|
|
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv10880
Modified Files:
policy-20061106.patch selinux-policy.spec
Log Message:
* Fri Jul 7 2007 Dan Walsh <dwalsh@xxxxxxxxxx> 2.4.6-79
- Allow hal to write to pm-suspend
Resolves:#245926
policy-20061106.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 1
config/appconfig-strict-mls/default_contexts | 6
config/appconfig-strict-mls/seusers | 1
config/appconfig-strict/seusers | 1
man/man8/kerberos_selinux.8 | 2
policy/flask/access_vectors | 21
policy/flask/security_classes | 8
policy/global_tunables | 94 +++-
policy/mls | 31 +
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.if | 17
policy/modules/admin/amanda.te | 11
policy/modules/admin/amtu.fc | 3
policy/modules/admin/amtu.if | 57 ++
policy/modules/admin/amtu.te | 56 ++
policy/modules/admin/backup.te | 5
policy/modules/admin/bootloader.fc | 5
policy/modules/admin/bootloader.te | 14
policy/modules/admin/consoletype.te | 21
policy/modules/admin/ddcprobe.te | 10
policy/modules/admin/dmesg.te | 7
policy/modules/admin/dmidecode.te | 5
policy/modules/admin/firstboot.if | 24 -
policy/modules/admin/kudzu.te | 14
policy/modules/admin/logrotate.te | 5
policy/modules/admin/logwatch.te | 22
policy/modules/admin/netutils.te | 19
policy/modules/admin/portage.te | 5
policy/modules/admin/prelink.te | 23
policy/modules/admin/quota.fc | 7
policy/modules/admin/quota.te | 24 -
policy/modules/admin/readahead.te | 2
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 104 ++++
policy/modules/admin/rpm.te | 49 --
policy/modules/admin/su.if | 38 +
policy/modules/admin/su.te | 2
policy/modules/admin/sudo.if | 13
policy/modules/admin/tripwire.te | 11
policy/modules/admin/usbmodules.te | 5
policy/modules/admin/usermanage.if | 2
policy/modules/admin/usermanage.te | 58 ++
policy/modules/admin/vpn.te | 1
policy/modules/apps/ethereal.te | 5
policy/modules/apps/evolution.if | 107 ++++
policy/modules/apps/evolution.te | 1
policy/modules/apps/games.fc | 1
policy/modules/apps/gnome.fc | 2
policy/modules/apps/gnome.if | 108 ++++
policy/modules/apps/gnome.te | 5
policy/modules/apps/gpg.if | 1
policy/modules/apps/java.fc | 2
policy/modules/apps/java.if | 70 +++
policy/modules/apps/java.te | 2
policy/modules/apps/loadkeys.if | 39 -
policy/modules/apps/mozilla.if | 208 +++++++--
policy/modules/apps/mplayer.if | 84 +++
policy/modules/apps/mplayer.te | 1
policy/modules/apps/slocate.te | 7
policy/modules/apps/thunderbird.if | 81 +++
policy/modules/apps/userhelper.if | 20
policy/modules/apps/webalizer.te | 6
policy/modules/apps/wine.fc | 1
policy/modules/apps/yam.te | 5
policy/modules/kernel/corecommands.fc | 30 +
policy/modules/kernel/corecommands.if | 77 +++
policy/modules/kernel/corenetwork.if.in | 140 ++++++
policy/modules/kernel/corenetwork.te.in | 16
policy/modules/kernel/devices.fc | 8
policy/modules/kernel/devices.if | 36 +
policy/modules/kernel/devices.te | 8
policy/modules/kernel/domain.if | 80 +++
policy/modules/kernel/domain.te | 26 +
policy/modules/kernel/files.fc | 2
policy/modules/kernel/files.if | 224 +++++++++
policy/modules/kernel/filesystem.if | 62 ++
policy/modules/kernel/filesystem.te | 30 +
policy/modules/kernel/kernel.if | 84 +++
policy/modules/kernel/kernel.te | 22
policy/modules/kernel/mls.if | 28 +
policy/modules/kernel/mls.te | 6
policy/modules/kernel/storage.fc | 4
policy/modules/kernel/storage.if | 2
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 21
policy/modules/kernel/terminal.te | 1
policy/modules/services/aide.fc | 3
policy/modules/services/aide.te | 11
policy/modules/services/amavis.if | 19
policy/modules/services/amavis.te | 4
policy/modules/services/apache.fc | 17
policy/modules/services/apache.if | 157 ++++++
policy/modules/services/apache.te | 47 +-
policy/modules/services/apm.te | 3
policy/modules/services/arpwatch.te | 5
policy/modules/services/audioentropy.te | 4
policy/modules/services/automount.fc | 1
policy/modules/services/automount.te | 10
policy/modules/services/avahi.if | 40 +
policy/modules/services/avahi.te | 10
policy/modules/services/bind.fc | 1
policy/modules/services/bind.te | 6
policy/modules/services/bluetooth.te | 10
policy/modules/services/ccs.fc | 1
policy/modules/services/ccs.te | 25 -
policy/modules/services/clamav.te | 3
policy/modules/services/courier.te | 1
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 92 ++-
policy/modules/services/cron.te | 58 ++
policy/modules/services/cups.fc | 5
policy/modules/services/cups.te | 19
policy/modules/services/cvs.te | 2
policy/modules/services/cyrus.te | 5
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 66 ++
policy/modules/services/dbus.te | 4
policy/modules/services/dcc.te | 9
policy/modules/services/dhcp.te | 3
policy/modules/services/dovecot.fc | 1
policy/modules/services/dovecot.if | 44 +
policy/modules/services/dovecot.te | 64 ++
policy/modules/services/fail2ban.fc | 3
policy/modules/services/fail2ban.if | 80 +++
policy/modules/services/fail2ban.te | 74 +++
policy/modules/services/ftp.te | 21
policy/modules/services/hal.fc | 14
policy/modules/services/hal.if | 160 ++++++
policy/modules/services/hal.te | 176 ++++++-
policy/modules/services/inetd.te | 34 +
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.if | 25 +
policy/modules/services/kerberos.te | 21
policy/modules/services/ktalk.fc | 3
policy/modules/services/ktalk.te | 5
policy/modules/services/lpd.if | 75 ++-
policy/modules/services/lpd.te | 5
policy/modules/services/mailman.if | 20
policy/modules/services/mailman.te | 1
policy/modules/services/mta.fc | 1
policy/modules/services/mta.if | 20
policy/modules/services/mta.te | 2
policy/modules/services/munin.te | 5
policy/modules/services/nagios.fc | 3
policy/modules/services/nagios.te | 8
policy/modules/services/networkmanager.fc | 2
policy/modules/services/networkmanager.te | 2
policy/modules/services/nis.fc | 7
policy/modules/services/nis.if | 8
policy/modules/services/nis.te | 39 +
policy/modules/services/nscd.if | 20
policy/modules/services/nscd.te | 31 -
policy/modules/services/ntp.te | 2
policy/modules/services/oav.te | 5
policy/modules/services/oddjob.te | 5
policy/modules/services/openca.if | 4
policy/modules/services/openca.te | 2
policy/modules/services/openct.te | 2
policy/modules/services/openvpn.te | 9
policy/modules/services/pcscd.fc | 9
policy/modules/services/pcscd.if | 62 ++
policy/modules/services/pcscd.te | 79 +++
policy/modules/services/pegasus.if | 31 +
policy/modules/services/pegasus.te | 11
policy/modules/services/portmap.te | 5
policy/modules/services/portslave.te | 1
policy/modules/services/postfix.fc | 2
policy/modules/services/postfix.if | 45 +
policy/modules/services/postfix.te | 94 ++++
policy/modules/services/ppp.te | 2
policy/modules/services/procmail.te | 32 +
policy/modules/services/pyzor.if | 18
policy/modules/services/pyzor.te | 13
policy/modules/services/radius.te | 2
policy/modules/services/radvd.te | 2
policy/modules/services/rhgb.if | 76 +++
policy/modules/services/rhgb.te | 3
policy/modules/services/ricci.te | 26 +
policy/modules/services/rlogin.te | 11
policy/modules/services/rpc.fc | 1
policy/modules/services/rpc.if | 3
policy/modules/services/rpc.te | 27 -
policy/modules/services/rshd.te | 1
policy/modules/services/rsync.te | 1
policy/modules/services/samba.fc | 6
policy/modules/services/samba.if | 101 ++++
policy/modules/services/samba.te | 96 +++-
policy/modules/services/sasl.te | 14
policy/modules/services/sendmail.if | 22
policy/modules/services/sendmail.te | 8
policy/modules/services/setroubleshoot.if | 20
policy/modules/services/setroubleshoot.te | 2
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.if | 17
policy/modules/services/snmp.te | 17
policy/modules/services/spamassassin.fc | 5
policy/modules/services/spamassassin.if | 42 +
policy/modules/services/spamassassin.te | 26 -
policy/modules/services/squid.fc | 2
policy/modules/services/squid.if | 21
policy/modules/services/squid.te | 16
policy/modules/services/ssh.if | 83 +++
policy/modules/services/ssh.te | 14
policy/modules/services/telnet.te | 3
policy/modules/services/tftp.te | 2
policy/modules/services/uucp.fc | 1
policy/modules/services/uucp.if | 67 ++
policy/modules/services/uucp.te | 44 +
policy/modules/services/uwimap.te | 1
policy/modules/services/xserver.fc | 2
policy/modules/services/xserver.if | 211 +++++++++
policy/modules/services/xserver.te | 12
policy/modules/system/authlogin.fc | 1
policy/modules/system/authlogin.if | 180 +++++++
policy/modules/system/authlogin.te | 43 +
policy/modules/system/clock.te | 18
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.if | 19
policy/modules/system/fstools.te | 11
policy/modules/system/getty.te | 14
policy/modules/system/hostname.te | 19
policy/modules/system/init.if | 66 ++
policy/modules/system/init.te | 51 ++
policy/modules/system/ipsec.fc | 5
policy/modules/system/ipsec.if | 99 ++++
policy/modules/system/ipsec.te | 121 +++++
policy/modules/system/iptables.te | 27 -
policy/modules/system/libraries.fc | 43 +
policy/modules/system/libraries.te | 11
policy/modules/system/locallogin.if | 37 +
policy/modules/system/locallogin.te | 11
policy/modules/system/logging.fc | 5
policy/modules/system/logging.if | 61 ++
policy/modules/system/logging.te | 33 +
policy/modules/system/lvm.fc | 2
policy/modules/system/lvm.if | 44 +
policy/modules/system/lvm.te | 92 +++
policy/modules/system/miscfiles.fc | 3
policy/modules/system/miscfiles.if | 79 +++
policy/modules/system/modutils.te | 26 -
policy/modules/system/mount.te | 31 -
policy/modules/system/netlabel.te | 10
policy/modules/system/pcmcia.te | 5
policy/modules/system/raid.te | 16
policy/modules/system/selinuxutil.fc | 10
policy/modules/system/selinuxutil.if | 124 +++++
policy/modules/system/selinuxutil.te | 138 ++---
policy/modules/system/sysnetwork.if | 2
policy/modules/system/sysnetwork.te | 13
policy/modules/system/tzdata.fc | 3
policy/modules/system/tzdata.if | 23
policy/modules/system/tzdata.te | 51 ++
policy/modules/system/udev.te | 22
policy/modules/system/unconfined.fc | 4
policy/modules/system/unconfined.if | 22
policy/modules/system/unconfined.te | 23
policy/modules/system/userdomain.if | 622 +++++++++++++++++++++++----
policy/modules/system/userdomain.te | 117 ++---
policy/modules/system/xen.fc | 1
policy/modules/system/xen.if | 44 +
policy/modules/system/xen.te | 61 ++
policy/support/*Warnings* | 189 ++++++++
policy/support/file_patterns.spt | 534 +++++++++++++++++++++++
policy/support/obj_perm_sets.spt | 144 ++++++
265 files changed, 8070 insertions(+), 811 deletions(-)
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/policy-20061106.patch,v
retrieving revision 1.51
retrieving revision 1.52
diff -u -r1.51 -r1.52
--- policy-20061106.patch 14 Jun 2007 13:56:37 -0000 1.51
+++ policy-20061106.patch 6 Jul 2007 15:35:02 -0000 1.52
@@ -47,8 +47,35 @@
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/flask/access_vectors
serefpolicy-2.4.6/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2006-11-29 12:04:48.000000000
-0500
-+++ serefpolicy-2.4.6/policy/flask/access_vectors 2007-05-22
12:40:26.000000000 -0400
-@@ -619,6 +619,8 @@
++++ serefpolicy-2.4.6/policy/flask/access_vectors 2007-06-26
16:22:26.000000000 -0400
+@@ -185,6 +185,8 @@
+ rawip_recv
+ rawip_send
+ enforce_dest
++ dccp_recv
++ dccp_send
+ }
+
+ class netif
+@@ -195,6 +197,8 @@
+ udp_send
+ rawip_recv
+ rawip_send
++ dccp_recv
++ dccp_send
+ }
+
+ class netlink_socket
+@@ -594,6 +598,8 @@
+ shmempwd
+ shmemgrp
+ shmemhost
++ getserv
++ shmemserv
+ }
+
+ # Define the access vector interpretation for controlling
+@@ -619,6 +625,8 @@
send
recv
relabelto
@@ -57,6 +84,46 @@
}
class key
+@@ -637,3 +645,16 @@
+ translate
+ contains
+ }
++
++class dccp_socket
++inherits socket
++{
++ node_bind
++ name_connect
++}
++
++class memprotect
++{
++ mmap_zero
++}
++
+diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/flask/security_classes
serefpolicy-2.4.6/policy/flask/security_classes
+--- nsaserefpolicy/policy/flask/security_classes 2006-11-29
12:04:48.000000000 -0500
++++ serefpolicy-2.4.6/policy/flask/security_classes 2007-06-26
16:21:45.000000000 -0400
+@@ -63,8 +63,8 @@
+ class xserver # userspace
+ class xextension # userspace
+
+-# pax flags
+-class pax
++# pax flags; deprecated--can be reclaimed
++class pax # userspace
+
+ # extended netlink sockets
+ class netlink_route_socket
+@@ -95,4 +95,8 @@
+
+ class context # userspace
+
++class dccp_socket
++
++class memprotect
++
+ # FLASK
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables
serefpolicy-2.4.6/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2006-11-29 12:04:51.000000000
-0500
+++ serefpolicy-2.4.6/policy/global_tunables 2007-05-22 12:40:26.000000000
-0400
@@ -517,7 +584,7 @@
/sbin/ybin.* --
gen_context(system_u:object_r:bootloader_exec_t,s0)
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/admin/bootloader.te
serefpolicy-2.4.6/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te 2006-11-29
12:04:48.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/bootloader.te 2007-05-22
12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/admin/bootloader.te 2007-07-06
09:36:29.000000000 -0400
@@ -93,6 +93,8 @@
fs_manage_dos_files(bootloader_t)
@@ -543,7 +610,7 @@
')
+
+optional_policy(`
-+ hal_dontaudit_append_var_lib_files(bootloader_t)
++ hal_dontaudit_append_lib_files(bootloader_t)
+')
+
+optional_policy(`
@@ -892,8 +959,8 @@
+')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/admin/prelink.te
serefpolicy-2.4.6/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2006-11-29
12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/prelink.te 2007-05-22
12:40:26.000000000 -0400
-@@ -18,24 +18,33 @@
++++ serefpolicy-2.4.6/policy/modules/admin/prelink.te 2007-07-06
11:23:21.000000000 -0400
+@@ -18,31 +18,39 @@
type prelink_log_t;
logging_log_file(prelink_log_t)
@@ -928,7 +995,15 @@
# prelink misc objects that are not system
# libraries or entrypoints
allow prelink_t prelink_object:file { create_file_perms execute relabelto
relabelfrom };
-@@ -57,6 +66,7 @@
+
+ kernel_read_system_state(prelink_t)
+-kernel_dontaudit_search_kernel_sysctl(prelink_t)
+-kernel_dontaudit_search_sysctl(prelink_t)
++kernel_read_kernel_sysctls(prelink_t)
+
+ corecmd_manage_all_executables(prelink_t)
+ corecmd_relabel_all_executables(prelink_t)
+@@ -57,6 +65,7 @@
files_write_non_security_dirs(prelink_t)
files_read_etc_files(prelink_t)
files_read_etc_runtime_files(prelink_t)
@@ -936,7 +1011,7 @@
fs_getattr_xattr_fs(prelink_t)
-@@ -79,11 +89,15 @@
+@@ -79,11 +88,15 @@
ifdef(`targeted_policy',`
term_use_unallocated_ttys(prelink_t)
term_use_generic_ptys(prelink_t)
@@ -1046,8 +1121,33 @@
/var/lib/alternatives(/.*)?
gen_context(system_u:object_r:rpm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/admin/rpm.if
serefpolicy-2.4.6/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2006-11-29 12:04:49.000000000
-0500
-+++ serefpolicy-2.4.6/policy/modules/admin/rpm.if 2007-05-22
12:40:26.000000000 -0400
-@@ -278,3 +278,89 @@
++++ serefpolicy-2.4.6/policy/modules/admin/rpm.if 2007-06-18
11:24:35.000000000 -0400
+@@ -218,6 +218,24 @@
+
+ ########################################
+ ## <summary>
++## dontaudit and use file descriptors from RPM scripts.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`rpm_dontaudit_use_script_fds',`
++ gen_require(`
++ type rpm_script_t;
++ ')
++
++ dontaudit $1 rpm_script_t:fd use;
++')
++
++########################################
++## <summary>
+ ## Read the RPM package database.
+ ## </summary>
+ ## <param name="domain">
+@@ -278,3 +296,89 @@
dontaudit $1 rpm_var_lib_t:file create_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file create_lnk_perms;
')
@@ -3381,8 +3481,33 @@
/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/kernel/devices.if
serefpolicy-2.4.6/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2006-11-29
12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/devices.if 2007-05-22
12:40:26.000000000 -0400
-@@ -3248,3 +3248,21 @@
++++ serefpolicy-2.4.6/policy/modules/kernel/devices.if 2007-07-03
12:59:04.000000000 -0400
+@@ -2717,6 +2717,24 @@
+
+ ########################################
+ ## <summary>
++## Get the attributes of a directory in the usb filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_search_usbfs_dirs',`
++ gen_require(`
++ type usbfs_t;
++ ')
++
++ allow $1 usbfs_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
+ ## Mount a usbfs filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -3248,3 +3266,21 @@
typeattribute $1 devices_unconfined_type;
')
@@ -3431,7 +3556,7 @@
# random_device_t is the type of /dev/random
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/kernel/domain.if
serefpolicy-2.4.6/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2006-11-29
12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/domain.if 2007-05-22
12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/kernel/domain.if 2007-06-22
21:48:34.000000000 -0400
@@ -413,6 +413,24 @@
########################################
@@ -3457,7 +3582,7 @@
## Send general signals to all domains.
## </summary>
## <param name="domain">
-@@ -1276,3 +1294,43 @@
+@@ -1276,3 +1294,65 @@
domain_trans($1,$2,$3)
type_transition $1 $2:process $3;
')
@@ -3501,10 +3626,43 @@
+ allow $1 domain:association { sendto recvfrom };
+')
+
++########################################
++## <summary>
++## Ability to mmap a low area of the address space,
++## as configured by /proc/sys/kernel/mmap_min_addr.
++## Preventing such mappings helps protect against
++## exploiting null deref bugs in the kernel.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to mmap low memory.
++## </summary>
++## </param>
++#
++interface(`domain_mmap_low',`
++ gen_require(`
++ attribute mmap_low_domain_type;
++ ')
++
++ allow $1 self:memprotect mmap_zero;
++
++ typeattribute $1 mmap_low_domain_type;
++')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/kernel/domain.te
serefpolicy-2.4.6/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2006-11-29
12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/domain.te 2007-05-22
12:40:26.000000000 -0400
-@@ -144,3 +144,25 @@
++++ serefpolicy-2.4.6/policy/modules/kernel/domain.te 2007-06-22
14:13:07.000000000 -0400
+@@ -15,6 +15,10 @@
+ # Domains that are unconfined
+ attribute unconfined_domain_type;
+
++# Domains that can mmap low memory.
++attribute mmap_low_domain_type;
++neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
++
+ # Domains that can set their current context
+ # (perform dynamic transitions)
+ attribute set_curr_context;
+@@ -144,3 +148,25 @@
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -4313,8 +4471,16 @@
attribute privrangetrans;
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/kernel/storage.fc
serefpolicy-2.4.6/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2006-11-29
12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/storage.fc 2007-05-22
12:40:26.000000000 -0400
-@@ -42,7 +42,8 @@
++++ serefpolicy-2.4.6/policy/modules/kernel/storage.fc 2007-07-06
10:28:37.000000000 -0400
+@@ -23,6 +23,7 @@
+ /dev/loop.* -b
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/lvm -c
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/mcdx? -b
gen_context(system_u:object_r:removable_device_t,s0)
++/dev/megadev.* -c
gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/mmcblk.* -b
gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/nb[^/]+ -b
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/optcd -b
gen_context(system_u:object_r:removable_device_t,s0)
+@@ -42,7 +43,8 @@
/dev/sjcd -b
gen_context(system_u:object_r:removable_device_t,s0)
/dev/sonycd -b
gen_context(system_u:object_r:removable_device_t,s0)
/dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0)
@@ -4735,7 +4901,16 @@
+')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/apache.te
serefpolicy-2.4.6/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2006-11-29
12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/apache.te 2007-05-23
13:48:48.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/apache.te 2007-07-03
10:49:14.000000000 -0400
+@@ -129,7 +129,7 @@
+ # Apache server local policy
+ #
+
+-allow httpd_t self:capability { chown dac_override kill setgid setuid
sys_tty_config };
++allow httpd_t self:capability { chown dac_override kill setgid setuid
sys_nice sys_tty_config };
+ dontaudit httpd_t self:capability { net_admin sys_tty_config };
+ allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
execmem execstack execheap };
+ allow httpd_t self:fd use;
@@ -143,6 +143,8 @@
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto
};
allow httpd_t self:tcp_socket create_stream_socket_perms;
@@ -4818,7 +4993,16 @@
allow httpd_sys_script_t squirrelmail_spool_t:dir r_dir_perms;
allow httpd_sys_script_t squirrelmail_spool_t:file r_file_perms;
-@@ -695,6 +713,7 @@
+@@ -659,6 +677,8 @@
+ # Should we add a boolean?
+ apache_domtrans_rotatelogs(httpd_sys_script_t)
+
++sysnet_read_config(httpd_sys_script_t)
++
+ ifdef(`distro_redhat',`
+ allow httpd_sys_script_t httpd_log_t:file { getattr append };
+ ')
+@@ -695,6 +715,7 @@
optional_policy(`
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
@@ -4826,7 +5010,7 @@
')
########################################
-@@ -704,6 +723,8 @@
+@@ -704,6 +725,8 @@
allow httpd_rotatelogs_t httpd_log_t:dir rw_dir_perms;
allow httpd_rotatelogs_t httpd_log_t:file manage_file_perms;
@@ -4835,7 +5019,7 @@
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
-@@ -714,9 +735,27 @@
+@@ -714,9 +737,27 @@
libs_use_ld_so(httpd_rotatelogs_t)
libs_use_shared_libs(httpd_rotatelogs_t)
@@ -4953,7 +5137,7 @@
# /usr
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/automount.te
serefpolicy-2.4.6/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2006-11-29
12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/automount.te 2007-05-22
12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/automount.te 2007-07-01
21:22:12.000000000 -0400
@@ -13,8 +13,7 @@
type automount_var_run_t;
files_pid_file(automount_var_run_t)
@@ -4991,6 +5175,14 @@
fs_mount_all_fs(automount_t)
fs_unmount_all_fs(automount_t)
+@@ -106,6 +103,7 @@
+
+ dev_read_sysfs(automount_t)
+ # for SSP
++dev_read_rand(automount_t)
+ dev_read_urand(automount_t)
+
+ domain_use_interactive_fds(automount_t)
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/avahi.if
serefpolicy-2.4.6/policy/modules/services/avahi.if
--- nsaserefpolicy/policy/modules/services/avahi.if 2006-11-29
12:04:49.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/avahi.if 2007-05-22
12:40:26.000000000 -0400
@@ -5643,7 +5835,7 @@
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/cups.fc
serefpolicy-2.4.6/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2006-11-29
12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cups.fc 2007-05-22
12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/cups.fc 2007-07-06
10:56:58.000000000 -0400
@@ -8,6 +8,7 @@
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -5662,6 +5854,11 @@
/usr/lib(64)?/cups/daemon/.* --
gen_context(system_u:object_r:cupsd_exec_t,s0)
/usr/lib(64)?/cups/daemon/cups-lpd --
gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+@@ -52,3 +56,4 @@
+ /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+
+ /var/spool/cups(/.*)?
gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
++/usr/local/Brother/inf(/.*)?
gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/cups.te
serefpolicy-2.4.6/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2006-11-29
12:04:49.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/cups.te 2007-05-22
12:40:26.000000000 -0400
@@ -5958,8 +6155,14 @@
+')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/dhcp.te
serefpolicy-2.4.6/policy/modules/services/dhcp.te
--- nsaserefpolicy/policy/modules/services/dhcp.te 2006-11-29
12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/dhcp.te 2007-05-22
12:40:26.000000000 -0400
-@@ -127,6 +127,8 @@
++++ serefpolicy-2.4.6/policy/modules/services/dhcp.te 2007-07-02
12:08:23.000000000 -0400
+@@ -1,4 +1,5 @@
+
++
+ policy_module(dhcp,1.2.0)
+
+ ########################################
+@@ -127,6 +128,8 @@
dbus_system_bus_client_template(dhcpd,dhcpd_t)
dbus_connect_system_bus(dhcpd_t)
dbus_send_system_bus(dhcpd_t)
@@ -6431,27 +6634,90 @@
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/hal.fc
serefpolicy-2.4.6/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2006-11-29
12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/hal.fc 2007-05-22
12:40:26.000000000 -0400
-@@ -7,3 +7,7 @@
++++ serefpolicy-2.4.6/policy/modules/services/hal.fc 2007-07-06
09:29:41.000000000 -0400
+@@ -6,4 +6,16 @@
+
/usr/sbin/hald --
gen_context(system_u:object_r:hald_exec_t,s0)
- /usr/share/hal/device-manager/hal-device-manager --
gen_context(system_u:object_r:bin_t,s0)
+-/usr/share/hal/device-manager/hal-device-manager --
gen_context(system_u:object_r:bin_t,s0)
++/var/lib/hal(/.*)?
gen_context(system_u:object_r:hald_var_lib_t,s0)
++
++/var/cache/hald(/.*)?
gen_context(system_u:object_r:hald_cache_t,s0)
++
++/var/run/haldaemon.pid --
gen_context(system_u:object_r:hald_var_run_t,s0)
++/var/run/vbestate --
gen_context(system_u:object_r:hald_var_run_t,s0)
+
-+/var/lib/hal(/.*)?
gen_context(system_u:object_r:hald_var_lib_t,s0)
++/usr/libexec/hal-acl-tool --
gen_context(system_u:object_r:hald_acl_exec_t,s0)
++/usr/libexec/hald-addon-macbookpro-backlight --
gen_context(system_u:object_r:hald_mac_exec_t,s0)
++/usr/libexec/hal-system-sonypic --
gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
++
++/var/log/pm-suspend.log
gen_context(system_u:object_r:hald_log_t,s0)
+
-+/var/run/haldaemon.pid --
gen_context(system_u:object_r:hald_var_run_t,s0)
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/hal.if
serefpolicy-2.4.6/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2006-11-29
12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/hal.if 2007-05-22
12:40:26.000000000 -0400
-@@ -157,3 +157,117 @@
- files_search_pids($1)
- allow $1 hald_var_run_t:file rw_file_perms;
- ')
++++ serefpolicy-2.4.6/policy/modules/services/hal.if 2007-07-06
09:29:44.000000000 -0400
+@@ -15,12 +15,44 @@
+ type hald_t, hald_exec_t;
+ ')
+
+- domain_auto_trans($1,hald_exec_t,hald_t)
++ domtrans_pattern($1,hald_exec_t,hald_t)
++')
++
++########################################
++## <summary>
++## Do not audit attempts to use file descriptors from hal.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`hal_dontaudit_use_fds',`
++ gen_require(`
++ type hald_t;
++ ')
+
++ dontaudit $1 hald_t:fd use;
++')
+
+########################################
+## <summary>
-+## dontaudit Read/Write hal libraries files
++## Do not audit attempts to read and write to
++## hald unnamed pipes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`hal_dontaudit_rw_pipes',`
++ gen_require(`
++ type hald_t;
++ ')
+
+- allow $1 hald_t:fd use;
+- allow hald_t $1:fd use;
+- allow hald_t $1:fifo_file rw_file_perms;
+- allow hald_t $1:process sigchld;
++ dontaudit $1 hald_t:fifo_file rw_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -116,7 +148,26 @@
+ type hald_tmp_t;
+ ')
+
+- allow $1 hald_tmp_t:file r_file_perms;
++ allow $1 hald_tmp_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++## Do not audit attempts to read or write
++## HAL libraries files
+## </summary>
+## <param name="domain">
+## <summary>
@@ -6459,14 +6725,28 @@
+## </summary>
+## </param>
+#
-+interface(`hal_dontaudit_append_var_lib_files',`
++interface(`hal_dontaudit_append_lib_files',`
+ gen_require(`
+ type hald_var_lib_t;
+ ')
+
-+ files_search_pids($1)
-+ dontaudit $1 hald_var_lib_t:file ra_file_perms;
-+')
++ dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms };
+ ')
+
+ ########################################
+@@ -135,7 +186,7 @@
+ ')
+
+ files_search_pids($1)
+- allow $1 hald_var_run_t:file r_file_perms;
++ allow $1 hald_var_run_t:file read_file_perms;
+ ')
+
+
+@@ -157,3 +208,98 @@
+ files_search_pids($1)
+ allow $1 hald_var_run_t:file rw_file_perms;
+ ')
+
+########################################
+## <summary>
@@ -6527,44 +6807,82 @@
+
+########################################
+## <summary>
-+## dontaudit use file descriptors for hal
++## Allow attempts to read and write to
++## hald unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
-+## The type of the process performing this action.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`hal_dontaudit_use_fds',`
++interface(`hal_rw_pipes',`
+ gen_require(`
+ type hald_t;
+ ')
+
-+ dontaudit $1 hald_t:fd use;
++ allow $1 hald_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
-+## Read/Write to hald unnamed pipes.
++## Allow ptrace of hal domain
+## </summary>
+## <param name="domain">
+## <summary>
-+## The type of the process performing this action.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`hal_dontaudit_rw_pipes',`
++interface(`hal_ptrace',`
+ gen_require(`
+ type hald_t;
+ ')
+
-+ dontaudit $1 hald_t:fifo_file rw_file_perms;
++ allow $1 hald_t:process ptrace;
+')
+
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/hal.te
serefpolicy-2.4.6/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2006-11-29
12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/hal.te 2007-05-22
12:40:26.000000000 -0400
-@@ -16,19 +16,22 @@
++++ serefpolicy-2.4.6/policy/modules/services/hal.te 2007-07-06
09:29:37.000000000 -0400
+@@ -1,5 +1,5 @@
+
+-policy_module(hal,1.4.1)
++policy_module(hal,1.6.1)
+
+ ########################################
+ #
+@@ -10,44 +10,80 @@
+ type hald_exec_t;
+ init_daemon_domain(hald_t,hald_exec_t)
+
++type hald_acl_t;
++type hald_acl_exec_t;
++domain_type(hald_acl_t)
++domain_entry_file(hald_acl_t,hald_acl_exec_t)
++role system_r types hald_acl_t;
++
++type hald_cache_t;
++files_pid_file(hald_cache_t)
++
++type hald_log_t;
++files_type(hald_log_t)
++
++type hald_mac_t;
++type hald_mac_exec_t;
++domain_type(hald_mac_t)
++domain_entry_file(hald_mac_t,hald_mac_exec_t)
++role system_r types hald_mac_t;
++
++type hald_sonypic_t;
++type hald_sonypic_exec_t;
++domain_type(hald_sonypic_t)
++domain_entry_file(hald_sonypic_t,hald_sonypic_exec_t)
++role system_r types hald_sonypic_t;
++
+ type hald_tmp_t;
+ files_tmp_file(hald_tmp_t)
+
type hald_var_run_t;
files_pid_file(hald_var_run_t)
@@ -6580,50 +6898,58 @@
-allow hald_t self:capability { audit_write chown setuid setgid kill net_admin
sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config
};
-dontaudit hald_t self:capability sys_tty_config;
+allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin
sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
-+dontaudit hald_t self:capability { sys_ptrace sys_tty_config };
++dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
allow hald_t self:process signal_perms;
- allow hald_t self:fifo_file rw_file_perms;
+-allow hald_t self:fifo_file rw_file_perms;
++allow hald_t self:fifo_file rw_fifo_file_perms;
allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow hald_t self:unix_dgram_socket create_socket_perms;
-allow hald_t self:netlink_audit_socket { create_netlink_socket_perms
nlmsg_relay };
-+logging_send_audit_msg(hald_t)
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
allow hald_t self:tcp_socket create_stream_socket_perms;
allow hald_t self:udp_socket create_socket_perms;
-@@ -39,6 +42,11 @@
- allow hald_t hald_tmp_t:file create_file_perms;
+ # For backwards compatibility with older kernels
+ allow hald_t self:netlink_socket create_socket_perms;
+
+-allow hald_t hald_tmp_t:dir create_dir_perms;
+-allow hald_t hald_tmp_t:file create_file_perms;
++manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)
++
++# log files for hald
++allow hald_t hald_log_t:file manage_file_perms;
++logging_log_filetrans(hald_t,hald_log_t,file)
++
++manage_dirs_pattern(hald_t,hald_tmp_t,hald_tmp_t)
++manage_files_pattern(hald_t,hald_tmp_t,hald_tmp_t)
files_tmp_filetrans(hald_t, hald_tmp_t, { file dir })
+-allow hald_t hald_var_run_t:file create_file_perms;
+-allow hald_t hald_var_run_t:dir rw_dir_perms;
+# var/lib files for hald
-+allow hald_t hald_var_lib_t:file create_file_perms;
-+allow hald_t hald_var_lib_t:sock_file create_file_perms;
-+allow hald_t hald_var_lib_t:dir create_dir_perms;
++manage_dirs_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
++manage_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
++manage_sock_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
+
- allow hald_t hald_var_run_t:file create_file_perms;
- allow hald_t hald_var_run_t:dir rw_dir_perms;
++manage_files_pattern(hald_t,hald_var_run_t,hald_var_run_t)
files_pid_filetrans(hald_t,hald_var_run_t,file)
-@@ -47,7 +55,7 @@
+
+ kernel_read_system_state(hald_t)
kernel_read_network_state(hald_t)
- kernel_read_kernel_sysctls(hald_t)
+-kernel_read_kernel_sysctls(hald_t)
++kernel_rw_kernel_sysctl(hald_t)
kernel_read_fs_sysctls(hald_t)
-kernel_read_irq_sysctls(hald_t)
+kernel_rw_irq_sysctls(hald_t)
kernel_rw_vm_sysctls(hald_t)
kernel_write_proc_files(hald_t)
-@@ -75,11 +83,19 @@
- dev_setattr_generic_usb_dev(hald_t)
- dev_setattr_usbfs_files(hald_t)
+@@ -77,9 +113,13 @@
dev_rw_power_management(hald_t)
-+
# hal is now execing pm-suspend
dev_rw_sysfs(hald_t)
+dev_read_sound(hald_t)
+dev_write_sound(hald_t)
-+dev_setattr_sound_dev(hald_t)
-+
+dev_read_raw_memory(hald_t)
-+dev_write_raw_memory(hald_t)
domain_use_interactive_fds(hald_t)
domain_read_all_domains_state(hald_t)
@@ -6631,7 +6957,7 @@
files_exec_etc_files(hald_t)
files_read_etc_files(hald_t)
-@@ -93,6 +109,7 @@
+@@ -93,9 +133,11 @@
files_create_boot_flag(hald_t)
files_getattr_all_dirs(hald_t)
files_read_kernel_img(hald_t)
@@ -6639,14 +6965,162 @@
fs_getattr_all_fs(hald_t)
fs_search_all(hald_t)
-@@ -126,6 +143,7 @@
++fs_list_inotifyfs(hald_t)
+ fs_list_auto_mountpoints(hald_t)
+ files_getattr_all_mountpoints(hald_t)
+
+@@ -119,19 +161,18 @@
+
+ auth_use_nsswitch(hald_t)
+
+-init_use_fds(hald_t)
+-init_use_script_ptys(hald_t)
+ init_domtrans_script(hald_t)
+-init_write_initctl(hald_t)
init_read_utmp(hald_t)
#hal runs shutdown, probably need a shutdown domain
init_rw_utmp(hald_t)
-+init_exec(hald_t)
++init_telinit(hald_t)
libs_use_ld_so(hald_t)
libs_use_shared_libs(hald_t)
+ libs_exec_ld_so(hald_t)
+ libs_exec_lib_files(hald_t)
+
++logging_send_audit_msg(hald_t)
+ logging_send_syslog_msg(hald_t)
+ logging_search_logs(hald_t)
+
+@@ -142,6 +183,7 @@
+
+ seutil_read_config(hald_t)
+ seutil_read_default_contexts(hald_t)
++seutil_read_file_contexts(hald_t)
+
+ sysnet_read_config(hald_t)
+
+@@ -149,12 +191,16 @@
+ userdom_dontaudit_search_sysadm_home_dirs(hald_t)
+
+ ifdef(`targeted_policy',`
+- term_dontaudit_use_console(hald_t)
+ term_dontaudit_use_generic_ptys(hald_t)
+ files_dontaudit_read_root_files(hald_t)
+ ')
+
+ optional_policy(`
++ alsa_domtrans(hald_t)
++ alsa_read_rw_config(hald_t)
++')
++
++optional_policy(`
+ bootloader_domtrans(hald_t)
+ ')
+
+@@ -240,3 +286,103 @@
+ optional_policy(`
+ vbetool_domtrans(hald_t)
+ ')
++
++########################################
++#
++# Hal acl local policy
++#
++
++allow hald_acl_t self:capability { dac_override fowner };
++allow hald_acl_t self:fifo_file read_fifo_file_perms;
++
++domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
++allow hald_t hald_acl_t:process signal;
++allow hald_acl_t hald_t:unix_stream_socket connectto;
++
++manage_dirs_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t)
++manage_files_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t)
++files_search_var_lib(hald_acl_t)
++
++corecmd_exec_bin(hald_acl_t)
++
++dev_getattr_all_chr_files(hald_acl_t)
++dev_getattr_generic_usb_dev(hald_acl_t)
++dev_getattr_video_dev(hald_acl_t)
++dev_setattr_video_dev(hald_acl_t)
++dev_getattr_sound_dev(hald_acl_t)
++dev_setattr_sound_dev(hald_acl_t)
++dev_setattr_generic_usb_dev(hald_acl_t)
++dev_setattr_usbfs_files(hald_acl_t)
++
++files_read_usr_files(hald_acl_t)
++files_read_etc_files(hald_acl_t)
++
++storage_getattr_removable_dev(hald_acl_t)
++storage_setattr_removable_dev(hald_acl_t)
++
++auth_use_nsswitch(hald_acl_t)
++
++libs_use_ld_so(hald_acl_t)
++libs_use_shared_libs(hald_acl_t)
++
++miscfiles_read_localization(hald_acl_t)
++
++ifdef(`targeted_policy',`
++ term_dontaudit_use_console(hald_acl_t)
++ term_dontaudit_use_generic_ptys(hald_acl_t)
++')
++
++########################################
++#
++# Local hald mac policy
++#
++
++domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
++allow hald_t hald_mac_t:process signal;
++allow hald_mac_t hald_t:unix_stream_socket connectto;
++
++manage_dirs_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
++manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
++files_search_var_lib(hald_mac_t)
++
++dev_write_raw_memory(hald_mac_t)
++
++files_read_usr_files(hald_mac_t)
++
++libs_use_ld_so(hald_mac_t)
++libs_use_shared_libs(hald_mac_t)
++
++miscfiles_read_localization(hald_mac_t)
++
++ifdef(`targeted_policy',`
++ term_dontaudit_use_console(hald_mac_t)
++ term_dontaudit_use_generic_ptys(hald_mac_t)
++')
++
++########################################
++#
++# Local hald sonypic policy
++#
++
++domtrans_pattern(hald_t, hald_sonypic_exec_t, hald_sonypic_t)
++allow hald_t hald_sonypic_t:process signal;
++allow hald_sonypic_t hald_t:unix_stream_socket connectto;
++
++dev_read_video_dev(hald_sonypic_t)
++dev_write_video_dev(hald_sonypic_t)
++
++manage_dirs_pattern(hald_sonypic_t,hald_var_lib_t,hald_var_lib_t)
++manage_files_pattern(hald_sonypic_t,hald_var_lib_t,hald_var_lib_t)
++files_search_var_lib(hald_sonypic_t)
++
++files_read_usr_files(hald_sonypic_t)
++
++libs_use_ld_so(hald_sonypic_t)
++libs_use_shared_libs(hald_sonypic_t)
++
++miscfiles_read_localization(hald_sonypic_t)
++
++ifdef(`targeted_policy',`
++ term_dontaudit_use_console(hald_sonypic_t)
++ term_dontaudit_use_generic_ptys(hald_sonypic_t)
++')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/inetd.te
serefpolicy-2.4.6/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2006-11-29
12:04:49.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/inetd.te 2007-05-31
14:33:45.000000000 -0400
@@ -6816,7 +7290,7 @@
+
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/kerberos.te
serefpolicy-2.4.6/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2006-11-29
12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/kerberos.te 2007-05-22
12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/kerberos.te 2007-06-27
11:42:22.000000000 -0400
@@ -69,7 +69,7 @@
allow kadmind_t krb5kdc_conf_t:dir search;
@@ -6826,7 +7300,33 @@
allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
-@@ -156,14 +156,22 @@
+@@ -86,6 +86,7 @@
+ kernel_read_kernel_sysctls(kadmind_t)
+ kernel_list_proc(kadmind_t)
+ kernel_read_proc_symlinks(kadmind_t)
++kernel_read_system_state(kadmind_t)
+
+ corenet_non_ipsec_sendrecv(kadmind_t)
+ corenet_tcp_sendrecv_all_if(kadmind_t)
+@@ -114,6 +115,9 @@
+ domain_use_interactive_fds(kadmind_t)
+
+ files_read_etc_files(kadmind_t)
++files_read_usr_symlinks(kadmind_t)
++files_read_usr_files(kadmind_t)
++files_read_var_files(kadmind_t)
+
+ init_use_fds(kadmind_t)
+ init_use_script_ptys(kadmind_t)
+@@ -126,6 +130,7 @@
+ miscfiles_read_localization(kadmind_t)
+
+ sysnet_read_config(kadmind_t)
++sysnet_use_ldap(kadmind_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
+ userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
+@@ -156,14 +161,22 @@
# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner
dac_override sys_nice };
dontaudit krb5kdc_t self:capability sys_tty_config;
@@ -6851,7 +7351,7 @@
can_exec(krb5kdc_t, krb5kdc_exec_t)
allow krb5kdc_t krb5kdc_conf_t:dir search;
-@@ -189,6 +197,7 @@
+@@ -189,6 +202,7 @@
kernel_list_proc(krb5kdc_t)
kernel_read_proc_symlinks(krb5kdc_t)
kernel_read_network_state(krb5kdc_t)
@@ -6859,6 +7359,14 @@
corenet_non_ipsec_sendrecv(krb5kdc_t)
corenet_tcp_sendrecv_all_if(krb5kdc_t)
+@@ -226,6 +240,7 @@
+ miscfiles_read_localization(krb5kdc_t)
+
+ sysnet_read_config(krb5kdc_t)
++sysnet_use_ldap(krb5kdc_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
+ userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/ktalk.fc
serefpolicy-2.4.6/policy/modules/services/ktalk.fc
--- nsaserefpolicy/policy/modules/services/ktalk.fc 2006-11-29
12:04:51.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/ktalk.fc 2007-05-22
12:40:26.000000000 -0400
@@ -7235,8 +7743,16 @@
allow ypxfr_t $1:process sigchld;
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/nis.te
serefpolicy-2.4.6/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2006-11-29
12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/nis.te 2007-06-04
11:06:56.000000000 -0400
-@@ -170,8 +170,8 @@
++++ serefpolicy-2.4.6/policy/modules/services/nis.te 2007-07-06
11:31:29.000000000 -0400
+@@ -139,6 +139,7 @@
+ # yppasswdd local policy
+ #
+
++allow yppasswdd_t self:capability dac_override;
+ dontaudit yppasswdd_t self:capability sys_tty_config;
+ allow yppasswdd_t self:fifo_file rw_file_perms;
+ allow yppasswdd_t self:process { setfscreate signal_perms };
+@@ -170,8 +171,8 @@
corenet_udp_sendrecv_all_ports(yppasswdd_t)
corenet_tcp_bind_all_nodes(yppasswdd_t)
corenet_udp_bind_all_nodes(yppasswdd_t)
@@ -7247,7 +7763,7 @@
corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
corenet_sendrecv_generic_server_packets(yppasswdd_t)
-@@ -275,6 +275,8 @@
+@@ -275,6 +276,8 @@
corenet_udp_bind_all_nodes(ypserv_t)
corenet_tcp_bind_reserved_port(ypserv_t)
corenet_udp_bind_reserved_port(ypserv_t)
@@ -7256,7 +7772,7 @@
corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
corenet_sendrecv_generic_server_packets(ypserv_t)
-@@ -291,6 +293,7 @@
+@@ -291,6 +294,7 @@
domain_use_interactive_fds(ypserv_t)
files_read_var_files(ypserv_t)
@@ -7264,7 +7780,7 @@
init_use_fds(ypserv_t)
init_use_script_ptys(ypserv_t)
-@@ -329,7 +332,19 @@
+@@ -329,7 +333,19 @@
# ypxfr local policy
#
@@ -7284,7 +7800,7 @@
corenet_non_ipsec_sendrecv(ypxfr_t)
corenet_tcp_sendrecv_all_if(ypxfr_t)
-@@ -342,10 +357,29 @@
+@@ -342,10 +358,29 @@
corenet_udp_bind_all_nodes(ypxfr_t)
corenet_tcp_bind_reserved_port(ypxfr_t)
corenet_udp_bind_reserved_port(ypxfr_t)
@@ -7343,7 +7859,7 @@
+
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/nscd.te
serefpolicy-2.4.6/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2006-11-29
12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/nscd.te 2007-06-04
14:59:43.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/nscd.te 2007-07-02
11:37:15.000000000 -0400
@@ -28,15 +28,14 @@
# Local policy
#
@@ -7371,7 +7887,15 @@
corenet_non_ipsec_sendrecv(nscd_t)
corenet_tcp_sendrecv_all_if(nscd_t)
-@@ -100,14 +100,12 @@
+@@ -75,6 +75,7 @@
+ corenet_udp_sendrecv_all_nodes(nscd_t)
+ corenet_tcp_sendrecv_all_ports(nscd_t)
+ corenet_udp_sendrecv_all_ports(nscd_t)
++corenet_udp_bind_all_nodes(nscd_t)
+ corenet_tcp_connect_all_ports(nscd_t)
+ corenet_sendrecv_all_client_packets(nscd_t)
+ corenet_rw_tun_tap_dev(nscd_t)
+@@ -100,14 +101,12 @@
logging_send_syslog_msg(nscd_t)
@@ -7386,7 +7910,7 @@
sysnet_read_config(nscd_t)
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
-@@ -120,14 +118,9 @@
+@@ -120,14 +119,9 @@
term_dontaudit_use_unallocated_ttys(nscd_t)
term_dontaudit_use_generic_ptys(nscd_t)
files_dontaudit_read_root_files(nscd_t)
@@ -7404,7 +7928,7 @@
')
optional_policy(`
-@@ -138,3 +131,10 @@
+@@ -138,3 +132,12 @@
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
')
@@ -7414,6 +7938,8 @@
+ samba_append_log(nscd_t)
+ samba_dontaudit_use_fds(nscd_t)
+ ')
++ samba_read_config(nscd_t)
++ samba_read_var_files(nscd_t)
+')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/ntp.te
serefpolicy-2.4.6/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2006-11-29
12:04:49.000000000 -0500
@@ -8437,7 +8963,7 @@
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/ricci.te
serefpolicy-2.4.6/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2006-11-29
12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/ricci.te 2007-05-22
12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/ricci.te 2007-06-18
11:24:10.000000000 -0400
@@ -136,6 +136,7 @@
files_create_boot_flag(ricci_t)
@@ -8457,7 +8983,7 @@
dbus_system_bus_client_template(ricci,ricci_t)
dbus_send_system_bus(ricci_t)
oddjob_dbus_chat(ricci_t)
-@@ -334,6 +339,10 @@
+@@ -334,6 +339,14 @@
')
optional_policy(`
@@ -8465,10 +8991,14 @@
+')
+
+optional_policy(`
++ rpm_dontaudit_use_script_fds(ricci_modclusterd_t)
++')
++
++optional_policy(`
unconfined_use_fds(ricci_modclusterd_t)
')
-@@ -387,6 +396,8 @@
+@@ -387,6 +400,8 @@
files_search_usr(ricci_modrpm_t)
files_read_etc_files(ricci_modrpm_t)
@@ -8477,7 +9007,7 @@
miscfiles_read_localization(ricci_modrpm_t)
optional_policy(`
-@@ -416,6 +427,9 @@
+@@ -416,6 +431,9 @@
files_read_etc_files(ricci_modservice_t)
files_read_etc_runtime_files(ricci_modservice_t)
files_search_usr(ricci_modservice_t)
@@ -8487,7 +9017,7 @@
consoletype_exec(ricci_modservice_t)
-@@ -462,6 +476,7 @@
+@@ -462,6 +480,7 @@
files_manage_etc_files(ricci_modstorage_t)
files_read_etc_runtime_files(ricci_modstorage_t)
files_read_usr_files(ricci_modstorage_t)
@@ -8495,7 +9025,7 @@
storage_raw_read_fixed_disk(ricci_modstorage_t)
-@@ -475,13 +490,18 @@
+@@ -475,13 +494,18 @@
logging_send_syslog_msg(ricci_modstorage_t)
lvm_domtrans(ricci_modstorage_t)
@@ -8701,7 +9231,7 @@
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/samba.if
serefpolicy-2.4.6/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2006-11-29
12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/samba.if 2007-06-11
14:33:13.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/samba.if 2007-07-03
12:51:53.000000000 -0400
@@ -140,6 +140,7 @@
')
@@ -8746,7 +9276,35 @@
## Execute samba log in the caller domain.
## </summary>
## <param name="domain">
-@@ -266,6 +289,27 @@
+@@ -246,6 +269,27 @@
+ ########################################
+ ## <summary>
+ ## Allow the specified domain to
++## read samba /var files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`samba_read_var_files',`
++ gen_require(`
++ type samba_var_t;
++ ')
++
++ files_search_var($1)
++ files_search_var_lib($1)
++ read_files_pattern($1,samba_var_t,samba_var_t)
++')
++
++########################################
++## <summary>
++## Allow the specified domain to
+ ## read and write samba /var files.
+ ## </summary>
+ ## <param name="domain">
+@@ -266,6 +310,27 @@
########################################
## <summary>
@@ -8774,7 +9332,7 @@
## Allow the specified domain to write to smbmount tcp sockets.
## </summary>
## <param name="domain">
-@@ -395,3 +439,39 @@
+@@ -395,3 +460,39 @@
allow $1 winbind_var_run_t:sock_file { getattr read write };
allow $1 winbind_t:unix_stream_socket connectto;
')
@@ -8816,7 +9374,7 @@
+')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/samba.te
serefpolicy-2.4.6/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2006-11-29
12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/samba.te 2007-06-11
09:42:56.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/samba.te 2007-07-03
11:14:53.000000000 -0400
@@ -10,6 +10,13 @@
type nmbd_exec_t;
init_daemon_domain(nmbd_t,nmbd_exec_t)
@@ -9003,16 +9561,18 @@
')
optional_policy(`
-@@ -614,6 +640,8 @@
+@@ -614,15 +640,19 @@
# Winbind local policy
#
+
-+allow winbind_t self:capability setuid;
++allow winbind_t self:capability { dac_override ipc_lock setuid };
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process signal_perms;
allow winbind_t self:fifo_file { read write };
-@@ -623,6 +651,9 @@
+ allow winbind_t self:unix_dgram_socket create_socket_perms;
+ allow winbind_t self:unix_stream_socket create_stream_socket_perms;
+-allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
allow winbind_t self:tcp_socket create_stream_socket_perms;
allow winbind_t self:udp_socket create_socket_perms;
@@ -9022,9 +9582,20 @@
allow winbind_t samba_etc_t:dir r_dir_perms;
allow winbind_t samba_etc_t:lnk_file { getattr read };
allow winbind_t samba_etc_t:file r_file_perms;
-@@ -677,10 +708,12 @@
+@@ -655,6 +685,8 @@
+ kernel_list_proc(winbind_t)
+ kernel_read_proc_symlinks(winbind_t)
+
++corecmd_exec_bin(winbind_t)
++
+ corenet_tcp_sendrecv_all_if(winbind_t)
+ corenet_udp_sendrecv_all_if(winbind_t)
+ corenet_raw_sendrecv_all_if(winbind_t)
+@@ -676,11 +708,14 @@
+
term_dontaudit_use_console(winbind_t)
++auth_use_nsswitch(winbind_t)
auth_domtrans_chk_passwd(winbind_t)
+auth_domtrans_upd_passwd(winbind_t)
@@ -9035,7 +9606,35 @@
init_use_fds(winbind_t)
init_use_script_ptys(winbind_t)
-@@ -743,6 +776,8 @@
+@@ -692,13 +727,13 @@
+
+ miscfiles_read_localization(winbind_t)
+
+-sysnet_read_config(winbind_t)
+-sysnet_dns_name_resolve(winbind_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(winbind_t)
+ userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
+ userdom_priveleged_home_dir_manager(winbind_t)
+
++allow winbind_t smbd_tmp_t:dir rw_dir_perms;
++allow winbind_t smbd_tmp_t:file rw_file_perms;
++
+ ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_ttys(winbind_t)
+ term_dontaudit_use_generic_ptys(winbind_t)
+@@ -710,10 +745,6 @@
+ ')
+
+ optional_policy(`
+- nscd_socket_use(winbind_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(winbind_t)
+ ')
+
+@@ -743,6 +774,8 @@
domain_use_interactive_fds(winbind_helper_t)
@@ -9044,7 +9643,7 @@
libs_use_ld_so(winbind_helper_t)
libs_use_shared_libs(winbind_helper_t)
-@@ -763,3 +798,24 @@
+@@ -763,3 +796,24 @@
squid_read_log(winbind_helper_t)
squid_append_log(winbind_helper_t)
')
@@ -9324,13 +9923,16 @@
')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/spamassassin.fc
serefpolicy-2.4.6/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2006-11-29
12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/spamassassin.fc 2007-05-22
12:40:26.000000000 -0400
-@@ -8,6 +8,8 @@
++++ serefpolicy-2.4.6/policy/modules/services/spamassassin.fc 2007-06-18
10:50:37.000000000 -0400
+@@ -8,6 +8,11 @@
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/lib/spamassassin(/.*)?
gen_context(system_u:object_r:spamd_var_lib_t,s0)
+
++/var/run/spamassassin(/.*)?
gen_context(system_u:object_r:spamd_var_run_t,s0)
++/var/run/spamass-milter(/.*)?
gen_context(system_u:object_r:spamd_var_run_t,s0)
++
ifdef(`strict_policy',`
HOME_DIR/\.spamassassin(/.*)?
gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
')
@@ -9385,7 +9987,7 @@
+
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/spamassassin.te
serefpolicy-2.4.6/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2006-11-29
12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/spamassassin.te 2007-05-22
12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/spamassassin.te 2007-06-18
10:51:14.000000000 -0400
@@ -8,7 +8,7 @@
# spamassassin client executable
@@ -9415,7 +10017,7 @@
########################################
#
-@@ -57,6 +61,9 @@
+@@ -57,12 +61,15 @@
allow spamd_t spamd_spool_t:dir create_dir_perms;
files_spool_filetrans(spamd_t,spamd_spool_t, { file dir })
@@ -9425,6 +10027,13 @@
allow spamd_t spamd_tmp_t:dir create_dir_perms;
allow spamd_t spamd_tmp_t:file create_file_perms;
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+
+ allow spamd_t spamd_var_run_t:file create_file_perms;
+-allow spamd_t spamd_var_run_t:dir rw_dir_perms;
++allow spamd_t spamd_var_run_t:dir create_dir_perms;
+ files_pid_filetrans(spamd_t,spamd_var_run_t,file)
+
+ kernel_read_all_sysctls(spamd_t)
@@ -78,6 +85,7 @@
corenet_tcp_bind_all_nodes(spamd_t)
corenet_tcp_bind_spamd_port(spamd_t)
@@ -9529,12 +10138,24 @@
+
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/squid.te
serefpolicy-2.4.6/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2006-11-29
12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/squid.te 2007-05-22
12:40:26.000000000 -0400
-@@ -180,3 +180,14 @@
- #squid requires the following when run in diskd mode, the recommended setting
- allow squid_t tmpfs_t:file { read write };
- ') dnl end TODO
-+
++++ serefpolicy-2.4.6/policy/modules/services/squid.te 2007-07-01
21:13:34.000000000 -0400
+@@ -98,6 +98,8 @@
+
+ fs_getattr_all_fs(squid_t)
+ fs_search_auto_mountpoints(squid_t)
++#squid requires the following when run in diskd mode, the recommended setting
++fs_rw_tmpfs_files(squid_t)
+
+ selinux_dontaudit_getattr_dir(squid_t)
+
+@@ -176,7 +178,13 @@
+ udev_read_db(squid_t)
+ ')
+
+-ifdef(`TODO',`
+-#squid requires the following when run in diskd mode, the recommended setting
+-allow squid_t tmpfs_t:file { read write };
+-') dnl end TODO
+optional_policy(`
+ apache_content_template(squid)
+ corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
@@ -9919,7 +10540,7 @@
/tmp/\.X11-unix/.* -s <<none>>
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/xserver.if
serefpolicy-2.4.6/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2006-11-29
12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/xserver.if 2007-05-23
09:22:42.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/xserver.if 2007-07-03
12:46:50.000000000 -0400
@@ -45,7 +45,7 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -9929,7 +10550,16 @@
dontaudit $1_xserver_t self:capability chown;
allow $1_xserver_t self:process ~{ ptrace setcurrent setexec
setfscreate setrlimit execmem execstack execheap };
allow $1_xserver_t self:fd use;
-@@ -93,6 +93,8 @@
+@@ -86,6 +86,8 @@
+ allow $1_xserver_t xserver_log_t:dir r_dir_perms;
+ logging_log_filetrans($1_xserver_t,xserver_log_t,file)
+
++ domain_mmap_low($1_xserver_t)
++
+ kernel_read_system_state($1_xserver_t)
+ kernel_read_device_sysctls($1_xserver_t)
+ kernel_read_modprobe_sysctls($1_xserver_t)
+@@ -93,6 +95,8 @@
kernel_read_kernel_sysctls($1_xserver_t)
kernel_write_proc_files($1_xserver_t)
@@ -9938,7 +10568,7 @@
# Run helper programs in $1_xserver_t.
corecmd_search_sbin($1_xserver_t)
corecmd_exec_bin($1_xserver_t)
-@@ -170,6 +172,11 @@
+@@ -170,6 +174,11 @@
')
optional_policy(`
@@ -9950,7 +10580,7 @@
apm_stream_connect($1_xserver_t)
')
-@@ -279,6 +286,8 @@
+@@ -279,6 +288,8 @@
allow $1_xauth_t $1_xserver_t:fifo_file rw_file_perms;
allow $1_xauth_t $1_xserver_t:process sigchld;
@@ -9959,7 +10589,7 @@
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
domain_auto_trans($2, xserver_exec_t, $1_xserver_t)
-@@ -425,6 +434,8 @@
+@@ -425,6 +436,8 @@
allow $2 $1_iceauth_home_t:file manage_file_perms;
allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
@@ -9968,7 +10598,7 @@
fs_search_auto_mountpoints($1_iceauth_t)
libs_use_ld_so($1_iceauth_t)
-@@ -548,7 +559,7 @@
+@@ -548,7 +561,7 @@
gen_require(`
type xdm_t, xdm_tmp_t;
@@ -9977,7 +10607,7 @@
')
allow $2 self:shm create_shm_perms;
-@@ -557,6 +568,7 @@
+@@ -557,6 +570,7 @@
# Read .Xauthority file
allow $2 $1_xauth_home_t:file { getattr read };
@@ -9985,7 +10615,7 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
-@@ -578,6 +590,8 @@
+@@ -578,6 +592,8 @@
xserver_rw_session_template($1,$2,$3)
xserver_use_user_fonts($1,$2)
@@ -9994,7 +10624,7 @@
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
allow $2 $1_xserver_t:shm rw_shm_perms;
-@@ -906,10 +920,12 @@
+@@ -906,10 +922,12 @@
domain_auto_trans($1,xserver_exec_t,xdm_xserver_t)
@@ -10007,7 +10637,7 @@
')
########################################
-@@ -1024,6 +1040,7 @@
+@@ -1024,6 +1042,7 @@
logging_search_logs($1)
allow $1 xserver_log_t:dir rw_dir_perms;
allow $1 xserver_log_t:file unlink;
@@ -10015,7 +10645,7 @@
')
########################################
-@@ -1062,6 +1079,7 @@
+@@ -1062,6 +1081,7 @@
type xdm_xserver_tmp_t;
')
@@ -10023,7 +10653,7 @@
allow $1 xdm_xserver_tmp_t:file { getattr read };
')
-@@ -1080,6 +1098,7 @@
+@@ -1080,6 +1100,7 @@
type xdm_tmp_t;
')
@@ -10031,7 +10661,7 @@
allow $1 xdm_tmp_t:dir search_dir_perms;
allow $1 xdm_tmp_t:file { getattr read };
')
-@@ -1160,3 +1179,171 @@
+@@ -1160,3 +1181,189 @@
allow $1 xdm_xserver_tmp_t:sock_file write;
allow $1 xdm_xserver_t:unix_stream_socket connectto;
')
@@ -10171,6 +10801,24 @@
+
+########################################
+## <summary>
++## Get the attributes of xauth executable
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xserver_getattr_xauth',`
++ gen_require(`
++ type xauth_exec_t;
++ ')
++
++ allow $1 xauth_exec_t:file getattr;
++')
++
++########################################
++## <summary>
+## Transition to a user Xauthority domain.
+## </summary>
+## <desc>
@@ -12333,7 +12981,7 @@
+')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/system/mount.te
serefpolicy-2.4.6/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2006-11-29
12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/mount.te 2007-05-22
12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/mount.te 2007-07-01
20:54:25.000000000 -0400
@@ -9,6 +9,7 @@
type mount_t;
type mount_exec_t;
@@ -12354,7 +13002,16 @@
allow mount_t mount_tmp_t:file create_file_perms;
allow mount_t mount_tmp_t:dir create_dir_perms;
-@@ -64,6 +66,7 @@
+@@ -40,6 +42,8 @@
+ kernel_read_system_state(mount_t)
+ kernel_read_kernel_sysctls(mount_t)
+ kernel_dontaudit_getattr_core_if(mount_t)
++kernel_search_debugfs(mount_t)
++kernel_read_unlabeled_state(mount_t)
+
+ dev_getattr_all_blk_files(mount_t)
+ dev_list_all_dev_nodes(mount_t)
+@@ -64,6 +68,7 @@
fs_read_tmpfs_symlinks(mount_t)
term_use_all_terms(mount_t)
@@ -12362,7 +13019,16 @@
# required for mount.smbfs
corecmd_exec_sbin(mount_t)
-@@ -117,11 +120,16 @@
+@@ -91,6 +96,8 @@
+ init_use_fds(mount_t)
+ init_use_script_ptys(mount_t)
+ init_dontaudit_getattr_initctl(mount_t)
++init_stream_connect_script(mount_t)
++init_rw_script_stream_sockets(mount_t)
+
+ libs_use_ld_so(mount_t)
+ libs_use_shared_libs(mount_t)
+@@ -117,11 +124,16 @@
')
')
@@ -12381,7 +13047,7 @@
')
')
-@@ -163,14 +171,6 @@
+@@ -163,14 +175,6 @@
apm_use_fds(mount_t)
')
@@ -12396,7 +13062,7 @@
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -184,6 +184,11 @@
+@@ -184,6 +188,11 @@
nscd_socket_use(mount_t)
')
@@ -12957,6 +13623,18 @@
+ ssh_sigchld(load_policy_t)
+ ssh_rw_stream_sockets(load_policy_t)
+')
+diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/system/sysnetwork.if
serefpolicy-2.4.6/policy/modules/system/sysnetwork.if
+--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2006-11-29
12:04:51.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/sysnetwork.if 2007-06-18
15:38:25.000000000 -0400
+@@ -532,6 +532,8 @@
+
+ files_search_etc($1)
+ allow $1 net_conf_t:file r_file_perms;
++ # LDAP Configuration using encrypted requires
++ dev_read_urand($1)
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/system/sysnetwork.te
serefpolicy-2.4.6/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2006-11-29
12:04:51.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/system/sysnetwork.te 2007-05-22
12:40:26.000000000 -0400
@@ -13089,7 +13767,7 @@
+')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/system/udev.te
serefpolicy-2.4.6/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2006-11-29
12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/udev.te 2007-06-12
11:13:55.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/udev.te 2007-06-28
07:26:03.000000000 -0400
@@ -70,7 +70,7 @@
allow udev_t udev_var_run_t:file create_file_perms;
@@ -13099,7 +13777,26 @@
kernel_read_system_state(udev_t)
kernel_getattr_core_if(udev_t)
-@@ -144,8 +144,11 @@
+@@ -84,12 +84,18 @@
+ kernel_dgram_send(udev_t)
+ kernel_signal(udev_t)
+
++#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
++kernel_rw_net_sysctls(udev_t)
++kernel_read_network_state(udev_t)
++
+ corecmd_exec_all_executables(udev_t)
+
+ dev_rw_sysfs(udev_t)
+ dev_manage_all_dev_nodes(udev_t)
+ dev_rw_generic_files(udev_t)
+ dev_delete_generic_files(udev_t)
++dev_search_usbfs_dirs(udev_t)
++dev_relabel_all_dev_nodes(udev_t)
+
+ domain_read_all_domains_state(udev_t)
+ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+@@ -144,8 +150,11 @@
seutil_read_file_contexts(udev_t)
seutil_domtrans_restorecon(udev_t)
@@ -13111,6 +13808,28 @@
userdom_use_sysadm_ttys(udev_t)
userdom_dontaudit_search_all_users_home_content(udev_t)
+@@ -186,6 +195,10 @@
+ ')
+
+ optional_policy(`
++ fstools_domtrans(udev_t)
++')
++
++optional_policy(`
+ hal_dgram_send(udev_t)
+ ')
+
+@@ -198,3 +211,10 @@
+ optional_policy(`
+ xserver_read_xdm_pid(udev_t)
+ ')
++
++optional_policy(`
++ xen_manage_log(udev_t)
++ kernel_write_xen_state(udev_t)
++ kernel_read_xen_state(udev_t)
++ xen_read_image_files(udev_t)
++')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/system/unconfined.fc
serefpolicy-2.4.6/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2006-11-29
12:04:51.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/system/unconfined.fc 2007-05-22
12:40:26.000000000 -0400
@@ -13126,7 +13845,7 @@
')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/system/unconfined.if
serefpolicy-2.4.6/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2006-11-29
12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/unconfined.if 2007-05-22
12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/unconfined.if 2007-06-22
11:15:09.000000000 -0400
@@ -31,6 +31,7 @@
allow $1 self:nscd *;
allow $1 self:dbus *;
@@ -13160,6 +13879,13 @@
## Connect to the unconfined domain using
## a unix domain stream socket.
## </summary>
+@@ -541,3 +560,6 @@
+
+ allow $1 unconfined_t:dbus acquire_svc;
+ ')
++
++
++
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/system/unconfined.te
serefpolicy-2.4.6/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-11-29
12:04:51.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/system/unconfined.te 2007-05-22
12:40:26.000000000 -0400
@@ -14361,7 +15087,7 @@
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/system/xen.if
serefpolicy-2.4.6/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2006-11-29
12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/xen.if 2007-06-11
08:26:34.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/xen.if 2007-06-15
13:12:08.000000000 -0400
@@ -77,6 +77,7 @@
')
@@ -14370,9 +15096,56 @@
allow $1 xend_var_log_t:file { getattr append };
dontaudit $1 xend_var_log_t:file write;
')
+@@ -163,3 +164,46 @@
+ allow xm_t $1:fifo_file rw_file_perms;
+ allow xm_t $1:process sigchld;
+ ')
++
++########################################
++## <summary>
++## Allow the specified domain to manage
++## xend log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`xen_manage_log',`
++ gen_require(`
++ type var_log_t, xend_var_log_t;
++ ')
++
++ logging_search_logs($1)
++ allow $1 xend_var_log_t:dir create_dir_perms;
++ allow $1 xend_var_log_t:file create_file_perms;
++ dontaudit $1 xend_var_log_t:file write;
++')
++
++########################################
++## <summary>
++## Allow the specified domain to read
++## xend image files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`xen_read_image_files',`
++ gen_require(`
++ type xen_image_t, xend_var_lib_t;
++ ')
++
++ files_list_var_lib($1)
++ allow $1 xend_var_lib_t:dir search_dir_perms;
++ read_files_pattern($1,xen_image_t,xen_image_t)
++')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/system/xen.te
serefpolicy-2.4.6/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2006-11-29
12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/xen.te 2007-06-11
08:20:44.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/xen.te 2007-06-15
13:12:32.000000000 -0400
@@ -20,12 +20,15 @@
type xenctl_t;
files_type(xenctl_t)
@@ -14482,6 +15255,15 @@
term_create_pty(xenconsoled_t,xen_devpts_t);
term_use_generic_ptys(xenconsoled_t)
term_use_console(xenconsoled_t)
+@@ -248,7 +271,7 @@
+
+ miscfiles_read_localization(xenconsoled_t)
+
+-xen_append_log(xenconsoled_t)
++xen_manage_log(xenconsoled_t)
+ xen_stream_connect_xenstore(xenconsoled_t)
+
+ ########################################
@@ -283,6 +306,12 @@
files_read_usr_files(xenstored_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/selinux-policy.spec,v
retrieving revision 1.370
retrieving revision 1.371
diff -u -r1.370 -r1.371
--- selinux-policy.spec 14 Jun 2007 13:49:50 -0000 1.370
+++ selinux-policy.spec 6 Jul 2007 15:35:03 -0000 1.371
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.6
-Release: 75%{?dist}
+Release: 79%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -360,6 +360,24 @@
%endif
%changelog
+* Fri Jul 7 2007 Dan Walsh <dwalsh@xxxxxxxxxx> 2.4.6-79
+- Allow hal to write to pm-suspend
+Resolves:#245926
+
+* Sun Jul 1 2007 Dan Walsh <dwalsh@xxxxxxxxxx> 2.4.6-78
+- Added fixes for gfs init script
+Resolves:#246194
+
+* Mon Jun 11 2007 Dan Walsh <dwalsh@xxxxxxxxxx> 2.4.6-77
+- More fixes add mmap_zero for new kernel
+Resolves:#244690
+
+* Mon Jun 11 2007 Dan Walsh <dwalsh@xxxxxxxxxx> 2.4.6-76
+- Allow xenconsole to manage xen log files
+- add mmap_zero for new kernel
+- Fixes for RHEL5
+Resolves:#244690
+
* Thu May 31 2007 Dan Walsh <dwalsh@xxxxxxxxxx> 2.4.6-75
- Allow samba to remove log files
--
fedora-cvs-commits mailing list
fedora-cvs-commits@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-cvs-commits
|
|