diff --git a/policy-F13.patch b/policy-F13.patch index 8411ffc..ccd98ff 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -791,8 +791,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.7.19/policy/modules/admin/ncftool.te --- nsaserefpolicy/policy/modules/admin/ncftool.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/admin/ncftool.te 2010-08-04 14:43:51.328085349 +0200 -@@ -0,0 +1,81 @@ ++++ serefpolicy-3.7.19/policy/modules/admin/ncftool.te 2010-08-06 12:08:25.383084696 +0200 +@@ -0,0 +1,85 @@ + +policy_module(ncftool,1.0.0) + @@ -866,12 +866,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool + +userdom_read_user_tmp_files(ncftool_t) + ++#optional_policy(` ++# brctl_domtrans(ncftool_t) ++#') ++ +optional_policy(` -+ brctl_domtrans(ncftool_t) ++ dbus_system_bus_client(ncftool_t) +') + +optional_policy(` -+ dbus_system_bus_client(ncftool_t) ++ iptables_initrc_domtrans(ncftool_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.19/policy/modules/admin/netutils.fc @@ -1226,7 +1230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe fs_dontaudit_read_ramfs_files(readahead_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.19/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/rpm.fc 2010-07-13 15:40:51.058503014 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/rpm.fc 2010-08-05 16:24:23.494085276 +0200 @@ -1,18 +1,20 @@ /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) 
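Review bot: The new `iptables_initrc_domtrans(ncftool_t)` at the end of the ncftool.te hunk carries no comment and is a far broader grant than the `brctl_domtrans` it is added beside, since an initrc_domtrans interface presumably runs the firewall init script in initrc_t rather than in a narrow iptables domain. If ncftool only needs to apply or reload rules, `iptables_domtrans(ncftool_t)` would keep it in iptables_t; if the init script really is required, add a why-comment such as `# ncftool restarts the firewall through its init script` above the optional_policy block. The commented-out brctl block should either be deleted or carry a one-line reason, particularly because the preceding changelog entry advertised exactly that permission. Neither the brctl revert nor the iptables grant appears in the 3.7.19-44 changelog entry.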
@@ -1254,7 +1258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc ifdef(`distro_redhat', ` /usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) -@@ -21,15 +23,23 @@ +@@ -21,15 +23,25 @@ /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -1268,6 +1272,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) ++ ++/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) /var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) @@ -5647,7 +5653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.19/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/nsplugin.te 2010-07-13 08:42:05.605502749 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/nsplugin.te 2010-08-05 10:55:36.778085667 +0200 @@ -0,0 +1,299 @@ + +policy_module(nsplugin, 1.0.0) @@ -5679,7 +5685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + +type nsplugin_rw_t; +files_poly_member(nsplugin_rw_t) -+userdom_user_home_content(nsplugin_rw_t) ++files_type(nsplugin_rw_t) + +type nsplugin_tmp_t; +files_tmp_file(nsplugin_tmp_t) 
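Review bot: Replacing `userdom_user_home_content(nsplugin_rw_t)` with `files_type(nsplugin_rw_t)` in the nsplugin.te hunk silently changes which domains can reach the type: anything granted access through the user-home-content attribute interfaces (and, presumably, the UBAC constraint that comes with them) no longer covers nsplugin_rw_t, while `files_poly_member` is kept. Nothing in the hunk says why, so a reader cannot tell whether this is deliberate narrowing or an accident; add a comment such as `# not user home content: only reached through the nsplugin_* interfaces` and confirm the nsplugin interfaces still grant the browser domains what they need. The remaining type declarations continue outside the hunk.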
@@ -8410,7 +8416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-07-14 11:12:04.568158290 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-08-05 11:50:26.359085282 +0200 @@ -25,6 +25,7 @@ # type tun_tap_device_t; @@ -8479,7 +8485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) -@@ -125,39 +133,52 @@ +@@ -125,39 +133,53 @@ network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) @@ -8493,6 +8499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) network_port(lmtp, tcp,24,s0, udp,24,s0) +network_port(lirc, tcp,8765,s0) ++network_port(luci, tcp,8084,s0) type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon network_port(mail, tcp,2000,s0, tcp,3905,s0) network_port(memcache, tcp,11211,s0, udp,11211,s0) @@ -8534,7 +8541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -177,18 +198,22 @@ +@@ -177,18 +199,22 @@ network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) 
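Review bot: `network_port(luci, tcp,8084,s0)` in the corenetwork.te.in hunk says nothing about where 8084 comes from, unlike the neighbouring http_cache entry that explains 8118. Add an end-of-line comment, e.g. `network_port(luci, tcp,8084,s0) # presumably luci's default listening port`, so whoever meets a luci instance on another port knows this is only the default and that `semanage port -a -t luci_port_t -p tcp N` is the supported way to move it.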
@@ -8558,7 +8565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -201,23 +226,23 @@ +@@ -201,23 +227,23 @@ network_port(varnishd, tcp,6081,s0, tcp,6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -11211,7 +11218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag /dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.19/policy/modules/kernel/storage.if --- nsaserefpolicy/policy/modules/kernel/storage.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/storage.if 2010-05-28 09:42:00.041610572 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/storage.if 2010-08-06 12:20:38.267333652 +0200 @@ -101,6 +101,8 @@ dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; @@ -11221,7 +11228,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag typeattribute $1 fixed_disk_raw_read; ') -@@ -572,6 +574,26 @@ +@@ -203,6 +205,8 @@ + type fixed_disk_device_t; + ') + ++ allow $1 self:capability mknod; ++ + allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; + dev_add_entry_generic_dirs($1) + ') +@@ -572,6 +576,26 @@ ######################################## ## 
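Review bot: `allow $1 self:capability mknod;` is added inside a storage.if interface (the one granting `fixed_disk_device_t:blk_file create_blk_file_perms` and `dev_add_entry_generic_dirs`), so every existing caller of that interface silently gains CAP_MKNOD, which the kernel checks for any device node, not just fixed-disk ones. That is probably what callers need to actually create the node, but the widening should be stated in the interface's doc comment and the rule deserves a why-comment, e.g. `# CAP_MKNOD is needed to create the node; the blk_file create rule above limits the label, not the major/minor`. If a single caller triggered this, granting the capability in that domain's .te would be the narrower fix. The interface's header and summary are outside the hunk.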
@@ -23174,7 +23190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.19/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/munin.te 2010-08-02 09:03:13.550641907 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/munin.te 2010-08-06 12:19:29.129334324 +0200 @@ -28,12 +28,26 @@ type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) @@ -23213,7 +23229,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni # Allow access to the munin databases manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) -@@ -131,8 +146,13 @@ +@@ -108,6 +123,7 @@ + + miscfiles_read_fonts(munin_t) + miscfiles_read_localization(munin_t) ++miscfiles_setattr_fonts_cache_dirs(munin_t) + + sysnet_exec_ifconfig(munin_t) + +@@ -131,8 +147,13 @@ ') optional_policy(` @@ -23227,7 +23251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni mta_read_queue(munin_t) ') -@@ -147,6 +167,7 @@ +@@ -147,6 +168,7 @@ optional_policy(` postfix_list_spool(munin_t) @@ -23235,7 +23259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ') optional_policy(` -@@ -164,3 +185,160 @@ +@@ -164,3 +186,160 @@ optional_policy(` udev_read_db(munin_t) ') 
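Review bot: `miscfiles_setattr_fonts_cache_dirs(munin_t)` in the munin.te hunk grants a write-class permission where refpolicy normally silences the denial instead: fontconfig tries to touch the cache directories and works when refused, which is why a `miscfiles_dontaudit_setattr_fonts_cache_dirs` interface exists. Unless munin genuinely has to update the shared font cache, replace the line with `miscfiles_dontaudit_setattr_fonts_cache_dirs(munin_t)` so a compromised munin plugin cannot alter system font cache metadata. The rest of the munin_t rules continue outside the hunk.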
@@ -24588,7 +24612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. +/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.19/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/nis.if 2010-05-28 09:42:00.136610568 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nis.if 2010-08-06 12:16:38.934083793 +0200 @@ -28,7 +28,7 @@ type var_yp_t; ') 
@@ -24598,6 +24622,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. allow $1 self:tcp_socket create_stream_socket_perms; allow $1 self:udp_socket create_socket_perms; +@@ -38,27 +38,27 @@ + allow $1 var_yp_t:file read_file_perms; + + corenet_all_recvfrom_unlabeled($1) +- corenet_all_recvfrom_netlabel($1) +- corenet_tcp_sendrecv_generic_if($1) +- corenet_udp_sendrecv_generic_if($1) +- corenet_tcp_sendrecv_generic_node($1) +- corenet_udp_sendrecv_generic_node($1) +- corenet_tcp_sendrecv_all_ports($1) +- corenet_udp_sendrecv_all_ports($1) +- corenet_tcp_bind_generic_node($1) +- corenet_udp_bind_generic_node($1) +- corenet_tcp_bind_generic_port($1) +- corenet_udp_bind_generic_port($1) +- corenet_dontaudit_tcp_bind_all_reserved_ports($1) +- corenet_dontaudit_udp_bind_all_reserved_ports($1) +- corenet_dontaudit_tcp_bind_all_ports($1) +- corenet_dontaudit_udp_bind_all_ports($1) +- corenet_tcp_connect_portmap_port($1) +- corenet_tcp_connect_reserved_port($1) +- corenet_tcp_connect_generic_port($1) +- corenet_dontaudit_tcp_connect_all_ports($1) +- corenet_sendrecv_portmap_client_packets($1) +- corenet_sendrecv_generic_client_packets($1) ++ corenet_all_recvfrom_netlabel($1) ++ corenet_tcp_sendrecv_generic_if($1) ++ corenet_udp_sendrecv_generic_if($1) ++ corenet_tcp_sendrecv_generic_node($1) ++ corenet_udp_sendrecv_generic_node($1) ++ corenet_tcp_sendrecv_all_ports($1) ++ corenet_udp_sendrecv_all_ports($1) ++ corenet_tcp_bind_generic_node($1) ++ corenet_udp_bind_generic_node($1) ++ corenet_tcp_bind_generic_port($1) ++ corenet_udp_bind_generic_port($1) ++ corenet_tcp_bind_all_rpc_ports($1) ++ corenet_udp_bind_all_rpc_ports($1) ++ corenet_dontaudit_tcp_bind_all_ports($1) ++ corenet_dontaudit_udp_bind_all_ports($1) ++ corenet_tcp_connect_portmap_port($1) ++ corenet_tcp_connect_all_reserved_ports($1) ++ corenet_tcp_connect_generic_port($1) ++ corenet_dontaudit_tcp_connect_all_ports($1) ++ corenet_sendrecv_portmap_client_packets($1) ++ 
corenet_sendrecv_generic_client_packets($1) + corenet_sendrecv_generic_server_packets($1) + + sysnet_read_config($1) @@ -133,11 +133,37 @@ ######################################## @@ -25503,8 +25576,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.fc serefpolicy-3.7.19/policy/modules/services/piranha.fc --- nsaserefpolicy/policy/modules/services/piranha.fc 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/piranha.fc 2010-05-28 09:42:00.148610747 +0200 -@@ -0,0 +1,21 @@ ++++ serefpolicy-3.7.19/policy/modules/services/piranha.fc 2010-08-05 10:49:22.814085304 +0200 +@@ -0,0 +1,27 @@ + +/etc/rc\.d/init\.d/pulse -- gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0) + @@ -25513,11 +25586,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira + +/etc/piranha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0) + ++/usr/bin/paster -- gen_context(system_u:object_r:piranha_web_exec_t,s0) ++ +/usr/sbin/fos -- gen_context(system_u:object_r:piranha_fos_exec_t,s0) +/usr/sbin/lvsd -- gen_context(system_u:object_r:piranha_lvs_exec_t,s0) +/usr/sbin/piranha_gui -- gen_context(system_u:object_r:piranha_web_exec_t,s0) +/usr/sbin/pulse -- gen_context(system_u:object_r:piranha_pulse_exec_t,s0) + ++/var/lib/luci(/.*)? gen_context(system_u:object_r:piranha_web_data_t,s0) ++/var/lib/luci/cert(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0) ++/var/lib/luci/etc(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0) ++ +/var/log/piranha(/.*)? gen_context(system_u:object_r:piranha_log_t,s0) + +/var/run/fos\.pid -- gen_context(system_u:object_r:piranha_fos_var_run_t,s0) 
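Review bot: Beyond the whitespace rewrite, the nis.if hunk turns two dontaudit rules into allows and broadens a third for every domain that calls this interface: `corenet_dontaudit_{tcp,udp}_bind_all_reserved_ports` become `corenet_{tcp,udp}_bind_all_rpc_ports`, and `corenet_tcp_connect_reserved_port` becomes `corenet_tcp_connect_all_reserved_ports`. Since this is a client-side interface applied to many NIS-using domains (presumably under the ypbind tunable), each of them can now bind any RPC port and connect to any reserved port, which is a real widening rather than a cleanup, and neither the hunk nor the changelog explains it. If a concrete denial motivated it, add a comment above the block such as `# NIS clients bind a privileged RPC port and reach ypserv on any reserved port` naming that case; otherwise keep the dontaudit form. The interface's header is outside the hunk.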
@@ -25707,8 +25786,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.te serefpolicy-3.7.19/policy/modules/services/piranha.te --- nsaserefpolicy/policy/modules/services/piranha.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/piranha.te 2010-07-09 09:34:16.430135505 +0200 -@@ -0,0 +1,198 @@ ++++ serefpolicy-3.7.19/policy/modules/services/piranha.te 2010-08-05 10:47:23.099085304 +0200 +@@ -0,0 +1,225 @@ + +policy_module(piranha,1.0.0) + @@ -25740,6 +25819,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira +type piranha_web_tmpfs_t; +files_tmpfs_file(piranha_web_tmpfs_t) + ++type piranha_web_conf_t; ++files_type(piranha_web_conf_t) ++ ++type piranha_web_data_t; ++files_type(piranha_web_data_t) ++ ++type piranha_web_tmp_t; ++files_tmp_file(piranha_web_tmp_t) ++ +permissive piranha_fos_t; +permissive piranha_lvs_t; +permissive piranha_pulse_t; 
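Review bot: Labelling `/usr/bin/paster` as `piranha_web_exec_t` in the piranha.fc hunk ties a generic Python Paste launcher to the piranha web domain: paster is not luci-specific, so any other Paste-based application started from that binary will also run as piranha_web_t, with that domain's write access to `lvs.cf` and its log and tmpfs types. If luci is the only intended user, a narrower anchor (luci's own init script or its installed entry point, if one exists) is preferable; otherwise add a comment such as `# luci is launched through paster; every paster-started app lands in piranha_web_t` so the scope is visible. The `/var/lib/luci/cert(/.*)?` entry correctly gets the read-only conf type, which keeps the domain from rewriting its own certificates, and deserves a short comment saying so.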
@@ -25783,10 +25871,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira + +rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t) + ++manage_files_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t) ++manage_dirs_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t) ++files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file) ++ ++read_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t) ++ +manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t) +manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t) +logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file } ) + ++can_exec(piranha_web_t, piranha_web_tmp_t) ++manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t) ++manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t) ++files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir }) ++ +manage_dirs_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t) +manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t) +fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file }) @@ -25796,6 +25895,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira +kernel_read_kernel_sysctls(piranha_web_t) + +corenet_tcp_bind_piranha_port(piranha_web_t) ++corenet_tcp_bind_luci_port(piranha_web_t) ++corenet_tcp_connect_ricci_port(piranha_web_t) + +dev_read_urand(piranha_web_t) + @@ -25806,11 +25907,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira +consoletype_exec(piranha_web_t) + +optional_policy(` ++ apache_read_config(piranha_web_t) + apache_getattr_suexec(piranha_web_t) + apache_exec_modules(piranha_web_t) + apache_exec(piranha_web_t) +') + ++optional_policy(` ++ sasl_connect(piranha_web_t) ++') ++ +###################################### +# +# piranha-lvs local policy 
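Review bot: `can_exec(piranha_web_t, piranha_web_tmp_t)` together with the `manage_files_pattern` on the same type in the piranha.te hunk lets the web front-end write a file under /tmp and then execute it, which turns any upload or code-injection bug in the web app into native code execution inside the domain. If some component really needs executable scratch space (nothing in the hunk says which), put a comment above the line, e.g. `# TODO confirm: which luci/paster component needs to exec generated files in tmp`, and prefer gating it behind a boolean; otherwise drop the `can_exec` and keep only the manage rules. Separately, `files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file)` only covers `file`, so a directory the app creates directly under /var/lib would not get `piranha_web_data_t`; add `dir` if that path is ever taken. The domain's remaining rules continue outside the hunk.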
@@ -29254,8 +29360,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-07-09 09:10:00.586383981 +0200 -@@ -0,0 +1,244 @@ ++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-08-06 12:18:34.559334235 +0200 +@@ -0,0 +1,245 @@ + +policy_module(rhcs,1.1.0) + @@ -29328,6 +29434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + +allow fenced_t self:tcp_socket create_stream_socket_perms; +allow fenced_t self:udp_socket create_socket_perms; ++allow fenced_t self:unix_stream_socket connectto; + +can_exec(fenced_t,fenced_exec_t) + @@ -33772,7 +33879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-08-04 15:12:04.599085274 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-08-06 12:35:56.607334166 +0200 @@ -1,5 +1,5 @@ -policy_module(xserver, 3.3.2) 
@@ -34518,7 +34625,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -673,7 +953,6 @@ +@@ -647,6 +927,7 @@ + # Xorg wants to check if kernel is tainted + kernel_read_kernel_sysctls(xserver_t) + kernel_write_proc_files(xserver_t) ++kernel_request_load_module(xserver_t) + + # Run helper programs in xserver_t. + corecmd_exec_bin(xserver_t) +@@ -673,7 +954,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -34526,7 +34641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +962,12 @@ +@@ -683,9 +963,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -34540,7 +34655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +982,13 @@ +@@ -700,8 +983,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -34554,7 +34669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,11 +1010,14 @@ +@@ -723,11 +1011,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -34569,7 +34684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -779,12 +1069,28 @@ +@@ -779,12 +1070,28 @@ ') optional_policy(` 
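Review bot: `kernel_request_load_module(xserver_t)` in the xserver.te hunk is added without saying which module Xorg triggers, whereas the neighbouring `kernel_read_kernel_sysctls` line carries its reason. Module autoload requests are kernel-mediated and comparatively safe, but the permission still lets a compromised X server pull any aliased module into the kernel, so the rule should document the trigger, e.g. `# Xorg autoloads DRM/framebuffer driver modules via request_module -- TODO confirm` on the line above. The rest of xserver_t's device rules continue outside the hunk.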
@@ -34599,7 +34714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -811,7 +1117,7 @@ +@@ -811,7 +1118,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -34608,7 +34723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1138,14 @@ +@@ -832,9 +1139,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -34623,7 +34738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1160,14 @@ +@@ -849,11 +1161,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -34640,7 +34755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -999,3 +1313,33 @@ +@@ -999,3 +1314,33 @@ allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -36008,7 +36123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.19/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-06-29 10:04:26.921616707 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-08-06 12:09:07.432084464 +0200 @@ -73,7 +73,7 @@ # 
@@ -36018,7 +36133,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. allow ipsec_t self:process { getcap setcap getsched signal setsched }; allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:udp_socket create_socket_perms; -@@ -167,6 +167,8 @@ +@@ -150,6 +150,7 @@ + files_list_tmp(ipsec_t) + files_read_etc_files(ipsec_t) + files_read_usr_files(ipsec_t) ++files_dontaudit_search_home(ipsec_t) + + fs_getattr_all_fs(ipsec_t) + fs_search_auto_mountpoints(ipsec_t) +@@ -167,6 +168,8 @@ miscfiles_read_localization(ipsec_t) sysnet_domtrans_ifconfig(ipsec_t) @@ -36027,7 +36150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -186,7 +188,9 @@ +@@ -186,7 +189,9 @@ allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; dontaudit ipsec_mgmt_t self:capability sys_tty_config; @@ -36038,7 +36161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; -@@ -225,7 +229,6 @@ +@@ -225,7 +230,6 @@ manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) @@ -36046,7 +36169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # whack needs to connect to pluto stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) -@@ -258,7 +261,13 @@ +@@ -258,7 +262,13 @@ domain_use_interactive_fds(ipsec_mgmt_t) # denials when ps tries to search /proc. Do not audit these denials. 
@@ -36061,7 +36184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # suppress audit messages about unnecessary socket access # cjp: this seems excessive domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t) -@@ -270,19 +279,25 @@ +@@ -270,19 +280,25 @@ files_read_usr_files(ipsec_mgmt_t) files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) files_dontaudit_getattr_default_files(ipsec_mgmt_t) @@ -36088,7 +36211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. logging_send_syslog_msg(ipsec_mgmt_t) miscfiles_read_localization(ipsec_mgmt_t) -@@ -291,15 +306,38 @@ +@@ -291,15 +307,38 @@ seutil_dontaudit_search_config(ipsec_mgmt_t) @@ -36127,7 +36250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. nscd_socket_use(ipsec_mgmt_t) ') -@@ -386,6 +424,8 @@ +@@ -386,6 +425,8 @@ sysnet_exec_ifconfig(racoon_t) @@ -36136,7 +36259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -412,6 +452,7 @@ +@@ -412,6 +453,7 @@ files_read_etc_files(setkey_t) init_dontaudit_use_fds(setkey_t) @@ -36144,7 +36267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # allow setkey to set the context for ipsec SAs and policy. ipsec_setcontext_default_spd(setkey_t) -@@ -423,3 +464,4 @@ +@@ -423,3 +465,4 @@ seutil_read_config(setkey_t) userdom_use_user_terminals(setkey_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 9d53773..e9017a3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 43%{?dist} +Release: 44%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -469,6 +469,10 @@ exit 0 %endif %changelog +* Thu Aug 5 2010 Miroslav Grepl 3.7.19-44 +- Add support for luci +- Add label for /var/spool/up2date + * Wed Aug 4 2010 Miroslav Grepl 3.7.19-43 - Allow ncftool to run brctl - Fixes for ricci-modclusterd policy