diff --git a/policy-F13.patch b/policy-F13.patch index b18ce38..5439b7f 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -584,7 +584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc +/var/run/epylog\.pid -- gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.19/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/logwatch.te 2010-06-21 10:15:08.013074097 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/logwatch.te 2010-06-28 16:07:02.334150320 +0200 @@ -20,6 +20,9 @@ type logwatch_tmp_t; files_tmp_file(logwatch_tmp_t) @@ -606,6 +606,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc kernel_read_fs_sysctls(logwatch_t) kernel_read_kernel_sysctls(logwatch_t) kernel_read_system_state(logwatch_t) +@@ -93,6 +100,7 @@ + sysnet_exec_ifconfig(logwatch_t) + + userdom_dontaudit_search_user_home_dirs(logwatch_t) ++userdom_dontaudit_list_admin_dir(logwatch_t) + + mta_send_mail(logwatch_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.19/policy/modules/admin/mcelog.te --- nsaserefpolicy/policy/modules/admin/mcelog.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/admin/mcelog.te 2010-05-28 09:41:59.952610471 +0200 
@@ -1925,6 +1933,87 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te optional_policy(` java_domtrans_unconfined(rpm_script_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sectoolm.te serefpolicy-3.7.19/policy/modules/admin/sectoolm.te +--- nsaserefpolicy/policy/modules/admin/sectoolm.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/sectoolm.te 2010-06-28 16:05:26.150150582 +0200 +@@ -85,6 +85,7 @@ + sysnet_domtrans_ifconfig(sectoolm_t) + + userdom_manage_user_tmp_sockets(sectoolm_t) ++userdom_stream_connect(sectoolm_t) + + optional_policy(` + mount_exec(sectoolm_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.7.19/policy/modules/admin/shorewall.if +--- nsaserefpolicy/policy/modules/admin/shorewall.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/shorewall.if 2010-06-28 18:47:53.194150718 +0200 +@@ -37,44 +37,6 @@ + read_files_pattern($1, shorewall_etc_t, shorewall_etc_t) + ') + +-####################################### +-## +-## Read shorewall PID files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`shorewall_read_pid_files',` +- gen_require(` +- type shorewall_var_run_t; +- ') +- +- files_search_pids($1) +- read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) +-') +- +-####################################### +-## +-## Read and write shorewall PID files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`shorewall_rw_pid_files',` +- gen_require(` +- type shorewall_var_run_t; +- ') +- +- files_search_pids($1) +- rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) +-') +- + ###################################### + ## + ## Read shorewall /var/lib files. 
+@@ -134,9 +96,9 @@ + # + interface(`shorewall_admin',` + gen_require(` +- type shorewall_t, shorewall_var_run_t, shorewall_lock_t; ++ type shorewall_t, shorewall_lock_t; + type shorewall_initrc_exec_t, shorewall_var_lib_t; +- type shorewall_tmp_t; ++ type shorewall_tmp_t, shorewall_etc_t; + ') + + allow $1 shorewall_t:process { ptrace signal_perms }; +@@ -153,9 +115,6 @@ + files_search_locks($1) + admin_pattern($1, shorewall_lock_t) + +- files_search_pids($1) +- admin_pattern($1, shorewall_var_run_t) +- + files_search_var_lib($1) + admin_pattern($1, shorewall_var_lib_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.19/policy/modules/admin/shorewall.te --- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/admin/shorewall.te 2010-06-14 20:23:23.332218554 +0200 @@ -6601,8 +6690,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-06-16 18:43:19.954110079 +0200 -@@ -0,0 +1,388 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-06-28 14:07:11.618192152 +0200 +@@ -0,0 +1,389 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -6912,7 +7001,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + +files_dontaudit_getattr_all_dirs(sandbox_web_type) + -+fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type) ++#fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type) ++fs_rw_anon_inodefs_files(sandbox_web_type) +fs_dontaudit_getattr_all_fs(sandbox_web_type) + +storage_dontaudit_rw_fuse(sandbox_web_type) 
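Review bot: shorewall.if deletes `shorewall_read_pid_files` and `shorewall_rw_pid_files` outright, so any module still calling them stops building; refpolicy convention is to leave a stub interface whose body calls refpolicywarn with a deprecation message for a release before removing it. The same hunk drops `shorewall_var_run_t` from the gen_require of `shorewall_admin` and removes its `admin_pattern`, which is only correct if the type is no longer declared in shorewall.te (not part of this hunk). The same pruning pattern appears later in this commit for named_var_lib_t in bind.if, bluetooth_spool_t in bluetooth.if, cgred_etc_t in cgroup.if, cupsd_spool_t in cups.if and dovecot_log_t in dovecot.if; each should be checked against the matching .te so an admin interface does not silently lose management of a type that still exists.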
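Review bot: The sandbox_web_type rule goes from `fs_dontaudit_rw_anon_inodefs_files` to `fs_rw_anon_inodefs_files`, i.e. from silencing denials to actually granting read/write on anon_inodefs, and the old call is left behind as a commented-out line. Delete the commented-out line (the history is in the patch itself) and put a one-line comment above the new rule naming which workload in the sandboxed web domains needs the access, since a permission widening on the sandbox types is the kind of change a later reader will want justified.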
@@ -12775,15 +12865,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt admin_pattern($1, abrt_var_cache_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.19/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-06-15 06:54:27.545609592 +0200 -@@ -1,5 +1,5 @@ ++++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-06-28 16:23:52.388151357 +0200 +@@ -1,11 +1,19 @@ -policy_module(abrt, 1.0.1) +policy_module(abrt, 1.1.0) ######################################## # -@@ -33,13 +33,25 @@ + # Declarations + # + ++## ++##

++## Allow ABRT to modify public files ++## used for public file transfer services. ++##

++##
++gen_tunable(abrt_anon_write, false) ++ + type abrt_t; + type abrt_exec_t; + init_daemon_domain(abrt_t, abrt_exec_t) +@@ -33,13 +41,25 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -12811,7 +12915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt allow abrt_t self:fifo_file rw_fifo_file_perms; allow abrt_t self:tcp_socket create_stream_socket_perms; -@@ -54,20 +66,25 @@ +@@ -54,20 +74,25 @@ manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) logging_log_filetrans(abrt_t, abrt_var_log_t, file) @@ -12839,7 +12943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt kernel_read_ring_buffer(abrt_t) kernel_read_system_state(abrt_t) -@@ -75,25 +92,46 @@ +@@ -75,27 +100,49 @@ corecmd_exec_bin(abrt_t) corecmd_exec_shell(abrt_t) @@ -12888,8 +12992,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +fs_search_all(abrt_t) sysnet_read_config(abrt_t) ++sysnet_dns_name_resolve(abrt_t) -@@ -103,22 +141,121 @@ + logging_read_generic_logs(abrt_t) + logging_send_syslog_msg(abrt_t) +@@ -103,22 +150,125 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -12899,6 +13006,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +userdom_dontaudit_read_admin_home_files(abrt_t) +userdom_dontaudit_read_user_home_content_files(abrt_t) + ++tunable_policy(`abrt_anon_write',` ++ miscfiles_manage_public_files(abrt_t) ++') ++ +optional_policy(` + afs_rw_udp_sockets(abrt_t) +') @@ -12906,10 +13017,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +optional_policy(` + dbus_system_domain(abrt_t, abrt_exec_t) +') - - optional_policy(` -- dbus_connect_system_bus(abrt_t) -- dbus_system_bus_client(abrt_t) ++ ++optional_policy(` + nis_use_ypbind(abrt_t) +') + 
@@ -12924,8 +13033,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + policykit_read_lib(abrt_t) + policykit_read_reload(abrt_t) +') -+ -+optional_policy(` + + optional_policy(` +- dbus_connect_system_bus(abrt_t) +- dbus_system_bus_client(abrt_t) + prelink_exec(abrt_t) + libs_exec_ld_so(abrt_t) + corecmd_exec_all_executables(abrt_t) @@ -13170,7 +13281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.19/policy/modules/services/aiccu.te --- nsaserefpolicy/policy/modules/services/aiccu.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/aiccu.te 2010-06-14 11:26:09.815056510 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/aiccu.te 2010-06-28 16:17:48.423149845 +0200 @@ -0,0 +1,71 @@ + +policy_module(aiccu, 1.0.0) @@ -13241,8 +13352,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc + +modutils_domtrans_insmod(aiccu_t) + ++sysnet_dns_name_resolve(aiccu_t) +sysnet_domtrans_ifconfig(aiccu_t) -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.19/policy/modules/services/aisexec.fc --- nsaserefpolicy/policy/modules/services/aisexec.fc 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.7.19/policy/modules/services/aisexec.fc 2010-05-28 09:42:00.055610771 +0200 
@@ -13540,7 +13651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.19/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-06-09 16:37:21.838505993 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-06-25 15:40:57.982387846 +0200 @@ -13,17 +13,13 @@ # template(`apache_content_template',` @@ -13926,7 +14037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac admin_pattern($1, httpd_tmp_t) admin_pattern($1, httpd_php_tmp_t) admin_pattern($1, httpd_suexec_tmp_t) -+ files_tmp_filetrans($1, httpd_tmp_t, { file dir }) ++# files_tmp_filetrans($1, httpd_tmp_t, { file dir }) + +ifdef(`TODO',` + apache_set_booleans($1, $2, $3, httpd_bool_t ) 
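Review bot: `files_tmp_filetrans($1, httpd_tmp_t, { file dir })` in the apache admin interface is turned into a commented-out line rather than removed, right next to an ifdef TODO block that is already dead code. A commented-out rule in an interface reads as "still wanted"; either drop the line or replace it with a short comment stating why the filetrans is deliberately not granted to the admin domain. The enclosing interface starts before this hunk.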
@@ -14705,6 +14816,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah seutil_sigchld_newrole(avahi_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.19/policy/modules/services/bind.if +--- nsaserefpolicy/policy/modules/services/bind.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/bind.if 2010-06-25 15:40:14.365137939 +0200 +@@ -359,7 +359,7 @@ + interface(`bind_admin',` + gen_require(` + type named_t, named_tmp_t, named_log_t; +- type named_conf_t, named_var_lib_t, named_var_run_t; ++ type named_conf_t, named_var_run_t; + type named_cache_t, named_zone_t; + type dnssec_t, ndc_t; + type named_initrc_exec_t; +@@ -391,9 +391,6 @@ + admin_pattern($1, named_zone_t) + admin_pattern($1, dnssec_t) + +- files_list_var_lib($1) +- admin_pattern($1, named_var_lib_t) +- + files_list_pids($1) + admin_pattern($1, named_var_run_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.7.19/policy/modules/services/bitlbee.te --- nsaserefpolicy/policy/modules/services/bitlbee.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/bitlbee.te 2010-06-09 23:44:39.315208775 +0200 @@ -14731,7 +14864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl sysnet_dns_name_resolve(bitlbee_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.7.19/policy/modules/services/bluetooth.if --- nsaserefpolicy/policy/modules/services/bluetooth.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/bluetooth.if 2010-05-28 09:42:00.066610888 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/bluetooth.if 2010-06-25 15:39:19.963137669 +0200 @@ -117,6 +117,27 @@ ######################################## 
@@ -14760,6 +14893,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue ## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated) ##
## +@@ -194,7 +215,7 @@ + interface(`bluetooth_admin',` + gen_require(` + type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; +- type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t; ++ type bluetooth_var_lib_t, bluetooth_var_run_t; + type bluetooth_conf_t, bluetooth_conf_rw_t; + type bluetooth_initrc_exec_t; + ') +@@ -217,9 +238,6 @@ + admin_pattern($1, bluetooth_conf_t) + admin_pattern($1, bluetooth_conf_rw_t) + +- files_list_spool($1) +- admin_pattern($1, bluetooth_spool_t) +- + files_list_var_lib($1) + admin_pattern($1, bluetooth_var_lib_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.7.19/policy/modules/services/boinc.fc --- nsaserefpolicy/policy/modules/services/boinc.fc 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.7.19/policy/modules/services/boinc.fc 2010-05-28 09:42:00.067610962 +0200 @@ -14772,7 +14924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.if serefpolicy-3.7.19/policy/modules/services/boinc.if --- nsaserefpolicy/policy/modules/services/boinc.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/boinc.if 2010-05-28 09:42:00.067610962 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/boinc.if 2010-06-25 14:56:43.461388526 +0200 @@ -0,0 +1,151 @@ + +## policy for boinc @@ -14919,7 +15071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin + + boinc_initrc_domtrans($1) + domain_system_change_exemption($1) -+ role_transition $2 myboinc_initrc_exec_t system_r; ++ role_transition $2 boinc_initrc_exec_t system_r; + allow $2 system_r; + + files_list_var_lib($1) 
@@ -14927,8 +15079,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te --- nsaserefpolicy/policy/modules/services/boinc.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-06-02 12:11:58.588387262 +0200 -@@ -0,0 +1,97 @@ ++++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-06-28 16:33:50.749151175 +0200 +@@ -0,0 +1,98 @@ + +policy_module(boinc,1.0.0) + @@ -15000,6 +15152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +corenet_tcp_bind_generic_node(boinc_t) +corenet_udp_bind_generic_node(boinc_t) +corenet_tcp_bind_boinc_port(boinc_t) ++corenet_tcp_connect_boinc_port(boinc_t) +corenet_tcp_connect_http_port(boinc_t) +corenet_tcp_connect_http_cache_port(boinc_t) + @@ -15398,8 +15551,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.19/policy/modules/services/certmonger.if --- nsaserefpolicy/policy/modules/services/certmonger.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/certmonger.if 2010-05-28 09:42:00.073610778 +0200 -@@ -0,0 +1,217 @@ ++++ serefpolicy-3.7.19/policy/modules/services/certmonger.if 2010-06-28 14:44:32.157401643 +0200 +@@ -0,0 +1,218 @@ + +## Certificate status monitor and PKI enrollment client + 
@@ -15599,7 +15752,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +# +interface(`certmonger_admin',` + gen_require(` -+ type certmonger_t, certmonger_initrc_exec_t; ++ type certmonger_t, certmonger_initrc_exec_t; ++ type certmonger_var_lib_t, certmonger_var_run_t; + ') + + allow $1 certmonger_t:process { ptrace signal_perms getattr }; @@ -15612,10 +15766,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert + allow $2 system_r; + + files_search_var_lib($1) -+ admin_pattern($1, cermonger_var_lib_t) ++ admin_pattern($1, certmonger_var_lib_t) + + files_search_pids($1) -+ admin_pattern($1, cermonger_var_run_t) ++ admin_pattern($1, certmonger_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.19/policy/modules/services/certmonger.te --- nsaserefpolicy/policy/modules/services/certmonger.te 1970-01-01 01:00:00.000000000 +0100 @@ -15714,8 +15868,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.19/policy/modules/services/cgroup.if --- nsaserefpolicy/policy/modules/services/cgroup.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/cgroup.if 2010-05-28 09:42:00.075610786 +0200 -@@ -0,0 +1,243 @@ ++++ serefpolicy-3.7.19/policy/modules/services/cgroup.if 2010-06-28 18:45:48.968401671 +0200 +@@ -0,0 +1,242 @@ +## libcg is a library that abstracts the control group file system in Linux. +## +##

@@ -15932,7 +16086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro + gen_require(` + type cgred_t, cgconfigparser_t, cgred_var_run_t; + type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t; -+ type cgred_etc_t, cgroup_t, cgroupfs_t; ++ type cgroup_t, cgroupfs_t; + ') + + allow $1 cgconfigparser_t:process { ptrace signal_perms getattr }; @@ -15946,7 +16100,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro + + files_search_etc($1) + admin_pattern($1, cgconfig_etc_t) -+ admin_pattern($1, cgred_etc_t) + + files_list_var($1) + admin_pattern($1, cgred_var_run_t) @@ -16067,7 +16220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +fs_setattr_cgroupfs_files(cgconfigparser_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.19/policy/modules/services/chronyd.if --- nsaserefpolicy/policy/modules/services/chronyd.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/chronyd.if 2010-05-28 09:42:00.077610724 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/chronyd.if 2010-06-28 18:44:16.191151821 +0200 @@ -19,6 +19,24 @@ domtrans_pattern($1, chronyd_exec_t, chronyd_t) ') @@ -16158,9 +16311,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro #################################### ##

## All of the rules required to administrate -@@ -103,3 +179,4 @@ +@@ -75,9 +151,10 @@ + # + interface(`chronyd_admin',` + gen_require(` +- type chronyd_t, chronyd_var_log_t; +- type chronyd_var_run_t, chronyd_var_lib_t; +- type chronyd_initrc_exec_t, chronyd_keys_t; ++ type chronyd_t, chronyd_initrc_exec_t; ++ type chronyd_keys_t, chronyd_var_log_t; ++ type chronyd_var_lib_t, chronyd_var_run_t; ++ type chronyd_tmpfs_t; + ') + + allow $1 chronyd_t:process { ptrace signal_perms }; +@@ -101,5 +178,6 @@ + admin_pattern($1, chronyd_var_run_t) + files_search_tmp($1) - admin_pattern($1, chronyd_tmp_t) +- admin_pattern($1, chronyd_tmp_t) ++ admin_pattern($1, chronyd_tmpfs_t) ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.19/policy/modules/services/chronyd.te @@ -16207,7 +16377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.19/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-06-08 15:32:46.193610434 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-06-28 16:21:55.618400228 +0200 @@ -1,6 +1,13 @@ policy_module(clamav, 1.7.1) 
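Review bot: `admin_pattern($1, chronyd_tmpfs_t)` replaces the chronyd_tmp_t pattern, but the context line just above it, `files_search_tmp($1)`, is kept; that grants search on /tmp, not on tmpfs, so the admin domain may still be unable to reach the files the new pattern covers. The matching search call for a tmpfs-backed type is `fs_search_tmpfs($1)` from kernel/filesystem.if, which should replace or accompany the /tmp search. The enclosing chronyd_admin interface begins before the hunk.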
@@ -16230,15 +16400,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam allow clamd_t self:fifo_file rw_fifo_file_perms; allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow clamd_t self:unix_dgram_socket create_socket_perms; -@@ -177,6 +185,7 @@ +@@ -177,8 +185,11 @@ corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) +corenet_tcp_connect_clamd_port(freshclam_t) corenet_sendrecv_http_client_packets(freshclam_t) ++corecmd_exec_shell(freshclam_t) ++ dev_read_rand(freshclam_t) -@@ -189,10 +198,14 @@ + dev_read_urand(freshclam_t) + +@@ -189,10 +200,14 @@ auth_use_nsswitch(freshclam_t) @@ -16253,7 +16427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam optional_policy(` cron_system_entry(freshclam_t, freshclam_exec_t) ') -@@ -246,6 +259,14 @@ +@@ -246,6 +261,14 @@ mta_send_mail(clamscan_t) @@ -16641,7 +16815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb +/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_cache_t, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.19/policy/modules/services/cobbler.if --- nsaserefpolicy/policy/modules/services/cobbler.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/cobbler.if 2010-06-16 21:29:07.544874309 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cobbler.if 2010-06-25 15:03:23.048137726 +0200 @@ -68,7 +68,7 @@ ######################################## ## 
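Review bot: `corecmd_exec_shell(freshclam_t)` lets the signature-update client, which talks to remote mirrors, run a shell, and the hunk gives no reason for that widening. Presumably it is for the external commands freshclam can be configured to run after an update or on error — confirm, and record the reason in a comment directly above the rule so the grant is not later mistaken for a leftover. As a matter of style the call also belongs ahead of the corenet_ block rather than between it and dev_read_rand, following refpolicy's ordering of calls by module prefix.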
@@ -16660,7 +16834,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb ## an cobblerd environment ## ## -@@ -173,9 +173,11 @@ +@@ -162,6 +162,7 @@ + gen_require(` + type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; + type cobbler_etc_t, cobblerd_initrc_exec_t; ++ type httpd_cobbler_content_rw_t; + ') + + allow $1 cobblerd_t:process { ptrace signal_perms getattr }; +@@ -173,9 +174,11 @@ files_list_var_lib($1) admin_pattern($1, cobbler_var_lib_t) @@ -17752,6 +17934,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.7.19/policy/modules/services/cups.if +--- nsaserefpolicy/policy/modules/services/cups.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cups.if 2010-06-28 18:43:30.174401225 +0200 +@@ -314,7 +314,7 @@ + interface(`cups_admin',` + gen_require(` + type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; +- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t; ++ type cupsd_etc_t, cupsd_log_t; + type cupsd_config_var_run_t, cupsd_lpd_var_run_t; + type cupsd_var_run_t, ptal_etc_t; + type ptal_var_run_t, hplip_var_run_t; +@@ -341,9 +341,6 @@ + + admin_pattern($1, cupsd_lpd_var_run_t) + +- admin_pattern($1, cupsd_spool_t) +- files_list_spool($1) +- + admin_pattern($1, cupsd_tmp_t) + files_list_tmp($1) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.19/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/cups.te 2010-06-01 16:38:46.796222623 +0200 
@@ -18982,6 +19186,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove /var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.7.19/policy/modules/services/dovecot.if +--- nsaserefpolicy/policy/modules/services/dovecot.if 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/dovecot.if 2010-06-25 15:36:57.767137390 +0200 +@@ -93,7 +93,7 @@ + # + interface(`dovecot_admin',` + gen_require(` +- type dovecot_t, dovecot_etc_t, dovecot_log_t; ++ type dovecot_t, dovecot_etc_t; + type dovecot_spool_t, dovecot_var_lib_t; + type dovecot_var_run_t; + +@@ -112,9 +112,6 @@ + files_list_etc($1) + admin_pattern($1, dovecot_etc_t) + +- logging_list_logs($1) +- admin_pattern($1, dovecot_log_t) +- + files_list_spool($1) + admin_pattern($1, dovecot_spool_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-06-08 14:51:46.576610409 +0200 
@@ -20673,6 +20899,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt /var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0) + +/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.19/policy/modules/services/ksmtuned.if +--- nsaserefpolicy/policy/modules/services/ksmtuned.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ksmtuned.if 2010-06-28 14:28:28.265152638 +0200 +@@ -59,8 +59,8 @@ + type ksmtuned_initrc_exec_t; + ') + +- allow $1 ksmtuned_t:process { ptrace signal_perms }; +- ps_process_pattern(ksmtumed_t) ++ allow $1 ksmtuned_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, ksmtuned_t, ksmtuned_t) + + files_list_pids($1) + admin_pattern($1, ksmtuned_var_run_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.19/policy/modules/services/ksmtuned.te --- nsaserefpolicy/policy/modules/services/ksmtuned.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/ksmtuned.te 2010-06-21 21:11:46.923156716 +0200 
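Review bot: The mis-typed `ps_process_pattern(ksmtumed_t)` is replaced by `read_files_pattern($1, ksmtuned_t, ksmtuned_t)` plus process getattr, but the straightforward fix is `ps_process_pattern($1, ksmtuned_t)`, which is what the original line was reaching for and what other admin interfaces use. The hand-rolled form omits the dir list and lnk_file read that ps_process_pattern grants on the domain's /proc entries, so process inspection from the admin domain may still be denied. The enclosing ksmtuned_admin interface begins before the hunk.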
@@ -20925,6 +21165,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc + +sysnet_dns_name_resolve(lircd_t) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.if serefpolicy-3.7.19/policy/modules/services/memcached.if +--- nsaserefpolicy/policy/modules/services/memcached.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/memcached.if 2010-06-25 15:07:20.909137514 +0200 +@@ -59,6 +59,7 @@ + gen_require(` + type memcached_t; + type memcached_initrc_exec_t; ++ type memcached_var_run_t; + ') + + allow $1 memcached_t:process { ptrace signal_perms }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.7.19/policy/modules/services/milter.if --- nsaserefpolicy/policy/modules/services/milter.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/milter.if 2010-05-28 09:42:00.123612272 +0200 @@ -21016,11 +21267,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.fc serefpolicy-3.7.19/policy/modules/services/mpd.fc --- nsaserefpolicy/policy/modules/services/mpd.fc 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/mpd.fc 2010-06-14 18:34:39.866517713 +0200 -@@ -0,0 +1,10 @@ ++++ serefpolicy-3.7.19/policy/modules/services/mpd.fc 2010-06-28 14:07:11.647362394 +0200 +@@ -0,0 +1,11 @@ ++ + ++/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0) + -+/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0) +/etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0) + +/usr/bin/mpd -- gen_context(system_u:object_r:mpd_exec_t,s0) 
@@ -21030,7 +21282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. +/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.if serefpolicy-3.7.19/policy/modules/services/mpd.if --- nsaserefpolicy/policy/modules/services/mpd.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/mpd.if 2010-06-15 17:58:09.853018142 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/mpd.if 2010-06-28 14:07:11.654150869 +0200 @@ -0,0 +1,295 @@ + +## policy for daemon for playing music @@ -21304,7 +21556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. + type mpd_data_t; + type mpd_etc_t; + type mpd_log_t; -+ type mpd_var_lib_t; ++ type mpd_var_lib_t; + ') + + allow $1 mpd_t:process { ptrace signal_perms }; @@ -21316,7 +21568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. + allow $2 system_r; + + admin_pattern($1, mpd_etc_t) -+ files_search_etc($1) ++ files_search_etc($1) + + files_search_var_lib($1) + admin_pattern($1, mpd_var_lib_t) @@ -21329,7 +21581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.te serefpolicy-3.7.19/policy/modules/services/mpd.te --- nsaserefpolicy/policy/modules/services/mpd.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/mpd.te 2010-06-14 18:36:19.117468437 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/mpd.te 2010-06-28 14:07:11.656151016 +0200 @@ -0,0 +1,111 @@ + +policy_module(mpd,1.0.0) @@ -21414,7 +21666,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. + +dev_read_sysfs(mpd_t) + -+files_read_etc_files(mpd_t) +files_read_usr_files(mpd_t) + +fs_getattr_tmpfs(mpd_t) 
@@ -21427,6 +21678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. + +miscfiles_read_localization(mpd_t) + ++userdom_read_home_audio_files(mpd_t) +userdom_read_user_tmpfs_files(mpd_t) + +optional_policy(` @@ -21574,8 +21826,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.19/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/mta.te 2010-06-21 21:28:36.494406812 +0200 -@@ -63,6 +63,9 @@ ++++ serefpolicy-3.7.19/policy/modules/services/mta.te 2010-06-28 17:07:58.819151852 +0200 +@@ -23,6 +23,7 @@ + + type mail_forward_t; + files_type(mail_forward_t) ++userdom_user_home_content(mail_forward_t) + + type mqueue_spool_t; + files_mountpoint(mqueue_spool_t) +@@ -63,6 +64,9 @@ can_exec(system_mail_t, mta_exec_type) @@ -21585,7 +21845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. kernel_read_system_state(system_mail_t) kernel_read_network_state(system_mail_t) kernel_request_load_module(system_mail_t) -@@ -75,10 +78,15 @@ +@@ -75,10 +79,15 @@ selinux_getattr_fs(system_mail_t) @@ -21601,7 +21861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. optional_policy(` apache_read_squirrelmail_data(system_mail_t) -@@ -89,6 +97,7 @@ +@@ -89,6 +98,7 @@ apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) @@ -21609,7 +21869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -100,6 +109,11 @@ +@@ -100,6 +110,11 @@ ') optional_policy(` 
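Review bot: `userdom_user_home_content(mail_forward_t)` gives the .forward type the generic user-home-content attribute, so every interface that manages user home content as a class now also covers mail_forward_t. Because the contents of .forward steer how a user's mail is delivered, that is a wider write surface than a mail_forward-specific interface would grant. If the intent is only to let users maintain their own .forward, say so in a comment above the line and check which domains gain write access through the attribute; the declaration block this touches starts before the hunk.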
@@ -21621,7 +21881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. clamav_stream_connect(system_mail_t) clamav_append_log(system_mail_t) ') -@@ -107,6 +121,9 @@ +@@ -107,6 +122,9 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) @@ -21631,7 +21891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -126,6 +143,7 @@ +@@ -126,6 +144,7 @@ optional_policy(` fail2ban_append_log(system_mail_t) @@ -21639,7 +21899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -142,6 +160,10 @@ +@@ -142,6 +161,10 @@ ') optional_policy(` @@ -21650,7 +21910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. nagios_read_tmp_files(system_mail_t) ') -@@ -185,6 +207,10 @@ +@@ -185,6 +208,10 @@ ') optional_policy(` @@ -21661,7 +21921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. smartmon_read_tmp_files(system_mail_t) ') -@@ -216,6 +242,7 @@ +@@ -216,6 +243,7 @@ create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -22795,7 +23055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.19/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/networkmanager.if 2010-05-28 09:42:00.134610841 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/networkmanager.if 2010-06-28 18:01:28.875149888 +0200 @@ -100,6 +100,27 @@ ######################################## 
@@ -22849,7 +23109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ## Read NetworkManager PID files. ## ## -@@ -134,3 +173,90 @@ +@@ -134,3 +173,89 @@ files_search_pids($1) allow $1 NetworkManager_var_run_t:file read_file_perms; ') @@ -22900,7 +23160,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + role $2 types NetworkManager_t; +') + -+ +####################################### +## +## Allow caller to relabel tun_socket @@ -22942,7 +23201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.19/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2010-06-16 23:01:53.144859835 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2010-06-28 17:38:00.689150486 +0200 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -23124,12 +23383,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -155,23 +212,55 @@ +@@ -155,23 +212,58 @@ ') optional_policy(` - nis_use_ypbind(NetworkManager_t) + ipsec_domtrans_mgmt(NetworkManager_t) ++ ipsec_mgmt_kill(NetworkManager_t) ++ ipsec_mgmt_signal(NetworkManager_t) ++ ipsec_mgmt_signull(NetworkManager_t) +') + +optional_policy(` @@ -23183,7 +23445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -179,12 +268,16 @@ +@@ -179,12 +271,16 @@ ') optional_policy(` 
@@ -23561,6 +23823,167 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslc files_read_etc_files(nslcd_t) auth_use_nsswitch(nslcd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.if serefpolicy-3.7.19/policy/modules/services/ntop.if +--- nsaserefpolicy/policy/modules/services/ntop.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ntop.if 2010-06-28 14:35:14.462401509 +0200 +@@ -1 +1,157 @@ + ## Network Top ++ ++######################################## ++## ++## Execute a domain transition to run ntop. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ntop_domtrans',` ++ gen_require(` ++ type ntop_t, ntop_exec_t; ++ ') ++ ++ domtrans_pattern($1, ntop_exec_t, ntop_t) ++') ++ ++######################################## ++## ++## Execute ntop server in the ntop domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`ntop_initrc_domtrans',` ++ gen_require(` ++ type ntop_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, ntop_initrc_exec_t) ++') ++ ++######################################## ++## ++## Read ntop content in /etc ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ntop_read_config',` ++ gen_require(` ++ type ntop_etc_t; ++ ') ++ ++ read_files_pattern($1, ntop_etc_t, ntop_etc_t); ++ files_search_etc($1) ++') ++ ++######################################## ++## ++## Search ntop dirs in /var/lib ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ntop_search_lib',` ++ gen_require(` ++ type ntop_var_lib_t; ++ ') ++ ++ search_dirs_pattern($1, ntop_var_lib_t, ntop_var_lib_t) ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read ntop files in /var/lib ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`ntop_read_lib_files',` ++ gen_require(` ++ type ntop_var_lib_t; ++ ') ++ ++ read_files_pattern($1, ntop_var_lib_t, ntop_var_lib_t) ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Manage ntop files in /var/lib ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ntop_manage_lib_files',` ++ gen_require(` ++ type ntop_var_lib_t; ++ ') ++ ++ manage_files_pattern($1, ntop_var_lib_t, ntop_var_lib_t) ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an ntop environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`ntop_admin',` ++ gen_require(` ++ type ntop_t, ntop_var_lib_t, ntop_var_run_t; ++ type ntop_etc_t, ntop_initrc_exec_t; ++ type ntop_tmp_t; ++ ') ++ ++ allow $1 ntop_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, ntop_t, ntop_t) ++ ++ files_search_etc($1) ++ admin_pattern($1, ntop_etc_t) ++ ++ files_list_var_lib($1) ++ admin_pattern($1, ntop_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, ntop_var_run_t) ++ ++ admin_pattern($1, ntop_tmp_t) ++ ++ ntop_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 ntop_initrc_exec_t system_r; ++ allow $2 system_r; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.19/policy/modules/services/ntop.te --- nsaserefpolicy/policy/modules/services/ntop.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/ntop.te 2010-05-28 09:42:00.140610931 +0200 
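Review bot: `ntop_read_config` ends its `read_files_pattern($1, ntop_etc_t, ntop_etc_t);` call with a trailing semicolon that no other interface in this hunk uses; drop it, `read_files_pattern($1, ntop_etc_t, ntop_etc_t)`, so the macro expansion does not leave an empty statement behind. `ntop_admin` also grants process visibility with `read_files_pattern($1, ntop_t, ntop_t)` while the other admin interfaces touched by this patch (psad, rpcbind, setroubleshoot) use `ps_process_pattern($1, X_t)`; `ps_process_pattern($1, ntop_t)` would keep the admin interfaces consistent. This hunk begins on the previous physical line.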
@@ -23862,7 +24285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oide diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.19/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/openvpn.te 2010-05-28 09:42:00.147610884 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/openvpn.te 2010-06-28 16:12:48.219149997 +0200 @@ -25,6 +25,9 @@ type openvpn_etc_rw_t; files_config_file(openvpn_etc_rw_t) @@ -23883,7 +24306,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open allow openvpn_t openvpn_var_log_t:file manage_file_perms; logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) -@@ -114,6 +120,7 @@ +@@ -103,6 +109,9 @@ + + auth_use_pam(openvpn_t) + ++init_read_utmp(openvpn_t) ++init_dontaudit_write_utmp(openvpn_t) ++ + logging_send_syslog_msg(openvpn_t) + + miscfiles_read_localization(openvpn_t) +@@ -114,6 +123,7 @@ sysnet_etc_filetrans_config(openvpn_t) userdom_use_user_terminals(openvpn_t) @@ -25230,7 +25663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.19/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2010-05-28 09:42:00.157610567 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2010-06-25 15:34:21.259137720 +0200 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; 
@@ -25574,7 +26007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t; + type postfix_var_run_t; + -+ type postfix_map_tmp, postfix_prng_t, postfix_public_t; ++ type postfix_map_tmp_t, postfix_prng_t, postfix_public_t; + ') + + allow $1 postfix_bounce_t:process { ptrace signal_perms getattr }; @@ -25617,7 +26050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + admin_pattern($1, postfix_var_run_t) + + files_search_tmp($1) -+ admin_pattern($1, postfix_map_tmp) ++ admin_pattern($1, postfix_map_tmp_t) + + admin_pattern($1, postfix_prng_t) + @@ -26157,7 +26590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.7.19/policy/modules/services/psad.if --- nsaserefpolicy/policy/modules/services/psad.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/psad.if 2010-06-16 22:24:51.305109719 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/psad.if 2010-06-25 15:09:49.810137902 +0200 @@ -174,6 +174,26 @@ append_files_pattern($1, psad_var_log_t, psad_var_log_t) ') 
@@ -26185,6 +26618,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad ######################################## ## ## Read and write psad fifo files. +@@ -232,9 +252,9 @@ + # + interface(`psad_admin',` + gen_require(` +- type psad_t, psad_var_run_t, psad_var_log_t; +- type psad_initrc_exec_t, psad_var_lib_t; +- type psad_tmp_t; ++ type psad_t, psad_initrc_exec_t, psad_etc_t; ++ type psad_var_lib_t, psad_var_log_t; ++ type psad_var_run_t, psad_tmp_t; + ') + + allow $1 psad_t:process { ptrace signal_perms }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.7.19/policy/modules/services/psad.te --- nsaserefpolicy/policy/modules/services/psad.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/psad.te 2010-06-03 10:24:19.786161096 +0200 @@ -26598,7 +27044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.te serefpolicy-3.7.19/policy/modules/services/qpidd.te --- nsaserefpolicy/policy/modules/services/qpidd.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/qpidd.te 2010-05-28 09:42:00.165610873 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/qpidd.te 2010-06-28 16:21:33.763401566 +0200 @@ -0,0 +1,61 @@ +policy_module(qpidd,1.0.0) + @@ -26627,7 +27073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid +# qpidd local policy +# + -+allow qpidd_t self:process signull; ++allow qpidd_t self:process { getsched setsched signull }; +allow qpidd_t self:fifo_file rw_fifo_file_perms; +allow qpidd_t self:sem create_sem_perms; +allow qpidd_t self:shm create_shm_perms; 
@@ -28093,6 +28539,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog remotelogin_domtrans(rlogind_t) remotelogin_signal(rlogind_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.7.19/policy/modules/services/rpcbind.if +--- nsaserefpolicy/policy/modules/services/rpcbind.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/rpcbind.if 2010-06-25 15:10:52.796137763 +0200 +@@ -141,7 +141,7 @@ + allow $1 rpcbind_t:process { ptrace signal_perms }; + ps_process_pattern($1, rpcbind_t) + +- init_labeled_script_domtrans($1, rbcbind_initrc_exec_t) ++ init_labeled_script_domtrans($1, rpcbind_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 rpcbind_initrc_exec_t system_r; + allow $2 system_r; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.7.19/policy/modules/services/rpcbind.te --- nsaserefpolicy/policy/modules/services/rpcbind.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/rpcbind.te 2010-06-09 23:09:15.321208553 +0200 @@ -28395,7 +28853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.19/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/samba.if 2010-05-28 09:42:00.179610779 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/samba.if 2010-06-28 18:46:37.808401969 +0200 @@ -62,6 +62,25 @@ ######################################## 
@@ -28567,15 +29025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ## All of the rules required to administrate ## an samba environment ## -@@ -630,6 +759,7 @@ - type nmbd_t, nmbd_var_run_t; - type smbd_t, smbd_tmp_t; - type smbd_var_run_t; -+ type smbd_initrc_exec_t, smbd_spool_t; - - type samba_log_t, samba_var_t; - type samba_etc_t, samba_share_t; -@@ -640,6 +770,7 @@ +@@ -640,6 +769,7 @@ type winbind_var_run_t, winbind_tmp_t; type winbind_log_t; @@ -28583,7 +29033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type samba_initrc_exec_t; ') -@@ -649,6 +780,9 @@ +@@ -649,6 +779,9 @@ allow $1 nmbd_t:process { ptrace signal_perms }; ps_process_pattern($1, nmbd_t) @@ -28593,17 +29043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb samba_run_smbcontrol($1, $2, $3) samba_run_winbind_helper($1, $2, $3) samba_run_smbmount($1, $2, $3) -@@ -674,6 +808,9 @@ - admin_pattern($1, samba_var_t) - files_list_var($1) - -+ admin_pattern($1, smbd_spool_t) -+ files_list_spool($1) -+ - admin_pattern($1, smbd_var_run_t) - files_list_pids($1) - -@@ -689,4 +826,5 @@ +@@ -689,4 +822,5 @@ admin_pattern($1, winbind_tmp_t) admin_pattern($1, winbind_var_run_t) @@ -29166,7 +29606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr +/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.19/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/setroubleshoot.if 2010-05-28 09:42:00.185610799 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/setroubleshoot.if 2010-06-25 15:13:41.144137172 +0200 @@ -16,8 +16,8 @@ ') 
@@ -29288,7 +29728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr +# +interface(`setroubleshoot_admin',` + gen_require(` -+ type setroubleshootd_t, setroubleshoot_log_t; ++ type setroubleshootd_t, setroubleshoot_var_log_t; + type setroubleshoot_var_lib_t, setroubleshoot_var_run_t; + ') + @@ -29296,7 +29736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr + ps_process_pattern($1, setroubleshootd_t) + + logging_list_logs($1) -+ admin_pattern($1, setroubleshoot_log_t) ++ admin_pattern($1, setroubleshoot_var_log_t) + + files_list_var_lib($1) + admin_pattern($1, setroubleshoot_var_lib_t) @@ -30072,7 +30512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +/root/\.shosts gen_context(system_u:object_r:home_ssh_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.19/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2010-05-28 09:42:00.193610685 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2010-06-28 14:23:36.870401349 +0200 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -30233,7 +30673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +# +interface(`ssh_initrc_domtrans',` + gen_require(` -+ type sshdd_initrc_exec_t; ++ type sshd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, sshd_initrc_exec_t) @@ -30331,7 +30771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. + + userdom_search_user_home_dirs($1) + userdom_search_admin_dir($1) -+ admin_pattern($1,ssh_home_t) ++ admin_pattern($1, ssh_home_t) + + files_search_etc($1) + admin_pattern($1,sshd_key_t) 
@@ -30702,7 +31142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.19/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-05-28 09:42:00.200610708 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-06-28 16:27:05.439151006 +0200 @@ -21,6 +21,7 @@ type $1_t, virt_domain; domain_type($1_t) @@ -30711,7 +31151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt role system_r types $1_t; type $1_devpts_t; -@@ -35,9 +36,7 @@ +@@ -35,16 +36,16 @@ type $1_image_t, virt_image_type; files_type($1_image_t) dev_node($1_image_t) @@ -30722,15 +31162,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; term_create_pty($1_t, $1_devpts_t) -@@ -45,6 +44,7 @@ + manage_dirs_pattern($1_t, $1_image_t, $1_image_t) manage_files_pattern($1_t, $1_image_t, $1_image_t) ++ manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t) read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) + rw_chr_files_pattern($1_t, $1_image_t, $1_image_t) rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) -@@ -57,18 +57,6 @@ +@@ -57,18 +58,6 @@ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) @@ -30749,7 +31190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt optional_policy(` xserver_rw_shm($1_t) ') -@@ -171,6 +159,7 @@ +@@ -171,6 +160,7 @@ files_search_etc($1) read_files_pattern($1, virt_etc_t, virt_etc_t) read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) 
@@ -30757,7 +31198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -192,6 +181,7 @@ +@@ -192,6 +182,7 @@ files_search_etc($1) manage_files_pattern($1, virt_etc_t, virt_etc_t) manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) @@ -30765,7 +31206,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -433,15 +423,15 @@ +@@ -306,6 +297,24 @@ + read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + ') + ++####################################### ++## ++## Dontaudit inherited read virt lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_dontaudit_read_lib_files',` ++ gen_require(` ++ type virt_var_lib_t; ++ ') ++ ++ dontaudit $1 virt_var_lib_t:file read_inherited_file_perms; ++') ++ + ######################################## + ## + ## Create, read, write, and delete +@@ -433,15 +442,15 @@ ## ## # @@ -30786,7 +31252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -516,3 +506,32 @@ +@@ -516,3 +525,32 @@ virt_manage_log($1) ') @@ -33954,7 +34420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. /usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.19/policy/modules/system/ipsec.if --- nsaserefpolicy/policy/modules/system/ipsec.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/ipsec.if 2010-06-16 22:59:08.426110312 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/ipsec.if 2010-06-28 18:03:11.725433402 +0200 @@ -18,6 +18,24 @@ domtrans_pattern($1, ipsec_exec_t, ipsec_t) ') 
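Review bot: The summary of the new `virt_dontaudit_read_lib_files` interface, `Dontaudit inherited read virt lib files.`, does not read as a sentence; `Do not audit attempts to read inherited virt lib files.` matches the phrasing of the existing dontaudit interfaces and keeps the word inherited, which matters because the rule body uses `read_inherited_file_perms` rather than plain read. The same wording issue appears in `logging_dontaudit_read_all_logs` later in this patch (`dontaudit Read all log files.` → `Do not audit attempts to read all log files.`).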
@@ -33980,9 +34446,67 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. ######################################## ## ## Connect to IPSEC using a unix domain stream socket. +@@ -273,3 +291,57 @@ + ipsec_domtrans_setkey($1) + role $2 types setkey_t; + ') ++ ++####################################### ++## ++## Send the kill signal to ipsec-mgmt ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipsec_mgmt_kill',` ++ gen_require(` ++ type NetworkManager_t; ++ ') ++ ++ allow $1 ipsec_mgmt_t:process sigkill; ++') ++ ++######################################## ++## ++## Send a generic signal to ipsec-mgmt ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipsec_mgmt_signal',` ++ gen_require(` ++ type ipsec_mgmt_t; ++ ') ++ ++ allow $1 ipsec_mgmt_t:process signal; ++') ++ ++######################################## ++## ++## Send a generic signull to ipsec-mgmt. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipsec_mgmt_signull',` ++ gen_require(` ++ type ipsec-mgmt_t; ++ ') ++ ++ allow $1 ipsec_mgmt_t:process signull; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.19/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-05-28 09:42:00.219610910 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-06-28 17:43:10.957161748 +0200 @@ -73,7 +73,7 @@ # 
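Review bot: `ipsec_mgmt_kill` requires `type NetworkManager_t;` but its only rule targets `ipsec_mgmt_t`, and `ipsec_mgmt_signull` requires `type ipsec-mgmt_t;`, which is not a valid type identifier; both `gen_require` blocks should read `type ipsec_mgmt_t;` as `ipsec_mgmt_signal` between them already does. As written the first leaves `ipsec_mgmt_t` undeclared for callers outside the ipsec module and the second is unlikely to parse, so the `ipsec_mgmt_kill`/`ipsec_mgmt_signull` calls added to networkmanager.te earlier in this patch would probably fail at build time. The `ipsec_mgmt_signull` summary could also become `Send a null signal to ipsec-mgmt.` to match the other two.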
@@ -34001,16 +34525,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -186,7 +188,7 @@ +@@ -186,7 +188,9 @@ allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; dontaudit ipsec_mgmt_t self:capability sys_tty_config; -allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal }; ++# don't audit using of lsof ++dontaudit ipsec_mgmt_t self:capability sys_ptrace; +allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; -@@ -225,7 +227,6 @@ +@@ -225,7 +229,6 @@ manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) 
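Review bot: The added comment `# don't audit using of lsof` above `dontaudit ipsec_mgmt_t self:capability sys_ptrace;` is hard to parse and does not say what is suppressed or why it is suppressed rather than granted; `# lsof invoked from this domain trips CAP_SYS_PTRACE checks; suppress the denials rather than grant the capability` would carry that. It is also worth stating that the `ptrace` permission kept on the `self:process` allow on the next line is a different object class, so the two lines do not conflict.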
@@ -34018,25 +34544,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # whack needs to connect to pluto stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) -@@ -258,7 +259,7 @@ +@@ -258,7 +261,13 @@ domain_use_interactive_fds(ipsec_mgmt_t) # denials when ps tries to search /proc. Do not audit these denials. -domain_dontaudit_list_all_domains_state(ipsec_mgmt_t) +domain_dontaudit_read_all_domains_state(ipsec_mgmt_t) ++ ++domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t) ++domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t) ++ ++dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t) ++dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t) # suppress audit messages about unnecessary socket access # cjp: this seems excessive domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t) -@@ -276,7 +277,7 @@ +@@ -270,19 +279,25 @@ + files_read_usr_files(ipsec_mgmt_t) + files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) + files_dontaudit_getattr_default_files(ipsec_mgmt_t) ++files_dontaudit_getattr_all_files(ipsec_mgmt_t) ++files_dontaudit_getattr_all_sockets(ipsec_mgmt_t) + files_list_tmp(ipsec_mgmt_t) + + fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) -term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t) +term_use_all_terms(ipsec_mgmt_t) ++ ++auth_read_login_records(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) -@@ -291,7 +292,9 @@ + init_use_fds(ipsec_mgmt_t) + init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) ++init_read_utmp(ipsec_mgmt_t) + ++logging_read_all_logs(ipsec_mgmt_t) + logging_send_syslog_msg(ipsec_mgmt_t) + + miscfiles_read_localization(ipsec_mgmt_t) +@@ -291,15 +306,34 @@ seutil_dontaudit_search_config(ipsec_mgmt_t) 
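Review bot: The four new `domain_dontaudit_getattr_all_*` and `dev_dontaudit_getattr_all_*` lines sit directly under `# denials when ps tries to search /proc. Do not audit these denials.`, so that comment now appears to cover them, but stat'ing every socket, pipe and device node is not what ps does and looks like the lsof case handled in the previous hunk. A separate comment above the new block, `# lsof stats every open descriptor; do not audit the getattr noise`, would keep the two cases apart. In the following inner hunk `logging_read_all_logs(ipsec_mgmt_t)` and `auth_read_login_records(ipsec_mgmt_t)` grant read access to every log file and to the login records without saying which file the management scripts need; a why-comment naming it, or a narrower interface once it is known, would make the grant reviewable.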
@@ -34046,7 +34596,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. userdom_use_user_terminals(ipsec_mgmt_t) -@@ -386,6 +389,8 @@ + optional_policy(` ++ dbus_system_bus_client(ipsec_mgmt_t) ++ dbus_connect_system_bus(ipsec_mgmt_t) ++') ++ ++optional_policy(` + consoletype_exec(ipsec_mgmt_t) + ') + + optional_policy(` ++ hostname_exec(ipsec_mgmt_t) ++') ++ ++optional_policy(` ++ iptables_domtrans(ipsec_mgmt_t) ++') ++ ++optional_policy(` ++ networkmanager_dbus_chat(ipsec_mgmt_t) ++') ++ ++optional_policy(` + nscd_socket_use(ipsec_mgmt_t) + ') + +@@ -386,6 +420,8 @@ sysnet_exec_ifconfig(racoon_t) @@ -34055,7 +34630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -412,6 +417,7 @@ +@@ -412,6 +448,7 @@ files_read_etc_files(setkey_t) init_dontaudit_use_fds(setkey_t) @@ -34063,7 +34638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # allow setkey to set the context for ipsec SAs and policy. ipsec_setcontext_default_spd(setkey_t) -@@ -423,3 +429,4 @@ +@@ -423,3 +460,4 @@ seutil_read_config(setkey_t) userdom_use_user_terminals(setkey_t) @@ -34617,7 +35192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.19/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/logging.if 2010-05-28 09:42:00.503610861 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/logging.if 2010-06-28 18:21:14.861150814 +0200 @@ -545,6 +545,25 @@ ######################################## 
@@ -34671,7 +35246,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -@@ -798,7 +835,7 @@ +@@ -739,6 +776,25 @@ + read_files_pattern($1, logfile, logfile) + ') + ++####################################### ++## ++## dontaudit Read all log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`logging_dontaudit_read_all_logs',` ++ gen_require(` ++ attribute logfile; ++ ') ++ ++ dontaudit $1 logfile:file read_file_perms; ++') ++ + ######################################## + ## + ## Execute all log files in the caller domain. +@@ -798,7 +854,7 @@ files_search_var($1) manage_files_pattern($1, logfile, logfile) @@ -34680,7 +35281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -@@ -996,6 +1033,8 @@ +@@ -996,6 +1052,8 @@ manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -34893,8 +35494,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.19/policy/modules/system/miscfiles.fc --- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/miscfiles.fc 2010-06-16 23:04:05.990110101 +0200 -@@ -76,12 +76,16 @@ ++++ serefpolicy-3.7.19/policy/modules/system/miscfiles.fc 2010-06-28 14:07:11.666276142 +0200 +@@ -76,12 +76,18 @@ /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) /var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) 
@@ -34903,6 +35504,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) ++/var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0) ++ /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) /var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) @@ -37876,8 +38479,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.19/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.fc 2010-05-28 09:42:00.524610720 +0200 -@@ -1,4 +1,13 @@ ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.fc 2010-06-28 14:07:11.693150801 +0200 +@@ -1,4 +1,14 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) 
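Review bot: Labelling `/var/spool/abrt-upload(/.*)?` as `public_content_rw_t` puts abrt's upload spool under the generic "daemons may write public content" type, so every domain that is allowed to write `public_content_rw_t` (typically behind the `allow_*_anon_write` booleans) gains write access there too, not only the uploader abrt expects. If that sharing is intended, a one-line comment next to the entry saying which daemon writes the spool would let the next reviewer confirm it; if not, a dedicated abrt type is the narrower choice.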
@@ -37889,12 +38492,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) +HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) +HOME_DIR/local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) ++HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0) +HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-06-14 18:44:14.626468321 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-06-28 16:31:05.602400171 +0200 @@ -30,8 +30,9 @@ ') @@ -38637,11 +39241,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_change_password_template($1) -@@ -735,70 +841,73 @@ +@@ -735,70 +841,74 @@ allow $1_t self:context contains; - kernel_dontaudit_read_system_state($1_t) ++ kernel_dontaudit_list_all_proc($1_usertype) + kernel_dontaudit_read_system_state($1_usertype) - dev_read_sysfs($1_t) @@ -38744,10 +39349,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -830,12 +939,35 @@ +@@ -830,12 +940,38 @@ typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) ++ allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms; ++ dontaudit $1_usertype self:netlink_audit_socket create_socket_perms; ++ + allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; + dontaudit $1_t self:netlink_audit_socket create_socket_perms; + 
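Review bot: In the `@@ -830,12 +940,38 @@` hunk the two new `$1_usertype` rules for `netlink_kobject_uevent_socket` and `netlink_audit_socket` are immediately followed by the identical pair for `$1_t`; if `$1_t` carries the `$1_usertype` attribute, as the surrounding conversions from `$1_t` to `$1_usertype` in this template suggest, the `$1_t` pair is now redundant and the two lines `allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;` and `dontaudit $1_t self:netlink_audit_socket create_socket_perms;` can be dropped. Keeping both leaves the next maintainer to work out which of the two is authoritative.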
@@ -38780,7 +39388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo loadkeys_run($1_t,$1_r) ') ') -@@ -871,45 +1003,83 @@ +@@ -871,45 +1007,83 @@ # auth_role($1_r, $1_t) @@ -38879,7 +39487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -944,7 +1114,7 @@ +@@ -944,7 +1118,7 @@ # # Inherit rules for ordinary users. @@ -38888,7 +39496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_common_user_template($1) ############################## -@@ -953,54 +1123,73 @@ +@@ -953,54 +1127,73 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -38904,7 +39512,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - - ifndef(`enable_mls',` - fs_exec_noxattr($1_t) -- ++ storage_rw_fuse($1_t) + - tunable_policy(`user_rw_noexattrfile',` - fs_manage_noxattr_fs_files($1_t) - fs_manage_noxattr_fs_dirs($1_t) @@ -38915,8 +39524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - storage_raw_read_removable_device($1_t) - ') - ') -+ storage_rw_fuse($1_t) - +- - tunable_policy(`user_dmesg',` - kernel_read_ring_buffer($1_t) - ',` @@ -38957,16 +39565,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + optional_policy(` + gpm_stream_connect($1_usertype) - ') - -- # Run pppd in pppd_t by default for user - optional_policy(` -- ppp_run_cond($1_t,$1_r) ++ ') ++ ++ optional_policy(` + execmem_role_template($1, $1_r, $1_t) - ') - - optional_policy(` -- setroubleshoot_stream_connect($1_t) ++ ') ++ ++ optional_policy(` + java_role_template($1, $1_r, $1_t) + ') + 
@@ -38980,19 +39585,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + optional_policy(` + wine_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + +- # Run pppd in pppd_t by default for user + optional_policy(` +- ppp_run_cond($1_t,$1_r) + postfix_run_postdrop($1_t, $1_r) -+ ') -+ + ') + + # Run pppd in pppd_t by default for user -+ optional_policy(` + optional_policy(` +- setroubleshoot_stream_connect($1_t) + ppp_run_cond($1_t, $1_r) ') ') -@@ -1036,7 +1225,7 @@ +@@ -1036,7 +1229,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -39001,7 +39609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ############################## -@@ -1071,6 +1260,9 @@ +@@ -1071,6 +1264,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -39011,7 +39619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1085,6 +1277,7 @@ +@@ -1085,6 +1281,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -39019,7 +39627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1116,10 +1309,13 @@ +@@ -1116,10 +1313,13 @@ domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -39033,7 +39641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1139,6 +1335,7 @@ +@@ -1139,6 +1339,7 @@ logging_send_syslog_msg($1_t) modutils_domtrans_insmod($1_t) 
@@ -39041,7 +39649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1207,6 +1404,8 @@ +@@ -1207,6 +1408,8 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -39050,7 +39658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1234,6 +1433,7 @@ +@@ -1234,6 +1437,7 @@ seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -39058,7 +39666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo seutil_run_setfiles($1, $2) optional_policy(` -@@ -1272,11 +1472,15 @@ +@@ -1272,11 +1476,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -39074,7 +39682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1387,6 +1591,7 @@ +@@ -1387,6 +1595,7 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -39082,7 +39690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_home($1) ') -@@ -1433,6 +1638,14 @@ +@@ -1433,6 +1642,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -39097,7 +39705,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1448,9 +1661,11 @@ +@@ -1448,9 +1665,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -39109,7 +39717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1507,6 +1722,42 @@ +@@ -1507,6 +1726,42 @@ allow $1 user_home_dir_t:dir relabelto; ') 
@@ -39152,7 +39760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## ## Create directories in the home dir root with -@@ -1581,6 +1832,8 @@ +@@ -1581,6 +1836,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -39161,7 +39769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1595,10 +1848,12 @@ +@@ -1595,10 +1852,12 @@ # interface(`userdom_list_user_home_content',` gen_require(` @@ -39176,7 +39784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1641,6 +1896,24 @@ +@@ -1641,6 +1900,24 @@ ######################################## ## @@ -39201,7 +39809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1692,10 +1965,30 @@ +@@ -1692,10 +1969,30 @@ type user_home_dir_t, user_home_t; ') @@ -39232,7 +39840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## ## Do not audit attempts to read user home files. -@@ -1708,11 +2001,14 @@ +@@ -1708,11 +2005,14 @@ # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -39250,7 +39858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1802,8 +2098,7 @@ +@@ -1802,8 +2102,7 @@ type user_home_dir_t, user_home_t; ') @@ -39260,7 +39868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1815,25 +2110,18 @@ +@@ -1815,25 +2114,18 @@ ## Domain allowed access. ## ## 
@@ -39290,7 +39898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## ## Do not audit attempts to execute user home files. -@@ -1866,6 +2154,7 @@ +@@ -1866,6 +2158,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -39298,7 +39906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2102,6 +2391,25 @@ +@@ -2102,6 +2395,25 @@ ######################################## ## @@ -39324,7 +39932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to list user ## temporary directories. ## -@@ -2218,6 +2526,25 @@ +@@ -2218,6 +2530,25 @@ ######################################## ## @@ -39350,7 +39958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to manage users ## temporary files. ## -@@ -2427,13 +2754,14 @@ +@@ -2427,13 +2758,14 @@ ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -39366,7 +39974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2454,6 +2782,24 @@ +@@ -2454,6 +2786,24 @@ ######################################## ## @@ -39391,7 +39999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Get the attributes of a user domain tty. ## ## -@@ -2747,6 +3093,25 @@ +@@ -2747,6 +3097,25 @@ ######################################## ## @@ -39417,7 +40025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Execute bin_t in the unprivileged user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). -@@ -2787,7 +3152,7 @@ +@@ -2787,7 +3156,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -39426,7 +40034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow unpriv_userdomain $1:process sigchld; ') -@@ -2803,11 +3168,13 @@ +@@ -2803,11 +3172,13 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -39442,7 +40050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2944,7 +3311,7 @@ +@@ -2944,7 +3315,7 @@ type user_tmp_t; ') @@ -39451,7 +40059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2981,6 +3348,7 @@ +@@ -2981,6 +3352,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -39459,7 +40067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3111,3 +3479,702 @@ +@@ -3111,3 +3483,724 @@ allow $1 userdomain:dbus send_msg; ') @@ -40034,6 +40642,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + read_lnk_files_pattern($1, home_cert_t, home_cert_t) +') + ++####################################### ++## ++## Read audio files in the users homedir. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_read_home_audio_files',` ++ gen_require(` ++ type audio_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ allow $1 audio_home_t:dir list_dir_perms; ++ read_files_pattern($1, audio_home_t, audio_home_t) ++ read_lnk_files_pattern($1, audio_home_t, audio_home_t) ++') ++ +######################################## +## +## dontaudit Search getatrr /root files 
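Review bot: In the new userdom_read_home_audio_files interface the directory access is written as a raw `allow $1 audio_home_t:dir list_dir_perms;` while the file and symlink access next to it uses the pattern macros; for consistency with the neighbouring userdom_read_home_certs style it should be `list_dirs_pattern($1, audio_home_t, audio_home_t)`. The summary line `Read audio files in the users homedir.` would read better as `Read audio files in the user's home directory.`. Note that this interface only reaches files that actually carry audio_home_t, which the fc entry applies to the literal HOME_DIR/Music path.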
@@ -40164,7 +40794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.19/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2010-05-28 09:42:00.529612133 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2010-06-28 14:07:11.753148781 +0200 @@ -29,13 +29,6 @@ ## @@ -40210,11 +40840,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_user_home_content(user_home_t) fs_associate_tmpfs(user_home_t) files_associate_tmp(user_home_t) -@@ -97,3 +100,36 @@ +@@ -97,3 +100,40 @@ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) + ++type audio_home_t; ++userdom_user_home_content(audio_home_t) ++ubac_constrained(audio_home_t) ++ +type home_bin_t; +userdom_user_home_content(home_bin_t) +ubac_constrained(home_bin_t) @@ -40263,7 +40897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.19/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/xen.te 2010-05-28 09:42:00.531610673 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/xen.te 2010-06-28 16:10:21.601401352 +0200 @@ -5,6 +5,7 @@ # # Declarations @@ -40297,7 +40931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te kernel_read_kernel_sysctls(xm_t) kernel_read_sysctl(xm_t) kernel_read_xen_state(xm_t) -@@ -438,6 +441,12 @@ +@@ -438,10 +441,17 @@ ') optional_policy(` 
@@ -40310,7 +40944,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te virt_domtrans(xm_t) virt_manage_images(xm_t) virt_manage_config(xm_t) -@@ -454,11 +463,14 @@ + virt_stream_connect(xm_t) ++ virt_dontaudit_read_lib_files(xm_t) + ') + + ######################################## +@@ -454,11 +464,14 @@ kernel_read_xen_state(xm_ssh_t) kernel_write_xen_state(xm_ssh_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index d4d9a49..a3d8785 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 31%{?dist} +Release: 32%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,16 @@ exit 0 %endif %changelog +* Mon Jun 28 2010 Miroslav Grepl 3.7.19-32 +- Allow sectool to connect to users over unix stream socket +- Add label for /var/spool/abrt-upload +- Add audio_home_t type for homedir/Music files +- Allow aiccu to read network config files +- Allow qpidd to setsched +- Allow virt domains to manage svirt_image_t fifo files +- Fixes for NM-openswan +- Fixes for admin interfaces + * Mon Jun 21 2010 Miroslav Grepl 3.7.19-31 - Remove daemons dontaudit to search all dirs - Add support for epylog
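Review bot: The added `virt_dontaudit_read_lib_files(xm_t)` in xen.te hides a denial without saying why xm is expected to touch libvirt's lib files, so if xm later really needs that data the failure will be silent in the audit log. A one-line rationale above it, e.g. `# xm probes libvirt state it does not need; hide the noise rather than allow it`, would record the decision, assuming that is the reason. The `optional_policy(` block this line lives in opens outside the hunk.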