rpms/selinux-policy/devel modules-targeted.conf, 1.127, 1.128 policy-20090105.patch, 1.116, 1.117 selinux-policy.spec, 1.854, 1.855
Daniel J Walsh
dwalsh at fedoraproject.org
Mon May 18 18:41:03 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv29272
Modified Files:
modules-targeted.conf policy-20090105.patch
selinux-policy.spec
Log Message:
* Mon May 18 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-38
- Add varnishd policy
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.127
retrieving revision 1.128
diff -u -p -r1.127 -r1.128
--- modules-targeted.conf 2 May 2009 11:52:11 -0000 1.127
+++ modules-targeted.conf 18 May 2009 18:41:01 -0000 1.128
@@ -1450,6 +1450,13 @@ usernetctl = module
xen = module
# Layer: services
+# Module: varnishd
+#
+# Varnishd http accelerator daemon
+#
+varnishd = module
+
+# Layer: services
# Module: virt
#
# Virtualization libraries
@@ -1633,6 +1640,13 @@ portreserve = module
rpcbind = module
# Layer: apps
+# Module: rssh
+#
+# Restricted (scp/sftp) only shell
+#
+rssh = module
+
+# Layer: apps
# Module: vmware
#
# VMWare Workstation virtual machines
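Review bot: The log message carries only `- Add varnishd policy`, but this hunk also enables a new `rssh = module` entry under the apps layer, so the changelog under-describes the commit. A second bullet such as `- Add rssh policy` would keep the spec changelog aligned with modules-targeted.conf. Whether the rssh module's own .te/.fc/.if files are part of this commit cannot be seen from the visible hunks of policy-20090105.patch.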
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.116
retrieving revision 1.117
diff -u -p -r1.116 -r1.117
--- policy-20090105.patch 14 May 2009 18:53:39 -0000 1.116
+++ policy-20090105.patch 18 May 2009 18:41:01 -0000 1.117
@@ -603,7 +603,7 @@ diff -b -B --ignore-all-space --exclude-
+userdom_read_user_tmpfs_files(kismet_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.12/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-04-07 15:53:36.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/admin/logrotate.te 2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/logrotate.te 2009-05-18 08:21:37.000000000 -0400
@@ -116,8 +116,9 @@
seutil_dontaudit_read_config(logrotate_t)
@@ -626,6 +626,14 @@ diff -b -B --ignore-all-space --exclude-
consoletype_exec(logrotate_t)
')
+@@ -189,3 +194,7 @@
+ optional_policy(`
+ squid_domtrans(logrotate_t)
+ ')
++
++optional_policy(`
++ varnishlog_manage_log(logrotate_t)
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.12/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-03-20 12:39:40.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/admin/logwatch.te 2009-05-12 15:30:13.000000000 -0400
@@ -5068,7 +5076,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-02-03 22:50:50.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.if.in 2009-05-12 16:34:51.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.if.in 2009-05-18 09:34:14.000000000 -0400
@@ -1612,6 +1612,24 @@
########################################
@@ -5121,7 +5129,7 @@ diff -b -B --ignore-all-space --exclude-
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-03-23 13:47:10.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in 2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in 2009-05-18 08:21:37.000000000 -0400
@@ -65,10 +65,12 @@
type server_packet_t, packet_type, server_packet_type;
@@ -5225,7 +5233,7 @@ diff -b -B --ignore-all-space --exclude-
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
-@@ -173,14 +197,17 @@
+@@ -173,14 +197,18 @@
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -5235,6 +5243,7 @@ diff -b -B --ignore-all-space --exclude-
network_port(transproxy, tcp,8081,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
++network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
+network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(vnc, tcp,5900,s0)
network_port(wccp, udp,2048,s0)
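Review bot: `network_port(varnishd, tcp,6081,s0, tcp,6082,s0)` places Varnish's client-facing HTTP listener (6081 by default) and its management CLI listener (6082 by default) under the single type `varnishd_port_t`, so any domain later granted connect or bind on that port type reaches the management interface as well as the cache. If the intent is to let web-facing domains talk to the accelerator, a separate port type for 6082 would let the two listeners be granted independently. The surrounding `corenetwork.te.in` hunk header count change at lines 106–107 is just the consequence of this one added line.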
@@ -5245,7 +5254,7 @@ diff -b -B --ignore-all-space --exclude-
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-@@ -209,6 +236,8 @@
+@@ -209,6 +237,8 @@
type node_t, node_type;
sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
@@ -5277,7 +5286,7 @@ diff -b -B --ignore-all-space --exclude-
/dev/cpu.* -c gen_context(system_u:object_r:cpu_device_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-03-05 12:28:56.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/devices.if 2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/devices.if 2009-05-18 09:09:23.000000000 -0400
@@ -2268,6 +2268,25 @@
########################################
@@ -9152,7 +9161,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.12/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/apache.te 2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/apache.te 2009-05-18 09:16:47.000000000 -0400
@@ -19,6 +19,8 @@
# Declarations
#
@@ -11721,7 +11730,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.12/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/cups.te 2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/cups.te 2009-05-18 14:39:34.000000000 -0400
@@ -20,9 +20,18 @@
type cupsd_etc_t;
files_config_file(cupsd_etc_t)
@@ -11925,8 +11934,11 @@ diff -b -B --ignore-all-space --exclude-
logging_send_audit_msgs(cupsd_t)
logging_send_syslog_msg(cupsd_t)
-@@ -217,17 +264,21 @@
+@@ -215,19 +262,24 @@
+ miscfiles_read_localization(cupsd_t)
+ # invoking ghostscript needs to read fonts
miscfiles_read_fonts(cupsd_t)
++miscfiles_setattr_fonts(cupsd_t)
seutil_read_config(cupsd_t)
+sysnet_exec_ifconfig(cupsd_t)
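Review bot: `miscfiles_setattr_fonts(cupsd_t)` grants the print spooler setattr on system font files with no rationale, unlike the neighbouring `# invoking ghostscript needs to read fonts` line that explains the read access. A one-line comment naming what was observed, e.g. `# ghostscript font handling tripped a setattr denial on fonts_t — TODO confirm from AVC`, would let a later reviewer judge whether a dontaudit rather than an allow would have been enough. The enclosing cupsd_t policy block starts and ends outside the hunk.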
@@ -11950,7 +11962,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -244,8 +295,16 @@
+@@ -244,8 +296,16 @@
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
@@ -11967,7 +11979,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -261,6 +320,10 @@
+@@ -261,6 +321,10 @@
')
optional_policy(`
@@ -11978,7 +11990,7 @@ diff -b -B --ignore-all-space --exclude-
# cups execs smbtool which reads samba_etc_t files
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
-@@ -279,7 +342,7 @@
+@@ -279,7 +343,7 @@
# Cups configuration daemon local policy
#
@@ -11987,7 +11999,7 @@ diff -b -B --ignore-all-space --exclude-
dontaudit cupsd_config_t self:capability sys_tty_config;
allow cupsd_config_t self:process signal_perms;
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-@@ -302,8 +365,10 @@
+@@ -302,8 +366,10 @@
allow cupsd_config_t cupsd_log_t:file rw_file_perms;
@@ -12000,7 +12012,7 @@ diff -b -B --ignore-all-space --exclude-
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
-@@ -311,7 +376,7 @@
+@@ -311,7 +377,7 @@
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
kernel_read_system_state(cupsd_config_t)
@@ -12009,7 +12021,7 @@ diff -b -B --ignore-all-space --exclude-
corenet_all_recvfrom_unlabeled(cupsd_config_t)
corenet_all_recvfrom_netlabel(cupsd_config_t)
-@@ -324,6 +389,7 @@
+@@ -324,6 +390,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
@@ -12017,7 +12029,7 @@ diff -b -B --ignore-all-space --exclude-
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
-@@ -341,13 +407,14 @@
+@@ -341,13 +408,14 @@
files_read_var_symlinks(cupsd_config_t)
# Alternatives asks for this
@@ -12033,7 +12045,7 @@ diff -b -B --ignore-all-space --exclude-
seutil_dontaudit_search_config(cupsd_config_t)
-@@ -359,14 +426,16 @@
+@@ -359,14 +427,16 @@
lpd_read_config(cupsd_config_t)
ifdef(`distro_redhat',`
@@ -12052,7 +12064,7 @@ diff -b -B --ignore-all-space --exclude-
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
-@@ -382,6 +451,7 @@
+@@ -382,6 +452,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
@@ -12060,7 +12072,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -491,7 +561,10 @@
+@@ -491,7 +562,10 @@
allow hplip_t self:udp_socket create_socket_perms;
allow hplip_t self:rawip_socket create_socket_perms;
@@ -12072,7 +12084,7 @@ diff -b -B --ignore-all-space --exclude-
cups_stream_connect(hplip_t)
-@@ -500,6 +573,13 @@
+@@ -500,6 +574,13 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
@@ -12086,7 +12098,7 @@ diff -b -B --ignore-all-space --exclude-
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -529,7 +609,8 @@
+@@ -529,7 +610,8 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@@ -12096,7 +12108,7 @@ diff -b -B --ignore-all-space --exclude-
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
-@@ -553,7 +634,9 @@
+@@ -553,7 +635,9 @@
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
@@ -12107,7 +12119,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
dbus_system_bus_client(hplip_t)
-@@ -635,3 +718,49 @@
+@@ -635,3 +719,49 @@
optional_policy(`
udev_read_db(ptal_t)
')
@@ -13663,7 +13675,7 @@ diff -b -B --ignore-all-space --exclude-
/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.12/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if 2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/fail2ban.if 2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/fail2ban.if 2009-05-18 08:59:04.000000000 -0400
@@ -20,6 +20,25 @@
########################################
@@ -13690,6 +13702,15 @@ diff -b -B --ignore-all-space --exclude-
## Allow the specified domain to read fail2ban's log files.
## </summary>
## <param name="domain">
+@@ -105,7 +124,7 @@
+ allow $1 fail2ban_t:process { ptrace signal_perms };
+ ps_process_pattern($1, fail2ban_t)
+
+- init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
++ init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 fail2ban_initrc_exec_t system_r;
+ allow $2 system_r;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.6.12/policy/modules/services/fail2ban.te
--- nsaserefpolicy/policy/modules/services/fail2ban.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/fail2ban.te 2009-05-12 15:30:13.000000000 -0400
@@ -14417,7 +14438,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.12/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-05-18 13:42:49.000000000 -0400
@@ -49,6 +49,15 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -14434,8 +14455,11 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# Local policy
-@@ -143,11 +152,16 @@
+@@ -141,13 +150,19 @@
+ # hal is now execing pm-suspend
+ files_create_boot_flag(hald_t)
files_getattr_all_dirs(hald_t)
++files_getattr_all_files(hald_t)
files_read_kernel_img(hald_t)
files_rw_lock_dirs(hald_t)
+files_read_generic_pids(hald_t)
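Review bot: `files_getattr_all_files(hald_t)` is a broad grant (stat on every file type on the system) and arrives without the kind of rationale the hunk otherwise gives (`# hal is now execing pm-suspend`). A short comment such as `# hal stats files under /proc/sys and /sys when probing — TODO confirm which types actually trigger the denial` would record why the narrower `files_getattr_all_dirs` above was not sufficient. The hald_t local policy block continues outside the hunk.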
@@ -14451,7 +14475,7 @@ diff -b -B --ignore-all-space --exclude-
files_getattr_all_mountpoints(hald_t)
mls_file_read_all_levels(hald_t)
-@@ -195,6 +209,7 @@
+@@ -195,6 +210,7 @@
seutil_read_file_contexts(hald_t)
sysnet_read_config(hald_t)
@@ -14459,7 +14483,7 @@ diff -b -B --ignore-all-space --exclude-
userdom_dontaudit_use_unpriv_user_fds(hald_t)
userdom_dontaudit_search_user_home_dirs(hald_t)
-@@ -277,6 +292,17 @@
+@@ -277,6 +293,17 @@
')
optional_policy(`
@@ -14477,7 +14501,7 @@ diff -b -B --ignore-all-space --exclude-
rpc_search_nfs_state_data(hald_t)
')
-@@ -298,7 +324,11 @@
+@@ -298,7 +325,11 @@
')
optional_policy(`
@@ -14490,7 +14514,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -306,7 +336,7 @@
+@@ -306,7 +337,7 @@
# Hal acl local policy
#
@@ -14499,7 +14523,7 @@ diff -b -B --ignore-all-space --exclude-
allow hald_acl_t self:process { getattr signal };
allow hald_acl_t self:fifo_file rw_fifo_file_perms;
-@@ -321,6 +351,7 @@
+@@ -321,6 +352,7 @@
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -14507,7 +14531,7 @@ diff -b -B --ignore-all-space --exclude-
corecmd_exec_bin(hald_acl_t)
-@@ -339,6 +370,8 @@
+@@ -339,6 +371,8 @@
storage_getattr_removable_dev(hald_acl_t)
storage_setattr_removable_dev(hald_acl_t)
@@ -14516,7 +14540,7 @@ diff -b -B --ignore-all-space --exclude-
auth_use_nsswitch(hald_acl_t)
-@@ -346,12 +379,18 @@
+@@ -346,12 +380,18 @@
miscfiles_read_localization(hald_acl_t)
@@ -14536,7 +14560,7 @@ diff -b -B --ignore-all-space --exclude-
domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
allow hald_t hald_mac_t:process signal;
-@@ -374,6 +413,8 @@
+@@ -374,6 +414,8 @@
auth_use_nsswitch(hald_mac_t)
@@ -14545,7 +14569,7 @@ diff -b -B --ignore-all-space --exclude-
miscfiles_read_localization(hald_mac_t)
########################################
-@@ -415,6 +456,55 @@
+@@ -415,6 +457,55 @@
dev_rw_input_dev(hald_keymap_t)
@@ -14920,8 +14944,15 @@ diff -b -B --ignore-all-space --exclude-
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.6.12/policy/modules/services/kerberos.fc
--- nsaserefpolicy/policy/modules/services/kerberos.fc 2009-03-23 13:47:11.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/kerberos.fc 2009-05-14 13:29:16.000000000 -0400
-@@ -6,13 +6,14 @@
++++ serefpolicy-3.6.12/policy/modules/services/kerberos.fc 2009-05-18 13:00:35.000000000 -0400
+@@ -1,3 +1,6 @@
++HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
++/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
++
+ /etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0)
+ /etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0)
+
+@@ -6,13 +9,14 @@
/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
/etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
@@ -14937,7 +14968,7 @@ diff -b -B --ignore-all-space --exclude-
/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-@@ -21,7 +22,7 @@
+@@ -21,7 +25,7 @@
/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
@@ -14946,9 +14977,20 @@ diff -b -B --ignore-all-space --exclude-
/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.12/policy/modules/services/kerberos.if
+--- nsaserefpolicy/policy/modules/services/kerberos.if 2009-01-19 11:07:34.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/services/kerberos.if 2009-05-18 13:00:14.000000000 -0400
+@@ -128,6 +128,7 @@
+
+ files_search_etc($1)
+ allow $1 krb5_conf_t:file read_file_perms;
++ allow $1 krb5_home_t:file read_file_perms;
+ ')
+
+ ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.12/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2009-03-23 13:47:11.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/kerberos.te 2009-05-14 13:28:31.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/kerberos.te 2009-05-18 12:59:46.000000000 -0400
@@ -33,6 +33,7 @@
type kpropd_t;
type kpropd_exec_t;
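Review bot: `allow $1 krb5_home_t:file read_file_perms;` grants read on the newly labelled `~/.k5login` and `/root/.k5login`, but the interface adds no search permission on the user home directory, so a caller without its own `userdom_search_user_home_dirs($1)` still cannot reach the file; compare `rlogin_read_config` elsewhere in this commit, which pairs the read rules with `userdom_search_user_home_dirs($1)`. The enclosing interface (apparently `kerberos_use`, given the adjacent `krb5_conf_t` rule) begins outside the hunk, and its `gen_require` block, which must now list `krb5_home_t`, is not visible here — please confirm it was updated. Since `.k5login` is the per-user list of principals permitted to log in, keeping it on its own type and read-only for login programs is the right direction.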
@@ -14957,7 +14999,17 @@ diff -b -B --ignore-all-space --exclude-
type krb5_conf_t;
files_type(krb5_conf_t)
-@@ -281,6 +282,7 @@
+@@ -69,6 +70,9 @@
+ type krb5kdc_var_run_t;
+ files_pid_file(krb5kdc_var_run_t)
+
++type krb5_home_t;
++userdom_user_home_content(krb5_home_t)
++
+ ########################################
+ #
+ # kadmind local policy
+@@ -281,6 +285,7 @@
allow kpropd_t krb5_keytab_t:file read_file_perms;
@@ -17602,8 +17654,8 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.6.12/policy/modules/services/pads.if
--- nsaserefpolicy/policy/modules/services/pads.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/pads.if 2009-05-12 15:30:13.000000000 -0400
-@@ -0,0 +1,10 @@
++++ serefpolicy-3.6.12/policy/modules/services/pads.if 2009-05-18 08:59:32.000000000 -0400
+@@ -0,0 +1,44 @@
+## <summary>SELinux policy for PADS daemon.</summary>
+## <desc>
+## <p>
@@ -17614,6 +17666,40 @@ diff -b -B --ignore-all-space --exclude-
+## </p>
+## </desc>
+
++########################################
++## <summary>
++## All of the rules required to administrate
++## an pads environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the pads domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`pads_admin', `
++ gen_require(`
++ type pads_t, pads_config_t;
++ type pads_var_run_t, pads_initrc_exec_t;
++ ')
++
++ allow $1 pads_t:process { ptrace signal_perms };
++ ps_process_pattern($1, pads_t)
++
++ init_labeled_script_domtrans($1, pads_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 pads_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ admin_pattern($1, pads_var_run_t)
++ admin_pattern($1, pads_config_t)
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.6.12/policy/modules/services/pads.te
--- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/pads.te 2009-05-12 15:30:13.000000000 -0400
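Review bot: The generated-doc summary `All of the rules required to administrate an pads environment` has an article error and should read `a pads environment`, and it ends up verbatim in the published interface reference. The body of `pads_admin` otherwise follows the standard `*_admin` shape (process signal/ptrace, init script transition, `admin_pattern` on the config and pid types). Nothing in the visible hunks wires `pads_admin` into any role, so whether it is reachable cannot be judged from here.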
@@ -20863,6 +20949,90 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
ccs_stream_connect(ricci_modstorage_t)
ccs_read_config(ricci_modstorage_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.fc serefpolicy-3.6.12/policy/modules/services/rlogin.fc
+--- nsaserefpolicy/policy/modules/services/rlogin.fc 2008-08-07 11:15:11.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/rlogin.fc 2009-05-18 12:57:27.000000000 -0400
+@@ -4,3 +4,5 @@
+ /usr/lib(64)?/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+
+ /usr/sbin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
++
++HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.if serefpolicy-3.6.12/policy/modules/services/rlogin.if
+--- nsaserefpolicy/policy/modules/services/rlogin.if 2008-08-07 11:15:11.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/rlogin.if 2009-05-18 12:51:14.000000000 -0400
+@@ -18,3 +18,49 @@
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rlogind_exec_t, rlogind_t)
+ ')
++
++########################################
++## <summary>
++## Execute rlogind in the rlogin domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`rlogin_domtrans',`
++ gen_require(`
++ type rlogind_t, rlogind_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, rlogind_exec_t, rlogind_t)
++')
++
++########################################
++## <summary>
++## read rlogin homedir content (.config)
++## </summary>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="user_domain">
++## <summary>
++## The type of the user domain.
++## </summary>
++## </param>
++#
++template(`rlogin_read_config',`
++ gen_require(`
++ type rlogind_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ list_dirs_pattern($1, rlogind_home_t, rlogind_home_t)
++ read_files_pattern($1, rlogind_home_t, rlogind_home_t)
++ read_lnk_files_pattern($1, rlogind_home_t, rlogind_home_t)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.6.12/policy/modules/services/rlogin.te
+--- nsaserefpolicy/policy/modules/services/rlogin.te 2009-03-23 13:47:11.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/rlogin.te 2009-05-18 12:59:52.000000000 -0400
+@@ -20,6 +20,9 @@
+ type rlogind_var_run_t;
+ files_pid_file(rlogind_var_run_t)
+
++type rlogind_home_t;
++userdom_user_home_content(rlogind_home_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -79,6 +82,8 @@
+
+ logging_send_syslog_msg(rlogind_t)
+
++rlogin_read_config(rlogind_t)
++
+ miscfiles_read_localization(rlogind_t)
+
+ seutil_read_config(rlogind_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.6.12/policy/modules/services/rpcbind.te
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/rpcbind.te 2009-05-12 15:30:13.000000000 -0400
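Review bot: The `rlogin_domtrans` interface added at lines 514–521 duplicates the one whose closing lines appear as context just above it (`corecmd_search_bin($1)` / `domtrans_pattern($1, rlogind_exec_t, rlogind_t)` / `')`), so rlogin.if would define the same interface twice; the added copy should be dropped. `rlogin_read_config` documents `userdomain_prefix` and `user_domain` parameters but is a single-argument template that uses `$1` only as a domain, and its summary says `(.config)` while the file context it relies on labels `HOME_DIR/\.rlogin`; the doc block should describe one `domain` parameter and name the file actually labelled. If the file meant here is the per-user trust list `~/.rhosts` that in.rlogind and in.rshd consult, the regex `\.rlogin` will not match it and `rlogind_home_t` would never be applied — worth confirming against what the daemon really reads before shipping the label.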
@@ -20978,7 +21148,7 @@ diff -b -B --ignore-all-space --exclude-
userdom_read_user_tmp_files(gssd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.6.12/policy/modules/services/rshd.te
--- nsaserefpolicy/policy/modules/services/rshd.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/rshd.te 2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/rshd.te 2009-05-18 12:52:41.000000000 -0400
@@ -51,7 +51,7 @@
files_list_home(rshd_t)
@@ -20988,6 +21158,17 @@ diff -b -B --ignore-all-space --exclude-
auth_login_pgm_domain(rshd_t)
auth_write_login_records(rshd_t)
+@@ -84,6 +84,10 @@
+ ')
+
+ optional_policy(`
++ rlogin_read_config(rlogind_t)
++')
++
++optional_policy(`
+ tcpd_wrapped_domain(rshd_t, rshd_exec_t)
+ ')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.12/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2009-03-23 13:47:11.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/rsync.te 2009-05-12 15:30:13.000000000 -0400
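Review bot: `rlogin_read_config(rlogind_t)` is added inside rshd.te, whose local domain is `rshd_t` (see the surrounding `auth_login_pgm_domain(rshd_t)` and `tcpd_wrapped_domain(rshd_t, rshd_exec_t)`); `rlogind_t` is not declared in this module, so the block either fails to build or grants nothing to rshd. It should read `rlogin_read_config(rshd_t)`. rlogin.te already calls `rlogin_read_config(rlogind_t)` for its own domain elsewhere in this commit, so the copy here is a paste slip rather than an intended cross-module grant.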
@@ -22799,6 +22980,17 @@ diff -b -B --ignore-all-space --exclude-
dev_list_sysfs(snmpd_t)
dev_read_sysfs(snmpd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.if serefpolicy-3.6.12/policy/modules/services/snort.if
+--- nsaserefpolicy/policy/modules/services/snort.if 2008-10-10 15:53:03.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/snort.if 2009-05-18 08:57:28.000000000 -0400
+@@ -38,6 +38,7 @@
+ interface(`snort_admin',`
+ gen_require(`
+ type snort_t, snort_var_run_t, snort_log_t;
++ type snort_etc_t;
+ type snort_initrc_exec_t;
+ ')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.12/policy/modules/services/snort.te
--- nsaserefpolicy/policy/modules/services/snort.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/snort.te 2009-05-12 15:30:13.000000000 -0400
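Review bot: `type snort_etc_t;` is added to the `gen_require` of `snort_admin`, but no rule that uses it (for example an `admin_pattern($1, snort_etc_t)`) is visible in the hunk. The remainder of the interface lies outside the hunk, so either the matching rule is there or the require is dead; please confirm, since an unused require is harmless to the build but misleading to readers.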
@@ -23318,7 +23510,7 @@ diff -b -B --ignore-all-space --exclude-
-') dnl end TODO
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.12/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc 2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/ssh.fc 2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/ssh.fc 2009-05-16 08:22:41.000000000 -0400
@@ -14,3 +14,5 @@
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
@@ -23327,7 +23519,7 @@ diff -b -B --ignore-all-space --exclude-
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-05-14 14:05:37.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-05-18 12:55:03.000000000 -0400
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -23466,7 +23658,7 @@ diff -b -B --ignore-all-space --exclude-
fs_dontaudit_getattr_all_fs($1_t)
-@@ -245,6 +243,8 @@
+@@ -245,18 +243,23 @@
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
@@ -23475,8 +23667,10 @@ diff -b -B --ignore-all-space --exclude-
logging_search_logs($1_t)
-@@ -254,9 +254,14 @@
+ miscfiles_read_localization($1_t)
+- sysnet_read_config($1_t)
+-
userdom_dontaudit_relabelfrom_user_ptys($1_t)
userdom_search_user_home_dirs($1_t)
+ userdom_read_user_home_content_files($1_t)
@@ -23490,20 +23684,25 @@ diff -b -B --ignore-all-space --exclude-
')
tunable_policy(`use_samba_home_dirs',`
-@@ -265,11 +270,7 @@
+@@ -265,15 +268,11 @@
optional_policy(`
kerberos_use($1_t)
++ kerberos_manage_host_rcache($1_t)
+ ')
+
+ optional_policy(`
+- # Allow checking users mail at login
+- mta_getattr_spool($1_t)
- ')
-
- optional_policy(`
-- # Allow checking users mail at login
-- mta_getattr_spool($1_t)
-+ kerberos_manage_host_rcache($1_t)
+- nscd_socket_use($1_t)
++ rlogin_read_config($1_t)
')
optional_policy(`
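Review bot: `nscd_socket_use($1_t)` is dropped from the ssh server template with no replacement visible in the hunk; if the intent is that `auth_use_nsswitch` or `auth_login_pgm_domain` now supplies nscd access for these domains, a one-line comment or a changelog entry would stop the next reader from re-adding it after an AVC denial. The same unexplained removal appears for `sysnet_read_config($1_t)` in the preceding ssh.if hunk and for `nscd_socket_use(ssh_keygen_t)` in the ssh.te hunk, and `ssh_keygen_t` is not visibly given any nsswitch access in exchange. The new `rlogin_read_config($1_t)` is correctly placed inside its own `optional_policy` since rlogin is a separate module. The ssh server template continues on both sides of this hunk.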
-@@ -345,6 +346,7 @@
+@@ -345,6 +344,7 @@
allow ssh_t $3:unix_stream_socket connectto;
# user can manage the keys and config
@@ -23511,7 +23710,7 @@ diff -b -B --ignore-all-space --exclude-
manage_files_pattern($3, home_ssh_t, home_ssh_t)
manage_lnk_files_pattern($3, home_ssh_t, home_ssh_t)
manage_sock_files_pattern($3, home_ssh_t, home_ssh_t)
-@@ -454,6 +456,24 @@
+@@ -454,6 +454,24 @@
########################################
## <summary>
@@ -23536,7 +23735,7 @@ diff -b -B --ignore-all-space --exclude-
## Read a ssh server unnamed pipe.
## </summary>
## <param name="domain">
-@@ -469,6 +489,23 @@
+@@ -469,6 +487,23 @@
allow $1 sshd_t:fifo_file { getattr read };
')
@@ -23560,7 +23759,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
## <summary>
-@@ -611,3 +648,42 @@
+@@ -611,3 +646,42 @@
dontaudit $1 sshd_key_t:file { getattr read };
')
@@ -23605,7 +23804,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.12/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/ssh.te 2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/ssh.te 2009-05-18 12:53:20.000000000 -0400
@@ -41,6 +41,9 @@
files_tmp_file(sshd_tmp_t)
files_poly_parent(sshd_tmp_t)
@@ -23764,7 +23963,7 @@ diff -b -B --ignore-all-space --exclude-
unconfined_shell_domtrans(sshd_t)
')
-@@ -408,6 +424,8 @@
+@@ -408,15 +424,13 @@
init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t)
@@ -23773,6 +23972,15 @@ diff -b -B --ignore-all-space --exclude-
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
+
+ optional_policy(`
+- nscd_socket_use(ssh_keygen_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(ssh_keygen_t)
+ ')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.12/policy/modules/services/sssd.fc
--- nsaserefpolicy/policy/modules/services/sssd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/sssd.fc 2009-05-12 15:30:13.000000000 -0400
@@ -24384,6 +24592,377 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.fc serefpolicy-3.6.12/policy/modules/services/varnishd.fc
+--- nsaserefpolicy/policy/modules/services/varnishd.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/services/varnishd.fc 2009-05-18 08:21:37.000000000 -0400
+@@ -0,0 +1,20 @@
++
++/etc/rc\.d/init\.d/varnish -- gen_context(system_u:object_r:varnishd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/varnishlog -- gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/varnishncsa -- gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0)
++
++/etc/varnish(/.*)? gen_context(system_u:object_r:varnishd_etc_t,s0)
++
++/usr/bin/varnishlog -- gen_context(system_u:object_r:varnishlog_exec_t,s0)
++/usr/bin/varnisncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0)
++
++/usr/sbin/varnishd -- gen_context(system_u:object_r:varnishd_exec_t,s0)
++
++/var/lib/varnish(/.*)? gen_context(system_u:object_r:varnishd_var_lib_t,s0)
++
++/var/log/varnish(/.*)? gen_context(system_u:object_r:varnishlog_log_t,s0)
++
++/var/run/varnish\.pid -- gen_context(system_u:object_r:varnishd_var_run_t,s0)
++/var/run/varnishlog\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0)
++/var/run/varnishncsa\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0)
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.6.12/policy/modules/services/varnishd.if
+--- nsaserefpolicy/policy/modules/services/varnishd.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/services/varnishd.if 2009-05-18 08:21:37.000000000 -0400
+@@ -0,0 +1,202 @@
++## <summary>Varnishd http accelerator daemon</summary>
++
++#######################################
++## <summary>
++## Execute varnishd in the varnishd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`varnishd_domtrans',`
++ gen_require(`
++ type varnishd_t, varnishd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, varnishd_exec_t, varnishd_t)
++')
++
++#######################################
++## <summary>
++## Execute varnishd
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`varnishd_exec',`
++ gen_require(`
++ type varnishd_exec_t;
++ ')
++
++ can_exec($1, varnishd_exec_t)
++')
++
++######################################
++## <summary>
++## Read varnishd configuration file.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`varnishd_read_config',`
++ gen_require(`
++ type varnishd_etc_t;
++ ')
++
++ files_search_etc($1)
++ read_files_pattern($1, varnishd_etc_t, varnishd_etc_t)
++')
++
++#######################################
++## <summary>
++## Read varnish logs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`varnish_read_log',`
++ gen_require(`
++ type varnishlog_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
++')
++
++######################################
++## <summary>
++## Append varnish logs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`varnishlog_append_log',`
++ gen_require(`
++ type varnishlog_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
++')
++
++#####################################
++## <summary>
++## Manage varnish logs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`varnishlog_manage_log',`
++ gen_require(`
++ type varnishlog_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
++')
++
++#######################################
++## <summary>
++## All of the rules required to administrate
++## an varnishd environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the varnishd domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`varnishd_admin',`
++ gen_require(`
++ type varnishd_t, varnishd_var_lib_t, varnishd_etc_t;
++ type varnishd_var_run_t, varnishd_tmp_t;
++ type varnishd_initrc_exec_t;
++ ')
++
++ allow $1 varnishd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, varnishd_t)
++
++ init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 varnishd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_var_lib($1)
++ admin_pattern($1, varnishd_var_lib_t)
++
++ files_search_etc($1)
++ admin_pattern($1, varnishd_etc_t)
++
++ files_search_pids($1)
++ admin_pattern($1, varnishd_var_run_t)
++
++ files_search_tmp($1)
++ admin_pattern($1, varnishd_tmp_t)
++
++')
++
++######################################
++## <summary>
++## All of the rules required to administrate
++## an varnishlog environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the varnishlog domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`varnishlog_admin',`
++ gen_require(`
++ type varnishlog_t;
++ type varnishlog_var_run_t, varnishlog_log_t;
++ type varnishlog_initrc_exec_t;
++ ')
++
++ allow $1 varnishlog_t:process { ptrace signal_perms };
++ ps_process_pattern($1, varnishlog_t)
++
++ init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 varnishlog_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_pids($1)
++ admin_pattern($1, varnishlog_var_run_t)
++
++ logging_list_logs($1)
++ admin_pattern($1, varnishlog_log_t)
++
++')
++
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.te serefpolicy-3.6.12/policy/modules/services/varnishd.te
+--- nsaserefpolicy/policy/modules/services/varnishd.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/services/varnishd.te 2009-05-18 08:21:37.000000000 -0400
+@@ -0,0 +1,137 @@
++policy_module(varnishd,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++## <desc>
++## <p>
++## Allow varnishd to connect to all ports,
++## not just HTTP.
++## </p>
++## </desc>
++gen_tunable(varnishd_connect_any, false)
++
++
++type varnishd_t;
++type varnishd_exec_t;
++init_daemon_domain(varnishd_t, varnishd_exec_t)
++
++type varnishd_initrc_exec_t;
++init_script_file(varnishd_initrc_exec_t)
++
++# etc files
++type varnishd_etc_t;
++files_type(varnishd_etc_t)
++
++# tmp files
++type varnishd_tmp_t;
++files_tmp_file(varnishd_tmp_t)
++
++# var/lib files
++type varnishd_var_lib_t;
++files_type(varnishd_var_lib_t)
++
++# pid files
++type varnishd_var_run_t;
++files_pid_file(varnishd_var_run_t)
++
++
++type varnishlog_t;
++type varnishlog_exec_t;
++init_daemon_domain(varnishlog_t, varnishlog_exec_t)
++
++type varnishlog_initrc_exec_t;
++init_script_file(varnishlog_initrc_exec_t)
++
++# pid files
++type varnishlog_var_run_t;
++files_pid_file(varnishlog_var_run_t)
++
++# log files
++type varnishlog_log_t;
++files_type(varnishlog_log_t)
++
++########################################
++#
++# varnishd local policy
++#
++
++allow varnishd_t self:capability { dac_override ipc_lock setuid setgid };
++allow varnishd_t self:process signal;
++allow varnishd_t self:fifo_file rw_fifo_file_perms;
++allow varnishd_t self:tcp_socket create_stream_socket_perms;
++allow varnishd_t self:udp_socket create_socket_perms;
++
++# etc file
++read_files_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t)
++list_dirs_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t)
++
++# var/lib files for varnishd
++exec_files_pattern(varnishd_t,varnishd_var_lib_t,varnishd_var_lib_t)
++manage_dirs_pattern(varnishd_t,varnishd_var_lib_t,varnishd_var_lib_t)
++manage_files_pattern(varnishd_t,varnishd_var_lib_t,varnishd_var_lib_t)
++files_var_lib_filetrans(varnishd_t,varnishd_var_lib_t, { dir file })
++
++# tmp files for varnishd
++manage_dirs_pattern(varnishd_t,varnishd_tmp_t,varnishd_tmp_t)
++manage_files_pattern(varnishd_t,varnishd_tmp_t,varnishd_tmp_t)
++files_tmp_filetrans(varnishd_t, varnishd_tmp_t, { file dir })
++
++# pid files
++manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t)
++files_pid_filetrans(varnishd_t,varnishd_var_run_t,{ file })
++
++kernel_read_system_state(varnishd_t)
++
++corenet_tcp_bind_all_nodes(varnishd_t)
++corenet_tcp_bind_http_port(varnishd_t)
++corenet_tcp_bind_http_cache_port(varnishd_t)
++corenet_tcp_bind_varnishd_port(varnishd_t)
++corenet_tcp_connect_http_cache_port(varnishd_t)
++corenet_tcp_connect_http_port(varnishd_t)
++
++sysnet_read_config(varnishd_t)
++
++auth_use_nsswitch(varnishd_t)
++
++corecmd_exec_bin(varnishd_t)
++corecmd_exec_shell(varnishd_t)
++
++dev_read_urand(varnishd_t)
++
++fs_getattr_all_fs(varnishd_t)
++
++libs_use_ld_so(varnishd_t)
++libs_use_shared_libs(varnishd_t)
++
++logging_send_syslog_msg(varnishd_t)
++
++miscfiles_read_localization(varnishd_t)
++
++tunable_policy(`varnishd_connect_any',`
++ corenet_tcp_connect_all_ports(varnishd_t)
++ corenet_tcp_bind_all_ports(varnishd_t)
++')
++
++permissive varnishd_t;
++
++#######################################
++#
++# varnishlog local policy
++#
++
++# pid files
++manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t)
++files_pid_filetrans(varnishlog_t,varnishlog_var_run_t,{ file })
++
++# log files
++manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
++manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
++logging_log_filetrans(varnishlog_t, varnishlog_log_t, { file dir })
++
++files_search_var_lib(varnishlog_t)
++read_files_pattern(varnishlog_t, varnishd_var_lib_t, varnishd_var_lib_t)
++
++permissive varnishlog_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.12/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/virt.fc 2009-05-12 15:30:13.000000000 -0400
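Review bot: The file context `/usr/bin/varnisncsa` in varnishd.fc is misspelled — the init script and pid file entries in the same file spell it `varnishncsa` — so the binary presumably keeps the generic bin label and runs in the init script's domain instead of varnishlog_t; it should read `/usr/bin/varnishncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0)`. In varnishd.te the `varnishd_connect_any` tunable also grants `corenet_tcp_bind_all_ports(varnishd_t)`, which its `<desc>` ("connect to all ports") does not mention; either drop the bind rule or document it, e.g. `## Allow varnishd to connect to and bind to all ports, not just HTTP.` The interface `varnish_read_log` breaks the module's naming convention used by `varnishlog_append_log` and `varnishlog_manage_log`; `varnishlog_read_log` would match. varnishlog_t gets neither `libs_use_ld_so` nor `libs_use_shared_libs` nor `miscfiles_read_localization`, all of which varnishd_t needs explicitly here, so the same denials are likely for varnishlog_t — worth confirming from the audit log. Both domains are declared `permissive`, so none of these rules are enforced yet; a comment next to each `permissive` line recording that it is to be removed once the policy is confirmed would help whoever flips them to enforcing.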
@@ -28105,7 +28684,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.12/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/logging.if 2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/logging.if 2009-05-18 09:09:12.000000000 -0400
@@ -623,7 +623,7 @@
')
@@ -28458,6 +29037,35 @@ diff -b -B --ignore-all-space --exclude-
+ xen_append_log(lvm_t)
+ xen_dontaudit_rw_unix_stream_sockets(lvm_t)
+')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.12/policy/modules/system/miscfiles.if
+--- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-03-20 12:39:40.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/miscfiles.if 2009-05-18 14:39:11.000000000 -0400
+@@ -87,6 +87,25 @@
+
+ ########################################
+ ## <summary>
++## Allow domaint ot setattr on fonts dir
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`miscfiles_setattr_fonts',`
++ gen_require(`
++ type fonts_t;
++ ')
++
++ allow $1 fonts_t:dir setattr;
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to write fonts.
+ ## </summary>
+ ## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.12/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/system/modutils.te 2009-05-12 15:30:13.000000000 -0400
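Review bot: The new `miscfiles_setattr_fonts` interface in miscfiles.if carries a `<rolecap/>` tag although it takes no role parameter and grants only `allow $1 fonts_t:dir setattr;`; elsewhere in this patch that tag marks admin interfaces with a role argument, so the line should be dropped here. The summary also has a typo: `## Allow domaint ot setattr on fonts dir` should be `## Allow domain to setattr on the fonts directory.` The enclosing hunk's trailing context (the modutils.te diff header) is unrelated to this interface.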
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.854
retrieving revision 1.855
diff -u -p -r1.854 -r1.855
--- selinux-policy.spec 14 May 2009 18:53:40 -0000 1.854
+++ selinux-policy.spec 18 May 2009 18:41:02 -0000 1.855
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 37%{?dist}
+Release: 38%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -473,6 +473,9 @@ exit 0
%endif
%changelog
+* Mon May 18 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-38
+- Add varnishd policy
+
* Thu May 14 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-37
- Fixes for kpropd