[selinux-policy/f13/master] - Allow ncftool to run brctl - Fixes for ricci-modclusterd policy - Allow uucpd to execute ssh clien
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Aug 4 13:53:36 UTC 2010
commit aa1986475a6ed522a71f35cd8aa70d75fc2a6ddd
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Aug 4 15:51:43 2010 +0200
- Allow ncftool to run brctl
- Fixes for ricci-modclusterd policy
- Allow uucpd to execute ssh client
- Add label for dayplanner
- Allow sandbox_xserver execstack
policy-F13.patch | 497 ++++++++++++++++++++++++++++++++++++++++-----------
selinux-policy.spec | 9 +-
2 files changed, 397 insertions(+), 109 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 7c7f67b..8411ffc 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -356,6 +356,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.if serefpolicy-3.7.19/policy/modules/admin/brctl.if
+--- nsaserefpolicy/policy/modules/admin/brctl.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/brctl.if 2010-08-04 14:41:54.102084891 +0200
+@@ -17,3 +17,23 @@
+
+ domtrans_pattern($1, brctl_exec_t, brctl_t)
+ ')
++
++######################################
++## <summary>
++## Execute brctl in the brctl domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`brctl_run',`
++ gen_require(`
++ type brctl_t, brctl_exec_t;
++ ')
++
++ brctl_domtrans($1)
++ role $2 types brctl_t;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.19/policy/modules/admin/certwatch.te
--- nsaserefpolicy/policy/modules/admin/certwatch.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/admin/certwatch.te 2010-07-19 15:48:02.471151653 +0200
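Review bot: `brctl_run` at L42-L49 takes a role as `$2` (`role $2 types brctl_t;`) but the header only documents `<param name="domain">`; the role parameter needs its own block, e.g. `## <param name="role">` / `## <summary>Role allowed access.</summary>` / `## </param>`. The `gen_require` also lists `brctl_exec_t`, which the body never references directly (`brctl_domtrans` requires it itself), so `type brctl_t;` is sufficient. The summary could also follow the wording of other `*_run` interfaces: `## Execute brctl in the brctl domain, and allow the specified role the brctl domain.`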
@@ -682,8 +709,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.if serefpolicy-3.7.19/policy/modules/admin/ncftool.if
--- nsaserefpolicy/policy/modules/admin/ncftool.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/admin/ncftool.if 2010-06-15 18:40:03.049767991 +0200
-@@ -0,0 +1,74 @@
++++ serefpolicy-3.7.19/policy/modules/admin/ncftool.if 2010-08-04 14:43:25.607335716 +0200
+@@ -0,0 +1,78 @@
+
+## <summary>policy for ncftool</summary>
+
@@ -728,6 +755,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+
+ ncftool_domtrans($1)
+ role $2 types ncftool_t;
++
++ optional_policy(`
++ brctl_run(ncftool_t, $2)
++ ')
+')
+
+########################################
@@ -760,8 +791,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.7.19/policy/modules/admin/ncftool.te
--- nsaserefpolicy/policy/modules/admin/ncftool.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/admin/ncftool.te 2010-06-16 22:19:10.097109891 +0200
-@@ -0,0 +1,79 @@
++++ serefpolicy-3.7.19/policy/modules/admin/ncftool.te 2010-08-04 14:43:51.328085349 +0200
+@@ -0,0 +1,81 @@
+
+policy_module(ncftool,1.0.0)
+
@@ -830,6 +861,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+sysnet_read_dhcpc_state(ncftool_t)
+sysnet_relabelfrom_net_conf(ncftool_t)
+sysnet_relabelto_net_conf(ncftool_t)
++sysnet_read_dhcpc_pid(ncftool_t)
++sysnet_signal_dhcpc(ncftool_t)
+
+userdom_read_user_tmp_files(ncftool_t)
+
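Review bot: `sysnet_signal_dhcpc(ncftool_t)` at L92 is a new cross-domain grant (ncftool_t may now signal the DHCP client) that the commit message does not mention; the message lists only the brctl change for ncftool. The same applies to `kernel_request_load_module(ricci_modclusterd_t)` at L610 and `dev_rw_crypto(sshd_t)` at L689. A one-line comment above L91, such as `# ncftool needs to read dhclient's pid and signal it on interface changes — TODO confirm the trigger`, would record why the grant exists so it can be revisited later.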
@@ -6786,7 +6819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-07-09 09:45:47.464135449 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-08-04 15:18:13.603335743 +0200
@@ -0,0 +1,391 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
@@ -6823,7 +6856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+#
+# sandbox xserver policy
+#
-+allow sandbox_xserver_t self:process execmem;
++allow sandbox_xserver_t self:process { execmem execstack };
+allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
+allow sandbox_xserver_t self:shm create_shm_perms;
+allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
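Review bot: `execstack` for sandbox_xserver_t at L110 turns off the non-executable-stack mitigation for the sandboxed X server, and the hunk gives no reason; refpolicy normally records why such a grant is needed so it can be removed once the underlying component is fixed. Add a comment above L110, e.g. `# execstack: required by <component> inside the sandbox X server — TODO cite the bug`, or put the rule behind a boolean if only some setups need it. The domain's remaining rules at L111-L113 are unchanged.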
@@ -8245,7 +8278,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-07-14 11:26:33.298158993 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-08-04 15:16:45.690085499 +0200
@@ -9,8 +9,10 @@
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -8300,9 +8333,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
-@@ -217,10 +230,15 @@
+@@ -216,11 +229,17 @@
+
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/dayplanner/dayplanner -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -8316,7 +8351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -240,6 +258,7 @@
+@@ -240,6 +259,7 @@
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -8324,7 +8359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -297,6 +316,7 @@
+@@ -297,6 +317,7 @@
/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -8332,7 +8367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
-@@ -331,3 +351,21 @@
+@@ -331,3 +352,21 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -9381,7 +9416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.19/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-07-09 09:46:06.705385324 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-08-04 14:39:59.845084944 +0200
@@ -1053,10 +1053,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -9920,12 +9955,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## dontaudit write of /usr files
## </summary>
## <param name="domain">
-@@ -5032,6 +5404,25 @@
+@@ -5032,6 +5404,43 @@
search_dirs_pattern($1, var_t, var_run_t)
')
+#######################################
+## <summary>
++## Add and remove entries from pid directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_rw_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ allow $1 var_run_t:dir rw_dir_perms;
++')
++
++#######################################
++## <summary>
+## Create generic pid directory.
+## </summary>
+## <param name="domain">
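Review bot: `files_rw_pid_dirs` at L188-L194 grants `rw_dir_perms` on the generic `var_run_t` directory, so a caller can create and remove entries in /var/run without a type transition, and anything it creates there stays labelled `var_run_t`, shared with every domain that has generic pid access. The summary should say so and point callers at `files_pid_filetrans`, documented just below at L210 as 'Create an object in the process ID directory, with a private type', e.g. `## Add and remove entries from pid directories. Callers should also use files_pid_filetrans() so created objects get a private type.` Nothing in this diff calls the new interface, so its intended user cannot be checked here.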
@@ -9946,7 +9999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
## <summary>
## Do not audit attempts to search
-@@ -5091,6 +5482,24 @@
+@@ -5091,6 +5500,24 @@
########################################
## <summary>
@@ -9971,7 +10024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Create an object in the process ID directory, with a private type.
## </summary>
## <desc>
-@@ -5238,6 +5647,7 @@
+@@ -5238,6 +5665,7 @@
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -9979,7 +10032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -5306,6 +5716,24 @@
+@@ -5306,6 +5734,24 @@
########################################
## <summary>
@@ -10004,7 +10057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Search the contents of generic spool
## directories (/var/spool).
## </summary>
-@@ -5494,12 +5922,15 @@
+@@ -5494,12 +5940,15 @@
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -10021,7 +10074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
')
-@@ -5520,3 +5951,229 @@
+@@ -5520,3 +5969,229 @@
typeattribute $1 files_unconfined_type;
')
@@ -11197,7 +11250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.19/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/terminal.if 2010-05-28 09:42:00.042610995 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/terminal.if 2010-08-04 15:34:29.688085386 +0200
@@ -292,9 +292,11 @@
interface(`term_dontaudit_use_console',`
gen_require(`
@@ -11255,7 +11308,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
')
########################################
-@@ -1333,7 +1354,7 @@
+@@ -1233,10 +1254,12 @@
+ interface(`term_dontaudit_getattr_all_ttys',`
+ gen_require(`
+ attribute ttynode;
++ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ dontaudit $1 ttynode:chr_file getattr;
++ dontaudit $1 tty_device_t:chr_file getattr;
+ ')
+
+ ########################################
+@@ -1333,7 +1356,7 @@
attribute ttynode;
')
@@ -13484,7 +13550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
admin_pattern($1, abrt_var_cache_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.19/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-07-21 09:31:43.073135212 +0200
++++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-08-04 15:15:53.954335601 +0200
@@ -1,11 +1,19 @@
-policy_module(abrt, 1.0.1)
@@ -13617,7 +13683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
logging_read_generic_logs(abrt_t)
logging_send_syslog_msg(abrt_t)
-@@ -103,22 +152,125 @@
+@@ -103,22 +152,129 @@
miscfiles_read_certs(abrt_t)
miscfiles_read_localization(abrt_t)
@@ -13630,9 +13696,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+tunable_policy(`abrt_anon_write',`
+ miscfiles_manage_public_files(abrt_t)
+')
+
+ optional_policy(`
+- dbus_connect_system_bus(abrt_t)
+- dbus_system_bus_client(abrt_t)
++ afs_rw_udp_sockets(abrt_t)
++')
+
+optional_policy(`
-+ afs_rw_udp_sockets(abrt_t)
++ apache_read_modules(abrt_t)
+')
+
+optional_policy(`
@@ -13654,10 +13726,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+ policykit_read_lib(abrt_t)
+ policykit_read_reload(abrt_t)
+')
-
- optional_policy(`
-- dbus_connect_system_bus(abrt_t)
-- dbus_system_bus_client(abrt_t)
++
++optional_policy(`
+ prelink_exec(abrt_t)
+ libs_exec_ld_so(abrt_t)
+ corecmd_exec_all_executables(abrt_t)
@@ -14281,7 +14351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.19/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-07-09 09:33:54.638134829 +0200
++++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-08-04 15:15:10.969085367 +0200
@@ -13,17 +13,13 @@
#
template(`apache_content_template',`
@@ -14490,15 +14560,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Apache cache.
## </summary>
## <param name="domain">
-@@ -756,6 +789,7 @@
+@@ -756,6 +789,28 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
++')
++
++#######################################
++## <summary>
++## Allow the specified domain to read
++## the apache modules files.
++## directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`apache_read_modules',`
++ gen_require(`
++ type httpd_modules_t;
++ ')
++
++ allow $1 httpd_modules_t:dir list_dir_perms;
++ read_files_pattern($1,httpd_modules_t, httpd_modules_t)
')
########################################
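Review bot: `apache_read_modules` at L345-L352 gives `list_dir_perms` and `read_files_pattern` on `httpd_modules_t` but not `read_lnk_files_pattern`, although the sibling interface directly above just gained `read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)` at L330, presumably because the modules directory holds symlinks; a caller such as `apache_read_modules(abrt_t)` at L296 will still be denied when a module is reached through a symlink. Add `read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)` after L351 and put a space after the first comma in `read_files_pattern($1,httpd_modules_t, httpd_modules_t)`. The summary at L335-L337 also has a stray `## directory.` line left over from the copied header; `## Allow the specified domain to read` / `## the apache modules files.` is the intended text.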
-@@ -814,6 +848,7 @@
+@@ -814,6 +869,7 @@
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -14506,7 +14597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_search_var($1)
')
-@@ -841,6 +876,54 @@
+@@ -841,6 +897,54 @@
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
@@ -14561,7 +14652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
## <summary>
## Execute all web scripts in the system
-@@ -858,6 +941,11 @@
+@@ -858,6 +962,11 @@
gen_require(`
attribute httpdcontent;
type httpd_sys_script_t;
@@ -14573,7 +14664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -945,7 +1033,7 @@
+@@ -945,7 +1054,7 @@
type httpd_squirrelmail_t;
')
@@ -14582,7 +14673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -985,6 +1073,24 @@
+@@ -985,6 +1094,24 @@
allow $1 httpd_sys_content_t:dir search_dir_perms;
')
@@ -14607,7 +14698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
## <summary>
## Read apache system content.
-@@ -1086,6 +1192,25 @@
+@@ -1086,6 +1213,25 @@
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -14633,7 +14724,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
## <summary>
## Dontaudit attempts to write
-@@ -1102,7 +1227,7 @@
+@@ -1102,7 +1248,7 @@
type httpd_tmp_t;
')
@@ -14642,7 +14733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -1172,7 +1297,7 @@
+@@ -1172,7 +1318,7 @@
type httpd_modules_t, httpd_lock_t;
type httpd_var_run_t, httpd_php_tmp_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -14651,7 +14742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
allow $1 httpd_t:process { getattr ptrace signal_perms };
-@@ -1202,12 +1327,62 @@
+@@ -1202,12 +1348,62 @@
kernel_search_proc($1)
allow $1 httpd_t:dir list_dir_perms;
@@ -17595,7 +17686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
role_transition $2 cobblerd_initrc_exec_t system_r;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.19/policy/modules/services/cobbler.te
--- nsaserefpolicy/policy/modules/services/cobbler.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/cobbler.te 2010-07-23 14:04:59.759138567 +0200
++++ serefpolicy-3.7.19/policy/modules/services/cobbler.te 2010-08-04 15:19:21.628084941 +0200
@@ -1,5 +1,5 @@
-policy_module(cobbler, 1.0.0)
@@ -17603,7 +17694,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
########################################
#
-@@ -24,6 +24,9 @@
+@@ -14,6 +14,14 @@
+ ## </desc>
+ gen_tunable(cobbler_anon_write, false)
+
++## <desc>
++## <p>
++## Allow Cobbler to connect to the
++## network using TCP.
++## </p>
++## </desc>
++gen_tunable(cobbler_can_network_connect, false)
++
+ type cobblerd_t;
+ type cobblerd_exec_t;
+ init_daemon_domain(cobblerd_t, cobblerd_exec_t)
+@@ -24,6 +32,9 @@
type cobbler_etc_t;
files_config_file(cobbler_etc_t)
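Review bot: The new boolean's description at L437-L438 says it allows Cobbler 'to connect to the network using TCP', but the hunk at L473-L475 grants `corenet_tcp_connect_http_port(cobblerd_t)` unconditionally, so cobblerd reaches HTTP ports even with `cobbler_can_network_connect` off; only the all-ports grant at L491-L495 is gated by the boolean. Either move the http lines under the `tunable_policy` block or sharpen the description so administrators know what the boolean actually controls, e.g. `## Allow Cobbler to connect to any TCP port` / `## (HTTP ports are always allowed).` The `false` default at L441 is right; it is the description that needs to match the rules.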
@@ -17613,14 +17719,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
type cobbler_var_log_t;
logging_log_file(cobbler_var_log_t)
-@@ -36,12 +39,18 @@
+@@ -36,12 +47,20 @@
#
allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
+dontaudit cobblerd_t self:capability sys_tty_config;
allow cobblerd_t self:process { getsched setsched signal };
allow cobblerd_t self:fifo_file rw_fifo_file_perms;
++allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms;
allow cobblerd_t self:tcp_socket create_stream_socket_perms;
++allow cobblerd_t self:udp_socket create_stream_socket_perms;
+list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
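Review bot: `allow cobblerd_t self:udp_socket create_stream_socket_perms;` at L461 uses the stream permission set (which includes `listen` and `accept`) on a datagram socket; the convention elsewhere in this patch is `create_socket_perms` for udp sockets, as in `allow svirt_t self:udp_socket create_socket_perms;` at L803. Change L461 to `allow cobblerd_t self:udp_socket create_socket_perms;`. The netlink_route_socket rule at L459 is fine as written.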
@@ -17632,7 +17740,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
-@@ -70,7 +79,12 @@
+@@ -65,12 +84,23 @@
+ corenet_tcp_sendrecv_generic_if(cobblerd_t)
+ corenet_tcp_sendrecv_generic_node(cobblerd_t)
+ corenet_tcp_sendrecv_generic_port(cobblerd_t)
++corenet_tcp_connect_http_port(cobblerd_t)
++corenet_tcp_sendrecv_http_port(cobblerd_t)
++corenet_sendrecv_http_client_packets(cobblerd_t)
++
++domain_dontaudit_exec_all_entry_files(cobblerd_t)
++domain_dontaudit_read_all_domains_state(cobblerd_t)
+
+ dev_read_urand(cobblerd_t)
files_read_usr_files(cobblerd_t)
files_list_boot(cobblerd_t)
@@ -17645,7 +17764,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
miscfiles_read_localization(cobblerd_t)
miscfiles_read_public_files(cobblerd_t)
-@@ -84,7 +98,7 @@
+@@ -79,12 +109,18 @@
+ sysnet_rw_dhcp_config(cobblerd_t)
+ sysnet_write_config(cobblerd_t)
+
++tunable_policy(`cobbler_can_network_connect',`
++ corenet_tcp_connect_all_ports(cobblerd_t)
++ corenet_tcp_sendrecv_all_ports(cobblerd_t)
++ corenet_sendrecv_all_client_packets(cobblerd_t)
++')
++
+ tunable_policy(`cobbler_anon_write',`
+ miscfiles_manage_public_files(cobblerd_t)
')
optional_policy(`
@@ -17654,7 +17784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
')
optional_policy(`
-@@ -112,10 +126,21 @@
+@@ -112,10 +148,21 @@
')
optional_policy(`
@@ -17976,8 +18106,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.19/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-07-21 09:37:29.061134765 +0200
-@@ -0,0 +1,139 @@
++++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-08-04 14:57:52.139335328 +0200
+@@ -0,0 +1,140 @@
+
+policy_module(corosync,1.0.0)
+
@@ -18116,6 +18246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+ corenet_tcp_connect_ricci_port(corosync_t)
+
+ ricci_read_lib_files(corosync_t)
++ ricci_rw_modclusterd_tmpfs_files(corosync_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.19/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2010-04-13 20:44:36.000000000 +0200
@@ -29381,7 +29512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.7.19/policy/modules/services/ricci.if
--- nsaserefpolicy/policy/modules/services/ricci.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/ricci.if 2010-07-21 09:56:46.277134919 +0200
++++ serefpolicy-3.7.19/policy/modules/services/ricci.if 2010-08-04 15:00:06.454085086 +0200
@@ -18,6 +18,24 @@
domtrans_pattern($1, ricci_exec_t, ricci_t)
')
@@ -29407,7 +29538,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
########################################
## <summary>
## Execute a domain transition to run ricci_modcluster.
-@@ -165,3 +183,67 @@
+@@ -94,6 +112,25 @@
+ allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
+ ')
+
++#######################################
++## <summary>
++## Read and write to ricci_modclusterd temporary file system.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ricci_rw_modclusterd_tmpfs_files',`
++ gen_require(`
++ type ricci_modclusterd_tmpfs_t;
++ ')
++
++ allow $1 ricci_modclusterd_tmpfs_t:file rw_file_perms;
++ allow $1 ricci_modclusterd_tmpfs_t:file unlink;
++')
++
+ ########################################
+ ## <summary>
+ ## Execute a domain transition to run ricci_modlog.
+@@ -165,3 +202,67 @@
domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
')
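Review bot: `ricci_rw_modclusterd_tmpfs_files` at L555-L562 is named as a read/write interface but also grants `unlink` (L561), so a caller such as `ricci_rw_modclusterd_tmpfs_files(corosync_t)` at L523 can delete modclusterd's tmpfs files without the name saying so; either move the unlink rule into a separate delete interface or state it in the summary, e.g. `## Read, write and delete ricci_modclusterd temporary file system files.` If unlink stays here, note that removing a file also needs `remove_name` on the containing directory, which this interface does not grant, so callers will still be denied unless they obtain that elsewhere. The two rules can also be merged into one: `allow $1 ricci_modclusterd_tmpfs_t:file { rw_file_perms unlink };`.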
@@ -29477,7 +29634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.19/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/ricci.te 2010-05-28 09:42:00.173610620 +0200
++++ serefpolicy-3.7.19/policy/modules/services/ricci.te 2010-08-04 14:57:19.868085260 +0200
@@ -11,6 +11,9 @@
domain_type(ricci_t)
init_daemon_domain(ricci_t, ricci_exec_t)
@@ -29488,22 +29645,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
# tmp files
type ricci_tmp_t;
files_tmp_file(ricci_tmp_t)
-@@ -194,10 +197,13 @@
+@@ -50,6 +53,9 @@
+ domain_type(ricci_modclusterd_t)
+ init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
+
++type ricci_modclusterd_tmpfs_t;
++files_tmpfs_file(ricci_modclusterd_tmpfs_t)
++
+ type ricci_modlog_t;
+ type ricci_modlog_exec_t;
+ domain_type(ricci_modlog_t)
+@@ -194,12 +200,21 @@
# ricci_modcluster local policy
#
-allow ricci_modcluster_t self:capability sys_nice;
++manage_dirs_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
++manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t,ricci_modclusterd_tmpfs_t)
++fs_tmpfs_filetrans(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, { dir file })
++
+allow ricci_modcluster_t self:capability { net_bind_service sys_nice };
allow ricci_modcluster_t self:process setsched;
allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms;
-+corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
-+corenet_tcp_bind_reserved_port(ricci_modclusterd_t)
-+
kernel_read_kernel_sysctls(ricci_modcluster_t)
kernel_read_system_state(ricci_modcluster_t)
++kernel_request_load_module(ricci_modclusterd_t)
++
++corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
++corenet_tcp_bind_reserved_port(ricci_modclusterd_t)
++corenet_tcp_connect_generic_port(ricci_modclusterd_t)
-@@ -227,6 +233,11 @@
+ corecmd_exec_shell(ricci_modcluster_t)
+ corecmd_exec_bin(ricci_modcluster_t)
+@@ -227,6 +242,11 @@
ricci_stream_connect_modclusterd(ricci_modcluster_t)
optional_policy(`
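Review bot: The new `ricci_modclusterd_t` rules at L598-L600 (tmpfs manage patterns and `fs_tmpfs_filetrans`) and L610-L614 (`kernel_request_load_module`, the corenet bind/connect lines) sit under the `# ricci_modcluster local policy` heading at L595, among `ricci_modcluster_t` rules, while the `ricci_modclusterd_t` section starts later in the file (the hunk at L634-L637). Move them into that section so the per-domain layout stays readable; `manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t,ricci_modclusterd_tmpfs_t)` at L599 also needs a space after the second comma. `kernel_request_load_module` lets the daemon trigger kernel module autoloading, which deserves a one-line why-comment such as `# modclusterd loads cluster kernel modules on demand — TODO confirm which`.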
@@ -29515,7 +29690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
ccs_stream_connect(ricci_modcluster_t)
ccs_domtrans(ricci_modcluster_t)
ccs_manage_config(ricci_modcluster_t)
-@@ -245,6 +256,10 @@
+@@ -245,6 +265,10 @@
')
optional_policy(`
@@ -29526,7 +29701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
# XXX This has got to go.
unconfined_domain(ricci_modcluster_t)
')
-@@ -259,11 +274,11 @@
+@@ -259,11 +283,11 @@
allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
@@ -29539,7 +29714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
# log files
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
-@@ -294,6 +309,8 @@
+@@ -294,6 +318,8 @@
fs_getattr_xattr_fs(ricci_modclusterd_t)
@@ -29548,7 +29723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
init_stream_connect_script(ricci_modclusterd_t)
locallogin_dontaudit_use_fds(ricci_modclusterd_t)
-@@ -303,7 +320,11 @@
+@@ -303,7 +329,11 @@
miscfiles_read_localization(ricci_modclusterd_t)
sysnet_domtrans_ifconfig(ricci_modclusterd_t)
@@ -29561,7 +29736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
optional_policy(`
ccs_domtrans(ricci_modclusterd_t)
-@@ -312,6 +333,10 @@
+@@ -312,6 +342,10 @@
')
optional_policy(`
@@ -29572,7 +29747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
unconfined_use_fds(ricci_modclusterd_t)
')
-@@ -440,6 +465,12 @@
+@@ -440,6 +474,12 @@
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
@@ -29585,7 +29760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
storage_raw_read_fixed_disk(ricci_modstorage_t)
term_dontaudit_use_console(ricci_modstorage_t)
-@@ -457,6 +488,11 @@
+@@ -457,6 +497,11 @@
mount_domtrans(ricci_modstorage_t)
optional_policy(`
@@ -31928,7 +32103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2010-05-28 09:42:00.194610898 +0200
++++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2010-08-04 15:01:13.430084931 +0200
@@ -34,6 +34,9 @@
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
@@ -31991,8 +32166,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-@@ -292,22 +303,30 @@
+@@ -290,24 +301,34 @@
+ kernel_search_key(sshd_t)
+ kernel_link_key(sshd_t)
++dev_rw_crypto(sshd_t)
++
term_use_all_ptys(sshd_t)
term_setattr_all_ptys(sshd_t)
+term_setattr_all_ttys(sshd_t)
@@ -32026,7 +32205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
optional_policy(`
-@@ -315,7 +334,12 @@
+@@ -315,7 +336,12 @@
')
optional_policy(`
@@ -32040,7 +32219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
optional_policy(`
-@@ -323,6 +347,10 @@
+@@ -323,6 +349,10 @@
')
optional_policy(`
@@ -32051,7 +32230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
rpm_use_script_fds(sshd_t)
')
-@@ -333,10 +361,18 @@
+@@ -333,10 +363,18 @@
')
optional_policy(`
@@ -32256,6 +32435,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm
-/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.19/policy/modules/services/uucp.te
+--- nsaserefpolicy/policy/modules/services/uucp.te 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/uucp.te 2010-08-04 15:04:00.352085562 +0200
+@@ -84,6 +84,7 @@
+ corenet_udp_sendrecv_generic_node(uucpd_t)
+ corenet_tcp_sendrecv_all_ports(uucpd_t)
+ corenet_udp_sendrecv_all_ports(uucpd_t)
++corenet_tcp_connect_ssh_port(uucpd_t)
+
+ dev_read_urand(uucpd_t)
+
+@@ -114,6 +115,10 @@
+ kerberos_use(uucpd_t)
+ ')
+
++optional_policy(`
++ ssh_exec(uucpd_t)
++')
++
+ ########################################
+ #
+ # UUX Local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.7.19/policy/modules/services/varnishd.if
--- nsaserefpolicy/policy/modules/services/varnishd.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/varnishd.if 2010-05-28 09:42:00.198610771 +0200
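Review bot: `ssh_exec(uucpd_t)` at L734 runs the ssh client inside `uucpd_t` rather than transitioning, so the client inherits every permission of the daemon (including the `corenet_*_sendrecv_all_ports` grants at L723-L724) and any key or config file it reads must be allowed to uucpd_t directly. If that is the intent, a comment above L733 saying so, e.g. `# ssh is used as a transport by uucp — TODO confirm; deliberately kept in uucpd_t, no transition`, will stop a later reader from swapping it for a domain transition. The new `corenet_tcp_connect_ssh_port(uucpd_t)` at L725 is the matching connect rule for that choice.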
@@ -32285,6 +32486,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varn
#######################################
## <summary>
## Read varnish logs.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.te serefpolicy-3.7.19/policy/modules/services/varnishd.te
+--- nsaserefpolicy/policy/modules/services/varnishd.te 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/varnishd.te 2010-08-04 15:24:49.633084903 +0200
+@@ -52,6 +52,7 @@
+ #
+
+ allow varnishd_t self:capability { dac_override ipc_lock setuid setgid };
++dontaudit varnishd_t self:capability sys_tty_config;
+ allow varnishd_t self:process signal;
+ allow varnishd_t self:fifo_file rw_fifo_file_perms;
+ allow varnishd_t self:tcp_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.19/policy/modules/services/vhostmd.fc
--- nsaserefpolicy/policy/modules/services/vhostmd.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/vhostmd.fc 2010-07-21 10:49:49.095135392 +0200
@@ -32507,7 +32719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-07-13 09:50:27.906502586 +0200
++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-08-04 15:20:48.325085430 +0200
@@ -1,5 +1,5 @@
-policy_module(virt, 1.3.2)
@@ -32531,7 +32743,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
type virt_etc_t;
files_config_file(virt_etc_t)
-@@ -72,8 +72,12 @@
+@@ -66,20 +66,26 @@
+ # virt Image files
+ type virt_image_t; # customizable
+ virt_image(virt_image_t)
++files_mountpoint(virt_image_t)
+
+ # virt Image files
+ type virt_content_t; # customizable
virt_image(virt_content_t)
userdom_user_home_content(virt_content_t)
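Review bot: `files_mountpoint(virt_image_t)` here, and `files_mountpoint(virt_var_lib_t)` in the following virt.te hunk, add both types to the mountpoint attribute, so any domain allowed to mount on mountpoints may now mount over guest image directories and `/var/lib` state of libvirt; neither change is listed in the changelog entry. A short comment naming the use case, e.g. `# libvirt mounts storage pools on image and lib directories` if that is the motivation, would let a later reviewer verify the grant is still needed. Which domain actually performs the mount is not visible in this hunk, so I cannot judge whether a narrower rule would do.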
@@ -32544,7 +32763,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
type virt_var_run_t;
files_pid_file(virt_var_run_t)
-@@ -90,6 +94,11 @@
+
+ type virt_var_lib_t;
+ files_type(virt_var_lib_t)
++files_mountpoint(virt_var_lib_t)
+
+ type virtd_t;
+ type virtd_exec_t;
+@@ -90,6 +96,11 @@
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
@@ -32556,7 +32782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -105,10 +114,6 @@
+@@ -105,10 +116,6 @@
allow svirt_t self:udp_socket create_socket_perms;
@@ -32567,7 +32793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
allow svirt_t svirt_image_t:dir search_dir_perms;
-@@ -148,11 +153,13 @@
+@@ -148,11 +155,13 @@
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
@@ -32581,7 +32807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
tunable_policy(`virt_use_sysfs',`
-@@ -161,6 +168,7 @@
+@@ -161,6 +170,7 @@
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(svirt_t)
@@ -32589,7 +32815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
fs_manage_dos_dirs(svirt_t)
fs_manage_dos_files(svirt_t)
')
-@@ -179,22 +187,30 @@
+@@ -179,22 +189,30 @@
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -32623,7 +32849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -205,9 +221,15 @@
+@@ -205,9 +223,15 @@
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -32639,7 +32865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
-@@ -248,25 +270,41 @@
+@@ -248,25 +272,41 @@
dev_rw_kvm(virtd_t)
dev_getattr_all_chr_files(virtd_t)
dev_rw_mtrr(virtd_t)
@@ -32684,7 +32910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
mcs_process_set_categories(virtd_t)
-@@ -291,15 +329,22 @@
+@@ -291,15 +331,22 @@
logging_send_syslog_msg(virtd_t)
@@ -32707,7 +32933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -370,6 +415,7 @@
+@@ -370,6 +417,7 @@
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
@@ -32715,7 +32941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
optional_policy(`
-@@ -407,6 +453,19 @@
+@@ -407,6 +455,19 @@
allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
allow virt_domain self:tcp_socket create_stream_socket_perms;
@@ -32735,7 +32961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -427,6 +486,7 @@
+@@ -427,6 +488,7 @@
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@@ -32743,7 +32969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -434,6 +494,7 @@
+@@ -434,6 +496,7 @@
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -32751,7 +32977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
domain_use_interactive_fds(virt_domain)
-@@ -445,6 +506,11 @@
+@@ -445,6 +508,11 @@
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -32763,7 +32989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -462,8 +528,13 @@
+@@ -462,8 +530,13 @@
')
optional_policy(`
@@ -33546,7 +33772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-07-19 13:20:20.524151390 +0200
++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-08-04 15:12:04.599085274 +0200
@@ -1,5 +1,5 @@
-policy_module(xserver, 3.3.2)
@@ -34034,7 +34260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -447,14 +603,19 @@
+@@ -447,14 +603,21 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -34046,6 +34272,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
term_setattr_unallocated_ttys(xdm_t)
+term_relabel_all_ttys(xdm_t)
+term_relabel_unallocated_ttys(xdm_t)
++
++application_signal(xdm_t)
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
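Review bot: `application_signal(xdm_t)` lets the display manager deliver signals to every domain carrying application_domain_type, which is considerably broader than the session teardown it is presumably meant for, and the changelog entry does not mention the new grant. If a specific denial motivated it, a comment above the call such as `# xdm signals session applications when a session ends` would let a later reviewer judge whether a narrower target than all application domains is possible. The enclosing xdm_t rule block starts and ends outside this hunk.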
@@ -34054,7 +34282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -465,10 +626,12 @@
+@@ -465,10 +628,12 @@
logging_read_generic_logs(xdm_t)
@@ -34069,7 +34297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +640,12 @@
+@@ -477,6 +642,12 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -34082,7 +34310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -508,11 +677,17 @@
+@@ -508,11 +679,17 @@
')
optional_policy(`
@@ -34100,7 +34328,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -520,12 +695,51 @@
+@@ -520,12 +697,51 @@
')
optional_policy(`
@@ -34152,7 +34380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
-@@ -543,20 +757,63 @@
+@@ -543,20 +759,63 @@
')
optional_policy(`
@@ -34218,7 +34446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -565,7 +822,6 @@
+@@ -565,7 +824,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -34226,7 +34454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +832,10 @@
+@@ -576,6 +834,10 @@
')
optional_policy(`
@@ -34237,7 +34465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
-@@ -600,10 +860,9 @@
+@@ -600,10 +862,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -34249,7 +34477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +874,18 @@
+@@ -615,6 +876,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -34268,7 +34496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +905,19 @@
+@@ -634,12 +907,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -34290,7 +34518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -673,7 +951,6 @@
+@@ -673,7 +953,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -34298,7 +34526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -683,9 +960,12 @@
+@@ -683,9 +962,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -34312,7 +34540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +980,13 @@
+@@ -700,8 +982,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -34326,7 +34554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -723,11 +1008,14 @@
+@@ -723,11 +1010,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -34341,7 +34569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -779,12 +1067,28 @@
+@@ -779,12 +1069,28 @@
')
optional_policy(`
@@ -34371,7 +34599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -811,7 +1115,7 @@
+@@ -811,7 +1117,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -34380,7 +34608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1136,14 @@
+@@ -832,9 +1138,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -34395,7 +34623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1158,14 @@
+@@ -849,11 +1160,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -34412,7 +34640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -999,3 +1311,33 @@
+@@ -999,3 +1313,33 @@
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -34446,6 +34674,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+tunable_policy(`use_samba_home_dirs',`
+ fs_append_cifs_files(xdmhomewriter)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.7.19/policy/modules/system/application.if
+--- nsaserefpolicy/policy/modules/system/application.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/system/application.if 2010-08-04 15:09:32.261085029 +0200
+@@ -130,3 +130,21 @@
+
+ allow $1 application_domain_type:process signull;
+ ')
++
++#######################################
++## <summary>
++## Send signal to all application domains.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`application_signal',`
++ gen_require(`
++ attribute application_domain_type;
++ ')
++
++ allow $1 application_domain_type:process signal;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.19/policy/modules/system/application.te
--- nsaserefpolicy/policy/modules/system/application.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/application.te 2010-05-28 09:42:00.208611712 +0200
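Review bot: The summary of the new `application_signal` interface says "Send signal to all application domains", but the `process:signal` permission it grants covers every signal that does not have its own dedicated permission (sigkill, sigstop, sigchld and signull are separate), so callers such as the xdm_t rule in the xserver.te hunk above obtain more than a nudge. Expanding the summary to `Send general signals (all but SIGKILL, SIGSTOP and SIGCHLD) to all application domains.` would make the scope of the grant explicit in the generated interface documentation. The body otherwise mirrors the sibling signull interface directly above it, which is the right convention.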
@@ -35649,7 +35902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.19/policy/modules/system/ipsec.fc
--- nsaserefpolicy/policy/modules/system/ipsec.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/ipsec.fc 2010-06-16 22:14:29.964859861 +0200
++++ serefpolicy-3.7.19/policy/modules/system/ipsec.fc 2010-08-04 14:47:49.067094603 +0200
@@ -25,6 +25,7 @@
/usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
@@ -35658,6 +35911,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
/usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+@@ -37,6 +38,8 @@
+
+ /var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
+
++/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
++
+ /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+
+ /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.19/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/ipsec.if 2010-07-01 15:59:17.968602268 +0200
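Review bot: The new file context `/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)` references `ipsec_mgmt_lock_t`, whose declaration is not part of this hunk; if ipsec.te does not already declare it (with `files_lock_file`), the module fails to build. Even when the type exists, a file-context entry only takes effect on relabel, so the lock file created at runtime by the management domain (presumably ipsec_mgmt_t) only gets this type if ipsec.te also carries a `files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)`; worth confirming both are present, since neither appears in this chunk.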
@@ -36055,6 +36317,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.7.19/policy/modules/system/kdump.te
+--- nsaserefpolicy/policy/modules/system/kdump.te 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/system/kdump.te 2010-08-04 15:02:29.137102846 +0200
+@@ -30,6 +30,7 @@
+
+ kernel_read_system_state(kdump_t)
+ kernel_read_core_if(kdump_t)
++kernel_request_load_module(kdump_t)
+
+ dev_read_framebuffer(kdump_t)
+ dev_read_sysfs(kdump_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.19/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-07-23 13:50:23.212138972 +0200
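Review bot: `kernel_request_load_module(kdump_t)` allows the kdump domain to trigger kernel module autoloading (the `system:module_request` permission), a grant the changelog entry does not mention and that no comment in the hunk explains. A one-line comment above the call naming the operation that produced the denial, e.g. `# module autoload triggered when kdump mounts the dump target (confirm against the AVC)`, would document why an otherwise narrow domain is allowed to request module loads.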
@@ -38588,7 +38861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.19/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.if 2010-06-15 18:40:03.064777332 +0200
++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.if 2010-08-04 14:40:49.949335299 +0200
@@ -60,25 +60,24 @@
netutils_run(dhcpc_t, $2)
netutils_run_ping(dhcpc_t, $2)
@@ -38733,7 +39006,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
#######################################
-@@ -464,6 +535,10 @@
+@@ -444,6 +515,7 @@
+ type dhcpc_var_run_t;
+ ')
+
++ files_rw_pid_dirs($1)
+ allow $1 dhcpc_var_run_t:file unlink;
+ ')
+
+@@ -464,6 +536,10 @@
corecmd_search_bin($1)
domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
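Review bot: The added `files_rw_pid_dirs($1)` in sysnetwork.if gives the caller read/write on the `/var/run` directory itself, which includes add_name and is broader than the `remove_name` that unlinking the dhcpc pid file on the next line actually requires; the caller can now create arbitrary entries in `/var/run`. If files.if offers no narrower interface for deleting a pid directory entry, a comment such as `# rw on /var/run needed only to unlink the dhcpc pid file` would at least record that the grant is wider than its purpose. The enclosing interface begins outside this hunk, so its name and the rest of its body are not visible here.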
@@ -38744,7 +39025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
########################################
-@@ -677,7 +752,10 @@
+@@ -677,7 +753,10 @@
corenet_tcp_connect_ldap_port($1)
corenet_sendrecv_ldap_client_packets($1)
@@ -38756,7 +39037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
########################################
-@@ -709,5 +787,52 @@
+@@ -709,5 +788,52 @@
corenet_tcp_connect_portmap_port($1)
corenet_sendrecv_portmap_client_packets($1)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 45c1ce1..9d53773 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 42%{?dist}
+Release: 43%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,13 @@ exit 0
%endif
%changelog
+* Wed Aug 4 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-43
+- Allow ncftool to run brctl
+- Fixes for ricci-modclusterd policy
+- Allow uucpd to execute ssh client
+- Add label for dayplanner
+- Allow sandbox_xserver execstack
+
* Mon Aug 2 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-42
- Allow kdump to read information from the debugging filesystem
- Update boinc policy