diff --git a/policy-20071130.patch b/policy-20071130.patch index bdd1c14..c5925e2 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -5996,7 +5996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc 2008-02-26 13:48:22.000000000 -0500 @@ -7,11 +7,11 @@ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -6032,7 +6032,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /etc/sysconfig/network-scripts/ifup-.* -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/network-scripts/ifup-.* -l gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -127,6 +135,8 @@ +@@ -99,11 +107,6 @@ + /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) + ') + +-ifdef(`distro_redhat',` +-/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:bin_t,s0) +-/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:bin_t,s0) +-') +- + # + # /sbin + # +@@ -127,6 +130,8 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
@@ -6041,7 +6053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /usr # -@@ -144,10 +154,7 @@ +@@ -144,10 +149,7 @@ /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -6053,7 +6065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) -@@ -178,6 +185,8 @@ +@@ -178,6 +180,8 @@ /usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -6062,7 +6074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -185,8 +194,12 @@ +@@ -185,8 +189,12 @@ /usr/local/Brother(/.*)?/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -6075,7 +6087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) -@@ -284,3 +297,10 @@ +@@ -284,3 +292,10 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
@@ -6088,7 +6100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.3.1/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-11-14 08:17:58.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.if 2008-02-26 11:58:10.000000000 -0500 @@ -875,6 +875,7 @@ read_lnk_files_pattern($1,bin_t,bin_t) @@ -6199,7 +6211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(xen, tcp,8002,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.3.1/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-12-12 11:35:27.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/devices.fc 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/devices.fc 2008-02-26 14:17:28.000000000 -0500 @@ -1,7 +1,7 @@ /dev -d gen_context(system_u:object_r:device_t,s0) @@ -6209,7 +6221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -12,32 +12,45 @@ +@@ -12,42 +12,58 @@ /dev/apm_bios -c gen_context(system_u:object_r:apm_bios_t,s0) /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) 
@@ -6255,7 +6267,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -48,6 +61,7 @@ + /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) + /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) ++/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0) + /dev/null -c gen_context(system_u:object_r:null_device_t,s0) /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) @@ -6263,7 +6280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0) /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) -@@ -69,9 +83,8 @@ +@@ -69,9 +85,8 @@ /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) 
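Review bot: The new netcontrol_device_t label is applied to /dev/network_latency and /dev/network_throughput here and to /dev/cpu_dma_latency in the next hunk (L5), but the third node constrains CPU idle latency rather than anything network-related, so the type name will mislead the next reader. All three appear to be the kernel's PM QoS request interfaces: a domain granted dev_rw_netcontrol (devices.if, L6) can hold a request open and keep the whole machine out of its low-power states, which is a system-wide effect worth stating. Suggest a comment above the entries in devices.fc, or on the type declaration in devices.te (L7), such as `# PM QoS request nodes: a domain holding one open constrains power management system-wide, not just networking`.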
@@ -6275,7 +6292,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -98,13 +111,23 @@ +@@ -91,6 +106,7 @@ + + /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) + ++/dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) + /dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0) + /dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0) + +@@ -98,13 +114,23 @@ /dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0) @@ -6299,9 +6324,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/pts(/.*)? <> +@@ -134,3 +160,4 @@ + /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) + /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) + ') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.3.1/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/devices.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/devices.if 2008-02-26 14:19:56.000000000 -0500 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1,device_t,device_node) @@ -6476,7 +6506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Mount a usbfs filesystem. ## ## -@@ -3322,3 +3452,96 @@ +@@ -3322,3 +3452,150 @@ typeattribute $1 devices_unconfined_type; ') 
@@ -6573,9 +6603,63 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + rw_chr_files_pattern($1,device_t,autofs_device_t) +') + ++######################################## ++## ++## Get the attributes of the network control device ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_netcontrol',` ++ gen_require(` ++ type device_t, netcontrol_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1,device_t,netcontrol_device_t) ++') ++ ++######################################## ++## ++## Read the network control identity. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_netcontrol',` ++ gen_require(` ++ type device_t, netcontrol_device_t; ++ ') ++ ++ read_chr_files_pattern($1,device_t,netcontrol_device_t) ++') ++ ++######################################## ++## ++## Read and write the the network control device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_netcontrol',` ++ gen_require(` ++ type device_t, netcontrol_device_t; ++ ') ++ ++ rw_chr_files_pattern($1,device_t,netcontrol_device_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.3.1/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2007-12-19 05:32:07.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/devices.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/devices.te 2008-02-26 14:16:11.000000000 -0500 @@ -32,6 +32,12 @@ type apm_bios_t; dev_node(apm_bios_t) 
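Review bot: The description of dev_read_netcontrol reads `## Read the network control identity.`, which looks copied from another interface's header, and dev_rw_netcontrol's reads `## Read and write the the network control device.`; both become the generated interface documentation. Suggest `## Read the network control device.` and `## Read and write the network control device.` so the three new interfaces read consistently with dev_getattr_netcontrol above them.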
@@ -6589,7 +6673,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device type cardmgr_dev_t; dev_node(cardmgr_dev_t) files_tmp_file(cardmgr_dev_t) -@@ -66,12 +72,25 @@ +@@ -49,6 +55,12 @@ + type cpu_device_t; + dev_node(cpu_device_t) + ++# ++# network control devices ++# ++type netcontrol_device_t; ++dev_node(netcontrol_device_t) ++ + # for the IBM zSeries z90crypt hardware ssl accelorator + type crypt_device_t; + dev_node(crypt_device_t) +@@ -66,12 +78,25 @@ dev_node(framebuf_device_t) # @@ -9396,7 +9493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cann +/etc/rc.d/init.d/canna -- gen_context(system_u:object_r:canna_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.if serefpolicy-3.3.1/policy/modules/services/canna.if --- nsaserefpolicy/policy/modules/services/canna.if 2007-01-02 12:57:43.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/canna.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/canna.if 2008-02-26 11:51:53.000000000 -0500 @@ -18,3 +18,74 @@ files_search_pids($1) stream_connect_pattern($1,canna_var_run_t,canna_var_run_t,canna_t) 
@@ -11210,9 +11307,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru ######################################## # # Local policy +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.3.1/policy/modules/services/dbus.fc +--- nsaserefpolicy/policy/modules/services/dbus.fc 2007-09-12 10:34:18.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/dbus.fc 2008-02-26 11:48:35.000000000 -0500 +@@ -4,6 +4,9 @@ + /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0) + /bin/dbus-daemon -- gen_context(system_u:object_r:system_dbusd_exec_t,s0) + ++/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:system_dbusd_exec_t,s0) ++/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:system_dbusd_exec_t,s0) ++ + /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) + + /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.3.1/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-02-26 12:56:03.000000000 -0500 @@ -53,6 +53,7 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; 
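Review bot: Relabeling /lib/dbus-1/dbus-daemon-launch-helper from bin_t (the distro_redhat block dropped from corecommands.fc in L1) to system_dbusd_exec_t means the helper executes in system_dbusd_t with no domain transition, and the `can_exec(system_dbusd_t,system_dbusd_exec_t)` added to dbus.te (L9) appears to exist only to permit that. Upstream installs this helper setuid root so it can start system-activated services under other users, so its privileged work is now covered by the daemon's own domain rather than by a separately auditable transition; whether system_dbusd_t carries the capabilities the helper needs is not visible in these hunks. If a dedicated helper domain is not wanted, record the decision at the can_exec line, e.g. `# dbus-daemon-launch-helper stays in system_dbusd_t; activated services leave via init_bin_domtrans_spec`.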
@@ -11266,6 +11376,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow $1_dbusd_t $2:process sigkill; allow $2 $1_dbusd_t:fd use; allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms; +@@ -115,8 +117,8 @@ + kernel_read_kernel_sysctls($1_dbusd_t) + + corecmd_list_bin($1_dbusd_t) +- corecmd_read_bin_symlinks($1_dbusd_t) + corecmd_read_bin_files($1_dbusd_t) ++ corecmd_read_bin_symlinks($1_dbusd_t) + corecmd_read_bin_pipes($1_dbusd_t) + corecmd_read_bin_sockets($1_dbusd_t) + @@ -139,6 +141,7 @@ fs_getattr_romfs($1_dbusd_t) @@ -11472,7 +11592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-02-26 10:53:25.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-02-26 14:09:20.000000000 -0500 @@ -9,6 +9,7 @@ # # Delcarations @@ -11515,7 +11635,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow system_dbusd_t self:fifo_file { read write }; allow system_dbusd_t self:dbus { send_msg acquire_svc }; allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; -@@ -65,6 +78,7 @@ +@@ -43,6 +56,8 @@ + # Receive notifications of policy reloads and enforcing status changes. + allow system_dbusd_t self:netlink_selinux_socket { create bind read }; + ++can_exec(system_dbusd_t,system_dbusd_exec_t) ++ + allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; + read_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t) + read_lnk_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t) +@@ -65,6 +80,7 @@ fs_getattr_all_fs(system_dbusd_t) fs_search_auto_mountpoints(system_dbusd_t) 
@@ -11523,15 +11652,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus selinux_get_fs_mount(system_dbusd_t) selinux_validate_context(system_dbusd_t) -@@ -91,6 +105,7 @@ +@@ -81,7 +97,6 @@ + corecmd_list_bin(system_dbusd_t) + corecmd_read_bin_pipes(system_dbusd_t) + corecmd_read_bin_sockets(system_dbusd_t) +-corecmd_exec_bin(system_dbusd_t) + + domain_use_interactive_fds(system_dbusd_t) + +@@ -91,6 +106,8 @@ init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) -+init_domtrans_script(system_dbusd_t) ++init_dbus_chat_script(system_dbusd_t) ++init_bin_domtrans_spec(system_dbusd_t) libs_use_ld_so(system_dbusd_t) libs_use_shared_libs(system_dbusd_t) -@@ -121,9 +136,20 @@ +@@ -121,9 +138,20 @@ ') optional_policy(` @@ -12300,24 +12438,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove +/etc/rc.d/init.d/dovecot -- gen_context(system_u:object_r:dovecot_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.3.1/policy/modules/services/dovecot.if --- nsaserefpolicy/policy/modules/services/dovecot.if 2008-02-26 08:17:43.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/dovecot.if 2008-02-26 10:29:56.000000000 -0500 -@@ -21,14 +21,53 @@ ++++ serefpolicy-3.3.1/policy/modules/services/dovecot.if 2008-02-26 13:09:21.000000000 -0500 +@@ -21,7 +21,46 @@ ######################################## ## -## Do not audit attempts to delete dovecot lib files. +## Connect to dovecot auth unix domain stream socket. - ## - ## --## --## Domain to not audit. --## ++## ++## +## +## Domain allowed access. +## - ## ++## +## - # ++# +interface(`dovecot_auth_stream_connect',` + gen_require(` + type dovecot_auth_t, dovecot_var_run_t; 
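Review bot: With `corecmd_exec_bin(system_dbusd_t)` removed and `init_bin_domtrans_spec(system_dbusd_t)` added, every bin_t program system_dbusd_t executes now transitions into initrc_t, a domain far broader than the daemon's own. If I read the activation model right, what gets executed is decided by the activation service files, so a mistake in one of them now lands in initrc_t rather than system_dbusd_t; a transition keyed on the activated services' own executable types would keep that boundary narrower. At minimum the intent deserves a comment on the new line, e.g. `# bus activation: programs started through the launch helper run as initrc_t and transition onward from there`. The system_dbusd_t policy block continues outside the hunk.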
@@ -12346,19 +12481,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + domtrans_pattern($1,dovecot_deliver_exec_t,dovecot_deliver_t) +') + -+######################################## -+### -+### Do not audit attempts to delete dovecot lib files. -+### -+### -+### -+### Domain to not audit. -+### -+### -+## - interface(`dovecot_dontaudit_unlink_lib_files',` - gen_require(` - type dovecot_var_lib_t; ++####################################### ++## ++## Do not audit attempts to d`elete dovecot lib files. + ## + ## + ## @@ -36,3 +75,89 @@ dontaudit $1 dovecot_var_lib_t:file unlink; @@ -15398,11 +15526,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.3.1/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-09-12 10:34:18.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc 2008-02-26 08:29:22.000000000 -0500 -@@ -1,7 +1,9 @@ ++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc 2008-02-26 14:08:24.000000000 -0500 +@@ -1,7 +1,10 @@ /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) 
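Review bot: The rewritten header for dovecot_dontaudit_unlink_lib_files contains a stray backtick, `## Do not audit attempts to d`elete dovecot lib files.`, and its `#######################################` separator is shorter than the one used by the surrounding interfaces; both end up in the generated documentation. Suggest `## Do not audit attempts to delete dovecot lib files.` with the same 40-character `########################################` separator the other interfaces in the file use.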
@@ -24225,7 +24354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-02-01 09:12:53.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-02-26 13:19:58.000000000 -0500 @@ -99,7 +99,7 @@ template(`authlogin_per_role_template',` @@ -24271,7 +24400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo # for SSP/ProPolice dev_read_urand($1) # for fingerprint readers -@@ -226,6 +242,31 @@ +@@ -226,6 +242,33 @@ seutil_read_config($1) seutil_read_default_contexts($1) @@ -24288,6 +24417,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + ') + + optional_policy(` ++ corecmd_exec_bin($1) ++ storage_getattr_fixed_disk_dev($1) + mount_domtrans($1) + ') + @@ -24303,7 +24434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo tunable_policy(`allow_polyinstantiation',` files_polyinstantiate_all($1) ') -@@ -342,6 +383,8 @@ +@@ -342,6 +385,8 @@ optional_policy(` kerberos_use($1) @@ -24312,7 +24443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') optional_policy(` -@@ -356,6 +399,28 @@ +@@ -356,6 +401,28 @@ optional_policy(` samba_stream_connect_winbind($1) ') @@ -24341,7 +24472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -369,12 +434,12 @@ +@@ -369,12 +436,12 @@ ## ## ## 
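Review bot: `corecmd_exec_bin($1)` and `storage_getattr_fixed_disk_dev($1)` are added inside the `optional_policy` block whose only other call is `mount_domtrans($1)`, so two rules from always-present kernel-layer modules become conditional on the mount module, and every domain that goes through this template (it appears to be one of the file's per-domain templates; its start is outside the hunk) gains execution of all bin_t programs. Nothing in the hunk says which PAM module needs this; a comment such as `# PAM module that mounts volumes at login needs mount, its helpers and the disk device - confirm which module` would keep the grant reviewable, and the exec grant should be narrowed if mount_domtrans alone covers the real need.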
@@ -24356,7 +24487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## ## # -@@ -386,6 +451,7 @@ +@@ -386,6 +453,7 @@ auth_domtrans_chk_passwd($1) role $2 types system_chkpwd_t; allow system_chkpwd_t $3:chr_file rw_file_perms; @@ -24364,7 +24495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -1457,6 +1523,7 @@ +@@ -1457,6 +1525,7 @@ optional_policy(` samba_stream_connect_winbind($1) samba_read_var_files($1) @@ -24372,7 +24503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -1491,3 +1558,23 @@ +@@ -1491,3 +1560,23 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -24554,7 +24685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f - diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.3.1/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-02-26 10:48:51.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-02-26 14:08:51.000000000 -0500 @@ -211,6 +211,13 @@ kernel_dontaudit_use_fds($1) ') 
@@ -24607,26 +24738,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ') -@@ -567,18 +575,46 @@ +@@ -567,23 +575,70 @@ # interface(`init_domtrans_script',` gen_require(` - type initrc_t, initrc_exec_t; + type initrc_t; + attribute initscript; - ') - - files_list_etc($1) -- domtrans_pattern($1,initrc_exec_t,initrc_t) ++ ') ++ ++ files_list_etc($1) + domtrans_pattern($1,initscript,initrc_t) - - ifdef(`enable_mcs',` -- range_transition $1 initrc_exec_t:process s0; ++ ++ ifdef(`enable_mcs',` + range_transition $1 initscript:process s0; - ') - - ifdef(`enable_mls',` -- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; ++ ') ++ ++ ifdef(`enable_mls',` + range_transition $1 initscript:process s0 - mls_systemhigh; + ') +') @@ -24644,21 +24772,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +interface(`init_script_domtrans_spec',` + gen_require(` + type initrc_t; -+ ') -+ -+ files_list_etc($1) + ') + + files_list_etc($1) +- domtrans_pattern($1,initrc_exec_t,initrc_t) + domtrans_pattern($1,$2,initrc_t) -+ -+ ifdef(`enable_mcs',` + + ifdef(`enable_mcs',` +- range_transition $1 initrc_exec_t:process s0; + range_transition $1 $2:process s0; -+ ') -+ -+ ifdef(`enable_mls',` + ') + + ifdef(`enable_mls',` +- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 $2:process s0 - mls_systemhigh; ') ') -@@ -609,11 +645,11 @@ + ######################################## + ## ++## Execute a file in a bin directory ++## in the initrc_t domain ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_bin_domtrans_spec',` ++ gen_require(` ++ type initrc_t; ++ ') ++ ++ corecmd_bin_domtrans($1, initrc_t) ++') ++ ++######################################## ++## + ## Execute a init script in a specified domain. + ## + ## +@@ -609,11 +664,11 @@ # cjp: added for gentoo integrated run_init interface(`init_script_file_domtrans',` gen_require(` 
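Review bot: The new init_bin_domtrans_spec interface calls `corecmd_bin_domtrans($1, initrc_t)` but carries none of the `ifdef(`enable_mcs'...)` / `ifdef(`enable_mls'...)` range_transition blocks that its siblings init_domtrans_script and init_script_domtrans_spec in the same hunk apply, so on MCS/MLS builds the resulting initrc_t process keeps the caller's range instead of s0 or s0 - mls_systemhigh. If the same range semantics are wanted here, the interface would look like the excerpt below (bin_t then has to be required, or the range rule exposed through a corecommands interface); if they are deliberately omitted, say so in the interface header. The docs should also state that the transition applies to every bin_t executable the caller runs, not just one helper.
```m4
interface(`init_bin_domtrans_spec',`
	gen_require(`
		type initrc_t, bin_t;
	')

	corecmd_bin_domtrans($1, initrc_t)

	ifdef(`enable_mcs',`
		range_transition $1 bin_t:process s0;
	')

	ifdef(`enable_mls',`
		range_transition $1 bin_t:process s0 - mls_systemhigh;
	')
')
```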
@@ -24672,7 +24827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -684,11 +720,11 @@ +@@ -684,11 +739,11 @@ # interface(`init_getattr_script_files',` gen_require(` @@ -24686,7 +24841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -703,11 +739,11 @@ +@@ -703,11 +758,11 @@ # interface(`init_exec_script_files',` gen_require(` @@ -24700,7 +24855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -931,6 +967,7 @@ +@@ -931,6 +986,7 @@ dontaudit $1 initrc_t:unix_stream_socket connectto; ') @@ -24708,7 +24863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ######################################## ## ## Send messages to init scripts over dbus. -@@ -1030,11 +1067,11 @@ +@@ -1030,11 +1086,11 @@ # interface(`init_read_script_files',` gen_require(` @@ -24722,7 +24877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1097,6 +1134,25 @@ +@@ -1097,6 +1153,25 @@ ######################################## ## @@ -24748,7 +24903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ## Create files in a init script ## temporary data directory. ## -@@ -1252,7 +1308,7 @@ +@@ -1252,7 +1327,7 @@ type initrc_var_run_t; ') @@ -24757,7 +24912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1273,3 +1329,112 @@ +@@ -1273,3 +1348,114 @@ files_search_pids($1) allow $1 initrc_var_run_t:file manage_file_perms; ') 
@@ -24870,6 +25025,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + allow $1 init_t:unix_dgram_socket sendto; + allow init_t $1:unix_dgram_socket sendto; +') ++ ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2008-02-26 08:17:43.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-02-26 10:49:22.000000000 -0500 diff --git a/selinux-policy.spec b/selinux-policy.spec index 6780096..798850f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -388,8 +388,12 @@ exit 0 %endif %changelog +* Tue Feb 26 2008 Dan Walsh 3.3.1-3 + * Tue Feb 26 2008 Dan Walsh 3.3.1-2 -- +- Fix Makefile.devel to build mls modules +- Fix qemu to be more specific on labeling + * Tue Feb 26 2008 Dan Walsh 3.3.1-1 - Update to upstream fixes