diff --git a/modules-minimum.conf b/modules-minimum.conf index 484aca0..2723d30 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -1406,6 +1406,13 @@ seunshare = module # shorewall = base +# Layer: apps +# Module: sectoolm +# +# Policy for sectool-mechanism +# +sectoolm = module + # Layer: system # Module: setrans # Required in base diff --git a/modules-targeted.conf b/modules-targeted.conf index 484aca0..2723d30 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1406,6 +1406,13 @@ seunshare = module # shorewall = base +# Layer: apps +# Module: sectoolm +# +# Policy for sectool-mechanism +# +sectoolm = module + # Layer: system # Module: setrans # Required in base diff --git a/policy-F12.patch b/policy-F12.patch index 31522dc..3aae040 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -641,7 +641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-10-20 10:47:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-10-21 09:33:05.000000000 -0400 @@ -13,11 +13,34 @@ interface(`rpm_domtrans',` gen_require(` @@ -726,7 +726,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send and receive messages from ## rpm over dbus. ## -@@ -167,6 +225,48 @@ +@@ -167,6 +225,68 @@ ######################################## ## 
@@ -770,12 +770,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow rpm_script_t $1:dbus send_msg; +') + ++##################################### ++## ++## Allow the specified domain to append ++## to rpm log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_append_log',` ++ gen_require(` ++ type rpm_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, rpm_log_t, rpm_log_t) ++') ++ +######################################## +## ## Create, read, write, and delete the RPM log. ## ## -@@ -186,6 +286,24 @@ +@@ -186,6 +306,24 @@ ######################################## ## @@ -800,7 +820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Inherit and use file descriptors from RPM scripts. ## ## -@@ -219,7 +337,51 @@ +@@ -219,7 +357,51 @@ ') files_search_tmp($1) @@ -852,7 +872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -241,6 +403,25 @@ +@@ -241,6 +423,25 @@ allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -878,7 +898,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -265,6 +446,47 @@ +@@ -265,6 +466,47 @@ ######################################## ## 
@@ -926,11 +946,46 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to create, read, ## write, and delete the RPM package database. ## -@@ -283,3 +505,46 @@ +@@ -283,3 +525,81 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') + ++##################################### ++## ++## Create, read, write, and delete rpm pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_manage_pid_files',` ++ gen_require(` ++ type rpm_var_run_t; ++ ') ++ ++ manage_files_pattern($1,rpm_var_run_t,rpm_var_run_t) ++') ++ ++###################################### ++## ++## Create files in /var/run with the rpm pid file type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_pid_filetrans',` ++ gen_require(` ++ type rpm_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, rpm_var_run_t, file) ++') + +######################################## +## @@ -3979,7 +4034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2009-10-05 08:30:24.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2009-10-21 07:52:28.000000000 -0400 @@ -26,6 +26,7 @@ can_exec(pulseaudio_t, pulseaudio_exec_t) 
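Review bot: The new `rpm_manage_pid_files` interface grants `manage_files_pattern($1,rpm_var_run_t,rpm_var_run_t)` but gives the caller no search access to the pid directory, so unlike its sibling `rpm_pid_filetrans` (whose `files_pid_filetrans` covers the directory) a domain that does not already search /var/run cannot reach the files it is now allowed to manage; add `files_search_pids($1)` before the pattern call, in the same way `rpm_append_log` in the earlier hunk pairs `logging_search_logs($1)` with its pattern. As a matter of style the call also drops the spaces after commas that the rest of rpm.if uses, `manage_files_pattern($1, rpm_var_run_t, rpm_var_run_t)`, and both new interface headers are a few `#` short of the 40-column rule of the neighbouring interfaces. Both interfaces are complete within the hunk; the surrounding rpm.if text is not.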
@@ -3988,7 +4043,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(pulseaudio_t) kernel_read_kernel_sysctls(pulseaudio_t) -@@ -69,6 +70,7 @@ +@@ -63,12 +64,17 @@ + miscfiles_read_localization(pulseaudio_t) + + optional_policy(` ++ bluetooth_stream_connect(pulseaudio_t) ++') ++ ++optional_policy(` + gnome_manage_config(pulseaudio_t) + ') + optional_policy(` dbus_system_bus_client(pulseaudio_t) dbus_session_bus_client(pulseaudio_t) @@ -3996,7 +4061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` consolekit_dbus_chat(pulseaudio_t) -@@ -88,6 +90,10 @@ +@@ -88,6 +94,10 @@ ') optional_policy(` @@ -4007,7 +4072,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(pulseaudio_t) policykit_read_lib(pulseaudio_t) policykit_read_reload(pulseaudio_t) -@@ -100,4 +106,5 @@ +@@ -100,4 +110,5 @@ optional_policy(` xserver_manage_xdm_tmp_files(pulseaudio_t) xserver_read_xdm_lib_files(pulseaudio_t) @@ -4414,7 +4479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# No types are sandbox_exec_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2009-10-15 12:43:45.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2009-10-21 07:38:35.000000000 -0400 @@ -0,0 +1,184 @@ + +## policy for sandbox 
@@ -4456,7 +4521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types sandbox_xserver_t; + allow $1 sandbox_xserver_t:process signal_perms; + -+ allow sandbox_x_domain $1:process sigchld; ++ allow sandbox_x_domain $1:process { sigchld signal }; + allow sandbox_x_domain sandbox_x_domain:process signal; + # Dontaudit leaked file descriptors + dontaudit sandbox_x_domain $1:fifo_file rw_fifo_file_perms; 
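Review bot: Widening `allow sandbox_x_domain $1:process { sigchld signal };` lets every sandboxed X domain deliver ordinary signals (everything except kill and stop, which are separate permissions) to any process of the launching user domain $1, not merely report its own exit; since sandbox_x_domain exists to keep untrusted content away from the user session, a sandboxed process can now interrupt or terminate the user's other processes. If the launcher only needs to be told that its child finished, `sigchld` alone already covers that; if a real signal is required, say which one and why in a comment such as `# sandbox children must be able to signal the launching process; keep this to signal, never kill` (I am inferring the motivation, so confirm it against the launcher). The interface this line belongs to starts and ends outside the hunk.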
@@ -4949,6 +5014,147 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state($1_screen_t) kernel_read_kernel_sysctls($1_screen_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.fc serefpolicy-3.6.32/policy/modules/apps/sectoolm.fc +--- nsaserefpolicy/policy/modules/apps/sectoolm.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/apps/sectoolm.fc 2009-10-21 09:33:05.000000000 -0400 +@@ -0,0 +1,6 @@ ++ ++/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0) ++ ++/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0) ++ ++/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.if serefpolicy-3.6.32/policy/modules/apps/sectoolm.if +--- nsaserefpolicy/policy/modules/apps/sectoolm.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/apps/sectoolm.if 2009-10-21 09:33:05.000000000 -0400 +@@ -0,0 +1,3 @@ ++ ++## policy for sectool-mechanism ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.te serefpolicy-3.6.32/policy/modules/apps/sectoolm.te +--- nsaserefpolicy/policy/modules/apps/sectoolm.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/apps/sectoolm.te 2009-10-21 09:35:38.000000000 -0400 +@@ -0,0 +1,120 @@ ++ ++policy_module(sectoolm,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type sectoolm_t; ++type sectoolm_exec_t; ++dbus_system_domain(sectoolm_t, sectoolm_exec_t) ++ ++# /var/lib files ++type sectool_var_lib_t; ++files_type(sectool_var_lib_t) ++ ++# log files ++type sectool_var_log_t; ++logging_log_file(sectool_var_log_t) ++ ++# tmp files ++type sectool_tmp_t; ++files_tmp_file(sectool_tmp_t) ++ 
++permissive sectoolm_t; ++ ++######################################## ++# ++# sectool local policy ++# ++ ++allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace }; ++allow sectoolm_t self:process { getcap getsched signull setsched }; ++dontaudit sectoolm_t self:process { execstack execmem }; ++ ++allow sectoolm_t self:fifo_file rw_fifo_file_perms; ++allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto }; ++ ++# tmp files ++manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) ++manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) ++files_tmp_filetrans(sectoolm_t, sectool_tmp_t, { file dir }) ++ ++# var/lib files ++manage_files_pattern(sectoolm_t, sectool_var_lib_t,sectool_var_lib_t) ++manage_dirs_pattern(sectoolm_t, sectool_var_lib_t,sectool_var_lib_t) ++files_var_lib_filetrans(sectoolm_t,sectool_var_lib_t, { file dir }) ++ ++# log files ++manage_files_pattern(sectoolm_t, sectool_var_log_t,sectool_var_log_t) ++logging_log_filetrans(sectoolm_t,sectool_var_log_t,{ file }) ++ ++corecmd_exec_bin(sectoolm_t) ++corecmd_exec_shell(sectoolm_t) ++ ++kernel_read_net_sysctls(sectoolm_t) ++kernel_read_network_state(sectoolm_t) ++kernel_read_kernel_sysctls(sectoolm_t) ++ ++dev_read_sysfs(sectoolm_t) ++dev_read_urand(sectoolm_t) ++ ++dev_getattr_all_blk_files(sectoolm_t) ++dev_getattr_all_chr_files(sectoolm_t) ++ ++# selinux test ++selinux_validate_context(sectoolm_t) ++ ++fs_getattr_all_fs(sectoolm_t) ++fs_list_noxattr_fs(sectoolm_t) ++ ++files_getattr_all_pipes(sectoolm_t) ++files_getattr_all_sockets(sectoolm_t) ++files_read_all_files(sectoolm_t) ++files_read_all_symlinks(sectoolm_t) ++ ++auth_use_nsswitch(sectoolm_t) ++ ++libs_exec_ld_so(sectoolm_t) ++ ++logging_send_syslog_msg(sectoolm_t) ++ ++# tcp_wrappers test ++application_exec_all(sectoolm_t) ++ ++domain_getattr_all_domains(sectoolm_t) ++domain_read_all_domains_state(sectoolm_t) ++ ++userdom_users_dgram_send(sectoolm_t) ++userdom_dgram_send(sectoolm_t) 
++userdom_manage_user_tmp_sockets(sectoolm_t) ++ ++# tests related to network ++hostname_exec(sectoolm_t) ++iptables_domtrans(sectoolm_t) ++sysnet_domtrans_ifconfig(sectoolm_t) ++ ++optional_policy(` ++ mount_exec(sectoolm_t) ++') ++ ++optional_policy(` ++ policykit_dbus_chat(sectoolm_t) ++') ++ ++# suid test using ++# rpm -Vf option ++optional_policy(` ++ prelink_domtrans(sectoolm_t) ++') ++ ++optional_policy(` ++ rpm_exec(sectoolm_t) ++ rpm_append_log(sectoolm_t) ++ rpm_manage_pid_files(sectoolm_t) ++ rpm_pid_filetrans(sectoolm_t) ++ rpm_dontaudit_manage_db(sectoolm_t) ++') ++ ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.fc serefpolicy-3.6.32/policy/modules/apps/seunshare.fc --- nsaserefpolicy/policy/modules/apps/seunshare.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.32/policy/modules/apps/seunshare.fc 2009-09-30 16:12:48.000000000 -0400 @@ -5307,7 +5513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-07-30 13:09:10.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2009-10-15 13:16:38.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2009-10-21 09:33:05.000000000 -0400 @@ -1,4 +1,4 @@ - +c 
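Review bot: The new `sectoolm_t` domain in sectoolm.te is declared `permissive sectoolm_t;` while also being granted the `sys_ptrace`, `dac_override` and `net_admin` capabilities, `files_read_all_files`, `domain_read_all_domains_state`, `application_exec_all`, shell and bin execution, and transitions to iptables, ifconfig, prelink and rpm, and nothing in the file says the permissive line is a bring-up measure; in permissive mode none of the rules here are enforced, so the file documents an intent rather than a confinement. Add a comment above it recording that it is temporary and what has to happen before it goes, e.g. `# Bring-up only: remove once the sectool test suite runs without AVC denials in enforcing mode`, and track the removal outside the policy. Separately, `dontaudit sectoolm_t self:process { execstack execmem };` silences two denials that usually point at a real problem in a Python program (the .fc labels `/usr/libexec/sectool-mechanism\.py`); a one-line comment on why they are expected here would help the next maintainer. The sectoolm.fc and sectoolm.if parts of this hunk, and the `sectoolm = module` additions in the two modules-*.conf hunks at the top of the page, are fine as written.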
@@ -5349,16 +5555,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -221,6 +228,8 @@ +@@ -221,6 +228,9 @@ /usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -263,6 +272,7 @@ +@@ -263,6 +273,7 @@ /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) @@ -5366,7 +5573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0) -@@ -315,3 +325,21 @@ +@@ -315,3 +326,21 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
@@ -5435,7 +5642,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-10-07 16:06:40.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-10-21 07:47:57.000000000 -0400 @@ -65,6 +65,7 @@ type server_packet_t, packet_type, server_packet_type; @@ -5444,7 +5651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) network_port(afs_pt, udp,7002,s0) -@@ -87,26 +88,32 @@ +@@ -87,26 +88,33 @@ network_port(comsat, udp,512,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0) @@ -5466,6 +5673,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +network_port(ftps, tcp,990,s0, udp,990,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) network_port(giftd, tcp,1213,s0) ++network_port(git, tcp,9418,s0, udp,9418,s0) network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hddtemp, tcp,7634,s0) 
@@ -5479,7 +5687,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -@@ -129,7 +136,7 @@ +@@ -129,7 +137,7 @@ network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) network_port(lmtp, tcp,24,s0, udp,24,s0) type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon @@ -5488,7 +5696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) -@@ -147,6 +154,12 @@ +@@ -147,12 +155,19 @@ network_port(pegasus_https, tcp,5989,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) @@ -5501,7 +5709,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) -@@ -173,27 +186,34 @@ + network_port(postgresql, tcp,5432,s0) + network_port(postgrey, tcp,60000,s0) + network_port(prelude, tcp,4690,s0, udp,4690,s0) ++network_port(presence, tcp,5298,s0, udp,5298,s0) + network_port(printer, tcp,515,s0) + network_port(ptal, tcp,5703,s0) + network_port(pulseaudio, tcp,4713,s0) +@@ -173,27 +188,34 @@ network_port(sap, tcp,9875,s0, udp,9875,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) 
@@ -5539,7 +5754,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -222,6 +242,8 @@ +@@ -222,6 +244,8 @@ type node_t, node_type; sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh) @@ -9137,7 +9352,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2009-10-08 15:30:50.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2009-10-21 11:43:32.000000000 -0400 @@ -31,16 +31,37 @@ userdom_restricted_xwindows_user_template(xguest) @@ -9197,7 +9412,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -75,9 +101,15 @@ +@@ -75,9 +101,16 @@ ') optional_policy(` @@ -9207,6 +9422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` tunable_policy(`xguest_connect_network',` networkmanager_dbus_chat(xguest_t) ++ networkmanager_read_var_lib_files(xguest_t) + corenet_tcp_connect_pulseaudio_port(xguest_t) + corenet_tcp_connect_ipp_port(xguest_t) ') 
@@ -9278,7 +9494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-10-19 14:55:25.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-10-21 10:05:17.000000000 -0400 @@ -75,6 +75,7 @@ corecmd_exec_bin(abrt_t) @@ -9364,7 +9580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/cman_.* -s gen_context(system_u:object_r:aisexec_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.6.32/policy/modules/services/aisexec.if --- nsaserefpolicy/policy/modules/services/aisexec.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/aisexec.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/aisexec.if 2009-10-21 07:51:25.000000000 -0400 @@ -0,0 +1,106 @@ +## SELinux policy for Aisexec Cluster Engine + @@ -9700,7 +9916,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/apache.if 2009-10-21 11:09:04.000000000 -0400 @@ -13,21 +13,16 @@ # template(`apache_content_template',` 
@@ -11190,6 +11406,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an bind environment ## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.6.32/policy/modules/services/bluetooth.if +--- nsaserefpolicy/policy/modules/services/bluetooth.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/bluetooth.if 2009-10-21 07:54:27.000000000 -0400 +@@ -153,6 +153,27 @@ + dontaudit $1 bluetooth_helper_t:file { read getattr }; + ') + ++##################################### ++## ++## Connect to bluetooth over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bluetooth_stream_connect',` ++ gen_require(` ++ type bluetooth_t, bluetooth_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 bluetooth_t:socket rw_socket_perms; ++ stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t) ++') ++ + ######################################## + ## + ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.32/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/bluetooth.te 2009-09-30 16:12:48.000000000 -0400 
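Review bot: The summary of the new `bluetooth_stream_connect` interface describes only a unix-domain stream connect, but the body also grants `allow $1 bluetooth_t:socket rw_socket_perms;`, i.e. read/write on any generic-class socket labelled bluetooth_t that the caller gets hold of (descriptor passing, for instance), which is broader than the connect and is not what a reader of the summary expects. Either extend the description, something like "Also allows reading and writing bluetooth_t sockets handed to the caller", or, if pulseaudio (the only caller added in this patch) needs just the connect, drop the line. The header uses 37 `#` where the surrounding interfaces use 40. The interface is complete within the hunk.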
@@ -13573,6 +13820,488 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(ftpd_t) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.6.32/policy/modules/services/git.fc +--- nsaserefpolicy/policy/modules/services/git.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/git.fc 2009-10-21 11:39:52.000000000 -0400 +@@ -1,3 +1,9 @@ + /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0) +-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) + /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) ++ ++/srv/git(/.*)? gen_context(system_u:object_r:git_data_t, s0) ++ ++/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t, s0) ++ ++# Conflict with Fedora cgit fc spec. ++/var/lib/git(/.*)? gen_context(system_u:object_r:git_data_t, s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.6.32/policy/modules/services/git.if +--- nsaserefpolicy/policy/modules/services/git.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/git.if 2009-10-21 11:33:38.000000000 -0400 +@@ -1 +1,285 @@ +-## GIT revision control system ++## Git daemon is a really simple server for Git repositories. ++## ++##

++## A really simple TCP git daemon that normally listens on ++## port DEFAULT_GIT_PORT aka 9418. It waits for a ++## connection asking for a service, and will serve that ++## service if it is enabled. ++##

++##

++## It verifies that the directory has the magic file ++## git-daemon-export-ok, and it will refuse to export any ++## git directory that has not explicitly been marked for ++## export this way (unless the --export-all parameter is ++## specified). If you pass some directory paths as ++## git-daemon arguments, you can further restrict the ++## offers to a whitelist comprising of those. ++##

++##

++## By default, only upload-pack service is enabled, which ++## serves git-fetch-pack and git-ls-remote clients, which ++## are invoked from git-fetch, git-pull, and git-clone. ++##

++##

++## This is ideally suited for read-only updates, i.e., ++## pulling from git repositories. ++##

++##

++## An upload-archive also exists to serve git-archive. ++##

++##
++ ++####################################### ++## ++## Role access for Git daemon session. ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++## ++## User domain for the role. ++## ++## ++# ++interface(`git_session_role', ` ++ gen_require(` ++ type gitd_session_t, gitd_exec_t, git_home_t; ++ ') ++ ++ ######################################## ++ # ++ # Git daemon session data declarations. ++ # ++ ++ ## ++ ##

++ ## Allow transitions to the Git daemon ++ ## session domain. ++ ##

++ ##
++ gen_tunable(gitd_session_transition, false) ++ ++ role $1 types gitd_session_t; ++ ++ ######################################## ++ # ++ # Git daemon session data policy. ++ # ++ ++ tunable_policy(`gitd_session_transition', ` ++ domtrans_pattern($2, gitd_exec_t, gitd_session_t) ++ ', ` ++ can_exec($2, gitd_exec_t) ++ ') ++ ++ allow $2 gitd_session_t:process { ptrace signal_perms }; ++ ps_process_pattern($2, gitd_session_t) ++ ++ exec_files_pattern($2, git_home_t, git_home_t) ++ manage_dirs_pattern($2, git_home_t, git_home_t) ++ manage_files_pattern($2, git_home_t, git_home_t) ++ ++ relabel_dirs_pattern($2, git_home_t, git_home_t) ++ relabel_files_pattern($2, git_home_t, git_home_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to execute ++## Git daemon data files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`git_execute_data_files', ` ++ gen_require(` ++ type git_data_t; ++ ') ++ ++ exec_files_pattern($1, git_data_t, git_data_t) ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Allow the specified domain to manage ++## Git daemon data content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`git_manage_data_content', ` ++ gen_require(` ++ type git_data_t; ++ ') ++ ++ manage_dirs_pattern($1, git_data_t, git_data_t) ++ manage_files_pattern($1, git_data_t, git_data_t) ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Allow the specified domain to manage ++## Git daemon home content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`git_manage_home_content', ` ++ gen_require(` ++ type git_home_t; ++ ') ++ ++ manage_dirs_pattern($1, git_home_t, git_home_t) ++ manage_files_pattern($1, git_home_t, git_home_t) ++ files_search_home($1) ++') ++ ++######################################## ++## ++## Allow the specified domain to read ++## Git daemon home content. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`git_read_home_content', ` ++ gen_require(` ++ type git_home_t; ++ ') ++ ++ list_dirs_pattern($1, git_home_t, git_home_t) ++ read_files_pattern($1, git_home_t, git_home_t) ++ files_search_home($1) ++') ++ ++######################################## ++## ++## Allow the specified domain to read ++## Git daemon data content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`git_read_data_content', ` ++ gen_require(` ++ type git_data_t; ++ ') ++ ++ list_dirs_pattern($1, git_data_t, git_data_t) ++ read_files_pattern($1, git_data_t, git_data_t) ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Allow the specified domain to relabel ++## Git daemon data content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`git_relabel_data_content', ` ++ gen_require(` ++ type git_data_t; ++ ') ++ ++ relabel_dirs_pattern($1, git_data_t, git_data_t) ++ relabel_files_pattern($1, git_data_t, git_data_t) ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Allow the specified domain to relabel ++## Git daemon home content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`git_relabel_home_content', ` ++ gen_require(` ++ type git_home_t; ++ ') ++ ++ relabel_dirs_pattern($1, git_home_t, git_home_t) ++ relabel_files_pattern($1, git_home_t, git_home_t) ++ files_search_home($1) ++') ++ ++######################################## ++## ++## All of the rules required to administrate an ++## Git daemon system environment ++## ++## ++## ++## Prefix of the domain. Example, user would be ++## the prefix for the user_t domain. ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the Git daemon domain. 
++## ++## ++## ++# ++interface(`git_system_admin', ` ++ gen_require(` ++ type gitd_t, gitd_exec_t; ++ ') ++ ++ allow $1 gitd_t:process { getattr ptrace signal_perms }; ++ ps_process_pattern($1, gitd_t) ++ ++ kernel_search_proc($1) ++ ++ manage_files_pattern($1, gitd_exec_t, gitd_exec_t) ++ ++ # This will not work since git-shell needs to execute gitd content thus public content files. ++ # There is currently no clean way to execute public content files. ++ # miscfiles_manage_public_files($1) ++ ++ git_manage_data_content($1) ++ git_relabel_data_content($1) ++ ++ seutil_domtrans_setfiles($1) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.32/policy/modules/services/git.te +--- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/git.te 2009-10-21 11:39:13.000000000 -0400 +@@ -1,9 +1,173 @@ + + policy_module(git, 1.0) + ++attribute gitd_type; ++attribute git_content_type; ++ ++######################################## ++# ++# Git daemon system private declarations. ++# ++ ++## ++##

++## Allow Git daemon system to search home directories. ++##

++##
++gen_tunable(git_system_enable_homedirs, false) ++ ++## ++##

++## Allow Git daemon system to access cifs file systems. ++##

++##
++gen_tunable(git_system_use_cifs, false) ++ ++## ++##

++## Allow Git daemon system to access nfs file systems. ++##

++##
++gen_tunable(git_system_use_nfs, false) ++ ++######################################## ++# ++# Git daemon global private declarations. ++# ++type gitd_exec_t; ++ ++type gitd_t, gitd_type; ++inetd_service_domain(gitd_t, gitd_exec_t) ++role system_r types gitd_t; ++ ++type git_data_t, git_content_type; ++files_type(git_data_t) ++ ++permissive gitd_t; ++ ++######################################## ++# ++# Git daemon session session private declarations. ++# ++ ++## ++##

++## Allow Git daemon session to bind ++## tcp sockets to all unreserved ports. ++##

++##
++gen_tunable(git_session_bind_all_unreserved_ports, false) ++ ++type gitd_session_t, gitd_type; ++application_domain(gitd_session_t, gitd_exec_t) ++ubac_constrained(gitd_session_t) ++ ++type git_home_t, git_content_type; ++userdom_user_home_content(git_home_t) ++ ++permissive gitd_session_t; ++ ++######################################## ++# ++# Git daemon global private policy. ++# ++ ++allow gitd_type self:fifo_file rw_fifo_file_perms; ++allow gitd_type self:tcp_socket create_socket_perms; ++allow gitd_type self:udp_socket create_socket_perms; ++allow gitd_type self:unix_dgram_socket create_socket_perms; ++ ++corenet_all_recvfrom_netlabel(gitd_type) ++corenet_all_recvfrom_unlabeled(gitd_type) ++ ++corenet_tcp_sendrecv_all_if(gitd_type) ++corenet_tcp_sendrecv_all_nodes(gitd_type) ++corenet_tcp_sendrecv_all_ports(gitd_type) ++ ++corenet_tcp_bind_all_nodes(gitd_type) ++corenet_tcp_bind_git_port(gitd_type) ++ ++corecmd_exec_bin(gitd_type) ++ ++files_read_etc_files(gitd_type) ++files_read_usr_files(gitd_type) ++ ++fs_search_auto_mountpoints(gitd_type) ++ ++kernel_read_system_state(gitd_type) ++ ++logging_send_syslog_msg(gitd_type) ++ ++auth_use_nsswitch(gitd_type) ++ ++miscfiles_read_localization(gitd_type) ++ ++######################################## ++# ++# Git daemon system repository private policy. ++# ++ ++list_dirs_pattern(gitd_t, git_content_type, git_content_type) ++read_files_pattern(gitd_t, git_content_type, git_content_type) ++files_search_var(gitd_t) ++ ++# This will not work since git-shell needs to execute gitd content thus public content files. ++# There is currently no clean way to execute public content files. 
++# miscfiles_read_public_files(gitd_t) ++ ++tunable_policy(`git_system_enable_homedirs', ` ++ userdom_search_user_home_dirs(gitd_t) ++') ++ ++tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', ` ++ fs_list_nfs(gitd_t) ++ fs_read_nfs_files(gitd_t) ++') ++ ++tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', ` ++ fs_list_cifs(gitd_t) ++ fs_read_cifs_files(gitd_t) ++') ++ ++tunable_policy(`git_system_use_cifs', ` ++ fs_list_cifs(gitd_t) ++ fs_read_cifs_files(gitd_t) ++') ++ ++tunable_policy(`git_system_use_nfs', ` ++ fs_list_nfs(gitd_t) ++ fs_read_nfs_files(gitd_t) ++') ++ ++######################################## ++# ++# Git daemon session repository private policy. ++# ++ ++list_dirs_pattern(gitd_session_t, git_home_t, git_home_t) ++read_files_pattern(gitd_session_t, git_home_t, git_home_t) ++userdom_search_user_home_dirs(gitd_session_t) ++ ++userdom_use_user_terminals(gitd_session_t) ++ ++tunable_policy(`git_session_bind_all_unreserved_ports', ` ++ corenet_tcp_bind_all_unreserved_ports(gitd_session_t) ++') ++ ++tunable_policy(`use_nfs_home_dirs', ` ++ fs_list_nfs(gitd_session_t) ++ fs_read_nfs_files(gitd_session_t) ++') ++ ++tunable_policy(`use_samba_home_dirs', ` ++ fs_list_cifs(gitd_session_t) ++ fs_read_cifs_files(gitd_session_t) ++') ++ + ######################################## + # +-# Declarations ++# cgi git Declarations + # + + apache_content_template(git) ++git_read_data_content(httpd_git_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.6.32/policy/modules/services/gpm.te --- nsaserefpolicy/policy/modules/services/gpm.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/gpm.te 2009-09-30 16:12:48.000000000 -0400 
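Review bot: Both new daemon domains in git.te are declared `permissive gitd_t;` and `permissive gitd_session_t;` without a comment, so the network-facing git daemon (it binds the git port and gets `corenet_tcp_sendrecv_all_ports(gitd_type)`) is audit-only and none of the read-only repository rules below it are enforced; put a note above each, e.g. `# Bring-up only: drop once the daemon runs cleanly in enforcing mode`, so the lines are not mistaken for a permanent choice. In git.if, `git_session_role` declares `gen_tunable(gitd_session_transition, false)` inside the interface body with no role prefix, so if the interface is ever invoked for a second role the boolean would, as far as I can tell, be declared twice; moving it next to the other gitd tunables in git.te (where `git_session_bind_all_unreserved_ports` lives) avoids that. The same interface hands the user domain `ptrace` over gitd_session_t; if that is only there for ps-style inspection, `signal_perms` together with the `ps_process_pattern` call already present may be enough. In git.fc the `/var/lib/git(/.*)?` entry moves from httpd_git_content_t to git_data_t and `git_read_data_content(httpd_git_script_t)` at the end of the hunk keeps cgit readable, but the comment `# Conflict with Fedora cgit fc spec.` should state that this entry supersedes the removed httpd_git_content_t one rather than just noting a conflict.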
@@ -13896,8 +14625,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.6.32/policy/modules/services/inetd.te --- nsaserefpolicy/policy/modules/services/inetd.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/inetd.te 2009-09-30 16:12:48.000000000 -0400 -@@ -138,6 +138,8 @@ ++++ serefpolicy-3.6.32/policy/modules/services/inetd.te 2009-10-21 11:02:27.000000000 -0400 +@@ -104,6 +104,8 @@ + corenet_tcp_bind_telnetd_port(inetd_t) + corenet_udp_bind_tftp_port(inetd_t) + corenet_tcp_bind_ssh_port(inetd_t) ++corenet_tcp_bind_git_port(inetd_t) ++corenet_udp_bind_git_port(inetd_t) + + # service port packets: + corenet_sendrecv_amanda_server_packets(inetd_t) +@@ -138,6 +140,8 @@ files_read_etc_files(inetd_t) files_read_etc_runtime_files(inetd_t) @@ -14544,7 +15282,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.32/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.if 2009-10-02 08:40:53.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/networkmanager.if 2009-10-21 10:29:42.000000000 -0400 @@ -118,6 +118,24 @@ ######################################## @@ -14570,7 +15308,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read NetworkManager PID files. ##
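Review bot: `corenet_udp_bind_git_port(inetd_t)` in the new inetd.te lines grants more than this service needs: git-daemon speaks only TCP, so there is no legitimate listener behind a UDP bind on the git port and the line should be dropped, leaving `corenet_tcp_bind_git_port(inetd_t)`. The `# service port packets:` block that follows in the same hunk pairs binds with `corenet_sendrecv_*_server_packets` rules; if inetd.te keeps that convention, `corenet_sendrecv_git_server_packets(inetd_t)` belongs next to the new bind. Binding the port only lets inetd listen; the transition from inetd_t into the git daemon domain that makes this useful is not in this hunk, so it is worth confirming it exists in git.te. The inetd_t rule list continues outside the hunk.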
## -@@ -134,3 +152,49 @@ +@@ -134,3 +152,50 @@ files_search_pids($1) allow $1 NetworkManager_var_run_t:file read_file_perms; ') @@ -14591,6 +15329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + files_search_var_lib($1) ++ list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) + read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) +') + @@ -17002,12 +17741,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.32/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/postgresql.fc 2009-09-30 16:12:48.000000000 -0400 -@@ -2,6 +2,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/postgresql.fc 2009-10-21 11:42:45.000000000 -0400 +@@ -2,6 +2,8 @@ # /etc # /etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0) +/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0) ++/etc/sysconfig/pgsql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0) # # /usr 
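Review bot: Relabeling `/etc/sysconfig/pgsql(/.*)?` from the default etc_t to postgresql_etc_t changes which domains may read the file the init script sources for its settings, and the init script does not run as postgresql_t. Whatever domain it runs in (initrc_t, or the domain reached through postgresql_initrc_exec_t) must already be allowed to read postgresql_etc_t, which nothing in this hunk shows; that should be confirmed before the entry ships. A one-line comment above the entry would save the next reader the same question, e.g. `# init-script settings, sourced by the init script rather than the daemon`. The rest of postgresql.fc is outside the hunk.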
@@ -21049,13 +21789,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.32/policy/modules/services/sssd.fc --- nsaserefpolicy/policy/modules/services/sssd.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/sssd.fc 2009-09-30 16:12:48.000000000 -0400 -@@ -1,4 +1,4 @@ ++++ serefpolicy-3.6.32/policy/modules/services/sssd.fc 2009-10-21 10:05:54.000000000 -0400 +@@ -1,6 +1,9 @@ -/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) /usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) + /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) ++ ++/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) ++ + /var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if --- nsaserefpolicy/policy/modules/services/sssd.if 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/sssd.if 2009-09-30 16:12:48.000000000 -0400 @@ -21123,8 +21868,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##
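Review bot: The new `/var/log/sssd(/.*)?` entry labels the log tree sssd_var_lib_t, while the sssd.te change in this same patch declares `sssd_var_log_t` with `logging_log_file()` and has sssd_t create its log files as sssd_var_log_t through `logging_log_filetrans`. As written the two disagree: a package install or `restorecon` puts sssd_var_lib_t on /var/log/sssd, files the daemon creates at runtime get sssd_var_log_t, and the on-disk logs never carry the logging module's log-file attribute, so anything granted log access through that attribute will presumably not reach them, while anything granted access to sssd's /var/lib state presumably will. The entry should be `/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)`.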
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.32/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/sssd.te 2009-09-30 16:12:48.000000000 -0400 -@@ -23,7 +23,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/sssd.te 2009-10-21 10:05:38.000000000 -0400 +@@ -16,6 +16,9 @@ + type sssd_var_lib_t; + files_type(sssd_var_lib_t) + ++type sssd_var_log_t; ++logging_log_file(sssd_var_log_t) ++ + type sssd_var_run_t; + files_pid_file(sssd_var_run_t) + +@@ -23,7 +26,7 @@ # # sssd local policy # @@ -21133,7 +21888,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow sssd_t self:process { setsched signal getsched }; allow sssd_t self:fifo_file rw_file_perms; allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -37,6 +37,8 @@ +@@ -33,10 +36,15 @@ + manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) + files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } ) + ++manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) ++logging_log_filetrans(sssd_t, sssd_var_log_t, file) ++ + manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) @@ -21142,7 +21904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(sssd_t) corecmd_exec_bin(sssd_t) -@@ -58,6 +60,8 @@ +@@ -58,6 +66,8 @@ miscfiles_read_localization(sssd_t) 
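Review bot: `logging_log_filetrans(sssd_t, sssd_var_log_t, file)` transitions files only, and the new `manage_files_pattern` line grants no directory permissions on sssd_var_log_t, so if sssd ever creates `/var/log/sssd` or a subdirectory itself the directory would be created as plain var_log_t and would not be covered by these rules. If packaging guarantees the directory exists with the right label, a comment saying so is enough; otherwise add `manage_dirs_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)` and widen the transition to `logging_log_filetrans(sssd_t, sssd_var_log_t, { file dir })`, which is how sssd_var_lib_t and sssd_var_run_t are handled in the adjacent lines. The inner sssd.te hunk shows only part of the local policy.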
@@ -28732,7 +29494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-20 14:59:26.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-21 10:57:55.000000000 -0400 @@ -30,8 +30,9 @@ ') @@ -29456,7 +30218,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - samba_stream_connect_winbind($1_t) -+ sandbox_transition($1_t, $1_r) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` @@ -29770,6 +30532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) # Need the following rule to allow users to run vpnc corenet_tcp_bind_xserver_port($1_t) ++ corenet_tcp_bind_all_nodes($1_usertype) - files_exec_usr_files($1_t) - # cjp: why? @@ -29782,7 +30545,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + # the same domain and outside users) disabling this forces FTP passive mode + # and may change other protocols + tunable_policy(`user_tcp_server',` -+ corenet_tcp_bind_all_nodes($1_usertype) + corenet_tcp_bind_all_unreserved_ports($1_usertype) + ') @@ -30242,7 +31004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3064,3 +3253,559 @@ +@@ -3064,3 +3253,578 @@ allow $1 userdomain:dbus send_msg; ') 
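Review bot: The unconditional `corenet_tcp_bind_all_nodes($1_usertype)` now sits beside `corenet_tcp_bind_xserver_port($1_t)` with no comment, so a reader sees a node bind moved out from under `user_tcp_server` and has to work out that it opens nothing by itself, and the two rules target different things (`$1_usertype` versus `$1_t`). Either put both on the same target or say why they differ, and give the moved rule its own why-comment, e.g. `# node bind is only a prerequisite for the port binds below (xserver port, and unreserved ports under user_tcp_server); it opens no port on its own`. The `user_tcp_server` comment just below still reads as if it covered the node bind too and should be trimmed to the port bind it now guards. The enclosing template body runs outside both hunks.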
@@ -30508,6 +31270,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 unpriv_userdomain:unix_dgram_socket sendto; +') + ++###################################### ++## ++## Send a message to users over a unix domain ++## datagram socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_users_dgram_send',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:unix_dgram_socket sendto; ++') ++ +####################################### +## +## Allow execmod on files in homedirectory diff --git a/selinux-policy.spec b/selinux-policy.spec index e2bca5d..236cc15 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 30%{?dist} +Release: 31%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -449,6 +449,11 @@ exit 0 %endif %changelog +* Wed Oct 21 2009 Dan Walsh 3.6.32-31 +- Allow unconfined_execmem_t to transition to sandbox +- Add sectool policy +- Add sssd log files + * Tue Oct 20 2009 Dan Walsh 3.6.32-30 - Fixes found for confined users day
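Review bot: The doc comment on the new `userdom_users_dgram_send` does not say what separates it from the interface just above it (whose name is outside the hunk), which is scoped to `unpriv_userdomain`: this one targets the `userdomain` attribute, so it presumably reaches privileged user domains such as sysadm as well. Callers choosing between the two need that stated, e.g. `## Send a message to all user domains, privileged ones included, over a unix domain datagram socket; prefer the unpriv_userdomain variant when only unprivileged users must be reachable.`. Since the doc block is what the interface reference is generated from, the caveat belongs there rather than in a code comment.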