diff --git a/policy-F13.patch b/policy-F13.patch index c6a2cbc..9991be0 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -555,8 +555,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.19/policy/modules/admin/netutils.fc --- nsaserefpolicy/policy/modules/admin/netutils.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/netutils.fc 2010-04-14 10:48:18.000000000 -0400 -@@ -9,6 +9,7 @@ ++++ serefpolicy-3.7.19/policy/modules/admin/netutils.fc 2010-04-30 09:52:59.000000000 -0400 +@@ -9,6 +9,8 @@ /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) @@ -564,6 +564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0) /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0) ++/usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.19/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2010-02-12 10:33:09.000000000 -0500 +++ serefpolicy-3.7.19/policy/modules/admin/netutils.te 2010-04-14 10:48:18.000000000 -0400 
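Review bot: Labeling `/usr/sbin/send_arp` as `ping_exec_t` runs a gratuitous-ARP sender in `ping_t`, so every domain that already has a ping domain transition inherits the ability to emit ARP replies on the LAN (an ARP-spoofing primitive, not an ICMP probe) with whatever raw-socket access ping_t carries; those ping_t rules are not in this hunk, so I can only presume the usual net_raw grant. If send_arp is only needed by the cluster daemons this same patch adds (piranha/pulse), a dedicated exec type or a transition limited to those domains would be tighter. At minimum explain the choice above the line: `# send_arp (gratuitous ARP for cluster failover) shares ping_t for its raw-socket access`. Whether send_arp is setuid on F13 is not visible here; if it is, this label also decides which users can exercise it.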
@@ -682,7 +683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.19/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2010-04-30 08:25:29.000000000 -0400 @@ -21,8 +21,21 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) @@ -747,7 +748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink optional_policy(` amanda_manage_lib(prelink_t) -@@ -99,5 +118,58 @@ +@@ -99,5 +118,59 @@ ') optional_policy(` @@ -806,6 +807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink +optional_policy(` + rpm_read_db(prelink_cron_system_t) +') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.19/policy/modules/admin/quota.te --- nsaserefpolicy/policy/modules/admin/quota.te 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/admin/quota.te 2010-04-14 10:48:18.000000000 -0400 @@ -4033,8 +4035,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.f +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.19/policy/modules/apps/livecd.if --- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/livecd.if 2010-04-14 13:27:07.000000000 -0400 -@@ -0,0 +1,108 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/livecd.if 2010-04-30 08:23:28.000000000 -0400 +@@ -0,0 +1,127 @@ + +## policy for livecd + 
@@ -4108,6 +4110,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i + +######################################## +## ++## Read livecd temporary files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`livecd_read_tmp_files',` ++ gen_require(` ++ type livecd_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ read_files_pattern($1, livecd_tmp_t, livecd_tmp_t) ++') ++ ++######################################## ++## +## Read and write livecd temporary files. +## +## @@ -6029,8 +6050,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-04-29 12:22:20.000000000 -0400 -@@ -0,0 +1,382 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-04-30 09:06:38.000000000 -0400 +@@ -0,0 +1,383 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -6138,6 +6159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +allow sandbox_domain self:msgq create_msgq_perms; +allow sandbox_domain self:unix_stream_socket create_stream_socket_perms; +allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; ++dontaudit sandbox_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + +dev_rw_all_inherited_chr_files(sandbox_domain) +dev_rw_all_inherited_blk_files(sandbox_domain) 
@@ -7169,7 +7191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-13 14:43:42.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-04-29 12:54:00.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-04-30 09:52:59.000000000 -0400 @@ -25,6 +25,7 @@ # type tun_tap_device_t; @@ -7186,13 +7208,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) network_port(afs_pt, udp,7002,s0) -@@ -73,12 +75,14 @@ +@@ -73,12 +75,15 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) +network_port(amqp, tcp,5671,s0, udp,5671,s0, tcp,5672,s0, udp,5672,s0) network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) network_port(apcupsd, tcp,3551,s0, udp,3551,s0) ++network_port(apertus_ldp, tcp,539,s0, udp,539,s0) network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0) network_port(audit, tcp,60,s0) network_port(auth, tcp,113,s0) @@ -7201,7 +7224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict network_port(certmaster, tcp,51235,s0) network_port(chronyd, udp,323,s0) -@@ -86,6 +90,7 @@ +@@ -86,6 +91,7 @@ network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0) network_port(cobbler, tcp,25151,s0) 
@@ -7209,7 +7232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(comsat, udp,512,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) -@@ -98,7 +103,9 @@ +@@ -98,7 +104,9 @@ network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) network_port(epmap, tcp,135,s0, udp,135,s0) @@ -7219,16 +7242,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -109,7 +116,7 @@ +@@ -109,7 +117,7 @@ network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) -network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port -+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,3636,s0, tcp,8008,s0,tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port ++network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0,tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) -@@ -132,6 +139,7 @@ +@@ -132,6 +140,7 @@ network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) network_port(lmtp, tcp,24,s0, udp,24,s0) 
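Review bot: Dropping tcp/3636 from `http_port_t` is only safe if the domain that listens on 3636 is granted a bind rule for the type that replaces it; the port is re-declared as `piranha_port_t` in the `@@ -140,24 +149,34 @@` hunk below, but no bind rule for piranha's web domain is in view. Until the generated `corenet_tcp_bind_piranha_port` interface is used by that domain, the piranha_gui listener will presumably be denied `name_bind` where it previously succeeded under http_port_t. A short comment on the http line, e.g. `# 3636 is piranha_gui, see piranha_port_t`, would stop someone re-adding it here.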
@@ -7236,7 +7259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon network_port(mail, tcp,2000,s0, tcp,3905,s0) network_port(memcache, tcp,11211,s0, udp,11211,s0) -@@ -140,24 +148,33 @@ +@@ -140,24 +149,34 @@ network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0) network_port(munin, tcp,4949,s0, udp,4949,s0) @@ -7255,6 +7278,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(pegasus_https, tcp,5989,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) ++network_port(piranha, tcp,3636,s0) +network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0) +network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0) +network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0) @@ -7271,7 +7295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -177,16 +194,18 @@ +@@ -177,16 +196,18 @@ network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) @@ -7291,7 +7315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict network_port(swat, tcp,901,s0) network_port(syslogd, udp,514,s0) -@@ -201,13 +220,13 @@ +@@ -201,13 +222,13 @@ network_port(varnishd, tcp,6081,s0, tcp,6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) 
@@ -7320,7 +7344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.19/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-03-05 10:46:32.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-04-26 10:13:11.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-04-30 09:01:39.000000000 -0400 @@ -934,6 +934,42 @@ ######################################## @@ -7769,7 +7793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.19/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/files.fc 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/files.fc 2010-04-30 08:55:43.000000000 -0400 @@ -18,6 +18,7 @@ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) 
@@ -7792,18 +7816,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -62,6 +65,10 @@ +@@ -62,6 +65,11 @@ /etc/reader\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0) ++/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) + /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) /etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0) -@@ -72,7 +79,8 @@ +@@ -72,7 +80,8 @@ /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -7813,7 +7838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ifdef(`distro_gentoo', ` /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -93,7 +101,7 @@ +@@ -93,7 +102,7 @@ # HOME_ROOT # expanded by genhomedircon # @@ -7822,7 +7847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. HOME_ROOT/\.journal <> HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) HOME_ROOT/lost\+found/.* <> -@@ -205,15 +213,19 @@ +@@ -205,15 +214,19 @@ /usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /usr/local/lost\+found/.* <> 
@@ -7842,7 +7867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /usr/tmp/.* <> -@@ -229,6 +241,8 @@ +@@ -229,6 +242,8 @@ /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -7851,7 +7876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> -@@ -254,3 +268,5 @@ +@@ -254,3 +269,5 @@ ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) ') @@ -11283,7 +11308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.19/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2010-03-10 15:28:09.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/roles/xguest.te 2010-04-29 10:23:43.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/roles/xguest.te 2010-04-29 15:11:16.000000000 -0400 @@ -15,7 +15,7 @@ ## @@ -11342,20 +11367,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. ') ') -@@ -81,19 +89,66 @@ +@@ -81,19 +89,70 @@ ') optional_policy(` - java_role(xguest_r, xguest_t) + apache_role(xguest_r, xguest_t) -+') -+ -+optional_policy(` -+ java_role_template(xguest, xguest_r, xguest_t) ') optional_policy(` - mozilla_role(xguest_r, xguest_t) ++ gnomeclock_dontaudit_dbus_chat(xguest_t) ++') ++ ++optional_policy(` ++ java_role_template(xguest, xguest_r, xguest_t) ++') ++ ++optional_policy(` + mono_role_template(xguest, xguest_r, xguest_t) +') + 
@@ -12264,7 +12293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.19/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2010-04-06 15:15:38.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/apache.fc 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/apache.fc 2010-04-30 09:52:59.000000000 -0400 @@ -24,7 +24,6 @@ /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -12281,7 +12310,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -109,3 +107,17 @@ +@@ -86,7 +84,6 @@ + /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) + /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) + /var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) + + ifdef(`distro_debian', ` + /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +@@ -109,3 +106,17 @@ /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) 
@@ -12301,7 +12338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.19/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-04-06 15:15:38.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-04-30 09:52:59.000000000 -0400 @@ -13,17 +13,13 @@ # template(`apache_content_template',` @@ -12449,7 +12486,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) -@@ -400,7 +395,7 @@ +@@ -312,6 +307,25 @@ + domtrans_pattern($1, httpd_exec_t, httpd_t) + ') + ++###################################### ++## ++## Allow the specified domain to execute apache ++## in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apache_exec',` ++ gen_require(` ++ type httpd_exec_t; ++ ') ++ ++ can_exec($1, httpd_exec_t) ++') ++ + ####################################### + ## + ## Send a generic signal to apache. +@@ -400,7 +414,7 @@ type httpd_t; ') @@ -12458,7 +12521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -526,6 +521,25 @@ +@@ -526,6 +540,25 @@ ######################################## ## ## Allow the specified domain to delete @@ -12484,7 +12547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Apache cache. ## ## -@@ -756,6 +770,7 @@ +@@ -756,6 +789,7 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; 
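Review bot: The new `apache_exec` interface grants `can_exec($1, httpd_exec_t)` with no domain transition, so the caller runs the Apache binary inside its own domain and none of the `httpd_t` restrictions (content types, the httpd_* booleans, CGI transition rules) apply to that instance. That is occasionally necessary for a daemon that embeds httpd, but the doc block should say so and name the consequence; suggest adding to the summary: `## No transition to httpd_t occurs; the caller domain must confine the web server itself.` The callers are not in this hunk, so I cannot see who uses it, but it should never be reachable from a user-role interface.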
@@ -12492,7 +12555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -814,6 +829,7 @@ +@@ -814,6 +848,7 @@ ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -12500,7 +12563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_search_var($1) ') -@@ -843,6 +859,31 @@ +@@ -843,6 +878,31 @@ ######################################## ## @@ -12532,7 +12595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Execute all web scripts in the system ## script domain. ## -@@ -858,6 +899,11 @@ +@@ -858,6 +918,11 @@ gen_require(` attribute httpdcontent; type httpd_sys_script_t; @@ -12544,7 +12607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -945,7 +991,7 @@ +@@ -945,7 +1010,7 @@ type httpd_squirrelmail_t; ') @@ -12553,7 +12616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1102,7 +1148,7 @@ +@@ -1102,7 +1167,7 @@ type httpd_tmp_t; ') @@ -12562,7 +12625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1172,7 +1218,7 @@ +@@ -1172,7 +1237,7 @@ type httpd_modules_t, httpd_lock_t; type httpd_var_run_t, httpd_php_tmp_t; type httpd_suexec_tmp_t, httpd_tmp_t; @@ -12571,7 +12634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') allow $1 httpd_t:process { getattr ptrace signal_perms }; -@@ -1202,12 +1248,44 @@ +@@ -1202,12 +1267,44 @@ kernel_search_proc($1) allow $1 httpd_t:dir list_dir_perms; 
@@ -14413,6 +14476,75 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +fs_rw_cgroup_files(cgconfigparser_t) +fs_setattr_cgroup_files(cgconfigparser_t) +fs_mount_cgroup(cgconfigparser_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.19/policy/modules/services/chronyd.if +--- nsaserefpolicy/policy/modules/services/chronyd.if 2010-03-29 15:04:22.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/chronyd.if 2010-04-30 08:59:20.000000000 -0400 +@@ -56,6 +56,28 @@ + read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t) + ') + ++######################################## ++## ++## Read and write chronyd shared memory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`chronyd_rw_shm',` ++ gen_require(` ++ type chronyd_t, chronyd_tmpfs_t; ++ ') ++ ++ allow $1 chronyd_t:shm rw_shm_perms; ++ allow $1 chronyd_tmpfs_t:dir list_dir_perms; ++ rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t) ++ read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t) ++ fs_search_tmpfs($1) ++') ++ + #################################### + ## + ## All of the rules required to administrate +@@ -103,3 +125,4 @@ + files_search_tmp($1) + admin_pattern($1, chronyd_tmp_t) + ') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.19/policy/modules/services/chronyd.te +--- nsaserefpolicy/policy/modules/services/chronyd.te 2010-03-29 15:04:22.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/chronyd.te 2010-04-30 09:00:30.000000000 -0400 +@@ -16,6 +16,9 @@ + type chronyd_keys_t; + files_type(chronyd_keys_t) + ++type chronyd_tmpfs_t; ++files_tmpfs_file(chronyd_tmpfs_t) ++ + type chronyd_var_lib_t; + files_type(chronyd_var_lib_t) + +@@ -25,6 +28,7 @@ + type chronyd_var_run_t; + files_pid_file(chronyd_var_run_t) + ++ + ######################################## + # + # Local policy +@@ -38,6 +42,10 @@ + + 
allow chronyd_t chronyd_keys_t:file read_file_perms; + ++manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) ++manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) ++fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file }) ++ + manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) + manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) + manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.19/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2010-01-07 14:53:53.000000000 -0500 +++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-04-14 10:48:18.000000000 -0400 @@ -15293,7 +15425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.19/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/cron.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/cron.te 2010-04-30 08:24:14.000000000 -0400 @@ -38,8 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -15529,7 +15661,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ftp_read_log(system_cronjob_t) ') -@@ -456,11 +528,16 @@ +@@ -452,15 +524,24 @@ + ') + + optional_policy(` ++ livecd_read_tmp_files(system_cronjob_t) ++') ++ ++optional_policy(` + lpd_list_spool(system_cronjob_t) ') optional_policy(` @@ -15546,7 +15686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -476,7 +553,7 @@ +@@ -476,7 +557,7 @@ prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) 
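Review bot: `chronyd_rw_shm` hands the caller write access to chronyd's SysV shm segment and to the files under `chronyd_tmpfs_t`; if chronyd's SHM refclock reads samples from that segment (as it is used for with gpsd further down), a writer can steer the system clock, which affects log timestamps, certificate validity windows and Kerberos. The interface summary should state that rather than just "read and write": `## Read and write chronyd shared memory. A writer can feed time samples to chronyd's SHM refclock, i.e. influence the system clock.` Separately, the `chronyd.te` hunk declares `chronyd_tmpfs_t` and its file transitions but adds no `allow chronyd_t self:shm create_shm_perms`; if that is not already granted outside this hunk, chronyd cannot create the segment gpsd is now allowed to write.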
@@ -15555,7 +15695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -491,6 +568,7 @@ +@@ -491,6 +572,7 @@ optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -15563,7 +15703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -498,6 +576,9 @@ +@@ -498,6 +580,9 @@ ') optional_policy(` @@ -15573,7 +15713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron unconfined_domain(system_cronjob_t) userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -591,6 +672,7 @@ +@@ -591,6 +676,7 @@ #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) 
@@ -16990,6 +17130,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 fs_manage_cifs_files(dovecot_t)
 fs_manage_cifs_symlinks(dovecot_t)
 ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.7.19/policy/modules/services/exim.fc
+--- nsaserefpolicy/policy/modules/services/exim.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/exim.fc 2010-04-30 09:53:00.000000000 -0400
+@@ -1,3 +1,6 @@
++
++/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
++
+ /usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
+ /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
+ /var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.7.19/policy/modules/services/exim.te
+--- nsaserefpolicy/policy/modules/services/exim.te 2010-03-04 11:17:25.000000000 -0500
++++ serefpolicy-3.7.19/policy/modules/services/exim.te 2010-04-30 09:53:00.000000000 -0400
+@@ -36,6 +36,9 @@
+ application_executable_file(exim_exec_t)
+ mta_agent_executable(exim_exec_t)
+ 
++type exim_initrc_exec_t;
++init_script_file(exim_initrc_exec_t)
++
+ type exim_log_t;
+ logging_log_file(exim_log_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.19/policy/modules/services/fail2ban.if
 --- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-03-18 06:48:09.000000000 -0400
 +++ serefpolicy-3.7.19/policy/modules/services/fail2ban.if 2010-04-14 10:48:18.000000000 -0400
@@ -18094,6 +18257,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +git_role_template(git_shell) +gen_user(git_shell_u, user, git_shell_r, s0, s0) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.7.19/policy/modules/services/gnomeclock.if +--- nsaserefpolicy/policy/modules/services/gnomeclock.if 2009-09-16 10:01:13.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/gnomeclock.if 2010-04-29 15:10:45.000000000 -0400 +@@ -63,3 +63,24 @@ + allow $1 gnomeclock_t:dbus send_msg; + allow gnomeclock_t $1:dbus send_msg; + ') ++ ++######################################## ++## ++## Do not audit send and receive messages from ++## gnomeclock over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnomeclock_dontaudit_dbus_chat',` ++ gen_require(` ++ type gnomeclock_t; ++ class dbus send_msg; ++ ') ++ ++ dontaudit $1 gnomeclock_t:dbus send_msg; ++ dontaudit gnomeclock_t $1:dbus send_msg; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.19/policy/modules/services/gpsd.te +--- nsaserefpolicy/policy/modules/services/gpsd.te 2010-04-13 14:43:42.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/gpsd.te 2010-04-30 09:01:03.000000000 -0400 +@@ -57,9 +57,14 @@ + miscfiles_read_localization(gpsd_t) + + optional_policy(` ++ chronyd_rw_shm(gpsd_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(gpsd_t) + ') + + optional_policy(` + ntp_rw_shm(gpsd_t) + ') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.7.19/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2010-02-12 10:33:09.000000000 -0500 +++ serefpolicy-3.7.19/policy/modules/services/hal.if 2010-04-20 08:14:46.000000000 -0400 
@@ -18332,15 +18541,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.19/policy/modules/services/ldap.fc --- nsaserefpolicy/policy/modules/services/ldap.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ldap.fc 2010-04-14 10:48:18.000000000 -0400 -@@ -1,5 +1,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/ldap.fc 2010-04-30 09:53:00.000000000 -0400 +@@ -1,6 +1,8 @@ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) +-/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) +/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) + - /etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/sldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) + @@ -15,3 +17,4 @@ /var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) @@ -20720,8 +20931,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.19/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/ntp.te 2010-04-14 10:48:18.000000000 -0400 -@@ -100,6 +100,8 @@ ++++ serefpolicy-3.7.19/policy/modules/services/ntp.te 2010-04-30 09:01:49.000000000 -0400 +@@ -97,9 +97,12 @@ + dev_read_sysfs(ntpd_t) + # for SSP + dev_read_urand(ntpd_t) ++dev_rw_realtime_clock(ntpd_t) fs_getattr_all_fs(ntpd_t) fs_search_auto_mountpoints(ntpd_t) 
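Review bot: The replacement init-script pattern `/etc/rc\.d/init\.d/sldap` looks like a transposition of `slapd`: the daemon labeled on the next line is `/usr/sbin/slapd`, and the Fedora openldap-servers package installs its init script as `slapd`, not `sldap` (I cannot see the package here, so verify that name). As written the script falls back to the generic `initrc_exec_t`, `slapd_initrc_exec_t` is never applied, and any admin interface keyed on that type silently does nothing, while the removed `ldap` entry no longer matches either. Suggest `/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)`, keeping the old `ldap` line alongside it if older packages are still supported.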
@@ -21017,6 +21232,400 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.fc serefpolicy-3.7.19/policy/modules/services/piranha.fc +--- nsaserefpolicy/policy/modules/services/piranha.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.19/policy/modules/services/piranha.fc 2010-04-30 09:53:00.000000000 -0400 +@@ -0,0 +1,21 @@ ++ ++/etc/rc\.d/init\.d/pulse -- gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0) ++ ++# RHEL6 ++#/etc/sysconfig/ha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0) ++ ++/etc/piranha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0) ++ ++/usr/sbin/fos -- gen_context(system_u:object_r:piranha_fos_exec_t,s0) ++/usr/sbin/lvsd -- gen_context(system_u:object_r:piranha_lvs_exec_t,s0) ++/usr/sbin/piranha_gui -- gen_context(system_u:object_r:piranha_web_exec_t,s0) ++/usr/sbin/pulse -- gen_context(system_u:object_r:piranha_pulse_exec_t,s0) ++ ++/var/log/piranha(/.*)? 
gen_context(system_u:object_r:piranha_log_t,s0) ++ ++/var/run/fos\.pid -- gen_context(system_u:object_r:piranha_fos_var_run_t,s0) ++/var/run/lvs\.pid -- gen_context(system_u:object_r:piranha_lvs_var_run_t,s0) ++/var/run/piranha-httpd\.pid -- gen_context(system_u:object_r:piranha_web_var_run_t,s0) ++/var/run/pulse\.pid -- gen_context(system_u:object_r:piranha_pulse_var_run_t,s0) ++ ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.if serefpolicy-3.7.19/policy/modules/services/piranha.if +--- nsaserefpolicy/policy/modules/services/piranha.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.19/policy/modules/services/piranha.if 2010-04-30 09:53:00.000000000 -0400 +@@ -0,0 +1,175 @@ ++ ++## policy for piranha ++ ++####################################### ++## ++## Creates types and rules for a basic ++## cluster init daemon domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`piranha_domain_template',` ++ ++ gen_require(` ++ attribute piranha_domain; ++ ') ++ ++ ############################## ++ # ++ # piranha_$1_t declarations ++ # ++ ++ type piranha_$1_t, piranha_domain; ++ type piranha_$1_exec_t; ++ init_daemon_domain(piranha_$1_t, piranha_$1_exec_t) ++ ++ # pid files ++ type piranha_$1_var_run_t; ++ files_pid_file(piranha_$1_var_run_t) ++ ++ ############################## ++ # ++ # piranha_$1_t local policy ++ # ++ ++ manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t) ++ manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t) ++ files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { file }) ++') ++ ++######################################## ++## ++## Execute a domain transition to run fos. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`piranha_domtrans_fos',` ++ gen_require(` ++ type piranha_fos_t, piranha_fos_exec_t; ++ ') ++ ++ domtrans_pattern($1, piranha_fos_exec_t, piranha_fos_t) ++') ++ ++####################################### ++## ++## Execute a domain transition to run lvsd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`piranha_domtrans_lvs',` ++ gen_require(` ++ type piranha_lvs_t, piranha_lvs_exec_t; ++ ') ++ ++ domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t) ++') ++ ++####################################### ++## ++## Execute a domain transition to run pulse. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`piranha_domtrans_pulse',` ++ gen_require(` ++ type piranha_pulse_t, piranha_pulse_exec_t; ++ ') ++ ++ domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t) ++') ++ ++####################################### ++## ++## Execute pulse server in the pulse domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`piranha_pulse_initrc_domtrans',` ++ gen_require(` ++ type piranha_pulse_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to read piranha's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`piranha_read_log',` ++ gen_require(` ++ type piranha_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, piranha_log_t, piranha_log_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to append ++## piranha log files. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`piranha_append_log',` ++ gen_require(` ++ type piranha_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, piranha_log_t, piranha_log_t) ++') ++ ++######################################## ++## ++## Allow domain to manage piranha log files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`piranha_manage_log',` ++ gen_require(` ++ type piranha_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, piranha_log_t, piranha_log_t) ++ manage_files_pattern($1, piranha_log_t, piranha_log_t) ++ manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.te serefpolicy-3.7.19/policy/modules/services/piranha.te +--- nsaserefpolicy/policy/modules/services/piranha.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.19/policy/modules/services/piranha.te 2010-04-30 09:53:00.000000000 -0400 +@@ -0,0 +1,186 @@ ++ ++policy_module(piranha,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++## ++##

++## Allow piranha-lvs domain to connect to the network using TCP. ++##

++##
++gen_tunable(piranha_lvs_can_network_connect, false) ++ ++attribute piranha_domain; ++ ++piranha_domain_template(fos) ++ ++piranha_domain_template(lvs) ++ ++piranha_domain_template(pulse) ++ ++type piranha_pulse_initrc_exec_t; ++init_script_file(piranha_pulse_initrc_exec_t) ++ ++piranha_domain_template(web) ++ ++permissive piranha_fos_t; ++permissive piranha_lvs_t; ++permissive piranha_pulse_t; ++permissive piranha_web_t; ++ ++type piranha_etc_rw_t; ++files_type(piranha_etc_rw_t) ++ ++type piranha_log_t; ++logging_log_file(piranha_log_t) ++ ++####################################### ++# ++# piranha-fos local policy ++# ++ ++kernel_read_kernel_sysctls(piranha_fos_t) ++ ++domain_read_all_domains_state(piranha_fos_t) ++ ++consoletype_exec(piranha_fos_t) ++ ++# start and stop services ++init_domtrans_script(piranha_fos_t) ++ ++######################################## ++# ++# piranha-gui local policy ++# ++ ++allow piranha_web_t self:capability { setuid sys_nice kill setgid }; ++allow piranha_web_t self:process { getsched setsched signal }; ++ ++allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms; ++allow piranha_web_t self:sem create_sem_perms; ++allow piranha_web_t self:shm create_shm_perms; ++ ++rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t) ++ ++manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t) ++manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t) ++logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file } ) ++ ++piranha_pulse_initrc_domtrans(piranha_web_t) ++ ++kernel_read_kernel_sysctls(piranha_web_t) ++ ++corenet_tcp_bind_piranha_port(piranha_web_t) ++ ++dev_read_urand(piranha_web_t) ++ ++domain_read_all_domains_state(piranha_web_t) ++ ++files_read_usr_files(piranha_web_t) ++ ++consoletype_exec(piranha_web_t) ++ ++optional_policy(` ++ apache_exec_modules(piranha_web_t) ++ apache_exec(piranha_web_t) ++') ++ ++###################################### ++# ++# piranha-lvs local policy ++# ++ ++# 
neede by nanny ++allow piranha_lvs_t self:capability { net_raw sys_nice }; ++ ++allow piranha_lvs_t self:process signal; ++ ++allow piranha_lvs_t self:unix_dgram_socket create_socket_perms; ++allow piranha_lvs_t self:rawip_socket create_socket_perms; ++ ++kernel_read_kernel_sysctls(piranha_lvs_t) ++ ++# needed by nanny ++corenet_tcp_connect_ftp_port(piranha_lvs_t) ++corenet_tcp_connect_http_port(piranha_lvs_t) ++ ++sysnet_dns_name_resolve(piranha_lvs_t) ++ ++# needed by nanny ++tunable_policy(`piranha_lvs_can_network_connect',` ++ corenet_tcp_connect_all_ports(piranha_lvs_t) ++') ++ ++# needed by ipvsadm ++optional_policy(` ++ iptables_domtrans(piranha_lvs_t) ++') ++ ++####################################### ++# ++# piranha-pulse local policy ++# ++ ++allow piranha_pulse_t self:packet_socket create_socket_perms; ++ ++# pulse starts fos and lvs daemon ++domtrans_pattern(piranha_fos_t, piranha_fos_exec_t, piranha_fos_t) ++allow piranha_pulse_t piranha_fos_t:process signal; ++ ++domtrans_pattern(piranha_pulse_t, piranha_lvs_exec_t, piranha_lvs_t) ++allow piranha_pulse_t piranha_lvs_t:process signal; ++ ++corenet_udp_bind_apertus_ldp_port(piranha_pulse_t) ++ ++sysnet_dns_name_resolve(piranha_pulse_t) ++ ++optional_policy(` ++ netutils_domtrans_ping(piranha_pulse_t) ++') ++ ++optional_policy(` ++ sysnet_domtrans_ifconfig(piranha_pulse_t) ++') ++ ++#################################### ++# ++# piranha domains common policy ++# ++ ++allow piranha_domain self:fifo_file rw_fifo_file_perms; ++allow piranha_domain self:tcp_socket create_stream_socket_perms; ++allow piranha_domain self:udp_socket create_socket_perms; ++allow piranha_domain self:unix_stream_socket create_stream_socket_perms; ++ ++read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t) ++ ++kernel_read_system_state(piranha_domain) ++kernel_read_network_state(piranha_domain) ++ ++corenet_all_recvfrom_unlabeled(piranha_domain) ++corenet_all_recvfrom_netlabel(piranha_domain) 
++corenet_tcp_sendrecv_generic_if(piranha_domain) ++corenet_udp_sendrecv_generic_if(piranha_domain) ++corenet_tcp_sendrecv_generic_node(piranha_domain) ++corenet_udp_sendrecv_generic_node(piranha_domain) ++corenet_tcp_sendrecv_all_ports(piranha_domain) ++corenet_udp_sendrecv_all_ports(piranha_domain) ++corenet_tcp_bind_generic_node(piranha_domain) ++corenet_udp_bind_generic_node(piranha_domain) ++ ++files_read_etc_files(piranha_domain) ++ ++corecmd_exec_bin(piranha_domain) ++corecmd_exec_shell(piranha_domain) ++ ++libs_use_ld_so(piranha_domain) ++libs_use_shared_libs(piranha_domain) ++ ++logging_send_syslog_msg(piranha_domain) ++ ++miscfiles_read_localization(piranha_domain) ++ ++sysnet_read_config(piranha_domain) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.7.19/policy/modules/services/plymouthd.fc --- nsaserefpolicy/policy/modules/services/plymouthd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.7.19/policy/modules/services/plymouthd.fc 2010-04-14 10:48:18.000000000 -0400 
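Review bot: In piranha.te, under `# pulse starts fos and lvs daemon`, the first rule is `domtrans_pattern(piranha_fos_t, piranha_fos_exec_t, piranha_fos_t)` — its source domain is fos itself, so pulse never receives the transition to piranha_fos_t and the following `allow piranha_pulse_t piranha_fos_t:process signal;` is the only pulse-to-fos rule; it should read `domtrans_pattern(piranha_pulse_t, piranha_fos_exec_t, piranha_fos_t)` to match the lvs line right below it, or call the new `piranha_domtrans_fos(piranha_pulse_t)` from piranha.if. Separately, all four domains are declared `permissive`, so none of this module's rules is enforced yet; that deserves a comment next to the `permissive` lines so the state is not forgotten. In piranha.if the parameter descriptions of `piranha_append_log` (`Domain allowed to transition.`) and `piranha_manage_log` (`Domain to not audit.`) are copy-paste leftovers and should both read `Domain allowed access.`, and the `# neede by nanny` comment in piranha.te is a typo for `needed`.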
@@ -21767,10 +22376,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.7.19/policy/modules/services/portreserve.fc +--- nsaserefpolicy/policy/modules/services/portreserve.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/portreserve.fc 2010-04-30 09:53:00.000000000 -0400 +@@ -1,3 +1,6 @@ ++ ++/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0) ++ + /etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) + + /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.19/policy/modules/services/portreserve.te +--- nsaserefpolicy/policy/modules/services/portreserve.te 2010-04-06 15:15:38.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/portreserve.te 2010-04-30 09:53:00.000000000 -0400 +@@ -10,6 +10,9 @@ + type portreserve_exec_t; + init_daemon_domain(portreserve_t, portreserve_exec_t) + ++type portreserve_initrc_exec_t; ++init_script_file(portreserve_initrc_exec_t) ++ + type portreserve_etc_t; + files_type(portreserve_etc_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.19/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/postfix.fc 2010-04-14 10:48:18.000000000 -0400 -@@ -29,12 +29,10 @@ ++++ serefpolicy-3.7.19/policy/modules/services/postfix.fc 2010-04-30 09:53:00.000000000 -0400 +@@ -1,4 +1,5 @@ + # postfix ++/etc/rc\.d/init\.d/postfix -- 
gen_context(system_u:object_r:postfix_initrc_exec_t,s0) + /etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0) + ifdef(`distro_redhat', ` + /usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) +@@ -29,12 +30,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) /usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) @@ -22082,7 +22720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.19/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-04-30 09:53:00.000000000 -0400 @@ -6,6 +6,15 @@ # Declarations # @@ -22138,7 +22776,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post type postfix_map_tmp_t; files_tmp_file(postfix_map_tmp_t) -@@ -68,13 +84,13 @@ +@@ -44,6 +60,9 @@ + # generation macro work + mta_mailserver(postfix_t, postfix_master_exec_t) + ++type postfix_initrc_exec_t; ++init_script_file(postfix_initrc_exec_t) ++ + postfix_server_domain_template(pickup) + + postfix_server_domain_template(pipe) +@@ -68,13 +87,13 @@ postfix_server_domain_template(smtpd) @@ -22155,7 +22803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_type(postfix_spool_flush_t) type postfix_public_t; -@@ -90,9 +106,6 @@ +@@ -90,9 +109,6 @@ postfix_server_domain_template(virtual) mta_mailserver_delivery(postfix_virtual_t) 
@@ -22165,7 +22813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix master process local policy -@@ -103,6 +116,7 @@ +@@ -103,6 +119,7 @@ allow postfix_master_t self:fifo_file rw_fifo_file_perms; allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms; @@ -22173,7 +22821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_master_t postfix_etc_t:file rw_file_perms; -@@ -132,6 +146,7 @@ +@@ -132,6 +149,7 @@ # allow access to deferred queue and allow removing bogus incoming entries manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) @@ -22181,7 +22829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms; allow postfix_master_t postfix_spool_bounce_t:file getattr; -@@ -142,6 +157,7 @@ +@@ -142,6 +160,7 @@ delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) @@ -22189,7 +22837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post kernel_read_all_sysctls(postfix_master_t) -@@ -153,6 +169,9 @@ +@@ -153,6 +172,9 @@ corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) 
@@ -22199,7 +22847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post corenet_tcp_bind_generic_node(postfix_master_t) corenet_tcp_bind_amavisd_send_port(postfix_master_t) corenet_tcp_bind_smtp_port(postfix_master_t) -@@ -170,6 +189,8 @@ +@@ -170,6 +192,8 @@ domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) @@ -22208,7 +22856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post term_dontaudit_search_ptys(postfix_master_t) -@@ -181,6 +202,7 @@ +@@ -181,6 +205,7 @@ mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) @@ -22216,7 +22864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ifdef(`distro_redhat',` # for newer main.cf that uses /etc/aliases -@@ -193,6 +215,10 @@ +@@ -193,6 +218,10 @@ ') optional_policy(` @@ -22227,7 +22875,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # for postalias mailman_manage_data_files(postfix_master_t) ') -@@ -202,6 +228,10 @@ +@@ -202,6 +231,10 @@ ') optional_policy(` @@ -22238,7 +22886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post sendmail_signal(postfix_master_t) ') -@@ -219,6 +249,7 @@ +@@ -219,6 +252,7 @@ manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) 
@@ -22246,7 +22894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -@@ -240,11 +271,18 @@ +@@ -240,11 +274,18 @@ manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) @@ -22265,7 +22913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix local local policy -@@ -253,10 +291,6 @@ +@@ -253,10 +294,6 @@ allow postfix_local_t self:fifo_file rw_fifo_file_perms; allow postfix_local_t self:process { setsched setrlimit }; @@ -22276,7 +22924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # connect to master process stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) -@@ -270,18 +304,31 @@ +@@ -270,18 +307,31 @@ files_read_etc_files(postfix_local_t) @@ -22308,7 +22956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') optional_policy(` -@@ -292,8 +339,7 @@ +@@ -292,8 +342,7 @@ # # Postfix map local policy # @@ -22318,7 +22966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -340,14 +386,15 @@ +@@ -340,14 +389,15 @@ miscfiles_read_localization(postfix_map_t) 
@@ -22338,7 +22986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix pickup local policy -@@ -372,6 +419,7 @@ +@@ -372,6 +422,7 @@ # allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; @@ -22346,7 +22994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -379,6 +427,12 @@ +@@ -379,6 +430,12 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) @@ -22359,7 +23007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` procmail_domtrans(postfix_pipe_t) ') -@@ -388,6 +442,16 @@ +@@ -388,6 +445,16 @@ ') optional_policy(` @@ -22376,7 +23024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post uucp_domtrans_uux(postfix_pipe_t) ') -@@ -415,6 +479,10 @@ +@@ -415,6 +482,10 @@ mta_rw_user_mail_stream_sockets(postfix_postdrop_t) optional_policy(` @@ -22387,7 +23035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') -@@ -424,8 +492,11 @@ +@@ -424,8 +495,11 @@ ') optional_policy(` @@ -22401,7 +23049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ####################################### -@@ -451,6 +522,15 @@ +@@ -451,6 +525,15 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -22417,7 +23065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix qmgr local policy -@@ -464,6 +544,7 @@ +@@ -464,6 +547,7 @@ manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) 
@@ -22425,7 +23073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; -@@ -499,13 +580,14 @@ +@@ -499,13 +583,14 @@ # # connect to master process @@ -22441,7 +23089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_smtp_t) -@@ -535,9 +617,18 @@ +@@ -535,9 +620,18 @@ # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -22460,7 +23108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mailman_read_data_files(postfix_smtpd_t) ') -@@ -559,20 +650,22 @@ +@@ -559,20 +653,22 @@ allow postfix_virtual_t postfix_spool_t:file rw_file_perms; @@ -23166,8 +23814,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.19/policy/modules/services/rgmanager.fc --- nsaserefpolicy/policy/modules/services/rgmanager.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/rgmanager.fc 2010-04-14 10:48:18.000000000 -0400 -@@ -0,0 +1,8 @@ ++++ serefpolicy-3.7.19/policy/modules/services/rgmanager.fc 2010-04-30 09:53:00.000000000 -0400 +@@ -0,0 +1,10 @@ ++ ++/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) + +/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) + 
@@ -23280,8 +23930,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.19/policy/modules/services/rgmanager.te --- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/rgmanager.te 2010-04-14 10:48:18.000000000 -0400 -@@ -0,0 +1,226 @@ ++++ serefpolicy-3.7.19/policy/modules/services/rgmanager.te 2010-04-30 09:53:00.000000000 -0400 +@@ -0,0 +1,229 @@ + +policy_module(rgmanager,1.0.0) + @@ -23302,6 +23952,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +domain_type(rgmanager_t) +init_daemon_domain(rgmanager_t, rgmanager_exec_t) + ++type rgmanager_initrc_exec_t; ++init_script_file(rgmanager_initrc_exec_t) ++ +# tmp files +type rgmanager_tmp_t; +files_tmp_file(rgmanager_tmp_t) @@ -23965,7 +24618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-04-29 14:10:35.000000000 -0400 @@ -0,0 +1,239 @@ + +policy_module(rhcs,1.1.0) @@ -24033,7 +24686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +# + +allow fenced_t self:capability { sys_rawio sys_resource }; -+allow fenced_t self:process getsched; ++allow fenced_t self:process { getsched signal_perms }; + +allow fenced_t self:tcp_socket create_stream_socket_perms; +allow fenced_t self:udp_socket create_socket_perms; 
@@ -24206,10 +24859,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +optional_policy(` + corosync_stream_connect(cluster_domain) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-3.7.19/policy/modules/services/ricci.fc +--- nsaserefpolicy/policy/modules/services/ricci.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/ricci.fc 2010-04-30 09:53:00.000000000 -0400 +@@ -1,3 +1,6 @@ ++ ++/etc/rc\.d/init\.d/ricci -- gen_context(system_u:object_r:ricci_initrc_exec_t,s0) ++ + /usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0) + /usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0) + /usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.19/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ricci.te 2010-04-14 10:48:18.000000000 -0400 -@@ -194,10 +194,13 @@ ++++ serefpolicy-3.7.19/policy/modules/services/ricci.te 2010-04-30 09:53:00.000000000 -0400 +@@ -11,6 +11,9 @@ + domain_type(ricci_t) + init_daemon_domain(ricci_t, ricci_exec_t) + ++type ricci_initrc_exec_t; ++init_script_file(ricci_initrc_exec_t) ++ + # tmp files + type ricci_tmp_t; + files_tmp_file(ricci_tmp_t) +@@ -194,10 +197,13 @@ # ricci_modcluster local policy # @@ -24224,7 +24897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc kernel_read_kernel_sysctls(ricci_modcluster_t) kernel_read_system_state(ricci_modcluster_t) -@@ -227,6 +230,11 @@ +@@ -227,6 +233,11 @@ ricci_stream_connect_modclusterd(ricci_modcluster_t) optional_policy(` 
@@ -24236,7 +24909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc ccs_stream_connect(ricci_modcluster_t) ccs_domtrans(ricci_modcluster_t) ccs_manage_config(ricci_modcluster_t) -@@ -245,6 +253,10 @@ +@@ -245,6 +256,10 @@ ') optional_policy(` @@ -24247,7 +24920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc # XXX This has got to go. unconfined_domain(ricci_modcluster_t) ') -@@ -259,11 +271,11 @@ +@@ -259,11 +274,11 @@ allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms; allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms; allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms; @@ -24260,7 +24933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc # log files allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; -@@ -294,6 +306,8 @@ +@@ -294,6 +309,8 @@ fs_getattr_xattr_fs(ricci_modclusterd_t) @@ -24269,7 +24942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc init_stream_connect_script(ricci_modclusterd_t) locallogin_dontaudit_use_fds(ricci_modclusterd_t) -@@ -303,7 +317,11 @@ +@@ -303,7 +320,11 @@ miscfiles_read_localization(ricci_modclusterd_t) sysnet_domtrans_ifconfig(ricci_modclusterd_t) @@ -24282,7 +24955,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc optional_policy(` ccs_domtrans(ricci_modclusterd_t) -@@ -312,6 +330,10 @@ +@@ -312,6 +333,10 @@ ') optional_policy(` @@ -24293,7 +24966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc unconfined_use_fds(ricci_modclusterd_t) ') -@@ -440,6 +462,12 @@ +@@ -440,6 +465,12 @@ files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) 
@@ -24306,7 +24979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc storage_raw_read_fixed_disk(ricci_modstorage_t) term_dontaudit_use_console(ricci_modstorage_t) -@@ -457,6 +485,11 @@ +@@ -457,6 +488,11 @@ mount_domtrans(ricci_modstorage_t) optional_policy(` @@ -25091,6 +25764,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl corenet_all_recvfrom_unlabeled(saslauthd_t) corenet_all_recvfrom_netlabel(saslauthd_t) corenet_tcp_sendrecv_generic_if(saslauthd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.fc serefpolicy-3.7.19/policy/modules/services/sendmail.fc +--- nsaserefpolicy/policy/modules/services/sendmail.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/sendmail.fc 2010-04-30 09:53:00.000000000 -0400 +@@ -1,4 +1,6 @@ + ++/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0) ++ + /var/log/sendmail\.st -- gen_context(system_u:object_r:sendmail_log_t,s0) + /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.19/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2010-01-11 09:40:36.000000000 -0500 +++ serefpolicy-3.7.19/policy/modules/services/sendmail.if 2010-04-14 10:48:18.000000000 -0400 
@@ -25119,8 +25802,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.19/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/sendmail.te 2010-04-14 10:48:18.000000000 -0400 -@@ -30,7 +30,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/sendmail.te 2010-04-30 09:53:00.000000000 -0400 +@@ -20,6 +20,9 @@ + mta_mailserver_delivery(sendmail_t) + mta_mailserver_sender(sendmail_t) + ++type sendmail_initrc_exec_t; ++init_script_file(sendmail_initrc_exec_t) ++ + type unconfined_sendmail_t; + application_domain(unconfined_sendmail_t, sendmail_exec_t) + role system_r types unconfined_sendmail_t; +@@ -30,7 +33,7 @@ # allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; @@ -25129,7 +25822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send allow sendmail_t self:fifo_file rw_fifo_file_perms; allow sendmail_t self:unix_stream_socket create_stream_socket_perms; allow sendmail_t self:unix_dgram_socket create_socket_perms; -@@ -72,6 +72,7 @@ +@@ -72,6 +75,7 @@ fs_rw_anon_inodefs_files(sendmail_t) term_dontaudit_use_console(sendmail_t) @@ -25137,7 +25830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send # for piping mail to a command corecmd_exec_shell(sendmail_t) -@@ -84,12 +85,14 @@ +@@ -84,12 +88,14 @@ files_search_spool(sendmail_t) # for piping mail to a command files_read_etc_runtime_files(sendmail_t) @@ -25152,7 +25845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send auth_use_nsswitch(sendmail_t) -@@ -103,7 +106,7 @@ +@@ -103,7 +109,7 @@ miscfiles_read_localization(sendmail_t) userdom_dontaudit_use_unpriv_user_fds(sendmail_t) 
@@ -25161,7 +25854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
mta_read_config(sendmail_t)
mta_etc_filetrans_aliases(sendmail_t)
-@@ -133,6 +136,7 @@
+@@ -133,6 +139,7 @@
optional_policy(`
fail2ban_read_lib_files(sendmail_t)
@@ -25169,7 +25862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
')
optional_policy(`
-@@ -148,7 +152,9 @@
+@@ -148,7 +155,9 @@
')
optional_policy(`
@@ -25179,7 +25872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
')
-@@ -167,6 +173,10 @@
+@@ -167,6 +176,10 @@
')
optional_policy(`
@@ -25190,7 +25883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
udev_read_db(sendmail_t)
')
-@@ -184,3 +194,4 @@
+@@ -184,3 +197,4 @@
mta_etc_filetrans_aliases(unconfined_sendmail_t)
unconfined_domain(unconfined_sendmail_t)
')
@@ -26075,8 +26768,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.19/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc 2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.fc 2010-04-14 10:48:18.000000000 -0400
-@@ -14,3 +14,5 @@
++++ serefpolicy-3.7.19/policy/modules/services/ssh.fc 2010-04-30 09:53:00.000000000 -0400
+@@ -1,5 +1,7 @@
+ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+
++/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
++
+ /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
+ /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+ /etc/ssh/ssh_host_dsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+@@ -14,3 +16,5 @@
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
@@ -26277,8 +26978,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
## Delete from the ssh temp files.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2010-04-14 10:48:18.000000000 -0400
-@@ -114,6 +114,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2010-04-30 09:53:00.000000000 -0400
+@@ -34,6 +34,9 @@
+ ssh_server_template(sshd)
+ init_daemon_domain(sshd_t, sshd_exec_t)
+
++type sshd_initrc_exec_t;
++init_script_file(sshd_initrc_exec_t)
++
+ type sshd_key_t;
+ files_type(sshd_key_t)
+
+@@ -114,6 +117,7 @@
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
@@ -26286,7 +26997,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
# Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -125,9 +126,10 @@
+@@ -125,9 +129,10 @@
read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
# ssh servers can read the user keys and config
@@ -26300,7 +27011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
kernel_read_kernel_sysctls(ssh_t)
kernel_read_system_state(ssh_t)
-@@ -139,6 +141,8 @@
+@@ -139,6 +144,8 @@
corenet_tcp_sendrecv_all_ports(ssh_t)
corenet_tcp_connect_ssh_port(ssh_t)
corenet_sendrecv_ssh_client_packets(ssh_t)
@@ -26309,7 +27020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
dev_read_urand(ssh_t)
-@@ -170,8 +174,10 @@
+@@ -170,8 +177,10 @@
userdom_search_user_home_dirs(ssh_t)
# Write to the user domain tty.
userdom_use_user_terminals(ssh_t)
@@ -26321,7 +27032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
tunable_policy(`allow_ssh_keysign',`
domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -282,6 +288,8 @@
+@@ -282,6 +291,8 @@
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -26330,7 +27041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-@@ -292,22 +300,30 @@
+@@ -292,22 +303,30 @@
term_use_all_ptys(sshd_t)
term_setattr_all_ptys(sshd_t)
@@ -26365,7 +27076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
optional_policy(`
-@@ -315,7 +331,12 @@
+@@ -315,7 +334,12 @@
')
optional_policy(`
@@ -26379,7 +27090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
optional_policy(`
-@@ -323,6 +344,10 @@
+@@ -323,6 +347,10 @@
')
optional_policy(`
@@ -26390,7 +27101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
rpm_use_script_fds(sshd_t)
')
-@@ -333,10 +358,18 @@
+@@ -333,10 +361,18 @@
')
optional_policy(`
@@ -28424,7 +29135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.19/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-04-30 08:25:24.000000000 -0400
@@ -41,7 +41,6 @@
##
#
@@ -29593,20 +30304,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
+userdom_read_user_tmp_files(setkey_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.19/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2010-02-12 16:41:05.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/system/iptables.fc 2010-04-20 09:06:19.000000000 -0400
-@@ -1,6 +1,4 @@
++++ serefpolicy-3.7.19/policy/modules/system/iptables.fc 2010-04-30 08:55:43.000000000 -0400
+@@ -1,13 +1,18 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-@@ -11,3 +9,5 @@
+ /sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+ /sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
++/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
++
+ /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
+/usr/bin/ncftool -- gen_context(system_u:object_r:iptables_exec_t,s0)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.19/policy/modules/system/iptables.if
--- nsaserefpolicy/policy/modules/system/iptables.if 2009-12-04
09:43:33.000000000 -0500
+++ serefpolicy-3.7.19/policy/modules/system/iptables.if 2010-04-14 10:48:18.000000000 -0400
@@ -29623,7 +30342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.19/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/iptables.te 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/iptables.te 2010-04-30 08:55:43.000000000 -0400
@@ -14,9 +14,6 @@
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
@@ -29634,13 +30353,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
type iptables_tmp_t;
files_tmp_file(iptables_tmp_t)
-@@ -30,12 +27,12 @@
+@@ -30,12 +27,14 @@
allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
dontaudit iptables_t self:capability sys_tty_config;
-allow iptables_t self:fifo_file rw_fifo_file_perms;
+allow iptables_t self:fifo_file rw_file_perms;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
++# needed by ipvsadm
++allow iptables_t self:netlink_socket create_socket_perms;
allow iptables_t self:rawip_socket create_socket_perms;
-manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
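Review bot: Folding the IPVS tools into iptables_t widens an already capable domain: the iptables.fc hunk that ends here labels `/sbin/ipvsadm`, `/sbin/ipvsadm-restore` and `/sbin/ipvsadm-save` as iptables_exec_t, the `+@@ -30,12 +27,14 @@` hunk on this line grants `self:netlink_socket create_socket_perms`, and the `+@@ -53,10 +52,16 @@` hunk on the next line adds `corecmd_exec_bin(iptables_t)`, so a domain holding net_admin, net_raw and dac_override (visible in the same hunk) may now execute any bin_t program without a transition. If the exec permission exists only because ipvsadm-save/ipvsadm-restore spawn a helper, naming that helper in a narrower rule, or giving ipvsadm its own domain, would keep the firewall-management domain from becoming a general-purpose executor; which helper is needed is not visible here and should be confirmed from the audit denial that motivated the rule. The two `# needed by ipvsadm` comments are welcome, but the one above corecmd_exec_bin would be more useful if it named the command that needs it, e.g. `# needed by ipvsadm-save/ipvsadm-restore (helper exec) — confirm against AVC`.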
@@ -29650,7 +30371,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-@@ -57,6 +54,9 @@
+@@ -53,10 +52,16 @@
+ kernel_read_modprobe_sysctls(iptables_t)
+ kernel_use_fds(iptables_t)
+
++# needed by ipvsadm
++corecmd_exec_bin(iptables_t)
++
+ corenet_relabelto_all_packets(iptables_t)
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
dev_read_sysfs(iptables_t)
@@ -29660,7 +30388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
fs_getattr_xattr_fs(iptables_t)
fs_search_auto_mountpoints(iptables_t)
-@@ -65,6 +65,7 @@
+@@ -65,6 +70,7 @@
mls_file_read_all_levels(iptables_t)
term_dontaudit_use_console(iptables_t)
@@ -29668,7 +30396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
domain_use_interactive_fds(iptables_t)
-@@ -78,6 +79,7 @@
+@@ -78,6 +84,7 @@
# to allow rules to be saved on reboot:
init_rw_script_tmp_files(iptables_t)
init_rw_script_stream_sockets(iptables_t)
@@ -29676,7 +30404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
logging_send_syslog_msg(iptables_t)
-@@ -91,6 +93,7 @@
+@@ -91,6 +98,7 @@
optional_policy(`
fail2ban_append_log(iptables_t)