-@@ -62,7 +63,7 @@ +@@ -54,6 +55,9 @@ + type krb5kdc_var_run_t; + files_pid_file(krb5kdc_var_run_t) + ++type krb5_host_rcache_t; ++files_tmp_file(krb5_host_rcache_t) ++ + ######################################## + # + # kadmind local policy +@@ -62,7 +66,7 @@ # Use capabilities. Surplus capabilities may be allowed. allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; dontaudit kadmind_t self:capability sys_tty_config; @@ -5418,7 +5537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb allow kadmind_t self:netlink_route_socket r_netlink_socket_perms; allow kadmind_t self:unix_dgram_socket { connect create write }; allow kadmind_t self:tcp_socket connected_stream_socket_perms; -@@ -91,6 +92,7 @@ +@@ -91,6 +95,7 @@ kernel_read_kernel_sysctls(kadmind_t) kernel_list_proc(kadmind_t) kernel_read_proc_symlinks(kadmind_t) @@ -5426,7 +5545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb corenet_non_ipsec_sendrecv(kadmind_t) corenet_tcp_sendrecv_all_if(kadmind_t) -@@ -117,6 +119,9 @@ +@@ -117,6 +122,9 @@ domain_use_interactive_fds(kadmind_t) files_read_etc_files(kadmind_t) @@ -5436,7 +5555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb libs_use_ld_so(kadmind_t) libs_use_shared_libs(kadmind_t) -@@ -126,6 +131,7 @@ +@@ -126,6 +134,7 @@ miscfiles_read_localization(kadmind_t) sysnet_read_config(kadmind_t) @@ -5444,7 +5563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb userdom_dontaudit_use_unpriv_user_fds(kadmind_t) userdom_dontaudit_search_sysadm_home_dirs(kadmind_t) -@@ -142,6 +148,7 @@ +@@ -142,6 +151,7 @@ optional_policy(` seutil_sigchld_newrole(kadmind_t) @@ -5452,7 +5571,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ') optional_policy(` -@@ -227,6 +234,7 @@ +@@ -156,7 +166,7 @@ + # Use capabilities. Surplus capabilities may be allowed. + allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; + dontaudit krb5kdc_t self:capability sys_tty_config; +-allow krb5kdc_t self:process { setsched getsched signal_perms }; ++allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; + allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; + allow krb5kdc_t self:tcp_socket create_stream_socket_perms; + allow krb5kdc_t self:udp_socket create_socket_perms; +@@ -227,6 +237,7 @@ miscfiles_read_localization(krb5kdc_t) sysnet_read_config(krb5kdc_t) @@ -5460,7 +5588,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t) -@@ -248,3 +256,36 @@ +@@ -243,8 +254,42 @@ + + optional_policy(` + seutil_sigchld_newrole(krb5kdc_t) ++ seutil_read_file_contexts(krb5kdc_t) + ') + optional_policy(` udev_read_db(krb5kdc_t) ') @@ -7148,15 +7282,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-2.6.4/policy/modules/services/rlogin.te --- nsaserefpolicy/policy/modules/services/rlogin.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/rlogin.te 2007-08-07 09:42:35.000000000 -0400 -@@ -64,6 +64,7 @@ ++++ serefpolicy-2.6.4/policy/modules/services/rlogin.te 2007-09-11 09:05:43.000000000 -0400 +@@ -1,5 +1,5 @@ + +-policy_module(rlogin,1.3.0) ++policy_module(rlogin,1.4.0) + + ######################################## + # +@@ -50,7 +50,8 @@ + kernel_read_system_state(rlogind_t) + kernel_read_network_state(rlogind_t) + +-corenet_non_ipsec_sendrecv(rlogind_t) ++corenet_all_recvfrom_unlabeled(rlogind_t) ++corenet_all_recvfrom_netlabel(rlogind_t) + corenet_tcp_sendrecv_all_if(rlogind_t) + corenet_udp_sendrecv_all_if(rlogind_t) + corenet_tcp_sendrecv_all_nodes(rlogind_t) +@@ -63,9 +64,10 @@ + fs_getattr_xattr_fs(rlogind_t) fs_search_auto_mountpoints(rlogind_t) ++auth_use_nsswitch(rlogind_t) auth_domtrans_chk_passwd(rlogind_t) +auth_domtrans_upd_passwd(rlogind_t) auth_rw_login_records(rlogind_t) - auth_use_nsswitch(rlogind_t) +-auth_use_nsswitch(rlogind_t) + + files_read_etc_files(rlogind_t) + files_read_etc_runtime_files(rlogind_t) +@@ -81,7 +83,7 @@ + + miscfiles_read_localization(rlogind_t) + +-seutil_dontaudit_search_config(rlogind_t) ++seutil_read_config(rlogind_t) + + sysnet_read_config(rlogind_t) +@@ -92,7 +94,9 @@ + remotelogin_domtrans(rlogind_t) + + optional_policy(` ++ kerberos_use(rlogind_t) + kerberos_read_keytab(rlogind_t) ++ kerberos_manage_host_rcache(rlogind_t) + ') + + ifdef(`TODO',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-2.6.4/policy/modules/services/rpcbind.fc --- nsaserefpolicy/policy/modules/services/rpcbind.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/rpcbind.fc 2007-08-07 09:42:35.000000000 -0400 @@ -7428,15 +7602,105 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. tunable_policy(`nfs_export_all_ro',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-2.6.4/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/rshd.te 2007-08-07 09:42:35.000000000 -0400 -@@ -44,6 +44,7 @@ ++++ serefpolicy-2.6.4/policy/modules/services/rshd.te 2007-09-11 09:10:41.000000000 -0400 +@@ -11,19 +11,22 @@ + domain_subj_id_change_exemption(rshd_t) + domain_role_change_exemption(rshd_t) + role system_r types rshd_t; ++domain_interactive_fd(rshd_t) + + ######################################## + # + # Local policy + # +-allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override }; ++allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override }; + allow rshd_t self:process { signal_perms fork setsched setpgid setexec }; + allow rshd_t self:fifo_file rw_fifo_file_perms; + allow rshd_t self:tcp_socket create_stream_socket_perms; ++allow rshd_t self:key {search write link}; + + kernel_read_kernel_sysctls(rshd_t) + +-corenet_non_ipsec_sendrecv(rshd_t) ++corenet_all_recvfrom_unlabeled(rshd_t) ++corenet_all_recvfrom_netlabel(rshd_t) + corenet_tcp_sendrecv_generic_if(rshd_t) + corenet_udp_sendrecv_generic_if(rshd_t) + corenet_tcp_sendrecv_all_nodes(rshd_t) +@@ -32,6 +35,8 @@ + corenet_udp_sendrecv_all_ports(rshd_t) + corenet_tcp_bind_all_nodes(rshd_t) + corenet_tcp_bind_rsh_port(rshd_t) ++corenet_tcp_bind_all_rpc_ports(rshd_t) ++corenet_tcp_connect_all_rpc_ports(rshd_t) + corenet_sendrecv_rsh_server_packets(rshd_t) + + dev_read_urand(rshd_t) +@@ -43,31 +48,43 @@ + selinux_compute_relabel_context(rshd_t) selinux_compute_user_contexts(rshd_t) ++auth_use_nsswitch(rshd_t) auth_domtrans_chk_passwd(rshd_t) +auth_domtrans_upd_passwd(rshd_t) ++auth_search_key(rshd_t) ++auth_write_login_records(rshd_t) corecmd_read_bin_symlinks(rshd_t) + files_list_home(rshd_t) + files_read_etc_files(rshd_t) +-files_search_tmp(rshd_t) ++files_manage_generic_tmp_dirs(rshd_t) ++ ++init_rw_utmp(rshd_t) + + libs_use_ld_so(rshd_t) + libs_use_shared_libs(rshd_t) + + logging_send_syslog_msg(rshd_t) ++logging_search_logs(rshd_t) + + miscfiles_read_localization(rshd_t) + + seutil_read_config(rshd_t) + seutil_read_default_contexts(rshd_t) + +-sysnet_read_config(rshd_t) +- + userdom_search_all_users_home_content(rshd_t) + ++optional_policy(` ++ kerberos_use(rshd_t) ++ kerberos_read_keytab(rshd_t) ++ kerberos_manage_host_rcache(rshd_t) ++') ++ + ifdef(`targeted_policy',` + unconfined_domain(rshd_t) + unconfined_shell_domtrans(rshd_t) ++ unconfined_signal(rshd_t) + ') + + tunable_policy(`use_nfs_home_dirs',` +@@ -80,16 +97,3 @@ + fs_read_cifs_symlinks(rshd_t) + ') + +-optional_policy(` +- kerberos_use(rshd_t) +-') +- +-optional_policy(` +- nscd_socket_use(rshd_t) +-') +- +-ifdef(`TODO',` +-optional_policy(` +- allow rshd_t rlogind_tmp_t:file rw_file_perms; +-') +-') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.6.4/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2007-05-07 14:50:57.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/rsync.te 2007-08-07 09:42:35.000000000 -0400 @@ -7539,7 +7803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-2.6.4/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/samba.fc 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/samba.fc 2007-09-11 09:23:35.000000000 -0400 @@ -3,6 +3,7 @@ # /etc # @@ -7548,7 +7812,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb /etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) /etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0) /etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) -@@ -27,6 +28,9 @@ +@@ -14,6 +15,7 @@ + /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) + /usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) + /usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) ++/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) + /usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) + + /usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) +@@ -27,6 +29,9 @@ /var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) /var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) @@ -7560,7 +7832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-2.6.4/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/samba.if 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/samba.if 2007-09-11 09:24:04.000000000 -0400 @@ -177,6 +177,27 @@ ######################################## @@ -7653,7 +7925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ## Allow the specified domain to write to smbmount tcp sockets. ##
+ ##
+## Allow samba to run as the domain controller; add machines to passwd file
+##
+##
-+## Allow samba to be exported read/write.
+ ## Allow samba to export user home directories.
+ ##
++## Export all files on system read only.
+##
-+## Allow samba to be exported read only
++## Export all files on system read-write.
+##
@@ -7760,27 +8088,54 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+##
+ ## Allow samba to export NFS volumes.
+ ##