From 739db21a4a8e111f0bb73516fd1cbb0a745a691a Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 03 2008 22:18:31 +0000 Subject: - Cleanup policy --- diff --git a/policy-20080710.patch b/policy-20080710.patch deleted file mode 100644 index 8fc7906..0000000 --- a/policy-20080710.patch +++ /dev/null @@ -1,34446 +0,0 @@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.5.13/Makefile ---- nsaserefpolicy/Makefile 2008-08-07 11:15:00.000000000 -0400 -+++ serefpolicy-3.5.13/Makefile 2008-10-28 10:56:19.000000000 -0400 -@@ -311,20 +311,22 @@ - - # parse-rolemap modulename,outputfile - define parse-rolemap -- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ -- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 -+ echo "" >> $2 -+# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ -+# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 - endef - - # perrole-expansion modulename,outputfile - define perrole-expansion -- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 -- $(call parse-rolemap,$1,$2) -- $(verbose) echo "')" >> $2 -- -- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 -- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 -- $(call parse-rolemap-compat,$1,$2) -- $(verbose) echo "')" >> $2 -+ echo "No longer doing perrole-expansion" -+# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 -+# $(call parse-rolemap,$1,$2) -+# $(verbose) echo "')" >> $2 -+ -+# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 -+# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 -+# $(call parse-rolemap-compat,$1,$2) -+# $(verbose) echo "')" >> $2 - endef - - # create-base-per-role-tmpl modulenames,outputfile -@@ -523,6 +525,10 @@ - @mkdir -p $(appdir)/users - $(verbose) $(INSTALL) -m 644 $^ $@ - -+$(appdir)/initrc_context: $(tmpdir)/initrc_context -+ @mkdir -p $(appdir) -+ $(verbose) $(INSTALL) -m 644 $< $@ -+ - $(appdir)/%: $(appconf)/% - @mkdir -p $(appdir) - $(verbose) $(INSTALL) -m 644 $< $@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.5.13/Rules.modular ---- nsaserefpolicy/Rules.modular 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/Rules.modular 2008-10-28 10:56:19.000000000 -0400 -@@ -73,8 +73,8 @@ - $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te - @echo "Compliling $(NAME) $(@F) module" - @test -d $(tmpdir) || mkdir -p $(tmpdir) -- $(call perrole-expansion,$(basename $(@F)),$@.role) -- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) -+# $(call perrole-expansion,$(basename $(@F)),$@.role) -+ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) - $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ - - $(tmpdir)/%.mod.fc: $(m4support) %.fc -@@ -129,7 +129,7 @@ - @test -d $(tmpdir) || mkdir -p $(tmpdir) - # define all available object classes - $(verbose) $(genperm) $(avs) $(secclass) > $@ -- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) -+# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) - $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true - - $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy -@@ -146,7 +146,7 @@ - $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy - $(tmpdir)/rolemap.conf: $(rolemap) - $(verbose) echo "" > $@ -- $(call parse-rolemap,base,$@) -+# $(call parse-rolemap,base,$@) - - $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy - $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf -@@ -192,6 +192,16 @@ - - ######################################## - # -+# Remove the dontaudit rules from the base.conf -+# -+enableaudit: $(base_conf) -+ @test -d $(tmpdir) || mkdir -p $(tmpdir) -+ @echo "Removing dontaudit rules from $(^F)" -+ $(verbose) $(GREP) -v dontaudit $(base_conf) > $(tmpdir)/base.audit -+ $(verbose) mv $(tmpdir)/base.audit $(base_conf) -+ -+######################################## -+# - # Appconfig files - # - $(appdir)/customizable_types: $(base_conf) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.5.13/config/appconfig-mcs/default_contexts ---- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mcs/default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -1,15 +1,6 @@ --system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0 --system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 --system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0 --system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 -+system_r:crond_t:s0 system_r:system_crond_t:s0 -+system_r:local_login_t:s0 user_r:user_t:s0 -+system_r:remote_login_t:s0 user_r:user_t:s0 -+system_r:sshd_t:s0 user_r:user_t:s0 - system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 --system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 -- --staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 --staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 -- --sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 --sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 -- --user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 --user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 -+system_r:xdm_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.5.13/config/appconfig-mcs/failsafe_context ---- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mcs/failsafe_context 2008-10-28 10:56:19.000000000 -0400 -@@ -1 +1 @@ --sysadm_r:sysadm_t:s0 -+system_r:unconfined_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/guest_u_default_contexts ---- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/config/appconfig-mcs/guest_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,6 @@ -+system_r:local_login_t:s0 guest_r:guest_t:s0 -+system_r:remote_login_t:s0 guest_r:guest_t:s0 -+system_r:sshd_t:s0 guest_r:guest_t:s0 -+system_r:crond_t:s0 guest_r:guest_t:s0 -+system_r:initrc_su_t:s0 guest_r:guest_t:s0 -+guest_r:guest_t:s0 guest_r:guest_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/root_default_contexts ---- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mcs/root_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -1,11 +1,7 @@ --system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 -+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 - system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 - --staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 --sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 --user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -- - # - # Uncomment if you want to automatically login as sysadm_r - # --#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.5.13/config/appconfig-mcs/seusers ---- nsaserefpolicy/config/appconfig-mcs/seusers 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mcs/seusers 2008-10-28 11:08:43.000000000 -0400 -@@ -1,3 +1,3 @@ - system_u:system_u:s0-mcs_systemhigh --root:root:s0-mcs_systemhigh --__default__:user_u:s0 -+root:unconfined_u:s0-mcs_systemhigh -+__default__:unconfined_u:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/staff_u_default_contexts ---- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mcs/staff_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -1,10 +1,12 @@ - system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 - system_r:remote_login_t:s0 staff_r:staff_t:s0 - system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 --system_r:crond_t:s0 staff_r:staff_crond_t:s0 -+system_r:crond_t:s0 staff_r:staff_t:s0 - system_r:xdm_t:s0 staff_r:staff_t:s0 - staff_r:staff_su_t:s0 staff_r:staff_t:s0 - staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 -+system_r:initrc_su_t:s0 staff_r:staff_t:s0 -+staff_r:staff_t:s0 staff_r:staff_t:s0 - sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 - sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/unconfined_u_default_contexts ---- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mcs/unconfined_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -6,4 +6,6 @@ - system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 - system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 - system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 -+system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0 -+unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 - system_r:xdm_t:s0 unconfined_r:unconfined_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/user_u_default_contexts ---- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mcs/user_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -1,8 +1,9 @@ - system_r:local_login_t:s0 user_r:user_t:s0 - system_r:remote_login_t:s0 user_r:user_t:s0 - system_r:sshd_t:s0 user_r:user_t:s0 --system_r:crond_t:s0 user_r:user_crond_t:s0 -+system_r:crond_t:s0 user_r:user_t:s0 - system_r:xdm_t:s0 user_r:user_t:s0 - user_r:user_su_t:s0 user_r:user_t:s0 - user_r:user_sudo_t:s0 user_r:user_t:s0 -- -+system_r:initrc_su_t:s0 user_r:user_t:s0 -+user_r:user_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.5.13/config/appconfig-mcs/userhelper_context ---- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mcs/userhelper_context 2008-10-28 10:56:19.000000000 -0400 -@@ -1 +1 @@ --system_u:sysadm_r:sysadm_t:s0 -+system_u:system_r:unconfined_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/xguest_u_default_contexts ---- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/config/appconfig-mcs/xguest_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,7 @@ -+system_r:local_login_t xguest_r:xguest_t:s0 -+system_r:remote_login_t xguest_r:xguest_t:s0 -+system_r:sshd_t xguest_r:xguest_t:s0 -+system_r:crond_t xguest_r:xguest_t:s0 -+system_r:xdm_t xguest_r:xguest_t:s0 -+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0 -+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.5.13/config/appconfig-mls/default_contexts ---- nsaserefpolicy/config/appconfig-mls/default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mls/default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -1,15 +1,6 @@ --system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0 --system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 --system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0 --system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 -+system_r:crond_t:s0 system_r:system_crond_t:s0 -+system_r:local_login_t:s0 user_r:user_t:s0 -+system_r:remote_login_t:s0 user_r:user_t:s0 -+system_r:sshd_t:s0 user_r:user_t:s0 - system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 --system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 -- --staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 --staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 -- --sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 --sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 -- --user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 --user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 -+system_r:xdm_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mls/guest_u_default_contexts ---- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/config/appconfig-mls/guest_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,4 @@ -+system_r:local_login_t:s0 guest_r:guest_t:s0 -+system_r:remote_login_t:s0 guest_r:guest_t:s0 -+system_r:sshd_t:s0 guest_r:guest_t:s0 -+system_r:crond_t:s0 guest_r:guest_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.5.13/config/appconfig-mls/root_default_contexts ---- nsaserefpolicy/config/appconfig-mls/root_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mls/root_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -1,11 +1,11 @@ --system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 --system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -+system_r:crond_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 -+system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 - --staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 --sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 --user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -+staff_r:staff_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 -+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 -+user_r:user_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 - - # - # Uncomment if you want to automatically login as sysadm_r - # --#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -+#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts serefpolicy-3.5.13/config/appconfig-mls/staff_u_default_contexts ---- nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mls/staff_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -1,7 +1,7 @@ - system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 - system_r:remote_login_t:s0 staff_r:staff_t:s0 - system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 --system_r:crond_t:s0 staff_r:staff_crond_t:s0 -+system_r:crond_t:s0 staff_r:staff_t:s0 - system_r:xdm_t:s0 staff_r:staff_t:s0 - staff_r:staff_su_t:s0 staff_r:staff_t:s0 - staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/user_u_default_contexts serefpolicy-3.5.13/config/appconfig-mls/user_u_default_contexts ---- nsaserefpolicy/config/appconfig-mls/user_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mls/user_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -1,7 +1,7 @@ - system_r:local_login_t:s0 user_r:user_t:s0 - system_r:remote_login_t:s0 user_r:user_t:s0 - system_r:sshd_t:s0 user_r:user_t:s0 --system_r:crond_t:s0 user_r:user_crond_t:s0 -+system_r:crond_t:s0 user_r:user_t:s0 - system_r:xdm_t:s0 user_r:user_t:s0 - user_r:user_su_t:s0 user_r:user_t:s0 - user_r:user_sudo_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mls/xguest_u_default_contexts ---- nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/config/appconfig-mls/xguest_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,7 @@ -+system_r:local_login_t xguest_r:xguest_t:s0 -+system_r:remote_login_t xguest_r:xguest_t:s0 -+system_r:sshd_t xguest_r:xguest_t:s0 -+system_r:crond_t xguest_r:xguest_t:s0 -+system_r:xdm_t xguest_r:xguest_t:s0 -+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0 -+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.5.13/config/appconfig-standard/guest_u_default_contexts ---- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/config/appconfig-standard/guest_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,4 @@ -+system_r:local_login_t guest_r:guest_t -+system_r:remote_login_t guest_r:guest_t -+system_r:sshd_t guest_r:guest_t -+system_r:crond_t guest_r:guest_crond_t -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/root_default_contexts serefpolicy-3.5.13/config/appconfig-standard/root_default_contexts ---- nsaserefpolicy/config/appconfig-standard/root_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-standard/root_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -1,11 +1,7 @@ - system_r:crond_t unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t - system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t - --staff_r:staff_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t --sysadm_r:sysadm_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t --user_r:user_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t -- - # - # Uncomment if you want to automatically login as sysadm_r - # --#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t -+system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts serefpolicy-3.5.13/config/appconfig-standard/staff_u_default_contexts ---- nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-standard/staff_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -1,7 +1,7 @@ - system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t - system_r:remote_login_t staff_r:staff_t - system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t --system_r:crond_t staff_r:staff_crond_t -+system_r:crond_t staff_r:staff_t - system_r:xdm_t staff_r:staff_t - staff_r:staff_su_t staff_r:staff_t - staff_r:staff_sudo_t staff_r:staff_t -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/user_u_default_contexts serefpolicy-3.5.13/config/appconfig-standard/user_u_default_contexts ---- nsaserefpolicy/config/appconfig-standard/user_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-standard/user_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -1,7 +1,7 @@ - system_r:local_login_t user_r:user_t - system_r:remote_login_t user_r:user_t - system_r:sshd_t user_r:user_t --system_r:crond_t user_r:user_crond_t -+system_r:crond_t user_r:user_t - system_r:xdm_t user_r:user_t - user_r:user_su_t user_r:user_t - user_r:user_sudo_t user_r:user_t -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.5.13/config/appconfig-standard/xguest_u_default_contexts ---- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/config/appconfig-standard/xguest_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,5 @@ -+system_r:local_login_t xguest_r:xguest_t -+system_r:remote_login_t xguest_r:xguest_t -+system_r:sshd_t xguest_r:xguest_t -+system_r:crond_t xguest_r:xguest_crond_t -+system_r:xdm_t xguest_r:xguest_t -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.5.13/policy/flask/access_vectors ---- nsaserefpolicy/policy/flask/access_vectors 2008-08-07 11:15:00.000000000 -0400 -+++ serefpolicy-3.5.13/policy/flask/access_vectors 2008-10-28 10:56:19.000000000 -0400 -@@ -616,6 +616,7 @@ - nlmsg_write - nlmsg_relay - nlmsg_readpriv -+ nlmsg_tty_audit - } - - class netlink_ip6fw_socket -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.5.13/policy/global_tunables ---- nsaserefpolicy/policy/global_tunables 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/global_tunables 2008-10-28 10:56:19.000000000 -0400 -@@ -34,7 +34,7 @@ - - ## - ##

--## Enable polyinstantiated directory support. -+## Allow login programs to use polyinstantiated directories. - ##

- ## - gen_tunable(allow_polyinstantiation,false) -@@ -61,15 +61,6 @@ - - ## - ##

--## Allow email client to various content. --## nfs, samba, removable devices, user temp --## and untrusted content files --##

--## --gen_tunable(mail_read_content,false) -- --## --##

- ## Allow any files/directories to be exported read/write via NFS. - ##

- ## -@@ -129,3 +120,12 @@ - ##

- ## - gen_tunable(write_untrusted_content,false) -+ -+## -+##

-+## Allow direct login to the console device. Required for System 390 -+##

-+## -+gen_tunable(allow_console_login,false) -+ -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.5.13/policy/mls ---- nsaserefpolicy/policy/mls 2008-09-24 09:07:29.000000000 -0400 -+++ serefpolicy-3.5.13/policy/mls 2008-10-28 10:56:19.000000000 -0400 -@@ -381,11 +381,18 @@ - ( t1 == mlsxwinread )); - - # the x_drawable "write" ops (implicit single level) --mlsconstrain x_drawable { create destroy write setattr add_child remove_child send manage } -+mlsconstrain x_drawable { create destroy write setattr send manage } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - -+# the x_drawable "write" ops that have special handling on root window -+mlsconstrain x_drawable { add_child remove_child } -+ (( l1 eq l2 ) or -+ (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or -+ ( t1 == mlsxwinwrite ) or -+ ( t2 eq rootwindow_type )); -+ - # No MLS restrictions: x_drawable { show hide override } - - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.5.13/policy/modules/admin/anaconda.te ---- nsaserefpolicy/policy/modules/admin/anaconda.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/anaconda.te 2008-10-28 10:56:19.000000000 -0400 -@@ -31,6 +31,7 @@ - modutils_domtrans_insmod(anaconda_t) - - seutil_domtrans_semanage(anaconda_t) -+seutil_domtrans_setsebool(anaconda_t) - - unprivuser_home_dir_filetrans_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.5.13/policy/modules/admin/certwatch.te ---- nsaserefpolicy/policy/modules/admin/certwatch.te 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/certwatch.te 2008-10-28 10:56:19.000000000 -0400 -@@ -27,6 +27,8 @@ - - fs_list_inotifyfs(certwatch_t) - -+auth_rw_cache(certwatch_t) -+ - libs_use_ld_so(certwatch_t) - libs_use_shared_libs(certwatch_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.5.13/policy/modules/admin/consoletype.te ---- nsaserefpolicy/policy/modules/admin/consoletype.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/consoletype.te 2008-10-28 10:56:19.000000000 -0400 -@@ -8,9 +8,11 @@ - - type consoletype_t; - type consoletype_exec_t; --application_executable_file(consoletype_exec_t) --init_domain(consoletype_t, consoletype_exec_t) --init_system_domain(consoletype_t, consoletype_exec_t) -+#dont transition from initrc -+#init_domain(consoletype_t, consoletype_exec_t) -+#init_system_domain(consoletype_t, consoletype_exec_t) -+application_domain(consoletype_t, consoletype_exec_t) -+ - role system_r types consoletype_t; - - ######################################## -@@ -42,6 +44,7 @@ - mls_file_read_all_levels(consoletype_t) - mls_file_write_all_levels(consoletype_t) - -+term_use_console(consoletype_t) - term_use_all_terms(consoletype_t) - - init_use_fds(consoletype_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.5.13/policy/modules/admin/kismet.te ---- nsaserefpolicy/policy/modules/admin/kismet.te 2008-10-14 11:58:10.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/kismet.te 2008-11-03 14:20:02.000000000 -0500 -@@ -26,10 +26,12 @@ - # - - allow kismet_t self:capability { net_admin net_raw setuid setgid }; -+allow kismet_t self:process signal; - allow kismet_t self:fifo_file rw_file_perms; - allow kismet_t self:packet_socket create_socket_perms; --allow kismet_t self:unix_dgram_socket create_socket_perms; -+allow kismet_t self:unix_dgram_socket { create_socket_perms sendto }; - allow kismet_t self:unix_stream_socket create_stream_socket_perms; -+allow kismet_t self:tcp_socket create_stream_socket_perms; - - manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t) - allow kismet_t kismet_log_t:dir setattr; -@@ -43,10 +45,18 @@ - allow kismet_t kismet_var_run_t:dir manage_dir_perms; - files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir }) - --kernel_search_debugfs(kismet_t) -- - corecmd_exec_bin(kismet_t) - -+corenet_all_recvfrom_unlabeled(kismet_t) -+corenet_all_recvfrom_netlabel(kismet_t) -+corenet_tcp_sendrecv_all_if(kismet_t) -+corenet_tcp_sendrecv_all_nodes(kismet_t) -+corenet_tcp_sendrecv_all_ports(kismet_t) -+corenet_tcp_bind_all_nodes(kismet_t) -+corenet_tcp_bind_kismet_port(kismet_t) -+ -+kernel_search_debugfs(kismet_t) -+ - auth_use_nsswitch(kismet_t) - - files_read_etc_files(kismet_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.5.13/policy/modules/admin/logwatch.te ---- nsaserefpolicy/policy/modules/admin/logwatch.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/logwatch.te 2008-10-28 10:56:19.000000000 -0400 -@@ -54,18 +54,19 @@ - domain_read_all_domains_state(logwatch_t) - - files_list_var(logwatch_t) -+files_read_var_symlinks(logwatch_t) - files_read_etc_files(logwatch_t) - files_read_etc_runtime_files(logwatch_t) - files_read_usr_files(logwatch_t) - files_search_spool(logwatch_t) - files_search_mnt(logwatch_t) --files_dontaudit_search_home(logwatch_t) --files_dontaudit_search_boot(logwatch_t) - # Execs df and if file system mounted with a context avc raised --files_dontaudit_search_all_dirs(logwatch_t) -+files_search_all(logwatch_t) -+files_getattr_all_file_type_fs(logwatch_t) - - fs_getattr_all_fs(logwatch_t) - fs_dontaudit_list_auto_mountpoints(logwatch_t) -+fs_list_inotifyfs(logwatch_t) - - term_dontaudit_getattr_pty_dirs(logwatch_t) - term_dontaudit_list_ptys(logwatch_t) -@@ -131,4 +132,5 @@ - - optional_policy(` - samba_read_log(logwatch_t) -+ samba_read_share_files(logwatch_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.5.13/policy/modules/admin/netutils.te ---- nsaserefpolicy/policy/modules/admin/netutils.te 2008-10-14 11:58:10.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/netutils.te 2008-10-29 09:05:23.000000000 -0400 -@@ -130,6 +130,8 @@ - files_read_etc_files(ping_t) - files_dontaudit_search_var(ping_t) - -+kernel_read_system_state(ping_t) -+ - auth_use_nsswitch(ping_t) - - libs_use_ld_so(ping_t) -@@ -149,6 +151,10 @@ - ') - - optional_policy(` -+ munin_append_log(ping_t) -+') -+ -+optional_policy(` - pcmcia_use_cardmgr_fds(ping_t) - ') - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.5.13/policy/modules/admin/prelink.te ---- nsaserefpolicy/policy/modules/admin/prelink.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/prelink.te 2008-10-28 10:56:19.000000000 -0400 -@@ -26,7 +26,7 @@ - # Local policy - # - --allow prelink_t self:capability { chown dac_override fowner fsetid }; -+allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource }; - allow prelink_t self:process { execheap execmem execstack signal }; - allow prelink_t self:fifo_file rw_fifo_file_perms; - -@@ -40,7 +40,7 @@ - read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t) - logging_log_filetrans(prelink_t, prelink_log_t, file) - --allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom }; -+allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod }; - files_tmp_filetrans(prelink_t, prelink_tmp_t, file) - fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file) - -@@ -49,8 +49,7 @@ - allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom }; - - kernel_read_system_state(prelink_t) --kernel_dontaudit_search_kernel_sysctl(prelink_t) --kernel_dontaudit_search_sysctl(prelink_t) -+kernel_read_kernel_sysctls(prelink_t) - - corecmd_manage_all_executables(prelink_t) - corecmd_relabel_all_executables(prelink_t) -@@ -65,6 +64,8 @@ - files_read_etc_files(prelink_t) - files_read_etc_runtime_files(prelink_t) - files_dontaudit_read_all_symlinks(prelink_t) -+files_manage_usr_files(prelink_t) -+files_relabelfrom_usr_files(prelink_t) - - fs_getattr_xattr_fs(prelink_t) - -@@ -81,6 +82,11 @@ - - miscfiles_read_localization(prelink_t) - -+# prelink executables in the user homedir -+unprivuser_manage_home_content_files(prelink_t) -+unprivuser_mmap_home_content_files(prelink_t) -+unprivuser_dontaudit_home_content_files(prelink_t) -+ - optional_policy(` - amanda_manage_lib(prelink_t) - ') -@@ -88,3 +94,7 @@ - optional_policy(` - cron_system_entry(prelink_t, prelink_exec_t) - ') -+ -+optional_policy(` -+ unconfined_domain(prelink_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.5.13/policy/modules/admin/rpm.fc ---- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/rpm.fc 2008-11-03 11:39:36.000000000 -0500 -@@ -11,7 +11,8 @@ - - /usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) - /usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) -- -+/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) - /usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0) - - ifdef(`distro_redhat', ` -@@ -21,14 +22,17 @@ - /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) - /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) - /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) - ') - - /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) - - /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -- --/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) - /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) -+/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) -+/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) - - # SuSE - ifdef(`distro_suse', ` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.5.13/policy/modules/admin/rpm.if ---- nsaserefpolicy/policy/modules/admin/rpm.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/rpm.if 2008-11-03 17:02:00.000000000 -0500 -@@ -152,6 +152,24 @@ - - ######################################## - ## -+## dontaudit read and write an unnamed RPM pipe. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`rpm_dontaudit_rw_pipes',` -+ gen_require(` -+ type rpm_t; -+ ') -+ -+ dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms; -+') -+ -+######################################## -+## - ## Send and receive messages from - ## rpm over dbus. - ## -@@ -173,6 +191,48 @@ - - ######################################## - ## -+## dontaudit attempts to Send and receive messages from -+## rpm over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rpm_dontaudit_dbus_chat',` -+ gen_require(` -+ type rpm_t; -+ class dbus send_msg; -+ ') -+ -+ dontaudit $1 rpm_t:dbus send_msg; -+ dontaudit rpm_t $1:dbus send_msg; -+') -+ -+######################################## -+## -+## Send and receive messages from -+## rpm_script over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rpm_script_dbus_chat',` -+ gen_require(` -+ type rpm_script_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 rpm_script_t:dbus send_msg; -+ allow rpm_script_t $1:dbus send_msg; -+') -+ -+######################################## -+## - ## Create, read, write, and delete the RPM log. - ## - ## -@@ -192,6 +252,24 @@ - - ######################################## - ## -+## Search RPM log directory. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`rpm_search_log',` -+ gen_require(` -+ type rpm_log_t; -+ ') -+ -+ allow $1 rpm_log_t:dir search_dir_perms; -+') -+ -+######################################## -+## - ## Inherit and use file descriptors from RPM scripts. - ## - ## -@@ -210,6 +288,24 @@ - - ######################################## - ## -+## dontaudit and use file descriptors from RPM scripts. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`rpm_dontaudit_use_script_fds',` -+ gen_require(` -+ type rpm_script_t; -+ ') -+ -+ dontaudit $1 rpm_script_t:fd use; -+') -+ -+######################################## -+## - ## Create, read, write, and delete RPM - ## script temporary files. - ## -@@ -225,7 +321,29 @@ - ') - - files_search_tmp($1) -+ manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) - manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) -+ manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) -+') -+ -+######################################## -+## -+## read, RPM -+## script temporary files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rpm_read_script_tmp_files',` -+ gen_require(` -+ type rpm_script_tmp_t; -+ ') -+ -+ read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) -+ read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) - ') - - ######################################## -@@ -289,3 +407,175 @@ - dontaudit $1 rpm_var_lib_t:file manage_file_perms; - dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; - ') -+ -+ -+######################################## -+## -+## Allow application to transition to rpm_script domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rpm_transition_script',` -+ gen_require(` -+ type rpm_script_t; -+ ') -+ -+ allow $1 rpm_script_t:process transition; -+ -+ allow $1 rpm_script_t:fd use; -+ allow rpm_script_t $1:fd use; -+ allow rpm_script_t $1:fifo_file rw_fifo_file_perms; -+ allow rpm_script_t $1:process sigchld; -+') -+ -+######################################## -+## -+## allow domain to read, -+## write RPM tmp files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`rpm_rw_tmp_files',` -+ gen_require(` -+ type rpm_tmp_t; -+ ') -+ -+ allow $1 rpm_tmp_t:file rw_file_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read, -+## write RPM tmp files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`rpm_dontaudit_rw_tmp_files',` -+ gen_require(` -+ type rpm_tmp_t; -+ ') -+ -+ dontaudit $1 rpm_tmp_t:file rw_file_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read, -+## write RPM shm -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`rpm_dontaudit_rw_shm',` -+ gen_require(` -+ type rpm_t; -+ ') -+ -+ dontaudit $1 rpm_t:shm rw_shm_perms; -+') -+ -+######################################## -+## -+## Read/write rpm tmpfs files. -+## -+## -+##

-+## Read/write rpm tmpfs files. -+##

-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rpm_rw_tmpfs_files',` -+ gen_require(` -+ type rpm_tmpfs_t; -+ ') -+ -+ fs_search_tmpfs($1) -+ allow $1 rpm_tmpfs_t:dir list_dir_perms; -+ rw_files_pattern($1, rpm_tmpfs_t, rpm_tmpfs_t) -+ read_lnk_files_pattern($1, rpm_tmpfs_t, rpm_tmpfs_t) -+') -+ -+######################################## -+## -+## Transition to system_r when execute an rpm script -+## -+## -+##

-+## Execute rpm script in a specified role -+##

-+##

-+## No interprocess communication (signals, pipes, -+## etc.) is provided by this interface since -+## the domains are not owned by this module. -+##

-+## -+## -+## -+## Role to transition from. -+## -+## -+interface(`rpm_role_transition',` -+ gen_require(` -+ type rpm_exec_t; -+ ') -+ -+ role_transition $1 rpm_exec_t system_r; -+') -+ -+######################################## -+## -+## Do not audit attempts to write, and delete the -+## RPM var run files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`rpm_dontaudit_write_pid_files',` -+ gen_require(` -+ type rpm_var_run_t; -+ ') -+ -+ dontaudit $1 rpm_var_run_t:file write_file_perms; -+') -+ -+######################################## -+## -+## Send a null signal to rpm. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rpm_signull',` -+ gen_require(` -+ type rpm_t; -+ ') -+ -+ allow $1 rpm_t:process signull; -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.5.13/policy/modules/admin/rpm.te ---- nsaserefpolicy/policy/modules/admin/rpm.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/rpm.te 2008-10-28 10:56:19.000000000 -0400 -@@ -31,6 +31,9 @@ - files_type(rpm_var_lib_t) - typealias rpm_var_lib_t alias var_lib_rpm_t; - -+type rpm_var_run_t; -+files_pid_file(rpm_var_run_t) -+ - type rpm_script_t; - type rpm_script_exec_t; - domain_obj_id_change_exemption(rpm_script_t) -@@ -52,7 +55,8 @@ - # rpm Local policy - # - --allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys_chroot sys_tty_config mknod }; -+allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; -+ - allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow rpm_t self:process { getattr setexec setfscreate setrlimit }; - allow rpm_t self:fd use; -@@ -68,6 +72,8 @@ - allow rpm_t self:sem create_sem_perms; - allow rpm_t self:msgq create_msgq_perms; - allow rpm_t self:msg { send receive }; -+allow rpm_t self:dir search; -+allow rpm_t self:file rw_file_perms;; - - allow rpm_t rpm_log_t:file manage_file_perms; - logging_log_filetrans(rpm_t, rpm_log_t, file) -@@ -87,8 +93,12 @@ - manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) - files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) - -+manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) -+files_pid_filetrans(rpm_t, rpm_var_run_t, file) -+ - kernel_read_system_state(rpm_t) - kernel_read_kernel_sysctls(rpm_t) -+kernel_read_network_state_symlinks(rpm_t) - - corecmd_exec_all_executables(rpm_t) - -@@ -115,6 +125,7 @@ - fs_manage_nfs_symlinks(rpm_t) - fs_getattr_all_fs(rpm_t) - fs_search_auto_mountpoints(rpm_t) -+fs_list_inotifyfs(rpm_t) - - mls_file_read_all_levels(rpm_t) - mls_file_write_all_levels(rpm_t) -@@ -177,10 +188,20 @@ - ') - - optional_policy(` -+ optional_policy(` - hal_dbus_chat(rpm_t) - ') - - optional_policy(` -+ networkmanager_dbus_chat(rpm_t) -+ ') -+ -+ optional_policy(` -+ dbus_system_domain(rpm_t, rpm_exec_t) -+ ') -+') -+ -+optional_policy(` - prelink_domtrans(rpm_t) - ') - -@@ -188,6 +209,7 @@ - unconfined_domain(rpm_t) - # yum-updatesd requires this - unconfined_dbus_chat(rpm_t) -+ unconfined_dbus_chat(rpm_script_t) - ') - - ifdef(`TODO',` -@@ -213,8 +235,8 @@ - # rpm-script Local policy - # - --allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; --allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_nice mknod kill }; -+allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; - allow rpm_script_t self:fd use; - allow rpm_script_t self:fifo_file rw_fifo_file_perms; - allow rpm_script_t self:unix_dgram_socket create_socket_perms; -@@ -225,12 +247,15 @@ - allow rpm_script_t self:sem create_sem_perms; - allow rpm_script_t self:msgq create_msgq_perms; - allow rpm_script_t self:msg { send receive }; -+allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms; - - allow rpm_script_t rpm_tmp_t:file read_file_perms; - - allow rpm_script_t rpm_script_tmp_t:dir mounton; - manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) - manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) -+manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) -+manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) - files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) - - manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -@@ -283,6 +308,7 @@ - auth_use_nsswitch(rpm_script_t) - # ideally we would not need this - auth_manage_all_files_except_shadow(rpm_script_t) -+auth_relabel_shadow(rpm_script_t) - - corecmd_exec_all_executables(rpm_script_t) - -@@ -296,6 +322,7 @@ - files_exec_etc_files(rpm_script_t) - files_read_etc_runtime_files(rpm_script_t) - files_exec_usr_files(rpm_script_t) -+files_relabel_all_files(rpm_script_t) - - init_domtrans_script(rpm_script_t) - -@@ -315,6 +342,7 @@ - seutil_domtrans_loadpolicy(rpm_script_t) - seutil_domtrans_setfiles(rpm_script_t) - seutil_domtrans_semanage(rpm_script_t) -+seutil_domtrans_setsebool(rpm_script_t) - - userdom_use_all_users_fds(rpm_script_t) - -@@ -333,6 +361,10 @@ - ') - - optional_policy(` -+ lvm_domtrans(rpm_script_t) -+') -+ -+optional_policy(` - tzdata_domtrans(rpm_t) - tzdata_domtrans(rpm_script_t) - ') -@@ -340,6 +372,7 @@ - optional_policy(` - unconfined_domain(rpm_script_t) - unconfined_domtrans(rpm_script_t) -+ unconfined_execmem_domtrans(rpm_script_t) - - optional_policy(` - java_domtrans(rpm_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.5.13/policy/modules/admin/su.if ---- nsaserefpolicy/policy/modules/admin/su.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/su.if 2008-10-28 10:56:19.000000000 -0400 -@@ -41,15 +41,13 @@ - - allow $2 $1_su_t:process signal; - -- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; -+ allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; - dontaudit $1_su_t self:capability sys_tty_config; -- allow $1_su_t self:key { search write }; -+ allow $1_su_t self:key manage_key_perms; - allow $1_su_t self:process { setexec setsched setrlimit }; - allow $1_su_t self:fifo_file rw_fifo_file_perms; -- allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; - allow $1_su_t self:unix_stream_socket create_stream_socket_perms; - -- # Transition from the user domain to this domain. - domtrans_pattern($2, su_exec_t, $1_su_t) - - # By default, revert to the calling domain when a shell is executed. -@@ -89,28 +87,24 @@ - libs_use_ld_so($1_su_t) - libs_use_shared_libs($1_su_t) - -+ logging_send_audit_msgs($1_su_t) - logging_send_syslog_msg($1_su_t) - - miscfiles_read_localization($1_su_t) - -- ifdef(`distro_rhel4',` -- domain_role_change_exemption($1_su_t) -- domain_subj_id_change_exemption($1_su_t) -- domain_obj_id_change_exemption($1_su_t) -- -- selinux_get_fs_mount($1_su_t) -- selinux_validate_context($1_su_t) -- selinux_compute_access_vector($1_su_t) -- selinux_compute_create_context($1_su_t) -- selinux_compute_relabel_context($1_su_t) -- selinux_compute_user_contexts($1_su_t) -+ auth_login_pgm_domain($1_su_t) - - seutil_read_config($1_su_t) - seutil_read_default_contexts($1_su_t) - - # Only allow transitions to unprivileged user domains. - userdom_spec_domtrans_unpriv_users($1_su_t) -- ') -+ -+ # Deal with unconfined_terminals. -+ term_use_all_user_ttys($1_su_t) -+ term_use_all_user_ptys($1_su_t) -+ term_relabel_all_user_ttys($1_su_t) -+ term_relabel_all_user_ptys($1_su_t) - - optional_policy(` - cron_read_pipes($1_su_t) -@@ -120,10 +114,17 @@ - kerberos_use($1_su_t) - ') - -- ifdef(`TODO',` -- # Caused by su - init scripts -- dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; -- ') dnl end TODO -+ optional_policy(` -+ xserver_domtrans_user_xauth($1, $1_su_t) -+ ') -+ -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_search_nfs($1_su_t) -+ ') -+ -+ tunable_policy(`use_samba_home_dirs',` -+ fs_search_cifs($1_su_t) -+ ') - ') - - ####################################### -@@ -172,14 +173,14 @@ - domain_interactive_fd($1_su_t) - role $3 types $1_su_t; - -- allow $2 $1_su_t:process signal; -+ allow $2 $1_su_t:process { getsched signal }; - -- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; -+ allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; - dontaudit $1_su_t self:capability sys_tty_config; -- allow $1_su_t self:process { setexec setsched setrlimit }; -+ allow $1_su_t self:process { getsched setexec setsched setrlimit }; - allow $1_su_t self:fifo_file rw_fifo_file_perms; -- allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; - allow $1_su_t self:key { search write }; -+ allow $1_su_t $1_t:key search; - - # Transition from the user domain to this domain. - domtrans_pattern($2, su_exec_t, $1_su_t) -@@ -188,7 +189,7 @@ - corecmd_shell_domtrans($1_su_t, $2) - allow $2 $1_su_t:fd use; - allow $2 $1_su_t:fifo_file rw_file_perms; -- allow $2 $1_su_t:process sigchld; -+ allow $2 $1_su_t:process { getsched signal sigchld }; - - kernel_read_system_state($1_su_t) - kernel_read_kernel_sysctls($1_su_t) -@@ -203,15 +204,15 @@ - # needed for pam_rootok - selinux_compute_access_vector($1_su_t) - -- auth_domtrans_user_chk_passwd($1, $1_su_t) -+ auth_run_chk_passwd($1_su_t, $3, { $1_tty_device_t $1_devpts_t }) - auth_dontaudit_read_shadow($1_su_t) - auth_use_nsswitch($1_su_t) -- auth_rw_faillog($1_su_t) - -- corecmd_search_bin($1_su_t) -+ corecmd_exec_bin($1_su_t) - - domain_use_interactive_fds($1_su_t) - -+ files_read_usr_symlinks($1_su_t) - files_read_etc_files($1_su_t) - files_read_etc_runtime_files($1_su_t) - files_search_var_lib($1_su_t) -@@ -226,12 +227,14 @@ - libs_use_ld_so($1_su_t) - libs_use_shared_libs($1_su_t) - -+ logging_send_audit_msgs($1_su_t) - logging_send_syslog_msg($1_su_t) - - miscfiles_read_localization($1_su_t) - -- userdom_use_user_terminals($1, $1_su_t) -+ sysadm_search_home_dirs($1_su_t) - userdom_search_user_home_dirs($1, $1_su_t) -+ userdom_use_user_terminals($1, $1_su_t) - - ifdef(`distro_rhel4',` - domain_role_change_exemption($1_su_t) -@@ -295,13 +298,7 @@ - xserver_domtrans_user_xauth($1, $1_su_t) - ') - -- ifdef(`TODO',` -- allow $1_su_t $1_home_t:file manage_file_perms; -- -- # Access sshd cookie files. -- allow $1_su_t sshd_tmp_t:file rw_file_perms; -- file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t) -- ') dnl end TODO -+ userdom_search_all_users_home_dirs($1_su_t) - ') - - ####################################### -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.5.13/policy/modules/admin/sudo.if ---- nsaserefpolicy/policy/modules/admin/sudo.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/sudo.if 2008-10-28 10:56:19.000000000 -0400 -@@ -55,7 +55,7 @@ - # - - # Use capabilities. -- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource }; -+ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; - allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_sudo_t self:process { setexec setrlimit }; - allow $1_sudo_t self:fd use; -@@ -68,33 +68,36 @@ - allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; - allow $1_sudo_t self:unix_dgram_socket sendto; - allow $1_sudo_t self:unix_stream_socket connectto; -- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; -+ allow $1_sudo_t self:key manage_key_perms; -+ allow $1_sudo_t $1_t:key search; - - # Enter this derived domain from the user domain - domtrans_pattern($2, sudo_exec_t, $1_sudo_t) - - # By default, revert to the calling domain when a shell is executed. - corecmd_shell_domtrans($1_sudo_t, $2) -+ corecmd_bin_domtrans($1_sudo_t, $2) - allow $2 $1_sudo_t:fd use; - allow $2 $1_sudo_t:fifo_file rw_file_perms; - allow $2 $1_sudo_t:process sigchld; - - kernel_read_kernel_sysctls($1_sudo_t) - kernel_read_system_state($1_sudo_t) -- kernel_search_key($1_sudo_t) -+ kernel_link_key($1_sudo_t) - - dev_read_urand($1_sudo_t) -+ dev_rw_generic_usb_dev($1_sudo_t) - - fs_search_auto_mountpoints($1_sudo_t) - fs_getattr_xattr_fs($1_sudo_t) - -- auth_domtrans_chk_passwd($1_sudo_t) -+ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t }) - # sudo stores a token in the pam_pid directory - auth_manage_pam_pid($1_sudo_t) - auth_use_nsswitch($1_sudo_t) - - corecmd_read_bin_symlinks($1_sudo_t) -- corecmd_getattr_all_executables($1_sudo_t) -+ corecmd_exec_all_executables($1_sudo_t) - - domain_use_interactive_fds($1_sudo_t) - domain_sigchld_interactive_fds($1_sudo_t) -@@ -106,32 +109,50 @@ - files_getattr_usr_files($1_sudo_t) - # for some PAM modules and for cwd - files_dontaudit_search_home($1_sudo_t) -+ files_list_tmp($1_sudo_t) - - init_rw_utmp($1_sudo_t) - - libs_use_ld_so($1_sudo_t) - libs_use_shared_libs($1_sudo_t) - -+ logging_send_audit_msgs($1_sudo_t) - logging_send_syslog_msg($1_sudo_t) - - miscfiles_read_localization($1_sudo_t) - -- userdom_manage_user_home_content_files($1, $1_sudo_t) -- userdom_manage_user_home_content_symlinks($1, $1_sudo_t) -- userdom_manage_user_tmp_files($1, $1_sudo_t) -- userdom_manage_user_tmp_symlinks($1, $1_sudo_t) -+ mta_per_role_template($1, $1_sudo_t, $3) -+ -+ unprivuser_manage_home_content_files($1_sudo_t) -+ unprivuser_manage_home_content_symlinks($1_sudo_t) -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_files($1_sudo_t) -+ ') -+ -+ tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_files($1_sudo_t) -+ ') -+ unprivuser_manage_tmp_files($1_sudo_t) -+ unprivuser_manage_tmp_symlinks($1_sudo_t) -+ userdom_exec_user_home_content_files($1, $1_sudo_t) - userdom_use_user_terminals($1, $1_sudo_t) - userdom_use_unpriv_users_fds($1_sudo_t) - # for some PAM modules and for cwd -+ sysadm_search_home_content_dirs($1_sudo_t) - userdom_dontaudit_search_all_users_home_content($1_sudo_t) -+ userdom_manage_all_users_keys($1_sudo_t) - -- ifdef(`TODO',` -- # for when the network connection is killed -- dontaudit unpriv_userdomain $1_sudo_t:process signal; -- -- ifdef(`mta.te', ` -- domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t) -- ') -+ domain_role_change_exemption($1_sudo_t) -+ userdom_spec_domtrans_all_users($1_sudo_t) - -- ') dnl end TODO -+ selinux_validate_context($1_sudo_t) -+ selinux_compute_relabel_context($1_sudo_t) -+ selinux_getattr_fs($1_sudo_t) -+ seutil_read_config($1_sudo_t) -+ seutil_search_default_contexts($1_sudo_t) -+ -+ term_use_all_user_ttys($1_sudo_t) -+ term_use_all_user_ptys($1_sudo_t) -+ term_relabel_all_user_ttys($1_sudo_t) -+ term_relabel_all_user_ptys($1_sudo_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.5.13/policy/modules/admin/tmpreaper.te ---- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/tmpreaper.te 2008-10-28 10:56:19.000000000 -0400 -@@ -22,12 +22,16 @@ - dev_read_urand(tmpreaper_t) - - fs_getattr_xattr_fs(tmpreaper_t) -+fs_list_inotifyfs(tmpreaper_t) - - files_read_etc_files(tmpreaper_t) - files_read_var_lib_files(tmpreaper_t) - files_purge_tmp(tmpreaper_t) - # why does it need setattr? - files_setattr_all_tmp_dirs(tmpreaper_t) -+files_getattr_lost_found_dirs(tmpreaper_t) -+files_getattr_all_dirs(tmpreaper_t) -+files_getattr_all_files(tmpreaper_t) - - mls_file_read_all_levels(tmpreaper_t) - mls_file_write_all_levels(tmpreaper_t) -@@ -42,6 +46,26 @@ - - cron_system_entry(tmpreaper_t, tmpreaper_exec_t) - -+userdom_delete_all_users_home_content_dirs(tmpreaper_t) -+userdom_delete_all_users_home_content_files(tmpreaper_t) -+userdom_delete_all_users_home_content_symlinks(tmpreaper_t) -+ -+optional_policy(` -+ amavis_manage_spool_files(tmpreaper_t) -+') -+ -+optional_policy(` -+ apache_delete_sys_content_rw(tmpreaper_t) -+') -+ -+optional_policy(` -+ kismet_manage_log(tmpreaper_t) -+') -+ - optional_policy(` - lpd_manage_spool(tmpreaper_t) - ') -+ -+optional_policy(` -+ unconfined_domain(tmpreaper_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.5.13/policy/modules/admin/usermanage.te ---- nsaserefpolicy/policy/modules/admin/usermanage.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/usermanage.te 2008-10-28 10:56:19.000000000 -0400 -@@ -97,6 +97,7 @@ - - # allow checking if a shell is executable - corecmd_check_exec_shell(chfn_t) -+corecmd_exec_bin(chfn_t) - - domain_use_interactive_fds(chfn_t) - -@@ -236,9 +237,9 @@ - seutil_read_config(groupadd_t) - - userdom_use_unpriv_users_fds(groupadd_t) -- - # for when /root is the cwd - sysadm_dontaudit_search_home_dirs(groupadd_t) -+userdom_dontaudit_search_all_users_home_content(groupadd_t) - - optional_policy(` - dpkg_use_fds(groupadd_t) -@@ -298,6 +299,7 @@ - term_use_all_user_ttys(passwd_t) - term_use_all_user_ptys(passwd_t) - -+auth_domtrans_chk_passwd(passwd_t) - auth_manage_shadow(passwd_t) - auth_relabel_shadow(passwd_t) - auth_etc_filetrans_shadow(passwd_t) -@@ -317,6 +319,7 @@ - # /usr/bin/passwd asks for w access to utmp, but it will operate - # correctly without it. Do not audit write denials to utmp. - init_dontaudit_rw_utmp(passwd_t) -+init_use_fds(passwd_t) - - libs_use_ld_so(passwd_t) - libs_use_shared_libs(passwd_t) -@@ -335,6 +338,7 @@ - # user generally runs this from their home directory, so do not audit a search - # on user home dir - userdom_dontaudit_search_all_users_home_content(passwd_t) -+unprivuser_stream_connect(passwd_t) - - optional_policy(` - nscd_domtrans(passwd_t) -@@ -502,6 +506,9 @@ - seutil_domtrans_setfiles(useradd_t) - - userdom_use_unpriv_users_fds(useradd_t) -+# for when /root is the cwd -+sysadm_dontaudit_search_home_dirs(useradd_t) -+userdom_dontaudit_search_all_users_home_content(useradd_t) - # Add/remove user home directories - userdom_manage_all_users_home_content_dirs(useradd_t) - userdom_manage_all_users_home_content_files(useradd_t) -@@ -524,6 +531,16 @@ - ') - - optional_policy(` -+ tunable_policy(`samba_domain_controller',` -+ samba_append_log(useradd_t) -+ ') -+') -+ -+optional_policy(` - rpm_use_fds(useradd_t) - rpm_rw_pipes(useradd_t) - ') -+ -+optional_policy(` -+ unconfined_domain(useradd_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.if serefpolicy-3.5.13/policy/modules/admin/vbetool.if ---- nsaserefpolicy/policy/modules/admin/vbetool.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/vbetool.if 2008-10-28 10:56:19.000000000 -0400 -@@ -18,3 +18,34 @@ - corecmd_search_bin($1) - domtrans_pattern($1, vbetool_exec_t, vbetool_t) - ') -+ -+######################################## -+## -+## Execute vbetool in the vbetool domain, and -+## allow the specified role the vbetool domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed the vbetool domain. -+## -+## -+## -+## -+## The type of the terminal allow the vbetool domain to use. -+## -+## -+# -+interface(`vbetool_run',` -+ gen_require(` -+ type vbetool_t; -+ ') -+ -+ vbetool_domtrans($1) -+ role $2 types vbetool_t; -+ allow vbetool_t $3:chr_file rw_term_perms; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.5.13/policy/modules/admin/vbetool.te ---- nsaserefpolicy/policy/modules/admin/vbetool.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/vbetool.te 2008-10-28 10:56:19.000000000 -0400 -@@ -23,6 +23,9 @@ - dev_rwx_zero(vbetool_t) - dev_read_sysfs(vbetool_t) - -+domain_mmap_low_type(vbetool_t) -+domain_mmap_low(vbetool_t) -+ - term_use_unallocated_ttys(vbetool_t) - - libs_use_ld_so(vbetool_t) -@@ -35,3 +38,9 @@ - hal_write_log(vbetool_t) - hal_dontaudit_append_lib_files(vbetool_t) - ') -+ -+optional_policy(` -+ xserver_exec_pid(vbetool_t) -+ xserver_write_pid(vbetool_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.5.13/policy/modules/admin/vpn.if ---- nsaserefpolicy/policy/modules/admin/vpn.if 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/vpn.if 2008-10-28 10:56:19.000000000 -0400 -@@ -53,6 +53,24 @@ - - ######################################## - ## -+## Send sigkill to VPN clients. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`vpn_sigkill',` -+ gen_require(` -+ type vpnc_t; -+ ') -+ -+ allow $1 vpnc_t:process sigkill; -+') -+ -+######################################## -+## - ## Send generic signals to VPN clients. - ## - ## -@@ -71,6 +89,24 @@ - - ######################################## - ## -+## Send signull to VPN clients. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`vpn_signull',` -+ gen_require(` -+ type vpnc_t; -+ ') -+ -+ allow $1 vpnc_t:process signull; -+') -+ -+######################################## -+## - ## Send and receive messages from - ## Vpnc over dbus. - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.5.13/policy/modules/apps/ethereal.fc ---- nsaserefpolicy/policy/modules/apps/ethereal.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/ethereal.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,4 +1,4 @@ --HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ROLE_ethereal_home_t,s0) -+HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ethereal_home_t,s0) - - /usr/sbin/ethereal.* -- gen_context(system_u:object_r:ethereal_exec_t,s0) - /usr/sbin/tethereal.* -- gen_context(system_u:object_r:tethereal_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.if serefpolicy-3.5.13/policy/modules/apps/ethereal.if ---- nsaserefpolicy/policy/modules/apps/ethereal.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/ethereal.if 2008-10-28 10:56:19.000000000 -0400 -@@ -35,6 +35,7 @@ - template(`ethereal_per_role_template',` - - gen_require(` -+ type ethereal_home_t, ethereal_tmp_t; - type ethereal_exec_t; - ') - -@@ -48,12 +49,8 @@ - application_domain($1_ethereal_t, ethereal_exec_t) - role $3 types $1_ethereal_t; - -- type $1_ethereal_home_t alias $1_ethereal_rw_t; -- files_poly_member($1_ethereal_home_t) -- userdom_user_home_content($1, $1_ethereal_home_t) -- -- type $1_ethereal_tmp_t; -- files_tmp_file($1_ethereal_tmp_t) -+ typealias ethereal_home_t alias $1_ethereal_home_t; -+ typealias ethereal_tmp_t alias $1_ethereal_tmp_t; - - type $1_ethereal_tmpfs_t; - files_tmpfs_file($1_ethereal_tmpfs_t) -@@ -78,15 +75,15 @@ - corecmd_search_bin($1_ethereal_t) - - # /home/.ethereal -- manage_dirs_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t) -- manage_files_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t) -- manage_lnk_files_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t) -- userdom_user_home_dir_filetrans($1, $1_ethereal_t, $1_ethereal_home_t, dir) -+ manage_dirs_pattern($1_ethereal_t, ethereal_home_t, ethereal_home_t) -+ manage_files_pattern($1_ethereal_t, ethereal_home_t, ethereal_home_t) -+ manage_lnk_files_pattern($1_ethereal_t, ethereal_home_t, ethereal_home_t) -+ userdom_user_home_dir_filetrans($1, $1_ethereal_t, ethereal_home_t, dir) - - # Store temporary files -- manage_dirs_pattern($1_ethereal_t, $1_ethereal_tmp_t, $1_ethereal_tmp_t) -- manage_files_pattern($1_ethereal_t, $1_ethereal_tmp_t, $1_ethereal_tmp_t) -- files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file }) -+ manage_dirs_pattern($1_ethereal_t, ethereal_tmp_t, ethereal_tmp_t) -+ manage_files_pattern($1_ethereal_t, ethereal_tmp_t, ethereal_tmp_t) -+ files_tmp_filetrans($1_ethereal_t, ethereal_tmp_t, { dir file }) - - manage_dirs_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t) - manage_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t) -@@ -99,12 +96,12 @@ - allow $1_ethereal_t $2:fd use; - allow $1_ethereal_t $2:process sigchld; - -- manage_dirs_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t) -- manage_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t) -- manage_lnk_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t) -- relabel_dirs_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t) -- relabel_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t) -- relabel_lnk_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t) -+ manage_dirs_pattern($2, ethereal_home_t, ethereal_home_t) -+ manage_files_pattern($2, ethereal_home_t, ethereal_home_t) -+ manage_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t) -+ relabel_dirs_pattern($2, ethereal_home_t, ethereal_home_t) -+ relabel_files_pattern($2, ethereal_home_t, ethereal_home_t) -+ relabel_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t) - - kernel_read_kernel_sysctls($1_ethereal_t) - kernel_read_system_state($1_ethereal_t) -@@ -134,7 +131,7 @@ - - sysnet_read_config($1_ethereal_t) - -- userdom_manage_user_home_content_files($1, $1_ethereal_t) -+ unprivuser_manage_home_content_files($1_ethereal_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_ethereal_t) -@@ -152,28 +149,11 @@ - nscd_socket_use($1_ethereal_t) - ') - -- # Manual transition from userhelper -- optional_policy(` -- userhelper_use_user_fd($1, $1_ethereal_t) -- userhelper_sigchld_user($1, $1_ethereal_t) -- ') -- - optional_policy(` - xserver_user_x_domain_template($1, $1_ethereal, $1_ethereal_t, $1_ethereal_tmpfs_t) - xserver_create_xdm_tmp_sockets($1_ethereal_t) - ') - -- ifdef(`TODO',` -- # Why does it write this? -- optional_policy(` -- dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write; -- ') -- #TODO -- gnome_application($1_ethereal, $1) -- gnome_file_dialog($1_ethereal, $1) -- # FIXME: policy is incomplete -- ') -- - ') - - ####################################### -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.5.13/policy/modules/apps/ethereal.te ---- nsaserefpolicy/policy/modules/apps/ethereal.te 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/ethereal.te 2008-10-28 10:56:19.000000000 -0400 -@@ -16,6 +16,13 @@ - type tethereal_tmp_t; - files_tmp_file(tethereal_tmp_t) - -+type ethereal_home_t; -+files_poly_member(ethereal_home_t) -+userdom_user_home_content(user, ethereal_home_t) -+ -+type ethereal_tmp_t; -+files_tmp_file(ethereal_tmp_t) -+ - ######################################## - # - # Tethereal policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.if serefpolicy-3.5.13/policy/modules/apps/games.if ---- nsaserefpolicy/policy/modules/apps/games.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/games.if 2008-10-28 10:56:19.000000000 -0400 -@@ -130,10 +130,10 @@ - - sysnet_read_config($1_games_t) - -- userdom_manage_user_tmp_dirs($1,$1_games_t) -- userdom_manage_user_tmp_files($1,$1_games_t) -- userdom_manage_user_tmp_symlinks($1,$1_games_t) -- userdom_manage_user_tmp_sockets($1,$1_games_t) -+ unprivuser_manage_tmp_dirs($1_games_t) -+ unprivuser_manage_tmp_files($1_games_t) -+ unprivuser_manage_tmp_symlinks($1_games_t) -+ unprivuser_manage_tmp_sockets($1_games_t) - # Suppress .icons denial until properly implemented - userdom_dontaudit_read_user_home_content_files($1,$1_games_t) - -@@ -165,3 +165,23 @@ - ') - ') - ') -+ -+######################################## -+## -+## Allow the specified domain to read/write -+## games data. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`games_rw_data',` -+ gen_require(` -+ type games_data_t; -+ ') -+ -+ rw_files_pattern($1, games_data_t, games_data_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.5.13/policy/modules/apps/gnome.fc ---- nsaserefpolicy/policy/modules/apps/gnome.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/gnome.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,8 +1,10 @@ --HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:ROLE_gnome_home_t,s0) --HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:ROLE_gconf_home_t,s0) -+HOME_DIR/.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) -+HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) -+HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) - --/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) -+/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) - --/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:ROLE_gconf_tmp_t,s0) -- --/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) -+# Don't use because toolchain is broken -+#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) -+HOME_DIR/.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.5.13/policy/modules/apps/gnome.if ---- nsaserefpolicy/policy/modules/apps/gnome.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/gnome.if 2008-10-30 16:10:55.000000000 -0400 -@@ -36,6 +36,7 @@ - gen_require(` - type gconfd_exec_t, gconf_etc_t; - attribute gnomedomain; -+ type gconf_home_t, gconf_tmp_t; - ') - - ############################## -@@ -47,14 +48,9 @@ - application_domain($1_gconfd_t, gconfd_exec_t) - role $3 types $1_gconfd_t; - -- type $1_gconf_home_t; -- userdom_user_home_content($1, $1_gconf_home_t) -- -- type $1_gnome_home_t; -- userdom_user_home_content($1, $1_gnome_home_t) -- -- type $1_gconf_tmp_t; -- files_tmp_file($1_gconf_tmp_t) -+ typealias gnome_home_t alias $1_gnome_home_t; -+ typealias gconf_home_t alias $1_gconf_home_t; -+ typealias gconf_tmp_t alias $1_gconf_tmp_t; - - ############################## - # -@@ -64,21 +60,18 @@ - allow $1_gconfd_t self:process getsched; - allow $1_gconfd_t self:fifo_file rw_fifo_file_perms; - -- manage_dirs_pattern($1_gconfd_t, $1_gconf_home_t, $1_gconf_home_t) -- manage_files_pattern($1_gconfd_t, $1_gconf_home_t, $1_gconf_home_t) -- userdom_user_home_dir_filetrans($1, $1_gconfd_t, $1_gconf_home_t, dir) -- -- manage_dirs_pattern($1_gconfd_t, $1_gconf_tmp_t, $1_gconf_tmp_t) -- manage_files_pattern($1_gconfd_t, $1_gconf_tmp_t, $1_gconf_tmp_t) -- userdom_user_tmp_filetrans($1, $1_gconfd_t, $1_gconf_tmp_t, { dir file }) -- -- domain_auto_trans($2, gconfd_exec_t, $1_gconfd_t) -- allow $1_gconfd_t $2:fd use; -- allow $1_gconfd_t $2:fifo_file write; -- allow $1_gconfd_t $2:unix_stream_socket connectto; -+ manage_dirs_pattern($1_gconfd_t, gconf_home_t, gconf_home_t) -+ manage_files_pattern($1_gconfd_t, gconf_home_t, gconf_home_t) - -- allow $1_gconfd_t gconf_etc_t:dir list_dir_perms; -- read_files_pattern($1_gconfd_t, gconf_etc_t, gconf_etc_t) -+ manage_dirs_pattern($1_gconfd_t, gconf_tmp_t, gconf_tmp_t) -+ manage_files_pattern($1_gconfd_t, gconf_tmp_t, gconf_tmp_t) -+ userdom_user_home_dir_filetrans($1, $1_gconfd_t, gconf_home_t, dir) -+ userdom_user_tmp_filetrans($1, $1_gconfd_t, gconf_tmp_t, { dir file }) -+ userdom_tmp_filetrans_user_tmp($1, $1_gconfd_t, dir) -+ -+ domtrans_pattern($2, gconfd_exec_t, $1_gconfd_t) -+ allow $1_gconfd_t $2:unix_stream_socket connectto; -+ allow $2 $1_gconfd_t:unix_stream_socket connectto; - - ps_process_pattern($2, $1_gconfd_t) - -@@ -86,6 +79,10 @@ - - files_read_etc_files($1_gconfd_t) - -+ fs_list_inotifyfs($1_gconfd_t) -+ -+ auth_use_nsswitch($1_gconfd_t) -+ - libs_use_ld_so($1_gconfd_t) - libs_use_shared_libs($1_gconfd_t) - -@@ -93,11 +90,8 @@ - - logging_send_syslog_msg($1_gconfd_t) - -- userdom_manage_user_tmp_sockets($1, $1_gconfd_t) -- userdom_manage_user_tmp_dirs($1, $1_gconfd_t) -- userdom_tmp_filetrans_user_tmp($1, $1_gconfd_t,dir) -- -- gnome_stream_connect_gconf_template($1, $2) -+ unprivuser_manage_tmp_sockets($1_gconfd_t) -+ unprivuser_manage_tmp_dirs($1_gconfd_t) - - optional_policy(` - nscd_dontaudit_search_pid($1_gconfd_t) -@@ -107,6 +101,10 @@ - xserver_use_xdm_fds($1_gconfd_t) - xserver_rw_xdm_pipes($1_gconfd_t) - ') -+ -+# optional_policy(` -+# mozilla_stream_connect_template($1, $1_gconfd_t) -+# ') - ') - - ######################################## -@@ -127,20 +125,39 @@ - # - template(`gnome_stream_connect_gconf_template',` - gen_require(` -- type $1_gconfd_t, $1_gconf_tmp_t; -+ type $1_gconfd_t, gconf_tmp_t; - ') - -- read_files_pattern($2, $1_gconf_tmp_t, $1_gconf_tmp_t) -+ read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) - allow $2 $1_gconfd_t:unix_stream_socket connectto; - ') - -+ -+######################################## -+## -+## Send general signals to all gconf domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_signal_all',` -+ gen_require(` -+ attribute gnomedomain; -+ ') -+ -+ allow $1 gnomedomain:process signal; -+') -+ - ######################################## - ## - ## Run gconfd in the role-specific gconfd domain. - ## - ## - ##

--## Run gconfd in the role-specfic gconfd domain. -+## Run gconfd in the role-specific gconfd domain. - ##

- ##

- ## This is a templated interface, and should only -@@ -169,7 +186,7 @@ - - ######################################## - ##

--## manage gnome homedir content (.config) -+## read gnome homedir content (.config) - ## - ## - ## -@@ -183,11 +200,96 @@ - ## - ## - # -+template(`gnome_read_gnome_config',` -+ gen_require(` -+ type gnome_home_t; -+ ') -+ -+ read_files_pattern($2, gnome_home_t, gnome_home_t) -+') -+ -+######################################## -+## -+## manage gnome homedir content (.config) -+## -+## -+## nn -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+# - template(`gnome_manage_user_gnome_config',` - gen_require(` -- type $1_gnome_home_t; -+ type gnome_home_t; -+ ') -+ -+ manage_dirs_pattern($2, gnome_home_t, gnome_home_t) -+ manage_files_pattern($2, gnome_home_t, gnome_home_t) -+ manage_lnk_files_pattern($2, gnome_home_t, gnome_home_t) -+') -+ -+######################################## -+## -+## Execute gconf programs in -+## in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_exec_gconf',` -+ gen_require(` -+ type gconfd_exec_t; -+ ') -+ -+ can_exec($1, gconfd_exec_t) -+') -+######################################## -+## -+## Read gconf home files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_read_gconf_home_files',` -+ gen_require(` -+ type gconf_home_t; -+ ') -+ -+ read_files_pattern($1, gconf_home_t, gconf_home_t) -+') -+ -+######################################## -+## -+## Connect to gnome over an unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+# -+interface(`gnome_stream_connect',` -+ gen_require(` -+ type gnome_home_t; - ') - -- allow $2 $1_gnome_home_t:dir manage_dir_perms; -- allow $2 $1_gnome_home_t:file manage_file_perms; -+ # Connect to pulseaudit server -+ stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.5.13/policy/modules/apps/gnome.te ---- nsaserefpolicy/policy/modules/apps/gnome.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/gnome.te 2008-10-28 10:56:19.000000000 -0400 -@@ -8,8 +8,34 @@ - - attribute gnomedomain; - --type gconf_etc_t; --files_type(gconf_etc_t) -- - type gconfd_exec_t; - application_executable_file(gconfd_exec_t) -+ -+type gnome_home_t; -+userdom_user_home_type(gnome_home_t) -+userdom_user_home_content(user, gnome_home_t) -+ -+type gconf_home_t; -+userdom_user_home_content(user, gconf_home_t) -+ -+type gconf_tmp_t; -+files_tmp_file(gconf_tmp_t) -+ -+typealias gnome_home_t alias unconfined_gnome_home_t; -+typealias gconf_home_t alias unconfined_gconf_home_t; -+typealias gconf_tmp_t alias unconfined_gconf_tmp_t; -+ -+ -+############################## -+# -+# Declarations -+# -+type gconfd_t, gnomedomain; -+application_domain(gconfd_t, gconfd_exec_t) -+role system_r types gconfd_exec_t; -+ -+############################## -+# -+# Local Policy -+# -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.5.13/policy/modules/apps/gpg.fc ---- nsaserefpolicy/policy/modules/apps/gpg.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/gpg.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,9 +1,9 @@ --HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0) -+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) - --/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) -+/usr/bin/gpg2? -- gen_context(system_u:object_r:gpg_exec_t,s0) - /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) - /usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) - /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0) - --/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) --/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) -+/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) -+/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.5.13/policy/modules/apps/gpg.if ---- nsaserefpolicy/policy/modules/apps/gpg.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/gpg.if 2008-10-28 10:56:19.000000000 -0400 -@@ -37,6 +37,9 @@ - template(`gpg_per_role_template',` - gen_require(` - type gpg_exec_t, gpg_helper_exec_t, gpg_agent_exec_t, pinentry_exec_t; -+ type gpg_t, gpg_helper_t; -+ type gpg_agent_t, gpg_pinentry_t; -+ type gpg_agent_tmp_t, gpg_secret_t; - ') - - ######################################## -@@ -44,290 +47,60 @@ - # Declarations - # - -- type $1_gpg_t; -- application_domain($1_gpg_t, gpg_exec_t) -- role $3 types $1_gpg_t; -- -- type $1_gpg_agent_t; -- application_domain($1_gpg_agent_t, gpg_agent_exec_t) -- role $3 types $1_gpg_agent_t; -- -- type $1_gpg_agent_tmp_t; -- files_tmp_file($1_gpg_agent_tmp_t) -- -- type $1_gpg_secret_t; -- userdom_user_home_content($1, $1_gpg_secret_t) -- -- type $1_gpg_helper_t; -- application_domain($1_gpg_helper_t, gpg_helper_exec_t) -- role $3 types $1_gpg_helper_t; -- -- type $1_gpg_pinentry_t; -- application_domain($1_gpg_pinentry_t, pinentry_exec_t) -- role $3 types $1_gpg_pinentry_t; -- -- ######################################## -- # -- # GPG local policy -- # -- -- allow $1_gpg_t self:capability { ipc_lock setuid }; -- allow { $2 $1_gpg_t } $1_gpg_t:process signal; -- # setrlimit is for ulimit -c 0 -- allow $1_gpg_t self:process { setrlimit setcap setpgid }; -- -- allow $1_gpg_t self:fifo_file rw_fifo_file_perms; -- allow $1_gpg_t self:tcp_socket create_stream_socket_perms; -- -- # transition from the gpg domain to the helper domain -- domtrans_pattern($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t) -- -- manage_files_pattern($1_gpg_t, $1_gpg_secret_t, $1_gpg_secret_t) -- manage_lnk_files_pattern($1_gpg_t, $1_gpg_secret_t, $1_gpg_secret_t) -- allow $1_gpg_t $1_gpg_secret_t:dir create_dir_perms; -- userdom_user_home_dir_filetrans($1, $1_gpg_t, $1_gpg_secret_t, dir) -- -- # transition from the userdomain to the derived domain -- domtrans_pattern($2, gpg_exec_t, $1_gpg_t) -- -- # allow ps to show gpg -- ps_process_pattern($2, $1_gpg_t) -- -- corenet_all_recvfrom_unlabeled($1_gpg_t) -- corenet_all_recvfrom_netlabel($1_gpg_t) -- corenet_tcp_sendrecv_all_if($1_gpg_t) -- corenet_udp_sendrecv_all_if($1_gpg_t) -- corenet_tcp_sendrecv_all_nodes($1_gpg_t) -- corenet_udp_sendrecv_all_nodes($1_gpg_t) -- corenet_tcp_sendrecv_all_ports($1_gpg_t) -- corenet_udp_sendrecv_all_ports($1_gpg_t) -- corenet_tcp_connect_all_ports($1_gpg_t) -- corenet_sendrecv_all_client_packets($1_gpg_t) -- -- dev_read_rand($1_gpg_t) -- dev_read_urand($1_gpg_t) -- -- fs_getattr_xattr_fs($1_gpg_t) -- -- domain_use_interactive_fds($1_gpg_t) -- -- files_read_etc_files($1_gpg_t) -- files_read_usr_files($1_gpg_t) -- files_dontaudit_search_var($1_gpg_t) -- -- libs_use_shared_libs($1_gpg_t) -- libs_use_ld_so($1_gpg_t) -- -- miscfiles_read_localization($1_gpg_t) -- -- logging_send_syslog_msg($1_gpg_t) -+ typealias gpg_t alias $1_gpg_t; -+ role $3 types gpg_t; - -- sysnet_read_config($1_gpg_t) -+ typealias gpg_agent_t alias $1_gpg_agent_t; -+ role $3 types gpg_agent_t; - -- userdom_use_user_terminals($1, $1_gpg_t) -+ typealias gpg_helper_t alias $1_gpg_helper_t; -+ role $3 types gpg_helper_t; - -- optional_policy(` -- nis_use_ypbind($1_gpg_t) -- ') -- -- ifdef(`TODO',` -- # Read content to encrypt/decrypt/sign -- read_content($1_gpg_t, $1) -- -- # Write content to encrypt/decrypt/sign -- write_trusted($1_gpg_t, $1) -- ') dnl end TODO -- -- ######################################## -- # -- # GPG helper local policy -- # -- -- # for helper programs (which automatically fetch keys) -- # Note: this is only tested with the hkp interface. If you use eg the -- # mail interface you will likely need additional permissions. -- -- allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms; -- allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms }; -- allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms }; -- -- # communicate with the user -- allow $1_gpg_helper_t $2:fd use; -- allow $1_gpg_helper_t $2:fifo_file write; -- -- dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read; -+ typealias gpg_pinentry_t alias $1_gpg_pinentry_t; -+ role $3 types gpg_pinentry_t; - -- corenet_all_recvfrom_unlabeled($1_gpg_helper_t) -- corenet_all_recvfrom_netlabel($1_gpg_helper_t) -- corenet_tcp_sendrecv_all_if($1_gpg_helper_t) -- corenet_raw_sendrecv_all_if($1_gpg_helper_t) -- corenet_udp_sendrecv_all_if($1_gpg_helper_t) -- corenet_tcp_sendrecv_all_nodes($1_gpg_helper_t) -- corenet_udp_sendrecv_all_nodes($1_gpg_helper_t) -- corenet_raw_sendrecv_all_nodes($1_gpg_helper_t) -- corenet_tcp_sendrecv_all_ports($1_gpg_helper_t) -- corenet_udp_sendrecv_all_ports($1_gpg_helper_t) -- corenet_tcp_bind_all_nodes($1_gpg_helper_t) -- corenet_udp_bind_all_nodes($1_gpg_helper_t) -- corenet_tcp_connect_all_ports($1_gpg_helper_t) -- -- dev_read_urand($1_gpg_helper_t) -- -- files_read_etc_files($1_gpg_helper_t) -- # for nscd -- files_dontaudit_search_var($1_gpg_helper_t) -+ typealias gpg_agent_tmp_t alias $1_gpg_agent_tmp_t; -+ typealias gpg_secret_t alias $1_gpg_secret_t; - -- libs_use_ld_so($1_gpg_helper_t) -- libs_use_shared_libs($1_gpg_helper_t) -- -- sysnet_read_config($1_gpg_helper_t) -- -- tunable_policy(`use_nfs_home_dirs',` -- fs_dontaudit_rw_nfs_files($1_gpg_helper_t) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_dontaudit_rw_cifs_files($1_gpg_helper_t) -- ') -- -- optional_policy(` -- xserver_use_xdm_fds($1_gpg_t) -- xserver_rw_xdm_pipes($1_gpg_t) -- ') -- -- ######################################## -- # -- # GPG agent local policy -- # -+ # transition from the userdomain to the derived domain -+ domtrans_pattern($2, gpg_exec_t, gpg_t) - -- # rlimit: gpg-agent wants to prevent coredumps -- allow $1_gpg_agent_t self:process setrlimit; -+ # Transition from the user domain to the derived domain. -+ domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t) - -- allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ; -- allow $1_gpg_agent_t self:fifo_file rw_fifo_file_perms; -+ allow $2 gpg_t:process signal_perms; - -- # Allow the gpg-agent to manage its tmp files (socket) -- manage_dirs_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t) -- manage_files_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t) -- manage_sock_files_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t) -- files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir }) -- -- # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) -- manage_dirs_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t) -- manage_files_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t) -- manage_lnk_files_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t) -+ # Thunderbird leaks descriptors -+ dontaudit gpg_t $2:tcp_socket rw_socket_perms; -+ dontaudit gpg_t $2:udp_socket rw_socket_perms; -+ dontaudit gpg_helper_t $2:tcp_socket rw_socket_perms; -+ dontaudit gpg_helper_t $2:udp_socket rw_socket_perms; -+ #Leaked File Descriptors -+ dontaudit gpg_helper_t $2:unix_stream_socket rw_socket_perms; -+ dontaudit gpg_t $2:unix_stream_socket rw_socket_perms; - -- # allow gpg to connect to the gpg agent -- stream_connect_pattern($1_gpg_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t, $1_gpg_agent_t) -+ # allow ps to show gpg -+ ps_process_pattern($2, gpg_t) - - # allow ps to show gpg-agent - ps_process_pattern($2, $1_gpg_agent_t) - - # Allow the user shell to signal the gpg-agent program. -- allow $2 $1_gpg_agent_t:process { signal sigkill signull }; -- -- # Allow the user to manage gpg-agent tmp files (socket) -- manage_dirs_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t) -- manage_files_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t) -- manage_sock_files_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t) -- -- # Transition from the user domain to the derived domain. -- domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t) -- -- corecmd_search_bin($1_gpg_agent_t) -- -- domain_use_interactive_fds($1_gpg_agent_t) -- -- libs_use_ld_so($1_gpg_agent_t) -- libs_use_shared_libs($1_gpg_agent_t) -- -- miscfiles_read_localization($1_gpg_agent_t) -+ allow $2 gpg_agent_t:process signal_perms; - -+ userdom_use_user_terminals($1, gpg_t) - # Write to the user domain tty. -- userdom_use_user_terminals($1, $1_gpg_agent_t) -- # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) -- userdom_search_user_home_dirs($1, $1_gpg_agent_t) -- -- tunable_policy(`gpg_agent_env_file',` -- # write ~/.gpg-agent-info or a similar to the users home dir -- # or subdir (gpg-agent --write-env-file option) -- # -- userdom_user_home_dir_filetrans_user_home_content($1, $1_gpg_agent_t, file) -- userdom_manage_user_home_content_dirs($1, $1_gpg_agent_t) -- userdom_manage_user_home_content_files($1, $1_gpg_agent_t) -- ') -+ userdom_use_user_terminals($1, gpg_agent_t) - -- tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs($1_gpg_agent_t) -- fs_manage_nfs_files($1_gpg_agent_t) -- fs_manage_nfs_symlinks($1_gpg_agent_t) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs($1_gpg_agent_t) -- fs_manage_cifs_files($1_gpg_agent_t) -- fs_manage_cifs_symlinks($1_gpg_agent_t) -- ') -- -- ############################## -- # -- # Pinentry local policy -- # -- -- allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; -- allow $1_gpg_pinentry_t self:fifo_file rw_fifo_file_perms; -- -- # we need to allow gpg-agent to call pinentry so it can get the passphrase -- # from the user. -- domtrans_pattern($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t) -- -- # read /proc/meminfo -- kernel_read_system_state($1_gpg_pinentry_t) -- -- files_read_usr_files($1_gpg_pinentry_t) -- # read /etc/X11/qtrc -- files_read_etc_files($1_gpg_pinentry_t) -- -- libs_use_ld_so($1_gpg_pinentry_t) -- libs_use_shared_libs($1_gpg_pinentry_t) -- -- miscfiles_read_fonts($1_gpg_pinentry_t) -- miscfiles_read_localization($1_gpg_pinentry_t) -- -- # for .Xauthority -- userdom_read_user_home_content_files($1, $1_gpg_pinentry_t) -- -- tunable_policy(`use_nfs_home_dirs',` -- fs_read_nfs_files($1_gpg_pinentry_t) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_read_cifs_files($1_gpg_pinentry_t) -- ') -- -- optional_policy(` -- xserver_stream_connect_xdm_xserver($1_gpg_pinentry_t) -- ') -- -- ifdef(`TODO',` -- allow $1_gpg_pinentry_t tmp_t:dir { getattr search }; -- -- # wants to put some lock files into the user home dir, seems to work fine without -- dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write }; -- dontaudit $1_gpg_pinentry_t $1_home_t:file write; -- -- tunable_policy(`use_nfs_home_dirs',` -- dontaudit $1_gpg_pinentry_t nfs_t:dir write; -- dontaudit $1_gpg_pinentry_t nfs_t:file write; -- ') -+ # communicate with the user -+ allow gpg_helper_t $2:fd use; -+ allow gpg_helper_t $2:fifo_file rw_fifo_file_perms; - -- tunable_policy(`use_samba_home_dirs',` -- dontaudit $1_gpg_pinentry_t cifs_t:dir write; -- dontaudit $1_gpg_pinentry_t cifs_t:file write; -- ') -+ unprivuser_manage_home_content_files(gpg_helper_t) - -- dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search }; -- ') dnl end TODO -+ manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) -+ manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) -+ manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) - ') - - ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.5.13/policy/modules/apps/gpg.te ---- nsaserefpolicy/policy/modules/apps/gpg.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/gpg.te 2008-10-28 10:56:19.000000000 -0400 -@@ -15,15 +15,255 @@ - gen_tunable(gpg_agent_env_file, false) - - # Type for gpg or pgp executables. -+type gpg_t; - type gpg_exec_t; -+application_domain(gpg_t, gpg_exec_t) -+ -+type gpg_helper_t; - type gpg_helper_exec_t; --application_executable_file(gpg_exec_t) --application_executable_file(gpg_helper_exec_t) -+application_domain(gpg_helper_t, gpg_helper_exec_t) - - # Type for the gpg-agent executable. -+type gpg_agent_t; - type gpg_agent_exec_t; --application_executable_file(gpg_agent_exec_t) -+application_domain(gpg_agent_t, gpg_agent_exec_t) - - # type for the pinentry executable -+type gpg_pinentry_t; - type pinentry_exec_t; --application_executable_file(pinentry_exec_t) -+application_domain(gpg_pinentry_t, pinentry_exec_t) -+ -+type gpg_agent_tmp_t; -+files_tmp_file(gpg_agent_tmp_t) -+ -+type gpg_secret_t; -+userdom_user_home_content(user, gpg_secret_t) -+ -+######################################## -+# -+# GPG local policy -+# -+ -+allow gpg_t self:capability { ipc_lock setuid }; -+allow gpg_t self:process signal; -+# setrlimit is for ulimit -c 0 -+allow gpg_t self:process { setrlimit getcap setcap setpgid }; -+ -+allow gpg_t self:fifo_file rw_fifo_file_perms; -+allow gpg_t self:tcp_socket create_stream_socket_perms; -+ -+manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) -+manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) -+allow gpg_t gpg_secret_t:dir create_dir_perms; -+ -+manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -+manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -+files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) -+ -+kernel_read_sysctl(gpg_t) -+ -+unprivuser_home_dir_filetrans_home_content(gpg_t, file) -+unprivuser_home_dir_filetrans(gpg_t, gpg_secret_t, dir) -+unprivuser_manage_home_content_files(gpg_t) -+unprivuser_manage_tmp_files(gpg_t) -+unprivuser_stream_connect(gpg_t) -+ -+# transition from the gpg domain to the helper domain -+domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) -+ -+corenet_all_recvfrom_unlabeled(gpg_t) -+corenet_all_recvfrom_netlabel(gpg_t) -+corenet_tcp_sendrecv_all_if(gpg_t) -+corenet_udp_sendrecv_all_if(gpg_t) -+corenet_tcp_sendrecv_all_nodes(gpg_t) -+corenet_udp_sendrecv_all_nodes(gpg_t) -+corenet_tcp_sendrecv_all_ports(gpg_t) -+corenet_udp_sendrecv_all_ports(gpg_t) -+corenet_tcp_connect_all_ports(gpg_t) -+corenet_sendrecv_all_client_packets(gpg_t) -+ -+dev_read_rand(gpg_t) -+dev_read_urand(gpg_t) -+ -+fs_getattr_xattr_fs(gpg_t) -+fs_list_inotifyfs(gpg_t) -+ -+domain_use_interactive_fds(gpg_t) -+ -+files_read_etc_files(gpg_t) -+files_read_usr_files(gpg_t) -+files_dontaudit_search_var(gpg_t) -+ -+auth_use_nsswitch(gpg_t) -+ -+libs_use_shared_libs(gpg_t) -+libs_use_ld_so(gpg_t) -+ -+miscfiles_read_localization(gpg_t) -+ -+logging_send_syslog_msg(gpg_t) -+ -+######################################## -+# -+# GPG helper local policy -+# -+ -+allow gpg_helper_t self:process { getsched setsched }; -+ -+# for helper programs (which automatically fetch keys) -+# Note: this is only tested with the hkp interface. If you use eg the -+# mail interface you will likely need additional permissions. -+ -+allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms; -+allow gpg_helper_t self:tcp_socket { connect connected_socket_perms }; -+allow gpg_helper_t self:udp_socket { connect connected_socket_perms }; -+ -+dontaudit gpg_helper_t gpg_secret_t:file read; -+ -+corenet_all_recvfrom_unlabeled(gpg_helper_t) -+corenet_all_recvfrom_netlabel(gpg_helper_t) -+corenet_tcp_sendrecv_all_if(gpg_helper_t) -+corenet_raw_sendrecv_all_if(gpg_helper_t) -+corenet_udp_sendrecv_all_if(gpg_helper_t) -+corenet_tcp_sendrecv_all_nodes(gpg_helper_t) -+corenet_udp_sendrecv_all_nodes(gpg_helper_t) -+corenet_raw_sendrecv_all_nodes(gpg_helper_t) -+corenet_tcp_sendrecv_all_ports(gpg_helper_t) -+corenet_udp_sendrecv_all_ports(gpg_helper_t) -+corenet_tcp_bind_all_nodes(gpg_helper_t) -+corenet_udp_bind_all_nodes(gpg_helper_t) -+corenet_tcp_connect_all_ports(gpg_helper_t) -+ -+files_read_etc_files(gpg_helper_t) -+ -+fs_list_inotifyfs(gpg_helper_t) -+ -+auth_use_nsswitch(gpg_helper_t) -+ -+libs_use_ld_so(gpg_helper_t) -+libs_use_shared_libs(gpg_helper_t) -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_dontaudit_rw_nfs_files(gpg_helper_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_dontaudit_rw_cifs_files(gpg_helper_t) -+') -+ -+optional_policy(` -+ xserver_use_xdm_fds(gpg_t) -+ xserver_rw_xdm_pipes(gpg_t) -+') -+ -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_dirs(gpg_t) -+ fs_manage_nfs_files(gpg_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(gpg_t) -+ fs_manage_cifs_files(gpg_t) -+') -+ -+######################################## -+# -+# GPG agent local policy -+# -+ -+# rlimit: gpg-agent wants to prevent coredumps -+allow gpg_agent_t self:process setrlimit; -+ -+allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ; -+allow gpg_agent_t self:fifo_file rw_fifo_file_perms; -+ -+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) -+manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) -+manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) -+manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) -+ -+# allow gpg to connect to the gpg agent -+manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) -+manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) -+manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) -+ -+stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) -+ -+manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -+manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -+manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -+files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) -+ -+corecmd_search_bin(gpg_agent_t) -+ -+domain_use_interactive_fds(gpg_agent_t) -+ -+libs_use_ld_so(gpg_agent_t) -+libs_use_shared_libs(gpg_agent_t) -+ -+miscfiles_read_localization(gpg_agent_t) -+ -+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) -+unprivuser_search_home_dirs(gpg_agent_t) -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_dirs(gpg_agent_t) -+ fs_manage_nfs_files(gpg_agent_t) -+ fs_manage_nfs_symlinks(gpg_agent_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(gpg_agent_t) -+ fs_manage_cifs_files(gpg_agent_t) -+ fs_manage_cifs_symlinks(gpg_agent_t) -+') -+ -+tunable_policy(`gpg_agent_env_file',` -+ # write ~/.gpg-agent-info or a similar to the users home dir -+ # or subdir (gpg-agent --write-env-file option) -+ # -+ unprivuser_home_dir_filetrans_home_content(gpg_agent_t, file) -+ unprivuser_manage_home_content_dirs(gpg_agent_t) -+ unprivuser_manage_home_content_files(gpg_agent_t) -+') -+ -+############################## -+# -+# Pinentry local policy -+# -+ -+allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; -+allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; -+ -+# we need to allow gpg-agent to call pinentry so it can get the passphrase -+# from the user. -+domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) -+ -+# read /proc/meminfo -+kernel_read_system_state(gpg_pinentry_t) -+ -+files_read_usr_files(gpg_pinentry_t) -+# read /etc/X11/qtrc -+files_read_etc_files(gpg_pinentry_t) -+ -+libs_use_ld_so(gpg_pinentry_t) -+libs_use_shared_libs(gpg_pinentry_t) -+ -+miscfiles_read_fonts(gpg_pinentry_t) -+miscfiles_read_localization(gpg_pinentry_t) -+ -+# for .Xauthority -+unprivuser_read_home_content_files(gpg_pinentry_t) -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_read_nfs_files(gpg_pinentry_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_read_cifs_files(gpg_pinentry_t) -+') -+ -+optional_policy(` -+ xserver_stream_connect_xdm_xserver(gpg_pinentry_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.5.13/policy/modules/apps/java.fc ---- nsaserefpolicy/policy/modules/apps/java.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/java.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -3,14 +3,15 @@ - # - /opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) - /opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) --/opt/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0) --/opt/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0) -+/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) -+/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) - - # - # /usr - # - /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) -+/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0) -@@ -20,5 +21,11 @@ - /usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0) --/usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0) --/usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0) -+/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0) -+/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) -+/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) -+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) -+/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) -+ -+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) -+/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.5.13/policy/modules/apps/java.if ---- nsaserefpolicy/policy/modules/apps/java.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/java.if 2008-10-28 10:56:19.000000000 -0400 -@@ -32,7 +32,7 @@ - ## - ## - # --template(`java_per_role_template',` -+template(`java_plugin_per_role_template',` - gen_require(` - type java_exec_t; - ') -@@ -57,18 +57,21 @@ - # Local policy - # - -- allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem }; -+ allow $1_javaplugin_t self:process { execmem execstack signal_perms getsched ptrace setsched }; - allow $1_javaplugin_t self:fifo_file rw_fifo_file_perms; -- allow $1_javaplugin_t self:tcp_socket create_socket_perms; -+ allow $1_javaplugin_t self:tcp_socket create_stream_socket_perms; - allow $1_javaplugin_t self:udp_socket create_socket_perms; - -+ allow $1_javaplugin_t $1_t:process signull; -+ allow $1_javaplugin_t $1_t:unix_stream_socket connectto; -+ allow $1_t $1_javaplugin_t:unix_stream_socket connectto; - allow $1_javaplugin_t $2:unix_stream_socket connectto; -- allow $1_javaplugin_t $2:unix_stream_socket { read write }; -- userdom_write_user_tmp_sockets($1, $1_javaplugin_t) -+ allow $1_javaplugin_t $2:tcp_socket { read write }; - - manage_dirs_pattern($1_javaplugin_t, $1_javaplugin_tmp_t, $1_javaplugin_tmp_t) - manage_files_pattern($1_javaplugin_t, $1_javaplugin_tmp_t, $1_javaplugin_tmp_t) - files_tmp_filetrans($1_javaplugin_t, $1_javaplugin_tmp_t, { file dir }) -+ allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute; - - manage_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t) - manage_lnk_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t) -@@ -76,14 +79,9 @@ - manage_sock_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t) - fs_tmpfs_filetrans($1_javaplugin_t, $1_javaplugin_tmpfs_t, { file lnk_file sock_file fifo_file }) - -- rw_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t) -- read_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t) -- - can_exec($1_javaplugin_t, java_exec_t) - -- # The user role is authorized for this domain. -- domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t) -- allow $1_javaplugin_t $2:fd use; -+ domtrans_pattern($2, java_exec_t, $1_javaplugin_t) - # Unrestricted inheritance from the caller. - allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh }; - allow $1_javaplugin_t $2:process signull; -@@ -94,7 +92,7 @@ - kernel_read_system_state($1_javaplugin_t) - - # Search bin directory under javaplugin for javaplugin executable -- corecmd_search_bin($1_javaplugin_t) -+ corecmd_exec_bin($1_javaplugin_t) - - corenet_all_recvfrom_unlabeled($1_javaplugin_t) - corenet_all_recvfrom_netlabel($1_javaplugin_t) -@@ -107,10 +105,12 @@ - corenet_tcp_connect_all_ports($1_javaplugin_t) - corenet_sendrecv_all_client_packets($1_javaplugin_t) - -+ dev_list_sysfs($1_javaplugin_t) - dev_read_sound($1_javaplugin_t) - dev_write_sound($1_javaplugin_t) - dev_read_urand($1_javaplugin_t) - dev_read_rand($1_javaplugin_t) -+ dev_write_rand($1_javaplugin_t) - - files_read_etc_files($1_javaplugin_t) - files_read_usr_files($1_javaplugin_t) -@@ -122,6 +122,9 @@ - - fs_getattr_xattr_fs($1_javaplugin_t) - fs_dontaudit_rw_tmpfs_files($1_javaplugin_t) -+ fs_getattr_tmpfs($1_javaplugin_t) -+ -+ auth_use_nsswitch($1_javaplugin_t) - - libs_use_ld_so($1_javaplugin_t) - libs_use_shared_libs($1_javaplugin_t) -@@ -132,23 +135,23 @@ - # Read global fonts and font config - miscfiles_read_fonts($1_javaplugin_t) - -- sysnet_read_config($1_javaplugin_t) -- -+ unprivuser_manage_home_content_files($1_javaplugin_t) - userdom_dontaudit_use_user_terminals($1, $1_javaplugin_t) - userdom_dontaudit_setattr_user_home_content_files($1, $1_javaplugin_t) - userdom_dontaudit_exec_user_home_content_files($1, $1_javaplugin_t) -- userdom_manage_user_home_content_dirs($1, $1_javaplugin_t) -- userdom_manage_user_home_content_files($1, $1_javaplugin_t) -- userdom_manage_user_home_content_symlinks($1, $1_javaplugin_t) -- userdom_manage_user_home_content_pipes($1, $1_javaplugin_t) -- userdom_manage_user_home_content_sockets($1, $1_javaplugin_t) -- userdom_user_home_dir_filetrans_user_home_content($1, $1_javaplugin_t, { file lnk_file sock_file fifo_file }) -+ unprivuser_manage_tmp_dirs($1_javaplugin_t) -+ unprivuser_manage_tmp_files($1_javaplugin_t) -+ unprivuser_manage_tmp_sockets($1_javaplugin_t) -+ userdom_read_user_tmpfs_files($1, $1_javaplugin_t) -+ unprivuser_manage_home_content_dirs($1_javaplugin_t) -+ unprivuser_manage_home_content_files($1_javaplugin_t) -+ unprivuser_manage_home_content_symlinks($1_javaplugin_t) -+ unprivuser_manage_home_content_pipes($1_javaplugin_t) -+ unprivuser_manage_home_content_sockets($1_javaplugin_t) -+ unprivuser_home_dir_filetrans_home_content($1_javaplugin_t, { file lnk_file sock_file fifo_file }) - - tunable_policy(`allow_java_execstack',` - allow $1_javaplugin_t self:process execstack; -- -- allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute; -- - libs_legacy_use_shared_libs($1_javaplugin_t) - libs_legacy_use_ld_so($1_javaplugin_t) - -@@ -156,16 +159,63 @@ - ') - - optional_policy(` -- nis_use_ypbind($1_javaplugin_t) -+ xserver_user_x_domain_template($1, $1_javaplugin, $1_javaplugin_t, $1_javaplugin_tmpfs_t) - ') - -- optional_policy(` -- nscd_socket_use($1_javaplugin_t) - ') - -- optional_policy(` -- xserver_user_x_domain_template($1, $1_javaplugin, $1_javaplugin_t, $1_javaplugin_tmpfs_t) -+####################################### -+## -+## The per role template for the java module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for java applications. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+# -+template(`java_per_role_template',` -+ gen_require(` -+ type java_exec_t; - ') -+ -+ type $1_java_t; -+ domain_type($1_java_t) -+ domain_entry_file($1_java_t, java_exec_t) -+ role $3 types $1_java_t; -+ -+ domain_interactive_fd($1_java_t) -+ -+ userdom_unpriv_usertype($1, $1_java_t) -+ -+ allow $1_java_t self:process { getsched sigkill execheap execmem execstack }; -+ -+ allow $2 $1_java_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh }; -+ allow $1_java_t $2:tcp_socket { read write }; -+ -+ domtrans_pattern($2, java_exec_t, $1_java_t) -+ -+ dev_read_urand($1_java_t) -+ dev_read_rand($1_java_t) -+ -+ fs_dontaudit_rw_tmpfs_files($1_java_t) - ') - - ######################################## -@@ -219,3 +269,85 @@ - corecmd_search_bin($1) - domtrans_pattern($1, java_exec_t, java_t) - ') -+ -+######################################## -+## -+## Execute a java in the specified domain -+## -+## -+##

-+## Execute the java command in the specified domain. This allows -+## the specified domain to execute any file -+## on these filesystems in the specified -+## domain. -+##

-+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the new process. -+## -+## -+# -+interface(`java_spec_domtrans',` -+ gen_require(` -+ type java_exec_t; -+ ') -+ -+ domain_trans($1, java_exec_t, $2) -+ type_transition $1 java_exec_t:process $2; -+') -+ -+######################################## -+## -+## Execute java in the java domain, and -+## allow the specified role the java domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+## -+## -+## The role to be allowed the java domain. -+## -+## -+## -+## -+## The type of the terminal allow the java domain to use. -+## -+## -+# -+interface(`java_run',` -+ gen_require(` -+ type java_t; -+ ') -+ -+ java_domtrans($1) -+ role $2 types java_t; -+ allow java_t $3:chr_file rw_term_perms; -+') -+ -+######################################## -+## -+## Execute the java program in the java domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`java_exec',` -+ gen_require(` -+ type java_exec_t; -+ ') -+ -+ ca_exec($1, java_exec_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.5.13/policy/modules/apps/java.te ---- nsaserefpolicy/policy/modules/apps/java.te 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/java.te 2008-10-28 10:56:19.000000000 -0400 -@@ -6,16 +6,10 @@ - # Declarations - # - --## --##

--## Allow java executable stack --##

--## --gen_tunable(allow_java_execstack, false) -- - type java_t; - type java_exec_t; - init_system_domain(java_t, java_exec_t) -+typealias java_t alias unconfined_java_t; - - ######################################## - # -@@ -23,11 +17,28 @@ - # - - # execheap is needed for itanium/BEA jrocket --allow java_t self:process { execstack execmem execheap }; -+allow java_t self:process { getsched sigkill execheap execmem execstack }; - -+optional_policy(` - init_dbus_chat_script(java_t) -+ optional_policy(` -+ hal_dbus_chat(java_t) -+ ') - - optional_policy(` -- unconfined_domain_noaudit(java_t) - unconfined_dbus_chat(java_t) - ') -+') -+ -+optional_policy(` -+ rpm_domtrans(java_t) -+') -+ -+optional_policy(` -+ unconfined_domain_noaudit(java_t) -+') -+ -+optional_policy(` -+ xserver_rw_xdm_xserver_shm(java_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.5.13/policy/modules/apps/livecd.fc ---- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/livecd.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,2 @@ -+ -+/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.5.13/policy/modules/apps/livecd.if ---- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/livecd.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,56 @@ -+ -+## policy for livecd -+ -+######################################## -+## -+## Execute a domain transition to run livecd. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`livecd_domtrans',` -+ gen_require(` -+ type livecd_t; -+ type livecd_exec_t; -+ ') -+ -+ domtrans_pattern($1, livecd_exec_t, livecd_t) -+') -+ -+ -+######################################## -+## -+## Execute livecd in the livecd domain, and -+## allow the specified role the livecd domain. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the livecd domain. -+## -+## -+## -+## -+## The type of the role's terminal. -+## -+## -+# -+interface(`livecd_run',` -+ gen_require(` -+ type livecd_t; -+ ') -+ -+ livecd_domtrans($1) -+ role $2 types livecd_t; -+ allow livecd_t $3:chr_file rw_term_perms; -+ -+ seutil_run_setfiles_mac(livecd_t, $2, $3) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.5.13/policy/modules/apps/livecd.te ---- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/livecd.te 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,26 @@ -+policy_module(livecd, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type livecd_t; -+type livecd_exec_t; -+application_domain(livecd_t, livecd_exec_t) -+role system_r types livecd_t; -+ -+######################################## -+# -+# livecd local policy -+# -+dontaudit livecd_t self:capability2 mac_admin; -+ -+unconfined_domain_noaudit(livecd_t) -+domain_ptrace_all_domains(livecd_t) -+ -+optional_policy(` -+ hal_dbus_chat(livecd_t) -+') -+ -+seutil_domtrans_setfiles_mac(livecd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.5.13/policy/modules/apps/loadkeys.te ---- nsaserefpolicy/policy/modules/apps/loadkeys.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/loadkeys.te 2008-10-28 10:56:19.000000000 -0400 -@@ -32,7 +32,6 @@ - term_dontaudit_use_console(loadkeys_t) - term_use_unallocated_ttys(loadkeys_t) - --init_dontaudit_use_fds(loadkeys_t) - init_dontaudit_use_script_ptys(loadkeys_t) - - libs_use_ld_so(loadkeys_t) -@@ -45,3 +44,7 @@ - optional_policy(` - nscd_dontaudit_search_pid(loadkeys_t) - ') -+ -+unprivuser_dontaudit_write_home_content_files(loadkeys_t) -+unprivuser_dontaudit_list_home_dirs(loadkeys_t) -+sysadm_dontaudit_list_home_dirs(loadkeys_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.5.13/policy/modules/apps/mono.if ---- nsaserefpolicy/policy/modules/apps/mono.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/mono.if 2008-10-28 10:56:19.000000000 -0400 -@@ -21,7 +21,106 @@ - - ######################################## - ## --## Execute the mono program in the caller domain. -+## Read and write to mono shared memory. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`mono_rw_shm',` -+ gen_require(` -+ type mono_t; -+ ') -+ -+ allow $1 mono_t:shm rw_shm_perms; -+') -+ -+######################################## -+## -+## Execute mono in the mono domain, and -+## allow the specified role the mono domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+## -+## -+## The role to be allowed the mono domain. -+## -+## -+## -+## -+## The type of the terminal allow the mono domain to use. -+## -+## -+# -+interface(`mono_run',` -+ gen_require(` -+ type mono_t; -+ ') -+ -+ mono_domtrans($1) -+ role $2 types mono_t; -+ allow mono_t $3:chr_file rw_term_perms; -+') -+ -+####################################### -+## -+## The per role template for the mono module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for mono applications. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+# -+template(`mono_per_role_template',` -+ gen_require(` -+ type mono_exec_t; -+ ') -+ -+ type $1_mono_t; -+ domain_type($1_mono_t) -+ domain_entry_file($1_mono_t, mono_exec_t) -+ role $3 types $1_mono_t; -+ -+ domain_interactive_fd($1_mono_t) -+ -+ userdom_unpriv_usertype($1, $1_mono_t) -+ -+ allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack }; -+ allow $2 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; -+ -+ domtrans_pattern($2, mono_exec_t, $1_mono_t) -+ -+ fs_dontaudit_rw_tmpfs_files($1_mono_t) -+ corecmd_bin_domtrans($1_mono_t, $1_t) -+') -+ -+######################################## -+## -+## Execute the mono program in the mono domain. - ## - ## - ## -@@ -31,7 +130,7 @@ - # - interface(`mono_exec',` - gen_require(` -- type mono_t, mono_exec_t; -+ type mono_exec_t; - ') - - corecmd_search_bin($1) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.5.13/policy/modules/apps/mono.te ---- nsaserefpolicy/policy/modules/apps/mono.te 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/mono.te 2008-10-28 10:56:19.000000000 -0400 -@@ -15,7 +15,7 @@ - # Local policy - # - --allow mono_t self:process { execheap execmem }; -+allow mono_t self:process { ptrace signal getsched execheap execmem execstack }; - - unprivuser_home_dir_filetrans_home_content(mono_t,{ dir file lnk_file fifo_file sock_file }) - -@@ -46,3 +46,7 @@ - unconfined_dbus_chat(mono_t) - unconfined_dbus_connect(mono_t) - ') -+ -+optional_policy(` -+ xserver_rw_xdm_xserver_shm(mono_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.5.13/policy/modules/apps/mozilla.fc ---- nsaserefpolicy/policy/modules/apps/mozilla.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/mozilla.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,8 +1,8 @@ --HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) --HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) --HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) --HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) --HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -+HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -+HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) - - # - # /bin -@@ -17,7 +17,6 @@ - # - # /etc - # --/etc/mozpluggerrc -- gen_context(system_u:object_r:mozilla_conf_t,s0) - - # - # /lib -@@ -29,3 +28,5 @@ - /usr/lib(64)?/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) - /usr/lib(64)?/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) - /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) -+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) -+/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.5.13/policy/modules/apps/mozilla.if ---- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/mozilla.if 2008-10-28 10:56:19.000000000 -0400 -@@ -35,7 +35,10 @@ - template(`mozilla_per_role_template',` - gen_require(` - type mozilla_conf_t, mozilla_exec_t; -+ type mozilla_home_t, mozilla_tmp_t; - ') -+ gen_tunable(browser_confine_$1, false) -+ gen_tunable(browser_write_$1_data, false) - - ######################################## - # -@@ -45,36 +48,44 @@ - application_domain($1_mozilla_t, mozilla_exec_t) - role $3 types $1_mozilla_t; - -- type $1_mozilla_home_t alias $1_mozilla_rw_t; -- files_poly_member($1_mozilla_home_t) -- userdom_user_home_content($1, $1_mozilla_home_t) -- - type $1_mozilla_tmpfs_t; - files_tmpfs_file($1_mozilla_tmpfs_t) - -+ typealias mozilla_home_t alias $1_mozilla_home_t; -+ typealias mozilla_tmp_t alias $1_mozilla_tmp_t; -+ -+ ######################################## -+ # -+ # Local booleans -+ # -+ - ######################################## - # - # Local policy - # - - allow $1_mozilla_t self:capability { sys_nice setgid setuid }; -- allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit }; -+ allow $1_mozilla_t self:process { ptrace sigkill signal signull setsched getsched setrlimit }; - allow $1_mozilla_t self:fifo_file rw_fifo_file_perms; - allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create }; - allow $1_mozilla_t self:sem create_sem_perms; - allow $1_mozilla_t self:socket create_socket_perms; - allow $1_mozilla_t self:unix_stream_socket { listen accept }; - # Browse the web, connect to printer -- allow $1_mozilla_t self:tcp_socket create_socket_perms; -- allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms; -+ allow $1_mozilla_t self:tcp_socket create_stream_socket_perms; - - # for bash - old mozilla binary - can_exec($1_mozilla_t, mozilla_exec_t) - -+ domain_read_all_domains_state($1_mozilla_t) -+ -+ fs_getattr_tmpfs($1_mozilla_t) -+ fs_manage_tmpfs_files($1_mozilla_t) -+ - # X access, Home files -- manage_dirs_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t) -- manage_files_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t) -- manage_lnk_files_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t) -+ manage_dirs_pattern($1_mozilla_t, mozilla_home_t, mozilla_home_t) -+ manage_files_pattern($1_mozilla_t, mozilla_home_t, mozilla_home_t) -+ manage_lnk_files_pattern($1_mozilla_t, mozilla_home_t, mozilla_home_t) - userdom_search_user_home_dirs($1, $1_mozilla_t) - - # Mozpluggerrc -@@ -89,22 +100,47 @@ - allow $2 $1_mozilla_t:unix_stream_socket connectto; - - # X access, Home files -- manage_dirs_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t) -- manage_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t) -- manage_lnk_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t) -- relabel_dirs_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t) -- relabel_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t) -- relabel_lnk_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t) -- -- manage_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t) -- manage_lnk_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t) -- manage_fifo_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t) -- manage_sock_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t) -- fs_tmpfs_filetrans($1_mozilla_t, $1_mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) -+ manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t) -+ manage_files_pattern($2, mozilla_home_t, mozilla_home_t) -+ manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) -+ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) -+ relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) -+ relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) - - allow $1_mozilla_t $2:process signull; - -+ tunable_policy(`browser_confine_$1',` - domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t) -+ ',` -+ can_exec($2, mozilla_exec_t) -+ ') -+ -+ unprivuser_read_home_content_files($1_mozilla_t) -+ unprivuser_read_home_content_symlinks($1_mozilla_t) -+ unprivuser_read_tmp_files($1_mozilla_t) -+ unprivuser_manage_tmp_dirs($1_mozilla_t) -+ unprivuser_manage_tmp_files($1_mozilla_t) -+ unprivuser_manage_tmp_sockets($1_mozilla_t) -+ userdom_tmp_filetrans_user_tmp($1, $1_mozilla_t, { file dir sock_file }) -+ userdom_read_user_tmpfs_files($1, $1_mozilla_t) -+ -+ ifdef(`enable_mls',`',` -+ fs_search_removable($1_mozilla_t) -+ fs_read_removable_files($1_mozilla_t) -+ fs_read_removable_symlinks($1_mozilla_t) -+ ') -+ -+ tunable_policy(`browser_write_$1_data',` -+ unprivuser_manage_home_content_dirs($1_mozilla_t) -+ unprivuser_manage_home_content_files($1_mozilla_t) -+ unprivuser_manage_home_content_symlinks($1_mozilla_t) -+ unprivuser_manage_home_content_pipes($1_mozilla_t) -+ unprivuser_home_dir_filetrans_home_content($1_mozilla_t, { file dir lnk_file }) -+ ',` -+ # helper apps will try to create .files -+ userdom_dontaudit_create_user_home_content_files($1, $1_mozilla_t) -+ userdom_user_home_dir_filetrans($1, $1_mozilla_t, $1_mozilla_home_t, dir) -+ ') - # Unrestricted inheritance from the caller. - allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh }; - -@@ -112,17 +148,20 @@ - ps_process_pattern($2, $1_mozilla_t) - allow $2 $1_mozilla_t:process signal_perms; - -+ kernel_read_fs_sysctls($1_mozilla_t) - kernel_read_kernel_sysctls($1_mozilla_t) - kernel_read_network_state($1_mozilla_t) - # Access /proc, sysctl -- kernel_read_system_state($1_mozilla_t) -- kernel_read_net_sysctls($1_mozilla_t) -+ kernel_dontaudit_read_system_state($1_mozilla_t) -+# kernel_read_system_state($1_mozilla_t) -+# kernel_read_net_sysctls($1_mozilla_t) - - # Look for plugins - corecmd_list_bin($1_mozilla_t) - # for bash - old mozilla binary - corecmd_exec_shell($1_mozilla_t) - corecmd_exec_bin($1_mozilla_t) -+ application_exec($1_mozilla_t) - - # Browse the web, connect to printer - corenet_all_recvfrom_unlabeled($1_mozilla_t) -@@ -137,9 +176,9 @@ - corenet_tcp_sendrecv_ipp_port($1_mozilla_t) - corenet_tcp_connect_http_port($1_mozilla_t) - corenet_tcp_connect_http_cache_port($1_mozilla_t) -+ corenet_tcp_connect_flash_port($1_mozilla_t) - corenet_tcp_connect_ftp_port($1_mozilla_t) - corenet_tcp_connect_ipp_port($1_mozilla_t) -- corenet_tcp_connect_generic_port($1_mozilla_t) - corenet_sendrecv_http_client_packets($1_mozilla_t) - corenet_sendrecv_http_cache_client_packets($1_mozilla_t) - corenet_sendrecv_ftp_client_packets($1_mozilla_t) -@@ -165,13 +204,28 @@ - files_read_var_files($1_mozilla_t) - files_read_var_symlinks($1_mozilla_t) - files_dontaudit_getattr_boot_dirs($1_mozilla_t) -+ files_dontaudit_list_non_security($1_mozilla_t) -+ files_dontaudit_getattr_non_security_files($1_mozilla_t) -+ files_dontaudit_getattr_non_security_symlinks($1_mozilla_t) -+ files_dontaudit_getattr_non_security_pipes($1_mozilla_t) -+ files_dontaudit_getattr_non_security_sockets($1_mozilla_t) -+ -+ dev_dontaudit_getattr_all_blk_files($1_mozilla_t) -+ dev_dontaudit_getattr_all_chr_files($1_mozilla_t) - - fs_search_auto_mountpoints($1_mozilla_t) - fs_list_inotifyfs($1_mozilla_t) -+ fs_manage_dos_dirs($1_mozilla_t) -+ fs_manage_dos_files($1_mozilla_t) - fs_rw_tmpfs_files($1_mozilla_t) -+ fs_read_noxattr_fs_files($1_mozilla_t) -+ -+ selinux_dontaudit_getattr_fs($1_mozilla_t) - - term_dontaudit_getattr_pty_dirs($1_mozilla_t) - -+ auth_use_nsswitch($1_mozilla_t) -+ - libs_use_ld_so($1_mozilla_t) - libs_use_shared_libs($1_mozilla_t) - -@@ -180,17 +234,10 @@ - miscfiles_read_fonts($1_mozilla_t) - miscfiles_read_localization($1_mozilla_t) - -- # Browse the web, connect to printer -- sysnet_dns_name_resolve($1_mozilla_t) -- sysnet_read_config($1_mozilla_t) -- -- userdom_manage_user_home_content_dirs($1, $1_mozilla_t) -- userdom_manage_user_home_content_files($1, $1_mozilla_t) -- userdom_manage_user_home_content_symlinks($1, $1_mozilla_t) -- userdom_manage_user_tmp_dirs($1, $1_mozilla_t) -- userdom_manage_user_tmp_files($1, $1_mozilla_t) -- userdom_manage_user_tmp_sockets($1, $1_mozilla_t) -+ userdom_dontaudit_read_user_tmp_files($1, $1_mozilla_t) -+ userdom_dontaudit_use_user_terminals($1, $1_mozilla_t) - -+ xserver_read_xdm_pid($1_mozilla_t) - xserver_user_x_domain_template($1, $1_mozilla, $1_mozilla_t, $1_mozilla_tmpfs_t) - xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t) - xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t) -@@ -211,131 +258,8 @@ - fs_manage_cifs_symlinks($1_mozilla_t) - ') - -- # Uploads, local html -- tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` -- fs_list_auto_mountpoints($1_mozilla_t) -- files_list_home($1_mozilla_t) -- fs_read_nfs_files($1_mozilla_t) -- fs_read_nfs_symlinks($1_mozilla_t) -- -- ',` -- files_dontaudit_list_home($1_mozilla_t) -- fs_dontaudit_list_auto_mountpoints($1_mozilla_t) -- fs_dontaudit_read_nfs_files($1_mozilla_t) -- fs_dontaudit_list_nfs($1_mozilla_t) -- ') -- -- tunable_policy(`mozilla_read_content && use_samba_home_dirs',` -- fs_list_auto_mountpoints($1_mozilla_t) -- files_list_home($1_mozilla_t) -- fs_read_cifs_files($1_mozilla_t) -- fs_read_cifs_symlinks($1_mozilla_t) -- ',` -- files_dontaudit_list_home($1_mozilla_t) -- fs_dontaudit_list_auto_mountpoints($1_mozilla_t) -- fs_dontaudit_read_cifs_files($1_mozilla_t) -- fs_dontaudit_list_cifs($1_mozilla_t) -- ') -- -- tunable_policy(`mozilla_read_content',` -- userdom_list_user_tmp($1, $1_mozilla_t) -- userdom_read_user_tmp_files($1, $1_mozilla_t) -- userdom_read_user_tmp_symlinks($1, $1_mozilla_t) -- userdom_search_user_home_dirs($1, $1_mozilla_t) -- userdom_read_user_home_content_files($1, $1_mozilla_t) -- userdom_read_user_home_content_symlinks($1, $1_mozilla_t) -- -- ifdef(`enable_mls',`',` -- fs_search_removable($1_mozilla_t) -- fs_read_removable_files($1_mozilla_t) -- fs_read_removable_symlinks($1_mozilla_t) -- ') -- ',` -- files_dontaudit_list_tmp($1_mozilla_t) -- files_dontaudit_list_home($1_mozilla_t) -- fs_dontaudit_list_removable($1_mozilla_t) -- fs_dontaudit_read_removable_files($1_mozilla_t) -- userdom_dontaudit_list_user_tmp($1, $1_mozilla_t) -- userdom_dontaudit_read_user_tmp_files($1, $1_mozilla_t) -- userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t) -- userdom_dontaudit_read_user_home_content_files($1, $1_mozilla_t) -- ') -- -- tunable_policy(`mozilla_read_content && read_default_t',` -- files_list_default($1_mozilla_t) -- files_read_default_files($1_mozilla_t) -- files_read_default_symlinks($1_mozilla_t) -- ',` -- files_dontaudit_read_default_files($1_mozilla_t) -- files_dontaudit_list_default($1_mozilla_t) -- ') -- -- tunable_policy(`mozilla_read_content && read_untrusted_content',` -- files_list_tmp($1_mozilla_t) -- files_list_home($1_mozilla_t) -- userdom_search_user_home_dirs($1, $1_mozilla_t) -- -- userdom_list_user_untrusted_content($1, $1_mozilla_t) -- userdom_read_user_untrusted_content_files($1, $1_mozilla_t) -- userdom_read_user_untrusted_content_symlinks($1, $1_mozilla_t) -- userdom_list_user_tmp_untrusted_content($1, $1_mozilla_t) -- userdom_read_user_tmp_untrusted_content_files($1, $1_mozilla_t) -- userdom_read_user_tmp_untrusted_content_symlinks($1, $1_mozilla_t) -- ',` -- files_dontaudit_list_tmp($1_mozilla_t) -- files_dontaudit_list_home($1_mozilla_t) -- userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t) -- userdom_dontaudit_list_user_untrusted_content($1, $1_mozilla_t) -- userdom_dontaudit_read_user_untrusted_content_files($1, $1_mozilla_t) -- userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_mozilla_t) -- userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_mozilla_t) -- ') -- -- # Save web pages -- tunable_policy(`write_untrusted_content && use_nfs_home_dirs',` -- files_search_home($1_mozilla_t) -- -- fs_search_auto_mountpoints($1_mozilla_t) -- fs_manage_nfs_dirs($1_mozilla_t) -- fs_manage_nfs_files($1_mozilla_t) -- fs_manage_nfs_symlinks($1_mozilla_t) -- ',` -- fs_dontaudit_list_auto_mountpoints($1_mozilla_t) -- fs_dontaudit_manage_nfs_dirs($1_mozilla_t) -- fs_dontaudit_manage_nfs_files($1_mozilla_t) -- ') -- -- tunable_policy(`write_untrusted_content && use_samba_home_dirs',` -- files_search_home($1_mozilla_t) -- -- fs_search_auto_mountpoints($1_mozilla_t) -- fs_manage_cifs_dirs($1_mozilla_t) -- fs_manage_cifs_files($1_mozilla_t) -- fs_manage_cifs_symlinks($1_mozilla_t) -- ',` -- fs_dontaudit_list_auto_mountpoints($1_mozilla_t) -- fs_dontaudit_manage_cifs_dirs($1_mozilla_t) -- fs_dontaudit_manage_cifs_files($1_mozilla_t) -- ') -- -- tunable_policy(`write_untrusted_content',` -- files_search_home($1_mozilla_t) -- userdom_manage_user_untrusted_content_tmp_files($1, $1_mozilla_t) -- files_tmp_filetrans($1_mozilla_t, $1_untrusted_content_tmp_t, file) -- files_tmp_filetrans($1_mozilla_t, $1_untrusted_content_tmp_t, dir) -- -- userdom_manage_user_untrusted_content_files($1, $1_mozilla_t) -- userdom_user_home_dir_filetrans($1, $1_mozilla_t, $1_untrusted_content_tmp_t, { file dir }) -- userdom_user_home_content_filetrans($1, $1_mozilla_t, $1_untrusted_content_tmp_t, { file dir }) -- ',` -- files_dontaudit_list_home($1_mozilla_t) -- files_dontaudit_list_tmp($1_mozilla_t) -- -- userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t) -- userdom_dontaudit_manage_user_tmp_dirs($1, $1_mozilla_t) -- userdom_dontaudit_manage_user_tmp_files($1, $1_mozilla_t) -- userdom_dontaudit_manage_user_home_content_dirs($1, $1_mozilla_t) -- -+ optional_policy(` -+ alsa_read_rw_config($1_mozilla_t) - ') - - optional_policy(` -@@ -350,57 +274,50 @@ - optional_policy(` - cups_read_rw_config($1_mozilla_t) - cups_dbus_chat($1_mozilla_t) -+ cups_stream_connect($1_mozilla_t) - ') - - optional_policy(` - dbus_system_bus_client_template($1_mozilla, $1_mozilla_t) -- dbus_user_bus_client_template($1, $1_mozilla, $1_mozilla_t) -+# dbus_user_bus_client_template($1, $1_mozilla, $1_mozilla_t) -+ dbus_chat_user_bus($1, $1_mozilla_t) -+ dbus_connectto_user_bus($1, $1_mozilla_t) - ') - - optional_policy(` -- gnome_stream_connect_gconf_template($1, $1_mozilla_t) -+ networkmanager_dbus_chat($1_mozilla_t) - ') - - optional_policy(` -- java_domtrans_user_javaplugin($1, $1_mozilla_t) -+ gnome_exec_gconf($1_mozilla_t) - ') - - optional_policy(` -- lpd_domtrans_user_lpr($1, $1_mozilla_t) -+ java_plugin_per_role_template($1, $1_mozilla_t, $1_r) - ') - -+# optional_policy(` -+# openoffice_plugin_per_role_template($1, $1_mozilla_t, $1_r) -+# ') -+ - optional_policy(` -- mplayer_domtrans_user_mplayer($1, $1_mozilla_t) -- mplayer_read_user_home_files($1, $1_mozilla_t) -+ lpd_domtrans_user_lpr($1, $1_mozilla_t) - ') - - optional_policy(` -- nscd_socket_use($1_mozilla_t) -+ nsplugin_domtrans_user($1, $1_mozilla_t) -+ nsplugin_domtrans_user_config($1, $1_mozilla_t) - ') - - optional_policy(` -- thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t) -+ mplayer_domtrans_mplayer($1, $1_mozilla_t) -+ mplayer_read_user_home_files($1, $1_mozilla_t) - ') - -- ifdef(`TODO',` -- #NOTE commented out in strict. -- ######### Launch email client, and make webcal links work -- #ifdef(`evolution.te', ` -- #domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t) -- #domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t) -- #') -- -- # Macros for mozilla/mozilla (or other browser) domains. -- # FIXME: Rules were removed to centralize policy in a gnome_app macro -- # A similar thing might be necessary for mozilla compiled without GNOME -- # support (is this possible?). -- -- # GNOME integration - optional_policy(` -- gnome_application($1_mozilla, $1) -- gnome_file_dialog($1_mozilla, $1) -- ') -+ thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t) - ') -+ - ') - - ######################################## -@@ -430,11 +347,11 @@ - # - template(`mozilla_read_user_home_files',` - gen_require(` -- type $1_mozilla_home_t; -+ type mozilla_home_t; - ') - -- allow $2 $1_mozilla_home_t:dir list_dir_perms; -- allow $2 $1_mozilla_home_t:file read_file_perms; -+ allow $2 mozilla_home_t:dir list_dir_perms; -+ allow $2 mozilla_home_t:file read_file_perms; - ') - - ######################################## -@@ -464,11 +381,10 @@ - # - template(`mozilla_write_user_home_files',` - gen_require(` -- type $1_mozilla_home_t; -+ type mozilla_home_t; - ') - -- allow $2 $1_mozilla_home_t:dir list_dir_perms; -- allow $2 $1_mozilla_home_t:file write; -+ write_files_pattern($2, mozilla_home_t, mozilla_home_t) - ') - - ######################################## -@@ -573,3 +489,27 @@ - - allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; - ') -+ -+######################################## -+## -+## mozilla connection template. -+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+# -+template(`mozilla_stream_connect_template',` -+ gen_require(` -+ type $1_mozilla_t; -+ ') -+ -+ allow $2 $1_mozilla_t:unix_stream_socket connectto; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.5.13/policy/modules/apps/mozilla.te ---- nsaserefpolicy/policy/modules/apps/mozilla.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/mozilla.te 2008-10-28 10:56:19.000000000 -0400 -@@ -6,15 +6,20 @@ - # Declarations - # - --## --##

--## Control mozilla content access --##

--## --gen_tunable(mozilla_read_content, false) -- - type mozilla_conf_t; - files_config_file(mozilla_conf_t) - - type mozilla_exec_t; - application_executable_file(mozilla_exec_t) -+ -+type mozilla_home_t alias user_mozilla_rw_t; -+files_poly_member(mozilla_home_t) -+userdom_user_home_content(user, mozilla_home_t) -+ -+type mozilla_tmp_t; -+files_tmp_file(mozilla_tmp_t) -+ -+typealias mozilla_home_t alias unconfined_mozilla_home_t; -+typealias mozilla_tmp_t alias unconfined_mozilla_tmp_t; -+typealias mozilla_home_t alias user_mozilla_home_t; -+typealias mozilla_tmp_t alias user_mozilla_tmp_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.5.13/policy/modules/apps/mplayer.fc ---- nsaserefpolicy/policy/modules/apps/mplayer.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/mplayer.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,13 +1,9 @@ - # --# /etc --# --/etc/mplayer(/.*)? gen_context(system_u:object_r:mplayer_etc_t,s0) -- --# - # /usr - # -+/usr/bin/vlc -- gen_context(system_u:object_r:mplayer_exec_t,s0) - /usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0) - /usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0) - /usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0) - --HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:ROLE_mplayer_home_t,s0) -+HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.5.13/policy/modules/apps/mplayer.if ---- nsaserefpolicy/policy/modules/apps/mplayer.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/mplayer.if 2008-10-28 10:56:19.000000000 -0400 -@@ -34,7 +34,8 @@ - # - template(`mplayer_per_role_template',` - gen_require(` -- type mencoder_exec_t, mplayer_exec_t, mplayer_etc_t; -+ type mencoder_exec_t, mplayer_exec_t; -+ type user_mplayer_home_t; - ') - - ######################################## -@@ -50,9 +51,7 @@ - application_domain($1_mplayer_t, mplayer_exec_t) - role $3 types $1_mplayer_t; - -- type $1_mplayer_home_t alias $1_mplayer_rw_t; -- files_poly_member($1_mplayer_home_t) -- userdom_user_home_content($1,$1_mplayer_home_t) -+ typealias mplayer_home_t alias $1_mplayer_home_t; - - type $1_mplayer_tmpfs_t; - files_tmpfs_file($1_mplayer_tmpfs_t) -@@ -62,9 +61,9 @@ - # mencoder local policy - # - -- manage_dirs_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t) -- manage_files_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t) -- manage_lnk_files_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t) -+ manage_dirs_pattern($1_mencoder_t, mplayer_home_t, mplayer_home_t) -+ manage_files_pattern($1_mencoder_t, mplayer_home_t, mplayer_home_t) -+ manage_lnk_files_pattern($1_mencoder_t, mplayer_home_t, mplayer_home_t) - - # Read global config - allow $1_mencoder_t mplayer_etc_t:dir list_dir_perms; -@@ -200,7 +199,7 @@ - ') - - tunable_policy(`write_untrusted_content',` -- userdom_manage_user_untrusted_content_files($1, $1_mplayer_t) -+ unprivuser_manage_untrusted_content_files($1_mplayer_t) - ') - - # Save encoded files -@@ -255,9 +254,9 @@ - allow $1_mplayer_t self:fifo_file rw_fifo_file_perms; - allow $1_mplayer_t self:sem create_sem_perms; - -- manage_dirs_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t) -- manage_files_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t) -- manage_lnk_files_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t) -+ manage_dirs_pattern($1_mplayer_t, mplayer_home_t, mplayer_home_t) -+ manage_files_pattern($1_mplayer_t, mplayer_home_t, mplayer_home_t) -+ manage_lnk_files_pattern($1_mplayer_t, mplayer_home_t, mplayer_home_t) - userdom_search_user_home_dirs($1, $1_mplayer_t) - - manage_files_pattern($1_mplayer_t, $1_mplayer_tmpfs_t, $1_mplayer_tmpfs_t) -@@ -272,12 +271,12 @@ - read_lnk_files_pattern($1_mplayer_t, mplayer_etc_t, mplayer_etc_t) - - # Home access -- manage_dirs_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) -- manage_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) -- manage_lnk_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) -- relabel_dirs_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) -- relabel_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) -- relabel_lnk_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) -+ manage_dirs_pattern($2, mplayer_home_t, mplayer_home_t) -+ manage_files_pattern($2, mplayer_home_t, mplayer_home_t) -+ manage_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t) -+ relabel_dirs_pattern($2, mplayer_home_t, mplayer_home_t) -+ relabel_files_pattern($2, mplayer_home_t, mplayer_home_t) -+ relabel_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t) - - # domain transition - domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t) -@@ -307,6 +306,7 @@ - dev_write_sound_mixer($1_mplayer_t) - # RTC clock - dev_read_realtime_clock($1_mplayer_t) -+ dev_read_urand($1_mplayer_t) - - # Access to DVD/CD/V4L - storage_raw_read_removable_device($1_mplayer_t) -@@ -340,6 +340,7 @@ - userdom_read_user_tmp_symlinks($1, $1_mplayer_t) - userdom_read_user_home_content_files($1, $1_mplayer_t) - userdom_read_user_home_content_symlinks($1, $1_mplayer_t) -+ userdom_write_user_tmp_sockets($1, $1_mplayer_t) - - xserver_user_x_domain_template($1, $1_mplayer, $1_mplayer_t, $1_mplayer_tmpfs_t) - -@@ -467,9 +468,11 @@ - ## - ## - # --template(`mplayer_domtrans_user_mplayer',` -+template(`mplayer_domtrans_mplayer',` - gen_require(` -- type $1_mplayer_t, mplayer_exec_t; -+ type mplayer_exec_t; -+ type $1_mplayer_t; -+ - ') - - domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t) -@@ -477,6 +480,25 @@ - - ######################################## - ## -+## Execute mplayer in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+# -+interface(`mplayer_exec',` -+ gen_require(` -+ type mplayer_exec_t; -+ ') -+ -+ can_exec($1, mplayer_exec_t) -+') -+ -+######################################## -+## - ## Read mplayer per user homedir - ## - ## -@@ -502,8 +524,8 @@ - # - template(`mplayer_read_user_home_files',` - gen_require(` -- type $1_mplayer_home_t; -+ type mplayer_home_t; - ') - -- read_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) -+ read_files_pattern($2, mplayer_home_t, mplayer_home_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.5.13/policy/modules/apps/mplayer.te ---- nsaserefpolicy/policy/modules/apps/mplayer.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/mplayer.te 2008-10-28 10:56:19.000000000 -0400 -@@ -22,3 +22,7 @@ - type mplayer_exec_t; - corecmd_executable_file(mplayer_exec_t) - application_executable_file(mplayer_exec_t) -+ -+type mplayer_home_t alias user_mplayer_rw_t; -+userdom_user_home_content(user, mplayer_home_t) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc ---- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc 2008-10-28 10:57:58.000000000 -0400 -@@ -0,0 +1,11 @@ -+ -+/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0) -+/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) -+/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) -+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) -+ -+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) -+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) -+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0) -+HOME_DIR/\.config/totem(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) -+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.13/policy/modules/apps/nsplugin.if ---- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,297 @@ -+ -+## policy for nsplugin -+ -+######################################## -+## -+## Create, read, write, and delete -+## nsplugin rw files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`nsplugin_manage_rw_files',` -+ gen_require(` -+ type nsplugin_rw_t; -+ ') -+ -+ allow $1 nsplugin_rw_t:file manage_file_perms; -+ allow $1 nsplugin_rw_t:dir rw_dir_perms; -+') -+ -+######################################## -+## -+## Manage nsplugin rw files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`nsplugin_manage_rw',` -+ gen_require(` -+ type nsplugin_rw_t; -+ ') -+ -+ manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t) -+ manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) -+ manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) -+') -+ -+####################################### -+## -+## The per role template for the nsplugin module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for nsplugin web browser. -+##

-+##

-+## This template is invoked automatically for each user, and -+## generally does not need to be invoked directly -+## by policy writers. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+# -+template(`nsplugin_per_role_template_notrans',` -+ gen_require(` -+ type nsplugin_rw_t; -+ type nsplugin_home_t; -+ type nsplugin_exec_t; -+ type nsplugin_config_exec_t; -+ type nsplugin_t; -+ type nsplugin_config_t; -+ ') -+ -+ role $3 types nsplugin_t; -+ role $3 types nsplugin_config_t; -+ -+ allow nsplugin_t $2:process signull; -+ -+ list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t) -+ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) -+ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) -+ can_exec($2, nsplugin_rw_t) -+ -+ #Leaked File Descriptors -+ dontaudit nsplugin_t $2:tcp_socket rw_socket_perms; -+ dontaudit nsplugin_t $2:udp_socket rw_socket_perms; -+ dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms; -+ dontaudit nsplugin_t $2:unix_dgram_socket rw_socket_perms; -+ dontaudit nsplugin_t $2:fifo_file rw_fifo_file_perms; -+ dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms; -+ dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms; -+ dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms; -+ dontaudit nsplugin_config_t $2:unix_dgram_socket rw_socket_perms; -+ dontaudit nsplugin_config_t $2:fifo_file rw_fifo_file_perms; -+ allow nsplugin_t $2:unix_stream_socket connectto; -+ dontaudit nsplugin_t $2:process ptrace; -+ -+ allow $2 nsplugin_t:process { getattr ptrace signal_perms }; -+ allow $2 nsplugin_t:unix_stream_socket connectto; -+ -+ # Connect to pulseaudit server -+ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2) -+ gnome_stream_connect(nsplugin_t, $2) -+ -+ userdom_use_user_terminals($1, nsplugin_t) -+ userdom_use_user_terminals($1, nsplugin_config_t) -+ userdom_dontaudit_setattr_user_home_content_files($1, nsplugin_t) -+ -+ optional_policy(` -+ dbus_dontaudit_connectto_user_bus($1, nsplugin_t) -+ ') -+ -+ xserver_common_app($1, nsplugin_t) -+') -+ -+####################################### -+## -+## The per role template for the nsplugin module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for nsplugin web browser. -+##

-+##

-+## This template is invoked automatically for each user, and -+## generally does not need to be invoked directly -+## by policy writers. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+# -+template(`nsplugin_per_role_template',` -+ gen_require(` -+ type nsplugin_exec_t; -+ type nsplugin_config_exec_t; -+ type nsplugin_t; -+ type nsplugin_config_t; -+ ') -+ -+ nsplugin_per_role_template_notrans($1, $2, $3) -+ -+ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t) -+ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t) -+') -+ -+####################################### -+## -+## The per role template for the nsplugin module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for nsplugin web browser. -+##

-+##

-+## This template is invoked automatically for each user, and -+## generally does not need to be invoked directly -+## by policy writers. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+# -+interface(`nsplugin_domtrans_user',` -+ gen_require(` -+ type nsplugin_exec_t; -+ type nsplugin_t; -+ ') -+ -+ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t) -+') -+####################################### -+## -+## The per role template for the nsplugin module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for nsplugin web browser. -+##

-+##

-+## This template is invoked automatically for each user, and -+## generally does not need to be invoked directly -+## by policy writers. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+# -+interface(`nsplugin_domtrans_user_config',` -+ gen_require(` -+ type nsplugin_config_exec_t; -+ type nsplugin_config_t; -+ ') -+ -+ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t) -+') -+ -+######################################## -+## -+## Search nsplugin rw directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`nsplugin_search_rw_dir',` -+ gen_require(` -+ type nsplugin_rw_t; -+ ') -+ -+ allow $1 nsplugin_rw_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Read nsplugin rw files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`nsplugin_read_rw_files',` -+ gen_require(` -+ type nsplugin_rw_t; -+ ') -+ -+ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) -+') -+ -+######################################## -+## -+## Exec nsplugin rw files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`nsplugin_rw_exec',` -+ gen_require(` -+ type nsplugin_rw_t; -+ ') -+ -+ can_exec($1, nsplugin_rw_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te ---- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-11-06 12:46:21.000000000 -0500 -@@ -0,0 +1,272 @@ -+ -+policy_module(nsplugin, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+## -+##

-+## Allow nsplugin code to execmem/execstack -+##

-+## -+gen_tunable(allow_nsplugin_execmem, false) -+ -+type nsplugin_exec_t; -+application_executable_file(nsplugin_exec_t) -+ -+type nsplugin_config_exec_t; -+application_executable_file(nsplugin_config_exec_t) -+ -+type nsplugin_rw_t; -+files_type(nsplugin_rw_t) -+ -+type nsplugin_tmp_t; -+files_tmp_file(nsplugin_tmp_t) -+ -+type nsplugin_home_t; -+files_poly_member(nsplugin_home_t) -+userdom_user_home_content(user, nsplugin_home_t) -+typealias nsplugin_home_t alias user_nsplugin_home_t; -+ -+type nsplugin_t; -+domain_type(nsplugin_t) -+domain_entry_file(nsplugin_t, nsplugin_exec_t) -+ -+type nsplugin_config_t; -+domain_type(nsplugin_config_t) -+domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t) -+ -+application_executable_file(nsplugin_exec_t) -+application_executable_file(nsplugin_config_exec_t) -+ -+ -+######################################## -+# -+# nsplugin local policy -+# -+dontaudit nsplugin_t self:capability sys_tty_config; -+allow nsplugin_t self:fifo_file rw_file_perms; -+allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms }; -+ -+allow nsplugin_t self:sem create_sem_perms; -+allow nsplugin_t self:shm create_shm_perms; -+allow nsplugin_t self:msgq create_msgq_perms; -+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; -+allow nsplugin_t self:unix_dgram_socket create_socket_perms; -+ -+tunable_policy(`allow_nsplugin_execmem',` -+ allow nsplugin_t self:process { execstack execmem }; -+ allow nsplugin_config_t self:process { execstack execmem }; -+') -+ -+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) -+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) -+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) -+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) -+userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir}) -+userdom_user_home_content_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir}) -+unprivuser_dontaudit_write_home_content_files(nsplugin_t) -+userdom_manage_tmpfs(nsplugin_t) -+ -+corecmd_exec_bin(nsplugin_t) -+corecmd_exec_shell(nsplugin_t) -+ -+corenet_all_recvfrom_unlabeled(nsplugin_t) -+corenet_all_recvfrom_netlabel(nsplugin_t) -+corenet_tcp_connect_flash_port(nsplugin_t) -+corenet_tcp_connect_streaming_port(nsplugin_t) -+corenet_tcp_connect_pulseaudio_port(nsplugin_t) -+corenet_tcp_connect_http_port(nsplugin_t) -+corenet_tcp_connect_http_cache_port(nsplugin_t) -+corenet_tcp_sendrecv_generic_if(nsplugin_t) -+corenet_tcp_sendrecv_all_nodes(nsplugin_t) -+corenet_tcp_connect_ipp_port(nsplugin_t) -+ -+domain_dontaudit_read_all_domains_state(nsplugin_t) -+ -+dev_read_rand(nsplugin_t) -+dev_read_sound(nsplugin_t) -+dev_write_sound(nsplugin_t) -+dev_read_video_dev(nsplugin_t) -+dev_write_video_dev(nsplugin_t) -+dev_getattr_dri_dev(nsplugin_t) -+dev_rwx_zero(nsplugin_t) -+ -+kernel_read_kernel_sysctls(nsplugin_t) -+kernel_read_system_state(nsplugin_t) -+ -+files_dontaudit_getattr_lost_found_dirs(nsplugin_t) -+files_dontaudit_list_home(nsplugin_t) -+files_read_usr_files(nsplugin_t) -+files_read_etc_files(nsplugin_t) -+files_read_config_files(nsplugin_t) -+ -+fs_list_inotifyfs(nsplugin_t) -+fs_getattr_tmpfs(nsplugin_t) -+fs_getattr_xattr_fs(nsplugin_t) -+fs_search_auto_mountpoints(nsplugin_t) -+ -+storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t) -+ -+term_dontaudit_getattr_all_user_ptys(nsplugin_t) -+term_dontaudit_getattr_all_user_ttys(nsplugin_t) -+ -+auth_use_nsswitch(nsplugin_t) -+ -+libs_use_ld_so(nsplugin_t) -+libs_use_shared_libs(nsplugin_t) -+libs_exec_ld_so(nsplugin_t) -+ -+miscfiles_read_localization(nsplugin_t) -+miscfiles_read_fonts(nsplugin_t) -+ -+unprivuser_manage_tmp_dirs(nsplugin_t) -+unprivuser_manage_tmp_files(nsplugin_t) -+unprivuser_manage_tmp_sockets(nsplugin_t) -+userdom_tmp_filetrans_user_tmp(user, nsplugin_t, { file dir sock_file }) -+unprivuser_read_tmpfs_files(nsplugin_t) -+unprivuser_rw_semaphores(nsplugin_t) -+unprivuser_delete_tmpfs_files(nsplugin_t) -+ -+unprivuser_read_home_content_symlinks(nsplugin_t) -+unprivuser_read_home_content_files(nsplugin_t) -+unprivuser_read_tmp_files(nsplugin_t) -+userdom_write_user_tmp_sockets(user, nsplugin_t) -+unprivuser_dontaudit_append_home_content_files(nsplugin_t) -+userdom_dontaudit_unlink_unpriv_home_content_files(nsplugin_t) -+userdom_dontaudit_manage_user_tmp_files(user, nsplugin_t) -+ -+optional_policy(` -+ alsa_read_rw_config(nsplugin_t) -+') -+ -+optional_policy(` -+ cups_stream_connect(nsplugin_t) -+') -+ -+optional_policy(` -+ dbus_system_bus_client_template(nsplugin, nsplugin_t) -+') -+ -+optional_policy(` -+ gnome_exec_gconf(nsplugin_t) -+ gnome_manage_user_gnome_config(user, nsplugin_t) -+ gnome_read_gconf_home_files(nsplugin_t) -+ allow nsplugin_t gnome_home_t:sock_file write; -+') -+ -+optional_policy(` -+ mozilla_read_user_home_files(user, nsplugin_t) -+ mozilla_write_user_home_files(user, nsplugin_t) -+') -+ -+optional_policy(` -+ mplayer_exec(nsplugin_t) -+ mplayer_read_user_home_files(user, nsplugin_t) -+') -+ -+optional_policy(` -+ unconfined_execmem_signull(nsplugin_t) -+ unconfined_delete_tmpfs_files(nsplugin_t) -+') -+ -+optional_policy(` -+ xserver_stream_connect_xdm(nsplugin_t) -+ xserver_stream_connect_xdm_xserver(nsplugin_t) -+ xserver_rw_xdm_xserver_shm(nsplugin_t) -+ xserver_read_xdm_tmp_files(nsplugin_t) -+ xserver_read_xdm_pid(nsplugin_t) -+ xserver_read_user_xauth(user, nsplugin_t) -+ xserver_read_user_iceauth(user, nsplugin_t) -+ xserver_use_user_fonts(user, nsplugin_t) -+ xserver_manage_home_fonts(nsplugin_t) -+ xserver_dontaudit_rw_xdm_home_files(nsplugin_t) -+') -+ -+######################################## -+# -+# nsplugin_config local policy -+# -+ -+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; -+allow nsplugin_config_t self:process { setsched sigkill getsched execmem }; -+#execing pulseaudio -+dontaudit nsplugin_t self:process { getcap setcap }; -+ -+allow nsplugin_config_t self:fifo_file rw_file_perms; -+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms; -+ -+fs_list_inotifyfs(nsplugin_config_t) -+fs_search_auto_mountpoints(nsplugin_config_t) -+ -+can_exec(nsplugin_config_t, nsplugin_rw_t) -+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) -+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) -+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) -+ -+manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) -+manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) -+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) -+ -+corecmd_exec_bin(nsplugin_config_t) -+corecmd_exec_shell(nsplugin_config_t) -+ -+kernel_read_system_state(nsplugin_config_t) -+ -+files_read_etc_files(nsplugin_config_t) -+files_read_usr_files(nsplugin_config_t) -+files_dontaudit_search_home(nsplugin_config_t) -+files_list_tmp(nsplugin_config_t) -+ -+auth_use_nsswitch(nsplugin_config_t) -+ -+libs_use_ld_so(nsplugin_config_t) -+libs_use_shared_libs(nsplugin_config_t) -+ -+miscfiles_read_localization(nsplugin_config_t) -+miscfiles_read_fonts(nsplugin_config_t) -+ -+userdom_search_all_users_home_content(nsplugin_config_t) -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_dirs(nsplugin_t) -+ fs_manage_nfs_files(nsplugin_t) -+ fs_read_nfs_symlinks(nsplugin_t) -+ fs_manage_nfs_named_pipes(nsplugin_t) -+ fs_manage_nfs_dirs(nsplugin_config_t) -+ fs_manage_nfs_files(nsplugin_config_t) -+ fs_manage_nfs_named_pipes(nsplugin_config_t) -+ fs_read_nfs_symlinks(nsplugin_config_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(nsplugin_t) -+ fs_manage_cifs_files(nsplugin_t) -+ fs_read_cifs_symlinks(nsplugin_t) -+ fs_manage_cifs_named_pipes(nsplugin_t) -+ fs_manage_cifs_dirs(nsplugin_config_t) -+ fs_manage_cifs_files(nsplugin_config_t) -+ fs_manage_cifs_named_pipes(nsplugin_config_t) -+ fs_read_cifs_symlinks(nsplugin_config_t) -+') -+ -+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t) -+ -+optional_policy(` -+ xserver_read_home_fonts(nsplugin_config_t) -+') -+ -+optional_policy(` -+ mozilla_read_user_home_files(user, nsplugin_config_t) -+') -+ -+optional_policy(` -+ gen_require(` -+ type unconfined_mono_t; -+ ') -+ allow nsplugin_t unconfined_mono_t:process signull; -+') -+ -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.5.13/policy/modules/apps/openoffice.fc ---- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/openoffice.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,3 @@ -+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) -+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.5.13/policy/modules/apps/openoffice.if ---- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/openoffice.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,106 @@ -+## Openoffice -+ -+####################################### -+## -+## The per role template for the openoffice module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for openoffice plugins that are executed by a browser. -+##

-+##

-+## This template is invoked automatically for each user, and -+## generally does not need to be invoked directly -+## by policy writers. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+# -+interface(`openoffice_plugin_per_role_template',` -+ gen_require(` -+ type openoffice_exec_t; -+ type $1_openoffice_t; -+ ') -+ -+ ######################################## -+ # -+ # Local policy -+ # -+ -+ domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t) -+ allow $2 $1_openoffice_t:process { signal sigkill }; -+') -+ -+####################################### -+## -+## The per role template for the openoffice module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for openoffice applications. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+# -+template(`openoffice_per_role_template',` -+ gen_require(` -+ type openoffice_exec_t; -+ ') -+ -+ type $1_openoffice_t; -+ domain_type($1_openoffice_t) -+ domain_entry_file($1_openoffice_t, openoffice_exec_t) -+ role $3 types $1_openoffice_t; -+ -+ domain_interactive_fd($1_openoffice_t) -+ -+ userdom_unpriv_usertype($1, $1_openoffice_t) -+ userdom_exec_user_home_content_files($1, $1_openoffice_t) -+ -+ allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack }; -+ -+ allow $2 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh }; -+ allow $1_openoffice_t $2:tcp_socket { read write }; -+ -+ domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t) -+ -+ dev_read_urand($1_openoffice_t) -+ dev_read_rand($1_openoffice_t) -+ -+ fs_dontaudit_rw_tmpfs_files($1_openoffice_t) -+ -+ allow $2 $1_openoffice_t:process { signal sigkill }; -+ allow $1_openoffice_t $2:unix_stream_socket connectto; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.5.13/policy/modules/apps/openoffice.te ---- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/openoffice.te 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,14 @@ -+ -+policy_module(openoffice, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type openoffice_t; -+type openoffice_exec_t; -+application_domain(openoffice_t, openoffice_exec_t) -+ -+ -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.fc serefpolicy-3.5.13/policy/modules/apps/podsleuth.fc ---- nsaserefpolicy/policy/modules/apps/podsleuth.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,2 +1,4 @@ - - /usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) -+/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) -+/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.if serefpolicy-3.5.13/policy/modules/apps/podsleuth.if ---- nsaserefpolicy/policy/modules/apps/podsleuth.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.if 2008-10-28 10:56:19.000000000 -0400 -@@ -16,4 +16,38 @@ - ') - - domtrans_pattern($1, podsleuth_exec_t, podsleuth_t) -+ allow $1 podsleuth_t:process signal; - ') -+ -+ -+######################################## -+## -+## Execute podsleuth in the podsleuth domain, and -+## allow the specified role the podsleuth domain. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the podsleuth domain. -+## -+## -+## -+## -+## The type of the role's terminal. -+## -+## -+# -+interface(`podsleuth_run',` -+ gen_require(` -+ type podsleuth_t; -+ ') -+ -+ podsleuth_domtrans($1) -+ role $2 types podsleuth_t; -+ dontaudit podsleuth_t $3:chr_file rw_term_perms; -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.5.13/policy/modules/apps/podsleuth.te ---- nsaserefpolicy/policy/modules/apps/podsleuth.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.te 2008-10-28 10:56:19.000000000 -0400 -@@ -11,24 +11,55 @@ - application_domain(podsleuth_t, podsleuth_exec_t) - role system_r types podsleuth_t; - -+type podsleuth_tmp_t; -+files_tmp_file(podsleuth_tmp_t) -+ -+type podsleuth_cache_t; -+files_type(podsleuth_cache_t) -+ - ######################################## - # - # podsleuth local policy - # -- --allow podsleuth_t self:process { signal getsched execheap execmem }; -+allow podsleuth_t self:capability { sys_admin sys_rawio }; -+allow podsleuth_t self:process { ptrace signal getsched execheap execmem }; - allow podsleuth_t self:fifo_file rw_file_perms; - allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; -+allow podsleuth_t self:sem create_sem_perms; -+allow podsleuth_t self:tcp_socket create_stream_socket_perms; -+allow podsleuth_t self:udp_socket create_socket_perms; - - kernel_read_system_state(podsleuth_t) - -+corecmd_exec_bin(podsleuth_t) -+corenet_tcp_connect_http_port(podsleuth_t) -+ - dev_read_urand(podsleuth_t) - - files_read_etc_files(podsleuth_t) - -+fs_mount_dos_fs(podsleuth_t) -+fs_unmount_dos_fs(podsleuth_t) -+fs_getattr_dos_fs(podsleuth_t) -+fs_read_dos_files(podsleuth_t) -+fs_search_dos(podsleuth_t) -+ -+allow podsleuth_t podsleuth_tmp_t:dir mounton; -+manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) -+files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir }) -+manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) -+ -+manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) -+manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) -+files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir }) -+ -+storage_raw_rw_fixed_disk(podsleuth_t) -+ - libs_use_ld_so(podsleuth_t) - libs_use_shared_libs(podsleuth_t) - -+sysnet_dns_name_resolve(podsleuth_t) -+ - miscfiles_read_localization(podsleuth_t) - - dbus_system_bus_client_template(podsleuth, podsleuth_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.5.13/policy/modules/apps/qemu.fc ---- nsaserefpolicy/policy/modules/apps/qemu.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/qemu.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,2 +1,4 @@ - /usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) - /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) -+ -+/var/cache/libvirt(/.*)? -- gen_context(system_u:object_r:qemu_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.5.13/policy/modules/apps/qemu.if ---- nsaserefpolicy/policy/modules/apps/qemu.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/qemu.if 2008-10-28 10:56:19.000000000 -0400 -@@ -48,6 +48,91 @@ - allow qemu_t $3:chr_file rw_file_perms; - ') - -+####################################### -+## -+## The per role template for the qemu module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for qemu web browser. -+##

-+##

-+## This template is invoked automatically for each user, and -+## generally does not need to be invoked directly -+## by policy writers. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+# -+template(`qemu_per_role_template_notrans',` -+ gen_require(` -+ type qemu_t; -+ ') -+ -+ role $3 types qemu_t; -+ -+ xserver_common_app($1, qemu_t) -+') -+ -+####################################### -+## -+## The per role template for the qemu module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for qemu web browser. -+##

-+##

-+## This template is invoked automatically for each user, and -+## generally does not need to be invoked directly -+## by policy writers. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+# -+template(`qemu_per_role_template',` -+ gen_require(` -+ type qemu_exec_t; -+ ') -+ -+ qemu_per_role_template_notrans($1, $2, $3) -+ -+ domtrans_pattern($2, qemu_exec_t, qemu_t) -+ domtrans_pattern($2, qemu_config_exec_t, qemu_config_t) -+ ') -+ - ######################################## - ## - ## Allow the domain to read state files in /proc. -@@ -68,6 +153,64 @@ - - ######################################## - ## -+## Set the schedule on qemu. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`qemu_setsched',` -+ gen_require(` -+ type qemu_t; -+ ') -+ -+ allow $1 qemu_t:process setsched; -+') -+ -+######################################## -+## -+## Execute qemu_exec_t -+## in the specified domain but do not -+## do it automatically. This is an explicit -+## transition, requiring the caller to use setexeccon(). -+## -+## -+##

-+## Execute qemu_exec_t -+## in the specified domain. This allows -+## the specified domain to qemu programs -+## on these filesystems in the specified -+## domain. -+##

-+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the new process. -+## -+## -+# -+interface(`qemu_spec_domtrans',` -+ gen_require(` -+ type qemu_exec_t; -+ ') -+ -+ read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t) -+ domain_transition_pattern($1, qemu_exec_t, $2) -+ -+ allow $3 $1:fd use; -+ allow $3 $1:fifo_file rw_fifo_file_perms; -+ allow $3 $1:process sigchld; -+') -+ -+######################################## -+## - ## Send a signal to qemu. - ## - ## -@@ -104,7 +247,71 @@ - - ######################################## - ## --## Execute a domain transition to run qemu unconfined. -+## Execute qemu programs in the qemu domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to allow the PAM domain. -+## -+## -+## -+## -+## The type of the terminal allow the PAM domain to use. -+## -+## -+# -+interface(`qemu_runas',` -+ gen_require(` -+ type qemu_t; -+ ') -+ -+ qemu_domtrans($1) -+ allow qemu_t $3:chr_file rw_file_perms; -+') -+ -+######################################## -+## -+## Execute qemu programs in the role. -+## -+## -+## -+## The role to allow the PAM domain. -+## -+## -+# -+interface(`qemu_role',` -+ gen_require(` -+ type qemu_t; -+ ') -+ role $1 types qemu_t; -+') -+ -+######################################## -+## -+## Execute qemu unconfined programs in the role. -+## -+## -+## -+## The role to allow the PAM domain. -+## -+## -+# -+interface(`qemu_unconfined_role',` -+ gen_require(` -+ type qemu_unconfined_t; -+ ') -+ role $1 types qemu_unconfined_t; -+') -+ -+ -+######################################## -+## -+## Execute a domain transition to run qemu. - ## - ## - ## -@@ -122,6 +329,36 @@ - - ######################################## - ## -+## Execute qemu programs in the qemu unconfined domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to allow the PAM domain. -+## -+## -+## -+## -+## The type of the terminal allow the PAM domain to use. -+## -+## -+# -+interface(`qemu_runas_unconfined',` -+ gen_require(` -+ type qemu_unconfined_t; -+ ') -+ -+ qemu_domtrans_unconfined($1) -+ allow qemu_unconfined_t $3:chr_file rw_file_perms; -+') -+ -+ -+######################################## -+## - ## Creates types and rules for a basic - ## qemu process domain. - ## -@@ -133,85 +370,32 @@ - # - template(`qemu_domain_template',` - -- ############################## -- # -- # Local Policy -- # -+ gen_require(` -+ attribute qemutype; -+ ') - -- type $1_t; -- domain_type($1_t) -+ type $1_t, qemutype; - - type $1_tmp_t; - files_tmp_file($1_tmp_t) - -- ############################## -- # -- # Local Policy -- # -+ type $1_tmpfs_t; -+ files_tmpfs_file($1_tmpfs_t) - -- allow $1_t self:capability { dac_read_search dac_override }; -- allow $1_t self:process { execstack execmem signal getsched }; -- allow $1_t self:fifo_file rw_file_perms; -- allow $1_t self:shm create_shm_perms; -- allow $1_t self:unix_stream_socket create_stream_socket_perms; -- allow $1_t self:tcp_socket create_stream_socket_perms; -+ type $1_image_t; -+ virt_image($1_image_t) -+ -+ manage_dirs_pattern($1_t, $1_image_t, $1_image_t) -+ manage_files_pattern($1_t, $1_image_t, $1_image_t) -+ read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) -+ rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) - - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) - -- kernel_read_system_state($1_t) -- -- corenet_all_recvfrom_unlabeled($1_t) -- corenet_all_recvfrom_netlabel($1_t) -- corenet_tcp_sendrecv_all_if($1_t) -- corenet_tcp_sendrecv_all_nodes($1_t) -- corenet_tcp_sendrecv_all_ports($1_t) -- corenet_tcp_bind_all_nodes($1_t) -- corenet_tcp_bind_vnc_port($1_t) -- corenet_rw_tun_tap_dev($1_t) -- --# dev_rw_kvm($1_t) -- -- domain_use_interactive_fds($1_t) -- -- files_read_etc_files($1_t) -- files_read_usr_files($1_t) -- files_read_var_files($1_t) -- files_search_all($1_t) -- -- fs_list_inotifyfs($1_t) -- fs_rw_anon_inodefs_files($1_t) -- fs_rw_tmpfs_files($1_t) -- -- storage_raw_write_removable_device($1_t) -- storage_raw_read_removable_device($1_t) -- -- term_use_ptmx($1_t) -- term_getattr_pty_fs($1_t) -- term_use_generic_ptys($1_t) -- -- libs_use_ld_so($1_t) -- libs_use_shared_libs($1_t) -- -- miscfiles_read_localization($1_t) -- -- sysnet_read_config($1_t) -- --# optional_policy(` --# samba_domtrans_smb($1_t) --# ') -- -- optional_policy(` -- virt_manage_images($1_t) -- virt_read_config($1_t) -- virt_read_lib_files($1_t) -- ') -- -- optional_policy(` -- xserver_stream_connect_xdm_xserver($1_t) -- xserver_read_xdm_tmp_files($1_t) -- xserver_read_xdm_pid($1_t) --# xserver_xdm_rw_shm($1_t) -- ') -+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -+ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.13/policy/modules/apps/qemu.te ---- nsaserefpolicy/policy/modules/apps/qemu.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/qemu.te 2008-10-28 10:56:19.000000000 -0400 -@@ -6,6 +6,8 @@ - # Declarations - # - -+attribute qemutype; -+ - ## - ##

- ## Allow qemu to connect fully to the network -@@ -13,16 +15,102 @@ - ## - gen_tunable(qemu_full_network, false) - -+## -+##

-+## Allow qemu to use nfs file systems -+##

-+## -+gen_tunable(qemu_use_nfs, true) -+ -+## -+##

-+## Allow qemu to use cifs/Samba file systems -+##

-+## -+gen_tunable(qemu_use_cifs, true) -+ - type qemu_exec_t; - qemu_domain_template(qemu) - application_domain(qemu_t, qemu_exec_t) - role system_r types qemu_t; - -+type qemu_cache_t; -+files_type(qemu_cache_t) -+ -+######################################## -+# -+# qemu common policy -+# -+allow qemutype self:capability { dac_read_search dac_override }; -+allow qemutype self:process { execstack execmem signal getsched signull }; -+ -+allow qemutype self:fifo_file rw_file_perms; -+allow qemutype self:shm create_shm_perms; -+allow qemutype self:unix_stream_socket create_stream_socket_perms; -+allow qemutype self:tcp_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(qemu_t, qemu_cache_t, qemu_cache_t) -+manage_files_pattern(qemu_t, qemu_cache_t, qemu_cache_t) -+files_var_filetrans(qemu_t, qemu_cache_t, { file dir }) -+ -+kernel_read_system_state(qemutype) -+ -+corenet_all_recvfrom_unlabeled(qemutype) -+corenet_all_recvfrom_netlabel(qemutype) -+corenet_tcp_sendrecv_all_if(qemutype) -+corenet_tcp_sendrecv_all_nodes(qemutype) -+corenet_tcp_sendrecv_all_ports(qemutype) -+corenet_tcp_bind_all_nodes(qemutype) -+corenet_tcp_bind_vnc_port(qemutype) -+corenet_rw_tun_tap_dev(qemutype) -+ -+dev_read_sound(qemutype) -+dev_write_sound(qemutype) -+dev_rw_kvm(qemutype) -+dev_rw_qemu(qemutype) -+ -+domain_use_interactive_fds(qemutype) -+ -+files_read_etc_files(qemutype) -+files_read_usr_files(qemutype) -+files_read_var_files(qemutype) -+files_search_all(qemutype) -+ -+fs_list_inotifyfs(qemutype) -+fs_rw_anon_inodefs_files(qemutype) -+fs_rw_tmpfs_files(qemutype) -+ -+term_use_ptmx(qemutype) -+term_getattr_pty_fs(qemutype) -+term_use_generic_ptys(qemutype) -+ -+auth_use_nsswitch(qemutype) -+ -+libs_use_ld_so(qemutype) -+libs_use_shared_libs(qemutype) -+ -+miscfiles_read_localization(qemutype) -+ -+optional_policy(` -+ virt_read_config(qemutype) -+ virt_read_lib_files(qemutype) -+') -+ -+optional_policy(` -+ xserver_stream_connect_xdm_xserver(qemutype) -+ xserver_read_xdm_tmp_files(qemutype) -+ xserver_read_xdm_pid(qemutype) -+ xserver_rw_xdm_xserver_shm(qemutype) -+') -+ - ######################################## - # - # qemu local policy - # - -+storage_raw_write_removable_device(qemu_t) -+storage_raw_read_removable_device(qemu_t) -+ - tunable_policy(`qemu_full_network',` - allow qemu_t self:udp_socket create_socket_perms; - -@@ -35,6 +123,30 @@ - corenet_tcp_connect_all_ports(qemu_t) - ') - -+tunable_policy(`qemu_use_nfs',` -+ fs_manage_nfs_files(qemu_t) -+') -+ -+tunable_policy(`qemu_use_cifs',` -+ fs_manage_cifs_dirs(qemu_t) -+') -+ -+optional_policy(` -+ samba_domtrans_smb(qemu_t) -+') -+ -+optional_policy(` -+ virt_manage_images(qemu_t) -+') -+ -+optional_policy(` -+ xen_rw_image_files(qemu_t) -+') -+ -+optional_policy(` -+ xen_rw_image_files(qemu_t) -+') -+ - ######################################## - # - # qemu_unconfined local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.5.13/policy/modules/apps/sambagui.fc ---- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.fc 2008-11-04 09:44:32.000000000 -0500 -@@ -0,0 +1,4 @@ -+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) -+ -+ -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.5.13/policy/modules/apps/sambagui.if ---- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.if 2008-11-04 10:25:22.000000000 -0500 -@@ -0,0 +1,2 @@ -+## system-config-samba policy -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.5.13/policy/modules/apps/sambagui.te ---- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.te 2008-11-04 10:21:56.000000000 -0500 -@@ -0,0 +1,60 @@ -+policy_module(sambagui,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type sambagui_t; -+type sambagui_exec_t; -+ -+dbus_system_domain(sambagui_t, sambagui_exec_t) -+ -+######################################## -+# -+# system-config-samba local policy -+# -+ -+allow sambagui_t self:fifo_file rw_fifo_file_perms; -+ -+# handling with samba conf files -+samba_append_log(sambagui_t) -+samba_manage_config(sambagui_t) -+samba_manage_var_files(sambagui_t) -+samba_initrc_domtrans(sambagui_t) -+samba_domtrans_smb(sambagui_t) -+samba_domtrans_nmb(sambagui_t) -+ -+# execut apps of system-config-samba -+corecmd_exec_shell(sambagui_t) -+corecmd_exec_bin(sambagui_t) -+ -+files_read_etc_files(sambagui_t) -+files_search_var_lib(sambagui_t) -+files_search_usr(sambagui_t) -+ -+fs_list_inotifyfs(sambagui_t) -+ -+libs_use_ld_so(sambagui_t) -+libs_use_shared_libs(sambagui_t) -+ -+# reading shadow by pdbedit -+#auth_read_shadow(sambagui_t) -+ -+miscfiles_read_localization(sambagui_t) -+ -+# read meminfo -+kernel_read_system_state(sambagui_t) -+ -+dev_dontaudit_read_urand(sambagui_t) -+nscd_dontaudit_search_pid(sambagui_t) -+ -+optional_policy(` -+ consoletype_exec(sambagui_t) -+') -+ -+optional_policy(` -+ polkit_dbus_chat(sambagui_t) -+') -+ -+permissive sambagui_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.5.13/policy/modules/apps/screen.fc ---- nsaserefpolicy/policy/modules/apps/screen.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/screen.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,7 +1,7 @@ - # - # /home - # --HOME_DIR/\.screenrc -- gen_context(system_u:object_r:ROLE_screen_ro_home_t,s0) -+HOME_DIR/\.screenrc -- gen_context(system_u:object_r:user_screen_ro_home_t,s0) - - # - # /usr -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.5.13/policy/modules/apps/screen.if ---- nsaserefpolicy/policy/modules/apps/screen.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/screen.if 2008-10-28 10:56:19.000000000 -0400 -@@ -35,6 +35,7 @@ - template(`screen_per_role_template',` - gen_require(` - type screen_dir_t, screen_exec_t; -+ type user_screen_ro_home_t; - ') - - ######################################## -@@ -50,8 +51,9 @@ - type $1_screen_tmp_t; - files_tmp_file($1_screen_tmp_t) - -- type $1_screen_ro_home_t; -- files_type($1_screen_ro_home_t) -+ ifelse(`$1',`user',`',` -+ typealias user_screen_ro_home_t alias $1_screen_ro_home_t; -+ ') - - type $1_screen_var_run_t; - files_pid_file($1_screen_var_run_t) -@@ -81,9 +83,9 @@ - filetrans_pattern($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file) - files_pid_filetrans($1_screen_t, screen_dir_t, dir) - -- allow $1_screen_t $1_screen_ro_home_t:dir list_dir_perms; -- read_files_pattern($1_screen_t, $1_screen_ro_home_t, $1_screen_ro_home_t) -- read_lnk_files_pattern($1_screen_t, $1_screen_ro_home_t, $1_screen_ro_home_t) -+ allow $1_screen_t user_screen_ro_home_t:dir list_dir_perms; -+ read_files_pattern($1_screen_t, user_screen_ro_home_t, user_screen_ro_home_t) -+ read_lnk_files_pattern($1_screen_t, user_screen_ro_home_t, user_screen_ro_home_t) - - allow $1_screen_t $2:process signal; - -@@ -91,12 +93,12 @@ - allow $2 $1_screen_t:process signal; - allow $1_screen_t $2:process signal; - -- manage_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) -- manage_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) -- manage_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) -- relabel_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) -- relabel_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) -- relabel_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) -+ manage_dirs_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t) -+ manage_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t) -+ manage_lnk_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t) -+ relabel_dirs_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t) -+ relabel_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t) -+ relabel_lnk_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t) - - kernel_read_system_state($1_screen_t) - kernel_read_kernel_sysctls($1_screen_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.5.13/policy/modules/apps/screen.te ---- nsaserefpolicy/policy/modules/apps/screen.te 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/screen.te 2008-10-28 10:56:19.000000000 -0400 -@@ -11,3 +11,7 @@ - - type screen_exec_t; - application_executable_file(screen_exec_t) -+ -+type user_screen_ro_home_t; -+userdom_user_home_content(user, user_screen_ro_home_t) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.5.13/policy/modules/apps/thunderbird.fc ---- nsaserefpolicy/policy/modules/apps/thunderbird.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -3,4 +3,4 @@ - # - /usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) - --HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0) -+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:user_thunderbird_home_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-3.5.13/policy/modules/apps/thunderbird.if ---- nsaserefpolicy/policy/modules/apps/thunderbird.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.if 2008-10-28 10:56:19.000000000 -0400 -@@ -43,9 +43,9 @@ - application_domain($1_thunderbird_t, thunderbird_exec_t) - role $3 types $1_thunderbird_t; - -- type $1_thunderbird_home_t alias $1_thunderbird_rw_t; -- files_poly_member($1_thunderbird_home_t) -- userdom_user_home_content($1, $1_thunderbird_home_t) -+ ifelse(`$1',`user',`',` -+ typealias user_thunderbird_home_t alias $1_thunderbird_home_t; -+ ') - - type $1_thunderbird_tmpfs_t; - files_tmpfs_file($1_thunderbird_tmpfs_t) -@@ -64,9 +64,9 @@ - allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write }; - - # Access ~/.thunderbird -- manage_dirs_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t) -- manage_files_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t) -- manage_lnk_files_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t) -+ manage_dirs_pattern($1_thunderbird_t, user_thunderbird_home_t, user_thunderbird_home_t) -+ manage_files_pattern($1_thunderbird_t, user_thunderbird_home_t, user_thunderbird_home_t) -+ manage_lnk_files_pattern($1_thunderbird_t, user_thunderbird_home_t, user_thunderbird_home_t) - userdom_search_user_home_dirs($1, $1_thunderbird_t) - - manage_files_pattern($1_thunderbird_t, $1_thunderbird_tmpfs_t, $1_thunderbird_tmpfs_t) -@@ -87,13 +87,13 @@ - ps_process_pattern($2,$1_thunderbird_t) - - # Access ~/.thunderbird -- manage_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) -- manage_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) -- manage_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) -- -- relabel_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) -- relabel_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) -- relabel_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) -+ manage_dirs_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t) -+ manage_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t) -+ manage_lnk_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t) -+ -+ relabel_dirs_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t) -+ relabel_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t) -+ relabel_lnk_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t) - - # Allow netstat - kernel_read_network_state($1_thunderbird_t) -@@ -153,10 +153,10 @@ - miscfiles_read_fonts($1_thunderbird_t) - miscfiles_read_localization($1_thunderbird_t) - -- userdom_manage_user_tmp_dirs($1, $1_thunderbird_t) -+ unprivuser_manage_tmp_dirs($1_thunderbird_t) - userdom_read_user_tmp_files($1, $1_thunderbird_t) - userdom_write_user_tmp_sockets($1, $1_thunderbird_t) -- userdom_manage_user_tmp_sockets($1, $1_thunderbird_t) -+ unprivuser_manage_tmp_sockets($1_thunderbird_t) - # .kde/....gtkrc - userdom_read_user_home_content_files($1, $1_thunderbird_t) - -@@ -294,8 +294,8 @@ - files_search_home($1_thunderbird_t) - files_tmp_filetrans($1_thunderbird_t, $1_untrusted_content_tmp_t,file) - files_tmp_filetrans($1_thunderbird_t, $1_untrusted_content_tmp_t,dir) -- userdom_manage_user_untrusted_content_files($1, $1_thunderbird_t) -- userdom_manage_user_untrusted_content_tmp_files($1, $1_thunderbird_t) -+ unprivuser_manage_untrusted_content_files($1_thunderbird_t) -+ unprivuser_manage_untrusted_content_tmp_files($1_thunderbird_t) - userdom_user_home_dir_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir }) - userdom_user_home_content_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir }) - ',` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.te serefpolicy-3.5.13/policy/modules/apps/thunderbird.te ---- nsaserefpolicy/policy/modules/apps/thunderbird.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.te 2008-10-28 10:56:19.000000000 -0400 -@@ -8,3 +8,7 @@ - - type thunderbird_exec_t; - application_executable_file(thunderbird_exec_t) -+ -+type user_thunderbird_home_t alias user_thunderbird_rw_t; -+userdom_user_home_content(user, user_thunderbird_home_t) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.5.13/policy/modules/apps/tvtime.if ---- nsaserefpolicy/policy/modules/apps/tvtime.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/tvtime.if 2008-10-28 10:56:19.000000000 -0400 -@@ -35,6 +35,7 @@ - template(`tvtime_per_role_template',` - gen_require(` - type tvtime_exec_t; -+ type user_tvtime_home_t, user_tvtime_tmp_t; - ') - - ######################################## -@@ -46,12 +47,10 @@ - application_domain($1_tvtime_t, tvtime_exec_t) - role $3 types $1_tvtime_t; - -- type $1_tvtime_home_t alias $1_tvtime_rw_t; -- userdom_user_home_content($1, $1_tvtime_home_t) -- files_poly_member($1_tvtime_home_t) -- -- type $1_tvtime_tmp_t; -- files_tmp_file($1_tvtime_tmp_t) -+ ifelse(`$1',`user',`',` -+ typealias user_tvtime_home_t alias $1_tvtime_home_t; -+ typealias user_tvtime_tmp_t alias $1_tvtime_tmp_t; -+ ') - - type $1_tvtime_tmpfs_t; - files_tmpfs_file($1_tvtime_tmpfs_t) -@@ -67,14 +66,14 @@ - allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms; - - # X access, Home files -- manage_dirs_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t) -- manage_files_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t) -- manage_lnk_files_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t) -- userdom_user_home_dir_filetrans($1, $1_tvtime_t, $1_tvtime_home_t, dir) -- -- manage_dirs_pattern($1_tvtime_t, $1_tvtime_tmp_t, $1_tvtime_tmp_t) -- manage_files_pattern($1_tvtime_t, $1_tvtime_tmp_t, $1_tvtime_tmp_t) -- files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t, { file dir }) -+ manage_dirs_pattern($1_tvtime_t, user_tvtime_home_t, user_tvtime_home_t) -+ manage_files_pattern($1_tvtime_t, user_tvtime_home_t, user_tvtime_home_t) -+ manage_lnk_files_pattern($1_tvtime_t, user_tvtime_home_t, user_tvtime_home_t) -+ userdom_user_home_dir_filetrans($1, $1_tvtime_t, user_tvtime_home_t, dir) -+ -+ manage_dirs_pattern($1_tvtime_t, user_tvtime_tmp_t, user_tvtime_tmp_t) -+ manage_files_pattern($1_tvtime_t, user_tvtime_tmp_t, user_tvtime_tmp_t) -+ files_tmp_filetrans($1_tvtime_t, user_tvtime_tmp_t, { file dir }) - - manage_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t) - manage_lnk_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t) -@@ -86,12 +85,12 @@ - domtrans_pattern($2, tvtime_exec_t, $1_tvtime_t) - - # X access, Home files -- manage_dirs_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) -- manage_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) -- manage_lnk_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) -- relabel_dirs_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) -- relabel_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) -- relabel_lnk_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) -+ manage_dirs_pattern($2, user_tvtime_home_t, user_tvtime_home_t) -+ manage_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t) -+ manage_lnk_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t) -+ relabel_dirs_pattern($2, user_tvtime_home_t, user_tvtime_home_t) -+ relabel_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t) -+ relabel_lnk_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t) - - # Allow the user domain to signal/ps. - ps_process_pattern($2,$1_tvtime_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.te serefpolicy-3.5.13/policy/modules/apps/tvtime.te ---- nsaserefpolicy/policy/modules/apps/tvtime.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/tvtime.te 2008-10-28 10:56:19.000000000 -0400 -@@ -11,3 +11,9 @@ - - type tvtime_dir_t; - files_pid_file(tvtime_dir_t) -+ -+type user_tvtime_home_t alias user_tvtime_rw_t; -+userdom_user_home_content(user, user_tvtime_home_t) -+ -+type user_tvtime_tmp_t; -+files_tmp_file(user_tvtime_tmp_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc serefpolicy-3.5.13/policy/modules/apps/uml.fc ---- nsaserefpolicy/policy/modules/apps/uml.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/uml.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,7 +1,7 @@ - # - # HOME_DIR/ - # --HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:ROLE_uml_rw_t,s0) -+HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:user_uml_rw_t,s0) - - # - # /usr -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.5.13/policy/modules/apps/vmware.fc ---- nsaserefpolicy/policy/modules/apps/vmware.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/vmware.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,9 +1,9 @@ - # - # HOME_DIR/ - # --HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0) --HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:ROLE_vmware_conf_t,s0) --HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0) -+HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:vmware_home_t,s0) -+HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:vmware_home_t,s0) -+HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_home_t,s0) - - # - # /etc -@@ -21,32 +21,26 @@ - /usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - /usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - /usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -+/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - /usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - /usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - /usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - /usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0) - /usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) -+/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0) - - /usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) --/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) - /usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) - /usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) -+/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) - /usr/lib/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - --ifdef(`distro_redhat',` --/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) --/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) --') -- - /usr/lib64/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) - /usr/lib64/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) - /usr/lib64/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) - /usr/lib64/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) - /usr/lib64/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - --/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) --/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0) -- - ifdef(`distro_gentoo',` - /opt/vmware/(workstation|player)/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - /opt/vmware/(workstation|player)/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -@@ -63,6 +57,7 @@ - ') - - /var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) -- - /var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) - /var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) -+/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -+/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.5.13/policy/modules/apps/vmware.if ---- nsaserefpolicy/policy/modules/apps/vmware.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/vmware.if 2008-10-28 10:56:19.000000000 -0400 -@@ -47,11 +47,8 @@ - domain_entry_file($1_vmware_t, vmware_exec_t) - role $3 types $1_vmware_t; - -- type $1_vmware_conf_t; -- userdom_user_home_content($1, $1_vmware_conf_t) -- -- type $1_vmware_file_t; -- userdom_user_home_content($1, $1_vmware_file_t) -+ typealias vmware_home_t alias $1_vmware_file_t; -+ typealias vmware_home_t alias $1_vmware_conf_t; - - type $1_vmware_tmp_t; - files_tmp_file($1_vmware_tmp_t) -@@ -84,12 +81,9 @@ - - can_exec($1_vmware_t, vmware_exec_t) - -- # User configuration files -- allow $1_vmware_t $1_vmware_conf_t:file manage_file_perms; -- - # VMWare disks -- manage_files_pattern($1_vmware_t, $1_vmware_file_t, $1_vmware_file_t) -- manage_lnk_files_pattern($1_vmware_t, $1_vmware_file_t, $1_vmware_file_t) -+ manage_files_pattern($1_vmware_t, vmware_home_t, vmware_home_t) -+ manage_lnk_files_pattern($1_vmware_t, vmware_home_t, vmware_home_t) - - allow $1_vmware_t $1_vmware_tmp_t:file execute; - manage_dirs_pattern($1_vmware_t, $1_vmware_tmp_t, $1_vmware_tmp_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.5.13/policy/modules/apps/vmware.te ---- nsaserefpolicy/policy/modules/apps/vmware.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/vmware.te 2008-10-28 10:56:19.000000000 -0400 -@@ -10,6 +10,9 @@ - type vmware_exec_t; - corecmd_executable_file(vmware_exec_t) - -+type vmware_home_t; -+userdom_user_home_content(user, vmware_home_t) -+ - # VMWare host programs - type vmware_host_t; - type vmware_host_exec_t; -@@ -32,7 +35,7 @@ - - allow vmware_host_t self:capability { setgid setuid net_raw }; - dontaudit vmware_host_t self:capability sys_tty_config; --allow vmware_host_t self:process signal_perms; -+allow vmware_host_t self:process { execstack execmem signal_perms }; - allow vmware_host_t self:fifo_file rw_fifo_file_perms; - allow vmware_host_t self:unix_stream_socket create_stream_socket_perms; - allow vmware_host_t self:rawip_socket create_socket_perms; -@@ -48,6 +51,8 @@ - manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t) - logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir }) - -+files_search_home(vmware_host_t) -+ - kernel_read_kernel_sysctls(vmware_host_t) - kernel_list_proc(vmware_host_t) - kernel_read_proc_symlinks(vmware_host_t) -@@ -108,3 +113,13 @@ - optional_policy(` - udev_read_db(vmware_host_t) - ') -+ -+optional_policy(` -+ unconfined_domain(vmware_host_t) -+') -+ -+optional_policy(` -+ xserver_rw_xdm_xserver_shm(vmware_host_t) -+') -+ -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.5.13/policy/modules/apps/webalizer.te ---- nsaserefpolicy/policy/modules/apps/webalizer.te 2008-10-16 17:21:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/webalizer.te 2008-10-28 19:20:51.000000000 -0400 -@@ -68,6 +68,7 @@ - - fs_search_auto_mountpoints(webalizer_t) - fs_getattr_xattr_fs(webalizer_t) -+fs_rw_anon_inodefs_files(webalizer_t) - - files_read_etc_files(webalizer_t) - files_read_etc_runtime_files(webalizer_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.5.13/policy/modules/apps/wine.fc ---- nsaserefpolicy/policy/modules/apps/wine.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/wine.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -2,3 +2,4 @@ - - /opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) - /opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) -+/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.5.13/policy/modules/apps/wine.if ---- nsaserefpolicy/policy/modules/apps/wine.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/wine.if 2008-10-28 10:56:19.000000000 -0400 -@@ -49,3 +49,53 @@ - role $2 types wine_t; - allow wine_t $3:chr_file rw_term_perms; - ') -+ -+####################################### -+## -+## The per role template for the wine module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for wine applications. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+# -+template(`wine_per_role_template',` -+ gen_require(` -+ type wine_exec_t; -+ ') -+ -+ type $1_wine_t; -+ domain_type($1_wine_t) -+ domain_entry_file($1_wine_t, wine_exec_t) -+ role $3 types $1_wine_t; -+ -+ domain_interactive_fd($1_wine_t) -+ -+ userdom_unpriv_usertype($1, $1_wine_t) -+ -+ allow $1_wine_t self:process { execheap execmem }; -+ -+ domtrans_pattern($2, wine_exec_t, $1_wine_t) -+ -+ optional_policy(` -+ xserver_rw_xdm_xserver_shm($1_wine_t) -+ ') -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.5.13/policy/modules/apps/wine.te ---- nsaserefpolicy/policy/modules/apps/wine.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/wine.te 2008-10-28 10:56:19.000000000 -0400 -@@ -9,6 +9,7 @@ - type wine_t; - type wine_exec_t; - application_domain(wine_t, wine_exec_t) -+role system_r types wine_t; - - ######################################## - # -@@ -17,10 +18,17 @@ - - optional_policy(` - allow wine_t self:process { execstack execmem execheap }; -+ domain_mmap_low_type(wine_t) -+ domain_mmap_low(wine_t) - unconfined_domain_noaudit(wine_t) - files_execmod_all_files(wine_t) - -+') -+ - optional_policy(` - hal_dbus_chat(wine_t) - ') -+ -+optional_policy(` -+ xserver_rw_xdm_xserver_shm(wine_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshark.if serefpolicy-3.5.13/policy/modules/apps/wireshark.if ---- nsaserefpolicy/policy/modules/apps/wireshark.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/wireshark.if 2008-10-28 10:56:19.000000000 -0400 -@@ -134,7 +134,7 @@ - - sysnet_read_config($1_wireshark_t) - -- userdom_manage_user_home_content_files($1, $1_wireshark_t) -+ unprivuser_manage_home_content_files($1_wireshark_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_wireshark_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.fc serefpolicy-3.5.13/policy/modules/apps/wm.fc ---- nsaserefpolicy/policy/modules/apps/wm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/wm.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,3 @@ -+/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) -+/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0) -+/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.5.13/policy/modules/apps/wm.if ---- nsaserefpolicy/policy/modules/apps/wm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/wm.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,178 @@ -+## Window Manager. -+ -+####################################### -+## -+## Template to create types and rules common to -+## any window manager domains. -+## -+## -+## -+## The prefix of the domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The prefix of the X server domain (e.g., user -+## is the prefix for user_t). -+## -+## -+# -+template(`wm_domain_template',` -+ gen_require(` -+ type wm_exec_t; -+ type xserver_exec_t; -+ type tmpfs_t; -+ type proc_t; -+ type security_t, selinux_config_t; -+ type $1_t; -+ type $1_tmp_t; -+ type info_xproperty_t, xselection_t; -+ type $2_t, $2_xproperty_t, $2_input_xevent_t, $2_manage_xevent_t, $2_property_xevent_t; -+ type $2_focus_xevent_t, $2_client_xevent_t; -+ type $2_rootwindow_t, $2_xserver_t, $2_xserver_tmp_t; -+ type $1_xproperty_t; -+ type memory_device_t; -+ type output_xext_t; -+ type security_xext_t; -+ type $1_home_t; -+ type $1_tty_device_t; -+ type shell_exec_t; -+ type default_t; -+ type home_root_t; -+ type $1_home_dir_t; -+ type $2_home_t; -+ -+ class x_colormap all_x_colormap_perms; -+ class x_device all_x_device_perms; -+ class x_drawable all_x_drawable_perms; -+ class x_property all_x_property_perms; -+ class x_server all_x_server_perms; -+ class x_resource all_x_resource_perms; -+ class x_screen all_x_screen_perms; -+ class x_synthetic_event all_x_synthetic_event_perms; -+ class x_event all_x_event_perms; -+ class x_selection all_x_selection_perms; -+ class x_extension all_x_extension_perms; -+ attribute $1_x_domain; -+ ') -+ -+ type $1_wm_t; -+ domain_type($1_wm_t) -+ domain_entry_file($1_wm_t,wm_exec_t) -+ role $1_r types $1_wm_t; -+ -+ domtrans_pattern($1_t, wm_exec_t, $1_wm_t) -+ -+ type $1_wm_tmpfs_t; -+# xserver_use($2, $1, $1_wm_t) -+ xserver_user_x_domain_template($1, $1_wm, $1_wm_t, $1_wm_tmpfs_t) -+ -+ files_read_etc_files($1_wm_t) -+ -+ libs_use_ld_so($1_wm_t) -+ libs_use_shared_libs($1_wm_t) -+ -+ nscd_dontaudit_search_pid($1_wm_t) -+ -+ miscfiles_read_localization($1_wm_t) -+ -+ dev_read_urand($1_wm_t) -+ -+ files_list_tmp($1_wm_t) -+ -+ allow $1_wm_t proc_t:file { read getattr }; -+ -+ allow $1_wm_t info_xproperty_t:x_property { write create }; -+ -+ allow $1_wm_t self:process getsched; -+ allow $1_wm_t self:x_drawable blend; -+ -+ allow $1_wm_t tmpfs_t:file { read write }; -+ -+ allow $1_wm_t usr_t:file { read getattr }; -+ allow $1_wm_t usr_t:lnk_file read; -+ -+ allow $1_wm_t $1_tmp_t:dir { write search setattr remove_name getattr add_name }; -+ allow $1_wm_t $1_tmp_t:sock_file { write create unlink }; -+ -+ allow $1_wm_t $1_t:unix_stream_socket connectto; -+ allow $1_wm_t self:fifo_file { write read }; -+ -+ -+ allow $1_wm_t $2_client_xevent_t:x_synthetic_event send; -+ allow $1_wm_t $2_focus_xevent_t:x_event receive; -+ allow $1_wm_t $2_input_xevent_t:x_event receive; -+ allow $1_wm_t $2_manage_xevent_t:x_event receive; -+ allow $1_wm_t $2_manage_xevent_t:x_synthetic_event { receive send }; -+ allow $1_wm_t $2_property_xevent_t:x_event receive; -+ allow $1_wm_t $2_xproperty_t:x_property { read write destroy }; -+ allow $1_wm_t $2_rootwindow_t:x_colormap { install uninstall use add_color remove_color read }; -+ allow $1_wm_t $2_rootwindow_t:x_drawable { read write manage setattr get_property hide show receive set_property create send add_child remove_child getattr list_property blend list_child destroy override }; -+ allow $1_wm_t $2_xproperty_t:x_property { write read }; -+ allow $1_wm_t $2_xserver_t:x_device { force_cursor setfocus use setattr grab manage getattr freeze write }; -+ allow $1_wm_t $2_xserver_t:x_resource { read write }; -+ allow $1_wm_t $2_xserver_t:x_screen setattr; -+ allow $1_wm_t xselection_t:x_selection setattr; -+ -+ allow $1_wm_t $2_t:x_drawable { get_property setattr show receive manage send read getattr list_child set_property }; -+ allow $1_wm_t $2_t:x_resource { read write }; -+ -+ ifdef(`enable_mls',` -+ mls_file_read_all_levels($1_wm_t) -+ mls_file_write_all_levels($1_wm_t) -+ -+ mls_xwin_read_all_levels($1_wm_t) -+ mls_xwin_write_all_levels($1_wm_t) -+ -+ mls_fd_use_all_levels($1_wm_t) -+ ') -+ -+ corecmd_exec_bin($1_wm_t) -+ can_exec($1_wm_t, { shell_exec_t }) -+ domtrans_pattern($1_wm_t,bin_t,$1_t) -+ -+ allow $1_t $1_wm_t:unix_stream_socket connectto; -+ allow $1_t $1_wm_t:x_drawable { receive get_property getattr list_child }; -+ -+ allow $1_t $1_wm_t:process signal; -+ -+ optional_policy(` -+ dbus_system_bus_client_template($1_wm,$1_wm_t) -+ dbus_user_bus_client_template($1,$1_wm,$1_wm_t) -+ ') -+ -+ allow $1_wm_t $1_home_t:dir { search getattr }; -+ allow $1_wm_t $1_tty_device_t:chr_file { write read }; -+ allow $1_wm_t $1_xproperty_t:x_property { read write destroy }; -+ allow $1_wm_t default_t:dir search; -+ allow $1_wm_t home_root_t:dir search; -+ allow $1_wm_t $1_home_dir_t:dir search; -+ allow $1_wm_t $2_xserver_tmp_t:dir search; -+ allow $1_wm_t $2_xserver_tmp_t:lnk_file read; -+ allow $1_wm_t $1_home_dir_t:dir search_dir_perms; -+ manage_files_pattern($1_wm_t,$1_tmp_t,$1_tmp_t) -+ allow $1_wm_t $2_home_t:file { write read getattr }; -+ allow $1_wm_t $2_xserver_t:unix_stream_socket connectto; -+ allow $1_wm_t $2_xserver_tmp_t:sock_file write; -+ manage_lnk_files_pattern($1_wm_t, $2_xserver_tmp_t, $2_xserver_tmp_t) -+ allow $1_wm_t security_xext_t:x_extension { query use }; -+') -+ -+######################################## -+## -+## Execute the wm program in the wm domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`wm_exec',` -+ gen_require(` -+ type wm_exec_t; -+ ') -+ -+ can_exec($1, wm_exec_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.5.13/policy/modules/apps/wm.te ---- nsaserefpolicy/policy/modules/apps/wm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/wm.te 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,10 @@ -+policy_module(wm,0.0.4) -+ -+######################################## -+# -+# Declarations -+# -+ -+type wm_exec_t; -+ -+wm_domain_template(user,xdm) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc ---- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -129,6 +129,8 @@ - /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) - ') - -+/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -+ - # - # /usr - # -@@ -184,10 +186,8 @@ - /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) - - /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) --/usr/local/Brother(/.*)?/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/local/Brother(/.*)?/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) - - /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -292,3 +292,14 @@ - ifdef(`distro_suse',` - /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) - ') -+/usr/lib(64)?/nspluginwrapper/npconfig gen_context(system_u:object_r:bin_t,s0) -+/usr/lib(64)?/nspluginwrapper/npviewer gen_context(system_u:object_r:bin_t,s0) -+ -+/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/etc/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -+ -+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) -+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) -+ -+/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.5.13/policy/modules/kernel/corecommands.if ---- nsaserefpolicy/policy/modules/kernel/corecommands.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.if 2008-10-28 10:56:19.000000000 -0400 -@@ -894,6 +894,7 @@ - - read_lnk_files_pattern($1, bin_t, bin_t) - can_exec($1, chroot_exec_t) -+ allow $1 self:capability sys_chroot; - ') - - ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in 2008-10-29 11:09:14.000000000 -0400 -@@ -1441,10 +1441,11 @@ - # - interface(`corenet_tcp_bind_all_unreserved_ports',` - gen_require(` -- attribute port_type, reserved_port_type; -+ attribute port_type; -+ type hi_reserved_port_t, reserved_port_t; - ') - -- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind; -+ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:tcp_socket name_bind; - ') - - ######################################## -@@ -1459,10 +1460,11 @@ - # - interface(`corenet_udp_bind_all_unreserved_ports',` - gen_require(` -- attribute port_type, reserved_port_type; -+ attribute port_type; -+ type hi_reserved_port_t, reserved_port_t; - ') - -- allow $1 { port_type -reserved_port_type }:udp_socket name_bind; -+ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:udp_socket name_bind; - ') - - ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-14 11:58:07.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-11-04 09:01:51.000000000 -0500 -@@ -79,11 +79,13 @@ - network_port(auth, tcp,113,s0) - network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) - type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict -+network_port(certmaster, tcp,51235,s0) - network_port(clamd, tcp,3310,s0) - network_port(clockspeed, udp,4041,s0) - network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) - network_port(comsat, udp,512,s0) - network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0) -+portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0) - network_port(cvs, tcp,2401,s0, udp,2401,s0) - network_port(dcc, udp,6276,s0, udp,6277,s0) - network_port(dbskkd, tcp,1178,s0) -@@ -93,6 +95,7 @@ - network_port(distccd, tcp,3632,s0) - network_port(dns, udp,53,s0, tcp,53,s0) - network_port(fingerd, tcp,79,s0) -+network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) - network_port(ftp_data, tcp,20,s0) - network_port(ftp, tcp,21,s0) - network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -117,6 +120,8 @@ - network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) - network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) - network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) -+network_port(kismet, tcp,2501,s0) -+network_port(kprop, tcp,754,s0) - network_port(ktalkd, udp,517,s0, udp,518,s0) - network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) - type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon -@@ -126,6 +131,7 @@ - network_port(mmcc, tcp,5050,s0, udp,5050,s0) - network_port(monopd, tcp,1234,s0) - network_port(msnp, tcp,1863,s0, udp,1863,s0) -+network_port(munin, tcp,4949,s0, udp,4949,s0) - network_port(mysqld, tcp,1186,s0, tcp,3306,s0) - portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) - network_port(nessus, tcp,1241,s0) -@@ -137,11 +143,13 @@ - network_port(pegasus_http, tcp,5988,s0) - network_port(pegasus_https, tcp,5989,s0) - network_port(postfix_policyd, tcp,10031,s0) -+network_port(pulseaudio, tcp,4713,s0) - network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) - network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) - network_port(portmap, udp,111,s0, tcp,111,s0) - network_port(postgresql, tcp,5432,s0) - network_port(postgrey, tcp,60000,s0) -+network_port(prelude, tcp,4690,s0, udp,4690,s0) - network_port(printer, tcp,515,s0) - network_port(ptal, tcp,5703,s0) - network_port(pxe, udp,4011,s0) -@@ -159,9 +167,10 @@ - network_port(rwho, udp,513,s0) - network_port(smbd, tcp,137-139,s0, tcp,445,s0) - network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) --network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) -+network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0) - network_port(spamd, tcp,783,s0) - network_port(ssh, tcp,22,s0) -+network_port(streaming, tcp, 1755, s0, udp, 1755, s0) - network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) - type socks_port_t, port_type; dnl network_port(socks) # no defined portcon - type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict -@@ -170,13 +179,16 @@ - network_port(syslogd, udp,514,s0) - network_port(telnetd, tcp,23,s0) - network_port(tftp, udp,69,s0) --network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0) -+network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) - network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0) - network_port(transproxy, tcp,8081,s0) - type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon - network_port(uucpd, tcp,540,s0) -+network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) - network_port(vnc, tcp,5900,s0) - network_port(wccp, udp,2048,s0) -+# Reserve 100 ports for vnc/virt machines -+portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t,s0) - network_port(whois, tcp,43,s0, udp,43,s0) - network_port(xdmcp, udp,177,s0, tcp,177,s0) - network_port(xen, tcp,8002,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.5.13/policy/modules/kernel/devices.fc ---- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-10-08 21:42:58.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/devices.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,7 +1,7 @@ - - /dev -d gen_context(system_u:object_r:device_t,s0) - /dev/.* gen_context(system_u:object_r:device_t,s0) -- -+/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -12,42 +12,59 @@ - /dev/apm_bios -c gen_context(system_u:object_r:apm_bios_t,s0) - /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) -+/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) - /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) -+/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -+/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -+/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0) -+/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0) - /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) - /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) - /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0) - /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) - /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) - /dev/full -c gen_context(system_u:object_r:null_device_t,s0) -+/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0) - /dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0) -+/dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) - /dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0) - /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) - /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) - /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) - /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0) -+/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) -+/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) - /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) -+/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) - /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) -+/dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0) -+/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0) - /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) - /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) - /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) -+/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) - /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0) - /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) - /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) -+/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) -+/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0) - /dev/null -c gen_context(system_u:object_r:null_device_t,s0) - /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) - /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) -+/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) - /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) -@@ -69,14 +86,14 @@ - /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) - /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) - /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) --/dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) --/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0) --/dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) -+/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) -+/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) - /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) - ifdef(`distro_suse', ` - /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) - ') - /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) -+/dev/vboxadd.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) - /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) - /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -91,6 +108,7 @@ - - /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) - -+/dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) - /dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0) - /dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0) - -@@ -98,13 +116,23 @@ - - /dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0) - -+/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/input/keyboard.* -c gen_context(system_u:object_r:event_device_t,s0) - /dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0) - /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0) -+/dev/pc110pad -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0) -+/dev/bometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0) - - /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) -+/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -+/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - - /dev/pts(/.*)? <> - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.13/policy/modules/kernel/devices.if ---- nsaserefpolicy/policy/modules/kernel/devices.if 2008-10-08 21:42:58.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/devices.if 2008-10-28 10:56:19.000000000 -0400 -@@ -65,7 +65,7 @@ - - relabelfrom_dirs_pattern($1, device_t, device_node) - relabelfrom_files_pattern($1, device_t, device_node) -- relabelfrom_lnk_files_pattern($1, device_t, device_node) -+ relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) - relabelfrom_fifo_files_pattern($1, device_t, device_node) - relabelfrom_sock_files_pattern($1, device_t, device_node) - relabel_blk_files_pattern($1,device_t,{ device_t device_node }) -@@ -167,6 +167,25 @@ - - ######################################## - ## -+## Manage of directories in /dev. -+## -+## -+## -+## Domain allowed to relabel. -+## -+## -+# -+interface(`dev_manage_generic_dirs',` -+ gen_require(` -+ type device_t; -+ ') -+ -+ manage_dirs_pattern($1, device_t, device_t) -+') -+ -+ -+######################################## -+## - ## Delete a directory in the device directory. - ## - ## -@@ -667,6 +686,7 @@ - ') - - dontaudit $1 device_node:blk_file getattr; -+ dev_dontaudit_getattr_generic_blk_files($1) - ') - - ######################################## -@@ -704,6 +724,7 @@ - ') - - dontaudit $1 device_node:chr_file getattr; -+ dev_dontaudit_getattr_generic_chr_files($1) - ') - - ######################################## -@@ -1160,6 +1181,25 @@ - - ######################################## - ## -+## Set the attributes of the CPU -+## microcode and id interfaces. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_setattr_cpu_dev',` -+ gen_require(` -+ type device_t, cpu_device_t; -+ ') -+ -+ setattr_chr_files_pattern($1, device_t, cpu_device_t) -+') -+ -+######################################## -+## - ## Read the CPU identity. - ## - ## -@@ -1958,6 +1998,42 @@ - - ######################################## - ## -+## Get the attributes of the null device nodes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_getattr_null_dev',` -+ gen_require(` -+ type device_t, null_device_t; -+ ') -+ -+ getattr_chr_files_pattern($1, device_t, null_device_t) -+') -+ -+######################################## -+## -+## Set the attributes of the null device nodes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_setattr_null_dev',` -+ gen_require(` -+ type device_t, null_device_t; -+ ') -+ -+ setattr_chr_files_pattern($1, device_t, null_device_t) -+') -+ -+######################################## -+## - ## Read and write to the null device (/dev/null). - ## - ## -@@ -2769,6 +2845,24 @@ - - ######################################## - ## -+## Read generic the USB devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_read_generic_usb_dev',` -+ gen_require(` -+ type usb_device_t; -+ ') -+ -+ read_chr_files_pattern($1, device_t, usb_device_t) -+') -+ -+######################################## -+## - ## Read and write generic the USB devices. - ## - ## -@@ -2787,6 +2881,97 @@ - - ######################################## - ## -+## Read and write generic the USB fifo files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_generic_usb_pipes',` -+ gen_require(` -+ type usb_device_t; -+ ') -+ -+ allow $1 device_t:dir search_dir_perms; -+ allow $1 usb_device_t:fifo_file rw_fifo_file_perms; -+') -+ -+######################################## -+## -+## Get the attributes of the kvm devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_getattr_kvm_dev',` -+ gen_require(` -+ type device_t, kvm_device_t; -+ ') -+ -+ getattr_chr_files_pattern($1, device_t, kvm_device_t) -+') -+ -+######################################## -+## -+## Set the attributes of the kvm devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_setattr_kvm_dev',` -+ gen_require(` -+ type device_t, kvm_device_t; -+ ') -+ -+ setattr_chr_files_pattern($1, device_t, kvm_device_t) -+') -+ -+######################################## -+## -+## Read the kvm devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_read_kvm',` -+ gen_require(` -+ type device_t, kvm_device_t; -+ ') -+ -+ read_chr_files_pattern($1, device_t, kvm_device_t) -+') -+ -+######################################## -+## -+## Read and write to kvm devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_kvm',` -+ gen_require(` -+ type device_t, kvm_device_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, kvm_device_t) -+') -+ -+######################################## -+## - ## Mount a usbfs filesystem. - ## - ## -@@ -3322,3 +3507,223 @@ - - typeattribute $1 devices_unconfined_type; - ') -+ -+######################################## -+## -+## Get the attributes of the autofs device node. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_getattr_autofs_dev',` -+ gen_require(` -+ type device_t, autofs_device_t; -+ ') -+ -+ getattr_chr_files_pattern($1, device_t, autofs_device_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to get the attributes of -+## the autofs device node. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_getattr_autofs_dev',` -+ gen_require(` -+ type autofs_device_t; -+ ') -+ -+ dontaudit $1 autofs_device_t:chr_file getattr; -+') -+ -+######################################## -+## -+## Set the attributes of the autofs device node. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_setattr_autofs_dev',` -+ gen_require(` -+ type device_t, autofs_device_t; -+ ') -+ -+ setattr_chr_files_pattern($1, device_t, autofs_device_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to set the attributes of -+## the autofs device node. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_setattr_autofs_dev',` -+ gen_require(` -+ type autofs_device_t; -+ ') -+ -+ dontaudit $1 autofs_device_t:chr_file setattr; -+') -+ -+######################################## -+## -+## Read and write the autofs device. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_autofs',` -+ gen_require(` -+ type device_t, autofs_device_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, autofs_device_t) -+') -+ -+######################################## -+## -+## Get the attributes of the network control device -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_getattr_netcontrol',` -+ gen_require(` -+ type device_t, netcontrol_device_t; -+ ') -+ -+ getattr_chr_files_pattern($1, device_t, netcontrol_device_t) -+') -+ -+######################################## -+## -+## Read the network control identity. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_read_netcontrol',` -+ gen_require(` -+ type device_t, netcontrol_device_t; -+ ') -+ -+ read_chr_files_pattern($1, device_t, netcontrol_device_t) -+') -+ -+######################################## -+## -+## Read and write the the network control device. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_netcontrol',` -+ gen_require(` -+ type device_t, netcontrol_device_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, netcontrol_device_t) -+') -+ -+######################################## -+## -+## Get the attributes of the QEMU -+## microcode and id interfaces. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_getattr_qemu',` -+ gen_require(` -+ type device_t, qemu_device_t; -+ ') -+ -+ getattr_chr_files_pattern($1, device_t, qemu_device_t) -+') -+ -+######################################## -+## -+## Set the attributes of the QEMU -+## microcode and id interfaces. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_setattr_qemu',` -+ gen_require(` -+ type device_t, qemu_device_t; -+ ') -+ -+ setattr_chr_files_pattern($1, device_t, qemu_device_t) -+') -+ -+######################################## -+## -+## Read the QEMU device -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_read_qemu',` -+ gen_require(` -+ type device_t, qemu_device_t; -+ ') -+ -+ read_chr_files_pattern($1, device_t, qemu_device_t) -+') -+ -+######################################## -+## -+## Read and write the the QEMU device. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_qemu',` -+ gen_require(` -+ type device_t, qemu_device_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, qemu_device_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.5.13/policy/modules/kernel/devices.te ---- nsaserefpolicy/policy/modules/kernel/devices.te 2008-10-08 21:42:58.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/devices.te 2008-10-28 10:56:19.000000000 -0400 -@@ -32,6 +32,12 @@ - type apm_bios_t; - dev_node(apm_bios_t) - -+# -+# Type for /dev/autofs -+# -+type autofs_device_t; -+dev_node(autofs_device_t) -+ - type cardmgr_dev_t; - dev_node(cardmgr_dev_t) - files_tmp_file(cardmgr_dev_t) -@@ -49,6 +55,12 @@ - type cpu_device_t; - dev_node(cpu_device_t) - -+# -+# network control devices -+# -+type netcontrol_device_t; -+dev_node(netcontrol_device_t) -+ - # for the IBM zSeries z90crypt hardware ssl accelorator - type crypt_device_t; - dev_node(crypt_device_t) -@@ -66,12 +78,25 @@ - dev_node(framebuf_device_t) - - # -+# Type for /dev/ipmi/0 -+# -+type ipmi_device_t; -+dev_node(ipmi_device_t) -+ -+# - # Type for /dev/kmsg - # - type kmsg_device_t; - dev_node(kmsg_device_t) - - # -+# kvm_device_t is the type of -+# /dev/kvm -+# -+type kvm_device_t; -+dev_node(kvm_device_t) -+ -+# - # Type for /dev/mapper/control - # - type lvm_control_t; -@@ -118,6 +143,12 @@ - dev_node(nvram_device_t) - - # -+# qemu control devices -+# -+type qemu_device_t; -+dev_node(qemu_device_t) -+ -+# - # Type for /dev/pmu - # - type power_device_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.5.13/policy/modules/kernel/domain.if ---- nsaserefpolicy/policy/modules/kernel/domain.if 2008-10-16 17:21:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/domain.if 2008-10-28 10:56:19.000000000 -0400 -@@ -1247,18 +1247,34 @@ - ## - ## - # --interface(`domain_mmap_low',` -+interface(`domain_mmap_low_type',` - gen_require(` - attribute mmap_low_domain_type; - ') - -- allow $1 self:memprotect mmap_zero; -- - typeattribute $1 mmap_low_domain_type; - ') - - ######################################## - ## -+## Ability to mmap a low area of the address space, -+## as configured by /proc/sys/kernel/mmap_min_addr. -+## Preventing such mappings helps protect against -+## exploiting null deref bugs in the kernel. -+## -+## -+## -+## Domain allowed to mmap low memory. -+## -+## -+# -+interface(`domain_mmap_low',` -+ -+ allow $1 self:memprotect mmap_zero; -+') -+ -+######################################## -+## - ## Allow specified type to receive labeled - ## networking packets from all domains, over - ## all protocols (TCP, UDP, etc) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.13/policy/modules/kernel/domain.te ---- nsaserefpolicy/policy/modules/kernel/domain.te 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-10-28 10:56:19.000000000 -0400 -@@ -5,6 +5,13 @@ - # - # Declarations - # -+## -+##

-+## Allow all domains to use other domains file descriptors -+##

-+## -+# -+gen_tunable(allow_domain_fd_use, true) - - # Mark process types as domains - attribute domain; -@@ -80,11 +87,14 @@ - allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; - allow domain self:file rw_file_perms; - kernel_read_proc_symlinks(domain) -+kernel_read_crypto_sysctls(domain) -+ - # Every domain gets the key ring, so we should default - # to no one allowed to look at it; afs kernel support creates - # a keyring - kernel_dontaudit_search_key(domain) - kernel_dontaudit_link_key(domain) -+userdom_dontaudit_search_all_users_keys(domain) - - # create child processes in the domain - allow domain self:process { fork sigchld }; -@@ -113,6 +123,7 @@ - optional_policy(` - xserver_dontaudit_use_xdm_fds(domain) - xserver_dontaudit_rw_xdm_pipes(domain) -+ xserver_dontaudit_rw_xdm_home_files(domain) - ') - - ######################################## -@@ -131,6 +142,9 @@ - allow unconfined_domain_type domain:fd use; - allow unconfined_domain_type domain:fifo_file rw_file_perms; - -+allow unconfined_domain_type domain:dbus send_msg; -+allow domain unconfined_domain_type:dbus send_msg; -+ - # Act upon any other process. - allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; - -@@ -140,7 +154,7 @@ - - # For /proc/pid - allow unconfined_domain_type domain:dir list_dir_perms; --allow unconfined_domain_type domain:file read_file_perms; -+allow unconfined_domain_type domain:file rw_file_perms; - allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; - - # act on all domains keys -@@ -148,3 +162,39 @@ - - # receive from all domains over labeled networking - domain_all_recvfrom_all_domains(unconfined_domain_type) -+ -+tunable_policy(`allow_domain_fd_use',` -+ # Allow all domains to use fds past to them -+ allow domain domain:fd use; -+') -+ -+optional_policy(` -+ cron_dontaudit_write_system_job_tmp_files(domain) -+ cron_rw_pipes(domain) -+ifdef(`hide_broken_symptoms',` -+ cron_dontaudit_rw_tcp_sockets(domain) -+ allow domain domain:key search; -+') -+') -+ -+ifdef(`hide_broken_symptoms',` -+ dbus_dontaudit_system_bus_rw_tcp_sockets(domain) -+') -+ -+optional_policy(` -+ rpm_rw_pipes(domain) -+ rpm_dontaudit_use_script_fds(domain) -+ rpm_dontaudit_write_pid_files(domain) -+') -+ -+optional_policy(` -+ rhgb_dontaudit_use_ptys(domain) -+') -+ -+optional_policy(` -+ unconfined_dontaudit_rw_pipes(domain) -+ unconfined_sigchld(domain) -+') -+ -+# broken kernel -+dontaudit can_change_object_identity can_change_object_identity:key link; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.5.13/policy/modules/kernel/files.fc ---- nsaserefpolicy/policy/modules/kernel/files.fc 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/files.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -32,6 +32,7 @@ - /boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) - /boot/lost\+found/.* <> - /boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) -+/boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) - - # - # /emul -@@ -49,6 +50,7 @@ - /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) -+/etc/hosts.deny -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/issue -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.13/policy/modules/kernel/files.if ---- nsaserefpolicy/policy/modules/kernel/files.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/files.if 2008-10-29 12:09:50.000000000 -0400 -@@ -110,6 +110,11 @@ - ## - # - interface(`files_config_file',` -+ gen_require(` -+ attribute etcfile; -+ ') -+ -+ typeattribute $1 etcfile; - files_type($1) - ') - -@@ -1060,6 +1065,24 @@ - ## - ## - # -+interface(`files_relabel_all_file_type_fs',` -+ gen_require(` -+ attribute file_type; -+ ') -+ -+ allow $1 file_type:filesystem { relabelfrom relabelto }; -+') -+ -+######################################## -+## -+## Relabel a filesystem to the type of a file. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# - interface(`files_relabelto_all_file_type_fs',` - gen_require(` - attribute file_type; -@@ -1303,6 +1326,24 @@ - - ######################################## - ## -+## Remove entries from the tmp directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_tmp_dir_entry',` -+ gen_require(` -+ type root_t; -+ ') -+ -+ allow $1 tmp_t:dir del_entry_dir_perms; -+') -+ -+######################################## -+## - ## Unmount a rootfs filesystem. - ## - ## -@@ -1889,6 +1930,26 @@ - - ######################################## - ## -+## Read config files in /etc. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_config_files',` -+ gen_require(` -+ attribute etcfile; -+ ') -+ -+ allow $1 etcfile:dir list_dir_perms; -+ read_files_pattern($1, etcfile, etcfile) -+ read_lnk_files_pattern($1, etcfile, etcfile) -+') -+ -+######################################## -+## - ## Do not audit attempts to write generic files in /etc. - ## - ## -@@ -2224,6 +2285,49 @@ - - ######################################## - ## -+## Delete directories on new filesystems -+## that have not yet been labeled. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_isid_type_dirs',` -+ gen_require(` -+ type file_t; -+ ') -+ -+ delete_dirs_pattern($1, file_t, file_t) -+') -+ -+######################################## -+## -+## Delete files on new filesystems -+## that have not yet been labeled. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_isid_type_files',` -+ gen_require(` -+ type file_t; -+ ') -+ -+ delete_files_pattern($1, file_t, file_t) -+ delete_lnk_files_pattern($1, file_t, file_t) -+ delete_fifo_files_pattern($1, file_t, file_t) -+ delete_sock_files_pattern($1, file_t, file_t) -+ delete_blk_files_pattern($1, file_t, file_t) -+ delete_chr_files_pattern($1, file_t, file_t) -+') -+ -+######################################## -+## - ## Do not audit attempts to search directories on new filesystems - ## that have not yet been labeled. - ## -@@ -2744,6 +2848,24 @@ - - ######################################## - ## -+## read files in /mnt. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_mnt_files',` -+ gen_require(` -+ type mnt_t; -+ ') -+ -+ read_files_pattern($1, mnt_t, mnt_t) -+') -+ -+######################################## -+## - ## Create, read, write, and delete symbolic links in /mnt. - ## - ## -@@ -3394,6 +3516,8 @@ - delete_lnk_files_pattern($1, tmpfile, tmpfile) - delete_fifo_files_pattern($1, tmpfile, tmpfile) - delete_sock_files_pattern($1, tmpfile, tmpfile) -+ files_delete_isid_type_dirs($1) -+ files_delete_isid_type_files($1) - ') - - ######################################## -@@ -3471,6 +3595,47 @@ - - ######################################## - ## -+## Delete generic directories in /usr in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_usr_dirs',` -+ gen_require(` -+ type usr_t; -+ ') -+ -+ delete_dirs_pattern($1, usr_t, usr_t) -+') -+ -+######################################## -+## -+## Delete generic files in /usr in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_usr_files',` -+ gen_require(` -+ type usr_t; -+ ') -+ -+ delete_files_pattern($1, usr_t, usr_t) -+ delete_lnk_files_pattern($1, usr_t, usr_t) -+ delete_fifo_files_pattern($1, usr_t, usr_t) -+ delete_sock_files_pattern($1, usr_t, usr_t) -+ delete_blk_files_pattern($1, usr_t, usr_t) -+ delete_chr_files_pattern($1, usr_t, usr_t) -+') -+ -+######################################## -+## - ## Get the attributes of files in /usr. - ## - ## -@@ -3547,6 +3712,24 @@ - - ######################################## - ## -+## dontaudit write of /usr files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_dontaudit_write_usr_files',` -+ gen_require(` -+ type usr_t; -+ ') -+ -+ dontaudit $1 usr_t:file write; -+') -+ -+######################################## -+## - ## Relabel a file to the type used in /usr. - ## - ## -@@ -4433,6 +4616,25 @@ - - ######################################## - ## -+## Read generic process ID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_generic_pids',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ list_dirs_pattern($1,var_t,var_run_t) -+ read_files_pattern($1, var_run_t, var_run_t) -+') -+ -+######################################## -+## - ## Read and write generic process ID files. - ## - ## -@@ -4761,12 +4963,14 @@ - allow $1 poly_t:dir { create mounton }; - fs_unmount_xattr_fs($1) - -+ fs_mount_tmpfs($1) -+ fs_unmount_tmpfs($1) -+ - ifdef(`distro_redhat',` - # namespace.init - files_search_home($1) - corecmd_exec_bin($1) - seutil_domtrans_setfiles($1) -- mount_domtrans($1) - ') - ') - -@@ -4787,3 +4991,71 @@ - - typeattribute $1 files_unconfined_type; - ') -+ -+######################################## -+## -+## Create a core files in / -+## -+## -+##

-+## Create a core file in /, -+##

-+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_dump_core',` -+ gen_require(` -+ type root_t; -+ ') -+ -+ manage_files_pattern($1, root_t, root_t) -+') -+ -+######################################## -+## -+## Create a default directory in / -+## -+## -+##

-+## Create a default_t direcrory in / -+##

-+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_create_default_dir',` -+ gen_require(` -+ type root_t, default_t; -+ ') -+ -+ allow $1 default_t:dir create; -+ filetrans_pattern($1, root_t, default_t, dir) -+') -+ -+######################################## -+## -+## manage generic symbolic links -+## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_generic_pids_symlinks',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ manage_lnk_files_pattern($1,var_run_t,var_run_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.5.13/policy/modules/kernel/files.te ---- nsaserefpolicy/policy/modules/kernel/files.te 2008-10-14 11:58:07.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/files.te 2008-10-28 10:56:19.000000000 -0400 -@@ -52,11 +52,14 @@ - # - # etc_t is the type of the system etc directories. - # --type etc_t; -+attribute etcfile; -+ -+type etc_t, etcfile; - files_type(etc_t) - # compatibility aliases for removed types: - typealias etc_t alias automount_etc_t; - typealias etc_t alias snmpd_etc_t; -+typealias etc_t alias gconf_etc_t; - - # - # etc_runtime_t is the type of various -@@ -174,6 +177,7 @@ - # - type var_run_t; - files_pid_file(var_run_t) -+files_mountpoint(var_run_t) - - # - # var_spool_t is the type of /var/spool -@@ -197,10 +201,7 @@ - # - # Rules for all tmp file types - # -- --allow tmpfile tmp_t:filesystem associate; -- --fs_associate_tmpfs(tmpfile) -+allow file_type tmp_t:filesystem associate; - - ######################################## - # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.5.13/policy/modules/kernel/filesystem.if ---- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if 2008-10-29 08:25:22.000000000 -0400 -@@ -535,6 +535,24 @@ - - ######################################## - ## -+## Mounton a CIFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_mounton_cifs',` -+ gen_require(` -+ type cifs_t; -+ ') -+ -+ allow $1 cifs_t:dir mounton; -+') -+ -+######################################## -+## - ## Remount a CIFS or SMB network filesystem. - ## This allows some mount options to be changed. - ## -@@ -737,6 +755,7 @@ - attribute noxattrfs; - ') - -+ list_dirs_pattern($1, noxattrfs, noxattrfs) - read_files_pattern($1, noxattrfs, noxattrfs) - ') - -@@ -779,6 +798,25 @@ - ######################################## - ## - ## Do not audit attempts to read -+## dirs on a CIFS or SMB filesystem. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_list_cifs_dirs',` -+ gen_require(` -+ type cifs_t; -+ ') -+ -+ dontaudit $1 cifs_t:dir list_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read - ## files on a CIFS or SMB filesystem. - ## - ## -@@ -955,6 +993,46 @@ - - ######################################## - ## -+## Append files -+## on a CIFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_append_cifs_files',` -+ gen_require(` -+ type cifs_t; -+ ') -+ -+ append_files_pattern($1, cifs_t, cifs_t) -+') -+ -+######################################## -+## -+## dontaudit Append files -+## on a CIFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_dontaudit_append_cifs_files',` -+ gen_require(` -+ type cifs_t; -+ ') -+ -+ dontaudit $1 cifs_t:file append; -+') -+ -+######################################## -+## - ## Do not audit attempts to create, read, - ## write, and delete files - ## on a CIFS or SMB network filesystem. -@@ -1209,6 +1287,25 @@ - - ######################################## - ## -+## Create, read, write, and delete dirs -+## on a DOS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_manage_dos_dirs',` -+ gen_require(` -+ type dosfs_t; -+ ') -+ -+ manage_dirs_pattern($1, dosfs_t, dosfs_t) -+') -+ -+######################################## -+## - ## Create, read, write, and delete files - ## on a DOS filesystem. - ## -@@ -1228,6 +1325,26 @@ - - ######################################## - ## -+## Read and write files on hugetlbfs files -+## file systems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_rw_hugetlbfs_files',` -+ gen_require(` -+ type hugetlbfs_t; -+ -+ ') -+ -+ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) -+') -+ -+######################################## -+## - ## Read eventpollfs files. - ## - ## -@@ -1287,24 +1404,6 @@ - - ######################################## - ## --## Read and write hugetlbfs files. --## --## --## --## Domain allowed access. --## --## --# --interface(`fs_rw_hugetlbfs_files',` -- gen_require(` -- type hugetlbfs_t; -- ') -- -- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) --') -- --######################################## --## - ## Search inotifyfs filesystem. - ## - ## -@@ -1478,6 +1577,24 @@ - - ######################################## - ## -+## Mounton a NFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_mounton_nfs',` -+ gen_require(` -+ type nfs_t; -+ ') -+ -+ allow $1 nfs_t:dir mounton; -+') -+ -+######################################## -+## - ## Remount a NFS filesystem. This allows - ## some mount options to be changed. - ## -@@ -1681,7 +1798,7 @@ - type nfs_t; - ') - -- dontaudit $1 nfs_t:file { read write }; -+ dontaudit $1 nfs_t:file rw_file_perms; - ') - - ######################################## -@@ -2002,6 +2119,47 @@ - - ######################################## - ## -+## Append files -+## on a NFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_append_nfs_files',` -+ gen_require(` -+ type nfs_t; -+ ') -+ -+ append_files_pattern($1, nfs_t, nfs_t) -+') -+ -+######################################## -+## -+## dontaudit Append files -+## on a NFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_dontaudit_append_nfs_files',` -+ gen_require(` -+ type nfs_t; -+ ') -+ -+ dontaudit $1 nfs_t:file append; -+') -+ -+ -+######################################## -+## - ## Do not audit attempts to create, - ## read, write, and delete files - ## on a NFS filesystem. -@@ -2996,6 +3154,7 @@ - type tmpfs_t; - ') - -+ dontaudit $1 tmpfs_t:dir rw_dir_perms; - dontaudit $1 tmpfs_t:file rw_file_perms; - ') - -@@ -3132,6 +3291,25 @@ - - ######################################## - ## -+## Read and write block nodes on removable filesystems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_rw_removable_blk_files',` -+ gen_require(` -+ type removable_t; -+ ') -+ -+ allow $1 removable_t:dir list_dir_perms; -+ rw_blk_files_pattern($1, removable_t, removable_t) -+') -+ -+######################################## -+## - ## Relabel block nodes on tmpfs filesystems. - ## - ## -@@ -3317,6 +3495,7 @@ - ') - - allow $1 filesystem_type:filesystem getattr; -+ files_getattr_all_file_type_fs($1) - ') - - ######################################## -@@ -3644,3 +3823,142 @@ - relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) - relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) - ') -+ -+######################################## -+## -+## Search directories -+## on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_search_fusefs_dirs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Create, read, write, and delete directories -+## on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_manage_fusefs_dirs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:dir manage_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to create, read, -+## write, and delete directories -+## on a FUSEFS filesystem. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_manage_fusefs_dirs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ dontaudit $1 fusefs_t:dir manage_dir_perms; -+') -+ -+######################################## -+## -+## Create, read, write, and delete files -+## on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_manage_fusefs_files',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ manage_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+######################################## -+## -+## Read, a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_read_fusefs_files',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ read_files_pattern($1,fusefs_t,fusefs_t) -+') -+ -+######################################## -+## -+## Read symbolic links on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_read_fusefs_symlinks',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:dir list_dir_perms; -+ read_lnk_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+ -+######################################## -+## -+## Do not audit attempts to create, -+## read, write, and delete files -+## on a FUSEFS filesystem. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_manage_fusefs_files',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ dontaudit $1 fusefs_t:file manage_file_perms; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.13/policy/modules/kernel/filesystem.te ---- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-10-14 11:58:07.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2008-10-28 10:56:19.000000000 -0400 -@@ -21,7 +21,6 @@ - - # Use xattrs for the following filesystem types. - # Requires that a security xattr handler exist for the filesystem. --fs_use_xattr ecryptfs gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0); -@@ -76,6 +75,11 @@ - allow cpusetfs_t self:filesystem associate; - genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0) - -+type ecryptfs_t; -+fs_noxattr_type(ecryptfs_t) -+files_mountpoint(ecryptfs_t) -+genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) -+ - type eventpollfs_t; - fs_type(eventpollfs_t) - # change to task SID 20060628 -@@ -141,6 +145,8 @@ - fs_noxattr_type(vmblock_t) - files_mountpoint(vmblock_t) - genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0) -+genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0) -+genfscon vmhgfs / gen_context(system_u:object_r:vmblock_t,s0) - - type vxfs_t; - fs_noxattr_type(vxfs_t) -@@ -241,6 +247,7 @@ - genfscon lustre / gen_context(system_u:object_r:nfs_t,s0) - genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) - genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) -+genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) - - ######################################## - # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.13/policy/modules/kernel/kernel.if ---- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-10-28 10:56:19.000000000 -0400 -@@ -1198,6 +1198,7 @@ - ') - - dontaudit $1 proc_type:dir list_dir_perms; -+ dontaudit $1 proc_type:file getattr; - ') - - ######################################## -@@ -1234,9 +1235,11 @@ - interface(`kernel_read_sysctl',` - gen_require(` - type sysctl_t; -+ type proc_t; - ') - - list_dirs_pattern($1, proc_t, sysctl_t) -+ read_files_pattern($1, sysctl_t, sysctl_t) - ') - - ######################################## -@@ -1569,6 +1572,26 @@ - - ######################################## - ## -+## Read generic crypto sysctls. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`kernel_read_crypto_sysctls',` -+ gen_require(` -+ type proc_t, sysctl_t, sysctl_crypto_t; -+ ') -+ -+ read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t) -+ -+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t) -+') -+ -+######################################## -+## - ## Read generic kernel sysctls. - ## - ## -@@ -1768,6 +1791,7 @@ - ') - - dontaudit $1 sysctl_type:dir list_dir_perms; -+ dontaudit $1 sysctl_type:file read_file_perms; - ') - - ######################################## -@@ -2582,6 +2606,24 @@ - - ######################################## - ## -+## Relabel to unlabeled context . -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`kernel_relabelto_unlabeled',` -+ gen_require(` -+ type unlabeled_t; -+ ') -+ -+ allow $1 unlabeled_t:dir_file_class_set relabelto; -+') -+ -+######################################## -+## - ## Unconfined access to kernel module resources. - ## - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.5.13/policy/modules/kernel/kernel.te ---- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.te 2008-10-28 10:56:19.000000000 -0400 -@@ -63,6 +63,15 @@ - genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) - - # -+# infinibandeventfs fs -+# -+ -+type infinibandeventfs_t; -+fs_type(infinibandeventfs_t) -+allow infinibandeventfs_t self:filesystem associate; -+genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0) -+ -+# - # kvmFS - # - -@@ -120,6 +129,10 @@ - type sysctl_rpc_t, sysctl_type; - genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) - -+# /proc/sys/crypto directory and files -+type sysctl_crypto_t, sysctl_type; -+genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0) -+ - # /proc/sys/fs directory and files - type sysctl_fs_t, sysctl_type; - files_mountpoint(sysctl_fs_t) -@@ -160,6 +173,7 @@ - # - type unlabeled_t; - sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -+fs_associate(unlabeled_t) - - # These initial sids are no longer used, and can be removed: - sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -274,6 +288,8 @@ - fs_rw_tmpfs_chr_files(kernel_t) - ') - -+unprivuser_home_dir_filetrans_home_content(kernel_t, { file dir }) -+ - tunable_policy(`read_default_t',` - files_list_default(kernel_t) - files_read_default_files(kernel_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.5.13/policy/modules/kernel/selinux.if ---- nsaserefpolicy/policy/modules/kernel/selinux.if 2008-10-10 15:53:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/selinux.if 2008-10-28 10:56:19.000000000 -0400 -@@ -164,6 +164,7 @@ - type security_t; - ') - -+ selinux_dontaudit_getattr_fs($1) - dontaudit $1 security_t:dir search_dir_perms; - dontaudit $1 security_t:file { getattr read }; - ') -@@ -185,6 +186,7 @@ - type security_t; - ') - -+ selinux_get_fs_mount($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file { getattr read }; - ') -@@ -265,6 +267,34 @@ - - ######################################## - ## -+## Allow caller to read the state of Booleans -+## -+## -+##

-+## Allow caller read the state of Booleans -+##

-+## -+## -+## -+## The process type allowed to set the Boolean. -+## -+## -+## -+# -+interface(`selinux_get_boolean',` -+ gen_require(` -+ type security_t; -+ attribute booleans_type; -+ bool secure_mode_policyload; -+ ') -+ -+ allow $1 security_t:dir list_dir_perms; -+ allow $1 booleans_type:dir list_dir_perms; -+ allow $1 booleans_type:file read_file_perms; -+') -+ -+######################################## -+## - ## Allow caller to set the state of Booleans to - ## enable or disable conditional portions of the policy. - ## -@@ -288,11 +318,13 @@ - interface(`selinux_set_boolean',` - gen_require(` - type security_t; -+ attribute booleans_type; - bool secure_mode_policyload; - ') - - allow $1 security_t:dir list_dir_perms; -- allow $1 security_t:file { getattr read write }; -+ allow $1 booleans_type:dir list_dir_perms; -+ allow $1 booleans_type:file { getattr read write }; - - if(!secure_mode_policyload) { - allow $1 security_t:security setbool; -@@ -510,3 +542,23 @@ - - typeattribute $1 selinux_unconfined_type; - ') -+ -+######################################## -+## -+## Generate a file context for a boolean type -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`selinux_genbool',` -+ gen_require(` -+ attribute booleans_type; -+ ') -+ -+ type $1, booleans_type; -+ fs_type($1) -+ mls_trusted_object($1) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.5.13/policy/modules/kernel/selinux.te ---- nsaserefpolicy/policy/modules/kernel/selinux.te 2008-10-16 17:21:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/selinux.te 2008-10-28 10:56:19.000000000 -0400 -@@ -10,6 +10,7 @@ - attribute can_setenforce; - attribute can_setsecparam; - attribute selinux_unconfined_type; -+attribute booleans_type; - - # - # security_t is the target type when checking -@@ -23,6 +24,11 @@ - genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0) - genfscon securityfs / gen_context(system_u:object_r:security_t,s0) - -+type boolean_t, booleans_type; -+fs_type(boolean_t) -+mls_trusted_object(boolean_t) -+#genfscon selinuxfs /booleans gen_context(system_u:object_r:boolean_t,s0) -+ - neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; - neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; - neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.5.13/policy/modules/kernel/storage.fc ---- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-10-08 19:00:23.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/storage.fc 2008-11-05 13:22:07.000000000 -0500 -@@ -36,7 +36,7 @@ - /dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0) - /dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) --/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -+/dev/(raw/)?rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - ifdef(`distro_redhat', ` - /dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.5.13/policy/modules/kernel/terminal.if ---- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/terminal.if 2008-10-28 10:56:19.000000000 -0400 -@@ -250,9 +250,11 @@ - interface(`term_dontaudit_use_console',` - gen_require(` - type console_device_t; -+ type tty_device_t; - ') - - dontaudit $1 console_device_t:chr_file rw_chr_file_perms; -+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; - ') - - ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.13/policy/modules/roles/guest.fc ---- nsaserefpolicy/policy/modules/roles/guest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/guest.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1 @@ -+# file contexts handled by userdomain and genhomedircon -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.if serefpolicy-3.5.13/policy/modules/roles/guest.if ---- nsaserefpolicy/policy/modules/roles/guest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/guest.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,161 @@ -+## Least privledge terminal user role -+ -+######################################## -+## -+## Change to the guest role. -+## -+## -+## -+## The prefix of the user role (e.g., user -+## is the prefix for user_r). -+## -+## -+## -+# -+template(`guest_role_change_template',` -+ userdom_role_change_template($1, guest) -+') -+ -+######################################## -+## -+## Change from the guest role. -+## -+## -+##

-+## Change from the guest role to -+## the specified role. -+##

-+##

-+## This is a template to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

-+## -+## -+## -+## The prefix of the user role (e.g., user -+## is the prefix for user_r). -+## -+## -+## -+# -+template(`guest_role_change_to_template',` -+ userdom_role_change_template(guest, $1) -+') -+ -+######################################## -+## -+## Search the guest users home directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`guest_search_home_dirs',` -+ gen_require(` -+ type guest_home_dir_t; -+ ') -+ -+ files_search_home($1) -+ allow $1 guest_home_dir_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to search the guest -+## users home directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`guest_dontaudit_search_home_dirs',` -+ gen_require(` -+ type guest_home_dir_t; -+ ') -+ -+ dontaudit $1 guest_home_dir_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Create, read, write, and delete guest -+## home directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`guest_manage_home_dirs',` -+ gen_require(` -+ type guest_home_dir_t; -+ ') -+ -+ files_search_home($1) -+ allow $1 guest_home_dir_t:dir manage_dir_perms; -+') -+ -+######################################## -+## -+## Relabel to guest home directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`guest_relabelto_home_dirs',` -+ gen_require(` -+ type guest_home_dir_t; -+ ') -+ -+ files_search_home($1) -+ allow $1 guest_home_dir_t:dir relabelto; -+') -+ -+######################################## -+## -+## Do not audit attempts to append to the guest -+## users home directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`guest_dontaudit_append_home_content_files',` -+ gen_require(` -+ type guest_home_t; -+ ') -+ -+ dontaudit $1 guest_home_t:file append; -+') -+ -+######################################## -+## -+## Read files in the guest users home directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`guest_read_home_content_files',` -+ gen_require(` -+ type guest_home_dir_t, guest_home_t; -+ ') -+ -+ files_search_home($1) -+ allow $1 { guest_home_dir_t guest_home_t }:dir list_dir_perms; -+ read_files_pattern($1, { guest_home_dir_t guest_home_t }, guest_home_t) -+ read_lnk_files_pattern($1, { guest_home_dir_t guest_home_t }, guest_home_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.5.13/policy/modules/roles/guest.te ---- nsaserefpolicy/policy/modules/roles/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/guest.te 2008-10-28 11:05:34.000000000 -0400 -@@ -0,0 +1,36 @@ -+ -+policy_module(guest, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+role xguest_r; -+ -+userdom_restricted_user_template(guest) -+ -+######################################## -+# -+# Local policy -+# -+ -+optional_policy(` -+ java_per_role_template(guest, guest_t, guest_r) -+') -+ -+optional_policy(` -+ mono_per_role_template(guest, guest_t, guest_r) -+') -+ -+ -+optional_policy(` -+ gen_require(` -+ type xguest_t; -+ role xguest_r; -+ ') -+ -+ mozilla_per_role_template(xguest, xguest_t, xguest_r) -+') -+ -+gen_user(guest_u, user, guest_r, s0, s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.fc serefpolicy-3.5.13/policy/modules/roles/logadm.fc ---- nsaserefpolicy/policy/modules/roles/logadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/logadm.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1 @@ -+# file contexts handled by userdomain and genhomedircon -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.if serefpolicy-3.5.13/policy/modules/roles/logadm.if ---- nsaserefpolicy/policy/modules/roles/logadm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/logadm.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,44 @@ -+## Audit administrator role -+ -+######################################## -+## -+## Change to the generic user role. -+## -+## -+## -+## The prefix of the user role (e.g., user -+## is the prefix for user_r). -+## -+## -+## -+# -+template(`logadm_role_change_template',` -+ userdom_role_change_template($1, logadm) -+') -+ -+######################################## -+## -+## Change from the generic user role. -+## -+## -+##

-+## Change from the generic user role to -+## the specified role. -+##

-+##

-+## This is a template to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

-+## -+## -+## -+## The prefix of the user role (e.g., user -+## is the prefix for user_r). -+## -+## -+## -+# -+template(`logadm_role_change_to_template',` -+ userdom_role_change_template(logadm, $1) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.te serefpolicy-3.5.13/policy/modules/roles/logadm.te ---- nsaserefpolicy/policy/modules/roles/logadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/logadm.te 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,20 @@ -+ -+policy_module(logadm, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+role logadm_r; -+ -+userdom_base_user_template(logadm) -+ -+######################################## -+# -+# logadmin local policy -+# -+ -+allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; -+ -+logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t }) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.13/policy/modules/roles/staff.te ---- nsaserefpolicy/policy/modules/roles/staff.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/roles/staff.te 2008-10-29 12:02:31.000000000 -0400 -@@ -4,27 +4,68 @@ - ######################################## - # - # Declarations --# - -+# - role staff_r; - --userdom_unpriv_user_template(staff) -+userdom_admin_login_user_template(staff) - - ######################################## - # - # Local policy - # - -+kernel_read_ring_buffer(staff_t) -+kernel_getattr_core_if(staff_t) -+kernel_getattr_message_if(staff_t) -+kernel_read_software_raid_state(staff_t) -+ -+auth_domtrans_pam_console(staff_t) -+ -+libs_manage_shared_libs(staff_t) -+ - optional_policy(` - auditadm_role_change_template(staff) - ') - - optional_policy(` -+ kerneloops_manage_tmp_files(staff_t) -+') -+ -+optional_policy(` -+ logadm_role_change_template(staff) -+') -+ -+optional_policy(` -+ postgresql_userdom_template(staff, staff_t, staff_r) -+') -+ -+optional_policy(` - secadm_role_change_template(staff) - ') - - optional_policy(` -+ ssh_per_role_template(staff, staff_t, staff_r) -+') -+ -+optional_policy(` - sysadm_role_change_template(staff) - sysadm_dontaudit_use_terms(staff_t) - ') - -+optional_policy(` -+ usernetctl_run(staff_t, staff_r, { staff_devpts_t staff_tty_device_t }) -+') -+ -+optional_policy(` -+ unconfined_role_change_template(staff) -+') -+ -+optional_policy(` -+ webadm_role_change_template(staff) -+') -+ -+optional_policy(` -+ cron_admin_template(sysadm) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.13/policy/modules/roles/sysadm.if ---- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.if 2008-10-28 11:21:02.000000000 -0400 -@@ -334,10 +334,10 @@ - # - interface(`sysadm_getattr_home_dirs',` - gen_require(` -- type sysadm_home_dir_t; -+ type admin_home_t; - ') - -- allow $1 sysadm_home_dir_t:dir getattr; -+ allow $1 admin_home_t:dir getattr; - ') - - ######################################## -@@ -354,10 +354,29 @@ - # - interface(`sysadm_dontaudit_getattr_home_dirs',` - gen_require(` -- type sysadm_home_dir_t; -+ type admin_home_t; - ') - -- dontaudit $1 sysadm_home_dir_t:dir getattr; -+ dontaudit $1 admin_home_t:dir getattr; -+') -+ -+######################################## -+## -+## Do not audit attempts to write to -+## sysadm users home directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`sysadm_dontaudit_write_home_dirs',` -+ gen_require(` -+ type admin_home_t; -+ ') -+ -+ dontaudit $1 admin_home_t:dir write; - ') - - ######################################## -@@ -372,10 +391,10 @@ - # - interface(`sysadm_search_home_dirs',` - gen_require(` -- type sysadm_home_dir_t; -+ type admin_home_t; - ') - -- allow $1 sysadm_home_dir_t:dir search_dir_perms; -+ allow $1 admin_home_t:dir search_dir_perms; - ') - - ######################################## -@@ -391,10 +410,10 @@ - # - interface(`sysadm_dontaudit_search_home_dirs',` - gen_require(` -- type sysadm_home_dir_t; -+ type admin_home_t; - ') - -- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; -+ dontaudit $1 admin_home_t:dir search_dir_perms; - ') - - ######################################## -@@ -409,10 +428,10 @@ - # - interface(`sysadm_list_home_dirs',` - gen_require(` -- type sysadm_home_dir_t; -+ type admin_home_t; - ') - -- allow $1 sysadm_home_dir_t:dir list_dir_perms; -+ allow $1 admin_home_t:dir list_dir_perms; - ') - - ######################################## -@@ -428,10 +447,10 @@ - # - interface(`sysadm_dontaudit_list_home_dirs',` - gen_require(` -- type sysadm_home_dir_t; -+ type admin_home_t; - ') - -- dontaudit $1 sysadm_home_dir_t:dir list_dir_perms; -+ dontaudit $1 admin_home_t:dir list_dir_perms; - ') - - ######################################## -@@ -458,10 +477,10 @@ - # - interface(`sysadm_home_dir_filetrans',` - gen_require(` -- type sysadm_home_dir_t; -+ type admin_home_t; - ') - -- filetrans_pattern($1, sysadm_home_dir_t, $2, $3) -+ filetrans_pattern($1, admin_home_t, $2, $3) - ') - - ######################################## -@@ -476,10 +495,10 @@ - # - interface(`sysadm_search_home_content_dirs',` - gen_require(` -- type sysadm_home_dir_t, sysadm_home_t; -+ type admin_home_t; - ') - -- allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms; -+ allow $1 admin_home_t:dir search_dir_perms; - ') - - ######################################## -@@ -494,13 +513,12 @@ - # - interface(`sysadm_read_home_content_files',` - gen_require(` -- type sysadm_home_dir_t, sysadm_home_t; -+ type admin_home_t; - ') - - files_search_home($1) -- allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms; -- read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t) -- read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t) -+ read_files_pattern($1, admin_home_t, admin_home_t) -+ read_lnk_files_pattern($1, admin_home_t, admin_home_t) - ') - - ######################################## -@@ -516,13 +534,33 @@ - # - interface(`sysadm_dontaudit_read_home_content_files',` - gen_require(` -- type sysadm_home_dir_t, sysadm_home_t; -+ type admin_home_t; - ') - -- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; -- dontaudit $1 sysadm_home_t:dir search_dir_perms; -- dontaudit $1 sysadm_home_t:file read_file_perms; -+ dontaudit $1 admin_home_t:dir list_dir_perms; -+ dontaudit $1 admin_home_t:file read_file_perms; -+ - ') -+######################################## -+## -+## Do not audit attempts to read sym links in the sysadm -+## home directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`sysadm_dontaudit_read_home_sym_links',` -+ gen_require(` -+ type admin_home_t; -+ ') -+ -+ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; -+ -+') -+ - - ######################################## - ## -@@ -536,12 +574,12 @@ - # - interface(`sysadm_read_tmp_files',` - gen_require(` -- type sysadm_tmp_t; -+ type user_tmp_t; - ') - - files_search_tmp($1) -- allow $1 sysadm_tmp_t:dir list_dir_perms; -- read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t) -- read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t) -+ allow $1 user_tmp_t:dir list_dir_perms; -+ read_files_pattern($1, user_tmp_t, user_tmp_t) -+ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) - ') - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.5.13/policy/modules/roles/sysadm.te ---- nsaserefpolicy/policy/modules/roles/sysadm.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.te 2008-11-03 17:03:51.000000000 -0500 -@@ -15,7 +14,7 @@ - - role sysadm_r; - --userdom_admin_user_template(sysadm) -+userdom_admin_login_user_template(sysadm) - - ifndef(`enable_mls',` - userdom_security_admin_template(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) -@@ -110,10 +109,6 @@ - ') - - optional_policy(` -- cron_admin_template(sysadm) --') -- --optional_policy(` - cvs_exec(sysadm_t) - ') - -@@ -171,6 +166,10 @@ - ') - - optional_policy(` -+ kerberos_exec_kadmind(sysadm_t) -+') -+ -+optional_policy(` - kudzu_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - ') - -@@ -215,8 +214,8 @@ - - optional_policy(` - netutils_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) -- netutils_run_ping(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) -- netutils_run_traceroute(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) -+# netutils_run_ping(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) -+# netutils_run_traceroute(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - ') - - optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.5.13/policy/modules/roles/unprivuser.if ---- nsaserefpolicy/policy/modules/roles/unprivuser.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.if 2008-10-30 13:58:02.000000000 -0400 -@@ -62,6 +62,26 @@ - files_home_filetrans($1, user_home_dir_t, dir) - ') - -+ -+######################################## -+## -+## Create generic user home directories -+## with automatic file type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unprivuser_home_dir_filetrans',` -+ gen_require(` -+ type user_home_dir_t; -+ ') -+ -+ filetrans_pattern($1, user_home_dir_t, $2, $3) -+') -+ - ######################################## - ## - ## Search generic user home directories. -@@ -77,6 +97,7 @@ - type user_home_dir_t; - ') - -+ files_search_home($1) - allow $1 user_home_dir_t:dir search_dir_perms; - ') - -@@ -177,11 +198,29 @@ - # - interface(`unprivuser_manage_home_content_dirs',` - gen_require(` -- type user_home_dir_t, user_home_t; -+ attribute user_home_dir_type, user_home_type; - ') - - files_search_home($1) -- manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -+ manage_dirs_pattern($1, { user_home_dir_type user_home_type }, user_home_type) -+') -+ -+######################################## -+## -+## Don't audit list on the user home subdirectory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unprivuser_dontaudit_list_home_dirs',` -+ gen_require(` -+ type user_home_t, user_home_dir_t; -+ ') -+ -+ dontaudit $1 { user_home_dir_t user_home_t }:dir list_dir_perms; - ') - - ######################################## -@@ -236,11 +275,30 @@ - # - interface(`unprivuser_mmap_home_content_files',` - gen_require(` -- type user_home_t; -+ attribute user_home_type; -+ ') -+ -+ files_search_home($1) -+ allow $1 user_home_type:file execute; -+') -+ -+######################################## -+## -+## Read link files in generic user home directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unprivuser_read_home_content_symlinks',` -+ gen_require(` -+ type user_home_t, user_home_dir_t; - ') - - files_search_home($1) -- allow $1 user_home_t:file execute; -+ read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - ') - - ######################################## -@@ -342,3 +400,542 @@ - manage_sock_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - ') - -+######################################## -+## -+## Do not audit attempts to write user home files. -+## -+## -+##

-+## Do not audit attempts to write user home files. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

-+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+template(`unprivuser_dontaudit_write_home_content_files',` -+ gen_require(` -+ type user_home_t; -+ ') -+ -+ dontaudit $1 user_home_t:file write; -+ -+ fs_dontaudit_list_nfs($1) -+ fs_dontaudit_rw_nfs_files($1) -+ -+ fs_dontaudit_list_cifs($1) -+ fs_dontaudit_rw_cifs_files($1) -+') -+ -+######################################## -+## -+## Do not audit attempts to unlink user home files. -+## -+## -+##

-+## Do not audit attempts to unlink user home files. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

-+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+template(`unprivuser_dontaudit_unlink_home_content_files',` -+ gen_require(` -+ type user_home_t; -+ ') -+ -+ dontaudit $1 user_home_t:file unlink; -+') -+ -+######################################## -+## -+## Do not audit attempts to manage users -+## temporary directories. -+## -+## -+##

-+## Do not audit attempts to manage users -+## temporary directories. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

-+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+template(`unprivuser_dontaudit_manage_tmp_dirs',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ dontaudit $1 user_tmp_t:dir manage_dir_perms; -+') -+ -+ -+######################################## -+## -+## Create, read, write, and delete user -+## temporary named sockets. -+## -+## -+##

-+## Create, read, write, and delete user -+## temporary named sockets. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`unprivuser_manage_tmp_sockets',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) -+') -+ -+######################################## -+## -+## Read all unprivileged users files in /tmp -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unprivuser_read_tmp_files',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ read_files_pattern($1, user_tmp_t, user_tmp_t) -+') -+ -+######################################## -+## -+## Write all unprivileged users files in /tmp -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unprivuser_write_tmp_files',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ write_files_pattern($1, user_tmp_t, user_tmp_t) -+') -+ -+######################################## -+## -+## Write all unprivileged users files in /tmp -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unprivuser_manage_tmp_files',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ manage_files_pattern($1, user_tmp_t, user_tmp_t) -+') -+ -+######################################## -+## -+## Write all unprivileged users lnk_files in /tmp -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unprivuser_manage_tmp_symlinks',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to relabel unpriv user -+## home files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unprivuser_dontaudit_home_content_files',` -+ gen_require(` -+ attribute user_home_type; -+ ') -+ -+ dontaudit $1 user_home_type:file { relabelto relabelfrom }; -+') -+ -+######################################## -+## -+## unlink all unprivileged users files in /tmp -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unprivuser_unlink_tmp_files',` -+ gen_require(` -+ attribute user_tmpfile; -+ ') -+ -+ files_delete_tmp_dir_entry($1) -+ allow $1 user_tmpfile:file unlink; -+') -+ -+######################################## -+## -+## Connect to unpriviledged users over an unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unprivuser_stream_connect',` -+ gen_require(` -+ attribute user_tmpfile; -+ attribute userdomain; -+ ') -+ -+ stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain) -+') -+ -+######################################## -+## -+## Create, read, write, and delete user -+## temporary directories. -+## -+## -+##

-+## Create, read, write, and delete user -+## temporary directories. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`unprivuser_manage_tmp_dirs',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ manage_dirs_pattern($1, user_tmp_t, user_tmp_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete user -+## temporary named pipes. -+## -+## -+##

-+## Create, read, write, and delete user -+## temporary named pipes. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`unprivuser_manage_tmp_pipes',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) -+') -+ -+######################################## -+## -+## Manage user untrusted files. -+## -+## -+##

-+## Create, read, write, and delete untrusted files. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`unprivuser_manage_untrusted_content_files',` -+ gen_require(` -+ type user_untrusted_content_t; -+ ') -+ -+ manage_files_pattern($1, user_untrusted_content_t, user_untrusted_content_t) -+') -+ -+######################################## -+## -+## Manage user untrusted tmp files. -+## -+## -+##

-+## Create, read, write, and delete untrusted tmp files. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`unprivuser_manage_untrusted_content_tmp_files',` -+ gen_require(` -+ type user_untrusted_content_tmp_t; -+ ') -+ -+ manage_files_pattern($1, user_untrusted_content_tmp_t, user_untrusted_content_tmp_t) -+') -+ -+######################################## -+## -+## RW unpriviledged user SysV sempaphores. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unprivuser_rw_semaphores',` -+ gen_require(` -+ attribute unpriv_userdomain; -+ ') -+ -+ allow $1 unpriv_userdomain:sem rw_sem_perms; -+') -+ -+######################################## -+## -+## Read user tmpfs files. -+## -+## -+##

-+##

-+## read user temporary file system files -+##

-+##

-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`unprivuser_read_tmpfs_files',` -+ gen_require(` -+ type user_tmpfs_t; -+ ') -+ -+ fs_search_tmpfs($1) -+ read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -+') -+ -+######################################## -+## -+## Unlink user tmpfs files. -+## -+## -+##

-+## Read/write user tmpfs files. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`unprivuser_delete_tmpfs_files',` -+ gen_require(` -+ type user_tmpfs_t; -+ ') -+ -+ fs_search_tmpfs($1) -+ allow $1 user_tmpfs_t:dir list_dir_perms; -+ delete_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -+ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -+') -+ -+######################################## -+## -+## append all unprivileged users home directory -+## files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unprivuser_append_home_content_files',` -+ gen_require(` -+ attribute user_home_dir_type, user_home_type; -+ ') -+ -+ files_search_home($1) -+ allow $1 user_home_type:dir list_dir_perms; -+ append_files_pattern($1, { user_home_dir_type user_home_type }, user_home_type) -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_append_nfs_files($1) -+ ') -+ tunable_policy(`use_samba_home_dirs',` -+ fs_append_cifs_files($1) -+ ') -+') -+ -+######################################## -+## -+## dontaudit append all unprivileged users home directory -+## files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unprivuser_dontaudit_append_home_content_files',` -+ gen_require(` -+ attribute user_home_type; -+ ') -+ -+ dontaudit $1 user_home_type:file append_file_perms; -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_dontaudit_append_nfs_files($1) -+ ') -+ tunable_policy(`use_samba_home_dirs',` -+ fs_dontaudit_append_cifs_files($1) -+ ') -+') -+ -+######################################## -+## -+## dontaudit Read all unprivileged users home directory -+## files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unprivuser_dontaudit_read_home_content_files',` -+ gen_require(` -+ attribute user_home_dir_type, user_home_type; -+ ') -+ -+ files_search_home($1) -+ dontaudit $1 user_home_type:dir list_dir_perms; -+ dontaudit $1 user_home_type:file read_file_perms; -+ dontaudit $1 user_home_type:file read_lnk_file_perms; -+ -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_dontaudit_read_nfs_files($1) -+ ') -+ -+ tunable_policy(`use_samba_home_dirs',` -+ fs_dontaudit_read_cifs_files($1) -+ ') -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.5.13/policy/modules/roles/unprivuser.te ---- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.te 2008-10-28 19:21:12.000000000 -0400 -@@ -13,3 +13,18 @@ - - userdom_unpriv_user_template(user) - -+optional_policy(` -+ kerneloops_dontaudit_dbus_chat(user_t) -+') -+ -+optional_policy(` -+ postgresql_userdom_template(user, user_t, user_r) -+') -+ -+optional_policy(` -+ rpm_dontaudit_dbus_chat(user_t) -+') -+ -+optional_policy(` -+ setroubleshoot_dontaudit_stream_connect(user_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.fc serefpolicy-3.5.13/policy/modules/roles/webadm.fc ---- nsaserefpolicy/policy/modules/roles/webadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/webadm.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1 @@ -+# No webadm file contexts. -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.if serefpolicy-3.5.13/policy/modules/roles/webadm.if ---- nsaserefpolicy/policy/modules/roles/webadm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/webadm.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,44 @@ -+## Policy for webadm role -+ -+######################################## -+## -+## Change to the generic user role. -+## -+## -+## -+## The prefix of the user role (e.g., user -+## is the prefix for user_r). -+## -+## -+## -+# -+template(`webadm_role_change_template',` -+ userdom_role_change_template($1, webadm) -+') -+ -+######################################## -+## -+## Change from the generic user role. -+## -+## -+##

-+## Change from the generic user role to -+## the specified role. -+##

-+##

-+## This is a template to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

-+## -+## -+## -+## The prefix of the user role (e.g., user -+## is the prefix for user_r). -+## -+## -+## -+# -+template(`webadm_role_change_to_template',` -+ userdom_role_change_template(webadm, $1) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.5.13/policy/modules/roles/webadm.te ---- nsaserefpolicy/policy/modules/roles/webadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/webadm.te 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,65 @@ -+ -+policy_module(webadm, 1.0.0) -+ -+## -+##

-+## Allow webadm to read files in users home directories -+##

-+## -+gen_tunable(webadm_read_user_files, false) -+ -+## -+##

-+## Allow webadm to manage files in users home directories -+##

-+## -+gen_tunable(webadm_manage_user_files, false) -+ -+######################################## -+# -+# Declarations -+# -+ -+role webadm_r; -+ -+userdom_base_user_template(webadm) -+ -+######################################## -+# -+# webadmin local policy -+# -+ -+allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; -+ -+files_dontaudit_search_all_dirs(webadm_t) -+files_manage_generic_locks(webadm_t) -+files_list_var(webadm_t) -+ -+selinux_get_enforce_mode(webadm_t) -+seutil_domtrans_setfiles(webadm_t) -+ -+logging_send_syslog_msg(webadm_t) -+ -+unprivuser_dontaudit_search_home_dirs(webadm_t) -+ -+optional_policy(` -+ sysadm_role_change_template(webadm) -+ sysadm_dontaudit_read_home_content_files(webadm_t) -+') -+ -+apache_admin(webadm_t, webadm_r, { webadm_devpts_t webadm_tty_device_t }) -+ -+optional_policy(` -+tunable_policy(`webadm_read_user_files',` -+ unprivuser_read_home_content_files(webadm_t) -+ unprivuser_read_tmp_files(webadm_t) -+') -+') -+ -+optional_policy(` -+tunable_policy(`webadm_manage_user_files',` -+ unprivuser_manage_home_content_dirs(webadm_t) -+ unprivuser_read_tmp_files(webadm_t) -+ unprivuser_write_tmp_files(webadm_t) -+') -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.fc serefpolicy-3.5.13/policy/modules/roles/xguest.fc ---- nsaserefpolicy/policy/modules/roles/xguest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/xguest.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1 @@ -+# file contexts handled by userdomain and genhomedircon -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.if serefpolicy-3.5.13/policy/modules/roles/xguest.if ---- nsaserefpolicy/policy/modules/roles/xguest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/xguest.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,161 @@ -+## Least privledge X Windows user role -+ -+######################################## -+## -+## Change to the xguest role. -+## -+## -+## -+## The prefix of the user role (e.g., user -+## is the prefix for user_r). -+## -+## -+## -+# -+template(`xguest_role_change_template',` -+ userdom_role_change_template($1, xguest) -+') -+ -+######################################## -+## -+## Change from the xguest role. -+## -+## -+##

-+## Change from the xguest role to -+## the specified role. -+##

-+##

-+## This is a template to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

-+## -+## -+## -+## The prefix of the user role (e.g., user -+## is the prefix for user_r). -+## -+## -+## -+# -+template(`xguest_role_change_to_template',` -+ userdom_role_change_template(xguest, $1) -+') -+ -+######################################## -+## -+## Search the xguest users home directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xguest_search_home_dirs',` -+ gen_require(` -+ type xguest_home_dir_t; -+ ') -+ -+ files_search_home($1) -+ allow $1 xguest_home_dir_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to search the xguest -+## users home directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`xguest_dontaudit_search_home_dirs',` -+ gen_require(` -+ type xguest_home_dir_t; -+ ') -+ -+ dontaudit $1 xguest_home_dir_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Create, read, write, and delete xguest -+## home directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xguest_manage_home_dirs',` -+ gen_require(` -+ type xguest_home_dir_t; -+ ') -+ -+ files_search_home($1) -+ allow $1 xguest_home_dir_t:dir manage_dir_perms; -+') -+ -+######################################## -+## -+## Relabel to xguest home directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xguest_relabelto_home_dirs',` -+ gen_require(` -+ type xguest_home_dir_t; -+ ') -+ -+ files_search_home($1) -+ allow $1 xguest_home_dir_t:dir relabelto; -+') -+ -+######################################## -+## -+## Do not audit attempts to append to the xguest -+## users home directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`xguest_dontaudit_append_home_content_files',` -+ gen_require(` -+ type xguest_home_t; -+ ') -+ -+ dontaudit $1 xguest_home_t:file append; -+') -+ -+######################################## -+## -+## Read files in the xguest users home directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xguest_read_home_content_files',` -+ gen_require(` -+ type xguest_home_dir_t, xguest_home_t; -+ ') -+ -+ files_search_home($1) -+ allow $1 { xguest_home_dir_t xguest_home_t }:dir list_dir_perms; -+ read_files_pattern($1, { xguest_home_dir_t xguest_home_t }, xguest_home_t) -+ read_lnk_files_pattern($1, { xguest_home_dir_t xguest_home_t }, xguest_home_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.5.13/policy/modules/roles/xguest.te ---- nsaserefpolicy/policy/modules/roles/xguest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/xguest.te 2008-10-28 11:05:26.000000000 -0400 -@@ -0,0 +1,83 @@ -+ -+policy_module(xguest, 1.0.0) -+ -+## -+##

-+## Allow xguest users to mount removable media -+##

-+## -+gen_tunable(xguest_mount_media, false) -+ -+## -+##

-+## Allow xguest to configure Network Manager -+##

-+## -+gen_tunable(xguest_connect_network, false) -+ -+## -+##

-+## Allow xguest to use blue tooth devices -+##

-+## -+gen_tunable(xguest_use_bluetooth, false) -+ -+######################################## -+# -+# Declarations -+# -+ -+role xguest_r; -+ -+userdom_restricted_xwindows_user_template(xguest) -+ -+######################################## -+# -+# Local policy -+# -+ -+#optional_policy(` -+# mozilla_per_role_template(xguest, xguest_t, xguest_r) -+#') -+ -+optional_policy(` -+ java_per_role_template(xguest, xguest_t, xguest_r) -+') -+ -+optional_policy(` -+ mono_per_role_template(xguest, xguest_t, xguest_r) -+') -+ -+# Allow mounting of file systems -+optional_policy(` -+ tunable_policy(`xguest_mount_media',` -+ hal_dbus_chat(xguest_t) -+ init_read_utmp(xguest_t) -+ auth_list_pam_console_data(xguest_t) -+ kernel_read_fs_sysctls(xguest_t) -+ files_dontaudit_getattr_boot_dirs(xguest_t) -+ files_search_mnt(xguest_t) -+ fs_manage_noxattr_fs_files(xguest_t) -+ fs_manage_noxattr_fs_dirs(xguest_t) -+ fs_manage_noxattr_fs_dirs(xguest_t) -+ fs_getattr_noxattr_fs(xguest_t) -+ fs_read_noxattr_fs_symlinks(xguest_t) -+ ') -+') -+ -+optional_policy(` -+ hal_dbus_chat(xguest_t) -+') -+ -+optional_policy(` -+ tunable_policy(`xguest_connect_network',` -+ networkmanager_dbus_chat(xguest_t) -+ ') -+') -+ -+optional_policy(` -+ tunable_policy(`xguest_use_bluetooth',` -+ bluetooth_dbus_chat(xguest_t) -+ ') -+') -+gen_user(xguest_u, user, xguest_r, s0, s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.if serefpolicy-3.5.13/policy/modules/services/aide.if ---- nsaserefpolicy/policy/modules/services/aide.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/aide.if 2008-10-28 10:56:19.000000000 -0400 -@@ -70,9 +70,11 @@ - allow $1 aide_t:process { ptrace signal_perms }; - ps_process_pattern($1, aide_t) - -+ aide_run($1, $2, $3) -+ - files_list_etc($1) -- manage_files_pattern($1, aide_db_t, aide_db_t) -+ admin_pattern($1, aide_db_t, aide_db_t) - - logging_list_logs($1) -- manage_files_pattern($1, aide_log_t, aide_log_t) -+ admin_pattern($1, aide_log_t, aide_log_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.5.13/policy/modules/services/apache.fc ---- nsaserefpolicy/policy/modules/services/apache.fc 2008-10-03 11:12:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/apache.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,12 +1,13 @@ --HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0) -+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) - - /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) - /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) - /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/etc/httpd -d gen_context(system_u:object_r:httpd_config_t,s0) --/etc/httpd/conf.* gen_context(system_u:object_r:httpd_config_t,s0) -+/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -+/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) - /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) - /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) -+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) - /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) - - /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -22,6 +23,7 @@ - /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) - /usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) - -+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) - /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) - /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) - /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) -@@ -32,12 +34,14 @@ - /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) - ') - -+/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - - /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) - /var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -+/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) - /var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) - /var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) - /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -47,6 +51,7 @@ - - /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -+/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) - /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) - /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -50,8 +55,10 @@ - /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) - /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -+ - /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) - -+/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) - /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) - /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) - /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -64,11 +71,21 @@ - /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) - /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) - /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) -+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) - - /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0) - /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) - - /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) - /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -+ -+#Bugzilla file context -+/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) -+/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) -+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0) -+#viewvc file context -+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) -+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.5.13/policy/modules/services/apache.if ---- nsaserefpolicy/policy/modules/services/apache.if 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/apache.if 2008-10-28 10:56:19.000000000 -0400 -@@ -13,21 +13,16 @@ - # - template(`apache_content_template',` - gen_require(` -- attribute httpdcontent; - attribute httpd_exec_scripts; - attribute httpd_script_exec_type; - type httpd_t, httpd_suexec_t, httpd_log_t; - ') -- # allow write access to public file transfer -- # services files. -- gen_tunable(allow_httpd_$1_script_anon_write, false) -- - #This type is for webpages -- type httpd_$1_content_t, httpdcontent; # customizable -+ type httpd_$1_content_t; - files_type(httpd_$1_content_t) - - # This type is used for .htaccess files -- type httpd_$1_htaccess_t; # customizable; -+ type httpd_$1_htaccess_t; - files_type(httpd_$1_htaccess_t) - - # Type that CGI scripts run as -@@ -42,20 +37,22 @@ - - # The following three are the only areas that - # scripts can read, read/write, or append to -- type httpd_$1_script_ro_t, httpdcontent; # customizable -- files_type(httpd_$1_script_ro_t) -+ typealias httpd_$1_content_t alias httpd_$1_script_ro_t; - -- type httpd_$1_script_rw_t, httpdcontent; # customizable -- files_type(httpd_$1_script_rw_t) -+ type httpd_$1_content_rw_t; -+ files_type(httpd_$1_content_rw_t) -+ typealias httpd_$1_content_rw_t alias httpd_$1_script_rw_t; - -- type httpd_$1_script_ra_t, httpdcontent; # customizable -- files_type(httpd_$1_script_ra_t) -+ type httpd_$1_content_ra_t; -+ files_type(httpd_$1_content_ra_t) -+ typealias httpd_$1_content_ra_t alias httpd_$1_script_ra_t; - -- allow httpd_t httpd_$1_htaccess_t:file read_file_perms; -+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t) - - domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) - -- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; -+ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; -+ allow httpd_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; - - allow httpd_$1_script_t self:fifo_file rw_file_perms; - allow httpd_$1_script_t self:unix_stream_socket connectto; -@@ -65,29 +62,26 @@ - dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; - - # Allow the script process to search the cgi directory, and users directory -- allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; -+ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms; -+ read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) -+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) - - append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t) - logging_search_logs(httpd_$1_script_t) - - can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) -- allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms; -+ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; - -- allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; -- read_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- append_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- -- allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms; -- read_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) -- read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) -- -- manage_dirs_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- manage_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_script_rw_t, { dir file lnk_file sock_file fifo_file }) -+ allow httpd_$1_script_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms }; -+ read_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) -+ append_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) -+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) -+ -+ manage_dirs_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ manage_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) - - kernel_dontaudit_search_sysctl(httpd_$1_script_t) - kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) -@@ -96,6 +90,7 @@ - dev_read_urand(httpd_$1_script_t) - - corecmd_exec_all_executables(httpd_$1_script_t) -+ application_exec_all(httpd_$1_script_t) - - files_exec_etc_files(httpd_$1_script_t) - files_read_etc_files(httpd_$1_script_t) -@@ -111,34 +106,21 @@ - - seutil_dontaudit_search_config(httpd_$1_script_t) - -- tunable_policy(`httpd_enable_cgi && httpd_unified',` -- allow httpd_$1_script_t httpdcontent:file entrypoint; -- -- manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) -- manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) -- manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) -- can_exec(httpd_$1_script_t, httpdcontent) -- ') -- -- tunable_policy(`allow_httpd_$1_script_anon_write',` -- miscfiles_manage_public_files(httpd_$1_script_t) -- ') -- - # Allow the web server to run scripts and serve pages - tunable_policy(`httpd_builtin_scripting',` -- manage_dirs_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- manage_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- manage_lnk_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- rw_sock_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- -- allow httpd_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; -- read_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- append_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- read_lnk_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- -- allow httpd_t httpd_$1_script_ro_t:dir list_dir_perms; -- read_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t) -- read_lnk_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t) -+ manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ manage_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ -+ allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms }; -+ read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) -+ append_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) -+ read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) -+ -+ allow httpd_t httpd_$1_content_t:dir list_dir_perms; -+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) -+ read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) - - allow httpd_t httpd_$1_content_t:dir list_dir_perms; - read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) -@@ -151,9 +133,13 @@ - # privileged users run the script: - domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) - -+ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms; -+ - # apache runs the script: - domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) - -+ allow httpd_t httpd_$1_script_exec_t:file read_file_perms; -+ - allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; - allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; - -@@ -177,50 +163,6 @@ - miscfiles_read_localization(httpd_$1_script_t) - ') - -- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` -- allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; -- allow httpd_$1_script_t self:udp_socket create_socket_perms; -- -- corenet_all_recvfrom_unlabeled(httpd_$1_script_t) -- corenet_all_recvfrom_netlabel(httpd_$1_script_t) -- corenet_tcp_sendrecv_all_if(httpd_$1_script_t) -- corenet_udp_sendrecv_all_if(httpd_$1_script_t) -- corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t) -- corenet_udp_sendrecv_all_nodes(httpd_$1_script_t) -- corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) -- corenet_udp_sendrecv_all_ports(httpd_$1_script_t) -- -- sysnet_read_config(httpd_$1_script_t) -- ') -- -- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` -- allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; -- allow httpd_$1_script_t self:udp_socket create_socket_perms; -- -- corenet_all_recvfrom_unlabeled(httpd_$1_script_t) -- corenet_all_recvfrom_netlabel(httpd_$1_script_t) -- corenet_tcp_sendrecv_all_if(httpd_$1_script_t) -- corenet_udp_sendrecv_all_if(httpd_$1_script_t) -- corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t) -- corenet_udp_sendrecv_all_nodes(httpd_$1_script_t) -- corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) -- corenet_udp_sendrecv_all_ports(httpd_$1_script_t) -- corenet_tcp_connect_all_ports(httpd_$1_script_t) -- corenet_sendrecv_all_client_packets(httpd_$1_script_t) -- -- sysnet_read_config(httpd_$1_script_t) -- ') -- -- optional_policy(` -- mta_send_mail(httpd_$1_script_t) -- ') -- -- optional_policy(` -- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` -- mysql_tcp_connect(httpd_$1_script_t) -- ') -- ') -- - optional_policy(` - tunable_policy(`httpd_enable_cgi && allow_ypbind',` - nis_use_ypbind_uncond(httpd_$1_script_t) -@@ -229,10 +171,6 @@ - - optional_policy(` - postgresql_unpriv_client(httpd_$1_script_t) -- -- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` -- postgresql_tcp_connect(httpd_$1_script_t) -- ') - ') - - optional_policy(` -@@ -275,72 +213,77 @@ - template(`apache_per_role_template', ` - gen_require(` - attribute httpdcontent, httpd_script_domains; -- attribute httpd_exec_scripts, httpd_user_content_type; -- attribute httpd_user_script_exec_type; -- type httpd_t, httpd_suexec_t, httpd_log_t; -+ attribute httpd_exec_scripts; -+ type httpd_t, httpd_suexec_t, httpd_log_t, httpd_sys_script_t; -+ type httpd_user_content_t; -+ type httpd_user_script_t; -+ type httpd_user_content_ra_t; -+ type httpd_user_content_rw_t; -+ type httpd_user_content_t; -+ type httpd_user_script_exec_t; -+ type httpd_user_htaccess_t; - ') - -- apache_content_template($1) - -- typeattribute httpd_$1_content_t httpd_user_content_type; -- typeattribute httpd_$1_script_ra_t httpd_user_content_type; -- typeattribute httpd_$1_script_rw_t httpd_user_content_type; -- typeattribute httpd_$1_script_ro_t httpd_user_content_type; -- typeattribute httpd_$1_script_exec_t httpd_user_script_exec_type; -- -- typeattribute httpd_$1_script_t httpd_script_domains; -- userdom_user_home_content($1,httpd_$1_content_t) -- -- role $3 types httpd_$1_script_t; -- -- allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom }; -- -- allow $2 httpd_$1_htaccess_t:file { manage_file_perms relabelto relabelfrom }; -- -- manage_dirs_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- manage_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- manage_lnk_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- relabel_dirs_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- relabel_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- relabel_lnk_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- -- manage_dirs_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t) -- manage_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t) -- manage_lnk_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t) -- relabel_dirs_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t) -- relabel_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t) -- relabel_lnk_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t) -- -- manage_dirs_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- manage_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- manage_lnk_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- relabel_dirs_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- relabel_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- relabel_lnk_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- -- manage_dirs_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) -- manage_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) -- manage_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) -- relabel_dirs_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) -- relabel_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) -- relabel_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) -+ ifelse(`$1',`user',`',` -+ typealias httpd_user_content_t alias httpd_$1_script_t; -+ typealias httpd_user_content_ra_t alias httpd_$1_script_ra_t; -+ typealias httpd_user_content_rw_t alias httpd_$1_script_rw_t; -+ typealias httpd_user_content_t alias httpd_$1_script_ro_t; -+ typealias httpd_user_script_exec_t alias httpd_$1_script_exec_t; -+ typealias httpd_user_htaccess_t alias httpd_$1_htaccess_t; -+ ') -+ -+ -+ role $3 types httpd_user_script_t; -+ -+ allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom }; -+ -+ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom }; -+ -+ manage_dirs_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t) -+ manage_files_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t) -+ manage_lnk_files_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t) -+ relabel_dirs_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t) -+ relabel_files_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t) -+ relabel_lnk_files_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t) -+ -+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) -+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t) -+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) -+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) -+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t) -+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) -+ -+ manage_dirs_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t) -+ manage_files_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t) -+ manage_lnk_files_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t) -+ relabel_dirs_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t) -+ relabel_files_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t) -+ relabel_lnk_files_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t) -+ -+ manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) -+ manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) -+ manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) -+ relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) -+ relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) -+ relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - - tunable_policy(`httpd_enable_cgi',` - # If a user starts a script by hand it gets the proper context -- domtrans_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_t) -+ domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` -- allow httpd_$1_script_t httpdcontent:file entrypoint; -- -- domtrans_pattern($2, httpdcontent, httpd_$1_script_t) -+ can_exec(httpd_user_script_t, httpd_user_content_t) - ') - - # allow accessing files/dirs below the users home dir - tunable_policy(`httpd_enable_homedirs',` -- userdom_search_user_home_dirs($1,httpd_t) -- userdom_search_user_home_dirs($1,httpd_suexec_t) -- userdom_search_user_home_dirs($1,httpd_$1_script_t) -+ userdom_search_user_home_dirs(user, httpd_t) -+ userdom_search_user_home_dirs(user, httpd_suexec_t) -+ userdom_search_user_home_dirs(user, httpd_user_script_t) -+ userdom_search_user_home_dirs(user, httpd_sys_script_t) - ') - ') - -@@ -362,12 +305,11 @@ - # - template(`apache_read_user_scripts',` - gen_require(` -- type httpd_$1_script_exec_t; -+ type httpd_user_script_exec_t; - ') -- -- allow $2 httpd_$1_script_exec_t:dir list_dir_perms; -- read_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) -- read_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) -+ allow $2 httpd_user_script_exec_t:dir list_dir_perms; -+ read_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) -+ read_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - ') - - ######################################## -@@ -388,12 +330,12 @@ - # - template(`apache_read_user_content',` - gen_require(` -- type httpd_$1_content_t; -+ type httpd_user_content_t; - ') - -- allow $2 httpd_$1_content_t:dir list_dir_perms; -- read_files_pattern($2, httpd_$1_content_t, httpd_$1_content_t) -- read_lnk_files_pattern($2, httpd_$1_content_t, httpd_$1_content_t) -+ allow $2 httpd_user_content_t:dir list_dir_perms; -+ read_files_pattern($2, httpd_user_content_t, httpd_user_content_t) -+ read_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) - ') - - ######################################## -@@ -771,6 +713,7 @@ - ') - - allow $1 httpd_modules_t:dir list_dir_perms; -+ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t) - ') - - ######################################## -@@ -790,7 +733,7 @@ - ') - - allow $1 httpd_modules_t:dir list_dir_perms; -- allow $1 httpd_modules_t:lnk_file read_lnk_file_perms; -+ allow $1 httpd_modules_t:lnk_file read_file_perms; - can_exec($1,httpd_modules_t) - ') - -@@ -838,6 +781,32 @@ - - ######################################## - ## -+## Allow the specified domain to delete -+## apache system content rw files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr -+interface(`apache_delete_sys_content_rw',` -+ gen_require(` -+ type httpd_sys_content_rw_t; -+ ') -+ -+ files_search_tmp($1) -+ delete_dirs_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) -+ delete_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) -+ delete_lnk_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) -+ delete_fifo_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) -+ delete_sock_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) -+') -+ -+######################################## -+## - ## Execute all web scripts in the system - ## script domain. - ## -@@ -851,12 +820,16 @@ - # sysadm_t to run scripts - interface(`apache_domtrans_sys_script',` - gen_require(` -- attribute httpdcontent; - type httpd_sys_script_t; -+ type httpd_sys_content_t; -+ ') -+ -+ tunable_policy(`httpd_enable_cgi',` -+ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` -- domtrans_pattern($1, httpdcontent, httpd_sys_script_t) -+ domtrans_pattern($1, httpd_sys_content_t, httpd_sys_script_t) - ') - ') - -@@ -942,7 +915,7 @@ - type httpd_squirrelmail_t; - ') - -- allow $1 httpd_squirrelmail_t:file { getattr read }; -+ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t) - ') - - ######################################## -@@ -1033,16 +1006,16 @@ - # - interface(`apache_manage_all_user_content',` - gen_require(` -- attribute httpd_user_content_type, httpd_user_script_exec_type; -+ type httpd_user_content_t, httpd_user_script_exec_t; - ') - -- manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type) -- manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type) -- manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type) -+ manage_dirs_pattern($1, httpd_user_content_t, httpd_user_content_t) -+ manage_files_pattern($1, httpd_user_content_t, httpd_user_content_t) -+ manage_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t) - -- manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) -- manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) -- manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) -+ manage_dirs_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) -+ manage_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) -+ manage_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) - ') - - ######################################## -@@ -1098,3 +1071,160 @@ - - allow httpd_t $1:process signal; - ') -+ -+######################################## -+## -+## Allow the specified domain to search -+## apache bugzilla directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`apache_search_bugzilla_dirs',` -+ gen_require(` -+ type httpd_bugzilla_content_t; -+ ') -+ -+ allow $1 httpd_bugzilla_content_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read and write Apache -+## bugzill script unix domain stream sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`apache_dontaudit_rw_bugzilla_script_stream_sockets',` -+ gen_require(` -+ type httpd_bugzilla_script_t; -+ ') -+ -+ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write }; -+') -+ -+######################################## -+## -+## All of the rules required to administrate an apache environment -+## -+## -+## -+## Prefix of the domain. Example, user would be -+## the prefix for the uder_t domain. -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the apache domain. -+## -+## -+## -+# -+interface(`apache_admin',` -+ -+ gen_require(` -+ type httpd_t, httpd_initrc_exec_t, httpd_config_t; -+ type httpd_log_t, httpd_modules_t, httpd_lock_t; -+ type httpd_var_run_t; -+ attribute httpdcontent; -+ attribute httpd_script_exec_type; -+ type httpd_bool_t; -+ type httpd_php_tmp_t; -+ type httpd_suexec_tmp_t; -+ type httpd_tmp_t; -+ -+ ') -+ -+ allow $1 httpd_t:process { getattr ptrace signal_perms }; -+ ps_process_pattern($1, httpd_t) -+ -+ init_labeled_script_domtrans($1, httpd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 httpd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ apache_manage_all_content($1) -+ miscfiles_manage_public_files($1) -+ -+ files_search_etc($1) -+ admin_pattern($1, httpd_config_t) -+ -+ logging_search_logs($1) -+ admin_pattern($1, httpd_log_t) -+ -+ admin_pattern($1, httpd_modules_t) -+ -+ admin_pattern($1, httpd_lock_t) -+ files_lock_filetrans($1, httpd_lock_t, file) -+ -+ admin_pattern($1, httpd_var_run_t) -+ files_pid_filetrans($1, httpd_var_run_t, file) -+ -+ kernel_search_proc($1) -+ allow $1 httpd_t:dir list_dir_perms; -+ ps_process_pattern($1, httpd_t) -+ read_lnk_files_pattern($1, httpd_t, httpd_t) -+ -+ admin_pattern($1, httpdcontent) -+ admin_pattern($1, httpd_script_exec_type) -+ -+ seutil_domtrans_setfiles($1) -+ -+ admin_pattern($1, httpd_tmp_t) -+ admin_pattern($1, httpd_php_tmp_t) -+ admin_pattern($1, httpd_suexec_tmp_t) -+ files_tmp_filetrans($1, httpd_tmp_t, { file dir }) -+ -+ifdef(`TODO',` -+ apache_set_booleans($1, $2, $3, httpd_bool_t ) -+ seutil_setsebool_per_role_template($1, httpd, $3) -+ allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms; -+ allow httpd_setsebool_t httpd_bool_t:file rw_file_perms; -+') -+') -+ -+######################################## -+## -+## Mark content as being readable by standard apache processes -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`apache_ro_content',` -+ gen_require(` -+ attribute httpd_ro_content; -+ ') -+ typeattribute $1 httpd_ro_content; -+') -+ -+######################################## -+## -+## Mark content as being read/write by standard apache processes -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`apache_rw_content',` -+ gen_require(` -+ attribute httpd_rw_content; -+ ') -+ typeattribute $1 httpd_rw_content; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te ---- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-11-06 08:30:48.000000000 -0500 -@@ -20,6 +19,8 @@ - # Declarations - # - -+selinux_genbool(httpd_bool_t) -+ - ## - ##

- ## Allow Apache to modify public files -@@ -31,10 +32,17 @@ - - ## - ##

--## Allow Apache to use mod_auth_pam -+## Allow httpd scripts and modules execmem/execstack - ##

- ## --gen_tunable(allow_httpd_mod_auth_pam, false) -+gen_tunable(httpd_execmem, false) -+ -+## -+##

-+## Allow Apache to communicate with avahi service via dbus -+##

-+## -+gen_tunable(httpd_dbus_avahi, false) - - ## - ##

-@@ -45,7 +53,14 @@ - - ## - ##

--## Allow HTTPD scripts and modules to connect to the network using TCP. -+## Allow http daemon to send mail -+##

-+## -+gen_tunable(httpd_can_sendmail, false) -+ -+## -+##

-+## Allow HTTPD scripts and modules to connect to the network - ##

- ## - gen_tunable(httpd_can_network_connect, false) -@@ -109,14 +124,35 @@ - ## - gen_tunable(httpd_unified, false) - -+## -+##

-+## Allow httpd to access nfs file systems -+##

-+## -+gen_tunable(httpd_use_nfs, false) -+ -+## -+##

-+## Allow httpd to access cifs file systems -+##

-+## -+gen_tunable(httpd_use_cifs, false) -+ -+## -+##

-+## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t. -+##

-+## -+gen_tunable(allow_httpd_sys_script_anon_write, false) -+ -+attribute httpd_ro_content; -+attribute httpd_rw_content; - attribute httpdcontent; --attribute httpd_user_content_type; - - # domains that can exec all users scripts - attribute httpd_exec_scripts; - - attribute httpd_script_exec_type; --attribute httpd_user_script_exec_type; - - # user script domains - attribute httpd_script_domains; -@@ -141,6 +177,9 @@ - domain_entry_file(httpd_helper_t, httpd_helper_exec_t) - role system_r types httpd_helper_t; - -+type httpd_initrc_exec_t; -+init_script_file(httpd_initrc_exec_t) -+ - type httpd_lock_t; - files_lock_file(httpd_lock_t) - -@@ -181,6 +220,10 @@ - # setup the system domain for system CGI scripts - apache_content_template(sys) - -+typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable -+typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable -+typeattribute httpd_sys_content_ra_t httpdcontent; # customizable -+ - type httpd_tmp_t; - files_tmp_file(httpd_tmp_t) - -@@ -202,12 +245,16 @@ - prelink_object_file(httpd_modules_t) - ') - -+apache_content_template(user) -+userdom_user_home_content(user, httpd_user_content_t) -+typealias httpd_user_content_t alias httpd_unconfined_content_t; -+ - ######################################## - # - # Apache server local policy - # - --allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config }; -+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; - dontaudit httpd_t self:capability { net_admin sys_tty_config }; - allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow httpd_t self:fd use; -@@ -249,6 +296,7 @@ - allow httpd_t httpd_modules_t:dir list_dir_perms; - mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) - read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) -+read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) - - apache_domtrans_rotatelogs(httpd_t) - # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -260,9 +308,9 @@ - - allow httpd_t httpd_suexec_exec_t:file read_file_perms; - --allow httpd_t httpd_sys_content_t:dir list_dir_perms; --read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) --read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) -+allow httpd_t httpd_ro_content:dir list_dir_perms; -+read_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content) -+read_lnk_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content) - - manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) - manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -278,6 +326,7 @@ - manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) - files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) - -+setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) - manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) - manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) - files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file }) -@@ -289,6 +338,7 @@ - kernel_read_kernel_sysctls(httpd_t) - # for modules that want to access /proc/meminfo - kernel_read_system_state(httpd_t) -+kernel_search_network_sysctl(httpd_t) - - corenet_all_recvfrom_unlabeled(httpd_t) - corenet_all_recvfrom_netlabel(httpd_t) -@@ -299,6 +349,7 @@ - corenet_tcp_sendrecv_all_ports(httpd_t) - corenet_udp_sendrecv_all_ports(httpd_t) - corenet_tcp_bind_all_nodes(httpd_t) -+corenet_udp_bind_all_nodes(httpd_t) - corenet_tcp_bind_http_port(httpd_t) - corenet_tcp_bind_http_cache_port(httpd_t) - corenet_sendrecv_http_server_packets(httpd_t) -@@ -312,12 +363,11 @@ - - fs_getattr_all_fs(httpd_t) - fs_search_auto_mountpoints(httpd_t) -+fs_list_inotifyfs(httpd_t) - - auth_use_nsswitch(httpd_t) - --# execute perl --corecmd_exec_bin(httpd_t) --corecmd_exec_shell(httpd_t) -+application_exec_all(httpd_t) - - domain_use_interactive_fds(httpd_t) - -@@ -335,6 +385,10 @@ - files_read_var_lib_symlinks(httpd_t) - - fs_search_auto_mountpoints(httpd_sys_script_t) -+# php uploads a file to /tmp and then execs programs to acton them -+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) -+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) -+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_content_rw_t, { dir file lnk_file sock_file fifo_file }) - - libs_use_ld_so(httpd_t) - libs_use_shared_libs(httpd_t) -@@ -351,18 +405,33 @@ - - userdom_use_unpriv_users_fds(httpd_t) - --mta_send_mail(httpd_t) -- - tunable_policy(`allow_httpd_anon_write',` - miscfiles_manage_public_files(httpd_t) - ') - --ifdef(`TODO', ` - # - # We need optionals to be able to be within booleans to make this work - # -+## -+##

-+## Allow Apache to use mod_auth_pam -+##

-+## -+gen_tunable(allow_httpd_mod_auth_pam, false) -+ -+tunable_policy(`allow_httpd_mod_auth_pam',` -+ auth_domtrans_chkpwd(httpd_t) -+') -+ -+## -+##

-+## Allow Apache to use mod_auth_pam -+##

-+## -+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) -+optional_policy(` - tunable_policy(`allow_httpd_mod_auth_pam',` -- auth_domtrans_chk_passwd(httpd_t) -+ samba_domtrans_winbind_helper(httpd_t) - ') - ') - -@@ -370,20 +439,54 @@ - corenet_tcp_connect_all_ports(httpd_t) - ') - -+tunable_policy(`httpd_can_sendmail',` -+ # allow httpd to connect to mail servers -+ corenet_tcp_connect_smtp_port(httpd_t) -+ corenet_sendrecv_smtp_client_packets(httpd_t) -+ corenet_tcp_connect_pop_port(httpd_t) -+ corenet_sendrecv_pop_client_packets(httpd_t) -+ mta_send_mail(httpd_t) -+ mta_send_mail(httpd_sys_script_t) -+') -+ - tunable_policy(`httpd_can_network_relay',` - # allow httpd to work as a relay - corenet_tcp_connect_gopher_port(httpd_t) - corenet_tcp_connect_ftp_port(httpd_t) - corenet_tcp_connect_http_port(httpd_t) - corenet_tcp_connect_http_cache_port(httpd_t) -+ corenet_tcp_connect_memcache_port(httpd_t) - corenet_sendrecv_gopher_client_packets(httpd_t) - corenet_sendrecv_ftp_client_packets(httpd_t) - corenet_sendrecv_http_client_packets(httpd_t) - corenet_sendrecv_http_cache_client_packets(httpd_t) - ') - -+tunable_policy(`httpd_enable_cgi && httpd_unified',` -+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint; -+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file }) -+ can_exec(httpd_sys_script_t, httpd_sys_content_t) -+') -+ -+tunable_policy(`allow_httpd_sys_script_anon_write',` -+ miscfiles_manage_public_files(httpd_sys_script_t) -+') -+ -+tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -+ fs_nfs_domtrans(httpd_t, httpd_sys_script_t) -+') -+ -+tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` -+ fs_cifs_domtrans(httpd_t, httpd_sys_script_t) -+') -+ -+ - tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` -- domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -+ domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t) -+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file }) -+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t) -+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t) -+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t) - - manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) - manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -394,20 +497,26 @@ - corenet_tcp_bind_ftp_port(httpd_t) - ') - --tunable_policy(`httpd_enable_homedirs',` -- userdom_read_unpriv_users_home_content_files(httpd_t) --') -- - tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(httpd_t) - fs_read_nfs_symlinks(httpd_t) - ') - -+tunable_policy(`httpd_use_nfs',` -+ fs_manage_nfs_files(httpd_t) -+ fs_manage_nfs_symlinks(httpd_t) -+') -+ - tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(httpd_t) - fs_read_cifs_symlinks(httpd_t) - ') - -+tunable_policy(`httpd_use_cifs',` -+ fs_manage_cifs_files(httpd_t) -+ fs_manage_cifs_symlinks(httpd_t) -+') -+ - tunable_policy(`httpd_ssi_exec',` - corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) - allow httpd_sys_script_t httpd_t:fd use; -@@ -441,8 +550,13 @@ - ') - - optional_policy(` -- kerberos_use(httpd_t) -- kerberos_read_kdc_config(httpd_t) -+ dbus_system_bus_client_template(httpd, httpd_t) -+ tunable_policy(`httpd_dbus_avahi',` -+ avahi_dbus_chat(httpd_t) -+ ') -+') -+optional_policy(` -+ kerberos_keytab_template(httpd, httpd_t) - ') - - optional_policy(` -@@ -454,18 +568,13 @@ - ') - - optional_policy(` -- # Allow httpd to work with mysql - mysql_stream_connect(httpd_t) - mysql_rw_db_sockets(httpd_t) -- -- tunable_policy(`httpd_can_network_connect_db',` -- mysql_tcp_connect(httpd_t) -- ') -+ mysql_read_config(httpd_t) - ') - - optional_policy(` - nagios_read_config(httpd_t) -- nagios_domtrans_cgi(httpd_t) - ') - - optional_policy(` -@@ -475,6 +584,12 @@ - openca_kill(httpd_t) - ') - -+tunable_policy(`httpd_execmem',` -+ allow httpd_t self:process { execmem execstack }; -+ allow httpd_sys_script_t self:process { execmem execstack }; -+ allow httpd_suexec_t self:process { execmem execstack }; -+') -+ - optional_policy(` - # Allow httpd to work with postgresql - postgresql_stream_connect(httpd_t) -@@ -482,6 +597,7 @@ - - tunable_policy(`httpd_can_network_connect_db',` - postgresql_tcp_connect(httpd_t) -+ postgresql_tcp_connect(httpd_sys_script_t) - ') - ') - -@@ -490,6 +606,7 @@ - ') - - optional_policy(` -+ files_dontaudit_rw_usr_dirs(httpd_t) - snmp_dontaudit_read_snmp_var_lib_files(httpd_t) - snmp_dontaudit_write_snmp_var_lib_files(httpd_t) - ') -@@ -519,9 +636,28 @@ - logging_send_syslog_msg(httpd_helper_t) - - tunable_policy(`httpd_tty_comm',` -+ # cjp: this is redundant: -+ term_use_controlling_term(httpd_helper_t) -+ - sysadm_use_terms(httpd_helper_t) - ') - -+optional_policy(` -+ type httpd_unconfined_script_t; -+ type httpd_unconfined_script_exec_t; -+ domain_type(httpd_unconfined_script_t) -+ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t) -+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) -+ unconfined_domain(httpd_unconfined_script_t) -+ -+ role system_r types httpd_unconfined_script_t; -+ -+ tunable_policy(`httpd_tty_comm',` -+ unconfined_use_terms(httpd_helper_t) -+ ') -+') -+ -+ - ######################################## - # - # Apache PHP script local policy -@@ -551,22 +687,27 @@ - - fs_search_auto_mountpoints(httpd_php_t) - -+auth_use_nsswitch(httpd_php_t) -+ - libs_exec_lib_files(httpd_php_t) - libs_use_ld_so(httpd_php_t) - libs_use_shared_libs(httpd_php_t) - - userdom_use_unpriv_users_fds(httpd_php_t) - --optional_policy(` -- mysql_stream_connect(httpd_php_t) -+tunable_policy(`httpd_can_network_connect_db',` -+ corenet_tcp_connect_mysqld_port(httpd_t) -+ corenet_sendrecv_mysqld_client_packets(httpd_t) -+ corenet_tcp_connect_mysqld_port(httpd_sys_script_t) -+ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) -+ corenet_tcp_connect_mysqld_port(httpd_suexec_t) -+ corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) - ') - --optional_policy(` -- nis_use_ypbind(httpd_php_t) --') - - optional_policy(` -- postgresql_stream_connect(httpd_php_t) -+ mysql_stream_connect(httpd_php_t) -+ mysql_read_config(httpd_php_t) - ') - - ######################################## -@@ -584,12 +725,14 @@ - append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) - read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) - --allow httpd_suexec_t httpd_t:fifo_file getattr; -+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms; - - manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) - manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) - files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) - -+can_exec(httpd_suexec_t, httpd_sys_script_exec_t) -+ - kernel_read_kernel_sysctls(httpd_suexec_t) - kernel_list_proc(httpd_suexec_t) - kernel_read_proc_symlinks(httpd_suexec_t) -@@ -598,9 +741,7 @@ - - fs_search_auto_mountpoints(httpd_suexec_t) - --# for shell scripts --corecmd_exec_bin(httpd_suexec_t) --corecmd_exec_shell(httpd_suexec_t) -+application_exec_all(httpd_suexec_t) - - files_read_etc_files(httpd_suexec_t) - files_read_usr_files(httpd_suexec_t) -@@ -633,12 +774,25 @@ - corenet_sendrecv_all_client_packets(httpd_suexec_t) - ') - -+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t) -+read_files_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_rw_t) -+read_files_pattern(httpd_suexec_t, httpd_user_script_ro_t, httpd_user_script_ro_t) -+read_files_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_ra_t) -+ -+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) - tunable_policy(`httpd_enable_cgi && httpd_unified',` - domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) -+ domtrans_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_script_t) -+ domtrans_pattern(httpd_suexec_t, httpd_user_script_ro_t, httpd_user_script_t) -+ domtrans_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_t) -+ domtrans_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_t) -+ -+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) -+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) -+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) - ') -- --tunable_policy(`httpd_enable_homedirs',` -- userdom_read_unpriv_users_home_content_files(httpd_suexec_t) -+tunable_policy(`httpd_enable_cgi',` -+ domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t) - ') - - tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -647,6 +801,12 @@ - fs_exec_nfs_files(httpd_suexec_t) - ') - -+tunable_policy(`httpd_use_cifs',` -+ fs_manage_cifs_files(httpd_suexec_t) -+ fs_manage_cifs_symlinks(httpd_suexec_t) -+ fs_exec_cifs_files(httpd_suexec_t) -+') -+ - tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(httpd_suexec_t) - fs_read_cifs_symlinks(httpd_suexec_t) -@@ -664,20 +824,20 @@ - dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; - ') - --optional_policy(` -- nagios_domtrans_cgi(httpd_suexec_t) --') -- - ######################################## - # - # Apache system script local policy - # - -+auth_use_nsswitch(httpd_sys_script_t) -+ -+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; - allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - - dontaudit httpd_sys_script_t httpd_config_t:dir search; - --allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; -+apache_read_squirrelmail_data(httpd_sys_script_t) -+apache_append_squirrelmail_data(httpd_sys_script_t) - - allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; - read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) -@@ -691,12 +851,15 @@ - # Should we add a boolean? - apache_domtrans_rotatelogs(httpd_sys_script_t) - -+sysnet_read_config(httpd_sys_script_t) -+ - ifdef(`distro_redhat',` - allow httpd_sys_script_t httpd_log_t:file append_file_perms; - ') - --tunable_policy(`httpd_enable_homedirs',` -- userdom_read_unpriv_users_home_content_files(httpd_sys_script_t) -+tunable_policy(`httpd_use_nfs',` -+ fs_manage_nfs_files(httpd_sys_script_t) -+ fs_manage_nfs_symlinks(httpd_sys_script_t) - ') - - tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -704,6 +867,30 @@ - fs_read_nfs_symlinks(httpd_sys_script_t) - ') - -+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` -+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; -+ allow httpd_sys_script_t self:udp_socket create_socket_perms; -+ -+ corenet_tcp_bind_all_nodes(httpd_sys_script_t) -+ corenet_udp_bind_all_nodes(httpd_sys_script_t) -+ corenet_all_recvfrom_unlabeled(httpd_sys_script_t) -+ corenet_all_recvfrom_netlabel(httpd_sys_script_t) -+ corenet_tcp_sendrecv_all_if(httpd_sys_script_t) -+ corenet_udp_sendrecv_all_if(httpd_sys_script_t) -+ corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t) -+ corenet_udp_sendrecv_all_nodes(httpd_sys_script_t) -+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) -+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t) -+ corenet_tcp_connect_all_ports(httpd_sys_script_t) -+ corenet_sendrecv_all_client_packets(httpd_sys_script_t) -+') -+ -+ -+tunable_policy(`httpd_use_cifs',` -+ fs_manage_cifs_files(httpd_sys_script_t) -+ fs_manage_cifs_symlinks(httpd_sys_script_t) -+') -+ - tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(httpd_sys_script_t) - fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -716,10 +903,10 @@ - optional_policy(` - mysql_stream_connect(httpd_sys_script_t) - mysql_rw_db_sockets(httpd_sys_script_t) --') -- --optional_policy(` -- postgresql_stream_connect(httpd_sys_script_t) -+ mysql_read_config(httpd_sys_script_t) -+ mysql_stream_connect(httpd_suexec_t) -+ mysql_rw_db_sockets(httpd_suexec_t) -+ mysql_read_config(httpd_suexec_t) - ') - - ######################################## -@@ -727,6 +914,8 @@ - # httpd_rotatelogs local policy - # - -+allow httpd_rotatelogs_t self:capability dac_override; -+ - manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) - - kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -741,3 +930,66 @@ - logging_search_logs(httpd_rotatelogs_t) - - miscfiles_read_localization(httpd_rotatelogs_t) -+ -+#============= bugzilla policy ============== -+apache_content_template(bugzilla) -+ -+type httpd_bugzilla_tmp_t; -+files_tmp_file(httpd_bugzilla_tmp_t) -+ -+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms; -+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms; -+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms; -+ -+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t) -+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) -+corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t) -+corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t) -+corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t) -+corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t) -+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t) -+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t) -+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t) -+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t) -+corenet_tcp_connect_http_port(httpd_bugzilla_script_t) -+corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) -+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t) -+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t) -+ -+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) -+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) -+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir }) -+ -+files_search_var_lib(httpd_bugzilla_script_t) -+ -+mta_send_mail(httpd_bugzilla_script_t) -+ -+sysnet_read_config(httpd_bugzilla_script_t) -+sysnet_use_ldap(httpd_bugzilla_script_t) -+ -+optional_policy(` -+ mysql_search_db(httpd_bugzilla_script_t) -+ mysql_stream_connect(httpd_bugzilla_script_t) -+') -+ -+optional_policy(` -+ postgresql_stream_connect(httpd_bugzilla_script_t) -+') -+ -+manage_dirs_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) -+manage_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) -+manage_lnk_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) -+ -+manage_dirs_pattern(httpd_t,httpdcontent,httpd_rw_content) -+manage_files_pattern(httpd_t,httpdcontent,httpd_rw_content) -+manage_lnk_files_pattern(httpd_t,httpdcontent,httpd_rw_content) -+ -+# Removal of fastcgi, will cause problems without the following -+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; -+typealias httpd_sys_content_t alias httpd_fastcgi_content_t; -+typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t; -+typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t; -+typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t; -+typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t; -+typealias httpd_sys_script_t alias httpd_fastcgi_script_t; -+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.fc serefpolicy-3.5.13/policy/modules/services/arpwatch.fc ---- nsaserefpolicy/policy/modules/services/arpwatch.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/arpwatch.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,3 +1,4 @@ -+/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0) - - # - # /usr -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.if serefpolicy-3.5.13/policy/modules/services/arpwatch.if ---- nsaserefpolicy/policy/modules/services/arpwatch.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/arpwatch.if 2008-10-28 10:56:19.000000000 -0400 -@@ -90,3 +90,45 @@ - - dontaudit $1 arpwatch_t:packet_socket { read write }; - ') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an arpwatch environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the arpwatch domain. -+## -+## -+## -+# -+interface(`arpwatch_admin',` -+ gen_require(` -+ type arpwatch_t, arpwatch_tmp_t; -+ type arpwatch_data_t, arpwatch_var_run_t; -+ type arpwatch_initrc_exec_t; -+ ') -+ -+ allow $1 arpwatch_t:process { ptrace signal_perms getattr }; -+ ps_process_pattern($1, arpwatch_t) -+ -+ init_labeled_script_domtrans($1, arpwatch_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 arpwatch_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, arpwatch_tmp_t) -+ -+ files_list_var($1) -+ admin_pattern($1, arpwatch_data_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, arpwatch_var_run_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.5.13/policy/modules/services/arpwatch.te ---- nsaserefpolicy/policy/modules/services/arpwatch.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/arpwatch.te 2008-10-28 10:56:19.000000000 -0400 -@@ -13,6 +13,9 @@ - type arpwatch_data_t; - files_type(arpwatch_data_t) - -+type arpwatch_initrc_exec_t; -+init_script_file(arpwatch_initrc_exec_t) -+ - type arpwatch_tmp_t; - files_tmp_file(arpwatch_tmp_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.fc serefpolicy-3.5.13/policy/modules/services/asterisk.fc ---- nsaserefpolicy/policy/modules/services/asterisk.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/asterisk.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,4 +1,5 @@ - /etc/asterisk(/.*)? gen_context(system_u:object_r:asterisk_etc_t,s0) -+/etc/rc\.d/init\.d/asterisk -- gen_context(system_u:object_r:asterisk_initrc_exec_t,s0) - - /usr/sbin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t,s0) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.5.13/policy/modules/services/asterisk.if ---- nsaserefpolicy/policy/modules/services/asterisk.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/asterisk.if 2008-10-28 10:56:19.000000000 -0400 -@@ -1 +1,54 @@ - ## Asterisk IP telephony server -+ -+######################################## -+## -+## All of the rules required to administrate -+## an asterisk environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the asterisk domain. -+## -+## -+## -+# -+interface(`asterisk_admin',` -+ gen_require(` -+ type asterisk_t, asterisk_var_run_t, asterisk_spool_t; -+ type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t; -+ type asterisk_var_lib_t; -+ type asterisk_initrc_exec_t; -+ ') -+ -+ allow $1 asterisk_t:process { ptrace signal_perms getattr }; -+ ps_process_pattern($1, asterisk_t) -+ -+ init_labeled_script_domtrans($1, asterisk_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 asterisk_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, asterisk_tmp_t) -+ -+ files_list_etc($1) -+ admin_pattern($1, asterisk_etc_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, asterisk_log_t) -+ -+ files_list_spool($1) -+ admin_pattern($1, asterisk_spool_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, asterisk_var_lib_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, asterisk_var_run_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.5.13/policy/modules/services/asterisk.te ---- nsaserefpolicy/policy/modules/services/asterisk.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/asterisk.te 2008-10-28 10:56:19.000000000 -0400 -@@ -13,6 +13,9 @@ - type asterisk_etc_t; - files_config_file(asterisk_etc_t) - -+type asterisk_initrc_exec_t; -+init_script_file(asterisk_initrc_exec_t) -+ - type asterisk_log_t; - logging_log_file(asterisk_log_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.fc serefpolicy-3.5.13/policy/modules/services/audioentropy.fc ---- nsaserefpolicy/policy/modules/services/audioentropy.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/audioentropy.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -2,3 +2,5 @@ - # /usr - # - /usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0) -+ -+/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.5.13/policy/modules/services/audioentropy.te ---- nsaserefpolicy/policy/modules/services/audioentropy.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/audioentropy.te 2008-10-28 10:56:19.000000000 -0400 -@@ -35,6 +35,7 @@ - dev_read_rand(entropyd_t) - dev_write_rand(entropyd_t) - dev_read_sound(entropyd_t) -+dev_write_sound(entropyd_t) - - fs_getattr_all_fs(entropyd_t) - fs_search_auto_mountpoints(entropyd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.5.13/policy/modules/services/automount.te ---- nsaserefpolicy/policy/modules/services/automount.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/automount.te 2008-10-28 10:56:19.000000000 -0400 -@@ -71,6 +71,7 @@ - files_mounton_all_mountpoints(automount_t) - files_mount_all_file_type_fs(automount_t) - files_unmount_all_file_type_fs(automount_t) -+files_manage_non_security_dirs(automount_t) - - fs_mount_all_fs(automount_t) - fs_unmount_all_fs(automount_t) -@@ -100,6 +101,7 @@ - corenet_udp_bind_all_rpc_ports(automount_t) - - dev_read_sysfs(automount_t) -+dev_rw_autofs(automount_t) - # for SSP - dev_read_rand(automount_t) - dev_read_urand(automount_t) -@@ -159,7 +161,7 @@ - ') - - optional_policy(` -- kerberos_read_keytab(automount_t) -+ kerberos_keytab_template(automount, automount_t) - kerberos_read_config(automount_t) - kerberos_dontaudit_write_config(automount_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.5.13/policy/modules/services/avahi.fc ---- nsaserefpolicy/policy/modules/services/avahi.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/avahi.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,5 +1,9 @@ -+/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0) - - /usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0) - /usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0) -+/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0) - - /var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) -+ -+/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.5.13/policy/modules/services/avahi.if ---- nsaserefpolicy/policy/modules/services/avahi.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/avahi.if 2008-10-28 10:56:19.000000000 -0400 -@@ -2,6 +2,103 @@ - - ######################################## - ## -+## Execute avahi server in the avahi domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+# -+interface(`avahi_domtrans',` -+ gen_require(` -+ type avahi_exec_t; -+ type avahi_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, avahi_exec_t, avahi_t) -+') -+ -+######################################## -+## -+## Execute avahi server in the avahi domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+# -+interface(`avahi_initrc_domtrans',` -+ gen_require(` -+ type avahi_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, avahi_initrc_exec_t) -+') -+ -+######################################## -+## -+## Send avahi a sigkill -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+# -+interface(`avahi_sigkill',` -+ gen_require(` -+ type avahi_t; -+ ') -+ -+ allow $1 avahi_t:process sigkill; -+') -+ -+######################################## -+## -+## Send avahi a signal -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+# -+interface(`avahi_signal',` -+ gen_require(` -+ type avahi_t; -+ ') -+ -+ allow $1 avahi_t:process signal; -+') -+ -+######################################## -+## -+## Send avahi a signull -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+# -+interface(`avahi_signull',` -+ gen_require(` -+ type avahi_t; -+ ') -+ -+ allow $1 avahi_t:process signull; -+') -+ -+######################################## -+## - ## Send and receive messages from - ## avahi over dbus. - ## -@@ -57,3 +154,38 @@ - - dontaudit $1 avahi_var_run_t:dir search_dir_perms; - ') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an avahi environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the avahi domain. -+## -+## -+## -+# -+interface(`avahi_admin',` -+ gen_require(` -+ type avahi_t, avahi_var_run_t; -+ type avahi_initrc_exec_t; -+ ') -+ -+ allow $1 avahi_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, avahi_t) -+ -+ init_labeled_script_domtrans($1, avahi_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 avahi_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_pids($1) -+ admin_pattern($1, avahi_var_run_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.5.13/policy/modules/services/avahi.te ---- nsaserefpolicy/policy/modules/services/avahi.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/avahi.te 2008-10-28 10:56:19.000000000 -0400 -@@ -10,6 +10,12 @@ - type avahi_exec_t; - init_daemon_domain(avahi_t, avahi_exec_t) - -+type avahi_initrc_exec_t; -+init_script_file(avahi_initrc_exec_t) -+ -+type avahi_var_lib_t; -+files_pid_file(avahi_var_lib_t) -+ - type avahi_var_run_t; - files_pid_file(avahi_var_run_t) - -@@ -20,13 +26,18 @@ - - allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot }; - dontaudit avahi_t self:capability sys_tty_config; --allow avahi_t self:process { setrlimit signal_perms setcap }; -+allow avahi_t self:process { setrlimit signal_perms getcap setcap }; - allow avahi_t self:fifo_file rw_fifo_file_perms; - allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms }; - allow avahi_t self:unix_dgram_socket create_socket_perms; - allow avahi_t self:tcp_socket create_stream_socket_perms; - allow avahi_t self:udp_socket create_socket_perms; - -+files_search_var_lib(avahi_t) -+manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) -+manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) -+files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file }) -+ - manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) - manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) - allow avahi_t avahi_var_run_t:dir setattr; -@@ -76,6 +87,7 @@ - logging_send_syslog_msg(avahi_t) - - miscfiles_read_localization(avahi_t) -+miscfiles_read_certs(avahi_t) - - userdom_dontaudit_use_unpriv_user_fds(avahi_t) - -@@ -86,6 +98,7 @@ - dbus_connect_system_bus(avahi_t) - - init_dbus_chat_script(avahi_t) -+ dbus_system_domain(avahi_t, avahi_exec_t) - ') - - optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.5.13/policy/modules/services/bind.fc ---- nsaserefpolicy/policy/modules/services/bind.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/bind.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,4 +1,4 @@ --/etc/rc.d/init.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) - /etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) - /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.5.13/policy/modules/services/bind.if ---- nsaserefpolicy/policy/modules/services/bind.if 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/bind.if 2008-10-28 10:56:19.000000000 -0400 -@@ -38,6 +38,42 @@ - - ######################################## - ## -+## Send signulls to BIND. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`bind_signull',` -+ gen_require(` -+ type named_t; -+ ') -+ -+ allow $1 named_t:process signull; -+') -+ -+######################################## -+## -+## Send sigkills to BIND. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`bind_sigkill',` -+ gen_require(` -+ type named_t; -+ ') -+ -+ allow $1 named_t:process sigkill; -+') -+ -+######################################## -+## - ## Execute ndc in the ndc domain, and - ## allow the specified role the ndc domain. - ## -@@ -257,6 +293,25 @@ - - ######################################## - ## -+## Execute bind server in the bind domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+# -+interface(`bind_initrc_domtrans',` -+ gen_require(` -+ type bind_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, bind_initrc_exec_t) -+') -+ -+######################################## -+## - ## All of the rules required to administrate - ## an bind environment - ## -@@ -267,19 +322,18 @@ - ## - ## - ## --## Role allowed access. --## --## --## --## --## The type of the terminal. -+## The role to be allowed to manage the bind domain. - ## - ## - ## - # - interface(`bind_admin',` - gen_require(` -- type named_t, ndc_t; -+ type named_t, named_tmp_t, named_log_t; -+ type named_conf_t, named_var_lib_t, named_var_run_t; -+ type named_cache_t, named_zone_t; -+ type dnssec_t, ndc_t; -+ type named_initrc_exec_t; - ') - - allow $1 named_t:process { ptrace signal_perms }; -@@ -289,4 +343,28 @@ - ps_process_pattern($1, ndc_t) - - bind_run_ndc($1, $2, $3) -+ -+ bind_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 named_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, named_tmp_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, named_log_t) -+ -+ files_list_etc($1) -+ admin_pattern($1, named_conf_t) -+ -+ admin_pattern($1, named_cache_t) -+ admin_pattern($1, named_zone_t) -+ admin_pattern($1, dnssec_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, named_var_lib_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, named_var_run_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.5.13/policy/modules/services/bind.te ---- nsaserefpolicy/policy/modules/services/bind.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/bind.te 2008-10-28 10:56:19.000000000 -0400 -@@ -247,6 +247,8 @@ - sysnet_read_config(ndc_t) - sysnet_dns_name_resolve(ndc_t) - -+term_dontaudit_use_console(ndc_t) -+ - # for /etc/rndc.key - ifdef(`distro_redhat',` - allow ndc_t named_conf_t:dir search; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.5.13/policy/modules/services/bluetooth.fc ---- nsaserefpolicy/policy/modules/services/bluetooth.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -3,6 +3,9 @@ - # - /etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0) - /etc/bluetooth/link_key gen_context(system_u:object_r:bluetooth_conf_rw_t,s0) -+/etc/rc\.d/init\.d/bluetooth -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) - - # - # /usr -@@ -16,9 +19,11 @@ - /usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0) - /usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0) - /usr/sbin/sdpd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -+/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) - - # - # /var - # - /var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0) - /var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0) -+/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.5.13/policy/modules/services/bluetooth.if ---- nsaserefpolicy/policy/modules/services/bluetooth.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.if 2008-10-28 10:56:19.000000000 -0400 -@@ -226,3 +226,56 @@ - dontaudit $1 bluetooth_helper_domain:dir search; - dontaudit $1 bluetooth_helper_domain:file { read getattr }; - ') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an bluetooth environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the bluetooth domain. -+## -+## -+## -+# -+interface(`bluetooth_admin',` -+ gen_require(` -+ type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; -+ type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t; -+ type bluetooth_conf_t, bluetooth_conf_rw_t; -+ type bluetooth_initrc_exec_t; -+ ') -+ -+ allow $1 bluetooth_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, bluetooth_t) -+ -+ init_labeled_script_domtrans($1, bluetooth_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 bluetooth_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, bluetooth_tmp_t) -+ -+ files_list_var($1) -+ admin_pattern($1, bluetooth_lock_t) -+ -+ files_list_etc($1) -+ admin_pattern($1, bluetooth_conf_t) -+ admin_pattern($1, bluetooth_conf_rw_t) -+ -+ files_list_spool($1) -+ admin_pattern($1, bluetooth_spool_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, bluetooth_var_lib_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, bluetooth_var_run_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.5.13/policy/modules/services/bluetooth.te ---- nsaserefpolicy/policy/modules/services/bluetooth.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.te 2008-10-28 10:58:41.000000000 -0400 -@@ -20,6 +20,9 @@ - type bluetooth_helper_exec_t; - application_executable_file(bluetooth_helper_exec_t) - -+type bluetooth_initrc_exec_t; -+init_script_file(bluetooth_initrc_exec_t) -+ - type bluetooth_lock_t; - files_lock_file(bluetooth_lock_t) - -@@ -37,14 +40,14 @@ - # Bluetooth services local policy - # - --allow bluetooth_t self:capability { net_bind_service net_admin net_raw sys_tty_config ipc_lock }; -+allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock }; - dontaudit bluetooth_t self:capability sys_tty_config; - allow bluetooth_t self:process { getsched signal_perms }; - allow bluetooth_t self:fifo_file rw_fifo_file_perms; - allow bluetooth_t self:shm create_shm_perms; - allow bluetooth_t self:socket create_stream_socket_perms; - allow bluetooth_t self:unix_dgram_socket create_socket_perms; --allow bluetooth_t self:unix_stream_socket create_stream_socket_perms; -+allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms }; - allow bluetooth_t self:tcp_socket create_stream_socket_perms; - allow bluetooth_t self:udp_socket create_socket_perms; - -@@ -92,6 +95,7 @@ - dev_rw_usbfs(bluetooth_t) - dev_rw_generic_usb_dev(bluetooth_t) - dev_read_urand(bluetooth_t) -+dev_rw_input_dev(bluetooth_t) - - fs_getattr_all_fs(bluetooth_t) - fs_search_auto_mountpoints(bluetooth_t) -@@ -110,6 +114,8 @@ - files_read_etc_runtime_files(bluetooth_t) - files_read_usr_files(bluetooth_t) - -+auth_use_nsswitch(bluetooth_t) -+ - libs_use_ld_so(bluetooth_t) - libs_use_shared_libs(bluetooth_t) - -@@ -117,11 +123,9 @@ - - miscfiles_read_localization(bluetooth_t) - miscfiles_read_fonts(bluetooth_t) -- --sysnet_read_config(bluetooth_t) -+miscfiles_read_hwdata(bluetooth_t) - - userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) -- - sysadm_dontaudit_use_ptys(bluetooth_t) - sysadm_dontaudit_search_home_dirs(bluetooth_t) - -@@ -128,10 +132,15 @@ - optional_policy(` - dbus_system_bus_client_template(bluetooth, bluetooth_t) - dbus_connect_system_bus(bluetooth_t) -+ dbus_system_domain(bluetooth_t, bluetooth_exec_t) -+ -+ optional_policy(` -+ cups_dbus_chat(bluetooth_t) - ') - - optional_policy(` -- nis_use_ypbind(bluetooth_t) -+ hal_dbus_chat(bluetooth_t) -+ ') - ') - - optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.5.13/policy/modules/services/certmaster.fc ---- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/certmaster.fc 2008-11-04 08:52:09.000000000 -0500 -@@ -0,0 +1,9 @@ -+ -+/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0) -+/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0) -+ -+/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0) -+ -+/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) -+ -+/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.5.13/policy/modules/services/certmaster.if ---- nsaserefpolicy/policy/modules/services/certmaster.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/certmaster.if 2008-11-03 17:32:32.000000000 -0500 -@@ -0,0 +1,128 @@ -+## policy for certmaster -+ -+######################################## -+## -+## Execute a domain transition to run certmaster. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`certmaster_domtrans',` -+ gen_require(` -+ type certmaster_t, certmaster_exec_t; -+ ') -+ -+ domain_auto_trans($1,certmaster_exec_t,certmaster_t) -+ -+ allow certmaster_t $1:fd use; -+ allow certmaster_t $1:fifo_file rw_file_perms; -+ allow certmaster_t $1:process sigchld; -+') -+ -+####################################### -+## -+## read -+## certmaster logs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`certmaster_read_log',` -+ gen_require(` -+ type certmaster_var_log_t; -+ ') -+ -+ read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) -+') -+ -+####################################### -+## -+## Append to certmaster logs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`certmaster_append_log',` -+ gen_require(` -+ type certmaster_var_log_t; -+ ') -+ -+ append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) -+') -+ -+####################################### -+## -+## Create, read, write, and delete -+## certmaster logs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`certmaster_manage_log',` -+ gen_require(` -+ type certmaster_var_log_t; -+ ') -+ -+ manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) -+ manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an snort environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the syslog domain. -+## -+## -+## -+# -+interface(`certmaster_admin',` -+ gen_require(` -+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; -+ type certmaster_etc_rw_t, certmaster_var_log_t; -+ type certmaster_initrc_exec_t; -+ ') -+ -+ allow $1 certmaster_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, certmaster_t) -+ -+ init_labeled_script_domtrans($1, certmaster_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 certmaster_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_etc($1) -+ miscfiles_manage_cert_dirs($1) -+ miscfiles_manage_cert_files($1) -+ -+ admin_pattern($1, certmaster_etc_rw_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, certmaster_var_run_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, certmaster_var_log_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, certmaster_var_lib_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.5.13/policy/modules/services/certmaster.te ---- nsaserefpolicy/policy/modules/services/certmaster.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/certmaster.te 2008-11-03 17:19:28.000000000 -0500 -@@ -0,0 +1,81 @@ -+policy_module(certmaster,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+# type and domain for certmaster -+type certmaster_t; -+type certmaster_exec_t; -+init_daemon_domain(certmaster_t, certmaster_exec_t) -+ -+type certmaster_initrc_exec_t; -+init_script_file(certmaster_initrc_exec_t) -+ -+# var/lib files -+type certmaster_var_lib_t; -+files_type(certmaster_var_lib_t) -+ -+# config files -+type certmaster_etc_rw_t; -+files_config_file(certmaster_etc_rw_t) -+ -+# log files -+type certmaster_var_log_t; -+logging_log_file(certmaster_var_log_t) -+ -+# pid files -+type certmaster_var_run_t; -+files_pid_file(certmaster_var_run_t) -+ -+########################################### -+# -+# certmaster local policy -+# -+ -+allow certmaster_t self:tcp_socket create_stream_socket_perms; -+ -+# config files -+list_dirs_pattern(certmaster_t,certmaster_etc_rw_t,certmaster_etc_rw_t) -+manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t) -+ -+# var/lib files for certmaster -+manage_files_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t) -+manage_dirs_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t) -+files_var_lib_filetrans(certmaster_t,certmaster_var_lib_t, { file dir }) -+ -+# log files -+manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) -+logging_log_filetrans(certmaster_t,certmaster_var_log_t, file ) -+ -+# pid file -+manage_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t) -+manage_sock_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t) -+files_pid_filetrans(certmaster_t,certmaster_var_run_t, { file sock_file }) -+ -+corecmd_search_bin(certmaster_t) -+corecmd_getattr_bin_files(certmaster_t) -+ -+# network -+corenet_tcp_bind_inaddr_any_node(certmaster_t) -+corenet_tcp_bind_certmaster_port(certmaster_t) -+ -+files_search_etc(certmaster_t) -+files_list_var(certmaster_t) -+files_search_var_lib(certmaster_t) -+ -+# read meminfo -+kernel_read_system_state(certmaster_t) -+ -+auth_use_nsswitch(certmaster_t) -+ -+libs_use_ld_so(certmaster_t) -+libs_use_shared_libs(certmaster_t) -+ -+miscfiles_read_localization(certmaster_t) -+ -+miscfiles_manage_cert_dirs(certmaster_t) -+miscfiles_manage_cert_files(certmaster_t) -+ -+permissive certmaster_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.5.13/policy/modules/services/clamav.fc ---- nsaserefpolicy/policy/modules/services/clamav.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/clamav.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,20 +1,22 @@ - /etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0) -+/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0) - - /usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) - /usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) - /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) - - /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) -+/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) - - /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) --/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) --/var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0) --/var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0) -+/var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0) -+/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) - - /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) -+/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) - --/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0) --/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0) -+/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0) - /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) -+/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) - - /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.5.13/policy/modules/services/clamav.if ---- nsaserefpolicy/policy/modules/services/clamav.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/clamav.if 2008-10-28 10:56:19.000000000 -0400 -@@ -38,6 +38,27 @@ - - ######################################## - ## -+## Allow the specified domain to append -+## to clamav log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`clamav_append_log',` -+ gen_require(` -+ type clamav_log_t; -+ ') -+ -+ logging_search_logs($1) -+ allow $1 clamav_log_t:dir list_dir_perms; -+ append_files_pattern($1, clamav_log_t, clamav_log_t) -+') -+ -+######################################## -+## - ## Read clamav configuration files. - ## - ## -@@ -91,3 +112,87 @@ - - domtrans_pattern($1, clamscan_exec_t, clamscan_t) - ') -+ -+######################################## -+## -+## Execute clamscan without a transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`clamav_exec_clamscan',` -+ gen_require(` -+ type clamscan_exec_t; -+ ') -+ -+ can_exec($1, clamscan_exec_t) -+ -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an clamav environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the clamav domain. -+## -+## -+## -+# -+interface(`clamav_admin',` -+ gen_require(` -+ type clamd_t, clamd_etc_t, clamd_tmp_t; -+ type clamd_var_log_t, clamd_var_lib_t; -+ type clamd_var_run_t; -+ -+ type clamscan_t, clamscan_tmp_t; -+ -+ type freshclam_t, freshclam_var_log_t; -+ -+ type clamd_initrc_exec_t; -+ ') -+ -+ allow $1 clamd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, clamd_t) -+ -+ allow $1 clamscan_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, clamscan_t) -+ -+ allow $1 freshclam_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, freshclam_t) -+ -+ init_labeled_script_domtrans($1, clamd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 clamd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, clamd_tmp_t) -+ -+ files_list_etc($1) -+ admin_pattern($1, clamd_etc_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, clamd_var_log_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, clamd_var_lib_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, clamd_var_run_t) -+ -+ admin_pattern($1, clamscan_tmp_t) -+ -+ admin_pattern($1, freshclam_var_log_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.5.13/policy/modules/services/clamav.te ---- nsaserefpolicy/policy/modules/services/clamav.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/clamav.te 2008-10-28 10:56:19.000000000 -0400 -@@ -13,7 +13,10 @@ - - # configuration files - type clamd_etc_t; --files_type(clamd_etc_t) -+files_config_file(clamd_etc_t) -+ -+type clamd_initrc_exec_t; -+init_script_file(clamd_initrc_exec_t) - - # tmp files - type clamd_tmp_t; -@@ -87,6 +90,9 @@ - kernel_dontaudit_list_proc(clamd_t) - kernel_read_sysctl(clamd_t) - kernel_read_kernel_sysctls(clamd_t) -+kernel_read_system_state(clamd_t) -+ -+corecmd_exec_shell(clamd_t) - - corenet_all_recvfrom_unlabeled(clamd_t) - corenet_all_recvfrom_netlabel(clamd_t) -@@ -97,6 +103,8 @@ - corenet_tcp_bind_all_nodes(clamd_t) - corenet_tcp_bind_clamd_port(clamd_t) - corenet_sendrecv_clamd_server_packets(clamd_t) -+corenet_tcp_bind_generic_port(clamd_t) -+corenet_tcp_connect_generic_port(clamd_t) - - dev_read_rand(clamd_t) - dev_read_urand(clamd_t) -@@ -120,6 +128,9 @@ - cron_use_system_job_fds(clamd_t) - cron_rw_pipes(clamd_t) - -+mta_read_config(clamd_t) -+mta_send_mail(clamd_t) -+ - optional_policy(` - amavis_read_lib_files(clamd_t) - amavis_read_spool_files(clamd_t) -@@ -127,6 +138,10 @@ - amavis_create_pid_files(clamd_t) - ') - -+optional_policy(` -+ exim_read_spool_files(clamd_t) -+') -+ - ######################################## - # - # Freshclam local policy -@@ -197,7 +212,7 @@ - allow clamscan_t self:fifo_file rw_file_perms; - allow clamscan_t self:unix_stream_socket create_stream_socket_perms; - allow clamscan_t self:unix_dgram_socket create_socket_perms; --allow clamscan_t self:tcp_socket { listen accept }; -+allow clamscan_t self:tcp_socket create_stream_socket_perms; - - # configuration files - allow clamscan_t clamd_etc_t:dir list_dir_perms; -@@ -213,6 +228,14 @@ - manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) - allow clamscan_t clamd_var_lib_t:dir list_dir_perms; - -+corenet_all_recvfrom_unlabeled(clamscan_t) -+corenet_all_recvfrom_netlabel(clamscan_t) -+corenet_tcp_sendrecv_all_if(clamscan_t) -+corenet_tcp_sendrecv_all_nodes(clamscan_t) -+corenet_tcp_sendrecv_all_ports(clamscan_t) -+corenet_tcp_sendrecv_clamd_port(clamscan_t) -+corenet_tcp_connect_clamd_port(clamscan_t) -+ - kernel_read_kernel_sysctls(clamscan_t) - - files_read_etc_files(clamscan_t) -@@ -230,6 +253,12 @@ - - clamav_stream_connect(clamscan_t) - -+mta_send_mail(clamscan_t) -+ - optional_policy(` - apache_read_sys_content(clamscan_t) - ') -+ -+optional_policy(` -+ mailscanner_manage_spool(clamscan_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.5.13/policy/modules/services/consolekit.fc ---- nsaserefpolicy/policy/modules/services/consolekit.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/consolekit.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,3 +1,6 @@ - /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) - - /var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) -+/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0) -+ -+/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.5.13/policy/modules/services/consolekit.if ---- nsaserefpolicy/policy/modules/services/consolekit.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/consolekit.if 2008-11-04 09:40:18.000000000 -0500 -@@ -38,3 +38,24 @@ - allow $1 consolekit_t:dbus send_msg; - allow consolekit_t $1:dbus send_msg; - ') -+ -+######################################## -+## -+## Read consolekit log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`consolekit_read_log',` -+ gen_require(` -+ type consolekit_log_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, consolekit_log_t, consolekit_log_t) -+') -+ -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.5.13/policy/modules/services/consolekit.te ---- nsaserefpolicy/policy/modules/services/consolekit.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/consolekit.te 2008-10-28 10:56:19.000000000 -0400 -@@ -13,6 +13,9 @@ - type consolekit_var_run_t; - files_pid_file(consolekit_var_run_t) - -+type consolekit_log_t; -+files_pid_file(consolekit_log_t) -+ - ######################################## - # - # consolekit local policy -@@ -24,20 +27,27 @@ - allow consolekit_t self:unix_stream_socket create_stream_socket_perms; - allow consolekit_t self:unix_dgram_socket create_socket_perms; - -+manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) -+logging_log_filetrans(consolekit_t, consolekit_log_t, file) -+ -+manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) - manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) --files_pid_filetrans(consolekit_t, consolekit_var_run_t, file) -+files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir }) - - kernel_read_system_state(consolekit_t) - - corecmd_exec_bin(consolekit_t) -+corecmd_exec_shell(consolekit_t) - - dev_read_urand(consolekit_t) - dev_read_sysfs(consolekit_t) - - domain_read_all_domains_state(consolekit_t) - domain_use_interactive_fds(consolekit_t) -+domain_dontaudit_ptrace_all_domains(consolekit_t) - - files_read_etc_files(consolekit_t) -+files_read_usr_files(consolekit_t) - # needs to read /var/lib/dbus/machine-id - files_read_var_lib_files(consolekit_t) - -@@ -47,16 +57,37 @@ - - auth_use_nsswitch(consolekit_t) - -+init_telinit(consolekit_t) -+init_rw_utmp(consolekit_t) -+init_chat(consolekit_t) -+ - libs_use_ld_so(consolekit_t) - libs_use_shared_libs(consolekit_t) - -+logging_send_syslog_msg(consolekit_t) -+ - miscfiles_read_localization(consolekit_t) - -+# consolekit needs to be able to ptrace all logged in users -+userdom_ptrace_all_users(consolekit_t) -+unprivuser_dontaudit_read_home_content_files(consolekit_t) -+ -+hal_ptrace(consolekit_t) -+mcs_ptrace_all(consolekit_t) -+ - optional_policy(` -- dbus_system_bus_client_template(consolekit, consolekit_t) -- dbus_connect_system_bus(consolekit_t) -+ cron_read_system_job_lib_files(consolekit_t) -+') - -+optional_policy(` -+ dbus_system_domain(consolekit_t, consolekit_exec_t) -+ optional_policy(` - hal_dbus_chat(consolekit_t) -+ ') -+ -+ optional_policy(` -+ rpm_dbus_chat(consolekit_t) -+ ') - - optional_policy(` - unconfined_dbus_chat(consolekit_t) -@@ -64,6 +95,33 @@ - ') - - optional_policy(` -+ polkit_domtrans_auth(consolekit_t) -+ polkit_read_lib(consolekit_t) -+') -+ -+optional_policy(` - xserver_read_all_users_xauth(consolekit_t) - xserver_stream_connect_xdm_xserver(consolekit_t) -+ xserver_ptrace_xdm(consolekit_t) - ') -+ -+optional_policy(` -+ #reading .Xauthity -+ unconfined_ptrace(consolekit_t) -+ unconfined_stream_connect(consolekit_t) -+') -+ -+optional_policy(` -+ unprivuser_read_tmp_files(consolekit_t) -+') -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_dontaudit_list_nfs(consolekit_t) -+ fs_dontaudit_rw_nfs_files(consolekit_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_dontaudit_list_cifs(consolekit_t) -+ fs_dontaudit_rw_cifs_files(consolekit_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.fc serefpolicy-3.5.13/policy/modules/services/courier.fc ---- nsaserefpolicy/policy/modules/services/courier.fc 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/courier.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -19,5 +19,5 @@ - /var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0) - - /var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0) -- - /var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) -+/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.5.13/policy/modules/services/courier.te ---- nsaserefpolicy/policy/modules/services/courier.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/courier.te 2008-10-28 10:56:19.000000000 -0400 -@@ -10,6 +10,7 @@ - - type courier_etc_t; - files_config_file(courier_etc_t) -+mta_system_content(courier_etc_t) - - courier_domain_template(pcp) - -@@ -73,6 +74,9 @@ - - sysadm_dontaudit_search_home_dirs(courier_authdaemon_t) - -+files_search_spool(courier_authdaemon_t, courier_spool_t, courier_spool_t) -+manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t) -+ - ######################################## - # - # Calendar (PCP) local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.5.13/policy/modules/services/cron.fc ---- nsaserefpolicy/policy/modules/services/cron.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cron.fc 2008-11-03 11:38:06.000000000 -0500 -@@ -17,6 +17,8 @@ - /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) - /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) - -+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) -+ - /var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0) - /var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0) - /var/spool/at/[^/]* -- <> -@@ -45,3 +47,8 @@ - /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) - /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) - /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) -+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) -+ -+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) -+ -+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.13/policy/modules/services/cron.if ---- nsaserefpolicy/policy/modules/services/cron.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-10-29 11:57:59.000000000 -0400 -@@ -35,39 +35,24 @@ - # - template(`cron_per_role_template',` - gen_require(` -+ class context contains; - attribute cron_spool_type; - type crond_t, cron_spool_t, crontab_exec_t; -- class dbus send_msg; - ') -+ typealias $1_t alias $1_crond_t; - - # Type of user crontabs once moved to cron spool. - type $1_cron_spool_t, cron_spool_type; - files_type($1_cron_spool_t) -+ mta_system_content($1_cron_spool_t) - -- type $1_crond_t; -- domain_type($1_crond_t) -- domain_cron_exemption_target($1_crond_t) -- corecmd_shell_entry_type($1_crond_t) -- role $3 types $1_crond_t; -+ domain_cron_exemption_target($1_t) -+ corecmd_shell_entry_type($1_t) - - type $1_crontab_t; - application_domain($1_crontab_t, crontab_exec_t) - role $3 types $1_crontab_t; - -- type $1_crontab_tmp_t; -- files_tmp_file($1_crontab_tmp_t) -- -- ############################## -- # -- # $1_crond_t local policy -- # -- -- allow $1_crond_t self:capability dac_override; -- allow $1_crond_t self:process { signal_perms setsched }; -- allow $1_crond_t self:fifo_file rw_fifo_file_perms; -- allow $1_crond_t self:unix_stream_socket create_stream_socket_perms; -- allow $1_crond_t self:unix_dgram_socket create_socket_perms; -- - # The entrypoint interface is not used as this is not - # a regular entrypoint. Since crontab files are - # not directly executed, crond must ensure that -@@ -75,116 +60,23 @@ - # for the domain of the user cron job. It - # performs an entrypoint permission check - # for this purpose. -- allow $1_crond_t $1_cron_spool_t:file entrypoint; -+ allow $1_t $1_cron_spool_t:file entrypoint; - - # Permit a transition from the crond_t domain to this domain. - # The transition is requested explicitly by the modified crond - # via setexeccon. There is no way to set up an automatic - # transition, since crontabs are configuration files, not executables. -- allow crond_t $1_crond_t:process transition; -- dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh }; -- allow crond_t $1_crond_t:fd use; -- allow $1_crond_t crond_t:fd use; -- allow $1_crond_t crond_t:fifo_file rw_file_perms; -- allow $1_crond_t crond_t:process sigchld; -- -- kernel_read_system_state($1_crond_t) -- kernel_read_kernel_sysctls($1_crond_t) -- -- # ps does not need to access /boot when run from cron -- files_dontaudit_search_boot($1_crond_t) -- -- corenet_all_recvfrom_unlabeled($1_crond_t) -- corenet_all_recvfrom_netlabel($1_crond_t) -- corenet_tcp_sendrecv_all_if($1_crond_t) -- corenet_udp_sendrecv_all_if($1_crond_t) -- corenet_tcp_sendrecv_all_nodes($1_crond_t) -- corenet_udp_sendrecv_all_nodes($1_crond_t) -- corenet_tcp_sendrecv_all_ports($1_crond_t) -- corenet_udp_sendrecv_all_ports($1_crond_t) -- corenet_tcp_connect_all_ports($1_crond_t) -- corenet_sendrecv_all_client_packets($1_crond_t) -- -- dev_read_urand($1_crond_t) -- -- fs_getattr_all_fs($1_crond_t) -- -- corecmd_exec_all_executables($1_crond_t) -- -- # quiet other ps operations -- domain_dontaudit_read_all_domains_state($1_crond_t) -- domain_dontaudit_getattr_all_domains($1_crond_t) -- -- files_read_usr_files($1_crond_t) -- files_exec_etc_files($1_crond_t) -- # for nscd: -- files_dontaudit_search_pids($1_crond_t) -- -- libs_use_ld_so($1_crond_t) -- libs_use_shared_libs($1_crond_t) -- libs_exec_lib_files($1_crond_t) -- libs_exec_ld_so($1_crond_t) -- -- files_read_etc_runtime_files($1_crond_t) -- files_read_var_files($1_crond_t) -- files_search_spool($1_crond_t) -- -- logging_search_logs($1_crond_t) -- -- seutil_read_config($1_crond_t) -- -- miscfiles_read_localization($1_crond_t) -- -- userdom_manage_user_tmp_files($1, $1_crond_t) -- userdom_manage_user_tmp_symlinks($1, $1_crond_t) -- userdom_manage_user_tmp_pipes($1, $1_crond_t) -- userdom_manage_user_tmp_sockets($1, $1_crond_t) -- # Run scripts in user home directory and access shared libs. -- userdom_exec_user_home_content_files($1, $1_crond_t) -- # Access user files and dirs. --# userdom_manage_user_home_subdir_dirs($1,$1_crond_t) -- userdom_manage_user_home_content_files($1, $1_crond_t) -- userdom_manage_user_home_content_symlinks($1, $1_crond_t) -- userdom_manage_user_home_content_pipes($1, $1_crond_t) -- userdom_manage_user_home_content_sockets($1, $1_crond_t) --# userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set) -+ allow crond_t $1_t:process transition; -+ dontaudit crond_t $1_t:process { noatsecure siginh rlimitinh }; -+ allow crond_t $1_t:fd use; -+ allow $1_t crond_t:fd use; -+ allow $1_t crond_t:fifo_file rw_file_perms; -+ allow $1_t crond_t:process sigchld; - - tunable_policy(`fcron_crond', ` - allow crond_t $1_cron_spool_t:file manage_file_perms; - ') - -- # need a per-role version of this: -- #optional_policy(` -- # mono_domtrans($1_crond_t) -- #') -- -- optional_policy(` -- dbus_stub($1_crond_t) -- -- allow $1_crond_t $2:dbus send_msg; -- ') -- -- optional_policy(` -- nis_use_ypbind($1_crond_t) -- ') -- -- ifdef(`TODO',` -- optional_policy(` -- create_dir_file($1_crond_t, httpd_$1_content_t) -- ') -- allow $1_crond_t tmp_t:dir rw_dir_perms; -- type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t; -- -- ifdef(`mta.te', ` -- domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t) -- allow $1_crond_t sendmail_exec_t:lnk_file read_lnk_file_perms; -- -- # $1_mail_t should only be reading from the cron fifo not needing to write -- dontaudit $1_mail_t crond_t:fifo_file write; -- allow mta_user_agent $1_crond_t:fd use; -- ') -- ') dnl endif TODO -- - ############################## - # - # $1_crontab_t local policy -@@ -193,10 +85,13 @@ - # dac_override is to create the file in the directory under /tmp - allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override }; - allow $1_crontab_t self:process signal_perms; -+ allow $1_crontab_t self:fifo_file rw_fifo_file_perms; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, crontab_exec_t, $1_crontab_t) -+ allow $2 $1_crontab_t:fd use; - -+ auth_run_chk_passwd($1_crontab_t, $3, { $1_devpts_t $1_tty_device_t }) - # crontab shows up in user ps - ps_process_pattern($2, $1_crontab_t) - -@@ -206,9 +101,6 @@ - # Allow crond to read those crontabs in cron spool. - allow crond_t $1_cron_spool_t:file manage_file_perms; - -- allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms; -- files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, file) -- - # create files in /var/spool/cron - manage_files_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t) - filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t,file) -@@ -227,27 +119,32 @@ - # Run helper programs as the user domain - corecmd_bin_domtrans($1_crontab_t, $2) - corecmd_shell_domtrans($1_crontab_t, $2) -+ allow $2 $1_crontab_t:process sigchld; - - domain_use_interactive_fds($1_crontab_t) - - files_read_etc_files($1_crontab_t) - files_dontaudit_search_pids($1_crontab_t) - -+ auth_use_nsswitch($1_crontab_t) -+ - libs_use_ld_so($1_crontab_t) - libs_use_shared_libs($1_crontab_t) - - logging_send_syslog_msg($1_crontab_t) -+ logging_send_audit_msgs($1_crontab_t) - - miscfiles_read_localization($1_crontab_t) - - seutil_read_config($1_crontab_t) - -- userdom_manage_user_tmp_dirs($1, $1_crontab_t) -- userdom_manage_user_tmp_files($1, $1_crontab_t) -+ unprivuser_manage_tmp_dirs($1_crontab_t) -+ unprivuser_manage_tmp_files($1_crontab_t) - # Access terminals. - userdom_use_user_terminals($1, $1_crontab_t) - # Read user crontabs - userdom_read_user_home_content_files($1, $1_crontab_t) -+ userdom_transition_user_tmp($1, $1_crontab_t, { lnk_file file dir fifo_file }) - - tunable_policy(`fcron_crond',` - # fcron wants an instant update of a crontab change for the administrator -@@ -286,14 +183,12 @@ - template(`cron_admin_template',` - gen_require(` - attribute cron_spool_type; -- type $1_crontab_t, $1_crond_t; -+ type $1_crontab_t; - ') - - # Allow our crontab domain to unlink a user cron spool file. - allow $1_crontab_t cron_spool_type:file { getattr read unlink }; - -- logging_read_generic_logs($1_crond_t) -- - # Manipulate other users crontab. - selinux_get_fs_mount($1_crontab_t) - selinux_validate_context($1_crontab_t) -@@ -421,6 +316,24 @@ - - ######################################## - ## -+## Allow read/write unix stream sockets from the system cron jobs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cron_rw_system_stream_sockets',` -+ gen_require(` -+ type system_crond_t; -+ ') -+ -+ allow $1 system_crond_t:unix_stream_socket { read write }; -+') -+ -+######################################## -+## - ## Read and write a cron daemon unnamed pipe. - ## - ## -@@ -439,7 +352,7 @@ - - ######################################## - ## --## Read, and write cron daemon TCP sockets. -+## Dontaudit Read, and write cron daemon TCP sockets. - ## - ## - ## -@@ -447,7 +360,7 @@ - ## - ## - # --interface(`cron_rw_tcp_sockets',` -+interface(`cron_dontaudit_rw_tcp_sockets',` - gen_require(` - type crond_t; - ') -@@ -559,11 +472,14 @@ - # - interface(`cron_read_system_job_tmp_files',` - gen_require(` -- type system_crond_tmp_t; -+ type system_crond_tmp_t, cron_var_run_t; - ') - - files_search_tmp($1) - allow $1 system_crond_tmp_t:file read_file_perms; -+ -+ files_search_pids($1) -+ allow $1 cron_var_run_t:file read_file_perms; - ') - - ######################################## -@@ -584,3 +500,64 @@ - - dontaudit $1 system_crond_tmp_t:file append; - ') -+ -+ -+######################################## -+## -+## Do not audit attempts to write temporary -+## files from the system cron jobs. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`cron_dontaudit_write_system_job_tmp_files',` -+ gen_require(` -+ type system_crond_tmp_t; -+ type cron_var_run_t; -+ type system_crond_var_run_t; -+ ') -+ -+ dontaudit $1 system_crond_tmp_t:file write_file_perms; -+ dontaudit $1 cron_var_run_t:file write_file_perms; -+') -+ -+######################################## -+## -+## Read temporary files from the system cron jobs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cron_read_system_job_lib_files',` -+ gen_require(` -+ type system_crond_var_lib_t; -+ ') -+ -+ -+ read_files_pattern($1, system_crond_var_lib_t, system_crond_var_lib_t) -+') -+ -+######################################## -+## -+## Manage pid files used by cron -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cron_manage_pid_files',` -+ gen_require(` -+ type crond_var_run_t; -+ ') -+ -+ -+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.5.13/policy/modules/services/cron.te ---- nsaserefpolicy/policy/modules/services/cron.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cron.te 2008-10-28 10:56:19.000000000 -0400 -@@ -12,14 +12,6 @@ - - ## - ##

--## Allow system cron jobs to relabel filesystem --## for restoring file contexts. --##

--## --gen_tunable(cron_can_relabel, false) -- --## --##

- ## Enable extra rules in the cron domain - ## to support fcron. - ##

-@@ -38,6 +30,10 @@ - type cron_var_lib_t; - files_type(cron_var_lib_t) - -+# var/lib files -+type cron_var_run_t; -+files_type(cron_var_run_t) -+ - # var/log files - type cron_log_t; - logging_log_file(cron_log_t) -@@ -50,6 +46,8 @@ - - type crond_tmp_t; - files_tmp_file(crond_tmp_t) -+files_poly_parent(crond_tmp_t) -+mta_system_content(crond_tmp_t) - - type crond_var_run_t; - files_pid_file(crond_var_run_t) -@@ -71,6 +69,12 @@ - type system_crond_tmp_t; - files_tmp_file(system_crond_tmp_t) - -+type system_crond_var_lib_t; -+files_type(system_crond_var_lib_t) -+ -+type system_crond_var_run_t; -+files_pid_file(system_crond_var_run_t) -+ - ifdef(`enable_mcs',` - init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh) - ') -@@ -80,7 +84,7 @@ - # Cron Local policy - # - --allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control }; -+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; - dontaudit crond_t self:capability { sys_resource sys_tty_config }; - allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow crond_t self:process { setexec setfscreate }; -@@ -99,15 +103,14 @@ - allow crond_t crond_var_run_t:file manage_file_perms; - files_pid_filetrans(crond_t,crond_var_run_t,file) - --allow crond_t cron_spool_t:dir rw_dir_perms; --allow crond_t cron_spool_t:file read_file_perms; -+manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) - - manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) - manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) - files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) - --allow crond_t system_cron_spool_t:dir list_dir_perms; --allow crond_t system_cron_spool_t:file read_file_perms; -+list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) -+read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) - - kernel_read_kernel_sysctls(crond_t) - kernel_search_key(crond_t) -@@ -133,6 +136,8 @@ - corecmd_read_bin_symlinks(crond_t) - - domain_use_interactive_fds(crond_t) -+domain_subj_id_change_exemption(crond_t) -+domain_role_change_exemption(crond_t) - - files_read_etc_files(crond_t) - files_read_generic_spool(crond_t) -@@ -142,13 +147,16 @@ - files_search_default(crond_t) - - init_rw_utmp(crond_t) -+init_spec_domtrans_script(crond_t) - - auth_use_nsswitch(crond_t) - - libs_use_ld_so(crond_t) - libs_use_shared_libs(crond_t) - -+logging_send_audit_msgs(crond_t) - logging_send_syslog_msg(crond_t) -+logging_set_loginuid(crond_t) - - seutil_read_config(crond_t) - seutil_read_default_contexts(crond_t) -@@ -161,6 +169,7 @@ - userdom_list_all_users_home_dirs(crond_t) - - mta_send_mail(crond_t) -+mta_system_content(cron_spool_t) - - ifdef(`distro_debian',` - # pam_limits is used -@@ -180,21 +189,45 @@ - ') - ') - -+tunable_policy(`allow_polyinstantiation',` -+ allow crond_t self:capability fowner; -+ files_search_tmp(crond_t) -+ files_polyinstantiate_all(crond_t) -+') -+ -+optional_policy(` -+ apache_search_sys_content(crond_t) -+') -+ - optional_policy(` - locallogin_search_keys(crond_t) - locallogin_link_keys(crond_t) - ') - -+optional_policy(` -+ # these should probably be unconfined_crond_t -+ init_dbus_send_script(crond_t) -+') -+ -+optional_policy(` -+ mono_domtrans(crond_t) -+') -+ - tunable_policy(`fcron_crond', ` - allow crond_t system_cron_spool_t:file manage_file_perms; - ') - - optional_policy(` -+ amanda_search_var_lib(crond_t) -+') -+ -+optional_policy(` - amavis_search_lib(crond_t) - ') - - optional_policy(` -- hal_dbus_send(crond_t) -+ hal_dbus_chat(crond_t) -+ hal_dbus_chat(system_crond_t) - ') - - optional_policy(` -@@ -236,6 +269,9 @@ - allow system_crond_t cron_var_lib_t:file manage_file_perms; - files_var_lib_filetrans(system_crond_t, cron_var_lib_t, file) - -+allow system_crond_t cron_var_run_t:file manage_file_perms; -+files_pid_filetrans(system_crond_t, cron_var_run_t, file) -+ - allow system_crond_t system_cron_spool_t:file read_file_perms; - # The entrypoint interface is not used as this is not - # a regular entrypoint. Since crontab files are -@@ -267,9 +303,13 @@ - filetrans_pattern(system_crond_t, crond_tmp_t, system_crond_tmp_t, { file lnk_file }) - files_tmp_filetrans(system_crond_t, system_crond_tmp_t, file) - -+# var/lib files for system_crond -+files_search_var_lib(system_crond_t) -+manage_files_pattern(system_crond_t, system_crond_var_lib_t, system_crond_var_lib_t) -+ - # Read from /var/spool/cron. - allow system_crond_t cron_spool_t:dir list_dir_perms; --allow system_crond_t cron_spool_t:file read_file_perms; -+allow system_crond_t cron_spool_t:file rw_file_perms; - - kernel_read_kernel_sysctls(system_crond_t) - kernel_read_system_state(system_crond_t) -@@ -323,7 +363,8 @@ - init_read_utmp(system_crond_t) - init_dontaudit_rw_utmp(system_crond_t) - # prelink tells init to restart it self, we either need to allow or dontaudit --init_write_initctl(system_crond_t) -+init_telinit(system_crond_t) -+init_spec_domtrans_script(system_crond_t) - - auth_use_nsswitch(system_crond_t) - -@@ -333,6 +374,7 @@ - libs_exec_ld_so(system_crond_t) - - logging_read_generic_logs(system_crond_t) -+logging_send_audit_msgs(system_crond_t) - logging_send_syslog_msg(system_crond_t) - - miscfiles_read_localization(system_crond_t) -@@ -348,18 +390,6 @@ - ') - ') - --tunable_policy(`cron_can_relabel',` -- seutil_domtrans_setfiles(system_crond_t) --',` -- selinux_get_fs_mount(system_crond_t) -- selinux_validate_context(system_crond_t) -- selinux_compute_access_vector(system_crond_t) -- selinux_compute_create_context(system_crond_t) -- selinux_compute_relabel_context(system_crond_t) -- selinux_compute_user_contexts(system_crond_t) -- seutil_read_file_contexts(system_crond_t) --') -- - optional_policy(` - # Needed for certwatch - apache_exec_modules(system_crond_t) -@@ -383,11 +413,20 @@ - ') - - optional_policy(` -+ lpd_list_spool(system_crond_t) -+') -+ -+optional_policy(` -+ mono_domtrans(system_crond_t) -+') -+ -+optional_policy(` - mrtg_append_create_logs(system_crond_t) - ') - - optional_policy(` - mta_send_mail(system_crond_t) -+ mta_system_content(system_cron_spool_t) - ') - - optional_policy(` -@@ -415,8 +454,7 @@ - ') - - optional_policy(` -- # cjp: why? -- squid_domtrans(system_crond_t) -+ spamassassin_manage_lib_files(system_crond_t) - ') - - optional_policy(` -@@ -424,15 +462,12 @@ - ') - - optional_policy(` -+ unconfined_dbus_send(crond_t) -+ unconfined_shell_domtrans(crond_t) -+ unconfined_domain(crond_t) - unconfined_domain(system_crond_t) -- -- userdom_priveleged_home_dir_manager(system_crond_t) - ') - --ifdef(`TODO',` --ifdef(`mta.te', ` --allow system_crond_t mail_spool_t:lnk_file read; --allow mta_user_agent system_crond_t:fd use; --r_dir_file(system_mail_t, crond_tmp_t) -+optional_policy(` -+ userdom_priveleged_home_dir_manager(system_crond_t) - ') --') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.13/policy/modules/services/cups.fc ---- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cups.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -8,24 +8,35 @@ - /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) -+ -+/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0) - - /etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) - - /etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - -+/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+ - /usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -+/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) - --/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) --/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) --/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) -+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) -+/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) - - /usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - - /usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) - /usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - /usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0) -+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0) -+# keep as separate lines to ensure proper sorting -+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) -+/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) -+ - /usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) - /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) -@@ -33,7 +44,7 @@ - - /usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) - /usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) --/usr/share/hplip/hpssd\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) -+/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) - - /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -@@ -43,10 +54,18 @@ - /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - - /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) --/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0) -+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) - - /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) - /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) - /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) - /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) - /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) -+ -+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+ -+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+ -+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.5.13/policy/modules/services/cups.if ---- nsaserefpolicy/policy/modules/services/cups.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cups.if 2008-11-06 12:45:55.000000000 -0500 -@@ -20,6 +20,30 @@ - - ######################################## - ## -+## Setup cups to transtion to the cups backend domain -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`cups_backend',` -+ gen_require(` -+ type cupsd_t; -+ ') -+ -+ domtrans_pattern(cupsd_t, $2, $1) -+ -+ allow cupsd_t $1:process signal; -+ allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms; -+ -+ cups_read_config($1) -+ cups_append_log($1) -+') -+ -+######################################## -+## - ## Connect to cupsd over an unix domain stream socket. - ## - ## -@@ -212,6 +236,25 @@ - - ######################################## - ## -+## Append cups log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cups_append_log',` -+ gen_require(` -+ type cupsd_log_t; -+ ') -+ -+ logging_search_logs($1) -+ append_files_pattern($1, cupsd_log_t, cupsd_log_t) -+') -+ -+######################################## -+## - ## Write cups log files. - ## - ## -@@ -247,3 +290,66 @@ - files_search_pids($1) - stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t) - ') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an cups environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the cups domain. -+## -+## -+## -+# -+interface(`cups_admin',` -+ gen_require(` -+ type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; -+ type cupsd_etc_t, cupsd_log_t, cupsd_spool_t; -+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t; -+ type cupsd_var_run_t, ptal_etc_t; -+ type ptal_var_run_t, hplip_var_run_t; -+ type cupsd_initrc_exec_t; -+ ') -+ -+ allow $1 cupsd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, cupsd_t) -+ -+ init_labeled_script_domtrans($1, cupsd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 cupsd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, cupsd_tmp_t) -+ -+ admin_pattern($1, cupsd_lpd_tmp_t) -+ -+ files_list_etc($1) -+ admin_pattern($1, cupsd_etc_t) -+ -+ admin_pattern($1, ptal_etc_t) -+ -+ files_list_spool($1) -+ admin_pattern($1, cupsd_spool_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, cupsd_log_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, cupsd_var_run_t) -+ -+ admin_pattern($1, ptal_var_run_t) -+ -+ admin_pattern($1, cupsd_config_var_run_t) -+ -+ admin_pattern($1, cupsd_lpd_var_run_t) -+ -+ admin_pattern($1, hplip_var_run_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.13/policy/modules/services/cups.te ---- nsaserefpolicy/policy/modules/services/cups.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cups.te 2008-10-29 13:51:55.000000000 -0400 -@@ -20,6 +20,12 @@ - type cupsd_etc_t; - files_config_file(cupsd_etc_t) - -+type cupsd_initrc_exec_t; -+init_script_file(cupsd_initrc_exec_t) -+ -+type cupsd_interface_t; -+files_type(cupsd_interface_t) -+ - type cupsd_rw_etc_t; - files_config_file(cupsd_rw_etc_t) - -@@ -48,6 +54,10 @@ - type hplip_t; - type hplip_exec_t; - init_daemon_domain(hplip_t, hplip_exec_t) -+# For CUPS to run as a backend -+cups_backend(hplip_t, hplip_exec_t) -+domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) -+read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) - - type hplip_etc_t; - files_config_file(hplip_etc_t) -@@ -65,6 +75,16 @@ - type ptal_var_run_t; - files_pid_file(ptal_var_run_t) - -+type cups_pdf_t; -+type cups_pdf_exec_t; -+domain_type(cups_pdf_t) -+domain_entry_file(cups_pdf_t, cups_pdf_exec_t) -+cups_backend(cups_pdf_t, cups_pdf_exec_t) -+role system_r types cups_pdf_t; -+ -+type cups_pdf_tmp_t; -+files_tmp_file(cups_pdf_tmp_t) -+ - ifdef(`enable_mcs',` - init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh) - ') -@@ -79,13 +99,14 @@ - # - - # /usr/lib/cups/backend/serial needs sys_admin(?!) --allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config }; -+allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config }; - dontaudit cupsd_t self:capability { sys_tty_config net_admin }; --allow cupsd_t self:process { setsched signal_perms }; --allow cupsd_t self:fifo_file rw_file_perms; -+allow cupsd_t self:process { setpgid setsched signal_perms }; -+allow cupsd_t self:fifo_file rw_fifo_file_perms; - allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow cupsd_t self:unix_dgram_socket create_socket_perms; - allow cupsd_t self:netlink_selinux_socket create_socket_perms; -+allow cupsd_t self:shm create_shm_perms; - allow cupsd_t self:tcp_socket create_stream_socket_perms; - allow cupsd_t self:udp_socket create_socket_perms; - allow cupsd_t self:appletalk_socket create_socket_perms; -@@ -97,6 +118,9 @@ - read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) - files_search_etc(cupsd_t) - -+manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) -+can_exec(cupsd_t, cupsd_interface_t) -+ - manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) - manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) - filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) -@@ -104,8 +128,8 @@ - - # allow cups to execute its backend scripts - can_exec(cupsd_t, cupsd_exec_t) --allow cupsd_t cupsd_exec_t:dir search; --allow cupsd_t cupsd_exec_t:lnk_file read; -+allow cupsd_t cupsd_exec_t:dir search_dir_perms; -+allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; - - manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) - allow cupsd_t cupsd_log_t:dir setattr; -@@ -116,13 +140,20 @@ - manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) - files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) - -+# This whole section needs to be moved to a smbspool policy -+# smbspool seems to be iterating through all existing tmp files. -+# Looking for kerberos files -+files_getattr_all_tmp_files(cupsd_t) -+userdom_read_unpriv_users_tmp_files(cupsd_t) -+files_dontaudit_getattr_all_tmp_sockets(cupsd_t) -+ - allow cupsd_t cupsd_var_run_t:dir setattr; - manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) - manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -+manage_fifo_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t) - files_pid_filetrans(cupsd_t, cupsd_var_run_t, file) - --read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) -- -+allow cupsd_t hplip_t:process sigkill; - allow cupsd_t hplip_var_run_t:file read_file_perms; - - stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) -@@ -149,44 +180,49 @@ - corenet_tcp_bind_reserved_port(cupsd_t) - corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) - corenet_tcp_connect_all_ports(cupsd_t) -+corenet_tcp_connect_smbd_port(cupsd_t) - corenet_sendrecv_hplip_client_packets(cupsd_t) - corenet_sendrecv_ipp_client_packets(cupsd_t) - corenet_sendrecv_ipp_server_packets(cupsd_t) -+corenet_tcp_bind_all_rpc_ports(cupsd_t) - - dev_rw_printer(cupsd_t) - dev_read_urand(cupsd_t) - dev_read_sysfs(cupsd_t) --dev_read_usbfs(cupsd_t) -+dev_rw_input_dev(cupsd_t) #447878 -+dev_rw_generic_usb_dev(cupsd_t) -+dev_rw_usbfs(cupsd_t) - dev_getattr_printer_dev(cupsd_t) - - domain_read_all_domains_state(cupsd_t) - - fs_getattr_all_fs(cupsd_t) - fs_search_auto_mountpoints(cupsd_t) -+fs_read_anon_inodefs_files(cupsd_t) - -+mls_fd_use_all_levels(cupsd_t) - mls_file_downgrade(cupsd_t) - mls_file_write_all_levels(cupsd_t) - mls_file_read_all_levels(cupsd_t) -+mls_rangetrans_target(cupsd_t) - mls_socket_write_all_levels(cupsd_t) - - term_use_unallocated_ttys(cupsd_t) - term_search_ptys(cupsd_t) - --auth_domtrans_chk_passwd(cupsd_t) --auth_dontaudit_read_pam_pid(cupsd_t) -- - # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp - corecmd_exec_shell(cupsd_t) - corecmd_exec_bin(cupsd_t) - - domain_use_interactive_fds(cupsd_t) - -+files_list_spool(cupsd_t) - files_read_etc_files(cupsd_t) - files_read_etc_runtime_files(cupsd_t) - # read python modules - files_read_usr_files(cupsd_t) - # for /var/lib/defoma --files_search_var_lib(cupsd_t) -+files_read_var_lib_files(cupsd_t) - files_list_world_readable(cupsd_t) - files_read_world_readable_files(cupsd_t) - files_read_world_readable_symlinks(cupsd_t) -@@ -195,15 +231,16 @@ - files_read_var_symlinks(cupsd_t) - # for /etc/printcap - files_dontaudit_write_etc_files(cupsd_t) --# smbspool seems to be iterating through all existing tmp files. --# redhat bug #214953 --# cjp: this might be a broken behavior --files_dontaudit_getattr_all_tmp_files(cupsd_t) - - selinux_compute_access_vector(cupsd_t) -+selinux_validate_context(cupsd_t) - - init_exec_script_files(cupsd_t) -+init_read_utmp(cupsd_t) - -+auth_domtrans_chk_passwd(cupsd_t) -+auth_dontaudit_read_pam_pid(cupsd_t) -+auth_rw_faillog(cupsd_t) - auth_use_nsswitch(cupsd_t) - - libs_use_ld_so(cupsd_t) -@@ -219,17 +256,21 @@ - miscfiles_read_fonts(cupsd_t) - - seutil_read_config(cupsd_t) -+sysnet_exec_ifconfig(cupsd_t) - --sysnet_read_config(cupsd_t) -- -+files_dontaudit_list_home(cupsd_t) - userdom_dontaudit_use_unpriv_user_fds(cupsd_t) - userdom_dontaudit_search_all_users_home_content(cupsd_t) - - # Write to /var/spool/cups. - lpd_manage_spool(cupsd_t) -+lpd_read_config(cupsd_t) -+lpd_exec_lpr(cupsd_t) -+lpd_relabel_spool(cupsd_t) - - ifdef(`enable_mls',` -- lpd_relabel_spool(cupsd_t) -+ mls_trusted_object(cupsd_var_run_t) -+ init_ranged_daemon_domain(cupsd_t, cupsd_exec_t,mls_systemhigh) - ') - - optional_policy(` -@@ -246,8 +287,16 @@ - userdom_dbus_send_all_users(cupsd_t) - - optional_policy(` -+ avahi_dbus_chat(cupsd_t) -+ ') -+ -+ optional_policy(` - hal_dbus_chat(cupsd_t) - ') -+ -+ optional_policy(` -+ unconfined_dbus_chat(cupsd_t) -+ ') - ') - - optional_policy(` -@@ -263,6 +312,10 @@ - ') - - optional_policy(` -+ mta_send_mail(cupsd_t) -+') -+ -+optional_policy(` - # cups execs smbtool which reads samba_etc_t files - samba_read_config(cupsd_t) - samba_rw_var_files(cupsd_t) -@@ -281,7 +334,7 @@ - # Cups configuration daemon local policy - # - --allow cupsd_config_t self:capability { chown sys_tty_config }; -+allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; - dontaudit cupsd_config_t self:capability sys_tty_config; - allow cupsd_config_t self:process signal_perms; - allow cupsd_config_t self:fifo_file rw_fifo_file_perms; -@@ -313,7 +366,7 @@ - files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file) - - kernel_read_system_state(cupsd_config_t) --kernel_read_kernel_sysctls(cupsd_config_t) -+kernel_read_all_sysctls(cupsd_config_t) - - corenet_all_recvfrom_unlabeled(cupsd_config_t) - corenet_all_recvfrom_netlabel(cupsd_config_t) -@@ -326,6 +379,7 @@ - dev_read_sysfs(cupsd_config_t) - dev_read_urand(cupsd_config_t) - dev_read_rand(cupsd_config_t) -+dev_rw_generic_usb_dev(cupsd_config_t) - - fs_getattr_all_fs(cupsd_config_t) - fs_search_auto_mountpoints(cupsd_config_t) -@@ -343,7 +397,7 @@ - files_read_var_symlinks(cupsd_config_t) - - # Alternatives asks for this --init_getattr_script_files(cupsd_config_t) -+init_getattr_all_script_files(cupsd_config_t) - - auth_use_nsswitch(cupsd_config_t) - -@@ -353,6 +407,7 @@ - logging_send_syslog_msg(cupsd_config_t) - - miscfiles_read_localization(cupsd_config_t) -+miscfiles_read_hwdata(cupsd_config_t) - - seutil_dontaudit_search_config(cupsd_config_t) - -@@ -365,14 +420,16 @@ - sysadm_dontaudit_search_home_dirs(cupsd_config_t) - - ifdef(`distro_redhat',` -- init_getattr_script_files(cupsd_config_t) -- - optional_policy(` - rpm_read_db(cupsd_config_t) - ') - ') - - optional_policy(` -+ term_use_generic_ptys(cupsd_config_t) -+') -+ -+optional_policy(` - cron_system_entry(cupsd_config_t, cupsd_config_exec_t) - ') - -@@ -388,6 +445,7 @@ - optional_policy(` - hal_domtrans(cupsd_config_t) - hal_read_tmp_files(cupsd_config_t) -+ hal_dontaudit_use_fds(hplip_t) - ') - - optional_policy(` -@@ -500,7 +558,7 @@ - allow hplip_t self:udp_socket create_socket_perms; - allow hplip_t self:rawip_socket create_socket_perms; - --allow hplip_t cupsd_etc_t:dir search; -+allow hplip_t cupsd_etc_t:dir search_dir_perms; - - cups_stream_connect(hplip_t) - -@@ -509,6 +567,8 @@ - read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) - files_search_etc(hplip_t) - -+read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) -+ - manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) - files_pid_filetrans(hplip_t, hplip_var_run_t, file) - -@@ -538,7 +598,8 @@ - dev_read_urand(hplip_t) - dev_read_rand(hplip_t) - dev_rw_generic_usb_dev(hplip_t) --dev_read_usbfs(hplip_t) -+dev_rw_usbfs(hplip_t) -+ - - fs_getattr_all_fs(hplip_t) - fs_search_auto_mountpoints(hplip_t) -@@ -564,12 +625,14 @@ - userdom_dontaudit_use_unpriv_user_fds(hplip_t) - userdom_dontaudit_search_all_users_home_content(hplip_t) - --lpd_read_config(cupsd_t) -+lpd_read_config(hplip_t) -+lpd_manage_spool(hplip_t) - - sysadm_dontaudit_search_home_dirs(hplip_t) - - optional_policy(` - dbus_system_bus_client_template(hplip, hplip_t) -+ dbus_connect_system_bus(hplip_t) - ') - - optional_policy(` -@@ -651,3 +714,44 @@ - optional_policy(` - udev_read_db(ptal_t) - ') -+ -+######################################## -+# -+# cups_pdf local policy -+# -+ -+allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override }; -+ -+allow cups_pdf_t self:fifo_file rw_file_perms; -+allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; -+ -+files_read_etc_files(cups_pdf_t) -+files_read_usr_files(cups_pdf_t) -+ -+kernel_read_system_state(cups_pdf_t) -+ -+auth_use_nsswitch(cups_pdf_t) -+ -+libs_use_ld_so(cups_pdf_t) -+libs_use_shared_libs(cups_pdf_t) -+ -+corecmd_exec_shell(cups_pdf_t) -+corecmd_exec_bin(cups_pdf_t) -+ -+miscfiles_read_localization(cups_pdf_t) -+ -+manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) -+manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) -+files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) -+ -+unprivuser_home_filetrans_home_dir(cups_pdf_t) -+unprivuser_manage_home_content_dirs(cups_pdf_t) -+unprivuser_manage_home_content_files(cups_pdf_t) -+ -+lpd_manage_spool(cups_pdf_t) -+ -+manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -+miscfiles_read_fonts(cups_pdf_t) -+ -+sysadm_dontaudit_read_home_content_files(cups_pdf_t) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.5.13/policy/modules/services/cvs.te ---- nsaserefpolicy/policy/modules/services/cvs.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cvs.te 2008-10-28 10:56:19.000000000 -0400 -@@ -115,4 +115,5 @@ - read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) - manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) - manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) -+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.5.13/policy/modules/services/cyphesis.fc ---- nsaserefpolicy/policy/modules/services/cyphesis.fc 2008-09-03 11:05:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cyphesis.fc 2008-11-05 15:12:14.000000000 -0500 -@@ -1 +1,6 @@ - /usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0) -+ -+/var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0) -+ -+/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.5.13/policy/modules/services/dbus.fc ---- nsaserefpolicy/policy/modules/services/dbus.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dbus.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -4,6 +4,9 @@ - /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0) - /bin/dbus-daemon -- gen_context(system_u:object_r:system_dbusd_exec_t,s0) - -+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:system_dbusd_exec_t,s0) -+/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:system_dbusd_exec_t,s0) -+ - /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) - - /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.13/policy/modules/services/dbus.if ---- nsaserefpolicy/policy/modules/services/dbus.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2008-10-29 11:24:31.000000000 -0400 -@@ -53,19 +53,19 @@ - gen_require(` - type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; - class dbus { send_msg acquire_svc }; -+ attribute dbusd_unconfined; -+ attribute dbusd_userbus; - ') - - ############################## - # - # Delcarations - # -- type $1_dbusd_t; -+ type $1_dbusd_t, dbusd_userbus; - domain_type($1_dbusd_t) - domain_entry_file($1_dbusd_t, system_dbusd_exec_t) - role $3 types $1_dbusd_t; - -- type $1_dbusd_$1_t; -- - type $1_dbusd_tmp_t; - files_tmp_file($1_dbusd_tmp_t) - -@@ -84,14 +84,19 @@ - allow $1_dbusd_t self:tcp_socket create_stream_socket_perms; - allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms; - -+ allow dbusd_unconfined $1_dbusd_t:dbus { send_msg acquire_svc }; -+ allow $1_dbusd_t dbusd_unconfined:dbus send_msg; -+ - # For connecting to the bus -- allow $2 $1_dbusd_t:unix_stream_socket connectto; -- type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t; -+ allow $2 $1_dbusd_t:unix_stream_socket { rw_socket_perms connectto }; -+ allow $2 $1_dbusd_t:unix_dgram_socket getattr; -+ allow $1_dbusd_t $2:unix_stream_socket rw_socket_perms; - - # SE-DBus specific permissions -- allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg; - allow $2 $1_dbusd_t:dbus { send_msg acquire_svc }; -- allow $1_t system_dbusd_t:dbus { send_msg acquire_svc }; -+ allow $1_dbusd_t $2:dbus send_msg; -+ allow $2 $2:dbus send_msg; -+ allow $2 system_dbusd_t:dbus { send_msg acquire_svc }; - - allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; - read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t) -@@ -102,10 +107,9 @@ - files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir }) - - domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t) -- allow $2 $1_dbusd_t:process { sigkill signal }; -+ allow $2 $1_dbusd_t:process { getattr ptrace signal_perms }; - -- # cjp: this seems very broken -- corecmd_bin_domtrans($1_dbusd_t, $2) -+ corecmd_bin_domtrans($1_dbusd_t, $1_t) - allow $1_dbusd_t $2:process sigkill; - allow $2 $1_dbusd_t:fd use; - allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms; -@@ -115,8 +119,8 @@ - kernel_read_kernel_sysctls($1_dbusd_t) - - corecmd_list_bin($1_dbusd_t) -- corecmd_read_bin_symlinks($1_dbusd_t) - corecmd_read_bin_files($1_dbusd_t) -+ corecmd_read_bin_symlinks($1_dbusd_t) - corecmd_read_bin_pipes($1_dbusd_t) - corecmd_read_bin_sockets($1_dbusd_t) - -@@ -139,6 +143,7 @@ - - fs_getattr_romfs($1_dbusd_t) - fs_getattr_xattr_fs($1_dbusd_t) -+ fs_list_inotifyfs($1_dbusd_t) - - selinux_get_fs_mount($1_dbusd_t) - selinux_validate_context($1_dbusd_t) -@@ -161,12 +166,24 @@ - seutil_read_config($1_dbusd_t) - seutil_read_default_contexts($1_dbusd_t) - -- userdom_read_user_home_content_files($1, $1_dbusd_t) -+ sysadm_dontaudit_search_home_dirs($1_dbusd_t) -+ unprivuser_read_home_content_files($1_dbusd_t) -+ unprivuser_dontaudit_append_home_content_files($1_dbusd_t) -+ term_dontaudit_use_all_user_ptys($1_dbusd_t) -+ term_dontaudit_use_all_user_ttys($1_dbusd_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write }; - ') - -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_read_nfs_files($1_dbusd_t) -+ ') -+ -+ tunable_policy(`use_samba_home_dirs',` -+ fs_read_cifs_files($1_dbusd_t) -+ ') -+ - tunable_policy(`read_default_t',` - files_list_default($1_dbusd_t) - files_read_default_files($1_dbusd_t) -@@ -180,9 +197,17 @@ - ') - - optional_policy(` -+ gnome_read_gnome_config($1, $1_dbusd_t) -+ gnome_read_gconf_home_files($1_dbusd_t) -+ ') -+ -+ optional_policy(` - xserver_use_xdm_fds($1_dbusd_t) - xserver_rw_xdm_pipes($1_dbusd_t) -+ xserver_dontaudit_xdm_lib_search($1_dbusd_t) -+ xserver_rw_xdm_home_files($1_dbusd_t) - ') -+ - ') - - ####################################### -@@ -207,14 +232,12 @@ - type system_dbusd_t, system_dbusd_t; - type system_dbusd_var_run_t, system_dbusd_var_lib_t; - class dbus send_msg; -+ attribute dbusd_unconfined; - ') - --# type $1_dbusd_system_t; --# type_change $2 system_dbusd_t:dbus $1_dbusd_system_t; -- - # SE-DBus specific permissions --# allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg; -- allow $2 { system_dbusd_t self }:dbus send_msg; -+ allow $2 { system_dbusd_t $2 dbusd_unconfined }:dbus send_msg; -+ allow { system_dbusd_t dbusd_unconfined } $2:dbus send_msg; - - read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - files_search_var_lib($2) -@@ -223,6 +246,10 @@ - files_search_pids($2) - stream_connect_pattern($2, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) - dbus_read_config($2) -+ -+ optional_policy(` -+ rpm_script_dbus_chat($2) -+ ') - ') - - ####################################### -@@ -251,18 +278,16 @@ - template(`dbus_user_bus_client_template',` - gen_require(` - type $1_dbusd_t; -+ attribute dbusd_unconfined; - class dbus send_msg; - ') - --# type $2_dbusd_$1_t; --# type_change $3 $1_dbusd_t:dbus $2_dbusd_$1_t; -- - # SE-DBus specific permissions --# allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg; - allow $3 { $1_dbusd_t self }:dbus send_msg; - - # For connecting to the bus - allow $3 $1_dbusd_t:unix_stream_socket connectto; -+ allow dbusd_unconfined $1_dbusd_t:dbus *; - ') - - ######################################## -@@ -292,6 +317,55 @@ - - ######################################## - ## -+## connectto a message on user/application specific DBUS. -+## -+## -+## -+## The prefix of the domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`dbus_connectto_user_bus',` -+ allow $2 $1_dbusd_t:unix_stream_socket connectto; -+') -+ -+######################################## -+## -+## Chat on user/application specific DBUS. -+## -+## -+## -+## The prefix of the domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`dbus_chat_user_bus',` -+ gen_require(` -+ type $1_t; -+ type $1_dbusd_t; -+ class dbus send_msg; -+ ') -+ -+ allow $2 $1_dbusd_t:dbus send_msg; -+ allow $1_dbusd_t $2:dbus send_msg; -+ allow $2 $1_t:dbus send_msg; -+ allow $1_t $2:dbus send_msg; -+') -+ -+######################################## -+## - ## Read dbus configuration. - ## - ## -@@ -366,3 +440,120 @@ - - allow $1 system_dbusd_t:dbus *; - ') -+ -+######################################## -+## -+## Allow unconfined access to the system DBUS. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dbus_unconfined',` -+ gen_require(` -+ attribute dbusd_unconfined; -+ ') -+ -+ typeattribute $1 dbusd_unconfined; -+') -+ -+######################################## -+## -+## Create a domain for processes -+## which can be started by the system dbus -+## -+## -+## -+## Type to be used as a domain. -+## -+## -+## -+## -+## Type of the program to be used as an entry point to this domain. -+## -+## -+# -+interface(`dbus_system_domain',` -+ gen_require(` -+ type system_dbusd_t; -+ role system_r; -+ ') -+ -+ domain_type($1) -+ domain_entry_file($1, $2) -+ -+ role system_r types $1; -+ -+ domtrans_pattern(system_dbusd_t, $2, $1) -+ -+ dbus_system_bus_client_template($1, $1) -+ dbus_connect_system_bus($1) -+ -+ ifdef(`hide_broken_symptoms', ` -+ dbus_dontaudit_rw_system_selinux_socket($1) -+ '); -+') -+ -+######################################## -+## -+## Dontaudit Read, and write system dbus TCP sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` -+ gen_require(` -+ type system_dbusd_t; -+ ') -+ -+ allow $1 system_dbusd_t:tcp_socket { read write }; -+ allow $1 system_dbusd_t:fd use; -+') -+ -+######################################## -+## -+## connectto a message on user/application specific DBUS. -+## -+## -+## -+## The prefix of the domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`dbus_dontaudit_connectto_user_bus',` -+ gen_require(` -+ attribute dbusd_userbus; -+ ') -+ -+ -+ dontaudit $2 dbusd_userbus:unix_stream_socket connectto; -+') -+ -+######################################## -+## -+## dontaudit attempts to use system_dbus_t selinux_socket -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dbus_dontaudit_rw_system_selinux_socket',` -+ gen_require(` -+ type system_dbusd_t; -+ ') -+ -+ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.5.13/policy/modules/services/dbus.te ---- nsaserefpolicy/policy/modules/services/dbus.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dbus.te 2008-10-28 10:56:19.000000000 -0400 -@@ -9,9 +9,11 @@ - # - # Delcarations - # -+attribute dbusd_unconfined; -+attribute dbusd_userbus; - - type dbusd_etc_t alias etc_dbusd_t; --files_type(dbusd_etc_t) -+files_config_file(dbusd_etc_t) - - type system_dbusd_t alias dbusd_t; - type system_dbusd_exec_t; -@@ -21,11 +23,23 @@ - files_tmp_file(system_dbusd_tmp_t) - - type system_dbusd_var_lib_t; --files_pid_file(system_dbusd_var_lib_t) -+files_type(system_dbusd_var_lib_t) - - type system_dbusd_var_run_t; - files_pid_file(system_dbusd_var_run_t) - -+ifdef(`enable_mcs',` -+ init_ranged_daemon_domain(system_dbusd_t, system_dbusd_exec_t,s0 - mcs_systemhigh) -+') -+ -+ifdef(`enable_mls',` -+ init_ranged_daemon_domain(system_dbusd_t, system_dbusd_exec_t,s0 - mls_systemhigh) -+ mls_fd_use_all_levels(system_dbusd_t) -+ mls_rangetrans_target(system_dbusd_t) -+ mls_file_read_all_levels(system_dbusd_t) -+ mls_socket_write_all_levels(system_dbusd_t) -+') -+ - ############################## - # - # Local policy -@@ -35,7 +49,7 @@ - # cjp: dac_override should probably go in a distro_debian - allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; - dontaudit system_dbusd_t self:capability sys_tty_config; --allow system_dbusd_t self:process { getattr signal_perms setcap }; -+allow system_dbusd_t self:process { getattr signal_perms setpgid getcap setcap }; - allow system_dbusd_t self:fifo_file rw_fifo_file_perms; - allow system_dbusd_t self:dbus { send_msg acquire_svc }; - allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; -@@ -43,6 +57,8 @@ - # Receive notifications of policy reloads and enforcing status changes. - allow system_dbusd_t self:netlink_selinux_socket { create bind read }; - -+can_exec(system_dbusd_t, system_dbusd_exec_t) -+ - allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; - read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) - read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) -@@ -65,6 +81,8 @@ - - fs_getattr_all_fs(system_dbusd_t) - fs_search_auto_mountpoints(system_dbusd_t) -+fs_list_inotifyfs(system_dbusd_t) -+fs_dontaudit_list_nfs(system_dbusd_t) - - selinux_get_fs_mount(system_dbusd_t) - selinux_validate_context(system_dbusd_t) -@@ -81,7 +99,6 @@ - corecmd_list_bin(system_dbusd_t) - corecmd_read_bin_pipes(system_dbusd_t) - corecmd_read_bin_sockets(system_dbusd_t) --corecmd_exec_bin(system_dbusd_t) - - domain_use_interactive_fds(system_dbusd_t) - -@@ -91,6 +108,9 @@ - - init_use_fds(system_dbusd_t) - init_use_script_ptys(system_dbusd_t) -+init_dbus_chat_script(system_dbusd_t) -+init_bin_domtrans_spec(system_dbusd_t) -+init_domtrans_script(system_dbusd_t) - - libs_use_ld_so(system_dbusd_t) - libs_use_shared_libs(system_dbusd_t) -@@ -122,9 +142,38 @@ - ') - - optional_policy(` -+ consolekit_dbus_chat(system_dbusd_t) -+') -+ -+optional_policy(` -+ gnome_exec_gconf(system_dbusd_t) -+') -+ -+optional_policy(` -+ networkmanager_initrc_domtrans(system_dbusd_t) -+') -+ -+optional_policy(` -+ polkit_domtrans_auth(system_dbusd_t) -+ polkit_search_lib(system_dbusd_t) -+') -+ -+optional_policy(` - sysnet_domtrans_dhcpc(system_dbusd_t) - ') - - optional_policy(` - udev_read_db(system_dbusd_t) - ') -+ -+optional_policy(` -+ gen_require(` -+ type unconfined_dbusd_t; -+ ') -+ unconfined_domain(unconfined_dbusd_t) -+ unconfined_execmem_domtrans(unconfined_dbusd_t) -+ -+ optional_policy(` -+ xserver_rw_xdm_xserver_shm(unconfined_dbusd_t) -+ ') -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.5.13/policy/modules/services/dcc.if ---- nsaserefpolicy/policy/modules/services/dcc.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dcc.if 2008-10-28 10:56:19.000000000 -0400 -@@ -72,6 +72,24 @@ - - ######################################## - ## -+## Send a signal to the dcc_client. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dcc_signal_client',` -+ gen_require(` -+ type dcc_client_t; -+ ') -+ -+ allow $1 dcc_client_t:process signal; -+') -+ -+######################################## -+## - ## Execute dcc_client in the dcc_client domain, and - ## allow the specified role the dcc_client domain. - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.5.13/policy/modules/services/dcc.te ---- nsaserefpolicy/policy/modules/services/dcc.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dcc.te 2008-10-28 10:56:19.000000000 -0400 -@@ -105,6 +105,8 @@ - files_read_etc_files(cdcc_t) - files_read_etc_runtime_files(cdcc_t) - -+auth_use_nsswitch(cdcc_t) -+ - libs_use_ld_so(cdcc_t) - libs_use_shared_libs(cdcc_t) - -@@ -112,19 +114,12 @@ - - miscfiles_read_localization(cdcc_t) - --sysnet_read_config(cdcc_t) --sysnet_dns_name_resolve(cdcc_t) -- --optional_policy(` -- nscd_socket_use(cdcc_t) --') -- - ######################################## - # - # dcc procmail interface local policy - # - --allow dcc_client_t self:capability setuid; -+allow dcc_client_t self:capability { setgid setuid }; - allow dcc_client_t self:unix_dgram_socket create_socket_perms; - allow dcc_client_t self:udp_socket create_socket_perms; - -@@ -141,6 +136,7 @@ - - corenet_all_recvfrom_unlabeled(dcc_client_t) - corenet_all_recvfrom_netlabel(dcc_client_t) -+corenet_udp_bind_all_nodes(dcc_client_t) - corenet_udp_sendrecv_generic_if(dcc_client_t) - corenet_udp_sendrecv_all_nodes(dcc_client_t) - corenet_udp_sendrecv_all_ports(dcc_client_t) -@@ -148,6 +144,10 @@ - files_read_etc_files(dcc_client_t) - files_read_etc_runtime_files(dcc_client_t) - -+kernel_read_system_state(dcc_client_t) -+ -+auth_use_nsswitch(dcc_client_t) -+ - libs_use_ld_so(dcc_client_t) - libs_use_shared_libs(dcc_client_t) - -@@ -155,11 +155,8 @@ - - miscfiles_read_localization(dcc_client_t) - --sysnet_read_config(dcc_client_t) --sysnet_dns_name_resolve(dcc_client_t) -- - optional_policy(` -- nscd_socket_use(dcc_client_t) -+ spamassassin_read_spamd_tmp_files(dcc_client_t) - ') - - ######################################## -@@ -191,6 +188,8 @@ - files_read_etc_files(dcc_dbclean_t) - files_read_etc_runtime_files(dcc_dbclean_t) - -+auth_use_nsswitch(dcc_dbclean_t) -+ - libs_use_ld_so(dcc_dbclean_t) - libs_use_shared_libs(dcc_dbclean_t) - -@@ -198,13 +197,6 @@ - - miscfiles_read_localization(dcc_dbclean_t) - --sysnet_read_config(dcc_dbclean_t) --sysnet_dns_name_resolve(dcc_dbclean_t) -- --optional_policy(` -- nscd_socket_use(dcc_dbclean_t) --') -- - ######################################## - # - # Server daemon local policy -@@ -262,6 +254,8 @@ - fs_getattr_all_fs(dccd_t) - fs_search_auto_mountpoints(dccd_t) - -+auth_use_nsswitch(dccd_t) -+ - libs_use_ld_so(dccd_t) - libs_use_shared_libs(dccd_t) - -@@ -277,10 +271,6 @@ - sysadm_dontaudit_search_home_dirs(dccd_t) - - optional_policy(` -- nscd_socket_use(dccd_t) --') -- --optional_policy(` - seutil_sigchld_newrole(dccd_t) - ') - -@@ -336,6 +326,8 @@ - fs_getattr_all_fs(dccifd_t) - fs_search_auto_mountpoints(dccifd_t) - -+auth_use_nsswitch(dccifd_t) -+ - libs_use_ld_so(dccifd_t) - libs_use_shared_libs(dccifd_t) - -@@ -343,11 +335,7 @@ - - miscfiles_read_localization(dccifd_t) - --sysnet_read_config(dccifd_t) --sysnet_dns_name_resolve(dccifd_t) -- - userdom_dontaudit_use_unpriv_user_fds(dccifd_t) -- - sysadm_dontaudit_search_home_dirs(dccifd_t) - - optional_policy(` -@@ -351,10 +339,6 @@ - sysadm_dontaudit_search_home_dirs(dccifd_t) - - optional_policy(` -- nscd_socket_use(dccifd_t) --') -- --optional_policy(` - seutil_sigchld_newrole(dccifd_t) - ') - -@@ -409,6 +393,8 @@ - fs_getattr_all_fs(dccm_t) - fs_search_auto_mountpoints(dccm_t) - -+auth_use_nsswitch(dccm_t) -+ - libs_use_ld_so(dccm_t) - libs_use_shared_libs(dccm_t) - -@@ -416,11 +402,7 @@ - - miscfiles_read_localization(dccm_t) - --sysnet_read_config(dccm_t) --sysnet_dns_name_resolve(dccm_t) -- - userdom_dontaudit_use_unpriv_user_fds(dccm_t) -- - sysadm_dontaudit_search_home_dirs(dccm_t) - - optional_policy(` -@@ -424,10 +406,6 @@ - sysadm_dontaudit_search_home_dirs(dccm_t) - - optional_policy(` -- nscd_socket_use(dccm_t) --') -- --optional_policy(` - seutil_sigchld_newrole(dccm_t) - ') - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.fc serefpolicy-3.5.13/policy/modules/services/dhcp.fc ---- nsaserefpolicy/policy/modules/services/dhcp.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dhcp.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,3 +1,4 @@ -+/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) - - /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.5.13/policy/modules/services/dhcp.if ---- nsaserefpolicy/policy/modules/services/dhcp.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dhcp.if 2008-10-28 10:56:19.000000000 -0400 -@@ -19,3 +19,63 @@ - sysnet_search_dhcp_state($1) - allow $1 dhcpd_state_t:file setattr; - ') -+ -+######################################## -+## -+## Execute dhcp server in the dhcp domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+# -+interface(`dhcpd_initrc_domtrans',` -+ gen_require(` -+ type dhcpd_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an dhcp environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the dhcp domain. -+## -+## -+## -+# -+interface(`dhcpd_admin',` -+ gen_require(` -+ type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t; -+ type dhcpd_var_run_t; -+ type dhcpd_initrc_exec_t; -+ ') -+ -+ allow $1 dhcpd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, dhcpd_t) -+ -+ init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 dhcpd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, dhcpd_tmp_t) -+ -+ admin_pattern($1, dhcpd_state_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, dhcpd_var_run_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.5.13/policy/modules/services/dhcp.te ---- nsaserefpolicy/policy/modules/services/dhcp.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dhcp.te 2008-10-28 10:56:19.000000000 -0400 -@@ -10,6 +10,9 @@ - type dhcpd_exec_t; - init_daemon_domain(dhcpd_t, dhcpd_exec_t) - -+type dhcpd_initrc_exec_t; -+init_script_file(dhcpd_initrc_exec_t) -+ - type dhcpd_state_t; - files_type(dhcpd_state_t) - -@@ -24,13 +27,12 @@ - # Local policy - # - --allow dhcpd_t self:capability net_raw; -+allow dhcpd_t self:capability { net_raw sys_resource }; - dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; - allow dhcpd_t self:process signal_perms; - allow dhcpd_t self:fifo_file rw_fifo_file_perms; - allow dhcpd_t self:unix_dgram_socket create_socket_perms; - allow dhcpd_t self:unix_stream_socket create_socket_perms; --allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms; - allow dhcpd_t self:tcp_socket create_stream_socket_perms; - allow dhcpd_t self:udp_socket create_socket_perms; - # Allow dhcpd_t to use packet sockets -@@ -51,6 +53,7 @@ - - kernel_read_system_state(dhcpd_t) - kernel_read_kernel_sysctls(dhcpd_t) -+kernel_read_network_state(dhcpd_t) - - corenet_all_recvfrom_unlabeled(dhcpd_t) - corenet_all_recvfrom_netlabel(dhcpd_t) -@@ -88,6 +91,8 @@ - files_read_etc_runtime_files(dhcpd_t) - files_search_var_lib(dhcpd_t) - -+auth_use_nsswitch(dhcpd_t) -+ - libs_use_ld_so(dhcpd_t) - libs_use_shared_libs(dhcpd_t) - -@@ -95,7 +100,6 @@ - - miscfiles_read_localization(dhcpd_t) - --sysnet_read_config(dhcpd_t) - sysnet_read_dhcp_config(dhcpd_t) - - userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) -@@ -117,14 +121,6 @@ - ') - - optional_policy(` -- nis_use_ypbind(dhcpd_t) --') -- --optional_policy(` -- nscd_socket_use(dhcpd_t) --') -- --optional_policy(` - seutil_sigchld_newrole(dhcpd_t) - ') - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.5.13/policy/modules/services/dnsmasq.fc ---- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,4 +1,7 @@ -+/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) -+ - /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) - - /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) -+/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) - /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.5.13/policy/modules/services/dnsmasq.if ---- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.if 2008-10-28 10:56:19.000000000 -0400 -@@ -1 +1,175 @@ - ## dnsmasq DNS forwarder and DHCP server -+ -+######################################## -+## -+## Execute dnsmasq server in the dnsmasq domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+# -+interface(`dnsmasq_domtrans',` -+ gen_require(` -+ type dnsmasq_exec_t; -+ type dnsmasq_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t) -+') -+ -+######################################## -+## -+## Execute dnsmasq server in the dnsmasq domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+# -+interface(`dnsmasq_initrc_domtrans',` -+ gen_require(` -+ type dnsmasq_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) -+') -+ -+######################################## -+## -+## Send dnsmasq a signal -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+# -+interface(`dnsmasq_signal',` -+ gen_require(` -+ type dnsmasq_t; -+ ') -+ -+ allow $1 dnsmasq_t:process signal; -+') -+ -+ -+######################################## -+## -+## Send dnsmasq a signull -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+# -+interface(`dnsmasq_signull',` -+ gen_require(` -+ type dnsmasq_t; -+ ') -+ -+ allow $1 dnsmasq_t:process signull; -+') -+ -+######################################## -+## -+## Send dnsmasq a sigkill -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+# -+interface(`dnsmasq_sigkill',` -+ gen_require(` -+ type dnsmasq_t; -+ ') -+ -+ allow $1 dnsmasq_t:process sigkill; -+') -+ -+######################################## -+## -+## Delete dnsmasq pid files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+# -+interface(`dnsmasq_delete_pid_files',` -+ gen_require(` -+ type dnsmasq_var_run_t; -+ ') -+ -+ delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) -+') -+ -+######################################## -+## -+## Read dnsmasq pid files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+# -+interface(`dnsmasq_read_pid_files',` -+ gen_require(` -+ type dnsmasq_var_run_t; -+ ') -+ -+ read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an dnsmasq environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the dnsmasq domain. -+## -+## -+## -+# -+interface(`dnsmasq_admin',` -+ gen_require(` -+ type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; -+ type dnsmasq_initrc_exec_t; -+ ') -+ -+ allow $1 dnsmasq_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, dnsmasq_t) -+ -+ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 dnsmasq_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_var_lib($1) -+ admin_pattern($1, dnsmasq_lease_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, dnsmasq_var_run_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.5.13/policy/modules/services/dnsmasq.te ---- nsaserefpolicy/policy/modules/services/dnsmasq.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te 2008-10-28 10:56:19.000000000 -0400 -@@ -10,6 +10,9 @@ - type dnsmasq_exec_t; - init_daemon_domain(dnsmasq_t, dnsmasq_exec_t) - -+type dnsmasq_initrc_exec_t; -+init_script_file(dnsmasq_initrc_exec_t) -+ - type dnsmasq_lease_t; - files_type(dnsmasq_lease_t) - -@@ -23,7 +26,7 @@ - - allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw }; - dontaudit dnsmasq_t self:capability sys_tty_config; --allow dnsmasq_t self:process { setcap signal_perms }; -+allow dnsmasq_t self:process { getcap setcap signal_perms }; - allow dnsmasq_t self:fifo_file rw_fifo_file_perms; - allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write }; - allow dnsmasq_t self:tcp_socket create_stream_socket_perms; -@@ -32,7 +35,7 @@ - allow dnsmasq_t self:rawip_socket create_socket_perms; - - # dhcp leases --allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms; -+manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t) - files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file) - - manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) -@@ -55,8 +58,7 @@ - corenet_tcp_bind_all_nodes(dnsmasq_t) - corenet_udp_bind_all_nodes(dnsmasq_t) - corenet_tcp_bind_dns_port(dnsmasq_t) --corenet_udp_bind_dns_port(dnsmasq_t) --corenet_udp_bind_dhcpd_port(dnsmasq_t) -+corenet_udp_bind_all_ports(dnsmasq_t) - corenet_sendrecv_dns_server_packets(dnsmasq_t) - corenet_sendrecv_dhcpd_server_packets(dnsmasq_t) - -@@ -71,6 +73,8 @@ - fs_getattr_all_fs(dnsmasq_t) - fs_search_auto_mountpoints(dnsmasq_t) - -+auth_use_nsswitch(dnsmasq_t) -+ - libs_use_ld_so(dnsmasq_t) - libs_use_shared_libs(dnsmasq_t) - -@@ -78,14 +82,12 @@ - - miscfiles_read_localization(dnsmasq_t) - --sysnet_read_config(dnsmasq_t) -- - userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) - - sysadm_dontaudit_search_home_dirs(dnsmasq_t) - - optional_policy(` -- nis_use_ypbind(dnsmasq_t) -+ cron_manage_pid_files(dnsmasq_t) - ') - - optional_policy(` -@@ -95,3 +97,7 @@ - optional_policy(` - udev_read_db(dnsmasq_t) - ') -+ -+optional_policy(` -+ virt_manage_lib_files(dnsmasq_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.5.13/policy/modules/services/dovecot.fc ---- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dovecot.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -6,6 +6,7 @@ - /etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) - - /etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) -+/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0) - - # - # /usr -@@ -17,23 +18,22 @@ - - ifdef(`distro_debian', ` - /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) - ') - - ifdef(`distro_redhat', ` - /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -+/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) - ') - - # - # /var - # - /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) --# this is a hard link to /var/lib/dovecot/ssl-parameters.dat --/var/run/dovecot/login/ssl-parameters.dat gen_context(system_u:object_r:dovecot_var_lib_t,s0) -+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) - - /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) - --/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) -- -- -- -+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) - -+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.5.13/policy/modules/services/dovecot.if ---- nsaserefpolicy/policy/modules/services/dovecot.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dovecot.if 2008-10-28 10:56:19.000000000 -0400 -@@ -21,7 +21,46 @@ - - ######################################## - ## --## Do not audit attempts to delete dovecot lib files. -+## Connect to dovecot auth unix domain stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`dovecot_auth_stream_connect',` -+ gen_require(` -+ type dovecot_auth_t, dovecot_var_run_t; -+ ') -+ -+ allow $1 dovecot_var_run_t:dir search; -+ allow $1 dovecot_var_run_t:sock_file write; -+ allow $1 dovecot_auth_t:unix_stream_socket connectto; -+') -+ -+######################################## -+## -+## Execute dovecot_deliver in the dovecot_deliver domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dovecot_domtrans_deliver',` -+ gen_require(` -+ type dovecot_deliver_t, dovecot_deliver_exec_t; -+ ') -+ -+ domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t) -+') -+ -+####################################### -+## -+## Do not audit attempts to d`elete dovecot lib files. - ## - ## - ## -@@ -36,3 +75,60 @@ - - dontaudit $1 dovecot_var_lib_t:file unlink; - ') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an dovecot environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the dovecot domain. -+## -+## -+## -+# -+interface(`dovecot_admin',` -+ gen_require(` -+ type dovecot_t, dovecot_etc_t, dovecot_log_t; -+ type dovecot_spool_t, dovecot_var_lib_t; -+ type dovecot_var_run_t; -+ -+ type dovecot_cert_t, dovecot_passwd_t; -+ type dovecot_initrc_exec_t; -+ ') -+ -+ allow $1 dovecot_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, dovecot_t) -+ -+ init_labeled_script_domtrans($1, dovecot_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 dovecot_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_etc($1) -+ admin_pattern($1, dovecot_etc_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, dovecot_log_t) -+ -+ files_list_spool($1) -+ admin_pattern($1, dovecot_spool_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, dovecot_var_lib_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, dovecot_var_run_t) -+ -+ admin_pattern($1, dovecot_cert_t) -+ -+ admin_pattern($1, dovecot_passwd_t) -+') -+ -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.5.13/policy/modules/services/dovecot.te ---- nsaserefpolicy/policy/modules/services/dovecot.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dovecot.te 2008-10-28 10:56:19.000000000 -0400 -@@ -15,12 +15,21 @@ - domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) - role system_r types dovecot_auth_t; - -+type dovecot_deliver_t; -+type dovecot_deliver_exec_t; -+domain_type(dovecot_deliver_t) -+domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) -+role system_r types dovecot_deliver_t; -+ - type dovecot_cert_t; - files_type(dovecot_cert_t) - - type dovecot_etc_t; - files_config_file(dovecot_etc_t) - -+type dovecot_initrc_exec_t; -+init_script_file(dovecot_initrc_exec_t) -+ - type dovecot_passwd_t; - files_type(dovecot_passwd_t) - -@@ -31,9 +40,15 @@ - type dovecot_var_lib_t; - files_type(dovecot_var_lib_t) - -+type dovecot_var_log_t; -+logging_log_file(dovecot_var_log_t) -+ - type dovecot_var_run_t; - files_pid_file(dovecot_var_run_t) - -+type dovecot_auth_tmp_t; -+files_tmp_file(dovecot_auth_tmp_t) -+ - ######################################## - # - # dovecot local policy -@@ -85,6 +100,7 @@ - dev_read_urand(dovecot_t) - - fs_getattr_all_fs(dovecot_t) -+fs_getattr_all_dirs(dovecot_t) - fs_search_auto_mountpoints(dovecot_t) - fs_list_inotifyfs(dovecot_t) - -@@ -98,7 +114,7 @@ - files_dontaudit_list_default(dovecot_t) - # Dovecot now has quota support and it uses getmntent() to find the mountpoints. - files_read_etc_runtime_files(dovecot_t) --files_getattr_all_mountpoints(dovecot_t) -+files_search_all_mountpoints(dovecot_t) - - init_getattr_utmp(dovecot_t) - -@@ -120,7 +136,7 @@ - sysadm_dontaudit_search_home_dirs(dovecot_t) - - optional_policy(` -- kerberos_use(dovecot_t) -+ kerberos_keytab_template(dovecot, dovecot_t) - ') - - optional_policy(` -@@ -140,25 +156,39 @@ - # dovecot auth local policy - # - --allow dovecot_auth_t self:capability { setgid setuid }; -+allow dovecot_auth_t self:capability { chown dac_override setgid setuid }; - allow dovecot_auth_t self:process signal_perms; - allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; - allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; - allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; - --allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl }; -+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; - - allow dovecot_auth_t dovecot_passwd_t:file read_file_perms; - -+manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) -+manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) -+files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) -+ -+# log files -+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) -+logging_log_filetrans(dovecot_t, dovecot_var_log_t, file) -+ - # Allow dovecot to create and read SSL parameters file - manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t) - files_search_var_lib(dovecot_t) -+files_read_var_symlinks(dovecot_t) - - allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; -+manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) -+dovecot_auth_stream_connect(dovecot_auth_t) - - kernel_read_all_sysctls(dovecot_auth_t) - kernel_read_system_state(dovecot_auth_t) - -+logging_send_audit_msgs(dovecot_auth_t) -+logging_send_syslog_msg(dovecot_auth_t) -+ - dev_read_urand(dovecot_auth_t) - - auth_domtrans_chk_passwd(dovecot_auth_t) -@@ -167,6 +197,7 @@ - files_read_etc_files(dovecot_auth_t) - files_read_etc_runtime_files(dovecot_auth_t) - files_search_pids(dovecot_auth_t) -+files_read_usr_files(dovecot_auth_t) - files_read_usr_symlinks(dovecot_auth_t) - files_search_tmp(dovecot_auth_t) - files_read_var_lib_files(dovecot_t) -@@ -185,5 +216,53 @@ - ') - - optional_policy(` -- logging_send_syslog_msg(dovecot_auth_t) -+ mysql_search_db(dovecot_auth_t) -+ mysql_stream_connect(dovecot_auth_t) -+') -+ -+optional_policy(` -+ nis_authenticate(dovecot_auth_t) -+') -+ -+optional_policy(` -+ postfix_manage_private_sockets(dovecot_auth_t) -+ postfix_search_spool(dovecot_auth_t) -+') -+ -+# for gssapi (kerberos) -+userdom_list_unpriv_users_tmp(dovecot_auth_t) -+userdom_read_unpriv_users_tmp_files(dovecot_auth_t) -+userdom_read_unpriv_users_tmp_symlinks(dovecot_auth_t) -+ -+######################################## -+# -+# dovecot deliver local policy -+# -+allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; -+ -+allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; -+allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; -+ -+kernel_read_all_sysctls(dovecot_deliver_t) -+kernel_read_system_state(dovecot_deliver_t) -+ -+files_read_etc_files(dovecot_deliver_t) -+files_read_etc_runtime_files(dovecot_deliver_t) -+ -+auth_use_nsswitch(dovecot_deliver_t) -+ -+libs_use_ld_so(dovecot_deliver_t) -+libs_use_shared_libs(dovecot_deliver_t) -+ -+logging_send_syslog_msg(dovecot_deliver_t) -+ -+miscfiles_read_localization(dovecot_deliver_t) -+ -+dovecot_auth_stream_connect(dovecot_deliver_t) -+ -+userdom_priveleged_home_dir_manager(dovecot_deliver_t) -+ -+optional_policy(` -+ mta_manage_spool(dovecot_deliver_t) - ') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.5.13/policy/modules/services/exim.if ---- nsaserefpolicy/policy/modules/services/exim.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/exim.if 2008-10-28 10:56:19.000000000 -0400 -@@ -97,6 +97,26 @@ - - ######################################## - ## -+## Allow the specified domain to manage exim's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`exim_manage_log',` -+ gen_require(` -+ type exim_log_t; -+ ') -+ -+ manage_files_pattern($1, exim_log_t, exim_log_t) -+ logging_search_logs($1) -+') -+ -+######################################## -+## - ## Allow the specified domain to append - ## exim log files. - ## -@@ -154,3 +174,23 @@ - manage_files_pattern($1, exim_spool_t, exim_spool_t) - files_search_spool($1) - ') -+ -+######################################## -+## -+## Create, read, write, and delete -+## exim spool dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`exim_manage_spool_dirs',` -+ gen_require(` -+ type exim_spool_t; -+ ') -+ -+ manage_dirs_pattern($1, exim_spool_t, exim_spool_t) -+ files_search_spool($1) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.5.13/policy/modules/services/exim.te ---- nsaserefpolicy/policy/modules/services/exim.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/exim.te 2008-10-28 10:56:19.000000000 -0400 -@@ -21,9 +21,20 @@ - ## - gen_tunable(exim_manage_user_files, false) - -+## -+##

-+## Allow exim to connect to databases (postgres, mysql) -+##

-+## -+gen_tunable(exim_can_connect_db, false) -+ - type exim_t; - type exim_exec_t; - init_daemon_domain(exim_t, exim_exec_t) -+mta_mailserver(exim_t, exim_exec_t) -+mta_mailserver_user_agent(exim_t) -+application_executable_file(exim_exec_t) -+mta_agent_executable(exim_exec_t) - - type exim_log_t; - logging_log_file(exim_log_t) -@@ -42,10 +53,12 @@ - # exim local policy - # - --allow exim_t self:capability { dac_override dac_read_search setuid setgid fowner chown }; -+allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource }; -+allow exim_t self:process { setrlimit setpgid }; - allow exim_t self:fifo_file rw_fifo_file_perms; - allow exim_t self:unix_stream_socket create_stream_socket_perms; - allow exim_t self:tcp_socket create_stream_socket_perms; -+allow exim_t self:udp_socket create_socket_perms; - - can_exec(exim_t,exim_exec_t) - -@@ -66,12 +79,15 @@ - files_pid_filetrans(exim_t, exim_var_run_t, { file dir }) - - kernel_read_kernel_sysctls(exim_t) -- - kernel_dontaudit_read_system_state(exim_t) -+kernel_read_network_state(exim_t) - - corecmd_search_bin(exim_t) - - corenet_all_recvfrom_unlabeled(exim_t) -+corenet_all_recvfrom_netlabel(exim_t) -+corenet_udp_sendrecv_all_if(exim_t) -+corenet_udp_sendrecv_all_nodes(exim_t) - corenet_tcp_sendrecv_all_if(exim_t) - corenet_tcp_sendrecv_all_nodes(exim_t) - corenet_tcp_sendrecv_all_ports(exim_t) -@@ -82,6 +98,8 @@ - corenet_tcp_connect_smtp_port(exim_t) - corenet_tcp_connect_ldap_port(exim_t) - corenet_tcp_connect_inetd_child_port(exim_t) -+# connect to spamassassin -+corenet_tcp_connect_spamd_port(exim_t) - - dev_read_rand(exim_t) - dev_read_urand(exim_t) -@@ -89,7 +107,10 @@ - # Init script handling - domain_use_interactive_fds(exim_t) - -+files_search_usr(exim_t) -+files_search_var(exim_t) - files_read_etc_files(exim_t) -+files_read_etc_runtime_files(exim_t) - - auth_use_nsswitch(exim_t) - -@@ -99,23 +120,86 @@ - logging_send_syslog_msg(exim_t) - - miscfiles_read_localization(exim_t) -+miscfiles_read_certs(exim_t) - --sysnet_dns_name_resolve(exim_t) -+fs_getattr_xattr_fs(exim_t) -+fs_list_inotifyfs(exim_t) - - unprivuser_dontaudit_search_home_dirs(exim_t) - - mta_read_aliases(exim_t) --mta_rw_spool(exim_t) -+mta_read_config(exim_t) -+mta_manage_spool(exim_t) -+mta_mailserver_delivery(exim_t) - - sysadm_dontaudit_search_home_dirs(exim_t) - - tunable_policy(`exim_read_user_files',` -- userdom_read_unpriv_users_home_content_files(exim_t) -- userdom_read_unpriv_users_tmp_files(exim_t) -+ unprivuser_read_home_content_files(exim_t) -+ unprivuser_read_tmp_files(exim_t) - ') - - tunable_policy(`exim_manage_user_files',` -- userdom_manage_unpriv_users_home_content_dirs(exim_t) -- userdom_read_unpriv_users_tmp_files(exim_t) -- userdom_write_unpriv_users_tmp_files(exim_t) -+ unprivuser_manage_home_content_dirs(exim_t) -+ unprivuser_read_tmp_files(exim_t) -+ unprivuser_write_tmp_files(exim_t) -+') -+ -+tunable_policy(`exim_can_connect_db',` -+ corenet_tcp_connect_mysqld_port(exim_t) -+ corenet_sendrecv_mysqld_client_packets(exim_t) -+ corenet_tcp_connect_postgresql_port(exim_t) -+ corenet_sendrecv_postgresql_client_packets(exim_t) -+') -+ -+optional_policy(` -+ dovecot_auth_stream_connect(exim_t) -+') -+ -+optional_policy(` -+ tunable_policy(`exim_can_connect_db',` -+ mysql_stream_connect(exim_t) -+ ') -+') -+ -+optional_policy(` -+ tunable_policy(`exim_can_connect_db',` -+ postgresql_stream_connect(exim_t) -+') -+') -+ -+optional_policy(` -+ kerberos_keytab_template(exim, exim_t) -+') -+ -+optional_policy(` -+ mailman_read_data_files(exim_t) -+ mailman_domtrans(exim_t) -+') -+ -+optional_policy(` -+ procmail_domtrans(exim_t) -+') -+ -+optional_policy(` -+ sasl_connect(exim_t) -+') -+ -+optional_policy(` -+ cron_read_pipes(exim_t) -+ cron_rw_system_job_pipes(exim_t) -+') -+ -+optional_policy(` -+ cyrus_stream_connect(exim_t) -+') -+ -+optional_policy(` -+ clamav_domtrans_clamscan(exim_t) -+ clamav_stream_connect(exim_t) -+') -+ -+optional_policy(` -+ spamassassin_exec(exim_t) -+ spamassassin_exec_client(exim_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.if serefpolicy-3.5.13/policy/modules/services/fetchmail.if ---- nsaserefpolicy/policy/modules/services/fetchmail.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/fetchmail.if 2008-10-28 10:56:19.000000000 -0400 -@@ -21,10 +21,10 @@ - ps_process_pattern($1, fetchmail_t) - - files_list_etc($1) -- manage_files_pattern($1, fetchmail_etc_t, fetchmail_etc_t) -+ admin_pattern($1, fetchmail_etc_t) - -- manage_files_pattern($1, fetchmail_uidl_cache_t, fetchmail_uidl_cache_t) -+ admin_pattern($1, fetchmail_uidl_cache_t) - - files_list_pids($1) -- manage_files_pattern($1, fetchmail_var_run_t, fetchmail_var_run_t) -+ admin_pattern($1, fetchmail_var_run_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.5.13/policy/modules/services/fetchmail.te ---- nsaserefpolicy/policy/modules/services/fetchmail.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/fetchmail.te 2008-10-28 10:56:19.000000000 -0400 -@@ -91,6 +91,10 @@ - ') - - optional_policy(` -+ sendmail_manage_log(fetchmail_t) -+') -+ -+optional_policy(` - seutil_sigchld_newrole(fetchmail_t) - ') - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.5.13/policy/modules/services/ftp.te ---- nsaserefpolicy/policy/modules/services/ftp.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ftp.te 2008-10-28 10:56:19.000000000 -0400 -@@ -226,6 +226,11 @@ - userdom_manage_all_users_home_content_dirs(ftpd_t) - userdom_manage_all_users_home_content_files(ftpd_t) - userdom_manage_all_users_home_content_symlinks(ftpd_t) -+ auth_manage_all_files_except_shadow(ftpd_t) -+ -+ auth_read_all_dirs_except_shadow(ftpd_t) -+ auth_read_all_files_except_shadow(ftpd_t) -+ auth_read_all_symlinks_except_shadow(ftpd_t) - ') - - tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` -@@ -261,7 +266,9 @@ - ') - - optional_policy(` -- kerberos_read_keytab(ftpd_t) -+ kerberos_keytab_template(ftpd, ftpd_t) -+ kerberos_manage_host_rcache(ftpd_t) -+ selinux_validate_context(ftpd_t) - ') - - optional_policy(` -@@ -273,6 +280,14 @@ - ') - - optional_policy(` -+ dbus_system_bus_client_template(notused, ftpd_t) -+ optional_policy(` -+ oddjob_dbus_chat(ftpd_t) -+ oddjob_domtrans_mkhomedir(ftpd_t) -+ ') -+') -+ -+optional_policy(` - seutil_sigchld_newrole(ftpd_t) - ') - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.fc serefpolicy-3.5.13/policy/modules/services/gamin.fc ---- nsaserefpolicy/policy/modules/services/gamin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/gamin.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,2 @@ -+ -+/usr/libexec/gam_server -- gen_context(system_u:object_r:gamin_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.5.13/policy/modules/services/gamin.if ---- nsaserefpolicy/policy/modules/services/gamin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/gamin.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,57 @@ -+ -+## policy for gamin -+ -+######################################## -+## -+## Execute a domain transition to run gamin. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`gamin_domtrans',` -+ gen_require(` -+ type gamin_t; -+ type gamin_exec_t; -+ ') -+ -+ domtrans_pattern($1, gamin_exec_t, gamin_t) -+') -+ -+######################################## -+## -+## Execute gamin. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`gamin_exec',` -+ gen_require(` -+ type gamin_exec_t; -+ ') -+ -+ can_exec($1, gamin_exec_t) -+') -+ -+######################################## -+## -+## Connect to gamin over an unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gamin_stream_connect',` -+ gen_require(` -+ type gamin_t; -+ ') -+ -+ allow $1 gamin_t:unix_stream_socket connectto; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.5.13/policy/modules/services/gamin.te ---- nsaserefpolicy/policy/modules/services/gamin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/gamin.te 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,39 @@ -+policy_module(gamin, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type gamin_t; -+type gamin_exec_t; -+application_domain(gamin_t, gamin_exec_t) -+role system_r types gamin_t; -+ -+######################################## -+# -+# gamin local policy -+# -+ -+# Init script handling -+domain_use_interactive_fds(gamin_t) -+allow gamin_t self:capability sys_ptrace; -+ -+# internal communication is often done using fifo and unix sockets. -+allow gamin_t self:fifo_file rw_file_perms; -+allow gamin_t self:unix_stream_socket create_stream_socket_perms; -+ -+files_read_etc_files(gamin_t) -+files_read_etc_runtime_files(gamin_t) -+files_list_all(gamin_t) -+files_getattr_all_files(gamin_t) -+ -+fs_list_inotifyfs(gamin_t) -+domain_read_all_domains_state(gamin_t) -+domain_dontaudit_ptrace_all_domains(gamin_t) -+ -+libs_use_ld_so(gamin_t) -+libs_use_shared_libs(gamin_t) -+ -+miscfiles_read_localization(gamin_t) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.5.13/policy/modules/services/gnomeclock.fc ---- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/gnomeclock.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,3 @@ -+ -+/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.5.13/policy/modules/services/gnomeclock.if ---- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/gnomeclock.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,75 @@ -+ -+## policy for gnomeclock -+ -+######################################## -+## -+## Execute a domain transition to run gnomeclock. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`gnomeclock_domtrans',` -+ gen_require(` -+ type gnomeclock_t; -+ type gnomeclock_exec_t; -+ ') -+ -+ domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t) -+') -+ -+ -+######################################## -+## -+## Execute gnomeclock in the gnomeclock domain, and -+## allow the specified role the gnomeclock domain. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the gnomeclock domain. -+## -+## -+## -+## -+## The type of the role's terminal. -+## -+## -+# -+interface(`gnomeclock_run',` -+ gen_require(` -+ type gnomeclock_t; -+ ') -+ -+ gnomeclock_domtrans($1) -+ role $2 types gnomeclock_t; -+ dontaudit gnomeclock_t $3:chr_file rw_term_perms; -+') -+ -+ -+######################################## -+## -+## Send and receive messages from -+## gnomeclock over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnomeclock_dbus_chat',` -+ gen_require(` -+ type gnomeclock_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 gnomeclock_t:dbus send_msg; -+ allow gnomeclock_t $1:dbus send_msg; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.5.13/policy/modules/services/gnomeclock.te ---- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/gnomeclock.te 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,55 @@ -+policy_module(gnomeclock, 1.0.0) -+######################################## -+# -+# Declarations -+# -+ -+type gnomeclock_t; -+type gnomeclock_exec_t; -+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) -+ -+######################################## -+# -+# gnomeclock local policy -+# -+allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; -+allow gnomeclock_t self:process { getattr getsched }; -+ -+# internal communication is often done using fifo and unix sockets. -+allow gnomeclock_t self:fifo_file rw_file_perms; -+allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; -+ -+corecmd_exec_bin(gnomeclock_t) -+ -+userdom_ptrace_all_users(gnomeclock_t) -+ -+files_read_etc_files(gnomeclock_t) -+files_read_usr_files(gnomeclock_t) -+ -+miscfiles_manage_localization(gnomeclock_t) -+miscfiles_etc_filetrans_localization(gnomeclock_t) -+ -+fs_list_inotifyfs(gnomeclock_t) -+ -+auth_use_nsswitch(gnomeclock_t) -+ -+libs_use_ld_so(gnomeclock_t) -+libs_use_shared_libs(gnomeclock_t) -+ -+miscfiles_read_localization(gnomeclock_t) -+ -+userdom_read_all_users_state(gnomeclock_t) -+ -+optional_policy(` -+ consolekit_dbus_chat(gnomeclock_t) -+') -+ -+optional_policy(` -+ clock_domtrans(gnomeclock_t) -+') -+ -+optional_policy(` -+ polkit_domtrans_auth(gnomeclock_t) -+ polkit_read_lib(gnomeclock_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.5.13/policy/modules/services/hal.fc ---- nsaserefpolicy/policy/modules/services/hal.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/hal.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -9,6 +9,7 @@ - /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) - /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) - /usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) -+/usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0) - - /usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0) - -@@ -17,7 +18,7 @@ - /var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0) - - /var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0) --/var/log/pm-suspend\.log gen_context(system_u:object_r:hald_log_t,s0) -+/var/log/pm-.*\.log gen_context(system_u:object_r:hald_log_t,s0) - - /var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) - /var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.5.13/policy/modules/services/hal.if ---- nsaserefpolicy/policy/modules/services/hal.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/hal.if 2008-10-28 10:56:19.000000000 -0400 -@@ -302,3 +302,42 @@ - files_search_pids($1) - allow $1 hald_var_run_t:file rw_file_perms; - ') -+ -+######################################## -+## -+## Send a SIGCHLD signal to hal. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`hal_getattr',` -+ gen_require(` -+ type hald_t; -+ ') -+ -+ allow $1 hald_t:process getattr; -+') -+ -+######################################## -+## -+##f Read hal system state -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`hal_read_state',` -+ gen_require(` -+ type hald_t; -+ ') -+ kernel_search_proc($1) -+ allow $1 hald_t:dir list_dir_perms; -+ read_files_pattern($1, hald_t, hald_t) -+ read_lnk_files_pattern($1, hald_t, hald_t) -+ dontaudit $1 hald_t:process ptrace; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.13/policy/modules/services/hal.te ---- nsaserefpolicy/policy/modules/services/hal.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/hal.te 2008-11-04 13:26:50.000000000 -0500 -@@ -49,6 +49,9 @@ - type hald_var_lib_t; - files_type(hald_var_lib_t) - -+typealias hald_log_t alias pmtools_log_t; -+typealias hald_var_run_t alias pmtools_var_run_t; -+ - ######################################## - # - # Local policy -@@ -143,6 +146,7 @@ - files_getattr_all_dirs(hald_t) - files_read_kernel_img(hald_t) - files_rw_lock_dirs(hald_t) -+files_read_generic_pids(hald_t) - - fs_getattr_all_fs(hald_t) - fs_search_all(hald_t) -@@ -280,6 +284,12 @@ - ') - - optional_policy(` -+ polkit_domtrans_auth(hald_t) -+ polkit_domtrans_resolve(hald_t) -+ polkit_read_lib(hald_t) -+') -+ -+optional_policy(` - rpc_search_nfs_state_data(hald_t) - ') - -@@ -300,12 +310,20 @@ - vbetool_domtrans(hald_t) - ') - -+optional_policy(` -+ virt_manage_images(hald_t) -+') -+ -+optional_policy(` -+ xserver_read_pid(hald_t) -+') -+ - ######################################## - # - # Hal acl local policy - # - --allow hald_acl_t self:capability { dac_override fowner }; -+allow hald_acl_t self:capability { dac_override fowner sys_resource }; - allow hald_acl_t self:process { getattr signal }; - allow hald_acl_t self:fifo_file rw_fifo_file_perms; - -@@ -344,13 +362,22 @@ - libs_use_ld_so(hald_acl_t) - libs_use_shared_libs(hald_acl_t) - -+logging_send_syslog_msg(hald_acl_t) -+ - miscfiles_read_localization(hald_acl_t) - -+optional_policy(` -+ polkit_domtrans_auth(hald_acl_t) -+ polkit_read_lib(hald_acl_t) -+') -+ - ######################################## - # - # Local hald mac policy - # - -+allow hald_mac_t self:capability { setgid setuid }; -+ - domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) - allow hald_t hald_mac_t:process signal; - allow hald_mac_t hald_t:unix_stream_socket connectto; -@@ -359,6 +386,8 @@ - manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t) - files_search_var_lib(hald_mac_t) - -+write_files_pattern(hald_mac_t, hald_log_t, hald_log_t) -+ - kernel_read_system_state(hald_mac_t) - - dev_read_raw_memory(hald_mac_t) -@@ -366,6 +395,9 @@ - dev_read_sysfs(hald_mac_t) - - files_read_usr_files(hald_mac_t) -+files_read_etc_files(hald_mac_t) -+ -+auth_use_nsswitch(hald_mac_t) - - libs_use_ld_so(hald_mac_t) - libs_use_shared_libs(hald_mac_t) -@@ -388,6 +420,8 @@ - manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t) - files_search_var_lib(hald_sonypic_t) - -+write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t) -+ - files_read_usr_files(hald_sonypic_t) - - libs_use_ld_so(hald_sonypic_t) -@@ -408,6 +442,8 @@ - manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t) - files_search_var_lib(hald_keymap_t) - -+write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t) -+ - dev_rw_input_dev(hald_keymap_t) - - files_read_usr_files(hald_keymap_t) -@@ -419,4 +455,4 @@ - - # This is caused by a bug in hald and PolicyKit. - # Should be removed when this is fixed --#cron_read_system_job_lib_files(hald_t) -+cron_read_system_job_lib_files(hald_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.fc serefpolicy-3.5.13/policy/modules/services/inetd.fc ---- nsaserefpolicy/policy/modules/services/inetd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/inetd.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,6 +1,8 @@ - - /usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0) - /usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0) -+/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0) -+ - /usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0) - /usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) - /usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.5.13/policy/modules/services/inetd.te ---- nsaserefpolicy/policy/modules/services/inetd.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/inetd.te 2008-10-28 10:56:19.000000000 -0400 -@@ -136,6 +136,7 @@ - domain_use_interactive_fds(inetd_t) - - files_read_etc_files(inetd_t) -+files_read_etc_runtime_files(inetd_t) - - libs_use_ld_so(inetd_t) - libs_use_shared_libs(inetd_t) -@@ -223,6 +224,7 @@ - fs_getattr_xattr_fs(inetd_child_t) - - files_read_etc_files(inetd_child_t) -+files_read_etc_runtime_files(inetd_child_t) - - auth_use_nsswitch(inetd_child_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.5.13/policy/modules/services/kerberos.te ---- nsaserefpolicy/policy/modules/services/kerberos.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/kerberos.te 2008-10-28 10:56:19.000000000 -0400 -@@ -298,6 +298,7 @@ - corenet_tcp_sendrecv_all_nodes(kpropd_t) - corenet_tcp_sendrecv_all_ports(kpropd_t) - corenet_tcp_bind_all_nodes(kpropd_t) -+corenet_tcp_bind_kprop_port(kpropd_t) - - dev_read_urand(kpropd_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.5.13/policy/modules/services/kerneloops.if ---- nsaserefpolicy/policy/modules/services/kerneloops.if 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/kerneloops.if 2008-10-28 10:56:19.000000000 -0400 -@@ -63,6 +63,25 @@ - - ######################################## - ## -+## Allow domain to manage kerneloops tmp files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`kerneloops_manage_tmp_files',` -+ gen_require(` -+ type kerneloops_tmp_t; -+ ') -+ -+ manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t) -+ files_search_tmp($1) -+') -+ -+######################################## -+## - ## All of the rules required to administrate - ## an kerneloops environment - ## -@@ -81,6 +100,7 @@ - interface(`kerneloops_admin',` - gen_require(` - type kerneloops_t, kerneloops_initrc_exec_t; -+ type kerneloops_tmp_t; - ') - - allow $1 kerneloops_t:process { ptrace signal_perms }; -@@ -90,4 +110,7 @@ - domain_system_change_exemption($1) - role_transition $2 kerneloops_initrc_exec_t system_r; - allow $2 system_r; -+ -+ admin_pattern($1, kerneloops_tmp_t) - ') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.5.13/policy/modules/services/kerneloops.te ---- nsaserefpolicy/policy/modules/services/kerneloops.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/kerneloops.te 2008-10-28 10:56:19.000000000 -0400 -@@ -13,6 +13,9 @@ - type kerneloops_initrc_exec_t; - init_script_file(kerneloops_initrc_exec_t) - -+type kerneloops_tmp_t; -+files_tmp_file(kerneloops_tmp_t) -+ - ######################################## - # - # kerneloops local policy -@@ -23,6 +26,9 @@ - allow kerneloops_t self:fifo_file rw_file_perms; - allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms; - -+manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t) -+files_tmp_filetrans(kerneloops_t,kerneloops_tmp_t,file) -+ - kernel_read_ring_buffer(kerneloops_t) - - # Init script handling -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.5.13/policy/modules/services/ldap.te ---- nsaserefpolicy/policy/modules/services/ldap.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ldap.te 2008-10-28 10:56:19.000000000 -0400 -@@ -121,7 +121,7 @@ - sysadm_dontaudit_search_home_dirs(slapd_t) - - optional_policy(` -- kerberos_use(slapd_t) -+ kerberos_keytab_template(slapd, slapd_t) - ') - - optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.5.13/policy/modules/services/lpd.fc ---- nsaserefpolicy/policy/modules/services/lpd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/lpd.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -3,6 +3,8 @@ - # - /dev/printer -s gen_context(system_u:object_r:printer_t,s0) - -+/opt/gutenprint/s?bin(/.*)? gen_context(system_u:object_r:lpr_exec_t,s0) -+ - # - # /usr - # -@@ -22,11 +24,15 @@ - /usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0) - /usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0) - -+/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0) -+ - /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) - - # - # /var - # - /var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) -+/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) - /var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0) - /var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.5.13/policy/modules/services/mailman.fc ---- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mailman.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -31,3 +31,4 @@ - /var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) - /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) - ') -+/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.5.13/policy/modules/services/mailman.if ---- nsaserefpolicy/policy/modules/services/mailman.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mailman.if 2008-10-28 10:56:19.000000000 -0400 -@@ -31,6 +31,12 @@ - allow mailman_$1_t self:tcp_socket create_stream_socket_perms; - allow mailman_$1_t self:udp_socket create_socket_perms; - -+ files_search_spool(mailman_$1_t) -+ -+ manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) -+ manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) -+ manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) -+ - manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) - manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) - manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) -@@ -211,6 +217,7 @@ - type mailman_data_t; - ') - -+ manage_dirs_pattern($1, mailman_data_t, mailman_data_t) - manage_files_pattern($1, mailman_data_t, mailman_data_t) - ') - -@@ -252,6 +259,25 @@ - - ####################################### - ## -+## read -+## mailman logs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mailman_read_log',` -+ gen_require(` -+ type mailman_log_t; -+ ') -+ -+ read_files_pattern($1, mailman_log_t, mailman_log_t) -+') -+ -+####################################### -+## - ## Append to mailman logs. - ## - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.5.13/policy/modules/services/mailman.te ---- nsaserefpolicy/policy/modules/services/mailman.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mailman.te 2008-10-28 10:56:19.000000000 -0400 -@@ -53,10 +53,9 @@ - apache_use_fds(mailman_cgi_t) - apache_dontaudit_append_log(mailman_cgi_t) - apache_search_sys_script_state(mailman_cgi_t) -+ apache_read_config(mailman_cgi_t) -+ apache_dontaudit_rw_stream_sockets(mailman_cgi_t) - -- optional_policy(` -- nscd_socket_use(mailman_cgi_t) -- ') - ') - - ######################################## -@@ -65,16 +64,19 @@ - # - - allow mailman_mail_t self:unix_dgram_socket create_socket_perms; -+allow mailman_mail_t initrc_t:process signal; -+allow mailman_mail_t self:process { signal signull }; -+allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; -+ -+files_search_spool(mailman_mail_t) -+fs_rw_anon_inodefs_files(mailman_mail_t) -+ -+manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) -+manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) -+manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) - - mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) -- --ifdef(`TODO',` --optional_policy(` -- allow mailman_mail_t qmail_spool_t:file { read ioctl getattr }; -- # do we really need this? -- allow mailman_mail_t qmail_lspawn_t:fifo_file write; --') --') -+mta_dontaudit_rw_queue(mailman_mail_t) - - ######################################## - # -@@ -104,6 +106,11 @@ - # some of the following could probably be changed to dontaudit, someone who - # knows mailman well should test this out and send the changes - sysadm_search_home_dirs(mailman_queue_t) -+sysadm_getattr_home_dirs(mailman_queue_t) -+ -+optional_policy(` -+ apache_read_config(mailman_queue_t) -+') - - optional_policy(` - cron_system_entry(mailman_queue_t, mailman_queue_exec_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.5.13/policy/modules/services/mailscanner.fc ---- nsaserefpolicy/policy/modules/services/mailscanner.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/mailscanner.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,2 @@ -+/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.5.13/policy/modules/services/mailscanner.if ---- nsaserefpolicy/policy/modules/services/mailscanner.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/mailscanner.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,59 @@ -+## Anti-Virus and Anti-Spam Filter -+ -+######################################## -+## -+## Search mailscanner spool directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mailscanner_search_spool',` -+ gen_require(` -+ type mailscanner_spool_t; -+ ') -+ -+ files_search_spool($1) -+ allow $1 mailscanner_spool_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## read mailscanner spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mailscanner_read_spool',` -+ gen_require(` -+ type mailscanner_spool_t; -+ ') -+ -+ files_search_spool($1) -+ read_files_pattern($1, mailscanner_spool_t, mailscanner_spool_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## mailscanner spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mailscanner_manage_spool',` -+ gen_require(` -+ type mailscanner_spool_t; -+ ') -+ -+ files_search_spool($1) -+ manage_files_pattern($1, mailscanner_spool_t, mailscanner_spool_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.5.13/policy/modules/services/mailscanner.te ---- nsaserefpolicy/policy/modules/services/mailscanner.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/mailscanner.te 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,5 @@ -+ -+policy_module(mailscanner, 1.0.0) -+ -+type mailscanner_spool_t; -+files_type(mailscanner_spool_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.5.13/policy/modules/services/mta.fc ---- nsaserefpolicy/policy/modules/services/mta.fc 2008-09-12 10:48:05.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mta.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -22,7 +22,3 @@ - /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) - /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) - /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) -- --#ifdef(`postfix.te', `', ` --#/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) --#') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.5.13/policy/modules/services/mta.if ---- nsaserefpolicy/policy/modules/services/mta.if 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mta.if 2008-10-28 10:56:19.000000000 -0400 -@@ -133,6 +133,15 @@ - sendmail_create_log($1_mail_t) - ') - -+ optional_policy(` -+ exim_read_log($1_mail_t) -+ exim_append_log($1_mail_t) -+ exim_manage_spool_files($1_mail_t) -+ ') -+ -+ optional_policy(` -+ uucp_manage_spool($1_mail_t) -+ ') - ') - - ####################################### -@@ -220,6 +229,11 @@ - fs_manage_cifs_symlinks($1_mail_t) - ') - -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_files($1_mail_t) -+ fs_manage_nfs_symlinks($1_mail_t) -+ ') -+ - optional_policy(` - allow $1_mail_t self:capability dac_override; - -@@ -423,11 +437,13 @@ - allow $1 mail_spool_t:dir list_dir_perms; - create_files_pattern($1, mail_spool_t, mail_spool_t) - read_files_pattern($1, mail_spool_t, mail_spool_t) -+ append_files_pattern($1, mail_spool_t, mail_spool_t) - create_lnk_files_pattern($1, mail_spool_t, mail_spool_t) - read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) - - optional_policy(` - dovecot_manage_spool($1) -+ dovecot_domtrans_deliver($1) - ') - - optional_policy(` -@@ -462,6 +478,7 @@ - # apache should set close-on-exec - apache_dontaudit_rw_stream_sockets($1) - apache_dontaudit_rw_sys_script_stream_sockets($1) -+ apache_append_log($1) - ') - ') - -@@ -893,6 +910,25 @@ - - ######################################## - ## -+## read mail queue files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mta_read_queue',` -+ gen_require(` -+ type mqueue_spool_t; -+ ') -+ -+ files_search_spool($1) -+ read_files_pattern($1, mqueue_spool_t, mqueue_spool_t) -+') -+ -+######################################## -+## - ## Create, read, write, and delete - ## mail queue files. - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.5.13/policy/modules/services/mta.te ---- nsaserefpolicy/policy/modules/services/mta.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mta.te 2008-10-28 10:56:19.000000000 -0400 -@@ -39,34 +39,50 @@ - # - - # newalias required this, not sure if it is needed in 'if' file --allow system_mail_t self:capability { dac_override }; -+allow system_mail_t self:capability { dac_override fowner }; -+allow system_mail_t self:fifo_file rw_fifo_file_perms; - - read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) -+read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) - - allow system_mail_t mta_exec_type:file entrypoint; - --allow system_mail_t mailcontent_type:file read_file_perms; -+can_exec(system_mail_t, mta_exec_type) -+ -+files_read_all_tmp_files(system_mail_t) - - kernel_read_system_state(system_mail_t) - kernel_read_network_state(system_mail_t) - -+dev_read_sysfs(system_mail_t) - dev_read_rand(system_mail_t) - dev_read_urand(system_mail_t) - -+fs_rw_anon_inodefs_files(system_mail_t) -+fs_list_inotifyfs(system_mail_t) -+ -+selinux_getattr_fs(system_mail_t) -+ - init_use_script_ptys(system_mail_t) - -+logging_append_all_logs(system_mail_t) -+ -+files_dontaudit_search_home(system_mail_t) - sysadm_use_terms(system_mail_t) - sysadm_dontaudit_search_home_dirs(system_mail_t) -+userdom_dontaudit_search_all_users_home_content(system_mail_t) - - optional_policy(` - apache_read_squirrelmail_data(system_mail_t) - apache_append_squirrelmail_data(system_mail_t) -+ apache_search_bugzilla_dirs(system_mail_t) - - # apache should set close-on-exec - apache_dontaudit_append_log(system_mail_t) - apache_dontaudit_rw_stream_sockets(system_mail_t) - apache_dontaudit_rw_tcp_sockets(system_mail_t) - apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) -+ apache_dontaudit_rw_bugzilla_script_stream_sockets(system_mail_t) - ') - - optional_policy(` -@@ -80,6 +96,13 @@ - optional_policy(` - cron_read_system_job_tmp_files(system_mail_t) - cron_dontaudit_write_pipes(system_mail_t) -+ cron_rw_system_stream_sockets(system_mail_t) -+') -+ -+optional_policy(` -+ courier_manage_spool_dirs(system_mail_t) -+ courier_manage_spool_files(system_mail_t) -+ courier_rw_spool_pipes(system_mail_t) - ') - - optional_policy(` -@@ -87,6 +110,11 @@ - ') - - optional_policy(` -+ exim_domtrans(system_mail_t) -+ exim_manage_log(system_mail_t) -+') -+ -+optional_policy(` - logrotate_read_tmp_files(system_mail_t) - ') - -@@ -119,10 +147,6 @@ - # compatability for old default main.cf - postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) - ') -- -- optional_policy(` -- cron_rw_tcp_sockets(system_mail_t) -- ') - ') - - optional_policy(` -@@ -142,11 +166,40 @@ - ') - - optional_policy(` -+ clamav_stream_connect(system_mail_t) -+ clamav_append_log(system_mail_t) -+') -+ -+optional_policy(` -+ fail2ban_append_log(system_mail_t) -+') -+ -+optional_policy(` -+ spamd_stream_connect(system_mail_t) -+') -+ -+optional_policy(` - smartmon_read_tmp_files(system_mail_t) - ') - --# should break this up among sections: -+read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -+ -+init_stream_connect_script(mailserver_delivery) -+init_rw_script_stream_sockets(mailserver_delivery) -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(mailserver_delivery) -+ fs_manage_cifs_files(mailserver_delivery) -+ fs_manage_cifs_symlinks(mailserver_delivery) -+') - -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_dirs(mailserver_delivery) -+ fs_manage_nfs_files(mailserver_delivery) -+ fs_manage_nfs_symlinks(mailserver_delivery) -+') -+ -+# should break this up among sections: - optional_policy(` - # why is mail delivered to a directory of type arpwatch_data_t? - arpwatch_search_data(mailserver_delivery) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.5.13/policy/modules/services/munin.fc ---- nsaserefpolicy/policy/modules/services/munin.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/munin.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,4 +1,5 @@ - /etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) -+/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0) - - /usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) - /usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) -@@ -6,6 +7,8 @@ - /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) - - /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) --/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0) -+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) - /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) --/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) -+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) -+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.5.13/policy/modules/services/munin.if ---- nsaserefpolicy/policy/modules/services/munin.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/munin.if 2008-10-28 10:56:19.000000000 -0400 -@@ -80,3 +80,76 @@ - - dontaudit $1 munin_var_lib_t:dir search_dir_perms; - ') -+ -+######################################## -+## -+## Allow the specified domain to append -+## to munin log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`munin_append_log',` -+ gen_require(` -+ type munin_log_t; -+ ') -+ -+ logging_search_logs($1) -+ allow $1 munin_log_t:dir list_dir_perms; -+ append_files_pattern($1, munin_log_t, munin_log_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an munin environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the munin domain. -+## -+## -+## -+# -+interface(`munin_admin',` -+ gen_require(` -+ type munin_t, munin_etc_t, munin_tmp_t; -+ type munin_log_t, munin_var_lib_t, munin_var_run_t; -+ type httpd_munin_content_t; -+ type munin_initrc_exec_t; -+ ') -+ -+ allow $1 munin_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, munin_t) -+ -+ init_labeled_script_domtrans($1, munin_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 munin_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, munin_tmp_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, munin_log_t) -+ -+ files_list_etc($1) -+ admin_pattern($1, munin_etc_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, munin_var_lib_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, munin_var_run_t) -+ -+ admin_pattern($1, httpd_munin_content_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.5.13/policy/modules/services/munin.te ---- nsaserefpolicy/policy/modules/services/munin.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-10-28 19:45:12.000000000 -0400 -@@ -13,6 +13,9 @@ - type munin_etc_t alias lrrd_etc_t; - files_config_file(munin_etc_t) - -+type munin_initrc_exec_t; -+init_script_file(munin_initrc_exec_t) -+ - type munin_log_t alias lrrd_log_t; - logging_log_file(munin_log_t) - -@@ -30,21 +33,25 @@ - # Local policy - # - --allow munin_t self:capability { setgid setuid }; -+allow munin_t self:capability { chown dac_override setgid setuid sys_rawio }; - dontaudit munin_t self:capability sys_tty_config; - allow munin_t self:process { getsched setsched signal_perms }; - allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow munin_t self:unix_dgram_socket { create_socket_perms sendto }; - allow munin_t self:tcp_socket create_stream_socket_perms; - allow munin_t self:udp_socket create_socket_perms; -+allow munin_t self:fifo_file manage_fifo_file_perms; -+ -+can_exec(munin_t, munin_exec_t) - - allow munin_t munin_etc_t:dir list_dir_perms; - read_files_pattern(munin_t, munin_etc_t, munin_etc_t) - read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t) - files_search_etc(munin_t) - --allow munin_t munin_log_t:file manage_file_perms; --logging_log_filetrans(munin_t, munin_log_t, file) -+manage_dirs_pattern(munin_t, munin_log_t, munin_log_t) -+manage_files_pattern(munin_t, munin_log_t, munin_log_t) -+logging_log_filetrans(munin_t, munin_log_t, { file dir }) - - manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t) - manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t) -@@ -61,9 +68,11 @@ - files_pid_filetrans(munin_t, munin_var_run_t, file) - - kernel_read_system_state(munin_t) --kernel_read_kernel_sysctls(munin_t) -+kernel_read_network_state(munin_t) -+kernel_read_all_sysctls(munin_t) - - corecmd_exec_bin(munin_t) -+corecmd_exec_shell(munin_t) - - corenet_all_recvfrom_unlabeled(munin_t) - corenet_all_recvfrom_netlabel(munin_t) -@@ -73,30 +82,39 @@ - corenet_udp_sendrecv_all_nodes(munin_t) - corenet_tcp_sendrecv_all_ports(munin_t) - corenet_udp_sendrecv_all_ports(munin_t) -+corenet_tcp_bind_munin_port(munin_t) -+corenet_tcp_connect_munin_port(munin_t) -+corenet_tcp_connect_http_port(munin_t) -+corenet_tcp_bind_all_nodes(munin_t) - - dev_read_sysfs(munin_t) - dev_read_urand(munin_t) - - domain_use_interactive_fds(munin_t) -+domain_read_all_domains_state(munin_t) - - files_read_etc_files(munin_t) - files_read_etc_runtime_files(munin_t) - files_read_usr_files(munin_t) -+files_list_spool(munin_t) - - fs_getattr_all_fs(munin_t) - fs_search_auto_mountpoints(munin_t) - -+auth_use_nsswitch(munin_t) -+ - libs_use_ld_so(munin_t) - libs_use_shared_libs(munin_t) - - logging_send_syslog_msg(munin_t) - -+miscfiles_read_fonts(munin_t) - miscfiles_read_localization(munin_t) - --sysnet_read_config(munin_t) -+sysnet_exec_ifconfig(munin_t) -+netutils_domtrans_ping(munin_t) - - userdom_dontaudit_use_unpriv_user_fds(munin_t) -- - sysadm_dontaudit_search_home_dirs(munin_t) - - optional_policy(` -@@ -109,7 +127,21 @@ - ') - - optional_policy(` -- nis_use_ypbind(munin_t) -+ fstools_domtrans(munin_t) -+') -+ -+optional_policy(` -+ mta_read_config(munin_t) -+ mta_send_mail(munin_t) -+') -+ -+optional_policy(` -+ mysql_read_config(munin_t) -+ mysql_stream_connect(munin_t) -+') -+ -+optional_policy(` -+ sendmail_read_log(munin_t) - ') - - optional_policy(` -@@ -119,3 +151,9 @@ - optional_policy(` - udev_read_db(munin_t) - ') -+ -+#============= http munin policy ============== -+apache_content_template(munin) -+ -+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) -+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.5.13/policy/modules/services/mysql.fc ---- nsaserefpolicy/policy/modules/services/mysql.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mysql.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -5,6 +5,7 @@ - # - /etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) - /etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0) -+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) - - # - # /usr -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.5.13/policy/modules/services/mysql.if ---- nsaserefpolicy/policy/modules/services/mysql.if 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mysql.if 2008-10-28 10:56:19.000000000 -0400 -@@ -53,9 +53,11 @@ - interface(`mysql_stream_connect',` - gen_require(` - type mysqld_t, mysqld_var_run_t; -+ type mysqld_db_t; - ') - - stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t) -+ stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) - ') - - ######################################## -@@ -157,7 +159,7 @@ - - files_search_var_lib($1) - allow $1 mysqld_db_t:dir search; -- allow $1 mysqld_db_t:sock_file rw_sock_file_perms; -+ allow $1 mysqld_db_t:sock_file rw_file_perms; - ') - - ######################################## -@@ -178,3 +180,47 @@ - logging_search_logs($1) - allow $1 mysqld_log_t:file { write append setattr ioctl }; - ') -+ -+######################################## -+## -+## All of the rules required to administrate an mysql environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the mysql domain. -+## -+## -+## -+# -+interface(`mysql_admin',` -+ -+ gen_require(` -+ type mysqld_t, mysqld_var_run_t; -+ type mysqld_tmp_t, mysqld_db_t; -+ type mysqld_etc_t, mysqld_log_t; -+ type mysqld_initrc_exec_t; -+ ') -+ -+ allow $1 mysqld_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, mysqld_t) -+ -+ init_labeled_script_domtrans($1, mysqld_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 mysqld_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ admin_pattern($1, mysqld_var_run_t) -+ -+ admin_pattern($1, mysqld_db_t) -+ -+ admin_pattern($1, mysqld_etc_t) -+ -+ admin_pattern($1, mysqld_log_t) -+ -+ admin_pattern($1, mysqld_tmp_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.5.13/policy/modules/services/mysql.te ---- nsaserefpolicy/policy/modules/services/mysql.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mysql.te 2008-10-28 10:56:19.000000000 -0400 -@@ -19,6 +19,9 @@ - type mysqld_etc_t alias etc_mysqld_t; - files_config_file(mysqld_etc_t) - -+type mysqld_initrc_exec_t; -+init_script_file(mysqld_initrc_exec_t) -+ - type mysqld_log_t; - logging_log_file(mysqld_log_t) - -@@ -34,6 +37,7 @@ - dontaudit mysqld_t self:capability sys_tty_config; - allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; - allow mysqld_t self:fifo_file rw_fifo_file_perms; -+allow mysqld_t self:shm create_shm_perms; - allow mysqld_t self:unix_stream_socket create_stream_socket_perms; - allow mysqld_t self:tcp_socket create_stream_socket_perms; - allow mysqld_t self:udp_socket create_socket_perms; -@@ -79,6 +83,7 @@ - - fs_getattr_all_fs(mysqld_t) - fs_search_auto_mountpoints(mysqld_t) -+fs_rw_hugetlbfs_files(mysqld_t) - - domain_use_interactive_fds(mysqld_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.5.13/policy/modules/services/nagios.fc ---- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nagios.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,16 +1,19 @@ - /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) - /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) -+/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) - - /usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) - /usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) - --/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) --/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) -+/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) - - /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) --/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) -+ -+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) - - ifdef(`distro_debian',` - /usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) --/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) - ') -+/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.5.13/policy/modules/services/nagios.if ---- nsaserefpolicy/policy/modules/services/nagios.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nagios.if 2008-10-28 10:56:19.000000000 -0400 -@@ -44,7 +44,7 @@ - - ######################################## - ## --## Execute the nagios CGI with -+## Execute the nagios NRPE with - ## a domain transition. - ## - ## -@@ -53,29 +53,62 @@ - ## - ## - # --interface(`nagios_domtrans_cgi',` -+interface(`nagios_domtrans_nrpe',` - gen_require(` -- type nagios_cgi_t, nagios_cgi_exec_t; -+ type nrpe_t, nrpe_exec_t; - ') - -- domtrans_pattern($1, nagios_cgi_exec_t, nagios_cgi_t) -+ domtrans_pattern($1, nrpe_exec_t, nrpe_t) - ') - - ######################################## - ## --## Execute the nagios NRPE with --## a domain transition. -+## All of the rules required to administrate -+## an nagios environment - ## - ## - ## - ## Domain allowed access. - ## - ## -+## -+## -+## The role to be allowed to manage the nagios domain. -+## -+## -+## - # --interface(`nagios_domtrans_nrpe',` -+interface(`nagios_admin',` - gen_require(` -- type nrpe_t, nrpe_exec_t; -+ type nagios_t, nrpe_t; -+ type nagios_tmp_t, nagios_log_t; -+ type nagios_etc_t, nrpe_etc_t; -+ type nagios_spool_t, nagios_var_run_t; -+ type nagios_initrc_exec_t; - ') - -- domtrans_pattern($1, nrpe_exec_t, nrpe_t) -+ allow $1 nagios_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, nagios_t) -+ -+ init_labeled_script_domtrans($1, nagios_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 nagios_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, nagios_tmp_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, nagios_log_t) -+ -+ files_list_etc($1) -+ admin_pattern($1, nagios_etc_t) -+ -+ files_list_spool($1) -+ admin_pattern($1, nagios_spool_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, nagios_var_run_t) -+ -+ admin_pattern($1, nrpe_etc_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.5.13/policy/modules/services/nagios.te ---- nsaserefpolicy/policy/modules/services/nagios.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nagios.te 2008-10-28 10:56:19.000000000 -0400 -@@ -10,13 +10,12 @@ - type nagios_exec_t; - init_daemon_domain(nagios_t, nagios_exec_t) - --type nagios_cgi_t; --type nagios_cgi_exec_t; --init_system_domain(nagios_cgi_t, nagios_cgi_exec_t) -- - type nagios_etc_t; - files_config_file(nagios_etc_t) - -+type nagios_initrc_exec_t; -+init_script_file(nagios_initrc_exec_t) -+ - type nagios_log_t; - logging_log_file(nagios_log_t) - -@@ -26,6 +25,9 @@ - type nagios_var_run_t; - files_pid_file(nagios_var_run_t) - -+type nagios_spool_t; -+files_type(nagios_spool_t) -+ - type nrpe_t; - type nrpe_exec_t; - init_daemon_domain(nrpe_t, nrpe_exec_t) -@@ -60,6 +62,8 @@ - manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) - files_pid_filetrans(nagios_t, nagios_var_run_t, file) - -+rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) -+ - kernel_read_system_state(nagios_t) - kernel_read_kernel_sysctls(nagios_t) - -@@ -131,42 +135,34 @@ - # - # Nagios CGI local policy - # -+apache_content_template(nagios) -+typealias httpd_nagios_script_t alias nagios_cgi_t; -+typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t; - --allow nagios_cgi_t self:process signal_perms; --allow nagios_cgi_t self:fifo_file rw_fifo_file_perms; -- --read_files_pattern(nagios_cgi_t, nagios_t, nagios_t) --read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -+allow httpd_nagios_script_t self:process signal_perms; - --allow nagios_cgi_t nagios_etc_t:dir list_dir_perms; --read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) --read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) - --allow nagios_cgi_t nagios_log_t:dir list_dir_perms; --read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) --read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) -+files_search_spool(httpd_nagios_script_t) -+rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) - --kernel_read_system_state(nagios_cgi_t) -+allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; -+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) - --corecmd_exec_bin(nagios_cgi_t) -+allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; -+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) - --domain_dontaudit_read_all_domains_state(nagios_cgi_t) -+kernel_read_system_state(httpd_nagios_script_t) - --files_read_etc_files(nagios_cgi_t) --files_read_etc_runtime_files(nagios_cgi_t) --files_read_kernel_symbol_table(nagios_cgi_t) -+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) - --libs_use_ld_so(nagios_cgi_t) --libs_use_shared_libs(nagios_cgi_t) -+files_read_etc_runtime_files(httpd_nagios_script_t) -+files_read_kernel_symbol_table(httpd_nagios_script_t) - --logging_send_syslog_msg(nagios_cgi_t) --logging_search_logs(nagios_cgi_t) -- --miscfiles_read_localization(nagios_cgi_t) -- --optional_policy(` -- apache_append_log(nagios_cgi_t) --') -+logging_send_syslog_msg(httpd_nagios_script_t) - - ######################################## - # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.5.13/policy/modules/services/networkmanager.fc ---- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,8 +1,12 @@ -+/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) -+ - /sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) - /sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) - - /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) - /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -+/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) - - /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) - -@@ -10,3 +14,4 @@ - /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) - /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) - /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.5.13/policy/modules/services/networkmanager.if ---- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.if 2008-10-28 10:56:19.000000000 -0400 -@@ -118,6 +118,24 @@ - - ######################################## - ## -+## Execute NetworkManager scripts with an automatic domain transition to initrc. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`networkmanager_initrc_domtrans',` -+ gen_require(` -+ type NetworkManager_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) -+') -+ -+######################################## -+## - ## Read NetworkManager PID files. - ## - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.13/policy/modules/services/networkmanager.te ---- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2008-10-30 11:44:48.000000000 -0400 -@@ -33,9 +33,9 @@ - - # networkmanager will ptrace itself if gdb is installed - # and it receives a unexpected signal (rh bug #204161) --allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock }; -+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock }; - dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; --allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms }; -+allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; - allow NetworkManager_t self:fifo_file rw_fifo_file_perms; - allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; - allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; -@@ -51,8 +51,8 @@ - manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) - logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) - --rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) --files_search_tmp(NetworkManager_t) -+manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) -+files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file) - - manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) - manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) -@@ -63,6 +63,8 @@ - kernel_read_network_state(NetworkManager_t) - kernel_read_kernel_sysctls(NetworkManager_t) - kernel_load_module(NetworkManager_t) -+kernel_read_debugfs(NetworkManager_t) -+kernel_rw_net_sysctls(NetworkManager_t) - - corenet_all_recvfrom_unlabeled(NetworkManager_t) - corenet_all_recvfrom_netlabel(NetworkManager_t) -@@ -81,13 +83,16 @@ - corenet_sendrecv_isakmp_server_packets(NetworkManager_t) - corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) - corenet_sendrecv_all_client_packets(NetworkManager_t) -+corenet_rw_tun_tap_dev(NetworkManager_t) - - dev_read_sysfs(NetworkManager_t) - dev_read_rand(NetworkManager_t) - dev_read_urand(NetworkManager_t) -+dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) - - fs_getattr_all_fs(NetworkManager_t) - fs_search_auto_mountpoints(NetworkManager_t) -+fs_list_inotifyfs(NetworkManager_t) - - mls_file_read_all_levels(NetworkManager_t) - -@@ -104,9 +109,14 @@ - files_read_etc_runtime_files(NetworkManager_t) - files_read_usr_files(NetworkManager_t) - -+storage_getattr_fixed_disk_dev(NetworkManager_t) -+ - init_read_utmp(NetworkManager_t) -+init_dontaudit_write_utmp(NetworkManager_t) - init_domtrans_script(NetworkManager_t) - -+auth_use_nsswitch(NetworkManager_t) -+ - libs_use_ld_so(NetworkManager_t) - libs_use_shared_libs(NetworkManager_t) - -@@ -119,27 +129,40 @@ - - seutil_read_config(NetworkManager_t) - --sysnet_domtrans_ifconfig(NetworkManager_t) -+sysnet_etc_filetrans_config(NetworkManager_t) -+sysnet_delete_dhcpc_pid(NetworkManager_t) - sysnet_domtrans_dhcpc(NetworkManager_t) --sysnet_signal_dhcpc(NetworkManager_t) -+sysnet_domtrans_ifconfig(NetworkManager_t) -+sysnet_kill_dhcpc(NetworkManager_t) -+sysnet_manage_config(NetworkManager_t) -+sysnet_read_dhcp_config(NetworkManager_t) - sysnet_read_dhcpc_pid(NetworkManager_t) --sysnet_delete_dhcpc_pid(NetworkManager_t) - sysnet_search_dhcp_state(NetworkManager_t) --# in /etc created by NetworkManager will be labelled net_conf_t. --sysnet_manage_config(NetworkManager_t) --sysnet_etc_filetrans_config(NetworkManager_t) -+sysnet_signal_dhcpc(NetworkManager_t) - - userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) - userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t) - # Read gnome-keyring - userdom_read_unpriv_users_home_content_files(NetworkManager_t) -+unprivuser_stream_connect(NetworkManager_t) - - sysadm_dontaudit_search_home_dirs(NetworkManager_t) - -+cron_read_system_job_lib_files(NetworkManager_t) -+ -+optional_policy(` -+ avahi_domtrans(NetworkManager_t) -+ avahi_sigkill(NetworkManager_t) -+ avahi_signal(NetworkManager_t) -+ avahi_signull(NetworkManager_t) -+') -+ - optional_policy(` - bind_domtrans(NetworkManager_t) - bind_manage_cache(NetworkManager_t) -+ bind_sigkill(NetworkManager_t) - bind_signal(NetworkManager_t) -+ bind_signull(NetworkManager_t) - ') - - optional_policy(` -@@ -151,8 +174,21 @@ - ') - - optional_policy(` -- dbus_system_bus_client_template(NetworkManager, NetworkManager_t) -- dbus_connect_system_bus(NetworkManager_t) -+ dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) -+') -+ -+optional_policy(` -+ dnsmasq_read_pid_files(NetworkManager_t) -+ dnsmasq_delete_pid_files(NetworkManager_t) -+ dnsmasq_domtrans(NetworkManager_t) -+ dnsmasq_initrc_domtrans(NetworkManager_t) -+ dnsmasq_sigkill(NetworkManager_t) -+ dnsmasq_signal(NetworkManager_t) -+ dnsmasq_signull(NetworkManager_t) -+') -+ -+optional_policy(` -+ hal_write_log(NetworkManager_t) - ') - - optional_policy(` -@@ -160,23 +196,48 @@ - ') - - optional_policy(` -- nis_use_ypbind(NetworkManager_t) -+ iptables_domtrans(NetworkManager_t) - ') - - optional_policy(` -- nscd_socket_use(NetworkManager_t) -+ nscd_domtrans(NetworkManager_t) - nscd_signal(NetworkManager_t) -+ nscd_signull(NetworkManager_t) -+ nscd_sigkill(NetworkManager_t) -+ nscd_initrc_domtrans(NetworkManager_t) -+') -+ -+optional_policy(` -+ # Dispatcher starting and stoping ntp -+ ntp_initrc_domtrans(NetworkManager_t) - ') - - optional_policy(` - openvpn_domtrans(NetworkManager_t) -+ openvpn_sigkill(NetworkManager_t) - openvpn_signal(NetworkManager_t) -+ openvpn_signull(NetworkManager_t) -+') -+ -+optional_policy(` -+ polkit_domtrans_auth(NetworkManager_t) -+ polkit_read_lib(NetworkManager_t) - ') - - optional_policy(` -+ ppp_initrc_domtrans(NetworkManager_t) - ppp_domtrans(NetworkManager_t) - ppp_read_pid_files(NetworkManager_t) -+ ppp_sigkill(NetworkManager_t) - ppp_signal(NetworkManager_t) -+ ppp_signull(NetworkManager_t) -+ ppp_read_config(NetworkManager_t) -+') -+ -+optional_policy(` -+ rpm_exec(NetworkManager_t) -+ rpm_read_db(NetworkManager_t) -+ rpm_dontaudit_manage_db(NetworkManager_t) - ') - - optional_policy(` -@@ -194,7 +255,9 @@ - - optional_policy(` - vpn_domtrans(NetworkManager_t) -+ vpn_sigkill(NetworkManager_t) - vpn_signal(NetworkManager_t) -+ vpn_signull(NetworkManager_t) - ') - - ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.5.13/policy/modules/services/nis.fc ---- nsaserefpolicy/policy/modules/services/nis.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nis.fc 2008-11-03 13:40:14.000000000 -0500 -@@ -1,9 +1,13 @@ -- -+/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) - /etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) - - /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) - - /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) -+/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) - - /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) - /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.5.13/policy/modules/services/nis.if ---- nsaserefpolicy/policy/modules/services/nis.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nis.if 2008-11-03 17:06:55.000000000 -0500 -@@ -28,7 +28,7 @@ - type var_yp_t; - ') - -- dontaudit $1 self:capability net_bind_service; -+ allow $1 self:capability net_bind_service; - - allow $1 self:tcp_socket create_stream_socket_perms; - allow $1 self:udp_socket create_socket_perms; -@@ -49,8 +49,8 @@ - corenet_udp_bind_all_nodes($1) - corenet_tcp_bind_generic_port($1) - corenet_udp_bind_generic_port($1) -- corenet_tcp_bind_reserved_port($1) -- corenet_udp_bind_reserved_port($1) -+ corenet_dontaudit_tcp_bind_all_reserved_ports($1) -+ corenet_dontaudit_udp_bind_all_reserved_ports($1) - corenet_dontaudit_tcp_bind_all_ports($1) - corenet_dontaudit_udp_bind_all_ports($1) - corenet_tcp_connect_portmap_port($1) -@@ -87,6 +87,25 @@ - - ######################################## - ## -+## Use the nis to authenticate passwords -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+## -+# -+interface(`nis_authenticate',` -+ tunable_policy(`allow_ypbind',` -+ nis_use_ypbind_uncond($1) -+ corenet_tcp_bind_all_rpc_ports($1) -+ corenet_udp_bind_all_rpc_ports($1) -+ ') -+') -+ -+######################################## -+## - ## Execute ypbind in the ypbind domain. - ## - ## -@@ -244,3 +263,104 @@ - corecmd_search_bin($1) - domtrans_pattern($1, ypxfr_exec_t, ypxfr_t) - ') -+ -+######################################## -+## -+## Execute nis server in the nis domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+# -+interface(`nis_initrc_domtrans',` -+ gen_require(` -+ type nis_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, nis_initrc_exec_t) -+') -+ -+######################################## -+## -+## Execute nis server in the nis domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`nis_ypbind_initrc_domtrans',` -+ gen_require(` -+ type ypbind_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, ypbind_initrc_exec_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an nis environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the nis domain. -+## -+## -+## -+# -+interface(`nis_admin',` -+ gen_require(` -+ type ypbind_t, yppasswdd_t; -+ type ypserv_t, ypxfr_t; -+ type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; -+ type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; -+ type ypbind_initrc_exec_t; -+ type nis_initrc_exec_t; -+ ') -+ -+ allow $1 ypbind_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, ypbind_t) -+ -+ allow $1 yppasswdd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, yppasswdd_t) -+ -+ allow $1 ypserv_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, ypserv_t) -+ -+ allow $1 ypxfr_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, ypxfr_t) -+ -+ nis_initrc_domtrans($1) -+ nis_ypbind_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 nis_initrc_exec_t system_r; -+ role_transition $2 ypbind_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, ypbind_tmp_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, ypbind_var_run_t) -+ -+ admin_pattern($1, yppasswdd_var_run_t) -+ -+ files_list_etc($1) -+ admin_pattern($1, ypserv_conf_t) -+ -+ admin_pattern($1, ypserv_tmp_t) -+ -+ admin_pattern($1, ypserv_var_run_t) -+') -+ -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.5.13/policy/modules/services/nis.te ---- nsaserefpolicy/policy/modules/services/nis.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nis.te 2008-11-03 13:39:45.000000000 -0500 -@@ -13,6 +13,9 @@ - type ypbind_exec_t; - init_daemon_domain(ypbind_t, ypbind_exec_t) - -+type ypbind_initrc_exec_t; -+init_script_file(ypbind_initrc_exec_t) -+ - type ypbind_tmp_t; - files_tmp_file(ypbind_tmp_t) - -@@ -44,6 +47,9 @@ - type ypxfr_exec_t; - init_daemon_domain(ypxfr_t, ypxfr_exec_t) - -+type nis_initrc_exec_t; -+init_script_file(nis_initrc_exec_t) -+ - ######################################## - # - # ypbind local policy -@@ -111,9 +117,19 @@ - sysnet_read_config(ypbind_t) - - userdom_dontaudit_use_unpriv_user_fds(ypbind_t) -- - sysadm_dontaudit_search_home_dirs(ypbind_t) - -+ -+optional_policy(` -+ dbus_system_bus_client_template(ypbind, ypbind_t) -+ dbus_connect_system_bus(ypbind_t) -+ init_dbus_chat_script(ypbind_t) -+ -+ optional_policy(` -+ networkmanager_dbus_chat(ypbind_t) -+ ') -+') -+ - optional_policy(` - seutil_sigchld_newrole(ypbind_t) - ') -@@ -127,6 +143,7 @@ - # yppasswdd local policy - # - -+allow yppasswdd_t self:capability dac_override; - dontaudit yppasswdd_t self:capability sys_tty_config; - allow yppasswdd_t self:fifo_file rw_fifo_file_perms; - allow yppasswdd_t self:process { setfscreate signal_perms }; -@@ -157,8 +174,8 @@ - corenet_udp_sendrecv_all_ports(yppasswdd_t) - corenet_tcp_bind_all_nodes(yppasswdd_t) - corenet_udp_bind_all_nodes(yppasswdd_t) --corenet_tcp_bind_reserved_port(yppasswdd_t) --corenet_udp_bind_reserved_port(yppasswdd_t) -+corenet_tcp_bind_all_rpc_ports(yppasswdd_t) -+corenet_udp_bind_all_rpc_ports(yppasswdd_t) - corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) - corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) - corenet_sendrecv_generic_server_packets(yppasswdd_t) -@@ -249,6 +266,8 @@ - corenet_udp_bind_all_nodes(ypserv_t) - corenet_tcp_bind_reserved_port(ypserv_t) - corenet_udp_bind_reserved_port(ypserv_t) -+corenet_tcp_bind_all_rpc_ports(ypserv_t) -+corenet_udp_bind_all_rpc_ports(ypserv_t) - corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) - corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) - corenet_sendrecv_generic_server_packets(ypserv_t) -@@ -318,6 +337,8 @@ - corenet_udp_bind_all_nodes(ypxfr_t) - corenet_tcp_bind_reserved_port(ypxfr_t) - corenet_udp_bind_reserved_port(ypxfr_t) -+corenet_tcp_bind_all_rpc_ports(ypxfr_t) -+corenet_udp_bind_all_rpc_ports(ypxfr_t) - corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) - corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) - corenet_tcp_connect_all_ports(ypxfr_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.5.13/policy/modules/services/nscd.fc ---- nsaserefpolicy/policy/modules/services/nscd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nscd.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,3 +1,4 @@ -+/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) - - /usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.5.13/policy/modules/services/nscd.if ---- nsaserefpolicy/policy/modules/services/nscd.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nscd.if 2008-11-03 13:42:37.000000000 -0500 -@@ -2,7 +2,27 @@ - - ######################################## - ## --## Send generic signals to NSCD. -+## Execute NSCD in the nscd domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`nscd_domtrans',` -+ gen_require(` -+ type nscd_t, nscd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, nscd_exec_t, nscd_t) -+') -+ -+######################################## -+## -+## Allow the specified domain to execute nscd -+## in the caller domain. - ## - ## - ## -@@ -10,37 +30,53 @@ - ## - ## - # --interface(`nscd_signal',` -+interface(`nscd_exec',` -+ gen_require(` -+ type nscd_exec_t; -+ ') -+ -+ can_exec($1, nscd_exec_t) -+') -+ -+######################################## -+## -+## Send sigkills to NSCD. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`nscd_sigkill',` - gen_require(` - type nscd_t; - ') - -- allow $1 nscd_t:process signal; -+ allow $1 nscd_t:process sigkill; - ') - - ######################################## - ## --## Execute NSCD in the nscd domain. -+## Send generic signals to NSCD. - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # --interface(`nscd_domtrans',` -+interface(`nscd_signal',` - gen_require(` -- type nscd_t, nscd_exec_t; -+ type nscd_t; - ') - -- corecmd_search_bin($1) -- domtrans_pattern($1, nscd_exec_t, nscd_t) -+ allow $1 nscd_t:process signal; - ') - - ######################################## - ## --## Allow the specified domain to execute nscd --## in the caller domain. -+## Send signulls to NSCD. - ## - ## - ## -@@ -48,12 +84,12 @@ - ## - ## - # --interface(`nscd_exec',` -+interface(`nscd_signull',` - gen_require(` -- type nscd_exec_t; -+ type nscd_t; - ') - -- can_exec($1, nscd_exec_t) -+ allow $1 nscd_t:process signull; - ') - - ######################################## -@@ -70,15 +106,14 @@ - interface(`nscd_socket_use',` - gen_require(` - type nscd_t, nscd_var_run_t; -- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; -+ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv }; - ') - - allow $1 self:unix_stream_socket create_socket_perms; - - allow $1 nscd_t:nscd { getpwd getgrp gethost }; - dontaudit $1 nscd_t:fd use; -- dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost }; -- -+ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; - files_search_pids($1) - stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) - dontaudit $1 nscd_var_run_t:file { getattr read }; -@@ -204,3 +239,60 @@ - role $2 types nscd_t; - dontaudit nscd_t $3:chr_file rw_term_perms; - ') -+ -+######################################## -+## -+## Execute nscd server in the nscd domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`nscd_initrc_domtrans',` -+ gen_require(` -+ type nscd_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, nscd_initrc_exec_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an nscd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the nscd domain. -+## -+## -+## -+# -+interface(`nscd_admin',` -+ gen_require(` -+ type nscd_t, nscd_log_t, nscd_var_run_t; -+ type nscd_initrc_exec_t; -+ ') -+ -+ allow $1 nscd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, nscd_t) -+ -+ nscd_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 nscd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ logging_list_logs($1) -+ admin_pattern($1, nscd_log_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, nscd_var_run_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.5.13/policy/modules/services/nscd.te ---- nsaserefpolicy/policy/modules/services/nscd.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nscd.te 2008-11-03 13:39:13.000000000 -0500 -@@ -20,6 +20,9 @@ - type nscd_exec_t; - init_daemon_domain(nscd_t, nscd_exec_t) - -+type nscd_initrc_exec_t; -+init_script_file(nscd_initrc_exec_t) -+ - type nscd_log_t; - logging_log_file(nscd_log_t) - -@@ -28,14 +31,14 @@ - # Local policy - # - --allow nscd_t self:capability { kill setgid setuid audit_write }; -+allow nscd_t self:capability { kill setgid setuid }; - dontaudit nscd_t self:capability sys_tty_config; --allow nscd_t self:process { getattr setsched signal_perms }; -+allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; - allow nscd_t self:fifo_file read_fifo_file_perms; - allow nscd_t self:unix_stream_socket create_stream_socket_perms; - allow nscd_t self:unix_dgram_socket create_socket_perms; - allow nscd_t self:netlink_selinux_socket create_socket_perms; --allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -+ - allow nscd_t self:tcp_socket create_socket_perms; - allow nscd_t self:udp_socket create_socket_perms; - -@@ -50,6 +53,8 @@ - manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) - files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file }) - -+can_exec(nscd_t, nscd_exec_t) -+ - kernel_read_kernel_sysctls(nscd_t) - kernel_list_proc(nscd_t) - kernel_read_proc_symlinks(nscd_t) -@@ -60,6 +65,7 @@ - - fs_getattr_all_fs(nscd_t) - fs_search_auto_mountpoints(nscd_t) -+fs_list_inotifyfs(nscd_t) - - # for when /etc/passwd has just been updated and has the wrong type - auth_getattr_shadow(nscd_t) -@@ -73,6 +79,7 @@ - corenet_udp_sendrecv_all_nodes(nscd_t) - corenet_tcp_sendrecv_all_ports(nscd_t) - corenet_udp_sendrecv_all_ports(nscd_t) -+corenet_udp_bind_all_nodes(nscd_t) - corenet_tcp_connect_all_ports(nscd_t) - corenet_sendrecv_all_client_packets(nscd_t) - corenet_rw_tun_tap_dev(nscd_t) -@@ -84,6 +91,7 @@ - selinux_compute_relabel_context(nscd_t) - selinux_compute_user_contexts(nscd_t) - domain_use_interactive_fds(nscd_t) -+domain_search_all_domains_state(nscd_t) - - files_read_etc_files(nscd_t) - files_read_generic_tmp_symlinks(nscd_t) -@@ -93,6 +101,7 @@ - libs_use_ld_so(nscd_t) - libs_use_shared_libs(nscd_t) - -+logging_send_audit_msgs(nscd_t) - logging_send_syslog_msg(nscd_t) - - miscfiles_read_localization(nscd_t) -@@ -108,6 +117,14 @@ - sysadm_dontaudit_search_home_dirs(nscd_t) - - optional_policy(` -+ cron_read_system_job_tmp_files(nscd_t) -+') -+ -+optional_policy(` -+ kerberos_use(nscd_t) -+') -+ -+optional_policy(` - udev_read_db(nscd_t) - ') - -@@ -115,3 +132,12 @@ - xen_dontaudit_rw_unix_stream_sockets(nscd_t) - xen_append_log(nscd_t) - ') -+ -+optional_policy(` -+ tunable_policy(`samba_domain_controller',` -+ samba_append_log(nscd_t) -+ samba_dontaudit_use_fds(nscd_t) -+ ') -+ samba_read_config(nscd_t) -+ samba_read_var_files(nscd_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.5.13/policy/modules/services/ntp.if ---- nsaserefpolicy/policy/modules/services/ntp.if 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ntp.if 2008-10-28 10:56:19.000000000 -0400 -@@ -56,6 +56,24 @@ - - ######################################## - ## -+## Execute ntp server in the ntpd domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`ntp_initrc_domtrans',` -+ gen_require(` -+ type ntpd_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, ntpd_initrc_exec_t) -+') -+ -+######################################## -+## - ## All of the rules required to administrate - ## an ntp environment - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.5.13/policy/modules/services/ntp.te ---- nsaserefpolicy/policy/modules/services/ntp.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ntp.te 2008-10-28 10:56:19.000000000 -0400 -@@ -42,6 +42,7 @@ - dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; - allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; - allow ntpd_t self:fifo_file rw_fifo_file_perms; -+allow ntpd_t self:shm create_shm_perms; - allow ntpd_t self:unix_dgram_socket create_socket_perms; - allow ntpd_t self:unix_stream_socket create_socket_perms; - allow ntpd_t self:tcp_socket create_stream_socket_perms; -@@ -90,6 +91,8 @@ - - fs_getattr_all_fs(ntpd_t) - fs_search_auto_mountpoints(ntpd_t) -+# Necessary to communicate with gpsd devices -+fs_rw_tmpfs_files(ntpd_t) - - term_use_ptmx(ntpd_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.5.13/policy/modules/services/oddjob.fc ---- nsaserefpolicy/policy/modules/services/oddjob.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/oddjob.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,4 +1,4 @@ --/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) -+/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) - - /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.5.13/policy/modules/services/oddjob.if ---- nsaserefpolicy/policy/modules/services/oddjob.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/oddjob.if 2008-10-28 10:56:19.000000000 -0400 -@@ -44,6 +44,7 @@ - ') - - domtrans_pattern(oddjob_t, $2, $1) -+ domain_user_exemption_target($1) - ') - - ######################################## -@@ -84,3 +85,34 @@ - - domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) - ') -+ -+######################################## -+## -+## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to allow the oddjob_mkhomedir domain. -+## -+## -+## -+## -+## The type of the terminal allow the oddjob_mkhomedir domain to use. -+## -+## -+## -+# -+interface(`oddjob_run_mkhomedir',` -+ gen_require(` -+ type oddjob_mkhomedir_t; -+ ') -+ -+ oddjob_domtrans_mkhomedir($1) -+ role $2 types oddjob_mkhomedir_t; -+ dontaudit oddjob_mkhomedir_t $3:chr_file rw_term_perms; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.5.13/policy/modules/services/oddjob.te ---- nsaserefpolicy/policy/modules/services/oddjob.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/oddjob.te 2008-10-28 10:56:19.000000000 -0400 -@@ -10,14 +10,21 @@ - type oddjob_exec_t; - domain_type(oddjob_t) - init_daemon_domain(oddjob_t, oddjob_exec_t) -+domain_obj_id_change_exemption(oddjob_t) -+domain_role_change_exemption(oddjob_t) - domain_subj_id_change_exemption(oddjob_t) - - type oddjob_mkhomedir_t; - type oddjob_mkhomedir_exec_t; - domain_type(oddjob_mkhomedir_t) --init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) -+domain_obj_id_change_exemption(oddjob_mkhomedir_t) -+init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) - oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) - -+ifdef(`enable_mcs',` -+ init_ranged_daemon_domain(oddjob_t, oddjob_exec_t,s0 - mcs_systemhigh) -+') -+ - # pid files - type oddjob_var_run_t; - files_pid_file(oddjob_var_run_t) -@@ -68,17 +75,34 @@ - # oddjob_mkhomedir local policy - # - -+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; -+allow oddjob_mkhomedir_t self:process setfscreate; - allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms; - allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms; - - files_read_etc_files(oddjob_mkhomedir_t) - -+kernel_read_system_state(oddjob_mkhomedir_t) -+ -+auth_use_nsswitch(oddjob_mkhomedir_t) -+ - libs_use_ld_so(oddjob_mkhomedir_t) - libs_use_shared_libs(oddjob_mkhomedir_t) - -+logging_send_syslog_msg(oddjob_mkhomedir_t) -+ - miscfiles_read_localization(oddjob_mkhomedir_t) - --staff_manage_home_dirs(oddjob_mkhomedir_t) -+selinux_get_fs_mount(oddjob_mkhomedir_t) -+selinux_validate_context(oddjob_mkhomedir_t) -+selinux_compute_access_vector(oddjob_mkhomedir_t) -+selinux_compute_create_context(oddjob_mkhomedir_t) -+selinux_compute_relabel_context(oddjob_mkhomedir_t) -+selinux_compute_user_contexts(oddjob_mkhomedir_t) -+ -+seutil_read_config(oddjob_mkhomedir_t) -+seutil_read_file_contexts(oddjob_mkhomedir_t) -+seutil_read_default_contexts(oddjob_mkhomedir_t) - - # Add/remove user home directories - unprivuser_home_filetrans_home_dir(oddjob_mkhomedir_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.if serefpolicy-3.5.13/policy/modules/services/openvpn.if ---- nsaserefpolicy/policy/modules/services/openvpn.if 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/openvpn.if 2008-10-28 10:56:19.000000000 -0400 -@@ -52,6 +52,24 @@ - - ######################################## - ## -+## Send sigkills to OPENVPN clients. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openvpn_sigkill',` -+ gen_require(` -+ type openvpn_t; -+ ') -+ -+ allow $1 openvpn_t:process sigkill; -+') -+ -+######################################## -+## - ## Send generic signals to OPENVPN clients. - ## - ## -@@ -70,6 +88,24 @@ - - ######################################## - ## -+## Send signulls to OPENVPN clients. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openvpn_signull',` -+ gen_require(` -+ type openvpn_t; -+ ') -+ -+ allow $1 openvpn_t:process signull; -+') -+ -+######################################## -+## - ## Allow the specified domain to read - ## OpenVPN configuration files. - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.5.13/policy/modules/services/openvpn.te ---- nsaserefpolicy/policy/modules/services/openvpn.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/openvpn.te 2008-10-28 10:56:19.000000000 -0400 -@@ -117,3 +117,11 @@ - - networkmanager_dbus_chat(openvpn_t) - ') -+ -+# Need to interact with terminals if config option "auth-user-pass" is used -+sysadm_use_terms(openvpn_t) -+ -+optional_policy(` -+ unconfined_use_terms(openvpn_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.fc serefpolicy-3.5.13/policy/modules/services/pads.fc ---- nsaserefpolicy/policy/modules/services/pads.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/pads.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,12 @@ -+ -+/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0) -+/etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0) -+/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0) -+/etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0) -+ -+/etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t, s0) -+ -+/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0) -+ -+/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.5.13/policy/modules/services/pads.if ---- nsaserefpolicy/policy/modules/services/pads.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/pads.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,10 @@ -+## SELinux policy for PADS daemon. -+## -+##

-+## PADS is a libpcap based detection engine used to -+## passively detect network assets. It is designed to -+## complement IDS technology by providing context to IDS -+## alerts. -+##

-+## -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.5.13/policy/modules/services/pads.te ---- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/pads.te 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,68 @@ -+ -+policy_module(pads, 0.0.1) -+ -+######################################## -+# -+# Declarations -+# -+ -+type pads_t; -+type pads_exec_t; -+init_daemon_domain(pads_t, pads_exec_t) -+role system_r types pads_t; -+ -+type pads_initrc_exec_t; -+init_script_file(pads_initrc_exec_t) -+ -+type pads_config_t; -+files_config_file(pads_config_t) -+ -+type pads_var_run_t; -+files_pid_file(pads_var_run_t) -+ -+######################################## -+# -+# Declarations -+# -+ -+allow pads_t self:capability { dac_override net_raw }; -+allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; -+allow pads_t self:packet_socket { ioctl setopt getopt read bind create }; -+allow pads_t self:udp_socket { create ioctl }; -+allow pads_t self:unix_dgram_socket { write create connect }; -+ -+allow pads_t pads_config_t:file manage_file_perms; -+files_etc_filetrans(pads_t, pads_config_t, file) -+ -+allow pads_t pads_var_run_t:file manage_file_perms; -+files_pid_filetrans(pads_t, pads_var_run_t, file) -+ -+corecmd_search_bin(pads_t) -+ -+corenet_all_recvfrom_unlabeled(pads_t) -+corenet_all_recvfrom_netlabel(pads_t) -+corenet_tcp_sendrecv_all_if(pads_t) -+corenet_tcp_sendrecv_all_nodes(pads_t) -+ -+corenet_tcp_connect_prelude_port(pads_t) -+ -+dev_read_rand(pads_t) -+dev_read_urand(pads_t) -+ -+kernel_read_sysctl(pads_t) -+ -+files_read_etc_files(pads_t) -+files_search_spool(pads_t) -+ -+libs_use_ld_so(pads_t) -+libs_use_shared_libs(pads_t) -+ -+miscfiles_read_localization(pads_t) -+ -+logging_send_syslog_msg(pads_t) -+ -+sysnet_dns_name_resolve(pads_t) -+ -+optional_policy(` -+ prelude_manage_spool(pads_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.5.13/policy/modules/services/pcscd.te ---- nsaserefpolicy/policy/modules/services/pcscd.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/pcscd.te 2008-10-28 10:56:19.000000000 -0400 -@@ -10,6 +10,7 @@ - type pcscd_exec_t; - domain_type(pcscd_t) - init_daemon_domain(pcscd_t, pcscd_exec_t) -+init_daemon_domain(pcscd_t, pcscd_exec_t) - - # pid files - type pcscd_var_run_t; -@@ -60,6 +61,14 @@ - sysnet_dns_name_resolve(pcscd_t) - - optional_policy(` -+ dbus_system_bus_client_template(pcscd, pcscd_t) -+ -+ optional_policy(` -+ hal_dbus_chat(pcscd_t) -+ ') -+') -+ -+optional_policy(` - openct_stream_connect(pcscd_t) - openct_read_pid_files(pcscd_t) - openct_signull(pcscd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.5.13/policy/modules/services/pegasus.te ---- nsaserefpolicy/policy/modules/services/pegasus.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/pegasus.te 2008-11-04 12:06:18.000000000 -0500 -@@ -30,7 +30,7 @@ - # Local policy - # - --allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service }; -+allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service }; - dontaudit pegasus_t self:capability sys_tty_config; - allow pegasus_t self:process signal; - allow pegasus_t self:fifo_file rw_fifo_file_perms; -@@ -66,6 +66,8 @@ - kernel_read_system_state(pegasus_t) - kernel_search_vm_sysctl(pegasus_t) - kernel_read_net_sysctls(pegasus_t) -+kernel_read_xen_state(pegasus_t) -+kernel_write_xen_state(pegasus_t) - - corenet_all_recvfrom_unlabeled(pegasus_t) - corenet_all_recvfrom_netlabel(pegasus_t) -@@ -96,13 +98,12 @@ - - auth_use_nsswitch(pegasus_t) - auth_domtrans_chk_passwd(pegasus_t) -+auth_read_shadow(pegasus_t) - - domain_use_interactive_fds(pegasus_t) - domain_read_all_domains_state(pegasus_t) - --files_read_etc_files(pegasus_t) --files_list_var_lib(pegasus_t) --files_read_var_lib_files(pegasus_t) -+files_read_all_files(pegasus_t) - files_read_var_lib_symlinks(pegasus_t) - - hostname_exec(pegasus_t) -@@ -118,7 +119,6 @@ - - miscfiles_read_localization(pegasus_t) - --sysnet_read_config(pegasus_t) - sysnet_domtrans_ifconfig(pegasus_t) - - userdom_dontaudit_use_unpriv_user_fds(pegasus_t) -@@ -130,6 +130,14 @@ - ') - - optional_policy(` -+ samba_manage_config(pegasus_t) -+') -+ -+optional_policy(` -+ ssh_exec(pegasus_t) -+') -+ -+optional_policy(` - seutil_sigchld_newrole(pegasus_t) - seutil_dontaudit_read_config(pegasus_t) - ') -@@ -141,3 +149,13 @@ - optional_policy(` - unconfined_signull(pegasus_t) - ') -+ -+optional_policy(` -+ virt_domtrans(pegasus_t) -+ virt_manage_config(pegasus_t) -+') -+ -+optional_policy(` -+ xen_stream_connect(pegasus_t) -+ xen_stream_connect_xenstore(pegasus_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.5.13/policy/modules/services/polkit.fc ---- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/polkit.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,9 @@ -+ -+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) -+/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0) -+/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:polkit_resolve_exec_t,s0) -+/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0) -+ -+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) -+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0) -+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.5.13/policy/modules/services/polkit.if ---- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/polkit.if 2008-11-04 09:56:57.000000000 -0500 -@@ -0,0 +1,233 @@ -+ -+## policy for polkit_auth -+ -+######################################## -+## -+## Execute a domain transition to run polkit_auth. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`polkit_domtrans_auth',` -+ gen_require(` -+ type polkit_auth_t; -+ type polkit_auth_exec_t; -+ ') -+ -+ domtrans_pattern($1, polkit_auth_exec_t, polkit_auth_t) -+') -+ -+######################################## -+## -+## Search polkit lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`polkit_search_lib',` -+ gen_require(` -+ type polkit_var_lib_t; -+ ') -+ -+ allow $1 polkit_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## read polkit lib files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`polkit_read_lib',` -+ gen_require(` -+ type polkit_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t) -+ -+ # Broken placement -+ cron_read_system_job_lib_files($1) -+') -+ -+######################################## -+## -+## Execute a domain transition to run polkit_grant. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`polkit_domtrans_grant',` -+ gen_require(` -+ type polkit_grant_t; -+ type polkit_grant_exec_t; -+ ') -+ -+ domtrans_pattern($1, polkit_grant_exec_t, polkit_grant_t) -+') -+ -+######################################## -+## -+## Execute a domain transition to run polkit_resolve. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`polkit_domtrans_resolve',` -+ gen_require(` -+ type polkit_resolve_t; -+ type polkit_resolve_exec_t; -+ ') -+ -+ domtrans_pattern($1, polkit_resolve_exec_t, polkit_resolve_t) -+ -+ allow polkit_resolve_t $1:dir list_dir_perms; -+ read_files_pattern(polkit_resolve_t, $1, $1) -+ read_lnk_files_pattern(polkit_resolve_t, $1, $1) -+ allow polkit_resolve_t $1:process getattr; -+') -+ -+######################################## -+## -+## Execute a policy_grant in the policy_grant domain, and -+## allow the specified role the policy_grant domain, -+## and use the caller's terminal. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed the load_policy domain. -+## -+## -+## -+## -+## The type of the terminal allow the load_policy domain to use. -+## -+## -+## -+# -+interface(`polkit_run_grant',` -+ gen_require(` -+ type polkit_grant_t; -+ ') -+ -+ polkit_domtrans_grant($1) -+ role $2 types polkit_grant_t; -+ allow polkit_grant_t $3:chr_file rw_term_perms; -+ allow $1 polkit_grant_t:process signal; -+ read_files_pattern(polkit_grant_t, $1, $1) -+ allow polkit_grant_t $1:process getattr; -+') -+ -+######################################## -+## -+## Execute a policy_auth in the policy_auth domain, and -+## allow the specified role the policy_auth domain, -+## and use the caller's terminal. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed the load_policy domain. -+## -+## -+## -+## -+## The type of the terminal allow the load_policy domain to use. -+## -+## -+# -+interface(`polkit_run_auth',` -+ gen_require(` -+ type polkit_auth_t; -+ ') -+ -+ polkit_domtrans_auth($1) -+ role $2 types polkit_auth_t; -+ allow polkit_auth_t $3:chr_file rw_term_perms; -+') -+ -+####################################### -+## -+## The per role template for the nsplugin module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for nsplugin web browser. -+##

-+##

-+## This template is invoked automatically for each user, and -+## generally does not need to be invoked directly -+## by policy writers. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+## -+# -+template(`polkit_per_role_template',` -+ polkit_run_auth($2, $3, { $1_devpts_t $1_tty_device_t }) -+ polkit_run_grant($2, $3, { $1_devpts_t $1_tty_device_t }) -+ polkit_read_lib($2) -+') -+ -+######################################## -+## -+## Send and receive messages from -+## polkit over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`polkit_dbus_chat',` -+ gen_require(` -+ type polkit_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 polkit_t:dbus send_msg; -+ allow polkit_t $1:dbus send_msg; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.13/policy/modules/services/polkit.te ---- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/polkit.te 2008-11-05 11:49:03.000000000 -0500 -@@ -0,0 +1,232 @@ -+policy_module(polkit_auth, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type polkit_t; -+type polkit_exec_t; -+init_daemon_domain(polkit_t, polkit_exec_t) -+ -+type polkit_grant_t; -+type polkit_grant_exec_t; -+init_system_domain(polkit_grant_t, polkit_grant_exec_t) -+ -+type polkit_resolve_t; -+type polkit_resolve_exec_t; -+init_system_domain(polkit_resolve_t, polkit_resolve_exec_t) -+ -+type polkit_auth_t; -+type polkit_auth_exec_t; -+init_daemon_domain(polkit_auth_t, polkit_auth_exec_t) -+ -+type polkit_var_lib_t; -+files_type(polkit_var_lib_t) -+ -+type polkit_var_run_t; -+files_pid_file(polkit_var_run_t) -+ -+######################################## -+# -+# polkit local policy -+# -+ -+allow polkit_t self:capability { setgid setuid }; -+allow polkit_t self:process getattr; -+ -+allow polkit_t self:unix_dgram_socket create_socket_perms; -+allow polkit_t self:fifo_file rw_file_perms; -+allow polkit_t self:unix_stream_socket create_stream_socket_perms; -+ -+polkit_domtrans_auth(polkit_t) -+polkit_domtrans_resolve(polkit_t) -+ -+can_exec(polkit_t, polkit_exec_t) -+corecmd_exec_bin(polkit_t) -+ -+domain_use_interactive_fds(polkit_t) -+ -+files_read_etc_files(polkit_t) -+files_read_usr_files(polkit_t) -+ -+fs_list_inotifyfs(polkit_t) -+ -+kernel_read_kernel_sysctls(polkit_t) -+ -+auth_use_nsswitch(polkit_t) -+ -+libs_use_ld_so(polkit_t) -+libs_use_shared_libs(polkit_t) -+ -+miscfiles_read_localization(polkit_t) -+ -+logging_send_syslog_msg(polkit_t) -+ -+manage_files_pattern(polkit_t, polkit_var_lib_t, polkit_var_lib_t) -+ -+# pid file -+manage_dirs_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t) -+manage_files_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t) -+files_pid_filetrans(polkit_t, polkit_var_run_t, { file dir }) -+ -+optional_policy(` -+ dbus_system_domain(polkit_t, polkit_exec_t) -+ optional_policy(` -+ consolekit_dbus_chat(polkit_t) -+ ') -+') -+ -+######################################## -+# -+# polkit_auth local policy -+# -+ -+allow polkit_auth_t self:capability setgid; -+allow polkit_auth_t self:process { getattr }; -+ -+allow polkit_auth_t self:unix_dgram_socket create_socket_perms; -+allow polkit_auth_t self:fifo_file rw_file_perms; -+allow polkit_auth_t self:unix_stream_socket create_stream_socket_perms; -+ -+can_exec(polkit_auth_t, polkit_auth_exec_t) -+corecmd_search_bin(polkit_auth_t) -+ -+domain_use_interactive_fds(polkit_auth_t) -+ -+files_read_etc_files(polkit_auth_t) -+files_read_usr_files(polkit_auth_t) -+ -+auth_use_nsswitch(polkit_auth_t) -+ -+libs_use_ld_so(polkit_auth_t) -+libs_use_shared_libs(polkit_auth_t) -+ -+miscfiles_read_localization(polkit_auth_t) -+ -+logging_send_syslog_msg(polkit_auth_t) -+ -+manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t) -+ -+# pid file -+manage_dirs_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t) -+manage_files_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t) -+files_pid_filetrans(polkit_auth_t, polkit_var_run_t, { file dir }) -+ -+userdom_read_all_users_state(polkit_t) -+ -+unprivuser_append_home_content_files(polkit_auth_t) -+unprivuser_dontaudit_read_home_content_files(polkit_auth_t) -+ -+optional_policy(` -+ cron_read_system_job_lib_files(polkit_t) -+') -+ -+optional_policy(` -+ dbus_system_bus_client_template(polkit_auth, polkit_auth_t) -+ consolekit_dbus_chat(polkit_auth_t) -+ dbus_system_domain(polkit_exec_t, polkit_t) -+') -+ -+optional_policy(` -+ hal_getattr(polkit_auth_t) -+ hal_read_state(polkit_auth_t) -+') -+ -+######################################## -+# -+# polkit_grant local policy -+# -+ -+allow polkit_grant_t self:capability setuid; -+allow polkit_grant_t self:process getattr; -+ -+allow polkit_grant_t self:unix_dgram_socket create_socket_perms; -+allow polkit_grant_t self:fifo_file rw_file_perms; -+allow polkit_grant_t self:unix_stream_socket create_stream_socket_perms; -+ -+can_exec(polkit_grant_t, polkit_grant_exec_t) -+corecmd_search_bin(polkit_grant_t) -+ -+files_read_etc_files(polkit_grant_t) -+files_read_usr_files(polkit_grant_t) -+ -+auth_use_nsswitch(polkit_grant_t) -+auth_domtrans_chk_passwd(polkit_grant_t) -+ -+libs_use_ld_so(polkit_grant_t) -+libs_use_shared_libs(polkit_grant_t) -+ -+miscfiles_read_localization(polkit_grant_t) -+ -+logging_send_syslog_msg(polkit_grant_t) -+ -+polkit_domtrans_auth(polkit_grant_t) -+polkit_domtrans_resolve(polkit_grant_t) -+ -+manage_files_pattern(polkit_grant_t, polkit_var_run_t, polkit_var_run_t) -+ -+manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t) -+userdom_read_all_users_state(polkit_grant_t) -+ -+optional_policy(` -+ dbus_system_bus_client_template(polkit_grant, polkit_grant_t) -+ consolekit_dbus_chat(polkit_grant_t) -+') -+ -+gen_require(` -+ type system_crond_var_lib_t; -+') -+ -+manage_files_pattern(polkit_grant_t, system_crond_var_lib_t, system_crond_var_lib_t) -+ -+######################################## -+# -+# polkit_resolve local policy -+# -+ -+allow polkit_resolve_t self:capability { setuid sys_nice sys_ptrace }; -+allow polkit_resolve_t self:process getattr; -+ -+allow polkit_resolve_t self:unix_dgram_socket create_socket_perms; -+allow polkit_resolve_t self:fifo_file rw_file_perms; -+allow polkit_resolve_t self:unix_stream_socket create_stream_socket_perms; -+ -+read_files_pattern(polkit_resolve_t, polkit_var_lib_t, polkit_var_lib_t) -+ -+can_exec(polkit_resolve_t, polkit_resolve_exec_t) -+corecmd_search_bin(polkit_resolve_t) -+ -+polkit_domtrans_auth(polkit_resolve_t) -+ -+files_read_etc_files(polkit_resolve_t) -+files_read_usr_files(polkit_resolve_t) -+ -+auth_use_nsswitch(polkit_resolve_t) -+ -+libs_use_ld_so(polkit_resolve_t) -+libs_use_shared_libs(polkit_resolve_t) -+ -+miscfiles_read_localization(polkit_resolve_t) -+ -+logging_send_syslog_msg(polkit_resolve_t) -+ -+userdom_read_all_users_state(polkit_resolve_t) -+userdom_ptrace_all_users(polkit_resolve_t) -+mcs_ptrace_all(polkit_resolve_t) -+ -+optional_policy(` -+ dbus_system_bus_client_template(polkit_resolve, polkit_resolve_t) -+ optional_policy(` -+ consolekit_dbus_chat(polkit_resolve_t) -+ ') -+') -+ -+optional_policy(` -+ hal_getattr(polkit_resolve_t) -+ hal_read_state(polkit_resolve_t) -+') -+ -+optional_policy(` -+ unconfined_ptrace(polkit_resolve_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portmap.te serefpolicy-3.5.13/policy/modules/services/portmap.te ---- nsaserefpolicy/policy/modules/services/portmap.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/portmap.te 2008-10-28 10:56:19.000000000 -0400 -@@ -41,6 +41,7 @@ - manage_files_pattern(portmap_t, portmap_var_run_t, portmap_var_run_t) - files_pid_filetrans(portmap_t, portmap_var_run_t, file) - -+kernel_read_system_state(portmap_t) - kernel_read_kernel_sysctls(portmap_t) - kernel_list_proc(portmap_t) - kernel_read_proc_symlinks(portmap_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.5.13/policy/modules/services/portreserve.fc ---- nsaserefpolicy/policy/modules/services/portreserve.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/portreserve.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,12 @@ -+# portreserve executable will have: -+# label: system_u:object_r:portreserve_exec_t -+# MLS sensitivity: s0 -+# MCS categories: -+ -+#exec -+/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) -+ -+/var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0) -+ -+/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.5.13/policy/modules/services/portreserve.if ---- nsaserefpolicy/policy/modules/services/portreserve.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/portreserve.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,70 @@ -+## policy for portreserve -+ -+######################################## -+## -+## Execute a domain transition to run portreserve. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`portreserve_domtrans',` -+ gen_require(` -+ type portreserve_t, portreserve_exec_t; -+ ') -+ -+ domain_auto_trans($1,portreserve_exec_t,portreserve_t) -+ -+ allow portreserve_t $1:fd use; -+ allow portreserve_t $1:fifo_file rw_file_perms; -+ allow portreserve_t $1:process sigchld; -+') -+ -+####################################### -+## -+## Allow the specified domain to read -+## portreserve etcuration files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+# -+interface(`portreserve_read_etc',` -+ gen_require(` -+ type portreserve_etc_t; -+ ') -+ -+ files_search_etc($1) -+ allow $1 portreserve_etc_t:dir list_dir_perms; -+ read_files_pattern($1, portreserve_etc_t, portreserve_etc_t) -+ read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) -+') -+ -+####################################### -+## -+## Allow the specified domain to manage -+## portreserve etcuration files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`portreserve_manage_etc',` -+ gen_require(` -+ type portreserve_etc_t; -+ ') -+ -+ files_search_etc($1) -+ manage_dirs_pattern($1, portreserve_etc_t, portreserve_etc_t) -+ manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t) -+ read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.5.13/policy/modules/services/portreserve.te ---- nsaserefpolicy/policy/modules/services/portreserve.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/portreserve.te 2008-10-28 11:20:02.000000000 -0400 -@@ -0,0 +1,53 @@ -+policy_module(portreserve,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type portreserve_t; -+type portreserve_exec_t; -+init_daemon_domain(portreserve_t, portreserve_exec_t) -+ -+type portreserve_etc_t; -+files_type(portreserve_etc_t) -+ -+type portreserve_var_run_t; -+files_pid_file(portreserve_var_run_t) -+ -+######################################## -+# -+# Portreserve local policy -+# -+allow portreserve_t self:fifo_file rw_fifo_file_perms; -+allow portreserve_t self:unix_stream_socket create_stream_socket_perms; -+allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto }; -+allow portreserve_t self:tcp_socket create_socket_perms; -+allow portreserve_t self:udp_socket create_socket_perms; -+ -+# Read etc files -+list_dirs_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t) -+read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t) -+ -+# Manage /var/run/portreserve/* -+manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) -+manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) -+manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) -+files_pid_filetrans(portreserve_t,portreserve_var_run_t, { file sock_file }) -+ -+corenet_tcp_bind_all_ports(portreserve_t) -+corenet_tcp_bind_all_ports(portreserve_t) -+corenet_udp_bind_all_nodes(portreserve_t) -+corenet_udp_bind_all_ports(portreserve_t) -+corenet_tcp_bind_inaddr_any_node(portreserve_t) -+corenet_udp_bind_inaddr_any_node(portreserve_t) -+ -+files_read_etc_files(portreserve_t) -+ -+libs_use_ld_so(portreserve_t) -+libs_use_shared_libs(portreserve_t) -+ -+# Init script handling -+#init_use_fds(portreserve_t) -+#init_use_script_ptys(portreserve_t) -+#domain_use_interactive_fds(portreserve_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.5.13/policy/modules/services/postfix.fc ---- nsaserefpolicy/policy/modules/services/postfix.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postfix.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -29,12 +29,10 @@ - /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) - /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) - /usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) --/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) - ') - /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) - /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) - /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) --/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0) - /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) - /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) - /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.5.13/policy/modules/services/postfix.if ---- nsaserefpolicy/policy/modules/services/postfix.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postfix.if 2008-10-28 10:56:19.000000000 -0400 -@@ -211,9 +211,8 @@ - type postfix_etc_t; - ') - -- allow $1 postfix_etc_t:dir { getattr read search }; -- allow $1 postfix_etc_t:file { read getattr }; -- allow $1 postfix_etc_t:lnk_file { getattr read }; -+ read_files_pattern($1, postfix_etc_t, postfix_etc_t) -+ read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t) - files_search_etc($1) - ') - -@@ -421,7 +420,7 @@ - ## - ## - # --interface(`postfix_create_pivate_sockets',` -+interface(`postfix_create_private_sockets',` - gen_require(` - type postfix_private_t; - ') -@@ -432,6 +431,25 @@ - - ######################################## - ## -+## manage named socket in a postfix private directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`postfix_manage_private_sockets',` -+ gen_require(` -+ type postfix_private_t; -+ ') -+ -+ allow $1 postfix_private_t:dir list_dir_perms; -+ manage_sock_files_pattern($1, postfix_private_t, postfix_private_t) -+') -+ -+######################################## -+## - ## Execute the master postfix program in the - ## postfix_master domain. - ## -@@ -508,6 +526,25 @@ - - ######################################## - ## -+## Manage postfix mail spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`postfix_manage_spool_files',` -+ gen_require(` -+ type postfix_spool_t; -+ ') -+ -+ files_search_spool($1) -+ manage_files_pattern($1, postfix_spool_t, postfix_spool_t) -+') -+ -+######################################## -+## - ## Execute postfix user mail programs - ## in their respective domains. - ## -@@ -524,3 +561,23 @@ - - typeattribute $1 postfix_user_domtrans; - ') -+ -+######################################## -+## -+## Execute the master postdrop in the -+## postfix_postdrop domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`postfix_domtrans_postdrop',` -+ gen_require(` -+ type postfix_postdrop_t, postfix_postdrop_exec_t; -+ ') -+ -+ domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.13/policy/modules/services/postfix.te ---- nsaserefpolicy/policy/modules/services/postfix.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-10-28 10:56:19.000000000 -0400 -@@ -6,6 +6,14 @@ - # Declarations - # - -+## -+##

-+## Allow postfix_local domain full write access to mail_spool directories -+## -+##

-+## -+gen_tunable(allow_postfix_local_write_mail_spool, false) -+ - attribute postfix_user_domains; - # domains that transition to the - # postfix user domains -@@ -19,7 +27,7 @@ - postfix_server_domain_template(cleanup) - - type postfix_etc_t; --files_type(postfix_etc_t) -+files_config_file(postfix_etc_t) - - type postfix_exec_t; - application_executable_file(postfix_exec_t) -@@ -27,6 +35,12 @@ - postfix_server_domain_template(local) - mta_mailserver_delivery(postfix_local_t) - -+sysadm_read_home_content_files(postfix_local_t) -+ -+tunable_policy(`allow_postfix_local_write_mail_spool',` -+ mta_manage_spool(postfix_local_t) -+') -+ - type postfix_local_tmp_t; - files_tmp_file(postfix_local_tmp_t) - -@@ -34,6 +48,7 @@ - type postfix_map_t; - type postfix_map_exec_t; - application_domain(postfix_map_t, postfix_map_exec_t) -+role system_r types postfix_map_t; - - type postfix_map_tmp_t; - files_tmp_file(postfix_map_tmp_t) -@@ -103,6 +118,7 @@ - allow postfix_master_t self:fifo_file rw_fifo_file_perms; - allow postfix_master_t self:tcp_socket create_stream_socket_perms; - allow postfix_master_t self:udp_socket create_socket_perms; -+allow postfix_master_t self:process setrlimit; - - allow postfix_master_t postfix_etc_t:file rw_file_perms; - -@@ -142,6 +158,7 @@ - - delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -+setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - - kernel_read_all_sysctls(postfix_master_t) - -@@ -170,6 +187,7 @@ - domain_use_interactive_fds(postfix_master_t) - - files_read_usr_files(postfix_master_t) -+files_search_var_lib(postfix_master_t) - - term_dontaudit_search_ptys(postfix_master_t) - -@@ -181,15 +199,14 @@ - - mta_rw_aliases(postfix_master_t) - mta_read_sendmail_bin(postfix_master_t) -+mta_getattr_spool(postfix_master_t) - --ifdef(`distro_redhat',` -- # for newer main.cf that uses /etc/aliases -- mta_manage_aliases(postfix_master_t) -- mta_etc_filetrans_aliases(postfix_master_t) -+optional_policy(` -+ cyrus_stream_connect(postfix_master_t) - ') - - optional_policy(` -- cyrus_stream_connect(postfix_master_t) -+ kerberos_keytab_template(postfix, postfix_t) - ') - - optional_policy(` -@@ -202,9 +219,29 @@ - ') - - optional_policy(` -+ postgrey_search_spool(postfix_master_t) -+') -+ -+optional_policy(` - sendmail_signal(postfix_master_t) - ') - -+########################################################### -+# -+# Partially converted rules. THESE ARE ONLY TEMPORARY -+# -+ -+ifdef(`distro_redhat',` -+ # for newer main.cf that uses /etc/aliases -+ allow postfix_master_t etc_aliases_t:dir manage_dir_perms; -+ allow postfix_master_t etc_aliases_t:file manage_file_perms; -+ allow postfix_master_t etc_aliases_t:lnk_file manage_lnk_file_perms; -+ mta_etc_filetrans_aliases(postfix_master_t) -+ filetrans_pattern(postfix_master_t, postfix_etc_t, etc_aliases_t, { dir file lnk_file }) -+') -+ -+# end partially converted rules -+ - ######################################## - # - # Postfix bounce local policy -@@ -245,6 +282,10 @@ - - corecmd_exec_bin(postfix_cleanup_t) - -+optional_policy(` -+ mailman_read_data_files(postfix_cleanup_t) -+') -+ - ######################################## - # - # Postfix local local policy -@@ -270,18 +311,25 @@ - - files_read_etc_files(postfix_local_t) - -+logging_dontaudit_search_logs(postfix_local_t) -+ - mta_read_aliases(postfix_local_t) - mta_delete_spool(postfix_local_t) - # For reading spamassasin - mta_read_config(postfix_local_t) - -+domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t) -+ - optional_policy(` - clamav_search_lib(postfix_local_t) -+ clamav_exec_clamscan(postfix_local_t) - ') - - optional_policy(` - # for postalias - mailman_manage_data_files(postfix_local_t) -+ mailman_append_log(postfix_local_t) -+ mailman_read_log(postfix_local_t) - ') - - optional_policy(` -@@ -292,8 +340,7 @@ - # - # Postfix map local policy - # -- --allow postfix_map_t self:capability setgid; -+allow postfix_map_t self:capability { dac_override setgid setuid }; - allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; - allow postfix_map_t self:unix_dgram_socket create_socket_perms; - allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -343,8 +390,6 @@ - - miscfiles_read_localization(postfix_map_t) - --seutil_read_config(postfix_map_t) -- - tunable_policy(`read_default_t',` - files_list_default(postfix_map_t) - files_read_default_files(postfix_map_t) -@@ -357,6 +402,11 @@ - locallogin_dontaudit_use_fds(postfix_map_t) - ') - -+optional_policy(` -+# for postalias -+ mailman_manage_data_files(postfix_map_t) -+') -+ - ######################################## - # - # Postfix pickup local policy -@@ -381,6 +431,7 @@ - # - - allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; -+allow postfix_pipe_t self:process setrlimit; - - write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) - -@@ -388,6 +439,12 @@ - - rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) - -+domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) -+ -+optional_policy(` -+ dovecot_domtrans_deliver(postfix_pipe_t) -+') -+ - optional_policy(` - procmail_domtrans(postfix_pipe_t) - ') -@@ -397,6 +454,14 @@ - ') - - optional_policy(` -+ mta_manage_spool(postfix_pipe_t) -+') -+ -+optional_policy(` -+ spamassassin_domtrans_spamc(postfix_pipe_t) -+') -+ -+optional_policy(` - uucp_domtrans_uux(postfix_pipe_t) - ') - -@@ -433,8 +498,11 @@ - ') - - optional_policy(` -- ppp_use_fds(postfix_postqueue_t) -- ppp_sigchld(postfix_postqueue_t) -+ sendmail_rw_unix_stream_sockets(postfix_postdrop_t) -+') -+ -+optional_policy(` -+ uucp_manage_spool(postfix_postdrop_t) - ') - - ####################################### -@@ -460,6 +528,15 @@ - init_sigchld_script(postfix_postqueue_t) - init_use_script_fds(postfix_postqueue_t) - -+optional_policy(` -+ cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t) -+') -+ -+optional_policy(` -+ ppp_use_fds(postfix_postqueue_t) -+ ppp_sigchld(postfix_postqueue_t) -+') -+ - ######################################## - # - # Postfix qmgr local policy -@@ -543,6 +620,10 @@ - mta_read_aliases(postfix_smtpd_t) - - optional_policy(` -+ dovecot_auth_stream_connect(postfix_smtpd_t) -+') -+ -+optional_policy(` - mailman_read_data_files(postfix_smtpd_t) - ') - -@@ -569,7 +650,7 @@ - files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) - - # connect to master process --stream_connect_pattern(postfix_virtual_t, postfix_public_t, postfix_public_t, postfix_master_t) -+stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - - corecmd_exec_shell(postfix_virtual_t) - corecmd_exec_bin(postfix_virtual_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.5.13/policy/modules/services/postgresql.fc ---- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postgresql.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -2,6 +2,7 @@ - # /etc - # - /etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0) -+/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0) - - # - # /usr -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.5.13/policy/modules/services/postgresql.if ---- nsaserefpolicy/policy/modules/services/postgresql.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postgresql.if 2008-10-28 10:56:19.000000000 -0400 -@@ -372,3 +372,46 @@ - - typeattribute $1 sepgsql_unconfined_type; - ') -+ -+######################################## -+## -+## All of the rules required to administrate an postgresql environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the postgresql domain. -+## -+## -+## -+# -+interface(`postgresql_admin',` -+ gen_require(` -+ type postgresql_t, postgresql_var_run_t; -+ type postgresql_tmp_t, postgresql_db_t; -+ type postgresql_etc_t, postgresql_log_t; -+ type postgresql_initrc_exec_t; -+ ') -+ -+ allow $1 postgresql_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, postgresql_t) -+ -+ init_labeled_script_domtrans($1, postgresql_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 postgresql_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ admin_pattern($1, postgresql_var_run_t) -+ -+ admin_pattern($1, postgresql_db_t) -+ -+ admin_pattern($1, postgresql_etc_t) -+ -+ admin_pattern($1, postgresql_log_t) -+ -+ admin_pattern($1, postgresql_tmp_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.5.13/policy/modules/services/postgresql.te ---- nsaserefpolicy/policy/modules/services/postgresql.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postgresql.te 2008-11-06 08:49:50.000000000 -0500 -@@ -32,6 +32,9 @@ - type postgresql_etc_t; - files_config_file(postgresql_etc_t) - -+type postgresql_initrc_exec_t; -+init_script_file(postgresql_initrc_exec_t) -+ - type postgresql_lock_t; - files_lock_file(postgresql_lock_t) - -@@ -104,6 +107,7 @@ - dontaudit postgresql_t self:capability { sys_tty_config sys_admin }; - allow postgresql_t self:process signal_perms; - allow postgresql_t self:fifo_file rw_fifo_file_perms; -+allow postgresql_t self:file { getattr read }; - allow postgresql_t self:sem create_sem_perms; - allow postgresql_t self:shm create_shm_perms; - allow postgresql_t self:tcp_socket create_stream_socket_perms; -@@ -158,7 +162,7 @@ - - manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) - manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) --files_pid_filetrans(postgresql_t, postgresql_var_run_t, file) -+files_pid_filetrans(postgresql_t, postgresql_var_run_t, { file sock_file }) - - kernel_read_kernel_sysctls(postgresql_t) - kernel_read_system_state(postgresql_t) -@@ -174,6 +178,7 @@ - corenet_udp_sendrecv_all_nodes(postgresql_t) - corenet_tcp_sendrecv_all_ports(postgresql_t) - corenet_udp_sendrecv_all_ports(postgresql_t) -+corenet_udp_bind_all_nodes(postgresql_t) - corenet_tcp_bind_all_nodes(postgresql_t) - corenet_tcp_bind_postgresql_port(postgresql_t) - corenet_tcp_connect_auth_port(postgresql_t) -@@ -288,7 +293,7 @@ - allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; - - allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute }; --allow sepgsql_client_type sepgsql_trusted_proc_t:db_procedure { getattr execute entrypoint }; -+allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint }; - - allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write }; - allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read }; -@@ -329,7 +334,7 @@ - - # unconfined domain is not allowed to invoke user defined procedure directly. - # They have to confirm and relabel it at first. --allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_t }:db_procedure *; -+allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_exec_t }:db_procedure *; - allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto }; - - allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.fc serefpolicy-3.5.13/policy/modules/services/postgrey.fc ---- nsaserefpolicy/policy/modules/services/postgrey.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postgrey.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,5 +1,7 @@ - - /etc/postgrey(/.*)? gen_context(system_u:object_r:postgrey_etc_t,s0) -+/etc/rc\.d/init\.d/postgrey -- gen_context(system_u:object_r:postgrey_initrc_exec_t,s0) -+ - - /usr/sbin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0) - -@@ -7,3 +9,5 @@ - - /var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0) - /var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0) -+ -+/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.5.13/policy/modules/services/postgrey.if ---- nsaserefpolicy/policy/modules/services/postgrey.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postgrey.if 2008-10-28 10:56:19.000000000 -0400 -@@ -12,10 +12,73 @@ - # - interface(`postgrey_stream_connect',` - gen_require(` -- type postgrey_var_run_t, postgrey_t; -+ type postgrey_var_run_t, postgrey_t, postgrey_spool_t; - ') - - allow $1 postgrey_t:unix_stream_socket connectto; -- allow $1 postgrey_var_run_t:sock_file write; -+ write_sock_files_pattern($1, postgrey_var_run_t, postgrey_var_run_t) -+ write_sock_files_pattern($1, postgrey_spool_t, postgrey_spool_t) - files_search_pids($1) - ') -+ -+######################################## -+## -+## Search the spool directory -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`postgrey_search_spool',` -+ gen_require(` -+ type postgrey_spool_t; -+ ') -+ -+ allow $1 postgrey_spool_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an postgrey environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the postgrey domain. -+## -+## -+## -+# -+interface(`postgrey_admin',` -+ gen_require(` -+ type postgrey_t, postgrey_etc_t; -+ type postgrey_var_lib_t, postgrey_var_run_t; -+ type postgrey_initrc_exec_t; -+ ') -+ -+ allow $1 postgrey_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, postgrey_t) -+ -+ init_labeled_script_domtrans($1, postgrey_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 postgrey_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_etc($1) -+ admin_pattern($1, postgrey_etc_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, postgrey_var_lib_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, postgrey_var_run_t) -+') -+ -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.5.13/policy/modules/services/postgrey.te ---- nsaserefpolicy/policy/modules/services/postgrey.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postgrey.te 2008-10-28 10:56:19.000000000 -0400 -@@ -13,6 +13,12 @@ - type postgrey_etc_t; - files_config_file(postgrey_etc_t) - -+type postgrey_initrc_exec_t; -+init_script_file(postgrey_initrc_exec_t) -+ -+type postgrey_spool_t; -+files_type(postgrey_spool_t) -+ - type postgrey_var_lib_t; - files_type(postgrey_var_lib_t) - -@@ -24,15 +30,21 @@ - # Local policy - # - --allow postgrey_t self:capability { chown setgid setuid }; -+allow postgrey_t self:capability { chown dac_override setgid setuid }; - dontaudit postgrey_t self:capability sys_tty_config; - allow postgrey_t self:process signal_perms; - allow postgrey_t self:tcp_socket create_stream_socket_perms; -+allow postgrey_t self:fifo_file create_fifo_file_perms; - - allow postgrey_t postgrey_etc_t:dir list_dir_perms; - read_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t) - read_lnk_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t) - -+manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) -+manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) -+manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) -+manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) -+ - manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t) - files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file) - -@@ -86,6 +98,11 @@ - ') - - optional_policy(` -+ postfix_read_config(postgrey_t) -+ postfix_manage_spool_files(postgrey_t) -+') -+ -+optional_policy(` - seutil_sigchld_newrole(postgrey_t) - ') - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.5.13/policy/modules/services/ppp.fc ---- nsaserefpolicy/policy/modules/services/ppp.fc 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ppp.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,8 +1,6 @@ - # - # /etc - # --/etc/rc.d/init.d/ppp -- gen_context(system_u:object_r:pppd_script_exec_t,s0) -- - /etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) - /etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) - /etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) -@@ -8,9 +6,9 @@ - /etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) - /etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0) - /etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) -- - # Fix /etc/ppp {up,down} family scripts (see man pppd) --/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_script_exec_t,s0) -+/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) - - # - # /sbin -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.5.13/policy/modules/services/ppp.if ---- nsaserefpolicy/policy/modules/services/ppp.if 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ppp.if 2008-10-28 10:56:19.000000000 -0400 -@@ -58,6 +58,25 @@ - - ######################################## - ## -+## Send ppp a sigkill -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+# -+interface(`ppp_sigkill',` -+ gen_require(` -+ type pppd_t; -+ ') -+ -+ allow $1 pppd_t:process sigkill; -+') -+ -+######################################## -+## - ## Send a generic signal to PPP. - ## - ## -@@ -310,6 +329,24 @@ - - ######################################## - ## -+## Execute ppp server in the ntpd domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`ppp_initrc_domtrans',` -+ gen_require(` -+ type pppd_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, pppd_initrc_exec_t) -+') -+ -+######################################## -+## - ## All of the rules required to administrate - ## an ppp environment - ## -@@ -327,33 +364,42 @@ - type pppd_etc_rw_t, pppd_var_run_t; - - type pptp_t, pptp_log_t, pptp_var_run_t; -+ type pppd_script_exec_t; -+ type pppd_initrc_exec_t; - ') - - allow $1 pppd_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, pppd_t) - -+ ppp_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 pppd_initrc_exec_t system_r; -+ allow $2 system_r; -+ - files_list_tmp($1) -- manage_files_pattern($1, pppd_tmp_t, pppd_tmp_t) -+ admin_pattern($1, pppd_tmp_t, pppd_tmp_t) - - logging_list_logs($1) -- manage_files_pattern($1, pppd_log_t, pppd_log_t) -+ admin_pattern($1, pppd_log_t, pppd_log_t) - -- manage_files_pattern($1, pppd_lock_t, pppd_lock_t) -+ admin_pattern($1, pppd_lock_t, pppd_lock_t) - - files_list_etc($1) -- manage_files_pattern($1, pppd_etc_t, pppd_etc_t) -+ admin_pattern($1, pppd_etc_t, pppd_etc_t) -+ -+ admin_pattern($1, pppd_etc_rw_t, pppd_etc_rw_t) - -- manage_files_pattern($1, pppd_etc_rw_t, pppd_etc_rw_t) -+ admin_pattern($1, pppd_secret_t, pppd_secret_t) - -- manage_files_pattern($1, pppd_secret_t, pppd_secret_t) -+ admin_pattern($1, pppd_script_exec_t) - - files_list_pids($1) -- manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t) -+ admin_pattern($1, pppd_var_run_t, pppd_var_run_t) - - allow $1 pptp_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, pptp_t) - -- manage_files_pattern($1, pptp_log_t, pptp_log_t) -+ admin_pattern($1, pptp_log_t, pptp_log_t) - -- manage_files_pattern($1, pptp_var_run_t, pptp_var_run_t) -+ admin_pattern($1, pptp_var_run_t, pptp_var_run_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.5.13/policy/modules/services/ppp.te ---- nsaserefpolicy/policy/modules/services/ppp.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ppp.te 2008-10-30 15:01:10.000000000 -0400 -@@ -37,8 +37,8 @@ - type pppd_etc_rw_t; - files_type(pppd_etc_rw_t) - --type pppd_script_exec_t; --files_type(pppd_script_exec_t) -+type pppd_initrc_exec_t; -+files_type(pppd_initrc_exec_t) - - # pppd_secret_t is the type of the pap and chap password files - type pppd_secret_t; -@@ -114,6 +114,8 @@ - # Access secret files - allow pppd_t pppd_secret_t:file read_file_perms; - -+ppp_initrc_domtrans(pppd_t) -+ - kernel_read_kernel_sysctls(pppd_t) - kernel_read_system_state(pppd_t) - kernel_rw_net_sysctls(pppd_t) -@@ -197,6 +199,8 @@ - - optional_policy(` - mta_send_mail(pppd_t) -+ mta_system_content(pppd_etc_t) -+ mta_system_content(pppd_etc_rw_t) - ') - - optional_policy(` -@@ -220,7 +224,7 @@ - # PPTP Local policy - # - --allow pptp_t self:capability net_raw; -+allow pptp_t self:capability { net_raw net_admin }; - dontaudit pptp_t self:capability sys_tty_config; - allow pptp_t self:process signal; - allow pptp_t self:fifo_file rw_fifo_file_perms; -@@ -228,14 +232,16 @@ - allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; - allow pptp_t self:rawip_socket create_socket_perms; - allow pptp_t self:tcp_socket create_socket_perms; -+allow pptp_t self:udp_socket create_socket_perms; -+allow pptp_t self:netlink_route_socket rw_netlink_socket_perms; - - allow pptp_t pppd_etc_t:dir list_dir_perms; - allow pptp_t pppd_etc_t:file read_file_perms; --allow pptp_t pppd_etc_t:lnk_file { getattr read }; -+allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; - - allow pptp_t pppd_etc_rw_t:dir list_dir_perms; - allow pptp_t pppd_etc_rw_t:file read_file_perms; --allow pptp_t pppd_etc_rw_t:lnk_file { getattr read }; -+allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; - can_exec(pptp_t, pppd_etc_rw_t) - - # Allow pptp to append to pppd log files -@@ -251,9 +257,13 @@ - kernel_list_proc(pptp_t) - kernel_read_kernel_sysctls(pptp_t) - kernel_read_proc_symlinks(pptp_t) -+kernel_read_system_state(pptp_t) - - dev_read_sysfs(pptp_t) - -+corecmd_exec_shell(pptp_t) -+corecmd_read_bin_symlinks(pptp_t) -+ - corenet_all_recvfrom_unlabeled(pptp_t) - corenet_all_recvfrom_netlabel(pptp_t) - corenet_tcp_sendrecv_all_if(pptp_t) -@@ -269,12 +279,16 @@ - fs_getattr_all_fs(pptp_t) - fs_search_auto_mountpoints(pptp_t) - -+files_read_etc_files(pptp_t) -+ - term_ioctl_generic_ptys(pptp_t) - term_search_ptys(pptp_t) - term_use_ptmx(pptp_t) - - domain_use_interactive_fds(pptp_t) - -+auth_use_nsswitch(pptp_t) -+ - libs_use_ld_so(pptp_t) - libs_use_shared_libs(pptp_t) - -@@ -282,7 +296,7 @@ - - miscfiles_read_localization(pptp_t) - --sysnet_read_config(pptp_t) -+sysnet_exec_ifconfig(pptp_t) - - userdom_dontaudit_use_unpriv_user_fds(pptp_t) - -@@ -293,11 +307,15 @@ - ') - - optional_policy(` -- hostname_exec(pptp_t) -+ dbus_system_domain(pppd_t, pppd_exec_t) -+ -+ optional_policy(` -+ networkmanager_dbus_chat(pppd_t) -+ ') - ') - - optional_policy(` -- nscd_socket_use(pptp_t) -+ hostname_exec(pptp_t) - ') - - optional_policy(` -@@ -311,6 +329,3 @@ - optional_policy(` - postfix_read_config(pppd_t) - ') -- --# FIXME: --domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.5.13/policy/modules/services/prelude.fc ---- nsaserefpolicy/policy/modules/services/prelude.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/prelude.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,3 +1,9 @@ -+/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0) -+ -+/etc/rc\.d/init\.d/prelude-correlator -- gen_context(system_u:object_r:prelude_initrc_exec_t, s0) -+/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0) -+ - /sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0) - - /usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0) -@@ -5,7 +11,15 @@ - - /var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0) - -+/var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0) -+ - /var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0) - - /var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) - /var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) -+ -+/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0) -+/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0) -+ -+/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.5.13/policy/modules/services/prelude.if ---- nsaserefpolicy/policy/modules/services/prelude.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/prelude.if 2008-10-28 10:56:19.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## Domain allowed to transition. -+## Domain allowed access. - ## - ## - # -@@ -42,7 +42,7 @@ - ## - ## - ## --## Domain allowed acccess. -+## Domain allowed to transition. - ## - ## - # -@@ -56,6 +56,45 @@ - - ######################################## - ## -+## Read the prelude spool files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`prelude_read_spool',` -+ gen_require(` -+ type prelude_spool_t; -+ ') -+ -+ files_search_spool($1) -+ read_files_pattern($1, prelude_spool_t, prelude_spool_t) -+') -+ -+######################################## -+## -+## Manage to prelude-manager spool files. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`prelude_manage_spool',` -+ gen_require(` -+ type prelude_spool_t; -+ ') -+ -+ files_search_spool($1) -+ manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t) -+ manage_files_pattern($1, prelude_spool_t, prelude_spool_t) -+') -+ -+######################################## -+## - ## All of the rules required to administrate - ## an prelude environment - ## -@@ -64,6 +103,11 @@ - ## Domain allowed access. - ## - ## -+## -+## -+## The role to be allowed to manage the syslog domain. -+## -+## - ## - # - interface(`prelude_admin',` -@@ -71,6 +115,10 @@ - type prelude_t, prelude_spool_t; - type prelude_var_run_t, prelude_var_lib_t; - type prelude_audisp_t, prelude_audisp_var_run_t; -+ type prelude_initrc_exec_t; -+ -+ type prelude_lml_t, prelude_lml_tmp_t; -+ type prelude_lml_var_run_t; - ') - - allow $1 prelude_t:process { ptrace signal_perms }; -@@ -79,11 +127,18 @@ - allow $1 prelude_audisp_t:process { ptrace signal_perms }; - ps_process_pattern($1, prelude_audisp_t) - -- manage_files_pattern($1, prelude_spool_t, prelude_spool_t) -- -- manage_files_pattern($1, prelude_var_lib_t, prelude_var_lib_t) -- -- manage_files_pattern($1, prelude_var_run_t, prelude_var_run_t) -+ allow $1 prelude_lml_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, prelude_lml_t) - -- manage_files_pattern($1, prelude_audisp_var_run_t, prelude_audisp_var_run_t) -+ init_labeled_script_domtrans($1, prelude_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 prelude_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ admin_pattern($1, prelude_spool_t) -+ admin_pattern($1, prelude_var_lib_t) -+ admin_pattern($1, prelude_var_run_t) -+ admin_pattern($1, prelude_audisp_var_run_t) -+ admin_pattern($1, prelude_lml_tmp_t) -+ admin_pattern($1, prelude_lml_var_run_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.13/policy/modules/services/prelude.te ---- nsaserefpolicy/policy/modules/services/prelude.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/prelude.te 2008-10-28 10:56:19.000000000 -0400 -@@ -13,25 +13,57 @@ - type prelude_spool_t; - files_type(prelude_spool_t) - -+type prelude_log_t; -+logging_log_file(prelude_log_t) -+ - type prelude_var_run_t; - files_pid_file(prelude_var_run_t) - - type prelude_var_lib_t; - files_type(prelude_var_lib_t) - -+type prelude_initrc_exec_t; -+init_script_file(prelude_initrc_exec_t) -+ - type prelude_audisp_t; - type prelude_audisp_exec_t; - init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t) -+typealias prelude_audisp_t alias audisp_prelude_t; -+typealias prelude_audisp_exec_t alias audisp_prelude_exec_t; - - type prelude_audisp_var_run_t; - files_pid_file(prelude_audisp_var_run_t) -+typealias prelude_audisp_var_run_t alias audisp_prelude_var_run_t; -+ -+type prelude_lml_t; -+type prelude_lml_exec_t; -+init_daemon_domain(prelude_lml_t, prelude_lml_exec_t) -+ -+type prelude_lml_var_run_t; -+files_pid_file(prelude_lml_var_run_t) -+ -+type prelude_lml_tmp_t; -+files_tmp_file(prelude_lml_tmp_t) -+ -+######################################## -+# -+# prelude_correlator declarations -+# -+ -+type prelude_correlator_t; -+type prelude_correlator_exec_t; -+init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t) -+role system_r types prelude_correlator_t; -+ -+type prelude_correlator_config_t; -+files_config_file(prelude_correlator_config_t) - - ######################################## - # - # prelude local policy - # - --allow prelude_t self:capability sys_tty_config; -+allow prelude_t self:capability { dac_override sys_tty_config }; - allow prelude_t self:fifo_file rw_file_perms; - allow prelude_t self:unix_stream_socket create_stream_socket_perms; - allow prelude_t self:netlink_route_socket r_netlink_socket_perms; -@@ -49,6 +81,9 @@ - manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) - files_pid_filetrans(prelude_t, prelude_var_run_t, file) - -+manage_files_pattern(prelude_t, prelude_log_t, prelude_log_t) -+logging_log_filetrans(prelude_t, prelude_log_t, file) -+ - corecmd_search_bin(prelude_t) - - corenet_all_recvfrom_unlabeled(prelude_t) -@@ -56,15 +91,23 @@ - corenet_tcp_sendrecv_all_if(prelude_t) - corenet_tcp_sendrecv_all_nodes(prelude_t) - corenet_tcp_bind_all_nodes(prelude_t) -+corenet_tcp_bind_prelude_port(prelude_t) -+corenet_tcp_connect_prelude_port(prelude_t) -+corenet_tcp_connect_postgresql_port(prelude_t) - - dev_read_rand(prelude_t) - dev_read_urand(prelude_t) - -+kernel_read_sysctl(prelude_t) -+ - # Init script handling - domain_use_interactive_fds(prelude_t) - - files_read_etc_files(prelude_t) - files_read_usr_files(prelude_t) -+files_search_tmp(prelude_t) -+ -+fs_rw_anon_inodefs_files(prelude_t) - - auth_use_nsswitch(prelude_t) - -@@ -89,7 +132,7 @@ - # - # prelude_audisp local policy - # -- -+allow prelude_audisp_t self:capability dac_override; - allow prelude_audisp_t self:fifo_file rw_file_perms; - allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms; - allow prelude_audisp_t self:unix_dgram_socket create_socket_perms; -@@ -110,6 +153,7 @@ - corenet_tcp_sendrecv_all_if(prelude_audisp_t) - corenet_tcp_sendrecv_all_nodes(prelude_audisp_t) - corenet_tcp_bind_all_nodes(prelude_audisp_t) -+corenet_tcp_connect_prelude_port(prelude_audisp_t) - - dev_read_rand(prelude_audisp_t) - dev_read_urand(prelude_audisp_t) -@@ -117,15 +161,139 @@ - # Init script handling - domain_use_interactive_fds(prelude_audisp_t) - -+kernel_read_sysctl(prelude_audisp_t) -+ - files_read_etc_files(prelude_audisp_t) - - libs_use_ld_so(prelude_audisp_t) - libs_use_shared_libs(prelude_audisp_t) - - logging_send_syslog_msg(prelude_audisp_t) -+logging_dispatcher_domain(prelude_audisp_t, prelude_audisp_exec_t) - - miscfiles_read_localization(prelude_audisp_t) - -+sysnet_dns_name_resolve(prelude_audisp_t) -+ -+######################################## -+# -+# prelude_correlator local policy -+# -+ -+allow prelude_correlator_t self:capability dac_override; -+allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms; -+allow prelude_correlator_t self:tcp_socket create_stream_socket_perms; -+allow prelude_correlator_t self:unix_dgram_socket create_socket_perms; -+ -+allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms; -+read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t) -+ -+prelude_manage_spool(prelude_correlator_t) -+ -+corecmd_search_bin(prelude_correlator_t) -+ -+corenet_all_recvfrom_unlabeled(prelude_correlator_t) -+corenet_all_recvfrom_netlabel(prelude_correlator_t) -+corenet_tcp_sendrecv_all_if(prelude_correlator_t) -+corenet_tcp_sendrecv_all_nodes(prelude_correlator_t) -+corenet_tcp_connect_prelude_port(prelude_correlator_t) -+ -+kernel_read_sysctl(prelude_correlator_t) -+ -+dev_read_rand(prelude_correlator_t) -+dev_read_urand(prelude_correlator_t) -+ -+files_read_etc_files(prelude_correlator_t) -+files_read_usr_files(prelude_correlator_t) -+files_search_spool(prelude_correlator_t) -+ -+libs_use_ld_so(prelude_correlator_t) -+libs_use_shared_libs(prelude_correlator_t) -+ -+logging_send_syslog_msg(prelude_correlator_t) -+ -+miscfiles_read_localization(prelude_correlator_t) -+ -+sysnet_dns_name_resolve(prelude_correlator_t) -+ -+######################################## -+# -+# prelude_lml local declarations -+# -+ -+allow prelude_lml_t self:capability dac_override; -+ -+# Init script handling -+domain_use_interactive_fds(prelude_lml_t) -+ -+allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect }; -+allow prelude_lml_t self:unix_dgram_socket { write create connect }; -+allow prelude_lml_t self:fifo_file rw_fifo_file_perms; -+allow prelude_lml_t self:unix_stream_socket connectto; -+ -+files_list_tmp(prelude_lml_t) -+manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) -+manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) -+files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir }) -+ -+files_search_spool(prelude_lml_t) -+manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) -+manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) -+ -+files_search_var_lib(prelude_lml_t) -+manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) -+manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) -+ -+manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t) -+files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file) -+ -+corecmd_exec_bin(prelude_lml_t) -+ -+corenet_tcp_sendrecv_generic_if(prelude_lml_t) -+corenet_tcp_sendrecv_all_nodes(prelude_lml_t) -+corenet_tcp_recvfrom_netlabel(prelude_lml_t) -+corenet_tcp_recvfrom_unlabeled(prelude_lml_t) -+corenet_sendrecv_unlabeled_packets(prelude_lml_t) -+corenet_tcp_connect_prelude_port(prelude_lml_t) -+ -+dev_read_rand(prelude_lml_t) -+dev_read_urand(prelude_lml_t) -+ -+kernel_read_sysctl(prelude_lml_t) -+ -+files_list_etc(prelude_lml_t) -+files_read_etc_files(prelude_lml_t) -+files_read_etc_runtime_files(prelude_lml_t) -+ -+files_search_spool(prelude_lml_t) -+files_search_usr(prelude_lml_t) -+files_search_var_lib(prelude_lml_t) -+ -+fs_list_inotifyfs(prelude_lml_t) -+fs_read_anon_inodefs_files(prelude_lml_t) -+fs_rw_anon_inodefs_files(prelude_lml_t) -+ -+auth_use_nsswitch(prelude_lml_t) -+ -+libs_use_ld_so(prelude_lml_t) -+libs_use_shared_libs(prelude_lml_t) -+libs_exec_lib_files(prelude_lml_t) -+libs_read_lib_files(prelude_lml_t) -+ -+logging_send_syslog_msg(prelude_lml_t) -+logging_read_generic_logs(prelude_lml_t) -+ -+miscfiles_read_localization(prelude_lml_t) -+ -+sysnet_dns_name_resolve(prelude_lml_t) -+ -+userdom_read_all_users_state(prelude_lml_t) -+ -+optional_policy(` -+ apache_search_sys_content(prelude_lml_t) -+ apache_read_log(prelude_lml_t) -+') -+ - ######################################## - # - # prewikka_cgi Declarations -@@ -134,6 +302,20 @@ - optional_policy(` - apache_content_template(prewikka) - files_read_etc_files(httpd_prewikka_script_t) -+ files_search_tmp(httpd_prewikka_script_t) -+ -+ kernel_read_sysctl(httpd_prewikka_script_t) -+ kernel_search_network_sysctl(httpd_prewikka_script_t) -+ -+ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t) -+ -+ corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t) -+ -+ auth_use_nsswitch(httpd_prewikka_script_t) -+ -+ logging_send_syslog_msg(httpd_prewikka_script_t) -+ -+ apache_search_sys_content(httpd_prewikka_script_t) - - optional_policy(` - mysql_search_db(httpd_prewikka_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.5.13/policy/modules/services/privoxy.fc ---- nsaserefpolicy/policy/modules/services/privoxy.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/privoxy.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,5 +1,7 @@ - - /etc/privoxy/user\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0) -+/etc/privoxy/default\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0) -+/etc/rc\.d/init\.d/privoxy -- gen_context(system_u:object_r:privoxy_initrc_exec_t,s0) - - /usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.if serefpolicy-3.5.13/policy/modules/services/privoxy.if ---- nsaserefpolicy/policy/modules/services/privoxy.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/privoxy.if 2008-10-28 10:56:19.000000000 -0400 -@@ -16,17 +16,23 @@ - gen_require(` - type privoxy_t, privoxy_log_t; - type privoxy_etc_rw_t, privoxy_var_run_t; -+ type privoxy_initrc_exec_t; - ') - - allow $1 privoxy_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, privoxy_t) - -+ init_labeled_script_domtrans($1, privoxy_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 privoxy_initrc_exec_t system_r; -+ allow $2 system_r; -+ - logging_list_logs($1) -- manage_files_pattern($1, privoxy_log_t, privoxy_log_t) -+ admin_pattern($1, privoxy_log_t) - - files_list_etc($1) -- manage_files_pattern($1, privoxy_etc_rw_t, privoxy_etc_rw_t) -+ admin_pattern($1, privoxy_etc_rw_t) - - files_list_pids($1) -- manage_files_pattern($1, privoxy_var_run_t, privoxy_var_run_t) -+ admin_pattern($1, privoxy_var_run_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.5.13/policy/modules/services/privoxy.te ---- nsaserefpolicy/policy/modules/services/privoxy.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/privoxy.te 2008-10-28 10:56:19.000000000 -0400 -@@ -10,6 +10,9 @@ - type privoxy_exec_t; - init_daemon_domain(privoxy_t, privoxy_exec_t) - -+type privoxy_initrc_exec_t; -+init_script_file(privoxy_initrc_exec_t) -+ - type privoxy_etc_rw_t; - files_type(privoxy_etc_rw_t) - -@@ -50,6 +53,7 @@ - corenet_tcp_connect_http_port(privoxy_t) - corenet_tcp_connect_http_cache_port(privoxy_t) - corenet_tcp_connect_ftp_port(privoxy_t) -+corenet_tcp_connect_pgpkeyserver_port(privoxy_t) - corenet_tcp_connect_tor_port(privoxy_t) - corenet_sendrecv_http_cache_client_packets(privoxy_t) - corenet_sendrecv_http_cache_server_packets(privoxy_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.5.13/policy/modules/services/procmail.fc ---- nsaserefpolicy/policy/modules/services/procmail.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/procmail.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,2 +1,5 @@ - - /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) -+ -+/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) -+/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.5.13/policy/modules/services/procmail.if ---- nsaserefpolicy/policy/modules/services/procmail.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/procmail.if 2008-10-28 10:56:19.000000000 -0400 -@@ -39,3 +39,41 @@ - corecmd_search_bin($1) - can_exec($1, procmail_exec_t) - ') -+ -+######################################## -+## -+## Read procmail tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`procmail_read_tmp_files',` -+ gen_require(` -+ type procmail_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ allow $1 procmail_tmp_t:file read_file_perms; -+') -+ -+######################################## -+## -+## Read/write procmail tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`procmail_rw_tmp_files',` -+ gen_require(` -+ type procmail_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.5.13/policy/modules/services/procmail.te ---- nsaserefpolicy/policy/modules/services/procmail.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/procmail.te 2008-10-28 10:56:19.000000000 -0400 -@@ -14,6 +14,10 @@ - type procmail_tmp_t; - files_tmp_file(procmail_tmp_t) - -+# log files -+type procmail_log_t; -+logging_log_file(procmail_log_t) -+ - ######################################## - # - # Local policy -@@ -29,6 +33,13 @@ - - can_exec(procmail_t,procmail_exec_t) - -+# Write log to /var/log/procmail.log or /var/log/procmail/.* -+allow procmail_t procmail_log_t:dir setattr; -+create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -+append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -+read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -+logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) -+ - allow procmail_t procmail_tmp_t:file manage_file_perms; - files_tmp_filetrans(procmail_t, procmail_tmp_t, file) - -@@ -58,6 +69,7 @@ - - corecmd_exec_bin(procmail_t) - corecmd_exec_shell(procmail_t) -+corecmd_read_bin_symlinks(procmail_t) - - files_read_etc_files(procmail_t) - files_read_etc_runtime_files(procmail_t) -@@ -75,10 +87,6 @@ - # only works until we define a different type for maildir - userdom_priveleged_home_dir_manager(procmail_t) - --# Do not audit attempts to access /root. --staff_dontaudit_search_home_dirs(procmail_t) --sysadm_dontaudit_search_home_dirs(procmail_t) -- - mta_manage_spool(procmail_t) - - ifdef(`hide_broken_symptoms',` -@@ -117,11 +125,13 @@ - - optional_policy(` - pyzor_domtrans(procmail_t) -+ pyzor_signal(procmail_t) - ') - - optional_policy(` - mta_read_config(procmail_t) - sendmail_domtrans(procmail_t) -+ sendmail_signal(procmail_t) - sendmail_rw_tcp_sockets(procmail_t) - sendmail_rw_unix_stream_sockets(procmail_t) - ') -@@ -130,7 +140,16 @@ - corenet_udp_bind_generic_port(procmail_t) - corenet_dontaudit_udp_bind_all_ports(procmail_t) - -- spamassassin_exec(procmail_t) -- spamassassin_exec_client(procmail_t) -+ spamassassin_domtrans(procmail_t) -+ spamassassin_domtrans_spamc(procmail_t) - spamassassin_read_lib_files(procmail_t) - ') -+ -+optional_policy(` -+ # Do not audit attempts to access /root. -+ sysadm_dontaudit_search_home_dirs(procmail_t) -+') -+ -+optional_policy(` -+ mailscanner_read_spool(procmail_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.5.13/policy/modules/services/pyzor.fc ---- nsaserefpolicy/policy/modules/services/pyzor.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/pyzor.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,6 +1,8 @@ - /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) -+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) - --HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:ROLE_pyzor_home_t,s0) -+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) -+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) - - /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) - /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.5.13/policy/modules/services/pyzor.if ---- nsaserefpolicy/policy/modules/services/pyzor.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/pyzor.if 2008-10-28 10:56:19.000000000 -0400 -@@ -25,16 +25,16 @@ - # - template(`pyzor_per_role_template',` - gen_require(` -- type pyzord_t; -+ type pyzor_t; -+ type pyzor_home_t; - ') - -- type $1_pyzor_home_t; -- userdom_user_home_content($1, $1_pyzor_home_t) -+ typealias pyzor_home_t alias $1_pyzor_home_t; - -- manage_dirs_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) -- manage_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) -- manage_lnk_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) -- userdom_user_home_dir_filetrans($1, pyzord_t, $1_pyzor_home_t, { dir file lnk_file }) -+ manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) -+ manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) -+ manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) -+ userdom_user_home_dir_filetrans($1, pyzor_t, pyzor_home_t, { dir file lnk_file }) - ') - - ######################################## -@@ -94,3 +94,50 @@ - corecmd_search_bin($1) - can_exec($1, pyzor_exec_t) - ') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an pyzor environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the pyzor domain. -+## -+## -+## -+# -+interface(`pyzor_admin',` -+ gen_require(` -+ type pyzord_t, pyzor_tmp_t, pyzord_log_t; -+ type pyzor_etc_t, pyzor_var_lib_t; -+ type pyzord_initrc_exec_t; -+ ') -+ -+ allow $1 pyzord_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, pyzord_t) -+ -+ init_labeled_script_domtrans($1, pyzord_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 pyzord_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, pyzor_tmp_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, pyzord_log_t) -+ -+ files_list_etc($1) -+ admin_pattern($1, pyzor_etc_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, pyzor_var_lib_t) -+') -+ -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.5.13/policy/modules/services/pyzor.te ---- nsaserefpolicy/policy/modules/services/pyzor.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/pyzor.te 2008-10-28 10:56:19.000000000 -0400 -@@ -6,6 +6,37 @@ - # Declarations - # - -+ -+ifdef(`distro_redhat',` -+ -+ gen_require(` -+ type spamc_t; -+ type spamc_exec_t; -+ type spamd_t; -+ type spamd_initrc_exec_t; -+ type spamd_exec_t; -+ type spamc_tmp_t; -+ type spamd_log_t; -+ type spamd_var_lib_t; -+ type spamd_etc_t; -+ type spamc_tmp_t; -+ type spamc_home_t; -+ ') -+ -+ typealias spamc_t alias pyzor_t; -+ typealias spamc_exec_t alias pyzor_exec_t; -+ typealias spamd_t alias pyzord_t; -+ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t; -+ typealias spamd_exec_t alias pyzord_exec_t; -+ typealias spamc_tmp_t alias pyzor_tmp_t; -+ typealias spamd_log_t alias pyzor_log_t; -+ typealias spamd_log_t alias pyzord_log_t; -+ typealias spamd_var_lib_t alias pyzor_var_lib_t; -+ typealias spamd_etc_t alias pyzor_etc_t; -+ typealias spamc_home_t alias pyzor_home_t; -+ -+',` -+ - type pyzor_t; - type pyzor_exec_t; - application_domain(pyzor_t, pyzor_exec_t) -@@ -17,7 +48,7 @@ - init_daemon_domain(pyzord_t, pyzord_exec_t) - - type pyzor_etc_t; --files_type(pyzor_etc_t) -+ files_config_file(pyzor_etc_t) - - type pyzord_log_t; - logging_log_file(pyzord_log_t) -@@ -28,6 +59,14 @@ - type pyzor_var_lib_t; - files_type(pyzor_var_lib_t) - -+type pyzor_home_t; -+userdom_user_home_content(user, pyzor_home_t) -+ -+type pyzord_initrc_exec_t; -+init_script_file(pyzord_initrc_exec_t) -+ -+') -+ - ######################################## - # - # Pyzor local policy -@@ -68,6 +107,8 @@ - - miscfiles_read_localization(pyzor_t) - -+mta_read_queue(pyzor_t) -+ - sysadm_dontaudit_search_home_dirs(pyzor_t) - - optional_policy(` -@@ -76,8 +117,13 @@ - ') - - optional_policy(` -+ procmail_read_tmp_files(pyzor_t) -+') -+ -+optional_policy(` - spamassassin_signal_spamd(pyzor_t) - spamassassin_read_spamd_tmp_files(pyzor_t) -+ unprivuser_read_home_content_files(pyzor_t) - ') - - ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.5.13/policy/modules/services/qmail.te ---- nsaserefpolicy/policy/modules/services/qmail.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/qmail.te 2008-10-28 10:56:19.000000000 -0400 -@@ -124,6 +124,10 @@ - - qmail_domtrans_queue(qmail_local_t) - -+optional_policy(` -+ spamassassin_domtrans_spamc(qmail_local_t) -+') -+ - ######################################## - # - # qmail-lspawn local policy -@@ -255,6 +259,10 @@ - ') - - optional_policy(` -+ kerberos_keytab_template(qmail, qmail_smtpd_t) -+') -+ -+optional_policy(` - ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t) - ') - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.5.13/policy/modules/services/radius.te ---- nsaserefpolicy/policy/modules/services/radius.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/radius.te 2008-10-28 10:56:19.000000000 -0400 -@@ -59,8 +59,9 @@ - - manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t) - -+manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) - manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) --files_pid_filetrans(radiusd_t, radiusd_var_run_t, file) -+files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file }) - - kernel_read_kernel_sysctls(radiusd_t) - kernel_read_system_state(radiusd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.5.13/policy/modules/services/razor.fc ---- nsaserefpolicy/policy/modules/services/razor.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/razor.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,4 +1,4 @@ --HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:ROLE_razor_home_t,s0) -+HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) - - /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.5.13/policy/modules/services/razor.if ---- nsaserefpolicy/policy/modules/services/razor.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/razor.if 2008-10-28 10:56:19.000000000 -0400 -@@ -137,6 +137,7 @@ - template(`razor_per_role_template',` - gen_require(` - type razor_exec_t; -+ type razor_home_t, razor_tmp_t; - ') - - type $1_razor_t; -@@ -145,12 +146,8 @@ - razor_common_domain_template($1_razor) - role $3 types $1_razor_t; - -- type $1_razor_home_t alias $1_razor_rw_t; -- files_poly_member($1_razor_home_t) -- userdom_user_home_content($1, $1_razor_home_t) -- -- type $1_razor_tmp_t; -- files_tmp_file($1_razor_tmp_t) -+ typealias razor_home_t alias $1_razor_home_t; -+ typealias razor_tmp_t alias $1_razor_tmp_t; - - ############################## - # -@@ -159,10 +156,10 @@ - - allow $1_razor_t self:unix_stream_socket create_stream_socket_perms; - -- manage_dirs_pattern($1_razor_t, $1_razor_home_t, $1_razor_home_t) -- manage_files_pattern($1_razor_t, $1_razor_home_t, $1_razor_home_t) -- manage_lnk_files_pattern($1_razor_t, $1_razor_home_t, $1_razor_home_t) -- userdom_user_home_dir_filetrans($1, $1_razor_t, $1_razor_home_t, dir) -+ manage_dirs_pattern($1_razor_t, razor_home_t, razor_home_t) -+ manage_files_pattern($1_razor_t, razor_home_t, razor_home_t) -+ manage_lnk_files_pattern($1_razor_t, razor_home_t, razor_home_t) -+ userdom_user_home_dir_filetrans($1, $1_razor_t, razor_home_t, dir) - - manage_dirs_pattern($1_razor_t, $1_razor_tmp_t, $1_razor_tmp_t) - manage_files_pattern($1_razor_t, $1_razor_tmp_t, $1_razor_tmp_t) -@@ -170,12 +167,12 @@ - - domtrans_pattern($2, razor_exec_t, $1_razor_t) - -- manage_dirs_pattern($2, $1_razor_home_t, $1_razor_home_t) -- manage_files_pattern($2, $1_razor_home_t, $1_razor_home_t) -- manage_lnk_files_pattern($2, $1_razor_home_t, $1_razor_home_t) -- relabel_dirs_pattern($2, $1_razor_home_t, $1_razor_home_t) -- relabel_files_pattern($2, $1_razor_home_t, $1_razor_home_t) -- relabel_lnk_files_pattern($2, $1_razor_home_t, $1_razor_home_t) -+ manage_dirs_pattern($2, razor_home_t, razor_home_t) -+ manage_files_pattern($2, razor_home_t, razor_home_t) -+ manage_lnk_files_pattern($2, razor_home_t, razor_home_t) -+ relabel_dirs_pattern($2, razor_home_t, razor_home_t) -+ relabel_files_pattern($2, razor_home_t, razor_home_t) -+ relabel_lnk_files_pattern($2, razor_home_t, razor_home_t) - - logging_send_syslog_msg($1_razor_t) - -@@ -218,3 +215,61 @@ - - domtrans_pattern($1, razor_exec_t, razor_t) - ') -+ -+######################################## -+## -+## Create, read, write, and delete razor files -+## in a user home subdirectory. -+## -+## -+##

-+## Create, read, write, and delete razor files -+## in a user home subdirectory. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`razor_manage_user_home_files',` -+ gen_require(` -+ type user_home_dir_t, razor_home_t; -+ ') -+ -+ files_search_home($2) -+ allow $2 user_home_dir_t:dir search_dir_perms; -+ manage_files_pattern($2, razor_home_t, razor_home_t) -+ read_lnk_files_pattern($2, razor_home_t, razor_home_t) -+') -+ -+######################################## -+## -+## read razor lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`razor_read_lib_files',` -+ gen_require(` -+ type razor_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.5.13/policy/modules/services/razor.te ---- nsaserefpolicy/policy/modules/services/razor.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/razor.te 2008-10-28 10:56:19.000000000 -0400 -@@ -6,21 +6,51 @@ - # Declarations - # - -+ifdef(`distro_redhat',` -+ -+ gen_require(` -+ type spamc_t; -+ type spamc_exec_t; -+ type spamd_log_t; -+ type spamd_spool_t; -+ type spamd_var_lib_t; -+ type spamd_etc_t; -+ type spamassassin_home_t; -+ type spamc_tmp_t; -+ ') -+ -+ typealias spamc_t alias razor_t; -+ typealias spamc_exec_t alias razor_exec_t; -+ typealias spamd_log_t alias razor_log_t; -+ typealias spamd_var_lib_t alias razor_var_lib_t; -+ typealias spamd_etc_t alias razor_etc_t; -+ typealias spamassassin_home_t alias razor_home_t; -+ -+',` -+ - type razor_t; - type razor_exec_t; - domain_type(razor_t) - domain_entry_file(razor_t, razor_exec_t) - role system_r types razor_t; - --type razor_etc_t; --files_config_file(razor_etc_t) -- - type razor_log_t; - logging_log_file(razor_log_t) - - type razor_var_lib_t; - files_type(razor_var_lib_t) - -+type razor_etc_t; -+files_config_file(razor_etc_t) -+ -+type razor_home_t; -+userdom_user_home_content(user, razor_home_t) -+ -+type razor_tmp_t; -+files_tmp_file(razor_tmp_t) -+ -+') -+ - razor_common_domain_template(razor) - - ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.5.13/policy/modules/services/ricci.te ---- nsaserefpolicy/policy/modules/services/ricci.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ricci.te 2008-10-28 10:56:19.000000000 -0400 -@@ -133,6 +133,8 @@ - - dev_read_urand(ricci_t) - -+domain_read_all_domains_state(ricci_t) -+ - files_read_etc_files(ricci_t) - files_read_etc_runtime_files(ricci_t) - files_create_boot_flag(ricci_t) -@@ -140,7 +142,7 @@ - auth_domtrans_chk_passwd(ricci_t) - auth_append_login_records(ricci_t) - --init_dontaudit_stream_connect_script(ricci_t) -+init_stream_connect_script(ricci_t) - - libs_use_ld_so(ricci_t) - libs_use_shared_libs(ricci_t) -@@ -205,7 +207,7 @@ - corecmd_exec_shell(ricci_modcluster_t) - corecmd_exec_bin(ricci_modcluster_t) - --domain_dontaudit_read_all_domains_state(ricci_modcluster_t) -+domain_read_all_domains_state(ricci_modcluster_t) - - files_search_locks(ricci_modcluster_t) - files_read_etc_runtime_files(ricci_modcluster_t) -@@ -293,14 +295,14 @@ - corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t) - corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t) - --domain_dontaudit_read_all_domains_state(ricci_modclusterd_t) -+domain_read_all_domains_state(ricci_modclusterd_t) - - files_read_etc_files(ricci_modclusterd_t) - files_read_etc_runtime_files(ricci_modclusterd_t) - - fs_getattr_xattr_fs(ricci_modclusterd_t) - --init_dontaudit_stream_connect_script(ricci_modclusterd_t) -+init_stream_connect_script(ricci_modclusterd_t) - - libs_use_ld_so(ricci_modclusterd_t) - libs_use_shared_libs(ricci_modclusterd_t) -@@ -337,7 +339,7 @@ - - corecmd_exec_bin(ricci_modlog_t) - --domain_dontaudit_read_all_domains_state(ricci_modlog_t) -+domain_read_all_domains_state(ricci_modlog_t) - - files_read_etc_files(ricci_modlog_t) - files_search_usr(ricci_modlog_t) -@@ -450,7 +452,7 @@ - dev_read_urand(ricci_modstorage_t) - dev_manage_generic_blk_files(ricci_modstorage_t) - --domain_dontaudit_read_all_domains_state(ricci_modstorage_t) -+domain_read_all_domains_state(ricci_modstorage_t) - - #Needed for editing /etc/fstab - files_manage_etc_files(ricci_modstorage_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.5.13/policy/modules/services/rlogin.te ---- nsaserefpolicy/policy/modules/services/rlogin.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/rlogin.te 2008-11-05 17:20:28.000000000 -0500 -@@ -94,10 +94,22 @@ - remotelogin_signal(rlogind_t) - - optional_policy(` -- kerberos_use(rlogind_t) -- kerberos_read_keytab(rlogind_t) -+ kerberos_keytab_template(rlogind, rlogind_t) -+ kerberos_manage_host_rcache(rlogind_t) - ') - - optional_policy(` - tcpd_wrapped_domain(rlogind_t, rlogind_exec_t) - ') -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_list_nfs(rlogind_t) -+ fs_read_nfs_files(rlogind_t) -+ fs_read_nfs_symlinks(rlogind_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_list_cifs(rlogind_t) -+ fs_read_cifs_files(rlogind_t) -+ fs_read_cifs_symlinks(rlogind_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.fc serefpolicy-3.5.13/policy/modules/services/roundup.fc ---- nsaserefpolicy/policy/modules/services/roundup.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/roundup.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,3 +1,5 @@ -+/etc/rc\.d/init\.d/roundup -- gen_context(system_u:object_r:roundup_initrc_exec_t,s0) -+ - # - # /usr - # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.if serefpolicy-3.5.13/policy/modules/services/roundup.if ---- nsaserefpolicy/policy/modules/services/roundup.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/roundup.if 2008-10-28 10:56:19.000000000 -0400 -@@ -1 +1,39 @@ - ## Roundup Issue Tracking System policy -+ -+######################################## -+## -+## All of the rules required to administrate -+## an roundup environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the roundup domain. -+## -+## -+## -+# -+interface(`roundup_admin',` -+ gen_require(` -+ type roundup_t, roundup_var_lib_t, roundup_var_run_t; -+ type roundup_initrc_exec_t; -+ ') -+ -+ allow $1 roundup_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, roundup_t) -+ -+ init_labeled_script_domtrans($1, roundup_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 roundup_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_var_lib($1) -+ admin_pattern($1, roundup_var_lib_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, roundup_var_run_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.te serefpolicy-3.5.13/policy/modules/services/roundup.te ---- nsaserefpolicy/policy/modules/services/roundup.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/roundup.te 2008-10-28 10:56:19.000000000 -0400 -@@ -10,6 +10,9 @@ - type roundup_exec_t; - init_daemon_domain(roundup_t, roundup_exec_t) - -+type roundup_initrc_exec_t; -+init_script_file(roundup_initrc_exec_t) -+ - type roundup_var_run_t; - files_pid_file(roundup_var_run_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.5.13/policy/modules/services/rpc.fc ---- nsaserefpolicy/policy/modules/services/rpc.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/rpc.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -13,6 +13,7 @@ - # /usr - # - /usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0) -+/usr/sbin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0) - /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) - /usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0) - /usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.5.13/policy/modules/services/rpc.if ---- nsaserefpolicy/policy/modules/services/rpc.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/rpc.if 2008-10-28 10:56:19.000000000 -0400 -@@ -88,8 +88,11 @@ - # bind to arbitary unused ports - corenet_tcp_bind_generic_port($1_t) - corenet_udp_bind_generic_port($1_t) -- corenet_udp_bind_reserved_port($1_t) -+ corenet_dontaudit_tcp_bind_all_ports($1_t) -+ corenet_dontaudit_udp_bind_all_ports($1_t) - corenet_sendrecv_generic_server_packets($1_t) -+ corenet_tcp_bind_all_rpc_ports($1_t) -+ corenet_udp_bind_all_rpc_ports($1_t) - - fs_rw_rpc_named_pipes($1_t) - fs_search_auto_mountpoints($1_t) -@@ -208,6 +211,24 @@ - - ######################################## - ## -+## Execute domain in nfsd domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`rpc_domtrans_rpcd',` -+ gen_require(` -+ type rpcd_t, rpcd_exec_t; -+ ') -+ -+ domtrans_pattern($1, rpcd_exec_t, rpcd_t) -+') -+ -+######################################## -+## - ## Read NFS exported content. - ## - ## -@@ -338,3 +359,22 @@ - files_search_var_lib($1) - read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) - ') -+ -+######################################## -+## -+## Manage NFS state data in /var/lib/nfs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rpc_manage_nfs_state_data',` -+ gen_require(` -+ type var_lib_nfs_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1,var_lib_nfs_t,var_lib_nfs_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.13/policy/modules/services/rpc.te ---- nsaserefpolicy/policy/modules/services/rpc.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/rpc.te 2008-10-28 10:56:19.000000000 -0400 -@@ -23,7 +23,7 @@ - gen_tunable(allow_nfsd_anon_write, false) - - type exports_t; --files_type(exports_t) -+files_config_file(exports_t) - - rpc_domain_template(gssd) - -@@ -68,6 +68,7 @@ - # for rpc.rquotad - kernel_read_sysctl(rpcd_t) - kernel_rw_fs_sysctls(rpcd_t) -+kernel_dontaudit_getattr_core_if(rpcd_t) - - corecmd_exec_bin(rpcd_t) - -@@ -101,6 +102,7 @@ - # for /proc/fs/nfs/exports - should we have a new type? - kernel_read_system_state(nfsd_t) - kernel_read_network_state(nfsd_t) -+kernel_dontaudit_getattr_core_if(nfsd_t) - - corenet_tcp_bind_all_rpc_ports(nfsd_t) - corenet_udp_bind_all_rpc_ports(nfsd_t) -@@ -135,6 +137,7 @@ - tunable_policy(`nfs_export_all_rw',` - fs_read_noxattr_fs_files(nfsd_t) - auth_manage_all_files_except_shadow(nfsd_t) -+ unprivuser_home_dir_filetrans_home_content(nfsd_t, { file dir }) - ') - - tunable_policy(`nfs_export_all_ro',` -@@ -170,9 +173,14 @@ - files_read_usr_symlinks(gssd_t) - - auth_use_nsswitch(gssd_t) -+auth_manage_cache(gssd_t) - - miscfiles_read_certs(gssd_t) - -+userdom_dontaudit_search_users_home_dirs(gssd_t) -+sysadm_dontaudit_search_home_dirs(gssd_t) -+userdom_dontaudit_manage_user_tmp_files(user, gssd_t) -+ - tunable_policy(`allow_gssd_read_tmp',` - userdom_list_unpriv_users_tmp(gssd_t) - userdom_read_unpriv_users_tmp_files(gssd_t) -@@ -180,8 +188,7 @@ - ') - - optional_policy(` -- kerberos_use(gssd_t) -- kerberos_read_keytab(gssd_t) -+ kerberos_keytab_template(gssd, gssd_t) - ') - - optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.5.13/policy/modules/services/rpcbind.fc ---- nsaserefpolicy/policy/modules/services/rpcbind.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/rpcbind.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,4 +1,4 @@ --/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0) - - /sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.5.13/policy/modules/services/rpcbind.te ---- nsaserefpolicy/policy/modules/services/rpcbind.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/rpcbind.te 2008-10-28 10:56:19.000000000 -0400 -@@ -60,6 +60,7 @@ - domain_use_interactive_fds(rpcbind_t) - - files_read_etc_files(rpcbind_t) -+files_read_etc_runtime_files(rpcbind_t) - - libs_use_ld_so(rpcbind_t) - libs_use_shared_libs(rpcbind_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.5.13/policy/modules/services/rshd.te ---- nsaserefpolicy/policy/modules/services/rshd.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/rshd.te 2008-10-28 10:56:19.000000000 -0400 -@@ -16,7 +16,7 @@ - # - # Local policy - # --allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override }; -+allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override }; - allow rshd_t self:process { signal_perms fork setsched setpgid setexec }; - allow rshd_t self:fifo_file rw_fifo_file_perms; - allow rshd_t self:tcp_socket create_stream_socket_perms; -@@ -33,6 +33,9 @@ - corenet_udp_sendrecv_all_ports(rshd_t) - corenet_tcp_bind_all_nodes(rshd_t) - corenet_tcp_bind_rsh_port(rshd_t) -+corenet_tcp_bind_all_rpc_ports(rshd_t) -+corenet_tcp_connect_all_ports(rshd_t) -+corenet_tcp_connect_all_rpc_ports(rshd_t) - corenet_sendrecv_rsh_server_packets(rshd_t) - - dev_read_urand(rshd_t) -@@ -44,20 +47,22 @@ - selinux_compute_relabel_context(rshd_t) - selinux_compute_user_contexts(rshd_t) - --auth_domtrans_chk_passwd(rshd_t) -+auth_login_pgm_domain(rshd_t) -+auth_write_login_records(rshd_t) - - corecmd_read_bin_symlinks(rshd_t) - - files_list_home(rshd_t) - files_read_etc_files(rshd_t) --files_search_tmp(rshd_t) -+files_manage_generic_tmp_dirs(rshd_t) - --auth_use_nsswitch(rshd_t) -+init_rw_utmp(rshd_t) - - libs_use_ld_so(rshd_t) - libs_use_shared_libs(rshd_t) - - logging_send_syslog_msg(rshd_t) -+logging_search_logs(rshd_t) - - miscfiles_read_localization(rshd_t) - -@@ -77,7 +82,8 @@ - ') - - optional_policy(` -- kerberos_use(rshd_t) -+ kerberos_keytab_template(rshd, rshd_t) -+ kerberos_manage_host_rcache(rshd_t) - ') - - optional_policy(` -@@ -86,4 +92,5 @@ - - optional_policy(` - unconfined_shell_domtrans(rshd_t) -+ unconfined_signal(rshd_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.5.13/policy/modules/services/rsync.fc ---- nsaserefpolicy/policy/modules/services/rsync.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/rsync.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -3,4 +3,4 @@ - - /var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0) - --/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_log_t,s0) -+/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.5.13/policy/modules/services/rsync.te ---- nsaserefpolicy/policy/modules/services/rsync.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/rsync.te 2008-10-28 10:56:19.000000000 -0400 -@@ -45,7 +45,7 @@ - # Local policy - # - --allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot }; -+allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; - allow rsync_t self:process signal_perms; - allow rsync_t self:fifo_file rw_fifo_file_perms; - allow rsync_t self:tcp_socket create_stream_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.5.13/policy/modules/services/samba.fc ---- nsaserefpolicy/policy/modules/services/samba.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/samba.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -2,6 +2,9 @@ - # - # /etc - # -+/etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) - /etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0) - /etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) - /etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) -@@ -15,6 +18,7 @@ - /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) - /usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) - /usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) -+/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) - /usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) - - /usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) -@@ -47,3 +51,7 @@ - /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) - - /var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) -+ -+ifndef(`enable_mls',` -+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.5.13/policy/modules/services/samba.if ---- nsaserefpolicy/policy/modules/services/samba.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/samba.if 2008-11-04 11:57:02.000000000 -0500 -@@ -44,6 +44,44 @@ - - ######################################## - ## -+## Execute smbd net in the smbd_t domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`samba_domtrans_smb',` -+ gen_require(` -+ type smbd_t, smbd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, smbd_exec_t, smbd_t) -+') -+ -+######################################## -+## -+## Execute nmbd net in the nmbd_t domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`samba_domtrans_nmb',` -+ gen_require(` -+ type nmbd_t, nmbd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, nmbd_exec_t, nmbd_t) -+') -+ -+######################################## -+## - ## Execute samba net in the samba_net domain. - ## - ## -@@ -63,6 +101,25 @@ - - ######################################## - ## -+## Execute samba net in the samba_unconfined_net domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`samba_domtrans_unconfined_net',` -+ gen_require(` -+ type samba_unconfined_net_t, samba_net_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t) -+') -+ -+######################################## -+## - ## Execute samba net in the samba_net domain, and - ## allow the specified role the samba_net domain. - ## -@@ -95,6 +152,38 @@ - - ######################################## - ## -+## Execute samba net in the samba_unconfined_net domain, and -+## allow the specified role the samba_unconfined_net domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+## -+## -+## The role to be allowed the samba_unconfined_net domain. -+## -+## -+## -+## -+## The type of the terminal allow the samba_unconfined_net domain to use. -+## -+## -+## -+# -+interface(`samba_run_unconfined_net',` -+ gen_require(` -+ type samba_unconfined_net_t; -+ ') -+ -+ samba_domtrans_unconfined_net($1) -+ role $2 types samba_unconfined_net_t; -+ allow samba_unconfined_net_t $3:chr_file rw_term_perms; -+') -+ -+######################################## -+## - ## Execute smbmount in the smbmount domain. - ## - ## -@@ -188,6 +277,28 @@ - - ######################################## - ## -+## Allow the specified domain to read -+## and write samba configuration files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`samba_manage_config',` -+ gen_require(` -+ type samba_etc_t; -+ ') -+ -+ files_search_etc($1) -+ manage_dirs_pattern($1, samba_etc_t, samba_etc_t) -+ manage_files_pattern($1, samba_etc_t, samba_etc_t) -+') -+ -+######################################## -+## - ## Allow the specified domain to read samba's log files. - ## - ## -@@ -331,6 +442,25 @@ - - ######################################## - ## -+## dontaudit the specified domain to -+## write samba /var files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`samba_dontaudit_write_var_files',` -+ gen_require(` -+ type samba_var_t; -+ ') -+ -+ dontaudit $1 samba_var_t:file write; -+') -+ -+######################################## -+## - ## Allow the specified domain to - ## read and write samba /var files. - ## -@@ -348,6 +478,7 @@ - files_search_var($1) - files_search_var_lib($1) - manage_files_pattern($1, samba_var_t, samba_var_t) -+ manage_lnk_files_pattern($1, samba_var_t, samba_var_t) - ') - - ######################################## -@@ -420,6 +551,7 @@ - ') - - domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) -+ allow $1 winbind_helper_t:process signal; - ') - - ######################################## -@@ -503,3 +635,208 @@ - stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t) - ') - ') -+ -+######################################## -+## -+## Create a set of derived types for apache -+## web content. -+## -+## -+## -+## The prefix to be used for deriving type names. -+## -+## -+# -+template(`samba_helper_template',` -+ gen_require(` -+ type smbd_t; -+ ') -+ #This type is for samba helper scripts -+ type samba_$1_script_t; -+ domain_type(samba_$1_script_t) -+ role system_r types samba_$1_script_t; -+ -+ # This type is used for executable scripts files -+ type samba_$1_script_exec_t; -+ corecmd_shell_entry_type(samba_$1_script_t) -+ domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t) -+ -+ domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t) -+ allow smbd_t samba_$1_script_exec_t:file ioctl; -+ -+') -+ -+######################################## -+## -+## Allow the specified domain to read samba's shares -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`samba_read_share_files',` -+ gen_require(` -+ type samba_share_t; -+ ') -+ -+ allow $1 samba_share_t:filesystem getattr; -+ read_files_pattern($1, samba_share_t, samba_share_t) -+') -+ -+######################################## -+## -+## Execute a domain transition to run smbcontrol. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`samba_domtrans_smbcontrol',` -+ gen_require(` -+ type smbcontrol_t; -+ type smbcontrol_exec_t; -+ ') -+ -+ domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) -+') -+ -+ -+######################################## -+## -+## Execute smbcontrol in the smbcontrol domain, and -+## allow the specified role the smbcontrol domain. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the smbcontrol domain. -+## -+## -+## -+## -+## The type of the role's terminal. -+## -+## -+# -+interface(`samba_run_smbcontrol',` -+ gen_require(` -+ type smbcontrol_t; -+ ') -+ -+ samba_domtrans_smbcontrol($1) -+ role $2 types smbcontrol_t; -+ dontaudit smbcontrol_t $3:chr_file rw_term_perms; -+') -+ -+######################################## -+## -+## Execute samba server in the samba domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`samba_initrc_domtrans',` -+ gen_require(` -+ type samba_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, samba_initrc_exec_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an samba environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the samba domain. -+## -+## -+## -+# -+interface(`samba_admin',` -+ gen_require(` -+ type nmbd_t, nmbd_var_run_t; -+ type smbd_t, smbd_tmp_t; -+ type smbd_initrc_exec_t; -+ type smbd_spool_t, smbd_var_run_t; -+ -+ type samba_log_t, samba_var_t; -+ type samba_etc_t, samba_share_t; -+ type samba_secrets_t; -+ -+ type swat_var_run_t, swat_tmp_t; -+ -+ type winbind_var_run_t, winbind_tmp_t; -+ type winbind_log_t; -+ -+ type samba_unconfined_script_t, samba_unconfined_script_exec_t; -+ type samba_initrc_exec_t; -+ ') -+ -+ allow $1 smbd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, smbd_t) -+ -+ allow $1 nmbd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, nmbd_t) -+ -+ allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t) -+ -+ samba_run_smbcontrol($1, $2, $3) -+ samba_run_winbind_helper($1, $2, $3) -+ samba_run_smbmount($1, $2, $3) -+ samba_run_net($1, $2, $3) -+ -+ init_labeled_script_domtrans($1, samba_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 samba_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, smbd_tmp_t) -+ admin_pattern($1, swat_tmp_t) -+ admin_pattern($1, winbind_tmp_t) -+ -+ admin_pattern($1, samba_secrets_t) -+ -+ files_list_etc($1) -+ admin_pattern($1, samba_etc_t) -+ -+ admin_pattern($1, samba_share_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, samba_log_t) -+ admin_pattern($1, winbind_log_t) -+ -+ files_list_spool($1) -+ admin_pattern($1, smbd_spool_t) -+ -+ files_list_var($1) -+ admin_pattern($1, samba_var_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, smbd_var_run_t) -+ admin_pattern($1, nmbd_var_run_t) -+ admin_pattern($1, swat_var_run_t) -+ admin_pattern($1, winbind_var_run_t) -+ admin_pattern($1, samba_unconfined_script_exec_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.5.13/policy/modules/services/samba.te ---- nsaserefpolicy/policy/modules/services/samba.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/samba.te 2008-11-05 12:55:21.000000000 -0500 -@@ -66,6 +66,13 @@ - ## - gen_tunable(samba_share_nfs, false) - -+## -+##

-+## Allow samba to export ntfs/fusefs volumes. -+##

-+## -+gen_tunable(samba_share_fusefs, false) -+ - type nmbd_t; - type nmbd_exec_t; - init_daemon_domain(nmbd_t, nmbd_exec_t) -@@ -73,6 +80,9 @@ - type nmbd_var_run_t; - files_pid_file(nmbd_var_run_t) - -+type samba_initrc_exec_t; -+init_script_file(samba_initrc_exec_t) -+ - type samba_etc_t; - files_config_file(samba_etc_t) - -@@ -80,11 +90,9 @@ - logging_log_file(samba_log_t) - - type samba_net_t; --domain_type(samba_net_t) --role system_r types samba_net_t; -- - type samba_net_exec_t; --domain_entry_file(samba_net_t, samba_net_exec_t) -+role system_r types samba_net_t; -+application_domain(samba_net_t, samba_net_exec_t) - - type samba_net_tmp_t; - files_tmp_file(samba_net_tmp_t) -@@ -146,11 +154,17 @@ - type winbind_var_run_t; - files_pid_file(winbind_var_run_t) - -+type smbcontrol_t; -+type smbcontrol_exec_t; -+application_domain(smbcontrol_t, smbcontrol_exec_t) -+role system_r types smbcontrol_t; -+ - ######################################## - # - # Samba net local policy - # -- -+allow samba_net_t self:capability { dac_read_search dac_override }; -+allow samba_net_t self:process getsched; - allow samba_net_t self:unix_dgram_socket create_socket_perms; - allow samba_net_t self:unix_stream_socket create_stream_socket_perms; - allow samba_net_t self:udp_socket create_socket_perms; -@@ -165,11 +179,12 @@ - manage_files_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t) - files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir }) - --allow samba_net_t samba_var_t:dir rw_dir_perms; -+manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t) - manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) - manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) - - kernel_read_proc_symlinks(samba_net_t) -+kernel_read_system_state(samba_net_t) - - corenet_all_recvfrom_unlabeled(samba_net_t) - corenet_all_recvfrom_netlabel(samba_net_t) -@@ -190,6 +205,7 @@ - domain_use_interactive_fds(samba_net_t) - - files_read_etc_files(samba_net_t) -+files_read_usr_symlinks(samba_net_t) - - auth_use_nsswitch(samba_net_t) - -@@ -200,7 +216,10 @@ - - miscfiles_read_localization(samba_net_t) - -+samba_read_var_files(samba_net_t) -+ - sysadm_dontaudit_search_home_dirs(samba_net_t) -+userdom_list_all_users_home_dirs(samba_net_t) - - optional_policy(` - kerberos_use(samba_net_t) -@@ -210,7 +229,7 @@ - # - # smbd Local policy - # --allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search }; -+allow smbd_t self:capability { chown fowner setgid setuid sys_resource lease dac_override dac_read_search }; - dontaudit smbd_t self:capability sys_tty_config; - allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow smbd_t self:process setrlimit; -@@ -228,10 +247,8 @@ - - allow smbd_t samba_etc_t:file { rw_file_perms setattr }; - --create_dirs_pattern(smbd_t, samba_log_t, samba_log_t) -+manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t) - manage_files_pattern(smbd_t, samba_log_t, samba_log_t) --allow smbd_t samba_log_t:dir setattr; --dontaudit smbd_t samba_log_t:dir remove_name; - - allow smbd_t samba_net_tmp_t:file getattr; - -@@ -241,6 +258,7 @@ - manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) - manage_files_pattern(smbd_t, samba_share_t, samba_share_t) - manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) -+allow smbd_t samba_share_t:filesystem getattr; - - manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) - manage_files_pattern(smbd_t, samba_var_t, samba_var_t) -@@ -258,7 +276,7 @@ - manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) - files_pid_filetrans(smbd_t, smbd_var_run_t, file) - --allow smbd_t winbind_var_run_t:sock_file { read write getattr }; -+allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms; - - kernel_getattr_core_if(smbd_t) - kernel_getattr_message_if(smbd_t) -@@ -314,20 +332,24 @@ - - init_rw_utmp(smbd_t) - --libs_use_ld_so(smbd_t) --libs_use_shared_libs(smbd_t) -- - logging_search_logs(smbd_t) - logging_send_syslog_msg(smbd_t) - - miscfiles_read_localization(smbd_t) - miscfiles_read_public_files(smbd_t) - -+libs_use_ld_so(smbd_t) -+libs_use_shared_libs(smbd_t) -+ - userdom_dontaudit_use_unpriv_user_fds(smbd_t) - userdom_use_unpriv_users_fds(smbd_t) - -+usermanage_read_crack_db(smbd_t) -+ - sysadm_dontaudit_search_home_dirs(smbd_t) - -+term_use_ptmx(smbd_t) -+ - ifdef(`hide_broken_symptoms', ` - files_dontaudit_getattr_default_dirs(smbd_t) - files_dontaudit_getattr_boot_dirs(smbd_t) -@@ -348,6 +370,25 @@ - tunable_policy(`samba_share_nfs',` - fs_manage_nfs_dirs(smbd_t) - fs_manage_nfs_files(smbd_t) -+ fs_manage_nfs_symlinks(smbd_t) -+ fs_manage_nfs_named_pipes(smbd_t) -+ fs_manage_nfs_named_sockets(smbd_t) -+') -+ -+# Support Samba sharing of ntfs/fusefs mount points -+tunable_policy(`samba_share_fusefs',` -+ fs_manage_fusefs_dirs(smbd_t) -+ fs_manage_fusefs_files(smbd_t) -+',` -+ fs_search_fusefs_dirs(smbd_t) -+') -+ -+optional_policy(` -+ kerberos_keytab_template(smbd, smbd_t) -+') -+ -+optional_policy(` -+ lpd_exec_lpr(smbd_t) - ') - - optional_policy(` -@@ -379,8 +420,10 @@ - - tunable_policy(`samba_export_all_ro',` - fs_read_noxattr_fs_files(smbd_t) -+ auth_read_all_dirs_except_shadow(smbd_t) - auth_read_all_files_except_shadow(smbd_t) - fs_read_noxattr_fs_files(nmbd_t) -+ auth_read_all_dirs_except_shadow(nmbd_t) - auth_read_all_files_except_shadow(nmbd_t) - ') - -@@ -452,6 +495,7 @@ - dev_getattr_mtrr_dev(nmbd_t) - - fs_getattr_all_fs(nmbd_t) -+fs_list_inotifyfs(nmbd_t) - fs_search_auto_mountpoints(nmbd_t) - - domain_use_interactive_fds(nmbd_t) -@@ -536,6 +580,7 @@ - storage_raw_write_fixed_disk(smbmount_t) - - term_list_ptys(smbmount_t) -+term_use_controlling_term(smbmount_t) - - corecmd_list_bin(smbmount_t) - -@@ -547,32 +592,46 @@ - - auth_use_nsswitch(smbmount_t) - -+libs_use_ld_so(smbmount_t) -+libs_use_shared_libs(smbmount_t) -+ - miscfiles_read_localization(smbmount_t) - - mount_use_fds(smbmount_t) - --libs_use_ld_so(smbmount_t) --libs_use_shared_libs(smbmount_t) -- - locallogin_use_fds(smbmount_t) - - logging_search_logs(smbmount_t) - - userdom_use_all_users_fds(smbmount_t) - -+optional_policy(` -+ cups_read_rw_config(smbmount_t) -+') -+ - ######################################## - # - # SWAT Local policy - # - --allow swat_t self:capability { setuid setgid }; --allow swat_t self:process signal_perms; --allow swat_t self:fifo_file rw_file_perms; -+allow swat_t self:capability { setuid setgid sys_resource }; -+allow swat_t self:process { setrlimit signal_perms }; -+allow swat_t self:fifo_file rw_fifo_file_perms; - allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; - allow swat_t self:tcp_socket create_stream_socket_perms; - allow swat_t self:udp_socket create_socket_perms; - -+allow swat_t self:unix_stream_socket connectto; -+can_exec(swat_t, smbd_exec_t) -+allow swat_t smbd_port_t:tcp_socket name_bind; -+allow swat_t smbd_t:process { signal signull }; -+allow swat_t smbd_var_run_t:file { lock unlink }; -+ - allow swat_t nmbd_exec_t:file mmap_file_perms; -+can_exec(swat_t, nmbd_exec_t) -+allow swat_t nmbd_port_t:udp_socket name_bind; -+allow swat_t nmbd_t:process { signal signull }; -+allow swat_t nmbd_var_run_t:file { lock read unlink }; - - rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) - -@@ -592,6 +651,9 @@ - files_pid_filetrans(swat_t, swat_var_run_t, file) - - allow swat_t winbind_exec_t:file mmap_file_perms; -+can_exec(swat_t, winbind_exec_t) -+allow swat_t winbind_var_run_t:dir { write add_name remove_name }; -+allow swat_t winbind_var_run_t:sock_file { create unlink }; - - kernel_read_kernel_sysctls(swat_t) - kernel_read_system_state(swat_t) -@@ -616,10 +678,12 @@ - - dev_read_urand(swat_t) - -+files_list_var_lib(swat_t) - files_read_etc_files(swat_t) - files_search_home(swat_t) - files_read_usr_files(swat_t) - fs_getattr_xattr_fs(swat_t) -+fs_list_inotifyfs(swat_t) - - auth_domtrans_chk_passwd(swat_t) - auth_use_nsswitch(swat_t) -@@ -628,6 +692,7 @@ - libs_use_shared_libs(swat_t) - - logging_send_syslog_msg(swat_t) -+logging_send_audit_msgs(swat_t) - logging_search_logs(swat_t) - - miscfiles_read_localization(swat_t) -@@ -645,6 +710,17 @@ - kerberos_use(swat_t) - ') - -+init_read_utmp(swat_t) -+init_dontaudit_write_utmp(swat_t) -+ -+manage_dirs_pattern(swat_t, samba_log_t, samba_log_t) -+create_files_pattern(swat_t, samba_log_t, samba_log_t) -+ -+manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) -+ -+manage_files_pattern(swat_t, samba_var_t, samba_var_t) -+files_list_var_lib(swat_t) -+ - ######################################## - # - # Winbind local policy -@@ -694,6 +770,8 @@ - manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) - files_pid_filetrans(winbind_t, winbind_var_run_t, file) - -+corecmd_exec_bin(winbind_t) -+ - kernel_read_kernel_sysctls(winbind_t) - kernel_list_proc(winbind_t) - kernel_read_proc_symlinks(winbind_t) -@@ -780,8 +858,13 @@ - miscfiles_read_localization(winbind_helper_t) - - optional_policy(` -+ apache_append_log(winbind_helper_t) -+') -+ -+optional_policy(` - squid_read_log(winbind_helper_t) - squid_append_log(winbind_helper_t) -+ squid_rw_stream_sockets(winbind_helper_t) - ') - - ######################################## -@@ -790,6 +873,16 @@ - # - - optional_policy(` -+ type samba_unconfined_net_t; -+ domain_type(samba_unconfined_net_t) -+ role system_r types samba_unconfined_net_t; -+ -+ unconfined_domain(samba_unconfined_net_t) -+ -+ manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t) -+ filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file) -+') -+ - type samba_unconfined_script_t; - type samba_unconfined_script_exec_t; - domain_type(samba_unconfined_script_t) -@@ -800,9 +893,46 @@ - allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; - allow smbd_t samba_unconfined_script_exec_t:file ioctl; - -+optional_policy(` - unconfined_domain(samba_unconfined_script_t) -+') - - tunable_policy(`samba_run_unconfined',` - domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) -+', ` -+ can_exec(smbd_t, samba_unconfined_script_exec_t) - ') --') -+ -+######################################## -+# -+# smbcontrol local policy -+# -+ -+# internal communication is often done using fifo and unix sockets. -+allow smbcontrol_t self:fifo_file rw_file_perms; -+allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; -+ -+files_read_etc_files(smbcontrol_t) -+ -+libs_use_ld_so(smbcontrol_t) -+libs_use_shared_libs(smbcontrol_t) -+ -+miscfiles_read_localization(smbcontrol_t) -+ -+files_search_var_lib(smbcontrol_t) -+samba_read_config(smbcontrol_t) -+samba_rw_var_files(smbcontrol_t) -+samba_search_var(smbcontrol_t) -+samba_read_winbind_pid(smbcontrol_t) -+ -+allow smbcontrol_t smbd_t:process signal; -+domain_use_interactive_fds(smbcontrol_t) -+allow smbd_t smbcontrol_t:process { signal signull }; -+ -+allow nmbd_t smbcontrol_t:process signal; -+allow smbcontrol_t nmbd_t:process { signal signull }; -+ -+allow smbcontrol_t winbind_t:process { signal signull }; -+allow winbind_t smbcontrol_t:process signal; -+ -+allow smbcontrol_t nmbd_var_run_t:file { read lock }; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.5.13/policy/modules/services/sasl.te ---- nsaserefpolicy/policy/modules/services/sasl.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/sasl.te 2008-10-28 10:56:19.000000000 -0400 -@@ -111,6 +111,10 @@ - ') - - optional_policy(` -+ nis_authenticate(saslauthd_t) -+') -+ -+optional_policy(` - seutil_sigchld_newrole(saslauthd_t) - ') - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.5.13/policy/modules/services/sendmail.if ---- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/sendmail.if 2008-10-28 10:56:19.000000000 -0400 -@@ -89,7 +89,7 @@ - type sendmail_t; - ') - -- allow $1 sendmail_t:unix_stream_socket { read write }; -+ allow $1 sendmail_t:unix_stream_socket { getattr read write }; - ') - - ######################################## -@@ -149,3 +149,104 @@ - - logging_log_filetrans($1, sendmail_log_t, file) - ') -+ -+######################################## -+## -+## Execute the sendmail program in the sendmail domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to allow the sendmail domain. -+## -+## -+## -+## -+## The type of the terminal allow the sendmail domain to use. -+## -+## -+## -+# -+interface(`sendmail_run',` -+ gen_require(` -+ type sendmail_t; -+ ') -+ -+ sendmail_domtrans($1) -+ role $2 types sendmail_t; -+ allow sendmail_t $3:chr_file rw_term_perms; -+') -+ -+######################################## -+## -+## Execute sendmail in the unconfined sendmail domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sendmail_domtrans_unconfined',` -+ gen_require(` -+ type unconfined_sendmail_t, sendmail_exec_t; -+ ') -+ -+ domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t) -+') -+ -+######################################## -+## -+## Execute sendmail in the unconfined sendmail domain, and -+## allow the specified role the unconfined sendmail domain, -+## and use the caller's terminal. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed the unconfined sendmail domain. -+## -+## -+## -+## -+## The type of the terminal allow the unconfined sendmail domain to use. -+## -+## -+## -+# -+interface(`sendmail_run_unconfined',` -+ gen_require(` -+ type unconfined_sendmail_t; -+ ') -+ -+ sendmail_domtrans_unconfined($1) -+ role $2 types unconfined_sendmail_t; -+ allow unconfined_sendmail_t $3:chr_file rw_file_perms; -+') -+ -+######################################## -+## -+## Allow attempts to read and write to -+## sendmail unnamed pipes. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`sendmail_rw_pipes',` -+ gen_require(` -+ type sendmail_t; -+ ') -+ -+ allow $1 sendmail_t:fifo_file rw_fifo_file_perms; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.5.13/policy/modules/services/sendmail.te ---- nsaserefpolicy/policy/modules/services/sendmail.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/sendmail.te 2008-10-28 10:56:19.000000000 -0400 -@@ -20,13 +20,17 @@ - mta_mailserver_delivery(sendmail_t) - mta_mailserver_sender(sendmail_t) - -+type unconfined_sendmail_t; -+application_domain(unconfined_sendmail_t, sendmail_exec_t) -+role system_r types unconfined_sendmail_t; -+ - ######################################## - # - # Sendmail local policy - # - --allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config }; --allow sendmail_t self:process signal; -+allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; -+allow sendmail_t self:process { setrlimit signal signull }; - allow sendmail_t self:fifo_file rw_fifo_file_perms; - allow sendmail_t self:unix_stream_socket create_stream_socket_perms; - allow sendmail_t self:unix_dgram_socket create_socket_perms; -@@ -47,6 +51,7 @@ - kernel_read_kernel_sysctls(sendmail_t) - # for piping mail to a command - kernel_read_system_state(sendmail_t) -+kernel_read_network_state(sendmail_t) - - corenet_all_recvfrom_unlabeled(sendmail_t) - corenet_all_recvfrom_netlabel(sendmail_t) -@@ -64,24 +69,29 @@ - - fs_getattr_all_fs(sendmail_t) - fs_search_auto_mountpoints(sendmail_t) -+fs_rw_anon_inodefs_files(sendmail_t) - - term_dontaudit_use_console(sendmail_t) - - # for piping mail to a command - corecmd_exec_shell(sendmail_t) -+corecmd_exec_bin(sendmail_t) - - domain_use_interactive_fds(sendmail_t) - - files_read_etc_files(sendmail_t) -+files_read_usr_files(sendmail_t) - files_search_spool(sendmail_t) - # for piping mail to a command - files_read_etc_runtime_files(sendmail_t) -+files_read_all_tmp_files(sendmail_t) - - init_use_fds(sendmail_t) - init_use_script_ptys(sendmail_t) - # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console - init_read_utmp(sendmail_t) - init_dontaudit_write_utmp(sendmail_t) -+init_rw_script_tmp_files(sendmail_t) - - auth_use_nsswitch(sendmail_t) - -@@ -91,34 +101,55 @@ - libs_read_lib_files(sendmail_t) - - logging_send_syslog_msg(sendmail_t) -+logging_dontaudit_write_generic_logs(sendmail_t) - - miscfiles_read_certs(sendmail_t) - miscfiles_read_localization(sendmail_t) - - userdom_dontaudit_use_unpriv_user_fds(sendmail_t) -+sysadm_dontaudit_search_home_dirs(sendmail_t) -+userdom_read_all_users_home_content_files(sendmail_t) - - mta_read_config(sendmail_t) - mta_etc_filetrans_aliases(sendmail_t) - # Write to /etc/aliases and /etc/mail. --mta_rw_aliases(sendmail_t) -+mta_manage_aliases(sendmail_t) - # Write to /var/spool/mail and /var/spool/mqueue. - mta_manage_queue(sendmail_t) - mta_manage_spool(sendmail_t) -+mta_sendmail_exec(sendmail_t) - --sysadm_dontaudit_search_home_dirs(sendmail_t) -+optional_policy(` -+ cron_read_pipes(sendmail_t) -+') - - optional_policy(` - clamav_search_lib(sendmail_t) -+ clamav_stream_connect(sendmail_t) - ') - - optional_policy(` -- postfix_exec_master(sendmail_t) -+ cyrus_stream_connect(sendmail_t) -+') -+ -+optional_policy(` -+ kerberos_keytab_template(sendmail, sendmail_t) -+') -+ -+optional_policy(` -+ munin_dontaudit_search_lib(sendmail_t) -+') -+ -+optional_policy(` -+ postfix_domtrans_postdrop(sendmail_t) -+ postfix_domtrans_master(sendmail_t) - postfix_read_config(sendmail_t) - postfix_search_spool(sendmail_t) - ') - - optional_policy(` - procmail_domtrans(sendmail_t) -+ procmail_rw_tmp_files(sendmail_t) - ') - - optional_policy(` -@@ -126,24 +157,25 @@ - ') - - optional_policy(` -+ sasl_connect(sendmail_t) -+') -+ -+optional_policy(` -+ spamd_stream_connect(sendmail_t) -+') -+ -+optional_policy(` - udev_read_db(sendmail_t) - ') - --ifdef(`TODO',` --allow sendmail_t etc_mail_t:dir rw_dir_perms; --allow sendmail_t etc_mail_t:file manage_file_perms; --# for the start script to run make -C /etc/mail --allow initrc_t etc_mail_t:dir rw_dir_perms; --allow initrc_t etc_mail_t:file manage_file_perms; --allow system_mail_t initrc_t:fd use; --allow system_mail_t initrc_t:fifo_file write; -- --# When sendmail runs as user_mail_domain, it needs some extra permissions --# to update /etc/mail/statistics. --allow user_mail_domain etc_mail_t:file rw_file_perms; -+######################################## -+# -+# Unconfined sendmail local policy -+# Allow unconfined domain to run newalias and have transitions work -+# - --# Silently deny attempts to access /root. --dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search }; -+optional_policy(` -+ mta_etc_filetrans_aliases(unconfined_sendmail_t) -+ unconfined_domain(unconfined_sendmail_t) -+') - --dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; --') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.5.13/policy/modules/services/setroubleshoot.fc ---- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/setroubleshoot.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,3 +1,5 @@ -+/etc/rc\.d/init\.d/setroubleshoot -- gen_context(system_u:object_r:setroubleshoot_initrc_exec_t,s0) -+ - /usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0) - - /var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.5.13/policy/modules/services/setroubleshoot.if ---- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/setroubleshoot.if 2008-10-28 10:56:19.000000000 -0400 -@@ -16,8 +16,8 @@ - ') - - files_search_pids($1) -- allow $1 setroubleshoot_var_run_t:sock_file write; -- allow $1 setroubleshootd_t:unix_stream_socket connectto; -+ stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t) -+ allow $1 setroubleshoot_var_run_t:sock_file read; - ') - - ######################################## -@@ -36,6 +36,48 @@ - type setroubleshootd_t, setroubleshoot_var_run_t; - ') - -- dontaudit $1 setroubleshoot_var_run_t:sock_file write; -+ dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms; - dontaudit $1 setroubleshootd_t:unix_stream_socket connectto; - ') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an setroubleshoot environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the setroubleshoot domain. -+## -+## -+## -+# -+interface(`setroubleshoot_admin',` -+ gen_require(` -+ type setroubleshootd_t, setroubleshoot_log_t; -+ type setroubleshoot_var_lib_t, setroubleshoot_var_run_t; -+ type setroubleshoot_initrc_exec_t; -+ ') -+ -+ allow $1 setroubleshootd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, setroubleshootd_t) -+ -+ init_labeled_script_domtrans($1, setroubleshoot_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 setroubleshoot_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ logging_list_logs($1) -+ admin_pattern($1, setroubleshoot_log_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, setroubleshoot_var_lib_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, setroubleshoot_var_run_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.5.13/policy/modules/services/setroubleshoot.te ---- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/setroubleshoot.te 2008-10-28 10:56:19.000000000 -0400 -@@ -11,6 +11,9 @@ - domain_type(setroubleshootd_t) - init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) - -+type setroubleshoot_initrc_exec_t; -+init_script_file(setroubleshoot_initrc_exec_t) -+ - type setroubleshoot_var_lib_t; - files_type(setroubleshoot_var_lib_t) - -@@ -27,8 +30,8 @@ - # setroubleshootd local policy - # - --allow setroubleshootd_t self:capability { dac_override sys_tty_config }; --allow setroubleshootd_t self:process { signull signal getattr getsched }; -+allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; -+allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; - allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; - allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; - allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -52,7 +55,10 @@ - - kernel_read_kernel_sysctls(setroubleshootd_t) - kernel_read_system_state(setroubleshootd_t) -+kernel_read_net_sysctls(setroubleshootd_t) - kernel_read_network_state(setroubleshootd_t) -+kernel_dontaudit_list_all_proc(setroubleshootd_t) -+kernel_read_unlabeled_state(setroubleshootd_t) - - corecmd_exec_bin(setroubleshootd_t) - corecmd_exec_shell(setroubleshootd_t) -@@ -68,16 +74,23 @@ - - dev_read_urand(setroubleshootd_t) - dev_read_sysfs(setroubleshootd_t) -+dev_getattr_all_blk_files(setroubleshootd_t) -+dev_getattr_all_chr_files(setroubleshootd_t) - - domain_dontaudit_search_all_domains_state(setroubleshootd_t) - - files_read_usr_files(setroubleshootd_t) - files_read_etc_files(setroubleshootd_t) --files_getattr_all_dirs(setroubleshootd_t) -+files_list_all(setroubleshootd_t) - files_getattr_all_files(setroubleshootd_t) -+files_getattr_all_pipes(setroubleshootd_t) -+files_getattr_all_sockets(setroubleshootd_t) - - fs_getattr_all_dirs(setroubleshootd_t) - fs_getattr_all_files(setroubleshootd_t) -+fs_read_fusefs_symlinks(setroubleshootd_t) -+fs_dontaudit_read_nfs_files(setroubleshootd_t) -+fs_dontaudit_read_cifs_files(setroubleshootd_t) - - selinux_get_enforce_mode(setroubleshootd_t) - selinux_validate_context(setroubleshootd_t) -@@ -97,22 +110,25 @@ - - locallogin_dontaudit_use_fds(setroubleshootd_t) - -+logging_send_audit_msgs(setroubleshootd_t) - logging_send_syslog_msg(setroubleshootd_t) - logging_stream_connect_dispatcher(setroubleshootd_t) - - seutil_read_config(setroubleshootd_t) - seutil_read_file_contexts(setroubleshootd_t) -- --sysnet_read_config(setroubleshootd_t) -+seutil_read_bin_policy(setroubleshootd_t) - - sysadm_dontaudit_read_home_content_files(setroubleshootd_t) -+unprivuser_dontaudit_read_home_content_files(setroubleshootd_t) - - optional_policy(` - dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t) - dbus_connect_system_bus(setroubleshootd_t) -+ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) - ') - - optional_policy(` -+ rpm_signull(setroubleshootd_t) - rpm_read_db(setroubleshootd_t) - rpm_dontaudit_manage_db(setroubleshootd_t) - rpm_use_script_fds(setroubleshootd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.5.13/policy/modules/services/smartmon.te ---- nsaserefpolicy/policy/modules/services/smartmon.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/smartmon.te 2008-10-28 10:56:19.000000000 -0400 -@@ -19,6 +19,10 @@ - type fsdaemon_tmp_t; - files_tmp_file(fsdaemon_tmp_t) - -+ifdef(`enable_mls',` -+ init_ranged_daemon_domain(fsdaemon_t,fsdaemon_exec_t,mls_systemhigh) -+') -+ - ######################################## - # - # Local policy -@@ -26,7 +30,7 @@ - - allow fsdaemon_t self:capability { setgid sys_rawio sys_admin }; - dontaudit fsdaemon_t self:capability sys_tty_config; --allow fsdaemon_t self:process signal_perms; -+allow fsdaemon_t self:process { signal_perms setfscreate }; - allow fsdaemon_t self:fifo_file rw_fifo_file_perms; - allow fsdaemon_t self:unix_dgram_socket create_socket_perms; - allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms; -@@ -52,6 +56,7 @@ - corenet_udp_sendrecv_all_nodes(fsdaemon_t) - corenet_udp_sendrecv_all_ports(fsdaemon_t) - -+dev_delete_generic_dirs(fsdaemon_t) - dev_read_sysfs(fsdaemon_t) - dev_read_urand(fsdaemon_t) - -@@ -67,9 +72,11 @@ - - mls_file_read_all_levels(fsdaemon_t) - -+storage_dev_filetrans_fixed_disk(fsdaemon_t) - storage_raw_read_fixed_disk(fsdaemon_t) - storage_raw_write_fixed_disk(fsdaemon_t) - storage_raw_read_removable_device(fsdaemon_t) -+storage_manage_fixed_disk(fsdaemon_t) - - term_dontaudit_search_ptys(fsdaemon_t) - -@@ -82,6 +89,8 @@ - - miscfiles_read_localization(fsdaemon_t) - -+selinux_validate_context(fsdaemon_t) -+ - sysnet_dns_name_resolve(fsdaemon_t) - - userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t) -@@ -94,6 +103,7 @@ - - optional_policy(` - seutil_sigchld_newrole(fsdaemon_t) -+ seutil_read_file_contexts(fsdaemon_t) - ') - - optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.5.13/policy/modules/services/snmp.fc ---- nsaserefpolicy/policy/modules/services/snmp.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/snmp.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,3 +1,6 @@ -+/etc/rc\.d/init\.d/snmpd -- gen_context(system_u:object_r:snmp_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/snmptrapd -- gen_context(system_u:object_r:snmp_initrc_exec_t,s0) -+ - # - # /usr - # -@@ -8,6 +11,7 @@ - # - # /var - # -+/var/agentx(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) - /var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) - /var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.5.13/policy/modules/services/snmp.if ---- nsaserefpolicy/policy/modules/services/snmp.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/snmp.if 2008-10-28 10:56:19.000000000 -0400 -@@ -95,23 +95,34 @@ - ## Domain allowed access. - ## - ## -+## -+## -+## The role to be allowed to manage the snmp domain. -+## -+## - ## - # - interface(`snmp_admin',` - gen_require(` - type snmpd_t, snmpd_log_t; - type snmpd_var_lib_t, snmpd_var_run_t; -+ type snmpd_initrc_exec_t; - ') - - allow $1 snmpd_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, snmpd_t) - -+ init_labeled_script_domtrans($1, snmpd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 snmpd_initrc_exec_t system_r; -+ allow $2 system_r; -+ - logging_list_logs($1) -- manage_files_pattern($1, snmpd_log_t, snmpd_log_t) -+ admin_pattern($1, snmpd_log_t) - - files_list_var_lib($1) -- manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) -+ admin_pattern($1, snmpd_var_lib_t) - - files_list_pids($1) -- manage_files_pattern($1, snmpd_var_run_t, snmpd_var_run_t) -+ admin_pattern($1, snmpd_var_run_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.5.13/policy/modules/services/snmp.te ---- nsaserefpolicy/policy/modules/services/snmp.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/snmp.te 2008-10-28 10:56:19.000000000 -0400 -@@ -9,6 +9,9 @@ - type snmpd_exec_t; - init_daemon_domain(snmpd_t, snmpd_exec_t) - -+type snmp_initrc_exec_t; -+init_script_file(snmp_initrc_exec_t) -+ - type snmpd_log_t; - logging_log_file(snmpd_log_t) - -@@ -22,8 +25,9 @@ - # - # Local policy - # --allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config }; -+allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config sys_ptrace }; - dontaudit snmpd_t self:capability { sys_module sys_tty_config }; -+allow snmpd_t self:process { getsched setsched }; - allow snmpd_t self:fifo_file rw_fifo_file_perms; - allow snmpd_t self:unix_dgram_socket create_socket_perms; - allow snmpd_t self:unix_stream_socket create_stream_socket_perms; -@@ -45,6 +49,7 @@ - - kernel_read_device_sysctls(snmpd_t) - kernel_read_kernel_sysctls(snmpd_t) -+kernel_read_fs_sysctls(snmpd_t) - kernel_read_net_sysctls(snmpd_t) - kernel_read_proc_symlinks(snmpd_t) - kernel_read_system_state(snmpd_t) -@@ -76,13 +81,14 @@ - domain_use_interactive_fds(snmpd_t) - domain_signull_all_domains(snmpd_t) - domain_read_all_domains_state(snmpd_t) -+domain_dontaudit_ptrace_all_domains(snmpd_t) -+domain_exec_all_entry_files(snmpd_t) - - files_read_etc_files(snmpd_t) - files_read_usr_files(snmpd_t) - files_read_etc_runtime_files(snmpd_t) - files_search_home(snmpd_t) --files_getattr_boot_dirs(snmpd_t) --files_dontaudit_getattr_home_dir(snmpd_t) -+auth_read_all_dirs_except_shadow(snmpd_t) - - fs_getattr_all_dirs(snmpd_t) - fs_getattr_all_fs(snmpd_t) -@@ -94,6 +100,8 @@ - init_read_utmp(snmpd_t) - init_dontaudit_write_utmp(snmpd_t) - -+auth_use_nsswitch(snmpd_t) -+ - libs_use_ld_so(snmpd_t) - libs_use_shared_libs(snmpd_t) - -@@ -121,7 +129,7 @@ - ') - - optional_policy(` -- auth_use_nsswitch(snmpd_t) -+ consoletype_exec(snmpd_t) - ') - - optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.if serefpolicy-3.5.13/policy/modules/services/snort.if ---- nsaserefpolicy/policy/modules/services/snort.if 2008-10-10 15:53:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/snort.if 2008-10-28 10:56:19.000000000 -0400 -@@ -30,7 +30,7 @@ - ## - ## - ## --## The role to be allowed to manage the snort domain. -+## The role to be allowed to manage the syslog domain. - ## - ## - ## -@@ -50,11 +50,6 @@ - allow $2 system_r; - - admin_pattern($1, snort_etc_t) -- files_search_etc($1) -- -- admin_pattern($1, snort_log_t) -- logging_search_logs($1) -- - admin_pattern($1, snort_var_run_t) -- files_search_pids($1) -+ admin_pattern($1, snort_log_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.5.13/policy/modules/services/snort.te ---- nsaserefpolicy/policy/modules/services/snort.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/snort.te 2008-10-28 10:56:19.000000000 -0400 -@@ -56,6 +56,7 @@ - files_pid_filetrans(snort_t, snort_var_run_t, file) - - kernel_read_kernel_sysctls(snort_t) -+kernel_read_sysctl(snort_t) - kernel_list_proc(snort_t) - kernel_read_proc_symlinks(snort_t) - kernel_dontaudit_read_system_state(snort_t) -@@ -70,6 +71,7 @@ - corenet_raw_sendrecv_all_nodes(snort_t) - corenet_tcp_sendrecv_all_ports(snort_t) - corenet_udp_sendrecv_all_ports(snort_t) -+corenet_tcp_connect_prelude_port(snort_t) - - dev_read_sysfs(snort_t) - dev_read_rand(snort_t) -@@ -98,6 +100,13 @@ - - sysadm_dontaudit_search_home_dirs(snort_t) - -+# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager -+sysnet_dns_name_resolve(snort_t) -+ -+optional_policy(` -+ prelude_manage_spool(snort_t) -+') -+ - optional_policy(` - seutil_sigchld_newrole(snort_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.5.13/policy/modules/services/spamassassin.fc ---- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,16 +1,27 @@ --HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0) -+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) -+ -+/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) - - /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) --/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) -+/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0) - /usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) - /usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) - - /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) -+/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamd_exec_t,s0) -+/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) - - /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) - -+/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0) -+/var/log/mimedefang -- gen_context(system_u:object_r:spamd_log_t,s0) -+ - /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) --/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) -+/var/run/spamass-milter.* gen_context(system_u:object_r:spamd_var_run_t,s0) -+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) - - /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) - /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) -+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) -+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.5.13/policy/modules/services/spamassassin.if ---- nsaserefpolicy/policy/modules/services/spamassassin.if 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.if 2008-10-28 10:56:19.000000000 -0400 -@@ -37,7 +37,8 @@ - - gen_require(` - type spamc_exec_t, spamassassin_exec_t; -- type spamd_t, spamd_tmp_t; -+ type spamc_t, spamd_t, spamassassin_t, spamd_tmp_t; -+ type spamc_home_t, spamc_tmp_t; - ') - - ############################## -@@ -45,277 +46,24 @@ - # Declarations - # - -- type $1_spamc_t; -- application_domain($1_spamc_t, spamc_exec_t) -- role $3 types $1_spamc_t; -- -- type $1_spamc_tmp_t; -- files_tmp_file($1_spamc_tmp_t) -- -- type $1_spamassassin_t; -- application_domain($1_spamassassin_t, spamassassin_exec_t) -- role $3 types $1_spamassassin_t; -- -- type $1_spamassassin_home_t alias $1_spamassassin_rw_t; -- userdom_user_home_content($1, $1_spamassassin_home_t) -- files_poly_member($1_spamassassin_home_t) -+ typealias spamc_t alias $1_spamc_t; -+ role $3 types spamc_t; - -- type $1_spamassassin_tmp_t; -- files_tmp_file($1_spamassassin_tmp_t) -+ typealias spamassassin_t alias $1_spamassassin_t; -+ role $3 types spamassassin_t; - -- ############################## -- # -- # $1_spamc_t local policy -- # -- -- allow $1_spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -- allow $1_spamc_t self:fd use; -- allow $1_spamc_t self:fifo_file rw_fifo_file_perms; -- allow $1_spamc_t self:sock_file read_sock_file_perms; -- allow $1_spamc_t self:shm create_shm_perms; -- allow $1_spamc_t self:sem create_sem_perms; -- allow $1_spamc_t self:msgq create_msgq_perms; -- allow $1_spamc_t self:msg { send receive }; -- allow $1_spamc_t self:unix_dgram_socket create_socket_perms; -- allow $1_spamc_t self:unix_stream_socket create_stream_socket_perms; -- allow $1_spamc_t self:unix_dgram_socket sendto; -- allow $1_spamc_t self:unix_stream_socket connectto; -- allow $1_spamc_t self:tcp_socket create_stream_socket_perms; -- allow $1_spamc_t self:udp_socket create_socket_perms; -- -- manage_dirs_pattern($1_spamc_t, $1_spamc_tmp_t, $1_spamc_tmp_t) -- manage_files_pattern($1_spamc_t, $1_spamc_tmp_t, $1_spamc_tmp_t) -- files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir }) -- -- # Allow connecting to a local spamd -- stream_connect_pattern($1_spamc_t, spamd_tmp_t, spamd_tmp_t, spamd_t) -- -- domtrans_pattern($2, spamc_exec_t, $1_spamc_t) -- -- kernel_read_kernel_sysctls($1_spamc_t) -- -- corenet_all_recvfrom_unlabeled($1_spamc_t) -- corenet_all_recvfrom_netlabel($1_spamc_t) -- corenet_tcp_sendrecv_generic_if($1_spamc_t) -- corenet_udp_sendrecv_generic_if($1_spamc_t) -- corenet_tcp_sendrecv_all_nodes($1_spamc_t) -- corenet_udp_sendrecv_all_nodes($1_spamc_t) -- corenet_tcp_sendrecv_all_ports($1_spamc_t) -- corenet_udp_sendrecv_all_ports($1_spamc_t) -- corenet_tcp_connect_all_ports($1_spamc_t) -- corenet_sendrecv_all_client_packets($1_spamc_t) -- -- fs_search_auto_mountpoints($1_spamc_t) -- -- # cjp: these should probably be removed: -- corecmd_list_bin($1_spamc_t) -- corecmd_read_bin_symlinks($1_spamc_t) -- corecmd_read_bin_files($1_spamc_t) -- corecmd_read_bin_pipes($1_spamc_t) -- corecmd_read_bin_sockets($1_spamc_t) -- -- domain_use_interactive_fds($1_spamc_t) -- -- files_read_etc_files($1_spamc_t) -- files_read_etc_runtime_files($1_spamc_t) -- files_read_usr_files($1_spamc_t) -- files_dontaudit_search_var($1_spamc_t) -- # cjp: this may be removable: -- files_list_home($1_spamc_t) -- -- libs_use_ld_so($1_spamc_t) -- libs_use_shared_libs($1_spamc_t) -- -- logging_send_syslog_msg($1_spamc_t) -- -- miscfiles_read_localization($1_spamc_t) -- -- # cjp: this should probably be removed: -- seutil_read_config($1_spamc_t) -- -- sysnet_read_config($1_spamc_t) -- -- userdom_use_unpriv_users_fds($1_spamc_t) -- # cjp: this really should just be the -- # terminal specific to the role -- userdom_use_unpriv_users_ptys($1_spamc_t) -- -- # cjp: this should probably be removed: -- tunable_policy(`read_default_t',` -- files_list_default($1_spamc_t) -- files_read_default_files($1_spamc_t) -- files_read_default_symlinks($1_spamc_t) -- files_read_default_sockets($1_spamc_t) -- files_read_default_pipes($1_spamc_t) -- ') -- -- optional_policy(` -- # Allow connection to spamd socket above -- evolution_stream_connect($1, $1_spamc_t) -- ') -- -- optional_policy(` -- nis_use_ypbind($1_spamc_t) -- ') -- -- optional_policy(` -- nscd_socket_use($1_spamc_t) -- ') -+ typealias spamc_home_t alias $1_spamassassin_home_t; -+ typealias spamc_tmp_t alias $1_spamassassin_tmp_t; -+ typealias spamc_tmp_t alias $1_spamc_tmp_t; -+ -+ manage_dirs_pattern($2, spamc_home_t, spamc_home_t) -+ manage_files_pattern($2, spamc_home_t, spamc_home_t) -+ manage_lnk_files_pattern($2, spamc_home_t, spamc_home_t) -+ relabel_dirs_pattern($2, spamc_home_t, spamc_home_t) -+ relabel_files_pattern($2, spamc_home_t, spamc_home_t) -+ relabel_lnk_files_pattern($2, spamc_home_t, spamc_home_t) - -- optional_policy(` -- mta_read_config($1_spamc_t) -- sendmail_stub($1_spamc_t) -- ') -- -- ############################## -- # -- # $1_spamassassin_t local policy -- # -- -- allow $1_spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -- allow $1_spamassassin_t self:fd use; -- allow $1_spamassassin_t self:fifo_file rw_fifo_file_perms; -- allow $1_spamassassin_t self:sock_file read_sock_file_perms; -- allow $1_spamassassin_t self:unix_dgram_socket create_socket_perms; -- allow $1_spamassassin_t self:unix_stream_socket create_stream_socket_perms; -- allow $1_spamassassin_t self:unix_dgram_socket sendto; -- allow $1_spamassassin_t self:unix_stream_socket connectto; -- allow $1_spamassassin_t self:shm create_shm_perms; -- allow $1_spamassassin_t self:sem create_sem_perms; -- allow $1_spamassassin_t self:msgq create_msgq_perms; -- allow $1_spamassassin_t self:msg { send receive }; -- -- manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t) -- manage_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t) -- manage_lnk_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t) -- manage_fifo_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t) -- manage_sock_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t) -- userdom_user_home_dir_filetrans($1,$1_spamassassin_t,$1_spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) -- -- manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_tmp_t, $1_spamassassin_tmp_t) -- manage_files_pattern($1_spamassassin_t, $1_spamassassin_tmp_t, $1_spamassassin_tmp_t) -- files_tmp_filetrans($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir }) -- -- manage_dirs_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t) -- manage_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t) -- manage_lnk_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t) -- relabel_dirs_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t) -- relabel_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t) -- relabel_lnk_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t) -- -- domtrans_pattern($2, spamassassin_exec_t, $1_spamassassin_t) -- -- manage_dirs_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t) -- manage_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t) -- manage_lnk_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t) -- manage_fifo_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t) -- manage_sock_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t) -- userdom_user_home_dir_filetrans($1, spamd_t, $1_spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) -- -- kernel_read_kernel_sysctls($1_spamassassin_t) -- -- dev_read_urand($1_spamassassin_t) -- -- fs_search_auto_mountpoints($1_spamassassin_t) -- -- # this should probably be removed -- corecmd_list_bin($1_spamassassin_t) -- corecmd_read_bin_symlinks($1_spamassassin_t) -- corecmd_read_bin_files($1_spamassassin_t) -- corecmd_read_bin_pipes($1_spamassassin_t) -- corecmd_read_bin_sockets($1_spamassassin_t) -- -- domain_use_interactive_fds($1_spamassassin_t) -- -- files_read_etc_files($1_spamassassin_t) -- files_read_etc_runtime_files($1_spamassassin_t) -- files_list_home($1_spamassassin_t) -- files_read_usr_files($1_spamassassin_t) -- files_dontaudit_search_var($1_spamassassin_t) -- -- libs_use_ld_so($1_spamassassin_t) -- libs_use_shared_libs($1_spamassassin_t) -- -- logging_send_syslog_msg($1_spamassassin_t) -- -- miscfiles_read_localization($1_spamassassin_t) -- -- # cjp: this could probably be removed -- seutil_read_config($1_spamassassin_t) -- -- sysnet_dns_name_resolve($1_spamassassin_t) -- -- userdom_use_unpriv_users_fds($1_spamassassin_t) -- userdom_search_user_home_dirs($1,$1_spamassassin_t) -- # cjp: this really should just be the -- # terminal specific to the role -- userdom_use_unpriv_users_ptys($1_spamassassin_t) -- -- # this should probably be removed: -- tunable_policy(`read_default_t',` -- files_list_default($1_spamassassin_t) -- files_read_default_files($1_spamassassin_t) -- files_read_default_symlinks($1_spamassassin_t) -- files_read_default_sockets($1_spamassassin_t) -- files_read_default_pipes($1_spamassassin_t) -- ') -- -- # set tunable if you have spamassassin do DNS lookups -- tunable_policy(`spamassassin_can_network',` -- allow $1_spamassassin_t self:tcp_socket create_stream_socket_perms; -- allow $1_spamassassin_t self:udp_socket create_socket_perms; -- -- corenet_all_recvfrom_unlabeled($1_spamassassin_t) -- corenet_all_recvfrom_netlabel($1_spamassassin_t) -- corenet_tcp_sendrecv_generic_if($1_spamassassin_t) -- corenet_udp_sendrecv_generic_if($1_spamassassin_t) -- corenet_tcp_sendrecv_all_nodes($1_spamassassin_t) -- corenet_udp_sendrecv_all_nodes($1_spamassassin_t) -- corenet_tcp_sendrecv_all_ports($1_spamassassin_t) -- corenet_udp_sendrecv_all_ports($1_spamassassin_t) -- corenet_tcp_connect_all_ports($1_spamassassin_t) -- corenet_sendrecv_all_client_packets($1_spamassassin_t) -- -- sysnet_read_config($1_spamassassin_t) -- ') -- -- tunable_policy(`spamd_enable_home_dirs',` -- userdom_manage_user_home_content_dirs($1,spamd_t) -- userdom_manage_user_home_content_files($1,spamd_t) -- userdom_manage_user_home_content_symlinks($1,spamd_t) -- ') -- -- tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs($1_spamassassin_t) -- fs_manage_nfs_files($1_spamassassin_t) -- fs_manage_nfs_symlinks($1_spamassassin_t) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs($1_spamassassin_t) -- fs_manage_cifs_files($1_spamassassin_t) -- fs_manage_cifs_symlinks($1_spamassassin_t) -- ') -- -- optional_policy(` -- # Write pid file and socket in ~/.evolution/cache/tmp -- evolution_home_filetrans($1, spamd_t, spamd_tmp_t, { file sock_file }) -- ') -- -- optional_policy(` -- # cjp: clearly some redundancy here -- -- nis_use_ypbind($1_spamassassin_t) -- -- tunable_policy(`spamassassin_can_network && allow_ypbind',` -- nis_use_ypbind_uncond($1_spamassassin_t) -- ') -- ') -- -- optional_policy(` -- mta_read_config($1_spamassassin_t) -- sendmail_stub($1_spamassassin_t) -- ') -+ domtrans_pattern($2, spamc_exec_t, spamc_t) - ') - - ######################################## -@@ -331,10 +79,10 @@ - # - interface(`spamassassin_exec',` - gen_require(` -- type spamassassin_exec_t; -+ type spamc_exec_t; - ') - -- can_exec($1, spamassassin_exec_t) -+ can_exec($1, spamc_exec_t) - - ') - -@@ -397,11 +145,66 @@ - ## - # - template(`spamassassin_domtrans_user_client',` -+ spamassassin_domtrans_spamc($2) -+') -+ -+######################################## -+## -+## Execute spamassassin client in the spamassassin client domain. -+## -+## -+##

-+## This is a template and should only be called -+## from per user domain tempaltes. -+##

-+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`spamassassin_domtrans_spamc',` - gen_require(` -- type $1_spamc_t, spamc_exec_t; -+ type spamc_t, spamc_exec_t; - ') - -- domtrans_pattern($2, spamc_exec_t, $1_spamc_t) -+ domtrans_pattern($1, spamc_exec_t, spamc_t) -+ allow $1 spamc_exec_t:file ioctl; -+') -+ -+######################################## -+## -+## Read spamassassin per user homedir -+## -+## -+##

-+## Read spamassassin per user homedir -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`spamassassin_read_user_home_files',` -+ gen_require(` -+ type spamassassin_home_t; -+ ') -+ -+ allow $1 spamassassin_home_t:dir list_dir_perms; -+ allow $1 spamassassin_home_t:file read_file_perms; - ') - - ######################################## -@@ -445,11 +248,27 @@ - ## - # - template(`spamassassin_domtrans_user_local_client',` -- gen_require(` -- type $1_spamassassin_t, spamassassin_exec_t; -+ spamassassin_domtrans($2) - ') - -- domtrans_pattern($2, spamassassin_exec_t, $1_spamassassin_t) -+######################################## -+## -+## Execute spamassassin in the user spamassassin domain. -+## -+## -+##

-+## This is a template and should only be called -+## from per user domain tempaltes. -+##

-+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`spamassassin_domtrans',` -+ spamassassin_domtrans_spamc($1) - ') - - ######################################## -@@ -468,6 +287,7 @@ - ') - - files_search_var_lib($1) -+ list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t) - read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) - ') - -@@ -527,3 +347,103 @@ - - dontaudit $1 spamd_tmp_t:sock_file getattr; - ') -+ -+######################################## -+## -+## Connect to run spamd. -+## -+## -+## -+## Domain allowed to connect. -+## -+## -+# -+interface(`spamd_stream_connect',` -+ gen_require(` -+ type spamd_t, spamd_var_run_t; -+ ') -+ -+ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an spamassassin environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the spamassassin domain. -+## -+## -+## -+# -+interface(`spamassassin_spamd_admin',` -+ gen_require(` -+ type spamd_t, spamd_tmp_t, spamd_log_t; -+ type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t; -+ type spamd_initrc_exec_t; -+ ') -+ -+ allow $1 spamd_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, spamd_t, spamd_t) -+ -+ init_labeled_script_domtrans($1, spamd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 spamd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, spamd_tmp_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, spamd_log_t) -+ -+ files_list_spool($1) -+ admin_pattern($1, spamd_spool_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, spamd_var_lib_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, spamd_var_run_t) -+') -+ -+######################################## -+## -+## Read spamassassin per user homedir -+## -+## -+##

-+## Read spamassassin per user homedir -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`spamassassin_manage_user_home_files',` -+ gen_require(` -+ type spamc_home_t; -+ ') -+ -+ manage_files_pattern($1, spamc_home_t, spamc_home_t) -+ razor_manage_user_home_files(user, $1) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.13/policy/modules/services/spamassassin.te ---- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te 2008-10-29 17:13:04.000000000 -0400 -@@ -21,16 +21,24 @@ - gen_tunable(spamd_enable_home_dirs, true) - - # spamassassin client executable -+type spamc_t; - type spamc_exec_t; --application_executable_file(spamc_exec_t) -+application_domain(spamc_t, spamc_exec_t) -+role system_r types spamc_t; - - type spamd_t; - type spamd_exec_t; - init_daemon_domain(spamd_t,spamd_exec_t) - -+type spamd_initrc_exec_t; -+init_script_file(spamd_initrc_exec_t) -+ - type spamd_spool_t; - files_type(spamd_spool_t) - -+type spamd_log_t; -+logging_log_file(spamd_log_t) -+ - type spamd_tmp_t; - files_tmp_file(spamd_tmp_t) - -@@ -41,8 +49,20 @@ - type spamd_var_run_t; - files_pid_file(spamd_var_run_t) - --type spamassassin_exec_t; --application_executable_file(spamassassin_exec_t) -+type spamd_etc_t; -+files_config_file(spamd_etc_t) -+ -+typealias spamc_exec_t alias spamassassin_exec_t; -+typealias spamc_t alias spamassassin_t; -+ -+type spamc_home_t; -+userdom_user_home_content(user, spamc_home_t) -+typealias spamc_home_t alias spamassassin_home_t; -+typealias spamc_home_t alias user_spamassassin_home_t; -+ -+type spamc_tmp_t; -+files_tmp_file(spamc_tmp_t) -+typealias spamc_tmp_t alias spamassassin_tmp_t; - - ######################################## - # -@@ -53,7 +73,7 @@ - # setuids to the user running spamc. Comment this if you are not - # using this ability. - --allow spamd_t self:capability { setuid setgid dac_override sys_tty_config }; -+allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config }; - dontaudit spamd_t self:capability sys_tty_config; - allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow spamd_t self:fd use; -@@ -69,10 +89,13 @@ - allow spamd_t self:unix_stream_socket connectto; - allow spamd_t self:tcp_socket create_stream_socket_perms; - allow spamd_t self:udp_socket create_socket_perms; --allow spamd_t self:netlink_route_socket r_netlink_socket_perms; -+ -+manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t) -+logging_log_filetrans(spamd_t, spamd_log_t, file) - - manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) - manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -+manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) - files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) - - manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -81,10 +104,11 @@ - - # var/lib files for spamd - allow spamd_t spamd_var_lib_t:dir list_dir_perms; --read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -+manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) - - manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) - manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) -+manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) - files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) - - kernel_read_all_sysctls(spamd_t) -@@ -134,6 +158,8 @@ - - init_dontaudit_rw_utmp(spamd_t) - -+auth_use_nsswitch(spamd_t) -+ - libs_use_ld_so(spamd_t) - libs_use_shared_libs(spamd_t) - -@@ -141,20 +167,40 @@ - - miscfiles_read_localization(spamd_t) - --sysnet_read_config(spamd_t) --sysnet_use_ldap(spamd_t) --sysnet_dns_name_resolve(spamd_t) -- - userdom_use_unpriv_users_fds(spamd_t) - userdom_search_unpriv_users_home_dirs(spamd_t) -- - sysadm_dontaudit_search_home_dirs(spamd_t) - -+manage_dirs_pattern(spamd_t, spamc_home_t, spamc_home_t) -+manage_files_pattern(spamd_t, spamc_home_t, spamc_home_t) -+manage_lnk_files_pattern(spamd_t, spamc_home_t, spamc_home_t) -+manage_fifo_files_pattern(spamd_t, spamc_home_t, spamc_home_t) -+manage_sock_files_pattern(spamd_t, spamc_home_t, spamc_home_t) -+userdom_user_home_dir_filetrans(user, spamd_t, spamc_home_t, { dir file lnk_file sock_file fifo_file }) -+ -+optional_policy(` -+ # Write pid file and socket in ~/.evolution/cache/tmp -+ evolution_home_filetrans(user, spamd_t, spamd_tmp_t, { file sock_file }) -+') -+ -+optional_policy(` -+ exim_manage_spool_dirs(spamd_t) -+ exim_manage_spool_files(spamd_t) -+') -+ -+tunable_policy(`spamd_enable_home_dirs',` -+ unprivuser_manage_home_content_dirs(spamd_t) -+ unprivuser_manage_home_content_files(spamd_t) -+ unprivuser_manage_home_content_symlinks(spamd_t) -+') -+ - tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_dirs(spamd_t) - fs_manage_nfs_files(spamd_t) - ') - - tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(spamd_t) - fs_manage_cifs_files(spamd_t) - ') - -@@ -172,6 +218,7 @@ - - optional_policy(` - dcc_domtrans_client(spamd_t) -+ dcc_signal_client(spamd_t) - dcc_stream_connect_dccifd(spamd_t) - ') - -@@ -181,10 +228,6 @@ - ') - - optional_policy(` -- nis_use_ypbind(spamd_t) --') -- --optional_policy(` - postfix_read_config(spamd_t) - ') - -@@ -199,6 +242,10 @@ - - optional_policy(` - razor_domtrans(spamd_t) -+ razor_read_lib_files(spamd_t) -+ tunable_policy(`spamd_enable_home_dirs',` -+ razor_manage_user_home_files(user, spamd_t) -+ ') - ') - - optional_policy(` -@@ -213,3 +260,121 @@ - optional_policy(` - udev_read_db(spamd_t) - ') -+ -+############################## -+# -+# spamc_t local policy -+# -+ -+allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -+allow spamc_t self:fd use; -+allow spamc_t self:fifo_file rw_fifo_file_perms; -+allow spamc_t self:sock_file read_sock_file_perms; -+allow spamc_t self:unix_dgram_socket create_socket_perms; -+allow spamc_t self:unix_stream_socket create_stream_socket_perms; -+allow spamc_t self:unix_dgram_socket sendto; -+allow spamc_t self:unix_stream_socket connectto; -+allow spamc_t self:shm create_shm_perms; -+allow spamc_t self:sem create_sem_perms; -+allow spamc_t self:msgq create_msgq_perms; -+allow spamc_t self:msg { send receive }; -+allow spamc_t self:tcp_socket create_stream_socket_perms; -+allow spamc_t self:udp_socket create_socket_perms; -+ -+# Allow connecting to a local spamd -+allow spamc_t spamd_t:unix_stream_socket connectto; -+allow spamc_t spamd_tmp_t:sock_file rw_file_perms; -+ -+manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t) -+manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t) -+manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t) -+manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t) -+manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t) -+userdom_user_home_dir_filetrans($1, spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file }) -+ -+manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) -+manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) -+files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) -+ -+kernel_read_kernel_sysctls(spamc_t) -+kernel_read_system_state(spamc_t) -+ -+dev_read_urand(spamc_t) -+ -+files_list_var_lib(spamc_t) -+read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) -+ -+fs_search_auto_mountpoints(spamc_t) -+ -+domain_use_interactive_fds(spamc_t) -+ -+files_read_etc_files(spamc_t) -+files_read_etc_runtime_files(spamc_t) -+files_read_usr_files(spamc_t) -+files_list_home(spamc_t) -+files_read_usr_files(spamc_t) -+files_dontaudit_search_var(spamc_t) -+ -+auth_use_nsswitch(spamc_t) -+ -+libs_use_ld_so(spamc_t) -+libs_use_shared_libs(spamc_t) -+ -+logging_send_syslog_msg(spamc_t) -+ -+miscfiles_read_localization(spamc_t) -+ -+# cjp: this really should just be the -+# terminal specific to the role -+userdom_use_unpriv_users_ptys(spamc_t) -+ -+userdom_use_unpriv_users_fds(spamc_t) -+userdom_search_user_home_dirs(user, spamc_t) -+userdom_list_user_files(user, spamc_t) -+# cjp: this really should just be the -+# terminal specific to the role -+userdom_use_unpriv_users_ptys(spamc_t) -+ -+# set tunable if you have spamc do DNS lookups -+tunable_policy(`spamassassin_can_network',` -+ allow spamc_t self:tcp_socket create_stream_socket_perms; -+ allow spamc_t self:udp_socket create_socket_perms; -+ -+ corenet_all_recvfrom_unlabeled(spamc_t) -+ corenet_all_recvfrom_netlabel(spamc_t) -+ corenet_tcp_sendrecv_generic_if(spamc_t) -+ corenet_udp_sendrecv_generic_if(spamc_t) -+ corenet_tcp_sendrecv_all_nodes(spamc_t) -+ corenet_udp_sendrecv_all_nodes(spamc_t) -+ corenet_tcp_sendrecv_all_ports(spamc_t) -+ corenet_udp_sendrecv_all_ports(spamc_t) -+ corenet_tcp_connect_all_ports(spamc_t) -+ corenet_sendrecv_all_client_packets(spamc_t) -+ corenet_udp_bind_generic_port(spamc_t) -+ -+ sysnet_read_config(spamc_t) -+') -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_dirs(spamc_t) -+ fs_manage_nfs_files(spamc_t) -+ fs_manage_nfs_symlinks(spamc_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(spamc_t) -+ fs_manage_cifs_files(spamc_t) -+ fs_manage_cifs_symlinks(spamc_t) -+') -+ -+optional_policy(` -+ # Allow connection to spamd socket above -+ evolution_stream_connect(user, spamc_t) -+') -+ -+optional_policy(` -+ mta_read_config(spamc_t) -+ mta_read_queue(spamc_t) -+ sendmail_stub(spamc_t) -+ sendmail_rw_pipes(spamc_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.5.13/policy/modules/services/squid.te ---- nsaserefpolicy/policy/modules/services/squid.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/squid.te 2008-10-28 10:56:19.000000000 -0400 -@@ -118,6 +118,8 @@ - - fs_getattr_all_fs(squid_t) - fs_search_auto_mountpoints(squid_t) -+#squid requires the following when run in diskd mode, the recommended setting -+fs_rw_tmpfs_files(squid_t) - - selinux_dontaudit_getattr_dir(squid_t) - -@@ -189,8 +191,3 @@ - optional_policy(` - udev_read_db(squid_t) - ') -- --ifdef(`TODO',` --#squid requires the following when run in diskd mode, the recommended setting --allow squid_t tmpfs_t:file { read write }; --') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.5.13/policy/modules/services/ssh.fc ---- nsaserefpolicy/policy/modules/services/ssh.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ssh.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,4 +1,4 @@ --HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ROLE_home_ssh_t,s0) -+HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) - - /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) - /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.13/policy/modules/services/ssh.if ---- nsaserefpolicy/policy/modules/services/ssh.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-10-28 10:56:19.000000000 -0400 -@@ -36,6 +36,7 @@ - gen_require(` - attribute ssh_server; - type ssh_exec_t, sshd_key_t, sshd_tmp_t; -+ type ssh_home_t, ssh_tmp_t; - ') - - ############################## -@@ -47,8 +48,9 @@ - application_domain($1_ssh_t, ssh_exec_t) - role $3 types $1_ssh_t; - -- type $1_home_ssh_t; -- files_type($1_home_ssh_t) -+ typealias ssh_home_t alias $1_ssh_home_t; -+ typealias ssh_home_t alias $1_home_ssh_t; -+ typealias ssh_tmp_t alias $1_ssh_tmp_t; - - ############################## - # -@@ -65,8 +67,7 @@ - allow $1_ssh_t self:sem create_sem_perms; - allow $1_ssh_t self:msgq create_msgq_perms; - allow $1_ssh_t self:msg { send receive }; -- allow $1_ssh_t self:tcp_socket create_socket_perms; -- allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms; -+ allow $1_ssh_t self:tcp_socket create_stream_socket_perms; - - # for rsync - allow $1_ssh_t $2:unix_stream_socket rw_socket_perms; -@@ -93,20 +94,21 @@ - ps_process_pattern($2, $1_ssh_t) - - # user can manage the keys and config -- manage_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t) -- manage_lnk_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t) -- manage_sock_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t) -+ manage_files_pattern($2, ssh_home_t, ssh_home_t) -+ manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t) -+ manage_sock_files_pattern($2, ssh_home_t, ssh_home_t) - - # ssh client can manage the keys and config -- manage_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t) -- read_lnk_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t) -+ manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t) -+ read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t) - - # ssh servers can read the user keys and config -- allow ssh_server $1_home_ssh_t:dir list_dir_perms; -- read_files_pattern(ssh_server, $1_home_ssh_t, $1_home_ssh_t) -- read_lnk_files_pattern(ssh_server, $1_home_ssh_t, $1_home_ssh_t) -+ allow ssh_server ssh_home_t:dir list_dir_perms; -+ read_files_pattern(ssh_server, ssh_home_t, ssh_home_t) -+ read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t) - - kernel_read_kernel_sysctls($1_ssh_t) -+ kernel_read_system_state($1_ssh_t) - - corenet_all_recvfrom_unlabeled($1_ssh_t) - corenet_all_recvfrom_netlabel($1_ssh_t) -@@ -115,6 +117,8 @@ - corenet_tcp_sendrecv_all_ports($1_ssh_t) - corenet_tcp_connect_ssh_port($1_ssh_t) - corenet_sendrecv_ssh_client_packets($1_ssh_t) -+ corenet_tcp_bind_all_nodes($1_ssh_t) -+ corenet_tcp_bind_all_unreserved_ports($1_ssh_t) - - dev_read_urand($1_ssh_t) - -@@ -133,6 +137,8 @@ - files_read_etc_files($1_ssh_t) - files_read_var_files($1_ssh_t) - -+ auth_use_nsswitch($1_ssh_t) -+ - libs_use_ld_so($1_ssh_t) - libs_use_shared_libs($1_ssh_t) - -@@ -143,9 +149,6 @@ - - seutil_read_config($1_ssh_t) - -- sysnet_read_config($1_ssh_t) -- sysnet_dns_name_resolve($1_ssh_t) -- - tunable_policy(`read_default_t',` - files_list_default($1_ssh_t) - files_read_default_files($1_ssh_t) -@@ -157,14 +160,6 @@ - optional_policy(` - kerberos_use($1_ssh_t) - ') -- -- optional_policy(` -- nis_use_ypbind($1_ssh_t) -- ') -- -- optional_policy(` -- nscd_socket_use($1_ssh_t) -- ') - ') - - ####################################### -@@ -212,7 +207,7 @@ - - ssh_basic_client_template($1, $2, $3) - -- userdom_user_home_content($1, $1_home_ssh_t) -+ userdom_user_home_content($1, ssh_home_t) - - type $1_ssh_agent_t; - application_domain($1_ssh_agent_t, ssh_agent_exec_t) -@@ -240,9 +235,9 @@ - manage_sock_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t) - fs_tmpfs_filetrans($1_ssh_t, $1_ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -- manage_dirs_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t) -- manage_sock_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t) -- userdom_user_home_dir_filetrans($1, $1_ssh_t, $1_home_ssh_t, { dir sock_file }) -+ manage_dirs_pattern($1_ssh_t, ssh_home_t, ssh_home_t) -+ manage_sock_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t) -+ userdom_user_home_dir_filetrans($1, $1_ssh_t, ssh_home_t, { dir sock_file }) - - # Allow the ssh program to communicate with ssh-agent. - stream_connect_pattern($1_ssh_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t) -@@ -254,6 +249,8 @@ - userdom_use_unpriv_users_fds($1_ssh_t) - userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t) - userdom_search_user_home_dirs($1,$1_ssh_t) -+ userdom_write_user_tmp_sockets(user,$1_ssh_t) -+ - # Write to the user domain tty. - userdom_use_user_terminals($1,$1_ssh_t) - # needs to read krb tgt -@@ -279,24 +276,14 @@ - # for port forwarding - tunable_policy(`user_tcp_server',` - corenet_tcp_bind_ssh_port($1_ssh_t) -+ corenet_tcp_bind_all_nodes($1_ssh_t) - ') - - optional_policy(` -- xserver_user_x_domain_template($1, $1_ssh, $1_ssh_t, $1_ssh_tmpfs_t) -+# xserver_user_x_domain_template($1, $1_ssh, $1_ssh_t, $1_ssh_tmpfs_t) - xserver_domtrans_user_xauth($1, $1_ssh_t) - ') - -- ifdef(`TODO',` -- # for /bin/sh used to execute xauth -- dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read }; -- -- #allow ssh to access keys stored on removable media -- # Should we have a boolean around this? -- files_search_mnt($1_ssh_t) -- r_dir_file($1_ssh_t, removable_t) -- -- ') dnl endif TODO -- - ############################## - # - # $1_ssh_agent_t local policy -@@ -381,12 +368,9 @@ - optional_policy(` - xserver_use_xdm_fds($1_ssh_agent_t) - xserver_rw_xdm_pipes($1_ssh_agent_t) -+ xserver_dontaudit_rw_xdm_home_files($1_ssh_agent_t) - ') - -- ifdef(`TODO',` -- dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read }; -- ') dnl endif TODO -- - ############################## - # - # $1_ssh_keysign_t local policy -@@ -413,6 +397,25 @@ - ') - ') - -+######################################## -+## -+## Execute the ssh agent client in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ssh_agent_exec',` -+ gen_require(` -+ type ssh_agent_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ can_exec($1, ssh_agent_exec_t) -+') -+ - ####################################### - ## - ## The template to define a ssh server. -@@ -443,13 +446,14 @@ - type $1_var_run_t; - files_pid_file($1_var_run_t) - -- allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; -+ allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; - allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:process { signal setsched setrlimit setexec }; - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; - # ssh agent connections: - allow $1_t self:unix_stream_socket create_stream_socket_perms; -+ allow $1_t self:shm create_shm_perms; - - allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; - term_create_pty($1_t,$1_devpts_t) -@@ -478,7 +482,12 @@ - corenet_udp_bind_all_nodes($1_t) - corenet_tcp_bind_ssh_port($1_t) - corenet_tcp_connect_all_ports($1_t) -+ corenet_tcp_bind_all_unreserved_ports($1_t) - corenet_sendrecv_ssh_server_packets($1_t) -+ # -R qualifier -+ corenet_sendrecv_ssh_server_packets($1_t) -+ # tunnel feature and -w (net_admin capability also) -+ corenet_rw_tun_tap_dev($1_t) - - fs_dontaudit_getattr_all_fs($1_t) - -@@ -506,9 +515,14 @@ - - userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t) - userdom_search_all_users_home_dirs($1_t) -+ userdom_read_all_users_home_content_files($1_t) -+ -+ # Allow checking users mail at login -+ mta_getattr_spool($1_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files($1_t) -+ fs_read_nfs_symlinks($1_t) - ') - - tunable_policy(`use_samba_home_dirs',` -@@ -517,11 +531,7 @@ - - optional_policy(` - kerberos_use($1_t) -- ') -- -- optional_policy(` -- # Allow checking users mail at login -- mta_getattr_spool($1_t) -+ kerberos_manage_host_rcache($1_t) - ') - - optional_policy(` -@@ -710,3 +720,22 @@ - - dontaudit $1 sshd_key_t:file { getattr read }; - ') -+ -+####################################### -+## -+## Delete from the ssh temp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ssh_delete_tmp',` -+ gen_require(` -+ type ssh_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ delete_files_pattern($1, ssh_tmp_t, ssh_tmp_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.5.13/policy/modules/services/ssh.te ---- nsaserefpolicy/policy/modules/services/ssh.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2008-10-28 10:56:19.000000000 -0400 -@@ -24,7 +24,7 @@ - - # Type for the ssh-agent executable. - type ssh_agent_exec_t; --files_type(ssh_agent_exec_t) -+application_executable_file(ssh_agent_exec_t) - - # ssh client executable. - type ssh_exec_t; -@@ -55,6 +55,12 @@ - init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh) - ') - -+type ssh_home_t; -+userdom_user_home_content(user, ssh_home_t) -+ -+type ssh_tmp_t; -+files_tmp_file(ssh_tmp_t) -+ - ################################# - # - # sshd local policy -@@ -78,6 +84,9 @@ - corenet_tcp_bind_xserver_port(sshd_t) - corenet_sendrecv_xserver_server_packets(sshd_t) - -+userdom_read_all_users_home_content_files(sshd_t) -+userdom_read_all_users_home_content_symlinks(sshd_t) -+ - tunable_policy(`ssh_sysadm_login',` - # Relabel and access ptys created by sshd - # ioctl is necessary for logout() processing for utmp entry and for w to -@@ -99,6 +108,14 @@ - ') - - optional_policy(` -+ kerberos_keytab_template(sshd, sshd_t) -+') -+ -+optional_policy(` -+ xserver_getattr_xauth(sshd_t) -+') -+ -+optional_policy(` - daemontools_service_domain(sshd_t, sshd_exec_t) - ') - -@@ -117,7 +134,11 @@ - ') - - optional_policy(` -- unconfined_domain(sshd_t) -+ usermanage_domtrans_passwd(sshd_t) -+ usermanage_read_crack_db(sshd_t) -+') -+ -+optional_policy(` - unconfined_shell_domtrans(sshd_t) - ') - -@@ -176,6 +197,8 @@ - init_use_fds(ssh_keygen_t) - init_use_script_ptys(ssh_keygen_t) - -+auth_use_nsswitch(ssh_keygen_t) -+ - libs_use_ld_so(ssh_keygen_t) - libs_use_shared_libs(ssh_keygen_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.fc serefpolicy-3.5.13/policy/modules/services/stunnel.fc ---- nsaserefpolicy/policy/modules/services/stunnel.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/stunnel.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -2,5 +2,6 @@ - /etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0) - - /usr/sbin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0) -+/usr/bin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0) - - /var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.5.13/policy/modules/services/stunnel.te ---- nsaserefpolicy/policy/modules/services/stunnel.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/stunnel.te 2008-10-28 10:56:19.000000000 -0400 -@@ -54,6 +54,8 @@ - kernel_read_system_state(stunnel_t) - kernel_read_network_state(stunnel_t) - -+corecmd_exec_bin(stunnel_t) -+ - corenet_all_recvfrom_unlabeled(stunnel_t) - corenet_all_recvfrom_netlabel(stunnel_t) - corenet_tcp_sendrecv_all_if(stunnel_t) -@@ -109,6 +111,7 @@ - dev_read_urand(stunnel_t) - - files_read_etc_files(stunnel_t) -+ files_read_etc_runtime_files(stunnel_t) - files_search_home(stunnel_t) - - optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.5.13/policy/modules/services/sysstat.te ---- nsaserefpolicy/policy/modules/services/sysstat.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/sysstat.te 2008-10-28 10:56:19.000000000 -0400 -@@ -47,6 +47,7 @@ - files_read_etc_files(sysstat_t) - - fs_getattr_xattr_fs(sysstat_t) -+fs_list_inotifyfs(sysstat_t) - - term_use_console(sysstat_t) - term_use_all_terms(sysstat_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.5.13/policy/modules/services/telnet.te ---- nsaserefpolicy/policy/modules/services/telnet.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/telnet.te 2008-10-28 10:56:19.000000000 -0400 -@@ -90,8 +90,8 @@ - userdom_search_unpriv_users_home_dirs(telnetd_t) - - optional_policy(` -- kerberos_use(telnetd_t) -- kerberos_read_keytab(telnetd_t) -+ kerberos_keytab_template(telnetd, telnetd_t) -+ kerberos_manage_host_rcache(telnetd_t) - ') - - tunable_policy(`use_nfs_home_dirs',` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.5.13/policy/modules/services/tftp.te ---- nsaserefpolicy/policy/modules/services/tftp.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/tftp.te 2008-10-28 10:56:19.000000000 -0400 -@@ -75,6 +75,7 @@ - domain_use_interactive_fds(tftpd_t) - - files_read_etc_files(tftpd_t); -+files_read_etc_runtime_files(tftpd_t); - files_read_var_files(tftpd_t) - files_read_var_symlinks(tftpd_t) - files_search_var(tftpd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.5.13/policy/modules/services/tor.te ---- nsaserefpolicy/policy/modules/services/tor.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/tor.te 2008-10-28 10:56:19.000000000 -0400 -@@ -34,7 +34,7 @@ - # tor local policy - # - --allow tor_t self:capability { setgid setuid }; -+allow tor_t self:capability { setgid setuid sys_tty_config }; - allow tor_t self:fifo_file rw_fifo_file_perms; - allow tor_t self:unix_stream_socket create_stream_socket_perms; - allow tor_t self:netlink_route_socket r_netlink_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.fc serefpolicy-3.5.13/policy/modules/services/ulogd.fc ---- nsaserefpolicy/policy/modules/services/ulogd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/ulogd.fc 2008-11-05 12:14:57.000000000 -0500 -@@ -0,0 +1,10 @@ -+ -+/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0) -+ -+/etc/ulogd.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0) -+ -+/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0) -+ -+/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0) -+ -+/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.5.13/policy/modules/services/ulogd.if ---- nsaserefpolicy/policy/modules/services/ulogd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/ulogd.if 2008-11-05 12:14:57.000000000 -0500 -@@ -0,0 +1,127 @@ -+## policy for ulogd -+ -+######################################## -+## -+## Execute a domain transition to run ulogd. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ulogd_domtrans',` -+ gen_require(` -+ type ulogd_t, ulogd_exec_t; -+ ') -+ -+ domtrans_pattern($1,ulogd_exec_t,ulogd_t) -+') -+ -+######################################## -+## -+## Allow the specified domain to read -+## ulogd configuration files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+# -+interface(`ulogd_read_config',` -+ gen_require(` -+ type ulogd_etc_t; -+ ') -+ -+ files_search_etc($1) -+ read_files_pattern($1, ulogd_etc_t, ulogd_etc_t) -+') -+ -+######################################## -+## -+## Allow the specified domain to read ulogd's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+# -+interface(`ulogd_read_log',` -+ gen_require(` -+ type ulogd_var_log_t; -+ ') -+ -+ logging_search_logs($1) -+ allow $1 ulogd_var_log_t:dir list_dir_perms; -+ read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t) -+') -+ -+######################################## -+## -+## Allow the specified domain to append to ulogd's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+# -+interface(`ulogd_append_log',` -+ gen_require(` -+ type ulogd_var_log_t; -+ ') -+ -+ logging_search_logs($1) -+ allow $1 ulogd_var_log_t:dir list_dir_perms; -+ allow $1 ulogd_var_log_t:file append_file_perms; -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an ulogd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the syslog domain. -+## -+## -+## -+# -+interface(`ulogd_admin',` -+ gen_require(` -+ type ulogd_t, ulogd_etc_t; -+ type ulogd_var_log_t, ulogd_initrc_exec_t; -+ type ulogd_modules_t; -+ ') -+ -+ allow $1 ulogd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, ulogd_t) -+ -+ init_labeled_script_domtrans($1, ulogd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 ulogd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_search_etc($1) -+ admin_pattern($1, ulogd_etc_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, ulogd_var_log_t) -+ -+ files_search_usr($1) -+ admin_pattern($1, ulogd_modules_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.5.13/policy/modules/services/ulogd.te ---- nsaserefpolicy/policy/modules/services/ulogd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/ulogd.te 2008-11-05 12:14:57.000000000 -0500 -@@ -0,0 +1,54 @@ -+policy_module(ulogd,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type ulogd_t; -+type ulogd_exec_t; -+init_daemon_domain(ulogd_t, ulogd_exec_t) -+ -+type ulogd_initrc_exec_t; -+init_script_file(ulogd_initrc_exec_t) -+ -+# /usr/lib files -+type ulogd_modules_t; -+files_type(ulogd_modules_t) -+ -+# config files -+type ulogd_etc_t; -+files_type(ulogd_etc_t) -+ -+# log files -+type ulogd_var_log_t; -+logging_log_file(ulogd_var_log_t) -+ -+######################################## -+ -+# -+# ulogd local policy -+# -+ -+allow ulogd_t self:capability net_admin; -+allow ulogd_t self:netlink_nflog_socket create_socket_perms; -+ -+# config files -+read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) -+ -+# modules for ulogd -+list_dirs_pattern(ulogd_t,ulogd_modules_t,ulogd_modules_t) -+mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t) -+ -+# log files -+manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) -+logging_log_filetrans(ulogd_t,ulogd_var_log_t, file ) -+ -+files_search_etc(ulogd_t) -+ -+libs_use_ld_so(ulogd_t) -+libs_use_shared_libs(ulogd_t) -+ -+miscfiles_read_localization(ulogd_t) -+ -+permissive ulogd_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.5.13/policy/modules/services/virt.fc ---- nsaserefpolicy/policy/modules/services/virt.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/virt.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -2,6 +2,7 @@ - /etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) - /etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) - /etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) -+/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) - - /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.5.13/policy/modules/services/virt.if ---- nsaserefpolicy/policy/modules/services/virt.if 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/virt.if 2008-11-04 11:58:23.000000000 -0500 -@@ -41,6 +41,27 @@ - - ######################################## - ## -+## manage virt config files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_manage_config',` -+ gen_require(` -+ type virt_etc_t; -+ type virt_etc_rw_t; -+ ') -+ -+ files_search_etc($1) -+ manage_files_pattern($1, virt_etc_t, virt_etc_t) -+ manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -+') -+ -+######################################## -+## - ## Read virt PID files. - ## - ## -@@ -78,6 +99,24 @@ - - ######################################## - ## -+## Execute virt server in the virt domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`virtd_initrc_domtrans',` -+ gen_require(` -+ type virtd_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, virtd_initrc_exec_t) -+') -+ -+######################################## -+## - ## Search virt lib directories. - ## - ## -@@ -196,6 +235,35 @@ - - ######################################## - ## -+## Make the specified type usable as a virt image -+## -+## -+##

-+## Make the specified type usable as a virt image -+##

-+## -+## -+## -+## Type to be used as a virtual image -+## -+## -+# -+# -+interface(`virt_image',` -+ gen_require(` -+ attribute virt_image_type; -+ ') -+ -+ typeattribute $1 virt_image_type; -+ -+ files_type($1) -+ -+ # virt images can be assigned to blk devices -+ dev_node($1) -+') -+ -+######################################## -+## - ## Allow domain to manage virt image files - ## - ## -@@ -214,6 +282,7 @@ - manage_dirs_pattern($1, virt_image_t, virt_image_t) - manage_files_pattern($1, virt_image_t, virt_image_t) - read_lnk_files_pattern($1, virt_image_t, virt_image_t) -+ rw_blk_files_pattern($1, virt_image_t, virt_image_t) - - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) -@@ -243,11 +312,17 @@ - interface(`virt_admin',` - gen_require(` - type virtd_t; -+ type virtd_initrc_exec_t; - ') - - allow $1 virtd_t:process { ptrace signal_perms }; - ps_process_pattern($1, virtd_t) - -+ virtd_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 virtd_initrc_exec_t system_r; -+ allow $2 system_r; -+ - virt_manage_pid_files($1) - - virt_manage_lib_files($1) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.5.13/policy/modules/services/virt.te ---- nsaserefpolicy/policy/modules/services/virt.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/virt.te 2008-10-28 10:56:19.000000000 -0400 -@@ -5,6 +5,7 @@ - # - # Declarations - # -+attribute virt_image_type; - - ## - ##

-@@ -27,10 +28,8 @@ - files_type(virt_etc_rw_t) - - # virt Image files --type virt_image_t; # customizable --files_type(virt_image_t) --# virt_image_t can be assigned to blk devices --dev_node(virt_image_t) -+type virt_image_t, virt_image_type; # customizable -+virt_image(virt_image_t) - - type virt_log_t; - logging_log_file(virt_log_t) -@@ -45,6 +44,9 @@ - type virtd_exec_t; - init_daemon_domain(virtd_t, virtd_exec_t) - -+type virtd_initrc_exec_t; -+init_script_file(virtd_initrc_exec_t) -+ - ######################################## - # - # virtd local policy -@@ -49,9 +51,8 @@ - # - # virtd local policy - # -- - allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace }; --allow virtd_t self:process { sigkill signal execmem }; -+allow virtd_t self:process { getsched sigkill signal execmem }; - allow virtd_t self:fifo_file rw_file_perms; - allow virtd_t self:unix_stream_socket create_stream_socket_perms; - allow virtd_t self:tcp_socket create_stream_socket_perms; -@@ -64,7 +65,7 @@ - manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) - filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) - --manage_files_pattern(virtd_t, virt_image_t, virt_image_t) -+manage_files_pattern(virtd_t, virt_image_type, virt_image_type) - - manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) - manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -82,6 +83,8 @@ - kernel_read_system_state(virtd_t) - kernel_read_network_state(virtd_t) - kernel_rw_net_sysctls(virtd_t) -+kernel_read_xen_state(virtd_t) -+kernel_write_xen_state(virtd_t) - kernel_load_module(virtd_t) - - corecmd_exec_bin(virtd_t) -@@ -93,7 +96,7 @@ - corenet_tcp_sendrecv_all_nodes(virtd_t) - corenet_tcp_sendrecv_all_ports(virtd_t) - corenet_tcp_bind_all_nodes(virtd_t) --#corenet_tcp_bind_virt_port(virtd_t) -+corenet_tcp_bind_virt_port(virtd_t) - corenet_tcp_bind_vnc_port(virtd_t) - corenet_tcp_connect_vnc_port(virtd_t) - corenet_tcp_connect_soundd_port(virtd_t) -@@ -107,8 +110,10 @@ - - files_read_usr_files(virtd_t) - files_read_etc_files(virtd_t) -+files_read_usr_files(virtd_t) - files_read_etc_runtime_files(virtd_t) - files_search_all(virtd_t) -+files_list_kernel_modules(virtd_t) - - fs_list_auto_mountpoints(virtd_t) - -@@ -162,26 +167,27 @@ - ') - ') - --#optional_policy(` --# dnsmasq_domtrans(virtd_t) --# dnsmasq_signal(virtd_t) --# dnsmasq_sigkill(virtd_t) --#') -+optional_policy(` -+ dnsmasq_domtrans(virtd_t) -+ dnsmasq_signal(virtd_t) -+ dnsmasq_sigkill(virtd_t) -+') - - optional_policy(` - iptables_domtrans(virtd_t) - ') - --#optional_policy(` --# polkit_domtrans_auth(virtd_t) --# polkit_domtrans_resolve(virtd_t) --#') -+optional_policy(` -+ polkit_domtrans_auth(virtd_t) -+ polkit_domtrans_resolve(virtd_t) -+') - - optional_policy(` - qemu_domtrans(virtd_t) - qemu_read_state(virtd_t) - qemu_signal(virtd_t) - qemu_kill(virtd_t) -+ qemu_setsched(virtd_t) - ') - - optional_policy(` -@@ -189,9 +195,10 @@ - ') - - optional_policy(` -- kernel_read_xen_state(virtd_t) -- kernel_write_xen_state(virtd_t) -- - xen_stream_connect(virtd_t) - xen_stream_connect_xenstore(virtd_t) - ') -+ -+optional_policy(` -+ unconfined_domain(virtd_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.5.13/policy/modules/services/w3c.te ---- nsaserefpolicy/policy/modules/services/w3c.te 2008-08-25 09:12:31.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/w3c.te 2008-10-28 10:56:19.000000000 -0400 -@@ -8,11 +8,18 @@ - - apache_content_template(w3c_validator) - -+type httpd_w3c_validator_tmp_t; -+files_tmp_file(httpd_w3c_validator_tmp_t) -+ - ######################################## - # - # Local policy - # - -+manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) -+manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) -+files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir }) -+ - corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) - corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) - corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.5.13/policy/modules/services/xserver.fc ---- nsaserefpolicy/policy/modules/services/xserver.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/xserver.fc 2008-11-03 11:42:39.000000000 -0500 -@@ -1,13 +1,15 @@ - # - # HOME_DIR - # --HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:ROLE_fonts_config_t,s0) --HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:ROLE_fonts_t,s0) --HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:ROLE_fonts_cache_t,s0) --HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:ROLE_fonts_cache_t,s0) --HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0) --HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) --HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) -+HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:fonts_home_t,s0) -+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:fonts_config_home_t,s0) -+HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:fonts_config_home_t,s0) -+HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:fonts_cache_home_t,s0) -+HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:fonts_cache_home_t,s0) -+HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) -+HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) -+HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) -+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) - - # - # /dev -@@ -32,11 +34,6 @@ - /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) - /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) - --ifdef(`distro_redhat',` --/etc/gdm/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) --/etc/gdm/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) --') -- - # - # /opt - # -@@ -50,7 +47,7 @@ - /tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) - /tmp/\.ICE-unix/.* -s <> - /tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_xserver_tmp_t,s0) --/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) -+/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_xserver_tmp_t,s0) - /tmp/\.X11-unix/.* -s <> - - # -@@ -58,9 +55,11 @@ - # - - /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) --/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/sbin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) - /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) - /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) -+/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) - /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) - /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) - /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) -@@ -89,16 +88,25 @@ - - /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) - --/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -+/var/lib/[gxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) - /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) -+/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) - --/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) -+/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) - /var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) - /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) - /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) -+/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) -+ -+/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) - -+/var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) - /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) -+/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) - /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -+/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -+/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) - - ifdef(`distro_suse',` - /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if ---- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-11-04 13:27:32.000000000 -0500 -@@ -16,6 +16,7 @@ - gen_require(` - type xkb_var_lib_t, xserver_exec_t, xserver_log_t; - -+ attribute rootwindow_type; - attribute x_server_domain; - class x_drawable all_x_drawable_perms; - class x_colormap all_x_colormap_perms; -@@ -134,18 +135,24 @@ - dev_rw_agp($1_xserver_t) - dev_rw_framebuffer($1_xserver_t) - dev_manage_dri_dev($1_xserver_t) -- dev_create_generic_dirs($1_xserver_t) -- dev_setattr_generic_dirs($1_xserver_t) -+ dev_manage_generic_dirs($1_xserver_t) - # raw memory access is needed if not using the frame buffer - dev_read_raw_memory($1_xserver_t) - dev_wx_raw_memory($1_xserver_t) - # for other device nodes such as the NVidia binary-only driver - dev_rw_xserver_misc($1_xserver_t) -+ dev_setattr_xserver_misc_dev($1_xserver_t) - # read events - the synaptics touchpad driver reads raw events - dev_rw_input_dev($1_xserver_t) - dev_rwx_zero($1_xserver_t) -+ dev_read_urand($1_xserver_t) -+ dev_rw_generic_usb_dev($1_xserver_t) -+ dev_rw_generic_usb_pipes($1_xserver_t) - -+ domain_mmap_low_type($1_xserver_t) - domain_mmap_low($1_xserver_t) -+ domain_read_all_domains_state($1_xserver_t) -+ domain_dontaudit_ptrace_all_domains($1_xserver_t) - - files_read_etc_files($1_xserver_t) - files_read_etc_runtime_files($1_xserver_t) -@@ -159,7 +166,8 @@ - fs_getattr_xattr_fs($1_xserver_t) - fs_search_nfs($1_xserver_t) - fs_search_auto_mountpoints($1_xserver_t) -- fs_search_ramfs($1_xserver_t) -+ fs_manage_ramfs_files($1_xserver_t) -+ fs_list_inotifyfs($1_xserver_t) - - selinux_validate_context($1_xserver_t) - selinux_compute_access_vector($1_xserver_t) -@@ -169,6 +177,9 @@ - - init_getpgid($1_xserver_t) - -+ miscfiles_read_hwdata($1_xserver_t) -+ -+ term_search_ptys($1_xserver_t) - term_setattr_unallocated_ttys($1_xserver_t) - term_use_unallocated_ttys($1_xserver_t) - -@@ -276,6 +287,8 @@ - gen_require(` - type iceauth_exec_t, xauth_exec_t; - attribute fonts_type, fonts_cache_type, fonts_config_type; -+ type fonts_home_t, fonts_cache_home_t, fonts_config_home_t; -+ type iceauth_home_t, xauth_t, xauth_home_t, xauth_tmp_t; - ') - - ############################## -@@ -286,61 +299,41 @@ - xserver_common_domain_template($1) - role $3 types $1_xserver_t; - -- type $1_fonts_t, fonts_type; -- userdom_user_home_content($1, $1_fonts_t) -- -- type $1_fonts_cache_t, fonts_cache_type; -- userdom_user_home_content($1, $1_fonts_cache_t) -- -- type $1_fonts_config_t, fonts_config_type; -- userdom_user_home_content($1, $1_fonts_cache_t) -+ typealias fonts_home_t alias $1_fonts_t; -+ typealias fonts_cache_home_t alias $1_fonts_cache_t; -+ typealias fonts_config_home_t alias $1_fonts_config_t; - - type $1_iceauth_t; - domain_type($1_iceauth_t) - domain_entry_file($1_iceauth_t, iceauth_exec_t) - role $3 types $1_iceauth_t; - -- type $1_iceauth_home_t alias $1_iceauth_rw_t; -- files_poly_member($1_iceauth_home_t) -- userdom_user_home_content($1, $1_iceauth_home_t) -- -- type $1_xauth_t; -- domain_type($1_xauth_t) -- domain_entry_file($1_xauth_t, xauth_exec_t) -- role $3 types $1_xauth_t; -- -- type $1_xauth_home_t alias $1_xauth_rw_t, xauth_home_type; -- files_poly_member($1_xauth_home_t) -- userdom_user_home_content($1, $1_xauth_home_t) -+ typealias iceauth_home_t alias $1_iceauth_rw_t; -+ typealias iceauth_home_t alias $1_iceauth_home_t; - -- type $1_xauth_tmp_t; -- files_tmp_file($1_xauth_tmp_t) -- -- ############################## -- # -- # $1_xserver_t Local policy -- # -+ typealias xauth_home_t alias $1_xauth_rw_t; -+ typealias xauth_home_t alias $1_xauth_home_t; - -- domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) -+ allow $1_xserver_t xauth_home_t:file read_file_perms; - -- allow $1_xserver_t $1_xauth_home_t:file { getattr read }; -+ domtrans_pattern($1_xserver_t, xauth_exec_t, xauth_t) -+ role $3 types xauth_t; - -- domtrans_pattern($2, xserver_exec_t, $1_xserver_t) - allow $1_xserver_t $2:process signal; - - allow $1_xserver_t $2:shm rw_shm_perms; - -- manage_dirs_pattern($2, $1_fonts_t, $1_fonts_t) -- manage_files_pattern($2, $1_fonts_t, $1_fonts_t) -- relabel_dirs_pattern($2, $1_fonts_t, $1_fonts_t) -- relabel_files_pattern($2, $1_fonts_t, $1_fonts_t) -- -- manage_dirs_pattern($2, $1_fonts_config_t, $1_fonts_config_t) -- manage_files_pattern($2, $1_fonts_config_t, $1_fonts_config_t) -- relabel_files_pattern($2, $1_fonts_config_t, $1_fonts_config_t) -+ manage_dirs_pattern($2, fonts_home_t, fonts_home_t) -+ manage_files_pattern($2, fonts_home_t, fonts_home_t) -+ relabel_dirs_pattern($2, fonts_home_t, fonts_home_t) -+ relabel_files_pattern($2, fonts_home_t, fonts_home_t) -+ -+ manage_dirs_pattern($2, fonts_config_home_t, fonts_config_home_t) -+ manage_files_pattern($2, fonts_config_home_t, fonts_config_home_t) -+ relabel_files_pattern($2, fonts_config_home_t, fonts_config_home_t) - - # For startup relabel -- allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom }; -+ allow $2 fonts_cache_home_t:{ dir file } { relabelto relabelfrom }; - - stream_connect_pattern($2, $1_xserver_tmp_t, $1_xserver_tmp_t, $1_xserver_t) - -@@ -354,85 +347,36 @@ - - locallogin_use_fds($1_xserver_t) - -+ miscfiles_read_fonts($2) -+ - userdom_search_user_home_dirs($1, $1_xserver_t) - userdom_use_user_ttys($1, $1_xserver_t) - userdom_setattr_user_ttys($1, $1_xserver_t) - userdom_rw_user_tmpfs_files($1, $1_xserver_t) - - xserver_use_user_fonts($1, $1_xserver_t) -- xserver_rw_xdm_tmp_files($1_xauth_t) -+ xserver_rw_xdm_tmp_files(xauth_t) -+ xserver_read_xdm_xserver_tmp_files($2) - - optional_policy(` - userhelper_search_config($1_xserver_t) - ') - -- ifdef(`TODO',` -- ifdef(`xdm.te', ` -- allow $1_t xdm_tmp_t:sock_file unlink; -- allow $1_xserver_t xdm_var_run_t:dir search; -+ optional_policy(` -+ wm_exec($2) - ') -- ') dnl end TODO -- -- ############################## -- # -- # $1_xauth_t Local policy -- # - -- allow $1_xauth_t self:process signal; -- allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms; -+ domtrans_pattern($2, xauth_exec_t, xauth_t) -+ allow $2 xauth_t:process signal; - -- allow $1_xauth_t $1_xauth_home_t:file manage_file_perms; -- userdom_user_home_dir_filetrans($1, $1_xauth_t, $1_xauth_home_t,file) -- -- manage_dirs_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t) -- manage_files_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t) -- files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir }) -- -- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) -- -- allow $2 $1_xauth_t:process signal; -+ allow $2 xauth_home_t:file manage_file_perms; -+ allow $2 xauth_home_t:file { relabelfrom relabelto }; - - # allow ps to show xauth -- ps_process_pattern($2,$1_xauth_t) -- -- allow $2 $1_xauth_home_t:file manage_file_perms; -- allow $2 $1_xauth_home_t:file { relabelfrom relabelto }; -- -- allow xdm_t $1_xauth_home_t:file manage_file_perms; -- userdom_user_home_dir_filetrans($1, xdm_t, $1_xauth_home_t, file) -- -- domain_use_interactive_fds($1_xauth_t) -- -- files_read_etc_files($1_xauth_t) -- files_search_pids($1_xauth_t) -- -- fs_getattr_xattr_fs($1_xauth_t) -- fs_search_auto_mountpoints($1_xauth_t) -+ ps_process_pattern($2,xauth_t) - -- # cjp: why? -- term_use_ptmx($1_xauth_t) -- -- auth_use_nsswitch($1_xauth_t) -- -- libs_use_ld_so($1_xauth_t) -- libs_use_shared_libs($1_xauth_t) -- -- userdom_use_user_terminals($1, $1_xauth_t) -- userdom_read_user_tmp_files($1, $1_xauth_t) -- -- tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_files($1_xauth_t) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_files($1_xauth_t) -- ') -- -- optional_policy(` -- ssh_sigchld($1_xauth_t) -- ssh_read_pipes($1_xauth_t) -- ssh_dontaudit_rw_tcp_sockets($1_xauth_t) -- ') -+ userdom_use_user_terminals($1, xauth_t) -+ userdom_read_user_tmp_files($1, xauth_t) - - ############################## - # -@@ -441,16 +385,17 @@ - - domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t) - -- allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms; -- userdom_user_home_dir_filetrans($1, $1_iceauth_t, $1_iceauth_home_t, file) -+ allow $1_iceauth_t iceauth_home_t:file manage_file_perms; -+ userdom_user_home_dir_filetrans($1, $1_iceauth_t, iceauth_home_t, file) - - # allow ps to show iceauth - ps_process_pattern($2, $1_iceauth_t) - -- allow $2 $1_iceauth_home_t:file manage_file_perms; -- allow $2 $1_iceauth_home_t:file { relabelfrom relabelto }; -+ allow $2 iceauth_home_t:file manage_file_perms; -+ allow $2 iceauth_home_t:file { relabelfrom relabelto }; - -- allow xdm_t $1_iceauth_home_t:file read_file_perms; -+ xserver_use_xdm($2) -+ xserver_rw_xdm_xserver_shm($2) - - fs_search_auto_mountpoints($1_iceauth_t) - -@@ -473,33 +418,12 @@ - # - - # Device rules -- allow $1_x_domain $1_xserver_t:x_device { read getattr use setattr setfocus grab bell }; -+ allow $1_x_domain $1_xserver_t:x_device { getattr use setattr setfocus grab bell }; - - allow $1_xserver_t { input_xevent_t $1_input_xevent_type }:x_event send; -+ allow $2 $1_input_xevent_type:x_event send; - allow $1_xserver_t { $1_rootwindow_t $1_x_domain }:x_drawable send; -- -- # manage: xhost X11:ChangeHosts -- # freeze: metacity X11:GrabKey -- # force_cursor: metacity X11:GrabPointer -- allow $2 $1_xserver_t:x_device { manage freeze force_cursor }; -- -- # gnome-settings-daemon XKEYBOARD:SetControls -- allow $2 $1_xserver_t:x_server manage; -- -- # gnome-settings-daemon RANDR:SelectInput -- allow $2 $1_xserver_t:x_resource write; -- -- # metacity X11:InstallColormap X11:UninstallColormap -- allow $2 $1_rootwindow_t:x_colormap { install uninstall }; -- -- # read: gnome-settings-daemon RANDR:GetScreenSizeRange -- # write: gnome-settings-daemon RANDR:SelectInput -- # setattr: gnome-settings-daemon X11:GrabKey -- # manage: metacity X11:ChangeWindowAttributes -- allow $2 $1_rootwindow_t:x_drawable { read write manage setattr }; -- -- # setattr: metacity X11:InstallColormap -- allow $2 $1_xserver_t:x_screen { saver_setattr saver_getattr setattr }; -+ allow $2 xdm_rootwindow_t:x_colormap remove_color; - - # xrdb X11:ChangeProperty prop=RESOURCE_MANAGER - allow $2 info_xproperty_t:x_property { create write append }; -@@ -548,7 +472,7 @@ - allow $2 $1_xserver_t:process signal; - - # Read /tmp/.X0-lock -- allow $2 $1_xserver_tmp_t:file { getattr read }; -+ allow $2 $1_xserver_tmp_t:file read_file_perms; - - # Client read xserver shm - allow $2 $1_xserver_t:fd use; -@@ -616,7 +540,7 @@ - # refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') - gen_require(` - type xdm_t, xdm_tmp_t; -- type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t; -+ type xauth_home_t, iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t; - ') - - allow $2 self:shm create_shm_perms; -@@ -624,12 +548,12 @@ - allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; - - # Read .Xauthority file -- allow $2 $1_xauth_home_t:file { getattr read }; -- allow $2 $1_iceauth_home_t:file { getattr read }; -+ allow $2 xauth_home_t:file read_file_perms; -+ allow $2 iceauth_home_t:file read_file_perms; - - # for when /tmp/.X11-unix is created by the system - allow $2 xdm_t:fd use; -- allow $2 xdm_t:fifo_file { getattr read write ioctl }; -+ allow $2 xdm_t:fifo_file rw_fifo_files_perms; - allow $2 xdm_tmp_t:dir search; - allow $2 xdm_tmp_t:sock_file { read write }; - dontaudit $2 xdm_t:tcp_socket { read write }; -@@ -649,13 +573,210 @@ - - xserver_read_xdm_tmp_files($2) - -- # Client write xserver shm -- tunable_policy(`allow_write_xshm',` -- allow $2 $1_xserver_t:shm rw_shm_perms; -- allow $2 $1_xserver_tmpfs_t:file rw_file_perms; - ') -+ -+####################################### -+##

-+## Interface to provide X object permissions on a given X server to -+## an X client domain. Provides the minimal set required by a basic -+## X client application. -+## -+## -+## -+## The prefix of the X server domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The prefix of the X client domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Client domain allowed access. -+## -+## -+# -+interface(`xserver_use',` -+ gen_require(` -+ type $1_rootwindow_t; -+ type $1_xproperty_t; -+ attribute $1_x_domain, $1_input_xevent_type; -+ attribute x_domain; -+ type $1_xserver_t; -+# type $2_input_xevent_t; - ') - -+ allow $1_xserver_t self:netlink_selinux_socket create_socket_perms; -+ -+# typeattribute $2_input_xevent_t $1_input_xevent_type; -+ -+ # can change properties of root window -+ allow $3 $1_rootwindow_t:x_drawable { list_property get_property set_property }; -+ # X Windows -+ # operations allowed on root windows -+ allow $3 $1_rootwindow_t:x_drawable { read getattr list_child add_child remove_child send receive override destroy hide }; -+# type_transition $3 $1_rootwindow_t:x_drawable $2_t; -+ -+ allow $3 $1_xproperty_t:x_property { write read }; -+ -+ # X Colormaps -+ # can use the default colormap -+ allow $3 $1_rootwindow_t:x_colormap { read use add_color }; -+ -+ # manage: xhost X11:ChangeHosts -+ # freeze: metacity X11:GrabKey -+ # force_cursor: metacity X11:GrabPointer -+ allow $3 $1_xserver_t:x_device { manage freeze force_cursor }; -+ allow $3 $1_xserver_t:x_device { getfocus setfocus grab use getattr setattr bell }; -+ -+ # gnome-settings-daemon XKEYBOARD:SetControls -+ allow $3 $1_xserver_t:x_server { manage grab }; -+ -+ # gnome-settings-daemon RANDR:SelectInput -+ allow $3 $1_xserver_t:x_resource { read write }; -+ -+ # metacity X11:InstallColormap X11:UninstallColormap -+ allow $3 $1_rootwindow_t:x_colormap { use install uninstall }; -+ -+ # read: gnome-settings-daemon RANDR:GetScreenSizeRange -+ # write: gnome-settings-daemon RANDR:SelectInput -+ # setattr: gnome-settings-daemon X11:GrabKey -+ # manage: metacity X11:ChangeWindowAttributes -+ allow $3 $1_rootwindow_t:x_drawable { show write manage setattr get_property blend create add_child write receive set_property }; -+ -+ # setattr: metacity X11:InstallColormap -+ allow $3 $1_xserver_t:x_screen { getattr saver_setattr saver_getattr setattr }; -+ ifdef(`enable_mls',` -+ mls_xwin_read_to_clearance($1_xserver_t) -+ -+ mls_fd_use_all_levels($1_xserver_t) -+ -+ mls_socket_read_all_levels($1_xserver_t) -+ mls_socket_write_all_levels($1_xserver_t) -+ -+ mls_sysvipc_read_to_clearance($1_xserver_t) -+ mls_sysvipc_write_to_clearance($1_xserver_t) -+ -+# missing socket transition -+ mls_file_write_within_range($1_xserver_t) -+ mls_xwin_write_all_levels($1_xserver_t) -+ -+# /dev/mem -+ mls_file_read_all_levels($1_xserver_t) -+ mls_file_write_all_levels($1_xserver_t) -+ ') -+ -+ selinux_getattr_fs($1_xserver_t) -+ seutil_read_config($1_xserver_t) -+ -+# allow $1_xserver_t $2:process getpgid; -+ -+ allow $1_xserver_t input_xevent_t:x_event send; -+ allow $1_xserver_t $1_rootwindow_t:x_drawable send; -+') -+ -+####################################### -+## -+## Interface to provide X object permissions on a given X server to -+## an X client domain. Provides the minimal set required by a basic -+## X client application. -+## -+## -+## -+## The prefix of the X server domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Client domain allowed access. -+## -+## -+# -+interface(`xserver_common_app',` -+ gen_require(` -+ type std_xext_t; -+# type $1_rootwindow_t; -+# type $1_xproperty_t; -+# type $1_client_xevent_t; -+# type $1_focus_xevent_t; -+# type $1_input_xevent_t; -+# type $1_manage_xevent_t; -+# type $1_property_xevent_t; -+ attribute rootwindow_type; -+ attribute xproperty_type; -+ class x_drawable all_x_drawable_perms; -+ class x_screen all_x_screen_perms; -+ class x_gc all_x_gc_perms; -+ class x_font all_x_font_perms; -+ class x_colormap all_x_colormap_perms; -+ class x_property all_x_property_perms; -+ class x_selection all_x_selection_perms; -+ class x_cursor all_x_cursor_perms; -+ class x_client all_x_client_perms; -+ class x_device all_x_device_perms; -+ class x_server all_x_server_perms; -+ class x_extension all_x_extension_perms; -+ class x_resource all_x_resource_perms; -+ class x_event all_x_event_perms; -+ class x_synthetic_event all_x_synthetic_event_perms; -+ type xevent_t, input_xevent_t, client_xevent_t; -+ type clipboard_xselection_t; -+ type xproperty_t, focus_xevent_t, info_xproperty_t, manage_xevent_t; -+ type manage_xevent_t, output_xext_t, property_xevent_t; -+ type debug_xext_t, screensaver_xext_t; -+ type shmem_xext_t, xselection_t; -+ attribute xevent_type, xextension_type; -+ ') -+ # can receive certain root window events -+ allow $2 self:x_cursor { destroy create use setattr }; -+ allow $2 self:x_drawable { write getattr read destroy create add_child }; -+ -+ allow $2 self:x_gc { destroy create use setattr }; -+ allow $2 self:x_resource { write read }; -+ -+ allow $2 input_xevent_t:x_synthetic_event receive; -+ allow $2 client_xevent_t:x_synthetic_event { send receive }; -+ allow $2 focus_xevent_t:x_event receive; -+ allow $2 info_xproperty_t:x_property read; -+ allow $2 manage_xevent_t:x_event receive; -+ allow $2 manage_xevent_t:x_synthetic_event { send receive }; -+ -+ allow $2 xextension_type:x_extension { query use }; -+ -+ allow $2 property_xevent_t:x_event receive; -+ -+# allow $2 $1_client_xevent_t:x_synthetic_event receive; -+# allow $2 $1_client_xevent_t:x_event receive; -+# allow $2 $1_focus_xevent_t:x_event receive; -+# allow $2 $1_input_xevent_t:x_event receive; -+# allow $2 $1_input_xevent_t:x_synthetic_event receive; -+# allow $2 $1_manage_xevent_t:x_event receive; -+# allow $2 $1_property_xevent_t:x_event receive; -+ allow $2 xevent_type:x_event receive; -+ allow $2 xevent_type:x_synthetic_event receive; -+ -+ allow $2 $1_t:x_drawable { get_property setattr show receive blend create manage add_child write read getattr list_child set_property }; -+ -+# Broken Compiler -+# allow $2 $1_xproperty_t:x_property read; -+ allow $2 xproperty_type:x_property {getattr read }; -+ -+ allow $2 std_xext_t:x_extension { query use }; -+ allow $2 xproperty_t:x_property { write create destroy }; -+ allow $2 xselection_t:x_selection getattr; -+ allow $2 clipboard_xselection_t:x_selection { getattr setattr }; -+ -+ allow $1_t $2:x_resource { write read }; -+ -+# xserver_use($1, $1, $2) -+ xserver_use(xdm, $1, $2) -+') -+ -+ - ####################################### - ## - ## Interface to provide X object permissions on a given X server to -@@ -682,7 +803,7 @@ - # - template(`xserver_common_x_domain_template',` - gen_require(` -- type $1_rootwindow_t, std_xext_t, shmem_xext_t; -+ type std_xext_t, shmem_xext_t; - type xproperty_t, info_xproperty_t, clipboard_xproperty_t; - type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; - type xevent_t, client_xevent_t; -@@ -691,7 +812,6 @@ - attribute x_server_domain, x_domain; - attribute xproperty_type; - attribute xevent_type, xextension_type; -- attribute $1_x_domain, $1_input_xevent_type; - - class x_drawable all_x_drawable_perms; - class x_screen all_x_screen_perms; -@@ -708,6 +828,7 @@ - class x_resource all_x_resource_perms; - class x_event all_x_event_perms; - class x_synthetic_event all_x_synthetic_event_perms; -+ attribute $1_x_domain; - ') - - ############################## -@@ -715,20 +836,22 @@ - # Declarations - # - -- # Type attributes -- typeattribute $3 $1_x_domain, x_domain; -+ type $2_input_xevent_t, xevent_type; - - # Types for properties - type $2_xproperty_t alias $2_default_xproperty_t, xproperty_type; - - # Types for events -- type $2_input_xevent_t, $1_input_xevent_type, xevent_type; - type $2_property_xevent_t, xevent_type; - type $2_focus_xevent_t, xevent_type; - type $2_manage_xevent_t, xevent_type; - type $2_default_xevent_t, xevent_type; - type $2_client_xevent_t, xevent_type; - -+ # Type attributes -+ typeattribute $2_t x_domain; -+ typeattribute $2_t $1_x_domain; -+ - ############################## - # - # Local Policy -@@ -746,7 +869,7 @@ - allow $3 x_server_domain:x_server getattr; - # everyone can do override-redirect windows. - # this could be used to spoof labels -- allow $3 self:x_drawable override; -+ allow $3 $3:x_drawable override; - # everyone can receive management events on the root window - # allows to know when new windows appear, among other things - allow $3 manage_xevent_t:x_event receive; -@@ -755,36 +878,30 @@ - # can read server-owned resources - allow $3 x_server_domain:x_resource read; - # can mess with own clients -- allow $3 self:x_client { manage destroy }; -+ allow $3 $3:x_client { manage destroy }; - - # X Protocol Extensions - allow $3 std_xext_t:x_extension { query use }; - allow $3 shmem_xext_t:x_extension { query use }; - dontaudit $3 xextension_type:x_extension { query use }; - -+ tunable_policy(`xserver_rw_x_device',` -+ allow $3 x_server_domain:x_device { read write }; -+ ') -+ - # X Properties - # can read and write client properties -- allow $3 $2_xproperty_t:x_property { create destroy read write append }; -+ allow $3 $2_xproperty_t:x_property { getattr create destroy read write append }; - type_transition $3 xproperty_t:x_property $2_xproperty_t; - # can read and write cut buffers -- allow $3 clipboard_xproperty_t:x_property { create read write append }; -+ allow $3 clipboard_xproperty_t:x_property { getattr create read write append }; - # can read info properties -- allow $3 info_xproperty_t:x_property read; -- # can change properties of root window -- allow $3 $1_rootwindow_t:x_drawable { list_property get_property set_property }; -+ allow $3 info_xproperty_t:x_property { getattr read }; - # can change properties of own windows -- allow $3 self:x_drawable { list_property get_property set_property }; -+ allow $3 $3:x_drawable { list_property get_property set_property }; - -- # X Windows -- # operations allowed on root windows -- allow $3 $1_rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive }; - # operations allowed on my windows -- allow $3 self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; -- type_transition $3 $1_rootwindow_t:x_drawable $3; -- -- # X Colormaps -- # can use the default colormap -- allow $3 $1_rootwindow_t:x_colormap { read use add_color }; -+ allow $3 $3:x_drawable { blend create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; - - # X Input - # can receive own events -@@ -811,6 +928,12 @@ - allow $3 manage_xevent_t:x_synthetic_event send; - allow $3 client_xevent_t:x_synthetic_event send; - -+ allow $3 input_xevent_t:x_event receive; -+ allow $3 input_xevent_t:x_synthetic_event send; -+ allow $3 $2_client_xevent_t:x_synthetic_event send; -+ allow $3 xproperty_t:x_property { read destroy }; -+ allow $3 xselection_t:x_selection setattr; -+ - # X Selections - # can use the clipboard - allow $3 clipboard_xselection_t:x_selection { getattr setattr read }; -@@ -819,13 +942,15 @@ - - # Other X Objects - # can create and use cursors -- allow $3 self:x_cursor *; -+ allow $3 $3:x_cursor *; - # can create and use graphics contexts -- allow $3 self:x_gc *; -+ allow $3 $3:x_gc *; - # can create and use colormaps -- allow $3 self:x_colormap *; -+ allow $3 $3:x_colormap *; - # can read and write own objects -- allow $3 self:x_resource { read write }; -+ allow $3 $3:x_resource { read write }; -+ -+ xserver_common_app($1, $3) - - tunable_policy(`! xserver_object_manager',` - # should be xserver_unconfined($3), -@@ -885,24 +1010,17 @@ - # - template(`xserver_user_x_domain_template',` - gen_require(` -- type xdm_t, xdm_tmp_t; -- type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t; -+ type xdm_xproperty_t; -+ type xauth_home_t, iceauth_home_t; - ') - -- allow $3 self:shm create_shm_perms; -- allow $3 self:unix_dgram_socket create_socket_perms; -- allow $3 self:unix_stream_socket { connectto create_stream_socket_perms }; -+ allow $3 $3:shm create_shm_perms; -+ allow $3 $3:unix_dgram_socket create_socket_perms; -+ allow $3 $3:unix_stream_socket { connectto create_stream_socket_perms }; - - # Read .Xauthority file -- allow $3 $1_xauth_home_t:file { getattr read }; -- allow $3 $1_iceauth_home_t:file { getattr read }; -- -- # for when /tmp/.X11-unix is created by the system -- allow $3 xdm_t:fd use; -- allow $3 xdm_t:fifo_file { getattr read write ioctl }; -- allow $3 xdm_tmp_t:dir search; -- allow $3 xdm_tmp_t:sock_file { read write }; -- dontaudit $3 xdm_t:tcp_socket { read write }; -+ allow $3 xauth_home_t:file read_file_perms; -+ allow $3 iceauth_home_t:file read_file_perms; - - # Allow connections to X server. - files_search_tmp($3) -@@ -917,16 +1035,16 @@ - xserver_rw_session_template($1, $3, $4) - xserver_use_user_fonts($1, $3) - -- xserver_read_xdm_tmp_files($3) -- - # X object manager - xserver_common_x_domain_template($1, $2, $3) - -- # Client write xserver shm -- tunable_policy(`allow_write_xshm',` -- allow $3 $1_xserver_t:shm rw_shm_perms; -- allow $3 $1_xserver_tmpfs_t:file rw_file_perms; -- ') -+ allow $3 xdm_xproperty_t:x_property { write read }; -+ allow $3 xdm_xserver_t:x_screen { saver_hide saver_show }; -+ -+# allow $3 $1_rootwindow_t:x_drawable read; -+ allow $3 xdm_rootwindow_t:x_drawable read; -+ -+ xserver_use_xdm($3) - ') - - ######################################## -@@ -958,26 +1076,43 @@ - # - template(`xserver_use_user_fonts',` - gen_require(` -- type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t; -+ type fonts_home_t, fonts_cache_home_t, fonts_config_home_t; - ') - - # Read per user fonts -- allow $2 $1_fonts_t:dir list_dir_perms; -- allow $2 $1_fonts_t:file read_file_perms; -+ read_files_pattern($2, fonts_home_t, fonts_home_t) - - # Manipulate the global font cache -- manage_dirs_pattern($2, $1_fonts_cache_t, $1_fonts_cache_t) -- manage_files_pattern($2, $1_fonts_cache_t, $1_fonts_cache_t) -+ manage_dirs_pattern($2, fonts_cache_home_t, fonts_cache_home_t) -+ manage_files_pattern($2, fonts_cache_home_t, fonts_cache_home_t) - - # Read per user font config -- allow $2 $1_fonts_config_t:dir list_dir_perms; -- allow $2 $1_fonts_config_t:file read_file_perms; -+ allow $2 fonts_config_home_t:dir list_dir_perms; -+ allow $2 fonts_config_home_t:file read_file_perms; - - userdom_search_user_home_dirs($1, $2) - ') - - ######################################## - ## -+## Get the attributes of xauth executable -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xserver_getattr_xauth',` -+ gen_require(` -+ type xauth_exec_t; -+ ') -+ -+ allow $1 xauth_exec_t:file getattr; -+') -+ -+######################################## -+## - ## Transition to a user Xauthority domain. - ## - ## -@@ -1003,10 +1138,77 @@ - # - template(`xserver_domtrans_user_xauth',` - gen_require(` -- type $1_xauth_t, xauth_exec_t; -+ type xauth_t, xauth_exec_t; - ') - -- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) -+ domtrans_pattern($2, xauth_exec_t, xauth_t) -+') -+ -+######################################## -+## -+## Read a user Xauthority domain. -+## -+## -+##

-+## read to a user Xauthority domain. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`xserver_read_user_xauth',` -+ gen_require(` -+ type xauth_home_t; -+ ') -+ -+ allow $2 xauth_home_t:file read_file_perms; -+') -+ -+######################################## -+## -+## Read a user Iceauthority domain. -+## -+## -+##

-+## read to a user Iceauthority domain. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`xserver_read_user_iceauth',` -+ gen_require(` -+ type iceauth_home_t; -+ ') -+ -+ # Read .Iceauthority file -+ allow $2 iceauth_home_t:file read_file_perms; - ') - - ######################################## -@@ -1036,10 +1238,10 @@ - # - template(`xserver_user_home_dir_filetrans_user_xauth',` - gen_require(` -- type $1_xauth_home_t; -+ type xauth_home_t; - ') - -- userdom_user_home_dir_filetrans($1, $2, $1_xauth_home_t, file) -+ userdom_user_home_dir_filetrans($1, $2, xauth_home_t, file) - ') - - ######################################## -@@ -1180,7 +1382,7 @@ - type xdm_t; - ') - -- allow $1 xdm_t:fifo_file { getattr read write }; -+ allow $1 xdm_t:fifo_file rw_fifo_file_perms; - ') - - ######################################## -@@ -1225,6 +1427,25 @@ - - ######################################## - ## -+## Connect to apmd over an unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xserver_stream_connect',` -+ gen_require(` -+ type xdm_xserver_t, xserver_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, xserver_var_run_t, xserver_var_run_t, xdm_xserver_t) -+') -+ -+######################################## -+## - ## Read xdm-writable configuration files. - ## - ## -@@ -1239,7 +1460,7 @@ - ') - - files_search_etc($1) -- allow $1 xdm_rw_etc_t:file { getattr read }; -+ allow $1 xdm_rw_etc_t:file read_file_perms; - ') - - ######################################## -@@ -1279,6 +1500,7 @@ - files_search_tmp($1) - allow $1 xdm_tmp_t:dir list_dir_perms; - create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) -+ allow $1 xdm_tmp_t:sock_file unlink; - ') - - ######################################## -@@ -1297,7 +1519,7 @@ - ') - - files_search_pids($1) -- allow $1 xdm_var_run_t:file read_file_perms; -+ read_files_pattern($1, xdm_var_run_t, xdm_var_run_t) - ') - - ######################################## -@@ -1315,7 +1537,25 @@ - type xdm_var_lib_t; - ') - -- allow $1 xdm_var_lib_t:file { getattr read }; -+ allow $1 xdm_var_lib_t:file read_file_perms; -+') -+ -+######################################## -+## -+## dontaudit search of XDM var lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xserver_dontaudit_xdm_lib_search',` -+ gen_require(` -+ type xdm_var_lib_t; -+ ') -+ -+ dontaudit $1 xdm_var_lib_t:dir search_dir_perms; - ') - - ######################################## -@@ -1330,15 +1570,47 @@ - # - interface(`xserver_domtrans_xdm_xserver',` - gen_require(` -- type xdm_xserver_t, xserver_exec_t; -+ type xdm_xserver_t, xserver_exec_t, xdm_t; - ') - - allow $1 xdm_xserver_t:process siginh; -+ allow xdm_t $1:process sigchld; - domtrans_pattern($1, xserver_exec_t, xdm_xserver_t) - ') - - ######################################## - ## -+## Execute xsever in the xdm_xserver domain, and -+## allow the specified role the xdm_xserver domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+## -+## -+## The role to be allowed the xdm_xserver domain. -+## -+## -+## -+## -+## The type of the terminal allow the xdm_xserver domain to use. -+## -+## -+# -+interface(`xserver_run_xdm_xserver',` -+ gen_require(` -+ type xdm_xserver_t; -+ ') -+ -+ xserver_domtrans_xdm_xserver($1) -+ role $2 types xdm_xserver_t; -+ allow xdm_xserver_t $3:chr_file rw_term_perms; -+') -+ -+######################################## -+## - ## Make an X session script an entrypoint for the specified domain. - ## - ## -@@ -1488,7 +1760,7 @@ - type xdm_xserver_tmp_t; - ') - -- allow $1 xdm_xserver_tmp_t:file { getattr read }; -+ read_files_pattern($1, xdm_xserver_tmp_t, xdm_xserver_tmp_t) - ') - - ######################################## -@@ -1680,6 +1952,26 @@ - - ######################################## - ## -+## Connect to apmd over an unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xserver_xdm_stream_connect',` -+ gen_require(` -+ type xdm_t, xdm_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 xdm_var_run_t:sock_file write; -+ allow $1 xdm_t:unix_stream_socket connectto; -+') -+ -+######################################## -+## - ## xdm xserver RW shared memory socket. - ## - ## -@@ -1698,6 +1990,24 @@ - - ######################################## - ## -+## Ptrace XDM -+## -+## -+## -+## Domain to not audit -+## -+## -+# -+interface(`xserver_ptrace_xdm',` -+ gen_require(` -+ type xdm_t; -+ ') -+ -+ allow $1 xdm_t:process ptrace; -+') -+ -+######################################## -+## - ## Interface to provide X object permissions on a given X server to - ## an X client domain. Gives the domain complete control over the - ## display. -@@ -1710,8 +2020,176 @@ - # - interface(`xserver_unconfined',` - gen_require(` -- attribute xserver_unconfined_type; -+ attribute xserver_unconfined_type, x_domain; -+ ') -+ -+ typeattribute $1 xserver_unconfined_type, x_domain; -+') -+ -+######################################## -+## -+## Read xserver files created in /var/run -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xserver_read_pid',` -+ gen_require(` -+ type xserver_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, xserver_var_run_t, xserver_var_run_t) -+') -+ -+######################################## -+## -+## Execute xserver files created in /var/run -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xserver_exec_pid',` -+ gen_require(` -+ type xserver_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t) -+') -+ -+######################################## -+## -+## Write xserver files created in /var/run -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xserver_write_pid',` -+ gen_require(` -+ type xserver_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ write_files_pattern($1, xserver_var_run_t, xserver_var_run_t) -+') -+ -+######################################## -+## -+## Read user homedir fonts. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`xserver_manage_home_fonts',` -+ gen_require(` -+ type fonts_home_t; -+ type fonts_config_home_t; -+ ') -+ -+ manage_dirs_pattern($1, fonts_home_t, fonts_home_t) -+ manage_files_pattern($1, fonts_home_t, fonts_home_t) -+ manage_lnk_files_pattern($1, fonts_home_t, fonts_home_t) -+ -+ manage_files_pattern($1, fonts_config_home_t, fonts_config_home_t) -+') -+ -+######################################## -+## -+## Read user homedir fonts. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`xserver_read_home_fonts',` -+ gen_require(` -+ type fonts_home_t; -+ ') -+ -+ read_files_pattern($1, fonts_home_t, fonts_home_t) -+ read_lnk_files_pattern($1, fonts_home_t, fonts_home_t) -+') -+ -+######################################## -+## -+## write to .xsession-errors file -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xserver_rw_xdm_home_files',` -+ gen_require(` -+ type xdm_home_t; -+ ') -+ -+ allow $1 xdm_home_t:file rw_file_perms; -+') -+ -+######################################## -+## -+## Dontaudit write to .xsession-errors file -+## -+## -+## -+## Domain to not audit -+## -+## -+# -+interface(`xserver_dontaudit_rw_xdm_home_files',` -+ gen_require(` -+ type xdm_home_t; - ') - -- typeattribute $1 xserver_unconfined_type; -+ dontaudit $1 xdm_home_t:file rw_file_perms; -+') -+ -+####################################### -+## -+## Interface to provide X object permissions on a given X server to -+## an X client domain. Provides the minimal set required by a basic -+## X client application. -+## -+## -+## -+## Client domain allowed access. -+## -+## -+# -+interface(`xserver_use_xdm',` -+ gen_require(` -+ type xdm_t, xdm_tmp_t; -+ ') -+ -+ allow $1 xdm_t:fd use; -+ allow $1 xdm_t:fifo_file rw_fifo_file_perms; -+ dontaudit $1 xdm_t:tcp_socket { read write }; -+ -+ # Allow connections to X server. -+ xserver_stream_connect_xdm($1) -+ xserver_read_xdm_tmp_files($1) -+ xserver_xdm_stream_connect($1) -+ -+ allow $1 xdm_t:x_client { getattr destroy }; -+ allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child }; -+ allow $1 xdm_xproperty_t:x_property { write read }; - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.13/policy/modules/services/xserver.te ---- nsaserefpolicy/policy/modules/services/xserver.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/xserver.te 2008-11-05 15:24:47.000000000 -0500 -@@ -8,6 +8,14 @@ - - ## - ##

-+## Allows X clients to read/write the x devices (keyboard/mouse) -+##

-+## -+gen_tunable(xserver_rw_x_device, true) -+ -+ -+## -+##

- ## Allows clients to write to the X server shared - ## memory segments. - ##

-@@ -16,6 +24,13 @@ - - ## - ##

-+## Allows XServer to execute writable memory -+##

-+## -+gen_tunable(allow_xserver_execmem, false) -+ -+## -+##

- ## Allow xdm logins as sysadm - ##

- ## -@@ -36,6 +51,7 @@ - # Domains - attribute xserver_unconfined_type; - attribute x_server_domain; -+attribute x_server_domain_tmpfs; - - # Per-object attributes - attribute rootwindow_type; -@@ -92,7 +108,10 @@ - files_lock_file(xdm_lock_t) - - type xdm_rw_etc_t; --files_type(xdm_rw_etc_t) -+files_config_file(xdm_rw_etc_t) -+ -+type xdm_spool_t; -+files_type(xdm_spool_t) - - type xdm_var_lib_t; - files_type(xdm_var_lib_t) -@@ -100,6 +119,12 @@ - type xdm_var_run_t; - files_pid_file(xdm_var_run_t) - -+type xserver_var_lib_t; -+files_type(xserver_var_lib_t) -+ -+type xserver_var_run_t; -+files_pid_file(xserver_var_run_t) -+ - type xdm_tmp_t; - files_tmp_file(xdm_tmp_t) - typealias xdm_tmp_t alias ice_tmp_t; -@@ -107,6 +132,9 @@ - type xdm_tmpfs_t; - files_tmpfs_file(xdm_tmpfs_t) - -+type xdm_home_t; -+userdom_user_home_content(user, xdm_home_t) -+ - # type for /var/lib/xkb - type xkb_var_lib_t; - files_type(xkb_var_lib_t) -@@ -122,6 +150,31 @@ - type xserver_log_t; - logging_log_file(xserver_log_t) - -+type fonts_cache_home_t, fonts_cache_type; -+userdom_user_home_content(user, fonts_cache_home_t) -+ -+type fonts_home_t, fonts_type; -+userdom_user_home_content(user, fonts_home_t) -+ -+type fonts_config_home_t, fonts_config_type; -+userdom_user_home_content(user, fonts_config_home_t) -+ -+type iceauth_home_t; -+userdom_user_home_content(user, iceauth_home_t) -+ -+type xauth_t; -+domain_type(xauth_t) -+domain_entry_file(xauth_t, xauth_exec_t) -+ -+type xauth_home_t, xauth_home_type; -+userdom_user_home_content(user, xauth_home_t) -+ -+type admin_xauth_home_t; -+files_type(admin_xauth_home_t) -+ -+type xauth_tmp_t; -+files_tmp_file(xauth_tmp_t) -+ - xserver_common_domain_template(xdm) - xserver_common_x_domain_template(xdm, xdm, xdm_t) - init_system_domain(xdm_xserver_t, xserver_exec_t) -@@ -140,13 +193,14 @@ - # XDM Local policy - # - --allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; --allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; -+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace }; -+allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate ptrace }; -+allow xdm_t self:process { getattr getcap setcap }; - allow xdm_t self:fifo_file rw_fifo_file_perms; - allow xdm_t self:shm create_shm_perms; - allow xdm_t self:sem create_sem_perms; - allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; --allow xdm_t self:unix_dgram_socket create_socket_perms; -+allow xdm_t self:unix_dgram_socket { create_socket_perms sendto }; - allow xdm_t self:tcp_socket create_stream_socket_perms; - allow xdm_t self:udp_socket create_socket_perms; - allow xdm_t self:socket create_socket_perms; -@@ -154,6 +208,12 @@ - allow xdm_t self:key { search link write }; - - allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; -+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) -+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) -+ -+manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) -+unprivuser_home_dir_filetrans(xdm_t, xdm_home_t, file) -+#userdom_manage_user_home_content_files(user, xdm_t) - - # Allow gdm to run gdm-binary - can_exec(xdm_t, xdm_exec_t) -@@ -169,6 +229,8 @@ - manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) - manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) - files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) -+relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -+relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) - - manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) - manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) -@@ -176,15 +238,32 @@ - manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) - manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) - fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) -+fs_rw_tmpfs_files(xdm_xserver_t) -+fs_getattr_all_fs(xdm_t) -+fs_search_inotifyfs(xdm_t) -+fs_list_all(xdm_t) -+fs_read_noxattr_fs_files(xdm_t) -+ -+manage_files_pattern(xdm_t, fonts_home_t, fonts_home_t) -+ -+files_search_spool(xdm_t) -+manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t) -+manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t) -+files_spool_filetrans(xdm_t, xdm_spool_t, { file dir }) - - manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) - manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) --files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file) -+manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) -+manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) -+files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir }) -+# Read machine-id -+files_read_var_lib_files(xdm_t) - - manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) - manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) - manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) --files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file }) -+manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) -+files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file }) - - allow xdm_t xdm_xserver_t:process signal; - allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -198,6 +277,7 @@ - allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; - - allow xdm_t xdm_xserver_t:shm rw_shm_perms; -+read_files_pattern(xdm_t, xdm_xserver_t, xdm_xserver_t) - - # connect to xdm xserver over stream socket - stream_connect_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t, xdm_xserver_t) -@@ -229,6 +309,7 @@ - corenet_udp_sendrecv_all_ports(xdm_t) - corenet_tcp_bind_all_nodes(xdm_t) - corenet_udp_bind_all_nodes(xdm_t) -+corenet_udp_bind_xdmcp_port(xdm_t) - corenet_tcp_connect_all_ports(xdm_t) - corenet_sendrecv_all_client_packets(xdm_t) - # xdm tries to bind to biff_port_t -@@ -241,6 +322,7 @@ - dev_getattr_mouse_dev(xdm_t) - dev_setattr_mouse_dev(xdm_t) - dev_rw_apm_bios(xdm_t) -+dev_rw_input_dev(xdm_t) - dev_setattr_apm_bios_dev(xdm_t) - dev_rw_dri(xdm_t) - dev_rw_agp(xdm_t) -@@ -253,14 +335,17 @@ - dev_setattr_video_dev(xdm_t) - dev_getattr_scanner_dev(xdm_t) - dev_setattr_scanner_dev(xdm_t) --dev_getattr_sound_dev(xdm_t) --dev_setattr_sound_dev(xdm_t) -+dev_read_sound(xdm_t) -+dev_write_sound(xdm_t) - dev_getattr_power_mgmt_dev(xdm_t) - dev_setattr_power_mgmt_dev(xdm_t) -+dev_getattr_null_dev(xdm_t) -+dev_setattr_null_dev(xdm_t) - - domain_use_interactive_fds(xdm_t) - # Do not audit denied probes of /proc. - domain_dontaudit_read_all_domains_state(xdm_t) -+domain_dontaudit_ptrace_all_domains(xdm_t) - - files_read_etc_files(xdm_t) - files_read_var_files(xdm_t) -@@ -271,9 +356,13 @@ - files_read_usr_files(xdm_t) - # Poweroff wants to create the /poweroff file when run from xdm - files_create_boot_flag(xdm_t) -+files_dontaudit_getattr_boot_dirs(xdm_t) -+files_dontaudit_write_usr_files(xdm_t) - - fs_getattr_all_fs(xdm_t) - fs_search_auto_mountpoints(xdm_t) -+fs_rw_anon_inodefs_files(xdm_t) -+fs_mount_tmpfs(xdm_t) - - storage_dontaudit_read_fixed_disk(xdm_t) - storage_dontaudit_write_fixed_disk(xdm_t) -@@ -282,6 +371,7 @@ - storage_dontaudit_raw_write_removable_device(xdm_t) - storage_dontaudit_setattr_removable_dev(xdm_t) - storage_dontaudit_rw_scsi_generic(xdm_t) -+storage_dontaudit_rw_fuse(xdm_t) - - term_setattr_console(xdm_t) - term_use_unallocated_ttys(xdm_t) -@@ -290,6 +380,7 @@ - auth_domtrans_pam_console(xdm_t) - auth_manage_pam_pid(xdm_t) - auth_manage_pam_console_data(xdm_t) -+auth_signal_pam(xdm_t) - auth_rw_faillog(xdm_t) - auth_write_login_records(xdm_t) - -@@ -301,21 +392,26 @@ - libs_exec_lib_files(xdm_t) - - logging_read_generic_logs(xdm_t) -+logging_send_audit_msgs(xdm_t) - -+miscfiles_dontaudit_write_fonts(xdm_t) - miscfiles_read_localization(xdm_t) - miscfiles_read_fonts(xdm_t) -- --sysnet_read_config(xdm_t) -+miscfiles_manage_localization(xdm_t) - - userdom_dontaudit_use_unpriv_user_fds(xdm_t) - userdom_create_all_users_keys(xdm_t) - # for .dmrc --userdom_read_unpriv_users_home_content_files(xdm_t) -+unprivuser_read_home_content_files(xdm_t) -+unprivuser_dontaudit_write_home_content_files(xdm_t) -+ - # Search /proc for any user domain processes. - userdom_read_all_users_state(xdm_t) - userdom_signal_all_users(xdm_t) -- --sysadm_dontaudit_search_home_dirs(xdm_t) -+# -+# Wants to delete .xsession-errors file -+# -+userdom_unlink_unpriv_users_home_content_files(xdm_t) - - xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t) - xserver_unconfined(xdm_t) -@@ -348,10 +444,12 @@ - - optional_policy(` - alsa_domtrans(xdm_t) -+ alsa_read_rw_config(xdm_t) - ') - - optional_policy(` - consolekit_dbus_chat(xdm_t) -+ consolekit_read_log(xdm_t) - ') - - optional_policy(` -@@ -359,6 +457,22 @@ - ') - - optional_policy(` -+ # Use dbus to start other processes as xdm_t -+ dbus_per_role_template(xdm, xdm_t, system_r) -+ corecmd_bin_entry_type(xdm_t) -+ -+ dbus_system_bus_client_template(xdm, xdm_t) -+ -+ optional_policy(` -+ hal_dbus_chat(xdm_t) -+ ') -+ -+ optional_policy(` -+ networkmanager_dbus_chat(xdm_t) -+ ') -+') -+ -+optional_policy(` - # Talk to the console mouse server. - gpm_stream_connect(xdm_t) - gpm_setattr_gpmctl(xdm_t) -@@ -382,16 +496,34 @@ - ') - - optional_policy(` -+ polkit_domtrans_auth(xdm_t) -+ polkit_read_lib(xdm_t) -+') -+ -+# On crash gdm execs gdb to dump stack -+optional_policy(` -+ rpm_exec(xdm_t) -+ rpm_read_db(xdm_t) -+ rpm_dontaudit_manage_db(xdm_t) -+') -+ -+optional_policy(` - seutil_sigchld_newrole(xdm_t) - ') - - optional_policy(` -+ sysadm_dontaudit_search_home_dirs(xdm_t) -+ sysadm_dontaudit_read_home_sym_links(xdm_t) -+ sysadm_dontaudit_write_home_dirs(xdm_t) -+') -+ -+optional_policy(` - udev_read_db(xdm_t) - ') - - optional_policy(` -- unconfined_domain(xdm_t) - unconfined_domtrans(xdm_t) -+ unconfined_signal(xdm_t) - - ifndef(`distro_redhat',` - allow xdm_t self:process { execheap execmem }; -@@ -411,6 +543,10 @@ - ') - - optional_policy(` -+ wm_exec(xdm_t) -+') -+ -+optional_policy(` - xfs_stream_connect(xdm_t) - ') - -@@ -427,7 +563,7 @@ - allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; - dontaudit xdm_xserver_t xdm_var_lib_t:dir search; - --allow xdm_xserver_t xdm_var_run_t:file read_file_perms; -+read_files_pattern(xdm_xserver_t, xdm_var_run_t, xdm_var_run_t) - - # Label pid and temporary files with derived types. - manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -439,6 +575,15 @@ - can_exec(xdm_xserver_t, xkb_var_lib_t) - files_search_var_lib(xdm_xserver_t) - -+manage_dirs_pattern(xdm_xserver_t, xserver_var_lib_t, xserver_var_lib_t) -+manage_files_pattern(xdm_xserver_t, xserver_var_lib_t, xserver_var_lib_t) -+files_var_lib_filetrans(xdm_xserver_t, xserver_var_lib_t, dir) -+ -+manage_dirs_pattern(xdm_xserver_t, xserver_var_run_t, xserver_var_run_t) -+manage_files_pattern(xdm_xserver_t, xserver_var_run_t, xserver_var_run_t) -+manage_sock_files_pattern(xdm_xserver_t, xdm_var_run_t, xdm_var_run_t) -+files_pid_filetrans(xdm_xserver_t, xserver_var_run_t, { dir file }) -+ - # VNC v4 module in X server - corenet_tcp_bind_vnc_port(xdm_xserver_t) - -@@ -450,10 +595,19 @@ - # xdm_xserver_t may no longer have any reason - # to read ROLE_home_t - examine this in more detail - # (xauth?) --userdom_read_unpriv_users_home_content_files(xdm_xserver_t) -+unprivuser_read_home_content_files(xdm_xserver_t) -+unprivuser_manage_tmp_files(xdm_xserver_t) - - xserver_use_all_users_fonts(xdm_xserver_t) - -+getty_use_fds(xdm_xserver_t) -+locallogin_use_fds(xdm_xserver_t) -+userdom_dontaudit_write_user_home_content_files(user, xdm_xserver_t) -+ -+optional_policy(` -+ userhelper_search_config(xdm_xserver_t) -+') -+ - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(xdm_xserver_t) - fs_manage_nfs_files(xdm_xserver_t) -@@ -468,8 +622,19 @@ - - optional_policy(` - dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t) -+ -+ optional_policy(` - hal_dbus_chat(xdm_xserver_t) - ') -+') -+ -+optional_policy(` -+ locallogin_use_fds(xdm_xserver_t) -+') -+ -+optional_policy(` -+ mono_rw_shm(xdm_xserver_t) -+') - - optional_policy(` - resmgr_stream_connect(xdm_t) -@@ -481,8 +646,25 @@ - ') - - optional_policy(` -- unconfined_domain_noaudit(xdm_xserver_t) -- unconfined_domtrans(xdm_xserver_t) -+ rpm_dontaudit_rw_shm(xdm_xserver_t) -+ rpm_rw_tmpfs_files(xdm_xserver_t) -+') -+ -+optional_policy(` -+ unconfined_rw_shm(xdm_xserver_t) -+ unconfined_execmem_rw_shm(xdm_xserver_t) -+ unconfined_rw_tmpfs_files(xdm_xserver_t) -+ -+ # xserver signals unconfined user on startx -+ unconfined_signal(xdm_xserver_t) -+ unconfined_getpgid(xdm_xserver_t) -+ unconfined_domain(xdm_xserver_t) -+') -+ -+ -+tunable_policy(`allow_xserver_execmem',` -+ allow xdm_xserver_t self:process { execheap execmem execstack }; -+') - - ifndef(`distro_redhat',` - allow xdm_xserver_t self:process { execheap execmem }; -@@ -491,7 +673,6 @@ - ifdef(`distro_rhel4',` - allow xdm_xserver_t self:process { execheap execmem }; - ') --') - - ######################################## - # -@@ -512,6 +693,27 @@ - allow xserver_unconfined_type { x_domain x_server_domain }:x_resource *; - allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; - -+ -+tunable_policy(`!xserver_object_manager',` -+ gen_require(` -+ attribute domain; -+ ') -+ # we want no X confinement -+ allow domain domain:x_server *; -+ allow domain domain:x_drawable *; -+ allow domain domain:x_screen *; -+ allow domain domain:x_gc *; -+ allow domain domain:x_colormap *; -+ allow domain domain:x_property *; -+ allow domain domain:x_selection *; -+ allow domain domain:x_cursor *; -+ allow domain domain:x_client *; -+ allow domain domain:x_device *; -+ allow domain domain:x_extension *; -+ allow domain domain:x_resource *; -+ allow domain domain:{ x_event x_synthetic_event } *; -+') -+ - ifdef(`TODO',` - # Need to further investigate these permissions and - # perhaps define derived types. -@@ -544,3 +746,70 @@ - # - allow pam_t xdm_t:fifo_file { getattr ioctl write }; - ') dnl end TODO -+ -+# Client write xserver shm -+tunable_policy(`allow_write_xshm',` -+ allow x_domain x_server_domain:shm rw_shm_perms; -+ allow x_domain xdm_xserver_tmpfs_t:file rw_file_perms; -+') -+ -+############################## -+# -+# xauth_t Local policy -+# -+ -+allow xauth_t self:process signal; -+allow xauth_t self:unix_stream_socket create_stream_socket_perms; -+ -+allow xauth_t xauth_home_t:file manage_file_perms; -+userdom_user_home_dir_filetrans($1, xauth_t, xauth_home_t, file) -+ -+manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) -+manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) -+files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) -+ -+domain_use_interactive_fds(xauth_t) -+ -+files_read_etc_files(xauth_t) -+files_search_pids(xauth_t) -+ -+fs_getattr_xattr_fs(xauth_t) -+fs_search_auto_mountpoints(xauth_t) -+ -+auth_use_nsswitch(xauth_t) -+ -+libs_use_ld_so(xauth_t) -+libs_use_shared_libs(xauth_t) -+ -+files_search_pids(xauth_t) -+rw_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_files(xauth_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_files(xauth_t) -+') -+ -+optional_policy(` -+ ssh_sigchld(xauth_t) -+ ssh_read_pipes(xauth_t) -+ ssh_dontaudit_rw_tcp_sockets(xauth_t) -+') -+ -+allow xdm_t iceauth_home_t:file read_file_perms; -+ -+ -+# Hack to handle the problem of using the nvidia blobs -+tunable_policy(`allow_execmem',` -+ # Allow making anonymous memory executable, e.g. -+ # for runtime-code generation or executable stack. -+ allow xdm_t self:process execmem; -+') -+ -+tunable_policy(`allow_execstack',` -+ # Allow making the stack executable via mprotect; -+ # execstack implies execmem; -+ allow xdm_t self:process { execstack execmem }; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.te serefpolicy-3.5.13/policy/modules/services/zebra.te ---- nsaserefpolicy/policy/modules/services/zebra.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/zebra.te 2008-10-28 10:56:19.000000000 -0400 -@@ -41,7 +41,7 @@ - allow zebra_t self:capability { setgid setuid net_admin net_raw }; - dontaudit zebra_t self:capability sys_tty_config; - allow zebra_t self:process { signal_perms getcap setcap }; --allow zebra_t self:file rw_file_perms; -+allow zebra_t self:file { ioctl read write getattr lock append }; - allow zebra_t self:unix_dgram_socket create_socket_perms; - allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms }; - allow zebra_t self:netlink_route_socket rw_netlink_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.fc serefpolicy-3.5.13/policy/modules/services/zosremote.fc ---- nsaserefpolicy/policy/modules/services/zosremote.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/zosremote.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,2 @@ -+ -+/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.5.13/policy/modules/services/zosremote.if ---- nsaserefpolicy/policy/modules/services/zosremote.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/zosremote.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,52 @@ -+## policy for z/OS Remote-services Audit dispatcher plugin -+ -+######################################## -+## -+## Execute a domain transition to run audispd-zos-remote. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`zos_remote_domtrans',` -+ gen_require(` -+ type zos_remote_t; -+ type zos_remote_exec_t; -+ ') -+ -+ domtrans_pattern($1, zos_remote_exec_t, zos_remote_t) -+') -+ -+######################################## -+## -+## Allow specified type and role to transition and -+## run in the zos_remote_t domain. Allow specified type -+## to use zos_remote_t terminal. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the zos_remote domain. -+## -+## -+## -+## -+## The type of the role's terminal. -+## -+## -+# -+interface(`zos_remote_run',` -+ gen_require(` -+ type zos_remote_t; -+ ') -+ -+ zos_remote_domtrans($1) -+ role $2 types zos_remote_t; -+ dontaudit zos_remote_t $3:chr_file rw_term_perms; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.te serefpolicy-3.5.13/policy/modules/services/zosremote.te ---- nsaserefpolicy/policy/modules/services/zosremote.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/zosremote.te 2008-10-28 11:20:11.000000000 -0400 -@@ -0,0 +1,36 @@ -+policy_module(zosremote,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type zos_remote_t; -+type zos_remote_exec_t; -+logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t) -+ -+init_system_domain(zos_remote_t, zos_remote_exec_t) -+ -+role system_r types zos_remote_t; -+ -+ -+######################################## -+# -+# zos_remote local policy -+# -+ -+allow zos_remote_t self:fifo_file rw_file_perms; -+allow zos_remote_t self:unix_stream_socket create_stream_socket_perms; -+ -+allow zos_remote_t self:process signal; -+ -+files_read_etc_files(zos_remote_t) -+ -+auth_use_nsswitch(zos_remote_t); -+ -+libs_use_ld_so(zos_remote_t) -+libs_use_shared_libs(zos_remote_t) -+ -+miscfiles_read_localization(zos_remote_t) -+ -+logging_send_syslog_msg(zos_remote_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.5.13/policy/modules/system/application.te ---- nsaserefpolicy/policy/modules/system/application.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/application.te 2008-10-28 10:56:19.000000000 -0400 -@@ -7,6 +7,12 @@ - # Executables to be run by user - attribute application_exec_type; - -+unprivuser_append_home_content_files(application_domain_type) -+unprivuser_write_tmp_files(application_domain_type) -+logging_rw_all_logs(application_domain_type) -+ -+files_dontaudit_search_all_dirs(application_domain_type) -+ - optional_policy(` - ssh_sigchld(application_domain_type) - ssh_rw_stream_sockets(application_domain_type) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.5.13/policy/modules/system/authlogin.fc ---- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/authlogin.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -7,12 +7,10 @@ - /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) - /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) - --/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0) --/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0) -- - /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) - /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) - /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) -+/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) - /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - ifdef(`distro_suse', ` -@@ -40,6 +38,10 @@ - /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) - - /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) -- - /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -+/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -+ - /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -+/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) -+ -+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.5.13/policy/modules/system/authlogin.if ---- nsaserefpolicy/policy/modules/system/authlogin.if 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/authlogin.if 2008-10-28 10:56:19.000000000 -0400 -@@ -56,10 +56,6 @@ - miscfiles_read_localization($1_chkpwd_t) - - seutil_read_config($1_chkpwd_t) -- -- optional_policy(` -- kerberos_use($1_chkpwd_t) -- ') - ') - - ####################################### -@@ -99,7 +95,7 @@ - template(`authlogin_per_role_template',` - - gen_require(` -- type system_chkpwd_t, shadow_t; -+ type system_chkpwd_t, shadow_t, updpwd_t; - ') - - authlogin_common_auth_domain_template($1) -@@ -169,6 +165,7 @@ - interface(`auth_login_pgm_domain',` - gen_require(` - type var_auth_t; -+ type auth_cache_t; - ') - - domain_type($1) -@@ -177,12 +174,27 @@ - domain_obj_id_change_exemption($1) - role system_r types $1; - -+ # Needed for pam_selinux_permit to cleanup properly -+ domain_read_all_domains_state($1) -+ domain_kill_all_domains($1) -+ -+ # pam_keyring -+ allow $1 self:capability ipc_lock; -+ allow $1 self:process setkeycreate; -+ allow $1 self:key manage_key_perms; -+ userdom_manage_all_users_keys($1) -+ - files_list_var_lib($1) - manage_files_pattern($1, var_auth_t, var_auth_t) - - # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 - kernel_rw_afs_state($1) - -+ manage_dirs_pattern($1, auth_cache_t, auth_cache_t) -+ manage_files_pattern($1, auth_cache_t, auth_cache_t) -+ manage_sock_files_pattern($1, auth_cache_t, auth_cache_t) -+ files_var_filetrans($1, auth_cache_t, dir) -+ - # for SSP/ProPolice - dev_read_urand($1) - # for fingerprint readers -@@ -216,6 +228,7 @@ - auth_rw_faillog($1) - auth_exec_pam($1) - auth_use_nsswitch($1) -+ auth_manage_pam_pid($1) - - init_rw_utmp($1) - -@@ -226,8 +239,40 @@ - seutil_read_config($1) - seutil_read_default_contexts($1) - -+ userdom_set_rlimitnh($1) -+ userdom_read_all_users_home_content_symlinks($1) -+ unprivuser_unlink_tmp_files($1) -+ unprivuser_stream_connect($1) -+ -+ optional_policy(` -+ dbus_system_bus_client_template(notused, $1) -+ optional_policy(` -+ oddjob_dbus_chat($1) -+ oddjob_domtrans_mkhomedir($1) -+ ') -+ ') -+ -+ optional_policy(` -+ corecmd_exec_bin($1) -+ storage_getattr_fixed_disk_dev($1) -+ mount_domtrans($1) -+ ') -+ -+ optional_policy(` -+ nis_authenticate($1) -+ ') -+ -+ optional_policy(` -+ ssh_agent_exec($1) -+ userdom_read_all_users_home_content_files($1) -+ ') -+ - tunable_policy(`allow_polyinstantiation',` - files_polyinstantiate_all($1) -+ unprivuser_manage_home_content_dirs($1) -+ unprivuser_manage_home_content_files($1) -+ userdom_relabel_all_home_dirs($1) -+ userdom_relabel_all_home_files($1) - ') - ') - -@@ -333,19 +378,15 @@ - dev_read_rand($1) - dev_read_urand($1) - -+ auth_use_nsswitch($1) -+ - logging_send_audit_msgs($1) - - miscfiles_read_certs($1) - -- sysnet_dns_name_resolve($1) -- sysnet_use_ldap($1) -- - optional_policy(` -- kerberos_use($1) -- ') -- -- optional_policy(` -- nis_use_ypbind($1) -+ kerberos_read_keytab($1) -+ kerberos_connect_524($1) - ') - - optional_policy(` -@@ -356,6 +397,28 @@ - optional_policy(` - samba_stream_connect_winbind($1) - ') -+ auth_domtrans_upd_passwd($1) -+') -+ -+######################################## -+## -+## Run unix_chkpwd to check a password. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`auth_domtrans_chkpwd',` -+ gen_require(` -+ type system_chkpwd_t, chkpwd_exec_t, shadow_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, chkpwd_exec_t, system_chkpwd_t) -+ dontaudit $1 shadow_t:file { getattr read }; -+ auth_domtrans_upd_passwd($1) - ') - - ######################################## -@@ -369,12 +432,12 @@ - ## - ## - ## --## The role to allow the chkpwd domain. -+## The role to allow the updpwd domain. - ## - ## - ## - ## --## The type of the terminal allow the chkpwd domain to use. -+## The type of the terminal allow the updpwd domain to use. - ## - ## - # -@@ -386,6 +449,7 @@ - auth_domtrans_chk_passwd($1) - role $2 types system_chkpwd_t; - allow system_chkpwd_t $3:chr_file rw_file_perms; -+ auth_run_upd_passwd($1, $2, $3) - ') - - ######################################## -@@ -871,7 +935,7 @@ - files_search_var($1) - allow $1 var_auth_t:dir manage_dir_perms; - allow $1 var_auth_t:file rw_file_perms; -- allow $1 var_auth_t:lnk_file rw_lnk_file_perms; -+ allow $1 var_auth_t:lnk_file rw_file_perms; - ') - - ######################################## -@@ -1447,6 +1511,10 @@ - ') - - optional_policy(` -+ kerberos_use($1) -+ ') -+ -+ optional_policy(` - nis_use_ypbind($1) - ') - -@@ -1457,6 +1525,7 @@ - optional_policy(` - samba_stream_connect_winbind($1) - samba_read_var_files($1) -+ samba_dontaudit_write_var_files($1) - ') - ') - -@@ -1491,3 +1560,59 @@ - typeattribute $1 can_write_shadow_passwords; - typeattribute $1 can_relabelto_shadow_passwords; - ') -+ -+######################################## -+## -+## Read authentication cache -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`auth_read_cache',` -+ gen_require(` -+ type auth_cache_t; -+ ') -+ -+ read_files_pattern($1, auth_cache_t, auth_cache_t) -+') -+ -+######################################## -+## -+## Read/Write authentication cache -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`auth_rw_cache',` -+ gen_require(` -+ type auth_cache_t; -+ ') -+ -+ rw_files_pattern($1, auth_cache_t, auth_cache_t) -+') -+######################################## -+## -+## Manage authentication cache -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`auth_manage_cache',` -+ gen_require(` -+ type auth_cache_t; -+ ') -+ -+ manage_files_pattern($1, auth_cache_t, auth_cache_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.5.13/policy/modules/system/authlogin.te ---- nsaserefpolicy/policy/modules/system/authlogin.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/authlogin.te 2008-10-28 10:56:19.000000000 -0400 -@@ -59,6 +59,9 @@ - type utempter_exec_t; - application_domain(utempter_t,utempter_exec_t) - -+type auth_cache_t; -+logging_log_file(auth_cache_t) -+ - # - # var_auth_t is the type of /var/lib/auth, usually - # used for auth data in pam_able -@@ -73,6 +76,9 @@ - authlogin_common_auth_domain_template(system) - role system_r types system_chkpwd_t; - -+# Read only version of updpwd -+domain_entry_file(system_chkpwd_t, updpwd_exec_t) -+ - ######################################## - # - # PAM local policy -@@ -111,7 +117,8 @@ - term_use_all_user_ttys(pam_t) - term_use_all_user_ptys(pam_t) - --init_dontaudit_rw_utmp(pam_t) -+init_read_utmp(pam_t) -+init_dontaudit_write_utmp(pam_t) - - files_read_etc_files(pam_t) - -@@ -122,6 +129,12 @@ - - userdom_use_unpriv_users_fds(pam_t) - -+userdom_write_unpriv_users_tmp_files(pam_t) -+unprivuser_unlink_tmp_files(pam_t) -+unprivuser_dontaudit_read_home_content_files(pam_t) -+unprivuser_dontaudit_write_home_content_files(pam_t) -+unprivuser_append_home_content_files(pam_t) -+ - ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(pam_t) -@@ -155,6 +168,8 @@ - dev_read_sysfs(pam_console_t) - dev_getattr_apm_bios_dev(pam_console_t) - dev_setattr_apm_bios_dev(pam_console_t) -+dev_getattr_cpu_dev(pam_console_t) -+dev_setattr_cpu_dev(pam_console_t) - dev_getattr_dri_dev(pam_console_t) - dev_setattr_dri_dev(pam_console_t) - dev_getattr_input_dev(pam_console_t) -@@ -179,6 +194,10 @@ - dev_setattr_video_dev(pam_console_t) - dev_getattr_xserver_misc_dev(pam_console_t) - dev_setattr_xserver_misc_dev(pam_console_t) -+ -+dev_getattr_all_chr_files(pam_console_t) -+dev_setattr_all_chr_files(pam_console_t) -+ - dev_read_urand(pam_console_t) - - mls_file_read_all_levels(pam_console_t) -@@ -283,6 +302,11 @@ - ') - ') - -+optional_policy(` -+ # apache leaks file descriptors -+ apache_dontaudit_rw_tcp_sockets(system_chkpwd_t) -+') -+ - ######################################## - # - # updpwd local policy -@@ -298,8 +322,10 @@ - files_manage_etc_files(updpwd_t) - - term_dontaudit_use_console(updpwd_t) --term_dontaudit_use_console(updpwd_t) -+term_dontaudit_use_all_user_ptys(updpwd_t) -+term_dontaudit_use_all_user_ttys(updpwd_t) - term_dontaudit_use_unallocated_ttys(updpwd_t) -+term_dontaudit_use_generic_ptys(updpwd_t) - - auth_manage_shadow(updpwd_t) - auth_use_nsswitch(updpwd_t) -@@ -360,11 +386,6 @@ - ') - - optional_policy(` -- # Allow utemper to write to /tmp/.xses-* -- unconfined_write_tmp_files(utempter_t) --') -- --optional_policy(` - xserver_use_xdm_fds(utempter_t) - xserver_rw_xdm_pipes(utempter_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.5.13/policy/modules/system/fstools.fc ---- nsaserefpolicy/policy/modules/system/fstools.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/fstools.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,4 +1,3 @@ --/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -21,7 +20,6 @@ - /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) --/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.5.13/policy/modules/system/fstools.te ---- nsaserefpolicy/policy/modules/system/fstools.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/fstools.te 2008-10-28 10:56:19.000000000 -0400 -@@ -97,6 +97,10 @@ - fs_getattr_tmpfs_dirs(fsadm_t) - fs_read_tmpfs_symlinks(fsadm_t) - -+fs_manage_nfs_files(fsadm_t) -+ -+fs_manage_cifs_files(fsadm_t) -+ - mls_file_read_all_levels(fsadm_t) - mls_file_write_all_levels(fsadm_t) - -@@ -184,4 +188,9 @@ - - optional_policy(` - xen_append_log(fsadm_t) -+ xen_rw_image_files(fsadm_t) -+') -+ -+optional_policy(` -+ unconfined_domain(fsadm_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.5.13/policy/modules/system/hostname.te ---- nsaserefpolicy/policy/modules/system/hostname.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/hostname.te 2008-10-28 10:56:19.000000000 -0400 -@@ -8,7 +8,9 @@ - - type hostname_t; - type hostname_exec_t; --init_system_domain(hostname_t,hostname_exec_t) -+ -+#dont transition from initrc -+application_domain(hostname_t, hostname_exec_t) - role system_r types hostname_t; - - ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.5.13/policy/modules/system/init.fc ---- nsaserefpolicy/policy/modules/system/init.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/init.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -4,8 +4,7 @@ - /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) - - /etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) --/etc/rc\.d/rc\.sysinit -- gen_context(system_u:object_r:initrc_exec_t,s0) --/etc/rc\.d/rc\.local -- gen_context(system_u:object_r:initrc_exec_t,s0) -+/etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0) - - /etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) - -@@ -46,6 +45,8 @@ - /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) - /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) - -+/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0) -+ - # - # /var - # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.5.13/policy/modules/system/init.if ---- nsaserefpolicy/policy/modules/system/init.if 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/init.if 2008-10-28 10:56:19.000000000 -0400 -@@ -278,6 +278,27 @@ - kernel_dontaudit_use_fds($1) - ') - ') -+ -+ sysadm_dontaudit_search_home_dirs($1) -+ -+ tunable_policy(`allow_daemons_use_tty',` -+ term_use_all_user_ttys($1) -+ term_use_all_user_ptys($1) -+ ',` -+ term_dontaudit_use_all_user_ttys($1) -+ term_dontaudit_use_all_user_ptys($1) -+ ') -+ -+ # these apps are often redirect output to random log files -+ logging_rw_all_logs($1) -+ -+ optional_policy(` -+ cron_rw_pipes($1) -+ ') -+ -+ optional_policy(` -+ xserver_rw_xdm_home_files($1) -+ ') - ') - - ######################################## -@@ -617,18 +638,19 @@ - # - interface(`init_spec_domtrans_script',` - gen_require(` -- type initrc_t, initrc_exec_t; -+ type initrc_t; -+ attribute init_script_file_type; - ') - - files_list_etc($1) -- spec_domtrans_pattern($1,initrc_exec_t,initrc_t) -+ spec_domtrans_pattern($1, init_script_file_type, initrc_t) - - ifdef(`enable_mcs',` -- range_transition $1 initrc_exec_t:process s0; -+ range_transition $1 init_script_file_type:process s0; - ') - - ifdef(`enable_mls',` -- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; -+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') - ') - -@@ -644,23 +666,43 @@ - # - interface(`init_domtrans_script',` - gen_require(` -- type initrc_t, initrc_exec_t; -+ type initrc_t; -+ attribute init_script_file_type; - ') - - files_list_etc($1) -- domtrans_pattern($1,initrc_exec_t,initrc_t) -+ domtrans_pattern($1, init_script_file_type, initrc_t) - - ifdef(`enable_mcs',` -- range_transition $1 initrc_exec_t:process s0; -+ range_transition $1 init_script_file_type:process s0; - ') - - ifdef(`enable_mls',` -- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; -+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') - ') - - ######################################## - ## -+## Execute a file in a bin directory -+## in the initrc_t domain -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_bin_domtrans_spec',` -+ gen_require(` -+ type initrc_t; -+ ') -+ -+ corecmd_bin_domtrans($1, initrc_t) -+') -+ -+######################################## -+## - ## Execute a init script in a specified domain. - ## - ## -@@ -774,7 +816,7 @@ - - allow $1 init_t:dir search_dir_perms; - allow $1 init_t:file read_file_perms; -- allow $1 init_t:lnk_file read_lnk_file_perms; -+ allow $1 init_t:lnk_file read_file_perms; - ') - - ######################################## -@@ -1296,6 +1338,25 @@ - - ######################################## - ## -+## Read init script temporary data. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_read_script_tmp_files',` -+ gen_require(` -+ type initrc_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ read_files_pattern($1, initrc_tmp_t, initrc_tmp_t) -+') -+ -+######################################## -+## - ## Create files in a init script - ## temporary data directory. - ## -@@ -1451,7 +1512,7 @@ - type initrc_var_run_t; - ') - -- dontaudit $1 initrc_var_run_t:file { getattr read write append }; -+ dontaudit $1 initrc_var_run_t:file rw_file_perms; - ') - - ######################################## -@@ -1507,3 +1568,51 @@ - ') - corenet_udp_recvfrom_labeled($1, daemon) - ') -+ -+######################################## -+## -+## Transition to system_r when execute an init script -+## -+## -+##

-+## Execute a init script in a specified role -+##

-+##

-+## No interprocess communication (signals, pipes, -+## etc.) is provided by this interface since -+## the domains are not owned by this module. -+##

-+## -+## -+## -+## Role to transition from. -+## -+## -+# -+interface(`init_script_role_transition',` -+ gen_require(` -+ attribute init_script_file_type; -+ ') -+ -+ role_transition $1 init_script_file_type system_r; -+') -+ -+######################################## -+## -+## Send and receive unix_stream_messages with -+## init -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_chat',` -+ gen_require(` -+ type init_t; -+ ') -+ -+ allow $1 init_t:unix_dgram_socket sendto; -+ allow init_t $1:unix_dgram_socket sendto; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.13/policy/modules/system/init.te ---- nsaserefpolicy/policy/modules/system/init.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/init.te 2008-10-29 14:03:43.000000000 -0400 -@@ -17,6 +17,20 @@ - ## - gen_tunable(init_upstart,false) - -+## -+##

-+## Allow all daemons the ability to read/write terminals -+##

-+## -+gen_tunable(allow_daemons_use_tty, false) -+ -+## -+##

-+## Allow all daemons to write corefiles to / -+##

-+## -+gen_tunable(allow_daemons_dump_core, false) -+ - # used for direct running of init scripts - # by admin domains - attribute direct_run_init; -@@ -88,7 +102,7 @@ - # - - # Use capabilities. old rule: --allow init_t self:capability ~sys_module; -+allow init_t self:capability ~{ audit_control audit_write sys_module }; - # is ~sys_module really needed? observed: - # sys_boot - # sys_tty_config -@@ -101,7 +115,7 @@ - # Re-exec itself - can_exec(init_t,init_exec_t) - --allow init_t initrc_t:unix_stream_socket connectto; -+allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms }; - - # For /var/run/shutdown.pid. - allow init_t init_var_run_t:file manage_file_perms; -@@ -117,6 +131,8 @@ - kernel_read_system_state(init_t) - kernel_share_state(init_t) - -+fs_list_inotifyfs(init_t) -+ - corecmd_exec_chroot(init_t) - corecmd_exec_bin(init_t) - -@@ -169,6 +185,8 @@ - - miscfiles_read_localization(init_t) - -+allow init_t self:process setsched; -+ - ifdef(`distro_gentoo',` - allow init_t self:process { getcap setcap }; - ') -@@ -191,6 +209,14 @@ - ') - - optional_policy(` -+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to -+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up -+ # the directory. But we do not want to allow this. -+ # The master process of dovecot will manage this file. -+ dovecot_dontaudit_unlink_lib_files(initrc_t) -+') -+ -+optional_policy(` - nscd_socket_use(init_t) - ') - -@@ -204,9 +230,10 @@ - # - - allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; --allow initrc_t self:capability ~{ sys_admin sys_module }; -+allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module }; - dontaudit initrc_t self:capability sys_module; # sysctl is triggering this - allow initrc_t self:passwd rootok; -+allow initrc_t self:key { search }; - - # Allow IPC with self - allow initrc_t self:unix_dgram_socket create_socket_perms; -@@ -219,7 +246,8 @@ - term_create_pty(initrc_t,initrc_devpts_t) - - # Going to single user mode --init_exec(initrc_t) -+init_telinit(initrc_t) -+init_chat(initrc_t) - - can_exec(initrc_t, init_script_file_type) - -@@ -232,6 +260,7 @@ - - allow initrc_t initrc_var_run_t:file manage_file_perms; - files_pid_filetrans(initrc_t,initrc_var_run_t,file) -+files_manage_generic_pids_symlinks(initrc_t) - - can_exec(initrc_t,initrc_tmp_t) - allow initrc_t initrc_tmp_t:file manage_file_perms; -@@ -253,6 +282,7 @@ - kernel_dontaudit_getattr_message_if(initrc_t) - - files_read_kernel_symbol_table(initrc_t) -+files_exec_etc_files(initrc_t) - - corenet_all_recvfrom_unlabeled(initrc_t) - corenet_all_recvfrom_netlabel(initrc_t) -@@ -276,7 +306,7 @@ - dev_read_sound_mixer(initrc_t) - dev_write_sound_mixer(initrc_t) - dev_setattr_all_chr_files(initrc_t) --dev_read_lvm_control(initrc_t) -+dev_rw_lvm_control(initrc_t) - dev_delete_lvm_control_dev(initrc_t) - dev_manage_generic_symlinks(initrc_t) - dev_manage_generic_files(initrc_t) -@@ -330,7 +360,7 @@ - domain_sigchld_all_domains(initrc_t) - domain_read_all_domains_state(initrc_t) - domain_getattr_all_domains(initrc_t) --domain_dontaudit_ptrace_all_domains(initrc_t) -+domain_ptrace_all_domains(initrc_t) - domain_getsession_all_domains(initrc_t) - domain_use_interactive_fds(initrc_t) - # for lsof which is used by alsa shutdown: -@@ -371,6 +401,7 @@ - libs_use_shared_libs(initrc_t) - libs_exec_lib_files(initrc_t) - -+logging_send_audit_msgs(initrc_t) - logging_send_syslog_msg(initrc_t) - logging_manage_generic_logs(initrc_t) - logging_read_all_logs(initrc_t) -@@ -503,6 +534,7 @@ - optional_policy(` - #for /etc/rc.d/init.d/nfs to create /etc/exports - rpc_write_exports(initrc_t) -+ rpc_manage_nfs_state_data(initrc_t) - ') - - optional_policy(` -@@ -521,6 +553,31 @@ - ') - ') - -+domain_dontaudit_use_interactive_fds(daemon) -+ -+sysadm_dontaudit_search_home_dirs(daemon) -+ -+tunable_policy(`allow_daemons_use_tty',` -+ term_use_unallocated_ttys(daemon) -+ term_use_generic_ptys(daemon) -+ term_use_all_user_ttys(daemon) -+ term_use_all_user_ptys(daemon) -+',` -+ term_dontaudit_use_unallocated_ttys(daemon) -+ term_dontaudit_use_generic_ptys(daemon) -+ term_dontaudit_use_all_user_ttys(daemon) -+ term_dontaudit_use_all_user_ptys(daemon) -+ ') -+ -+# system-config-services causes avc messages that should be dontaudited -+tunable_policy(`allow_daemons_dump_core',` -+ files_dump_core(daemon) -+') -+ -+optional_policy(` -+ unconfined_dontaudit_rw_pipes(daemon) -+') -+ - optional_policy(` - amavis_search_lib(initrc_t) - amavis_setattr_pid_files(initrc_t) -@@ -575,6 +632,10 @@ - dbus_read_config(initrc_t) - - optional_policy(` -+ consolekit_dbus_chat(initrc_t) -+ ') -+ -+ optional_policy(` - networkmanager_dbus_chat(initrc_t) - ') - ') -@@ -660,12 +721,6 @@ - mta_read_config(initrc_t) - mta_dontaudit_read_spool_symlinks(initrc_t) - ') --# cjp: require doesnt work in the else of optionals :\ --# this also would result in a type transition --# conflict if sendmail is enabled --#optional_policy(`',` --# mta_send_mail(initrc_t) --#') - - optional_policy(` - ifdef(`distro_redhat',` -@@ -726,6 +781,9 @@ - - # why is this needed: - rpm_manage_db(initrc_t) -+ # Allow SELinux aware applications to request rpm_script_t execution -+ rpm_transition_script(initrc_t) -+ - ') - - optional_policy(` -@@ -738,10 +796,12 @@ - squid_manage_logs(initrc_t) - ') - -+ifdef(`enabled_mls',` - optional_policy(` - # allow init scripts to su - su_restricted_domain_template(initrc,initrc_t,system_r) - ') -+') - - optional_policy(` - ssh_dontaudit_read_server_keys(initrc_t) -@@ -759,6 +819,11 @@ - uml_setattr_util_sockets(initrc_t) - ') - -+# Cron jobs used to start and stop services -+optional_policy(` -+ cron_rw_pipes(daemon) -+') -+ - optional_policy(` - unconfined_domain(initrc_t) - -@@ -773,6 +838,10 @@ - ') - - optional_policy(` -+ rpm_dontaudit_rw_pipes(daemon) -+') -+ -+optional_policy(` - vmware_read_system_config(initrc_t) - vmware_append_system_config(initrc_t) - ') -@@ -795,3 +864,11 @@ - optional_policy(` - zebra_read_config(initrc_t) - ') -+ -+unprivuser_append_home_content_files(daemon) -+unprivuser_write_tmp_files(daemon) -+logging_append_all_logs(daemon) -+ -+optional_policy(` -+ xserver_rw_xdm_home_files(daemon) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.5.13/policy/modules/system/ipsec.fc ---- nsaserefpolicy/policy/modules/system/ipsec.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/ipsec.fc 2008-11-05 10:40:04.000000000 -0500 -@@ -26,6 +26,7 @@ - /usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) - /usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) - -+/usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) - /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) - /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.5.13/policy/modules/system/ipsec.te ---- nsaserefpolicy/policy/modules/system/ipsec.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/ipsec.te 2008-10-28 10:56:19.000000000 -0400 -@@ -55,11 +55,12 @@ - - allow ipsec_t self:capability { net_admin dac_override dac_read_search }; - dontaudit ipsec_t self:capability sys_tty_config; --allow ipsec_t self:process signal; --allow ipsec_t self:netlink_route_socket r_netlink_socket_perms; -+allow ipsec_t self:process { signal setsched }; - allow ipsec_t self:tcp_socket create_stream_socket_perms; --allow ipsec_t self:key_socket { create write read setopt }; --allow ipsec_t self:fifo_file read_file_perms; -+allow ipsec_t self:udp_socket create_socket_perms; -+allow ipsec_t self:key_socket create_socket_perms; -+allow ipsec_t self:fifo_file read_fifo_file_perms; -+allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; - - allow ipsec_t ipsec_conf_file_t:dir list_dir_perms; - read_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t) -@@ -104,6 +105,11 @@ - corenet_tcp_bind_all_nodes(ipsec_t) - corenet_tcp_bind_reserved_port(ipsec_t) - corenet_tcp_bind_isakmp_port(ipsec_t) -+ -+corenet_udp_bind_all_nodes(ipsec_t) -+corenet_udp_bind_isakmp_port(ipsec_t) -+corenet_udp_bind_ipsecnat_port(ipsec_t) -+ - corenet_sendrecv_generic_server_packets(ipsec_t) - corenet_sendrecv_isakmp_server_packets(ipsec_t) - -@@ -127,6 +133,8 @@ - init_use_fds(ipsec_t) - init_use_script_ptys(ipsec_t) - -+auth_use_nsswitch(ipsec_t) -+ - libs_use_ld_so(ipsec_t) - libs_use_shared_libs(ipsec_t) - -@@ -134,17 +142,11 @@ - - miscfiles_read_localization(ipsec_t) - --sysnet_read_config(ipsec_t) -- - userdom_dontaudit_use_unpriv_user_fds(ipsec_t) - - sysadm_dontaudit_search_home_dirs(ipsec_t) - - optional_policy(` -- nis_use_ypbind(ipsec_t) --') -- --optional_policy(` - seutil_sigchld_newrole(ipsec_t) - ') - -@@ -160,9 +162,9 @@ - allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search }; - allow ipsec_mgmt_t self:process { signal setrlimit }; - allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; --allow ipsec_mgmt_t self:tcp_socket create_socket_perms; -+allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; - allow ipsec_mgmt_t self:udp_socket create_socket_perms; --allow ipsec_mgmt_t self:key_socket { create setopt }; -+allow ipsec_mgmt_t self:key_socket create_socket_perms; - allow ipsec_mgmt_t self:fifo_file rw_file_perms; - - allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; -@@ -171,6 +173,8 @@ - allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; - files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file) - -+logging_send_syslog_msg(ipsec_mgmt_t) -+ - manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t) - manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t) - -@@ -226,6 +230,7 @@ - # the ipsec wrapper wants to run /usr/bin/logger (should we put - # it in its own domain?) - corecmd_exec_bin(ipsec_mgmt_t) -+corecmd_exec_shell(ipsec_mgmt_t) - - domain_use_interactive_fds(ipsec_mgmt_t) - # denials when ps tries to search /proc. Do not audit these denials. -@@ -283,7 +288,7 @@ - allow racoon_t self:unix_dgram_socket { connect create ioctl write }; - allow racoon_t self:netlink_selinux_socket { bind create read }; - allow racoon_t self:udp_socket create_socket_perms; --allow racoon_t self:key_socket { create read setopt write }; -+allow racoon_t self:key_socket create_socket_perms; - - # manage pid file - manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t) -@@ -305,6 +310,7 @@ - corenet_tcp_bind_all_nodes(racoon_t) - corenet_udp_bind_all_nodes(racoon_t) - corenet_udp_bind_isakmp_port(racoon_t) -+corenet_udp_sendrecv_all_if(racoon_t) - corenet_udp_bind_ipsecnat_port(racoon_t) - - dev_read_urand(racoon_t) -@@ -319,6 +325,8 @@ - - ipsec_setcontext_default_spd(racoon_t) - -+auth_use_nsswitch(racoon_t) -+ - libs_use_ld_so(racoon_t) - libs_use_shared_libs(racoon_t) - -@@ -335,7 +343,7 @@ - # - - allow setkey_t self:capability net_admin; --allow setkey_t self:key_socket { create read setopt write }; -+allow setkey_t self:key_socket create_socket_perms; - allow setkey_t self:netlink_route_socket create_netlink_socket_perms; - - allow setkey_t ipsec_conf_file_t:dir list_dir_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.5.13/policy/modules/system/iscsi.te ---- nsaserefpolicy/policy/modules/system/iscsi.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/iscsi.te 2008-10-28 10:56:19.000000000 -0400 -@@ -28,7 +28,7 @@ - # iscsid local policy - # - --allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource }; -+allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; - allow iscsid_t self:process { setrlimit setsched signal }; - allow iscsid_t self:fifo_file rw_fifo_file_perms; - allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -39,7 +39,7 @@ - allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms; - allow iscsid_t self:tcp_socket create_stream_socket_perms; - --allow iscsid_t iscsi_lock_t:file manage_file_perms; -+manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) - files_lock_filetrans(iscsid_t,iscsi_lock_t,file) - - allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc ---- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-11-05 11:29:07.000000000 -0500 -@@ -60,12 +60,15 @@ - # - # /opt - # -+/opt/.*\.so gen_context(system_u:object_r:lib_t,s0) - /opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) - /opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) - /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) - /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) - -+/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) -+ - ifdef(`distro_gentoo',` - # despite the extensions, they are actually libs - /opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) -@@ -84,7 +87,8 @@ - - ifdef(`distro_redhat',` - /opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/opt/Adobe/Reader8/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) - /opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -115,9 +119,17 @@ - - /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -+/usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -+/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ - /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -133,6 +145,7 @@ - /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -@@ -168,7 +181,8 @@ - # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv - # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php - /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) --HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - - /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -187,6 +201,7 @@ - /usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -246,7 +261,7 @@ - - # Flash plugin, Macromedia - HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) --HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -267,6 +282,8 @@ - /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -+/usr/lib(64)?/(virtualbox(-ose)?/)?(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ - # Java, Sun Microsystems (JPackage SRPM) - /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -291,6 +308,8 @@ - /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) -+/usr/lib64/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) - ') dnl end distro_redhat - - # -@@ -310,3 +329,18 @@ - /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) - /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) - /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) -+ -+/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libmythavcodec-[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib64/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib(64)?/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.13/policy/modules/system/libraries.te ---- nsaserefpolicy/policy/modules/system/libraries.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/libraries.te 2008-10-28 10:56:19.000000000 -0400 -@@ -52,11 +52,11 @@ - # ldconfig local policy - # - --allow ldconfig_t self:capability sys_chroot; -+allow ldconfig_t self:capability { dac_override sys_chroot }; - - manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) - --allow ldconfig_t ld_so_cache_t:file manage_file_perms; -+manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t) - files_etc_filetrans(ldconfig_t,ld_so_cache_t,file) - - manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t) -@@ -70,8 +70,11 @@ - - fs_getattr_xattr_fs(ldconfig_t) - -+corecmd_search_bin(ldconfig_t) -+ - domain_use_interactive_fds(ldconfig_t) - -+files_search_home(ldconfig_t) - files_search_var_lib(ldconfig_t) - files_read_etc_files(ldconfig_t) - files_search_tmp(ldconfig_t) -@@ -80,6 +83,7 @@ - files_delete_etc_files(ldconfig_t) - - init_use_script_ptys(ldconfig_t) -+init_read_script_tmp_files(ldconfig_t) - - libs_use_ld_so(ldconfig_t) - libs_use_shared_libs(ldconfig_t) -@@ -96,6 +100,10 @@ - ') - ') - -+unprivuser_dontaudit_write_home_content_files(ldconfig_t) -+unprivuser_manage_tmp_files(ldconfig_t) -+unprivuser_manage_tmp_symlinks(ldconfig_t) -+ - ifdef(`hide_broken_symptoms',` - optional_policy(` - unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) -@@ -118,4 +126,10 @@ - # and executes ldconfig on it. If you dont allow this kernel installs - # blow up. - rpm_manage_script_tmp_files(ldconfig_t) -+ # smart package manager needs the following for the same reason -+ rpm_rw_tmp_files(ldconfig_t) -+') -+ -+optional_policy(` -+ unconfined_domain(ldconfig_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.5.13/policy/modules/system/locallogin.te ---- nsaserefpolicy/policy/modules/system/locallogin.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/locallogin.te 2008-10-28 10:56:19.000000000 -0400 -@@ -67,6 +67,7 @@ - dev_setattr_power_mgmt_dev(local_login_t) - dev_getattr_sound_dev(local_login_t) - dev_setattr_sound_dev(local_login_t) -+dev_rw_generic_usb_dev(local_login_t) - dev_dontaudit_getattr_apm_bios_dev(local_login_t) - dev_dontaudit_setattr_apm_bios_dev(local_login_t) - dev_dontaudit_read_framebuffer(local_login_t) -@@ -100,7 +101,6 @@ - - auth_rw_login_records(local_login_t) - auth_rw_faillog(local_login_t) --auth_manage_pam_pid(local_login_t) - auth_manage_pam_console_data(local_login_t) - auth_domtrans_pam_console(local_login_t) - -@@ -163,6 +163,11 @@ - fs_read_cifs_symlinks(local_login_t) - ') - -+tunable_policy(`allow_console_login',` -+ term_relabel_console(local_login_t) -+ term_setattr_console(local_login_t) -+') -+ - optional_policy(` - alsa_domtrans(local_login_t) - ') -@@ -192,7 +197,7 @@ - ') - - optional_policy(` -- unconfined_domain(local_login_t) -+ unconfined_shell_domtrans(local_login_t) - ') - - optional_policy(` -@@ -241,18 +246,25 @@ - seutil_read_default_contexts(sulogin_t) - - auth_read_shadow(sulogin_t) -+auth_use_nsswitch(sulogin_t) - - userdom_use_unpriv_users_fds(sulogin_t) - --staff_search_home_dirs(sulogin_t) -- -+ifdef(`enable_mls',` - sysadm_shell_domtrans(sulogin_t) -+',` -+ optional_policy(` -+ unconfined_shell_domtrans(sulogin_t) -+ ') -+') -+ - sysadm_use_ptys(sulogin_t) - sysadm_search_home_dirs(sulogin_t) - - # suse and debian do not use pam with sulogin... - ifdef(`distro_suse', `define(`sulogin_no_pam')') - ifdef(`distro_debian', `define(`sulogin_no_pam')') -+ifdef(`distro_redhat',`define(`sulogin_no_pam')') - - ifdef(`sulogin_no_pam', ` - allow sulogin_t self:capability sys_tty_config; -@@ -267,10 +279,4 @@ - selinux_compute_user_contexts(sulogin_t) - ') - --optional_policy(` -- nis_use_ypbind(sulogin_t) --') - --optional_policy(` -- nscd_socket_use(sulogin_t) --') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.5.13/policy/modules/system/logging.fc ---- nsaserefpolicy/policy/modules/system/logging.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/logging.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -53,10 +53,10 @@ - /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) - ') - --/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) --/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0) --/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0) --/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0) -+/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) -+/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh) -+/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) -+/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) - /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) - /var/run/log -s gen_context(system_u:object_r:devlog_t,s0) - /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) -@@ -65,3 +65,5 @@ - /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) - - /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) -+ -+/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.5.13/policy/modules/system/logging.if ---- nsaserefpolicy/policy/modules/system/logging.if 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/logging.if 2008-10-28 10:56:19.000000000 -0400 -@@ -451,7 +451,7 @@ - ') - - allow $1 devlog_t:lnk_file read; -- allow $1 devlog_t:sock_file rw_sock_file_perms; -+ allow $1 devlog_t:sock_file rw_file_perms; - - # the type of socket depends on the syslog daemon - allow $1 syslogd_t:unix_dgram_socket sendto; -@@ -719,6 +719,8 @@ - files_search_var($1) - manage_files_pattern($1,logfile,logfile) - read_lnk_files_pattern($1,logfile,logfile) -+ allow $1 logfile:dir { relabelfrom relabelto }; -+ allow $1 logfile:file { relabelfrom relabelto }; - ') - - ######################################## -@@ -952,5 +954,5 @@ - # - interface(`logging_admin',` - logging_admin_audit($1, $2, $3) -- logging_admin_syslog($1, $2) -+ logging_admin_syslog($1, $2, $3) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.5.13/policy/modules/system/logging.te ---- nsaserefpolicy/policy/modules/system/logging.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/logging.te 2008-10-28 10:56:19.000000000 -0400 -@@ -129,7 +129,7 @@ - allow auditd_t self:process { signal_perms setpgid setsched }; - allow auditd_t self:file rw_file_perms; - allow auditd_t self:unix_dgram_socket create_socket_perms; --allow auditd_t self:fifo_file rw_file_perms; -+allow auditd_t self:fifo_file rw_fifo_file_perms; - allow auditd_t self:tcp_socket create_stream_socket_perms; - - allow auditd_t auditd_etc_t:dir list_dir_perms; -@@ -221,9 +221,9 @@ - # audit dispatcher local policy - # - --allow audisp_t self:capability sys_nice; -+allow audisp_t self:capability { dac_override sys_nice }; - allow audisp_t self:process setsched; --allow audisp_t self:fifo_file rw_file_perms; -+allow audisp_t self:fifo_file rw_fifo_file_perms; - allow audisp_t self:unix_stream_socket create_stream_socket_perms; - allow audisp_t self:unix_dgram_socket create_socket_perms; - -@@ -352,7 +352,7 @@ - allow syslogd_t self:unix_dgram_socket create_socket_perms; - allow syslogd_t self:unix_stream_socket create_stream_socket_perms; - allow syslogd_t self:unix_dgram_socket sendto; --allow syslogd_t self:fifo_file rw_file_perms; -+allow syslogd_t self:fifo_file rw_fifo_file_perms; - allow syslogd_t self:udp_socket create_socket_perms; - allow syslogd_t self:tcp_socket create_stream_socket_perms; - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.5.13/policy/modules/system/lvm.fc ---- nsaserefpolicy/policy/modules/system/lvm.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/lvm.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -55,6 +55,7 @@ - /sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0) -@@ -97,3 +98,4 @@ - /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) - /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) - /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) -+/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.5.13/policy/modules/system/lvm.te ---- nsaserefpolicy/policy/modules/system/lvm.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/lvm.te 2008-11-05 16:20:42.000000000 -0500 -@@ -10,6 +10,9 @@ - type clvmd_exec_t; - init_daemon_domain(clvmd_t,clvmd_exec_t) - -+type clvmd_initrc_exec_t; -+init_script_file(clvmd_initrc_exec_t) -+ - type clvmd_var_run_t; - files_pid_file(clvmd_var_run_t) - -@@ -22,7 +25,7 @@ - role system_r types lvm_t; - - type lvm_etc_t; --files_type(lvm_etc_t) -+files_config_file(lvm_etc_t) - - type lvm_lock_t; - files_lock_file(lvm_lock_t) -@@ -44,9 +47,9 @@ - # Cluster LVM daemon local policy - # - --allow clvmd_t self:capability { sys_admin mknod }; -+allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod }; - dontaudit clvmd_t self:capability sys_tty_config; --allow clvmd_t self:process signal_perms; -+allow clvmd_t self:process { signal_perms setsched }; - dontaudit clvmd_t self:process ptrace; - allow clvmd_t self:socket create_socket_perms; - allow clvmd_t self:fifo_file rw_fifo_file_perms; -@@ -54,6 +57,8 @@ - allow clvmd_t self:tcp_socket create_stream_socket_perms; - allow clvmd_t self:udp_socket create_socket_perms; - -+init_dontaudit_getattr_initctl(clvmd_t) -+ - manage_files_pattern(clvmd_t,clvmd_var_run_t,clvmd_var_run_t) - files_pid_filetrans(clvmd_t,clvmd_var_run_t,file) - -@@ -85,10 +90,15 @@ - corenet_sendrecv_generic_server_packets(clvmd_t) - - dev_read_sysfs(clvmd_t) -+dev_manage_generic_symlinks(clvmd_t) -+dev_relabel_generic_dev_dirs(clvmd_t) -+dev_manage_generic_blk_files(clvmd_t) - dev_manage_generic_chr_files(clvmd_t) - dev_rw_lvm_control(clvmd_t) - dev_dontaudit_getattr_all_blk_files(clvmd_t) - dev_dontaudit_getattr_all_chr_files(clvmd_t) -+dev_create_generic_dirs(clvmd_t) -+dev_delete_generic_dirs(clvmd_t) - - files_read_etc_files(clvmd_t) - files_list_usr(clvmd_t) -@@ -99,9 +109,12 @@ - fs_dontaudit_read_removable_files(clvmd_t) - - storage_dontaudit_getattr_removable_dev(clvmd_t) -+storage_dev_filetrans_fixed_disk(clvmd_t) -+storage_manage_fixed_disk(clvmd_t) - - domain_use_interactive_fds(clvmd_t) - -+storage_relabel_fixed_disk(clvmd_t) - storage_raw_read_fixed_disk(clvmd_t) - - auth_use_nsswitch(clvmd_t) -@@ -115,9 +128,11 @@ - - seutil_dontaudit_search_config(clvmd_t) - seutil_sigchld_newrole(clvmd_t) -+seutil_read_config(clvmd_t) -+seutil_read_file_contexts(clvmd_t) -+seutil_search_default_contexts(clvmd_t) - - userdom_dontaudit_use_unpriv_user_fds(clvmd_t) -- - sysadm_dontaudit_search_home_dirs(clvmd_t) - - lvm_domtrans(clvmd_t) -@@ -128,6 +143,14 @@ - ') - - optional_policy(` -+ dbus_system_bus_client_template(lvm,lvm_t) -+ -+ optional_policy(` -+ hal_dbus_chat(lvm_t) -+ ') -+') -+ -+optional_policy(` - gpm_dontaudit_getattr_gpmctl(clvmd_t) - ') - -@@ -137,6 +160,14 @@ - ') - - optional_policy(` -+ unconfined_domain(clvmd_t) -+') -+ -+optional_policy(` -+ unconfined_domain(lvm_t) -+') -+ -+optional_policy(` - udev_read_db(clvmd_t) - ') - -@@ -147,17 +178,19 @@ - - # DAC overrides and mknod for modifying /dev entries (vgmknodes) - # rawio needed for dmraid --allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio }; -+allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; -+# lvm needs net_admin for multipath - dontaudit lvm_t self:capability sys_tty_config; - allow lvm_t self:process { sigchld sigkill sigstop signull signal }; - # LVM will complain a lot if it cannot set its priority. - allow lvm_t self:process setsched; - allow lvm_t self:file rw_file_perms; --allow lvm_t self:fifo_file rw_file_perms; -+allow lvm_t self:fifo_file manage_fifo_file_perms; - allow lvm_t self:unix_dgram_socket create_socket_perms; - allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; - --allow lvm_t clvmd_t:unix_stream_socket connectto; -+allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms }; -+allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms }; - - manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) - manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) -@@ -189,6 +222,7 @@ - manage_files_pattern(lvm_t,lvm_metadata_t,lvm_metadata_t) - filetrans_pattern(lvm_t,lvm_etc_t,lvm_metadata_t,file) - files_etc_filetrans(lvm_t,lvm_metadata_t,file) -+files_search_mnt(lvm_t) - - kernel_read_system_state(lvm_t) - kernel_read_kernel_sysctls(lvm_t) -@@ -225,6 +259,7 @@ - dev_dontaudit_getattr_generic_blk_files(lvm_t) - dev_dontaudit_getattr_generic_pipes(lvm_t) - dev_create_generic_dirs(lvm_t) -+dev_rw_generic_files(lvm_t) - - fs_getattr_xattr_fs(lvm_t) - fs_search_auto_mountpoints(lvm_t) -@@ -243,6 +278,7 @@ - storage_dev_filetrans_fixed_disk(lvm_t) - # Access raw devices and old /dev/lvm (c 109,0). Is this needed? - storage_manage_fixed_disk(lvm_t) -+mls_file_read_all_levels(lvm_t) - - term_getattr_all_user_ttys(lvm_t) - term_list_ptys(lvm_t) -@@ -252,6 +288,7 @@ - - domain_use_interactive_fds(lvm_t) - -+files_read_usr_files(lvm_t) - files_read_etc_files(lvm_t) - files_read_etc_runtime_files(lvm_t) - # for when /usr is not mounted: -@@ -273,6 +310,8 @@ - seutil_search_default_contexts(lvm_t) - seutil_sigchld_newrole(lvm_t) - -+sysadm_dontaudit_search_home_dirs(lvm_t) -+ - ifdef(`distro_redhat',` - # this is from the initrd: - files_rw_isid_type_dirs(lvm_t) -@@ -291,5 +330,18 @@ - ') - - optional_policy(` -+ modutils_domtrans_insmod(lvm_t) -+') -+ -+optional_policy(` - udev_read_db(lvm_t) - ') -+ -+optional_policy(` -+ unconfined_domain(lvm_t) -+') -+ -+optional_policy(` -+ xen_append_log(lvm_t) -+ xen_dontaudit_rw_unix_stream_sockets(lvm_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.5.13/policy/modules/system/miscfiles.if ---- nsaserefpolicy/policy/modules/system/miscfiles.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/miscfiles.if 2008-11-03 17:18:22.000000000 -0500 -@@ -23,6 +23,45 @@ - - ######################################## - ## -+## manange system SSL certificates. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`miscfiles_manage_cert_dirs',` -+ gen_require(` -+ type cert_t; -+ ') -+ -+ manage_dirs_pattern($1,cert_t,cert_t) -+') -+ -+######################################## -+## -+## manange system SSL certificates. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`miscfiles_manage_cert_files',` -+ gen_require(` -+ type cert_t; -+ ') -+ -+ manage_files_pattern($1,cert_t,cert_t) -+ read_lnk_files_pattern($1,cert_t,cert_t) -+') -+ -+######################################## -+## - ## Read fonts. - ## - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.5.13/policy/modules/system/modutils.te ---- nsaserefpolicy/policy/modules/system/modutils.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/modutils.te 2008-10-28 10:56:19.000000000 -0400 -@@ -42,7 +42,7 @@ - # insmod local policy - # - --allow insmod_t self:capability { dac_override net_raw sys_tty_config }; -+allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config }; - allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; - - allow insmod_t self:udp_socket create_socket_perms; -@@ -55,6 +55,7 @@ - - kernel_load_module(insmod_t) - kernel_read_system_state(insmod_t) -+kernel_read_network_state(insmod_t) - kernel_write_proc_files(insmod_t) - kernel_mount_debugfs(insmod_t) - kernel_mount_kvmfs(insmod_t) -@@ -63,6 +64,7 @@ - kernel_read_kernel_sysctls(insmod_t) - kernel_rw_kernel_sysctl(insmod_t) - kernel_read_hotplug_sysctls(insmod_t) -+kernel_setsched(insmod_t) - - files_read_kernel_modules(insmod_t) - # for locking: (cjp: ????) -@@ -76,9 +78,7 @@ - dev_read_sound(insmod_t) - dev_write_sound(insmod_t) - dev_rw_apm_bios(insmod_t) --# cjp: why is this needed? insmod cannot mounton any dir --# and it also transitions to mount --dev_mount_usbfs(insmod_t) -+dev_create_generic_chr_files(insmod_t) - - fs_getattr_xattr_fs(insmod_t) - -@@ -101,6 +101,8 @@ - init_use_fds(insmod_t) - init_use_script_fds(insmod_t) - init_use_script_ptys(insmod_t) -+init_spec_domtrans_script(insmod_t) -+init_rw_script_tmp_files(insmod_t) - - libs_use_ld_so(insmod_t) - libs_use_shared_libs(insmod_t) -@@ -112,17 +114,32 @@ - - seutil_read_file_contexts(insmod_t) - --ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(insmod_t) - ') --') -+ -+term_dontaudit_use_unallocated_ttys(insmod_t) -+userdom_dontaudit_search_users_home_dirs(insmod_t) -+sysadm_dontaudit_search_home_dirs(insmod_t) -+fs_dontaudit_use_tmpfs_chr_dev(insmod_t) - - if( ! secure_mode_insmod ) { - kernel_domtrans_to(insmod_t,insmod_exec_t) - } - - optional_policy(` -+ alsa_domtrans(insmod_t) -+') -+ -+optional_policy(` -+ firstboot_dontaudit_rw_pipes(insmod_t) -+') -+ -+optional_policy(` -+ hal_write_log(insmod_t) -+') -+ -+optional_policy(` - hotplug_search_config(insmod_t) - ') - -@@ -155,10 +172,12 @@ - - optional_policy(` - rpm_rw_pipes(insmod_t) -+ rpm_read_script_tmp_files(insmod_t) - ') - - optional_policy(` - unconfined_dontaudit_rw_pipes(insmod_t) -+ unconfined_dontaudit_use_terms(insmod_t) - ') - - optional_policy(` -@@ -185,6 +204,7 @@ - - files_read_kernel_symbol_table(depmod_t) - files_read_kernel_modules(depmod_t) -+files_delete_kernel_modules(depmod_t) - - fs_getattr_xattr_fs(depmod_t) - -@@ -208,9 +228,11 @@ - - # Read System.map from home directories. - files_list_home(depmod_t) --staff_read_home_content_files(depmod_t) -+unprivuser_read_home_content_files(depmod_t) - sysadm_read_home_content_files(depmod_t) - -+sysadm_dontaudit_use_terms(depmod_t) -+ - ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(depmod_t) -@@ -219,11 +241,13 @@ - - optional_policy(` - # Read System.map from home directories. -- unconfined_read_home_content_files(depmod_t) -+ unconfined_dontaudit_use_terms(depmod_t) -+ unconfined_domain(depmod_t) - ') - - optional_policy(` - rpm_rw_pipes(depmod_t) -+ rpm_manage_script_tmp_files(depmod_t) - ') - - ################################# -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.5.13/policy/modules/system/mount.fc ---- nsaserefpolicy/policy/modules/system/mount.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/mount.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,4 +1,6 @@ - /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) - /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -- -+/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -+/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -+/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) - /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.5.13/policy/modules/system/mount.if ---- nsaserefpolicy/policy/modules/system/mount.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/mount.if 2008-10-28 10:56:19.000000000 -0400 -@@ -49,6 +49,8 @@ - mount_domtrans($1) - role $2 types mount_t; - allow mount_t $3:chr_file rw_file_perms; -+ #Leaked File Descriptors -+ dontaudit mount_t $1:unix_stream_socket rw_socket_perms; - - optional_policy(` - samba_run_smbmount($1, $2, $3) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.5.13/policy/modules/system/mount.te ---- nsaserefpolicy/policy/modules/system/mount.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-10-28 10:56:19.000000000 -0400 -@@ -18,17 +18,18 @@ - init_system_domain(mount_t,mount_exec_t) - role system_r types mount_t; - -+typealias mount_t alias mount_ntfs_t; -+typealias mount_exec_t alias mount_ntfs_exec_t; -+ - type mount_loopback_t; # customizable - files_type(mount_loopback_t) - - type mount_tmp_t; - files_tmp_file(mount_tmp_t) - --# causes problems with interfaces when --# this is optionally declared in monolithic --# policy--duplicate type declaration - type unconfined_mount_t; - application_domain(unconfined_mount_t,mount_exec_t) -+role system_r types unconfined_mount_t; - - ######################################## - # -@@ -36,7 +37,8 @@ - # - - # setuid/setgid needed to mount cifs --allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; -+allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid }; -+allow mount_t self:process ptrace; - - allow mount_t mount_loopback_t:file read_file_perms; - -@@ -47,12 +49,17 @@ - - files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir }) - -+# In order to mount reiserfs_t -+kernel_list_unlabeled(mount_t) - kernel_read_system_state(mount_t) -+kernel_read_network_state(mount_t) - kernel_read_kernel_sysctls(mount_t) - kernel_dontaudit_getattr_core_if(mount_t) -+kernel_search_debugfs(mount_t) - - dev_getattr_all_blk_files(mount_t) - dev_list_all_dev_nodes(mount_t) -+dev_read_usbfs(mount_t) - dev_rw_lvm_control(mount_t) - dev_dontaudit_getattr_all_chr_files(mount_t) - dev_dontaudit_getattr_memory_dev(mount_t) -@@ -62,16 +69,19 @@ - storage_raw_write_fixed_disk(mount_t) - storage_raw_read_removable_device(mount_t) - storage_raw_write_removable_device(mount_t) -+storage_rw_fuse(mount_t) - --fs_getattr_xattr_fs(mount_t) --fs_getattr_cifs(mount_t) -+fs_list_all(mount_t) -+fs_getattr_all_fs(mount_t) - fs_mount_all_fs(mount_t) - fs_unmount_all_fs(mount_t) - fs_remount_all_fs(mount_t) - fs_relabelfrom_all_fs(mount_t) --fs_list_auto_mountpoints(mount_t) - fs_rw_tmpfs_chr_files(mount_t) -+fs_manage_tmpfs_dirs(mount_t) - fs_read_tmpfs_symlinks(mount_t) -+fs_read_fusefs_files(mount_t) -+fs_manage_nfs_dirs(mount_t) - - term_use_all_terms(mount_t) - -@@ -79,6 +89,7 @@ - corecmd_exec_bin(mount_t) - - domain_use_interactive_fds(mount_t) -+domain_dontaudit_search_all_domains_state(mount_t) - - files_search_all(mount_t) - files_read_etc_files(mount_t) -@@ -87,7 +98,7 @@ - files_mounton_all_mountpoints(mount_t) - files_unmount_rootfs(mount_t) - # These rules need to be generalized. Only admin, initrc should have it: --files_relabelto_all_file_type_fs(mount_t) -+files_relabel_all_file_type_fs(mount_t) - files_mount_all_file_type_fs(mount_t) - files_unmount_all_file_type_fs(mount_t) - # for when /etc/mtab loses its type -@@ -100,6 +111,8 @@ - init_use_fds(mount_t) - init_use_script_ptys(mount_t) - init_dontaudit_getattr_initctl(mount_t) -+init_stream_connect_script(mount_t) -+init_rw_script_stream_sockets(mount_t) - - auth_use_nsswitch(mount_t) - -@@ -119,6 +132,8 @@ - seutil_read_config(mount_t) - - userdom_use_all_users_fds(mount_t) -+sysadm_read_home_content_files(mount_t) -+unprivuser_manage_home_content_dirs(mount_t) - - ifdef(`distro_redhat',` - optional_policy(` -@@ -167,6 +182,8 @@ - fs_search_rpc(mount_t) - - rpc_stub(mount_t) -+ -+ rpc_domtrans_rpcd(mount_t) - ') - - optional_policy(` -@@ -181,6 +198,11 @@ - ') - ') - -+# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711 -+optional_policy(` -+ lvm_domtrans(mount_t) -+') -+ - # for kernel package installation - optional_policy(` - rpm_rw_pipes(mount_t) -@@ -188,6 +210,7 @@ - - optional_policy(` - samba_domtrans_smbmount(mount_t) -+ samba_read_config(mount_t) - ') - - ######################################## -@@ -198,4 +221,26 @@ - optional_policy(` - files_etc_filetrans_etc_runtime(unconfined_mount_t,file) - unconfined_domain(unconfined_mount_t) -+ optional_policy(` -+ hal_dbus_chat(unconfined_mount_t) -+ ') - ') -+ -+######################################## -+# -+# ntfs local policy -+# -+allow mount_t self:fifo_file rw_fifo_file_perms; -+allow mount_t self:unix_stream_socket create_stream_socket_perms; -+allow mount_t self:unix_dgram_socket create_socket_perms; -+ -+corecmd_exec_shell(mount_t) -+ -+modutils_domtrans_insmod(mount_t) -+ -+optional_policy(` -+ hal_write_log(mount_t) -+ hal_use_fds(mount_t) -+ hal_rw_pipes(mount_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.5.13/policy/modules/system/raid.te ---- nsaserefpolicy/policy/modules/system/raid.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/raid.te 2008-10-28 10:56:19.000000000 -0400 -@@ -39,6 +39,7 @@ - dev_dontaudit_getattr_generic_files(mdadm_t) - dev_dontaudit_getattr_generic_chr_files(mdadm_t) - dev_dontaudit_getattr_generic_blk_files(mdadm_t) -+dev_read_realtime_clock(mdadm_t) - - fs_search_auto_mountpoints(mdadm_t) - fs_dontaudit_list_tmpfs(mdadm_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.5.13/policy/modules/system/selinuxutil.fc ---- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/selinuxutil.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -38,7 +38,7 @@ - /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) - /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) - /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) --/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0) -+/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0) - /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0) - /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) - -@@ -46,3 +46,11 @@ - # /var/run - # - /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0) -+ -+# -+# /var/lib -+# -+/var/lib/selinux(/.*)? gen_context(system_u:object_r:selinux_var_lib_t,s0) -+ -+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) -+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.5.13/policy/modules/system/selinuxutil.if ---- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-10-10 15:53:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/selinuxutil.if 2008-10-28 10:56:19.000000000 -0400 -@@ -555,6 +555,59 @@ - - ######################################## - ## -+## Execute setfiles in the setfiles domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`seutil_domtrans_setfiles_mac',` -+ gen_require(` -+ type setfiles_mac_t, setfiles_exec_t; -+ ') -+ -+ files_search_usr($1) -+ corecmd_search_bin($1) -+ domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t) -+') -+ -+######################################## -+## -+## Execute setfiles in the setfiles_mac domain, and -+## allow the specified role the setfiles_mac domain, -+## and use the caller's terminal. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed the setfiles_mac domain. -+## -+## -+## -+## -+## The type of the terminal allow the setfiles_mac domain to use. -+## -+## -+## -+# -+interface(`seutil_run_setfiles_mac',` -+ gen_require(` -+ type setfiles_mac_t; -+ ') -+ -+ seutil_domtrans_setfiles_mac($1) -+ role $2 types setfiles_mac_t; -+ allow setfiles_mac_t $3:chr_file rw_term_perms; -+') -+ -+######################################## -+## - ## Execute setfiles in the caller domain. - ## - ## -@@ -589,7 +642,7 @@ - type selinux_config_t; - ') - -- dontaudit $1 selinux_config_t:dir search; -+ dontaudit $1 selinux_config_t:dir search_dir_perms; - ') - - ######################################## -@@ -608,7 +661,7 @@ - type selinux_config_t; - ') - -- dontaudit $1 selinux_config_t:dir search; -+ dontaudit $1 selinux_config_t:dir search_dir_perms; - dontaudit $1 selinux_config_t:file { getattr read }; - ') - -@@ -700,6 +753,7 @@ - ') - - files_search_etc($1) -+ manage_dirs_pattern($1, selinux_config_t, selinux_config_t) - manage_files_pattern($1,selinux_config_t,selinux_config_t) - read_lnk_files_pattern($1,selinux_config_t,selinux_config_t) - ') -@@ -1019,6 +1073,26 @@ - - ######################################## - ## -+## Execute a domain transition to run setsebool. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`seutil_domtrans_setsebool',` -+ gen_require(` -+ type setsebool_t, setsebool_exec_t; -+ ') -+ -+ files_search_usr($1) -+ corecmd_search_bin($1) -+ domtrans_pattern($1, setsebool_exec_t, setsebool_t) -+') -+ -+######################################## -+## - ## Execute semanage in the semanage domain, and - ## allow the specified role the semanage domain, - ## and use the caller's terminal. -@@ -1030,7 +1104,7 @@ - ## - ## - ## --## The role to be allowed the checkpolicy domain. -+## The role to be allowed the semanage domain. - ## - ## - ## -@@ -1046,14 +1120,45 @@ - ') - - seutil_domtrans_semanage($1) -- seutil_run_setfiles(semanage_t, $2, $3) -- seutil_run_loadpolicy(semanage_t, $2, $3) - role $2 types semanage_t; - allow semanage_t $3:chr_file rw_term_perms; - ') - - ######################################## - ## -+## Execute setsebool in the semanage domain, and -+## allow the specified role the semanage domain, -+## and use the caller's terminal. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed the semanage domain. -+## -+## -+## -+## -+## The type of the terminal allow the semanage domain to use. -+## -+## -+## -+# -+interface(`seutil_run_setsebool',` -+ gen_require(` -+ type semanage_t; -+ ') -+ -+ seutil_domtrans_setsebool($1) -+ role $2 types setsebool_t; -+ allow setsebool_t $3:chr_file rw_term_perms; -+') -+ -+######################################## -+## - ## Full management of the semanage - ## module store. - ## -@@ -1165,3 +1270,260 @@ - selinux_dontaudit_get_fs_mount($1) - seutil_dontaudit_read_config($1) - ') -+ -+####################################### -+## -+## The per role template for the setsebool module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for setsebool plugins that are executed by a browser. -+##

-+##

-+## This template is invoked automatically for each user, and -+## generally does not need to be invoked directly -+## by policy writers. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+# -+template(`seutil_setsebool_per_role_template',` -+ gen_require(` -+ type setsebool_exec_t; -+ ') -+ -+ type $1_setsebool_t; -+ domain_type($1_setsebool_t) -+ domain_entry_file($1_setsebool_t, setsebool_exec_t) -+ role $3 types $1_setsebool_t; -+ -+ files_search_usr($2) -+ corecmd_search_bin($2) -+ domtrans_pattern($2, setsebool_exec_t, $1_setsebool_t) -+ seutil_semanage_policy($1_setsebool_t) -+ -+ # Need to define per type booleans -+ selinux_set_boolean($1_setsebool_t) -+ -+ # Bug in semanage -+ seutil_domtrans_setfiles($1_setsebool_t) -+ seutil_manage_file_contexts($1_setsebool_t) -+ seutil_manage_default_contexts($1_setsebool_t) -+ seutil_manage_config($1_setsebool_t) -+') -+ -+####################################### -+## -+## All rules necessary to run semanage command -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`seutil_semanage_policy',` -+ gen_require(` -+ type semanage_tmp_t; -+ type policy_config_t; -+ ') -+ allow $1 self:capability { dac_override audit_write sys_resource }; -+ dontaudit $1 self:capability sys_tty_config; -+ allow $1 self:unix_stream_socket create_stream_socket_perms; -+ allow $1 self:unix_dgram_socket create_socket_perms; -+ logging_send_audit_msgs($1) -+ -+ # Running genhomedircon requires this for finding all users -+ auth_use_nsswitch($1) -+ -+ allow $1 policy_config_t:file { read write }; -+ -+ allow $1 semanage_tmp_t:dir manage_dir_perms; -+ allow $1 semanage_tmp_t:file manage_file_perms; -+ files_tmp_filetrans($1, semanage_tmp_t, { file dir }) -+ -+ kernel_read_system_state($1) -+ kernel_read_kernel_sysctls($1) -+ -+ corecmd_exec_bin($1) -+ corecmd_exec_shell($1) -+ -+ dev_read_urand($1) -+ -+ domain_use_interactive_fds($1) -+ -+ files_read_etc_files($1) -+ files_read_etc_runtime_files($1) -+ files_read_usr_files($1) -+ files_list_pids($1) -+ fs_list_inotifyfs($1) -+ fs_getattr_all_fs($1) -+ -+ mls_file_write_all_levels($1) -+ mls_file_read_all_levels($1) -+ -+ selinux_getattr_fs($1) -+ selinux_validate_context($1) -+ selinux_get_enforce_mode($1) -+ -+ term_use_all_terms($1) -+ -+ libs_use_ld_so($1) -+ libs_use_shared_libs($1) -+ -+ locallogin_use_fds($1) -+ -+ logging_send_syslog_msg($1) -+ -+ miscfiles_read_localization($1) -+ -+ seutil_search_default_contexts($1) -+ seutil_domtrans_loadpolicy($1) -+ seutil_read_config($1) -+ seutil_manage_bin_policy($1) -+ seutil_use_newrole_fds($1) -+ seutil_manage_module_store($1) -+ seutil_get_semanage_trans_lock($1) -+ seutil_get_semanage_read_lock($1) -+ -+ userdom_dontaudit_write_unpriv_user_home_content_files($1) -+ -+ optional_policy(` -+ rpm_dontaudit_rw_tmp_files($1) -+ rpm_dontaudit_rw_pipes($1) -+ ') -+') -+ -+ -+####################################### -+## -+## All rules necessary to run setfiles command -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`seutil_setfiles',` -+ -+allow $1 self:capability { dac_override dac_read_search fowner }; -+dontaudit $1 self:capability sys_tty_config; -+allow $1 self:fifo_file rw_file_perms; -+dontaudit $1 self:dir relabelfrom; -+dontaudit $1 self:file relabelfrom; -+dontaudit $1 self:lnk_file relabelfrom; -+ -+ -+allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms; -+allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms; -+allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; -+ -+logging_send_audit_msgs($1) -+ -+kernel_read_system_state($1) -+kernel_relabelfrom_unlabeled_dirs($1) -+kernel_relabelfrom_unlabeled_files($1) -+kernel_relabelfrom_unlabeled_symlinks($1) -+kernel_relabelfrom_unlabeled_pipes($1) -+kernel_relabelfrom_unlabeled_sockets($1) -+kernel_use_fds($1) -+kernel_rw_pipes($1) -+kernel_rw_unix_dgram_sockets($1) -+kernel_dontaudit_list_all_proc($1) -+kernel_read_all_sysctls($1) -+kernel_read_network_state_symlinks($1) -+ -+dev_relabel_all_dev_nodes($1) -+ -+domain_use_interactive_fds($1) -+domain_read_all_domains_state($1) -+ -+files_read_etc_runtime_files($1) -+files_read_etc_files($1) -+files_list_all($1) -+files_relabel_all_files($1) -+files_list_isid_type_dirs($1) -+files_read_isid_type_files($1) -+files_dontaudit_read_all_symlinks($1) -+ -+fs_getattr_xattr_fs($1) -+fs_list_all($1) -+fs_getattr_all_files($1) -+fs_search_auto_mountpoints($1) -+fs_relabelfrom_noxattr_fs($1) -+ -+mls_file_read_all_levels($1) -+mls_file_write_all_levels($1) -+mls_file_upgrade($1) -+mls_file_downgrade($1) -+ -+selinux_validate_context($1) -+selinux_compute_access_vector($1) -+selinux_compute_create_context($1) -+selinux_compute_relabel_context($1) -+selinux_compute_user_contexts($1) -+ -+term_use_all_terms($1) -+ -+# this is to satisfy the assertion: -+auth_relabelto_shadow($1) -+ -+init_use_fds($1) -+init_use_script_fds($1) -+init_use_script_ptys($1) -+init_exec_script_files($1) -+ -+libs_use_ld_so($1) -+libs_use_shared_libs($1) -+ -+logging_send_syslog_msg($1) -+ -+miscfiles_read_localization($1) -+ -+seutil_libselinux_linked($1) -+ -+userdom_use_all_users_fds($1) -+# for config files in a home directory -+userdom_read_all_users_home_content_files($1) -+ -+ifdef(`distro_debian',` -+ # udev tmpfs is populated with static device nodes -+ # and then relabeled afterwards; thus -+ # /dev/console has the tmpfs type -+ fs_rw_tmpfs_chr_files($1) -+') -+ -+ifdef(`distro_redhat',` -+ fs_rw_tmpfs_chr_files($1) -+ fs_rw_tmpfs_blk_files($1) -+ fs_relabel_tmpfs_blk_file($1) -+ fs_relabel_tmpfs_chr_file($1) -+') -+ -+ifdef(`distro_ubuntu',` -+ optional_policy(` -+ unconfined_domain($1) -+ ') -+') -+ -+optional_policy(` -+ hotplug_use_fds($1) -+') -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.5.13/policy/modules/system/selinuxutil.te ---- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/selinuxutil.te 2008-10-28 10:56:19.000000000 -0400 -@@ -23,6 +23,9 @@ - type selinux_config_t; - files_type(selinux_config_t) - -+type selinux_var_lib_t; -+files_type(selinux_var_lib_t) -+ - type checkpolicy_t, can_write_binary_policy; - type checkpolicy_exec_t; - application_domain(checkpolicy_t, checkpolicy_exec_t) -@@ -75,7 +78,6 @@ - type restorecond_exec_t; - init_daemon_domain(restorecond_t,restorecond_exec_t) - domain_obj_id_change_exemption(restorecond_t) --role system_r types restorecond_t; - - type restorecond_var_run_t; - files_pid_file(restorecond_var_run_t) -@@ -92,6 +94,10 @@ - domain_interactive_fd(semanage_t) - role system_r types semanage_t; - -+type setsebool_t; -+type setsebool_exec_t; -+init_system_domain(setsebool_t, setsebool_exec_t) -+ - type semanage_store_t; - files_type(semanage_store_t) - -@@ -109,6 +115,11 @@ - init_system_domain(setfiles_t,setfiles_exec_t) - domain_obj_id_change_exemption(setfiles_t) - -+type setfiles_mac_t; -+domain_type(setfiles_mac_t) -+domain_entry_file(setfiles_mac_t, setfiles_exec_t) -+domain_obj_id_change_exemption(setfiles_mac_t) -+ - ######################################## - # - # Checkpolicy local policy -@@ -168,6 +179,7 @@ - files_read_etc_runtime_files(load_policy_t) - - fs_getattr_xattr_fs(load_policy_t) -+fs_list_inotifyfs(load_policy_t) - - mls_file_read_all_levels(load_policy_t) - -@@ -195,15 +207,6 @@ - ') - ') - --ifdef(`hide_broken_symptoms',` -- # cjp: cover up stray file descriptors. -- dontaudit load_policy_t selinux_config_t:file write; -- -- optional_policy(` -- unconfined_dontaudit_read_pipes(load_policy_t) -- ') --') -- - ######################################## - # - # Newrole local policy -@@ -221,7 +224,7 @@ - allow newrole_t self:msg { send receive }; - allow newrole_t self:unix_dgram_socket sendto; - allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; --allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -+logging_send_audit_msgs(newrole_t) - - read_files_pattern(newrole_t,default_context_t,default_context_t) - read_lnk_files_pattern(newrole_t,default_context_t,default_context_t) -@@ -277,6 +280,7 @@ - libs_use_ld_so(newrole_t) - libs_use_shared_libs(newrole_t) - -+logging_send_audit_msgs(newrole_t) - logging_send_syslog_msg(newrole_t) - - miscfiles_read_localization(newrole_t) -@@ -347,6 +351,8 @@ - - seutil_libselinux_linked(restorecond_t) - -+userdom_read_all_users_home_content_symlinks(restorecond_t) -+ - ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(restorecond_t) -@@ -365,7 +371,7 @@ - allow run_init_t self:process setexec; - allow run_init_t self:capability setuid; - allow run_init_t self:fifo_file rw_file_perms; --allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -+logging_send_audit_msgs(run_init_t) - - # often the administrator runs such programs from a directory that is owned - # by a different user or has restrictive SE permissions, do not want to audit -@@ -396,7 +402,6 @@ - - auth_use_nsswitch(run_init_t) - auth_domtrans_chk_passwd(run_init_t) --auth_domtrans_upd_passwd(run_init_t) - auth_dontaudit_read_shadow(run_init_t) - - init_spec_domtrans_script(run_init_t) -@@ -435,64 +440,22 @@ - # semodule local policy - # - --allow semanage_t self:capability { dac_override audit_write }; --allow semanage_t self:unix_stream_socket create_stream_socket_perms; --allow semanage_t self:unix_dgram_socket create_socket_perms; --allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -- --allow semanage_t policy_config_t:file rw_file_perms; -- --allow semanage_t semanage_tmp_t:dir manage_dir_perms; --allow semanage_t semanage_tmp_t:file manage_file_perms; --files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) -- --kernel_read_system_state(semanage_t) --kernel_read_kernel_sysctls(semanage_t) -- --corecmd_exec_bin(semanage_t) -+seutil_semanage_policy(semanage_t) -+allow semanage_t self:fifo_file rw_fifo_file_perms; - --dev_read_urand(semanage_t) -+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) -+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) - --domain_use_interactive_fds(semanage_t) -- --files_read_etc_files(semanage_t) --files_read_etc_runtime_files(semanage_t) --files_read_usr_files(semanage_t) --files_list_pids(semanage_t) -- --mls_file_write_all_levels(semanage_t) --mls_file_read_all_levels(semanage_t) -- --selinux_validate_context(semanage_t) --selinux_get_enforce_mode(semanage_t) --selinux_getattr_fs(semanage_t) --# for setsebool: - selinux_set_boolean(semanage_t) -+can_exec(semanage_t, semanage_exec_t) - --term_use_all_terms(semanage_t) -- --# Running genhomedircon requires this for finding all users --auth_use_nsswitch(semanage_t) -- --libs_use_ld_so(semanage_t) --libs_use_shared_libs(semanage_t) -- --locallogin_use_fds(semanage_t) -+# Admins are creating pp files in random locations -+auth_read_all_files_except_shadow(semanage_t) - --logging_send_syslog_msg(semanage_t) -- --miscfiles_read_localization(semanage_t) -- --seutil_libselinux_linked(semanage_t) - seutil_manage_file_contexts(semanage_t) - seutil_manage_config(semanage_t) - seutil_domtrans_setfiles(semanage_t) --seutil_domtrans_loadpolicy(semanage_t) --seutil_manage_bin_policy(semanage_t) --seutil_use_newrole_fds(semanage_t) --seutil_manage_module_store(semanage_t) --seutil_get_semanage_trans_lock(semanage_t) --seutil_get_semanage_read_lock(semanage_t) -+ - # netfilter_contexts: - seutil_manage_default_contexts(semanage_t) - -@@ -501,12 +464,27 @@ - files_read_var_lib_symlinks(semanage_t) - ') - -+optional_policy(` -+ setrans_initrc_domtrans(semanage_t) -+ domain_system_change_exemption(semanage_t) -+ consoletype_exec(semanage_t) -+') -+ -+optional_policy(` -+ sysadm_search_home_dirs(semanage_t) -+') -+ - ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(semanage_t) - ') - ') - -+optional_policy(` -+ #signal mcstrans on reload -+ init_spec_domtrans_script(semanage_t) -+') -+ - # cjp: need a more general way to handle this: - ifdef(`enable_mls',` - # read secadm tmp files -@@ -514,121 +492,42 @@ - # Handle pp files created in homedir and /tmp - sysadm_read_home_content_files(semanage_t) - sysadm_read_tmp_files(semanage_t) -- -- optional_policy(` -- unconfined_read_home_content_files(semanage_t) -- unconfined_read_tmp_files(semanage_t) -- ') -+ userdom_read_unpriv_users_home_content_files(semanage_t) -+ userdom_read_unpriv_users_tmp_files(semanage_t) - ') - - ######################################## - # --# Setfiles local policy -+# setsebool local policy - # -+seutil_semanage_policy(setsebool_t) -+selinux_set_boolean(setsebool_t) - --allow setfiles_t self:capability { dac_override dac_read_search fowner }; --dontaudit setfiles_t self:capability sys_tty_config; --allow setfiles_t self:fifo_file rw_file_perms; -- --allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms; --allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms; --allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; -- --kernel_read_system_state(setfiles_t) --kernel_relabelfrom_unlabeled_dirs(setfiles_t) --kernel_relabelfrom_unlabeled_files(setfiles_t) --kernel_relabelfrom_unlabeled_symlinks(setfiles_t) --kernel_relabelfrom_unlabeled_pipes(setfiles_t) --kernel_relabelfrom_unlabeled_sockets(setfiles_t) --kernel_use_fds(setfiles_t) --kernel_rw_pipes(setfiles_t) --kernel_rw_unix_dgram_sockets(setfiles_t) --kernel_dontaudit_list_all_proc(setfiles_t) --kernel_dontaudit_list_all_sysctls(setfiles_t) -- --dev_relabel_all_dev_nodes(setfiles_t) -- --domain_use_interactive_fds(setfiles_t) --domain_dontaudit_search_all_domains_state(setfiles_t) -- --files_read_etc_runtime_files(setfiles_t) --files_read_etc_files(setfiles_t) --files_list_all(setfiles_t) --files_relabel_all_files(setfiles_t) -- --fs_getattr_xattr_fs(setfiles_t) --fs_list_all(setfiles_t) --fs_search_auto_mountpoints(setfiles_t) --fs_relabelfrom_noxattr_fs(setfiles_t) -- --mls_file_read_all_levels(setfiles_t) --mls_file_write_all_levels(setfiles_t) --mls_file_upgrade(setfiles_t) --mls_file_downgrade(setfiles_t) -- --selinux_validate_context(setfiles_t) --selinux_compute_access_vector(setfiles_t) --selinux_compute_create_context(setfiles_t) --selinux_compute_relabel_context(setfiles_t) --selinux_compute_user_contexts(setfiles_t) -- --term_use_all_user_ttys(setfiles_t) --term_use_all_user_ptys(setfiles_t) --term_use_unallocated_ttys(setfiles_t) -- --# this is to satisfy the assertion: --auth_relabelto_shadow(setfiles_t) -- --init_use_fds(setfiles_t) --init_use_script_fds(setfiles_t) --init_use_script_ptys(setfiles_t) --init_exec_script_files(setfiles_t) -- --libs_use_ld_so(setfiles_t) --libs_use_shared_libs(setfiles_t) -- --logging_send_syslog_msg(setfiles_t) -- --miscfiles_read_localization(setfiles_t) -- --seutil_libselinux_linked(setfiles_t) -- --userdom_use_all_users_fds(setfiles_t) --# for config files in a home directory --userdom_read_all_users_home_content_files(setfiles_t) -+init_dontaudit_use_fds(setsebool_t) - --ifdef(`distro_debian',` -- # udev tmpfs is populated with static device nodes -- # and then relabeled afterwards; thus -- # /dev/console has the tmpfs type -- fs_rw_tmpfs_chr_files(setfiles_t) --') -+# Bug in semanage -+seutil_domtrans_setfiles(setsebool_t) -+seutil_manage_file_contexts(setsebool_t) -+seutil_manage_default_contexts(setsebool_t) -+seutil_manage_config(setsebool_t) - --ifdef(`distro_redhat', ` -- fs_rw_tmpfs_chr_files(setfiles_t) -- fs_rw_tmpfs_blk_files(setfiles_t) -- fs_relabel_tmpfs_blk_file(setfiles_t) -- fs_relabel_tmpfs_chr_file(setfiles_t) --') -+######################################## -+# -+# Setfiles local policy -+# - --ifdef(`distro_ubuntu',` -- optional_policy(` -- unconfined_domain(setfiles_t) -- ') --') -+seutil_setfiles(setfiles_t) -+# During boot in Rawhide -+term_use_generic_ptys(setfiles_t) - --ifdef(`hide_broken_symptoms',` - optional_policy(` -- udev_dontaudit_rw_dgram_sockets(setfiles_t) -+ cron_system_entry(setfiles_t, setfiles_exec_t) - ') - -- # cjp: cover up stray file descriptors. -- optional_policy(` -- unconfined_dontaudit_read_pipes(setfiles_t) -- unconfined_dontaudit_rw_tcp_sockets(setfiles_t) -- ') --') -+seutil_setfiles(setfiles_mac_t) -+allow setfiles_mac_t self:capability2 mac_admin; -+kernel_relabelto_unlabeled(setfiles_mac_t) - - optional_policy(` -- hotplug_use_fds(setfiles_t) -+ unconfined_domain(setfiles_mac_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.5.13/policy/modules/system/setrans.if ---- nsaserefpolicy/policy/modules/system/setrans.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/setrans.if 2008-10-28 10:56:19.000000000 -0400 -@@ -21,3 +21,23 @@ - stream_connect_pattern($1,setrans_var_run_t,setrans_var_run_t,setrans_t) - files_list_pids($1) - ') -+ -+######################################## -+## -+## Execute setrans server in the setrans domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+# -+interface(`setrans_initrc_domtrans',` -+ gen_require(` -+ type setrans_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, setrans_initrc_exec_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.5.13/policy/modules/system/sysnetwork.fc ---- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -11,6 +11,7 @@ - /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) - /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) - /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) -+/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) - -@@ -20,6 +21,7 @@ - ifdef(`distro_redhat',` - /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) -+/etc/sysconfig/networking/profiles/.*/hosts -- gen_context(system_u:object_r:net_conf_t,s0) - ') - - # -@@ -57,3 +59,5 @@ - ifdef(`distro_gentoo',` - /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) - ') -+ -+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.5.13/policy/modules/system/sysnetwork.if ---- nsaserefpolicy/policy/modules/system/sysnetwork.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.if 2008-10-28 10:56:19.000000000 -0400 -@@ -553,6 +553,7 @@ - type net_conf_t; - ') - -+ allow $1 self:netlink_route_socket r_netlink_socket_perms; - allow $1 self:tcp_socket create_socket_perms; - allow $1 self:udp_socket create_socket_perms; - -@@ -569,6 +570,10 @@ - - files_search_etc($1) - allow $1 net_conf_t:file read_file_perms; -+ -+ optional_policy(` -+ avahi_stream_connect($1) -+ ') - ') - - ######################################## -@@ -598,6 +603,8 @@ - - files_search_etc($1) - allow $1 net_conf_t:file read_file_perms; -+ # LDAP Configuration using encrypted requires -+ dev_read_urand($1) - ') - - ######################################## -@@ -632,3 +639,49 @@ - files_search_etc($1) - allow $1 net_conf_t:file read_file_perms; - ') -+ -+######################################## -+## -+## Do not audit attempts to use -+## the dhcp file descriptors. -+## -+## -+## -+## The domain sending the SIGCHLD. -+## -+## -+# -+interface(`sysnet_dontaudit_dhcpc_use_fds',` -+ gen_require(` -+ type dhcpc_t; -+ ') -+ -+ dontaudit $1 dhcpc_t:fd use; -+') -+ -+######################################## -+## -+## Transition to system_r when execute an dhclient script -+## -+## -+##

-+## Execute dhclient script in a specified role -+##

-+##

-+## No interprocess communication (signals, pipes, -+## etc.) is provided by this interface since -+## the domains are not owned by this module. -+##

-+## -+## -+## -+## Role to transition from. -+## -+## -+interface(`sysnet_role_transition_dhcpc',` -+ gen_require(` -+ type dhcpc_exec_t; -+ ') -+ -+ role_transition $1 dhcpc_exec_t system_r; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.13/policy/modules/system/sysnetwork.te ---- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2008-11-03 13:42:28.000000000 -0500 -@@ -20,6 +20,9 @@ - init_daemon_domain(dhcpc_t,dhcpc_exec_t) - role system_r types dhcpc_t; - -+type dhcpc_helper_exec_t; -+init_script_file(dhcpc_helper_exec_t) -+ - type dhcpc_state_t; - files_type(dhcpc_state_t) - -@@ -41,21 +44,22 @@ - # - # DHCP client local policy - # --allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config }; -+allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_nice sys_resource sys_tty_config }; - dontaudit dhcpc_t self:capability sys_tty_config; - # for access("/etc/bashrc", X_OK) on Red Hat - dontaudit dhcpc_t self:capability { dac_read_search sys_module }; --allow dhcpc_t self:process signal_perms; --allow dhcpc_t self:fifo_file rw_file_perms; -+allow dhcpc_t self:process { setfscreate ptrace signal_perms }; -+allow dhcpc_t self:fifo_file rw_fifo_file_perms; - allow dhcpc_t self:tcp_socket create_stream_socket_perms; - allow dhcpc_t self:udp_socket create_socket_perms; - allow dhcpc_t self:packet_socket create_socket_perms; --allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; -+allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read }; - - allow dhcpc_t dhcp_etc_t:dir list_dir_perms; - read_lnk_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t) - exec_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t) - -+allow dhcpc_t dhcp_state_t:file read_file_perms; - manage_files_pattern(dhcpc_t,dhcpc_state_t,dhcpc_state_t) - filetrans_pattern(dhcpc_t,dhcp_state_t,dhcpc_state_t,file) - -@@ -116,7 +120,7 @@ - corecmd_exec_shell(dhcpc_t) - - domain_use_interactive_fds(dhcpc_t) --domain_dontaudit_list_all_domains_state(dhcpc_t) -+domain_dontaudit_read_all_domains_state(dhcpc_t) - - files_read_etc_files(dhcpc_t) - files_read_etc_runtime_files(dhcpc_t) -@@ -135,8 +139,6 @@ - - modutils_domtrans_insmod(dhcpc_t) - --staff_dontaudit_search_home_dirs(dhcpc_t) -- - ifdef(`distro_redhat', ` - files_exec_etc_files(dhcpc_t) - ') -@@ -185,25 +187,22 @@ - ') - - optional_policy(` -- nis_use_ypbind(dhcpc_t) -- nis_signal_ypbind(dhcpc_t) -- nis_read_ypbind_pid(dhcpc_t) -- nis_delete_ypbind_pid(dhcpc_t) -- -- # dhclient sometimes starts ypbind -- init_exec_script_files(dhcpc_t) -- nis_domtrans_ypbind(dhcpc_t) -+ networkmanager_domtrans(dhcpc_t) -+ networkmanager_read_pid_files(dhcpc_t) -+') -+ -+optional_policy(` -+ nis_ypbind_initrc_domtrans(dhcpc_t) - ') - - optional_policy(` -+ nscd_initrc_domtrans(dhcpc_t) - nscd_domtrans(dhcpc_t) - nscd_read_pid(dhcpc_t) - ') - - optional_policy(` -- # dhclient sometimes starts ntpd -- init_exec_script_files(dhcpc_t) -- ntp_domtrans(dhcpc_t) -+ ntp_initrc_domtrans(dhcpc_t) - ') - - optional_policy(` -@@ -214,6 +213,11 @@ - optional_policy(` - seutil_sigchld_newrole(dhcpc_t) - seutil_dontaudit_search_config(dhcpc_t) -+ seutil_domtrans_setfiles(dhcpc_t) -+') -+ -+optional_policy(` -+ sysadm_dontaudit_search_home_dirs(dhcpc_t) - ') - - optional_policy(` -@@ -225,6 +229,10 @@ - ') - - optional_policy(` -+ vmware_append_log(dhcpc_t) -+') -+ -+optional_policy(` - kernel_read_xen_state(dhcpc_t) - kernel_write_xen_state(dhcpc_t) - xen_append_log(dhcpc_t) -@@ -238,7 +246,6 @@ - - allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; - allow ifconfig_t self:capability { net_raw net_admin sys_tty_config }; --dontaudit ifconfig_t self:capability sys_module; - - allow ifconfig_t self:fd use; - allow ifconfig_t self:fifo_file rw_fifo_file_perms; -@@ -252,6 +259,7 @@ - allow ifconfig_t self:sem create_sem_perms; - allow ifconfig_t self:msgq create_msgq_perms; - allow ifconfig_t self:msg { send receive }; -+allow ifconfig_t net_conf_t:file read_file_perms; - - # Create UDP sockets, necessary when called from dhcpc - allow ifconfig_t self:udp_socket create_socket_perms; -@@ -261,13 +269,20 @@ - allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; - allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; - allow ifconfig_t self:tcp_socket { create ioctl }; -+ -+read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t) -+ - files_read_etc_files(ifconfig_t); -+files_read_etc_runtime_files(ifconfig_t); - - kernel_use_fds(ifconfig_t) - kernel_read_system_state(ifconfig_t) - kernel_read_network_state(ifconfig_t) - kernel_search_network_sysctl(ifconfig_t) -+kernel_search_debugfs(ifconfig_t) - kernel_rw_net_sysctls(ifconfig_t) -+# This should be put inside a boolean, but can not because of attributes -+kernel_load_module(ifconfig_t) - - corenet_rw_tun_tap_dev(ifconfig_t) - -@@ -278,8 +293,13 @@ - fs_getattr_xattr_fs(ifconfig_t) - fs_search_auto_mountpoints(ifconfig_t) - -+selinux_dontaudit_getattr_fs(ifconfig_t) -+ -+term_dontaudit_use_console(ifconfig_t) - term_dontaudit_use_all_user_ttys(ifconfig_t) - term_dontaudit_use_all_user_ptys(ifconfig_t) -+term_dontaudit_use_ptmx(ifconfig_t) -+term_dontaudit_use_generic_ptys(ifconfig_t) - - domain_use_interactive_fds(ifconfig_t) - -@@ -335,6 +355,14 @@ - ') - - optional_policy(` -+ unconfined_dontaudit_rw_pipes(ifconfig_t) -+') -+ -+optional_policy(` -+ vmware_append_log(ifconfig_t) -+') -+ -+optional_policy(` - kernel_read_xen_state(ifconfig_t) - kernel_write_xen_state(ifconfig_t) - xen_append_log(ifconfig_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.5.13/policy/modules/system/udev.fc ---- nsaserefpolicy/policy/modules/system/udev.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/udev.fc 2008-11-03 11:39:49.000000000 -0500 -@@ -13,8 +13,11 @@ - /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) - /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) - /sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) -+/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) - /sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) - /sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) - /sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0) - - /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) -+ -+/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.5.13/policy/modules/system/udev.if ---- nsaserefpolicy/policy/modules/system/udev.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/udev.if 2008-10-28 10:56:19.000000000 -0400 -@@ -96,6 +96,24 @@ - - ######################################## - ## -+## dontaudit process read list of devices. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`udev_dontaudit_search_db',` -+ gen_require(` -+ type udev_tbl_t; -+ ') -+ -+ dontaudit $1 udev_tbl_t:dir search_dir_perms; -+') -+ -+######################################## -+## - ## Allow process to read list of devices. - ## - ## -@@ -106,11 +124,13 @@ - # - interface(`udev_read_db',` - gen_require(` -- type udev_tdb_t; -+ type udev_tbl_t; - ') - - dev_list_all_dev_nodes($1) -- allow $1 udev_tdb_t:file read_file_perms; -+ allow $1 udev_tbl_t:dir list_dir_perms; -+ read_files_pattern($1, udev_tbl_t, udev_tbl_t) -+ read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t) - ') - - ######################################## -@@ -125,9 +145,9 @@ - # - interface(`udev_rw_db',` - gen_require(` -- type udev_tdb_t; -+ type udev_tbl_t; - ') - - dev_list_all_dev_nodes($1) -- allow $1 udev_tdb_t:file rw_file_perms; -+ allow $1 udev_tbl_t:file rw_file_perms; - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.5.13/policy/modules/system/udev.te ---- nsaserefpolicy/policy/modules/system/udev.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/udev.te 2008-11-03 11:41:29.000000000 -0500 -@@ -83,6 +83,7 @@ - kernel_rw_unix_dgram_sockets(udev_t) - kernel_dgram_send(udev_t) - kernel_signal(udev_t) -+kernel_search_debugfs(udev_t) - - #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 - kernel_rw_net_sysctls(udev_t) -@@ -142,6 +143,7 @@ - - logging_search_logs(udev_t) - logging_send_syslog_msg(udev_t) -+logging_send_audit_msgs(udev_t) - - miscfiles_read_localization(udev_t) - -@@ -189,6 +191,7 @@ - - optional_policy(` - alsa_domtrans(udev_t) -+ alsa_read_lib(udev_t) - alsa_read_rw_config(udev_t) - ') - -@@ -197,6 +200,10 @@ - ') - - optional_policy(` -+ clock_domtrans(udev_t) -+') -+ -+optional_policy(` - consoletype_exec(udev_t) - ') - -@@ -233,6 +240,10 @@ - ') - - optional_policy(` -+ rpm_search_log(udev_t) -+') -+ -+optional_policy(` - kernel_write_xen_state(udev_t) - kernel_read_xen_state(udev_t) - xen_manage_log(udev_t) -@@ -240,5 +251,9 @@ - ') - - optional_policy(` -+ unconfined_domain(udev_t) -+') -+ -+optional_policy(` - xserver_read_xdm_pid(udev_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.13/policy/modules/system/unconfined.fc ---- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-09-11 16:42:49.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/unconfined.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -2,15 +2,28 @@ - # e.g.: - # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) - # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t --/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) --/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) --/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) -- --/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) --/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -- --/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) - -+/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) - ifdef(`distro_gentoo',` --/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) - ') -+/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) -+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) -+ -+/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/usr/bin/haddock.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/bin/hasktags -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/bin/runghc -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/bin/runhaskell -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+ -+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.13/policy/modules/system/unconfined.if ---- nsaserefpolicy/policy/modules/system/unconfined.if 2008-09-11 16:42:49.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/unconfined.if 2008-10-29 13:21:22.000000000 -0400 -@@ -12,14 +12,13 @@ - # - interface(`unconfined_domain_noaudit',` - gen_require(` -- type unconfined_t; - class dbus all_dbus_perms; - class nscd all_nscd_perms; - class passwd all_passwd_perms; - ') - - # Use any Linux capability. -- allow $1 self:capability *; -+ allow $1 self:capability all_capabilities; - allow $1 self:fifo_file manage_fifo_file_perms; - - # Transition to myself, to make get_ordered_context_list happy. -@@ -27,12 +26,13 @@ - - # Write access is for setting attributes under /proc/self/attr. - allow $1 self:file rw_file_perms; -+ allow $1 self:dir rw_dir_perms; - - # Userland object managers -- allow $1 self:nscd *; -- allow $1 self:dbus *; -- allow $1 self:passwd *; -- allow $1 self:association *; -+ allow $1 self:nscd all_nscd_perms; -+ allow $1 self:dbus all_dbus_perms; -+ allow $1 self:passwd all_passwd_perms; -+ allow $1 self:association all_association_perms; - - kernel_unconfined($1) - corenet_unconfined($1) -@@ -44,6 +44,11 @@ - fs_unconfined($1) - selinux_unconfined($1) - -+ domain_mmap_low_type($1) -+ tunable_policy(`allow_unconfined_mmap_low',` -+ domain_mmap_low($1) -+ ') -+ - tunable_policy(`allow_execheap',` - # Allow making the stack executable via mprotect. - allow $1 self:process execheap; -@@ -70,6 +75,7 @@ - optional_policy(` - # Communicate via dbusd. - dbus_system_bus_unconfined($1) -+ dbus_unconfined($1) - ') - - optional_policy(` -@@ -380,6 +386,24 @@ - - ######################################## - ## -+## Send a SIGNULL signal to the unconfined execmem domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_execmem_signull',` -+ gen_require(` -+ type unconfined_execmem_t; -+ ') -+ -+ allow $1 unconfined_execmem_t:process signull; -+') -+ -+######################################## -+## - ## Send generic signals to the unconfined domain. - ## - ## -@@ -654,3 +678,248 @@ - - allow $1 unconfined_tmp_t:file { getattr write append }; - ') -+ -+######################################## -+## -+## Allow ptrace of unconfined domain -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_ptrace',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:process ptrace; -+') -+ -+######################################## -+## -+## Read and write to unconfined shared memory. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`unconfined_rw_shm',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:shm rw_shm_perms; -+') -+ -+######################################## -+## -+## Read and write to unconfined execmem shared memory. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`unconfined_execmem_rw_shm',` -+ gen_require(` -+ type unconfined_execmem_t; -+ ') -+ -+ allow $1 unconfined_execmem_t:shm rw_shm_perms; -+') -+ -+######################################## -+## -+## Transition to the unconfined_execmem domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_execmem_domtrans',` -+ -+ gen_require(` -+ type unconfined_execmem_t, execmem_exec_t; -+ ') -+ -+ domtrans_pattern($1, execmem_exec_t, unconfined_execmem_t) -+') -+ -+######################################## -+## -+## allow attempts to use unconfined ttys and ptys. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_use_terms',` -+ gen_require(` -+ type unconfined_devpts_t; -+ type unconfined_tty_device_t; -+ ') -+ -+ allow $1 unconfined_tty_device_t:chr_file rw_term_perms; -+ allow $1 unconfined_devpts_t:chr_file rw_term_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to use unconfined ttys and ptys. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`unconfined_dontaudit_use_terms',` -+ gen_require(` -+ type unconfined_devpts_t; -+ type unconfined_tty_device_t; -+ ') -+ -+ dontaudit $1 unconfined_tty_device_t:chr_file rw_term_perms; -+ dontaudit $1 unconfined_devpts_t:chr_file rw_term_perms; -+') -+ -+######################################## -+## -+## Allow apps to set rlimits on userdomain -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_set_rlimitnh',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:process rlimitinh; -+') -+ -+######################################## -+## -+## Read/write unconfined tmpfs files. -+## -+## -+##

-+## Read/write unconfined tmpfs files. -+##

-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_rw_tmpfs_files',` -+ gen_require(` -+ type unconfined_tmpfs_t; -+ ') -+ -+ fs_search_tmpfs($1) -+ allow $1 unconfined_tmpfs_t:dir list_dir_perms; -+ rw_files_pattern($1, unconfined_tmpfs_t, unconfined_tmpfs_t) -+ read_lnk_files_pattern($1, unconfined_tmpfs_t, unconfined_tmpfs_t) -+') -+ -+######################################## -+## -+## Delete unconfined tmpfs files. -+## -+## -+##

-+## Read/write unconfined tmpfs files. -+##

-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_delete_tmpfs_files',` -+ gen_require(` -+ type unconfined_tmpfs_t; -+ ') -+ -+ fs_search_tmpfs($1) -+ allow $1 unconfined_tmpfs_t:dir list_dir_perms; -+ delete_files_pattern($1, unconfined_tmpfs_t, unconfined_tmpfs_t) -+ read_lnk_files_pattern($1, unconfined_tmpfs_t, unconfined_tmpfs_t) -+') -+ -+######################################## -+## -+## Get the process group of unconfined. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_getpgid',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:process getpgid; -+') -+ -+######################################## -+## -+## Change to the unconfined role. -+## -+## -+## -+## The prefix of the user role (e.g., user -+## is the prefix for user_r). -+## -+## -+## -+# -+template(`unconfined_role_change_template',` -+ userdom_role_change_template($1, unconfined) -+') -+ -+######################################## -+## -+## Change from the unconfined role. -+## -+## -+##

-+## Change from the unconfined role to -+## the specified role. -+##

-+##

-+## This is a template to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

-+## -+## -+## -+## The prefix of the user role (e.g., user -+## is the prefix for user_r). -+## -+## -+## -+# -+template(`unconfined_role_change_to_template',` -+ userdom_role_change_template(unconfined, $1) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.13/policy/modules/system/unconfined.te ---- nsaserefpolicy/policy/modules/system/unconfined.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-10-28 11:00:08.000000000 -0400 -@@ -6,35 +6,76 @@ - # Declarations - # - -+## -+##

-+## Transition to confined nsplugin domains from unconfined user -+##

-+## -+gen_tunable(allow_unconfined_nsplugin_transition, false) -+ -+## -+##

-+## Allow unconfined domain to map low memory in the kernel -+##

-+## -+gen_tunable(allow_unconfined_mmap_low, false) -+ -+## -+##

-+## Transition to confined qemu domains from unconfined user -+##

-+## -+gen_tunable(allow_unconfined_qemu_transition, false) -+ - # usage in this module of types created by these - # calls is not correct, however we dont currently - # have another method to add access to these types --userdom_base_user_template(unconfined) --userdom_manage_home_template(unconfined) --userdom_manage_tmp_template(unconfined) --userdom_manage_tmpfs_template(unconfined) -+userdom_restricted_user_template(unconfined) -+#userdom_common_user_template(unconfined) -+#userdom_xwindows_client_template(unconfined) - - type unconfined_exec_t; - init_system_domain(unconfined_t, unconfined_exec_t) -+role unconfined_r types unconfined_t; -+ -+domain_user_exemption_target(unconfined_t) -+allow system_r unconfined_r; -+allow unconfined_r system_r; -+init_script_role_transition(unconfined_r) -+role system_r types unconfined_t; - - type unconfined_execmem_t; --type unconfined_execmem_exec_t; --init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) -+type execmem_exec_t; -+init_system_domain(unconfined_execmem_t, execmem_exec_t) - role unconfined_r types unconfined_execmem_t; -+typealias execmem_exec_t alias unconfined_execmem_exec_t; -+ -+type unconfined_notrans_t; -+type unconfined_notrans_exec_t; -+init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t) -+role unconfined_r types unconfined_notrans_t; - - ######################################## - # - # Local policy - # - --domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t) -+dontaudit unconfined_t self:dir write; -+ -+allow unconfined_t self:system syslog_read; -+dontaudit unconfined_t self:capability sys_module; -+ -+domtrans_pattern(unconfined_t, execmem_exec_t, unconfined_execmem_t) - - files_create_boot_flag(unconfined_t) -+files_create_default_dir(unconfined_t) - - mcs_killall(unconfined_t) - mcs_ptrace_all(unconfined_t) - - init_run_daemon(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+init_domtrans_script(unconfined_t) -+init_chat(unconfined_t) - - libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - -@@ -42,28 +83,39 @@ - logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - - mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+# Unconfined running as system_r -+mount_domtrans_unconfined(unconfined_t) - -+seutil_run_setsebool(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - - unconfined_domain(unconfined_t) -+domain_mmap_low(unconfined_t) - - userdom_priveleged_home_dir_manager(unconfined_t) - -+optional_policy(` -+ nsplugin_per_role_template_notrans(unconfined, unconfined_t, unconfined_r) -+ tunable_policy(`allow_unconfined_nsplugin_transition',` -+ nsplugin_domtrans_user(unconfined, unconfined_execmem_t) -+ nsplugin_domtrans_user_config(unconfined, unconfined_execmem_t) -+ nsplugin_domtrans_user(unconfined, unconfined_t) -+ nsplugin_domtrans_user_config(unconfined, unconfined_t) -+ ') -+') -+ - ifdef(`distro_gentoo',` - seutil_run_runinit(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) - seutil_init_script_run_runinit(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) - ') - - optional_policy(` -- ada_domtrans(unconfined_t) -+ ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - ') - - optional_policy(` - apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -- apache_per_role_template(unconfined, unconfined_t, unconfined_r) -- # this is disallowed usage: -- unconfined_domain(httpd_unconfined_script_t) - ') - - optional_policy(` -@@ -75,12 +127,6 @@ - ') - - optional_policy(` -- cron_per_role_template(unconfined, unconfined_t, unconfined_r) -- # this is disallowed usage: -- unconfined_domain(unconfined_crond_t) --') -- --optional_policy(` - init_dbus_chat_script(unconfined_t) - - dbus_stub(unconfined_t) -@@ -106,12 +152,24 @@ - ') - - optional_policy(` -+ gnomeclock_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` -+ kerneloops_dbus_chat(unconfined_t) -+') -+ -+optional_policy(` - networkmanager_dbus_chat(unconfined_t) - ') - - optional_policy(` - oddjob_dbus_chat(unconfined_t) - ') -+ -+optional_policy(` -+ vpnc_dbus_chat(unconfined_t) -+ ') - ') - - optional_policy(` -@@ -123,31 +181,33 @@ - ') - - optional_policy(` -- inn_domtrans(unconfined_t) -+ iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - ') - - optional_policy(` -- java_domtrans(unconfined_t) -+ java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - ') - - optional_policy(` -- lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) - ') - - optional_policy(` -- modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ livecd_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - ') - - optional_policy(` -- mono_domtrans(unconfined_t) -+ lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - ') - - optional_policy(` -- mta_per_role_template(unconfined, unconfined_t, unconfined_r) -+ modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - ') - - optional_policy(` -- oddjob_domtrans_mkhomedir(unconfined_t) -+ mono_per_role_template(unconfined, unconfined_t, unconfined_r) -+ unconfined_domain(unconfined_mono_t) -+ role system_r types unconfined_mono_t; - ') - - optional_policy(` -@@ -159,43 +219,48 @@ - ') - - optional_policy(` -- postfix_per_role_template(unconfined, unconfined_t, unconfined_r) -- postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -- # cjp: this should probably be removed: -- postfix_domtrans_master(unconfined_t) --') -+ qemu_per_role_template_notrans(unconfined, unconfined_t, unconfined_r) - -- --optional_policy(` -- pyzor_per_role_template(unconfined) -+ tunable_policy(`allow_unconfined_qemu_transition',` -+ qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ ',` -+ qemu_runas_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - ') -- --optional_policy(` -- qmail_per_role_template(unconfined, unconfined_t, unconfined_r) -+ qemu_role(unconfined_r) -+ qemu_unconfined_role(unconfined_r) - ') - - optional_policy(` -- # cjp: this should probably be removed: -- rpc_domtrans_nfsd(unconfined_t) -+ rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ # Allow SELinux aware applications to request rpm_script execution -+ rpm_transition_script(unconfined_t) -+ rpm_role_transition(unconfined_r) - ') - - optional_policy(` -- rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ cron_per_role_template(unconfined, unconfined_t, unconfined_r) -+ # this is disallowed usage: -+ unconfined_domain(unconfined_crond_t) -+ unconfined_domain(unconfined_crontab_t) -+ role system_r types unconfined_crontab_t; -+ rpm_transition_script(unconfined_crond_t) - ') - - optional_policy(` - samba_per_role_template(unconfined) -- samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ samba_run_unconfined_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ samba_run_smbcontrol(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - ') - - optional_policy(` -- spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r) -+ sendmail_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - ') - - optional_policy(` - sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - sysnet_dbus_chat_dhcpc(unconfined_t) -+ sysnet_role_transition_dhcpc(unconfined_r) - ') - - optional_policy(` -@@ -203,7 +268,7 @@ - ') - - optional_policy(` -- usermanage_run_admin_passwd(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ vbetool_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) - ') - - optional_policy(` -@@ -215,11 +280,12 @@ - ') - - optional_policy(` -- wine_domtrans(unconfined_t) -+ wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - ') - - optional_policy(` -- xserver_domtrans_xdm_xserver(unconfined_t) -+ xserver_run_xdm_xserver(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ xserver_rw_xdm_xserver_shm(unconfined_t) - ') - - ######################################## -@@ -229,14 +295,58 @@ - - allow unconfined_execmem_t self:process { execstack execmem }; - unconfined_domain_noaudit(unconfined_execmem_t) -+allow unconfined_execmem_t unconfined_t:process transition; - - optional_policy(` -- dbus_stub(unconfined_execmem_t) -- - init_dbus_chat_script(unconfined_execmem_t) -+ dbus_system_bus_client_template(unconfined_execmem, unconfined_execmem_t) - unconfined_dbus_chat(unconfined_execmem_t) -+ unconfined_dbus_connect(unconfined_execmem_t) -+') -+ -+optional_policy(` -+ avahi_dbus_chat(unconfined_execmem_t) -+') - - optional_policy(` - hal_dbus_chat(unconfined_execmem_t) - ') -+ -+optional_policy(` -+ xserver_rw_xdm_xserver_shm(unconfined_execmem_t) - ') -+ -+######################################## -+# -+# Unconfined notrans Local policy -+# -+ -+allow unconfined_notrans_t self:process { execstack execmem }; -+unconfined_domain_noaudit(unconfined_notrans_t) -+domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t) -+# Allow SELinux aware applications to request rpm_script execution -+rpm_transition_script(unconfined_notrans_t) -+domain_ptrace_all_domains(unconfined_notrans_t) -+ -+optional_policy(` -+ gen_require(` -+ type mplayer_exec_t; -+ ') -+ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t) -+') -+ -+tunable_policy(`allow_unconfined_nsplugin_transition',`', ` -+ gen_require(` -+ type mozilla_exec_t; -+ ') -+ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) -+') -+ -+optional_policy(` -+ gen_require(` -+ type openoffice_exec_t; -+ ') -+ domtrans_pattern(unconfined_t, openoffice_exec_t, unconfined_execmem_t) -+') -+ -+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.5.13/policy/modules/system/userdomain.fc ---- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/userdomain.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,4 +1,5 @@ --HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh) --HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0) -- --/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) -+HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) -+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) -+HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) -+/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) -+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if ---- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-11-03 17:15:19.000000000 -0500 -@@ -28,10 +28,14 @@ - class context contains; - ') - -- attribute $1_file_type; -+ attribute $1_usertype; - -- type $1_t, userdomain; -+ type $1_t, userdomain, $1_usertype; - domain_type($1_t) -+ ifndef(`enable_mls',` -+ # ignore user componant labeling on homedir entry -+ domain_obj_id_change_exemption($1_t) -+ ') - corecmd_shell_entry_type($1_t) - corecmd_bin_entry_type($1_t) - domain_user_exemption_target($1_t) -@@ -45,66 +49,82 @@ - type $1_tty_device_t; - term_user_tty($1_t,$1_tty_device_t) - -- allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; -- allow $1_t self:fd use; -- allow $1_t self:fifo_file rw_fifo_file_perms; -- allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; -- allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto }; -- allow $1_t self:shm create_shm_perms; -- allow $1_t self:sem create_sem_perms; -- allow $1_t self:msgq create_msgq_perms; -- allow $1_t self:msg { send receive }; -- allow $1_t self:context contains; -- dontaudit $1_t self:socket create; -+ allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; -+ allow $1_usertype $1_usertype:fd use; -+ allow $1_usertype $1_t:key { create view read write search link setattr }; -+ -+ allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms; -+ allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto }; -+ allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto }; -+ allow $1_usertype $1_usertype:shm create_shm_perms; -+ allow $1_usertype $1_usertype:sem create_sem_perms; -+ allow $1_usertype $1_usertype:msgq create_msgq_perms; -+ allow $1_usertype $1_usertype:msg { send receive }; -+ allow $1_usertype $1_usertype:context contains; -+ dontaudit $1_usertype $1_usertype:socket create; - -- allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; -- term_create_pty($1_t,$1_devpts_t) -+ allow $1_usertype $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; -+ term_create_pty($1_usertype, $1_devpts_t) - -- allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; -+ allow $1_usertype $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; - -- kernel_read_kernel_sysctls($1_t) -- kernel_dontaudit_list_unlabeled($1_t) -- kernel_dontaudit_getattr_unlabeled_files($1_t) -- kernel_dontaudit_getattr_unlabeled_symlinks($1_t) -- kernel_dontaudit_getattr_unlabeled_pipes($1_t) -- kernel_dontaudit_getattr_unlabeled_sockets($1_t) -- kernel_dontaudit_getattr_unlabeled_blk_files($1_t) -- kernel_dontaudit_getattr_unlabeled_chr_files($1_t) -+ application_exec_all($1_usertype) - -- dev_dontaudit_getattr_all_blk_files($1_t) -- dev_dontaudit_getattr_all_chr_files($1_t) -+ files_exec_usr_files($1_t) -+ -+ kernel_read_kernel_sysctls($1_usertype) -+ kernel_read_all_sysctls($1_usertype) -+ -+ kernel_dontaudit_list_unlabeled($1_usertype) -+ kernel_dontaudit_getattr_unlabeled_files($1_usertype) -+ kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype) -+ kernel_dontaudit_getattr_unlabeled_pipes($1_usertype) -+ kernel_dontaudit_getattr_unlabeled_sockets($1_usertype) -+ kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype) -+ kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype) -+ kernel_dontaudit_list_proc($1_usertype) - - # When the user domain runs ps, there will be a number of access - # denials when ps tries to search /proc. Do not audit these denials. -- domain_dontaudit_read_all_domains_state($1_t) -- domain_dontaudit_getattr_all_domains($1_t) -- domain_dontaudit_getsession_all_domains($1_t) -- -- files_read_etc_files($1_t) -- files_read_etc_runtime_files($1_t) -- files_read_usr_files($1_t) -+ domain_dontaudit_read_all_domains_state($1_usertype) -+ domain_dontaudit_getattr_all_domains($1_usertype) -+ domain_dontaudit_getsession_all_domains($1_usertype) -+ -+ files_read_etc_files($1_usertype) -+ files_read_mnt_files($1_usertype) -+ files_read_etc_runtime_files($1_usertype) -+ files_read_usr_files($1_usertype) - # Read directories and files with the readable_t type. - # This type is a general type for "world"-readable files. -- files_list_world_readable($1_t) -- files_read_world_readable_files($1_t) -- files_read_world_readable_symlinks($1_t) -- files_read_world_readable_pipes($1_t) -- files_read_world_readable_sockets($1_t) -+ files_list_world_readable($1_usertype) -+ files_read_world_readable_files($1_usertype) -+ files_read_world_readable_symlinks($1_usertype) -+ files_read_world_readable_pipes($1_usertype) -+ files_read_world_readable_sockets($1_usertype) - # old broswer_domain(): -- files_dontaudit_list_non_security($1_t) -- files_dontaudit_getattr_non_security_files($1_t) -- files_dontaudit_getattr_non_security_symlinks($1_t) -- files_dontaudit_getattr_non_security_pipes($1_t) -- files_dontaudit_getattr_non_security_sockets($1_t) -- -- libs_use_ld_so($1_t) -- libs_use_shared_libs($1_t) -- libs_exec_ld_so($1_t) -+ files_dontaudit_getattr_all_dirs($1_usertype) -+ files_dontaudit_list_non_security($1_usertype) -+ files_dontaudit_getattr_non_security_files($1_usertype) -+ files_dontaudit_getattr_non_security_symlinks($1_usertype) -+ files_dontaudit_getattr_non_security_pipes($1_usertype) -+ files_dontaudit_getattr_non_security_sockets($1_usertype) -+ -+ dev_dontaudit_getattr_all_blk_files($1_usertype) -+ dev_dontaudit_getattr_all_chr_files($1_usertype) -+ dev_getattr_mtrr_dev($1_t) -+ -+ storage_rw_fuse($1_usertype) - -- miscfiles_read_localization($1_t) -- miscfiles_read_certs($1_t) -+ auth_use_nsswitch($1_usertype) - -- sysnet_read_config($1_t) -+ libs_use_ld_so($1_usertype) -+ libs_use_shared_libs($1_usertype) -+ libs_exec_ld_so($1_usertype) -+ -+ miscfiles_read_certs($1_usertype) -+ miscfiles_read_localization($1_usertype) -+ miscfiles_read_man_pages($1_usertype) -+ miscfiles_read_public_files($1_usertype) - - tunable_policy(`allow_execmem',` - # Allow loading DSOs that require executable stack. -@@ -115,6 +135,11 @@ - # Allow making the stack executable via mprotect. - allow $1_t self:process execstack; - ') -+ -+ optional_policy(` -+ ssh_rw_stream_sockets($1_usertype) -+ ssh_delete_tmp($1_t) -+ ') - ') - - ####################################### -@@ -141,33 +166,13 @@ - # - template(`userdom_ro_home_template',` - gen_require(` -- attribute home_type, home_dir_type, $1_file_type; -+ type user_home_t, user_home_dir_t; - ') - -- # type for contents of home directory -- type $1_home_t, $1_file_type, home_type; -- files_type($1_home_t) -- files_associate_tmp($1_home_t) -- fs_associate_tmpfs($1_home_t) -- files_mountpoint($1_home_t) -- -- # type of home directory -- type $1_home_dir_t, home_dir_type, home_type; -- files_type($1_home_dir_t) -- files_mountpoint($1_home_dir_t) -- files_associate_tmp($1_home_dir_t) -- fs_associate_tmpfs($1_home_dir_t) -- files_poly_member($1_home_dir_t) -- -- ############################## -- # -- # User home directory file rules -- # -- -- allow $1_file_type $1_home_t:filesystem associate; -- -- # Rules used to associate a homedir as a mountpoint -- allow $1_home_t self:filesystem associate; -+ ifelse(`$1',`user',`',` -+ typealias user_home_t alias $1_home_t; -+ typealias user_home_dir_t alias $1_home_dir_t; -+ ') - - ############################## - # -@@ -175,13 +180,14 @@ - # - - # read-only home directory -- allow $1_t $1_home_dir_t:dir list_dir_perms; -- allow $1_t $1_home_t:dir list_dir_perms; -- allow $1_t $1_home_t:file entrypoint; -- read_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) -- read_lnk_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) -- read_fifo_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) -- read_sock_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) -+ allow $1_t user_home_dir_t:dir list_dir_perms; -+ allow $1_t user_home_t:dir list_dir_perms; -+ allow $1_t user_home_t:file entrypoint; -+ -+ read_files_pattern($1_t, { user_home_t user_home_dir_t }, user_home_t) -+ read_lnk_files_pattern($1_t, { user_home_t user_home_dir_t }, user_home_t) -+ read_fifo_files_pattern($1_t, { user_home_t user_home_dir_t }, user_home_t) -+ read_sock_files_pattern($1_t, { user_home_t user_home_dir_t }, user_home_t) - files_list_home($1_t) - - tunable_policy(`use_nfs_home_dirs',` -@@ -190,9 +196,6 @@ - fs_read_nfs_symlinks($1_t) - fs_read_nfs_named_sockets($1_t) - fs_read_nfs_named_pipes($1_t) -- ',` -- fs_dontaudit_list_nfs($1_t) -- fs_dontaudit_read_nfs_files($1_t) - ') - - tunable_policy(`use_samba_home_dirs',` -@@ -201,9 +204,6 @@ - fs_read_cifs_symlinks($1_t) - fs_read_cifs_named_sockets($1_t) - fs_read_cifs_named_pipes($1_t) -- ',` -- fs_dontaudit_list_cifs($1_t) -- fs_dontaudit_read_cifs_files($1_t) - ') - ') - -@@ -231,30 +231,14 @@ - # - template(`userdom_manage_home_template',` - gen_require(` -- attribute home_type, home_dir_type, $1_file_type; -+ attribute home_type, home_dir_type, user_home_type; -+ type user_home_t, user_home_dir_t; - ') - -- # type for contents of home directory -- type $1_home_t, $1_file_type, home_type; -- files_type($1_home_t) -- files_associate_tmp($1_home_t) -- fs_associate_tmpfs($1_home_t) -- -- # type of home directory -- type $1_home_dir_t, home_dir_type, home_type; -- files_type($1_home_dir_t) -- files_associate_tmp($1_home_dir_t) -- fs_associate_tmpfs($1_home_dir_t) -- -- ############################## -- # -- # User home directory file rules -- # -- -- allow $1_file_type $1_home_t:filesystem associate; -- -- # Rules used to associate a homedir as a mountpoint -- allow $1_home_t self:filesystem associate; -+ ifelse(`$1',`user',`',` -+ typealias user_home_t alias $1_home_t; -+ typealias user_home_dir_t alias $1_home_dir_t; -+ ') - - ############################## - # -@@ -262,43 +246,44 @@ - # - - # full control of the home directory -- allow $1_t $1_home_t:file entrypoint; -- manage_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) -- manage_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) -- manage_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) -- manage_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) -- manage_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) -- relabel_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) -- relabel_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) -- relabel_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) -- relabel_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) -- relabel_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) -- filetrans_pattern($1_t,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file }) -- files_list_home($1_t) -+ allow $1_t user_home_t:dir mounton; -+ allow $1_t user_home_t:file entrypoint; -+ -+ allow $1_usertype user_home_type:dir_file_class_set { relabelto relabelfrom }; -+ manage_dirs_pattern($1_usertype, { user_home_dir_t user_home_t }, user_home_type) -+ manage_files_pattern($1_usertype, { user_home_dir_t user_home_t }, user_home_type) -+ manage_lnk_files_pattern($1_usertype, { user_home_dir_t user_home_t }, user_home_type) -+ manage_sock_files_pattern($1_usertype, { user_home_dir_t user_home_t }, user_home_type) -+ manage_fifo_files_pattern($1_usertype, { user_home_dir_t user_home_t }, user_home_type) -+ relabel_dirs_pattern($1_usertype, { user_home_dir_t user_home_t }, user_home_type) -+ relabel_files_pattern($1_usertype, { user_home_dir_t user_home_t }, user_home_type) -+ relabel_lnk_files_pattern($1_usertype, { user_home_dir_t user_home_t }, user_home_type) -+ relabel_sock_files_pattern($1_usertype, { user_home_dir_t user_home_t }, user_home_type) -+ relabel_fifo_files_pattern($1_usertype, { user_home_dir_t user_home_t }, user_home_type) -+ filetrans_pattern($1_usertype, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) -+ files_list_home($1_usertype) - - # cjp: this should probably be removed: -- allow $1_t $1_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; -+ allow $1_usertype user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; - - tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs($1_t) -- fs_manage_nfs_files($1_t) -- fs_manage_nfs_symlinks($1_t) -- fs_manage_nfs_named_sockets($1_t) -- fs_manage_nfs_named_pipes($1_t) -- ',` -- fs_dontaudit_manage_nfs_dirs($1_t) -- fs_dontaudit_manage_nfs_files($1_t) -+ fs_mount_nfs($1_t) -+ fs_mounton_nfs($1_t) -+ fs_manage_nfs_dirs($1_usertype) -+ fs_manage_nfs_files($1_usertype) -+ fs_manage_nfs_symlinks($1_usertype) -+ fs_manage_nfs_named_sockets($1_usertype) -+ fs_manage_nfs_named_pipes($1_usertype) - ') - - tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs($1_t) -- fs_manage_cifs_files($1_t) -- fs_manage_cifs_symlinks($1_t) -- fs_manage_cifs_named_sockets($1_t) -- fs_manage_cifs_named_pipes($1_t) -- ',` -- fs_dontaudit_manage_cifs_dirs($1_t) -- fs_dontaudit_manage_cifs_files($1_t) -+ fs_mount_cifs($1_t) -+ fs_mounton_cifs($1_t) -+ fs_manage_cifs_dirs($1_usertype) -+ fs_manage_cifs_files($1_usertype) -+ fs_manage_cifs_symlinks($1_usertype) -+ fs_manage_cifs_named_sockets($1_usertype) -+ fs_manage_cifs_named_pipes($1_usertype) - ') - ') - -@@ -316,14 +301,20 @@ - ## - # - template(`userdom_exec_home_template',` -- can_exec($1_t,$1_home_t) - -- tunable_policy(`use_nfs_home_dirs',` -- fs_exec_nfs_files($1_t) -+ tunable_policy(`allow_$1_exec_content',` -+ can_exec($1_usertype, user_home_type) -+ ',` -+ dontaudit $1_usertype user_home_type:file execute; - ') - -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1_t) -+ -+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` -+ fs_exec_nfs_files($1_usertype) -+ ') -+ -+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` -+ fs_exec_cifs_files($1_usertype) - ') - ') - -@@ -341,11 +332,10 @@ - ## - # - template(`userdom_poly_home_template',` -- type_member $1_t $1_home_dir_t:dir $1_home_dir_t; -- files_poly($1_home_dir_t) -- files_poly_parent($1_home_dir_t) -- files_poly_parent($1_home_t) -- files_poly_member($1_home_t) -+ gen_require(` -+ type user_home_dir_t; -+ ') -+ type_member $1_t user_home_dir_t:dir user_home_dir_t; - ') - - ####################################### -@@ -369,18 +359,19 @@ - # - template(`userdom_manage_tmp_template',` - gen_require(` -- attribute $1_file_type; -+ type user_tmp_t; - ') - -- type $1_tmp_t, $1_file_type; -- files_tmp_file($1_tmp_t) -- -- manage_dirs_pattern($1_t,$1_tmp_t,$1_tmp_t) -- manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t) -- manage_lnk_files_pattern($1_t,$1_tmp_t,$1_tmp_t) -- manage_sock_files_pattern($1_t,$1_tmp_t,$1_tmp_t) -- manage_fifo_files_pattern($1_t,$1_tmp_t,$1_tmp_t) -- files_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file sock_file fifo_file }) -+ ifelse(`$1',`user',`',` -+ typealias user_tmp_t alias $1_tmp_t; -+ ') -+ manage_dirs_pattern($1_usertype, user_tmp_t, user_tmp_t) -+ manage_files_pattern($1_usertype, user_tmp_t, user_tmp_t) -+ manage_lnk_files_pattern($1_usertype, user_tmp_t, user_tmp_t) -+ manage_sock_files_pattern($1_usertype, user_tmp_t, user_tmp_t) -+ manage_fifo_files_pattern($1_usertype, user_tmp_t, user_tmp_t) -+ files_tmp_filetrans($1_usertype, user_tmp_t, { dir file lnk_file sock_file fifo_file }) -+ relabel_files_pattern($1_usertype, user_tmp_t, user_tmp_t) - ') - - ####################################### -@@ -396,7 +387,13 @@ - ## - # - template(`userdom_exec_tmp_template',` -- exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t) -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ tunable_policy(`allow_$1_exec_content',` -+ exec_files_pattern($1_usertype, user_tmp_t, user_tmp_t) -+ ') - ') - - ####################################### -@@ -439,18 +436,15 @@ - # - template(`userdom_manage_tmpfs_template',` - gen_require(` -- attribute $1_file_type; -+ attribute $1_usertype; -+ type user_tmpfs_t; - ') - -- type $1_tmpfs_t, $1_file_type; -- files_tmpfs_file($1_tmpfs_t) -+ ifelse(`$1',`user',`',` -+ typealias user_tmpfs_t alias $1_tmpfs_t; -+ ') - -- manage_dirs_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) -- manage_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) -- manage_lnk_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) -- manage_sock_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) -- manage_fifo_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) -- fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file }) -+ userdom_manage_tmpfs($1_usertype) - ') - - ####################################### -@@ -468,17 +462,17 @@ - # - template(`userdom_untrusted_content_template',` - gen_require(` -- attribute $1_file_type; -+ attribute user_file_type; - attribute untrusted_content_type, untrusted_content_tmp_type; - type $1_t; - ') - - # types for network-obtained content -- type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable -+ type $1_untrusted_content_t, user_file_type, untrusted_content_type; #, customizable - files_type($1_untrusted_content_t) - files_poly_member($1_untrusted_content_t) - -- type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable -+ type $1_untrusted_content_tmp_t, user_file_type, untrusted_content_tmp_type; # customizable - files_tmp_file($1_untrusted_content_tmp_t) - - # Allow user to relabel untrusted content -@@ -510,10 +504,6 @@ - ## - # - template(`userdom_exec_generic_pgms_template',` -- gen_require(` -- type $1_t; -- ') -- - corecmd_exec_bin($1_t) - ') - -@@ -531,34 +521,20 @@ - ## - # - template(`userdom_basic_networking_template',` -- gen_require(` -- type $1_t; -- ') -- -- allow $1_t self:tcp_socket create_stream_socket_perms; -- allow $1_t self:udp_socket create_socket_perms; - -- corenet_all_recvfrom_unlabeled($1_t) -- corenet_all_recvfrom_netlabel($1_t) -- corenet_tcp_sendrecv_all_if($1_t) -- corenet_udp_sendrecv_all_if($1_t) -- corenet_tcp_sendrecv_all_nodes($1_t) -- corenet_udp_sendrecv_all_nodes($1_t) -- corenet_tcp_sendrecv_all_ports($1_t) -- corenet_udp_sendrecv_all_ports($1_t) -- corenet_tcp_connect_all_ports($1_t) -- corenet_sendrecv_all_client_packets($1_t) -+ allow $1_usertype self:tcp_socket create_stream_socket_perms; -+ allow $1_usertype self:udp_socket create_socket_perms; - -- corenet_all_recvfrom_labeled($1_t, $1_t) -- -- optional_policy(` -- init_tcp_recvfrom_all_daemons($1_t) -- init_udp_recvfrom_all_daemons($1_t) -- ') -- -- optional_policy(` -- ipsec_match_default_spd($1_t) -- ') -+ corenet_all_recvfrom_unlabeled($1_usertype) -+ corenet_all_recvfrom_netlabel($1_usertype) -+ corenet_tcp_sendrecv_all_if($1_usertype) -+ corenet_udp_sendrecv_all_if($1_usertype) -+ corenet_tcp_sendrecv_all_nodes($1_usertype) -+ corenet_udp_sendrecv_all_nodes($1_usertype) -+ corenet_tcp_sendrecv_all_ports($1_usertype) -+ corenet_udp_sendrecv_all_ports($1_usertype) -+ corenet_tcp_connect_all_ports($1_usertype) -+ corenet_sendrecv_all_client_packets($1_usertype) - ') - - ####################################### -@@ -575,30 +551,33 @@ - # - template(`userdom_xwindows_client_template',` - gen_require(` -- type $1_t, $1_tmpfs_t; -+ type user_tmpfs_t; - ') - -- dev_rw_xserver_misc($1_t) -- dev_rw_power_management($1_t) -- dev_read_input($1_t) -- dev_read_misc($1_t) -- dev_write_misc($1_t) -+ dev_rwx_zero($1_usertype) -+ dev_rw_xserver_misc($1_usertype) -+ dev_rw_power_management($1_usertype) -+ dev_read_input($1_usertype) -+ dev_read_misc($1_usertype) -+ dev_write_misc($1_usertype) - # open office is looking for the following -- dev_getattr_agp_dev($1_t) -- dev_dontaudit_rw_dri($1_t) -+ dev_getattr_agp_dev($1_usertype) -+ dev_dontaudit_rw_dri($1_usertype) - # GNOME checks for usb and other devices: -- dev_rw_usbfs($1_t) -+ dev_rw_usbfs($1_usertype) -+ dev_rw_generic_usb_dev($1_usertype) - -- xserver_user_client_template($1,$1_t,$1_tmpfs_t) -- xserver_xsession_entry_type($1_t) -- xserver_dontaudit_write_log($1_t) -- xserver_stream_connect_xdm($1_t) -+ xserver_per_role_template($1, $1_usertype, $1_r) -+ xserver_xsession_entry_type($1_usertype) -+ xserver_dontaudit_write_log($1_usertype) -+ xserver_stream_connect_xdm($1_usertype) - # certain apps want to read xdm.pid file -- xserver_read_xdm_pid($1_t) -+ xserver_read_xdm_pid($1_usertype) - # gnome-session creates socket under /tmp/.ICE-unix/ -- xserver_create_xdm_tmp_sockets($1_t) -+ xserver_create_xdm_tmp_sockets($1_usertype) - # Needed for escd, remove if we get escd policy -- xserver_manage_xdm_tmp_files($1_t) -+ xserver_manage_xdm_tmp_files($1_usertype) -+ xserver_stream_connect_xdm_xserver($1_usertype) - ') - - ####################################### -@@ -629,13 +608,7 @@ - ## - ## The template for allowing the user to change roles. - ## --## --## --## The prefix of the user domain (e.g., user --## is the prefix for user_t). --## --## --## -+## - ## - ## The prefix of the user domain (e.g., user - ## is the prefix for user_t). -@@ -686,10 +659,6 @@ - - userdom_exec_generic_pgms_template($1) - -- optional_policy(` -- userdom_xwindows_client_template($1) -- ') -- - ############################## - # - # User domain Local policy -@@ -699,188 +668,199 @@ - dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; - dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; - -- allow $1_t unpriv_userdomain:fd use; -+ allow $1_usertype unpriv_userdomain:fd use; - -- kernel_read_system_state($1_t) -- kernel_read_network_state($1_t) -- kernel_read_net_sysctls($1_t) -+ kernel_read_system_state($1_usertype) -+ kernel_read_network_state($1_usertype) -+ kernel_read_net_sysctls($1_usertype) - # Very permissive allowing every domain to see every type: -- kernel_get_sysvipc_info($1_t) -+ kernel_get_sysvipc_info($1_usertype) - # Find CDROM devices: -- kernel_read_device_sysctls($1_t) -+ kernel_read_device_sysctls($1_usertype) - -- corenet_udp_bind_all_nodes($1_t) -- corenet_udp_bind_generic_port($1_t) -+ corenet_udp_bind_all_nodes($1_usertype) -+ corenet_udp_bind_generic_port($1_usertype) - -- dev_read_rand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) -+ dev_read_rand($1_usertype) -+ dev_write_sound($1_usertype) -+ dev_read_sound($1_usertype) -+ dev_read_sound_mixer($1_usertype) -+ dev_write_sound_mixer($1_usertype) - -- files_exec_etc_files($1_t) -- files_search_locks($1_t) -+ files_exec_etc_files($1_usertype) -+ files_search_locks($1_usertype) - # Check to see if cdrom is mounted -- files_search_mnt($1_t) -+ files_search_mnt($1_usertype) - # cjp: perhaps should cut back on file reads: -- files_read_var_files($1_t) -- files_read_var_symlinks($1_t) -- files_read_generic_spool($1_t) -- files_read_var_lib_files($1_t) -+ files_read_var_files($1_usertype) -+ files_read_var_symlinks($1_usertype) -+ files_read_generic_spool($1_usertype) -+ files_read_var_lib_files($1_usertype) - # Stat lost+found. -- files_getattr_lost_found_dirs($1_t) -+ files_getattr_lost_found_dirs($1_usertype) -+ files_read_config_files($1_usertype) -+ fs_read_noxattr_fs_files($1_usertype) -+ fs_read_noxattr_fs_symlinks($1_usertype) -+ -+ logging_send_syslog_msg($1_usertype) -+ logging_send_audit_msgs($1_usertype) -+ selinux_get_enforce_mode($1_usertype) - - # cjp: some of this probably can be removed -- selinux_get_fs_mount($1_t) -- selinux_validate_context($1_t) -- selinux_compute_access_vector($1_t) -- selinux_compute_create_context($1_t) -- selinux_compute_relabel_context($1_t) -- selinux_compute_user_contexts($1_t) -+ selinux_get_fs_mount($1_usertype) -+ selinux_validate_context($1_usertype) -+ selinux_compute_access_vector($1_usertype) -+ selinux_compute_create_context($1_usertype) -+ selinux_compute_relabel_context($1_usertype) -+ selinux_compute_user_contexts($1_usertype) - - # for eject -- storage_getattr_fixed_disk_dev($1_t) -+ storage_getattr_fixed_disk_dev($1_usertype) - -- auth_use_nsswitch($1_t) -- auth_read_login_records($1_t) -- auth_search_pam_console_data($1_t) -+ auth_read_login_records($1_usertype) - auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) - auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) - -- init_read_utmp($1_t) -+ init_read_utmp($1_usertype) - -- seutil_read_file_contexts($1_t) -- seutil_read_default_contexts($1_t) -+ seutil_read_file_contexts($1_usertype) -+ seutil_read_default_contexts($1_usertype) - seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) - seutil_exec_checkpolicy($1_t) -- seutil_exec_setfiles($1_t) -+ seutil_exec_setfiles($1_usertype) - # for when the network connection is killed - # this is needed when a login role can change - # to this one. - seutil_dontaudit_signal_newrole($1_t) - - tunable_policy(`read_default_t',` -- files_list_default($1_t) -- files_read_default_files($1_t) -- files_read_default_symlinks($1_t) -- files_read_default_sockets($1_t) -- files_read_default_pipes($1_t) -+ files_list_default($1_usertype) -+ files_read_default_files($1_usertype) -+ files_read_default_symlinks($1_usertype) -+ files_read_default_sockets($1_usertype) -+ files_read_default_pipes($1_usertype) - ') - - tunable_policy(`user_direct_mouse',` -- dev_read_mouse($1_t) -- ') -- -- tunable_policy(`user_ttyfile_stat',` -- term_getattr_all_user_ttys($1_t) -+ dev_read_mouse($1_usertype) - ') - - optional_policy(` -- alsa_read_rw_config($1_t) -+ alsa_read_rw_config($1_usertype) - ') - - optional_policy(` - # Allow graphical boot to check battery lifespan -- apm_stream_connect($1_t) -+ apm_stream_connect($1_usertype) - ') - - optional_policy(` -- canna_stream_connect($1_t) -+ canna_stream_connect($1_usertype) - ') - - optional_policy(` -- dbus_system_bus_client_template($1,$1_t) -+ dbus_system_bus_client_template($1, $1_usertype) - - optional_policy(` -- bluetooth_dbus_chat($1_t) -+ avahi_dbus_chat($1_usertype) - ') - - optional_policy(` -- evolution_dbus_chat($1,$1_t) -- evolution_alarm_dbus_chat($1,$1_t) -+ bluetooth_dbus_chat($1_usertype) - ') - - optional_policy(` -- cups_dbus_chat_config($1_t) -+ consolekit_dbus_chat($1_usertype) -+ consolekit_read_log($1_usertype) - ') - - optional_policy(` -- hal_dbus_chat($1_t) -+ evolution_dbus_chat($1, $1_usertype) -+ evolution_alarm_dbus_chat($1, $1_usertype) - ') - - optional_policy(` -- networkmanager_dbus_chat($1_t) -- ') -+ networkmanager_dbus_chat($1_usertype) - ') - - optional_policy(` -- inetd_use_fds($1_t) -- inetd_rw_tcp_sockets($1_t) -+ vpnc_dbus_chat($1_usertype) - ') - - optional_policy(` -- inn_read_config($1_t) -- inn_read_news_lib($1_t) -- inn_read_news_spool($1_t) -+ hal_dbus_chat($1_usertype) - ') - - optional_policy(` -- locate_read_lib_files($1_t) -+ nsplugin_per_role_template($1, $1_usertype, $1_r) -+ ') - ') - -- # for running depmod as part of the kernel packaging process - optional_policy(` -- modutils_read_module_config($1_t) -+ inetd_use_fds($1_usertype) -+ inetd_rw_tcp_sockets($1_usertype) - ') - - optional_policy(` -- mta_rw_spool($1_t) -+ inn_read_config($1_usertype) -+ inn_read_news_lib($1_usertype) -+ inn_read_news_spool($1_usertype) - ') - -- - optional_policy(` -- tunable_policy(`allow_user_mysql_connect',` -- mysql_stream_connect($1_t) -+ locate_read_lib_files($1_usertype) - ') -+ -+ # for running depmod as part of the kernel packaging process -+ optional_policy(` -+ modutils_read_module_config($1_usertype) - ') - - optional_policy(` -- # to allow monitoring of pcmcia status -- pcmcia_read_pid($1_t) -+ mta_rw_spool($1_usertype) - ') - - optional_policy(` -- pcscd_read_pub_files($1_t) -- pcscd_stream_connect($1_t) -+ alsa_read_rw_config($1_usertype) - ') - - optional_policy(` - tunable_policy(`allow_user_postgresql_connect',` -- postgresql_stream_connect($1_t) -- postgresql_tcp_connect($1_t) -+ postgresql_stream_connect($1_usertype) -+ ') -+ ') -+ -+ tunable_policy(`user_ttyfile_stat',` -+ term_getattr_all_user_ttys($1_usertype) - ') -+ -+ optional_policy(` -+ # to allow monitoring of pcmcia status -+ pcmcia_read_pid($1_usertype) - ') - - optional_policy(` -- resmgr_stream_connect($1_t) -+ pcscd_read_pub_files($1_usertype) -+ pcscd_stream_connect($1_usertype) - ') - - optional_policy(` -- rpc_dontaudit_getattr_exports($1_t) -- rpc_manage_nfs_rw_content($1_t) -+ resmgr_stream_connect($1_usertype) - ') - - optional_policy(` -- samba_stream_connect_winbind($1_t) -+ rpc_dontaudit_getattr_exports($1_usertype) -+ rpc_manage_nfs_rw_content($1_usertype) - ') - - optional_policy(` -- slrnpull_search_spool($1_t) -+ samba_stream_connect_winbind($1_usertype) - ') - - optional_policy(` -- usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) -+ slrnpull_search_spool($1_usertype) - ') -+ - ') - - ####################################### -@@ -902,9 +882,7 @@ - ## - # - template(`userdom_login_user_template', ` -- gen_require(` -- class context contains; -- ') -+ gen_tunable(allow_$1_exec_content, true) - - userdom_base_user_template($1) - -@@ -930,74 +908,77 @@ - - allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; - dontaudit $1_t self:process setrlimit; -+ - dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; - - allow $1_t self:context contains; - -- kernel_dontaudit_read_system_state($1_t) -+ kernel_dontaudit_read_system_state($1_usertype) - -- dev_read_sysfs($1_t) -- dev_read_urand($1_t) -+ dev_read_sysfs($1_usertype) -+ dev_read_urand($1_usertype) - -- domain_use_interactive_fds($1_t) -+ domain_use_interactive_fds($1_usertype) - # Command completion can fire hundreds of denials -- domain_dontaudit_exec_all_entry_files($1_t) -+ domain_dontaudit_exec_all_entry_files($1_usertype) - -- files_dontaudit_list_default($1_t) -- files_dontaudit_read_default_files($1_t) - # Stat lost+found. -- files_getattr_lost_found_dirs($1_t) -+ files_getattr_lost_found_dirs($1_usertype) - -- fs_get_all_fs_quotas($1_t) -- fs_getattr_all_fs($1_t) -- fs_getattr_all_dirs($1_t) -- fs_search_auto_mountpoints($1_t) -- fs_list_inotifyfs($1_t) -- fs_rw_anon_inodefs_files($1_t) -+ files_dontaudit_list_default($1_usertype) -+ files_dontaudit_read_default_files($1_usertype) - -- auth_dontaudit_write_login_records($1_t) -+ fs_get_all_fs_quotas($1_usertype) -+ fs_getattr_all_fs($1_usertype) -+ fs_search_all($1_usertype) -+ fs_list_inotifyfs($1_usertype) -+ fs_rw_anon_inodefs_files($1_usertype) - -- application_exec_all($1_t) -+ auth_dontaudit_write_login_records($1_t) -+ auth_rw_cache($1_t) - - # The library functions always try to open read-write first, - # then fall back to read-only if it fails. -- init_dontaudit_rw_utmp($1_t) -+ init_dontaudit_rw_utmp($1_usertype) - # Stop warnings about access to /dev/console -- init_dontaudit_use_fds($1_t) -- init_dontaudit_use_script_fds($1_t) -+ init_dontaudit_use_fds($1_usertype) -+ init_dontaudit_use_script_fds($1_usertype) - -- libs_exec_lib_files($1_t) -+ libs_exec_lib_files($1_usertype) - -- logging_dontaudit_getattr_all_logs($1_t) -+ logging_dontaudit_getattr_all_logs($1_usertype) - -- miscfiles_read_man_pages($1_t) - # for running TeX programs -- miscfiles_read_tetex_data($1_t) -- miscfiles_exec_tetex_data($1_t) -+ miscfiles_read_tetex_data($1_usertype) -+ miscfiles_exec_tetex_data($1_usertype) - -- seutil_read_config($1_t) -+ seutil_read_config($1_usertype) -+ optional_policy(` -+ cups_read_config($1_usertype) -+ cups_stream_connect($1_usertype) -+ cups_stream_connect_ptal($1_usertype) -+ ') - - optional_policy(` -- cups_read_config($1_t) -- cups_stream_connect($1_t) -- cups_stream_connect_ptal($1_t) -+ kerberos_use($1_usertype) -+ kerberos_connect_524($1_usertype) - ') - - optional_policy(` -- kerberos_use($1_t) -+ mta_dontaudit_read_spool_symlinks($1_usertype) - ') - - optional_policy(` -- mta_dontaudit_read_spool_symlinks($1_t) -+ quota_dontaudit_getattr_db($1_usertype) - ') - - optional_policy(` -- quota_dontaudit_getattr_db($1_t) -+ rpm_read_db($1_usertype) -+ rpm_dontaudit_manage_db($1_usertype) - ') - - optional_policy(` -- rpm_read_db($1_t) -- rpm_dontaudit_manage_db($1_t) -+ oddjob_run_mkhomedir($1_t, $1_r, { $1_devpts_t $1_tty_device_t }) - ') - ') - -@@ -1031,9 +1012,6 @@ - domain_interactive_fd($1_t) - - typeattribute $1_devpts_t user_ptynode; -- typeattribute $1_home_dir_t user_home_dir_type; -- typeattribute $1_home_t user_home_type; -- typeattribute $1_tmp_t user_tmpfile; - typeattribute $1_tty_device_t user_ttynode; - - ############################## -@@ -1042,12 +1020,32 @@ - # - - # privileged home directory writers -- manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) -- manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) -- manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) -- manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) -- manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) -- filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file }) -+ manage_dirs_pattern(privhome, { user_home_dir_t user_home_t }, user_home_t) -+ manage_files_pattern(privhome, { user_home_dir_t user_home_t }, user_home_t) -+ manage_lnk_files_pattern(privhome, { user_home_dir_t user_home_t }, user_home_t) -+ manage_sock_files_pattern(privhome, { user_home_dir_t user_home_t }, user_home_t) -+ manage_fifo_files_pattern(privhome, { user_home_dir_t user_home_t }, user_home_t) -+ filetrans_pattern(privhome, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) -+ -+ tunable_policy(`user_rw_noexattrfile',` -+ fs_manage_noxattr_fs_files($1_usertype) -+ fs_manage_noxattr_fs_dirs($1_usertype) -+ fs_manage_dos_dirs($1_usertype) -+ fs_manage_dos_files($1_usertype) -+ ') -+ -+ optional_policy(` -+ dbus_per_role_template($1, $1_usertype, $1_r) -+ dbus_system_bus_client_template($1, $1_usertype) -+ -+ optional_policy(` -+ consolekit_dbus_chat($1_usertype) -+ ') -+ optional_policy(` -+ cups_dbus_chat($1_usertype) -+ cups_dbus_chat_config($1_usertype) -+ ') -+ ') - - optional_policy(` - loadkeys_run($1_t,$1_r,$1_tty_device_t) -@@ -1079,7 +1077,9 @@ - - userdom_restricted_user_template($1) - -+ optional_policy(` - userdom_xwindows_client_template($1) -+ ') - - ############################## - # -@@ -1087,14 +1087,16 @@ - # - - authlogin_per_role_template($1, $1_t, $1_r) -- auth_search_pam_console_data($1_t) -+ auth_search_pam_console_data($1_usertype) - -- dev_read_sound($1_t) -- dev_write_sound($1_t) -+ dev_read_sound($1_usertype) -+ dev_write_sound($1_usertype) - # gnome keyring wants to read this. -- dev_dontaudit_read_rand($1_t) -+ dev_dontaudit_read_rand($1_usertype) -+ # temporarily allow since openoffice requires this -+ dev_read_rand($1_usertype) - -- logging_send_syslog_msg($1_t) -+ logging_send_syslog_msg($1_usertype) - logging_dontaudit_send_audit_msgs($1_t) - - # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1102,28 +1104,19 @@ - selinux_get_enforce_mode($1_t) - - optional_policy(` -- alsa_read_rw_config($1_t) -- ') -- -- optional_policy(` -- dbus_per_role_template($1, $1_t, $1_r) -- dbus_system_bus_client_template($1, $1_t) -- -- optional_policy(` -- consolekit_dbus_chat($1_t) -+ alsa_read_rw_config($1_usertype) - ') - - optional_policy(` -- cups_dbus_chat($1_t) -- ') -+ apache_per_role_template($1, $1_usertype, $1_r) - ') - - optional_policy(` -- java_per_role_template($1, $1_t, $1_r) -+ openoffice_per_role_template($1, $1_usertype, $1_r) - ') - - optional_policy(` -- setroubleshoot_dontaudit_stream_connect($1_t) -+ polkit_per_role_template($1, $1_usertype, $1_r) - ') - ') - -@@ -1134,8 +1127,7 @@ - ## - ## - ##

--## The template for creating a unprivileged user roughly --## equivalent to a regular linux user. -+## The template containing the most basic rules common to all users. - ##

- ##

- ## This template creates a user domain, types, and -@@ -1157,8 +1149,8 @@ - # Declarations - # - -+ userdom_restricted_xwindows_user_template($1) - # Inherit rules for ordinary users. -- userdom_restricted_user_template($1) - userdom_common_user_template($1) - - ############################## -@@ -1167,11 +1159,10 @@ - # - - # port access is audited even if dac would not have allowed it, so dontaudit it here -- corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) -+# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) - # Need the following rule to allow users to run vpnc - corenet_tcp_bind_xserver_port($1_t) - -- files_exec_usr_files($1_t) - # cjp: why? - files_read_kernel_symbol_table($1_t) - -@@ -1189,36 +1180,41 @@ - ') - ') - -- tunable_policy(`user_dmesg',` -- kernel_read_ring_buffer($1_t) -- ',` -- kernel_dontaudit_read_ring_buffer($1_t) -- ') -- - # Allow users to run TCP servers (bind to ports and accept connection from - # the same domain and outside users) disabling this forces FTP passive mode - # and may change other protocols - tunable_policy(`user_tcp_server',` - corenet_tcp_bind_all_nodes($1_t) -- corenet_tcp_bind_generic_port($1_t) -+ corenet_tcp_bind_all_unreserved_ports($1_t) - ') - -+ # Run pppd in pppd_t by default for user - optional_policy(` -- netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -- netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ ppp_run_cond($1_t, $1_r, { $1_tty_device_t $1_devpts_t }) - ') - - optional_policy(` -- postgresql_userdom_template($1,$1_t,$1_r) -+ games_rw_data($1_usertype) - ') - -- # Run pppd in pppd_t by default for user - optional_policy(` -- ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ mount_run($1_t, $1_r, { $1_tty_device_t $1_devpts_t }) - ') - - optional_policy(` -- setroubleshoot_stream_connect($1_t) -+ cron_per_role_template($1, $1_t, $1_r) -+ ') -+ -+ optional_policy(` -+ java_per_role_template($1, $1_t, $1_r) -+ ') -+ -+ optional_policy(` -+ mono_per_role_template($1, $1_t, $1_r) -+ ') -+ -+ optional_policy(` -+ gpg_per_role_template($1, $1_usertype, $1_r) - ') - ') - -@@ -1263,8 +1259,7 @@ - # - - # Inherit rules for ordinary users. -- userdom_login_user_template($1) -- userdom_common_user_template($1) -+ userdom_unpriv_user_template($1) - - typeattribute $1_t privhome; - domain_obj_id_change_exemption($1_t) -@@ -1295,8 +1290,6 @@ - # Manipulate other users crontab. - allow $1_t self:passwd crontab; - -- allow $1_t self:netlink_audit_socket nlmsg_readpriv; -- - kernel_read_software_raid_state($1_t) - kernel_getattr_core_if($1_t) - kernel_getattr_message_if($1_t) -@@ -1318,8 +1311,6 @@ - - dev_getattr_generic_blk_files($1_t) - dev_getattr_generic_chr_files($1_t) -- # for lsof -- dev_getattr_mtrr_dev($1_t) - # Allow MAKEDEV to work - dev_create_all_blk_files($1_t) - dev_create_all_chr_files($1_t) -@@ -1374,13 +1365,6 @@ - # But presently necessary for installing the file_contexts file. - seutil_manage_bin_policy($1_t) - -- tunable_policy(`user_rw_noexattrfile',` -- fs_manage_noxattr_fs_files($1_t) -- fs_manage_noxattr_fs_dirs($1_t) -- ',` -- fs_read_noxattr_fs_files($1_t) -- ') -- - optional_policy(` - postgresql_unconfined($1_t) - ') -@@ -1432,6 +1416,7 @@ - dev_relabel_all_dev_nodes($1) - - files_create_boot_flag($1) -+ files_create_default_dir($1) - - # Necessary for managing /boot/efi - fs_manage_dos_files($1) -@@ -1461,10 +1446,6 @@ - seutil_run_semanage($1,$2,$3) - seutil_run_setfiles($1, $2, $3) - -- staff_dontaudit_append_home_content_files($1) -- -- sysadm_dontaudit_read_home_content_files($1) -- - optional_policy(` - aide_run($1,$2, $3) - ') -@@ -1484,6 +1465,14 @@ - optional_policy(` - netlabel_run_mgmt($1,$2, $3) - ') -+ -+ optional_policy(` -+ staff_dontaudit_append_home_content_files($1) -+ ') -+ -+ optional_policy(` -+ sysadm_dontaudit_read_home_content_files($1) -+ ') - ') - - ######################################## -@@ -1741,11 +1730,15 @@ - # - template(`userdom_user_home_content',` - gen_require(` -- attribute $1_file_type; -+ attribute user_file_type; -+ attribute user_home_type; -+ attribute home_type; - ') - -- typeattribute $2 $1_file_type; -- files_type($2) -+ typeattribute $2 user_file_type; -+ typeattribute $2 user_home_type; -+ typeattribute $2 home_type; -+ files_poly_member($2) - ') - - ######################################## -@@ -1841,11 +1834,11 @@ - # - template(`userdom_search_user_home_dirs',` - gen_require(` -- type $1_home_dir_t; -+ type user_home_dir_t; - ') - - files_search_home($2) -- allow $2 $1_home_dir_t:dir search_dir_perms; -+ allow $2 user_home_dir_t:dir search_dir_perms; - ') - - ######################################## -@@ -1875,11 +1868,11 @@ - # - template(`userdom_list_user_home_dirs',` - gen_require(` -- type $1_home_dir_t; -+ type user_home_dir_t; - ') - - files_search_home($2) -- allow $2 $1_home_dir_t:dir list_dir_perms; -+ allow $2 user_home_dir_t:dir list_dir_perms; - ') - - ######################################## -@@ -1923,12 +1916,12 @@ - # - template(`userdom_user_home_domtrans',` - gen_require(` -- type $1_home_dir_t, $1_home_t; -+ type user_home_dir_t, user_home_t; - ') - - files_search_home($2) -- allow $2 $1_home_dir_t:dir search_dir_perms; -- domain_auto_trans($2,$1_home_t,$3) -+ allow $2 user_home_dir_t:dir search_dir_perms; -+ domain_auto_trans($2, user_home_t, $3) - ') - - ######################################## -@@ -1958,10 +1951,11 @@ - # - template(`userdom_dontaudit_list_user_home_dirs',` - gen_require(` -- type $1_home_dir_t; -+ type user_home_dir_t; - ') - -- dontaudit $2 $1_home_dir_t:dir list_dir_perms; -+ dontaudit $2 user_home_dir_t:dir list_dir_perms; -+ dontaudit $2 user_home_t:dir list_dir_perms; - ') - - ######################################## -@@ -1993,11 +1987,47 @@ - # - template(`userdom_manage_user_home_content_dirs',` - gen_require(` -- type $1_home_dir_t, $1_home_t; -+ type user_home_dir_t, user_home_t; -+ attribute user_home_type; - ') - - files_search_home($2) -- manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) -+ manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_t) -+') -+ -+######################################## -+##

-+## dontaudit attemps to Create files -+## in a user home subdirectory. -+## -+## -+##

-+## Create, read, write, and delete directories -+## in a user home subdirectory. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`userdom_dontaudit_create_user_home_content_files',` -+ gen_require(` -+ type user_home_dir_t; -+ ') -+ -+ dontaudit $2 user_home_dir_t:file create; - ') - - ######################################## -@@ -2029,10 +2059,10 @@ - # - template(`userdom_dontaudit_setattr_user_home_content_files',` - gen_require(` -- type $1_home_dir_t, $1_home_t; -+ type user_home_dir_t, user_home_t; - ') - -- dontaudit $2 $1_home_t:file setattr; -+ dontaudit $2 user_home_t:file setattr; - ') - - ######################################## -@@ -2062,11 +2092,11 @@ - # - template(`userdom_read_user_home_content_files',` - gen_require(` -- type $1_home_dir_t, $1_home_t; -+ type user_home_dir_t, user_home_t; - ') - - files_search_home($2) -- read_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) -+ read_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - ') - - ######################################## -@@ -2096,11 +2126,11 @@ - # - template(`userdom_dontaudit_read_user_home_content_files',` - gen_require(` -- type $1_home_t; -+ type user_home_t; - ') - -- dontaudit $2 $1_home_t:dir list_dir_perms; -- dontaudit $2 $1_home_t:file read_file_perms; -+ dontaudit $2 user_home_t:dir list_dir_perms; -+ dontaudit $2 user_home_t:file read_file_perms; - ') - - ######################################## -@@ -2130,10 +2160,14 @@ - # - template(`userdom_dontaudit_write_user_home_content_files',` - gen_require(` -- type $1_home_t; -+ type user_home_t; - ') - -- dontaudit $2 $1_home_t:file write; -+ dontaudit $2 user_home_t:file write; -+ fs_dontaudit_list_nfs($2) -+ fs_dontaudit_rw_nfs_files($2) -+ fs_dontaudit_list_cifs($2) -+ fs_dontaudit_rw_cifs_files($2) - ') - - ######################################## -@@ -2163,11 +2197,11 @@ - # - template(`userdom_read_user_home_content_symlinks',` - gen_require(` -- type $1_home_dir_t, $1_home_t; -+ type user_home_dir_t, user_home_t; - ') - - files_search_home($2) -- read_lnk_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) -+ read_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - ') - - ######################################## -@@ -2197,11 +2231,11 @@ - # - template(`userdom_exec_user_home_content_files',` - gen_require(` -- type $1_home_dir_t, $1_home_t; -+ type user_home_dir_t, user_home_t; - ') - - files_search_home($2) -- exec_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) -+ exec_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - ') - - ######################################## -@@ -2231,10 +2265,10 @@ - # - template(`userdom_dontaudit_exec_user_home_content_files',` - gen_require(` -- type $1_home_t; -+ type user_home_t; - ') - -- dontaudit $2 $1_home_t:file execute; -+ dontaudit $2 user_home_t:file execute; - ') - - ######################################## -@@ -2266,12 +2300,12 @@ - # - template(`userdom_manage_user_home_content_files',` - gen_require(` -- type $1_home_dir_t, $1_home_t; -+ type user_home_dir_t, user_home_t; - ') - - files_search_home($2) -- allow $2 $1_home_dir_t:dir search_dir_perms; -- manage_files_pattern($2,$1_home_t,$1_home_t) -+ allow $2 user_home_dir_t:dir search_dir_perms; -+ manage_files_pattern($2, user_home_t, user_home_t) - ') - - ######################################## -@@ -2303,10 +2337,10 @@ - # - template(`userdom_dontaudit_manage_user_home_content_dirs',` - gen_require(` -- type $1_home_dir_t, $1_home_t; -+ type user_home_dir_t, user_home_t; - ') - -- dontaudit $2 $1_home_t:dir manage_dir_perms; -+ dontaudit $2 user_home_t:dir manage_dir_perms; - ') - - ######################################## -@@ -2338,12 +2372,12 @@ - # - template(`userdom_manage_user_home_content_symlinks',` - gen_require(` -- type $1_home_dir_t, $1_home_t; -+ type user_home_dir_t, user_home_t; - ') - - files_search_home($2) -- allow $2 $1_home_dir_t:dir search_dir_perms; -- manage_lnk_files_pattern($2,$1_home_t,$1_home_t) -+ allow $2 user_home_dir_t:dir search_dir_perms; -+ manage_lnk_files_pattern($2, user_home_t, user_home_t) - ') - - ######################################## -@@ -2375,12 +2409,12 @@ - # - template(`userdom_manage_user_home_content_pipes',` - gen_require(` -- type $1_home_dir_t, $1_home_t; -+ type user_home_dir_t, user_home_t; - ') - - files_search_home($2) -- allow $2 $1_home_dir_t:dir search_dir_perms; -- manage_fifo_files_pattern($2,$1_home_t,$1_home_t) -+ allow $2 user_home_dir_t:dir search_dir_perms; -+ manage_fifo_files_pattern($2, user_home_t, user_home_t) - ') - - ######################################## -@@ -2412,12 +2446,12 @@ - # - template(`userdom_manage_user_home_content_sockets',` - gen_require(` -- type $1_home_dir_t, $1_home_t; -+ type user_home_dir_t, user_home_t; - ') - - files_search_home($2) -- allow $2 $1_home_dir_t:dir search_dir_perms; -- manage_sock_files_pattern($2,$1_home_t,$1_home_t) -+ allow $2 user_home_dir_t:dir search_dir_perms; -+ manage_sock_files_pattern($2, user_home_t, user_home_t) - ') - - ######################################## -@@ -2462,11 +2496,11 @@ - # - template(`userdom_user_home_dir_filetrans',` - gen_require(` -- type $1_home_dir_t; -+ type user_home_dir_t; - ') - - files_search_home($2) -- filetrans_pattern($2,$1_home_dir_t,$3,$4) -+ filetrans_pattern($2, user_home_dir_t, $3, $4) - ') - - ######################################## -@@ -2511,11 +2545,11 @@ - # - template(`userdom_user_home_content_filetrans',` - gen_require(` -- type $1_home_t; -+ type user_home_t; - ') - - files_search_home($2) -- filetrans_pattern($2,$1_home_t,$3,$4) -+ filetrans_pattern($2, user_home_t, $3, $4) - ') - - ######################################## -@@ -2555,11 +2589,11 @@ - # - template(`userdom_user_home_dir_filetrans_user_home_content',` - gen_require(` -- type $1_home_dir_t, $1_home_t; -+ type user_home_dir_t, user_home_t; - ') - - files_search_home($2) -- filetrans_pattern($2,$1_home_dir_t,$1_home_t,$3) -+ filetrans_pattern($2, user_home_dir_t, user_home_t, $3) - ') - - ######################################## -@@ -2589,11 +2623,11 @@ - # - template(`userdom_write_user_tmp_sockets',` - gen_require(` -- type $1_tmp_t; -+ type user_tmp_t; - ') - - files_search_tmp($2) -- allow $2 $1_tmp_t:sock_file write; -+ write_sock_files_pattern($2, user_tmp_t, user_tmp_t) - ') - - ######################################## -@@ -2623,11 +2657,11 @@ - # - template(`userdom_list_user_tmp',` - gen_require(` -- type $1_tmp_t; -+ type user_tmp_t; - ') - - files_search_tmp($2) -- allow $2 $1_tmp_t:dir list_dir_perms; -+ allow $2 user_tmp_t:dir list_dir_perms; - ') - - ######################################## -@@ -2659,10 +2693,10 @@ - # - template(`userdom_dontaudit_list_user_tmp',` - gen_require(` -- type $1_tmp_t; -+ type user_tmp_t; - ') - -- dontaudit $2 $1_tmp_t:dir list_dir_perms; -+ dontaudit $2 user_tmp_t:dir list_dir_perms; - ') - - ######################################## -@@ -2694,10 +2728,10 @@ - # - template(`userdom_dontaudit_manage_user_tmp_dirs',` - gen_require(` -- type $1_tmp_t; -+ type user_tmp_t; - ') - -- dontaudit $2 $1_tmp_t:dir manage_dir_perms; -+ dontaudit $2 user_tmp_t:dir manage_dir_perms; - ') - - ######################################## -@@ -2727,12 +2761,12 @@ - # - template(`userdom_read_user_tmp_files',` - gen_require(` -- type $1_tmp_t; -+ type user_tmp_t; - ') - - files_search_tmp($2) -- allow $2 $1_tmp_t:dir list_dir_perms; -- read_files_pattern($2,$1_tmp_t,$1_tmp_t) -+ allow $2 user_tmp_t:dir list_dir_perms; -+ read_files_pattern($2, user_tmp_t, user_tmp_t) - ') - - ######################################## -@@ -2764,10 +2798,10 @@ - # - template(`userdom_dontaudit_read_user_tmp_files',` - gen_require(` -- type $1_tmp_t; -+ type user_tmp_t; - ') - -- dontaudit $2 $1_tmp_t:file read_file_perms; -+ dontaudit $2 user_tmp_t:file read_file_perms; - ') - - ######################################## -@@ -2799,10 +2833,10 @@ - # - template(`userdom_dontaudit_append_user_tmp_files',` - gen_require(` -- type $1_tmp_t; -+ type user_tmp_t; - ') - -- dontaudit $2 $1_tmp_t:file append; -+ dontaudit $2 user_tmp_t:file append; - ') - - ######################################## -@@ -2832,12 +2866,12 @@ - # - template(`userdom_rw_user_tmp_files',` - gen_require(` -- type $1_tmp_t; -+ type user_tmp_t; - ') - - files_search_tmp($2) -- allow $2 $1_tmp_t:dir list_dir_perms; -- rw_files_pattern($2,$1_tmp_t,$1_tmp_t) -+ allow $2 user_tmp_t:dir list_dir_perms; -+ rw_files_pattern($2, user_tmp_t, user_tmp_t) - ') - - ######################################## -@@ -2869,10 +2903,10 @@ - # - template(`userdom_dontaudit_manage_user_tmp_files',` - gen_require(` -- type $1_tmp_t; -+ type user_tmp_t; - ') - -- dontaudit $2 $1_tmp_t:file manage_file_perms; -+ dontaudit $2 user_tmp_t:file manage_file_perms; - ') - - ######################################## -@@ -2904,12 +2938,12 @@ - # - template(`userdom_read_user_tmp_symlinks',` - gen_require(` -- type $1_tmp_t; -+ type user_tmp_t; - ') - - files_search_tmp($2) -- allow $2 $1_tmp_t:dir list_dir_perms; -- read_lnk_files_pattern($2,$1_tmp_t,$1_tmp_t) -+ allow $2 user_tmp_t:dir list_dir_perms; -+ read_lnk_files_pattern($2, user_tmp_t, user_tmp_t) - ') - - ######################################## -@@ -2941,11 +2975,11 @@ - # - template(`userdom_manage_user_tmp_dirs',` - gen_require(` -- type $1_tmp_t; -+ type user_tmp_t; - ') - - files_search_tmp($2) -- manage_dirs_pattern($2,$1_tmp_t,$1_tmp_t) -+ manage_dirs_pattern($2, user_tmp_t, user_tmp_t) - ') - - ######################################## -@@ -2977,11 +3011,11 @@ - # - template(`userdom_manage_user_tmp_files',` - gen_require(` -- type $1_tmp_t; -+ type user_tmp_t; - ') - - files_search_tmp($2) -- manage_files_pattern($2,$1_tmp_t,$1_tmp_t) -+ manage_files_pattern($2, user_tmp_t, user_tmp_t) - ') - - ######################################## -@@ -3013,11 +3047,11 @@ - # - template(`userdom_manage_user_tmp_symlinks',` - gen_require(` -- type $1_tmp_t; -+ type user_tmp_t; - ') - - files_search_tmp($2) -- manage_lnk_files_pattern($2,$1_tmp_t,$1_tmp_t) -+ manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t) - ') - - ######################################## -@@ -3049,11 +3083,11 @@ - # - template(`userdom_manage_user_tmp_pipes',` - gen_require(` -- type $1_tmp_t; -+ type user_tmp_t; - ') - - files_search_tmp($2) -- manage_fifo_files_pattern($2,$1_tmp_t,$1_tmp_t) -+ manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) - ') - - ######################################## -@@ -3085,11 +3119,11 @@ - # - template(`userdom_manage_user_tmp_sockets',` - gen_require(` -- type $1_tmp_t; -+ type user_tmp_t; - ') - - files_search_tmp($2) -- manage_sock_files_pattern($2,$1_tmp_t,$1_tmp_t) -+ manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) - ') - - ######################################## -@@ -3134,10 +3168,10 @@ - # - template(`userdom_user_tmp_filetrans',` - gen_require(` -- type $1_tmp_t; -+ type user_tmp_t; - ') - -- filetrans_pattern($2,$1_tmp_t,$3,$4) -+ filetrans_pattern($2, user_tmp_t, $3, $4) - files_search_tmp($2) - ') - -@@ -3178,19 +3212,19 @@ - # - template(`userdom_tmp_filetrans_user_tmp',` - gen_require(` -- type $1_tmp_t; -+ type user_tmp_t; - ') - -- files_tmp_filetrans($2,$1_tmp_t,$3) -+ files_tmp_filetrans($2, user_tmp_t, $3) - ') - - ######################################## - ## --## Read user tmpfs files. -+## Read/write user tmpfs files. - ## - ## - ##

--## Read user tmpfs files. -+## Read/write user tmpfs files. - ##

- ##

- ## This is a templated interface, and should only -@@ -3211,13 +3245,13 @@ - # - template(`userdom_rw_user_tmpfs_files',` - gen_require(` -- type $1_tmpfs_t; -+ type user_tmpfs_t; - ') - - fs_search_tmpfs($2) -- allow $2 $1_tmpfs_t:dir list_dir_perms; -- rw_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) -- read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) -+ allow $2 user_tmpfs_t:dir list_dir_perms; -+ rw_files_pattern($2,user_tmpfs_t,user_tmpfs_t) -+ read_lnk_files_pattern($2,user_tmpfs_t,user_tmpfs_t) - ') - - ######################################## -@@ -4616,11 +4650,11 @@ - # - interface(`userdom_search_all_users_home_dirs',` - gen_require(` -- attribute home_dir_type; -+ attribute user_home_dir_type; - ') - - files_list_home($1) -- allow $1 home_dir_type:dir search_dir_perms; -+ allow $1 user_home_dir_type:dir search_dir_perms; - ') - - ######################################## -@@ -4640,6 +4674,14 @@ - - files_list_home($1) - allow $1 home_dir_type:dir list_dir_perms; -+ -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_list_nfs($1) -+ ') -+ -+ tunable_policy(`use_samba_home_dirs',` -+ fs_list_cifs($1) -+ ') - ') - - ######################################## -@@ -4677,6 +4719,8 @@ - ') - - dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; -+ fs_dontaudit_list_nfs($1) -+ fs_dontaudit_list_cifs($1) - ') - - ######################################## -@@ -4721,6 +4765,25 @@ - - ######################################## - ##

-+## Delete all files -+## in all users home directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_delete_all_users_home_content_files',` -+ gen_require(` -+ attribute home_type; -+ ') -+ -+ delete_files_pattern($1, home_type, home_type) -+') -+ -+######################################## -+## - ## Create, read, write, and delete all files - ## in all users home directories. - ## -@@ -4946,7 +5009,7 @@ - - ######################################## - ## --## Relabel to generic user home directories. -+## Relabel to staff home directories. - ## - ## - ## -@@ -5318,7 +5381,7 @@ - - ######################################## - ## --## Read and write unprivileged user ttys. -+## Write all unprivileged users files in /tmp - ## - ## - ## -@@ -5326,18 +5389,17 @@ - ## - ## - # --interface(`userdom_use_unpriv_users_ttys',` -+interface(`userdom_manage_unpriv_users_tmp_files',` - gen_require(` -- attribute user_ttynode; -+ type user_tmp_t; - ') - -- allow $1 user_ttynode:chr_file rw_term_perms; -+ manage_files_pattern($1, user_tmp_t, user_tmp_t) - ') - - ######################################## - ## --## Do not audit attempts to use unprivileged --## user ttys. -+## Write all unprivileged users lnk_files in /tmp - ## - ## - ## -@@ -5345,17 +5407,17 @@ - ## - ## - # --interface(`userdom_dontaudit_use_unpriv_users_ttys',` -+interface(`userdom_manage_unpriv_users_tmp_symlinks',` - gen_require(` -- attribute user_ttynode; -+ type user_tmp_t; - ') - -- dontaudit $1 user_ttynode:chr_file rw_file_perms; -+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) - ') - - ######################################## - ## --## Read the process state of all user domains. -+## Read and write unprivileged user ttys. - ## - ## - ## -@@ -5363,18 +5425,18 @@ - ## - ## - # --interface(`userdom_read_all_users_state',` -+interface(`userdom_use_unpriv_users_ttys',` - gen_require(` -- attribute userdomain; -+ attribute user_ttynode; - ') - -- read_files_pattern($1,userdomain,userdomain) -- kernel_search_proc($1) -+ allow $1 user_ttynode:chr_file rw_term_perms; - ') - - ######################################## - ## --## Get the attributes of all user domains. -+## Do not audit attempts to use unprivileged -+## user ttys. - ## - ## - ## -@@ -5382,9 +5444,46 @@ - ## - ## - # --interface(`userdom_getattr_all_users',` -+interface(`userdom_dontaudit_use_unpriv_users_ttys',` - gen_require(` -- attribute userdomain; -+ attribute user_ttynode; -+ ') -+ -+ dontaudit $1 user_ttynode:chr_file rw_file_perms; -+') -+ -+######################################## -+## -+## Read the process state of all user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_read_all_users_state',` -+ gen_require(` -+ attribute userdomain; -+ ') -+ -+ ps_process_pattern($1, userdomain) -+ kernel_search_proc($1) -+') -+ -+######################################## -+## -+## Get the attributes of all user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_getattr_all_users',` -+ gen_require(` -+ attribute userdomain; - ') - - allow $1 userdomain:process getattr; -@@ -5447,6 +5546,24 @@ - - ######################################## - ## -+## Send signull to all user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_signull_all_users',` -+ gen_require(` -+ attribute userdomain; -+ ') -+ -+ allow $1 userdomain:process signull; -+') -+ -+######################################## -+## - ## Send a SIGCHLD signal to all user domains. - ## - ## -@@ -5483,6 +5600,42 @@ - - ######################################## - ## -+## Manage keys for all user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_manage_all_users_keys',` -+ gen_require(` -+ attribute userdomain; -+ ') -+ -+ allow $1 userdomain:key manage_key_perms; -+') -+ -+######################################## -+## -+## dontaudit search keys for all user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_dontaudit_search_all_users_keys',` -+ gen_require(` -+ attribute userdomain; -+ ') -+ -+ dontaudit $1 userdomain:key search; -+') -+ -+######################################## -+## - ## Send a dbus message to all user domains. - ## - ## -@@ -5513,3 +5666,546 @@ - interface(`userdom_unconfined',` - refpolicywarn(`$0($*) has been deprecated.') - ') -+ -+######################################## -+## -+## allow getattr all user file type -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`userdom_list_user_files',` -+ gen_require(` -+ attribute user_home_type; -+ ') -+ -+ allow $2 user_home_type:dir search_dir_perms; -+ allow $2 user_home_type:file getattr; -+') -+ -+######################################## -+## -+## Do not audit attempts to write to homedirs of sysadm users -+## home directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_write_sysadm_home_dirs',` -+ gen_require(` -+ type admin_home_t; -+ ') -+ -+ dontaudit $1 admin_home_t:dir write; -+') -+ -+######################################## -+## -+## Ptrace all user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`userdom_ptrace_all_users',` -+ gen_require(` -+ attribute userdomain; -+ ') -+ -+ allow $1 userdomain:process ptrace; -+') -+ -+######################################## -+## -+## unlink all unprivileged users home directory -+## files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_unlink_unpriv_users_home_content_files',` -+ gen_require(` -+ attribute user_home_dir_type, user_home_type; -+ ') -+ -+ files_search_home($1) -+ allow $1 user_home_dir_type:dir list_dir_perms; -+ allow $1 user_home_type:file unlink; -+') -+ -+######################################## -+## -+## dontaudit search all users home directory -+## files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_dontaudit_search_users_home_dirs',` -+ -+ gen_require(` -+ attribute user_home_dir_type; -+ ') -+ -+ files_search_home($1) -+ dontaudit $1 user_home_dir_type:dir search_dir_perms; -+') -+ -+ -+######################################## -+## -+## Identify specified type as being in a users home directory -+## -+## -+##

-+## Make the specified type a home type. -+##

-+## -+## -+## -+## Type to be used as a home directory type. -+## -+## -+# -+interface(`userdom_user_home_type',` -+ gen_require(` -+ attribute user_home_type; -+ attribute home_type; -+ ') -+ typeattribute $1 user_home_type; -+ typeattribute $1 home_type; -+') -+ -+######################################## -+## -+## Do not audit attempts to relabel unpriv user -+## home files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_dontaudit_relabel_unpriv_user_home_content_files',` -+ gen_require(` -+ attribute user_home_type; -+ ') -+ -+ dontaudit $1 user_home_type:file { relabelto relabelfrom }; -+') -+ -+ -+######################################## -+## -+## Mmap of unpriv user -+## home files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_mmap_unpriv_user_home_content_files',` -+ gen_require(` -+ attribute user_home_type; -+ ') -+ -+ files_search_home($1) -+ allow $1 user_home_type:file execute; -+') -+ -+######################################## -+## -+## dontaudit attempts to write to user home dir files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_dontaudit_write_unpriv_user_home_content_files',` -+ gen_require(` -+ attribute user_home_type; -+ ') -+ -+ allow $1 user_home_type:file write_file_perms; -+') -+ -+######################################## -+## -+## Allow apps to set rlimits on userdomain -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_set_rlimitnh',` -+ gen_require(` -+ attribute userdomain; -+ ') -+ allow $1 userdomain:process rlimitinh; -+') -+ -+######################################## -+## -+## Define this type as a Allow apps to set rlimits on userdomain -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`userdom_unpriv_usertype',` -+ gen_require(` -+ attribute unpriv_userdomain, userdomain; -+ attribute $1_usertype; -+ ') -+ typeattribute $2 $1_usertype; -+ typeattribute $2 unpriv_userdomain; -+ typeattribute $2 userdomain; -+ -+# optional_policy(` -+# xserver_usertype($1, $2) -+# ') -+') -+ -+ -+######################################## -+## -+## Manage and create all files in /tmp on behalf of the user -+## -+## -+##

-+## The interface for full access to the temporary directories. -+## This creates a derived type for the user -+## temporary type. Execute access is not given. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The class of the object to be created. -+## If not specified, file is used. -+## -+## -+# -+template(`userdom_transition_user_tmp',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ files_tmp_filetrans($2, user_tmp_t, $3) -+') -+ -+################################################ -+## -+## Allow unpriv users read domains system state -+## -+## -+## Allow the ps command visibility to processes in -+## the specified domain when used by an -+## unprivileged user -+## -+## -+## -+## Domain for which the ps command will have access -+## -+## -+## -+## -+# -+interface(`userdom_readable_process',` -+ gen_require(` -+ attribute unpriv_process; -+ ') -+ -+ typeattribute $1 unpriv_process; -+') -+ -+######################################## -+## -+## Read user tmpfs files. -+## -+## -+##

-+## Read user tmpfs files. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`userdom_read_user_tmpfs_files',` -+ gen_require(` -+ type user_tmpfs_t; -+ ') -+ -+ fs_search_tmpfs($2) -+ allow $2 user_tmpfs_t:dir list_dir_perms; -+ read_files_pattern($2, user_tmpfs_t, user_tmpfs_t) -+ read_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) -+') -+ -+####################################### -+## -+## The template for creating a unprivileged user roughly -+## equivalent to a regular linux user. -+## -+## -+##

-+## The template for creating a unprivileged user roughly -+## equivalent to a regular linux user. -+##

-+##

-+## This template creates a user domain, types, and -+## rules for the user's tty, pty, home directories, -+## tmp, and tmpfs files. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+# -+template(`userdom_admin_login_user_template',` -+ -+ userdom_unpriv_user_template($1) -+ -+ domain_read_all_domains_state($1_t) -+ domain_getattr_all_domains($1_t) -+ -+ files_read_kernel_modules($1_t) -+ -+ kernel_read_fs_sysctls($1_t) -+ -+ modutils_read_module_config($1_t) -+ modutils_read_module_deps($1_t) -+ -+ miscfiles_read_hwdata($1_t) -+ -+ sudo_per_role_template($1, $1_t, $1_r) -+ seutil_run_newrole($1_t, $1_r, { $1_tty_device_t $1_devpts_t }) -+ -+ optional_policy(` -+ gnomeclock_dbus_chat($1_t) -+ ') -+ -+ optional_policy(` -+ kerneloops_dbus_chat($1_t) -+ ') -+ -+ optional_policy(` -+ rpm_dbus_chat($1_t) -+ ') -+ -+ optional_policy(` -+ setroubleshoot_stream_connect($1_t) -+ ') -+ -+ optional_policy(` -+ netutils_run_ping_cond($1_t, $1_r, { $1_tty_device_t $1_devpts_t }) -+ netutils_run_traceroute_cond($1_t, $1_r, { $1_tty_device_t $1_devpts_t }) -+ ') -+') -+ -+ -+######################################## -+## -+## Relabel to all user home directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_relabel_all_home_dirs',` -+ gen_require(` -+ attribute user_home_type; -+ ') -+ -+ files_search_home($1) -+ relabel_dirs_pattern($1, user_home_type, user_home_type) -+') -+ -+######################################## -+## -+## Relabel to all user home files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_relabel_all_home_files',` -+ gen_require(` -+ attribute user_home_type; -+ ') -+ -+ files_search_home($1) -+ relabel_files_pattern($1, user_home_type, user_home_type) -+') -+ -+######################################## -+## -+## Read all users home directories symlinks. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_read_all_users_home_content_symlinks',` -+ gen_require(` -+ attribute home_type; -+ ') -+ -+ files_list_home($1) -+ read_lnk_files_pattern($1, home_type, home_type) -+') -+ -+######################################## -+## -+## delete all directories -+## in all users home directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_delete_all_users_home_content_dirs',` -+ gen_require(` -+ attribute home_type; -+ ') -+ -+ files_list_home($1) -+ delete_dirs_pattern($1, home_type, home_type) -+') -+ -+######################################## -+## -+## Delete all symlinks -+## in all users home directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_delete_all_users_home_content_symlinks',` -+ gen_require(` -+ attribute home_type; -+ ') -+ -+ files_list_home($1) -+ delete_lnk_files_pattern($1, home_type, home_type) -+') -+ -+######################################## -+## -+## Do not audit attempts to unlink to the -+## users home directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_unlink_unpriv_home_content_files',` -+ gen_require(` -+ type user_home_t; -+ ') -+ -+ dontaudit $1 user_home_t:file unlink; -+') -+ -+####################################### -+## -+## The template for creating a tmpfs type -+## that the user has full access. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_manage_tmpfs',` -+ gen_require(` -+ type user_tmpfs_t; -+ ') -+ -+ manage_dirs_pattern($1, user_tmpfs_t, user_tmpfs_t) -+ manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -+ manage_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -+ manage_sock_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -+ manage_fifo_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -+ fs_tmpfs_filetrans($1, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.5.13/policy/modules/system/userdomain.te ---- nsaserefpolicy/policy/modules/system/userdomain.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/userdomain.te 2008-10-28 10:56:19.000000000 -0400 -@@ -8,13 +8,6 @@ - - ## - ##

--## Allow users to connect to mysql --##

--## --gen_tunable(allow_user_mysql_connect,false) -- --## --##

- ## Allow users to connect to PostgreSQL - ##

- ## -@@ -29,13 +22,6 @@ - - ## - ##

--## Allow users to read system messages. --##

--## --gen_tunable(user_dmesg,false) -- --## --##

- ## Allow user to r/w files on filesystems - ## that do not have extended attributes (FAT, CDROM, FLOPPY) - ##

-@@ -58,6 +44,12 @@ - # users home directory contents - attribute home_type; - -+# Executables to be run by user -+attribute user_exec_type; -+ -+# File types owned by users -+attribute user_file_type; -+ - # The privhome attribute identifies every domain that can create files under - # regular user home directories in the regular context (IE act on behalf of - # a user in writing regular files) -@@ -81,6 +73,76 @@ - - # unprivileged user domains - attribute unpriv_userdomain; -+attribute unpriv_process; - - attribute untrusted_content_type; - attribute untrusted_content_tmp_type; -+ -+type admin_home_t, home_type; -+files_type(admin_home_t) -+files_associate_tmp(admin_home_t) -+fs_associate_tmpfs(admin_home_t) -+files_mountpoint(admin_home_t) -+ -+type user_home_t, user_file_type, user_home_type, home_type; -+files_type(user_home_t) -+files_associate_tmp(user_home_t) -+fs_associate_tmpfs(user_home_t) -+files_mountpoint(user_home_t) -+files_poly_parent(user_home_t) -+files_poly_member(user_home_t) -+ -+# type of home directory -+type user_home_dir_t, home_dir_type, user_home_dir_type, home_type; -+files_type(user_home_dir_t) -+files_mountpoint(user_home_dir_t) -+files_associate_tmp(user_home_dir_t) -+fs_associate_tmpfs(user_home_dir_t) -+files_poly(user_home_dir_t) -+files_poly_member(user_home_dir_t) -+files_poly_parent(user_home_dir_t) -+ -+type user_tmp_t, user_file_type, user_tmpfile; -+files_tmp_file(user_tmp_t) -+ -+type user_tmpfs_t, user_file_type; -+files_tmpfs_file(user_tmpfs_t) -+ -+ -+############################## -+# -+# User home directory file rules -+# -+ -+allow user_file_type user_home_t:filesystem associate; -+ -+# Rules used to associate a homedir as a mountpoint -+allow user_home_t self:filesystem associate; -+ -+tunable_policy(`allow_console_login',` -+ term_use_console(userdomain) -+') -+ -+# Allow unpriv users to read system state of unpriv processes -+read_files_pattern(unpriv_userdomain, unpriv_process, unpriv_process) -+read_lnk_files_pattern(unpriv_userdomain, unpriv_process, unpriv_process) -+allow unpriv_userdomain unpriv_process:process getattr; -+dontaudit unpriv_userdomain unpriv_process:process ptrace; -+ -+ -+tunable_policy(`use_nfs_home_dirs',` -+ manage_dirs_pattern(privhome, nfs_t, nfs_t) -+ manage_files_pattern(privhome, nfs_t, nfs_t) -+ manage_lnk_files_pattern(privhome, nfs_t, nfs_t) -+ manage_sock_files_pattern(privhome, nfs_t, nfs_t) -+ manage_fifo_files_pattern(privhome, nfs_t, nfs_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ manage_dirs_pattern(privhome, cifs_t, cifs_t) -+ manage_files_pattern(privhome, cifs_t, cifs_t) -+ manage_lnk_files_pattern(privhome, cifs_t, cifs_t) -+ manage_sock_files_pattern(privhome, cifs_t, cifs_t) -+ manage_fifo_files_pattern(privhome, cifs_t, cifs_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.5.13/policy/modules/system/xen.fc ---- nsaserefpolicy/policy/modules/system/xen.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/xen.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -20,6 +20,7 @@ - /var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) - /var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) - /var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0) -+/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) - /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) - /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.5.13/policy/modules/system/xen.if ---- nsaserefpolicy/policy/modules/system/xen.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/xen.if 2008-11-04 11:36:33.000000000 -0500 -@@ -155,7 +155,7 @@ - stream_connect_pattern($1,xenstored_var_run_t,xenstored_var_run_t,xenstored_t) - ') - --######################################## -+####################################### - ## - ## Connect to xend over an unix domain stream socket. - ## -@@ -167,11 +167,14 @@ - # - interface(`xen_stream_connect',` - gen_require(` -- type xend_t, xend_var_run_t; -+ type xend_t, xend_var_run_t, xend_var_lib_t; - ') - - files_search_pids($1) - stream_connect_pattern($1,xend_var_run_t,xend_var_run_t,xend_t) -+ -+ files_search_var_lib($1) -+ stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t) - ') - - ######################################## -@@ -191,3 +194,24 @@ - - domtrans_pattern($1,xm_exec_t,xm_t) - ') -+ -+######################################## -+## -+## Allow the specified domain to read/write -+## xend image files. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`xen_rw_image_files',` -+ gen_require(` -+ type xen_image_t, xend_var_lib_t; -+ ') -+ -+ files_list_var_lib($1) -+ allow $1 xend_var_lib_t:dir search_dir_perms; -+ rw_files_pattern($1, xen_image_t, xen_image_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.5.13/policy/modules/system/xen.te ---- nsaserefpolicy/policy/modules/system/xen.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/xen.te 2008-10-28 10:56:19.000000000 -0400 -@@ -6,6 +6,13 @@ - # Declarations - # - -+## -+##

-+## Allow xen to manage nfs files -+##

-+## -+gen_tunable(xen_use_nfs, false) -+ - # console ptys - type xen_devpts_t; - term_pty(xen_devpts_t); -@@ -42,25 +49,31 @@ - # pid files - type xend_var_run_t; - files_pid_file(xend_var_run_t) -+files_mountpoint(xend_var_run_t) - - type xenstored_t; - type xenstored_exec_t; --domain_type(xenstored_t) --domain_entry_file(xenstored_t,xenstored_exec_t) --role system_r types xenstored_t; -+init_daemon_domain(xenstored_t, xenstored_exec_t) -+ -+# tmp files -+type xenstored_tmp_t; -+files_tmp_file(xenstored_tmp_t) - - # var/lib files - type xenstored_var_lib_t; - files_type(xenstored_var_lib_t) - -+# log files -+type xenstored_var_log_t; -+logging_log_file(xenstored_var_log_t) -+ - # pid files - type xenstored_var_run_t; - files_pid_file(xenstored_var_run_t) - - type xenconsoled_t; - type xenconsoled_exec_t; --domain_type(xenconsoled_t) --domain_entry_file(xenconsoled_t,xenconsoled_exec_t) -+init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) - role system_r types xenconsoled_t; - - # pid files -@@ -95,7 +108,7 @@ - read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t) - rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t) - --allow xend_t xenctl_t:fifo_file manage_file_perms; -+allow xend_t xenctl_t:fifo_file manage_fifo_file_perms; - dev_filetrans(xend_t, xenctl_t, fifo_file) - - manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t) -@@ -103,14 +116,14 @@ - files_tmp_filetrans(xend_t, xend_tmp_t, { file dir }) - - # pid file --allow xend_t xend_var_run_t:dir setattr; -+manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t) - manage_files_pattern(xend_t,xend_var_run_t,xend_var_run_t) - manage_sock_files_pattern(xend_t,xend_var_run_t,xend_var_run_t) - manage_fifo_files_pattern(xend_t,xend_var_run_t,xend_var_run_t) --files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file fifo_file }) -+files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir }) - - # log files --allow xend_t xend_var_log_t:dir setattr; -+manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t) - manage_files_pattern(xend_t,xend_var_log_t,xend_var_log_t) - manage_sock_files_pattern(xend_t,xend_var_log_t,xend_var_log_t) - logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir }) -@@ -122,12 +135,13 @@ - manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t) - files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir }) - -+init_stream_connect_script(xend_t) -+ - # transition to store - domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) - - # transition to console --domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t) --allow xenconsoled_t xend_t:fd use; -+domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t) - - kernel_read_kernel_sysctls(xend_t) - kernel_read_system_state(xend_t) -@@ -173,6 +187,7 @@ - files_manage_etc_runtime_files(xend_t) - files_etc_filetrans_etc_runtime(xend_t,file) - files_read_usr_files(xend_t) -+files_read_default_symlinks(xend_t) - - storage_raw_read_fixed_disk(xend_t) - storage_raw_write_fixed_disk(xend_t) -@@ -204,11 +219,15 @@ - sysnet_read_dhcpc_pid(xend_t) - sysnet_rw_dhcp_config(xend_t) - -+sysadm_dontaudit_search_home_dirs(xend_t) -+ - xen_stream_connect_xenstore(xend_t) - - netutils_domtrans(xend_t) - --sysadm_dontaudit_search_home_dirs(xend_t) -+optional_policy(` -+ brctl_domtrans(xend_t) -+') - - optional_policy(` - consoletype_exec(xend_t) -@@ -242,6 +261,8 @@ - - files_read_usr_files(xenconsoled_t) - -+fs_list_tmpfs(xenconsoled_t) -+ - term_create_pty(xenconsoled_t,xen_devpts_t); - term_use_generic_ptys(xenconsoled_t) - term_use_console(xenconsoled_t) -@@ -254,7 +275,7 @@ - - miscfiles_read_localization(xenconsoled_t) - --xen_append_log(xenconsoled_t) -+xen_manage_log(xenconsoled_t) - xen_stream_connect_xenstore(xenconsoled_t) - - ######################################## -@@ -262,15 +283,25 @@ - # Xen store local policy - # - --allow xenstored_t self:capability { dac_override mknod ipc_lock }; -+allow xenstored_t self:capability { dac_override mknod ipc_lock sys_resource }; - allow xenstored_t self:unix_stream_socket create_stream_socket_perms; - allow xenstored_t self:unix_dgram_socket create_socket_perms; - -+manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) -+manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) -+files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) -+ - # pid file - manage_files_pattern(xenstored_t,xenstored_var_run_t,xenstored_var_run_t) - manage_sock_files_pattern(xenstored_t,xenstored_var_run_t,xenstored_var_run_t) - files_pid_filetrans(xenstored_t,xenstored_var_run_t, { file sock_file }) - -+# log files -+manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -+manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -+manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -+logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir }) -+ - # var/lib files for xenstored - manage_dirs_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t) - manage_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t) -@@ -321,18 +352,21 @@ - - manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t) - manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t) -+manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) - files_search_var_lib(xm_t) - - allow xm_t xen_image_t:dir rw_dir_perms; - allow xm_t xen_image_t:file read_file_perms; - allow xm_t xen_image_t:blk_file read_blk_file_perms; - --kernel_read_system_state(xm_t) - kernel_read_kernel_sysctls(xm_t) -+kernel_read_sysctl(xm_t) -+kernel_read_system_state(xm_t) - kernel_read_xen_state(xm_t) - kernel_write_xen_state(xm_t) - - corecmd_exec_bin(xm_t) -+corecmd_exec_shell(xm_t) - - corenet_tcp_sendrecv_generic_if(xm_t) - corenet_tcp_sendrecv_all_nodes(xm_t) -@@ -348,8 +382,11 @@ - - storage_raw_read_fixed_disk(xm_t) - -+fs_getattr_all_fs(xm_t) -+ - term_use_all_terms(xm_t) - -+init_stream_connect_script(xm_t) - init_rw_script_stream_sockets(xm_t) - init_use_fds(xm_t) - -@@ -360,6 +397,23 @@ - - sysnet_read_config(xm_t) - -+sysadm_dontaudit_search_home_dirs(xm_t) -+ - xen_append_log(xm_t) - xen_stream_connect(xm_t) - xen_stream_connect_xenstore(xm_t) -+ -+#Should have a boolean wrapping these -+fs_list_auto_mountpoints(xend_t) -+files_search_mnt(xend_t) -+fs_getattr_all_fs(xend_t) -+fs_read_dos_files(xend_t) -+ -+tunable_policy(`xen_use_nfs',` -+ fs_manage_nfs_files(xend_t) -+ fs_read_nfs_symlinks(xend_t) -+') -+ -+optional_policy(` -+ unconfined_domain(xend_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/policy_capabilities serefpolicy-3.5.13/policy/policy_capabilities ---- nsaserefpolicy/policy/policy_capabilities 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/policy_capabilities 2008-10-28 10:56:19.000000000 -0400 -@@ -29,4 +29,4 @@ - # chr_file: open - # blk_file: open - # --policycap open_perms; -+#policycap open_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.5.13/policy/support/obj_perm_sets.spt ---- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/support/obj_perm_sets.spt 2008-10-28 10:56:19.000000000 -0400 -@@ -59,22 +59,22 @@ - # - # Permissions for executing files. - # --define(`x_file_perms', `{ getattr open execute } refpolicywarn(`$0 is deprecated please use { getattr execute } instead.')') -+define(`x_file_perms', `{ getattr execute } refpolicywarn(`$0 is deprecated please use { getattr execute } instead.')') - - # - # Permissions for reading files and their attributes. - # --define(`r_file_perms', `{ open read getattr lock ioctl } refpolicywarn(`$0 is deprecated please use read_file_perms instead.')') -+define(`r_file_perms', `{ read getattr lock ioctl } refpolicywarn(`$0 is deprecated please use read_file_perms instead.')') - - # - # Permissions for reading and executing files. - # --define(`rx_file_perms', `{ open read getattr lock execute ioctl } refpolicywarn(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')') -+define(`rx_file_perms', `{ read getattr lock execute ioctl } refpolicywarn(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')') - - # - # Permissions for reading and appending to files. - # --define(`ra_file_perms', `{ open ioctl read getattr lock append } refpolicywarn(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')') -+define(`ra_file_perms', `{ ioctl read getattr lock append } refpolicywarn(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')') - - # - # Permissions for linking, unlinking and renaming files. -@@ -89,12 +89,17 @@ - # - # Permissions for reading directories and their attributes. - # --define(`r_dir_perms', `{ open read getattr lock search ioctl } refpolicywarn(`$0 is deprecated please use list_dir_perms instead.')') -+define(`r_dir_perms', `{ read getattr lock search ioctl } refpolicywarn(`$0 is deprecated please use list_dir_perms instead.')') -+ -+# -+# Permissions for reading and writing directories and their attributes. -+# -+define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }') - - # - # Permissions for reading and adding names to directories. - # --define(`ra_dir_perms', `{ open read getattr lock search ioctl add_name write } refpolicywarn(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')') -+define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write } refpolicywarn(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')') - - - # -@@ -182,10 +187,9 @@ - define(`getattr_dir_perms',`{ getattr }') - define(`setattr_dir_perms',`{ setattr }') - define(`search_dir_perms',`{ getattr search }') --define(`list_dir_perms',`{ getattr search open read lock ioctl }') --define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }') --define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }') --define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }') -+define(`list_dir_perms',`{ getattr search read lock ioctl }') -+define(`add_entry_dir_perms',`{ getattr search lock ioctl write add_name }') -+define(`del_entry_dir_perms',`{ getattr search lock ioctl write remove_name }') - define(`create_dir_perms',`{ getattr create }') - define(`rename_dir_perms',`{ getattr rename }') - define(`delete_dir_perms',`{ getattr rmdir }') -@@ -199,12 +203,12 @@ - # - define(`getattr_file_perms',`{ getattr }') - define(`setattr_file_perms',`{ setattr }') --define(`read_file_perms',`{ getattr open read lock ioctl }') --define(`mmap_file_perms',`{ getattr open read execute ioctl }') --define(`exec_file_perms',`{ getattr open read execute execute_no_trans }') --define(`append_file_perms',`{ getattr open append lock ioctl }') --define(`write_file_perms',`{ getattr open write append lock ioctl }') --define(`rw_file_perms',`{ getattr open read write append ioctl lock }') -+define(`read_file_perms',`{ getattr read lock ioctl }') -+define(`mmap_file_perms',`{ getattr read execute ioctl }') -+define(`exec_file_perms',`{ getattr read execute execute_no_trans }') -+define(`append_file_perms',`{ getattr append lock ioctl }') -+define(`write_file_perms',`{ getattr write append lock ioctl }') -+define(`rw_file_perms',`{ getattr read write append ioctl lock }') - define(`create_file_perms',`{ getattr create open }') - define(`rename_file_perms',`{ getattr rename }') - define(`delete_file_perms',`{ getattr unlink }') -@@ -235,10 +239,10 @@ - # - define(`getattr_fifo_file_perms',`{ getattr }') - define(`setattr_fifo_file_perms',`{ setattr }') --define(`read_fifo_file_perms',`{ getattr open read lock ioctl }') --define(`append_fifo_file_perms',`{ getattr open append lock ioctl }') --define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }') --define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }') -+define(`read_fifo_file_perms',`{ getattr read lock ioctl }') -+define(`append_fifo_file_perms',`{ getattr append lock ioctl }') -+define(`write_fifo_file_perms',`{ getattr write append lock ioctl }') -+define(`rw_fifo_file_perms',`{ getattr read write append ioctl lock }') - define(`create_fifo_file_perms',`{ getattr create open }') - define(`rename_fifo_file_perms',`{ getattr rename }') - define(`delete_fifo_file_perms',`{ getattr unlink }') -@@ -268,10 +272,10 @@ - # - define(`getattr_blk_file_perms',`{ getattr }') - define(`setattr_blk_file_perms',`{ setattr }') --define(`read_blk_file_perms',`{ getattr open read lock ioctl }') --define(`append_blk_file_perms',`{ getattr open append lock ioctl }') --define(`write_blk_file_perms',`{ getattr open write append lock ioctl }') --define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }') -+define(`read_blk_file_perms',`{ getattr read lock ioctl }') -+define(`append_blk_file_perms',`{ getattr append lock ioctl }') -+define(`write_blk_file_perms',`{ getattr write append lock ioctl }') -+define(`rw_blk_file_perms',`{ getattr read write append ioctl lock }') - define(`create_blk_file_perms',`{ getattr create }') - define(`rename_blk_file_perms',`{ getattr rename }') - define(`delete_blk_file_perms',`{ getattr unlink }') -@@ -285,10 +289,10 @@ - # - define(`getattr_chr_file_perms',`{ getattr }') - define(`setattr_chr_file_perms',`{ setattr }') --define(`read_chr_file_perms',`{ getattr open read lock ioctl }') --define(`append_chr_file_perms',`{ getattr open append lock ioctl }') --define(`write_chr_file_perms',`{ getattr open write append lock ioctl }') --define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }') -+define(`read_chr_file_perms',`{ getattr read lock ioctl }') -+define(`append_chr_file_perms',`{ getattr append lock ioctl }') -+define(`write_chr_file_perms',`{ getattr write append lock ioctl }') -+define(`rw_chr_file_perms',`{ getattr read write append ioctl lock }') - define(`create_chr_file_perms',`{ getattr create }') - define(`rename_chr_file_perms',`{ getattr rename }') - define(`delete_chr_file_perms',`{ getattr unlink }') -@@ -305,10 +309,20 @@ - # - # Use (read and write) terminals - # --define(`rw_term_perms', `{ getattr open read write ioctl }') -+define(`rw_term_perms', `{ getattr read write ioctl }') - - # - # Sockets - # - define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') - define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }') -+ -+define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap } -+') -+ -+define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ') -+define(`all_dbus_perms', `{ acquire_svc send_msg } ') -+define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ') -+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') -+ -+define(`manage_key_perms', `{ create link read search setattr view write } ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.5.13/policy/users ---- nsaserefpolicy/policy/users 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/users 2008-10-28 19:21:24.000000000 -0400 -@@ -25,11 +25,8 @@ - # permit any access to such users, then remove this entry. - # - gen_user(user_u, user, user_r, s0, s0) --gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) --gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) -- --# Until order dependence is fixed for users: --gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) -+gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) - - # - # The following users correspond to Unix identities. -@@ -38,8 +35,4 @@ - # role should use the staff_r role instead of the user_r role when - # not in the sysadm_r. - # --ifdef(`direct_sysadm_daemon',` -- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) --',` -- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) --') -+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.5.13/support/Makefile.devel ---- nsaserefpolicy/support/Makefile.devel 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/support/Makefile.devel 2008-10-28 10:56:19.000000000 -0400 -@@ -181,8 +181,7 @@ - tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te - @$(EINFO) "Compiling $(NAME) $(basename $(@F)) module" - @test -d $(@D) || mkdir -p $(@D) -- $(call peruser-expansion,$(basename $(@F)),$@.role) -- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) -+ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) - $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ - - tmp/%.mod.fc: $(m4support) %.fc diff --git a/policy-20081111.patch b/policy-20081111.patch index 968e8e7..149a3dd 100644 --- a/policy-20081111.patch +++ b/policy-20081111.patch @@ -1102,7 +1102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol java_domtrans_unconfined(rpm_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.1/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/admin/sudo.if 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/admin/sudo.if 2008-12-03 14:12:34.000000000 -0500 @@ -51,7 +51,7 @@ # @@ -1112,7 +1112,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_sudo_t self:process { setexec setrlimit }; allow $1_sudo_t self:fd use; -@@ -64,33 +64,36 @@ +@@ -64,33 +64,37 @@ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; allow $1_sudo_t self:unix_dgram_socket sendto; allow $1_sudo_t self:unix_stream_socket connectto; @@ -1137,6 +1137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand($1_sudo_t) + dev_rw_generic_usb_dev($1_sudo_t) ++ dev_list_sysfs($1_sudo_t) fs_search_auto_mountpoints($1_sudo_t) fs_getattr_xattr_fs($1_sudo_t) @@ -1153,7 +1154,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds($1_sudo_t) domain_sigchld_interactive_fds($1_sudo_t) -@@ -102,9 +105,11 @@ +@@ -102,9 +106,11 @@ files_getattr_usr_files($1_sudo_t) # for some PAM modules and for cwd files_dontaudit_search_home($1_sudo_t) @@ -1165,7 +1166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg($1_sudo_t) miscfiles_read_localization($1_sudo_t) -@@ -114,6 +119,30 @@ +@@ -114,6 +120,30 @@ userdom_manage_user_tmp_files($1_sudo_t) userdom_manage_user_tmp_symlinks($1_sudo_t) userdom_use_user_terminals($1_sudo_t) @@ -1456,8 +1457,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.1/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/apps/gnome.if 2008-11-25 09:45:43.000000000 -0500 -@@ -91,3 +91,106 @@ ++++ serefpolicy-3.6.1/policy/modules/apps/gnome.if 2008-12-03 16:50:28.000000000 -0500 +@@ -91,3 +91,131 @@ allow $1 gnome_home_t:file manage_file_perms; userdom_search_user_home_dirs($1) ') @@ -1506,6 +1507,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## read gconf config files ++## ++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++# ++template(`gnome_read_gconf_config',` ++ gen_require(` ++ type gconf_etc_t; ++ ') ++ ++ read_files_pattern($1, gconf_etc_t, gconf_etc_t) ++') ++ ++######################################## ++## +## Execute gconf programs in +## in the caller domain. +## @@ -1538,6 +1563,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + type gconf_home_t; + ') + ++ allow $1 gconf_home_t:dir list_dir_perms; + read_files_pattern($1, gconf_home_t, gconf_home_t) +') + @@ -2113,6 +2139,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_search_user_home_dirs($1) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.1/policy/modules/apps/mozilla.te +--- nsaserefpolicy/policy/modules/apps/mozilla.te 2008-11-11 16:13:42.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/apps/mozilla.te 2008-12-03 09:00:27.000000000 -0500 +@@ -105,6 +105,7 @@ + # Should not need other ports + corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t) + corenet_dontaudit_tcp_bind_generic_port(mozilla_t) ++corenet_tcp_connect_speech_port(mozilla_t) + + dev_read_urand(mozilla_t) + dev_read_rand(mozilla_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.6.1/policy/modules/apps/mplayer.fc --- nsaserefpolicy/policy/modules/apps/mplayer.fc 2008-11-11 16:13:42.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/apps/mplayer.fc 2008-11-25 09:45:43.000000000 -0500 @@ -2425,8 +2462,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.1/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/apps/nsplugin.te 2008-12-01 16:31:07.000000000 -0500 -@@ -0,0 +1,272 @@ ++++ serefpolicy-3.6.1/policy/modules/apps/nsplugin.te 2008-12-03 09:00:12.000000000 -0500 +@@ -0,0 +1,273 @@ + +policy_module(nsplugin, 1.0.0) + @@ -2511,6 +2548,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corenet_tcp_sendrecv_generic_if(nsplugin_t) +corenet_tcp_sendrecv_all_nodes(nsplugin_t) +corenet_tcp_connect_ipp_port(nsplugin_t) ++corenet_tcp_connect_speech_port(nsplugin_t) + +domain_dontaudit_read_all_domains_state(nsplugin_t) + @@ -3851,7 +3889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.1/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-11-12 09:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/kernel/corenetwork.te.in 2008-12-01 15:41:36.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/kernel/corenetwork.te.in 2008-12-03 08:59:59.000000000 -0500 @@ -65,10 +65,12 @@ type server_packet_t, packet_type, server_packet_type; @@ -3935,19 +3973,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pxe, udp,4011,s0) -@@ -160,9 +179,10 @@ +@@ -160,9 +179,11 @@ network_port(rwho, udp,513,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) -network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) +network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0) network_port(spamd, tcp,783,s0) ++network_port(speech, tcp,8036,s0) network_port(ssh, tcp,22,s0) +network_port(streaming, tcp, 1755, s0, udp, 1755, s0) network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) type socks_port_t, port_type; dnl network_port(socks) # no defined portcon type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict -@@ -171,13 +191,16 @@ +@@ -171,13 +192,16 @@ network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -4668,7 +4707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## all protocols (TCP, UDP, etc) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.1/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/kernel/domain.te 2008-12-01 16:50:59.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/kernel/domain.te 2008-12-03 15:24:41.000000000 -0500 @@ -5,6 +5,13 @@ # # Declarations @@ -9666,7 +9705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.1/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/cron.te 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/cron.te 2008-12-03 14:11:06.000000000 -0500 @@ -38,6 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -9687,12 +9726,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type crond_var_run_t; files_pid_file(crond_var_run_t) -@@ -103,6 +109,12 @@ +@@ -103,6 +109,13 @@ files_type(user_cron_spool_t) ubac_constrained(user_cron_spool_t) +type system_cronjob_var_lib_t; +files_type(system_cronjob_var_lib_t) ++typealias system_cronjob_var_lib_t alias system_crond_var_lib_t; + +type system_cronjob_var_run_t; +files_pid_file(system_cronjob_var_run_t) @@ -9700,7 +9740,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Admin crontab local policy -@@ -130,7 +142,7 @@ +@@ -130,7 +143,7 @@ # Cron daemon local policy # @@ -9709,7 +9749,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit crond_t self:capability { sys_resource sys_tty_config }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; -@@ -149,15 +161,14 @@ +@@ -149,15 +162,14 @@ allow crond_t crond_var_run_t:file manage_file_perms; files_pid_filetrans(crond_t,crond_var_run_t,file) @@ -9728,7 +9768,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(crond_t) kernel_search_key(crond_t) -@@ -183,6 +194,8 @@ +@@ -183,6 +195,8 @@ corecmd_read_bin_symlinks(crond_t) domain_use_interactive_fds(crond_t) @@ -9737,7 +9777,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(crond_t) files_read_generic_spool(crond_t) -@@ -192,10 +205,13 @@ +@@ -192,10 +206,13 @@ files_search_default(crond_t) init_rw_utmp(crond_t) @@ -9751,7 +9791,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -208,6 +224,7 @@ +@@ -208,6 +225,7 @@ userdom_list_user_home_dirs(crond_t) mta_send_mail(crond_t) @@ -9759,7 +9799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_debian',` # pam_limits is used -@@ -227,21 +244,45 @@ +@@ -227,21 +245,45 @@ ') ') @@ -9806,7 +9846,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -283,6 +324,9 @@ +@@ -283,6 +325,9 @@ allow system_cronjob_t cron_var_lib_t:file manage_file_perms; files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) @@ -9816,7 +9856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow system_cronjob_t system_cron_spool_t:file read_file_perms; # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are -@@ -314,9 +358,13 @@ +@@ -314,9 +359,13 @@ filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -9831,7 +9871,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -370,7 +418,8 @@ +@@ -370,7 +419,8 @@ init_read_utmp(system_cronjob_t) init_dontaudit_rw_utmp(system_cronjob_t) # prelink tells init to restart it self, we either need to allow or dontaudit @@ -9841,7 +9881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(system_cronjob_t) -@@ -378,6 +427,7 @@ +@@ -378,6 +428,7 @@ libs_exec_ld_so(system_cronjob_t) logging_read_generic_logs(system_cronjob_t) @@ -9849,7 +9889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(system_cronjob_t) miscfiles_read_localization(system_cronjob_t) -@@ -428,11 +478,20 @@ +@@ -428,11 +479,20 @@ ') optional_policy(` @@ -9870,7 +9910,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -460,8 +519,7 @@ +@@ -460,8 +520,7 @@ ') optional_policy(` @@ -9880,7 +9920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -469,17 +527,11 @@ +@@ -469,17 +528,11 @@ ') optional_policy(` @@ -10661,8 +10701,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.1/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/dbus.te 2008-11-25 09:45:43.000000000 -0500 -@@ -9,11 +9,11 @@ ++++ serefpolicy-3.6.1/policy/modules/services/dbus.te 2008-12-03 14:17:27.000000000 -0500 +@@ -9,14 +9,15 @@ # # Delcarations # @@ -10676,7 +10716,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type dbusd_exec_t; corecmd_executable_file(dbusd_exec_t) -@@ -31,11 +31,23 @@ ++typealias dbusd_exec_t alias system_dbusd_exec_t; + + type session_dbusd_tmp_t; + typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; +@@ -31,11 +32,23 @@ files_tmp_file(system_dbusd_tmp_t) type system_dbusd_var_lib_t; @@ -10701,7 +10745,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # System bus local policy -@@ -45,7 +57,7 @@ +@@ -45,7 +58,7 @@ # cjp: dac_override should probably go in a distro_debian allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; dontaudit system_dbusd_t self:capability sys_tty_config; @@ -10710,7 +10754,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow system_dbusd_t self:fifo_file rw_fifo_file_perms; allow system_dbusd_t self:dbus { send_msg acquire_svc }; allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; -@@ -53,6 +65,8 @@ +@@ -53,6 +66,8 @@ # Receive notifications of policy reloads and enforcing status changes. allow system_dbusd_t self:netlink_selinux_socket { create bind read }; @@ -10719,7 +10763,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) -@@ -75,6 +89,8 @@ +@@ -75,6 +90,8 @@ fs_getattr_all_fs(system_dbusd_t) fs_search_auto_mountpoints(system_dbusd_t) @@ -10728,7 +10772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_get_fs_mount(system_dbusd_t) selinux_validate_context(system_dbusd_t) -@@ -91,7 +107,6 @@ +@@ -91,7 +108,6 @@ corecmd_list_bin(system_dbusd_t) corecmd_read_bin_pipes(system_dbusd_t) corecmd_read_bin_sockets(system_dbusd_t) @@ -10736,7 +10780,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(system_dbusd_t) -@@ -101,6 +116,8 @@ +@@ -101,6 +117,8 @@ init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) @@ -10745,7 +10789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) -@@ -128,9 +145,34 @@ +@@ -128,9 +146,34 @@ ') optional_policy(` @@ -12422,7 +12466,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -#') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.1/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/mta.if 2008-11-25 14:26:16.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/mta.if 2008-12-03 16:44:26.000000000 -0500 @@ -130,6 +130,15 @@ sendmail_create_log($1_mail_t) ') @@ -12461,6 +12505,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') +@@ -612,7 +624,7 @@ + ') + + files_dontaudit_search_spool($1) +- dontaudit $1 mail_spool_t:dir search; ++ dontaudit $1 mail_spool_t:dir search_dir_perms; + dontaudit $1 mail_spool_t:lnk_file read; + dontaudit $1 mail_spool_t:file getattr; + ') @@ -665,7 +677,7 @@ files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -12749,7 +12802,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.1/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/munin.te 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/munin.te 2008-12-02 15:10:58.000000000 -0500 @@ -13,6 +13,9 @@ type munin_etc_t alias lrrd_etc_t; files_config_file(munin_etc_t) @@ -12802,7 +12855,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(munin_t) corenet_all_recvfrom_netlabel(munin_t) -@@ -73,24 +82,34 @@ +@@ -73,24 +82,35 @@ corenet_udp_sendrecv_all_nodes(munin_t) corenet_tcp_sendrecv_all_ports(munin_t) corenet_udp_sendrecv_all_ports(munin_t) @@ -12828,6 +12881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +auth_use_nsswitch(munin_t) + logging_send_syslog_msg(munin_t) ++logging_read_all_logs(munin_t) +miscfiles_read_fonts(munin_t) miscfiles_read_localization(munin_t) @@ -12838,7 +12892,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(munin_t) userdom_dontaudit_search_user_home_dirs(munin_t) -@@ -105,7 +124,21 @@ +@@ -105,7 +125,30 @@ ') optional_policy(` @@ -12849,6 +12903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + mta_read_config(munin_t) + mta_send_mail(munin_t) ++ mta_read_queue(munin_t) +') + +optional_policy(` @@ -12857,11 +12912,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ postfix_list_spool(munin_t) ++') ++ ++optional_policy(` ++ rpc_search_nfs_state_data(munin_t) ++') ++ ++optional_policy(` + sendmail_read_log(munin_t) ') optional_policy(` -@@ -115,3 +148,9 @@ +@@ -115,3 +158,10 @@ optional_policy(` udev_read_db(munin_t) ') @@ -12871,6 +12934,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) +manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.1/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.1/policy/modules/services/nagios.fc 2008-11-25 09:45:43.000000000 -0500 @@ -13904,6 +13968,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_ptmx(ntpd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.1/policy/modules/services/nx.te +--- nsaserefpolicy/policy/modules/services/nx.te 2008-11-11 16:13:47.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/nx.te 2008-12-03 14:42:01.000000000 -0500 +@@ -25,6 +25,9 @@ + type nx_server_var_run_t; + files_pid_file(nx_server_var_run_t) + ++type nx_server_home_ssh_t; ++files_type(nx_server_home_ssh_t) ++ + ######################################## + # + # NX server local policy +@@ -44,6 +47,9 @@ + manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) + files_pid_filetrans(nx_server_t, nx_server_var_run_t, file) + ++manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) ++manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) ++ + kernel_read_system_state(nx_server_t) + kernel_read_kernel_sysctls(nx_server_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.6.1/policy/modules/services/oddjob.fc --- nsaserefpolicy/policy/modules/services/oddjob.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.1/policy/modules/services/oddjob.fc 2008-11-25 09:45:43.000000000 -0500 @@ -14078,7 +14165,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.1/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/openvpn.te 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/openvpn.te 2008-12-03 10:19:06.000000000 -0500 @@ -22,6 +22,9 @@ type openvpn_etc_t; files_config_file(openvpn_etc_t) @@ -14089,7 +14176,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type openvpn_initrc_exec_t; init_script_file(openvpn_initrc_exec_t) -@@ -47,10 +50,11 @@ +@@ -40,6 +43,7 @@ + + allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config }; + allow openvpn_t self:process { signal getsched }; ++allow openvpn_t self:fifo_file rw_fifo_file_perms; + + allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; + allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto }; +@@ -47,10 +51,11 @@ allow openvpn_t self:tcp_socket server_stream_socket_perms; allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms; @@ -14103,6 +14198,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow openvpn_t openvpn_var_log_t:file manage_file_perms; logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) +@@ -99,6 +104,8 @@ + + sysnet_dns_name_resolve(openvpn_t) + sysnet_exec_ifconfig(openvpn_t) ++sysnet_write_config(openvpn_t) ++sysnet_etc_filetrans_config(openvpn_t) + + userdom_use_user_terminals(openvpn_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.fc serefpolicy-3.6.1/policy/modules/services/pads.fc --- nsaserefpolicy/policy/modules/services/pads.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/services/pads.fc 2008-11-25 09:45:43.000000000 -0500 @@ -15863,7 +15967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.1/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2008-11-11 16:13:45.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/postfix.if 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/postfix.if 2008-12-02 15:09:03.000000000 -0500 @@ -174,9 +174,8 @@ type postfix_etc_t; ') @@ -19061,13 +19165,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.1/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-11-25 09:01:08.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/spamassassin.fc 2008-11-25 14:04:31.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/spamassassin.fc 2008-12-03 14:18:14.000000000 -0500 @@ -1,15 +1,24 @@ - HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) - +-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) ++HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) ++ +/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) -+ + /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) -/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) +/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0) @@ -19180,7 +19285,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.1/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-11-25 09:01:08.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/spamassassin.te 2008-11-25 14:02:44.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/spamassassin.te 2008-12-03 09:05:00.000000000 -0500 @@ -1,5 +1,5 @@ -policy_module(spamassassin, 2.0.1) @@ -19243,7 +19348,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type spamd_spool_t; files_type(spamd_spool_t) -@@ -221,11 +257,19 @@ +@@ -159,6 +195,7 @@ + corenet_udp_sendrecv_all_ports(spamassassin_t) + corenet_tcp_connect_all_ports(spamassassin_t) + corenet_sendrecv_all_client_packets(spamassassin_t) ++ corenet_udp_bind_all_nodes(spamassassin_t) + + sysnet_read_config(spamassassin_t) + ') +@@ -221,11 +258,20 @@ manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) @@ -19257,13 +19370,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow connecting to a local spamd allow spamc_t spamd_t:unix_stream_socket connectto; allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; ++spamd_stream_connect(spamc_t) kernel_read_kernel_sysctls(spamc_t) +kernel_read_system_state(spamc_t) corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) -@@ -255,9 +299,15 @@ +@@ -255,9 +301,15 @@ files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) @@ -19279,7 +19393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -265,31 +315,34 @@ +@@ -265,31 +317,34 @@ sysnet_read_config(spamc_t) @@ -19326,7 +19440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -301,7 +354,7 @@ +@@ -301,7 +356,7 @@ # setuids to the user running spamc. Comment this if you are not # using this ability. @@ -19335,7 +19449,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -317,10 +370,13 @@ +@@ -317,10 +372,13 @@ allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; @@ -19350,7 +19464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -329,10 +385,11 @@ +@@ -329,10 +387,11 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -19363,7 +19477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) kernel_read_all_sysctls(spamd_t) -@@ -382,22 +439,27 @@ +@@ -382,22 +441,27 @@ init_dontaudit_rw_utmp(spamd_t) @@ -19395,7 +19509,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_cifs_files(spamd_t) ') -@@ -415,6 +477,7 @@ +@@ -415,6 +479,7 @@ optional_policy(` dcc_domtrans_client(spamd_t) @@ -19403,7 +19517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dcc_stream_connect_dccifd(spamd_t) ') -@@ -424,10 +487,6 @@ +@@ -424,10 +489,6 @@ ') optional_policy(` @@ -19414,7 +19528,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol postfix_read_config(spamd_t) ') -@@ -442,6 +501,10 @@ +@@ -442,6 +503,10 @@ optional_policy(` razor_domtrans(spamd_t) @@ -20360,7 +20474,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/xserver.if 2008-11-25 11:11:15.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/xserver.if 2008-12-03 16:42:08.000000000 -0500 @@ -397,11 +397,12 @@ gen_require(` type xdm_t, xdm_tmp_t; @@ -20745,7 +20859,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2008-11-18 18:57:20.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/xserver.te 2008-11-27 06:23:46.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/xserver.te 2008-12-03 16:48:20.000000000 -0500 @@ -34,6 +34,13 @@ ## @@ -20760,6 +20874,66 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow xdm logins as sysadm ##

## +@@ -65,14 +72,14 @@ + + type iceauth_t; + type iceauth_exec_t; +-typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t }; ++typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t xguest_iceauth_t }; + typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; + application_domain(iceauth_t, iceauth_exec_t) + ubac_constrained(iceauth_t) + + type iceauth_home_t; + typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; +-typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; ++typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t xguest_iceauth_home_t }; + files_poly_member(iceauth_home_t) + userdom_user_home_content(iceauth_home_t) + +@@ -112,17 +119,17 @@ + typealias user_client_xevent_t alias { auditadm_client_xevent_t secadm_client_xevent_t }; + + type user_fonts_t; +-typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; ++typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t xguest_fonts_t unconfined_fonts_t }; + typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; + userdom_user_home_content(user_fonts_t) + + type user_fonts_cache_t; +-typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t }; ++typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t xguest_fonts_cache_t unconfined_fonts_cache_t }; + typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t }; + userdom_user_home_content(user_fonts_cache_t) + + type user_fonts_config_t; +-typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t }; ++typealias user_fonts_config_t alias { fonts_config_home_t staff_fonts_config_t sysadm_fonts_config_t xguest_fonts_config_t unconfined_fonts_config_t }; + typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t }; + userdom_user_home_content(user_fonts_config_t) + +@@ -134,18 +141,18 @@ + type xauth_t; + type xauth_exec_t; + typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t }; +-typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t }; ++typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t xguest_xauth_t unconfined_xauth_t }; + application_domain(xauth_t, xauth_exec_t) + ubac_constrained(xauth_t) + + type xauth_home_t; + typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t }; +-typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t }; ++typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t xguest_xauth_home_t unconfined_xauth_home_t }; + files_poly_member(xauth_home_t) + userdom_user_home_content(xauth_home_t) + + type xauth_tmp_t; +-typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t }; ++typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t xguest_xauth_tmp_t unconfined_xauth_tmp_t }; + typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; + files_tmp_file(xauth_tmp_t) + ubac_constrained(xauth_tmp_t) @@ -166,7 +173,10 @@ files_lock_file(xdm_lock_t) @@ -20795,6 +20969,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # type for /var/lib/xkb type xkb_var_lib_t; files_type(xkb_var_lib_t) +@@ -197,12 +216,12 @@ + + type xserver_tmp_t; + typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t }; +-typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t }; ++typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; + files_tmp_file(xserver_tmp_t) + ubac_constrained(xserver_tmp_t) + + type xserver_tmpfs_t; +-typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t }; ++typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t }; + typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t }; + files_tmpfs_file(xserver_tmpfs_t) + ubac_constrained(xserver_tmpfs_t) @@ -256,6 +275,9 @@ allow xauth_t xauth_home_t:file manage_file_perms; userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file) @@ -20983,12 +21172,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -515,6 +575,22 @@ +@@ -515,12 +575,35 @@ ') optional_policy(` + # Use dbus to start other processes as xdm_t + dbus_role_template(xdm, system_r, xdm_t) ++ ++ dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms; ++ + corecmd_bin_entry_type(xdm_t) + + dbus_system_bus_client(xdm_t) @@ -21006,7 +21198,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) -@@ -542,6 +618,18 @@ + ') + + optional_policy(` ++ gnome_read_gconf_config(xdm_t) ++') ++ ++optional_policy(` + hostname_exec(xdm_t) + ') + +@@ -542,6 +625,18 @@ ') optional_policy(` @@ -21025,7 +21227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +638,8 @@ +@@ -550,8 +645,8 @@ ') optional_policy(` @@ -21035,7 +21237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -571,6 +659,10 @@ +@@ -571,6 +666,10 @@ ') optional_policy(` @@ -21046,7 +21248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -635,6 +727,15 @@ +@@ -635,6 +734,15 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -21062,7 +21264,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Create files in /var/log with the xserver_log_t type. manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) logging_log_filetrans(xserver_t, xserver_log_t,file) -@@ -682,6 +783,7 @@ +@@ -682,6 +790,7 @@ dev_rw_input_dev(xserver_t) dev_rwx_zero(xserver_t) @@ -21070,7 +21272,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_mmap_low(xserver_t) files_read_etc_files(xserver_t) -@@ -806,7 +908,7 @@ +@@ -697,6 +806,7 @@ + fs_search_nfs(xserver_t) + fs_search_auto_mountpoints(xserver_t) + fs_search_ramfs(xserver_t) ++fs_list_inotifyfs(xdm_t) + + mls_xwin_read_to_clearance(xserver_t) + +@@ -806,7 +916,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -21079,7 +21289,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -830,6 +932,10 @@ +@@ -830,6 +940,10 @@ xserver_use_user_fonts(xserver_t) @@ -21090,7 +21300,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -844,11 +950,14 @@ +@@ -844,11 +958,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -21106,7 +21316,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -856,6 +965,11 @@ +@@ -856,6 +973,11 @@ rhgb_rw_tmpfs_files(xserver_t) ') @@ -21118,7 +21328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Rules common to all X window domains -@@ -972,6 +1086,21 @@ +@@ -972,6 +1094,21 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -21140,7 +21350,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`TODO',` tunable_policy(`allow_polyinstantiation',` # xdm needs access for linking .X11-unix to poly /tmp -@@ -986,3 +1115,12 @@ +@@ -986,3 +1123,13 @@ # allow xdm_t user_home_type:file unlink; ') dnl end TODO @@ -21153,6 +21363,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +tunable_policy(`allow_execstack',` + allow xdm_t self:process { execstack execmem }; +') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.fc serefpolicy-3.6.1/policy/modules/services/zosremote.fc --- nsaserefpolicy/policy/modules/services/zosremote.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/services/zosremote.fc 2008-11-25 09:45:43.000000000 -0500 @@ -21293,7 +21504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.1/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/authlogin.if 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/authlogin.if 2008-12-03 09:10:20.000000000 -0500 @@ -43,6 +43,7 @@ interface(`auth_login_pgm_domain',` gen_require(` @@ -21378,11 +21589,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -207,19 +255,15 @@ +@@ -207,19 +255,16 @@ dev_read_rand($1) dev_read_urand($1) + auth_use_nsswitch($1) ++ auth_rw_faillog($1) + logging_send_audit_msgs($1) @@ -21402,7 +21614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -230,6 +274,29 @@ +@@ -230,6 +275,29 @@ optional_policy(` samba_stream_connect_winbind($1) ') @@ -21432,7 +21644,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -254,6 +321,7 @@ +@@ -254,6 +322,7 @@ auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -21440,7 +21652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1031,6 +1099,32 @@ +@@ -1031,6 +1100,32 @@ ######################################## ## @@ -21473,7 +21685,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Manage all files on the filesystem, except ## the shadow passwords and listed exceptions. ## -@@ -1297,6 +1391,10 @@ +@@ -1297,6 +1392,10 @@ ') optional_policy(` @@ -21484,7 +21696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol nis_use_ypbind($1) ') -@@ -1307,6 +1405,7 @@ +@@ -1307,6 +1406,7 @@ optional_policy(` samba_stream_connect_winbind($1) samba_read_var_files($1) @@ -21492,7 +21704,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1341,3 +1440,61 @@ +@@ -1341,3 +1441,61 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -22640,7 +22852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.1/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2008-11-18 18:57:21.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/logging.if 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/logging.if 2008-12-02 15:03:25.000000000 -0500 @@ -707,6 +707,8 @@ files_search_var($1) manage_files_pattern($1,logfile,logfile) @@ -24098,7 +24310,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.1/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/sysnetwork.if 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/sysnetwork.if 2008-12-03 10:18:59.000000000 -0500 @@ -192,7 +192,25 @@ type dhcpc_state_t; ') @@ -24786,7 +24998,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.1/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/unconfined.te 2008-12-02 14:32:40.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/unconfined.te 2008-12-03 14:30:00.000000000 -0500 @@ -6,35 +6,76 @@ # Declarations # @@ -25053,7 +25265,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -218,14 +289,58 @@ +@@ -218,14 +289,60 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -25078,7 +25290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + xserver_rw_shm(unconfined_execmem_t) - ') ++') + +######################################## +# @@ -25099,11 +25311,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t) +') + ++optional_policy(` +tunable_policy(`allow_unconfined_nsplugin_transition',`', ` + gen_require(` + type mozilla_exec_t; + ') + domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) + ') +') + +optional_policy(` @@ -25116,14 +25330,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.1/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/userdomain.fc 2008-11-25 09:45:43.000000000 -0500 -@@ -1,4 +1,5 @@ ++++ serefpolicy-3.6.1/policy/modules/system/userdomain.fc 2008-12-03 14:15:33.000000000 -0500 +@@ -1,4 +1,7 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) - /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) ++/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) ++/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-02 14:58:08.000000000 -0500 @@ -27016,7 +27232,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.1/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.6.1/policy/support/obj_perm_sets.spt 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/support/obj_perm_sets.spt 2008-12-03 15:26:17.000000000 -0500 +@@ -179,20 +179,20 @@ + # + # Directory (dir) + # +-define(`getattr_dir_perms',`{ getattr }') +-define(`setattr_dir_perms',`{ setattr }') +-define(`search_dir_perms',`{ getattr search }') ++define(`getattr_dir_perms',`{ getattr open }') ++define(`setattr_dir_perms',`{ setattr open }') ++define(`search_dir_perms',`{ getattr search open }') + define(`list_dir_perms',`{ getattr search open read lock ioctl }') + define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }') + define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }') + define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }') +-define(`create_dir_perms',`{ getattr create }') +-define(`rename_dir_perms',`{ getattr rename }') +-define(`delete_dir_perms',`{ getattr rmdir }') ++define(`create_dir_perms',`{ getattr create open }') ++define(`rename_dir_perms',`{ getattr rename open }') ++define(`delete_dir_perms',`{ getattr rmdir open }') + define(`manage_dir_perms',`{ create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }') +-define(`relabelfrom_dir_perms',`{ getattr relabelfrom }') +-define(`relabelto_dir_perms',`{ getattr relabelto }') +-define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }') ++define(`relabelfrom_dir_perms',`{ getattr open relabelfrom }') ++define(`relabelto_dir_perms',`{ getattr open relabelto }') ++define(`relabel_dir_perms',`{ getattr open relabelfrom relabelto }') + + # + # Regular file (file) @@ -312,3 +312,13 @@ # define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') diff --git a/selinux-policy.spec b/selinux-policy.spec index beca6df..10b1803 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.1 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -446,6 +446,9 @@ exit 0 %endif %changelog +* Wed Dec 3 2008 Dan Walsh 3.6.1-3 +- Cleanup policy + * Mon Dec 01 2008 Ignacio Vazquez-Abrams - 3.6.1-2 - Rebuild for Python 2.6