[selinux-policy] - Allow clamscan to read proc_t - Allow mount_t to write to debufs_t dir - Dontaudit mount_t trying

Daniel J Walsh dwalsh at fedoraproject.org
Mon Aug 23 21:29:56 UTC 2010


commit eee39f9d8eac8626cf811e98d7282bbc588f2353
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Mon Aug 23 17:29:52 2010 -0400

    - Allow clamscan to read proc_t
    - Allow mount_t to write to debugfs_t dir
    - Dontaudit mount_t trying to write to security_t dir

 policy-F14.patch    |  619 ++++++++++++++++++++++++++++++++++++++-------------
 selinux-policy.spec |    7 +-
 2 files changed, 466 insertions(+), 160 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index e7984de..1357638 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -10,6 +10,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.8.8/M
  net_contexts := $(builddir)net_contexts
  
  all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.8.8/man/man8/ftpd_selinux.8
+--- nsaserefpolicy/man/man8/ftpd_selinux.8	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.8.8/man/man8/ftpd_selinux.8	2010-08-23 13:38:00.000000000 -0400
+@@ -15,7 +15,7 @@
+ semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
+ .TP
+ .B
+-restorecon -R -v /var/ftp
++restorecon -F -R -v /var/ftp
+ .TP
+ Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type.  This also requires the allow_ftpd_anon_write boolean to be set.
+ .PP
+@@ -23,7 +23,7 @@
+ semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?"
+ .TP
+ .B
+-restorecon -R -v /var/ftp/incoming
++restorecon -F -R -v /var/ftp/incoming
+ 
+ .SH BOOLEANS
+ .PP
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/git_selinux.8 serefpolicy-3.8.8/man/man8/git_selinux.8
 --- nsaserefpolicy/man/man8/git_selinux.8	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.8.8/man/man8/git_selinux.8	2010-07-30 14:06:53.000000000 -0400
@@ -3364,8 +3385,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.8.8/policy/modules/apps/gnome.fc
 --- nsaserefpolicy/policy/modules/apps/gnome.fc	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/gnome.fc	2010-07-30 14:06:53.000000000 -0400
-@@ -1,8 +1,28 @@
++++ serefpolicy-3.8.8/policy/modules/apps/gnome.fc	2010-08-23 10:35:05.000000000 -0400
+@@ -1,8 +1,30 @@
 -HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
 +HOME_DIR/\.config(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
@@ -3375,8 +3396,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
 +HOME_DIR/\.local.*		gen_context(system_u:object_r:gconf_home_t,s0)
 +HOME_DIR/\.local/share(.*)?	gen_context(system_u:object_r:data_home_t,s0)
 +/HOME_DIR/\.Xdefaults		gen_context(system_u:object_r:config_home_t,s0)
++/HOME_DIR/\.xine(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
 +
 +/root/\.config(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
++/root/\.xine(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
 +/root/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
 +/root/\.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
 +/root/\.gstreamer-.*		gen_context(system_u:object_r:gstreamer_home_t,s0)
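Review bot: The added per-user entry `/HOME_DIR/\.xine(/.*)?` starts with a slash, while the other per-user entries in this hunk (`HOME_DIR/\.local.*`, `HOME_DIR/\.local/share(.*)?`) start with bare `HOME_DIR`; only the neighbouring `.Xdefaults` line shares the slash form. If the home-directory template expansion substitutes an absolute path for `HOME_DIR`, as the bare entries suggest, the leading slash yields a pattern that never matches and `~/.xine` keeps its default label instead of `config_home_t`. I would write it as `HOME_DIR/\.xine(/.*)?		gen_context(system_u:object_r:config_home_t,s0)` and correct the `.Xdefaults` line the same way. The `/root/\.xine(/.*)?` entry is fine as written.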
@@ -3398,7 +3421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.8.8/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/gnome.if	2010-08-05 09:43:28.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/gnome.if	2010-08-23 14:05:52.000000000 -0400
 @@ -74,6 +74,24 @@
  
  ########################################
@@ -4064,7 +4087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
  ##	Send generic signals to user gpg processes.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.8.8/policy/modules/apps/gpg.te
 --- nsaserefpolicy/policy/modules/apps/gpg.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/gpg.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/gpg.te	2010-08-23 14:06:23.000000000 -0400
 @@ -4,6 +4,7 @@
  #
  # Declarations
@@ -4127,7 +4150,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
  
  mta_write_config(gpg_t)
  
-@@ -151,10 +167,10 @@
+@@ -142,6 +158,10 @@
+ ')
+ 
+ optional_policy(`
++	gnome_read_config(gpg_t)
++')
++
++optional_policy(`
+ 	mozilla_read_user_home_files(gpg_t)
+ 	mozilla_write_user_home_files(gpg_t)
+ ')
+@@ -151,10 +171,10 @@
  	xserver_rw_xdm_pipes(gpg_t)
  ')
  
@@ -4142,7 +4176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
  
  ########################################
  #
-@@ -205,6 +221,7 @@
+@@ -205,6 +225,7 @@
  #
  # GPG agent local policy
  #
@@ -4150,7 +4184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
  
  # rlimit: gpg-agent wants to prevent coredumps
  allow gpg_agent_t self:process setrlimit;
-@@ -245,6 +262,7 @@
+@@ -245,6 +266,7 @@
  
  ifdef(`hide_broken_symptoms',`
  	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
@@ -4158,7 +4192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
  ')
  
  tunable_policy(`gpg_agent_env_file',`
-@@ -332,6 +350,9 @@
+@@ -332,6 +354,9 @@
  # for .Xauthority
  userdom_read_user_home_content_files(gpg_pinentry_t)
  userdom_read_user_tmpfs_files(gpg_pinentry_t)
@@ -4168,7 +4202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_read_nfs_files(gpg_pinentry_t)
-@@ -347,6 +368,12 @@
+@@ -347,6 +372,12 @@
  ')
  
  optional_policy(`
@@ -4181,7 +4215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
  	pulseaudio_exec(gpg_pinentry_t)
  	pulseaudio_rw_home_files(gpg_pinentry_t)
  	pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -356,4 +383,25 @@
+@@ -356,4 +387,28 @@
  
  optional_policy(`
  	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -4195,6 +4229,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
 +
 +allow gpg_web_t self:process setrlimit;
 +
++dev_read_rand(gpg_web_t)
++dev_read_urand(gpg_web_t)
++
 +can_exec(gpg_web_t, gpg_exec_t)
 +
 +files_read_usr_files(gpg_web_t)
@@ -4798,7 +4835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.8.8/policy/modules/apps/mozilla.te
 --- nsaserefpolicy/policy/modules/apps/mozilla.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.te	2010-08-19 06:47:05.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/mozilla.te	2010-08-23 17:17:34.000000000 -0400
 @@ -25,6 +25,7 @@
  type mozilla_home_t;
  typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
@@ -4821,15 +4858,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  ########################################
  #
  # Local policy
-@@ -89,6 +97,7 @@
+@@ -89,16 +97,20 @@
  corenet_raw_sendrecv_generic_node(mozilla_t)
  corenet_tcp_sendrecv_http_port(mozilla_t)
  corenet_tcp_sendrecv_http_cache_port(mozilla_t)
++corenet_tcp_sendrecv_squid_port(mozilla_t)
 +corenet_tcp_connect_flash_port(mozilla_t)
  corenet_tcp_sendrecv_ftp_port(mozilla_t)
  corenet_tcp_sendrecv_ipp_port(mozilla_t)
  corenet_tcp_connect_http_port(mozilla_t)
-@@ -238,6 +247,7 @@
+ corenet_tcp_connect_http_cache_port(mozilla_t)
++corenet_tcp_connect_squid_port(mozilla_t)
+ corenet_tcp_connect_ftp_port(mozilla_t)
+ corenet_tcp_connect_ipp_port(mozilla_t)
+ corenet_tcp_connect_generic_port(mozilla_t)
+ corenet_tcp_connect_soundd_port(mozilla_t)
+ corenet_sendrecv_http_client_packets(mozilla_t)
+ corenet_sendrecv_http_cache_client_packets(mozilla_t)
++corenet_sendrecv_squid_client_packets(mozilla_t)
+ corenet_sendrecv_ftp_client_packets(mozilla_t)
+ corenet_sendrecv_ipp_client_packets(mozilla_t)
+ corenet_sendrecv_generic_client_packets(mozilla_t)
+@@ -238,6 +250,7 @@
  optional_policy(`
  	gnome_stream_connect_gconf(mozilla_t)
  	gnome_manage_config(mozilla_t)
@@ -4837,7 +4887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  ')
  
  optional_policy(`
-@@ -258,6 +268,11 @@
+@@ -258,6 +271,11 @@
  ')
  
  optional_policy(`
@@ -4849,7 +4899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +281,17 @@
+@@ -266,3 +284,17 @@
  optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
@@ -5360,8 +5410,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.8.8/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te	2010-08-13 15:48:58.000000000 -0400
-@@ -0,0 +1,301 @@
++++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te	2010-08-23 17:18:54.000000000 -0400
+@@ -0,0 +1,306 @@
 +policy_module(nsplugin, 1.0.0)
 +
 +########################################
@@ -5460,6 +5510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +corenet_tcp_connect_pulseaudio_port(nsplugin_t)
 +corenet_tcp_connect_http_port(nsplugin_t)
 +corenet_tcp_connect_http_cache_port(nsplugin_t)
++corenet_tcp_connect_squid_port(nsplugin_t)
 +corenet_tcp_sendrecv_generic_if(nsplugin_t)
 +corenet_tcp_sendrecv_generic_node(nsplugin_t)
 +corenet_tcp_connect_ipp_port(nsplugin_t)
@@ -5554,6 +5605,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 +
 +optional_policy(`
++	sandbox_read_tmpfs_files(nsplugin_t)
++')
++
++optional_policy(`
 +	gen_require(`
 +		type user_tmpfs_t;
 +	')
@@ -6116,8 +6171,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +# No types are sandbox_exec_t
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.8.8/policy/modules/apps/sandbox.if
 --- nsaserefpolicy/policy/modules/apps/sandbox.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.if	2010-08-18 06:43:23.000000000 -0400
-@@ -0,0 +1,314 @@
++++ serefpolicy-3.8.8/policy/modules/apps/sandbox.if	2010-08-23 08:34:27.000000000 -0400
+@@ -0,0 +1,333 @@
 +
 +## <summary>policy for sandbox</summary>
 +
@@ -6325,6 +6380,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +
 +########################################
 +## <summary>
++##	allow domain to read
++##	sandbox tmpfs files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++#
++interface(`sandbox_read_tmpfs_files',`
++	gen_require(`
++		attribute sandbox_tmpfs_type;
++	')
++
++	allow $1 sandbox_tmpfs_type:file read_file_perms;
++')
++
++########################################
++## <summary>
 +##	allow domain to manage
 +##	sandbox tmpfs files
 +## </summary>
@@ -6434,8 +6508,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.8.8/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te	2010-08-19 07:46:41.000000000 -0400
-@@ -0,0 +1,397 @@
++++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te	2010-08-23 17:16:41.000000000 -0400
+@@ -0,0 +1,400 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -6730,10 +6804,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +corenet_raw_sendrecv_all_nodes(sandbox_web_type)
 +corenet_tcp_sendrecv_http_port(sandbox_web_type)
 +corenet_tcp_sendrecv_http_cache_port(sandbox_web_type)
++corenet_tcp_sendrecv_squid_port(sandbox_web_type)
 +corenet_tcp_sendrecv_ftp_port(sandbox_web_type)
 +corenet_tcp_sendrecv_ipp_port(sandbox_web_type)
 +corenet_tcp_connect_http_port(sandbox_web_type)
 +corenet_tcp_connect_http_cache_port(sandbox_web_type)
++corenet_tcp_connect_squid_port(sandbox_web_type)
 +corenet_tcp_connect_flash_port(sandbox_web_type)
 +corenet_tcp_connect_ftp_port(sandbox_web_type)
 +corenet_tcp_connect_ipp_port(sandbox_web_type)
@@ -6745,6 +6821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +corenet_tcp_connect_speech_port(sandbox_web_type)
 +corenet_sendrecv_http_client_packets(sandbox_web_type)
 +corenet_sendrecv_http_cache_client_packets(sandbox_web_type)
++corenet_sendrecv_squid_client_packets(sandbox_web_type)
 +corenet_sendrecv_ftp_client_packets(sandbox_web_type)
 +corenet_sendrecv_ipp_client_packets(sandbox_web_type)
 +corenet_sendrecv_generic_client_packets(sandbox_web_type)
@@ -7567,8 +7644,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.te serefpolicy-3.8.8/policy/modules/apps/userhelper.te
 --- nsaserefpolicy/policy/modules/apps/userhelper.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/userhelper.te	2010-07-30 14:06:53.000000000 -0400
-@@ -6,9 +6,51 @@
++++ serefpolicy-3.8.8/policy/modules/apps/userhelper.te	2010-08-23 08:31:37.000000000 -0400
+@@ -6,9 +6,54 @@
  #
  
  attribute userhelper_type;
@@ -7604,9 +7681,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
 +
 +corecmd_exec_bin(consolehelper_domain)
 +
-+files_read_etc_files(consolehelper_domain)
++files_read_config_files(consolehelper_domain)
++files_read_usr_files(consolehelper_domain)
 +
 +auth_search_pam_console_data(consolehelper_domain)
++auth_read_pam_pid(consolehelper_domain)
 +
 +init_read_utmp(consolehelper_domain)
 +
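Review bot: Replacing `files_read_etc_files(consolehelper_domain)` with `files_read_config_files(consolehelper_domain)` widens read access from generic /etc files to, as I understand that interface, every file type marked as a config file. The same hunk also adds usr files and the PAM pid file. `consolehelper_domain` looks like an attribute shared by several helper domains, so each grant presumably applies to all of them rather than to the one program that hit a denial. I would keep `files_read_etc_files` and grant the specific extra type through its own module's read interface. At minimum, add a comment above the new line such as `# needed for <denied path>, see <bug id>` so the grant can be narrowed later.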
@@ -7616,6 +7695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
 +
 +userdom_use_user_ptys(consolehelper_domain)
 +userdom_use_user_ttys(consolehelper_domain)
++userdom_search_user_home_content(consolehelper_domain)
 +
 +optional_policy(`
 +	xserver_stream_connect(consolehelper_domain)
@@ -7943,7 +8023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 +/lib/udev/devices/net/.* -c	gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.8.8/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/corenetwork.te.in	2010-08-04 13:10:54.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/corenetwork.te.in	2010-08-23 17:15:30.000000000 -0400
 @@ -24,6 +24,7 @@
  #
  type tun_tap_device_t;
@@ -7994,6 +8074,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
  network_port(ftp_data, tcp,20,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
+@@ -109,7 +117,7 @@
+ network_port(howl, tcp,5335,s0, udp,5353,s0)
+ network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
+ network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
+-network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
++network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
+ network_port(i18n_input, tcp,9010,s0)
+ network_port(imaze, tcp,5323,s0, udp,5323,s0)
+ network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
 @@ -124,29 +132,32 @@
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
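Review bot: Moving tcp 3128 out of `http_cache` here and into `squid` (the `network_port(squid, ...)` hunk further down) has effects beyond the four client domains this commit updates. Any other domain that reached a proxy on 3128 through `corenet_tcp_connect_http_cache_port` loses that access unless it also gains the squid interface; in the visible hunks only mozilla_t, nsplugin_t, sandbox_web_type and xguest_usertype are updated. Those browser-facing domains are also given connect access to everything labelled squid, which by the new definition includes tcp 3401 and 4827 (the snmp and htcp ports), not just the proxy port. If 3128 needs a label separate from `http_cache`, a dedicated port type holding only 3128 would avoid handing the management ports to sandboxed browsers.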
@@ -8074,7 +8163,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
  network_port(spamd, tcp,783,s0)
  network_port(speech, tcp,8036,s0)
- network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
+-network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
++network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
  network_port(ssh, tcp,22,s0)
 +network_port(streaming, tcp, 1755, s0, udp, 1755, s0)
  type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
@@ -8134,7 +8224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.8/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/devices.if	2010-08-16 07:06:37.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/devices.if	2010-08-21 06:37:45.000000000 -0400
 @@ -461,6 +461,24 @@
  
  ########################################
@@ -8185,7 +8275,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Read and write generic character device files.
  ## </summary>
  ## <param name="domain">
-@@ -606,6 +642,24 @@
+@@ -515,6 +551,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Read and write generic block device files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_rw_generic_blk_files',`
++	gen_require(`
++		type device_t;
++	')
++
++	allow $1 device_t:blk_file rw_chr_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Create generic character device files.
+ ## </summary>
+ ## <param name="domain">
+@@ -606,6 +660,24 @@
  
  ########################################
  ## <summary>
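Review bot: `dev_rw_generic_blk_files` pairs the `blk_file` class with the character-device permission set in `allow $1 device_t:blk_file rw_chr_file_perms;`. The class-matched macro is `rw_blk_file_perms`, so the rule should read `allow $1 device_t:blk_file rw_blk_file_perms;`. Even if the two sets expand identically today, the mismatch will diverge silently if either is changed. Separately, read/write on block nodes still labelled generic `device_t` amounts to raw access to any disk whose node has not been relabelled. The doc block should therefore name the caller that needs this and why; the caller is not in this hunk.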
@@ -8210,7 +8325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Create, delete, read, and write symbolic links in device directories.
  ## </summary>
  ## <param name="domain">
-@@ -1015,6 +1069,42 @@
+@@ -1015,6 +1087,42 @@
  
  ########################################
  ## <summary>
@@ -8253,7 +8368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Delete all block device files.
  ## </summary>
  ## <param name="domain">
-@@ -1277,6 +1367,24 @@
+@@ -1277,6 +1385,24 @@
  
  ########################################
  ## <summary>
@@ -8278,7 +8393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Do not audit attempts to get the attributes of
  ##	the autofs device node.
  ## </summary>
-@@ -3540,6 +3648,24 @@
+@@ -3540,6 +3666,24 @@
  
  ########################################
  ## <summary>
@@ -8303,7 +8418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Get the attributes of sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3851,6 +3977,24 @@
+@@ -3851,6 +3995,24 @@
  
  ########################################
  ## <summary>
@@ -8328,7 +8443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Mount a usbfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -4161,11 +4305,10 @@
+@@ -4161,11 +4323,10 @@
  #
  interface(`dev_rw_vhost',`
  	gen_require(`
@@ -9583,8 +9698,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.8.8/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/kernel.if	2010-07-30 14:06:53.000000000 -0400
-@@ -1977,7 +1977,7 @@
++++ serefpolicy-3.8.8/policy/modules/kernel/kernel.if	2010-08-23 17:02:01.000000000 -0400
+@@ -698,6 +698,26 @@
+ 
+ ########################################
+ ## <summary>
++##	Read/Write information from the debugging filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kernel_rw_debugfs',`
++	gen_require(`
++		type debugfs_t;
++	')
++
++	rw_files_pattern($1, debugfs_t, debugfs_t)
++	read_lnk_files_pattern($1, debugfs_t, debugfs_t)
++	list_dirs_pattern($1, debugfs_t, debugfs_t)
++')
++
++########################################
++## <summary>
+ ##	Mount a kernel VM filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -1977,7 +1997,7 @@
  	')
  
  	dontaudit $1 sysctl_type:dir list_dir_perms;
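Review bot: `kernel_rw_debugfs` grants more than the commit log describes: `rw_files_pattern($1, debugfs_t, debugfs_t)` gives read and write on every debugfs file, while the log only mentions mount_t writing to the debugfs directory. debugfs exposes kernel internals, so file write there is a sensitive permission to hand out by default. If the denial was a directory write during mount, a narrower interface containing only `allow $1 debugfs_t:dir write;` would cover it, as would a dontaudit like the one this commit adds for security_t. The caller is outside this hunk, so this should be confirmed against the actual AVC.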
@@ -9593,7 +9735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  ')
  
  ########################################
-@@ -2845,6 +2845,24 @@
+@@ -2845,6 +2865,24 @@
  
  ########################################
  ## <summary>
@@ -9618,7 +9760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2860,3 +2878,23 @@
+@@ -2860,3 +2898,23 @@
  
  	typeattribute $1 kern_unconfined;
  ')
@@ -9706,7 +9848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  # Unlabeled process local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.8.8/policy/modules/kernel/selinux.if
 --- nsaserefpolicy/policy/modules/kernel/selinux.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/selinux.if	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/selinux.if	2010-08-23 17:02:47.000000000 -0400
 @@ -40,7 +40,7 @@
  
  	# because of this statement, any module which
@@ -9716,7 +9858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
  ')
  
  ########################################
-@@ -202,6 +202,7 @@
+@@ -202,10 +202,31 @@
  		type security_t;
  	')
  
@@ -9724,7 +9866,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
  	dontaudit $1 security_t:dir search_dir_perms;
  	dontaudit $1 security_t:file read_file_perms;
  ')
-@@ -223,6 +224,7 @@
+ 
++
++########################################
++## <summary>
++##	Do not audit attempts to write
++##	generic selinuxfs entries
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`selinux_dontaudit_write_fs',`
++	gen_require(`
++		type security_t;
++	')
++
++	dontaudit $1 security_t:dir write;
++')
++
+ ########################################
+ ## <summary>
+ ##	Allows the caller to get the mode of policy enforcement
+@@ -223,6 +244,7 @@
  		type security_t;
  	')
  
@@ -9732,7 +9898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file read_file_perms;
  ')
-@@ -404,6 +406,7 @@
+@@ -404,6 +426,7 @@
  	')
  
  	allow $1 security_t:dir list_dir_perms;
@@ -9740,7 +9906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
  	allow $1 boolean_type:file rw_file_perms;
  
  	if(!secure_mode_policyload) {
-@@ -622,3 +625,23 @@
+@@ -622,3 +645,42 @@
  
  	typeattribute $1 selinux_unconfined_type;
  ')
@@ -9764,6 +9930,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
 +	fs_type($1)
 +	mls_trusted_object($1)
 +')
++
++########################################
++## <summary>
++##	Unmount a security filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the domain unmounting the filesystem.
++##	</summary>
++## </param>
++#
++interface(`selinux_unmount_fs',`
++	gen_require(`
++		type security_t;
++	')
++
++	allow $1 security_t:filesystem unmount;
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.8.8/policy/modules/kernel/storage.fc
 --- nsaserefpolicy/policy/modules/kernel/storage.fc	2010-07-27 16:06:05.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/kernel/storage.fc	2010-07-30 14:06:53.000000000 -0400
@@ -11699,7 +11884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.8.8/policy/modules/roles/xguest.te
 --- nsaserefpolicy/policy/modules/roles/xguest.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/xguest.te	2010-08-19 07:42:55.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/xguest.te	2010-08-23 17:20:22.000000000 -0400
 @@ -14,7 +14,7 @@
  
  ## <desc>
@@ -11758,7 +11943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
  	')
  ')
  
-@@ -76,23 +84,87 @@
+@@ -76,23 +84,90 @@
  ')
  
  optional_policy(`
@@ -11813,10 +11998,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
 +		corenet_raw_sendrecv_generic_node(xguest_usertype)
 +		corenet_tcp_sendrecv_http_port(xguest_usertype)
 +		corenet_tcp_sendrecv_http_cache_port(xguest_usertype)
++		corenet_tcp_sendrecv_squid_port(xguest_usertype)
 +		corenet_tcp_sendrecv_ftp_port(xguest_usertype)
 +		corenet_tcp_sendrecv_ipp_port(xguest_usertype)
 +		corenet_tcp_connect_http_port(xguest_usertype)
 +		corenet_tcp_connect_http_cache_port(xguest_usertype)
++		corenet_tcp_connect_squid_port(xguest_usertype)
 +		corenet_tcp_connect_flash_port(xguest_usertype)
 +		corenet_tcp_connect_ftp_port(xguest_usertype)
 +		corenet_tcp_connect_ipp_port(xguest_usertype)
@@ -11824,6 +12011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
 +		corenet_tcp_connect_soundd_port(xguest_usertype)
 +		corenet_sendrecv_http_client_packets(xguest_usertype)
 +		corenet_sendrecv_http_cache_client_packets(xguest_usertype)
++		corenet_sendrecv_squid_client_packets(xguest_usertype)
 +		corenet_sendrecv_ftp_client_packets(xguest_usertype)
 +		corenet_sendrecv_ipp_client_packets(xguest_usertype)
 +		corenet_sendrecv_generic_client_packets(xguest_usertype)
@@ -11958,7 +12146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
  ##	All of the rules required to administrate
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.8.8/policy/modules/services/abrt.te
 --- nsaserefpolicy/policy/modules/services/abrt.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/abrt.te	2010-08-03 09:01:25.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/abrt.te	2010-08-23 09:53:21.000000000 -0400
 @@ -5,6 +5,14 @@
  # Declarations
  #
@@ -12445,7 +12633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.8.8/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apache.if	2010-08-03 09:01:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apache.if	2010-08-21 06:54:45.000000000 -0400
 @@ -13,17 +13,13 @@
  #
  template(`apache_content_template',`
@@ -12696,7 +12884,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	files_search_var($1)
  ')
  
-@@ -841,6 +895,74 @@
+@@ -836,11 +890,80 @@
+ 	')
+ 
+ 	files_search_var($1)
++	apache_search_sys_content($1)
+ 	manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ 	manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
  	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
  ')
  
@@ -12737,7 +12931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +		type httpd_sys_rw_content_t;
 +	')
 +
-+	files_search_var($1)
++    files_search_var($1)
 +    manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 +    manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 +    manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
@@ -12771,7 +12965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  ## <summary>
  ##	Execute all web scripts in the system
-@@ -858,6 +980,11 @@
+@@ -858,6 +981,11 @@
  	gen_require(`
  		attribute httpdcontent;
  		type httpd_sys_script_t;
@@ -12783,7 +12977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  
  	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -945,7 +1072,7 @@
+@@ -945,7 +1073,7 @@
  		type httpd_squirrelmail_t;
  	')
  
@@ -12792,7 +12986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -1086,6 +1213,25 @@
+@@ -1086,6 +1214,25 @@
  	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
  ')
  
@@ -12818,7 +13012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  ## <summary>
  ##	Dontaudit attempts to write
-@@ -1102,7 +1248,7 @@
+@@ -1102,7 +1249,7 @@
  		type httpd_tmp_t;
  	')
  
@@ -12827,7 +13021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -1172,7 +1318,7 @@
+@@ -1172,7 +1319,7 @@
  		type httpd_modules_t, httpd_lock_t;
  		type httpd_var_run_t, httpd_php_tmp_t;
  		type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -12836,7 +13030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  
  	allow $1 httpd_t:process { getattr ptrace signal_perms };
-@@ -1202,12 +1348,43 @@
+@@ -1202,12 +1349,43 @@
  
  	kernel_search_proc($1)
  	allow $1 httpd_t:dir list_dir_perms;
@@ -12883,7 +13077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.8.8/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apache.te	2010-08-10 11:21:49.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apache.te	2010-08-23 17:21:05.000000000 -0400
 @@ -18,6 +18,8 @@
  # Declarations
  #
@@ -12928,7 +13122,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ## Allow HTTPD scripts and modules to connect to databases over the network.
  ## </p>
  ## </desc>
-@@ -100,6 +123,13 @@
+@@ -71,6 +94,13 @@
+ 
+ ## <desc>
+ ## <p>
++## Allow http daemon to check spam
++## </p>
++## </desc>
++gen_tunable(httpd_can_check_spam, false)
++
++## <desc>
++## <p>
+ ## Allow Apache to communicate with avahi service via dbus
+ ## </p>
+ ## </desc>
+@@ -100,6 +130,13 @@
  
  ## <desc>
  ## <p>
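Review bot: The description added for `httpd_can_check_spam` ("Allow http daemon to check spam") does not say what the boolean grants, or that it has no effect on its own. Later in this patch it is only consulted together with `httpd_can_sendmail`, where it enables `spamassassin_domtrans_client(httpd_t)`. A description such as `## Allow httpd to run the spamassassin client; only takes effect when httpd_can_sendmail is also enabled` would let an administrator judge the boolean from `semanage boolean -l` output without reading the policy source.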
@@ -12942,7 +13150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
  ## </p>
  ## </desc>
-@@ -107,6 +137,13 @@
+@@ -107,6 +144,13 @@
  
  ## <desc>
  ## <p>
@@ -12956,7 +13164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ## Unify HTTPD to communicate with the terminal.
  ## Needed for entering the passphrase for certificates at
  ## the terminal.
-@@ -130,7 +167,7 @@
+@@ -130,7 +174,7 @@
  
  ## <desc>
  ## <p>
@@ -12965,7 +13173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ## </p>
  ## </desc>
  gen_tunable(httpd_use_gpg, false)
-@@ -142,6 +179,13 @@
+@@ -142,6 +186,13 @@
  ## </desc>
  gen_tunable(httpd_use_nfs, false)
  
@@ -12979,7 +13187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  attribute httpdcontent;
  attribute httpd_user_content_type;
  
-@@ -216,7 +260,10 @@
+@@ -216,7 +267,10 @@
  
  # setup the system domain for system CGI scripts
  apache_content_template(sys)
@@ -12991,7 +13199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -226,6 +273,10 @@
+@@ -226,6 +280,10 @@
  
  apache_content_template(user)
  ubac_constrained(httpd_user_script_t)
@@ -13002,7 +13210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  userdom_user_home_content(httpd_user_content_t)
  userdom_user_home_content(httpd_user_htaccess_t)
  userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +284,7 @@
+@@ -233,6 +291,7 @@
  userdom_user_home_content(httpd_user_rw_content_t)
  typeattribute httpd_user_script_t httpd_script_domains;
  typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -13010,7 +13218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -286,6 +338,7 @@
+@@ -286,6 +345,7 @@
  manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
  manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
  manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
@@ -13018,7 +13226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -355,6 +408,7 @@
+@@ -355,6 +415,7 @@
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -13026,7 +13234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,8 +419,10 @@
+@@ -365,8 +426,10 @@
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -13037,7 +13245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  corenet_sendrecv_http_server_packets(httpd_t)
  # Signal self for shutdown
  corenet_tcp_connect_http_port(httpd_t)
-@@ -378,12 +434,12 @@
+@@ -378,12 +441,12 @@
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -13053,7 +13261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -402,6 +458,10 @@
+@@ -402,6 +465,10 @@
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -13064,7 +13272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  libs_read_lib_files(httpd_t)
  
-@@ -416,16 +476,31 @@
+@@ -416,16 +483,31 @@
  
  userdom_use_unpriv_users_fds(httpd_t)
  
@@ -13098,16 +13306,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  ')
  
-@@ -446,6 +521,16 @@
+@@ -439,13 +521,25 @@
+ 	corenet_tcp_connect_ftp_port(httpd_t)
+ 	corenet_tcp_connect_http_port(httpd_t)
+ 	corenet_tcp_connect_http_cache_port(httpd_t)
++	corenet_tcp_connect_squid_port(httpd_t)
+ 	corenet_tcp_connect_memcache_port(httpd_t)
+ 	corenet_sendrecv_gopher_client_packets(httpd_t)
+ 	corenet_sendrecv_ftp_client_packets(httpd_t)
+ 	corenet_sendrecv_http_client_packets(httpd_t)
  	corenet_sendrecv_http_cache_client_packets(httpd_t)
- ')
- 
++	corenet_sendrecv_squid_client_packets(httpd_t)
++')
++
 +tunable_policy(`httpd_enable_cgi && httpd_unified',`
 +	allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
 +	filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
 +	can_exec(httpd_sys_script_t, httpd_sys_content_t)
-+')
-+
+ ')
+ 
 +tunable_policy(`allow_httpd_sys_script_anon_write',`
 +	miscfiles_manage_public_files(httpd_sys_script_t)
 +') 
@@ -13115,7 +13332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
  	fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
  ')
-@@ -456,6 +541,10 @@
+@@ -456,6 +550,10 @@
  
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -13126,7 +13343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
  	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -470,11 +559,25 @@
+@@ -470,11 +568,25 @@
  	userdom_read_user_home_content_files(httpd_t)
  ')
  
@@ -13152,7 +13369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +587,16 @@
+@@ -484,7 +596,16 @@
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -13169,7 +13386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -500,8 +612,10 @@
+@@ -500,8 +621,10 @@
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
  	userdom_use_user_terminals(httpd_t)
@@ -13180,7 +13397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  optional_policy(`
-@@ -513,7 +627,13 @@
+@@ -513,7 +636,13 @@
  ')
  
  optional_policy(`
@@ -13195,7 +13412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  optional_policy(`
-@@ -528,7 +648,7 @@
+@@ -528,7 +657,7 @@
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -13204,7 +13421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +657,12 @@
+@@ -537,8 +666,12 @@
  ')
  
  optional_policy(`
@@ -13218,7 +13435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  ')
  
-@@ -557,6 +681,7 @@
+@@ -557,6 +690,7 @@
  
  optional_policy(`
  	# Allow httpd to work with mysql
@@ -13226,7 +13443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +692,7 @@
+@@ -567,6 +701,7 @@
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -13234,7 +13451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  optional_policy(`
-@@ -577,12 +703,23 @@
+@@ -577,12 +712,23 @@
  ')
  
  optional_policy(`
@@ -13258,7 +13475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  ')
  
-@@ -591,6 +728,11 @@
+@@ -591,6 +737,11 @@
  ')
  
  optional_policy(`
@@ -13270,7 +13487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +745,10 @@
+@@ -603,6 +754,10 @@
  	yam_read_content(httpd_t)
  ')
  
@@ -13281,7 +13498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  #
  # Apache helper local policy
-@@ -618,6 +764,10 @@
+@@ -618,6 +773,10 @@
  
  userdom_use_user_terminals(httpd_helper_t)
  
@@ -13292,7 +13509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  #
  # Apache PHP script local policy
-@@ -699,17 +849,18 @@
+@@ -699,17 +858,18 @@
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -13314,7 +13531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +891,21 @@
+@@ -740,10 +900,21 @@
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -13337,7 +13554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +931,12 @@
+@@ -769,6 +940,12 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -13350,7 +13567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  #
  # Apache system script local policy
-@@ -792,9 +960,13 @@
+@@ -792,9 +969,13 @@
  files_search_var_lib(httpd_sys_script_t)
  files_search_spool(httpd_sys_script_t)
  
@@ -13364,10 +13581,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,6 +975,22 @@
+@@ -803,6 +984,28 @@
  	mta_send_mail(httpd_sys_script_t)
  ')
  
++optional_policy(`
++ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
++  spamassassin_domtrans_client(httpd_t)
++ ')
++')
++
 +fs_cifs_entry_type(httpd_sys_script_t)
 +fs_read_iso9660_files(httpd_sys_script_t)
 +fs_nfs_entry_type(httpd_sys_script_t)
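Review bot: The new `optional_policy` block is indented with single spaces where the surrounding rules use tabs. It also grants a transition to `httpd_t` in what appears to be the `httpd_sys_script_t` section, since the neighbouring lines are `mta_send_mail(httpd_sys_script_t)` and `fs_cifs_entry_type(httpd_sys_script_t)`. Placing it with the other `httpd_t` mail rules and re-indenting with tabs would make the grant easier to find in an audit. A domain transition out of the main daemon domain is a privilege boundary, so a one-line comment such as `# run the spamassassin client from httpd when mail checking is enabled` is worth adding.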
@@ -13387,7 +13610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
  	allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -830,6 +1018,16 @@
+@@ -830,6 +1033,16 @@
  	fs_read_nfs_symlinks(httpd_sys_script_t)
  ')
  
@@ -13404,7 +13627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,6 +1040,7 @@
+@@ -842,6 +1055,7 @@
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -13412,7 +13635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  optional_policy(`
-@@ -891,11 +1090,33 @@
+@@ -891,11 +1105,33 @@
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -13964,8 +14187,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.8.8/policy/modules/services/boinc.te
 --- nsaserefpolicy/policy/modules/services/boinc.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/boinc.te	2010-08-20 07:29:39.000000000 -0400
-@@ -0,0 +1,146 @@
++++ serefpolicy-3.8.8/policy/modules/services/boinc.te	2010-08-23 09:55:03.000000000 -0400
+@@ -0,0 +1,152 @@
 +policy_module(boinc,1.0.0)
 +
 +########################################
@@ -14004,7 +14227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +#
 +
 +allow boinc_t self:capability { kill };
-+allow boinc_t self:process { setsched };
++allow boinc_t self:process { setsched sigkill };
 +
 +allow boinc_t self:fifo_file rw_fifo_file_perms;
 +allow boinc_t self:unix_stream_socket create_stream_socket_perms;
@@ -14099,6 +14322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +allow boinc_project_t boinc_t:shm rw_shm_perms;
 +allow boinc_project_t boinc_tmpfs_t:file { read write };
 +
++list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
 +rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
 +
 +kernel_read_system_state(boinc_project_t)
@@ -14106,10 +14330,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +kernel_search_vm_sysctl(boinc_project_t)
 +kernel_read_network_state(boinc_project_t)
 +
++corecmd_exec_bin(boinc_project_t)
++corecmd_exec_shell(boinc_project_t)
++
 +corenet_tcp_connect_boinc_port(boinc_project_t)
 +
 +dev_rw_xserver_misc(boinc_project_t)
 +
++files_read_etc_files(boinc_project_t)
++
 +miscfiles_read_localization(boinc_project_t)
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.fc serefpolicy-3.8.8/policy/modules/services/bugzilla.fc
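Review bot: `corecmd_exec_bin(boinc_project_t)` and `corecmd_exec_shell(boinc_project_t)` are added without a comment, and they noticeably widen what code in `boinc_project_t` can do. If, as the name suggests, this domain runs downloaded project workloads, a shell and every `bin_t` program become available to that code, although it stays confined to `boinc_project_t` because these interfaces do not transition. A comment naming what needs the shell, e.g. `# <project> applications are started through a shell wrapper`, would record the reason. If only some deployments need it, putting the two lines behind a tunable keeps the default tighter.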
@@ -14768,7 +14997,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
  corenet_udp_bind_chronyd_port(chronyd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.8.8/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/clamav.te	2010-08-18 19:16:59.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/clamav.te	2010-08-23 11:36:59.000000000 -0400
 @@ -80,6 +80,7 @@
  files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
  
@@ -14827,6 +15056,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  optional_policy(`
  	cron_system_entry(freshclam_t, freshclam_exec_t)
  ')
+@@ -251,6 +261,7 @@
+ corenet_tcp_connect_clamd_port(clamscan_t)
+ 
+ kernel_read_kernel_sysctls(clamscan_t)
++kernel_read_system_state(clamscan_t)
+ 
+ files_read_etc_files(clamscan_t)
+ files_read_etc_runtime_files(clamscan_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.fc serefpolicy-3.8.8/policy/modules/services/cmirrord.fc
 --- nsaserefpolicy/policy/modules/services/cmirrord.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.8.8/policy/modules/services/cmirrord.fc	2010-07-30 14:06:53.000000000 -0400
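Review bot: `kernel_read_system_state(clamscan_t)` is added without saying what clamscan reads under /proc. The same interface in apache.te carries a reason in this patch (`# for modules that want to access /proc/meminfo`). A similar line here, e.g. `# clamscan reads <file from the AVC denial> in /proc`, would show the access is needed rather than a candidate for `dontaudit`. The scanner parses untrusted files, so each extra read grant is worth justifying.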
@@ -16525,7 +16762,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyph
  kernel_read_kernel_sysctls(cyphesis_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.8.8/policy/modules/services/cyrus.te
 --- nsaserefpolicy/policy/modules/services/cyrus.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cyrus.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cyrus.te	2010-08-23 13:57:07.000000000 -0400
+@@ -26,7 +26,7 @@
+ # Local policy
+ #
+ 
+-allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
++allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource };
+ dontaudit cyrus_t self:capability sys_tty_config;
+ allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow cyrus_t self:process setrlimit;
 @@ -135,6 +135,7 @@
  ')
  
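Review bot: `fsetid` is added to a capability set that already holds `dac_override`, `setuid` and `setgid`, with no comment on what triggers it. The capability lets the daemon keep set-id bits when it modifies files it does not own, and this domain also has `net_bind_service`, so the operation that needed it should be recorded, e.g. `# <operation from the AVC denial> needs fsetid`. If the denial is cosmetic and the daemon works without it, `dontaudit cyrus_t self:capability fsetid;` would be the narrower choice. The local-policy section continues beyond the hunk.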
@@ -19801,7 +20047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.8.8/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mta.te	2010-08-17 07:17:58.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mta.te	2010-08-23 10:08:13.000000000 -0400
 @@ -20,8 +20,8 @@
  type etc_mail_t;
  files_config_file(etc_mail_t)
@@ -19945,7 +20191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  
  read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
  
-@@ -249,6 +245,10 @@
+@@ -249,11 +245,16 @@
  	mailman_read_data_symlinks(mailserver_delivery)
  ')
  
@@ -19956,7 +20202,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ########################################
  #
  # User send mail local policy
-@@ -292,3 +292,42 @@
+ #
+ 
++
+ domain_use_interactive_fds(user_mail_t)
+ 
+ userdom_use_user_terminals(user_mail_t)
+@@ -292,3 +293,44 @@
  	postfix_read_config(user_mail_t)
  	postfix_list_spool(user_mail_t)
  ')
@@ -19969,6 +20221,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 +allow user_mail_domain self:fifo_file rw_fifo_file_perms;
 +allow user_mail_domain mta_exec_type:file entrypoint;
 +
++read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t)
++
 +can_exec(user_mail_domain, mta_exec_type)
 +
 +allow system_mail_t user_mail_domain:file read_file_perms;
@@ -21697,7 +21951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.8.8/policy/modules/services/policykit.te
 --- nsaserefpolicy/policy/modules/services/policykit.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/policykit.te	2010-08-11 09:09:19.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/policykit.te	2010-08-23 13:23:59.000000000 -0400
 @@ -24,6 +24,9 @@
  type policykit_reload_t alias polkit_reload_t;
  files_type(policykit_reload_t)
@@ -21725,7 +21979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  
  policykit_domtrans_auth(policykit_t)
  
-@@ -56,56 +60,107 @@
+@@ -56,10 +60,16 @@
  manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
  files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
  
@@ -21741,9 +21995,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
 +fs_list_inotifyfs(policykit_t)
  
  auth_use_nsswitch(policykit_t)
-+auth_read_var_auth(policykit_t)
  
- logging_send_syslog_msg(policykit_t)
+@@ -67,45 +77,90 @@
  
  miscfiles_read_localization(policykit_t)
  
@@ -21821,6 +22074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
 +fs_search_tmpfs(polkit_auth_t)
  
  auth_use_nsswitch(policykit_auth_t)
++auth_read_var_auth(policykit_auth_t)
 +auth_domtrans_chk_passwd(policykit_auth_t)
  
  logging_send_syslog_msg(policykit_auth_t)
@@ -22251,7 +22505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.8.8/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/postfix.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/postfix.te	2010-08-23 14:01:01.000000000 -0400
 @@ -5,6 +5,15 @@
  # Declarations
  #
@@ -22382,7 +22636,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ########################################
  #
  # Postfix map local policy
-@@ -420,6 +457,7 @@
+@@ -401,6 +438,8 @@
+ 
+ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+ 
++corecmd_exec_bin(postfix_pipe_t)
++
+ optional_policy(`
+ 	dovecot_domtrans_deliver(postfix_pipe_t)
+ ')
+@@ -420,6 +459,7 @@
  
  optional_policy(`
  	spamassassin_domtrans_client(postfix_pipe_t)
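Review bot: `corecmd_exec_bin(postfix_pipe_t)` lets the pipe delivery agent run any `bin_t` program inside its own domain. The neighbouring rules instead hand off to helpers through transitions (`domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)`, `dovecot_domtrans_deliver`, `spamassassin_domtrans_client`). This domain passes mail content to external commands, so a comment naming the program that needed the access, or a dedicated transition for that program, would keep the grant reviewable.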
@@ -22390,7 +22653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ')
  
  optional_policy(`
-@@ -588,6 +626,11 @@
+@@ -588,6 +628,11 @@
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
@@ -22402,7 +22665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  mta_read_aliases(postfix_smtpd_t)
  
  optional_policy(`
-@@ -630,3 +673,8 @@
+@@ -630,3 +675,8 @@
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -22524,6 +22787,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
  
  kernel_read_system_state(prelude_t)
  kernel_read_sysctl(prelude_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.8.8/policy/modules/services/privoxy.te
+--- nsaserefpolicy/policy/modules/services/privoxy.te	2010-07-27 16:06:06.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/privoxy.te	2010-08-23 17:21:38.000000000 -0400
+@@ -58,10 +58,12 @@
+ corenet_tcp_bind_http_cache_port(privoxy_t)
+ corenet_tcp_connect_http_port(privoxy_t)
+ corenet_tcp_connect_http_cache_port(privoxy_t)
++corenet_tcp_connect_squid_port(privoxy_t)
+ corenet_tcp_connect_ftp_port(privoxy_t)
+ corenet_tcp_connect_pgpkeyserver_port(privoxy_t)
+ corenet_tcp_connect_tor_port(privoxy_t)
+ corenet_sendrecv_http_cache_client_packets(privoxy_t)
++corenet_sendrecv_squid_client_packets(privoxy_t)
+ corenet_sendrecv_http_cache_server_packets(privoxy_t)
+ corenet_sendrecv_http_client_packets(privoxy_t)
+ corenet_sendrecv_ftp_client_packets(privoxy_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.8.8/policy/modules/services/procmail.fc
 --- nsaserefpolicy/policy/modules/services/procmail.fc	2010-07-27 16:06:06.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/services/procmail.fc	2010-07-30 14:06:53.000000000 -0400
@@ -26480,16 +26759,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.8.8/policy/modules/services/ulogd.te
 --- nsaserefpolicy/policy/modules/services/ulogd.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ulogd.te	2010-08-17 06:53:12.000000000 -0400
-@@ -31,6 +31,7 @@
++++ serefpolicy-3.8.8/policy/modules/services/ulogd.te	2010-08-23 09:53:33.000000000 -0400
+@@ -31,6 +31,9 @@
  
  allow ulogd_t self:capability net_admin;
  allow ulogd_t self:netlink_nflog_socket create_socket_perms;
 +allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;
++allow ulogd_t self:tcp_socket { create_stream_socket_perms connect };
++allow ulogd_t self:udp_socket create_socket_perms;
  
  # config files
  read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
-@@ -43,6 +44,15 @@
+@@ -43,6 +46,18 @@
  manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
  logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
  
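Review bot: In `allow ulogd_t self:tcp_socket { create_stream_socket_perms connect };` the explicit `connect` looks redundant. In the reference policy's permission sets, `create_stream_socket_perms` already expands to the create/read/write set, which includes `connect`, plus `listen` and `accept`. If ulogd only opens outbound connections to a database, `allow ulogd_t self:tcp_socket create_socket_perms;` grants what a client needs without `listen`/`accept`. The domain holds `net_admin`, so limiting its socket permissions to the client side is worthwhile.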
@@ -26499,12 +26780,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulog
  
  miscfiles_read_localization(ulogd_t)
 +
++sysnet_dns_name_resolve(ulogd_t)
++
 +optional_policy(`
 +        mysql_stream_connect(ulogd_t)
 +')
 +
 +optional_policy(`
 +        postgresql_stream_connect(ulogd_t)
++	postgresql_tcp_connect(ulogd_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.8.8/policy/modules/services/usbmuxd.fc
 --- nsaserefpolicy/policy/modules/services/usbmuxd.fc	2010-07-27 16:06:06.000000000 -0400
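Review bot: The added `postgresql_tcp_connect(ulogd_t)` line is indented with a tab, while the rest of the two `optional_policy` blocks use eight spaces; matching the neighbours keeps the block uniform. The mysql block gets only `mysql_stream_connect`, so a remote MySQL backend would presumably still be denied. If that is intentional a short comment should say so; otherwise `mysql_tcp_connect(ulogd_t)` is the parallel line.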
@@ -29335,7 +29619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  ifdef(`distro_suse', `
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.8.8/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/authlogin.if	2010-08-13 13:17:18.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/authlogin.if	2010-08-23 08:32:56.000000000 -0400
 @@ -91,9 +91,12 @@
  interface(`auth_login_pgm_domain',`
  	gen_require(`
@@ -29788,8 +30072,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.8.8/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/fstools.te	2010-07-30 14:06:53.000000000 -0400
-@@ -117,6 +117,8 @@
++++ serefpolicy-3.8.8/policy/modules/system/fstools.te	2010-08-23 08:25:15.000000000 -0400
+@@ -55,6 +55,7 @@
+ 
+ kernel_read_system_state(fsadm_t)
+ kernel_read_kernel_sysctls(fsadm_t)
++kernel_request_load_module(fsadm_t)
+ # Allow console log change (updfstab)
+ kernel_change_ring_buffer_level(fsadm_t)
+ # mkreiserfs needs this
+@@ -117,6 +118,8 @@
  fs_search_tmpfs(fsadm_t)
  fs_getattr_tmpfs_dirs(fsadm_t)
  fs_read_tmpfs_symlinks(fsadm_t)
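Review bot: `kernel_request_load_module(fsadm_t)` is the only line in this group without a reason, while its neighbours are annotated (`# Allow console log change (updfstab)`, `# mkreiserfs needs this`). Requesting kernel module loads is a sensitive grant for a domain that runs filesystem tools. A comment such as `# <tool from the AVC denial> triggers autoload of a filesystem module` would document why it is needed.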
@@ -29798,7 +30090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
  # Recreate /mnt/cdrom.
  files_manage_mnt_dirs(fsadm_t)
  # for tune2fs
-@@ -147,7 +149,7 @@
+@@ -147,7 +150,7 @@
  
  seutil_read_config(fsadm_t)
  
@@ -29807,7 +30099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -166,6 +168,14 @@
+@@ -166,6 +169,14 @@
  ')
  
  optional_policy(`
@@ -30301,7 +30593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.8/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.te	2010-08-17 09:55:08.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/init.te	2010-08-23 17:03:04.000000000 -0400
 @@ -16,6 +16,27 @@
  ## </desc>
  gen_tunable(init_upstart, false)
@@ -30413,7 +30705,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -185,15 +216,68 @@
+@@ -185,15 +216,70 @@
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -30430,6 +30722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +
 +	kernel_list_unlabeled(init_t)
 +	kernel_read_network_state(init_t)
++	kernel_unmount_debugfs(init_t)
 +
 +	dev_write_kmsg(init_t)
 +	dev_rw_autofs(init_t)
@@ -30451,6 +30744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +
 +	selinux_compute_create_context(init_t)
 +	selinux_validate_context(init_t)
++	selinux_unmount_fs(init_t)
 +
 +	init_read_script_state(init_t)
 +
@@ -30482,7 +30776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	nscd_socket_use(init_t)
  ')
  
-@@ -202,6 +286,10 @@
+@@ -202,6 +288,10 @@
  ')
  
  optional_policy(`
@@ -30493,7 +30787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	unconfined_domain(init_t)
  ')
  
-@@ -211,7 +299,7 @@
+@@ -211,7 +301,7 @@
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -30502,7 +30796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -240,6 +328,7 @@
+@@ -240,6 +330,7 @@
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -30510,7 +30804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  can_exec(initrc_t, initrc_tmp_t)
  manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -257,11 +346,22 @@
+@@ -257,11 +348,22 @@
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -30533,7 +30827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  corecmd_exec_all_executables(initrc_t)
  
-@@ -297,11 +397,13 @@
+@@ -297,11 +399,13 @@
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -30547,7 +30841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -320,8 +422,10 @@
+@@ -320,8 +424,10 @@
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -30559,7 +30853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -337,6 +441,8 @@
+@@ -337,6 +443,8 @@
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -30568,7 +30862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  fs_delete_cgroup_dirs(initrc_t)
  fs_list_cgroup_dirs(initrc_t)
-@@ -350,6 +456,8 @@
+@@ -350,6 +458,8 @@
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -30577,7 +30871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -362,6 +470,7 @@
+@@ -362,6 +472,7 @@
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -30585,7 +30879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -393,13 +502,14 @@
+@@ -393,13 +504,14 @@
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -30601,7 +30895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -472,7 +582,7 @@
+@@ -472,7 +584,7 @@
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -30610,7 +30904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -518,6 +628,19 @@
+@@ -518,6 +630,19 @@
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -30630,7 +30924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	')
  
  	optional_policy(`
-@@ -525,10 +648,17 @@
+@@ -525,10 +650,17 @@
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -30648,7 +30942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	')
  
  	optional_policy(`
-@@ -543,6 +673,35 @@
+@@ -543,6 +675,35 @@
  	')
  ')
  
@@ -30684,7 +30978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -555,6 +714,8 @@
+@@ -555,6 +716,8 @@
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -30693,7 +30987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -571,6 +732,7 @@
+@@ -571,6 +734,7 @@
  
  optional_policy(`
  	cgroup_stream_connect(initrc_t)
@@ -30701,7 +30995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -583,6 +745,11 @@
+@@ -583,6 +747,11 @@
  ')
  
  optional_policy(`
@@ -30713,7 +31007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -599,6 +766,7 @@
+@@ -599,6 +768,7 @@
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -30721,7 +31015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  	optional_policy(`
  		consolekit_dbus_chat(initrc_t)
-@@ -700,7 +868,12 @@
+@@ -700,7 +870,12 @@
  ')
  
  optional_policy(`
@@ -30734,7 +31028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -723,6 +896,10 @@
+@@ -723,6 +898,10 @@
  ')
  
  optional_policy(`
@@ -30745,7 +31039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -744,6 +921,10 @@
+@@ -744,6 +923,10 @@
  ')
  
  optional_policy(`
@@ -30756,7 +31050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -765,8 +946,6 @@
+@@ -765,8 +948,6 @@
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -30765,7 +31059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -775,14 +954,21 @@
+@@ -775,14 +956,21 @@
  ')
  
  optional_policy(`
@@ -30787,7 +31081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -804,11 +990,19 @@
+@@ -804,11 +992,19 @@
  ')
  
  optional_policy(`
@@ -30808,7 +31102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -818,6 +1012,25 @@
+@@ -818,6 +1014,25 @@
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -30834,7 +31128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -843,3 +1056,55 @@
+@@ -843,3 +1058,55 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -32739,7 +33033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.8.8/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/mount.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/mount.te	2010-08-23 16:56:51.000000000 -0400
 @@ -17,8 +17,15 @@
  init_system_domain(mount_t, mount_exec_t)
  role system_r types mount_t;
@@ -32787,7 +33081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  allow mount_t mount_loopback_t:file read_file_perms;
  
-@@ -46,30 +68,51 @@
+@@ -46,30 +68,54 @@
  
  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
  
@@ -32805,7 +33099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 +kernel_read_network_state(mount_t)
  kernel_read_kernel_sysctls(mount_t)
 -kernel_dontaudit_getattr_core_if(mount_t)
-+kernel_search_debugfs(mount_t)
++kernel_rw_debugfs(mount_t)
 +kernel_setsched(mount_t)
 +kernel_use_fds(mount_t)
 +kernel_request_load_module(mount_t)
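Review bot: `kernel_rw_debugfs(mount_t)` replaces `kernel_search_debugfs(mount_t)` and looks broader than the changelog's stated need of writing to the debugfs directory. By the policy's naming convention an `rw` interface usually also covers reading and writing the files beneath it, though the interface body is not visible in this hunk. debugfs exposes kernel internals, so if mount only has to write the directory itself, a directory-scoped grant would keep mount_t away from the debugfs files. At minimum add a line above it such as `# mount needs to write the debugfs_t dir (see <bug reference placeholder>)` so the grant can be revisited later. The surrounding mount.te section continues outside this hunk.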
@@ -32823,6 +33117,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  dev_dontaudit_getattr_all_chr_files(mount_t)
  dev_dontaudit_getattr_memory_dev(mount_t)
  dev_getattr_sound_dev(mount_t)
++ifdef(`hide_broken_symptoms',`
++	dev_rw_generic_blk_files(mount_t)
++')
  
  domain_use_interactive_fds(mount_t)
 +domain_dontaudit_search_all_domains_state(mount_t)
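Review bot: The new `dev_rw_generic_blk_files(mount_t)` block is an allow rule placed under `hide_broken_symptoms`, and neither the commit message nor the spec changelog mentions it. Read/write on generic block device nodes (presumably nodes left with the default device type, going by the interface name) is a sizeable grant, and it lets mount_t reach block devices whose storage labelling is wrong instead of surfacing the mislabel. Put a comment inside the ifdef naming the symptom being hidden, e.g. `# mislabeled block nodes in /dev; remove once <bug reference placeholder> is fixed`, and add the item to the %changelog entry so the widening is traceable.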
@@ -32841,7 +33138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  files_mount_all_file_type_fs(mount_t)
  files_unmount_all_file_type_fs(mount_t)
  # for when /etc/mtab loses its type
-@@ -79,15 +122,20 @@
+@@ -79,25 +125,32 @@
  files_read_usr_files(mount_t)
  files_list_mnt(mount_t)
  
@@ -32865,7 +33162,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  mls_file_read_all_levels(mount_t)
  mls_file_write_all_levels(mount_t)
-@@ -98,6 +146,7 @@
+ 
+ selinux_get_enforce_mode(mount_t)
++selinux_dontaudit_write_fs(mount_t)
+ 
+ storage_raw_read_fixed_disk(mount_t)
  storage_raw_write_fixed_disk(mount_t)
  storage_raw_read_removable_device(mount_t)
  storage_raw_write_removable_device(mount_t)
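Review bot: `selinux_dontaudit_write_fs(mount_t)` silences the denial without recording which mount operation attempts the write. Access stays denied, but the AVC record disappears, so a later unexpected write attempt from mount_t would only be visible with dontaudit rules disabled (`semodule -DB`). A one-line comment above it, e.g. `# mount probes security_t for write access; the denial is expected`, would tell the next maintainer the rule is deliberate. Adjust the wording to the real cause, which is not visible in this hunk.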
@@ -32873,7 +33174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  term_use_all_terms(mount_t)
  
-@@ -106,6 +155,8 @@
+@@ -106,6 +159,8 @@
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -32882,7 +33183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  logging_send_syslog_msg(mount_t)
  
-@@ -116,6 +167,12 @@
+@@ -116,6 +171,12 @@
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
@@ -32895,7 +33196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -131,10 +188,17 @@
+@@ -131,10 +192,17 @@
  	')
  ')
  
@@ -32913,7 +33214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
  
  optional_policy(`
-@@ -164,6 +228,8 @@
+@@ -164,6 +232,8 @@
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -32922,7 +33223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
  
  optional_policy(`
-@@ -171,6 +237,25 @@
+@@ -171,6 +241,25 @@
  ')
  
  optional_policy(`
@@ -32948,7 +33249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -178,6 +263,11 @@
+@@ -178,6 +267,11 @@
  	')
  ')
  
@@ -32960,7 +33261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  # for kernel package installation
  optional_policy(`
  	rpm_rw_pipes(mount_t)
-@@ -185,6 +275,19 @@
+@@ -185,6 +279,19 @@
  
  optional_policy(`
  	samba_domtrans_smbmount(mount_t)
@@ -32980,7 +33281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
  
  ########################################
-@@ -193,6 +296,42 @@
+@@ -193,6 +300,42 @@
  #
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c8087f0..b22ba70 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.8.8
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,11 @@ exit 0
 %endif
 
 %changelog
+* Mon Aug 23 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-18
+- Allow clamscan to read proc_t
+- Allow mount_t to write to debufs_t dir
+- Dontaudit mount_t trying to write to security_t dir
+
 * Thu Aug 18 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-17
 - Allow clamscan_t execmem if clamd_use_jit set
 - Add policy for firefox plugin-container

