[selinux-policy/f14] - Backport f15 fixes
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Aug 29 12:39:27 UTC 2011
commit 81d22dd3967f11f83fcb35f7f974f96623248617
Author: Miroslav <mgrepl at redhat.com>
Date: Mon Aug 29 14:38:55 2011 +0200
- Backport f15 fixes
policy-F14.patch | 555 ++++++++++++++++++++++++++++++++++++++++-----------
selinux-policy.spec | 5 +-
2 files changed, 440 insertions(+), 120 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 703e544..e098ac8 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -2050,7 +2050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.9.7/policy/modules/admin/shorewall.te
--- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-10-12 20:42:51.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/admin/shorewall.te 2011-05-17 15:52:41.041889000 +0000
++++ serefpolicy-3.9.7/policy/modules/admin/shorewall.te 2011-08-22 09:13:31.551523004 +0000
@@ -58,6 +58,9 @@
manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
@@ -2061,7 +2061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
kernel_read_kernel_sysctls(shorewall_t)
kernel_read_network_state(shorewall_t)
-@@ -80,13 +83,20 @@
+@@ -80,13 +83,22 @@
init_rw_utmp(shorewall_t)
@@ -2070,6 +2070,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
miscfiles_read_localization(shorewall_t)
++auth_use_nsswitch(shorewall_t)
++
sysnet_domtrans_ifconfig(shorewall_t)
-userdom_dontaudit_list_user_home_dirs(shorewall_t)
@@ -8483,7 +8485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
dbus_session_bus_client($1_wm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.9.7/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/kernel/corecommands.fc 2011-06-02 13:09:36.996208002 +0000
++++ serefpolicy-3.9.7/policy/modules/kernel/corecommands.fc 2011-08-22 12:58:15.142523005 +0000
@@ -9,8 +9,11 @@
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -8635,12 +8637,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
ifdef(`distro_suse', `
-@@ -340,3 +372,28 @@
+@@ -340,3 +372,31 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
+/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
++/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+
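Review bot: The two new ruby gem entries `++/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?` and `++/usr/lib/ruby/gems/.*/agents(/.*)?` cover only `/usr/lib`, while the pam_krb5 entries added two lines below list both `/lib/security/...` and `/lib64/security/...`. If gems can land under `/usr/lib64/ruby/gems` on 64-bit hosts those copies would keep the default lib label and not be executable from confined domains; if gems are always arch-independent under `/usr/lib`, a short comment saying so would stop the next reader asking. Both patterns also match at any depth under any gem, so any directory named `helper-scripts` or `agents` anywhere in the gem tree becomes bin_t; if the intended gem layout is fixed, anchoring the pattern to it would keep the executable label narrower.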
@@ -8729,7 +8734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
+/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in 2011-08-04 10:04:15.709523005 +0000
++++ serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in 2011-08-10 09:08:48.792523005 +0000
@@ -24,6 +24,7 @@
#
type tun_tap_device_t;
@@ -8785,7 +8790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -111,7 +122,7 @@
+@@ -111,11 +122,12 @@
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@@ -8794,7 +8799,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -125,43 +136,59 @@
+ network_port(innd, tcp,119,s0)
++network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0)
+ network_port(ipmi, udp,623,s0, udp,664,s0)
+ network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
+ network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
+@@ -125,43 +137,59 @@
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
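Review bot: The new `++network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0)` line gives no hint of what the port is for, whereas this file annotates non-obvious entries (the `#8443 is mod_nss default port` comment on the http line above). The only consumer visible in this commit is `corenet_udp_bind_ionixnetmon_port(fenced_t)` in the rhcs.te hunk, so a trailing `# used by fenced (rhcs)` comment would document the grant and why both tcp and udp are declared while only udp is bound. If tcp/7410 has no consumer, declaring it only widens the label without a user; confirm whether it is needed.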
@@ -8858,7 +8868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -176,24 +203,28 @@
+@@ -176,24 +204,28 @@
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@@ -8891,7 +8901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-@@ -203,20 +234,22 @@
+@@ -203,20 +235,22 @@
network_port(ups, tcp,3493,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
@@ -8917,7 +8927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
-@@ -274,5 +307,5 @@
+@@ -274,5 +308,5 @@
allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
# Bind to any network address.
@@ -15051,7 +15061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.9.7/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/apache.fc 2011-02-25 17:40:39.620532746 +0000
++++ serefpolicy-3.9.7/policy/modules/services/apache.fc 2011-08-22 07:57:24.850523004 +0000
@@ -2,7 +2,7 @@
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
@@ -15079,7 +15089,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -74,7 +72,8 @@
+@@ -54,9 +52,11 @@
+ /usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+ /usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+ /usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+ /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+ /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+@@ -74,7 +74,8 @@
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
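Review bot: The new `++/usr/share/wordpress/.*\.php -- ...httpd_sys_script_exec_t` entry overlaps the `wp-content/uploads(/.*)?` entry and the new `wp-content/upgrade(/.*)?` rw-content entry a few lines below, since a `.php` file under those directories matches both. The rw-content label should prevail there (the entry with the longer fixed prefix sorts later and the last match wins), so a `.php` file written by httpd into uploads or upgrade would not become script_exec, which is the outcome you want; but it rests on file_contexts ordering rather than on the patterns themselves. A one-line comment above the block, `# wp-content entries below are more specific and override the .*\.php rule`, would make the intent explicit; verify with matchpathcon on a built policy rather than by reading the file.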
@@ -15089,7 +15111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -86,7 +85,6 @@
+@@ -86,7 +87,6 @@
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -15097,7 +15119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -109,3 +107,17 @@
+@@ -109,3 +109,17 @@
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -20567,7 +20589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
admin_pattern($1, ptal_etc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.9.7/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/cups.te 2011-02-25 17:40:39.799528341 +0000
++++ serefpolicy-3.9.7/policy/modules/services/cups.te 2011-08-24 16:13:07.824160002 +0000
@@ -15,6 +15,7 @@
type cupsd_t;
type cupsd_exec_t;
@@ -20704,6 +20726,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
logging_send_syslog_msg(hplip_t)
+@@ -773,6 +793,10 @@
+ userdom_dontaudit_search_user_home_content(ptal_t)
+
+ optional_policy(`
++ kerberos_manage_host_rcache(cupsd_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(ptal_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.9.7/policy/modules/services/cvs.if
--- nsaserefpolicy/policy/modules/services/cvs.if 2010-10-12 20:42:48.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/services/cvs.if 2011-02-25 17:40:39.800528316 +0000
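Review bot: The new `kerberos_manage_host_rcache(cupsd_t)` block is inserted at line 773 of cups.te between `userdom_dontaudit_search_user_home_content(ptal_t)` and `seutil_sigchld_newrole(ptal_t)`, i.e. inside what the surrounding rules show to be the ptal_t section, so a cupsd_t rule ends up in another domain's local policy. Moving the `optional_policy` block up into the cupsd_t section (which starts outside this hunk) keeps per-domain rules together and makes the grant findable on the next review. If it has to stay here, a `# cupsd_t: kerberized printing needs the host rcache` comment on the block would at least explain the placement.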
@@ -22283,8 +22316,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.9.7/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/dnsmasq.te 2011-03-18 14:17:25.483630000 +0000
-@@ -96,7 +96,20 @@
++++ serefpolicy-3.9.7/policy/modules/services/dnsmasq.te 2011-08-05 09:48:53.066523004 +0000
+@@ -53,6 +53,7 @@
+
+ kernel_read_kernel_sysctls(dnsmasq_t)
+ kernel_read_system_state(dnsmasq_t)
++kernel_request_load_module(dnsmasq_t)
+
+ corenet_all_recvfrom_unlabeled(dnsmasq_t)
+ corenet_all_recvfrom_netlabel(dnsmasq_t)
+@@ -96,7 +97,20 @@
')
optional_policy(`
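Review bot: The new `++kernel_request_load_module(dnsmasq_t)` line lets a network-facing daemon trigger kernel module autoloading, which is a privilege worth justifying inline, and the hunk gives no indication of which module dnsmasq needs. A comment such as `# autoloads <module> (TODO: name the module/AVC that prompted this)` keeps the reason auditable and makes the grant easy to drop later if the need goes away. Placing it next to the other `kernel_*` rules is fine.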
@@ -23116,6 +23157,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetc
ps_process_pattern($1, fetchmail_t)
files_list_etc($1)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.9.7/policy/modules/services/fetchmail.te
+--- nsaserefpolicy/policy/modules/services/fetchmail.te 2010-10-12 20:42:50.000000000 +0000
++++ serefpolicy-3.9.7/policy/modules/services/fetchmail.te 2011-08-05 09:26:11.153523005 +0000
+@@ -88,6 +88,10 @@
+ userdom_dontaudit_search_user_home_dirs(fetchmail_t)
+
+ optional_policy(`
++ kerberos_use(fetchmail_t)
++')
++
++optional_policy(`
+ procmail_domtrans(fetchmail_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.if serefpolicy-3.9.7/policy/modules/services/fprintd.if
--- nsaserefpolicy/policy/modules/services/fprintd.if 2010-10-12 20:42:49.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/services/fprintd.if 2011-02-25 17:40:39.926525213 +0000
@@ -24555,8 +24610,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddt
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.te serefpolicy-3.9.7/policy/modules/services/hddtemp.te
--- nsaserefpolicy/policy/modules/services/hddtemp.te 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/hddtemp.te 2011-02-25 17:40:39.991523614 +0000
-@@ -42,8 +42,8 @@
++++ serefpolicy-3.9.7/policy/modules/services/hddtemp.te 2011-08-10 09:11:22.410523005 +0000
+@@ -42,8 +42,12 @@
files_read_usr_files(hddtemp_t)
storage_raw_read_fixed_disk(hddtemp_t)
@@ -24565,7 +24620,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddt
logging_send_syslog_msg(hddtemp_t)
miscfiles_read_localization(hddtemp_t)
--
+
++optional_policy(`
++ sysnet_dns_name_resolve(hddtemp_t)
++')
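Review bot: `sysnet_dns_name_resolve(hddtemp_t)` is wrapped in `optional_policy`, while other sysnet calls in this same patch, e.g. `sysnet_domtrans_ifconfig(shorewall_t)` in the shorewall hunk, are unconditional. If sysnetwork is a base module in this build the wrapper is harmless but misleading; if it is not, the other call sites are the ones that need it. A one-line comment on why hddtemp now resolves names (presumably its network listener mode) would also help the next reader.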
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.9.7/policy/modules/services/icecast.if
--- nsaserefpolicy/policy/modules/services/icecast.if 2010-10-12 20:42:49.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/services/icecast.if 2011-02-25 17:40:39.992523589 +0000
@@ -26336,8 +26394,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mata
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/matahari.te serefpolicy-3.9.7/policy/modules/services/matahari.te
--- nsaserefpolicy/policy/modules/services/matahari.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/matahari.te 2011-03-18 13:21:49.509630001 +0000
-@@ -0,0 +1,116 @@
++++ serefpolicy-3.9.7/policy/modules/services/matahari.te 2011-08-22 13:09:48.575523005 +0000
+@@ -0,0 +1,118 @@
+policy_module(matahari,1.0.0)
+
+########################################
@@ -26446,6 +26504,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mata
+
+domain_use_interactive_fds(matahari_serviced_t)
+
++init_spec_domtrans_script(matahari_serviced_t)
++
+files_read_etc_files(matahari_serviced_t)
+
+logging_send_syslog_msg(matahari_serviced_t)
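Review bot: `++init_spec_domtrans_script(matahari_serviced_t)` lets the matahari service agent execute init scripts with a domain transition, i.e. start and stop system services, which is one of the more powerful grants in this patch and carries no comment. If, as the name suggests, this agent is driven remotely, a line such as `# serviced agent starts/stops services via their init scripts` would record that the grant is intentional rather than a denial-chasing addition. The rest of the matahari_serviced_t section is outside this hunk.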
@@ -27919,7 +27979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.9.7/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/mta.te 2011-06-06 11:04:30.913208001 +0000
++++ serefpolicy-3.9.7/policy/modules/services/mta.te 2011-08-29 09:53:35.165160001 +0000
@@ -20,8 +20,8 @@
type etc_mail_t;
files_config_file(etc_mail_t)
@@ -28031,7 +28091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
nagios_read_tmp_files(system_mail_t)
')
-@@ -158,18 +166,6 @@
+@@ -158,22 +166,13 @@
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
domain_use_interactive_fds(system_mail_t)
@@ -28050,7 +28110,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -189,6 +185,10 @@
+ qmail_domtrans_inject(system_mail_t)
++ qmail_manage_spool_dirs(system_mail_t)
++ qmail_manage_spool_files(system_mail_t)
++ qmail_rw_spool_pipes(system_mail_t)
+ ')
+
+ optional_policy(`
+@@ -189,6 +188,10 @@
')
optional_policy(`
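Review bot: The three new lines `qmail_manage_spool_dirs(system_mail_t)`, `qmail_manage_spool_files(system_mail_t)` and `qmail_rw_spool_pipes(system_mail_t)` sit next to the existing `qmail_domtrans_inject(system_mail_t)`, which already confines queue injection by transitioning into the qmail_inject domain; granting system_mail_t direct create/delete on qmail_spool_t bypasses that boundary. If a concrete denial prompted this, a comment naming it (`# system_mail_t touches the qmail queue directly when ...`) would justify the wider grant and make it reviewable later. The interfaces themselves are defined in the qmail.if hunk of this same commit.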
@@ -28061,7 +28128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
smartmon_read_tmp_files(system_mail_t)
')
-@@ -199,7 +199,7 @@
+@@ -199,7 +202,7 @@
arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
@@ -28070,7 +28137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
')
-@@ -220,7 +220,8 @@
+@@ -220,7 +223,8 @@
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -28080,7 +28147,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-@@ -242,6 +243,10 @@
+@@ -242,6 +246,10 @@
')
optional_policy(`
@@ -28091,7 +28158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
# so MTA can access /var/lib/mailman/mail/wrapper
files_search_var_lib(mailserver_delivery)
-@@ -249,11 +254,16 @@
+@@ -249,11 +257,16 @@
mailman_read_data_symlinks(mailserver_delivery)
')
@@ -28108,7 +28175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
domain_use_interactive_fds(user_mail_t)
userdom_use_user_terminals(user_mail_t)
-@@ -292,3 +302,44 @@
+@@ -292,3 +305,44 @@
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -28986,7 +29053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.9.7/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/networkmanager.te 2011-04-11 08:30:43.735000002 +0000
++++ serefpolicy-3.9.7/policy/modules/services/networkmanager.te 2011-08-22 08:28:31.831523005 +0000
@@ -12,6 +12,12 @@
type NetworkManager_initrc_exec_t;
init_script_file(NetworkManager_initrc_exec_t)
@@ -29103,7 +29170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
hal_write_log(NetworkManager_t)
')
-@@ -202,6 +237,13 @@
+@@ -202,10 +237,21 @@
')
optional_policy(`
@@ -29117,7 +29184,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
iptables_domtrans(NetworkManager_t)
')
-@@ -219,6 +261,7 @@
+ optional_policy(`
++ netutils_exec_ping(NetworkManager_t)
++')
++
++optional_policy(`
+ nscd_domtrans(NetworkManager_t)
+ nscd_signal(NetworkManager_t)
+ nscd_signull(NetworkManager_t)
+@@ -219,6 +265,7 @@
')
optional_policy(`
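Review bot: `++netutils_exec_ping(NetworkManager_t)` runs ping inside NetworkManager_t instead of transitioning to the dedicated ping domain, whereas the qdiskd section of rhcs.te in this same patch keeps `netutils_domtrans_ping(qdiskd_t)`. Executing in-domain means ping's raw-socket needs are met by NetworkManager_t's own permissions and the tighter ping domain is bypassed; if that is deliberate (e.g. NM reads ping output over a pipe), a comment `# run ping in-domain: NM consumes its output` would record it, otherwise `netutils_domtrans_ping` is the more conservative choice. The enclosing `optional_policy` block is fully visible in the hunk.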
@@ -29125,7 +29200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
openvpn_domtrans(NetworkManager_t)
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
-@@ -263,6 +306,7 @@
+@@ -263,6 +310,7 @@
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@@ -29860,7 +29935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
interface(`openct_domtrans',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.9.7/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/openvpn.te 2011-02-25 17:40:40.262516944 +0000
++++ serefpolicy-3.9.7/policy/modules/services/openvpn.te 2011-08-10 09:04:05.417523005 +0000
@@ -6,9 +6,9 @@
#
@@ -29884,9 +29959,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
type openvpn_initrc_exec_t;
init_script_file(openvpn_initrc_exec_t)
-@@ -43,12 +46,11 @@
- allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
- allow openvpn_t self:process { signal getsched };
+@@ -40,15 +43,14 @@
+ # openvpn local policy
+ #
+
+-allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
+-allow openvpn_t self:process { signal getsched };
++allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
++allow openvpn_t self:process { signal getsched setsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
-
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -30126,8 +30206,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pass
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/passenger.te serefpolicy-3.9.7/policy/modules/services/passenger.te
--- nsaserefpolicy/policy/modules/services/passenger.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/passenger.te 2011-02-25 17:40:40.276516599 +0000
-@@ -0,0 +1,76 @@
++++ serefpolicy-3.9.7/policy/modules/services/passenger.te 2011-08-22 13:04:27.931523003 +0000
+@@ -0,0 +1,82 @@
+policy_module(passanger, 1.0.0)
+
+########################################
@@ -30196,6 +30276,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pass
+
+auth_use_nsswitch(passenger_t)
+
++logging_send_syslog_msg(passenger_t)
++
+miscfiles_read_localization(passenger_t)
+
+userdom_dontaudit_use_user_terminals(passenger_t)
@@ -30204,6 +30286,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pass
+ apache_append_log(passenger_t)
+ apache_read_sys_content(passenger_t)
+')
++
++optional_policy(`
++ puppet_manage_lib(passenger_t)
++')
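Review bot: `++puppet_manage_lib(passenger_t)` hands the Passenger application domain create/write/delete access to every file labeled puppet_var_lib_t, and per the puppet.if hunk in this commit the interface is file management only, so the name slightly overstates it while the grant is still broad. If /var/lib/puppet's SSL material carries that label (not visible here), a compromised web process could alter it; a comment `# puppetmaster runs under passenger and writes its lib dir` would at least document why the grant exists. Scoping to a narrower type, if the puppet module has one, would be preferable.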
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.9.7/policy/modules/services/pcscd.if
--- nsaserefpolicy/policy/modules/services/pcscd.if 2010-10-12 20:42:49.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/services/pcscd.if 2011-02-25 17:40:40.283516427 +0000
@@ -30248,13 +30334,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.9.7/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/pegasus.te 2011-02-25 17:40:40.300516008 +0000
++++ serefpolicy-3.9.7/policy/modules/services/pegasus.te 2011-08-29 10:00:30.763160000 +0000
@@ -29,7 +29,7 @@
# Local policy
#
-allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service };
-+allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service };
++allow pegasus_t self:capability { chown ipc_lock kill sys_nice setuid setgid dac_override net_bind_service };
dontaudit pegasus_t self:capability sys_tty_config;
allow pegasus_t self:process signal;
allow pegasus_t self:fifo_file rw_fifo_file_perms;
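Review bot: The capability line now adds `kill` to pegasus_t, i.e. `++allow pegasus_t self:capability { chown ipc_lock kill sys_nice setuid setgid dac_override net_bind_service };`, yet the only process permission visible on the following lines is `allow pegasus_t self:process signal;` on itself. CAP_KILL is only consulted when signalling processes of a different uid, so this is presumably paired with a signal rule toward another domain that lies outside this hunk; a comment naming the target (`# kill: signals <domain> processes`) would make the pairing visible. If no such rule exists, the capability is unused and should be dropped rather than kept.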
@@ -30263,7 +30349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
-allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
-+allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms };
++allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms rename_file_perms };
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -31963,7 +32049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.9.7/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/postfix.te 2011-05-02 10:17:02.194000005 +0000
++++ serefpolicy-3.9.7/policy/modules/services/postfix.te 2011-08-29 10:56:24.116160000 +0000
@@ -5,6 +5,14 @@
# Declarations
#
@@ -32214,7 +32300,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -588,10 +634,16 @@
+@@ -565,6 +611,10 @@
+ ')
+
+ optional_policy(`
++ dovecot_stream_connect(postfix_smtp_t)
++')
++
++optional_policy(`
+ milter_stream_connect_all(postfix_smtp_t)
+ ')
+
+@@ -588,10 +638,16 @@
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -32231,7 +32328,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
optional_policy(`
-@@ -611,8 +663,8 @@
+@@ -611,8 +667,8 @@
# Postfix virtual local policy
#
@@ -32241,7 +32338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +682,8 @@
+@@ -630,3 +686,8 @@
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -33505,7 +33602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.if serefpolicy-3.9.7/policy/modules/services/puppet.if
--- nsaserefpolicy/policy/modules/services/puppet.if 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/puppet.if 2011-02-25 17:40:40.402513497 +0000
++++ serefpolicy-3.9.7/policy/modules/services/puppet.if 2011-08-22 13:05:03.052523003 +0000
@@ -21,7 +21,7 @@
## </summary>
## </param>
@@ -33515,6 +33612,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
gen_require(`
type puppet_tmp_t;
')
+@@ -29,3 +29,22 @@
+ allow $1 puppet_tmp_t:file rw_file_perms;
+ files_search_tmp($1)
+ ')
++
++##############################################
++## <summary>
++## Manage Puppet lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`puppet_manage_lib',`
++ gen_require(`
++ type puppet_var_lib_t;
++ ')
++
++ manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
++ files_search_var_lib($1)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.9.7/policy/modules/services/puppet.te
--- nsaserefpolicy/policy/modules/services/puppet.te 2010-10-12 20:42:48.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/services/puppet.te 2011-06-27 12:42:58.153029998 +0000
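Review bot: The new puppet_manage_lib interface only calls `manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)`, so it manages files under puppet_var_lib_t but does not create or remove directories; the qmail interfaces added in this same commit split this as `qmail_manage_spool_dirs` / `qmail_manage_spool_files`, and `puppet_manage_lib_files` would follow that convention and the refpolicy naming scheme. The banner above it is `##############################################`, longer than the 40-hash banner used elsewhere in this patch (e.g. the qmail.if hunk), which is a small style nit. The summary `Manage Puppet lib files.` does match what the body grants.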
@@ -33842,9 +33962,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
kernel_read_kernel_sysctls(pyzord_t)
kernel_read_system_state(pyzord_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.fc serefpolicy-3.9.7/policy/modules/services/qmail.fc
+--- nsaserefpolicy/policy/modules/services/qmail.fc 2010-10-12 20:42:50.000000000 +0000
++++ serefpolicy-3.9.7/policy/modules/services/qmail.fc 2011-08-29 09:53:07.486160001 +0000
+@@ -17,6 +17,7 @@
+ /var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+ /var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
++/var/qmail/owners(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+ /var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.if serefpolicy-3.9.7/policy/modules/services/qmail.if
--- nsaserefpolicy/policy/modules/services/qmail.if 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/qmail.if 2011-02-25 17:40:40.406513399 +0000
++++ serefpolicy-3.9.7/policy/modules/services/qmail.if 2011-08-29 09:52:50.364160001 +0000
@@ -62,14 +62,13 @@
type qmail_inject_t, qmail_inject_exec_t;
')
@@ -33877,6 +34008,67 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmai
')
')
+@@ -149,3 +147,60 @@
+
+ domtrans_pattern(qmail_smtpd_t, $2, $1)
+ ')
++
++########################################
++## <summary>
++## Create, read, write, and delete qmail
++## spool directories.
++## </summary>
++## <param name="prefix">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`qmail_manage_spool_dirs',`
++ gen_require(`
++ type qmail_spool_t;
++ ')
++
++ manage_dirs_pattern($1, qmail_spool_t, qmail_spool_t)
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete qmail
++## spool files.
++## </summary>
++## <param name="prefix">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`qmail_manage_spool_files',`
++ gen_require(`
++ type qmail_spool_t;
++ ')
++
++ manage_files_pattern($1, qmail_spool_t, qmail_spool_t)
++')
++
++########################################
++## <summary>
++## Read and write to qmail spool pipes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`qmail_rw_spool_pipes',`
++ gen_require(`
++ type qmail_spool_t;
++ ')
++
++ allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.9.7/policy/modules/services/qmail.te
--- nsaserefpolicy/policy/modules/services/qmail.te 2010-10-12 20:42:49.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/services/qmail.te 2011-02-25 17:40:40.406513399 +0000
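Review bot: The XML docs on the three new interfaces do not match their bodies: `qmail_manage_spool_dirs` and `qmail_manage_spool_files` declare `<param name="prefix">` although `$1` is the calling domain (the text under it already says `Domain allowed access.`), and `qmail_rw_spool_pipes` describes its parameter as `Domain to not audit.` even though the body is an `allow` rule. Change both `<param name="prefix">` to `<param name="domain">` and the last description to `Domain allowed access.`; these comments feed the generated interface documentation, so the errors propagate beyond this file. The bodies themselves are consistent with the existing refpolicy patterns.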
@@ -34271,8 +34463,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.te serefpolicy-3.9.7/policy/modules/services/qpidd.te
--- nsaserefpolicy/policy/modules/services/qpidd.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/qpidd.te 2011-02-25 17:40:40.409513324 +0000
-@@ -0,0 +1,63 @@
++++ serefpolicy-3.9.7/policy/modules/services/qpidd.te 2011-08-22 13:12:13.625523004 +0000
+@@ -0,0 +1,64 @@
+policy_module(qpidd, 1.0.0)
+
+########################################
@@ -34326,6 +34518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid
+dev_read_urand(qpidd_t)
+
+files_read_etc_files(qpidd_t)
++files_read_usr_files(qpidd_t)
+
+logging_send_syslog_msg(qpidd_t)
+
@@ -35187,7 +35380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.9.7/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/rhcs.te 2011-05-27 10:38:03.562208002 +0000
++++ serefpolicy-3.9.7/policy/modules/services/rhcs.te 2011-08-10 09:09:44.332523005 +0000
@@ -6,13 +6,22 @@
#
@@ -35258,7 +35451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
can_exec(fenced_t, fenced_exec_t)
-@@ -82,8 +95,12 @@
+@@ -82,8 +95,13 @@
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -35267,11 +35460,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
corecmd_exec_bin(fenced_t)
+corecmd_exec_shell(fenced_t)
++corenet_udp_bind_ionixnetmon_port(fenced_t)
+corenet_tcp_bind_zented_port(fenced_t)
corenet_tcp_connect_http_port(fenced_t)
dev_read_sysfs(fenced_t)
-@@ -105,8 +122,24 @@
+@@ -105,8 +123,24 @@
')
optional_policy(`
@@ -35297,7 +35491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
')
optional_policy(`
-@@ -116,11 +149,30 @@
+@@ -116,11 +150,30 @@
######################################
#
@@ -35329,7 +35523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
allow gfs_controld_t self:shm create_shm_perms;
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -139,10 +191,6 @@
+@@ -139,10 +192,6 @@
init_rw_script_tmp_files(gfs_controld_t)
optional_policy(`
@@ -35340,7 +35534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
')
-@@ -154,9 +202,10 @@
+@@ -154,9 +203,10 @@
allow groupd_t self:capability { sys_nice sys_resource };
allow groupd_t self:process setsched;
@@ -35352,7 +35546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
dev_list_sysfs(groupd_t)
files_read_etc_files(groupd_t)
-@@ -168,8 +217,7 @@
+@@ -168,8 +218,7 @@
# qdiskd local policy
#
@@ -35362,7 +35556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms;
-@@ -199,6 +247,8 @@
+@@ -199,6 +248,8 @@
files_dontaudit_getattr_all_pipes(qdiskd_t)
files_read_etc_files(qdiskd_t)
@@ -35371,7 +35565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
storage_raw_read_removable_device(qdiskd_t)
storage_raw_write_removable_device(qdiskd_t)
storage_raw_read_fixed_disk(qdiskd_t)
-@@ -207,10 +257,6 @@
+@@ -207,10 +258,6 @@
auth_use_nsswitch(qdiskd_t)
optional_policy(`
@@ -35382,7 +35576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
netutils_domtrans_ping(qdiskd_t)
')
-@@ -223,18 +269,28 @@
+@@ -223,18 +270,28 @@
# rhcs domains common policy
#
@@ -40044,10 +40238,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdag
+/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdagent.if serefpolicy-3.9.7/policy/modules/services/vdagent.if
--- nsaserefpolicy/policy/modules/services/vdagent.if 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/vdagent.if 2011-02-25 17:40:40.696506261 +0000
-@@ -0,0 +1,39 @@
-+## <summary>The spice guest agent daemon.</summary>
++++ serefpolicy-3.9.7/policy/modules/services/vdagent.if 2011-08-11 09:56:10.773523005 +0000
+@@ -0,0 +1,128 @@
+
++## <summary>policy for vdagent</summary>
++
++#####################################
++## <summary>
++## Getattr on vdagent executable.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`vdagent_getattr_exec',`
++ gen_require(`
++ type vdagent_exec_t;
++ ')
++
++ allow $1 vdagent_exec_t:file getattr;
++')
+
+########################################
+## <summary>
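Review bot: The `<param name="domain">` summary of the new `vdagent_getattr_exec` interface reads `Domain allowed to transition.`, but the body only grants `allow $1 vdagent_exec_t:file getattr;` and sets up no domain transition. It should read `## Domain allowed access.`, as the other interfaces added in this file word it, otherwise the generated interface documentation promises an entrypoint the caller does not get.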
@@ -40067,9 +40279,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdag
+ domtrans_pattern($1, vdagent_exec_t, vdagent_t)
+')
+
++#######################################
++## <summary>
++## Get the attributes of vdagent logs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`vdagent_getattr_log',`
++ gen_require(`
++ type vdagent_log_t;
++ ')
++
++ logging_search_logs($1)
++ allow $1 vdagent_log_t:file getattr_file_perms;
++')
++
+########################################
+## <summary>
-+## Connect to vdagent over an unix stream socket.
++## Read vdagent PID files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -40077,14 +40308,66 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdag
+## </summary>
+## </param>
+#
++interface(`vdagent_read_pid_files',`
++ gen_require(`
++ type vdagent_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 vdagent_var_run_t:file read_file_perms;
++')
++
++#####################################
++## <summary>
++## Connect to vdagent over a unix domain
++## stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`vdagent_stream_connect',`
++ gen_require(`
++ type vdagent_var_run_t, vdagent_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an vdagent environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`vdagent_admin',`
+ gen_require(`
-+ type vdagent_t, vdagent_var_run_t;
++ type vdagent_t;
++ type vdagent_var_run_t;
+ ')
+
++ allow $1 vdagent_t:process { ptrace signal_perms };
++ ps_process_pattern($1, vdagent_t)
++
+ files_search_pids($1)
-+ stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
++ admin_pattern($1, vdagent_var_run_t)
++
+')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdagent.te serefpolicy-3.9.7/policy/modules/services/vdagent.te
--- nsaserefpolicy/policy/modules/services/vdagent.te 1970-01-01 00:00:00.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/services/vdagent.te 2011-03-09 15:08:09.881980002 +0000
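Review bot: `vdagent_admin` documents a `role` parameter and carries `<rolecap/>`, yet its body never references `$2`, so the second argument is accepted and silently ignored. Either remove the `<param name="role">` block and `<rolecap/>` so the documentation matches what the interface does, or make the body use the role (admin interfaces in this policy typically pass it to a run or script-transition interface, if vdagent has one). Two minor wording points in the same interface: `an vdagent environment` should be `a vdagent environment`, and the blank line before the closing `')` can be dropped.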
@@ -44116,7 +44399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic
ssh_rw_stream_sockets(application_domain_type)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.9.7/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/authlogin.fc 2011-02-25 17:40:40.785504070 +0000
++++ serefpolicy-3.9.7/policy/modules/system/authlogin.fc 2011-08-22 09:29:03.318523005 +0000
@@ -10,6 +10,7 @@
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
@@ -44125,15 +44408,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
ifdef(`distro_suse', `
-@@ -27,6 +28,7 @@
+@@ -27,7 +28,9 @@
/var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
++/var/lib/pam_shield(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
-@@ -40,6 +42,7 @@
+ /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
+@@ -40,6 +43,7 @@
/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
/var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
@@ -44728,8 +45013,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.9.7/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/hostname.te 2011-02-25 17:40:40.812503404 +0000
-@@ -28,15 +28,18 @@
++++ serefpolicy-3.9.7/policy/modules/system/hostname.te 2011-08-11 13:32:02.324523004 +0000
+@@ -23,20 +23,24 @@
+
+ kernel_list_proc(hostname_t)
+ kernel_read_proc_symlinks(hostname_t)
++kernel_read_network_state(hostname_t)
+
+ dev_read_sysfs(hostname_t)
# Early devtmpfs, before udev relabel
dev_dontaudit_rw_generic_chr_files(hostname_t)
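Review bot: `kernel_read_network_state(hostname_t)` widens hostname_t to reading kernel network state with no comment on which invocation requires it, whereas the neighbouring `dev_dontaudit_rw_generic_chr_files` rule does carry a why-comment. A short note of the form `# hostname <option> reads network state` (option filled in by the author, or the denial it resolves) would let a later reviewer decide whether the broader read access is still justified.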
@@ -44748,7 +45039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
term_dontaudit_use_console(hostname_t)
-@@ -55,6 +58,10 @@
+@@ -55,6 +59,10 @@
sysnet_dns_name_resolve(hostname_t)
optional_policy(`
@@ -45246,7 +45537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.9.7/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/init.te 2011-04-20 13:49:07.390000005 +0000
++++ serefpolicy-3.9.7/policy/modules/system/init.te 2011-08-22 09:39:01.606523005 +0000
@@ -16,6 +16,34 @@
## </desc>
gen_tunable(init_upstart, false)
@@ -45768,7 +46059,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -600,6 +830,9 @@
+@@ -593,6 +823,10 @@
+ ')
+
+ optional_policy(`
++ cron_read_pipes(initrc_t)
++')
++
++optional_policy(`
+ daemontools_manage_svc(initrc_t)
+ ')
+
+@@ -600,6 +834,9 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -45778,7 +46080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -701,7 +934,13 @@
+@@ -701,7 +938,13 @@
')
optional_policy(`
@@ -45792,7 +46094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -724,6 +963,10 @@
+@@ -724,6 +967,10 @@
')
optional_policy(`
@@ -45803,7 +46105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -745,6 +988,10 @@
+@@ -745,6 +992,10 @@
')
optional_policy(`
@@ -45814,7 +46116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -766,8 +1013,6 @@
+@@ -766,8 +1017,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -45823,7 +46125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -776,14 +1021,21 @@
+@@ -776,14 +1025,21 @@
')
optional_policy(`
@@ -45845,7 +46147,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1057,19 @@
+@@ -805,11 +1061,19 @@
')
optional_policy(`
@@ -45866,7 +46168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1079,25 @@
+@@ -819,6 +1083,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -45892,7 +46194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -844,3 +1123,59 @@
+@@ -844,3 +1127,59 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -47136,7 +47438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
domain_system_change_exemption($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.9.7/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/logging.te 2011-04-04 17:55:37.936000002 +0000
++++ serefpolicy-3.9.7/policy/modules/system/logging.te 2011-08-11 13:26:32.408523005 +0000
@@ -19,6 +19,11 @@
files_security_file(auditd_log_t)
files_security_mountpoint(auditd_log_t)
@@ -47273,7 +47575,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
-@@ -488,6 +531,10 @@
+@@ -443,6 +486,7 @@
+
+ # cjp: this doesnt make sense
+ logging_send_syslog_msg(syslogd_t)
++logging_manage_all_logs(syslogd_t)
+
+ miscfiles_read_localization(syslogd_t)
+
+@@ -488,6 +532,10 @@
')
optional_policy(`
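Review bot: `logging_manage_all_logs(syslogd_t)` grants the syslog daemon create/write/delete/rename rights on every type carrying the logfile attribute, which is far broader than the access a syslog daemon needs for the files it writes itself; if auditd_log_t is in that attribute (this file marks it a security file a few hunks above), syslogd could truncate or remove the audit trail, collapsing the separation between syslog and audit logging. A rule limited to the specific log types rsyslog must manage, or the broad rule gated behind a tunable that defaults to off, would be the narrower fix. The existing `# cjp: this doesnt make sense` comment refers to the send_syslog_msg line, so the new rule also deserves a comment of its own naming the denial it resolves.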
@@ -51028,7 +51338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.debug(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.9.7/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/userdomain.if 2011-06-06 16:17:16.344208002 +0000
++++ serefpolicy-3.9.7/policy/modules/system/userdomain.if 2011-08-11 09:56:45.512523005 +0000
@@ -30,8 +30,9 @@
')
@@ -52068,7 +52378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
userdom_common_user_template($1)
##############################
-@@ -956,54 +1165,77 @@
+@@ -956,55 +1165,84 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -52174,9 +52484,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- setroubleshoot_stream_connect($1_t)
+ ppp_run_cond($1_t, $1_r)
')
++
++ optional_policy(`
++ vdagent_getattr_log($1_t)
++ vdagent_getattr_exec($1_t)
++ vdagent_stream_connect($1_t)
++ ')
')
-@@ -1039,7 +1271,7 @@
+ #######################################
+@@ -1039,7 +1277,7 @@
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -52185,7 +52502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
##############################
-@@ -1074,6 +1306,9 @@
+@@ -1074,6 +1312,9 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -52195,7 +52512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1323,7 @@
+@@ -1088,6 +1329,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -52203,7 +52520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,6 +1341,9 @@
+@@ -1105,6 +1347,9 @@
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -52213,7 +52530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
domain_setpriority_all_domains($1_t)
domain_read_all_domains_state($1_t)
-@@ -1119,15 +1358,19 @@
+@@ -1119,15 +1364,19 @@
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -52233,7 +52550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
term_use_all_terms($1_t)
-@@ -1142,6 +1385,7 @@
+@@ -1142,6 +1391,7 @@
logging_send_syslog_msg($1_t)
modutils_domtrans_insmod($1_t)
@@ -52241,7 +52558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1454,8 @@
+@@ -1210,6 +1460,8 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -52250,7 +52567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1237,8 +1483,15 @@
+@@ -1237,8 +1489,15 @@
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -52266,7 +52583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
aide_run($1,$2)
')
-@@ -1275,12 +1528,15 @@
+@@ -1275,12 +1534,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -52283,7 +52600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1391,6 +1647,7 @@
+@@ -1391,6 +1653,7 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -52291,7 +52608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_home($1)
')
-@@ -1437,6 +1694,14 @@
+@@ -1437,6 +1700,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -52306,7 +52623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1452,9 +1717,11 @@
+@@ -1452,9 +1723,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -52318,7 +52635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1511,6 +1778,42 @@
+@@ -1511,6 +1784,42 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -52361,7 +52678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1585,6 +1888,8 @@
+@@ -1585,6 +1894,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -52370,7 +52687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1599,10 +1904,12 @@
+@@ -1599,10 +1910,12 @@
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -52385,7 +52702,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1645,26 +1952,45 @@
+@@ -1645,26 +1958,45 @@
########################################
## <summary>
@@ -52437,7 +52754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## </summary>
## <param name="domain">
## <summary>
-@@ -1696,12 +2022,32 @@
+@@ -1696,12 +2028,32 @@
type user_home_dir_t, user_home_t;
')
@@ -52470,7 +52787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1712,11 +2058,14 @@
+@@ -1712,11 +2064,14 @@
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -52488,7 +52805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1806,8 +2155,7 @@
+@@ -1806,8 +2161,7 @@
type user_home_dir_t, user_home_t;
')
@@ -52498,7 +52815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1823,20 +2171,14 @@
+@@ -1823,20 +2177,14 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -52523,7 +52840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
## <summary>
-@@ -2178,7 +2520,7 @@
+@@ -2178,7 +2526,7 @@
type user_tmp_t;
')
@@ -52532,7 +52849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2431,13 +2773,14 @@
+@@ -2431,13 +2779,14 @@
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -52548,7 +52865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## </summary>
## <param name="domain">
## <summary>
-@@ -2458,26 +2801,6 @@
+@@ -2458,26 +2807,6 @@
########################################
## <summary>
@@ -52575,7 +52892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2566,6 +2889,24 @@
+@@ -2566,6 +2895,24 @@
allow $1 user_tty_device_t:chr_file rw_term_perms;
')
@@ -52600,7 +52917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
## <summary>
## Read and write a user domain pty.
-@@ -2584,6 +2925,24 @@
+@@ -2584,6 +2931,24 @@
allow $1 user_devpts_t:chr_file rw_term_perms;
')
@@ -52625,7 +52942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
## <summary>
## Read and write a user TTYs and PTYs.
-@@ -2640,6 +2999,23 @@
+@@ -2640,6 +3005,23 @@
dontaudit $1 user_devpts_t:chr_file rw_term_perms;
')
@@ -52649,7 +52966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
## <summary>
## Execute a shell in all user domains. This
-@@ -2811,7 +3187,7 @@
+@@ -2811,7 +3193,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -52658,7 +52975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2827,11 +3203,13 @@
+@@ -2827,11 +3209,13 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -52674,7 +52991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2913,7 +3291,7 @@
+@@ -2913,7 +3297,7 @@
type user_devpts_t;
')
@@ -52683,7 +53000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2968,7 +3346,45 @@
+@@ -2968,7 +3352,45 @@
type user_tmp_t;
')
@@ -52730,7 +53047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3005,6 +3421,7 @@
+@@ -3005,6 +3427,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -52738,7 +53055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -3135,3 +3552,873 @@
+@@ -3135,3 +3558,873 @@
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ebe1e8c..771cf47 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.7
-Release: 44%{?dist}
+Release: 45%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,9 @@ exit 0
%endif
%changelog
+* Mon Aug 29 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-45
+- Backport f15 fixes
+
* Thu Aug 4 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-44
- Backport dirsrv-admin changes