From 82f7df57c3206499844c0f8c7b3f786b3b4123de Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 07 2009 22:37:55 +0000 Subject: - Dontaudit exec of fusermount from xguest - Allow licrd to use mouse_device - Allow sysadm_t to connect to zebra stream socket - Dontaudit policykit_auth trying to config terminal - Allow logrotate and asterisk to execute asterisk - Allow logrotate to read var_lib files (zope) and connect to fail2ban stream - Allow firewallgui to communicate with unconfined_t - Allow podsleuth to ask the kernel to load modules - Fix labeling on vhostmd scripts - Remove transition from unconfined_t to windbind_helper_t - Allow abrt_helper to look at inotify - Fix labels for mythtv - Allow apache to signal sendmail - allow asterisk to send mail - Allow rpcd to get and setcap - Add tor_bind_all_unreserved_ports boolean - Add policy for vhostmd - MOre textrel_shlib_t files - Add rw_herited_term_perms --- diff --git a/modules-minimum.conf b/modules-minimum.conf index 22ee2d8..664a9c8 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -1572,10 +1572,18 @@ unconfined = module # Layer: services # Module: ulogd # -# +# netfilter/iptables ULOG daemon # ulogd = module +# Layer: services +# Module: vhostmd +# +# vhostmd - A metrics gathering daemon +# +vhostmd = module + + # Layer: apps # Module: wine # diff --git a/modules-targeted.conf b/modules-targeted.conf index 22ee2d8..664a9c8 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1572,10 +1572,18 @@ unconfined = module # Layer: services # Module: ulogd # -# +# netfilter/iptables ULOG daemon # ulogd = module +# Layer: services +# Module: vhostmd +# +# vhostmd - A metrics gathering daemon +# +vhostmd = module + + # Layer: apps # Module: wine # diff --git a/policy-F12.patch b/policy-F12.patch index 1a930b7..f13ab3d 100644 --- a/policy-F12.patch +++ b/policy-F12.patch 
@@ -298,7 +298,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.32/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te 2009-12-03 13:45:10.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te 2009-12-07 16:23:11.000000000 -0500 @@ -32,7 +32,7 @@ # Change ownership on log files. allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; @@ -308,7 +308,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -@@ -116,8 +116,9 @@ +@@ -63,6 +63,7 @@ + create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) + manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) + files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) ++files_read_var_lib_files(logrotate_t) + + kernel_read_system_state(logrotate_t) + kernel_read_kernel_sysctls(logrotate_t) +@@ -116,8 +117,9 @@ seutil_dontaudit_read_config(logrotate_t) userdom_use_user_terminals(logrotate_t) @@ -319,7 +327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(logrotate_t, logrotate_exec_t) cron_search_spool(logrotate_t) -@@ -137,6 +138,10 @@ +@@ -137,6 +139,10 @@ ') optional_policy(` @@ -330,10 +338,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol acct_domtrans(logrotate_t) acct_manage_data(logrotate_t) acct_exec_data(logrotate_t) -@@ -149,6 +154,14 @@ +@@ -149,6 +155,15 @@ ') optional_policy(` ++ asterisk_exec(logrotate_t) + asterisk_stream_connect(logrotate_t) +') + 
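Review bot: `files_read_var_lib_files(logrotate_t)` in the logrotate.te part of this hunk (`@@ -63,6 +63,7 @@`) grants read access to every file labeled with the generic `var_lib_t` type, while the commit message motivates it only with zope; if a zope-specific interface exists it would keep the grant to the files logrotate actually rotates. If no narrower interface is available, a comment tying the line to its cause, `# zope keeps its rotated logs under /var/lib with the generic label; broader than ideal`, would at least record why a whole-of-/var/lib read was chosen (presumed reason — confirm against the denial). The `optional_policy` blocks quoted further down in this hunk begin and end outside the visible context.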
@@ -345,7 +354,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consoletype_exec(logrotate_t) ') -@@ -183,6 +196,10 @@ +@@ -157,6 +172,10 @@ + ') + + optional_policy(` ++ fail2ban_stream_connect(logrotate_t) ++') ++ ++optional_policy(` + hostname_exec(logrotate_t) + ') + +@@ -183,6 +202,10 @@ ') optional_policy(` @@ -2401,11 +2421,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.6.32/policy/modules/apps/firewallgui.if --- nsaserefpolicy/policy/modules/apps/firewallgui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.if 2009-12-03 13:45:10.000000000 -0500 -@@ -0,0 +1,3 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.if 2009-12-06 10:19:32.000000000 -0500 +@@ -0,0 +1,23 @@ + +## policy for firewallgui + ++######################################## ++## ++## Send and receive messages from ++## firewallgui over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`firewallgui_dbus_chat',` ++ gen_require(` ++ type firewallgui_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 firewallgui_t:dbus send_msg; ++ allow firewallgui_t $1:dbus send_msg; ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.6.32/policy/modules/apps/firewallgui.te --- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.te 2009-12-03 13:45:10.000000000 -0500 
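Review bot: `fail2ban_stream_connect(logrotate_t)` in the logrotate.te part of this hunk (`@@ -157,6 +172,10 @@`) connects logrotate to the same unix socket that fail2ban-client uses for administrative commands, not just a log-reopen notification, and nothing in the hunk records which postrotate action needs it. A one-line comment inside the new `optional_policy` block, `# postrotate hook tells fail2ban its logs were rotated`, would make the grant reviewable later (presumed purpose — confirm against the logrotate snippet fail2ban ships). The interface itself is added to fail2ban.if further down in this patch.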
@@ -4443,8 +4483,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +application_domain(openoffice_t, openoffice_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.32/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/podsleuth.te 2009-12-03 13:45:10.000000000 -0500 -@@ -66,11 +66,14 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/podsleuth.te 2009-12-06 06:05:01.000000000 -0500 +@@ -50,6 +50,7 @@ + fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file }) + + kernel_read_system_state(podsleuth_t) ++kernel_request_load_module(podsleuth_t) + + corecmd_exec_bin(podsleuth_t) + +@@ -66,11 +67,14 @@ fs_search_dos(podsleuth_t) fs_getattr_tmpfs(podsleuth_t) fs_list_tmpfs(podsleuth_t) @@ -6017,7 +6065,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2009-12-03 13:45:10.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2009-12-06 11:18:47.000000000 -0500 @@ -1,4 +1,4 @@ - +c 
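Review bot: `kernel_request_load_module(podsleuth_t)` in the podsleuth.te hunk (`@@ -50,6 +50,7 @@`) lets the domain ask the kernel to autoload modules by alias, a larger grant than the neighbouring filesystem and bin-exec rules, and the hunk does not say what triggers it. If a specific module is needed when a device is probed (presumably a filesystem or driver), a comment above the line, `# autoload the fs/driver module needed when probing an attached device — confirm which`, would record it; if the request is merely noisy rather than required, a dontaudit counterpart, where the policy provides one, would silence it without granting it.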
@@ -6082,7 +6130,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -221,6 +229,9 @@ +@@ -221,12 +229,16 @@ /usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) @@ -6092,7 +6140,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -263,6 +274,7 @@ + /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/turboprint/lib(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) + +@@ -263,6 +275,7 @@ /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) 
@@ -6100,7 +6156,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0) -@@ -315,3 +327,21 @@ +@@ -315,3 +328,21 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -7218,7 +7274,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-12-03 13:48:14.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-12-05 18:26:09.000000000 -0500 @@ -110,6 +110,11 @@ ## # @@ -8556,7 +8612,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.32/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-12-03 13:45:10.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-12-05 06:22:07.000000000 -0500 @@ -196,7 +196,7 @@ dev_list_all_dev_nodes($1) 
@@ -8628,7 +8684,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Read and write the controlling -@@ -991,10 +1029,12 @@ +@@ -774,7 +812,26 @@ + attribute ptynode; + ') + +- dontaudit $1 ptynode:chr_file { rw_term_perms lock append }; ++ dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append }; ++') ++ ++######################################## ++## ++## Do not audit attempts to read any ++## server ptys. ++## ++## ++## ++## The type of the process to not audit. ++## ++## ++# ++interface(`term_dontaudit_use_all_server_ptys',` ++ gen_require(` ++ attribute ptynode; ++ ') ++ ++ dontaudit $1 server_ptynode:chr_file { rw_inherited_term_perms lock append }; + ') + + ######################################## +@@ -991,10 +1048,12 @@ interface(`term_use_unallocated_ttys',` gen_require(` type tty_device_t; @@ -8641,7 +8725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1011,8 +1051,10 @@ +@@ -1011,8 +1070,10 @@ interface(`term_dontaudit_use_unallocated_ttys',` gen_require(` type tty_device_t; @@ -8682,8 +8766,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +gen_user(guest_u, user, guest_r, s0, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.32/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/roles/staff.te 2009-12-03 13:45:10.000000000 -0500 -@@ -10,161 +10,117 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/staff.te 2009-12-06 10:20:16.000000000 -0500 +@@ -10,161 +10,121 @@ userdom_unpriv_user_template(staff) 
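Review bot: The new `term_dontaudit_use_all_server_ptys` interface in the terminal.if hunk (`@@ -774,7 +812,26 @@`) requires `attribute ptynode;` but its rule references `server_ptynode`, so the `gen_require` does not declare the attribute the interface actually uses and a module that calls it without its own require for `server_ptynode` will fail to build. The require block should read `attribute server_ptynode;`. The same hunk switches `term_dontaudit_use_all_ptys` to `rw_inherited_term_perms`; that permission set's definition is not in this chunk, so confirm it is added alongside (the commit message lists it).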
@@ -8722,129 +8806,130 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - dbus_role_template(staff, staff_r, staff_t) -') -- --optional_policy(` -- ethereal_role(staff_r, staff_t) --') -- --optional_policy(` -- evolution_role(staff_r, staff_t) --') -- --optional_policy(` -- games_role(staff_r, staff_t) --') +kernel_read_ring_buffer(staff_t) +kernel_getattr_core_if(staff_t) +kernel_getattr_message_if(staff_t) +kernel_read_software_raid_state(staff_t) -optional_policy(` -- gift_role(staff_r, staff_t) +- ethereal_role(staff_r, staff_t) -') +auth_domtrans_pam_console(staff_t) -optional_policy(` -- gnome_role(staff_r, staff_t) +- evolution_role(staff_r, staff_t) -') +seutil_run_newrole(staff_t, staff_r) +netutils_run_ping(staff_t, staff_r) optional_policy(` -- gpg_role(staff_r, staff_t) +- games_role(staff_r, staff_t) +-') +- +-optional_policy(` +- gift_role(staff_r, staff_t) + sudo_role_template(staff, staff_r, staff_t) ') optional_policy(` -- irc_role(staff_r, staff_t) +- gnome_role(staff_r, staff_t) + auditadm_role_change(staff_r) ') optional_policy(` -- java_role(staff_r, staff_t) -+ kerneloops_manage_tmp_files(staff_t) +- gpg_role(staff_r, staff_t) ++ firewallgui_dbus_chat(staff_t) ') optional_policy(` -- lockdev_role(staff_r, staff_t) +- irc_role(staff_r, staff_t) + logadm_role_change(staff_r) ') optional_policy(` -- lpd_role(staff_r, staff_t) +- java_role(staff_r, staff_t) ++ kerneloops_manage_tmp_files(staff_t) + ') + + optional_policy(` +- lockdev_role(staff_r, staff_t) + postgresql_role(staff_r, staff_t) ') optional_policy(` -- mozilla_role(staff_r, staff_t) +- lpd_role(staff_r, staff_t) + rtkit_daemon_system_domain(staff_t) ') optional_policy(` -- mplayer_role(staff_r, staff_t) +- mozilla_role(staff_r, staff_t) + secadm_role_change(staff_r) ') optional_policy(` -- mta_role(staff_r, staff_t) +- mplayer_role(staff_r, staff_t) + ssh_role_template(staff, staff_r, staff_t) ') optional_policy(` -- 
oident_manage_user_content(staff_t) -- oident_relabel_user_content(staff_t) +- mta_role(staff_r, staff_t) + sysadm_role_change(staff_r) ') optional_policy(` -- pyzor_role(staff_r, staff_t) +- oident_manage_user_content(staff_t) +- oident_relabel_user_content(staff_t) + usernetctl_run(staff_t, staff_r) ') optional_policy(` -- razor_role(staff_r, staff_t) +- pyzor_role(staff_r, staff_t) + unconfined_role_change(staff_r) ') optional_policy(` -- rssh_role(staff_r, staff_t) +- razor_role(staff_r, staff_t) + webadm_role_change(staff_r) ') -optional_policy(` -- screen_role_template(staff, staff_r, staff_t) +- rssh_role(staff_r, staff_t) -') +domain_read_all_domains_state(staff_t) +domain_getattr_all_domains(staff_t) +domain_obj_id_change_exemption(staff_t) -optional_policy(` -- secadm_role_change(staff_r) +- screen_role_template(staff, staff_r, staff_t) -') +files_read_kernel_modules(staff_t) -optional_policy(` -- spamassassin_role(staff_r, staff_t) +- secadm_role_change(staff_r) -') +kernel_read_fs_sysctls(staff_t) -optional_policy(` -- ssh_role_template(staff, staff_r, staff_t) +- spamassassin_role(staff_r, staff_t) -') +modutils_read_module_config(staff_t) +modutils_read_module_deps(staff_t) -optional_policy(` -- su_role_template(staff, staff_r, staff_t) +- ssh_role_template(staff, staff_r, staff_t) -') +miscfiles_read_hwdata(staff_t) -optional_policy(` -- sudo_role_template(staff, staff_r, staff_t) +- su_role_template(staff, staff_r, staff_t) -') +term_use_unallocated_ttys(staff_t) optional_policy(` +- sudo_role_template(staff, staff_r, staff_t) +-') +- +-optional_policy(` - sysadm_role_change(staff_r) - userdom_dontaudit_use_user_terminals(staff_t) + gnomeclock_dbus_chat(staff_t) 
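Review bot: `firewallgui_dbus_chat(staff_t)` is the one substantive addition in the staff.te hunk (the remaining changes reorder existing `optional_policy` blocks), and per the interface added earlier in this patch it grants dbus `send_msg` in both directions between staff_t and firewallgui_t, while the commit message mentions the firewallgui change only for unconfined_t. A comment on the block, `# staff users may drive the firewall configuration GUI over dbus`, or a changelog entry, would document why the confined staff role gets it too. The hunk begins on the previous collapsed line and the file continues past it.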
@@ -8888,7 +8973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.32/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/roles/sysadm.te 2009-12-03 13:45:10.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/roles/sysadm.te 2009-12-06 09:58:03.000000000 -0500 @@ -15,7 +15,7 @@ role sysadm_r; @@ -9180,20 +9265,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -440,13 +343,12 @@ +@@ -440,13 +343,16 @@ ') optional_policy(` - wireshark_role(sysadm_r, sysadm_t) --') -- --optional_policy(` -- xserver_role(sysadm_r, sysadm_t) + virt_stream_connect(sysadm_t) ') optional_policy(` - yam_run(sysadm_t, sysadm_r) +- xserver_role(sysadm_r, sysadm_t) ++ yam_run(sysadm_t, sysadm_r) + ') + + optional_policy(` +- yam_run(sysadm_t, sysadm_r) ++ zebra_stream_connect(sysadm_t) ') + +init_script_role_transition(sysadm_r) @@ -9883,8 +9970,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-12-03 14:43:49.000000000 -0500 -@@ -0,0 +1,440 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-12-06 10:20:50.000000000 -0500 +@@ -0,0 +1,444 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## 
@@ -10124,6 +10211,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ firewallgui_dbus_chat(unconfined_t) ++') ++ ++optional_policy(` + firstboot_run(unconfined_t, unconfined_r) +') + @@ -10209,7 +10300,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + samba_role_notrans(unconfined_r) + samba_run_unconfined_net(unconfined_t, unconfined_r) -+ samba_run_winbind_helper(unconfined_t, unconfined_r) ++# samba_run_winbind_helper(unconfined_t, unconfined_r) + samba_run_smbcontrol(unconfined_t, unconfined_r) +') + @@ -10478,11 +10569,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2009-12-03 13:45:11.000000000 -0500 -@@ -31,16 +31,38 @@ - - userdom_restricted_xwindows_user_template(xguest) - ++++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2009-12-03 17:50:59.000000000 -0500 +@@ -35,12 +35,34 @@ + # + # Local policy + # +ifndef(`enable_mls',` + fs_exec_noxattr(xguest_t) + @@ -10498,15 +10589,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') +storage_rw_fuse(xguest_t) + - ######################################## - # - # Local policy - # - +# Dontaudit fusermount -+dontaudit xguest_t self:capability sys_admin; -+allow xguest_t self:process execmem; ++mount_dontaudit_exec_fusermount(xguest_t) + ++allow xguest_t self:process execmem; + # Allow mounting of file systems optional_policy(` tunable_policy(`xguest_mount_media',` 
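Review bot: The unconfineduser.te hunk (`@@ -10209,7 +10300,7 @@`) disables `samba_run_winbind_helper(unconfined_t, unconfined_r)` by commenting it out rather than deleting it, leaving dead code with no explanation. Since the commit message says the transition is removed deliberately, delete the line, or if it must stay as a marker give it a reason, `# no transition to winbind_helper_t from unconfined_t: the helper runs unconfined (see changelog)`. The enclosing `optional_policy` block is fully visible, but the file continues on both sides of the hunk.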
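Review bot: In the xguest.te hunk (`@@ -35,12 +35,34 @@`) the removed `dontaudit xguest_t self:capability sys_admin;` is replaced with `mount_dontaudit_exec_fusermount(xguest_t)`, whose definition is not in this chunk; confirm mount.if gains it in the same patch, otherwise the module will not build. The retained `allow xguest_t self:process execmem;` is a notable grant for a guest role (writable-and-executable memory) and now stands without a comment of its own; `# execmem: required by <program that needs it — fill in>` above it would record the justification.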
@@ -10742,7 +10829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-12-03 13:49:13.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-12-06 09:56:21.000000000 -0500 @@ -33,12 +33,24 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -10822,7 +10909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysnet_read_config(abrt_t) -@@ -96,22 +124,82 @@ +@@ -96,22 +124,84 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -10892,6 +10979,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_read_etc_files(abrt_helper_t) +files_dontaudit_all_non_security_leaks(abrt_helper_t) + ++fs_list_inotifyfs(abrt_helper_t) ++ +auth_use_nsswitch(abrt_helper_t) + +miscfiles_read_localization(abrt_helper_t) @@ -11199,7 +11288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2009-12-03 13:47:24.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2009-12-04 08:24:12.000000000 -0500 @@ -1,12 +1,16 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) 
@@ -11234,12 +11323,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -@@ -32,12 +39,21 @@ +@@ -32,12 +39,22 @@ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') +/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -11256,7 +11346,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -46,7 +62,9 @@ +@@ -46,7 +63,9 @@ /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) 
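Review bot: The new `/usr/share/mythweb/mythweb\.pl` entry in the apache.fc hunk (`@@ -32,12 +39,22 @@`) has no `--` object-class field, unlike the single-file entries elsewhere in this file such as `/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)`; without it the pattern matches any object type at that path. Since the entry names one script, `/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)` is the consistent form.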
@@ -11266,7 +11356,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -50,13 +68,17 @@ +@@ -50,13 +69,17 @@ /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -11284,7 +11374,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ') -@@ -64,11 +86,32 @@ +@@ -64,11 +87,32 @@ /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -11926,7 +12016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2009-12-07 16:00:19.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # @@ -12228,7 +12318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -391,32 +475,70 @@ +@@ -391,32 +475,71 @@ corenet_tcp_connect_all_ports(httpd_t) ') 
@@ -12240,6 +12330,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + corenet_sendrecv_pop_client_packets(httpd_t) + mta_send_mail(httpd_t) + mta_send_mail(httpd_sys_script_t) ++ mta_signal(httpd_t) +') + tunable_policy(`httpd_can_network_relay',` @@ -12304,7 +12395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -424,11 +546,23 @@ +@@ -424,11 +547,23 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -12328,7 +12419,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -451,6 +585,14 @@ +@@ -451,6 +586,14 @@ ') optional_policy(` @@ -12343,7 +12434,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(httpd_t, httpd_exec_t) ') -@@ -459,8 +601,13 @@ +@@ -459,8 +602,13 @@ ') optional_policy(` @@ -12359,7 +12450,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -468,22 +615,19 @@ +@@ -468,22 +616,19 @@ mailman_domtrans_cgi(httpd_t) # should have separate types for public and private archives mailman_search_data(httpd_t) @@ -12385,7 +12476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -494,12 +638,23 @@ +@@ -494,12 +639,23 @@ ') optional_policy(` @@ -12409,7 +12500,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -508,6 +663,7 @@ +@@ -508,6 +664,7 @@ ') optional_policy(` @@ -12417,7 +12508,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -535,6 +691,23 @@ +@@ -535,6 +692,23 @@ userdom_use_user_terminals(httpd_helper_t) 
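Review bot: `mta_signal(httpd_t)` in the apache.te hunk (`@@ -12240,6 +12330,7 @@`) gives the web server signal access to the mail transfer agent's domain, a new cross-domain grant that the hunk leaves uncommented; the interface's definition is not in this chunk, and the enclosing `tunable_policy` block opens outside the quoted context, so which boolean gates it cannot be confirmed here (presumably the sendmail one, given the adjacent `mta_send_mail` lines). A comment on the line, `# httpd signals the sendmail child it forks — confirm against the motivating denial`, would record why a network-facing daemon needs this.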
@@ -12441,7 +12532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache PHP script local policy -@@ -564,20 +737,25 @@ +@@ -564,20 +738,25 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -12473,7 +12564,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -595,23 +773,24 @@ +@@ -595,23 +774,24 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -12502,7 +12593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -624,6 +803,7 @@ +@@ -624,6 +804,7 @@ logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) @@ -12510,7 +12601,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; -@@ -631,22 +811,31 @@ +@@ -631,22 +812,31 @@ corenet_all_recvfrom_unlabeled(httpd_suexec_t) corenet_all_recvfrom_netlabel(httpd_suexec_t) @@ -12549,7 +12640,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -672,15 +861,14 @@ +@@ -672,15 +862,14 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -12568,7 +12659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t httpd_t:tcp_socket { read write }; dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -699,12 +887,24 @@ +@@ -699,12 +888,24 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) 
@@ -12595,7 +12686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -712,6 +912,35 @@ +@@ -712,6 +913,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -12631,7 +12722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -724,6 +953,10 @@ +@@ -724,6 +954,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -12642,7 +12733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -735,6 +968,8 @@ +@@ -735,6 +969,8 @@ # httpd_rotatelogs local policy # @@ -12651,7 +12742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -754,11 +989,88 @@ +@@ -754,11 +990,88 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; 
@@ -12787,10 +12878,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_proc_symlinks(arpwatch_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.6.32/policy/modules/services/asterisk.if --- nsaserefpolicy/policy/modules/services/asterisk.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/asterisk.if 2009-12-03 13:45:11.000000000 -0500 -@@ -1,5 +1,26 @@ ++++ serefpolicy-3.6.32/policy/modules/services/asterisk.if 2009-12-06 11:14:30.000000000 -0500 +@@ -1,5 +1,44 @@ ## Asterisk IP telephony server ++###################################### ++## ++## Execute asterisk ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`asterisk_exec',` ++ gen_require(` ++ type asterisk_exec_t; ++ ') ++ ++ can_exec($1, asterisk_exec_t) ++') ++ +##################################### +## +## Connect to asterisk over a unix domain @@ -12817,7 +12926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.6.32/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2009-12-07 15:03:47.000000000 -0500 @@ -34,6 +34,8 @@ type asterisk_var_run_t; files_pid_file(asterisk_var_run_t) 
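Review bot: The new `asterisk_exec` interface in the asterisk.if hunk is described only as "Execute asterisk", but it uses `can_exec`, so the binary runs in the caller's domain with no transition to asterisk_t; the `asterisk_exec(logrotate_t)` line earlier in this patch therefore runs asterisk with logrotate's own permissions. The summary should say so, e.g. `## Execute asterisk in the caller domain (no domain transition).`, so future callers do not mistake it for a domtrans interface. The description's XML markup appears stripped in this rendering, so the exact tags cannot be checked here.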
@@ -12840,7 +12949,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow asterisk_t self:tcp_socket create_stream_socket_perms; allow asterisk_t self:udp_socket create_socket_perms; -@@ -84,6 +87,7 @@ +@@ -79,11 +82,14 @@ + manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) + files_pid_filetrans(asterisk_t, asterisk_var_run_t, file) + ++can_exec(asterisk_t, asterisk_exec_t) ++ + kernel_read_system_state(asterisk_t) + kernel_read_kernel_sysctls(asterisk_t) corecmd_exec_bin(asterisk_t) corecmd_search_bin(asterisk_t) @@ -12848,7 +12964,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(asterisk_t) corenet_all_recvfrom_netlabel(asterisk_t) -@@ -97,6 +101,7 @@ +@@ -97,6 +103,7 @@ corenet_udp_bind_generic_node(asterisk_t) corenet_tcp_bind_asterisk_port(asterisk_t) corenet_udp_bind_asterisk_port(asterisk_t) @@ -12856,7 +12972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_sendrecv_asterisk_server_packets(asterisk_t) # for VOIP voice channels. corenet_tcp_bind_generic_port(asterisk_t) -@@ -107,6 +112,7 @@ +@@ -107,6 +114,7 @@ dev_read_sysfs(asterisk_t) dev_read_sound(asterisk_t) dev_write_sound(asterisk_t) @@ -12864,7 +12980,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(asterisk_t) -@@ -119,20 +125,16 @@ +@@ -119,17 +127,17 @@ fs_getattr_all_fs(asterisk_t) fs_search_auto_mountpoints(asterisk_t) @@ -12881,13 +12997,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - nis_use_ypbind(asterisk_t) --') -- --optional_policy(` - seutil_sigchld_newrole(asterisk_t) ++ mta_send_mail(asterisk_t) ') -@@ -140,7 +142,3 @@ + optional_policy(` +@@ -140,7 +148,3 @@ udev_read_db(asterisk_t) ') 
@@ -14286,7 +14400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.32/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/cron.te 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/cron.te 2009-12-06 09:42:26.000000000 -0500 @@ -38,6 +38,7 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -14334,6 +14448,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Admin crontab local policy +@@ -139,7 +151,7 @@ + + allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; + dontaudit crond_t self:capability { sys_resource sys_tty_config }; +-allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; + allow crond_t self:process { setexec setfscreate }; + allow crond_t self:fd use; + allow crond_t self:fifo_file rw_fifo_file_perms; @@ -194,6 +206,8 @@ corecmd_read_bin_symlinks(crond_t) 
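Review bot: The rewritten `allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };` drops `setrlimit` from the exclusion set, so crond_t now gets `setrlimit` on itself, and neither the hunk nor the commit message records why. If this is for pam_limits applying resource limits to jobs, a comment on that line such as `# setrlimit: crond applies pam_limits to jobs` would capture the reason — confirm against the AVC that prompted it. Note also that the following line, `allow crond_t self:process { setexec setfscreate };`, re-grants two of the permissions this line excludes; the union is what gets enforced, so the exclusion list is misleading and could be trimmed to `~{ ptrace setcurrent execmem execstack execheap }`, though that oddity pre-dates this change.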
@@ -15417,6 +15540,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol spamassassin_exec(exim_t) spamassassin_exec_client(exim_t) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.32/policy/modules/services/fail2ban.if +--- nsaserefpolicy/policy/modules/services/fail2ban.if 2009-09-16 10:01:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/fail2ban.if 2009-12-07 16:23:35.000000000 -0500 +@@ -98,6 +98,27 @@ + allow $1 fail2ban_var_run_t:file read_file_perms; + ') + ++##################################### ++## ++## Connect to fail2ban over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fail2ban_stream_connect',` ++ gen_require(` ++ type fail2ban_t, fail2ban_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) ++') ++ ++ + ######################################## + ## + ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.6.32/policy/modules/services/fail2ban.te --- nsaserefpolicy/policy/modules/services/fail2ban.te 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/fail2ban.te 2009-12-03 13:45:11.000000000 -0500 @@ -16586,7 +16740,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.32/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2009-12-05 05:54:55.000000000 -0500 
@@ -16,13 +16,9 @@ type lircd_etc_t; files_type(lircd_etc_t) @@ -16602,7 +16756,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # lircd local policy -@@ -34,15 +30,26 @@ +@@ -34,15 +30,27 @@ # etc file read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) @@ -16617,6 +16771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -dev_filetrans(lircd_t, lircd_sock_t, sock_file ) +dev_filetrans(lircd_t, lircd_var_run_t, sock_file ) +dev_read_generic_usb_dev(lircd_t) ++dev_read_mouse(lircd_t) +dev_filetrans_lirc(lircd_t) +dev_rw_lirc(lircd_t) +dev_rw_input_dev(lircd_t) @@ -16706,7 +16861,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.32/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/mta.if 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/mta.if 2009-12-07 16:00:12.000000000 -0500 @@ -69,6 +69,7 @@ can_exec($1_mail_t, sendmail_exec_t) allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms; 
@@ -16769,6 +16924,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') +@@ -876,3 +883,22 @@ + + allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; + ') ++ ++######################################## ++## ++## Send mail client a signal ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++# ++interface(`mta_signal',` ++ gen_require(` ++ type system_mail_t; ++ ') ++ ++ allow $1 system_mail_t:process signal; ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.32/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/mta.te 2009-12-03 13:45:11.000000000 -0500 @@ -18550,8 +18728,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(openvpn_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.6.32/policy/modules/services/pcscd.if --- nsaserefpolicy/policy/modules/services/pcscd.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/pcscd.if 2009-12-03 13:45:11.000000000 -0500 -@@ -39,6 +39,25 @@ ++++ serefpolicy-3.6.32/policy/modules/services/pcscd.if 2009-12-07 15:55:59.000000000 -0500 +@@ -39,6 +39,44 @@ ######################################## ## 
@@ -18574,10 +18752,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Manage pcscd pub fifo files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pcscd_manage_pub_pipes',` ++ gen_require(` ++ type pcscd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_fifo_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t) ++') ++ ++######################################## ++## ## Connect to pcscd over an unix stream socket. ## ## -@@ -53,6 +72,5 @@ +@@ -53,6 +91,5 @@ ') files_search_pids($1) @@ -19180,7 +19377,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2009-12-06 09:57:32.000000000 -0500 @@ -36,11 +36,12 @@ # policykit local policy # @@ -19198,7 +19395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(policykit_t) -@@ -57,32 +58,52 @@ +@@ -57,32 +58,53 @@ manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) @@ -19241,6 +19438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -allow policykit_auth_t self:process getattr; -allow policykit_auth_t self:fifo_file rw_file_perms; +allow policykit_auth_t self:capability { setgid setuid }; ++dontaudit policykit_auth_t self:capability { sys_tty_config }; +allow policykit_auth_t self:process { getattr getsched }; +allow policykit_auth_t self:fifo_file rw_fifo_file_perms; + 
@@ -19255,7 +19453,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -@@ -92,12 +113,14 @@ +@@ -92,12 +114,14 @@ manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) @@ -19272,7 +19470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(policykit_auth_t) -@@ -106,7 +129,7 @@ +@@ -106,7 +130,7 @@ userdom_dontaudit_read_user_home_content_files(policykit_auth_t) optional_policy(` @@ -19281,7 +19479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -119,6 +142,14 @@ +@@ -119,6 +143,14 @@ hal_read_state(policykit_auth_t) ') @@ -19296,7 +19494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # polkit_grant local policy -@@ -126,7 +157,8 @@ +@@ -126,7 +158,8 @@ allow policykit_grant_t self:capability setuid; allow policykit_grant_t self:process getattr; @@ -19306,7 +19504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -156,9 +188,12 @@ +@@ -156,9 +189,12 @@ userdom_read_all_users_state(policykit_grant_t) optional_policy(` @@ -19320,7 +19518,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -170,7 +205,8 @@ +@@ -170,7 +206,8 @@ allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; allow policykit_resolve_t self:process getattr; 
@@ -21660,17 +21858,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.32/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/rpc.te 2009-12-03 13:45:11.000000000 -0500 -@@ -53,7 +53,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/rpc.te 2009-12-06 09:20:00.000000000 -0500 +@@ -53,7 +53,8 @@ # RPC local policy # -allow rpcd_t self:capability { chown dac_override setgid setuid }; +allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid }; ++allow rpcd_t self:process { getcap setcap }; allow rpcd_t self:fifo_file rw_fifo_file_perms; allow rpcd_t rpcd_var_run_t:dir setattr; -@@ -91,6 +91,8 @@ +@@ -91,14 +92,21 @@ seutil_dontaudit_search_config(rpcd_t) @@ -21678,8 +21877,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + optional_policy(` automount_signal(rpcd_t) ++ automount_dontaudit_write_pipes(rpcd_t) ') -@@ -99,6 +101,10 @@ + + optional_policy(` nis_read_ypserv_config(rpcd_t) ') @@ -21690,7 +21891,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # NFSD local policy -@@ -127,6 +133,7 @@ +@@ -127,6 +135,7 @@ files_getattr_tmp_dirs(nfsd_t) # cjp: this should really have its own type files_manage_mounttab(nfsd_t) @@ -21698,7 +21899,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_mount_nfsd_fs(nfsd_t) fs_search_nfsd_fs(nfsd_t) -@@ -135,6 +142,7 @@ +@@ -135,6 +144,7 @@ fs_rw_nfsd_fs(nfsd_t) storage_dontaudit_read_fixed_disk(nfsd_t) 
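Review bot: `allow rpcd_t self:process { getcap setcap };` is added while the domain already holds `sys_admin` on the context line above, so rpcd_t can both hold and rewrite its own capability sets, and the hunk does not say which daemon needs this. If the purpose is letting the daemon drop capabilities after startup, record that with a comment, e.g. `# getcap/setcap: daemon drops its own capabilities`, and confirm from the denial that `setcap` and not just `getcap` is actually required. If only one of the programs sharing rpcd_t needs it, that is also a hint the shared domain is coarser than the individual binaries.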
@@ -21706,7 +21907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) -@@ -151,6 +159,7 @@ +@@ -151,6 +161,7 @@ fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) ') @@ -21714,7 +21915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`nfs_export_all_ro',` dev_getattr_all_blk_files(nfsd_t) -@@ -182,6 +191,7 @@ +@@ -182,6 +193,7 @@ kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_search_network_sysctl(gssd_t) @@ -21722,7 +21923,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(gssd_t) -@@ -189,8 +199,10 @@ +@@ -189,8 +201,10 @@ fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) @@ -21733,7 +21934,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(gssd_t) auth_manage_cache(gssd_t) -@@ -199,10 +211,13 @@ +@@ -199,10 +213,13 @@ mount_signal(gssd_t) @@ -24443,8 +24644,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.6.32/policy/modules/services/tor.te --- nsaserefpolicy/policy/modules/services/tor.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/tor.te 2009-12-03 13:45:11.000000000 -0500 -@@ -89,6 +89,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/tor.te 2009-12-06 11:07:48.000000000 -0500 +@@ -6,6 +6,14 @@ + # Declarations + # + ++## ++##

++## Allow tor daemon to bind ++## tcp sockets to all unreserved ports. ++##

++##
++gen_tunable(tor_bind_all_unreserved_ports, false) ++ + type tor_t; + type tor_exec_t; + init_daemon_domain(tor_t, tor_exec_t) +@@ -89,6 +97,7 @@ files_read_etc_files(tor_t) files_read_etc_runtime_files(tor_t) @@ -24452,6 +24668,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(tor_t) +@@ -97,3 +106,7 @@ + optional_policy(` + seutil_sigchld_newrole(tor_t) + ') ++ ++tunable_policy(`tor_bind_all_unreserved_ports', ` ++ corenet_tcp_bind_all_unreserved_ports(tor_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.6.32/policy/modules/services/tuned.fc --- nsaserefpolicy/policy/modules/services/tuned.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.32/policy/modules/services/tuned.fc 2009-12-03 13:45:11.000000000 -0500 
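Review bot: The new `tunable_policy(`tor_bind_all_unreserved_ports', ...)` block is appended after the `optional_policy` blocks at the end of tor.te; reference-policy ordering puts tunable_policy blocks ahead of optional_policy blocks, so it belongs just before the `optional_policy(` seutil_sigchld_newrole(tor_t)` block. The boolean defaults to off via `gen_tunable(tor_bind_all_unreserved_ports, false)`, which is the right default, since turning it on lets tor_t bind any unreserved TCP port instead of only its own port type. It would help administrators if the tunable description said when it is needed (a relay or bridge configured on a non-default port, presumably) rather than only what it allows.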
@@ -24706,6 +24930,294 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.6.32/policy/modules/services/vhostmd.fc +--- nsaserefpolicy/policy/modules/services/vhostmd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/vhostmd.fc 2009-12-06 11:17:52.000000000 -0500 +@@ -0,0 +1,6 @@ ++ ++/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0) ++ ++/etc/rc.d/init.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0) ++/var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.6.32/policy/modules/services/vhostmd.if +--- nsaserefpolicy/policy/modules/services/vhostmd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/vhostmd.if 2009-12-06 11:17:52.000000000 -0500 +@@ -0,0 +1,191 @@ ++ ++## policy for vhostmd ++ ++######################################## ++## ++## Execute a domain transition to run vhostmd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`vhostmd_domtrans',` ++ gen_require(` ++ type vhostmd_t, vhostmd_exec_t; ++ ') ++ ++ domtrans_pattern($1, vhostmd_exec_t, vhostmd_t) ++') ++ ++ ++######################################## ++## ++## Execute vhostmd server in the vhostmd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`vhostmd_initrc_domtrans',` ++ gen_require(` ++ type vhostmd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, vhostmd_initrc_exec_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to read, ++## vhostmd tmpfs files ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`vhostmd_dontaudit_read_tmpfs_files',` ++ gen_require(` ++ type vhostmd_tmpfs_t; ++ ') ++ ++ dontaudit $1 vhostmd_tmpfs_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Allow domain to read, vhostmd tmpfs files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`vhostmd_read_tmpfs_files',` ++ gen_require(` ++ type vhostmd_tmpfs_t; ++ ') ++ ++ allow $1 vhostmd_tmpfs_t:file read_file_perms; ++') ++ ++####################################### ++## ++## Allow domain to read and write vhostmd tmpfs files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`vhostmd_rw_tmpfs_files',` ++ gen_require(` ++ type vhostmd_tmpfs_t; ++ ') ++ ++ read_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) ++ write_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) ++') ++ ++######################################## ++## ++## Allow domain to manage vhostmd tmpfs files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`vhostmd_manage_tmpfs',` ++ gen_require(` ++ type vhostmd_tmpfs_t; ++ ') ++ ++ manage_dirs_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) ++ manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) ++ manage_lnk_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) ++') ++ ++######################################## ++## ++## Read vhostmd PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`vhostmd_read_pid_files',` ++ gen_require(` ++ type vhostmd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 vhostmd_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Manage vhostmd var_run files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`vhostmd_manage_var_run',` ++ gen_require(` ++ type vhostmd_var_run_t; ++ ') ++ ++ manage_dirs_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) ++ manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) ++ manage_lnk_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an vhostmd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`vhostmd_admin',` ++ gen_require(` ++ type vhostmd_t, vhostmd_initrc_exec_t; ++ ') ++ ++ allow $1 vhostmd_t:process { ptrace signal_perms getattr }; ++ ps_process_pattern($1, vhostmd_t) ++ ++ vhostmd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 vhostmd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ vhostmd_manage_tmpfs($1) ++ ++ vhostmd_manage_var_run($1) ++ ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.6.32/policy/modules/services/vhostmd.te +--- nsaserefpolicy/policy/modules/services/vhostmd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/vhostmd.te 2009-12-06 11:17:52.000000000 -0500 +@@ -0,0 +1,79 @@ ++ ++policy_module(vhostmd,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type vhostmd_t; ++type vhostmd_exec_t; ++init_daemon_domain(vhostmd_t, vhostmd_exec_t) ++ ++permissive vhostmd_t; ++ ++type vhostmd_initrc_exec_t; ++init_script_file(vhostmd_initrc_exec_t) ++ ++type vhostmd_tmpfs_t; ++files_tmpfs_file(vhostmd_tmpfs_t) ++ ++type vhostmd_var_run_t; ++files_pid_file(vhostmd_var_run_t) ++ ++######################################## ++# ++# vhostmd local policy ++# ++ ++allow vhostmd_t self:capability { setuid setgid }; ++allow vhostmd_t self:process { setsched getsched }; ++ ++# internal communication is often done 
using fifo and unix sockets. ++allow vhostmd_t self:fifo_file rw_file_perms; ++allow vhostmd_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) ++manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) ++fs_tmpfs_filetrans(vhostmd_t, vhostmd_tmpfs_t, { file dir }) ++ ++manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t) ++manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t) ++files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir }) ++ ++corecmd_exec_bin(vhostmd_t) ++corecmd_exec_shell(vhostmd_t) ++ ++kernel_read_system_state(vhostmd_t) ++kernel_read_network_state(vhostmd_t) ++ ++files_read_etc_files(vhostmd_t) ++files_read_usr_files(vhostmd_t) ++files_read_generic_tmp_files(vhostmd_t) ++ ++dev_read_sysfs(vhostmd_t) ++ ++auth_use_nsswitch(vhostmd_t) ++ ++logging_send_syslog_msg(vhostmd_t) ++ ++miscfiles_read_localization(vhostmd_t) ++ ++optional_policy(` ++ hostname_exec(vhostmd_t) ++') ++ ++optional_policy(` ++ rpm_exec(vhostmd_t) ++ rpm_read_db(vhostmd_t) ++') ++ ++optional_policy(` ++ virt_stream_connect(vhostmd_t) ++') ++ ++optional_policy(` ++ xen_domtrans_xm(vhostmd_t) ++ xen_stream_connect(vhostmd_t) ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.32/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/virt.fc 2009-12-03 13:45:11.000000000 -0500 
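Review bot: In vhostmd.te, `allow vhostmd_t self:fifo_file rw_file_perms;` should be `rw_fifo_file_perms`, the macro the rest of this commit uses for fifo_file (crond_t and policykit_auth_t in the other hunks). `permissive vhostmd_t;` ships the new domain in permissive mode, which is reasonable for a first cut but deserves a `# TODO: remove once the domain is stable` comment so it is not forgotten, especially as the fairly broad grants `corecmd_exec_shell`, `rpm_exec` and `xen_domtrans_xm` are only enforced once it goes. In vhostmd.if the parameter docs of `vhostmd_read_tmpfs_files`, `vhostmd_rw_tmpfs_files` and `vhostmd_manage_tmpfs` still say `Domain to not audit.` (copied from the dontaudit interface) and should read `Domain allowed access.`, and the summary of `vhostmd_initrc_domtrans` claims to execute the vhostmd server when it actually runs the init script.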
@@ -25506,7 +26018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.32/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-12-05 06:43:26.000000000 -0500 @@ -74,6 +74,12 @@ domtrans_pattern($2, iceauth_exec_t, iceauth_t) @@ -25994,7 +26506,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern($1, xserver_exec_t, xserver_t) ') -@@ -1248,6 +1407,286 @@ +@@ -1248,6 +1407,288 @@ ######################################## ## @@ -26128,9 +26640,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`xserver_dontaudit_append_xdm_home_files',` + gen_require(` + type xdm_home_t; ++ type xserver_tmp_t; + ') + + dontaudit $1 xdm_home_t:file rw_inherited_file_perms; ++ dontaudit $1 xserver_tmp_t:file rw_inherited_file_perms; + + tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files($1) @@ -26281,7 +26795,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1261,7 +1700,103 @@ +@@ -1261,7 +1702,103 @@ interface(`xserver_unconfined',` gen_require(` attribute xserver_unconfined_type; @@ -26290,7 +26804,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typeattribute $1 xserver_unconfined_type; + typeattribute $1 x_domain; -+') + ') + +######################################## +## 
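Review bot: The second `type xserver_tmp_t;` inside gen_require should be folded into the existing line, `type xdm_home_t, xserver_tmp_t;`, matching the style used elsewhere in this patch (`type fail2ban_t, fail2ban_var_run_t;`). The interface is named `xserver_dontaudit_append_xdm_home_files` and its summary sits outside the hunk; since it now also silences read/write of inherited xserver_tmp_t files, the summary should mention that so callers know what else they stop auditing.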
@@ -26343,7 +26857,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + class x_selection all_x_selection_perms; + class x_event all_x_event_perms; + class x_synthetic_event all_x_synthetic_event_perms; - ') ++') + + # Type attributes + typeattribute $1 x_domain; @@ -27204,6 +27718,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -# -allow xdm_t user_home_type:file unlink; -') dnl end TODO +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.6.32/policy/modules/services/zebra.if +--- nsaserefpolicy/policy/modules/services/zebra.if 2009-09-16 10:01:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/zebra.if 2009-12-06 09:58:33.000000000 -0500 +@@ -24,6 +24,26 @@ + + ######################################## + ## ++## Connect to zebra over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`zebra_stream_connect',` ++ gen_require(` ++ type zebra_t, zebra_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 zebra_var_run_t:sock_file write; ++ allow $1 zebra_t:unix_stream_socket connectto; ++') ++ ++######################################## ++## + ## All of the rules required to administrate + ## an zebra environment + ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.32/policy/modules/system/application.if --- nsaserefpolicy/policy/modules/system/application.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/system/application.if 2009-12-03 13:45:11.000000000 -0500 
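Review bot: `zebra_stream_connect` hand-writes `allow $1 zebra_var_run_t:sock_file write;` and `allow $1 zebra_t:unix_stream_socket connectto;`, whereas the `fail2ban_stream_connect` interface added in this same commit uses `stream_connect_pattern`. The pattern form also grants `search` on zebra_var_run_t directories, which the hand-written rules omit, so a caller could still be denied on traversal if the socket lives in a zebra_var_run_t subdirectory; replace the two allow lines with `stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)`.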
@@ -27291,7 +27835,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.32/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/authlogin.if 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/authlogin.if 2009-12-07 15:55:13.000000000 -0500 @@ -40,17 +40,76 @@ ## ## @@ -27445,7 +27989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern($1, auth_cache_t, auth_cache_t) ') -@@ -305,29 +381,49 @@ +@@ -305,29 +381,50 @@ dev_read_rand($1) dev_read_urand($1) @@ -27472,6 +28016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - optional_policy(` - pcscd_read_pub_files($1) + pcscd_manage_pub_files($1) ++ pcscd_manage_pub_pipes($1) pcscd_stream_connect($1) ') @@ -27504,7 +28049,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -352,6 +448,7 @@ +@@ -352,6 +449,7 @@ auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -27512,7 +28057,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1129,6 +1226,32 @@ +@@ -1129,6 +1227,32 @@ ######################################## ## @@ -27545,7 +28090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Manage all files on the filesystem, except ## the shadow passwords and listed exceptions. ## -@@ -1254,6 +1377,25 @@ +@@ -1254,6 +1378,25 @@ ######################################## ## 
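Review bot: `pcscd_manage_pub_pipes($1)` gives every domain using the enclosing interface create, unlink, rename and setattr on fifo files under pcscd_var_run_t, which is more than a PAM client that only opens and reads/writes pcscd's pipe should need; the enclosing interface starts outside the hunk. If the denial behind this was only `read`/`write`/`open`, an rw-level interface built on `rw_fifo_files_pattern` in pcscd.if would be the narrower fix — confirm against the AVC before keeping `manage`. The sibling `pcscd_manage_pub_files($1)` on the context line has the same shape, so whichever level is chosen should be applied to both.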
@@ -27571,7 +28116,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to write to ## login records files. ## -@@ -1395,16 +1537,33 @@ +@@ -1395,16 +1538,33 @@ ') optional_policy(` @@ -29119,7 +29664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive kdump_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-12-07 09:47:51.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -29326,7 +29871,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -307,10 +308,106 @@ +@@ -307,10 +308,107 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) @@ -29432,6 +29977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/opt/Komodo-Edit-5/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/VBoxGuestAdditions.*/lib/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.32/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2009-09-16 10:01:19.000000000 -0400 
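Review bot: The new entry `/opt/VBoxGuestAdditions.*/lib/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` lacks the `(\.[^/]*)*` suffix the adjacent entries use, so versioned sonames such as `VBoxFoo.so.1` would not match it, and `VBoxGuestAdditions.*` is not bounded to a single path component. Because textrel_shlib_t exempts a library from the execmod restriction, the pattern should be as tight as the real install layout allows, e.g. `/opt/VBoxGuestAdditions[^/]*/lib/VBox.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`.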
@@ -29648,7 +30194,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.32/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/logging.if 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/logging.if 2009-12-07 16:18:19.000000000 -0500 @@ -69,6 +69,20 @@ ######################################## @@ -29679,10 +30225,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -708,6 +722,8 @@ +@@ -707,7 +721,9 @@ + files_search_var($1) manage_files_pattern($1, logfile, logfile) - read_lnk_files_pattern($1, logfile, logfile) +- read_lnk_files_pattern($1, logfile, logfile) ++ manage_lnk_files_pattern($1, logfile, logfile) + allow $1 logfile:dir { relabelfrom relabelto }; + allow $1 logfile:file { relabelfrom relabelto }; ') @@ -29993,7 +30541,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2009-12-05 07:13:25.000000000 -0500 @@ -87,6 +87,45 @@ ######################################## 
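Review bot: Replacing `read_lnk_files_pattern($1, logfile, logfile)` with `manage_lnk_files_pattern($1, logfile, logfile)` lets every caller of this interface create, delete and rename symlinks in every logfile-typed directory, on top of the `relabelfrom`/`relabelto` on logfile dirs and files that the hunk keeps; the enclosing interface begins outside the hunk. That combination amounts to full control of the log tree, so it is worth confirming that all existing callers, not only the one that hit the denial, are domains that should hold it. A one-line comment above the changed line naming the caller and the symlink use case it needs would help the next reader make that judgement.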
@@ -30343,22 +30891,116 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.32/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/mount.fc 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/mount.fc 2009-12-03 17:44:32.000000000 -0500 
@@ -1,4 +1,9 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -- +/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -+/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) - /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) -+ ++/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) ++/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) + +-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.32/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/mount.if 2009-12-03 13:45:11.000000000 -0500 -@@ -84,9 +84,11 @@ ++++ serefpolicy-3.6.32/policy/modules/system/mount.if 2009-12-03 17:54:50.000000000 -0500 +@@ -20,6 +20,60 @@ + + ######################################## + ## ++## Execute fusermount in the mount domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`mount_domtrans_fusermount',` ++ gen_require(` ++ type mount_t, fusermount_exec_t; ++ ') ++ ++ domtrans_pattern($1, fusermount_exec_t, mount_t) ++') ++ ++######################################## ++## ++## Execute fusermount. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`mount_exec_fusermount',` ++ gen_require(` ++ type fusermount_exec_t; ++ ') ++ ++ can_exec($1, fusermount_exec_t) ++') ++ ++######################################## ++## ++## dontaudit Execute fusermount. 
++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`mount_dontaudit_exec_fusermount',` ++ gen_require(` ++ type fusermount_exec_t; ++ ') ++ ++ dontaudit $1 fusermount_exec_t:file exec_file_perms; ++') ++ ++######################################## ++## + ## Execute mount in the mount domain, and + ## allow the specified role the mount domain, + ## and use the caller's terminal. +@@ -51,6 +105,32 @@ + + ######################################## + ## ++## Execute fusermount in the mount domain, and ++## allow the specified role the mount domain ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++## ++## ++## The role to be allowed the mount domain. ++## ++## ++## ++# ++interface(`mount_run_fusermount',` ++ gen_require(` ++ type mount_t; ++ ') ++ ++ mount_domtrans_fusermount($1) ++ role $2 types mount_t; ++') ++ ++######################################## ++## + ## Execute mount in the caller domain. + ## + ## +@@ -84,9 +164,11 @@ interface(`mount_signal',` gen_require(` type mount_t; @@ -30372,11 +31014,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2009-12-03 13:45:11.000000000 -0500 -@@ -18,8 +18,12 @@ ++++ serefpolicy-3.6.32/policy/modules/system/mount.te 2009-12-03 17:43:50.000000000 -0500 +@@ -18,8 +18,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; ++type fusermount_exec_t; ++domain_entry_file(mount_t, fusermount_exec_t) ++ +typealias mount_t alias mount_ntfs_t; +typealias mount_exec_t alias mount_ntfs_exec_t; + 
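Review bot: `mount_domtrans_fusermount` and `mount_run_fusermount` transition the caller into `mount_t` itself (`domain_entry_file(mount_t, fusermount_exec_t)` in the mount.te part of this hunk), so a user domain running the fusermount helper obtains every permission of the generic mount domain — which elsewhere on this page includes raw fixed-disk and removable-device writes — rather than a fusermount-sized subset. A dedicated fusermount domain would be the least-privilege shape; if sharing mount_t is deliberate, the interface summaries should say so, e.g. `## Execute fusermount in the mount domain (the caller enters the full mount_t domain, not a fusermount-specific one).` Separately, the summary `## dontaudit Execute fusermount.` does not follow the phrasing used by the other dontaudit interfaces on this page; `## Do not audit attempts to execute fusermount.` would match them.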
@@ -30386,7 +31031,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type mount_tmp_t; files_tmp_file(mount_tmp_t) -@@ -29,6 +33,10 @@ +@@ -29,6 +36,10 @@ # policy--duplicate type declaration type unconfined_mount_t; application_domain(unconfined_mount_t, mount_exec_t) @@ -30397,7 +31042,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -@@ -36,7 +44,11 @@ +@@ -36,7 +47,11 @@ # # setuid/setgid needed to mount cifs @@ -30410,7 +31055,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow mount_t mount_loopback_t:file read_file_perms; -@@ -47,21 +59,38 @@ +@@ -47,21 +62,38 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) @@ -30450,7 +31095,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_all(mount_t) files_read_etc_files(mount_t) -@@ -70,7 +99,7 @@ +@@ -70,7 +102,7 @@ files_mounton_all_mountpoints(mount_t) files_unmount_rootfs(mount_t) # These rules need to be generalized. Only admin, initrc should have it: @@ -30459,7 +31104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_mount_all_file_type_fs(mount_t) files_unmount_all_file_type_fs(mount_t) # for when /etc/mtab loses its type -@@ -80,15 +109,17 @@ +@@ -80,15 +112,17 @@ files_read_usr_files(mount_t) files_list_mnt(mount_t) @@ -30480,7 +31125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mls_file_read_all_levels(mount_t) mls_file_write_all_levels(mount_t) -@@ -99,6 +130,7 @@ +@@ -99,6 +133,7 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) 
@@ -30488,7 +31133,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_terms(mount_t) -@@ -107,6 +139,8 @@ +@@ -107,6 +142,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -30497,7 +31142,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(mount_t) -@@ -117,6 +151,7 @@ +@@ -117,6 +154,7 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -30505,7 +31150,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat',` optional_policy(` -@@ -132,6 +167,10 @@ +@@ -132,6 +170,10 @@ ') ') @@ -30516,7 +31161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`allow_mount_anyfile',` auth_read_all_dirs_except_shadow(mount_t) auth_read_all_files_except_shadow(mount_t) -@@ -165,6 +204,8 @@ +@@ -165,6 +207,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -30525,7 +31170,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -172,6 +213,25 @@ +@@ -172,6 +216,25 @@ ') optional_policy(` @@ -30551,7 +31196,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -179,6 +239,11 @@ +@@ -179,6 +242,11 @@ ') ') @@ -30563,7 +31208,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -186,6 +251,7 @@ +@@ -186,6 +254,7 @@ optional_policy(` samba_domtrans_smbmount(mount_t) 
@@ -30571,7 +31216,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -195,5 +261,8 @@ +@@ -195,5 +264,8 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t, file) @@ -32814,7 +33459,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-03 14:41:25.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-03 17:55:00.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -33855,7 +34500,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -953,58 +1086,67 @@ +@@ -953,58 +1086,68 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -33937,6 +34582,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + optional_policy(` + mount_run($1_t, $1_r) ++ mount_run_fusermount($1_usertype, $1_r) + ') + + optional_policy(` @@ -33953,7 +34599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1040,7 +1182,7 @@ +@@ -1040,7 +1183,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -33962,7 +34608,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1049,8 +1191,7 @@ +@@ -1049,8 +1192,7 @@ # # Inherit rules for ordinary users. 
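Review bot: In the `@@ -33937,6 +34582,7 @@` hunk, the added `mount_run_fusermount($1_usertype, $1_r)` names a different subject than the `mount_run($1_t, $1_r)` line directly above it; `$1_usertype` is defined outside this hunk, and if it is an attribute covering more than the `$1_t` domain, every domain carrying it can enter mount_t through fusermount_exec_t. If that breadth is intended, a one-line comment would make it clear, e.g. `# every domain of this user, not only $1_t, may run fusermount`; otherwise `mount_run_fusermount($1_t, $1_r)` keeps it consistent with its neighbour. The enclosing template starts and ends outside the hunk.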
@@ -33972,7 +34618,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1075,6 +1216,9 @@ +@@ -1075,6 +1217,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -33982,7 +34628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1089,6 +1233,7 @@ +@@ -1089,6 +1234,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -33990,7 +34636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1096,8 +1241,6 @@ +@@ -1096,8 +1242,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -33999,7 +34645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1124,12 +1267,11 @@ +@@ -1124,12 +1268,11 @@ files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) @@ -34014,7 +34660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_terms($1_t) auth_getattr_shadow($1_t) -@@ -1152,20 +1294,6 @@ +@@ -1152,20 +1295,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -34035,7 +34681,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1211,6 +1339,7 @@ +@@ -1211,6 +1340,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
@@ -34043,7 +34689,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1276,11 +1405,15 @@ +@@ -1276,11 +1406,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -34059,7 +34705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1391,12 +1524,13 @@ +@@ -1391,12 +1525,13 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -34074,7 +34720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1429,6 +1563,14 @@ +@@ -1429,6 +1564,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -34089,7 +34735,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1444,9 +1586,11 @@ +@@ -1444,9 +1587,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -34101,7 +34747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1503,6 +1647,42 @@ +@@ -1503,6 +1648,42 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -34144,7 +34790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1577,6 +1757,8 @@ +@@ -1577,6 +1758,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -34153,7 +34799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1619,6 +1801,24 @@ +@@ -1619,6 +1802,24 @@ ######################################## ## 
@@ -34178,7 +34824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1670,6 +1870,7 @@ +@@ -1670,6 +1871,7 @@ type user_home_dir_t, user_home_t; ') @@ -34186,7 +34832,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1686,11 +1887,11 @@ +@@ -1686,11 +1888,11 @@ # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -34201,7 +34847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1797,19 +1998,32 @@ +@@ -1797,19 +1999,32 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -34241,7 +34887,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1844,6 +2058,7 @@ +@@ -1844,6 +2059,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -34249,7 +34895,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2196,7 +2411,7 @@ +@@ -2196,7 +2412,7 @@ ######################################## ## @@ -34258,7 +34904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## temporary files. ## ## -@@ -2205,30 +2420,49 @@ +@@ -2205,30 +2421,49 @@ ## ## # @@ -34314,7 +34960,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 user_tmp_t:dir list_dir_perms; files_search_tmp($1) ') -@@ -2276,6 +2510,46 @@ +@@ -2276,6 +2511,46 @@ ######################################## ## ## Create, read, write, and delete user 
@@ -34361,7 +35007,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## temporary symbolic links. ## ## -@@ -2391,7 +2665,7 @@ +@@ -2391,7 +2666,7 @@ ######################################## ## @@ -34370,7 +35016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2399,19 +2673,20 @@ +@@ -2399,19 +2674,20 @@ ## ## # @@ -34395,7 +35041,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2419,15 +2694,14 @@ +@@ -2419,15 +2695,14 @@ ## ## # @@ -34415,7 +35061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2749,7 +3023,7 @@ +@@ -2749,7 +3024,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -34424,7 +35070,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow unpriv_userdomain $1:process sigchld; ') -@@ -2765,11 +3039,33 @@ +@@ -2765,11 +3040,33 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -34460,7 +35106,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2897,7 +3193,43 @@ +@@ -2897,7 +3194,43 @@ type user_tmp_t; ') @@ -34505,7 +35151,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2934,6 +3266,7 @@ +@@ -2934,6 +3267,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -34513,7 +35159,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3064,3 +3397,656 @@ +@@ -3064,3 +3398,656 @@ allow $1 userdomain:dbus send_msg; ') 
@@ -35346,7 +35992,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/xen.te 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/xen.te 2009-12-06 11:17:52.000000000 -0500 @@ -6,6 +6,13 @@ # Declarations # @@ -35542,7 +36188,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # internal communication is often done using fifo and unix sockets. allow xm_t self:fifo_file rw_fifo_file_perms; -@@ -312,24 +360,28 @@ +@@ -312,24 +360,29 @@ manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) @@ -35554,6 +36200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xm_t xen_image_t:blk_file read_blk_file_perms; -kernel_read_system_state(xm_t) ++kernel_read_network_state(xm_t) kernel_read_kernel_sysctls(xm_t) +kernel_read_sysctl(xm_t) +kernel_read_system_state(xm_t) @@ -35572,7 +36219,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_runtime_files(xm_t) files_read_usr_files(xm_t) -@@ -339,15 +391,70 @@ +@@ -339,15 +392,74 @@ storage_raw_read_fixed_disk(xm_t) @@ -35596,6 +36243,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xen_stream_connect_xenstore(xm_t) + +optional_policy(` ++ vhostmd_rw_tmpfs_files(xm_t) ++') ++ ++optional_policy(` + virt_manage_images(xm_t) + virt_stream_connect(xm_t) +') 
@@ -35646,7 +36297,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2009-12-05 06:20:50.000000000 -0500 @@ -181,7 +181,7 @@ # define(`getattr_dir_perms',`{ getattr }') @@ -35683,7 +36334,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') define(`relabelto_lnk_file_perms',`{ getattr relabelto }') define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }') -@@ -312,3 +314,19 @@ +@@ -305,10 +307,27 @@ + # + # Use (read and write) terminals + # +-define(`rw_term_perms', `{ getattr open read write ioctl }') ++define(`rw_inherited_term_perms', `{ getattr open read write ioctl append }') ++define(`rw_term_perms', `{ open rw_inherited_term_perms }') + + # + # Sockets # define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }') diff --git a/selinux-policy.spec b/selinux-policy.spec index 82a004f..68e5148 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 55%{?dist} +Release: 56%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
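Review bot: In the obj_perm_sets.spt hunk, `rw_inherited_term_perms` is defined as `{ getattr open read write ioctl append }`, but a permission set meant for terminals a domain receives as already-open file descriptors should not carry `open`; as written, any domain granted only the inherited set can also open terminal device nodes itself, and the `open` that `rw_term_perms` adds on the next line is redundant. Suggest `define(`rw_inherited_term_perms', `{ getattr read write ioctl append }')` so that `rw_term_perms` (`{ open rw_inherited_term_perms }`) remains the only set that confers `open`. The comment block above the definitions could also mention that `append` is new relative to the previous `rw_term_perms`.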
@@ -449,6 +449,27 @@ exit 0 %endif %changelog +* Mon Dec 7 2009 Dan Walsh 3.6.32-56 +- Dontaudit exec of fusermount from xguest +- Allow licrd to use mouse_device +- Allow sysadm_t to connect to zebra stream socket +- Dontaudit policykit_auth trying to config terminal +- Allow logrotate and asterisk to execute asterisk +- Allow logrotate to read var_lib files (zope) and connect to fail2ban stream +- Allow firewallgui to communicate with unconfined_t +- Allow podsleuth to ask the kernel to load modules +- Fix labeling on vhostmd scripts +- Remove transition from unconfined_t to windbind_helper_t +- Allow abrt_helper to look at inotify +- Fix labels for mythtv +- Allow apache to signal sendmail +- allow asterisk to send mail +- Allow rpcd to get and setcap +- Add tor_bind_all_unreserved_ports boolean +- Add policy for vhostmd +- MOre textrel_shlib_t files +- Add rw_herited_term_perms + * Thu Dec 3 2009 Dan Walsh 3.6.32-55 - Add fprintd_chat(unconfined_t) to fix su timeout problem - Make xguest follow allow_execstack boolean