From 485ded565a4071b6b38890242d6bd1d6ca622e14 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jan 05 2010 22:09:02 +0000 Subject: - Add cobbler policy from dgrift --- diff --git a/policy-F13.patch b/policy-F13.patch index 9cac576..c720937 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -1894,8 +1894,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.5/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/apps/chrome.te 2009-12-21 13:49:59.000000000 -0500 -@@ -0,0 +1,83 @@ ++++ serefpolicy-3.7.5/policy/modules/apps/chrome.te 2010-01-05 11:37:05.000000000 -0500 +@@ -0,0 +1,84 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -1961,7 +1961,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t +') + +optional_policy(` -+ gnome_write_inherited_config(chrome_sandbox_t) ++ gnome_rw_inherited_config(chrome_sandbox_t) ++ gnome_list_home_config(chrome_sandbox_t) +') + +optional_policy(` @@ -2338,8 +2339,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.5/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/apps/gnome.if 2009-12-21 13:07:09.000000000 -0500 -@@ -84,10 +84,201 @@ ++++ serefpolicy-3.7.5/policy/modules/apps/gnome.if 2010-01-05 10:04:21.000000000 -0500 +@@ -84,10 +84,207 @@ # interface(`gnome_manage_config',` gen_require(` @@ -2377,12 +2378,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if +## +## read gnome homedir content (.config) +## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## +## +## +## The type of the user domain. @@ -2403,12 +2398,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if +## +## read gconf config files +## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## +## +## +## The type of the user domain. @@ -2529,7 +2518,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if + +######################################## +## -+## Write all inherited gnome home config ++## read gnome homedir content (.config) ++## ++## ++## ++## The type of the user domain. ++## ++## ++# ++template(`gnome_list_home_config',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ allow $1 config_home_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Read/Write all inherited gnome home config +## +## +## @@ -2537,7 +2544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if +## +## +# -+interface(`gnome_write_inherited_config',` ++interface(`gnome_rw_inherited_config',` + gen_require(` + attribute gnome_home_type; + ') @@ -4737,8 +4744,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# No types are sandbox_exec_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.5/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/apps/sandbox.if 2009-12-22 11:04:52.000000000 -0500 -@@ -0,0 +1,222 @@ ++++ serefpolicy-3.7.5/policy/modules/apps/sandbox.if 2010-01-05 17:01:46.000000000 -0500 +@@ -0,0 +1,223 @@ + +## policy for sandbox + @@ -4845,9 +4852,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# +template(`sandbox_x_domain_template',` + gen_require(` -+ type xserver_exec_t; ++ type xserver_exec_t, sandbox_devpts_t; + type sandbox_xserver_t; + attribute sandbox_domain, sandbox_x_domain; ++ attribute sandbox_file_type; + ') + + type $1_t, sandbox_x_domain; @@ -4963,8 +4971,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.5/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/apps/sandbox.te 2009-12-23 12:55:41.000000000 -0500 -@@ -0,0 +1,342 @@ ++++ serefpolicy-3.7.5/policy/modules/apps/sandbox.te 2010-01-05 15:56:30.000000000 -0500 +@@ -0,0 +1,343 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -4977,6 +4985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# + +sandbox_domain_template(sandbox) ++sandbox_x_domain_template(sandbox_min) +sandbox_x_domain_template(sandbox_x) +sandbox_x_domain_template(sandbox_web) +sandbox_x_domain_template(sandbox_net) @@ -5067,7 +5076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +## internal communication is often done using fifo and unix sockets. +allow sandbox_domain self:fifo_file manage_file_perms; +allow sandbox_domain self:unix_stream_socket create_stream_socket_perms; -+allow sandbox_domain self:unix_dgram_socket create_socket_perms; ++allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; + +gen_require(` + type usr_t, lib_t, locale_t; @@ -5124,7 +5133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + +auth_dontaudit_read_login_records(sandbox_x_domain) +auth_dontaudit_write_login_records(sandbox_x_domain) -+#auth_use_nsswitch(sandbox_x_domain) ++auth_use_nsswitch(sandbox_x_domain) +auth_search_pam_console_data(sandbox_x_domain) + +init_read_utmp(sandbox_x_domain) @@ -5178,7 +5187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + +corenet_tcp_connect_ipp_port(sandbox_x_client_t) + -+#auth_use_nsswitch(sandbox_x_client_t) ++auth_use_nsswitch(sandbox_x_client_t) + +dbus_system_bus_client(sandbox_x_client_t) +dbus_read_config(sandbox_x_client_t) @@ -5238,7 +5247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t) +corenet_tcp_connect_speech_port(sandbox_web_client_t) + -+#auth_use_nsswitch(sandbox_web_client_t) ++auth_use_nsswitch(sandbox_web_client_t) + +dbus_system_bus_client(sandbox_web_client_t) +dbus_read_config(sandbox_web_client_t) @@ -5281,7 +5290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +corenet_tcp_connect_all_ports(sandbox_net_client_t) +corenet_sendrecv_all_client_packets(sandbox_net_client_t) + -+#auth_use_nsswitch(sandbox_net_client_t) ++auth_use_nsswitch(sandbox_net_client_t) + +dbus_system_bus_client(sandbox_net_client_t) +dbus_read_config(sandbox_net_client_t) @@ -5818,7 +5827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.5/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/kernel/corenetwork.te.in 2010-01-04 12:10:28.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/kernel/corenetwork.te.in 2010-01-05 10:16:34.000000000 -0500 @@ -65,6 +65,7 @@ type server_packet_t, packet_type, server_packet_type; @@ -5827,7 +5836,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) network_port(afs_pt, udp,7002,s0) -@@ -87,32 +88,41 @@ +@@ -84,35 +85,45 @@ + network_port(clamd, tcp,3310,s0) + network_port(clockspeed, udp,4041,s0) + network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) ++network_port(cobbler, tcp,25151,s0) network_port(comsat, udp,512,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0) @@ -5872,7 +5885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) network_port(ircd, tcp,6667,s0) network_port(isakmp, udp,500,s0) -@@ -128,8 +138,9 @@ +@@ -128,8 +139,9 @@ network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) network_port(lmtp, tcp,24,s0, udp,24,s0) @@ -5883,7 +5896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) -@@ -138,21 +149,29 @@ +@@ -138,21 +150,29 @@ network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) @@ -5914,7 +5927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -172,30 +191,38 @@ +@@ -172,30 +192,38 @@ network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) @@ -5956,7 +5969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -224,6 +251,8 @@ +@@ -224,6 +252,8 @@ type node_t, node_type; sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh) @@ -6550,7 +6563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /var/lib/nfs/rpc_pipefs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.5/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/kernel/files.if 2010-01-04 15:43:02.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/kernel/files.if 2010-01-05 10:16:34.000000000 -0500 @@ -932,10 +932,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -6614,7 +6627,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Remove entries from the root directory. ## ## -@@ -2107,6 +2141,8 @@ +@@ -1504,6 +1538,24 @@ + + ######################################## + ## ++## List the /boot directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_list_boot',` ++ gen_require(` ++ type boot_t; ++ ') ++ ++ allow $1 boot_t:dir list_dir_perms; ++') ++ ++######################################## ++## + ## Search the /boot directory. + ## + ## +@@ -2107,6 +2159,8 @@ allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -6623,7 +6661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2189,6 +2225,24 @@ +@@ -2189,6 +2243,24 @@ ######################################## ## @@ -6648,7 +6686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Execute generic files in /etc. ## ## -@@ -2594,6 +2648,11 @@ +@@ -2594,6 +2666,11 @@ ') delete_files_pattern($1, file_t, file_t) @@ -6660,7 +6698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3311,6 +3370,64 @@ +@@ -3311,6 +3388,64 @@ allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -6725,7 +6763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Allow the specified type to associate -@@ -3496,6 +3613,32 @@ +@@ -3496,6 +3631,32 @@ ######################################## ## @@ -6758,7 +6796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Manage temporary files and directories in /tmp. ## ## -@@ -3709,6 +3852,8 @@ +@@ -3709,6 +3870,8 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -6767,7 +6805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3817,7 +3962,12 @@ +@@ -3817,7 +3980,12 @@ type usr_t; ') @@ -6781,7 +6819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3856,6 +4006,7 @@ +@@ -3856,6 +4024,7 @@ allow $1 usr_t:dir list_dir_perms; read_files_pattern($1, usr_t, usr_t) read_lnk_files_pattern($1, usr_t, usr_t) @@ -6789,7 +6827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3880,6 +4031,24 @@ +@@ -3880,6 +4049,24 @@ ######################################## ## @@ -6814,7 +6852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## dontaudit write of /usr files ## ## -@@ -4500,6 +4669,24 @@ +@@ -4500,6 +4687,24 @@ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -6839,7 +6877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -4772,6 +4959,25 @@ +@@ -4772,6 +4977,25 @@ search_dirs_pattern($1, var_t, var_run_t) ') @@ -6865,7 +6903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Do not audit attempts to search -@@ -4831,6 +5037,24 @@ +@@ -4831,6 +5055,24 @@ ######################################## ## @@ -6890,7 +6928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Create an object in the process ID directory, with a private ## type using a type transition. ## -@@ -4880,6 +5104,24 @@ +@@ -4880,6 +5122,24 @@ ######################################## ## @@ -6915,7 +6953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Do not audit attempts to write to daemon runtime data files. ## ## -@@ -4933,6 +5175,7 @@ +@@ -4933,6 +5193,7 @@ list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -6923,7 +6961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -5001,6 +5244,24 @@ +@@ -5001,6 +5262,24 @@ ######################################## ## @@ -6948,7 +6986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -5189,12 +5450,15 @@ +@@ -5189,12 +5468,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -6965,7 +7003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ') -@@ -5215,3 +5479,192 @@ +@@ -5215,3 +5497,192 @@ typeattribute $1 files_unconfined_type; ') @@ -10438,7 +10476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav sysnet_use_ldap(amavis_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.5/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/apache.fc 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/apache.fc 2010-01-05 11:53:09.000000000 -0500 @@ -2,11 +2,15 @@ /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) @@ -10471,7 +10509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -@@ -32,31 +39,51 @@ +@@ -32,14 +39,28 @@ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') @@ -10500,10 +10538,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) - /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) +@@ -47,16 +68,21 @@ /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -10523,7 +10560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ') -@@ -64,11 +91,33 @@ +@@ -64,11 +90,33 @@ /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -10560,8 +10597,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.5/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/apache.if 2009-12-22 10:55:59.000000000 -0500 -@@ -13,21 +13,16 @@ ++++ serefpolicy-3.7.5/policy/modules/services/apache.if 2010-01-05 10:16:34.000000000 -0500 +@@ -13,21 +13,17 @@ # template(`apache_content_template',` gen_require(` @@ -10569,6 +10606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac attribute httpd_exec_scripts; attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; ++ type httpd_sys_content_t; ') - # allow write access to public file transfer - # services files. @@ -10585,7 +10623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_type(httpd_$1_htaccess_t) # Type that CGI scripts run as -@@ -42,20 +37,22 @@ +@@ -42,20 +38,22 @@ # The following three are the only areas that # scripts can read, read/write, or append to @@ -10616,7 +10654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_$1_script_t self:fifo_file rw_file_perms; allow httpd_$1_script_t self:unix_stream_socket connectto; -@@ -65,29 +62,26 @@ +@@ -65,29 +63,26 @@ dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; # Allow the script process to search the cgi directory, and users directory @@ -10660,7 +10698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_dontaudit_search_sysctl(httpd_$1_script_t) kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) -@@ -96,6 +90,7 @@ +@@ -96,6 +91,7 @@ dev_read_urand(httpd_$1_script_t) corecmd_exec_all_executables(httpd_$1_script_t) @@ -10668,7 +10706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_exec_etc_files(httpd_$1_script_t) files_read_etc_files(httpd_$1_script_t) -@@ -109,34 +104,21 @@ +@@ -109,34 +105,21 @@ seutil_dontaudit_search_config(httpd_$1_script_t) @@ -10716,7 +10754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_t httpd_$1_content_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) -@@ -149,9 +131,13 @@ +@@ -149,9 +132,13 @@ # privileged users run the script: domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) @@ -10730,10 +10768,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; -@@ -175,50 +161,6 @@ - miscfiles_read_localization(httpd_$1_script_t) - ') +@@ -173,50 +160,7 @@ + libs_read_lib_files(httpd_$1_script_t) + miscfiles_read_localization(httpd_$1_script_t) +- ') +- - tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` - allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; - allow httpd_$1_script_t self:udp_socket create_socket_perms; @@ -10776,12 +10816,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac - tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` - mysql_tcp_connect(httpd_$1_script_t) - ') -- ') -- ++ allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms; + ') + optional_policy(` - tunable_policy(`httpd_enable_cgi && allow_ypbind',` - nis_use_ypbind_uncond(httpd_$1_script_t) -@@ -227,15 +169,13 @@ +@@ -227,15 +171,13 @@ optional_policy(` postgresql_unpriv_client(httpd_$1_script_t) @@ -10799,7 +10838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -258,8 +198,8 @@ +@@ -258,8 +200,8 @@ attribute httpdcontent; type httpd_user_content_t, httpd_user_htaccess_t; type httpd_user_script_t, httpd_user_script_exec_t; @@ -10810,7 +10849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') role $1 types httpd_user_script_t; -@@ -268,26 +208,26 @@ +@@ -268,26 +210,26 @@ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom }; @@ -10857,7 +10896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) -@@ -365,6 +305,24 @@ +@@ -365,6 +307,24 @@ domtrans_pattern($1, httpd_exec_t, httpd_t) ') @@ -10882,7 +10921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## ## ## Send a null signal to apache. -@@ -441,6 +399,25 @@ +@@ -441,6 +401,25 @@ ######################################## ## ## Do not audit attempts to read and write Apache @@ -10908,7 +10947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## TCP sockets. ## ## -@@ -503,6 +480,105 @@ +@@ -503,6 +482,105 @@ ######################################## ## @@ -11014,7 +11053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Allow the specified domain to read ## apache configuration files. ## -@@ -579,7 +655,7 @@ +@@ -579,7 +657,7 @@ ## ## ## @@ -11023,7 +11062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## ## ## -@@ -715,6 +791,7 @@ +@@ -715,6 +793,7 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -11031,7 +11070,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -782,6 +859,32 @@ +@@ -758,6 +837,27 @@ + + ######################################## + ## ++## Allow the specified domain to list ++## apache system content files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apache_list_sys_content',` ++ gen_require(` ++ type httpd_sys_content_t; ++ ') ++ ++ list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ++ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ++ files_search_var($1) ++') ++ ++######################################## ++## + ## Allow the specified domain to manage + ## apache system content files. + ## +@@ -782,6 +882,32 @@ ######################################## ## @@ -11064,7 +11131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Execute all web scripts in the system ## script domain. ## -@@ -791,16 +894,18 @@ +@@ -791,16 +917,18 @@ ## ## # @@ -11087,7 +11154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -859,6 +964,8 @@ +@@ -859,6 +987,8 @@ ## ## # @@ -11096,7 +11163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac interface(`apache_run_all_scripts',` gen_require(` attribute httpd_exec_scripts, httpd_script_domains; -@@ -884,7 +991,7 @@ +@@ -884,7 +1014,7 @@ type httpd_squirrelmail_t; ') @@ -11105,7 +11172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1043,6 +1150,44 @@ +@@ -1043,6 +1173,44 @@ ######################################## ## @@ -11150,7 +11217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## All of the rules required to administrate an apache environment ## ## -@@ -1072,11 +1217,17 @@ +@@ -1072,11 +1240,17 @@ type httpd_modules_t, httpd_lock_t; type httpd_var_run_t, httpd_php_tmp_t; type httpd_suexec_tmp_t, httpd_tmp_t; @@ -11168,7 +11235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac apache_manage_all_content($1) miscfiles_manage_public_files($1) -@@ -1096,12 +1247,57 @@ +@@ -1096,12 +1270,57 @@ kernel_search_proc($1) allow $1 httpd_t:dir list_dir_perms; @@ -11229,7 +11296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.5/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/apache.te 2009-12-29 18:35:26.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/apache.te 2010-01-05 11:36:05.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # @@ -11640,15 +11707,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -+ cobbler_search_lib(httpd_t) ++ ccs_read_config(httpd_t) +') + +optional_policy(` -+ ccs_read_config(httpd_t) ++ cvs_read_data(httpd_t) +') + +optional_policy(` -+ cvs_read_data(httpd_t) ++ cobbler_search_var_lib(httpd_t) +') + +optional_policy(` @@ -12343,22 +12410,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.5/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/bind.if 2010-01-04 16:21:41.000000000 -0500 -@@ -235,7 +235,7 @@ ++++ serefpolicy-3.7.5/policy/modules/services/bind.if 2010-01-05 11:33:07.000000000 -0500 +@@ -2,6 +2,25 @@ ######################################## ## --## Do not audit attempts to set the attributes -+## Allow domain to set the attributes - ## of the BIND pid directory. ++## Execute bind server in the bind domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++# ++interface(`bind_initrc_domtrans',` ++ gen_require(` ++ type named_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, named_initrc_exec_t) ++') ++ ++######################################## ++## + ## Execute ndc in the ndc domain. ## ## -@@ -254,6 +254,25 @@ +@@ -192,6 +211,25 @@ ######################################## ## -+## Allow domain to set attributes -+## of the BIND zone directory. ++## Manage BIND zone files. +## +## +## @@ -12366,46 +12449,56 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind +## +## +# -+interface(`bind_setattr_zone_dirs',` ++interface(`bind_manage_zone',` + gen_require(` + type named_zone_t; + ') + -+ allow $1 named_zone_t:dir setattr; ++ files_search_var($1) ++ manage_files_pattern($1, named_zone_t, named_zone_t) +') + +######################################## +## - ## Read BIND zone files. + ## Search the BIND cache directory. ## ## -@@ -287,6 +306,25 @@ +@@ -235,7 +273,7 @@ ######################################## ## -+## Execute bind server in the bind domain. +-## Do not audit attempts to set the attributes ++## Allow domain to set the attributes + ## of the BIND pid directory. + ## + ## +@@ -254,6 +292,25 @@ + + ######################################## + ## ++## Allow domain to set attributes ++## of the BIND zone directory. +## +## +## -+## The type of the process performing this action. ++## Domain allowed access. +## +## +# -+# -+interface(`bind_initrc_domtrans',` ++interface(`bind_setattr_zone_dirs',` + gen_require(` -+ type named_initrc_exec_t; ++ type named_zone_t; + ') + -+ init_labeled_script_domtrans($1, named_initrc_exec_t) ++ allow $1 named_zone_t:dir setattr; +') + +######################################## +## - ## All of the rules required to administrate - ## an bind environment + ## Read BIND zone files. ## -@@ -319,7 +357,7 @@ + ## +@@ -319,7 +376,7 @@ bind_run_ndc($1, $2) @@ -13487,21 +13580,74 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.7.5/policy/modules/services/cobbler.fc --- nsaserefpolicy/policy/modules/services/cobbler.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/services/cobbler.fc 2009-12-21 13:07:09.000000000 -0500 -@@ -0,0 +1,2 @@ ++++ serefpolicy-3.7.5/policy/modules/services/cobbler.fc 2010-01-05 11:53:21.000000000 -0500 +@@ -0,0 +1,9 @@ ++/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0) ++/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0) + -+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) ++/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0) ++ ++/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0) ++/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) ++ ++/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_rw_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.5/policy/modules/services/cobbler.if --- nsaserefpolicy/policy/modules/services/cobbler.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/services/cobbler.if 2009-12-21 13:07:09.000000000 -0500 -@@ -0,0 +1,44 @@ ++++ serefpolicy-3.7.5/policy/modules/services/cobbler.if 2010-01-05 14:48:53.000000000 -0500 +@@ -0,0 +1,186 @@ ++## Cobbler installation server. ++## ++##

++## Cobbler is a Linux installation server that allows for ++## rapid setup of network installation environments. It ++## glues together and automates many associated Linux ++## tasks so you do not have to hop between lots of various ++## commands and applications when rolling out new systems, ++## and, in some cases, changing existing ones. ++##

++## ++ ++######################################## +## -+## Cobbler var_lib_t ++## Read Cobbler content in /etc +## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cobbler_read_config',` ++ gen_require(` ++ type cobbler_etc_t; ++ ') ++ ++ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t); ++ files_search_etc($1) ++') ++ ++######################################## ++## ++## Do not audit attempts to read and write ++## Cobbler log files (leaked fd). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cobbler_dontaudit_rw_log',` ++ gen_require(` ++ type cobbler_var_log_t; ++ ') ++ ++ dontaudit $1 cobbler_var_log_t:file rw_file_perms; ++') + +######################################## +## -+## Read cobbler lib files. ++## Read cobbler files in /var/lib +## +## +## @@ -13509,20 +13655,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb +## +## +# -+interface(`cobbler_read_lib_files',` ++interface(`cobbler_read_var_lib_files',` + gen_require(` + type cobbler_var_lib_t; + ') + + read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) -+ allow $1 cobbler_var_lib_t:dir list_dir_perms; + files_search_var_lib($1) +') + ++######################################## ++## ++## Manage cobbler files in /var/lib ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cobbler_manage_var_lib_files',` ++ gen_require(` ++ type cobbler_var_lib_t; ++ ') ++ ++ manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) ++ files_search_var_lib($1) ++') + +######################################## +## -+## Read cobbler lib files. ++## Search cobbler dirs in /var/lib +## +## +## @@ -13530,24 +13693,213 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb +## +## +# -+interface(`cobbler_search_lib',` ++interface(`cobbler_search_var_lib',` + gen_require(` + type cobbler_var_lib_t; + ') + -+ allow $1 cobbler_var_lib_t:dir search_dir_perms; ++ search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + files_search_var_lib($1) +') + ++######################################## ++## ++## Execute a domain transition to run cobblerd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`cobblerd_domtrans',` ++ gen_require(` ++ type cobblerd_t, cobblerd_exec_t; ++ ') ++ ++ domtrans_pattern($1, cobblerd_exec_t, cobblerd_t) ++') ++ ++######################################## ++## ++## Execute cobblerd server in the cobblerd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`cobblerd_initrc_domtrans',` ++ gen_require(` ++ type cobblerd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, cobblerd_initrc_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an cobblerd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`cobblerd_admin',` ++ gen_require(` ++ type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; ++ type cobbler_etc_t; ++ type httpd_cobbler_content_rw_t; ++ ') ++ ++ allow $1 cobblerd_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, cobblerd_t, cobblerd_t) ++ ++ files_search_etc($1) ++ admin_pattern($1, cobbler_etc_t) ++ ++ files_list_var_lib($1) ++ admin_pattern($1, cobbler_var_lib_t) ++ ++ files_search_var_log($1) ++ admin_pattern($1, cobbler_var_log_t) ++ ++ admin_pattern($1, httpd_cobbler_content_rw_t) ++ ++ cobblerd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 cobblerd_initrc_exec_t system_r; ++ allow $2 system_r; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.5/policy/modules/services/cobbler.te --- nsaserefpolicy/policy/modules/services/cobbler.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/services/cobbler.te 2009-12-21 13:07:09.000000000 -0500 -@@ -0,0 +1,5 @@ ++++ serefpolicy-3.7.5/policy/modules/services/cobbler.te 2010-01-05 14:49:42.000000000 -0500 +@@ -0,0 +1,115 @@ ++ ++policy_module(cobbler, 1.0.0) + -+policy_module(cobbler, 1.10.0) ++######################################## ++# ++# Cobbler personal declarations. ++# ++type cobblerd_t; ++type cobblerd_exec_t; ++init_daemon_domain(cobblerd_t, cobblerd_exec_t) ++ ++type cobblerd_initrc_exec_t; ++init_script_file(cobblerd_initrc_exec_t) ++ ++type cobbler_etc_t; ++files_config_file(cobbler_etc_t) ++ ++type cobbler_var_log_t; ++logging_log_file(cobbler_var_log_t) + +type cobbler_var_lib_t; +files_type(cobbler_var_lib_t) ++ ++apache_content_template(cobbler) ++manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) ++manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) ++ ++######################################## ++# ++# Cobbler personal policy. ++# ++ ++allow cobblerd_t self:capability { chown dac_override fowner sys_nice }; ++allow cobblerd_t self:process { getsched setsched signal }; ++allow cobblerd_t self:fifo_file rw_fifo_file_perms; ++allow cobblerd_t self:tcp_socket create_stream_socket_perms; ++ ++read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) ++ ++manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) ++manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) ++files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file }) ++ ++append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) ++create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) ++read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) ++setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) ++logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) ++ ++corecmd_exec_bin(cobblerd_t) ++corecmd_exec_shell(cobblerd_t) ++ ++corenet_all_recvfrom_netlabel(cobblerd_t) ++corenet_all_recvfrom_unlabeled(cobblerd_t) ++corenet_sendrecv_cobbler_server_packets(cobblerd_t) ++corenet_tcp_bind_cobbler_port(cobblerd_t) ++corenet_tcp_bind_generic_node(cobblerd_t) ++corenet_tcp_sendrecv_generic_if(cobblerd_t) ++corenet_tcp_sendrecv_generic_node(cobblerd_t) ++corenet_tcp_sendrecv_generic_port(cobblerd_t) ++ ++dev_read_urand(cobblerd_t) ++ ++files_read_usr_files(cobblerd_t) ++ ++files_list_boot(cobblerd_t) ++ ++files_list_tmp(cobblerd_t) ++ ++kernel_read_system_state(cobblerd_t) ++ ++miscfiles_read_localization(cobblerd_t) ++ ++sysnet_read_config(cobblerd_t) ++sysnet_rw_dhcp_config(cobblerd_t) ++sysnet_write_config(cobblerd_t) ++ ++ ++optional_policy(` ++ apache_list_sys_content(cobblerd_t) ++') ++ ++optional_policy(` ++ bind_read_config(cobblerd_t) ++ bind_write_config(cobblerd_t) ++ bind_domtrans_ndc(cobblerd_t) ++ bind_domtrans(cobblerd_t) ++ bind_initrc_domtrans(cobblerd_t) ++ bind_manage_zone(cobblerd_t) ++') ++ ++optional_policy(` ++ dhcpd_domtrans(cobblerd_t) ++ dhcpd_initrc_domtrans(cobblerd_t) ++') ++ ++optional_policy(` ++ dnsmasq_domtrans(cobblerd_t) ++ dnsmasq_initrc_domtrans(cobblerd_t) ++ dnsmasq_write_config(cobblerd_t) ++') ++ ++optional_policy(` ++ rpm_exec(cobblerd_t) ++') ++ ++optional_policy(` ++ rsync_read_config(cobblerd_t) ++ rsync_write_config(cobblerd_t) ++') ++ ++optional_policy(` ++ tftp_manage_tftpdir_dirs(cobblerd_t) ++ tftp_manage_tftpdir_files(cobblerd_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.5/policy/modules/services/consolekit.fc --- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.5/policy/modules/services/consolekit.fc 2009-12-21 13:07:09.000000000 -0500 @@ -15389,14 +15741,127 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi +optional_policy(` vbetool_domtrans(devicekit_power_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.7.5/policy/modules/services/dhcp.if +--- nsaserefpolicy/policy/modules/services/dhcp.if 2009-07-23 14:11:04.000000000 -0400 ++++ serefpolicy-3.7.5/policy/modules/services/dhcp.if 2010-01-05 10:17:02.000000000 -0500 +@@ -2,6 +2,25 @@ + + ######################################## + ## ++## Transition to dhcpd. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dhcpd_domtrans',` ++ gen_require(` ++ type dhcpd_t, dhcpd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, dhcpd_exec_t, dhcpd_t) ++') ++ ++######################################## ++## + ## Set the attributes of the DCHP + ## server state files. + ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.5/policy/modules/services/dnsmasq.fc +--- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.5/policy/modules/services/dnsmasq.fc 2010-01-05 10:17:02.000000000 -0500 +@@ -1,3 +1,4 @@ ++/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0) + /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) + + /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.5/policy/modules/services/dnsmasq.if +--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2009-07-23 14:11:04.000000000 -0400 ++++ serefpolicy-3.7.5/policy/modules/services/dnsmasq.if 2010-01-05 10:17:02.000000000 -0500 +@@ -136,6 +136,44 @@ + + ######################################## + ## ++## Read dnsmasq config files. ++## ++## ++## ++## Domain allowed. ++## ++## ++# ++interface(`dnsmasq_read_config',` ++ gen_require(` ++ type dnsmasq_etc_t; ++ ') ++ ++ read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) ++ files_search_etc($1) ++') ++ ++######################################## ++## ++## Write to dnsmasq config files. ++## ++## ++## ++## Domain allowed. ++## ++## ++# ++interface(`dnsmasq_write_config',` ++ gen_require(` ++ type dnsmasq_etc_t; ++ ') ++ ++ write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) ++ files_search_etc($1) ++') ++ ++######################################## ++## + ## All of the rules required to administrate + ## an dnsmasq environment + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.5/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/dnsmasq.te 2009-12-21 13:07:09.000000000 -0500 -@@ -83,6 +83,18 @@ ++++ serefpolicy-3.7.5/policy/modules/services/dnsmasq.te 2010-01-05 11:38:45.000000000 -0500 +@@ -13,6 +13,9 @@ + type dnsmasq_initrc_exec_t; + init_script_file(dnsmasq_initrc_exec_t) + ++type dnsmasq_etc_t; ++files_config_file(dnsmasq_etc_t) ++ + type dnsmasq_lease_t; + files_type(dnsmasq_lease_t) + +@@ -34,6 +37,8 @@ + allow dnsmasq_t self:packet_socket create_socket_perms; + allow dnsmasq_t self:rawip_socket create_socket_perms; + ++read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) ++ + # dhcp leases + manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t) + files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) +@@ -66,8 +71,6 @@ + + domain_use_interactive_fds(dnsmasq_t) + +-# allow access to dnsmasq.conf +-files_read_etc_files(dnsmasq_t) + files_read_etc_runtime_files(dnsmasq_t) + + fs_getattr_all_fs(dnsmasq_t) +@@ -83,6 +86,18 @@ userdom_dontaudit_search_user_home_dirs(dnsmasq_t) optional_policy(` -+ cobbler_read_lib_files(dnsmasq_t) ++ cobbler_read_var_lib_files(dnsmasq_t) +') + +optional_policy(` @@ -20319,7 +20784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.5/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/postfix.te 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/postfix.te 2010-01-05 10:56:37.000000000 -0500 @@ -6,6 +6,15 @@ # Declarations # @@ -20591,7 +21056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` procmail_domtrans(postfix_pipe_t) ') -@@ -388,6 +437,15 @@ +@@ -388,6 +437,16 @@ ') optional_policy(` @@ -20601,13 +21066,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + +optional_policy(` + spamassassin_domtrans_client(postfix_pipe_t) ++ spamassassin_kill_client(postfix_pipe_t) +') + +optional_policy(` uucp_domtrans_uux(postfix_pipe_t) ') -@@ -415,6 +473,10 @@ +@@ -415,6 +474,10 @@ mta_rw_user_mail_stream_sockets(postfix_postdrop_t) optional_policy(` @@ -20618,7 +21084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') -@@ -424,8 +486,11 @@ +@@ -424,8 +487,11 @@ ') optional_policy(` @@ -20632,7 +21098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ####################################### -@@ -451,6 +516,15 @@ +@@ -451,6 +517,15 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -20648,7 +21114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix qmgr local policy -@@ -464,6 +538,7 @@ +@@ -464,6 +539,7 @@ manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) @@ -20656,7 +21122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; -@@ -505,7 +580,7 @@ +@@ -505,7 +581,7 @@ allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -20665,7 +21131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_smtp_t) -@@ -535,9 +610,18 @@ +@@ -535,9 +611,18 @@ # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -20684,7 +21150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mailman_read_data_files(postfix_smtpd_t) ') -@@ -559,20 +643,22 @@ +@@ -559,20 +644,22 @@ allow postfix_virtual_t postfix_spool_t:file rw_file_perms; @@ -22674,9 +23140,62 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.7.5/policy/modules/services/rsync.fc +--- nsaserefpolicy/policy/modules/services/rsync.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.5/policy/modules/services/rsync.fc 2010-01-05 10:17:02.000000000 -0500 +@@ -1,3 +1,4 @@ ++/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0) + + /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.5/policy/modules/services/rsync.if +--- nsaserefpolicy/policy/modules/services/rsync.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.5/policy/modules/services/rsync.if 2010-01-05 10:17:02.000000000 -0500 +@@ -103,3 +103,41 @@ + + can_exec($1, rsync_exec_t) + ') ++ ++######################################## ++## ++## Read rsync config files. ++## ++## ++## ++## Domain allowed. ++## ++## ++# ++interface(`rsync_read_config',` ++ gen_require(` ++ type rsync_etc_t; ++ ') ++ ++ read_files_pattern($1, rsync_etc_t, rsync_etc_t) ++ files_search_etc($1) ++') ++ ++######################################## ++## ++## Write to rsync config files. ++## ++## ++## ++## Domain allowed. ++## ++## ++# ++interface(`rsync_write_config',` ++ gen_require(` ++ type rsync_etc_t; ++ ') ++ ++ write_files_pattern($1, rsync_etc_t, rsync_etc_t) ++ files_search_etc($1) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.5/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/rsync.te 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/rsync.te 2010-01-05 10:17:02.000000000 -0500 @@ -8,6 +8,13 @@ ## @@ -22691,7 +23210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn ## Allow rsync to export any files/directories read only. ##

## -@@ -24,7 +31,6 @@ +@@ -24,10 +31,12 @@ type rsync_t; type rsync_exec_t; @@ -22699,7 +23218,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn application_executable_file(rsync_exec_t) role system_r types rsync_t; -@@ -126,4 +132,19 @@ ++type rsync_etc_t; ++files_config_file(rsync_etc_t) ++ + type rsync_data_t; + files_type(rsync_data_t) + +@@ -57,6 +66,8 @@ + allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; + #end for identd + ++read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t) ++ + allow rsync_t rsync_data_t:dir list_dir_perms; + read_files_pattern(rsync_t, rsync_data_t, rsync_data_t) + read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) +@@ -126,4 +137,19 @@ auth_read_all_symlinks_except_shadow(rsync_t) auth_tunable_read_shadow(rsync_t) ') @@ -22999,7 +23533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.5/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/samba.te 2010-01-04 16:03:08.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/samba.te 2010-01-05 17:02:50.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -23171,7 +23705,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t self:process { setrlimit signal_perms }; allow swat_t self:fifo_file rw_fifo_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -@@ -638,11 +673,13 @@ +@@ -626,23 +661,23 @@ + allow swat_t self:udp_socket create_socket_perms; + allow swat_t self:unix_stream_socket connectto; + +-allow swat_t nmbd_t:process { signal signull }; +- +-allow swat_t nmbd_exec_t:file mmap_file_perms; +-can_exec(swat_t, nmbd_exec_t) +- +-allow swat_t nmbd_var_run_t:file { lock read unlink }; +- + samba_domtrans_smbd(swat_t) + allow swat_t smbd_t:process { signal signull }; ++allow smbd_t swat_t:process signal; ++ ++samba_domtrans_nmbd(swat_t) ++allow swat_t nmbd_t:process { signal signull }; ++allow nmbd_t swat_t:process signal; allow swat_t smbd_var_run_t:file { lock unlink }; @@ -23187,7 +23738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_exec_t:file mmap_file_perms ; allow swat_t smbd_t:process signull; -@@ -657,7 +694,7 @@ +@@ -657,7 +692,7 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; @@ -23196,7 +23747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -700,6 +737,8 @@ +@@ -700,6 +735,8 @@ miscfiles_read_localization(swat_t) @@ -23205,7 +23756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -713,12 +752,23 @@ +@@ -713,12 +750,23 @@ kerberos_use(swat_t) ') @@ -23230,7 +23781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; -@@ -866,6 +916,18 @@ +@@ -866,6 +914,18 @@ # optional_policy(` @@ -23249,7 +23800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -876,9 +938,12 @@ +@@ -876,9 +936,12 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -24120,8 +24671,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.5/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/spamassassin.if 2009-12-21 13:07:09.000000000 -0500 -@@ -111,6 +111,27 @@ ++++ serefpolicy-3.7.5/policy/modules/services/spamassassin.if 2010-01-05 11:36:41.000000000 -0500 +@@ -111,6 +111,45 @@ ') domtrans_pattern($1, spamc_exec_t, spamc_t) @@ -24130,6 +24681,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + +######################################## +## ++## Send kill signal to spamassassin client ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`spamassassin_kill_client',` ++ gen_require(` ++ type spamc_t; ++ ') ++ ++ allow $1 spamc_t:process sigkill; ++') ++ ++######################################## ++## +## Manage spamc home files. +## +## @@ -24149,7 +24718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') ######################################## -@@ -166,7 +187,9 @@ +@@ -166,7 +205,9 @@ ') files_search_var_lib($1) @@ -24159,7 +24728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') ######################################## -@@ -225,3 +248,69 @@ +@@ -225,3 +266,69 @@ dontaudit $1 spamd_tmp_t:sock_file getattr; ') @@ -25439,6 +26008,54 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp -/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0) +/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.7.5/policy/modules/services/tftp.if +--- nsaserefpolicy/policy/modules/services/tftp.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.5/policy/modules/services/tftp.if 2010-01-05 10:17:02.000000000 -0500 +@@ -2,6 +2,44 @@ + + ######################################## + ## ++## Manage tftp /var/lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tftp_manage_tftpdir_dirs',` ++ gen_require(` ++ type tftpdir_rw_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ++') ++ ++######################################## ++## ++## Manage tftp /var/lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tftp_manage_tftpdir_files',` ++ gen_require(` ++ type tftpdir_rw_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ++') ++ ++######################################## ++## + ## Read tftp content + ## + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.7.5/policy/modules/services/tgtd.if --- nsaserefpolicy/policy/modules/services/tgtd.if 2009-11-12 12:51:51.000000000 -0500 +++ serefpolicy-3.7.5/policy/modules/services/tgtd.if 2009-12-21 13:07:09.000000000 -0500 @@ -25902,7 +26519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.5/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/virt.if 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/virt.if 2010-01-05 07:43:54.000000000 -0500 @@ -136,7 +136,7 @@ ') @@ -26158,7 +26775,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.5/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/services/virt.te 2010-01-04 13:22:20.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/virt.te 2010-01-05 11:47:44.000000000 -0500 @@ -8,6 +8,13 @@ ## @@ -26421,7 +27038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') optional_policy(` -@@ -196,8 +312,157 @@ +@@ -196,8 +312,159 @@ xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) @@ -26541,11 +27158,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +corenet_tcp_bind_virt_migration_port(virt_domain) +corenet_tcp_connect_virt_migration_port(virt_domain) + ++dev_read_rand(virt_domain) +dev_read_sound(virt_domain) -+dev_write_sound(virt_domain) ++dev_read_urand(virt_domain) +dev_rw_ksm(virt_domain) +dev_rw_kvm(virt_domain) +dev_rw_qemu(virt_domain) ++dev_write_sound(virt_domain) + +domain_use_interactive_fds(virt_domain) + @@ -30385,7 +31004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.5/policy/modules/system/miscfiles.fc --- nsaserefpolicy/policy/modules/system/miscfiles.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/system/miscfiles.fc 2009-12-21 17:46:12.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/system/miscfiles.fc 2010-01-05 11:54:27.000000000 -0500 @@ -42,6 +42,7 @@ /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) @@ -31684,11 +32303,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.5/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/system/sysnetwork.fc 2009-12-22 11:49:02.000000000 -0500 -@@ -11,15 +11,22 @@ ++++ serefpolicy-3.7.5/policy/modules/system/sysnetwork.fc 2010-01-05 10:18:05.000000000 -0500 +@@ -11,15 +11,24 @@ /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) ++/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) ++/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0) @@ -31709,7 +32330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') # -@@ -51,9 +58,12 @@ +@@ -51,9 +60,12 @@ /var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0) /var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) /var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 26f9afe..cf1ca32 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.5 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -449,6 +449,9 @@ exit 0 %endif %changelog +* Tue Jan 5 2010 Dan Walsh 3.7.5-7 +- Add cobbler policy from dgrift + * Mon Jan 4 2010 Dan Walsh 3.7.5-6 - add usbmon device - Add allow rulse for devicekit_disk