From c42cb334e8bb1ecf4b5a2dd4c27cb49a79270f9f Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 21 2010 19:37:28 +0000 Subject: - Allow virtd_t to manage firewall/iptables config Resolves: #573585 --- diff --git a/policy-F13.patch b/policy-F13.patch index f3e46f4..2a82830 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -237,7 +237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.te serefpolicy-3.7.19/policy/modules/admin/accountsd.te --- nsaserefpolicy/policy/modules/admin/accountsd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/admin/accountsd.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/admin/accountsd.te 2010-04-20 14:17:59.000000000 -0400 @@ -0,0 +1,55 @@ +policy_module(accountsd,1.0.0) + @@ -259,7 +259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account +# +# accountsd local policy +# -+allow accountsd_t self:capability sys_ptrace; ++allow accountsd_t self:capability { dac_override sys_ptrace }; + +allow accountsd_t self:fifo_file rw_fifo_file_perms; + @@ -2102,7 +2102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.19/policy/modules/admin/vpn.te --- nsaserefpolicy/policy/modules/admin/vpn.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/admin/vpn.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/admin/vpn.te 2010-04-19 09:28:05.000000000 -0400 @@ -31,7 +31,7 @@ allow vpnc_t self:rawip_socket create_socket_perms; allow vpnc_t self:unix_dgram_socket create_socket_perms; 
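Review bot: `allow accountsd_t self:capability { dac_override sys_ptrace };` adds dac_override to accountsd_t with no comment saying which file access needs it, and the commit message (virtd firewall config) does not mention it. dac_override bypasses every DAC permission check for the domain; if accountsd only has to read or traverse files it does not own, `dac_read_search` is the narrower capability. If the full capability really is required, a one-line comment above the rule naming the operation keeps the grant auditable. The accountsd_t rule set continues outside the hunk.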
@@ -2145,7 +2145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.f +/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.19/policy/modules/apps/chrome.if --- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/chrome.if 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/apps/chrome.if 2010-04-20 09:54:27.000000000 -0400 @@ -0,0 +1,90 @@ + +## policy for chrome @@ -4155,8 +4155,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.19/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/mono.if 2010-04-14 10:48:18.000000000 -0400 -@@ -40,10 +40,10 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/mono.if 2010-04-20 11:03:19.000000000 -0400 +@@ -40,16 +40,19 @@ domain_interactive_fd($1_mono_t) application_type($1_mono_t) 
@@ -4168,6 +4168,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; domtrans_pattern($3, mono_exec_t, $1_mono_t) + + fs_dontaudit_rw_tmpfs_files($1_mono_t) + corecmd_bin_domtrans($1_mono_t, $1_t) ++ifdef(`hide_broken_symptoms', ` ++ dontaudit $1_t $1_mono_t:socket_class_set { read write }; ++') + + optional_policy(` + xserver_role($1_r, $1_mono_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.19/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2009-07-28 13:28:33.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/apps/mozilla.fc 2010-04-14 10:48:18.000000000 -0400 @@ -4468,8 +4477,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.19/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/nsplugin.if 2010-04-14 10:48:18.000000000 -0400 -@@ -0,0 +1,390 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/nsplugin.if 2010-04-21 09:27:25.000000000 -0400 +@@ -0,0 +1,391 @@ + +## policy for nsplugin + @@ -4582,6 +4591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + allow nsplugin_t $2:sem rw_sem_perms; + allow nsplugin_t $2:shm rw_shm_perms; + dontaudit nsplugin_t $2:shm destroy; ++ allow $2 nsplugin_t:sem rw_sem_perms; + + allow $2 nsplugin_t:process { getattr ptrace signal_perms }; + allow $2 nsplugin_t:unix_stream_socket connectto; 
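Review bot: The new `dontaudit $1_t $1_mono_t:socket_class_set { read write };` under `hide_broken_symptoms` silences read/write denials on every socket class the user domain may inherit from its mono child, and carries no comment saying which leaked descriptor it is covering. A blanket socket_class_set rule also hides denials that would expose a genuine leak across the `corecmd_bin_domtrans($1_mono_t, $1_t)` transition shown just above it; if the observed leak is a single class, naming that class keeps other leaks visible. At minimum a comment such as `# presumed socket fd leak from mono on the exec transition back to $1_t — confirm class` would document the intent. The enclosing mono role template starts and ends outside the hunk.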
@@ -5404,7 +5414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-03-29 15:04:22.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te 2010-04-20 08:58:33.000000000 -0400 @@ -41,6 +41,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) @@ -5413,6 +5423,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) +@@ -128,6 +129,7 @@ + ') + + optional_policy(` ++ udev_read_state(pulseaudio_t) + udev_read_db(pulseaudio_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.19/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2010-02-22 08:30:53.000000000 -0500 +++ serefpolicy-3.7.19/policy/modules/apps/qemu.if 2010-04-14 10:48:18.000000000 -0400 
@@ -6814,6 +6832,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t domain_use_interactive_fds(vmware_host_t) domain_dontaudit_read_all_domains_state(vmware_host_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.7.19/policy/modules/apps/wine.fc +--- nsaserefpolicy/policy/modules/apps/wine.fc 2010-02-22 08:30:53.000000000 -0500 ++++ serefpolicy-3.7.19/policy/modules/apps/wine.fc 2010-04-19 09:13:04.000000000 -0400 +@@ -2,6 +2,7 @@ + + /opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) + ++/opt/google/picasa(/.*)?/Picasa3/.*exe -- gen_context(system_u:object_r:wine_exec_t,s0) + /opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) + /opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) + /opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.19/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2010-02-22 08:30:53.000000000 -0500 +++ serefpolicy-3.7.19/policy/modules/apps/wine.if 2010-04-14 10:48:18.000000000 -0400 @@ -7028,7 +7057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-13 14:43:42.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-04-21 12:35:46.000000000 -0400 @@ -25,6 +25,7 @@ # type tun_tap_device_t; 
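Review bot: The new entry `/opt/google/picasa(/.*)?/Picasa3/.*exe -- gen_context(system_u:object_r:wine_exec_t,s0)` matches more than Picasa's .exe files: file-context patterns are anchored at both ends, but `.*exe` has no escaped dot, so any regular file whose name merely ends in `exe`, at any depth below `Picasa3/`, is labelled wine_exec_t. The neighbouring entries name specific binaries, so tightening this one to `/opt/google/picasa(/.*)?/Picasa3/[^/]*\.exe -- gen_context(system_u:object_r:wine_exec_t,s0)` keeps it to .exe files directly under Picasa3, or keep `.*\.exe` if subdirectories are intended. Since wine_exec_t is presumably the entrypoint of the wine domain, an over-broad match widens what can run there without anyone noticing.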
@@ -7078,6 +7107,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) +@@ -109,7 +116,7 @@ + network_port(hddtemp, tcp,7634,s0) + network_port(howl, tcp,5335,s0, udp,5353,s0) + network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) +-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port ++network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,3636,s0, tcp,8008,s0,tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port + network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy + network_port(i18n_input, tcp,9010,s0) + network_port(imaze, tcp,5323,s0, udp,5323,s0) @@ -132,6 +139,7 @@ network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) @@ -7333,7 +7371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.19/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2010-03-18 06:48:09.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/domain.if 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/domain.if 2010-04-20 08:57:24.000000000 -0400 @@ -611,7 +611,7 @@ ######################################## 
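Review bot: The rewritten `network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,3636,s0, ...)` line adds port 3636 to http_port_t with no comment, while the same line documents 8443 as the mod_nss default; every domain allowed to bind to or connect to http_port_t gains 3636 with it, so the service behind the port should be recorded, e.g. a trailing `# 3636 is for <service — fill in>`. The rewrite also drops the space in `tcp,8008,s0,tcp,8009,s0`, which the rest of the port table keeps. The corenetwork port table continues outside the hunk.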
@@ -7702,7 +7740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.19/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-05 14:44:26.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-04-16 14:29:31.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-04-21 10:00:28.000000000 -0400 @@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -7843,16 +7881,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ########################################## ## ## Manage generic directories in /etc -@@ -2280,6 +2368,8 @@ +@@ -2280,6 +2368,7 @@ allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) -+ files_read_etc_runtime_files($1) + files_read_config_files($1) ') ######################################## -@@ -2362,6 +2452,24 @@ +@@ -2362,6 +2451,24 @@ ######################################## ## @@ -7877,7 +7914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Execute generic files in /etc. ## ## -@@ -2789,6 +2897,120 @@ +@@ -2789,6 +2896,120 @@ ######################################## ## @@ -7998,7 +8035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Create, read, write, and delete files ## on new filesystems that have not yet been labeled. ## -@@ -2899,6 +3121,7 @@ +@@ -2899,6 +3120,7 @@ ') allow $1 home_root_t:dir getattr; 
@@ -8006,7 +8043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2919,6 +3142,7 @@ +@@ -2919,6 +3141,7 @@ ') dontaudit $1 home_root_t:dir getattr; @@ -8014,7 +8051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2937,6 +3161,7 @@ +@@ -2937,6 +3160,7 @@ ') allow $1 home_root_t:dir search_dir_perms; @@ -8022,7 +8059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2956,6 +3181,7 @@ +@@ -2956,6 +3180,7 @@ ') dontaudit $1 home_root_t:dir search_dir_perms; @@ -8030,7 +8067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2975,6 +3201,7 @@ +@@ -2975,6 +3200,7 @@ ') dontaudit $1 home_root_t:dir list_dir_perms; @@ -8038,7 +8075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2993,6 +3220,7 @@ +@@ -2993,6 +3219,7 @@ ') allow $1 home_root_t:dir list_dir_perms; @@ -8046,7 +8083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3520,6 +3748,64 @@ +@@ -3520,6 +3747,64 @@ allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -8111,7 +8148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Allow the specified type to associate -@@ -3705,6 +3991,32 @@ +@@ -3705,6 +3990,32 @@ ######################################## ## 
@@ -8144,7 +8181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Manage temporary files and directories in /tmp. ## ## -@@ -3918,6 +4230,13 @@ +@@ -3918,6 +4229,13 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -8158,7 +8195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4013,6 +4332,24 @@ +@@ -4013,6 +4331,24 @@ ######################################## ## @@ -8183,7 +8220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Delete generic files in /usr in the caller domain. ## ## -@@ -4026,7 +4363,7 @@ +@@ -4026,7 +4362,7 @@ type usr_t; ') @@ -8192,7 +8229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4107,6 +4444,24 @@ +@@ -4107,6 +4443,24 @@ ######################################## ## @@ -8217,7 +8254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## dontaudit write of /usr files ## ## -@@ -5032,6 +5387,25 @@ +@@ -5032,6 +5386,25 @@ search_dirs_pattern($1, var_t, var_run_t) ') @@ -8243,7 +8280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Do not audit attempts to search -@@ -5091,6 +5465,24 @@ +@@ -5091,6 +5464,24 @@ ######################################## ## @@ -8268,7 +8305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Create an object in the process ID directory, with a private type. ## ## -@@ -5238,6 +5630,7 @@ +@@ -5238,6 +5629,7 @@ list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) 
@@ -8276,7 +8313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -5306,6 +5699,24 @@ +@@ -5306,6 +5698,24 @@ ######################################## ## @@ -8301,7 +8338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -5494,12 +5905,15 @@ +@@ -5494,12 +5904,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -8318,7 +8355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ') -@@ -5520,3 +5934,210 @@ +@@ -5520,3 +5933,210 @@ typeattribute $1 files_unconfined_type; ') @@ -8531,7 +8568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.19/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2010-04-05 14:44:26.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/files.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/files.te 2010-04-21 10:00:10.000000000 -0400 @@ -12,6 +12,7 @@ attribute mountpoint; attribute pidfile; @@ -8540,7 +8577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # For labeling types that are to be polyinstantiated attribute polydir; -@@ -59,6 +60,15 @@ +@@ -59,12 +60,21 @@ typealias etc_t alias automount_etc_t; typealias etc_t alias snmpd_etc_t; @@ -8556,6 +8593,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # # etc_runtime_t is the type of various # files in /etc that are automatically + # generated during initialization. + # +-type etc_runtime_t; ++type etc_runtime_t, configfile; + files_type(etc_runtime_t) + #Temporarily in policy until FC5 dissappears + typealias etc_runtime_t alias firstboot_rw_t; 
@@ -194,6 +204,7 @@ fs_associate_noxattr(file_type) fs_associate_tmpfs(file_type) @@ -8934,7 +8978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.19/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-03-18 06:48:09.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-04-15 16:56:03.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-04-20 08:55:34.000000000 -0400 @@ -1959,7 +1959,7 @@ ') @@ -8944,7 +8988,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ') ######################################## -@@ -2195,6 +2195,24 @@ +@@ -2046,6 +2046,24 @@ + allow $1 unlabeled_t:filesystem mount; + ') + ++######################################## ++## ++## Unmount a kernel unlabeled filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_unmount_unlabeled',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:filesystem unmount; ++') ++ + + ######################################## + ## +@@ -2195,6 +2213,24 @@ ######################################## ## @@ -8969,7 +9038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Do not audit attempts by caller to get the ## attributes of an unlabeled file. ## -@@ -2792,6 +2810,24 @@ +@@ -2792,6 +2828,24 @@ ######################################## ## @@ -8994,7 +9063,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Unconfined access to kernel module resources. ## ## -@@ -2807,3 +2843,22 @@ +@@ -2807,3 +2861,22 @@ typeattribute $1 kern_unconfined; ') 
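Review bot: `type etc_runtime_t, configfile;` gives the runtime-generated /etc files the configfile attribute so that files_read_config_files covers them (the matching removal of files_read_etc_runtime_files from files_read_etc_files is in the files.if hunk earlier in this patch), but the consequence is not written down: any interface that grants write or manage access over the `configfile` attribute rather than over etc_t alone now reaches etc_runtime_t as well. If such attribute-wide interfaces exist in files.if this widens all of them in one step; a comment on the type line such as `# configfile: read via files_read_config_files; attribute-wide write interfaces now include this type` would make the trade-off visible. The files.te type block starts outside the hunk.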
@@ -9210,7 +9279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.19/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/kernel/terminal.if 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/terminal.if 2010-04-20 08:46:40.000000000 -0400 @@ -292,9 +292,11 @@ interface(`term_dontaudit_use_console',` gen_require(` @@ -10563,7 +10632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-04-21 11:40:24.000000000 -0400 @@ -0,0 +1,433 @@ +policy_module(unconfineduser, 1.0.0) + @@ -13272,8 +13341,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te --- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-04-14 10:48:18.000000000 -0400 -@@ -0,0 +1,81 @@ ++++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-04-20 08:19:53.000000000 -0400 +@@ -0,0 +1,91 @@ + +policy_module(boinc,1.0.0) + 
@@ -13291,6 +13360,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +type boinc_initrc_exec_t; +init_script_file(boinc_initrc_exec_t) + ++type boinc_tmp_t; ++files_tmp_file(boinc_tmp_t) ++ +type boinc_tmpfs_t; +files_tmpfs_file(boinc_tmpfs_t) + @@ -13308,8 +13380,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +allow boinc_t self:fifo_file rw_fifo_file_perms; +allow boinc_t self:unix_stream_socket create_stream_socket_perms; +allow boinc_t self:tcp_socket create_stream_socket_perms; ++allow boinc_t self:sem create_sem_perms; +allow boinc_t self:shm create_shm_perms; + ++manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) ++manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) ++files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) ++ +manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) +fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t,file) + @@ -13337,7 +13414,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +corenet_tcp_bind_boinc_port(boinc_t) +corenet_tcp_connect_http_port(boinc_t) + ++dev_read_rand(boinc_t) +dev_read_urand(boinc_t) ++dev_read_sysfs(boinc_t) + +domain_read_all_domains_state(boinc_t) + @@ -15672,7 +15751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru snmp_stream_connect(cyrus_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.19/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/dbus.if 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/dbus.if 2010-04-21 13:33:13.000000000 -0400 @@ -42,8 +42,10 @@ gen_require(` class dbus { send_msg acquire_svc }; 
@@ -15714,17 +15793,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus selinux_get_fs_mount($1_dbusd_t) selinux_validate_context($1_dbusd_t) -@@ -146,6 +149,9 @@ +@@ -146,20 +149,25 @@ seutil_read_config($1_dbusd_t) seutil_read_default_contexts($1_dbusd_t) +- userdom_read_user_home_content_files($1_dbusd_t) + term_use_all_terms($1_dbusd_t) + + userdom_dontaudit_search_admin_dir($1_dbusd_t) - userdom_read_user_home_content_files($1_dbusd_t) ++ userdom_manage_user_home_content_dirs($1_dbusd_t) ++ userdom_manage_user_home_content_files($1_dbusd_t) ++ userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file }) ifdef(`hide_broken_symptoms', ` -@@ -153,13 +159,13 @@ + dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; ') optional_policy(` @@ -15741,7 +15823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') ####################################### -@@ -178,10 +184,12 @@ +@@ -178,10 +186,12 @@ type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; @@ -15754,7 +15836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -256,7 +264,7 @@ +@@ -256,7 +266,7 @@ ######################################## ## @@ -15763,7 +15845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ## for service (acquire_svc). ## ## -@@ -334,6 +342,34 @@ +@@ -334,6 +344,34 @@ ######################################## ## @@ -15798,7 +15880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ## Create a domain for processes ## which can be started by the system dbus ## -@@ -364,6 +400,19 @@ +@@ -364,6 +402,19 @@ dbus_system_bus_client($1) dbus_connect_system_bus($1) 
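Review bot: `$1_dbusd_t` moves from `userdom_read_user_home_content_files` to `userdom_manage_user_home_content_dirs`, `userdom_manage_user_home_content_files` and a `userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file })` transition, so the per-user session bus can now create, write and delete any user home content, and nothing in the hunk or the commit message says which bus activity needs that. If the need is one specific file or directory under the home directory, a dedicated type with a filetrans from the home directory would keep the daemon's write reach bounded; otherwise a comment above the three calls naming the requirement keeps the widening reviewable. The enclosing template (presumably dbus_role_template) starts and ends outside the hunk.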
@@ -15818,7 +15900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ifdef(`hide_broken_symptoms', ` dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') -@@ -405,3 +454,43 @@ +@@ -405,3 +456,43 @@ typeattribute $1 dbusd_unconfined; ') @@ -17843,6 +17925,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +git_role_template(git_shell) +gen_user(git_shell_u, user, git_shell_r, s0, s0) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.7.19/policy/modules/services/hal.if +--- nsaserefpolicy/policy/modules/services/hal.if 2010-02-12 10:33:09.000000000 -0500 ++++ serefpolicy-3.7.19/policy/modules/services/hal.if 2010-04-20 08:14:46.000000000 -0400 +@@ -367,7 +367,7 @@ + ## + # + interface(`hal_read_pid_files',` +- gen_require(` ++ gen_require(` + type hald_var_run_t; + ') + +@@ -377,6 +377,26 @@ + + ######################################## + ## ++## Do not audit attempts to read ++## hald PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hal_dontaudit_read_pid_files',` ++ gen_require(` ++ type hald_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 hald_var_run_t:file read_inherited_file_perms; ++') ++ ++######################################## ++## + ## Read/Write hald PID files. + ## + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.19/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2010-02-12 10:33:09.000000000 -0500 +++ serefpolicy-3.7.19/policy/modules/services/hal.te 2010-04-14 10:48:18.000000000 -0400 
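Review bot: The new `hal_dontaudit_read_pid_files` interface grants access instead of silencing it: its body is `files_search_pids($1)` plus `allow $1 hald_var_run_t:file read_inherited_file_perms;`, while its summary says "Do not audit attempts to read hald PID files", so a caller choosing it by name silently receives a real permission. Either rename the interface to match what it does, or change the body to `dontaudit $1 hald_var_run_t:file read_inherited_file_perms;` and drop the `files_search_pids($1)` line, which a dontaudit interface has no reason to carry. The whitespace-only change to the `gen_require(` line of hal_read_pid_files in the same section is fine.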
@@ -18047,7 +18168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap +#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.19/policy/modules/services/ldap.if --- nsaserefpolicy/policy/modules/services/ldap.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ldap.if 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/ldap.if 2010-04-21 13:40:21.000000000 -0400 @@ -1,5 +1,43 @@ ## OpenLDAP directory server @@ -18092,6 +18213,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap ######################################## ## ## Read the contents of the OpenLDAP +@@ -71,6 +109,30 @@ + files_search_pids($1) + allow $1 slapd_var_run_t:sock_file write; + allow $1 slapd_t:unix_stream_socket connectto; ++ ++ optional_policy(` ++ ldap_stream_connect_dirsrv($1) ++ ') ++') ++ ++######################################## ++## ++## Connect to dirsrv over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ldap_stream_connect_dirsrv',` ++ gen_require(` ++ type dirsrv_t, dirsrv_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 dirsrv_var_run_t:sock_file write; ++ allow $1 dirsrv_t:unix_stream_socket connectto; + ') + + ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.19/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/services/ldap.te 2010-04-14 10:48:18.000000000 -0400 
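Review bot: `ldap_stream_connect_dirsrv` requires `type dirsrv_t, dirsrv_var_run_t;` yet lives in ldap.if, so ldap.if now exposes an interface for types owned by another module; refpolicy convention is for the owning module to provide it (a `dirsrv_stream_connect` in dirsrv.if), and the `optional_policy` block nested inside `ldap_stream_connect` is unusual in an interface body. As written, every existing caller of `ldap_stream_connect` also gains connectto on dirsrv_t's socket whenever the dirsrv module is loaded, without the call sites saying so; if that implicit widening is intended, a comment above the optional_policy block naming it would help. The summary `Connect to dirsrv over an unix stream socket.` should read `over a unix stream socket` to match the neighbouring summaries.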
@@ -20515,7 +20667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oide diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.19/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2010-03-23 10:55:15.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/openvpn.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/openvpn.te 2010-04-19 09:28:13.000000000 -0400 @@ -25,6 +25,9 @@ type openvpn_etc_rw_t; files_config_file(openvpn_etc_rw_t) @@ -20536,6 +20688,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open allow openvpn_t openvpn_var_log_t:file manage_file_perms; logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) +@@ -114,6 +120,7 @@ + sysnet_etc_filetrans_config(openvpn_t) + + userdom_use_user_terminals(openvpn_t) ++userdom_read_home_certs(openvpn_t) + + tunable_policy(`openvpn_enable_homedirs',` + userdom_read_user_home_content_files(openvpn_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.19/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/services/pegasus.te 2010-04-14 10:48:18.000000000 -0400 
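Review bot: `userdom_read_home_certs(openvpn_t)` is added unconditionally, two lines above the `tunable_policy(`openvpn_enable_homedirs',` block that gates the existing read of user home content, and reading certificates from users' home directories looks like exactly the class of access that boolean exists to control. Moving the call inside the tunable, or adding a comment above it explaining why certificate reads are allowed regardless of openvpn_enable_homedirs, would keep the boolean meaningful. The tunable_policy block continues outside the hunk.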
@@ -20951,8 +21111,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.7.19/policy/modules/services/plymouthd.te --- nsaserefpolicy/policy/modules/services/plymouthd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/plymouthd.te 2010-04-14 10:48:18.000000000 -0400 -@@ -0,0 +1,105 @@ ++++ serefpolicy-3.7.19/policy/modules/services/plymouthd.te 2010-04-20 08:47:32.000000000 -0400 +@@ -0,0 +1,107 @@ +policy_module(plymouthd, 1.0.0) + +######################################## @@ -21007,6 +21167,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym +files_read_etc_files(plymouthd_t) +files_read_usr_files(plymouthd_t) + ++term_use_unallocated_ttys(plymouthd_t) ++ +miscfiles_read_localization(plymouthd_t) +miscfiles_read_fonts(plymouthd_t) +miscfiles_manage_fonts_cache(plymouthd_t) @@ -26159,7 +26321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-03-23 10:55:15.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-04-20 14:14:36.000000000 -0400 @@ -36,13 +36,6 @@ ## @@ -26212,7 +26374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt allow virtd_t virt_image_type:file { relabelfrom relabelto }; allow virtd_t virt_image_type:blk_file { relabelfrom relabelto }; -@@ -252,13 +245,18 @@ +@@ -252,14 +245,20 @@ # Init script handling domain_use_interactive_fds(virtd_t) domain_read_all_domains_state(virtd_t) 
@@ -26225,13 +26387,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt files_search_all(virtd_t) files_read_kernel_modules(virtd_t) files_read_usr_src_files(virtd_t) +-files_manage_etc_files(virtd_t) + +# Manages /etc/sysconfig/system-config-firewall +files_manage_system_conf_files(virtd_t) - files_manage_etc_files(virtd_t) ++files_manage_system_conf_files(virtd_t) ++files_etc_filetrans_system_conf(virtd_t) fs_list_auto_mountpoints(virtd_t) -@@ -268,6 +266,14 @@ + fs_getattr_xattr_fs(virtd_t) +@@ -268,6 +267,14 @@ fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -26246,7 +26411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt mcs_process_set_categories(virtd_t) storage_manage_fixed_disk(virtd_t) -@@ -291,15 +297,22 @@ +@@ -291,15 +298,22 @@ logging_send_syslog_msg(virtd_t) @@ -26269,7 +26434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -370,6 +383,7 @@ +@@ -370,6 +384,7 @@ qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -26277,7 +26442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') optional_policy(` -@@ -446,6 +460,10 @@ +@@ -446,6 +461,10 @@ fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -28975,7 +29140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. +userdom_read_user_tmp_files(setkey_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.19/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2010-02-12 16:41:05.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/system/iptables.fc 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/iptables.fc 2010-04-20 09:06:19.000000000 -0400 
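Review bot: The retained comment `# Manages /etc/sysconfig/system-config-firewall` undersells what `files_manage_system_conf_files(virtd_t)` and `files_etc_filetrans_system_conf(virtd_t)` grant: manage rights over every system_conf_t file and a default type for files virtd_t creates directly under etc_t, presumably broader than the one firewall file (the interface bodies are in the files.if hunks of this patch and not visible here). Replacing files_manage_etc_files with the narrower type is the right direction; the missing piece is a comment naming the full set, e.g. `# virtd rewrites the system_conf_t files under /etc/sysconfig (firewall config); files it creates in /etc default to system_conf_t`. As rendered, `files_manage_system_conf_files(virtd_t)` appears both as a retained line and as a newly added one; if that is not an artifact of this diff-of-a-diff, one of the two calls is redundant. The virtd_t rule block extends beyond the hunk.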
@@ -1,6 +1,4 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) @@ -28983,6 +29148,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) +@@ -11,3 +9,5 @@ + /usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0) + /usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) + /usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) ++ ++/usr/bin/ncftool -- gen_context(system_u:object_r:iptables_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.19/policy/modules/system/iptables.if --- nsaserefpolicy/policy/modules/system/iptables.if 2009-12-04 09:43:33.000000000 -0500 +++ serefpolicy-3.7.19/policy/modules/system/iptables.if 2010-04-14 10:48:18.000000000 -0400 @@ -29062,7 +29233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.19/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-03-23 11:19:40.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-04-19 09:16:53.000000000 -0400 @@ -208,6 +208,7 @@ /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
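Review bot: Labelling `/usr/bin/ncftool` as iptables_exec_t in the @@ -28983 hunk makes a user-facing CLI a second entrypoint into iptables_t, so every domain that already transitions on iptables_exec_t now enters iptables_t by executing ncftool as well, and ncftool inherits the whole iptables_t privilege set instead of getting a domain sized to what it does. The changelog entry "Run ncftool as iptables_t" records the decision but not the reason; the file context should carry it, e.g. `# ncftool rewrites host firewall/network config; confined in iptables_t rather than a dedicated domain`. If the intended caller is only virtd_t, a dedicated type with its own domtrans would keep the transition from being available to every iptables_t caller.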
@@ -29087,7 +29258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -319,14 +315,146 @@ +@@ -319,14 +315,148 @@ /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -29236,6 +29407,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar + +/usr/lib/nsr/(.*/)?.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.19/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2010-03-23 10:55:15.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/system/libraries.te 2010-04-14 10:48:18.000000000 -0400 @@ -29943,7 +30116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.19/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-04-16 13:49:19.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-04-21 11:57:10.000000000 -0400 @@ -18,8 +18,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -29993,7 +30166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. allow mount_t mount_loopback_t:file read_file_perms; -@@ -47,30 +71,49 @@ +@@ -47,30 +71,50 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) 
@@ -30006,6 +30179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +kernel_dontaudit_getattr_core_if(mount_t) +kernel_list_unlabeled(mount_t) +kernel_mount_unlabeled(mount_t) ++kernel_unmount_unlabeled(mount_t) kernel_read_system_state(mount_t) +kernel_read_network_state(mount_t) kernel_read_kernel_sysctls(mount_t) @@ -30045,7 +30219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. files_mount_all_file_type_fs(mount_t) files_unmount_all_file_type_fs(mount_t) # for when /etc/mtab loses its type -@@ -80,15 +123,18 @@ +@@ -80,15 +124,18 @@ files_read_usr_files(mount_t) files_list_mnt(mount_t) @@ -30067,7 +30241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. mls_file_read_all_levels(mount_t) mls_file_write_all_levels(mount_t) -@@ -99,6 +145,7 @@ +@@ -99,6 +146,7 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) @@ -30075,7 +30249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. term_use_all_terms(mount_t) -@@ -107,6 +154,8 @@ +@@ -107,6 +155,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -30084,7 +30258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. logging_send_syslog_msg(mount_t) -@@ -117,6 +166,8 @@ +@@ -117,6 +167,8 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -30093,7 +30267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`distro_redhat',` optional_policy(` -@@ -132,10 +183,17 @@ +@@ -132,10 +184,17 @@ ') ') @@ -30111,7 +30285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -165,6 +223,8 @@ +@@ -165,6 +224,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) 
@@ -30120,7 +30294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -172,6 +232,25 @@ +@@ -172,6 +233,25 @@ ') optional_policy(` @@ -30146,7 +30320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -179,6 +258,11 @@ +@@ -179,6 +259,11 @@ ') ') @@ -30158,7 +30332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -186,6 +270,19 @@ +@@ -186,6 +271,19 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -30178,21 +30352,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -194,6 +291,45 @@ +@@ -194,6 +292,42 @@ # optional_policy(` -- files_etc_filetrans_etc_runtime(unconfined_mount_t, file) - unconfined_domain(unconfined_mount_t) - ') ++ unconfined_domain_noaudit(unconfined_mount_t) ++') + +optional_policy(` + userdom_unpriv_usertype(unconfined, unconfined_mount_t) -+ files_etc_filetrans_etc_runtime(unconfined_mount_t, file) -+ -+ rpc_domtrans_rpcd(unconfined_mount_t) -+ devicekit_dbus_chat_disk(unconfined_mount_t ) -+') + files_etc_filetrans_etc_runtime(unconfined_mount_t, file) +- unconfined_domain(unconfined_mount_t) + ') + +###################################### +# 
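Review bot: In the @@ -30178 hunk, `unconfined_domain(unconfined_mount_t)` becomes `unconfined_domain_noaudit(unconfined_mount_t)`, which stops AVC denials for this domain from reaching the audit log; that loss of visibility is not mentioned in the 3.7.19-4 changelog entry added in the same commit, which only names the virtd_t firewall change. Since the denials are still the only signal that something unexpected ran as unconfined_mount_t, the rationale should sit next to the call, e.g. `# noaudit: unconfined_mount_t denials are dropped from the audit log (semodule -DB re-enables them)`. The previous patch version's `rpc_domtrans_rpcd` and `devicekit_dbus_chat_disk` lines are removed here, presumably as redundant under the unconfined interface; confirm nothing in the second optional_policy block depended on them.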
@@ -31460,7 +31631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.19/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-03-23 10:55:15.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-04-20 08:13:32.000000000 -0400 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t, dhcpc_exec_t) role system_r types dhcpc_t; @@ -31530,6 +31701,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) +@@ -328,6 +346,7 @@ + optional_policy(` + hal_dontaudit_rw_pipes(ifconfig_t) + hal_dontaudit_rw_dgram_sockets(ifconfig_t) ++ hal_dontaudit_read_pid_files(ifconfig_t) + ') + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.7.19/policy/modules/system/udev.fc --- nsaserefpolicy/policy/modules/system/udev.fc 2009-11-25 11:47:19.000000000 -0500 +++ serefpolicy-3.7.19/policy/modules/system/udev.fc 2010-04-14 10:48:18.000000000 -0400 @@ -31540,7 +31719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.f +/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.19/policy/modules/system/udev.if --- nsaserefpolicy/policy/modules/system/udev.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/system/udev.if 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/udev.if 2010-04-20 08:58:15.000000000 -0400 @@ -196,6 +196,25 @@ ######################################## 
@@ -32377,7 +32556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.gvfs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-04-15 15:55:01.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-04-20 12:26:39.000000000 -0400 @@ -30,8 +30,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index bee04c0..daddb15 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 2%{?dist} +Release: 4%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,20 @@ exit 0 %endif %changelog +* Wed Apr 21 2010 Dan Walsh 3.7.19-4 +- Allow virtd_t to manage firewall/iptables config +Resolves: #573585 + +* Tue Apr 20 2010 Dan Walsh 3.7.19-3 +- Fix label on /root/.rhosts +Resolves: #582760 +- Add labels for Picasa +- Allow openvpn to read home certs +- Allow plymouthd_t to use tty_device_t +- Run ncftool as iptables_t +- Allow mount to unmount unlabeled_t +- Dontaudit hal leaks + * Wed Apr 14 2010 Dan Walsh 3.7.19-2 - Allow livecd to transition to mount