diff --git a/booleans-targeted.conf b/booleans-targeted.conf index b05b5e2..f2e22cd 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -24,7 +24,7 @@ allow_ftpd_anon_write = false # Allow gssd to read temp directory. # -allow_gssd_read_tmp = false +allow_gssd_read_tmp = true # Allow Apache to modify public filesused for public file transfer services. # diff --git a/policy-F13.patch b/policy-F13.patch index 3a8918f..53d5d35 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -517,8 +517,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.7.19/policy/modules/admin/dmesg.te --- nsaserefpolicy/policy/modules/admin/dmesg.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/dmesg.te 2010-06-21 21:23:21.779174421 +0200 -@@ -51,6 +51,12 @@ ++++ serefpolicy-3.7.19/policy/modules/admin/dmesg.te 2011-01-03 08:59:40.202042256 +0100 +@@ -24,6 +24,7 @@ + kernel_read_ring_buffer(dmesg_t) + kernel_clear_ring_buffer(dmesg_t) + kernel_change_ring_buffer_level(dmesg_t) ++kernel_read_system_state(dmesg_t) + kernel_list_proc(dmesg_t) + kernel_read_proc_symlinks(dmesg_t) + +@@ -51,6 +52,12 @@ userdom_use_user_terminals(dmesg_t) optional_policy(` @@ -1937,7 +1945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.19/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/rpm.te 2010-05-28 09:41:59.960611623 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/rpm.te 2011-01-07 10:32:51.757290974 +0100 @@ -1,6 +1,8 @@ policy_module(rpm, 1.10.0) 
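Review bot: Flipping the default of `allow_gssd_read_tmp` from `false` to `true` in booleans-targeted.conf widens what rpc.gssd may read on every targeted install, and the boolean's existing comment ("Allow gssd to read temp directory.") gives no reason for the new default. Add a why-comment next to the setting, for example `# Default on: rpc.gssd presumably needs users' credential caches under /tmp for Kerberized NFS — confirm`, or keep it `false` and document when an admin should toggle it. Hosts that never use gssd carry the extra read access for no benefit, so the rationale should be visible where the default is set.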
@@ -2046,16 +2054,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te fs_search_auto_mountpoints(rpm_t) mls_file_read_all_levels(rpm_t) -@@ -132,6 +161,8 @@ +@@ -132,6 +161,10 @@ # for installing kernel packages storage_raw_read_fixed_disk(rpm_t) +term_list_ptys(rpm_t) ++# needed in MLS ++term_use_console(rpm_t) + auth_relabel_all_files_except_shadow(rpm_t) auth_manage_all_files_except_shadow(rpm_t) auth_dontaudit_read_shadow(rpm_t) -@@ -155,6 +186,7 @@ +@@ -155,6 +188,7 @@ files_exec_etc_files(rpm_t) init_domtrans_script(rpm_t) @@ -2063,7 +2073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) -@@ -174,7 +206,19 @@ +@@ -174,7 +208,19 @@ ') optional_policy(` @@ -2084,7 +2094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te ') optional_policy(` -@@ -182,36 +226,19 @@ +@@ -182,36 +228,19 @@ ') optional_policy(` @@ -2125,7 +2135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; allow rpm_script_t self:unix_dgram_socket create_socket_perms; -@@ -222,12 +249,15 @@ +@@ -222,12 +251,15 @@ allow rpm_script_t self:sem create_sem_perms; allow rpm_script_t self:msgq create_msgq_perms; allow rpm_script_t self:msg { send receive }; @@ -2141,7 +2151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -@@ -239,6 +269,9 @@ +@@ -239,6 +271,9 @@ kernel_read_kernel_sysctls(rpm_script_t) kernel_read_system_state(rpm_script_t) 
@@ -2151,7 +2161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te dev_list_sysfs(rpm_script_t) -@@ -254,7 +287,9 @@ +@@ -254,7 +289,9 @@ fs_getattr_xattr_fs(rpm_script_t) fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) @@ -2161,7 +2171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te mcs_killall(rpm_script_t) mcs_ptrace_all(rpm_script_t) -@@ -272,14 +307,19 @@ +@@ -272,14 +309,19 @@ storage_raw_read_fixed_disk(rpm_script_t) storage_raw_write_fixed_disk(rpm_script_t) @@ -2181,7 +2191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) -@@ -291,8 +331,10 @@ +@@ -291,8 +333,10 @@ files_exec_etc_files(rpm_script_t) files_read_etc_runtime_files(rpm_script_t) files_exec_usr_files(rpm_script_t) @@ -2192,7 +2202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te libs_exec_ld_so(rpm_script_t) libs_exec_lib_files(rpm_script_t) -@@ -308,12 +350,15 @@ +@@ -308,12 +352,15 @@ seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) @@ -2208,7 +2218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te ') ') -@@ -326,13 +371,26 @@ +@@ -326,13 +373,26 @@ ') optional_policy(` 
@@ -2247,6 +2257,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sectool optional_policy(` mount_exec(sectoolm_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.7.19/policy/modules/admin/shorewall.fc +--- nsaserefpolicy/policy/modules/admin/shorewall.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/shorewall.fc 2011-01-04 15:04:49.174051690 +0100 +@@ -11,4 +11,6 @@ + /var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) + /var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) + ++/var/lock/subsys/shorewall -- gen_context(system_u:object_r:shorewall_lock_t,s0) ++ + /var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.7.19/policy/modules/admin/shorewall.if --- nsaserefpolicy/policy/modules/admin/shorewall.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/admin/shorewall.if 2010-09-09 13:43:11.957085205 +0200 
@@ -2877,16 +2897,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.19/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te 2010-10-26 10:37:40.688650931 +0200 -@@ -199,6 +199,7 @@ - - term_use_all_ttys(groupadd_t) - term_use_all_ptys(groupadd_t) ++++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te 2011-01-07 10:29:10.209292372 +0100 +@@ -197,8 +197,8 @@ + selinux_compute_relabel_context(groupadd_t) + selinux_compute_user_contexts(groupadd_t) + +-term_use_all_ttys(groupadd_t) +-term_use_all_ptys(groupadd_t) ++term_use_all_terms(groupadd_t) +term_use_generic_ptys(groupadd_t) init_use_fds(groupadd_t) init_read_utmp(groupadd_t) -@@ -209,6 +210,7 @@ +@@ -209,6 +209,7 @@ files_manage_etc_files(groupadd_t) files_relabel_etc_files(groupadd_t) files_read_etc_runtime_files(groupadd_t) @@ -2894,7 +2917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}. corecmd_exec_bin(groupadd_t) -@@ -256,7 +258,8 @@ +@@ -256,7 +257,8 @@ # Passwd local policy # @@ -2904,7 +2927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process { setrlimit setfscreate }; allow passwd_t self:fd use; -@@ -294,6 +297,8 @@ +@@ -294,6 +296,8 @@ term_use_all_ttys(passwd_t) term_use_all_ptys(passwd_t) 
@@ -2913,7 +2936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman auth_domtrans_chk_passwd(passwd_t) auth_manage_shadow(passwd_t) -@@ -303,6 +308,9 @@ +@@ -303,6 +307,9 @@ # allow checking if a shell is executable corecmd_check_exec_shell(passwd_t) @@ -2923,7 +2946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman domain_use_interactive_fds(passwd_t) -@@ -315,6 +323,7 @@ +@@ -315,6 +322,7 @@ # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) @@ -2931,7 +2954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman init_use_fds(passwd_t) logging_send_audit_msgs(passwd_t) -@@ -333,6 +342,7 @@ +@@ -333,6 +341,7 @@ # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -2939,6 +2962,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman optional_policy(` nscd_domtrans(passwd_t) +@@ -384,6 +393,7 @@ + + term_use_all_ttys(sysadm_passwd_t) + term_use_all_ptys(sysadm_passwd_t) ++term_use_all_terms(sysadm_passwd_t) + + auth_manage_shadow(sysadm_passwd_t) + auth_relabel_shadow(sysadm_passwd_t) @@ -427,7 +437,7 @@ # Useradd local policy # @@ -2956,7 +2987,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman files_manage_etc_files(useradd_t) files_search_var_lib(useradd_t) -@@ -498,12 +509,8 @@ +@@ -471,6 +482,7 @@ + + term_use_all_ttys(useradd_t) + term_use_all_ptys(useradd_t) ++term_use_all_terms(useradd_t) + + auth_domtrans_chk_passwd(useradd_t) + auth_rw_lastlog(useradd_t) +@@ -498,12 +510,8 @@ userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories 
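Review bot: `term_use_all_terms(sysadm_passwd_t)` and `term_use_all_terms(useradd_t)` are added while the existing `term_use_all_ttys`/`term_use_all_ptys` calls for the same domains are kept, whereas the groupadd_t hunk earlier in the same file replaces those two calls with the single `term_use_all_terms(groupadd_t)`. Make the three domains consistent: drop the two older calls wherever `term_use_all_terms` is added, as was done for groupadd_t, assuming the broader interface already covers ttys and ptys (verify against terminal.if). Both hunks show only part of their domains' policy, which continues outside the hunk.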
@@ -2970,7 +3009,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman mta_manage_spool(useradd_t) -@@ -527,6 +534,12 @@ +@@ -527,6 +535,12 @@ ') optional_policy(` @@ -4337,7 +4376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.19/policy/modules/apps/gpg.if --- nsaserefpolicy/policy/modules/apps/gpg.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/apps/gpg.if 2010-05-28 09:41:59.978610931 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/gpg.if 2011-01-04 15:08:31.384041746 +0100 @@ -21,6 +21,7 @@ type gpg_agent_t, gpg_agent_exec_t; type gpg_agent_tmp_t; @@ -4346,7 +4385,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s ') role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }; -@@ -50,13 +51,19 @@ +@@ -32,6 +33,8 @@ + ps_process_pattern($2, gpg_t) + allow $2 gpg_t:process { signull sigstop signal sigkill }; + ++ allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto }; ++ + # communicate with the user + allow gpg_helper_t $2:fd use; + allow gpg_helper_t $2:fifo_file write; +@@ -50,13 +53,19 @@ # Transition from the user domain to the agent domain. domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) @@ -4370,7 +4418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s ') ') -@@ -78,6 +85,43 @@ +@@ -78,6 +87,43 @@ domtrans_pattern($1, gpg_exec_t, gpg_t) ') @@ -4414,7 +4462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s ######################################## ## ## Send generic signals to user gpg processes. -@@ -95,3 +139,65 @@ +@@ -95,3 +141,65 @@ allow $1 gpg_t:process signal; ') 
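Review bot: The new `allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };` in the gpg role interface grants more than a client connect needs: `rw_socket_perms` gives the user domain read, write, ioctl, getattr and setattr on the agent's own socket object, where refpolicy clients normally receive only `connectto`. Connecting through the agent's socket file also requires write access on that sock_file, which this rule does not grant; if the socket lives under gpg_agent_tmp_t, the standard form would be `stream_connect_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)` in place of this line. I cannot see from the hunk whether the sock_file access is granted elsewhere in the interface, so verify that before narrowing.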
@@ -7005,8 +7053,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.19/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/sambagui.te 2010-05-28 09:42:00.003610619 +0200 -@@ -0,0 +1,66 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sambagui.te 2011-01-04 14:04:57.892041466 +0100 +@@ -0,0 +1,63 @@ +policy_module(sambagui,1.0.0) + +######################################## @@ -7041,11 +7089,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui +corecmd_exec_bin(sambagui_t) + +files_read_etc_files(sambagui_t) ++files_read_usr_files(sambagui_t) +files_search_var_lib(sambagui_t) -+files_search_usr(sambagui_t) -+ -+# reading shadow by pdbedit -+#auth_read_shadow(sambagui_t) + +auth_use_nsswitch(sambagui_t) + @@ -8793,7 +8838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.7.19/policy/modules/apps/webalizer.te --- nsaserefpolicy/policy/modules/apps/webalizer.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/apps/webalizer.te 2010-08-13 07:59:10.406085311 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/webalizer.te 2011-01-03 14:33:53.133051854 +0100 @@ -85,6 +85,7 @@ userdom_use_user_terminals(webalizer_t) userdom_use_unpriv_users_fds(webalizer_t) 
@@ -8802,6 +8847,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalize apache_read_log(webalizer_t) apache_manage_sys_content(webalizer_t) +@@ -104,3 +105,8 @@ + optional_policy(` + nscd_socket_use(webalizer_t) + ') ++ ++optional_policy(` ++ squid_manage_logs(webalizer_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.7.19/policy/modules/apps/wine.fc --- nsaserefpolicy/policy/modules/apps/wine.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/apps/wine.fc 2010-05-28 09:42:00.014611294 +0200 @@ -9134,7 +9188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-09-01 11:58:19.510084657 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2011-01-03 14:29:17.539042734 +0100 @@ -25,6 +25,7 @@ # type tun_tap_device_t; 
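Review bot: `squid_manage_logs(webalizer_t)` grants webalizer create/write/delete on squid's logs although a log analyzer only reads them, and the same file gives only `apache_read_log(webalizer_t)` for the apache case this is modelled on. Prefer a read-only interface (`squid_read_log(webalizer_t)` if squid.if provides one, otherwise add one) so a compromised webalizer cannot truncate or alter proxy logs. The hunk also appends a second trailing blank line after the closing `')`; one is enough.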
@@ -9315,6 +9369,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ######################################## # +@@ -266,5 +293,5 @@ + allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; + + # Bind to any network address. +-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind; ++allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind; + allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.m4 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.m4 2010-07-14 10:38:30.694409837 +0200 @@ -11991,7 +12052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.19/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.te 2010-11-23 10:17:21.568398712 +0100 ++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.te 2011-01-07 10:48:13.921042668 +0100 @@ -46,15 +46,6 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) @@ -12043,7 +12104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -270,19 +273,29 @@ +@@ -270,19 +273,30 @@ files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) 
@@ -12060,6 +12121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel mls_file_read_all_levels(kernel_t) +mls_socket_write_all_levels(kernel_t) +mls_fd_share_all_levels(kernel_t) ++mls_file_downgrade(kernel_t) + +logging_manage_generic_logs(kernel_t) @@ -12073,7 +12135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel optional_policy(` hotplug_search_config(kernel_t) ') -@@ -359,6 +372,10 @@ +@@ -359,6 +373,10 @@ unconfined_domain_noaudit(kernel_t) ') @@ -12967,6 +13029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. +kernel_read_fs_sysctls(sysadm_t) +modutils_read_module_deps(sysadm_t) +miscfiles_read_hwdata(sysadm_t) +Binary files nsaserefpolicy/policy/modules/roles/.sysadm.te.swp and serefpolicy-3.7.19/policy/modules/roles/.sysadm.te.swp differ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.19/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.fc 2010-05-28 09:42:00.047610527 +0200 @@ -14659,7 +14722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt admin_pattern($1, abrt_var_cache_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.19/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-08-04 15:15:53.954335601 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2011-01-07 14:18:16.592043328 +0100 @@ -1,11 +1,19 @@ -policy_module(abrt, 1.0.1) 
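Review bot: `mls_file_downgrade(kernel_t)` lets the kernel domain write files at a lower MLS level than its own, one of the strongest MLS overrides, and the hunk adds it next to the existing `mls_file_read_all_levels`/`mls_socket_write_all_levels` without any explanation. Add a why-comment naming the kernel thread or boot-time path that hits the denial, e.g. `# needed by <kernel thread> writing files below SystemHigh at boot — confirm`, or grant the privilege to the specific domain that needs it instead of kernel_t. The kernel_t policy block continues outside the hunk.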
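Review bot: The added line `Binary files nsaserefpolicy/policy/modules/roles/.sysadm.te.swp and serefpolicy-3.7.19/policy/modules/roles/.sysadm.te.swp differ` shows the patch was generated against a tree that still contained a vim swap file for sysadm.te. That record is not policy, is noise in the patch, and suggests sysadm.te was open in an editor when the diff was taken; delete the stray `.sysadm.te.swp`, confirm sysadm.te has no unsaved edits, and regenerate the patch (or add `*.swp` to the diff exclude file so it cannot recur).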
@@ -14792,7 +14855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt logging_read_generic_logs(abrt_t) logging_send_syslog_msg(abrt_t) -@@ -103,22 +152,129 @@ +@@ -103,22 +152,130 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -14849,6 +14912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + rpm_exec(abrt_t) + rpm_dontaudit_manage_db(abrt_t) + rpm_manage_cache(abrt_t) ++ rpm_manage_log(abrt_t) + rpm_manage_pid_files(abrt_t) + rpm_read_db(abrt_t) + rpm_signull(abrt_t) @@ -16973,8 +17037,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.7.19/policy/modules/services/bitlbee.te --- nsaserefpolicy/policy/modules/services/bitlbee.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/bitlbee.te 2010-11-10 09:41:46.688398097 +0100 -@@ -27,13 +27,13 @@ ++++ serefpolicy-3.7.19/policy/modules/services/bitlbee.te 2011-01-04 16:26:00.197041921 +0100 +@@ -27,19 +27,21 @@ # # Local policy # 
@@ -16987,10 +17051,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl allow bitlbee_t self:unix_stream_socket create_stream_socket_perms; allow bitlbee_t self:fifo_file rw_fifo_file_perms; -allow bitlbee_t self:process signal; ++allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms; bitlbee_read_config(bitlbee_t) -@@ -81,6 +81,10 @@ + # tmp files + manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) +-files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file) ++manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t ) ++files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file }) + + # user account information is read and edited at runtime; give the usual + # r/w access to bitlbee_var_t +@@ -53,6 +55,7 @@ + corenet_udp_sendrecv_generic_node(bitlbee_t) + corenet_tcp_sendrecv_generic_if(bitlbee_t) + corenet_tcp_sendrecv_generic_node(bitlbee_t) ++corenet_tcp_bind_generic_node(bitlbee_t) + # Allow bitlbee to connect to jabber servers + corenet_tcp_connect_jabber_client_port(bitlbee_t) + corenet_tcp_sendrecv_jabber_client_port(bitlbee_t) +@@ -81,6 +84,10 @@ libs_legacy_use_shared_libs(bitlbee_t) @@ -19038,8 +19119,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.7.19/policy/modules/services/cobbler.fc --- nsaserefpolicy/policy/modules/services/cobbler.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/cobbler.fc 2010-12-01 13:47:05.132292116 +0100 -@@ -1,7 +1,32 @@ ++++ serefpolicy-3.7.19/policy/modules/services/cobbler.fc 2011-01-07 11:32:18.772301640 +0100 +@@ -1,7 +1,33 @@ -/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0) -/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0) 
@@ -19053,6 +19134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb +/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) + +/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) ++/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) @@ -25654,8 +25736,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.te serefpolicy-3.7.19/policy/modules/services/mpd.te --- nsaserefpolicy/policy/modules/services/mpd.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/mpd.te 2010-12-16 10:26:52.090042381 +0100 -@@ -0,0 +1,123 @@ ++++ serefpolicy-3.7.19/policy/modules/services/mpd.te 2011-01-07 14:17:21.054042273 +0100 +@@ -0,0 +1,141 @@ + +policy_module(mpd,1.0.0) + @@ -25711,6 +25793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. + +manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t) +manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t) ++manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t) + +manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) +manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) @@ -25726,6 +25809,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. +manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) +files_var_lib_filetrans(mpd_t, mpd_var_lib_t, { dir file lnk_file }) + ++# needed by pulseaudio ++kernel_getattr_proc(mpd_t) +kernel_read_system_state(mpd_t) +kernel_read_kernel_sysctls(mpd_t) + 
@@ -25739,6 +25824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. +corenet_tcp_bind_soundd_port(mpd_t) + +dev_read_sound(mpd_t) ++dev_write_sound(mpd_t) +dev_read_sysfs(mpd_t) + +files_read_usr_files(mpd_t) @@ -25767,7 +25853,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. +') + +optional_policy(` -+ dbus_system_bus_client(mpd_t) ++ consolekit_dbus_chat(mpd_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(mpd_t) +') + +optional_policy(` @@ -25777,8 +25867,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. +') + +optional_policy(` ++ rtkit_daemon_dontaudit_dbus_chat(mpd_t) ++') ++ ++optional_policy(` + udev_read_db(mpd_t) +') ++ ++ ++optional_policy(` ++ xserver_dontaudit_stream_connect(mpd_t) ++ xserver_dontaudit_read_xdm_pid(mpd_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.19/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/mta.fc 2010-08-17 15:06:26.581085303 +0200 @@ -26032,7 +26132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.19/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/mta.te 2010-12-03 10:28:21.175042789 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/mta.te 2011-01-04 15:53:26.314042349 +0100 @@ -21,8 +21,8 @@ type etc_mail_t; files_config_file(etc_mail_t) 
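Review bot: The hunk leaves two consecutive blank lines before the final xserver `optional_policy` block, where the rest of mpd.te separates blocks with one; remove one of them. The new `rtkit_daemon_dontaudit_dbus_chat(mpd_t)` and the two xserver dontaudit lines silence denials without saying why they are expected and harmless; a one-line note such as `# pulseaudio client code probes rtkit and X — not needed by mpd, so dontaudit` would help the next maintainer. This is the tail of the new mpd.te module, which starts earlier in the patch.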
@@ -26044,7 +26144,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. type mqueue_spool_t; files_mountpoint(mqueue_spool_t) -@@ -57,15 +57,16 @@ +@@ -51,21 +51,24 @@ + + # newalias required this, not sure if it is needed in 'if' file + allow system_mail_t self:capability { dac_override fowner }; ++allow system_mail_t self:process setsched; ++ + allow system_mail_t self:fifo_file rw_fifo_file_perms; + + read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) @@ -26065,7 +26173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) -@@ -75,10 +76,15 @@ +@@ -75,10 +78,15 @@ selinux_getattr_fs(system_mail_t) @@ -26081,15 +26189,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. optional_policy(` apache_read_squirrelmail_data(system_mail_t) -@@ -89,6 +95,7 @@ +@@ -89,6 +97,7 @@ apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) -+ apache_dontaudit_write_tmp_files(system_mail_t) ++ apache_dontaudit_rw_tmp_files(system_mail_t) ') optional_policy(` -@@ -100,6 +107,11 @@ +@@ -100,6 +109,11 @@ ') optional_policy(` @@ -26101,7 +26209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. clamav_stream_connect(system_mail_t) clamav_append_log(system_mail_t) ') -@@ -107,6 +119,9 @@ +@@ -107,6 +121,9 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) @@ -26111,7 +26219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -120,12 +135,8 @@ +@@ -120,12 +137,8 @@ ') optional_policy(` 
@@ -26125,7 +26233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -142,7 +153,12 @@ +@@ -142,7 +155,12 @@ ') optional_policy(` @@ -26138,7 +26246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -154,18 +170,6 @@ +@@ -154,18 +172,6 @@ files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) domain_use_interactive_fds(system_mail_t) @@ -26157,7 +26265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -185,6 +189,10 @@ +@@ -185,6 +191,10 @@ ') optional_policy(` @@ -26168,7 +26276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. smartmon_read_tmp_files(system_mail_t) ') -@@ -216,7 +224,8 @@ +@@ -216,7 +226,8 @@ create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -26178,7 +26286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -@@ -245,6 +254,10 @@ +@@ -245,6 +256,10 @@ mailman_read_data_symlinks(mailserver_delivery) ') @@ -26189,7 +26297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ######################################## # # User send mail local policy -@@ -288,3 +301,33 @@ +@@ -288,3 +303,33 @@ postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') 
@@ -32126,7 +32234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi init_labeled_script_domtrans($1, radiusd_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.7.19/policy/modules/services/radius.te --- nsaserefpolicy/policy/modules/services/radius.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/radius.te 2010-08-30 19:31:22.527085108 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/radius.te 2011-01-03 10:47:38.474042362 +0100 @@ -37,7 +37,7 @@ # gzip also needs chown access to preserve GID for radwtmp files allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; @@ -32136,7 +32244,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi allow radiusd_t self:fifo_file rw_fifo_file_perms; allow radiusd_t self:unix_stream_socket create_stream_socket_perms; allow radiusd_t self:tcp_socket create_stream_socket_perms; -@@ -131,6 +131,7 @@ +@@ -79,6 +79,7 @@ + corenet_udp_bind_radius_port(radiusd_t) + corenet_tcp_connect_mysqld_port(radiusd_t) + corenet_tcp_connect_snmp_port(radiusd_t) ++corenet_tcp_connect_postgresql_port(radiusd_t) + corenet_sendrecv_radius_server_packets(radiusd_t) + corenet_sendrecv_radacct_server_packets(radiusd_t) + corenet_sendrecv_mysqld_client_packets(radiusd_t) +@@ -131,6 +132,7 @@ optional_policy(` samba_read_var_files(radiusd_t) 
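Review bot: `corenet_tcp_connect_postgresql_port(radiusd_t)` is added without the matching packet rule, while the existing MySQL case in the same hunk pairs `corenet_tcp_connect_mysqld_port` with `corenet_sendrecv_mysqld_client_packets`. Add `corenet_sendrecv_postgresql_client_packets(radiusd_t)` next to the existing sendrecv lines so the PostgreSQL backend also works under labeled networking, and keep the two database cases symmetrical.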
@@ -36031,7 +36147,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi gen_require(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.19/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/squid.te 2010-05-28 09:42:00.191611098 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/squid.te 2011-01-03 09:56:23.355040924 +0100 @@ -14,6 +14,13 @@ ## gen_tunable(squid_connect_any, false) @@ -36077,7 +36193,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi optional_policy(` apache_content_template(squid) -@@ -186,8 +202,3 @@ +@@ -165,6 +181,7 @@ + corenet_all_recvfrom_unlabeled(httpd_squid_script_t) + corenet_all_recvfrom_netlabel(httpd_squid_script_t) + corenet_tcp_connect_http_cache_port(httpd_squid_script_t) ++ corenet_tcp_connect_squid_port(httpd_squid_script_t) + + sysnet_dns_name_resolve(httpd_squid_script_t) + +@@ -186,8 +203,3 @@ optional_policy(` udev_read_db(squid_t) ') 
@@ -36088,16 +36212,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi -') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.19/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/ssh.fc 2010-05-28 09:42:00.192610961 +0200 -@@ -1,4 +1,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/ssh.fc 2011-01-04 16:00:55.694041145 +0100 +@@ -1,4 +1,9 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) + ++/var/lib/amanda/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) ++ +/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0) /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) -@@ -14,3 +17,6 @@ +@@ -14,3 +19,6 @@ /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) @@ -36472,7 +36598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2010-12-01 13:29:39.056062288 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-01-04 16:02:58.400042759 +0100 @@ -34,13 +34,12 @@ ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) 
@@ -36560,7 +36686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. kernel_read_kernel_sysctls(ssh_keygen_t) fs_search_auto_mountpoints(ssh_keygen_t) -@@ -282,32 +287,39 @@ +@@ -282,36 +287,39 @@ allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -36601,28 +36727,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. -',` - userdom_spec_domtrans_unpriv_users(sshd_t) - userdom_signal_unpriv_users(sshd_t) -+') -+ -+optional_policy(` -+ daemontools_service_domain(sshd_t, sshd_exec_t) ') optional_policy(` -@@ -315,7 +327,12 @@ +- kerberos_keytab_template(sshd, sshd_t) ++ amanda_search_lib(sshd_t) ') optional_policy(` -- daemontools_service_domain(sshd_t, sshd_exec_t) +@@ -319,10 +327,27 @@ + ') + + optional_policy(` ++ kerberos_keytab_template(sshd, sshd_t) ++') ++ ++optional_policy(` + ftp_dyntransition_sftpd(sshd_t) + ftp_dyntransition_sftpd_anon(sshd_t) +') + +optional_policy(` + gitosis_manage_lib_files(sshd_t) - ') - - optional_policy(` -@@ -323,6 +340,10 @@ ++') ++ ++optional_policy(` + inetd_tcp_service_domain(sshd_t, sshd_exec_t) ') optional_policy(` @@ -36633,7 +36763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. rpm_use_script_fds(sshd_t) ') -@@ -333,10 +354,18 @@ +@@ -333,10 +358,18 @@ ') optional_policy(` @@ -37525,7 +37655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-09-16 17:06:29.681386750 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2011-01-07 14:27:09.212042336 +0100 @@ -1,5 +1,5 @@ -policy_module(virt, 1.3.2) 
@@ -37786,7 +37916,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -370,6 +440,8 @@ +@@ -318,6 +388,10 @@ + ') + + optional_policy(` ++ dmidecode_domtrans(virtd_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(virtd_t) + + optional_policy(` +@@ -370,6 +444,8 @@ qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -37795,7 +37936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') optional_policy(` -@@ -407,6 +479,19 @@ +@@ -407,6 +483,19 @@ allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; allow virt_domain self:tcp_socket create_stream_socket_perms; @@ -37815,7 +37956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -427,6 +512,7 @@ +@@ -427,6 +516,7 @@ corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) @@ -37823,7 +37964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -434,10 +520,12 @@ +@@ -434,10 +524,12 @@ dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -37836,7 +37977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -445,6 +533,11 @@ +@@ -445,6 +537,11 @@ fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) 
@@ -37848,7 +37989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -462,8 +555,13 @@ +@@ -462,8 +559,13 @@ ') optional_policy(` @@ -38026,7 +38167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.19/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-09-23 13:20:56.798386762 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2011-01-07 14:00:01.543041896 +0100 @@ -19,9 +19,10 @@ interface(`xserver_restricted_role',` gen_require(` @@ -38308,16 +38449,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -805,7 +867,7 @@ +@@ -805,7 +867,25 @@ ') files_search_pids($1) - allow $1 xdm_var_run_t:file read_file_perms; + read_files_pattern($1, xdm_var_run_t, xdm_var_run_t) ++') ++ ++##################################### ++## ++## Dontaudit Read XDM pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_dontaudit_read_xdm_pid',` ++ gen_require(` ++ type xdm_var_run_t; ++ ') ++ ++ dontaudit $1 xdm_var_run_t:file read_file_perms; ') ######################################## -@@ -897,7 +959,7 @@ +@@ -897,7 +977,7 @@ ') logging_search_logs($1) @@ -38326,7 +38485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -916,7 +978,7 @@ +@@ -916,7 +996,7 @@ type xserver_log_t; ') 
@@ -38335,7 +38494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -964,6 +1026,44 @@ +@@ -964,6 +1044,44 @@ ######################################## ## @@ -38380,7 +38539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm temporary files. ## ## -@@ -1052,7 +1152,7 @@ +@@ -1052,7 +1170,7 @@ type xdm_tmp_t; ') @@ -38389,7 +38548,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1210,7 +1310,7 @@ +@@ -1187,6 +1305,25 @@ + stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) + ') + ++##################################### ++## ++## Dontaudit attempts to connect to xserver ++## over an unix stream socket. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`xserver_dontaudit_stream_connect',` ++ gen_require(` ++ type xserver_t, xserver_tmp_t; ++ ') ++ ++ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) ++') ++ + ######################################## + ## + ## Read X server temporary files. +@@ -1210,7 +1347,7 @@ ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -38398,7 +38583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## ## ## -@@ -1224,9 +1324,20 @@ +@@ -1224,9 +1361,20 @@ class x_device all_x_device_perms; class x_pointer all_x_pointer_perms; class x_keyboard all_x_keyboard_perms; @@ -38419,7 +38604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1250,3 +1361,330 @@ +@@ -1250,3 +1398,330 @@ typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') 
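Review bot: The new `xserver_dontaudit_stream_connect` interface grants access rather than silencing it: its body is `stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)`, the same allow pattern as the context line just above it, so every caller added to quiet a denial would silently be allowed to connect to the X server socket. A dontaudit interface should carry dontaudit rules, e.g. `dontaudit $1 xserver_tmp_t:sock_file write;` and `dontaudit $1 xserver_t:unix_stream_socket connectto;`, which is how `xserver_dontaudit_read_xdm_pid` in the previous hunk is written (`dontaudit $1 xdm_var_run_t:file read_file_perms;`). The doc summary could also drop the "an" before "unix".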
@@ -40597,7 +40782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-09-09 10:54:48.345085410 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/init.te 2011-01-07 14:44:25.100042432 +0100 @@ -1,5 +1,5 @@ -policy_module(init, 1.14.2) @@ -40671,15 +40856,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # For /var/run/shutdown.pid. allow init_t init_var_run_t:file manage_file_perms; -@@ -121,6 +139,7 @@ +@@ -121,6 +139,8 @@ corecmd_exec_bin(init_t) dev_read_sysfs(init_t) ++dev_read_urand(init_t) +dev_rw_generic_chr_files(init_t) domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -169,6 +188,8 @@ +@@ -169,6 +189,8 @@ miscfiles_read_localization(init_t) @@ -40688,7 +40874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -192,10 +213,23 @@ +@@ -192,10 +214,23 @@ ') optional_policy(` @@ -40712,7 +40898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t nscd_socket_use(init_t) ') -@@ -213,7 +247,7 @@ +@@ -213,7 +248,7 @@ # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -40721,7 +40907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -242,6 +276,7 @@ +@@ -242,6 +277,7 @@ allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
@@ -40729,7 +40915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) -@@ -259,13 +294,22 @@ +@@ -259,13 +295,22 @@ kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -40753,7 +40939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corenet_all_recvfrom_unlabeled(initrc_t) corenet_all_recvfrom_netlabel(initrc_t) -@@ -299,6 +343,7 @@ +@@ -299,6 +344,7 @@ dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -40761,7 +40947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corecmd_exec_all_executables(initrc_t) -@@ -325,8 +370,10 @@ +@@ -325,8 +371,10 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -40773,7 +40959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -342,6 +389,8 @@ +@@ -342,6 +390,8 @@ files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -40782,7 +40968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) -@@ -352,6 +401,8 @@ +@@ -352,6 +402,8 @@ fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -40791,7 +40977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -364,6 +415,7 @@ +@@ -364,6 +416,7 @@ mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -40799,7 +40985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t selinux_get_enforce_mode(initrc_t) -@@ -395,15 +447,16 @@ +@@ -395,15 +448,16 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -40818,7 +41004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # TTYs to any process in the initrc_t domain. Therefore, daemons and such # started from init should be placed in their own domain. userdom_use_user_terminals(initrc_t) -@@ -437,6 +490,10 @@ +@@ -437,6 +491,10 @@ dev_create_generic_dirs(initrc_t) dev_delete_generic_dirs(initrc_t) @@ -40829,7 +41015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # openrc uses tmpfs for its state data fs_tmpfs_filetrans(initrc_t, initrc_state_t, { dir file fifo_file lnk_file }) -@@ -471,7 +528,7 @@ +@@ -471,7 +529,7 @@ # Red Hat systems seem to have a stray # fd open from the initrd @@ -40838,7 +41024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -495,6 +552,12 @@ +@@ -495,6 +553,12 @@ fs_read_tmpfs_symlinks(initrc_t) fs_rw_tmpfs_chr_files(initrc_t) @@ -40851,7 +41037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t storage_manage_fixed_disk(initrc_t) storage_dev_filetrans_fixed_disk(initrc_t) storage_getattr_removable_dev(initrc_t) -@@ -517,6 +580,23 @@ +@@ -517,6 +581,23 @@ optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -40875,7 +41061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -528,6 +608,8 @@ +@@ -528,6 +609,8 @@ optional_policy(` sysnet_rw_dhcp_config(initrc_t) sysnet_manage_config(initrc_t) 
@@ -40884,7 +41070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -542,6 +624,35 @@ +@@ -542,6 +625,35 @@ ') ') @@ -40920,7 +41106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -554,6 +665,8 @@ +@@ -554,6 +666,8 @@ optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -40929,7 +41115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -578,6 +691,11 @@ +@@ -578,6 +692,11 @@ ') optional_policy(` @@ -40941,7 +41127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -594,6 +712,7 @@ +@@ -594,6 +713,7 @@ dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -40949,7 +41135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` consolekit_dbus_chat(initrc_t) -@@ -695,7 +814,13 @@ +@@ -695,7 +815,13 @@ ') optional_policy(` @@ -40963,7 +41149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -718,6 +843,10 @@ +@@ -718,6 +844,10 @@ ') optional_policy(` @@ -40974,7 +41160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -739,6 +868,10 @@ +@@ -739,6 +869,10 @@ ') optional_policy(` @@ -40985,7 +41171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -760,8 +893,6 @@ +@@ -760,8 +894,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -40994,7 +41180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -770,14 +901,21 @@ +@@ -770,14 +902,21 @@ ') optional_policy(` @@ -41016,7 +41202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -790,6 +928,7 @@ +@@ -790,6 +929,7 @@ optional_policy(` udev_rw_db(initrc_t) @@ -41024,7 +41210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t udev_manage_pid_files(initrc_t) ') -@@ -798,11 +937,19 @@ +@@ -798,11 +938,19 @@ ') optional_policy(` @@ -41045,7 +41231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -812,6 +959,25 @@ +@@ -812,6 +960,25 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -41071,7 +41257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -837,3 +1003,35 @@ +@@ -837,3 +1004,35 @@ optional_policy(` zebra_read_config(initrc_t) ') 
@@ -41561,8 +41747,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.19/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/iscsi.te 2010-11-08 16:19:07.128446678 +0100 -@@ -77,9 +77,12 @@ ++++ serefpolicy-3.7.19/policy/modules/system/iscsi.te 2011-01-03 08:55:36.369042409 +0100 +@@ -32,7 +32,9 @@ + # + + allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; ++dontaudit iscsid_t self:capability { sys_ptrace }; + allow iscsid_t self:process { setrlimit setsched signal }; ++ + allow iscsid_t self:fifo_file rw_fifo_file_perms; + allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow iscsid_t self:unix_dgram_socket create_socket_perms; +@@ -65,6 +67,7 @@ + + kernel_read_network_state(iscsid_t) + kernel_read_system_state(iscsid_t) ++kernel_setsched(iscsid_t) + + corenet_all_recvfrom_unlabeled(iscsid_t) + corenet_all_recvfrom_netlabel(iscsid_t) +@@ -77,9 +80,12 @@ dev_rw_sysfs(iscsid_t) dev_rw_userio_dev(iscsid_t) @@ -41575,7 +41779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. files_read_etc_files(iscsid_t) -@@ -92,5 +95,5 @@ +@@ -92,5 +98,5 @@ miscfiles_read_localization(iscsid_t) optional_policy(` 
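Review bot: `dontaudit iscsid_t self:capability { sys_ptrace };` silences a capability denial without saying what operation produces it, so a later reader cannot tell whether the dontaudit is still appropriate or is masking a real need; a one-line reason comment above it naming the triggering operation would fix that. Refpolicy style writes a single permission without braces, `dontaudit iscsid_t self:capability sys_ptrace;`, matching the surrounding self rules. `kernel_setsched(iscsid_t)` in the second inner hunk is a new privilege and deserves the same one-line justification.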
@@ -41598,7 +41802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump. dev_read_sysfs(kdump_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.19/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-11-11 16:35:19.332397032 +0100 ++++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2011-01-03 15:19:24.272041163 +0100 @@ -127,17 +127,23 @@ /usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -41668,7 +41872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -319,14 +320,153 @@ +@@ -319,14 +320,155 @@ /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -41821,6 +42025,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/local/lexmark/lxk08/lib(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/vlc/plugins/video_filter/libvideo_filter_wrapper_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/nsr/(.*/)?.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/qutim/libplugman\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ +/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
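Review bot: `/usr/lib(64)?/qutim/libplugman\.so` is a fixed filename, while textrel_shlib_t entries such as `/usr/lib64/altivec/libavcodec\.so(\.[^/]*)*` in this file use `(\.[^/]*)*` to catch versioned sonames; if the library is installed as libplugman.so.N the label will not apply. If a versioned install is possible the entry would be `/usr/lib(64)?/qutim/libplugman\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. Since textrel_shlib_t permits execmod, keeping each entry matched to exactly the intended file is worth the extra care either way.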
@@ -41977,7 +42183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.19/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/logging.fc 2010-05-28 09:42:00.501610645 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/logging.fc 2011-01-03 10:28:54.454042244 +0100 @@ -17,6 +17,10 @@ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) @@ -41989,7 +42195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) -@@ -54,14 +58,16 @@ +@@ -54,18 +58,24 @@ /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') @@ -42010,9 +42216,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) -@@ -69,3 +75,5 @@ + /var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++ /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) 
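Review bot: `/var/stockmaniac/templates_cache(/.*)?` is labelled with the generic var_log_t, which makes an application cache tree writable by every domain that already manages var_log_t and readable by every log reader; the changelog says the directory contains log files, but a cache tree usually holds more than that. If the application has no module of its own, a comment above the entry, `# stockmaniac keeps its log files under its templates_cache tree`, would at least record why a cache path carries a log type. Putting an application path in logging.fc is also unusual for this file, whose other entries are spool and daemon log locations.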
@@ -44582,7 +44790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.19/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-10-05 17:05:56.764651628 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2011-01-07 10:38:30.725042747 +0100 @@ -1,11 +1,18 @@ -policy_module(sysnetwork, 1.10.3) @@ -44693,7 +44901,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -306,6 +338,8 @@ +@@ -291,6 +323,10 @@ + term_dontaudit_use_ptmx(ifconfig_t) + term_dontaudit_use_generic_ptys(ifconfig_t) + ++# needed in signle user mode in MLS ++# bug #667071 ++term_read_console(ifconfig_t) ++ + files_dontaudit_read_root_files(ifconfig_t) + + init_use_fds(ifconfig_t) +@@ -306,6 +342,8 @@ seutil_use_runinit_fds(ifconfig_t) @@ -44702,7 +44921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) -@@ -328,6 +362,8 @@ +@@ -328,6 +366,8 @@ optional_policy(` hal_dontaudit_rw_pipes(ifconfig_t) hal_dontaudit_rw_dgram_sockets(ifconfig_t) @@ -44711,7 +44930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -348,6 +384,7 @@ +@@ -348,6 +388,7 @@ optional_policy(` unconfined_dontaudit_rw_pipes(ifconfig_t) @@ -44719,7 +44938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -360,3 +397,9 @@ +@@ -360,3 +401,9 @@ xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 50853c9..8baf4da 100644 
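Review bot: The comment on the new `term_read_console(ifconfig_t)` rule reads `# needed in signle user mode in MLS`; "signle" should be "single", and the bug reference on the following line reads better folded into it: `# needed in single user mode in MLS (bug #667071)`. The rule itself is read-only on the console, which is the narrow choice for this fix.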
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 80%{?dist}
+Release: 81%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,17 @@ exit 0
 %endif
 %changelog
+* Fri Jan 7 2011 Miroslav Grepl 3.7.19-81
+- Allow s-c-samba to read usr files
+- Make kernel_t domain MLS trusted for lowering the level of files
+- Add label for /var/lib/tftpboot/grub directory
+- Fixes for iscsi policy
+- Allow dmesg to read system state
+- squid apache script connects to the squid port
+- /var/stockmaniac/templates_cache contains log files
+- Allow radius to communicate with postgresql
+- Add transition from unconfined_java_t to wine_t
+
 * Wed Dec 22 2010 Miroslav Grepl 3.7.19-80
 - Allow apache to read cobbler lib files