[selinux-policy] - Allow clamscan_t execmem if clamd_use_jit set - Add policy for firefox plugin-container

Daniel J Walsh dwalsh at fedoraproject.org
Fri Aug 20 13:39:07 UTC 2010


commit 19988ca76d9e04c0f5683182e6257843942ae86b
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Fri Aug 20 09:36:56 2010 -0400

    - Allow clamscan_t execmem if clamd_use_jit set
    - Add policy for firefox plugin-container

 policy-F14.patch    |  448 +++++++++++++++++++++++++++++++++++++++------------
 selinux-policy.spec |    9 +-
 2 files changed, 350 insertions(+), 107 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 4ed629c..e7984de 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -4697,7 +4697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.8.8/policy/modules/apps/mozilla.fc
 --- nsaserefpolicy/policy/modules/apps/mozilla.fc	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.fc	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/mozilla.fc	2010-08-19 06:50:14.000000000 -0400
 @@ -1,6 +1,7 @@
  HOME_DIR/\.galeon(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
  HOME_DIR/\.java(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -4706,10 +4706,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  HOME_DIR/\.netscape(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
  HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
  
+@@ -27,3 +28,4 @@
+ /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/lib/[^/]*firefox[^/]*/firefox --	gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/lib(64)?/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.8.8/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.if	2010-07-30 14:06:53.000000000 -0400
-@@ -48,6 +48,12 @@
++++ serefpolicy-3.8.8/policy/modules/apps/mozilla.if	2010-08-19 06:49:11.000000000 -0400
+@@ -29,6 +29,8 @@
+ 	allow mozilla_t $2:process { sigchld signull };
+ 	allow mozilla_t $2:unix_stream_socket connectto;
+ 
++	mozilla_plugin_run(mozilla_t, $2)
++
+ 	# Allow the user domain to signal/ps.
+ 	ps_process_pattern($2, mozilla_t)
+ 	allow $2 mozilla_t:process signal_perms;
+@@ -48,6 +50,12 @@
  
  	mozilla_dbus_chat($2)
  
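Review bot: The call added inside mozilla_role, `mozilla_plugin_run(mozilla_t, $2)`, does not match the interface this commit defines later in mozilla.if, which is `mozilla_run_plugin(domain, role)`; the policy build would stop on the undefined macro. In mozilla_role `$2` is the user domain (the surrounding `allow mozilla_t $2:process` and `ps_process_pattern($2, mozilla_t)` lines use it that way) and the second parameter of mozilla_run_plugin is the role, so the line should read `mozilla_run_plugin(mozilla_t, $1)`. Separately, the new file context labels plugin-container only under `/usr/lib(64)?/xulrunner[^/]*/`; if a Firefox build ships the binary under its own `firefox[^/]*` directory it would keep the default label and no transition would happen — worth confirming against the packaged layout. The mozilla_role interface starts and ends outside this hunk.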
@@ -4722,7 +4736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  	optional_policy(`
  		pulseaudio_role($1, mozilla_t)
  	')
-@@ -108,7 +114,7 @@
+@@ -108,7 +116,7 @@
  		type mozilla_home_t;
  	')
  
@@ -4731,9 +4745,60 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  ')
  
  ########################################
+@@ -168,6 +176,50 @@
+ 
+ ########################################
+ ## <summary>
++##	Execute a domain transition to run mozilla_plugin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mozilla_domtrans_plugin',`
++	gen_require(`
++		type mozilla_plugin_t, mozilla_plugin_exec_t;
++	')
++
++	domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
++')
++
++
++########################################
++## <summary>
++##	Execute mozilla_plugin in the mozilla_plugin domain, and
++##	allow the specified role the mozilla_plugin domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the mozilla_plugin domain.
++##	</summary>
++## </param>
++#
++interface(`mozilla_run_plugin',`
++	gen_require(`
++		type mozilla_plugin_t;
++	')
++
++	mozilla_domtrans_plugin($1)
++	role $2 types mozilla_plugin_t;
++')
++
++########################################
++## <summary>
+ ##	Send and receive messages from
+ ##	mozilla over dbus.
+ ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.8.8/policy/modules/apps/mozilla.te
 --- nsaserefpolicy/policy/modules/apps/mozilla.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/mozilla.te	2010-08-19 06:47:05.000000000 -0400
 @@ -25,6 +25,7 @@
  type mozilla_home_t;
  typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
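Review bot: Two consecutive empty lines separate the closing `')` of mozilla_domtrans_plugin from the `####` banner of mozilla_run_plugin, while the rest of mozilla.if uses a single one; dropping the extra line keeps the interface spacing uniform. The domain parameter summary of mozilla_run_plugin also lacks the terminating period used by the other parameter summaries (`##	Domain allowed access.`).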
@@ -4742,7 +4807,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  userdom_user_home_content(mozilla_home_t)
  
  type mozilla_tmpfs_t;
-@@ -89,6 +90,7 @@
+@@ -33,6 +34,13 @@
+ files_tmpfs_file(mozilla_tmpfs_t)
+ ubac_constrained(mozilla_tmpfs_t)
+ 
++type mozilla_plugin_t;
++type mozilla_plugin_exec_t;
++application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
++role system_r types mozilla_plugin_t;
++
++permissive mozilla_plugin_t;
++
+ ########################################
+ #
+ # Local policy
+@@ -89,6 +97,7 @@
  corenet_raw_sendrecv_generic_node(mozilla_t)
  corenet_tcp_sendrecv_http_port(mozilla_t)
  corenet_tcp_sendrecv_http_cache_port(mozilla_t)
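Review bot: `permissive mozilla_plugin_t;` ships the new plugin-container domain with auditing only, so nothing in the `mozilla_plugin local policy` block — and nothing it omits — is enforced; the process runs with no effective SELinux restriction while the policy is built out. That matters because this same patch gives every user role a transition into it (`mozilla_run_plugin` in staff.te, unprivuser.te, xguest.te and unconfineduser.te): for xguest_t in particular, plugin-container presumably ran under the browser domain's restrictions before and now runs unenforced. A comment stating the intent and the removal condition would keep this from being forgotten: `# TODO: permissive while the plugin policy is derived from AVC denials; remove once they are resolved`. `role system_r types mozilla_plugin_t;` also looks unneeded, since the roles that reach the domain are added by mozilla_run_plugin — hedged, as a system_r path elsewhere in the policy may exist.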
@@ -4750,7 +4829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  corenet_tcp_sendrecv_ftp_port(mozilla_t)
  corenet_tcp_sendrecv_ipp_port(mozilla_t)
  corenet_tcp_connect_http_port(mozilla_t)
-@@ -238,6 +240,7 @@
+@@ -238,6 +247,7 @@
  optional_policy(`
  	gnome_stream_connect_gconf(mozilla_t)
  	gnome_manage_config(mozilla_t)
@@ -4758,7 +4837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  ')
  
  optional_policy(`
-@@ -258,6 +261,11 @@
+@@ -258,6 +268,11 @@
  ')
  
  optional_policy(`
@@ -4770,6 +4849,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
+@@ -266,3 +281,17 @@
+ optional_policy(`
+ 	thunderbird_domtrans(mozilla_t)
+ ')
++
++########################################
++#
++# mozilla_plugin local policy
++#
++
++allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
++allow mozilla_plugin_t self:unix_stream_socket create_stream_socket_perms;
++
++domain_use_interactive_fds(mozilla_plugin_t)
++
++files_read_etc_files(mozilla_plugin_t)
++
++miscfiles_read_localization(mozilla_plugin_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.8.8/policy/modules/apps/mplayer.if
 --- nsaserefpolicy/policy/modules/apps/mplayer.if	2010-07-27 16:06:04.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/apps/mplayer.if	2010-07-30 14:06:53.000000000 -0400
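Review bot: The new mozilla_plugin_t block uses `files_read_etc_files(mozilla_plugin_t)` while this same commit switches the sandbox domains from `files_read_etc_files` to `files_read_config_files`; if that switch is the intended idiom for new domains, this line should match, and if it is not, the sandbox change deserves a word in the commit message. The block also carries no rules on the mozilla_t side of the pair (signals, sockets or inherited fds between browser and plugin container); mozilla_t is not permissive, so any such access the browser needs would be denied for real and would surface as AVC records against mozilla_t rather than mozilla_plugin_t during testing — hedged, since which accesses are needed cannot be read from the hunk.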
@@ -6019,7 +6116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +# No types are sandbox_exec_t
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.8.8/policy/modules/apps/sandbox.if
 --- nsaserefpolicy/policy/modules/apps/sandbox.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.if	2010-08-03 14:37:32.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/sandbox.if	2010-08-18 06:43:23.000000000 -0400
 @@ -0,0 +1,314 @@
 +
 +## <summary>policy for sandbox</summary>
@@ -6337,8 +6434,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.8.8/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te	2010-08-16 07:01:26.000000000 -0400
-@@ -0,0 +1,392 @@
++++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te	2010-08-19 07:46:41.000000000 -0400
+@@ -0,0 +1,397 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -6404,7 +6501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +
 +dev_rwx_zero(sandbox_xserver_t)
 +
-+files_read_etc_files(sandbox_xserver_t)
++files_read_config_files(sandbox_xserver_t)
 +files_read_usr_files(sandbox_xserver_t)
 +files_search_home(sandbox_xserver_t)
 +fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
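Review bot: Replacing `files_read_etc_files` with `files_read_config_files` for sandbox_xserver_t (and likewise for sandbox_domain and sandbox_x_domain in the next two sandbox.te hunks) widens read access from etc_t to every type carrying the configfile attribute — the `-configfile` exclusion on the files_rw_all_inherited_files line in the following hunk shows such an attribute is in use in this tree. Since the sandbox domains exist to confine untrusted programs, the reason (which non-etc_t config type the sandbox needed) belongs in the commit message or in a one-line comment above the first call; I cannot infer it from the hunk. If files_read_config_files is defined more narrowly here, this note does not apply.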
@@ -6463,7 +6560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
 +files_entrypoint_all_files(sandbox_domain)
 +
-+files_read_etc_files(sandbox_domain)
++files_read_config_files(sandbox_domain)
 +files_read_usr_files(sandbox_domain)
 +files_read_var_files(sandbox_domain)
 +files_dontaudit_search_all_dirs(sandbox_domain)
@@ -6475,6 +6572,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +
 +userdom_dontaudit_use_user_terminals(sandbox_domain)
 +
++mta_dontaudit_read_spool_symlinks(sandbox_domain)
++
 +########################################
 +#
 +# sandbox_x_domain local policy
@@ -6511,7 +6610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +dev_read_sysfs(sandbox_x_domain)
 +
 +files_entrypoint_all_files(sandbox_x_domain)
-+files_read_etc_files(sandbox_x_domain)
++files_read_config_files(sandbox_x_domain)
 +files_read_usr_files(sandbox_x_domain)
 +files_read_usr_symlinks(sandbox_x_domain)
 +
@@ -6561,6 +6660,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +	sssd_dontaudit_search_lib(sandbox_x_domain)
 +')
 +
++optional_policy(`
++	udev_read_db(sandbox_x_domain)
++')
++
 +userdom_dontaudit_use_user_terminals(sandbox_x_domain)
 +userdom_read_user_home_content_symlinks(sandbox_x_domain)
 +userdom_search_user_home_content(sandbox_x_domain)
@@ -6705,7 +6808,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +
 +optional_policy(`
 +	udev_read_state(sandbox_web_type)
-+	udev_read_db(sandbox_web_type)
 +')
 +
 +########################################
@@ -7063,8 +7165,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.te serefpolicy-3.8.8/policy/modules/apps/telepathy.te
 --- nsaserefpolicy/policy/modules/apps/telepathy.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/telepathy.te	2010-08-04 11:57:36.000000000 -0400
-@@ -0,0 +1,310 @@
++++ serefpolicy-3.8.8/policy/modules/apps/telepathy.te	2010-08-19 05:59:57.000000000 -0400
+@@ -0,0 +1,311 @@
 +
 +policy_module(telepathy, 1.0.0)
 +
@@ -7185,6 +7287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
 +dev_read_urand(telepathy_gabble_t)
 +
 +files_read_etc_files(telepathy_gabble_t)
++files_read_usr_files(telepathy_gabble_t)
 +
 +miscfiles_read_certs(telepathy_gabble_t)
 +
@@ -7707,7 +7810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
  		dbus_session_bus_client($1_wm_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc	2010-08-19 06:39:36.000000000 -0400
 @@ -9,8 +9,10 @@
  /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -7781,7 +7884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  ')
  
  ifdef(`distro_suse', `
-@@ -340,3 +355,24 @@
+@@ -340,3 +355,27 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -7806,6 +7909,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 +/usr/lib(64)?/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
 +
 +/usr/lib(64)?/gimp/.*/plug-ins(/.*)?  gen_context(system_u:object_r:bin_t,s0)
++
++/etc/kde/env(/.*)?  gen_context(system_u:object_r:bin_t,s0)
++/etc/kde/shutdown(/.*)?  gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.8.8/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2010-07-27 16:06:04.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.if	2010-07-30 14:06:53.000000000 -0400
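Review bot: The new `/etc/kde/env(/.*)?` and `/etc/kde/shutdown(/.*)?` entries put two spaces before gen_context while the surrounding entries (the `/usr/lib(64)?/rpm/rpmv` line above) align the context column with tabs; `/etc/kde/env(/.*)?		gen_context(system_u:object_r:bin_t,s0)` would match the file's layout. Labeling whole directories under /etc as bin_t also deserves a one-line comment, because every file dropped there becomes executable for any domain with bin_t exec rights; the directory names suggest session start/stop scripts, e.g. `# KDE session env/shutdown scripts (presumably run at login/logout)`.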
@@ -9798,8 +9904,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.8.8/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/staff.te	2010-07-30 14:06:53.000000000 -0400
-@@ -8,25 +8,55 @@
++++ serefpolicy-3.8.8/policy/modules/roles/staff.te	2010-08-19 06:52:30.000000000 -0400
+@@ -8,25 +8,60 @@
  role staff_r;
  
  userdom_unpriv_user_template(staff)
@@ -9820,6 +9926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
 +
 +auth_domtrans_pam_console(staff_t)
 +
++init_dbus_chat(staff_t)
 +init_dbus_chat_script(staff_t)
 +
 +seutil_read_module_store(staff_t)
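Review bot: `init_dbus_chat(staff_t)` lets staff_t exchange D-Bus messages with init_t directly, on top of the init-script chat already granted on the next line; the same call is added for sysadm_t and unconfined_usertype further down. For staff_t, an unprivileged-template role, which init methods stay reachable is then decided by the D-Bus service policy rather than by SELinux, so a comment naming the use case that needed it would help later review; the use case is not visible in the hunk.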
@@ -9831,9 +9938,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
  	apache_role(staff_r, staff_t)
  ')
  
+ optional_policy(`
++	mozilla_run_plugin(staff_t, staff_r)
++')
++
 +ifndef(`distro_redhat',`
 +
- optional_policy(`
++optional_policy(`
  	auth_role(staff_r, staff_t)
  ')
 +')
@@ -9855,7 +9966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
  	bluetooth_role(staff_r, staff_t)
  ')
  
-@@ -94,12 +124,18 @@
+@@ -94,12 +129,18 @@
  	oident_manage_user_content(staff_t)
  	oident_relabel_user_content(staff_t)
  ')
@@ -9874,7 +9985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
  	pyzor_role(staff_r, staff_t)
  ')
  
-@@ -114,22 +150,27 @@
+@@ -114,22 +155,27 @@
  optional_policy(`
  	screen_role_template(staff, staff_r, staff_t)
  ')
@@ -9902,7 +10013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
  
  optional_policy(`
  	sudo_role_template(staff, staff_r, staff_t)
-@@ -141,6 +182,11 @@
+@@ -141,6 +187,11 @@
  ')
  
  optional_policy(`
@@ -9914,7 +10025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
  	thunderbird_role(staff_r, staff_t)
  ')
  
-@@ -164,6 +210,78 @@
+@@ -164,6 +215,78 @@
  	wireshark_role(staff_r, staff_t)
  ')
  
@@ -9995,8 +10106,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.8.8/policy/modules/roles/sysadm.te
 --- nsaserefpolicy/policy/modules/roles/sysadm.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/sysadm.te	2010-08-11 08:20:53.000000000 -0400
-@@ -27,17 +27,29 @@
++++ serefpolicy-3.8.8/policy/modules/roles/sysadm.te	2010-08-18 09:32:07.000000000 -0400
+@@ -27,17 +27,30 @@
  
  corecmd_exec_shell(sysadm_t)
  
@@ -10014,6 +10125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
 +
  init_exec(sysadm_t)
 +init_exec_script_files(sysadm_t)
++init_dbus_chat(sysadm_t)
  
  # Add/remove user home directories
  userdom_manage_user_home_dirs(sysadm_t)
@@ -10026,7 +10138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
-@@ -55,6 +67,7 @@
+@@ -55,6 +68,7 @@
  	logging_manage_audit_log(sysadm_t)
  	logging_manage_audit_config(sysadm_t)
  	logging_run_auditctl(sysadm_t, sysadm_r)
@@ -10034,7 +10146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  ')
  
  tunable_policy(`allow_ptrace',`
-@@ -69,7 +82,9 @@
+@@ -69,7 +83,9 @@
  	apache_run_helper(sysadm_t, sysadm_r)
  	#apache_run_all_scripts(sysadm_t, sysadm_r)
  	#apache_domtrans_sys_script(sysadm_t)
@@ -10045,7 +10157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  ')
  
  optional_policy(`
-@@ -85,9 +100,11 @@
+@@ -85,9 +101,11 @@
  	auditadm_role_change(sysadm_r)
  ')
  
@@ -10057,7 +10169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	backup_run(sysadm_t, sysadm_r)
-@@ -97,17 +114,25 @@
+@@ -97,17 +115,25 @@
  	bind_run_ndc(sysadm_t, sysadm_r)
  ')
  
@@ -10083,7 +10195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	certwatch_run(sysadm_t, sysadm_r)
-@@ -125,16 +150,18 @@
+@@ -125,16 +151,18 @@
  	consoletype_run(sysadm_t, sysadm_r)
  ')
  
@@ -10104,7 +10216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  ')
  
  optional_policy(`
-@@ -159,9 +186,11 @@
+@@ -159,9 +187,11 @@
  	dpkg_run(sysadm_t, sysadm_r)
  ')
  
@@ -10116,7 +10228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	firstboot_run(sysadm_t, sysadm_r)
-@@ -171,6 +200,7 @@
+@@ -171,6 +201,7 @@
  	fstools_run(sysadm_t, sysadm_r)
  ')
  
@@ -10124,7 +10236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  optional_policy(`
  	games_role(sysadm_r, sysadm_t)
  ')
-@@ -186,6 +216,7 @@
+@@ -186,6 +217,7 @@
  optional_policy(`
  	gpg_role(sysadm_r, sysadm_t)
  ')
@@ -10132,7 +10244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	hostname_run(sysadm_t, sysadm_r)
-@@ -199,6 +230,13 @@
+@@ -199,6 +231,13 @@
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -10146,7 +10258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  ')
  
  optional_policy(`
-@@ -206,12 +244,18 @@
+@@ -206,12 +245,18 @@
  ')
  
  optional_policy(`
@@ -10165,7 +10277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	kudzu_run(sysadm_t, sysadm_r)
-@@ -221,9 +265,11 @@
+@@ -221,9 +266,11 @@
  	libs_run_ldconfig(sysadm_t, sysadm_r)
  ')
  
@@ -10177,7 +10289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	logrotate_run(sysadm_t, sysadm_r)
-@@ -246,8 +292,10 @@
+@@ -246,8 +293,10 @@
  
  optional_policy(`
  	mount_run(sysadm_t, sysadm_r)
@@ -10188,7 +10300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  optional_policy(`
  	mozilla_role(sysadm_r, sysadm_t)
  ')
-@@ -255,6 +303,7 @@
+@@ -255,6 +304,7 @@
  optional_policy(`
  	mplayer_role(sysadm_r, sysadm_t)
  ')
@@ -10196,7 +10308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	mta_role(sysadm_r, sysadm_t)
-@@ -269,6 +318,10 @@
+@@ -269,6 +319,10 @@
  ')
  
  optional_policy(`
@@ -10207,7 +10319,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  	netutils_run(sysadm_t, sysadm_r)
  	netutils_run_ping(sysadm_t, sysadm_r)
  	netutils_run_traceroute(sysadm_t, sysadm_r)
-@@ -302,8 +355,14 @@
+@@ -302,8 +356,14 @@
  ')
  
  optional_policy(`
@@ -10222,7 +10334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	quota_run(sysadm_t, sysadm_r)
-@@ -313,9 +372,11 @@
+@@ -313,9 +373,11 @@
  	raid_domtrans_mdadm(sysadm_t)
  ')
  
@@ -10234,7 +10346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	rpc_domtrans_nfsd(sysadm_t)
-@@ -325,9 +386,11 @@
+@@ -325,9 +387,11 @@
  	rpm_run(sysadm_t, sysadm_r)
  ')
  
@@ -10246,7 +10358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	rsync_exec(sysadm_t)
-@@ -352,8 +415,14 @@
+@@ -352,8 +416,14 @@
  ')
  
  optional_policy(`
@@ -10261,7 +10373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	ssh_role_template(sysadm, sysadm_r, sysadm_t)
-@@ -376,9 +445,11 @@
+@@ -376,9 +446,11 @@
  	sysnet_run_dhcpc(sysadm_t, sysadm_r)
  ')
  
@@ -10273,7 +10385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	tripwire_run_siggen(sysadm_t, sysadm_r)
-@@ -387,17 +458,21 @@
+@@ -387,17 +459,21 @@
  	tripwire_run_twprint(sysadm_t, sysadm_r)
  ')
  
@@ -10295,7 +10407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	unconfined_domtrans(sysadm_t)
-@@ -411,9 +486,11 @@
+@@ -411,9 +487,11 @@
  	usbmodules_run(sysadm_t, sysadm_r)
  ')
  
@@ -10307,7 +10419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
-@@ -421,9 +498,15 @@
+@@ -421,9 +499,15 @@
  	usermanage_run_useradd(sysadm_t, sysadm_r)
  ')
  
@@ -10323,7 +10435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	vpn_run(sysadm_t, sysadm_r)
-@@ -434,13 +517,30 @@
+@@ -434,13 +518,30 @@
  ')
  
  optional_policy(`
@@ -10368,8 +10480,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +/usr/sbin/xrdp-sesman   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.8.8/policy/modules/roles/unconfineduser.if
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.if	2010-07-30 14:06:53.000000000 -0400
-@@ -0,0 +1,667 @@
++++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.if	2010-08-18 09:42:34.000000000 -0400
+@@ -0,0 +1,687 @@
 +## <summary>Unconfiend user role</summary>
 +
 +########################################
@@ -11037,10 +11149,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +
 +	allow $1 unconfined_r;
 +')
++
++########################################
++## <summary>
++##	Allow domain to attach to TUN devices created by unconfined_t users.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`unconfined_attach_tun_iface',`
++	gen_require(`
++		type unconfined_t;
++	')
++
++	allow $1 unconfined_t:tun_socket relabelfrom;
++	allow $1 self:tun_socket relabelto;
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te	2010-08-11 08:23:36.000000000 -0400
-@@ -0,0 +1,453 @@
++++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te	2010-08-19 06:51:51.000000000 -0400
+@@ -0,0 +1,458 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
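Review bot: The new unconfined_attach_tun_iface interface ends with an extra empty `+` line after its closing `')`, leaving a trailing blank line at the end of unconfineduser.if where the other interfaces end at `')`. Its summary describes only the attach; since the body grants both `relabelfrom` on unconfined_t tun sockets and `relabelto` on the caller's own, a second summary line such as `##	(relabels unconfined_t tun_socket to the caller's own type)` would document both rules for the next reader.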
@@ -11280,6 +11412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +		')
 +	')
 +
++	init_dbus_chat(unconfined_usertype)
 +	init_dbus_chat_script(unconfined_usertype)
 +
 +	dbus_stub(unconfined_t)
@@ -11361,6 +11494,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +')
 +
 +optional_policy(`
++	mozilla_run_plugin(unconfined_usertype, unconfined_r)
++')
++
++optional_policy(`
 +	ncftool_run(unconfined_t, unconfined_r)
 +')
 +
@@ -11496,8 +11633,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.8.8/policy/modules/roles/unprivuser.te
 --- nsaserefpolicy/policy/modules/roles/unprivuser.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/unprivuser.te	2010-07-30 14:06:53.000000000 -0400
-@@ -12,10 +12,13 @@
++++ serefpolicy-3.8.8/policy/modules/roles/unprivuser.te	2010-08-19 06:52:56.000000000 -0400
+@@ -12,11 +12,18 @@
  
  userdom_unpriv_user_template(user)
  
@@ -11507,11 +11644,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
  	apache_role(user_r, user_t)
  ')
  
-+ifndef(`distro_redhat',`
  optional_policy(`
++	mozilla_run_plugin(user_t, user_r)
++')
++
++ifndef(`distro_redhat',`
++optional_policy(`
  	auth_role(user_r, user_t)
  ')
-@@ -104,12 +107,30 @@
+ 
+@@ -104,12 +111,30 @@
  optional_policy(`
  	rssh_role(user_r, user_t)
  ')
@@ -11542,7 +11684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
  	spamassassin_role(user_r, user_t)
  ')
  
-@@ -149,6 +170,12 @@
+@@ -149,6 +174,12 @@
  	wireshark_role(user_r, user_t)
  ')
  
@@ -11557,7 +11699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.8.8/policy/modules/roles/xguest.te
 --- nsaserefpolicy/policy/modules/roles/xguest.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/xguest.te	2010-08-06 11:01:58.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/xguest.te	2010-08-19 07:42:55.000000000 -0400
 @@ -14,7 +14,7 @@
  
  ## <desc>
@@ -11616,7 +11758,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
  	')
  ')
  
-@@ -80,19 +88,74 @@
+@@ -76,23 +84,87 @@
+ ')
+ 
+ optional_policy(`
++	chrome_role(xguest_r, xguest_usertype)
++')
++
++
++optional_policy(`
+ 	hal_dbus_chat(xguest_t)
  ')
  
  optional_policy(`
@@ -11630,11 +11781,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
 +
 +optional_policy(`
 +	java_role_template(xguest, xguest_r, xguest_t)
++')
++
++optional_policy(`
++	mono_role_template(xguest, xguest_r, xguest_t)
  ')
  
  optional_policy(`
 -	mozilla_role(xguest_r, xguest_t)
-+	mono_role_template(xguest, xguest_r, xguest_t)
++	mozilla_run_plugin(xguest_t, xguest_r)
 +')
 +
 +optional_policy(`
@@ -11678,14 +11833,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
 +		corenet_tcp_connect_speech_port(xguest_usertype)
 +		corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
 +		corenet_tcp_connect_transproxy_port(xguest_usertype)
-+	')
+ 	')
 +
 +	optional_policy(`
 +		telepathy_dbus_session_role(xguest_r, xguest_t)
- 	')
- ')
- 
--#gen_user(xguest_u,, xguest_r, s0, s0)
++	')
++')
++
 +optional_policy(`
 +	gen_require(`
 +		type mozilla_t;
@@ -11693,8 +11847,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
 +
 +	allow xguest_t mozilla_t:process transition;
 +	role xguest_r types mozilla_t;
-+')
-+
+ ')
+ 
+-#gen_user(xguest_u,, xguest_r, s0, s0)
 +gen_user(xguest_u, user, xguest_r, s0, s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.8.8/policy/modules/services/abrt.fc
 --- nsaserefpolicy/policy/modules/services/abrt.fc	2010-07-27 16:06:05.000000000 -0400
@@ -12196,6 +12351,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
  optional_policy(`
  	ccs_stream_connect(aisexec_t)
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.8.8/policy/modules/services/amavis.if
+--- nsaserefpolicy/policy/modules/services/amavis.if	2010-07-27 16:06:05.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/amavis.if	2010-08-19 05:56:46.000000000 -0400
+@@ -56,7 +56,7 @@
+ 	')
+ 
+ 	files_search_spool($1)
+-	allow $1 amavis_spool_t:file read_file_perms;
++	read_files_pattern($1, amavis_spool_t, amavis_spool_t)
+ ')
+ 
+ ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.8.8/policy/modules/services/amavis.te
 --- nsaserefpolicy/policy/modules/services/amavis.te	2010-07-27 16:06:05.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/services/amavis.te	2010-07-30 14:06:53.000000000 -0400
@@ -12213,7 +12380,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
  # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.8.8/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apache.fc	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apache.fc	2010-08-20 07:38:00.000000000 -0400
+@@ -2,7 +2,7 @@
+ 
+ /etc/apache(2)?(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
+ /etc/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/drupal(6)?(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /etc/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /etc/httpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
+ /etc/httpd/conf/keytab		--	gen_context(system_u:object_r:httpd_keytab_t,s0)
 @@ -24,7 +24,6 @@
  
  /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -12222,22 +12398,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  /usr/lib(64)?/apache(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
  /usr/lib(64)?/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
  /usr/lib(64)?/apache(2)?/suexec(2)? --	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -43,7 +42,6 @@
+@@ -43,8 +42,7 @@
  /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  ')
  
 -/usr/share/dirsrv(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /usr/share/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/drupal(6)?(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/icecast(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -74,6 +72,7 @@
+ /usr/share/mythweb(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+@@ -74,7 +72,8 @@
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/dokuwiki(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
- /var/lib/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/drupal(6)?(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+ /var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
 @@ -86,7 +85,6 @@
  /var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/httpd(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
@@ -13784,8 +13964,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.8.8/policy/modules/services/boinc.te
 --- nsaserefpolicy/policy/modules/services/boinc.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/boinc.te	2010-08-11 07:44:10.000000000 -0400
-@@ -0,0 +1,145 @@
++++ serefpolicy-3.8.8/policy/modules/services/boinc.te	2010-08-20 07:29:39.000000000 -0400
+@@ -0,0 +1,146 @@
 +policy_module(boinc,1.0.0)
 +
 +########################################
@@ -13901,6 +14081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +#
 +
 +domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
++allow boinc_t boinc_project_t:process sigkill;
 +
 +allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop };
 +allow boinc_project_t self:process { execmem execstack };
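Review bot: The new `allow boinc_t boinc_project_t:process sigkill;` grants the client only SIGKILL over project tasks, so if the client also suspends or resumes tasks with other signals (not visible here) those will still be denied; worth confirming against the client's behaviour before release. A why-comment on the line, e.g. `# client may forcibly terminate project tasks it started`, would tell the next reader why this cross-domain signal is allowed. The boinc_t policy section continues outside the hunk.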
@@ -14587,7 +14768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
  corenet_udp_bind_chronyd_port(chronyd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.8.8/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/clamav.te	2010-08-16 07:42:43.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/clamav.te	2010-08-18 19:16:59.000000000 -0400
 @@ -80,6 +80,7 @@
  files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
  
@@ -14608,7 +14789,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  
  kernel_dontaudit_list_proc(clamd_t)
  kernel_read_sysctl(clamd_t)
-@@ -182,6 +184,9 @@
+@@ -147,8 +149,10 @@
+ 
+ tunable_policy(`clamd_use_jit',`
+ 	allow clamd_t self:process execmem;
++	allow clamscan_t self:process execmem;
+ ', `
+ 	dontaudit clamd_t self:process execmem;
++	dontaudit clamscan_t self:process execmem;
+ ')
+ 
+ ########################################
+@@ -182,6 +186,9 @@
  allow freshclam_t clamd_var_log_t:dir search_dir_perms;
  logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
  
@@ -14618,7 +14810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  corenet_all_recvfrom_unlabeled(freshclam_t)
  corenet_all_recvfrom_netlabel(freshclam_t)
  corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +194,7 @@
+@@ -189,6 +196,7 @@
  corenet_tcp_sendrecv_all_ports(freshclam_t)
  corenet_tcp_sendrecv_clamd_port(freshclam_t)
  corenet_tcp_connect_http_port(freshclam_t)
@@ -14626,7 +14818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  corenet_sendrecv_http_client_packets(freshclam_t)
  
  dev_read_rand(freshclam_t)
-@@ -207,6 +213,8 @@
+@@ -207,6 +215,8 @@
  
  clamav_stream_connect(freshclam_t)
  
@@ -18496,6 +18688,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.
  	fs_list_auto_mountpoints(lpr_t)
  	fs_read_cifs_files(lpr_t)
  	fs_read_cifs_symlinks(lpr_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.8.8/policy/modules/services/mailman.if
+--- nsaserefpolicy/policy/modules/services/mailman.if	2010-07-27 16:06:05.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mailman.if	2010-08-18 09:30:10.000000000 -0400
+@@ -74,7 +74,7 @@
+ 	corecmd_exec_all_executables(mailman_$1_t)
+ 
+ 	files_exec_etc_files(mailman_$1_t)
+-	files_list_usr(mailman_$1_t)
++	files_read_usr_files(mailman_$1_t)
+ 	files_list_var(mailman_$1_t)
+ 	files_list_var_lib(mailman_$1_t)
+ 	files_read_var_lib_symlinks(mailman_$1_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.if serefpolicy-3.8.8/policy/modules/services/memcached.if
 --- nsaserefpolicy/policy/modules/services/memcached.if	2010-07-27 16:06:05.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/services/memcached.if	2010-07-30 14:06:53.000000000 -0400
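Review bot: Replacing `files_list_usr(mailman_$1_t)` with `files_read_usr_files(mailman_$1_t)` widens every domain this template instantiates from listing /usr directories to reading all usr_t files; if only one mailman domain needs the read access, the call belongs in that domain's .te rather than in the shared template. If all of them do, a one-line comment naming what under /usr they read would make the widening visibly intentional. The enclosing template body starts and ends outside the hunk.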
@@ -19443,28 +19647,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.8.8/policy/modules/services/mta.fc
 --- nsaserefpolicy/policy/modules/services/mta.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mta.fc	2010-08-17 07:18:28.000000000 -0400
-@@ -1,4 +1,7 @@
++++ serefpolicy-3.8.8/policy/modules/services/mta.fc	2010-08-18 09:25:56.000000000 -0400
+@@ -1,4 +1,5 @@
 -HOME_DIR/\.forward	--	gen_context(system_u:object_r:mail_forward_t,s0)
 +HOME_DIR/\.forward	--	gen_context(system_u:object_r:mail_home_t,s0)
 +HOME_DIR/dead.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
-+/root/\.forward	--	gen_context(system_u:object_r:mail_home_t,s0)
-+/root/dead.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
  
  /bin/mail(x)?		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
  
-@@ -13,6 +16,8 @@
+@@ -11,6 +12,9 @@
+ /etc/postfix/aliases.*		gen_context(system_u:object_r:etc_aliases_t,s0)
+ ')
  
++/root/\.forward	--	gen_context(system_u:object_r:mail_home_t,s0)
++/root/dead.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
++
  /usr/bin/esmtp			-- gen_context(system_u:object_r:sendmail_exec_t,s0)
  
-+/root/\.forward		--	gen_context(system_u:object_r:mail_forward_t,s0)
-+
  /usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/lib/courier/bin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
- 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.8.8/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mta.if	2010-08-17 07:17:30.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mta.if	2010-08-18 06:49:03.000000000 -0400
 @@ -220,6 +220,25 @@
  	application_executable_file($1)
  ')
@@ -20761,7 +20964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
  kernel_list_proc(openct_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.8.8/policy/modules/services/openvpn.te
 --- nsaserefpolicy/policy/modules/services/openvpn.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/openvpn.te	2010-08-12 16:38:44.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/openvpn.te	2010-08-18 09:44:00.000000000 -0400
 @@ -24,6 +24,9 @@
  type openvpn_etc_rw_t;
  files_config_file(openvpn_etc_rw_t)
@@ -20794,14 +20997,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
  
  corecmd_exec_bin(openvpn_t)
  corecmd_exec_shell(openvpn_t)
-@@ -113,6 +121,7 @@
+@@ -113,6 +121,8 @@
  sysnet_etc_filetrans_config(openvpn_t)
  
  userdom_use_user_terminals(openvpn_t)
 +userdom_read_home_certs(openvpn_t)
++userdom_attach_admin_tun_iface(openvpn_t)
  
  tunable_policy(`openvpn_enable_homedirs',`
  	userdom_read_user_home_content_files(openvpn_t)
+@@ -138,3 +148,7 @@
+ 
+ 	networkmanager_dbus_chat(openvpn_t)
+ ')
++
++optional_policy(`
++	unconfined_attach_tun_iface(openvpn_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.8.8/policy/modules/services/pcscd.te
 --- nsaserefpolicy/policy/modules/services/pcscd.te	2010-07-27 16:06:06.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/services/pcscd.te	2010-08-04 14:25:34.000000000 -0400
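Review bot: The two new tun-attach calls carry no comment saying why openvpn_t must attach to tun interfaces created by admin or unconfined domains rather than its own, which is the kind of cross-domain grant a later auditor will question. A one-line reason above `userdom_attach_admin_tun_iface(openvpn_t)`, such as `# attach to persistent tun devices an admin pre-created (e.g. openvpn --mktun)`, would do, assuming that is the use case. Placing `unconfined_attach_tun_iface(openvpn_t)` inside `optional_policy` is correct since the unconfined module may not be loaded, while the userdom call can stay unconditional.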
@@ -23824,6 +24036,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
  
  remotelogin_domtrans(rlogind_t)
  remotelogin_signal(rlogind_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.8.8/policy/modules/services/rpcbind.fc
+--- nsaserefpolicy/policy/modules/services/rpcbind.fc	2010-07-27 16:06:06.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rpcbind.fc	2010-08-20 07:30:37.000000000 -0400
+@@ -2,6 +2,7 @@
+ 
+ /sbin/rpcbind		--	gen_context(system_u:object_r:rpcbind_exec_t,s0)
+ 
++/var/cache/rpcbind(/.*)?	gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
+ /var/lib/rpcbind(/.*)?		gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
+ 
+ /var/run/rpc.statd\.pid	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.8.8/policy/modules/services/rpcbind.if
 --- nsaserefpolicy/policy/modules/services/rpcbind.if	2010-07-27 16:06:06.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/services/rpcbind.if	2010-07-30 14:06:53.000000000 -0400
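Review bot: `/var/cache/rpcbind(/.*)?` is labelled with the var_lib type `rpcbind_var_lib_t`, which works for restorecon but makes the cache tree indistinguishable from /var/lib/rpcbind in policy and in audit records; if the two are meant to be treated identically, a comment on the entry saying so would stop someone "fixing" it later. The fc entry only applies at relabel time: if rpcbind_t itself creates /var/cache/rpcbind at runtime, a matching filetrans rule in rpcbind.te is needed for the directory to receive this label rather than the parent's, and this hunk does not show whether one exists.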
@@ -25982,9 +26205,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.8.8/policy/modules/services/sssd.te
 --- nsaserefpolicy/policy/modules/services/sssd.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/sssd.te	2010-07-30 14:06:53.000000000 -0400
-@@ -31,6 +31,7 @@
- allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
++++ serefpolicy-3.8.8/policy/modules/services/sssd.te	2010-08-18 07:03:35.000000000 -0400
+@@ -28,9 +28,10 @@
+ #
+ # sssd local policy
+ #
+-allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
++allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
  allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
  allow sssd_t self:fifo_file rw_file_perms;
 +allow sssd_t self:key manage_key_perms;
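Review bot: `chown` is added to sssd_t's capability set without a note on which files sssd needs to change ownership of; CAP_CHOWN is not scoped to a file type, so the rule alone does not tell a reader what it is for. Add a why-comment above the allow line, e.g. `# chown: <files sssd hands to an unprivileged user — fill in from the denial>`, so the grant can be re-audited against its reason later.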
@@ -26175,7 +26402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd
 +iscsi_manage_semaphores(tgtd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.8.8/policy/modules/services/tor.te
 --- nsaserefpolicy/policy/modules/services/tor.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/tor.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/tor.te	2010-08-18 07:42:58.000000000 -0400
 @@ -67,9 +67,10 @@
  logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })
  
@@ -26188,7 +26415,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.
  
  kernel_read_system_state(tor_t)
  
-@@ -100,6 +101,8 @@
+@@ -88,6 +89,7 @@
+ corenet_sendrecv_all_client_packets(tor_t)
+ # ... especially including port 80 and other privileged ports
+ corenet_tcp_connect_all_reserved_ports(tor_t)
++corenet_udp_bind_dns_port(tor_t)
+ 
+ # tor uses crypto and needs random
+ dev_read_urand(tor_t)
+@@ -100,6 +102,8 @@
  
  auth_use_nsswitch(tor_t)
  
@@ -31761,7 +31996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  	domain_system_change_exemption($1)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.8.8/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/logging.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/logging.te	2010-08-18 07:09:50.000000000 -0400
 @@ -60,6 +60,7 @@
  type syslogd_t;
  type syslogd_exec_t;
@@ -31779,19 +32014,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  miscfiles_read_localization(auditd_t)
  
  mls_file_read_all_levels(auditd_t)
-@@ -234,7 +237,11 @@
+@@ -234,7 +237,12 @@
  files_read_etc_files(audisp_t)
  files_read_etc_runtime_files(audisp_t)
  
 +mls_file_read_all_levels(audisp_t)
  mls_file_write_all_levels(audisp_t)
++mls_socket_write_all_levels(audisp_t)
 +mls_dbus_send_all_levels(audisp_t)
 +
 +auth_use_nsswitch(audisp_t)
  
  logging_send_syslog_msg(audisp_t)
  
-@@ -244,14 +251,22 @@
+@@ -244,14 +252,22 @@
  
  optional_policy(`
  	dbus_system_bus_client(audisp_t)
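Review bot: `mls_socket_write_all_levels(audisp_t)` is the fourth MLS override granted to audisp_t in this block and none of them carries a reason; MLS exemptions are exactly what an MLS auditor looks for, so group them under one why-comment placed above `mls_file_read_all_levels(audisp_t)`, e.g. `# audisp dispatches audit events to plugins and sockets at any level`, assuming that is the reason. The audisp_t section continues outside the hunk.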
@@ -31815,7 +32051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  
  corenet_all_recvfrom_unlabeled(audisp_remote_t)
  corenet_all_recvfrom_netlabel(audisp_remote_t)
-@@ -266,9 +281,16 @@
+@@ -266,9 +282,16 @@
  files_read_etc_files(audisp_remote_t)
  
  logging_send_syslog_msg(audisp_remote_t)
@@ -31832,7 +32068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  sysnet_dns_name_resolve(audisp_remote_t)
  
  ########################################
-@@ -369,9 +391,15 @@
+@@ -369,9 +392,15 @@
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
@@ -31848,7 +32084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  # manage pid file
  manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
  files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -412,6 +440,7 @@
+@@ -412,6 +441,7 @@
  
  dev_filetrans(syslogd_t, devlog_t, sock_file)
  dev_read_sysfs(syslogd_t)
@@ -31856,7 +32092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  
  domain_use_interactive_fds(syslogd_t)
  
-@@ -488,6 +517,10 @@
+@@ -488,6 +518,10 @@
  ')
  
  optional_policy(`
@@ -35390,7 +35626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.8.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/userdomain.if	2010-08-11 08:23:58.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/userdomain.if	2010-08-19 07:42:28.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3ec2e0a..c8087f0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.8.8
-Release: 15%{?dist}
+Release: 17%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,13 @@ exit 0
 %endif
 
 %changelog
+* Thu Aug 18 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-17
+- Allow clamscan_t execmem if clamd_use_jit set
+- Add policy for firefox plugin-container
+
+* Wed Aug 17 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-16
+- Fix /root/.forward definition
+
 * Tue Aug 17 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-15
 - label dead.letter as mail_home_t
 

