -@@ -0,0 +1,226 @@ ++++ serefpolicy-3.7.19/policy/modules/services/piranha.te 2010-09-09 13:14:39.486084912 +0200 +@@ -0,0 +1,230 @@ + +policy_module(piranha,1.0.0) + @@ -26691,6 +27147,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira +') + +optional_policy(` ++ gnome_dontaudit_search_config(piranha_web_t) ++') ++ ++optional_policy(` + sasl_connect(piranha_web_t) +') + 
@@ -27361,7 +27821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.19/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/policykit.te 2010-05-28 09:42:00.153610624 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/policykit.te 2010-09-09 11:05:30.401085346 +0200 @@ -25,6 +25,9 @@ type policykit_reload_t alias polkit_reload_t; files_type(policykit_reload_t) @@ -27438,7 +27898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli -allow policykit_auth_t self:capability setgid; -allow policykit_auth_t self:process getattr; -allow policykit_auth_t self:fifo_file rw_file_perms; -+allow policykit_auth_t self:capability { setgid setuid }; ++allow policykit_auth_t self:capability { ipc_lock setgid setuid }; +dontaudit policykit_auth_t self:capability sys_tty_config; +allow policykit_auth_t self:process { getattr getsched signal }; +allow policykit_auth_t self:fifo_file rw_fifo_file_perms; 
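Review bot: `ipc_lock` is added to the policykit_auth_t capability set without a comment, in `+allow policykit_auth_t self:capability { ipc_lock setgid setuid };`. Unlike setgid and setuid it is not self-explanatory for an authentication helper, and a later tightening pass is likely to drop it again. If it is there because the helper mlock()s the buffer holding the user's password (plausible, but confirm against the denial that prompted it), a comment `# ipc_lock: mlock() of memory holding the authentication secret` above the allow would keep the grant from being removed by mistake.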
@@ -31092,6 +31552,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki +optional_policy(` policykit_dbus_chat(rtkit_daemon_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.te serefpolicy-3.7.19/policy/modules/services/rwho.te +--- nsaserefpolicy/policy/modules/services/rwho.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/rwho.te 2010-09-09 13:17:41.097085184 +0200 +@@ -56,6 +56,8 @@ + init_read_utmp(rwho_t) + init_dontaudit_write_utmp(rwho_t) + ++logging_send_syslog_msg(rwho_t) ++ + miscfiles_read_localization(rwho_t) + + sysnet_dns_name_resolve(rwho_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.19/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/samba.fc 2010-08-10 16:58:12.349085082 +0200 @@ -33866,7 +34338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-08-10 16:18:48.565085270 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-09-09 13:45:21.039085272 +0200 @@ -1,5 +1,5 @@ -policy_module(virt, 1.3.2) @@ -33874,7 +34346,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ######################################## # -@@ -51,12 +51,12 @@ +@@ -43,6 +43,13 @@ + + ## + ##

++## Allow virtual machine to interact with the xserver ++##

++##
++gen_tunable(virt_use_xserver, false) ++ ++## ++##

+ ## Allow virt to use usb devices + ##

+ ##
+@@ -51,12 +58,12 @@ virt_domain_template(svirt) role system_r types svirt_t; @@ -33890,7 +34376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt type virt_etc_t; files_config_file(virt_etc_t) -@@ -66,20 +66,26 @@ +@@ -66,20 +73,26 @@ # virt Image files type virt_image_t; # customizable virt_image(virt_image_t) @@ -33917,7 +34403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt type virtd_t; type virtd_exec_t; -@@ -90,6 +96,11 @@ +@@ -90,6 +103,11 @@ type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -33929,7 +34415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -105,10 +116,6 @@ +@@ -105,15 +123,12 @@ allow svirt_t self:udp_socket create_socket_perms; @@ -33940,7 +34426,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t) allow svirt_t svirt_image_t:dir search_dir_perms; -@@ -148,11 +155,13 @@ + manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) + manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) ++manage_fifo_files_pattern(svirt_t, svirt_image_t, svirt_image_t) + fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) + + list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) +@@ -148,11 +163,13 @@ tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) @@ -33954,7 +34446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') tunable_policy(`virt_use_sysfs',` -@@ -161,6 +170,7 @@ +@@ -161,11 +178,18 @@ tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) 
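Review bot: The tunable description `## Allow virtual machine to interact with the xserver` does not say what the boolean actually enables; the only rule it guards (added in the `@@ -161,11 +178,18 @@` hunk of this same virt.te section) is `xserver_stream_connect(svirt_t)`. An administrator toggling the boolean should be able to see that it lets any svirt_t guest process connect to the host X server socket, which is a considerably wider grant than the USB and NFS tunables next to it. Suggested wording: `## Allow confined virtual machines (svirt_t) to connect to the X server socket.`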
@@ -33962,7 +34454,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt fs_manage_dos_dirs(svirt_t) fs_manage_dos_files(svirt_t) ') -@@ -179,22 +189,30 @@ + + optional_policy(` ++ tunable_policy(`virt_use_xserver',` ++ xserver_stream_connect(svirt_t) ++ ') ++') ++ ++optional_policy(` + xen_rw_image_files(svirt_t) + ') + +@@ -179,22 +203,30 @@ # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; @@ -33996,7 +34499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -205,9 +223,15 @@ +@@ -205,9 +237,15 @@ manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -34012,7 +34515,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) logging_log_filetrans(virtd_t, virt_log_t, { file dir }) -@@ -248,18 +272,25 @@ +@@ -225,6 +263,7 @@ + kernel_read_system_state(virtd_t) + kernel_read_network_state(virtd_t) + kernel_rw_net_sysctls(virtd_t) ++kernel_read_kernel_sysctls(virtd_t) + kernel_request_load_module(virtd_t) + kernel_search_debugfs(virtd_t) + +@@ -248,18 +287,27 @@ dev_rw_kvm(virtd_t) dev_getattr_all_chr_files(virtd_t) dev_rw_mtrr(virtd_t) @@ -34031,7 +34542,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt files_read_kernel_modules(virtd_t) files_read_usr_src_files(virtd_t) -files_manage_etc_files(virtd_t) -+ ++files_relabelto_system_conf_files(virtd_t) ++files_relabelfrom_system_conf_files(virtd_t) ++ +# Manages /etc/sysconfig/system-config-firewall +files_manage_system_conf_files(virtd_t) +files_manage_system_conf_files(virtd_t) 
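Review bot: The two new lines `files_relabelto_system_conf_files(virtd_t)` and `files_relabelfrom_system_conf_files(virtd_t)` are inserted above the existing `# Manages /etc/sysconfig/system-config-firewall` comment, so the comment no longer introduces the group of system_conf rules it was written for; moving the new calls below the comment keeps all four under one explanation. While touching this spot, the duplicated `files_manage_system_conf_files(virtd_t)` context line directly after could be dropped, since the line above it already grants the same access. Relabel on system configuration files is a strong grant for a daemon; if it is needed only for that one firewall configuration file, the comment should say so.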
@@ -34039,10 +34552,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -268,6 +299,15 @@ +@@ -267,6 +315,17 @@ + fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) - ++fs_manage_hugetlbfs_dirs(virtd_t) ++fs_rw_hugetlbfs_files(virtd_t) ++ +mls_fd_share_all_levels(virtd_t) +mls_file_read_to_clearance(virtd_t) +mls_file_write_to_clearance(virtd_t) @@ -34051,11 +34567,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +mls_socket_write_to_clearance(virtd_t) +mls_socket_read_to_clearance(virtd_t) +mls_rangetrans_source(virtd_t) -+ + mcs_process_set_categories(virtd_t) - storage_manage_fixed_disk(virtd_t) -@@ -291,15 +331,22 @@ +@@ -291,15 +350,24 @@ logging_send_syslog_msg(virtd_t) @@ -34075,18 +34590,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt userdom_read_user_home_content_files(virtd_t) +userdom_relabel_user_home_files(virtd_t) +userdom_setattr_user_home_content_files(virtd_t) ++ ++consoletype_exec(virtd_t) tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -370,6 +417,7 @@ +@@ -370,6 +438,8 @@ qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) + qemu_entry_type(virt_domain) ++ qemu_exec(virt_domain) ') optional_policy(` -@@ -407,6 +455,19 @@ +@@ -407,6 +477,19 @@ allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; allow virt_domain self:tcp_socket create_stream_socket_perms; @@ -34106,7 +34624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -427,6 +488,7 @@ +@@ -427,6 +510,7 @@ corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) 
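Review bot: `consoletype_exec(virtd_t)` is added at top level of virt.te, whereas every other consoletype call on this page (for example `consoletype_domtrans(NetworkManager_t)` in the networkmanager.te hunk) sits inside an `optional_policy(`…')` block; unless consoletype is built into the base module here, a policy build without that module will fail on the unresolved interface. Wrapping it as `optional_policy(` consoletype_exec(virtd_t) ')` matches the file's convention. In the same hunk, `qemu_exec(virt_domain)` beside the existing `qemu_entry_type(virt_domain)` means a guest domain that re-executes qemu stays in its own svirt domain rather than transitioning; that looks intended, but a short comment stating it would save the next reader checking whether a domtrans was forgotten.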
@@ -34114,7 +34632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -434,10 +496,12 @@ +@@ -434,10 +518,12 @@ dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -34127,7 +34645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -445,6 +509,11 @@ +@@ -445,6 +531,11 @@ fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -34139,7 +34657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -462,8 +531,13 @@ +@@ -462,8 +553,13 @@ ') optional_policy(` @@ -36338,7 +36856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f # /var diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.19/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-06-15 17:06:19.819626772 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-09-09 13:09:09.505085410 +0200 @@ -193,8 +193,10 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; 
@@ -36534,7 +37052,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') -@@ -1637,7 +1712,7 @@ +@@ -1335,6 +1410,27 @@ + allow $1 initrc_t:dbus send_msg; + ') + ++####################################### ++## ++## Send and receive messages from ++## init over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_dbus_chat',` ++ gen_require(` ++ type init_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 init_t:dbus send_msg; ++ allow init_t $1:dbus send_msg; ++') ++ + ######################################## + ## + ## Send and receive messages from +@@ -1637,7 +1733,7 @@ type initrc_var_run_t; ') @@ -36543,7 +37089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1712,3 +1787,56 @@ +@@ -1712,3 +1808,56 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -36602,7 +37148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-08-17 10:58:03.628085191 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-09-09 10:54:48.345085410 +0200 @@ -1,5 +1,5 @@ -policy_module(init, 1.14.2) @@ -36954,10 +37500,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` consolekit_dbus_chat(initrc_t) -@@ -695,7 +814,12 @@ +@@ -695,7 +814,13 @@ ') optional_policy(` ++ milter_delete_dkim_pid_files(initrc_t) + milter_setattr_all_dirs(initrc_t) +') + 
@@ -36967,7 +37514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -718,6 +842,10 @@ +@@ -718,6 +843,10 @@ ') optional_policy(` @@ -36978,7 +37525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -739,6 +867,10 @@ +@@ -739,6 +868,10 @@ ') optional_policy(` @@ -36989,7 +37536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -760,8 +892,6 @@ +@@ -760,8 +893,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -36998,7 +37545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -770,14 +900,21 @@ +@@ -770,14 +901,21 @@ ') optional_policy(` @@ -37020,7 +37567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -790,6 +927,7 @@ +@@ -790,6 +928,7 @@ optional_policy(` udev_rw_db(initrc_t) @@ -37028,7 +37575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t udev_manage_pid_files(initrc_t) ') -@@ -798,11 +936,19 @@ +@@ -798,11 +937,19 @@ ') optional_policy(` @@ -37049,7 +37596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -812,6 +958,25 @@ +@@ -812,6 +959,25 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -37075,7 +37622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -837,3 +1002,35 @@ +@@ -837,3 +1003,35 @@ optional_policy(` zebra_read_config(initrc_t) ') 
@@ -37440,7 +37987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.19/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/iptables.te 2010-07-13 08:49:55.484502545 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/iptables.te 2010-09-09 13:43:36.973085060 +0200 @@ -14,9 +14,6 @@ type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) @@ -37530,6 +38077,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ') optional_policy(` +@@ -124,6 +139,7 @@ + ') + + optional_policy(` ++ shorewall_read_tmp_files(iptables_t) + shorewall_rw_lib_files(iptables_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.7.19/policy/modules/system/iscsi.if --- nsaserefpolicy/policy/modules/system/iscsi.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/system/iscsi.if 2010-05-28 09:42:00.221610567 +0200 
@@ -41473,8 +42028,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.19/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.fc 2010-06-28 14:07:11.693150801 +0200 -@@ -1,4 +1,14 @@ ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.fc 2010-09-09 13:46:56.201334848 +0200 +@@ -1,4 +1,15 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) @@ -41486,6 +42041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) +HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) +HOME_DIR/local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) ++HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0) +HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0) +HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 414de03..e252a7f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 54%{?dist} +Release: 55%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -469,6 +469,14 @@ exit 0 %endif %changelog +* Thu Sep 9 2010 Miroslav Grepl 3.7.19-55 +- Allow virt domains execute qemu_exec_t +- Add support for dkim-milter +- Fixes for freshclam +- Allow iptables to read shorewall tmp files +- Add boolean to allow icecast to connect to any port +- Allow freshclam to execute shell and bin_t + * Thu Sep 2 2010 Miroslav Grepl 3.7.19-54 - Allow clmvd to create tmpfs files