From b2c5e72a15d948e17c4c8b8cc37b0fda2cd26fad Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Aug 13 2009 22:33:07 +0000
Subject: - Make all unconfined_domains permissive so we can see what AVC's happen
---
diff --git a/policy-F12.patch b/policy-F12.patch
index 02c5d8d..8bf919a 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -568,7 +568,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.26/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/admin/rpm.if 2009-07-30 15:33:08.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/admin/rpm.if 2009-08-13 15:26:27.000000000 -0400
 @@ -66,6 +66,11 @@
 rpm_domtrans($1)
 role $2 types rpm_t;
@@ -1124,10 +1124,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.26/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/admin/vbetool.te 2009-07-30 15:33:08.000000000 -0400 -@@ -23,7 +23,10 @@ ++++ serefpolicy-3.6.26/policy/modules/admin/vbetool.te 2009-08-13 15:29:00.000000000 -0400 +@@ -15,15 +15,20 @@ + # Local policy + # + +-allow vbetool_t self:capability { sys_tty_config sys_admin }; ++allow vbetool_t self:capability { dac_override sys_tty_config sys_admin }; + allow vbetool_t self:process execmem; + + dev_wx_raw_memory(vbetool_t) + dev_read_raw_memory(vbetool_t) dev_rwx_zero(vbetool_t) - dev_read_sysfs(vbetool_t) +-dev_read_sysfs(vbetool_t) ++dev_rw_sysfs(vbetool_t) ++dev_rw_xserver_misc(vbetool_t) ++dev_rw_mtrr(vbetool_t) +domain_mmap_low_type(vbetool_t) +tunable_policy(`mmap_low_allowed',` @@ -1136,7 +1148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_unallocated_ttys(vbetool_t) -@@ -34,3 +37,8 @@ +@@ -34,3 +39,8 @@ hal_write_log(vbetool_t) hal_dontaudit_append_lib_files(vbetool_t) ') @@ -2693,7 +2705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.26/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.26/policy/modules/apps/nsplugin.te 2009-08-06 08:01:24.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/apps/nsplugin.te 2009-08-13 14:58:45.000000000 -0400 @@ -0,0 +1,286 @@ + +policy_module(nsplugin, 1.0.0) 
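Review bot: `dac_override` is added to vbetool_t's self:capability set in the vbetool.te hunk with no comment recording which access failed, and the same hunk widens `dev_read_sysfs(vbetool_t)` to `dev_rw_sysfs(vbetool_t)` and adds `dev_rw_xserver_misc` and `dev_rw_mtrr`. dac_override bypasses every DAC file-permission check for a domain that already holds raw memory write access, so it is worth confirming the denial was not only a directory search (which the narrower `dac_read_search` covers) before shipping it. A note next to the allow rule, e.g. `# dac_override: <AVC or bug reference> — needed to open <path>`, would keep the grant reviewable, and if the sysfs write is for a single attribute a narrower device interface may be enough.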
@@ -3137,8 +3149,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.6.26/policy/modules/apps/ptchown.te --- nsaserefpolicy/policy/modules/apps/ptchown.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.26/policy/modules/apps/ptchown.te 2009-08-12 14:55:11.000000000 -0400 -@@ -0,0 +1,35 @@ ++++ serefpolicy-3.6.26/policy/modules/apps/ptchown.te 2009-08-13 17:39:44.000000000 -0400 +@@ -0,0 +1,38 @@ +policy_module(ptchown,1.0.0) + +######################################## @@ -3158,7 +3170,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# ptchown local policy +# + -+allow ptchown_t self:capability { chown setuid }; ++allow ptchown_t self:capability { fowner chown setuid }; +allow ptchown_t self:process { getcap setcap }; + +# Init script handling @@ -3170,13 +3182,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +files_read_etc_files(ptchown_t) + ++fs_rw_anon_inodefs_files(ptchown_t) ++ ++term_use_generic_ptys(ptchown_t) +term_setattr_generic_ptys(ptchown_t) +term_setattr_all_user_ptys(ptchown_t) + +miscfiles_read_localization(ptchown_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.26/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/apps/pulseaudio.te 2009-08-04 05:32:34.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/apps/pulseaudio.te 2009-08-13 15:27:08.000000000 -0400 @@ -22,6 +22,7 @@ allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms }; allow pulseaudio_t self:tcp_socket create_stream_socket_perms; 
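Review bot: `fowner` joins ptchown_t's capability set in the `@@ -3158,7 +3170,7 @@` hunk without a comment on the operation that needs it, and the following hunk adds `fs_rw_anon_inodefs_files(ptchown_t)` and `term_use_generic_ptys(ptchown_t)` in the same way. fowner lets the domain change the mode and other attributes of files it does not own; for a pty-ownership helper the plausible trigger is the chmod that follows the chown, but that is inferred rather than shown here. A short comment such as `# fowner: chmod of the pty after chown (<AVC reference>)` beside the allow rule would let a later audit confirm the grant is still needed.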
@@ -3193,7 +3208,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_user_ttys(pulseaudio_t) term_use_all_user_ptys(pulseaudio_t) -@@ -85,8 +87,8 @@ +@@ -81,12 +83,15 @@ + ') + + optional_policy(` ++ rpm_dbus_chat(pulseaudio_t) ++') ++ ++optional_policy(` + udev_read_db(pulseaudio_t) ') optional_policy(` @@ -3202,7 +3225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_read_xdm_lib_files(pulseaudio_t) + xserver_common_app(pulseaudio_t) ') - +- diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.26/policy/modules/apps/qemu.fc --- nsaserefpolicy/policy/modules/apps/qemu.fc 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.6.26/policy/modules/apps/qemu.fc 2009-07-30 15:33:08.000000000 -0400 @@ -3643,8 +3666,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.26/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.26/policy/modules/apps/sambagui.te 2009-07-30 15:33:08.000000000 -0400 -@@ -0,0 +1,57 @@ ++++ serefpolicy-3.6.26/policy/modules/apps/sambagui.te 2009-08-13 09:46:37.000000000 -0400 +@@ -0,0 +1,55 @@ +policy_module(sambagui,1.0.0) + +######################################## 
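Review bot: `rpm_dbus_chat(pulseaudio_t)` in the pulseaudio.te hunk gives pulseaudio_t and rpm_t two-way D-Bus send_msg access, and nothing in the hunk records which interaction between an audio daemon and the package manager requires it. Since rpm_t is a privileged domain, a one-line comment naming the trigger, e.g. `# <bug/AVC reference>: pulseaudio <-> rpm D-Bus traffic`, would help the next reviewer decide whether the rule can be dropped once the component that drives it is confined separately.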
@@ -3700,8 +3723,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + policykit_dbus_chat(sambagui_t) +') -+ -+permissive sambagui_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.26/policy/modules/apps/sandbox.fc --- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.26/policy/modules/apps/sandbox.fc 2009-07-30 15:33:08.000000000 -0400 @@ -3709,8 +3730,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# No types are sandbox_exec_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.26/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.26/policy/modules/apps/sandbox.if 2009-07-30 15:33:08.000000000 -0400 -@@ -0,0 +1,145 @@ ++++ serefpolicy-3.6.26/policy/modules/apps/sandbox.if 2009-08-13 09:52:58.000000000 -0400 +@@ -0,0 +1,143 @@ + +## policy for sandbox + @@ -3834,8 +3855,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t) + manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t) + manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t) -+ -+# permissive $1_client_t; +') + +######################################## 
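Review bot: Dropping `permissive sambagui_t;` moves sambagui_t to enforcing mode, and the same flip is made for kernel_t (`@@ -5731,14 +5784,12 @@`), hald_dccm_t (`@@ -11176,8 +11260,6 @@`), shorewall_t (`@@ -15900,8 +15993,6 @@`) and virtd_t (`@@ -17427,8 +17519,6 @@`), while the commit subject only speaks of making unconfined domains permissive. That is the right direction for hardening — kernel_t in particular should not remain permissive in a shipped policy — but the behavior change is not traceable from the message. Listing the domains switched to enforcing in the changelog entry would let a later regression be matched to this commit.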
@@ -4516,7 +4535,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.26/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/devices.fc 2009-08-03 06:30:31.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/devices.fc 2009-08-13 15:24:04.000000000 -0400 @@ -47,8 +47,10 @@ /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) @@ -4536,9 +4555,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0) +@@ -148,6 +151,8 @@ + /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) + ++/dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++ + /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) + /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) + /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.26/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/devices.if 2009-08-11 18:56:44.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/devices.if 2009-08-13 15:36:14.000000000 -0400 
@@ -1655,6 +1655,78 @@ ######################################## @@ -5120,7 +5148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.26/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/files.if 2009-08-10 11:51:27.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/files.if 2009-08-13 18:17:55.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -5531,7 +5559,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.26/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/filesystem.if 2009-08-11 16:06:07.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/filesystem.if 2009-08-13 15:46:05.000000000 -0400 @@ -1537,6 +1537,24 @@ ######################################## 
@@ -5557,7 +5585,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Search inotifyfs filesystem. ## ## -@@ -3971,3 +3989,23 @@ +@@ -2542,6 +2560,24 @@ + + ######################################## + ## ++## Getattr files on an nfsd filesystem ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_getattr_nfsd_files',` ++ gen_require(` ++ type nfsd_fs_t; ++ ') ++ ++ allow $1 nfsd_fs_t:file getattr; ++') ++ ++######################################## ++## + ## Read and write NFS server files. + ## + ## +@@ -3971,3 +4007,23 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') @@ -5655,7 +5708,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.26/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/kernel.te 2009-07-30 15:33:08.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/kernel.te 2009-08-13 18:32:39.000000000 -0400 @@ -63,6 +63,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) 
@@ -5731,14 +5784,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -387,3 +410,7 @@ +@@ -387,3 +410,5 @@ allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; + +files_boot(kernel_t) -+ -+permissive kernel_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.26/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.6.26/policy/modules/kernel/selinux.if 2009-07-30 15:33:08.000000000 -0400 @@ -9207,14 +9258,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.26/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/consolekit.if 2009-08-10 13:11:45.000000000 -0400 -@@ -57,3 +57,23 @@ ++++ serefpolicy-3.6.26/policy/modules/services/consolekit.if 2009-08-13 15:40:37.000000000 -0400 +@@ -57,3 +57,42 @@ read_files_pattern($1, consolekit_log_t, consolekit_log_t) files_search_pids($1) ') + +######################################## +## ++## Manage consolekit log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`consolekit_manage_log',` ++ gen_require(` ++ type consolekit_log_t; ++ ') ++ ++ manage_files_pattern($1, consolekit_log_t, consolekit_log_t) ++ files_search_pids($1) ++') ++ ++######################################## ++## +## Read consolekit PID files. +## +## 
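Review bot: The new `consolekit_manage_log` interface in the consolekit.if hunk pairs `manage_files_pattern($1, consolekit_log_t, consolekit_log_t)` with `files_search_pids($1)`, copying the existing read interface visible in the context lines. If consolekit_log_t is applied under /var/log (consolekit.fc is not in this chunk, so I cannot confirm), callers need `logging_search_logs($1)` to reach the directory and the pids search is unrelated to the log type. Worth checking against consolekit.fc and adjusting both interfaces together so the manage variant does not inherit a copy-paste mismatch.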
@@ -10410,7 +10480,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 devicekit_t:process { ptrace signal_perms getattr }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.26/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/devicekit.te 2009-08-11 13:59:10.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/devicekit.te 2009-08-13 09:46:15.000000000 -0400 @@ -36,12 +36,15 @@ manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) @@ -10490,22 +10560,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(devicekit_disk_t) policykit_read_lib(devicekit_disk_t) policykit_read_reload(devicekit_disk_t) -@@ -134,14 +152,28 @@ +@@ -134,14 +152,22 @@ udev_read_db(devicekit_disk_t) ') + -+#ifdef(`TESTING',` -+ permissive devicekit_t; -+ permissive devicekit_power_t; -+ permissive devicekit_disk_t; -+#',` -+#optional_policy(` -+# unconfined_domain(devicekit_t) -+# unconfined_domain(devicekit_power_t) -+# unconfined_domain(devicekit_disk_t) -+#') -+#') ++optional_policy(` ++ unconfined_domain(devicekit_t) ++ unconfined_domain(devicekit_power_t) ++ unconfined_domain(devicekit_disk_t) ++') + ######################################## # @@ -10520,7 +10584,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -@@ -151,6 +183,7 @@ +@@ -151,6 +177,7 @@ kernel_read_system_state(devicekit_power_t) kernel_rw_hotplug_sysctls(devicekit_power_t) kernel_rw_kernel_sysctl(devicekit_power_t) 
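Review bot: `unconfined_domain(devicekit_t)`, `unconfined_domain(devicekit_power_t)` and `unconfined_domain(devicekit_disk_t)` replace the previously live `permissive devicekit_t;` lines (the `#ifdef` around them was a comment, so they were in effect), giving all three DeviceKit daemons the unconfined allow set whenever the unconfined module is loaded — optional_policy gates on module presence, not on a boolean. That works against the stated goal of seeing which AVCs these daemons produce: a permissive domain logs every denial, whereas an unconfined one is mostly just allowed and leaves little in the audit log, and the confinement the surrounding rules are building for them is set aside. If the intent is data collection, the removed `permissive` statements are the mechanism that yields the AVCs; if the intent is to unconfine them for now, a comment such as `# temporary: DeviceKit domains unconfined until <bug reference> is resolved` above the block would make the scope and lifetime explicit.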
@@ -10528,7 +10592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) -@@ -159,6 +192,7 @@ +@@ -159,6 +186,7 @@ domain_read_all_domains_state(devicekit_power_t) @@ -10536,7 +10600,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) -@@ -167,12 +201,16 @@ +@@ -167,12 +195,16 @@ files_read_etc_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) @@ -10553,7 +10617,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_read_all_users_state(devicekit_power_t) optional_policy(` -@@ -180,8 +218,11 @@ +@@ -180,8 +212,11 @@ ') optional_policy(` @@ -10566,7 +10630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow devicekit_power_t devicekit_t:dbus send_msg; optional_policy(` -@@ -203,17 +244,23 @@ +@@ -203,17 +238,23 @@ optional_policy(` hal_domtrans_mac(devicekit_power_t) 
@@ -10663,8 +10727,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_sendrecv_generic_if(fetchmail_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.26/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/fprintd.te 2009-07-30 15:33:08.000000000 -0400 -@@ -51,5 +51,7 @@ ++++ serefpolicy-3.6.26/policy/modules/services/fprintd.te 2009-08-13 12:03:17.000000000 -0400 +@@ -37,6 +37,8 @@ + files_read_etc_files(fprintd_t) + files_read_usr_files(fprintd_t) + ++fs_getattr_all_fs(fprintd_t) ++ + auth_use_nsswitch(fprintd_t) + + miscfiles_read_localization(fprintd_t) +@@ -51,5 +53,7 @@ optional_policy(` policykit_read_reload(fprintd_t) policykit_read_lib(fprintd_t) @@ -11043,7 +11116,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.26/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/hal.te 2009-08-05 17:09:21.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/hal.te 2009-08-13 12:00:48.000000000 -0400 @@ -55,6 +55,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) 
@@ -11074,7 +11147,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_getattr_all_mountpoints(hald_t) mls_file_read_all_levels(hald_t) -@@ -290,6 +299,7 @@ +@@ -202,8 +211,9 @@ + seutil_read_default_contexts(hald_t) + seutil_read_file_contexts(hald_t) + +-sysnet_read_config(hald_t) + sysnet_domtrans_dhcpc(hald_t) ++sysnet_read_config(hald_t) ++sysnet_read_dhcp_config(hald_t) + + userdom_dontaudit_use_unpriv_user_fds(hald_t) + userdom_dontaudit_search_user_home_dirs(hald_t) +@@ -290,6 +300,7 @@ ') optional_policy(` @@ -11082,7 +11166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(hald_t) policykit_domtrans_resolve(hald_t) policykit_read_lib(hald_t) -@@ -321,6 +331,10 @@ +@@ -321,6 +332,10 @@ virt_manage_images(hald_t) ') @@ -11093,7 +11177,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Hal acl local policy -@@ -341,6 +355,7 @@ +@@ -341,6 +356,7 @@ manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) @@ -11101,7 +11185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(hald_acl_t) -@@ -357,6 +372,8 @@ +@@ -357,6 +373,8 @@ files_read_usr_files(hald_acl_t) files_read_etc_files(hald_acl_t) @@ -11110,7 +11194,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_getattr_removable_dev(hald_acl_t) storage_setattr_removable_dev(hald_acl_t) storage_getattr_fixed_disk_dev(hald_acl_t) -@@ -369,6 +386,7 @@ +@@ -369,6 +387,7 @@ miscfiles_read_localization(hald_acl_t) optional_policy(` 
@@ -11118,7 +11202,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(hald_acl_t) policykit_read_lib(hald_acl_t) policykit_read_reload(hald_acl_t) -@@ -450,12 +468,16 @@ +@@ -450,12 +469,16 @@ miscfiles_read_localization(hald_keymap_t) @@ -11137,7 +11221,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow hald_dccm_t self:process getsched; allow hald_dccm_t self:tcp_socket create_stream_socket_perms; allow hald_dccm_t self:udp_socket create_socket_perms; -@@ -469,10 +491,22 @@ +@@ -469,10 +492,22 @@ manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) files_search_var_lib(hald_dccm_t) @@ -11160,7 +11244,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(hald_dccm_t) corenet_all_recvfrom_netlabel(hald_dccm_t) corenet_tcp_sendrecv_generic_if(hald_dccm_t) -@@ -484,6 +518,7 @@ +@@ -484,6 +519,7 @@ corenet_tcp_bind_generic_node(hald_dccm_t) corenet_udp_bind_generic_node(hald_dccm_t) corenet_udp_bind_dhcpc_port(hald_dccm_t) @@ -11168,7 +11252,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_dccm_port(hald_dccm_t) logging_send_syslog_msg(hald_dccm_t) -@@ -491,3 +526,9 @@ +@@ -491,3 +527,7 @@ files_read_usr_files(hald_dccm_t) miscfiles_read_localization(hald_dccm_t) @@ -11176,8 +11260,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + dbus_system_bus_client(hald_dccm_t) +') -+ -+permissive hald_dccm_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.fc serefpolicy-3.6.26/policy/modules/services/hddtemp.fc --- nsaserefpolicy/policy/modules/services/hddtemp.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.26/policy/modules/services/hddtemp.fc 2009-08-11 14:24:37.000000000 -0400 
@@ -12672,8 +12754,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.26/policy/modules/services/nslcd.te --- nsaserefpolicy/policy/modules/services/nslcd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.26/policy/modules/services/nslcd.te 2009-07-30 15:33:09.000000000 -0400 -@@ -0,0 +1,50 @@ ++++ serefpolicy-3.6.26/policy/modules/services/nslcd.te 2009-08-13 09:51:48.000000000 -0400 +@@ -0,0 +1,48 @@ +policy_module(nslcd,1.0.0) + +######################################## @@ -12685,8 +12767,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type nslcd_exec_t; +init_daemon_domain(nslcd_t, nslcd_exec_t) + -+#permissive nslcd_t; -+ +type nslcd_initrc_exec_t; +init_script_file(nslcd_initrc_exec_t) + 
@@ -12976,18 +13056,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.26/policy/modules/services/policykit.fc --- nsaserefpolicy/policy/modules/services/policykit.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/policykit.fc 2009-07-31 06:55:00.000000000 -0400 -@@ -1,7 +1,9 @@ ++++ serefpolicy-3.6.26/policy/modules/services/policykit.fc 2009-08-13 15:56:23.000000000 -0400 +@@ -1,10 +1,13 @@ /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) -+/usr/libexec/polkit-gnome-authentication-agent-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) /usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) -/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) +/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) ++/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) /var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0) /var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) ++/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) + /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) + /var/run/PolicyKit(/.*)? 
gen_context(system_u:object_r:policykit_var_run_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.26/policy/modules/services/policykit.if --- nsaserefpolicy/policy/modules/services/policykit.if 2009-07-23 14:11:04.000000000 -0400 +++ serefpolicy-3.6.26/policy/modules/services/policykit.if 2009-08-03 06:44:10.000000000 -0400 @@ -14789,7 +14873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.26/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/samba.te 2009-08-06 07:30:26.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/samba.te 2009-08-13 18:18:57.000000000 -0400 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -14823,7 +14907,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` pcscd_read_pub_files(samba_net_t) -@@ -341,6 +350,8 @@ +@@ -325,6 +334,8 @@ + files_read_etc_runtime_files(smbd_t) + files_read_usr_files(smbd_t) + files_search_spool(smbd_t) ++# smbd seems to getattr all mountpoints ++files_dontaudit_getattr_all_dirs(smbd_t) + # Allow samba to list mnt_t for potential mounted dirs + files_list_mnt(smbd_t) + +@@ -341,6 +352,8 @@ usermanage_read_crack_db(smbd_t) @@ -14832,7 +14925,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) -@@ -352,19 +363,19 @@ +@@ -352,19 +365,19 @@ ') tunable_policy(`samba_domain_controller',` 
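Review bot: The removed `-+/usr/libexec/polkit-gnome-authentication-agent-1` line in the policykit.fc hunk means the GNOME authentication agent no longer gets policykit_auth_exec_t and falls back to the default label for /usr/libexec, while `/usr/libexec/polkit-1/polkit-agent-helper-1` now takes that label. If this is deliberate (for instance because only the helper should enter policykit_auth_t and the agent belongs in the user session — inferred, not shown here), a line in the changelog saying so would help, since placed next to the added entry it reads like an accidental drop. The polkit.if header change at the end of this hunk is a timestamp only.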
@@ -14858,7 +14951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') # Support Samba sharing of NFS mount points -@@ -376,6 +387,15 @@ +@@ -376,6 +389,15 @@ fs_manage_nfs_named_sockets(smbd_t) ') @@ -14874,7 +14967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) -@@ -391,6 +411,11 @@ +@@ -391,6 +413,11 @@ ') optional_policy(` @@ -14886,7 +14979,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_search_nfs_state_data(smbd_t) ') -@@ -405,13 +430,15 @@ +@@ -405,13 +432,15 @@ tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) @@ -14903,7 +14996,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_read_all_files_except_shadow(nmbd_t) ') -@@ -420,8 +447,8 @@ +@@ -420,8 +449,8 @@ auth_manage_all_files_except_shadow(smbd_t) fs_read_noxattr_fs_files(nmbd_t) auth_manage_all_files_except_shadow(nmbd_t) @@ -14913,7 +15006,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -@@ -525,6 +552,7 @@ +@@ -525,6 +554,7 @@ allow smbcontrol_t winbind_t:process { signal signull }; @@ -14921,7 +15014,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -638,6 +666,10 @@ +@@ -638,6 +668,10 @@ allow swat_t smbd_var_run_t:file { lock unlink }; @@ -14932,7 +15025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t) -@@ -713,12 +745,23 @@ +@@ -713,12 +747,23 @@ kerberos_use(swat_t) ') 
@@ -14957,7 +15050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; -@@ -866,6 +909,16 @@ +@@ -866,6 +911,16 @@ # optional_policy(` @@ -14974,7 +15067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -876,9 +929,12 @@ +@@ -876,9 +931,12 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -15803,8 +15896,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.26/policy/modules/services/shorewall.te --- nsaserefpolicy/policy/modules/services/shorewall.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.26/policy/modules/services/shorewall.te 2009-07-30 15:33:09.000000000 -0400 -@@ -0,0 +1,97 @@ ++++ serefpolicy-3.6.26/policy/modules/services/shorewall.te 2009-08-13 09:47:21.000000000 -0400 +@@ -0,0 +1,95 @@ +policy_module(shorewall,1.0.0) + +######################################## @@ -15900,8 +15993,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + ulogd_search_log(shorewall_t) +') -+ -+permissive shorewall_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.26/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.6.26/policy/modules/services/smartmon.te 2009-07-30 15:33:09.000000000 -0400 
@@ -17012,7 +17103,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.26/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/virt.if 2009-08-12 16:06:07.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/virt.if 2009-08-13 15:24:46.000000000 -0400 @@ -103,7 +103,7 @@ ######################################## @@ -17110,7 +17201,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an virt environment ## -@@ -327,3 +364,76 @@ +@@ -327,3 +364,77 @@ virt_manage_log($1) ') @@ -17184,12 +17275,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + files_search_var($1) ++ manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t) + manage_files_pattern($1, svirt_cache_t, svirt_cache_t) + manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.26/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/virt.te 2009-08-12 16:05:46.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/virt.te 2009-08-13 16:49:58.000000000 -0400 @@ -20,6 +20,28 @@ ## gen_tunable(virt_use_samba, false) 
@@ -17391,16 +17483,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + lvm_domtrans(virtd_t) +') -+ -+optional_policy(` + + optional_policy(` +- qemu_domtrans(virtd_t) + policykit_dbus_chat(virtd_t) + policykit_domtrans_auth(virtd_t) + policykit_domtrans_resolve(virtd_t) + policykit_read_lib(virtd_t) +') - - optional_policy(` -- qemu_domtrans(virtd_t) ++ ++optional_policy(` + qemu_spec_domtrans(virtd_t, svirt_t) qemu_read_state(virtd_t) qemu_signal(virtd_t) @@ -17409,7 +17501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -195,8 +292,161 @@ +@@ -195,8 +292,159 @@ xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) @@ -17427,8 +17519,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) +manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) + -+permissive virtd_t; -+ +######################################## +# +# svirt local policy @@ -17595,8 +17685,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.26/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/xserver.fc 2009-07-30 15:33:09.000000000 -0400 -@@ -3,12 +3,16 @@ ++++ serefpolicy-3.6.26/policy/modules/services/xserver.fc 2009-08-13 13:40:39.000000000 -0400 +@@ -3,12 +3,17 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) 
@@ -17607,13 +17697,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) -+HOME_DIR/\.dmrc -- gen_context(system_u:object_r:xdm_home_t,s0) ++HOME_DIR/\.dmrc -- gen_context(system_u:object_r:xdm_home_t,s0) -+/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) ++/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) ++/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) # # /dev # -@@ -32,11 +36,6 @@ +@@ -32,11 +37,6 @@ /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) @@ -17625,7 +17716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /opt # -@@ -61,7 +60,9 @@ +@@ -61,7 +61,9 @@ /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) @@ -17635,7 +17726,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) ifdef(`distro_debian', ` -@@ -89,16 +90,27 @@ +@@ -89,16 +91,27 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) 
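Review bot: The two new root entries `/root/\.Xauth.*` and `/root/\.xauth.*` both label to xauth_home_t, and the capitalised one is broader than the `HOME_DIR/\.Xauthority.*` pattern it mirrors a few lines up, so /root and HOME_DIR are now labelled by different rules. For consistency either tighten it to `/root/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)` or fold both root entries into one `/root/\.[xX]auth.* -- gen_context(system_u:object_r:xauth_home_t,s0)` line. The `HOME_DIR/\.dmrc` line appears in this hunk only because its column spacing changed.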
@@ -19843,7 +19934,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.26/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-07-30 09:44:08.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/system/init.te 2009-08-12 16:06:54.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/system/init.te 2009-08-13 15:46:16.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) @@ -19912,7 +20003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -+ consolekit_read_log(init_t) ++ consolekit_manage_log(init_t) +') + +optional_policy(` @@ -20005,7 +20096,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs fs_write_ramfs_pipes(initrc_t) -@@ -328,7 +375,7 @@ +@@ -289,6 +336,8 @@ + fs_unmount_all_fs(initrc_t) + fs_remount_all_fs(initrc_t) + fs_getattr_all_fs(initrc_t) ++fs_search_nfsd_fs(initrc_t) ++fs_getattr_nfsd_files(initrc_t) + + # initrc_t needs to do a pidof which requires ptrace + mcs_ptrace_all(initrc_t) +@@ -328,7 +377,7 @@ domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -20014,7 +20114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -343,14 +390,15 @@ +@@ -343,14 +392,15 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
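Review bot: Changing `consolekit_read_log(init_t)` to `consolekit_manage_log(init_t)` widens init_t from reading ConsoleKit's log to creating, writing and deleting it, and neither the hunk nor the changelog says which operation of init was denied. A why-comment on the call, e.g. `# init writes the ConsoleKit log at shutdown -- TODO cite the AVC`, would record the justification; if the denial was only an append, a narrower ConsoleKit interface would be preferable to manage. The enclosing optional_policy block is fully visible, but the `fs_search_nfsd_fs(initrc_t)` / `fs_getattr_nfsd_files(initrc_t)` additions in the next inner hunk would benefit from the same one-line reason.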
@@ -20032,7 +20132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_exec_etc_files(initrc_t) files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) -@@ -366,7 +414,9 @@ +@@ -366,7 +416,9 @@ libs_rw_ld_so_cache(initrc_t) libs_exec_lib_files(initrc_t) @@ -20042,7 +20142,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) -@@ -423,8 +473,6 @@ +@@ -423,8 +475,6 @@ # init scripts touch this clock_dontaudit_write_adjtime(initrc_t) @@ -20051,7 +20151,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for integrated run_init to read run_init_type. # happens during boot (/sbin/rc execs init scripts) seutil_read_default_contexts(initrc_t) -@@ -451,11 +499,9 @@ +@@ -451,11 +501,9 @@ # Red Hat systems seem to have a stray # fd open from the initrd @@ -20064,7 +20164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # These seem to be from the initrd # during device initialization: dev_create_generic_dirs(initrc_t) -@@ -465,6 +511,7 @@ +@@ -465,6 +513,7 @@ storage_raw_read_fixed_disk(initrc_t) storage_raw_write_fixed_disk(initrc_t) @@ -20072,7 +20172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) # wants to read /.fonts directory -@@ -498,6 +545,7 @@ +@@ -498,6 +547,7 @@ optional_policy(` #for /etc/rc.d/init.d/nfs to create /etc/exports rpc_write_exports(initrc_t) @@ -20080,7 +20180,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -516,6 +564,33 @@ +@@ -516,6 +566,33 @@ ') ') 
@@ -20114,7 +20214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -570,6 +645,10 @@ +@@ -570,6 +647,10 @@ dbus_read_config(initrc_t) optional_policy(` @@ -20125,7 +20225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol networkmanager_dbus_chat(initrc_t) ') ') -@@ -591,6 +670,10 @@ +@@ -591,6 +672,10 @@ ') optional_policy(` @@ -20136,7 +20236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_usbfs(initrc_t) # init scripts run /etc/hotplug/usb.rc -@@ -647,20 +730,20 @@ +@@ -647,20 +732,20 @@ ') optional_policy(` @@ -20163,7 +20263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ifdef(`distro_redhat',` -@@ -669,6 +752,7 @@ +@@ -669,6 +754,7 @@ mysql_stream_connect(initrc_t) mysql_write_log(initrc_t) @@ -20171,7 +20271,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -697,7 +781,6 @@ +@@ -697,7 +783,6 @@ ') optional_policy(` @@ -20179,7 +20279,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -719,8 +802,6 @@ +@@ -719,8 +804,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -20188,7 +20288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -733,10 +814,12 @@ +@@ -733,10 +816,12 @@ squid_manage_logs(initrc_t) ') @@ -20201,7 +20301,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -755,6 +838,15 @@ +@@ -755,6 +840,15 @@ ') optional_policy(` 
@@ -20217,7 +20317,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domain(initrc_t) ifdef(`distro_redhat',` -@@ -765,6 +857,13 @@ +@@ -765,6 +859,13 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -20231,7 +20331,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -790,3 +889,31 @@ +@@ -790,3 +891,31 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -22504,7 +22604,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.26/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/system/sysnetwork.if 2009-08-11 13:58:43.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/system/sysnetwork.if 2009-08-13 12:00:25.000000000 -0400 @@ -43,6 +43,39 @@ sysnet_domtrans_dhcpc($1) @@ -22592,7 +22692,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -541,6 +594,7 @@ +@@ -464,6 +517,7 @@ + ') + + files_search_etc($1) ++ allow $1 dhcp_etc_t:dir list_dir_perms; + read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) + ') + +@@ -541,6 +595,7 @@ type net_conf_t; ') @@ -22600,7 +22708,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; -@@ -557,6 +611,14 @@ +@@ -557,6 +612,14 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; 
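Review bot: The added `allow $1 dhcp_etc_t:dir list_dir_perms;` in the sysnetwork.if hunk turns what the neighbouring `read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)` suggests is a read-config interface into one that also lists the directory, and the interface's `##` doc header should say so. The refpolicy idiom for this grant is `list_dirs_pattern($1, dhcp_etc_t, dhcp_etc_t)`, which keeps the style consistent with the pattern call on the next line. The interface name and its description are outside the hunk, so the header cannot be checked here.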
@@ -22615,7 +22723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -586,6 +648,8 @@ +@@ -586,6 +649,8 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; @@ -22624,7 +22732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -620,3 +684,49 @@ +@@ -620,3 +685,49 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; ') @@ -22889,7 +22997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.26/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/system/udev.te 2009-08-11 14:30:39.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/system/udev.te 2009-08-13 09:56:06.000000000 -0400 @@ -50,6 +50,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -22922,22 +23030,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(udev_t) # read modules.inputmap: -@@ -182,9 +186,11 @@ - # for arping used for static IP addresses on PCMCIA ethernet - netutils_domtrans(udev_t) - -- optional_policy(` -- unconfined_domain(udev_t) -- ') -+ permissive udev_t; -+ -+# optional_policy(` -+# unconfined_domain(udev_t) -+# ') - ') - - optional_policy(` -@@ -194,6 +200,10 @@ +@@ -194,6 +198,10 @@ ') optional_policy(` @@ -22948,7 +23041,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol brctl_domtrans(udev_t) ') -@@ -202,14 +212,27 @@ +@@ -202,14 +210,27 @@ ') optional_policy(` 
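Review bot: Reverting the earlier `permissive udev_t;` back to upstream's `optional_policy(` / `unconfined_domain(udev_t)` in the udev.te hunk means udev_t's mode now depends entirely on what unconfined_domain() does in unconfined.if, which this same commit reduces to a bare `permissive $1;`. When that interface is later restored to its real allow rules, udev will silently flip from permissive to unconfined with nothing in this file recording that it was permissive-by-proxy. A comment at the call site, e.g. `# unconfined_domain() currently only sets permissive; see unconfined.if`, or a changelog line, would keep that coupling visible. The distro_redhat block this sits in starts outside the hunk.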
@@ -22976,7 +23069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol lvm_domtrans(udev_t) ') -@@ -219,6 +242,7 @@ +@@ -219,6 +240,7 @@ optional_policy(` hal_dgram_send(udev_t) @@ -22984,7 +23077,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -228,6 +252,10 @@ +@@ -228,6 +250,10 @@ ') optional_policy(` @@ -22995,7 +23088,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -242,6 +270,14 @@ +@@ -242,6 +268,18 @@ ') optional_policy(` @@ -23007,6 +23100,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ unconfined_signal(udev_t) ++') ++ ++optional_policy(` kernel_write_xen_state(udev_t) kernel_read_xen_state(udev_t) xen_manage_log(udev_t) @@ -23032,7 +23129,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.26/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/system/unconfined.if 2009-07-30 15:33:09.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/system/unconfined.if 2009-08-13 16:47:59.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` 
@@ -23103,18 +23200,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -111,6 +122,10 @@ +@@ -111,16 +122,17 @@ ## # interface(`unconfined_domain',` +- unconfined_domain_noaudit($1) + gen_require(` + attribute unconfined_services; + ') + - unconfined_domain_noaudit($1) ++ # unconfined_domain_noaudit($1) ++ permissive $1; tunable_policy(`allow_execheap',` -@@ -173,411 +188,3 @@ + auditallow $1 self:process execheap; + ') + +-# Turn off this audit for FC5 +-# tunable_policy(`allow_execmem',` +-# auditallow $1 self:process execmem; +-# ') + ') + + ######################################## +@@ -173,411 +185,3 @@ refpolicywarn(`$0($1) has been deprecated.') ') @@ -23777,7 +23886,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.26/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/system/userdomain.if 2009-08-10 11:36:42.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/system/userdomain.if 2009-08-12 16:13:59.000000000 -0400 @@ -30,8 +30,9 @@ ') 
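Review bot: `permissive $1;` in unconfined_domain() is an unconditional, policy-wide switch with no ifdef, tunable or comment marking it as temporary, and the `# unconfined_domain_noaudit($1)` above it is commented-out code rather than an explanation. Replace that line with `# TEMPORARY (F12 devel): callers run permissive instead of unconfined so their AVCs are logged; restore unconfined_domain_noaudit($1) before release` and consider wrapping the two lines in an m4 ifdef on a build-time flag (name of your choosing) so the behaviour can be switched off without editing the interface. Enforcement-wise a permissive domain is as unrestricted as an unconfined one, but any rule elsewhere that relies on the attributes unconfined_domain_noaudit() presumably assigns (unconfined_domain_type and the like) no longer covers these callers, so interactions with these domains from other types may start to be denied; that body is outside the hunk, so confirm. The `attribute unconfined_services;` require predates this commit but is not used anywhere in the interface as shown, so either drop it or add the `typeattribute` it was meant for.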
@@ -24215,11 +24324,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -511,182 +518,194 @@ +@@ -511,182 +518,195 @@ # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; + allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; ++ allow $1_t self:socket create_socket_perms; - allow $1_t unpriv_userdomain:fd use; + allow $1_usertype unpriv_userdomain:fd use; @@ -24486,7 +24596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -714,13 +733,26 @@ +@@ -714,13 +734,26 @@ userdom_base_user_template($1) @@ -24518,7 +24628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_change_password_template($1) -@@ -738,70 +770,71 @@ +@@ -738,70 +771,71 @@ allow $1_t self:context contains; @@ -24623,7 +24733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -838,6 +871,28 @@ +@@ -838,6 +872,28 @@ # Local policy # @@ -24652,7 +24762,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -868,7 +923,10 @@ +@@ -868,7 +924,10 @@ userdom_restricted_user_template($1) @@ -24664,7 +24774,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -876,14 +934,19 @@ +@@ -876,14 +935,19 @@ # auth_role($1_r, $1_t) 
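Review bot: `allow $1_t self:socket create_socket_perms;` grants every user domain built from this template creation of sockets in the generic `socket` class, which is the fallback class for address families without a dedicated SELinux class, and unlike the `dontaudit` lines just above it this is a real allow with no why-comment. Name the application and denial behind it, e.g. `# <app> creates an AF_<family> socket that has no specific object class -- see <AVC>` (placeholders), so a later reviewer can tell whether a narrower class has since become available. The template this sits in starts well before the hunk.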
@@ -24689,7 +24799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -891,28 +954,47 @@ +@@ -891,28 +955,47 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -24744,7 +24854,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -946,8 +1028,8 @@ +@@ -946,8 +1029,8 @@ # Declarations # @@ -24754,7 +24864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -956,11 +1038,12 @@ +@@ -956,11 +1039,12 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -24769,7 +24879,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -978,36 +1061,53 @@ +@@ -978,36 +1062,53 @@ ') ') @@ -24837,7 +24947,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1042,7 +1142,7 @@ +@@ -1042,7 +1143,7 @@ # template(`userdom_admin_user_template',` gen_require(` @@ -24846,7 +24956,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1051,8 +1151,7 @@ +@@ -1051,8 +1152,7 @@ # # Inherit rules for ordinary users. @@ -24856,7 +24966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1075,7 +1174,8 @@ +@@ -1075,7 +1175,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
@@ -24866,7 +24976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1091,6 +1191,7 @@ +@@ -1091,6 +1192,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -24874,7 +24984,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1098,8 +1199,6 @@ +@@ -1098,8 +1200,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -24883,7 +24993,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1154,20 +1253,6 @@ +@@ -1154,20 +1254,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -24904,7 +25014,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1213,6 +1298,7 @@ +@@ -1213,6 +1299,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -24912,7 +25022,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1278,11 +1364,15 @@ +@@ -1278,11 +1365,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -24928,7 +25038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1374,12 +1464,13 @@ +@@ -1374,12 +1465,13 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -24943,7 +25053,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1412,6 +1503,14 @@ +@@ -1412,6 +1504,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) 
@@ -24958,7 +25068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1427,9 +1526,11 @@ +@@ -1427,9 +1527,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -24970,7 +25080,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1486,6 +1587,25 @@ +@@ -1486,6 +1588,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -24996,7 +25106,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1560,6 +1680,8 @@ +@@ -1560,6 +1681,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -25005,7 +25115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1653,6 +1775,7 @@ +@@ -1653,6 +1776,7 @@ type user_home_dir_t, user_home_t; ') @@ -25013,7 +25123,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1780,19 +1903,32 @@ +@@ -1780,19 +1904,32 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -25053,7 +25163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1827,6 +1963,7 @@ +@@ -1827,6 +1964,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -25061,7 +25171,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2374,7 +2511,7 @@ +@@ -2374,7 +2512,7 @@ ######################################## ## 
@@ -25070,7 +25180,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2728,11 +2865,32 @@ +@@ -2728,11 +2866,32 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -25105,7 +25215,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2860,7 +3018,25 @@ +@@ -2860,7 +3019,25 @@ type user_tmp_t; ') @@ -25132,7 +25242,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2897,6 +3073,7 @@ +@@ -2897,6 +3074,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -25140,7 +25250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3027,3 +3204,501 @@ +@@ -3027,3 +3205,501 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index dcb0734..dc78601 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -15,12 +15,12 @@ %endif %define POLICYVER 23 %define libsepolver 2.0.20-1 -%define POLICYCOREUTILSVER 2.0.62-10 +%define POLICYCOREUTILSVER 2.0.71-2 %define CHECKPOLICYVER 2.0.16-3 Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.26 -Release: 10%{?dist} +Release: 11%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -348,7 +348,7 @@ if [ $1 -eq 1 ]; then %loadpolicy targeted $packages restorecon -R /root /var/log /var/run 2> /dev/null else - semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit_auth 2>/dev/null + semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit 2>/dev/null packages="%{expand:%%moduleList targeted} `get_unconfined`" %loadpolicy targeted $packages %relabel targeted 
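Review bot: The targeted `%post` scriptlet now removes a module named `polkit` instead of `polkit_auth` (the mls `%post` in the next hunk does the same), but the only changelog entry added is the permissive one, so the rename is undocumented. Add a changelog line such as `- Remove the old polkit_auth module as polkit on upgrade` (constructed wording), and note that because the scriptlet discards stderr with `2>/dev/null`, a system that still has the module installed under the old name would not report that it was left loaded.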
@@ -459,7 +459,7 @@ SELinux Reference policy mls base module. %saveFileContext mls %post mls -semodule -n -s mls -r mailscanner -r polkit_auth 2>/dev/null +semodule -n -s mls -r mailscanner -r polkit 2>/dev/null packages="%{expand:%%moduleList mls}" %loadpolicy mls $packages @@ -475,6 +475,9 @@ exit 0 %endif %changelog +* Thu Aug 13 2009 Dan Walsh 3.6.26-11 +- Make all unconfined_domains permissive so we can see what AVC's happen + * Mon Aug 10 2009 Dan Walsh 3.6.26-10 - Add pt_chown policy