From 8f320eb71114068648e6ee753f5a52da3f216a61 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 01 2010 16:42:02 +0000 Subject: - Add cachefilesfd policy - Update cobbler policy from F13 - Allow hald connect to usbmuxd over a unix domain - Allow staff_t to read semanage module store --- diff --git a/modules-minimum.conf b/modules-minimum.conf index 7b89489..fad1a4e 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -32,6 +32,13 @@ alsa = base # ada = module +# Layer: services +# Module: cachefilesd +# +# CacheFiles userspace management daemon +# +cachefilesd = module + # Layer: apps # Module: cpufreqselector # diff --git a/modules-mls.conf b/modules-mls.conf index 24e2bff..734931a 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -32,6 +32,13 @@ alsa = base # ada = module +# Layer: services +# Module: cachefilesd +# +# CacheFiles userspace management daemon +# +cachefilesd = module + # Layer: apps # Module: cpufreqselector # diff --git a/modules-targeted.conf b/modules-targeted.conf index 7b89489..fad1a4e 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -32,6 +32,13 @@ alsa = base # ada = module +# Layer: services +# Module: cachefilesd +# +# CacheFiles userspace management daemon +# +cachefilesd = module + # Layer: apps # Module: cpufreqselector # diff --git a/policy-20100106.patch b/policy-20100106.patch index 81cde45..023fa47 100644 --- a/policy-20100106.patch +++ b/policy-20100106.patch 
@@ -125,7 +125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.32/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2010-01-18 18:24:22.552539984 +0100 -+++ serefpolicy-3.6.32/policy/modules/admin/netutils.te 2010-02-16 16:59:33.332598118 +0100 ++++ serefpolicy-3.6.32/policy/modules/admin/netutils.te 2010-03-01 13:34:16.025492348 +0100 @@ -132,6 +132,8 @@ kernel_read_system_state(ping_t) @@ -135,6 +135,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(ping_t) logging_send_syslog_msg(ping_t) +@@ -158,6 +160,10 @@ + ') + + optional_policy(` ++ nagios_rw_inerited_tmp_files(ping_t) ++') ++ ++optional_policy(` + pcmcia_use_cardmgr_fds(ping_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.32/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2010-01-18 18:24:22.564530406 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/prelink.te 2010-02-01 20:30:49.318160848 +0100 
@@ -743,8 +754,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-02-21 20:47:43.404568303 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2010-02-21 20:34:21.100559574 +0100 -@@ -11,6 +11,12 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2010-03-01 16:03:40.936502769 +0100 +@@ -8,14 +8,22 @@ + + type pulseaudio_t; + type pulseaudio_exec_t; ++init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) application_domain(pulseaudio_t, pulseaudio_exec_t) role system_r types pulseaudio_t; @@ -757,7 +772,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # pulseaudio local policy -@@ -24,6 +30,11 @@ + # + ++allow pulseaudio_t self:capability { setuid sys_nice setgid }; + allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull }; + allow pulseaudio_t self:fifo_file rw_file_perms; + allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto }; +@@ -24,6 +32,11 @@ allow pulseaudio_t self:udp_socket create_socket_perms; allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -769,7 +790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol can_exec(pulseaudio_t, pulseaudio_exec_t) kernel_getattr_proc(pulseaudio_t) -@@ -72,6 +83,8 @@ +@@ -72,6 +85,8 @@ ') optional_policy(` 
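Review bot: The new `allow pulseaudio_t self:capability { setuid sys_nice setgid };` in pulseaudio.te carries no comment saying why a domain that user sessions enter through application_domain now needs setuid and setgid. The added `init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)` suggests the system-wide daemon dropping root after start, but the same rule also applies to every per-user instance of the same domain. Record the reason above the rule, e.g. `# system-mode daemon started by init drops root after startup; per-user instances get the same caps`, and if only the system instance needs them, a separate domain for it would keep the capabilities away from user sessions. The enclosing policy blocks start and end outside the hunk.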
@@ -778,7 +799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_system_bus_client(pulseaudio_t) dbus_session_bus_client(pulseaudio_t) dbus_connect_session_bus(pulseaudio_t) -@@ -111,4 +124,5 @@ +@@ -111,4 +126,5 @@ xserver_manage_xdm_tmp_files(pulseaudio_t) xserver_read_xdm_lib_files(pulseaudio_t) xserver_common_app(pulseaudio_t) @@ -1198,8 +1219,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_mmap_low(wine_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-01-18 18:24:22.665531100 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2010-02-10 11:51:39.387858338 +0100 -@@ -218,8 +218,9 @@ ++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2010-03-01 09:10:51.189491683 +0100 +@@ -166,6 +166,7 @@ + /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +@@ -218,8 +219,9 @@ /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) 
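Review bot: The new `/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)` in corecommands.fc is placed after the `/usr/lib/qt.*/bin` line, out of the alphabetical order the surrounding `/usr/lib/` entries follow (ccache, pgsql, qt); it belongs between the ccache and pgsql lines. Labelling the whole tree bin_t makes everything under it executable by any domain allowed to run bin_t, which is presumably intended for the fence agents kept there, but a one-line comment such as `# fence agents` above the entry would make that explicit.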
@@ -1210,7 +1239,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0) -@@ -237,6 +238,7 @@ +@@ -237,6 +239,7 @@ /usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -1248,8 +1277,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Getattr the point-to-point device. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-01-18 18:24:22.668540002 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2010-02-16 17:21:28.658848158 +0100 -@@ -92,11 +92,12 @@ ++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2010-03-01 09:53:43.085750129 +0100 +@@ -85,6 +85,7 @@ + network_port(clamd, tcp,3310,s0) + network_port(clockspeed, udp,4041,s0) + network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) ++network_port(cobbler, tcp,25151,s0) + network_port(comsat, udp,512,s0) + network_port(cvs, tcp,2401,s0, udp,2401,s0) + network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0) +@@ -92,11 +93,12 @@ network_port(dbskkd, tcp,1178,s0) network_port(dcc, udp,6276,s0, udp,6277,s0) network_port(dccm, tcp,5679,s0, udp,5679,s0) 
@@ -1609,7 +1646,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to get the attributes diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.32/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2010-01-18 18:24:22.675530137 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2010-02-26 09:33:50.290799322 +0100 ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2010-03-01 13:31:38.484740499 +0100 @@ -1,5 +1,5 @@ -policy_module(devices, 1.8.2) @@ -1659,6 +1696,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type v4l_device_t; dev_node(v4l_device_t) +@@ -278,5 +295,5 @@ + # + + allow devices_unconfined_type self:capability sys_rawio; +-allow devices_unconfined_type device_node:{ blk_file chr_file } *; ++allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; + allow devices_unconfined_type mtrr_device_t:file *; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.32/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2010-01-18 18:24:22.683530317 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2010-02-26 09:33:54.830549053 +0100 
@@ -1700,7 +1744,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.32/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2010-01-18 18:24:22.685530781 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/domain.te 2010-02-26 16:50:12.859856633 +0100 ++++ serefpolicy-3.6.32/policy/modules/kernel/domain.te 2010-03-01 15:15:36.898740594 +0100 +@@ -106,7 +106,7 @@ + kernel_dontaudit_link_key(domain) + + # create child processes in the domain +-allow domain self:process { fork sigchld }; ++allow domain self:process { fork getsched sigchld }; + + # Use trusted objects in /dev + dev_rw_null(domain) @@ -216,8 +216,10 @@ optional_policy(` rpm_use_fds(domain) @@ -2997,8 +3050,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.32/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2010-01-18 18:24:22.718544267 +0100 -+++ serefpolicy-3.6.32/policy/modules/roles/staff.te 2010-02-11 17:58:37.444708661 +0100 -@@ -76,20 +76,20 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/staff.te 2010-03-01 16:05:50.238492151 +0100 +@@ -26,6 +26,8 @@ + auth_domtrans_pam_console(staff_t) + + seutil_run_newrole(staff_t, staff_r) ++seutil_read_module_store(staff_t) ++ + netutils_run_ping(staff_t, staff_r) + + optional_policy(` +@@ -76,20 +78,20 @@ webadm_role_change(staff_r) ') 
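Review bot: `seutil_read_module_store(staff_t)` in staff.te is added with no comment on why an interactive role needs read access to the semanage module store, which can reveal which policy modules and local customizations are installed. A why-comment above it, e.g. `# staff may inspect the installed policy module store (read only)`, would record the intent, and it is worth confirming that the whole role, rather than a tool it transitions to, needs this. The `getsched` added to `allow domain self:process` in domain.te reaches every domain in the policy; it is self-only and harmless, but a short comment naming what needed it would help future readers.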
@@ -3253,7 +3315,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(amavis_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2010-01-18 18:24:22.733530530 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2010-02-23 16:43:34.009526021 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2010-03-01 16:56:36.009747781 +0100 @@ -8,10 +8,12 @@ /etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) @@ -3275,7 +3337,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) -@@ -71,6 +74,9 @@ +@@ -66,11 +69,14 @@ + /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) + + /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) ++#/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) + /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) 
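Review bot: The `/var/lib/cobbler/webui_sessions(/.*)?` entry in apache.fc is commented out rather than removed, leaving a dead file-context spec with no explanation. With it gone, the directory falls under the `/var/lib/cobbler(/.*)?` spec in cobbler.fc and becomes cobbler_var_lib_t, so if the cobbler web UI still writes sessions there, httpd_t will need a cobbler interface granting that access instead of the generic httpd_sys_content_rw_t label. Either delete the line or replace the bare `#` with a comment such as `# now labelled cobbler_var_lib_t via cobbler.fc`.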
@@ -3295,7 +3363,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-01-18 18:24:22.736530563 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-02-01 15:06:59.560081274 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-03-01 15:49:14.043490674 +0100 @@ -16,6 +16,7 @@ attribute httpd_exec_scripts; attribute httpd_script_exec_type; @@ -3321,7 +3389,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_cgi',` -@@ -1167,6 +1171,29 @@ +@@ -833,6 +837,27 @@ + domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) + ') + ++####################################### ++## ++## Allow the specified domain to list ++## apache system content files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apache_list_sys_content',` ++ gen_require(` ++ type httpd_sys_content_t; ++ ') ++ ++ list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ++ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ++ files_search_var($1) ++') ++ + ######################################## + ## + ## Allow the specified domain to manage +@@ -1167,6 +1192,29 @@ allow $1 httpd_bugzilla_content_t:dir search_dir_perms; ') 
@@ -3353,8 +3449,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to read and write Apache diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-02-23 19:15:56.528525860 +0100 -@@ -309,7 +309,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-03-01 09:52:48.889491880 +0100 +@@ -67,6 +67,13 @@ + + ## + ##

++## Allow HTTPD scripts and modules to connect to cobbler over the network. ++##

++##
++gen_tunable(httpd_can_network_connect_cobbler, false) ++ ++## ++##

+ ## Allow HTTPD scripts and modules to connect to databases over the network. + ##

+ ##
+@@ -309,7 +316,7 @@ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) @@ -3363,7 +3473,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -363,10 +363,10 @@ +@@ -363,10 +370,10 @@ manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) @@ -3376,7 +3486,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) -@@ -400,6 +400,7 @@ +@@ -400,6 +407,7 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) @@ -3384,7 +3494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(httpd_t) fs_read_iso9660_files(httpd_t) -@@ -483,8 +484,14 @@ +@@ -483,8 +491,14 @@ corenet_tcp_connect_pop_port(httpd_t) corenet_sendrecv_pop_client_packets(httpd_t) mta_send_mail(httpd_t) @@ -3400,7 +3510,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_can_network_relay',` -@@ -612,6 +619,11 @@ +@@ -588,6 +602,9 @@ + + optional_policy(` + cobbler_search_lib(httpd_t) ++ tunable_policy(`httpd_can_network_connect_cobbler',` ++ corenet_tcp_connect_cobbler_port(httpd_t) ++ ') + ') + + optional_policy(` +@@ -612,6 +629,11 @@ avahi_dbus_chat(httpd_t) ') ') @@ -3412,7 +3532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` kerberos_keytab_template(httpd, httpd_t) ') -@@ -895,6 +907,9 @@ +@@ -895,6 +917,9 @@ sysnet_read_config(httpd_sys_script_t) 
@@ -3422,7 +3542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -906,6 +921,7 @@ +@@ -906,6 +931,7 @@ fs_manage_nfs_files(httpd_sys_script_t) fs_manage_nfs_symlinks(httpd_sys_script_t) fs_exec_nfs_files(httpd_sys_script_t) @@ -3430,7 +3550,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_nfs_dirs(httpd_suexec_t) fs_manage_nfs_files(httpd_suexec_t) -@@ -945,6 +960,7 @@ +@@ -945,6 +970,7 @@ fs_manage_cifs_files(httpd_suexec_t) fs_manage_cifs_symlinks(httpd_suexec_t) fs_exec_cifs_files(httpd_suexec_t) @@ -3462,6 +3582,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(arpwatch_t) fs_search_auto_mountpoints(arpwatch_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.6.32/policy/modules/services/asterisk.te +--- nsaserefpolicy/policy/modules/services/asterisk.te 2010-01-18 18:24:22.742540405 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2010-03-01 16:56:10.526493733 +0100 +@@ -128,6 +128,7 @@ + files_read_usr_files(asterisk_t) + + fs_getattr_all_fs(asterisk_t) ++fs_list_inotifyfs(asterisk_t) + fs_search_auto_mountpoints(asterisk_t) + + auth_use_nsswitch(asterisk_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.6.32/policy/modules/services/avahi.fc --- nsaserefpolicy/policy/modules/services/avahi.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/avahi.fc 2010-01-19 21:19:40.967763409 +0100 
@@ -3471,6 +3602,262 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0) +/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.32/policy/modules/services/bind.if +--- nsaserefpolicy/policy/modules/services/bind.if 2010-01-18 18:24:22.745530450 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/bind.if 2010-03-01 15:52:05.256741085 +0100 +@@ -290,6 +290,25 @@ + read_files_pattern($1, named_zone_t, named_zone_t) + ') + ++####################################### ++## ++## Manage BIND zone files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bind_manage_zone',` ++ gen_require(` ++ type named_zone_t; ++ ') ++ ++ files_search_var($1) ++ manage_files_pattern($1, named_zone_t, named_zone_t) ++') ++ + ######################################## + ## + ## Send and receive datagrams to and from named. (Deprecated) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.6.32/policy/modules/services/cachefilesd.fc +--- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/cachefilesd.fc 2010-03-01 09:30:08.471741607 +0100 +@@ -0,0 +1,28 @@ ++############################################################################### ++# ++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved. ++# Written by David Howells (dhowells@redhat.com) ++# Karl MacMillan (kmacmill@redhat.com) ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License ++# as published by the Free Software Foundation; either version ++# 2 of the License, or (at your option) any later version. 
++# ++############################################################################### ++ ++# ++# Define the contexts to be assigned to various files and directories of ++# importance to the CacheFiles kernel module and userspace management daemon. ++# ++ ++# cachefilesd executable will have: ++# label: system_u:object_r:cachefilesd_exec_t ++# MLS sensitivity: s0 ++# MCS categories: ++ ++/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0) ++/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0) ++/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) ++ ++/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.6.32/policy/modules/services/cachefilesd.if +--- nsaserefpolicy/policy/modules/services/cachefilesd.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/cachefilesd.if 2010-03-01 09:30:08.471741607 +0100 +@@ -0,0 +1,41 @@ ++############################################################################### ++# ++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved. ++# Written by David Howells (dhowells@redhat.com) ++# Karl MacMillan (kmacmill@redhat.com) ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License ++# as published by the Free Software Foundation; either version ++# 2 of the License, or (at your option) any later version. ++# ++############################################################################### ++ ++# ++# Define the policy interface for the CacheFiles userspace management daemon. ++# ++ ++## policy for cachefilesd ++ ++######################################## ++## ++## Execute a domain transition to run cachefilesd. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`cachefilesd_domtrans',` ++ gen_require(` ++ type cachefilesd_t, cachefilesd_exec_t; ++ ') ++ ++ domain_auto_trans($1,cachefilesd_exec_t,cachefilesd_t) ++ ++ allow $1 cachefilesd_t:fd use; ++ allow cachefilesd_t $1:fd use; ++ allow cachefilesd_t $1:fifo_file rw_file_perms; ++ allow cachefilesd_t $1:process sigchld; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.6.32/policy/modules/services/cachefilesd.te +--- nsaserefpolicy/policy/modules/services/cachefilesd.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/cachefilesd.te 2010-03-01 09:30:08.471741607 +0100 +@@ -0,0 +1,146 @@ ++############################################################################### ++# ++# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved. ++# Written by David Howells (dhowells@redhat.com) ++# Karl MacMillan (kmacmill@redhat.com) ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License ++# as published by the Free Software Foundation; either version ++# 2 of the License, or (at your option) any later version. 
++# ++############################################################################### ++ ++# ++# This security policy governs access by the CacheFiles kernel module and ++# userspace management daemon to the files and directories in the on-disk ++# cache, on behalf of the processes accessing the cache through a network ++# filesystem such as NFS ++# ++policy_module(cachefilesd,1.0.17) ++ ++############################################################################### ++# ++# Declarations ++# ++require { type kernel_t; } ++ ++# ++# Files in the cache are created by the cachefiles module with security ID ++# cachefiles_var_t ++# ++type cachefiles_var_t; ++files_type(cachefiles_var_t) ++ ++# ++# The /dev/cachefiles character device has security ID cachefiles_dev_t ++# ++type cachefiles_dev_t; ++dev_node(cachefiles_dev_t) ++ ++# ++# The cachefilesd daemon normally runs with security ID cachefilesd_t ++# ++type cachefilesd_t; ++type cachefilesd_exec_t; ++domain_type(cachefilesd_t) ++init_daemon_domain(cachefilesd_t, cachefilesd_exec_t) ++ ++# ++# The cachefilesd daemon pid file context ++# ++type cachefilesd_var_run_t; ++files_pid_file(cachefilesd_var_run_t) ++ ++# ++# The CacheFiles kernel module causes processes accessing the cache files to do ++# so acting as security ID cachefiles_kernel_t ++# ++type cachefiles_kernel_t; ++domain_type(cachefiles_kernel_t) ++domain_obj_id_change_exemption(cachefiles_kernel_t) ++role system_r types cachefiles_kernel_t; ++ ++############################################################################### ++# ++# Permit RPM to deal with files in the cache ++# ++rpm_use_script_fds(cachefilesd_t) ++ ++############################################################################### ++# ++# cachefilesd local policy ++# ++# These define what cachefilesd is permitted to do. This doesn't include very ++# much: startup stuff, logging, pid file, scanning the cache superstructure and ++# deleting files from the cache. 
It is not permitted to read/write files in ++# the cache. ++# ++# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow ++# rules. ++# ++allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override }; ++ ++# Basic access ++files_read_etc_files(cachefilesd_t) ++libs_use_ld_so(cachefilesd_t) ++libs_use_shared_libs(cachefilesd_t) ++miscfiles_read_localization(cachefilesd_t) ++logging_send_syslog_msg(cachefilesd_t) ++init_dontaudit_use_script_ptys(cachefilesd_t) ++term_dontaudit_use_generic_ptys(cachefilesd_t) ++term_dontaudit_getattr_unallocated_ttys(cachefilesd_t) ++ ++# Allow manipulation of pid file ++allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms; ++manage_files_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t) ++manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t) ++files_pid_file(cachefilesd_var_run_t) ++files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file) ++ ++# Allow access to cachefiles device file ++allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms; ++ ++# Allow access to cache superstructure ++allow cachefilesd_t cachefiles_var_t : dir rw_dir_perms; ++allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink }; ++ ++# Permit statfs on the backing filesystem ++fs_getattr_xattr_fs(cachefilesd_t) ++ ++############################################################################### ++# ++# When cachefilesd invokes the kernel module to begin caching, it has to tell ++# the kernel module the security context in which it should act, and this ++# policy has to approve that. 
++# ++# There are two parts to this: ++# ++# (1) the security context used by the module to access files in the cache, ++# as set by the 'secctx' command in /etc/cachefilesd.conf, and ++# ++allow cachefilesd_t cachefiles_kernel_t : kernel_service { use_as_override }; ++ ++# ++# (2) the label that will be assigned to new files and directories created in ++# the cache by the module, which will be the same as the label on the ++# directory pointed to by the 'dir' command. ++# ++allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as }; ++ ++############################################################################### ++# ++# cachefiles kernel module local policy ++# ++# This governs what the kernel module is allowed to do the contents of the ++# cache. ++# ++allow cachefiles_kernel_t self:capability { dac_override dac_read_search }; ++allow cachefiles_kernel_t initrc_t:process sigchld; ++ ++manage_dirs_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t) ++manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t) ++ ++fs_getattr_xattr_fs(cachefiles_kernel_t) ++ ++dev_search_sysfs(cachefiles_kernel_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.6.32/policy/modules/services/ccs.te --- nsaserefpolicy/policy/modules/services/ccs.te 2010-01-18 18:24:22.749530749 +0100 +++ serefpolicy-3.6.32/policy/modules/services/ccs.te 2010-02-17 15:18:32.630863465 +0100 
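Review bot: cachefilesd.fc labels `/var/run/cachefilesd\.pid` as cachefiles_var_t, but cachefilesd.te declares cachefilesd_var_run_t for the pid file (files_pid_file, files_pid_filetrans) and grants the daemon only `{ getattr rename unlink }` on cachefiles_var_t files, so after a relabel the daemon could no longer write its own pid file; the fc line should read `/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)`. In cachefilesd.te the `require { type kernel_t; }` block names a type the visible rules never use, while `allow cachefiles_kernel_t initrc_t:process sigchld;` uses initrc_t without requiring it; the refpolicy idiom is `init_sigchld_script(cachefiles_kernel_t)` with the raw require dropped. `rpm_use_script_fds(cachefilesd_t)` should sit inside an optional_policy block like the other cross-module calls, and the second `files_pid_file(cachefilesd_var_run_t)` duplicates the declaration above it. In cachefilesd.if, `domain_auto_trans` plus the hand-written fd, fifo_file and sigchld allows is exactly what `domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)` provides. The `sys_admin` capability and the `kernel_service { use_as_override }` grant are the daemon's strongest privileges; the latter is documented in the hunk, the former deserves a why-comment too.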
@@ -3539,73 +3926,419 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -permissive chronyd_t; +optional_policy(` -+ gpsd_rw_shm(chronyd_t) ++ gpsd_rw_shm(chronyd_t) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.6.32/policy/modules/services/clogd.if +--- nsaserefpolicy/policy/modules/services/clogd.if 2010-01-18 18:24:22.757540078 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/clogd.if 2010-02-17 11:59:55.124863336 +0100 +@@ -42,26 +42,6 @@ + + ##################################### + ## +-## Manage clogd tmpfs files. +-## +-## +-## +-## The type of the process performing this action. +-## +-## +-# +-interface(`clogd_manage_tmpfs_files',` +- gen_require(` +- type clogd_tmpfs_t; +- ') +- +- fs_search_tmpfs($1) +- manage_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) +- manage_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) +-') +- +-##################################### +-## + ## Allow read and write access to clogd semaphores. 
+ ## + ## +@@ -94,5 +74,9 @@ + ') + + allow $1 clogd_t:shm { rw_shm_perms destroy }; ++ allow $1 clogd_tmpfs_t:dir list_dir_perms; ++ rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) ++ read_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) ++ fs_search_tmpfs($1) + ') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.6.32/policy/modules/services/clogd.te +--- nsaserefpolicy/policy/modules/services/clogd.te 2010-01-18 18:24:22.758539996 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/clogd.te 2010-02-17 15:17:36.815613535 +0100 +@@ -41,8 +41,6 @@ + manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t) + files_pid_filetrans(clogd_t,clogd_var_run_t, { file }) + +-aisexec_stream_connect(clogd_t) +- + dev_manage_generic_blk_files(clogd_t) + + storage_raw_read_fixed_disk(clogd_t) +@@ -56,6 +54,11 @@ + miscfiles_read_localization(clogd_t) + + optional_policy(` ++ aisexec_stream_connect(clogd_t) ++ corosync_stream_connect(clogd_t) ++') ++ ++optional_policy(` + dev_read_lvm_control(clogd_t) + ') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.6.32/policy/modules/services/cobbler.fc +--- nsaserefpolicy/policy/modules/services/cobbler.fc 2010-01-18 18:24:22.758539996 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/cobbler.fc 2010-03-01 09:49:55.450759811 +0100 +@@ -1,2 +1,7 @@ ++/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0) ++/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0) ++ ++/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0) + + /var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) ++/var/log/cobbler(/.*)? 
gen_context(system_u:object_r:cobbler_var_log_t, s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.6.32/policy/modules/services/cobbler.if +--- nsaserefpolicy/policy/modules/services/cobbler.if 2010-01-18 18:24:22.759530345 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/cobbler.if 2010-03-01 09:49:55.450759811 +0100 +@@ -1,10 +1,111 @@ ++## Cobbler installation server. ++## ++##

++## Cobbler is a Linux installation server that allows for ++## rapid setup of network installation environments. It ++## glues together and automates many associated Linux ++## tasks so you do not have to hop between lots of various ++## commands and applications when rolling out new systems, ++## and, in some cases, changing existing ones. ++##

++##
++ ++######################################## ++## ++## Execute a domain transition to run cobblerd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`cobblerd_domtrans',` ++ gen_require(` ++ type cobblerd_t, cobblerd_exec_t; ++ ') ++ ++ domtrans_pattern($1, cobblerd_exec_t, cobblerd_t) ++') ++ ++######################################## ++## ++## Execute cobblerd server in the cobblerd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`cobblerd_initrc_domtrans',` ++ gen_require(` ++ type cobblerd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, cobblerd_initrc_exec_t) ++') ++ ++######################################## ++## ++## Read Cobbler content in /etc ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cobbler_read_config',` ++ gen_require(` ++ type cobbler_etc_t; ++ ') ++ ++ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t); ++ files_search_etc($1) ++') ++ ++######################################## ++## ++## Do not audit attempts to read and write ++## Cobbler log files (leaked fd). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cobbler_dontaudit_rw_log',` ++ gen_require(` ++ type cobbler_var_log_t; ++ ') ++ ++ dontaudit $1 cobbler_var_log_t:file rw_file_perms; ++') ++ ++######################################## + ## +-## Cobbler var_lib_t ++## Search cobbler dirs in /var/lib + ## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cobbler_search_lib',` ++ gen_require(` ++ type cobbler_var_lib_t; ++ ') ++ ++ search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) ++ files_search_var_lib($1) ++') + + ######################################## + ## +-## Read cobbler lib files. 
++## Read cobbler files in /var/lib + ## + ## + ## +@@ -18,7 +119,6 @@ + ') + + read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) +- allow $1 cobbler_var_lib_t:dir list_dir_perms; + files_search_var_lib($1) + ') + +@@ -22,10 +122,9 @@ + files_search_var_lib($1) + ') + +- + ######################################## + ## +-## Read cobbler lib files. ++## Manage cobbler files in /var/lib + ## + ## + ## +@@ -33,12 +132,55 @@ + ## + ## + # +-interface(`cobbler_search_lib',` ++interface(`cobbler_manage_lib_files',` + gen_require(` + type cobbler_var_lib_t; + ') + +- allow $1 cobbler_var_lib_t:dir search_dir_perms; ++ manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + files_search_var_lib($1) + ') + ++######################################## ++## ++## All of the rules required to administrate ++## an cobblerd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`cobblerd_admin',` ++ gen_require(` ++ type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; ++ type cobbler_etc_t; ++ type httpd_cobbler_content_rw_t; ++ ') ++ ++ allow $1 cobblerd_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, cobblerd_t, cobblerd_t) ++ ++ files_search_etc($1) ++ admin_pattern($1, cobbler_etc_t) ++ ++ files_list_var_lib($1) ++ admin_pattern($1, cobbler_var_lib_t) ++ ++ files_search_var_log($1) ++ admin_pattern($1, cobbler_var_log_t) ++ ++ admin_pattern($1, httpd_cobbler_content_rw_t) ++ ++ cobblerd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 cobblerd_initrc_exec_t system_r; ++ allow $2 system_r; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.6.32/policy/modules/services/cobbler.te +--- nsaserefpolicy/policy/modules/services/cobbler.te 2010-01-18 18:24:22.760530473 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/cobbler.te 2010-03-01 
15:49:21.826741385 +0100 +@@ -1,5 +1,135 @@ + +-policy_module(cobbler, 1.10.0) ++policy_module(cobbler, 1.0.0) ++ ++######################################## ++# ++# Cobbler personal declarations. ++# ++ ++## ++##

++## Allow Cobbler to modify public files ++## used for public file transfer services. ++##

++##
++gen_tunable(cobbler_anon_write, false) ++ ++type cobblerd_t; ++type cobblerd_exec_t; ++init_daemon_domain(cobblerd_t, cobblerd_exec_t) ++ ++permissive cobblerd_t; ++ ++type cobblerd_initrc_exec_t; ++init_script_file(cobblerd_initrc_exec_t) ++ ++type cobbler_etc_t; ++files_config_file(cobbler_etc_t) ++ ++type cobbler_var_log_t; ++logging_log_file(cobbler_var_log_t) + + type cobbler_var_lib_t; + files_type(cobbler_var_lib_t) ++ ++######################################## ++# ++# Cobbler personal policy. ++# ++ ++allow cobblerd_t self:capability { chown dac_override fowner sys_nice }; ++allow cobblerd_t self:process { getsched setsched signal }; ++allow cobblerd_t self:fifo_file rw_fifo_file_perms; ++allow cobblerd_t self:tcp_socket create_stream_socket_perms; ++ ++list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) ++read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) ++ ++manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) ++manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) ++files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file }) ++ ++append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) ++create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) ++read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) ++setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) ++logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) ++ ++kernel_read_system_state(cobblerd_t) ++ ++corecmd_exec_bin(cobblerd_t) ++corecmd_exec_shell(cobblerd_t) ++ ++corenet_all_recvfrom_netlabel(cobblerd_t) ++corenet_all_recvfrom_unlabeled(cobblerd_t) ++corenet_sendrecv_cobbler_server_packets(cobblerd_t) ++corenet_tcp_bind_cobbler_port(cobblerd_t) ++corenet_tcp_bind_generic_node(cobblerd_t) ++corenet_tcp_sendrecv_generic_if(cobblerd_t) ++corenet_tcp_sendrecv_generic_node(cobblerd_t) ++corenet_tcp_sendrecv_generic_port(cobblerd_t) ++ ++dev_read_urand(cobblerd_t) ++ ++# read 
/etc/nsswitch.conf ++files_read_etc_files(cobblerd_t) ++files_read_usr_files(cobblerd_t) ++files_list_boot(cobblerd_t) ++files_list_tmp(cobblerd_t) ++ ++miscfiles_read_localization(cobblerd_t) ++miscfiles_read_public_files(cobblerd_t) ++ ++sysnet_read_config(cobblerd_t) ++sysnet_rw_dhcp_config(cobblerd_t) ++sysnet_write_config(cobblerd_t) ++ ++tunable_policy(`cobbler_anon_write',` ++ miscfiles_manage_public_files(cobblerd_t) ++') ++ ++optional_policy(` ++ apache_list_sys_content(cobblerd_t) ++') ++ ++optional_policy(` ++ bind_read_config(cobblerd_t) ++ bind_write_config(cobblerd_t) ++ bind_domtrans_ndc(cobblerd_t) ++ bind_domtrans(cobblerd_t) ++ bind_initrc_domtrans(cobblerd_t) ++ bind_manage_zone(cobblerd_t) ++') ++ ++optional_policy(` ++ dhcpd_domtrans(cobblerd_t) ++ dhcpd_initrc_domtrans(cobblerd_t) ++') ++ ++optional_policy(` ++ dnsmasq_domtrans(cobblerd_t) ++ dnsmasq_initrc_domtrans(cobblerd_t) ++ dnsmasq_write_config(cobblerd_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.6.32/policy/modules/services/clogd.if ---- nsaserefpolicy/policy/modules/services/clogd.if 2010-01-18 18:24:22.757540078 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/clogd.if 2010-02-17 11:59:55.124863336 +0100 -@@ -42,26 +42,6 @@ - - ##################################### - ## --## Manage clogd tmpfs files. --## --## --## --## The type of the process performing this action. --## --## --# --interface(`clogd_manage_tmpfs_files',` -- gen_require(` -- type clogd_tmpfs_t; -- ') -- -- fs_search_tmpfs($1) -- manage_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) -- manage_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) --') -- --##################################### --## - ## Allow read and write access to clogd semaphores. 
- ## - ## -@@ -94,5 +74,9 @@ - ') - - allow $1 clogd_t:shm { rw_shm_perms destroy }; -+ allow $1 clogd_tmpfs_t:dir list_dir_perms; -+ rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) -+ read_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) -+ fs_search_tmpfs($1) - ') - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.6.32/policy/modules/services/clogd.te ---- nsaserefpolicy/policy/modules/services/clogd.te 2010-01-18 18:24:22.758539996 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/clogd.te 2010-02-17 15:17:36.815613535 +0100 -@@ -41,8 +41,6 @@ - manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t) - files_pid_filetrans(clogd_t,clogd_var_run_t, { file }) - --aisexec_stream_connect(clogd_t) -- - dev_manage_generic_blk_files(clogd_t) - - storage_raw_read_fixed_disk(clogd_t) -@@ -56,6 +54,11 @@ - miscfiles_read_localization(clogd_t) - - optional_policy(` -+ aisexec_stream_connect(clogd_t) -+ corosync_stream_connect(clogd_t) ++optional_policy(` ++ rpm_exec(cobblerd_t) +') + +optional_policy(` - dev_read_lvm_control(clogd_t) - ') - ++ rsync_read_config(cobblerd_t) ++ rsync_write_config(cobblerd_t) ++') ++ ++optional_policy(` ++ tftp_manage_rw_content(cobblerd_t) ++') ++ ++######################################## ++# ++# Cobbler web local policy. ++# ++ ++apache_content_template(cobbler) ++manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) ++manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2010-02-21 20:46:52.740325173 +0100 +++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2010-02-21 20:34:33.717586944 +0100 
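Review bot: `permissive cobblerd_t;` in the new cobbler.te declarations means every denial for the daemon is logged but not enforced, so the rules that follow it (including the `cobbler_anon_write`-gated `miscfiles_manage_public_files`) are not actually restricting anything while that line ships; it should carry a comment recording when it is to be removed, e.g. `# TODO: drop once cobblerd_t has been exercised in enforcing mode (see <tracking-id placeholder>)`. In cobbler.if, `read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);` inside `cobbler_read_config` has a trailing semicolon that none of the other pattern calls in this hunk have; dropping it keeps the interface consistent with its siblings. The domain is also given `dac_override` plus write access to bind, dhcp, dnsmasq, rsync and sysnet configuration, so a one-line comment on the `allow cobblerd_t self:capability` rule naming the operation that needs `dac_override` would help later audits. The module version moving from `1.10.0` to `1.0.0` is presumably a resync with another tree rather than a real downgrade, but that is worth stating.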
@@ -3762,13 +4495,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_usr_files(hplip_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.32/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2010-01-18 18:24:22.774530577 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/dbus.if 2010-02-09 15:13:10.361616292 +0100 -@@ -375,6 +375,8 @@ ++++ serefpolicy-3.6.32/policy/modules/services/dbus.if 2010-03-01 16:43:21.835743624 +0100 +@@ -375,6 +375,9 @@ dbus_system_bus_client($1) dbus_connect_system_bus($1) + ps_process_pattern(system_dbusd_t, $1) + ++ userdom_read_all_users_state($1) userdom_dontaudit_search_admin_dir($1) optional_policy(` 
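Review bot: `userdom_read_all_users_state($1)` is added to the dbus.if template body next to `dbus_system_bus_client($1)`, so every domain instantiated through that template gains read access to the process state of all user domains, not only the service that prompted the change. If a single bus service needs this, the call belongs in that service's .te file; if it really has to be template-wide, a comment naming the consumer, e.g. `# <service placeholder> needs to look up the calling user's process state`, would record why. The enclosing interface starts and ends outside the hunk.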
@@ -3863,6 +4597,49 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.32/policy/modules/services/dhcp.if +--- nsaserefpolicy/policy/modules/services/dhcp.if 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/dhcp.if 2010-03-01 15:53:56.974502467 +0100 +@@ -2,6 +2,25 @@ + + ######################################## + ## ++## Transition to dhcpd. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dhcpd_domtrans',` ++ gen_require(` ++ type dhcpd_t, dhcpd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, dhcpd_exec_t, dhcpd_t) ++') ++ ++######################################## ++## + ## Set the attributes of the DCHP + ## server state files. + ## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.6.32/policy/modules/services/dhcp.te +--- nsaserefpolicy/policy/modules/services/dhcp.te 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/dhcp.te 2010-03-01 09:56:40.715740296 +0100 +@@ -112,6 +112,10 @@ + ') + + optional_policy(` ++ cobbler_dontaudit_rw_log(dhcpd_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(dhcpd_t) + dbus_connect_system_bus(dhcpd_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.6.32/policy/modules/services/djbdns.if --- nsaserefpolicy/policy/modules/services/djbdns.if 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/djbdns.if 2010-02-11 12:35:57.243619172 +0100 
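Review bot: `cobbler_dontaudit_rw_log(dhcpd_t)` in the dhcp.te hunk silences the symptom of a file descriptor leaked across the transition into dhcpd rather than the leak itself: the cobbler log fd stays open in the dhcpd process, it just no longer appears in the audit log. A comment at that line, e.g. `# cobblerd leaks its log fd when it starts dhcpd; dontaudit until the fd is closed on exec`, keeps it from being read later as a deliberate grant. The enclosing `optional_policy` block in dhcp.te starts and ends inside the hunk, but the surrounding file section continues outside it.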
@@ -3941,6 +4718,54 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.6.32/policy/modules/services/dnsmasq.if +--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/dnsmasq.if 2010-03-01 15:57:23.556490055 +0100 +@@ -96,6 +96,44 @@ + allow $1 dnsmasq_t:process sigkill; + ') + ++####################################### ++## ++## Read dnsmasq config files. ++## ++## ++## ++## Domain allowed. ++## ++## ++# ++interface(`dnsmasq_read_config',` ++ gen_require(` ++ type dnsmasq_etc_t; ++ ') ++ ++ read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) ++ files_search_etc($1) ++') ++ ++####################################### ++## ++## Write to dnsmasq config files. ++## ++## ++## ++## Domain allowed. ++## ++## ++# ++interface(`dnsmasq_write_config',` ++ gen_require(` ++ type dnsmasq_etc_t; ++ ') ++ ++ write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) ++ files_search_etc($1) ++') ++ + ######################################## + ## + ## Delete dnsmasq pid files diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.32/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-01-18 18:24:22.780530921 +0100 +++ serefpolicy-3.6.32/policy/modules/services/dnsmasq.te 2010-02-12 17:24:31.727729095 +0100 
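Review bot: `dnsmasq_write_config` in the dnsmasq.if hunk grants `write_files_pattern` only, so a caller can rewrite existing config files in place but cannot create, rename or unlink them; if the intended consumer regenerates configuration by writing a new file and renaming it over the old one, it will be denied, and either a manage-style interface or a comment stating that in-place writes are sufficient would settle that. The same shape recurs in the rsync.if hunk at `@@ -6829,6 +7742,51 @@` (`rsync_write_config`). Both new interface pairs document their parameter as `## Domain allowed.` where the rest of this patch uses `## Domain allowed access.`.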
@@ -5163,6 +5988,50 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0) + +/var/run/gpm\.pid -- gen_context(system_u:object_r:gpm_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te +--- nsaserefpolicy/policy/modules/services/hal.te 2010-01-18 18:24:22.795530524 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/hal.te 2010-03-01 15:09:45.271494370 +0100 +@@ -121,6 +121,7 @@ + corenet_udp_sendrecv_all_ports(hald_t) + + dev_rw_usbfs(hald_t) ++dev_read_rand(hald_t) + dev_read_urand(hald_t) + dev_read_input(hald_t) + dev_read_mouse(hald_t) +@@ -272,6 +273,10 @@ + ') + + optional_policy(` ++ gnome_read_config(hald_t) ++') ++ ++optional_policy(` + gpm_dontaudit_getattr_gpmctl(hald_t) + ') + +@@ -331,6 +336,10 @@ + ') + + optional_policy(` ++ usbmuxd_stream_connect(hald_t) ++') ++ ++optional_policy(` + vbetool_domtrans(hald_t) + ') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.6.32/policy/modules/services/inn.te +--- nsaserefpolicy/policy/modules/services/inn.te 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/inn.te 2010-03-01 15:13:35.203742322 +0100 +@@ -104,6 +104,7 @@ + + sysnet_read_config(innd_t) + ++userdom_stream_connect(innd_t) + userdom_dontaudit_use_unpriv_user_fds(innd_t) + userdom_dontaudit_search_user_home_dirs(innd_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.32/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2010-01-18 18:24:22.799531033 +0100 +++ serefpolicy-3.6.32/policy/modules/services/kerberos.if 2010-01-22 17:08:10.300604739 +0100 
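Review bot: `userdom_stream_connect(innd_t)` in the inn.te hunk lets the news daemon connect to unix stream sockets belonging to user domains, and nothing in the hunk says which client or socket this is for. A comment on that line naming the consumer, e.g. `# innd connects to <socket placeholder> owned by the user session`, would keep the grant reviewable; if it is for one helper only, a narrower interface for that helper's domain would be preferable. The hal.te additions in the same hunk (`dev_read_rand`, `gnome_read_config`, `usbmuxd_stream_connect`) are read-only or connect-only and self-explanatory by name.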
@@ -5484,30 +6353,61 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.32/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2010-01-18 18:24:22.821530899 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.if 2010-02-21 19:01:11.642309589 +0100 -@@ -134,6 +134,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/nagios.if 2010-03-01 16:06:40.837490351 +0100 +@@ -119,6 +119,26 @@ + read_files_pattern($1, nagios_log_t, nagios_log_t) + ') + ++####################################### ++## ++## Allow the specified domain to read ++## nagios temporary files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nagios_rw_inerited_tmp_files',` ++ gen_require(` ++ type nagios_tmp_t; ++ ') ++ ++ allow $1 nagios_tmp_t:file rw_inherited_file_perms; ++ files_search_tmp($1) ++') ++ + ######################################## + ## + ## Create a set of derived types for various +@@ -134,6 +154,7 @@ gen_require(` type nagios_t, nrpe_t; -+ type nagios_log_t; ++ type nagios_log_t, nagios_tmp_t; ') type nagios_$1_plugin_t; -@@ -150,8 +151,11 @@ +@@ -150,8 +171,15 @@ # needed by command.cfg domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) + allow nagios_t nagios_$1_plugin_t:process signal_perms; + ++ allow nagios_$1_plugin_t nagios_tmp_t:file rw_inherited_file_perms; ++ # cjp: leaked file descriptor dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write }; + dontaudit nagios_$1_plugin_t nagios_log_t:file { read write }; ++ ++ files_search_tmp(nagios_$1_plugin_t) miscfiles_read_localization(nagios_$1_plugin_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-18 
18:24:22.823530245 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-02-21 19:02:48.521559835 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-03-01 13:28:37.750491019 +0100 @@ -45,10 +45,18 @@ type nrpe_var_run_t; files_pid_file(nrpe_var_run_t) @@ -5636,7 +6536,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ###################################### # -@@ -315,6 +390,10 @@ +@@ -290,6 +365,8 @@ + allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; + allow nagios_services_plugin_t self:udp_socket create_socket_perms; + ++kernel_read_system_state(nagios_services_plugin_t) ++ + corecmd_exec_bin(nagios_services_plugin_t) + + corenet_tcp_connect_all_ports(nagios_services_plugin_t) +@@ -315,6 +392,10 @@ mysql_stream_connect(nagios_services_plugin_t) ') @@ -6095,7 +7004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.6.32/policy/modules/services/rgmanager.te --- nsaserefpolicy/policy/modules/services/rgmanager.te 2010-01-18 18:24:22.871540122 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/rgmanager.te 2010-02-23 18:54:23.577526518 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/rgmanager.te 2010-03-01 09:17:31.825491287 +0100 @@ -22,6 +22,9 @@ type rgmanager_tmp_t; files_tmp_file(rgmanager_tmp_t) 
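Review bot: The new interface `nagios_rw_inerited_tmp_files` in the nagios.if hunk misspells "inherited" in its name, and its summary says the domain may read nagios temporary files while the rule it adds is `allow $1 nagios_tmp_t:file rw_inherited_file_perms;`, i.e. read and write on already-open descriptors. Renaming it to `nagios_rw_inherited_tmp_files` before it gains more callers avoids carrying the typo indefinitely (every caller must be updated in the same change), and the summary should read `## Allow the specified domain to read and write inherited nagios temporary files.`. The same `rw_inherited_file_perms` grant is added to the plugin template a few lines further down in the hunk, so the two should be kept in step.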
@@ -6106,16 +7015,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # log files type rgmanager_var_log_t; logging_log_file(rgmanager_var_log_t) -@@ -36,7 +39,7 @@ +@@ -36,8 +39,9 @@ # rgmanager local policy # -allow rgmanager_t self:capability { sys_nice ipc_lock }; -+allow rgmanager_t self:capability { dac_override sys_nice sys_resource ipc_lock }; ++allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; dontaudit rgmanager_t self:capability { sys_ptrace }; ++ allow rgmanager_t self:process { setsched signal }; dontaudit rgmanager_t self:process { ptrace }; -@@ -51,6 +54,10 @@ + +@@ -51,6 +55,10 @@ manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir }) @@ -6126,7 +7037,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # log files manage_files_pattern(rgmanager_t, rgmanager_var_log_t,rgmanager_var_log_t) logging_log_filetrans(rgmanager_t,rgmanager_var_log_t,{ file }) -@@ -60,35 +67,44 @@ +@@ -60,35 +68,44 @@ manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) files_pid_filetrans(rgmanager_t,rgmanager_var_run_t, { file sock_file }) @@ -6179,7 +7090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_xattr_fs(rgmanager_t) -@@ -104,11 +120,18 @@ +@@ -104,11 +121,18 @@ miscfiles_read_localization(rgmanager_t) @@ -6198,7 +7109,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` apache_domtrans(rgmanager_t) -@@ -158,11 +181,16 @@ +@@ -158,11 +182,16 @@ ') optional_policy(` @@ -6215,7 +7126,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -183,5 +211,16 @@ +@@ -183,5 +212,16 @@ udev_read_db(rgmanager_t) ') 
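Review bot: The rgmanager.te hunk widens `allow rgmanager_t self:capability` from `{ dac_override sys_nice sys_resource ipc_lock }` to `{ dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }` without a comment; `sys_admin` is a near-root capability and `net_raw` permits raw sockets, so each deserves a one-line justification at the rule, e.g. `# sys_admin: <operation placeholder>; net_raw: <operation placeholder>`. If either is needed only by a helper that rgmanager spawns, a transition into that helper's domain would keep the capability out of rgmanager_t itself. The remaining hunks in this file section are line-number shifts only.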
@@ -6329,7 +7240,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute a domain transition to run groupd. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.6.32/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 2010-01-18 18:24:22.874530726 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/rhcs.te 2010-02-23 15:15:57.274776910 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/rhcs.te 2010-03-01 09:19:23.343490629 +0100 @@ -1,5 +1,5 @@ -policy_module(rhcs,1.0.0) @@ -6502,7 +7413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow fenced_t self:tcp_socket create_stream_socket_perms; allow fenced_t self:udp_socket create_socket_perms; -@@ -166,25 +74,15 @@ +@@ -166,25 +74,17 @@ # tmp files manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) @@ -6531,10 +7442,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -ccs_stream_connect(fenced_t) + +kernel_read_system_state(fenced_t) ++ ++corenet_tcp_connect_http_port(fenced_t) corecmd_exec_bin(fenced_t) -@@ -195,19 +93,13 @@ +@@ -195,19 +95,13 @@ storage_raw_write_fixed_disk(fenced_t) storage_raw_read_removable_device(fenced_t) @@ -6555,7 +7468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`fenced_can_network_connect',` corenet_tcp_connect_all_ports(fenced_t) ') -@@ -217,10 +109,6 @@ +@@ -217,10 +111,6 @@ ') optional_policy(` @@ -6566,7 +7479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol lvm_domtrans(fenced_t) lvm_read_config(fenced_t) ') -@@ -230,53 +118,26 @@ +@@ -230,53 +120,26 @@ # gfs_controld local policy # 
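Review bot: `corenet_tcp_connect_http_port(fenced_t)` is added unconditionally in the rhcs.te hunk at `@@ -6531,10 +7442,12 @@`, while the visible context in the same section gates fenced's other outbound connects behind `tunable_policy(\`fenced_can_network_connect', ...)`. If the HTTP connect is for a specific fence agent, a comment naming it (`# <agent placeholder> fences over HTTP`) would explain why it bypasses the boolean; otherwise it could sit inside that tunable block so administrators who keep the boolean off do not get an always-open outbound HTTP path from fenced_t.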
@@ -6626,7 +7539,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -290,78 +151,29 @@ +@@ -290,78 +153,29 @@ allow groupd_t self:capability { sys_nice sys_resource }; allow groupd_t self:process setsched; @@ -6707,7 +7620,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_getattr_sbin_files(qdiskd_t) corecmd_exec_shell(qdiskd_t) -@@ -391,13 +203,6 @@ +@@ -391,13 +205,6 @@ files_read_etc_files(qdiskd_t) @@ -6721,7 +7634,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` netutils_domtrans_ping(qdiskd_t) ') -@@ -406,5 +211,28 @@ +@@ -406,5 +213,28 @@ udev_read_db(qdiskd_t) ') 
@@ -6829,6 +7742,51 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # NFSD local policy +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.6.32/policy/modules/services/rsync.if +--- nsaserefpolicy/policy/modules/services/rsync.if 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/rsync.if 2010-03-01 16:02:14.881494801 +0100 +@@ -103,3 +103,41 @@ + + can_exec($1, rsync_exec_t) + ') ++ ++####################################### ++## ++## Read rsync config files. ++## ++## ++## ++## Domain allowed. ++## ++## ++# ++interface(`rsync_read_config',` ++ gen_require(` ++ type rsync_etc_t; ++ ') ++ ++ read_files_pattern($1, rsync_etc_t, rsync_etc_t) ++ files_search_etc($1) ++') ++ ++####################################### ++## ++## Write to rsync config files. ++## ++## ++## ++## Domain allowed. ++## ++## ++# ++interface(`rsync_write_config',` ++ gen_require(` ++ type rsync_etc_t; ++ ') ++ ++ write_files_pattern($1, rsync_etc_t, rsync_etc_t) ++ files_search_etc($1) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100 +++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-02-23 10:50:43.134867505 +0100 
@@ -7460,6 +8418,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` dbus_system_bus_client(sssd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.6.32/policy/modules/services/tftp.if +--- nsaserefpolicy/policy/modules/services/tftp.if 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/tftp.if 2010-03-01 15:59:20.787741600 +0100 +@@ -18,6 +18,26 @@ + read_files_pattern($1, tftpdir_t, tftpdir_t) + ') + ++####################################### ++## ++## Manage tftp /var/lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tftp_manage_rw_content',` ++ gen_require(` ++ type tftpdir_rw_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ++ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ++') ++ + ######################################## + ## + ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.6.32/policy/modules/services/tftp.te --- nsaserefpolicy/policy/modules/services/tftp.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/tftp.te 2010-01-19 12:02:02.773609654 +0100 @@ -7716,7 +8704,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-01-18 18:24:22.915540061 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-02-11 20:30:04.756691338 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-03-01 17:22:48.963740399 +0100 
@@ -1,5 +1,5 @@ -policy_module(virt, 1.2.1) @@ -7764,6 +8752,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(virt_domain) +@@ -446,6 +450,11 @@ + fs_rw_anon_inodefs_files(virt_domain) + fs_rw_tmpfs_files(virt_domain) + ++# we need these for now. ++miscfiles_read_public_files(virt_domain) ++storage_raw_read_removable_device(virt_domain) ++ ++ + term_use_all_terms(virt_domain) + term_getattr_pty_fs(virt_domain) + term_use_generic_ptys(virt_domain) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2010-01-18 18:24:22.917530119 +0100 +++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-02-03 14:24:48.062145095 +0100 @@ -8522,7 +9522,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_read_all_domains_state(iscsid_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-02-25 10:34:31.079617322 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-03-01 15:02:25.227490412 +0100 @@ -245,8 +245,12 @@ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
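Review bot: `storage_raw_read_removable_device(virt_domain)` in the virt.te hunk gives every domain carrying the `virt_domain` attribute raw read access to removable block devices, and the only explanation is `# we need these for now.`, which says neither what needs it nor when it can go. Replace it with a comment naming the trigger and the exit condition, e.g. `# <consumer placeholder> reads removable media directly; drop once <condition placeholder>`, so the grant does not outlive its reason. The double blank line left after the two new calls, before `term_use_all_terms(virt_domain)`, is a whitespace nit.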
@@ -8547,7 +9547,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -432,9 +434,21 @@
+@@ -432,9 +434,22 @@
 /usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -8563,6 +9563,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib(64)?/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/transcode/filter_yuvdenoise\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -8771,8 +9772,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.32/policy/modules/system/miscfiles.fc
 --- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-01-18 18:24:22.954530704 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.fc 2010-02-21 19:50:59.003309596 +0100
-@@ -71,6 +71,8 @@
++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.fc 2010-03-01 09:54:58.045489944 +0100
+@@ -71,10 +71,15 @@
 /var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
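Review bot: The new `libGTL.*\.so.*` entry puts an unbounded `.*` between the library prefix and `\.so`, so it matches regular files at any depth below `/usr/lib` or `/usr/lib64` whose path begins with `libGTL`, not just the library itself; the `xulrunner-[^/]*/` entries a few lines above show the bounded form. Because textrel_shlib_t is the label that permits execmod, keeping the pattern to one path component limits what inherits that relaxation: `/usr/lib(64)?/libGTL[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. The inner-hunk recount from `+434,21` to `+434,22` in the preceding hunk is consistent with exactly this one added line.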
@@ -8781,6 +9782,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
 /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
 /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+
++/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
++
++/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
+ /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
+
+ ifdef(`distro_debian',`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
 --- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-01-18 18:24:22.955540050 +0100
 +++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-22 16:24:01.851857861 +0100
@@ -8827,7 +9835,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.32/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te 2010-01-18 18:24:22.959530712 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/modutils.te 2010-02-09 09:59:53.815865530 +0100
++++ serefpolicy-3.6.32/policy/modules/system/modutils.te 2010-03-01 09:21:42.982491122 +0100
 @@ -131,6 +131,7 @@
 kernel_read_debugfs(insmod_t)
 # Rules for /proc/sys/kernel/tainted
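Review bot: Labeling `/var/lib/cobbler/webui_sessions(/.*)?` and `/var/www/cobbler/images(/.*)?` as public_content_rw_t makes the web UI session store writable by every daemon that an `allow_*_anon_write` boolean (for example allow_httpd_anon_write) opens up, not only by cobbler's own frontend, which is wider than a session directory needs. If the cobbler module this commit updates from F13 declares a cobbler-specific rw content type, that is the tighter label; it is not visible in this hunk. Keeping the entries in miscfiles.fc rather than the cobbler module's own .fc also means they will be missed when that module is next revised. Style: both new entries write `, s0` where every neighbouring entry uses `,s0`.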
@@ -8836,6 +9844,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 kernel_rw_kernel_sysctl(insmod_t)
 kernel_read_hotplug_sysctls(insmod_t)
 kernel_setsched(insmod_t)
+@@ -165,6 +166,7 @@
+
+ fs_getattr_xattr_fs(insmod_t)
+ fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
++fs_search_rpc(insmod_t)
+ fs_mount_rpc_pipefs(insmod_t)
+
+ init_rw_initctl(insmod_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.32/policy/modules/system/mount.if
 --- nsaserefpolicy/policy/modules/system/mount.if 2010-01-18 18:24:22.960539988 +0100
 +++ serefpolicy-3.6.32/policy/modules/system/mount.if 2010-02-17 16:23:56.866863904 +0100
@@ -8897,6 +9913,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 rpc_domtrans_rpcd(unconfined_mount_t)
 devicekit_dbus_chat_disk(unconfined_mount_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.32/policy/modules/system/selinuxutil.if
+--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-01-18 18:24:22.965530078 +0100
++++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2010-03-01 16:18:46.909490203 +0100
+@@ -1142,6 +1142,27 @@
+ role $2 types setsebool_t;
+ ')
+
++#######################################
++##
++## Full management of the semanage
++## module store.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_read_module_store',`
++ gen_require(`
++ type selinux_config_t, semanage_store_t;
++ ')
++
++ files_search_etc($1)
++ list_dirs_pattern($1, selinux_config_t, semanage_store_t)
++ read_files_pattern($1, semanage_store_t, semanage_store_t)
++')
++
+ ########################################
+ ##
+ ## Full management of the semanage
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-01-18 18:24:22.967540599 +0100
 +++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2010-01-18 18:27:02.789530951 +0100
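Review bot: The doc block on the new `seutil_read_module_store` interface says `## Full management of the semanage` / `## module store.`, copied from the sibling interface that follows it, but the body grants only `list_dirs_pattern` and `read_files_pattern` on semanage_store_t. Change the summary to `## Read the semanage module store.` so the generated interface documentation does not advertise write access this interface does not give. The staff_t caller named in the commit message is not in this hunk, so the grant itself cannot be reviewed here.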
@@ -8908,6 +9955,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 miscfiles_read_localization(load_policy_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.32/policy/modules/system/sysnetwork.fc
+--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2010-01-18 18:24:22.968540028 +0100
++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.fc 2010-03-01 16:01:07.867490672 +0100
+@@ -11,6 +11,7 @@
+ /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
++/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.32/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-01-18 18:24:22.969542320 +0100
 +++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if 2010-02-16 16:50:00.011598570 +0100
@@ -9054,7 +10112,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te 2010-01-18 18:24:22.987540070 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/xen.te 2010-02-22 12:49:42.249615189 +0100
++++ serefpolicy-3.6.32/policy/modules/system/xen.te 2010-03-01 16:28:30.815490952 +0100
 @@ -13,6 +13,8 @@
 ##
 gen_tunable(xen_use_nfs, false)
@@ -9099,7 +10157,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 fs_search_xenfs(xenstored_t)
 storage_raw_read_fixed_disk(xenstored_t)
-@@ -431,11 +440,15 @@
+@@ -413,12 +422,21 @@
+ xen_stream_connect_xenstore(xm_t)
+
+ optional_policy(`
++ dbus_system_bus_client(xm_t)
++ optional_policy(`
++ hal_dbus_chat(xm_t)
++ ')
++')
++
++optional_policy(`
+ vhostmd_rw_tmpfs_files(xm_t)
+ vhostmd_stream_connect(xm_t)
+ vhostmd_dontaudit_rw_stream_connect(xm_t)
+ ')
+
+ optional_policy(`
++ virt_domtrans(xm_t)
++ virt_manage_config(xm_t)
+ virt_manage_images(xm_t)
+ virt_stream_connect(xm_t)
+ ')
+@@ -431,11 +449,15 @@
 kernel_read_xen_state(xm_ssh_t)
 kernel_write_xen_state(xm_ssh_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b8d5712..8a2933a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 95%{?dist}
+Release: 96%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,12 @@ exit 0
 %endif
 %changelog
+* Mon Mar 1 2010 Miroslav Grepl 3.6.32-96
+- Add cachefilesfd policy
+- Update cobbler policy from F13
+- Allow hald connect to usbmuxd over a unix domain
+- Allow staff_t to read semanage module store
+
 * Fri Feb 26 2010 Miroslav Grepl 3.6.32-95
 - Add fixes from Dan Walsh
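Review bot: `virt_domtrans(xm_t)` together with `virt_manage_config(xm_t)` lets xm_t both rewrite the libvirt configuration and transition into the libvirt daemon's domain, which widens xm_t more than any other line in this hunk, yet neither the commit message nor the new changelog entry mentions xen at all. A one-line comment above that `optional_policy` block naming the xm/libvirt workflow that needs it, plus a changelog bullet, would let a later audit see why xm_t gained it. The nested `optional_policy` wrapping `hal_dbus_chat(xm_t)` inside the dbus block follows the usual refpolicy shape and needs no change.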