From 867473ac6293b60e11b811b17076f47af493873b Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Aug 10 2009 18:22:10 +0000 Subject: - Add kdump policy for Miroslav Grepl - Turn off execstack boolean --- diff --git a/booleans-targeted.conf b/booleans-targeted.conf index e42b66c..df05051 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -8,7 +8,7 @@ allow_execmod = false # Allow making the stack executable via mprotect.Also requires allow_execmem. # -allow_execstack = true +allow_execstack = false # Allow ftpd to read cifs directories. # diff --git a/modules-minimum.conf b/modules-minimum.conf index 6a94e6b..806f614 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -671,6 +671,20 @@ jabber = module # java = module +# Layer: system +# Module: kdump +# +# kdump is kernel crash dumping mechanism +# +kdump = module + +# Layer: apps +# Module: kdumpgui +# +# system-config-kdump policy +# +kdumpgui = module + # Layer: services # Module: kerberos # diff --git a/modules-mls.conf b/modules-mls.conf index d45f04a..0d7ee17 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -650,6 +650,20 @@ jabber = module # java = module +# Layer: system +# Module: kdump +# +# kdump is kernel crash dumping mechanism +# +kdump = module + +# Layer: apps +# Module: kdumpgui +# +# system-config-kdump policy +# +kdumpgui = module + # Layer: services # Module: kerberos # diff --git a/modules-targeted.conf b/modules-targeted.conf index 6a94e6b..806f614 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -671,6 +671,20 @@ jabber = module # java = module +# Layer: system +# Module: kdump +# +# kdump is kernel crash dumping mechanism +# +kdump = module + +# Layer: apps +# Module: kdumpgui +# +# system-config-kdump policy +# +kdumpgui = module + # Layer: services # Module: kerberos # diff --git a/policy-F12.patch b/policy-F12.patch index bf1183c..bc49842 100644 --- a/policy-F12.patch +++ b/policy-F12.patch 
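Review bot: `allow_execstack = false` changes a shipped default, but the descriptive comment above it is left as it was, so the file no longer records why this default differs from the previous release or what an administrator should expect to see; since this is the only line in the hunk that carries meaning, a comment such as `# Default off: a program that still needs an executable stack is denied until this boolean is enabled on that host.` directly above it would keep the rationale next to the setting. The three modules-*.conf hunks on this line are list additions and need nothing further, apart from the wording of `# kdump is kernel crash dumping mechanism` (`# kdump is the kernel crash dumping mechanism`), which is repeated in all three files.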
@@ -1922,6 +1922,86 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') +') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.6.26/policy/modules/apps/kdumpgui.fc +--- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.26/policy/modules/apps/kdumpgui.fc 2009-08-10 09:44:30.000000000 -0400 +@@ -0,0 +1,2 @@ ++ ++/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.6.26/policy/modules/apps/kdumpgui.if +--- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.26/policy/modules/apps/kdumpgui.if 2009-08-10 09:44:30.000000000 -0400 +@@ -0,0 +1,2 @@ ++## system-config-kdump policy ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.6.26/policy/modules/apps/kdumpgui.te +--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.26/policy/modules/apps/kdumpgui.te 2009-08-10 09:44:30.000000000 -0400 +@@ -0,0 +1,64 @@ ++policy_module(kdumpgui,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type kdumpgui_t; ++type kdumpgui_exec_t; ++ ++dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) ++ ++###################################### ++# ++# system-config-kdump local policy ++# ++ ++allow kdumpgui_t self:capability { net_admin sys_rawio }; ++allow kdumpgui_t self:fifo_file rw_fifo_file_perms; ++ ++allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms; ++ ++kdump_manage_etc(kdumpgui_t) ++kdump_domtrans(kdumpgui_t) ++kdump_initrc_domtrans(kdumpgui_t) ++ ++corecmd_exec_bin(kdumpgui_t) ++corecmd_exec_shell(kdumpgui_t) 
++consoletype_exec(kdumpgui_t) ++ ++kernel_read_system_state(kdumpgui_t) ++kernel_read_network_state(kdumpgui_t) ++ ++storage_raw_read_fixed_disk(kdumpgui_t) ++storage_raw_write_fixed_disk(kdumpgui_t) ++ ++dev_dontaudit_getattr_all_chr_files(kdumpgui_t) ++dev_read_sysfs(kdumpgui_t) ++ ++# for blkid.tab ++files_manage_etc_runtime_files(kdumpgui_t) ++files_etc_filetrans_etc_runtime(kdumpgui_t, file) ++ ++files_manage_boot_files(kdumpgui_t) ++files_manage_boot_symlinks(kdumpgui_t) ++# Needed for running chkconfig ++files_manage_etc_symlinks(kdumpgui_t) ++ ++auth_use_nsswitch(kdumpgui_t) ++ ++miscfiles_read_localization(kdumpgui_t) ++ ++dontaudit_init_read_all_script_files(kdumpgui_t) ++ ++optional_policy(` ++ dev_rw_lvm_control(kdumpgui_t) ++') ++ ++optional_policy(` ++ policykit_dbus_chat(kdumpgui_t) ++') ++ ++permissive kdumpgui_t; ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.26/policy/modules/apps/livecd.fc --- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.26/policy/modules/apps/livecd.fc 2009-07-30 15:33:08.000000000 -0400 @@ -4362,7 +4442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.26/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/devices.if 2009-08-03 06:30:19.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/devices.if 2009-08-10 10:05:44.000000000 -0400 @@ -1655,6 +1655,78 @@ ######################################## 
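Review bot: kdumpgui.te closes with `permissive kdumpgui_t;`, so none of the rules above it are enforced and the domain's real footprint — `self:capability { net_admin sys_rawio }`, `storage_raw_write_fixed_disk`, `files_manage_boot_files` — shows up only as audit noise rather than denials; if that is the intended bring-up state, a comment next to it such as `# permissive while the policy is being developed; remove once the denials are worked through` makes the follow-up visible to whoever ships the next build. The raw fixed-disk write and sys_rawio grants also carry no justifying comment, unlike the `# for blkid.tab` rule in the same block; a one-line why-comment naming the operation that needs them (or a read-only storage interface if writing is not actually required) would let a later reviewer re-evaluate them. The `kdump_manage_etc`, `kdump_domtrans` and `kdump_initrc_domtrans` interfaces this domain calls come from a kdump module that is not in the visible part of the patch, so I assume it is added elsewhere in the series. The new kdumpgui.fc also begins with an empty line (`@@ -0,0 +1,2 @@` with a blank first line), which is harmless but untidy.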
@@ -4944,7 +5024,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.26/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/files.if 2009-08-05 17:20:50.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/files.if 2009-08-10 11:51:27.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -5374,7 +5454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.26/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/kernel.if 2009-08-07 07:36:43.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/kernel.if 2009-08-10 11:43:18.000000000 -0400 @@ -1807,7 +1807,7 @@ ') @@ -5880,7 +5960,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.26/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/roles/sysadm.te 2009-08-06 07:59:15.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/roles/sysadm.te 2009-08-10 10:28:13.000000000 -0400 @@ -15,7 +15,7 @@ role sysadm_r; 
@@ -5890,7 +5970,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`enable_mls',` userdom_security_admin_template(sysadm_t, sysadm_r) -@@ -70,7 +70,6 @@ +@@ -35,6 +35,7 @@ + ubac_fd_exempt(sysadm_t) + + init_exec(sysadm_t) ++init_exec_script_files(sysadm_t) + + # Add/remove user home directories + userdom_manage_user_home_dirs(sysadm_t) +@@ -70,7 +71,6 @@ apache_run_helper(sysadm_t, sysadm_r) #apache_run_all_scripts(sysadm_t, sysadm_r) #apache_domtrans_sys_script(sysadm_t) @@ -5898,7 +5986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -87,10 +86,6 @@ +@@ -87,10 +87,6 @@ ') optional_policy(` @@ -5909,7 +5997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol backup_run(sysadm_t, sysadm_r) ') -@@ -99,18 +94,10 @@ +@@ -99,18 +95,10 @@ ') optional_policy(` @@ -5928,7 +6016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol certwatch_run(sysadm_t, sysadm_r) ') -@@ -127,7 +114,7 @@ +@@ -127,7 +115,7 @@ ') optional_policy(` @@ -5937,7 +6025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -135,10 +122,6 @@ +@@ -135,10 +123,6 @@ ') optional_policy(` @@ -5948,7 +6036,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dcc_run_cdcc(sysadm_t, sysadm_r) dcc_run_client(sysadm_t, sysadm_r) dcc_run_dbclean(sysadm_t, sysadm_r) -@@ -166,10 +149,6 @@ +@@ -166,10 +150,6 @@ ') optional_policy(` @@ -5959,7 +6047,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol firstboot_run(sysadm_t, sysadm_r) ') -@@ -178,22 +157,6 @@ +@@ -178,22 +158,6 @@ ') optional_policy(` 
@@ -5982,7 +6070,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_run(sysadm_t, sysadm_r) ') -@@ -205,6 +168,8 @@ +@@ -205,6 +169,8 @@ ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -5991,7 +6079,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -212,11 +177,7 @@ +@@ -212,11 +178,7 @@ ') optional_policy(` @@ -6004,7 +6092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -228,10 +189,6 @@ +@@ -228,10 +190,6 @@ ') optional_policy(` @@ -6015,7 +6103,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logrotate_run(sysadm_t, sysadm_r) ') -@@ -255,14 +212,6 @@ +@@ -255,14 +213,6 @@ ') optional_policy(` @@ -6030,7 +6118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mta_role(sysadm_r, sysadm_t) ') -@@ -290,11 +239,6 @@ +@@ -290,11 +240,6 @@ ') optional_policy(` @@ -6042,7 +6130,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol pcmcia_run_cardctl(sysadm_t, sysadm_r) ') -@@ -308,7 +252,7 @@ +@@ -308,7 +253,7 @@ ') optional_policy(` @@ -6051,7 +6139,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -320,10 +264,6 @@ +@@ -320,10 +265,6 @@ ') optional_policy(` @@ -6062,7 +6150,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_domtrans_nfsd(sysadm_t) ') -@@ -332,10 +272,6 @@ +@@ -332,10 +273,6 @@ ') optional_policy(` @@ -6073,7 +6161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rsync_exec(sysadm_t) ') -@@ -345,10 +281,6 @@ +@@ -345,10 +282,6 @@ ') optional_policy(` 
@@ -6084,7 +6172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol secadm_role_change(sysadm_r) ') -@@ -358,35 +290,15 @@ +@@ -358,35 +291,15 @@ ') optional_policy(` @@ -6120,7 +6208,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tripwire_run_siggen(sysadm_t, sysadm_r) tripwire_run_tripwire(sysadm_t, sysadm_r) tripwire_run_twadmin(sysadm_t, sysadm_r) -@@ -394,18 +306,10 @@ +@@ -394,18 +307,10 @@ ') optional_policy(` @@ -6139,7 +6227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(sysadm_t) ') -@@ -418,17 +322,13 @@ +@@ -418,17 +323,13 @@ ') optional_policy(` @@ -6158,7 +6246,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -440,13 +340,12 @@ +@@ -440,13 +341,12 @@ ') optional_policy(` @@ -7578,7 +7666,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.26/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/apache.if 2009-07-30 15:33:08.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/apache.if 2009-08-10 10:52:44.000000000 -0400 @@ -13,21 +13,16 @@ # template(`apache_content_template',` 
@@ -8967,7 +9055,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.26/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/consolekit.if 2009-07-30 15:33:08.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/consolekit.if 2009-08-10 13:11:45.000000000 -0400 @@ -57,3 +57,23 @@ read_files_pattern($1, consolekit_log_t, consolekit_log_t) files_search_pids($1) 
@@ -9786,19 +9874,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.26/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/cups.fc 2009-08-07 07:43:48.000000000 -0400 -@@ -13,7 +13,9 @@ ++++ serefpolicy-3.6.26/policy/modules/services/cups.fc 2009-08-10 13:19:57.000000000 -0400 +@@ -13,10 +13,14 @@ /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) --/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) +/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0) + -+/etc/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) + /etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) /etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -@@ -52,6 +54,8 @@ ++/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) ++ + /opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + + /usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +@@ -52,6 +56,8 @@ /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) 
@@ -9807,7 +9899,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) /var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) -@@ -62,3 +67,8 @@ +@@ -62,3 +69,8 @@ /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) @@ -9818,7 +9910,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.26/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-07-28 15:51:13.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/cups.te 2009-08-07 07:43:13.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/cups.te 2009-08-10 13:25:05.000000000 -0400 @@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) 
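Review bot: The new `/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)` entry only takes effect if udev_t is given a domain transition on cupsd_config_exec_t; no `cups_domtrans_config(udev_t)` call (or equivalent udev.te change) is visible in this diff, so unless it lives in a part of the patch outside this view the helper simply runs in udev_t under a misleading label. The same nested hunk reverts `/etc/hp(/.*)?` from hplip_var_lib_t back to hplip_etc_t while cups.te keeps a separate hplip_var_lib_t type (see the `@@ -9829` hunk below); if the previous build was ever installed, a changelog line saying that `/etc/hp` needs a restorecon would save a support round-trip.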
@@ -9829,23 +9921,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type cupsd_rw_etc_t; files_config_file(cupsd_rw_etc_t) -@@ -64,12 +67,12 @@ +@@ -64,11 +67,14 @@ # For CUPS to run as a backend cups_backend(hplip_t, hplip_exec_t) --type hplip_etc_t; --files_config_file(hplip_etc_t) -- - type hplip_tmp_t; - files_tmp_file(hplip_tmp_t) ++type hplip_tmp_t; ++files_tmp_file(hplip_tmp_t) ++ + type hplip_etc_t; + files_config_file(hplip_etc_t) -+type hplip_var_lib_t alias hplip_etc_t; +-type hplip_tmp_t; +-files_tmp_file(hplip_tmp_t) ++type hplip_var_lib_t; +files_type(hplip_var_lib_t) -+ + type hplip_var_run_t; files_pid_file(hplip_var_run_t) - -@@ -116,6 +119,9 @@ +@@ -116,6 +122,9 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) files_search_etc(cupsd_t) @@ -9855,16 +9948,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) -@@ -146,7 +152,7 @@ - - allow cupsd_t hplip_t:process { signal sigkill }; - --read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) -+read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t) - - allow cupsd_t hplip_var_run_t:file read_file_perms; - -@@ -250,6 +256,7 @@ +@@ -250,6 +259,7 @@ miscfiles_read_localization(cupsd_t) # invoking ghostscript needs to read fonts miscfiles_read_fonts(cupsd_t) 
@@ -9872,16 +9956,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_read_config(cupsd_t) sysnet_exec_ifconfig(cupsd_t) -@@ -360,7 +367,7 @@ - - domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) - --read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) -+read_files_pattern(cupsd_config_t, hplip_var_lib_t, hplip_var_lib_t) - - kernel_read_system_state(cupsd_config_t) - kernel_read_all_sysctls(cupsd_config_t) -@@ -419,6 +426,10 @@ +@@ -419,6 +429,10 @@ ') optional_policy(` @@ -9892,7 +9967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -542,6 +553,8 @@ +@@ -542,6 +556,8 @@ manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) 
@@ -9901,19 +9976,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(cups_pdf_t) files_read_etc_files(cups_pdf_t) -@@ -596,9 +609,9 @@ - - cups_stream_connect(hplip_t) - --allow hplip_t hplip_etc_t:dir list_dir_perms; --read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) --read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) -+allow hplip_t hplip_var_lib_t:dir list_dir_perms; -+read_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) -+read_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +@@ -601,6 +617,9 @@ + read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) ++manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) ++manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) ++ manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) + files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.26/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.6.26/policy/modules/services/cvs.te 2009-07-30 15:33:08.000000000 -0400 @@ -10185,7 +10257,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 devicekit_t:process { ptrace signal_perms getattr }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.26/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/devicekit.te 2009-08-07 07:49:12.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/devicekit.te 2009-08-10 11:51:36.000000000 -0400 
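Review bot: `manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)` and the `manage_lnk_files_pattern` line are added here, and `type hplip_var_lib_t;` is now declared without the `alias hplip_etc_t` it previously had, but no file_contexts line visible in this diff assigns hplip_var_lib_t to any path — the cups.fc hunk puts `/etc/hp` back on hplip_etc_t. Unless the only partly visible `@@ -62,3 +69,8 @@` cups.fc addition labels something (for example a /var/lib path) with it, these two rules are dead and hplip will still be denied on whatever label the files actually carry; please confirm the fc entry exists. A short comment above the two rules naming the directory they are meant for would also make that dependency obvious. hplip_t's rule block continues outside this hunk.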
@@ -36,12 +36,15 @@ manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) @@ -10215,20 +10287,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) -@@ -72,6 +78,7 @@ +@@ -71,7 +77,9 @@ + manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) ++kernel_read_fs_sysctls(devicekit_disk_t) kernel_read_software_raid_state(devicekit_disk_t) +kernel_read_system_state(devicekit_disk_t) kernel_setsched(devicekit_disk_t) corecmd_exec_bin(devicekit_disk_t) -@@ -79,21 +86,26 @@ +@@ -79,21 +87,30 @@ dev_rw_sysfs(devicekit_disk_t) dev_read_urand(devicekit_disk_t) dev_getattr_usbfs_dirs(devicekit_disk_t) +dev_manage_generic_files(devicekit_disk_t) ++domain_read_all_domains_state(devicekit_disk_t) ++ ++files_getattr_all_mountpoints(devicekit_disk_t) ++files_getattr_all_files(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) files_read_etc_files(devicekit_disk_t) files_read_etc_runtime_files(devicekit_disk_t) @@ -10251,7 +10329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(devicekit_disk_t) miscfiles_read_localization(devicekit_disk_t) -@@ -110,6 +122,7 @@ +@@ -110,6 +127,7 @@ ') optional_policy(` @@ -10259,7 +10337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(devicekit_disk_t) policykit_read_lib(devicekit_disk_t) policykit_read_reload(devicekit_disk_t) -@@ -134,14 +147,28 @@ +@@ -134,14 +152,28 @@ udev_read_db(devicekit_disk_t) ') 
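Review bot: The newly added `files_getattr_all_files(devicekit_disk_t)`, `files_getattr_all_mountpoints(devicekit_disk_t)` and `domain_read_all_domains_state(devicekit_disk_t)` rules in the `@@ -79,21 +87,30 @@` nested hunk are wide grants with no accompanying comment, while the rest of the block explains narrower rules; each should record which DeviceKit-disks operation produced the denial, e.g. `# getattr on every file/mountpoint: needed when probing mount targets — confirm against the AVC`, so the grant can be narrowed later. `files_getattr_all_files` in particular covers every file type on the system, so if the denial was for a specific directory a type-specific interface is preferable. The same hunk also adds `kernel_read_fs_sysctls(devicekit_disk_t)` without a comment, which is minor. The devicekit_disk_t block continues outside this hunk.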
@@ -10289,7 +10367,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -@@ -151,6 +178,7 @@ +@@ -151,6 +183,7 @@ kernel_read_system_state(devicekit_power_t) kernel_rw_hotplug_sysctls(devicekit_power_t) kernel_rw_kernel_sysctl(devicekit_power_t) @@ -10297,7 +10375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) -@@ -159,6 +187,7 @@ +@@ -159,6 +192,7 @@ domain_read_all_domains_state(devicekit_power_t) @@ -10305,7 +10383,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) -@@ -167,6 +196,8 @@ +@@ -167,6 +201,8 @@ files_read_etc_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) @@ -10314,7 +10392,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_terms(devicekit_power_t) auth_use_nsswitch(devicekit_power_t) -@@ -180,8 +211,11 @@ +@@ -180,8 +216,11 @@ ') optional_policy(` @@ -10327,7 +10405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow devicekit_power_t devicekit_t:dbus send_msg; optional_policy(` -@@ -203,17 +237,23 @@ +@@ -203,17 +242,23 @@ optional_policy(` hal_domtrans_mac(devicekit_power_t) 
@@ -11677,7 +11755,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.26/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/networkmanager.te 2009-08-05 08:04:33.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/networkmanager.te 2009-08-10 11:32:36.000000000 -0400 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -12734,7 +12812,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.26/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/policykit.te 2009-08-07 06:11:40.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/policykit.te 2009-08-10 10:24:17.000000000 -0400 @@ -38,9 +38,10 @@ allow policykit_t self:capability { setgid setuid }; @@ -12748,7 +12826,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(policykit_t) -@@ -62,14 +63,25 @@ +@@ -62,13 +63,25 @@ files_read_etc_files(policykit_t) files_read_usr_files(policykit_t) @@ -12762,7 +12840,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_getattr_all_users(policykit_t) userdom_read_all_users_state(policykit_t) - ++userdom_dontaudit_search_admin_dir(policykit_t) ++ +optional_policy(` + dbus_system_domain(policykit_t, policykit_exec_t) + 
@@ -12770,11 +12849,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + consolekit_dbus_chat(policykit_t) + ') +') -+ + ######################################## # - # polkit_auth local policy -@@ -77,12 +89,15 @@ +@@ -77,12 +90,15 @@ allow policykit_auth_t self:capability setgid; allow policykit_auth_t self:process getattr; @@ -12792,7 +12870,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -@@ -95,7 +110,10 @@ +@@ -95,7 +111,10 @@ files_read_etc_files(policykit_auth_t) files_read_usr_files(policykit_auth_t) @@ -12803,7 +12881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(policykit_auth_t) -@@ -104,6 +122,7 @@ +@@ -104,6 +123,7 @@ userdom_dontaudit_read_user_home_content_files(policykit_auth_t) optional_policy(` @@ -12811,7 +12889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -116,6 +135,13 @@ +@@ -116,6 +136,13 @@ hal_read_state(policykit_auth_t) ') @@ -12825,7 +12903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # polkit_grant local policy -@@ -123,7 +149,8 @@ +@@ -123,7 +150,8 @@ allow policykit_grant_t self:capability setuid; allow policykit_grant_t self:process getattr; @@ -12835,7 +12913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -153,9 +180,12 @@ +@@ -153,9 +181,12 @@ userdom_read_all_users_state(policykit_grant_t) optional_policy(` 
@@ -12849,7 +12927,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -167,7 +197,8 @@ +@@ -167,7 +198,8 @@ allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; allow policykit_resolve_t self:process getattr; @@ -19231,7 +19309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.26/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/system/init.if 2009-07-30 15:33:09.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/system/init.if 2009-08-10 10:27:53.000000000 -0400 @@ -174,6 +174,7 @@ role system_r types $1; @@ -19318,7 +19396,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -646,19 +679,39 @@ +@@ -646,23 +679,43 @@ # interface(`init_domtrans_script',` gen_require(` @@ -19339,11 +19417,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; -+ ') -+') -+ -+######################################## -+## + ') + ') + + ######################################## + ## +## Execute a file in a bin directory +## in the initrc_t domain +## 
@@ -19356,13 +19434,42 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; - ') ++ ') + + corecmd_bin_domtrans($1, initrc_t) ++') ++ ++######################################## ++## + ## Execute a init script in a specified domain. + ## + ## +@@ -904,6 +957,24 @@ + allow $1 init_script_file_type:file read_file_perms; ') ++####################################### ++## ++## Dontaudit read all init script files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dontaudit_init_read_all_script_files',` ++ gen_require(` ++ attribute init_script_file_type; ++ ') ++ ++ dontaudit $1 init_script_file_type:file read_file_perms; ++') ++ ######################################## -@@ -1291,6 +1344,25 @@ + ## + ## Execute all init scripts in the caller domain. +@@ -1291,6 +1362,25 @@ ######################################## ## @@ -19388,7 +19495,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create files in a init script ## temporary data directory. ## -@@ -1521,3 +1593,51 @@ +@@ -1521,3 +1611,51 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -19442,7 +19549,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.26/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-07-30 09:44:08.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/system/init.te 2009-08-05 07:18:15.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/system/init.te 2009-08-10 13:12:20.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) 
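Review bot: The new interface is named `dontaudit_init_read_all_script_files`, which departs from the refpolicy convention that interface names begin with their module's prefix (compare `init_domtrans_script` and `init_bin_domtrans_spec` in the hunk just above), so it will not sort or grep with the other init_* interfaces; rename it to `init_dontaudit_read_all_script_files` and update the single caller this commit adds, `dontaudit_init_read_all_script_files(kdumpgui_t)` in kdumpgui.te. The body `dontaudit $1 init_script_file_type:file read_file_perms;` otherwise mirrors the allow form of the interface above it, and the `gen_require` of the attribute is correct.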
@@ -19490,7 +19597,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # For /var/run/shutdown.pid. allow init_t init_var_run_t:file manage_file_perms; -@@ -167,6 +182,8 @@ +@@ -140,6 +155,7 @@ + files_dontaudit_rw_root_files(init_t) + files_dontaudit_rw_root_chr_files(init_t) + ++fs_list_inotifyfs(init_t) + # cjp: this may be related to /dev/log + fs_write_ramfs_sockets(init_t) + +@@ -167,6 +183,8 @@ miscfiles_read_localization(init_t) @@ -19499,10 +19614,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -189,6 +206,14 @@ +@@ -189,6 +207,18 @@ ') optional_policy(` ++ consolekit_read_log(init_t) ++') ++ ++optional_policy(` + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. @@ -19514,7 +19633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol nscd_socket_use(init_t) ') -@@ -202,9 +227,10 @@ +@@ -202,9 +232,10 @@ # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -19526,7 +19645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow IPC with self allow initrc_t self:unix_dgram_socket create_socket_perms; -@@ -217,7 +243,8 @@ +@@ -217,7 +248,8 @@ term_create_pty(initrc_t, initrc_devpts_t) # Going to single user mode @@ -19536,7 +19655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol can_exec(initrc_t, init_script_file_type) -@@ -230,10 +257,16 @@ +@@ -230,10 +262,16 @@ allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
@@ -19555,7 +19674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir }) init_write_initctl(initrc_t) -@@ -249,8 +282,12 @@ +@@ -249,8 +287,12 @@ kernel_rw_all_sysctls(initrc_t) # for lsof which is used by alsa shutdown: kernel_dontaudit_getattr_message_if(initrc_t) @@ -19568,7 +19687,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(initrc_t) corenet_all_recvfrom_netlabel(initrc_t) -@@ -270,17 +307,22 @@ +@@ -270,17 +312,22 @@ dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) @@ -19592,7 +19711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs fs_write_ramfs_pipes(initrc_t) -@@ -328,7 +370,7 @@ +@@ -328,7 +375,7 @@ domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -19601,7 +19720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -343,14 +385,15 @@ +@@ -343,14 +390,15 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -19619,7 +19738,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_exec_etc_files(initrc_t) files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) -@@ -366,7 +409,9 @@ +@@ -366,7 +414,9 @@ libs_rw_ld_so_cache(initrc_t) libs_exec_lib_files(initrc_t) 
@@ -19629,7 +19748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) -@@ -423,8 +468,6 @@ +@@ -423,8 +473,6 @@ # init scripts touch this clock_dontaudit_write_adjtime(initrc_t) @@ -19638,7 +19757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for integrated run_init to read run_init_type. # happens during boot (/sbin/rc execs init scripts) seutil_read_default_contexts(initrc_t) -@@ -451,11 +494,9 @@ +@@ -451,11 +499,9 @@ # Red Hat systems seem to have a stray # fd open from the initrd @@ -19651,7 +19770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # These seem to be from the initrd # during device initialization: dev_create_generic_dirs(initrc_t) -@@ -465,6 +506,7 @@ +@@ -465,6 +511,7 @@ storage_raw_read_fixed_disk(initrc_t) storage_raw_write_fixed_disk(initrc_t) @@ -19659,7 +19778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) # wants to read /.fonts directory -@@ -498,6 +540,7 @@ +@@ -498,6 +545,7 @@ optional_policy(` #for /etc/rc.d/init.d/nfs to create /etc/exports rpc_write_exports(initrc_t) @@ -19667,7 +19786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -516,6 +559,33 @@ +@@ -516,6 +564,33 @@ ') ') @@ -19701,7 +19820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -570,6 +640,10 @@ +@@ -570,6 +645,10 @@ dbus_read_config(initrc_t) optional_policy(` @@ -19712,7 +19831,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol networkmanager_dbus_chat(initrc_t) ') ') -@@ -591,6 +665,10 @@ +@@ -591,6 +670,10 @@ ') optional_policy(` 
@@ -19723,7 +19842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_usbfs(initrc_t) # init scripts run /etc/hotplug/usb.rc -@@ -647,20 +725,20 @@ +@@ -647,20 +730,20 @@ ') optional_policy(` @@ -19750,7 +19869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ifdef(`distro_redhat',` -@@ -669,6 +747,7 @@ +@@ -669,6 +752,7 @@ mysql_stream_connect(initrc_t) mysql_write_log(initrc_t) @@ -19758,7 +19877,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -697,7 +776,6 @@ +@@ -697,7 +781,6 @@ ') optional_policy(` @@ -19766,7 +19885,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -719,8 +797,6 @@ +@@ -719,8 +802,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -19775,7 +19894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -733,10 +809,12 @@ +@@ -733,10 +814,12 @@ squid_manage_logs(initrc_t) ') @@ -19788,7 +19907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -754,6 +832,11 @@ +@@ -754,6 +837,11 @@ uml_setattr_util_sockets(initrc_t) ') @@ -19800,7 +19919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` unconfined_domain(initrc_t) -@@ -765,6 +848,13 @@ +@@ -765,6 +853,13 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -19814,7 +19933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -790,3 +880,31 @@ +@@ -790,3 +885,31 @@ optional_policy(` zebra_read_config(initrc_t) ') 
@@ -20104,9 +20223,178 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -sysnet_dns_name_resolve(iscsid_t) +miscfiles_read_localization(iscsid_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.fc serefpolicy-3.6.26/policy/modules/system/kdump.fc +--- nsaserefpolicy/policy/modules/system/kdump.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.26/policy/modules/system/kdump.fc 2009-08-10 09:44:25.000000000 -0400 +@@ -0,0 +1,8 @@ ++ ++/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0) ++ ++/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) ++/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) ++ ++/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.if serefpolicy-3.6.26/policy/modules/system/kdump.if +--- nsaserefpolicy/policy/modules/system/kdump.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.26/policy/modules/system/kdump.if 2009-08-10 09:47:15.000000000 -0400 +@@ -0,0 +1,111 @@ ++## kdump is kernel crash dumping mechanism ++ ++###################################### ++## ++## Execute kdump in the kdump domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`kdump_domtrans',` ++ gen_require(` ++ type kdump_t, kdump_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, kdump_exec_t, kdump_t) ++') ++ ++####################################### ++## ++## Execute kdump in the kdump domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`kdump_initrc_domtrans',` ++ gen_require(` ++ type kdump_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, kdump_initrc_exec_t) ++') ++ ++##################################### ++## ++## Read kdump configuration file. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kdump_read_etc',` ++ gen_require(` ++ type kdump_etc_t; ++ ') ++ ++ files_search_etc($1) ++ read_files_pattern($1, kdump_etc_t, kdump_etc_t) ++') ++ ++#################################### ++## ++## Manage kdump configuration file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kdump_manage_etc',` ++ gen_require(` ++ type kdump_etc_t; ++ ') ++ ++ files_search_etc($1) ++ manage_files_pattern($1, kdump_etc_t, kdump_etc_t) ++') ++ ++###################################### ++## ++## All of the rules required to administrate ++## an kdump environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the kdump domain. ++## ++## ++## ++# ++interface(`kdump_admin',` ++ gen_require(` ++ type kdump_t,kdump_etc_t; ++ type kdump_initrc_exec_t; ++ ') ++ ++ allow $1 kdump_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, kdump_t) ++ ++ init_labeled_script_domtrans($1, kdump_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 kdump_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_search_etc($1) ++ admin_pattern($1, kdump_etc_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.6.26/policy/modules/system/kdump.te +--- nsaserefpolicy/policy/modules/system/kdump.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.26/policy/modules/system/kdump.te 2009-08-10 09:44:25.000000000 -0400 +@@ -0,0 +1,38 @@ ++policy_module(kdump,1.0.0) ++ ++####################################### ++# ++# Declarations ++# ++ ++type kdump_t; ++type kdump_exec_t; ++init_system_domain(kdump_t, kdump_exec_t) ++ ++type kdump_etc_t; ++files_config_file(kdump_etc_t) ++ ++type kdump_initrc_exec_t; ++init_script_file(kdump_initrc_exec_t) ++ ++##################################### ++# ++# kdump local policy ++# ++ ++allow kdump_t self:capability { 
sys_boot dac_override }; ++ ++read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) ++ ++files_read_etc_runtime_files(kdump_t) ++files_read_kernel_img(kdump_t) ++ ++kernel_read_system_state(kdump_t) ++ ++dev_read_framebuffer(kdump_t) ++dev_read_sysfs(kdump_t) ++ ++term_use_console(kdump_t) ++ ++permissive kdump_t; ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.26/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/system/libraries.fc 2009-08-03 07:56:50.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/system/libraries.fc 2009-08-10 11:54:48.000000000 -0400 @@ -60,12 +60,15 @@ # # /opt @@ -20156,7 +20444,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -@@ -115,27 +120,29 @@ +@@ -115,27 +120,30 @@ /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -20168,6 +20456,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
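Review bot: `permissive kdump_t;` at the end of kdump.te puts the whole new domain in permissive mode, so the capability, file and device rules above it are only logged, not enforced, until that line is removed; a comment on it such as `# development only: remove once the kdump policy is complete` keeps that from being forgotten, and `allow kdump_t self:capability { sys_boot dac_override };` deserves a why-comment of its own since nothing in the rules here shows what dac_override is needed for. In kdump.if the summary of `kdump_initrc_domtrans` repeats that of `kdump_domtrans` ("Execute kdump in the kdump domain.") although it transitions through `init_labeled_script_domtrans` on `kdump_initrc_exec_t`; `## Execute the kdump init script in the initrc domain.` describes what it does. The `kdump_admin` summary reads "administrate an kdump environment" and should read "a kdump environment". This hunk begins two lines earlier on the page, at the iscsid context lines.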
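Review bot: `/usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` matches whichever libGL is installed under /usr/lib or /usr/lib64, so every GL implementation receives the textrel_shlib_t label and with it the execmod exemption, whereas the neighbouring vlc and nvidia entries in this hunk scope that label to a vendor path. If only one driver's libGL needs text relocations, a pattern limited to its install path, or at least a comment naming the package that motivates the entry, would keep the exemption as narrow as the rest of the file.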
@@ -20194,7 +20483,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) /usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -143,11 +150,8 @@ +@@ -143,11 +151,8 @@ /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -20206,7 +20495,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -168,12 +172,12 @@ +@@ -168,12 +173,12 @@ # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php @@ -20221,7 +20510,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -185,15 +189,10 @@ +@@ -185,15 +190,10 @@ /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -20238,7 +20527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -228,31 +227,17 @@ +@@ -228,31 +228,17 @@ /usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -20274,7 +20563,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -268,6 +253,9 @@ +@@ -268,6 +254,9 @@ /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -20284,7 +20573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -292,6 +280,8 @@ +@@ -292,6 +281,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -20293,7 +20582,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -304,10 +294,92 @@ +@@ -304,10 +295,91 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) @@ -20330,6 +20619,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ + +/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -20344,8 +20635,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/lib(64)?/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + -+ -+ +ifdef(`fixed',` +/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -20367,7 +20656,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -20927,7 +21215,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.26/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/system/mount.te 2009-07-30 15:33:09.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/system/mount.te 2009-08-10 10:06:05.000000000 -0400 @@ -18,8 +18,12 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -20965,7 +21253,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow mount_t mount_loopback_t:file read_file_perms; -@@ -47,12 +59,25 @@ +@@ -47,12 +59,26 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) @@ -20988,10 +21276,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_list_all_dev_nodes(mount_t) +dev_read_usbfs(mount_t) +dev_read_rand(mount_t) ++dev_read_sysfs(mount_t) dev_rw_lvm_control(mount_t) dev_dontaudit_getattr_all_chr_files(mount_t) dev_dontaudit_getattr_memory_dev(mount_t) -@@ -62,16 +87,19 @@ +@@ -62,16 +88,19 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) @@ -21014,7 +21303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_terms(mount_t) -@@ -79,6 +107,7 @@ +@@ -79,6 +108,7 @@ corecmd_exec_bin(mount_t) domain_use_interactive_fds(mount_t) 
@@ -21022,7 +21311,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_all(mount_t) files_read_etc_files(mount_t) -@@ -87,7 +116,7 @@ +@@ -87,7 +117,7 @@ files_mounton_all_mountpoints(mount_t) files_unmount_rootfs(mount_t) # These rules need to be generalized. Only admin, initrc should have it: @@ -21031,7 +21320,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_mount_all_file_type_fs(mount_t) files_unmount_all_file_type_fs(mount_t) # for when /etc/mtab loses its type -@@ -100,6 +129,8 @@ +@@ -100,6 +130,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -21040,7 +21329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(mount_t) -@@ -116,6 +147,7 @@ +@@ -116,6 +148,7 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -21048,7 +21337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat',` optional_policy(` -@@ -131,9 +163,13 @@ +@@ -131,9 +164,13 @@ ') ') @@ -21063,7 +21352,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_mounton_non_security(mount_t) ') -@@ -164,6 +200,8 @@ +@@ -164,6 +201,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -21072,7 +21361,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -171,6 +209,21 @@ +@@ -171,6 +210,21 @@ ') optional_policy(` @@ -21094,7 +21383,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -178,6 +231,11 @@ +@@ -178,6 +232,11 @@ ') ') 
@@ -21106,7 +21395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -185,6 +243,7 @@ +@@ -185,6 +244,7 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -21114,7 +21403,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -194,5 +253,8 @@ +@@ -194,5 +254,8 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t, file) @@ -22302,7 +22591,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.26/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/system/udev.te 2009-07-30 15:33:09.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/system/udev.te 2009-08-10 10:36:14.000000000 -0400 @@ -50,6 +50,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -22361,7 +22650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol brctl_domtrans(udev_t) ') -@@ -202,6 +212,10 @@ +@@ -202,14 +212,27 @@ ') optional_policy(` @@ -22372,7 +22661,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consoletype_exec(udev_t) ') -@@ -210,6 +224,11 @@ + optional_policy(` ++ cups_domtrans_config(udev_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(udev_t) ') optional_policy(` @@ -22384,7 +22678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol lvm_domtrans(udev_t) ') -@@ -219,6 +238,7 @@ +@@ -219,6 +242,7 @@ optional_policy(` hal_dgram_send(udev_t) 
@@ -22392,7 +22686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -228,6 +248,10 @@ +@@ -228,6 +252,10 @@ ') optional_policy(` @@ -22403,7 +22697,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -242,6 +266,10 @@ +@@ -242,6 +270,10 @@ ') optional_policy(` @@ -23181,7 +23475,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.26/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/system/userdomain.if 2009-08-07 06:43:58.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/system/userdomain.if 2009-08-10 11:36:42.000000000 -0400 @@ -30,8 +30,9 @@ ') @@ -23619,9 +23913,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -512,181 +519,192 @@ +@@ -511,182 +518,194 @@ + # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; ++ allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; - allow $1_t unpriv_userdomain:fd use; + allow $1_usertype unpriv_userdomain:fd use; @@ -23888,7 +24184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -714,13 +732,26 @@ +@@ -714,13 +733,26 @@ userdom_base_user_template($1) 
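Review bot: `allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;` is added inside a user template, so every user domain instantiated from it gains the right to create uevent netlink sockets, and unlike the `netlink_socket` and `netlink_route_socket` lines beside it this is an allow rather than a dontaudit and carries no comment. A why-comment in the style of the line above (`# evolution and gnome-session try to create a netlink socket`) naming the program that needs the socket would let a later reader judge whether a dontaudit would have sufficed. The template this rule belongs to begins and ends outside the hunk.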
@@ -23920,7 +24216,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_change_password_template($1) -@@ -738,70 +769,71 @@ +@@ -738,70 +770,71 @@ allow $1_t self:context contains; @@ -24025,7 +24321,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -838,6 +870,28 @@ +@@ -838,6 +871,28 @@ # Local policy # @@ -24054,7 +24350,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -868,7 +922,10 @@ +@@ -868,7 +923,10 @@ userdom_restricted_user_template($1) @@ -24066,7 +24362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -876,14 +933,19 @@ +@@ -876,14 +934,19 @@ # auth_role($1_r, $1_t) @@ -24091,7 +24387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -891,28 +953,47 @@ +@@ -891,28 +954,47 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -24146,7 +24442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -946,8 +1027,8 @@ +@@ -946,8 +1028,8 @@ # Declarations # @@ -24156,7 +24452,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -956,11 +1037,12 @@ +@@ -956,11 +1038,12 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -24171,7 +24467,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -978,36 +1060,53 @@ +@@ -978,36 +1061,53 @@ ') ') 
@@ -24239,7 +24535,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1042,7 +1141,7 @@ +@@ -1042,7 +1142,7 @@ # template(`userdom_admin_user_template',` gen_require(` @@ -24248,7 +24544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1051,8 +1150,7 @@ +@@ -1051,8 +1151,7 @@ # # Inherit rules for ordinary users. @@ -24258,7 +24554,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1075,7 +1173,8 @@ +@@ -1075,7 +1174,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -24268,7 +24564,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1091,6 +1190,7 @@ +@@ -1091,6 +1191,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -24276,7 +24572,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1098,8 +1198,6 @@ +@@ -1098,8 +1199,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -24285,7 +24581,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1154,20 +1252,6 @@ +@@ -1154,20 +1253,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -24306,7 +24602,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1213,6 +1297,7 @@ +@@ -1213,6 +1298,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
@@ -24314,7 +24610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1278,11 +1363,15 @@ +@@ -1278,11 +1364,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -24330,7 +24626,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1374,12 +1463,13 @@ +@@ -1374,12 +1464,13 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -24345,7 +24641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1412,6 +1502,14 @@ +@@ -1412,6 +1503,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -24360,7 +24656,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1427,9 +1525,11 @@ +@@ -1427,9 +1526,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -24372,7 +24668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1486,6 +1586,25 @@ +@@ -1486,6 +1587,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -24398,7 +24694,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1560,6 +1679,8 @@ +@@ -1560,6 +1680,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -24407,7 +24703,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1653,6 +1774,7 @@ +@@ -1653,6 +1775,7 @@ type user_home_dir_t, user_home_t; ') 
@@ -24415,7 +24711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1780,19 +1902,32 @@ +@@ -1780,19 +1903,32 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -24455,7 +24751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1827,6 +1962,7 @@ +@@ -1827,6 +1963,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -24463,7 +24759,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2374,7 +2510,7 @@ +@@ -2374,7 +2511,7 @@ ######################################## ## @@ -24472,7 +24768,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2728,11 +2864,32 @@ +@@ -2728,11 +2865,32 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -24507,7 +24803,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2860,7 +3017,25 @@ +@@ -2860,7 +3018,25 @@ type user_tmp_t; ') @@ -24534,7 +24830,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2897,6 +3072,7 @@ +@@ -2897,6 +3073,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -24542,7 +24838,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3027,3 +3203,501 @@ +@@ -3027,3 +3204,501 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 40aed6d..ef29733 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.26
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,10 @@ exit 0
 %endif
 %changelog
+* Mon Aug 10 2009 Dan Walsh 3.6.26-9
+- Add kdump policy for Miroslav Grepl
+- Turn off execstack boolean
+
 * Fri Aug 7 2009 Bill Nottingham 3.6.26-8
 - Turn on execstack on a temporary basis (#512845)