diff --git a/modules-targeted.conf b/modules-targeted.conf index fe466ef..94c79ba 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -233,6 +233,13 @@ certwatch = module certmaster = module # Layer: services +# Module: certmonger +# +# Certificate status monitor and PKI enrollment client +# +certmonger = module + +# Layer: services # Module: cipe # # Encrypted tunnel daemon diff --git a/policy-F12.patch b/policy-F12.patch index 0f10fa7..3aa78b0 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -259,7 +259,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.32/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/kismet.te 2009-12-03 13:45:10.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/admin/kismet.te 2009-12-14 07:03:10.000000000 -0500 @@ -26,6 +26,9 @@ type kismet_var_run_t; files_pid_file(kismet_var_run_t) @@ -296,6 +296,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(kismet_t) +@@ -71,6 +82,7 @@ + corenet_tcp_sendrecv_all_ports(kismet_t) + corenet_tcp_bind_generic_node(kismet_t) + corenet_tcp_bind_kismet_port(kismet_t) ++corenet_tcp_connect_gpsd_port(kismet_t) + corenet_tcp_connect_kismet_port(kismet_t) + corenet_tcp_connect_pulseaudio_port(kismet_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.32/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te 2009-12-07 16:23:11.000000000 -0500 
@@ -1818,7 +1826,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.32/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/tmpreaper.te 2009-12-03 13:45:10.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/admin/tmpreaper.te 2009-12-15 09:51:23.000000000 -0500 @@ -42,6 +42,7 @@ cron_system_entry(tmpreaper_t, tmpreaper_exec_t) @@ -1827,19 +1835,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_delete_user_home_content_dirs(tmpreaper_t) userdom_delete_user_home_content_files(tmpreaper_t) userdom_delete_user_home_content_symlinks(tmpreaper_t) -@@ -52,6 +53,11 @@ +@@ -52,6 +53,13 @@ ') optional_policy(` + apache_delete_sys_content_rw(tmpreaper_t) ++ apache_list_cache(tmpreaper_t) + apache_delete_cache(tmpreaper_t) ++ apache_setattr_cache_dirs(tmpreaper_t) +') + +optional_policy(` kismet_manage_log(tmpreaper_t) ') -@@ -60,5 +66,9 @@ +@@ -60,5 +68,9 @@ ') optional_policy(` @@ -3360,8 +3370,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.32/policy/modules/apps/livecd.te --- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/livecd.te 2009-12-03 13:45:10.000000000 -0500 -@@ -0,0 +1,27 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/livecd.te 2009-12-14 06:26:17.000000000 -0500 +@@ -0,0 +1,28 @@ +policy_module(livecd, 1.0.0) + +######################################## 
@@ -3389,6 +3399,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +seutil_domtrans_setfiles_mac(livecd_t) + ++allow livecd_t self:passwd { passwd chfn chsh }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.6.32/policy/modules/apps/loadkeys.te --- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/apps/loadkeys.te 2009-12-03 13:45:10.000000000 -0500 @@ -3569,7 +3580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.32/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.if 2009-12-03 13:45:10.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.if 2009-12-15 09:19:26.000000000 -0500 @@ -45,6 +45,18 @@ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) 
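Review bot: The new `allow livecd_t self:passwd { passwd chfn chsh };` at the end of livecd.te carries no comment, and it is the rule that lets password, shell and finger-information changes proceed for processes running in livecd_t, so the reason it is needed should be recorded beside it. A line such as `# passwd/chfn/chsh are presumably run while populating the image chroot; the self:passwd check must pass for them to succeed — confirm which tool triggers it` would let the next reader judge whether the grant can be narrowed (for example to `passwd` alone if chfn/chsh are never invoked). The rule is also appended after `seutil_domtrans_setfiles_mac(livecd_t)` rather than grouped with the domain's other self rules, which is where refpolicy layout puts it. The rest of livecd.te is outside this hunk.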
@@ -5886,6 +5897,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + mozilla_dontaudit_manage_user_home_files(seunshare_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.6.32/policy/modules/apps/slocate.te +--- nsaserefpolicy/policy/modules/apps/slocate.te 2009-09-16 10:01:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/slocate.te 2009-12-14 07:21:33.000000000 -0500 +@@ -50,6 +50,7 @@ + fs_getattr_all_symlinks(locate_t) + fs_list_all(locate_t) + fs_list_inotifyfs(locate_t) ++fs_read_noxattr_fs_symlinks(locate_t) + + # getpwnam + auth_use_nsswitch(locate_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.32/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/apps/vmware.te 2009-12-03 13:45:10.000000000 -0500 
@@ -6419,8 +6441,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2009-12-03 13:45:10.000000000 -0500 -@@ -47,8 +47,10 @@ ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2009-12-12 07:47:41.000000000 -0500 +@@ -17,6 +17,7 @@ + /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) + /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) +@@ -47,8 +48,10 @@ /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) /dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0) @@ -6431,7 +6461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) -@@ -82,6 +84,7 @@ +@@ -82,6 +85,7 @@ /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/random -c gen_context(system_u:object_r:random_device_t,s0) /dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0) 
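Review bot: `/dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)` in the devices.fc hunk labels the DAHDI telephony device nodes with the generic sound type, so every domain that is granted the sound device (in refpolicy that is commonly the interactive user domains, not just the telephony daemon) gets the same access to the telephony spans. If the intent is only to let Asterisk drive the cards, a dedicated device type would keep that exposure out of the user domains; at minimum a comment such as `# DAHDI telephony boards; sharing sound_device_t until a dedicated type exists` should make the choice explicit. The asterisk.te changes in this same commit suggest asterisk_t is the intended consumer, but that cannot be confirmed from this hunk.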
@@ -6439,7 +6469,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -101,7 +104,7 @@ +@@ -101,7 +105,7 @@ /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) @@ -6448,7 +6478,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -138,9 +141,14 @@ +@@ -138,9 +142,14 @@ /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0) /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) @@ -6463,7 +6493,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/pts(/.*)? <> /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -148,6 +156,8 @@ +@@ -148,6 +157,8 @@ /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -6472,7 +6502,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -168,6 +178,7 @@ +@@ -168,6 +179,7 @@ ifdef(`distro_redhat',` # originally from named.fc 
@@ -7313,20 +7343,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-12-10 10:34:27.000000000 -0500 -@@ -110,6 +110,11 @@ ++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-12-15 08:48:57.000000000 -0500 +@@ -110,7 +110,11 @@ ## # interface(`files_config_file',` + gen_require(` -+ attribute etcfile; ++ attribute configfile; + ') -+ -+ typeattribute $1 etcfile; files_type($1) ++ typeattribute $1 configfile; ') -@@ -928,10 +933,8 @@ + ######################################## +@@ -928,10 +932,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -7339,7 +7369,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1331,6 +1334,24 @@ +@@ -1207,6 +1209,24 @@ + + ######################################## + ## ++## Search all mount points. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_dontaudit_search_all_mountpoints',` ++ gen_require(` ++ attribute mountpoint; ++ ') ++ ++ dontaudit $1 mountpoint:dir search_dir_perms; ++') ++ ++######################################## ++## + ## List the contents of the root directory. + ## + ## +@@ -1331,6 +1351,24 @@ ######################################## ## 
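Review bot: In hunk `@@ -7339,7 +7369,32 @@`, the summary of the new `files_dontaudit_search_all_mountpoints` interface reads `## Search all mount points.`, but its body is a `dontaudit` rule, so the XML summary describes an allow that the interface does not grant. Change it to `## Do not audit attempts to search all mount points.` so it matches the `files_dontaudit_*` naming and the other dontaudit summaries in files.if. The interface body itself (gen_require on `attribute mountpoint` and `dontaudit $1 mountpoint:dir search_dir_perms;`) is consistent with the name.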
@@ -7364,7 +7419,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Remove entries from the root directory. ## ## -@@ -1487,6 +1508,25 @@ +@@ -1487,6 +1525,25 @@ ######################################## ## @@ -7390,7 +7445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete files ## in the /boot directory. ## -@@ -1715,6 +1755,25 @@ +@@ -1715,6 +1772,25 @@ ######################################## ## @@ -7416,7 +7471,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Mount a filesystem on a directory with the default file type. ## ## -@@ -1931,6 +1990,28 @@ +@@ -1931,6 +2007,28 @@ allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -7436,16 +7491,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +interface(`files_read_config_files',` + gen_require(` -+ attribute etcfile; ++ attribute configfile; + ') + -+ allow $1 etcfile:dir list_dir_perms; -+ read_files_pattern($1, etcfile, etcfile) -+ read_lnk_files_pattern($1, etcfile, etcfile) ++ allow $1 configfile:dir list_dir_perms; ++ read_files_pattern($1, configfile, configfile) ++ read_lnk_files_pattern($1, configfile, configfile) ') ######################################## -@@ -2011,6 +2092,25 @@ +@@ -2011,6 +2109,25 @@ delete_files_pattern($1, etc_t, etc_t) ') 
@@ -7471,7 +7526,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Execute generic files in /etc. -@@ -2418,6 +2518,11 @@ +@@ -2159,8 +2276,8 @@ + ') + + allow $1 etc_t:dir list_dir_perms; +- read_files_pattern($1, etc_t, etc_runtime_t) +- read_lnk_files_pattern($1, etc_t, etc_runtime_t) ++ read_files_pattern($1, etc_runtime_t, etc_runtime_t) ++ read_lnk_files_pattern($1, etc_runtime_t, etc_runtime_t) + ') + + ######################################## +@@ -2418,6 +2535,11 @@ ') delete_files_pattern($1, file_t, file_t) @@ -7483,7 +7549,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3320,6 +3425,32 @@ +@@ -3320,6 +3442,32 @@ ######################################## ## @@ -7516,7 +7582,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Manage temporary files and directories in /tmp. ## ## -@@ -3449,6 +3580,24 @@ +@@ -3449,6 +3597,24 @@ ######################################## ## @@ -7541,7 +7607,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read all tmp files. ## ## -@@ -3515,6 +3664,8 @@ +@@ -3515,6 +3681,8 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -7550,7 +7616,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3623,7 +3774,12 @@ +@@ -3623,7 +3791,12 @@ type usr_t; ') @@ -7564,7 +7630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3662,6 +3818,7 @@ +@@ -3662,6 +3835,7 @@ allow $1 usr_t:dir list_dir_perms; read_files_pattern($1, usr_t, usr_t) read_lnk_files_pattern($1, usr_t, usr_t) 
@@ -7572,7 +7638,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4188,6 +4345,24 @@ +@@ -4188,6 +4362,24 @@ ######################################## ## @@ -7597,7 +7663,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Search the /var/lib directory. ## ## -@@ -4288,6 +4463,24 @@ +@@ -4288,6 +4480,24 @@ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -7622,7 +7688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -4686,6 +4879,24 @@ +@@ -4686,6 +4896,24 @@ ######################################## ## @@ -7647,7 +7713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to ioctl daemon runtime data files. ## ## -@@ -4955,7 +5166,7 @@ +@@ -4955,7 +5183,7 @@ selinux_compute_member($1) # Need sys_admin capability for mounting @@ -7656,7 +7722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Need to give access to the directories to be polyinstantiated allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -@@ -4977,12 +5188,15 @@ +@@ -4977,12 +5205,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -7673,7 +7739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -5003,3 +5217,192 @@ +@@ -5003,3 +5234,192 @@ typeattribute $1 files_unconfined_type; ') 
@@ -7868,7 +7934,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.32/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.te 2009-12-03 13:45:10.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/files.te 2009-12-15 08:16:26.000000000 -0500 @@ -42,6 +42,7 @@ # type boot_t; @@ -7877,18 +7943,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # default_t is the default type for files that do not # match any specification in the file_contexts configuration -@@ -52,7 +53,9 @@ +@@ -52,7 +53,10 @@ # # etc_t is the type of the system etc directories. # -type etc_t; +attribute etcfile; ++attribute configfile; + -+type etc_t, etcfile; ++type etc_t, configfile; files_type(etc_t) # compatibility aliases for removed types: typealias etc_t alias automount_etc_t; -@@ -193,6 +196,7 @@ +@@ -193,6 +197,7 @@ fs_associate_noxattr(file_type) fs_associate_tmpfs(file_type) fs_associate_ramfs(file_type) @@ -7904,7 +7971,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-12-03 13:45:10.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-12-14 07:21:05.000000000 -0500 @@ -290,7 +290,7 @@ ######################################## 
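Review bot: In hunk `@@ -7877,18 +7943,19 @@`, files.te now declares both `attribute etcfile;` and `attribute configfile;` while `etc_t` is attached only to `configfile`, and the files.if hunks in this commit rename every `etcfile` use to `configfile`, so `etcfile` looks like a leftover of the rename with nothing assigned to it. If no other module in the patch still requires it, drop the declaration; if it is kept deliberately for modules that still `gen_require` it, say so with `# etcfile: retained for modules that still reference it; new policy uses configfile`. Whether any other module references etcfile cannot be confirmed from the hunks shown here.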
@@ -9012,7 +9079,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.32/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/roles/sysadm.te 2009-12-09 08:30:14.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/roles/sysadm.te 2009-12-11 15:18:28.000000000 -0500 @@ -15,7 +15,7 @@ role sysadm_r; @@ -9055,7 +9122,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol backup_run(sysadm_t, sysadm_r) ') -@@ -99,18 +97,10 @@ +@@ -99,15 +97,11 @@ ') optional_policy(` @@ -9068,13 +9135,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - cdrecord_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - certwatch_run(sysadm_t, sysadm_r) ++ certmonger_dbus_chat(sysadm_t) ') -@@ -127,7 +117,7 @@ + optional_policy(` +@@ -127,7 +121,7 @@ ') optional_policy(` @@ -9083,7 +9148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -135,10 +125,6 @@ +@@ -135,10 +129,6 @@ ') optional_policy(` @@ -9094,7 +9159,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dcc_run_cdcc(sysadm_t, sysadm_r) dcc_run_client(sysadm_t, sysadm_r) dcc_run_dbclean(sysadm_t, sysadm_r) -@@ -166,10 +152,6 @@ +@@ -166,10 +156,6 @@ ') optional_policy(` @@ -9105,7 +9170,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol firstboot_run(sysadm_t, sysadm_r) ') -@@ -178,22 +160,6 @@ +@@ -178,22 +164,6 @@ ') optional_policy(` 
@@ -9128,7 +9193,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_run(sysadm_t, sysadm_r) ') -@@ -205,6 +171,9 @@ +@@ -205,6 +175,9 @@ ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -9138,7 +9203,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -212,11 +181,7 @@ +@@ -212,11 +185,7 @@ ') optional_policy(` @@ -9151,7 +9216,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -228,10 +193,6 @@ +@@ -228,10 +197,6 @@ ') optional_policy(` @@ -9162,7 +9227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logrotate_run(sysadm_t, sysadm_r) ') -@@ -255,14 +216,6 @@ +@@ -255,14 +220,6 @@ ') optional_policy(` @@ -9177,7 +9242,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mta_role(sysadm_r, sysadm_t) ') -@@ -290,11 +243,6 @@ +@@ -290,11 +247,6 @@ ') optional_policy(` @@ -9189,7 +9254,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol pcmcia_run_cardctl(sysadm_t, sysadm_r) ') -@@ -308,7 +256,7 @@ +@@ -308,7 +260,7 @@ ') optional_policy(` @@ -9198,7 +9263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -320,10 +268,6 @@ +@@ -320,10 +272,6 @@ ') optional_policy(` @@ -9209,7 +9274,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_domtrans_nfsd(sysadm_t) ') -@@ -332,10 +276,6 @@ +@@ -332,10 +280,6 @@ ') optional_policy(` @@ -9220,7 +9285,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rsync_exec(sysadm_t) ') -@@ -345,10 +285,6 @@ +@@ -345,10 +289,6 @@ ') optional_policy(` 
@@ -9231,7 +9296,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol secadm_role_change(sysadm_r) ') -@@ -358,35 +294,15 @@ +@@ -358,35 +298,15 @@ ') optional_policy(` @@ -9267,7 +9332,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tripwire_run_siggen(sysadm_t, sysadm_r) tripwire_run_tripwire(sysadm_t, sysadm_r) tripwire_run_twadmin(sysadm_t, sysadm_r) -@@ -394,18 +310,10 @@ +@@ -394,18 +314,10 @@ ') optional_policy(` @@ -9286,7 +9351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(sysadm_t) ') -@@ -418,17 +326,13 @@ +@@ -418,17 +330,13 @@ ') optional_policy(` @@ -9305,7 +9370,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -440,13 +344,16 @@ +@@ -440,13 +348,16 @@ ') optional_policy(` @@ -10875,7 +10940,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-12-10 13:05:08.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-12-12 07:39:21.000000000 -0500 @@ -33,12 +33,24 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -10923,7 +10988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) kernel_read_ring_buffer(abrt_t) -@@ -75,18 +90,31 @@ +@@ -75,18 +90,32 @@ corecmd_exec_bin(abrt_t) corecmd_exec_shell(abrt_t) 
@@ -10944,6 +11009,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(abrt_t) files_read_usr_files(abrt_t) +files_read_generic_tmp_files(abrt_t) ++files_read_kernel_modules(abrt_t) + +files_dontaudit_list_default(abrt_t) +files_dontaudit_read_default_files(abrt_t) @@ -10955,7 +11021,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysnet_read_config(abrt_t) -@@ -96,22 +124,90 @@ +@@ -96,22 +125,90 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -11467,7 +11533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.if 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/apache.if 2009-12-15 09:52:04.000000000 -0500 @@ -13,21 +13,16 @@ # template(`apache_content_template',` @@ -11790,10 +11856,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## TCP sockets. ## ## -@@ -503,6 +462,67 @@ +@@ -503,6 +462,105 @@ ######################################## ## ++## Allow the specified domain to list ++## Apache cache. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apache_list_cache',` ++ gen_require(` ++ type httpd_cache_t; ++ ') ++ ++ list_dirs_pattern($1, httpd_cache_t, httpd_cache_t) ++') ++ ++######################################## ++## +## Allow the specified domain to delete +## Apache cache. +## 
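Review bot: `files_read_kernel_modules(abrt_t)` is added without a comment, and reading module files is not an obvious need for a crash-reporting daemon, so the code path that triggered it should be recorded next to the rule. Until it is confirmed, a marker such as `# TODO(review): which abrt plugin reads the kernel module tree? note the denial this fixes` is better than a bare grant. The abrt_t rule block continues outside this hunk.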
@@ -11814,6 +11899,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Allow domain to set the attributes ++## of the APACHE cache directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apache_setattr_cache_dirs',` ++ gen_require(` ++ type httpd_cache_t; ++ ') ++ ++ allow $1 httpd_cache_t:dir setattr; ++') ++ ++######################################## ++## +## Allow the specified domain to read +## apache tmp files. +## @@ -11858,7 +11962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow the specified domain to read ## apache configuration files. ## -@@ -579,7 +599,7 @@ +@@ -579,7 +637,7 @@ ## ## ## @@ -11867,7 +11971,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -715,6 +735,7 @@ +@@ -715,6 +773,7 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -11875,7 +11979,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -782,6 +803,32 @@ +@@ -782,6 +841,32 @@ ######################################## ## @@ -11908,7 +12012,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute all web scripts in the system ## script domain. ## -@@ -791,16 +838,18 @@ +@@ -791,16 +876,18 @@ ## ## # @@ -11931,7 +12035,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -859,6 +908,8 @@ +@@ -859,6 +946,8 @@ ## ## # @@ -11940,7 +12044,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol interface(`apache_run_all_scripts',` gen_require(` attribute httpd_exec_scripts, httpd_script_domains; -@@ -884,7 +935,7 @@ +@@ -884,7 +973,7 @@ type httpd_squirrelmail_t; ') 
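Review bot: The summary of the new `apache_setattr_cache_dirs` interface says `APACHE cache directory`, while the sibling `apache_list_cache` and `apache_delete_cache` summaries added in this same file write `Apache cache`; use `## of the Apache cache directory.` for consistency. The rule itself, `allow $1 httpd_cache_t:dir setattr;`, matches the interface name and the use tmpreaper.te makes of it elsewhere in this commit.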
@@ -11949,7 +12053,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1043,6 +1094,44 @@ +@@ -1043,6 +1132,44 @@ ######################################## ## @@ -11994,7 +12098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate an apache environment ## ## -@@ -1072,11 +1161,17 @@ +@@ -1072,11 +1199,17 @@ type httpd_modules_t, httpd_lock_t; type httpd_var_run_t, httpd_php_tmp_t; type httpd_suexec_tmp_t, httpd_tmp_t; @@ -12012,7 +12116,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol apache_manage_all_content($1) miscfiles_manage_public_files($1) -@@ -1096,12 +1191,57 @@ +@@ -1096,12 +1229,57 @@ kernel_search_proc($1) allow $1 httpd_t:dir list_dir_perms; @@ -12983,8 +13087,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.6.32/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2009-12-09 08:14:01.000000000 -0500 -@@ -34,6 +34,8 @@ ++++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2009-12-14 06:52:25.000000000 -0500 +@@ -34,18 +34,21 @@ type asterisk_var_run_t; files_pid_file(asterisk_var_run_t) 
@@ -12993,9 +13097,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Local policy -@@ -42,10 +44,11 @@ + # + # dac_override for /var/run/asterisk - allow asterisk_t self:capability { dac_override setgid setuid sys_nice }; +-allow asterisk_t self:capability { dac_override setgid setuid sys_nice }; ++allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin }; dontaudit asterisk_t self:capability sys_tty_config; -allow asterisk_t self:process { setsched signal_perms }; +allow asterisk_t self:process { getsched setsched signal_perms getcap setcap }; @@ -13006,7 +13112,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow asterisk_t self:tcp_socket create_stream_socket_perms; allow asterisk_t self:udp_socket create_socket_perms; -@@ -79,11 +82,14 @@ +@@ -79,11 +82,15 @@ manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) files_pid_filetrans(asterisk_t, asterisk_var_run_t, file) @@ -13014,6 +13120,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + kernel_read_system_state(asterisk_t) kernel_read_kernel_sysctls(asterisk_t) ++kernel_request_load_module(asterisk_t) corecmd_exec_bin(asterisk_t) corecmd_search_bin(asterisk_t) @@ -13021,7 +13128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(asterisk_t) corenet_all_recvfrom_netlabel(asterisk_t) -@@ -97,16 +103,19 @@ +@@ -97,16 +104,19 @@ corenet_udp_bind_generic_node(asterisk_t) corenet_tcp_bind_asterisk_port(asterisk_t) corenet_udp_bind_asterisk_port(asterisk_t) @@ -13041,7 +13148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(asterisk_t) -@@ -119,17 +128,17 @@ +@@ -119,17 +129,25 @@ fs_getattr_all_fs(asterisk_t) fs_search_auto_mountpoints(asterisk_t) 
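Review bot: `net_admin` is added to `allow asterisk_t self:capability { ... }`, but the only comment on that block is still `# dac_override for /var/run/asterisk`, so nothing explains why the daemon needs a capability that also covers interface, routing and firewall configuration. Record the operation that needed it, for example `# net_admin: setsockopt on media sockets (TOS/priority) — confirm against the AVC`, and if the trigger is a setsockopt that Asterisk tolerates failing, `dontaudit asterisk_t self:capability net_admin;` would silence the audit without widening the domain. The same hunk adds `getcap setcap` to the process permissions, which deserves the same one-line justification.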
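Review bot: `kernel_request_load_module(asterisk_t)` in hunk `@@ -13006,7 +13112,7 @@` lets the daemon trigger kernel module autoloading, which is a broader grant than the surrounding kernel_read_* rules, so a comment naming the module family it is expected to pull in would let a reviewer check the scope. Suggested: `# module autoload requests (presumably on opening DAHDI or codec devices) — confirm`. Whether the DAHDI labelling added elsewhere in this commit is the reason cannot be told from this hunk.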
@@ -13059,15 +13166,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - nis_use_ypbind(asterisk_t) + mta_send_mail(asterisk_t) ++') ++ ++optional_policy(` ++ postfix_domtrans_postdrop(asterisk_t) ++') ++ ++optional_policy(` ++ postgresql_stream_connect(asterisk_t) ') optional_policy(` -@@ -137,10 +146,10 @@ +@@ -137,10 +155,10 @@ ') optional_policy(` - udev_read_db(asterisk_t) -+ postgresql_stream_connect(asterisk_t) ++ snmp_stream_connect(asterisk_t) ') -ifdef(`TODO',` @@ -13139,7 +13254,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.32/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/bind.if 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/bind.if 2009-12-15 09:49:26.000000000 -0500 @@ -235,7 +235,7 @@ ######################################## 
@@ -13419,6 +13534,315 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow certmaster_t self:tcp_socket create_stream_socket_perms; # config files +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.6.32/policy/modules/services/certmonger.fc +--- nsaserefpolicy/policy/modules/services/certmonger.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/certmonger.fc 2009-12-11 14:32:48.000000000 -0500 +@@ -0,0 +1,6 @@ ++/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0) ++ ++/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0) ++ ++/var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0) ++/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.6.32/policy/modules/services/certmonger.if +--- nsaserefpolicy/policy/modules/services/certmonger.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/certmonger.if 2009-12-11 14:32:48.000000000 -0500 +@@ -0,0 +1,217 @@ ++ ++## Certificate status monitor and PKI enrollment client ++ ++######################################## ++## ++## Execute a domain transition to run certmonger. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`certmonger_domtrans',` ++ gen_require(` ++ type certmonger_t, certmonger_exec_t; ++ ') ++ ++ domtrans_pattern($1, certmonger_exec_t, certmonger_t) ++') ++ ++ ++######################################## ++## ++## Execute certmonger server in the certmonger domain. ++## ++## ++## ++## The type of the process performing this action. 
++## ++## ++# ++interface(`certmonger_initrc_domtrans',` ++ gen_require(` ++ type certmonger_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, certmonger_initrc_exec_t) ++') ++ ++######################################## ++## ++## Read certmonger PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`certmonger_read_pid_files',` ++ gen_require(` ++ type certmonger_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 certmonger_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Manage certmonger var_run files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`certmonger_manage_var_run',` ++ gen_require(` ++ type certmonger_var_run_t; ++ ') ++ ++ manage_dirs_pattern($1, certmonger_var_run_t, certmonger_var_run_t) ++ manage_files_pattern($1, certmonger_var_run_t, certmonger_var_run_t) ++ manage_lnk_files_pattern($1, certmonger_var_run_t, certmonger_var_run_t) ++') ++ ++ ++######################################## ++## ++## Search certmonger lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`certmonger_search_lib',` ++ gen_require(` ++ type certmonger_var_lib_t; ++ ') ++ ++ allow $1 certmonger_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read certmonger lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`certmonger_read_lib_files',` ++ gen_require(` ++ type certmonger_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## certmonger lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`certmonger_manage_lib_files',` ++ gen_require(` ++ type certmonger_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t) ++') ++ ++######################################## ++## ++## Manage certmonger var_lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`certmonger_manage_var_lib',` ++ gen_require(` ++ type certmonger_var_lib_t; ++ ') ++ ++ manage_dirs_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t) ++ manage_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t) ++ manage_lnk_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t) ++') ++ ++ ++######################################## ++## ++## Send and receive messages from ++## certmonger over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`certmonger_dbus_chat',` ++ gen_require(` ++ type certmonger_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 certmonger_t:dbus send_msg; ++ allow certmonger_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an certmonger environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`certmonger_admin',` ++ gen_require(` ++ type certmonger_t, certmonger_initrc_exec_t; ++ ') ++ ++ allow $1 certmonger_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, certmonger_t, certmonger_t) ++ ++ # Allow certmonger_t to restart the apache service ++ certmonger_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 certmonger_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_search_var_lib($1) ++ admin_pattern($1, cermonger_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, cermonger_var_run_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.6.32/policy/modules/services/certmonger.te +--- nsaserefpolicy/policy/modules/services/certmonger.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/certmonger.te 2009-12-11 14:32:48.000000000 -0500 +@@ -0,0 +1,74 @@ ++policy_module(certmonger,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type certmonger_t; ++type certmonger_exec_t; ++init_daemon_domain(certmonger_t, certmonger_exec_t) ++ ++permissive certmonger_t; ++ ++type certmonger_initrc_exec_t; ++init_script_file(certmonger_initrc_exec_t) ++ ++type certmonger_var_run_t; ++files_pid_file(certmonger_var_run_t) ++ ++type certmonger_var_lib_t; ++files_type(certmonger_var_lib_t) ++ ++######################################## ++# ++# certmonger local policy ++# ++ ++allow certmonger_t self:capability { kill sys_nice }; ++allow certmonger_t self:process { fork getsched setsched sigkill }; ++allow certmonger_t self:fifo_file rw_file_perms; ++allow certmonger_t self:unix_stream_socket create_stream_socket_perms; ++allow certmonger_t self:tcp_socket create_stream_socket_perms; ++allow certmonger_t self:netlink_route_socket r_netlink_socket_perms; ++ ++manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) 
++manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) ++files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir }) ++ ++manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) ++manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) ++files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } ) ++ ++domain_use_interactive_fds(certmonger_t) ++ ++corenet_tcp_sendrecv_generic_if(certmonger_t) ++corenet_tcp_sendrecv_generic_node(certmonger_t) ++corenet_tcp_sendrecv_all_ports(certmonger_t) ++corenet_tcp_connect_certmaster_port(certmonger_t) ++ ++dev_read_urand(certmonger_t) ++ ++files_read_etc_files(certmonger_t) ++files_read_usr_files(certmonger_t) ++files_list_tmp(certmonger_t) ++ ++miscfiles_read_localization(certmonger_t) ++miscfiles_manage_cert_files(certmonger_t) ++ ++logging_send_syslog_msg(certmonger_t) ++ ++sysnet_dns_name_resolve(certmonger_t) ++ ++optional_policy(` ++ dbus_system_bus_client(certmonger_t) ++ dbus_connect_system_bus(certmonger_t) ++') ++ ++optional_policy(` ++ kerberos_use(certmonger_t) ++') ++ ++optional_policy(` ++ unconfined_dbus_send(certmonger_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.6.32/policy/modules/services/chronyd.fc --- nsaserefpolicy/policy/modules/services/chronyd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.32/policy/modules/services/chronyd.fc 2009-12-03 13:45:11.000000000 -0500 
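Review bot: `certmonger_admin` references `cermonger_var_lib_t` and `cermonger_var_run_t` in its two `admin_pattern` calls; those are misspellings of the types declared in certmonger.te, so the interface will not build for any caller, and the types are also absent from its `gen_require`. Change the require to `type certmonger_t, certmonger_initrc_exec_t, certmonger_var_lib_t, certmonger_var_run_t;` and the two calls to `admin_pattern($1, certmonger_var_lib_t)` and `admin_pattern($1, certmonger_var_run_t)`. The comment above `certmonger_initrc_domtrans($1)` reads `# Allow certmonger_t to restart the apache service`, a copy-paste leftover; `# Allow $1 to run the certmonger init script` would match what the line does. Separately, certmonger.te declares `permissive certmonger_t;` while `miscfiles_manage_cert_files(certmonger_t)` grants write access to the certificate store, so the domain is unenforced in practice for now; a `# TODO: remove once the domain has been exercised in enforcing mode` marker next to the permissive line would keep that visible.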
@@ -14795,7 +15219,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-12-15 09:04:10.000000000 -0500 @@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) @@ -14857,7 +15281,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_bind_all_rpc_ports(cupsd_t) -@@ -250,6 +262,7 @@ +@@ -232,6 +244,7 @@ + selinux_compute_access_vector(cupsd_t) + selinux_validate_context(cupsd_t) + ++init_rw_script_semaphores(cupsd_t) + init_exec_script_files(cupsd_t) + init_read_utmp(cupsd_t) + +@@ -250,6 +263,7 @@ miscfiles_read_localization(cupsd_t) # invoking ghostscript needs to read fonts miscfiles_read_fonts(cupsd_t) @@ -14865,7 +15297,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_read_config(cupsd_t) sysnet_exec_ifconfig(cupsd_t) -@@ -317,6 +330,10 @@ +@@ -317,6 +331,10 @@ ') optional_policy(` @@ -14876,7 +15308,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol udev_read_db(cupsd_t) ') -@@ -327,7 +344,7 @@ +@@ -327,7 +345,7 @@ allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; dontaudit cupsd_config_t self:capability sys_tty_config; 
@@ -14885,7 +15317,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_config_t self:fifo_file rw_fifo_file_perms; allow cupsd_config_t self:unix_stream_socket create_socket_perms; allow cupsd_config_t self:unix_dgram_socket create_socket_perms; -@@ -378,6 +395,8 @@ +@@ -378,6 +396,8 @@ dev_read_rand(cupsd_config_t) dev_rw_generic_usb_dev(cupsd_config_t) @@ -14894,7 +15326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -407,6 +426,7 @@ +@@ -407,6 +427,7 @@ userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) @@ -14902,7 +15334,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cups_stream_connect(cupsd_config_t) -@@ -419,12 +439,15 @@ +@@ -419,12 +440,15 @@ ') optional_policy(` @@ -14920,7 +15352,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` hal_dbus_chat(cupsd_config_t) -@@ -446,6 +469,10 @@ +@@ -446,6 +470,10 @@ ') optional_policy(` @@ -14931,7 +15363,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_read_db(cupsd_config_t) ') -@@ -457,6 +484,10 @@ +@@ -457,6 +485,10 @@ udev_read_db(cupsd_config_t) ') @@ -14942,7 +15374,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Cups lpd support -@@ -542,6 +573,8 @@ +@@ -542,6 +574,8 @@ manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) 
@@ -14951,7 +15383,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(cups_pdf_t) files_read_etc_files(cups_pdf_t) -@@ -556,11 +589,15 @@ +@@ -556,11 +590,15 @@ miscfiles_read_fonts(cups_pdf_t) userdom_home_filetrans_user_home_dir(cups_pdf_t) @@ -14967,7 +15399,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(cups_pdf_t) -@@ -601,6 +638,9 @@ +@@ -601,6 +639,9 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) @@ -14977,7 +15409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) -@@ -627,6 +667,7 @@ +@@ -627,6 +668,7 @@ corenet_tcp_connect_ipp_port(hplip_t) corenet_sendrecv_hplip_client_packets(hplip_t) corenet_receive_hplip_server_packets(hplip_t) @@ -16988,7 +17420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.32/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2009-12-05 05:54:55.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2009-12-14 07:10:30.000000000 -0500 @@ -16,13 +16,9 @@ type lircd_etc_t; files_type(lircd_etc_t) 
@@ -17004,7 +17436,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # lircd local policy -@@ -34,15 +30,27 @@ +@@ -30,19 +26,32 @@ + + allow lircd_t self:process signal; + allow lircd_t self:unix_dgram_socket create_socket_perms; ++allow lircd_t self:fifo_file rw_file_perms; + # etc file read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) @@ -17317,10 +17754,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.6.32/policy/modules/services/mysql.fc +--- nsaserefpolicy/policy/modules/services/mysql.fc 2009-09-16 10:01:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/mysql.fc 2009-12-14 07:05:13.000000000 -0500 +@@ -21,6 +21,7 @@ + # + /var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) + /var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0) ++/var/lib/mysql/.* -s gen_context(system_u:object_r:mysqld_var_run_t,s0) + + /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2009-12-03 13:45:11.000000000 -0500 -@@ -136,10 +136,17 @@ ++++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2009-12-11 15:50:04.000000000 -0500 +@@ -136,10 +136,19 @@ domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) 
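Review bot: The new `/var/lib/mysql/.* -s` rule in mysql.fc assigns the same `mysqld_var_run_t` context that the `/var/lib/mysql/mysql\.sock -s` line directly above it already assigns, so the older line is now redundant and can be dropped, or the new one given a comment explaining why every socket under the data directory should carry the run-time label. Since `/var/lib/mysql(/.*)?` labels the tree mysqld_db_t, a note such as `# sockets created anywhere in the datadir are run-time objects, not db files` would make the intent clear to whoever next touches the file.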
@@ -17331,6 +17779,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +domain_read_all_domains_state(mysqld_safe_t) + ++files_dontaudit_search_all_mountpoints(mysqld_safe_t) ++ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) kernel_read_system_state(mysqld_safe_t) @@ -17338,7 +17788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_list_sysfs(mysqld_safe_t) -@@ -152,7 +159,7 @@ +@@ -152,7 +161,7 @@ miscfiles_read_localization(mysqld_safe_t) @@ -17349,8 +17799,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mysql_write_log(mysqld_safe_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2009-12-03 13:45:11.000000000 -0500 -@@ -1,16 +1,26 @@ ++++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2009-12-15 10:06:29.000000000 -0500 +@@ -1,16 +1,52 @@ /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) +/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) 
@@ -17366,8 +17816,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +#/usr/lib(64)?/nagios/plugins(/.*)? gen_context(system_u:object_r:nagios_plugin_exec_t,s0) -+/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) -+/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) /var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) 
@@ -17382,9 +17830,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') +/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++ ++ ++ ++# check disk plugins ++/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) ++ ++# system plugins ++/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++ ++# services plugins ++/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ping -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.32/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.if 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/nagios.if 2009-12-15 10:06:29.000000000 -0500 @@ -64,7 +64,7 @@ ######################################## @@ -17417,7 +17893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -92,10 +91,82 @@ +@@ -92,10 +91,119 @@ ## ## # 
@@ -17454,6 +17930,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Create a set of derived types for various ++## nagios plugins, ++## ++## ++## ++## The name to be used for deriving type names. ++## ++## ++# ++template(`nagios_plugin_template',` ++ ++ gen_require(` ++ type nagios_t, nrpe_t; ++ ') ++ ++ type nagios_$1_plugin_t; ++ type nagios_$1_plugin_exec_t; ++ application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t) ++ role system_r types nagios_$1_plugin_t; ++ ++ allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms; ++ ++ # automatic transition rules from nrpe domain ++ # to specific nagios plugin domain ++ domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) ++ ++ # needed by command.cfg ++ domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) ++ ++ # cjp: leaked file descriptor ++ dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write }; ++ ++ miscfiles_read_localization(nagios_$1_plugin_t) ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an nagios environment +## @@ -17505,8 +18018,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2009-12-03 13:45:11.000000000 -0500 -@@ -10,13 +10,12 @@ ++++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2009-12-15 10:06:29.000000000 -0500 +@@ -6,17 +6,23 @@ + # Declarations + # + ++## ++##

++## Allow fenced domain to connect to the network using TCP. ++##

++##
++gen_tunable(nagios_plugin_dontaudit_bind_port, false) ++ + type nagios_t; type nagios_exec_t; init_daemon_domain(nagios_t, nagios_exec_t) @@ -17523,7 +18047,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type nagios_log_t; logging_log_file(nagios_log_t) -@@ -26,6 +25,9 @@ +@@ -26,6 +32,9 @@ type nagios_var_run_t; files_pid_file(nagios_var_run_t) @@ -17533,24 +18057,39 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type nrpe_t; type nrpe_exec_t; init_daemon_domain(nrpe_t, nrpe_exec_t) -@@ -33,6 +35,16 @@ +@@ -33,6 +42,31 @@ type nrpe_etc_t; files_config_file(nrpe_etc_t) +type nrpe_var_run_t; +files_pid_file(nrpe_var_run_t) + -+type nagios_checkdisk_plugin_t; -+type nagios_checkdisk_plugin_exec_t; -+application_domain(nagios_checkdisk_plugin_t, nagios_checkdisk_plugin_exec_t) -+role system_r types nagios_checkdisk_plugin_t; ++# creates nagios_checkdisk_plugin_exec_t for executable ++# and nagios_checkdisk_plugin_t for domain ++nagios_plugin_template(checkdisk) ++ ++# creates nagios_services_plugin_exec_t for executable ++# and nagios_services_plugin_t for domain ++nagios_plugin_template(services) ++ ++# creates nagios_system_plugin_exec_t for executable ++# and nagios_system_plugin_t for domain ++nagios_plugin_template(system) ++ ++type nagios_system_plugin_tmp_t; ++files_tmp_file(nagios_system_plugin_tmp_t) ++ ++nagios_plugin_template(unconfined) ++unconfined_domain(nagios_unconfined_plugin_t) + +permissive nagios_checkdisk_plugin_t; ++permissive nagios_services_plugin_t; ++permissive nagios_system_plugin_t; + ######################################## # # Nagios local policy -@@ -45,6 +57,9 @@ +@@ -45,6 +79,9 @@ allow nagios_t self:tcp_socket create_stream_socket_perms; allow nagios_t self:udp_socket create_socket_perms; 
@@ -17560,7 +18099,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) allow nagios_t nagios_etc_t:dir list_dir_perms; -@@ -60,6 +75,8 @@ +@@ -60,6 +97,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) @@ -17569,7 +18108,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(nagios_t) kernel_read_kernel_sysctls(nagios_t) -@@ -86,6 +103,7 @@ +@@ -86,6 +125,7 @@ files_read_etc_files(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) @@ -17577,7 +18116,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(nagios_t) fs_search_auto_mountpoints(nagios_t) -@@ -127,52 +145,59 @@ +@@ -127,52 +167,59 @@ # # Nagios CGI local policy # @@ -17644,10 +18183,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow nrpe_t self:process { setpgid signal_perms }; allow nrpe_t self:fifo_file rw_fifo_file_perms; +allow nrpe_t self:tcp_socket create_stream_socket_perms; ++ ++domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) -allow nrpe_t nrpe_etc_t:file read_file_perms; -+domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) -+ +read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t) files_search_etc(nrpe_t) @@ -17662,7 +18201,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(nrpe_t) kernel_read_kernel_sysctls(nrpe_t) -@@ -183,15 +208,19 @@ +@@ -183,15 +230,19 @@ dev_read_urand(nrpe_t) domain_use_interactive_fds(nrpe_t) 
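Review bot: `domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)` is kept (only moved) in nrpe's local policy, but `nagios_plugin_template` added to nagios.if by this same patch already emits that exact domtrans for every instantiated plugin, including `checkdisk`; the explicit line is now a duplicate and can be removed so the template stays the single place where plugin transitions are defined. Duplicate allow rules do not change the compiled policy, so this is a maintainability point rather than a functional one.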
@@ -17682,29 +18221,91 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(nrpe_t) optional_policy(` -@@ -209,3 +238,22 @@ +@@ -209,3 +260,84 @@ optional_policy(` udev_read_db(nrpe_t) ') + -+####################################### ++ ++###################################### +# -+# nagios check_disk and check_ide_smart plugin local policy ++# local policy for disk check plugins +# + +# needed by ioctl() +allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; + -+# leaked file descriptor -+dontaudit nagios_checkdisk_plugin_t nrpe_t:tcp_socket { read write }; -+ +files_read_etc_runtime_files(nagios_checkdisk_plugin_t) + +fs_getattr_all_fs(nagios_checkdisk_plugin_t) + +storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) + -+miscfiles_read_localization(nagios_checkdisk_plugin_t) ++ ++####################################### ++# ++# local policy for service check plugins ++# ++allow nagios_services_plugin_t self:capability { net_bind_service net_raw }; ++allow nagios_services_plugin_t self:process { signal sigkill }; ++ ++allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; ++allow nagios_services_plugin_t self:udp_socket create_socket_perms; ++ ++corecmd_exec_bin(nagios_services_plugin_t) ++ ++corenet_tcp_connect_all_ports(nagios_services_plugin_t) ++corenet_udp_bind_dhcpc_port(nagios_services_plugin_t) ++ ++auth_use_nsswitch(nagios_services_plugin_t) ++ ++domain_read_all_domains_state(nagios_services_plugin_t) ++ ++files_read_usr_files(nagios_services_plugin_t) ++ ++# just workaround for now ++tunable_policy(`nagios_plugin_dontaudit_bind_port',` ++ corenet_dontaudit_tcp_bind_all_ports(nagios_services_plugin_t) ++ corenet_dontaudit_udp_bind_all_ports(nagios_services_plugin_t) ++') ++ ++optional_policy(` ++ netutils_domtrans_ping(nagios_services_plugin_t) ++') ++ ++optional_policy(` ++ mysql_stream_connect(nagios_services_plugin_t) ++') ++ 
++###################################### ++# ++# local policy for system check plugins ++# ++ ++allow nagios_system_plugin_t self:capability dac_override; ++ ++# check_log ++manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) ++manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) ++files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) ++ ++corecmd_exec_bin(nagios_system_plugin_t) ++corecmd_exec_shell(nagios_system_plugin_t) ++ ++kernel_read_system_state(nagios_system_plugin_t) ++kernel_read_kernel_sysctls(nagios_system_plugin_t) ++ ++files_read_etc_files(nagios_system_plugin_t) ++ ++dev_read_sysfs(nagios_system_plugin_t) ++dev_read_urand(nagios_system_plugin_t) ++ ++domain_read_all_domains_state(nagios_system_plugin_t) ++ ++# needed by check_users plugin ++optional_policy(` ++ init_read_utmp(nagios_system_plugin_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.32/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/networkmanager.fc 2009-12-03 13:45:11.000000000 -0500 @@ -17817,7 +18418,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.32/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2009-12-14 07:14:00.000000000 -0500 
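Review bot: `allow nagios_system_plugin_t self:capability dac_override;` has no comment naming the plugin that needs it, unlike the `# check_log` and `# needed by check_users plugin` lines nearby; dac_override lets the domain bypass discretionary permission checks on every file its type rules already allow, so the justification should be recorded, e.g. `# dac_override: <plugin name> reads files not readable by the nagios user — confirm against the AVC`. The `init_read_utmp(nagios_system_plugin_t)` call is wrapped in `optional_policy`, although init is normally a base module that is always present, so the wrapper appears unnecessary. The `# just workaround for now` comment above the `tunable_policy` block would be more useful if it said what the permanent fix is expected to be.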
@@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -17912,7 +18513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) -@@ -116,25 +138,40 @@ +@@ -116,25 +138,41 @@ seutil_read_config(NetworkManager_t) @@ -17939,6 +18540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) userdom_dontaudit_use_user_ttys(NetworkManager_t) # Read gnome-keyring ++userdom_read_home_certs(NetworkManager_t) userdom_read_user_home_content_files(NetworkManager_t) +userdom_dgram_send(NetworkManager_t) + @@ -17960,7 +18562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -146,8 +183,25 @@ +@@ -146,8 +184,25 @@ ') optional_policy(` @@ -17988,7 +18590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -155,23 +209,51 @@ +@@ -155,23 +210,51 @@ ') optional_policy(` @@ -18042,7 +18644,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -179,12 +261,15 @@ +@@ -179,12 +262,15 @@ ') optional_policy(` @@ -21631,8 +22233,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.6.32/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/rhcs.te 2009-12-03 13:45:11.000000000 -0500 -@@ -0,0 +1,394 @@ ++++ serefpolicy-3.6.32/policy/modules/services/rhcs.te 2009-12-15 09:30:10.000000000 -0500 +@@ -0,0 +1,398 @@ + +policy_module(rhcs,1.0.0) + 
@@ -21850,6 +22452,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ corosync_stream_connect(fenced_t) ++') ++ ++optional_policy(` + lvm_domtrans(fenced_t) + lvm_read_config(fenced_t) +') @@ -22566,7 +23172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/samba.te 2009-12-14 07:30:54.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -22740,7 +23346,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t) -@@ -713,12 +752,23 @@ +@@ -700,6 +739,8 @@ + + miscfiles_read_localization(swat_t) + ++userdom_dontaudit_search_admin_dir(swat_t) ++ + optional_policy(` + cups_read_rw_config(swat_t) + cups_stream_connect(swat_t) +@@ -713,12 +754,23 @@ kerberos_use(swat_t) ') @@ -22765,7 +23380,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; -@@ -866,6 +916,18 @@ +@@ -866,6 +918,18 @@ # optional_policy(` 
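Review bot: The new `userdom_dontaudit_search_admin_dir(swat_t)` in the samba.te hunk at `@@ -22740,7 +23346,16 @@` carries no explanation of what triggers the denial it silences, so the next reader cannot tell whether swat genuinely needs the admin home directory or merely probes it. Suppressing the audit rather than granting search is the right call for a web-facing service, but it should say so, e.g. `# swat tries to search the admin home dir; deny silently rather than grant it`. The enclosing swat local-policy section starts outside this hunk.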
@@ -22784,7 +23399,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -876,9 +938,12 @@ +@@ -876,9 +940,12 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -23511,7 +24126,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.32/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/smartmon.te 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/smartmon.te 2009-12-15 08:26:09.000000000 -0500 @@ -19,14 +19,18 @@ type fsdaemon_tmp_t; files_tmp_file(fsdaemon_tmp_t) @@ -23541,7 +24156,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_sysfs(fsdaemon_t) dev_read_urand(fsdaemon_t) -@@ -66,10 +71,13 @@ +@@ -66,10 +71,15 @@ fs_search_auto_mountpoints(fsdaemon_t) mls_file_read_all_levels(fsdaemon_t) @@ -23552,10 +24167,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_raw_write_fixed_disk(fsdaemon_t) storage_raw_read_removable_device(fsdaemon_t) +storage_manage_fixed_disk(fsdaemon_t) ++storage_read_scsi_generic(fsdaemon_t) ++storage_write_scsi_generic(fsdaemon_t) term_dontaudit_search_ptys(fsdaemon_t) -@@ -80,6 +88,8 @@ +@@ -80,6 +90,8 @@ miscfiles_read_localization(fsdaemon_t) 
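Review bot: In the smartmon.te hunk at `@@ -23552,10 +24167,12 @@`, `storage_write_scsi_generic(fsdaemon_t)` lets the daemon send commands to every SCSI generic device node, which is a broader grant than the neighbouring raw fixed-disk rules and is not explained. Presumably this is for SMART passthrough on SCSI/SAT-attached drives, but that should be recorded so the rule is not widened later without thought, e.g. `# SMART queries on SCSI-attached drives go through /dev/sg* (read + write needed)`. Since the page elsewhere uses a `storage_dontaudit_rw_scsi_generic` form for xdm, a combined rw interface may exist and would keep the two rules together; confirm against storage.if.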
@@ -23564,7 +24181,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysnet_dns_name_resolve(fsdaemon_t) userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t) -@@ -91,6 +101,7 @@ +@@ -91,6 +103,7 @@ optional_policy(` seutil_sigchld_newrole(fsdaemon_t) @@ -23574,7 +24191,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.6.32/policy/modules/services/snmp.if --- nsaserefpolicy/policy/modules/services/snmp.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/snmp.if 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/snmp.if 2009-12-14 06:47:27.000000000 -0500 @@ -50,6 +50,24 @@ ######################################## @@ -25279,8 +25896,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.6.32/policy/modules/services/tuned.te --- nsaserefpolicy/policy/modules/services/tuned.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/tuned.te 2009-12-03 13:45:11.000000000 -0500 -@@ -0,0 +1,58 @@ ++++ serefpolicy-3.6.32/policy/modules/services/tuned.te 2009-12-14 07:57:56.000000000 -0500 +@@ -0,0 +1,59 @@ + +policy_module(tuned,1.0.0) + @@ -25307,6 +25924,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# + +dontaudit tuned_t self:capability { dac_override sys_tty_config }; ++allow tuned_t self:fifo_file rw_fifo_file_perms; + +manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) +files_pid_filetrans(tuned_t, tuned_var_run_t, { file }) 
@@ -25990,7 +26608,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-12-12 08:20:15.000000000 -0500 @@ -20,6 +20,28 @@ ## gen_tunable(virt_use_samba, false) @@ -26036,7 +26654,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type virt_log_t; logging_log_file(virt_log_t) -@@ -48,27 +75,55 @@ +@@ -48,27 +75,56 @@ type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -26070,6 +26688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow virtd_t self:tcp_socket create_stream_socket_perms; -allow virtd_t self:tun_socket create; +allow virtd_t self:tun_socket create_socket_perms; ++allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; + +allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; @@ -26096,7 +26715,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -76,6 +131,7 @@ +@@ -76,6 +132,7 @@ manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) 
@@ -26104,7 +26723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t) -@@ -86,7 +142,8 @@ +@@ -86,7 +143,8 @@ kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) @@ -26114,7 +26733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -97,30 +154,50 @@ +@@ -97,40 +155,75 @@ corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_bind_generic_node(virtd_t) @@ -26126,10 +26745,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_rw_tun_tap_dev(virtd_t) -dev_read_sysfs(virtd_t) -+dev_rw_sysfs(virtd_t) ++dev_getattr_all_chr_files(virtd_t) dev_read_rand(virtd_t) +dev_rw_kvm(virtd_t) -+dev_getattr_all_chr_files(virtd_t) ++dev_rw_mtrr(virtd_t) ++dev_rw_sysfs(virtd_t) # Init script handling domain_use_interactive_fds(virtd_t) @@ -26168,14 +26788,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) -@@ -128,9 +205,22 @@ - miscfiles_read_localization(virtd_t) - miscfiles_read_certs(virtd_t) +-miscfiles_read_localization(virtd_t) + miscfiles_read_certs(virtd_t) ++miscfiles_read_hwdata(virtd_t) ++miscfiles_read_localization(virtd_t) ++ +modutils_read_module_deps(virtd_t) +modutils_read_module_config(virtd_t) +modutils_manage_module_config(virtd_t) -+ + logging_send_syslog_msg(virtd_t) +sysnet_domtrans_ifconfig(virtd_t) @@ -26191,7 +26813,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -168,22 +258,36 @@ +@@ -168,22 +261,36 @@ dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) 
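Review bot: `dev_rw_mtrr(virtd_t)` in the virt.te hunk at `@@ -26126,10 +26745,11 @@` gives the management daemon write access to the MTRR control file, a machine-wide setting, and nothing in the hunk says which libvirt operation needs it. Add a why-comment before it, e.g. `# TODO(review): record which virtd code path writes /proc/mtrr; read-only may suffice`, and check whether a read-only interface would cover the actual use. The rest of this hunk is a harmless alphabetical reorder of the `dev_*` lines.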
@@ -26202,6 +26824,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` iptables_domtrans(virtd_t) + iptables_initrc_domtrans(virtd_t) ++') ++ ++optional_policy(` ++ kerberos_keytab_template(virtd, virtd_t) ') -#optional_policy(` @@ -26209,11 +26835,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -# polkit_domtrans_resolve(virtd_t) -#') +optional_policy(` -+ kerberos_keytab_template(virtd, virtd_t) -+') - - optional_policy(` -- qemu_domtrans(virtd_t) + lvm_domtrans(virtd_t) +') + @@ -26223,8 +26844,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + policykit_domtrans_resolve(virtd_t) + policykit_read_lib(virtd_t) +') -+ -+optional_policy(` + + optional_policy(` +- qemu_domtrans(virtd_t) + qemu_spec_domtrans(virtd_t, svirt_t) qemu_read_state(virtd_t) qemu_signal(virtd_t) @@ -26233,7 +26855,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -196,8 +300,152 @@ +@@ -196,8 +303,154 @@ xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) @@ -26242,6 +26864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + udev_domtrans(virtd_t) ++ udev_read_db(virtd_t) ') optional_policy(` @@ -26268,6 +26891,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +dontaudit svirt_t virt_content_t:dir write; + +userdom_search_user_home_content(svirt_t) ++userdom_read_user_home_content_symlinks(svirt_t) +userdom_read_all_users_state(svirt_t) + +allow svirt_t self:udp_socket create_socket_perms; 
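Review bot: `userdom_read_user_home_content_symlinks(svirt_t)` in the hunk at `@@ -26268,6 +26891,7 @@` applies to the confined guest domain and covers symlinks under every user's home content, not only the image a given guest was started with; a grant of that breadth on the guest side deserves a comment on its trigger. Presumably guests need to follow symlinks in $HOME that point at their disk images, with the target files still gated by the image labels, but that is inference — state the actual reason, e.g. `# guests follow symlinks under user home dirs to reach their image files`. The svirt_t local-policy section continues outside this hunk.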
@@ -27395,7 +28019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-12-10 15:28:03.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-12-15 10:07:56.000000000 -0500 @@ -34,6 +34,13 @@ ## @@ -27534,15 +28158,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_tmpfs_file(xserver_tmpfs_t) ubac_constrained(xserver_tmpfs_t) -@@ -236,6 +255,7 @@ +@@ -233,9 +252,13 @@ + + allow xdm_t iceauth_home_t:file read_file_perms; + ++dev_read_rand(iceauth_t) ++ fs_search_auto_mountpoints(iceauth_t) userdom_use_user_terminals(iceauth_t) +userdom_read_user_tmp_files(iceauth_t) ++userdom_read_all_users_state(iceauth_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(iceauth_t) -@@ -250,25 +270,33 @@ +@@ -245,30 +268,49 @@ + fs_manage_cifs_files(iceauth_t) + ') + ++ifdef(`hide_broken_symptoms', ` ++ dev_dontaudit_rw_dri(iceauth_t) ++ dev_dontaudit_rw_generic_dev_nodes(iceauth_t) ++ fs_list_inotifyfs(iceauth_t) ++ term_dontaudit_use_unallocated_ttys(iceauth_t) ++ ++ optional_policy(` ++ mozilla_dontaudit_rw_user_home_files(iceauth_t) ++ ') ++') ++ + ######################################## + # # Xauth local policy # @@ -27580,7 +28226,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(xauth_t) # cjp: why? -@@ -278,6 +306,12 @@ +@@ -278,6 +320,12 @@ userdom_use_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) 
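Review bot: In the xserver.te hunk at `@@ -27534,15 +28158,37 @@`, `fs_list_inotifyfs(iceauth_t)` is an allow rule placed inside the new `ifdef(\`hide_broken_symptoms'` block whose other members are all dontaudit calls, so what iceauth_t may do now depends on a build flag meant only to quiet audit noise. Either move that line out of the ifdef with the other unconditional rules or use a dontaudit form so the block stays symptom-hiding only. The same hunk adds `userdom_read_all_users_state(iceauth_t)`, which lets a small auth helper read every user's process state; a short comment on what it reads would justify keeping it that wide.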
@@ -27593,7 +28239,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_rw_xdm_tmp_files(xauth_t) -@@ -289,6 +323,16 @@ +@@ -289,6 +337,16 @@ fs_manage_cifs_files(xauth_t) ') @@ -27610,7 +28256,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -300,20 +344,31 @@ +@@ -300,20 +358,31 @@ # XDM Local policy # @@ -27645,7 +28291,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -325,26 +380,43 @@ +@@ -325,26 +394,43 @@ # this is ugly, daemons should not create files under /etc! manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t) @@ -27696,7 +28342,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t xserver_t:process signal; allow xdm_t xserver_t:unix_stream_socket connectto; -@@ -358,6 +430,7 @@ +@@ -358,6 +444,7 @@ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; @@ -27704,7 +28350,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -366,10 +439,14 @@ +@@ -366,10 +453,14 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -27720,7 +28366,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) -@@ -389,11 +466,13 @@ +@@ -389,11 +480,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) 
@@ -27734,7 +28380,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -401,6 +480,7 @@ +@@ -401,6 +494,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -27742,7 +28388,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -413,14 +493,17 @@ +@@ -413,14 +507,17 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -27762,7 +28408,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +514,15 @@ +@@ -431,9 +528,15 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -27778,7 +28424,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,6 +531,7 @@ +@@ -442,6 +545,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -27786,7 +28432,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -450,6 +540,7 @@ +@@ -450,6 +554,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -27794,7 +28440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -460,10 +551,12 @@ +@@ -460,10 +565,12 @@ logging_read_generic_logs(xdm_t) 
@@ -27809,7 +28455,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,6 +565,10 @@ +@@ -472,6 +579,10 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -27820,7 +28466,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -504,10 +601,12 @@ +@@ -504,10 +615,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -27833,7 +28479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -515,12 +614,47 @@ +@@ -515,12 +628,47 @@ ') optional_policy(` @@ -27881,7 +28527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -535,6 +669,7 @@ +@@ -535,6 +683,7 @@ optional_policy(` # Do not audit attempts to check whether user root has email mta_dontaudit_getattr_spool_files(xdm_t) @@ -27889,7 +28535,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -542,6 +677,39 @@ +@@ -542,6 +691,39 @@ ') optional_policy(` @@ -27929,7 +28575,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +718,9 @@ +@@ -550,8 +732,9 @@ ') optional_policy(` @@ -27941,7 +28587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -560,7 +729,6 @@ +@@ -560,7 +743,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -27949,7 +28595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -571,6 +739,10 @@ +@@ -571,6 +753,10 @@ ') optional_policy(` 
@@ -27960,7 +28606,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,10 +759,9 @@ +@@ -587,10 +773,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -27972,7 +28618,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -602,9 +773,12 @@ +@@ -602,9 +787,12 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -27985,7 +28631,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -616,13 +790,14 @@ +@@ -616,13 +804,14 @@ type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; allow xserver_t { rootwindow_t x_domain }:x_drawable send; @@ -28001,7 +28647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,9 +810,19 @@ +@@ -635,9 +824,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -28021,7 +28667,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -671,7 +856,6 @@ +@@ -671,7 +870,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -28029,7 +28675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -681,9 +865,12 @@ +@@ -681,9 +879,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -28043,7 +28689,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -698,8 +885,12 @@ +@@ -698,8 +899,12 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -28056,7 +28702,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -721,6 +912,7 @@ +@@ -721,6 +926,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -28064,7 +28710,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -743,7 +935,7 @@ +@@ -743,7 +949,7 @@ ') ifdef(`enable_mls',` @@ -28073,7 +28719,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -775,12 +967,20 @@ +@@ -775,12 +981,20 @@ ') optional_policy(` @@ -28095,7 +28741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(xserver_t) ') -@@ -807,12 +1007,12 @@ +@@ -807,12 +1021,12 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; 
@@ -28112,7 +28758,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Run xkbcomp. allow xserver_t xkb_var_lib_t:lnk_file read; -@@ -828,9 +1028,14 @@ +@@ -828,9 +1042,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -28127,7 +28773,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -845,11 +1050,14 @@ +@@ -845,11 +1064,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -28143,7 +28789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -882,6 +1090,8 @@ +@@ -882,6 +1104,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; @@ -28152,7 +28798,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -906,6 +1116,8 @@ +@@ -906,6 +1130,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -28161,7 +28807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -973,17 +1185,49 @@ +@@ -973,17 +1199,49 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; 
@@ -28773,7 +29419,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /var diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/init.if 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/init.if 2009-12-15 09:04:50.000000000 -0500 @@ -162,6 +162,7 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; @@ -28794,7 +29440,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # daemons started from init will # inherit fds from init for the console -@@ -272,6 +278,7 @@ +@@ -195,6 +201,8 @@ + ') + + ifdef(`hide_broken_symptoms',` ++ files_dontaudit_search_all_mountpoints($1) ++ + # RHEL4 systems seem to have a stray + # fds open from the initrd + ifdef(`distro_rhel4',` +@@ -272,6 +280,7 @@ role system_r types $1; domtrans_pattern(initrc_t,$2,$1) @@ -28802,7 +29457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -280,6 +287,36 @@ +@@ -280,6 +289,36 @@ kernel_dontaudit_use_fds($1) ') ') @@ -28839,7 +29494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -546,7 +583,7 @@ +@@ -546,7 +585,7 @@ # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; @@ -28848,7 +29503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -619,18 +656,19 @@ +@@ -619,18 +658,19 @@ # interface(`init_spec_domtrans_script',` gen_require(` 
@@ -28872,7 +29527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -646,19 +684,39 @@ +@@ -646,19 +686,39 @@ # interface(`init_domtrans_script',` gen_require(` @@ -28916,7 +29571,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -904,6 +962,24 @@ +@@ -904,6 +964,24 @@ allow $1 init_script_file_type:file read_file_perms; ') @@ -28941,7 +29596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Execute all init scripts in the caller domain. -@@ -1123,7 +1199,7 @@ +@@ -1123,7 +1201,7 @@ type initrc_t; ') @@ -28950,7 +29605,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1291,6 +1367,25 @@ +@@ -1291,6 +1369,25 @@ ######################################## ## @@ -28976,7 +29631,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create files in a init script ## temporary data directory. ## -@@ -1521,3 +1616,51 @@ +@@ -1521,3 +1618,70 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') 
@@ -29028,6 +29683,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 init_t:unix_dgram_socket sendto; + allow init_t $1:unix_dgram_socket sendto; +') ++ ++######################################## ++## ++## RW initrc_t user SysV sempaphores. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_rw_script_semaphores',` ++ gen_require(` ++ attribute initrc_t; ++ ') ++ ++ allow $1 initrc_t:sem rw_sem_perms; ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/system/init.te 2009-12-03 13:45:11.000000000 -0500 @@ -30222,7 +30896,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive kdump_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-12-07 09:47:51.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-12-15 09:23:04.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -30429,7 +31103,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -307,10 +308,107 @@ +@@ -307,10 +308,109 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) 
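Review bot: The new `init_rw_script_semaphores` interface in the init.if hunk at `@@ -29028,6 +29683,25 @@` requires `attribute initrc_t;`, but `initrc_t` is a type — the other gen_require blocks in this same file (for example the one in the `@@ -1123,7 +1199,7 @@` inner hunk) declare it as `type initrc_t;` — so the require will not resolve when the interface is used. Change it to `type initrc_t;`. The summary line also misspells the word: `## RW initrc_t user SysV semaphores.`.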
@@ -30447,6 +31121,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) + +/usr/lib(64)?/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/mythtv/filters/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -30537,6 +31212,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/VBoxGuestAdditions.*/lib/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ++/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.32/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/system/libraries.if 2009-12-03 13:45:11.000000000 -0500 
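Review bot: The two libraries.fc hunks here (`@@ -30447,6 +31121,7 @@` and `@@ -30537,6 +31212,7 @@`) add `/usr/lib(64)?/mythtv/filters/.*\.so.*` and `/opt/lampp/lib/libct\.so.*` to textrel_shlib_t, which exempts those objects from the execmod restriction for every process that loads them, and neither entry records why. A comment naming the upstream report or the build defect for each library would let the exemption be retired once the library is fixed instead of staying indefinitely, e.g. `# TODO(review): text relocations in libct; cite the upstream report and drop when fixed`. The lampp line is also appended directly before the next file header without the trailing blank line the surrounding entries keep.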
@@ -31204,8 +31880,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # gentoo init scripts still manage this file diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.6.32/policy/modules/system/modutils.if --- nsaserefpolicy/policy/modules/system/modutils.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/modutils.if 2009-12-03 13:45:11.000000000 -0500 -@@ -1,5 +1,24 @@ ++++ serefpolicy-3.6.32/policy/modules/system/modutils.if 2009-12-12 07:37:57.000000000 -0500 +@@ -1,5 +1,25 @@ ## Policy for kernel module utilities +###################################### @@ -31224,13 +31900,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + -+ getattr_files_pattern($1,modules_object_t,modules_dep_t) ++ files_search_kernel_modules($1) ++ allow $1 modules_dep_t:file getattr; +') + ######################################## ## ## Read the dependencies of kernel modules. -@@ -41,8 +60,8 @@ +@@ -41,8 +61,8 @@ files_search_etc($1) files_search_boot($1) @@ -31241,7 +31918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -61,7 +80,7 @@ +@@ -61,7 +81,7 @@ type modules_conf_t; ') @@ -31250,7 +31927,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -80,7 +99,26 @@ +@@ -80,7 +100,26 @@ type modules_conf_t; ') 
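Review bot: In the modutils.if hunk at `@@ -31224,13 +31900,14 @@`, `getattr_files_pattern($1,modules_object_t,modules_dep_t)` is replaced by `files_search_kernel_modules($1)` plus `allow $1 modules_dep_t:file getattr;`, so `modules_object_t` is no longer referenced in the body; the interface's gen_require block lies above this hunk and, if it still declares that type, the declaration is now dead and should be dropped. The new body is also preceded by two blank lines where the file otherwise uses one. The interface header and its require block are outside the hunk, so this is inferred from the replaced line alone.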
@@ -32845,7 +33522,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.32/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2009-12-15 09:09:12.000000000 -0500 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t, dhcpc_exec_t) role system_r types dhcpc_t; @@ -33010,7 +33687,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) -@@ -269,15 +286,23 @@ +@@ -269,15 +286,24 @@ # for IPSEC setup: dev_read_urand(ifconfig_t) @@ -33019,6 +33696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(ifconfig_t) +files_read_etc_runtime_files(ifconfig_t) ++files_read_usr_files(ifconfig_t) fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) @@ -33035,7 +33713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_dontaudit_read_root_files(ifconfig_t) -@@ -294,6 +319,8 @@ +@@ -294,6 +320,8 @@ seutil_use_runinit_fds(ifconfig_t) @@ -33044,7 +33722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) -@@ -330,8 +357,22 @@ +@@ -330,8 +358,22 @@ ') optional_policy(` 
@@ -33082,7 +33760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.6.32/policy/modules/system/udev.if --- nsaserefpolicy/policy/modules/system/udev.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/udev.if 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/udev.if 2009-12-12 08:19:13.000000000 -0500 @@ -168,4 +168,43 @@ dev_list_all_dev_nodes($1) @@ -34017,7 +34695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-10 15:29:01.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-15 09:02:01.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -34029,7 +34707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) -@@ -41,80 +42,93 @@ +@@ -41,80 +42,91 @@ allow system_r $1_r; term_user_pty($1_t, user_devpts_t) 
@@ -34142,35 +34820,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - files_dontaudit_getattr_non_security_symlinks($1_t) - files_dontaudit_getattr_non_security_pipes($1_t) - files_dontaudit_getattr_non_security_sockets($1_t) -+ files_dontaudit_getattr_all_dirs($1_usertype) -+ files_dontaudit_list_non_security($1_usertype) -+ files_dontaudit_getattr_all_files($1_usertype) -+ files_dontaudit_getattr_non_security_symlinks($1_usertype) -+ files_dontaudit_getattr_non_security_pipes($1_usertype) -+ files_dontaudit_getattr_non_security_sockets($1_usertype) - +- - libs_exec_ld_so($1_t) -+ storage_rw_fuse($1_usertype) - +- - miscfiles_read_localization($1_t) - miscfiles_read_certs($1_t) -+ auth_use_nsswitch($1_usertype) - +- - sysnet_read_config($1_t) -+ libs_exec_ld_so($1_usertype) - +- - tunable_policy(`allow_execmem',` - # Allow loading DSOs that require executable stack. - allow $1_t self:process execmem; - ') +- +- tunable_policy(`allow_execmem && allow_execstack',` +- # Allow making the stack executable via mprotect. +- allow $1_t self:process execstack; ++ files_dontaudit_getattr_all_dirs($1_usertype) ++ files_dontaudit_list_non_security($1_usertype) ++ files_dontaudit_getattr_all_files($1_usertype) ++ files_dontaudit_getattr_non_security_symlinks($1_usertype) ++ files_dontaudit_getattr_non_security_pipes($1_usertype) ++ files_dontaudit_getattr_non_security_sockets($1_usertype) ++ ++ storage_rw_fuse($1_usertype) ++ ++ libs_exec_ld_so($1_usertype) ++ + miscfiles_read_certs($1_usertype) + miscfiles_read_localization($1_usertype) + miscfiles_read_man_pages($1_usertype) + miscfiles_read_public_files($1_usertype) - -- tunable_policy(`allow_execmem && allow_execstack',` -- # Allow making the stack executable via mprotect. -- allow $1_t self:process execstack; ++ + optional_policy(` + ssh_rw_stream_sockets($1_usertype) + ssh_delete_tmp($1_t) 
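Review bot: `auth_use_nsswitch($1_usertype)` is dropped from this template (the outer `-+ auth_use_nsswitch($1_usertype)` line) and re-added further down in the hunk at @@ -34539,6 +35220,8 @@ (`++ auth_use_nsswitch($1_usertype)`), which moves name-service access from the base template into the later one while the `- sysnet_read_config($1_t)` removal in this hunk stays in place. If any user domain is built from this template alone, it would presumably lose resolver/NSS access unless it obtains it elsewhere; if that narrowing is intended, a comment at the removal point such as `# nsswitch access is granted by the later user template, not here` would record it. The template's name and the rest of its body are outside the hunk on both sides, so this is inferred from the two hunks only.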
@@ -34178,7 +34859,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -147,6 +161,7 @@ +@@ -147,6 +159,7 @@ interface(`userdom_ro_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -34186,7 +34867,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') role $1 types { user_home_t user_home_dir_t }; -@@ -157,6 +172,7 @@ +@@ -157,6 +170,7 @@ # type_member $2 user_home_dir_t:dir user_home_dir_t; @@ -34194,7 +34875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # read-only home directory allow $2 user_home_dir_t:dir list_dir_perms; -@@ -168,27 +184,6 @@ +@@ -168,27 +182,6 @@ read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) @@ -34222,7 +34903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -220,9 +215,10 @@ +@@ -220,9 +213,10 @@ interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -34234,7 +34915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -232,17 +228,20 @@ +@@ -232,17 +226,20 @@ type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory @@ -34265,7 +34946,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) -@@ -250,25 +249,23 @@ +@@ -250,25 +247,23 @@ allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` 
@@ -34295,7 +34976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -303,6 +300,7 @@ +@@ -303,6 +298,7 @@ manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) @@ -34303,7 +34984,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -322,6 +320,7 @@ +@@ -322,6 +318,7 @@ ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -34311,7 +34992,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_tmp($1) ') -@@ -368,46 +367,41 @@ +@@ -368,46 +365,41 @@ ####################################### ## @@ -34378,7 +35059,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -412,7 +406,7 @@ +@@ -412,7 +404,7 @@ ####################################### ## @@ -34387,7 +35068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -420,35 +414,58 @@ +@@ -420,35 +412,58 @@ ## is the prefix for user_t). ## ## @@ -34431,17 +35112,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dev_read_video_dev($1) + dev_write_video_dev($1) + dev_rw_wireless($1) -+ -+ miscfiles_dontaudit_write_fonts($1) -+ -+ optional_policy(` -+ udev_read_db($1) -+ ') - xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) - xserver_xsession_entry_type($1_t) - xserver_dontaudit_write_log($1_t) - xserver_stream_connect_xdm($1_t) ++ miscfiles_dontaudit_write_fonts($1) ++ ++ optional_policy(` ++ udev_read_db($1) ++ ') ++ + optional_policy(` + setroubleshoot_dontaudit_dbus_chat($1) + ') 
@@ -34465,7 +35146,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -498,7 +515,7 @@ +@@ -498,7 +513,7 @@ attribute unpriv_userdomain; ') @@ -34474,7 +35155,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -508,182 +525,213 @@ +@@ -508,182 +523,215 @@ # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -34539,6 +35220,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_read_noxattr_fs_files($1_usertype) + fs_read_noxattr_fs_symlinks($1_usertype) + ++ auth_use_nsswitch($1_usertype) ++ + logging_send_syslog_msg($1_usertype) + logging_send_audit_msgs($1_usertype) + selinux_get_enforce_mode($1_usertype) @@ -34609,19 +35292,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) + chrome_role($1_r, $1_usertype) - ') - - optional_policy(` -- canna_stream_connect($1_t) ++ ') ++ ++ optional_policy(` + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; + + optional_policy(` + avahi_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- canna_stream_connect($1_t) + bluetooth_dbus_chat($1_usertype) ') 
@@ -34772,9 +35455,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - userdom_manage_tmpfs_role($1_r, $1_t) + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) + @@ -34785,7 +35466,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -35462,7 +36145,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## temporary files. ## ## -@@ -2205,30 +2421,49 @@ +@@ -2205,21 +2421,40 @@ ## ## # @@ -35486,16 +36169,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## -## Domain allowed access. +## Domain to not audit. - ## - ## - # --interface(`userdom_read_user_tmp_symlinks',` ++## ++## ++# +interface(`userdom_dontaudit_manage_user_tmp_files',` - gen_require(` - type user_tmp_t; - ') - -- read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) ++ gen_require(` ++ type user_tmp_t; ++ ') ++ + dontaudit $1 user_tmp_t:file manage_file_perms; +') + @@ -35506,18 +36187,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +## Domain allowed access. -+## -+## -+# -+interface(`userdom_read_user_tmp_symlinks',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) - allow $1 user_tmp_t:dir list_dir_perms; - files_search_tmp($1) - ') + ## + ## + # @@ -2276,6 +2511,46 @@ ######################################## ## 
diff --git a/selinux-policy.spec b/selinux-policy.spec index 2985949..d5ccdfa 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 58%{?dist} +Release: 59%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -181,7 +181,7 @@ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ selinuxenabled; \ if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ fixfiles -C ${FILE_CONTEXT}.pre restore; \ - restorecon -R /var/log /var/run 2> /dev/null; \ + restorecon -R /root /var/log /var/run /var/lib 2> /dev/null;\ rm -f ${FILE_CONTEXT}.pre; \ fi; @@ -449,6 +449,38 @@ exit 0 %endif %changelog +* Tue Dec 15 2009 Dan Walsh 3.6.32-59 +- Dontaudit udp_socket leaks for xauth_t +- Dontaudit rules for iceauth_t +- Let locate read symlinks on noxattr file systems +- Remove wine from unconfined domain if unconfined pp removed +- Add labels for vhostmd +- Add port 546 as a dhcpc port +- Add labeled for /dev/dahdi +- Add certmonger policy +- Allow sysadm to communicate with racoon and zebra +- Allow dbus service dbus_chat with unconfined_t +- Fixes for xguest +- Add dontaudits for abrt +- file contexts for mythtv +- Lots of fixes for asterisk +- Fix file context for certmaster +- Add log dir for dovecot +- Policy for ksmtuned +- File labeling and fixes for mysql and mysql_safe +- New plugin infrstructure for nagios +- Allow nut_upsd_t dac_override +- File context fixes for nx +- Allow oddjob_mkhomedir to create homedir +- Add pcscd_pub interfaces to be used by xdm +- Add stream connect from fenced to corosync +- Fixes for swat +- Allow fsdaemon to manage scsi devices +- Policy for tgtd +- Policy for vhostmd +- Allow ipsec to create tmp files +- Change label on fusermount + * Thu Dec 10 2009 Dan Walsh 3.6.32-58 - Dontaudit udp_socket leaks for xauth_t
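Review bot: The rewritten restorecon line in the @@ -181,7 +181,7 @@ hunk now recurses over `/root` and `/var/lib` as well, while its stderr is still sent to `/dev/null`, so a failed or partial relabel of the much larger `/var/lib` tree on an upgrade leaves no trace in the install log. A short comment on the line above, e.g. `# relabel /root and /var/lib too: <reason — which new file contexts live there>`, would record why the paths were added and make it easier to revisit them later. Minor style point: the continuation changed from `2> /dev/null; \` to `2> /dev/null;\`, which rpm's macro parser should still accept but which differs from the `; \` form on the neighbouring lines of the same macro.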