diff --git a/policy-F13.patch b/policy-F13.patch index 3b8d36d..00cf918 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -7348,22 +7348,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate. auth_use_nsswitch(locate_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.fc serefpolicy-3.7.19/policy/modules/apps/telepathy.fc --- nsaserefpolicy/policy/modules/apps/telepathy.fc 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/telepathy.fc 2010-07-13 15:32:42.432515993 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/telepathy.fc 2010-07-21 16:06:37.364385112 +0200 
@@ -0,0 +1,14 @@ -+HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0) -+HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0) -+HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) -+ -+/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0) -+ -+/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) -+/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t, s0) -+/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) -+/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t, s0) -+/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0) -+/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0) -+/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0) -+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) ++#HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0) ++#HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0) ++#HOME_DIR/\.cache/telepathy/gabble(/.*)? 
gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) ++ ++#/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0) ++ ++#/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) ++#/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t, s0) ++#/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) ++#/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t, s0) ++#/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0) ++#/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0) ++#/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0) ++#/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.if serefpolicy-3.7.19/policy/modules/apps/telepathy.if --- nsaserefpolicy/policy/modules/apps/telepathy.if 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.7.19/policy/modules/apps/telepathy.if 2010-07-13 15:32:42.433752902 +0200 @@ -11289,7 +11289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.19/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/roles/staff.te 2010-07-13 15:32:42.440502894 +0200 ++++ serefpolicy-3.7.19/policy/modules/roles/staff.te 2010-07-21 16:02:00.296133754 +0200 @@ -9,25 +9,56 @@ role staff_r; 
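Review bot: Every file context in telepathy.fc is commented out on the new side, so nothing will be labeled telepathy_*_exec_t or telepathy_*_home_t and the connection managers under /usr/libexec will execute in the caller's domain under generic labels (presumably the types are still declared in telepathy.te, which is not in this hunk). If this is a deliberate temporary disable because the policy is not ready, record it at the top of the file, e.g. `# Telepathy labeling disabled for now; re-enable together with telepathy_dbus_session_role in staff.te/xguest.te`, otherwise disable the module instead of shipping a live .te with an empty .fc, which is the state most likely to be forgotten. Note that the `HOME_DIR/\.cache/\.mc_connections` line is also disabled, so that cache file falls back to ordinary user home content labeling.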
@@ -11394,18 +11394,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t optional_policy(` sudo_role_template(staff, staff_r, staff_t) -@@ -146,6 +188,11 @@ +@@ -145,6 +187,11 @@ + userdom_dontaudit_use_user_terminals(staff_t) ') - optional_policy(` -+ telepathy_dbus_session_role(staff_r, staff_t) -+') ++#optional_policy(` ++# telepathy_dbus_session_role(staff_r, staff_t) ++#') + +ifndef(`distro_redhat',` -+optional_policy(` + optional_policy(` thunderbird_role(staff_r, staff_t) ') - @@ -169,6 +216,77 @@ wireshark_role(staff_r, staff_t) ') @@ -13024,7 +13024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.19/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/roles/xguest.te 2010-07-13 15:32:42.441502968 +0200 ++++ serefpolicy-3.7.19/policy/modules/roles/xguest.te 2010-07-21 16:02:06.136385109 +0200 @@ -15,7 +15,7 @@ ## @@ -13097,21 +13097,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. + +optional_policy(` + java_role_template(xguest, xguest_r, xguest_t) ++') ++ ++optional_policy(` ++ mono_role_template(xguest, xguest_r, xguest_t) ') optional_policy(` - mozilla_role(xguest_r, xguest_t) -+ mono_role_template(xguest, xguest_r, xguest_t) -+') -+ -+optional_policy(` + nsplugin_role(xguest_r, xguest_t) -+') -+ -+optional_policy(` -+ telepathy_dbus_session_role(xguest_r, xguest_t) ') ++#optional_policy(` ++# telepathy_dbus_session_role(xguest_r, xguest_t) ++#') ++ optional_policy(` tunable_policy(`xguest_connect_network',` + kernel_read_network_state(xguest_usertype) 
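Review bot: The new side leaves `telepathy_dbus_session_role(xguest_r, xguest_t)` (and its staff.te twin in the hunk above) as commented-out code with no explanation of why or when it comes back. Either delete the three `#optional_policy` lines or replace them with a one-line comment stating the reason, e.g. `# telepathy_dbus_session_role disabled until telepathy.fc labeling is re-enabled`, so the next reader does not have to reconstruct it from the changelog. Splitting java, mono and nsplugin into their own optional_policy blocks is fine and does not change what is granted.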
@@ -13149,19 +13149,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. + corenet_tcp_connect_speech_port(xguest_usertype) + corenet_tcp_sendrecv_transproxy_port(xguest_usertype) + corenet_tcp_connect_transproxy_port(xguest_usertype) -+ ') -+') -+ + ') + ') + +-#gen_user(xguest_u,, xguest_r, s0, s0) +optional_policy(` + gen_require(` + type mozilla_t; - ') ++ ') + + allow xguest_t mozilla_t:process transition; + role xguest_r types mozilla_t; - ') - --#gen_user(xguest_u,, xguest_r, s0, s0) ++') ++ +gen_user(xguest_u, user, xguest_r, s0, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.19/policy/modules/services/abrt.fc --- nsaserefpolicy/policy/modules/services/abrt.fc 2010-04-13 20:44:37.000000000 +0200 @@ -13461,7 +13461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt admin_pattern($1, abrt_var_cache_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.19/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-07-13 09:51:40.868752880 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-07-21 09:31:43.073135212 +0200 @@ -1,11 +1,19 @@ -policy_module(abrt, 1.0.1) @@ -13539,7 +13539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt kernel_read_ring_buffer(abrt_t) kernel_read_system_state(abrt_t) -@@ -75,27 +100,50 @@ +@@ -75,27 +100,51 @@ corecmd_exec_bin(abrt_t) corecmd_exec_shell(abrt_t) @@ -13578,6 +13578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +files_dontaudit_list_default(abrt_t) +files_dontaudit_read_default_files(abrt_t) +files_dontaudit_read_all_symlinks(abrt_t) ++#files_dontaudit_getattr_all_sockets(abrt_t) fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) 
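Review bot: The mozilla block grants `allow xguest_t mozilla_t:process transition; role xguest_r types mozilla_t;` by pulling `type mozilla_t` in through a raw gen_require instead of going through the mozilla module's interface, which is the pattern the surrounding file uses (java_role_template, mono_role_template, nsplugin_role); a bare process:transition also does not produce a domain transition by itself, since the execute/entrypoint side is not visible in this hunk. Unless there is a reason xguest must not receive the full mozilla_role that this patch removes earlier, use the mozilla module's transition interface (I cannot see from here which one mozilla.if provides) and drop the gen_require. The brace repair itself looks right: `gen_user(xguest_u, user, xguest_r, s0, s0)` is now outside the optional_policy block, so the user is no longer conditional on the mozilla module being present.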
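Review bot: `#files_dontaudit_getattr_all_sockets(abrt_t)` is added as commented-out code in the abrt_t section. If the denial it would silence is real but the interface does not exist in this tree (I cannot confirm that from here), replace it with a note such as `# TODO: abrt probes sockets while collecting crash data; add a dontaudit once a files_ interface covers it`, otherwise drop the line rather than leaving dead code in the policy.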
@@ -13593,7 +13594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt logging_read_generic_logs(abrt_t) logging_send_syslog_msg(abrt_t) -@@ -103,22 +151,125 @@ +@@ -103,22 +152,125 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -17896,8 +17897,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.19/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-07-09 09:07:32.569134985 +0200 -@@ -0,0 +1,134 @@ ++++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-07-21 09:37:29.061134765 +0200 +@@ -0,0 +1,139 @@ + +policy_module(corosync,1.0.0) + @@ -18032,6 +18033,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + rgmanager_manage_tmpfs_files(corosync_t) +') + ++optional_policy(` ++ corenet_tcp_connect_ricci_port(corosync_t) ++ ++ ricci_read_lib_files(corosync_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.19/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2010-04-13 20:44:36.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/cron.fc 2010-05-28 09:42:00.088610900 +0200 
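Review bot: The new corosync block pairs `corenet_tcp_connect_ricci_port(corosync_t)` with no packet-side rule, whereas the spamd change in this same patch pairs its `corenet_tcp_connect_postgresql_port` with `corenet_sendrecv_postgresql_client_packets`; add `corenet_sendrecv_ricci_client_packets(corosync_t)` if that interface exists in this tree, or the connect will be denied once packet labeling is in use. The changelog entry only mentions reading ricci lib files, so the TCP connect is an undocumented extra grant; a one-line comment above the block, `# corosync connects to ricci over its TCP port and reads its lib files`, would make the intent explicit.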
@@ -18054,7 +18060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.19/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/cron.if 2010-06-21 10:29:07.768073951 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cron.if 2010-07-21 14:59:31.590385176 +0200 @@ -12,6 +12,10 @@ ## # @@ -18089,7 +18095,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron init_dontaudit_write_utmp($1_t) init_read_utmp($1_t) -@@ -154,27 +163,14 @@ +@@ -76,6 +85,7 @@ + userdom_use_user_terminals($1_t) + # Read user crontabs + userdom_read_user_home_content_files($1_t) ++ userdom_read_user_home_content_symlinks($1_t) + + tunable_policy(`fcron_crond',` + # fcron wants an instant update of a crontab change for the administrator +@@ -154,27 +164,14 @@ # interface(`cron_unconfined_role',` gen_require(` @@ -18119,7 +18133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron optional_policy(` gen_require(` class dbus send_msg; -@@ -259,9 +255,8 @@ +@@ -259,9 +256,8 @@ gen_require(` type crond_t, system_cronjob_t; ') @@ -18130,7 +18144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron role system_r types $1; ') -@@ -408,7 +403,43 @@ +@@ -408,7 +404,43 @@ type crond_t; ') @@ -18175,7 +18189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') ######################################## -@@ -554,7 +585,7 @@ +@@ -554,7 +586,7 @@ type system_cronjob_t; ') 
@@ -18184,7 +18198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') ######################################## -@@ -587,11 +618,14 @@ +@@ -587,11 +619,14 @@ # interface(`cron_read_system_job_tmp_files',` gen_require(` @@ -18200,7 +18214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') ######################################## -@@ -627,7 +661,48 @@ +@@ -627,7 +662,48 @@ interface(`cron_dontaudit_write_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; @@ -22826,7 +22840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.19/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/munin.te 2010-07-14 11:34:15.880159804 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/munin.te 2010-07-21 09:12:00.666135102 +0200 @@ -28,12 +28,26 @@ type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) @@ -22887,7 +22901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ') optional_policy(` -@@ -164,3 +185,156 @@ +@@ -164,3 +185,157 @@ optional_policy(` udev_read_db(munin_t) ') @@ -23028,6 +23042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +corecmd_exec_shell(munin_system_plugin_t) + +files_read_etc_files(munin_system_plugin_t) ++files_read_usr_files(munin_system_plugin_t) + +fs_getattr_all_fs(munin_system_plugin_t) + 
@@ -26826,7 +26841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.19/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-06-15 07:28:56.615609284 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-07-21 09:58:36.071135157 +0200 @@ -6,6 +6,15 @@ # Declarations # @@ -27030,7 +27045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # connect to master process stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) -@@ -270,18 +307,31 @@ +@@ -270,18 +307,35 @@ files_read_etc_files(postfix_local_t) @@ -27048,6 +27063,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` clamav_search_lib(postfix_local_t) + clamav_exec_clamscan(postfix_local_t) ++') ++ ++optional_policy(` ++ dovecot_domtrans_deliver(postfix_local_t) ') optional_policy(` @@ -27062,7 +27081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') optional_policy(` -@@ -292,8 +342,7 @@ +@@ -292,8 +346,7 @@ # # Postfix map local policy # @@ -27072,7 +27091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -340,14 +389,15 @@ +@@ -340,14 +393,15 @@ miscfiles_read_localization(postfix_map_t) 
@@ -27092,7 +27111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix pickup local policy -@@ -372,6 +422,7 @@ +@@ -372,6 +426,7 @@ # allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; @@ -27100,7 +27119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -379,6 +430,12 @@ +@@ -379,6 +434,12 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) @@ -27113,7 +27132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` procmail_domtrans(postfix_pipe_t) ') -@@ -388,6 +445,16 @@ +@@ -388,6 +449,16 @@ ') optional_policy(` @@ -27130,7 +27149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post uucp_domtrans_uux(postfix_pipe_t) ') -@@ -415,6 +482,10 @@ +@@ -415,6 +486,10 @@ mta_rw_user_mail_stream_sockets(postfix_postdrop_t) optional_policy(` @@ -27141,7 +27160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') -@@ -424,8 +495,11 @@ +@@ -424,8 +499,11 @@ ') optional_policy(` @@ -27155,7 +27174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ####################################### -@@ -451,6 +525,17 @@ +@@ -451,6 +529,17 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -27173,7 +27192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix qmgr local policy -@@ -464,6 +549,7 @@ +@@ -464,6 +553,7 @@ manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) 
@@ -27181,7 +27200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; -@@ -499,13 +585,14 @@ +@@ -499,13 +589,14 @@ # # connect to master process @@ -27197,7 +27216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_smtp_t) -@@ -535,9 +622,18 @@ +@@ -535,9 +626,18 @@ # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -27216,7 +27235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mailman_read_data_files(postfix_smtpd_t) ') -@@ -559,20 +655,22 @@ +@@ -559,20 +659,22 @@ allow postfix_virtual_t postfix_spool_t:file rw_file_perms; @@ -29130,7 +29149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-3.7.19/policy/modules/services/ricci.fc --- nsaserefpolicy/policy/modules/services/ricci.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/ricci.fc 2010-05-28 09:42:00.171610753 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ricci.fc 2010-07-21 13:56:07.915385135 +0200 @@ -1,3 +1,6 @@ + +/etc/rc\.d/init\.d/ricci -- gen_context(system_u:object_r:ricci_initrc_exec_t,s0) 
@@ -29140,7 +29159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc /usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.7.19/policy/modules/services/ricci.if --- nsaserefpolicy/policy/modules/services/ricci.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/ricci.if 2010-05-28 09:42:00.172610686 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ricci.if 2010-07-21 09:56:46.277134919 +0200 @@ -18,6 +18,24 @@ domtrans_pattern($1, ricci_exec_t, ricci_t) ') @@ -29166,11 +29185,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc ######################################## ## ## Execute a domain transition to run ricci_modcluster. -@@ -165,3 +183,47 @@ +@@ -165,3 +183,67 @@ domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t) ') + ++###################################### ++## ++## Allow the specified domain to read ricci's lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ricci_read_lib_files',` ++ gen_require(` ++ type ricci_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ list_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t) ++ read_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t) ++') + +######################################## +## @@ -29198,9 +29236,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc + allow $1 ricci_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, ricci_t, ricci_t) + -+ ricci_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 ricci_initrc_exec_t system_r; ++ init_labeled_script_domtrans($1, ricci_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 ricci_initrc_exec_t system_r; ++ allow $2 system_r; + + files_search_tmp($1) + admin_pattern($1, ricci_tmp_t) 
@@ -30814,13 +30853,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor domain_use_interactive_fds(snort_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.19/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/spamassassin.fc 2010-05-28 09:42:00.189610812 +0200 -@@ -1,15 +1,26 @@ ++++ serefpolicy-3.7.19/policy/modules/services/spamassassin.fc 2010-07-21 09:52:32.681135100 +0200 +@@ -1,15 +1,27 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) + +/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/spamassassin -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) @@ -30975,7 +31015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.19/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/spamassassin.te 2010-05-28 09:42:00.190610815 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/spamassassin.te 2010-07-21 09:36:37.293135266 +0200 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) 
@@ -31233,23 +31273,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam fs_manage_cifs_files(spamd_t) ') -@@ -401,24 +498,18 @@ +@@ -397,16 +494,22 @@ + ') + + optional_policy(` +- daemontools_service_domain(spamd_t, spamd_exec_t) ++ corenet_tcp_connect_postgresql_port(spamd_t) ++ corenet_sendrecv_postgresql_client_packets(spamd_t) ++ ++ postgresql_stream_connect(spamd_t) + ') + ++ + optional_policy(` +- dcc_domtrans_client(spamd_t) +- dcc_stream_connect_dccifd(spamd_t) ++ daemontools_service_domain(spamd_t, spamd_exec_t) ') optional_policy(` +- milter_manage_spamass_state(spamd_t) + dcc_domtrans_cdcc(spamd_t) - dcc_domtrans_client(spamd_t) ++ dcc_domtrans_client(spamd_t) + dcc_signal_client(spamd_t) - dcc_stream_connect_dccifd(spamd_t) ++ dcc_stream_connect_dccifd(spamd_t) ') optional_policy(` -- milter_manage_spamass_state(spamd_t) --') -- --optional_policy(` - mysql_search_db(spamd_t) - mysql_stream_connect(spamd_t) +@@ -415,10 +518,6 @@ ') optional_policy(` @@ -31260,7 +31311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam postfix_read_config(spamd_t) ') -@@ -433,6 +524,10 @@ +@@ -433,6 +532,10 @@ optional_policy(` razor_domtrans(spamd_t) @@ -31271,7 +31322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') optional_policy(` -@@ -445,5 +540,9 @@ +@@ -445,5 +548,9 @@ ') optional_policy(` 
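Review bot: The postgresql client rules for spamd_t are added without a comment, and the hunk introduces a double blank line (the lone `+` after the postgresql block's `')`) where the rest of the file separates optional_policy blocks with a single one; drop the extra blank line. A short comment above the block, `# spamd as a PostgreSQL client`, states what the three rules grant so a later reader does not have to infer it. The reorder of the daemontools and dcc blocks is behavior-neutral as far as this hunk shows.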
@@ -31997,9 +32048,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varn ####################################### ## ## Read varnish logs. +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.19/policy/modules/services/vhostmd.fc +--- nsaserefpolicy/policy/modules/services/vhostmd.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/vhostmd.fc 2010-07-21 10:49:49.095135392 +0200 +@@ -1,5 +1,5 @@ +-/etc/rc.d/init.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0) + + /usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0) + +-/var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0) ++/var/run/vhostmd\.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.19/policy/modules/services/vhostmd.if +--- nsaserefpolicy/policy/modules/services/vhostmd.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/vhostmd.if 2010-07-21 09:59:21.999134987 +0200 +@@ -212,7 +212,7 @@ + allow $1 vhostmd_t:process { ptrace signal_perms getattr }; + ps_process_pattern($1, vhostmd_t) + +- vhostmd_initrc_domtrans($1) ++ init_labeled_script_domtrans($1, vhostmd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 vhostmd_initrc_exec_t system_r; + allow $2 system_r; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.19/policy/modules/services/vhostmd.te --- nsaserefpolicy/policy/modules/services/vhostmd.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/vhostmd.te 2010-05-28 09:42:00.199610914 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/vhostmd.te 2010-07-21 16:30:52.823400881 +0200 
@@ -45,6 +45,8 @@ corenet_tcp_connect_soundd_port(vhostmd_t) @@ -32034,7 +32108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.19/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-06-28 16:27:05.439151006 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-07-21 09:14:25.275134957 +0200 @@ -21,6 +21,7 @@ type $1_t, virt_domain; domain_type($1_t) @@ -32144,7 +32218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -516,3 +525,32 @@ +@@ -516,3 +525,49 @@ virt_manage_log($1) ') @@ -32177,6 +32251,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt + ptchown_run(svirt_t, $2) + ') +') ++ ++####################################### ++## ++## Do not audit attempts to write virt daemon unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_dontaudit_write_pipes',` ++ gen_require(` ++ type virtd_t; ++ ') ++ dontaudit $1 virtd_t:fifo_file write; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-07-13 09:50:27.906502586 +0200 
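Review bot: The parameter documentation of the new `virt_dontaudit_write_pipes` interface says `Domain allowed access.`, but a dontaudit interface grants nothing; refpolicy's convention for these is `Domain to not audit.`, so change that line. Also insert the blank line between the `gen_require` block and the `dontaudit $1 virtd_t:fifo_file write;` rule to match the other interfaces in this patch (ricci_read_lib_files has it), and make the summary precise about scope: `## Do not audit attempts to write to virtd unnamed pipes (fifo_file write only).`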
@@ -36494,7 +36585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ## Read the configuration options used when diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.19/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/modutils.te 2010-05-28 09:42:00.507610874 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/modutils.te 2010-07-21 09:19:47.151135117 +0200 @@ -19,6 +19,7 @@ type insmod_exec_t; application_domain(insmod_t, insmod_exec_t) @@ -36576,6 +36667,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti userdom_dontaudit_search_user_home_dirs(insmod_t) if( ! secure_mode_insmod ) { +@@ -236,6 +244,10 @@ + ') + + optional_policy(` ++ virt_dontaudit_write_pipes(insmod_t) ++') ++ ++optional_policy(` + # cjp: why is this needed: + dev_rw_xserver_misc(insmod_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.19/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/system/mount.fc 2010-05-28 09:42:00.508610668 +0200 
@@ -38468,15 +38570,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.19/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-07-13 10:00:55.043752747 +0200 -@@ -1,5 +1,5 @@ ++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-07-21 09:34:24.436135014 +0200 +@@ -1,11 +1,18 @@ -policy_module(sysnetwork, 1.10.3) +policy_module(sysnetwork, 1.11.0) ######################################## # -@@ -20,6 +20,9 @@ + # Declarations + # + ++## ++##

++## Allow dhcpc client applications to execute iptables commands ++##

++##
++gen_tunable(dhcpc_exec_iptables, false) ++ + # this is shared between dhcpc and dhcpd: + type dhcp_etc_t; + typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t }; +@@ -20,6 +27,9 @@ init_daemon_domain(dhcpc_t, dhcpc_exec_t) role system_r types dhcpc_t; @@ -38486,7 +38601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet type dhcpc_state_t; files_type(dhcpc_state_t) -@@ -58,6 +61,8 @@ +@@ -58,6 +68,8 @@ exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) allow dhcpc_t dhcp_state_t:file read_file_perms; @@ -38495,7 +38610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t) filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file) -@@ -67,6 +72,8 @@ +@@ -67,6 +79,8 @@ # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. @@ -38504,7 +38619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet sysnet_manage_config(dhcpc_t) files_etc_filetrans(dhcpc_t, net_conf_t, file) -@@ -111,6 +118,7 @@ +@@ -111,6 +125,7 @@ # for SSP: dev_read_urand(dhcpc_t) @@ -38512,7 +38627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet domain_use_interactive_fds(dhcpc_t) domain_dontaudit_read_all_domains_state(dhcpc_t) -@@ -156,6 +164,10 @@ +@@ -156,6 +171,10 @@ ') optional_policy(` @@ -38523,7 +38638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet init_dbus_chat_script(dhcpc_t) dbus_system_bus_client(dhcpc_t) -@@ -172,6 +184,8 @@ +@@ -172,6 +191,8 @@ optional_policy(` hal_dontaudit_rw_dgram_sockets(dhcpc_t) @@ -38532,7 +38647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -193,6 +207,13 @@ +@@ -193,6 +214,13 @@ ') optional_policy(` 
@@ -38546,7 +38661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet nis_read_ypbind_pid(dhcpc_t) ') -@@ -214,6 +235,7 @@ +@@ -214,6 +242,7 @@ optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -38554,7 +38669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -277,8 +299,11 @@ +@@ -277,8 +306,11 @@ domain_use_interactive_fds(ifconfig_t) @@ -38566,7 +38681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -306,6 +331,8 @@ +@@ -306,6 +338,8 @@ seutil_use_runinit_fds(ifconfig_t) @@ -38575,7 +38690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) -@@ -328,6 +355,8 @@ +@@ -328,6 +362,8 @@ optional_policy(` hal_dontaudit_rw_pipes(ifconfig_t) hal_dontaudit_rw_dgram_sockets(ifconfig_t) @@ -38584,6 +38699,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` +@@ -360,3 +396,9 @@ + xen_append_log(ifconfig_t) + xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) + ') ++ ++optional_policy(` ++ tunable_policy(`dhcpc_exec_iptables',` ++ iptables_domtrans(dhcpc_t) ++ ') ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.7.19/policy/modules/system/udev.fc --- nsaserefpolicy/policy/modules/system/udev.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/system/udev.fc 2010-05-28 09:42:00.520610847 +0200 diff --git a/selinux-policy.spec b/selinux-policy.spec index 3e7e911..95a0b43 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
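Review bot: The new `tunable_policy(`dhcpc_exec_iptables', ` iptables_domtrans(dhcpc_t) ')` block is appended at the very end of sysnetwork.te after the ifconfig_t rules (the context shows `xen_append_log(ifconfig_t)`), although it governs dhcpc_t; move it up into the dhcpc_t section beside the other dhcpc optional_policy blocks so the domain's rules stay together. Wrapping it in optional_policy is right since iptables is a separate module, and `gen_tunable(dhcpc_exec_iptables, false)` in the earlier hunk is the correct default: the DHCP client handles network-supplied data, and this boolean hands it a transition into the firewall-management domain. Say that in the tunable description rather than only "execute iptables commands", e.g. `## Allow the DHCP client (dhcpc_t) to run iptables via a domain transition. Off by default: dhcpc processes untrusted network input.`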
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 38%{?dist} +Release: 39%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,11 @@ exit 0 %endif %changelog +* Wed Jul 21 2010 Miroslav Grepl 3.7.19-39 +- Allow munin_system_plugin to read files in /usr +- Do not audit insmod attempts to write virt daemon unnamed pipes +- Allow corosync to read ricci lib files + * Mon Jul 19 2010 Miroslav Grepl 3.7.19-38 - Allow xdm_t to manage gnome homedir content - Allow s-c-firewall to read and write virtual memory sysctls