diff --git a/policy-F12.patch b/policy-F12.patch index b379d63..379b1a1 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -5325,7 +5325,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.14/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-06-08 15:22:17.000000000 -0400 -+++ serefpolicy-3.6.14/policy/modules/kernel/devices.if 2009-06-08 21:43:15.000000000 -0400 ++++ serefpolicy-3.6.14/policy/modules/kernel/devices.if 2009-06-11 08:31:29.000000000 -0400 @@ -1655,6 +1655,78 @@ ######################################## @@ -5780,7 +5780,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.14/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.14/policy/modules/kernel/files.if 2009-06-08 21:43:15.000000000 -0400 ++++ serefpolicy-3.6.14/policy/modules/kernel/files.if 2009-06-11 11:53:08.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -5855,10 +5855,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Mount a filesystem on a directory with the default file type. ## ## -@@ -1915,6 +1957,26 @@ - - ######################################## - ## +@@ -1911,6 +1953,27 @@ + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1, etc_t, etc_t) + read_lnk_files_pattern($1, etc_t, etc_t) ++ files_read_etc_runtime_files($1) ++') ++ ++######################################## ++## +## Read config files in /etc. +## +## 
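Review bot: The new inner hunk `@@ -1911,6 +1953,27 @@` adds `files_read_etc_runtime_files($1)` inside the interface whose etc_t rules are shown (evidently `files_read_etc_files`), so every caller of that very widely used interface now also gets read access to etc_runtime_t, the type the reference policy uses for runtime-generated files such as /etc/mtab and /etc/resolv.conf. That is a policy widening rather than a bug fix, and nothing in the commit records it: the paired hunk `@@ -5875,14 +5880,10 @@` on the next line only relocates the closing `')` and divider that the earlier patch version had placed before the new etcfile interface, and the spec changelog entry for 3.6.14-3 mentions only the NetworkManager inotifyfs change. The interface's `<summary>`/`<desc>` text, which is outside this hunk, should state the wider grant, e.g. `## Read generic files in /etc, including runtime-generated files (etc_runtime_t).`, and the changelog should gain a line for it. Any caller that is meant to keep the narrower grant now needs its own rules instead of this interface.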
@@ -5875,14 +5880,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 etcfile:dir list_dir_perms; + read_files_pattern($1, etcfile, etcfile) + read_lnk_files_pattern($1, etcfile, etcfile) -+') -+ -+######################################## -+## - ## Do not audit attempts to write generic files in /etc. - ## - ## -@@ -2250,6 +2312,49 @@ + ') + + ######################################## +@@ -2250,6 +2313,49 @@ ######################################## ## @@ -5932,7 +5933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -2820,6 +2925,7 @@ +@@ -2820,6 +2926,7 @@ ') allow $1 modules_object_t:dir search_dir_perms; @@ -5940,7 +5941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3390,6 +3496,24 @@ +@@ -3390,6 +3497,24 @@ ######################################## ## @@ -5965,7 +5966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read all tmp files. ## ## -@@ -3456,6 +3580,8 @@ +@@ -3456,6 +3581,8 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -5974,7 +5975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3546,7 +3672,7 @@ +@@ -3546,7 +3673,7 @@ type usr_t; ') @@ -5983,7 +5984,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3564,7 +3690,12 @@ +@@ -3564,7 +3691,12 @@ type usr_t; ') 
@@ -5997,7 +5998,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4413,6 +4544,28 @@ +@@ -4413,6 +4545,28 @@ ######################################## ## @@ -6026,7 +6027,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create an object in the locks directory, with a private ## type using a type transition. ## -@@ -4532,7 +4685,8 @@ +@@ -4532,7 +4686,8 @@ type var_t, var_run_t; ') @@ -6036,7 +6037,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4873,7 +5027,7 @@ +@@ -4873,7 +5028,7 @@ selinux_compute_member($1) # Need sys_admin capability for mounting @@ -6045,7 +6046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Need to give access to the directories to be polyinstantiated allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -@@ -4895,12 +5049,15 @@ +@@ -4895,12 +5050,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -6062,7 +6063,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -4921,3 +5078,173 @@ +@@ -4921,3 +5079,173 @@ typeattribute $1 files_unconfined_type; ') @@ -6611,7 +6612,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.14/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.14/policy/modules/kernel/terminal.if 2009-06-08 21:43:15.000000000 -0400 ++++ serefpolicy-3.6.14/policy/modules/kernel/terminal.if 2009-06-11 10:02:52.000000000 -0400 @@ -173,7 +173,7 @@ dev_list_all_dev_nodes($1) 
@@ -6657,6 +6658,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ioctl of generic pty devices. ## ## +@@ -552,6 +571,25 @@ + dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; + ') + ++####################################### ++## ++## Set the attributes of the tty device ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`term_setattr_controlling_term',` ++ gen_require(` ++ type devtty_t; ++ ') ++ ++ dev_list_all_dev_nodes($1) ++ allow $1 devtty_t:chr_file setattr; ++') ++ + ######################################## + ## + ## Read and write the controlling diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.14/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 2009-04-06 12:42:08.000000000 -0400 +++ serefpolicy-3.6.14/policy/modules/roles/guest.te 2009-06-08 21:43:15.000000000 -0400 @@ -10170,7 +10197,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.14/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2009-03-23 13:47:11.000000000 -0400 -+++ serefpolicy-3.6.14/policy/modules/services/avahi.te 2009-06-08 21:43:15.000000000 -0400 ++++ serefpolicy-3.6.14/policy/modules/services/avahi.te 2009-06-11 08:36:56.000000000 -0400 @@ -33,6 +33,7 @@ allow avahi_t self:tcp_socket create_stream_socket_perms; allow avahi_t self:udp_socket create_socket_perms; 
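Review bot: The new `term_setattr_controlling_term` interface documents itself as `Set the attributes of the tty device`, which is vaguer than its name and does not tell a policy author that the object is `devtty_t`, the controlling-terminal device node, rather than a tty type or the console. Suggest `## Set the attributes of the controlling terminal (devtty_t).` so it is distinguishable from term_setattr_console and the tty-type interfaces when someone is picking the narrowest grant. The leading `#` divider also appears one character shorter than the 40-column divider on the neighbouring interface in the same hunk; worth aligning for consistency. The `dev_list_all_dev_nodes($1)` call appears consistent with the other controlling-term interfaces in terminal.if, so no concern there.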
@@ -12318,7 +12345,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.14/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.14/policy/modules/services/dbus.te 2009-06-08 21:43:15.000000000 -0400 ++++ serefpolicy-3.6.14/policy/modules/services/dbus.te 2009-06-11 11:10:09.000000000 -0400 @@ -9,14 +9,15 @@ # # Delcarations @@ -12382,15 +12409,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) -@@ -75,6 +92,7 @@ +@@ -73,8 +90,10 @@ + dev_read_urand(system_dbusd_t) + dev_read_sysfs(system_dbusd_t) ++fs_list_inotifyfs(system_dbusd_t) fs_getattr_all_fs(system_dbusd_t) fs_search_auto_mountpoints(system_dbusd_t) +fs_dontaudit_list_nfs(system_dbusd_t) selinux_get_fs_mount(system_dbusd_t) selinux_validate_context(system_dbusd_t) -@@ -91,9 +109,9 @@ +@@ -91,9 +110,9 @@ corecmd_list_bin(system_dbusd_t) corecmd_read_bin_pipes(system_dbusd_t) corecmd_read_bin_sockets(system_dbusd_t) @@ -12401,7 +12431,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(system_dbusd_t) files_list_home(system_dbusd_t) -@@ -101,6 +119,8 @@ +@@ -101,6 +120,8 @@ init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) @@ -12410,7 +12440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) -@@ -128,9 +148,38 @@ +@@ -128,9 +149,38 @@ ') optional_policy(` 
@@ -12706,8 +12736,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.14/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.14/policy/modules/services/devicekit.te 2009-06-08 21:43:15.000000000 -0400 -@@ -0,0 +1,233 @@ ++++ serefpolicy-3.6.14/policy/modules/services/devicekit.te 2009-06-11 08:32:14.000000000 -0400 +@@ -0,0 +1,234 @@ +policy_module(devicekit,1.0.0) + +######################################## @@ -12785,6 +12815,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +kernel_rw_kernel_sysctl(devicekit_power_t) +kernel_write_proc_files(devicekit_power_t) + ++dev_read_input(devicekit_power_t) +dev_rw_generic_usb_dev(devicekit_power_t) +dev_rw_netcontrol(devicekit_power_t) +dev_rw_sysfs(devicekit_power_t) @@ -13511,8 +13542,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.14/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.14/policy/modules/services/fprintd.te 2009-06-08 21:43:15.000000000 -0400 -@@ -0,0 +1,52 @@ ++++ serefpolicy-3.6.14/policy/modules/services/fprintd.te 2009-06-11 09:53:33.000000000 -0400 +@@ -0,0 +1,54 @@ +policy_module(fprintd,1.0.0) + +######################################## @@ -13544,6 +13575,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_read_etc_files(fprintd_t) +files_read_usr_files(fprintd_t) + ++fs_list_inotifyfs(fprintd_t) ++ +kernel_read_system_state(fprintd_t) + +auth_use_nsswitch(fprintd_t) 
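Review bot: `dev_read_input(devicekit_power_t)` grants the power daemon read access to the input event device nodes (event_device_t in the reference policy), the same device class that carries keyboard events, and the line carries no explanation of why a power daemon needs it. A why-comment should accompany the grant so a later reviewer can judge whether it can be narrowed, e.g. `# presumably for lid-switch/power-button events on /dev/input -- confirm the denial and narrow if possible`. The enclosing devicekit_power_t rule block starts and ends outside this hunk.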
@@ -14373,7 +14406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.14/policy/modules/services/kerneloops.te --- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.14/policy/modules/services/kerneloops.te 2009-06-08 21:43:15.000000000 -0400 ++++ serefpolicy-3.6.14/policy/modules/services/kerneloops.te 2009-06-11 09:54:27.000000000 -0400 @@ -13,6 +13,9 @@ type kerneloops_initrc_exec_t; init_script_file(kerneloops_initrc_exec_t) @@ -14395,10 +14428,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_ring_buffer(kerneloops_t) -@@ -38,14 +43,13 @@ +@@ -38,14 +43,15 @@ files_read_etc_files(kerneloops_t) ++fs_list_inotifyfs(kerneloops_t) ++ +auth_use_nsswitch(kerneloops_t) + logging_send_syslog_msg(kerneloops_t) @@ -15516,7 +15551,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.14/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.14/policy/modules/services/networkmanager.te 2009-06-08 21:43:15.000000000 -0400 ++++ serefpolicy-3.6.14/policy/modules/services/networkmanager.te 2009-06-11 08:40:45.000000000 -0400 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) 
@@ -15561,7 +15596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(NetworkManager_t) corenet_all_recvfrom_netlabel(NetworkManager_t) -@@ -81,10 +88,14 @@ +@@ -81,13 +88,18 @@ corenet_sendrecv_isakmp_server_packets(NetworkManager_t) corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) corenet_sendrecv_all_client_packets(NetworkManager_t) @@ -15576,7 +15611,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) -@@ -98,15 +109,19 @@ ++fs_list_inotifyfs(NetworkManager_t) + + mls_file_read_all_levels(NetworkManager_t) + +@@ -98,15 +110,19 @@ domain_use_interactive_fds(NetworkManager_t) domain_read_confined_domains_state(NetworkManager_t) @@ -15597,7 +15636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) -@@ -116,25 +131,40 @@ +@@ -116,25 +132,40 @@ seutil_read_config(NetworkManager_t) @@ -15645,7 +15684,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -146,8 +176,25 @@ +@@ -146,8 +177,25 @@ ') optional_policy(` @@ -15673,7 +15712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -155,23 +202,50 @@ +@@ -155,23 +203,50 @@ ') optional_policy(` @@ -15726,7 +15765,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -179,12 +253,15 @@ +@@ -179,12 +254,15 @@ ') optional_policy(` 
@@ -20645,7 +20684,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.14/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.14/policy/modules/services/setroubleshoot.te 2009-06-10 11:22:43.000000000 -0400 ++++ serefpolicy-3.6.14/policy/modules/services/setroubleshoot.te 2009-06-11 08:41:02.000000000 -0400 @@ -11,6 +11,9 @@ domain_type(setroubleshootd_t) init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) @@ -20680,7 +20719,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) -@@ -68,16 +76,23 @@ +@@ -68,16 +76,24 @@ dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) @@ -20702,10 +20741,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +fs_read_fusefs_symlinks(setroubleshootd_t) +fs_dontaudit_read_nfs_files(setroubleshootd_t) +fs_dontaudit_read_cifs_files(setroubleshootd_t) ++fs_list_inotifyfs(setroubleshootd_t) selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -94,22 +109,28 @@ +@@ -94,22 +110,28 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) 
@@ -22436,8 +22476,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow the specified domain to append to ulogd's log files. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.14/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2009-03-23 13:47:11.000000000 -0400 -+++ serefpolicy-3.6.14/policy/modules/services/uucp.te 2009-06-08 21:43:15.000000000 -0400 -@@ -129,6 +129,7 @@ ++++ serefpolicy-3.6.14/policy/modules/services/uucp.te 2009-06-11 09:57:39.000000000 -0400 +@@ -95,6 +95,8 @@ + files_search_home(uucpd_t) + files_search_spool(uucpd_t) + ++term_setattr_controlling_term(uucpd_t) ++ + auth_use_nsswitch(uucpd_t) + + logging_send_syslog_msg(uucpd_t) +@@ -129,6 +131,7 @@ optional_policy(` mta_send_mail(uux_t) mta_read_queue(uux_t) @@ -24065,7 +24114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.14/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.14/policy/modules/services/xserver.te 2009-06-08 21:43:15.000000000 -0400 ++++ serefpolicy-3.6.14/policy/modules/services/xserver.te 2009-06-11 09:54:56.000000000 -0400 @@ -34,6 +34,13 @@ ## @@ -24268,7 +24317,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -329,22 +362,37 @@ +@@ -329,22 +362,39 @@ manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) 
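Review bot: `term_setattr_controlling_term(uucpd_t)` is added without a comment saying why uucpd needs to change the attributes of its controlling terminal; setattr on a tty device is the kind of grant that usually accompanies a chown/chmod of the login tty, and the motivating denial is not recoverable from the hunk. Suggest a why-comment on the line, e.g. `# uucpd changes the mode of its controlling tty -- confirm against the AVC that prompted this`, so the grant is not carried forward unexamined. The enclosing uucpd_t rule block continues outside the hunk.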
@@ -24281,7 +24330,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) -fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) ++ +fs_getattr_all_fs(xdm_t) ++fs_list_inotifyfs(xdm_t) +fs_read_noxattr_fs_files(xdm_t) + +manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t) @@ -24309,7 +24360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t xserver_t:process signal; allow xdm_t xserver_t:unix_stream_socket connectto; -@@ -358,6 +406,7 @@ +@@ -358,6 +408,7 @@ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; @@ -24317,7 +24368,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t) -@@ -366,10 +415,14 @@ +@@ -366,10 +417,14 @@ delete_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t) delete_sock_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t) @@ -24333,7 +24384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) -@@ -389,11 +442,13 @@ +@@ -389,11 +444,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -24347,7 +24398,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -401,6 +456,7 @@ +@@ -401,6 +458,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) 
@@ -24355,7 +24406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -413,14 +469,17 @@ +@@ -413,14 +471,17 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -24375,7 +24426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +490,13 @@ +@@ -431,9 +492,13 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -24389,7 +24440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,6 +505,7 @@ +@@ -442,6 +507,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -24397,7 +24448,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -450,6 +514,7 @@ +@@ -450,6 +516,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -24405,7 +24456,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -460,10 +525,10 @@ +@@ -460,10 +527,10 @@ logging_read_generic_logs(xdm_t) @@ -24418,7 +24469,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,6 +537,9 @@ +@@ -472,6 +539,9 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) 
@@ -24428,7 +24479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_rw_session(xdm_t,xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -504,10 +572,12 @@ +@@ -504,10 +574,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -24441,7 +24492,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -515,12 +585,45 @@ +@@ -515,12 +587,45 @@ ') optional_policy(` @@ -24487,7 +24538,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -542,6 +645,23 @@ +@@ -542,6 +647,23 @@ ') optional_policy(` @@ -24511,7 +24562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +670,9 @@ +@@ -550,8 +672,9 @@ ') optional_policy(` @@ -24523,7 +24574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -560,7 +681,6 @@ +@@ -560,7 +683,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -24531,7 +24582,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -571,6 +691,10 @@ +@@ -571,6 +693,10 @@ ') optional_policy(` @@ -24542,7 +24593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,7 +711,7 @@ +@@ -587,7 +713,7 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -24551,7 +24602,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:memprotect mmap_zero; -@@ -602,9 +726,11 @@ +@@ -602,9 +728,11 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -24563,7 +24614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -616,13 +742,14 @@ +@@ -616,13 +744,14 @@ type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; allow xserver_t { rootwindow_t x_domain }:x_drawable send; @@ -24579,7 +24630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,9 +762,19 @@ +@@ -635,9 +764,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -24599,7 +24650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -680,9 +817,14 @@ +@@ -680,9 +819,14 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -24614,7 +24665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -697,8 +839,12 @@ +@@ -697,8 +841,12 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) 
@@ -24627,7 +24678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -720,6 +866,7 @@ +@@ -720,6 +868,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -24635,7 +24686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -742,7 +889,7 @@ +@@ -742,7 +891,7 @@ ') ifdef(`enable_mls',` @@ -24644,7 +24695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -774,12 +921,16 @@ +@@ -774,12 +923,16 @@ ') optional_policy(` @@ -24662,7 +24713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(xserver_t) ') -@@ -806,7 +957,7 @@ +@@ -806,7 +959,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -24671,7 +24722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -827,9 +978,14 @@ +@@ -827,9 +980,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -24686,7 +24737,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -844,11 +1000,14 @@ +@@ -844,11 +1002,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -24702,7 +24753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -856,6 +1015,11 @@ +@@ -856,6 +1017,11 @@ rhgb_rw_tmpfs_files(xserver_t) ') 
@@ -24714,7 +24765,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Rules common to all X window domains -@@ -881,6 +1045,8 @@ +@@ -881,6 +1047,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; @@ -24723,7 +24774,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -905,6 +1071,8 @@ +@@ -905,6 +1073,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -24732,7 +24783,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -972,17 +1140,49 @@ +@@ -972,17 +1142,49 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -25621,7 +25672,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.14/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.14/policy/modules/system/init.te 2009-06-08 21:43:15.000000000 -0400 ++++ serefpolicy-3.6.14/policy/modules/system/init.te 2009-06-11 09:54:00.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) 
@@ -25749,7 +25800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -270,16 +305,20 @@ +@@ -270,17 +305,22 @@ dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) @@ -25769,9 +25820,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +dev_getattr_all_blk_files(initrc_t) +dev_getattr_all_chr_files(initrc_t) ++fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -328,7 +367,7 @@ + fs_write_ramfs_pipes(initrc_t) +@@ -328,7 +368,7 @@ domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -25780,7 +25833,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -343,14 +382,14 @@ +@@ -343,14 +383,14 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -25797,7 +25850,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_exec_etc_files(initrc_t) files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) -@@ -366,7 +405,9 @@ +@@ -366,7 +406,9 @@ libs_rw_ld_so_cache(initrc_t) libs_exec_lib_files(initrc_t) @@ -25807,7 +25860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) -@@ -451,7 +492,7 @@ +@@ -451,7 +493,7 @@ # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -25816,7 +25869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_dontaudit_read_root_files(initrc_t) selinux_set_enforce_mode(initrc_t) -@@ -465,6 +506,7 @@ +@@ -465,6 +507,7 @@ storage_raw_read_fixed_disk(initrc_t) storage_raw_write_fixed_disk(initrc_t) @@ -25824,7 +25877,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) # wants to read /.fonts directory -@@ -498,6 +540,7 @@ +@@ -498,6 +541,7 @@ optional_policy(` #for /etc/rc.d/init.d/nfs to create /etc/exports rpc_write_exports(initrc_t) @@ -25832,7 +25885,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -516,6 +559,33 @@ +@@ -516,6 +560,33 @@ ') ') @@ -25866,7 +25919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -570,6 +640,10 @@ +@@ -570,6 +641,10 @@ dbus_read_config(initrc_t) optional_policy(` @@ -25877,7 +25930,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol networkmanager_dbus_chat(initrc_t) ') ') -@@ -591,6 +665,10 @@ +@@ -591,6 +666,10 @@ ') optional_policy(` @@ -25888,7 +25941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_usbfs(initrc_t) # init scripts run /etc/hotplug/usb.rc -@@ -647,20 +725,20 @@ +@@ -647,20 +726,20 @@ ') optional_policy(` @@ -25915,7 +25968,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ifdef(`distro_redhat',` -@@ -719,8 +797,6 @@ +@@ -719,8 +798,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -25924,7 +25977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -733,10 +809,12 @@ +@@ -733,10 +810,12 @@ squid_manage_logs(initrc_t) ') @@ -25937,7 +25990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -754,6 +832,11 @@ +@@ -754,6 +833,11 @@ uml_setattr_util_sockets(initrc_t) ') @@ -25949,7 +26002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` unconfined_domain(initrc_t) -@@ -765,6 +848,13 @@ +@@ -765,6 +849,13 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -25963,7 +26016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -790,3 +880,35 @@ +@@ -790,3 +881,35 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -26167,7 +26220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(iscsid_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.14/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-06-08 15:22:18.000000000 -0400 -+++ serefpolicy-3.6.14/policy/modules/system/libraries.fc 2009-06-08 21:43:15.000000000 -0400 ++++ serefpolicy-3.6.14/policy/modules/system/libraries.fc 2009-06-11 11:46:19.000000000 -0400 @@ -60,12 +60,15 @@ # # /opt 
@@ -26327,7 +26380,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_suse',` /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) ') -@@ -311,3 +339,37 @@ +@@ -311,3 +339,39 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -26365,6 +26418,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib(64)?/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.14/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2008-11-11 16:13:48.000000000 -0500 +++ serefpolicy-3.6.14/policy/modules/system/libraries.if 2009-06-08 21:43:15.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index f013916..da68c5b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.14 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -473,6 +473,9 @@ exit 0 %endif %changelog +* Thu Jun 11 2009 Dan Walsh 3.6.14-3 +- Allow NetworkManager to read inotifyfs + * Wed Jun 10 2009 Dan Walsh 3.6.14-2 - Allow setroubleshoot to run mlocate
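Review bot: The new file context `/usr/lib(64)?/midori/.*\.so(\.[^/]*)*` labels every shared object under the midori directory textrel_shlib_t, which permits text relocations (execmod) in any domain that maps those libraries and so relaxes the execmod restriction that ordinary lib_t libraries are subject to. Entries of this kind are normally temporary workarounds for libraries not built PIC, so a comment naming the tracking bug would keep it from becoming permanent, e.g. `# textrel workaround for midori libraries; drop once they are built PIC (see <BUG-ID>)`, and if only one library actually needs it the pattern should be narrowed to that file rather than the whole directory. The spec changelog hunk that follows does not mention this addition.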