From a32a1594b60cc7c672eaf596e671f4de23e0b95b Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 21 2009 20:31:51 +0000 Subject: - Allow nsplugin unix_read and write on users shm and sem - Allow sysadm_t to execute su --- diff --git a/policy-20090105.patch b/policy-20090105.patch index 3acc136..25cb9db 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -164,6 +164,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con # -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/securetty_types serefpolicy-3.6.12/config/appconfig-mls/securetty_types +--- nsaserefpolicy/config/appconfig-mls/securetty_types 2008-08-07 11:15:14.000000000 -0400 ++++ serefpolicy-3.6.12/config/appconfig-mls/securetty_types 2009-04-20 10:13:02.000000000 -0400 +@@ -1,6 +1 @@ +-auditadm_tty_device_t +-secadm_tty_device_t +-staff_tty_device_t +-sysadm_tty_device_t +-unconfined_tty_device_t + user_tty_device_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.12/config/appconfig-mls/virtual_domain_context --- nsaserefpolicy/config/appconfig-mls/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/config/appconfig-mls/virtual_domain_context 2009-04-07 16:01:44.000000000 -0400 
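Review bot: The new MLS `securetty_types` keeps only `user_tty_device_t` and drops the auditadm, secadm, staff, sysadm and unconfined tty types, and neither the commit subject nor the patch body says why. If, as the file name suggests, pam_selinux consults this list to decide which tty labels count as secure when it relabels a tty at login, a tty left labelled `sysadm_tty_device_t` by a previous administrative session would no longer qualify on an MLS system; the login path for those roles is worth confirming before this ships. Either way the change deserves a line in the commit message alongside the nsplugin and su items.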
@@ -729,17 +739,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.12/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/admin/rpm.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -3,6 +3,7 @@ ++++ serefpolicy-3.6.12/policy/modules/admin/rpm.fc 2009-04-19 15:52:53.000000000 -0400 +@@ -3,15 +3,12 @@ /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) +- +-/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) +/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) - /usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0) -@@ -11,7 +12,8 @@ - /usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) - @@ -748,7 +759,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0) ifdef(`distro_redhat', ` -@@ -21,14 +23,18 @@ +@@ -21,14 +18,18 @@ /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) 
@@ -771,7 +782,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_suse', ` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.12/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/admin/rpm.if 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/admin/rpm.if 2009-04-21 14:06:47.000000000 -0400 @@ -146,6 +146,24 @@ ######################################## @@ -926,7 +937,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -283,3 +401,175 @@ +@@ -245,6 +363,24 @@ + + ######################################## + ## ++## Delete the RPM package database. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`rpm_delete_db',` ++ gen_require(` ++ type rpm_var_lib_t; ++ ') ++ ++ delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) ++') ++ ++######################################## ++## + ## Create, read, write, and delete the RPM package database. + ## + ## +@@ -283,3 +419,175 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') 
@@ -1104,8 +1140,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.12/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/admin/rpm.te 2009-04-09 04:59:09.000000000 -0400 -@@ -31,6 +31,9 @@ ++++ serefpolicy-3.6.12/policy/modules/admin/rpm.te 2009-04-20 12:07:11.000000000 -0400 +@@ -9,6 +9,8 @@ + type rpm_t; + type rpm_exec_t; + init_system_domain(rpm_t, rpm_exec_t) ++#application_domain(rpm_t, rpm_exec_t) ++ + domain_obj_id_change_exemption(rpm_t) + domain_role_change_exemption(rpm_t) + domain_system_change_exemption(rpm_t) +@@ -31,11 +33,15 @@ files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; @@ -1115,7 +1160,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type rpm_script_t; type rpm_script_exec_t; domain_obj_id_change_exemption(rpm_script_t) -@@ -52,8 +55,9 @@ + domain_system_change_exemption(rpm_script_t) + corecmd_shell_entry_type(rpm_script_t) ++corecmd_bin_entry_type(rpm_script_t) + domain_type(rpm_script_t) + domain_entry_file(rpm_t, rpm_script_exec_t) + domain_interactive_fd(rpm_script_t) +@@ -52,8 +58,9 @@ # rpm Local policy # @@ -1127,7 +1178,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow rpm_t self:process { getattr setexec setfscreate setrlimit }; allow rpm_t self:fd use; allow rpm_t self:fifo_file rw_fifo_file_perms; -@@ -68,6 +72,8 @@ +@@ -68,6 +75,8 @@ allow rpm_t self:sem create_sem_perms; allow rpm_t self:msgq create_msgq_perms; allow rpm_t self:msg { send receive }; 
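Review bot: The added `#application_domain(rpm_t, rpm_exec_t)` is commented-out code with no explanation, placed directly under `init_system_domain(rpm_t, rpm_exec_t)`, so a reader cannot tell whether it is a pending change or a rejected one. Either drop it or turn it into a real comment that records the decision, e.g. `# rpm_t stays an init system domain rather than an application domain: <reason>`.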
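Review bot: `corecmd_bin_entry_type(rpm_script_t)` makes every `bin_t` executable a valid entry point into rpm_script_t, the domain in which package scriptlets run and which a later hunk in this patch turns into `unconfined_domain_noaudit(rpm_script_t)`, so entry into that domain is no longer limited to shells and `rpm_script_exec_t`. If one particular scriptlet interpreter prompted this, name it in a comment above the line, e.g. `# scriptlets may be started via <interpreter>, not only via a shell`, so the widening stays reviewable, or consider labelling that interpreter `rpm_script_exec_t` instead of opening all of bin_t. The surrounding type declarations continue outside the hunk.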
@@ -1136,7 +1187,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow rpm_t rpm_log_t:file manage_file_perms; logging_log_filetrans(rpm_t, rpm_log_t, file) -@@ -87,8 +93,12 @@ +@@ -87,8 +96,12 @@ manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) @@ -1149,7 +1200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_all_executables(rpm_t) -@@ -108,13 +118,16 @@ +@@ -108,13 +121,16 @@ dev_list_sysfs(rpm_t) dev_list_usbfs(rpm_t) dev_read_urand(rpm_t) @@ -1166,7 +1217,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mls_file_read_all_levels(rpm_t) mls_file_write_all_levels(rpm_t) -@@ -132,6 +145,8 @@ +@@ -132,6 +148,8 @@ # for installing kernel packages storage_raw_read_fixed_disk(rpm_t) @@ -1175,7 +1226,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_relabel_all_files_except_shadow(rpm_t) auth_manage_all_files_except_shadow(rpm_t) auth_dontaudit_read_shadow(rpm_t) -@@ -155,6 +170,7 @@ +@@ -155,6 +173,7 @@ files_exec_etc_files(rpm_t) init_domtrans_script(rpm_t) @@ -1183,7 +1234,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) -@@ -174,17 +190,28 @@ +@@ -174,17 +193,28 @@ ') optional_policy(` @@ -1213,7 +1264,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ifdef(`TODO',` -@@ -210,8 +237,8 @@ +@@ -210,8 +240,8 @@ # rpm-script Local policy # 
@@ -1224,7 +1275,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; allow rpm_script_t self:unix_dgram_socket create_socket_perms; -@@ -222,12 +249,15 @@ +@@ -222,12 +252,15 @@ allow rpm_script_t self:sem create_sem_perms; allow rpm_script_t self:msgq create_msgq_perms; allow rpm_script_t self:msg { send receive }; @@ -1240,7 +1291,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -@@ -239,6 +269,9 @@ +@@ -239,6 +272,9 @@ kernel_read_kernel_sysctls(rpm_script_t) kernel_read_system_state(rpm_script_t) @@ -1250,7 +1301,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_list_sysfs(rpm_script_t) -@@ -255,6 +288,7 @@ +@@ -255,6 +291,7 @@ fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) fs_search_auto_mountpoints(rpm_script_t) @@ -1258,7 +1309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mcs_killall(rpm_script_t) mcs_ptrace_all(rpm_script_t) -@@ -272,14 +306,19 @@ +@@ -272,14 +309,19 @@ storage_raw_read_fixed_disk(rpm_script_t) storage_raw_write_fixed_disk(rpm_script_t) @@ -1278,7 +1329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) -@@ -291,6 +330,7 @@ +@@ -291,6 +333,7 @@ files_exec_etc_files(rpm_script_t) files_read_etc_runtime_files(rpm_script_t) files_exec_usr_files(rpm_script_t) 
@@ -1286,7 +1337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_domtrans_script(rpm_script_t) -@@ -308,12 +348,15 @@ +@@ -308,12 +351,15 @@ seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) @@ -1302,7 +1353,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -326,6 +369,10 @@ +@@ -326,13 +372,18 @@ ') optional_policy(` @@ -1313,9 +1364,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tzdata_domtrans(rpm_t) tzdata_domtrans(rpm_script_t) ') -@@ -333,6 +380,7 @@ + optional_policy(` - unconfined_domain(rpm_script_t) +- unconfined_domain(rpm_script_t) ++ unconfined_domain_noaudit(rpm_script_t) unconfined_domtrans(rpm_script_t) + unconfined_execmem_domtrans(rpm_script_t) @@ -1472,7 +1524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol application_executable_file(sudo_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.6.12/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/admin/su.if 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/admin/su.if 2009-04-21 15:49:55.000000000 -0400 @@ -90,15 +90,6 @@ miscfiles_read_localization($1_su_t) 
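Review bot: Switching rpm_script_t from `unconfined_domain` to `unconfined_domain_noaudit` changes what is logged for the domain that executes package scriptlets, and nothing in the hunk says why. If, as the name suggests, the `_noaudit` variant drops the auditallow records that `unconfined_domain` emits for executable-memory operations, scriptlets that map writable-and-executable memory will no longer leave an audit trail, which is a loss for anyone relying on those records to notice unexpected scriptlet behaviour during installs. A comment naming the noise that motivated it would let a reviewer weigh that trade-off, e.g. `# noaudit: <package> scriptlets trip the execmem auditallow on every install`.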
@@ -2725,8 +2777,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.12/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.if 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,272 @@ ++++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.if 2009-04-21 15:54:32.000000000 -0400 +@@ -0,0 +1,274 @@ + +## policy for nsplugin + @@ -2837,6 +2889,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit nsplugin_config_t $2:fifo_file rw_fifo_file_perms; + allow nsplugin_t $2:unix_stream_socket connectto; + dontaudit nsplugin_t $2:process ptrace; ++ allow nsplugin_t $2:sem { unix_read unix_write }; ++ allow nsplugin_t $2:shm { unix_read unix_write }; + + allow $2 nsplugin_t:process { getattr ptrace signal_perms }; + allow $2 nsplugin_t:unix_stream_socket connectto; @@ -4676,7 +4730,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corecmd_executable_file(wm_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-03-05 10:34:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-04-17 07:21:07.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-04-19 15:53:09.000000000 -0400 @@ -32,6 +32,8 @@ # # /etc 
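Review bot: `allow nsplugin_t $2:sem { unix_read unix_write };` and `allow nsplugin_t $2:shm { unix_read unix_write };` give the plugin domain read and write access to every SysV semaphore and shared-memory segment owned by the calling user domain, while the neighbouring lines only `dontaudit` ptrace and allow `connectto`, so this is presumably the one place the interface lets plugin code reach into memory shared by other user processes. If a single consumer prompted it, say so in a comment above the two rules, e.g. `# <consumer> shares SysV shm/sem between the plugin and the user session`, so the grant can be narrowed or removed when that consumer changes. The interface body these rules sit in opens and closes outside the hunk.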
@@ -4695,7 +4749,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr # -@@ -299,3 +303,14 @@ +@@ -299,3 +303,20 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -4710,6 +4764,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/wicd/monitor.py -- gen_context(system_u:object_r:bin_t, s0) + +/usr/lib(64)?/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) ++ ++/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.12/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.if 2009-04-07 16:01:44.000000000 -0400 @@ -5021,7 +5081,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-21 16:08:44.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations 
@@ -5092,7 +5152,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys -@@ -153,3 +172,43 @@ +@@ -153,3 +172,45 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -5106,7 +5166,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + cron_dontaudit_write_system_job_tmp_files(domain) + cron_rw_pipes(domain) + cron_rw_system_job_pipes(domain) ++ +ifdef(`hide_broken_symptoms',` ++ fs_list_inotifyfs(domain) + allow domain domain:key { link search }; +') +') @@ -5167,7 +5229,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-09 10:14:04.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-20 12:17:02.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -5441,7 +5503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -4921,3 +5077,95 @@ +@@ -4921,3 +5077,114 @@ typeattribute $1 files_unconfined_type; ') 
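Review bot: `fs_list_inotifyfs(domain)` is a grant to the `domain` attribute, i.e. every process type in the policy, yet it sits inside the cron `optional_policy` block as well as the `hide_broken_symptoms` ifdef, so whether all domains may list inotifyfs now depends on the cron module being loaded, which has nothing to do with it. Move it to a top-level `ifdef(`hide_broken_symptoms',` block if it is meant to be policy-wide, or scope it to the domains that actually produced the denial. The `optional_policy(` this lives in opens outside the hunk.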
@@ -5537,6 +5599,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1, root_t, root_t) + can_exec(kernel_t, root_t) +') ++ ++######################################## ++## ++## Do not audit attempts to getattr ++## all tmpfs files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_getattr_tmpfs_files',` ++ gen_require(` ++ attribute tmpfsfile; ++ ') ++ ++ allow $1 tmpfsfile:file getattr; ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.12/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/files.te 2009-04-07 16:01:44.000000000 -0400 @@ -5571,7 +5652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.12/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-03-04 16:49:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/filesystem.if 2009-04-14 14:14:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/filesystem.if 2009-04-20 12:16:40.000000000 -0400 @@ -723,6 +723,24 @@ ######################################## 
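Review bot: The body of `files_dontaudit_getattr_tmpfs_files` grants the access its name and summary say it should only silence: `allow $1 tmpfsfile:file getattr;` should be `dontaudit $1 tmpfsfile:file getattr;`. As written, any caller added to quiet log noise actually gains getattr on every tmpfs file type, and because the interface is named dontaudit nobody auditing its callers would expect a grant there.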
@@ -5660,7 +5741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-04-13 08:28:24.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-04-21 13:21:45.000000000 -0400 @@ -1197,6 +1197,26 @@ ') @@ -6242,7 +6323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## requiring the caller to use setexeccon(). diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-21 15:50:14.000000000 -0400 @@ -15,7 +15,7 @@ role sysadm_r; @@ -6290,15 +6371,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol certwatch_run(sysadm_t, sysadm_r) ') -@@ -127,18 +114,10 @@ +@@ -127,7 +114,7 @@ ') optional_policy(` - cron_admin_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - cvs_exec(sysadm_t) ++ su_exec(sysadm_t) + ') + + optional_policy(` +@@ -135,10 +122,6 @@ ') optional_policy(` @@ -6309,7 +6391,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dcc_run_cdcc(sysadm_t, sysadm_r) dcc_run_client(sysadm_t, sysadm_r) dcc_run_dbclean(sysadm_t, sysadm_r) -@@ -166,10 +145,6 @@ +@@ -166,10 +149,6 @@ ') optional_policy(` 
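Review bot: `su_exec(sysadm_t)` runs su inside sysadm_t itself rather than through a transition into a dedicated su domain, so su's PAM and shadow handling inherits whatever sysadm_t is allowed and any denials are attributed to sysadm_t rather than an su type. If that is the intent for this role, a one-line comment above it would save the next reader from re-deriving it from su.if, e.g. `# su runs directly in sysadm_t; no separate su domain for sysadm_r`. The su.if hunk earlier in this patch removes lines from the same module but is cut off here, so I cannot tell whether an su role template for sysadm_r still exists alongside this exec rule.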
@@ -6320,7 +6402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol firstboot_run(sysadm_t, sysadm_r) ') -@@ -178,22 +153,6 @@ +@@ -178,22 +157,6 @@ ') optional_policy(` @@ -6343,7 +6425,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_run(sysadm_t, sysadm_r) ') -@@ -212,11 +171,7 @@ +@@ -212,11 +175,7 @@ ') optional_policy(` @@ -6356,7 +6438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -228,10 +183,6 @@ +@@ -228,10 +187,6 @@ ') optional_policy(` @@ -6367,7 +6449,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logrotate_run(sysadm_t, sysadm_r) ') -@@ -255,14 +206,6 @@ +@@ -255,14 +210,6 @@ ') optional_policy(` @@ -6382,7 +6464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mta_role(sysadm_r, sysadm_t) ') -@@ -290,11 +233,6 @@ +@@ -290,11 +237,6 @@ ') optional_policy(` @@ -6394,7 +6476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol pcmcia_run_cardctl(sysadm_t, sysadm_r) ') -@@ -308,10 +246,6 @@ +@@ -308,10 +250,6 @@ ') optional_policy(` @@ -6405,7 +6487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol quota_run(sysadm_t, sysadm_r) ') -@@ -320,22 +254,10 @@ +@@ -320,22 +258,10 @@ ') optional_policy(` @@ -6428,7 +6510,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rsync_exec(sysadm_t) ') -@@ -345,10 +267,6 @@ +@@ -345,10 +271,6 @@ ') optional_policy(` @@ -6439,7 +6521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol secadm_role_change(sysadm_r) ') -@@ -358,35 +276,15 @@ +@@ -358,35 +280,15 @@ ') optional_policy(` 
@@ -6475,7 +6557,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tripwire_run_siggen(sysadm_t, sysadm_r) tripwire_run_tripwire(sysadm_t, sysadm_r) tripwire_run_twadmin(sysadm_t, sysadm_r) -@@ -394,18 +292,10 @@ +@@ -394,18 +296,10 @@ ') optional_policy(` @@ -6494,7 +6576,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(sysadm_t) ') -@@ -418,20 +308,12 @@ +@@ -418,20 +312,12 @@ ') optional_policy(` @@ -6515,7 +6597,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol vpn_run(sysadm_t, sysadm_r) ') -@@ -440,13 +322,5 @@ +@@ -440,13 +326,5 @@ ') optional_policy(` @@ -10611,7 +10693,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.12/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-09 05:33:16.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-21 16:03:54.000000000 -0400 @@ -38,6 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -10747,7 +10829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_debian',` # pam_limits is used -@@ -227,21 +256,43 @@ +@@ -227,21 +256,44 @@ ') ') @@ -10788,11 +10870,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - hal_dbus_send(crond_t) + hal_dbus_chat(crond_t) ++ hal_write_log(crond_t) + hal_dbus_chat(system_cronjob_t) ') optional_policy(` -@@ -268,8 +319,8 @@ +@@ -268,8 +320,8 @@ # System cron process domain # 
@@ -10803,7 +10886,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; -@@ -283,7 +334,14 @@ +@@ -283,7 +335,14 @@ allow system_cronjob_t cron_var_lib_t:file manage_file_perms; files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) @@ -10818,7 +10901,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -303,6 +361,7 @@ +@@ -303,6 +362,7 @@ allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; @@ -10826,7 +10909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -314,9 +373,13 @@ +@@ -314,9 +374,13 @@ filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -10841,7 +10924,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -370,7 +433,8 @@ +@@ -345,6 +409,7 @@ + fs_getattr_all_symlinks(system_cronjob_t) + fs_getattr_all_pipes(system_cronjob_t) + fs_getattr_all_sockets(system_cronjob_t) ++fs_list_inotifyfs(system_cronjob_t) + + # quiet other ps operations + domain_dontaudit_read_all_domains_state(system_cronjob_t) +@@ -370,7 +435,8 @@ init_read_utmp(system_cronjob_t) init_dontaudit_rw_utmp(system_cronjob_t) # prelink tells init to restart it self, we either need to allow or dontaudit 
@@ -10851,7 +10942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(system_cronjob_t) -@@ -378,6 +442,7 @@ +@@ -378,6 +444,7 @@ libs_exec_ld_so(system_cronjob_t) logging_read_generic_logs(system_cronjob_t) @@ -10859,7 +10950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(system_cronjob_t) miscfiles_read_localization(system_cronjob_t) -@@ -418,6 +483,10 @@ +@@ -418,6 +485,10 @@ ') optional_policy(` @@ -10870,7 +10961,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ftp_read_log(system_cronjob_t) ') -@@ -428,11 +497,20 @@ +@@ -428,11 +499,20 @@ ') optional_policy(` @@ -10891,7 +10982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -447,6 +525,7 @@ +@@ -447,6 +527,7 @@ prelink_read_cache(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_delete_cache(system_cronjob_t) @@ -10899,7 +10990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -460,8 +539,7 @@ +@@ -460,8 +541,7 @@ ') optional_policy(` @@ -10909,7 +11000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -469,24 +547,17 @@ +@@ -469,24 +549,17 @@ ') optional_policy(` @@ -10937,7 +11028,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cronjob_t self:process { signal_perms setsched }; allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; -@@ -570,6 +641,9 @@ +@@ -570,6 +643,9 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) 
@@ -11607,7 +11698,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.12/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/dbus.if 2009-04-13 10:31:12.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/dbus.if 2009-04-21 13:57:58.000000000 -0400 @@ -44,6 +44,7 @@ attribute session_bus_type; @@ -12477,7 +12568,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.12/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-03-23 13:47:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.te 2009-04-21 10:30:59.000000000 -0400 @@ -42,8 +42,7 @@ files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file) 
@@ -13382,6 +13473,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + polkit_read_reload(gnomeclock_t) +') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.if serefpolicy-3.6.12/policy/modules/services/gpm.if +--- nsaserefpolicy/policy/modules/services/gpm.if 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/gpm.if 2009-04-20 08:24:22.000000000 -0400 +@@ -16,7 +16,7 @@ + type gpmctl_t, gpm_t; + ') + +- allow $1 gpmctl_t:sock_file { getattr write }; ++ allow $1 gpmctl_t:sock_file rw_sock_file_perms; + allow $1 gpm_t:unix_stream_socket connectto; + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.6.12/policy/modules/services/gpm.te --- nsaserefpolicy/policy/modules/services/gpm.te 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/gpm.te 2009-04-07 16:01:44.000000000 -0400 @@ -13685,7 +13788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.12/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-04-11 07:33:35.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-04-20 07:58:45.000000000 -0400 @@ -49,6 +49,15 @@ type hald_var_lib_t; files_type(hald_var_lib_t) 
@@ -13745,16 +13848,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_search_nfs_state_data(hald_t) ') -@@ -301,12 +327,16 @@ - virt_manage_images(hald_t) +@@ -298,7 +324,11 @@ ') -+optional_policy(` -+ xserver_read_pid(hald_t) + optional_policy(` +- virt_manage_images(hald_t) ++ virtual_manage_image(hald_t) +') + ++optional_policy(` ++ xserver_read_pid(hald_t) + ') + ######################################## - # +@@ -306,7 +336,7 @@ # Hal acl local policy # @@ -17642,7 +17749,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.12/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/postfix.if 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/postfix.if 2009-04-20 07:42:10.000000000 -0400 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; @@ -17812,7 +17919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -500,3 +558,23 @@ +@@ -500,3 +558,43 @@ typeattribute $1 postfix_user_domtrans; ') 
@@ -17836,6 +17943,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) +') + ++######################################## ++## ++## Execute the master postdrop in the ++## postfix_postdrop domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`postfix_run_postdrop',` ++ gen_require(` ++ type postfix_postdrop_t; ++ ') ++ ++ postfix_domtrans_postdrop($1) ++ role $2 types postfix_postdrop_t; ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.12/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/postfix.te 2009-04-15 08:35:07.000000000 -0400 
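Review bot: `postfix_run_postdrop` uses `$2` in `role $2 types postfix_postdrop_t;` but its header documents only one parameter, so a caller reading the generated interface docs will not know that a role is required. Add a second param block describing the role allowed to enter postfix_postdrop_t, and the summary `Execute the master postdrop in the postfix_postdrop domain.` should say postdrop, since `master postdrop` reads as copied from another interface.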
@@ -19814,9 +19941,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ccs_stream_connect(ricci_modstorage_t) ccs_read_config(ricci_modstorage_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.6.12/policy/modules/services/rpcbind.te +--- nsaserefpolicy/policy/modules/services/rpcbind.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/rpcbind.te 2009-04-21 13:15:10.000000000 -0400 +@@ -40,6 +40,8 @@ + manage_sock_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) + files_var_lib_filetrans(rpcbind_t, rpcbind_var_lib_t, { file dir sock_file }) + ++fs_list_inotifyfs(rpcbind_t) ++ + kernel_read_system_state(rpcbind_t) + kernel_read_network_state(rpcbind_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-04-14 10:34:47.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-04-21 15:17:25.000000000 -0400 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write, false) @@ -19826,7 +19965,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_domain_template(gssd) -@@ -79,16 +79,25 @@ +@@ -74,21 +74,31 @@ + + files_manage_mounttab(rpcd_t) + ++fs_list_inotifyfs(rpcd_t) + fs_list_rpc(rpcd_t) + fs_read_rpc_files(rpcd_t) fs_read_rpc_symlinks(rpcd_t) fs_rw_rpc_sockets(rpcd_t) 
@@ -19852,16 +19997,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # NFSD local policy -@@ -116,7 +125,7 @@ +@@ -116,8 +126,9 @@ # for exportfs and rpc.mountd files_getattr_tmp_dirs(nfsd_t) # cjp: this should really have its own type -files_manage_mounttab(rpcd_t) +files_manage_mounttab(nfsd_t) ++fs_list_inotifyfs(nfsd_t) fs_mount_nfsd_fs(nfsd_t) fs_search_nfsd_fs(nfsd_t) -@@ -141,6 +150,7 @@ + fs_getattr_all_fs(nfsd_t) +@@ -125,6 +136,7 @@ + fs_rw_nfsd_fs(nfsd_t) + + storage_dontaudit_read_fixed_disk(nfsd_t) ++storage_raw_read_removable_device(nfsd_t) + + # Read access to public_content_t and public_content_rw_t + miscfiles_read_public_files(nfsd_t) +@@ -141,6 +153,7 @@ fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) ') @@ -19869,7 +20024,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`nfs_export_all_ro',` dev_getattr_all_blk_files(nfsd_t) -@@ -183,9 +193,12 @@ +@@ -175,6 +188,7 @@ + + corecmd_exec_bin(gssd_t) + ++fs_list_inotifyfs(gssd_t) + fs_list_rpc(gssd_t) + fs_rw_rpc_sockets(gssd_t) + fs_read_rpc_files(gssd_t) +@@ -183,9 +197,12 @@ files_read_usr_symlinks(gssd_t) auth_use_nsswitch(gssd_t) @@ -21834,7 +21997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-04-21 13:22:50.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; 
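Review bot: `storage_raw_read_removable_device(nfsd_t)` is an unconditional allow on raw removable block-device nodes, whereas the neighbouring fixed-disk rule is only `storage_dontaudit_read_fixed_disk(nfsd_t)` and the other device-wide grants for nfsd_t in this file, such as `dev_getattr_all_blk_files(nfsd_t)`, are gated behind the `nfs_export_all_ro` tunable. Raw reads of a device node bypass the permission checks of any filesystem mounted on it, so the NFS server should not receive this by default; wrap the new line in the existing `nfs_export_all_ro` tunable_policy block (or a dedicated boolean) and add a comment recording the use case the changelog entry "Allow nfs to share removable media" refers to. If the real need is to export a mounted removable filesystem rather than the device itself, the `fs_*` removable-file interfaces would be the narrower grant.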
@@ -21954,7 +22117,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; term_create_pty($1_t,$1_devpts_t) -@@ -229,7 +223,12 @@ +@@ -214,6 +208,7 @@ + allow $1_t sshd_key_t:file read_file_perms; + + kernel_read_kernel_sysctls($1_t) ++ kernel_read_network_state($1_t) + + corenet_all_recvfrom_unlabeled($1_t) + corenet_all_recvfrom_netlabel($1_t) +@@ -229,7 +224,12 @@ corenet_udp_bind_generic_node($1_t) corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) @@ -21967,7 +22138,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_dontaudit_getattr_all_fs($1_t) -@@ -254,9 +253,14 @@ +@@ -254,9 +254,14 @@ userdom_dontaudit_relabelfrom_user_ptys($1_t) userdom_search_user_home_dirs($1_t) @@ -21982,7 +22153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`use_samba_home_dirs',` -@@ -265,11 +269,7 @@ +@@ -265,11 +270,7 @@ optional_policy(` kerberos_use($1_t) @@ -21995,7 +22166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -454,6 +454,24 @@ +@@ -454,6 +455,24 @@ ######################################## ## @@ -22020,7 +22191,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read a ssh server unnamed pipe. ## ## -@@ -611,3 +629,42 @@ +@@ -611,3 +630,42 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') 
@@ -22843,7 +23014,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.12/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/virt.if 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/virt.if 2009-04-20 08:00:16.000000000 -0400 @@ -2,28 +2,6 @@ ######################################## @@ -22896,7 +23067,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern($1, virt_var_run_t, virt_var_run_t) ') -@@ -293,6 +272,41 @@ +@@ -272,11 +251,7 @@ + ') + + virt_search_lib($1) +- allow $1 virt_image_t:dir list_dir_perms; +- manage_dirs_pattern($1, virt_image_t, virt_image_t) +- manage_files_pattern($1, virt_image_t, virt_image_t) +- read_lnk_files_pattern($1, virt_image_t, virt_image_t) +- rw_blk_files_pattern($1, virt_image_t, virt_image_t) ++ virtual_manage_image($1) + + tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs($1) +@@ -293,6 +268,41 @@ ######################################## ## @@ -22938,7 +23122,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an virt environment ## -@@ -327,3 +341,53 @@ +@@ -327,3 +337,53 @@ virt_manage_log($1) ') 
@@ -22994,7 +23178,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-17 11:32:56.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-20 07:48:51.000000000 -0400 @@ -8,19 +8,24 @@ ## @@ -23067,7 +23251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace }; -allow virtd_t self:process { getsched sigkill signal execmem }; +allow virtd_t self:capability { chown dac_override ipc_lock kill mknod net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace }; -+allow virtd_t self:process { getsched sigkill signal execmem setexec setfscreate setsched }; ++allow virtd_t self:process { getsched sigkill signal signull execmem setexec setfscreate setsched }; allow virtd_t self:fifo_file rw_file_perms; allow virtd_t self:unix_stream_socket create_stream_socket_perms; allow virtd_t self:tcp_socket create_stream_socket_perms; @@ -25519,7 +25703,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-17 11:41:15.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-21 14:07:27.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) 
@@ -25623,7 +25807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol can_exec(initrc_t,initrc_tmp_t) -allow initrc_t initrc_tmp_t:file manage_file_perms; -allow initrc_t initrc_tmp_t:dir manage_dir_perms; -+allow initrc_t initrc_tmp_t:file relabelfrom; ++allow initrc_t initrc_tmp_t:file relabel_file_perms; +manage_chr_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) +manage_blk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) +manage_blk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) @@ -25687,12 +25871,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -343,14 +384,13 @@ +@@ -343,14 +384,14 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) -files_delete_all_locks(initrc_t) +files_manage_all_locks(initrc_t) ++files_manage_boot_files(initrc_t) files_read_all_pids(initrc_t) files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) @@ -25703,7 +25888,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_exec_etc_files(initrc_t) files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) -@@ -366,7 +406,9 @@ +@@ -366,7 +407,9 @@ libs_rw_ld_so_cache(initrc_t) libs_exec_lib_files(initrc_t) @@ -25713,7 +25898,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) -@@ -451,7 +493,7 @@ +@@ -451,7 +494,7 @@ # Red Hat systems seem to have a stray # fd open from the initrd 
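Review bot: Replacing `relabelfrom` with `relabel_file_perms` on `initrc_t initrc_tmp_t:file` widens the rule from one-way relabeling out of initrc_tmp_t to both directions (in refpolicy that macro expands to getattr plus relabelfrom and relabelto), and the hunk carries no comment saying which init script needs to label files into initrc_tmp_t. Add a why-comment above the line, e.g. `# <script> relabels its scratch files to initrc_tmp_t`, or keep the original `relabelfrom` if only the outgoing direction is exercised. The initrc_tmp_t rule group continues outside this hunk.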
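Review bot: `files_manage_boot_files(initrc_t)` grants every init script running as initrc_t create, write and delete on the file content under /boot, which is where the kernel images and bootloader configuration live, and neither the hunk nor the spec changelog records which script needs it. Add a comment naming the consumer, e.g. `# <script> rewrites /boot/<file> during shutdown`, and if it is a single service the grant belongs inside that service's optional_policy block rather than the unconditional initrc_t section alongside `files_manage_all_locks(initrc_t)`. Without that, a compromised or misbehaving init script has a policy-sanctioned path to replace boot artifacts.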
@@ -25722,7 +25907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_dontaudit_read_root_files(initrc_t) selinux_set_enforce_mode(initrc_t) -@@ -465,6 +507,7 @@ +@@ -465,6 +508,7 @@ storage_raw_read_fixed_disk(initrc_t) storage_raw_write_fixed_disk(initrc_t) @@ -25730,7 +25915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) # wants to read /.fonts directory -@@ -498,6 +541,7 @@ +@@ -498,6 +542,7 @@ optional_policy(` #for /etc/rc.d/init.d/nfs to create /etc/exports rpc_write_exports(initrc_t) @@ -25738,7 +25923,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -516,6 +560,33 @@ +@@ -516,6 +561,33 @@ ') ') @@ -25772,7 +25957,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -570,6 +641,10 @@ +@@ -570,6 +642,10 @@ dbus_read_config(initrc_t) optional_policy(` @@ -25783,7 +25968,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol networkmanager_dbus_chat(initrc_t) ') ') -@@ -591,6 +666,10 @@ +@@ -591,6 +667,10 @@ ') optional_policy(` @@ -25794,7 +25979,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_usbfs(initrc_t) # init scripts run /etc/hotplug/usb.rc -@@ -647,6 +726,11 @@ +@@ -647,6 +727,11 @@ ') optional_policy(` @@ -25806,7 +25991,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mailman_list_data(initrc_t) mailman_read_data_symlinks(initrc_t) ') -@@ -655,12 +739,6 @@ +@@ -655,12 +740,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') 
@@ -25819,17 +26004,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ifdef(`distro_redhat',` -@@ -721,6 +799,9 @@ +@@ -719,8 +798,6 @@ + # bash tries ioctl for some reason + files_dontaudit_ioctl_all_pids(initrc_t) - # why is this needed: - rpm_manage_db(initrc_t) -+ # Allow SELinux aware applications to request rpm_script_t execution -+ rpm_transition_script(initrc_t) -+ +- # why is this needed: +- rpm_manage_db(initrc_t) ') optional_policy(` -@@ -733,10 +814,12 @@ +@@ -733,10 +810,12 @@ squid_manage_logs(initrc_t) ') @@ -25842,7 +26026,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -754,6 +837,11 @@ +@@ -754,6 +833,11 @@ uml_setattr_util_sockets(initrc_t) ') @@ -25854,27 +26038,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` unconfined_domain(initrc_t) -@@ -761,6 +849,8 @@ - # system-config-services causes avc messages that should be dontaudited - unconfined_dontaudit_rw_pipes(daemon) - ') -+ # sudo service restart causes this -+ unconfined_signull(daemon) - +@@ -765,6 +849,13 @@ optional_policy(` mono_domtrans(initrc_t) -@@ -768,6 +858,10 @@ - ') - - optional_policy(` -+ rpm_dontaudit_rw_pipes(daemon) + ') ++ ++ # Allow SELinux aware applications to request rpm_script_t execution ++ rpm_transition_script(initrc_t) +') + +optional_policy(` - vmware_read_system_config(initrc_t) - vmware_append_system_config(initrc_t) ++ rpm_delete_db(initrc_t) ') -@@ -790,3 +884,25 @@ + + optional_policy(` +@@ -790,3 +881,35 @@ optional_policy(` zebra_read_config(initrc_t) ') 
@@ -25886,6 +26064,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +logging_append_all_logs(daemon) + +optional_policy(` ++ # sudo service restart causes this ++ unconfined_signull(daemon) ++') ++ ++ ++optional_policy(` ++ rpm_dontaudit_rw_pipes(daemon) ++') ++ ++optional_policy(` + xserver_rw_xdm_home_files(daemon) + tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files(daemon) @@ -26037,7 +26225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.12/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2009-03-20 12:39:39.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/iscsi.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/iscsi.te 2009-04-21 13:55:23.000000000 -0400 @@ -55,6 +55,7 @@ files_pid_filetrans(iscsid_t,iscsi_var_run_t,file) @@ -26438,7 +26626,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.12/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/logging.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/logging.te 2009-04-21 14:01:28.000000000 -0400 @@ -126,7 +126,7 @@ allow auditd_t self:process { signal_perms setpgid setsched }; allow auditd_t self:file rw_file_perms; 
@@ -26549,7 +26737,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.12/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/lvm.te 2009-04-09 10:07:34.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/lvm.te 2009-04-21 14:01:57.000000000 -0400 @@ -10,6 +10,9 @@ type clvmd_exec_t; init_daemon_domain(clvmd_t,clvmd_exec_t) @@ -26606,8 +26794,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(clvmd_t) files_list_usr(clvmd_t) -@@ -99,9 +109,12 @@ +@@ -97,11 +107,15 @@ + fs_search_auto_mountpoints(clvmd_t) + fs_dontaudit_list_tmpfs(clvmd_t) fs_dontaudit_read_removable_files(clvmd_t) ++fs_rw_anon_inodefs_files(clvmd_t) storage_dontaudit_getattr_removable_dev(clvmd_t) +storage_dev_filetrans_fixed_disk(clvmd_t) @@ -26619,7 +26810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_raw_read_fixed_disk(clvmd_t) auth_use_nsswitch(clvmd_t) -@@ -112,6 +125,9 @@ +@@ -112,6 +126,9 @@ seutil_dontaudit_search_config(clvmd_t) seutil_sigchld_newrole(clvmd_t) @@ -26629,7 +26820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(clvmd_t) userdom_dontaudit_search_user_home_dirs(clvmd_t) -@@ -124,6 +140,14 @@ +@@ -124,6 +141,14 @@ ') optional_policy(` @@ -26644,7 +26835,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol gpm_dontaudit_getattr_gpmctl(clvmd_t) ') -@@ -133,6 +157,14 @@ +@@ -133,6 +158,14 @@ ') optional_policy(` 
@@ -26659,7 +26850,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol udev_read_db(clvmd_t) ') -@@ -143,17 +175,19 @@ +@@ -143,17 +176,19 @@ # DAC overrides and mknod for modifying /dev entries (vgmknodes) # rawio needed for dmraid @@ -26682,7 +26873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) -@@ -185,6 +219,7 @@ +@@ -185,6 +220,7 @@ manage_files_pattern(lvm_t,lvm_metadata_t,lvm_metadata_t) filetrans_pattern(lvm_t,lvm_etc_t,lvm_metadata_t,file) files_etc_filetrans(lvm_t,lvm_metadata_t,file) @@ -26690,7 +26881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(lvm_t) kernel_read_kernel_sysctls(lvm_t) -@@ -192,6 +227,8 @@ +@@ -192,6 +228,8 @@ kernel_read_kernel_sysctls(lvm_t) # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) @@ -26699,7 +26890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -221,6 +258,7 @@ +@@ -221,6 +259,7 @@ dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -26707,7 +26898,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_xattr_fs(lvm_t) fs_search_auto_mountpoints(lvm_t) -@@ -239,12 +277,18 @@ +@@ -228,6 +267,7 @@ + fs_read_tmpfs_symlinks(lvm_t) + fs_dontaudit_read_removable_files(lvm_t) + fs_dontaudit_getattr_tmpfs_files(lvm_t) ++fs_rw_anon_inodefs_files(lvm_t) + + storage_relabel_fixed_disk(lvm_t) + storage_dontaudit_read_removable_device(lvm_t) +@@ -239,20 +279,28 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) 
@@ -26726,7 +26925,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: -@@ -253,6 +297,7 @@ + files_dontaudit_search_isid_type_dirs(lvm_t) ++files_dontaudit_getattr_tmpfs_files(lvm_t) + init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) init_use_script_ptys(lvm_t) @@ -26734,7 +26935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(lvm_t) -@@ -283,5 +328,22 @@ +@@ -283,5 +331,22 @@ ') optional_policy(` @@ -28367,8 +28568,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xen_append_log(ifconfig_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-04-07 15:53:36.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-04-09 05:27:54.000000000 -0400 -@@ -210,6 +210,11 @@ ++++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-04-21 14:41:11.000000000 -0400 +@@ -50,6 +50,7 @@ + allow udev_t self:unix_stream_socket connectto; + allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; + allow udev_t self:rawip_socket create_socket_perms; ++allow udev_t self:netlink_socket create_socket_perms; + + allow udev_t udev_exec_t:file write; + can_exec(udev_t, udev_exec_t) +@@ -140,6 +141,7 @@ + logging_send_audit_msgs(udev_t) + + miscfiles_read_localization(udev_t) ++miscfiles_read_hwdata(udev_t) + + modutils_domtrans_insmod(udev_t) + # read modules.inputmap: +@@ -210,6 +212,11 @@ ') optional_policy(` @@ -28380,7 +28597,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol lvm_domtrans(udev_t) ') -@@ -219,6 +224,7 @@ +@@ -219,6 +226,7 @@ optional_policy(` hal_dgram_send(udev_t) 
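Review bot: `allow udev_t self:netlink_socket create_socket_perms;` uses the generic netlink class even though udev's uevent traffic is already covered by the dedicated `netlink_kobject_uevent_socket` rule two lines above it, and the hunk does not say which netlink family needs the generic class. Add a comment naming the consumer, e.g. `# generic netlink class: needed for <family>, which has no dedicated netlink_*_socket class`, so a later maintainer can move the grant to a specific class if one becomes available. If the trigger was an AVC denial, quoting the denied family in the comment is the cheapest way to keep this broad grant from becoming permanent.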
@@ -28388,7 +28605,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -242,6 +248,10 @@ +@@ -242,6 +250,10 @@ ') optional_policy(` @@ -29161,7 +29378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-18 06:14:35.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-20 08:25:48.000000000 -0400 @@ -30,8 +30,9 @@ ') @@ -30146,7 +30363,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -986,37 +1050,47 @@ +@@ -986,37 +1050,55 @@ ') ') @@ -30189,6 +30406,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + optional_policy(` ++ gpm_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` + java_role_template($1, $1_r, $1_t) + ') + @@ -30200,6 +30421,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + mount_run($1_t, $1_r) + ') + ++ optional_policy(` ++ postfix_run_postdrop($1_t, $1_r) ++ ') ++ + # Run pppd in pppd_t by default for user + optional_policy(` + ppp_run_cond($1_t, $1_r) @@ -30208,7 +30433,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -1050,7 +1124,7 @@ +@@ -1050,7 +1132,7 @@ # template(`userdom_admin_user_template',` gen_require(` 
@@ -30217,7 +30442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1059,8 +1133,7 @@ +@@ -1059,8 +1141,7 @@ # # Inherit rules for ordinary users. @@ -30227,7 +30452,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1083,7 +1156,8 @@ +@@ -1083,7 +1164,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -30237,7 +30462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1099,6 +1173,7 @@ +@@ -1099,6 +1181,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -30245,7 +30470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1106,8 +1181,6 @@ +@@ -1106,8 +1189,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -30254,7 +30479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1162,20 +1235,6 @@ +@@ -1162,20 +1243,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -30275,7 +30500,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1221,6 +1280,7 @@ +@@ -1221,6 +1288,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -30283,7 +30508,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1286,11 +1346,15 @@ +@@ -1286,11 +1354,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; 
@@ -30299,7 +30524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1387,7 +1451,7 @@ +@@ -1387,7 +1459,7 @@ ######################################## ## @@ -30308,7 +30533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1420,6 +1484,14 @@ +@@ -1420,6 +1492,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -30323,7 +30548,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1435,9 +1507,11 @@ +@@ -1435,9 +1515,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -30335,7 +30560,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1494,6 +1568,25 @@ +@@ -1494,6 +1576,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -30361,7 +30586,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1568,6 +1661,8 @@ +@@ -1568,6 +1669,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -30370,7 +30595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1643,6 +1738,7 @@ +@@ -1643,6 +1746,7 @@ type user_home_dir_t, user_home_t; ') @@ -30378,7 +30603,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1741,30 +1837,80 @@ +@@ -1741,30 +1845,80 @@ ######################################## ## 
@@ -30441,7 +30666,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`userdom_dontaudit_delete_user_home_content_files',` + gen_require(` + type user_home_t; -+ ') + ') + + allow $1 user_home_t:dir delete_file_perms; +') @@ -30461,7 +30686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + gen_require(` + type user_home_dir_t; + attribute user_home_type; - ') ++ ') + + files_search_home($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) @@ -30469,7 +30694,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1787,6 +1933,46 @@ +@@ -1787,6 +1941,46 @@ ######################################## ## @@ -30516,7 +30741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete files ## in a user home subdirectory. ## -@@ -1799,6 +1985,7 @@ +@@ -1799,6 +1993,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -30524,7 +30749,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2328,7 +2515,7 @@ +@@ -2328,7 +2523,7 @@ ######################################## ## 
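Review bot: `userdom_dontaudit_delete_user_home_content_files` is named as a dontaudit interface, but its body is `allow $1 user_home_t:dir delete_file_perms;`, which grants the access instead of silencing the audit record and targets the `dir` class while the name and the `delete_file_perms` macro refer to files. A caller that only wants to quiet log noise would instead receive delete access on user home content. The body should read `dontaudit $1 user_home_t:file delete_file_perms;`. This interface body is context in the hunk (only the indentation of its closing `')` changes here), so the fix belongs in the underlying policy patch rather than in this whitespace-only change.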
@@ -30533,17 +30758,59 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2814,7 +3001,25 @@ +@@ -2814,12 +3009,12 @@ type user_tmp_t; ') - allow $1 user_tmp_t:file write_file_perms; + write_files_pattern($1, user_tmp_t, user_tmp_t) + ') + + ######################################## + ## +-## Do not audit attempts to use user ttys. ++## Delete all users files in /tmp + ## + ## + ## +@@ -2827,17 +3022,17 @@ + ## + ## + # +-interface(`userdom_dontaudit_use_user_ttys',` ++interface(`userdom_delete_user_tmp_files',` + gen_require(` +- type user_tty_device_t; ++ type user_tmp_t; + ') + +- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; ++ allow $1 user_tmp_t:file delete_file_perms; + ') + + ######################################## + ## +-## Read the process state of all user domains. ++## Do not audit attempts to use user ttys. + ## + ## + ## +@@ -2845,12 +3040,31 @@ + ## + ## + # +-interface(`userdom_read_all_users_state',` ++interface(`userdom_dontaudit_use_user_ttys',` ++ gen_require(` ++ type user_tty_device_t; ++ ') ++ ++ dontaudit $1 user_tty_device_t:chr_file rw_file_perms; +') + +######################################## +## -+## Delete all users files in /tmp ++## Read the process state of all user domains. +## +## +## @@ -30551,16 +30818,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`userdom_delete_user_tmp_files',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ allow $1 user_tmp_t:file delete_file_perms; - ') - - ######################################## -@@ -2851,6 +3056,7 @@ ++interface(`userdom_read_all_users_state',` + gen_require(` + attribute userdomain; ') read_files_pattern($1,userdomain,userdomain) @@ -30568,7 +30828,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -2981,3 +3187,481 @@ +@@ -2981,3 +3195,481 @@ allow $1 userdomain:dbus send_msg; ') 
@@ -31143,7 +31403,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# No application file contexts. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.12/policy/modules/system/virtual.if --- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/virtual.if 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/virtual.if 2009-04-20 07:58:28.000000000 -0400 @@ -0,0 +1,114 @@ +## Virtual machine emulator and virtualizer + @@ -31453,7 +31713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.12/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/xen.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/xen.te 2009-04-20 07:59:14.000000000 -0400 @@ -6,6 +6,13 @@ # Declarations # diff --git a/selinux-policy.spec b/selinux-policy.spec index 333b624..a5feca4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 8%{?dist} +Release: 11%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -446,6 +446,17 @@ exit 0 %endif %changelog +* Tue Apr 21 2009 Dan Walsh 3.6.12-11 +- Allow nsplugin unix_read and write on users shm and sem +- Allow sysadm_t to execute su + +* Tue Apr 21 2009 Dan Walsh 3.6.12-10 +- Dontaudit attempts to getattr user_tmpfs_t by lvm +- Allow nfs to share removable media + +* Mon Apr 20 2009 Dan Walsh 3.6.12-9 +- Add ability to run postdrop from confined users + * Sat Apr 18 2009 Dan Walsh 3.6.12-8 - Fixes for podsleuth