diff --git a/modules-minimum.conf b/modules-minimum.conf index c7f331c..e16ab64 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -2051,6 +2051,13 @@ xguest = module # courier = module +# Layer: services +# Module: denyhosts +# +# script to help thwart ssh server attacks +# +denyhosts = module + # Layer: apps # Module: livecd # diff --git a/modules-targeted.conf b/modules-targeted.conf index 9ec5785..ea24ca1 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2051,6 +2051,13 @@ xguest = module # courier = module +# Layer: services +# Module: denyhosts +# +# script to help thwart ssh server attacks +# +denyhosts = module + # Layer: apps # Module: livecd # diff --git a/policy-20100106.patch b/policy-20100106.patch index bc8da10..1ea23d0 100644 --- a/policy-20100106.patch +++ b/policy-20100106.patch @@ -904,6 +904,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Declarations +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.6.32/policy/modules/admin/shorewall.te +--- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-01-18 18:24:22.571542610 +0100 ++++ serefpolicy-3.6.32/policy/modules/admin/shorewall.te 2010-04-13 14:13:03.163602020 +0200 +@@ -90,6 +90,10 @@ + userdom_dontaudit_list_admin_dir(shorewall_t) + + optional_policy(` ++ hostname_exec(shorewall_t) ++') ++ ++optional_policy(` + iptables_domtrans(shorewall_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.fc serefpolicy-3.6.32/policy/modules/admin/shutdown.fc --- nsaserefpolicy/policy/modules/admin/shutdown.fc 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/shutdown.fc 2010-03-11 21:20:40.173442296 +0100 
@@ -1222,7 +1236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.32/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 2010-01-18 18:24:22.588542189 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2010-03-26 07:54:33.452601074 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2010-04-13 15:01:31.593601647 +0200 @@ -23,8 +23,7 @@ # # chrome_sandbox local policy @@ -1233,7 +1247,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; allow chrome_sandbox_t self:fifo_file manage_file_perms; allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms; -@@ -45,10 +44,14 @@ +@@ -45,9 +44,14 @@ domain_dontaudit_read_all_domains_state(chrome_sandbox_t) @@ -1242,13 +1256,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +dev_rwx_zero(chrome_sandbox_t) files_read_etc_files(chrome_sandbox_t) - -+fs_dontaudit_getattr_all_fs(chrome_sandbox_t) ++files_read_usr_files(chrome_sandbox_t) + ++fs_dontaudit_getattr_all_fs(chrome_sandbox_t) + userdom_rw_user_tmpfs_files(chrome_sandbox_t) userdom_use_user_ptys(chrome_sandbox_t) - userdom_write_inherited_user_tmp_files(chrome_sandbox_t) -@@ -59,15 +62,17 @@ +@@ -59,15 +63,17 @@ miscfiles_read_fonts(chrome_sandbox_t) optional_policy(` 
@@ -1539,7 +1553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.32/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2010-01-18 18:24:22.605530382 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/gpg.te 2010-03-11 21:20:40.181057088 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/gpg.te 2010-04-13 14:14:27.276601329 +0200 @@ -112,11 +112,6 @@ userdom_use_user_terminals(gpg_t) @@ -1569,7 +1583,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # rlimit: gpg-agent wants to prevent coredumps allow gpg_agent_t self:process setrlimit; -@@ -271,6 +269,6 @@ +@@ -205,6 +203,7 @@ + # allow gpg to connect to the gpg agent + stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) + ++corecmd_read_bin_symlinks(gpg_agent_t) + corecmd_search_bin(gpg_agent_t) + + domain_use_interactive_fds(gpg_agent_t) +@@ -271,6 +270,6 @@ ') optional_policy(` @@ -2150,7 +2172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 2010-01-18 18:24:22.648539903 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-02-11 17:41:13.265459296 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-04-13 14:58:43.176867747 +0200 @@ -29,7 +29,7 @@ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; role $2 types sandbox_domain; 
@@ -2181,7 +2203,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern($1, sandbox_file_type, sandbox_file_type); manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type); -@@ -103,9 +104,10 @@ +@@ -79,6 +80,8 @@ + type $1_t, sandbox_domain; + domain_type($1_t) + ++ mls_rangetrans_target($1_t) ++ + type $1_file_t, sandbox_file_type; + files_type($1_file_t) + +@@ -103,9 +106,10 @@ # template(`sandbox_x_domain_template',` gen_require(` @@ -2193,16 +2224,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') type $1_t, sandbox_x_domain; -@@ -122,7 +124,7 @@ +@@ -121,8 +125,13 @@ + manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) ++ type $1_devpts_t; ++ term_pty($1_devpts_t) ++ term_create_pty($1_t, $1_devpts_t) ++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; ++ # window manager - miscfiles_setattr_fonts_dirs($1_t) + miscfiles_setattr_fonts_cache_dirs($1_t) allow $1_t self:capability setuid; type $1_client_t, sandbox_x_domain; -@@ -156,6 +158,8 @@ +@@ -156,6 +165,8 @@ ps_process_pattern(sandbox_xserver_t, $1_t) allow sandbox_xserver_t $1_client_t:shm rw_shm_perms; allow sandbox_xserver_t $1_t:shm rw_shm_perms; @@ -2211,7 +2248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol can_exec($1_client_t, $1_file_t) manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t) -@@ -163,10 +167,6 @@ +@@ -163,10 +174,6 @@ manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t) manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t) manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t) 
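Review bot: The new `type $1_devpts_t;` / `term_pty($1_devpts_t)` declaration is dropped into the middle of `sandbox_x_domain_template`, after the `manage_sock_files_pattern` rule and before the `# window manager` comment, whereas the template keeps its declarations together at the top (`type $1_t, sandbox_x_domain;`, `type $1_file_t, …`) and the sibling `sandbox_domain_template` in this same hunk puts `mls_rangetrans_target($1_t)` there too. Move the two declaration lines up beside `type $1_t, sandbox_x_domain;` and leave `term_create_pty($1_t, $1_devpts_t)` and the `allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };` rule where they are, with a one-line why-comment such as `# private pty type for the sandboxed application`. Both templates continue past the edges of the hunk.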
@@ -2222,18 +2259,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -187,3 +187,39 @@ +@@ -176,7 +183,7 @@ + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access + ## + ## + # +@@ -187,3 +194,94 @@ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms; ') + +######################################## +## -+## allow domain to delete sandbox files ++## Delete sandbox files +## +## +## -+## Domain to not audit. ++## Domain allowed access +## +## +# @@ -2247,11 +2293,48 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Delete sandbox sock files ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_delete_sock_files',` ++ gen_require(` ++ attribute sandbox_file_type; ++ ') ++ ++ delete_sock_files_pattern($1, sandbox_file_type, sandbox_file_type) ++') ++ ++######################################## ++## ++## Allow domain to set the attributes ++## of the sandbox directory. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_setattr_dirs',` ++ gen_require(` ++ attribute sandbox_file_type; ++ ') ++ ++ allow $1 sandbox_file_type:dir setattr; ++') ++ ++######################################## ++## +## allow domain to delete sandbox files +## +## +## -+## Domain to not audit. ++## Domain allowed access +## +## +# 
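Review bot: `sandbox_setattr_dirs` grants `setattr` on `sandbox_file_type:dir` with a bare `allow`, while the neighbouring `sandbox_delete_sock_files` added in the same hunk uses the `delete_sock_files_pattern` macro; for consistency, and to get the parent-directory search the pattern macros carry, write it as `setattr_dirs_pattern($1, sandbox_file_type, sandbox_file_type)`. The interface whose parameter description is corrected at the end of the hunk starts here but its body lies outside the hunk.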
@@ -2262,9 +2345,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type) +') ++ ++######################################## ++## ++## allow domain to list sandbox dirs ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_list',` ++ gen_require(` ++ attribute sandbox_file_type; ++ ') ++ ++ allow $1 sandbox_file_type:dir list_dir_perms; ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 2010-01-18 18:24:22.649539960 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-02-11 17:45:05.778708766 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-04-13 14:57:35.509601481 +0200 @@ -10,14 +10,15 @@ # @@ -2282,7 +2383,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type sandbox_xserver_tmpfs_t; files_tmpfs_file(sandbox_xserver_tmpfs_t) -@@ -92,10 +93,6 @@ +@@ -81,6 +82,7 @@ + logging_send_audit_msgs(sandbox_xserver_t) + + userdom_use_user_terminals(sandbox_xserver_t) ++userdom_dontaudit_search_user_home_content(sandbox_xserver_t) + + xserver_entry_type(sandbox_xserver_t) + +@@ -92,10 +94,6 @@ ') ') 
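Review bot: `sandbox_list` does not follow the `<module>_<access>_<object>` naming the other new interfaces use (`sandbox_delete_sock_files`, `sandbox_setattr_dirs`); `sandbox_list_dirs` (or `sandbox_list_all_dirs`, since it covers the whole `sandbox_file_type` attribute) says what is granted, and the body can use the macro form `list_dirs_pattern($1, sandbox_file_type, sandbox_file_type)`. Its summary should also be a capitalised sentence in refpolicy style: `## List sandbox directories.`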
@@ -2293,16 +2402,49 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # sandbox local policy -@@ -104,7 +101,7 @@ +@@ -103,17 +101,26 @@ + ## internal communication is often done using fifo and unix sockets. allow sandbox_domain self:fifo_file manage_file_perms; ++allow sandbox_domain self:sem create_sem_perms; ++allow sandbox_domain self:shm create_shm_perms; ++allow sandbox_domain self:msgq create_msgq_perms; allow sandbox_domain self:unix_stream_socket create_stream_socket_perms; -allow sandbox_domain self:unix_dgram_socket create_socket_perms; +allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; ++ ++dev_rw_all_inherited_chr_files(sandbox_domain) ++dev_rw_all_inherited_blk_files(sandbox_domain) gen_require(` type usr_t, lib_t, locale_t; -@@ -132,7 +129,7 @@ + attribute exec_type; + ') + +-files_rw_all_inherited_files(sandbox_domain, -exec_type -usr_t -lib_t -locale_t ) ++files_rw_all_inherited_files(sandbox_domain, -exec_type -etc_t -usr_t -lib_t -locale_t ) + files_entrypoint_all_files(sandbox_domain) + ++files_read_etc_files(sandbox_domain) ++files_read_usr_files(sandbox_domain) ++ + miscfiles_read_localization(sandbox_domain) + + kernel_dontaudit_read_system_state(sandbox_domain) +@@ -125,14 +132,19 @@ + # + # sandbox_x_domain local policy + # +-## internal communication is often done using fifo and unix sockets. 
++ + allow sandbox_x_domain self:fifo_file manage_file_perms; ++allow sandbox_x_domain self:sem create_sem_perms; ++allow sandbox_x_domain self:shm create_shm_perms; ++allow sandbox_x_domain self:msgq create_msgq_perms; ++allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; ++allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms }; + allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; + allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem }; allow sandbox_x_domain self:shm create_shm_perms; allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms }; @@ -2311,7 +2453,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto; dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -@@ -161,14 +158,14 @@ +@@ -161,14 +173,14 @@ auth_dontaudit_read_login_records(sandbox_x_domain) auth_dontaudit_write_login_records(sandbox_x_domain) @@ -2328,7 +2470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_getattr_pty_fs(sandbox_x_domain) term_use_ptmx(sandbox_x_domain) -@@ -179,12 +176,24 @@ +@@ -179,12 +191,24 @@ miscfiles_read_fonts(sandbox_x_domain) optional_policy(` @@ -2355,7 +2497,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') userdom_dontaudit_use_user_terminals(sandbox_x_domain) -@@ -207,10 +216,8 @@ +@@ -207,10 +231,8 @@ corenet_tcp_connect_ipp_port(sandbox_x_client_t) 
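Review bot: `dev_rw_all_inherited_chr_files(sandbox_domain)` and `dev_rw_all_inherited_blk_files(sandbox_domain)` let every sandbox domain read and write any device node whose open descriptor it inherits, block devices included, in the same hunk that narrows `files_rw_all_inherited_files` by excluding `etc_t`; if the launcher ever leaks a descriptor to a disk or memory device, the sandboxed program could write to it. If the real need is the tty/pty and null-style devices a sandboxed program is handed, grant those device types instead, or at least exclude the fixed-disk and raw-memory types if these interfaces accept an exclusion list the way `files_rw_all_inherited_files` does. Separately, the sandbox_x_domain block now states `allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;` and `allow sandbox_x_domain self:shm create_shm_perms;` twice each, since the pre-existing rules remain a few lines below the added ones; drop the added copies. The sandbox_x_domain section continues past the end of the hunk.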
@@ -2367,7 +2509,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_get_fs_mount(sandbox_x_client_t) selinux_validate_context(sandbox_x_client_t) selinux_compute_access_vector(sandbox_x_client_t) -@@ -239,6 +246,8 @@ +@@ -239,6 +261,8 @@ kernel_dontaudit_search_kernel_sysctl(sandbox_web_client_t) dev_read_rand(sandbox_web_client_t) @@ -2376,7 +2518,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Browse the web, connect to printer corenet_all_recvfrom_unlabeled(sandbox_web_client_t) -@@ -249,14 +258,19 @@ +@@ -249,14 +273,18 @@ corenet_raw_sendrecv_all_nodes(sandbox_web_client_t) corenet_tcp_sendrecv_http_port(sandbox_web_client_t) corenet_tcp_sendrecv_http_cache_port(sandbox_web_client_t) @@ -2385,7 +2527,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_sendrecv_ipp_port(sandbox_web_client_t) +corenet_tcp_connect_streaming_port(sandbox_web_client_t) +corenet_tcp_connect_pulseaudio_port(sandbox_web_client_t) -+corenet_tcp_connect_speech_port(sandbox_web_client_t) corenet_tcp_connect_http_port(sandbox_web_client_t) corenet_tcp_connect_http_cache_port(sandbox_web_client_t) corenet_tcp_connect_ftp_port(sandbox_web_client_t) @@ -2396,7 +2537,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_sendrecv_http_client_packets(sandbox_web_client_t) corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t) corenet_sendrecv_ftp_client_packets(sandbox_web_client_t) -@@ -265,9 +279,8 @@ +@@ -265,9 +293,8 @@ # Should not need other ports corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_client_t) corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t) 
@@ -2407,7 +2548,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_system_bus_client(sandbox_web_client_t) dbus_read_config(sandbox_web_client_t) -@@ -279,6 +292,8 @@ +@@ -279,6 +306,8 @@ selinux_compute_user_contexts(sandbox_web_client_t) seutil_read_default_contexts(sandbox_web_client_t) @@ -2416,7 +2557,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` nsplugin_read_rw_files(sandbox_web_client_t) nsplugin_rw_exec(sandbox_web_client_t) -@@ -310,7 +325,7 @@ +@@ -310,7 +339,7 @@ corenet_tcp_connect_all_ports(sandbox_net_client_t) corenet_sendrecv_all_client_packets(sandbox_net_client_t) @@ -2475,7 +2616,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read VMWare system configuration files. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.32/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2010-01-18 18:24:22.655542539 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/vmware.te 2010-03-10 16:02:37.539868524 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/vmware.te 2010-04-13 14:17:51.582850944 +0200 @@ -32,6 +32,10 @@ type vmware_host_pid_t alias vmware_var_run_t; files_pid_file(vmware_host_pid_t) 
@@ -2487,15 +2628,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type vmware_log_t; typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t }; typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t }; -@@ -78,6 +82,7 @@ +@@ -77,7 +81,10 @@ + allow vmware_host_t self:rawip_socket create_socket_perms; allow vmware_host_t self:tcp_socket create_socket_perms; ++can_exec(vmware_host_t, vmware_host_exec_t) ++ # cjp: the ro and rw files should be split up +manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t) manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t) manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) -@@ -87,6 +92,11 @@ +@@ -87,6 +94,11 @@ manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t) logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir }) @@ -2507,7 +2651,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(vmware_host_t) kernel_read_system_state(vmware_host_t) -@@ -157,7 +167,6 @@ +@@ -110,6 +122,7 @@ + corecmd_exec_bin(vmware_host_t) + corecmd_exec_shell(vmware_host_t) + ++dev_rw_generic_chr_files(vmware_host_t) + dev_getattr_all_blk_files(vmware_host_t) + dev_read_sysfs(vmware_host_t) + dev_read_urand(vmware_host_t) +@@ -157,7 +170,6 @@ optional_policy(` xserver_read_tmp_files(vmware_host_t) xserver_read_xdm_pid(vmware_host_t) 
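Review bot: `dev_rw_generic_chr_files(vmware_host_t)` grants read/write on every character device that still carries the generic `device_t` label, which is far wider than the vmmon/vmnet nodes the host daemon presumably needs (the hunk does not show which node triggered the denial). The refpolicy way is a dedicated device type, so that a newly created, not-yet-labeled node does not become writable by the daemon as a side effect: label the nodes in the .fc file and use the tree's `vmware_device_t` / `dev_rw_vmware(vmware_host_t)` if this version has them, otherwise `rw_chr_files_pattern(vmware_host_t, device_t, vmware_device_t)` with a locally declared type. The vmware_host_t policy continues outside the hunk.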
@@ -2636,7 +2788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-01-18 18:24:22.665531100 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2010-03-01 09:10:51.189491683 +0100 ++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2010-04-13 14:46:24.660601774 +0200 @@ -166,6 +166,7 @@ /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) @@ -2645,10 +2797,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -218,8 +219,9 @@ +@@ -218,8 +219,11 @@ /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) -/usr/share/cluster/ocf-shellfunc -- gen_context(system_u:object_r:bin_t,s0) 
@@ -2656,7 +2810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0) -@@ -237,6 +239,7 @@ +@@ -237,6 +241,7 @@ /usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3251,7 +3405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-01-18 18:24:22.673530022 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-03-15 11:20:54.084614154 +0100 ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-04-13 15:11:45.584851392 +0200 @@ -29,14 +29,39 @@ ######################################## 
@@ -3457,114 +3611,145 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Get the attributes of the ksm devices. ## ## -@@ -1963,7 +2114,7 @@ +@@ -1925,9 +2076,9 @@ + filetrans_pattern($1, device_t, lirc_device_t, chr_file) + ') - ######################################## +-######################################## ++####################################### ## --## Delete the lvm control device. -+## Do not audit attempts to read and write lvm control device. +-## Read the lvm comtrol device. ++## Getattr the lvm comtrol device. ## ## ## -@@ -1971,17 +2122,17 @@ +@@ -1935,17 +2086,17 @@ ## ## # --interface(`dev_delete_lvm_control_dev',` -+interface(`dev_dontaudit_rw_lvm_control',` +-interface(`dev_read_lvm_control',` ++interface(`dev_getattr_lvm_control',` gen_require(` -- type device_t, lvm_control_t; -+ type lvm_control_t; + type device_t, lvm_control_t; ') -- delete_chr_files_pattern($1, device_t, lvm_control_t) -+ dontaudit $1 lvm_control_t:chr_file rw_file_perms; +- read_chr_files_pattern($1, device_t, lvm_control_t) ++ getattr_chr_files_pattern($1, device_t, lvm_control_t) ') ######################################## ## --## Do not audit attempts to read and write lvm control device. -+## Delete the lvm control device. +-## Read and write the lvm control device. ++## Read the lvm comtrol device. 
## ## ## -@@ -1989,15 +2140,14 @@ +@@ -1953,17 +2104,17 @@ ## ## # --interface(`dev_dontaudit_rw_lvm_control',` -+interface(`dev_delete_lvm_control_dev',` +-interface(`dev_rw_lvm_control',` ++interface(`dev_read_lvm_control',` gen_require(` -- type lvm_control_t; -+ type device_t, lvm_control_t; + type device_t, lvm_control_t; ') -- dontaudit $1 lvm_control_t:chr_file rw_file_perms; -+ delete_chr_files_pattern($1, device_t, lvm_control_t) +- rw_chr_files_pattern($1, device_t, lvm_control_t) ++ read_chr_files_pattern($1, device_t, lvm_control_t) ') -- ######################################## ## - ## dontaudit getattr raw memory devices (e.g. /dev/mem). -@@ -2018,7 +2168,7 @@ +-## Delete the lvm control device. ++## Read and write the lvm control device. + ## + ## + ## +@@ -1971,12 +2122,12 @@ + ## + ## + # +-interface(`dev_delete_lvm_control_dev',` ++interface(`dev_rw_lvm_control',` + gen_require(` + type device_t, lvm_control_t; + ') + +- delete_chr_files_pattern($1, device_t, lvm_control_t) ++ rw_chr_files_pattern($1, device_t, lvm_control_t) + ') ######################################## +@@ -1997,10 +2148,9 @@ + dontaudit $1 lvm_control_t:chr_file rw_file_perms; + ') + +- + ######################################## ## -## dontaudit getattr raw memory devices (e.g. /dev/mem). -+## Read raw memory devices (e.g. /dev/mem). ++## Delete the lvm control device. 
## ## ## -@@ -2026,34 +2176,35 @@ +@@ -2008,12 +2158,12 @@ ## ## # --interface(`dev_dontaudit_read_memory_dev',` -+interface(`dev_read_raw_memory',` +-interface(`dev_dontaudit_getattr_memory_dev',` ++interface(`dev_delete_lvm_control_dev',` gen_require(` - type memory_device_t; -+ type device_t, memory_device_t; -+ attribute memory_raw_read; ++ type device_t, lvm_control_t; ') -- dontaudit $1 memory_device_t:chr_file read_chr_file_perms; -+ read_chr_files_pattern($1, device_t, memory_device_t) -+ -+ allow $1 self:capability sys_rawio; -+ typeattribute $1 memory_raw_read; +- dontaudit $1 memory_device_t:chr_file getattr; ++ delete_chr_files_pattern($1, device_t, lvm_control_t) ') ######################################## - ## --## Read raw memory devices (e.g. /dev/mem). -+## Do not audit attempts to read raw memory devices -+## (e.g. /dev/mem). - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. +@@ -2026,12 +2176,12 @@ ## ## # --interface(`dev_read_raw_memory',` -+interface(`dev_dontaudit_read_raw_memory',` +-interface(`dev_dontaudit_read_memory_dev',` ++interface(`dev_dontaudit_getattr_memory_dev',` gen_require(` -- type device_t, memory_device_t; -- attribute memory_raw_read; -+ type memory_device_t; + type memory_device_t; ') -- read_chr_files_pattern($1, device_t, memory_device_t) -- -- allow $1 self:capability sys_rawio; -- typeattribute $1 memory_raw_read; -+ dontaudit $1 memory_device_t:chr_file read_chr_file_perms; +- dontaudit $1 memory_device_t:chr_file read_chr_file_perms; ++ dontaudit $1 memory_device_t:chr_file getattr; ') ######################################## -@@ -2468,6 +2619,26 @@ +@@ -2058,6 +2208,25 @@ + + ######################################## + ## ++## Do not audit attempts to read raw memory devices ++## (e.g. /dev/mem). ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`dev_dontaudit_read_raw_memory',` ++ gen_require(` ++ type memory_device_t; ++ ') ++ ++ dontaudit $1 memory_device_t:chr_file read_chr_file_perms; ++') ++ ++######################################## ++## + ## Write raw memory devices (e.g. /dev/mem). + ## + ## +@@ -2468,6 +2637,26 @@ ######################################## ## @@ -3591,7 +3776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write the memory type range registers (MTRR). ## ## -@@ -2590,8 +2761,7 @@ +@@ -2590,8 +2779,7 @@ type device_t, null_device_t; ') @@ -3601,7 +3786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2835,13 +3005,28 @@ +@@ -2835,13 +3023,28 @@ ######################################## ## ## Read from random number generator @@ -3631,7 +3816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # interface(`dev_read_rand',` gen_require(` -@@ -3383,13 +3568,22 @@ +@@ -3383,13 +3586,22 @@ ######################################## ## @@ -3656,7 +3841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # interface(`dev_read_sysfs',` gen_require(` -@@ -3425,13 +3619,54 @@ +@@ -3425,13 +3637,54 @@ ######################################## ## @@ -3712,7 +3897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # interface(`dev_read_urand',` gen_require(` -@@ -3553,6 +3788,24 @@ +@@ -3553,6 +3806,24 @@ ######################################## ## @@ -3737,7 +3922,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Mount a usbfs filesystem. ## ## -@@ -3741,6 +3994,24 @@ +@@ -3741,6 +4012,24 @@ getattr_chr_files_pattern($1, device_t, v4l_device_t) ') 
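Review bot: The summaries added for `dev_getattr_lvm_control` and `dev_read_lvm_control` both say `lvm comtrol device`; the typo is copied from the old text into new lines, so fix it there. Use the phrasing of the neighbouring `## Get the attributes of the ksm devices.`: `## Get the attributes of the lvm control device.` and `## Read the lvm control device.`. The rest of this hunk appears to be a reordering of the lvm-control and memory-device interfaces plus the new `dev_dontaudit_read_raw_memory`, whose body matches the dontaudit it replaces; callers of the old name elsewhere in the patch are not visible here.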
@@ -3897,7 +4082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.32/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2010-02-21 20:44:28.920309784 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.fc 2010-02-21 20:53:20.192309481 +0100 ++++ serefpolicy-3.6.32/policy/modules/kernel/files.fc 2010-04-13 15:27:35.562850211 +0200 @@ -100,7 +100,7 @@ # HOME_ROOT # expanded by genhomedircon @@ -3907,6 +4092,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol HOME_ROOT/\.journal <> HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) HOME_ROOT/lost\+found/.* <> +@@ -151,6 +151,10 @@ + /net -d gen_context(system_u:object_r:mnt_t,s0) + + # ++# /nsr ++# ++/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) ++# + # /opt + # + /opt -d gen_context(system_u:object_r:usr_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-02-21 20:44:28.921325502 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2010-04-08 10:43:26.768115113 +0200 @@ -5671,7 +5867,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_user_terminals(abrt_helper_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.32/policy/modules/services/afs.te --- nsaserefpolicy/policy/modules/services/afs.te 2010-01-18 18:24:22.729540009 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/afs.te 2010-04-02 10:04:52.832602649 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/afs.te 2010-04-13 14:21:06.657602292 +0200 @@ -1,5 +1,5 @@ -policy_module(afs, 1.5.0) 
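Review bot: `/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)` labels an entire tree with the generic `var_t`, so whatever lives under it (binaries, configuration and logs alike, if this is the NetWorker directory the path suggests) becomes readable by every domain with `files_read_var_files`; if a daemon using it is confined later this entry will have to give way to a dedicated type. At least say what `/nsr` is in the `# /nsr` header, e.g. `# /nsr (EMC NetWorker client tree)` once confirmed, and add a blank line after the entry, because the new closing `#` runs straight into the `# /opt` header unlike every other block in this file.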
@@ -5688,7 +5884,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow afs_t self:udp_socket create_socket_perms; allow afs_t self:fifo_file rw_file_perms; allow afs_t self:unix_stream_socket create_stream_socket_perms; -@@ -105,6 +105,12 @@ +@@ -88,6 +88,7 @@ + + fs_getattr_xattr_fs(afs_t) + fs_mount_nfs(afs_t) ++fs_read_nfs_symlinks(afs_t) + + kernel_rw_afs_state(afs_t) + +@@ -105,6 +106,12 @@ miscfiles_read_localization(afs_t) @@ -7167,6 +7371,185 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cdcc_t self:unix_dgram_socket create_socket_perms; allow cdcc_t self:udp_socket create_socket_perms; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.6.32/policy/modules/services/denyhosts.fc +--- nsaserefpolicy/policy/modules/services/denyhosts.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/denyhosts.fc 2010-04-13 14:45:02.621657560 +0200 +@@ -0,0 +1,7 @@ ++/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t, s0) ++ ++/usr/bin/denyhosts\.py -- gen_context(system_u:object_r:denyhosts_exec_t, s0) ++ ++/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t, s0) ++/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t, s0) ++/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t, s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.6.32/policy/modules/services/denyhosts.if +--- nsaserefpolicy/policy/modules/services/denyhosts.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/denyhosts.if 2010-04-13 14:45:02.622619355 +0200 +@@ -0,0 +1,87 @@ ++## Deny Hosts. ++## ++##

++## DenyHosts is a script intended to be run by Linux ++## system administrators to help thwart SSH server attacks ++## (also known as dictionary based attacks and brute force ++## attacks). ++##

++##
++ ++######################################## ++## ++## Execute a domain transition to run denyhosts. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`denyhosts_domtrans', ` ++ gen_require(` ++ type denyhosts_t, denyhosts_exec_t; ++ ') ++ ++ domtrans_pattern($1, denyhosts_exec_t, denyhosts_t) ++') ++ ++######################################## ++## ++## Execute denyhost server in the denyhost domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`denyhosts_initrc_domtrans', ` ++ gen_require(` ++ type denyhosts_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, denyhosts_initrc_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an denyhosts environment. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++# ++interface(`denyhosts_admin', ` ++ gen_require(` ++ type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t; ++ type denyhosts_var_log_t, denyhosts_initrc_exec_t; ++ ') ++ ++ allow $1 denyhosts_t:process { ptrace signal_perms getattr }; ++ ++ denyhosts_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 denyhosts_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ kernel_search_proc($1) ++ ps_process_pattern($1, denyhosts_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, denyhosts_var_lib_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, denyhosts_var_log_t) ++ ++ files_search_locks($1) ++ admin_pattern($1, denyhosts_var_lock_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.6.32/policy/modules/services/denyhosts.te +--- nsaserefpolicy/policy/modules/services/denyhosts.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/denyhosts.te 2010-04-13 14:45:02.622619355 +0200 +@@ -0,0 +1,73 @@ ++ 
++policy_module(denyhosts, 1.0.0) ++ ++######################################## ++# ++# DenyHosts personal declarations. ++# ++ ++type denyhosts_t; ++type denyhosts_exec_t; ++init_daemon_domain(denyhosts_t, denyhosts_exec_t) ++ ++type denyhosts_initrc_exec_t; ++init_script_file(denyhosts_initrc_exec_t) ++ ++type denyhosts_var_lib_t; ++files_type(denyhosts_var_lib_t) ++ ++type denyhosts_var_lock_t; ++files_lock_file(denyhosts_var_lock_t) ++ ++type denyhosts_var_log_t; ++logging_log_file(denyhosts_var_log_t) ++ ++######################################## ++# ++# DenyHosts personal policy. ++# ++ ++allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms; ++allow denyhosts_t self:tcp_socket create_socket_perms; ++allow denyhosts_t self:udp_socket create_socket_perms; ++ ++manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t) ++files_var_lib_filetrans(denyhosts_t, denyhosts_var_lib_t, file) ++ ++manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t) ++manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t) ++files_lock_filetrans(denyhosts_t, denyhosts_var_lock_t, { dir file }) ++ ++append_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) ++create_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) ++read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) ++setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) ++logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file) ++ ++corecmd_exec_bin(denyhosts_t) ++ ++corenet_all_recvfrom_unlabeled(denyhosts_t) ++corenet_all_recvfrom_netlabel(denyhosts_t) ++corenet_tcp_sendrecv_generic_if(denyhosts_t) ++corenet_tcp_sendrecv_generic_node(denyhosts_t) ++corenet_tcp_bind_generic_node(denyhosts_t) ++corenet_sendrecv_smtp_client_packets(denyhosts_t) ++corenet_tcp_connect_smtp_port(denyhosts_t) ++ ++dev_read_urand(denyhosts_t) ++ ++kernel_read_system_state(denyhosts_t) ++ 
++files_read_etc_files(denyhosts_t) ++ ++# /var/log/secure ++logging_read_generic_logs(denyhosts_t) ++ ++miscfiles_read_localization(denyhosts_t) ++ ++sysnet_manage_config(denyhosts_t) ++sysnet_etc_filetrans_config(denyhosts_t) ++ ++optional_policy(` ++ cron_system_entry(denyhosts_t, denyhosts_exec_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.32/policy/modules/services/devicekit.fc --- nsaserefpolicy/policy/modules/services/devicekit.fc 2010-01-18 18:24:22.778530038 +0100 +++ serefpolicy-3.6.32/policy/modules/services/devicekit.fc 2010-02-26 09:34:03.326558032 +0100 @@ -8788,11 +9171,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.6.32/policy/modules/services/inn.te --- nsaserefpolicy/policy/modules/services/inn.te 2009-09-16 16:01:19.000000000 +0200 -+++ serefpolicy-3.6.32/policy/modules/services/inn.te 2010-03-01 15:13:35.203742322 +0100 -@@ -104,6 +104,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/inn.te 2010-04-13 18:06:53.669607083 +0200 +@@ -104,6 +104,8 @@ sysnet_read_config(innd_t) ++userdom_dgram_send(innd_t) +userdom_stream_connect(innd_t) userdom_dontaudit_use_unpriv_user_fds(innd_t) userdom_dontaudit_search_user_home_dirs(innd_t) @@ -9448,7 +9832,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.32/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2010-01-18 18:24:22.813543710 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/mta.te 2010-02-02 10:43:31.244162625 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/mta.te 2010-04-13 14:33:39.218868826 +0200 @@ -132,6 +132,7 @@ optional_policy(` 
@@ -9457,19 +9841,190 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.32/policy/modules/services/munin.te ---- nsaserefpolicy/policy/modules/services/munin.te 2010-01-18 18:24:22.815530066 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/munin.te 2010-03-09 15:32:34.203753605 +0100 -@@ -104,6 +104,8 @@ +@@ -148,6 +149,10 @@ + ') + + optional_policy(` ++ munin_dontaudit_leaks(system_mail_t) ++') ++ ++optional_policy(` + nagios_read_tmp_files(system_mail_t) + ') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.32/policy/modules/services/munin.fc +--- nsaserefpolicy/policy/modules/services/munin.fc 2010-01-18 18:24:22.814530636 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/munin.fc 2010-04-13 14:26:18.277602306 +0200 +@@ -6,6 +6,61 @@ + /usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) + /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) - auth_use_nsswitch(munin_t) ++# disk plugins ++/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:munin_disk_plugin_exec_t,s0) ++/usr/share/munin/plugins/df.* -- gen_context(system_u:object_r:munin_disk_plugin_exec_t,s0) ++/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:munin_disk_plugin_exec_t,s0) ++/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:munin_disk_plugin_exec_t,s0) ++ ++# mail plugins ++/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0) ++/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0) ++/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0) ++/usr/share/munin/plugins/mailscanner -- 
gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0) ++/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0) ++/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0) ++/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0) ++ ++# services plugins ++/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/named -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/nut.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/samba -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/squid_.* -- 
gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++ ++# system plugins ++/usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/forks -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/if_.* -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/load -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/swap -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/users 
-- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++ + /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) + /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) + /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.6.32/policy/modules/services/munin.if +--- nsaserefpolicy/policy/modules/services/munin.if 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/munin.if 2010-04-13 15:08:54.365612326 +0200 +@@ -43,6 +43,24 @@ + files_search_etc($1) + ') + ++##################################### ++## ++## dontaudit read and write an leaked file descriptors ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`munin_dontaudit_leaks',` ++ gen_require(` ++ type munin_t; ++ ') ++ ++ dontaudit $1 munin_t:tcp_socket { read write }; ++') ++ + ####################################### + ## + ## Append to the munin log. +@@ -102,6 +120,54 @@ + dontaudit $1 munin_var_lib_t:dir search_dir_perms; + ') -+init_read_utmp(munin_t) ++###################################### ++## ++## Create a set of derived types for various ++## munin plugins, ++## ++## ++## ++## The name to be used for deriving type names. 
++## ++## ++# ++template(`munin_plugin_template',` ++ ++ gen_require(` ++ type munin_t, munin_exec_t; ++ type munin_etc_t; ++ ') ++ ++ type munin_$1_plugin_t; ++ type munin_$1_plugin_exec_t; ++ application_domain(munin_$1_plugin_t, munin_$1_plugin_exec_t) ++ role system_r types munin_$1_plugin_t; ++ ++ type munin_$1_plugin_tmp_t; ++ files_tmp_file(munin_$1_plugin_tmp_t) ++ ++ allow munin_$1_plugin_t self:fifo_file rw_fifo_file_perms; ++ ++ manage_files_pattern(munin_$1_plugin_t, munin_$1_plugin_tmp_t, munin_$1_plugin_tmp_t) ++ manage_dirs_pattern(munin_$1_plugin_t, munin_$1_plugin_tmp_t, munin_$1_plugin_tmp_t) ++ files_tmp_filetrans(munin_$1_plugin_t, munin_$1_plugin_tmp_t, { dir file }) ++ ++ # automatic transition rules from munin domain ++ # to specific munin plugin domain ++ domtrans_pattern(munin_t, munin_$1_plugin_exec_t, munin_$1_plugin_t) ++ ++ allow munin_$1_plugin_t munin_exec_t:file read_file_perms; ++ allow munin_$1_plugin_t munin_t:tcp_socket rw_socket_perms; ++ ++ read_lnk_files_pattern(munin_$1_plugin_t, munin_etc_t, munin_etc_t) ++ ++ kernel_read_system_state(munin_$1_plugin_t) ++ ++ corecmd_exec_bin(munin_$1_plugin_t) ++ ++ miscfiles_read_localization(munin_$1_plugin_t) ++') + - logging_send_syslog_msg(munin_t) - logging_read_all_logs(munin_t) + ######################################## + ## + ## All of the rules required to administrate +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.32/policy/modules/services/munin.te +--- nsaserefpolicy/policy/modules/services/munin.te 2010-01-18 18:24:22.815530066 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/munin.te 2010-04-13 14:38:35.134852697 +0200 +@@ -28,6 +28,20 @@ + type munin_var_run_t alias lrrd_var_run_t; + files_pid_file(munin_var_run_t) -@@ -134,6 +136,7 @@ ++# munin plugins declaration ++ ++munin_plugin_template(disk) ++permissive munin_disk_plugin_t; ++ ++munin_plugin_template(mail) ++permissive 
munin_mail_plugin_t; ++ ++munin_plugin_template(services) ++permissive munin_services_plugin_t; ++ ++munin_plugin_template(system) ++permissive munin_system_plugin_t; ++ + ######################################## + # + # Local policy +@@ -134,6 +148,7 @@ optional_policy(` mta_read_config(munin_t) mta_send_mail(munin_t) 
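Review bot: The four `permissive munin_*_plugin_t;` declarations added to munin.te in this hunk leave every new plugin domain unenforced, so the rules in `munin_plugin_template` and in the per-plugin blocks of the next hunk only produce AVC messages and never block anything. That is a reasonable way to shake out a fresh policy, but nothing in the file says it is temporary; a comment beside the block such as `# TODO: remove permissive once the plugin domains have been run in enforcing mode` would keep it from being shipped that way indefinitely. The summary of the new `munin_dontaudit_leaks` interface in munin.if reads `dontaudit read and write an leaked file descriptors`; `Do not audit attempts to read and write leaked munin tcp sockets.` matches the rule beneath it. The `munin_plugin_template` summary also ends in a stray comma (`munin plugins,`).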
@@ -9477,6 +10032,154 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mta_read_queue(munin_t) ') +@@ -166,3 +181,147 @@ + optional_policy(` + udev_read_db(munin_t) + ') ++ ++################################### ++# ++# local policy for disk plugins ++# ++ ++allow munin_disk_plugin_t self:tcp_socket create_stream_socket_perms; ++ ++rw_files_pattern(munin_disk_plugin_t, munin_var_lib_t, munin_var_lib_t) ++ ++corenet_tcp_connect_hddtemp_port(munin_disk_plugin_t) ++ ++corecmd_exec_shell(munin_disk_plugin_t) ++ ++files_read_etc_files(munin_disk_plugin_t) ++files_read_etc_runtime_files(munin_disk_plugin_t) ++ ++fs_getattr_all_fs(munin_disk_plugin_t) ++ ++dev_getattr_lvm_control(munin_disk_plugin_t) ++ ++dev_read_sysfs(munin_disk_plugin_t) ++dev_read_urand(munin_disk_plugin_t) ++ ++storage_getattr_fixed_disk_dev(munin_disk_plugin_t) ++ ++sysnet_read_config(munin_disk_plugin_t) ++ ++optional_policy(` ++ hddtemp_exec(munin_disk_plugin_t) ++') ++ ++optional_policy(` ++ fstools_exec(munin_disk_plugin_t) ++') ++ ++#################################### ++# ++# local policy for mail plugins ++# ++ ++allow munin_mail_plugin_t self:capability dac_override; ++ ++rw_files_pattern(munin_mail_plugin_t, munin_var_lib_t, munin_var_lib_t) ++ ++dev_read_urand(munin_mail_plugin_t) ++ ++files_read_etc_files(munin_mail_plugin_t) ++ ++fs_getattr_all_fs(munin_mail_plugin_t) ++ ++logging_read_generic_logs(munin_mail_plugin_t) ++ ++mta_read_config(munin_mail_plugin_t) ++mta_send_mail(munin_mail_plugin_t) ++mta_list_queue(munin_mail_plugin_t) ++mta_read_queue(munin_mail_plugin_t) ++ ++optional_policy(` ++ postfix_read_config(munin_mail_plugin_t) ++ postfix_list_spool(munin_mail_plugin_t) ++ postfix_getattr_spool_files(munin_mail_plugin_t) ++') ++ ++optional_policy(` ++ sendmail_read_log(munin_mail_plugin_t) ++') ++ ++################################### ++# ++# local policy for service plugins ++# ++ ++allow munin_services_plugin_t self:tcp_socket 
create_stream_socket_perms; ++allow munin_services_plugin_t self:udp_socket create_socket_perms; ++allow munin_services_plugin_t self:netlink_route_socket r_netlink_socket_perms; ++ ++corenet_tcp_connect_all_ports(munin_services_plugin_t) ++corenet_tcp_connect_http_port(munin_services_plugin_t) ++ ++dev_read_urand(munin_services_plugin_t) ++dev_read_rand(munin_services_plugin_t) ++ ++fs_getattr_all_fs(munin_services_plugin_t) ++ ++files_read_etc_files(munin_services_plugin_t) ++ ++sysnet_read_config(munin_services_plugin_t) ++ ++optional_policy(` ++ cups_stream_connect(munin_services_plugin_t) ++') ++ ++optional_policy(` ++ lpd_exec_lpr(munin_services_plugin_t) ++') ++ ++optional_policy(` ++ mysql_read_config(munin_services_plugin_t) ++ mysql_stream_connect(munin_services_plugin_t) ++') ++ ++optional_policy(` ++ netutils_domtrans_ping(munin_services_plugin_t) ++') ++ ++optional_policy(` ++ postgresql_stream_connect(munin_services_plugin_t) ++') ++ ++optional_policy(` ++ snmp_read_snmp_var_lib_files(munin_services_plugin_t) ++') ++ ++optional_policy(` ++ varnishd_read_lib_files(munin_services_plugin_t) ++') ++ ++################################## ++# ++# local policy for system plugins ++# ++ ++allow munin_system_plugin_t self:udp_socket create_socket_perms; ++ ++rw_files_pattern(munin_system_plugin_t, munin_var_lib_t, munin_var_lib_t) ++ ++kernel_read_network_state(munin_system_plugin_t) ++kernel_read_all_sysctls(munin_system_plugin_t) ++ ++corecmd_exec_shell(munin_system_plugin_t) ++ ++fs_getattr_all_fs(munin_system_plugin_t) ++ ++dev_read_sysfs(munin_system_plugin_t) ++dev_read_urand(munin_system_plugin_t) ++ ++domain_read_all_domains_state(munin_system_plugin_t) ++ ++# needed by users plugin ++init_read_utmp(munin_system_plugin_t) ++ ++sysnet_exec_ifconfig(munin_system_plugin_t) ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te --- 
nsaserefpolicy/policy/modules/services/mysql.te 2010-01-18 18:24:22.819530575 +0100 +++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2010-03-23 12:51:57.104389985 +0100 @@ -13337,6 +14040,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +auth_use_nsswitch(usbmuxd_t) + +logging_send_syslog_msg(usbmuxd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.6.32/policy/modules/services/varnishd.if +--- nsaserefpolicy/policy/modules/services/varnishd.if 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/varnishd.if 2010-04-13 14:36:06.397612500 +0200 +@@ -113,6 +113,25 @@ + manage_files_pattern($1, varnishlog_log_t, varnishlog_log_t) + ') + ++##################################### ++## ++## Read varnish lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`varnishd_read_lib_files',` ++ gen_require(` ++ type varnishd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t) ++') ++ + ###################################### + ## + ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.32/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2010-01-18 18:24:22.913542181 +0100 +++ serefpolicy-3.6.32/policy/modules/services/virt.if 2010-04-06 08:25:52.847789753 +0200 
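Review bot: `corenet_tcp_connect_all_ports(munin_services_plugin_t)` in the services-plugin block gives that domain outbound TCP to every port, which makes the `corenet_tcp_connect_http_port` call right after it redundant and is far wider than the services the plugins listed in munin.fc poll (apache, mysql, postgres, slapd, squid, tomcat, varnish, ...). If individual plugins really need arbitrary ports, a comment naming them would justify the grant; otherwise the per-service `corenet_tcp_connect_*_port` interfaces keep the network surface of a domain that is still declared permissive small. The mail-plugin block likewise grants `self:capability dac_override` without saying which plugin needs to bypass file permissions; the `# needed by users plugin` comment on `init_read_utmp` in the system-plugin block is the pattern to follow.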
@@ -16212,8 +16944,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 domain_read_all_domains_state(iscsid_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-03-30 16:31:01.466611238 +0200
-@@ -133,7 +133,7 @@
++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-04-13 15:32:35.079601752 +0200
+@@ -69,6 +69,8 @@
+ 
+ /opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
+ 
++/opt/lgtonmc/bin/.*\.so(\.[0-9])? gen_context(system_u:object_r:textrel_shlib_t,s0)
++
+ ifdef(`distro_gentoo',`
+ # despite the extensions, they are actually libs
+ /opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
+@@ -120,6 +122,8 @@
+ 
+ /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
++/usr/lib/nsr/(.*/)?.*\.so gen_context(system_u:object_r:textrel_shlib_t,s0)
++
+ /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -133,7 +137,7 @@
 /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
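Review bot: The new `/usr/lib/nsr/(.*/)?.*\.so` entry labels everything under that tree ending in `.so` as textrel_shlib_t, the type reserved for libraries that need text relocations; unlike its neighbours it omits the `--` file-type field, so directories and symlinks on the path get the label too, and `(.*/)?` is redundant because `.*` already crosses `/`. Restricting it to regular files, and using the versioned suffix the surrounding rules use if that is wanted, `/usr/lib/nsr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`, keeps the relocation-capable label to the libraries themselves. The `/opt/lgtonmc/bin/.*\.so(\.[0-9])?` entry has the same missing `--` and only matches a single-digit version suffix, whereas neighbouring rules use `(\.[^/]*)*`.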
@@ -16222,7 +16972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -245,8 +245,12 @@ +@@ -245,8 +249,12 @@ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -16235,7 +16985,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -333,6 +337,8 @@ +@@ -333,6 +341,8 @@ /usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -16244,7 +16994,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -377,9 +383,6 @@ +@@ -377,9 +387,6 @@ /usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -16254,7 +17004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -396,10 +399,8 @@ +@@ -396,10 +403,8 @@ /usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -16265,7 +17015,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -432,9 +433,23 @@ +@@ -432,9 +437,23 @@ /usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -16362,8 +17112,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow sulogin_t self:process setexec; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.32/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2010-01-18 18:24:22.949542779 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/logging.fc 2010-02-16 17:27:23.944598052 +0100 -@@ -24,6 +24,8 @@ ++++ serefpolicy-3.6.32/policy/modules/system/logging.fc 2010-04-13 15:28:25.428850067 +0200 +@@ -6,6 +6,8 @@ + /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) + /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) + ++/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++ + /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) + /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) + /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) +@@ -24,6 +26,8 @@ /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) @@ -16372,7 +17131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) -@@ -63,9 +65,14 @@ +@@ -63,9 +67,14 @@ /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) 
@@ -17111,15 +17870,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.32/policy/modules/system/sysnetwork.fc
 --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2010-01-18 18:24:22.968540028 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.fc 2010-03-01 16:01:07.867490672 +0100
-@@ -11,6 +11,7 @@
++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.fc 2010-04-13 14:47:39.733850947 +0200
+@@ -11,7 +11,10 @@
 /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
 +/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
++/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
++/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
 /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
 /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.32/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-01-18 18:24:22.969542320 +0100
 +++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if 2010-02-16 16:50:00.011598570 +0100
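Review bot: Labelling `/etc/hosts\.deny.*` as net_conf_t puts the TCP-wrappers deny list in the same type as /etc/hosts, resolv.conf and yp.conf, so every domain that already holds `sysnet_manage_config` or `sysnet_rw_config` — not only denyhosts_t, which gets `sysnet_manage_config` in the denyhosts.te hunk above, presumably so it can update this file — can now rewrite the list of blocked hosts, and a fault in any of them changes which peers are allowed to reach sshd. A dedicated type owned by the denyhosts module (a constructed `denyhosts_etc_t`, exposed through a narrow interface for the few consumers) would confine write access to the domain that needs it. The `/etc/denyhosts.*` entry has the same consideration, and without a `--` it also labels any directory of that name.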
@@ -17396,7 +18158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_search_mnt(xend_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-01-18 18:24:22.988541733 +0100
-+++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-02-25 12:03:02.296616618 +0100
++++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-04-13 15:18:36.940600248 +0200
 @@ -28,8 +28,7 @@
 #
 # All socket classes.
@@ -17416,7 +18178,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
 define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
-@@ -291,7 +290,8 @@
+@@ -274,7 +273,8 @@
+ define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
+ define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
+ define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
+-define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
++define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }')
++define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }')
+ define(`create_blk_file_perms',`{ getattr create }')
+ define(`rename_blk_file_perms',`{ getattr rename }')
+ define(`delete_blk_file_perms',`{ getattr unlink }')
+@@ -291,7 +291,8 @@
 define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
 define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
 define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 33361ea..cf5c8ef 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 110%{?dist} +Release: 111%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,13 @@ exit 0 %endif %changelog +* Tue Apr 13 2010 Miroslav Grepl 3.6.32-111 +- Allow shorewall to execute hostname +- Allow gpg-agent to read symbolic links in bin directories +- Allow vmware-host to read and write generic character device files +- Add munin plugin policy from F13 +- Add denyhosts polict from F13 + * Thu Apr 8 2010 Miroslav Grepl 3.6.32-110 - Add label for /opt/google/chrome/chrome-sandbox - Allow asterisk to bind and connect to sip tcp ports