diff --git a/policy-F12.patch b/policy-F12.patch index 4fd3632..8dcc9ab 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -420,7 +420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.32/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/netutils.te 2009-12-17 11:20:45.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/admin/netutils.te 2009-12-29 20:01:48.000000000 -0500 @@ -44,6 +44,7 @@ allow netutils_t self:packet_socket create_socket_perms; allow netutils_t self:udp_socket create_socket_perms; @@ -437,6 +437,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_use_user_terminals(netutils_t) userdom_use_all_users_fds(netutils_t) +@@ -217,6 +219,8 @@ + dev_read_urand(traceroute_t) + files_read_usr_files(traceroute_t) + ++term_use_all_terms(traceroute_t) ++ + tunable_policy(`user_ping',` + term_use_all_user_ttys(traceroute_t) + term_use_all_user_ptys(traceroute_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.te serefpolicy-3.6.32/policy/modules/admin/portage.te --- nsaserefpolicy/policy/modules/admin/portage.te 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/admin/portage.te 2009-12-17 11:20:45.000000000 -0500 
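Review bot: The new `term_use_all_terms(traceroute_t)` is placed unconditionally just above the `tunable_policy(`user_ping',` block, which makes the gated `term_use_all_user_ttys(traceroute_t)` and `term_use_all_user_ptys(traceroute_t)` lines redundant: traceroute_t gets every user tty and pty whether or not user_ping is enabled. If the goal is only to let traceroute write to the terminal it was started from, the `userdom_use_user_terminals(netutils_t)` call visible earlier in this same hunk looks like the narrower pattern to mirror for traceroute_t. If the unconditional grant is deliberate, a comment such as `# not gated by user_ping: traceroute must reach any terminal` above it would make that reviewable. The tunable block continues outside the hunk.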
@@ -5964,7 +5973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2009-12-18 15:32:53.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2009-12-30 08:13:06.000000000 -0500 @@ -1,4 +1,4 @@ - +c @@ -5995,7 +6004,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0) -@@ -125,6 +128,7 @@ +@@ -62,6 +65,7 @@ + /etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) + + /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) ++/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0) + + /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + +@@ -125,6 +129,7 @@ /sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) @@ -6003,7 +6020,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /opt -@@ -135,13 +139,15 @@ +@@ -135,13 +140,15 @@ /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -6020,7 +6037,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr # -@@ -211,6 +217,12 @@ +@@ -211,6 +218,12 @@ /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) 
@@ -6033,7 +6050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -221,12 +233,16 @@ +@@ -221,12 +234,16 @@ /usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) @@ -6051,7 +6068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) -@@ -263,6 +279,7 @@ +@@ -263,6 +280,7 @@ /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) @@ -6059,7 +6076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0) -@@ -315,3 +332,21 @@ +@@ -315,3 +333,21 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
@@ -7198,7 +7215,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-12-21 17:41:42.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-12-29 18:03:58.000000000 -0500 @@ -110,7 +110,11 @@ ## # @@ -7877,7 +7894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-12-23 12:11:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-12-30 08:06:40.000000000 -0500 @@ -310,6 +310,26 @@ ######################################## 
@@ -7959,7 +7976,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Mount a DOS filesystem, such as -@@ -1537,6 +1595,24 @@ +@@ -1401,6 +1459,25 @@ + + ######################################## + ## ++## Do not audit attempts to list the contents ++## of directories on a FUSEFS filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_list_fusefs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ dontaudit $1 fusefs_t:dir list_dir_perms; ++') ++ ++######################################## ++## + ## Create, read, write, and delete directories + ## on a FUSEFS filesystem. + ## +@@ -1537,6 +1614,24 @@ ######################################## ## @@ -7984,7 +8027,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Search inotifyfs filesystem. ## ## -@@ -1971,7 +2047,7 @@ +@@ -1971,7 +2066,7 @@ type nfs_t; ') @@ -7993,7 +8036,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1993,6 +2069,25 @@ +@@ -1993,6 +2088,25 @@ read_lnk_files_pattern($1, nfs_t, nfs_t) ') @@ -8019,7 +8062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################### ## ## Read named sockets on a NFS filesystem. -@@ -2542,6 +2637,42 @@ +@@ -2542,6 +2656,42 @@ ######################################## ## @@ -8062,7 +8105,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write NFS server files. ## ## -@@ -3572,6 +3703,122 @@ +@@ -3572,6 +3722,122 @@ ######################################## ## 
@@ -8185,7 +8228,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Mount all filesystems. ## ## -@@ -3971,3 +4218,175 @@ +@@ -3971,3 +4237,175 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') @@ -8791,7 +8834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.32/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-12-17 11:20:45.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-12-29 20:01:46.000000000 -0500 @@ -196,7 +196,7 @@ dev_list_all_dev_nodes($1) @@ -10745,8 +10788,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2009-12-17 11:20:45.000000000 -0500 -@@ -35,6 +35,23 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2009-12-29 18:11:53.000000000 -0500 +@@ -31,10 +31,29 @@ + + userdom_restricted_xwindows_user_template(xguest) + ++sysnet_dns_name_resolve(xguest_t) ++ + ######################################## # # Local policy # @@ -10770,7 +10819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow mounting of file systems optional_policy(` -@@ -49,10 +66,9 @@ +@@ -49,10 +68,9 @@ fs_manage_noxattr_fs_dirs(xguest_t) fs_getattr_noxattr_fs(xguest_t) fs_read_noxattr_fs_symlinks(xguest_t) 
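Review bot: `sysnet_dns_name_resolve(xguest_t)` is added at file scope, outside any tunable and above the `# Local policy` section header, while the xguest network grants shown on the next physical line (`corenet_tcp_connect_*` for xguest_usertype) sit inside a nested block whose condition is outside the hunk. If that block is boolean-gated, this gives the guest domain a DNS channel even when the rest of its network access is switched off. If that is intended, a comment above the line stating why name resolution must always work would document it; otherwise it probably belongs inside the same conditional block.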
@@ -10782,7 +10831,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -67,17 +83,60 @@ +@@ -67,17 +85,60 @@ ') optional_policy(` @@ -10832,10 +10881,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + corenet_tcp_connect_speech_port(xguest_usertype) + corenet_tcp_sendrecv_transproxy_port(xguest_usertype) + corenet_tcp_connect_transproxy_port(xguest_usertype) ++ ') ') - ') - --#gen_user(xguest_u,, xguest_r, s0, s0) ++ +optional_policy(` + gen_require(` + type mozilla_t; @@ -10843,8 +10891,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow xguest_t mozilla_t:process transition; + role xguest_r types mozilla_t; -+') -+ + ') + +-#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.6.32/policy/modules/services/abrt.fc --- nsaserefpolicy/policy/modules/services/abrt.fc 2009-09-16 10:01:19.000000000 -0400 @@ -11033,7 +11082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-12-23 07:13:32.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-12-29 19:58:48.000000000 -0500 @@ -33,12 +33,24 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) 
@@ -11081,7 +11130,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) kernel_read_ring_buffer(abrt_t) -@@ -75,18 +90,35 @@ +@@ -75,18 +90,36 @@ corecmd_exec_bin(abrt_t) corecmd_exec_shell(abrt_t) @@ -11112,12 +11161,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(abrt_t) fs_getattr_all_dirs(abrt_t) +fs_read_fusefs_files(abrt_t) ++fs_read_noxattr_fs_files(abrt_t) +fs_read_nfs_files(abrt_t) +fs_search_all(abrt_t) sysnet_read_config(abrt_t) -@@ -96,22 +128,90 @@ +@@ -96,22 +129,91 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -11183,6 +11233,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# + +allow abrt_helper_t self:capability { chown setgid }; ++allow abrt_helper_t self:process signal; +read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t) + +manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) @@ -11490,7 +11541,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.32/policy/modules/services/amavis.te --- nsaserefpolicy/policy/modules/services/amavis.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/amavis.te 2009-12-17 11:20:45.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/amavis.te 2009-12-30 08:22:28.000000000 -0500 @@ -103,6 +103,8 @@ kernel_dontaudit_read_proc_symlinks(amavis_t) kernel_dontaudit_read_system_state(amavis_t) 
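Review bot: `fs_read_noxattr_fs_files(abrt_t)` extends the daemon's read access to every file on filesystems that carry no labels, in addition to the fusefs and nfs reads already granted on the neighbouring lines; this is a broad grant for a root daemon and the hunk does not say which data it is meant to reach. A comment such as `# core dumps may live on unlabeled (removable/vfat) media` above the line, if that is the case, would record the reason; if only a specific path is needed, a narrower interface would be preferable.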
@@ -11500,6 +11551,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # find perl corecmd_exec_bin(amavis_t) +@@ -141,6 +143,7 @@ + logging_send_syslog_msg(amavis_t) + + miscfiles_read_localization(amavis_t) ++miscfiles_read_certs(amavis_t) + + sysnet_dns_name_resolve(amavis_t) + sysnet_use_ldap(amavis_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2009-12-17 11:20:45.000000000 -0500 @@ -12298,7 +12357,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2009-12-18 15:32:53.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2009-12-29 18:35:40.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # @@ -12509,7 +12568,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file }) -@@ -312,16 +375,18 @@ +@@ -312,19 +375,22 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) 
@@ -12533,7 +12592,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_http_port(httpd_t) corenet_tcp_bind_http_cache_port(httpd_t) corenet_sendrecv_http_server_packets(httpd_t) -@@ -335,12 +400,11 @@ ++corenet_tcp_bind_ntop_port(httpd_t) + # Signal self for shutdown + corenet_tcp_connect_http_port(httpd_t) + +@@ -335,12 +401,11 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -12548,7 +12611,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(httpd_t) -@@ -356,8 +420,13 @@ +@@ -356,8 +421,13 @@ files_read_etc_files(httpd_t) # for tomcat files_read_var_lib_symlinks(httpd_t) @@ -12562,7 +12625,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_read_lib_files(httpd_t) -@@ -372,18 +441,33 @@ +@@ -372,18 +442,33 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -12600,7 +12663,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -391,32 +475,71 @@ +@@ -391,32 +476,71 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -12677,7 +12740,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -424,11 +547,23 @@ +@@ -424,11 +548,23 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -12701,7 +12764,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -451,6 +586,18 @@ +@@ -451,6 +587,18 @@ ') optional_policy(` @@ -12720,7 +12783,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(httpd_t, httpd_exec_t) ') -@@ -459,8 +606,13 @@ +@@ -459,8 +607,13 @@ ') optional_policy(` 
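Review bot: `corenet_tcp_bind_ntop_port(httpd_t)` is added unconditionally next to the http and http_cache port binds and without a comment, so every httpd install now gets an extra listening port. The rest of the file's port handling is outside this hunk, so I cannot tell whether a boolean already covers this case, but a one-line justification such as `# ntop's web interface is served through httpd` above the bind, or wrapping it in a tunable, would make the widening reviewable.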
@@ -12736,7 +12799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -468,22 +620,19 @@ +@@ -468,22 +621,19 @@ mailman_domtrans_cgi(httpd_t) # should have separate types for public and private archives mailman_search_data(httpd_t) @@ -12762,7 +12825,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -494,12 +643,23 @@ +@@ -494,12 +644,23 @@ ') optional_policy(` @@ -12786,7 +12849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -508,6 +668,7 @@ +@@ -508,6 +669,7 @@ ') optional_policy(` @@ -12794,7 +12857,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -535,6 +696,23 @@ +@@ -535,6 +697,23 @@ userdom_use_user_terminals(httpd_helper_t) @@ -12818,7 +12881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache PHP script local policy -@@ -564,20 +742,25 @@ +@@ -564,20 +743,25 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -12850,7 +12913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -595,23 +778,24 @@ +@@ -595,23 +779,24 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -12879,7 +12942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -624,6 +808,7 @@ +@@ -624,6 +809,7 @@ logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) 
@@ -12887,7 +12950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; -@@ -631,22 +816,31 @@ +@@ -631,22 +817,31 @@ corenet_all_recvfrom_unlabeled(httpd_suexec_t) corenet_all_recvfrom_netlabel(httpd_suexec_t) @@ -12926,7 +12989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -672,15 +866,14 @@ +@@ -672,15 +867,14 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -12945,7 +13008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t httpd_t:tcp_socket { read write }; dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -699,12 +892,24 @@ +@@ -699,12 +893,24 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -12972,7 +13035,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -712,6 +917,35 @@ +@@ -712,6 +918,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -13008,7 +13071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -724,6 +958,10 @@ +@@ -724,6 +959,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -13019,7 +13082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -735,6 +973,8 @@ +@@ -735,6 +974,8 @@ # httpd_rotatelogs local policy # 
@@ -13028,7 +13091,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -754,11 +994,88 @@ +@@ -754,11 +995,88 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -13211,7 +13274,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.6.32/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2009-12-22 08:26:17.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2009-12-30 08:24:32.000000000 -0500 @@ -34,18 +34,21 @@ type asterisk_var_run_t; files_pid_file(asterisk_var_run_t) @@ -13272,7 +13335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(asterisk_t) -@@ -119,17 +129,25 @@ +@@ -119,17 +129,29 @@ fs_getattr_all_fs(asterisk_t) fs_search_auto_mountpoints(asterisk_t) @@ -13289,6 +13352,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - nis_use_ypbind(asterisk_t) ++ mysql_stream_connect(asterisk_t) ++') ++ ++optional_policy(` + mta_send_mail(asterisk_t) +') + @@ -13301,11 +13368,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -137,10 +155,10 @@ +@@ -137,10 +159,11 @@ ') optional_policy(` - udev_read_db(asterisk_t) ++ snmp_read_snmp_var_lib_files(asterisk_t) + snmp_stream_connect(asterisk_t) ') 
@@ -14169,7 +14237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive chronyd_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.32/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/clamav.te 2009-12-17 11:20:45.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/clamav.te 2009-12-29 18:41:29.000000000 -0500 @@ -117,9 +117,9 @@ logging_send_syslog_msg(clamd_t) @@ -14182,16 +14250,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_use_fds(clamd_t) cron_use_system_job_fds(clamd_t) -@@ -187,15 +187,15 @@ +@@ -187,15 +187,17 @@ files_read_etc_files(freshclam_t) files_read_etc_runtime_files(freshclam_t) -miscfiles_read_localization(freshclam_t) +auth_use_nsswitch(freshclam_t) -+ -+logging_send_syslog_msg(freshclam_t) -sysnet_dns_name_resolve(freshclam_t) ++logging_send_syslog_msg(freshclam_t) ++ +miscfiles_read_localization(freshclam_t) clamav_stream_connect(freshclam_t) @@ -14200,10 +14268,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -cron_use_system_job_fds(freshclam_t) -cron_rw_pipes(freshclam_t) +cron_system_entry(freshclam_t, freshclam_exec_t) ++ ++userdom_stream_connect(freshclam_t) ######################################## # -@@ -247,5 +247,9 @@ +@@ -247,5 +249,9 @@ mta_send_mail(clamscan_t) optional_policy(` 
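Review bot: `userdom_stream_connect(freshclam_t)` at the end of the hunk lets the updater connect to unix stream sockets owned by all user domains, which is broad for a cron-driven job that otherwise only reaches clamd through `clamav_stream_connect(freshclam_t)`. If this is needed for one specific socket, a comment naming it above the line would document the grant and let a narrower interface be chosen later. The reordering of `auth_use_nsswitch` and `logging_send_syslog_msg` earlier in the hunk changes only line order.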
@@ -14510,7 +14580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-12-17 11:20:45.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-12-29 20:22:45.000000000 -0500 @@ -21,7 +21,7 @@ # consolekit local policy # @@ -14525,7 +14595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(consolekit_t) +auth_manage_pam_console_data(consolekit_t) -+auth_dontaudit_write_login_records(consolekit_t) ++auth_write_login_records(consolekit_t) init_telinit(consolekit_t) init_rw_utmp(consolekit_t) @@ -15352,7 +15422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-12-23 12:11:24.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-12-29 20:26:54.000000000 -0500 @@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) 
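Review bot: Replacing `auth_dontaudit_write_login_records(consolekit_t)` with `auth_write_login_records(consolekit_t)` turns a silenced denial into a real write grant on the login records, which form part of the host's session audit trail, and the hunk carries no comment explaining what consolekit writes there. Add a line such as `# consolekit updates login records when sessions start and stop` above it, and check whether the `init_rw_utmp(consolekit_t)` call two lines below already covers the access that was being denied.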
@@ -15380,6 +15450,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type hplip_var_run_t; files_pid_file(hplip_var_run_t) +@@ -97,7 +103,7 @@ + # + + # /usr/lib/cups/backend/serial needs sys_admin(?!) +-allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config }; ++allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config }; + dontaudit cupsd_t self:capability { sys_tty_config net_admin }; + allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; + allow cupsd_t self:fifo_file rw_fifo_file_perms; @@ -105,6 +111,7 @@ allow cupsd_t self:unix_dgram_socket create_socket_perms; allow cupsd_t self:netlink_selinux_socket create_socket_perms; @@ -17101,7 +17180,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/hal.te 2009-12-21 10:21:57.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/hal.te 2009-12-29 20:09:00.000000000 -0500 @@ -55,13 +55,16 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -17162,7 +17241,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(hald_t) userdom_dontaudit_search_user_home_dirs(hald_t) -@@ -290,6 +305,7 @@ +@@ -286,10 +301,12 @@ + ') + + optional_policy(` ++ ppp_domtrans(hald_t) + ppp_read_rw_config(hald_t) ') optional_policy(` 
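Review bot: The rewritten capability line for cupsd_t still lists `dac_override` twice (after `sys_admin` and again after `chown`), and the newly added `ipc_lock` gets no justification while the comment above explains only `sys_admin`. Since the line is being replaced anyway, dedupe it: `allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown sys_rawio sys_resource sys_tty_config };`, and put a short comment above it stating what in cups needs `ipc_lock`.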
@@ -17170,7 +17254,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(hald_t) policykit_domtrans_resolve(hald_t) policykit_read_lib(hald_t) -@@ -321,6 +337,10 @@ +@@ -321,6 +338,10 @@ virt_manage_images(hald_t) ') @@ -17181,7 +17265,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Hal acl local policy -@@ -341,6 +361,7 @@ +@@ -341,6 +362,7 @@ manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) @@ -17189,7 +17273,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(hald_acl_t) -@@ -357,6 +378,8 @@ +@@ -357,6 +379,8 @@ files_read_usr_files(hald_acl_t) files_read_etc_files(hald_acl_t) @@ -17198,7 +17282,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_getattr_removable_dev(hald_acl_t) storage_setattr_removable_dev(hald_acl_t) storage_getattr_fixed_disk_dev(hald_acl_t) -@@ -369,6 +392,7 @@ +@@ -369,6 +393,7 @@ miscfiles_read_localization(hald_acl_t) optional_policy(` @@ -17206,7 +17290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(hald_acl_t) policykit_read_lib(hald_acl_t) policykit_read_reload(hald_acl_t) -@@ -450,12 +474,16 @@ +@@ -450,12 +475,16 @@ miscfiles_read_localization(hald_keymap_t) @@ -17225,7 +17309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow hald_dccm_t self:process getsched; allow hald_dccm_t self:tcp_socket create_stream_socket_perms; allow hald_dccm_t self:udp_socket create_socket_perms; -@@ -469,10 +497,22 @@ +@@ -469,10 +498,22 @@ manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) files_search_var_lib(hald_dccm_t) 
@@ -17248,7 +17332,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(hald_dccm_t) corenet_all_recvfrom_netlabel(hald_dccm_t) corenet_tcp_sendrecv_generic_if(hald_dccm_t) -@@ -484,6 +524,7 @@ +@@ -484,6 +525,7 @@ corenet_tcp_bind_generic_node(hald_dccm_t) corenet_udp_bind_generic_node(hald_dccm_t) corenet_udp_bind_dhcpc_port(hald_dccm_t) @@ -17256,7 +17340,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_dccm_port(hald_dccm_t) logging_send_syslog_msg(hald_dccm_t) -@@ -491,3 +532,7 @@ +@@ -491,3 +533,7 @@ files_read_usr_files(hald_dccm_t) miscfiles_read_localization(hald_dccm_t) 
@@ -17711,6 +17795,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + miscfiles_read_localization(lircd_t) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.32/policy/modules/services/mailman.fc +--- nsaserefpolicy/policy/modules/services/mailman.fc 2009-09-16 10:01:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/mailman.fc 2009-12-30 08:17:22.000000000 -0500 +@@ -26,9 +26,8 @@ + /etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) + + /usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) +-/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) +-/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +-/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +- ++/usr/lib(64)?/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) ++/usr/lib(64)?/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) ++/usr/lib(64)?/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) + /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.32/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/mailman.te 2009-12-17 11:20:45.000000000 -0500 
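Review bot: The three rewritten entries use `/usr/lib(64)?/mailman/...`, but the `/usr/lib/mailman/bin/qrunner` context line directly above them is left without `(64)?`, so on a lib64 layout the cgi, mail and scripts executables would be labeled while qrunner would miss `mailman_queue_exec_t` and presumably its domain transition. Change that line to `/usr/lib(64)?/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)` in the same inner hunk; whether this distribution actually installs mailman under lib64 is not visible from here.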
@@ -17875,7 +17975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.32/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/mta.te 2009-12-17 11:20:45.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/mta.te 2009-12-29 16:33:40.000000000 -0500 @@ -27,6 +27,9 @@ type mail_spool_t; files_mountpoint(mail_spool_t) @@ -17898,7 +17998,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) -@@ -72,16 +77,21 @@ +@@ -68,20 +73,27 @@ + + selinux_getattr_fs(system_mail_t) + ++term_dontaudit_use_unallocated_ttys(system_mail_t) ++ + init_use_script_ptys(system_mail_t) userdom_use_user_terminals(system_mail_t) userdom_dontaudit_search_user_home_dirs(system_mail_t) @@ -17920,7 +18026,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -100,6 +110,7 @@ +@@ -100,6 +112,7 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) @@ -17928,7 +18034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -178,6 +189,10 @@ +@@ -178,6 +191,10 @@ ') optional_policy(` @@ -17939,7 +18045,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol smartmon_read_tmp_files(system_mail_t) ') -@@ -197,6 +212,25 @@ +@@ -197,6 +214,25 @@ ') ') 
@@ -18018,7 +18124,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.6.32/policy/modules/services/mysql.if --- nsaserefpolicy/policy/modules/services/mysql.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/mysql.if 2009-12-18 15:32:53.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/mysql.if 2009-12-29 20:13:37.000000000 -0500 @@ -1,5 +1,43 @@ ## Policy for MySQL @@ -18065,7 +18171,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a generic signal to MySQL. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2009-12-23 12:06:27.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2009-12-29 09:05:26.000000000 -0500 @@ -1,6 +1,13 @@ policy_module(mysql, 1.11.0) @@ -18102,7 +18208,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) -+read_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) ++manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) +delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) + allow mysqld_safe_t mysqld_log_t:file manage_file_perms; 
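Review bot: Replacing `read_files_pattern` with `manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)` gives the wrapper create/write/unlink on the pid directory contents where the previous revision granted read only, and nothing in the hunk says why the wrapper needs to write there. A one-line why-comment above the rule would keep the next reader from narrowing it back, e.g. `# mysqld_safe rewrites/removes the pid file itself — confirm against the AVC that motivated this`. The `delete_sock_files_pattern` line below already covers socket cleanup, so if the need is only stale-file removal a delete-only pattern would be the tighter choice.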
@@ -18348,7 +18454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2009-12-17 11:20:45.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2009-12-30 08:28:57.000000000 -0500 @@ -6,17 +6,23 @@ # Declarations # @@ -18534,7 +18640,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(nrpe_t) kernel_read_kernel_sysctls(nrpe_t) -@@ -183,15 +233,19 @@ +@@ -183,11 +233,15 @@ dev_read_urand(nrpe_t) domain_use_interactive_fds(nrpe_t) @@ -18545,15 +18651,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +fs_getattr_all_fs(nrpe_t) fs_search_auto_mountpoints(nrpe_t) ++auth_use_nsswitch(nrpe_t) ++ logging_send_syslog_msg(nrpe_t) miscfiles_read_localization(nrpe_t) - -+sysnet_read_config(nrpe_t) -+ - userdom_dontaudit_use_unpriv_user_fds(nrpe_t) - - optional_policy(` @@ -209,3 +263,84 @@ optional_policy(` udev_read_db(nrpe_t) @@ -18751,7 +18853,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.32/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2009-12-17 11:20:45.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2009-12-29 16:26:25.000000000 -0500 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) 
@@ -18963,7 +19065,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` + ppp_initrc_domtrans(NetworkManager_t) ppp_domtrans(NetworkManager_t) - ppp_read_pid_files(NetworkManager_t) +- ppp_read_pid_files(NetworkManager_t) ++ ppp_manage_pid_files(NetworkManager_t) + ppp_kill(NetworkManager_t) ppp_signal(NetworkManager_t) + ppp_signull(NetworkManager_t) @@ -21665,7 +21768,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.32/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ppp.if 2009-12-17 11:20:45.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/ppp.if 2009-12-29 16:26:08.000000000 -0500 @@ -177,10 +177,16 @@ interface(`ppp_run',` gen_require(` @@ -21685,7 +21788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.32/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ppp.te 2009-12-17 11:20:45.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/ppp.te 2009-12-29 16:46:06.000000000 -0500 @@ -38,7 +38,7 @@ files_type(pppd_etc_rw_t) 
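Review bot: `ppp_manage_pid_files(NetworkManager_t)` replaces the read-only interface, but no hunk in this diff defines `ppp_manage_pid_files` — the ppp.if hunks that follow only touch the header timestamp and `ppp_run` — so the build depends on that interface already existing in the base policy or elsewhere in the patch; worth checking before merge. The change also lets NetworkManager create and unlink pppd's pid files rather than just read them; if the intent is only stale-pid cleanup, a narrower delete-oriented interface (if ppp.if has one) would be preferable. The optional_policy block this rule sits in continues outside the hunk.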
@@ -21722,7 +21825,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit pptp_t self:capability sys_tty_config; allow pptp_t self:process signal; allow pptp_t self:fifo_file rw_fifo_file_perms; -@@ -295,6 +297,14 @@ +@@ -289,12 +291,21 @@ + + userdom_dontaudit_use_unpriv_user_fds(pptp_t) + userdom_dontaudit_search_user_home_dirs(pptp_t) ++userdom_signal_unpriv_users(pptp_t) + + optional_policy(` + consoletype_exec(pppd_t) ') optional_policy(` @@ -21739,8 +21849,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.32/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/prelude.te 2009-12-17 11:20:45.000000000 -0500 -@@ -122,7 +122,8 @@ ++++ serefpolicy-3.6.32/policy/modules/services/prelude.te 2009-12-30 08:34:13.000000000 -0500 +@@ -90,6 +90,7 @@ + corenet_tcp_bind_prelude_port(prelude_t) + corenet_tcp_connect_prelude_port(prelude_t) + corenet_tcp_connect_postgresql_port(prelude_t) ++corenet_tcp_connect_mysql_port(prelude_t) + + dev_read_rand(prelude_t) + dev_read_urand(prelude_t) +@@ -122,7 +123,8 @@ # # prelude_audisp local policy # @@ -23854,7 +23972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2009-12-17 11:20:47.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/samba.te 2009-12-29 19:04:54.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) 
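Review bot: `userdom_signal_unpriv_users(pptp_t)` lets the pptp process send signals to every unprivileged user domain, and the hunk gives no hint which process it needs to reach; sandwiched between two dontaudit lines it is easy to skim past. Suggest either narrowing to the specific target domain if it is known, or a why-comment such as `# TODO(review): record which user-domain process pptp signals (from the AVC denial) and narrow if possible`. The pptp_t block continues outside the hunk, so I cannot see whether a narrower rule already exists elsewhere in it.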
@@ -24028,6 +24146,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t) +@@ -657,7 +696,7 @@ + files_pid_filetrans(swat_t, swat_var_run_t, file) + + allow swat_t winbind_exec_t:file mmap_file_perms; +-can_exec(swat_t, winbind_exec_t) ++domtrans_pattern(swat_t, winbind_exec_t, winbind_t) + + allow swat_t winbind_var_run_t:dir { write add_name remove_name }; + allow swat_t winbind_var_run_t:sock_file { create unlink }; @@ -700,6 +739,8 @@ miscfiles_read_localization(swat_t) @@ -24337,7 +24464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/sendmail.te 2009-12-22 14:56:01.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/sendmail.te 2009-12-27 07:57:52.000000000 -0500 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -24366,13 +24493,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) -@@ -64,24 +69,29 @@ +@@ -64,24 +69,30 @@ fs_getattr_all_fs(sendmail_t) fs_search_auto_mountpoints(sendmail_t) +fs_rw_anon_inodefs_files(sendmail_t) term_dontaudit_use_console(sendmail_t) ++term_dontaudit_use_generic_ptys(sendmail_t) # for piping mail to a command corecmd_exec_shell(sendmail_t) 
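Review bot: With `domtrans_pattern(swat_t, winbind_exec_t, winbind_t)` a winbindd launched by swat now runs as winbind_t, so the direct `allow swat_t winbind_var_run_t:dir { write add_name remove_name };` and `allow swat_t winbind_var_run_t:sock_file { create unlink };` context lines that follow — presumably there for the old in-domain `can_exec` — may no longer be exercised by swat_t itself and are worth re-checking against audit logs and dropping if unused. The `allow swat_t winbind_exec_t:file mmap_file_perms;` line above is likewise largely subsumed by the domtrans pattern's file permissions. The enclosing swat_t block starts and ends outside this hunk.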
@@ -24396,7 +24524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(sendmail_t) -@@ -89,23 +99,46 @@ +@@ -89,23 +100,46 @@ libs_read_lib_files(sendmail_t) logging_send_syslog_msg(sendmail_t) @@ -24445,7 +24573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -113,13 +146,20 @@ +@@ -113,13 +147,20 @@ ') optional_policy(` @@ -24467,7 +24595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -127,24 +167,29 @@ +@@ -127,24 +168,29 @@ ') optional_policy(` @@ -24949,7 +25077,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_sysfs(snmpd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.32/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/snort.te 2009-12-17 11:20:47.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/snort.te 2009-12-27 08:04:33.000000000 -0500 @@ -37,6 +37,7 @@ allow snort_t self:tcp_socket create_stream_socket_perms; allow snort_t self:udp_socket create_socket_perms; 
@@ -24958,6 +25086,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Snort IPS node. unverified. allow snort_t self:netlink_firewall_socket { bind create getattr }; +@@ -55,11 +56,12 @@ + manage_files_pattern(snort_t, snort_var_run_t, snort_var_run_t) + files_pid_filetrans(snort_t, snort_var_run_t, file) + +-kernel_read_kernel_sysctls(snort_t) +-kernel_read_sysctl(snort_t) ++kernel_dontaudit_read_system_state(snort_t) + kernel_list_proc(snort_t) ++kernel_read_kernel_sysctls(snort_t) + kernel_read_proc_symlinks(snort_t) +-kernel_dontaudit_read_system_state(snort_t) ++kernel_read_sysctl(snort_t) ++kernel_request_load_module(snort_t) + + corenet_all_recvfrom_unlabeled(snort_t) + corenet_all_recvfrom_netlabel(snort_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.32/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/spamassassin.fc 2009-12-17 11:20:47.000000000 -0500 
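Review bot: `kernel_request_load_module(snort_t)` is the one substantive addition in this hunk (the other kernel_* lines are only re-sorted) and it lets snort have the kernel auto-load modules, which is a privilege worth a comment since the rest of the block reads like a reorder. Suggest `# TODO(review): note which module_request AVC prompted this` above the line so the reason is not lost among the reordered entries.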
@@ -26269,6 +26413,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir }) # get info from /proc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.6.32/policy/modules/services/telnet.te +--- nsaserefpolicy/policy/modules/services/telnet.te 2009-09-16 10:01:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/telnet.te 2009-12-29 17:46:17.000000000 -0500 +@@ -85,6 +85,7 @@ + remotelogin_domtrans(telnetd_t) + + userdom_search_user_home_dirs(telnetd_t) ++userdom_setattr_user_ptys(telnetd_t) + + optional_policy(` + kerberos_keytab_template(telnetd, telnetd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.6.32/policy/modules/services/tftp.fc --- nsaserefpolicy/policy/modules/services/tftp.fc 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/tftp.fc 2009-12-17 11:20:47.000000000 -0500 @@ -27293,8 +27448,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-12-18 15:27:23.000000000 -0500 -@@ -20,6 +20,28 @@ ++++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-12-29 16:41:42.000000000 -0500 +@@ -8,6 +8,13 @@ + + ## + ##

++## Allow virt to read fuse files ++##

++##
++gen_tunable(virt_use_fusefs, false) ++ ++## ++##

+ ## Allow virt to manage nfs files + ##

+ ##
+@@ -20,6 +27,28 @@ ## gen_tunable(virt_use_samba, false) @@ -27323,7 +27492,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol attribute virt_image_type; type virt_etc_t; -@@ -29,9 +51,14 @@ +@@ -29,9 +58,14 @@ files_type(virt_etc_rw_t) # virt Image files @@ -27339,7 +27508,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type virt_log_t; logging_log_file(virt_log_t) -@@ -48,27 +75,56 @@ +@@ -48,27 +82,56 @@ type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -27400,7 +27569,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -76,6 +132,7 @@ +@@ -76,6 +139,7 @@ manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) @@ -27408,7 +27577,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t) -@@ -86,7 +143,8 @@ +@@ -86,7 +150,8 @@ kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) @@ -27418,7 +27587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -97,40 +155,77 @@ +@@ -97,40 +162,77 @@ corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_bind_generic_node(virtd_t) @@ -27500,7 +27669,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -168,22 +263,36 @@ +@@ -168,22 +270,36 @@ dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) 
@@ -27511,10 +27680,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` iptables_domtrans(virtd_t) + iptables_initrc_domtrans(virtd_t) -+') -+ -+optional_policy(` -+ kerberos_keytab_template(virtd, virtd_t) ') -#optional_policy(` @@ -27522,6 +27687,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -# polkit_domtrans_resolve(virtd_t) -#') +optional_policy(` ++ kerberos_keytab_template(virtd, virtd_t) ++') + + optional_policy(` +- qemu_domtrans(virtd_t) + lvm_domtrans(virtd_t) +') + @@ -27531,9 +27701,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + policykit_domtrans_resolve(virtd_t) + policykit_read_lib(virtd_t) +') - - optional_policy(` -- qemu_domtrans(virtd_t) ++ ++optional_policy(` + qemu_spec_domtrans(virtd_t, svirt_t) qemu_read_state(virtd_t) qemu_signal(virtd_t) @@ -27542,7 +27711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -196,8 +305,154 @@ +@@ -196,8 +312,158 @@ xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) @@ -27602,6 +27771,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dev_rw_sysfs(svirt_t) +') + ++tunable_policy(`virt_use_fusefs',` ++ fs_read_fusefs_files(svirt_t) ++') ++ +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(svirt_t) + fs_manage_nfs_files(svirt_t) 
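Review bot: The new `virt_use_fusefs` tunable gates only `fs_read_fusefs_files(svirt_t)`, whereas the neighbouring `virt_use_nfs` block grants manage access to both svirt_t and (in the earlier hunk) virtd_t; as written the tunable gives virtd_t nothing, so if libvirtd itself must open a FUSE-backed image before handing it to the guest, a matching virtd_t rule will still be denied — confirm against the actual denial. If read-only access for the guest is the intended scope, a comment such as `# read-only by design: guests only consume FUSE-backed images` next to the tunable_policy block would prevent a later drift to manage.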
@@ -28734,7 +28907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-12-23 09:07:45.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-12-30 08:06:59.000000000 -0500 @@ -34,6 +34,13 @@ ## @@ -29006,7 +29179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -325,26 +394,43 @@ +@@ -325,26 +394,44 @@ # this is ugly, daemons should not create files under /etc! manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t) @@ -29031,6 +29204,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +fs_getattr_all_fs(xdm_t) +fs_list_inotifyfs(xdm_t) +fs_read_noxattr_fs_files(xdm_t) ++fs_dontaudit_list_fusefs(xdm_t) + +manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t) + @@ -29057,7 +29231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t xserver_t:process signal; allow xdm_t xserver_t:unix_stream_socket connectto; -@@ -358,6 +444,7 @@ +@@ -358,6 +445,7 @@ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; @@ -29065,7 +29239,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -366,10 +453,14 @@ +@@ -366,10 +454,14 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) 
@@ -29081,7 +29255,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) -@@ -389,11 +480,13 @@ +@@ -389,11 +481,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -29095,7 +29269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -401,6 +494,7 @@ +@@ -401,6 +495,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -29103,7 +29277,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -413,14 +507,17 @@ +@@ -413,14 +508,17 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -29123,7 +29297,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +528,15 @@ +@@ -431,9 +529,15 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -29139,7 +29313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,6 +545,7 @@ +@@ -442,6 +546,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -29147,7 +29321,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -450,6 +554,7 @@ +@@ -450,6 +555,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) 
@@ -29155,7 +29329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -460,10 +565,13 @@ +@@ -460,10 +566,13 @@ logging_read_generic_logs(xdm_t) @@ -29171,7 +29345,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,6 +580,10 @@ +@@ -472,6 +581,10 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -29182,7 +29356,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -504,10 +616,12 @@ +@@ -504,10 +617,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -29195,7 +29369,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -515,12 +629,47 @@ +@@ -515,12 +630,47 @@ ') optional_policy(` @@ -29243,7 +29417,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -535,6 +684,7 @@ +@@ -535,6 +685,7 @@ optional_policy(` # Do not audit attempts to check whether user root has email mta_dontaudit_getattr_spool_files(xdm_t) @@ -29251,7 +29425,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -542,6 +692,39 @@ +@@ -542,6 +693,39 @@ ') optional_policy(` @@ -29291,7 +29465,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +733,9 @@ +@@ -550,8 +734,9 @@ ') optional_policy(` 
@@ -29303,7 +29477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -560,7 +744,6 @@ +@@ -560,7 +745,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -29311,7 +29485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -571,6 +754,10 @@ +@@ -571,6 +755,10 @@ ') optional_policy(` @@ -29322,7 +29496,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,10 +774,9 @@ +@@ -587,10 +775,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -29334,7 +29508,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -602,9 +788,12 @@ +@@ -602,9 +789,12 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -29347,7 +29521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -616,13 +805,14 @@ +@@ -616,13 +806,14 @@ type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; allow xserver_t { rootwindow_t x_domain }:x_drawable send; @@ -29363,7 +29537,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,9 +825,19 @@ +@@ -635,9 +826,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -29383,7 +29557,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -671,7 +871,6 @@ +@@ -671,7 +872,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -29391,7 +29565,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -681,9 +880,12 @@ +@@ -681,9 +881,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -29405,7 +29579,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -698,8 +900,12 @@ +@@ -698,8 +901,12 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -29418,7 +29592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -721,6 +927,8 @@ +@@ -721,6 +928,8 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -29427,7 +29601,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -743,7 +951,7 @@ +@@ -743,7 +952,7 @@ ') ifdef(`enable_mls',` @@ -29436,7 +29610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -775,12 +983,20 @@ +@@ -775,12 +984,20 @@ ') optional_policy(` 
@@ -29458,7 +29632,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(xserver_t) ') -@@ -807,12 +1023,12 @@ +@@ -807,12 +1024,12 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -29475,7 +29649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Run xkbcomp. allow xserver_t xkb_var_lib_t:lnk_file read; -@@ -828,9 +1044,14 @@ +@@ -828,9 +1045,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -29490,7 +29664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -845,11 +1066,14 @@ +@@ -845,11 +1067,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -29506,7 +29680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -882,6 +1106,8 @@ +@@ -882,6 +1107,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; @@ -29515,7 +29689,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -906,6 +1132,8 @@ +@@ -906,6 +1133,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -29524,7 +29698,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -973,17 +1201,49 @@ +@@ -973,17 +1202,49 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; 
@@ -30108,6 +30282,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xen_append_log(fsadm_t) + xen_rw_image_files(fsadm_t) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.6.32/policy/modules/system/getty.te +--- nsaserefpolicy/policy/modules/system/getty.te 2009-09-16 10:01:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/getty.te 2009-12-29 16:32:15.000000000 -0500 +@@ -56,11 +56,10 @@ + manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t) + files_pid_filetrans(getty_t, getty_var_run_t, file) + +-kernel_list_proc(getty_t) +-kernel_read_proc_symlinks(getty_t) ++kernel_read_system_state(getty_t) + +-corecmd_search_bin(getty_t) +-corecmd_read_bin_symlinks(getty_t) ++corecmd_exec_bin(getty_t) ++corecmd_exec_shell(getty_t) + + dev_read_sysfs(getty_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.32/policy/modules/system/init.fc --- nsaserefpolicy/policy/modules/system/init.fc 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/system/init.fc 2009-12-17 11:20:47.000000000 -0500 @@ -30136,7 +30328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /var diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/init.if 2009-12-17 11:20:47.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/init.if 2009-12-29 20:23:06.000000000 -0500 @@ -162,6 +162,7 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; 
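Review bot: `corecmd_exec_bin(getty_t)` and `corecmd_exec_shell(getty_t)` let getty_t run any bin_t program and a shell in its own domain, replacing mere search/read-symlink access, and `kernel_read_system_state(getty_t)` replaces the two narrower /proc interfaces; for a root daemon started by init and attached to ttys that is a sizable widening with no comment saying which helper needs to run. If the trigger is a getty variant that runs external handler scripts, a dedicated helper domain reached via a transition would confine those scripts better than executing them as getty_t. At minimum add a why-comment, e.g. `# TODO(review): which program does getty exec here? consider a domtrans instead of exec_bin/exec_shell`.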
@@ -30211,16 +30403,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -546,7 +585,7 @@ +@@ -546,7 +585,8 @@ # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; - allow $1 init_t:unix_dgram_socket sendto; ++ allow $1 init_t:unix_stream_socket connectto; + init_chat($1) ') ') -@@ -619,18 +658,19 @@ +@@ -619,18 +659,19 @@ # interface(`init_spec_domtrans_script',` gen_require(` @@ -30244,7 +30437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -646,19 +686,39 @@ +@@ -646,19 +687,39 @@ # interface(`init_domtrans_script',` gen_require(` @@ -30288,7 +30481,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -904,6 +964,24 @@ +@@ -904,6 +965,24 @@ allow $1 init_script_file_type:file read_file_perms; ') @@ -30313,7 +30506,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Execute all init scripts in the caller domain. -@@ -1123,7 +1201,7 @@ +@@ -1123,7 +1202,7 @@ type initrc_t; ') @@ -30322,7 +30515,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1291,6 +1369,25 @@ +@@ -1291,6 +1370,25 @@ ######################################## ## @@ -30348,7 +30541,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create files in a init script ## temporary data directory. ## -@@ -1521,3 +1618,70 @@ +@@ -1521,3 +1619,70 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') 
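Review bot: The added `allow $1 init_t:unix_stream_socket connectto;` sits under the comment `# upstart uses a datagram socket instead of initctl pipe`, which now understates what the block grants, since the caller can also connect to init's stream socket. Update the comment to cover both, e.g. `# upstart uses a datagram socket (and stream connect) instead of the initctl pipe`. The interface this block belongs to starts outside the hunk.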
@@ -31093,7 +31286,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-12-17 11:20:47.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-12-29 17:01:11.000000000 -0500 @@ -6,6 +6,13 @@ # Declarations # @@ -31204,13 +31397,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) -@@ -153,17 +181,20 @@ +@@ -153,17 +181,21 @@ # ipsec_mgmt Local policy # -allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search }; -allow ipsec_mgmt_t self:process { signal setrlimit }; +allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap }; ++dontaudit ipsec_mgmt_t self:capability sys_tty_config; +allow ipsec_mgmt_t self:process { signal setrlimit ptrace }; allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; @@ -31228,7 +31422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) -@@ -241,6 +272,7 @@ +@@ -241,6 +273,7 @@ init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) 
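Review bot: The new `dontaudit ipsec_mgmt_t self:capability sys_tty_config;` silences a denial without saying why the capability is unnecessary; sys_tty_config was in the capability set on the removed allow line in the same hunk, so a later reader cannot tell whether the dontaudit hides a real failure or just noise. Add a comment above it such as `# ipsec helper scripts trip a sys_tty_config check (presumably terminal setup) that is not needed for operation; silence rather than allow`, and confirm from the audit trail that nothing in the ipsec start/stop path depends on it.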
@@ -31236,7 +31430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(ipsec_mgmt_t) -@@ -280,6 +312,13 @@ +@@ -280,6 +313,13 @@ allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; allow racoon_t self:key_socket create_socket_perms; @@ -31250,7 +31444,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # manage pid file manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t) -@@ -296,6 +335,14 @@ +@@ -296,6 +336,14 @@ kernel_read_system_state(racoon_t) kernel_read_network_state(racoon_t) @@ -31265,7 +31459,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(racoon_t) corenet_tcp_sendrecv_all_if(racoon_t) -@@ -314,6 +361,8 @@ +@@ -314,6 +362,8 @@ files_read_etc_files(racoon_t) @@ -31274,7 +31468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # allow racoon to use avc_has_perm to check context on proposed SA selinux_compute_access_vector(racoon_t) -@@ -328,6 +377,14 @@ +@@ -328,6 +378,14 @@ miscfiles_read_localization(racoon_t) @@ -31289,7 +31483,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Setkey local policy -@@ -341,12 +398,15 @@ +@@ -341,12 +399,15 @@ read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) @@ -31305,7 +31499,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # allow setkey to set the context for ipsec SAs and policy. ipsec_setcontext_default_spd(setkey_t) -@@ -358,3 +418,5 @@ +@@ -358,3 +419,5 @@ seutil_read_config(setkey_t) userdom_use_user_terminals(setkey_t) 
@@ -31625,7 +31819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive kdump_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-12-23 12:43:17.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-12-29 20:06:16.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -31833,12 +32027,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -307,10 +309,117 @@ +@@ -307,10 +309,129 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) +/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) + ++/usr/lib(64)?/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) ++/usr/lib(64)?/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) ++ ifdef(`distro_suse',` /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) ') @@ -31862,7 +32059,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/local/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/googleearth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
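Review bot: `/usr/lib(64)?/pgsql/test/regress/.*\.so.*` is already matched by the preceding `/usr/lib(64)?/pgsql/.*\.so.*`, since `.*` in file_contexts regexes spans directory separators, and both assign lib_t; drop the second entry, or if the regress objects need a different label (the changelog mentions the postgres test suite) give it here. A one-line comment on why pgsql needs an explicit entry at all would also help, e.g. `# pgsql modules are not named lib*.so and so miss the generic /usr/lib rule — presumably; confirm`.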
@@ -31951,6 +32150,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/games/darwinia/lib/libSDL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/ocp-.*/mixclip\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.32/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/system/libraries.if 2009-12-17 11:20:47.000000000 -0500 @@ -34151,7 +34357,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.32/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if 2009-12-17 11:20:47.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if 2009-12-27 08:20:17.000000000 -0500 @@ -43,6 +43,36 @@ sysnet_domtrans_dhcpc($1) 
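Review bot: `/usr/bin/bsnes -- textrel_shlib_t` gives a program a library type: it takes bsnes out of bin_t, so confined user domains that may only execute bin_t lose the ability to run it, and execmod on the binary is then presumably granted to every domain that maps shared libraries rather than to the users who run the emulator. If the goal is to let the binary's text relocations be applied, check whether the domain-level execmod on bin_t (or the existing execmod boolean) is the better tool, and document the decision on the line: `# bsnes binary carries text relocations; textrel_shlib_t lets ld.so execmod it — TODO confirm confined users can still exec it`. The other additions in this hunk are genuine .so files and are fine.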
@@ -34252,10 +34458,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; -@@ -557,6 +609,14 @@ +@@ -556,7 +608,15 @@ + corenet_sendrecv_dns_client_packets($1) files_search_etc($1) - allow $1 net_conf_t:file read_file_perms; +- allow $1 net_conf_t:file read_file_perms; ++ read_files_pattern($1, net_conf_t, net_conf_t) + + optional_policy(` + avahi_stream_connect($1) @@ -35501,7 +35709,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-23 07:52:17.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-29 18:41:02.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -38375,7 +38583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2009-12-17 11:20:47.000000000 -0500 ++++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2009-12-29 17:59:22.000000000 -0500 @@ -181,7 +181,7 @@ # define(`getattr_dir_perms',`{ getattr }') 
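Review bot: `read_files_pattern($1, net_conf_t, net_conf_t)` replaces the plain `allow $1 net_conf_t:file read_file_perms;` and additionally grants search on net_conf_t directories, but nothing in the hunk says which directory is now labeled net_conf_t. Record the reason next to it: `# also searches net_conf_t dirs; needed when resolv.conf lives in a net_conf_t directory (presumably a network-manager run dir) — confirm`. The interface's opening line is outside this hunk.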
@@ -38412,7 +38620,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
  define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
  define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
-@@ -305,10 +307,27 @@
+@@ -238,7 +240,8 @@
+ define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
+ define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
+ define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
+-define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
++define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
++define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
+ define(`create_fifo_file_perms',`{ getattr create open }')
+ define(`rename_fifo_file_perms',`{ getattr rename }')
+ define(`delete_fifo_file_perms',`{ getattr unlink }')
+@@ -305,10 +308,27 @@
  #
  # Use (read and write) terminals
  #
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b899cbe..21c8a99 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 64%{?dist}
+Release: 65%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
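Review bot: `rw_inherited_fifo_file_perms` is introduced without a comment, and its one important property — it omits `open`, so a domain granted it can use a FIFO descriptor it inherited but cannot open the FIFO by path — is exactly what a policy writer needs when choosing between it and `rw_fifo_file_perms`. Add above the definition: `# rw_inherited_fifo_file_perms: use an already-open (inherited) FIFO; no open, so the holder cannot reach the FIFO by path`. The nested form `{ open rw_inherited_fifo_file_perms }` expands to a nested permission set, which the policy compiler accepts, but a short note that the nesting is intentional would stop someone later "flattening" it and silently re-adding `open` to the inherited set.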
@@ -449,6 +449,35 @@ exit 0 %endif %changelog +* Wed Dec 30 2009 Dan Walsh 3.6.32-65 +- Allow traceroute to use all terms +- Fix mgetty use for faxes +- Dontaudit xdm listing fusefs +- Allow xguest to resolve host names +- Allow abrt to read noxattr filesystems (cdrom) +- Allow abrt_helper to send itself signals +- Allow amavis to read certs +- Allow apache to bind to port 3000 (Ruby on rails) +- Asterist uses mysql and snmp +- Allow consolekit to write wtmp file for shutdown +- Allow cups ipc_lock +- Allow hal to transition to ppp +- Fix mailman labels for 64 bit systems +- dontaudit system_mail access to leaked terminals +- Allow mysqld_safe_t to unlink mysqld pid files +- nrpe_t uses getpw calls +- Allow NetworkManager to delete ppp pid files +- Allow pptp_t to sens userdomain signals +- Allow prelude to connect to mysql +- Allow swat to start winbind server +- Fixes for snort +- Allow telnetd to setattr user terminals +- Allow qemu to read fusefs +- Allow domains that have telinit to connectto upstart unix_stream_socket +- Dontaudit ipsec_mgmt sys_tty_config +- Fix labels for postgrestgres test suite +- Other textrel_shlib_t fixes + * Wed Dec 23 2009 Dan Walsh 3.6.32-64 - Update to Rawhide filesystem.if file - Allow abrt to read nfs