diff --git a/policy-20080710.patch b/policy-20080710.patch index 5d8bb6e..b4a94c9 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -1,6 +1,6 @@ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.5.1/Makefile ---- nsaserefpolicy/Makefile 2008-06-12 23:25:10.000000000 -0400 -+++ serefpolicy-3.5.1/Makefile 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.5.2/Makefile +--- nsaserefpolicy/Makefile 2008-08-04 16:39:58.000000000 -0400 ++++ serefpolicy-3.5.2/Makefile 2008-08-05 12:15:11.000000000 -0400 @@ -311,20 +311,22 @@ # parse-rolemap modulename,outputfile @@ -45,9 +45,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.5.1/M $(appdir)/%: $(appconf)/% @mkdir -p $(appdir) $(verbose) $(INSTALL) -m 644 $< $@ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.5.1/Rules.modular ---- nsaserefpolicy/Rules.modular 2008-06-12 23:25:10.000000000 -0400 -+++ serefpolicy-3.5.1/Rules.modular 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.5.2/Rules.modular +--- nsaserefpolicy/Rules.modular 2008-08-04 16:39:58.000000000 -0400 ++++ serefpolicy-3.5.2/Rules.modular 2008-08-05 12:15:11.000000000 -0400 @@ -73,8 +73,8 @@ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te @echo "Compliling $(NAME) $(@F) module" 
@@ -77,9 +77,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3. $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.5.1/config/appconfig-mcs/default_contexts ---- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-06-12 23:25:09.000000000 -0400 -+++ serefpolicy-3.5.1/config/appconfig-mcs/default_contexts 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.5.2/config/appconfig-mcs/default_contexts +--- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-08-04 16:39:58.000000000 -0400 ++++ serefpolicy-3.5.2/config/appconfig-mcs/default_contexts 2008-08-05 12:15:11.000000000 -0400 @@ -2,7 +2,7 @@ system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0 
@@ -89,23 +89,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.5.1/config/appconfig-mcs/failsafe_context ---- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2008-06-12 23:25:09.000000000 -0400 -+++ serefpolicy-3.5.1/config/appconfig-mcs/failsafe_context 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.5.2/config/appconfig-mcs/failsafe_context +--- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2008-08-04 16:39:58.000000000 -0400 ++++ serefpolicy-3.5.2/config/appconfig-mcs/failsafe_context 2008-08-05 12:15:11.000000000 -0400 @@ -1 +1 @@ -sysadm_r:sysadm_t:s0 +system_r:unconfined_t:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.5.1/config/appconfig-mcs/guest_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.5.2/config/appconfig-mcs/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/config/appconfig-mcs/guest_u_default_contexts 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/config/appconfig-mcs/guest_u_default_contexts 2008-08-05 12:15:11.000000000 -0400 
@@ -0,0 +1,4 @@ +system_r:local_login_t:s0 guest_r:guest_t:s0 +system_r:remote_login_t:s0 guest_r:guest_t:s0 +system_r:sshd_t:s0 guest_r:guest_t:s0 +system_r:crond_t:s0 guest_r:guest_crond_t:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.5.1/config/appconfig-mcs/root_default_contexts ---- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-06-12 23:25:09.000000000 -0400 -+++ serefpolicy-3.5.1/config/appconfig-mcs/root_default_contexts 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.5.2/config/appconfig-mcs/root_default_contexts +--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-08-04 16:39:58.000000000 -0400 ++++ serefpolicy-3.5.2/config/appconfig-mcs/root_default_contexts 2008-08-05 12:15:11.000000000 -0400 @@ -1,11 +1,7 @@ system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 
@@ -119,53 +119,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_de # -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.5.1/config/appconfig-mcs/unconfined_u_default_contexts ---- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/config/appconfig-mcs/unconfined_u_default_contexts 2008-07-25 12:35:13.000000000 -0400 -@@ -0,0 +1,9 @@ -+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 -+system_r:initrc_t:s0 unconfined_r:unconfined_t:s0 -+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 -+system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0 -+system_r:rshd_t:s0 unconfined_r:unconfined_t:s0 -+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 -+system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 -+system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 -+system_r:xdm_t:s0 unconfined_r:unconfined_t:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.5.1/config/appconfig-mcs/userhelper_context ---- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-06-12 23:25:09.000000000 -0400 -+++ serefpolicy-3.5.1/config/appconfig-mcs/userhelper_context 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.5.2/config/appconfig-mcs/userhelper_context +--- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-08-04 16:39:58.000000000 -0400 ++++ serefpolicy-3.5.2/config/appconfig-mcs/userhelper_context 2008-08-05 12:15:11.000000000 -0400 
@@ -1 +1 @@
-system_u:sysadm_r:sysadm_t:s0
+system_u:system_r:unconfined_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.5.1/config/appconfig-mcs/xguest_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.5.2/config/appconfig-mcs/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.1/config/appconfig-mcs/xguest_u_default_contexts 2008-07-25 12:35:13.000000000 -0400
++++ serefpolicy-3.5.2/config/appconfig-mcs/xguest_u_default_contexts 2008-08-05 12:15:11.000000000 -0400
@@ -0,0 +1,5 @@
+system_r:local_login_t xguest_r:xguest_t:s0
+system_r:remote_login_t xguest_r:xguest_t:s0
+system_r:sshd_t xguest_r:xguest_t:s0
+system_r:crond_t xguest_r:xguest_crond_t:s0
+system_r:xdm_t xguest_r:xguest_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.5.1/config/appconfig-mls/guest_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.5.2/config/appconfig-mls/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.1/config/appconfig-mls/guest_u_default_contexts 2008-07-25 12:35:13.000000000 -0400
++++ serefpolicy-3.5.2/config/appconfig-mls/guest_u_default_contexts 2008-08-05 12:15:11.000000000 -0400
@@ -0,0 +1,4 @@
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_crond_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.5.1/config/appconfig-standard/guest_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.5.2/config/appconfig-standard/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.1/config/appconfig-standard/guest_u_default_contexts 2008-07-25 12:35:13.000000000 -0400
++++ serefpolicy-3.5.2/config/appconfig-standard/guest_u_default_contexts 2008-08-05 12:15:11.000000000 -0400
@@ -0,0 +1,4 @@
+system_r:local_login_t guest_r:guest_t
+system_r:remote_login_t guest_r:guest_t
+system_r:sshd_t guest_r:guest_t
+system_r:crond_t guest_r:guest_crond_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/root_default_contexts serefpolicy-3.5.1/config/appconfig-standard/root_default_contexts
---- nsaserefpolicy/config/appconfig-standard/root_default_contexts 2008-06-12 23:25:09.000000000 -0400
-+++ serefpolicy-3.5.1/config/appconfig-standard/root_default_contexts 2008-07-25 12:35:13.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/root_default_contexts serefpolicy-3.5.2/config/appconfig-standard/root_default_contexts
+--- nsaserefpolicy/config/appconfig-standard/root_default_contexts 2008-08-04 16:39:58.000000000 -0400
++++ serefpolicy-3.5.2/config/appconfig-standard/root_default_contexts 2008-08-05 12:15:11.000000000 -0400
@@ -1,11 +1,7 @@ system_r:crond_t unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t @@ -179,18 +166,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/ro # -#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t +system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.5.1/config/appconfig-standard/xguest_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.5.2/config/appconfig-standard/xguest_u_default_contexts --- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/config/appconfig-standard/xguest_u_default_contexts 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/config/appconfig-standard/xguest_u_default_contexts 2008-08-05 12:15:11.000000000 -0400 
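Review bot: The five MCS xguest_u_default_contexts entries retained in this hunk write the login-program side without a level, `system_r:local_login_t xguest_r:xguest_t:s0`, while the MLS guest_u file in the same hunk and the other MCS files on this page use a level on both sides, `system_r:local_login_t:s0 guest_r:guest_t:s0`; unless libselinux is known to ignore a missing range on the left-hand field when matching, those lines should be made consistent, e.g. `system_r:local_login_t:s0 xguest_r:xguest_t:s0` (likewise for remote_login_t, sshd_t, crond_t and xdm_t). The level-less form is only correct for the appconfig-standard variant further down. Separately, this hunk drops the nine-line addition of config/appconfig-mcs/unconfined_u_default_contexts without a replacement, which is equivalent only if refpolicy 3.5.2 already ships that file; the 3.5.2 tree is not visible here, so confirm with `ls serefpolicy-3.5.2/config/appconfig-mcs/unconfined_u_default_contexts` before committing. If it is absent, unconfined_u logins presumably fall through to the generic default_contexts, and the retained root_default_contexts lines show sshd_t now resolving to `unconfined_r:unconfined_t:s0` first, so the effect is likely the same but no longer explicit. The root_default_contexts hunk this anchors on continues past the line it ends on.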
@@ -0,0 +1,5 @@ +system_r:local_login_t xguest_r:xguest_t +system_r:remote_login_t xguest_r:xguest_t +system_r:sshd_t xguest_r:xguest_t +system_r:crond_t xguest_r:xguest_crond_t +system_r:xdm_t xguest_r:xguest_t -diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.5.1/man/man8/ftpd_selinux.8 ---- nsaserefpolicy/man/man8/ftpd_selinux.8 2008-06-12 23:25:09.000000000 -0400 -+++ serefpolicy-3.5.1/man/man8/ftpd_selinux.8 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.5.2/man/man8/ftpd_selinux.8 +--- nsaserefpolicy/man/man8/ftpd_selinux.8 2008-08-04 16:39:58.000000000 -0400 ++++ serefpolicy-3.5.2/man/man8/ftpd_selinux.8 2008-08-05 12:15:11.000000000 -0400 @@ -1,52 +1,65 @@ -.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd Selinux Policy documentation" +.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation" @@ -285,8 +272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 sere +setsebool -P allow_ftpd_use_nfs on .TP system-config-selinux is a GUI tool available to customize SELinux policy settings. --.SH AUTHOR -+.SH AUTHOR + .SH AUTHOR +.PP This manual page was written by Dan Walsh . 
@@ -296,9 +282,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 sere +.PP +selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.5.1/man/man8/httpd_selinux.8 ---- nsaserefpolicy/man/man8/httpd_selinux.8 2008-06-12 23:25:09.000000000 -0400 -+++ serefpolicy-3.5.1/man/man8/httpd_selinux.8 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.5.2/man/man8/httpd_selinux.8 +--- nsaserefpolicy/man/man8/httpd_selinux.8 2008-08-04 16:39:58.000000000 -0400 ++++ serefpolicy-3.5.2/man/man8/httpd_selinux.8 2008-08-05 12:15:11.000000000 -0400 @@ -22,23 +22,19 @@ .EX httpd_sys_content_t @@ -328,9 +314,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 ser .EX httpd_unconfined_script_exec_t .EE -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.5.1/policy/global_tunables ---- nsaserefpolicy/policy/global_tunables 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/global_tunables 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.5.2/policy/global_tunables +--- nsaserefpolicy/policy/global_tunables 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/global_tunables 2008-08-05 12:15:11.000000000 -0400 @@ -34,7 +34,7 @@ ## 
@@ -369,9 +355,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref +gen_tunable(allow_console_login,false) + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.5.1/policy/modules/admin/alsa.te ---- nsaserefpolicy/policy/modules/admin/alsa.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/alsa.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.5.2/policy/modules/admin/alsa.te +--- nsaserefpolicy/policy/modules/admin/alsa.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/alsa.te 2008-08-05 12:15:11.000000000 -0400 @@ -51,6 +51,8 @@ auth_use_nsswitch(alsa_t) @@ -381,9 +367,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te libs_use_ld_so(alsa_t) libs_use_shared_libs(alsa_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.fc serefpolicy-3.5.1/policy/modules/admin/amanda.fc ---- nsaserefpolicy/policy/modules/admin/amanda.fc 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/amanda.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.fc serefpolicy-3.5.2/policy/modules/admin/amanda.fc +--- nsaserefpolicy/policy/modules/admin/amanda.fc 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/amanda.fc 2008-08-05 12:15:11.000000000 -0400 @@ -3,6 +3,7 @@ /etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) /etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0) 
@@ -392,9 +378,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda. /root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.5.1/policy/modules/admin/amanda.te ---- nsaserefpolicy/policy/modules/admin/amanda.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/amanda.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.5.2/policy/modules/admin/amanda.te +--- nsaserefpolicy/policy/modules/admin/amanda.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/amanda.te 2008-08-05 12:15:11.000000000 -0400 @@ -82,8 +82,9 @@ allow amanda_t amanda_config_t:file { getattr read }; @@ -424,9 +410,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda. libs_use_ld_so(amanda_recover_t) libs_use_shared_libs(amanda_recover_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.5.1/policy/modules/admin/anaconda.te ---- nsaserefpolicy/policy/modules/admin/anaconda.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/anaconda.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.5.2/policy/modules/admin/anaconda.te +--- nsaserefpolicy/policy/modules/admin/anaconda.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/anaconda.te 2008-08-05 12:15:11.000000000 -0400 @@ -31,16 +31,11 @@ modutils_domtrans_insmod(anaconda_t) 
@@ -435,7 +421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond -unconfined_domain(anaconda_t) +seutil_domtrans_setsebool(anaconda_t) - unprivuser_home_dir_filetrans_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file }) + unprivuser_home_dir_filetrans_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) optional_policy(` - dmesg_domtrans(anaconda_t) @@ -455,9 +441,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond +optional_policy(` usermanage_domtrans_admin_passwd(anaconda_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.if serefpolicy-3.5.1/policy/modules/admin/bootloader.if ---- nsaserefpolicy/policy/modules/admin/bootloader.if 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/bootloader.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.if serefpolicy-3.5.2/policy/modules/admin/bootloader.if +--- nsaserefpolicy/policy/modules/admin/bootloader.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/bootloader.if 2008-08-05 12:15:11.000000000 -0400 @@ -49,6 +49,11 @@ role $2 types bootloader_t; 
@@ -470,9 +456,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloa ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-3.5.1/policy/modules/admin/bootloader.te ---- nsaserefpolicy/policy/modules/admin/bootloader.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/bootloader.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-3.5.2/policy/modules/admin/bootloader.te +--- nsaserefpolicy/policy/modules/admin/bootloader.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/bootloader.te 2008-08-05 12:15:11.000000000 -0400 @@ -218,3 +218,7 @@ optional_policy(` sysadm_dontaudit_search_home_dirs(bootloader_t) @@ -481,9 +467,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloa +optional_policy(` + unconfined_domain(bootloader_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.5.1/policy/modules/admin/brctl.te ---- nsaserefpolicy/policy/modules/admin/brctl.te 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/brctl.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.5.2/policy/modules/admin/brctl.te +--- nsaserefpolicy/policy/modules/admin/brctl.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/brctl.te 2008-08-05 12:15:11.000000000 -0400 @@ -33,6 +33,8 @@ files_read_etc_files(brctl_t) 
@@ -493,9 +479,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.t libs_use_ld_so(brctl_t) libs_use_shared_libs(brctl_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.5.1/policy/modules/admin/certwatch.te ---- nsaserefpolicy/policy/modules/admin/certwatch.te 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/certwatch.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.5.2/policy/modules/admin/certwatch.te +--- nsaserefpolicy/policy/modules/admin/certwatch.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/certwatch.te 2008-08-05 12:15:11.000000000 -0400 @@ -15,8 +15,19 @@ # # Local policy 
@@ -520,32 +506,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat miscfiles_read_certs(certwatch_t) miscfiles_read_localization(certwatch_t) --apache_exec_modules(certwatch_t) +optional_policy(` -+ apache_exec_modules(certwatch_t) + apache_exec_modules(certwatch_t) +') optional_policy(` - cron_system_entry(certwatch_t,certwatch_exec_t) + cron_system_entry(certwatch_t, certwatch_exec_t) ') + +optional_policy(` + pcscd_stream_connect(certwatch_t) + pcscd_read_pub_files(certwatch_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.5.1/policy/modules/admin/consoletype.te ---- nsaserefpolicy/policy/modules/admin/consoletype.te 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/consoletype.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.5.2/policy/modules/admin/consoletype.te +--- nsaserefpolicy/policy/modules/admin/consoletype.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/consoletype.te 2008-08-05 12:15:11.000000000 -0400 @@ -8,9 +8,11 @@ type consoletype_t; type consoletype_exec_t; -application_executable_file(consoletype_exec_t) --init_domain(consoletype_t,consoletype_exec_t) --init_system_domain(consoletype_t,consoletype_exec_t) +-init_domain(consoletype_t, consoletype_exec_t) +-init_system_domain(consoletype_t, consoletype_exec_t) +#dont transition from initrc -+#init_domain(consoletype_t,consoletype_exec_t) -+#init_system_domain(consoletype_t,consoletype_exec_t) ++#init_domain(consoletype_t, consoletype_exec_t) ++#init_system_domain(consoletype_t, consoletype_exec_t) +application_domain(consoletype_t, consoletype_exec_t) + role system_r types consoletype_t; 
@@ -559,9 +544,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console term_use_all_terms(consoletype_t) init_use_fds(consoletype_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.if serefpolicy-3.5.1/policy/modules/admin/firstboot.if ---- nsaserefpolicy/policy/modules/admin/firstboot.if 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/firstboot.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.if serefpolicy-3.5.2/policy/modules/admin/firstboot.if +--- nsaserefpolicy/policy/modules/admin/firstboot.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/firstboot.if 2008-08-05 12:15:11.000000000 -0400 @@ -141,4 +141,6 @@ ') @@ -569,9 +554,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo + dontaudit $1 firstboot_t:unix_stream_socket { read write }; + ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.5.1/policy/modules/admin/firstboot.te ---- nsaserefpolicy/policy/modules/admin/firstboot.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/firstboot.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.5.2/policy/modules/admin/firstboot.te +--- nsaserefpolicy/policy/modules/admin/firstboot.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/firstboot.te 2008-08-05 12:15:11.000000000 -0400 @@ -35,9 +35,6 @@ allow firstboot_t firstboot_etc_t:file { getattr read }; 
@@ -618,22 +603,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo - domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t) -') ') dnl end TODO -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.5.1/policy/modules/admin/kismet.te ---- nsaserefpolicy/policy/modules/admin/kismet.te 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/kismet.te 2008-07-25 12:35:13.000000000 -0400 -@@ -25,7 +25,8 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.5.2/policy/modules/admin/kismet.te +--- nsaserefpolicy/policy/modules/admin/kismet.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/kismet.te 2008-08-05 12:15:11.000000000 -0400 +@@ -25,7 +25,7 @@ # kismet local policy # -allow kismet_t self:capability { net_admin setuid setgid }; +allow kismet_t self:capability { net_admin net_raw setuid setgid }; -+allow kismet_t self:packet_socket create_socket_perms; + allow kismet_t self:packet_socket create_socket_perms; manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t) - allow kismet_t kismet_log_t:dir setattr; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.5.1/policy/modules/admin/kudzu.te ---- nsaserefpolicy/policy/modules/admin/kudzu.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/kudzu.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.5.2/policy/modules/admin/kudzu.te +--- nsaserefpolicy/policy/modules/admin/kudzu.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/kudzu.te 2008-08-05 12:15:11.000000000 -0400 @@ -21,8 +21,8 @@ # Local policy # 
@@ -692,18 +676,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t -') -allow kudzu_t cupsd_rw_etc_t:dir list_dir_perms; -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.5.1/policy/modules/admin/logrotate.te ---- nsaserefpolicy/policy/modules/admin/logrotate.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/logrotate.te 2008-07-25 12:35:13.000000000 -0400 -@@ -71,6 +71,7 @@ - - fs_search_auto_mountpoints(logrotate_t) - fs_getattr_xattr_fs(logrotate_t) -+fs_list_inotifyfs(logrotate_t) - - mls_file_read_all_levels(logrotate_t) - mls_file_write_all_levels(logrotate_t) -@@ -96,9 +97,11 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.5.2/policy/modules/admin/logrotate.te +--- nsaserefpolicy/policy/modules/admin/logrotate.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/logrotate.te 2008-08-05 12:15:11.000000000 -0400 +@@ -97,6 +97,7 @@ files_read_etc_files(logrotate_t) files_read_etc_runtime_files(logrotate_t) files_read_all_pids(logrotate_t) @@ -711,11 +687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota # Write to /var/spool/slrnpull - should be moved into its own type. files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) -+files_getattr_generic_locks(logrotate_t) - - # cjp: why is this needed? - init_domtrans_script(logrotate_t) -@@ -140,9 +143,8 @@ +@@ -142,9 +143,8 @@ ') optional_policy(` @@ -726,7 +698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota ') optional_policy(` -@@ -184,6 +186,5 @@ +@@ -186,6 +186,5 @@ ') optional_policy(` 
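Review bot: Removing the `fs_list_inotifyfs(logrotate_t)` and `files_getattr_generic_locks(logrotate_t)` additions from the logrotate.te part of the patch is a no-op only if refpolicy 3.5.2 already carries both rules; the replacement header `@@ -97,6 +97,7 @@` in place of `@@ -96,9 +97,11 @@` is consistent with one extra upstream line near the inotifyfs hunk, but nothing on the new side shows the lock-file getattr. Suggest verifying before the rebase is committed: `grep -n 'fs_list_inotifyfs\|files_getattr_generic_locks' serefpolicy-3.5.2/policy/modules/admin/logrotate.te`. If either rule is missing upstream, logrotate presumably regresses to whatever denial each line was originally added for. The logrotate.te hunks are cut at their edges; the enclosing optional_policy blocks are not in view.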
@@ -734,9 +706,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota - squid_domtrans(logrotate_t) + squid_signal(logrotate_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.5.1/policy/modules/admin/logwatch.te ---- nsaserefpolicy/policy/modules/admin/logwatch.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/logwatch.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.5.2/policy/modules/admin/logwatch.te +--- nsaserefpolicy/policy/modules/admin/logwatch.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/logwatch.te 2008-08-05 12:15:11.000000000 -0400 @@ -54,18 +54,19 @@ domain_read_all_domains_state(logwatch_t) @@ -766,9 +738,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc samba_read_log(logwatch_t) + samba_read_share_files(logwatch_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.5.1/policy/modules/admin/mrtg.te ---- nsaserefpolicy/policy/modules/admin/mrtg.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/mrtg.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.5.2/policy/modules/admin/mrtg.te +--- nsaserefpolicy/policy/modules/admin/mrtg.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/mrtg.te 2008-08-05 12:15:11.000000000 -0400 @@ -78,6 +78,7 @@ dev_read_urand(mrtg_t) 
@@ -826,9 +798,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te - dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr; - dontaudit mrtg_t root_t:lnk_file getattr; -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.if serefpolicy-3.5.1/policy/modules/admin/netutils.if ---- nsaserefpolicy/policy/modules/admin/netutils.if 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/netutils.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.if serefpolicy-3.5.2/policy/modules/admin/netutils.if +--- nsaserefpolicy/policy/modules/admin/netutils.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/netutils.if 2008-08-05 12:15:11.000000000 -0400 @@ -124,6 +124,24 @@ ######################################## @@ -854,9 +826,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil ## Execute ping in the ping domain, and ## allow the specified role the ping domain. ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.5.1/policy/modules/admin/netutils.te ---- nsaserefpolicy/policy/modules/admin/netutils.te 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/netutils.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.5.2/policy/modules/admin/netutils.te +--- nsaserefpolicy/policy/modules/admin/netutils.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/netutils.te 2008-08-05 12:15:11.000000000 -0400 @@ -50,6 +50,7 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) 
@@ -976,9 +948,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil -optional_policy(` - nscd_socket_use(traceroute_t) -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.5.1/policy/modules/admin/prelink.te ---- nsaserefpolicy/policy/modules/admin/prelink.te 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/prelink.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.5.2/policy/modules/admin/prelink.te +--- nsaserefpolicy/policy/modules/admin/prelink.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/prelink.te 2008-08-05 12:15:11.000000000 -0400 @@ -26,7 +26,7 @@ # Local policy # @@ -989,7 +961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink allow prelink_t self:fifo_file rw_fifo_file_perms; @@ -40,7 +40,7 @@ - read_lnk_files_pattern(prelink_t,prelink_log_t,prelink_log_t) + read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t) logging_log_filetrans(prelink_t, prelink_log_t, file) -allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom }; 
@@ -1036,9 +1008,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink +optional_policy(` + unconfined_domain(prelink_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.5.1/policy/modules/admin/rpm.fc ---- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/rpm.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.5.2/policy/modules/admin/rpm.fc +--- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/rpm.fc 2008-08-05 12:15:11.000000000 -0400 @@ -11,7 +11,8 @@ /usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -1067,9 +1039,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc # SuSE ifdef(`distro_suse', ` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.5.1/policy/modules/admin/rpm.if ---- nsaserefpolicy/policy/modules/admin/rpm.if 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/rpm.if 2008-07-25 16:04:50.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.5.2/policy/modules/admin/rpm.if +--- nsaserefpolicy/policy/modules/admin/rpm.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/rpm.if 2008-08-05 12:15:11.000000000 -0400 @@ -152,6 +152,24 @@ ######################################## 
@@ -1173,9 +1145,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ') files_search_tmp($1) -+ manage_dirs_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t) - manage_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t) -+ manage_lnk_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t) ++ manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) + manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) ++ manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) +') + +######################################## @@ -1194,8 +1166,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + type rpm_script_tmp_t; + ') + -+ read_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t) -+ read_lnk_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t) ++ read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) ++ read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) ') ######################################## @@ -1307,8 +1279,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + + fs_search_tmpfs($1) + allow $1 rpm_tmpfs_t:dir list_dir_perms; -+ rw_files_pattern($1,rpm_tmpfs_t,rpm_tmpfs_t) -+ read_lnk_files_pattern($1,rpm_tmpfs_t,rpm_tmpfs_t) ++ rw_files_pattern($1, rpm_tmpfs_t, rpm_tmpfs_t) ++ read_lnk_files_pattern($1, rpm_tmpfs_t, rpm_tmpfs_t) +') + +######################################## 
@@ -1357,9 +1329,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + dontaudit $1 rpm_var_run_t:file write_file_perms; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.5.1/policy/modules/admin/rpm.te ---- nsaserefpolicy/policy/modules/admin/rpm.te 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/rpm.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.5.2/policy/modules/admin/rpm.te +--- nsaserefpolicy/policy/modules/admin/rpm.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/rpm.te 2008-08-05 12:15:11.000000000 -0400 @@ -31,6 +31,9 @@ files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; @@ -1371,34 +1343,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te type rpm_script_exec_t; domain_obj_id_change_exemption(rpm_script_t) 
@@ -89,6 +92,9 @@ - manage_files_pattern(rpm_t,rpm_var_lib_t,rpm_var_lib_t) - files_var_lib_filetrans(rpm_t,rpm_var_lib_t,dir) + manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) + files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) -+manage_files_pattern(rpm_t,rpm_var_run_t,rpm_var_run_t) -+files_pid_filetrans(rpm_t,rpm_var_run_t, file) ++manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) ++files_pid_filetrans(rpm_t, rpm_var_run_t, file) + kernel_read_system_state(rpm_t) kernel_read_kernel_sysctls(rpm_t) -@@ -179,7 +185,17 @@ +@@ -179,10 +185,20 @@ ') optional_policy(` -- hal_dbus_chat(rpm_t) -+ optional_policy(` -+ hal_dbus_chat(rpm_t) -+ ') -+ + optional_policy(` + hal_dbus_chat(rpm_t) + ') + + optional_policy(` + networkmanager_dbus_chat(rpm_t) + ') + + optional_policy(` -+ dbus_system_domain(rpm_t,rpm_exec_t) ++ dbus_system_domain(rpm_t, rpm_exec_t) + ') ++') ++ ++optional_policy(` + prelink_domtrans(rpm_t) ') - optional_policy(` @@ -190,6 +206,7 @@ unconfined_domain(rpm_t) # yum-updatesd requires this @@ -1444,9 +1418,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te optional_policy(` usermanage_domtrans_groupadd(rpm_script_t) usermanage_domtrans_useradd(rpm_script_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.5.1/policy/modules/admin/su.if ---- nsaserefpolicy/policy/modules/admin/su.if 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/su.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.5.2/policy/modules/admin/su.if +--- nsaserefpolicy/policy/modules/admin/su.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/su.if 2008-08-05 12:15:11.000000000 -0400 @@ -41,15 +41,13 @@ allow $2 $1_su_t:process signal; 
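Review bot: The new `optional_policy` blocks that add `networkmanager_dbus_chat(rpm_t)` and `dbus_system_domain(rpm_t, rpm_exec_t)` carry no comment naming which rpm-side component needs a NetworkManager conversation and, by the interface's name, a system-bus domain identity, while the nearby context `# yum-updatesd requires this` shows this file already records rationale for wide grants. Record it next to the `dbus_system_domain` call, e.g. `# rpm_t registers on the system bus — TODO name the consumer (yum-updatesd?)`. The surrounding `optional_policy(`` these blocks are nested in is opened on a context line and closed by the added `++')`, with `prelink_domtrans(rpm_t)` moved into its own top-level block; that matches the 3.5.2 context shown, but it means the rebased hunk now relies on upstream already nesting the hal block.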
@@ -1516,7 +1490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s # Transition from the user domain to this domain. domtrans_pattern($2, su_exec_t, $1_su_t) @@ -188,7 +186,7 @@ - corecmd_shell_domtrans($1_su_t,$2) + corecmd_shell_domtrans($1_su_t, $2) allow $2 $1_su_t:fd use; allow $2 $1_su_t:fifo_file rw_file_perms; - allow $2 $1_su_t:process sigchld; @@ -1528,7 +1502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s # needed for pam_rootok selinux_compute_access_vector($1_su_t) -- auth_domtrans_user_chk_passwd($1,$1_su_t) +- auth_domtrans_user_chk_passwd($1, $1_su_t) + auth_run_chk_passwd($1_su_t, $3, { $1_tty_device_t $1_devpts_t }) auth_dontaudit_read_shadow($1_su_t) auth_use_nsswitch($1_su_t) @@ -1552,10 +1526,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s miscfiles_read_localization($1_su_t) -- userdom_use_user_terminals($1,$1_su_t) +- userdom_use_user_terminals($1, $1_su_t) + sysadm_search_home_dirs($1_su_t) - userdom_search_user_home_dirs($1,$1_su_t) -+ userdom_use_user_terminals($1,$1_su_t) + userdom_search_user_home_dirs($1, $1_su_t) ++ userdom_use_user_terminals($1, $1_su_t) ifdef(`distro_rhel4',` domain_role_change_exemption($1_su_t) 
@@ -1574,9 +1548,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ') ####################################### -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.5.1/policy/modules/admin/sudo.if ---- nsaserefpolicy/policy/modules/admin/sudo.if 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/sudo.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.5.2/policy/modules/admin/sudo.if +--- nsaserefpolicy/policy/modules/admin/sudo.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/sudo.if 2008-08-05 12:15:11.000000000 -0400 @@ -55,7 +55,7 @@ # @@ -1598,8 +1572,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if domtrans_pattern($2, sudo_exec_t, $1_sudo_t) # By default, revert to the calling domain when a shell is executed. - corecmd_shell_domtrans($1_sudo_t,$2) -+ corecmd_bin_domtrans($1_sudo_t,$2) + corecmd_shell_domtrans($1_sudo_t, $2) ++ corecmd_bin_domtrans($1_sudo_t, $2) allow $2 $1_sudo_t:fd use; allow $2 $1_sudo_t:fifo_file rw_file_perms; allow $2 $1_sudo_t:process sigchld; @@ -1642,10 +1616,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if miscfiles_read_localization($1_sudo_t) -- userdom_manage_user_home_content_files($1,$1_sudo_t) -- userdom_manage_user_home_content_symlinks($1,$1_sudo_t) -- userdom_manage_user_tmp_files($1,$1_sudo_t) -- userdom_manage_user_tmp_symlinks($1,$1_sudo_t) +- userdom_manage_user_home_content_files($1, $1_sudo_t) +- userdom_manage_user_home_content_symlinks($1, $1_sudo_t) +- userdom_manage_user_tmp_files($1, $1_sudo_t) +- userdom_manage_user_tmp_symlinks($1, $1_sudo_t) + mta_per_role_template($1, $1_sudo_t, $3) + + unprivuser_manage_home_content_files($1_sudo_t) 
@@ -1659,8 +1633,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if + ') + unprivuser_manage_tmp_files($1_sudo_t) + unprivuser_manage_tmp_symlinks($1_sudo_t) -+ userdom_exec_user_home_content_files($1,$1_sudo_t) - userdom_use_user_terminals($1,$1_sudo_t) ++ userdom_exec_user_home_content_files($1, $1_sudo_t) + userdom_use_user_terminals($1, $1_sudo_t) userdom_use_unpriv_users_fds($1_sudo_t) # for some PAM modules and for cwd + sysadm_search_home_content_dirs($1_sudo_t) @@ -1689,10 +1663,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if + term_relabel_all_user_ttys($1_sudo_t) + term_relabel_all_user_ptys($1_sudo_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.5.1/policy/modules/admin/tmpreaper.te ---- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/tmpreaper.te 2008-07-31 07:13:29.000000000 -0400 -@@ -22,12 +22,18 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.5.2/policy/modules/admin/tmpreaper.te +--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/tmpreaper.te 2008-08-05 16:24:46.000000000 -0400 +@@ -22,12 +22,16 @@ dev_read_urand(tmpreaper_t) fs_getattr_xattr_fs(tmpreaper_t) 
@@ -1706,14 +1680,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap +files_getattr_lost_found_dirs(tmpreaper_t) +files_getattr_all_dirs(tmpreaper_t) +files_getattr_all_files(tmpreaper_t) -+files_delete_usr_dirs(tmpreaper_t) -+files_delete_usr_files(tmpreaper_t) mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -42,6 +48,23 @@ +@@ -42,6 +46,26 @@ - cron_system_entry(tmpreaper_t,tmpreaper_exec_t) + cron_system_entry(tmpreaper_t, tmpreaper_exec_t) +userdom_delete_all_users_home_content_dirs(tmpreaper_t) +userdom_delete_all_users_home_content_files(tmpreaper_t) @@ -1735,9 +1707,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap lpd_manage_spool(tmpreaper_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.5.1/policy/modules/admin/usermanage.te ---- nsaserefpolicy/policy/modules/admin/usermanage.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/usermanage.te 2008-07-25 12:35:13.000000000 -0400 ++optional_policy(` ++ unconfined_domain(tmpreaper_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.5.2/policy/modules/admin/usermanage.te +--- nsaserefpolicy/policy/modules/admin/usermanage.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/usermanage.te 2008-08-05 12:15:11.000000000 -0400 @@ -97,6 +97,7 @@ # allow checking if a shell is executable 
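Review bot: The rebased patch drops the targeted `files_delete_usr_dirs(tmpreaper_t)` / `files_delete_usr_files(tmpreaper_t)` rules in this hunk and, in the following `@@ -1735` hunk, adds `optional_policy(` unconfined_domain(tmpreaper_t) ')`, which trades two narrow delete permissions for full unconfinement of a cron-run reaper (`cron_system_entry(tmpreaper_t, tmpreaper_exec_t)` is visible in the same hunk) whenever the unconfined module is loaded. If the intent is only to let tmpreaper remove stale entries under /usr, the two `files_delete_usr_*` lines should stay and the `unconfined_domain` block go; if unconfinement is really wanted, the reason the specific interfaces were insufficient belongs in a comment, e.g. `# TODO: unconfined grants far more than tmpreaper needs; replace with files_delete_* interfaces`. Because the grant sits in `optional_policy`, the effective confinement of tmpreaper also differs between builds with and without the unconfined module, which is worth stating at the same place.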
@@ -1808,9 +1783,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
 +optional_policy(`
 + unconfined_domain(useradd_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.5.1/policy/modules/admin/vbetool.te
---- nsaserefpolicy/policy/modules/admin/vbetool.te 2008-06-12 23:25:08.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/admin/vbetool.te 2008-07-25 12:35:13.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.5.2/policy/modules/admin/vbetool.te
+--- nsaserefpolicy/policy/modules/admin/vbetool.te 2008-08-04 16:39:57.000000000 -0400
++++ serefpolicy-3.5.2/policy/modules/admin/vbetool.te 2008-08-05 12:15:11.000000000 -0400
 @@ -23,6 +23,9 @@
 dev_rwx_zero(vbetool_t)
 dev_read_sysfs(vbetool_t)
@@ -1830,9 +1805,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool
 + xserver_exec_pid(vbetool_t)
 + xserver_write_pid(vbetool_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.5.1/policy/modules/admin/vpn.if
---- nsaserefpolicy/policy/modules/admin/vpn.if 2008-06-12 23:25:08.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/admin/vpn.if 2008-07-25 12:35:13.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.5.2/policy/modules/admin/vpn.if
+--- nsaserefpolicy/policy/modules/admin/vpn.if 2008-08-04 16:39:57.000000000 -0400
++++ serefpolicy-3.5.2/policy/modules/admin/vpn.if 2008-08-05 12:15:11.000000000 -0400
 @@ -48,6 +48,7 @@
 vpn_domtrans($1)
 role $2 types vpnc_t;
@@ -1841,9 +1816,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.5.1/policy/modules/admin/vpn.te ---- nsaserefpolicy/policy/modules/admin/vpn.te 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/vpn.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.5.2/policy/modules/admin/vpn.te +--- nsaserefpolicy/policy/modules/admin/vpn.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/admin/vpn.te 2008-08-05 12:15:11.000000000 -0400 @@ -22,9 +22,10 @@ # Local policy # @@ -1865,64 +1840,104 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te sysnet_etc_filetrans_config(vpnc_t) sysnet_manage_config(vpnc_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.5.1/policy/modules/apps/ethereal.fc ---- nsaserefpolicy/policy/modules/apps/ethereal.fc 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/ethereal.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.5.2/policy/modules/apps/ethereal.fc +--- nsaserefpolicy/policy/modules/apps/ethereal.fc 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/ethereal.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -1,4 +1,4 @@
 -HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ROLE_ethereal_home_t,s0)
-+HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:user_ethereal_home_t,s0)
++HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ethereal_home_t,s0)
 /usr/sbin/ethereal.* -- gen_context(system_u:object_r:ethereal_exec_t,s0)
 /usr/sbin/tethereal.* -- gen_context(system_u:object_r:tethereal_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.if serefpolicy-3.5.1/policy/modules/apps/ethereal.if
---- nsaserefpolicy/policy/modules/apps/ethereal.if 2008-06-12 23:25:03.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/apps/ethereal.if 2008-07-25 12:35:13.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.if serefpolicy-3.5.2/policy/modules/apps/ethereal.if
+--- nsaserefpolicy/policy/modules/apps/ethereal.if 2008-08-04 16:39:51.000000000 -0400
++++ serefpolicy-3.5.2/policy/modules/apps/ethereal.if 2008-08-05 12:15:11.000000000 -0400
@@ -35,6 +35,7 @@ template(`ethereal_per_role_template',` gen_require(` -+ type user_ethereal_home_t, user_ethereal_tmp_t; ++ type ethereal_home_t, ethereal_tmp_t; type ethereal_exec_t; ') -@@ -48,12 +49,10 @@ - application_domain($1_ethereal_t,ethereal_exec_t) +@@ -48,12 +49,8 @@ + application_domain($1_ethereal_t, ethereal_exec_t) role $3 types $1_ethereal_t; - type $1_ethereal_home_t alias $1_ethereal_rw_t; - files_poly_member($1_ethereal_home_t) -- userdom_user_home_content($1,$1_ethereal_home_t) +- userdom_user_home_content($1, $1_ethereal_home_t) - - type $1_ethereal_tmp_t; - files_tmp_file($1_ethereal_tmp_t) -+ ifelse(`$1',`user',`',` -+ typealias user_ethereal_home_t alias $1_ethereal_home_t; -+ typealias user_ethereal_tmp_t alias $1_ethereal_tmp_t; -+ ') ++ typealias ethereal_home_t alias $1_ethereal_home_t; ++ typealias ethereal_tmp_t alias $1_ethereal_tmp_t; type $1_ethereal_tmpfs_t; files_tmpfs_file($1_ethereal_tmpfs_t) -@@ -134,7 +133,7 @@ +@@ -78,15 +75,15 @@ + corecmd_search_bin($1_ethereal_t) + + # /home/.ethereal +- manage_dirs_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t) +- manage_files_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t) +- manage_lnk_files_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t) +- userdom_user_home_dir_filetrans($1, $1_ethereal_t, $1_ethereal_home_t, dir) ++ manage_dirs_pattern($1_ethereal_t, ethereal_home_t, ethereal_home_t) ++ manage_files_pattern($1_ethereal_t, ethereal_home_t, ethereal_home_t) ++ manage_lnk_files_pattern($1_ethereal_t, ethereal_home_t, ethereal_home_t) ++ userdom_user_home_dir_filetrans($1, $1_ethereal_t, ethereal_home_t, dir) + + # Store temporary files +- manage_dirs_pattern($1_ethereal_t, $1_ethereal_tmp_t, $1_ethereal_tmp_t) +- manage_files_pattern($1_ethereal_t, $1_ethereal_tmp_t, $1_ethereal_tmp_t) +- files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file }) ++ manage_dirs_pattern($1_ethereal_t, ethereal_tmp_t, ethereal_tmp_t) ++ 
manage_files_pattern($1_ethereal_t, ethereal_tmp_t, ethereal_tmp_t) ++ files_tmp_filetrans($1_ethereal_t, ethereal_tmp_t, { dir file }) + + manage_dirs_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t) + manage_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t) +@@ -99,12 +96,12 @@ + allow $1_ethereal_t $2:fd use; + allow $1_ethereal_t $2:process sigchld; + +- manage_dirs_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t) +- manage_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t) +- manage_lnk_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t) +- relabel_dirs_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t) +- relabel_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t) +- relabel_lnk_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t) ++ manage_dirs_pattern($2, ethereal_home_t, ethereal_home_t) ++ manage_files_pattern($2, ethereal_home_t, ethereal_home_t) ++ manage_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t) ++ relabel_dirs_pattern($2, ethereal_home_t, ethereal_home_t) ++ relabel_files_pattern($2, ethereal_home_t, ethereal_home_t) ++ relabel_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t) + + kernel_read_kernel_sysctls($1_ethereal_t) + kernel_read_system_state($1_ethereal_t) +@@ -134,7 +131,7 @@ sysnet_read_config($1_ethereal_t) -- userdom_manage_user_home_content_files($1,$1_ethereal_t) +- userdom_manage_user_home_content_files($1, $1_ethereal_t) + unprivuser_manage_home_content_files($1_ethereal_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($1_ethereal_t) -@@ -152,28 +151,11 @@ +@@ -152,28 +149,11 @@ nscd_socket_use($1_ethereal_t) ') - # Manual transition from userhelper - optional_policy(` -- userhelper_use_user_fd($1,$1_ethereal_t) -- userhelper_sigchld_user($1,$1_ethereal_t) +- userhelper_use_user_fd($1, $1_ethereal_t) +- userhelper_sigchld_user($1, $1_ethereal_t) - ') - optional_policy(` - 
xserver_user_x_domain_template($1,$1_ethereal,$1_ethereal_t,$1_ethereal_tmpfs_t) + xserver_user_x_domain_template($1, $1_ethereal, $1_ethereal_t, $1_ethereal_tmpfs_t) xserver_create_xdm_tmp_sockets($1_ethereal_t) ') @@ -1940,71 +1955,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal ') ####################################### -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.5.1/policy/modules/apps/ethereal.te ---- nsaserefpolicy/policy/modules/apps/ethereal.te 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/ethereal.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.5.2/policy/modules/apps/ethereal.te +--- nsaserefpolicy/policy/modules/apps/ethereal.te 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/ethereal.te 2008-08-05 12:15:11.000000000 -0400 
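Review bot: Collapsing `$1_ethereal_home_t` and `$1_ethereal_tmp_t` into the single `ethereal_home_t` / `ethereal_tmp_t` types (aliased per instantiation in `ethereal_per_role_template`) removes the per-role separation of `~/.ethereal` contents and `/tmp` capture files: every role's `$1_ethereal_t` now runs `manage_*_pattern` on the same type, and each role's `$2` user domain gets manage and relabel rights on it too. That may be the intended trade-off, but nothing in the template says so; add a comment at the two `typealias` lines, e.g. `# ethereal_home_t/ethereal_tmp_t are shared by every role instantiation; capture files are not separated per role`. Dropping the earlier `ifelse(`$1',`user',...)` guard is correct now that the shared type is no longer a `$1`-prefixed name, so no self-alias can occur. The template body continues past the end of this hunk.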
@@ -16,6 +16,13 @@ type tethereal_tmp_t; files_tmp_file(tethereal_tmp_t) -+type user_ethereal_home_t; -+files_poly_member(user_ethereal_home_t) -+userdom_user_home_content(user,user_ethereal_home_t) ++type ethereal_home_t; ++files_poly_member(ethereal_home_t) ++userdom_user_home_content(user, ethereal_home_t) + -+type user_ethereal_tmp_t; -+files_tmp_file(user_ethereal_tmp_t) ++type ethereal_tmp_t; ++files_tmp_file(ethereal_tmp_t) + ######################################## # # Tethereal policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolution.fc serefpolicy-3.5.1/policy/modules/apps/evolution.fc ---- nsaserefpolicy/policy/modules/apps/evolution.fc 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/evolution.fc 2008-07-25 12:35:13.000000000 -0400 -@@ -2,13 +2,13 @@ - # HOME_DIR/ - # - --HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:ROLE_evolution_home_t,s0) --HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:ROLE_evolution_home_t,s0) -+HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:user_evolution_home_t,s0) -+HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:user_evolution_home_t,s0) - - # - # /tmp - # --/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:ROLE_evolution_exchange_tmp_t,s0) -+/tmp/\.exchange-USER(/.*)? 
gen_context(system_u:object_r:user_evolution_exchange_tmp_t,s0) - - # - # /usr -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolution.if serefpolicy-3.5.1/policy/modules/apps/evolution.if ---- nsaserefpolicy/policy/modules/apps/evolution.if 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/evolution.if 2008-07-25 12:35:13.000000000 -0400 -@@ -236,9 +236,9 @@ - udev_read_state($1_evolution_t) - - userdom_rw_user_tmp_files($1,$1_evolution_t) -- userdom_manage_user_tmp_dirs($1,$1_evolution_t) -- userdom_manage_user_tmp_sockets($1,$1_evolution_t) -- userdom_manage_user_tmp_files($1,$1_evolution_t) -+ unprivuser_manage_tmp_dirs($1_evolution_t) -+ unprivuser_manage_tmp_sockets($1_evolution_t) -+ unprivuser_manage_tmp_files($1_evolution_t) - userdom_use_user_terminals($1, $1_evolution_t) - # FIXME: suppress access to .local/.icons/.themes until properly implemented - # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) -@@ -370,7 +370,7 @@ - tunable_policy(`write_untrusted_content',` - files_search_home($1_evolution_t) - -- userdom_manage_user_untrusted_content_files($1,$1_evolution_t) -+ unprivuser_manage_untrusted_content_files($1_evolution_t) - userdom_user_home_dir_filetrans($1,$1_evolution_t,$1_untrusted_content_tmp_t, { file dir }) - userdom_user_home_content_filetrans($1,$1_evolution_t,$1_untrusted_content_tmp_t, { file dir }) - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.if serefpolicy-3.5.1/policy/modules/apps/games.if ---- nsaserefpolicy/policy/modules/apps/games.if 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/games.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.if serefpolicy-3.5.2/policy/modules/apps/games.if +--- nsaserefpolicy/policy/modules/apps/games.if 2008-08-04 16:39:51.000000000 -0400 ++++ 
serefpolicy-3.5.2/policy/modules/apps/games.if 2008-08-05 12:15:11.000000000 -0400 @@ -130,10 +130,10 @@ sysnet_read_config($1_games_t) 
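Review bot: `userdom_user_home_content(user, ethereal_home_t)` in ethereal.te registers the now role-shared type with the hard-coded `user` prefix, whereas the template in ethereal.if maps every role's home directory onto it through `userdom_user_home_dir_filetrans($1, $1_ethereal_t, ethereal_home_t, dir)`. Whether the prefix argument has any effect beyond the `user` role's home-content grouping is not visible here; if it does, other roles' `~/.ethereal` would be treated as home content only by accident, so this should be checked against the userdom interface definition and the outcome noted, e.g. `# shared across roles; 'user' prefix only satisfies the interface — TODO confirm`. The rest of this hunk removes the evolution.fc/evolution.if changes from the patch and is history.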
@@ -2041,97 +2011,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.if + type games_data_t; + ') + -+ rw_files_pattern($1,games_data_t, games_data_t) ++ rw_files_pattern($1, games_data_t, games_data_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.fc serefpolicy-3.5.1/policy/modules/apps/gift.fc ---- nsaserefpolicy/policy/modules/apps/gift.fc 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/gift.fc 2008-07-25 12:35:13.000000000 -0400 -@@ -1,4 +1,4 @@ --HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:ROLE_gift_home_t,s0) -+HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:user_gift_home_t,s0) - - /usr/(local/)?bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0) - /usr/(local/)?bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.if serefpolicy-3.5.1/policy/modules/apps/gift.if ---- nsaserefpolicy/policy/modules/apps/gift.if 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/gift.if 2008-07-25 12:35:13.000000000 -0400 -@@ -43,9 +43,9 @@ - application_domain($1_gift_t,gift_exec_t) - role $3 types $1_gift_t; - -- type $1_gift_home_t alias $1_gift_rw_t; -- files_poly_member($1_gift_home_t) -- userdom_user_home_content($1,$1_gift_home_t) -+ ifelse(`$1',`user',`',` -+ typealias user_gift_home_t alias $1_gift_home_t; -+ ') - - type $1_gift_tmpfs_t; - files_tmpfs_file($1_gift_tmpfs_t) -@@ -67,10 +67,10 @@ - manage_sock_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t) - fs_tmpfs_filetrans($1_gift_t,$1_gift_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) - -- manage_dirs_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t) -- manage_files_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t) -- manage_lnk_files_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t) -- userdom_user_home_dir_filetrans($1,$1_gift_t,$1_gift_home_t,dir) -+ 
manage_dirs_pattern($1_gift_t,user_gift_home_t,user_gift_home_t) -+ manage_files_pattern($1_gift_t,user_gift_home_t,user_gift_home_t) -+ manage_lnk_files_pattern($1_gift_t,user_gift_home_t,user_gift_home_t) -+ userdom_user_home_dir_filetrans($1,$1_gift_t,user_gift_home_t,dir) - - # Launch gift daemon - domtrans_pattern($1_gift_t, giftd_exec_t, $1_giftd_t) -@@ -79,12 +79,12 @@ - domtrans_pattern($2, gift_exec_t, $1_gift_t) - - # user managed content -- manage_dirs_pattern($2,$1_gift_home_t,$1_gift_home_t) -- manage_files_pattern($2,$1_gift_home_t,$1_gift_home_t) -- manage_lnk_files_pattern($2,$1_gift_home_t,$1_gift_home_t) -- relabel_dirs_pattern($2,$1_gift_home_t,$1_gift_home_t) -- relabel_files_pattern($2,$1_gift_home_t,$1_gift_home_t) -- relabel_lnk_files_pattern($2,$1_gift_home_t,$1_gift_home_t) -+ manage_dirs_pattern($2,user_gift_home_t,user_gift_home_t) -+ manage_files_pattern($2,user_gift_home_t,user_gift_home_t) -+ manage_lnk_files_pattern($2,user_gift_home_t,user_gift_home_t) -+ relabel_dirs_pattern($2,user_gift_home_t,user_gift_home_t) -+ relabel_files_pattern($2,user_gift_home_t,user_gift_home_t) -+ relabel_lnk_files_pattern($2,user_gift_home_t,user_gift_home_t) - - # Allow the user domain to signal/ps. 
- ps_process_pattern($2,$1_gift_t) -@@ -143,10 +143,10 @@ - allow $1_giftd_t self:tcp_socket create_stream_socket_perms; - allow $1_giftd_t self:udp_socket create_socket_perms; - -- manage_dirs_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t) -- manage_files_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t) -- manage_lnk_files_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t) -- userdom_user_home_dir_filetrans($1,$1_giftd_t,$1_gift_home_t,dir) -+ manage_dirs_pattern($1_giftd_t,user_gift_home_t,user_gift_home_t) -+ manage_files_pattern($1_giftd_t,user_gift_home_t,user_gift_home_t) -+ manage_lnk_files_pattern($1_giftd_t,user_gift_home_t,user_gift_home_t) -+ userdom_user_home_dir_filetrans($1,$1_giftd_t,user_gift_home_t,dir) - - domtrans_pattern($2, giftd_exec_t, $1_giftd_t) - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.te serefpolicy-3.5.1/policy/modules/apps/gift.te ---- nsaserefpolicy/policy/modules/apps/gift.te 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/gift.te 2008-07-25 12:35:13.000000000 -0400 -@@ -11,3 +11,7 @@ - - type giftd_exec_t; - application_executable_file(giftd_exec_t) -+ -+type user_gift_home_t alias user_gift_rw_t; -+userdom_user_home_content(user,user_gift_home_t) -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.5.1/policy/modules/apps/gnome.fc ---- nsaserefpolicy/policy/modules/apps/gnome.fc 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/gnome.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.5.2/policy/modules/apps/gnome.fc +--- nsaserefpolicy/policy/modules/apps/gnome.fc 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/gnome.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -1,8 +1,9 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:ROLE_gnome_home_t,s0) -HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:ROLE_gconf_home_t,s0) @@ -2148,9 +2033,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +# Don't use because toolchain is broken +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.5.1/policy/modules/apps/gnome.if ---- nsaserefpolicy/policy/modules/apps/gnome.if 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/gnome.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.5.2/policy/modules/apps/gnome.if +--- nsaserefpolicy/policy/modules/apps/gnome.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/gnome.if 2008-08-05 12:15:11.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` type gconfd_exec_t, gconf_etc_t; @@ -2159,12 +2044,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ') ############################## -@@ -44,41 +45,32 @@ - # - type $1_gconfd_t, gnomedomain; - -- application_domain($1_gconfd_t, gconfd_exec_t) -+ application_domain($1_gconfd_t, gconfd_exec_t) +@@ -47,14 +48,9 @@ + application_domain($1_gconfd_t, gconfd_exec_t) role $3 types $1_gconfd_t; - type $1_gconf_home_t; 
@@ -2181,43 +2062,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ############################## # - # Local Policy - # -- +@@ -64,21 +60,18 @@ allow $1_gconfd_t self:process getsched; -- allow $1_gconfd_t self:fifo_file rw_fifo_file_perms; -+ allow $1_gconfd_t self:fifo_file rw_fifo_file_perms; + allow $1_gconfd_t self:fifo_file rw_fifo_file_perms; -- manage_dirs_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t) -- manage_files_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t) +- manage_dirs_pattern($1_gconfd_t, $1_gconf_home_t, $1_gconf_home_t) +- manage_files_pattern($1_gconfd_t, $1_gconf_home_t, $1_gconf_home_t) - userdom_user_home_dir_filetrans($1, $1_gconfd_t, $1_gconf_home_t, dir) - -- manage_dirs_pattern($1_gconfd_t,$1_gconf_tmp_t,$1_gconf_tmp_t) -- manage_files_pattern($1_gconfd_t,$1_gconf_tmp_t,$1_gconf_tmp_t) -- userdom_user_tmp_filetrans($1,$1_gconfd_t,$1_gconf_tmp_t,{ dir file }) +- manage_dirs_pattern($1_gconfd_t, $1_gconf_tmp_t, $1_gconf_tmp_t) +- manage_files_pattern($1_gconfd_t, $1_gconf_tmp_t, $1_gconf_tmp_t) +- userdom_user_tmp_filetrans($1, $1_gconfd_t, $1_gconf_tmp_t, { dir file }) - - domain_auto_trans($2, gconfd_exec_t, $1_gconfd_t) - allow $1_gconfd_t $2:fd use; - allow $1_gconfd_t $2:fifo_file write; - allow $1_gconfd_t $2:unix_stream_socket connectto; -+ manage_dirs_pattern($1_gconfd_t,gconf_home_t,gconf_home_t) -+ manage_files_pattern($1_gconfd_t,gconf_home_t,gconf_home_t) ++ manage_dirs_pattern($1_gconfd_t, gconf_home_t, gconf_home_t) ++ manage_files_pattern($1_gconfd_t, gconf_home_t, gconf_home_t) - allow $1_gconfd_t gconf_etc_t:dir list_dir_perms; -- read_files_pattern($1_gconfd_t,gconf_etc_t,gconf_etc_t) -+ manage_dirs_pattern($1_gconfd_t,gconf_tmp_t,gconf_tmp_t) -+ manage_files_pattern($1_gconfd_t,gconf_tmp_t,gconf_tmp_t) +- read_files_pattern($1_gconfd_t, gconf_etc_t, gconf_etc_t) ++ manage_dirs_pattern($1_gconfd_t, gconf_tmp_t, gconf_tmp_t) ++ manage_files_pattern($1_gconfd_t, 
gconf_tmp_t, gconf_tmp_t) + userdom_user_home_dir_filetrans($1, $1_gconfd_t, gconf_home_t, dir) -+ userdom_user_tmp_filetrans($1,$1_gconfd_t,gconf_tmp_t,{ dir file }) -+ userdom_tmp_filetrans_user_tmp($1,$1_gconfd_t,dir) ++ userdom_user_tmp_filetrans($1, $1_gconfd_t, gconf_tmp_t, { dir file }) ++ userdom_tmp_filetrans_user_tmp($1, $1_gconfd_t, dir) + + domtrans_pattern($2, gconfd_exec_t, $1_gconfd_t) + allow $1_gconfd_t $2:unix_stream_socket connectto; + allow $2 $1_gconfd_t:unix_stream_socket connectto; - ps_process_pattern($2,$1_gconfd_t) + ps_process_pattern($2, $1_gconfd_t) -@@ -86,6 +78,10 @@ +@@ -86,6 +79,10 @@ files_read_etc_files($1_gconfd_t) 
@@ -2228,43 +2106,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if libs_use_ld_so($1_gconfd_t) libs_use_shared_libs($1_gconfd_t) -@@ -93,11 +89,8 @@ +@@ -93,11 +90,8 @@ logging_send_syslog_msg($1_gconfd_t) - userdom_manage_user_tmp_sockets($1, $1_gconfd_t) -- userdom_manage_user_tmp_dirs($1,$1_gconfd_t) -- userdom_tmp_filetrans_user_tmp($1,$1_gconfd_t,dir) +- userdom_manage_user_tmp_dirs($1, $1_gconfd_t) +- userdom_tmp_filetrans_user_tmp($1, $1_gconfd_t,dir) - -- gnome_stream_connect_gconf_template($1,$2) +- gnome_stream_connect_gconf_template($1, $2) + unprivuser_manage_tmp_sockets($1_gconfd_t) + unprivuser_manage_tmp_dirs($1_gconfd_t) optional_policy(` nscd_dontaudit_search_pid($1_gconfd_t) -@@ -107,6 +100,10 @@ +@@ -107,6 +101,10 @@ xserver_use_xdm_fds($1_gconfd_t) xserver_rw_xdm_pipes($1_gconfd_t) ') + +# optional_policy(` -+# mozilla_stream_connect_template($1,$1_gconfd_t) ++# mozilla_stream_connect_template($1, $1_gconfd_t) +# ') ') ######################################## -@@ -128,11 +125,28 @@ +@@ -127,20 +125,39 @@ + # template(`gnome_stream_connect_gconf_template',` gen_require(` - type $1_gconfd_t; -- type $1_gconf_tmp_t; -+ type gconf_tmp_t; +- type $1_gconfd_t, $1_gconf_tmp_t; ++ type $1_gconfd_t, gconf_tmp_t; ') -- read_files_pattern($2,$1_gconf_tmp_t,$1_gconf_tmp_t) -- allow $2 $1_gconfd_t:unix_stream_socket connectto; -+') -+ + read_files_pattern($2, $1_gconf_tmp_t, $1_gconf_tmp_t) + allow $2 $1_gconfd_t:unix_stream_socket connectto; + ') + + +######################################## +## @@ -2282,10 +2160,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if + ') + + allow $1 gnomedomain:process signal; - ') - ++') ++ ######################################## -@@ -141,7 +155,7 @@ + ## + ## Run gconfd in the role-specific gconfd domain. ## ## ##
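Review bot: In gnome_stream_connect_gconf_template the gen_require now asks for `type $1_gconfd_t, gconf_tmp_t;` but the body kept as context still reads `read_files_pattern($2, $1_gconf_tmp_t, $1_gconf_tmp_t)`, so the template references a role-prefixed type it no longer requires (and, judging by the declarations hunk earlier in this file, presumably no longer declares); the line should become `read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)`. Once that is done `$1` no longer scopes the tmp type, so a caller in any role can read every role's gconf_tmp_t, which is worth a line in the template's header comment. In the same hunk `unprivuser_manage_tmp_sockets($1_gconfd_t)` and `unprivuser_manage_tmp_dirs($1_gconfd_t)` replace the `userdom_manage_user_tmp_*($1, …)` calls, which grants every role's gconfd access to the unprivileged user's tmp regardless of `$1`; if that is intended a comment should say so. The gnome.fc hunk earlier in this file comments out the gconfd_exec_t context for /usr/libexec/gconfd-2, so the gconfd domain transition may not fire at all until that label is restored.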

@@ -2294,7 +2173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ##

##

## This is a templated interface, and should only -@@ -170,6 +184,30 @@ +@@ -169,6 +186,30 @@ ######################################## ##

@@ -2325,7 +2204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ## manage gnome homedir content (.config) ## ## -@@ -186,9 +224,29 @@ +@@ -185,9 +226,29 @@ # template(`gnome_manage_user_gnome_config',` gen_require(` @@ -2358,9 +2237,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if + can_exec($1, gconfd_exec_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.5.1/policy/modules/apps/gnome.te ---- nsaserefpolicy/policy/modules/apps/gnome.te 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/gnome.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.5.2/policy/modules/apps/gnome.te +--- nsaserefpolicy/policy/modules/apps/gnome.te 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/gnome.te 2008-08-05 12:15:11.000000000 -0400 @@ -8,8 +8,34 @@ attribute gnomedomain; @@ -2399,12 +2278,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te +# Local Policy +# + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.5.1/policy/modules/apps/gpg.fc ---- nsaserefpolicy/policy/modules/apps/gpg.fc 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/gpg.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.5.2/policy/modules/apps/gpg.fc +--- nsaserefpolicy/policy/modules/apps/gpg.fc 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/gpg.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -1,9 +1,9 @@ -HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0) -+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:user_gpg_secret_t,s0) ++HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) -/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) +/usr/bin/gpg2? -- gen_context(system_u:object_r:gpg_exec_t,s0) 
@@ -2416,48 +2295,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s -/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) +/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) +/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.5.1/policy/modules/apps/gpg.if ---- nsaserefpolicy/policy/modules/apps/gpg.if 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/gpg.if 2008-07-25 12:35:13.000000000 -0400 -@@ -38,6 +38,10 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.5.2/policy/modules/apps/gpg.if +--- nsaserefpolicy/policy/modules/apps/gpg.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/gpg.if 2008-08-05 12:15:11.000000000 -0400 +@@ -37,6 +37,9 @@ + template(`gpg_per_role_template',` gen_require(` - type gpg_exec_t, gpg_helper_exec_t; - type gpg_agent_exec_t, pinentry_exec_t; + type gpg_exec_t, gpg_helper_exec_t, gpg_agent_exec_t, pinentry_exec_t; + type gpg_t, gpg_helper_t; + type gpg_agent_t, gpg_pinentry_t; -+ type user_gpg_agent_tmp_t; -+ type user_gpg_secret_t; ++ type gpg_agent_tmp_t, gpg_secret_t; ') ######################################## -@@ -45,290 +49,62 @@ +@@ -44,290 +47,60 @@ # Declarations # - type $1_gpg_t; -- application_domain($1_gpg_t,gpg_exec_t) +- application_domain($1_gpg_t, gpg_exec_t) - role $3 types $1_gpg_t; - - type $1_gpg_agent_t; -- application_domain($1_gpg_agent_t,gpg_agent_exec_t) +- application_domain($1_gpg_agent_t, gpg_agent_exec_t) - role $3 types $1_gpg_agent_t; - - type $1_gpg_agent_tmp_t; - files_tmp_file($1_gpg_agent_tmp_t) - - type $1_gpg_secret_t; -- userdom_user_home_content($1,$1_gpg_secret_t) +- userdom_user_home_content($1, $1_gpg_secret_t) - - type $1_gpg_helper_t; -- 
application_domain($1_gpg_helper_t,gpg_helper_exec_t) +- application_domain($1_gpg_helper_t, gpg_helper_exec_t) - role $3 types $1_gpg_helper_t; - - type $1_gpg_pinentry_t; -- application_domain($1_gpg_pinentry_t,pinentry_exec_t) +- application_domain($1_gpg_pinentry_t, pinentry_exec_t) - role $3 types $1_gpg_pinentry_t; -+ typealias gpg_t alias $1_gpg_t; -+ role $3 types gpg_t; - +- - ######################################## - # - # GPG local policy @@ -2472,18 +2348,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s - allow $1_gpg_t self:tcp_socket create_stream_socket_perms; - - # transition from the gpg domain to the helper domain -- domtrans_pattern($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t) +- domtrans_pattern($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t) - -- manage_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t) -- manage_lnk_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t) +- manage_files_pattern($1_gpg_t, $1_gpg_secret_t, $1_gpg_secret_t) +- manage_lnk_files_pattern($1_gpg_t, $1_gpg_secret_t, $1_gpg_secret_t) - allow $1_gpg_t $1_gpg_secret_t:dir create_dir_perms; - userdom_user_home_dir_filetrans($1, $1_gpg_t, $1_gpg_secret_t, dir) - - # transition from the userdomain to the derived domain -- domtrans_pattern($2,gpg_exec_t,$1_gpg_t) +- domtrans_pattern($2, gpg_exec_t, $1_gpg_t) - - # allow ps to show gpg -- ps_process_pattern($2,$1_gpg_t) +- ps_process_pattern($2, $1_gpg_t) - - corenet_all_recvfrom_unlabeled($1_gpg_t) - corenet_all_recvfrom_netlabel($1_gpg_t) 
@@ -2498,17 +2374,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s - - dev_read_rand($1_gpg_t) - dev_read_urand($1_gpg_t) -+ typealias gpg_agent_t alias $1_gpg_agent_t; -+ role $3 types gpg_agent_t; - +- - fs_getattr_xattr_fs($1_gpg_t) -+ typealias gpg_helper_t alias $1_gpg_helper_t; -+ role $3 types gpg_helper_t; - +- - domain_use_interactive_fds($1_gpg_t) -+ typealias gpg_pinentry_t alias $1_gpg_pinentry_t; -+ role $3 types gpg_pinentry_t; - +- - files_read_etc_files($1_gpg_t) - files_read_usr_files($1_gpg_t) - files_dontaudit_search_var($1_gpg_t) @@ -2519,18 +2389,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s - miscfiles_read_localization($1_gpg_t) - - logging_send_syslog_msg($1_gpg_t) -- ++ typealias gpg_t alias $1_gpg_t; ++ role $3 types gpg_t; + - sysnet_read_config($1_gpg_t) -- -- userdom_use_user_terminals($1,$1_gpg_t) -- ++ typealias gpg_agent_t alias $1_gpg_agent_t; ++ role $3 types gpg_agent_t; + +- userdom_use_user_terminals($1, $1_gpg_t) ++ typealias gpg_helper_t alias $1_gpg_helper_t; ++ role $3 types gpg_helper_t; + - optional_policy(` - nis_use_ypbind($1_gpg_t) -+ ifelse(`$1',`user',`',` -+ typealias user_gpg_agent_tmp_t alias $1_gpg_agent_tmp_t; -+ typealias user_gpg_secret_t alias $1_gpg_secret_t; - ') - +- ') +- - ifdef(`TODO',` - # Read content to encrypt/decrypt/sign - read_content($1_gpg_t, $1) @@ -2557,7 +2430,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s - allow $1_gpg_helper_t $2:fifo_file write; - - dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read; -- ++ typealias gpg_pinentry_t alias $1_gpg_pinentry_t; ++ role $3 types gpg_pinentry_t; + - corenet_all_recvfrom_unlabeled($1_gpg_helper_t) - corenet_all_recvfrom_netlabel($1_gpg_helper_t) - corenet_tcp_sendrecv_all_if($1_gpg_helper_t) 
@@ -2577,7 +2452,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s - files_read_etc_files($1_gpg_helper_t) - # for nscd - files_dontaudit_search_var($1_gpg_helper_t) -- ++ typealias gpg_agent_tmp_t alias $1_gpg_agent_tmp_t; ++ typealias gpg_secret_t alias $1_gpg_secret_t; + - libs_use_ld_so($1_gpg_helper_t) - libs_use_shared_libs($1_gpg_helper_t) - @@ -2601,7 +2478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s - # GPG agent local policy - # + # transition from the userdomain to the derived domain -+ domtrans_pattern($2,gpg_exec_t,gpg_t) ++ domtrans_pattern($2, gpg_exec_t, gpg_t) - # rlimit: gpg-agent wants to prevent coredumps - allow $1_gpg_agent_t self:process setrlimit; 
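Review bot: `typealias gpg_secret_t alias $1_gpg_secret_t;` and `typealias gpg_agent_tmp_t alias $1_gpg_agent_tmp_t;` are now emitted unconditionally where the previous version guarded them with `ifelse(`$1',`user',…)`; that is consistent now that the base types are no longer named user_*, but it makes explicit that every role's ~/.gnupg keyring is a single gpg_secret_t and every role's gpg runs as the single gpg_t (the -2498, -2519 and -2557 hunks above do the same for gpg_t, gpg_agent_t, gpg_helper_t and gpg_pinentry_t). The only per-role effect left in gpg_per_role_template is `role $3 types …` plus the `userdom_use_user_terminals($1, …)` calls, so at the type-enforcement level staff and sysadm gpg processes can manage each other's secret keys (MLS/UBAC aside). That appears to be a deliberate design change in the patch, but the template's header comment should state it so callers do not assume the old isolation, e.g. `# gpg_t, gpg_agent_t, gpg_helper_t, gpg_pinentry_t and gpg_secret_t are shared by all roles; $1 only selects terminal access`. The template header is outside this hunk.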
@@ -2613,15 +2490,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s + allow $2 gpg_t:process signal_perms; - # Allow the gpg-agent to manage its tmp files (socket) -- manage_dirs_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t) -- manage_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t) -- manage_sock_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t) +- manage_dirs_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t) +- manage_files_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t) +- manage_sock_files_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t) - files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir }) - - # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) -- manage_dirs_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t) -- manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t) -- manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t) +- manage_dirs_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t) +- manage_files_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t) +- manage_lnk_files_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t) + # Thunderbird leaks descriptors + dontaudit gpg_t $2:tcp_socket rw_socket_perms; + dontaudit gpg_t $2:udp_socket rw_socket_perms; 
@@ -2632,20 +2509,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s + dontaudit gpg_t $2:unix_stream_socket rw_socket_perms; - # allow gpg to connect to the gpg agent -- stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t) +- stream_connect_pattern($1_gpg_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t, $1_gpg_agent_t) + # allow ps to show gpg -+ ps_process_pattern($2,gpg_t) ++ ps_process_pattern($2, gpg_t) # allow ps to show gpg-agent - ps_process_pattern($2,$1_gpg_agent_t) + ps_process_pattern($2, $1_gpg_agent_t) # Allow the user shell to signal the gpg-agent program. - allow $2 $1_gpg_agent_t:process { signal sigkill signull }; - - # Allow the user to manage gpg-agent tmp files (socket) -- manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t) -- manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t) -- manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t) +- manage_dirs_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t) +- manage_files_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t) +- manage_sock_files_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t) - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t) 
@@ -2660,28 +2537,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s - miscfiles_read_localization($1_gpg_agent_t) + allow $2 gpg_agent_t:process signal_perms; -+ userdom_use_user_terminals($1,gpg_t) ++ userdom_use_user_terminals($1, gpg_t) # Write to the user domain tty. -- userdom_use_user_terminals($1,$1_gpg_agent_t) +- userdom_use_user_terminals($1, $1_gpg_agent_t) - # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) -- userdom_search_user_home_dirs($1,$1_gpg_agent_t) +- userdom_search_user_home_dirs($1, $1_gpg_agent_t) - - tunable_policy(`gpg_agent_env_file',` - # write ~/.gpg-agent-info or a similar to the users home dir - # or subdir (gpg-agent --write-env-file option) - # -- userdom_user_home_dir_filetrans_user_home_content($1,$1_gpg_agent_t,file) -- userdom_manage_user_home_content_dirs($1,$1_gpg_agent_t) -- userdom_manage_user_home_content_files($1,$1_gpg_agent_t) +- userdom_user_home_dir_filetrans_user_home_content($1, $1_gpg_agent_t, file) +- userdom_manage_user_home_content_dirs($1, $1_gpg_agent_t) +- userdom_manage_user_home_content_files($1, $1_gpg_agent_t) - ') -- ++ userdom_use_user_terminals($1, gpg_agent_t) + - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_gpg_agent_t) - fs_manage_nfs_files($1_gpg_agent_t) - fs_manage_nfs_symlinks($1_gpg_agent_t) - ') -+ userdom_use_user_terminals($1,gpg_agent_t) - +- - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_gpg_agent_t) - fs_manage_cifs_files($1_gpg_agent_t) @@ -2698,7 +2575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s - - # we need to allow gpg-agent to call pinentry so it can get the passphrase - # from the user. -- domtrans_pattern($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t) +- domtrans_pattern($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t) - - # read /proc/meminfo - kernel_read_system_state($1_gpg_pinentry_t) 
@@ -2714,7 +2591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s - miscfiles_read_localization($1_gpg_pinentry_t) - - # for .Xauthority -- userdom_read_user_home_content_files($1,$1_gpg_pinentry_t) +- userdom_read_user_home_content_files($1, $1_gpg_pinentry_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files($1_gpg_pinentry_t) 
@@ -2751,46 +2628,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s - dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search }; - ') dnl end TODO -+ manage_dirs_pattern($2,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t) -+ manage_files_pattern($2,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t) -+ manage_sock_files_pattern($2,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t) ++ manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) ++ manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) ++ manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.5.1/policy/modules/apps/gpg.te ---- nsaserefpolicy/policy/modules/apps/gpg.te 2008-07-10 11:38:45.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/gpg.te 2008-07-25 12:35:13.000000000 -0400 -@@ -15,15 +15,251 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.5.2/policy/modules/apps/gpg.te +--- nsaserefpolicy/policy/modules/apps/gpg.te 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/gpg.te 2008-08-05 12:15:11.000000000 -0400 +@@ -15,15 +15,248 @@ gen_tunable(gpg_agent_env_file, false) # Type for gpg or pgp executables. +type gpg_t; type gpg_exec_t; -+application_domain(gpg_t,gpg_exec_t) ++application_domain(gpg_t, gpg_exec_t) + +type gpg_helper_t; type gpg_helper_exec_t; -application_executable_file(gpg_exec_t) -application_executable_file(gpg_helper_exec_t) -+application_domain(gpg_helper_t,gpg_helper_exec_t) ++application_domain(gpg_helper_t, gpg_helper_exec_t) # Type for the gpg-agent executable. 
+type gpg_agent_t; type gpg_agent_exec_t; -application_executable_file(gpg_agent_exec_t) -+application_domain(gpg_agent_t,gpg_agent_exec_t) ++application_domain(gpg_agent_t, gpg_agent_exec_t) # type for the pinentry executable +type gpg_pinentry_t; type pinentry_exec_t; -application_executable_file(pinentry_exec_t) -+application_domain(gpg_pinentry_t,pinentry_exec_t) ++application_domain(gpg_pinentry_t, pinentry_exec_t) + -+type user_gpg_agent_tmp_t; -+files_tmp_file(user_gpg_agent_tmp_t) ++type gpg_agent_tmp_t; ++files_tmp_file(gpg_agent_tmp_t) + -+type user_gpg_secret_t; -+userdom_user_home_content(user,user_gpg_secret_t) ++type gpg_secret_t; ++userdom_user_home_content(user, gpg_secret_t) + +######################################## +# @@ -2805,17 +2682,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s +allow gpg_t self:fifo_file rw_fifo_file_perms; +allow gpg_t self:tcp_socket create_stream_socket_perms; + -+manage_files_pattern(gpg_t,user_gpg_secret_t,user_gpg_secret_t) -+manage_lnk_files_pattern(gpg_t,user_gpg_secret_t,user_gpg_secret_t) -+allow gpg_t user_gpg_secret_t:dir create_dir_perms; ++manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) ++manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) ++allow gpg_t gpg_secret_t:dir create_dir_perms; +unprivuser_home_dir_filetrans_home_content(gpg_t, file) -+unprivuser_home_dir_filetrans(gpg_t, user_gpg_secret_t, dir) ++unprivuser_home_dir_filetrans(gpg_t, gpg_secret_t, dir) +unprivuser_manage_home_content_files(gpg_t) +unprivuser_manage_tmp_files(gpg_t) +unprivuser_stream_connect(gpg_t) + +# transition from the gpg domain to the helper domain -+domtrans_pattern(gpg_t,gpg_helper_exec_t,gpg_helper_t) ++domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) + +corenet_all_recvfrom_unlabeled(gpg_t) +corenet_all_recvfrom_netlabel(gpg_t) 
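Review bot: `userdom_user_home_content(user, gpg_secret_t)` hard-codes the `user` prefix for a type that gpg_per_role_template aliases to `$1_gpg_secret_t` for every role, so the shared secret-key type is registered as unprivileged-user home content only; together with `unprivuser_home_dir_filetrans(gpg_t, gpg_secret_t, dir)` and `unprivuser_manage_home_content_files(gpg_t)` in the -2805 hunk sharing this line, a gpg_t process started from any role presumably gets filetrans and manage rights over the unprivileged user's home content. If that is intended, a comment above the declaration should say so; if not, the filetrans/manage rules belong in the per-role template keyed on `$1`. The -2925 hunk further down repeats the three `manage_*_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)` lines under the comment `# allow gpg to connect to the gpg agent`, where only `stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)` belongs; the duplicated triple should be dropped.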
@@ -2864,7 +2741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s +allow gpg_helper_t self:tcp_socket { connect connected_socket_perms }; +allow gpg_helper_t self:udp_socket { connect connected_socket_perms }; + -+dontaudit gpg_helper_t user_gpg_secret_t:file read; ++dontaudit gpg_helper_t gpg_secret_t:file read; + +corenet_all_recvfrom_unlabeled(gpg_helper_t) +corenet_all_recvfrom_netlabel(gpg_helper_t) 
@@ -2925,21 +2802,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s +allow gpg_agent_t self:fifo_file rw_fifo_file_perms; + +# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) -+manage_dirs_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t) -+manage_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t) -+manage_lnk_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t) ++manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) ++manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) ++manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) + +# allow gpg to connect to the gpg agent -+manage_dirs_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t) -+manage_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t) -+manage_lnk_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t) ++manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) ++manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) ++manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) + -+stream_connect_pattern(gpg_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t,gpg_agent_t) ++stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) + -+manage_dirs_pattern(gpg_agent_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t) -+manage_files_pattern(gpg_agent_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t) -+manage_sock_files_pattern(gpg_agent_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t) -+files_tmp_filetrans(gpg_agent_t, user_gpg_agent_tmp_t, { file sock_file dir }) ++manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) ++manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) ++manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) ++files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) + +corecmd_search_bin(gpg_agent_t) + 
@@ -2969,7 +2846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s + # write ~/.gpg-agent-info or a similar to the users home dir + # or subdir (gpg-agent --write-env-file option) + # -+ unprivuser_home_dir_filetrans_home_content(gpg_agent_t,file) ++ unprivuser_home_dir_filetrans_home_content(gpg_agent_t, file) + unprivuser_manage_home_content_dirs(gpg_agent_t) + unprivuser_manage_home_content_files(gpg_agent_t) +') @@ -2984,7 +2861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s + +# we need to allow gpg-agent to call pinentry so it can get the passphrase +# from the user. -+domtrans_pattern(gpg_agent_t,pinentry_exec_t,gpg_pinentry_t) ++domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) + +# read /proc/meminfo +kernel_read_system_state(gpg_pinentry_t) 
@@ -3013,95 +2890,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s +optional_policy(` + xserver_stream_connect_xdm_xserver(gpg_pinentry_t) +') -+ -+ -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.5.1/policy/modules/apps/irc.fc ---- nsaserefpolicy/policy/modules/apps/irc.fc 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/irc.fc 2008-07-25 12:35:13.000000000 -0400 -@@ -1,7 +1,7 @@ - # - # /home - # --HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:ROLE_irc_home_t,s0) -+HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:user_irc_home_t,s0) - - # - # /usr -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if serefpolicy-3.5.1/policy/modules/apps/irc.if ---- nsaserefpolicy/policy/modules/apps/irc.if 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/irc.if 2008-07-25 12:35:13.000000000 -0400 -@@ -35,6 +35,7 @@ - template(`irc_per_role_template',` - gen_require(` - type irc_exec_t; -+ type user_irc_home_t, user_irc_tmp_t; - ') - - ######################################## -@@ -50,12 +51,11 @@ - userdom_user_home_content($1,$1_irc_exec_t) - application_domain($1_irc_t,$1_irc_exec_t) - -- type $1_irc_home_t; -- userdom_user_home_content($1,$1_irc_home_t) -+ ifelse(`$1',`user',`',` -+ typealias user_irc_home_t alias $1_irc_home_t; -+ typealias user_irc_tmp_t alias $1_irc_tmp_t; -+ ') - -- type $1_irc_tmp_t; -- userdom_user_home_content($1,$1_irc_tmp_t) -- - ######################################## - # - # Local policy -@@ -65,18 +65,18 @@ - allow $1_irc_t self:tcp_socket create_socket_perms; - allow $1_irc_t self:udp_socket create_socket_perms; - -- manage_dirs_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t) -- manage_files_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t) -- manage_lnk_files_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t) -- userdom_user_home_dir_filetrans($1,$1_irc_t,$1_irc_home_t,{ dir 
file lnk_file }) -+ manage_dirs_pattern($1_irc_t,user_irc_home_t,user_irc_home_t) -+ manage_files_pattern($1_irc_t,user_irc_home_t,user_irc_home_t) -+ manage_lnk_files_pattern($1_irc_t,user_irc_home_t,user_irc_home_t) -+ userdom_user_home_dir_filetrans($1,$1_irc_t,user_irc_home_t,{ dir file lnk_file }) - - # access files under /tmp -- manage_dirs_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t) -- manage_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t) -- manage_lnk_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t) -- manage_fifo_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t) -- manage_sock_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t) -- files_tmp_filetrans($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file }) -+ manage_dirs_pattern($1_irc_t,user_irc_tmp_t,user_irc_tmp_t) -+ manage_files_pattern($1_irc_t,user_irc_tmp_t,user_irc_tmp_t) -+ manage_lnk_files_pattern($1_irc_t,user_irc_tmp_t,user_irc_tmp_t) -+ manage_fifo_files_pattern($1_irc_t,user_irc_tmp_t,user_irc_tmp_t) -+ manage_sock_files_pattern($1_irc_t,user_irc_tmp_t,user_irc_tmp_t) -+ files_tmp_filetrans($1_irc_t,user_irc_tmp_t,{ file dir lnk_file sock_file fifo_file }) - - # Transition from the user domain to the derived domain. 
- domtrans_pattern($2,irc_exec_t,$1_irc_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te serefpolicy-3.5.1/policy/modules/apps/irc.te ---- nsaserefpolicy/policy/modules/apps/irc.te 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/irc.te 2008-07-25 12:35:13.000000000 -0400 -@@ -8,3 +8,10 @@ - - type irc_exec_t; - application_executable_file(irc_exec_t) -+ -+type user_irc_home_t; -+userdom_user_home_content(user,user_irc_home_t) -+ -+type user_irc_tmp_t; -+userdom_user_home_content(user,user_irc_tmp_t) -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.5.1/policy/modules/apps/java.fc ---- nsaserefpolicy/policy/modules/apps/java.fc 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/java.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.5.2/policy/modules/apps/java.fc +--- nsaserefpolicy/policy/modules/apps/java.fc 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/java.fc 2008-08-05 12:15:11.000000000 -0400 @@ -3,14 +3,15 @@ # /opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) 
@@ -3133,9 +2924,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc +/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.5.1/policy/modules/apps/java.if ---- nsaserefpolicy/policy/modules/apps/java.if 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/java.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.5.2/policy/modules/apps/java.if +--- nsaserefpolicy/policy/modules/apps/java.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/java.if 2008-08-05 12:15:11.000000000 -0400 @@ -32,7 +32,7 @@ ##
## @@ -3161,22 +2952,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if + allow $1_t $1_javaplugin_t:unix_stream_socket connectto; allow $1_javaplugin_t $2:unix_stream_socket connectto; - allow $1_javaplugin_t $2:unix_stream_socket { read write }; -- userdom_write_user_tmp_sockets($1,$1_javaplugin_t) +- userdom_write_user_tmp_sockets($1, $1_javaplugin_t) + allow $1_javaplugin_t $2:tcp_socket { read write }; - manage_dirs_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t) - manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t) - files_tmp_filetrans($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir }) + manage_dirs_pattern($1_javaplugin_t, $1_javaplugin_tmp_t, $1_javaplugin_tmp_t) + manage_files_pattern($1_javaplugin_t, $1_javaplugin_tmp_t, $1_javaplugin_tmp_t) + files_tmp_filetrans($1_javaplugin_t, $1_javaplugin_tmp_t, { file dir }) + allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute; - manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t) - manage_lnk_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t) + manage_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t) + manage_lnk_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t) @@ -76,14 +79,9 @@ - manage_sock_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t) - fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ file lnk_file sock_file fifo_file }) + manage_sock_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t) + fs_tmpfs_filetrans($1_javaplugin_t, $1_javaplugin_tmpfs_t, { file lnk_file sock_file fifo_file }) -- rw_files_pattern($1_javaplugin_t,$1_home_t,$1_home_t) -- read_files_pattern($1_javaplugin_t,$1_home_t,$1_home_t) +- rw_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t) +- read_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t) - can_exec($1_javaplugin_t, java_exec_t) 
@@ -3226,25 +3017,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if - sysnet_read_config($1_javaplugin_t) - + unprivuser_manage_home_content_files($1_javaplugin_t) - userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t) - userdom_dontaudit_setattr_user_home_content_files($1,$1_javaplugin_t) - userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t) -- userdom_manage_user_home_content_dirs($1,$1_javaplugin_t) -- userdom_manage_user_home_content_files($1,$1_javaplugin_t) -- userdom_manage_user_home_content_symlinks($1,$1_javaplugin_t) -- userdom_manage_user_home_content_pipes($1,$1_javaplugin_t) -- userdom_manage_user_home_content_sockets($1,$1_javaplugin_t) -- userdom_user_home_dir_filetrans_user_home_content($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file }) + userdom_dontaudit_use_user_terminals($1, $1_javaplugin_t) + userdom_dontaudit_setattr_user_home_content_files($1, $1_javaplugin_t) + userdom_dontaudit_exec_user_home_content_files($1, $1_javaplugin_t) +- userdom_manage_user_home_content_dirs($1, $1_javaplugin_t) +- userdom_manage_user_home_content_files($1, $1_javaplugin_t) +- userdom_manage_user_home_content_symlinks($1, $1_javaplugin_t) +- userdom_manage_user_home_content_pipes($1, $1_javaplugin_t) +- userdom_manage_user_home_content_sockets($1, $1_javaplugin_t) +- userdom_user_home_dir_filetrans_user_home_content($1, $1_javaplugin_t, { file lnk_file sock_file fifo_file }) + unprivuser_manage_tmp_dirs($1_javaplugin_t) + unprivuser_manage_tmp_files($1_javaplugin_t) + unprivuser_manage_tmp_sockets($1_javaplugin_t) -+ userdom_read_user_tmpfs_files($1,$1_javaplugin_t) ++ userdom_read_user_tmpfs_files($1, $1_javaplugin_t) + unprivuser_manage_home_content_dirs($1_javaplugin_t) + unprivuser_manage_home_content_files($1_javaplugin_t) + unprivuser_manage_home_content_symlinks($1_javaplugin_t) + unprivuser_manage_home_content_pipes($1_javaplugin_t) + unprivuser_manage_home_content_sockets($1_javaplugin_t) -+ 
unprivuser_home_dir_filetrans_home_content($1_javaplugin_t,{ file lnk_file sock_file fifo_file }) ++ unprivuser_home_dir_filetrans_home_content($1_javaplugin_t, { file lnk_file sock_file fifo_file }) tunable_policy(`allow_java_execstack',` allow $1_javaplugin_t self:process execstack; @@ -3259,16 +3050,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if optional_policy(` - nis_use_ypbind($1_javaplugin_t) -+ xserver_user_x_domain_template($1,$1_javaplugin,$1_javaplugin_t,$1_javaplugin_tmpfs_t) ++ xserver_user_x_domain_template($1, $1_javaplugin, $1_javaplugin_t, $1_javaplugin_tmpfs_t) ') - optional_policy(` - nscd_socket_use($1_javaplugin_t) -- ') -+') + ') - optional_policy(` -- xserver_user_x_domain_template($1,$1_javaplugin,$1_javaplugin_t,$1_javaplugin_tmpfs_t) +- xserver_user_x_domain_template($1, $1_javaplugin, $1_javaplugin_t, $1_javaplugin_tmpfs_t) +####################################### +## +## The per role template for the java module. @@ -3303,7 +3093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if + + type $1_java_t; + domain_type($1_java_t) -+ domain_entry_file($1_java_t,java_exec_t) ++ domain_entry_file($1_java_t, java_exec_t) + role $3 types $1_java_t; + + domain_interactive_fd($1_java_t) @@ -3357,7 +3147,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if + type java_exec_t; + ') + -+ domain_trans($1,java_exec_t,$2) ++ domain_trans($1, java_exec_t, $2) + type_transition $1 java_exec_t:process $2; +') + 
@@ -3392,9 +3182,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if + allow java_t $3:chr_file rw_term_perms; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.5.1/policy/modules/apps/java.te ---- nsaserefpolicy/policy/modules/apps/java.te 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/java.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.5.2/policy/modules/apps/java.te +--- nsaserefpolicy/policy/modules/apps/java.te 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/java.te 2008-08-05 12:15:11.000000000 -0400 @@ -6,16 +6,10 @@ # Declarations # @@ -3404,11 +3194,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te -## Allow java executable stack -##

-## --gen_tunable(allow_java_execstack,false) +-gen_tunable(allow_java_execstack, false) - type java_t; type java_exec_t; - init_system_domain(java_t,java_exec_t) + init_system_domain(java_t, java_exec_t) +typealias java_t alias unconfined_java_t; ######################################## @@ -3420,40 +3210,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te -allow java_t self:process { execstack execmem execheap }; +allow java_t self:process { getsched sigkill execheap execmem execstack }; --init_dbus_chat_script(java_t) +optional_policy(` -+ init_dbus_chat_script(java_t) + init_dbus_chat_script(java_t) + optional_policy(` + hal_dbus_chat(java_t) + ') -+ -+ optional_policy(` -+ unconfined_dbus_chat(java_t) -+ ') + + optional_policy(` +- unconfined_domain_noaudit(java_t) + unconfined_dbus_chat(java_t) + ') +') + +optional_policy(` + rpm_domtrans(java_t) +') - - optional_policy(` - unconfined_domain_noaudit(java_t) -- unconfined_dbus_chat(java_t) - ') ++ ++optional_policy(` ++ unconfined_domain_noaudit(java_t) ++') + +optional_policy(` + xserver_xdm_rw_shm(java_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.5.1/policy/modules/apps/livecd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.5.2/policy/modules/apps/livecd.fc --- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/apps/livecd.fc 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/livecd.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -0,0 +1,2 @@ + +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.5.1/policy/modules/apps/livecd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.5.2/policy/modules/apps/livecd.if --- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/apps/livecd.if 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/livecd.if 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,56 @@ + +## policy for livecd @@ -3474,7 +3263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i + type livecd_exec_t; + ') + -+ domtrans_pattern($1,livecd_exec_t,livecd_t) ++ domtrans_pattern($1, livecd_exec_t, livecd_t) +') + + @@ -3511,9 +3300,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i + seutil_run_setfiles_mac(livecd_t, $2, $3) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.5.1/policy/modules/apps/livecd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.5.2/policy/modules/apps/livecd.te --- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/apps/livecd.te 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/livecd.te 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,26 @@ +policy_module(livecd, 1.0.0) + 
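Review bot: The unconditional `allow java_t self:process { getsched sigkill execheap execmem execstack };` at the top of this hunk now sits alongside `unconfined_domain_noaudit(java_t)`, which the rewrite moves into its own optional_policy block, while the preceding hunk removes `gen_tunable(allow_java_execstack, false)` from java.te even though java.if's plugin template still wraps its execstack grant in `tunable_policy(`allow_java_execstack',`; where that tunable is now declared is not visible in this chunk. If the unconfined interface's exec-memory permissions are gated by booleans (not visible here), this line exempts java_t — aliased `unconfined_java_t` in the earlier hunk — from that gating, so it deserves either the same gate, `tunable_policy(`allow_java_execstack',` allow java_t self:process { execheap execmem execstack }; ')`, or a comment stating the intent, e.g. `# java_t is unconfined: exec-memory permissions are granted unconditionally rather than via allow_java_execstack`. The type and alias declarations for java_t are in the previous hunk, outside this one.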
@@ -3541,9 +3330,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.t +') + +seutil_domtrans_setfiles_mac(livecd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.5.1/policy/modules/apps/loadkeys.te ---- nsaserefpolicy/policy/modules/apps/loadkeys.te 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/loadkeys.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.5.2/policy/modules/apps/loadkeys.te +--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/loadkeys.te 2008-08-05 12:15:11.000000000 -0400 @@ -32,7 +32,6 @@ term_dontaudit_use_console(loadkeys_t) term_use_unallocated_ttys(loadkeys_t) @@ -3560,9 +3349,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys +unprivuser_dontaudit_write_home_content_files(loadkeys_t) +unprivuser_dontaudit_list_home_dirs(loadkeys_t) +sysadm_dontaudit_list_home_dirs(loadkeys_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.5.1/policy/modules/apps/mono.if ---- nsaserefpolicy/policy/modules/apps/mono.if 2008-07-10 11:38:45.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/mono.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.5.2/policy/modules/apps/mono.if +--- nsaserefpolicy/policy/modules/apps/mono.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/mono.if 2008-08-05 12:15:11.000000000 -0400 @@ -21,7 +21,106 @@ ######################################## 
@@ -3649,7 +3438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if + + type $1_mono_t; + domain_type($1_mono_t) -+ domain_entry_file($1_mono_t,mono_exec_t) ++ domain_entry_file($1_mono_t, mono_exec_t) + role $3 types $1_mono_t; + + domain_interactive_fd($1_mono_t) @@ -3671,7 +3460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if ##
## ## -@@ -31,9 +130,10 @@ +@@ -31,7 +130,7 @@ # interface(`mono_exec',` gen_require(` @@ -3680,12 +3469,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if ') corecmd_search_bin($1) - can_exec($1, mono_exec_t) - ') -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.5.1/policy/modules/apps/mono.te ---- nsaserefpolicy/policy/modules/apps/mono.te 2008-07-10 11:38:45.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/mono.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.5.2/policy/modules/apps/mono.te +--- nsaserefpolicy/policy/modules/apps/mono.te 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/mono.te 2008-08-05 12:15:11.000000000 -0400 @@ -15,7 +15,7 @@ # Local policy # @@ -3703,20 +3489,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te +optional_policy(` + xserver_xdm_rw_shm(mono_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.5.1/policy/modules/apps/mozilla.fc ---- nsaserefpolicy/policy/modules/apps/mozilla.fc 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/mozilla.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.5.2/policy/modules/apps/mozilla.fc +--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/mozilla.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -1,8 +1,8 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -+HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:user_mozilla_home_t,s0) -+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:user_mozilla_home_t,s0) -+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:user_mozilla_home_t,s0) -+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:user_mozilla_home_t,s0) -+HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:user_mozilla_home_t,s0) ++HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) # # /bin 
@@ -3734,35 +3520,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.5.1/policy/modules/apps/mozilla.if ---- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/mozilla.if 2008-07-28 08:47:56.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.5.2/policy/modules/apps/mozilla.if +--- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/mozilla.if 2008-08-05 16:28:26.000000000 -0400 
@@ -35,7 +35,10 @@ template(`mozilla_per_role_template',` gen_require(` type mozilla_conf_t, mozilla_exec_t; -+ type user_mozilla_home_t, user_mozilla_tmp_t; ++ type mozilla_home_t, mozilla_tmp_t; ') -+ gen_tunable(browser_confine_$1,false) -+ gen_tunable(browser_write_$1_data,false) ++ gen_tunable(browser_confine_$1, false) ++ gen_tunable(browser_write_$1_data, false) ######################################## # -@@ -45,20 +48,26 @@ - application_domain($1_mozilla_t,mozilla_exec_t) +@@ -45,20 +48,24 @@ + application_domain($1_mozilla_t, mozilla_exec_t) role $3 types $1_mozilla_t; - type $1_mozilla_home_t alias $1_mozilla_rw_t; - files_poly_member($1_mozilla_home_t) -- userdom_user_home_content($1,$1_mozilla_home_t) +- userdom_user_home_content($1, $1_mozilla_home_t) - type $1_mozilla_tmpfs_t; files_tmpfs_file($1_mozilla_tmpfs_t) -+ ifelse(`$1',`user',`',` -+ typealias user_mozilla_home_t alias $1_mozilla_home_t; -+ typealias user_mozilla_tmp_t alias $1_mozilla_tmp_t; -+ ') ++ typealias mozilla_home_t alias $1_mozilla_home_t; ++ typealias mozilla_tmp_t alias $1_mozilla_tmp_t; + + ######################################## + # @@ -3780,7 +3564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. allow $1_mozilla_t self:fifo_file rw_fifo_file_perms; allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create }; allow $1_mozilla_t self:sem create_sem_perms; -@@ -66,15 +75,19 @@ +@@ -66,15 +73,19 @@ allow $1_mozilla_t self:unix_stream_socket { listen accept }; # Browse the web, connect to printer allow $1_mozilla_t self:tcp_socket create_socket_perms; 
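Review bot: The two booleans introduced in this template, `gen_tunable(browser_confine_$1, false)` and `gen_tunable(browser_write_$1_data, false)`, have no description, whereas the `mozilla_read_content` tunable that this patch removes from mozilla.te carried a `## <desc>` block; with the default of false, a later hunk's `tunable_policy(`browser_confine_$1',` falls through to `can_exec($2, mozilla_exec_t)`, so the browser runs in the caller's domain rather than `$1_mozilla_t` unless an administrator flips the boolean, and nothing in the boolean list says so. Add a description above each declaration, e.g. `## <desc><p>Run the browser in the confined $1_mozilla_t domain instead of the calling user domain.</p></desc>`; if the documentation extractor does not process `##` blocks inside a template, a plain `#` comment stating the same is the fallback. The template body continues past this hunk.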
@@ -3795,43 +3579,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. + fs_manage_tmpfs_files($1_mozilla_t) + # X access, Home files -- manage_dirs_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t) -- manage_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t) -- manage_lnk_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t) -+ manage_dirs_pattern($1_mozilla_t,user_mozilla_home_t,user_mozilla_home_t) -+ manage_files_pattern($1_mozilla_t,user_mozilla_home_t,user_mozilla_home_t) -+ manage_lnk_files_pattern($1_mozilla_t,user_mozilla_home_t,user_mozilla_home_t) - userdom_search_user_home_dirs($1,$1_mozilla_t) +- manage_dirs_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t) +- manage_files_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t) +- manage_lnk_files_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t) ++ manage_dirs_pattern($1_mozilla_t, mozilla_home_t, mozilla_home_t) ++ manage_files_pattern($1_mozilla_t, mozilla_home_t, mozilla_home_t) ++ manage_lnk_files_pattern($1_mozilla_t, mozilla_home_t, mozilla_home_t) + userdom_search_user_home_dirs($1, $1_mozilla_t) # Mozpluggerrc -@@ -89,22 +102,47 @@ +@@ -89,22 +100,47 @@ allow $2 $1_mozilla_t:unix_stream_socket connectto; # X access, Home files -- manage_dirs_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) -- manage_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) -- manage_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) -- relabel_dirs_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) -- relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) -- relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) -- -- manage_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t) -- manage_lnk_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t) -- manage_fifo_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t) -- 
manage_sock_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t) -- fs_tmpfs_filetrans($1_mozilla_t,$1_mozilla_tmpfs_t,{ file lnk_file sock_file fifo_file }) -+ manage_dirs_pattern($2,user_mozilla_home_t,user_mozilla_home_t) -+ manage_files_pattern($2,user_mozilla_home_t,user_mozilla_home_t) -+ manage_lnk_files_pattern($2,user_mozilla_home_t,user_mozilla_home_t) -+ relabel_dirs_pattern($2,user_mozilla_home_t,user_mozilla_home_t) -+ relabel_files_pattern($2,user_mozilla_home_t,user_mozilla_home_t) -+ relabel_lnk_files_pattern($2,user_mozilla_home_t,user_mozilla_home_t) +- manage_dirs_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t) +- manage_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t) +- manage_lnk_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t) +- relabel_dirs_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t) +- relabel_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t) +- relabel_lnk_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t) +- +- manage_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t) +- manage_lnk_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t) +- manage_fifo_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t) +- manage_sock_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t) +- fs_tmpfs_filetrans($1_mozilla_t, $1_mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) ++ manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t) ++ manage_files_pattern($2, mozilla_home_t, mozilla_home_t) ++ manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) ++ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) ++ relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) ++ relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) allow $1_mozilla_t $2:process signull; -- domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t) + tunable_policy(`browser_confine_$1',` -+ domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t) + domain_auto_trans($2, 
mozilla_exec_t, $1_mozilla_t) + ',` + can_exec($2, mozilla_exec_t) + ') @@ -3842,8 +3625,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. + unprivuser_manage_tmp_dirs($1_mozilla_t) + unprivuser_manage_tmp_files($1_mozilla_t) + unprivuser_manage_tmp_sockets($1_mozilla_t) -+ userdom_tmp_filetrans_user_tmp($1,$1_mozilla_t, { file dir sock_file }) -+ userdom_read_user_tmpfs_files($1,$1_mozilla_t) ++ userdom_tmp_filetrans_user_tmp($1, $1_mozilla_t, { file dir sock_file }) ++ userdom_read_user_tmpfs_files($1, $1_mozilla_t) + + ifdef(`enable_mls',`',` + fs_search_removable($1_mozilla_t) @@ -3857,16 +3640,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. + unprivuser_manage_home_content_symlinks($1_mozilla_t) + unprivuser_manage_home_content_pipes($1_mozilla_t) + unprivuser_home_dir_filetrans_home_content($1_mozilla_t, { file dir lnk_file }) -+ ', ` ++ ',` + # helper apps will try to create .files -+ userdom_dontaudit_create_user_home_content_files($1,$1_mozilla_t) -+ userdom_user_home_dir_filetrans($1,$1_mozilla_t, $1_mozilla_home_t,dir) ++ userdom_dontaudit_create_user_home_content_files($1, $1_mozilla_t) ++ userdom_user_home_dir_filetrans($1, $1_mozilla_t, $1_mozilla_home_t, dir) + ') # Unrestricted inheritance from the caller. allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh }; -@@ -112,17 +150,20 @@ - ps_process_pattern($2,$1_mozilla_t) +@@ -112,17 +148,20 @@ + ps_process_pattern($2, $1_mozilla_t) allow $2 $1_mozilla_t:process signal_perms; + kernel_read_fs_sysctls($1_mozilla_t) @@ -3888,7 +3671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # Browse the web, connect to printer corenet_all_recvfrom_unlabeled($1_mozilla_t) -@@ -139,7 +180,6 @@ +@@ -139,7 +178,6 @@ corenet_tcp_connect_http_cache_port($1_mozilla_t) corenet_tcp_connect_ftp_port($1_mozilla_t) corenet_tcp_connect_ipp_port($1_mozilla_t) 
@@ -3896,15 +3679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. corenet_sendrecv_http_client_packets($1_mozilla_t) corenet_sendrecv_http_cache_client_packets($1_mozilla_t) corenet_sendrecv_ftp_client_packets($1_mozilla_t) -@@ -151,6 +191,7 @@ - - dev_read_urand($1_mozilla_t) - dev_read_rand($1_mozilla_t) -+ - dev_write_sound($1_mozilla_t) - dev_read_sound($1_mozilla_t) - dev_dontaudit_rw_dri($1_mozilla_t) -@@ -165,13 +206,28 @@ +@@ -165,13 +203,28 @@ files_read_var_files($1_mozilla_t) files_read_var_symlinks($1_mozilla_t) files_dontaudit_getattr_boot_dirs($1_mozilla_t) @@ -3933,7 +3708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. libs_use_ld_so($1_mozilla_t) libs_use_shared_libs($1_mozilla_t) -@@ -180,16 +236,8 @@ +@@ -180,16 +233,8 @@ miscfiles_read_fonts($1_mozilla_t) miscfiles_read_localization($1_mozilla_t) 
@@ -3941,18 +3716,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. - sysnet_dns_name_resolve($1_mozilla_t) - sysnet_read_config($1_mozilla_t) - -- userdom_manage_user_home_content_dirs($1,$1_mozilla_t) -- userdom_manage_user_home_content_files($1,$1_mozilla_t) -- userdom_manage_user_home_content_symlinks($1,$1_mozilla_t) -- userdom_manage_user_tmp_dirs($1,$1_mozilla_t) -- userdom_manage_user_tmp_files($1,$1_mozilla_t) -- userdom_manage_user_tmp_sockets($1,$1_mozilla_t) -+ userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t) -+ userdom_dontaudit_use_user_terminals($1,$1_mozilla_t) +- userdom_manage_user_home_content_dirs($1, $1_mozilla_t) +- userdom_manage_user_home_content_files($1, $1_mozilla_t) +- userdom_manage_user_home_content_symlinks($1, $1_mozilla_t) +- userdom_manage_user_tmp_dirs($1, $1_mozilla_t) +- userdom_manage_user_tmp_files($1, $1_mozilla_t) +- userdom_manage_user_tmp_sockets($1, $1_mozilla_t) ++ userdom_dontaudit_read_user_tmp_files($1, $1_mozilla_t) ++ userdom_dontaudit_use_user_terminals($1, $1_mozilla_t) - xserver_user_x_domain_template($1,$1_mozilla,$1_mozilla_t,$1_mozilla_tmpfs_t) + xserver_user_x_domain_template($1, $1_mozilla, $1_mozilla_t, $1_mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t) -@@ -211,131 +259,8 @@ +@@ -211,131 +256,8 @@ fs_manage_cifs_symlinks($1_mozilla_t) ') 
@@ -3983,12 +3758,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. - ') - - tunable_policy(`mozilla_read_content',` -- userdom_list_user_tmp($1,$1_mozilla_t) -- userdom_read_user_tmp_files($1,$1_mozilla_t) -- userdom_read_user_tmp_symlinks($1,$1_mozilla_t) -- userdom_search_user_home_dirs($1,$1_mozilla_t) -- userdom_read_user_home_content_files($1,$1_mozilla_t) -- userdom_read_user_home_content_symlinks($1,$1_mozilla_t) +- userdom_list_user_tmp($1, $1_mozilla_t) +- userdom_read_user_tmp_files($1, $1_mozilla_t) +- userdom_read_user_tmp_symlinks($1, $1_mozilla_t) +- userdom_search_user_home_dirs($1, $1_mozilla_t) +- userdom_read_user_home_content_files($1, $1_mozilla_t) +- userdom_read_user_home_content_symlinks($1, $1_mozilla_t) - - ifdef(`enable_mls',`',` - fs_search_removable($1_mozilla_t) @@ -4000,10 +3775,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. - files_dontaudit_list_home($1_mozilla_t) - fs_dontaudit_list_removable($1_mozilla_t) - fs_dontaudit_read_removable_files($1_mozilla_t) -- userdom_dontaudit_list_user_tmp($1,$1_mozilla_t) -- userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t) -- userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t) -- userdom_dontaudit_read_user_home_content_files($1,$1_mozilla_t) +- userdom_dontaudit_list_user_tmp($1, $1_mozilla_t) +- userdom_dontaudit_read_user_tmp_files($1, $1_mozilla_t) +- userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t) +- userdom_dontaudit_read_user_home_content_files($1, $1_mozilla_t) - ') - - tunable_policy(`mozilla_read_content && read_default_t',` 
@@ -4018,22 +3793,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. - tunable_policy(`mozilla_read_content && read_untrusted_content',` - files_list_tmp($1_mozilla_t) - files_list_home($1_mozilla_t) -- userdom_search_user_home_dirs($1,$1_mozilla_t) +- userdom_search_user_home_dirs($1, $1_mozilla_t) - -- userdom_list_user_untrusted_content($1,$1_mozilla_t) -- userdom_read_user_untrusted_content_files($1,$1_mozilla_t) -- userdom_read_user_untrusted_content_symlinks($1,$1_mozilla_t) -- userdom_list_user_tmp_untrusted_content($1,$1_mozilla_t) -- userdom_read_user_tmp_untrusted_content_files($1,$1_mozilla_t) -- userdom_read_user_tmp_untrusted_content_symlinks($1,$1_mozilla_t) +- userdom_list_user_untrusted_content($1, $1_mozilla_t) +- userdom_read_user_untrusted_content_files($1, $1_mozilla_t) +- userdom_read_user_untrusted_content_symlinks($1, $1_mozilla_t) +- userdom_list_user_tmp_untrusted_content($1, $1_mozilla_t) +- userdom_read_user_tmp_untrusted_content_files($1, $1_mozilla_t) +- userdom_read_user_tmp_untrusted_content_symlinks($1, $1_mozilla_t) - ',` - files_dontaudit_list_tmp($1_mozilla_t) - files_dontaudit_list_home($1_mozilla_t) -- userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t) -- userdom_dontaudit_list_user_untrusted_content($1,$1_mozilla_t) -- userdom_dontaudit_read_user_untrusted_content_files($1,$1_mozilla_t) -- userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_mozilla_t) -- userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mozilla_t) +- userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t) +- userdom_dontaudit_list_user_untrusted_content($1, $1_mozilla_t) +- userdom_dontaudit_read_user_untrusted_content_files($1, $1_mozilla_t) +- userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_mozilla_t) +- userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_mozilla_t) - ') - - # Save web pages 
@@ -4066,27 +3841,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. - tunable_policy(`write_untrusted_content',` - files_search_home($1_mozilla_t) - userdom_manage_user_untrusted_content_tmp_files($1, $1_mozilla_t) -- files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,file) -- files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,dir) +- files_tmp_filetrans($1_mozilla_t, $1_untrusted_content_tmp_t, file) +- files_tmp_filetrans($1_mozilla_t, $1_untrusted_content_tmp_t, dir) - -- userdom_manage_user_untrusted_content_files($1,$1_mozilla_t) -- userdom_user_home_dir_filetrans($1,$1_mozilla_t,$1_untrusted_content_tmp_t, { file dir }) -- userdom_user_home_content_filetrans($1,$1_mozilla_t,$1_untrusted_content_tmp_t, { file dir }) +- userdom_manage_user_untrusted_content_files($1, $1_mozilla_t) +- userdom_user_home_dir_filetrans($1, $1_mozilla_t, $1_untrusted_content_tmp_t, { file dir }) +- userdom_user_home_content_filetrans($1, $1_mozilla_t, $1_untrusted_content_tmp_t, { file dir }) - ',` - files_dontaudit_list_home($1_mozilla_t) - files_dontaudit_list_tmp($1_mozilla_t) - -- userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t) -- userdom_dontaudit_manage_user_tmp_dirs($1,$1_mozilla_t) -- userdom_dontaudit_manage_user_tmp_files($1,$1_mozilla_t) -- userdom_dontaudit_manage_user_home_content_dirs($1,$1_mozilla_t) +- userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t) +- userdom_dontaudit_manage_user_tmp_dirs($1, $1_mozilla_t) +- userdom_dontaudit_manage_user_tmp_files($1, $1_mozilla_t) +- userdom_dontaudit_manage_user_home_content_dirs($1, $1_mozilla_t) - + optional_policy(` + alsa_read_rw_config($1_mozilla_t) ') optional_policy(` -@@ -350,57 +275,48 @@ +@@ -350,57 +272,48 @@ optional_policy(` cups_read_rw_config($1_mozilla_t) cups_dbus_chat($1_mozilla_t) 
@@ -4094,22 +3869,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` - dbus_system_bus_client_template($1_mozilla,$1_mozilla_t) -- dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t) -+# dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t) -+ ') -+ -+ optional_policy(` + dbus_system_bus_client_template($1_mozilla, $1_mozilla_t) +- dbus_user_bus_client_template($1, $1_mozilla, $1_mozilla_t) ++# dbus_user_bus_client_template($1, $1_mozilla, $1_mozilla_t) + ') + + optional_policy(` +- gnome_stream_connect_gconf_template($1, $1_mozilla_t) + networkmanager_dbus_chat($1_mozilla_t) ') optional_policy(` -- gnome_stream_connect_gconf_template($1,$1_mozilla_t) +- java_domtrans_user_javaplugin($1, $1_mozilla_t) + gnome_exec_gconf($1_mozilla_t) ') optional_policy(` -- java_domtrans_user_javaplugin($1, $1_mozilla_t) +- lpd_domtrans_user_lpr($1, $1_mozilla_t) + java_plugin_per_role_template($1, $1_mozilla_t, $1_r) ') @@ -4118,24 +3894,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. +# ') + optional_policy(` - lpd_domtrans_user_lpr($1,$1_mozilla_t) - ') - - optional_policy(` - mplayer_domtrans_user_mplayer($1, $1_mozilla_t) - mplayer_read_user_home_files($1, $1_mozilla_t) -+ nsplugin_domtrans_user($1, $1_mozilla_t) -+ nsplugin_domtrans_user_config($1, $1_mozilla_t) ++ lpd_domtrans_user_lpr($1, $1_mozilla_t) ') optional_policy(` - nscd_socket_use($1_mozilla_t) -+ mplayer_domtrans_user_mplayer($1, $1_mozilla_t) -+ mplayer_read_user_home_files($1, $1_mozilla_t) ++ nsplugin_domtrans_user($1, $1_mozilla_t) ++ nsplugin_domtrans_user_config($1, $1_mozilla_t) ') optional_policy(` - thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t) +- thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t) ++ mplayer_domtrans_mplayer($1, $1_mozilla_t) ++ mplayer_read_user_home_files($1, $1_mozilla_t) ') - ifdef(`TODO',` 
@@ -4152,44 +3925,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. - # support (is this possible?). - - # GNOME integration -- optional_policy(` + optional_policy(` - gnome_application($1_mozilla, $1) - gnome_file_dialog($1_mozilla, $1) - ') -- ') ++ thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t) + ') ++ ') ######################################## -@@ -430,11 +346,11 @@ +@@ -430,11 +343,11 @@ # template(`mozilla_read_user_home_files',` gen_require(` - type $1_mozilla_home_t; -+ type user_mozilla_home_t; ++ type mozilla_home_t; ') - allow $2 $1_mozilla_home_t:dir list_dir_perms; - allow $2 $1_mozilla_home_t:file read_file_perms; -+ allow $2 user_mozilla_home_t:dir list_dir_perms; -+ allow $2 user_mozilla_home_t:file read_file_perms; ++ allow $2 mozilla_home_t:dir list_dir_perms; ++ allow $2 mozilla_home_t:file read_file_perms; ') ######################################## -@@ -464,11 +380,10 @@ +@@ -464,11 +377,10 @@ # template(`mozilla_write_user_home_files',` gen_require(` - type $1_mozilla_home_t; -+ type user_mozilla_home_t; ++ type mozilla_home_t; ') - allow $2 $1_mozilla_home_t:dir list_dir_perms; - allow $2 $1_mozilla_home_t:file write; -+ write_files_pattern($2, user_mozilla_home_t, user_mozilla_home_t) ++ write_files_pattern($2, mozilla_home_t, mozilla_home_t) ') ######################################## -@@ -573,3 +488,27 @@ +@@ -573,3 +485,27 @@ allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; ') 
@@ -4217,9 +3992,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. + + allow $2 $1_mozilla_t:unix_stream_socket connectto; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.5.1/policy/modules/apps/mozilla.te ---- nsaserefpolicy/policy/modules/apps/mozilla.te 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/mozilla.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.5.2/policy/modules/apps/mozilla.te +--- nsaserefpolicy/policy/modules/apps/mozilla.te 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/mozilla.te 2008-08-05 16:18:59.000000000 -0400 @@ -6,15 +6,18 @@ # Declarations # @@ -4229,7 +4004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. -## Control mozilla content access -##

-## --gen_tunable(mozilla_read_content,false) +-gen_tunable(mozilla_read_content, false) - type mozilla_conf_t; files_config_file(mozilla_conf_t) @@ -4237,27 +4012,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. type mozilla_exec_t; application_executable_file(mozilla_exec_t) + -+type user_mozilla_home_t alias user_mozilla_rw_t; -+files_poly_member(user_mozilla_home_t) -+userdom_user_home_content(user,user_mozilla_home_t) ++type mozilla_home_t alias user_mozilla_rw_t; ++files_poly_member(mozilla_home_t) ++userdom_user_home_content(user, mozilla_home_t) + -+type user_mozilla_tmp_t; -+files_tmp_file(user_mozilla_tmp_t) ++type mozilla_tmp_t; ++files_tmp_file(mozilla_tmp_t) + -+typealias user_mozilla_home_t alias unconfined_mozilla_home_t; -+typealias user_mozilla_tmp_t alias unconfined_mozilla_tmp_t; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.5.1/policy/modules/apps/mplayer.fc ---- nsaserefpolicy/policy/modules/apps/mplayer.fc 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/mplayer.fc 2008-07-25 12:35:13.000000000 -0400 ++typealias mozilla_home_t alias unconfined_mozilla_home_t; ++typealias mozilla_tmp_t alias unconfined_mozilla_tmp_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.5.2/policy/modules/apps/mplayer.fc +--- nsaserefpolicy/policy/modules/apps/mplayer.fc 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/mplayer.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -10,4 +10,4 @@ /usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0) /usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0) -HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:ROLE_mplayer_home_t,s0) -+HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:user_mplayer_home_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.5.1/policy/modules/apps/mplayer.if ---- nsaserefpolicy/policy/modules/apps/mplayer.if 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/mplayer.if 2008-07-25 12:35:13.000000000 -0400 ++HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.5.2/policy/modules/apps/mplayer.if +--- nsaserefpolicy/policy/modules/apps/mplayer.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/mplayer.if 2008-08-05 12:15:11.000000000 -0400 @@ -34,7 +34,8 @@ # template(`mplayer_per_role_template',` 
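Review bot: In mozilla.te the declaration `type mozilla_home_t alias user_mozilla_rw_t;` keeps the older `user_mozilla_rw_t` alias but not `user_mozilla_home_t`, the name the previous revision of this patch (left side of this hunk) declared and labelled home files with. Adding `typealias mozilla_home_t alias user_mozilla_home_t;` next to the existing `typealias mozilla_home_t alias unconfined_mozilla_home_t;` would keep on-disk labels and any module built against the previous revision resolvable; without it, files still labelled `user_mozilla_home_t` map to an unknown type until relabelled. Whether any shipped build used the intermediate name cannot be determined from this diff, so this is a judgement call for the packager. The same consideration applies to `mplayer_home_t` (previously `user_mplayer_home_t`) in the mplayer.te hunk further down this page.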
@@ -4268,33 +4043,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. ') ######################################## -@@ -50,9 +51,9 @@ - application_domain($1_mplayer_t,mplayer_exec_t) +@@ -50,9 +51,7 @@ + application_domain($1_mplayer_t, mplayer_exec_t) role $3 types $1_mplayer_t; - type $1_mplayer_home_t alias $1_mplayer_rw_t; - files_poly_member($1_mplayer_home_t) - userdom_user_home_content($1,$1_mplayer_home_t) -+ ifelse(`$1',`user',`',` -+ typealias user_mplayer_home_t alias $1_mplayer_home_t; -+ ') ++ typealias mplayer_home_t alias $1_mplayer_home_t; type $1_mplayer_tmpfs_t; files_tmpfs_file($1_mplayer_tmpfs_t) -@@ -62,9 +63,9 @@ +@@ -62,9 +61,9 @@ # mencoder local policy # -- manage_dirs_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t) -- manage_files_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t) -- manage_lnk_files_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t) -+ manage_dirs_pattern($1_mencoder_t,user_mplayer_home_t,user_mplayer_home_t) -+ manage_files_pattern($1_mencoder_t,user_mplayer_home_t,user_mplayer_home_t) -+ manage_lnk_files_pattern($1_mencoder_t,user_mplayer_home_t,user_mplayer_home_t) +- manage_dirs_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t) +- manage_files_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t) +- manage_lnk_files_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t) ++ manage_dirs_pattern($1_mencoder_t, mplayer_home_t, mplayer_home_t) ++ manage_files_pattern($1_mencoder_t, mplayer_home_t, mplayer_home_t) ++ manage_lnk_files_pattern($1_mencoder_t, mplayer_home_t, mplayer_home_t) # Read global config allow $1_mencoder_t mplayer_etc_t:dir list_dir_perms; -@@ -200,7 +201,7 @@ +@@ -200,7 +199,7 @@ ') tunable_policy(`write_untrusted_content',` 
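Review bot: `typealias mplayer_home_t alias $1_mplayer_home_t;` inside `mplayer_per_role_template` references `mplayer_home_t`, which is declared in mplayer.te rather than by the template, so the template's gen_require must list it; the gen_require is modified at inner line 34 (one line added, body not visible in this hunk), so please confirm that added line is `type mplayer_home_t;`, otherwise expansion from another module cannot resolve the type. Dropping the previous `ifelse(`$1',`user',...)` guard is sound only because the .te now declares `mplayer_home_t` instead of `user_mplayer_home_t`, so the `user` role's alias no longer collides with the real type — a comment such as `# per-role alias kept for compatibility; the real type is mplayer_home_t` would record that. The `manage_*_pattern($1_mencoder_t, mplayer_home_t, ...)` lines below now give every role's mencoder domain access to all users' mplayer home content, which the template's doc header (outside this hunk) should mention. The template begins before this hunk.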
@@ -4303,39 +4076,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. ') # Save encoded files -@@ -255,9 +256,9 @@ +@@ -255,9 +254,9 @@ allow $1_mplayer_t self:fifo_file rw_fifo_file_perms; allow $1_mplayer_t self:sem create_sem_perms; -- manage_dirs_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t) -- manage_files_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t) -- manage_lnk_files_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t) -+ manage_dirs_pattern($1_mplayer_t,user_mplayer_home_t,user_mplayer_home_t) -+ manage_files_pattern($1_mplayer_t,user_mplayer_home_t,user_mplayer_home_t) -+ manage_lnk_files_pattern($1_mplayer_t,user_mplayer_home_t,user_mplayer_home_t) - userdom_search_user_home_dirs($1,$1_mplayer_t) +- manage_dirs_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t) +- manage_files_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t) +- manage_lnk_files_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t) ++ manage_dirs_pattern($1_mplayer_t, mplayer_home_t, mplayer_home_t) ++ manage_files_pattern($1_mplayer_t, mplayer_home_t, mplayer_home_t) ++ manage_lnk_files_pattern($1_mplayer_t, mplayer_home_t, mplayer_home_t) + userdom_search_user_home_dirs($1, $1_mplayer_t) - manage_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t) -@@ -272,12 +273,12 @@ - read_lnk_files_pattern($1_mplayer_t,mplayer_etc_t,mplayer_etc_t) + manage_files_pattern($1_mplayer_t, $1_mplayer_tmpfs_t, $1_mplayer_tmpfs_t) +@@ -272,12 +271,12 @@ + read_lnk_files_pattern($1_mplayer_t, mplayer_etc_t, mplayer_etc_t) # Home access -- manage_dirs_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) -- manage_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) -- manage_lnk_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) -- relabel_dirs_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) -- relabel_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) -- 
relabel_lnk_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) -+ manage_dirs_pattern($2,user_mplayer_home_t,user_mplayer_home_t) -+ manage_files_pattern($2,user_mplayer_home_t,user_mplayer_home_t) -+ manage_lnk_files_pattern($2,user_mplayer_home_t,user_mplayer_home_t) -+ relabel_dirs_pattern($2,user_mplayer_home_t,user_mplayer_home_t) -+ relabel_files_pattern($2,user_mplayer_home_t,user_mplayer_home_t) -+ relabel_lnk_files_pattern($2,user_mplayer_home_t,user_mplayer_home_t) +- manage_dirs_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) +- manage_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) +- manage_lnk_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) +- relabel_dirs_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) +- relabel_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) +- relabel_lnk_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) ++ manage_dirs_pattern($2, mplayer_home_t, mplayer_home_t) ++ manage_files_pattern($2, mplayer_home_t, mplayer_home_t) ++ manage_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t) ++ relabel_dirs_pattern($2, mplayer_home_t, mplayer_home_t) ++ relabel_files_pattern($2, mplayer_home_t, mplayer_home_t) ++ relabel_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t) # domain transition domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t) -@@ -307,6 +308,7 @@ +@@ -307,6 +306,7 @@ dev_write_sound_mixer($1_mplayer_t) # RTC clock dev_read_realtime_clock($1_mplayer_t) 
@@ -4343,17 +4116,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. # Access to DVD/CD/V4L storage_raw_read_removable_device($1_mplayer_t) -@@ -340,6 +342,7 @@ - userdom_read_user_tmp_symlinks($1,$1_mplayer_t) - userdom_read_user_home_content_files($1,$1_mplayer_t) - userdom_read_user_home_content_symlinks($1,$1_mplayer_t) -+ userdom_write_user_tmp_sockets($1,$1_mplayer_t) +@@ -340,6 +340,7 @@ + userdom_read_user_tmp_symlinks($1, $1_mplayer_t) + userdom_read_user_home_content_files($1, $1_mplayer_t) + userdom_read_user_home_content_symlinks($1, $1_mplayer_t) ++ userdom_write_user_tmp_sockets($1, $1_mplayer_t) - xserver_user_x_domain_template($1,$1_mplayer,$1_mplayer_t,$1_mplayer_tmpfs_t) + xserver_user_x_domain_template($1, $1_mplayer, $1_mplayer_t, $1_mplayer_tmpfs_t) -@@ -469,7 +472,9 @@ +@@ -467,9 +468,11 @@ + ##
+ ## # - template(`mplayer_domtrans_user_mplayer',` +-template(`mplayer_domtrans_user_mplayer',` ++template(`mplayer_domtrans_mplayer',` gen_require(` - type $1_mplayer_t, mplayer_exec_t; + type mplayer_exec_t; @@ -4361,8 +4137,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. + ') - domtrans_pattern($2, mplayer_exec_t,$1_mplayer_t) -@@ -477,6 +482,25 @@ + domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t) +@@ -477,6 +480,25 @@ ######################################## ## @@ -4388,31 +4164,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. ## Read mplayer per user homedir ## ## -@@ -502,8 +526,8 @@ +@@ -502,8 +524,8 @@ # template(`mplayer_read_user_home_files',` gen_require(` - type $1_mplayer_home_t; -+ type user_mplayer_home_t; ++ type mplayer_home_t; ') -- read_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) -+ read_files_pattern($2,user_mplayer_home_t,user_mplayer_home_t) +- read_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) ++ read_files_pattern($2, mplayer_home_t, mplayer_home_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.5.1/policy/modules/apps/mplayer.te ---- nsaserefpolicy/policy/modules/apps/mplayer.te 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/mplayer.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.5.2/policy/modules/apps/mplayer.te +--- nsaserefpolicy/policy/modules/apps/mplayer.te 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/mplayer.te 2008-08-05 12:15:11.000000000 -0400 
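Review bot: The renamed `mplayer_domtrans_mplayer` template's visible gen_require now lists only `type mplayer_exec_t;`, yet the body still calls `domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t)`; unless the single unchanged line between the -4343 and -4361 hunks (old line 4360, not shown) still requires `$1_mplayer_t`, the require block is incomplete and the transition target is unresolved when the template is expanded from another module. The rename from `mplayer_domtrans_user_mplayer` also removes the old name outright; unless the 19-line block added at inner line 477 (not shown here) is such a shim, keeping a `template(`mplayer_domtrans_user_mplayer',` that emits `refpolicywarn` and forwards to `mplayer_domtrans_mplayer($1, $2)` would avoid breaking out-of-tree policy. mozilla.if earlier in this patch has already been switched to the new name. The template's doc header is cut at the top of this hunk.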
@@ -22,3 +22,7 @@ type mplayer_exec_t; corecmd_executable_file(mplayer_exec_t) application_executable_file(mplayer_exec_t) + -+type user_mplayer_home_t alias user_mplayer_rw_t; -+userdom_user_home_content(user,user_mplayer_home_t) ++type mplayer_home_t alias user_mplayer_rw_t; ++userdom_user_home_content(user, mplayer_home_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.5.1/policy/modules/apps/nsplugin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.5.2/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/apps/nsplugin.fc 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/nsplugin.fc 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,8 @@ + +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) @@ -4422,9 +4198,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.1/policy/modules/apps/nsplugin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.2/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/apps/nsplugin.if 2008-07-29 16:19:32.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/nsplugin.if 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,290 @@ + +## policy for nsplugin 
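Review bot: In nsplugin.fc the entry `/usr/lib(64)?/nspluginwrapper/npviewer.bin` leaves the dot before `bin` unescaped, unlike the `\.adobe`, `\.macromedia` and `\.gstreamer-` entries in the same hunk; as a regex the `.` matches any single character, so the `nsplugin_exec_t` entrypoint label would also be applied to any file named like `npviewerXbin` in that directory. Write it as `/usr/lib(64)?/nspluginwrapper/npviewer\.bin`. This line is diff context, so the defect predates this revision of the patch; the -4388 hunk on the same line (mplayer.te now declaring `mplayer_home_t alias user_mplayer_rw_t`) raises no separate point beyond the alias note given for mozilla.te.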
@@ -4464,9 +4240,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + type nsplugin_rw_t; + ') + -+ manage_dirs_pattern($1,nsplugin_rw_t,nsplugin_rw_t) -+ manage_files_pattern($1,nsplugin_rw_t,nsplugin_rw_t) -+ manage_lnk_files_pattern($1,nsplugin_rw_t,nsplugin_rw_t) ++ manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t) ++ manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) ++ manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) +') + +####################################### @@ -4588,8 +4364,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + + nsplugin_per_role_template_notrans($1, $2, $3) + -+ domtrans_pattern($2,nsplugin_exec_t,nsplugin_t) -+ domtrans_pattern($2,nsplugin_config_exec_t,nsplugin_config_t) ++ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t) ++ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t) +') + +####################################### @@ -4625,7 +4401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + type nsplugin_t; + ') + -+ domtrans_pattern($2,nsplugin_exec_t, nsplugin_t) ++ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t) +') +####################################### +## @@ -4660,7 +4436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + type nsplugin_config_t; + ') + -+ domtrans_pattern($2,nsplugin_config_exec_t,nsplugin_config_t) ++ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t) +') + +######################################## 
@@ -4716,12 +4492,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + + can_exec($1, nsplugin_rw_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.1/policy/modules/apps/nsplugin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.2/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/apps/nsplugin.te 2008-07-29 15:22:55.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/nsplugin.te 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,217 @@ + -+policy_module(nsplugin,1.0.0) ++policy_module(nsplugin, 1.0.0) + +######################################## +# @@ -4733,7 +4509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +## Allow nsplugin code to execmem/execstack +##

+## -+gen_tunable(allow_nsplugin_execmem,false) ++gen_tunable(allow_nsplugin_execmem, false) + +type nsplugin_exec_t; +application_executable_file(nsplugin_exec_t) @@ -4749,7 +4525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + +type nsplugin_home_t; +files_poly_member(nsplugin_home_t) -+userdom_user_home_content(user,nsplugin_home_t) ++userdom_user_home_content(user, nsplugin_home_t) +typealias nsplugin_home_t alias user_nsplugin_home_t; + +type nsplugin_t; @@ -4937,16 +4713,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +optional_policy(` + mozilla_read_user_home_files(user, nsplugin_config_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.5.1/policy/modules/apps/openoffice.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.5.2/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/apps/openoffice.fc 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/openoffice.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -0,0 +1,3 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.5.1/policy/modules/apps/openoffice.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.5.2/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/apps/openoffice.if 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/openoffice.if 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,102 @@ +## Openoffice + @@ -5030,13 +4806,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi + + type $1_openoffice_t; + domain_type($1_openoffice_t) -+ domain_entry_file($1_openoffice_t,openoffice_exec_t) ++ domain_entry_file($1_openoffice_t, openoffice_exec_t) + role $3 types $1_openoffice_t; + + domain_interactive_fd($1_openoffice_t) + + userdom_unpriv_usertype($1, $1_openoffice_t) -+ userdom_exec_user_home_content_files($1,$1_openoffice_t) ++ userdom_exec_user_home_content_files($1, $1_openoffice_t) + + allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack }; + 
@@ -5050,12 +4826,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi + + fs_dontaudit_rw_tmpfs_files($1_openoffice_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.5.1/policy/modules/apps/openoffice.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.5.2/policy/modules/apps/openoffice.te --- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/apps/openoffice.te 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/openoffice.te 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,14 @@ + -+policy_module(openoffice,1.0.0) ++policy_module(openoffice, 1.0.0) + +######################################## +# @@ -5064,21 +4840,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi + +type openoffice_t; +type openoffice_exec_t; -+application_domain(openoffice_t,openoffice_exec_t) ++application_domain(openoffice_t, openoffice_exec_t) + + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.fc serefpolicy-3.5.1/policy/modules/apps/podsleuth.fc ---- nsaserefpolicy/policy/modules/apps/podsleuth.fc 2008-07-10 11:38:45.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/podsleuth.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.fc serefpolicy-3.5.2/policy/modules/apps/podsleuth.fc +--- nsaserefpolicy/policy/modules/apps/podsleuth.fc 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/podsleuth.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -1,2 +1,4 @@ /usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) +/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) +/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.if serefpolicy-3.5.1/policy/modules/apps/podsleuth.if ---- nsaserefpolicy/policy/modules/apps/podsleuth.if 2008-07-10 11:38:45.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/podsleuth.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.if serefpolicy-3.5.2/policy/modules/apps/podsleuth.if +--- nsaserefpolicy/policy/modules/apps/podsleuth.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/podsleuth.if 2008-08-05 12:15:11.000000000 -0400 @@ -16,4 +16,38 @@ ') @@ -5118,10 +4894,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut + dontaudit podsleuth_t $3:chr_file rw_term_perms; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.5.1/policy/modules/apps/podsleuth.te ---- nsaserefpolicy/policy/modules/apps/podsleuth.te 2008-07-10 11:38:45.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/podsleuth.te 2008-07-25 12:35:13.000000000 -0400 -@@ -11,28 +11,62 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.5.2/policy/modules/apps/podsleuth.te +--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/podsleuth.te 2008-08-05 12:25:25.000000000 -0400 +@@ -11,24 +11,55 @@ application_domain(podsleuth_t, podsleuth_exec_t) role system_r types podsleuth_t; 
@@ -5145,14 +4921,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut +allow podsleuth_t self:tcp_socket create_stream_socket_perms; +allow podsleuth_t self:udp_socket create_socket_perms; --kernel_read_system_state(podsleuth_t) + kernel_read_system_state(podsleuth_t) + +corecmd_exec_bin(podsleuth_t) +corenet_tcp_connect_http_port(podsleuth_t) - ++ dev_read_urand(podsleuth_t) -+kernel_read_system_state(podsleuth_t) -+ files_read_etc_files(podsleuth_t) +fs_mount_dos_fs(podsleuth_t) 
@@ -5162,39 +4937,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut +fs_search_dos(podsleuth_t) + +allow podsleuth_t podsleuth_tmp_t:dir mounton; -+manage_files_pattern(podsleuth_t,podsleuth_tmp_t,podsleuth_tmp_t) -+files_tmp_filetrans(podsleuth_t,podsleuth_tmp_t,{ file dir }) -+manage_dirs_pattern(podsleuth_t,podsleuth_tmp_t,podsleuth_tmp_t) ++manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) ++files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir }) ++manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) + -+manage_dirs_pattern(podsleuth_t,podsleuth_cache_t,podsleuth_cache_t) -+manage_files_pattern(podsleuth_t,podsleuth_cache_t,podsleuth_cache_t) -+files_var_filetrans(podsleuth_t,podsleuth_cache_t,{ file dir }) ++manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) ++manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) ++files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir }) + +storage_raw_rw_fixed_disk(podsleuth_t) + libs_use_ld_so(podsleuth_t) libs_use_shared_libs(podsleuth_t) --miscfiles_read_localization(podsleuth_t) +sysnet_dns_name_resolve(podsleuth_t) - --dbus_system_bus_client_template(podsleuth, podsleuth_t) -- --mono_exec(podsleuth_t) -+miscfiles_read_localization(podsleuth_t) - --hal_dbus_chat(podsleuth_t) -+dbus_system_bus_client_template(podsleuth,podsleuth_t) -+optional_policy(` -+ hal_dbus_chat(podsleuth_t) -+') + -+optional_policy(` -+ mono_exec(podsleuth_t) -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.5.1/policy/modules/apps/qemu.if ---- nsaserefpolicy/policy/modules/apps/qemu.if 2008-07-10 14:13:44.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/qemu.if 2008-08-01 08:42:09.000000000 -0400 + miscfiles_read_localization(podsleuth_t) + + dbus_system_bus_client_template(podsleuth, podsleuth_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.5.2/policy/modules/apps/qemu.if +--- nsaserefpolicy/policy/modules/apps/qemu.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/qemu.if 2008-08-05 16:22:04.000000000 -0400 @@ -104,7 +104,71 @@ ######################################## @@ -5329,23 +5092,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if - # - # Local Policy - # -- ++ type $1_tmpfs_t; ++ files_tmpfs_file($1_tmpfs_t) ++ ++ type $1_image_t; ++ virt_image($1_image_t) + - allow $1_t self:capability { dac_read_search dac_override }; - allow $1_t self:process { execstack execmem signal getsched }; - allow $1_t self:fifo_file rw_file_perms; - allow $1_t self:shm create_shm_perms; - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:tcp_socket create_stream_socket_perms; -+ type $1_tmpfs_t; -+ files_tmpfs_file($1_tmpfs_t) -+ -+ type $1_image_t; -+ virt_image($1_image_t) -+ -+ manage_dirs_pattern($1, $1_image_t, $1_image_t) -+ manage_files_pattern($1, $1_image_t, $1_image_t) -+ read_lnk_files_pattern($1, $1_image_t, $1_image_t) -+ rw_blk_files_pattern($1, $1_image_t, $1_image_t) ++ manage_dirs_pattern($1_t, $1_image_t, $1_image_t) ++ manage_files_pattern($1_t, $1_image_t, $1_image_t) ++ read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) ++ rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) 
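Review bot: `storage_raw_rw_fixed_disk(podsleuth_t)` grants podsleuth_t raw read and write on every fixed-disk block device, and this hunk combines it with `fs_mount_dos_fs(podsleuth_t)` and `allow podsleuth_t podsleuth_tmp_t:dir mounton`, without recording why a HAL helper that identifies iPods needs write access to the system disks. If only reading the device is required, `storage_raw_read_fixed_disk(podsleuth_t)` is the narrower interface; otherwise a comment above the line such as `# raw write to fixed disks needed for: REASON-TODO` would let the next reviewer verify the grant. The line is carried over from the previous revision, so this is a pre-existing gap rather than something introduced here; the -5329 qemu.if hunk sharing this line correctly fixes the `$1` → `$1_t` subject in the `$1_image_t` patterns and needs no further change.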
@@ -5386,13 +5148,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if - libs_use_shared_libs($1_t) - - miscfiles_read_localization($1_t) +- +- sysnet_read_config($1_t) + manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) +') -- sysnet_read_config($1_t) +-# optional_policy(` +-# samba_domtrans_smb($1_t) +-# ') +######################################## +## +## Set the schedule on qemu. @@ -5408,16 +5174,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if + type qemu_t; + ') --# optional_policy(` --# samba_domtrans_smb($1_t) --# ') -+ allow $1 qemu_t:process setsched; -+') - - optional_policy(` - virt_manage_images($1_t) - virt_read_config($1_t) - virt_read_lib_files($1_t) ++ allow $1 qemu_t:process setsched; + ') + +- optional_policy(` +- xserver_stream_connect_xdm_xserver($1_t) +- xserver_read_xdm_tmp_files($1_t) +- xserver_read_xdm_pid($1_t) +-# xserver_xdm_rw_shm($1_t) +######################################## +## +## Execute qemu_exec_t 
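Review bot: The new interface whose only rule is `allow $1 qemu_t:process setsched;` is summarised as `Set the schedule on qemu.`, which says neither what is granted nor to whom; a summary such as `## Allow the specified domain to change the scheduling of qemu_t processes (process setsched).` together with a param entry for `$1` would match the documentation style of the rest of qemu.if. The interface's name line falls between the visible doc lines and is not shown in this hunk. In the -5386 hunk on the same line, the tmpfs block added to the per-role template (`manage_*_pattern($1_t, $1_tmpfs_t, ...)` plus `fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })`) would benefit from a one-line comment naming what qemu keeps on tmpfs, since the template header is outside the hunk.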
@@ -5449,23 +5217,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if + gen_require(` + type qemu_exec_t; ') - -- optional_policy(` -- xserver_stream_connect_xdm_xserver($1_t) -- xserver_read_xdm_tmp_files($1_t) -- xserver_read_xdm_pid($1_t) --# xserver_xdm_rw_shm($1_t) -- ') -+ read_lnk_files_pattern($1,qemu_exec_t,qemu_exec_t) -+ domain_transition_pattern($1,qemu_exec_t,$2) ++ ++ read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t) ++ domain_transition_pattern($1, qemu_exec_t, $2) + + allow $3 $1:fd use; + allow $3 $1:fifo_file rw_fifo_file_perms; + allow $3 $1:process sigchld; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.1/policy/modules/apps/qemu.te ---- nsaserefpolicy/policy/modules/apps/qemu.te 2008-07-10 11:38:45.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/qemu.te 2008-08-01 08:11:51.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.2/policy/modules/apps/qemu.te +--- nsaserefpolicy/policy/modules/apps/qemu.te 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/qemu.te 2008-08-05 12:15:11.000000000 -0400 @@ -6,6 +6,8 @@ # Declarations # 
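Review bot: The transition target in `domain_transition_pattern($1, qemu_exec_t, $2)` is `$2`, but the three following rules `allow $3 $1:fd use;`, `allow $3 $1:fifo_file rw_fifo_file_perms;` and `allow $3 $1:process sigchld;` name `$3`; if the target and the domain that inherits fds and signals back are meant to be the same, `$3` should read `$2`, and if `$3` is a separate parameter the interface's doc block must say what it is. Using `domain_transition_pattern` rather than `domtrans_pattern` (used for nsplugin elsewhere in this patch) means no `type_transition` rule is emitted, so `$1` executing qemu_exec_t only lands in `$2` when the caller sets the exec context explicitly; that should be stated in the summary, e.g. `## Execute qemu_exec_t in the specified domain; the transition is not automatic.` The interface's doc header and name are in the preceding hunk, outside this one.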
@@ -5602,9 +5364,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te ######################################## # # qemu_unconfined local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.5.1/policy/modules/apps/screen.fc ---- nsaserefpolicy/policy/modules/apps/screen.fc 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/screen.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.5.2/policy/modules/apps/screen.fc +--- nsaserefpolicy/policy/modules/apps/screen.fc 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/screen.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1,7 +1,7 @@ # # /home @@ -5614,9 +5376,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.f # # /usr -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.5.1/policy/modules/apps/screen.if ---- nsaserefpolicy/policy/modules/apps/screen.if 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/screen.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.5.2/policy/modules/apps/screen.if +--- nsaserefpolicy/policy/modules/apps/screen.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/screen.if 2008-08-05 12:15:11.000000000 -0400 @@ -35,6 +35,7 @@ template(`screen_per_role_template',` gen_require(` @@ -5638,15 +5400,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i type $1_screen_var_run_t; files_pid_file($1_screen_var_run_t) 
@@ -81,9 +83,9 @@ - filetrans_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t,fifo_file) - files_pid_filetrans($1_screen_t,screen_dir_t,dir) + filetrans_pattern($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file) + files_pid_filetrans($1_screen_t, screen_dir_t, dir) - allow $1_screen_t $1_screen_ro_home_t:dir list_dir_perms; -- read_files_pattern($1_screen_t,$1_screen_ro_home_t,$1_screen_ro_home_t) -- read_lnk_files_pattern($1_screen_t,$1_screen_ro_home_t,$1_screen_ro_home_t) +- read_files_pattern($1_screen_t, $1_screen_ro_home_t, $1_screen_ro_home_t) +- read_lnk_files_pattern($1_screen_t, $1_screen_ro_home_t, $1_screen_ro_home_t) + allow $1_screen_t user_screen_ro_home_t:dir list_dir_perms; -+ read_files_pattern($1_screen_t,user_screen_ro_home_t,user_screen_ro_home_t) -+ read_lnk_files_pattern($1_screen_t,user_screen_ro_home_t,user_screen_ro_home_t) ++ read_files_pattern($1_screen_t, user_screen_ro_home_t, user_screen_ro_home_t) ++ read_lnk_files_pattern($1_screen_t, user_screen_ro_home_t, user_screen_ro_home_t) allow $1_screen_t $2:process signal; 
@@ -5654,57 +5416,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i
allow $2 $1_screen_t:process signal;
allow $1_screen_t $2:process signal;
-- manage_dirs_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
-- manage_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
-- manage_lnk_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
-- relabel_dirs_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
-- relabel_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
-- relabel_lnk_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
-+ manage_dirs_pattern($2,user_screen_ro_home_t,user_screen_ro_home_t)
-+ manage_files_pattern($2,user_screen_ro_home_t,user_screen_ro_home_t)
-+ manage_lnk_files_pattern($2,user_screen_ro_home_t,user_screen_ro_home_t)
-+ relabel_dirs_pattern($2,user_screen_ro_home_t,user_screen_ro_home_t)
-+ relabel_files_pattern($2,user_screen_ro_home_t,user_screen_ro_home_t)
-+ relabel_lnk_files_pattern($2,user_screen_ro_home_t,user_screen_ro_home_t)
+- manage_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
+- manage_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
+- manage_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
+- relabel_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
+- relabel_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
+- relabel_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
++ manage_dirs_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t)
++ manage_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t)
++ manage_lnk_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t)
++ relabel_dirs_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t)
++ relabel_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t)
++ relabel_lnk_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t)
kernel_read_system_state($1_screen_t)
kernel_read_kernel_sysctls($1_screen_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.5.1/policy/modules/apps/screen.te
---- nsaserefpolicy/policy/modules/apps/screen.te 2008-06-12 23:25:03.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/apps/screen.te 2008-07-25 12:35:13.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.5.2/policy/modules/apps/screen.te
+--- nsaserefpolicy/policy/modules/apps/screen.te 2008-08-04 16:39:51.000000000 -0400
++++ serefpolicy-3.5.2/policy/modules/apps/screen.te 2008-08-05 12:15:11.000000000 -0400
@@ -11,3 +11,7 @@
type screen_exec_t;
application_executable_file(screen_exec_t)
+
+type user_screen_ro_home_t;
-+userdom_user_home_content(user,user_screen_ro_home_t)
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.5.1/policy/modules/apps/slocate.te
---- nsaserefpolicy/policy/modules/apps/slocate.te 2008-06-12 23:25:03.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/apps/slocate.te 2008-07-25 12:35:13.000000000 -0400
-@@ -47,6 +47,7 @@
- fs_getattr_all_fs(locate_t)
- fs_getattr_all_files(locate_t)
- fs_list_all(locate_t)
-+fs_list_inotifyfs(locate_t)
-
- # getpwnam
- auth_use_nsswitch(locate_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.5.1/policy/modules/apps/thunderbird.fc
---- nsaserefpolicy/policy/modules/apps/thunderbird.fc 2008-06-12 23:25:03.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/apps/thunderbird.fc 2008-07-25 12:35:13.000000000 -0400
++userdom_user_home_content(user, user_screen_ro_home_t)
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.5.2/policy/modules/apps/thunderbird.fc
+--- nsaserefpolicy/policy/modules/apps/thunderbird.fc 2008-08-04 16:39:51.000000000 -0400
++++ serefpolicy-3.5.2/policy/modules/apps/thunderbird.fc 2008-08-05 12:15:11.000000000 -0400
@@ -3,4 +3,4 @@ # /usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) -HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0) +HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:user_thunderbird_home_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-3.5.1/policy/modules/apps/thunderbird.if ---- nsaserefpolicy/policy/modules/apps/thunderbird.if 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/thunderbird.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-3.5.2/policy/modules/apps/thunderbird.if +--- nsaserefpolicy/policy/modules/apps/thunderbird.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/thunderbird.if 2008-08-05 12:15:11.000000000 -0400 @@ -43,9 +43,9 @@ - application_domain($1_thunderbird_t,thunderbird_exec_t) + application_domain($1_thunderbird_t, thunderbird_exec_t) role $3 types $1_thunderbird_t; - type $1_thunderbird_home_t alias $1_thunderbird_rw_t; 
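Review bot: The new side of screen.te still declares a single `user_screen_ro_home_t` via `userdom_user_home_content(user, user_screen_ro_home_t)`, and screen.if makes every `$1_screen_t` instantiation read, and every `$2` caller manage and relabel, that one type, so the per-role `$1_screen_ro_home_t` separation that upstream keeps is dropped for whichever roles the template is instantiated for. That looks deliberate, but nothing in the patch records it, and the same collapse is repeated in the thunderbird.te, tvtime.te and vmware.te hunks further down. A comment beside the declaration, e.g. `# single home-content type shared by every role's screen domain; per-role $1_screen_ro_home_t is intentionally not used`, would keep a later rebase from "fixing" it in either direction. The screen_per_role_template body begins before this hunk.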
@@ -5720,33 +5471,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderb
allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write };
# Access ~/.thunderbird
-- manage_dirs_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
-- manage_files_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
-- manage_lnk_files_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
-+ manage_dirs_pattern($1_thunderbird_t,user_thunderbird_home_t,user_thunderbird_home_t)
-+ manage_files_pattern($1_thunderbird_t,user_thunderbird_home_t,user_thunderbird_home_t)
-+ manage_lnk_files_pattern($1_thunderbird_t,user_thunderbird_home_t,user_thunderbird_home_t)
- userdom_search_user_home_dirs($1,$1_thunderbird_t)
-
- manage_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
+- manage_dirs_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t)
+- manage_files_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t)
+- manage_lnk_files_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t)
++ manage_dirs_pattern($1_thunderbird_t, user_thunderbird_home_t, user_thunderbird_home_t)
++ manage_files_pattern($1_thunderbird_t, user_thunderbird_home_t, user_thunderbird_home_t)
++ manage_lnk_files_pattern($1_thunderbird_t, user_thunderbird_home_t, user_thunderbird_home_t)
+ userdom_search_user_home_dirs($1, $1_thunderbird_t)
+
+ manage_files_pattern($1_thunderbird_t, $1_thunderbird_tmpfs_t, $1_thunderbird_tmpfs_t)
@@ -87,13 +87,13 @@
ps_process_pattern($2,$1_thunderbird_t)
# Access ~/.thunderbird
-- manage_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
-- manage_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
-- manage_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
--
-- relabel_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
-- relabel_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
-- relabel_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
-+ manage_dirs_pattern($2,user_thunderbird_home_t,user_thunderbird_home_t)
-+ manage_files_pattern($2,user_thunderbird_home_t,user_thunderbird_home_t)
-+ manage_lnk_files_pattern($2,user_thunderbird_home_t,user_thunderbird_home_t)
-+
-+ relabel_dirs_pattern($2,user_thunderbird_home_t,user_thunderbird_home_t)
-+ relabel_files_pattern($2,user_thunderbird_home_t,user_thunderbird_home_t)
-+ relabel_lnk_files_pattern($2,user_thunderbird_home_t,user_thunderbird_home_t)
+- manage_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
+- manage_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
+- manage_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
+-
+- relabel_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
+- relabel_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
+- relabel_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
++ manage_dirs_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t)
++ manage_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t)
++ manage_lnk_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t)
++
++ relabel_dirs_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t)
++ relabel_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t)
++ relabel_lnk_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t)
# Allow netstat
kernel_read_network_state($1_thunderbird_t)
@@ -5754,31 +5505,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderb
miscfiles_read_fonts($1_thunderbird_t)
miscfiles_read_localization($1_thunderbird_t)
-- userdom_manage_user_tmp_dirs($1,$1_thunderbird_t)
-- userdom_read_user_tmp_files($1,$1_thunderbird_t)
-- userdom_write_user_tmp_sockets($1,$1_thunderbird_t)
-- userdom_manage_user_tmp_sockets($1,$1_thunderbird_t)
+- userdom_manage_user_tmp_dirs($1, $1_thunderbird_t)
+ unprivuser_manage_tmp_dirs($1_thunderbird_t)
-+ userdom_read_user_tmp_files($1, $1_thunderbird_t)
-+ userdom_write_user_tmp_sockets($1, $1_thunderbird_t)
+ userdom_read_user_tmp_files($1, $1_thunderbird_t)
+ userdom_write_user_tmp_sockets($1, $1_thunderbird_t)
+- userdom_manage_user_tmp_sockets($1, $1_thunderbird_t)
+ unprivuser_manage_tmp_sockets($1_thunderbird_t)
# .kde/....gtkrc
- userdom_read_user_home_content_files($1,$1_thunderbird_t)
+ userdom_read_user_home_content_files($1, $1_thunderbird_t)
@@ -294,8 +294,8 @@
files_search_home($1_thunderbird_t)
- files_tmp_filetrans($1_thunderbird_t,$1_untrusted_content_tmp_t,file)
- files_tmp_filetrans($1_thunderbird_t,$1_untrusted_content_tmp_t,dir)
-- userdom_manage_user_untrusted_content_files($1,$1_thunderbird_t)
+ files_tmp_filetrans($1_thunderbird_t, $1_untrusted_content_tmp_t,file)
+ files_tmp_filetrans($1_thunderbird_t, $1_untrusted_content_tmp_t,dir)
+- userdom_manage_user_untrusted_content_files($1, $1_thunderbird_t)
- userdom_manage_user_untrusted_content_tmp_files($1, $1_thunderbird_t)
+ unprivuser_manage_untrusted_content_files($1_thunderbird_t)
+ unprivuser_manage_untrusted_content_tmp_files($1_thunderbird_t)
- userdom_user_home_dir_filetrans($1,$1_thunderbird_t,$1_untrusted_content_tmp_t, { file dir })
- userdom_user_home_content_filetrans($1,$1_thunderbird_t,$1_untrusted_content_tmp_t, { file dir })
+ userdom_user_home_dir_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir })
+ userdom_user_home_content_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir })
',`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.te serefpolicy-3.5.1/policy/modules/apps/thunderbird.te
---- nsaserefpolicy/policy/modules/apps/thunderbird.te 2008-06-12 23:25:03.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/apps/thunderbird.te 2008-07-25 12:35:13.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.te serefpolicy-3.5.2/policy/modules/apps/thunderbird.te
+--- nsaserefpolicy/policy/modules/apps/thunderbird.te 2008-08-04 16:39:51.000000000 -0400
++++ serefpolicy-3.5.2/policy/modules/apps/thunderbird.te 2008-08-05 12:15:11.000000000 -0400
@@ -8,3 +8,7 @@
type thunderbird_exec_t;
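Review bot: In thunderbird.if the new side replaces `userdom_manage_user_tmp_dirs($1, $1_thunderbird_t)`, `userdom_manage_user_tmp_sockets` and both `userdom_manage_user_untrusted_content*` calls with `unprivuser_manage_*($1_thunderbird_t)` variants that drop the `$1` role argument, while the neighbouring `userdom_read_user_tmp_files($1, ...)`, `userdom_write_user_tmp_sockets($1, ...)` and `userdom_user_home_dir_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, ...)` keep it. For any `$1` other than `user` this reads as a mismatch: the filetrans rules still create `$1_untrusted_content_tmp_t` content, but the manage rules now cover only the unprivileged user's types, so a non-`user` role's thunderbird domain may be unable to manage what it just created (not verifiable from the hunk). Either the filetrans targets should move with the manage rules, or a comment should state the expectation, e.g. `# tmp and untrusted-content management is tied to the unprivileged user types; only $1 = user is expected here`. The wireshark.if hunk further down makes the same `userdom_manage_user_home_content_files` to `unprivuser_manage_home_content_files` swap, and the template body continues outside this hunk.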
@@ -5787,9 +5536,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderb +type user_thunderbird_home_t alias user_thunderbird_rw_t; +userdom_user_home_content(user, user_thunderbird_home_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.5.1/policy/modules/apps/tvtime.if ---- nsaserefpolicy/policy/modules/apps/tvtime.if 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/tvtime.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.5.2/policy/modules/apps/tvtime.if +--- nsaserefpolicy/policy/modules/apps/tvtime.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/tvtime.if 2008-08-05 12:15:11.000000000 -0400 @@ -35,6 +35,7 @@ template(`tvtime_per_role_template',` gen_require(` @@ -5799,11 +5548,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.i ######################################## @@ -46,12 +47,10 @@ - application_domain($1_tvtime_t,tvtime_exec_t) + application_domain($1_tvtime_t, tvtime_exec_t) role $3 types $1_tvtime_t; - type $1_tvtime_home_t alias $1_tvtime_rw_t; -- userdom_user_home_content($1,$1_tvtime_home_t) +- userdom_user_home_content($1, $1_tvtime_home_t) - files_poly_member($1_tvtime_home_t) - - type $1_tvtime_tmp_t; 
@@ -5819,60 +5568,60 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.i allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms; # X access, Home files -- manage_dirs_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t) -- manage_files_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t) -- manage_lnk_files_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t) -- userdom_user_home_dir_filetrans($1,$1_tvtime_t,$1_tvtime_home_t,dir) -- -- manage_dirs_pattern($1_tvtime_t,$1_tvtime_tmp_t,$1_tvtime_tmp_t) -- manage_files_pattern($1_tvtime_t,$1_tvtime_tmp_t,$1_tvtime_tmp_t) -- files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t,{ file dir }) -+ manage_dirs_pattern($1_tvtime_t,user_tvtime_home_t,user_tvtime_home_t) -+ manage_files_pattern($1_tvtime_t,user_tvtime_home_t,user_tvtime_home_t) -+ manage_lnk_files_pattern($1_tvtime_t,user_tvtime_home_t,user_tvtime_home_t) -+ userdom_user_home_dir_filetrans($1,$1_tvtime_t,user_tvtime_home_t,dir) -+ -+ manage_dirs_pattern($1_tvtime_t,user_tvtime_tmp_t,user_tvtime_tmp_t) -+ manage_files_pattern($1_tvtime_t,user_tvtime_tmp_t,user_tvtime_tmp_t) -+ files_tmp_filetrans($1_tvtime_t, user_tvtime_tmp_t,{ file dir }) - - manage_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t) - manage_lnk_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t) +- manage_dirs_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t) +- manage_files_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t) +- manage_lnk_files_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t) +- userdom_user_home_dir_filetrans($1, $1_tvtime_t, $1_tvtime_home_t, dir) +- +- manage_dirs_pattern($1_tvtime_t, $1_tvtime_tmp_t, $1_tvtime_tmp_t) +- manage_files_pattern($1_tvtime_t, $1_tvtime_tmp_t, $1_tvtime_tmp_t) +- files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t, { file dir }) ++ manage_dirs_pattern($1_tvtime_t, user_tvtime_home_t, user_tvtime_home_t) ++ manage_files_pattern($1_tvtime_t, user_tvtime_home_t, 
user_tvtime_home_t) ++ manage_lnk_files_pattern($1_tvtime_t, user_tvtime_home_t, user_tvtime_home_t) ++ userdom_user_home_dir_filetrans($1, $1_tvtime_t, user_tvtime_home_t, dir) ++ ++ manage_dirs_pattern($1_tvtime_t, user_tvtime_tmp_t, user_tvtime_tmp_t) ++ manage_files_pattern($1_tvtime_t, user_tvtime_tmp_t, user_tvtime_tmp_t) ++ files_tmp_filetrans($1_tvtime_t, user_tvtime_tmp_t, { file dir }) + + manage_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t) + manage_lnk_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t) 
@@ -86,12 +85,12 @@ domtrans_pattern($2, tvtime_exec_t, $1_tvtime_t) # X access, Home files -- manage_dirs_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t) -- manage_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t) -- manage_lnk_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t) -- relabel_dirs_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t) -- relabel_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t) -- relabel_lnk_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t) -+ manage_dirs_pattern($2,user_tvtime_home_t,user_tvtime_home_t) -+ manage_files_pattern($2,user_tvtime_home_t,user_tvtime_home_t) -+ manage_lnk_files_pattern($2,user_tvtime_home_t,user_tvtime_home_t) -+ relabel_dirs_pattern($2,user_tvtime_home_t,user_tvtime_home_t) -+ relabel_files_pattern($2,user_tvtime_home_t,user_tvtime_home_t) -+ relabel_lnk_files_pattern($2,user_tvtime_home_t,user_tvtime_home_t) +- manage_dirs_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) +- manage_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) +- manage_lnk_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) +- relabel_dirs_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) +- relabel_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) +- relabel_lnk_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) ++ manage_dirs_pattern($2, user_tvtime_home_t, user_tvtime_home_t) ++ manage_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t) ++ manage_lnk_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t) ++ relabel_dirs_pattern($2, user_tvtime_home_t, user_tvtime_home_t) ++ relabel_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t) ++ relabel_lnk_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t) # Allow the user domain to signal/ps. 
ps_process_pattern($2,$1_tvtime_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.te serefpolicy-3.5.1/policy/modules/apps/tvtime.te ---- nsaserefpolicy/policy/modules/apps/tvtime.te 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/tvtime.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.te serefpolicy-3.5.2/policy/modules/apps/tvtime.te +--- nsaserefpolicy/policy/modules/apps/tvtime.te 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/tvtime.te 2008-08-05 12:15:11.000000000 -0400 @@ -11,3 +11,9 @@ type tvtime_dir_t; files_pid_file(tvtime_dir_t) + +type user_tvtime_home_t alias user_tvtime_rw_t; -+userdom_user_home_content(user,user_tvtime_home_t) ++userdom_user_home_content(user, user_tvtime_home_t) + +type user_tvtime_tmp_t; +files_tmp_file(user_tvtime_tmp_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc serefpolicy-3.5.1/policy/modules/apps/uml.fc ---- nsaserefpolicy/policy/modules/apps/uml.fc 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/uml.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc serefpolicy-3.5.2/policy/modules/apps/uml.fc +--- nsaserefpolicy/policy/modules/apps/uml.fc 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/uml.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1,7 +1,7 @@ # # HOME_DIR/ 
@@ -5882,22 +5631,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc s # # /usr -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/usernetctl.if serefpolicy-3.5.1/policy/modules/apps/usernetctl.if ---- nsaserefpolicy/policy/modules/apps/usernetctl.if 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/usernetctl.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/usernetctl.if serefpolicy-3.5.2/policy/modules/apps/usernetctl.if +--- nsaserefpolicy/policy/modules/apps/usernetctl.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/usernetctl.if 2008-08-05 12:15:11.000000000 -0400 @@ -63,4 +63,9 @@ optional_policy(` - modutils_run_insmod(usernetctl_t,$2,$3) + modutils_run_insmod(usernetctl_t, $2, $3) ') + + + optional_policy(` -+ ppp_run(usernetctl_t,$2,$3) ++ ppp_run(usernetctl_t, $2, $3) + ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/usernetctl.te serefpolicy-3.5.1/policy/modules/apps/usernetctl.te ---- nsaserefpolicy/policy/modules/apps/usernetctl.te 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/usernetctl.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/usernetctl.te serefpolicy-3.5.2/policy/modules/apps/usernetctl.te +--- nsaserefpolicy/policy/modules/apps/usernetctl.te 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/usernetctl.te 2008-08-05 12:15:11.000000000 -0400 @@ -49,15 +49,21 @@ fs_search_auto_mountpoints(usernetctl_t) 
@@ -5920,9 +5669,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/usernetc optional_policy(` hostname_exec(usernetctl_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.5.1/policy/modules/apps/vmware.fc ---- nsaserefpolicy/policy/modules/apps/vmware.fc 2008-07-10 11:38:45.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/vmware.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.5.2/policy/modules/apps/vmware.fc +--- nsaserefpolicy/policy/modules/apps/vmware.fc 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/vmware.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1,9 +1,9 @@ # # HOME_DIR/ @@ -5936,7 +5685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.f # # /etc -@@ -21,31 +21,25 @@ +@@ -21,32 +21,26 @@ /usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) 
@@ -5964,39 +5713,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.f /usr/lib64/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) /usr/lib64/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) /usr/lib64/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) --/usr/lib64/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -- + /usr/lib64/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) + -/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0) -+/usr/lib64/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - +- ifdef(`distro_gentoo',` /opt/vmware/(workstation|player)/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -@@ -62,7 +56,8 @@ - /opt/vmware/(workstation|player)/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) + /opt/vmware/(workstation|player)/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +@@ -63,6 +57,7 @@ ') --/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) + /var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) - --/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) --/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) -+/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) -+/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) -+/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) + /var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) + /var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) +/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/lib/vmware-tools/sbin64/vmware.* -- 
gen_context(system_u:object_r:vmware_host_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.5.1/policy/modules/apps/vmware.if ---- nsaserefpolicy/policy/modules/apps/vmware.if 2008-07-10 11:38:45.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/vmware.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.5.2/policy/modules/apps/vmware.if +--- nsaserefpolicy/policy/modules/apps/vmware.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/vmware.if 2008-08-05 12:15:11.000000000 -0400 @@ -47,11 +47,8 @@ - domain_entry_file($1_vmware_t,vmware_exec_t) + domain_entry_file($1_vmware_t, vmware_exec_t) role $3 types $1_vmware_t; - type $1_vmware_conf_t; -- userdom_user_home_content($1,$1_vmware_conf_t) +- userdom_user_home_content($1, $1_vmware_conf_t) - - type $1_vmware_file_t; -- userdom_user_home_content($1,$1_vmware_file_t) +- userdom_user_home_content($1, $1_vmware_file_t) + typealias vmware_home_t alias $1_vmware_file_t; + typealias vmware_home_t alias $1_vmware_conf_t; 
@@ -6010,27 +5755,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i - allow $1_vmware_t $1_vmware_conf_t:file manage_file_perms; - # VMWare disks -- manage_files_pattern($1_vmware_t,$1_vmware_file_t,$1_vmware_file_t) -- manage_lnk_files_pattern($1_vmware_t,$1_vmware_file_t,$1_vmware_file_t) -+ manage_files_pattern($1_vmware_t,vmware_home_t,vmware_home_t) -+ manage_lnk_files_pattern($1_vmware_t,vmware_home_t,vmware_home_t) +- manage_files_pattern($1_vmware_t, $1_vmware_file_t, $1_vmware_file_t) +- manage_lnk_files_pattern($1_vmware_t, $1_vmware_file_t, $1_vmware_file_t) ++ manage_files_pattern($1_vmware_t, vmware_home_t, vmware_home_t) ++ manage_lnk_files_pattern($1_vmware_t, vmware_home_t, vmware_home_t) allow $1_vmware_t $1_vmware_tmp_t:file execute; - manage_dirs_pattern($1_vmware_t,$1_vmware_tmp_t,$1_vmware_tmp_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.5.1/policy/modules/apps/vmware.te ---- nsaserefpolicy/policy/modules/apps/vmware.te 2008-07-10 11:38:45.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/vmware.te 2008-07-25 12:35:13.000000000 -0400 + manage_dirs_pattern($1_vmware_t, $1_vmware_tmp_t, $1_vmware_tmp_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.5.2/policy/modules/apps/vmware.te +--- nsaserefpolicy/policy/modules/apps/vmware.te 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/vmware.te 2008-08-05 12:15:11.000000000 -0400 
@@ -10,14 +10,14 @@ type vmware_exec_t; corecmd_executable_file(vmware_exec_t) +type vmware_home_t; -+userdom_user_home_content(user,vmware_home_t) ++userdom_user_home_content(user, vmware_home_t) + # VMWare host programs type vmware_host_t; type vmware_host_exec_t; - init_daemon_domain(vmware_host_t,vmware_host_exec_t) + init_daemon_domain(vmware_host_t, vmware_host_exec_t) -type vmware_log_t; -logging_log_file(vmware_log_t) @@ -6057,19 +5802,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t allow vmware_host_t self:fifo_file rw_fifo_file_perms; allow vmware_host_t self:unix_stream_socket create_stream_socket_perms; allow vmware_host_t self:rawip_socket create_socket_perms; -@@ -45,8 +48,10 @@ - manage_sock_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t) - files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file }) +@@ -48,6 +51,8 @@ + manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t) + logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir }) --manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t) --logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir }) -+manage_files_pattern(vmware_host_t,vmware_log_t,vmware_log_t) -+logging_log_filetrans(vmware_host_t,vmware_log_t,{ file dir }) -+ +files_search_home(vmware_host_t) - ++ kernel_read_kernel_sysctls(vmware_host_t) kernel_list_proc(vmware_host_t) + kernel_read_proc_symlinks(vmware_host_t) @@ -98,8 +103,6 @@ sysadm_dontaudit_search_home_dirs(vmware_host_t) 
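Review bot: In vmware.te the new side keeps `files_search_home(vmware_host_t)` for the `init_daemon_domain` `vmware_host_t` while the surrounding context still carries `sysadm_dontaudit_search_home_dirs(vmware_host_t)`, so the system daemon is now explicitly allowed to search home directories rather than merely having the denial silenced. In the same file the first hunk removes `type vmware_log_t;` and `logging_log_file(vmware_log_t)` while `manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)` remains, which means the declaration must now come from somewhere not visible here. A why-comment on the grant, e.g. `# presumably needed to reach vmware_home_t content under user home dirs -- confirm`, and a pointer to where vmware_log_t is now declared would make both intentional. The vmware_host_t rule block continues outside the hunk.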
@@ -6094,9 +5835,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.5.1/policy/modules/apps/wine.if ---- nsaserefpolicy/policy/modules/apps/wine.if 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/wine.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.5.2/policy/modules/apps/wine.if +--- nsaserefpolicy/policy/modules/apps/wine.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/wine.if 2008-08-05 12:15:11.000000000 -0400 @@ -49,3 +49,53 @@ role $2 types wine_t; allow wine_t $3:chr_file rw_term_perms; @@ -6136,7 +5877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if + + type $1_wine_t; + domain_type($1_wine_t) -+ domain_entry_file($1_wine_t,wine_exec_t) ++ domain_entry_file($1_wine_t, wine_exec_t) + role $3 types $1_wine_t; + + domain_interactive_fd($1_wine_t) @@ -6151,13 +5892,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if + xserver_xdm_rw_shm($1_wine_t) + ') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.5.1/policy/modules/apps/wine.te ---- nsaserefpolicy/policy/modules/apps/wine.te 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/wine.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.5.2/policy/modules/apps/wine.te +--- nsaserefpolicy/policy/modules/apps/wine.te 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/wine.te 2008-08-05 12:15:11.000000000 -0400 
@@ -9,6 +9,7 @@ type wine_t; type wine_exec_t; - application_domain(wine_t,wine_exec_t) + application_domain(wine_t, wine_exec_t) +role system_r types wine_t; ######################################## @@ -6171,55 +5912,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te unconfined_domain_noaudit(wine_t) files_execmod_all_files(wine_t) -- optional_policy(` -- hal_dbus_chat(wine_t) -- ') +') + -+optional_policy(` -+ hal_dbus_chat(wine_t) -+') + optional_policy(` + hal_dbus_chat(wine_t) + ') + +optional_policy(` + xserver_xdm_rw_shm(wine_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshark.if serefpolicy-3.5.1/policy/modules/apps/wireshark.if ---- nsaserefpolicy/policy/modules/apps/wireshark.if 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/wireshark.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshark.if serefpolicy-3.5.2/policy/modules/apps/wireshark.if +--- nsaserefpolicy/policy/modules/apps/wireshark.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/apps/wireshark.if 2008-08-05 12:15:11.000000000 -0400 
@@ -134,7 +134,7 @@ sysnet_read_config($1_wireshark_t) -- userdom_manage_user_home_content_files($1,$1_wireshark_t) +- userdom_manage_user_home_content_files($1, $1_wireshark_t) + unprivuser_manage_home_content_files($1_wireshark_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($1_wireshark_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.1/policy/modules/kernel/corecommands.fc ---- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-07-10 11:38:44.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/corecommands.fc 2008-07-30 15:57:01.000000000 -0400 -@@ -7,11 +7,11 @@ - /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) - /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) - /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) -+/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) - /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) - /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) - /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) - /bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0) -- - # - # /dev - # -@@ -97,7 +97,6 @@ - - /lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) - /lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) --/lib64/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) - - ifdef(`distro_gentoo',` - /lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -129,14 +128,14 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.2/policy/modules/kernel/corecommands.fc +--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-08-05 12:24:07.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/kernel/corecommands.fc 2008-08-05 13:51:04.000000000 -0400 +@@ -129,6 +129,8 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
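Review bot: The new side of wine.te adds `role system_r types wine_t;` to a domain that the context lines show is `unconfined_domain_noaudit(wine_t)` with `files_execmod_all_files(wine_t)`, which makes an unconfined, audit-silenced domain reachable from the system role. That may be what the `hal_dbus_chat(wine_t)` and `xserver_xdm_rw_shm(wine_t)` optional blocks need, but the reason is not recorded anywhere in the hunk. A short comment on the role line, e.g. `# system_r so wine_t can be entered from system services -- name which ones`, would stop a later change from removing or widening it blindly. The same hunk also drops the corecommands.fc `/usr/bin/git-shell` and `/usr/bin/scponly` shell_exec_t relabels from the patch; that looks like upstream absorption rather than a regression, but it is worth confirming those entries exist in the 3.5.2 tree, since shell_exec_t is an entry-point label.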
@@ -6228,16 +5945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /usr # - /usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) --/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) - -+/usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) - - /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -184,12 +183,11 @@ +@@ -184,10 +185,8 @@ /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -6249,19 +5957,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco +/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -231,7 +229,6 @@ - /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) --/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -292,3 +289,13 @@ +@@ -292,3 +291,13 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
@@ -6275,20 +5972,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco +/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) +/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.5.1/policy/modules/kernel/corecommands.if ---- nsaserefpolicy/policy/modules/kernel/corecommands.if 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/corecommands.if 2008-08-01 08:34:00.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.5.2/policy/modules/kernel/corecommands.if +--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/kernel/corecommands.if 2008-08-05 12:15:11.000000000 -0400 @@ -894,6 +894,7 @@ - read_lnk_files_pattern($1,bin_t,bin_t) - can_exec($1,chroot_exec_t) + read_lnk_files_pattern($1, bin_t, bin_t) + can_exec($1, chroot_exec_t) + allow $1 self:capability sys_chroot; ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.1/policy/modules/kernel/corenetwork.te.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/corenetwork.te.in 2008-08-01 11:17:33.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.2/policy/modules/kernel/corenetwork.te.in +--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/kernel/corenetwork.te.in 2008-08-05 12:15:11.000000000 -0400 
@@ -75,6 +75,7 @@ network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) network_port(apcupsd, tcp,3551,s0, udp,3551,s0) @@ -6380,14 +6077,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene + network_port(vnc, tcp,5900,s0) +# Reserve 100 ports for vnc/virt machines -+portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t, s0) ++portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t,s0) +network_port(whois, tcp,43,s0, udp,43,s0) network_port(wccp, udp,2048,s0) network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.5.1/policy/modules/kernel/devices.fc ---- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-06-12 23:25:02.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/devices.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.5.2/policy/modules/kernel/devices.fc +--- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/kernel/devices.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1,7 +1,7 @@ /dev -d gen_context(system_u:object_r:device_t,s0) 
@@ -6507,17 +6204,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/pts(/.*)? <> -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.1/policy/modules/kernel/devices.if ---- nsaserefpolicy/policy/modules/kernel/devices.if 2008-06-12 23:25:02.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/devices.if 2008-07-29 14:41:01.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.2/policy/modules/kernel/devices.if +--- nsaserefpolicy/policy/modules/kernel/devices.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/kernel/devices.if 2008-08-05 12:15:11.000000000 -0400 @@ -65,7 +65,7 @@ - relabelfrom_dirs_pattern($1,device_t,device_node) - relabelfrom_files_pattern($1,device_t,device_node) -- relabelfrom_lnk_files_pattern($1,device_t,device_node) -+ relabelfrom_lnk_files_pattern($1,device_t,{ device_t device_node }) - relabelfrom_fifo_files_pattern($1,device_t,device_node) - relabelfrom_sock_files_pattern($1,device_t,device_node) + relabelfrom_dirs_pattern($1, device_t, device_node) + relabelfrom_files_pattern($1, device_t, device_node) +- relabelfrom_lnk_files_pattern($1, device_t, device_node) ++ relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) + relabelfrom_fifo_files_pattern($1, device_t, device_node) + relabelfrom_sock_files_pattern($1, device_t, device_node) relabel_blk_files_pattern($1,device_t,{ device_t device_node }) @@ -167,6 +167,25 @@ @@ -6536,7 +6233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + type device_t; + ') + -+ manage_dirs_pattern($1,device_t,device_t) ++ manage_dirs_pattern($1, device_t, device_t) +') + + 
@@ -6579,7 +6276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + type device_t, cpu_device_t; + ') + -+ setattr_chr_files_pattern($1,device_t,cpu_device_t) ++ setattr_chr_files_pattern($1, device_t, cpu_device_t) +') + +######################################## @@ -6604,7 +6301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + type device_t, null_device_t; + ') + -+ getattr_chr_files_pattern($1,device_t,null_device_t) ++ getattr_chr_files_pattern($1, device_t, null_device_t) +') + +######################################## @@ -6622,7 +6319,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + type device_t, null_device_t; + ') + -+ setattr_chr_files_pattern($1,device_t,null_device_t) ++ setattr_chr_files_pattern($1, device_t, null_device_t) +') + +######################################## @@ -6647,7 +6344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + type usb_device_t; + ') + -+ read_chr_files_pattern($1,device_t,usb_device_t) ++ read_chr_files_pattern($1, device_t, usb_device_t) +') + +######################################## @@ -6691,7 +6388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + type device_t, kvm_device_t; + ') + -+ getattr_chr_files_pattern($1,device_t,kvm_device_t) ++ getattr_chr_files_pattern($1, device_t, kvm_device_t) +') + +######################################## @@ -6709,7 +6406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + type device_t, kvm_device_t; + ') + -+ setattr_chr_files_pattern($1,device_t,kvm_device_t) ++ setattr_chr_files_pattern($1, device_t, kvm_device_t) +') + +######################################## 
@@ -6727,7 +6424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + type device_t, kvm_device_t; + ') + -+ read_chr_files_pattern($1,device_t,kvm_device_t) ++ read_chr_files_pattern($1, device_t, kvm_device_t) +') + +######################################## @@ -6745,7 +6442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + type device_t, kvm_device_t; + ') + -+ rw_chr_files_pattern($1,device_t,kvm_device_t) ++ rw_chr_files_pattern($1, device_t, kvm_device_t) +') + +######################################## @@ -6773,7 +6470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + type device_t, autofs_device_t; + ') + -+ getattr_chr_files_pattern($1,device_t,autofs_device_t) ++ getattr_chr_files_pattern($1, device_t, autofs_device_t) +') + +######################################## @@ -6810,7 +6507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + type device_t, autofs_device_t; + ') + -+ setattr_chr_files_pattern($1,device_t,autofs_device_t) ++ setattr_chr_files_pattern($1, device_t, autofs_device_t) +') + +######################################## @@ -6847,7 +6544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + type device_t, autofs_device_t; + ') + -+ rw_chr_files_pattern($1,device_t,autofs_device_t) ++ rw_chr_files_pattern($1, device_t, autofs_device_t) +') + +######################################## @@ -6865,7 +6562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + type device_t, netcontrol_device_t; + ') + -+ getattr_chr_files_pattern($1,device_t,netcontrol_device_t) ++ getattr_chr_files_pattern($1, device_t, netcontrol_device_t) +') + +######################################## 
@@ -6883,7 +6580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + type device_t, netcontrol_device_t; + ') + -+ read_chr_files_pattern($1,device_t,netcontrol_device_t) ++ read_chr_files_pattern($1, device_t, netcontrol_device_t) +') + +######################################## @@ -6901,7 +6598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + type device_t, netcontrol_device_t; + ') + -+ rw_chr_files_pattern($1,device_t,netcontrol_device_t) ++ rw_chr_files_pattern($1, device_t, netcontrol_device_t) +') + +######################################## @@ -6920,7 +6617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + type device_t, qemu_device_t; + ') + -+ getattr_chr_files_pattern($1,device_t,qemu_device_t) ++ getattr_chr_files_pattern($1, device_t, qemu_device_t) +') + +######################################## @@ -6939,7 +6636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + type device_t, qemu_device_t; + ') + -+ setattr_chr_files_pattern($1,device_t,qemu_device_t) ++ setattr_chr_files_pattern($1, device_t, qemu_device_t) +') + +######################################## @@ -6957,7 +6654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + type device_t, qemu_device_t; + ') + -+ read_chr_files_pattern($1,device_t,qemu_device_t) ++ read_chr_files_pattern($1, device_t, qemu_device_t) +') + +######################################## 
@@ -6975,11 +6672,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + type device_t, qemu_device_t; + ') + -+ rw_chr_files_pattern($1,device_t,qemu_device_t) ++ rw_chr_files_pattern($1, device_t, qemu_device_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.5.1/policy/modules/kernel/devices.te ---- nsaserefpolicy/policy/modules/kernel/devices.te 2008-06-12 23:25:02.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/devices.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.5.2/policy/modules/kernel/devices.te +--- nsaserefpolicy/policy/modules/kernel/devices.te 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/kernel/devices.te 2008-08-05 12:15:11.000000000 -0400 @@ -32,6 +32,12 @@ type apm_bios_t; dev_node(apm_bios_t) @@ -7045,9 +6742,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device # Type for /dev/pmu # type power_device_t; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.5.1/policy/modules/kernel/domain.if ---- nsaserefpolicy/policy/modules/kernel/domain.if 2008-06-12 23:25:02.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/domain.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.5.2/policy/modules/kernel/domain.if +--- nsaserefpolicy/policy/modules/kernel/domain.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/kernel/domain.if 2008-08-05 12:15:11.000000000 -0400 @@ -1247,18 +1247,34 @@ ## ## 
@@ -7086,9 +6783,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain ## Allow specified type to receive labeled ## networking packets from all domains, over ## all protocols (TCP, UDP, etc) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.1/policy/modules/kernel/domain.te ---- nsaserefpolicy/policy/modules/kernel/domain.te 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/domain.te 2008-07-28 08:36:20.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.2/policy/modules/kernel/domain.te +--- nsaserefpolicy/policy/modules/kernel/domain.te 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/kernel/domain.te 2008-08-05 12:15:11.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations @@ -7143,12 +6840,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +optional_policy(` + cron_dontaudit_write_system_job_tmp_files(domain) + cron_rw_pipes(domain) -+ifdef(`hide_broken_symptoms', ` ++ifdef(`hide_broken_symptoms',` + cron_dontaudit_rw_tcp_sockets(domain) +') +') + -+ifdef(`hide_broken_symptoms', ` ++ifdef(`hide_broken_symptoms',` + dbus_dontaudit_system_bus_rw_tcp_sockets(domain) +') + 
@@ -7169,9 +6866,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.5.1/policy/modules/kernel/files.fc ---- nsaserefpolicy/policy/modules/kernel/files.fc 2008-06-12 23:25:02.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/files.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.5.2/policy/modules/kernel/files.fc +--- nsaserefpolicy/policy/modules/kernel/files.fc 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/kernel/files.fc 2008-08-05 12:15:11.000000000 -0400 @@ -32,6 +32,7 @@ /boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /boot/lost\+found/.* <> @@ -7180,9 +6877,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # # /emul -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.1/policy/modules/kernel/files.if ---- nsaserefpolicy/policy/modules/kernel/files.if 2008-06-12 23:25:02.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/files.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.2/policy/modules/kernel/files.if +--- nsaserefpolicy/policy/modules/kernel/files.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/kernel/files.if 2008-08-05 16:25:47.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -7195,7 +6892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. files_type($1) ') -@@ -1266,6 +1271,24 @@ +@@ -1303,6 +1308,24 @@ ######################################## ## 
@@ -7220,7 +6917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Unmount a rootfs filesystem. ## ## -@@ -1852,6 +1875,26 @@ +@@ -1889,6 +1912,26 @@ ######################################## ## @@ -7238,8 +6935,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + ') + + allow $1 etcfile:dir list_dir_perms; -+ read_files_pattern($1,etcfile,etcfile) -+ read_lnk_files_pattern($1,etcfile,etcfile) ++ read_files_pattern($1, etcfile, etcfile) ++ read_lnk_files_pattern($1, etcfile, etcfile) +') + +######################################## @@ -7247,7 +6944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Do not audit attempts to write generic files in /etc. ## ## -@@ -2187,6 +2230,49 @@ +@@ -2224,6 +2267,49 @@ ######################################## ## @@ -7297,7 +6994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -2707,6 +2793,24 @@ +@@ -2744,6 +2830,24 @@ ######################################## ## @@ -7314,7 +7011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + type mnt_t; + ') + -+ read_files_pattern($1,mnt_t,mnt_t) ++ read_files_pattern($1, mnt_t, mnt_t) +') + +######################################## 
@@ -7322,16 +7019,64 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Create, read, write, and delete symbolic links in /mnt. ## ## -@@ -3357,6 +3461,8 @@ - delete_lnk_files_pattern($1,tmpfile,tmpfile) - delete_fifo_files_pattern($1,tmpfile,tmpfile) - delete_sock_files_pattern($1,tmpfile,tmpfile) +@@ -3394,6 +3498,8 @@ + delete_lnk_files_pattern($1, tmpfile, tmpfile) + delete_fifo_files_pattern($1, tmpfile, tmpfile) + delete_sock_files_pattern($1, tmpfile, tmpfile) + files_delete_isid_type_dirs($1) + files_delete_isid_type_files($1) ') ######################################## -@@ -3510,6 +3616,24 @@ +@@ -3471,6 +3577,47 @@ + + ######################################## + ## ++## Delete generic directories in /usr in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_usr_dirs',` ++ gen_require(` ++ type usr_t; ++ ') ++ ++ delete_dirs_pattern($1, usr_t, usr_t) ++') ++ ++######################################## ++## ++## Delete generic files in /usr in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_usr_files',` ++ gen_require(` ++ type usr_t; ++ ') ++ ++ delete_files_pattern($1, usr_t, usr_t) ++ delete_lnk_files_pattern($1, usr_t, usr_t) ++ delete_fifo_files_pattern($1, usr_t, usr_t) ++ delete_sock_files_pattern($1, usr_t, usr_t) ++ delete_blk_files_pattern($1, usr_t, usr_t) ++ delete_chr_files_pattern($1, usr_t, usr_t) ++') ++ ++######################################## ++## + ## Get the attributes of files in /usr. + ## + ## +@@ -3547,6 +3694,24 @@ ######################################## ## @@ -7356,7 +7101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Relabel a file to the type used in /usr. ## ## -@@ -4724,12 +4848,14 @@ +@@ -4761,12 +4926,14 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) 
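Review bot: The summary lines of the two newly added interfaces, `## Delete generic directories in /usr in the caller domain.` and `## Delete generic files in /usr in the caller domain.`, misdescribe the grant: the caller is the subject receiving delete access, not a location, and files_delete_usr_files also grants delete on symbolic links, named pipes, sockets, block and character nodes (the delete_lnk/fifo/sock/blk/chr_files_pattern lines), not only regular files. I would word them as `## Delete generic directories in /usr.` and `## Delete generic files, symbolic links, named pipes, sockets and device nodes in /usr.` so a policy author sees the full scope before calling the interface. Since usr_t labels the installed system tree, deleting it is a package-manager-level privilege; a sentence in the interface description saying so would discourage using it to clean up a single stray file from a confined domain. Both interface bodies are complete within this hunk.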
@@ -7372,9 +7117,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ') -@@ -4768,3 +4894,53 @@ +@@ -4787,3 +4954,53 @@ - allow $1 { file_type -security_file_type }:dir manage_dir_perms; + typeattribute $1 files_unconfined_type; ') + +######################################## @@ -7423,13 +7168,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + ') + + allow $1 default_t:dir create; -+ filetrans_pattern($1,root_t,default_t,dir) ++ filetrans_pattern($1, root_t, default_t, dir) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.5.1/policy/modules/kernel/files.te ---- nsaserefpolicy/policy/modules/kernel/files.te 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/files.te 2008-07-25 12:35:13.000000000 -0400 -@@ -50,11 +50,15 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.5.2/policy/modules/kernel/files.te +--- nsaserefpolicy/policy/modules/kernel/files.te 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/kernel/files.te 2008-08-05 14:13:15.000000000 -0400 +@@ -52,11 +52,14 @@ # # etc_t is the type of the system etc directories. # @@ -7442,11 +7187,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. typealias etc_t alias automount_etc_t; typealias etc_t alias snmpd_etc_t; +typealias etc_t alias gconf_etc_t; -+typealias etc_t alias hplip_etc_t; # # etc_runtime_t is the type of various -@@ -172,6 +176,7 @@ +@@ -174,6 +177,7 @@ # type var_run_t; files_pid_file(var_run_t) @@ -7454,7 +7198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # # var_spool_t is the type of /var/spool -@@ -195,10 +200,7 @@ +@@ -197,10 +201,7 @@ # # Rules for all tmp file types # 
@@ -7466,9 +7210,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.5.1/policy/modules/kernel/filesystem.if ---- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-06-12 23:25:02.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/filesystem.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.5.2/policy/modules/kernel/filesystem.if +--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/kernel/filesystem.if 2008-08-05 12:15:11.000000000 -0400 @@ -310,6 +310,25 @@ ######################################## @@ -7488,7 +7232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + + ') + -+ rw_files_pattern($1,hugetlbfs_t,hugetlbfs_t) ++ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) +') +######################################## +## @@ -7524,8 +7268,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy attribute noxattrfs; ') -+ list_dirs_pattern($1,noxattrfs,noxattrfs) - read_files_pattern($1,noxattrfs,noxattrfs) ++ list_dirs_pattern($1, noxattrfs, noxattrfs) + read_files_pattern($1, noxattrfs, noxattrfs) ') @@ -779,6 +817,25 @@ @@ -7573,7 +7317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + type cifs_t; + ') + -+ append_files_pattern($1,cifs_t,cifs_t) ++ append_files_pattern($1, cifs_t, cifs_t) +') + +######################################## 
@@ -7619,7 +7363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + type dosfs_t; + ') + -+ manage_dirs_pattern($1,dosfs_t,dosfs_t) ++ manage_dirs_pattern($1, dosfs_t, dosfs_t) +') + +######################################## @@ -7661,24 +7405,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -1721,7 +1855,7 @@ - - read_fifo_files_pattern($1,nfs_t,nfs_t) - ') -- -+# - ######################################## - ## - ## Read directories of RPC file system pipes. -@@ -1741,7 +1875,7 @@ - - ') - --######################################## -+####################################### - ## - ## Search directories of RPC file system pipes. - ## @@ -1984,6 +2118,47 @@ ######################################## @@ -7698,7 +7424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + type nfs_t; + ') + -+ append_files_pattern($1,nfs_t,nfs_t) ++ append_files_pattern($1, nfs_t, nfs_t) +') + +######################################## @@ -7753,7 +7479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + ') + + allow $1 removable_t:dir list_dir_perms; -+ rw_blk_files_pattern($1,removable_t,removable_t) ++ rw_blk_files_pattern($1, removable_t, removable_t) +') + +######################################## @@ -7770,8 +7496,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ######################################## @@ -3626,3 +3822,123 @@ - relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs) - relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs) + relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) + relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') + +######################################## 
@@ -7851,7 +7577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + type fusefs_t; + ') + -+ manage_files_pattern($1,fusefs_t,fusefs_t) ++ manage_files_pattern($1, fusefs_t, fusefs_t) +') + +######################################## @@ -7870,7 +7596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + ') + + allow $1 fusefs_t:dir list_dir_perms; -+ read_lnk_files_pattern($1,fusefs_t,fusefs_t) ++ read_lnk_files_pattern($1, fusefs_t, fusefs_t) +') + + @@ -7893,9 +7619,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + + dontaudit $1 fusefs_t:file manage_file_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.1/policy/modules/kernel/filesystem.te ---- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-07-10 11:38:44.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/filesystem.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.2/policy/modules/kernel/filesystem.te +--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/kernel/filesystem.te 2008-08-05 12:15:11.000000000 -0400 @@ -21,7 +21,6 @@ # Use xattrs for the following filesystem types. 
@@ -7924,9 +7650,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ######################################## # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.1/policy/modules/kernel/kernel.if ---- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/kernel.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.2/policy/modules/kernel/kernel.if +--- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/kernel/kernel.if 2008-08-05 12:15:11.000000000 -0400 @@ -1198,6 +1198,7 @@ ') @@ -7968,9 +7694,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Unconfined access to kernel module resources. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.5.1/policy/modules/kernel/kernel.te ---- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-07-10 11:38:44.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/kernel.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.5.2/policy/modules/kernel/kernel.te +--- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/kernel/kernel.te 2008-08-05 12:15:11.000000000 -0400 @@ -63,6 +63,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) 
@@ -8004,9 +7730,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel tunable_policy(`read_default_t',` files_list_default(kernel_t) files_read_default_files(kernel_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.5.1/policy/modules/kernel/selinux.if ---- nsaserefpolicy/policy/modules/kernel/selinux.if 2008-06-12 23:25:02.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/selinux.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.5.2/policy/modules/kernel/selinux.if +--- nsaserefpolicy/policy/modules/kernel/selinux.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/kernel/selinux.if 2008-08-05 12:15:11.000000000 -0400 @@ -164,6 +164,7 @@ type security_t; ') @@ -8125,9 +7851,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu + fs_type($1) + mls_trusted_object($1) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.5.1/policy/modules/kernel/selinux.te ---- nsaserefpolicy/policy/modules/kernel/selinux.te 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/selinux.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.5.2/policy/modules/kernel/selinux.te +--- nsaserefpolicy/policy/modules/kernel/selinux.te 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/kernel/selinux.te 2008-08-05 12:15:11.000000000 -0400 @@ -10,6 +10,7 @@ attribute can_setenforce; attribute can_setsecparam; 
@@ -8148,9 +7874,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.5.1/policy/modules/kernel/storage.fc ---- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-06-12 23:25:02.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/storage.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.5.2/policy/modules/kernel/storage.fc +--- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/kernel/storage.fc 2008-08-05 12:15:11.000000000 -0400 @@ -13,6 +13,7 @@ /dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) 
@@ -8167,9 +7893,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag /dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.5.1/policy/modules/kernel/storage.if ---- nsaserefpolicy/policy/modules/kernel/storage.if 2008-06-12 23:25:02.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/storage.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.5.2/policy/modules/kernel/storage.if +--- nsaserefpolicy/policy/modules/kernel/storage.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/kernel/storage.if 2008-08-05 12:15:11.000000000 -0400 @@ -81,6 +81,26 @@ ######################################## @@ -8197,9 +7923,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag ## Allow the caller to directly read from a fixed disk. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.5.1/policy/modules/kernel/terminal.if ---- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/terminal.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.5.2/policy/modules/kernel/terminal.if +--- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-08-04 16:39:51.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/kernel/terminal.if 2008-08-05 12:15:11.000000000 -0400 @@ -525,11 +525,13 @@ interface(`term_use_generic_ptys',` gen_require(` 
@@ -8226,14 +7952,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.1/policy/modules/roles/guest.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.2/policy/modules/roles/guest.fc --- nsaserefpolicy/policy/modules/roles/guest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/roles/guest.fc 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/roles/guest.fc 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.if serefpolicy-3.5.1/policy/modules/roles/guest.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.if serefpolicy-3.5.2/policy/modules/roles/guest.if --- nsaserefpolicy/policy/modules/roles/guest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/roles/guest.if 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/roles/guest.if 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,161 @@ +## Least privledge terminal user role + 
@@ -8396,9 +8122,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.i + read_files_pattern($1, { guest_home_dir_t guest_home_t }, guest_home_t) + read_lnk_files_pattern($1, { guest_home_dir_t guest_home_t }, guest_home_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.5.1/policy/modules/roles/guest.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.5.2/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/roles/guest.te 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/roles/guest.te 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,44 @@ + +policy_module(guest, 1.0.0) @@ -8430,8 +8156,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.t + type xguest_mozilla_t; + ') + -+ dbus_chat_user_bus(xguest,xguest_mozilla_t) -+ dbus_connectto_user_bus(xguest,xguest_mozilla_t) ++ dbus_chat_user_bus(xguest, xguest_mozilla_t) ++ dbus_connectto_user_bus(xguest, xguest_mozilla_t) +') + + @@ -8444,14 +8170,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.t + + domtrans_pattern(xguest_mozilla_t, openoffice_exec_t, xguest_openoffice_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.fc serefpolicy-3.5.1/policy/modules/roles/logadm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.fc serefpolicy-3.5.2/policy/modules/roles/logadm.fc --- nsaserefpolicy/policy/modules/roles/logadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/roles/logadm.fc 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/roles/logadm.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.if serefpolicy-3.5.1/policy/modules/roles/logadm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.if serefpolicy-3.5.2/policy/modules/roles/logadm.if --- nsaserefpolicy/policy/modules/roles/logadm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/roles/logadm.if 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/roles/logadm.if 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,44 @@ +## Audit administrator role + @@ -8497,12 +8223,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm. +template(`logadm_role_change_to_template',` + userdom_role_change_template(logadm, $1) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.te serefpolicy-3.5.1/policy/modules/roles/logadm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.te serefpolicy-3.5.2/policy/modules/roles/logadm.te --- nsaserefpolicy/policy/modules/roles/logadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/roles/logadm.te 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/roles/logadm.te 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,20 @@ + -+policy_module(logadm,1.0.0) ++policy_module(logadm, 1.0.0) + +######################################## +# 
@@ -8521,23 +8247,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm. +allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; + +logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.te serefpolicy-3.5.1/policy/modules/roles/secadm.te ---- nsaserefpolicy/policy/modules/roles/secadm.te 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/roles/secadm.te 2008-07-25 12:35:13.000000000 -0400 -@@ -48,6 +48,10 @@ - ') - - optional_policy(` -+ dmesg_exec(secadm_t) -+') -+ -+optional_policy(` - netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t }) - ') - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.1/policy/modules/roles/staff.te ---- nsaserefpolicy/policy/modules/roles/staff.te 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/roles/staff.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.2/policy/modules/roles/staff.te +--- nsaserefpolicy/policy/modules/roles/staff.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/roles/staff.te 2008-08-05 12:15:11.000000000 -0400 @@ -8,18 +8,34 @@ role staff_r; @@ -8567,7 +8279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +') + +optional_policy(` -+ postgresql_userdom_template(staff,staff_t,staff_r) ++ postgresql_userdom_template(staff, staff_t, staff_r) +') + +optional_policy(` @@ -8579,7 +8291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t ') +optional_policy(` -+ usernetctl_run(staff_t,staff_r,{ staff_devpts_t staff_tty_device_t }) ++ usernetctl_run(staff_t, staff_r, { staff_devpts_t staff_tty_device_t }) +') + +optional_policy(` 
@@ -8589,9 +8301,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +optional_policy(` + webadm_role_change_template(staff) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.1/policy/modules/roles/sysadm.if ---- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/roles/sysadm.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.2/policy/modules/roles/sysadm.if +--- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/roles/sysadm.if 2008-08-05 12:15:11.000000000 -0400 @@ -334,10 +334,10 @@ # interface(`sysadm_getattr_home_dirs',` @@ -8751,11 +8463,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ######################################## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.5.1/policy/modules/roles/unprivuser.if ---- nsaserefpolicy/policy/modules/roles/unprivuser.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/roles/unprivuser.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.5.2/policy/modules/roles/unprivuser.if +--- nsaserefpolicy/policy/modules/roles/unprivuser.if 2008-08-05 11:15:32.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/roles/unprivuser.if 2008-08-05 12:15:11.000000000 -0400 @@ -62,6 +62,26 @@ - files_home_filetrans($1,user_home_dir_t,dir) + files_home_filetrans($1, user_home_dir_t, dir) ') + 
@@ -8775,7 +8487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu + type user_home_dir_t; + ') + -+ filetrans_pattern($1,user_home_dir_t,$2, $3) ++ filetrans_pattern($1, user_home_dir_t, $2, $3) +') + ######################################## 
@@ -8789,86 +8501,73 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu allow $1 user_home_dir_t:dir search_dir_perms; ') -@@ -126,8 +147,7 @@ - - ######################################## - ## --## Create, read, write, and delete generic user --## home directories. -+## Don't audit list on the user home subdirectory. - ## - ## - ## -@@ -135,19 +155,17 @@ - ## - ## +@@ -177,11 +198,29 @@ # --interface(`unprivuser_manage_home_dirs',` -+interface(`unprivuser_dontaudit_list_home_dirs',` - gen_require(` -- type user_home_dir_t; -+ type user_home_t; - ') - -- files_search_home($1) -- allow $1 user_home_dir_t:dir manage_dir_perms; -+ dontaudit $1 user_home_t:dir list_dir_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## subdirectories of generic user -+## Create, read, write, and delete generic user - ## home directories. - ## - ## -@@ -156,13 +174,13 @@ - ## - ## - # --interface(`unprivuser_manage_home_content_dirs',` -+interface(`unprivuser_manage_home_dirs',` + interface(`unprivuser_manage_home_content_dirs',` gen_require(` - type user_home_dir_t, user_home_t; -+ type user_home_dir_t; ++ attribute user_home_dir_type, user_home_type; ') files_search_home($1) -- manage_dirs_pattern($1,{ user_home_dir_t user_home_t },user_home_t) -+ allow $1 user_home_dir_t:dir manage_dir_perms; +- manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t) ++ manage_dirs_pattern($1, { user_home_dir_type user_home_type }, user_home_type) ++') ++ ++######################################## ++## ++## Don't audit list on the user home subdirectory. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`unprivuser_dontaudit_list_home_dirs',` ++ gen_require(` ++ type user_home_t; ++ ') ++ ++ dontaudit $1 user_home_t:dir list_dir_perms; ') ######################################## -@@ -206,8 +224,7 @@ - - ######################################## - ## --## Mmap of generic user --## home files. -+## Read link files in generic user home directories. - ## - ## - ## -@@ -215,13 +232,13 @@ - ## - ## +@@ -236,11 +275,30 @@ # --interface(`unprivuser_mmap_home_content_files',` -+interface(`unprivuser_read_home_content_symlinks',` + interface(`unprivuser_mmap_home_content_files',` gen_require(` - type user_home_t; -+ type user_home_t, user_home_dir_t; ++ attribute user_home_type; ') files_search_home($1) - allow $1 user_home_t:file execute; -+ read_lnk_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) ++ allow $1 user_home_type:file execute; ++') ++ ++######################################## ++## ++## Read link files in generic user home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unprivuser_read_home_content_symlinks',` ++ gen_require(` ++ type user_home_t, user_home_dir_t; ++ ') ++ ++ files_search_home($1) ++ read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) ') ######################################## -@@ -323,3 +340,555 @@ - manage_sock_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) +@@ -342,3 +400,515 @@ + manage_sock_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) ') +######################################## 
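Review bot: The rewritten `unprivuser_manage_home_content_dirs` and `unprivuser_mmap_home_content_files` now require `attribute user_home_dir_type, user_home_type` and `attribute user_home_type` in place of the concrete `user_home_dir_t`/`user_home_t`, so every caller of these two interfaces is granted manage and file `execute` access on every type carrying those attributes, not just the generic user home content that the interface names suggest. The widening looks intentional (the attribute-based copies that the old patch appended at the end of this file are dropped in the hunks that follow and folded in here), but the `## <summary>` blocks of both interfaces sit above this hunk and appear untouched, so a policy author reading the interface documentation will not see that the grant now spans the home content of all user roles. I would update both summaries, e.g. `## Create, read, write, and delete directories in all user home directories (any type with the user_home_type attribute).` and `## Mmap files in all user home directories (any type with the user_home_type attribute).`, and keep the new `unprivuser_read_home_content_symlinks`, which stays on the concrete types, as the narrow alternative for callers that only need generic user home access. Whether `user_home_type` is attached to every per-role home type is not visible on this page and should be confirmed against the userdomain templates before relying on the narrower reading.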
@@ -8961,27 +8660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu + ') + + files_search_tmp($1) -+ manage_sock_files_pattern($1,user_tmp_t,user_tmp_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete directories in -+## unprivileged users home directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unprivuser_manage_home_content_dirs',` -+ gen_require(` -+ attribute user_home_dir_type, user_home_type; -+ ') -+ -+ files_search_home($1) -+ manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type) ++ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## @@ -9079,26 +8758,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu + +######################################## +## -+## Mmap of unpriv user -+## home files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unprivuser_mmap_home_content_files',` -+ gen_require(` -+ attribute user_home_type; -+ ') -+ -+ files_search_home($1) -+ allow $1 user_home_type:file execute; -+') -+ -+######################################## -+## +## unlink all unprivileged users files in /tmp +## +## @@ -9162,7 +8821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu + ') + + files_search_tmp($1) -+ manage_dirs_pattern($1,user_tmp_t,user_tmp_t) ++ manage_dirs_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## @@ -9198,7 +8857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu + ') + + files_search_tmp($1) -+ manage_fifo_files_pattern($1,user_tmp_t,user_tmp_t) ++ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## 
@@ -9231,7 +8890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu + type user_untrusted_content_t; + ') + -+ manage_files_pattern($1,user_untrusted_content_t,user_untrusted_content_t) ++ manage_files_pattern($1, user_untrusted_content_t, user_untrusted_content_t) +') + +######################################## @@ -9264,7 +8923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu + type user_untrusted_content_tmp_t; + ') + -+ manage_files_pattern($1,user_untrusted_content_tmp_t,user_untrusted_content_tmp_t) ++ manage_files_pattern($1, user_untrusted_content_tmp_t, user_untrusted_content_tmp_t) +') + +######################################## @@ -9308,7 +8967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu + ') + + fs_search_tmpfs($1) -+ read_files_pattern($1,user_tmpfs_t,user_tmpfs_t) ++ read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) +') + +######################################## @@ -9337,8 +8996,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu + + fs_search_tmpfs($1) + allow $1 user_tmpfs_t:dir list_dir_perms; -+ delete_files_pattern($1,user_tmpfs_t,user_tmpfs_t) -+ read_lnk_files_pattern($1,user_tmpfs_t,user_tmpfs_t) ++ delete_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) +') + +######################################## @@ -9359,7 +9018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu + + files_search_home($1) + allow $1 user_home_type:dir list_dir_perms; -+ append_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) ++ append_files_pattern($1, { user_home_dir_type user_home_type }, user_home_type) + tunable_policy(`use_nfs_home_dirs',` + fs_append_nfs_files($1) + ') 
@@ -9423,9 +9082,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu + ') +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.5.1/policy/modules/roles/unprivuser.te ---- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/roles/unprivuser.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.5.2/policy/modules/roles/unprivuser.te +--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-08-05 11:15:32.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/roles/unprivuser.te 2008-08-05 12:15:11.000000000 -0400 @@ -13,3 +13,23 @@ userdom_unpriv_user_template(user) @@ -9439,7 +9098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu +') + +optional_policy(` -+ postgresql_userdom_template(user,user_t,user_r) ++ postgresql_userdom_template(user, user_t, user_r) +') + +optional_policy(` @@ -9450,14 +9109,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu + setroubleshoot_dontaudit_stream_connect(user_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.fc serefpolicy-3.5.1/policy/modules/roles/webadm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.fc serefpolicy-3.5.2/policy/modules/roles/webadm.fc --- nsaserefpolicy/policy/modules/roles/webadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/roles/webadm.fc 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/roles/webadm.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -0,0 +1 @@ +# No webadm file contexts. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.if serefpolicy-3.5.1/policy/modules/roles/webadm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.if serefpolicy-3.5.2/policy/modules/roles/webadm.if --- nsaserefpolicy/policy/modules/roles/webadm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/roles/webadm.if 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/roles/webadm.if 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,44 @@ +## Policy for webadm role + @@ -9503,9 +9162,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm. +template(`webadm_role_change_to_template',` + userdom_role_change_template(webadm, $1) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.5.1/policy/modules/roles/webadm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.5.2/policy/modules/roles/webadm.te --- nsaserefpolicy/policy/modules/roles/webadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/roles/webadm.te 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/roles/webadm.te 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,65 @@ + +policy_module(webadm, 1.0.0) @@ -9515,14 +9174,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm. +## Allow webadm to read files in users home directories +##

+## -+gen_tunable(webadm_read_user_files,false) ++gen_tunable(webadm_read_user_files, false) + +## +##

+## Allow webadm to manage files in users home directories +##

+##
-+gen_tunable(webadm_manage_user_files,false) ++gen_tunable(webadm_manage_user_files, false) + +######################################## +# @@ -9572,14 +9231,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm. + unprivuser_write_tmp_files(webadm_t) +') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.fc serefpolicy-3.5.1/policy/modules/roles/xguest.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.fc serefpolicy-3.5.2/policy/modules/roles/xguest.fc --- nsaserefpolicy/policy/modules/roles/xguest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/roles/xguest.fc 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/roles/xguest.fc 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.if serefpolicy-3.5.1/policy/modules/roles/xguest.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.if serefpolicy-3.5.2/policy/modules/roles/xguest.if --- nsaserefpolicy/policy/modules/roles/xguest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/roles/xguest.if 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/roles/xguest.if 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,161 @@ +## Least privledge X Windows user role + 
@@ -9742,9 +9401,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. + read_files_pattern($1, { xguest_home_dir_t xguest_home_t }, xguest_home_t) + read_lnk_files_pattern($1, { xguest_home_dir_t xguest_home_t }, xguest_home_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.5.1/policy/modules/roles/xguest.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.5.2/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/roles/xguest.te 2008-07-29 15:23:35.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/roles/xguest.te 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,83 @@ + +policy_module(xguest, 1.0.0) @@ -9754,21 +9413,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. +## Allow xguest users to mount removable media +##

+## -+gen_tunable(xguest_mount_media,false) ++gen_tunable(xguest_mount_media, false) + +## +##

+## Allow xguest to configure Network Manager +##

+##
-+gen_tunable(xguest_connect_network,false) ++gen_tunable(xguest_connect_network, false) + +## +##

+## Allow xguest to use blue tooth devices +##

+##
-+gen_tunable(xguest_use_bluetooth,false) ++gen_tunable(xguest_use_bluetooth, false) + +######################################## +# @@ -9829,9 +9488,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. + ') +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.if serefpolicy-3.5.1/policy/modules/services/aide.if ---- nsaserefpolicy/policy/modules/services/aide.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/aide.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.if serefpolicy-3.5.2/policy/modules/services/aide.if +--- nsaserefpolicy/policy/modules/services/aide.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/aide.if 2008-08-05 12:15:11.000000000 -0400 @@ -70,9 +70,11 @@ allow $1 aide_t:process { ptrace signal_perms }; ps_process_pattern($1, aide_t) @@ -9846,9 +9505,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide - manage_files_pattern($1, aide_log_t, aide_log_t) + manage_all_pattern($1, aide_log_t, aide_log_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.fc serefpolicy-3.5.1/policy/modules/services/amavis.fc ---- nsaserefpolicy/policy/modules/services/amavis.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/amavis.fc 2008-07-29 11:14:34.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.fc serefpolicy-3.5.2/policy/modules/services/amavis.fc +--- nsaserefpolicy/policy/modules/services/amavis.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/amavis.fc 2008-08-05 12:15:11.000000000 -0400 @@ -3,6 +3,7 @@ /etc/amavisd(/.*)? -- gen_context(system_u:object_r:amavis_etc_t,s0) 
@@ -9863,9 +9522,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav /var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0) + +/etc/rc.d/init.d/amavis -- gen_context(system_u:object_r:amavis_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.5.1/policy/modules/services/amavis.if ---- nsaserefpolicy/policy/modules/services/amavis.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/amavis.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.5.2/policy/modules/services/amavis.if +--- nsaserefpolicy/policy/modules/services/amavis.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/amavis.if 2008-08-05 12:15:11.000000000 -0400 @@ -189,6 +189,25 @@ ######################################## @@ -9884,7 +9543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav + type amavis_script_exec_t; + ') + -+ init_script_domtrans_spec($1,amavis_script_exec_t) ++ init_script_domtrans_spec($1, amavis_script_exec_t) +') + +######################################## 
@@ -9935,9 +9594,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav - manage_files_pattern($1, amavis_var_run_t, amavis_var_run_t) + manage_all_pattern($1, amavis_var_run_t, amavis_var_run_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.5.1/policy/modules/services/amavis.te ---- nsaserefpolicy/policy/modules/services/amavis.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/amavis.te 2008-07-29 11:14:53.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.5.2/policy/modules/services/amavis.te +--- nsaserefpolicy/policy/modules/services/amavis.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/amavis.te 2008-08-05 12:15:11.000000000 -0400 @@ -13,7 +13,7 @@ # configuration files @@ -9965,10 +9624,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav + # configuration files allow amavis_t amavis_etc_t:dir list_dir_perms; - read_files_pattern(amavis_t,amavis_etc_t,amavis_etc_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.5.1/policy/modules/services/apache.fc ---- nsaserefpolicy/policy/modules/services/apache.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/apache.fc 2008-07-25 12:35:13.000000000 -0400 + read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.5.2/policy/modules/services/apache.fc +--- nsaserefpolicy/policy/modules/services/apache.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/apache.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -1,10 +1,10 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -10006,7 +9665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -48,11 +49,14 @@ +@@ -48,6 +49,7 @@ /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) @@ -10014,6 +9673,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) +@@ -51,8 +53,10 @@ + /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) + /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) 
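Review bot: The two apache.fc hunks now recorded in this patch, `+@@ -48,6 +49,7 @@` and `+@@ -51,8 +53,10 @@`, cover overlapping ranges of the original file (old lines 48–53 and 51–58, with `/var/lib/htdig`, `/var/lib/httpd` and `/var/lib/php/session` carried as context in both), whereas the single hunk they replace, `-@@ -48,11 +49,14 @@`, covered that span once. A plain `diff -u` run does not emit overlapping hunks; this looks like a side effect of the `-b -B --ignore-all-space` options that every file header in this commit now records (first visible in the selinux.if header at the top of this page), since with those options diff drops whitespace-only and blank-line-only changes from the output and its hunk line counts can stop matching the real file. `patch` will probably still place the second hunk by offset, but any whitespace-only or blank-line edits present in the serefpolicy-3.5.2 tree are silently absent from this patch, so the tree it reconstructs is not the one it was generated from. Regenerating the patch without `-b -B --ignore-all-space` would fold this back into one hunk and is the safer fix; if the options are kept deliberately, the reason should be stated in the commit description.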
@@ -10040,13 +9703,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) +/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0) +#viewvc file context -+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t, s0) ++/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) +/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.5.1/policy/modules/services/apache.if ---- nsaserefpolicy/policy/modules/services/apache.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/apache.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.5.2/policy/modules/services/apache.if +--- nsaserefpolicy/policy/modules/services/apache.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/apache.if 2008-08-05 12:15:11.000000000 -0400 @@ -13,21 +13,16 @@ # template(`apache_content_template',` @@ -10058,7 +9721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') - # allow write access to public file transfer - # services files. -- gen_tunable(allow_httpd_$1_script_anon_write,false) +- gen_tunable(allow_httpd_$1_script_anon_write, false) - #This type is for webpages - type httpd_$1_content_t, httpdcontent; # customizable 
@@ -10108,10 +9771,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # Allow the script process to search the cgi directory, and users directory - allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; + allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms; -+ read_files_pattern(httpd_$1_script_t,httpd_$1_content_t,httpd_$1_content_t) -+ read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_content_t,httpd_$1_content_t) ++ read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) ++ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) - append_files_pattern(httpd_$1_script_t,httpd_log_t,httpd_log_t) + append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t) logging_search_logs(httpd_$1_script_t) can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) 
@@ -10119,30 +9782,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; - allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; -- read_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) -- append_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) -- read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) +- read_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- append_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) - - allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms; - read_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) - read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) - -- manage_dirs_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) -- manage_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) -- manage_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) -- manage_fifo_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) -- manage_sock_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) -- files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file }) +- manage_dirs_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- manage_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, 
httpd_$1_script_rw_t) +- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_script_rw_t, { dir file lnk_file sock_file fifo_file }) + allow httpd_$1_script_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms }; -+ read_files_pattern(httpd_$1_script_t,httpd_$1_content_ra_t,httpd_$1_content_ra_t) -+ append_files_pattern(httpd_$1_script_t,httpd_$1_content_ra_t,httpd_$1_content_ra_t) -+ read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_content_ra_t,httpd_$1_content_ra_t) ++ read_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) ++ append_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) ++ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) + -+ manage_dirs_pattern(httpd_$1_script_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t) -+ manage_files_pattern(httpd_$1_script_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t) -+ manage_lnk_files_pattern(httpd_$1_script_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t) -+ manage_fifo_files_pattern(httpd_$1_script_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t) -+ manage_sock_files_pattern(httpd_$1_script_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t) ++ manage_dirs_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ manage_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) kernel_dontaudit_search_sysctl(httpd_$1_script_t) kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) 
@@ -10161,9 +9824,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac - tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_$1_script_t httpdcontent:file entrypoint; - -- manage_dirs_pattern(httpd_$1_script_t,httpdcontent,httpdcontent) -- manage_files_pattern(httpd_$1_script_t,httpdcontent,httpdcontent) -- manage_lnk_files_pattern(httpd_$1_script_t,httpdcontent,httpdcontent) +- manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) +- manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) +- manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) - can_exec(httpd_$1_script_t, httpdcontent) - ') - 
@@ -10173,35 +9836,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac - # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` -- manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) -- manage_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) -- manage_lnk_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) -- rw_sock_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) +- manage_dirs_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- manage_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- manage_lnk_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- rw_sock_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) - - allow httpd_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; -- read_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) -- append_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) -- read_lnk_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) +- read_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- append_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- read_lnk_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) - - allow httpd_t httpd_$1_script_ro_t:dir list_dir_perms; -- read_files_pattern(httpd_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) -- read_lnk_files_pattern(httpd_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) -+ manage_dirs_pattern(httpd_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t) -+ manage_files_pattern(httpd_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t) -+ manage_lnk_files_pattern(httpd_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t) -+ rw_sock_files_pattern(httpd_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t) +- read_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t) +- read_lnk_files_pattern(httpd_t, 
httpd_$1_script_ro_t, httpd_$1_script_ro_t) ++ manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ manage_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) + + allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms }; -+ read_files_pattern(httpd_t,httpd_$1_content_ra_t,httpd_$1_content_ra_t) -+ append_files_pattern(httpd_t,httpd_$1_content_ra_t,httpd_$1_content_ra_t) -+ read_lnk_files_pattern(httpd_t,httpd_$1_content_ra_t,httpd_$1_content_ra_t) ++ read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) ++ append_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) ++ read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) + + allow httpd_t httpd_$1_content_t:dir list_dir_perms; -+ read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t) -+ read_lnk_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t) ++ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) ++ read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) allow httpd_t httpd_$1_content_t:dir list_dir_perms; - read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t) + read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) @@ -151,9 +133,13 @@ # privileged users run the script: domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) @@ -10216,7 +9879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; -@@ -177,48 +163,6 @@ +@@ -177,50 +163,6 @@ miscfiles_read_localization(httpd_$1_script_t) ') 
@@ -10232,10 +9895,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac - corenet_udp_sendrecv_all_nodes(httpd_$1_script_t) - corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) - corenet_udp_sendrecv_all_ports(httpd_$1_script_t) -- corenet_tcp_connect_postgresql_port(httpd_$1_script_t) -- corenet_tcp_connect_mysqld_port(httpd_$1_script_t) -- corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t) -- corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t) - - sysnet_read_config(httpd_$1_script_t) - ') @@ -10262,10 +9921,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac - mta_send_mail(httpd_$1_script_t) - ') - +- optional_policy(` +- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` +- mysql_tcp_connect(httpd_$1_script_t) +- ') +- ') +- optional_policy(` tunable_policy(`httpd_enable_cgi && allow_ypbind',` nis_use_ypbind_uncond(httpd_$1_script_t) -@@ -269,72 +213,77 @@ +@@ -229,10 +171,6 @@ + + optional_policy(` + postgresql_unpriv_client(httpd_$1_script_t) +- +- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` +- postgresql_tcp_connect(httpd_$1_script_t) +- ') + ') + + optional_policy(` +@@ -275,72 +213,77 @@ template(`apache_per_role_template', ` gen_require(` attribute httpdcontent, httpd_script_domains; @@ -10281,6 +9957,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + type httpd_user_content_t; + type httpd_user_script_exec_t; + type httpd_user_htaccess_t; ++ ') ++ ++ ++ ifelse(`$1',`user',`',` ++ typealias httpd_user_content_t alias httpd_$1_script_t; ++ typealias httpd_user_content_ra_t alias httpd_$1_script_ra_t; ++ typealias httpd_user_content_rw_t alias httpd_$1_script_rw_t; ++ typealias httpd_user_content_t alias httpd_$1_script_ro_t; ++ typealias httpd_user_script_exec_t alias httpd_$1_script_exec_t; ++ typealias httpd_user_htaccess_t alias httpd_$1_htaccess_t; ') - apache_content_template($1) 
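Review bot: The `+- optional_policy(` block and the `+@@ -229,10 +171,6 @@` inner hunk strip the only `httpd_can_network_connect_db`-gated grants for `httpd_$1_script_t` (`mysql_tcp_connect` and `postgresql_tcp_connect`) and add no replacement in this hunk. If that boolean stays declared in apache.te and nothing else references it, toggling it becomes a silent no-op, and per-role scripts that reached the database ports through it lose that path; presumably the intent is to gate this elsewhere, but that is not visible here. Either re-add the grants behind the tunable in whatever block replaces these, or drop the tunable declaration so the policy does not advertise a switch that does nothing. The enclosing `apache_content_template` body starts and ends outside the hunk.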
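Review bot: The added `+	')` after `type httpd_user_htaccess_t;` closes the `gen_require` block, yet the pre-existing context line `')` that follows the moved `ifelse(`$1',`user',`',` … `')` block is still present on the new side, so as far as this hunk shows the template now has one more `')` than it opens. If that context `')` really is the old closer of `gen_require`, m4 will pass the stray `')` through into the expanded module and the build will fail on it; confirm against the patched apache.if and drop one of the two. The `apache_per_role_template` body continues past the end of the hunk.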
@@ -10300,76 +9986,66 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac - - allow $2 httpd_$1_htaccess_t:file { manage_file_perms relabelto relabelfrom }; - -- manage_dirs_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) -- manage_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) -- manage_lnk_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) -- relabel_dirs_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) -- relabel_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) -- relabel_lnk_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) -- -- manage_dirs_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) -- manage_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) -- manage_lnk_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) -- relabel_dirs_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) -- relabel_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) -- relabel_lnk_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) -- -- manage_dirs_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) -- manage_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) -- manage_lnk_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) -- relabel_dirs_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) -- relabel_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) -- relabel_lnk_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) -- -- manage_dirs_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) -- manage_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) -- manage_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) -- relabel_dirs_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) -- relabel_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) -- relabel_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) -+ ifelse(`$1',`user',`',` -+ typealias 
httpd_user_content_t alias httpd_$1_script_t; -+ typealias httpd_user_content_ra_t alias httpd_$1_script_ra_t; -+ typealias httpd_user_content_rw_t alias httpd_$1_script_rw_t; -+ typealias httpd_user_content_t alias httpd_$1_script_ro_t; -+ typealias httpd_user_script_exec_t alias httpd_$1_script_exec_t; -+ typealias httpd_user_htaccess_t alias httpd_$1_htaccess_t; -+ ') -+ -+ +- manage_dirs_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- manage_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- manage_lnk_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- relabel_dirs_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- relabel_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- relabel_lnk_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- +- manage_dirs_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t) +- manage_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t) +- manage_lnk_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t) +- relabel_dirs_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t) +- relabel_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t) +- relabel_lnk_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t) +- +- manage_dirs_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- manage_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- manage_lnk_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- relabel_dirs_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- relabel_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- relabel_lnk_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- +- manage_dirs_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) +- manage_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) +- manage_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) +- relabel_dirs_pattern($2, httpd_$1_script_exec_t, 
httpd_$1_script_exec_t) +- relabel_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) +- relabel_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) + role $3 types httpd_user_script_t; + + allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom }; + + allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom }; + -+ manage_dirs_pattern($2,httpd_user_content_ra_t,httpd_user_content_ra_t) -+ manage_files_pattern($2,httpd_user_content_ra_t,httpd_user_content_ra_t) -+ manage_lnk_files_pattern($2,httpd_user_content_ra_t,httpd_user_content_ra_t) -+ relabel_dirs_pattern($2,httpd_user_content_ra_t,httpd_user_content_ra_t) -+ relabel_files_pattern($2,httpd_user_content_ra_t,httpd_user_content_ra_t) -+ relabel_lnk_files_pattern($2,httpd_user_content_ra_t,httpd_user_content_ra_t) -+ -+ manage_dirs_pattern($2,httpd_user_content_t,httpd_user_content_t) -+ manage_files_pattern($2,httpd_user_content_t,httpd_user_content_t) -+ manage_lnk_files_pattern($2,httpd_user_content_t,httpd_user_content_t) -+ relabel_dirs_pattern($2,httpd_user_content_t,httpd_user_content_t) -+ relabel_files_pattern($2,httpd_user_content_t,httpd_user_content_t) -+ relabel_lnk_files_pattern($2,httpd_user_content_t,httpd_user_content_t) -+ -+ manage_dirs_pattern($2,httpd_user_content_rw_t,httpd_user_content_rw_t) -+ manage_files_pattern($2,httpd_user_content_rw_t,httpd_user_content_rw_t) -+ manage_lnk_files_pattern($2,httpd_user_content_rw_t,httpd_user_content_rw_t) -+ relabel_dirs_pattern($2,httpd_user_content_rw_t,httpd_user_content_rw_t) -+ relabel_files_pattern($2,httpd_user_content_rw_t,httpd_user_content_rw_t) -+ relabel_lnk_files_pattern($2,httpd_user_content_rw_t,httpd_user_content_rw_t) -+ -+ manage_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) -+ manage_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) -+ manage_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) -+ 
relabel_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) -+ relabel_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) -+ relabel_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) ++ manage_dirs_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t) ++ manage_files_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t) ++ manage_lnk_files_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t) ++ relabel_dirs_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t) ++ relabel_files_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t) ++ relabel_lnk_files_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t) ++ ++ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ ++ manage_dirs_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t) ++ manage_files_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t) ++ manage_lnk_files_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t) ++ relabel_dirs_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t) ++ relabel_files_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t) ++ relabel_lnk_files_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t) ++ ++ manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) ++ manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) ++ manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) ++ relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) ++ relabel_files_pattern($2, 
httpd_user_script_exec_t, httpd_user_script_exec_t) ++ relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) tunable_policy(`httpd_enable_cgi',` # If a user starts a script by hand it gets the proper context @@ -10389,14 +10065,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac - userdom_search_user_home_dirs($1,httpd_t) - userdom_search_user_home_dirs($1,httpd_suexec_t) - userdom_search_user_home_dirs($1,httpd_$1_script_t) -+ userdom_search_user_home_dirs(user,httpd_t) -+ userdom_search_user_home_dirs(user,httpd_suexec_t) -+ userdom_search_user_home_dirs(user,httpd_user_script_t) -+ userdom_search_user_home_dirs(user,httpd_sys_script_t) ++ userdom_search_user_home_dirs(user, httpd_t) ++ userdom_search_user_home_dirs(user, httpd_suexec_t) ++ userdom_search_user_home_dirs(user, httpd_user_script_t) ++ userdom_search_user_home_dirs(user, httpd_sys_script_t) ') ') -@@ -356,12 +305,11 @@ +@@ -362,12 +305,11 @@ # template(`apache_read_user_scripts',` gen_require(` 
@@ -10405,15 +10081,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') - - allow $2 httpd_$1_script_exec_t:dir list_dir_perms; -- read_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) -- read_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) +- read_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) +- read_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t) + allow $2 httpd_user_script_exec_t:dir list_dir_perms; -+ read_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) -+ read_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) ++ read_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) ++ read_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) ') ######################################## -@@ -382,12 +330,12 @@ +@@ -388,12 +330,12 @@ # template(`apache_read_user_content',` gen_require(` 
@@ -10422,23 +10098,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') - allow $2 httpd_$1_content_t:dir list_dir_perms; -- read_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t) -- read_lnk_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t) +- read_files_pattern($2, httpd_$1_content_t, httpd_$1_content_t) +- read_lnk_files_pattern($2, httpd_$1_content_t, httpd_$1_content_t) + allow $2 httpd_user_content_t:dir list_dir_perms; -+ read_files_pattern($2,httpd_user_content_t,httpd_user_content_t) -+ read_lnk_files_pattern($2,httpd_user_content_t,httpd_user_content_t) ++ read_files_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ read_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) ') ######################################## -@@ -765,6 +713,7 @@ +@@ -771,6 +713,7 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; -+ read_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t) ++ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t) ') ######################################## -@@ -832,6 +781,32 @@ +@@ -838,6 +781,32 @@ ######################################## ## 
@@ -10459,11 +10135,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + ') + + files_search_tmp($1) -+ delete_dirs_pattern($1,httpd_sys_content_rw_t,httpd_sys_content_rw_t) -+ delete_files_pattern($1,httpd_sys_content_rw_t,httpd_sys_content_rw_t) -+ delete_lnk_files_pattern($1,httpd_sys_content_rw_t,httpd_sys_content_rw_t) -+ delete_fifo_files_pattern($1,httpd_sys_content_rw_t,httpd_sys_content_rw_t) -+ delete_sock_files_pattern($1,httpd_sys_content_rw_t,httpd_sys_content_rw_t) ++ delete_dirs_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) ++ delete_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) ++ delete_lnk_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) ++ delete_fifo_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) ++ delete_sock_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) +') + +######################################## @@ -10471,7 +10147,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Execute all web scripts in the system ## script domain. ## -@@ -845,12 +820,16 @@ +@@ -851,12 +820,16 @@ # sysadm_t to run scripts interface(`apache_domtrans_sys_script',` gen_require(` @@ -10490,16 +10166,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -936,7 +915,7 @@ +@@ -942,7 +915,7 @@ type httpd_squirrelmail_t; ') - allow $1 httpd_squirrelmail_t:file { getattr read }; -+ read_files_pattern($1,httpd_squirrelmail_t,httpd_squirrelmail_t) ++ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t) ') ######################################## -@@ -1027,16 +1006,16 @@ +@@ -1033,16 +1006,16 @@ # interface(`apache_manage_all_user_content',` gen_require(` 
@@ -10507,23 +10183,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + type httpd_user_content_t, httpd_user_script_exec_t; ') -- manage_dirs_pattern($1,httpd_user_content_type,httpd_user_content_type) -- manage_files_pattern($1,httpd_user_content_type,httpd_user_content_type) -- manage_lnk_files_pattern($1,httpd_user_content_type,httpd_user_content_type) -+ manage_dirs_pattern($1,httpd_user_content_t,httpd_user_content_t) -+ manage_files_pattern($1,httpd_user_content_t,httpd_user_content_t) -+ manage_lnk_files_pattern($1,httpd_user_content_t,httpd_user_content_t) +- manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type) +- manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type) +- manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type) ++ manage_dirs_pattern($1, httpd_user_content_t, httpd_user_content_t) ++ manage_files_pattern($1, httpd_user_content_t, httpd_user_content_t) ++ manage_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t) -- manage_dirs_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type) -- manage_files_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type) -- manage_lnk_files_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type) -+ manage_dirs_pattern($1,httpd_user_script_exec_t,httpd_user_script_exec_t) -+ manage_files_pattern($1,httpd_user_script_exec_t,httpd_user_script_exec_t) -+ manage_lnk_files_pattern($1,httpd_user_script_exec_t,httpd_user_script_exec_t) +- manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) +- manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) +- manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) ++ manage_dirs_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) ++ manage_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) ++ 
manage_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) ') ######################################## -@@ -1092,3 +1071,144 @@ +@@ -1098,3 +1071,144 @@ allow httpd_t $1:process signal; ') @@ -10581,7 +10257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + type httpd_script_exec_t; + ') + -+ init_script_domtrans_spec($1,httpd_script_exec_t) ++ init_script_domtrans_spec($1, httpd_script_exec_t) +') + +######################################## @@ -10633,23 +10309,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + miscfiles_manage_public_files($1) + + files_search_etc($1) -+ manage_all_pattern($1,httpd_config_t) ++ manage_all_pattern($1, httpd_config_t) + + logging_search_logs($1) -+ manage_all_pattern($1,httpd_log_t) ++ manage_all_pattern($1, httpd_log_t) + -+ manage_all_pattern($1,httpd_modules_t) ++ manage_all_pattern($1, httpd_modules_t) + -+ manage_all_pattern($1,httpd_lock_t) ++ manage_all_pattern($1, httpd_lock_t) + files_lock_filetrans($1, httpd_lock_t, file) + -+ manage_all_pattern($1,httpd_var_run_t) -+ files_pid_filetrans($1,httpd_var_run_t, file) ++ manage_all_pattern($1, httpd_var_run_t) ++ files_pid_filetrans($1, httpd_var_run_t, file) + + kernel_search_proc($1) + allow $1 httpd_t:dir list_dir_perms; + ps_process_pattern($1, httpd_t) -+ read_lnk_files_pattern($1,httpd_t,httpd_t) ++ read_lnk_files_pattern($1, httpd_t, httpd_t) + + manage_all_pattern($1, httpdcontent) + manage_all_pattern($1, httpd_script_exec_type) 
@@ -10661,16 +10337,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + manage_all_pattern($1, httpd_suexec_tmp_t) + files_tmp_filetrans($1, httpd_tmp_t, { file dir }) + -+ifdef(`TODO', ` ++ifdef(`TODO',` + apache_set_booleans($1, $2, $3, httpd_bool_t ) + seutil_setsebool_per_role_template($1, httpd, $3) + allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms; + allow httpd_setsebool_t httpd_bool_t:file rw_file_perms; +') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.1/policy/modules/services/apache.te ---- nsaserefpolicy/policy/modules/services/apache.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/apache.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.2/policy/modules/services/apache.te +--- nsaserefpolicy/policy/modules/services/apache.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/apache.te 2008-08-05 12:15:11.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -10688,15 +10364,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +## Allow httpd scripts and modules execmem/execstack ##

## --gen_tunable(allow_httpd_mod_auth_pam,false) -+gen_tunable(httpd_execmem,false) +-gen_tunable(allow_httpd_mod_auth_pam, false) ++gen_tunable(httpd_execmem, false) + +## +##

+## Allow Apache to communicate with avahi service via dbus +##

+##
-+gen_tunable(allow_httpd_dbus_avahi,false) ++gen_tunable(allow_httpd_dbus_avahi, false) ## ##

@@ -10708,38 +10384,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +## Allow http daemon to send mail +##

+##
-+gen_tunable(httpd_can_sendmail,false) ++gen_tunable(httpd_can_sendmail, false) + +## +##

+## Allow HTTPD scripts and modules to connect to the network ##

##
- gen_tunable(httpd_can_network_connect,false) + gen_tunable(httpd_can_network_connect, false) @@ -109,14 +125,33 @@ ## - gen_tunable(httpd_unified,false) + gen_tunable(httpd_unified, false) +## +##

+## Allow httpd to access nfs file systems +##

+##
-+gen_tunable(httpd_use_nfs,false) ++gen_tunable(httpd_use_nfs, false) + +## +##

+## Allow httpd to access cifs file systems +##

+##
-+gen_tunable(httpd_use_cifs,false) ++gen_tunable(httpd_use_cifs, false) + +## +##

+## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t. +##

+##
-+gen_tunable(allow_httpd_sys_script_anon_write,false) ++gen_tunable(allow_httpd_sys_script_anon_write, false) + attribute httpdcontent; -attribute httpd_user_content_type; @@ -10777,7 +10453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') +apache_content_template(user) -+userdom_user_home_content(user,httpd_user_content_t) ++userdom_user_home_content(user, httpd_user_content_t) +typealias httpd_user_content_t alias httpd_unconfined_content_t; + ######################################## @@ -10792,9 +10468,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_t self:fd use; @@ -249,6 +294,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; - mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) - read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) -+read_lnk_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) + mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) + read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) ++read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. 
@@ -10826,13 +10502,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac fs_search_auto_mountpoints(httpd_sys_script_t) +# php uploads a file to /tmp and then execs programs to acton them -+manage_dirs_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t) -+manage_files_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t) -+files_tmp_filetrans(httpd_sys_script_t,httpd_sys_content_rw_t,{ dir file lnk_file sock_file fifo_file }) ++manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) ++manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) ++files_tmp_filetrans(httpd_sys_script_t, httpd_sys_content_rw_t, { dir file lnk_file sock_file fifo_file }) libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -351,25 +401,50 @@ +@@ -351,18 +401,33 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -10851,26 +10527,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +## Allow Apache to use mod_auth_pam +##

+## -+gen_tunable(allow_httpd_mod_auth_pam,false) ++gen_tunable(allow_httpd_mod_auth_pam, false) + - tunable_policy(`allow_httpd_mod_auth_pam',` -- auth_domtrans_chk_passwd(httpd_t) ++tunable_policy(`allow_httpd_mod_auth_pam',` + auth_domtrans_chkpwd(httpd_t) - ') ++') + +## +##

+## Allow Apache to use mod_auth_pam +##

+##
-+gen_tunable(allow_httpd_mod_auth_ntlm_winbind,false) ++gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) +optional_policy(` -+ tunable_policy(`allow_httpd_mod_auth_pam',` + tunable_policy(`allow_httpd_mod_auth_pam',` +- auth_domtrans_chk_passwd(httpd_t) + samba_domtrans_winbind_helper(httpd_t) -+ ') + ') ') - tunable_policy(`httpd_can_network_connect',` +@@ -370,6 +435,16 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -10895,7 +10571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac - domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) +tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_sys_script_t httpd_sys_content_t:file entrypoint; -+ filetrans_pattern(httpd_sys_script_t,httpd_sys_content_t,httpd_sys_content_rw_t, { file dir lnk_file }) ++ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file }) + can_exec(httpd_sys_script_t, httpd_sys_content_t) +') + @@ -10903,9 +10579,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + miscfiles_manage_public_files(httpd_sys_script_t) +') -- manage_dirs_pattern(httpd_t,httpdcontent,httpdcontent) -- manage_files_pattern(httpd_t,httpdcontent,httpdcontent) -- manage_lnk_files_pattern(httpd_t,httpdcontent,httpdcontent) +- manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) +- manage_files_pattern(httpd_t, httpdcontent, httpdcontent) +- manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent) +tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` + domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t) + filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file }) 
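Review bot: The `allow_httpd_mod_auth_ntlm_winbind` tunable declared in this hunk is never referenced on the new side: the `samba_domtrans_winbind_helper(httpd_t)` transition that follows it sits inside `tunable_policy(`allow_httpd_mod_auth_pam',`, so turning on PAM authentication for Apache also grants the winbind-helper domain transition, while the winbind boolean itself has no effect. The inner conditional should name the boolean that documents it, `tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`, so each transition stays gated by its own switch. The `##` description line above `gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)` also repeats "Allow Apache to use mod_auth_pam" and should describe mod_auth_ntlm_winbind instead. It appears the commit only re-spaces these lines and re-orders the pam block, so the mis-gating predates it, but it is still visible on the new side.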
@@ -10948,7 +10624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac optional_policy(` - kerberos_use(httpd_t) - kerberos_read_kdc_config(httpd_t) -+ dbus_system_bus_client_template(httpd,httpd_t) ++ dbus_system_bus_client_template(httpd, httpd_t) + tunable_policy(`allow_httpd_dbus_avahi',` + avahi_dbus_chat(httpd_t) + ') @@ -10958,7 +10634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -454,19 +550,13 @@ +@@ -454,18 +550,13 @@ ') optional_policy(` @@ -10967,8 +10643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac mysql_rw_db_sockets(httpd_t) - - tunable_policy(`httpd_can_network_connect_db',` -- corenet_tcp_connect_mysqld_port(httpd_t) -- corenet_sendrecv_mysqld_client_packets(httpd_t) +- mysql_tcp_connect(httpd_t) - ') + mysql_read_config(httpd_t) ') @@ -10979,7 +10654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -476,6 +566,12 @@ +@@ -475,6 +566,12 @@ openca_kill(httpd_t) ') @@ -10992,7 +10667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) -@@ -483,6 +579,7 @@ +@@ -482,6 +579,7 @@ tunable_policy(`httpd_can_network_connect_db',` postgresql_tcp_connect(httpd_t) @@ -11000,7 +10675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -491,6 +588,7 @@ +@@ -490,6 +588,7 @@ ') optional_policy(` @@ -11008,7 +10683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -520,9 +618,28 @@ +@@ -519,9 +618,28 @@ logging_send_syslog_msg(httpd_helper_t) tunable_policy(`httpd_tty_comm',` 
@@ -11022,7 +10697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + type httpd_unconfined_script_t; + type httpd_unconfined_script_exec_t; + domain_type(httpd_unconfined_script_t) -+ domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t) ++ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t) + domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) + unconfined_domain(httpd_unconfined_script_t) + @@ -11037,7 +10712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -552,22 +669,27 @@ +@@ -551,22 +669,27 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -11071,8 +10746,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -591,6 +713,8 @@ - manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) +@@ -590,6 +713,8 @@ + manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) +can_exec(httpd_suexec_t, httpd_sys_script_exec_t) @@ -11080,7 +10755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -599,9 +723,7 @@ +@@ -598,9 +723,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) @@ -11091,7 +10766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -634,12 +756,21 @@ +@@ -633,12 +756,21 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') 
@@ -11100,7 +10775,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +read_files_pattern(httpd_suexec_t, httpd_user_script_ro_t, httpd_user_script_ro_t) +read_files_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_ra_t) + -+domain_entry_file(httpd_sys_script_t,httpd_sys_content_t) ++domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) + domtrans_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_script_t) @@ -11116,7 +10791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -648,6 +779,12 @@ +@@ -647,6 +779,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -11129,7 +10804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -665,10 +802,6 @@ +@@ -664,10 +802,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -11140,7 +10815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -678,7 +811,8 @@ +@@ -677,7 +811,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -11149,8 +10824,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +apache_append_squirrelmail_data(httpd_sys_script_t) allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; - read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -692,19 +826,44 @@ + read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -691,12 +826,15 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) 
@@ -11162,14 +10837,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac -tunable_policy(`httpd_enable_homedirs',` - userdom_read_unpriv_users_home_content_files(httpd_sys_script_t) -+tunable_policy(`httpd_use_nfs', ` ++tunable_policy(`httpd_use_nfs',` + fs_read_nfs_files(httpd_sys_script_t) + fs_read_nfs_symlinks(httpd_sys_script_t) ') --tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` - fs_read_nfs_files(httpd_sys_script_t) + tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -704,6 +842,28 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -11190,7 +10864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') + + -+tunable_policy(`httpd_use_cifs', ` ++tunable_policy(`httpd_use_cifs',` + fs_read_cifs_files(httpd_sys_script_t) + fs_read_cifs_symlinks(httpd_sys_script_t) +') @@ -11198,7 +10872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -717,10 +876,10 @@ +@@ -716,10 +876,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -11213,16 +10887,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -728,6 +887,8 @@ +@@ -727,6 +887,8 @@ # httpd_rotatelogs local policy # +allow httpd_rotatelogs_t self:capability dac_override; + - manage_files_pattern(httpd_rotatelogs_t,httpd_log_t,httpd_log_t) + manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -742,3 +903,48 @@ +@@ -741,3 +903,48 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) 
@@ -11252,9 +10926,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t) +corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t) + -+manage_dirs_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugzilla_tmp_t) -+manage_files_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugzilla_tmp_t) -+files_tmp_filetrans(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,{ file dir }) ++manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) ++manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) ++files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir }) + +files_search_var_lib(httpd_bugzilla_script_t) + @@ -11271,18 +10945,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +optional_policy(` + postgresql_stream_connect(httpd_bugzilla_script_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.5.1/policy/modules/services/apcupsd.fc ---- nsaserefpolicy/policy/modules/services/apcupsd.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/apcupsd.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.5.2/policy/modules/services/apcupsd.fc +--- nsaserefpolicy/policy/modules/services/apcupsd.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/apcupsd.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -13,3 +13,5 @@ /var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) /var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) /var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) + +/etc/rc.d/init.d/apcupsd -- gen_context(system_u:object_r:apcupsd_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.5.1/policy/modules/services/apcupsd.if ---- nsaserefpolicy/policy/modules/services/apcupsd.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/apcupsd.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.5.2/policy/modules/services/apcupsd.if +--- nsaserefpolicy/policy/modules/services/apcupsd.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/apcupsd.if 2008-08-05 12:15:11.000000000 -0400 @@ -90,10 +90,102 @@ ##
## @@ -11293,7 +10967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t; ') - domtrans_pattern($1,httpd_apcupsd_cgi_script_exec_t,httpd_apcupsd_cgi_script_t) + domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t) ') + +######################################## @@ -11331,7 +11005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu + type apcupsd_script_exec_t; + ') + -+ init_script_domtrans_spec($1,apcupsd_script_exec_t) ++ init_script_domtrans_spec($1, apcupsd_script_exec_t) +') + +######################################## @@ -11376,20 +11050,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu + allow $2 system_r; + + files_list_tmp($1) -+ manage_all_pattern($1,apcupsd_tmp_t) ++ manage_all_pattern($1, apcupsd_tmp_t) + + logging_list_logs($1) -+ manage_all_pattern($1,apcupsd_log_t) ++ manage_all_pattern($1, apcupsd_log_t) + + files_list_var($1) -+ manage_all_pattern($1,apcupsd_lock_t) ++ manage_all_pattern($1, apcupsd_lock_t) + + files_list_pids($1) -+ manage_all_pattern($1,apcupsd_var_run_t) ++ manage_all_pattern($1, apcupsd_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.5.1/policy/modules/services/apcupsd.te ---- nsaserefpolicy/policy/modules/services/apcupsd.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/apcupsd.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.5.2/policy/modules/services/apcupsd.te +--- nsaserefpolicy/policy/modules/services/apcupsd.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/apcupsd.te 2008-08-05 12:15:11.000000000 -0400 
@@ -22,6 +22,9 @@ type apcupsd_var_run_t; files_pid_file(apcupsd_var_run_t) @@ -11412,32 +11086,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu optional_policy(` hostname_exec(apcupsd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.5.1/policy/modules/services/apm.te ---- nsaserefpolicy/policy/modules/services/apm.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/apm.te 2008-07-25 12:35:13.000000000 -0400 -@@ -191,6 +191,10 @@ - dbus_stub(apmd_t) - - optional_policy(` -+ consolekit_dbus_chat(apmd_t) -+ ') -+ -+ optional_policy(` - networkmanager_dbus_chat(apmd_t) - ') - ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.fc serefpolicy-3.5.1/policy/modules/services/arpwatch.fc ---- nsaserefpolicy/policy/modules/services/arpwatch.fc 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/arpwatch.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.fc serefpolicy-3.5.2/policy/modules/services/arpwatch.fc +--- nsaserefpolicy/policy/modules/services/arpwatch.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/arpwatch.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -9,3 +9,5 @@ # /var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) /var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) + +/etc/rc.d/init.d/arpwatch -- gen_context(system_u:object_r:arpwatch_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.if serefpolicy-3.5.1/policy/modules/services/arpwatch.if ---- nsaserefpolicy/policy/modules/services/arpwatch.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/arpwatch.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.if serefpolicy-3.5.2/policy/modules/services/arpwatch.if +--- nsaserefpolicy/policy/modules/services/arpwatch.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/arpwatch.if 2008-08-05 12:15:11.000000000 -0400 @@ -90,3 +90,73 @@ dontaudit $1 arpwatch_t:packet_socket { read write }; @@ -11459,7 +11119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw + type arpwatch_script_exec_t; + ') + -+ init_script_domtrans_spec($1,arpwatch_script_exec_t) ++ init_script_domtrans_spec($1, arpwatch_script_exec_t) +') + +######################################## 
@@ -11503,18 +11163,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw + allow $2 system_r; + + files_list_tmp($1) -+ manage_all_pattern($1,arpwatch_tmp_t) ++ manage_all_pattern($1, arpwatch_tmp_t) + + files_list_var($1) -+ manage_all_pattern($1,arpwatch_data_t) ++ manage_all_pattern($1, arpwatch_data_t) + + files_list_pids($1) -+ manage_all_pattern($1,arpwatch_var_run_t) ++ manage_all_pattern($1, arpwatch_var_run_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.5.1/policy/modules/services/arpwatch.te ---- nsaserefpolicy/policy/modules/services/arpwatch.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/arpwatch.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.5.2/policy/modules/services/arpwatch.te +--- nsaserefpolicy/policy/modules/services/arpwatch.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/arpwatch.te 2008-08-05 12:15:11.000000000 -0400 @@ -19,6 +19,9 @@ type arpwatch_var_run_t; files_pid_file(arpwatch_var_run_t) 
@@ -11525,17 +11185,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw ######################################## # # Local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.fc serefpolicy-3.5.1/policy/modules/services/asterisk.fc ---- nsaserefpolicy/policy/modules/services/asterisk.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/asterisk.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.fc serefpolicy-3.5.2/policy/modules/services/asterisk.fc +--- nsaserefpolicy/policy/modules/services/asterisk.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/asterisk.fc 2008-08-05 12:15:11.000000000 -0400 @@ -6,3 +6,4 @@ /var/log/asterisk(/.*)? gen_context(system_u:object_r:asterisk_log_t,s0) /var/run/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_run_t,s0) /var/spool/asterisk(/.*)? gen_context(system_u:object_r:asterisk_spool_t,s0) +/etc/rc.d/init.d/asterisk -- gen_context(system_u:object_r:asterisk_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.5.1/policy/modules/services/asterisk.if ---- nsaserefpolicy/policy/modules/services/asterisk.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/asterisk.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.5.2/policy/modules/services/asterisk.if +--- nsaserefpolicy/policy/modules/services/asterisk.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/asterisk.if 2008-08-05 12:15:11.000000000 -0400 @@ -1 +1,83 @@ ## Asterisk IP telephony server + 
@@ -11555,7 +11215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste + type asterisk_script_exec_t; + ') + -+ init_script_domtrans_spec($1,asterisk_script_exec_t) ++ init_script_domtrans_spec($1, asterisk_script_exec_t) +') + +######################################## @@ -11602,27 +11262,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste + allow $2 system_r; + + files_list_tmp($1) -+ manage_all_pattern($1,asterisk_tmp_t) ++ manage_all_pattern($1, asterisk_tmp_t) + + files_list_etc($1) -+ manage_all_pattern($1,asterisk_etc_t) ++ manage_all_pattern($1, asterisk_etc_t) + + logging_list_logs($1) -+ manage_all_pattern($1,asterisk_log_t) ++ manage_all_pattern($1, asterisk_log_t) + + files_list_spool($1) -+ manage_all_pattern($1,asterisk_spool_t) ++ manage_all_pattern($1, asterisk_spool_t) + + files_list_var_lib($1) -+ manage_all_pattern($1,asterisk_var_lib_t) ++ manage_all_pattern($1, asterisk_var_lib_t) + + files_list_pids($1) -+ manage_all_pattern($1,asterisk_var_run_t) ++ manage_all_pattern($1, asterisk_var_run_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.5.1/policy/modules/services/asterisk.te ---- nsaserefpolicy/policy/modules/services/asterisk.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/asterisk.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.5.2/policy/modules/services/asterisk.te +--- nsaserefpolicy/policy/modules/services/asterisk.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/asterisk.te 2008-08-05 12:15:11.000000000 -0400 @@ -31,6 +31,9 @@ type asterisk_var_run_t; files_pid_file(asterisk_var_run_t) 
@@ -11633,9 +11293,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste ######################################## # # Local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.fc serefpolicy-3.5.1/policy/modules/services/automount.fc ---- nsaserefpolicy/policy/modules/services/automount.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/automount.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.fc serefpolicy-3.5.2/policy/modules/services/automount.fc +--- nsaserefpolicy/policy/modules/services/automount.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/automount.fc 2008-08-05 12:15:11.000000000 -0400 @@ -12,4 +12,7 @@ # /var # @@ -11645,9 +11305,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto + +/etc/rc.d/init.d/autofs -- gen_context(system_u:object_r:automount_script_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.5.1/policy/modules/services/automount.if ---- nsaserefpolicy/policy/modules/services/automount.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/automount.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.5.2/policy/modules/services/automount.if +--- nsaserefpolicy/policy/modules/services/automount.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/automount.if 2008-08-05 12:15:11.000000000 -0400 @@ -74,3 +74,109 @@ dontaudit $1 automount_tmp_t:dir getattr; 
@@ -11706,7 +11366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto + type automount_script_exec_t; + ') + -+ init_script_domtrans_spec($1,automount_script_exec_t) ++ init_script_domtrans_spec($1, automount_script_exec_t) +') + +######################################## @@ -11750,17 +11410,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto + allow $2 system_r; + + files_list_var($1) -+ manage_all_pattern($1,automount_lock_t) ++ manage_all_pattern($1, automount_lock_t) + + files_list_tmp($1) -+ manage_all_pattern($1,automount_tmp_t) ++ manage_all_pattern($1, automount_tmp_t) + + files_list_pids($1) -+ manage_all_pattern($1,automount_var_run_t) ++ manage_all_pattern($1, automount_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.5.1/policy/modules/services/automount.te ---- nsaserefpolicy/policy/modules/services/automount.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/automount.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.5.2/policy/modules/services/automount.te +--- nsaserefpolicy/policy/modules/services/automount.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/automount.te 2008-08-05 12:15:11.000000000 -0400 @@ -20,6 +20,9 @@ files_tmp_file(automount_tmp_t) files_mountpoint(automount_tmp_t) @@ -11781,12 +11441,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto allow automount_t automount_lock_t:file manage_file_perms; 
@@ -52,7 +53,8 @@ - files_root_filetrans(automount_t,automount_tmp_t,dir) + files_root_filetrans(automount_t, automount_tmp_t, dir) - manage_files_pattern(automount_t,automount_var_run_t,automount_var_run_t) --files_pid_filetrans(automount_t,automount_var_run_t,file) -+manage_fifo_files_pattern(automount_t,automount_var_run_t,automount_var_run_t) -+files_pid_filetrans(automount_t,automount_var_run_t,{ file fifo_file }) + manage_files_pattern(automount_t, automount_var_run_t, automount_var_run_t) +-files_pid_filetrans(automount_t, automount_var_run_t, file) ++manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t) ++files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file }) kernel_read_kernel_sysctls(automount_t) kernel_read_irq_sysctls(automount_t) @@ -11854,9 +11514,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.5.1/policy/modules/services/avahi.fc ---- nsaserefpolicy/policy/modules/services/avahi.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/avahi.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.5.2/policy/modules/services/avahi.fc +--- nsaserefpolicy/policy/modules/services/avahi.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/avahi.fc 2008-08-05 12:15:11.000000000 -0400 @@ -3,3 +3,7 @@ /usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0) 
@@ -11865,9 +11525,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah + +/etc/rc.d/init.d/avahi -- gen_context(system_u:object_r:avahi_script_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.5.1/policy/modules/services/avahi.if ---- nsaserefpolicy/policy/modules/services/avahi.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/avahi.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.5.2/policy/modules/services/avahi.if +--- nsaserefpolicy/policy/modules/services/avahi.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/avahi.if 2008-08-05 12:15:11.000000000 -0400 @@ -57,3 +57,64 @@ dontaudit $1 avahi_var_run_t:dir search_dir_perms; @@ -11889,7 +11549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah + type avahi_script_exec_t; + ') + -+ init_script_domtrans_spec($1,avahi_script_exec_t) ++ init_script_domtrans_spec($1, avahi_script_exec_t) +') + +######################################## 
@@ -11931,11 +11591,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah + allow $2 system_r; + + files_list_pids($1) -+ manage_all_pattern($1,avahi_var_run_t) ++ manage_all_pattern($1, avahi_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.5.1/policy/modules/services/avahi.te ---- nsaserefpolicy/policy/modules/services/avahi.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/avahi.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.5.2/policy/modules/services/avahi.te +--- nsaserefpolicy/policy/modules/services/avahi.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/avahi.te 2008-08-05 12:15:11.000000000 -0400 @@ -13,6 +13,9 @@ type avahi_var_run_t; files_pid_file(avahi_var_run_t) @@ -11959,22 +11619,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah dbus_connect_system_bus(avahi_t) init_dbus_chat_script(avahi_t) -+ dbus_system_domain(avahi_t,avahi_exec_t) ++ dbus_system_domain(avahi_t, avahi_exec_t) ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.5.1/policy/modules/services/bind.fc ---- nsaserefpolicy/policy/modules/services/bind.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/bind.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.5.2/policy/modules/services/bind.fc +--- nsaserefpolicy/policy/modules/services/bind.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/bind.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -49,3 +49,5 @@ /var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) /var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ') + +/etc/rc.d/init.d/named -- gen_context(system_u:object_r:named_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.5.1/policy/modules/services/bind.if ---- nsaserefpolicy/policy/modules/services/bind.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/bind.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.5.2/policy/modules/services/bind.if +--- nsaserefpolicy/policy/modules/services/bind.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/bind.if 2008-08-05 12:15:11.000000000 -0400 @@ -254,3 +254,94 @@ interface(`bind_udp_chat_named',` refpolicywarn(`$0($*) has been deprecated.') @@ -11996,7 +11656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind + type bind_script_exec_t; + ') + -+ init_script_domtrans_spec($1,bind_script_exec_t) ++ init_script_domtrans_spec($1, bind_script_exec_t) +') + +######################################## 
@@ -12052,29 +11712,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind + allow $2 system_r; + + files_list_tmp($1) -+ manage_all_pattern($1,named_tmp_t) ++ manage_all_pattern($1, named_tmp_t) + + logging_list_logs($1) -+ manage_all_pattern($1,named_log_t) ++ manage_all_pattern($1, named_log_t) + + files_list_etc($1) -+ manage_all_pattern($1,named_conf_t) ++ manage_all_pattern($1, named_conf_t) + -+ manage_all_pattern($1,named_cache_t) -+ manage_all_pattern($1,named_zone_t) -+ manage_all_pattern($1,dnssec_t) ++ manage_all_pattern($1, named_cache_t) ++ manage_all_pattern($1, named_zone_t) ++ manage_all_pattern($1, dnssec_t) + + files_list_var_lib($1) -+ manage_all_pattern($1,named_var_lib_t) ++ manage_all_pattern($1, named_var_lib_t) + + files_list_pids($1) -+ manage_all_pattern($1,named_var_run_t) ++ manage_all_pattern($1, named_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.5.1/policy/modules/services/bind.te ---- nsaserefpolicy/policy/modules/services/bind.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/bind.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.5.2/policy/modules/services/bind.te +--- nsaserefpolicy/policy/modules/services/bind.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/bind.te 2008-08-05 12:15:11.000000000 -0400 @@ -53,6 +53,9 @@ - init_system_domain(ndc_t,ndc_exec_t) + init_system_domain(ndc_t, ndc_exec_t) role system_r types ndc_t; +type named_script_exec_t; 
@@ -12116,9 +11776,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind corenet_sendrecv_rndc_client_packets(ndc_t) domain_use_interactive_fds(ndc_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.fc serefpolicy-3.5.1/policy/modules/services/bitlbee.fc ---- nsaserefpolicy/policy/modules/services/bitlbee.fc 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/bitlbee.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.fc serefpolicy-3.5.2/policy/modules/services/bitlbee.fc +--- nsaserefpolicy/policy/modules/services/bitlbee.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/bitlbee.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1,3 +1,6 @@ /usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0) /etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0) @@ -12126,9 +11786,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl + + +/etc/rc.d/init.d/bitlbee -- gen_context(system_u:object_r:bitlbee_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.if serefpolicy-3.5.1/policy/modules/services/bitlbee.if ---- nsaserefpolicy/policy/modules/services/bitlbee.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/bitlbee.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.if serefpolicy-3.5.2/policy/modules/services/bitlbee.if +--- nsaserefpolicy/policy/modules/services/bitlbee.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/bitlbee.if 2008-08-05 12:15:11.000000000 -0400 @@ -20,3 +20,70 @@ allow $1 bitlbee_conf_t:file { read getattr }; ') 
@@ -12150,7 +11810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl + type bitlbee_script_exec_t; + ') + -+ init_script_domtrans_spec($1,bitlbee_script_exec_t) ++ init_script_domtrans_spec($1, bitlbee_script_exec_t) +') + +######################################## @@ -12200,9 +11860,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl + +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.5.1/policy/modules/services/bitlbee.te ---- nsaserefpolicy/policy/modules/services/bitlbee.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/bitlbee.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.5.2/policy/modules/services/bitlbee.te +--- nsaserefpolicy/policy/modules/services/bitlbee.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/bitlbee.te 2008-08-05 12:15:11.000000000 -0400 @@ -17,6 +17,12 @@ type bitlbee_var_t; files_type(bitlbee_var_t) @@ -12226,8 +11886,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl bitlbee_read_config(bitlbee_t) +# tmp files -+manage_files_pattern(bitlbee_t,bitlbee_tmp_t,bitlbee_tmp_t) -+files_tmp_filetrans(bitlbee_t,bitlbee_tmp_t,file) ++manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) ++files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file) + # user account information is read and edited at runtime; give the usual # r/w access to bitlbee_var_t 
@@ -12254,9 +11914,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl sysnet_dns_name_resolve(bitlbee_t) optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.5.1/policy/modules/services/bluetooth.fc ---- nsaserefpolicy/policy/modules/services/bluetooth.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/bluetooth.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.5.2/policy/modules/services/bluetooth.fc +--- nsaserefpolicy/policy/modules/services/bluetooth.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/bluetooth.fc 2008-08-05 12:15:11.000000000 -0400 @@ -22,3 +22,8 @@ # /var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0) 
@@ -12266,10 +11926,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue +/etc/rc.d/init.d/bluetooth -- gen_context(system_u:object_r:bluetooth_script_exec_t,s0) +/etc/rc.d/init.d/dund -- gen_context(system_u:object_r:bluetooth_script_exec_t,s0) +/etc/rc.d/init.d/pand -- gen_context(system_u:object_r:bluetooth_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.5.1/policy/modules/services/bluetooth.if ---- nsaserefpolicy/policy/modules/services/bluetooth.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/bluetooth.if 2008-07-25 12:35:13.000000000 -0400 -@@ -227,3 +227,88 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.5.2/policy/modules/services/bluetooth.if +--- nsaserefpolicy/policy/modules/services/bluetooth.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/bluetooth.if 2008-08-05 14:07:07.000000000 -0400 +@@ -226,3 +226,88 @@ dontaudit $1 bluetooth_helper_domain:dir search; dontaudit $1 bluetooth_helper_domain:file { read getattr }; ') @@ -12290,7 +11950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue + type bluetooth_script_exec_t; + ') + -+ init_script_domtrans_spec($1,bluetooth_script_exec_t) ++ init_script_domtrans_spec($1, bluetooth_script_exec_t) +') + +######################################## 
@@ -12339,28 +11999,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue + allow $2 system_r; + + files_list_tmp($1) -+ manage_all_pattern($1,bluetooth_tmp_t) ++ manage_all_pattern($1, bluetooth_tmp_t) + + files_list_var($1) -+ manage_all_pattern($1,bluetooth_lock_t) ++ manage_all_pattern($1, bluetooth_lock_t) + + files_list_etc($1) -+ manage_all_pattern($1,bluetooth_conf_t) -+ manage_all_pattern($1,bluetooth_conf_rw_t) ++ manage_all_pattern($1, bluetooth_conf_t) ++ manage_all_pattern($1, bluetooth_conf_rw_t) + + files_list_spool($1) -+ manage_all_pattern($1,bluetooth_spool_t) ++ manage_all_pattern($1, bluetooth_spool_t) + + files_list_var_lib($1) -+ manage_all_pattern($1,bluetooth_var_lib_t) ++ manage_all_pattern($1, bluetooth_var_lib_t) + + files_list_pids($1) -+ manage_all_pattern($1,bluetooth_var_run_t) ++ manage_all_pattern($1, bluetooth_var_run_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.5.1/policy/modules/services/bluetooth.te ---- nsaserefpolicy/policy/modules/services/bluetooth.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/bluetooth.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.5.2/policy/modules/services/bluetooth.te +--- nsaserefpolicy/policy/modules/services/bluetooth.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/bluetooth.te 2008-08-05 12:15:11.000000000 -0400 @@ -32,19 +32,22 @@ type bluetooth_var_run_t; files_pid_file(bluetooth_var_run_t) @@ -12403,7 +12063,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue libs_use_ld_so(bluetooth_t) libs_use_shared_libs(bluetooth_t) -@@ -117,21 +123,20 @@ +@@ -117,11 +123,9 @@ miscfiles_read_localization(bluetooth_t) miscfiles_read_fonts(bluetooth_t) 
@@ -12416,35 +12076,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue sysadm_dontaudit_use_ptys(bluetooth_t) sysadm_dontaudit_search_home_dirs(bluetooth_t) +@@ -126,12 +130,13 @@ + sysadm_dontaudit_search_home_dirs(bluetooth_t) + optional_policy(` -- dbus_system_bus_client_template(bluetooth,bluetooth_t) +- dbus_system_bus_client_template(bluetooth, bluetooth_t) - dbus_connect_system_bus(bluetooth_t) + cups_dbus_chat(bluetooth_t) ') optional_policy(` - nis_use_ypbind(bluetooth_t) -+ dbus_system_bus_client_template(bluetooth,bluetooth_t) ++ dbus_system_bus_client_template(bluetooth, bluetooth_t) + dbus_connect_system_bus(bluetooth_t) -+ dbus_system_domain(bluetooth_t,bluetooth_exec_t) ++ dbus_system_domain(bluetooth_t, bluetooth_exec_t) ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.fc serefpolicy-3.5.1/policy/modules/services/canna.fc ---- nsaserefpolicy/policy/modules/services/canna.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/canna.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.fc serefpolicy-3.5.2/policy/modules/services/canna.fc +--- nsaserefpolicy/policy/modules/services/canna.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/canna.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -20,3 +20,5 @@ /var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0) /var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0) /var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0) + +/etc/rc.d/init.d/canna -- gen_context(system_u:object_r:canna_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.if serefpolicy-3.5.1/policy/modules/services/canna.if ---- nsaserefpolicy/policy/modules/services/canna.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/canna.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.if serefpolicy-3.5.2/policy/modules/services/canna.if +--- nsaserefpolicy/policy/modules/services/canna.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/canna.if 2008-08-05 12:15:11.000000000 -0400 @@ -18,3 +18,74 @@ files_search_pids($1) - stream_connect_pattern($1,canna_var_run_t,canna_var_run_t,canna_t) + stream_connect_pattern($1, canna_var_run_t, canna_var_run_t,canna_t) ') + +######################################## @@ -12463,7 +12126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cann + type canna_script_exec_t; + ') + -+ init_script_domtrans_spec($1,canna_script_exec_t) ++ init_script_domtrans_spec($1, canna_script_exec_t) +') + +######################################## 
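Review bot: The reworked bluetooth.te section is split into two hunks, `@@ -117,11 +123,9 @@` and `@@ -126,12 +130,13 @@`, whose old-side ranges (117–127 and 126–137) overlap by exactly the two repeated context lines `sysadm_dontaudit_search_home_dirs(bluetooth_t)` and the blank after it; unified-diff hunks must not overlap, so `patch` is likely to reject the second hunk or apply it only with fuzz. This looks hand-edited (the neighbouring bluetooth.if header also became `@@ -226,3 +226,88 @@` with a different timestamp), so regenerate the bluetooth.te part with `diff -u` so it lands as a single hunk like the previous `@@ -117,21 +123,20 @@`. Separately, the inner hunk removes `nis_use_ypbind(bluetooth_t)` when it repurposes that optional_policy block for the dbus calls, and nothing in the visible hunk restores it; if dropping NIS lookups for bluetooth_t is intentional, say so in the commit message, otherwise keep the line in its own block.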
@@ -12507,19 +12170,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cann + allow $2 system_r; + + logging_list_logs($1) -+ manage_all_pattern($1,canna_log_t) ++ manage_all_pattern($1, canna_log_t) + + files_list_var_lib($1) -+ manage_all_pattern($1,canna_var_lib_t) ++ manage_all_pattern($1, canna_var_lib_t) + + files_list_pids($1) -+ manage_all_pattern($1,canna_var_run_t) ++ manage_all_pattern($1, canna_var_run_t) +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.te serefpolicy-3.5.1/policy/modules/services/canna.te ---- nsaserefpolicy/policy/modules/services/canna.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/canna.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.te serefpolicy-3.5.2/policy/modules/services/canna.te +--- nsaserefpolicy/policy/modules/services/canna.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/canna.te 2008-08-05 12:15:11.000000000 -0400 @@ -19,6 +19,9 @@ type canna_var_run_t; files_pid_file(canna_var_run_t) 
@@ -12530,9 +12193,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cann ######################################## # # Local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.5.1/policy/modules/services/clamav.fc ---- nsaserefpolicy/policy/modules/services/clamav.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/clamav.fc 2008-07-30 15:27:51.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.5.2/policy/modules/services/clamav.fc +--- nsaserefpolicy/policy/modules/services/clamav.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/clamav.fc 2008-08-05 12:15:11.000000000 -0400 @@ -5,16 +5,18 @@ /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) @@ -12557,9 +12220,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) + +/etc/rc.d/init.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.5.1/policy/modules/services/clamav.if ---- nsaserefpolicy/policy/modules/services/clamav.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/clamav.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.5.2/policy/modules/services/clamav.if +--- nsaserefpolicy/policy/modules/services/clamav.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/clamav.if 2008-08-05 12:15:11.000000000 -0400 @@ -38,6 +38,27 @@ ######################################## 
@@ -12580,7 +12243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam + + logging_search_logs($1) + allow $1 clamav_log_t:dir list_dir_perms; -+ append_files_pattern($1,clamav_log_t,clamav_log_t) ++ append_files_pattern($1, clamav_log_t, clamav_log_t) +') + +######################################## @@ -12590,7 +12253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam ## @@ -91,3 +112,116 @@ - domtrans_pattern($1,clamscan_exec_t,clamscan_t) + domtrans_pattern($1, clamscan_exec_t, clamscan_t) ') + +######################################## @@ -12608,7 +12271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam + type clamscan_exec_t; + ') + -+ can_exec($1,clamscan_exec_t) ++ can_exec($1, clamscan_exec_t) + +') + @@ -12628,7 +12291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam + type clamd_script_exec_t; + ') + -+ init_script_domtrans_spec($1,clamd_script_exec_t) ++ init_script_domtrans_spec($1, clamd_script_exec_t) +') + +######################################## 
@@ -12686,28 +12349,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam + allow $2 system_r; + + files_list_tmp($1) -+ manage_all_pattern($1,clamd_tmp_t) ++ manage_all_pattern($1, clamd_tmp_t) + + files_list_etc($1) -+ manage_all_pattern($1,clamd_etc_t) ++ manage_all_pattern($1, clamd_etc_t) + + logging_list_logs($1) -+ manage_all_pattern($1,clamd_var_log_t) ++ manage_all_pattern($1, clamd_var_log_t) + + files_list_var_lib($1) -+ manage_all_pattern($1,clamd_var_lib_t) ++ manage_all_pattern($1, clamd_var_lib_t) + + files_list_pids($1) -+ manage_all_pattern($1,clamd_var_run_t) ++ manage_all_pattern($1, clamd_var_run_t) + -+ manage_all_pattern($1,clamscan_tmp_t) ++ manage_all_pattern($1, clamscan_tmp_t) + -+ manage_all_pattern($1,freshclam_var_log_t) ++ manage_all_pattern($1, freshclam_var_log_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.5.1/policy/modules/services/clamav.te ---- nsaserefpolicy/policy/modules/services/clamav.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/clamav.te 2008-07-30 15:31:06.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.5.2/policy/modules/services/clamav.te +--- nsaserefpolicy/policy/modules/services/clamav.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/clamav.te 2008-08-05 12:15:11.000000000 -0400 @@ -13,7 +13,7 @@ # configuration files 
@@ -12775,9 +12438,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam +optional_policy(` + mailscanner_manage_spool(clamscan_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.5.1/policy/modules/services/consolekit.fc ---- nsaserefpolicy/policy/modules/services/consolekit.fc 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/consolekit.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.5.2/policy/modules/services/consolekit.fc +--- nsaserefpolicy/policy/modules/services/consolekit.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/consolekit.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1,3 +1,6 @@ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) @@ -12785,9 +12448,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons +/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0) + +/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.5.1/policy/modules/services/consolekit.if ---- nsaserefpolicy/policy/modules/services/consolekit.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/consolekit.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.5.2/policy/modules/services/consolekit.if +--- nsaserefpolicy/policy/modules/services/consolekit.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/consolekit.if 2008-08-05 12:15:11.000000000 -0400 
@@ -38,3 +38,24 @@ allow $1 consolekit_t:dbus send_msg; allow consolekit_t $1:dbus send_msg; @@ -12813,9 +12476,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.5.1/policy/modules/services/consolekit.te ---- nsaserefpolicy/policy/modules/services/consolekit.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/consolekit.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.5.2/policy/modules/services/consolekit.te +--- nsaserefpolicy/policy/modules/services/consolekit.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/consolekit.te 2008-08-05 12:15:11.000000000 -0400 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) 
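Review bot: In consolekit.fc the line `/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0)` carries the `--` qualifier, which matches regular files only, so on a relabel the `/var/run/ConsoleKit` directory itself keeps its parent's label instead of consolekit_var_run_t. That is inconsistent with the consolekit.te hunk further down, which adds `manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)` and a `{ file dir }` pid filetrans, i.e. expects the daemon to own that directory. Drop the qualifier as the `/var/log/ConsoleKit(/.*)?` line just below already does: `/var/run/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_var_run_t,s0)`. The line is unchanged by this commit (only the file header moved), but it is the new side that will be applied.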
@@ -12830,13 +12493,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons allow consolekit_t self:unix_stream_socket create_stream_socket_perms; allow consolekit_t self:unix_dgram_socket create_socket_perms; -+manage_files_pattern(consolekit_t,consolekit_log_t,consolekit_log_t) -+logging_log_filetrans(consolekit_t,consolekit_log_t, file) ++manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) ++logging_log_filetrans(consolekit_t, consolekit_log_t, file) + -+manage_dirs_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t) - manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t) --files_pid_filetrans(consolekit_t,consolekit_var_run_t, file) -+files_pid_filetrans(consolekit_t,consolekit_var_run_t, { file dir }) ++manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) + manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) +-files_pid_filetrans(consolekit_t, consolekit_var_run_t, file) ++files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir }) kernel_read_system_state(consolekit_t) @@ -12877,19 +12540,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons +hal_ptrace(consolekit_t) +mcs_ptrace_all(consolekit_t) + -+optional_policy(` -+ cron_read_system_job_lib_files(consolekit_t) -+') -+ optional_policy(` - dbus_system_bus_client_template(consolekit, consolekit_t) - dbus_connect_system_bus(consolekit_t) ++ cron_read_system_job_lib_files(consolekit_t) ++') + ++optional_policy(` + dbus_system_domain(consolekit_t, consolekit_exec_t) + optional_policy(` -+ hal_dbus_chat(consolekit_t) + hal_dbus_chat(consolekit_t) + ') - -- hal_dbus_chat(consolekit_t) ++ + optional_policy(` + rpm_dbus_chat(consolekit_t) + ') 
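Review bot: In the consolekit.te hunk at `@@ -12877,19 +12540,18 @@` the rework drops the context lines `dbus_system_bus_client_template(consolekit, consolekit_t)` and `dbus_connect_system_bus(consolekit_t)` from the patch and instead opens a fresh optional_policy block around `dbus_system_domain(consolekit_t, consolekit_exec_t)` with a nested block for `hal_dbus_chat(consolekit_t)`; the closing `')` of that new outer block is not in the hunk, so after applying, check that the m4 quoting balances and that `dbus_system_domain` still sits in a block guarded by the dbus module next to the bus-client calls (presumably upstream 3.5.2 moved them rather than removed them, but the hunk does not show it). The neighbouring `hal_ptrace(consolekit_t)` and `mcs_ptrace_all(consolekit_t)` lines are untouched by this commit but grant ptrace across all MCS categories, which is a broad privilege for a session daemon; a one-line `# needed to <reason>` comment above them would document why, and make it easier to revisit later.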
@@ -12931,18 +12593,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + fs_dontaudit_rw_cifs_files(consolekit_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.fc serefpolicy-3.5.1/policy/modules/services/courier.fc ---- nsaserefpolicy/policy/modules/services/courier.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/courier.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.fc serefpolicy-3.5.2/policy/modules/services/courier.fc +--- nsaserefpolicy/policy/modules/services/courier.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/courier.fc 2008-08-05 12:15:11.000000000 -0400 @@ -19,3 +19,5 @@ /var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0) /var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0) + +/var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.5.1/policy/modules/services/courier.if ---- nsaserefpolicy/policy/modules/services/courier.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/courier.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.5.2/policy/modules/services/courier.if +--- nsaserefpolicy/policy/modules/services/courier.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/courier.if 2008-08-05 12:15:11.000000000 -0400 @@ -123,3 +123,77 @@ domtrans_pattern($1, courier_pop_exec_t, courier_pop_t) 
@@ -13021,9 +12683,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour + + allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.5.1/policy/modules/services/courier.te ---- nsaserefpolicy/policy/modules/services/courier.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/courier.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.5.2/policy/modules/services/courier.te +--- nsaserefpolicy/policy/modules/services/courier.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/courier.te 2008-08-05 12:15:11.000000000 -0400 @@ -9,7 +9,10 @@ courier_domain_template(authdaemon) @@ -13059,9 +12721,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour ######################################## # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.5.1/policy/modules/services/cron.fc ---- nsaserefpolicy/policy/modules/services/cron.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/cron.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.5.2/policy/modules/services/cron.fc +--- nsaserefpolicy/policy/modules/services/cron.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/cron.fc 2008-08-05 12:15:11.000000000 -0400 @@ -17,6 +17,8 @@ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) 
@@ -13076,9 +12738,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.1/policy/modules/services/cron.if ---- nsaserefpolicy/policy/modules/services/cron.if 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/cron.if 2008-07-28 08:31:37.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.2/policy/modules/services/cron.if +--- nsaserefpolicy/policy/modules/services/cron.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/cron.if 2008-08-05 12:15:11.000000000 -0400 @@ -35,39 +35,23 @@ # template(`cron_per_role_template',` @@ -13103,7 +12765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron + corecmd_shell_entry_type($1_t) type $1_crontab_t; - application_domain($1_crontab_t,crontab_exec_t) + application_domain($1_crontab_t, crontab_exec_t) role $3 types $1_crontab_t; - type $1_crontab_tmp_t; 
@@ -13188,18 +12850,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron - - miscfiles_read_localization($1_crond_t) - -- userdom_manage_user_tmp_files($1,$1_crond_t) -- userdom_manage_user_tmp_symlinks($1,$1_crond_t) -- userdom_manage_user_tmp_pipes($1,$1_crond_t) -- userdom_manage_user_tmp_sockets($1,$1_crond_t) +- userdom_manage_user_tmp_files($1, $1_crond_t) +- userdom_manage_user_tmp_symlinks($1, $1_crond_t) +- userdom_manage_user_tmp_pipes($1, $1_crond_t) +- userdom_manage_user_tmp_sockets($1, $1_crond_t) - # Run scripts in user home directory and access shared libs. -- userdom_exec_user_home_content_files($1,$1_crond_t) +- userdom_exec_user_home_content_files($1, $1_crond_t) - # Access user files and dirs. -# userdom_manage_user_home_subdir_dirs($1,$1_crond_t) -- userdom_manage_user_home_content_files($1,$1_crond_t) -- userdom_manage_user_home_content_symlinks($1,$1_crond_t) -- userdom_manage_user_home_content_pipes($1,$1_crond_t) -- userdom_manage_user_home_content_sockets($1,$1_crond_t) +- userdom_manage_user_home_content_files($1, $1_crond_t) +- userdom_manage_user_home_content_symlinks($1, $1_crond_t) +- userdom_manage_user_home_content_pipes($1, $1_crond_t) +- userdom_manage_user_home_content_sockets($1, $1_crond_t) -# userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set) + allow crond_t $1_t:process transition; + dontaudit crond_t $1_t:process { noatsecure siginh rlimitinh }; @@ -13260,21 +12922,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron + auth_domtrans_chk_passwd($1_crontab_t) # crontab shows up in user ps - ps_process_pattern($2,$1_crontab_t) + ps_process_pattern($2, $1_crontab_t) 
@@ -206,9 +101,6 @@ # Allow crond to read those crontabs in cron spool. allow crond_t $1_cron_spool_t:file manage_file_perms; - allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms; -- files_tmp_filetrans($1_crontab_t,$1_crontab_tmp_t,file) +- files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, file) - # create files in /var/spool/cron - manage_files_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t) - filetrans_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t,file) + manage_files_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t) + filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t,file) @@ -227,27 +119,32 @@ # Run helper programs as the user domain - corecmd_bin_domtrans($1_crontab_t,$2) - corecmd_shell_domtrans($1_crontab_t,$2) + corecmd_bin_domtrans($1_crontab_t, $2) + corecmd_shell_domtrans($1_crontab_t, $2) + allow $2 $1_crontab_t:process sigchld; domain_use_interactive_fds($1_crontab_t) @@ -13294,15 +12956,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron seutil_read_config($1_crontab_t) -- userdom_manage_user_tmp_dirs($1,$1_crontab_t) -- userdom_manage_user_tmp_files($1,$1_crontab_t) +- userdom_manage_user_tmp_dirs($1, $1_crontab_t) +- userdom_manage_user_tmp_files($1, $1_crontab_t) + unprivuser_manage_tmp_dirs($1_crontab_t) + unprivuser_manage_tmp_files($1_crontab_t) # Access terminals. - userdom_use_user_terminals($1,$1_crontab_t) + userdom_use_user_terminals($1, $1_crontab_t) # Read user crontabs - userdom_read_user_home_content_files($1,$1_crontab_t) -+ userdom_transition_user_tmp($1,$1_crontab_t, { lnk_file file dir fifo_file }) + userdom_read_user_home_content_files($1, $1_crontab_t) ++ userdom_transition_user_tmp($1, $1_crontab_t, { lnk_file file dir fifo_file }) tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator 
@@ -13445,9 +13107,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron + + read_files_pattern($1, system_crond_var_lib_t, system_crond_var_lib_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.5.1/policy/modules/services/cron.te ---- nsaserefpolicy/policy/modules/services/cron.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/cron.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.5.2/policy/modules/services/cron.te +--- nsaserefpolicy/policy/modules/services/cron.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/cron.te 2008-08-05 14:09:58.000000000 -0400 @@ -12,14 +12,6 @@ ## @@ -13456,7 +13118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron -## for restoring file contexts. -##
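Review bot: Switching the inner diff to `diff -b -B --ignore-all-space` is not recorded anywhere in the patch itself, and it changes what the patch can carry: any serefpolicy change that differs from upstream only in whitespace or blank lines will be silently absent the next time the file is regenerated. The same header change recurs at every later file header in this chunk (cups.fc, cups.if, cups.te, cvs.fc/if/te, cyphesis.fc/if/te, cyrus.fc/if/te, dbus.fc/if/te), so one note covers them all. Whitespace is rarely significant in this policy language, so the trade-off is probably acceptable, but it should be stated where the patch is regenerated, e.g. `# generated with -b -B --ignore-all-space: whitespace-only differences from upstream are intentionally not carried`, so a future maintainer does not mistake a dropped spacing fix for a lost change.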

-##
--gen_tunable(cron_can_relabel,false) +-gen_tunable(cron_can_relabel, false) - -## -##

@@ -13510,11 +13172,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron -allow crond_t cron_spool_t:dir rw_dir_perms; -allow crond_t cron_spool_t:file read_file_perms; -+manage_files_pattern(crond_t,cron_spool_t,cron_spool_t) ++manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) - manage_dirs_pattern(crond_t,crond_tmp_t,crond_tmp_t) - manage_files_pattern(crond_t,crond_tmp_t,crond_tmp_t) - files_tmp_filetrans(crond_t,crond_tmp_t,{ file dir }) + manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) + manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) + files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) -allow crond_t system_cron_spool_t:dir list_dir_perms; -allow crond_t system_cron_spool_t:file read_file_perms; @@ -13549,17 +13211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -163,9 +170,6 @@ - mta_send_mail(crond_t) - - ifdef(`distro_debian',` -- # pam_limits is used -- allow crond_t self:process setrlimit; -- - optional_policy(` - # Debian logcheck has the home dir set to its cache - logwatch_search_cache_dir(crond_t) -@@ -180,21 +184,45 @@ +@@ -180,21 +187,45 @@ ') ') 
@@ -13606,23 +13258,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -236,6 +264,9 @@ +@@ -236,6 +267,9 @@ allow system_crond_t cron_var_lib_t:file manage_file_perms; - files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file) + files_var_lib_filetrans(system_crond_t, cron_var_lib_t, file) +allow system_crond_t cron_var_run_t:file manage_file_perms; -+files_pid_filetrans(system_crond_t,cron_var_run_t,file) ++files_pid_filetrans(system_crond_t, cron_var_run_t, file) + allow system_crond_t system_cron_spool_t:file read_file_perms; # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are -@@ -267,9 +298,13 @@ - filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file }) - files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file) +@@ -267,9 +301,13 @@ + filetrans_pattern(system_crond_t, crond_tmp_t, system_crond_tmp_t, { file lnk_file }) + files_tmp_filetrans(system_crond_t, system_crond_tmp_t, file) +# var/lib files for system_crond +files_search_var_lib(system_crond_t) -+manage_files_pattern(system_crond_t,system_crond_var_lib_t,system_crond_var_lib_t) ++manage_files_pattern(system_crond_t, system_crond_var_lib_t, system_crond_var_lib_t) + # Read from /var/spool/cron. allow system_crond_t cron_spool_t:dir list_dir_perms; @@ -13631,7 +13283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron kernel_read_kernel_sysctls(system_crond_t) kernel_read_system_state(system_crond_t) -@@ -323,7 +358,8 @@ +@@ -323,7 +361,8 @@ init_read_utmp(system_crond_t) init_dontaudit_rw_utmp(system_crond_t) # prelink tells init to restart it self, we either need to allow or dontaudit 
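Review bot: The hunk starting at @@ -13549 quietly drops the inner hunk that removed `allow crond_t self:process setrlimit;` from the `ifdef(`distro_debian'` block of cron.te, which is a policy change rather than the spacing rebase the rest of the commit performs. The old-side start of the following inner hunk is `-180` in both the old and new header, which suggests upstream 3.5.2 still carries those lines, so after this commit the patched policy retains a permission the previous patch stripped. Because the block is guarded by `distro_debian` the effect on a non-Debian build is presumably nil, but the drop deserves an explicit mention alongside the change, e.g. `# upstream pam_limits setrlimit rule is now kept as-is`, so it is not mistaken for an accidental loss during the rebase. The surrounding cron.te section continues into the next hunks.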
@@ -13641,7 +13293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron auth_use_nsswitch(system_crond_t) -@@ -333,6 +369,7 @@ +@@ -333,6 +372,7 @@ libs_exec_ld_so(system_crond_t) logging_read_generic_logs(system_crond_t) @@ -13649,7 +13301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron logging_send_syslog_msg(system_crond_t) miscfiles_read_localization(system_crond_t) -@@ -348,18 +385,6 @@ +@@ -348,18 +388,6 @@ ') ') @@ -13668,7 +13320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron optional_policy(` # Needed for certwatch apache_exec_modules(system_crond_t) -@@ -383,6 +408,14 @@ +@@ -383,6 +411,14 @@ ') optional_policy(` @@ -13683,7 +13335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron mrtg_append_create_logs(system_crond_t) ') -@@ -415,8 +448,7 @@ +@@ -415,8 +451,7 @@ ') optional_policy(` @@ -13693,7 +13345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -424,15 +456,12 @@ +@@ -424,15 +459,12 @@ ') optional_policy(` 
@@ -13714,10 +13366,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron + userdom_priveleged_home_dir_manager(system_crond_t) ') -') dnl end TODO -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.1/policy/modules/services/cups.fc ---- nsaserefpolicy/policy/modules/services/cups.fc 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/cups.fc 2008-07-30 11:32:44.000000000 -0400 -@@ -8,24 +8,28 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.2/policy/modules/services/cups.fc +--- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/cups.fc 2008-08-05 14:15:21.000000000 -0400 +@@ -8,6 +8,7 @@ /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -13725,8 +13377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups /etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) --/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) -- +@@ -16,16 +17,21 @@ /etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) 
@@ -13751,7 +13402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups /usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) -@@ -33,7 +37,7 @@ +@@ -33,7 +39,7 @@ /usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) /usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -13760,7 +13411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -@@ -50,3 +54,13 @@ +@@ -50,3 +56,13 @@ /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) @@ -13774,9 +13425,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.5.1/policy/modules/services/cups.if ---- nsaserefpolicy/policy/modules/services/cups.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/cups.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.5.2/policy/modules/services/cups.if +--- nsaserefpolicy/policy/modules/services/cups.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/cups.if 2008-08-05 12:15:11.000000000 -0400 
@@ -20,6 +20,30 @@ ######################################## @@ -13794,7 +13445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + type cupsd_t; + ') + -+ domtrans_pattern(cupsd_t,$2, $1) ++ domtrans_pattern(cupsd_t, $2, $1) + + allow cupsd_t $1:process signal; + allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms; @@ -13836,7 +13487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ## @@ -247,3 +290,99 @@ files_search_pids($1) - stream_connect_pattern($1,ptal_var_run_t,ptal_var_run_t,ptal_t) + stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t) ') + +######################################## @@ -13855,7 +13506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + type cups_script_exec_t; + ') + -+ init_script_domtrans_spec($1,cups_script_exec_t) ++ init_script_domtrans_spec($1, cups_script_exec_t) +') + +######################################## 
@@ -13907,55 +13558,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + allow $2 system_r; + + files_list_tmp($1) -+ manage_all_pattern($1,cups_tmp_t) ++ manage_all_pattern($1, cups_tmp_t) + -+ manage_all_pattern($1,cups_lpd_tmp_t) ++ manage_all_pattern($1, cups_lpd_tmp_t) + + files_list_etc($1) -+ manage_all_pattern($1,cups_etc_t) ++ manage_all_pattern($1, cups_etc_t) + -+ manage_all_pattern($1,ptal_etc_t) ++ manage_all_pattern($1, ptal_etc_t) + + files_list_spool($1) -+ manage_all_pattern($1,cups_spool_t) ++ manage_all_pattern($1, cups_spool_t) + + logging_list_logs($1) -+ manage_all_pattern($1,cups_log_t) ++ manage_all_pattern($1, cups_log_t) + + files_list_pids($1) -+ manage_all_pattern($1,cups_var_run_t) ++ manage_all_pattern($1, cups_var_run_t) + -+ manage_all_pattern($1,ptal_var_run_t) ++ manage_all_pattern($1, ptal_var_run_t) + -+ manage_all_pattern($1,cups_config_var_run_t) ++ manage_all_pattern($1, cups_config_var_run_t) + -+ manage_all_pattern($1,cups_lpd_var_run_t) ++ manage_all_pattern($1, cups_lpd_var_run_t) + -+ manage_all_pattern($1,hplip_var_run_t) ++ manage_all_pattern($1, hplip_var_run_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.1/policy/modules/services/cups.te ---- nsaserefpolicy/policy/modules/services/cups.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/cups.te 2008-07-25 12:35:13.000000000 -0400 -@@ -43,14 +43,13 @@ - - type cupsd_var_run_t; - files_pid_file(cupsd_var_run_t) --mls_trusted_object(cupsd_var_run_t) - +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.2/policy/modules/services/cups.te +--- nsaserefpolicy/policy/modules/services/cups.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/cups.te 2008-08-05 14:17:56.000000000 -0400 +@@ -48,6 +48,9 @@ type hplip_t; type hplip_exec_t; - 
init_daemon_domain(hplip_t,hplip_exec_t) -- --type hplip_etc_t; --files_config_file(hplip_etc_t) + init_daemon_domain(hplip_t, hplip_exec_t) +# For CUPS to run as a backend +cups_backend(hplip_t, hplip_exec_t) -+domtrans_pattern(cupsd_config_t,hplip_exec_t, hplip_t) ++domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) - type hplip_var_run_t; - files_pid_file(hplip_var_run_t) -@@ -65,12 +64,27 @@ + type hplip_etc_t; + files_config_file(hplip_etc_t) +@@ -65,6 +68,19 @@ type ptal_var_run_t; files_pid_file(ptal_var_run_t) @@ -13975,15 +13618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ifdef(`enable_mcs',` init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh) ') - - ifdef(`enable_mls',` - init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh) -+ -+ mls_trusted_object(cupsd_var_run_t) - ') - - ######################################## -@@ -79,13 +93,14 @@ +@@ -79,13 +95,14 @@ # # /usr/lib/cups/backend/serial needs sys_admin(?!) @@ -14001,7 +13636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t self:tcp_socket create_stream_socket_perms; allow cupsd_t self:udp_socket create_socket_perms; allow cupsd_t self:appletalk_socket create_socket_perms; -@@ -104,7 +119,7 @@ +@@ -104,7 +121,7 @@ # allow cups to execute its backend scripts can_exec(cupsd_t, cupsd_exec_t) @@ -14009,9 +13644,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +allow cupsd_t cupsd_exec_t:dir search_dir_perms; allow cupsd_t cupsd_exec_t:lnk_file read; - manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t) -@@ -116,13 +131,19 @@ - manage_fifo_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t) + manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +@@ -116,6 +133,13 @@ + manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) +# This whole section needs to be moved to a smbspool policy 
@@ -14022,17 +13657,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +files_dontaudit_getattr_all_tmp_sockets(cupsd_t) + allow cupsd_t cupsd_var_run_t:dir setattr; - manage_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t) - manage_sock_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t) - files_pid_filetrans(cupsd_t,cupsd_var_run_t,file) + manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) + manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) +@@ -123,6 +147,7 @@ + + read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) --read_files_pattern(cupsd_t,hplip_etc_t,hplip_etc_t) -- +allow cupsd_t hplip_t:process sigkill; allow cupsd_t hplip_var_run_t:file { read getattr }; - stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t) -@@ -149,32 +170,35 @@ + stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) +@@ -149,32 +174,35 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -14072,7 +13707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp corecmd_exec_shell(cupsd_t) corecmd_exec_bin(cupsd_t) -@@ -186,7 +210,7 @@ +@@ -186,7 +214,7 @@ # read python modules files_read_usr_files(cupsd_t) # for /var/lib/defoma @@ -14081,7 +13716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -195,15 +219,16 @@ +@@ -195,15 +223,16 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) 
@@ -14102,7 +13737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups auth_use_nsswitch(cupsd_t) libs_use_ld_so(cupsd_t) -@@ -219,17 +244,22 @@ +@@ -219,17 +248,22 @@ miscfiles_read_fonts(cupsd_t) seutil_read_config(cupsd_t) @@ -14123,14 +13758,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups lpd_relabel_spool(cupsd_t) + + mls_trusted_object(cupsd_var_run_t) -+ init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh) ++ init_ranged_daemon_domain(cupsd_t, cupsd_exec_t,mls_systemhigh) ') optional_policy(` -@@ -242,12 +272,21 @@ +@@ -242,12 +276,21 @@ optional_policy(` - dbus_system_bus_client_template(cupsd,cupsd_t) + dbus_system_bus_client_template(cupsd, cupsd_t) + dbus_send_system_bus(cupsd_t) userdom_dbus_send_all_users(cupsd_t) @@ -14149,7 +13784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -263,6 +302,10 @@ +@@ -263,6 +306,10 @@ ') optional_policy(` @@ -14160,7 +13795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) -@@ -326,6 +369,7 @@ +@@ -326,6 +373,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) @@ -14168,7 +13803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -353,16 +397,16 @@ +@@ -353,6 +401,7 @@ logging_send_syslog_msg(cupsd_config_t) miscfiles_read_localization(cupsd_config_t) 
@@ -14176,19 +13811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_dontaudit_search_config(cupsd_config_t) - userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) -- --cups_stream_connect(cupsd_config_t) -+sysadm_dontaudit_search_home_dirs(cupsd_config_t) - - lpd_read_config(cupsd_config_t) - --sysadm_dontaudit_search_home_dirs(cupsd_config_t) -+cups_stream_connect(cupsd_config_t) - - ifdef(`distro_redhat',` - init_getattr_script_files(cupsd_config_t) -@@ -373,6 +417,10 @@ +@@ -373,6 +422,10 @@ ') optional_policy(` @@ -14199,7 +13822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -388,6 +436,7 @@ +@@ -388,6 +441,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -14207,7 +13830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -500,15 +549,10 @@ +@@ -500,7 +554,7 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; @@ -14216,15 +13839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cups_stream_connect(hplip_t) --allow hplip_t hplip_etc_t:dir list_dir_perms; --read_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t) --read_lnk_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t) --files_search_etc(hplip_t) -- - manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t) - files_pid_filetrans(hplip_t,hplip_var_run_t,file) - -@@ -538,14 +582,14 @@ +@@ -538,7 +592,8 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) 
@@ -14234,33 +13849,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) - - # for python - corecmd_exec_bin(hplip_t) -- - domain_use_interactive_fds(hplip_t) - - files_read_etc_files(hplip_t) -@@ -562,11 +606,16 @@ - sysnet_read_config(hplip_t) - +@@ -564,11 +619,17 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) -+sysadm_dontaudit_search_home_dirs(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) -lpd_read_config(cupsd_t) +lpd_read_config(hplip_t) +lpd_manage_spool(hplip_t) --sysadm_dontaudit_search_home_dirs(hplip_t) -+optional_policy(` -+ dbus_system_bus_client_template(hplip,hplip_t) -+ dbus_connect_system_bus(hplip_t) -+') + sysadm_dontaudit_search_home_dirs(hplip_t) optional_policy(` ++ dbus_system_bus_client_template(hplip, hplip_t) ++ dbus_connect_system_bus(hplip_t) ++') ++ ++optional_policy(` seutil_sigchld_newrole(hplip_t) -@@ -647,3 +696,45 @@ + ') + +@@ -647,3 +708,45 @@ optional_policy(` udev_read_db(ptal_t) ') @@ -14306,9 +13914,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + +sysadm_dontaudit_read_home_content_files(cups_pdf_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.fc serefpolicy-3.5.1/policy/modules/services/cvs.fc ---- nsaserefpolicy/policy/modules/services/cvs.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/cvs.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.fc serefpolicy-3.5.2/policy/modules/services/cvs.fc +--- nsaserefpolicy/policy/modules/services/cvs.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/cvs.fc 2008-08-05 12:15:11.000000000 -0400 @@ -5,3 +5,6 @@ /var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) 
@@ -14316,12 +13924,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. +#CVSWeb file context +/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) +/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.5.1/policy/modules/services/cvs.if ---- nsaserefpolicy/policy/modules/services/cvs.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/cvs.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.5.2/policy/modules/services/cvs.if +--- nsaserefpolicy/policy/modules/services/cvs.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/cvs.if 2008-08-05 12:15:11.000000000 -0400 @@ -36,3 +36,70 @@ - can_exec($1,cvs_exec_t) + can_exec($1, cvs_exec_t) ') + +######################################## @@ -14340,7 +13948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. + type cvs_script_exec_t; + ') + -+ init_script_domtrans_spec($1,cvs_script_exec_t) ++ init_script_domtrans_spec($1, cvs_script_exec_t) +') + +######################################## 
@@ -14382,17 +13990,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. + allow $2 system_r; + + files_list_tmp($1) -+ manage_all_pattern($1,cvs_tmp_t) ++ manage_all_pattern($1, cvs_tmp_t) + -+ manage_all_pattern($1,cvs_data_t) ++ manage_all_pattern($1, cvs_data_t) + + files_list_pids($1) -+ manage_all_pattern($1,cvs_var_run_t) ++ manage_all_pattern($1, cvs_var_run_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.5.1/policy/modules/services/cvs.te ---- nsaserefpolicy/policy/modules/services/cvs.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/cvs.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.5.2/policy/modules/services/cvs.te +--- nsaserefpolicy/policy/modules/services/cvs.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/cvs.te 2008-08-05 12:15:11.000000000 -0400 @@ -28,6 +28,9 @@ type cvs_var_run_t; files_pid_file(cvs_var_run_t) 
@@ -14440,22 +14048,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. +apache_content_template(cvs) + +read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) -+manage_dirs_pattern(httpd_cvs_script_t,cvs_tmp_t,cvs_tmp_t) -+manage_files_pattern(httpd_cvs_script_t,cvs_tmp_t,cvs_tmp_t) ++manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) ++manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) +files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) -optional_policy(` - nscd_socket_use(cvs_t) -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.5.1/policy/modules/services/cyphesis.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.5.2/policy/modules/services/cyphesis.fc --- nsaserefpolicy/policy/modules/services/cyphesis.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/services/cyphesis.fc 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/cyphesis.fc 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,2 @@ + +/usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.if serefpolicy-3.5.1/policy/modules/services/cyphesis.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.if serefpolicy-3.5.2/policy/modules/services/cyphesis.if --- nsaserefpolicy/policy/modules/services/cyphesis.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/services/cyphesis.if 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/cyphesis.if 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,19 @@ +##

policy for cyphesis + @@ -14474,13 +14082,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyph + type cyphesis_t, cyphesis_exec_t; + ') + -+ domtrans_pattern($1,cyphesis_exec_t,cyphesis_t) ++ domtrans_pattern($1, cyphesis_exec_t, cyphesis_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.te serefpolicy-3.5.1/policy/modules/services/cyphesis.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.te serefpolicy-3.5.2/policy/modules/services/cyphesis.te --- nsaserefpolicy/policy/modules/services/cyphesis.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/services/cyphesis.te 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/cyphesis.te 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,92 @@ -+policy_module(cyphesis,1.0.0) ++policy_module(cyphesis, 1.0.0) + +######################################## +# @@ -14518,15 +14126,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyph +corecmd_getattr_bin_files(cyphesis_t) + +manage_files_pattern(cyphesis_t, cyphesis_log_t, cyphesis_log_t) -+logging_log_filetrans(cyphesis_t,cyphesis_log_t,file) ++logging_log_filetrans(cyphesis_t, cyphesis_log_t, file) + +# DAN > Does cyphesis really create a sock_file in /tmp? Why? +allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms; -+files_tmp_filetrans(cyphesis_t,cyphesis_tmp_t,file) ++files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, file) + +manage_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) +manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) -+files_pid_filetrans(cyphesis_t,cyphesis_var_run_t, { file sock_file }) ++files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { file sock_file }) + +dev_read_urand(cyphesis_t) + 
@@ -14557,7 +14165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyph +# cyphesis wants to talk to avahi via dbus +optional_policy(` + -+ dbus_system_bus_client_template(cyphesis,cyphesis_t) ++ dbus_system_bus_client_template(cyphesis, cyphesis_t) + + optional_policy(` + avahi_dbus_chat(cyphesis_t) @@ -14572,21 +14180,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyph + kerberos_use(cyphesis_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.fc serefpolicy-3.5.1/policy/modules/services/cyrus.fc ---- nsaserefpolicy/policy/modules/services/cyrus.fc 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/cyrus.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.fc serefpolicy-3.5.2/policy/modules/services/cyrus.fc +--- nsaserefpolicy/policy/modules/services/cyrus.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/cyrus.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -2,3 +2,5 @@ /usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0) /var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) + +/etc/rc.d/init.d/cyrus -- gen_context(system_u:object_r:cyrus_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.if serefpolicy-3.5.1/policy/modules/services/cyrus.if ---- nsaserefpolicy/policy/modules/services/cyrus.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/cyrus.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.if serefpolicy-3.5.2/policy/modules/services/cyrus.if +--- nsaserefpolicy/policy/modules/services/cyrus.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/cyrus.if 2008-08-05 12:15:11.000000000 -0400 @@ -39,3 +39,74 @@ files_search_var_lib($1) - stream_connect_pattern($1,cyrus_var_lib_t,cyrus_var_lib_t,cyrus_t) + stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t) ') + +######################################## @@ -14605,7 +14213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru + type cyrus_script_exec_t; + ') + -+ init_script_domtrans_spec($1,cyrus_script_exec_t) ++ init_script_domtrans_spec($1, cyrus_script_exec_t) +') + +######################################## 
@@ -14655,13 +14263,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru + manage_all_pattern($1, cyrus_var_lib_t) + + files_list_pids($1) -+ manage_all_pattern($1,cyrus_var_run_t) ++ manage_all_pattern($1, cyrus_var_run_t) +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.5.1/policy/modules/services/cyrus.te ---- nsaserefpolicy/policy/modules/services/cyrus.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/cyrus.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.5.2/policy/modules/services/cyrus.te +--- nsaserefpolicy/policy/modules/services/cyrus.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/cyrus.te 2008-08-05 12:15:11.000000000 -0400 @@ -19,6 +19,9 @@ type cyrus_var_run_t; files_pid_file(cyrus_var_run_t) @@ -14681,9 +14289,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.5.1/policy/modules/services/dbus.fc ---- nsaserefpolicy/policy/modules/services/dbus.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/dbus.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.5.2/policy/modules/services/dbus.fc +--- nsaserefpolicy/policy/modules/services/dbus.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/dbus.fc 2008-08-05 12:15:11.000000000 -0400 @@ -4,6 +4,9 @@ /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0) /bin/dbus-daemon -- gen_context(system_u:object_r:system_dbusd_exec_t,s0) 
@@ -14694,9 +14302,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.1/policy/modules/services/dbus.if ---- nsaserefpolicy/policy/modules/services/dbus.if 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/dbus.if 2008-07-28 08:37:05.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.2/policy/modules/services/dbus.if +--- nsaserefpolicy/policy/modules/services/dbus.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/dbus.if 2008-08-05 12:15:11.000000000 -0400 @@ -53,6 +53,7 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; @@ -14706,7 +14314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ############################## @@ -64,8 +65,6 @@ - domain_entry_file($1_dbusd_t,system_dbusd_exec_t) + domain_entry_file($1_dbusd_t, system_dbusd_exec_t) role $3 types $1_dbusd_t; - type $1_dbusd_$1_t; @@ -14736,7 +14344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + allow $2 system_dbusd_t:dbus { send_msg acquire_svc }; allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; - read_files_pattern($1_dbusd_t,dbusd_etc_t,dbusd_etc_t) + read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t) @@ -102,10 +105,9 @@ files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir }) @@ -14828,7 +14436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus files_search_var_lib($2) 
@@ -223,6 +241,10 @@ files_search_pids($2) - stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t) + stream_connect_pattern($2, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) dbus_read_config($2) + + optional_policy(` @@ -14961,13 +14569,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + ') + + domain_type($1) -+ domain_entry_file($1,$2) ++ domain_entry_file($1, $2) + + role system_r types $1; + -+ domtrans_pattern(system_dbusd_t,$2,$1) ++ domtrans_pattern(system_dbusd_t, $2, $1) + -+ dbus_system_bus_client_template($1,$1) ++ dbus_system_bus_client_template($1, $1) + dbus_connect_system_bus($1) + +') @@ -14990,9 +14598,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + allow $1 system_dbusd_t:tcp_socket { read write }; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.5.1/policy/modules/services/dbus.te ---- nsaserefpolicy/policy/modules/services/dbus.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/dbus.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.5.2/policy/modules/services/dbus.te +--- nsaserefpolicy/policy/modules/services/dbus.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/dbus.te 2008-08-05 12:15:11.000000000 -0400 @@ -9,9 +9,10 @@ # # Delcarations 
@@ -15016,11 +14624,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus files_pid_file(system_dbusd_var_run_t) +ifdef(`enable_mcs',` -+ init_ranged_daemon_domain(system_dbusd_t,system_dbusd_exec_t,s0 - mcs_systemhigh) ++ init_ranged_daemon_domain(system_dbusd_t, system_dbusd_exec_t,s0 - mcs_systemhigh) +') + +ifdef(`enable_mls',` -+ init_ranged_daemon_domain(system_dbusd_t,system_dbusd_exec_t,s0 - mls_systemhigh) ++ init_ranged_daemon_domain(system_dbusd_t, system_dbusd_exec_t,s0 - mls_systemhigh) + mls_fd_use_all_levels(system_dbusd_t) + mls_rangetrans_target(system_dbusd_t) + mls_file_read_all_levels(system_dbusd_t) @@ -15043,11 +14651,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus # Receive notifications of policy reloads and enforcing status changes. allow system_dbusd_t self:netlink_selinux_socket { create bind read }; -+can_exec(system_dbusd_t,system_dbusd_exec_t) ++can_exec(system_dbusd_t, system_dbusd_exec_t) + allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; - read_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t) - read_lnk_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t) + read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) + read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) @@ -65,6 +80,8 @@ fs_getattr_all_fs(system_dbusd_t) 
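Review bot: The argument-spacing normalisation in this hunk is incomplete: both rewritten calls still read `init_ranged_daemon_domain(system_dbusd_t, system_dbusd_exec_t,s0 - mcs_systemhigh)` (and the `mls_systemhigh` twin), with no space after the second comma, so the lines will be touched again by the next whitespace pass. Change them to `init_ranged_daemon_domain(system_dbusd_t, system_dbusd_exec_t, s0 - mcs_systemhigh)` and `init_ranged_daemon_domain(system_dbusd_t, system_dbusd_exec_t, s0 - mls_systemhigh)`. The enclosing `ifdef(`enable_mls'` block continues past the hunk.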
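Review bot: `can_exec(system_dbusd_t, system_dbusd_exec_t)` grants the system bus the right to execute its own binary without a domain transition, and the hunk gives no reason for it; a one-line why-comment would keep that allowance from being questioned or removed later. Suggested: `# dbus-daemon is allowed to re-exec its own binary in-domain (presumably on reload) — confirm the actual trigger`. Only the spacing of this call changes here, so the comment can go in with the same line.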
@@ -15113,9 +14721,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + xserver_xdm_rw_shm(unconfined_dbusd_t) + ') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.5.1/policy/modules/services/dcc.if ---- nsaserefpolicy/policy/modules/services/dcc.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/dcc.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.5.2/policy/modules/services/dcc.if +--- nsaserefpolicy/policy/modules/services/dcc.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/dcc.if 2008-08-05 12:15:11.000000000 -0400 @@ -72,6 +72,24 @@ ######################################## @@ -15141,9 +14749,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. ## Execute dcc_client in the dcc_client domain, and ## allow the specified role the dcc_client domain. ##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.5.1/policy/modules/services/dcc.te ---- nsaserefpolicy/policy/modules/services/dcc.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/dcc.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.5.2/policy/modules/services/dcc.te +--- nsaserefpolicy/policy/modules/services/dcc.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/dcc.te 2008-08-05 12:15:11.000000000 -0400 @@ -105,6 +105,8 @@ files_read_etc_files(cdcc_t) files_read_etc_runtime_files(cdcc_t) @@ -15238,11 +14846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. libs_use_ld_so(dccd_t) libs_use_shared_libs(dccd_t) -@@ -273,14 +267,9 @@ - sysnet_dns_name_resolve(dccd_t) - - userdom_dontaudit_use_unpriv_user_fds(dccd_t) -- +@@ -277,10 +271,6 @@ sysadm_dontaudit_search_home_dirs(dccd_t) optional_policy(` @@ -15253,7 +14857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. seutil_sigchld_newrole(dccd_t) ') -@@ -336,6 +325,8 @@ +@@ -336,6 +326,8 @@ fs_getattr_all_fs(dccifd_t) fs_search_auto_mountpoints(dccifd_t) @@ -15262,7 +14866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. libs_use_ld_so(dccifd_t) libs_use_shared_libs(dccifd_t) -@@ -343,18 +334,10 @@ +@@ -343,11 +335,7 @@ miscfiles_read_localization(dccifd_t) @@ -15274,6 +14878,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. sysadm_dontaudit_search_home_dirs(dccifd_t) optional_policy(` +@@ -351,10 +339,6 @@ + sysadm_dontaudit_search_home_dirs(dccifd_t) + + optional_policy(` - nscd_socket_use(dccifd_t) -') - 
@@ -15281,7 +14889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. seutil_sigchld_newrole(dccifd_t) ') -@@ -409,6 +392,8 @@ +@@ -409,6 +393,8 @@ fs_getattr_all_fs(dccm_t) fs_search_auto_mountpoints(dccm_t) @@ -15290,7 +14898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. libs_use_ld_so(dccm_t) libs_use_shared_libs(dccm_t) -@@ -416,18 +401,10 @@ +@@ -416,11 +402,7 @@ miscfiles_read_localization(dccm_t) @@ -15302,6 +14910,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. sysadm_dontaudit_search_home_dirs(dccm_t) optional_policy(` +@@ -424,10 +406,6 @@ + sysadm_dontaudit_search_home_dirs(dccm_t) + + optional_policy(` - nscd_socket_use(dccm_t) -') - @@ -15309,18 +14921,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. seutil_sigchld_newrole(dccm_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.fc serefpolicy-3.5.1/policy/modules/services/ddclient.fc ---- nsaserefpolicy/policy/modules/services/ddclient.fc 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/ddclient.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.fc serefpolicy-3.5.2/policy/modules/services/ddclient.fc +--- nsaserefpolicy/policy/modules/services/ddclient.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/ddclient.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -9,3 +9,5 @@ /var/log/ddtcd\.log.* -- gen_context(system_u:object_r:ddclient_log_t,s0) /var/run/ddclient\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0) /var/run/ddtcd\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0) +/etc/rc.d/init.d/ddclient -- gen_context(system_u:object_r:ddclient_script_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.5.1/policy/modules/services/ddclient.if ---- nsaserefpolicy/policy/modules/services/ddclient.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/ddclient.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.5.2/policy/modules/services/ddclient.if +--- nsaserefpolicy/policy/modules/services/ddclient.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/ddclient.if 2008-08-05 12:15:11.000000000 -0400 @@ -18,3 +18,81 @@ corecmd_search_bin($1) domtrans_pattern($1, ddclient_exec_t, ddclient_t) @@ -15342,7 +14954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddcl + type ddclient_script_exec_t; + ') + -+ init_script_domtrans_spec($1,ddclient_script_exec_t) ++ init_script_domtrans_spec($1, ddclient_script_exec_t) +') + +######################################## 
@@ -15388,26 +15000,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddcl + allow $2 system_r; + + files_list_etc($1) -+ manage_all_pattern($1,ddclient_etc_t) ++ manage_all_pattern($1, ddclient_etc_t) + + files_list_var($1) -+ manage_all_pattern($1,ddclient_var_t) ++ manage_all_pattern($1, ddclient_var_t) + + logging_list_logs($1) -+ manage_all_pattern($1,ddclient_log_t) ++ manage_all_pattern($1, ddclient_log_t) + + files_list_var_lib($1) -+ manage_all_pattern($1,ddclient_var_lib_t) ++ manage_all_pattern($1, ddclient_var_lib_t) + + files_list_pids($1) -+ manage_all_pattern($1,ddclient_var_run_t) ++ manage_all_pattern($1, ddclient_var_run_t) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.te serefpolicy-3.5.1/policy/modules/services/ddclient.te ---- nsaserefpolicy/policy/modules/services/ddclient.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/ddclient.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.te serefpolicy-3.5.2/policy/modules/services/ddclient.te +--- nsaserefpolicy/policy/modules/services/ddclient.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/ddclient.te 2008-08-05 12:15:11.000000000 -0400 @@ -11,7 +11,7 @@ - init_daemon_domain(ddclient_t,ddclient_exec_t) + init_daemon_domain(ddclient_t, ddclient_exec_t) type ddclient_etc_t; -files_type(ddclient_etc_t) 
@@ -15425,9 +15037,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddcl ######################################## # # Declarations -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.fc serefpolicy-3.5.1/policy/modules/services/dhcp.fc ---- nsaserefpolicy/policy/modules/services/dhcp.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/dhcp.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.fc serefpolicy-3.5.2/policy/modules/services/dhcp.fc +--- nsaserefpolicy/policy/modules/services/dhcp.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/dhcp.fc 2008-08-05 12:15:11.000000000 -0400 @@ -5,3 +5,6 @@ /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) @@ -15435,9 +15047,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp + +/etc/rc.d/init.d/dhcpd -- gen_context(system_u:object_r:dhcpd_script_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.5.1/policy/modules/services/dhcp.if ---- nsaserefpolicy/policy/modules/services/dhcp.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/dhcp.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.5.2/policy/modules/services/dhcp.if +--- nsaserefpolicy/policy/modules/services/dhcp.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/dhcp.if 2008-08-05 12:15:11.000000000 -0400 @@ -19,3 +19,71 @@ sysnet_search_dhcp_state($1) allow $1 dhcpd_state_t:file setattr; 
@@ -15459,7 +15071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp + type dhcpd_script_exec_t; + ') + -+ init_script_domtrans_spec($1,dhcpd_script_exec_t) ++ init_script_domtrans_spec($1, dhcpd_script_exec_t) +') + +######################################## @@ -15503,16 +15115,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp + allow $2 system_r; + + files_list_tmp($1) -+ manage_all_pattern($1,dhcpd_tmp_t) ++ manage_all_pattern($1, dhcpd_tmp_t) + -+ manage_all_pattern($1,dhcpd_state_t) ++ manage_all_pattern($1, dhcpd_state_t) + + files_list_pids($1) -+ manage_all_pattern($1,dhcpd_var_run_t) ++ manage_all_pattern($1, dhcpd_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.5.1/policy/modules/services/dhcp.te ---- nsaserefpolicy/policy/modules/services/dhcp.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/dhcp.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.5.2/policy/modules/services/dhcp.te +--- nsaserefpolicy/policy/modules/services/dhcp.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/dhcp.te 2008-08-05 12:15:11.000000000 -0400 @@ -19,18 +19,20 @@ type dhcpd_var_run_t; files_pid_file(dhcpd_var_run_t) @@ -15553,7 +15165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp libs_use_ld_so(dhcpd_t) libs_use_shared_libs(dhcpd_t) -@@ -95,11 +100,9 @@ +@@ -95,7 +100,6 @@ miscfiles_read_localization(dhcpd_t) 
@@ -15561,11 +15173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp sysnet_read_dhcp_config(dhcpd_t) userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) -- - sysadm_dontaudit_search_home_dirs(dhcpd_t) - - ifdef(`distro_gentoo',` -@@ -117,14 +120,6 @@ +@@ -117,14 +121,6 @@ ') optional_policy(` @@ -15580,9 +15188,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp seutil_sigchld_newrole(dhcpd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.5.1/policy/modules/services/dictd.fc ---- nsaserefpolicy/policy/modules/services/dictd.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/dictd.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.5.2/policy/modules/services/dictd.fc +--- nsaserefpolicy/policy/modules/services/dictd.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/dictd.fc 2008-08-05 12:15:11.000000000 -0400 @@ -4,3 +4,6 @@ /usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0) 
@@ -15590,9 +15198,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dict +/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0) + +/etc/rc.d/init.d/dictd -- gen_context(system_u:object_r:dictd_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.if serefpolicy-3.5.1/policy/modules/services/dictd.if ---- nsaserefpolicy/policy/modules/services/dictd.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/dictd.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.if serefpolicy-3.5.2/policy/modules/services/dictd.if +--- nsaserefpolicy/policy/modules/services/dictd.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/dictd.if 2008-08-05 12:15:11.000000000 -0400 @@ -14,3 +14,73 @@ interface(`dictd_tcp_connect',` refpolicywarn(`$0($*) has been deprecated.') @@ -15614,7 +15222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dict + type dictd_script_exec_t; + ') + -+ init_script_domtrans_spec($1,dictd_script_exec_t) ++ init_script_domtrans_spec($1, dictd_script_exec_t) +') + +######################################## 
@@ -15658,18 +15266,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dict + allow $2 system_r; + + files_list_etc($1) -+ manage_all_pattern($1,dictd_etc_t) ++ manage_all_pattern($1, dictd_etc_t) + + files_list_var_lib($1) -+ manage_all_pattern($1,dictd_var_lib_t) ++ manage_all_pattern($1, dictd_var_lib_t) + + files_list_pids($1) -+ manage_all_pattern($1,dictd_var_run_t) ++ manage_all_pattern($1, dictd_var_run_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.te serefpolicy-3.5.1/policy/modules/services/dictd.te ---- nsaserefpolicy/policy/modules/services/dictd.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/dictd.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.te serefpolicy-3.5.2/policy/modules/services/dictd.te +--- nsaserefpolicy/policy/modules/services/dictd.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/dictd.te 2008-08-05 12:15:11.000000000 -0400 @@ -16,6 +16,12 @@ type dictd_var_lib_t alias var_lib_dictd_t; files_type(dictd_var_lib_t) 
@@ -15687,15 +15295,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dict allow dictd_t dictd_var_lib_t:dir list_dir_perms; allow dictd_t dictd_var_lib_t:file read_file_perms; -+manage_files_pattern(dictd_t,dictd_var_run_t,dictd_var_run_t) -+files_pid_filetrans(dictd_t,dictd_var_run_t,file) ++manage_files_pattern(dictd_t, dictd_var_run_t, dictd_var_run_t) ++files_pid_filetrans(dictd_t, dictd_var_run_t, file) + kernel_read_system_state(dictd_t) kernel_read_kernel_sysctls(dictd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.5.1/policy/modules/services/dnsmasq.fc ---- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/dnsmasq.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.5.2/policy/modules/services/dnsmasq.fc +--- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/dnsmasq.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1,4 +1,7 @@ /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) 
@@ -15704,9 +15312,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) + +/etc/rc.d/init.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.5.1/policy/modules/services/dnsmasq.if ---- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/dnsmasq.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.5.2/policy/modules/services/dnsmasq.if +--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/dnsmasq.if 2008-08-05 12:15:11.000000000 -0400 @@ -1 +1,125 @@ ## dnsmasq DNS forwarder and DHCP server + @@ -15728,7 +15336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm + ') + + corecmd_search_bin($1) -+ domtrans_pattern($1,dnsmasq_exec_t, dnsmasq_t) ++ domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t) +') + +######################################## @@ -15747,7 +15355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm + type dnsmasq_script_exec_t; + ') + -+ init_script_domtrans_spec($1,dnsmasq_script_exec_t) ++ init_script_domtrans_spec($1, dnsmasq_script_exec_t) +') + +######################################## 
@@ -15828,14 +15436,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm + allow $2 system_r; + + files_list_var_lib($1) -+ manage_all_pattern($1,dnsmasq_lease_t) ++ manage_all_pattern($1, dnsmasq_lease_t) + + files_list_pids($1) -+ manage_all_pattern($1,dnsmasq_var_run_t) ++ manage_all_pattern($1, dnsmasq_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.5.1/policy/modules/services/dnsmasq.te ---- nsaserefpolicy/policy/modules/services/dnsmasq.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/dnsmasq.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.5.2/policy/modules/services/dnsmasq.te +--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/dnsmasq.te 2008-08-05 12:15:11.000000000 -0400 @@ -16,6 +16,9 @@ type dnsmasq_var_run_t; files_pid_file(dnsmasq_var_run_t) @@ -15863,7 +15471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm +manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t) files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file) - manage_files_pattern(dnsmasq_t,dnsmasq_var_run_t,dnsmasq_var_run_t) + manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) @@ -56,7 +59,7 @@ corenet_udp_bind_all_nodes(dnsmasq_t) corenet_tcp_bind_dns_port(dnsmasq_t) 
@@ -15881,9 +15489,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm +optional_policy(` + virt_manage_lib_files(dnsmasq_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.5.1/policy/modules/services/dovecot.fc ---- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/dovecot.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.5.2/policy/modules/services/dovecot.fc +--- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/dovecot.fc 2008-08-05 12:15:11.000000000 -0400 @@ -17,23 +17,24 @@ ifdef(`distro_debian', ` @@ -15914,9 +15522,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove +/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) +/etc/rc.d/init.d/dovecot -- gen_context(system_u:object_r:dovecot_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.5.1/policy/modules/services/dovecot.if ---- nsaserefpolicy/policy/modules/services/dovecot.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/dovecot.if 2008-07-30 16:47:19.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.5.2/policy/modules/services/dovecot.if +--- nsaserefpolicy/policy/modules/services/dovecot.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/dovecot.if 2008-08-05 12:15:11.000000000 -0400 @@ -21,7 +21,46 @@ ######################################## 
@@ -15956,7 +15564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + type dovecot_deliver_t, dovecot_deliver_exec_t; + ') + -+ domtrans_pattern($1,dovecot_deliver_exec_t,dovecot_deliver_t) ++ domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t) +') + +####################################### @@ -15986,7 +15594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + type dovecot_script_exec_t; + ') + -+ init_script_domtrans_spec($1,dovecot_script_exec_t) ++ init_script_domtrans_spec($1, dovecot_script_exec_t) +') + +######################################## 
@@ -16035,37 +15643,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + allow $2 system_r; + + files_list_etc($1) -+ manage_all_pattern($1,dovecot_etc_t) ++ manage_all_pattern($1, dovecot_etc_t) + + logging_list_logs($1) -+ manage_all_pattern($1,dovecot_log_t) ++ manage_all_pattern($1, dovecot_log_t) + + files_list_spool($1) -+ manage_all_pattern($1,dovecot_spool_t) ++ manage_all_pattern($1, dovecot_spool_t) + + files_list_var_lib($1) -+ manage_all_pattern($1,dovecot_var_lib_t) ++ manage_all_pattern($1, dovecot_var_lib_t) + + files_list_pids($1) -+ manage_all_pattern($1,dovecot_var_run_t) ++ manage_all_pattern($1, dovecot_var_run_t) + -+ manage_all_pattern($1,dovecot_cert_t) ++ manage_all_pattern($1, dovecot_cert_t) + -+ manage_all_pattern($1,dovecot_passwd_t) ++ manage_all_pattern($1, dovecot_passwd_t) +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.5.1/policy/modules/services/dovecot.te ---- nsaserefpolicy/policy/modules/services/dovecot.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/dovecot.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.5.2/policy/modules/services/dovecot.te +--- nsaserefpolicy/policy/modules/services/dovecot.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/dovecot.te 2008-08-05 12:15:11.000000000 -0400 @@ -15,6 +15,12 @@ - domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t) + domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) role system_r types dovecot_auth_t; +type dovecot_deliver_t; +type dovecot_deliver_exec_t; +domain_type(dovecot_deliver_t) -+domain_entry_file(dovecot_deliver_t,dovecot_deliver_exec_t) ++domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) +role system_r types dovecot_deliver_t; + type dovecot_cert_t; 
@@ -16132,8 +15740,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_auth_t dovecot_passwd_t:file { getattr read }; -+manage_dirs_pattern(dovecot_auth_t,dovecot_auth_tmp_t,dovecot_auth_tmp_t) -+manage_files_pattern(dovecot_auth_t,dovecot_auth_tmp_t,dovecot_auth_tmp_t) ++manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) ++manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) +files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) + +# log files @@ -16141,7 +15749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove +logging_log_filetrans(dovecot_t, dovecot_var_log_t, file) + # Allow dovecot to create and read SSL parameters file - manage_files_pattern(dovecot_t,dovecot_var_lib_t,dovecot_var_lib_t) + manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t) files_search_var_lib(dovecot_t) +files_read_var_symlinks(dovecot_t) @@ -16220,9 +15828,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + mta_manage_spool(dovecot_deliver_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.5.1/policy/modules/services/exim.if ---- nsaserefpolicy/policy/modules/services/exim.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/exim.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.5.2/policy/modules/services/exim.if +--- nsaserefpolicy/policy/modules/services/exim.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/exim.if 2008-08-05 12:15:11.000000000 -0400 @@ -97,6 +97,26 @@ ######################################## 
@@ -16250,19 +15858,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim ## Allow the specified domain to append ## exim log files. ##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.5.1/policy/modules/services/exim.te ---- nsaserefpolicy/policy/modules/services/exim.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/exim.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.5.2/policy/modules/services/exim.te +--- nsaserefpolicy/policy/modules/services/exim.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/exim.te 2008-08-05 14:26:27.000000000 -0400 @@ -21,9 +21,20 @@ ##
- gen_tunable(exim_manage_user_files,false) + gen_tunable(exim_manage_user_files, false) +## +##

+## Allow exim to connect to databases (postgres, mysql) +##

+##
-+gen_tunable(exim_can_connect_db,false) ++gen_tunable(exim_can_connect_db, false) + type exim_t; type exim_exec_t; @@ -16297,7 +15905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim can_exec(exim_t,exim_exec_t) -@@ -66,29 +82,39 @@ +@@ -66,12 +82,15 @@ files_pid_filetrans(exim_t, exim_var_run_t, { file dir }) kernel_read_kernel_sysctls(exim_t) @@ -16314,26 +15922,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim corenet_tcp_sendrecv_all_if(exim_t) corenet_tcp_sendrecv_all_nodes(exim_t) corenet_tcp_sendrecv_all_ports(exim_t) - corenet_tcp_bind_all_nodes(exim_t) - corenet_tcp_bind_smtp_port(exim_t) - corenet_tcp_bind_amavisd_send_port(exim_t) --corenet_tcp_connect_auth_port(exim_t) +@@ -82,6 +101,8 @@ corenet_tcp_connect_smtp_port(exim_t) --corenet_tcp_connect_ldap_port(exim_t) -+corenet_tcp_sendrecv_smtp_port(exim_t) -+corenet_sendrecv_smtp_server_packets(exim_t) -+corenet_sendrecv_all_client_packets(exim_t) -+ -+corenet_tcp_connect_auth_port(exim_t) + corenet_tcp_connect_ldap_port(exim_t) corenet_tcp_connect_inetd_child_port(exim_t) -+corenet_tcp_sendrecv_auth_port(exim_t) - --dev_read_rand(exim_t) --dev_read_urand(exim_t) +# connect to spamassassin +corenet_tcp_connect_spamd_port(exim_t) -+corenet_tcp_sendrecv_spamd_port(exim_t) + dev_read_rand(exim_t) + dev_read_urand(exim_t) +@@ -89,6 +110,8 @@ # Init script handling domain_use_interactive_fds(exim_t) 
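Review bot: `corenet_tcp_connect_spamd_port(exim_t)` is added on its own, whereas the mysqld connect further down in this same file is paired with `corenet_sendrecv_mysqld_client_packets(exim_t)`; with SECMARK packet labelling in effect the spamd connection would still be denied on the packet class. If corenetwork generates the spamd packet interfaces the same way it does for mysqld (not verifiable from here), add `corenet_sendrecv_spamd_client_packets(exim_t)` directly under the `# connect to spamassassin` comment. The previous revision of this patch also carried `corenet_sendrecv_all_client_packets(exim_t)`, which this revision drops without a note; confirm that is intentional rather than lost in the re-diff.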
@@ -16342,25 +15940,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim files_read_etc_files(exim_t) auth_use_nsswitch(exim_t) -@@ -99,23 +125,99 @@ +@@ -99,23 +122,81 @@ logging_send_syslog_msg(exim_t) miscfiles_read_localization(exim_t) +miscfiles_read_certs(exim_t) -sysnet_dns_name_resolve(exim_t) -- --unprivuser_dontaudit_search_home_dirs(exim_t) +fs_getattr_xattr_fs(exim_t) + unprivuser_dontaudit_search_home_dirs(exim_t) + mta_read_aliases(exim_t) -mta_rw_spool(exim_t) -- --sysadm_dontaudit_search_home_dirs(exim_t) +mta_read_config(exim_t) +mta_manage_spool(exim_t) +mta_mailserver_delivery(exim_t) + sysadm_dontaudit_search_home_dirs(exim_t) + tunable_policy(`exim_read_user_files',` - userdom_read_unpriv_users_home_content_files(exim_t) - userdom_read_unpriv_users_tmp_files(exim_t) @@ -16377,10 +15975,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + unprivuser_write_tmp_files(exim_t) +') + -+# TLS sessions need entropy -+dev_read_urand(exim_t) -+dev_read_rand(exim_t) -+ +tunable_policy(`exim_can_connect_db',` + corenet_tcp_connect_mysqld_port(exim_t) + corenet_sendrecv_mysqld_client_packets(exim_t) @@ -16397,8 +15991,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim +optional_policy(` + tunable_policy(`exim_can_connect_db',` + postgresql_stream_connect(exim_t) -+ ') - ') ++') ++') + +optional_policy(` + kerberos_keytab_template(exim, exim_t) @@ -16426,8 +16020,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + cyrus_stream_connect(exim_t) +') + -+# receipt & validation -+ +optional_policy(` + clamav_domtrans_clamscan(exim_t) + clamav_stream_connect(exim_t) 
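Review bot: `mta_manage_spool(exim_t)` and `mta_mailserver_delivery(exim_t)` replace the stock `mta_rw_spool(exim_t)` with no comment on why exim needs create/unlink over the whole mail spool rather than read/write, so the widening will be carried forward silently. Add a why-comment above `mta_manage_spool(exim_t)`, e.g. `# manage (not just rw) on the mail spool: exim creates and removes its own queue files here` — confirm that is the actual reason before committing the text. The `exim_can_connect_db` tunable blocks and the surrounding `optional_policy` calls continue past the end of this hunk.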
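Review bot: The two `')` lines that close the `postgresql_stream_connect(exim_t)` block are now both emitted at column 0 (`++')` twice, where the earlier revision had an indented inner closer), while their openers are nested (`optional_policy(`` then a tab-indented `tunable_policy(`exim_can_connect_db',``); refpolicy style indents the inner closer one tab, as the mysqld `tunable_policy` block just above does. Change the first of the pair to a tab-indented `')` and leave the second at column 0. This is read from the rendered `+` lines, so verify against the working tree in case whitespace was lost in rendering.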
@@ -16436,26 +16028,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim +optional_policy(` + spamassassin_exec(exim_t) + spamassassin_exec_client(exim_t) -+') -+ -+# Debian uses a template based config generator which generates config -+# files under /var -+ifdef(`distro_debian',` -+ type exim_var_lib_t; -+ files_config_file(exim_var_lib_t) -+ exim_read_lib(exim_t) -+ -+ type exim_lib_update_t; -+ type exim_lib_update_exec_t; -+ init_domain(exim_lib_update_t, exim_lib_update_exec_t) -+ domain_entry_file(exim_lib_update_t, exim_lib_update_exec_t) -+ exim_read_lib(exim_lib_update_t) -+ exim_manage_var_lib(exim_lib_update_t) -+') -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.5.1/policy/modules/services/fail2ban.fc ---- nsaserefpolicy/policy/modules/services/fail2ban.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/fail2ban.fc 2008-07-25 12:35:13.000000000 -0400 + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.5.2/policy/modules/services/fail2ban.fc +--- nsaserefpolicy/policy/modules/services/fail2ban.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/fail2ban.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1,3 +1,7 @@ /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) +/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) 
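Review bot: Dropping the `ifdef(`distro_debian',` block removes the declarations of `exim_var_lib_t`, `exim_lib_update_t` and `exim_lib_update_exec_t` together with the `exim_read_lib`/`exim_manage_var_lib` calls; if this patch's exim.if or exim.fc (not visible here) still defines interfaces that `gen_require` those types or labels paths with them, the first caller of those interfaces, or the file-context validation, will break, so the companion exim.if/exim.fc hunks should be checked in the same commit. The regenerated header `diff -b -B --ignore-all-space ...` also means whitespace-only differences between upstream and the patched tree are no longer captured, so the patch no longer reproduces that tree byte-exact; harmless for m4 policy, but worth a sentence in the commit message so the next rebase does not treat the drift as unexplained.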
@@ -16464,9 +16040,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail +/var/run/fail2ban\.sock -s gen_context(system_u:object_r:fail2ban_var_run_t,s0) +/etc/rc.d/init.d/fail2ban -- gen_context(system_u:object_r:fail2ban_script_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.5.1/policy/modules/services/fail2ban.if ---- nsaserefpolicy/policy/modules/services/fail2ban.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/fail2ban.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.5.2/policy/modules/services/fail2ban.if +--- nsaserefpolicy/policy/modules/services/fail2ban.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/fail2ban.if 2008-08-05 12:15:11.000000000 -0400 @@ -78,3 +78,68 @@ files_search_pids($1) allow $1 fail2ban_var_run_t:file read_file_perms; @@ -16488,7 +16064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail + type fail2ban_script_exec_t; + ') + -+ init_script_domtrans_spec($1,fail2ban_script_exec_t) ++ init_script_domtrans_spec($1, fail2ban_script_exec_t) +') + +######################################## 
@@ -16531,14 +16107,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail + allow $2 system_r; + + logging_list_logs($1) -+ manage_all_pattern($1,fail2ban_log_t) ++ manage_all_pattern($1, fail2ban_log_t) + + files_list_pids($1) -+ manage_all_pattern($1,fail2ban_var_run_t) ++ manage_all_pattern($1, fail2ban_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.5.1/policy/modules/services/fail2ban.te ---- nsaserefpolicy/policy/modules/services/fail2ban.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/fail2ban.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.5.2/policy/modules/services/fail2ban.te +--- nsaserefpolicy/policy/modules/services/fail2ban.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/fail2ban.te 2008-08-05 12:15:11.000000000 -0400 @@ -18,6 +18,9 @@ type fail2ban_var_run_t; files_pid_file(fail2ban_var_run_t) @@ -16559,13 +16135,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail # log files allow fail2ban_t fail2ban_log_t:dir setattr; 
@@ -33,8 +36,9 @@ - logging_log_filetrans(fail2ban_t,fail2ban_log_t,file) + logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) # pid file -+manage_sock_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t) - manage_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t) --files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file) -+files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, { file sock_file }) ++manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) + manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) +-files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file) ++files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { file sock_file }) kernel_read_system_state(fail2ban_t) @@ -16609,26 +16185,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail iptables_domtrans(fail2ban_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.if serefpolicy-3.5.1/policy/modules/services/fetchmail.if ---- nsaserefpolicy/policy/modules/services/fetchmail.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/fetchmail.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.if serefpolicy-3.5.2/policy/modules/services/fetchmail.if +--- nsaserefpolicy/policy/modules/services/fetchmail.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/fetchmail.if 2008-08-05 14:27:23.000000000 -0400 
@@ -21,10 +21,10 @@ ps_process_pattern($1, fetchmail_t) files_list_etc($1) - manage_files_pattern($1, fetchmail_etc_t, fetchmail_etc_t) -+ manage_all_pattern($1,fetchmail_etc_t) ++ manage_all_pattern($1, fetchmail_etc_t) - manage_files_pattern($1, fetchmail_uidl_cache_t, fetchmail_uidl_cache_t) -+ manage_all_pattern($1,fetchmail_uidl_cache_t) ++ manage_all_pattern($1, fetchmail_uidl_cache_t) files_list_pids($1) - manage_files_pattern($1, fetchmail_var_run_t, fetchmail_var_run_t) -+ manage_all_pattern($1,fetchmail_var_run_t) ++ manage_all_pattern($1, fetchmail_var_run_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.5.1/policy/modules/services/fetchmail.te ---- nsaserefpolicy/policy/modules/services/fetchmail.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/fetchmail.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.5.2/policy/modules/services/fetchmail.te +--- nsaserefpolicy/policy/modules/services/fetchmail.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/fetchmail.te 2008-08-05 12:15:11.000000000 -0400 @@ -14,7 +14,7 @@ files_pid_file(fetchmail_var_run_t) 
@@ -16649,9 +16225,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetc seutil_sigchld_newrole(fetchmail_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.5.1/policy/modules/services/ftp.fc ---- nsaserefpolicy/policy/modules/services/ftp.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/ftp.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.5.2/policy/modules/services/ftp.fc +--- nsaserefpolicy/policy/modules/services/ftp.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/ftp.fc 2008-08-05 12:15:11.000000000 -0400 @@ -27,3 +27,6 @@ /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) @@ -16659,24 +16235,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. + +/etc/rc.d/init.d/vsftpd -- gen_context(system_u:object_r:ftp_script_exec_t,s0) +/etc/rc.d/init.d/proftpd -- gen_context(system_u:object_r:ftp_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.5.1/policy/modules/services/ftp.if ---- nsaserefpolicy/policy/modules/services/ftp.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/ftp.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.5.2/policy/modules/services/ftp.if +--- nsaserefpolicy/policy/modules/services/ftp.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/ftp.if 2008-08-05 12:15:11.000000000 -0400 
@@ -28,11 +28,13 @@ type ftpd_t; ') -- userdom_manage_user_home_content_files($1,ftpd_t) -- userdom_manage_user_home_content_symlinks($1,ftpd_t) -- userdom_manage_user_home_content_sockets($1,ftpd_t) -- userdom_manage_user_home_content_pipes($1,ftpd_t) -- userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file }) +- userdom_manage_user_home_content_files($1, ftpd_t) +- userdom_manage_user_home_content_symlinks($1, ftpd_t) +- userdom_manage_user_home_content_sockets($1, ftpd_t) +- userdom_manage_user_home_content_pipes($1, ftpd_t) +- userdom_user_home_dir_filetrans_user_home_content($1, ftpd_t, { dir file lnk_file sock_file fifo_file }) + tunable_policy(`ftp_home_dir',` + unprivuser_manage_home_content_files(ftpd_t) + unprivuser_manage_home_content_symlinks(ftpd_t) + unprivuser_manage_home_content_sockets(ftpd_t) + unprivuser_manage_home_content_pipes(ftpd_t) -+ unprivuser_home_dir_filetrans_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file }) ++ unprivuser_home_dir_filetrans_home_content(ftpd_t, { dir file lnk_file sock_file fifo_file }) + ') ') @@ -16702,7 +16278,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. + type ftp_script_exec_t; + ') + -+ init_script_domtrans_spec($1,ftp_script_exec_t) ++ init_script_domtrans_spec($1, ftp_script_exec_t) +') + +######################################## 
@@ -16757,28 +16333,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. + miscfiles_manage_public_files($1) + + files_list_tmp($1) -+ manage_all_pattern($1,ftp_tmp_t) ++ manage_all_pattern($1, ftp_tmp_t) + + logging_list_logs($1) -+ manage_all_pattern($1,ftp_log_t) ++ manage_all_pattern($1, ftp_log_t) + -+ manage_all_pattern($1,xferlog_t) ++ manage_all_pattern($1, xferlog_t) + + files_list_etc($1) -+ manage_all_pattern($1,ftp_etc_t) ++ manage_all_pattern($1, ftp_etc_t) + + files_list_var($1) -+ manage_all_pattern($1,ftp_lock_t) ++ manage_all_pattern($1, ftp_lock_t) + + files_list_var_lib($1) -+ manage_all_pattern($1,ftp_var_lib_t) ++ manage_all_pattern($1, ftp_var_lib_t) + + files_list_pids($1) -+ manage_all_pattern($1,ftp_var_run_t) ++ manage_all_pattern($1, ftp_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.5.1/policy/modules/services/ftp.te ---- nsaserefpolicy/policy/modules/services/ftp.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/ftp.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.5.2/policy/modules/services/ftp.te +--- nsaserefpolicy/policy/modules/services/ftp.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/ftp.te 2008-08-05 12:15:11.000000000 -0400 @@ -75,6 +75,9 @@ type xferlog_t; logging_log_file(xferlog_t) @@ -16790,14 +16366,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. # # ftpd local policy 
@@ -106,9 +109,10 @@ - manage_sock_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t) - fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) + fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) -+manage_dirs_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t) - manage_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t) - manage_sock_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t) --files_pid_filetrans(ftpd_t,ftpd_var_run_t,file) -+files_pid_filetrans(ftpd_t,ftpd_var_run_t,{ file dir} ) ++manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) + manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) + manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) +-files_pid_filetrans(ftpd_t, ftpd_var_run_t, file) ++files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} ) # proftpd requires the client side to bind a socket so that # it can stat the socket to perform access control decisions, @@ -16842,15 +16418,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.fc serefpolicy-3.5.1/policy/modules/services/gamin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.fc serefpolicy-3.5.2/policy/modules/services/gamin.fc --- nsaserefpolicy/policy/modules/services/gamin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/services/gamin.fc 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/gamin.fc 2008-08-05 12:15:11.000000000 -0400 
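Review bot: The spacing normalization in the ftp.te hunk `@@ -106,9 +109,10 @@` still leaves `files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )` with an unbalanced class-set brace and a stray space before `)`, while the same construct in fail2ban.te earlier in this commit is written `{ file sock_file }`; suggest `files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })`. Since this line, paired with the new `manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)`, lets ftpd create directories under /var/run as ftpd_var_run_t, a one-line comment naming which of the ftp daemons needs a pid directory would document why the class set grew.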
@@ -0,0 +1,2 @@ + +/usr/libexec/gam_server -- gen_context(system_u:object_r:gamin_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.5.1/policy/modules/services/gamin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.5.2/policy/modules/services/gamin.if --- nsaserefpolicy/policy/modules/services/gamin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/services/gamin.if 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/gamin.if 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,57 @@ + +## policy for gamin @@ -16871,7 +16447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami + type gamin_exec_t; + ') + -+ domtrans_pattern($1,gamin_exec_t,gamin_t) ++ domtrans_pattern($1, gamin_exec_t, gamin_t) +') + +######################################## @@ -16889,7 +16465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami + type gamin_exec_t; + ') + -+ can_exec($1,gamin_exec_t) ++ can_exec($1, gamin_exec_t) +') + +######################################## @@ -16909,11 +16485,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami + + allow $1 gamin_t:unix_stream_socket connectto; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.5.1/policy/modules/services/gamin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.5.2/policy/modules/services/gamin.te --- nsaserefpolicy/policy/modules/services/gamin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/services/gamin.te 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/gamin.te 2008-08-05 12:15:11.000000000 -0400 
@@ -0,0 +1,39 @@ -+policy_module(gamin,1.0.0) ++policy_module(gamin, 1.0.0) + +######################################## +# @@ -16952,16 +16528,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami + +miscfiles_read_localization(gamin_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.5.1/policy/modules/services/gnomeclock.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.5.2/policy/modules/services/gnomeclock.fc --- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/services/gnomeclock.fc 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/gnomeclock.fc 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,3 @@ + +/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.5.1/policy/modules/services/gnomeclock.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.5.2/policy/modules/services/gnomeclock.if --- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/services/gnomeclock.if 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/gnomeclock.if 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,75 @@ + +## policy for gnomeclock @@ -16982,7 +16558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom + type gnomeclock_exec_t; + ') + -+ domtrans_pattern($1,gnomeclock_exec_t,gnomeclock_t) ++ domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t) +') + + 
@@ -17038,11 +16614,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom + allow $1 gnomeclock_t:dbus send_msg; + allow gnomeclock_t $1:dbus send_msg; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.5.1/policy/modules/services/gnomeclock.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.5.2/policy/modules/services/gnomeclock.te --- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/services/gnomeclock.te 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/gnomeclock.te 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,55 @@ -+policy_module(gnomeclock,1.0.0) ++policy_module(gnomeclock, 1.0.0) +######################################## +# +# Declarations 
@@ -17097,40 +16673,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom + polkit_read_lib(gnomeclock_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.5.1/policy/modules/services/hal.fc ---- nsaserefpolicy/policy/modules/services/hal.fc 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/hal.fc 2008-07-25 12:35:13.000000000 -0400 -@@ -16,15 +16,14 @@ - - /var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0) - --/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0) - /var/log/pm-suspend\.log gen_context(system_u:object_r:hald_log_t,s0) -+/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0) - --/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) --/var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0) - /var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) - /var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) -+/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) -+/var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0) - /var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0) -- - ifdef(`distro_gentoo',` - /var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) - ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.5.1/policy/modules/services/hal.if ---- nsaserefpolicy/policy/modules/services/hal.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/hal.if 2008-07-25 12:35:13.000000000 -0400 -@@ -195,7 +195,7 @@ - ## - ## - ## --## Domain allowed access. 
-+## Domain to not audit - ## - ## - # +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.5.2/policy/modules/services/hal.if +--- nsaserefpolicy/policy/modules/services/hal.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/hal.if 2008-08-05 14:29:29.000000000 -0400 @@ -302,3 +302,42 @@ files_search_pids($1) allow $1 hald_var_run_t:file rw_file_perms; @@ -17170,13 +16715,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. + ') + kernel_search_proc($1) + allow $1 hald_t:dir list_dir_perms; -+ read_files_pattern($1,hald_t,hald_t) -+ read_lnk_files_pattern($1,hald_t,hald_t) ++ read_files_pattern($1, hald_t, hald_t) ++ read_lnk_files_pattern($1, hald_t, hald_t) + dontaudit $1 hald_t:process ptrace; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.1/policy/modules/services/hal.te ---- nsaserefpolicy/policy/modules/services/hal.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/hal.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.2/policy/modules/services/hal.te +--- nsaserefpolicy/policy/modules/services/hal.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/hal.te 2008-08-05 14:31:25.000000000 -0400 @@ -49,6 +49,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) 
@@ -17187,53 +16732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ######################################## # # Local policy -@@ -82,9 +85,9 @@ - manage_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t) - manage_sock_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t) - --manage_dirs_pattern(hald_t, hald_var_run_t, hald_var_run_t) -+manage_dirs_pattern(hald_t,hald_var_run_t,hald_var_run_t) - manage_files_pattern(hald_t,hald_var_run_t,hald_var_run_t) --files_pid_filetrans(hald_t, hald_var_run_t, { dir file }) -+files_pid_filetrans(hald_t,hald_var_run_t,{ dir file }) - - kernel_read_system_state(hald_t) - kernel_read_network_state(hald_t) -@@ -121,7 +124,6 @@ - dev_setattr_generic_usb_dev(hald_t) - dev_setattr_usbfs_files(hald_t) - dev_rw_power_management(hald_t) --dev_read_raw_memory(hald_t) - # hal is now execing pm-suspend - dev_rw_sysfs(hald_t) - dev_read_video_dev(hald_t) -@@ -159,6 +161,8 @@ - selinux_compute_relabel_context(hald_t) - selinux_compute_user_contexts(hald_t) - -+dev_read_raw_memory(hald_t) -+ - storage_raw_read_removable_device(hald_t) - storage_raw_write_removable_device(hald_t) - storage_raw_read_fixed_disk(hald_t) -@@ -170,14 +174,14 @@ - - auth_use_nsswitch(hald_t) - --fstools_getattr_swap_files(hald_t) -- - init_domtrans_script(hald_t) - init_read_utmp(hald_t) - #hal runs shutdown, probably need a shutdown domain - init_rw_utmp(hald_t) - init_telinit(hald_t) - -+fstools_getattr_swap_files(hald_t) -+ - libs_use_ld_so(hald_t) - libs_use_shared_libs(hald_t) - libs_exec_ld_so(hald_t) -@@ -280,6 +284,12 @@ +@@ -280,6 +283,12 @@ ') optional_policy(` 
@@ -17246,20 +16745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. rpc_search_nfs_state_data(hald_t) ') -@@ -317,9 +327,9 @@ - manage_files_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t) - files_search_var_lib(hald_acl_t) - --manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) --manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) --files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) -+manage_dirs_pattern(hald_acl_t,hald_var_run_t,hald_var_run_t) -+manage_files_pattern(hald_acl_t,hald_var_run_t,hald_var_run_t) -+files_pid_filetrans(hald_acl_t,hald_var_run_t,{ dir file }) - - corecmd_exec_bin(hald_acl_t) - -@@ -344,13 +354,22 @@ +@@ -344,13 +353,22 @@ libs_use_ld_so(hald_acl_t) libs_use_shared_libs(hald_acl_t) 
@@ -17282,54 +16768,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) allow hald_t hald_mac_t:process signal; allow hald_mac_t hald_t:unix_stream_socket connectto; -@@ -359,13 +378,16 @@ - manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t) - files_search_var_lib(hald_mac_t) - --kernel_read_system_state(hald_mac_t) -- - dev_read_raw_memory(hald_mac_t) - dev_write_raw_memory(hald_mac_t) +@@ -366,6 +384,9 @@ dev_read_sysfs(hald_mac_t) files_read_usr_files(hald_mac_t) +files_read_etc_files(hald_mac_t) + -+kernel_read_system_state(hald_mac_t) -+ +auth_use_nsswitch(hald_mac_t) libs_use_ld_so(hald_mac_t) libs_use_shared_libs(hald_mac_t) -@@ -419,4 +441,4 @@ +@@ -419,4 +440,4 @@ # This is caused by a bug in hald and PolicyKit. # Should be removed when this is fixed -#cron_read_system_job_lib_files(hald_t) +cron_read_system_job_lib_files(hald_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.if serefpolicy-3.5.1/policy/modules/services/inetd.if ---- nsaserefpolicy/policy/modules/services/inetd.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/inetd.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.if serefpolicy-3.5.2/policy/modules/services/inetd.if +--- nsaserefpolicy/policy/modules/services/inetd.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/inetd.if 2008-08-05 12:15:11.000000000 -0400 
@@ -115,6 +115,10 @@ allow $1 inetd_t:tcp_socket rw_stream_socket_perms; allow $1 inetd_t:udp_socket rw_socket_perms; + + optional_policy(` -+ stunnel_service_domain($1,$2) ++ stunnel_service_domain($1, $2) + ') ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.5.1/policy/modules/services/inetd.te ---- nsaserefpolicy/policy/modules/services/inetd.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/inetd.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.5.2/policy/modules/services/inetd.te +--- nsaserefpolicy/policy/modules/services/inetd.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/inetd.te 2008-08-05 12:15:11.000000000 -0400 @@ -30,6 +30,10 @@ type inetd_child_var_run_t; files_pid_file(inetd_child_var_run_t) +ifdef(`enable_mcs',` -+ init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh) ++ init_ranged_daemon_domain(inetd_t, inetd_exec_t,s0 - mcs_systemhigh) +') + ######################################## @@ -17368,40 +16845,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet + files_search_home(inetd_child_t) - manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t) + manage_dirs_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t) 
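Review bot: In the hal.te inner hunk `@@ -366,6 +384,9 @@` the new `files_read_etc_files(hald_mac_t)` is probably redundant with the `auth_use_nsswitch(hald_mac_t)` added two lines below, which in refpolicy of this vintage typically already grants reading /etc in order to consult nsswitch.conf; confirm against this tree's authlogin.if and keep the one interface that states the intent. Because the inner context lines on the old side of this hunk show hald_mac_t holding `dev_read_raw_memory`/`dev_write_raw_memory`, giving it name-service reach is a widening of a sensitive helper, and a why-comment stating which lookup requires it (user or group names, for instance) would justify the grant. The same outer hunk's inetd.te line missed the comma normalization: `init_ranged_daemon_domain(inetd_t, inetd_exec_t,s0 - mcs_systemhigh)` should read `init_ranged_daemon_domain(inetd_t, inetd_exec_t, s0 - mcs_systemhigh)`.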
@@ -227,3 +237,7 @@ optional_policy(` unconfined_domain(inetd_child_t) ') + +optional_policy(` -+ inetd_service_domain(inetd_child_t,bin_t) ++ inetd_service_domain(inetd_child_t, bin_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.fc serefpolicy-3.5.1/policy/modules/services/inn.fc ---- nsaserefpolicy/policy/modules/services/inn.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/inn.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.fc serefpolicy-3.5.2/policy/modules/services/inn.fc +--- nsaserefpolicy/policy/modules/services/inn.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/inn.fc 2008-08-05 12:15:11.000000000 -0400 @@ -64,3 +64,5 @@ /var/run/news(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0) /var/spool/news(/.*)? gen_context(system_u:object_r:news_spool_t,s0) + +/etc/rc.d/init.d/innd -- gen_context(system_u:object_r:innd_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.if serefpolicy-3.5.1/policy/modules/services/inn.if ---- nsaserefpolicy/policy/modules/services/inn.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/inn.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.if serefpolicy-3.5.2/policy/modules/services/inn.if +--- nsaserefpolicy/policy/modules/services/inn.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/inn.if 2008-08-05 12:15:11.000000000 -0400 @@ -54,8 +54,7 @@ ') logging_rw_generic_log_dirs($1) - allow $1 innd_log_t:dir search; - allow $1 innd_log_t:file manage_file_perms; -+ manage_files_pattern($1, innd_log_t,innd_log_t) ++ manage_files_pattern($1, innd_log_t, innd_log_t) ') ######################################## 
@@ -176,3 +175,80 @@ corecmd_search_bin($1) - domtrans_pattern($1,innd_exec_t,innd_t) + domtrans_pattern($1, innd_exec_t, innd_t) ') + +######################################## @@ -17420,7 +16897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn. + type innd_script_exec_t; + ') + -+ init_script_domtrans_spec($1,innd_script_exec_t) ++ init_script_domtrans_spec($1, innd_script_exec_t) +') + +######################################## @@ -17466,23 +16943,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn. + allow $2 system_r; + + files_list_etc($1) -+ manage_all_pattern($1,innd_etc_t) ++ manage_all_pattern($1, innd_etc_t) + + logging_list_logs($1) -+ manage_all_pattern($1,innd_log_t) ++ manage_all_pattern($1, innd_log_t) + + files_list_spool($1) -+ manage_all_pattern($1,news_spool_t) ++ manage_all_pattern($1, news_spool_t) + + files_list_var_lib($1) -+ manage_all_pattern($1,innd_var_lib_t) ++ manage_all_pattern($1, innd_var_lib_t) + + files_list_pids($1) -+ manage_all_pattern($1,innd_var_run_t) ++ manage_all_pattern($1, innd_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.5.1/policy/modules/services/inn.te ---- nsaserefpolicy/policy/modules/services/inn.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/inn.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.5.2/policy/modules/services/inn.te +--- nsaserefpolicy/policy/modules/services/inn.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/inn.te 2008-08-05 12:15:11.000000000 -0400 @@ -22,7 +22,10 @@ files_pid_file(innd_var_run_t) 
@@ -17495,17 +16972,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn. ######################################## # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.fc serefpolicy-3.5.1/policy/modules/services/jabber.fc ---- nsaserefpolicy/policy/modules/services/jabber.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/jabber.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.fc serefpolicy-3.5.2/policy/modules/services/jabber.fc +--- nsaserefpolicy/policy/modules/services/jabber.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/jabber.fc 2008-08-05 12:15:11.000000000 -0400 @@ -2,3 +2,4 @@ /var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) /var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) +/etc/rc.d/init.d/jabber -- gen_context(system_u:object_r:jabber_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.if serefpolicy-3.5.1/policy/modules/services/jabber.if ---- nsaserefpolicy/policy/modules/services/jabber.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/jabber.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.if serefpolicy-3.5.2/policy/modules/services/jabber.if +--- nsaserefpolicy/policy/modules/services/jabber.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/jabber.if 2008-08-05 12:15:11.000000000 -0400 @@ -13,3 +13,73 @@ interface(`jabber_tcp_connect',` refpolicywarn(`$0($*) has been deprecated.') 
@@ -17527,7 +17004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb + type jabber_script_exec_t; + ') + -+ init_script_domtrans_spec($1,jabber_script_exec_t) ++ init_script_domtrans_spec($1, jabber_script_exec_t) +') + +######################################## @@ -17571,18 +17048,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb + allow $2 system_r; + + logging_list_logs($1) -+ manage_all_pattern($1,jabber_log_t) ++ manage_all_pattern($1, jabber_log_t) + + files_list_var_lib($1) -+ manage_all_pattern($1,jabber_var_lib_t) ++ manage_all_pattern($1, jabber_var_lib_t) + + files_list_pids($1) -+ manage_all_pattern($1,jabber_var_run_t) ++ manage_all_pattern($1, jabber_var_run_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.te serefpolicy-3.5.1/policy/modules/services/jabber.te ---- nsaserefpolicy/policy/modules/services/jabber.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/jabber.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.te serefpolicy-3.5.2/policy/modules/services/jabber.te +--- nsaserefpolicy/policy/modules/services/jabber.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/jabber.te 2008-08-05 12:15:11.000000000 -0400 @@ -19,6 +19,9 @@ type jabberd_var_run_t; files_pid_file(jabberd_var_run_t) 
@@ -17593,9 +17070,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb ######################################## # # Local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.5.1/policy/modules/services/kerberos.fc ---- nsaserefpolicy/policy/modules/services/kerberos.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/kerberos.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.5.2/policy/modules/services/kerberos.fc +--- nsaserefpolicy/policy/modules/services/kerberos.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/kerberos.fc 2008-08-05 12:15:11.000000000 -0400 @@ -13,6 +13,14 @@ /var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) @@ -17611,9 +17088,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb +/etc/rc.d/init.d/krb524d -- gen_context(system_u:object_r:kerberos_script_exec_t,s0) +/etc/rc.d/init.d/kpropd -- gen_context(system_u:object_r:kerberos_script_exec_t,s0) +/etc/rc.d/init.d/krb5kdc -- gen_context(system_u:object_r:kerberos_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.5.1/policy/modules/services/kerberos.if ---- nsaserefpolicy/policy/modules/services/kerberos.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/kerberos.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.5.2/policy/modules/services/kerberos.if +--- nsaserefpolicy/policy/modules/services/kerberos.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/kerberos.if 2008-08-05 14:33:10.000000000 -0400 
@@ -23,6 +23,25 @@ ######################################## @@ -17632,7 +17109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb + type kpropd_exec_t; + ') + -+ domtrans_pattern($1,kpropd_exec_t,kpropd_t) ++ domtrans_pattern($1, kpropd_exec_t, kpropd_t) +') + +######################################## @@ -17640,7 +17117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ## Use kerberos services ## ## -@@ -43,7 +62,14 @@ +@@ -42,7 +61,14 @@ dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; dontaudit $1 krb5kdc_conf_t:file rw_file_perms; @@ -17655,7 +17132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; -@@ -61,11 +87,7 @@ +@@ -60,11 +86,7 @@ corenet_tcp_connect_ocsp_port($1) corenet_sendrecv_kerberos_client_packets($1) corenet_sendrecv_ocsp_client_packets($1) @@ -17667,7 +17144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb optional_policy(` tunable_policy(`allow_kerberos',` pcscd_stream_connect($1) -@@ -154,6 +176,32 @@ +@@ -153,6 +175,32 @@ ######################################## ## @@ -17700,7 +17177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). ## ## -@@ -169,6 +217,175 @@ +@@ -168,6 +216,175 @@ ') files_search_etc($1) @@ -17772,7 +17249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb + type kerberos_script_exec_t; + ') + -+ init_script_domtrans_spec($1,kerberos_script_exec_t) ++ init_script_domtrans_spec($1, kerberos_script_exec_t) +') + +######################################## 
@@ -17790,7 +17267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb + type kpropd_script_exec_t; + ') + -+ init_script_domtrans_spec($1,kpropd_script_exec_t) ++ init_script_domtrans_spec($1, kpropd_script_exec_t) +') + +######################################## 
@@ -17851,39 +17328,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb + role_transition $2 kpropd_script_exec_t system_r; + + files_list_tmp($1) -+ manage_all_pattern($1,kadmind_tmp_t) ++ manage_all_pattern($1, kadmind_tmp_t) + + logging_list_logs($1) -+ manage_all_pattern($1,kadmind_log_t) ++ manage_all_pattern($1, kadmind_log_t) + + files_list_spool($1) -+ manage_all_pattern($1,kadmind_spool_t) ++ manage_all_pattern($1, kadmind_spool_t) + + files_list_var_lib($1) -+ manage_all_pattern($1,kadmind_var_lib_t) ++ manage_all_pattern($1, kadmind_var_lib_t) + + files_list_pids($1) -+ manage_all_pattern($1,kadmind_var_run_t) ++ manage_all_pattern($1, kadmind_var_run_t) + -+ manage_all_pattern($1,krb5_conf_t) ++ manage_all_pattern($1, krb5_conf_t) + -+ manage_all_pattern($1,krb5_keytab_t) ++ manage_all_pattern($1, krb5_keytab_t) + -+ manage_all_pattern($1,krb5kdc_principal_t) ++ manage_all_pattern($1, krb5kdc_principal_t) + -+ manage_all_pattern($1,krb5kdc_tmp_t) ++ manage_all_pattern($1, krb5kdc_tmp_t) + -+ manage_all_pattern($1,krb5kdc_var_run_t) ++ manage_all_pattern($1, krb5kdc_var_run_t) -+ manage_all_pattern($1,krb5_host_rcache_t) ++ manage_all_pattern($1, krb5_host_rcache_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.5.1/policy/modules/services/kerberos.te ---- nsaserefpolicy/policy/modules/services/kerberos.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/kerberos.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.5.2/policy/modules/services/kerberos.te +--- nsaserefpolicy/policy/modules/services/kerberos.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/kerberos.te 2008-08-05 12:15:11.000000000 -0400 
@@ -16,6 +16,7 @@ type kadmind_t; type kadmind_exec_t; - init_daemon_domain(kadmind_t,kadmind_exec_t) + init_daemon_domain(kadmind_t, kadmind_exec_t) +domain_obj_id_change_exemption(kadmind_t) type kadmind_log_t; @@ -17901,7 +17378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb @@ -44,6 +48,7 @@ type krb5kdc_t; type krb5kdc_exec_t; - init_daemon_domain(krb5kdc_t,krb5kdc_exec_t) + init_daemon_domain(krb5kdc_t, krb5kdc_exec_t) +domain_obj_id_change_exemption(krb5kdc_t) type krb5kdc_log_t; @@ -17936,7 +17413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb allow kadmind_t self:unix_dgram_socket { connect create write }; allow kadmind_t self:tcp_socket connected_stream_socket_perms; @@ -77,7 +95,9 @@ - read_files_pattern(kadmind_t,krb5kdc_conf_t,krb5kdc_conf_t) + read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t) dontaudit kadmind_t krb5kdc_conf_t:file { write setattr }; -allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr }; @@ -17996,13 +17473,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb allow krb5kdc_t self:tcp_socket create_stream_socket_perms; allow krb5kdc_t self:udp_socket create_socket_perms; @@ -166,6 +194,8 @@ - read_files_pattern(krb5kdc_t,krb5kdc_conf_t,krb5kdc_conf_t) + read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t) dontaudit krb5kdc_t krb5kdc_conf_t:file write; +allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr }; + allow krb5kdc_t krb5kdc_log_t:file manage_file_perms; - logging_log_filetrans(krb5kdc_t,krb5kdc_log_t,file) + logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) @@ -216,6 +246,9 @@ files_read_usr_symlinks(krb5kdc_t) 
@@ -18075,16 +17552,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb +sysnet_dns_name_resolve(kpropd_t) + +kerberos_use(kpropd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.fc serefpolicy-3.5.1/policy/modules/services/kerneloops.fc ---- nsaserefpolicy/policy/modules/services/kerneloops.fc 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/kerneloops.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.fc serefpolicy-3.5.2/policy/modules/services/kerneloops.fc +--- nsaserefpolicy/policy/modules/services/kerneloops.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/kerneloops.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1 +1,3 @@ /usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0) + +/etc/rc.d/init.d/kerneloops -- gen_context(system_u:object_r:kerneloops_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.5.1/policy/modules/services/kerneloops.if ---- nsaserefpolicy/policy/modules/services/kerneloops.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/kerneloops.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.5.2/policy/modules/services/kerneloops.if +--- nsaserefpolicy/policy/modules/services/kerneloops.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/kerneloops.if 2008-08-05 12:15:11.000000000 -0400 @@ -21,6 +21,24 @@ ######################################## 
@@ -18102,7 +17579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kern + type kerneloops_script_exec_t; + ') + -+ init_script_domtrans_spec($1,kerneloops_script_exec_t) ++ init_script_domtrans_spec($1, kerneloops_script_exec_t) +') + +######################################## @@ -18142,9 +17619,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kern + allow $2 system_r; + ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.5.1/policy/modules/services/kerneloops.te ---- nsaserefpolicy/policy/modules/services/kerneloops.te 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/kerneloops.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.5.2/policy/modules/services/kerneloops.te +--- nsaserefpolicy/policy/modules/services/kerneloops.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/kerneloops.te 2008-08-05 12:15:11.000000000 -0400 @@ -10,6 +10,9 @@ type kerneloops_exec_t; init_daemon_domain(kerneloops_t, kerneloops_exec_t) 
@@ -18164,18 +17641,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kern corenet_all_recvfrom_unlabeled(kerneloops_t) corenet_all_recvfrom_netlabel(kerneloops_t) corenet_tcp_sendrecv_all_if(kerneloops_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.5.1/policy/modules/services/ldap.fc ---- nsaserefpolicy/policy/modules/services/ldap.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/ldap.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.5.2/policy/modules/services/ldap.fc +--- nsaserefpolicy/policy/modules/services/ldap.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/ldap.fc 2008-08-05 12:15:11.000000000 -0400 @@ -14,3 +14,5 @@ /var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) + +/etc/rc.d/init.d/ldap -- gen_context(system_u:object_r:ldap_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.5.1/policy/modules/services/ldap.if ---- nsaserefpolicy/policy/modules/services/ldap.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/ldap.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.5.2/policy/modules/services/ldap.if +--- nsaserefpolicy/policy/modules/services/ldap.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/ldap.if 2008-08-05 12:15:11.000000000 -0400 @@ -73,3 +73,80 @@ allow $1 slapd_var_run_t:sock_file write; allow $1 slapd_t:unix_stream_socket connectto; 
@@ -18197,7 +17674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap + type ldap_script_exec_t; + ') + -+ init_script_domtrans_spec($1,ldap_script_exec_t) ++ init_script_domtrans_spec($1, ldap_script_exec_t) +') + +######################################## @@ -18243,23 +17720,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap + allow $2 system_r; + + files_list_tmp($1) -+ manage_all_pattern($1,slapd_tmp_t) ++ manage_all_pattern($1, slapd_tmp_t) + -+ manage_all_pattern($1,slapd_replog_t) ++ manage_all_pattern($1, slapd_replog_t) + + files_list_etc($1) -+ manage_all_pattern($1,slapd_etc_t) ++ manage_all_pattern($1, slapd_etc_t) + -+ manage_all_pattern($1,slapd_lock_t) ++ manage_all_pattern($1, slapd_lock_t) + + files_list_pids($1) -+ manage_all_pattern($1,slapd_var_run_t) ++ manage_all_pattern($1, slapd_var_run_t) +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.5.1/policy/modules/services/ldap.te ---- nsaserefpolicy/policy/modules/services/ldap.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/ldap.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.5.2/policy/modules/services/ldap.te +--- nsaserefpolicy/policy/modules/services/ldap.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/ldap.te 2008-08-05 12:15:11.000000000 -0400 @@ -31,6 +31,9 @@ type slapd_var_run_t; files_pid_file(slapd_var_run_t) 
@@ -18279,9 +17756,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.5.1/policy/modules/services/lpd.fc ---- nsaserefpolicy/policy/modules/services/lpd.fc 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/lpd.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.5.2/policy/modules/services/lpd.fc +--- nsaserefpolicy/policy/modules/services/lpd.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/lpd.fc 2008-08-05 12:15:11.000000000 -0400 @@ -22,11 +22,14 @@ /usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0) @@ -18297,23 +17774,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd. +/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) /var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0) /var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.5.1/policy/modules/services/mailman.fc ---- nsaserefpolicy/policy/modules/services/mailman.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/mailman.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.5.2/policy/modules/services/mailman.fc +--- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/mailman.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -31,3 +31,4 @@ /var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) ') +/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.5.1/policy/modules/services/mailman.if ---- nsaserefpolicy/policy/modules/services/mailman.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/mailman.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.5.2/policy/modules/services/mailman.if +--- nsaserefpolicy/policy/modules/services/mailman.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/mailman.if 2008-08-05 12:15:11.000000000 -0400 @@ -211,6 +211,7 @@ type mailman_data_t; ') -+ manage_dirs_pattern($1,mailman_data_t,mailman_data_t) - manage_files_pattern($1,mailman_data_t,mailman_data_t) ++ manage_dirs_pattern($1, mailman_data_t, mailman_data_t) + manage_files_pattern($1, mailman_data_t, mailman_data_t) ') @@ -252,6 +253,25 @@ @@ -18334,7 +17811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail + type mailman_log_t; + ') + -+ read_files_pattern($1,mailman_log_t,mailman_log_t) ++ read_files_pattern($1, mailman_log_t, mailman_log_t) +') + +####################################### 
@@ -18342,9 +17819,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail ## Append to mailman logs. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.5.1/policy/modules/services/mailman.te ---- nsaserefpolicy/policy/modules/services/mailman.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/mailman.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.5.2/policy/modules/services/mailman.te +--- nsaserefpolicy/policy/modules/services/mailman.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/mailman.te 2008-08-05 14:34:44.000000000 -0400 @@ -53,10 +53,9 @@ apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) 
@@ -18374,30 +17851,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail ifdef(`TODO',` optional_policy(` -@@ -99,11 +105,12 @@ - # for su - seutil_dontaudit_search_config(mailman_queue_t) - --su_exec(mailman_queue_t) -- +@@ -104,6 +110,7 @@ # some of the following could probably be changed to dontaudit, someone who # knows mailman well should test this out and send the changes sysadm_search_home_dirs(mailman_queue_t) +sysadm_getattr_home_dirs(mailman_queue_t) -+ -+su_exec(mailman_queue_t) optional_policy(` - cron_system_entry(mailman_queue_t,mailman_queue_exec_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.5.1/policy/modules/services/mailscanner.fc + cron_system_entry(mailman_queue_t, mailman_queue_exec_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.5.2/policy/modules/services/mailscanner.fc --- nsaserefpolicy/policy/modules/services/mailscanner.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/services/mailscanner.fc 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/mailscanner.fc 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,2 @@ +/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.5.1/policy/modules/services/mailscanner.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.5.2/policy/modules/services/mailscanner.if --- nsaserefpolicy/policy/modules/services/mailscanner.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/services/mailscanner.if 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/mailscanner.if 2008-08-05 12:15:11.000000000 -0400 
@@ -0,0 +1,59 @@ +## Anti-Virus and Anti-Spam Filter + @@ -18436,7 +17906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail + ') + + files_search_spool($1) -+ read_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t) ++ read_files_pattern($1, mailscanner_spool_t, mailscanner_spool_t) +') + +######################################## @@ -18456,20 +17926,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail + ') + + files_search_spool($1) -+ manage_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t) ++ manage_files_pattern($1, mailscanner_spool_t, mailscanner_spool_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.5.1/policy/modules/services/mailscanner.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.5.2/policy/modules/services/mailscanner.te --- nsaserefpolicy/policy/modules/services/mailscanner.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/services/mailscanner.te 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/mailscanner.te 2008-08-05 12:15:11.000000000 -0400 
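Review bot: The rebased mailman.te hunk `@@ -104,6 +110,7 @@` no longer carries the `-su_exec(mailman_queue_t)` / `+su_exec(mailman_queue_t)` pair that the previous version of this patch (`@@ -99,11 +105,12 @@`) did, so the patch now only inserts `+sysadm_getattr_home_dirs(mailman_queue_t)` and says nothing about su_exec. The new context lines show only `sysadm_search_home_dirs(mailman_queue_t)` and `optional_policy(` around the insertion, so it is not visible here whether `su_exec(mailman_queue_t)` is still present in the 3.5.2 base or was dropped. Because that line decides whether the mailman queue domain may execute su, it is worth confirming against the 3.5.2 mailman.te that the permission was either kept upstream or intentionally removed, and recording which in the patch description. The later mtime on this file header (`14:34:44` versus `12:15:11` for the others) suggests a hand edit after the regeneration, which is presumably where this changed.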
@@ -0,0 +1,5 @@ + -+policy_module(mailscanner,1.0.0) ++policy_module(mailscanner, 1.0.0) + +type mailscanner_spool_t; +files_type(mailscanner_spool_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.5.1/policy/modules/services/mta.fc ---- nsaserefpolicy/policy/modules/services/mta.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/mta.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.5.2/policy/modules/services/mta.fc +--- nsaserefpolicy/policy/modules/services/mta.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/mta.fc 2008-08-05 12:15:11.000000000 -0400 @@ -11,6 +11,7 @@ /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -18486,9 +17956,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. -#ifdef(`postfix.te', `', ` -#/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) -#') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.5.1/policy/modules/services/mta.if ---- nsaserefpolicy/policy/modules/services/mta.if 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/mta.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.5.2/policy/modules/services/mta.if +--- nsaserefpolicy/policy/modules/services/mta.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/mta.if 2008-08-05 12:15:11.000000000 -0400 @@ -133,6 +133,15 @@ sendmail_create_log($1_mail_t) ') @@ -18506,23 +17976,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ####################################### 
@@ -199,7 +208,7 @@ - userdom_use_user_terminals($1,mta_user_agent) + userdom_use_user_terminals($1, mta_user_agent) # Create dead.letter in user home directories. - userdom_manage_user_home_content_files($1,$1_mail_t) -- userdom_user_home_dir_filetrans_user_home_content($1,$1_mail_t,file) -+ unprivuser_home_dir_filetrans_home_content($1_mail_t,file) + userdom_manage_user_home_content_files($1, $1_mail_t) +- userdom_user_home_dir_filetrans_user_home_content($1, $1_mail_t, file) ++ unprivuser_home_dir_filetrans_home_content($1_mail_t, file) # for reading .forward - maybe we need a new type for it? # also for delivering mail to maildir - userdom_manage_user_home_content_dirs($1,mailserver_delivery) + userdom_manage_user_home_content_dirs($1, mailserver_delivery) @@ -207,7 +216,7 @@ - userdom_manage_user_home_content_symlinks($1,mailserver_delivery) - userdom_manage_user_home_content_pipes($1,mailserver_delivery) - userdom_manage_user_home_content_sockets($1,mailserver_delivery) -- userdom_user_home_dir_filetrans_user_home_content($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file }) -+ unprivuser_home_dir_filetrans_home_content(mailserver_delivery,{ dir file lnk_file fifo_file sock_file }) + userdom_manage_user_home_content_symlinks($1, mailserver_delivery) + userdom_manage_user_home_content_pipes($1, mailserver_delivery) + userdom_manage_user_home_content_sockets($1, mailserver_delivery) +- userdom_user_home_dir_filetrans_user_home_content($1, mailserver_delivery, { dir file lnk_file fifo_file sock_file }) ++ unprivuser_home_dir_filetrans_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file }) # Read user temporary files. - userdom_read_user_tmp_files($1,$1_mail_t) - userdom_dontaudit_append_user_tmp_files($1,$1_mail_t) + userdom_read_user_tmp_files($1, $1_mail_t) + userdom_dontaudit_append_user_tmp_files($1, $1_mail_t) @@ -220,6 +229,11 @@ fs_manage_cifs_symlinks($1_mail_t) ') 
@@ -18580,11 +18050,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## @@ -385,11 +435,13 @@ allow $1 mail_spool_t:dir list_dir_perms; - create_files_pattern($1,mail_spool_t,mail_spool_t) - read_files_pattern($1,mail_spool_t,mail_spool_t) -+ append_files_pattern($1,mail_spool_t,mail_spool_t) - create_lnk_files_pattern($1,mail_spool_t,mail_spool_t) - read_lnk_files_pattern($1,mail_spool_t,mail_spool_t) + create_files_pattern($1, mail_spool_t, mail_spool_t) + read_files_pattern($1, mail_spool_t, mail_spool_t) ++ append_files_pattern($1, mail_spool_t, mail_spool_t) + create_lnk_files_pattern($1, mail_spool_t, mail_spool_t) + read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) optional_policy(` dovecot_manage_spool($1) @@ -18666,7 +18136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. + ') + + files_search_spool($1) -+ read_files_pattern($1,mqueue_spool_t,mqueue_spool_t) ++ read_files_pattern($1, mqueue_spool_t, mqueue_spool_t) +') + +######################################## @@ -18674,9 +18144,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## Create, read, write, and delete ## mail queue files. ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.5.1/policy/modules/services/mta.te ---- nsaserefpolicy/policy/modules/services/mta.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/mta.te 2008-07-30 09:59:10.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.5.2/policy/modules/services/mta.te +--- nsaserefpolicy/policy/modules/services/mta.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/mta.te 2008-08-05 12:15:11.000000000 -0400 @@ -6,6 +6,8 @@ # Declarations # 
@@ -18713,8 +18183,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. + +can_exec(system_mail_t, mailclient_exec_type) - read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t) -+read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type) + read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) ++read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) + +files_read_all_tmp_files(system_mail_t) @@ -18789,7 +18259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. @@ -113,10 +153,6 @@ # compatability for old default main.cf - postfix_config_filetrans(system_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file }) + postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) ') - - optional_policy(` @@ -18840,9 +18310,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. optional_policy(` # why is mail delivered to a directory of type arpwatch_data_t? arpwatch_search_data(mailserver_delivery) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.5.1/policy/modules/services/munin.fc ---- nsaserefpolicy/policy/modules/services/munin.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/munin.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.5.2/policy/modules/services/munin.fc +--- nsaserefpolicy/policy/modules/services/munin.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/munin.fc 2008-08-05 12:15:11.000000000 -0400 @@ -6,6 +6,9 @@ /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) 
@@ -18855,9 +18325,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) + +/etc/rc.d/init.d/munin-node -- gen_context(system_u:object_r:munin_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.5.1/policy/modules/services/munin.if ---- nsaserefpolicy/policy/modules/services/munin.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/munin.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.5.2/policy/modules/services/munin.if +--- nsaserefpolicy/policy/modules/services/munin.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/munin.if 2008-08-05 12:15:11.000000000 -0400 @@ -80,3 +80,105 @@ dontaudit $1 munin_var_lib_t:dir search_dir_perms; @@ -18881,7 +18351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni + + logging_search_logs($1) + allow $1 munin_log_t:dir list_dir_perms; -+ append_files_pattern($1,munin_log_t,munin_log_t) ++ append_files_pattern($1, munin_log_t, munin_log_t) +') + +######################################## @@ -18900,7 +18370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni + type munin_script_exec_t; + ') + -+ init_script_domtrans_spec($1,munin_script_exec_t) ++ init_script_domtrans_spec($1, munin_script_exec_t) +') + +######################################## 
@@ -18947,26 +18417,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni + allow $2 system_r; + + files_list_tmp($1) -+ manage_all_pattern($1,munin_tmp_t) ++ manage_all_pattern($1, munin_tmp_t) + + logging_list_logs($1) -+ manage_all_pattern($1,munin_log_t) ++ manage_all_pattern($1, munin_log_t) + + files_list_etc($1) -+ manage_all_pattern($1,munin_etc_t) ++ manage_all_pattern($1, munin_etc_t) + + files_list_var_lib($1) -+ manage_all_pattern($1,munin_var_lib_t) ++ manage_all_pattern($1, munin_var_lib_t) + + files_list_pids($1) -+ manage_all_pattern($1,munin_var_run_t) ++ manage_all_pattern($1, munin_var_run_t) + + manage_all_pattern($1, httpd_munin_content_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.5.1/policy/modules/services/munin.te ---- nsaserefpolicy/policy/modules/services/munin.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/munin.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.5.2/policy/modules/services/munin.te +--- nsaserefpolicy/policy/modules/services/munin.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/munin.te 2008-08-05 12:15:11.000000000 -0400 @@ -25,26 +25,33 @@ type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) 
@@ -18992,20 +18462,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +can_exec(munin_t, munin_exec_t) allow munin_t munin_etc_t:dir list_dir_perms; - read_files_pattern(munin_t,munin_etc_t,munin_etc_t) - read_lnk_files_pattern(munin_t,munin_etc_t,munin_etc_t) + read_files_pattern(munin_t, munin_etc_t, munin_etc_t) + read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t) files_search_etc(munin_t) -allow munin_t munin_log_t:file manage_file_perms; --logging_log_filetrans(munin_t,munin_log_t,file) +-logging_log_filetrans(munin_t, munin_log_t, file) +manage_dirs_pattern(munin_t, munin_log_t, munin_log_t) +manage_files_pattern(munin_t, munin_log_t, munin_log_t) -+logging_log_filetrans(munin_t,munin_log_t,{ file dir }) ++logging_log_filetrans(munin_t, munin_log_t, { file dir }) - manage_dirs_pattern(munin_t,munin_tmp_t,munin_tmp_t) - manage_files_pattern(munin_t,munin_tmp_t,munin_tmp_t) + manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t) + manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t) @@ -61,9 +68,11 @@ - files_pid_filetrans(munin_t,munin_var_run_t,file) + files_pid_filetrans(munin_t, munin_var_run_t, file) kernel_read_system_state(munin_t) -kernel_read_kernel_sysctls(munin_t) 
@@ -19092,31 +18562,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni + +manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) +manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.5.1/policy/modules/services/mysql.fc ---- nsaserefpolicy/policy/modules/services/mysql.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/mysql.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.5.2/policy/modules/services/mysql.fc +--- nsaserefpolicy/policy/modules/services/mysql.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/mysql.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -22,3 +22,5 @@ /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) /var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) + +/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.5.1/policy/modules/services/mysql.if ---- nsaserefpolicy/policy/modules/services/mysql.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/mysql.if 2008-07-25 12:35:13.000000000 -0400 -@@ -32,9 +32,11 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.5.2/policy/modules/services/mysql.if +--- nsaserefpolicy/policy/modules/services/mysql.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/mysql.if 2008-08-05 14:49:19.000000000 -0400 +@@ -53,9 +53,11 @@ interface(`mysql_stream_connect',` gen_require(` type mysqld_t, mysqld_var_run_t; + type mysqld_db_t; ') - stream_connect_pattern($1,mysqld_var_run_t,mysqld_var_run_t,mysqld_t) + stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t) + stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) ') ######################################## -@@ -157,3 +159,74 @@ +@@ -178,3 +180,71 @@ logging_search_logs($1) allow $1 mysqld_log_t:file { write append setattr ioctl }; ') @@ -19136,7 +18606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq + type mysqld_script_exec_t; + ') + -+ init_script_domtrans_spec($1,mysqld_script_exec_t) ++ init_script_domtrans_spec($1, mysqld_script_exec_t) +') + +######################################## 
@@ -19163,17 +18633,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq +interface(`mysql_admin',` + + gen_require(` -+ type mysqld_t; -+ type mysqld_var_run_t; -+ type mysqld_tmp_t; -+ type mysqld_db_t; -+ type mysqld_etc_t; -+ type mysqld_log_t; ++ type mysqld_t, mysqld_var_run_t; ++ type mysqld_tmp_t, mysqld_db_t; ++ type mysqld_etc_t, mysqld_log_t; + type mysqld_script_exec_t; + ') + -+ allow $1 mysqld_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, mysqld_t, mysqld_t) ++ allow $1 mysqld_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, mysqld_t) + + # Allow $1 to restart the apache service + mysql_script_domtrans($1) @@ -19181,19 +18648,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq + role_transition $2 mysqld_script_exec_t system_r; + allow $2 system_r; + -+ manage_all_pattern($1,mysqld_var_run_t) ++ manage_all_pattern($1, mysqld_var_run_t) + -+ manage_all_pattern($1,mysqld_db_t) ++ manage_all_pattern($1, mysqld_db_t) + -+ manage_all_pattern($1,mysqld_etc_t) ++ manage_all_pattern($1, mysqld_etc_t) + -+ manage_all_pattern($1,mysqld_log_t) ++ manage_all_pattern($1, mysqld_log_t) + -+ manage_all_pattern($1,mysqld_tmp_t) ++ manage_all_pattern($1, mysqld_tmp_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.5.1/policy/modules/services/mysql.te ---- nsaserefpolicy/policy/modules/services/mysql.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/mysql.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.5.2/policy/modules/services/mysql.te +--- nsaserefpolicy/policy/modules/services/mysql.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/mysql.te 2008-08-05 14:41:18.000000000 -0400 
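Review bot: The comment `# Allow $1 to restart the apache service` in mysql_admin is a copy-paste leftover; the call below it is `mysql_script_domtrans($1)`, which transitions into the mysqld init script, not apache. The same stale comment is carried into nagios_admin, nis_admin, nscd_admin and ntp_admin in the later hunks (`# Allow nagios_t to restart the apache service`, `# Allow ypbind_t to restart the apache service`, `# Allow nscd_t to restart the apache service`, `# Allow ntp_t to restart the apache service`), and in those the subject is also wrong, since it is the caller `$1` that receives the transition, not the daemon domain. Suggest replacing each with a comment naming the real service, e.g. `# Allow $1 to run the mysqld init script`.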
@@ -25,6 +25,9 @@ type mysqld_tmp_t; files_tmp_file(mysqld_tmp_t) @@ -19214,19 +18681,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq allow mysqld_t self:unix_stream_socket create_stream_socket_perms; allow mysqld_t self:tcp_socket create_stream_socket_perms; allow mysqld_t self:udp_socket create_socket_perms; -@@ -54,9 +58,9 @@ - manage_files_pattern(mysqld_t,mysqld_tmp_t,mysqld_tmp_t) - files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) - --manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) --manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) --files_pid_filetrans(mysqld_t, mysqld_var_run_t,{ file sock_file }) -+manage_files_pattern(mysqld_t,mysqld_var_run_t,mysqld_var_run_t) -+manage_sock_files_pattern(mysqld_t,mysqld_var_run_t,mysqld_var_run_t) -+files_pid_filetrans(mysqld_t,mysqld_var_run_t,file) - - kernel_read_system_state(mysqld_t) - kernel_read_kernel_sysctls(mysqld_t) @@ -79,6 +83,7 @@ fs_getattr_all_fs(mysqld_t) @@ -19235,9 +18689,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq domain_use_interactive_fds(mysqld_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.5.1/policy/modules/services/nagios.fc ---- nsaserefpolicy/policy/modules/services/nagios.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/nagios.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.5.2/policy/modules/services/nagios.fc +--- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/nagios.fc 2008-08-05 12:15:11.000000000 -0400 @@ -4,13 +4,17 @@ /usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) /usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) 
@@ -19260,9 +18714,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +/etc/rc.d/init.d/nagios -- gen_context(system_u:object_r:nagios_script_exec_t,s0) +/etc/rc.d/init.d/nrpe -- gen_context(system_u:object_r:nagios_script_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.5.1/policy/modules/services/nagios.if ---- nsaserefpolicy/policy/modules/services/nagios.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/nagios.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.5.2/policy/modules/services/nagios.if +--- nsaserefpolicy/policy/modules/services/nagios.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/nagios.if 2008-08-05 14:44:11.000000000 -0400 @@ -44,7 +44,7 @@ ######################################## @@ -19272,7 +18726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ## a domain transition. ## ## -@@ -53,29 +53,91 @@ +@@ -53,29 +53,87 @@ ## ## # @@ -19283,8 +18737,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + type nrpe_t, nrpe_exec_t; ') -- domtrans_pattern($1,nagios_cgi_exec_t,nagios_cgi_t) -+ domtrans_pattern($1,nrpe_exec_t,nrpe_t) +- domtrans_pattern($1, nagios_cgi_exec_t, nagios_cgi_t) ++ domtrans_pattern($1, nrpe_exec_t, nrpe_t) ') ######################################## @@ -19305,7 +18759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + type nagios_script_exec_t; + ') + -+ init_script_domtrans_spec($1,nagios_script_exec_t) ++ init_script_domtrans_spec($1, nagios_script_exec_t) +') + +######################################## 
@@ -19334,21 +18788,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +interface(`nagios_admin',` gen_require(` - type nrpe_t, nrpe_exec_t; -+ type nagios_t; -+ type nrpe_t; ++ type nagios_t, nrpe_t; ++ type nagios_tmp_t, nagios_log_t; ++ type nagios_etc_t, nrpe_etc_t; ++ type nagios_spool_t, nagios_var_run_t; + type nagios_script_exec_t; -+ type nagios_tmp_t; -+ type nagios_log_t; -+ type nagios_etc_t; -+ type nrpe_etc_t; -+ type nagios_spool_t; -+ type nagios_var_run_t; ') -- domtrans_pattern($1,nrpe_exec_t,nrpe_t) -+ allow $1 nagios_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, nagios_t, nagios_t) -+ +- domtrans_pattern($1, nrpe_exec_t, nrpe_t) ++ allow $1 nagios_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, nagios_t) ++ + # Allow nagios_t to restart the apache service + nagios_script_domtrans($1) + domain_system_change_exemption($1) 
@@ -19356,25 +18806,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + allow $2 system_r; + + files_list_tmp($1) -+ manage_all_pattern($1,nagios_tmp_t) ++ manage_all_pattern($1, nagios_tmp_t) + + logging_list_logs($1) -+ manage_all_pattern($1,nagios_log_t) ++ manage_all_pattern($1, nagios_log_t) + + files_list_etc($1) -+ manage_all_pattern($1,nagios_etc_t) ++ manage_all_pattern($1, nagios_etc_t) + + files_list_spool($1) -+ manage_all_pattern($1,nagios_spool_t) ++ manage_all_pattern($1, nagios_spool_t) + + files_list_pids($1) -+ manage_all_pattern($1,nagios_var_run_t) ++ manage_all_pattern($1, nagios_var_run_t) + -+ manage_all_pattern($1,nrpe_etc_t) ++ manage_all_pattern($1, nrpe_etc_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.5.1/policy/modules/services/nagios.te ---- nsaserefpolicy/policy/modules/services/nagios.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/nagios.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.5.2/policy/modules/services/nagios.te +--- nsaserefpolicy/policy/modules/services/nagios.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/nagios.te 2008-08-05 12:15:11.000000000 -0400 @@ -10,10 +10,6 @@ type nagios_exec_t; init_daemon_domain(nagios_t, nagios_exec_t) 
@@ -19477,9 +18927,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ######################################## # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.5.1/policy/modules/services/networkmanager.fc ---- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/networkmanager.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.5.2/policy/modules/services/networkmanager.fc +--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/networkmanager.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1,7 +1,13 @@ /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) 
@@ -19494,54 +18944,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + +/var/log/wpa_supplicant\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) +/etc/NetworkManager/dispatcher.d(/.*) gen_context(system_u:object_r:NetworkManager_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.5.1/policy/modules/services/networkmanager.if ---- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/networkmanager.if 2008-07-25 12:35:13.000000000 -0400 -@@ -2,7 +2,7 @@ - - ######################################## - ## --## Read and write NetworkManager UDP sockets. -+## Read and write NetworkManager packet sockets. - ## - ## - ## -@@ -11,17 +11,17 @@ - ## - # - # cjp: added for named. --interface(`networkmanager_rw_udp_sockets',` -+interface(`networkmanager_rw_packet_sockets',` - gen_require(` - type NetworkManager_t; - ') - -- allow $1 NetworkManager_t:udp_socket { read write }; -+ allow $1 NetworkManager_t:packet_socket { read write }; - ') - - ######################################## - ## --## Read and write NetworkManager packet sockets. -+## Read and write NetworkManager UDP sockets. - ## - ## - ## -@@ -30,12 +30,12 @@ - ## - # - # cjp: added for named. 
--interface(`networkmanager_rw_packet_sockets',` -+interface(`networkmanager_rw_udp_sockets',` - gen_require(` - type NetworkManager_t; - ') - -- allow $1 NetworkManager_t:packet_socket { read write }; -+ allow $1 NetworkManager_t:udp_socket { read write }; - ') - - ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.5.2/policy/modules/services/networkmanager.if +--- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/networkmanager.if 2008-08-05 14:46:12.000000000 -0400 @@ -97,3 +97,58 @@ allow $1 NetworkManager_t:dbus send_msg; allow NetworkManager_t $1:dbus send_msg; @@ -19601,12 +19006,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + files_search_pids($1) + allow $1 NetworkManager_var_run_t:file read_file_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.1/policy/modules/services/networkmanager.te ---- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/networkmanager.te 2008-07-25 16:05:06.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.2/policy/modules/services/networkmanager.te +--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/networkmanager.te 2008-08-05 12:15:11.000000000 -0400 @@ -10,9 +10,16 @@ type NetworkManager_exec_t; - init_daemon_domain(NetworkManager_t,NetworkManager_exec_t) + init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) +type NetworkManager_log_t; +logging_log_file(NetworkManager_log_t) 
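Review bot: The spec `/etc/NetworkManager/dispatcher.d(/.*) gen_context(system_u:object_r:NetworkManager_script_exec_t,s0)` kept on the new side omits the `?` that the other specs in these hunks use (`/var/run/nscd(/.*)?`, `/var/www/html/munin/cgi(/.*)?`), so it matches only entries beneath dispatcher.d and never the directory itself, which keeps whatever label the parent default gives it. The dots are also unescaped, unlike `/var/log/wpa_supplicant\.log.*` on the line above. If the directory is meant to share the label, write `/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_script_exec_t,s0)`; if it is deliberately left to the default, a one-line comment saying so would keep the next reader from "fixing" it.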
@@ -19634,11 +19039,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; @@ -38,10 +45,14 @@ - manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t) + manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file }) -+manage_files_pattern(NetworkManager_t,NetworkManager_log_t,NetworkManager_log_t) -+logging_log_filetrans(NetworkManager_t,NetworkManager_log_t, file) ++manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) ++logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) + kernel_read_system_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t) @@ -19694,9 +19099,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -- dbus_system_bus_client_template(NetworkManager,NetworkManager_t) +- dbus_system_bus_client_template(NetworkManager, NetworkManager_t) - dbus_connect_system_bus(NetworkManager_t) -+ dbus_system_domain(NetworkManager_t,NetworkManager_exec_t) ++ dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) ') optional_policy(` @@ -19717,7 +19122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -156,22 +178,29 @@ +@@ -156,19 +178,25 @@ ppp_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) ppp_signal(NetworkManager_t) 
@@ -19734,26 +19139,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw - udev_read_db(NetworkManager_t) + rpm_read_db(NetworkManager_t) + rpm_dontaudit_manage_db(NetworkManager_t) -+') -+ -+optional_policy(` -+ seutil_sigchld_newrole(NetworkManager_t) ') optional_policy(` - # Read gnome-keyring - unconfined_read_home_content_files(NetworkManager_t) ++ seutil_sigchld_newrole(NetworkManager_t) ++') ++ ++optional_policy(` + udev_read_db(NetworkManager_t) ') optional_policy(` - vpn_domtrans(NetworkManager_t) - vpn_signal(NetworkManager_t) - ') -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.5.1/policy/modules/services/nis.fc ---- nsaserefpolicy/policy/modules/services/nis.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/nis.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.5.2/policy/modules/services/nis.fc +--- nsaserefpolicy/policy/modules/services/nis.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/nis.fc 2008-08-05 12:15:11.000000000 -0400 @@ -4,9 +4,14 @@ /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) 
@@ -19769,9 +19170,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. +/etc/rc.d/init.d/yppasswd -- gen_context(system_u:object_r:nis_script_exec_t,s0) +/etc/rc.d/init.d/ypserv -- gen_context(system_u:object_r:nis_script_exec_t,s0) +/etc/rc.d/init.d/ypxfrd -- gen_context(system_u:object_r:nis_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.5.1/policy/modules/services/nis.if ---- nsaserefpolicy/policy/modules/services/nis.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/nis.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.5.2/policy/modules/services/nis.if +--- nsaserefpolicy/policy/modules/services/nis.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/nis.if 2008-08-05 14:51:00.000000000 -0400 @@ -28,7 +28,7 @@ type var_yp_t; ') @@ -19818,9 +19219,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. ## Execute ypbind in the ypbind domain. ## ## -@@ -244,3 +263,93 @@ +@@ -244,3 +263,89 @@ corecmd_search_bin($1) - domtrans_pattern($1,ypxfr_exec_t,ypxfr_t) + domtrans_pattern($1, ypxfr_exec_t, ypxfr_t) ') + +######################################## @@ -19839,7 +19240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. + type nis_script_exec_t; + ') + -+ init_script_domtrans_spec($1,nis_script_exec_t) ++ init_script_domtrans_spec($1, nis_script_exec_t) +') + +######################################## 
@@ -19866,29 +19267,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. +# +interface(`nis_admin',` + gen_require(` -+ type ypbind_t; -+ type yppasswdd_t; -+ type ypserv_t; -+ type ypxfr_t; -+ type nis_script_exec_t; -+ type ypbind_tmp_t; -+ type ypserv_tmp_t; -+ type ypserv_conf_t; ++ type ypbind_t, yppasswdd_t; ++ type ypserv_t, ypxfr_t; ++ type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; + type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; ++ type nis_script_exec_t; + ') + -+ allow $1 ypbind_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, ypbind_t, ypbind_t) -+ -+ allow $1 yppasswdd_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, yppasswdd_t, yppasswdd_t) ++ allow $1 ypbind_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, ypbind_t) + -+ allow $1 ypserv_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, ypserv_t, ypserv_t) ++ allow $1 yppasswdd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, yppasswdd_t) + -+ allow $1 ypxfr_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, ypxfr_t, ypxfr_t) ++ allow $1 ypserv_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, ypserv_t) + ++ allow $1 ypxfr_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, ypxfr_t) ++ + # Allow ypbind_t to restart the apache service + nis_script_domtrans($1) + domain_system_change_exemption($1) 
@@ -19896,28 +19293,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. + allow $2 system_r; + + files_list_tmp($1) -+ manage_all_pattern($1,ypbind_tmp_t) ++ manage_all_pattern($1, ypbind_tmp_t) + + files_list_pids($1) -+ manage_all_pattern($1,ypbind_var_run_t) ++ manage_all_pattern($1, ypbind_var_run_t) + -+ manage_all_pattern($1,yppasswdd_var_run_t) ++ manage_all_pattern($1, yppasswdd_var_run_t) + + files_list_etc($1) -+ manage_all_pattern($1,ypserv_conf_t) ++ manage_all_pattern($1, ypserv_conf_t) + -+ manage_all_pattern($1,ypserv_tmp_t) ++ manage_all_pattern($1, ypserv_tmp_t) + -+ manage_all_pattern($1,ypserv_var_run_t) ++ manage_all_pattern($1, ypserv_var_run_t) +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.5.1/policy/modules/services/nis.te ---- nsaserefpolicy/policy/modules/services/nis.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/nis.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.5.2/policy/modules/services/nis.te +--- nsaserefpolicy/policy/modules/services/nis.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/nis.te 2008-08-05 12:15:11.000000000 -0400 @@ -44,6 +44,9 @@ type ypxfr_exec_t; - init_daemon_domain(ypxfr_t,ypxfr_exec_t) + init_daemon_domain(ypxfr_t, ypxfr_exec_t) +type nis_script_exec_t; +init_script_type(nis_script_exec_t) @@ -19934,7 +19331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. + +optional_policy(` -+ dbus_system_bus_client_template(ypbind,ypbind_t) ++ dbus_system_bus_client_template(ypbind, ypbind_t) + dbus_connect_system_bus(ypbind_t) + init_dbus_chat_script(ypbind_t) + 
@@ -19983,18 +19380,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) corenet_tcp_connect_all_ports(ypxfr_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.5.1/policy/modules/services/nscd.fc ---- nsaserefpolicy/policy/modules/services/nscd.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/nscd.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.5.2/policy/modules/services/nscd.fc +--- nsaserefpolicy/policy/modules/services/nscd.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/nscd.fc 2008-08-05 12:15:11.000000000 -0400 @@ -9,3 +9,5 @@ /var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0) /var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) + +/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.5.1/policy/modules/services/nscd.if ---- nsaserefpolicy/policy/modules/services/nscd.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/nscd.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.5.2/policy/modules/services/nscd.if +--- nsaserefpolicy/policy/modules/services/nscd.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/nscd.if 2008-08-05 14:53:26.000000000 -0400 @@ -70,15 +70,14 @@ interface(`nscd_socket_use',` gen_require(` 
@@ -20011,9 +19408,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd - + dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; files_search_pids($1) - stream_connect_pattern($1,nscd_var_run_t,nscd_var_run_t,nscd_t) + stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) dontaudit $1 nscd_var_run_t:file { getattr read }; -@@ -204,3 +203,68 @@ +@@ -204,3 +203,66 @@ role $2 types nscd_t; dontaudit nscd_t $3:chr_file rw_term_perms; ') @@ -20033,7 +19430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd + type nscd_script_exec_t; + ') + -+ init_script_domtrans_spec($1,nscd_script_exec_t) ++ init_script_domtrans_spec($1, nscd_script_exec_t) +') + +######################################## @@ -20060,14 +19457,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd +# +interface(`nscd_admin',` + gen_require(` -+ type nscd_t; ++ type nscd_t, nscd_log_t, nscd_var_run_t; + type nscd_script_exec_t; -+ type nscd_log_t; -+ type nscd_var_run_t; + ') + -+ allow $1 nscd_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, nscd_t, nscd_t) ++ allow $1 nscd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, nscd_t) + + # Allow nscd_t to restart the apache service + nscd_script_domtrans($1) 
@@ -20076,15 +19471,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd + allow $2 system_r; + + logging_list_logs($1) -+ manage_all_pattern($1,nscd_log_t) ++ manage_all_pattern($1, nscd_log_t) + + files_list_pids($1) -+ manage_all_pattern($1,nscd_var_run_t) ++ manage_all_pattern($1, nscd_var_run_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.5.1/policy/modules/services/nscd.te ---- nsaserefpolicy/policy/modules/services/nscd.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/nscd.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.5.2/policy/modules/services/nscd.te +--- nsaserefpolicy/policy/modules/services/nscd.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/nscd.te 2008-08-05 12:15:11.000000000 -0400 @@ -23,19 +23,22 @@ type nscd_log_t; logging_log_file(nscd_log_t) @@ -20112,8 +19507,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd allow nscd_t self:udp_socket create_socket_perms; @@ -50,6 +53,8 @@ - manage_sock_files_pattern(nscd_t,nscd_var_run_t,nscd_var_run_t) - files_pid_filetrans(nscd_t,nscd_var_run_t,{ file sock_file }) + manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) + files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file }) +can_exec(nscd_t, nscd_exec_t) + 
@@ -20180,9 +19575,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.5.1/policy/modules/services/ntp.fc ---- nsaserefpolicy/policy/modules/services/ntp.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/ntp.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.5.2/policy/modules/services/ntp.fc +--- nsaserefpolicy/policy/modules/services/ntp.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/ntp.fc 2008-08-05 12:15:11.000000000 -0400 @@ -17,3 +17,8 @@ /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) @@ -20192,12 +19587,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. +/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0) + +/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.5.1/policy/modules/services/ntp.if ---- nsaserefpolicy/policy/modules/services/ntp.if 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/ntp.if 2008-07-25 12:35:13.000000000 -0400 -@@ -53,3 +53,76 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.5.2/policy/modules/services/ntp.if +--- nsaserefpolicy/policy/modules/services/ntp.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/ntp.if 2008-08-05 14:54:54.000000000 -0400 +@@ -53,3 +53,72 @@ corecmd_search_bin($1) - domtrans_pattern($1,ntpdate_exec_t,ntpd_t) + domtrans_pattern($1, ntpdate_exec_t, ntpd_t) ') + +######################################## 
@@ -20215,7 +19610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. + type ntpd_script_exec_t; + ') + -+ init_script_domtrans_spec($1,ntpd_script_exec_t) ++ init_script_domtrans_spec($1, ntpd_script_exec_t) +') + +######################################## @@ -20242,17 +19637,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. +# +interface(`ntp_admin',` + gen_require(` -+ type ntp_t; ++ type ntp_t, ntp_tmp_t, ntp_log_t; ++ type ntp_key_t, ntp_var_lib_t, ntp_var_run_t; + type ntp_script_exec_t; -+ type ntp_tmp_t; -+ type ntp_log_t; -+ type ntp_key_t; -+ type ntp_var_lib_t; -+ type ntp_var_run_t; + ') + + allow $1 ntp_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, ntp_t, ntp_t) ++ ps_process_pattern($1, ntp_t) + + # Allow ntp_t to restart the apache service + ntp_script_domtrans($1) 
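Review bot: `ntp_admin` requires and uses `ntp_t`, `ntp_tmp_t`, `ntp_log_t`, `ntp_key_t`, `ntp_var_lib_t`, `ntp_var_run_t` and `ntp_script_exec_t`, but every other ntp hunk in this patch spells these types with the `ntpd_` prefix (`ntpd_key_t` in ntp.te and ntp.fc, `ntpd_script_exec_t` in `ntp_script_domtrans` earlier on this line), so the `gen_require` block would presumably fail to resolve the first time a role policy calls this interface. The re-spacing touched these lines without correcting the names, and the same spelling carries on into the `manage_all_pattern` calls in the next hunk. The comment `# Allow ntp_t to restart the apache service` reads as copied from another module and should be `# Allow $1 to restart the ntp service`; the same copied comment sits in `postgresql_admin` later in this patch. The interface body continues outside this hunk.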
@@ -20261,23 +19652,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. + allow $2 system_r; + + files_list_tmp($1) -+ manage_all_pattern($1,ntp_tmp_t) ++ manage_all_pattern($1, ntp_tmp_t) + + logging_list_logs($1) -+ manage_all_pattern($1,ntp_log_t) ++ manage_all_pattern($1, ntp_log_t) + -+ manage_all_pattern($1,ntp_key_t) ++ manage_all_pattern($1, ntp_key_t) + + files_list_pids($1) -+ manage_all_pattern($1,ntp_var_run_t) ++ manage_all_pattern($1, ntp_var_run_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.5.1/policy/modules/services/ntp.te ---- nsaserefpolicy/policy/modules/services/ntp.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/ntp.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.5.2/policy/modules/services/ntp.te +--- nsaserefpolicy/policy/modules/services/ntp.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/ntp.te 2008-08-05 12:15:11.000000000 -0400 @@ -25,6 +25,12 @@ type ntpdate_exec_t; - init_system_domain(ntpd_t,ntpdate_exec_t) + init_system_domain(ntpd_t, ntpdate_exec_t) +type ntpd_key_t; +files_type(ntpd_key_t) @@ -20303,11 +19694,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t) logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir }) -+read_files_pattern(ntpd_t,ntpd_key_t,ntpd_key_t) ++read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) + # for some reason it creates a file in /tmp - manage_dirs_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t) - manage_files_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t) + manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) + manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) @@ -82,6 +91,8 @@ fs_getattr_all_fs(ntpd_t) 
@@ -20345,9 +19736,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. logrotate_exec(ntpd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oav.te serefpolicy-3.5.1/policy/modules/services/oav.te ---- nsaserefpolicy/policy/modules/services/oav.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/oav.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oav.te serefpolicy-3.5.2/policy/modules/services/oav.te +--- nsaserefpolicy/policy/modules/services/oav.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/oav.te 2008-08-05 12:15:11.000000000 -0400 @@ -12,7 +12,7 @@ # cjp: may be collapsable to etc_t @@ -20358,7 +19749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oav. type oav_update_var_lib_t; files_type(oav_update_var_lib_t) @@ -22,7 +22,7 @@ - init_daemon_domain(scannerdaemon_t,scannerdaemon_exec_t) + init_daemon_domain(scannerdaemon_t, scannerdaemon_exec_t) type scannerdaemon_etc_t; -files_type(scannerdaemon_etc_t) 
@@ -20366,18 +19757,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oav. type scannerdaemon_log_t; logging_log_file(scannerdaemon_log_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.5.1/policy/modules/services/oddjob.fc ---- nsaserefpolicy/policy/modules/services/oddjob.fc 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/oddjob.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.5.2/policy/modules/services/oddjob.fc +--- nsaserefpolicy/policy/modules/services/oddjob.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/oddjob.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1,4 +1,4 @@ -/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.5.1/policy/modules/services/oddjob.if ---- nsaserefpolicy/policy/modules/services/oddjob.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/oddjob.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.5.2/policy/modules/services/oddjob.if +--- nsaserefpolicy/policy/modules/services/oddjob.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/oddjob.if 2008-08-05 12:15:11.000000000 -0400 @@ -44,6 +44,7 @@ ') @@ -20388,7 +19779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj ######################################## 
@@ -84,3 +85,34 @@ - domtrans_pattern($1,oddjob_mkhomedir_exec_t,oddjob_mkhomedir_t) + domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) ') + +######################################## @@ -20421,9 +19812,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj + role $2 types oddjob_mkhomedir_t; + dontaudit oddjob_mkhomedir_t $3:chr_file rw_term_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.5.1/policy/modules/services/oddjob.te ---- nsaserefpolicy/policy/modules/services/oddjob.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/oddjob.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.5.2/policy/modules/services/oddjob.te +--- nsaserefpolicy/policy/modules/services/oddjob.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/oddjob.te 2008-08-05 12:15:11.000000000 -0400 @@ -10,14 +10,21 @@ type oddjob_exec_t; domain_type(oddjob_t) @@ -20441,7 +19832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) +ifdef(`enable_mcs',` -+ init_ranged_daemon_domain(oddjob_t,oddjob_exec_t,s0 - mcs_systemhigh) ++ init_ranged_daemon_domain(oddjob_t, oddjob_exec_t,s0 - mcs_systemhigh) +') + # pid files 
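Review bot: The argument re-spacing this commit applies across the patch stops short on `init_ranged_daemon_domain(oddjob_t, oddjob_exec_t,s0 - mcs_systemhigh)`, which still has no space after the second comma; for consistency with the surrounding rewritten calls it should read `init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh)`. The `enable_mcs` block is otherwise unchanged by this commit, and the oddjob_t declarations it belongs to continue outside this hunk.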
@@ -20483,21 +19874,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj # Add/remove user home directories unprivuser_home_filetrans_home_dir(oddjob_mkhomedir_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openca.te serefpolicy-3.5.1/policy/modules/services/openca.te ---- nsaserefpolicy/policy/modules/services/openca.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/openca.te 2008-07-25 12:35:13.000000000 -0400 -@@ -18,7 +18,7 @@ - - # /etc/openca standard files - type openca_etc_t; --files_type(openca_etc_t) -+files_config_file(openca_etc_t) - - # /etc/openca template files - type openca_etc_in_t; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.5.1/policy/modules/services/openvpn.fc ---- nsaserefpolicy/policy/modules/services/openvpn.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/openvpn.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.5.2/policy/modules/services/openvpn.fc +--- nsaserefpolicy/policy/modules/services/openvpn.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/openvpn.fc 2008-08-05 12:15:11.000000000 -0400 @@ -11,5 +11,7 @@ # # /var 
@@ -20507,12 +19886,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0) + +/etc/rc.d/init.d/openvpn -- gen_context(system_u:object_r:openvpn_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.if serefpolicy-3.5.1/policy/modules/services/openvpn.if ---- nsaserefpolicy/policy/modules/services/openvpn.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/openvpn.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.if serefpolicy-3.5.2/policy/modules/services/openvpn.if +--- nsaserefpolicy/policy/modules/services/openvpn.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/openvpn.if 2008-08-05 12:15:11.000000000 -0400 @@ -90,3 +90,74 @@ - read_files_pattern($1,openvpn_etc_t,openvpn_etc_t) - read_lnk_files_pattern($1,openvpn_etc_t,openvpn_etc_t) + read_files_pattern($1, openvpn_etc_t, openvpn_etc_t) + read_lnk_files_pattern($1, openvpn_etc_t, openvpn_etc_t) ') + +######################################## @@ -20531,7 +19910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open + type openvpn_script_exec_t; + ') + -+ init_script_domtrans_spec($1,openvpn_script_exec_t) ++ init_script_domtrans_spec($1, openvpn_script_exec_t) +') + +######################################## 
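Review bot: The file-context entry `/etc/rc.d/init.d/openvpn` leaves its dots unescaped, unlike the `/etc/rc\.d/init\.d/ntpd` and `/etc/rc\.d/init\.d/postgresql` entries elsewhere in this patch; in an .fc file the path is a regex, so an unescaped `.` matches any character and the entry is wider than intended. The line should read `/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_script_exec_t,s0)`. The same unescaped form appears in the postfixpolicyd.fc hunk later in this patch. This commit only re-dates the headers and re-spaces the neighbouring interface calls, leaving the pattern as it was.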
@@ -20575,19 +19954,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open + allow $2 system_r; + + files_list_etc($1) -+ manage_all_pattern($1,openvpn_etc_t) ++ manage_all_pattern($1, openvpn_etc_t) + + logging_list_logs($1) -+ manage_all_pattern($1,openvpn_var_log_t) ++ manage_all_pattern($1, openvpn_var_log_t) + + files_list_pids($1) -+ manage_all_pattern($1,openvpn_var_run_t) ++ manage_all_pattern($1, openvpn_var_run_t) +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.5.1/policy/modules/services/openvpn.te ---- nsaserefpolicy/policy/modules/services/openvpn.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/openvpn.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.5.2/policy/modules/services/openvpn.te +--- nsaserefpolicy/policy/modules/services/openvpn.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/openvpn.te 2008-08-05 12:15:11.000000000 -0400 @@ -8,7 +8,7 @@ ## @@ -20596,7 +19975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open +## Allow openvpn service access to users home directories ##

##
- gen_tunable(openvpn_enable_homedirs,false) + gen_tunable(openvpn_enable_homedirs, false) @@ -20,7 +20,7 @@ # configuration files @@ -20625,12 +20004,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -47,6 +50,7 @@ allow openvpn_t openvpn_etc_t:dir list_dir_perms; - read_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t) - read_lnk_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t) -+can_exec(openvpn_t,openvpn_etc_t) + read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) + read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) ++can_exec(openvpn_t, openvpn_etc_t) allow openvpn_t openvpn_var_log_t:file manage_file_perms; - logging_log_filetrans(openvpn_t,openvpn_var_log_t,file) + logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) @@ -77,6 +81,7 @@ corenet_sendrecv_openvpn_server_packets(openvpn_t) corenet_rw_tun_tap_dev(openvpn_t) @@ -20652,9 +20031,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open + unconfined_use_terminals(openvpn_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.5.1/policy/modules/services/pegasus.te ---- nsaserefpolicy/policy/modules/services/pegasus.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/pegasus.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.5.2/policy/modules/services/pegasus.te +--- nsaserefpolicy/policy/modules/services/pegasus.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/pegasus.te 2008-08-05 12:15:11.000000000 -0400 @@ -96,13 +96,12 @@ auth_use_nsswitch(pegasus_t) 
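Review bot: `can_exec(openvpn_t, openvpn_etc_t)` lets the daemon execute anything labelled with its own configuration type, a noticeably broader grant than the `read_files_pattern`/`read_lnk_files_pattern` rules beside it, and nothing in the hunk records why. If this is for the up/down helper scripts openvpn runs from its configuration directory, a comment such as `# openvpn runs its up/down helper scripts from the config directory` would document the intent, and a separate exec type for those scripts would keep ordinary config files non-executable. This commit only re-spaces the line; the openvpn_t local policy continues outside this hunk.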
@@ -20671,7 +20050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega files_read_var_lib_symlinks(pegasus_t) hostname_exec(pegasus_t) -@@ -118,11 +117,9 @@ +@@ -118,7 +117,6 @@ miscfiles_read_localization(pegasus_t) @@ -20679,13 +20058,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega sysnet_domtrans_ifconfig(pegasus_t) userdom_dontaudit_use_unpriv_user_fds(pegasus_t) -- - sysadm_dontaudit_search_home_dirs(pegasus_t) - - optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.5.1/policy/modules/services/polkit.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.5.2/policy/modules/services/polkit.fc --- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/services/polkit.fc 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/polkit.fc 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,9 @@ + +/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) 
@@ -20696,9 +20071,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) +/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0) +/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.5.1/policy/modules/services/polkit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.5.2/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/services/polkit.if 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/polkit.if 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,208 @@ + +## policy for polkit_auth @@ -20719,7 +20094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + type polkit_auth_exec_t; + ') + -+ domtrans_pattern($1,polkit_auth_exec_t,polkit_auth_t) ++ domtrans_pattern($1, polkit_auth_exec_t, polkit_auth_t) +') + +######################################## @@ -20779,7 +20154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + type polkit_grant_exec_t; + ') + -+ domtrans_pattern($1,polkit_grant_exec_t,polkit_grant_t) ++ domtrans_pattern($1, polkit_grant_exec_t, polkit_grant_t) +') + +######################################## @@ -20798,7 +20173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + type polkit_resolve_exec_t; + ') + -+ domtrans_pattern($1,polkit_resolve_exec_t,polkit_resolve_t) ++ domtrans_pattern($1, polkit_resolve_exec_t, polkit_resolve_t) +') + +######################################## 
@@ -20908,11 +20283,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + polkit_read_lib($2) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.1/policy/modules/services/polkit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.2/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/services/polkit.te 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/polkit.te 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,221 @@ -+policy_module(polkit_auth,1.0.0) ++policy_module(polkit_auth, 1.0.0) + +######################################## +# @@ -20977,9 +20352,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +manage_files_pattern(polkit_t, polkit_var_lib_t, polkit_var_lib_t) + +# pid file -+manage_dirs_pattern(polkit_t,polkit_var_run_t,polkit_var_run_t) -+manage_files_pattern(polkit_t,polkit_var_run_t,polkit_var_run_t) -+files_pid_filetrans(polkit_t,polkit_var_run_t, { file dir }) ++manage_dirs_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t) ++manage_files_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t) ++files_pid_filetrans(polkit_t, polkit_var_run_t, { file dir }) + +optional_policy(` + dbus_system_domain(polkit_t, polkit_exec_t) 
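Review bot: `policy_module(polkit_auth, 1.0.0)` names the module `polkit_auth` although the file is polkit.te and the declarations that follow cover `polkit_t`, `polkit_grant_t` and `polkit_resolve_t` as well as `polkit_auth_t`; unless the mismatch is deliberate, the built module would carry a name that differs from its file and the header should read `policy_module(polkit, 1.0.0)`. The `## policy for polkit_auth` summary at the top of polkit.if on the preceding line looks like the same leftover and should describe the whole PolicyKit module. This commit only re-spaces the `policy_module` line, and the .te file continues past this hunk.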
@@ -21020,9 +20395,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t) + +# pid file -+manage_dirs_pattern(polkit_auth_t,polkit_var_run_t,polkit_var_run_t) -+manage_files_pattern(polkit_auth_t,polkit_var_run_t,polkit_var_run_t) -+files_pid_filetrans(polkit_auth_t,polkit_var_run_t, { file dir }) ++manage_dirs_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t) ++manage_files_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t) ++files_pid_filetrans(polkit_auth_t, polkit_var_run_t, { file dir }) + +unprivuser_append_home_content_files(polkit_auth_t) +unprivuser_dontaudit_read_home_content_files(polkit_auth_t) @@ -21068,7 +20443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + +polkit_domtrans_auth(polkit_grant_t) + -+manage_files_pattern(polkit_grant_t,polkit_var_run_t,polkit_var_run_t) ++manage_files_pattern(polkit_grant_t, polkit_var_run_t, polkit_var_run_t) + +manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t) +userdom_read_all_users_state(polkit_grant_t) 
@@ -21133,21 +20508,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +optional_policy(` + unconfined_ptrace(polkit_resolve_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-3.5.1/policy/modules/services/portslave.te ---- nsaserefpolicy/policy/modules/services/portslave.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/portslave.te 2008-07-25 12:35:13.000000000 -0400 -@@ -12,7 +12,7 @@ - init_daemon_domain(portslave_t,portslave_exec_t) - - type portslave_etc_t; --files_type(portslave_etc_t) -+files_config_file(portslave_etc_t) - - type portslave_lock_t; - files_lock_file(portslave_lock_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.5.1/policy/modules/services/postfix.fc ---- nsaserefpolicy/policy/modules/services/postfix.fc 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/postfix.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.5.2/policy/modules/services/postfix.fc +--- nsaserefpolicy/policy/modules/services/postfix.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/postfix.fc 2008-08-05 12:15:11.000000000 -0400 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) 
@@ -21172,9 +20535,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.5.1/policy/modules/services/postfix.if ---- nsaserefpolicy/policy/modules/services/postfix.if 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/postfix.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.5.2/policy/modules/services/postfix.if +--- nsaserefpolicy/policy/modules/services/postfix.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/postfix.if 2008-08-05 12:15:11.000000000 -0400 @@ -211,9 +211,8 @@ type postfix_etc_t; ') @@ -21214,7 +20577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + ') + + allow $1 postfix_private_t:dir list_dir_perms; -+ manage_sock_files_pattern($1,postfix_private_t,postfix_private_t) ++ manage_sock_files_pattern($1, postfix_private_t, postfix_private_t) +') + + @@ -21241,7 +20604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + ') + + files_search_spool($1) -+ manage_files_pattern($1,postfix_spool_t, postfix_spool_t) ++ manage_files_pattern($1, postfix_spool_t, postfix_spool_t) +') + +######################################## @@ -21249,9 +20612,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Execute postfix user mail programs ## in their respective domains. ##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.1/policy/modules/services/postfix.te ---- nsaserefpolicy/policy/modules/services/postfix.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/postfix.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.2/policy/modules/services/postfix.te +--- nsaserefpolicy/policy/modules/services/postfix.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/postfix.te 2008-08-05 14:59:12.000000000 -0400 @@ -6,6 +6,14 @@ # Declarations # @@ -21262,7 +20625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +## +##

+##
-+gen_tunable(allow_postfix_local_write_mail_spool,false) ++gen_tunable(allow_postfix_local_write_mail_spool, false) + attribute postfix_user_domains; # domains that transition to the @@ -21280,7 +20643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post postfix_server_domain_template(local) mta_mailserver_delivery(postfix_local_t) -+tunable_policy(`allow_postfix_local_write_mail_spool', ` ++tunable_policy(`allow_postfix_local_write_mail_spool',` + mta_manage_spool(postfix_local_t) +') + @@ -21290,7 +20653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post @@ -34,6 +46,7 @@ type postfix_map_t; type postfix_map_exec_t; - application_domain(postfix_map_t,postfix_map_exec_t) + application_domain(postfix_map_t, postfix_map_exec_t) +role system_r types postfix_map_t; type postfix_map_tmp_t; @@ -21332,13 +20695,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) -+manage_dirs_pattern(postfix_master_t,postfix_var_lib_t,postfix_var_lib_t) -+manage_files_pattern(postfix_master_t,postfix_var_lib_t,postfix_var_lib_t) ++manage_dirs_pattern(postfix_master_t, postfix_var_lib_t, postfix_var_lib_t) ++manage_files_pattern(postfix_master_t, postfix_var_lib_t, postfix_var_lib_t) +files_search_var_lib(postfix_master_t) + # allow access to deferred queue and allow removing bogus incoming entries - manage_dirs_pattern(postfix_master_t,postfix_spool_t,postfix_spool_t) - manage_files_pattern(postfix_master_t,postfix_spool_t,postfix_spool_t) + manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) + manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) @@ -181,12 +195,17 @@ mta_rw_aliases(postfix_master_t) 
@@ -21431,11 +20794,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; +allow postfix_pipe_t self:process setrlimit; - write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t) + write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) @@ -398,6 +431,12 @@ - rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) + rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) + @@ -21483,17 +20846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix qmgr local policy -@@ -539,9 +590,6 @@ - # connect to master process - stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) - --# Connect to policy server --corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) -- - # for prng_exch - allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; - allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; -@@ -564,6 +612,10 @@ +@@ -564,6 +615,10 @@ sasl_connect(postfix_smtpd_t) ') 
@@ -21504,27 +20857,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix virtual local policy -@@ -579,7 +631,7 @@ +@@ -579,7 +634,7 @@ files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) # connect to master process --stream_connect_pattern(postfix_virtual_t,postfix_public_t,postfix_public_t,postfix_master_t) -+stream_connect_pattern(postfix_virtual_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) +-stream_connect_pattern(postfix_virtual_t, postfix_public_t, postfix_public_t, postfix_master_t) ++stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) corecmd_exec_shell(postfix_virtual_t) corecmd_exec_bin(postfix_virtual_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.fc ---- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.5.2/policy/modules/services/postfixpolicyd.fc +--- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/postfixpolicyd.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -3,3 +3,5 @@ /usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0) /var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0) + +/etc/rc.d/init.d/postfixpolicyd -- gen_context(system_u:object_r:postfixpolicyd_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.if ---- nsaserefpolicy/policy/modules/services/postfixpolicyd.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.5.2/policy/modules/services/postfixpolicyd.if +--- nsaserefpolicy/policy/modules/services/postfixpolicyd.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/postfixpolicyd.if 2008-08-05 12:15:11.000000000 -0400 @@ -1 +1,68 @@ ## Postfix policy server + @@ -21544,7 +20897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + type postfix_policyd_script_exec_t; + ') + -+ init_script_domtrans_spec($1,postfix_policyd_script_exec_t) ++ init_script_domtrans_spec($1, postfix_policyd_script_exec_t) +') + +######################################## 
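Review bot: The init script in postfixpolicyd.fc is labelled `postfixpolicyd_script_exec_t`, while `postfix_policyd_script_domtrans` in the next hunk requires `postfix_policyd_script_exec_t`, so one of the two names is wrong and either the script stays unlabelled or the interface fails to resolve. Assuming the .te declaration, which is outside these hunks, uses the `postfix_policyd_` spelling like the module's other types, the .fc line should read `/etc/rc\.d/init\.d/postfixpolicyd -- gen_context(system_u:object_r:postfix_policyd_script_exec_t,s0)`; that also escapes the regex dots, which are unescaped here as in the openvpn.fc hunk earlier. This commit only re-dates the headers and re-spaces the `init_script_domtrans_spec` call.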
@@ -21587,16 +20940,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + allow $2 system_r; + + files_list_etc($1) -+ manage_all_pattern($1,postfix_policyd_conf_t) ++ manage_all_pattern($1, postfix_policyd_conf_t) + + files_list_pids($1) -+ manage_all_pattern($1,postfix_policyd_var_run_t) ++ manage_all_pattern($1, postfix_policyd_var_run_t) +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.te ---- nsaserefpolicy/policy/modules/services/postfixpolicyd.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.5.2/policy/modules/services/postfixpolicyd.te +--- nsaserefpolicy/policy/modules/services/postfixpolicyd.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/postfixpolicyd.te 2008-08-05 12:15:11.000000000 -0400 @@ -16,6 +16,9 @@ type postfix_policyd_var_run_t; files_pid_file(postfix_policyd_var_run_t) 
@@ -21607,9 +20960,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Local Policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.5.1/policy/modules/services/postgresql.fc ---- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/postgresql.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.5.2/policy/modules/services/postgresql.fc +--- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/postgresql.fc 2008-08-05 12:15:11.000000000 -0400 @@ -34,6 +34,7 @@ /var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0) 
@@ -21624,10 +20977,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) + +/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.5.1/policy/modules/services/postgresql.if ---- nsaserefpolicy/policy/modules/services/postgresql.if 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/postgresql.if 2008-07-25 12:35:13.000000000 -0400 -@@ -374,3 +374,72 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.5.2/policy/modules/services/postgresql.if +--- nsaserefpolicy/policy/modules/services/postgresql.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/postgresql.if 2008-08-05 15:03:34.000000000 -0400 +@@ -372,3 +372,70 @@ typeattribute $1 sepgsql_unconfined_type; ') @@ -21647,7 +21000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + type postgresql_script_exec_t; + ') + -+ init_script_domtrans_spec($1,postgresql_script_exec_t) ++ init_script_domtrans_spec($1, postgresql_script_exec_t) +') + +######################################## 
@@ -21673,16 +21026,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +# +interface(`postgresql_admin',` + gen_require(` -+ type postgresql_t; -+ type postgresql_var_run_t; -+ type postgresql_tmp_t; -+ type postgresql_db_t; -+ type postgresql_etc_t; -+ type postgresql_log_t; ++ type postgresql_t, postgresql_var_run_t; ++ type postgresql_tmp_t, postgresql_db_t; ++ type postgresql_etc_t, postgresql_log_t; ++ type postgresql_script_exec_t; + ') + -+ allow $1 postgresql_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, postgresql_t, postgresql_t) ++ allow $1 postgresql_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, postgresql_t) + + # Allow $1 to restart the apache service + postgresql_script_domtrans($1) 
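Review bot: The comment above `postgresql_script_domtrans($1)` still reads `# Allow $1 to restart the apache service`, a copy-paste leftover from the apache admin interface; it should be `# Allow $1 to restart the postgresql service`. Dropping `getattr` from the process allow in favour of `ps_process_pattern($1, postgresql_t)` is correct because that pattern already carries it, and the consolidated require block now names `postgresql_script_exec_t`, which the `role_transition` further down depends on. The remaining `ptrace` on postgresql_t lets the admin domain read the server's memory (connection credentials, query data); that is the usual refpolicy admin contract, but a one-line comment such as `# ptrace grants memory access to the server; do not hand this to a start/stop-only role` would keep it from being copied into narrower interfaces. The `postgresql_admin` body continues past the end of this hunk.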
@@ -21690,19 +21041,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + role_transition $2 postgresql_script_exec_t system_r; + allow $2 system_r; + -+ manage_all_pattern($1,postgresql_var_run_t) ++ manage_all_pattern($1, postgresql_var_run_t) + -+ manage_all_pattern($1,postgresql_db_t) ++ manage_all_pattern($1, postgresql_db_t) + -+ manage_all_pattern($1,postgresql_etc_t) ++ manage_all_pattern($1, postgresql_etc_t) + -+ manage_all_pattern($1,postgresql_log_t) ++ manage_all_pattern($1, postgresql_log_t) + -+ manage_all_pattern($1,postgresql_tmp_t) ++ manage_all_pattern($1, postgresql_tmp_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.5.1/policy/modules/services/postgresql.te ---- nsaserefpolicy/policy/modules/services/postgresql.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/postgresql.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.5.2/policy/modules/services/postgresql.te +--- nsaserefpolicy/policy/modules/services/postgresql.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/postgresql.te 2008-08-05 15:05:02.000000000 -0400 @@ -44,6 +44,9 @@ type postgresql_var_run_t; files_pid_file(postgresql_var_run_t) 
@@ -21713,27 +21064,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # database clients attribute attribute sepgsql_client_type; attribute sepgsql_unconfined_type; -@@ -87,14 +90,14 @@ - type sepgsql_table_t; - postgresql_table_object(sepgsql_table_t) - --type sepgsql_trusted_proc_exec_t; --postgresql_procedure_object(sepgsql_trusted_proc_exec_t) -+type sepgsql_trusted_proc_t; -+postgresql_procedure_object(sepgsql_trusted_proc_t) - - # Trusted Procedure Domain --type sepgsql_trusted_proc_t; --domain_type(sepgsql_trusted_proc_t) --postgresql_unconfined(sepgsql_trusted_proc_t) --role system_r types sepgsql_trusted_proc_t; -+type sepgsql_trusted_domain_t; -+domain_type(sepgsql_trusted_domain_t) -+postgresql_unconfined(sepgsql_trusted_domain_t) -+role system_r types sepgsql_trusted_domain_t; - - ######################################## - # @@ -186,6 +189,7 @@ fs_getattr_all_fs(postgresql_t) @@ -21742,9 +21072,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post selinux_get_enforce_mode(postgresql_t) selinux_validate_context(postgresql_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.fc serefpolicy-3.5.1/policy/modules/services/postgrey.fc ---- nsaserefpolicy/policy/modules/services/postgrey.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/postgrey.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.fc serefpolicy-3.5.2/policy/modules/services/postgrey.fc +--- nsaserefpolicy/policy/modules/services/postgrey.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/postgrey.fc 2008-08-05 12:15:11.000000000 -0400 @@ -7,3 +7,7 @@ /var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0) 
@@ -21753,10 +21083,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +/etc/rc.d/init.d/postgrey -- gen_context(system_u:object_r:postgrey_script_exec_t,s0) + +/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.5.1/policy/modules/services/postgrey.if ---- nsaserefpolicy/policy/modules/services/postgrey.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/postgrey.if 2008-07-25 12:35:13.000000000 -0400 -@@ -12,10 +12,82 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.5.2/policy/modules/services/postgrey.if +--- nsaserefpolicy/policy/modules/services/postgrey.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/postgrey.if 2008-08-05 15:06:33.000000000 -0400 +@@ -12,10 +12,80 @@ # interface(`postgrey_stream_connect',` gen_require(` @@ -21786,7 +21116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + type postgrey_script_exec_t; + ') + -+ init_script_domtrans_spec($1,postgrey_script_exec_t) ++ init_script_domtrans_spec($1, postgrey_script_exec_t) +') + +######################################## 
@@ -21813,15 +21143,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +# +interface(`postgrey_admin',` + gen_require(` -+ type postgrey_t; ++ type postgrey_t, postgrey_etc_t; ++ type postgrey_var_lib_t, postgrey_var_run_t; + type postgrey_script_exec_t; -+ type postgrey_etc_t; -+ type postgrey_var_lib_t; -+ type postgrey_var_run_t; + ') + -+ allow $1 postgrey_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, postgrey_t, postgrey_t) ++ allow $1 postgrey_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, postgrey_t) + + # Allow postgrey_t to restart the apache service + postgrey_script_domtrans($1) @@ -21840,9 +21168,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.5.1/policy/modules/services/postgrey.te ---- nsaserefpolicy/policy/modules/services/postgrey.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/postgrey.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.5.2/policy/modules/services/postgrey.te +--- nsaserefpolicy/policy/modules/services/postgrey.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/postgrey.te 2008-08-05 12:15:11.000000000 -0400 @@ -13,26 +13,38 @@ type postgrey_etc_t; files_config_file(postgrey_etc_t) 
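Review bot: The comment `# Allow postgrey_t to restart the apache service` is wrong on both counts — the subject is `$1`, not postgrey_t, and the service is postgrey; suggest `# Allow $1 to restart the postgrey service`. The merged require block still covers every type the interface touches (postgrey_t, postgrey_etc_t, postgrey_var_lib_t, postgrey_var_run_t, postgrey_script_exec_t), and replacing `read_files_pattern($1, postgrey_t, postgrey_t)` with `ps_process_pattern($1, postgrey_t)` is the right idiom for /proc access, with the redundant `getattr` removed from the process allow. The `postgrey_admin` body continues beyond this hunk.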
@@ -21872,16 +21200,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +allow postgrey_t self:fifo_file create_fifo_file_perms; allow postgrey_t postgrey_etc_t:dir list_dir_perms; - read_files_pattern(postgrey_t,postgrey_etc_t,postgrey_etc_t) - read_lnk_files_pattern(postgrey_t,postgrey_etc_t,postgrey_etc_t) + read_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t) + read_lnk_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t) -+manage_dirs_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t) -+manage_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t) -+manage_fifo_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t) -+manage_sock_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t) ++manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) ++manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) ++manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) ++manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) + - manage_files_pattern(postgrey_t,postgrey_var_lib_t,postgrey_var_lib_t) - files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file) + manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t) + files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file) @@ -86,6 +98,11 @@ ') 
@@ -21895,18 +21223,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post seutil_sigchld_newrole(postgrey_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.5.1/policy/modules/services/ppp.fc ---- nsaserefpolicy/policy/modules/services/ppp.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/ppp.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.5.2/policy/modules/services/ppp.fc +--- nsaserefpolicy/policy/modules/services/ppp.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/ppp.fc 2008-08-05 12:15:11.000000000 -0400 @@ -33,3 +33,5 @@ /var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) /var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0) + +/etc/rc.d/init.d/ppp -- gen_context(system_u:object_r:pppd_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.5.1/policy/modules/services/ppp.if ---- nsaserefpolicy/policy/modules/services/ppp.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/ppp.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.5.2/policy/modules/services/ppp.if +--- nsaserefpolicy/policy/modules/services/ppp.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/ppp.if 2008-08-05 12:15:11.000000000 -0400 @@ -309,33 +309,36 @@ type pppd_etc_rw_t, pppd_var_run_t; 
@@ -21938,7 +21266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. - manage_files_pattern($1, pppd_secret_t, pppd_secret_t) + manage_all_pattern($1, pppd_secret_t, pppd_secret_t) + -+ manage_all_pattern($1,pppd_script_exec_t) ++ manage_all_pattern($1, pppd_script_exec_t) files_list_pids($1) - manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t) @@ -21953,9 +21281,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. - manage_files_pattern($1, pptp_var_run_t, pptp_var_run_t) + manage_all_pattern($1, pptp_var_run_t, pptp_var_run_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.5.1/policy/modules/services/ppp.te ---- nsaserefpolicy/policy/modules/services/ppp.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/ppp.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.5.2/policy/modules/services/ppp.te +--- nsaserefpolicy/policy/modules/services/ppp.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/ppp.te 2008-08-05 12:15:11.000000000 -0400 @@ -116,7 +116,7 @@ kernel_read_kernel_sysctls(pppd_t) @@ -21982,7 +21310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ') optional_policy(` -+ dbus_system_domain(pppd_t,pppd_exec_t) ++ dbus_system_domain(pppd_t, pppd_exec_t) + + optional_policy(` + networkmanager_dbus_chat(pppd_t) 
@@ -21993,35 +21321,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. hostname_exec(pptp_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.5.1/policy/modules/services/prelude.fc ---- nsaserefpolicy/policy/modules/services/prelude.fc 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/prelude.fc 2008-07-25 12:35:13.000000000 -0400 -@@ -1,11 +1,17 @@ --/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0) -+ -+/sbin/audisp-prelude -- gen_context(system_u:object_r:audisp_prelude_exec_t,s0) - - /usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0) --/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0) - --/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0) -+/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_script_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.5.2/policy/modules/services/prelude.fc +--- nsaserefpolicy/policy/modules/services/prelude.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/prelude.fc 2008-08-05 15:09:56.000000000 -0400 +@@ -9,3 +9,10 @@ --/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0) -+/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0) - -+/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0) /var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) --/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) -+/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) -+/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0) + /var/spool/prelude(/.*)? 
gen_context(system_u:object_r:prelude_spool_t,s0) ++ +/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0) +/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0) + +/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_lml_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.5.1/policy/modules/services/prelude.if ---- nsaserefpolicy/policy/modules/services/prelude.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/prelude.if 2008-07-25 12:35:13.000000000 -0400 ++/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_script_exec_t,s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.5.2/policy/modules/services/prelude.if +--- nsaserefpolicy/policy/modules/services/prelude.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/prelude.if 2008-08-05 15:12:44.000000000 -0400 +@@ -6,7 +6,7 @@ + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access. + ## + ## + # @@ -42,7 +42,7 @@ ## ## @@ -22087,7 +21412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + type prelude_script_exec_t; + ') + -+ init_script_domtrans_spec($1,prelude_script_exec_t) ++ init_script_domtrans_spec($1, prelude_script_exec_t) +') + +######################################## @@ -22105,7 +21430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + type prelude_lml_script_exec_t; + ') + -+ init_script_domtrans_spec($1,prelude_lml_script_exec_t) ++ init_script_domtrans_spec($1, prelude_lml_script_exec_t) +') + +######################################## 
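Review bot: The new file-context entry `/var/run/prelude-lml.pid` leaves the dot unescaped while the two init-script entries added in the same hunk escape theirs (`/etc/rc\.d/init\.d/prelude-lml`); file_contexts patterns are regular expressions, so it should read `/var/run/prelude-lml\.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0)`. As written the `.` matches any character, which is harmless in practice but inconsistent with the rest of the file and with how restorecon/setfiles will compile it. Appending `/usr/bin/prelude-lml` after the `/var/spool` entries also departs from the path ordering the rest of prelude.fc follows; presumably it belongs beside the existing `/usr/bin/prelude-manager` line, which sits outside this hunk.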
@@ -22172,9 +21497,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + manage_all_pattern($1, prelude_lml_tmp_t) + manage_all_pattern($1, prelude_lml_var_run_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.1/policy/modules/services/prelude.te ---- nsaserefpolicy/policy/modules/services/prelude.te 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/prelude.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.2/policy/modules/services/prelude.te +--- nsaserefpolicy/policy/modules/services/prelude.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/prelude.te 2008-08-05 12:15:11.000000000 -0400 @@ -19,12 +19,31 @@ type prelude_var_lib_t; files_type(prelude_var_lib_t) 
@@ -22258,17 +21583,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +allow prelude_lml_t self:unix_stream_socket connectto; + +files_list_tmp(prelude_lml_t) -+manage_dirs_pattern(prelude_lml_t,prelude_lml_tmp_t,prelude_lml_tmp_t) -+manage_files_pattern(prelude_lml_t,prelude_lml_tmp_t,prelude_lml_tmp_t) ++manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) ++manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) +files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir }) + +files_search_spool(prelude_lml_t) -+manage_dirs_pattern(prelude_lml_t,prelude_spool_t,prelude_spool_t) -+manage_files_pattern(prelude_lml_t,prelude_spool_t,prelude_spool_t) ++manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) ++manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) + +files_search_var_lib(prelude_lml_t) -+manage_dirs_pattern(prelude_lml_t,prelude_var_lib_t,prelude_var_lib_t) -+manage_files_pattern(prelude_lml_t,prelude_var_lib_t,prelude_var_lib_t) ++manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) ++manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) + +manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t) +files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file) 
@@ -22331,9 +21656,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel optional_policy(` mysql_search_db(httpd_prewikka_script_t) mysql_stream_connect(httpd_prewikka_script_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.5.1/policy/modules/services/privoxy.fc ---- nsaserefpolicy/policy/modules/services/privoxy.fc 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/privoxy.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.5.2/policy/modules/services/privoxy.fc +--- nsaserefpolicy/policy/modules/services/privoxy.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/privoxy.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1,6 +1,10 @@ /etc/privoxy/user\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0) @@ -22345,9 +21670,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/priv + +/etc/rc.d/init.d/privoxy -- gen_context(system_u:object_r:privoxy_script_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.if serefpolicy-3.5.1/policy/modules/services/privoxy.if ---- nsaserefpolicy/policy/modules/services/privoxy.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/privoxy.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.if serefpolicy-3.5.2/policy/modules/services/privoxy.if +--- nsaserefpolicy/policy/modules/services/privoxy.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/privoxy.if 2008-08-05 12:15:11.000000000 -0400 @@ -2,6 +2,25 @@ ######################################## 
@@ -22366,7 +21691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/priv + type privoxy_script_exec_t; + ') + -+ init_script_domtrans_spec($1,privoxy_script_exec_t) ++ init_script_domtrans_spec($1, privoxy_script_exec_t) +') + +######################################## @@ -22383,28 +21708,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/priv allow $1 privoxy_t:process { ptrace signal_perms getattr }; ps_process_pattern($1, privoxy_t) -+ + + # Allow privoxy_t to restart the apache service + privoxy_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 privoxy_script_exec_t system_r; + allow $2 system_r; - ++ logging_list_logs($1) - manage_files_pattern($1, privoxy_log_t, privoxy_log_t) -+ manage_all_pattern($1,privoxy_log_t) ++ manage_all_pattern($1, privoxy_log_t) files_list_etc($1) - manage_files_pattern($1, privoxy_etc_rw_t, privoxy_etc_rw_t) -+ manage_all_pattern($1,privoxy_etc_rw_t) ++ manage_all_pattern($1, privoxy_etc_rw_t) files_list_pids($1) - manage_files_pattern($1, privoxy_var_run_t, privoxy_var_run_t) -+ manage_all_pattern($1,privoxy_var_run_t) ++ manage_all_pattern($1, privoxy_var_run_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.5.1/policy/modules/services/privoxy.te ---- nsaserefpolicy/policy/modules/services/privoxy.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/privoxy.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.5.2/policy/modules/services/privoxy.te +--- nsaserefpolicy/policy/modules/services/privoxy.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/privoxy.te 2008-08-05 12:15:11.000000000 -0400 @@ -19,6 +19,9 @@ type privoxy_var_run_t; files_pid_file(privoxy_var_run_t) 
@@ -22423,21 +21748,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/priv corenet_tcp_connect_tor_port(privoxy_t) corenet_sendrecv_http_cache_client_packets(privoxy_t) corenet_sendrecv_http_cache_server_packets(privoxy_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.5.1/policy/modules/services/procmail.fc ---- nsaserefpolicy/policy/modules/services/procmail.fc 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/procmail.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.5.2/policy/modules/services/procmail.fc +--- nsaserefpolicy/policy/modules/services/procmail.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/procmail.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1,2 +1,5 @@ /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) + +/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) +/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.5.1/policy/modules/services/procmail.if ---- nsaserefpolicy/policy/modules/services/procmail.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/procmail.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.5.2/policy/modules/services/procmail.if +--- nsaserefpolicy/policy/modules/services/procmail.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/procmail.if 2008-08-05 12:15:11.000000000 -0400 
@@ -39,3 +39,41 @@ corecmd_search_bin($1) - can_exec($1,procmail_exec_t) + can_exec($1, procmail_exec_t) ') + +######################################## @@ -22477,9 +21802,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc + files_search_tmp($1) + rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.5.1/policy/modules/services/procmail.te ---- nsaserefpolicy/policy/modules/services/procmail.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/procmail.te 2008-07-30 16:18:46.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.5.2/policy/modules/services/procmail.te +--- nsaserefpolicy/policy/modules/services/procmail.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/procmail.te 2008-08-05 12:15:11.000000000 -0400 @@ -14,6 +14,10 @@ type procmail_tmp_t; files_tmp_file(procmail_tmp_t) @@ -22497,10 +21822,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc +# Write log to /var/log/procmail.log or /var/log/procmail/.* +allow procmail_t procmail_log_t:dir setattr; -+create_files_pattern(procmail_t,procmail_log_t,procmail_log_t) -+append_files_pattern(procmail_t,procmail_log_t,procmail_log_t) -+read_lnk_files_pattern(procmail_t,procmail_log_t,procmail_log_t) -+logging_log_filetrans(procmail_t,procmail_log_t, { file dir }) ++create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) ++append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) ++read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t) ++logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) + allow procmail_t procmail_tmp_t:file manage_file_perms; files_tmp_filetrans(procmail_t, procmail_tmp_t, file) 
@@ -22572,9 +21897,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc +optional_policy(` + mailscanner_read_spool(procmail_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.5.1/policy/modules/services/pyzor.fc ---- nsaserefpolicy/policy/modules/services/pyzor.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/pyzor.fc 2008-07-30 08:49:44.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.5.2/policy/modules/services/pyzor.fc +--- nsaserefpolicy/policy/modules/services/pyzor.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/pyzor.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1,9 +1,12 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) @@ -22589,9 +21914,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo /var/log/pyzord\.log -- gen_context(system_u:object_r:pyzord_log_t,s0) + +/etc/rc.d/init.d/pyzord -- gen_context(system_u:object_r:pyzord_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.5.1/policy/modules/services/pyzor.if ---- nsaserefpolicy/policy/modules/services/pyzor.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/pyzor.if 2008-07-30 08:49:16.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.5.2/policy/modules/services/pyzor.if +--- nsaserefpolicy/policy/modules/services/pyzor.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/pyzor.if 2008-08-05 12:15:11.000000000 -0400 @@ -25,16 +25,16 @@ # template(`pyzor_per_role_template',` 
@@ -22609,16 +21934,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo - manage_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) - manage_lnk_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) - userdom_user_home_dir_filetrans($1, pyzord_t, $1_pyzor_home_t, { dir file lnk_file }) -+ manage_dirs_pattern(pyzor_t,pyzor_home_t,pyzor_home_t) -+ manage_files_pattern(pyzor_t,pyzor_home_t,pyzor_home_t) -+ manage_lnk_files_pattern(pyzor_t,pyzor_home_t,pyzor_home_t) -+ userdom_user_home_dir_filetrans($1,pyzor_t,pyzor_home_t,{ dir file lnk_file }) ++ manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) ++ manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) ++ manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) ++ userdom_user_home_dir_filetrans($1, pyzor_t, pyzor_home_t, { dir file lnk_file }) ') ######################################## @@ -94,3 +94,78 @@ corecmd_search_bin($1) - can_exec($1,pyzor_exec_t) + can_exec($1, pyzor_exec_t) ') + +######################################## @@ -22637,7 +21962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo + type pyzord_script_exec_t; + ') + -+ init_script_domtrans_spec($1,pyzord_script_exec_t) ++ init_script_domtrans_spec($1, pyzord_script_exec_t) +') + +######################################## 
@@ -22682,45 +22007,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo + allow $2 system_r; + + files_list_tmp($1) -+ manage_all_pattern($1,pyzor_tmp_t) ++ manage_all_pattern($1, pyzor_tmp_t) + + logging_list_logs($1) -+ manage_all_pattern($1,pyzord_log_t) ++ manage_all_pattern($1, pyzord_log_t) + + files_list_etc($1) -+ manage_all_pattern($1,pyzor_etc_t) ++ manage_all_pattern($1, pyzor_etc_t) + + files_list_var_lib($1) -+ manage_all_pattern($1,pyzor_var_lib_t) ++ manage_all_pattern($1, pyzor_var_lib_t) +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.5.1/policy/modules/services/pyzor.te ---- nsaserefpolicy/policy/modules/services/pyzor.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/pyzor.te 2008-07-30 09:40:12.000000000 -0400 -@@ -6,27 +6,66 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.5.2/policy/modules/services/pyzor.te +--- nsaserefpolicy/policy/modules/services/pyzor.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/pyzor.te 2008-08-05 12:15:11.000000000 -0400 +@@ -6,6 +6,37 @@ # Declarations # --type pyzor_t; --type pyzor_exec_t; --application_domain(pyzor_t,pyzor_exec_t) --role system_r types pyzor_t; -- --type pyzord_t; --type pyzord_exec_t; --domain_type(pyzord_t) --init_daemon_domain(pyzord_t,pyzord_exec_t) -- --type pyzor_etc_t; --files_type(pyzor_etc_t) - --type pyzord_log_t; --logging_log_file(pyzord_log_t) ++ +ifdef(`distro_redhat',` - --type pyzor_tmp_t; --files_tmp_file(pyzor_tmp_t) ++ + gen_require(` + type spamc_t; + type spamc_exec_t; 
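Review bot: The new `ifdef(`distro_redhat',` branch opens with a `gen_require` of `spamc_t` and `spamc_exec_t` at module scope, outside any `optional_policy`, which makes the spamassassin module a hard load-time dependency of pyzor on Red Hat builds — if spamassassin.pp is not installed, pyzor.pp will fail to insert. Only `typealias spamd_etc_t alias pyzor_etc_t` and `typealias spamc_home_t alias pyzor_home_t` are visible in this chunk, but given the required types the lines between the hunks presumably alias pyzor_t/pyzord_t onto spamc_t/spamd_t as well, so every rule below that names pyzor_t, and every `manage_all_pattern` in `pyzord_admin`, then widens the spam* domains and types instead of pyzor's. That is a deliberate merge and fine if intended, but it deserves a comment at the top of the branch, e.g. `# On Red Hat pyzor runs inside the spamassassin domains; these aliases fold the pyzor types into spamc/spamd`, plus a check that every type the interfaces require (pyzor_tmp_t, pyzord_log_t, pyzor_var_lib_t, pyzord_script_exec_t) has an alias in this branch. The ifdef and its else branch continue past the end of this hunk.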
@@ -22747,53 +22056,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo + typealias spamd_etc_t alias pyzor_etc_t; + typealias spamc_home_t alias pyzor_home_t; + -+', ` -+ -+ type pyzor_t; -+ type pyzor_exec_t; -+ application_domain(pyzor_t,pyzor_exec_t) -+ role system_r types pyzor_t; -+ -+ type pyzord_t; -+ type pyzord_exec_t; -+ domain_type(pyzord_t) -+ init_daemon_domain(pyzord_t,pyzord_exec_t) ++',` + -+ type pyzor_etc_t; + type pyzor_t; + type pyzor_exec_t; + application_domain(pyzor_t, pyzor_exec_t) +@@ -17,7 +48,7 @@ + init_daemon_domain(pyzord_t, pyzord_exec_t) + + type pyzor_etc_t; +-files_type(pyzor_etc_t) + files_config_file(pyzor_etc_t) -+ -+ type pyzord_log_t; -+ logging_log_file(pyzord_log_t) -+ -+ type pyzor_tmp_t; -+ files_tmp_file(pyzor_tmp_t) --type pyzor_var_lib_t; --files_type(pyzor_var_lib_t) -+ type pyzor_var_lib_t; -+ files_type(pyzor_var_lib_t) -+ + type pyzord_log_t; + logging_log_file(pyzord_log_t) +@@ -28,6 +59,14 @@ + type pyzor_var_lib_t; + files_type(pyzor_var_lib_t) + + type pyzor_home_t; -+ userdom_user_home_content(user,pyzor_home_t) ++ userdom_user_home_content(user, pyzor_home_t) + + type pyzord_script_exec_t; + init_script_type(pyzord_script_exec_t) + +') - ++ ######################################## # -@@ -39,8 +78,8 @@ - read_files_pattern(pyzor_t,pyzor_var_lib_t,pyzor_var_lib_t) - files_search_var_lib(pyzor_t) - --manage_files_pattern(pyzor_t,pyzor_tmp_t,pyzor_tmp_t) --manage_dirs_pattern(pyzor_t,pyzor_tmp_t,pyzor_tmp_t) -+manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t) -+manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t) - files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir }) - - kernel_read_kernel_sysctls(pyzor_t) + # Pyzor local policy @@ -68,6 +107,8 @@ miscfiles_read_localization(pyzor_t) 
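Review bot: The lone `+')` after `init_script_type(pyzord_script_exec_t)` closes an `ifdef(`distro_redhat'', ..., ...)` whose opening is some sixty lines earlier and outside this hunk; a trailing `# end ifdef distro_redhat / else` comment would spare the next reader from bracket-matching across the whole declarations section. Inside the else branch, turning `files_type(pyzor_etc_t)` into `files_config_file(pyzor_etc_t)` is a sensible tightening, but the branch is now the only place that declares `type pyzor_home_t;` and `type pyzord_script_exec_t;`, while the Red Hat branch must supply the same names through aliases for `pyzord_admin` and `pyzor_per_role_template` to build — worth a `# must stay in sync with the aliases in the distro_redhat branch` note on those two declarations. The enclosing ifdef starts before this hunk.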
@@ -22817,9 +22108,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.5.1/policy/modules/services/qmail.te ---- nsaserefpolicy/policy/modules/services/qmail.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/qmail.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.5.2/policy/modules/services/qmail.te +--- nsaserefpolicy/policy/modules/services/qmail.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/qmail.te 2008-08-05 12:15:11.000000000 -0400 @@ -14,7 +14,7 @@ qmail_child_domain_template(qmail_clean, qmail_start_t) @@ -22865,8 +22156,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmai # # qmail-lspawn local policy @@ -155,6 +167,10 @@ - manage_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t) - rw_fifo_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t) + manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) + rw_fifo_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) +corecmd_exec_bin(qmail_queue_t) + 
@@ -22886,18 +22177,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmai ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.fc serefpolicy-3.5.1/policy/modules/services/radius.fc ---- nsaserefpolicy/policy/modules/services/radius.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/radius.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.fc serefpolicy-3.5.2/policy/modules/services/radius.fc +--- nsaserefpolicy/policy/modules/services/radius.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/radius.fc 2008-08-05 12:15:11.000000000 -0400 @@ -20,3 +20,5 @@ /var/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0) /var/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_var_run_t,s0) + +/etc/rc.d/init.d/radiusd -- gen_context(system_u:object_r:radius_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.if serefpolicy-3.5.1/policy/modules/services/radius.if ---- nsaserefpolicy/policy/modules/services/radius.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/radius.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.if serefpolicy-3.5.2/policy/modules/services/radius.if +--- nsaserefpolicy/policy/modules/services/radius.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/radius.if 2008-08-05 12:15:11.000000000 -0400 @@ -16,6 +16,25 @@ ######################################## 
@@ -22916,7 +22207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi + type radius_script_exec_t; + ') + -+ init_script_domtrans_spec($1,radius_script_exec_t) ++ init_script_domtrans_spec($1, radius_script_exec_t) +') + +######################################## @@ -22959,9 +22250,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi - manage_files_pattern($1, radiusd_var_run_t, radiusd_var_run_t) + manage_all_pattern($1, radiusd_var_run_t, radiusd_var_run_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.5.1/policy/modules/services/radius.te ---- nsaserefpolicy/policy/modules/services/radius.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/radius.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.5.2/policy/modules/services/radius.te +--- nsaserefpolicy/policy/modules/services/radius.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/radius.te 2008-08-05 15:15:41.000000000 -0400 @@ -25,6 +25,9 @@ type radiusd_var_run_t; files_pid_file(radiusd_var_run_t) @@ -22985,7 +22276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi -allow radiusd_t self:netlink_route_socket r_netlink_socket_perms; allow radiusd_t radiusd_etc_t:dir list_dir_perms; - read_files_pattern(radiusd_t,radiusd_etc_t,radiusd_etc_t) + read_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t) @@ -86,9 +88,6 @@ fs_getattr_all_fs(radiusd_t) fs_search_auto_mountpoints(radiusd_t) 
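Review bot: `manage_all_pattern($1, radiusd_var_run_t, radiusd_var_run_t)` in the radius.if hunk passes three arguments, while every other call in this patch (the pyzor, radvd, roundup and rpcbind interfaces) uses the two-argument form `manage_all_pattern($1, <type>)`. If the macro is defined with two parameters, m4 silently drops the third and this line only works by accident; if it takes three like `manage_files_pattern`, the two-argument callers are the broken ones. Either way the calls should agree; assuming the two-argument form is the intended one, change the line to `manage_all_pattern($1, radiusd_var_run_t)`. The enclosing interface starts outside the hunk.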
@@ -23007,18 +22298,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi libs_use_ld_so(radiusd_t) libs_use_shared_libs(radiusd_t) libs_exec_lib_files(radiusd_t) -@@ -107,10 +110,7 @@ +@@ -107,8 +110,6 @@ miscfiles_read_localization(radiusd_t) miscfiles_read_certs(radiusd_t) -sysnet_read_config(radiusd_t) - userdom_dontaudit_use_unpriv_user_fds(radiusd_t) -- - sysadm_dontaudit_search_home_dirs(radiusd_t) - sysadm_dontaudit_getattr_home_dirs(radiusd_t) -@@ -123,7 +123,9 @@ + sysadm_dontaudit_search_home_dirs(radiusd_t) +@@ -123,7 +124,9 @@ ') optional_policy(` @@ -23029,17 +22318,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.fc serefpolicy-3.5.1/policy/modules/services/radvd.fc ---- nsaserefpolicy/policy/modules/services/radvd.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/radvd.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.fc serefpolicy-3.5.2/policy/modules/services/radvd.fc +--- nsaserefpolicy/policy/modules/services/radvd.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/radvd.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -5,3 +5,4 @@ /var/run/radvd\.pid -- gen_context(system_u:object_r:radvd_var_run_t,s0) /var/run/radvd(/.*)? gen_context(system_u:object_r:radvd_var_run_t,s0) +/etc/rc.d/init.d/radvd -- gen_context(system_u:object_r:radvd_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.if serefpolicy-3.5.1/policy/modules/services/radvd.if ---- nsaserefpolicy/policy/modules/services/radvd.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/radvd.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.if serefpolicy-3.5.2/policy/modules/services/radvd.if +--- nsaserefpolicy/policy/modules/services/radvd.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/radvd.if 2008-08-05 12:15:11.000000000 -0400 @@ -2,6 +2,25 @@ ######################################## @@ -23058,7 +22347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radv + type radvd_script_exec_t; + ') + -+ init_script_domtrans_spec($1,radvd_script_exec_t) ++ init_script_domtrans_spec($1, radvd_script_exec_t) +') + +######################################## 
@@ -23075,24 +22364,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radv allow $1 radvd_t:process { ptrace signal_perms getattr }; ps_process_pattern($1, radvd_t) -+ + + # Allow radvd_t to restart the apache service + radvd_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 radvd_script_exec_t system_r; + allow $2 system_r; - ++ files_list_etc($1) - manage_files_pattern($1, radvd_etc_t, radvd_etc_t) -+ manage_all_pattern($1,radvd_etc_t) ++ manage_all_pattern($1, radvd_etc_t) files_list_pids($1) - manage_files_pattern($1, radvd_var_run_t, radvd_var_run_t) -+ manage_all_pattern($1,radvd_var_run_t) ++ manage_all_pattern($1, radvd_var_run_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.5.1/policy/modules/services/radvd.te ---- nsaserefpolicy/policy/modules/services/radvd.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/radvd.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.5.2/policy/modules/services/radvd.te +--- nsaserefpolicy/policy/modules/services/radvd.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/radvd.te 2008-08-05 12:15:11.000000000 -0400 @@ -15,6 +15,9 @@ type radvd_etc_t; files_config_file(radvd_etc_t) 
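Review bot: The comment `# Allow radvd_t to restart the apache service` in the radvd.if hunk is wrong on both counts: the rules beneath it (`radvd_script_domtrans($1)`, `role_transition $2 radvd_script_exec_t system_r;`) let the caller's domain `$1` run the radvd init script, not radvd_t, and the service is radvd, not apache — it reads like a leftover from the apache admin interface. Replace it with `# Allow $1 to run the radvd init script (restart the service)`. The same hunk also replaces `manage_files_pattern($1, radvd_etc_t, radvd_etc_t)` with `manage_all_pattern($1, radvd_etc_t)`, which presumably covers more than plain files; a one-line comment stating that this is meant for the admin interface would stop a reader from taking it for an accidental widening. The enclosing interface starts outside the hunk.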
@@ -23111,18 +22400,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radv allow radvd_t radvd_etc_t:file read_file_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.5.1/policy/modules/services/razor.fc ---- nsaserefpolicy/policy/modules/services/razor.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/razor.fc 2008-07-30 08:48:46.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.5.2/policy/modules/services/razor.fc +--- nsaserefpolicy/policy/modules/services/razor.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/razor.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1,4 +1,4 @@ -HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:ROLE_razor_home_t,s0) +HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.5.1/policy/modules/services/razor.if ---- nsaserefpolicy/policy/modules/services/razor.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/razor.if 2008-07-30 08:48:07.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.5.2/policy/modules/services/razor.if +--- nsaserefpolicy/policy/modules/services/razor.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/razor.if 2008-08-05 12:15:11.000000000 -0400 @@ -137,6 +137,7 @@ template(`razor_per_role_template',` gen_require(` 
@@ -23137,7 +22426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo - type $1_razor_home_t alias $1_razor_rw_t; - files_poly_member($1_razor_home_t) -- userdom_user_home_content($1,$1_razor_home_t) +- userdom_user_home_content($1, $1_razor_home_t) - - type $1_razor_tmp_t; - files_tmp_file($1_razor_tmp_t) @@ -23150,33 +22439,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo allow $1_razor_t self:unix_stream_socket create_stream_socket_perms; -- manage_dirs_pattern($1_razor_t,$1_razor_home_t,$1_razor_home_t) -- manage_files_pattern($1_razor_t,$1_razor_home_t,$1_razor_home_t) -- manage_lnk_files_pattern($1_razor_t,$1_razor_home_t,$1_razor_home_t) -- userdom_user_home_dir_filetrans($1,$1_razor_t,$1_razor_home_t,dir) -+ manage_dirs_pattern($1_razor_t, razor_home_t,razor_home_t) -+ manage_files_pattern($1_razor_t, razor_home_t,razor_home_t) -+ manage_lnk_files_pattern($1_razor_t, razor_home_t,razor_home_t) -+ userdom_user_home_dir_filetrans($1,$1_razor_t,razor_home_t,dir) - - manage_dirs_pattern($1_razor_t,$1_razor_tmp_t,$1_razor_tmp_t) - manage_files_pattern($1_razor_t,$1_razor_tmp_t,$1_razor_tmp_t) +- manage_dirs_pattern($1_razor_t, $1_razor_home_t, $1_razor_home_t) +- manage_files_pattern($1_razor_t, $1_razor_home_t, $1_razor_home_t) +- manage_lnk_files_pattern($1_razor_t, $1_razor_home_t, $1_razor_home_t) +- userdom_user_home_dir_filetrans($1, $1_razor_t, $1_razor_home_t, dir) ++ manage_dirs_pattern($1_razor_t, razor_home_t, razor_home_t) ++ manage_files_pattern($1_razor_t, razor_home_t, razor_home_t) ++ manage_lnk_files_pattern($1_razor_t, razor_home_t, razor_home_t) ++ userdom_user_home_dir_filetrans($1, $1_razor_t, razor_home_t, dir) + + manage_dirs_pattern($1_razor_t, $1_razor_tmp_t, $1_razor_tmp_t) + manage_files_pattern($1_razor_t, $1_razor_tmp_t, $1_razor_tmp_t) 
@@ -170,12 +167,12 @@ domtrans_pattern($2, razor_exec_t, $1_razor_t) -- manage_dirs_pattern($2,$1_razor_home_t,$1_razor_home_t) -- manage_files_pattern($2,$1_razor_home_t,$1_razor_home_t) -- manage_lnk_files_pattern($2,$1_razor_home_t,$1_razor_home_t) -- relabel_dirs_pattern($2,$1_razor_home_t,$1_razor_home_t) -- relabel_files_pattern($2,$1_razor_home_t,$1_razor_home_t) -- relabel_lnk_files_pattern($2,$1_razor_home_t,$1_razor_home_t) -+ manage_dirs_pattern($2,razor_home_t,razor_home_t) -+ manage_files_pattern($2,razor_home_t,razor_home_t) -+ manage_lnk_files_pattern($2,razor_home_t,razor_home_t) -+ relabel_dirs_pattern($2,razor_home_t,razor_home_t) -+ relabel_files_pattern($2,razor_home_t,razor_home_t) -+ relabel_lnk_files_pattern($2,razor_home_t,razor_home_t) +- manage_dirs_pattern($2, $1_razor_home_t, $1_razor_home_t) +- manage_files_pattern($2, $1_razor_home_t, $1_razor_home_t) +- manage_lnk_files_pattern($2, $1_razor_home_t, $1_razor_home_t) +- relabel_dirs_pattern($2, $1_razor_home_t, $1_razor_home_t) +- relabel_files_pattern($2, $1_razor_home_t, $1_razor_home_t) +- relabel_lnk_files_pattern($2, $1_razor_home_t, $1_razor_home_t) ++ manage_dirs_pattern($2, razor_home_t, razor_home_t) ++ manage_files_pattern($2, razor_home_t, razor_home_t) ++ manage_lnk_files_pattern($2, razor_home_t, razor_home_t) ++ relabel_dirs_pattern($2, razor_home_t, razor_home_t) ++ relabel_files_pattern($2, razor_home_t, razor_home_t) ++ relabel_lnk_files_pattern($2, razor_home_t, razor_home_t) logging_send_syslog_msg($1_razor_t) @@ -23219,8 +22508,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo + + files_search_home($2) + allow $2 user_home_dir_t:dir search_dir_perms; -+ manage_files_pattern($2,razor_home_t,razor_home_t) -+ read_lnk_files_pattern($2,razor_home_t,razor_home_t) ++ manage_files_pattern($2, razor_home_t, razor_home_t) ++ read_lnk_files_pattern($2, razor_home_t, razor_home_t) +') + +######################################## 
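Review bot: `allow $2 user_home_dir_t:dir search_dir_perms;` in the razor.if hunk references a userdom type directly instead of going through a userdom_ interface, and no `gen_require` for `user_home_dir_t` is visible in the hunk (the interface header is outside it). Reference-policy modules are expected to reach other modules' types only via their interfaces; a raw `allow` hides the cross-module dependency and breaks silently if the type is renamed, whereas the remotelogin hunk further down shows the expected pattern with `userdom_search_all_users_home_content`. Use the userdom interface that grants search on user home directories in place of the raw `allow`, or at minimum add `type user_home_dir_t;` to the interface's `gen_require`.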
@@ -23242,9 +22531,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo + read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.5.1/policy/modules/services/razor.te ---- nsaserefpolicy/policy/modules/services/razor.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/razor.te 2008-07-30 09:20:07.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.5.2/policy/modules/services/razor.te +--- nsaserefpolicy/policy/modules/services/razor.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/razor.te 2008-08-05 12:15:11.000000000 -0400 @@ -6,21 +6,51 @@ # Declarations # @@ -23269,12 +22558,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo + typealias spamd_etc_t alias razor_etc_t; + typealias spamassassin_home_t alias razor_home_t; + -+', ` ++',` + type razor_t; type razor_exec_t; domain_type(razor_t) - domain_entry_file(razor_t,razor_exec_t) + domain_entry_file(razor_t, razor_exec_t) role system_r types razor_t; -type razor_etc_t; @@ -23290,7 +22579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo +files_config_file(razor_etc_t) + +type razor_home_t; -+userdom_user_home_content(user,razor_home_t) ++userdom_user_home_content(user, razor_home_t) + +type razor_tmp_t; +files_tmp_file(razor_tmp_t) 
@@ -23300,9 +22589,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo razor_common_domain_template(razor) ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.5.1/policy/modules/services/rdisc.if ---- nsaserefpolicy/policy/modules/services/rdisc.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/rdisc.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.5.2/policy/modules/services/rdisc.if +--- nsaserefpolicy/policy/modules/services/rdisc.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/rdisc.if 2008-08-05 12:15:11.000000000 -0400 @@ -1 +1,20 @@ ## Network router discovery daemon + @@ -23322,11 +22611,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdis + type rdisc_script_exec_t; + ') + -+ init_script_domtrans_spec($1,rdisc_script_exec_t) ++ init_script_domtrans_spec($1, rdisc_script_exec_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.te serefpolicy-3.5.1/policy/modules/services/rdisc.te ---- nsaserefpolicy/policy/modules/services/rdisc.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/rdisc.te 2008-08-01 12:03:39.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.te serefpolicy-3.5.2/policy/modules/services/rdisc.te +--- nsaserefpolicy/policy/modules/services/rdisc.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/rdisc.te 2008-08-05 12:15:11.000000000 -0400 @@ -45,6 +45,8 @@ libs_use_ld_so(rdisc_t) libs_use_shared_libs(rdisc_t) 
@@ -23336,9 +22625,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdis logging_send_syslog_msg(rdisc_t) sysnet_read_config(rdisc_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.5.1/policy/modules/services/remotelogin.te ---- nsaserefpolicy/policy/modules/services/remotelogin.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/remotelogin.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.5.2/policy/modules/services/remotelogin.te +--- nsaserefpolicy/policy/modules/services/remotelogin.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/remotelogin.te 2008-08-05 12:15:11.000000000 -0400 @@ -85,6 +85,7 @@ miscfiles_read_localization(remote_login_t) 
@@ -23347,31 +22636,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo userdom_use_unpriv_users_fds(remote_login_t) userdom_search_all_users_home_content(remote_login_t) # Only permit unprivileged user domains to be entered via rlogin, -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.5.1/policy/modules/services/rhgb.te ---- nsaserefpolicy/policy/modules/services/rhgb.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/rhgb.te 2008-07-25 12:35:13.000000000 -0400 -@@ -92,6 +92,7 @@ - term_getattr_pty_fs(rhgb_t) - - init_write_initctl(rhgb_t) -+init_chat(rhgb_t) - - libs_use_ld_so(rhgb_t) - libs_use_shared_libs(rhgb_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.5.1/policy/modules/services/ricci.te ---- nsaserefpolicy/policy/modules/services/ricci.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/ricci.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.5.2/policy/modules/services/ricci.te +--- nsaserefpolicy/policy/modules/services/ricci.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/ricci.te 2008-08-05 12:15:11.000000000 -0400 
@@ -443,6 +443,7 @@ - create_files_pattern(ricci_modstorage_t,ricci_modstorage_lock_t,ricci_modstorage_lock_t) - files_lock_filetrans(ricci_modstorage_t,ricci_modstorage_lock_t,file) + create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t) + files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file) +corecmd_exec_shell(ricci_modstorage_t) corecmd_exec_bin(ricci_modstorage_t) dev_read_sysfs(ricci_modstorage_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.5.1/policy/modules/services/rlogin.te ---- nsaserefpolicy/policy/modules/services/rlogin.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/rlogin.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.5.2/policy/modules/services/rlogin.te +--- nsaserefpolicy/policy/modules/services/rlogin.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/rlogin.te 2008-08-05 12:15:11.000000000 -0400 @@ -94,8 +94,8 @@ remotelogin_signal(rlogind_t) @@ -23383,18 +22661,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.fc serefpolicy-3.5.1/policy/modules/services/roundup.fc ---- nsaserefpolicy/policy/modules/services/roundup.fc 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/roundup.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.fc serefpolicy-3.5.2/policy/modules/services/roundup.fc +--- nsaserefpolicy/policy/modules/services/roundup.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/roundup.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -7,3 +7,5 @@ # /var # /var/lib/roundup(/.*)? -- gen_context(system_u:object_r:roundup_var_lib_t,s0) + +/etc/rc.d/init.d/roundup -- gen_context(system_u:object_r:roundup_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.if serefpolicy-3.5.1/policy/modules/services/roundup.if ---- nsaserefpolicy/policy/modules/services/roundup.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/roundup.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.if serefpolicy-3.5.2/policy/modules/services/roundup.if +--- nsaserefpolicy/policy/modules/services/roundup.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/roundup.if 2008-08-05 12:15:11.000000000 -0400 @@ -1 +1,66 @@ ## Roundup Issue Tracking System policy + @@ -23414,7 +22692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roun + type roundup_script_exec_t; + ') + -+ init_script_domtrans_spec($1,roundup_script_exec_t) ++ init_script_domtrans_spec($1, roundup_script_exec_t) +') + +######################################## 
@@ -23457,14 +22735,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roun + allow $2 system_r; + + files_list_var_lib($1) -+ manage_all_pattern($1,roundup_var_lib_t) ++ manage_all_pattern($1, roundup_var_lib_t) + + files_list_pids($1) -+ manage_all_pattern($1,roundup_var_run_t) ++ manage_all_pattern($1, roundup_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.te serefpolicy-3.5.1/policy/modules/services/roundup.te ---- nsaserefpolicy/policy/modules/services/roundup.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/roundup.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.te serefpolicy-3.5.2/policy/modules/services/roundup.te +--- nsaserefpolicy/policy/modules/services/roundup.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/roundup.te 2008-08-05 12:15:11.000000000 -0400 @@ -16,6 +16,9 @@ type roundup_var_lib_t; files_type(roundup_var_lib_t) @@ -23475,9 +22753,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roun ######################################## # # Local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.5.1/policy/modules/services/rpc.if ---- nsaserefpolicy/policy/modules/services/rpc.if 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/rpc.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.5.2/policy/modules/services/rpc.if +--- nsaserefpolicy/policy/modules/services/rpc.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/rpc.if 2008-08-05 12:15:11.000000000 -0400 
@@ -88,8 +88,11 @@ # bind to arbitary unused ports corenet_tcp_bind_generic_port($1_t) @@ -23508,7 +22786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. + type rpcd_t, rpcd_exec_t; + ') + -+ domtrans_pattern($1,rpcd_exec_t,rpcd_t) ++ domtrans_pattern($1, rpcd_exec_t, rpcd_t) +') + +######################################## @@ -23516,11 +22794,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ## Read NFS exported content. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.1/policy/modules/services/rpc.te ---- nsaserefpolicy/policy/modules/services/rpc.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/rpc.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.2/policy/modules/services/rpc.te +--- nsaserefpolicy/policy/modules/services/rpc.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/rpc.te 2008-08-05 12:15:11.000000000 -0400 @@ -23,7 +23,7 @@ - gen_tunable(allow_nfsd_anon_write,false) + gen_tunable(allow_nfsd_anon_write, false) type exports_t; -files_type(exports_t) @@ -23598,7 +22876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. tunable_policy(`nfs_export_all_ro',` @@ -149,6 +166,7 @@ - manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t) + manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) +kernel_read_system_state(gssd_t) 
@@ -23630,20 +22908,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.5.1/policy/modules/services/rpcbind.fc ---- nsaserefpolicy/policy/modules/services/rpcbind.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/rpcbind.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.5.2/policy/modules/services/rpcbind.fc +--- nsaserefpolicy/policy/modules/services/rpcbind.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/rpcbind.fc 2008-08-05 12:15:11.000000000 -0400 @@ -5,3 +5,5 @@ /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) /var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) /var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0) + +/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.5.1/policy/modules/services/rpcbind.if ---- nsaserefpolicy/policy/modules/services/rpcbind.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/rpcbind.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.5.2/policy/modules/services/rpcbind.if +--- nsaserefpolicy/policy/modules/services/rpcbind.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/rpcbind.if 2008-08-05 12:15:11.000000000 -0400 @@ -95,3 +95,68 @@ - manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t) + manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) files_search_var_lib($1) ') + 
@@ -23663,7 +22941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb + type rpcbind_script_exec_t; + ') + -+ init_script_domtrans_spec($1,rpcbind_script_exec_t) ++ init_script_domtrans_spec($1, rpcbind_script_exec_t) +') + +######################################## @@ -23706,14 +22984,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb + allow $2 system_r; + + files_list_var_lib($1) -+ manage_all_pattern($1,rpcbind_var_lib_t) ++ manage_all_pattern($1, rpcbind_var_lib_t) + + files_list_pids($1) -+ manage_all_pattern($1,rpcbind_var_run_t) ++ manage_all_pattern($1, rpcbind_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.5.1/policy/modules/services/rpcbind.te ---- nsaserefpolicy/policy/modules/services/rpcbind.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/rpcbind.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.5.2/policy/modules/services/rpcbind.te +--- nsaserefpolicy/policy/modules/services/rpcbind.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/rpcbind.te 2008-08-05 12:15:11.000000000 -0400 @@ -16,16 +16,21 @@ type rpcbind_var_lib_t; files_type(rpcbind_var_lib_t) @@ -23736,18 +23014,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb +dontaudit rpcbind_t self:udp_socket listen; allow rpcbind_t self:tcp_socket create_stream_socket_perms; - manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t) + manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t) 
@@ -37,6 +42,7 @@ - manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t) - files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file }) + manage_sock_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) + files_var_lib_filetrans(rpcbind_t, rpcbind_var_lib_t, { file dir sock_file }) +kernel_read_system_state(rpcbind_t) kernel_read_network_state(rpcbind_t) corenet_all_recvfrom_unlabeled(rpcbind_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.5.1/policy/modules/services/rshd.te ---- nsaserefpolicy/policy/modules/services/rshd.te 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/rshd.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.5.2/policy/modules/services/rshd.te +--- nsaserefpolicy/policy/modules/services/rshd.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/rshd.te 2008-08-05 12:15:11.000000000 -0400 @@ -16,7 +16,7 @@ # # Local policy @@ -23809,9 +23087,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd unconfined_shell_domtrans(rshd_t) + unconfined_signal(rshd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.5.1/policy/modules/services/rsync.fc ---- nsaserefpolicy/policy/modules/services/rsync.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/rsync.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.5.2/policy/modules/services/rsync.fc +--- nsaserefpolicy/policy/modules/services/rsync.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/rsync.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -1,2 +1,6 @@ /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) @@ -23819,9 +23097,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn +/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0) + +/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.5.1/policy/modules/services/rsync.te ---- nsaserefpolicy/policy/modules/services/rsync.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/rsync.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.5.2/policy/modules/services/rsync.te +--- nsaserefpolicy/policy/modules/services/rsync.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/rsync.te 2008-08-05 12:15:11.000000000 -0400 @@ -31,6 +31,9 @@ type rsync_data_t; files_type(rsync_data_t) @@ -23854,8 +23132,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn logging_send_syslog_msg(rsync_t) -logging_dontaudit_search_logs(rsync_t) -+manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t) -+logging_log_filetrans(rsync_t,rsync_log_t,file) ++manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t) ++logging_log_filetrans(rsync_t, rsync_log_t, file) miscfiles_read_localization(rsync_t) miscfiles_read_public_files(rsync_t) 
@@ -23867,18 +23145,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn fs_read_noxattr_fs_files(rsync_t) auth_read_all_files_except_shadow(rsync_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.fc serefpolicy-3.5.1/policy/modules/services/rwho.fc ---- nsaserefpolicy/policy/modules/services/rwho.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/rwho.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.fc serefpolicy-3.5.2/policy/modules/services/rwho.fc +--- nsaserefpolicy/policy/modules/services/rwho.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/rwho.fc 2008-08-05 12:15:11.000000000 -0400 @@ -3,3 +3,5 @@ /var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0) /var/log/rwhod(/.*)? gen_context(system_u:object_r:rwho_log_t,s0) + +/etc/rc.d/init.d/rwhod -- gen_context(system_u:object_r:rwho_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.if serefpolicy-3.5.1/policy/modules/services/rwho.if ---- nsaserefpolicy/policy/modules/services/rwho.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/rwho.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.if serefpolicy-3.5.2/policy/modules/services/rwho.if +--- nsaserefpolicy/policy/modules/services/rwho.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/rwho.if 2008-08-05 12:15:11.000000000 -0400 @@ -118,6 +118,25 @@ ######################################## 
@@ -23897,7 +23175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho + type rwho_script_exec_t; + ') + -+ init_script_domtrans_spec($1,rwho_script_exec_t) ++ init_script_domtrans_spec($1, rwho_script_exec_t) +') + +######################################## @@ -23923,15 +23201,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho + logging_list_logs($1) - manage_files_pattern($1, rwho_log_t, rwho_log_t) -+ manage_all_pattern($1,rwho_log_t) ++ manage_all_pattern($1, rwho_log_t) files_list_spool($1) - manage_files_pattern($1, rwho_spool_t, rwho_spool_t) -+ manage_all_pattern($1,rwho_spool_t) ++ manage_all_pattern($1, rwho_spool_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.te serefpolicy-3.5.1/policy/modules/services/rwho.te ---- nsaserefpolicy/policy/modules/services/rwho.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/rwho.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.te serefpolicy-3.5.2/policy/modules/services/rwho.te +--- nsaserefpolicy/policy/modules/services/rwho.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/rwho.te 2008-08-05 12:15:11.000000000 -0400 @@ -16,6 +16,9 @@ type rwho_spool_t; files_type(rwho_spool_t) 
@@ -23942,9 +23220,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho ######################################## # # rwho local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.5.1/policy/modules/services/samba.fc ---- nsaserefpolicy/policy/modules/services/samba.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/samba.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.5.2/policy/modules/services/samba.fc +--- nsaserefpolicy/policy/modules/services/samba.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/samba.fc 2008-08-05 12:15:11.000000000 -0400 @@ -15,6 +15,7 @@ /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) /usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) @@ -23953,7 +23231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb /usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) /usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) -@@ -47,3 +48,12 @@ +@@ -47,3 +48,11 @@ /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) /var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) 
@@ -23965,26 +23243,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +ifndef(`enable_mls',` +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.5.1/policy/modules/services/samba.if ---- nsaserefpolicy/policy/modules/services/samba.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/samba.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.5.2/policy/modules/services/samba.if +--- nsaserefpolicy/policy/modules/services/samba.if 2008-08-05 11:15:32.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/samba.if 2008-08-05 12:15:11.000000000 -0400 
@@ -33,12 +33,12 @@ ') tunable_policy(`samba_enable_home_dirs',` -- userdom_manage_user_home_content_dirs($1,smbd_t) -- userdom_manage_user_home_content_files($1,smbd_t) -- userdom_manage_user_home_content_symlinks($1,smbd_t) -- userdom_manage_user_home_content_sockets($1,smbd_t) -- userdom_manage_user_home_content_pipes($1,smbd_t) -- userdom_user_home_dir_filetrans_user_home_content($1,smbd_t,{ dir file lnk_file sock_file fifo_file }) +- userdom_manage_user_home_content_dirs($1, smbd_t) +- userdom_manage_user_home_content_files($1, smbd_t) +- userdom_manage_user_home_content_symlinks($1, smbd_t) +- userdom_manage_user_home_content_sockets($1, smbd_t) +- userdom_manage_user_home_content_pipes($1, smbd_t) +- userdom_user_home_dir_filetrans_user_home_content($1, smbd_t, { dir file lnk_file sock_file fifo_file }) + unprivuser_manage_home_content_dirs(smbd_t) + unprivuser_manage_home_content_files(smbd_t) + unprivuser_manage_home_content_symlinks(smbd_t) + unprivuser_manage_home_content_sockets(smbd_t) + unprivuser_manage_home_content_pipes(smbd_t) -+ unprivuser_home_dir_filetrans_home_content(smbd_t,{ dir file lnk_file sock_file fifo_file }) ++ unprivuser_home_dir_filetrans_home_content(smbd_t, { dir file lnk_file sock_file fifo_file }) ') ') @@ -23998,7 +23275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + ') + + corecmd_search_bin($1) -+ domtrans_pattern($1,smbd_exec_t,smbd_t) ++ domtrans_pattern($1, smbd_exec_t, smbd_t) +') + +######################################## @@ -24032,7 +23309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + ') + + corecmd_search_bin($1) -+ domtrans_pattern($1,samba_net_exec_t,samba_unconfined_net_t) ++ domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t) +') + +######################################## @@ -24108,21 +23385,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb 
@@ -348,6 +437,7 @@ files_search_var($1) files_search_var_lib($1) - manage_files_pattern($1,samba_var_t,samba_var_t) -+ manage_lnk_files_pattern($1,samba_var_t,samba_var_t) + manage_files_pattern($1, samba_var_t, samba_var_t) ++ manage_lnk_files_pattern($1, samba_var_t, samba_var_t) ') ######################################## @@ -420,6 +510,7 @@ ') - domtrans_pattern($1,winbind_helper_exec_t,winbind_helper_t) + domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) + allow $1 winbind_helper_t:process signal; ') ######################################## -@@ -503,3 +594,221 @@ - stream_connect_pattern($1,winbind_tmp_t,winbind_tmp_t,winbind_t) +@@ -503,3 +594,214 @@ + stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t) ') ') + @@ -24149,7 +23426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + # This type is used for executable scripts files + type samba_$1_script_exec_t; + corecmd_shell_entry_type(samba_$1_script_t) -+ domain_entry_file(samba_$1_script_t,samba_$1_script_exec_t) ++ domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t) + + domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t) + allow smbd_t samba_$1_script_exec_t:file ioctl; @@ -24191,7 +23468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + type smbcontrol_exec_t; + ') + -+ domtrans_pattern($1,smbcontrol_exec_t,smbcontrol_t) ++ domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) +') + + @@ -24242,7 +23519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + type samba_script_exec_t; + ') + -+ init_script_domtrans_spec($1,samba_script_exec_t) ++ init_script_domtrans_spec($1, samba_script_exec_t) +') + +######################################## 
@@ -24269,28 +23546,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +# +interface(`samba_admin',` + gen_require(` -+ type nmbd_t; -+ type nmbd_var_run_t; -+ type smbd_t; ++ type nmbd_t, nmbd_var_run_t; ++ type smbd_t, smbd_tmp_t; + type smbd_script_exec_t; -+ type smbd_tmp_t; -+ type samba_log_t; -+ type smbd_spool_t; -+ type samba_var_t; -+ type smbd_var_run_t; -+ type samba_etc_t; -+ type samba_share_t; ++ type smbd_spool_t, smbd_var_run_t; ++ ++ type samba_log_t, samba_var_t; ++ type samba_etc_t, samba_share_t; + type samba_secrets_t; + -+ type swat_var_run_t; -+ type swat_tmp_t; ++ type swat_var_run_t, swat_tmp_t; + -+ type winbind_var_run_t; -+ type winbind_tmp_t; ++ type winbind_var_run_t, winbind_tmp_t; + type winbind_log_t; + -+ type samba_unconfined_script_t; -+ type samba_unconfined_script_exec_t; ++ type samba_unconfined_script_t, samba_unconfined_script_exec_t; + ') + + allow $1 smbd_t:process { ptrace signal_perms getattr }; @@ -24343,24 +23613,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + manage_all_pattern($1, samba_unconfined_script_exec_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.5.1/policy/modules/services/samba.te ---- nsaserefpolicy/policy/modules/services/samba.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/samba.te 2008-07-29 15:51:47.000000000 -0400 -@@ -59,6 +59,13 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.5.2/policy/modules/services/samba.te +--- nsaserefpolicy/policy/modules/services/samba.te 2008-08-05 11:15:32.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/samba.te 2008-08-05 15:18:37.000000000 -0400 +@@ -66,6 +66,13 @@ ## - gen_tunable(samba_share_nfs,false) + gen_tunable(samba_share_nfs, false) +## +##

+## Allow samba to export ntfs/fusefs volumes. +##

+##
-+gen_tunable(samba_share_fusefs,false) ++gen_tunable(samba_share_fusefs, false) + type nmbd_t; type nmbd_exec_t; - init_daemon_domain(nmbd_t,nmbd_exec_t) -@@ -73,11 +80,9 @@ + init_daemon_domain(nmbd_t, nmbd_exec_t) +@@ -80,11 +87,9 @@ logging_log_file(samba_log_t) type samba_net_t; @@ -24368,13 +23638,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb -role system_r types samba_net_t; - type samba_net_exec_t; --domain_entry_file(samba_net_t,samba_net_exec_t) +-domain_entry_file(samba_net_t, samba_net_exec_t) +role system_r types samba_net_t; +application_domain(samba_net_t, samba_net_exec_t) type samba_net_tmp_t; files_tmp_file(samba_net_tmp_t) -@@ -139,6 +144,14 @@ +@@ -146,6 +151,14 @@ type winbind_var_run_t; files_pid_file(winbind_var_run_t) @@ -24389,7 +23659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # Samba net local policy -@@ -193,7 +206,10 @@ +@@ -200,7 +213,10 @@ miscfiles_read_localization(samba_net_t) @@ -24400,7 +23670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` kerberos_use(samba_net_t) -@@ -203,7 +219,7 @@ +@@ -210,7 +226,7 @@ # # smbd Local policy # @@ -24409,7 +23679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; -@@ -213,7 +229,7 @@ +@@ -220,7 +236,7 @@ allow smbd_t self:msgq create_msgq_perms; allow smbd_t self:sem create_sem_perms; allow smbd_t self:shm create_shm_perms; 
@@ -24418,49 +23688,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow smbd_t self:tcp_socket create_stream_socket_perms; allow smbd_t self:udp_socket create_socket_perms; allow smbd_t self:unix_dgram_socket { create_socket_perms sendto }; -@@ -221,10 +237,8 @@ +@@ -228,10 +244,8 @@ allow smbd_t samba_etc_t:file { rw_file_perms setattr }; --create_dirs_pattern(smbd_t,samba_log_t,samba_log_t) -+manage_dirs_pattern(smbd_t,samba_log_t,samba_log_t) - manage_files_pattern(smbd_t,samba_log_t,samba_log_t) +-create_dirs_pattern(smbd_t, samba_log_t, samba_log_t) ++manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t) + manage_files_pattern(smbd_t, samba_log_t, samba_log_t) -allow smbd_t samba_log_t:dir setattr; -dontaudit smbd_t samba_log_t:dir remove_name; allow smbd_t samba_net_tmp_t:file getattr; -@@ -234,6 +248,7 @@ - manage_dirs_pattern(smbd_t,samba_share_t,samba_share_t) - manage_files_pattern(smbd_t,samba_share_t,samba_share_t) - manage_lnk_files_pattern(smbd_t,samba_share_t,samba_share_t) +@@ -241,6 +255,7 @@ + manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) + manage_files_pattern(smbd_t, samba_share_t, samba_share_t) + manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) +allow smbd_t samba_share_t:filesystem getattr; - manage_dirs_pattern(smbd_t,samba_var_t,samba_var_t) - manage_files_pattern(smbd_t,samba_var_t,samba_var_t) -@@ -251,7 +266,7 @@ - manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t) - files_pid_filetrans(smbd_t,smbd_var_run_t,file) + manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) + manage_files_pattern(smbd_t, samba_var_t, samba_var_t) +@@ -258,7 +273,7 @@ + manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) + files_pid_filetrans(smbd_t, smbd_var_run_t, file) -allow smbd_t winbind_var_run_t:sock_file { read write getattr }; +allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms; kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) -@@ 
-316,10 +331,11 @@ - miscfiles_read_localization(smbd_t) - miscfiles_read_public_files(smbd_t) +@@ -328,6 +343,8 @@ -+sysadm_dontaudit_search_home_dirs(smbd_t) - userdom_dontaudit_use_unpriv_user_fds(smbd_t) - userdom_use_unpriv_users_fds(smbd_t) + sysadm_dontaudit_search_home_dirs(smbd_t) --sysadm_dontaudit_search_home_dirs(smbd_t) +term_use_ptmx(smbd_t) - ++ ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) -@@ -341,6 +357,25 @@ + files_dontaudit_getattr_boot_dirs(smbd_t) +@@ -348,6 +365,25 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) @@ -24473,7 +23739,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +tunable_policy(`samba_share_fusefs',` + fs_manage_fusefs_dirs(smbd_t) + fs_manage_fusefs_files(smbd_t) -+', ` ++',` + fs_search_fusefs_dirs(smbd_t) +') + @@ -24486,7 +23752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') optional_policy(` -@@ -392,7 +427,7 @@ +@@ -405,7 +441,7 @@ allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -24495,17 +23761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow nmbd_t self:tcp_socket create_stream_socket_perms; allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; -@@ -404,8 +439,7 @@ - read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t) - - manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t) --append_files_pattern(nmbd_t,samba_log_t,samba_log_t) --allow nmbd_t samba_log_t:file unlink; -+manage_files_pattern(nmbd_t,samba_log_t,samba_log_t) - - read_files_pattern(nmbd_t,samba_log_t,samba_log_t) - create_files_pattern(nmbd_t,samba_log_t,samba_log_t) -@@ -440,6 +474,7 @@ +@@ -452,6 +488,7 @@ dev_getattr_mtrr_dev(nmbd_t) fs_getattr_all_fs(nmbd_t) 
@@ -24513,7 +23769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) -@@ -524,6 +559,7 @@ +@@ -536,6 +573,7 @@ storage_raw_write_fixed_disk(smbmount_t) term_list_ptys(smbmount_t) @@ -24521,7 +23777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb corecmd_list_bin(smbmount_t) -@@ -548,28 +584,37 @@ +@@ -560,28 +598,37 @@ userdom_use_all_users_fds(smbmount_t) @@ -24555,9 +23811,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +allow swat_t nmbd_t:process { signal signull }; +allow swat_t nmbd_var_run_t:file { lock read unlink }; - rw_files_pattern(swat_t,samba_etc_t,samba_etc_t) + rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) - append_files_pattern(swat_t,samba_log_t,samba_log_t) + append_files_pattern(swat_t, samba_log_t, samba_log_t) -allow swat_t smbd_exec_t:file execute ; - @@ -24565,10 +23821,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb - allow swat_t smbd_var_run_t:file read; - manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t) -@@ -579,7 +624,9 @@ - manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t) - files_pid_filetrans(swat_t,swat_var_run_t,file) + manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) +@@ -591,7 +638,9 @@ + manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) + files_pid_filetrans(swat_t, swat_var_run_t, file) -allow swat_t winbind_exec_t:file execute; +can_exec(swat_t, winbind_exec_t) @@ -24577,7 +23833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -604,10 +651,12 @@ +@@ -616,10 +665,12 @@ dev_read_urand(swat_t) 
@@ -24590,7 +23846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -616,6 +665,7 @@ +@@ -628,6 +679,7 @@ libs_use_shared_libs(swat_t) logging_send_syslog_msg(swat_t) 
@@ -24598,34 +23854,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb logging_search_logs(swat_t) miscfiles_read_localization(swat_t) -@@ -633,6 +683,17 @@ +@@ -645,6 +697,17 @@ kerberos_use(swat_t) ') +init_read_utmp(swat_t) +init_dontaudit_write_utmp(swat_t) + -+manage_dirs_pattern(swat_t,samba_log_t,samba_log_t) -+create_files_pattern(swat_t,samba_log_t,samba_log_t) ++manage_dirs_pattern(swat_t, samba_log_t, samba_log_t) ++create_files_pattern(swat_t, samba_log_t, samba_log_t) + -+manage_files_pattern(swat_t,samba_etc_t,samba_secrets_t) ++manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) + -+manage_files_pattern(swat_t,samba_var_t,samba_var_t) ++manage_files_pattern(swat_t, samba_var_t, samba_var_t) +files_list_var_lib(swat_t) + ######################################## # # Winbind local policy -@@ -681,6 +742,8 @@ - manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t) - files_pid_filetrans(winbind_t,winbind_var_run_t,file) +@@ -687,13 +750,15 @@ + + manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) + manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) +-manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) ++manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) + files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir }) + + manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) + manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) + files_pid_filetrans(winbind_t, winbind_var_run_t, file) +corecmd_exec_bin(winbind_t) + kernel_read_kernel_sysctls(winbind_t) kernel_list_proc(winbind_t) kernel_read_proc_symlinks(winbind_t) -@@ -767,8 +830,13 @@ +@@ -780,8 +845,13 @@ miscfiles_read_localization(winbind_helper_t) optional_policy(` 
@@ -24639,7 +23903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') ######################################## -@@ -777,6 +845,14 @@ +@@ -790,6 +860,14 @@ # optional_policy(` @@ -24648,13 +23912,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + unconfined_domain(samba_unconfined_net_t) + role system_r types samba_unconfined_net_t; + -+ manage_files_pattern(samba_unconfined_net_t,samba_etc_t,samba_secrets_t) -+ filetrans_pattern(samba_unconfined_net_t,samba_etc_t,samba_secrets_t,file) ++ manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t) ++ filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file) + type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -793,3 +869,37 @@ +@@ -806,3 +884,37 @@ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) ') ') @@ -24692,18 +23956,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +allow winbind_t smbcontrol_t:process signal; + +allow smbcontrol_t nmbd_var_run_t:file { read lock }; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.fc serefpolicy-3.5.1/policy/modules/services/sasl.fc ---- nsaserefpolicy/policy/modules/services/sasl.fc 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/sasl.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.fc serefpolicy-3.5.2/policy/modules/services/sasl.fc +--- nsaserefpolicy/policy/modules/services/sasl.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/sasl.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -8,3 +8,5 @@ # /var # /var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) + +/etc/rc.d/init.d/sasl -- gen_context(system_u:object_r:sasl_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.if serefpolicy-3.5.1/policy/modules/services/sasl.if ---- nsaserefpolicy/policy/modules/services/sasl.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/sasl.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.if serefpolicy-3.5.2/policy/modules/services/sasl.if +--- nsaserefpolicy/policy/modules/services/sasl.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/sasl.if 2008-08-05 12:15:11.000000000 -0400 @@ -21,6 +21,25 @@ ######################################## @@ -24722,7 +23986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl + type saslauthd_script_exec_t; + ') + -+ init_script_domtrans_spec($1,saslauthd_script_exec_t) ++ init_script_domtrans_spec($1, saslauthd_script_exec_t) +') + +######################################## @@ -24730,14 +23994,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl ## All of the rules required to administrate ## an sasl environment ## -@@ -33,17 +52,22 @@ - # +@@ -34,14 +53,21 @@ interface(`sasl_admin',` gen_require(` -- type saslauthd_t; -- type saslauthd_tmp_t; -- type saslauthd_var_run_t; -+ type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t; + type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t; + type saslauthd_script_exec_t; ') 
@@ -24752,15 +24012,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl + files_list_tmp($1) - manage_files_pattern($1, saslauthd_tmp_t, saslauthd_tmp_t) -+ manage_all_pattern($1,saslauthd_tmp_t) ++ manage_all_pattern($1, saslauthd_tmp_t) files_list_pids($1) - manage_files_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t) -+ manage_all_pattern($1,saslauthd_var_run_t) ++ manage_all_pattern($1, saslauthd_var_run_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.5.1/policy/modules/services/sasl.te ---- nsaserefpolicy/policy/modules/services/sasl.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/sasl.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.5.2/policy/modules/services/sasl.te +--- nsaserefpolicy/policy/modules/services/sasl.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/sasl.te 2008-08-05 12:15:11.000000000 -0400 @@ -23,6 +23,9 @@ type saslauthd_var_run_t; files_pid_file(saslauthd_var_run_t) 
@@ -24791,12 +24051,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl seutil_sigchld_newrole(saslauthd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.5.1/policy/modules/services/sendmail.if ---- nsaserefpolicy/policy/modules/services/sendmail.if 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/sendmail.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.5.2/policy/modules/services/sendmail.if +--- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/sendmail.if 2008-08-05 12:15:11.000000000 -0400 @@ -149,3 +149,104 @@ - logging_log_filetrans($1,sendmail_log_t,file) + logging_log_filetrans($1, sendmail_log_t, file) ') + +######################################## @@ -24845,7 +24105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + type unconfined_sendmail_t, sendmail_exec_t; + ') + -+ domtrans_pattern($1,sendmail_exec_t,unconfined_sendmail_t) ++ domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t) +') + +######################################## 
@@ -24899,15 +24159,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + + allow $1 sendmail_t:fifo_file rw_fifo_file_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.5.1/policy/modules/services/sendmail.te ---- nsaserefpolicy/policy/modules/services/sendmail.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/sendmail.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.5.2/policy/modules/services/sendmail.te +--- nsaserefpolicy/policy/modules/services/sendmail.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/sendmail.te 2008-08-05 12:15:11.000000000 -0400 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) +type unconfined_sendmail_t; -+application_domain(unconfined_sendmail_t,sendmail_exec_t) ++application_domain(unconfined_sendmail_t, sendmail_exec_t) +role system_r types unconfined_sendmail_t; + ######################################## 
@@ -25059,18 +24319,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; -') dnl end TODO -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.5.1/policy/modules/services/setroubleshoot.fc ---- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/setroubleshoot.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.5.2/policy/modules/services/setroubleshoot.fc +--- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/setroubleshoot.fc 2008-08-05 12:15:11.000000000 -0400 @@ -5,3 +5,5 @@ /var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) /var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) + +/etc/rc.d/init.d/setroubleshoot -- gen_context(system_u:object_r:setroubleshoot_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.5.1/policy/modules/services/setroubleshoot.if ---- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/setroubleshoot.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.5.2/policy/modules/services/setroubleshoot.if +--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/setroubleshoot.if 2008-08-05 12:15:11.000000000 -0400 @@ -16,14 +16,13 @@ ') 
@@ -25114,7 +24374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr + type setroubleshoot_script_exec_t; + ') + -+ init_script_domtrans_spec($1,setroubleshoot_script_exec_t) ++ init_script_domtrans_spec($1, setroubleshoot_script_exec_t) +') + +######################################## @@ -25158,19 +24418,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr + allow $2 system_r; + + logging_list_logs($1) -+ manage_all_pattern($1,setroubleshoot_log_t) ++ manage_all_pattern($1, setroubleshoot_log_t) + + files_list_var_lib($1) -+ manage_all_pattern($1,setroubleshoot_var_lib_t) ++ manage_all_pattern($1, setroubleshoot_var_lib_t) + + files_list_pids($1) -+ manage_all_pattern($1,setroubleshoot_var_run_t) ++ manage_all_pattern($1, setroubleshoot_var_run_t) +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.5.1/policy/modules/services/setroubleshoot.te ---- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/setroubleshoot.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.5.2/policy/modules/services/setroubleshoot.te +--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/setroubleshoot.te 2008-08-05 12:15:11.000000000 -0400 @@ -22,13 +22,16 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) 
@@ -25246,21 +24506,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr optional_policy(` dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t) dbus_connect_system_bus(setroubleshootd_t) -+ dbus_system_domain(setroubleshootd_t,setroubleshootd_exec_t) ++ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.fc serefpolicy-3.5.1/policy/modules/services/smartmon.fc ---- nsaserefpolicy/policy/modules/services/smartmon.fc 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/smartmon.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.fc serefpolicy-3.5.2/policy/modules/services/smartmon.fc +--- nsaserefpolicy/policy/modules/services/smartmon.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/smartmon.fc 2008-08-05 12:15:11.000000000 -0400 @@ -8,3 +8,4 @@ # /var/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0) +/etc/rc.d/init.d/smartd -- gen_context(system_u:object_r:fsdaemon_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.if serefpolicy-3.5.1/policy/modules/services/smartmon.if ---- nsaserefpolicy/policy/modules/services/smartmon.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/smartmon.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.if serefpolicy-3.5.2/policy/modules/services/smartmon.if +--- nsaserefpolicy/policy/modules/services/smartmon.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/smartmon.if 2008-08-05 12:15:11.000000000 -0400 @@ -20,6 +20,25 @@ ######################################## 
@@ -25279,7 +24539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar + type fsdaemon_script_exec_t; + ') + -+ init_script_domtrans_spec($1,fsdaemon_script_exec_t) ++ init_script_domtrans_spec($1, fsdaemon_script_exec_t) +') + +######################################## @@ -25305,15 +24565,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar + files_list_tmp($1) - manage_files_pattern($1, fsdaemon_tmp_t, fsdaemon_tmp_t) -+ manage_all_pattern($1,fsdaemon_tmp_t) ++ manage_all_pattern($1, fsdaemon_tmp_t) files_list_pids($1) - manage_files_pattern($1, fsdaemon_var_run_t, fsdaemon_var_run_t) -+ manage_all_pattern($1,fsdaemon_var_run_t) ++ manage_all_pattern($1, fsdaemon_var_run_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.5.1/policy/modules/services/smartmon.te ---- nsaserefpolicy/policy/modules/services/smartmon.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/smartmon.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.5.2/policy/modules/services/smartmon.te +--- nsaserefpolicy/policy/modules/services/smartmon.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/smartmon.te 2008-08-05 12:15:11.000000000 -0400 @@ -16,6 +16,10 @@ type fsdaemon_tmp_t; files_tmp_file(fsdaemon_tmp_t) @@ -25331,8 +24591,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar allow fsdaemon_t self:udp_socket create_socket_perms; +allow fsdaemon_t self:netlink_route_socket r_netlink_socket_perms; - manage_dirs_pattern(fsdaemon_t,fsdaemon_tmp_t,fsdaemon_tmp_t) - manage_files_pattern(fsdaemon_t,fsdaemon_tmp_t,fsdaemon_tmp_t) + manage_dirs_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t) + manage_files_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t) 
@@ -62,6 +67,7 @@ fs_search_auto_mountpoints(fsdaemon_t) @@ -25353,9 +24613,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar sysadm_dontaudit_search_home_dirs(fsdaemon_t) optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.5.1/policy/modules/services/snmp.fc ---- nsaserefpolicy/policy/modules/services/snmp.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/snmp.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.5.2/policy/modules/services/snmp.fc +--- nsaserefpolicy/policy/modules/services/snmp.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/snmp.fc 2008-08-05 12:15:11.000000000 -0400 @@ -17,3 +17,6 @@ /var/run/snmpd -d gen_context(system_u:object_r:snmpd_var_run_t,s0) @@ -25363,9 +24623,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp + +/etc/rc.d/init.d/snmpd -- gen_context(system_u:object_r:snmp_script_exec_t,s0) +/etc/rc.d/init.d/snmptrapd -- gen_context(system_u:object_r:snmp_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.5.1/policy/modules/services/snmp.if ---- nsaserefpolicy/policy/modules/services/snmp.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/snmp.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.5.2/policy/modules/services/snmp.if +--- nsaserefpolicy/policy/modules/services/snmp.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/snmp.if 2008-08-05 12:15:11.000000000 -0400 @@ -87,6 +87,25 @@ ######################################## 
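Review bot: The type on the two new snmp.fc lines, `snmp_script_exec_t`, does not match the type the snmp.if hunk that follows requires and passes to `init_script_domtrans_spec`, which is `snmpd_script_exec_t`. Only one of the two can be declared in snmp.te (the declaration is outside this chunk), so either the file-context entries name an undefined type and the module's file_contexts will not validate, or the interface's gen_require cannot be satisfied. Whichever name snmp.te declares, the other file has to follow it; if the declaration is `snmpd_script_exec_t`, the fc lines should read `/etc/rc.d/init.d/snmpd -- gen_context(system_u:object_r:snmpd_script_exec_t,s0)` and likewise for snmptrapd.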
@@ -25384,7 +24644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp + type snmpd_script_exec_t; + ') + -+ init_script_domtrans_spec($1,snmpd_script_exec_t) ++ init_script_domtrans_spec($1, snmpd_script_exec_t) +') + +######################################## @@ -25426,19 +24686,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp + logging_list_logs($1) - manage_files_pattern($1, snmpd_log_t, snmpd_log_t) -+ manage_all_pattern($1,snmpd_log_t) ++ manage_all_pattern($1, snmpd_log_t) files_list_var_lib($1) - manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) -+ manage_all_pattern($1,snmpd_var_lib_t) ++ manage_all_pattern($1, snmpd_var_lib_t) files_list_pids($1) - manage_files_pattern($1, snmpd_var_run_t, snmpd_var_run_t) -+ manage_all_pattern($1,snmpd_var_run_t) ++ manage_all_pattern($1, snmpd_var_run_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.5.1/policy/modules/services/snmp.te ---- nsaserefpolicy/policy/modules/services/snmp.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/snmp.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.5.2/policy/modules/services/snmp.te +--- nsaserefpolicy/policy/modules/services/snmp.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/snmp.te 2008-08-05 12:15:11.000000000 -0400 @@ -18,12 +18,16 @@ type snmpd_var_lib_t; files_type(snmpd_var_lib_t) 
@@ -25500,34 +24760,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.fc serefpolicy-3.5.1/policy/modules/services/snort.fc ---- nsaserefpolicy/policy/modules/services/snort.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/snort.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.fc serefpolicy-3.5.2/policy/modules/services/snort.fc +--- nsaserefpolicy/policy/modules/services/snort.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/snort.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1,6 +1,10 @@ +/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0) +/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0) --/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0) -+/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0) + /etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0) -/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0) +/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0) --/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) -+/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) + /var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) + +/etc/rc\.d/init\.d/snortd -- gen_context(system_u:object_r:snort_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.if serefpolicy-3.5.1/policy/modules/services/snort.if ---- nsaserefpolicy/policy/modules/services/snort.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/snort.if 2008-07-25 12:35:13.000000000 -0400 -@@ -1 +1,95 @@ --## Snort network intrusion detection system -+## SELinux policy for Snort IDS -+## -+##

-+## Applies SELinux security to Snort IDS -+##

-+##
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.if serefpolicy-3.5.2/policy/modules/services/snort.if +--- nsaserefpolicy/policy/modules/services/snort.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/snort.if 2008-08-05 15:22:56.000000000 -0400 +@@ -1 +1,91 @@ + ## Snort network intrusion detection system + +######################################## +## @@ -25589,13 +24841,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor +# +interface(`snort_admin',` + gen_require(` -+ type snort_t, snort_var_run_t, snort_script_exec_t, snort_etc_t, snort_log_t; ++ type snort_t, snort_var_run_t, snort_log_t; ++ type snort_script_exec_t; + ') + -+ allow $1 snort_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, snort_t, snort_t) -+ -+ manage_all_pattern($1, snort_etc_t) ++ allow $1 snort_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, snort_t) ++ ++ manage_all_pattern($1, snort_etc_t) + manage_all_pattern($1, snort_var_run_t) + manage_all_pattern($1, snort_log_t) +') 
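Review bot: The rewritten gen_require block of `snort_admin` drops `snort_etc_t` (`type snort_t, snort_var_run_t, snort_log_t;`) while the body still calls `manage_all_pattern($1, snort_etc_t)`, so the interface now uses a type it never requires and a module calling it would most likely fail to compile with an undeclared-type error. Add it back: `type snort_t, snort_var_run_t, snort_log_t, snort_etc_t;`. The switch from `read_files_pattern` plus `getattr` to `ps_process_pattern` is fine, but the interface still grants `ptrace` over snort_t to the admin domain, which is the usual refpolicy admin pattern and worth a one-line comment since it is the broadest process permission granted here.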
@@ -25617,19 +24870,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor + + allow $1 snort_t:process signal; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.5.1/policy/modules/services/snort.te ---- nsaserefpolicy/policy/modules/services/snort.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/snort.te 2008-07-25 12:35:13.000000000 -0400 -@@ -8,10 +8,13 @@ - - type snort_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.5.2/policy/modules/services/snort.te +--- nsaserefpolicy/policy/modules/services/snort.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/snort.te 2008-08-05 12:15:11.000000000 -0400 +@@ -10,8 +10,11 @@ type snort_exec_t; --init_daemon_domain(snort_t,snort_exec_t) -+init_daemon_domain(snort_t, snort_exec_t) -+ + init_daemon_domain(snort_t, snort_exec_t) + +type snort_script_exec_t; +init_script_type(snort_script_exec_t) - ++ type snort_etc_t; -files_type(snort_etc_t) +files_config_file(snort_etc_t) 
@@ -25668,9 +24918,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor seutil_sigchld_newrole(snort_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.5.1/policy/modules/services/soundserver.fc ---- nsaserefpolicy/policy/modules/services/soundserver.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/soundserver.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.5.2/policy/modules/services/soundserver.fc +--- nsaserefpolicy/policy/modules/services/soundserver.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/soundserver.fc 2008-08-05 12:15:11.000000000 -0400 @@ -7,4 +7,8 @@ /usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0) @@ -25680,9 +24930,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun /var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0) + +/etc/rc.d/init.d/nasd -- gen_context(system_u:object_r:soundd_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.if serefpolicy-3.5.1/policy/modules/services/soundserver.if ---- nsaserefpolicy/policy/modules/services/soundserver.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/soundserver.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.if serefpolicy-3.5.2/policy/modules/services/soundserver.if +--- nsaserefpolicy/policy/modules/services/soundserver.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/soundserver.if 2008-08-05 12:15:11.000000000 -0400 
@@ -13,3 +13,74 @@ interface(`soundserver_tcp_connect',` refpolicywarn(`$0($*) has been deprecated.') @@ -25704,7 +24954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun + type soundd_script_exec_t; + ') + -+ init_script_domtrans_spec($1,soundd_script_exec_t) ++ init_script_domtrans_spec($1, soundd_script_exec_t) +') + +######################################## 
@@ -25748,43 +24998,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun + allow $2 system_r; + + files_list_tmp($1) -+ manage_all_pattern($1,soundd_tmp_t) ++ manage_all_pattern($1, soundd_tmp_t) + + files_list_etc($1) -+ manage_all_pattern($1,soundd_etc_t) ++ manage_all_pattern($1, soundd_etc_t) + + files_list_pids($1) -+ manage_all_pattern($1,soundd_var_run_t) ++ manage_all_pattern($1, soundd_var_run_t) +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.5.1/policy/modules/services/soundserver.te ---- nsaserefpolicy/policy/modules/services/soundserver.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/soundserver.te 2008-07-25 12:35:13.000000000 -0400 -@@ -10,9 +10,6 @@ - type soundd_exec_t; - init_daemon_domain(soundd_t,soundd_exec_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.5.2/policy/modules/services/soundserver.te +--- nsaserefpolicy/policy/modules/services/soundserver.te 2008-08-05 15:30:46.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/soundserver.te 2008-08-05 15:25:35.000000000 -0400 +@@ -11,7 +11,7 @@ + init_daemon_domain(soundd_t, soundd_exec_t) --type soundd_etc_t alias etc_soundd_t; + type soundd_etc_t alias etc_soundd_t; -files_type(soundd_etc_t) -- ++files_config_file(soundd_etc_t) + type soundd_state_t; files_type(soundd_state_t) - -@@ -26,21 +23,30 @@ +@@ -26,21 +26,28 @@ type soundd_var_run_t; files_pid_file(soundd_var_run_t) -+type soundd_etc_t; -+files_config_file(soundd_etc_t) -+ +type soundd_script_exec_t; +init_script_type(soundd_script_exec_t) + ######################################## # --# Declarations -+# sound server local policy + # Declarations # +allow soundd_t self:capability dac_override; 
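Review bot: The new-side line `+allow soundd_t self:capability dac_override;` gives the sound server the capability to bypass every DAC permission check on files, which is the broadest of the file-access capabilities. Nothing visible in this hunk shows which access needs it; if it exists only so the daemon can read files it does not own, `dac_read_search` is the narrower grant. A one-line comment above the rule naming the access that requires it would let a later reviewer re-check the grant. The declarations section of soundserver.te continues outside this hunk.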
@@ -25802,27 +25047,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun -allow soundd_t soundd_etc_t:dir list_dir_perms; -allow soundd_t soundd_etc_t:file read_file_perms; -allow soundd_t soundd_etc_t:lnk_file { getattr read }; -+read_files_pattern(soundd_t,soundd_etc_t,soundd_etc_t) ++read_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t) ++read_lnk_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t) - manage_files_pattern(soundd_t,soundd_state_t,soundd_state_t) - manage_lnk_files_pattern(soundd_t,soundd_state_t,soundd_state_t) -@@ -55,8 +61,10 @@ - manage_sock_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t) - fs_tmpfs_filetrans(soundd_t,soundd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + manage_files_pattern(soundd_t, soundd_state_t, soundd_state_t) + manage_lnk_files_pattern(soundd_t, soundd_state_t, soundd_state_t) +@@ -55,8 +62,10 @@ + manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) + fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) -+manage_sock_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t) - manage_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t) --files_pid_filetrans(soundd_t,soundd_var_run_t,file) -+manage_dirs_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t) -+files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir }) ++manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) + manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) +-files_pid_filetrans(soundd_t, soundd_var_run_t, file) ++manage_dirs_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) ++files_pid_filetrans(soundd_t, soundd_var_run_t, { file dir }) kernel_read_kernel_sysctls(soundd_t) kernel_list_proc(soundd_t) -@@ -96,10 +104,13 @@ - sysnet_read_config(soundd_t) - - userdom_dontaudit_use_unpriv_user_fds(soundd_t) -- +@@ -100,6 +109,10 @@ sysadm_dontaudit_search_home_dirs(soundd_t) optional_policy(` 
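Review bot: The new `files_pid_filetrans(soundd_t, soundd_var_run_t, { file dir })` lists only file and dir, while the lines just above it also grant `manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)`. If the daemon creates its socket directly under /var/run rather than inside a soundd_var_run_t directory, the socket will be created as var_run_t and the sock_file rule never applies; if that is the layout, `files_pid_filetrans(soundd_t, soundd_var_run_t, { file dir sock_file })` closes the gap. The socket path is not visible from this chunk, so confirm it against soundserver.fc before changing the class set.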
@@ -25833,9 +25075,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun seutil_sigchld_newrole(soundd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.5.1/policy/modules/services/spamassassin.fc ---- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/spamassassin.fc 2008-07-30 09:34:51.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.5.2/policy/modules/services/spamassassin.fc +--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/spamassassin.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1,16 +1,22 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) 
@@ -25862,9 +25104,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) + +/etc/rc.d/init.d/spamd -- gen_context(system_u:object_r:spamd_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.5.1/policy/modules/services/spamassassin.if ---- nsaserefpolicy/policy/modules/services/spamassassin.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/spamassassin.if 2008-08-01 12:25:22.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.5.2/policy/modules/services/spamassassin.if +--- nsaserefpolicy/policy/modules/services/spamassassin.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/spamassassin.if 2008-08-05 15:26:28.000000000 -0400 @@ -34,10 +34,10 @@ # cjp: when tunables are available, spamc stuff should be # toggled on activation of spamc, and similarly for spamd. @@ -25883,18 +25125,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam # - type $1_spamc_t; -- application_domain($1_spamc_t,spamc_exec_t) +- application_domain($1_spamc_t, spamc_exec_t) - role $3 types $1_spamc_t; - - type $1_spamc_tmp_t; - files_tmp_file($1_spamc_tmp_t) - - type $1_spamassassin_t; -- application_domain($1_spamassassin_t,spamassassin_exec_t) +- application_domain($1_spamassassin_t, spamassassin_exec_t) - role $3 types $1_spamassassin_t; - - type $1_spamassassin_home_t alias $1_spamassassin_rw_t; -- userdom_user_home_content($1,$1_spamassassin_home_t) +- userdom_user_home_content($1, $1_spamassassin_home_t) - files_poly_member($1_spamassassin_home_t) - - type $1_spamassassin_tmp_t; 
@@ -25920,8 +25162,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam - allow $1_spamc_t self:tcp_socket create_stream_socket_perms; - allow $1_spamc_t self:udp_socket create_socket_perms; - -- manage_dirs_pattern($1_spamc_t,$1_spamc_tmp_t,$1_spamc_tmp_t) -- manage_files_pattern($1_spamc_t,$1_spamc_tmp_t,$1_spamc_tmp_t) +- manage_dirs_pattern($1_spamc_t, $1_spamc_tmp_t, $1_spamc_tmp_t) +- manage_files_pattern($1_spamc_t, $1_spamc_tmp_t, $1_spamc_tmp_t) - files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir }) - - # Allow connecting to a local spamd @@ -25989,7 +25231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam - - optional_policy(` - # Allow connection to spamd socket above -- evolution_stream_connect($1,$1_spamc_t) +- evolution_stream_connect($1, $1_spamc_t) - ') - - optional_policy(` 
@@ -26023,32 +25265,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam - allow $1_spamassassin_t self:msgq create_msgq_perms; - allow $1_spamassassin_t self:msg { send receive }; - -- manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) -- manage_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) -- manage_lnk_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) -- manage_fifo_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) -- manage_sock_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) -- userdom_user_home_dir_filetrans($1,$1_spamassassin_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file }) +- manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t) +- manage_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t) +- manage_lnk_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t) +- manage_fifo_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t) +- manage_sock_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t) +- userdom_user_home_dir_filetrans($1,$1_spamassassin_t,$1_spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) - -- manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_tmp_t,$1_spamassassin_tmp_t) -- manage_files_pattern($1_spamassassin_t, $1_spamassassin_tmp_t,$1_spamassassin_tmp_t) +- manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_tmp_t, $1_spamassassin_tmp_t) +- manage_files_pattern($1_spamassassin_t, $1_spamassassin_tmp_t, $1_spamassassin_tmp_t) - files_tmp_filetrans($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir }) - -- manage_dirs_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) -- manage_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) -- 
manage_lnk_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) -- relabel_dirs_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) -- relabel_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) -- relabel_lnk_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) +- manage_dirs_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t) +- manage_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t) +- manage_lnk_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t) +- relabel_dirs_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t) +- relabel_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t) +- relabel_lnk_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t) - - domtrans_pattern($2, spamassassin_exec_t, $1_spamassassin_t) - -- manage_dirs_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) -- manage_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) -- manage_lnk_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) -- manage_fifo_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) -- manage_sock_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) -- userdom_user_home_dir_filetrans($1,spamd_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file }) +- manage_dirs_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t) +- manage_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t) +- manage_lnk_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t) +- manage_fifo_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t) +- manage_sock_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t) +- userdom_user_home_dir_filetrans($1, spamd_t, $1_spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) - - kernel_read_kernel_sysctls($1_spamassassin_t) - 
@@ -26070,39 +25312,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam - files_list_home($1_spamassassin_t) - files_read_usr_files($1_spamassassin_t) - files_dontaudit_search_var($1_spamassassin_t) -+ typealias spamc_t alias $1_spamc_t; -+ role $3 types spamc_t; - +- - libs_use_ld_so($1_spamassassin_t) - libs_use_shared_libs($1_spamassassin_t) -+ typealias spamassassin_t alias $1_spamassassin_t; -+ role $3 types spamassassin_t; - +- - logging_send_syslog_msg($1_spamassassin_t) -+ typealias spamc_home_t alias $1_spamassassin_home_t; -+ typealias spamc_tmp_t alias $1_spamassassin_tmp_t; -+ typealias spamc_tmp_t alias $1_spamc_tmp_t; -+ -+ manage_dirs_pattern($2, spamc_home_t,spamc_home_t) -+ manage_files_pattern($2, spamc_home_t,spamc_home_t) -+ manage_lnk_files_pattern($2, spamc_home_t,spamc_home_t) -+ relabel_dirs_pattern($2, spamc_home_t,spamc_home_t) -+ relabel_files_pattern($2, spamc_home_t,spamc_home_t) -+ relabel_lnk_files_pattern($2, spamc_home_t,spamc_home_t) - +- - miscfiles_read_localization($1_spamassassin_t) - - # cjp: this could probably be removed - seutil_read_config($1_spamassassin_t) - - sysnet_dns_name_resolve($1_spamassassin_t) -- ++ typealias spamc_t alias $1_spamc_t; ++ role $3 types spamc_t; + - userdom_use_unpriv_users_fds($1_spamassassin_t) - userdom_search_user_home_dirs($1,$1_spamassassin_t) - # cjp: this really should just be the - # terminal specific to the role - userdom_use_unpriv_users_ptys($1_spamassassin_t) -- ++ typealias spamassassin_t alias $1_spamassassin_t; ++ role $3 types spamassassin_t; + - # this should probably be removed: - tunable_policy(`read_default_t',` - files_list_default($1_spamassassin_t) 
@@ -26136,7 +25368,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam - userdom_manage_user_home_content_files($1,spamd_t) - userdom_manage_user_home_content_symlinks($1,spamd_t) - ') -- ++ typealias spamc_home_t alias $1_spamassassin_home_t; ++ typealias spamc_tmp_t alias $1_spamassassin_tmp_t; ++ typealias spamc_tmp_t alias $1_spamc_tmp_t; ++ ++ manage_dirs_pattern($2, spamc_home_t, spamc_home_t) ++ manage_files_pattern($2, spamc_home_t, spamc_home_t) ++ manage_lnk_files_pattern($2, spamc_home_t, spamc_home_t) ++ relabel_dirs_pattern($2, spamc_home_t, spamc_home_t) ++ relabel_files_pattern($2, spamc_home_t, spamc_home_t) ++ relabel_lnk_files_pattern($2, spamc_home_t, spamc_home_t) + - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_spamassassin_t) - fs_manage_nfs_files($1_spamassassin_t) @@ -26151,7 +25393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam - - optional_policy(` - # Write pid file and socket in ~/.evolution/cache/tmp -- evolution_home_filetrans($1,spamd_t,spamd_tmp_t,{ file sock_file }) +- evolution_home_filetrans($1, spamd_t, spamd_tmp_t, { file sock_file }) - ') - - optional_policy(` @@ -26180,20 +25422,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + type spamc_exec_t; ') -- can_exec($1,spamassassin_exec_t) -+ can_exec($1,spamc_exec_t) +- can_exec($1, spamassassin_exec_t) ++ can_exec($1, spamc_exec_t) ') -@@ -370,7 +116,7 @@ - # - interface(`spamassassin_exec_spamd',` - gen_require(` -- type spamd_exec_t; -+ type spamd_eoxec_t; - ') - - can_exec($1,spamd_exec_t) @@ -398,11 +144,66 @@ ## # 
@@ -26218,13 +25451,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +## +# +interface(`spamassassin_domtrans_spamc',` - gen_require(` -- type $1_spamc_t, spamc_exec_t; ++ gen_require(` + type spamc_t, spamc_exec_t; - ') - -- domtrans_pattern($2,spamc_exec_t,$1_spamc_t) -+ domtrans_pattern($1,spamc_exec_t,spamc_t) ++ ') ++ ++ domtrans_pattern($1, spamc_exec_t, spamc_t) + allow $1 spamc_exec_t:file ioctl; +') + @@ -26254,10 +25485,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +## +# +template(`spamassassin_read_user_home_files',` -+ gen_require(` + gen_require(` +- type $1_spamc_t, spamc_exec_t; + type spamassassin_home_t; -+ ') -+ + ') + +- domtrans_pattern($2, spamc_exec_t, $1_spamc_t) + allow $1 spamassassin_home_t:dir list_dir_perms; + allow $1 spamassassin_home_t:file read_file_perms; ') @@ -26269,11 +25502,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam template(`spamassassin_domtrans_user_local_client',` - gen_require(` - type $1_spamassassin_t, spamassassin_exec_t; -- ') + spamassassin_domtrans($2) -+') + ') -- domtrans_pattern($2,spamassassin_exec_t,$1_spamassassin_t) +- domtrans_pattern($2, spamassassin_exec_t, $1_spamassassin_t) +######################################## +## +## Execute spamassassin in the user spamassassin domain. @@ -26299,8 +25531,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') files_search_var_lib($1) -+ list_dirs_pattern($1,spamd_var_lib_t,spamd_var_lib_t) - read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t) ++ list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t) + read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) ') @@ -528,3 +346,133 @@ 
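Review bot: `spamassassin_domtrans_user_local_client` is reduced to a forwarding call, `spamassassin_domtrans($2)`, that ignores its first argument, yet the template keeps its old signature and doc comment with no deprecation marker. Following `soundserver_tcp_connect` earlier in this patch, a `` refpolicywarn(`$0($*) has been deprecated.') `` as the first line of the body, plus a sentence in the doc comment telling callers to use `spamassassin_domtrans` directly, would steer callers off the shim. The outer markers of this hunk are hard to read after the whitespace-insensitive rediff, so the exact body is inferred from the new-side lines.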
@@ -26323,7 +25555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + type spamd_t, spamd_var_run_t; + ') + -+ stream_connect_pattern($1,spamd_var_run_t,spamd_var_run_t,spamd_t) ++ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) +') + + @@ -26343,7 +25575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + type spamd_script_exec_t; + ') + -+ init_script_domtrans_spec($1,spamd_script_exec_t) ++ init_script_domtrans_spec($1, spamd_script_exec_t) +') + +######################################## @@ -26389,19 +25621,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + allow $2 system_r; + + files_list_tmp($1) -+ manage_all_pattern($1,spamd_tmp_t) ++ manage_all_pattern($1, spamd_tmp_t) + + logging_list_logs($1) -+ manage_all_pattern($1,spamd_log_t) ++ manage_all_pattern($1, spamd_log_t) + + files_list_spool($1) -+ manage_all_pattern($1,spamd_spool_t) ++ manage_all_pattern($1, spamd_spool_t) + + files_list_var_lib($1) -+ manage_all_pattern($1,spamd_var_lib_t) ++ manage_all_pattern($1, spamd_var_lib_t) + + files_list_pids($1) -+ manage_all_pattern($1,spamd_var_run_t) ++ manage_all_pattern($1, spamd_var_run_t) +') + +######################################## 
@@ -26435,19 +25667,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + ') + + manage_files_pattern($1, spamc_home_t, spamc_home_t) -+ razor_manage_user_home_files(user,$1) ++ razor_manage_user_home_files(user, $1) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.1/policy/modules/services/spamassassin.te ---- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/spamassassin.te 2008-08-01 12:22:03.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.2/policy/modules/services/spamassassin.te +--- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/spamassassin.te 2008-08-05 12:15:11.000000000 -0400 @@ -21,8 +21,10 @@ - gen_tunable(spamd_enable_home_dirs,true) + gen_tunable(spamd_enable_home_dirs, true) # spamassassin client executable +type spamc_t; type spamc_exec_t; -application_executable_file(spamc_exec_t) -+application_domain(spamc_t,spamc_exec_t) ++application_domain(spamc_t, spamc_exec_t) +role system_r types spamc_t; type spamd_t; @@ -26478,7 +25710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +typealias spamc_t alias spamassassin_t; + +type spamc_home_t; -+userdom_user_home_content(user,spamc_home_t) ++userdom_user_home_content(user, spamc_home_t) +typealias spamc_home_t alias spamassassin_home_t; +typealias spamc_home_t alias user_spamassassin_home_t; + 
@@ -26502,17 +25734,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam allow spamd_t self:netlink_route_socket r_netlink_socket_perms; +manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t) -+logging_log_filetrans(spamd_t,spamd_log_t,file) ++logging_log_filetrans(spamd_t, spamd_log_t, file) + - manage_dirs_pattern(spamd_t,spamd_spool_t,spamd_spool_t) - manage_files_pattern(spamd_t,spamd_spool_t,spamd_spool_t) - files_spool_filetrans(spamd_t,spamd_spool_t, { file dir }) + manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) + manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) + files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) @@ -81,10 +104,11 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; --read_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t) -+manage_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t) +-read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) ++manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) 
@@ -26527,16 +25759,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam - sysadm_dontaudit_search_home_dirs(spamd_t) -+manage_dirs_pattern(spamd_t, spamc_home_t,spamc_home_t) -+manage_files_pattern(spamd_t, spamc_home_t,spamc_home_t) -+manage_lnk_files_pattern(spamd_t, spamc_home_t,spamc_home_t) -+manage_fifo_files_pattern(spamd_t, spamc_home_t,spamc_home_t) -+manage_sock_files_pattern(spamd_t, spamc_home_t,spamc_home_t) -+userdom_user_home_dir_filetrans(user,spamd_t,spamc_home_t,{ dir file lnk_file sock_file fifo_file }) ++manage_dirs_pattern(spamd_t, spamc_home_t, spamc_home_t) ++manage_files_pattern(spamd_t, spamc_home_t, spamc_home_t) ++manage_lnk_files_pattern(spamd_t, spamc_home_t, spamc_home_t) ++manage_fifo_files_pattern(spamd_t, spamc_home_t, spamc_home_t) ++manage_sock_files_pattern(spamd_t, spamc_home_t, spamc_home_t) ++userdom_user_home_dir_filetrans(user, spamd_t, spamc_home_t, { dir file lnk_file sock_file fifo_file }) + +optional_policy(` + # Write pid file and socket in ~/.evolution/cache/tmp -+ evolution_home_filetrans(user,spamd_t,spamd_tmp_t,{ file sock_file }) ++ evolution_home_filetrans(user, spamd_t, spamd_tmp_t, { file sock_file }) +') + +tunable_policy(`spamd_enable_home_dirs',` @@ -26569,7 +25801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam razor_domtrans(spamd_t) + razor_read_lib_files(spamd_t) + tunable_policy(`spamd_enable_home_dirs',` -+ razor_manage_user_home_files(user,spamd_t) ++ razor_manage_user_home_files(user, spamd_t) + ') ') 
@@ -26603,15 +25835,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +allow spamc_t spamd_t:unix_stream_socket connectto; +allow spamc_t spamd_tmp_t:sock_file rw_file_perms; + -+manage_dirs_pattern(spamc_t, spamc_home_t,spamc_home_t) -+manage_files_pattern(spamc_t, spamc_home_t,spamc_home_t) -+manage_lnk_files_pattern(spamc_t, spamc_home_t,spamc_home_t) -+manage_fifo_files_pattern(spamc_t, spamc_home_t,spamc_home_t) -+manage_sock_files_pattern(spamc_t, spamc_home_t,spamc_home_t) -+userdom_user_home_dir_filetrans($1,spamc_t,spamc_home_t,{ dir file lnk_file sock_file fifo_file }) ++manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t) ++manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t) ++manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t) ++manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t) ++manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t) ++userdom_user_home_dir_filetrans($1, spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file }) + -+manage_dirs_pattern(spamc_t, spamc_tmp_t,spamc_tmp_t) -+manage_files_pattern(spamc_t, spamc_tmp_t,spamc_tmp_t) ++manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) ++manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) +files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) + +kernel_read_kernel_sysctls(spamc_t) @@ -26620,7 +25852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +dev_read_urand(spamc_t) + +files_list_var_lib(spamc_t) -+read_files_pattern(spamc_t,spamd_var_lib_t,spamd_var_lib_t) ++read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) + +fs_search_auto_mountpoints(spamc_t) + 
@@ -26647,7 +25879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +userdom_use_unpriv_users_ptys(spamc_t) + +userdom_use_unpriv_users_fds(spamc_t) -+userdom_search_user_home_dirs(user,spamc_t) ++userdom_search_user_home_dirs(user, spamc_t) +userdom_list_user_files(user, spamc_t) +# cjp: this really should just be the +# terminal specific to the role @@ -26687,7 +25919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + +optional_policy(` + # Allow connection to spamd socket above -+ evolution_stream_connect(user,spamc_t) ++ evolution_stream_connect(user, spamc_t) +') + +optional_policy(` @@ -26696,9 +25928,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + sendmail_stub(spamc_t) + sendmail_rw_pipes(spamc_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.5.1/policy/modules/services/squid.fc ---- nsaserefpolicy/policy/modules/services/squid.fc 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/squid.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.5.2/policy/modules/services/squid.fc +--- nsaserefpolicy/policy/modules/services/squid.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/squid.fc 2008-08-05 12:15:11.000000000 -0400 @@ -12,3 +12,8 @@ /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) 
@@ -26708,9 +25940,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi + +/etc/rc.d/init.d/squid -- gen_context(system_u:object_r:squid_script_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.5.1/policy/modules/services/squid.if ---- nsaserefpolicy/policy/modules/services/squid.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/squid.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.5.2/policy/modules/services/squid.if +--- nsaserefpolicy/policy/modules/services/squid.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/squid.if 2008-08-05 12:15:11.000000000 -0400 @@ -131,3 +131,114 @@ interface(`squid_use',` refpolicywarn(`$0($*) has been deprecated.') @@ -26751,7 +25983,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi + type squid_script_exec_t; + ') + -+ init_script_domtrans_spec($1,squid_script_exec_t) ++ init_script_domtrans_spec($1, squid_script_exec_t) +') + +######################################## @@ -26796,16 +26028,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi + allow $2 system_r; + + files_list_etc($1) -+ manage_all_pattern($1,squid_conf_t) ++ manage_all_pattern($1, squid_conf_t) + + logging_list_logs($1) -+ manage_all_pattern($1,squid_log_t) ++ manage_all_pattern($1, squid_log_t) + + files_list_var($1) -+ manage_all_pattern($1,squid_cache_t) ++ manage_all_pattern($1, squid_cache_t) + + files_list_pids($1) -+ manage_all_pattern($1,squid_var_run_t) ++ manage_all_pattern($1, squid_var_run_t) +') + +######################################## 
@@ -26826,9 +26058,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi + allow $1 squid_t:process signal; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.5.1/policy/modules/services/squid.te ---- nsaserefpolicy/policy/modules/services/squid.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/squid.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.5.2/policy/modules/services/squid.te +--- nsaserefpolicy/policy/modules/services/squid.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/squid.te 2008-08-05 12:15:11.000000000 -0400 @@ -31,12 +31,15 @@ type squid_var_run_t; files_pid_file(squid_var_run_t) @@ -26893,7 +26125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi - cron_use_system_job_fds(squid_t) - cron_rw_pipes(squid_t) - cron_write_system_job_pipes(squid_t) -+ cron_system_entry(squid_t,squid_exec_t) ++ cron_system_entry(squid_t, squid_exec_t) ') optional_policy(` 
@@ -26914,89 +26146,88 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi + corenet_all_recvfrom_unlabeled(httpd_squid_script_t) + corenet_all_recvfrom_netlabel(httpd_squid_script_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.5.1/policy/modules/services/ssh.fc ---- nsaserefpolicy/policy/modules/services/ssh.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/ssh.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.5.2/policy/modules/services/ssh.fc +--- nsaserefpolicy/policy/modules/services/ssh.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/ssh.fc 2008-08-05 15:29:38.000000000 -0400 @@ -1,4 +1,4 @@ -HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ROLE_home_ssh_t,s0) -+HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:user_ssh_home_t,s0) ++HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.1/policy/modules/services/ssh.if ---- nsaserefpolicy/policy/modules/services/ssh.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/ssh.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.2/policy/modules/services/ssh.if +--- nsaserefpolicy/policy/modules/services/ssh.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/ssh.if 2008-08-05 15:28:51.000000000 -0400 
@@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; type ssh_exec_t, sshd_key_t, sshd_tmp_t; -+ type user_ssh_home_t, user_ssh_tmp_t; ++ type ssh_home_t, ssh_tmp_t; ') ############################## -@@ -47,8 +48,10 @@ - application_domain($1_ssh_t,ssh_exec_t) +@@ -47,8 +48,9 @@ + application_domain($1_ssh_t, ssh_exec_t) role $3 types $1_ssh_t; - type $1_home_ssh_t; - files_type($1_home_ssh_t) -+ ifelse(`$1',`user',`',` -+ typealias user_ssh_home_t alias $1_ssh_home_t; -+ typealias user_ssh_home_t alias $1_home_ssh_t; -+ ') ++ typealias ssh_home_t alias $1_ssh_home_t; ++ typealias ssh_home_t alias $1_home_ssh_t; ++ typealias ssh_tmp_t alias $1_ssh_tmp_t; ############################## # -@@ -93,18 +96,18 @@ - ps_process_pattern($2,$1_ssh_t) +@@ -93,18 +95,18 @@ + ps_process_pattern($2, $1_ssh_t) # user can manage the keys and config -- manage_files_pattern($2,$1_home_ssh_t,$1_home_ssh_t) -- manage_lnk_files_pattern($2,$1_home_ssh_t,$1_home_ssh_t) -- manage_sock_files_pattern($2,$1_home_ssh_t,$1_home_ssh_t) -+ manage_files_pattern($2,user_ssh_home_t,user_ssh_home_t) -+ manage_lnk_files_pattern($2,user_ssh_home_t,user_ssh_home_t) -+ manage_sock_files_pattern($2,user_ssh_home_t,user_ssh_home_t) +- manage_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t) +- manage_lnk_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t) +- manage_sock_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t) ++ manage_files_pattern($2, ssh_home_t, ssh_home_t) ++ manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t) ++ manage_sock_files_pattern($2, ssh_home_t, ssh_home_t) # ssh client can manage the keys and config -- manage_files_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t) -- read_lnk_files_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t) -+ manage_files_pattern($1_ssh_t,user_ssh_home_t,user_ssh_home_t) -+ read_lnk_files_pattern($1_ssh_t,user_ssh_home_t,user_ssh_home_t) +- manage_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t) +- read_lnk_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t) ++ 
manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t) ++ read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t) # ssh servers can read the user keys and config - allow ssh_server $1_home_ssh_t:dir list_dir_perms; -- read_files_pattern(ssh_server,$1_home_ssh_t,$1_home_ssh_t) -- read_lnk_files_pattern(ssh_server,$1_home_ssh_t,$1_home_ssh_t) -+ allow ssh_server user_ssh_home_t:dir list_dir_perms; -+ read_files_pattern(ssh_server,user_ssh_home_t,user_ssh_home_t) -+ read_lnk_files_pattern(ssh_server,user_ssh_home_t,user_ssh_home_t) +- read_files_pattern(ssh_server, $1_home_ssh_t, $1_home_ssh_t) +- read_lnk_files_pattern(ssh_server, $1_home_ssh_t, $1_home_ssh_t) ++ allow ssh_server ssh_home_t:dir list_dir_perms; ++ read_files_pattern(ssh_server, ssh_home_t, ssh_home_t) ++ read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t) kernel_read_kernel_sysctls($1_ssh_t) -@@ -212,7 +215,7 @@ +@@ -212,7 +214,7 @@ - ssh_basic_client_template($1,$2,$3) + ssh_basic_client_template($1, $2, $3) -- userdom_user_home_content($1,$1_home_ssh_t) -+ userdom_user_home_content($1,user_ssh_home_t) +- userdom_user_home_content($1, $1_home_ssh_t) ++ userdom_user_home_content($1, ssh_home_t) type $1_ssh_agent_t; - application_domain($1_ssh_agent_t,ssh_agent_exec_t) -@@ -240,9 +243,9 @@ - manage_sock_files_pattern($1_ssh_t,$1_ssh_tmpfs_t,$1_ssh_tmpfs_t) - fs_tmpfs_filetrans($1_ssh_t,$1_ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) - -- manage_dirs_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t) -- manage_sock_files_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t) -- userdom_user_home_dir_filetrans($1,$1_ssh_t,$1_home_ssh_t,{ dir sock_file }) -+ manage_dirs_pattern($1_ssh_t,user_ssh_home_t,user_ssh_home_t) -+ manage_sock_files_pattern($1_ssh_t,user_ssh_home_t,user_ssh_home_t) -+ userdom_user_home_dir_filetrans($1,$1_ssh_t,user_ssh_home_t,{ dir sock_file }) + application_domain($1_ssh_agent_t, ssh_agent_exec_t) +@@ -240,9 +242,9 @@ + manage_sock_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, 
$1_ssh_tmpfs_t) + fs_tmpfs_filetrans($1_ssh_t, $1_ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +- manage_dirs_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t) +- manage_sock_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t) +- userdom_user_home_dir_filetrans($1, $1_ssh_t, $1_home_ssh_t, { dir sock_file }) ++ manage_dirs_pattern($1_ssh_t, ssh_home_t, ssh_home_t) ++ manage_sock_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t) ++ userdom_user_home_dir_filetrans($1, $1_ssh_t, ssh_home_t, { dir sock_file }) # Allow the ssh program to communicate with ssh-agent. - stream_connect_pattern($1_ssh_t,$1_ssh_agent_tmp_t,$1_ssh_agent_tmp_t,$1_ssh_agent_t) -@@ -413,6 +416,25 @@ + stream_connect_pattern($1_ssh_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t) +@@ -413,6 +415,25 @@ ') ') @@ -27016,13 +26247,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. + ') + + corecmd_search_bin($1) -+ can_exec($1,ssh_agent_exec_t) ++ can_exec($1, ssh_agent_exec_t) +') + ####################################### ## ## The template to define a ssh server. -@@ -443,13 +465,14 @@ +@@ -443,13 +464,14 @@ type $1_var_run_t; files_pid_file($1_var_run_t) @@ -27038,7 +26269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; term_create_pty($1_t,$1_devpts_t) -@@ -479,6 +502,10 @@ +@@ -479,6 +501,10 @@ corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) corenet_sendrecv_ssh_server_packets($1_t) @@ -27049,7 +26280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. fs_dontaudit_getattr_all_fs($1_t) -@@ -506,9 +533,14 @@ +@@ -506,9 +532,14 @@ userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t) userdom_search_all_users_home_dirs($1_t) 
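Review bot: In the ssh.if hunk `@@ -47,8 +48,9 @@` the per-role `type $1_home_ssh_t;` is replaced by aliases of one shared `ssh_home_t`, so `manage_files_pattern($2, ssh_home_t, ssh_home_t)` and `read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)` now apply to every role's `~/.ssh` content rather than only role `$1`'s, and nothing in the template says so. A comment at the alias lines such as `# ~/.ssh of every role is ssh_home_t; $1_home_ssh_t and $1_ssh_home_t survive only as aliases, so rules on ssh_home_t are not role-specific` would keep that visible to the next maintainer. The new unconditional `typealias ssh_tmp_t alias $1_ssh_tmp_t;` also presumes no other part of the template still declares `type $1_ssh_tmp_t;`; that part is outside the hunk, so worth confirming. The template bodies start and end outside this hunk.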
@@ -27064,7 +26295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') tunable_policy(`use_samba_home_dirs',` -@@ -517,11 +549,7 @@ +@@ -517,11 +548,7 @@ optional_policy(` kerberos_use($1_t) @@ -27077,9 +26308,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.5.1/policy/modules/services/ssh.te ---- nsaserefpolicy/policy/modules/services/ssh.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/ssh.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.5.2/policy/modules/services/ssh.te +--- nsaserefpolicy/policy/modules/services/ssh.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/ssh.te 2008-08-05 15:29:14.000000000 -0400 @@ -24,7 +24,7 @@ # Type for the ssh-agent executable. @@ -27089,21 +26320,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # ssh client executable. type ssh_exec_t; -@@ -57,6 +57,13 @@ +@@ -57,6 +57,12 @@ init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh) ') -+type user_ssh_home_t; -+userdom_user_home_content(user,user_ssh_home_t) -+typealias user_ssh_home_t alias user_home_ssh_t; ++type ssh_home_t; ++userdom_user_home_content(user, ssh_home_t) + -+type user_ssh_tmp_t; -+files_tmp_file(user_ssh_tmp_t) ++type ssh_tmp_t; ++files_tmp_file(ssh_tmp_t) + ################################# # # sshd local policy -@@ -80,6 +87,10 @@ +@@ -80,6 +86,10 @@ corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) 
@@ -27114,7 +26344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to -@@ -101,6 +112,14 @@ +@@ -101,6 +111,14 @@ ') optional_policy(` @@ -27129,7 +26359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. daemontools_service_domain(sshd_t, sshd_exec_t) ') -@@ -119,7 +138,11 @@ +@@ -119,7 +137,11 @@ ') optional_policy(` @@ -27142,9 +26372,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. unconfined_shell_domtrans(sshd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.if serefpolicy-3.5.1/policy/modules/services/stunnel.if ---- nsaserefpolicy/policy/modules/services/stunnel.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/stunnel.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.if serefpolicy-3.5.2/policy/modules/services/stunnel.if +--- nsaserefpolicy/policy/modules/services/stunnel.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/stunnel.if 2008-08-05 12:15:11.000000000 -0400 @@ -1 +1,25 @@ ## SSL Tunneling Proxy + 
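Review bot: The ssh.te hunk `@@ -57,6 +57,12 @@` drops `typealias user_ssh_home_t alias user_home_ssh_t;`, so the `user_home_ssh_t` compatibility name is now produced only by the ssh.if template (`typealias ssh_home_t alias $1_home_ssh_t;`) when it is instantiated for `user`; if anything references that name in a build without that instantiation, a `typealias ssh_home_t alias user_home_ssh_t;` would be needed here — cannot be confirmed from the hunk. `ssh_tmp_t` is declared with `files_tmp_file(ssh_tmp_t)` but no visible rule grants any domain access to it or a filetrans into it; a comment stating its intended consumer (presumably the per-role `$1_ssh_tmp_t` alias) would make the declaration self-explaining. The sshd local policy that follows continues outside the hunk.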
@@ -27168,12 +26398,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stun + type stunnel_t; + ') + -+ domtrans_pattern(stunnel_t,$2,$1) ++ domtrans_pattern(stunnel_t, $2, $1) + allow $1 stunnel_t:tcp_socket rw_socket_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.5.1/policy/modules/services/stunnel.te ---- nsaserefpolicy/policy/modules/services/stunnel.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/stunnel.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.5.2/policy/modules/services/stunnel.te +--- nsaserefpolicy/policy/modules/services/stunnel.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/stunnel.te 2008-08-05 12:15:11.000000000 -0400 @@ -20,7 +20,7 @@ ') @@ -27183,9 +26413,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stun type stunnel_tmp_t; files_tmp_file(stunnel_tmp_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.5.1/policy/modules/services/telnet.te ---- nsaserefpolicy/policy/modules/services/telnet.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/telnet.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.5.2/policy/modules/services/telnet.te +--- nsaserefpolicy/policy/modules/services/telnet.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/telnet.te 2008-08-05 12:15:11.000000000 -0400 @@ -89,15 +89,19 @@ userdom_search_unpriv_users_home_dirs(telnetd_t) 
@@ -27210,26 +26440,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln + fs_manage_cifs_files(telnetd_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.5.1/policy/modules/services/tftp.if ---- nsaserefpolicy/policy/modules/services/tftp.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/tftp.if 2008-07-25 12:35:13.000000000 -0400 -@@ -21,10 +21,10 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.5.2/policy/modules/services/tftp.if +--- nsaserefpolicy/policy/modules/services/tftp.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/tftp.if 2008-08-05 15:34:30.000000000 -0400 +@@ -20,10 +20,10 @@ allow $1 tftpd_t:process { ptrace signal_perms getattr }; ps_process_pattern($1, tftpd_t) - manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) -+ manage_all_pattern($1,tftpdir_rw_t) ++ manage_all_pattern($1, tftpdir_rw_t) - manage_files_pattern($1, tftpdir_t, tftpdir_t) -+ manage_all_pattern($1,tftpdir_t) ++ manage_all_pattern($1, tftpdir_t) files_list_pids($1) - manage_files_pattern($1, tftpd_var_run_t, tftpd_var_run_t) -+ manage_all_pattern($1,tftpd_var_run_t) ++ manage_all_pattern($1, tftpd_var_run_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.5.1/policy/modules/services/tftp.te ---- nsaserefpolicy/policy/modules/services/tftp.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/tftp.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.5.2/policy/modules/services/tftp.te +--- nsaserefpolicy/policy/modules/services/tftp.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/tftp.te 2008-08-05 
12:15:11.000000000 -0400 @@ -37,7 +37,6 @@ allow tftpd_t self:udp_socket create_socket_perms; allow tftpd_t self:unix_dgram_socket create_socket_perms; @@ -27274,18 +26504,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp seutil_sigchld_newrole(tftpd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.fc serefpolicy-3.5.1/policy/modules/services/tor.fc ---- nsaserefpolicy/policy/modules/services/tor.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/tor.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.fc serefpolicy-3.5.2/policy/modules/services/tor.fc +--- nsaserefpolicy/policy/modules/services/tor.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/tor.fc 2008-08-05 12:15:11.000000000 -0400 @@ -6,3 +6,5 @@ /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) /var/log/tor(/.*)? gen_context(system_u:object_r:tor_var_log_t,s0) /var/run/tor(/.*)? gen_context(system_u:object_r:tor_var_run_t,s0) + +/etc/rc.d/init.d/tor -- gen_context(system_u:object_r:tor_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.if serefpolicy-3.5.1/policy/modules/services/tor.if ---- nsaserefpolicy/policy/modules/services/tor.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/tor.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.if serefpolicy-3.5.2/policy/modules/services/tor.if +--- nsaserefpolicy/policy/modules/services/tor.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/tor.if 2008-08-05 12:15:11.000000000 -0400 @@ -20,6 +20,25 @@ ######################################## 
@@ -27304,7 +26534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor. + type tor_script_exec_t; + ') + -+ init_script_domtrans_spec($1,tor_script_exec_t) ++ init_script_domtrans_spec($1, tor_script_exec_t) +') + +######################################## @@ -27330,24 +26560,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor. + logging_list_logs($1) - manage_files_pattern($1, tor_var_log_t, tor_var_log_t) -+ manage_all_pattern($1,tor_var_log_t) ++ manage_all_pattern($1, tor_var_log_t) files_list_etc($1) - manage_files_pattern($1, tor_etc_t, tor_etc_t) -+ manage_all_pattern($1,tor_etc_t) ++ manage_all_pattern($1, tor_etc_t) files_list_var_lib($1) - manage_files_pattern($1, tor_var_lib_t, tor_var_lib_t) -+ manage_all_pattern($1,tor_var_lib_t) ++ manage_all_pattern($1, tor_var_lib_t) files_list_pids($1) - manage_files_pattern($1, tor_var_run_t, tor_var_run_t) -+ manage_all_pattern($1,tor_var_run_t) ++ manage_all_pattern($1, tor_var_run_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.5.1/policy/modules/services/tor.te ---- nsaserefpolicy/policy/modules/services/tor.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/tor.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.5.2/policy/modules/services/tor.te +--- nsaserefpolicy/policy/modules/services/tor.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/tor.te 2008-08-05 12:15:11.000000000 -0400 @@ -26,11 +26,15 @@ type tor_var_run_t; files_pid_file(tor_var_run_t) 
@@ -27380,37 +26610,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor. optional_policy(` seutil_sigchld_newrole(tor_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.if serefpolicy-3.5.1/policy/modules/services/uucp.if ---- nsaserefpolicy/policy/modules/services/uucp.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/uucp.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.if serefpolicy-3.5.2/policy/modules/services/uucp.if +--- nsaserefpolicy/policy/modules/services/uucp.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/uucp.if 2008-08-05 12:15:11.000000000 -0400 
@@ -84,18 +84,18 @@ ps_process_pattern($1, uucpd_t) files_list_tmp($1) - manage_files_pattern($1, uucpd_tmp_t, uucpd_tmp_t) -+ manage_all_pattern($1,uucpd_tmp_t) ++ manage_all_pattern($1, uucpd_tmp_t) logging_list_logs($1) - manage_files_pattern($1, uucpd_log_t, uucpd_log_t) -+ manage_all_pattern($1,uucpd_log_t) ++ manage_all_pattern($1, uucpd_log_t) files_list_spool($1) - manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t) -+ manage_all_pattern($1,uucpd_spool_t) ++ manage_all_pattern($1, uucpd_spool_t) - manage_files_pattern($1, uucpd_rw_t, uucpd_rw_t) -+ manage_all_pattern($1,uucpd_rw_t) ++ manage_all_pattern($1, uucpd_rw_t) - manage_files_pattern($1, uucpd_ro_t, uucpd_ro_t) -+ manage_all_pattern($1,uucpd_ro_t) ++ manage_all_pattern($1, uucpd_ro_t) files_list_pids($1) - manage_files_pattern($1, uucpd_var_run_t, uucpd_var_run_t) -+ manage_all_pattern($1,uucpd_var_run_t) ++ manage_all_pattern($1, uucpd_var_run_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.5.1/policy/modules/services/uucp.te ---- nsaserefpolicy/policy/modules/services/uucp.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/uucp.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.5.2/policy/modules/services/uucp.te +--- nsaserefpolicy/policy/modules/services/uucp.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/uucp.te 2008-08-05 12:15:11.000000000 -0400 @@ -116,6 +116,8 @@ files_read_etc_files(uux_t) 
@@ -27420,9 +26650,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp libs_use_ld_so(uux_t) libs_use_shared_libs(uux_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.5.1/policy/modules/services/virt.fc ---- nsaserefpolicy/policy/modules/services/virt.fc 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/virt.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.5.2/policy/modules/services/virt.fc +--- nsaserefpolicy/policy/modules/services/virt.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/virt.fc 2008-08-05 12:15:11.000000000 -0400 @@ -9,3 +9,6 @@ /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) @@ -27430,10 +26660,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt + +/etc/rc.d/init.d/libvirtd -- gen_context(system_u:object_r:virtd_script_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.5.1/policy/modules/services/virt.if ---- nsaserefpolicy/policy/modules/services/virt.if 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/virt.if 2008-08-01 08:40:25.000000000 -0400 -@@ -68,12 +68,30 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.5.2/policy/modules/services/virt.if +--- nsaserefpolicy/policy/modules/services/virt.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/virt.if 2008-08-05 15:38:12.000000000 -0400 +@@ -68,7 +68,7 @@ ## ## # 
@@ -27442,13 +26672,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt gen_require(` type virt_var_run_t; ') +@@ -78,6 +78,24 @@ -- manage_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ manage_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ ') -+ -+######################################## -+## + ######################################## + ## +## Execute virt server in the virt domain. +## +## @@ -27462,32 +26689,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt + type virtd_script_exec_t; + ') + -+ init_script_domtrans_spec($1,virtd_script_exec_t) - ') - - ######################################## -@@ -116,8 +134,7 @@ - - ######################################## - ## --## Create, read, write, and delete --## virt lib files. -+## Manage virt lib files. ++ init_script_domtrans_spec($1, virtd_script_exec_t) ++') ++ ++######################################## ++## + ## Search virt lib directories. ## ## - ## -@@ -131,9 +148,10 @@ - ') - - files_search_var_lib($1) -- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -+ manage_files_pattern($1,virt_var_lib_t,virt_var_lib_t) - ') - -+ - ######################################## - ## - ## Allow the specified domain to read virt's log files. @@ -196,6 +214,35 @@ ######################################## @@ -27532,7 +26741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs($1) -@@ -243,10 +291,17 @@ +@@ -243,11 +291,18 @@ interface(`virt_admin',` gen_require(` type virtd_t; 
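Review bot: The summary line `+## Execute virt server in the virt domain.` does not describe what the interface body in the following hunk grants, which is only `init_script_domtrans_spec($1, virtd_script_exec_t)`; going by the helper's name and the `virtd_script_exec_t` label, that is a transition on the libvirtd init script, not a domain transition into the server domain, so a caller trusting the summary would expect access this interface does not give. Suggest `## Execute the libvirtd init script with a domain transition.` and a short body note saying it is the init script, not libvirtd itself, that is run. The `interface(` line and the `gen_require(` opener sit between the two hunks and are not visible here.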
@@ -27541,18 +26750,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt allow $1 virtd_t:process { ptrace signal_perms }; ps_process_pattern($1, virtd_t) -+ + + # Allow virtd_t to restart the apache service + virtd_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 virtd_script_exec_t system_r; + allow $2 system_r; - ++ virt_manage_pid_files($1) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.5.1/policy/modules/services/virt.te ---- nsaserefpolicy/policy/modules/services/virt.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/virt.te 2008-08-01 08:26:59.000000000 -0400 + virt_manage_lib_files($1) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.5.2/policy/modules/services/virt.te +--- nsaserefpolicy/policy/modules/services/virt.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/virt.te 2008-08-05 12:15:11.000000000 -0400 @@ -1,6 +1,8 @@ policy_module(virt, 1.0.0) @@ -27573,7 +26783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt type virt_log_t; logging_log_file(virt_log_t) -@@ -45,13 +45,15 @@ +@@ -45,6 +45,9 @@ type virtd_exec_t; init_daemon_domain(virtd_t, virtd_exec_t) @@ -27583,6 +26793,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ######################################## # # virtd local policy +@@ -49,9 +52,8 @@ + # + # virtd local policy # - allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace }; 
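Review bot: The comment `+ # Allow virtd_t to restart the apache service` inside virt_admin is wrong on both counts: the subject of the rules beneath it is `$1`, the administrative domain passed to the interface, not virtd_t, and the script it may run is labelled `virtd_script_exec_t`, which has nothing to do with apache. Suggest `# Allow the admin domain to run the libvirtd init script, with $2 transitioning to system_r`. It is also worth noting in the interface's parameter docs (outside this hunk) that `domain_system_change_exemption($1)` plus `allow $2 system_r;` widen the admin role beyond the virt objects themselves; if that mirrors the other *_admin interfaces in this policy it is fine, but the reader should not have to infer it.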
@@ -27680,15 +26893,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +optional_policy(` + unconfined_domain(virtd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-3.5.1/policy/modules/services/w3c.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-3.5.2/policy/modules/services/w3c.fc --- nsaserefpolicy/policy/modules/services/w3c.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/services/w3c.fc 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/w3c.fc 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,2 @@ +/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0) +/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.if serefpolicy-3.5.1/policy/modules/services/w3c.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.if serefpolicy-3.5.2/policy/modules/services/w3c.if --- nsaserefpolicy/policy/modules/services/w3c.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/services/w3c.if 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/w3c.if 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,20 @@ +## W3C + 
@@ -27708,13 +26921,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. + type w3c_script_exec_t; + ') + -+ init_script_domtrans_spec($1,w3c_script_exec_t) ++ init_script_domtrans_spec($1, w3c_script_exec_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.5.1/policy/modules/services/w3c.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.5.2/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/services/w3c.te 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/w3c.te 2008-08-05 12:15:11.000000000 -0400 @@ -0,0 +1,14 @@ -+policy_module(w3c,1.2.1) ++policy_module(w3c, 1.2.1) + +apache_content_template(w3c_validator) + @@ -27728,9 +26941,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. +corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) + +miscfiles_read_certs(httpd_w3c_validator_script_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.5.1/policy/modules/services/xserver.fc ---- nsaserefpolicy/policy/modules/services/xserver.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/xserver.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.5.2/policy/modules/services/xserver.fc +--- nsaserefpolicy/policy/modules/services/xserver.fc 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/xserver.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1,13 +1,14 @@ # # HOME_DIR 
@@ -27801,28 +27014,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.1/policy/modules/services/xserver.if ---- nsaserefpolicy/policy/modules/services/xserver.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/xserver.if 2008-07-31 17:44:32.000000000 -0400 -@@ -16,7 +16,8 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.2/policy/modules/services/xserver.if +--- nsaserefpolicy/policy/modules/services/xserver.if 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/xserver.if 2008-08-05 15:42:31.000000000 -0400 +@@ -16,6 +16,7 @@ gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; -- attribute x_server_domain; + attribute rootwindow_type; -+ attribute x_server_domain, x_server_domain_tmpfs; + attribute x_server_domain; class x_drawable all_x_drawable_perms; class x_colormap all_x_colormap_perms; - class x_screen all_x_screen_perms; -@@ -39,7 +40,7 @@ - type $1_xserver_tmp_t; - files_tmp_file($1_xserver_tmp_t) - -- type $1_xserver_tmpfs_t; -+ type $1_xserver_tmpfs_t, x_server_domain_tmpfs; - files_tmpfs_file($1_xserver_tmpfs_t) - - ############################## @@ -128,18 +129,24 @@ dev_rw_agp($1_xserver_t) dev_rw_framebuffer($1_xserver_t) 
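Review bot: The regenerated hunk drops the patch's earlier introduction of `x_server_domain_tmpfs` — both the `attribute x_server_domain, x_server_domain_tmpfs;` line in gen_require and the `type $1_xserver_tmpfs_t, x_server_domain_tmpfs;` declaration — with nothing replacing them on the new side. I cannot see the rest of xserver.if or xserver.te from here, so if any rule elsewhere in the 3.5.2 patch still names that attribute the module will fail to compile; a grep for `x_server_domain_tmpfs` over the patched tree before merging would settle it. The enclosing template's body continues outside this hunk.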
@@ -27870,54 +27072,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_unallocated_ttys($1_xserver_t) term_use_unallocated_ttys($1_xserver_t) -@@ -270,6 +281,12 @@ +@@ -270,6 +281,8 @@ gen_require(` type iceauth_exec_t, xauth_exec_t; attribute fonts_type, fonts_cache_type, fonts_config_type; -+ type fonts_home_t; -+ type fonts_cache_home_t; -+ type fonts_config_home_t; -+ type iceauth_home_t; -+ type xauth_home_t; -+ type xauth_tmp_t; ++ type fonts_home_t, fonts_cache_home_t, fonts_config_home_t; ++ type iceauth_home_t, xauth_home_t, xauth_tmp_t; ') ############################## -@@ -280,35 +297,25 @@ +@@ -280,35 +293,25 @@ xserver_common_domain_template($1) role $3 types $1_xserver_t; - type $1_fonts_t, fonts_type; -- userdom_user_home_content($1,$1_fonts_t) +- userdom_user_home_content($1, $1_fonts_t) - - type $1_fonts_cache_t, fonts_cache_type; -- userdom_user_home_content($1,$1_fonts_cache_t) +- userdom_user_home_content($1, $1_fonts_cache_t) - - type $1_fonts_config_t, fonts_config_type; -- userdom_user_home_content($1,$1_fonts_cache_t) +- userdom_user_home_content($1, $1_fonts_cache_t) + typealias fonts_home_t alias $1_fonts_t; + typealias fonts_cache_home_t alias $1_fonts_cache_t; + typealias fonts_config_home_t alias $1_fonts_config_t; type $1_iceauth_t; domain_type($1_iceauth_t) - domain_entry_file($1_iceauth_t,iceauth_exec_t) + domain_entry_file($1_iceauth_t, iceauth_exec_t) role $3 types $1_iceauth_t; - type $1_iceauth_home_t alias $1_iceauth_rw_t; - files_poly_member($1_iceauth_home_t) -- userdom_user_home_content($1,$1_iceauth_home_t) +- userdom_user_home_content($1, $1_iceauth_home_t) + typealias iceauth_home_t alias $1_iceauth_rw_t; + typealias iceauth_home_t alias $1_iceauth_home_t; type $1_xauth_t; domain_type($1_xauth_t) - domain_entry_file($1_xauth_t,xauth_exec_t) + domain_entry_file($1_xauth_t, xauth_exec_t) role $3 types $1_xauth_t; - type $1_xauth_home_t alias $1_xauth_rw_t, xauth_home_type; - 
files_poly_member($1_xauth_home_t) -- userdom_user_home_content($1,$1_xauth_home_t) +- userdom_user_home_content($1, $1_xauth_home_t) - - type $1_xauth_tmp_t; - files_tmp_file($1_xauth_tmp_t) @@ -27926,7 +27124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ############################## # -@@ -317,24 +324,24 @@ +@@ -317,24 +320,24 @@ domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) 
@@ -27938,41 +27136,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow $1_xserver_t $2:shm rw_shm_perms; -- manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t) -- manage_files_pattern($2,$1_fonts_t,$1_fonts_t) -- relabel_dirs_pattern($2,$1_fonts_t,$1_fonts_t) -- relabel_files_pattern($2,$1_fonts_t,$1_fonts_t) +- manage_dirs_pattern($2, $1_fonts_t, $1_fonts_t) +- manage_files_pattern($2, $1_fonts_t, $1_fonts_t) +- relabel_dirs_pattern($2, $1_fonts_t, $1_fonts_t) +- relabel_files_pattern($2, $1_fonts_t, $1_fonts_t) - -- manage_dirs_pattern($2,$1_fonts_config_t,$1_fonts_config_t) -- manage_files_pattern($2,$1_fonts_config_t,$1_fonts_config_t) -- relabel_files_pattern($2,$1_fonts_config_t,$1_fonts_config_t) -+ manage_dirs_pattern($2,fonts_home_t,fonts_home_t) -+ manage_files_pattern($2,fonts_home_t,fonts_home_t) -+ relabel_dirs_pattern($2,fonts_home_t,fonts_home_t) -+ relabel_files_pattern($2,fonts_home_t,fonts_home_t) +- manage_dirs_pattern($2, $1_fonts_config_t, $1_fonts_config_t) +- manage_files_pattern($2, $1_fonts_config_t, $1_fonts_config_t) +- relabel_files_pattern($2, $1_fonts_config_t, $1_fonts_config_t) ++ manage_dirs_pattern($2, fonts_home_t, fonts_home_t) ++ manage_files_pattern($2, fonts_home_t, fonts_home_t) ++ relabel_dirs_pattern($2, fonts_home_t, fonts_home_t) ++ relabel_files_pattern($2, fonts_home_t, fonts_home_t) + -+ manage_dirs_pattern($2,fonts_config_home_t,fonts_config_home_t) -+ manage_files_pattern($2,fonts_config_home_t,fonts_config_home_t) -+ relabel_files_pattern($2,fonts_config_home_t,fonts_config_home_t) ++ manage_dirs_pattern($2, fonts_config_home_t, fonts_config_home_t) ++ manage_files_pattern($2, fonts_config_home_t, fonts_config_home_t) ++ relabel_files_pattern($2, fonts_config_home_t, fonts_config_home_t) # For startup relabel - allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom }; + allow $2 fonts_cache_home_t:{ dir file } { relabelto relabelfrom }; - 
stream_connect_pattern($2,$1_xserver_tmp_t,$1_xserver_tmp_t,$1_xserver_t) + stream_connect_pattern($2, $1_xserver_tmp_t, $1_xserver_tmp_t, $1_xserver_t) -@@ -348,6 +355,8 @@ +@@ -348,6 +351,8 @@ locallogin_use_fds($1_xserver_t) + miscfiles_read_fonts($2) + - userdom_search_user_home_dirs($1,$1_xserver_t) - userdom_use_user_ttys($1,$1_xserver_t) - userdom_setattr_user_ttys($1,$1_xserver_t) -@@ -355,18 +364,12 @@ + userdom_search_user_home_dirs($1, $1_xserver_t) + userdom_use_user_ttys($1, $1_xserver_t) + userdom_setattr_user_ttys($1, $1_xserver_t) +@@ -355,18 +360,12 @@ - xserver_use_user_fonts($1,$1_xserver_t) + xserver_use_user_fonts($1, $1_xserver_t) xserver_rw_xdm_tmp_files($1_xauth_t) + xserver_read_xdm_xserver_tmp_files($2) 
@@ -27990,25 +27188,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ############################## # # $1_xauth_t Local policy -@@ -375,12 +378,12 @@ +@@ -375,12 +374,12 @@ allow $1_xauth_t self:process signal; allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms; - allow $1_xauth_t $1_xauth_home_t:file manage_file_perms; -- userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file) +- userdom_user_home_dir_filetrans($1, $1_xauth_t, $1_xauth_home_t,file) + allow $1_xauth_t xauth_home_t:file manage_file_perms; -+ userdom_user_home_dir_filetrans($1,$1_xauth_t,xauth_home_t,file) ++ userdom_user_home_dir_filetrans($1, $1_xauth_t, xauth_home_t, file) -- manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t) -- manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t) +- manage_dirs_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t) +- manage_files_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t) - files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir }) -+ manage_dirs_pattern($1_xauth_t,xauth_tmp_t,xauth_tmp_t) -+ manage_files_pattern($1_xauth_t,xauth_tmp_t,xauth_tmp_t) ++ manage_dirs_pattern($1_xauth_t, xauth_tmp_t, xauth_tmp_t) ++ manage_files_pattern($1_xauth_t, xauth_tmp_t, xauth_tmp_t) + files_tmp_filetrans($1_xauth_t, xauth_tmp_t, { file dir }) domtrans_pattern($2, xauth_exec_t, $1_xauth_t) -@@ -389,11 +392,11 @@ +@@ -389,11 +388,11 @@ # allow ps to show xauth ps_process_pattern($2,$1_xauth_t) 
@@ -28018,23 +27216,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + allow $2 xauth_home_t:file { relabelfrom relabelto }; - allow xdm_t $1_xauth_home_t:file manage_file_perms; -- userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file) +- userdom_user_home_dir_filetrans($1, xdm_t, $1_xauth_home_t, file) + allow xdm_t xauth_home_t:file manage_file_perms; -+ userdom_user_home_dir_filetrans($1,xdm_t,xauth_home_t,file) ++ userdom_user_home_dir_filetrans($1, xdm_t, xauth_home_t, file) domain_use_interactive_fds($1_xauth_t) -@@ -435,16 +438,16 @@ +@@ -435,16 +434,16 @@ domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t) - allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms; -- userdom_user_home_dir_filetrans($1,$1_iceauth_t,$1_iceauth_home_t,file) +- userdom_user_home_dir_filetrans($1, $1_iceauth_t, $1_iceauth_home_t, file) + allow $1_iceauth_t iceauth_home_t:file manage_file_perms; -+ userdom_user_home_dir_filetrans($1,$1_iceauth_t,iceauth_home_t,file) ++ userdom_user_home_dir_filetrans($1, $1_iceauth_t, iceauth_home_t, file) # allow ps to show iceauth - ps_process_pattern($2,$1_iceauth_t) + ps_process_pattern($2, $1_iceauth_t) - allow $2 $1_iceauth_home_t:file manage_file_perms; - allow $2 $1_iceauth_home_t:file { relabelfrom relabelto }; @@ -28046,7 +27244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser fs_search_auto_mountpoints($1_iceauth_t) -@@ -467,34 +470,12 @@ +@@ -467,34 +466,12 @@ # # Device rules @@ -28083,7 +27281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # xrdb X11:ChangeProperty prop=RESOURCE_MANAGER allow $2 info_xproperty_t:x_property { create write append }; -@@ -610,7 +591,7 @@ +@@ -610,7 +587,7 @@ # refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') gen_require(` type xdm_t, xdm_tmp_t; 
@@ -28092,7 +27290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') allow $2 self:shm create_shm_perms; -@@ -618,8 +599,8 @@ +@@ -618,8 +595,8 @@ allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -28103,7 +27301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -643,11 +624,80 @@ +@@ -643,11 +620,80 @@ xserver_read_xdm_tmp_files($2) @@ -28111,7 +27309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - tunable_policy(`allow_write_xshm',` - allow $2 $1_xserver_t:shm rw_shm_perms; - allow $2 $1_xserver_tmpfs_t:file rw_file_perms; -+') + ') + +####################################### +## @@ -28145,7 +27343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + attribute x_domain; + type $1_xserver_t; +# type $2_input_xevent_t; - ') ++ ') + +# typeattribute $2_input_xevent_t $1_input_xevent_type; + @@ -28188,7 +27386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ####################################### -@@ -662,6 +712,99 @@ +@@ -662,6 +708,99 @@ ## is the prefix for user_t). ## ## @@ -28268,8 +27466,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + allow $2 xproperty_t:x_property { write create }; + allow $2 xselection_t:x_selection getattr; + -+# xserver_use($1,$1,$2) -+ xserver_use(xdm,$1,$2) ++# xserver_use($1, $1, $2) ++ xserver_use(xdm, $1, $2) +') + + @@ -28288,7 +27486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## ## ## The prefix of the X client domain (e.g., user -@@ -676,7 +819,7 @@ +@@ -676,7 +815,7 @@ # template(`xserver_common_x_domain_template',` gen_require(` 
@@ -28297,7 +27495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser type xproperty_t, info_xproperty_t, clipboard_xproperty_t; type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; type xevent_t, client_xevent_t; -@@ -685,7 +828,6 @@ +@@ -685,7 +824,6 @@ attribute x_server_domain, x_domain; attribute xproperty_type; attribute xevent_type, xextension_type; @@ -28305,7 +27503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser class x_drawable all_x_drawable_perms; class x_screen all_x_screen_perms; -@@ -709,20 +851,22 @@ +@@ -709,20 +847,22 @@ # Declarations # @@ -28331,7 +27529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ############################## # # Local Policy -@@ -740,7 +884,7 @@ +@@ -740,7 +880,7 @@ allow $3 x_server_domain:x_server getattr; # everyone can do override-redirect windows. # this could be used to spoof labels @@ -28340,7 +27538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # everyone can receive management events on the root window # allows to know when new windows appear, among other things allow $3 manage_xevent_t:x_event receive; -@@ -749,7 +893,7 @@ +@@ -749,7 +889,7 @@ # can read server-owned resources allow $3 x_server_domain:x_resource read; # can mess with own clients @@ -28349,7 +27547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # X Protocol Extensions allow $3 std_xext_t:x_extension { query use }; -@@ -758,27 +902,17 @@ +@@ -758,27 +898,17 @@ # X Properties # can read and write client properties @@ -28382,7 +27580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # X Input # can receive own events -@@ -805,6 +939,12 @@ +@@ -805,6 +935,12 @@ allow $3 manage_xevent_t:x_synthetic_event send; allow $3 client_xevent_t:x_synthetic_event send; 
@@ -28395,7 +27593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # X Selections # can use the clipboard allow $3 clipboard_xselection_t:x_selection { getattr setattr read }; -@@ -813,13 +953,15 @@ +@@ -813,13 +949,15 @@ # Other X Objects # can create and use cursors @@ -28411,11 +27609,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - allow $3 self:x_resource { read write }; + allow $3 $3:x_resource { read write }; + -+ xserver_common_app($1,$3) ++ xserver_common_app($1, $3) tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined($3), -@@ -879,17 +1021,17 @@ +@@ -879,17 +1017,17 @@ # template(`xserver_user_x_domain_template',` gen_require(` @@ -28440,9 +27638,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $3 xdm_t:fd use; -@@ -916,11 +1058,9 @@ +@@ -916,11 +1054,9 @@ # X object manager - xserver_common_x_domain_template($1,$2,$3) + xserver_common_x_domain_template($1, $2, $3) - # Client write xserver shm - tunable_policy(`allow_write_xshm',` @@ -28455,7 +27653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -952,26 +1092,43 @@ +@@ -952,26 +1088,43 @@ # template(`xserver_use_user_fonts',` gen_require(` 
@@ -28469,10 +27667,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + read_files_pattern($2, fonts_home_t, fonts_home_t) # Manipulate the global font cache -- manage_dirs_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t) -- manage_files_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t) -+ manage_dirs_pattern($2,fonts_cache_home_t,fonts_cache_home_t) -+ manage_files_pattern($2,fonts_cache_home_t,fonts_cache_home_t) +- manage_dirs_pattern($2, $1_fonts_cache_t, $1_fonts_cache_t) +- manage_files_pattern($2, $1_fonts_cache_t, $1_fonts_cache_t) ++ manage_dirs_pattern($2, fonts_cache_home_t, fonts_cache_home_t) ++ manage_files_pattern($2, fonts_cache_home_t, fonts_cache_home_t) # Read per user font config - allow $2 $1_fonts_config_t:dir list_dir_perms; @@ -28480,7 +27678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + allow $2 fonts_config_home_t:dir list_dir_perms; + allow $2 fonts_config_home_t:file read_file_perms; - userdom_search_user_home_dirs($1,$2) + userdom_search_user_home_dirs($1, $2) ') ######################################## @@ -28506,7 +27704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -1005,6 +1162,73 @@ +@@ -1005,6 +1158,73 @@ ######################################## ## @@ -28580,7 +27778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -1030,10 +1254,10 @@ +@@ -1030,10 +1250,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -28593,7 +27791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1219,6 +1443,25 @@ +@@ -1219,6 +1439,25 @@ ######################################## ## 
@@ -28611,7 +27809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + ') + + files_search_pids($1) -+ stream_connect_pattern($1,xserver_var_run_t,xserver_var_run_t,xdm_xserver_t) ++ stream_connect_pattern($1, xserver_var_run_t, xserver_var_run_t, xdm_xserver_t) +') + +######################################## @@ -28619,15 +27817,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm-writable configuration files. ## ## -@@ -1273,6 +1516,7 @@ +@@ -1273,6 +1512,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; - create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) + create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) + allow $1 xdm_tmp_t:sock_file unlink; ') ######################################## -@@ -1291,7 +1535,7 @@ +@@ -1291,7 +1531,7 @@ ') files_search_pids($1) @@ -28636,7 +27834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1314,6 +1558,24 @@ +@@ -1314,6 +1554,24 @@ ######################################## ## @@ -28661,7 +27859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Execute the X server in the XDM X server domain. ## ## -@@ -1324,15 +1586,47 @@ +@@ -1324,15 +1582,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` @@ -28671,7 +27869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow $1 xdm_xserver_t:process siginh; + allow xdm_t $1:process sigchld; - domtrans_pattern($1,xserver_exec_t,xdm_xserver_t) + domtrans_pattern($1, xserver_exec_t, xdm_xserver_t) ') ######################################## 
@@ -28710,16 +27908,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1482,7 +1776,7 @@ +@@ -1482,7 +1772,7 @@ type xdm_xserver_tmp_t; ') - allow $1 xdm_xserver_tmp_t:file { getattr read }; -+ read_files_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t) ++ read_files_pattern($1, xdm_xserver_tmp_t, xdm_xserver_tmp_t) ') ######################################## -@@ -1674,6 +1968,65 @@ +@@ -1674,6 +1964,65 @@ ######################################## ## @@ -28785,7 +27983,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1686,8 +2039,90 @@ +@@ -1686,8 +2035,90 @@ # interface(`xserver_unconfined',` gen_require(` @@ -28812,7 +28010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + ') + + files_search_pids($1) -+ exec_files_pattern($1,xserver_var_run_t,xserver_var_run_t) ++ exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t) +') + +######################################## @@ -28831,7 +28029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + ') + + files_search_pids($1) -+ write_files_pattern($1,xserver_var_run_t,xserver_var_run_t) ++ write_files_pattern($1, xserver_var_run_t, xserver_var_run_t) +') + +######################################## 
@@ -28875,12 +28073,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') - typeattribute $1 xserver_unconfined_type; -+ read_files_pattern($1,fonts_home_t,fonts_home_t) -+ read_lnk_files_pattern($1,fonts_home_t,fonts_home_t) ++ read_files_pattern($1, fonts_home_t, fonts_home_t) ++ read_lnk_files_pattern($1, fonts_home_t, fonts_home_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.1/policy/modules/services/xserver.te ---- nsaserefpolicy/policy/modules/services/xserver.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/xserver.te 2008-07-30 08:17:43.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.2/policy/modules/services/xserver.te +--- nsaserefpolicy/policy/modules/services/xserver.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/xserver.te 2008-08-05 12:15:11.000000000 -0400 @@ -8,6 +8,14 @@ ## @@ -28888,7 +28086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +## Allows X clients to read the x devices (keyboard/mouse) +##

+##
-+gen_tunable(allow_read_x_device,true) ++gen_tunable(allow_read_x_device, true) + + +## @@ -28903,7 +28101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +## Allows XServer to execute writable memory +##

+##
-+gen_tunable(allow_xserver_execmem,false) ++gen_tunable(allow_xserver_execmem, false) + +## +##

@@ -28945,19 +28143,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser logging_log_file(xserver_log_t) +type fonts_cache_home_t, fonts_cache_type; -+userdom_user_home_content(user,fonts_cache_home_t) ++userdom_user_home_content(user, fonts_cache_home_t) + +type fonts_home_t, fonts_type; -+userdom_user_home_content(user,fonts_home_t) ++userdom_user_home_content(user, fonts_home_t) + +type fonts_config_home_t, fonts_config_type; -+userdom_user_home_content(user,fonts_config_home_t) ++userdom_user_home_content(user, fonts_config_home_t) + +type iceauth_home_t; -+userdom_user_home_content(user,iceauth_home_t) ++userdom_user_home_content(user, iceauth_home_t) + +type xauth_home_t, xauth_home_type; -+userdom_user_home_content(user,xauth_home_t) ++userdom_user_home_content(user, xauth_home_t) + +type admin_xauth_home_t; +files_type(admin_xauth_home_t) @@ -28966,8 +28164,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +files_tmp_file(xauth_tmp_t) + xserver_common_domain_template(xdm) - xserver_common_x_domain_template(xdm,xdm,xdm_t) - init_system_domain(xdm_xserver_t,xserver_exec_t) + xserver_common_x_domain_template(xdm, xdm, xdm_t) + init_system_domain(xdm_xserver_t, xserver_exec_t) @@ -140,8 +183,9 @@ # XDM Local policy # @@ -28990,18 +28188,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) 
@@ -169,6 +215,8 @@ - manage_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t) - manage_sock_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t) + manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) + manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) -+relabelfrom_dirs_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t) -+relabelfrom_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t) ++relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) ++relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) - manage_dirs_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) - manage_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) + manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) + manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) @@ -176,15 +224,25 @@ - manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) - manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) - fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) + manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) + fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) +fs_rw_tmpfs_files(xdm_xserver_t) +fs_getattr_all_fs(xdm_t) +fs_search_inotifyfs(xdm_t) 
@@ -29009,20 +28207,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + +manage_files_pattern(xdm_t, fonts_home_t, fonts_home_t) - manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) - manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) --files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file) -+manage_sock_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) -+files_var_lib_filetrans(xdm_t,xdm_var_lib_t,{ file dir }) + manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) + manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) +-files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file) ++manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) ++files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir }) +# Read machine-id +files_read_var_lib_files(xdm_t) - manage_dirs_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t) - manage_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t) - manage_fifo_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t) --files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file }) -+manage_sock_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t) -+files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file sock_file }) + manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) + manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) + manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) +-files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file }) ++manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) ++files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file }) allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; 
@@ -29033,7 +28231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +read_files_pattern(xdm_t, xdm_xserver_t, xdm_xserver_t) # connect to xdm xserver over stream socket - stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) + stream_connect_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t, xdm_xserver_t) @@ -229,6 +288,7 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) @@ -29129,7 +28327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +# +userdom_unlink_unpriv_users_home_content_files(xdm_t) - xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t) + xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) @@ -348,10 +422,12 @@ @@ -29206,22 +28404,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dontaudit xdm_xserver_t xdm_var_lib_t:dir search; -allow xdm_xserver_t xdm_var_run_t:file { getattr read }; -+read_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t) ++read_files_pattern(xdm_xserver_t, xdm_var_run_t, xdm_var_run_t) # Label pid and temporary files with derived types. - manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) + manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t) 
@@ -439,6 +547,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) -+manage_dirs_pattern(xdm_xserver_t,xserver_var_lib_t,xserver_var_lib_t) -+manage_files_pattern(xdm_xserver_t,xserver_var_lib_t,xserver_var_lib_t) -+files_var_lib_filetrans(xdm_xserver_t,xserver_var_lib_t,dir) ++manage_dirs_pattern(xdm_xserver_t, xserver_var_lib_t, xserver_var_lib_t) ++manage_files_pattern(xdm_xserver_t, xserver_var_lib_t, xserver_var_lib_t) ++files_var_lib_filetrans(xdm_xserver_t, xserver_var_lib_t, dir) + -+manage_dirs_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t) -+manage_files_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t) -+manage_sock_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t) -+files_pid_filetrans(xdm_xserver_t,xserver_var_run_t,{ dir file }) ++manage_dirs_pattern(xdm_xserver_t, xserver_var_run_t, xserver_var_run_t) ++manage_files_pattern(xdm_xserver_t, xserver_var_run_t, xserver_var_run_t) ++manage_sock_files_pattern(xdm_xserver_t, xdm_var_run_t, xdm_var_run_t) ++files_pid_filetrans(xdm_xserver_t, xserver_var_run_t, { dir file }) + # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) @@ -29247,15 +28445,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) -@@ -468,7 +594,18 @@ +@@ -468,8 +594,19 @@ optional_policy(` dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t) -- hal_dbus_chat(xdm_xserver_t) + + optional_policy(` -+ hal_dbus_chat(xdm_xserver_t) -+ ') + hal_dbus_chat(xdm_xserver_t) + ') +') + +optional_policy(` @@ -29264,10 +28461,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + +optional_policy(` + mono_rw_shm(xdm_xserver_t) - ') ++') optional_policy(` -@@ -481,16 +618,32 @@ + resmgr_stream_connect(xdm_t) +@@ -481,8 +618,25 @@ ') optional_policy(` 
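Review bot: `mono_rw_shm(xdm_xserver_t)` is added in its own `optional_policy` block with no comment saying which mono client needs shared memory with the X server, while the unconfined block in the next hunk explains its rule with `# xserver signals unconfined user on startx`. A one-line why-comment above it, for example `# mono-based clients share shm with the X server -- confirm which app triggered this`, keeps the grant from looking accidental when someone later tightens xserver.te. The `optional_policy` block opened on the hunk's last line continues in the next hunk.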
@@ -29276,18 +28474,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + rpm_dontaudit_rw_shm(xdm_xserver_t) + rpm_rw_tmpfs_files(xdm_xserver_t) +') - -- ifndef(`distro_redhat',` -- allow xdm_xserver_t self:process { execheap execmem }; -- ') ++ +optional_policy(` + unconfined_rw_shm(xdm_xserver_t) + unconfined_execmem_rw_shm(xdm_xserver_t) + unconfined_rw_tmpfs_files(xdm_xserver_t) - -- ifdef(`distro_rhel4',` -- allow xdm_xserver_t self:process { execheap execmem }; -- ') ++ + # xserver signals unconfined user on startx + unconfined_signal(xdm_xserver_t) + unconfined_getpgid(xdm_xserver_t) @@ -29295,19 +28487,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') + + -+tunable_policy(`allow_xserver_execmem', ` ++tunable_policy(`allow_xserver_execmem',` + allow xdm_xserver_t self:process { execheap execmem execstack }; +') -+ -+ifndef(`distro_redhat',` -+ allow xdm_xserver_t self:process { execheap execmem }; -+') -+ -+ifdef(`distro_rhel4',` -+ allow xdm_xserver_t self:process { execheap execmem }; - ') + + ifndef(`distro_redhat',` + allow xdm_xserver_t self:process { execheap execmem }; +@@ -491,7 +645,6 @@ + ifdef(`distro_rhel4',` + allow xdm_xserver_t self:process { execheap execmem }; + ') +-') ######################################## + # @@ -544,3 +697,10 @@ # allow pam_t xdm_t:fifo_file { getattr ioctl write }; 
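Review bot: The `allow_xserver_execmem` tunable grants `execstack` on top of `execheap execmem`, while the `ifndef(`distro_redhat'` and `ifdef(`distro_rhel4'` blocks kept as context right below grant `execheap execmem` unconditionally, so on non-Red Hat builds the boolean only adds execstack and cannot be used to withdraw execmem; a comment such as `# non-Red Hat and RHEL4 builds get execheap/execmem regardless of this boolean` above the tunable would make that explicit, and if execstack is really required the boolean's description should say so. Separately, the inner hunk `@@ -491,7 +645,6 @@` deletes a lone `')` after the rhel4 block; the opener it closed is not visible here (it presumably sits in inner lines between `+618` and `+645` that fall outside this outer hunk), and an unbalanced m4 quote breaks the whole xserver module build, so the balance should be checked against upstream 3.5.2 before applying. The `tunable_policy` block and the two distro blocks are complete within the hunk.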
@@ -29319,18 +28512,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ allow x_domain xdm_xserver_tmpfs_t:file rw_file_perms;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.fc serefpolicy-3.5.1/policy/modules/services/zabbix.fc
---- nsaserefpolicy/policy/modules/services/zabbix.fc 2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/zabbix.fc 2008-07-25 12:35:13.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.fc serefpolicy-3.5.2/policy/modules/services/zabbix.fc
+--- nsaserefpolicy/policy/modules/services/zabbix.fc 2008-08-04 16:39:56.000000000 -0400
++++ serefpolicy-3.5.2/policy/modules/services/zabbix.fc 2008-08-05 12:15:11.000000000 -0400
@@ -3,3 +3,5 @@
/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
/var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0)
+
+/etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.if serefpolicy-3.5.1/policy/modules/services/zabbix.if
---- nsaserefpolicy/policy/modules/services/zabbix.if 2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/zabbix.if 2008-07-25 12:35:13.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.if serefpolicy-3.5.2/policy/modules/services/zabbix.if
+--- nsaserefpolicy/policy/modules/services/zabbix.if 2008-08-04 16:39:56.000000000 -0400
++++ serefpolicy-3.5.2/policy/modules/services/zabbix.if 2008-08-05 15:46:13.000000000 -0400
@@ -79,6 +79,25 @@
########################################
@@ -29349,7 +28542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabb + type zabbix_script_exec_t; + ') + -+ init_script_domtrans_spec($1,zabbix_script_exec_t) ++ init_script_domtrans_spec($1, zabbix_script_exec_t) +') + +######################################## @@ -29364,26 +28557,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabb + type zabbix_script_exec_t; ') - allow $1 zabbix_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, zabbix_t, zabbix_t) - +- allow $1 zabbix_t:process { ptrace signal_perms getattr }; +- read_files_pattern($1, zabbix_t, zabbix_t) ++ allow $1 zabbix_t:process { ptrace signal_perms }; ++ ps_process_pattern($2, zabbix_t) ++ + # Allow zabbix_t to restart the apache service + zabbix_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 zabbix_script_exec_t system_r; + allow $2 system_r; -+ + logging_list_logs($1) - manage_files_pattern($1, zabbix_log_t, zabbix_log_t) -+ manage_all_pattern($1,zabbix_log_t) ++ manage_all_pattern($1, zabbix_log_t) files_list_pids($1) - manage_files_pattern($1, zabbix_var_run_t, zabbix_var_run_t) -+ manage_all_pattern($1,zabbix_var_run_t) ++ manage_all_pattern($1, zabbix_var_run_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.te serefpolicy-3.5.1/policy/modules/services/zabbix.te ---- nsaserefpolicy/policy/modules/services/zabbix.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/zabbix.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.te serefpolicy-3.5.2/policy/modules/services/zabbix.te +--- nsaserefpolicy/policy/modules/services/zabbix.te 2008-08-04 16:39:56.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/services/zabbix.te 2008-08-05 12:15:11.000000000 -0400 
@@ -18,6 +18,9 @@
type zabbix_var_run_t;
files_pid_file(zabbix_var_run_t)
@@ -29394,9 +28589,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabb
########################################
#
# zabbix local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.fc serefpolicy-3.5.1/policy/modules/services/zebra.fc
---- nsaserefpolicy/policy/modules/services/zebra.fc 2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/zebra.fc 2008-07-25 12:35:13.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.fc serefpolicy-3.5.2/policy/modules/services/zebra.fc
+--- nsaserefpolicy/policy/modules/services/zebra.fc 2008-08-04 16:39:56.000000000 -0400
++++ serefpolicy-3.5.2/policy/modules/services/zebra.fc 2008-08-05 12:15:11.000000000 -0400
@@ -14,3 +14,10 @@
/var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0)
/var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0)
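Review bot: `ps_process_pattern($2, zabbix_t)` in zabbix_admin passes the role argument `$2` where the pattern expects the administrating domain; the sibling zebra_admin rewrite in this same patch passes `$1` (`ps_process_pattern($1, zebra_t)`), and since a role identifier is not a type the expanded allow rules should be rejected by checkmodule rather than grant anything, so the line should read `ps_process_pattern($1, zabbix_t)`. The comment above `zabbix_script_domtrans($1)` still says `# Allow zabbix_t to restart the apache service`, which looks copied from another module; `# Allow $1 to run the zabbix init script` describes the rules that follow. zabbix_admin's opening lines and gen_require block are outside the hunk.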
@@ -29408,10 +28603,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr
+/etc/rc.d/init.d/ripd -- gen_context(system_u:object_r:zebra_script_exec_t,s0)
+/etc/rc.d/init.d/ripngd -- gen_context(system_u:object_r:zebra_script_exec_t,s0)
+/etc/rc.d/init.d/zebra -- gen_context(system_u:object_r:zebra_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.5.1/policy/modules/services/zebra.if
---- nsaserefpolicy/policy/modules/services/zebra.if 2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/zebra.if 2008-07-25 12:35:13.000000000 -0400
-@@ -24,6 +24,26 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.5.2/policy/modules/services/zebra.if
+--- nsaserefpolicy/policy/modules/services/zebra.if 2008-08-04 16:39:56.000000000 -0400
++++ serefpolicy-3.5.2/policy/modules/services/zebra.if 2008-08-05 15:47:03.000000000 -0400
+@@ -24,6 +25,26 @@
########################################
##

@@ -29429,7 +28624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr
+ type zebra_script_exec_t;
+ ')
+
-+ init_script_domtrans_spec($1,zebra_script_exec_t)
++ init_script_domtrans_spec($1, zebra_script_exec_t)
+')
+
+
@@ -29438,41 +28633,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr ## All of the rules required to administrate ## an zebra environment ## -@@ -38,20 +58,27 @@ +@@ -38,20 +59,27 @@ gen_require(` type zebra_t, zebra_tmp_t, zebra_log_t; type zebra_conf_t, zebra_var_run_t; + type zebra_script_exec_t; ') - allow $1 zebra_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, zebra_t, zebra_t) - +- allow $1 zebra_t:process { ptrace signal_perms getattr }; +- read_files_pattern($1, zebra_t, zebra_t) ++ allow $1 zebra_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, zebra_t) ++ + # Allow zebra_t to restart the apache service + zebra_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 zebra_script_exec_t system_r; + allow $2 system_r; -+ + files_list_tmp($1) - manage_files_pattern($1, zebra_tmp_t, zebra_tmp_t) -+ manage_all_pattern($1,zebra_tmp_t) ++ manage_all_pattern($1, zebra_tmp_t) logging_list_logs($1) - manage_files_pattern($1, zebra_log_t, zebra_log_t) -+ manage_all_pattern($1,zebra_log_t) ++ manage_all_pattern($1, zebra_log_t) files_list_etc($1) - manage_files_pattern($1, zebra_conf_t, zebra_conf_t) -+ manage_all_pattern($1,zebra_conf_t) ++ manage_all_pattern($1, zebra_conf_t) files_list_pids($1) - manage_files_pattern($1, zebra_var_run_t, zebra_var_run_t) -+ manage_all_pattern($1,zebra_var_run_t) ++ manage_all_pattern($1, zebra_var_run_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.te serefpolicy-3.5.1/policy/modules/services/zebra.te ---- nsaserefpolicy/policy/modules/services/zebra.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/zebra.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.te serefpolicy-3.5.2/policy/modules/services/zebra.te +--- nsaserefpolicy/policy/modules/services/zebra.te 2008-08-04 
16:39:56.000000000 -0400
++++ serefpolicy-3.5.2/policy/modules/services/zebra.te 2008-08-05 12:15:11.000000000 -0400
@@ -30,6 +30,9 @@
type zebra_var_run_t;
files_pid_file(zebra_var_run_t)
@@ -29500,9 +28697,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr
kernel_read_kernel_sysctls(zebra_t)
kernel_rw_net_sysctls(zebra_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.5.1/policy/modules/system/application.te
---- nsaserefpolicy/policy/modules/system/application.te 2008-06-12 23:25:07.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/system/application.te 2008-07-25 12:35:13.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.5.2/policy/modules/system/application.te
+--- nsaserefpolicy/policy/modules/system/application.te 2008-08-04 16:39:57.000000000 -0400
++++ serefpolicy-3.5.2/policy/modules/system/application.te 2008-08-05 12:15:11.000000000 -0400
@@ -7,6 +7,12 @@
# Executables to be run by user
attribute application_exec_type;
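Review bot: The comment `# Allow zebra_t to restart the apache service` above `zebra_script_domtrans($1)` in zebra_admin is a copy-paste leftover; the rules beneath it let `$1` transition into the zebra init-script domain and give role `$2` the `system_r` role for it, so `# Allow $1 to run the zebra init script and enter system_r for it` is what belongs here (the zabbix_admin hunk carries the same stale text). Because `allow $2 system_r;` and `domain_system_change_exemption($1)` widen what the admin role can do well beyond zebra's own files, the comment should also make clear that this is deliberate, e.g. `# needed so the admin role can run the init script as system_r`. zebra_admin's opening lines and gen_require block are outside the hunk.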
@@ -29516,9 +28713,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic optional_policy(` ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.5.1/policy/modules/system/authlogin.fc ---- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/authlogin.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.5.2/policy/modules/system/authlogin.fc +--- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/authlogin.fc 2008-08-05 12:15:11.000000000 -0400 @@ -7,12 +7,10 @@ /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) @@ -29545,9 +28742,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.5.1/policy/modules/system/authlogin.if ---- nsaserefpolicy/policy/modules/system/authlogin.if 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/authlogin.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.5.2/policy/modules/system/authlogin.if +--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/authlogin.if 2008-08-05 12:15:11.000000000 -0400 
@@ -56,10 +56,6 @@ miscfiles_read_localization($1_chkpwd_t) @@ -29599,7 +28796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + manage_dirs_pattern($1, auth_cache_t, auth_cache_t) + manage_files_pattern($1, auth_cache_t, auth_cache_t) + manage_sock_files_pattern($1, auth_cache_t, auth_cache_t) -+ files_var_filetrans($1,auth_cache_t,dir) ++ files_var_filetrans($1, auth_cache_t, dir) + # for SSP/ProPolice dev_read_urand($1) @@ -29699,7 +28896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + ') + + corecmd_search_bin($1) -+ domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t) ++ domtrans_pattern($1, chkpwd_exec_t, system_chkpwd_t) + dontaudit $1 shadow_t:file { getattr read }; + auth_domtrans_upd_passwd($1) ') @@ -29807,9 +29004,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + + manage_files_pattern($1, auth_cache_t, auth_cache_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.5.1/policy/modules/system/authlogin.te ---- nsaserefpolicy/policy/modules/system/authlogin.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/authlogin.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.5.2/policy/modules/system/authlogin.te +--- nsaserefpolicy/policy/modules/system/authlogin.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/authlogin.te 2008-08-05 12:15:11.000000000 -0400 @@ -59,6 +59,9 @@ type utempter_exec_t; application_domain(utempter_t,utempter_exec_t) 
@@ -29825,7 +29022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo role system_r types system_chkpwd_t; +# Read only version of updpwd -+domain_entry_file(system_chkpwd_t,updpwd_exec_t) ++domain_entry_file(system_chkpwd_t, updpwd_exec_t) + ######################################## # @@ -29909,9 +29106,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.5.1/policy/modules/system/fstools.fc ---- nsaserefpolicy/policy/modules/system/fstools.fc 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/fstools.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.5.2/policy/modules/system/fstools.fc +--- nsaserefpolicy/policy/modules/system/fstools.fc 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/fstools.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) 
@@ -29925,9 +29122,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.5.1/policy/modules/system/fstools.if ---- nsaserefpolicy/policy/modules/system/fstools.if 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/fstools.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.5.2/policy/modules/system/fstools.if +--- nsaserefpolicy/policy/modules/system/fstools.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/fstools.if 2008-08-05 12:15:11.000000000 -0400 @@ -142,3 +142,21 @@ allow $1 swapfile_t:file getattr; @@ -29950,9 +29147,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool + + allow $1 fsadm_t:process signal; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.5.1/policy/modules/system/fstools.te ---- nsaserefpolicy/policy/modules/system/fstools.te 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/fstools.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.5.2/policy/modules/system/fstools.te +--- nsaserefpolicy/policy/modules/system/fstools.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/fstools.te 2008-08-05 12:15:11.000000000 -0400 @@ -97,6 +97,10 @@ fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) 
@@ -29974,9 +29171,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool +optional_policy(` + unconfined_domain(fsadm_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.fc serefpolicy-3.5.1/policy/modules/system/getty.fc ---- nsaserefpolicy/policy/modules/system/getty.fc 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/getty.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.fc serefpolicy-3.5.2/policy/modules/system/getty.fc +--- nsaserefpolicy/policy/modules/system/getty.fc 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/getty.fc 2008-08-05 12:15:11.000000000 -0400 @@ -8,5 +8,5 @@ /var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0) @@ -29985,20 +29182,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty. -/var/spool/voice -- gen_context(system_u:object_r:getty_var_run_t,s0) +/var/spool/fax(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0) +/var/spool/voice(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.5.1/policy/modules/system/getty.te ---- nsaserefpolicy/policy/modules/system/getty.te 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/getty.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.5.2/policy/modules/system/getty.te +--- nsaserefpolicy/policy/modules/system/getty.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/getty.te 2008-08-05 12:15:11.000000000 -0400 
@@ -9,6 +9,7 @@ type getty_t; type getty_exec_t; init_domain(getty_t,getty_exec_t) -+init_system_domain(getty_t,getty_exec_t) ++init_system_domain(getty_t, getty_exec_t) domain_interactive_fd(getty_t) type getty_etc_t; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.5.1/policy/modules/system/hostname.te ---- nsaserefpolicy/policy/modules/system/hostname.te 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/hostname.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.5.2/policy/modules/system/hostname.te +--- nsaserefpolicy/policy/modules/system/hostname.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/hostname.te 2008-08-05 12:15:11.000000000 -0400 @@ -8,7 +8,9 @@ type hostname_t; @@ -30010,9 +29207,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna role system_r types hostname_t; ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.5.1/policy/modules/system/hotplug.te ---- nsaserefpolicy/policy/modules/system/hotplug.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/hotplug.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.5.2/policy/modules/system/hotplug.te +--- nsaserefpolicy/policy/modules/system/hotplug.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/hotplug.te 2008-08-05 12:15:11.000000000 -0400 @@ -121,6 +121,7 @@ optional_policy(` # for arping used for static IP addresses on PCMCIA ethernet 
@@ -30021,878 +29218,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu fs_rw_tmpfs_chr_files(hotplug_t) ') files_getattr_generic_locks(hotplug_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/i serefpolicy-3.5.1/policy/modules/system/i ---- nsaserefpolicy/policy/modules/system/i 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/system/i 2008-07-25 12:39:52.000000000 -0400 -@@ -0,0 +1,865 @@ -+ -+policy_module(init, 1.11.1) -+ -+gen_require(` -+ class passwd rootok; -+') -+ -+######################################## -+# -+# Declarations -+# -+ -+## -+##

-+## Enable support for upstart as the init program. -+##

-+##
-+gen_tunable(init_upstart,false) -+ -+## -+##

-+## Allow all daemons the ability to read/write terminals -+##

-+##
-+gen_tunable(allow_daemons_use_tty,false) -+ -+## -+##

-+## Allow all daemons to write corefiles to / -+##

-+##
-+gen_tunable(allow_daemons_dump_core,false) -+ -+# used for direct running of init scripts -+# by admin domains -+attribute direct_run_init; -+attribute direct_init; -+attribute direct_init_entry; -+ -+# Mark process types as daemons -+attribute daemon; -+ -+attribute initscript; -+ -+# -+# init_t is the domain of the init process. -+# -+type init_t; -+type init_exec_t; -+domain_type(init_t) -+domain_entry_file(init_t,init_exec_t) -+kernel_domtrans_to(init_t,init_exec_t) -+role system_r types init_t; -+ -+# -+# init_var_run_t is the type for /var/run/shutdown.pid. -+# -+type init_var_run_t; -+files_pid_file(init_var_run_t) -+ -+# -+# initctl_t is the type of the named pipe created -+# by init during initialization. This pipe is used -+# to communicate with init. -+# -+type initctl_t; -+files_type(initctl_t) -+mls_trusted_object(initctl_t) -+ -+type initrc_t; -+type initrc_exec_t, initscript; -+domain_type(initrc_t) -+domain_entry_file(initrc_t,initrc_exec_t) -+role system_r types initrc_t; -+# should be part of the true block -+# of the below init_upstart tunable -+# but this has a typeattribute in it -+corecmd_shell_entry_type(initrc_t) -+ -+type initrc_devpts_t; -+term_pty(initrc_devpts_t) -+files_type(initrc_devpts_t) -+ -+type initrc_state_t; -+files_type(initrc_state_t) -+ -+type initrc_tmp_t; -+files_tmp_file(initrc_tmp_t) -+ -+type initrc_var_run_t; -+files_pid_file(initrc_var_run_t) -+ -+ifdef(`enable_mls',` -+ kernel_ranged_domtrans_to(init_t,init_exec_t,s0 - mls_systemhigh) -+') -+ -+######################################## -+# -+# Init local policy -+# -+ -+# Use capabilities. old rule: -+allow init_t self:capability ~{ audit_control audit_write sys_module }; -+# is ~sys_module really needed? 
observed: -+# sys_boot -+# sys_tty_config -+# kill: now provided by domain_kill_all_domains() -+# setuid (from /sbin/shutdown) -+# sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot() -+ -+allow init_t self:fifo_file rw_fifo_file_perms; -+ -+# Re-exec itself -+can_exec(init_t,init_exec_t) -+ -+allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms }; -+ -+# For /var/run/shutdown.pid. -+allow init_t init_var_run_t:file manage_file_perms; -+files_pid_filetrans(init_t,init_var_run_t,file) -+ -+allow init_t initctl_t:fifo_file manage_fifo_file_perms; -+dev_filetrans(init_t,initctl_t,fifo_file) -+fs_associate_tmpfs(initctl_t) -+ -+# Modify utmp. -+allow init_t initrc_var_run_t:file { rw_file_perms setattr }; -+ -+kernel_read_system_state(init_t) -+kernel_share_state(init_t) -+ -+fs_list_inotifyfs(init_t) -+ -+corecmd_exec_chroot(init_t) -+corecmd_exec_bin(init_t) -+ -+dev_read_sysfs(init_t) -+ -+domain_kill_all_domains(init_t) -+domain_signal_all_domains(init_t) -+domain_signull_all_domains(init_t) -+domain_sigstop_all_domains(init_t) -+domain_sigstop_all_domains(init_t) -+domain_sigchld_all_domains(init_t) -+ -+files_read_etc_files(init_t) -+files_rw_generic_pids(init_t) -+files_dontaudit_search_isid_type_dirs(init_t) -+files_manage_etc_runtime_files(init_t) -+files_etc_filetrans_etc_runtime(init_t,file) -+# Run /etc/X11/prefdm: -+files_exec_etc_files(init_t) -+# file descriptors inherited from the rootfs: -+files_dontaudit_rw_root_files(init_t) -+files_dontaudit_rw_root_chr_files(init_t) -+ -+# cjp: this may be related to /dev/log -+fs_write_ramfs_sockets(init_t) -+ -+mcs_process_set_categories(init_t) -+mcs_killall(init_t) -+ -+mls_file_read_all_levels(init_t) -+mls_file_write_all_levels(init_t) -+mls_process_write_down(init_t) -+mls_fd_use_all_levels(init_t) -+ -+selinux_set_boolean(init_t) -+ -+term_use_all_terms(init_t) -+ -+# Run init scripts. 
-+init_domtrans_script(init_t) -+ -+libs_use_ld_so(init_t) -+libs_use_shared_libs(init_t) -+libs_rw_ld_so_cache(init_t) -+ -+logging_send_syslog_msg(init_t) -+logging_rw_generic_logs(init_t) -+ -+seutil_read_config(init_t) -+ -+miscfiles_read_localization(init_t) -+ -+allow init_t self:process setsched; -+ -+ifdef(`distro_gentoo',` -+ allow init_t self:process { getcap setcap }; -+') -+ -+ifdef(`distro_redhat',` -+ fs_rw_tmpfs_chr_files(init_t) -+ fs_tmpfs_filetrans(init_t,initctl_t,fifo_file) -+') -+ -+tunable_policy(`init_upstart',` -+ corecmd_shell_domtrans(init_t,initrc_t) -+',` -+ # Run the shell in the sysadm role for single-user mode. -+ # causes problems with upstart -+ sysadm_shell_domtrans(init_t) -+') -+ -+optional_policy(` -+ auth_rw_login_records(init_t) -+') -+ -+optional_policy(` -+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to -+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up -+ # the directory. But we do not want to allow this. -+ # The master process of dovecot will manage this file. 
-+ dovecot_dontaudit_unlink_lib_files(initrc_t) -+') -+ -+optional_policy(` -+ nscd_socket_use(init_t) -+') -+ -+optional_policy(` -+ unconfined_domain(init_t) -+') -+ -+######################################## -+# -+# Init script local policy -+# -+ -+allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; -+allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module }; -+dontaudit initrc_t self:capability sys_module; # sysctl is triggering this -+allow initrc_t self:passwd rootok; -+ -+# Allow IPC with self -+allow initrc_t self:unix_dgram_socket create_socket_perms; -+allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto }; -+allow initrc_t self:tcp_socket create_stream_socket_perms; -+allow initrc_t self:udp_socket create_socket_perms; -+allow initrc_t self:fifo_file rw_file_perms; -+ -+allow initrc_t initrc_devpts_t:chr_file rw_term_perms; -+term_create_pty(initrc_t,initrc_devpts_t) -+ -+init_telinit(initrc_t) -+init_chat(initrc_t) -+ -+can_exec(initrc_t,initscript) -+ -+manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t) -+manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t) -+manage_lnk_files_pattern(initrc_t,initrc_state_t,initrc_state_t) -+manage_fifo_files_pattern(initrc_t,initrc_state_t,initrc_state_t) -+ -+allow initrc_t initrc_var_run_t:file manage_file_perms; -+files_pid_filetrans(initrc_t,initrc_var_run_t,file) -+ -+can_exec(initrc_t,initrc_tmp_t) -+allow initrc_t initrc_tmp_t:file manage_file_perms; -+allow initrc_t initrc_tmp_t:dir manage_dir_perms; -+files_tmp_filetrans(initrc_t,initrc_tmp_t, { file dir }) -+ -+init_write_initctl(initrc_t) -+ -+kernel_read_system_state(initrc_t) -+kernel_read_software_raid_state(initrc_t) -+kernel_read_network_state(initrc_t) -+kernel_read_ring_buffer(initrc_t) -+kernel_change_ring_buffer_level(initrc_t) -+kernel_clear_ring_buffer(initrc_t) 
-+kernel_get_sysvipc_info(initrc_t) -+kernel_read_all_sysctls(initrc_t) -+kernel_rw_all_sysctls(initrc_t) -+# for lsof which is used by alsa shutdown: -+kernel_dontaudit_getattr_message_if(initrc_t) -+ -+files_read_kernel_symbol_table(initrc_t) -+ -+corenet_all_recvfrom_unlabeled(initrc_t) -+corenet_all_recvfrom_netlabel(initrc_t) -+corenet_tcp_sendrecv_all_if(initrc_t) -+corenet_udp_sendrecv_all_if(initrc_t) -+corenet_tcp_sendrecv_all_nodes(initrc_t) -+corenet_udp_sendrecv_all_nodes(initrc_t) -+corenet_tcp_sendrecv_all_ports(initrc_t) -+corenet_udp_sendrecv_all_ports(initrc_t) -+corenet_tcp_connect_all_ports(initrc_t) -+corenet_sendrecv_all_client_packets(initrc_t) -+ -+dev_read_rand(initrc_t) -+dev_read_urand(initrc_t) -+dev_write_rand(initrc_t) -+dev_write_urand(initrc_t) -+dev_rw_sysfs(initrc_t) -+dev_list_usbfs(initrc_t) -+dev_read_framebuffer(initrc_t) -+dev_read_realtime_clock(initrc_t) -+dev_read_sound_mixer(initrc_t) -+dev_write_sound_mixer(initrc_t) -+dev_setattr_all_chr_files(initrc_t) -+dev_rw_lvm_control(initrc_t) -+dev_delete_lvm_control_dev(initrc_t) -+dev_manage_generic_symlinks(initrc_t) -+dev_manage_generic_files(initrc_t) -+# Wants to remove udev.tbl: -+dev_delete_generic_symlinks(initrc_t) -+ -+fs_register_binary_executable_type(initrc_t) -+# rhgb-console writes to ramfs -+fs_write_ramfs_pipes(initrc_t) -+# cjp: not sure why these are here; should use mount policy -+fs_mount_all_fs(initrc_t) -+fs_unmount_all_fs(initrc_t) -+fs_remount_all_fs(initrc_t) -+fs_getattr_all_fs(initrc_t) -+ -+# initrc_t needs to do a pidof which requires ptrace -+mcs_ptrace_all(initrc_t) -+mcs_killall(initrc_t) -+mcs_process_set_categories(initrc_t) -+ -+mls_file_read_all_levels(initrc_t) -+mls_file_write_all_levels(initrc_t) -+mls_process_read_up(initrc_t) -+mls_process_write_down(initrc_t) -+mls_rangetrans_source(initrc_t) -+mls_fd_share_all_levels(initrc_t) -+ -+selinux_get_enforce_mode(initrc_t) -+ -+storage_getattr_fixed_disk_dev(initrc_t) 
-+storage_setattr_fixed_disk_dev(initrc_t) -+storage_setattr_removable_dev(initrc_t) -+ -+term_use_all_terms(initrc_t) -+term_reset_tty_labels(initrc_t) -+ -+auth_rw_login_records(initrc_t) -+auth_setattr_login_records(initrc_t) -+auth_rw_lastlog(initrc_t) -+auth_read_pam_pid(initrc_t) -+auth_delete_pam_pid(initrc_t) -+auth_delete_pam_console_data(initrc_t) -+ -+corecmd_exec_all_executables(initrc_t) -+ -+domain_kill_all_domains(initrc_t) -+domain_signal_all_domains(initrc_t) -+domain_signull_all_domains(initrc_t) -+domain_sigstop_all_domains(initrc_t) -+domain_sigstop_all_domains(initrc_t) -+domain_sigchld_all_domains(initrc_t) -+domain_read_all_domains_state(initrc_t) -+domain_getattr_all_domains(initrc_t) -+domain_dontaudit_ptrace_all_domains(initrc_t) -+domain_getsession_all_domains(initrc_t) -+domain_use_interactive_fds(initrc_t) -+# for lsof which is used by alsa shutdown: -+domain_dontaudit_getattr_all_udp_sockets(initrc_t) -+domain_dontaudit_getattr_all_tcp_sockets(initrc_t) -+domain_dontaudit_getattr_all_dgram_sockets(initrc_t) -+domain_dontaudit_getattr_all_pipes(initrc_t) -+ -+files_getattr_all_dirs(initrc_t) -+files_getattr_all_files(initrc_t) -+files_getattr_all_symlinks(initrc_t) -+files_getattr_all_pipes(initrc_t) -+files_getattr_all_sockets(initrc_t) -+files_purge_tmp(initrc_t) -+files_delete_all_locks(initrc_t) -+files_read_all_pids(initrc_t) -+files_delete_all_pids(initrc_t) -+files_delete_all_pid_dirs(initrc_t) -+files_read_etc_files(initrc_t) -+files_manage_etc_runtime_files(initrc_t) -+files_etc_filetrans_etc_runtime(initrc_t,file) -+files_manage_generic_locks(initrc_t) -+files_exec_etc_files(initrc_t) -+files_read_usr_files(initrc_t) -+files_manage_urandom_seed(initrc_t) -+files_manage_generic_spool(initrc_t) -+# Mount and unmount file systems. 
-+# cjp: not sure why these are here; should use mount policy -+files_list_isid_type_dirs(initrc_t) -+files_mounton_isid_type_dirs(initrc_t) -+files_list_default(initrc_t) -+files_mounton_default(initrc_t) -+ -+auth_use_nsswitch(initrc_t) -+ -+libs_rw_ld_so_cache(initrc_t) -+libs_use_ld_so(initrc_t) -+libs_use_shared_libs(initrc_t) -+libs_exec_lib_files(initrc_t) -+ -+logging_send_syslog_msg(initrc_t) -+logging_manage_generic_logs(initrc_t) -+logging_read_all_logs(initrc_t) -+logging_append_all_logs(initrc_t) -+logging_read_audit_config(initrc_t) -+ -+miscfiles_read_localization(initrc_t) -+# slapd needs to read cert files from its initscript -+miscfiles_read_certs(initrc_t) -+ -+modutils_read_module_config(initrc_t) -+modutils_domtrans_insmod(initrc_t) -+ -+seutil_read_config(initrc_t) -+ -+userdom_read_all_users_home_content_files(initrc_t) -+ -+# Allow access to the sysadm TTYs. Note that this will give access to the -+# TTYs to any process in the initrc_t domain. Therefore, daemons and such -+# started from init should be placed in their own domain. 
-+sysadm_use_terms(initrc_t) -+ -+ifdef(`distro_debian',` -+ dev_setattr_generic_dirs(initrc_t) -+ -+ fs_tmpfs_filetrans(initrc_t,initrc_var_run_t,dir) -+ -+ # for storing state under /dev/shm -+ fs_setattr_tmpfs_dirs(initrc_t) -+ storage_manage_fixed_disk(initrc_t) -+ storage_tmpfs_filetrans_fixed_disk(initrc_t) -+ -+ files_setattr_etc_dirs(initrc_t) -+') -+ -+ifdef(`distro_gentoo',` -+ kernel_dontaudit_getattr_core_if(initrc_t) -+ -+ # seed udev /dev -+ allow initrc_t self:process setfscreate; -+ dev_create_null_dev(initrc_t) -+ dev_create_zero_dev(initrc_t) -+ dev_create_generic_dirs(initrc_t) -+ term_create_console_dev(initrc_t) -+ -+ # unfortunately /sbin/rc does stupid tricks -+ # with /dev/.rcboot to decide if we are in -+ # early init -+ dev_create_generic_dirs(initrc_t) -+ dev_delete_generic_dirs(initrc_t) -+ -+ # needed until baselayout is fixed to have the -+ # restorecon on /dev to again be immediately after -+ # mounting tmpfs on /dev -+ fs_tmpfs_filetrans(initrc_t,initrc_state_t,file) -+ -+ # init scripts touch this -+ clock_dontaudit_write_adjtime(initrc_t) -+ -+ # for integrated run_init to read run_init_type. 
-+ # happens during boot (/sbin/rc execs init scripts) -+ seutil_read_default_contexts(initrc_t) -+ -+ # /lib/rcscripts/net/system.sh rewrites resolv.conf :( -+ sysnet_create_config(initrc_t) -+ sysnet_write_config(initrc_t) -+ sysnet_setattr_config(initrc_t) -+ -+ optional_policy(` -+ arpwatch_manage_data_files(initrc_t) -+ ') -+ -+ optional_policy(` -+ dhcpd_setattr_state_files(initrc_t) -+ ') -+') -+ -+ifdef(`distro_redhat',` -+ # this is from kmodule, which should get its own policy: -+ allow initrc_t self:capability sys_admin; -+ -+ allow initrc_t self:process setfscreate; -+ -+ # Red Hat systems seem to have a stray -+ # fd open from the initrd -+ kernel_dontaudit_use_fds(initrc_t) -+ files_dontaudit_read_root_files(initrc_t) -+ -+ selinux_set_enforce_mode(initrc_t) -+ -+ # These seem to be from the initrd -+ # during device initialization: -+ dev_create_generic_dirs(initrc_t) -+ dev_rwx_zero(initrc_t) -+ dev_rx_raw_memory(initrc_t) -+ dev_wx_raw_memory(initrc_t) -+ storage_raw_read_fixed_disk(initrc_t) -+ storage_raw_write_fixed_disk(initrc_t) -+ -+ files_create_boot_flag(initrc_t) -+ files_rw_boot_symlinks(initrc_t) -+ # wants to read /.fonts directory -+ files_read_default_files(initrc_t) -+ files_mountpoint(initrc_tmp_t) -+ # Needs to cp localtime to /var dirs -+ files_write_var_dirs(initrc_t) -+ -+ fs_rw_tmpfs_chr_files(initrc_t) -+ -+ storage_manage_fixed_disk(initrc_t) -+ storage_dev_filetrans_fixed_disk(initrc_t) -+ storage_getattr_removable_dev(initrc_t) -+ -+ # readahead asks for these -+ auth_dontaudit_read_shadow(initrc_t) -+ -+ # init scripts cp /etc/localtime over other directories localtime -+ miscfiles_rw_localization(initrc_t) -+ miscfiles_setattr_localization(initrc_t) -+ miscfiles_relabel_localization(initrc_t) -+ -+ miscfiles_read_fonts(initrc_t) -+ miscfiles_read_hwdata(initrc_t) -+ -+ optional_policy(` -+ bind_manage_config_dirs(initrc_t) -+ bind_write_config(initrc_t) -+ ') -+ -+ optional_policy(` -+ #for /etc/rc.d/init.d/nfs to create 
/etc/exports -+ rpc_write_exports(initrc_t) -+ ') -+ -+ optional_policy(` -+ sysnet_rw_dhcp_config(initrc_t) -+ ') -+ -+ optional_policy(` -+ xserver_delete_log(initrc_t) -+ ') -+') -+ -+ifdef(`distro_suse',` -+ optional_policy(` -+ # set permissions on /tmp/.X11-unix -+ xserver_setattr_xdm_tmp_dirs(initrc_t) -+ ') -+') -+ -+domain_dontaudit_use_interactive_fds(daemon) -+ -+sysadm_dontaudit_search_home_dirs(daemon) -+ -+tunable_policy(`allow_daemons_use_tty',` -+ term_use_unallocated_ttys(daemon) -+ term_use_generic_ptys(daemon) -+ term_use_all_user_ttys(daemon) -+ term_use_all_user_ptys(daemon) -+', ` -+ term_dontaudit_use_unallocated_ttys(daemon) -+ term_dontaudit_use_generic_ptys(daemon) -+ term_dontaudit_use_all_user_ttys(daemon) -+ term_dontaudit_use_all_user_ptys(daemon) -+ ') -+ -+# system-config-services causes avc messages that should be dontaudited -+tunable_policy(`allow_daemons_dump_core',` -+ files_dump_core(daemon) -+') -+ -+optional_policy(` -+ unconfined_dontaudit_rw_pipes(daemon) -+') -+ -+optional_policy(` -+ amavis_search_lib(initrc_t) -+ amavis_setattr_pid_files(initrc_t) -+') -+ -+optional_policy(` -+ dev_rw_apm_bios(initrc_t) -+') -+ -+optional_policy(` -+ apache_read_config(initrc_t) -+ apache_list_modules(initrc_t) -+') -+ -+optional_policy(` -+ automount_exec_config(initrc_t) -+') -+ -+optional_policy(` -+ bind_read_config(initrc_t) -+ -+ # for chmod in start script -+ bind_setattr_pid_dirs(initrc_t) -+') -+ -+optional_policy(` -+ dev_read_usbfs(initrc_t) -+ bluetooth_read_config(initrc_t) -+') -+ -+optional_policy(` -+ clamav_read_config(initrc_t) -+') -+ -+optional_policy(` -+ cpucontrol_stub(initrc_t) -+ dev_getattr_cpu_dev(initrc_t) -+') -+ -+optional_policy(` -+ dev_getattr_printer_dev(initrc_t) -+ -+ cups_read_log(initrc_t) -+ cups_read_rw_config(initrc_t) -+#cups init script clears error log -+ cups_write_log(initrc_t) -+') -+ -+optional_policy(` -+ daemontools_manage_svc(initrc_t) -+') -+ -+optional_policy(` -+ 
dbus_connect_system_bus(initrc_t) -+ dbus_system_bus_client_template(initrc,initrc_t) -+ dbus_read_config(initrc_t) -+ -+ optional_policy(` -+ consolekit_dbus_chat(initrc_t) -+ ') -+ -+ optional_policy(` -+ networkmanager_dbus_chat(initrc_t) -+ ') -+') -+ -+optional_policy(` -+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to -+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up -+ # the directory. But we do not want to allow this. -+ # The master process of dovecot will manage this file. -+ dovecot_dontaudit_unlink_lib_files(initrc_t) -+') -+ -+optional_policy(` -+ ftp_read_config(initrc_t) -+') -+ -+optional_policy(` -+ gpm_setattr_gpmctl(initrc_t) -+') -+ -+optional_policy(` -+ dev_read_usbfs(initrc_t) -+ -+ # init scripts run /etc/hotplug/usb.rc -+ hotplug_read_config(initrc_t) -+ -+ modutils_read_module_deps(initrc_t) -+') -+ -+optional_policy(` -+ inn_exec_config(initrc_t) -+') -+ -+optional_policy(` -+ ipsec_read_config(initrc_t) -+ ipsec_manage_pid(initrc_t) -+') -+ -+optional_policy(` -+ kerberos_use(initrc_t) -+') -+ -+optional_policy(` -+ ldap_read_config(initrc_t) -+ ldap_list_db(initrc_t) -+') -+ -+optional_policy(` -+ loadkeys_exec(initrc_t) -+') -+ -+optional_policy(` -+ # in emergency/recovery situations use sulogin -+ locallogin_domtrans_sulogin(initrc_t) -+') -+ -+optional_policy(` -+ # This is needed to permit chown to read /var/spool/lpd/lp. -+ # This is opens up security more than necessary; this means that ANYTHING -+ # running in the initrc_t domain can read the printer spool directory. -+ # Perhaps executing /etc/rc.d/init.d/lpd should transition -+ # to domain lpd_t, instead of waiting for executing lpd. 
-+ lpd_list_spool(initrc_t) -+ -+ lpd_read_config(initrc_t) -+') -+ -+optional_policy(` -+ #allow initrc_t lvm_control_t:chr_file unlink; -+ -+ dev_read_lvm_control(initrc_t) -+ dev_create_generic_chr_files(initrc_t) -+ -+ lvm_read_config(initrc_t) -+') -+ -+optional_policy(` -+ mailman_list_data(initrc_t) -+ mailman_read_data_symlinks(initrc_t) -+') -+ -+optional_policy(` -+ mta_read_config(initrc_t) -+ mta_dontaudit_read_spool_symlinks(initrc_t) -+') -+ -+optional_policy(` -+ ifdef(`distro_redhat',` -+ mysql_manage_db_dirs(initrc_t) -+ ') -+ -+ mysql_stream_connect(initrc_t) -+ mysql_write_log(initrc_t) -+') -+ -+optional_policy(` -+ nis_list_var_yp(initrc_t) -+') -+ -+optional_policy(` -+ openvpn_read_config(initrc_t) -+') -+ -+optional_policy(` -+ postgresql_manage_db(initrc_t) -+ postgresql_read_config(initrc_t) -+') -+ -+optional_policy(` -+ postfix_list_spool(initrc_t) -+') -+ -+optional_policy(` -+ quota_manage_flags(initrc_t) -+') -+ -+optional_policy(` -+ raid_manage_mdadm_pid(initrc_t) -+') -+ -+optional_policy(` -+ corecmd_shell_entry_type(initrc_t) -+ fs_write_ramfs_sockets(initrc_t) -+ fs_search_ramfs(initrc_t) -+ -+ rhgb_rw_stream_sockets(initrc_t) -+ rhgb_stream_connect(initrc_t) -+') -+ -+optional_policy(` -+ rpc_read_exports(initrc_t) -+') -+ -+optional_policy(` -+ # bash tries to access a block device in the initrd -+ kernel_dontaudit_getattr_unlabeled_blk_files(initrc_t) -+ -+ # for a bug in rm -+ files_dontaudit_write_all_pids(initrc_t) -+ -+ # bash tries ioctl for some reason -+ files_dontaudit_ioctl_all_pids(initrc_t) -+ -+ # why is this needed: -+ rpm_manage_db(initrc_t) -+ # Allow SELinux aware applications to request rpm_script_t execution -+ rpm_transition_script(initrc_t) -+ -+') -+ -+optional_policy(` -+ samba_rw_config(initrc_t) -+ samba_read_winbind_pid(initrc_t) -+') -+ -+optional_policy(` -+ squid_read_config(initrc_t) -+ squid_manage_logs(initrc_t) -+') -+ -+ifndef(`targeted_policy',` -+ optional_policy(` -+ # allow init scripts to 
su -+ su_restricted_domain_template(initrc,initrc_t,system_r) -+ ') -+') -+ -+optional_policy(` -+ ssh_dontaudit_read_server_keys(initrc_t) -+') -+ -+optional_policy(` -+ sysnet_read_dhcpc_state(initrc_t) -+') -+ -+optional_policy(` -+ udev_rw_db(initrc_t) -+') -+ -+optional_policy(` -+ uml_setattr_util_sockets(initrc_t) -+') -+ -+# Cron jobs used to start and stop services -+optional_policy(` -+ cron_rw_pipes(daemon) -+') -+ -+optional_policy(` -+ unconfined_domain(initrc_t) -+ -+ ifdef(`distro_redhat',` -+ # system-config-services causes avc messages that should be dontaudited -+ unconfined_dontaudit_rw_pipes(daemon) -+ ') -+ -+ optional_policy(` -+ mono_domtrans(initrc_t) -+ ') -+') -+ -+optional_policy(` -+ rpm_dontaudit_rw_pipes(daemon) -+') -+ -+optional_policy(` -+ vmware_read_system_config(initrc_t) -+ vmware_append_system_config(initrc_t) -+') -+ -+optional_policy(` -+ miscfiles_manage_fonts(initrc_t) -+ -+ # cjp: is this really needed? -+ xfs_read_sockets(initrc_t) -+') -+ -+optional_policy(` -+ # Set device ownerships/modes. 
-+ xserver_setattr_console_pipes(initrc_t) -+ -+ # init script wants to check if it needs to update windowmanagerlist -+ xserver_read_xdm_rw_config(initrc_t) -+') -+ -+optional_policy(` -+ zebra_read_config(initrc_t) -+') -+ -+unprivuser_append_home_content_files(daemon) -+unprivuser_write_tmp_files(daemon) -+logging_append_all_logs(daemon) -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.5.1/policy/modules/system/init.fc ---- nsaserefpolicy/policy/modules/system/init.fc 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/init.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.5.2/policy/modules/system/init.fc +--- nsaserefpolicy/policy/modules/system/init.fc 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/init.fc 2008-08-05 12:15:11.000000000 -0400 @@ -4,8 +4,7 @@ /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -30903,9 +29231,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f /etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.5.1/policy/modules/system/init.if ---- nsaserefpolicy/policy/modules/system/init.if 2008-07-16 10:26:25.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/init.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.5.2/policy/modules/system/init.if +--- nsaserefpolicy/policy/modules/system/init.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/init.if 2008-08-05 15:52:15.000000000 -0400 @@ -211,6 +211,19 @@ kernel_dontaudit_use_fds($1) ') 
@@ -30916,7 +29244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + tunable_policy(`allow_daemons_use_tty',` + term_use_all_user_ttys($1) + term_use_all_user_ptys($1) -+ ', ` ++ ',` + term_dontaudit_use_all_user_ttys($1) + term_dontaudit_use_all_user_ptys($1) + ') @@ -30937,7 +29265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i files_list_etc($1) - spec_domtrans_pattern($1,initrc_exec_t,initrc_t) -+ spec_domtrans_pattern($1,initscript,initrc_t) ++ spec_domtrans_pattern($1, initscript, initrc_t) ifdef(`enable_mcs',` - range_transition $1 initrc_exec_t:process s0; @@ -30960,7 +29288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + ') + + files_list_etc($1) -+ domtrans_pattern($1,initscript,initrc_t) ++ domtrans_pattern($1, initscript, initrc_t) + + ifdef(`enable_mcs',` + range_transition $1 initscript:process s0; @@ -30988,7 +29316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i files_list_etc($1) - domtrans_pattern($1,initrc_exec_t,initrc_t) -+ domtrans_pattern($1,$2,initrc_t) ++ domtrans_pattern($1, $2, initrc_t) ifdef(`enable_mcs',` - range_transition $1 initrc_exec_t:process s0; @@ -31031,7 +29359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i files_list_etc($1) - domain_auto_trans($1,initrc_exec_t,$2) -+ domain_auto_trans($1,initscript,$2) ++ domain_auto_trans($1, initscript, $2) ') ######################################## 
@@ -31059,19 +29387,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i files_list_etc($1) - can_exec($1,initrc_exec_t) -+ can_exec($1,initscript) ++ can_exec($1, initscript) ') ######################################## -@@ -941,6 +1002,7 @@ - - dontaudit $1 initrc_t:unix_stream_socket connectto; - ') -+ - ######################################## - ## - ## Send messages to init scripts over dbus. -@@ -1040,11 +1102,11 @@ +@@ -1040,11 +1101,11 @@ # interface(`init_read_script_files',` gen_require(` @@ -31085,7 +29405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1107,6 +1169,25 @@ +@@ -1107,6 +1168,25 @@ ######################################## ## @@ -31103,7 +29423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + ') + + files_search_tmp($1) -+ read_files_pattern($1,initrc_tmp_t,initrc_tmp_t) ++ read_files_pattern($1, initrc_tmp_t, initrc_tmp_t) +') + +######################################## @@ -31111,7 +29431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ## Create files in a init script ## temporary data directory. ## -@@ -1262,7 +1343,7 @@ +@@ -1262,7 +1342,7 @@ type initrc_var_run_t; ') @@ -31120,9 +29440,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1283,3 +1364,113 @@ - files_search_pids($1) - allow $1 initrc_var_run_t:file manage_file_perms; +@@ -1318,3 +1398,113 @@ + ') + corenet_udp_recvfrom_labeled($1, daemon) ') + +######################################## @@ -31182,7 +29502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + ') + + typeattribute $1 initscript; -+ domain_entry_file(initrc_t,$1) ++ domain_entry_file(initrc_t, $1) + +') + 
@@ -31234,9 +29554,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + allow init_t $1:unix_dgram_socket sendto; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.1/policy/modules/system/init.te ---- nsaserefpolicy/policy/modules/system/init.te 2008-07-16 10:33:56.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/init.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.2/policy/modules/system/init.te +--- nsaserefpolicy/policy/modules/system/init.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/init.te 2008-08-05 12:15:11.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) @@ -31246,14 +29566,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t +## Allow all daemons the ability to read/write terminals +##

+## -+gen_tunable(allow_daemons_use_tty,false) ++gen_tunable(allow_daemons_use_tty, false) + +## +##

+## Allow all daemons to write corefiles to / +##

+##
-+gen_tunable(allow_daemons_dump_core,false) ++gen_tunable(allow_daemons_dump_core, false) + # used for direct running of init scripts # by admin domains @@ -31346,7 +29666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t +init_chat(initrc_t) -can_exec(initrc_t,initrc_exec_t) -+can_exec(initrc_t,initscript) ++can_exec(initrc_t, initscript) manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t) manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t) @@ -31372,7 +29692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + term_use_generic_ptys(daemon) + term_use_all_user_ttys(daemon) + term_use_all_user_ptys(daemon) -+', ` ++',` + term_dontaudit_use_unallocated_ttys(daemon) + term_dontaudit_use_generic_ptys(daemon) + term_dontaudit_use_all_user_ttys(daemon) @@ -31425,21 +29745,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -736,9 +790,11 @@ +@@ -736,10 +790,12 @@ squid_manage_logs(initrc_t) ') --optional_policy(` -- # allow init scripts to su -- su_restricted_domain_template(initrc,initrc_t,system_r) +ifndef(`targeted_policy',` -+ optional_policy(` -+ # allow init scripts to su -+ su_restricted_domain_template(initrc,initrc_t,system_r) -+ ') + optional_policy(` + # allow init scripts to su + su_restricted_domain_template(initrc,initrc_t,system_r) ') ++') optional_policy(` + ssh_dontaudit_read_server_keys(initrc_t) @@ -757,6 +813,11 @@ uml_setattr_util_sockets(initrc_t) ') 
@@ -31472,9 +29790,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t +unprivuser_write_tmp_files(daemon) +logging_append_all_logs(daemon) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.5.1/policy/modules/system/ipsec.if ---- nsaserefpolicy/policy/modules/system/ipsec.if 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/ipsec.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.5.2/policy/modules/system/ipsec.if +--- nsaserefpolicy/policy/modules/system/ipsec.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/ipsec.if 2008-08-05 12:15:11.000000000 -0400 @@ -150,6 +150,26 @@ manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t) ') @@ -31496,15 +29814,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. + ') + + files_search_pids($1) -+ write_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t) ++ write_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) +') + ######################################## ## ## Execute racoon in the racoon domain. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.5.1/policy/modules/system/ipsec.te ---- nsaserefpolicy/policy/modules/system/ipsec.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/ipsec.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.5.2/policy/modules/system/ipsec.te +--- nsaserefpolicy/policy/modules/system/ipsec.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/ipsec.te 2008-08-05 12:15:11.000000000 -0400 
@@ -69,8 +69,8 @@ read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t) read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t) @@ -31516,9 +29834,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file }) can_exec(ipsec_t, ipsec_mgmt_exec_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.5.1/policy/modules/system/iptables.te ---- nsaserefpolicy/policy/modules/system/iptables.te 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/iptables.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.5.2/policy/modules/system/iptables.if +--- nsaserefpolicy/policy/modules/system/iptables.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/iptables.if 2008-08-05 12:15:11.000000000 -0400 +@@ -49,6 +49,12 @@ + iptables_domtrans($1) + role $2 types iptables_t; + allow iptables_t $3:chr_file rw_term_perms; ++ ++ sysnet_run_ifconfig(iptables_t, $2, $3) ++ ++ optional_policy(` ++ modutils_run_insmod(iptables_t, $2, $3) ++ ') + ') + + ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.5.2/policy/modules/system/iptables.te +--- nsaserefpolicy/policy/modules/system/iptables.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/iptables.te 2008-08-05 12:15:11.000000000 -0400 @@ -48,6 +48,7 @@ fs_getattr_xattr_fs(iptables_t) 
@@ -31544,9 +29878,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl +optional_policy(` + unconfined_rw_stream_sockets(iptables_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.5.1/policy/modules/system/iscsi.fc ---- nsaserefpolicy/policy/modules/system/iscsi.fc 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/iscsi.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.5.2/policy/modules/system/iscsi.fc +--- nsaserefpolicy/policy/modules/system/iscsi.fc 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/iscsi.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1,5 +1,5 @@ /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) @@ -31555,9 +29889,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. +/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) +/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.5.1/policy/modules/system/iscsi.te ---- nsaserefpolicy/policy/modules/system/iscsi.te 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/iscsi.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.5.2/policy/modules/system/iscsi.te +--- nsaserefpolicy/policy/modules/system/iscsi.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/iscsi.te 2008-08-05 12:15:11.000000000 -0400 @@ -29,7 +29,7 @@ # 
@@ -31575,9 +29909,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. dev_rw_sysfs(iscsid_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.1/policy/modules/system/libraries.fc ---- nsaserefpolicy/policy/modules/system/libraries.fc 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/libraries.fc 2008-08-01 10:49:58.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.2/policy/modules/system/libraries.fc +--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/libraries.fc 2008-08-05 15:54:36.000000000 -0400 @@ -69,8 +69,10 @@ ifdef(`distro_gentoo',` # despite the extensions, they are actually libs @@ -31597,18 +29931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -151,10 +154,6 @@ - /usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - --ifdef(`distro_debian',` --/usr/lib32 -l gen_context(system_u:object_r:lib_t,s0) --') -- - ifdef(`distro_gentoo',` - /usr/lib -l gen_context(system_u:object_r:lib_t,s0) - ') -@@ -169,6 +168,7 @@ +@@ -169,6 +172,7 @@ # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -31616,7 +29939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -187,6 +187,7 @@ +@@ -187,6 +191,7 @@ /usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -31624,7 +29947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -246,7 +247,7 @@ +@@ -246,7 +251,7 @@ # Flash plugin, Macromedia HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -31633,7 +29956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -291,11 +292,15 @@ +@@ -291,11 +296,15 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -31649,7 +29972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -@@ -308,3 +313,13 @@ +@@ -308,3 +317,13 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -31663,9 +29986,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.1/policy/modules/system/libraries.te ---- nsaserefpolicy/policy/modules/system/libraries.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/libraries.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.2/policy/modules/system/libraries.te +--- nsaserefpolicy/policy/modules/system/libraries.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/libraries.te 2008-08-05 12:15:11.000000000 -0400 @@ -23,6 +23,9 @@ init_system_domain(ldconfig_t,ldconfig_exec_t) role system_r types ldconfig_t; 
@@ -31683,10 +30006,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar -allow ldconfig_t self:capability sys_chroot; +allow ldconfig_t self:capability { dac_override sys_chroot }; + -+manage_files_pattern(ldconfig_t,ldconfig_cache_t,ldconfig_cache_t) ++manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) -allow ldconfig_t ld_so_cache_t:file manage_file_perms; -+manage_files_pattern(ldconfig_t,ld_so_cache_t,ld_so_cache_t) ++manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t) files_etc_filetrans(ldconfig_t,ld_so_cache_t,file) manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t) @@ -31732,10 +30055,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +optional_policy(` + unconfined_domain(ldconfig_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.5.1/policy/modules/system/locallogin.te ---- nsaserefpolicy/policy/modules/system/locallogin.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/locallogin.te 2008-07-25 12:35:13.000000000 -0400 -@@ -131,6 +131,7 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.5.2/policy/modules/system/locallogin.te +--- nsaserefpolicy/policy/modules/system/locallogin.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/locallogin.te 2008-08-05 12:15:11.000000000 -0400 +@@ -100,7 +100,6 @@ + + auth_rw_login_records(local_login_t) + auth_rw_faillog(local_login_t) +-auth_manage_pam_pid(local_login_t) + auth_manage_pam_console_data(local_login_t) + auth_domtrans_pam_console(local_login_t) + +@@ -132,6 +131,7 @@ miscfiles_read_localization(local_login_t) 
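Review bot: The new inner hunk `@@ -100,7 +100,6 @@` deletes `auth_manage_pam_pid(local_login_t)` with no explanation, and because a denial on the login path can fail a console login outright in enforcing mode rather than degrade gracefully, the patch should state why the permission is no longer needed (that local_login no longer writes PAM pid files, or that upstream 3.5.2 replaced the interface; I cannot tell which from here) and be checked against a real console login before shipping. Just above it the new side still carries `optional_policy(` `unconfined_domain(ldconfig_t)` `')` with no comment; making the cache-rebuild tool unconfined on every distribution is a notable grant and deserves one line such as `# ldconfig is run by package managers inside chroots; unconfined on targeted policy` adjusted to whatever the real reason is. The ldconfig_t and local_login_t blocks both start outside this hunk.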
@@ -31743,11 +30074,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall userdom_spec_domtrans_all_users(local_login_t) userdom_signal_all_users(local_login_t) userdom_search_all_users_home_content(local_login_t) -@@ -162,6 +163,11 @@ +@@ -163,6 +163,11 @@ fs_read_cifs_symlinks(local_login_t) ') -+tunable_policy(`allow_console_login', ` ++tunable_policy(`allow_console_login',` + term_relabel_console(local_login_t) + term_setattr_console(local_login_t) +') @@ -31755,7 +30086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall optional_policy(` alsa_domtrans(local_login_t) ') -@@ -191,7 +197,7 @@ +@@ -192,7 +197,7 @@ ') optional_policy(` @@ -31764,7 +30095,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall ') optional_policy(` -@@ -240,18 +246,25 @@ +@@ -241,18 +246,25 @@ seutil_read_default_contexts(sulogin_t) auth_read_shadow(sulogin_t) @@ -31773,26 +30104,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall userdom_use_unpriv_users_fds(sulogin_t) -staff_search_home_dirs(sulogin_t) +- +ifdef(`enable_mls',` -+ sysadm_shell_domtrans(sulogin_t) -+', ` + sysadm_shell_domtrans(sulogin_t) ++',` + optional_policy(` + unconfined_shell_domtrans(sulogin_t) + ') +') - --sysadm_shell_domtrans(sulogin_t) ++ sysadm_use_ptys(sulogin_t) sysadm_search_home_dirs(sulogin_t) # suse and debian do not use pam with sulogin... ifdef(`distro_suse', `define(`sulogin_no_pam')') ifdef(`distro_debian', `define(`sulogin_no_pam')') -+ifdef(`distro_redhat', `define(`sulogin_no_pam')') ++ifdef(`distro_redhat',`define(`sulogin_no_pam')') ifdef(`sulogin_no_pam', ` allow sulogin_t self:capability sys_tty_config; -@@ -266,10 +279,4 @@ +@@ -267,10 +279,4 @@ selinux_compute_user_contexts(sulogin_t) ') 
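Review bot: The comment `# suse and debian do not use pam with sulogin...` is now stale, because the `distro_redhat` ifdef line added beneath it also defines `sulogin_no_pam` for Red Hat; change it to `# suse, debian and redhat do not use pam with sulogin...`. That matters beyond wording: the `sulogin_no_pam` branch visible further down grants `allow sulogin_t self:capability sys_tty_config;` and appears to end with `selinux_compute_user_contexts(sulogin_t)`, so the define widens sulogin_t's permissions on Red Hat rather than only changing the login flow. The same hunk sends sulogin_t to `unconfined_shell_domtrans(sulogin_t)` on non-MLS builds and to `sysadm_shell_domtrans(sulogin_t)` only under `enable_mls`; that looks deliberate for the rescue shell, but a one-line comment saying the single-user shell is unconfined on targeted policy would stop the next reader from treating it as a mistake. `sysadm_use_ptys(sulogin_t)` is added with no rationale; if it exists because sulogin can be invoked from an administrator's pty rather than the console, say so in a comment. The sulogin_t block in locallogin.te begins and ends outside this hunk.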
@@ -31803,9 +30134,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall -optional_policy(` - nscd_socket_use(sulogin_t) -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.5.1/policy/modules/system/logging.fc ---- nsaserefpolicy/policy/modules/system/logging.fc 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/logging.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.5.2/policy/modules/system/logging.fc +--- nsaserefpolicy/policy/modules/system/logging.fc 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/logging.fc 2008-08-05 12:15:11.000000000 -0400 @@ -4,6 +4,8 @@ /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) @@ -31850,9 +30181,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0) + +/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.5.1/policy/modules/system/logging.if ---- nsaserefpolicy/policy/modules/system/logging.if 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/logging.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.5.2/policy/modules/system/logging.if +--- nsaserefpolicy/policy/modules/system/logging.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/logging.if 2008-08-05 12:15:11.000000000 -0400 @@ -213,12 +213,7 @@ ## # 
@@ -32002,7 +30333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + type syslogd_script_exec_t; + ') + -+ init_script_domtrans_spec($1,syslogd_script_exec_t) ++ init_script_domtrans_spec($1, syslogd_script_exec_t) +') + +######################################## @@ -32020,7 +30351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + type auditd_script_exec_t; + ') + -+ init_script_domtrans_spec($1,auditd_script_exec_t) ++ init_script_domtrans_spec($1, auditd_script_exec_t) +') + +######################################## @@ -32039,7 +30370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + type audisp_exec_t; + ') + -+ domtrans_pattern($1,audisp_exec_t,audisp_t) ++ domtrans_pattern($1, audisp_exec_t, audisp_t) +') + +######################################## @@ -32083,11 +30414,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + ') + + domain_type($1) -+ domain_entry_file($1,$2) ++ domain_entry_file($1, $2) + + role system_r types $1; + -+ domtrans_pattern(audisp_t,$2,$1) ++ domtrans_pattern(audisp_t, $2, $1) + allow $1 audisp_t:process signal; + + allow audisp_t $2:file getattr; 
@@ -32110,11 +30441,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + ') + + files_search_pids($1) -+ stream_connect_pattern($1,audisp_var_run_t,audisp_var_run_t,audisp_t) ++ stream_connect_pattern($1, audisp_var_run_t, audisp_var_run_t, audisp_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.5.1/policy/modules/system/logging.te ---- nsaserefpolicy/policy/modules/system/logging.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/logging.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.5.2/policy/modules/system/logging.te +--- nsaserefpolicy/policy/modules/system/logging.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/logging.te 2008-08-05 15:56:51.000000000 -0400 @@ -61,10 +61,29 @@ logging_log_file(var_log_t) files_mountpoint(var_log_t) @@ -32127,7 +30458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + ifdef(`enable_mls',` init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh) -+ init_ranged_daemon_domain(syslogd_t,syslogd_exec_t,mls_systemhigh) ++ init_ranged_daemon_domain(syslogd_t, syslogd_exec_t,mls_systemhigh) ') +type audisp_t; @@ -32145,15 +30476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ######################################## # # Auditctl local policy -@@ -84,6 +103,7 @@ - kernel_read_kernel_sysctls(auditctl_t) - kernel_read_proc_symlinks(auditctl_t) - -+ - domain_read_all_domains_state(auditctl_t) - domain_use_interactive_fds(auditctl_t) - -@@ -158,11 +178,13 @@ +@@ -158,11 +177,13 @@ mls_file_read_all_levels(auditd_t) mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory 
@@ -32168,7 +30491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin sysadm_dontaudit_search_home_dirs(auditd_t) ifdef(`distro_ubuntu',` -@@ -172,6 +194,10 @@ +@@ -172,6 +193,10 @@ ') optional_policy(` @@ -32179,7 +30502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin seutil_sigchld_newrole(auditd_t) ') -@@ -209,6 +235,7 @@ +@@ -209,6 +234,7 @@ fs_getattr_all_fs(klogd_t) fs_search_auto_mountpoints(klogd_t) @@ -32187,7 +30510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_use_interactive_fds(klogd_t) -@@ -253,7 +280,6 @@ +@@ -253,7 +279,6 @@ dontaudit syslogd_t self:capability sys_tty_config; # setpgid for metalog allow syslogd_t self:process { signal_perms setpgid }; @@ -32195,16 +30518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -263,7 +289,7 @@ - allow syslogd_t self:tcp_socket create_stream_socket_perms; - - allow syslogd_t syslog_conf_t:file read_file_perms; -- -+ - # Create and bind to /dev/log or /var/run/log. - allow syslogd_t devlog_t:sock_file manage_sock_file_perms; - files_pid_filetrans(syslogd_t,devlog_t,sock_file) -@@ -275,6 +301,9 @@ +@@ -275,6 +300,9 @@ # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; @@ -32214,7 +30528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # manage temporary files manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t) manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t) -@@ -290,12 +319,14 @@ +@@ -290,12 +318,14 @@ manage_files_pattern(syslogd_t,syslogd_var_run_t,syslogd_var_run_t) files_pid_filetrans(syslogd_t,syslogd_var_run_t,file) 
@@ -32229,7 +30543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin dev_filetrans(syslogd_t,devlog_t,sock_file) dev_read_sysfs(syslogd_t) -@@ -328,6 +359,8 @@ +@@ -328,6 +358,8 @@ # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) corenet_tcp_connect_syslogd_port(syslogd_t) @@ -32238,7 +30552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # syslog-ng can send or receive logs corenet_sendrecv_syslogd_client_packets(syslogd_t) -@@ -340,23 +373,23 @@ +@@ -340,19 +372,20 @@ domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) @@ -32261,10 +30575,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin miscfiles_read_localization(syslogd_t) userdom_dontaudit_use_unpriv_user_fds(syslogd_t) -- - sysadm_dontaudit_search_home_dirs(syslogd_t) - - ifdef(`distro_gentoo',` @@ -382,15 +415,11 @@ ') @@ -32351,9 +30661,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + +sysnet_dns_name_resolve(audisp_remote_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.5.1/policy/modules/system/lvm.fc ---- nsaserefpolicy/policy/modules/system/lvm.fc 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/lvm.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.5.2/policy/modules/system/lvm.fc +--- nsaserefpolicy/policy/modules/system/lvm.fc 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/lvm.fc 2008-08-05 12:15:11.000000000 -0400 @@ -55,6 +55,7 @@ /sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) 
@@ -32367,9 +30677,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) +/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.5.1/policy/modules/system/lvm.te ---- nsaserefpolicy/policy/modules/system/lvm.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/lvm.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.5.2/policy/modules/system/lvm.te +--- nsaserefpolicy/policy/modules/system/lvm.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/lvm.te 2008-08-05 12:15:11.000000000 -0400 @@ -13,6 +13,9 @@ type clvmd_var_run_t; files_pid_file(clvmd_var_run_t) 
@@ -32550,20 +30860,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te + xen_append_log(lvm_t) + xen_dontaudit_rw_unix_stream_sockets(lvm_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.5.1/policy/modules/system/miscfiles.fc ---- nsaserefpolicy/policy/modules/system/miscfiles.fc 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/miscfiles.fc 2008-07-25 12:35:13.000000000 -0400 -@@ -11,6 +11,7 @@ - /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) - /etc/localtime -- gen_context(system_u:object_r:locale_t,s0) - /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) -+/etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0) - - # - # /opt -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.5.1/policy/modules/system/modutils.if ---- nsaserefpolicy/policy/modules/system/modutils.if 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/modutils.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.5.2/policy/modules/system/modutils.if +--- nsaserefpolicy/policy/modules/system/modutils.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/modutils.if 2008-08-05 12:15:11.000000000 -0400 @@ -66,6 +66,25 @@ ######################################## 
@@ -32598,9 +30897,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.5.1/policy/modules/system/modutils.te ---- nsaserefpolicy/policy/modules/system/modutils.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/modutils.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.5.2/policy/modules/system/modutils.te +--- nsaserefpolicy/policy/modules/system/modutils.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/modutils.te 2008-08-05 12:15:11.000000000 -0400 @@ -22,6 +22,8 @@ type insmod_exec_t; application_domain(insmod_t,insmod_exec_t) @@ -32660,18 +30959,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti seutil_read_file_contexts(insmod_t) -ifdef(`distro_ubuntu',` -- optional_policy(` -- unconfined_domain(insmod_t) -- ') -+optional_policy(` -+ unconfined_domain(insmod_t) - ') - + optional_policy(` + unconfined_domain(insmod_t) + ') +-') ++ +term_dontaudit_use_unallocated_ttys(insmod_t) +userdom_dontaudit_search_users_home_dirs(insmod_t) +sysadm_dontaudit_search_home_dirs(insmod_t) +fs_dontaudit_use_tmpfs_chr_dev(insmod_t) -+ + if( ! secure_mode_insmod ) { kernel_domtrans_to(insmod_t,insmod_exec_t) } 
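Review bot: On the new side of the modutils.te hunk the inner patch removes the `distro_ubuntu` ifdef and its closing `')` while keeping `optional_policy(` `unconfined_domain(insmod_t)` `')` as context, so the kernel-module loader domain becomes unconfined on every distribution that loads the unconfined module, and the only guard left is `if( ! secure_mode_insmod ) { kernel_domtrans_to(insmod_t,insmod_exec_t) }`, which controls just the kernel_t entry point. Nothing in the hunk says why this is wanted outside Ubuntu or how it is meant to interact with `secure_mode_insmod`; add a comment above the block, e.g. `# insmod_t runs unconfined on targeted policy; secure_mode_insmod only gates the kernel_t -> insmod_t transition`, or, if the hardening boolean is supposed to bite, move the unconfined grant under the same `if( ! secure_mode_insmod )` test. The four dontaudit lines added just below (`term_dontaudit_use_unallocated_ttys`, `userdom_dontaudit_search_users_home_dirs`, `sysadm_dontaudit_search_home_dirs`, `fs_dontaudit_use_tmpfs_chr_dev`) are moot whenever the unconfined module is present, which suggests the two blocks were written under different assumptions. The insmod_t section starts outside this hunk.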
@@ -32741,35 +31038,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ') ################################# -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.5.1/policy/modules/system/mount.fc ---- nsaserefpolicy/policy/modules/system/mount.fc 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/mount.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.5.2/policy/modules/system/mount.fc +--- nsaserefpolicy/policy/modules/system/mount.fc 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/mount.fc 2008-08-05 12:15:11.000000000 -0400 
@@ -1,4 +1,6 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) - --/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) -+/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.5.1/policy/modules/system/mount.if ---- nsaserefpolicy/policy/modules/system/mount.if 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/mount.if 2008-07-25 12:35:13.000000000 -0400 -@@ -48,7 +48,9 @@ - + /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.5.2/policy/modules/system/mount.if +--- nsaserefpolicy/policy/modules/system/mount.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/mount.if 2008-08-05 16:00:04.000000000 -0400 +@@ -49,6 +49,8 @@ mount_domtrans($1) role $2 types mount_t; -- allow mount_t $3:chr_file rw_file_perms; -+ allow mount_t $1:chr_file rw_file_perms; + allow mount_t $3:chr_file rw_file_perms; + #Leaked File Descriptors + dontaudit mount_t $1:unix_stream_socket rw_socket_perms; optional_policy(` samba_run_smbmount($1, $2, $3) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.5.1/policy/modules/system/mount.te ---- nsaserefpolicy/policy/modules/system/mount.te 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/mount.te 2008-07-29 15:15:05.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te 
serefpolicy-3.5.2/policy/modules/system/mount.te +--- nsaserefpolicy/policy/modules/system/mount.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/mount.te 2008-08-05 12:15:11.000000000 -0400 @@ -18,17 +18,18 @@ init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; @@ -32804,7 +31098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. allow mount_t mount_tmp_t:file manage_file_perms; allow mount_t mount_tmp_t:dir manage_dir_perms; -+files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir }) ++files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) can_exec(mount_t, mount_exec_t) @@ -32928,20 +31222,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + hal_rw_pipes(mount_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-3.5.1/policy/modules/system/netlabel.te ---- nsaserefpolicy/policy/modules/system/netlabel.te 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/netlabel.te 2008-07-25 12:35:13.000000000 -0400 -@@ -9,6 +9,7 @@ - type netlabel_mgmt_t; - type netlabel_mgmt_exec_t; - application_domain(netlabel_mgmt_t,netlabel_mgmt_exec_t) -+role system_r types netlabel_mgmt_t; - - ######################################## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.5.1/policy/modules/system/raid.te ---- nsaserefpolicy/policy/modules/system/raid.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/raid.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.5.2/policy/modules/system/raid.te +--- nsaserefpolicy/policy/modules/system/raid.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/raid.te 2008-08-05 12:15:11.000000000 -0400 
@@ -19,7 +19,7 @@ # Local policy # @@ -32959,17 +31242,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t fs_search_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) -@@ -86,3 +87,7 @@ - optional_policy(` - udev_read_db(mdadm_t) - ') -+ -+optional_policy(` -+ unconfined_domain(mdadm_t) -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.5.1/policy/modules/system/selinuxutil.fc ---- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/selinuxutil.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.5.2/policy/modules/system/selinuxutil.fc +--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/selinuxutil.fc 2008-08-05 12:15:11.000000000 -0400 @@ -38,7 +38,7 @@ /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) 
@@ -32988,35 +31263,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +# /var/lib +# +/var/lib/selinux(/.*)? gen_context(system_u:object_r:selinux_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.5.1/policy/modules/system/selinuxutil.if ---- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/selinuxutil.if 2008-07-25 12:35:13.000000000 -0400 -@@ -215,8 +215,6 @@ - seutil_domtrans_newrole($1) - role $2 types newrole_t; - allow newrole_t $3:chr_file rw_term_perms; -- -- auth_run_upd_passwd(newrole_t, $2, $3) - ') - - ######################################## -@@ -430,7 +428,6 @@ - role system_r; - ') - -- auth_run_chk_passwd(run_init_t, $2, $3) - seutil_domtrans_runinit($1) - role $2 types run_init_t; - allow run_init_t $3:chr_file rw_term_perms; -@@ -475,7 +472,6 @@ - role system_r; - ') - -- auth_run_chk_passwd(run_init_t, $2, $3) - seutil_init_script_domtrans_runinit($1) - role $2 types run_init_t; - allow run_init_t $3:chr_file rw_term_perms; -@@ -555,6 +551,59 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.5.2/policy/modules/system/selinuxutil.if +--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/selinuxutil.if 2008-08-05 16:04:30.000000000 -0400 +@@ -555,6 +555,59 @@ ######################################## ## @@ -33035,7 +31285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + + files_search_usr($1) + corecmd_search_bin($1) -+ domtrans_pattern($1,setfiles_exec_t,setfiles_mac_t) ++ domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t) +') + +######################################## 
@@ -33076,7 +31326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Execute setfiles in the caller domain. ## ## -@@ -589,7 +638,7 @@ +@@ -589,7 +642,7 @@ type selinux_config_t; ') @@ -33085,7 +31335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ') ######################################## -@@ -608,7 +657,7 @@ +@@ -608,7 +661,7 @@ type selinux_config_t; ') @@ -33094,15 +31344,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu dontaudit $1 selinux_config_t:file { getattr read }; ') -@@ -700,6 +749,7 @@ +@@ -700,6 +753,7 @@ ') files_search_etc($1) -+ manage_dirs_pattern($1,selinux_config_t,selinux_config_t) ++ manage_dirs_pattern($1, selinux_config_t, selinux_config_t) manage_files_pattern($1,selinux_config_t,selinux_config_t) read_lnk_files_pattern($1,selinux_config_t,selinux_config_t) ') -@@ -809,6 +859,28 @@ +@@ -809,6 +863,28 @@ ######################################## ## @@ -33131,25 +31381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Read and write the file_contexts files. ## ## -@@ -819,7 +891,7 @@ - # - interface(`seutil_rw_file_contexts',` - gen_require(` -- type selinux_config_t, file_context_t, default_context_t; -+ type selinux_config_t, file_context_t; - ') - - files_search_etc($1) -@@ -840,7 +912,7 @@ - # - interface(`seutil_manage_file_contexts',` - gen_require(` -- type selinux_config_t, file_context_t, default_context_t; -+ type selinux_config_t, file_context_t; - ') - - files_search_etc($1) -@@ -999,6 +1071,26 @@ +@@ -999,6 +1075,26 @@ ######################################## ## @@ -33168,7 +31400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + + files_search_usr($1) + corecmd_search_bin($1) -+ domtrans_pattern($1,setsebool_exec_t,setsebool_t) ++ domtrans_pattern($1, setsebool_exec_t, setsebool_t) +') + +######################################## 
@@ -33176,7 +31408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1010,7 +1102,7 @@ +@@ -1010,7 +1106,7 @@ ## ## ## @@ -33185,7 +31417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## ## ## -@@ -1026,14 +1118,45 @@ +@@ -1026,14 +1122,45 @@ ') seutil_domtrans_semanage($1) @@ -33233,7 +31465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Full management of the semanage ## module store. ## -@@ -1145,3 +1268,260 @@ +@@ -1145,3 +1272,260 @@ selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -33277,12 +31509,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + + type $1_setsebool_t; + domain_type($1_setsebool_t) -+ domain_entry_file($1_setsebool_t,setsebool_exec_t) ++ domain_entry_file($1_setsebool_t, setsebool_exec_t) + role $3 types $1_setsebool_t; + + files_search_usr($2) + corecmd_search_bin($2) -+ domtrans_pattern($2,setsebool_exec_t,$1_setsebool_t) ++ domtrans_pattern($2, setsebool_exec_t, $1_setsebool_t) + seutil_semanage_policy($1_setsebool_t) + + # Need to define per type booleans @@ -33477,7 +31709,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + fs_rw_tmpfs_chr_files($1) +') + -+ifdef(`distro_redhat', ` ++ifdef(`distro_redhat',` + fs_rw_tmpfs_chr_files($1) + fs_rw_tmpfs_blk_files($1) + fs_relabel_tmpfs_blk_file($1) 
@@ -33494,9 +31726,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + hotplug_use_fds($1) +') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.5.1/policy/modules/system/selinuxutil.te ---- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/selinuxutil.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.5.2/policy/modules/system/selinuxutil.te +--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/selinuxutil.te 2008-08-05 12:15:11.000000000 -0400 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -33532,7 +31764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +type setfiles_mac_t; +domain_type(setfiles_mac_t) -+domain_entry_file(setfiles_mac_t,setfiles_exec_t) ++domain_entry_file(setfiles_mac_t, setfiles_exec_t) +domain_obj_id_change_exemption(setfiles_mac_t) + ######################################## @@ -33622,15 +31854,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu - -kernel_read_system_state(semanage_t) -kernel_read_kernel_sysctls(semanage_t) -- --corecmd_exec_bin(semanage_t) +seutil_semanage_policy(semanage_t) +allow semanage_t self:fifo_file rw_fifo_file_perms; --dev_read_urand(semanage_t) +-corecmd_exec_bin(semanage_t) +manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) +manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) +-dev_read_urand(semanage_t) +- -domain_use_interactive_fds(semanage_t) - -files_read_etc_files(semanage_t) 
@@ -33655,11 +31887,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu - -libs_use_ld_so(semanage_t) -libs_use_shared_libs(semanage_t) -- --locallogin_use_fds(semanage_t) +# Admins are creating pp files in random locations +auth_read_all_files_except_shadow(semanage_t) +-locallogin_use_fds(semanage_t) +- -logging_send_syslog_msg(semanage_t) - -miscfiles_read_localization(semanage_t) 
@@ -33799,57 +32031,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu - # /dev/console has the tmpfs type - fs_rw_tmpfs_chr_files(setfiles_t) -') -- --ifdef(`distro_redhat', ` -- fs_rw_tmpfs_chr_files(setfiles_t) -- fs_rw_tmpfs_blk_files(setfiles_t) -- fs_relabel_tmpfs_blk_file(setfiles_t) -- fs_relabel_tmpfs_chr_file(setfiles_t) --') +# Bug in semanage +seutil_domtrans_setfiles(setsebool_t) +seutil_manage_file_contexts(setsebool_t) +seutil_manage_default_contexts(setsebool_t) +seutil_manage_config(setsebool_t) --ifdef(`distro_ubuntu',` -- optional_policy(` -- unconfined_domain(setfiles_t) -- ') +-ifdef(`distro_redhat', ` +- fs_rw_tmpfs_chr_files(setfiles_t) +- fs_rw_tmpfs_blk_files(setfiles_t) +- fs_relabel_tmpfs_blk_file(setfiles_t) +- fs_relabel_tmpfs_chr_file(setfiles_t) -') +######################################## +# +# Setfiles local policy +# --ifdef(`hide_broken_symptoms',` +-ifdef(`distro_ubuntu',` - optional_policy(` -- udev_dontaudit_rw_dgram_sockets(setfiles_t) +- unconfined_domain(setfiles_t) - ') +-') +seutil_setfiles(setfiles_t) +# During boot in Rawhide +term_use_generic_ptys(setfiles_t) +-ifdef(`hide_broken_symptoms',` + optional_policy(` +- udev_dontaudit_rw_dgram_sockets(setfiles_t) ++ cron_system_entry(setfiles_t, setfiles_exec_t) + ') + - # cjp: cover up stray file descriptors. 
- optional_policy(` - unconfined_dontaudit_read_pipes(setfiles_t) - unconfined_dontaudit_rw_tcp_sockets(setfiles_t) - ') -+optional_policy(` -+ cron_system_entry(setfiles_t, setfiles_exec_t) - ') - +-') +seutil_setfiles(setfiles_mac_t) +allow setfiles_mac_t self:capability2 mac_admin; +kernel_relabelto_unlabeled(setfiles_mac_t) -+ + optional_policy(` - hotplug_use_fds(setfiles_t) + unconfined_domain(setfiles_mac_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.5.1/policy/modules/system/setrans.if ---- nsaserefpolicy/policy/modules/system/setrans.if 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/setrans.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.5.2/policy/modules/system/setrans.if +--- nsaserefpolicy/policy/modules/system/setrans.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/setrans.if 2008-08-05 12:15:11.000000000 -0400 @@ -13,7 +13,6 @@ interface(`setrans_translate_context',` gen_require(` @@ -33858,9 +32088,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setran ') allow $1 self:unix_stream_socket create_stream_socket_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-3.5.1/policy/modules/system/setrans.te ---- nsaserefpolicy/policy/modules/system/setrans.te 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/setrans.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-3.5.2/policy/modules/system/setrans.te +--- nsaserefpolicy/policy/modules/system/setrans.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/setrans.te 2008-08-05 12:15:11.000000000 -0400 
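Review bot: The four `seutil_*` grants to setsebool_t (domain transition to setfiles plus manage of file_contexts, default_contexts and the selinux config) are justified only by `# Bug in semanage`, which names neither the defect nor when the workaround can be retired, although they let a boolean-toggling tool rewrite the policy configuration; a comment such as `# Workaround: setsebool goes through libsemanage and rewrites file_contexts/default_contexts/config (<bug tracker id>); drop once fixed` would make the grant reviewable. Further down, setfiles_mac_t receives `self:capability2 mac_admin`, `kernel_relabelto_unlabeled` and, inside optional_policy, `unconfined_domain(setfiles_mac_t)`, and a one-line comment on why a relabelling domain needs to be fully unconfined rather than just mac_admin would help the next reader. Both blocks look carried over from the previous revision; this hunk mostly reorders them around the rebased upstream lines.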
@@ -28,7 +28,7 @@ # @@ -33878,18 +32108,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setran selinux_compute_access_vector(setrans_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.5.1/policy/modules/system/sysnetwork.fc ---- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/sysnetwork.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.5.2/policy/modules/system/sysnetwork.fc +--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/sysnetwork.fc 2008-08-05 12:15:11.000000000 -0400 @@ -57,3 +57,5 @@ ifdef(`distro_gentoo',` /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) ') + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.5.1/policy/modules/system/sysnetwork.if ---- nsaserefpolicy/policy/modules/system/sysnetwork.if 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/sysnetwork.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.5.2/policy/modules/system/sysnetwork.if +--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/sysnetwork.if 2008-08-05 12:15:11.000000000 -0400 @@ -553,6 +553,7 @@ type net_conf_t; ') 
@@ -33968,9 +32198,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet + + role_transition $1 dhcpc_exec_t system_r; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.1/policy/modules/system/sysnetwork.te ---- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/sysnetwork.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.2/policy/modules/system/sysnetwork.te +--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/sysnetwork.te 2008-08-05 12:15:11.000000000 -0400 @@ -20,6 +20,10 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t) role system_r types dhcpc_t; @@ -34114,15 +32344,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet domain_use_interactive_fds(ifconfig_t) -@@ -308,7 +321,7 @@ - unconfined_domain(ifconfig_t) - ') - ') -- -+ - ifdef(`hide_broken_symptoms',` - optional_policy(` - dev_dontaudit_rw_cardmgr(ifconfig_t) @@ -324,6 +337,10 @@ ') @@ -34149,163 +32370,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet kernel_read_xen_state(ifconfig_t) kernel_write_xen_state(ifconfig_t) xen_append_log(ifconfig_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/t serefpolicy-3.5.1/policy/modules/system/t ---- nsaserefpolicy/policy/modules/system/t 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.1/policy/modules/system/t 2008-07-25 12:37:38.000000000 -0400 -@@ -0,0 +1,150 @@ -+ -+policy_module(userdomain, 3.1.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+## -+##

-+## Allow users to connect to PostgreSQL -+##

-+##
-+ -+gen_tunable(allow_user_postgresql_connect,false) -+ -+## -+##

-+## Allow regular users direct mouse access -+##

-+##
-+ -+gen_tunable(user_direct_mouse,false) -+ -+## -+##

-+## Allow user to r/w files on filesystems -+## that do not have extended attributes (FAT, CDROM, FLOPPY) -+##

-+##
-+ -+gen_tunable(user_rw_noexattrfile,false) -+ -+## -+##

-+## Allow w to display everyone -+##

-+##
-+ -+gen_tunable(user_ttyfile_stat,false) -+ -+# admin users terminals (tty and pty) -+attribute admin_terminal; -+ -+# users home directory -+attribute home_dir_type; -+ -+# users home directory contents -+attribute home_type; -+ -+# Executables to be run by user -+attribute user_exec_type; -+ -+# File types owned by users -+attribute user_file_type; -+ -+# The privhome attribute identifies every domain that can create files under -+# regular user home directories in the regular context (IE act on behalf of -+# a user in writing regular files) -+attribute privhome; -+ -+# all unprivileged users home directories -+attribute user_home_dir_type; -+attribute user_home_type; -+ -+# all unprivileged users ptys -+attribute user_ptynode; -+ -+# all unprivileged users tmp files -+attribute user_tmpfile; -+ -+# all unprivileged users ttys -+attribute user_ttynode; -+ -+# all user domains -+attribute userdomain; -+ -+# unprivileged user domains -+attribute unpriv_userdomain; -+attribute unpriv_process; -+ -+attribute untrusted_content_type; -+attribute untrusted_content_tmp_type; -+ -+type admin_home_t, home_type; -+files_type(admin_home_t) -+files_associate_tmp(admin_home_t) -+fs_associate_tmpfs(admin_home_t) -+files_mountpoint(admin_home_t) -+ -+type user_home_t, user_file_type, user_home_type, home_type; -+files_type(user_home_t) -+files_associate_tmp(user_home_t) -+fs_associate_tmpfs(user_home_t) -+files_mountpoint(user_home_t) -+files_poly_parent(user_home_t) -+files_poly_member(user_home_t) -+ -+# type of home directory -+type user_home_dir_t, home_dir_type, user_home_dir_type, home_type; -+files_type(user_home_dir_t) -+files_mountpoint(user_home_dir_t) -+files_associate_tmp(user_home_dir_t) -+fs_associate_tmpfs(user_home_dir_t) -+files_poly(user_home_dir_t) -+files_poly_member(user_home_dir_t) -+files_poly_parent(user_home_dir_t) -+ -+type user_tmp_t, user_file_type, user_tmpfile; -+files_tmp_file(user_tmp_t) -+ -+############################## -+# -+# User home 
directory file rules -+# -+ -+allow user_file_type user_home_t:filesystem associate; -+ -+# Rules used to associate a homedir as a mountpoint -+allow user_home_t self:filesystem associate; -+ -+tunable_policy(`allow_console_login', ` -+ term_use_console(userdomain) -+') -+ -+# Allow unpriv users to read system state of unpriv processes -+read_files_pattern(unpriv_userdomain, unpriv_process, unpriv_process) -+read_lnk_files_pattern(unpriv_userdomain, unpriv_process, unpriv_process) -+allow unpriv_userdomain unpriv_process:process getattr; -+dontaudit unpriv_userdomain unpriv_process:process ptrace; -+ -+ -+ -+tunable_policy(`use_nfs_home_dirs',` -+ manage_dirs_pattern(privhome, nfs_t, nfs_t) -+ manage_files_pattern(privhome, nfs_t, nfs_t) -+ manage_lnk_files_pattern(privhome, nfs_t, nfs_t) -+ manage_sock_files_pattern(privhome, nfs_t, nfs_t) -+ manage_fifo_files_pattern(privhome, nfs_t, nfs_t) -+') -+ -+ -+tunable_policy(`use_samba_home_dirs',` -+ manage_dirs_pattern(privhome, cifs_t, cifs_t) -+ manage_files_pattern(privhome, cifs_t, cifs_t) -+ manage_lnk_files_pattern(privhome, cifs_t, cifs_t) -+ manage_sock_files_pattern(privhome, cifs_t, cifs_t) -+ manage_fifo_files_pattern(privhome, cifs_t, cifs_t) -+') -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.5.1/policy/modules/system/udev.if ---- nsaserefpolicy/policy/modules/system/udev.if 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/udev.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.5.2/policy/modules/system/udev.if +--- nsaserefpolicy/policy/modules/system/udev.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/udev.if 2008-08-05 12:15:11.000000000 -0400 @@ -96,6 +96,24 @@ ######################################## 
@@ -34359,9 +32426,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i - allow $1 udev_tdb_t:file rw_file_perms; + allow $1 udev_tbl_t:file rw_file_perms; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.5.1/policy/modules/system/udev.te ---- nsaserefpolicy/policy/modules/system/udev.te 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/udev.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.5.2/policy/modules/system/udev.te +--- nsaserefpolicy/policy/modules/system/udev.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/udev.te 2008-08-05 12:15:11.000000000 -0400 @@ -83,6 +83,7 @@ kernel_rw_unix_dgram_sockets(udev_t) kernel_dgram_send(udev_t) @@ -34417,10 +32484,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t +optional_policy(` xserver_read_xdm_pid(udev_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.1/policy/modules/system/unconfined.fc ---- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-07-16 10:26:23.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/unconfined.fc 2008-07-25 12:35:13.000000000 -0400 -@@ -2,15 +2,28 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.2/policy/modules/system/unconfined.fc +--- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/unconfined.fc 2008-08-05 12:15:11.000000000 -0400 +@@ -2,15 +2,11 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t 
@@ -34437,6 +32504,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ifdef(`distro_gentoo',` /usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ') +@@ -14,3 +10,20 @@ + ifdef(`distro_gentoo',` + /usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) + ') +/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) + @@ -34454,9 +32525,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) + +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.1/policy/modules/system/unconfined.if ---- nsaserefpolicy/policy/modules/system/unconfined.if 2008-07-16 10:26:23.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/unconfined.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.2/policy/modules/system/unconfined.if +--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/unconfined.if 2008-08-05 12:15:11.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -34491,12 +32562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf kernel_unconfined($1) corenet_unconfined($1) -@@ -40,10 +40,16 @@ - domain_unconfined($1) - domain_dontaudit_read_all_domains_state($1) - domain_dontaudit_ptrace_all_domains($1) -+ - files_unconfined($1) +@@ -44,6 +44,11 @@ fs_unconfined($1) selinux_unconfined($1) 
@@ -34508,7 +32574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf tunable_policy(`allow_execheap',` # Allow making the stack executable via mprotect. allow $1 self:process execheap; -@@ -70,6 +76,7 @@ +@@ -70,6 +75,7 @@ optional_policy(` # Communicate via dbusd. dbus_system_bus_unconfined($1) @@ -34516,7 +32582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -380,6 +387,24 @@ +@@ -380,6 +386,24 @@ ######################################## ## @@ -34541,20 +32607,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ## Send generic signals to the unconfined domain. ## ## -@@ -597,7 +622,7 @@ +@@ -597,7 +621,120 @@ ######################################## ## -## Read files in unconfined users home directories. +## Allow ptrace of unconfined domain - ## - ## - ## -@@ -605,20 +630,53 @@ - ## - ## - # --interface(`unconfined_read_home_content_files',` ++##
++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`unconfined_ptrace',` + gen_require(` + type unconfined_t; @@ -34592,37 +32657,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +## +# +interface(`unconfined_execmem_rw_shm',` - gen_require(` -- type unconfined_home_dir_t, unconfined_home_t; ++ gen_require(` + type unconfined_execmem_t; - ') - -- files_search_home($1) -- allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms; -- read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) -- read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) ++ ') ++ + allow $1 unconfined_execmem_t:shm rw_shm_perms; - ') - - ######################################## - ## --## Read unconfined users temporary files. ++') ++ ++######################################## ++## +## Transition to the unconfined_execmem domain. - ## - ## - ## -@@ -626,20 +684,58 @@ - ## - ## - # --interface(`unconfined_read_tmp_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`unconfined_execmem_domtrans',` + + gen_require(` + type unconfined_execmem_t, unconfined_execmem_exec_t; + ') + -+ domtrans_pattern($1,unconfined_execmem_exec_t,unconfined_execmem_t) ++ domtrans_pattern($1, unconfined_execmem_exec_t, unconfined_execmem_t) +') + +######################################## 
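Review bot: The `unconfined_ptrace` interface is documented only as `## Allow ptrace of unconfined domain`, which understates what is granted: a domain that can ptrace unconfined_t can read and rewrite the memory of an unconfined process, so the caller is effectively trusted at unconfined level. The summary should say so, e.g. `## Allow the caller to ptrace unconfined_t. This is equivalent to trusting the caller with everything unconfined_t can do; intended for debugging and diagnostic domains only.` The allow rule of this interface lies outside the hunk, so its exact permission set is not visible here.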
@@ -34636,23 +32694,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +## +# +interface(`unconfined_use_terminals',` - gen_require(` -- type unconfined_tmp_t; ++ gen_require(` + type unconfined_devpts_t; + type unconfined_tty_device_t; - ') - -- files_search_tmp($1) -- allow $1 unconfined_tmp_t:dir list_dir_perms; -- read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) -- read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) ++ ') ++ + allow $1 unconfined_tty_device_t:chr_file rw_term_perms; + allow $1 unconfined_devpts_t:chr_file rw_term_perms; - ') - - ######################################## - ## --## Write unconfined users temporary files. ++') ++ ++######################################## ++## +## Do not audit attempts to use unconfined ttys and ptys. +## +## 
@@ -34677,44 +32729,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ## ## ## -@@ -647,10 +743,143 @@ +@@ -605,20 +742,18 @@ ## ## # --interface(`unconfined_write_tmp_files',` +-interface(`unconfined_read_home_content_files',` +interface(`unconfined_set_rlimitnh',` gen_require(` -- type unconfined_tmp_t; +- type unconfined_home_dir_t, unconfined_home_t; + type unconfined_t; ') -- allow $1 unconfined_tmp_t:file { getattr write append }; +- files_search_home($1) +- allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms; +- read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) +- read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) + allow $1 unconfined_t:process rlimitinh; ') -+ -+######################################## -+## + + ######################################## + ## +-## Read unconfined users temporary files. +## Allow the specified domain to read/write to +## unconfined with a unix domain stream sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -626,31 +761,124 @@ + ## + ## + # +-interface(`unconfined_read_tmp_files',` +interface(`unconfined_rw_stream_sockets',` -+ gen_require(` + gen_require(` +- type unconfined_tmp_t; + type unconfined_t; -+ ') -+ + ') + +- files_search_tmp($1) +- allow $1 unconfined_tmp_t:dir list_dir_perms; +- read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) +- read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) + allow $1 unconfined_t:unix_stream_socket { read write }; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Write unconfined users temporary files. +## Read/write unconfined tmpfs files. -+## + ## +## +##

+## Read/write unconfined tmpfs files. @@ -34733,8 +32796,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + + fs_search_tmpfs($1) + allow $1 unconfined_tmpfs_t:dir list_dir_perms; -+ rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t) -+ read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t) ++ rw_files_pattern($1, unconfined_tmpfs_t, unconfined_tmpfs_t) ++ read_lnk_files_pattern($1, unconfined_tmpfs_t, unconfined_tmpfs_t) +') + +######################################## @@ -34746,22 +32809,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +## Read/write unconfined tmpfs files. +##

+##
-+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## Domain allowed access. + ## + ## + # +-interface(`unconfined_write_tmp_files',` +interface(`unconfined_delete_tmpfs_files',` -+ gen_require(` + gen_require(` +- type unconfined_tmp_t; + type unconfined_tmpfs_t; -+ ') -+ + ') + +- allow $1 unconfined_tmp_t:file { getattr write append }; + fs_search_tmpfs($1) + allow $1 unconfined_tmpfs_t:dir list_dir_perms; -+ delete_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t) -+ read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t) -+') ++ delete_files_pattern($1, unconfined_tmpfs_t, unconfined_tmpfs_t) ++ read_lnk_files_pattern($1, unconfined_tmpfs_t, unconfined_tmpfs_t) + ') + +######################################## +## @@ -34824,9 +32890,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + userdom_role_change_template(unconfined, $1) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.1/policy/modules/system/unconfined.te ---- nsaserefpolicy/policy/modules/system/unconfined.te 2008-07-16 10:26:23.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/unconfined.te 2008-07-29 16:49:54.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.2/policy/modules/system/unconfined.te +--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/unconfined.te 2008-08-05 12:15:11.000000000 -0400 @@ -6,35 +6,75 @@ # Declarations # @@ -34836,21 +32902,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +## Transition to confined nsplugin domains from unconfined user +##

+## -+gen_tunable(allow_unconfined_nsplugin_transition,false) ++gen_tunable(allow_unconfined_nsplugin_transition, false) + +## +##

+## Allow unconfined domain to map low memory in the kernel +##

+##
-+gen_tunable(allow_unconfined_mmap_low,false) ++gen_tunable(allow_unconfined_mmap_low, false) + +## +##

+## Transition to confined qemu domains from unconfined user +##

+##
-+gen_tunable(allow_unconfined_qemu_transition,false) ++gen_tunable(allow_unconfined_qemu_transition, false) + # usage in this module of types created by these # calls is not correct, however we dont currently @@ -34925,7 +32991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +optional_policy(` + nsplugin_per_role_template_notrans(unconfined, unconfined_t, unconfined_r) -+ tunable_policy(`allow_unconfined_nsplugin_transition', ` ++ tunable_policy(`allow_unconfined_nsplugin_transition',` + nsplugin_domtrans_user(unconfined, unconfined_t) + nsplugin_domtrans_user_config(unconfined, unconfined_t) + ') 
@@ -34962,64 +33028,67 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf init_dbus_chat_script(unconfined_t) dbus_stub(unconfined_t) -@@ -106,12 +149,24 @@ +@@ -106,48 +149,48 @@ ') optional_policy(` +- networkmanager_dbus_chat(unconfined_t) + gnomeclock_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` -+ kerneloops_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` - networkmanager_dbus_chat(unconfined_t) ') optional_policy(` - oddjob_dbus_chat(unconfined_t) - ') -+ -+ optional_policy(` -+ vpnc_dbus_chat(unconfined_t) -+ ') +- oddjob_dbus_chat(unconfined_t) +- ') ++ kerneloops_dbus_chat(unconfined_t) + ') + + optional_policy(` +- firstboot_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ networkmanager_dbus_chat(unconfined_t) ') optional_policy(` -@@ -123,11 +178,11 @@ +- ftp_run_ftpdctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ oddjob_dbus_chat(unconfined_t) ') optional_policy(` - inn_domtrans(unconfined_t) -+ iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ vpnc_dbus_chat(unconfined_t) ++ ') ') optional_policy(` - java_domtrans(unconfined_t) -+ livecd_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ firstboot_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` -@@ -139,18 +194,6 @@ +- lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ ftp_run_ftpdctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + ') + + optional_policy(` +- modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` - mono_domtrans(unconfined_t) --') -- --optional_policy(` ++ livecd_run(unconfined_t, unconfined_r, { 
unconfined_devpts_t unconfined_tty_device_t }) + ') + + optional_policy(` - mta_per_role_template(unconfined, unconfined_t, unconfined_r) --') -- --optional_policy(` ++ lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + ') + + optional_policy(` - oddjob_domtrans_mkhomedir(unconfined_t) --') -- --optional_policy(` - prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') + optional_policy(` @@ -159,38 +202,46 @@ ') @@ -35027,16 +33096,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - # cjp: this should probably be removed: - postfix_domtrans_master(unconfined_t) --') ++ tunable_policy(`allow_unconfined_qemu_transition',` ++ qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ ',` ++ qemu_runas_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + ') - - -optional_policy(` - pyzor_per_role_template(unconfined) -+ tunable_policy(`allow_unconfined_qemu_transition', ` -+ qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ ', ` -+ qemu_runas_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ ') + qemu_role(unconfined_r) + qemu_unconfined_role(unconfined_r) ') 
@@ -35096,21 +33164,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf optional_policy(` - webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++') ++ ++optional_policy(` ++ java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` - wine_domtrans(unconfined_t) -+ java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ mono_per_role_template(unconfined, unconfined_t, unconfined_r) ++ unconfined_domain(unconfined_mono_t) ++ role system_r types unconfined_mono_t; ') optional_policy(` - xserver_domtrans_xdm_xserver(unconfined_t) -+ mono_per_role_template(unconfined, unconfined_t, unconfined_r) -+ unconfined_domain(unconfined_mono_t) -+ role system_r types unconfined_mono_t; -+') -+ -+optional_policy(` + kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) +') + @@ -35134,21 +33202,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf unconfined_dbus_chat(unconfined_execmem_t) + unconfined_dbus_connect(unconfined_execmem_t) +') - -- optional_policy(` -- hal_dbus_chat(unconfined_execmem_t) -- ') ++ +optional_policy(` + avahi_dbus_chat(unconfined_execmem_t) +') -+ -+optional_policy(` -+ hal_dbus_chat(unconfined_execmem_t) - ') + + optional_policy(` + hal_dbus_chat(unconfined_execmem_t) + ') + +optional_policy(` + xserver_xdm_rw_shm(unconfined_execmem_t) -+') + ') + +######################################## +# 
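Review bot: `role system_r types unconfined_mono_t;` is added right after `unconfined_domain(unconfined_mono_t)` with no comment on why a per-role mono domain derived for the unconfined user also needs to run under system_r, which is the role of system services; a one-line comment naming the caller that needs it, e.g. `# <name the system_r caller that launches mono>`, would keep a later cleanup from dropping or widening it blindly. The optional_policy blocks in this hunk appear to be reordered rather than changed in substance, so this is about the patch as it now stands.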
@@ -35161,9 +33226,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +# Allow SELinux aware applications to request rpm_script execution +rpm_transition_script(unconfined_notrans_t) +domain_ptrace_all_domains(unconfined_notrans_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.5.1/policy/modules/system/userdomain.fc ---- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/userdomain.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.5.2/policy/modules/system/userdomain.fc +--- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/userdomain.fc 2008-08-05 12:15:11.000000000 -0400 @@ -1,4 +1,5 @@ -HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh) -HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0) 
@@ -35174,9 +33239,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) +/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.1/policy/modules/system/userdomain.if ---- nsaserefpolicy/policy/modules/system/userdomain.if 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/userdomain.if 2008-07-30 10:07:07.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.2/policy/modules/system/userdomain.if +--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/userdomain.if 2008-08-05 16:14:43.000000000 -0400 @@ -28,10 +28,14 @@ class context contains; ') 
@@ -35222,16 +33287,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + allow $1_usertype $1_usertype:msg { send receive }; + allow $1_usertype $1_usertype:context contains; + dontaudit $1_usertype $1_usertype:socket create; -+ -+ allow $1_usertype $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; -+ term_create_pty($1_usertype,$1_devpts_t) - allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; - term_create_pty($1_t,$1_devpts_t) -+ allow $1_usertype $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; ++ allow $1_usertype $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; ++ term_create_pty($1_usertype, $1_devpts_t) - allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; -+ application_exec_all($1_usertype) ++ allow $1_usertype $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; - kernel_read_kernel_sysctls($1_t) - kernel_dontaudit_list_unlabeled($1_t) @@ -35241,13 +33304,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - kernel_dontaudit_getattr_unlabeled_sockets($1_t) - kernel_dontaudit_getattr_unlabeled_blk_files($1_t) - kernel_dontaudit_getattr_unlabeled_chr_files($1_t) ++ application_exec_all($1_usertype) + +- dev_dontaudit_getattr_all_blk_files($1_t) +- dev_dontaudit_getattr_all_chr_files($1_t) + files_exec_usr_files($1_t) + + kernel_read_kernel_sysctls($1_usertype) + kernel_read_all_sysctls($1_usertype) - -- dev_dontaudit_getattr_all_blk_files($1_t) -- dev_dontaudit_getattr_all_chr_files($1_t) ++ + kernel_dontaudit_list_unlabeled($1_usertype) + kernel_dontaudit_getattr_unlabeled_files($1_usertype) + kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype) 
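Review bot: The devpts rule spells out `{ setattr ioctl read getattr lock write append }` while the tty rule two lines below uses `{ setattr rw_chr_file_perms }`; if the macro's permission set is intended for ptys as well, `allow $1_usertype $1_devpts_t:chr_file { setattr rw_chr_file_perms };` keeps the pair consistent, otherwise a short comment on why the pty set deliberately differs would stop someone from "fixing" it later. The explicit set is carried over from the old `$1_t` rule visible in the removed lines, so any gap between it and the macro is pre-existing. The enclosing template starts and ends outside the hunk.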
@@ -35306,14 +33371,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + dev_dontaudit_getattr_all_blk_files($1_usertype) + dev_dontaudit_getattr_all_chr_files($1_usertype) + dev_getattr_mtrr_dev($1_t) ++ ++ storage_rw_fuse($1_usertype) - miscfiles_read_localization($1_t) - miscfiles_read_certs($1_t) -+ storage_rw_fuse($1_usertype) ++ auth_use_nsswitch($1_usertype) - sysnet_read_config($1_t) -+ auth_use_nsswitch($1_usertype) -+ + libs_use_ld_so($1_usertype) + libs_use_shared_libs($1_usertype) + libs_exec_ld_so($1_usertype) @@ -35390,10 +33455,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + allow $1_t user_home_t:dir list_dir_perms; + allow $1_t user_home_t:file entrypoint; + -+ read_files_pattern($1_t,{ user_home_t user_home_dir_t },user_home_t) -+ read_lnk_files_pattern($1_t,{ user_home_t user_home_dir_t },user_home_t) -+ read_fifo_files_pattern($1_t,{ user_home_t user_home_dir_t },user_home_t) -+ read_sock_files_pattern($1_t,{ user_home_t user_home_dir_t },user_home_t) ++ read_files_pattern($1_t, { user_home_t user_home_dir_t }, user_home_t) ++ read_lnk_files_pattern($1_t, { user_home_t user_home_dir_t }, user_home_t) ++ read_fifo_files_pattern($1_t, { user_home_t user_home_dir_t }, user_home_t) ++ read_sock_files_pattern($1_t, { user_home_t user_home_dir_t }, user_home_t) files_list_home($1_t) tunable_policy(`use_nfs_home_dirs',` 
@@ -35475,17 +33540,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + allow $1_t user_home_t:file entrypoint; + + allow $1_usertype user_home_type:dir_file_class_set { relabelto relabelfrom }; -+ manage_dirs_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) -+ manage_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) -+ manage_lnk_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) -+ manage_sock_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) -+ manage_fifo_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) -+ relabel_dirs_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) -+ relabel_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) -+ relabel_lnk_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) -+ relabel_sock_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) -+ relabel_fifo_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) -+ filetrans_pattern($1_usertype,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file }) ++ manage_dirs_pattern($1_usertype, { user_home_dir_t user_home_t }, user_home_type) ++ manage_files_pattern($1_usertype, { user_home_dir_t user_home_t }, user_home_type) ++ manage_lnk_files_pattern($1_usertype, { user_home_dir_t user_home_t }, user_home_type) ++ manage_sock_files_pattern($1_usertype, { user_home_dir_t user_home_t }, user_home_type) ++ manage_fifo_files_pattern($1_usertype, { user_home_dir_t user_home_t }, user_home_type) ++ relabel_dirs_pattern($1_usertype, { user_home_dir_t user_home_t }, user_home_type) ++ relabel_files_pattern($1_usertype, { user_home_dir_t user_home_t }, user_home_type) ++ relabel_lnk_files_pattern($1_usertype, { user_home_dir_t user_home_t }, user_home_type) ++ relabel_sock_files_pattern($1_usertype, { user_home_dir_t user_home_t }, 
user_home_type) ++ relabel_fifo_files_pattern($1_usertype, { user_home_dir_t user_home_t }, user_home_type) ++ filetrans_pattern($1_usertype, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) + files_list_home($1_usertype) # cjp: this should probably be removed: @@ -35537,8 +33602,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1_t) -+ tunable_policy(`allow_$1_exec_content', ` -+ can_exec($1_usertype,user_home_type) ++ tunable_policy(`allow_$1_exec_content',` ++ can_exec($1_usertype, user_home_type) + ',` + dontaudit $1_usertype user_home_type:file execute; ') @@ -35591,11 +33656,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + ifelse(`$1',`user',`',` + typealias user_tmp_t alias $1_tmp_t; + ') -+ manage_dirs_pattern($1_usertype,user_tmp_t,user_tmp_t) -+ manage_files_pattern($1_usertype,user_tmp_t,user_tmp_t) -+ manage_lnk_files_pattern($1_usertype,user_tmp_t,user_tmp_t) -+ manage_sock_files_pattern($1_usertype,user_tmp_t,user_tmp_t) -+ manage_fifo_files_pattern($1_usertype,user_tmp_t,user_tmp_t) ++ manage_dirs_pattern($1_usertype, user_tmp_t, user_tmp_t) ++ manage_files_pattern($1_usertype, user_tmp_t, user_tmp_t) ++ manage_lnk_files_pattern($1_usertype, user_tmp_t, user_tmp_t) ++ manage_sock_files_pattern($1_usertype, user_tmp_t, user_tmp_t) ++ manage_fifo_files_pattern($1_usertype, user_tmp_t, user_tmp_t) + files_tmp_filetrans($1_usertype, user_tmp_t, { dir file lnk_file sock_file fifo_file }) ') @@ -35609,7 +33674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + type user_tmp_t; + ') + -+ tunable_policy(`allow_$1_exec_content', ` ++ tunable_policy(`allow_$1_exec_content',` + exec_files_pattern($1_usertype, user_tmp_t, user_tmp_t) + ') ') 
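Review bot: In the `allow_$1_exec_content` hunk the new side keeps `dontaudit $1_usertype user_home_type:file execute;` in the else branch, so once an administrator turns the boolean off, attempts to run files out of a home directory are denied with no AVC record. That silences the one signal the boolean is meant to give an administrator, namely that something is trying to execute home-directory content, and it makes a policy denial indistinguishable from an ordinary failed exec. Either drop the dontaudit so the denials are visible, or leave a comment above it such as `# dontaudit is deliberate: <reason the execute denials are considered noise>` so the next maintainer knows the silence is intended. The enclosing template starts and ends outside the hunk.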
@@ -35633,12 +33698,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - manage_sock_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) - manage_fifo_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) - fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file }) -+ manage_dirs_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t) -+ manage_files_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t) -+ manage_lnk_files_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t) -+ manage_sock_files_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t) -+ manage_fifo_files_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t) -+ fs_tmpfs_filetrans($1_usertype,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file }) ++ manage_dirs_pattern($1_usertype, $1_tmpfs_t, $1_tmpfs_t) ++ manage_files_pattern($1_usertype, $1_tmpfs_t, $1_tmpfs_t) ++ manage_lnk_files_pattern($1_usertype, $1_tmpfs_t, $1_tmpfs_t) ++ manage_sock_files_pattern($1_usertype, $1_tmpfs_t, $1_tmpfs_t) ++ manage_fifo_files_pattern($1_usertype, $1_tmpfs_t, $1_tmpfs_t) ++ fs_tmpfs_filetrans($1_usertype, $1_tmpfs_t, { dir file lnk_file sock_file fifo_file }) ') ####################################### @@ -35674,7 +33739,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corecmd_exec_bin($1_t) ') -@@ -531,27 +522,20 @@ +@@ -531,34 +522,20 @@ ## # template(`userdom_basic_networking_template',` @@ -35684,7 +33749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; - +- - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_all_if($1_t) 
@@ -35695,10 +33760,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_all_client_packets($1_t) + +- corenet_all_recvfrom_labeled($1_t, $1_t) + allow $1_usertype self:tcp_socket create_stream_socket_perms; + allow $1_usertype self:udp_socket create_socket_perms; - optional_policy(` +- init_tcp_recvfrom_all_daemons($1_t) +- init_udp_recvfrom_all_daemons($1_t) +- ') +- +- optional_policy(` - ipsec_match_default_spd($1_t) - ') + corenet_all_recvfrom_unlabeled($1_usertype) @@ -35714,7 +33786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -568,30 +552,33 @@ +@@ -575,30 +552,33 @@ # template(`userdom_xwindows_client_template',` gen_require(` @@ -35764,7 +33836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -622,13 +609,7 @@ +@@ -629,13 +609,7 @@ ## ## The template for allowing the user to change roles. ## @@ -35779,7 +33851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). -@@ -692,188 +673,202 @@ +@@ -699,188 +673,202 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; 
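Review bot: The new side of the `userdom_basic_networking_template` hunk now strips upstream's `corenet_all_recvfrom_labeled($1_t, $1_t)`, `init_tcp_recvfrom_all_daemons($1_t)` and `init_udp_recvfrom_all_daemons($1_t)` together with the old `$1_t` rules, but no `$1_usertype` counterpart for any of the three is visible next to the re-added `corenet_all_recvfrom_unlabeled($1_usertype)`. If they are not restored further down the template, user domains lose the labeled-peer and daemon receive permissions on a labeled-networking (MLS/NetLabel) system; that is a tightening rather than a weakening, but it reads like an accidental side effect of the 3.5.2 rebase rather than a decision. Either add `corenet_all_recvfrom_labeled($1_usertype, $1_usertype)` and the two `init_*_recvfrom_all_daemons($1_usertype)` calls beside the unlabeled one, or record in the patch why they are dropped. The template body continues outside the hunk, so this may already be handled there.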
@@ -35930,107 +34002,104 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` - dbus_system_bus_client_template($1,$1_t) -+ dbus_system_bus_client_template($1,$1_usertype) -+ -+ optional_policy(` -+ avahi_dbus_chat($1_usertype) -+ ') ++ dbus_system_bus_client_template($1, $1_usertype) optional_policy(` - bluetooth_dbus_chat($1_t) -+ bluetooth_dbus_chat($1_usertype) ++ avahi_dbus_chat($1_usertype) ') optional_policy(` - evolution_dbus_chat($1,$1_t) - evolution_alarm_dbus_chat($1,$1_t) -+ consolekit_dbus_chat($1_usertype) -+ consolekit_read_log($1_usertype) ++ bluetooth_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ evolution_dbus_chat($1,$1_usertype) -+ evolution_alarm_dbus_chat($1,$1_usertype) ++ consolekit_dbus_chat($1_usertype) ++ consolekit_read_log($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ networkmanager_dbus_chat($1_usertype) ++ evolution_dbus_chat($1, $1_usertype) ++ evolution_alarm_dbus_chat($1, $1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -+ vpnc_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ hal_dbus_chat($1_usertype) - ') +- ') ++ networkmanager_dbus_chat($1_usertype) ') optional_policy(` - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) -+ inetd_use_fds($1_usertype) -+ inetd_rw_tcp_sockets($1_usertype) ++ vpnc_dbus_chat($1_usertype) ') optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) -+ inn_read_config($1_usertype) -+ inn_read_news_lib($1_usertype) -+ inn_read_news_spool($1_usertype) ++ hal_dbus_chat($1_usertype) ++ ') ') optional_policy(` - locate_read_lib_files($1_t) -+ locate_read_lib_files($1_usertype) ++ inetd_use_fds($1_usertype) ++ inetd_rw_tcp_sockets($1_usertype) ') - # for running depmod as part of the kernel packaging process +- # for running depmod as part of the kernel packaging process optional_policy(` - modutils_read_module_config($1_t) -+ 
modutils_read_module_config($1_usertype) ++ inn_read_config($1_usertype) ++ inn_read_news_lib($1_usertype) ++ inn_read_news_spool($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) -+ mta_rw_spool($1_usertype) ++ locate_read_lib_files($1_usertype) ') - ++ # for running depmod as part of the kernel packaging process optional_policy(` - tunable_policy(`allow_user_mysql_connect',` - mysql_stream_connect($1_t) - ') -+ alsa_read_rw_config($1_usertype) ++ modutils_read_module_config($1_usertype) ') -- optional_policy(` + optional_policy(` - # to allow monitoring of pcmcia status - pcmcia_read_pid($1_t) -- ') -+ optional_policy(` -+ tunable_policy(`allow_user_postgresql_connect',` -+ postgresql_stream_connect($1_usertype) -+ ') -+ ') ++ mta_rw_spool($1_usertype) + ') -- optional_policy(` + optional_policy(` - pcscd_read_pub_files($1_t) - pcscd_stream_connect($1_t) -+ tunable_policy(`user_ttyfile_stat',` -+ term_getattr_all_user_ttys($1_usertype) ++ alsa_read_rw_config($1_usertype) ') optional_policy(` -- tunable_policy(`allow_user_postgresql_connect',` + tunable_policy(`allow_user_postgresql_connect',` - postgresql_stream_connect($1_t) - postgresql_tcp_connect($1_t) -- ') ++ postgresql_stream_connect($1_usertype) ++ ') ++ ') ++ ++ tunable_policy(`user_ttyfile_stat',` ++ term_getattr_all_user_ttys($1_usertype) + ') ++ ++ optional_policy(` + # to allow monitoring of pcmcia status + pcmcia_read_pid($1_usertype) ') @@ -36066,18 +34135,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -895,9 +890,7 @@ +@@ -902,9 +890,7 @@ ## # template(`userdom_login_user_template', ` - gen_require(` - class context contains; - ') -+ gen_tunable(allow_$1_exec_content,true) ++ gen_tunable(allow_$1_exec_content, true) userdom_base_user_template($1) -@@ -927,70 +920,72 @@ +@@ -934,70 +920,72 @@ allow $1_t self:context contains; 
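Review bot: `gen_tunable(allow_$1_exec_content, true)` in `userdom_login_user_template` declares a per-user boolean with no `## <desc>` comment block above it, unlike the other tunables in refpolicy, so the generated boolean documentation will carry no description of what turning it off does. Its default of `true` also means every login user domain can execute files from its home and tmp directories (the `can_exec($1_usertype, user_home_type)` and `exec_files_pattern($1_usertype, user_tmp_t, user_tmp_t)` branches earlier in the patch) unless an administrator explicitly disables it, which is worth stating where the boolean is defined. Suggest a description directly above the call along the lines of `## <desc><p>Allow $1 users to execute files in their home and tmp directories.</p></desc>` and a one-line note on why the default is permissive. The enclosing template starts and ends outside the hunk.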
@@ -36183,7 +34252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1024,9 +1019,6 @@ +@@ -1031,9 +1019,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -36193,7 +34262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1035,16 +1027,29 @@ +@@ -1042,12 +1027,24 @@ # # privileged home directory writers 
@@ -36203,15 +34272,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) - manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) - filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file }) -+ manage_dirs_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) -+ manage_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) -+ manage_lnk_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) -+ manage_sock_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) -+ manage_fifo_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) -+ filetrans_pattern(privhome,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file }) - - optional_policy(` -- loadkeys_run($1_t,$1_r,$1_tty_device_t) ++ manage_dirs_pattern(privhome, { user_home_dir_t user_home_t }, user_home_t) ++ manage_files_pattern(privhome, { user_home_dir_t user_home_t }, user_home_t) ++ manage_lnk_files_pattern(privhome, { user_home_dir_t user_home_t }, user_home_t) ++ manage_sock_files_pattern(privhome, { user_home_dir_t user_home_t }, user_home_t) ++ manage_fifo_files_pattern(privhome, { user_home_dir_t user_home_t }, user_home_t) ++ filetrans_pattern(privhome, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) ++ ++ optional_policy(` + dbus_per_role_template($1, $1_usertype, $1_r) + dbus_system_bus_client_template($1, $1_usertype) + 
@@ -36221,24 +34289,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + optional_policy(` + cups_dbus_chat($1_usertype) + ') - ') -+ -+ optional_policy(` -+ loadkeys_run($1_t,$1_r,$1_tty_device_t) -+ ') -+ - ') - - ####################################### -@@ -1071,7 +1076,6 @@ - template(`userdom_restricted_xwindows_user_template',` - - userdom_restricted_user_template($1) -- - userdom_xwindows_client_template($1) ++ ') - ############################## -@@ -1080,14 +1084,16 @@ + optional_policy(` + loadkeys_run($1_t,$1_r,$1_tty_device_t) +@@ -1087,14 +1084,16 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -36260,7 +34315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1095,28 +1101,23 @@ +@@ -1102,28 +1101,23 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -36274,14 +34329,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - - optional_policy(` - consolekit_dbus_chat($1_t) -- ') + apache_per_role_template($1, $1_usertype, $1_r) -+ ') + ') -- optional_policy(` + optional_policy(` - cups_dbus_chat($1_t) - ') -+ optional_policy(` + nsplugin_per_role_template($1, $1_usertype, $1_r) ') @@ -36296,7 +34349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1127,10 +1128,9 @@ +@@ -1134,8 +1128,7 @@ ## ## ##

@@ -36304,12 +34357,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo -## equivalent to a regular linux user. +## The template containing the most basic rules common to all users. ##

--##

-+##

+ ##

## This template creates a user domain, types, and - ## rules for the user's tty, pty, home directories, - ## tmp, and tmpfs files. -@@ -1164,7 +1164,6 @@ +@@ -1171,7 +1164,6 @@ # Need the following rule to allow users to run vpnc corenet_tcp_bind_xserver_port($1_t) @@ -36317,7 +34367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1182,36 +1181,45 @@ +@@ -1189,36 +1181,45 @@ ') ') @@ -36340,7 +34390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` - netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) - netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) ++ ppp_run_cond($1_t, $1_r, { $1_tty_device_t $1_devpts_t }) ') optional_policy(` @@ -36351,7 +34401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - # Run pppd in pppd_t by default for user optional_policy(` - ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ mount_run($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) ++ mount_run($1_t, $1_r, { $1_tty_device_t $1_devpts_t }) ') optional_policy(` @@ -36376,7 +34426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1288,8 +1296,6 @@ +@@ -1295,8 +1296,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -36385,7 +34435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1311,8 +1317,6 @@ +@@ -1318,8 +1317,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) 
@@ -36394,7 +34444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1367,13 +1371,6 @@ +@@ -1374,13 +1371,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -36408,7 +34458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` postgresql_unconfined($1_t) ') -@@ -1425,6 +1422,7 @@ +@@ -1432,6 +1422,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -36416,7 +34466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1454,10 +1452,6 @@ +@@ -1461,10 +1452,6 @@ seutil_run_semanage($1,$2,$3) seutil_run_setfiles($1, $2, $3) @@ -36427,7 +34477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` aide_run($1,$2, $3) ') -@@ -1477,12 +1471,30 @@ +@@ -1484,6 +1471,14 @@ optional_policy(` netlabel_run_mgmt($1,$2, $3) ') @@ -36442,203 +34492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## - ##

- ## Change to the generic user role. - ## -+## -+##

-+## Change to the generic user role. -+##

-+##

-+## This is a template to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

-+##
- ## - ## - ## The prefix of the user role (e.g., user -@@ -1492,8 +1504,7 @@ - ## - # - template(`userdom_role_change_generic_user',` -- refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_role_change_template() instead.') -- unprivuser_role_change_template($1) -+ userdom_role_change_template($1, user) - ') - - ######################################## -@@ -1520,14 +1531,23 @@ - ## - # - template(`userdom_role_change_from_generic_user',` -- refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_role_change_to_template() instead.') -- unprivuser_role_change_to_template($1) -+ userdom_role_change_template(user, $1) - ') - - ######################################## - ## - ## Change to the staff user role. - ## -+## -+##

-+## Change to the staff user role. -+##

-+##

-+## This is a template to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

-+##
- ## - ## - ## The prefix of the user role (e.g., user -@@ -1537,8 +1557,7 @@ - ## - # - template(`userdom_role_change_staff',` -- refpolicywarn(`$0($*) has been deprecated. Please use staff_role_change_template() instead.') -- staff_role_change_template($1) -+ userdom_role_change_template($1, staff) - ') - - ######################################## -@@ -1565,14 +1584,23 @@ - ## - # - template(`userdom_role_change_from_staff',` -- refpolicywarn(`$0($*) has been deprecated. Please use staff_role_change_to_template() instead.') -- staff_role_change_to_template($1) -+ userdom_role_change_template(staff, $1) - ') - - ######################################## - ## - ## Change to the sysadm user role. - ## -+## -+##

-+## Change to the sysadm user role. -+##

-+##

-+## This is a template to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

-+##
- ## - ## - ## The prefix of the user role (e.g., user -@@ -1582,8 +1610,7 @@ - ## - # - template(`userdom_role_change_sysadm',` -- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_role_change_template() instead.') -- sysadm_role_change_template($1) -+ userdom_role_change_template($1, sysadm) - ') - - ######################################## -@@ -1610,14 +1637,23 @@ - ## - # - template(`userdom_role_change_from_sysadm',` -- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_role_change_to_template() instead.') -- sysadm_role_change_to_template($1) -+ userdom_role_change_template(sysadm, $1) - ') - - ######################################## - ## - ## Change to the secadm user role. - ## -+## -+##

-+## Change to the secadm user role. -+##

-+##

-+## This is a template to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

-+##
- ## - ## - ## The prefix of the user role (e.g., user -@@ -1627,8 +1663,11 @@ - ## - # - template(`userdom_role_change_secadm',` -- refpolicywarn(`$0($*) has been deprecated. Please use secadm_role_change_template() instead.') -- secadm_role_change_template($1) -+ ifdef(`enable_mls',` -+ userdom_role_change_template($1,secadm) -+ ',` -+ refpolicywarn(`$0($*) has no effect in non-MLS policy.') -+ ') - ') - - ######################################## -@@ -1655,14 +1694,27 @@ - ## - # - template(`userdom_role_change_from_secadm',` -- refpolicywarn(`$0($*) has been deprecated. Please use secadm_role_change_to_template() instead.') -- secadm_role_change_to_template($1) -+ ifdef(`enable_mls',` -+ userdom_role_change_template(secadm,$1) -+ ',` -+ refpolicywarn(`$0($*) has no effect in non-MLS policy.') -+ ') - ') - - ######################################## - ## - ## Change to the auditadm user role. - ## -+## -+##

-+## Change to the auditadm user role. -+##

-+##

-+## This is a template to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

-+##
- ## - ## - ## The prefix of the auditadm role (e.g., user -@@ -1672,8 +1724,11 @@ - ## - # - template(`userdom_role_change_auditadm',` -- refpolicywarn(`$0($*) has been deprecated. Please use auditadm_role_change_template() instead.') -- auditadm_role_change_template($1) -+ ifdef(`enable_mls',` -+ userdom_role_change_template($1,auditadm) -+ ',` -+ refpolicywarn(`$0($*) has no effect in non-MLS policy.') -+ ') - ') - - ######################################## -@@ -1700,8 +1755,11 @@ - ## - # - template(`userdom_role_change_from_auditadm',` -- refpolicywarn(`$0($*) has been deprecated. Please use auditadm_role_change_to_template() instead.') -- auditadm_role_change_to_template($1) -+ ifdef(`enable_mls',` -+ userdom_role_change_template(auditadm,$1) -+ ',` -+ refpolicywarn(`$0($*) has no effect in non-MLS policy.') -+ ') - ') - - ######################################## -@@ -1734,11 +1792,15 @@ +@@ -1741,11 +1736,15 @@ # template(`userdom_user_home_content',` gen_require(` @@ -36657,7 +34511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1834,11 +1896,11 @@ +@@ -1841,11 +1840,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -36671,7 +34525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1868,11 +1930,11 @@ +@@ -1875,11 +1874,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -36685,7 +34539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1916,12 +1978,12 @@ +@@ -1923,12 +1922,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` 
@@ -36697,11 +34551,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - allow $2 $1_home_dir_t:dir search_dir_perms; - domain_auto_trans($2,$1_home_t,$3) + allow $2 user_home_dir_t:dir search_dir_perms; -+ domain_auto_trans($2,user_home_t,$3) ++ domain_auto_trans($2, user_home_t, $3) ') ######################################## -@@ -1951,10 +2013,11 @@ +@@ -1958,10 +1957,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -36715,7 +34569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1986,11 +2049,47 @@ +@@ -1993,11 +1993,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -36726,7 +34580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_home($2) - manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) -+ manage_dirs_pattern($2,{ user_home_dir_t user_home_type },user_home_t) ++ manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_t) +') + +######################################## @@ -36765,7 +34619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2022,10 +2121,10 @@ +@@ -2029,10 +2065,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -36778,7 +34632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2055,11 +2154,11 @@ +@@ -2062,11 +2098,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` 
@@ -36788,11 +34642,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_home($2) - read_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) -+ read_files_pattern($2,{ user_home_dir_t user_home_t },user_home_t) ++ read_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) ') ######################################## -@@ -2089,11 +2188,11 @@ +@@ -2096,11 +2132,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -36807,7 +34661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2123,10 +2222,14 @@ +@@ -2130,10 +2166,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -36824,7 +34678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2156,11 +2259,11 @@ +@@ -2163,11 +2203,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -36834,11 +34688,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_home($2) - read_lnk_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) -+ read_lnk_files_pattern($2,{ user_home_dir_t user_home_t },user_home_t) ++ read_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) ') ######################################## -@@ -2190,11 +2293,11 @@ +@@ -2197,11 +2237,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -36848,11 +34702,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_home($2) - exec_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) -+ exec_files_pattern($2,{ user_home_dir_t user_home_t },user_home_t) ++ exec_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) ') ######################################## -@@ -2224,10 +2327,10 @@ +@@ -2231,10 +2271,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -36865,7 +34719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2259,12 +2362,12 @@ +@@ -2266,12 +2306,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -36877,11 +34731,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - allow $2 $1_home_dir_t:dir search_dir_perms; - manage_files_pattern($2,$1_home_t,$1_home_t) + allow $2 user_home_dir_t:dir search_dir_perms; -+ manage_files_pattern($2,user_home_t,user_home_t) ++ manage_files_pattern($2, user_home_t, user_home_t) ') ######################################## -@@ -2296,10 +2399,10 @@ +@@ -2303,10 +2343,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -36894,7 +34748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2331,12 +2434,12 @@ +@@ -2338,12 +2378,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` 
@@ -36906,11 +34760,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - allow $2 $1_home_dir_t:dir search_dir_perms; - manage_lnk_files_pattern($2,$1_home_t,$1_home_t) + allow $2 user_home_dir_t:dir search_dir_perms; -+ manage_lnk_files_pattern($2,user_home_t,user_home_t) ++ manage_lnk_files_pattern($2, user_home_t, user_home_t) ') ######################################## -@@ -2368,12 +2471,12 @@ +@@ -2375,12 +2415,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -36922,11 +34776,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - allow $2 $1_home_dir_t:dir search_dir_perms; - manage_fifo_files_pattern($2,$1_home_t,$1_home_t) + allow $2 user_home_dir_t:dir search_dir_perms; -+ manage_fifo_files_pattern($2,user_home_t,user_home_t) ++ manage_fifo_files_pattern($2, user_home_t, user_home_t) ') ######################################## -@@ -2405,12 +2508,12 @@ +@@ -2412,12 +2452,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -36938,11 +34792,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - allow $2 $1_home_dir_t:dir search_dir_perms; - manage_sock_files_pattern($2,$1_home_t,$1_home_t) + allow $2 user_home_dir_t:dir search_dir_perms; -+ manage_sock_files_pattern($2,user_home_t,user_home_t) ++ manage_sock_files_pattern($2, user_home_t, user_home_t) ') ######################################## -@@ -2455,11 +2558,11 @@ +@@ -2462,11 +2502,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` 
@@ -36952,11 +34806,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_home($2) - filetrans_pattern($2,$1_home_dir_t,$3,$4) -+ filetrans_pattern($2,user_home_dir_t,$3,$4) ++ filetrans_pattern($2, user_home_dir_t, $3, $4) ') ######################################## -@@ -2504,11 +2607,11 @@ +@@ -2511,11 +2551,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -36966,11 +34820,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_home($2) - filetrans_pattern($2,$1_home_t,$3,$4) -+ filetrans_pattern($2,user_home_t,$3,$4) ++ filetrans_pattern($2, user_home_t, $3, $4) ') ######################################## -@@ -2548,11 +2651,11 @@ +@@ -2555,11 +2595,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -36980,11 +34834,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_home($2) - filetrans_pattern($2,$1_home_dir_t,$1_home_t,$3) -+ filetrans_pattern($2,user_home_dir_t,user_home_t,$3) ++ filetrans_pattern($2, user_home_dir_t, user_home_t, $3) ') ######################################## -@@ -2582,11 +2685,11 @@ +@@ -2589,11 +2629,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -36998,7 +34852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2616,11 +2719,11 @@ +@@ -2623,11 +2663,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -37012,7 +34866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2652,10 +2755,10 @@ +@@ -2659,10 +2699,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` 
@@ -37025,7 +34879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2687,10 +2790,10 @@ +@@ -2694,10 +2734,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -37038,7 +34892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2720,12 +2823,12 @@ +@@ -2727,12 +2767,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -37050,11 +34904,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - allow $2 $1_tmp_t:dir list_dir_perms; - read_files_pattern($2,$1_tmp_t,$1_tmp_t) + allow $2 user_tmp_t:dir list_dir_perms; -+ read_files_pattern($2,user_tmp_t,user_tmp_t) ++ read_files_pattern($2, user_tmp_t, user_tmp_t) ') ######################################## -@@ -2757,10 +2860,10 @@ +@@ -2764,10 +2804,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -37067,7 +34921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2792,10 +2895,10 @@ +@@ -2799,10 +2839,10 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -37080,7 +34934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2825,12 +2928,12 @@ +@@ -2832,12 +2872,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` 
@@ -37092,11 +34946,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - allow $2 $1_tmp_t:dir list_dir_perms; - rw_files_pattern($2,$1_tmp_t,$1_tmp_t) + allow $2 user_tmp_t:dir list_dir_perms; -+ rw_files_pattern($2,user_tmp_t,user_tmp_t) ++ rw_files_pattern($2, user_tmp_t, user_tmp_t) ') ######################################## -@@ -2862,10 +2965,10 @@ +@@ -2869,10 +2909,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -37109,7 +34963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2897,12 +3000,12 @@ +@@ -2904,12 +2944,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -37121,11 +34975,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - allow $2 $1_tmp_t:dir list_dir_perms; - read_lnk_files_pattern($2,$1_tmp_t,$1_tmp_t) + allow $2 user_tmp_t:dir list_dir_perms; -+ read_lnk_files_pattern($2,user_tmp_t,user_tmp_t) ++ read_lnk_files_pattern($2, user_tmp_t, user_tmp_t) ') ######################################## -@@ -2934,11 +3037,11 @@ +@@ -2941,11 +2981,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -37135,11 +34989,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) - manage_dirs_pattern($2,$1_tmp_t,$1_tmp_t) -+ manage_dirs_pattern($2,user_tmp_t,user_tmp_t) ++ manage_dirs_pattern($2, user_tmp_t, user_tmp_t) ') ######################################## -@@ -2970,11 +3073,11 @@ +@@ -2977,11 +3017,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` 
@@ -37149,11 +35003,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) - manage_files_pattern($2,$1_tmp_t,$1_tmp_t) -+ manage_files_pattern($2,user_tmp_t,user_tmp_t) ++ manage_files_pattern($2, user_tmp_t, user_tmp_t) ') ######################################## -@@ -3006,11 +3109,11 @@ +@@ -3013,11 +3053,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -37163,11 +35017,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) - manage_lnk_files_pattern($2,$1_tmp_t,$1_tmp_t) -+ manage_lnk_files_pattern($2,user_tmp_t,user_tmp_t) ++ manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t) ') ######################################## -@@ -3042,11 +3145,11 @@ +@@ -3049,11 +3089,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -37177,11 +35031,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) - manage_fifo_files_pattern($2,$1_tmp_t,$1_tmp_t) -+ manage_fifo_files_pattern($2,user_tmp_t,user_tmp_t) ++ manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) ') ######################################## -@@ -3078,11 +3181,11 @@ +@@ -3085,11 +3125,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -37191,11 +35045,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) - manage_sock_files_pattern($2,$1_tmp_t,$1_tmp_t) -+ manage_sock_files_pattern($2,user_tmp_t,user_tmp_t) ++ manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) ') ######################################## -@@ -3127,10 +3230,10 @@ +@@ -3134,10 +3174,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` 
@@ -37204,11 +35058,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') - filetrans_pattern($2,$1_tmp_t,$3,$4) -+ filetrans_pattern($2,user_tmp_t,$3,$4) ++ filetrans_pattern($2, user_tmp_t, $3, $4) files_search_tmp($2) ') -@@ -3171,19 +3274,19 @@ +@@ -3178,19 +3218,19 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -37217,7 +35071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') - files_tmp_filetrans($2,$1_tmp_t,$3) -+ files_tmp_filetrans($2,user_tmp_t,$3) ++ files_tmp_filetrans($2, user_tmp_t, $3) ') ######################################## @@ -37232,7 +35086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

##

## This is a templated interface, and should only -@@ -4609,11 +4712,11 @@ +@@ -4616,11 +4656,11 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -37246,14 +35100,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4633,10 +4736,18 @@ +@@ -4640,6 +4680,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; --') - --######################################## --##

++ + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs($1) + ') @@ -37261,14 +35112,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + tunable_policy(`use_samba_home_dirs',` + fs_list_cifs($1) + ') -+') -+ -+######################################## -+## - ## Search all users home directories. - ## - ## -@@ -4670,6 +4781,8 @@ + ') + + ######################################## +@@ -4677,6 +4725,8 @@ ') dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; @@ -37277,7 +35124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4714,6 +4827,25 @@ +@@ -4721,6 +4771,25 @@ ######################################## ## @@ -37295,7 +35142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + attribute home_type; + ') + -+ delete_files_pattern($1,home_type,home_type) ++ delete_files_pattern($1, home_type, home_type) +') + +######################################## @@ -37303,7 +35150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4939,7 +5071,7 @@ +@@ -4946,7 +5015,7 @@ ######################################## ## @@ -37312,7 +35159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5311,6 +5443,42 @@ +@@ -5318,6 +5387,42 @@ ######################################## ## 
@@ -37355,30 +35202,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5361,7 +5529,7 @@ +@@ -5368,7 +5473,7 @@ attribute userdomain; ') - read_files_pattern($1,userdomain,userdomain) -+ ps_process_pattern($1,userdomain) ++ ps_process_pattern($1, userdomain) kernel_search_proc($1) ') -@@ -5476,6 +5644,42 @@ +@@ -5483,7 +5588,7 @@ ######################################## ## +-## Send a dbus message to all user domains. +## Manage keys for all user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -5491,10 +5596,46 @@ + ## + ## + # +-interface(`userdom_dbus_send_all_users',` +interface(`userdom_manage_all_users_keys',` -+ gen_require(` -+ attribute userdomain; + gen_require(` + attribute userdomain; +- class dbus send_msg; + ') + + allow $1 userdomain:key manage_key_perms; @@ -37404,10 +35254,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + +######################################## +## - ## Send a dbus message to all user domains. - ## - ## -@@ -5506,3 +5710,525 @@ ++## Send a dbus message to all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_dbus_send_all_users',` ++ gen_require(` ++ attribute userdomain; ++ class dbus send_msg; + ') + + allow $1 userdomain:dbus send_msg; +@@ -5513,3 +5654,525 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -37746,8 +35608,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + fs_search_tmpfs($2) + allow $2 $1_tmpfs_t:dir list_dir_perms; -+ read_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) -+ read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) ++ read_files_pattern($2, $1_tmpfs_t, $1_tmpfs_t) ++ read_lnk_files_pattern($2, $1_tmpfs_t, $1_tmpfs_t) +') + +####################################### 
@@ -37773,7 +35635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +##
+## +# -+template(`userdom_admin_login_user_template', ` ++template(`userdom_admin_login_user_template',` + + userdom_unpriv_user_template($1) + @@ -37811,8 +35673,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + ') + + optional_policy(` -+ netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) ++ netutils_run_ping_cond($1_t, $1_r, { $1_tty_device_t $1_devpts_t }) ++ netutils_run_traceroute_cond($1_t, $1_r, { $1_tty_device_t $1_devpts_t }) + ') +') + @@ -37930,12 +35792,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + ') + + files_list_home($1) -+ delete_lnk_files_pattern($1,home_type,home_type) ++ delete_lnk_files_pattern($1, home_type, home_type) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.5.1/policy/modules/system/userdomain.te ---- nsaserefpolicy/policy/modules/system/userdomain.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/userdomain.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.5.2/policy/modules/system/userdomain.te +--- nsaserefpolicy/policy/modules/system/userdomain.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/userdomain.te 2008-08-05 12:15:11.000000000 -0400 @@ -8,13 +8,6 @@ ## @@ -38023,7 +35885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +# Rules used to associate a homedir as a mountpoint +allow user_home_t self:filesystem associate; + -+tunable_policy(`allow_console_login', ` ++tunable_policy(`allow_console_login',` + term_use_console(userdomain) +') + 
@@ -38050,9 +35912,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + manage_fifo_files_pattern(privhome, cifs_t, cifs_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.5.1/policy/modules/system/xen.fc ---- nsaserefpolicy/policy/modules/system/xen.fc 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/xen.fc 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.5.2/policy/modules/system/xen.fc +--- nsaserefpolicy/policy/modules/system/xen.fc 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/xen.fc 2008-08-05 12:15:11.000000000 -0400 @@ -20,6 +20,7 @@ /var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) /var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) @@ -38061,9 +35923,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.5.1/policy/modules/system/xen.if ---- nsaserefpolicy/policy/modules/system/xen.if 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/xen.if 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.5.2/policy/modules/system/xen.if +--- nsaserefpolicy/policy/modules/system/xen.if 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/xen.if 2008-08-05 12:15:11.000000000 -0400 @@ -167,11 +167,14 @@ # interface(`xen_stream_connect',` 
@@ -38076,7 +35938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if stream_connect_pattern($1,xend_var_run_t,xend_var_run_t,xend_t) + + files_search_var_lib($1) -+ stream_connect_pattern($1,xend_var_lib_t,xend_var_lib_t,xend_t) ++ stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t) ') ######################################## @@ -38103,11 +35965,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if + + files_list_var_lib($1) + allow $1 xend_var_lib_t:dir search_dir_perms; -+ rw_files_pattern($1,xen_image_t,xen_image_t) ++ rw_files_pattern($1, xen_image_t, xen_image_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.5.1/policy/modules/system/xen.te ---- nsaserefpolicy/policy/modules/system/xen.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/xen.te 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.5.2/policy/modules/system/xen.te +--- nsaserefpolicy/policy/modules/system/xen.te 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/modules/system/xen.te 2008-08-05 12:15:11.000000000 -0400 @@ -6,6 +6,13 @@ # Declarations # @@ -38117,7 +35979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te +## Allow xen to manage nfs files +##

+##
-+gen_tunable(xen_use_nfs,false) ++gen_tunable(xen_use_nfs, false) + # console ptys type xen_devpts_t; @@ -38133,7 +35995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te -domain_type(xenstored_t) -domain_entry_file(xenstored_t,xenstored_exec_t) -role system_r types xenstored_t; -+init_daemon_domain(xenstored_t,xenstored_exec_t) ++init_daemon_domain(xenstored_t, xenstored_exec_t) + +# tmp files +type xenstored_tmp_t; @@ -38155,7 +36017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te type xenconsoled_exec_t; -domain_type(xenconsoled_t) -domain_entry_file(xenconsoled_t,xenconsoled_exec_t) -+init_daemon_domain(xenconsoled_t,xenconsoled_exec_t) ++init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) role system_r types xenconsoled_t; # pid files @@ -38173,16 +36035,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te # pid file -allow xend_t xend_var_run_t:dir setattr; -+manage_dirs_pattern(xend_t,xend_var_run_t,xend_var_run_t) ++manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t) manage_files_pattern(xend_t,xend_var_run_t,xend_var_run_t) manage_sock_files_pattern(xend_t,xend_var_run_t,xend_var_run_t) manage_fifo_files_pattern(xend_t,xend_var_run_t,xend_var_run_t) -files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file fifo_file }) -+files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file fifo_file dir }) ++files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir }) # log files -allow xend_t xend_var_log_t:dir setattr; -+manage_dirs_pattern(xend_t,xend_var_log_t,xend_var_log_t) ++manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t) manage_files_pattern(xend_t,xend_var_log_t,xend_var_log_t) manage_sock_files_pattern(xend_t,xend_var_log_t,xend_var_log_t) logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir }) 
@@ -38267,8 +36129,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te allow xenstored_t self:unix_stream_socket create_stream_socket_perms; allow xenstored_t self:unix_dgram_socket create_socket_perms; -+manage_files_pattern(xenstored_t,xenstored_tmp_t,xenstored_tmp_t) -+manage_dirs_pattern(xenstored_t,xenstored_tmp_t,xenstored_tmp_t) ++manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) ++manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) + # pid file @@ -38277,10 +36139,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te files_pid_filetrans(xenstored_t,xenstored_var_run_t, { file sock_file }) +# log files -+manage_dirs_pattern(xenstored_t,xenstored_var_log_t,xenstored_var_log_t) -+manage_files_pattern(xenstored_t,xenstored_var_log_t,xenstored_var_log_t) -+manage_sock_files_pattern(xenstored_t,xenstored_var_log_t,xenstored_var_log_t) -+logging_log_filetrans(xenstored_t,xenstored_var_log_t,{ sock_file file dir }) ++manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) ++manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) ++manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) ++logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir }) + # var/lib files for xenstored manage_dirs_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t) @@ -38296,7 +36158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t) manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t) -+manage_sock_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t) ++manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) files_search_var_lib(xm_t) allow xm_t xen_image_t:dir rw_dir_perms; 
@@ -38344,9 +36206,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te +optional_policy(` + unconfined_domain(xend_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns.spt serefpolicy-3.5.1/policy/support/file_patterns.spt ---- nsaserefpolicy/policy/support/file_patterns.spt 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/support/file_patterns.spt 2008-07-25 12:35:13.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns.spt serefpolicy-3.5.2/policy/support/file_patterns.spt +--- nsaserefpolicy/policy/support/file_patterns.spt 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/support/file_patterns.spt 2008-08-05 12:15:11.000000000 -0400 @@ -537,3 +537,23 @@ allow $1 $2:dir rw_dir_perms; type_transition $1 $2:$4 $3; @@ -38371,9 +36233,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns + relabelfrom_fifo_files_pattern($1,$2,$2) + relabelfrom_sock_files_pattern($1,$2,$2) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.5.1/policy/support/obj_perm_sets.spt ---- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/support/obj_perm_sets.spt 2008-07-30 16:47:18.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.5.2/policy/support/obj_perm_sets.spt +--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/support/obj_perm_sets.spt 2008-08-05 12:15:11.000000000 -0400 @@ -316,3 +316,13 @@ # define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') 
@@ -38388,20 +36250,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') + +define(`manage_key_perms', `{ create link read search setattr view write } ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.5.1/policy/users ---- nsaserefpolicy/policy/users 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/users 2008-07-25 12:35:13.000000000 -0400 -@@ -1,3 +1,9 @@ -+role auditadm_r; -+role secadm_r; -+role sysadm_r; -+role staff_r; -+role user_r; -+role unconfined_r; - ################################## - # - # Core User configuration. -@@ -25,11 +31,8 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.5.2/policy/users +--- nsaserefpolicy/policy/users 2008-08-04 16:39:57.000000000 -0400 ++++ serefpolicy-3.5.2/policy/users 2008-08-05 16:15:48.000000000 -0400 +@@ -25,11 +25,8 @@ # permit any access to such users, then remove this entry. # gen_user(user_u, user, user_r, s0, s0) @@ -38415,7 +36267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.5 # # The following users correspond to Unix identities. -@@ -38,8 +41,4 @@ +@@ -38,8 +35,4 @@ # role should use the staff_r role instead of the user_r role when # not in the sysadm_r. # diff --git a/selinux-policy.spec b/selinux-policy.spec index d4c62cc..b8a522d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -16,8 +16,8 @@ %define CHECKPOLICYVER 2.0.16-1 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.5.1 -Release: 5%{?dist} +Version: 3.5.2 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -79,7 +79,7 @@ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' %{ %define installCmds() \ make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \ -make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 modules \ +make validate UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 modules \ make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install \ make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install-appconfig \ #%{__cp} *.pp %{buildroot}/%{_usr}/share/selinux/%1/ \ @@ -159,7 +159,7 @@ fi; %description SELinux Reference Policy - modular. -Based off of reference policy: Checked out revision 2714. +Based off of reference policy: Checked out revision 2771. %build
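Review bot: The `validate` goal is added only to the `modules` invocation of `make` inside the `installCmds` macro, so the `base.pp` invocation on the preceding line still runs without it; whether that matters depends on what refpolicy's `validate` target checks, which is not visible from this hunk, so it is worth confirming the base module is covered before relying on this as a build gate. Each `\`-continued line of the macro is a separate `make` process, so the build stops only if `validate` itself exits non-zero, which presumably is the intent and deserves a line comment such as `# run the policy validation target before building modules so a broken policy fails the package build` above the changed line. The `installCmds` macro continues past the end of the hunk.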