From 8d1b760232f4994c6ef34d78de43e3977fe06d91 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Feb 23 2010 18:27:16 +0000
Subject: - Fixes for cluster policy - Fixes for rgmanager - Add label for /etc/pki dir in bind-chroot - Allow system-config-firewall to send system log messages - Remove label for Directory Server
---
diff --git a/policy-20100106.patch b/policy-20100106.patch
index d7038a0..fec1d81 100644
--- a/policy-20100106.patch
+++ b/policy-20100106.patch
@@ -1,3 +1,17 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.6.32/policy/modules/admin/consoletype.if
+--- nsaserefpolicy/policy/modules/admin/consoletype.if 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/admin/consoletype.if 2010-02-21 19:47:22.082308968 +0100
+@@ -19,6 +19,10 @@
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, consoletype_exec_t, consoletype_t)
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit consoletype_t $1:socket_class_set { read write };
++ ')
+ ')
+
+ ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.32/policy/modules/admin/dmesg.fc
--- nsaserefpolicy/policy/modules/admin/dmesg.fc 2010-01-18 18:24:22.545542516 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/dmesg.fc 2010-02-03 20:56:22.897834567 +0100
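Review bot: The new `dontaudit consoletype_t $1:socket_class_set { read write };` in consoletype.if silences, for every caller of this interface, the denials produced when the caller's own socket descriptors leak across the domain transition; that is what the `hide_broken_symptoms` guard is for, but the hunk gives no hint of which caller leaks. A comment naming the symptom keeps the rule from outliving the bug it papers over, e.g. `# callers leak sockets across the domtrans; hide the read/write denials`, and the real fix stays on the caller's side (close the descriptors before exec). The interface's opening line sits above the hunk.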
@@ -6,6 +20,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.32/policy/modules/admin/logrotate.te
+--- nsaserefpolicy/policy/modules/admin/logrotate.te 2010-01-18 18:24:22.549542536 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te 2010-02-23 10:29:44.779867996 +0100
+@@ -215,5 +215,9 @@
+ ')
+
+ optional_policy(`
++ su_exec(logrotate_t)
++')
++
++optional_policy(`
+ varnishd_manage_log(logrotate_t)
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.32/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-01-18 18:24:22.550542523 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/logwatch.te 2010-02-17 16:16:54.606863741 +0100
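Review bot: `su_exec(logrotate_t)` in the new logrotate.te hunk lets logrotate run the su binary while staying in logrotate_t (if su_exec is, as in refpolicy's su.if, the execute-in-caller-domain interface rather than a transition), so a setuid su executes with logrotate's own permission set instead of su's confinement. Nothing in the hunk records which rotation script needs this and the neighbouring optional_policy blocks carry no comment either. A one-line justification above the block would help later audits, e.g. `# postrotate scripts invoke su; runs in logrotate_t, no transition`, adjusted to the actual script. If that script could instead go through su's own domain transition, that would be the narrower grant.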
@@ -86,6 +113,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+miscfiles_read_localization(mcelog_t)
+
+logging_send_syslog_msg(mcelog_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.6.32/policy/modules/admin/netutils.fc
+--- nsaserefpolicy/policy/modules/admin/netutils.fc 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/admin/netutils.fc 2010-02-21 19:56:24.909309647 +0100
+@@ -10,5 +11,6 @@
+ /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+
+ /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
++/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0)
+ /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
+ /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.32/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2010-01-18 18:24:22.552539984 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/netutils.te 2010-02-16 16:59:33.332598118 +0100
@@ -246,8 +283,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.6.32/policy/modules/apps/firewallgui.te
--- nsaserefpolicy/policy/modules/apps/firewallgui.te 2010-01-18 18:24:22.593530742 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.te 2010-02-02 18:41:27.873067758 +0100
-@@ -59,6 +59,10 @@
++++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.te 2010-02-21 23:44:58.357559518 +0100
+@@ -53,12 +53,18 @@
+ nscd_dontaudit_search_pid(firewallgui_t)
+ nscd_socket_use(firewallgui_t)
+
++logging_send_syslog_msg(firewallgui_t)
++
+ miscfiles_read_localization(firewallgui_t)
+
+ iptables_domtrans(firewallgui_t)
iptables_initrc_domtrans(firewallgui_t)
optional_policy(`
@@ -596,19 +641,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te
---- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-01-18 18:24:22.633540020 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2010-02-12 17:14:46.763717264 +0100
-@@ -11,6 +11,9 @@
+--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-02-21 20:47:43.404568303 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2010-02-21 20:34:21.100559574 +0100
+@@ -11,6 +11,12 @@
application_domain(pulseaudio_t, pulseaudio_exec_t)
role system_r types pulseaudio_t;
+type pulseaudio_var_run_t;
+files_pid_file(pulseaudio_var_run_t)
+
++type pulseaudio_tmpfs_t;
++files_tmpfs_file(pulseaudio_tmpfs_t)
++
########################################
#
# pulseaudio local policy
-@@ -24,6 +27,11 @@
+@@ -24,6 +30,11 @@
allow pulseaudio_t self:udp_socket create_socket_perms;
allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -620,7 +668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
can_exec(pulseaudio_t, pulseaudio_exec_t)
kernel_getattr_proc(pulseaudio_t)
-@@ -72,6 +80,8 @@
+@@ -72,6 +83,8 @@
')
optional_policy(`
@@ -629,6 +677,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dbus_system_bus_client(pulseaudio_t)
dbus_session_bus_client(pulseaudio_t)
dbus_connect_session_bus(pulseaudio_t)
+@@ -111,4 +124,5 @@
+ xserver_manage_xdm_tmp_files(pulseaudio_t)
+ xserver_read_xdm_lib_files(pulseaudio_t)
+ xserver_common_app(pulseaudio_t)
++ xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.32/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 2010-01-18 18:24:22.646540277 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/sambagui.te 2010-02-08 10:39:43.173336716 +0100
@@ -1321,35 +1375,602 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type v4l_device_t; dev_node(v4l_device_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.32/policy/modules/kernel/files.fc +--- nsaserefpolicy/policy/modules/kernel/files.fc 2010-02-21 20:44:28.920309784 +0100 ++++ serefpolicy-3.6.32/policy/modules/kernel/files.fc 2010-02-21 20:53:20.192309481 +0100 +@@ -100,7 +100,7 @@ + # HOME_ROOT + # expanded by genhomedircon + # +-HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh) ++HOME_ROOT gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh) + HOME_ROOT/\.journal <> + HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) + HOME_ROOT/lost\+found/.* <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if ---- nsaserefpolicy/policy/modules/kernel/files.if 2010-01-18 18:24:22.691530426 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2010-02-17 16:16:16.656863896 +0100 -@@ -2049,6 +2049,24 @@ - dontaudit $1 etc_t:file write; +--- nsaserefpolicy/policy/modules/kernel/files.if 2010-02-21 20:44:28.921325502 +0100 ++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2010-02-21 20:53:36.436310090 +0100 +@@ -1152,6 +1152,102 @@ + allow $1 file_type:filesystem unmount; ') ++############################################# ++## ++## Manage all configuration directories on filesystem ++## ++## ++## ++## The type of domain performing this action ++## ++## ++## ++# ++interface(`files_manage_config_dirs',` ++ gen_require(` ++ attribute configfile; ++ ') ++ ++ manage_dirs_pattern($1, configfile, configfile) ++') ++ ++######################################### ++## ++## Relabel configuration directories ++## ++## ++## ++## Type of domain performing this action ++## ++## ++## ++# 
++interface(`files_relabel_config_dirs',` ++ gen_require(` ++ attribute configfile; ++ ') ++ ++ relabel_dirs_pattern($1, configfile, configfile) ++') ++ ++######################################## ++## ++## Read config files in /etc. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_config_files',` ++ gen_require(` ++ attribute configfile; ++ ') ++ ++ allow $1 configfile:dir list_dir_perms; ++ read_files_pattern($1, configfile, configfile) ++ read_lnk_files_pattern($1, configfile, configfile) ++') ++ ++########################################### ++## ++## Manage all configuration files on filesystem ++## ++## ++## ++## The type of domain performing this action ++## ++## ++## ++# ++interface(`files_manage_config_files',` ++ gen_require(` ++ attribute configfile; ++ ') ++ ++ manage_files_pattern($1, configfile, configfile) ++') ++ +####################################### +## -+## Do not audit attempts to write /etc dirs. ++## Relabel configuration files +## +## ++## ++## Type of domain performing this action ++## ++## ++## ++# ++interface(`files_relabel_config_files',` ++ gen_require(` ++ attribute configfile; ++ ') ++ ++ relabel_files_pattern($1, configfile, configfile) ++') ++ + ######################################## + ## + ## Mount a filesystem on all mount points. +@@ -1478,6 +1574,24 @@ + + ######################################## + ## ++## List the /boot directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_list_boot',` ++ gen_require(` ++ type boot_t; ++ ') ++ ++ allow $1 boot_t:dir list_dir_perms; ++') ++ ++######################################## +## -+## Domain allowed access. + ## Create directories in /boot + ## + ## +@@ -1772,7 +1886,8 @@ + + ######################################## + ## +-## Manage a filesystem on a directory with the default file type. ++## Create, read, write, and delete directories with ++## the default file type. 
+ ## + ## + ## +@@ -1780,13 +1895,12 @@ + ## + ## + # +-interface(`files_manage_default',` ++interface(`files_manage_default_dirs',` + gen_require(` + type default_t; + ') + + manage_dirs_pattern($1, default_t, default_t) +- manage_files_pattern($1, default_t, default_t) + ') + + ######################################## +@@ -1865,6 +1979,25 @@ + + ######################################## + ## ++## Create, read, write, and delete files with ++## the default file type. +## ++## ++## ++## Domain allowed access. ++## +## +# ++interface(`files_manage_default_files',` ++ gen_require(` ++ type default_t; ++ ') ++ ++ manage_files_pattern($1, default_t, default_t) ++') ++ ++######################################## ++## + ## Read symbolic links with the default file type. + ## + ## +@@ -1991,7 +2124,7 @@ + + ######################################## + ## +-## Read generic files in /etc. ++## Do not audit attempts to write to /etc dirs. + ## + ## + ## +@@ -1999,21 +2132,36 @@ + ## + ## + # +-interface(`files_read_etc_files',` +interface(`files_dontaudit_write_etc_dirs',` + gen_require(` + type etc_t; + ') + +- allow $1 etc_t:dir list_dir_perms; +- read_files_pattern($1, etc_t, etc_t) +- read_lnk_files_pattern($1, etc_t, etc_t) +- files_read_etc_runtime_files($1) +- files_read_config_files($1) ++ dontaudit $1 etc_t:dir write; ++') ++ ++########################################## ++## ++## Manage generic directories in /etc ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++# ++interface(`files_manage_etc_dirs',` + gen_require(` + type etc_t; + ') -+ -+ dontaudit $1 etc_t:dir write; ++ ++ manage_dirs_pattern($1, etc_t, etc_t) + ') + + ######################################## + ## +-## Read config files in /etc. ++## Read generic files in /etc. 
+ ## + ## + ## +@@ -2021,14 +2169,16 @@ + ## + ## + # +-interface(`files_read_config_files',` ++interface(`files_read_etc_files',` + gen_require(` +- attribute configfile; ++ type etc_t; + ') + +- allow $1 configfile:dir list_dir_perms; +- read_files_pattern($1, configfile, configfile) +- read_lnk_files_pattern($1, configfile, configfile) ++ allow $1 etc_t:dir list_dir_perms; ++ read_files_pattern($1, etc_t, etc_t) ++ read_lnk_files_pattern($1, etc_t, etc_t) ++ files_read_etc_runtime_files($1) ++ files_read_config_files($1) + ') + + ######################################## +@@ -2276,8 +2426,8 @@ + ') + + allow $1 etc_t:dir list_dir_perms; +- read_files_pattern($1, etc_runtime_t, etc_runtime_t) +- read_lnk_files_pattern($1, etc_runtime_t, etc_runtime_t) ++ read_files_pattern($1, etc_t, etc_runtime_t) ++ read_lnk_files_pattern($1, etc_t, etc_runtime_t) + ') + + ######################################## +@@ -2654,6 +2804,7 @@ + ') + + allow $1 home_root_t:dir getattr; ++ allow $1 home_root_t:lnk_file getattr; + ') + + ######################################## +@@ -2674,6 +2825,7 @@ + ') + + dontaudit $1 home_root_t:dir getattr; ++ dontaudit $1 home_root_t:lnk_file getattr; + ') + + ######################################## +@@ -2692,6 +2844,7 @@ + ') + + allow $1 home_root_t:dir search_dir_perms; ++ allow $1 home_root_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -2711,6 +2864,7 @@ + ') + + dontaudit $1 home_root_t:dir search_dir_perms; ++ dontaudit $1 home_root_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -2730,6 +2884,7 @@ + ') + + dontaudit $1 home_root_t:dir list_dir_perms; ++ dontaudit $1 home_root_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -2748,6 +2903,7 @@ + ') + + allow $1 home_root_t:dir list_dir_perms; ++ allow $1 home_root_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -3598,26 +3754,25 @@ + + 
######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp files. ++## List all tmp directories. + ## + ## + ## +-## Domain not to audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_getattr_all_tmp_files',` ++interface(`files_list_all_tmp',` + gen_require(` + attribute tmpfile; + ') + +- dontaudit $1 tmpfile:file getattr; ++ allow $1 tmpfile:dir list_dir_perms; + ') + + ######################################## + ## +-## Allow attempts to get the attributes ++## Do not audit attempts to get the attributes + ## of all tmp files. + ## + ## +@@ -3626,18 +3781,18 @@ + ## + ## + # +-interface(`files_getattr_all_tmp_files',` ++interface(`files_dontaudit_getattr_all_tmp_files',` + gen_require(` + attribute tmpfile; + ') + +- allow $1 tmpfile:file getattr; ++ dontaudit $1 tmpfile:file getattr; + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp sock_file. ++## Allow attempts to get the attributes ++## of all tmp files. + ## + ## + ## +@@ -3645,30 +3800,31 @@ + ## + ## + # +-interface(`files_dontaudit_getattr_all_tmp_sockets',` ++interface(`files_getattr_all_tmp_files',` + gen_require(` + attribute tmpfile; + ') + +- dontaudit $1 tmpfile:sock_file getattr; ++ allow $1 tmpfile:file getattr; + ') + + ######################################## + ## +-## List all tmp directories. ++## Do not audit attempts to get the attributes ++## of all tmp sock_file. + ## + ## + ## +-## Domain allowed access. ++## Domain not to audit. + ## + ## + # +-interface(`files_list_all_tmp',` ++interface(`files_dontaudit_getattr_all_tmp_sockets',` + gen_require(` + attribute tmpfile; + ') + +- allow $1 tmppfile:dir list_dir_perms; ++ dontaudit $1 tmpfile:sock_file getattr; + ') + + ######################################## +@@ -4438,7 +4594,7 @@ + + ######################################## + ## +-## Set the attributes of the /var/run directory. 
++## Search the /var/lib directory. + ## + ## + ## +@@ -4446,17 +4602,17 @@ + ## + ## + # +-interface(`files_setattr_pid_dirs',` ++interface(`files_search_var_lib',` + gen_require(` +- type var_run_t; ++ type var_t, var_lib_t; + ') + +- allow $1 var_run_t:dir setattr; ++ search_dirs_pattern($1, var_t, var_lib_t) + ') + + ######################################## + ## +-## Search the /var/lib directory. ++## List the contents of the /var/lib directory. + ## + ## + ## +@@ -4464,17 +4620,17 @@ + ## + ## + # +-interface(`files_search_var_lib',` ++interface(`files_list_var_lib',` + gen_require(` + type var_t, var_lib_t; + ') + +- search_dirs_pattern($1, var_t, var_lib_t) ++ list_dirs_pattern($1, var_t, var_lib_t) + ') + +-######################################## ++########################################### + ## +-## List the contents of the /var/lib directory. ++## Read-write /var/lib directories + ## + ## + ## +@@ -4482,12 +4638,12 @@ + ## + ## + # +-interface(`files_list_var_lib',` ++interface(`files_rw_var_lib_dirs',` + gen_require(` +- type var_t, var_lib_t; ++ type var_lib_t; + ') + +- list_dirs_pattern($1, var_t, var_lib_t) ++ rw_dirs_pattern($1, var_lib_t, var_lib_t) + ') + + ######################################## +@@ -4846,6 +5002,25 @@ + search_dirs_pattern($1, var_t, var_run_t) + ') + ++####################################### ++## ++## Create generic pid directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_var_run_dirs',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_run_t:dir create_dir_perms; +') + ######################################## ## - ## Read and write generic files in /etc. -@@ -5537,3 +5555,23 @@ + ## Do not audit attempts to search +@@ -4970,9 +5145,9 @@ + rw_files_pattern($1, var_run_t, var_run_t) + ') + +-####################################### ++######################################## + ## +-## Create generic pid directory. 
++## Do not audit attempts to getattr daemon runtime data files. + ## + ## + ## +@@ -4980,13 +5155,12 @@ + ## + ## + # +-interface(`files_create_var_run_dirs',` ++interface(`files_dontaudit_getattr_all_pids',` + gen_require(` +- type var_t, var_run_t; ++ attribute pidfile; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:dir create_dir_perms; ++ dontaudit $1 pidfile:file getattr; + ') + + ######################################## +@@ -5009,24 +5183,6 @@ + + ######################################## + ## +-## Do not audit attempts to getattr daemon runtime data files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`files_dontaudit_getattr_all_pids',` +- gen_require(` +- attribute pidfile; +- ') +- +- dontaudit $1 pidfile:file getattr; +-') +- +-######################################## +-## + ## Do not audit attempts to ioctl daemon runtime data files. + ## + ## +@@ -5131,6 +5287,24 @@ + + ######################################## + ## ++## Set the attributes of the /var/run directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_setattr_pid_dirs',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ allow $1 var_run_t:dir setattr; ++') ++ ++######################################## ++## + ## Search the contents of generic spool + ## directories (/var/spool). + ## +@@ -5537,3 +5711,23 @@ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; ') 
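Review bot: The `files_manage_config_dirs`, `files_relabel_config_dirs`, `files_manage_config_files` and `files_relabel_config_files` interfaces added to files.if in this hunk operate on the `configfile` attribute, so a caller of the relabel pair gains relabelfrom and relabelto across every type that carries the attribute, not on etc_t alone; their summaries ("Relabel configuration files", "Manage all configuration files on filesystem") do not make that breadth visible. Suggest stating it in each summary, e.g. `Relabel from and to all types carrying the configfile attribute (every /etc configuration type), not just etc_t.`, and the equivalent wording for the manage pair. Separately, the rule lines above these interfaces use varying widths (`#############################################`, `#########################################`, `###########################################`) where the rest of the file uses forty `#`; normalising them keeps the generated interface docs uniform. This outer hunk spans several physical lines; the point applies to its first inner hunk at files.if line 1152.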
@@ -1373,10 +1994,64 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dontaudit $1 file_type:file rw_inherited_file_perms;
+ dontaudit $1 file_type:lnk_file { read };
+')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.32/policy/modules/kernel/files.te
+--- nsaserefpolicy/policy/modules/kernel/files.te 2010-02-21 20:44:28.935574123 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/files.te 2010-02-21 20:53:45.874571808 +0100
+@@ -1,5 +1,5 @@
+
+-policy_module(files, 1.12.0)
++policy_module(files, 1.12.2)
+
+ ########################################
+ #
+@@ -11,6 +11,7 @@
+ attribute lockfile;
+ attribute mountpoint;
+ attribute pidfile;
++attribute configfile;
+
+ # For labeling types that are to be polyinstantiated
+ attribute polydir;
+@@ -53,9 +54,6 @@
+ #
+ # etc_t is the type of the system etc directories.
+ #
+-attribute etcfile;
+-attribute configfile;
+-
+ type etc_t, configfile;
+ files_type(etc_t)
+ # compatibility aliases for removed types:
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-01-18 18:24:22.697530142 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2010-02-11 20:29:48.903440849 +0100
-@@ -1632,6 +1632,36 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2010-02-22 12:09:52.108626415 +0100
+@@ -988,6 +988,25 @@
+ exec_files_pattern($1, cifs_t, cifs_t)
+ ')
+
++######################################
++##
++## Make general progams in cifs an entrypoint for
++## the specified domain.
++##
++##
++##
++## The domain for which cifs_t is an entrypoint.
++## ++## ++# ++interface(`fs_cifs_entry_type',` ++ gen_require(` ++ type cifs_t; ++ ') ++ ++ allow $1 cifs_t:file entrypoint; ++') ++ + ######################################## + ## + ## Create, read, write, and delete directories +@@ -1632,6 +1651,36 @@ ######################################## ## @@ -1413,7 +2088,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Search inotifyfs filesystem. ## ## -@@ -1668,6 +1698,24 @@ +@@ -1668,6 +1717,24 @@ ######################################## ## @@ -1438,7 +2113,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Mount an iso9660 filesystem, which ## is usually used on CDs. ## -@@ -3496,6 +3544,24 @@ +@@ -2010,6 +2077,25 @@ + exec_files_pattern($1, nfs_t, nfs_t) + ') + ++###################################### ++## ++## Make general progams in nfs an entrypoint for ++## the specified domain. ++## ++## ++## ++## The domain for which nfs_t is an entrypoint. ++## ++## ++# ++interface(`fs_nfs_entry_type',` ++ gen_require(` ++ type nfs_t; ++ ') ++ ++ allow $1 nfs_t:file entrypoint; ++') ++ + ######################################## + ## + ## Append files +@@ -3496,6 +3582,24 @@ ######################################## ## @@ -1463,7 +2164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write generic tmpfs files. ## ## -@@ -3722,7 +3788,7 @@ +@@ -3722,7 +3826,7 @@ ######################################## ## @@ -1472,7 +2173,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -3730,17 +3796,17 @@ +@@ -3730,17 +3834,17 @@ ## ## # @@ -1493,7 +2194,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -3748,12 +3814,12 @@ +@@ -3748,12 +3852,12 @@ ## ## # 
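Review bot: `fs_cifs_entry_type` (hunk starting on the previous line) grants `allow $1 cifs_t:file entrypoint;`, and cifs_t is the single type covering everything on every mounted CIFS share, so whoever can write a file to any share can supply an entry executable for the given domain, with no way to narrow it per share or path; the summary should say so, e.g. `Make every file on any CIFS mount an entrypoint for the specified domain; there is no per-share narrowing.`, and "progams" in that summary is a typo for "programs". The same applies to the `fs_nfs_entry_type` interface added further down for nfs_t. In the files.te part of this hunk, `attribute etcfile;` is dropped while `attribute configfile;` is only relocated; if any module outside this chunk still has `gen_require(\` attribute etcfile; ')` it will no longer link, which I cannot confirm from here.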
@@ -1508,7 +2209,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4297,6 +4363,26 @@ +@@ -4297,6 +4401,26 @@ ######################################## ## @@ -1535,7 +2236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write files on cgroup ## file systems. ## -@@ -4409,3 +4495,23 @@ +@@ -4409,3 +4533,23 @@ write_files_pattern($1, cgroup_t, cgroup_t) ') 
@@ -1593,6 +2294,60 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Rules for all filesystem types
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.32/policy/modules/kernel/kernel.if
+--- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-01-18 18:24:22.708530703 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/kernel.if 2010-02-23 18:52:15.577526310 +0100
+@@ -2732,3 +2732,21 @@
+
+ allow $1 kernel_t:unix_stream_socket connectto;
+ ')
++
++#######################################
++##
++## Send a kill signal to kernel processes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_sigkill',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ allow $1 kernel_t:process sigkill;
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.32/policy/modules/kernel/terminal.if
+--- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-01-18 18:24:22.716539752 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2010-02-23 18:59:49.535775282 +0100
+@@ -1098,6 +1098,25 @@
+ allow $1 ttynode:chr_file getattr;
+ ')
+
++#######################################
++##
++## Relabel from and to all tty device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_relabel_all_ttys',`
++ gen_require(`
++ attribute ttynode;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 ttynode:chr_file { relabelfrom relabelto };
++')
++
+ ########################################
+ ##
+ ## Do not audit attempts to get the
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.32/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2010-01-18 18:24:22.718544267 +0100
+++ serefpolicy-3.6.32/policy/modules/roles/staff.te 2010-02-11 17:58:37.444708661 +0100
@@ -1835,7 +2590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(amavis_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2010-01-18 18:24:22.733530530 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2010-02-10 11:49:16.515609331 +0100
++++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2010-02-23 16:43:34.009526021 +0100
@@ -8,10 +8,12 @@
/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
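Review bot: `kernel_sigkill` (kernel.if part of the hunk that starts on the previous line) is summarised as "Send a kill signal to kernel processes", but the rule is `allow $1 kernel_t:process sigkill;`, which covers anything running in the kernel_t domain, not only kernel threads; suggest `Send SIGKILL to processes running in the kernel_t domain.` so readers do not assume a narrower target. `term_relabel_all_ttys` in the terminal.if part additionally calls `dev_list_all_dev_nodes($1)`, which its summary omits; a second summary line such as `Also lists all device nodes so the caller can locate the ttys.` would make the full grant visible. Both interfaces hand out wide permissions (relabelto on every ttynode type lets the holder retarget a terminal's label), so the domains that will call them are worth a look, but those callers are not in this chunk.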
@@ -1849,7 +2604,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -71,6 +73,9 @@
+@@ -47,6 +49,7 @@
+ /usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+ /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+ /usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+@@ -71,6 +74,9 @@
/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
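Review bot: `/usr/share/smokeping/cgi(/.*)?` is inserted between the openca and selinux-policy entries, but the surrounding block is kept in alphabetical order and `smokeping` sorts after `selinux-policy`; move the line one row down. The entry labels the whole `cgi` tree, data files included, as httpd_sys_script_exec_t, which matches how `/var/www/html/[^/]*/cgi-bin(/.*)?` is handled in the next hunk, so no objection to the label itself.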
@@ -1859,6 +2622,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+@@ -108,6 +114,7 @@
+ /usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+ /usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+ /var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0)
++/var/lib/smokeping(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+ /var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-01-18 18:24:22.736530563 +0100
+++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-02-01 15:06:59.560081274 +0100
@@ -1919,7 +2690,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to read and write Apache
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-02-16 16:54:40.527598125 +0100
++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-02-19 15:04:33.153787458 +0100
@@ -309,7 +309,7 @@
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
@@ -1950,7 +2721,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_search_auto_mountpoints(httpd_t)
fs_read_iso9660_files(httpd_t)
-@@ -612,6 +613,11 @@
+@@ -483,8 +484,14 @@
+ corenet_tcp_connect_pop_port(httpd_t)
+ corenet_sendrecv_pop_client_packets(httpd_t)
+ mta_send_mail(httpd_t)
+- mta_send_mail(httpd_sys_script_t)
+ mta_signal(httpd_t)
++
++ corenet_tcp_connect_smtp_port(httpd_sys_script_t)
++ corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
++ corenet_tcp_connect_pop_port(httpd_sys_script_t)
++ corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
++ mta_send_mail(httpd_sys_script_t)
++ mta_signal(httpd_sys_script_t)
+ ')
+
+ tunable_policy(`httpd_can_network_relay',`
+@@ -612,6 +619,11 @@
avahi_dbus_chat(httpd_t)
')
')
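Review bot: The six new `httpd_sys_script_t` lines in the apache.te inner hunk at line 483 are indented like the `httpd_t` lines above them and are closed by the same `')`, so they appear to live inside the tunable_policy block whose opening line is above the hunk; that placement should be confirmed rather than read off indentation, because `corenet_tcp_connect_pop_port(httpd_sys_script_t)` and `corenet_tcp_connect_smtp_port(httpd_sys_script_t)` would otherwise be unconditional network grants to every CGI script. The previous version gave sys_script only `mta_send_mail`; the new set adds `mta_signal(httpd_sys_script_t)`, which lets scripts signal the MTA domain, and nothing in the hunk says which script needs that. A one-line comment above the block naming the script class that requires direct SMTP/POP access and MTA signalling would make the widening reviewable.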
@@ -1962,15 +2749,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
kerberos_keytab_template(httpd, httpd_t)
')
-@@ -895,6 +901,8 @@
+@@ -895,12 +907,17 @@
sysnet_read_config(httpd_sys_script_t)
+logging_inherit_append_all_logs(httpd_sys_script_t)
++logging_send_syslog_msg(httpd_sys_script_t)
+
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
+
+ fs_read_iso9660_files(httpd_sys_script_t)
+
++fs_nfs_entry_type(httpd_sys_script_t)
++
+ tunable_policy(`httpd_use_nfs',`
+ fs_manage_nfs_dirs(httpd_sys_script_t)
+ fs_manage_nfs_files(httpd_sys_script_t)
+@@ -950,6 +967,7 @@
+ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_sys_script_t)
+ fs_read_cifs_symlinks(httpd_sys_script_t)
++ fs_cifs_entry_type(httpd_sys_script_t)
+ ')
+
+ optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.6.32/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te 2010-01-18 18:27:02.757542944 +0100
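Review bot: `fs_nfs_entry_type(httpd_sys_script_t)` is added outside the `tunable_policy(\`httpd_use_nfs',` block that immediately follows it, while the matching `fs_cifs_entry_type(httpd_sys_script_t)` in the second inner hunk is placed inside `tunable_policy(\`httpd_enable_homedirs && use_samba_home_dirs',`. As written, the entrypoint permission on every nfs_t file is granted to CGI scripts even when httpd_use_nfs is off; move the call into the tunable so the two cases are consistent: `tunable_policy(\`httpd_use_nfs',\`` / `\tfs_nfs_entry_type(httpd_sys_script_t)` / alongside the existing `fs_manage_nfs_dirs` line. The added `logging_send_syslog_msg(httpd_sys_script_t)` is unconditional too, but that is a much smaller grant and probably intended.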
@@ -2140,9 +2944,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te ---- nsaserefpolicy/policy/modules/services/consolekit.te 2010-01-18 18:24:22.762530308 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2010-02-16 22:55:22.460609811 +0100 -@@ -80,13 +80,11 @@ +--- nsaserefpolicy/policy/modules/services/consolekit.te 2010-02-21 20:46:52.740325173 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2010-02-21 20:34:33.717586944 +0100 +@@ -16,6 +16,9 @@ + type consolekit_var_run_t; + files_pid_file(consolekit_var_run_t) + ++type consolekit_tmpfs_t; ++files_tmpfs_file(consolekit_tmpfs_t) ++ + ######################################## + # + # consolekit local policy +@@ -80,13 +83,11 @@ hal_ptrace(consolekit_t) tunable_policy(`use_nfs_home_dirs',` @@ -2158,6 +2972,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +@@ -134,5 +135,6 @@ + #reading .Xauthity + unconfined_ptrace(consolekit_t) + unconfined_stream_connect(consolekit_t) ++ xserver_user_x_domain_template(consolekit, consolekit_t, consolekit_tmpfs_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.6.32/policy/modules/services/corosync.fc --- nsaserefpolicy/policy/modules/services/corosync.fc 2010-01-18 18:24:22.762530308 +0100 +++ serefpolicy-3.6.32/policy/modules/services/corosync.fc 2010-02-17 15:36:57.020864395 +0100 
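Review bot: `xserver_user_x_domain_template(consolekit, consolekit_t, consolekit_tmpfs_t)` gives consolekit_t a full X-client profile keyed to the new consolekit_tmpfs_t, yet the comment above it says the need is `#reading .Xauthity` (sic); if a denial on the user's .Xauthority is all that was observed, a read-only xauth interface would be a much narrower grant, so confirm against the AVC before committing to the template. The line also sits inside the optional_policy block that holds `unconfined_ptrace`/`unconfined_stream_connect`, so it is silently skipped when the unconfined module is absent, which is probably not the intended dependency. At minimum fix the comment to `# reads the user's .Xauthority`.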
@@ -2170,17 +2991,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.6.32/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 2010-01-18 18:24:22.764539991 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/corosync.te 2010-02-17 15:10:00.826864054 +0100 -@@ -73,6 +73,8 @@ ++++ serefpolicy-3.6.32/policy/modules/services/corosync.te 2010-02-21 19:02:15.511309414 +0100 +@@ -72,6 +72,9 @@ + files_pid_filetrans(corosync_t,corosync_var_run_t, { file sock_file }) kernel_read_system_state(corosync_t) - -+domain_read_all_domains_state(corosync_t) ++kernel_read_network_state(corosync_t) + ++domain_read_all_domains_state(corosync_t) + corenet_udp_bind_netsupport_port(corosync_t) - corecmd_exec_bin(corosync_t) -@@ -92,6 +94,7 @@ +@@ -92,6 +95,7 @@ userdom_rw_user_tmpfs_files(corosync_t) @@ -2188,7 +3010,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # to communication with RHCS dlm_controld_manage_tmpfs_files(corosync_t) dlm_controld_rw_semaphores(corosync_t) -@@ -101,6 +104,11 @@ +@@ -101,6 +105,11 @@ gfs_controld_manage_tmpfs_files(corosync_t) gfs_controld_rw_semaphores(corosync_t) 
@@ -2287,6 +3109,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_search_admin_dir($1) optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.32/policy/modules/services/dcc.te +--- nsaserefpolicy/policy/modules/services/dcc.te 2010-01-18 18:24:22.776530971 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/dcc.te 2010-02-23 16:38:38.729526813 +0100 +@@ -81,7 +81,7 @@ + # dcc daemon controller local policy + # + +-allow cdcc_t self:capability setuid; ++allow cdcc_t self:capability { setgid setuid }; + allow cdcc_t self:unix_dgram_socket create_socket_perms; + allow cdcc_t self:udp_socket create_socket_perms; + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.6.32/policy/modules/services/djbdns.if --- nsaserefpolicy/policy/modules/services/djbdns.if 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/djbdns.if 2010-02-11 12:35:57.243619172 +0100 
@@ -3601,33 +4435,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`allow_kerberos',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.6.32/policy/modules/services/ldap.fc --- nsaserefpolicy/policy/modules/services/ldap.fc 2009-09-16 16:01:19.000000000 +0200 -+++ serefpolicy-3.6.32/policy/modules/services/ldap.fc 2010-02-09 10:45:23.074866029 +0100 -@@ -1,8 +1,12 @@ ++++ serefpolicy-3.6.32/policy/modules/services/ldap.fc 2010-02-23 14:49:51.037529698 +0100 +@@ -1,5 +1,7 @@ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) +/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) + /etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/dirsrv.* -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) -+/usr/sbin/ns-slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) - - ifdef(`distro_debian',` - /usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) -@@ -10,8 +14,12 @@ - - /var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) - /var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0) -+/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) -+ -+/var/log/dirsrv(/.*)? gen_context(system_u:object_r:slapd_log_t,s0) - - /var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0) +@@ -15,3 +17,4 @@ /var/run/openldap(/.*)? 
gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) -+/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) ++#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.6.32/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/ldap.te 2010-01-29 10:41:13.184864510 +0100 @@ -3742,7 +4563,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.32/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2010-01-18 18:24:22.812540439 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/mta.if 2010-02-09 12:33:50.721866005 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/mta.if 2010-02-21 18:58:04.580309576 +0100 @@ -786,6 +786,25 @@ allow $1 mqueue_spool_t:dir search_dir_perms; ') 
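Review bot: `+#/var/run/slapd.* -s gen_context(...)` at the end of ldap.fc comments the entry out instead of deleting it; .fc files are no place for dead regexes, and `slapd.*` with an unescaped dot was overly loose anyway, so drop the line (or, if the socket label is still wanted, use `/var/run/slapd\.[^/]* -s gen_context(system_u:object_r:slapd_var_run_t,s0)`). Removing the dirsrv contexts (`/usr/sbin/ns-slapd`, `/var/lib/dirsrv`, `/var/log/dirsrv`, the `dirsrv.*` initrc script) means those paths fall back to their default labels, so unless a dedicated dirsrv module now covers them ns-slapd will no longer run as slapd_t; the commit message's "Remove label for Directory Server" suggests that is intended, but a one-line note saying where the labels moved would spare the next reviewer the guess.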
@@ -3766,9 +4587,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_spool($1) +') + - ####################################### - ## - ## Read the mail queue. + ####################################### + ## + ## Read the mail queue. +@@ -902,3 +921,22 @@ + + allow $1 system_mail_t:process signal; + ') ++ ++####################################### ++## ++## Dontaudit read and write an leaked file descriptors ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`mta_dontaudit_leaks_system_mail',` ++ gen_require(` ++ type system_mail_t; ++ ') ++ ++ dontaudit $1 system_mail_t:fifo_file write; ++ dontaudit $1 system_mail_t:tcp_socket { read write }; ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.32/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2010-01-18 18:24:22.813543710 +0100 +++ serefpolicy-3.6.32/policy/modules/services/mta.te 2010-02-02 10:43:31.244162625 +0100 @@ -3898,8 +4742,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.32/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2010-01-18 18:24:22.821530899 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.if 2010-02-09 12:44:57.821616516 +0100 -@@ -150,6 +150,8 @@ ++++ serefpolicy-3.6.32/policy/modules/services/nagios.if 2010-02-21 19:01:11.642309589 +0100 +@@ -134,6 +134,7 @@ + + gen_require(` + type nagios_t, nrpe_t; ++ type nagios_log_t; + ') + + type nagios_$1_plugin_t; +@@ -150,8 +151,11 @@ # needed by command.cfg domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) 
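Review bot: The description of `mta_dontaudit_leaks_system_mail` reads `Dontaudit read and write an leaked file descriptors`; suggest `Do not audit attempts to read and write file descriptors leaked from system_mail_t`. A body comment would also help, because the fifo and tcp_socket descriptors reaching the caller are a genuine leak across the system_mail_t exec boundary and the rule only hides the noise: `# silences fds leaked across exec by the mailer; remove once close-on-exec is set`. The interface is pure dontaudit, so it grants nothing new.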
@@ -3907,10 +4759,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + # cjp: leaked file descriptor dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write }; ++ dontaudit nagios_$1_plugin_t nagios_log_t:file { read write }; + miscfiles_read_localization(nagios_$1_plugin_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-18 18:24:22.823530245 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-02-16 22:43:30.246609111 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-02-21 19:02:48.521559835 +0100 @@ -45,10 +45,18 @@ type nrpe_var_run_t; files_pid_file(nrpe_var_run_t) @@ -3940,7 +4795,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol permissive nagios_services_plugin_t; permissive nagios_system_plugin_t; -@@ -118,6 +128,9 @@ +@@ -82,9 +92,6 @@ + allow nagios_t self:tcp_socket create_stream_socket_perms; + allow nagios_t self:udp_socket create_socket_perms; + +-# needed by command.cfg +-can_exec(nagios_t, nagios_checkdisk_plugin_exec_t) +- + read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) + read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) + allow nagios_t nagios_etc_t:dir list_dir_perms; +@@ -118,6 +125,9 @@ corenet_udp_sendrecv_all_ports(nagios_t) corenet_tcp_connect_all_ports(nagios_t) @@ -3950,7 +4815,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_sysfs(nagios_t) dev_read_urand(nagios_t) -@@ -264,6 +277,77 @@ +@@ -253,6 +263,11 @@ + ') + + optional_policy(` ++ mta_dontaudit_leaks_system_mail(nrpe_t) ++ mta_send_mail(nrpe_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(nrpe_t) + ') + +@@ -264,6 +279,66 @@ udev_read_db(nrpe_t) ') 
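Review bot: `mta_send_mail(nrpe_t)` opens a transition from the network-listening nrpe_t into system_mail_t, while elsewhere in this same patch the mail-sending role is given to the dedicated `nagios_mail_plugin_t` domain; if the denial that prompted this came from a notification plugin spawned by nrpe, labeling that plugin as a nagios mail plugin keeps nrpe_t itself off the mailer. If nrpe really does send mail on its own, a comment naming that code path would justify the grant, and the accompanying `mta_dontaudit_leaks_system_mail(nrpe_t)` then makes sense as its companion.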
@@ -4007,28 +4884,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +nscd_dontaudit_search_pid(nagios_mail_plugin_t) + +optional_policy(` -+ exim_exec(nagios_mail_plugin_t) -+') -+ -+optional_policy(` -+ mta_read_config(nagios_mail_plugin_t) -+ mta_list_queue(nagios_mail_plugin_t) -+ mta_read_queue(nagios_mail_plugin_t) -+ mta_sendmail_exec(nagios_mail_plugin_t) ++ mta_send_mail(nagios_mail_plugin_t) +') + +optional_policy(` + postfix_stream_connect_master(nagios_mail_plugin_t) + posftix_exec_postqueue(nagios_mail_plugin_t) +') -+ -+optional_policy(` -+ qmail_exec_queue(nagios_mail_plugin_t) -+') ###################################### # -@@ -315,6 +399,10 @@ +@@ -315,6 +390,10 @@ mysql_stream_connect(nagios_services_plugin_t) ') @@ -4433,7 +5299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read qmail configuration files. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.6.32/policy/modules/services/rgmanager.if --- nsaserefpolicy/policy/modules/services/rgmanager.if 2010-01-18 18:24:22.870539995 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/rgmanager.if 2010-02-17 12:16:40.504614881 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/rgmanager.if 2010-02-23 18:50:35.095776522 +0100 @@ -16,7 +16,7 @@ ') @@ -4443,7 +5309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') -@@ -57,3 +57,22 @@ +@@ -57,3 +57,41 @@ stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t) ') 
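Review bot: `posftix_exec_postqueue(nagios_mail_plugin_t)` in the retained context lines of the nagios_mail_plugin_t block looks like a transposition of `postfix_`; it is unchanged by this hunk, but since the hunk rewrites the surrounding optional_policy blocks this is the moment to check whether postfix.if really declares the interface under that misspelled name — if not, the module fails to build whenever postfix is present, and if it does, the name should be corrected in both places. Collapsing the earlier `mta_read_config`/`mta_list_queue`/`mta_read_queue`/`mta_sendmail_exec` set plus the exim and qmail exec rules into a single `mta_send_mail(nagios_mail_plugin_t)` is reasonable, but it replaces in-domain execution of the MTA client with a transition to system_mail_t, so the plugin's mail now runs under the mailer's policy rather than the plugin's; worth a short comment so nobody re-adds the exec rules later.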
@@ -4466,9 +5332,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) + manage_lnk_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) +') ++ ++###################################### ++## ++## Manage rgmanager tmp files. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`rgmanager_manage_tmp_files',` ++ gen_require(` ++ type rgmanager_tmp_t; ++ ') ++ ++ manage_dirs_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t) ++ manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.6.32/policy/modules/services/rgmanager.te --- nsaserefpolicy/policy/modules/services/rgmanager.te 2010-01-18 18:24:22.871540122 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/rgmanager.te 2010-02-17 15:18:47.432864765 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/rgmanager.te 2010-02-23 18:54:23.577526518 +0100 @@ -22,6 +22,9 @@ type rgmanager_tmp_t; files_tmp_file(rgmanager_tmp_t) @@ -4479,6 +5364,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # log files type rgmanager_var_log_t; logging_log_file(rgmanager_var_log_t) +@@ -36,7 +39,7 @@ + # rgmanager local policy + # + +-allow rgmanager_t self:capability { sys_nice ipc_lock }; ++allow rgmanager_t self:capability { dac_override sys_nice sys_resource ipc_lock }; + dontaudit rgmanager_t self:capability { sys_ptrace }; + allow rgmanager_t self:process { setsched signal }; + dontaudit rgmanager_t self:process { ptrace }; @@ -51,6 +54,10 @@ manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir }) 
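Review bot: The new `rgmanager_manage_tmp_files` interface is summarised as `Manage rgmanager tmp files.` but its body also calls `manage_dirs_pattern` on rgmanager_tmp_t, so callers get create/delete on the directories too; suggest `## Create, read, write, and delete rgmanager temporary files and directories.` so the summary matches the grant. Since this interface is handed to another domain later in the patch, stating the full scope up front matters.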
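Review bot: `allow rgmanager_t self:capability { dac_override sys_nice sys_resource ipc_lock };` adds dac_override, the capability that bypasses every file permission check; if the denial behind it was a resource script reading or traversing a root-owned 0600/0700 path, `dac_read_search` is the narrower capability and should be tried first. Whichever one stays, a comment naming the resource agent that needs it would help, e.g. `# dac_override: resource agents read files owned by other users`. `sys_resource` is a smaller addition but likewise deserves a word on which limit is being raised.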
@@ -4490,7 +5384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # log files manage_files_pattern(rgmanager_t, rgmanager_var_log_t,rgmanager_var_log_t) logging_log_filetrans(rgmanager_t,rgmanager_var_log_t,{ file }) -@@ -60,9 +67,6 @@ +@@ -60,35 +67,44 @@ manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) files_pid_filetrans(rgmanager_t,rgmanager_var_run_t, { file sock_file }) @@ -4500,8 +5394,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(rgmanager_t) corecmd_exec_sbin(rgmanager_t) corecmd_exec_shell(rgmanager_t) -@@ -74,7 +78,8 @@ - fs_getattr_xattr_fs(rgmanager_t) ++corecmd_exec_ls(rgmanager_t) + consoletype_exec(rgmanager_t) + + kernel_read_kernel_sysctls(rgmanager_t) ++kernel_read_rpc_sysctls(rgmanager_t) ++kernel_read_system_state(rgmanager_t) ++kernel_rw_rpc_sysctls(rgmanager_t) ++kernel_sigkill(rgmanager_t) + kernel_search_debugfs(rgmanager_t) ++kernel_search_network_state(rgmanager_t) + +-fs_getattr_xattr_fs(rgmanager_t) ++fs_getattr_all_fs(rgmanager_t) # need to write to /dev/misc/dlm-control -dev_manage_generic_chr_files(rgmanager_t) 
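Review bot: `kernel_sigkill(rgmanager_t)` grants SIGKILL against kernel_t processes, which on a cluster node presumably covers nfsd kernel threads being stopped when an NFS service is relocated, but nothing in the hunk says so; add `# rgmanager stops nfsd (kernel threads run in kernel_t) when relocating NFS services` or whatever the real trigger was. Also, the hunk replaces `fs_getattr_xattr_fs(rgmanager_t)` with `fs_getattr_all_fs(rgmanager_t)`, yet a second `fs_getattr_xattr_fs(rgmanager_t)` survives as context a few lines further down the file (visible in the next hunk) and is now redundant; delete it so the broader rule stands alone.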
@@ -4510,7 +5415,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_search_sysfs(rgmanager_t) domain_read_all_domains_state(rgmanager_t) -@@ -109,6 +114,11 @@ + domain_getattr_all_domains(rgmanager_t) + domain_dontaudit_ptrace_all_domains(rgmanager_t) + ++storage_raw_read_fixed_disk(rgmanager_t) ++ + # needed by resources scripts + auth_read_all_files_except_shadow(rgmanager_t) + auth_dontaudit_getattr_shadow(rgmanager_t) + +-files_list_all(rgmanager_t) +-files_getattr_all_symlinks(rgmanager_t) +- + files_create_var_run_dirs(rgmanager_t) ++files_getattr_all_symlinks(rgmanager_t) ++files_list_all(rgmanager_t) ++files_manage_mnt_files(rgmanager_t) ++files_manage_mnt_symlinks(rgmanager_t) ++files_manage_isid_type_files(rgmanager_t) ++files_manage_isid_type_dirs(rgmanager_t) + + fs_getattr_xattr_fs(rgmanager_t) + +@@ -104,11 +120,18 @@ + + miscfiles_read_localization(rgmanager_t) + ++mount_domtrans(rgmanager_t) ++ + tunable_policy(`rgmanager_can_network_connect',` + corenet_tcp_connect_all_ports(rgmanager_t) ') # rgmanager can run resource scripts @@ -4522,7 +5456,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` apache_domtrans(rgmanager_t) -@@ -158,6 +168,10 @@ +@@ -158,11 +181,16 @@ ') optional_policy(` 
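Review bot: `storage_raw_read_fixed_disk(rgmanager_t)` together with `files_manage_isid_type_files`/`files_manage_isid_type_dirs` let rgmanager_t read any fixed disk below the filesystem layer and create or modify unlabeled (file_t) content; raw disk read in particular bypasses every file label on the box, so it needs a comment naming the agent that requires it (filesystem probes run by the fs resource agents are the usual suspect, but that is a guess from here). If the isid rules exist only because freshly mounted shared storage comes up unlabeled, say so: `# shared storage mounted by resource agents may be unlabeled (file_t)`. Switching to `mount_domtrans(rgmanager_t)` rather than exec'ing mount in-domain is the right direction and should be kept.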
@@ -4533,6 +5467,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_initrc_domtrans_nfsd(rgmanager_t) rpc_initrc_domtrans_rpcd(rgmanager_t) + rpc_domtrans_nfsd(rgmanager_t) + rpc_domtrans_rpcd(rgmanager_t) ++ rpc_manage_nfs_state_data(rgmanager_t) + ') + + optional_policy(` +@@ -183,5 +211,16 @@ + udev_read_db(rgmanager_t) + ') + ++optional_policy(` ++ unconfined_domain(rgmanager_t) ++') ++ ++optional_policy(` ++ virt_stream_connect(rgmanager_t) ++') ++ ++optional_policy(` ++ xen_domtrans_xm(rgmanager_t) ++') + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.6.32/policy/modules/services/rhcs.fc --- nsaserefpolicy/policy/modules/services/rhcs.fc 2010-01-18 18:24:22.872542275 +0100 +++ serefpolicy-3.6.32/policy/modules/services/rhcs.fc 2010-02-17 15:54:23.838864423 +0100 
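Review bot: `unconfined_domain(rgmanager_t)` inside an optional_policy block makes rgmanager_t fully unconfined on any system where the unconfined module is loaded, which is the default on targeted policy, so every capability, file and network rule added to rgmanager.te in this patch becomes decorative there; and because the interface presumably assigns the unconfined attributes it cannot be toggled by a boolean later. If this is a stopgap while resource agents are still being traced, `permissive rgmanager_t;` is the better tool because it keeps logging denials for later tightening, and it should carry `# TODO: remove once resource agent denials are resolved`. If unconfined really is the long-term design for rgmanager, that decision belongs in a comment above the block rather than left implicit.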
@@ -4561,22 +5518,208 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) /usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.6.32/policy/modules/services/rhcs.if +--- nsaserefpolicy/policy/modules/services/rhcs.if 2010-01-18 18:24:22.873540027 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/rhcs.if 2010-02-21 18:55:41.750325266 +0100 +@@ -1,5 +1,63 @@ + ## SELinux policy for RHCS - Red Hat Cluster Suite + ++####################################### ++## ++## Creates types and rules for a basic ++## cluster init daemon domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`rhcs_domain_template',` ++ ++ gen_require(` ++ attribute cluster_domain; ++ ') ++ ++ ############################## ++ # ++ # $1_t declarations ++ # ++ ++ type $1_t, cluster_domain; ++ type $1_exec_t; ++ init_daemon_domain($1_t, $1_exec_t) ++ ++ type $1_tmpfs_t; ++ files_tmpfs_file($1_tmpfs_t) ++ ++ # log files ++ type $1_var_log_t; ++ logging_log_file($1_var_log_t) ++ ++ # pid files ++ type $1_var_run_t; ++ files_pid_file($1_var_run_t) ++ ++ ############################## ++ # ++ # $1_t local policy ++ # ++ # ++ ++ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) ++ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) ++ fs_tmpfs_filetrans($1_t, $1_tmpfs_t,{ dir file }) ++ ++ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file }) ++ ++ manage_files_pattern($1_t, $1_var_log_t,$1_var_log_t) ++ manage_sock_files_pattern($1_t, $1_var_log_t,$1_var_log_t) ++ logging_log_filetrans($1_t,$1_var_log_t,{ file sock_file }) ++ ++') ++ + 
###################################### + ## + ## Execute a domain transition to run groupd. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.6.32/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 2010-01-18 18:24:22.874530726 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/rhcs.te 2010-02-17 15:13:44.349614415 +0100 -@@ -40,6 +40,9 @@ - type fenced_tmpfs_t; - files_tmpfs_file(fenced_tmpfs_t) ++++ serefpolicy-3.6.32/policy/modules/services/rhcs.te 2010-02-23 15:15:57.274776910 +0100 +@@ -1,5 +1,5 @@ +-policy_module(rhcs,1.0.0) ++policy_module(rhcs,1.1.0) + + ######################################## + # +@@ -13,125 +13,44 @@ + ## + gen_tunable(fenced_can_network_connect, false) + +-type dlm_controld_t; +-type dlm_controld_exec_t; +-init_daemon_domain(dlm_controld_t, dlm_controld_exec_t) ++attribute cluster_domain; + +-# log files +-type dlm_controld_var_log_t; +-logging_log_file(dlm_controld_var_log_t) ++rhcs_domain_template(dlm_controld) + +-# pid files +-type dlm_controld_var_run_t; +-files_pid_file(dlm_controld_var_run_t) +- +-type dlm_controld_tmpfs_t; +-files_tmpfs_file(dlm_controld_tmpfs_t) +- +- +-type fenced_t; +-type fenced_exec_t; +-init_daemon_domain(fenced_t, fenced_exec_t) ++rhcs_domain_template(fenced) + + # tmp files + type fenced_tmp_t; + files_tmp_file(fenced_tmp_t) + +-type fenced_tmpfs_t; +-files_tmpfs_file(fenced_tmpfs_t) +- +-# log files +-type fenced_var_log_t; +-logging_log_file(fenced_var_log_t) +- +-# pid files +-type fenced_var_run_t; +-files_pid_file(fenced_var_run_t) +- +-type gfs_controld_t; +-type gfs_controld_exec_t; +-init_daemon_domain(gfs_controld_t, gfs_controld_exec_t) +- +-# log files +-type gfs_controld_var_log_t; +-logging_log_file(gfs_controld_var_log_t) +type fenced_lock_t; +files_lock_file(fenced_lock_t) -+ - # log files - type fenced_var_log_t; - logging_log_file(fenced_var_log_t) -@@ -126,12 +128,11 @@ - 
files_pid_filetrans(dlm_controld_t,dlm_controld_var_run_t, { file }) +-# pid files +-type gfs_controld_var_run_t; +-files_pid_file(gfs_controld_var_run_t) ++rhcs_domain_template(gfs_controld) + +-type gfs_controld_tmpfs_t; +-files_tmpfs_file(gfs_controld_tmpfs_t) ++rhcs_domain_template(groupd) + +- +-type groupd_t; +-type groupd_exec_t; +-init_daemon_domain(groupd_t, groupd_exec_t) +- +-# log files +-type groupd_var_log_t; +-logging_log_file(groupd_var_log_t) +- +-# pid files +-type groupd_var_run_t; +-files_pid_file(groupd_var_run_t) +- +-type groupd_tmpfs_t; +-files_tmpfs_file(groupd_tmpfs_t) +- +-type qdiskd_t; +-type qdiskd_exec_t; +-init_daemon_domain(qdiskd_t, qdiskd_exec_t) +- +-type qdiskd_tmpfs_t; +-files_tmpfs_file(qdiskd_tmpfs_t) ++rhcs_domain_template(qdiskd) + + # var/lib files + type qdiskd_var_lib_t; + files_type(qdiskd_var_lib_t) + +-# log files +-type qdiskd_var_log_t; +-logging_log_file(qdiskd_var_log_t) +- +-# pid files +-type qdiskd_var_run_t; +-files_pid_file(qdiskd_var_run_t) +- + ##################################### + # + # dlm_controld local policy + # + +-allow dlm_controld_t self:capability { net_admin sys_admin sys_nice sys_resource }; +-allow dlm_controld_t self:process setsched; ++allow dlm_controld_t self:capability { net_admin sys_admin sys_resource }; + +-allow dlm_controld_t self:sem create_sem_perms; +-allow dlm_controld_t self:fifo_file rw_fifo_file_perms; +-allow dlm_controld_t self:unix_stream_socket { create_stream_socket_perms }; +-allow dlm_controld_t self:unix_dgram_socket { create_socket_perms }; + allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; + +-manage_dirs_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t) +-manage_files_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t) +-fs_tmpfs_filetrans(dlm_controld_t, dlm_controld_tmpfs_t,{ dir file }) +- +-# log files +-manage_files_pattern(dlm_controld_t, dlm_controld_var_log_t,dlm_controld_var_log_t) 
+-logging_log_filetrans(dlm_controld_t,dlm_controld_var_log_t,{ file }) +- +-# pid files +-manage_files_pattern(dlm_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t) +-manage_sock_files_pattern(dlm_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t) +-files_pid_filetrans(dlm_controld_t,dlm_controld_var_run_t, { file }) +- stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) -aisexec_stream_connect(dlm_controld_t) -ccs_stream_connect(dlm_controld_t) @@ -4589,20 +5732,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_rw_sysfs(dlm_controld_t) fs_manage_configfs_files(dlm_controld_t) -@@ -146,6 +147,12 @@ +@@ -139,25 +58,14 @@ - miscfiles_read_localization(dlm_controld_t) + init_rw_script_tmp_files(dlm_controld_t) -+optional_policy(` -+ aisexec_stream_connect(dlm_controld_t) -+ ccs_stream_connect(dlm_controld_t) -+ corosync_stream_connect(dlm_controld_t) -+') -+ +-libs_use_ld_so(dlm_controld_t) +-libs_use_shared_libs(dlm_controld_t) +- +-logging_send_syslog_msg(dlm_controld_t) +- +-miscfiles_read_localization(dlm_controld_t) +- ####################################### # # fenced local policy -@@ -166,12 +173,16 @@ + # + +-allow fenced_t self:capability { sys_nice sys_rawio sys_resource }; +-allow fenced_t self:process { setsched getsched }; ++allow fenced_t self:capability { sys_rawio sys_resource }; ++allow fenced_t self:process getsched; + +-allow fenced_t self:fifo_file rw_fifo_file_perms; +-allow fenced_t self:sem create_sem_perms; +-allow fenced_t self:unix_stream_socket { create_stream_socket_perms connectto }; +-allow fenced_t self:unix_dgram_socket create_socket_perms; + allow fenced_t self:tcp_socket create_stream_socket_perms; + allow fenced_t self:udp_socket create_socket_perms; + +@@ -166,25 +74,15 @@ # tmp files manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) 
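Review bot: `rhcs_domain_template` in rhcs.if grants every generated domain `manage_sock_files_pattern` on `$1_var_log_t` with a `{ file sock_file }` log filetrans and a `{ file fifo_file }` pid filetrans; in the per-daemon rules this hunk deletes from rhcs.te only qdiskd had sock_file on its log type and only fenced had fifo_file on its pid type, so dlm_controld, gfs_controld and groupd quietly gain permissions they did not previously have. If that union is intended, say so above the template, e.g. `# superset of the former per-daemon log/pid rules (sock_file logs from qdiskd, fifo pids from fenced)`; otherwise keep the template at `{ file }` and let fenced and qdiskd add their own classes. The local-policy header inside the template also has a duplicated `#` line after `# $1_t local policy`.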
@@ -4610,26 +5768,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) +files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) - manage_dirs_pattern(fenced_t, fenced_tmpfs_t, fenced_tmpfs_t) - manage_files_pattern(fenced_t, fenced_tmpfs_t, fenced_tmpfs_t) - fs_tmpfs_filetrans(fenced_t, fenced_tmpfs_t,{ dir file }) - +-manage_dirs_pattern(fenced_t, fenced_tmpfs_t, fenced_tmpfs_t) +-manage_files_pattern(fenced_t, fenced_tmpfs_t, fenced_tmpfs_t) +-fs_tmpfs_filetrans(fenced_t, fenced_tmpfs_t,{ dir file }) +- +-# log files +-manage_files_pattern(fenced_t, fenced_var_log_t,fenced_var_log_t) +-logging_log_filetrans(fenced_t,fenced_var_log_t,{ file }) +- +-# pid file +-manage_files_pattern(fenced_t, fenced_var_run_t,fenced_var_run_t) +-manage_sock_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t) +-manage_fifo_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t) +-files_pid_filetrans(fenced_t,fenced_var_run_t, { file fifo_file }) +manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) +files_lock_filetrans(fenced_t,fenced_lock_t,file) -+ - # log files - manage_files_pattern(fenced_t, fenced_var_log_t,fenced_var_log_t) - logging_log_filetrans(fenced_t,fenced_var_log_t,{ file }) -@@ -183,8 +194,6 @@ - files_pid_filetrans(fenced_t,fenced_var_run_t, { file fifo_file }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) -aisexec_stream_connect(fenced_t) -ccs_stream_connect(fenced_t) ++ ++kernel_read_system_state(fenced_t) corecmd_exec_bin(fenced_t) -@@ -195,6 +204,7 @@ +@@ -195,19 +93,13 @@ storage_raw_write_fixed_disk(fenced_t) storage_raw_read_removable_device(fenced_t) 
@@ -4637,22 +5800,58 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_ptmx(fenced_t) auth_use_nsswitch(fenced_t) -@@ -214,9 +224,11 @@ - optional_policy(` - ccs_read_config(fenced_t) -+ ccs_stream_connect(fenced_t) + files_read_usr_symlinks(fenced_t) + +-libs_use_ld_so(fenced_t) +-libs_use_shared_libs(fenced_t) +- +-logging_send_syslog_msg(fenced_t) +- +-miscfiles_read_localization(fenced_t) +- + tunable_policy(`fenced_can_network_connect',` + corenet_tcp_connect_all_ports(fenced_t) + ') +@@ -217,10 +109,6 @@ ') optional_policy(` -+ aisexec_stream_connect(fenced_t) - corosync_stream_connect(fenced_t) +- corosync_stream_connect(fenced_t) +-') +- +-optional_policy(` + lvm_domtrans(fenced_t) + lvm_read_config(fenced_t) ') +@@ -230,53 +118,26 @@ + # gfs_controld local policy + # + +-allow gfs_controld_t self:capability { net_admin sys_nice sys_resource }; +-allow gfs_controld_t self:process setsched; ++allow gfs_controld_t self:capability { net_admin sys_resource }; -@@ -253,19 +265,17 @@ - manage_sock_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t) - files_pid_filetrans(gfs_controld_t,gfs_controld_var_run_t, { file }) +-allow gfs_controld_t self:sem create_sem_perms; + allow gfs_controld_t self:shm create_shm_perms; +-allow gfs_controld_t self:fifo_file rw_fifo_file_perms; +-allow gfs_controld_t self:unix_stream_socket { create_stream_socket_perms }; +-allow gfs_controld_t self:unix_dgram_socket { create_socket_perms }; + allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms; +-manage_dirs_pattern(gfs_controld_t, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) +-manage_files_pattern(gfs_controld_t, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) +-fs_tmpfs_filetrans(gfs_controld_t, gfs_controld_tmpfs_t,{ dir file }) +- +-# log files +-manage_files_pattern(gfs_controld_t, gfs_controld_var_log_t,gfs_controld_var_log_t) +-logging_log_filetrans(gfs_controld_t,gfs_controld_var_log_t,{ 
file }) +- +-# pid files +-manage_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t) +-manage_sock_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t) +-files_pid_filetrans(gfs_controld_t,gfs_controld_var_run_t, { file }) +- -stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) - 
@@ -4674,75 +5873,144 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_rw_sysfs(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) -@@ -278,6 +288,12 @@ - miscfiles_read_localization(gfs_controld_t) +-libs_use_ld_so(gfs_controld_t) +-libs_use_shared_libs(gfs_controld_t) +- +-logging_send_syslog_msg(gfs_controld_t) +- +-miscfiles_read_localization(gfs_controld_t) +- optional_policy(` -+ aisexec_stream_connect(gfs_controld_t) -+ ccs_stream_connect(gfs_controld_t) -+ corosync_stream_connect(gfs_controld_t) -+') -+ -+optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) - ') -@@ -309,8 +325,6 @@ - manage_sock_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t) - files_pid_filetrans(groupd_t, groupd_var_run_t, { file }) - --aisexec_stream_connect(groupd_t) +@@ -290,78 +151,29 @@ + allow groupd_t self:capability { sys_nice sys_resource }; + allow groupd_t self:process setsched; + +-allow groupd_t self:sem create_sem_perms; + allow groupd_t self:shm create_shm_perms; +-allow groupd_t self:fifo_file rw_fifo_file_perms; +-allow groupd_t self:unix_stream_socket create_stream_socket_perms; +-allow groupd_t self:unix_dgram_socket create_socket_perms; - +-manage_dirs_pattern(groupd_t, groupd_tmpfs_t, groupd_tmpfs_t) +-manage_files_pattern(groupd_t, groupd_tmpfs_t, groupd_tmpfs_t) +-fs_tmpfs_filetrans(groupd_t, groupd_tmpfs_t,{ dir file }) +- +-# log files +-manage_files_pattern(groupd_t, groupd_var_log_t,groupd_var_log_t) +-logging_log_filetrans(groupd_t,groupd_var_log_t,{ file }) +- +-# pid files +-manage_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t) +-manage_sock_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t) +-files_pid_filetrans(groupd_t, groupd_var_run_t, { file }) +- +-aisexec_stream_connect(groupd_t) + dev_list_sysfs(groupd_t) files_read_etc_files(groupd_t) -@@ -326,6 +340,11 @@ - logging_send_syslog_msg(groupd_t) +-libs_use_ld_so(groupd_t) 
+-libs_use_shared_libs(groupd_t) +- +-logging_send_syslog_msg(groupd_t) +- +-miscfiles_read_localization(groupd_t) +- + init_rw_script_tmp_files(groupd_t) -+optional_policy(` -+ aisexec_stream_connect(groupd_t) -+ corosync_stream_connect(groupd_t) -+') -+ +-logging_send_syslog_msg(groupd_t) +- ###################################### # # qdiskd local policy -@@ -359,9 +378,6 @@ - manage_sock_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t) - files_pid_filetrans(qdiskd_t,qdiskd_var_run_t, { file }) + # +-allow qdiskd_t self:capability { sys_nice ipc_lock }; +-allow qdiskd_t self:process setsched; ++allow qdiskd_t self:capability { ipc_lock sys_boot }; + +-allow qdiskd_t self:sem create_sem_perms; ++allow qdiskd_t self:tcp_socket create_stream_socket_perms; + allow qdiskd_t self:udp_socket create_socket_perms; +-allow qdiskd_t self:udp_socket create_socket_perms; +-allow qdiskd_t self:unix_dgram_socket create_socket_perms; +-allow qdiskd_t self:unix_stream_socket create_stream_socket_perms; + + manage_files_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t) + manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t) + manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t) + files_var_lib_filetrans(qdiskd_t,qdiskd_var_lib_t, { file dir sock_file }) + +-# log files +-manage_files_pattern(qdiskd_t, qdiskd_var_log_t,qdiskd_var_log_t) +-manage_sock_files_pattern(qdiskd_t, qdiskd_var_log_t,qdiskd_var_log_t) +-logging_log_filetrans(qdiskd_t,qdiskd_var_log_t,{ sock_file file }) +- +-manage_dirs_pattern(qdiskd_t, qdiskd_tmpfs_t, qdiskd_tmpfs_t) +-manage_files_pattern(qdiskd_t, qdiskd_tmpfs_t, qdiskd_tmpfs_t) +-fs_tmpfs_filetrans(qdiskd_t, qdiskd_tmpfs_t,{ dir file }) +- +-# pid files +-manage_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t) +-manage_sock_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t) +-files_pid_filetrans(qdiskd_t,qdiskd_var_run_t, { file }) +- -aisexec_stream_connect(qdiskd_t) 
-ccs_stream_connect(qdiskd_t) - corecmd_getattr_sbin_files(qdiskd_t) corecmd_exec_shell(qdiskd_t) -@@ -399,12 +415,19 @@ - miscfiles_read_localization(qdiskd_t) +@@ -391,13 +203,6 @@ - optional_policy(` -- netutils_domtrans_ping(qdiskd_t) -+ aisexec_stream_connect(qdiskd_t) -+ corosync_stream_connect(qdiskd_t) - ') + files_read_etc_files(qdiskd_t) +-libs_use_ld_so(qdiskd_t) +-libs_use_shared_libs(qdiskd_t) +- +-logging_send_syslog_msg(qdiskd_t) +- +-miscfiles_read_localization(qdiskd_t) +- optional_policy(` -- udev_read_db(qdiskd_t) -+ ccs_stream_connect(qdiskd_t) + netutils_domtrans_ping(qdiskd_t) + ') +@@ -406,5 +211,28 @@ + udev_read_db(qdiskd_t) ') -+optional_policy(` -+ netutils_domtrans_ping(qdiskd_t) -+') ++##################################### ++# ++# rhcs domains common policy ++# ++ ++allow cluster_domain self:capability { sys_nice }; ++allow cluster_domain self:process setsched; ++allow cluster_domain self:sem create_sem_perms; ++allow cluster_domain self:fifo_file rw_fifo_file_perms; ++allow cluster_domain self:unix_stream_socket create_stream_socket_perms; ++allow cluster_domain self:unix_dgram_socket create_socket_perms; ++ ++libs_use_ld_so(cluster_domain) ++libs_use_shared_libs(cluster_domain) ++ ++logging_send_syslog_msg(cluster_domain) ++ ++miscfiles_read_localization(cluster_domain) ++ +optional_policy(` -+ udev_read_db(qdiskd_t) ++ corosync_stream_connect(cluster_domain) ++ ccs_stream_connect(cluster_domain) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.32/policy/modules/services/ricci.te ---- nsaserefpolicy/policy/modules/services/ricci.te 2010-01-18 18:24:22.875542796 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/ricci.te 2010-02-17 15:15:28.470864257 +0100 +--- nsaserefpolicy/policy/modules/services/ricci.te 2010-02-21 20:45:42.344558749 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/ricci.te 2010-02-21 20:53:51.336572739 +0100 
@@ -231,6 +231,7 @@ optional_policy(` @@ -4759,7 +6027,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -482,6 +484,7 @@ +@@ -462,7 +464,8 @@ + + files_create_default_dir(ricci_modstorage_t) + files_mounton_default(ricci_modstorage_t) +-files_manage_default(ricci_modstorage_t) ++files_manage_default_dirs(ricci_modstorage_t) ++files_manage_default_files(ricci_modstorage_t) + + storage_raw_read_fixed_disk(ricci_modstorage_t) + +@@ -482,6 +485,7 @@ optional_policy(` aisexec_stream_connect(ricci_modstorage_t) @@ -4769,7 +6047,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.32/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2010-01-18 18:24:22.880531210 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/rpc.te 2010-02-11 21:29:42.257440026 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/rpc.te 2010-02-23 18:51:13.680527323 +0100 @@ -82,6 +82,8 @@ files_manage_mounttab(rpcd_t) 
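Review bot: Replacing `files_manage_default(ricci_modstorage_t)` with the `_dirs`/`_files` pair presumably drops whatever the broader interface covered beyond directories and regular files (symlinks, sockets, fifos), so any such objects ricci-modstorage creates under default_t will now be denied and surface as AVCs. If this is a deliberate least-privilege tightening, a one-line comment above the pair would record it, e.g. `# ricci-modstorage only needs dirs and regular files under default_t`. The enclosing optional_policy blocks start and end outside this hunk.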
@@ -4779,9 +6057,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_list_rpc(rpcd_t) fs_read_rpc_files(rpcd_t) +@@ -100,6 +102,8 @@ + + userdom_signal_unpriv_users(rpcd_t) + ++userdom_read_user_home_content_files(rpcd_t) ++ + optional_policy(` + automount_signal(rpcd_t) + automount_dontaudit_write_pipes(rpcd_t) +@@ -113,6 +117,10 @@ + domain_unconfined_signal(rpcd_t) + ') + ++optional_policy(` ++ rgmanager_manage_tmp_files(rpcd_t) ++') ++ + ######################################## + # + # NFSD local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-02-16 17:22:07.619848238 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-02-23 10:50:43.134867505 +0100 @@ -208,7 +208,7 @@ files_read_usr_symlinks(samba_net_t) @@ -4800,7 +6098,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) kernel_read_network_state(smbd_t) -@@ -327,6 +329,7 @@ +@@ -313,6 +315,8 @@ + corenet_tcp_connect_ipp_port(smbd_t) + corenet_tcp_connect_smbd_port(smbd_t) + ++dev_getattr_all_blk_files(smbd_t) ++dev_getattr_all_chr_files(smbd_t) + dev_read_sysfs(smbd_t) + dev_read_urand(smbd_t) + dev_getattr_mtrr_dev(smbd_t) +@@ -327,6 +331,7 @@ auth_use_nsswitch(smbd_t) auth_domtrans_chk_passwd(smbd_t) auth_domtrans_upd_passwd(smbd_t) @@ -4808,7 +6115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) -@@ -350,7 +353,7 @@ +@@ -350,7 +355,7 @@ miscfiles_read_public_files(smbd_t) userdom_use_unpriv_users_fds(smbd_t) 
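Review bot: `userdom_read_user_home_content_files(rpcd_t)` is an unconditional grant that lets the rpc daemons read every user's home-directory content, which is considerably wider than the rgmanager tmp-file access added in the same hunk. If a single use case drives it, the grant should be wrapped in a `tunable_policy` like the other home-directory accesses in this tree, or at least carry a comment naming the reason, e.g. `# <use case> needs to read user home content — consider a tunable`. Without that, the new access is hard to justify when the policy is audited.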
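Review bot: `dev_getattr_all_blk_files(smbd_t)` and `dev_getattr_all_chr_files(smbd_t)` grant stat on every device node; if the denials came only from smbd enumerating a share that includes /dev, the dontaudit variants `dev_dontaudit_getattr_all_blk_files(smbd_t)` and `dev_dontaudit_getattr_all_chr_files(smbd_t)` silence the noise without widening the policy. If smbd genuinely needs the attributes, a comment stating which feature requires it would justify the allow. The samba.te hunk is otherwise consistent with the neighbouring dev_* calls.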
@@ -4817,7 +6124,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_signal_all_users(smbd_t) usermanage_read_crack_db(smbd_t) -@@ -485,6 +488,8 @@ +@@ -485,6 +490,8 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) @@ -4826,7 +6133,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow nmbd_t smbcontrol_t:process signal; allow nmbd_t smbd_var_run_t:dir rw_dir_perms; -@@ -661,6 +666,7 @@ +@@ -661,6 +668,7 @@ allow swat_t self:udp_socket create_socket_perms; allow swat_t self:unix_stream_socket connectto; @@ -4834,7 +6141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow swat_t nmbd_t:process { signal signull }; allow swat_t nmbd_exec_t:file mmap_file_perms; -@@ -828,7 +834,9 @@ +@@ -828,7 +836,9 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) @@ -4844,7 +6151,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) -@@ -838,7 +846,7 @@ +@@ -838,7 +848,7 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) 
@@ -4967,7 +6274,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.32/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2010-01-18 18:24:22.898539086 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/ssh.if 2010-02-11 17:58:41.983708667 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/ssh.if 2010-02-23 16:04:29.107525602 +0100 +@@ -177,7 +177,7 @@ + type $1_var_run_t; + files_pid_file($1_var_run_t) + +- allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; ++ allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; + allow $1_t self:fifo_file rw_fifo_file_perms; + allow $1_t self:process { signal getsched setsched setrlimit setexec }; + allow $1_t self:tcp_socket create_stream_socket_perms; @@ -393,6 +393,7 @@ logging_send_syslog_msg($1_ssh_agent_t) @@ -5615,7 +6931,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +logging_send_syslog_msg(usbmuxd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.32/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2010-01-18 18:24:22.913542181 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/virt.if 2010-02-11 20:29:58.819441475 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/virt.if 2010-02-23 10:25:58.052618246 +0100 @@ -194,6 +194,7 @@ files_search_var_lib($1) 
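Review bot: Adding `sys_nice` to the template's `allow $1_t self:capability` set gives it to every domain instantiated from this template, not only to the sshd domain that triggered it. If only one instantiation needs to change scheduling priority, adding the rule in that domain's .te keeps the other template users tighter; otherwise a short comment such as `# sys_nice: <which instantiation/feature needs priority changes>` would document the reason. The enclosing template begins and ends outside this hunk.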
@@ -5624,6 +6940,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## +@@ -444,6 +445,9 @@ + + domain_user_exemption_target($1_t) + ++ type $1_devpts_t; ++ term_pty($1_devpts_t) ++ + type $1_tmp_t; + files_tmp_file($1_tmp_t) + +@@ -457,6 +461,9 @@ + type $1_var_run_t; + files_pid_file($1_var_run_t) + ++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; ++ term_create_pty($1_t, $1_devpts_t) ++ + manage_dirs_pattern($1_t, $1_image_t, $1_image_t) + manage_files_pattern($1_t, $1_image_t, $1_image_t) + read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-01-18 18:24:22.915540061 +0100 +++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-02-11 20:30:04.756691338 +0100 @@ -5720,7 +7056,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-02-16 22:51:37.723859395 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-02-23 18:48:15.962774898 +0100 @@ -253,6 +253,7 @@ allow xdm_t iceauth_home_t:file read_file_perms; 
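Review bot: The new `type $1_devpts_t;` has no comment, while the surrounding per-instance types in this template are self-explanatory only by naming convention; a line such as `# pty type for terminals $1_t creates (see term_create_pty below)` placed above it would tie the declaration to the `allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }` and `term_create_pty($1_t, $1_devpts_t)` rules added further down. The `setattr` on the pty is wider than plain rw and is worth a word of explanation too. The enclosing template begins and ends outside this hunk.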
@@ -5781,7 +7117,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) dev_read_sound(xdm_t) -@@ -582,6 +598,7 @@ +@@ -548,7 +564,9 @@ + storage_dontaudit_rw_scsi_generic(xdm_t) + storage_dontaudit_rw_fuse(xdm_t) + ++ + term_setattr_console(xdm_t) ++term_relabel_all_ttys(xdm_t) + term_use_unallocated_ttys(xdm_t) + term_setattr_unallocated_ttys(xdm_t) + +@@ -582,6 +600,7 @@ userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) userdom_stream_connect(xdm_t) @@ -5789,7 +7135,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_manage_user_tmp_dirs(xdm_t) userdom_manage_user_tmp_sockets(xdm_t) userdom_manage_tmpfs_role(system_r, xdm_t) -@@ -668,6 +685,7 @@ +@@ -668,6 +687,7 @@ optional_policy(` gnome_read_gconf_config(xdm_t) @@ -5797,7 +7143,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -675,6 +693,10 @@ +@@ -675,6 +695,10 @@ ') optional_policy(` @@ -5808,7 +7154,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol loadkeys_exec(xdm_t) ') -@@ -712,6 +734,7 @@ +@@ -712,6 +736,7 @@ optional_policy(` pulseaudio_exec(xdm_t) pulseaudio_dbus_chat(xdm_t) @@ -6005,7 +7351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol daemontools_manage_svc(svc_start_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.32/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2010-01-18 18:24:22.930540014 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/fstools.fc 2010-01-27 18:13:10.349614395 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/fstools.fc 2010-02-23 18:55:42.216525227 +0100 
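Review bot: The hunk adds an empty line (`++`) directly before `term_setattr_console(xdm_t)`, which already follows a blank line, leaving a double blank in xserver.te; drop the stray line. More substantively, `term_relabel_all_ttys(xdm_t)` lets xdm relabel every tty type, which is a broad grant for a display manager, so a comment naming the operation that needs it, e.g. `# xdm relabels ttys when <operation> — TODO document`, would help a later reviewer judge whether a narrower relabel interface suffices.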
@@ -18,6 +18,7 @@ /sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -6014,6 +7360,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -38,6 +39,7 @@ + /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0) + ++/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) + + /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.32/policy/modules/system/hostname.te --- nsaserefpolicy/policy/modules/system/hostname.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/system/hostname.te 2010-01-29 10:03:19.733864870 +0100 @@ -6406,7 +7760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_read_all_domains_state(iscsid_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-02-15 20:42:14.719317823 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-02-22 12:38:28.432618673 +0100 @@ -245,8 +245,12 @@ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -6431,7 +7785,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -432,9 +434,19 @@ +@@ -432,9 +434,20 @@ /usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -6448,8 +7802,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/transcode/filter_yuvdenoise\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ ++/usr/local/lexmark/lxk08/lib(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/MATHWORKS_R2009B/bin/glnxa(64)?/libtbb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.32/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2010-01-18 18:24:22.948530849 +0100 
@@ -6588,6 +7943,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.32/policy/modules/system/miscfiles.fc +--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-01-18 18:24:22.954530704 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.fc 2010-02-21 19:50:59.003309596 +0100 +@@ -71,6 +71,8 @@ + + /var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) + ++/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) ++ + /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) + /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) + /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-01-18 18:24:22.955540050 +0100 +++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-22 16:24:01.851857861 +0100 @@ -6731,7 +8098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.32/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-01-18 18:24:22.971530073 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2010-01-27 18:34:03.409614110 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2010-02-21 19:46:42.369309573 +0100 @@ -87,6 +87,7 @@ kernel_read_system_state(dhcpc_t) 
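Review bot: `/usr/local/lexmark/lxk08/lib(/.*)?` labels the entire subtree, including directories and any non-library file, as textrel_shlib_t, whereas every neighbouring entry in libraries.fc restricts the match to shared objects with `--` and a `\.so` pattern. Since textrel_shlib_t exists to permit text relocations (execmod) on specific libraries, the narrower form `/usr/local/lexmark/lxk08/lib/.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)` keeps that exemption from spilling onto other files in the directory. The `transcode/filter_yuvdenoise\.so` entry follows the existing convention and is fine.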
@@ -6740,6 +8107,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(dhcpc_t) kernel_request_load_module(dhcpc_t) kernel_use_fds(dhcpc_t) +@@ -157,7 +158,7 @@ + ') + + optional_policy(` +- consoletype_exec(dhcpc_t) ++ consoletype_domtrans(dhcpc_t) + ') + + optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.32/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2010-01-18 18:24:22.973540245 +0100 +++ serefpolicy-3.6.32/policy/modules/system/udev.te 2010-02-09 09:59:57.514626722 +0100 
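Review bot: Switching `consoletype_exec(dhcpc_t)` to `consoletype_domtrans(dhcpc_t)` makes consoletype run in consoletype_t rather than in dhcpc_t, so it now inherits whatever descriptors dhcpc_t has open (its sockets) across the transition, which typically shows up as socket-class denials against consoletype_t unless they are closed or dontaudited on the consoletype side. Confirm that the consoletype policy handles those inherited descriptors, and consider a one-line comment here such as `# domtrans so consoletype runs confined; inherited fds handled in consoletype policy`. The optional_policy block is complete within the hunk.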
@@ -6836,10 +8212,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow Search /root ## ## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.32/policy/modules/system/xen.if +--- nsaserefpolicy/policy/modules/system/xen.if 2010-01-18 18:24:22.986540012 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/xen.if 2010-02-22 12:42:55.475866743 +0100 +@@ -211,8 +211,10 @@ + interface(`xen_domtrans_xm',` + gen_require(` + type xm_t, xm_exec_t; ++ attribute xm_transition_domain; + ') + ++ typeattribute $1 xm_transition_domain; + domtrans_pattern($1, xm_exec_t, xm_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2010-01-18 18:24:22.987540070 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/xen.te 2010-01-25 17:55:42.768687784 +0100 -@@ -248,6 +248,7 @@ ++++ serefpolicy-3.6.32/policy/modules/system/xen.te 2010-02-22 12:49:42.249615189 +0100 +@@ -13,6 +13,8 @@ + ## + gen_tunable(xen_use_nfs, false) + ++attribute xm_transition_domain; ++ + # console ptys + type xen_devpts_t; + term_pty(xen_devpts_t) +@@ -248,6 +250,7 @@ # allow xenconsoled_t self:capability { dac_override fsetid ipc_lock }; @@ -6847,7 +8246,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; allow xenconsoled_t self:fifo_file rw_fifo_file_perms; -@@ -268,6 +269,7 @@ +@@ -268,6 +271,7 @@ domain_dontaudit_ptrace_all_domains(xenconsoled_t) @@ -6855,7 +8254,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_usr_files(xenconsoled_t) fs_list_tmpfs(xenconsoled_t) -@@ -286,6 +288,10 @@ +@@ -286,6 +290,10 @@ xen_manage_log(xenconsoled_t) xen_stream_connect_xenstore(xenconsoled_t) 
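Review bot: `typeattribute $1 xm_transition_domain;` gives `xen_domtrans_xm` a side effect on the caller that its interface documentation (the `##` block above the interface, outside this hunk) does not mention, and other rules keyed on the attribute will silently apply to every caller. Add a line to that description, e.g. `## Domains using this interface are added to the xm_transition_domain attribute.`, so callers know they are being tagged. The matching `attribute xm_transition_domain;` declaration in xen.te is in place.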
@@ -6866,7 +8265,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Xen store local policy -@@ -329,6 +335,7 @@ +@@ -329,6 +337,7 @@ files_read_usr_files(xenstored_t) @@ -6874,6 +8273,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_xenfs(xenstored_t) storage_raw_read_fixed_disk(xenstored_t) +@@ -431,11 +440,15 @@ + kernel_read_xen_state(xm_ssh_t) + kernel_write_xen_state(xm_ssh_t) + ++files_search_tmp(xm_ssh_t) ++ + fs_manage_xenfs_dirs(xm_ssh_t) + fs_manage_xenfs_files(xm_ssh_t) + + userdom_search_admin_dir(xm_ssh_t) + ++dontaudit xm_ssh_t xm_transition_domain:fifo_file rw_fifo_file_perms; ++ + #Should have a boolean wrapping these + fs_list_auto_mountpoints(xend_t) + files_search_mnt(xend_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-01-18 18:24:22.988541733 +0100 +++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-02-09 10:00:01.300658461 +0100 diff --git a/selinux-policy.spec b/selinux-policy.spec index b6794dd..dafa67e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 91%{?dist} +Release: 92%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,13 @@ exit 0 %endif %changelog +* Tue Feb 23 2010 Miroslav Grepl 3.6.32-92 +- Fixes for cluster policy +- Fixes for rgmanager +- Add label for /etc/pki dir in bind-chroot +- Allow system-config-firewall to send system log messages +- Remove label for Directory Server + * Wed Feb 17 2010 Miroslav Grepl 3.6.32-91 - Add label for /opt/zimbra/log directory - Add label for /usr/local/centreon/log directory
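Review bot: `dontaudit xm_ssh_t xm_transition_domain:fifo_file rw_fifo_file_perms;` hides the denial rather than granting the access, so if xm_ssh actually needs to read or write the pipe inherited from a caller of xen_domtrans_xm the operation will still fail, now silently, which makes the failure hard to diagnose. If the pipe traffic is real, an `allow` is needed; if this is only inherited-descriptor noise, a comment stating that, e.g. `# pipes inherited from xen_domtrans_xm callers; no output is expected through them`, documents the choice. The added `files_search_tmp(xm_ssh_t)` is uncontroversial.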