diff --git a/policy-F13.patch b/policy-F13.patch index 20a068e..558a15e 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -401,6 +401,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond ') optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.if serefpolicy-3.7.19/policy/modules/admin/bootloader.if +--- nsaserefpolicy/policy/modules/admin/bootloader.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/bootloader.if 2010-11-02 18:30:14.260901576 +0100 +@@ -18,6 +18,24 @@ + domtrans_pattern($1, bootloader_exec_t, bootloader_t) + ') + ++####################################### ++## ++## Execute bootloader in the caller domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`bootloader_exec',` ++ gen_require(` ++ type bootloader_exec_t; ++ ') ++ ++ can_exec($1, bootloader_exec_t) ++') ++ + ######################################## + ## + ## Execute bootloader interactively and do diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.if serefpolicy-3.7.19/policy/modules/admin/brctl.if --- nsaserefpolicy/policy/modules/admin/brctl.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/admin/brctl.if 2010-10-13 09:27:42.212650392 +0200 @@ -1395,7 +1423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.19/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/rpm.if 2010-05-28 09:41:59.958611405 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/rpm.if 2010-11-11 15:55:49.911148064 +0100 @@ -13,11 +13,36 @@ interface(`rpm_domtrans',` gen_require(` 
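Review bot: The new `bootloader_exec` interface uses `can_exec($1, bootloader_exec_t)` with no transition to `bootloader_t`, so every file and device access the bootloader performs happens with the caller's own permissions, and the summary should spell out that contrast with `bootloader_domtrans` directly above it instead of leaving it implicit. I would add a summary line such as `## No transition to bootloader_t occurs; the caller must itself be allowed whatever /boot and device access the bootloader needs.` The rest of bootloader.if, including which domain will call this, is outside the hunk.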
@@ -1728,11 +1756,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ## Do not audit attempts to create, read, ## write, and delete the RPM package database. ## -@@ -283,3 +553,120 @@ +@@ -283,3 +553,138 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') + ++###################################### ++## ++## Dontaudit search the RPM package database. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_dontaudit_search_db',` ++ gen_require(` ++ type rpm_var_lib_t; ++ ') ++ ++ dontaudit $1 rpm_var_lib_t:dir list_dir_perms; ++') ++ +##################################### +## +## Read rpm pid files. @@ -3445,8 +3491,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.19/policy/modules/apps/firewallgui.te --- nsaserefpolicy/policy/modules/apps/firewallgui.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/firewallgui.te 2010-10-01 15:25:08.567599755 +0200 -@@ -0,0 +1,67 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/firewallgui.te 2010-11-11 15:54:48.726147945 +0100 +@@ -0,0 +1,70 @@ + +policy_module(firewallgui,1.0.0) + @@ -3514,6 +3560,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall + policykit_dbus_chat(firewallgui_t) +') + ++optional_policy(` ++ rpm_dontaudit_search_db(firewallgui_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.7.19/policy/modules/apps/gitosis.fc --- nsaserefpolicy/policy/modules/apps/gitosis.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/apps/gitosis.fc 2010-06-08 14:54:39.156860589 +0200 
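Review bot: `rpm_dontaudit_search_db` is named for search, but its rule silences `list_dir_perms` on `rpm_var_lib_t`, which also covers `read`/`open` of the directory (listing), so the interface hides more than its summary promises and the `firewallgui_t` caller added in the same change gets the wider dontaudit. Either narrow it to `dontaudit $1 rpm_var_lib_t:dir search_dir_perms;` or rename it `rpm_dontaudit_list_db` and fix the summary so the name and the permission set agree. Dontaudit rules are easy to over-widen because they never surface as denials later.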
@@ -10059,7 +10108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.19/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-09-09 09:56:22.877085209 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-11-11 16:56:14.983399503 +0100 @@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -10073,12 +10122,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1408,6 +1406,24 @@ +@@ -1408,6 +1406,42 @@ allow $1 mountpoint:dir getattr; ') +####################################### +## ++## Get the attributes of all mount points. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_setattr_all_mountpoints',` ++ gen_require(` ++ attribute mountpoint; ++ ') ++ ++ allow $1 mountpoint:dir setattr; ++') ++ ++####################################### ++## +## Do not audit listing of all mount points. +## +## @@ -10098,7 +10165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Search all mount points. -@@ -1428,6 +1444,42 @@ +@@ -1428,6 +1462,42 @@ ######################################## ## @@ -10141,7 +10208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## List the contents of the root directory. ## ## -@@ -1552,6 +1604,24 @@ +@@ -1552,6 +1622,24 @@ ######################################## ## 
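Review bot: The summary of the new `files_setattr_all_mountpoints` reads `Get the attributes of all mount points.`, copied from the `getattr` interface just above it, while the rule it wraps is `allow $1 mountpoint:dir setattr;`. Misdocumenting the direction of access matters here: a policy author choosing this interface by its summary would believe it is read-only. Change the summary line to `## Set the attributes of all mount points.` and consider noting that it applies to every directory carrying the `mountpoint` attribute, not only /mnt.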
@@ -10166,7 +10233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Remove entries from the root directory. ## ## -@@ -1697,6 +1767,24 @@ +@@ -1697,6 +1785,24 @@ ######################################## ## @@ -10191,7 +10258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Create a private type object in boot ## with an automatic type transition ## -@@ -1740,7 +1828,7 @@ +@@ -1740,7 +1846,7 @@ type boot_t; ') @@ -10200,7 +10267,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2209,6 +2297,24 @@ +@@ -1781,6 +1887,25 @@ + relabelfrom_files_pattern($1, boot_t, boot_t) + ') + ++####################################### ++## ++## Read symbolic links ++## in the /boot directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_boot_symlinks',` ++ gen_require(` ++ type boot_t; ++ ') ++ ++ read_lnk_files_pattern($1, boot_t, boot_t) ++') ++ + ######################################## + ## + ## Read and write symbolic links +@@ -2209,6 +2334,24 @@ allow $1 etc_t:dir rw_dir_perms; ') @@ -10225,7 +10318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ########################################## ## ## Manage generic directories in /etc -@@ -2280,6 +2386,7 @@ +@@ -2280,6 +2423,7 @@ allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -10233,7 +10326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2362,6 +2469,24 @@ +@@ -2362,6 +2506,24 @@ ######################################## ## 
@@ -10258,7 +10351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Execute generic files in /etc. ## ## -@@ -2789,6 +2914,120 @@ +@@ -2789,6 +2951,120 @@ ######################################## ## @@ -10379,7 +10472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Create, read, write, and delete files ## on new filesystems that have not yet been labeled. ## -@@ -2899,6 +3138,7 @@ +@@ -2899,6 +3175,7 @@ ') allow $1 home_root_t:dir getattr; @@ -10387,7 +10480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2919,6 +3159,7 @@ +@@ -2919,6 +3196,7 @@ ') dontaudit $1 home_root_t:dir getattr; @@ -10395,7 +10488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2937,6 +3178,7 @@ +@@ -2937,6 +3215,7 @@ ') allow $1 home_root_t:dir search_dir_perms; @@ -10403,7 +10496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2956,6 +3198,7 @@ +@@ -2956,6 +3235,7 @@ ') dontaudit $1 home_root_t:dir search_dir_perms; @@ -10411,7 +10504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2975,6 +3218,7 @@ +@@ -2975,6 +3255,7 @@ ') dontaudit $1 home_root_t:dir list_dir_perms; @@ -10419,7 +10512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2993,6 +3237,7 @@ +@@ -2993,6 +3274,7 @@ ') allow $1 home_root_t:dir list_dir_perms; @@ -10427,7 +10520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3156,6 +3401,24 @@ +@@ -3156,6 +3438,24 @@ allow $1 mnt_t:dir list_dir_perms; ') 
@@ -10452,7 +10545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Mount a filesystem on /mnt. -@@ -3229,6 +3492,24 @@ +@@ -3229,6 +3529,24 @@ read_files_pattern($1, mnt_t, mnt_t) ') @@ -10477,7 +10570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. -@@ -3520,57 +3801,151 @@ +@@ -3520,27 +3838,121 @@ allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -10517,50 +10610,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. -######################################## +###################################### - ## --## Get the attributes of the tmp directory (/tmp). ++## +## Manage manageable system configuration files in /etc. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_getattr_tmp_dirs',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_manage_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') - -- allow $1 tmp_t:dir getattr; ++ + manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t) - ') - --######################################## ++') ++ +####################################### - ## --## Do not audit attempts to get the --## attributes of the tmp directory (/tmp). ++## +## Relabel manageable system configuration files in /etc. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_dontaudit_getattr_tmp_dirs',` -- gen_require(` ++## ++# +interface(`files_relabelto_system_conf_files',` + gen_require(` + type usr_t; 
@@ -10627,40 +10703,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +') + +######################################## -+## -+## Get the attributes of the tmp directory (/tmp). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_getattr_tmp_dirs',` -+ gen_require(` -+ type tmp_t; -+ ') -+ -+ allow $1 tmp_t:dir getattr; -+') -+ -+######################################## -+## -+## Do not audit attempts to get the -+## attributes of the tmp directory (/tmp). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_dontaudit_getattr_tmp_dirs',` -+ gen_require(` - type tmp_t; - ') - -@@ -3705,6 +4080,32 @@ + ## + ## Get the attributes of the tmp directory (/tmp). + ## +@@ -3705,6 +4117,32 @@ ######################################## ## @@ -10693,7 +10739,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Manage temporary files and directories in /tmp. ## ## -@@ -3918,6 +4319,13 @@ +@@ -3918,6 +4356,13 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -10707,7 +10753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4013,6 +4421,24 @@ +@@ -4013,6 +4458,24 @@ ######################################## ## @@ -10732,7 +10778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Delete generic files in /usr in the caller domain. ## ## -@@ -4026,7 +4452,7 @@ +@@ -4026,7 +4489,7 @@ type usr_t; ') @@ -10741,7 +10787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4107,6 +4533,24 @@ +@@ -4107,6 +4570,24 @@ ######################################## ## 
@@ -10766,7 +10812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## dontaudit write of /usr files ## ## -@@ -5032,6 +5476,43 @@ +@@ -5032,6 +5513,43 @@ search_dirs_pattern($1, var_t, var_run_t) ') @@ -10810,7 +10856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Do not audit attempts to search -@@ -5091,6 +5572,24 @@ +@@ -5091,6 +5609,24 @@ ######################################## ## @@ -10835,7 +10881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Create an object in the process ID directory, with a private type. ## ## -@@ -5238,6 +5737,7 @@ +@@ -5238,6 +5774,7 @@ list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -10843,7 +10889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -5306,6 +5806,24 @@ +@@ -5306,6 +5843,24 @@ ######################################## ## @@ -10868,7 +10914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -5494,12 +6012,15 @@ +@@ -5494,12 +6049,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -10885,7 +10931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ') -@@ -5520,3 +6041,229 @@ +@@ -5520,3 +6078,229 @@ typeattribute $1 files_unconfined_type; ') 
@@ -15870,7 +15916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-10-25 09:58:11.608650337 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-11-11 16:12:33.885398972 +0100 @@ -19,11 +19,13 @@ # Declarations # @@ -16100,7 +16146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + +## +##

-+## Allow Apache to use mod_auth_pam ++## Allow Apache to use mod_auth_ntlm_winbind +##

+##
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) @@ -16832,18 +16878,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.7.19/policy/modules/services/bitlbee.te --- nsaserefpolicy/policy/modules/services/bitlbee.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/bitlbee.te 2010-06-09 23:44:39.315208775 +0200 -@@ -27,7 +27,8 @@ ++++ serefpolicy-3.7.19/policy/modules/services/bitlbee.te 2010-11-10 09:41:46.688398097 +0100 +@@ -27,13 +27,13 @@ # # Local policy # -# -+ -+allow bitlbee_t self:capability { setgid setuid }; ++allow bitlbee_t self:capability { setgid setuid }; ++allow bitlbee_t self:process { setsched signal }; allow bitlbee_t self:udp_socket create_socket_perms; allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms }; -@@ -81,6 +82,10 @@ + allow bitlbee_t self:unix_stream_socket create_stream_socket_perms; + allow bitlbee_t self:fifo_file rw_fifo_file_perms; +-allow bitlbee_t self:process signal; + + bitlbee_read_config(bitlbee_t) + +@@ -81,6 +81,10 @@ libs_legacy_use_shared_libs(bitlbee_t) @@ -19364,8 +19416,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.19/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-09-16 17:00:39.810387061 +0200 -@@ -0,0 +1,144 @@ ++++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-11-08 15:05:45.930398628 +0100 +@@ -0,0 +1,145 @@ + +policy_module(corosync,1.0.0) + 
@@ -19405,8 +19457,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro +# corosync local policy +# + -+allow corosync_t self:capability { dac_override sys_nice sys_ptrace sys_resource ipc_lock }; -+allow corosync_t self:process { setrlimit setsched signal signull }; ++allow corosync_t self:capability { dac_override setuid sys_nice sys_ptrace sys_resource ipc_lock }; ++allow corosync_t self:process { setpgid setrlimit setsched signal signull }; + +allow corosync_t self:fifo_file rw_fifo_file_perms; +allow corosync_t self:sem create_sem_perms; @@ -19443,6 +19495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + +kernel_read_system_state(corosync_t) +kernel_read_network_state(corosync_t) ++kernel_read_net_sysctls(corosync_t) + +domain_read_all_domains_state(corosync_t) + @@ -20160,7 +20213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.19/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/cups.te 2010-08-11 14:30:44.731085160 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cups.te 2010-11-11 16:08:06.457149130 +0100 @@ -16,6 +16,7 @@ type cupsd_t; type cupsd_exec_t; @@ -20389,7 +20442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups kernel_read_system_state(cups_pdf_t) files_read_etc_files(cups_pdf_t) -@@ -554,15 +598,22 @@ +@@ -554,15 +598,23 @@ miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) 
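Review bot: `setuid` is added to corosync_t's self capabilities next to `dac_override`, `sys_ptrace` and `sys_resource`, and `setpgid` to its process permissions, without a comment on which corosync code path needs either. A new capability on a daemon that already has `domain_read_all_domains_state` deserves a why-line; if this is corosync switching to the uid/gid named in its configuration for client IPC — which I presume but cannot tell from the hunk — record it as `# setuid: corosync drops to the configured uidgid for client IPC`. If the denial actually came from a helper it spawns, a domain transition for that helper would be the narrower fix than a capability on corosync_t.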
@@ -20397,6 +20450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups userdom_home_filetrans_user_home_dir(cups_pdf_t) +userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir }) ++userdom_read_user_home_content_symlinks(cups_pdf_t) userdom_manage_user_home_content_dirs(cups_pdf_t) userdom_manage_user_home_content_files(cups_pdf_t) +userdom_dontaudit_search_admin_dir(cups_pdf_t) @@ -20412,7 +20466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_manage_nfs_dirs(cups_pdf_t) fs_manage_nfs_files(cups_pdf_t) ') -@@ -601,6 +652,9 @@ +@@ -601,6 +653,9 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) @@ -20422,7 +20476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) -@@ -627,6 +681,7 @@ +@@ -627,6 +682,7 @@ corenet_tcp_connect_ipp_port(hplip_t) corenet_sendrecv_hplip_client_packets(hplip_t) corenet_receive_hplip_server_packets(hplip_t) @@ -20430,7 +20484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups dev_read_sysfs(hplip_t) dev_rw_printer(hplip_t) -@@ -647,6 +702,8 @@ +@@ -647,6 +703,8 @@ files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) @@ -21490,7 +21544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-09-23 15:00:20.316636690 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-11-10 09:36:59.500167274 +0100 
@@ -9,6 +9,9 @@ type dovecot_exec_t; init_daemon_domain(dovecot_t, dovecot_exec_t) @@ -21600,7 +21654,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove seutil_sigchld_newrole(dovecot_t) ') -@@ -172,11 +203,6 @@ +@@ -166,17 +197,14 @@ + + allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; + ++read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t) ++ + read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) + + manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) @@ -21612,7 +21674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) dovecot_stream_connect_auth(dovecot_auth_t) -@@ -197,11 +223,13 @@ +@@ -197,11 +225,13 @@ files_search_pids(dovecot_auth_t) files_read_usr_files(dovecot_auth_t) files_read_usr_symlinks(dovecot_auth_t) @@ -21627,7 +21689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove miscfiles_read_localization(dovecot_auth_t) seutil_dontaudit_search_config(dovecot_auth_t) -@@ -225,6 +253,7 @@ +@@ -225,6 +255,7 @@ ') optional_policy(` @@ -21635,7 +21697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove postfix_search_spool(dovecot_auth_t) ') -@@ -234,18 +263,35 @@ +@@ -234,18 +265,35 @@ # allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; 
@@ -21671,7 +21733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove miscfiles_read_localization(dovecot_deliver_t) -@@ -263,15 +309,24 @@ +@@ -263,15 +311,24 @@ userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) tunable_policy(`use_nfs_home_dirs',` @@ -24513,8 +24575,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.te serefpolicy-3.7.19/policy/modules/services/mpd.te --- nsaserefpolicy/policy/modules/services/mpd.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/mpd.te 2010-07-09 09:35:18.424385283 +0200 -@@ -0,0 +1,112 @@ ++++ serefpolicy-3.7.19/policy/modules/services/mpd.te 2010-11-11 20:18:12.828425369 +0100 +@@ -0,0 +1,122 @@ + +policy_module(mpd,1.0.0) + @@ -24614,6 +24676,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. +userdom_read_home_audio_files(mpd_t) +userdom_read_user_tmpfs_files(mpd_t) + ++tunable_policy(`use_samba_home_dirs',` ++ fs_read_cifs_files(mpd_t) ++ fs_read_cifs_symlinks(mpd_t) ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_read_nfs_files(mpd_t) ++ fs_read_nfs_symlinks(mpd_t) ++') ++ +optional_policy(` + dbus_system_bus_client(mpd_t) +') @@ -25792,19 +25864,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.19/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/nagios.te 2010-09-09 11:00:52.622085022 +0200 -@@ -6,17 +6,23 @@ - # Declarations - # - -+## -+##

-+## Allow fenced domain to connect to the network using TCP. -+##

-+##
-+gen_tunable(nagios_plugin_dontaudit_bind_port, false) -+ - type nagios_t; ++++ serefpolicy-3.7.19/policy/modules/services/nagios.te 2010-11-11 16:15:32.446172203 +0100 +@@ -10,13 +10,12 @@ type nagios_exec_t; init_daemon_domain(nagios_t, nagios_exec_t) @@ -25821,7 +25882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi type nagios_log_t; logging_log_file(nagios_log_t) -@@ -26,6 +32,9 @@ +@@ -26,6 +25,9 @@ type nagios_var_run_t; files_pid_file(nagios_var_run_t) @@ -25831,7 +25892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi type nrpe_t; type nrpe_exec_t; init_daemon_domain(nrpe_t, nrpe_exec_t) -@@ -33,6 +42,44 @@ +@@ -33,6 +35,44 @@ type nrpe_etc_t; files_config_file(nrpe_etc_t) @@ -25876,7 +25937,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ######################################## # # Nagios local policy -@@ -60,6 +107,9 @@ +@@ -60,6 +100,9 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) @@ -25886,7 +25947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi kernel_read_system_state(nagios_t) kernel_read_kernel_sysctls(nagios_t) -@@ -76,6 +126,9 @@ +@@ -76,6 +119,9 @@ corenet_udp_sendrecv_all_ports(nagios_t) corenet_tcp_connect_all_ports(nagios_t) @@ -25896,7 +25957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi dev_read_sysfs(nagios_t) dev_read_urand(nagios_t) -@@ -86,13 +139,12 @@ +@@ -86,13 +132,12 @@ files_read_etc_files(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) @@ -25912,7 +25973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi auth_use_nsswitch(nagios_t) logging_send_syslog_msg(nagios_t) -@@ -103,12 +155,13 @@ +@@ -103,12 +148,13 @@ userdom_dontaudit_search_user_home_dirs(nagios_t) mta_send_mail(nagios_t) 
@@ -25929,7 +25990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi optional_policy(` seutil_sigchld_newrole(nagios_t) -@@ -118,61 +171,63 @@ +@@ -118,61 +164,63 @@ udev_read_db(nagios_t) ') @@ -26025,7 +26086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi kernel_read_system_state(nrpe_t) kernel_read_kernel_sysctls(nrpe_t) -@@ -183,11 +238,15 @@ +@@ -183,11 +231,15 @@ dev_read_urand(nrpe_t) domain_use_interactive_fds(nrpe_t) @@ -26041,7 +26102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi logging_send_syslog_msg(nrpe_t) miscfiles_read_localization(nrpe_t) -@@ -199,6 +258,11 @@ +@@ -199,6 +251,11 @@ ') optional_policy(` @@ -26053,7 +26114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi seutil_sigchld_newrole(nrpe_t) ') -@@ -209,3 +273,151 @@ +@@ -209,3 +266,145 @@ optional_policy(` udev_read_db(nrpe_t) ') @@ -26155,12 +26216,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + +files_read_usr_files(nagios_services_plugin_t) + -+# just workaround for now -+tunable_policy(`nagios_plugin_dontaudit_bind_port',` -+ corenet_dontaudit_tcp_bind_all_ports(nagios_services_plugin_t) -+ corenet_dontaudit_udp_bind_all_ports(nagios_services_plugin_t) -+') -+ +optional_policy(` + netutils_domtrans_ping(nagios_services_plugin_t) + netutils_signal_ping(nagios_services_plugin_t) 
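Review bot: The `nagios_plugin_dontaudit_bind_port` tunable and its `corenet_dontaudit_tcp_bind_all_ports`/`corenet_dontaudit_udp_bind_all_ports` block are removed, which is the right direction because a blanket dontaudit on binding any port hid real denials from `nagios_services_plugin_t`, but nothing in the hunk replaces it. If some plugin genuinely binds a local port (the removed comment called this `just workaround for now`), those AVCs will now be audited again and the proper fix is an explicit bind on a generic or dedicated port type for that plugin's domain rather than restoring the dontaudit. The tunable's description also wrongly spoke of the fenced domain, so nothing useful is lost with it.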
@@ -26390,7 +26445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.19/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2010-09-09 10:04:37.547084791 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2010-11-10 10:33:17.378148982 +0100 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -26953,11 +27008,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.19/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/nscd.if 2010-05-28 09:42:00.138610784 +0200 -@@ -121,6 +121,24 @@ ++++ serefpolicy-3.7.19/policy/modules/services/nscd.if 2010-11-11 16:02:13.620399037 +0100 +@@ -112,11 +112,33 @@ + allow $1 self:unix_stream_socket create_socket_perms; - ######################################## - ## + allow $1 nscd_t:nscd { getpwd getgrp gethost }; ++ ++ ps_process_pattern(nscd_t, $1) ++ + dontaudit $1 nscd_t:fd use; + dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; + files_search_pids($1) + stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) + dontaudit $1 nscd_var_run_t:file { getattr read }; ++ ++') ++ ++######################################## ++## +## Use nscd services +## +## 
@@ -26972,14 +27040,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd + ',` + nscd_socket_use($1) + ') -+') -+ -+######################################## -+## - ## Use NSCD services by mapping the database from - ## an inherited NSCD file descriptor. - ## -@@ -168,7 +186,7 @@ + ') + + ######################################## +@@ -168,7 +190,7 @@ type nscd_var_run_t; ') @@ -30268,7 +30332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.7.19/policy/modules/services/puppet.te --- nsaserefpolicy/policy/modules/services/puppet.te 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/puppet.te 2010-09-16 15:40:46.667386897 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/puppet.te 2010-11-10 09:56:12.468147284 +0100 @@ -192,7 +192,14 @@ manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) @@ -30284,7 +30348,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp kernel_read_system_state(puppetmaster_t) kernel_read_crypto_sysctls(puppetmaster_t) -@@ -222,6 +229,8 @@ +@@ -218,10 +225,13 @@ + logging_send_syslog_msg(puppetmaster_t) + + miscfiles_read_localization(puppetmaster_t) ++miscfiles_read_certs(puppetmaster_t) + sysnet_dns_name_resolve(puppetmaster_t) sysnet_run_ifconfig(puppetmaster_t, system_r) @@ -30293,7 +30362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -232,3 +241,8 @@ +@@ -232,3 +242,8 @@ rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') 
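Review bot: `ps_process_pattern(nscd_t, $1)` added to `nscd_socket_use` grants nscd_t the whole `/proc/<pid>` tree of every caller (dir listing, file and symlink read, process getattr), and since nearly every domain reaches this interface through `auth_use_nsswitch`, nscd can now read `cmdline`, `environ` and `maps` of practically all confined processes. If the denial behind it is nscd resolving the client's `/proc/<pid>/exe` link — the common cause, though the AVC is not shown here — the least-privilege rule is `allow nscd_t $1:dir search_dir_perms;` followed by `read_lnk_files_pattern(nscd_t, $1, $1)`. A comment such as `# nscd reads the client's /proc/<pid>/exe link` would record why a daemon is reaching into its clients. The extra blank line inserted before the closing `')` looks unintentional.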
@@ -30701,8 +30770,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.te serefpolicy-3.7.19/policy/modules/services/qpidd.te --- nsaserefpolicy/policy/modules/services/qpidd.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/qpidd.te 2010-08-24 15:45:39.029334176 +0200 -@@ -0,0 +1,59 @@ ++++ serefpolicy-3.7.19/policy/modules/services/qpidd.te 2010-11-11 16:21:18.340430870 +0100 +@@ -0,0 +1,63 @@ +policy_module(qpidd,1.0.0) + +######################################## @@ -30762,6 +30831,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid +miscfiles_read_localization(qpidd_t) + +sysnet_dns_name_resolve(qpidd_t) ++ ++optional_policy(` ++ corosync_stream_connect(qpidd_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.if serefpolicy-3.7.19/policy/modules/services/radius.if --- nsaserefpolicy/policy/modules/services/radius.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/radius.if 2010-09-16 15:25:26.911637199 +0200 
@@ -30904,6 +30977,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo +') + ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.7.19/policy/modules/services/remotelogin.te +--- nsaserefpolicy/policy/modules/services/remotelogin.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/remotelogin.te 2010-11-08 15:03:03.626165758 +0100 +@@ -50,6 +50,7 @@ + fs_search_auto_mountpoints(remote_login_t) + + term_relabel_all_ptys(remote_login_t) ++term_use_all_ptys(remote_login_t) + + auth_rw_login_records(remote_login_t) + auth_rw_faillog(remote_login_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/resmgr.if serefpolicy-3.7.19/policy/modules/services/resmgr.if --- nsaserefpolicy/policy/modules/services/resmgr.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/resmgr.if 2010-09-16 15:29:11.862636875 +0200 @@ -31796,8 +31880,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-09-16 17:00:39.818386668 +0200 -@@ -0,0 +1,257 @@ ++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-11-10 09:52:06.897160419 +0100 +@@ -0,0 +1,259 @@ + +policy_module(rhcs,1.1.0) + @@ -31971,6 +32055,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + +allow groupd_t self:shm create_shm_perms; + ++domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) ++ +dev_list_sysfs(groupd_t) + +files_read_etc_files(groupd_t) 
@@ -35629,7 +35715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp logging_list_logs($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.19/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/uucp.te 2010-08-04 15:04:00.352085562 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/uucp.te 2010-11-11 16:29:14.234398746 +0100 @@ -84,6 +84,7 @@ corenet_udp_sendrecv_generic_node(uucpd_t) corenet_tcp_sendrecv_all_ports(uucpd_t) @@ -35649,6 +35735,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp ######################################## # # UUX Local policy +@@ -125,6 +130,8 @@ + uucp_append_log(uux_t) + uucp_manage_spool(uux_t) + ++domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t) ++ + corecmd_exec_bin(uux_t) + + files_read_etc_files(uux_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.7.19/policy/modules/services/varnishd.if --- nsaserefpolicy/policy/modules/services/varnishd.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/varnishd.if 2010-05-28 09:42:00.198610771 +0200 @@ -37243,7 +37338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-11-02 17:43:43.719667433 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-11-02 18:15:31.232651388 +0100 @@ -1,5 +1,5 @@ -policy_module(xserver, 3.3.2) 
@@ -37251,7 +37346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser gen_require(` class x_drawable all_x_drawable_perms; -@@ -36,6 +36,13 @@ +@@ -36,6 +36,20 @@ ## ##

@@ -37262,10 +37357,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + +## +##

++## Allows xdm to execute bootloader ++##

++##
++gen_tunable(xdm_exec_bootloader, false) ++ ++## ++##

## Allow xdm logins as sysadm ##

##
-@@ -48,6 +55,16 @@ +@@ -48,6 +62,16 @@ ## gen_tunable(xserver_object_manager, false) @@ -37282,7 +37384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser attribute x_domain; # X Events -@@ -110,21 +127,26 @@ +@@ -110,21 +134,26 @@ type user_fonts_t; typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; @@ -37309,7 +37411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; application_domain(iceauth_t, iceauth_exec_t) ubac_constrained(iceauth_t) -@@ -132,6 +154,7 @@ +@@ -132,6 +161,7 @@ type iceauth_home_t; typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; @@ -37317,7 +37419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_poly_member(iceauth_home_t) userdom_user_home_content(iceauth_home_t) -@@ -139,17 +162,20 @@ +@@ -139,17 +169,20 @@ type xauth_exec_t; typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t }; typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t }; @@ -37338,7 +37440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; files_tmp_file(xauth_tmp_t) ubac_constrained(xauth_tmp_t) -@@ -164,16 +190,21 @@ +@@ -164,16 +197,21 @@ type xdm_exec_t; auth_login_pgm_domain(xdm_t) init_domain(xdm_t, xdm_exec_t) @@ -37363,7 +37465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser type xdm_var_lib_t; files_type(xdm_var_lib_t) -@@ -181,13 +212,27 @@ +@@ -181,13 +219,27 @@ type xdm_var_run_t; files_pid_file(xdm_var_run_t) 
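Review bot: The description of the new tunable, `## Allows xdm to execute bootloader`, does not tell an administrator what enabling it actually opens up, and a boolean description is the one place that information is read before the switch is flipped. By refpolicy naming a `*_exec` interface runs the binary in the caller's domain rather than transitioning, and the `xdm_exec_bootloader` block later in this file section also grants read access to boot files and symlinks, so a wording such as `## Allow xdm to execute the bootloader tooling in the xdm domain and read /boot (off by default)` would match the rule's scope. Because `gen_tunable(xdm_exec_bootloader, false)` defaults to off, nothing changes until it is enabled, which is worth stating in the description as well.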
@@ -37392,7 +37494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # type for /var/lib/xkb type xkb_var_lib_t; files_type(xkb_var_lib_t) -@@ -200,15 +245,9 @@ +@@ -200,15 +252,9 @@ init_system_domain(xserver_t, xserver_exec_t) ubac_constrained(xserver_t) @@ -37410,7 +37512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_tmpfs_file(xserver_tmpfs_t) ubac_constrained(xserver_tmpfs_t) -@@ -238,9 +277,13 @@ +@@ -238,9 +284,13 @@ allow xdm_t iceauth_home_t:file read_file_perms; @@ -37424,7 +37526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(iceauth_t) -@@ -250,50 +293,106 @@ +@@ -250,50 +300,106 @@ fs_manage_cifs_files(iceauth_t) ') @@ -37537,7 +37639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -305,20 +404,33 @@ +@@ -305,20 +411,33 @@ # XDM Local policy # @@ -37574,7 +37676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -326,32 +438,55 @@ +@@ -326,32 +445,55 @@ allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) @@ -37635,7 +37737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xserver_t:unix_stream_socket connectto; allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; -@@ -359,10 +494,13 @@ +@@ -359,10 +501,13 @@ # transition to the xdm xserver domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) 
@@ -37649,7 +37751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -371,18 +509,25 @@ +@@ -371,18 +516,25 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -37676,7 +37778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -394,11 +539,14 @@ +@@ -394,11 +546,14 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -37691,7 +37793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -406,6 +554,7 @@ +@@ -406,6 +561,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -37699,7 +37801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -414,18 +563,22 @@ +@@ -414,18 +570,22 @@ dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -37725,7 +37827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -436,9 +589,17 @@ +@@ -436,9 +596,17 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) 
@@ -37743,7 +37845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -447,14 +608,21 @@ +@@ -447,14 +615,21 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -37765,7 +37867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -465,10 +633,12 @@ +@@ -465,10 +640,12 @@ logging_read_generic_logs(xdm_t) @@ -37780,7 +37882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -477,6 +647,12 @@ +@@ -477,6 +654,12 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -37793,7 +37895,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -508,11 +684,17 @@ +@@ -495,6 +678,12 @@ + fs_exec_cifs_files(xdm_t) + ') + ++tunable_policy(`xdm_exec_bootloader',` ++ bootloader_exec(xdm_t) ++ files_read_boot_files(xdm_t) ++ files_read_boot_symlinks(xdm_t) ++') ++ + tunable_policy(`xdm_sysadm_login',` + userdom_xsession_spec_domtrans_all_users(xdm_t) + # FIXME: +@@ -508,11 +697,17 @@ ') optional_policy(` @@ -37811,7 +37926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -520,12 +702,51 @@ +@@ -520,12 +715,51 @@ ') optional_policy(` @@ -37863,7 +37978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser hostname_exec(xdm_t) ') -@@ -543,20 +764,63 @@ +@@ -543,20 +777,63 @@ ') optional_policy(` 
@@ -37929,7 +38044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -565,7 +829,6 @@ +@@ -565,7 +842,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -37937,7 +38052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -576,6 +839,10 @@ +@@ -576,6 +852,10 @@ ') optional_policy(` @@ -37948,7 +38063,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -600,10 +867,9 @@ +@@ -600,10 +880,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -37960,7 +38075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -615,6 +881,18 @@ +@@ -615,6 +894,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -37979,7 +38094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -634,12 +912,19 @@ +@@ -634,12 +925,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -38001,7 +38116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -647,6 +932,7 @@ +@@ -647,6 +945,7 @@ # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) 
@@ -38009,7 +38124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -673,7 +959,6 @@ +@@ -673,7 +972,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -38017,7 +38132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +968,12 @@ +@@ -683,9 +981,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -38031,7 +38146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +988,13 @@ +@@ -700,8 +1001,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -38045,7 +38160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,11 +1016,14 @@ +@@ -723,11 +1029,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -38060,7 +38175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -779,12 +1075,28 @@ +@@ -779,12 +1088,28 @@ ') optional_policy(` @@ -38090,7 +38205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -811,7 +1123,7 @@ +@@ -811,7 +1136,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; 
@@ -38099,7 +38214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1144,14 @@ +@@ -832,9 +1157,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -38114,7 +38229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1166,14 @@ +@@ -849,11 +1179,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -38131,7 +38246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -999,3 +1319,33 @@ +@@ -999,3 +1332,34 @@ allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -38149,6 +38264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + allow xserver_t self:process { execheap execmem execstack }; +') + ++ +# Hack to handle the problem of using the nvidia blobs +tunable_policy(`allow_execmem',` + allow xdm_t self:process execmem; @@ -38246,7 +38362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic ssh_rw_stream_sockets(application_domain_type) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.19/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/authlogin.fc 2010-05-28 09:42:00.209610947 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/authlogin.fc 2010-11-10 15:15:13.229148284 +0100 
@@ -10,6 +10,7 @@ /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) @@ -38255,6 +38371,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ifdef(`distro_suse', ` +@@ -39,6 +40,7 @@ + /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) + + /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) ++/var/run/faillock(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) + /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) + /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.19/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-11-02 16:59:22.380650718 +0100 @@ -40017,8 +40141,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.19/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/iscsi.te 2010-09-15 15:53:35.451386747 +0200 -@@ -77,6 +77,8 @@ ++++ serefpolicy-3.7.19/policy/modules/system/iscsi.te 2010-11-08 16:19:07.128446678 +0100 +@@ -77,9 +77,12 @@ dev_rw_sysfs(iscsid_t) dev_rw_userio_dev(iscsid_t) 
@@ -40027,7 +40151,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) -@@ -92,5 +94,5 @@ ++domain_dontaudit_ptrace_all_domains(iscsid_t) + + files_read_etc_files(iscsid_t) + +@@ -92,5 +95,5 @@ miscfiles_read_localization(iscsid_t) optional_policy(` @@ -40050,7 +40178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump. dev_read_sysfs(kdump_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.19/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-09-24 12:55:11.845386098 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-11-11 16:35:19.332397032 +0100 @@ -127,17 +127,23 @@ /usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40068,7 +40196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar -/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/vlc/plugins/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/vlc/codec/plugins/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib64/vlc/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/vlc/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
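Review bot: Widening `/usr/lib64/vlc/.*\.so` to `/usr/lib(64)?/vlc/.*\.so` labels every shared object under either vlc tree as textrel_shlib_t, the type that is permitted to be mapped with text relocations, so the specific vlc entries kept beside it (the `librealaudio_plugin\.so` lines) and `/usr/lib/vlc/plugins/video_filter/libvideo_filter_wrapper_plugin\.so`, added in the `@@ -40262,7 +40399,7 @@` hunk of the same file, are already covered by the catch-all and need not be maintained in parallel. Since textrel_shlib_t relaxes a memory-protection control for everything the pattern matches, a one-line comment above the catch-all, e.g. `# vlc plugins require text relocations; one pattern covers both lib trees`, would record that the blanket grant is intentional rather than an accident of regex widening.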
@@ -40087,7 +40215,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -208,6 +215,7 @@ +@@ -198,8 +205,6 @@ + /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/lib64/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -208,6 +213,7 @@ /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -40095,7 +40232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -302,13 +310,8 @@ +@@ -302,13 +308,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40111,7 +40248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -319,14 +322,153 @@ +@@ -319,14 +320,153 @@ /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -40262,7 +40399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/local/lexmark/lxk08/lib(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ ++/usr/lib/vlc/plugins/video_filter/libvideo_filter_wrapper_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/nsr/(.*/)?.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -40966,16 +41103,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ## Read the configuration options used when diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.19/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/modutils.te 2010-08-10 16:41:48.680085643 +0200 -@@ -19,6 +19,7 @@ ++++ serefpolicy-3.7.19/policy/modules/system/modutils.te 2010-11-11 16:53:00.882398885 +0100 +@@ -19,8 +19,12 @@ type insmod_exec_t; application_domain(insmod_t, insmod_exec_t) mls_file_write_all_levels(insmod_t) +mls_process_write_down(insmod_t) role system_r types insmod_t; ++type insmod_tmpfs_t; ++files_tmpfs_file(insmod_tmpfs_t) ++ # module loading config -@@ -56,12 +57,14 @@ + type modules_conf_t; + files_type(modules_conf_t) +@@ -56,12 +60,14 @@ domain_use_interactive_fds(depmod_t) @@ -40990,7 +41132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti fs_getattr_xattr_fs(depmod_t) -@@ -75,6 +78,7 @@ +@@ -75,6 +81,7 @@ # Read System.map from home directories. files_list_home(depmod_t) userdom_read_user_home_content_files(depmod_t) @@ -40998,7 +41140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ifdef(`distro_ubuntu',` optional_policy(` -@@ -105,7 +109,7 @@ +@@ -105,7 +112,7 @@ # insmod local policy # 
@@ -41007,7 +41149,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:udp_socket create_socket_perms; -@@ -126,6 +130,7 @@ +@@ -117,6 +124,9 @@ + list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t) + read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) + ++manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t) ++fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file) ++ + can_exec(insmod_t, insmod_exec_t) + + kernel_load_module(insmod_t) +@@ -126,6 +136,7 @@ kernel_mount_debugfs(insmod_t) kernel_mount_kvmfs(insmod_t) kernel_read_debugfs(insmod_t) @@ -41015,7 +41167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) -@@ -143,6 +148,7 @@ +@@ -143,6 +154,7 @@ dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) @@ -41023,7 +41175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -159,13 +165,17 @@ +@@ -159,13 +171,17 @@ # for locking: (cjp: ????) files_write_kernel_modules(insmod_t) @@ -41041,7 +41193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) -@@ -174,8 +184,7 @@ +@@ -174,8 +190,7 @@ seutil_read_file_contexts(insmod_t) @@ -41051,7 +41203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti userdom_dontaudit_search_user_home_dirs(insmod_t) if( ! secure_mode_insmod ) { -@@ -236,6 +245,10 @@ +@@ -236,6 +251,10 @@ ') optional_policy(` 
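Review bot: The two new rules `manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)` and `fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)` omit the space after each comma that every other call in this file uses (`read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)` two lines above); write them as `manage_files_pattern(insmod_t, insmod_tmpfs_t, insmod_tmpfs_t)` and `fs_tmpfs_filetrans(insmod_t, insmod_tmpfs_t, file)`. Neither the `insmod_tmpfs_t` declaration in the `@@ -40966,16 +41103,21 @@` hunk nor these rules say what insmod stores in tmpfs, and a one-line why-comment on the declaration naming that use would let a later reviewer judge whether the full manage set (including unlink and rename) is needed or a narrower create/write grant would do.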
@@ -41279,7 +41431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.19/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-10-26 13:46:49.368668089 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-11-10 09:36:38.851147626 +0100 @@ -18,8 +18,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -41327,7 +41479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. allow mount_t mount_loopback_t:file read_file_perms; -@@ -47,30 +69,52 @@ +@@ -47,30 +69,53 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) @@ -41373,6 +41525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. files_manage_etc_runtime_files(mount_t) files_etc_filetrans_etc_runtime(mount_t, file) files_mounton_all_mountpoints(mount_t) ++files_setattr_all_mountpoints(mount_t) +# ntfs-3g checks whether the mountpoint is writable before mounting +files_write_all_mountpoints(mount_t) files_unmount_rootfs(mount_t) @@ -41382,7 +41535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. files_mount_all_file_type_fs(mount_t) files_unmount_all_file_type_fs(mount_t) # for when /etc/mtab loses its type -@@ -80,15 +124,19 @@ +@@ -80,15 +125,19 @@ files_read_usr_files(mount_t) files_list_mnt(mount_t) @@ -41405,7 +41558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. mls_file_read_all_levels(mount_t) mls_file_write_all_levels(mount_t) -@@ -99,6 +147,7 @@ +@@ -99,6 +148,7 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) 
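Review bot: `files_setattr_all_mountpoints(mount_t)` is inserted directly above `# ntfs-3g checks whether the mountpoint is writable before mounting`, a comment that explains the following `files_write_all_mountpoints(mount_t)` line, so the new setattr grant has no rationale of its own while appearing to borrow that one. The changelog entry in this commit only restates the rule ("Allow mount to set the attributes of all mount points"); give it its own comment naming the trigger, e.g. `# <reason>: mount needs setattr on mountpoints`, with the actual cause filled in, so each justification sits next to the rule it covers.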
@@ -41413,7 +41566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. term_use_all_terms(mount_t) -@@ -107,6 +156,8 @@ +@@ -107,6 +157,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -41422,7 +41575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. logging_send_syslog_msg(mount_t) -@@ -117,6 +168,12 @@ +@@ -117,6 +169,12 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -41435,7 +41588,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`distro_redhat',` optional_policy(` -@@ -132,10 +189,17 @@ +@@ -132,10 +190,17 @@ ') ') @@ -41453,7 +41606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -165,6 +229,8 @@ +@@ -165,6 +230,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -41462,7 +41615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -172,6 +238,25 @@ +@@ -172,6 +239,25 @@ ') optional_policy(` @@ -41488,7 +41641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -179,6 +264,15 @@ +@@ -179,6 +265,15 @@ ') ') @@ -41504,7 +41657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -186,6 +280,23 @@ +@@ -186,6 +281,23 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -41528,7 +41681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -194,6 +305,42 @@ +@@ -194,6 +306,42 @@ # optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 51461b2..9c10af7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 70%{?dist} +Release: 71%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,14 @@ exit 0 %endif %changelog +* Fri Nov 12 2010 Miroslav Grepl 3.7.19-71 +- Add label for libvideo_filter_wrapper_plugin.so +- Fixes for corosync policy +- Allow mpd to be able to read samba/nfs files +- Allow mount to set the attributes of all mount points +- Add label for faillock directory +- Fix descriptions for allow_httpd_mod_auth_ntlm_winbind + * Tue Nov 2 2010 Miroslav Grepl 3.7.19-70 - Add authlogin_radius boolean - Fixes for certmonger policy