diff --git a/modules-targeted.conf b/modules-targeted.conf index b57aa71..3002e40 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2313,3 +2313,11 @@ keyboardd = module # # matahari = module + +# Layer: services +# Module: vdagent +# +# vdagent +# +vdagent = module + diff --git a/policy-F14.patch b/policy-F14.patch index 21d24af..6861e8f 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -293,7 +293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 ser .EE diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.9.7/policy/flask/access_vectors --- nsaserefpolicy/policy/flask/access_vectors 2010-10-12 20:42:51.000000000 +0000 -+++ serefpolicy-3.9.7/policy/flask/access_vectors 2011-02-25 17:40:38.916550076 +0000 ++++ serefpolicy-3.9.7/policy/flask/access_vectors 2011-05-27 09:50:12.647196996 +0000 @@ -153,6 +153,8 @@ search rmdir @@ -352,7 +352,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors } class fd -@@ -816,3 +831,33 @@ +@@ -363,6 +378,7 @@ + setbool + setsecparam + setcheckreqprot ++ read_policy + } + + +@@ -816,3 +832,33 @@ class x_keyboard inherits x_device @@ -1401,7 +1409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.9.7/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2010-10-12 20:42:51.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/admin/prelink.te 2011-02-25 17:40:38.998548057 +0000 ++++ serefpolicy-3.9.7/policy/modules/admin/prelink.te 2011-05-27 12:04:41.581208002 +0000 @@ -59,10 +59,11 @@ manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) 
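Review bot: The `read_policy` permission added to the `security` class in the access_vectors hunk (`@@ -352,7 +352,15 @@`) is not referenced by any rule or interface elsewhere in the visible diff, so no domain is granted it yet and the new vector is inert until a policy rule uses it. Whether it is ever checked also depends on the running kernel defining `security:read_policy`; a policy-only permission that the kernel does not know about is simply never evaluated. A short comment beside the new entry, e.g. `# read_policy: kernel-side check for reading the loaded policy; grant only to policy-management domains`, would tell the next maintainer where it came from and that it must stay tightly scoped.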
@@ -1460,16 +1468,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -148,7 +159,7 @@ +@@ -147,8 +158,9 @@ + files_dontaudit_search_all_mountpoints(prelink_cron_system_t) files_read_etc_files(prelink_cron_system_t) files_search_var_lib(prelink_cron_system_t) ++ files_list_mnt(prelink_cron_system_t) - init_exec(prelink_cron_system_t) + init_telinit(prelink_cron_system_t) libs_exec_ld_so(prelink_cron_system_t) -@@ -158,7 +169,14 @@ +@@ -158,7 +170,14 @@ cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t) @@ -1992,7 +2002,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.9.7/policy/modules/admin/shorewall.te --- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-10-12 20:42:51.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/admin/shorewall.te 2011-02-25 17:40:39.030547270 +0000 ++++ serefpolicy-3.9.7/policy/modules/admin/shorewall.te 2011-05-17 15:52:41.041889000 +0000 @@ -58,6 +58,9 @@ manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) @@ -2003,7 +2013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa kernel_read_kernel_sysctls(shorewall_t) kernel_read_network_state(shorewall_t) -@@ -80,13 +83,18 @@ +@@ -80,13 +83,20 @@ init_rw_utmp(shorewall_t) @@ -2015,6 +2025,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa sysnet_domtrans_ifconfig(shorewall_t) -userdom_dontaudit_list_user_home_dirs(shorewall_t) ++userdom_use_inherited_user_ttys(shorewall_t) ++userdom_use_inherited_user_ptys(shorewall_t) +userdom_dontaudit_list_admin_dir(shorewall_t) + +optional_policy(` 
@@ -4771,7 +4783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.9.7/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/apps/mozilla.te 2011-02-25 17:40:39.215542716 +0000 ++++ serefpolicy-3.9.7/policy/modules/apps/mozilla.te 2011-05-11 10:01:42.426771001 +0000 @@ -25,6 +25,7 @@ type mozilla_home_t; typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; @@ -4842,7 +4854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +291,140 @@ +@@ -266,3 +291,144 @@ optional_policy(` thunderbird_domtrans(mozilla_t) ') @@ -4971,6 +4983,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. +') + +optional_policy(` ++ pcscd_stream_connect(mozilla_plugin_t) ++') ++ ++optional_policy(` + pulseaudio_exec(mozilla_plugin_t) + pulseaudio_stream_connect(mozilla_plugin_t) + pulseaudio_setattr_home_dir(mozilla_plugin_t) @@ -6843,8 +6859,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.9.7/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/apps/sandbox.te 2011-04-18 10:24:44.752000002 +0000 -@@ -0,0 +1,480 @@ ++++ serefpolicy-3.9.7/policy/modules/apps/sandbox.te 2011-05-27 12:09:07.899208002 +0000 +@@ -0,0 +1,484 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; 
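Review bot: `pcscd_stream_connect(mozilla_plugin_t)` in the mozilla.te hunk gives every process confined as mozilla_plugin_t an unconditional socket path to the smartcard daemon, with nothing in the hunk saying why. Whether the rest of the mozilla_plugin_t policy gates comparable access behind a boolean is outside this hunk, so it cannot be checked here; if only a specific plugin needs the card reader, a tunable would keep the default surface smaller. At minimum a comment inside the new block, such as `# browser plugins that authenticate with a smartcard talk to pcscd`, should record the motivation.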
@@ -7303,6 +7319,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + udev_read_state(sandbox_web_type) +') + ++optional_policy(` ++ unconfined_dontaudit_rw_shm(sandbox_web_type) ++') ++ +######################################## +# +# sandbox_net_client_t local policy @@ -8116,8 +8136,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.te serefpolicy-3.9.7/policy/modules/apps/userhelper.te --- nsaserefpolicy/policy/modules/apps/userhelper.te 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/apps/userhelper.te 2011-02-25 17:40:39.321540107 +0000 -@@ -6,9 +6,61 @@ ++++ serefpolicy-3.9.7/policy/modules/apps/userhelper.te 2011-05-17 15:09:38.009889000 +0000 +@@ -6,9 +6,63 @@ # attribute userhelper_type; @@ -8154,6 +8174,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp + +corecmd_exec_bin(consolehelper_domain) + ++dev_getattr_all_chr_files(consolehelper_domain) ++ +files_read_config_files(consolehelper_domain) +files_read_usr_files(consolehelper_domain) + @@ -8652,7 +8674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene +/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in 2011-03-18 15:05:56.787630000 +0000 ++++ serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in 2011-05-27 13:54:04.734208002 +0000 @@ -24,6 +24,7 @@ # type tun_tap_device_t; 
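Review bot: `dev_getattr_all_chr_files(consolehelper_domain)` in the userhelper.te hunk is a broad grant (getattr on every character device node, for every domain carrying the consolehelper_domain attribute) with no comment naming the program or denial that motivated it. Broad dev_* rules tend to be kept forever once added, so the reason should be recorded next to the rule, e.g. `# consolehelper stats device nodes on startup — TODO: name the helper that needs this`, so it can be narrowed to a specific device type later.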
@@ -8695,7 +8717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(comsat, udp,512,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) -@@ -96,8 +103,11 @@ +@@ -96,8 +103,12 @@ network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) @@ -8703,11 +8725,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(epmap, tcp,135,s0, udp,135,s0) +network_port(festival, tcp,1314,s0) network_port(fingerd, tcp,79,s0) ++network_port(firebird, tcp,3050,s0) +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -111,7 +121,7 @@ +@@ -111,7 +122,7 @@ network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port 
@@ -8716,11 +8739,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -@@ -125,43 +135,58 @@ +@@ -125,43 +136,59 @@ network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) +network_port(jabber_router, tcp,5347,s0) ++network_port(jboss_management, tcp,4712,s0, udp,4712,s0) network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) +network_port(kerberos_admin, tcp,749,s0) @@ -8779,7 +8803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -176,24 +201,28 @@ +@@ -176,24 +203,28 @@ network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -8812,7 +8836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -203,16 +232,17 @@ +@@ -203,20 +234,22 @@ network_port(ups, tcp,3493,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) 
@@ -8833,7 +8857,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) -@@ -274,5 +304,5 @@ + network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) ++network_port(zented, tcp,1229,s0, udp,1229,s0) + network_port(zope, tcp,8021,s0) + + # Defaults for reserved ports. Earlier portcon entries take precedence; +@@ -274,5 +307,5 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; # Bind to any network address. @@ -8842,7 +8871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.9.7/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/kernel/devices.fc 2011-04-04 18:47:26.703000001 +0000 ++++ serefpolicy-3.9.7/policy/modules/kernel/devices.fc 2011-05-27 11:10:43.059208001 +0000 @@ -17,8 +17,10 @@ /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) 
@@ -8854,7 +8883,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -159,6 +161,7 @@ +@@ -132,6 +134,7 @@ + /dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) + + /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/ati/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) + + /dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) +@@ -159,6 +162,7 @@ /dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) @@ -8862,7 +8899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/pts(/.*)? <> /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -176,13 +179,12 @@ +@@ -176,13 +180,12 @@ /etc/udev/devices -d gen_context(system_u:object_r:device_t,s0) @@ -8878,7 +8915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ifdef(`distro_redhat',` # originally from named.fc -@@ -191,3 +193,8 @@ +@@ -191,3 +194,8 @@ /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') 
@@ -8889,7 +8926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.9.7/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/kernel/devices.if 2011-02-25 17:40:39.342539589 +0000 ++++ serefpolicy-3.9.7/policy/modules/kernel/devices.if 2011-05-27 09:53:49.237196995 +0000 @@ -336,6 +336,24 @@ ######################################## @@ -9015,7 +9052,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Create, delete, read, and write symbolic links in device directories. ## ## -@@ -1088,6 +1178,42 @@ +@@ -916,6 +1006,7 @@ + interface(`dev_getattr_all_chr_files',` + gen_require(` + attribute device_node; ++ type device_t; + ') + + getattr_chr_files_pattern($1, device_t, device_node) +@@ -1088,6 +1179,42 @@ ######################################## ## @@ -9058,7 +9103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Delete all block device files. ## ## -@@ -1350,6 +1476,24 @@ +@@ -1350,6 +1477,24 @@ ######################################## ## @@ -9083,7 +9128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Do not audit attempts to get the attributes of ## the autofs device node. ## -@@ -1595,6 +1739,24 @@ +@@ -1595,6 +1740,24 @@ rw_chr_files_pattern($1, device_t, cpu_device_t) ') @@ -9108,7 +9153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ######################################## ## ## Read and write the the hardware SSL accelerator. -@@ -1977,6 +2139,24 @@ +@@ -1977,6 +2140,24 @@ read_chr_files_pattern($1, device_t, kmsg_device_t) ') 
@@ -9133,7 +9178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ######################################## ## ## Write to the kernel messages device -@@ -3048,24 +3228,6 @@ +@@ -3048,24 +3229,6 @@ ######################################## ## @@ -9158,7 +9203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Get the attributes of the QEMU ## microcode and id interfaces. ## -@@ -3613,6 +3775,24 @@ +@@ -3613,6 +3776,24 @@ ######################################## ## @@ -9183,7 +9228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Get the attributes of sysfs directories. ## ## -@@ -3755,6 +3935,24 @@ +@@ -3755,6 +3936,24 @@ ######################################## ## @@ -9208,7 +9253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Read from pseudo random number generator devices (e.g., /dev/urandom). ## ## -@@ -3924,6 +4122,24 @@ +@@ -3924,6 +4123,24 @@ ######################################## ## @@ -9233,7 +9278,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Mount a usbfs filesystem. ## ## -@@ -4234,11 +4450,10 @@ +@@ -4234,11 +4451,10 @@ # interface(`dev_rw_vhost',` gen_require(` @@ -9249,7 +9294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.9.7/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/kernel/devices.te 2011-02-25 17:40:39.343539564 +0000 ++++ serefpolicy-3.9.7/policy/modules/kernel/devices.te 2011-05-27 10:26:51.808208002 +0000 @@ -56,6 +56,12 @@ type cpu_device_t; dev_node(cpu_device_t) 
@@ -9271,7 +9316,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device # # Type for /dev/lirc -@@ -304,5 +311,5 @@ +@@ -259,6 +266,7 @@ + # + type vhost_device_t; + dev_node(vhost_device_t) ++mls_trusted_object(vhost_device_t) + + # Type for vmware devices. + type vmware_device_t; +@@ -304,5 +312,5 @@ # allow devices_unconfined_type self:capability sys_rawio; @@ -12063,8 +12116,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.9.7/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2010-10-12 20:42:51.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/roles/staff.te 2011-02-25 17:40:39.509535479 +0000 -@@ -8,12 +8,52 @@ ++++ serefpolicy-3.9.7/policy/modules/roles/staff.te 2011-05-27 10:25:17.255208001 +0000 +@@ -8,12 +8,54 @@ role staff_r; userdom_unpriv_user_template(staff) @@ -12084,6 +12137,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +kernel_read_software_raid_state(staff_usertype) +kernel_read_fs_sysctls(staff_usertype) + ++dev_read_cpuid(staff_usertype) ++ +domain_read_all_domains_state(staff_usertype) +domain_getattr_all_domains(staff_usertype) +domain_obj_id_change_exemption(staff_t) @@ -12117,7 +12172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,25 +67,108 @@ +@@ -27,25 +69,108 @@ ') optional_policy(` @@ -12228,7 +12283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t optional_policy(` xserver_role(staff_r, staff_t) -@@ -133,10 +256,6 @@ +@@ -133,10 +258,6 @@ ') optional_policy(` 
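Review bot: `mls_trusted_object(vhost_device_t)` in the devices.te hunk exempts the vhost device from the MLS read/write constraints for every domain that can open it, and the hunk carries no comment explaining why that exemption is needed. Since the rule changes what the MLS policy enforces rather than what the targeted policy allows, the reason (presumably virtualization domains at different levels sharing the device — not verifiable from here) should be written next to it, e.g. `# vhost is shared by virtual machines at multiple MLS levels — TODO confirm`.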
@@ -12580,8 +12635,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.9.7/policy/modules/roles/unconfineduser.if --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/roles/unconfineduser.if 2011-02-25 17:40:39.528535011 +0000 -@@ -0,0 +1,687 @@ ++++ serefpolicy-3.9.7/policy/modules/roles/unconfineduser.if 2011-05-27 12:07:16.060208002 +0000 +@@ -0,0 +1,705 @@ +## Unconfiend user role + +######################################## @@ -13139,6 +13194,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + allow $1 unconfined_t:shm rw_shm_perms; +') + ++####################################### ++## ++## Dontaudit Read and write to unconfined shared memory. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`unconfined_dontaudit_rw_shm',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ dontaudit $1 unconfined_t:shm rw_shm_perms; ++') ++ +######################################## +## +## Read and write to unconfined execmem shared memory. @@ -13271,8 +13344,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.9.7/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/roles/unconfineduser.te 2011-04-18 08:46:14.973000002 +0000 -@@ -0,0 +1,497 @@ ++++ serefpolicy-3.9.7/policy/modules/roles/unconfineduser.te 2011-05-27 12:50:41.279208002 +0000 +@@ -0,0 +1,498 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## 
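Review bot: The banner above the new `unconfined_dontaudit_rw_shm` interface in unconfineduser.if is one character shorter than the others in the file (`#######################################` has 39 `#` where the neighbouring interfaces use 40), and the summary `Dontaudit Read and write to unconfined shared memory.` does not follow the wording used by other dontaudit interfaces on this page. Suggest `########################################` for the banner and `Do not audit attempts to read and write unconfined shared memory.` for the summary, matching the `Do not audit attempts to ...` form used in devices.if.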
@@ -13381,6 +13454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +seutil_run_setsebool(unconfined_t, unconfined_r) +seutil_run_setfiles(unconfined_t, unconfined_r) +seutil_run_semanage(unconfined_t, unconfined_r) ++seutil_run_loadpolicy(unconfined_t, unconfined_r) + +unconfined_domain_noaudit(unconfined_t) + @@ -15542,7 +15616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.9.7/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-10-12 20:42:49.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/apache.te 2011-03-18 15:15:13.372630000 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/apache.te 2011-05-27 14:11:36.477208002 +0000 @@ -18,130 +18,195 @@ # Declarations # @@ -15865,7 +15939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,8 +451,10 @@ +@@ -365,8 +451,11 @@ corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -15873,10 +15947,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_tcp_bind_http_port(httpd_t) corenet_tcp_bind_http_cache_port(httpd_t) +corenet_tcp_bind_ntop_port(httpd_t) ++corenet_tcp_bind_jboss_management_port(httpd_t) corenet_sendrecv_http_server_packets(httpd_t) # Signal self for shutdown corenet_tcp_connect_http_port(httpd_t) -@@ -378,12 +466,12 @@ +@@ -378,12 +467,12 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) 
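Review bot: `corenet_tcp_bind_jboss_management_port(httpd_t)` in the apache.te hunk lets every httpd_t instance bind the newly defined jboss_management port (tcp/udp 4712 in the corenetwork.te.in hunk earlier on this page) unconditionally, next to the generic http and http_cache binds. If only JBoss deployments need it, a tunable or an optional_policy block would keep plain Apache installs from being able to listen there; otherwise a comment such as `# jboss management console runs inside httpd_t` should record why it is granted to all of httpd_t.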
@@ -15892,7 +15967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac domain_use_interactive_fds(httpd_t) -@@ -400,8 +488,13 @@ +@@ -400,8 +489,16 @@ files_read_etc_files(httpd_t) # for tomcat files_read_var_lib_symlinks(httpd_t) @@ -15902,11 +15977,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +# php uploads a file to /tmp and then execs programs to acton them +manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) +manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) ++manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) ++manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) ++manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) +files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file }) libs_read_lib_files(httpd_t) -@@ -416,34 +509,73 @@ +@@ -416,34 +513,75 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -15944,6 +16022,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + corenet_sendrecv_mssql_client_packets(httpd_t) + corenet_tcp_connect_oracle_port(httpd_t) + corenet_sendrecv_oracle_client_packets(httpd_t) ++ corenet_tcp_connect_firebird_port(httpd_t) ++ corenet_sendrecv_firebird_client_packets(httpd_t) +') + +tunable_policy(`httpd_can_network_memcache',` @@ -15982,7 +16062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,6 +588,10 @@ +@@ -456,6 +594,10 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) 
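Review bot: The three new `manage_*_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)` rules in the apache.te hunk grant sock/lnk/fifo management on httpd_tmp_t, but the adjacent `files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })` labels objects the script domain creates in /tmp as httpd_sys_rw_content_t. If scripts' /tmp objects really get httpd_sys_rw_content_t, the new httpd_tmp_t rules will not cover them and the denials the patch is presumably fixing will persist; if httpd_tmp_t is the intended label, the filetrans target looks wrong. Please confirm which label is intended and make the two agree; a comment above the block, e.g. `# script-created /tmp objects are labeled <type> — keep filetrans and manage rules in sync`, would prevent the next drift.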
@@ -15993,7 +16073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -466,15 +602,28 @@ +@@ -466,15 +608,28 @@ corenet_tcp_bind_ftp_port(httpd_t) ') @@ -16024,7 +16104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +633,16 @@ +@@ -484,7 +639,16 @@ # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -16041,7 +16121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_ssi_exec',` -@@ -500,8 +658,10 @@ +@@ -500,8 +664,10 @@ # are dontaudited here. tunable_policy(`httpd_tty_comm',` userdom_use_user_terminals(httpd_t) @@ -16052,7 +16132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -513,7 +673,13 @@ +@@ -513,7 +679,13 @@ ') optional_policy(` @@ -16067,7 +16147,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -528,7 +694,19 @@ +@@ -528,7 +700,19 @@ daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -16088,7 +16168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +715,13 @@ +@@ -537,8 +721,13 @@ ') optional_policy(` @@ -16103,7 +16183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -556,7 +739,13 @@ +@@ -556,7 +745,13 @@ ') optional_policy(` 
@@ -16117,7 +16197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +756,7 @@ +@@ -567,6 +762,7 @@ optional_policy(` nagios_read_config(httpd_t) @@ -16125,7 +16205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -577,6 +767,16 @@ +@@ -577,6 +773,16 @@ ') optional_policy(` @@ -16142,7 +16222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +791,11 @@ +@@ -591,6 +797,11 @@ ') optional_policy(` @@ -16154,7 +16234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +808,11 @@ +@@ -603,6 +814,11 @@ yam_read_content(httpd_t) ') @@ -16166,7 +16246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache helper local policy -@@ -618,6 +828,10 @@ +@@ -618,6 +834,10 @@ userdom_use_user_terminals(httpd_helper_t) @@ -16177,7 +16257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -654,28 +868,29 @@ +@@ -654,28 +874,31 @@ userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -16198,6 +16278,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + corenet_sendrecv_mssql_client_packets(httpd_php_t) + corenet_tcp_connect_oracle_port(httpd_php_t) + corenet_sendrecv_oracle_client_packets(httpd_php_t) ++ corenet_tcp_connect_firebird_port(httpd_php_t) ++ corenet_sendrecv_firebird_client_packets(httpd_php_t) ') optional_policy(` 
@@ -16220,7 +16302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -699,17 +914,22 @@ +@@ -699,17 +922,22 @@ manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -16246,7 +16328,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +960,26 @@ +@@ -740,13 +968,28 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -16255,6 +16337,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + corenet_sendrecv_mssql_client_packets(httpd_suexec_t) + corenet_tcp_connect_oracle_port(httpd_suexec_t) + corenet_sendrecv_oracle_client_packets(httpd_suexec_t) ++ corenet_tcp_connect_firebird_port(httpd_suexec_t) ++ corenet_sendrecv_firebird_client_packets(httpd_suexec_t) +') + +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) @@ -16274,7 +16358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1002,25 @@ +@@ -769,6 +1012,25 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -16300,7 +16384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -791,10 +1043,15 @@ +@@ -791,10 +1053,15 @@ files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) @@ -16316,7 +16400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,6 +1060,37 @@ +@@ -803,6 +1070,39 @@ mta_send_mail(httpd_sys_script_t) ') 
@@ -16331,6 +16415,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) + corenet_tcp_connect_oracle_port(httpd_sys_script_t) + corenet_sendrecv_oracle_client_packets(httpd_sys_script_t) ++ corenet_tcp_connect_firebird_port(httpd_sys_script_t) ++ corenet_sendrecv_firebird_client_packets(httpd_sys_script_t) +') + +fs_cifs_entry_type(httpd_sys_script_t) @@ -16354,7 +16440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; -@@ -822,14 +1110,29 @@ +@@ -822,14 +1122,29 @@ ') tunable_policy(`httpd_enable_homedirs',` @@ -16385,7 +16471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1145,20 @@ +@@ -842,10 +1157,20 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -16406,7 +16492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -891,11 +1204,21 @@ +@@ -891,11 +1216,21 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; 
@@ -16616,7 +16702,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste init_labeled_script_domtrans($1, asterisk_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.9.7/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2010-10-12 20:42:49.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/asterisk.te 2011-02-25 17:40:39.637532328 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/asterisk.te 2011-05-27 11:25:00.733208002 +0000 +@@ -39,7 +39,7 @@ + # + + # dac_override for /var/run/asterisk +-allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin }; ++allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin }; + dontaudit asterisk_t self:capability sys_tty_config; + allow asterisk_t self:process { getsched setsched signal_perms getcap setcap }; + allow asterisk_t self:fifo_file rw_fifo_file_perms; @@ -77,9 +77,10 @@ files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file) @@ -16648,7 +16743,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste dev_rw_generic_usb_dev(asterisk_t) dev_read_sysfs(asterisk_t) -@@ -147,6 +151,10 @@ +@@ -123,6 +127,7 @@ + # demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm + # are labeled usr_t + files_read_usr_files(asterisk_t) ++files_dontaudit_search_home(asterisk_t) + + fs_getattr_all_fs(asterisk_t) + fs_list_inotifyfs(asterisk_t) +@@ -139,6 +144,10 @@ + userdom_dontaudit_search_user_home_dirs(asterisk_t) + + optional_policy(` ++ alsa_read_rw_config(asterisk_t) ++') ++ ++optional_policy(` + mysql_stream_connect(asterisk_t) + ') + +@@ -147,6 +156,10 @@ ') optional_policy(` 
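Review bot: The asterisk.te hunk adds `chown` to asterisk_t's capability set, but the comment directly above the rule still reads `# dac_override for /var/run/asterisk` and says nothing about chown. CAP_CHOWN is a distinct privilege (changing file ownership), so the comment should name what asterisk chowns and where, e.g. `# dac_override for /var/run/asterisk; chown for <path asterisk reowns — TODO fill in>`, so the capability can be reviewed against a concrete need later.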
@@ -17248,8 +17362,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.9.7/policy/modules/services/boinc.te --- nsaserefpolicy/policy/modules/services/boinc.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/boinc.te 2011-02-25 17:40:39.658531811 +0000 -@@ -0,0 +1,169 @@ ++++ serefpolicy-3.9.7/policy/modules/services/boinc.te 2011-05-27 11:13:45.949208002 +0000 +@@ -0,0 +1,173 @@ +policy_module(boinc, 1.0.0) + +######################################## @@ -17362,6 +17476,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin + +mta_send_mail(boinc_t) + ++optional_policy(` ++ xserver_dontaudit_stream_connect(boinc_t) ++ xserver_dontaudit_read_xdm_pid(boinc_t) ++') +######################################## +# +# boinc-projects local policy @@ -17818,7 +17936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs. interface(`ccs_domtrans',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.9.7/policy/modules/services/ccs.te --- nsaserefpolicy/policy/modules/services/ccs.te 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/ccs.te 2011-02-25 17:40:39.689531049 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/ccs.te 2011-05-27 10:24:07.887208001 +0000 @@ -61,7 +61,7 @@ manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir }) 
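Review bot: The closing `')` of the new `xserver_dontaudit_*` optional_policy block runs straight into the `########################################` banner of the `boinc-projects local policy` section with no separating blank line, unlike the other blocks in this file (`mta_send_mail(boinc_t)` is followed by one). Add an empty added line after the `')` so the section divider stays visually separate. Since the inner header in the first hunk was already bumped from `+1,169` to `+1,173` for the four new lines, a fifth line means it must become `+1,174`.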
@@ -17828,7 +17946,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs. manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir }) -@@ -107,7 +107,7 @@ +@@ -97,6 +97,7 @@ + files_read_etc_runtime_files(ccs_t) + + init_rw_script_tmp_files(ccs_t) ++init_signal(ccs_t) + + logging_send_syslog_msg(ccs_t) + +@@ -107,7 +108,7 @@ userdom_manage_unpriv_user_shared_mem(ccs_t) userdom_manage_unpriv_user_semaphores(ccs_t) @@ -17837,7 +17963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs. corecmd_dontaudit_write_bin_dirs(ccs_t) files_manage_isid_type_files(ccs_t) ') -@@ -118,5 +118,10 @@ +@@ -118,5 +119,10 @@ ') optional_policy(` @@ -18098,7 +18224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro domain_system_change_exemption($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.9.7/policy/modules/services/cgroup.te --- nsaserefpolicy/policy/modules/services/cgroup.te 2010-10-12 20:42:48.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/cgroup.te 2011-02-25 17:40:39.694530924 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/cgroup.te 2011-05-27 10:35:25.464208001 +0000 @@ -16,14 +16,17 @@ type cgred_initrc_exec_t; init_script_file(cgred_initrc_exec_t) 
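Review bot: `init_signal(ccs_t)` lets the ccs daemon send generic signals to init (PID 1) — the interface, added to init.if in a later hunk of this patch, grants `init_t:process signal` — and nothing in the hunk says which signal or event requires that. A short comment such as `# ccs signals init (which signal / why — fill in)` above the call would let a later reviewer judge whether a narrower permission (for example `signull`) would suffice. This hunk also appears to build only together with the init.if hunk, since `init_signal` looks like it is introduced by this same patch. The ccs_t rule block containing these lines starts before the hunk.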
@@ -18161,6 +18287,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro # rc script creates pid file manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) +@@ -86,6 +93,8 @@ + + kernel_read_system_state(cgred_t) + ++mcs_file_read_all(cgred_t) ++ + domain_read_all_domains_state(cgred_t) + domain_setpriority_all_domains(cgred_t) + +@@ -97,6 +106,8 @@ + + fs_write_cgroup_files(cgred_t) + ++auth_use_nsswitch(cgred_t) ++ + logging_send_syslog_msg(cgred_t) + + miscfiles_read_localization(cgred_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.9.7/policy/modules/services/chronyd.if --- nsaserefpolicy/policy/modules/services/chronyd.if 2010-10-12 20:42:48.000000000 +0000 +++ serefpolicy-3.9.7/policy/modules/services/chronyd.if 2011-02-25 17:40:39.694530924 +0000 @@ -18790,7 +18934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb -/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.9.7/policy/modules/services/cobbler.if --- nsaserefpolicy/policy/modules/services/cobbler.if 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/cobbler.if 2011-02-25 17:40:39.762529251 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/cobbler.if 2011-05-27 10:36:05.207208000 +0000 @@ -1,12 +1,12 @@ ## Cobbler installation server. ## 
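Review bot: `mcs_file_read_all(cgred_t)` in the first hunk is a broad MCS override — it lets cgred read files regardless of their MCS categories — and the hunk gives no motivation for it. Record the denial that prompted it in a comment, e.g. `# cgrulesengd reads /proc/<pid> of categorised processes — confirm`, so the override can be re-evaluated when the daemon changes rather than surviving by default. `auth_use_nsswitch(cgred_t)` in the second hunk is the usual way to resolve user and group names and needs no comment. The cgred_t rule block these lines belong to starts before this hunk.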
@@ -18887,15 +19031,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb files_search_var_lib($1) ') -@@ -119,6 +121,7 @@ +@@ -118,7 +120,9 @@ + type cobbler_var_lib_t; ') ++ allow $1 cobbler_var_lib_t:dir list_dir_perms; read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) files_search_var_lib($1) ') -@@ -137,12 +140,33 @@ +@@ -137,12 +141,33 @@ type cobbler_var_lib_t; ') @@ -18929,7 +19075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb ## All of the rules required to administrate ## an cobblerd environment ## -@@ -161,25 +185,34 @@ +@@ -161,25 +186,34 @@ interface(`cobblerd_admin',` gen_require(` type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; @@ -27747,12 +27893,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.9.7/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/munin.fc 2011-02-25 17:40:40.187518789 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/munin.fc 2011-05-27 11:59:56.833208002 +0000 
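Review bot: The new `allow $1 cobbler_var_lib_t:dir list_dir_perms;` is written as a raw allow while the neighbouring lines use the pattern macros (`read_files_pattern`, `read_lnk_files_pattern`); for consistency it could be `list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)`. The interface whose body this is starts before the hunk, so its summary is not visible — if it still only says the directory content is read, the summary should be updated to mention that the directory can now also be listed.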
@@ -51,6 +51,7 @@ /usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -+/usr/share/munin/plugins/munin_* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) @@ -29097,7 +29243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. init_labeled_script_domtrans($1, ntpd_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.9.7/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/ntp.te 2011-02-25 17:40:40.225517854 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/ntp.te 2011-05-27 10:50:03.042208002 +0000 @@ -96,9 +96,12 @@ dev_read_sysfs(ntpd_t) # for SSP @@ -29111,6 +29257,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. term_use_ptmx(ntpd_t) +@@ -148,6 +151,10 @@ + ') + + optional_policy(` ++ samba_read_config(ntpd_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(ntpd_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.9.7/policy/modules/services/nx.if --- nsaserefpolicy/policy/modules/services/nx.if 2010-10-12 20:42:49.000000000 +0000 +++ serefpolicy-3.9.7/policy/modules/services/nx.if 2011-02-25 17:40:40.226517829 +0000 
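Review bot: `samba_read_config(ntpd_t)` in the ntp.te hunk carries no comment saying why a time daemon reads Samba's configuration; presumably this is for ntpd's Samba signing support (the `ntpsigndsocket` option), but that should be confirmed and written down, e.g. `# ntpd reads smb.conf for the ntp_signd socket path — confirm`. Unexplained cross-service read grants tend to outlive the need that introduced them, so a one-line why-comment is the cheapest safeguard. The ntpd_t rule block these lines belong to starts before the hunk.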
@@ -31195,7 +31352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.9.7/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2010-10-12 20:42:49.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/postfix.if 2011-04-05 17:25:41.674000001 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/postfix.if 2011-05-27 10:36:58.289208002 +0000 @@ -35,7 +35,7 @@ role system_r types postfix_$1_t; @@ -31222,7 +31379,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_read_usr_symlinks(postfix_$1_t) files_search_spool(postfix_$1_t) files_getattr_tmp_dirs(postfix_$1_t) -@@ -272,7 +273,8 @@ +@@ -160,6 +161,8 @@ + + typeattribute postfix_$1_t postfix_user_domains; + ++ application_domain(postfix_$1_t, postfix_$1_exec_t) ++ + allow postfix_$1_t self:capability dac_override; + + domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) +@@ -272,7 +275,8 @@ type postfix_local_t; ') @@ -31232,7 +31398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ######################################## -@@ -290,7 +292,8 @@ +@@ -290,7 +294,8 @@ type postfix_master_t; ') @@ -31242,7 +31408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ######################################## -@@ -376,6 +379,25 @@ +@@ -376,6 +381,25 @@ domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) ') @@ -31268,7 +31434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## ## ## Execute the master postfix program in the -@@ -404,7 +426,6 @@ +@@ -404,7 +428,6 @@ ## Domain allowed access. ## ## 
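Review bot: `application_domain(postfix_$1_t, postfix_$1_exec_t)` is added to the postfix user-domain template without a comment, and the template's earlier declarations are outside this hunk, so whether the domain already receives its domain and entry-file attributes from the daemon setup above (making part of this call a harmless re-declaration) cannot be checked here. A line such as `# postfix programs users run directly are application domains` above the call would record the intent. The template containing this body starts before the hunk.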
@@ -31276,7 +31442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # interface(`postfix_stream_connect_master',` gen_require(` -@@ -414,6 +435,24 @@ +@@ -414,6 +437,24 @@ stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t) ') @@ -31301,7 +31467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## ## ## Execute the master postdrop in the -@@ -529,6 +568,25 @@ +@@ -529,6 +570,25 @@ ######################################## ## @@ -31327,7 +31493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Search postfix mail spool directories. ## ## -@@ -539,10 +597,10 @@ +@@ -539,10 +599,10 @@ # interface(`postfix_search_spool',` gen_require(` @@ -31340,7 +31506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_search_spool($1) ') -@@ -558,10 +616,10 @@ +@@ -558,10 +618,10 @@ # interface(`postfix_list_spool',` gen_require(` @@ -31353,7 +31519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_search_spool($1) ') -@@ -577,11 +635,11 @@ +@@ -577,11 +637,11 @@ # interface(`postfix_read_spool_files',` gen_require(` @@ -31367,7 +31533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ######################################## -@@ -596,11 +654,11 @@ +@@ -596,11 +656,11 @@ # interface(`postfix_manage_spool_files',` gen_require(` @@ -31381,7 +31547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ######################################## -@@ -621,3 +679,103 @@ +@@ -621,3 +681,103 @@ typeattribute $1 postfix_user_domtrans; ') 
@@ -34735,8 +34901,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.9.7/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/rhcs.te 2011-04-11 08:55:38.770000002 +0000 -@@ -6,13 +6,15 @@ ++++ serefpolicy-3.9.7/policy/modules/services/rhcs.te 2011-05-27 10:38:03.562208002 +0000 +@@ -6,13 +6,22 @@ # ## @@ -34749,13 +34915,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs ## gen_tunable(fenced_can_network_connect, false) ++## ++##

++## Allow fenced domain to execute ssh. ++##

++##
++gen_tunable(fenced_can_ssh, false) ++ attribute cluster_domain; +attribute cluster_tmpfs; +attribute cluster_pid; rhcs_domain_template(dlm_controld) -@@ -24,6 +26,9 @@ +@@ -24,6 +33,9 @@ type fenced_tmp_t; files_tmp_file(fenced_tmp_t) @@ -34765,7 +34938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs rhcs_domain_template(gfs_controld) rhcs_domain_template(groupd) -@@ -33,6 +38,10 @@ +@@ -33,6 +45,10 @@ type qdiskd_var_lib_t; files_type(qdiskd_var_lib_t) @@ -34776,7 +34949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs ##################################### # # dlm_controld local policy -@@ -55,20 +64,17 @@ +@@ -55,20 +71,17 @@ init_rw_script_tmp_files(dlm_controld_t) @@ -34799,7 +34972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs can_exec(fenced_t, fenced_exec_t) -@@ -82,7 +88,10 @@ +@@ -82,8 +95,12 @@ stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -34808,24 +34981,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs corecmd_exec_bin(fenced_t) +corecmd_exec_shell(fenced_t) ++corenet_tcp_bind_zented_port(fenced_t) corenet_tcp_connect_http_port(fenced_t) -@@ -104,9 +113,13 @@ - corenet_tcp_connect_all_ports(fenced_t) + dev_read_sysfs(fenced_t) +@@ -105,8 +122,24 @@ ') + optional_policy(` ++ tunable_policy(`fenced_can_ssh',` ++ ++ allow fenced_t self:capability { setuid setgid }; ++ ++ corenet_tcp_connect_ssh_port(fenced_t) ++ ++ ssh_exec(fenced_t) ++ ssh_read_user_home_files(fenced_t) ++ ') ++') ++ +# needed by fence_scsi +optional_policy(` + corosync_exec(fenced_t) +') + - optional_policy(` ++optional_policy(` ccs_read_config(fenced_t) - ccs_stream_connect(fenced_t) ') optional_policy(` -@@ -116,11 +129,30 @@ +@@ -116,11 +149,30 @@ ###################################### # 
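Review bot: The description of the new `fenced_can_ssh` tunable (`Allow fenced domain to execute ssh.`) understates what enabling it grants: the matching tunable_policy block for fenced_can_ssh in the later hunk on this line also gives `fenced_t` the `setuid setgid` capabilities and, through `ssh_read_user_home_files(fenced_t)`, read access to every user's ssh home content, which is where private keys live. Say so in the tunable text, e.g. `Allow fenced to run ssh (also grants setuid/setgid and read access to users' ssh home files).`, so an administrator flipping the boolean can weigh it. If the fence agent only needs one dedicated key, a grant narrower than all users' ssh home files would be preferable — worth confirming against where the agent actually keeps its key. The empty line directly after the tunable_policy opener is also inconsistent with the surrounding blocks.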
@@ -34857,7 +35043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs allow gfs_controld_t self:shm create_shm_perms; allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -139,10 +171,6 @@ +@@ -139,10 +191,6 @@ init_rw_script_tmp_files(gfs_controld_t) optional_policy(` @@ -34868,7 +35054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) ') -@@ -154,9 +182,10 @@ +@@ -154,9 +202,10 @@ allow groupd_t self:capability { sys_nice sys_resource }; allow groupd_t self:process setsched; @@ -34880,7 +35066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs dev_list_sysfs(groupd_t) files_read_etc_files(groupd_t) -@@ -168,8 +197,7 @@ +@@ -168,8 +217,7 @@ # qdiskd local policy # @@ -34890,7 +35076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs allow qdiskd_t self:tcp_socket create_stream_socket_perms; allow qdiskd_t self:udp_socket create_socket_perms; -@@ -199,6 +227,8 @@ +@@ -199,6 +247,8 @@ files_dontaudit_getattr_all_pipes(qdiskd_t) files_read_etc_files(qdiskd_t) @@ -34899,7 +35085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs storage_raw_read_removable_device(qdiskd_t) storage_raw_write_removable_device(qdiskd_t) storage_raw_read_fixed_disk(qdiskd_t) -@@ -207,10 +237,6 @@ +@@ -207,10 +257,6 @@ auth_use_nsswitch(qdiskd_t) optional_policy(` @@ -34910,7 +35096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs netutils_domtrans_ping(qdiskd_t) ') -@@ -223,18 +249,28 @@ +@@ -223,18 +269,28 @@ # rhcs domains common policy # 
@@ -36743,8 +36929,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.9.7/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2010-10-12 20:42:49.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/smartmon.te 2011-02-25 17:40:40.521510568 +0000 -@@ -72,16 +72,22 @@ ++++ serefpolicy-3.9.7/policy/modules/services/smartmon.te 2011-05-17 14:38:31.193889000 +0000 +@@ -72,19 +72,27 @@ files_read_etc_runtime_files(fsdaemon_t) # for config files_read_etc_files(fsdaemon_t) @@ -36767,6 +36953,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar term_dontaudit_search_ptys(fsdaemon_t) ++init_read_utmp(fsdaemon_t) ++ + libs_exec_ld_so(fsdaemon_t) + libs_exec_lib_files(fsdaemon_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.if serefpolicy-3.9.7/policy/modules/services/smokeping.if --- nsaserefpolicy/policy/modules/services/smokeping.if 2010-10-12 20:42:49.000000000 +0000 +++ serefpolicy-3.9.7/policy/modules/services/smokeping.if 2011-02-25 17:40:40.521510568 +0000 @@ -40093,7 +40284,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.9.7/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-10-12 20:42:49.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/virt.te 2011-04-11 08:31:17.362000002 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/virt.te 2011-05-17 15:07:13.256889000 +0000 @@ -5,80 +5,97 @@ # Declarations # 
@@ -40243,7 +40434,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -@@ -133,6 +152,8 @@ +@@ -120,6 +139,9 @@ + dontaudit svirt_t virt_content_t:file write_file_perms; + dontaudit svirt_t virt_content_t:dir write; + ++# virt will attempt to us another virtualizations pubsaudio tmpfs_t, ignore error ++dontaudit svirt_t svirt_tmpfs_t:file { read write }; ++ + corenet_udp_sendrecv_generic_if(svirt_t) + corenet_udp_sendrecv_generic_node(svirt_t) + corenet_udp_sendrecv_all_ports(svirt_t) +@@ -133,6 +155,8 @@ userdom_search_user_home_content(svirt_t) userdom_read_user_home_content_symlinks(svirt_t) userdom_read_all_users_state(svirt_t) @@ -40252,7 +40453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt tunable_policy(`virt_use_comm',` term_use_unallocated_ttys(svirt_t) -@@ -147,11 +168,15 @@ +@@ -147,11 +171,15 @@ tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) @@ -40268,7 +40469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') tunable_policy(`virt_use_sysfs',` -@@ -160,11 +185,22 @@ +@@ -160,11 +188,22 @@ tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) @@ -40291,7 +40492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt xen_rw_image_files(svirt_t) ') -@@ -174,22 +210,33 @@ +@@ -174,22 +213,33 @@ # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; 
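Review bot: The comment on the new `dontaudit svirt_t svirt_tmpfs_t:file { read write };` rule has typos (`us` → `use`, `pubsaudio` → `pulseaudio`, `another virtualizations` → `another guest's`) and, more importantly, should state that the rule only silences the audit record — presumably the access itself stays denied by the MCS separation between guests, which should be confirmed before the log line is suppressed. Something like `# a guest may touch another guest's pulseaudio tmpfs file; MCS still denies it, just don't log it` keeps the trade-off visible: a silenced denial is one fewer signal that one guest is probing another's files. The svirt_t rule block these lines belong to starts before this hunk.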
@@ -40328,7 +40529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -200,8 +247,14 @@ +@@ -200,8 +250,14 @@ manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -40345,7 +40546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -220,6 +273,7 @@ +@@ -220,6 +276,7 @@ kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) @@ -40353,7 +40554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -243,18 +297,27 @@ +@@ -243,18 +300,27 @@ dev_rw_kvm(virtd_t) dev_getattr_all_chr_files(virtd_t) dev_rw_mtrr(virtd_t) @@ -40382,7 +40583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +325,18 @@ +@@ -262,6 +328,18 @@ fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -40401,14 +40602,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt mcs_process_set_categories(virtd_t) -@@ -285,16 +360,31 @@ +@@ -285,16 +363,31 @@ modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) - -+selinux_validate_context(virtd_t) + ++selinux_validate_context(virtd_t) + +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) 
@@ -40433,7 +40634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -313,6 +403,10 @@ +@@ -313,6 +406,10 @@ ') optional_policy(` @@ -40444,7 +40645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt dbus_system_bus_client(virtd_t) optional_policy(` -@@ -365,6 +459,8 @@ +@@ -365,6 +462,8 @@ qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -40453,7 +40654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') optional_policy(` -@@ -394,14 +490,26 @@ +@@ -394,14 +493,26 @@ # virtual domains common policy # @@ -40482,7 +40683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -422,6 +530,7 @@ +@@ -422,6 +533,7 @@ corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) @@ -40490,7 +40691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +538,12 @@ +@@ -429,10 +541,12 @@ dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -40503,7 +40704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,6 +551,11 @@ +@@ -440,6 +554,11 @@ fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -40515,7 +40716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -457,8 +573,117 @@ +@@ -457,8 +576,117 @@ ') optional_policy(` 
@@ -44312,7 +44513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f # /var diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.9.7/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/system/init.if 2011-03-18 15:25:35.837630000 +0000 ++++ serefpolicy-3.9.7/policy/modules/system/init.if 2011-05-27 14:16:28.984208000 +0000 @@ -105,7 +105,11 @@ role system_r types $1; @@ -44620,7 +44821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1748,3 +1879,92 @@ +@@ -1748,3 +1879,110 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -44713,6 +44914,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + + dontaudit $1 init_t:unix_stream_socket connectto; +') ++ ++####################################### ++## ++## Send generic signals to init. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_signal',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:process signal; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.9.7/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-10-12 20:42:50.000000000 +0000 +++ serefpolicy-3.9.7/policy/modules/system/init.te 2011-04-20 13:49:07.390000005 +0000 
@@ -49602,7 +49821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.9.7/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/system/udev.te 2011-04-26 09:58:05.420000003 +0000 ++++ serefpolicy-3.9.7/policy/modules/system/udev.te 2011-05-27 12:53:02.524208002 +0000 @@ -37,6 +37,8 @@ # @@ -49664,11 +49883,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t ') optional_policy(` +- consoletype_exec(udev_t) + consolekit_read_pid_files(udev_t) +') + +optional_policy(` - consoletype_exec(udev_t) ++ consoletype_domtrans(udev_t) ') optional_policy(` @@ -50482,7 +50702,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.debug(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.9.7/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/system/userdomain.if 2011-04-04 18:03:36.285000001 +0000 ++++ serefpolicy-3.9.7/policy/modules/system/userdomain.if 2011-05-27 10:23:57.751208001 +0000 @@ -30,8 +30,9 @@ ') 
@@ -51704,15 +51924,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1237,6 +1483,7 @@ +@@ -1237,8 +1483,15 @@ seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) + seutil_run_setsebool($1,$2) seutil_run_setfiles($1, $2) ++ seutil_manage_bin_policy($1) ++ seutil_manage_default_contexts($1) ++ seutil_manage_file_contexts($1) ++ seutil_manage_module_store($1) ++ seutil_manage_config($1) ++ optional_policy(` -@@ -1275,12 +1522,15 @@ + aide_run($1,$2) + ') +@@ -1275,12 +1528,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -51729,7 +51957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1391,6 +1641,7 @@ +@@ -1391,6 +1647,7 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -51737,7 +51965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_home($1) ') -@@ -1437,6 +1688,14 @@ +@@ -1437,6 +1694,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -51752,7 +51980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1452,9 +1711,11 @@ +@@ -1452,9 +1717,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -51764,7 +51992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1511,6 +1772,42 @@ +@@ -1511,6 +1778,42 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -51807,7 +52035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## ## Create directories in the home dir root with -@@ -1585,6 +1882,8 @@ +@@ -1585,6 +1888,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; 
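Review bot: The five `seutil_manage_*` calls added after `seutil_run_setfiles($1, $2)` give the admin domain direct write access to the binary policy, the contexts files, the module store and the SELinux config, whereas the existing lines only grant transitions into the tool domains (`seutil_run_checkpolicy`, `seutil_run_loadpolicy`, `seutil_run_semanage`, ...). That is a different trust model — policy can now be rewritten without passing through a transitioned tool — and deserves a why-comment, e.g. `# direct access to the policy store: needed for <tool or case> — confirm`. The interface this body belongs to (presumably the security-admin template) starts before the hunk, so its summary could not be checked for a matching description.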
@@ -51816,7 +52044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1599,10 +1898,12 @@ +@@ -1599,10 +1904,12 @@ # interface(`userdom_list_user_home_content',` gen_require(` @@ -51831,7 +52059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1645,30 +1946,49 @@ +@@ -1645,26 +1952,45 @@ ######################################## ## @@ -51862,10 +52090,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo -## Mmap user home files. +## Do not audit attempts to set the +## attributes of user home files. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. +## +## @@ -51881,14 +52108,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +######################################## +## +## Mmap user home files. -+## -+## -+## -+## Domain allowed access. - ## - ## - # -@@ -1696,12 +2016,32 @@ + ## + ## + ## +@@ -1696,12 +2022,32 @@ type user_home_dir_t, user_home_t; ') @@ -51921,7 +52144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to read user home files. ## ## -@@ -1712,11 +2052,14 @@ +@@ -1712,11 +2058,14 @@ # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -51939,7 +52162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1806,8 +2149,7 @@ +@@ -1806,8 +2155,7 @@ type user_home_dir_t, user_home_t; ') @@ -51949,7 +52172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1823,20 +2165,14 @@ +@@ -1823,20 +2171,14 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -51974,7 +52197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## -@@ -2178,7 +2514,7 @@ +@@ -2178,7 +2520,7 @@ type user_tmp_t; ') @@ -51983,7 +52206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2431,13 +2767,14 @@ +@@ -2431,13 +2773,14 @@ ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -51999,7 +52222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2458,26 +2795,6 @@ +@@ -2458,26 +2801,6 @@ ######################################## ## @@ -52026,7 +52249,57 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Get the attributes of a user domain tty. ## ## -@@ -2811,7 +3128,7 @@ +@@ -2566,6 +2889,24 @@ + allow $1 user_tty_device_t:chr_file rw_term_perms; + ') + ++###################################### ++## ++## Read and write inherited user domain tty. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_use_inherited_user_ttys',` ++ gen_require(` ++ type user_tty_device_t; ++ ') ++ ++ allow $1 user_tty_device_t:chr_file { getattr read write append ioctl }; ++') ++ + ######################################## + ## + ## Read and write a user domain pty. +@@ -2584,6 +2925,24 @@ + allow $1 user_devpts_t:chr_file rw_term_perms; + ') + ++###################################### ++## ++## Read and write inherited user domain pty. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_use_inherited_user_ptys',` ++ gen_require(` ++ type user_devpts_t; ++ ') ++ ++ allow $1 user_devpts_t:chr_file { getattr read write append ioctl }; ++') ++ + ######################################## + ## + ## Read and write a user TTYs and PTYs. +@@ -2811,7 +3170,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -52035,7 +52308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow unpriv_userdomain $1:process sigchld; ') -@@ -2827,11 +3144,13 @@ +@@ -2827,11 +3186,13 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -52051,7 +52324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2913,7 +3232,7 @@ +@@ -2913,7 +3274,7 @@ type user_devpts_t; ') @@ -52060,7 +52333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2968,7 +3287,45 @@ +@@ -2968,7 +3329,45 @@ type user_tmp_t; ') @@ -52107,7 +52380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3005,6 +3362,7 @@ +@@ -3005,6 +3404,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -52115,7 +52388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3135,3 +3493,873 @@ +@@ -3135,3 +3535,873 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index f858eba..a3048bd 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.7 -Release: 41%{?dist} +Release: 42%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -472,6 +472,11 @@ exit 0 %endif %changelog +* Fri May 27 2011 Miroslav Grepl 3.9.7-42 +- Make upgrade from F13 working +- Fixes for asterisk policy +- Fixes for vdagent policy + * Tue May 10 2011 Miroslav Grepl 3.9.7-41 - Allow aisexec domtrans to corosync domain - Allow kadmind setsched