##
-@@ -45,7 +47,14 @@
+@@ -45,7 +47,21 @@
##
##
@@ -10129,11 +10189,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
+##
+##
++## Allow httpd scripts and modules execmem/execstack
++##
++##
++gen_tunable(httpd_execmem,false)
++
++##
++##
+## Allow HTTPD scripts and modules to connect to the network
##
##
gen_tunable(httpd_can_network_connect,false)
-@@ -95,8 +104,8 @@
+@@ -95,8 +111,8 @@
##
##
@@ -10144,7 +10211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## the terminal.
##
##
-@@ -109,14 +118,33 @@
+@@ -109,14 +125,33 @@
##
gen_tunable(httpd_unified,false)
@@ -10180,7 +10247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# user script domains
attribute httpd_script_domains;
-@@ -147,6 +175,9 @@
+@@ -147,6 +182,9 @@
type httpd_log_t;
logging_log_file(httpd_log_t)
@@ -10190,7 +10257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# httpd_modules_t is the type given to module files (libraries)
# that come with Apache /etc/httpd/modules and /usr/lib/apache
type httpd_modules_t;
-@@ -180,6 +211,9 @@
+@@ -180,6 +218,9 @@
# setup the system domain for system CGI scripts
apache_content_template(sys)
@@ -10200,7 +10267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -202,12 +236,16 @@
+@@ -202,12 +243,16 @@
prelink_object_file(httpd_modules_t)
')
@@ -10218,7 +10285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
-@@ -249,6 +287,7 @@
+@@ -249,6 +294,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@@ -10226,7 +10293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -289,6 +328,7 @@
+@@ -289,6 +335,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -10234,7 +10301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -315,9 +355,7 @@
+@@ -315,9 +362,7 @@
auth_use_nsswitch(httpd_t)
@@ -10245,7 +10312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
domain_use_interactive_fds(httpd_t)
-@@ -335,6 +373,10 @@
+@@ -335,6 +380,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -10256,7 +10323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
-@@ -351,25 +393,50 @@
+@@ -351,25 +400,50 @@
userdom_use_unpriv_users_fds(httpd_t)
@@ -10311,7 +10378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
-@@ -382,12 +449,22 @@
+@@ -382,12 +456,22 @@
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
@@ -10339,7 +10406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_ftp_server',`
-@@ -399,11 +476,21 @@
+@@ -399,11 +483,21 @@
fs_read_nfs_symlinks(httpd_t)
')
@@ -10361,7 +10428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -437,8 +524,13 @@
+@@ -437,8 +531,13 @@
')
optional_policy(`
@@ -10377,7 +10444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -450,19 +542,13 @@
+@@ -450,19 +549,13 @@
')
optional_policy(`
@@ -10398,17 +10465,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -473,12 +559,15 @@
+@@ -472,13 +565,22 @@
+ openca_kill(httpd_t)
')
- optional_policy(`
++tunable_policy(`httpd_execmem',`
++ allow httpd_t self:process { execmem execstack };
++ allow httpd_sys_script_t self:process { execmem execstack };
++ allow httpd_suexec_t self:process { execmem execstack };
++')
++
++optional_policy(`
+tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_t)
+ postgresql_tcp_connect(httpd_sys_script_t)
+')
+')
+
-+optional_policy(`
+ optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
-
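Review bot: The `httpd_execmem` block grants both `execmem` and `execstack` to `httpd_t`, `httpd_sys_script_t` and `httpd_suexec_t` under one boolean. An administrator who only needs writable-executable anonymous memory for a single module therefore also gets an executable stack in the daemon and in suexec. Consider keeping `execstack` out of this tunable or behind its own boolean, for example `allow httpd_t self:process execmem;`, and adding it only for the domain where a denial shows it is needed. The tunable description added earlier in the patch ("Allow httpd scripts and modules execmem/execstack") should also say that the daemon and suexec domains are covered, not only scripts and modules.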
@@ -10418,7 +10492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -486,6 +575,7 @@
+@@ -486,6 +588,7 @@
')
optional_policy(`
@@ -10426,7 +10500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -521,6 +611,22 @@
+@@ -521,6 +624,22 @@
userdom_use_sysadm_terms(httpd_helper_t)
')
@@ -10449,7 +10523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -550,18 +656,26 @@
+@@ -550,18 +669,26 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -10479,7 +10553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -585,6 +699,8 @@
+@@ -585,6 +712,8 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -10488,7 +10562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -593,9 +709,7 @@
+@@ -593,9 +722,7 @@
fs_search_auto_mountpoints(httpd_suexec_t)
@@ -10499,7 +10573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -628,6 +742,7 @@
+@@ -628,6 +755,7 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -10507,7 +10581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
-@@ -638,6 +753,12 @@
+@@ -638,6 +766,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -10520,7 +10594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,10 +776,6 @@
+@@ -655,10 +789,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -10531,7 +10605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
-@@ -668,7 +785,8 @@
+@@ -668,7 +798,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -10541,7 +10615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -682,15 +800,44 @@
+@@ -682,15 +813,44 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -10553,15 +10627,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+tunable_policy(`httpd_use_nfs', `
- fs_read_nfs_files(httpd_sys_script_t)
- fs_read_nfs_symlinks(httpd_sys_script_t)
- ')
-
-+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+
++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+ ')
+
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
@@ -10587,7 +10661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -703,6 +850,10 @@
+@@ -703,6 +863,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -10598,7 +10672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -724,3 +875,60 @@
+@@ -724,3 +888,60 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -12475,7 +12549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.3.1/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/cron.if 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cron.if 2008-07-28 08:35:13.000000000 -0400
@@ -35,38 +35,23 @@
#
template(`cron_per_role_template',`
@@ -12712,10 +12786,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
# Manipulate other users crontab.
selinux_get_fs_mount($1_crontab_t)
selinux_validate_context($1_crontab_t)
-@@ -438,6 +334,25 @@
+@@ -438,7 +334,26 @@
########################################
##
+-## Read, and write cron daemon TCP sockets.
+## Read temporary files from cron.
+##
+##
@@ -12735,9 +12810,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+
+########################################
+##
- ## Read, and write cron daemon TCP sockets.
++## dontaudit Read, and write cron daemon TCP sockets.
##
##
+ ##
+@@ -446,7 +361,7 @@
+ ##
+ ##
+ #
+-interface(`cron_rw_tcp_sockets',`
++interface(`cron_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type crond_t;
+ ')
@@ -558,11 +473,14 @@
#
interface(`cron_read_system_job_tmp_files',`
@@ -13088,7 +13173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.3.1/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/cups.fc 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cups.fc 2008-07-29 15:03:03.000000000 -0400
@@ -8,24 +8,28 @@
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -13128,7 +13213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/share/hplip/hpssd\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
-+/usr/share/hplip/[^/]*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
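Review bot: Replacing `[^/]*\.py` with `.*\.py` lets the pattern cross directory separators, so every Python file at any depth under /usr/share/hplip is labelled `hplip_exec_t`. That includes modules that are only imported and never run as an entrypoint. If only scripts one level down need the type, a bounded pattern such as `/usr/share/hplip/[^/]*/[^/]*\.py` (constructed example) or explicit paths would keep the entrypoint set small. This is inferred from the regex alone, because the hplip directory layout is not visible in the patch.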
@@ -14038,7 +14123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.3.1/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-07-28 08:37:27.000000000 -0400
@@ -53,6 +53,7 @@
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@@ -14250,7 +14335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
## Read dbus configuration.
##
##
-@@ -366,3 +431,55 @@
+@@ -366,3 +431,73 @@
allow $1 system_dbusd_t:dbus *;
')
@@ -14306,6 +14391,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+ dbus_connect_system_bus($1)
+
+')
++
++########################################
++##
++## Dontaudit Read, and write system dbus TCP sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
++ gen_require(`
++ type system_dbusd_t;
++ ')
++
++ allow $1 system_dbusd_t:tcp_socket { read write };
++')
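Review bot: `dbus_dontaudit_system_bus_rw_tcp_sockets` is named and summarised as a dontaudit interface, but its only rule is `allow $1 system_dbusd_t:tcp_socket { read write };`. That grants the access instead of silencing the denial. If the intent is to hide noise from a leaked descriptor, the rule should be `dontaudit $1 system_dbusd_t:tcp_socket { read write };` and the parameter text should read "Domain to not audit." rather than "Domain allowed access.". The renamed `cron_dontaudit_rw_tcp_sockets` in cron.if deserves the same check, since its rule body lies outside the lines shown in that hunk.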
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-07-15 14:02:52.000000000 -0400
@@ -18124,7 +18227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.3.1/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/mta.te 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/mta.te 2008-07-28 08:35:21.000000000 -0400
@@ -6,6 +6,8 @@
# Declarations
#
@@ -18225,7 +18328,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
logrotate_read_tmp_files(system_mail_t)
')
-@@ -136,11 +175,40 @@
+@@ -114,9 +153,6 @@
+ postfix_config_filetrans(system_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
+ ')
+
+- optional_policy(`
+- cron_rw_tcp_sockets(system_mail_t)
+- ')
+ ')
+
+ optional_policy(`
+@@ -136,11 +172,40 @@
')
optional_policy(`
@@ -18247,7 +18360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
-# should break this up among sections:
+read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-
++
+init_stream_connect_script(mailserver_delivery)
+init_rw_script_stream_sockets(mailserver_delivery)
+
@@ -18256,7 +18369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
+ fs_manage_cifs_files(mailserver_delivery)
+ fs_manage_cifs_symlinks(mailserver_delivery)
+')
-+
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mailserver_delivery)
+ fs_manage_nfs_files(mailserver_delivery)
@@ -18267,7 +18380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
optional_policy(`
# why is mail delivered to a directory of type arpwatch_data_t?
arpwatch_search_data(mailserver_delivery)
-@@ -154,3 +222,4 @@
+@@ -154,3 +219,4 @@
cron_read_system_job_tmp_files(mta_user_agent)
')
')
@@ -23044,7 +23157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.3.1/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/rpc.te 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/rpc.te 2008-07-29 11:05:12.000000000 -0400
@@ -23,7 +23,7 @@
gen_tunable(allow_nfsd_anon_write,false)
@@ -23130,7 +23243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)
-@@ -157,8 +178,14 @@
+@@ -157,8 +178,15 @@
files_list_tmp(gssd_t)
files_read_usr_symlinks(gssd_t)
@@ -23141,11 +23254,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
+userdom_dontaudit_search_users_home_dirs(rpcd_t)
+userdom_dontaudit_search_sysadm_home_dirs(rpcd_t)
++userdom_dontaudit_write_user_tmp_files(user, rpcd_t)
+
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_unpriv_users_tmp(gssd_t)
userdom_read_unpriv_users_tmp_files(gssd_t)
-@@ -166,8 +193,7 @@
+@@ -166,8 +194,7 @@
')
optional_policy(`
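Review bot: The added `userdom_dontaudit_write_user_tmp_files(user, rpcd_t)` names `rpcd_t`, while the neighbouring rules (`files_list_tmp(gssd_t)`, the `allow_gssd_read_tmp` tunable) belong to the gssd policy. The two context lines above it also use `rpcd_t`, so this may be deliberate, but it is worth confirming which domain actually produced the denial. Because a dontaudit rule removes the AVC record entirely, a short comment such as `# rpcd_t inherits a descriptor to a user tmp file; denial is harmless` would record why the write attempt is safe to hide.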
@@ -23873,7 +23987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.3.1/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-07-29 15:52:01.000000000 -0400
@@ -59,6 +59,13 @@
##
gen_tunable(samba_share_nfs,false)
@@ -23928,6 +24042,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
optional_policy(`
kerberos_use(samba_net_t)
+@@ -203,7 +219,7 @@
+ #
+ # smbd Local policy
+ #
+-allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search };
++allow smbd_t self:capability { chown fowner setgid setuid sys_resource lease dac_override dac_read_search };
+ dontaudit smbd_t self:capability sys_tty_config;
+ allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow smbd_t self:process setrlimit;
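Review bot: `chown` is added to the `smbd_t` capability set unconditionally, alongside `fowner`, `dac_override` and `dac_read_search`, with no comment saying which smbd operation requires it. A one-line comment above the rule, for example `# chown: required by <operation that triggered the denial>`, would let a later reviewer judge whether the capability can be dropped or moved behind a tunable. The smbd local policy continues outside this hunk, so an existing justification elsewhere in the file cannot be ruled out.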
@@ -213,7 +229,7 @@
allow smbd_t self:msgq create_msgq_perms;
allow smbd_t self:sem create_sem_perms;
@@ -24430,7 +24553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.3.1/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/sendmail.te 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/sendmail.te 2008-07-25 07:32:08.000000000 -0400
@@ -20,13 +20,17 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -24459,7 +24582,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
-@@ -69,19 +74,23 @@
+@@ -64,24 +69,29 @@
+
+ fs_getattr_all_fs(sendmail_t)
+ fs_search_auto_mountpoints(sendmail_t)
++fs_rw_anon_inodefs_files(sendmail_t)
+
+ term_dontaudit_use_console(sendmail_t)
# for piping mail to a command
corecmd_exec_shell(sendmail_t)
@@ -24483,7 +24612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
auth_use_nsswitch(sendmail_t)
-@@ -91,26 +100,42 @@
+@@ -91,26 +101,42 @@
libs_read_lib_files(sendmail_t)
logging_send_syslog_msg(sendmail_t)
@@ -24527,7 +24656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
postfix_exec_master(sendmail_t)
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
-@@ -118,6 +143,7 @@
+@@ -118,6 +144,7 @@
optional_policy(`
procmail_domtrans(sendmail_t)
@@ -24535,7 +24664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
')
optional_policy(`
-@@ -125,24 +151,25 @@
+@@ -125,24 +152,25 @@
')
optional_policy(`
@@ -27252,7 +27381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-07-29 15:14:04.000000000 -0400
@@ -12,9 +12,15 @@
##
##
@@ -27580,12 +27709,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
-
- allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
- userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file)
-+ domtrans_pattern($2, xauth_exec_t, xauth_t)
-
+-
- manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
- manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
- files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
--
++ domtrans_pattern($2, xauth_exec_t, xauth_t)
+
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
-
- allow $2 $1_xauth_t:process signal;
@@ -27604,14 +27733,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
-
- files_read_etc_files($1_xauth_t)
- files_search_pids($1_xauth_t)
-+ ps_process_pattern($2,xauth_t)
-
+-
- fs_getattr_xattr_fs($1_xauth_t)
- fs_search_auto_mountpoints($1_xauth_t)
-
- # cjp: why?
- term_use_ptmx($1_xauth_t)
--
++ ps_process_pattern($2,xauth_t)
+
- auth_use_nsswitch($1_xauth_t)
-
- libs_use_ld_so($1_xauth_t)
@@ -27660,34 +27789,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
- allow xdm_t $1_iceauth_home_t:file read_file_perms;
+ userdom_use_user_terminals($1,iceauth_t)
-+
+
+- fs_search_auto_mountpoints($1_iceauth_t)
+ optional_policy(`
+ xserver_read_user_iceauth($1, $2)
+ ')
-- fs_search_auto_mountpoints($1_iceauth_t)
+- libs_use_ld_so($1_iceauth_t)
+- libs_use_shared_libs($1_iceauth_t)
+ ##############################
+ #
+ # User X object manager local policy
+ #
-- libs_use_ld_so($1_iceauth_t)
-- libs_use_shared_libs($1_iceauth_t)
+- userdom_use_user_terminals($1,$1_iceauth_t)
+ # Device rules
+ allow xdm_x_domain $2:x_device { getattr setattr setfocus grab bell };
-- userdom_use_user_terminals($1,$1_iceauth_t)
-+ allow $2 { input_xevent_t }:x_event send;
-+ allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send;
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files($1_iceauth_t)
- ')
-+ mls_xwin_read_to_clearance($2)
++ allow $2 { input_xevent_t }:x_event send;
++ allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send;
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files($1_iceauth_t)
- ')
++ mls_xwin_read_to_clearance($2)
++
+ xserver_user_x_domain_template($1,$1_t,$1_t,$1_tmpfs_t)
')
@@ -28320,9 +28449,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
gen_require(`
- type $1_xauth_t, xauth_exec_t;
+ type xauth_exec_t, xauth_t;
- ')
-
-- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
++ ')
++
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
+')
+
@@ -28354,8 +28482,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+template(`xserver_read_user_xauth',`
+ gen_require(`
+ type user_xauth_home_t;
-+ ')
-+
+ ')
+
+- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+ allow $2 user_xauth_home_t:file { getattr read };
+')
+
@@ -28542,7 +28671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1312,3 +1978,120 @@
+@@ -1312,3 +1978,179 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@@ -28663,6 +28792,65 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ files_search_pids($1)
+ write_files_pattern($1,xserver_var_run_t,xserver_var_run_t)
+')
++
++########################################
++##
+ ##
+-## Do not audit attempts to append users
++## Do not audit attempts to write users
+ ## temporary files.
+ ##
+ ##
+@@ -2842,21 +2905,23 @@
+ ##
+ ##
#
- template(`userdom_dontaudit_append_user_tmp_files',`
+-template(`userdom_dontaudit_append_user_tmp_files',`
++template(`userdom_dontaudit_write_user_tmp_files',`
gen_require(`
- type $1_tmp_t;
+ type user_tmp_t;
-+ ')
-+
+ ')
+
+- dontaudit $2 $1_tmp_t:file append;
++ dontaudit $2 user_tmp_t:file write;
+ ')
+
+ ########################################
+ ##
+-## Read and write user temporary files.
++## Do not audit attempts to append users
++## temporary files.
+ ##
+ ##
+ ##
+-## Read and write user temporary files.
++## Do not audit attempts to append users
++## temporary files.
+ ##
+ ##
+ ## This is a templated interface, and should only
+@@ -2871,66 +2936,137 @@
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-template(`userdom_rw_user_tmp_files',`
++template(`userdom_dontaudit_append_user_tmp_files',`
+ gen_require(`
+- type $1_tmp_t;
++ type user_tmp_t;
+ ')
+
+- files_search_tmp($2)
+- allow $2 $1_tmp_t:dir list_dir_perms;
+- rw_files_pattern($2,$1_tmp_t,$1_tmp_t)
+ dontaudit $2 user_tmp_t:file append;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to manage users
+-## temporary files.
+## unlink all unprivileged users files in /tmp
-+##
+ ##
+-##
+-##
+-## Do not audit attempts to manage users
+-## temporary files.
+-##
+-##
+-## This is a templated interface, and should only
+-## be called from a per-userdomain template.
+-##
+-##
+-##
+-##
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
+-##
+-##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-template(`userdom_dontaudit_manage_user_tmp_files',`
++interface(`userdom_unlink_unpriv_users_tmp_files',`
+ gen_require(`
+- type $1_tmp_t;
++ attribute user_tmpfile;
+ ')
+
+- dontaudit $2 $1_tmp_t:file manage_file_perms;
++ files_delete_tmp_dir_entry($1)
++ allow $1 user_tmpfile:file unlink;
+ ')
+
+ ########################################
+ ##
+-## Read user
+-## temporary symbolic links.
++## Connect to unpriviledged users over an unix stream socket.
+ ##
+-##
+-##
+-## Read user
+-## temporary symbolic links.
+-##
+-##
+##
+##
+## Domain allowed access.
+##
+##
+#
-+interface(`userdom_unlink_unpriv_users_tmp_files',`
++interface(`userdom_unpriv_users_stream_connect',`
+ gen_require(`
+ attribute user_tmpfile;
++ attribute userdomain;
+ ')
+
-+ files_delete_tmp_dir_entry($1)
-+ allow $1 user_tmpfile:file unlink;
++ stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain)
+')
+
+########################################
+##
-+## Connect to unpriviledged users over an unix stream socket.
++## Read and write user temporary files.
+##
++##
++##
++## Read and write user temporary files.
++##
++##
++## This is a templated interface, and should only
++## be called from a per-userdomain template.
++##
++##
++##
++##
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++##
++##
+##
+##
+## Domain allowed access.
+##
+##
+#
-+interface(`userdom_unpriv_users_stream_connect',`
++template(`userdom_rw_user_tmp_files',`
+ gen_require(`
-+ attribute user_tmpfile;
-+ attribute userdomain;
- ')
-
-- dontaudit $2 $1_tmp_t:file append;
-+ stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain)
- ')
-
- ########################################
-@@ -2877,12 +2978,12 @@
- #
- template(`userdom_rw_user_tmp_files',`
- gen_require(`
-- type $1_tmp_t;
+ type user_tmp_t;
- ')
-
- files_search_tmp($2)
-- allow $2 $1_tmp_t:dir list_dir_perms;
-- rw_files_pattern($2,$1_tmp_t,$1_tmp_t)
++ ')
++
++ files_search_tmp($2)
+ allow $2 user_tmp_t:dir list_dir_perms;
+ rw_files_pattern($2,user_tmp_t,user_tmp_t)
- ')
-
- ########################################
-@@ -2914,10 +3015,10 @@
- #
- template(`userdom_dontaudit_manage_user_tmp_files',`
- gen_require(`
-- type $1_tmp_t;
++')
++
++########################################
++##
++## Do not audit attempts to manage users
++## temporary files.
++##
++##
++##
++## Do not audit attempts to manage users
++## temporary files.
++##
++##
++## This is a templated interface, and should only
++## be called from a per-userdomain template.
++##
++##
++##
++##
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++##
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++template(`userdom_dontaudit_manage_user_tmp_files',`
++ gen_require(`
+ type user_tmp_t;
- ')
-
-- dontaudit $2 $1_tmp_t:file manage_file_perms;
++ ')
++
+ dontaudit $2 user_tmp_t:file manage_file_perms;
- ')
-
- ########################################
-@@ -2949,12 +3050,12 @@
++')
++
++########################################
++##
++## Read user
++## temporary symbolic links.
++##
++##
++##
++## Read user
++## temporary symbolic links.
++##
++##
+ ## This is a templated interface, and should only
+ ## be called from a per-userdomain template.
+ ##
+@@ -2949,12 +3085,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@@ -36432,7 +36764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2986,11 +3087,11 @@
+@@ -2986,11 +3122,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@@ -36446,7 +36778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3022,11 +3123,11 @@
+@@ -3022,11 +3158,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@@ -36460,7 +36792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3058,11 +3159,11 @@
+@@ -3058,11 +3194,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@@ -36474,7 +36806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3094,11 +3195,11 @@
+@@ -3094,11 +3230,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@@ -36488,7 +36820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3130,11 +3231,11 @@
+@@ -3130,11 +3266,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@@ -36502,7 +36834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3179,10 +3280,10 @@
+@@ -3179,10 +3315,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@@ -36515,7 +36847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_tmp($2)
')
-@@ -3223,10 +3324,10 @@
+@@ -3223,10 +3359,10 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -36528,56 +36860,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3254,24 +3355,24 @@
+@@ -3254,6 +3390,42 @@
##
##
#
--template(`userdom_rw_user_tmpfs_files',`
+template(`userdom_read_user_tmpfs_files',`
- gen_require(`
- type $1_tmpfs_t;
- ')
-
- fs_search_tmpfs($2)
- allow $2 $1_tmpfs_t:dir list_dir_perms;
-- rw_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
-+ read_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
- read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
- ')
-
- ########################################
- ##
--## List users untrusted directories.
-+## Read/write user tmpfs files.
- ##
- ##
- ##
--## List users untrusted directories.
-+## Read/write user tmpfs files.
- ##
- ##
- ## This is a templated interface, and should only
-@@ -3290,12 +3391,84 @@
- ##
- ##
- #
--template(`userdom_list_user_untrusted_content',`
-+template(`userdom_rw_user_tmpfs_files',`
- gen_require(`
-- type $1_untrusted_content_t;
++ gen_require(`
+ type $1_tmpfs_t;
- ')
-
-- allow $2 $1_untrusted_content_t:dir list_dir_perms;
++ ')
++
+ fs_search_tmpfs($2)
+ allow $2 $1_tmpfs_t:dir list_dir_perms;
-+ rw_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
++ read_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
+ read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
+')
+
+########################################
+##
-+## Unlink user tmpfs files.
++## Read/write user tmpfs files.
+##
+##
+##
@@ -36600,24 +36900,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+##
+##
+#
-+template(`userdom_delete_user_tmpfs_files',`
-+ gen_require(`
-+ type $1_tmpfs_t;
-+ ')
-+
-+ fs_search_tmpfs($2)
-+ allow $2 $1_tmpfs_t:dir list_dir_perms;
-+ delete_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
-+ read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
-+')
-+
-+########################################
-+##
-+## List users untrusted directories.
+ template(`userdom_rw_user_tmpfs_files',`
+ gen_require(`
+ type $1_tmpfs_t;
+@@ -3267,6 +3439,42 @@
+
+ ########################################
+ ##
++## Unlink user tmpfs files.
+##
+##
+##
-+## List users untrusted directories.
++## Read/write user tmpfs files.
+##
+##
+## This is a templated interface, and should only
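Review bot: The doc block for `userdom_delete_user_tmpfs_files` contradicts itself on the new side. Its summary reads `Unlink user tmpfs files.`, but the description line below it still reads `Read/write user tmpfs files.`, apparently carried over from the rw template. The description should match the summary, for example `## Unlink user tmpfs files.`, so that a policy author choosing between the read, rw and delete interfaces is not misled about what is granted. The template body is in the following hunk.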
@@ -36636,16 +36930,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+##
+##
+#
-+template(`userdom_list_user_untrusted_content',`
++template(`userdom_delete_user_tmpfs_files',`
+ gen_require(`
-+ type $1_untrusted_content_t;
++ type $1_tmpfs_t;
+ ')
+
-+ allow $2 $1_untrusted_content_t:dir list_dir_perms;
- ')
-
- ########################################
-@@ -3962,6 +4135,24 @@
++ fs_search_tmpfs($2)
++ allow $2 $1_tmpfs_t:dir list_dir_perms;
++ delete_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
++ read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
++')
++
++########################################
++##
+ ## List users untrusted directories.
+ ##
+ ##
+@@ -3962,6 +4170,24 @@
########################################
##
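Review bot: `userdom_delete_user_tmpfs_files` grants more than its name says. Besides `delete_files_pattern` it also carries `read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)`, the same line the read template uses. If callers only need to unlink files, that line can be dropped. If it is needed, a comment such as `# symlink read kept because <reason>` above it would record why. Which callers rely on it cannot be told from this hunk, so they should be checked before anything is removed.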
@@ -36670,7 +36971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Manage unpriviledged user SysV shared
## memory segments.
##
-@@ -4231,11 +4422,11 @@
+@@ -4231,11 +4457,11 @@
#
interface(`userdom_search_staff_home_dirs',`
gen_require(`
@@ -36684,7 +36985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4251,10 +4442,10 @@
+@@ -4251,10 +4477,10 @@
#
interface(`userdom_dontaudit_search_staff_home_dirs',`
gen_require(`
@@ -36697,7 +36998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4270,11 +4461,11 @@
+@@ -4270,11 +4496,11 @@
#
interface(`userdom_manage_staff_home_dirs',`
gen_require(`
@@ -36711,7 +37012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4289,16 +4480,16 @@
+@@ -4289,16 +4515,16 @@
#
interface(`userdom_relabelto_staff_home_dirs',`
gen_require(`
@@ -36731,7 +37032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## users home directory.
##
##
-@@ -4307,12 +4498,35 @@
+@@ -4307,12 +4533,35 @@
##
##
#
@@ -36770,7 +37071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4327,13 +4541,13 @@
+@@ -4327,13 +4576,13 @@
#
interface(`userdom_read_staff_home_content_files',`
gen_require(`
@@ -36788,7 +37089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4531,10 +4745,10 @@
+@@ -4531,10 +4780,10 @@
#
interface(`userdom_getattr_sysadm_home_dirs',`
gen_require(`
@@ -36801,7 +37102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4551,10 +4765,10 @@
+@@ -4551,10 +4800,10 @@
#
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
gen_require(`
@@ -36814,7 +37115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4569,10 +4783,10 @@
+@@ -4569,10 +4818,10 @@
#
interface(`userdom_search_sysadm_home_dirs',`
gen_require(`
@@ -36827,7 +37128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4588,10 +4802,10 @@
+@@ -4588,10 +4837,10 @@
#
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
gen_require(`
@@ -36840,7 +37141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4606,10 +4820,10 @@
+@@ -4606,10 +4855,10 @@
#
interface(`userdom_list_sysadm_home_dirs',`
gen_require(`
@@ -36853,7 +37154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4625,10 +4839,10 @@
+@@ -4625,10 +4874,10 @@
#
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
gen_require(`
@@ -36866,17 +37167,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4644,12 +4858,29 @@
+@@ -4644,12 +4893,29 @@
#
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
gen_require(`
- type sysadm_home_dir_t, sysadm_home_t;
+ type admin_home_t;
- ')
-
-- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
-- dontaudit $1 sysadm_home_t:dir search_dir_perms;
-- dontaudit $1 sysadm_home_t:file read_file_perms;
++ ')
++
+ dontaudit $1 admin_home_t:dir search_dir_perms;
+ dontaudit $1 admin_home_t:file read_file_perms;
+')
@@ -36894,13 +37192,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+interface(`userdom_dontaudit_read_sysadm_home_sym_links',`
+ gen_require(`
+ type admin_home_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+- dontaudit $1 sysadm_home_t:dir search_dir_perms;
+- dontaudit $1 sysadm_home_t:file read_file_perms;
+ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
')
########################################
-@@ -4676,10 +4907,10 @@
+@@ -4676,10 +4942,10 @@
#
interface(`userdom_sysadm_home_dir_filetrans',`
gen_require(`
@@ -36913,7 +37214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4694,10 +4925,10 @@
+@@ -4694,10 +4960,10 @@
#
interface(`userdom_search_sysadm_home_content_dirs',`
gen_require(`
@@ -36926,7 +37227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4712,13 +4943,13 @@
+@@ -4712,13 +4978,13 @@
#
interface(`userdom_read_sysadm_home_content_files',`
gen_require(`
@@ -36944,7 +37245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4754,11 +4985,49 @@
+@@ -4754,11 +5020,49 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -36995,7 +37296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4778,6 +5047,14 @@
+@@ -4778,6 +5082,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -37010,7 +37311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4815,6 +5092,8 @@
+@@ -4815,6 +5127,8 @@
')
dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
@@ -37019,11 +37320,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4839,6 +5118,26 @@
+@@ -4839,7 +5153,7 @@
########################################
##
+-## Create, read, write, and delete all directories
+## delete all directories
+ ## in all users home directories.
+ ##
+ ##
+@@ -4848,18 +5162,57 @@
+ ##
+ ##
+ #
+-interface(`userdom_manage_all_users_home_content_dirs',`
++interface(`userdom_delete_all_users_home_content_dirs',`
+ gen_require(`
+ attribute home_type;
+ ')
+
+ files_list_home($1)
+- allow $1 home_type:dir manage_dir_perms;
++ delete_dirs_pattern($1, home_type, home_type)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete all files
++## Create, read, write, and delete all directories
+## in all users home directories.
+##
+##
@@ -37032,24 +37356,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+##
+##
+#
-+interface(`userdom_delete_all_users_home_content_dirs',`
++interface(`userdom_manage_all_users_home_content_dirs',`
+ gen_require(`
+ attribute home_type;
+ ')
+
+ files_list_home($1)
-+ delete_dirs_pattern($1, home_type, home_type)
++ allow $1 home_type:dir manage_dir_perms;
+')
+
+########################################
+##
- ## Create, read, write, and delete all directories
- ## in all users home directories.
- ##
-@@ -4859,6 +5158,25 @@
-
- ########################################
- ##
+## Delete all files
+## in all users home directories.
+##
@@ -37069,10 +37386,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+########################################
+##
- ## Create, read, write, and delete all files
++## Create, read, write, and delete all files
## in all users home directories.
##
-@@ -4879,6 +5197,26 @@
+ ##
+@@ -4879,6 +5232,26 @@
########################################
##
@@ -37099,7 +37417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete all symlinks
## in all users home directories.
##
-@@ -5115,7 +5453,7 @@
+@@ -5115,7 +5488,7 @@
#
interface(`userdom_relabelto_generic_user_home_dirs',`
gen_require(`
@@ -37108,29 +37426,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
files_search_home($1)
-@@ -5304,8 +5642,8 @@
+@@ -5304,6 +5677,63 @@
########################################
##
--## Create, read, write, and delete directories in
--## unprivileged users home directories.
+## append all unprivileged users home directory
+## files.
- ##
- ##
- ##
-@@ -5313,19 +5651,26 @@
- ##
- ##
- #
--interface(`userdom_manage_unpriv_users_home_content_dirs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`userdom_append_unpriv_users_home_content_files',`
- gen_require(`
- attribute user_home_dir_type, user_home_type;
- ')
-
- files_search_home($1)
-- manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
++ gen_require(`
++ attribute user_home_dir_type, user_home_type;
++ ')
++
++ files_search_home($1)
+ allow $1 user_home_type:dir list_dir_perms;
+ append_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
+ tunable_policy(`use_nfs_home_dirs',`
@@ -37139,95 +37453,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ tunable_policy(`use_samba_home_dirs',`
+ fs_append_cifs_files($1)
+ ')
- ')
-
- ########################################
- ##
--## Create, read, write, and delete files in
--## unprivileged users home directories.
-+## dontaudit Read all unprivileged users home directory
-+## files.
- ##
- ##
- ##
-@@ -5333,18 +5678,29 @@
- ##
- ##
- #
--interface(`userdom_manage_unpriv_users_home_content_files',`
-+interface(`userdom_dontaudit_read_unpriv_users_home_content_files',`
- gen_require(`
- attribute user_home_dir_type, user_home_type;
- ')
-
- files_search_home($1)
-- manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
-+ dontaudit $1 user_home_type:dir list_dir_perms;
-+ dontaudit $1 user_home_type:file read_file_perms;
-+ dontaudit $1 user_home_type:file read_lnk_file_perms;
-+
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_dontaudit_read_nfs_files($1)
-+ ')
-+
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_dontaudit_read_cifs_files($1)
-+ ')
- ')
-
- ########################################
- ##
--## Set the attributes of user ptys.
-+## Create, read, write, and delete directories in
-+## unprivileged users home directories.
- ##
- ##
- ##
-@@ -5352,17 +5708,19 @@
- ##
- ##
- #
--interface(`userdom_setattr_unpriv_users_ptys',`
-+interface(`userdom_manage_unpriv_users_home_content_dirs',`
- gen_require(`
-- attribute user_ptynode;
-+ attribute user_home_dir_type, user_home_type;
- ')
-
-- allow $1 user_ptynode:chr_file setattr;
-+ files_search_home($1)
-+ manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
- ')
-
- ########################################
- ##
--## Read and write unprivileged user ptys.
-+## Create, read, write, and delete files in
-+## unprivileged users home directories.
- ##
- ##
- ##
-@@ -5370,14 +5728,51 @@
- ##
- ##
- #
--interface(`userdom_use_unpriv_users_ptys',`
-+interface(`userdom_manage_unpriv_users_home_content_files',`
- gen_require(`
-- attribute user_ptynode;
-+ attribute user_home_dir_type, user_home_type;
- ')
-
-- term_search_ptys($1)
-- allow $1 user_ptynode:chr_file rw_file_perms;
--')
-+ files_search_home($1)
-+ manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
+')
+
+########################################
+##
-+## Set the attributes of user ptys.
++## dontaudit Read all unprivileged users home directory
++## files.
+##
+##
+##
@@ -37235,36 +37466,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+##
+##
+#
-+interface(`userdom_setattr_unpriv_users_ptys',`
++interface(`userdom_dontaudit_read_unpriv_users_home_content_files',`
+ gen_require(`
-+ attribute user_ptynode;
++ attribute user_home_dir_type, user_home_type;
+ ')
+
-+ allow $1 user_ptynode:chr_file setattr;
-+')
++ files_search_home($1)
++ dontaudit $1 user_home_type:dir list_dir_perms;
++ dontaudit $1 user_home_type:file read_file_perms;
++ dontaudit $1 user_home_type:file read_lnk_file_perms;
+
-+########################################
-+##
-+## Read and write unprivileged user ptys.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_use_unpriv_users_ptys',`
-+ gen_require(`
-+ attribute user_ptynode;
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_dontaudit_read_nfs_files($1)
+ ')
+
-+ term_search_ptys($1)
-+ allow $1 user_ptynode:chr_file rw_file_perms;
++ tunable_policy(`use_samba_home_dirs',`
++ fs_dontaudit_read_cifs_files($1)
++ ')
+')
-
- ########################################
- ##
-@@ -5509,6 +5904,43 @@
++
++########################################
++##
+ ## Create, read, write, and delete directories in
+ ## unprivileged users home directories.
+ ##
+@@ -5509,6 +5939,43 @@
########################################
##
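Review bot: In `userdom_dontaudit_read_unpriv_users_home_content_files` the third dontaudit line pairs class `file` with `read_lnk_file_perms`, so it presumably just repeats the file rule and leaves symlink denials audited. `dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;` looks like what was meant; the sysadm symlink interface earlier in this patch uses `admin_home_t:lnk_file`. The interface also calls `files_search_home($1)`, which in refpolicy is an allow rather than a dontaudit. A caller that only wanted to silence denials therefore gains search access to the home root, whereas `userdom_dontaudit_read_sysadm_home_content_files` contains dontaudit rules only. The doc header of this interface starts in the previous hunk.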
@@ -37308,7 +37534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Read and write unprivileged user ttys.
##
##
-@@ -5559,7 +5991,7 @@
+@@ -5559,7 +6026,7 @@
attribute userdomain;
')
@@ -37317,7 +37543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -5674,6 +6106,42 @@
+@@ -5674,6 +6141,42 @@
########################################
##
@@ -37360,7 +37586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Send a dbus message to all user domains.
##
##
-@@ -5704,3 +6172,408 @@
+@@ -5704,3 +6207,408 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -39077,14 +39303,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i
+## Policy for staff user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.3.1/policy/modules/users/staff.te
--- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/staff.te 2008-07-15 14:02:52.000000000 -0400
-@@ -0,0 +1,29 @@
++++ serefpolicy-3.3.1/policy/modules/users/staff.te 2008-07-29 16:29:56.000000000 -0400
+@@ -0,0 +1,30 @@
+policy_module(staff,1.0.1)
+userdom_admin_login_user_template(staff)
+
+# only staff_r can change to sysadm_r
+userdom_role_change_template(staff, sysadm)
+userdom_dontaudit_use_sysadm_terms(staff_t)
++domain_dontaudit_ptrace_all_domains(staff_t)
+
+kernel_read_ring_buffer(staff_t)
+
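Review bot: The added `domain_dontaudit_ptrace_all_domains(staff_t)` has no comment saying which program triggers the denials, and it covers every domain. The ptrace attempts are still denied, but they no longer reach the audit log, so a staff_t process probing other processes becomes invisible to anyone watching AVC messages. A line such as `# dontaudit: <program> ptraces other domains; the denial is harmless` above it would record the reason. If the noise comes from one known target, a narrower dontaudit would keep the rest visible. The rest of staff.te continues outside this hunk.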
@@ -39207,8 +39434,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.
+## Policy for xguest user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.3.1/policy/modules/users/xguest.te
--- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/xguest.te 2008-07-16 07:34:06.000000000 -0400
-@@ -0,0 +1,70 @@
++++ serefpolicy-3.3.1/policy/modules/users/xguest.te 2008-07-29 15:24:16.000000000 -0400
+@@ -0,0 +1,69 @@
+policy_module(xguest,1.0.1)
+
+##
@@ -39278,7 +39505,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.
+ bluetooth_dbus_chat(xguest_t)
+ ')
+')
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns.spt serefpolicy-3.3.1/policy/support/file_patterns.spt
--- nsaserefpolicy/policy/support/file_patterns.spt 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/support/file_patterns.spt 2008-07-15 14:02:52.000000000 -0400
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a7a0fa7..dda05a5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 80%{?dist}
+Release: 81%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -386,6 +386,11 @@ exit 0
%endif
%changelog
+* Tue Jul 29 2008 Dan Walsh 3.3.1-81
+- Add boolean httpd_execmem
+- Add dontaudit for leaky pam_nssldap
+- Dontaudit ptrace of domains for staff_t
+
* Thu Jul 24 2008 Dan Walsh 3.3.1-80
- Allow system_crond_t to restart init scripts
- Allow dnsmasq to bind to any udp port