rpms/selinux-policy/F-12 policy-20100106.patch, 1.30, 1.31 selinux-policy.spec, 1.1015, 1.1016

Miroslav Grepl mgrepl at fedoraproject.org
Tue Feb 9 12:22:30 UTC 2010


Author: mgrepl

Update of /cvs/pkgs/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv11803

Modified Files:
	policy-20100106.patch selinux-policy.spec 
Log Message:
- Allow mysql ipc_lock capability
- Allow passwd sys_nice capability
- Allow plymouth to read network config files
- Fixes for git 
- Add label for /usr/sbin/ns-slapd
- Allow munin to list mail queue
- Add label for shorewall compiler



policy-20100106.patch:
 modules/admin/dmesg.fc             |    1 
 modules/admin/mcelog.fc            |    2 
 modules/admin/mcelog.if            |   20 +
 modules/admin/mcelog.te            |   31 ++
 modules/admin/prelink.te           |    1 
 modules/admin/readahead.te         |    2 
 modules/admin/rpm.if               |   20 -
 modules/admin/smoltclient.te       |    2 
 modules/admin/usermanage.te        |    6 
 modules/apps/cdrecord.te           |    2 
 modules/apps/chrome.te             |    3 
 modules/apps/firewallgui.te        |    4 
 modules/apps/gnome.fc              |    9 
 modules/apps/gnome.if              |   81 +++++-
 modules/apps/gnome.te              |    8 
 modules/apps/gpg.fc                |    2 
 modules/apps/gpg.te                |    5 
 modules/apps/kdumpgui.te           |    4 
 modules/apps/mozilla.fc            |    1 
 modules/apps/nsplugin.fc           |    1 
 modules/apps/podsleuth.te          |    1 
 modules/apps/pulseaudio.fc         |    2 
 modules/apps/pulseaudio.if         |    4 
 modules/apps/pulseaudio.te         |    8 
 modules/apps/sambagui.te           |    4 
 modules/apps/sandbox.if            |   50 +++
 modules/apps/sandbox.te            |   43 ++-
 modules/apps/vmware.if             |   18 +
 modules/apps/vmware.te             |    9 
 modules/apps/wine.if               |    4 
 modules/apps/wine.te               |   14 +
 modules/kernel/corecommands.fc     |    3 
 modules/kernel/corenetwork.if.in   |   18 +
 modules/kernel/corenetwork.te.in   |    4 
 modules/kernel/devices.fc          |    5 
 modules/kernel/devices.if          |   90 +++++++
 modules/kernel/devices.te          |   18 +
 modules/kernel/files.if            |   20 +
 modules/kernel/filesystem.if       |   58 ++++
 modules/roles/unconfineduser.fc    |    5 
 modules/roles/unconfineduser.te    |    2 
 modules/roles/xguest.te            |    2 
 modules/services/abrt.if           |    5 
 modules/services/abrt.te           |   14 +
 modules/services/afs.te            |    6 
 modules/services/aisexec.te        |    8 
 modules/services/amavis.te         |    1 
 modules/services/apache.fc         |    1 
 modules/services/apache.if         |   27 ++
 modules/services/apache.te         |   12 
 modules/services/apcupsd.te        |    2 
 modules/services/arpwatch.te       |    1 
 modules/services/avahi.fc          |    2 
 modules/services/chronyd.fc        |    2 
 modules/services/chronyd.te        |   15 -
 modules/services/corosync.te       |    6 
 modules/services/cron.te           |    4 
 modules/services/cups.te           |    6 
 modules/services/dovecot.te        |    6 
 modules/services/fail2ban.if       |   18 +
 modules/services/ftp.if            |   37 ++
 modules/services/ftp.te            |  114 +++++++++
 modules/services/git.fc            |   17 -
 modules/services/git.if            |  466 ++++++++++++++++++++++++++++---------
 modules/services/git.te            |  145 ++++++-----
 modules/services/kerberos.if       |    2 
 modules/services/ldap.fc           |    8 
 modules/services/ldap.te           |    7 
 modules/services/lircd.te          |    7 
 modules/services/mailman.te        |    1 
 modules/services/memcached.te      |   14 -
 modules/services/mta.if            |   19 +
 modules/services/mta.te            |    1 
 modules/services/munin.te          |    1 
 modules/services/mysql.te          |    4 
 modules/services/nagios.fc         |   40 +++
 modules/services/nagios.if         |    2 
 modules/services/nagios.te         |    7 
 modules/services/networkmanager.fc |    1 
 modules/services/networkmanager.te |    1 
 modules/services/nis.fc            |    5 
 modules/services/nis.te            |    6 
 modules/services/nx.if             |   18 +
 modules/services/openvpn.te        |    4 
 modules/services/plymouth.te       |   32 +-
 modules/services/policykit.te      |    8 
 modules/services/postfix.te        |    5 
 modules/services/ppp.fc            |    2 
 modules/services/ppp.te            |    6 
 modules/services/prelude.te        |    2 
 modules/services/rgmanager.if      |    2 
 modules/services/rgmanager.te      |   18 +
 modules/services/rhcs.fc           |    8 
 modules/services/rhcs.te           |   47 ++-
 modules/services/samba.te          |   13 -
 modules/services/sendmail.te       |    2 
 modules/services/setroubleshoot.te |    4 
 modules/services/snmp.te           |    4 
 modules/services/snort.te          |    1 
 modules/services/spamassassin.if   |   18 +
 modules/services/spamassassin.te   |    6 
 modules/services/ssh.te            |   80 ------
 modules/services/sssd.fc           |    2 
 modules/services/sssd.if           |   85 +++---
 modules/services/sssd.te           |   14 -
 modules/services/tftp.te           |    1 
 modules/services/tgtd.te           |    1 
 modules/services/tuned.fc          |    3 
 modules/services/tuned.te          |    9 
 modules/services/usbmuxd.fc        |    6 
 modules/services/usbmuxd.if        |   64 +++++
 modules/services/usbmuxd.te        |   44 +++
 modules/services/virt.te           |    5 
 modules/services/xserver.fc        |    7 
 modules/services/xserver.te        |   16 +
 modules/system/application.te      |   12 
 modules/system/fstools.fc          |    1 
 modules/system/hostname.te         |    3 
 modules/system/hotplug.te          |    4 
 modules/system/init.if             |   33 ++
 modules/system/init.te             |   18 +
 modules/system/ipsec.te            |    2 
 modules/system/iptables.if         |    7 
 modules/system/iptables.te         |    2 
 modules/system/iscsi.fc            |    3 
 modules/system/iscsi.te            |   10 
 modules/system/libraries.fc        |   14 -
 modules/system/locallogin.te       |    5 
 modules/system/logging.fc          |    2 
 modules/system/logging.if          |   18 +
 modules/system/logging.te          |    4 
 modules/system/miscfiles.if        |   37 ++
 modules/system/modutils.te         |    1 
 modules/system/mount.te            |   15 +
 modules/system/selinuxutil.te      |    1 
 modules/system/sysnetwork.te       |    1 
 modules/system/udev.te             |    5 
 modules/system/unconfined.if       |    2 
 modules/system/userdomain.fc       |    1 
 modules/system/userdomain.if       |   18 +
 modules/system/xen.te              |    7 
 support/obj_perm_sets.spt          |    5 
 users                              |    2 
 143 files changed, 1953 insertions(+), 445 deletions(-)

Index: policy-20100106.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -p -r1.30 -r1.31
--- policy-20100106.patch	7 Feb 2010 23:45:13 -0000	1.30
+++ policy-20100106.patch	9 Feb 2010 12:22:30 -0000	1.31
@@ -38,8 +38,8 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.6.32/policy/modules/admin/mcelog.te
 --- nsaserefpolicy/policy/modules/admin/mcelog.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/admin/mcelog.te	2010-02-03 17:55:20.114145133 +0100
-@@ -0,0 +1,30 @@
++++ serefpolicy-3.6.32/policy/modules/admin/mcelog.te	2010-02-09 09:59:05.624865373 +0100
+@@ -0,0 +1,31 @@
 +
 +policy_module(mcelog,1.0.0)
 +
@@ -59,6 +59,7 @@ diff -b -B --ignore-all-space --exclude-
 +#
 +# mcelog local policy
 +#
++allow mcelog_t self:capability sys_admin;
 +
 +kernel_read_system_state(mcelog_t)
 +
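Review bot: The new `allow mcelog_t self:capability sys_admin;` line carries no comment saying which operation needs it, and sys_admin is the broadest capability a domain can be granted, so a later reader cannot tell whether a narrower capability or a dontaudit would have been enough. Suggest a one-line comment above it, e.g. `# sys_admin: needed for <operation from the AVC denial - TODO fill in>`. This change is also absent from the Log Message, as are the readahead, cdrecord, kdumpgui, sambagui and dovecot changes in the hunks below. The mcelog_t policy block continues outside the hunk.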
@@ -81,6 +82,18 @@ diff -b -B --ignore-all-space --exclude-
  userdom_manage_user_home_content(prelink_t)
  
  optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.32/policy/modules/admin/readahead.te
+--- nsaserefpolicy/policy/modules/admin/readahead.te	2010-01-18 18:24:22.565530533 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/readahead.te	2010-02-09 10:21:28.868615982 +0100
+@@ -62,6 +62,8 @@
+ fs_search_auto_mountpoints(readahead_t)
+ fs_getattr_all_pipes(readahead_t)
+ fs_getattr_all_files(readahead_t)
++fs_read_cgroup_files(readahead_t)
++fs_read_tmpfs_files(readahead_t)
+ fs_read_tmpfs_symlinks(readahead_t)
+ fs_list_inotifyfs(readahead_t)
+ fs_dontaudit_search_ramfs(readahead_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2010-01-18 18:24:22.567540216 +0100
 +++ serefpolicy-3.6.32/policy/modules/admin/rpm.if	2010-01-29 10:12:23.130864561 +0100
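Review bot: `fs_read_cgroup_files(readahead_t)` and `fs_read_tmpfs_files(readahead_t)` call interfaces that are not in the base nsaserefpolicy filesystem.if; they are only introduced by this same patch's filesystem.if hunk further down, so the two hunks cannot be applied independently. `fs_read_tmpfs_files` grants read access to every generic tmpfs_t file rather than to a readahead-specific type, and a short comment naming what readahead reads there, e.g. `# readahead reads tmpfs content for <reason - TODO confirm from AVC>`, would let a later reviewer judge whether a narrower type is possible. The readahead_t policy block continues outside the hunk.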
@@ -131,7 +144,7 @@ diff -b -B --ignore-all-space --exclude-
  optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.32/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2010-01-18 18:24:22.584530156 +0100
-+++ serefpolicy-3.6.32/policy/modules/admin/usermanage.te	2010-01-26 14:45:59.214713808 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/usermanage.te	2010-02-08 14:09:13.659608943 +0100
 @@ -122,6 +122,10 @@
  # on user home dir
  userdom_dontaudit_search_user_home_content(chfn_t)
@@ -143,6 +156,27 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # Crack local policy
+@@ -252,7 +256,7 @@
+ # Passwd local policy
+ #
+ 
+-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
++allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
+ allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow passwd_t self:process { setrlimit setfscreate };
+ allow passwd_t self:fd use;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-3.6.32/policy/modules/apps/cdrecord.te
+--- nsaserefpolicy/policy/modules/apps/cdrecord.te	2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/apps/cdrecord.te	2010-02-09 09:59:13.342615577 +0100
+@@ -32,6 +32,8 @@
+ allow cdrecord_t self:unix_dgram_socket create_socket_perms;
+ allow cdrecord_t self:unix_stream_socket create_stream_socket_perms;
+ 
++corecmd_exec_bin(cdrecord_t) 
++
+ # allow searching for cdrom-drive
+ dev_list_all_dev_nodes(cdrecord_t) 
+ dev_read_sysfs(cdrecord_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.32/policy/modules/apps/chrome.te
 --- nsaserefpolicy/policy/modules/apps/chrome.te	2010-01-18 18:24:22.588542189 +0100
 +++ serefpolicy-3.6.32/policy/modules/apps/chrome.te	2010-02-02 14:30:20.961067885 +0100
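Review bot: The new cdrecord.te line `corecmd_exec_bin(cdrecord_t) ` ends with a trailing space, copying the pre-existing whitespace on the `dev_list_all_dev_nodes(cdrecord_t) ` line below it; it should read `corecmd_exec_bin(cdrecord_t)`. The passwd_t change adds sys_nice without a comment on why a password-changing tool needs to alter scheduling priority; `# sys_nice: <reason from AVC - TODO fill in>` above the allow rule would document it. Both the passwd_t and cdrecord_t policy blocks continue outside the hunk.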
@@ -386,6 +420,20 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # GPG helper local policy
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.6.32/policy/modules/apps/kdumpgui.te
+--- nsaserefpolicy/policy/modules/apps/kdumpgui.te	2010-01-18 18:24:22.610530600 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/kdumpgui.te	2010-02-08 11:58:12.837586833 +0100
+@@ -56,6 +56,10 @@
+ userdom_dontaudit_search_admin_dir(kdumpgui_t)
+ 
+ optional_policy(`
++	gnome_dontaudit_search_config(kdumpgui_t)
++')    
++
++optional_policy(`
+         dev_rw_lvm_control(kdumpgui_t)
+ ')
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.32/policy/modules/apps/mozilla.fc
 --- nsaserefpolicy/policy/modules/apps/mozilla.fc	2010-01-18 18:24:22.616539953 +0100
 +++ serefpolicy-3.6.32/policy/modules/apps/mozilla.fc	2010-01-18 18:27:02.741544960 +0100
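Review bot: The closing `')    ` of the new optional_policy block in kdumpgui.te has trailing whitespace and should be just `')`; the parallel sambagui.te hunk below already writes it cleanly. The new block is tab-indented while the neighbouring pre-existing `dev_rw_lvm_control(kdumpgui_t)` line is indented with spaces, so the file now mixes both styles within a few lines. Whether gnome_dontaudit_search_config is defined in this patch's gnome.if changes cannot be confirmed from this hunk; if it is new, the gnome.if and kdumpgui.te/sambagui.te hunks must land together.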
@@ -466,6 +514,20 @@ diff -b -B --ignore-all-space --exclude-
  can_exec(pulseaudio_t, pulseaudio_exec_t)
  
  kernel_getattr_proc(pulseaudio_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.32/policy/modules/apps/sambagui.te
+--- nsaserefpolicy/policy/modules/apps/sambagui.te	2010-01-18 18:24:22.646540277 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/sambagui.te	2010-02-08 10:39:43.173336716 +0100
+@@ -52,6 +52,10 @@
+ userdom_dontaudit_search_admin_dir(sambagui_t)
+ 
+ optional_policy(`
++	gnome_dontaudit_search_config(sambagui_t)
++')
++
++optional_policy(`
+ 	consoletype_exec(sambagui_t)
+ ')
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if
 --- nsaserefpolicy/policy/modules/apps/sandbox.if	2010-01-18 18:24:22.648539903 +0100
 +++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if	2010-01-22 15:41:50.752727640 +0100
@@ -804,7 +866,7 @@ diff -b -B --ignore-all-space --exclude-
  	domain_mmap_low(wine_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2010-01-18 18:24:22.665531100 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc	2010-02-04 18:36:15.524100702 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc	2010-02-09 09:59:17.989881706 +0100
 @@ -219,7 +219,7 @@
  /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)
@@ -814,6 +876,14 @@ diff -b -B --ignore-all-space --exclude-
  /usr/share/cluster/svclib_nfslock  --   gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/SAPInstance  --      gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/SAPDatabase  --      gen_context(system_u:object_r:bin_t,s0)
+@@ -237,6 +237,7 @@
+ /usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/sectool/.*\.py       --      gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/smolt/client(/.*)?	gen_context(system_u:object_r:bin_t,s0)
++/usr/share/shorewall/compiler\.pl	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall-perl(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall-shell(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.if.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2009-09-16 16:01:19.000000000 +0200
 +++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.if.in	2010-02-02 15:20:43.717067439 +0100
@@ -894,7 +964,7 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2010-01-18 18:24:22.673530022 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if	2010-02-04 18:30:05.373350781 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if	2010-02-09 09:59:21.541627154 +0100
 @@ -1398,6 +1398,42 @@
  	rw_chr_files_pattern($1, device_t, crypt_device_t)
  ')
@@ -938,7 +1008,32 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  ## <summary>
  ##	getattr the dri devices.
-@@ -3551,6 +3587,24 @@
+@@ -1728,6 +1764,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Write to the kernel messages device
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_write_kmsg',`
++	gen_require(`
++		type device_t, kmsg_device_t;
++	')
++
++	write_chr_files_pattern($1, device_t, kmsg_device_t)
++')
++
++########################################
++## <summary>
+ ##	Get the attributes of the ksm devices.
+ ## </summary>
+ ## <param name="domain">
+@@ -3551,6 +3605,24 @@
  	rw_chr_files_pattern($1, device_t, usb_device_t)
  ')
  
@@ -963,7 +1058,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  ## <summary>
  ##	Mount a usbfs filesystem.
-@@ -3833,6 +3887,24 @@
+@@ -3833,6 +3905,24 @@
  	write_chr_files_pattern($1, device_t, v4l_device_t)
  ')
  
@@ -1057,8 +1152,60 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2010-01-18 18:24:22.697530142 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if	2010-01-29 10:02:57.270864470 +0100
-@@ -4409,3 +4409,23 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if	2010-02-09 09:59:39.756615405 +0100
+@@ -3496,6 +3496,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Read generic tmpfs files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_read_tmpfs_files',`
++	gen_require(`
++		type tmpfs_t;
++	')
++
++	read_files_pattern($1, tmpfs_t, tmpfs_t)
++')
++
++########################################
++## <summary>
+ ##	Read and write generic tmpfs files.
+ ## </summary>
+ ## <param name="domain">
+@@ -4297,6 +4315,26 @@
+ 
+ ########################################
+ ## <summary>
++##	Read files on cgroup
++##	file systems.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_read_cgroup_files',`
++	gen_require(`
++		type cgroup_t;
++
++	')
++
++	read_files_pattern($1, cgroup_t, cgroup_t)
++')
++
++########################################
++## <summary>
+ ##	Read and write files on cgroup
+ ##	file systems.
+ ## </summary>
+@@ -4409,3 +4447,23 @@
  	write_files_pattern($1, cgroup_t, cgroup_t)
  ')
  
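Review bot: The gen_require block of the new fs_read_cgroup_files interface has a stray empty line between `type cgroup_t;` and `')`, unlike fs_read_tmpfs_files added in the same hunk; drop the blank line so the two interfaces read consistently. Both interfaces are consumed by the readahead.te hunk earlier in this diff, so that hunk depends on this one. The final inner sub-hunk (`@@ -4409,3 +4447,23 @@`) is only a renumbering here, and its remaining lines lie outside this outer hunk.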
@@ -1533,7 +1680,7 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2010-01-18 18:24:22.782530547 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te	2010-01-27 16:52:32.499864534 +0100
++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te	2010-02-08 11:55:25.971336166 +0100
 @@ -82,6 +82,7 @@
  manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
  
@@ -1542,7 +1689,15 @@ diff -b -B --ignore-all-space --exclude-
  manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
  files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
  
-@@ -277,6 +278,8 @@
+@@ -94,6 +95,7 @@
+ corenet_tcp_sendrecv_generic_node(dovecot_t)
+ corenet_tcp_sendrecv_all_ports(dovecot_t)
+ corenet_tcp_bind_generic_node(dovecot_t)
++corenet_tcp_bind_mail_port(dovecot_t)
+ corenet_tcp_bind_pop_port(dovecot_t)
+ corenet_tcp_connect_all_ports(dovecot_t)
+ corenet_tcp_connect_postgresql_port(dovecot_t)
+@@ -277,6 +279,8 @@
  ')
  
  tunable_policy(`use_nfs_home_dirs',`
@@ -1551,7 +1706,7 @@ diff -b -B --ignore-all-space --exclude-
  	fs_manage_nfs_files(dovecot_deliver_t)
  	fs_manage_nfs_symlinks(dovecot_deliver_t)
  	fs_manage_nfs_files(dovecot_t)
-@@ -284,6 +287,8 @@
+@@ -284,6 +288,8 @@
  ')
  
  tunable_policy(`use_samba_home_dirs',`
@@ -1772,75 +1927,889 @@ diff -b -B --ignore-all-space --exclude-
 +')   
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.6.32/policy/modules/services/git.fc
 --- nsaserefpolicy/policy/modules/services/git.fc	2010-01-18 18:24:22.788540040 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/git.fc	2010-01-22 12:32:18.191604638 +0100
-@@ -1,6 +1,9 @@
- /var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
- /var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++++ serefpolicy-3.6.32/policy/modules/services/git.fc	2010-02-09 12:46:59.674881314 +0100
+@@ -1,9 +1,16 @@
+-/var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
+-/var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++HOME_DIR/public_git(/.*)?			gen_context(system_u:object_r:git_session_content_t, s0)
++HOME_DIR/\.gitconfig		--		gen_context(system_u:object_r:git_session_content_t, s0)
  
-+/var/www/git(/.*)?			gen_context(system_u:object_r:httpd_git_content_t,s0)
-+/var/www/git/gitweb\.cgi --	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)   
-+
- /srv/git(/.*)?					gen_context(system_u:object_r:git_data_t, s0)
+-/srv/git(/.*)?					gen_context(system_u:object_r:git_data_t, s0)
++/srv/git(/.*)?					gen_context(system_u:object_r:git_system_content_t, s0)
  
  /usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t, s0)
+ 
+-# Conflict with Fedora cgit fc spec.
+-/var/lib/git(/.*)?				gen_context(system_u:object_r:git_data_t, s0)
++/var/cache/cgit(/.*)?				gen_context(system_u:object_r:httpd_git_content_rw_t,s0)
++/var/www/cgi-bin/cgit		--		gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++
++/var/www/git(/.*)?				gen_context(system_u:object_r:httpd_git_content_t,s0)
++
++/var/www/git/gitweb.cgi			gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++
++/var/lib/git(/.*)?				gen_context(system_u:object_r:git_system_content_t, s0)
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.6.32/policy/modules/services/git.if
 --- nsaserefpolicy/policy/modules/services/git.if	2010-01-18 18:24:22.789540167 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/git.if	2010-01-22 12:30:50.923622237 +0100
-@@ -104,7 +104,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/git.if	2010-02-09 12:46:59.675881993 +0100
+@@ -1,4 +1,4 @@
+-## <summary>Git daemon is a really simple server for Git repositories.</summary>
++## <summary>Git - Fast Version Control System.</summary>
+ ## <desc>
+ ##	<p>
+ ##		A really simple TCP git daemon that normally listens on
+@@ -6,27 +6,6 @@
+ ##		connection asking for a service, and will serve that
+ ##		service if it is enabled.
+ ##	</p>
+-##	<p>
+-##		It verifies that the directory has the magic file
+-##		git-daemon-export-ok, and it will refuse to export any
+-##		git directory that has not explicitly been marked for
+-##		export this way (unless the --export-all parameter is
+-##		specified). If you pass some directory paths as
+-##		git-daemon arguments, you can further restrict the
+-##		offers to a whitelist comprising of those.
+-##	</p>
+-##	<p>
+-##		By default, only upload-pack service is enabled, which
+-##		serves git-fetch-pack and git-ls-remote clients, which
+-##		are invoked from git-fetch, git-pull, and git-clone.
+-##	</p>
+-##	<p>
+-##		This is ideally suited for read-only updates, i.e.,
+-##		pulling from git repositories.
+-##	</p>
+-##	<p>
+-##		An upload-archive also exists to serve git-archive.
+-##	</p>
+ ## </desc>
+ 
+ #######################################
+@@ -46,50 +25,172 @@
+ #
+ interface(`git_session_role', `
+ 	gen_require(`
+-		type gitd_session_t, gitd_exec_t, git_home_t;
++		type git_session_t, gitd_exec_t;
  	')
  
- 	exec_files_pattern($1, git_data_t, git_data_t)
--	files_search_var($1)
+ 	########################################
+ 	#
+-	# Git daemon session data declarations.
++	# Git daemon session shared declarations.
+ 	#
+ 
+-	## <desc>
+-	## <p>
+-	## Allow transitions to the Git daemon
+-	## session domain.
+-	## </p>
+-	## </desc>
+-	gen_tunable(gitd_session_transition, false)
++	role $1 types git_session_t;
++
++	########################################
++	#
++	# Git daemon session shared policy.
++	#
++
++	domtrans_pattern($2, gitd_exec_t, git_session_t)
++
++	allow $2 git_session_t:process { ptrace signal_perms };
++	ps_process_pattern($2, git_session_t)
++')
++
++########################################
++## <summary>
++##	Create a set of derived types for Git
++##	daemon shared repository content.
++## </summary>
++## <param name="prefix">
++##	<summary>
++##	The prefix to be used for deriving type names.
++##	</summary>
++## </param>
++#
++template(`git_content_template',`
+ 
+-	role $1 types gitd_session_t;
++	gen_require(`
++		attribute git_system_content;
++		attribute git_content;
++	')
+ 
+ 	########################################
+ 	#
+-	# Git daemon session data policy.
++	# Git daemon content shared declarations.
++	#
++
++	type git_$1_content_t, git_system_content, git_content;
++	files_type(git_$1_content_t)
++')
++
++########################################
++## <summary>
++##	Create a set of derived types for Git
++##	daemon shared repository roles.
++## </summary>
++## <param name="prefix">
++##	<summary>
++##	The prefix to be used for deriving type names.
++##	</summary>
++## </param>
+ 	#
++template(`git_role_template',`
+ 
+-	tunable_policy(`gitd_session_transition', `
+-		domtrans_pattern($2, gitd_exec_t, gitd_session_t)
+-	', `
+-		can_exec($2, gitd_exec_t)
++	gen_require(`
++		class context contains;
++		role system_r;
+ 	')
+ 
+-	allow $2 gitd_session_t:process { ptrace signal_perms };
+-	ps_process_pattern($2, gitd_session_t)
++	########################################
++	#
++	# Git daemon role shared declarations.
++	#
++
++	attribute $1_usertype;
+ 
+-	exec_files_pattern($2, git_home_t, git_home_t)
+-	manage_dirs_pattern($2, git_home_t, git_home_t)
+-	manage_files_pattern($2, git_home_t, git_home_t)
++	type $1_t;
++	userdom_unpriv_usertype($1, $1_t)
++	domain_type($1_t)
+ 
+-	relabel_dirs_pattern($2, git_home_t, git_home_t)
+-	relabel_files_pattern($2, git_home_t, git_home_t)
++	role $1_r types $1_t;
++	allow system_r $1_r;
++
++	########################################
++	#
++	# Git daemon role shared policy.
++	#
++
++	allow $1_t self:context contains;
++	allow $1_t self:fifo_file rw_fifo_file_perms;
++
++	corecmd_exec_bin($1_t)
++	corecmd_bin_entry_type($1_t)
++	corecmd_shell_entry_type($1_t)
++
++	domain_interactive_fd($1_t)
++	domain_user_exemption_target($1_t)
++
++	kernel_read_system_state($1_t)
++
++	files_read_etc_files($1_t)
++	files_dontaudit_search_home($1_t)
++
++	miscfiles_read_localization($1_t)
++
++	git_rwx_generic_system_content($1_t)
++
++	ssh_rw_stream_sockets($1_t)
++
++	tunable_policy(`git_system_use_cifs',`
++		fs_exec_cifs_files($1_t)
++		fs_manage_cifs_dirs($1_t)
++		fs_manage_cifs_files($1_t)
++	')
++
++	tunable_policy(`git_system_use_nfs',`
++		fs_exec_nfs_files($1_t)
++		fs_manage_nfs_dirs($1_t)
++		fs_manage_nfs_files($1_t)
++	')
++
++	optional_policy(`
++		nscd_read_pid($1_t)
++	')
++')
++
++#######################################
++## <summary>
++##	Allow specified domain access to the
++##	specified Git daemon content.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="object">
++##	<summary>
++##	Type of the object that access is allowed to.
++##	</summary>
++## </param>
++#
++interface(`git_content_delegation',`
++	gen_require(`
++		type $1, $2;
++	')
++
++	exec_files_pattern($1, $2, $2)
++	manage_dirs_pattern($1, $2, $2)
++	manage_files_pattern($1, $2, $2)
++	files_search_var($1)
++
++	tunable_policy(`git_system_use_cifs',`
++		fs_exec_cifs_files($1)
++		fs_manage_cifs_dirs($1)
++		fs_manage_cifs_files($1)
++	')
++
++	tunable_policy(`git_system_use_nfs',`
++		fs_exec_nfs_files($1)
++		fs_manage_nfs_dirs($1)
++		fs_manage_nfs_files($1)
++	')
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow the specified domain to execute
+-##	Git daemon data files.
++##	Allow the specified domain to manage
++##	and execute all Git daemon content.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -98,19 +199,46 @@
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`git_execute_data_files', `
++interface(`git_rwx_all_content',`
+ 	gen_require(`
+-		type git_data_t;
++		attribute git_content;
+ 	')
+ 
+-	exec_files_pattern($1, git_data_t, git_data_t)
++	exec_files_pattern($1, git_content, git_content)
++	manage_dirs_pattern($1, git_content, git_content)
++	manage_files_pattern($1, git_content, git_content)
++	userdom_search_user_home_dirs($1)
+ 	files_search_var($1)
++
++	tunable_policy(`use_nfs_home_dirs',`
++		fs_exec_nfs_files($1)
++		fs_manage_nfs_dirs($1)
++		fs_manage_nfs_files($1)
++	')
++
++	tunable_policy(`use_samba_home_dirs',`
++		fs_exec_cifs_files($1)
++		fs_manage_cifs_dirs($1)
++		fs_manage_cifs_files($1)
++	')
++
++	tunable_policy(`git_system_use_cifs',`
++		fs_exec_cifs_files($1)
++		fs_manage_cifs_dirs($1)
++		fs_manage_cifs_files($1)
++	')
++
++	tunable_policy(`git_system_use_nfs',`
++		fs_exec_nfs_files($1)
++		fs_manage_nfs_dirs($1)
++		fs_manage_nfs_files($1)
++	')
+ ')
+ 
+ ########################################
+ ## <summary>
+ ##	Allow the specified domain to manage
+-##	Git daemon data content.
++##	and execute all Git daemon system content.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -119,20 +247,33 @@
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`git_manage_data_content', `
++interface(`git_rwx_all_system_content',`
+ 	gen_require(`
+-		type git_data_t;
++		attribute git_system_content;
+ 	')
+ 
+-	manage_dirs_pattern($1, git_data_t, git_data_t)
+-	manage_files_pattern($1, git_data_t, git_data_t)
++	exec_files_pattern($1, git_system_content, git_system_content)
++	manage_dirs_pattern($1, git_system_content, git_system_content)
++	manage_files_pattern($1, git_system_content, git_system_content)
+ 	files_search_var($1)
++
++	tunable_policy(`git_system_use_cifs',`
++		fs_exec_cifs_files($1)
++		fs_manage_cifs_dirs($1)
++		fs_manage_cifs_files($1)
++	')
++
++	tunable_policy(`git_system_use_nfs',`
++		fs_exec_nfs_files($1)
++		fs_manage_nfs_dirs($1)
++		fs_manage_nfs_files($1)
++	')
+ ')
+ 
+ ########################################
+ ## <summary>
+ ##	Allow the specified domain to manage
+-##	Git daemon home content.
++##	and execute Git daemon generic system content.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -141,20 +282,33 @@
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`git_manage_home_content', `
++interface(`git_rwx_generic_system_content',`
+ 	gen_require(`
+-		type git_home_t;
++		type git_system_content_t;
++	')
++
++	exec_files_pattern($1, git_system_content_t, git_system_content_t)
++	manage_dirs_pattern($1, git_system_content_t, git_system_content_t)
++	manage_files_pattern($1, git_system_content_t, git_system_content_t)
++	files_search_var($1)
++
++	tunable_policy(`git_system_use_cifs',`
++		fs_exec_cifs_files($1)
++		fs_manage_cifs_dirs($1)
++		fs_manage_cifs_files($1)
+ 	')
+ 
+-	manage_dirs_pattern($1, git_home_t, git_home_t)
+-	manage_files_pattern($1, git_home_t, git_home_t)
+-	files_search_home($1)
++	tunable_policy(`git_system_use_nfs',`
++		fs_exec_nfs_files($1)
++		fs_manage_nfs_dirs($1)
++		fs_manage_nfs_files($1)
++	')
+ ')
+ 
+ ########################################
+ ## <summary>
+ ##	Allow the specified domain to read
+-##	Git daemon home content.
++##	all Git daemon content files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -163,20 +317,41 @@
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`git_read_home_content', `
++interface(`git_read_all_content_files',`
+ 	gen_require(`
+-		type git_home_t;
++		attribute git_content;
++	')
++
++	list_dirs_pattern($1, git_content, git_content)
++	read_files_pattern($1, git_content, git_content)
++	userdom_search_user_home_dirs($1)
 +	files_search_var_lib($1)
++
++	tunable_policy(`use_nfs_home_dirs',`
++		fs_list_nfs($1)
++		fs_read_nfs_files($1)
++	')
++
++	tunable_policy(`use_samba_home_dirs',`
++		fs_list_cifs($1)
++		fs_read_cifs_files($1)
++	')
++
++	tunable_policy(`git_system_use_cifs',`
++		fs_list_cifs($1)
++		fs_read_cifs_files($1)
+ 	')
+ 
+-	list_dirs_pattern($1, git_home_t, git_home_t)
+-	read_files_pattern($1, git_home_t, git_home_t)
+-	files_search_home($1)
++	tunable_policy(`git_system_use_nfs',`
++		fs_list_nfs($1)
++		fs_read_nfs_files($1)
++	')
  ')
  
  ########################################
-@@ -126,7 +126,7 @@
+ ## <summary>
+ ##	Allow the specified domain to read
+-##	Git daemon data content.
++##	Git daemon session content files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -185,20 +360,30 @@
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`git_read_data_content', `
++interface(`git_read_session_content_files',`
+ 	gen_require(`
+-		type git_data_t;
++		type git_session_content_t;
+ 	')
  
- 	manage_dirs_pattern($1, git_data_t, git_data_t)
- 	manage_files_pattern($1, git_data_t, git_data_t)
+-	list_dirs_pattern($1, git_data_t, git_data_t)
+-	read_files_pattern($1, git_data_t, git_data_t)
 -	files_search_var($1)
-+	files_search_var_lib($1)
++	list_dirs_pattern($1, git_session_content_t, git_session_content_t)
++	read_files_pattern($1, git_session_content_t, git_session_content_t)
++	userdom_search_user_home_dirs($1)
++
++	tunable_policy(`use_nfs_home_dirs',`
++		fs_list_nfs($1)
++		fs_read_nfs_files($1)
++	')
++
++	tunable_policy(`use_samba_home_dirs',`
++		fs_list_cifs($1)
++		fs_read_cifs_files($1)
++	')
  ')
  
  ########################################
-@@ -192,7 +192,7 @@
+ ## <summary>
+-##	Allow the specified domain to relabel
+-##	Git daemon data content.
++##	Allow the specified domain to read
++##	all Git daemon system content files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -207,20 +392,30 @@
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`git_relabel_data_content', `
++interface(`git_read_all_system_content_files',`
+ 	gen_require(`
+-		type git_data_t;
++		attribute git_system_content;
+ 	')
  
- 	list_dirs_pattern($1, git_data_t, git_data_t)
- 	read_files_pattern($1, git_data_t, git_data_t)
+-	relabel_dirs_pattern($1, git_data_t, git_data_t)
+-	relabel_files_pattern($1, git_data_t, git_data_t)
 -	files_search_var($1)
++	list_dirs_pattern($1, git_system_content, git_system_content)
++	read_files_pattern($1, git_system_content, git_system_content)
 +	files_search_var_lib($1)
++
++	tunable_policy(`git_system_use_cifs',`
++		fs_list_cifs($1)
++		fs_read_cifs_files($1)
++	')
++
++	tunable_policy(`git_system_use_nfs',`
++		fs_list_nfs($1)
++		fs_read_nfs_files($1)
++	')
  ')
  
  ########################################
-@@ -214,7 +214,7 @@
+ ## <summary>
+-##	Allow the specified domain to relabel
+-##	Git daemon home content.
++##	Allow the specified domain to read
++##	Git daemon generic system content files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -229,57 +424,112 @@
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`git_relabel_home_content', `
++interface(`git_read_generic_system_content_files',`
+ 	gen_require(`
+-		type git_home_t;
++		type git_system_content_t;
+ 	')
  
- 	relabel_dirs_pattern($1, git_data_t, git_data_t)
- 	relabel_files_pattern($1, git_data_t, git_data_t)
--	files_search_var($1)
+-	relabel_dirs_pattern($1, git_home_t, git_home_t)
+-	relabel_files_pattern($1, git_home_t, git_home_t)
+-	files_search_home($1)
++	list_dirs_pattern($1, git_system_content_t, git_system_content_t)
++	read_files_pattern($1, git_system_content_t, git_system_content_t)
 +	files_search_var_lib($1)
++
++	tunable_policy(`git_system_use_cifs',`
++		fs_list_cifs($1)
++		fs_read_cifs_files($1)
++	')
++
++	tunable_policy(`git_system_use_nfs',`
++		fs_list_nfs($1)
++		fs_read_nfs_files($1)
++	')
  ')
  
  ########################################
+ ## <summary>
+-##	All of the rules required to administrate an
+-##	Git daemon system environment
++##	Allow the specified domain to relabel
++##	all Git daemon content.
+ ## </summary>
+-## <param name="userdomain_prefix">
++## <param name="domain">
+ ##	<summary>
+-##	Prefix of the domain. Example, user would be
+-##	the prefix for the user_t domain.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
++#
++interface(`git_relabel_all_content',`
++	gen_require(`
++		attribute git_content;
++	')
++
++	relabel_dirs_pattern($1, git_content, git_content)
++	relabel_files_pattern($1, git_content, git_content)
++	userdom_search_user_home_dirs($1)
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to relabel
++##	all Git daemon system content.
++## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="role">
++## <rolecap/>
++#
++interface(`git_relabel_all_system_content',`
++	gen_require(`
++		attribute git_system_content;
++	')
++
++	relabel_dirs_pattern($1, git_system_content, git_system_content)
++	relabel_files_pattern($1, git_system_content, git_system_content)
++	files_search_var_lib($1)
++')
++
++########################################
+ ##	<summary>
+-##	The role to be allowed to manage the Git daemon domain.
++##	Allow the specified domain to relabel
++##	Git daemon generic system content.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`git_system_admin', `
++interface(`git_relabel_generic_system_content',`
+ 	gen_require(`
+-		type gitd_t, gitd_exec_t;
++		type git_system_content_t;
+ 	')
+ 
+-	allow $1 gitd_t:process { getattr ptrace signal_perms };
+-	ps_process_pattern($1, gitd_t)
+-
+-	kernel_search_proc($1)
+-
+-	manage_files_pattern($1, gitd_exec_t, gitd_exec_t)
+-
+-	# This will not work since git-shell needs to execute gitd content thus public content files.
+-	# There is currently no clean way to execute public content files.
+-	# miscfiles_manage_public_files($1)
++	relabel_dirs_pattern($1, git_system_content_t, git_system_content_t)
++	relabel_files_pattern($1, git_system_content_t, git_system_content_t)
++	files_search_var_lib($1)
++')
+ 
+-	git_manage_data_content($1)
+-	git_relabel_data_content($1)
++########################################
++## <summary>
++##	Allow the specified domain to relabel
++##	Git daemon session content.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`git_relabel_session_content',`
++	gen_require(`
++		type git_session_content_t;
++	')
+ 
+-	seutil_domtrans_setfiles($1)
++	relabel_dirs_pattern($1, git_session_content_t, git_session_content_t)
++	relabel_files_pattern($1, git_session_content_t, git_session_content_t)
++	userdom_search_user_home_dirs($1)
+ ')
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.32/policy/modules/services/git.te
 --- nsaserefpolicy/policy/modules/services/git.te	2010-01-18 18:24:22.790540016 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/git.te	2010-01-22 12:32:35.787604988 +0100
-@@ -73,7 +73,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/git.te	2010-02-09 12:46:59.675881993 +0100
+@@ -1,13 +1,5 @@
+ 
+-policy_module(git, 1.0)
+-
+-attribute gitd_type;
+-attribute git_content_type;
+-
+-########################################
+-#
+-# Git daemon system private declarations.
+-#
++policy_module(git, 1.0.3)
+ 
+ ## <desc>
+ ## <p>
+@@ -34,20 +26,29 @@
+ #
+ # Git daemon global private declarations.
+ #
++
++attribute git_domains;
++attribute git_system_content;
++attribute git_content;
++
+ type gitd_exec_t;
+ 
+-type gitd_t, gitd_type;
+-inetd_service_domain(gitd_t, gitd_exec_t)
+-role system_r types gitd_t;
++########################################
++#
++# Git daemon system private declarations.
++#
+ 
+-type git_data_t, git_content_type;
+-files_type(git_data_t)
++type git_system_t, git_domains;
++inetd_service_domain(git_system_t, gitd_exec_t)
++role system_r types git_system_t;
+ 
+-permissive gitd_t;
++type git_system_content_t, git_system_content, git_content;
++files_type(git_system_content_t)
++typealias git_system_content_t alias git_data_t;
+ 
+ ########################################
+ #
+-# Git daemon session session private declarations.
++# Git daemon session private declarations.
+ #
+ 
+ ## <desc>
+@@ -58,85 +59,82 @@
+ ## </desc>
+ gen_tunable(git_session_bind_all_unreserved_ports, false)
+ 
+-type gitd_session_t, gitd_type;
+-application_domain(gitd_session_t, gitd_exec_t)
+-ubac_constrained(gitd_session_t)
+-
+-type git_home_t, git_content_type;
+-userdom_user_home_content(git_home_t)
++type git_session_t, git_domains;
++application_domain(git_session_t, gitd_exec_t)
++ubac_constrained(git_session_t)
+ 
+-permissive gitd_session_t;
++type git_session_content_t, git_content;
++userdom_user_home_content(git_session_content_t)
+ 
+ ########################################
+ #
+ # Git daemon global private policy.
  #
  
- allow gitd_type self:fifo_file rw_fifo_file_perms;
+-allow gitd_type self:fifo_file rw_fifo_file_perms;
 -allow gitd_type self:tcp_socket create_socket_perms;
-+allow gitd_type self:tcp_socket create_stream_socket_perms;
- allow gitd_type self:udp_socket create_socket_perms;
- allow gitd_type self:unix_dgram_socket create_socket_perms;
+-allow gitd_type self:udp_socket create_socket_perms;
+-allow gitd_type self:unix_dgram_socket create_socket_perms;
++allow git_domains self:fifo_file rw_fifo_file_perms;
++allow git_domains self:netlink_route_socket create_netlink_socket_perms;
++allow git_domains self:tcp_socket { create_socket_perms listen };
++allow git_domains self:udp_socket create_socket_perms;
++allow git_domains self:unix_dgram_socket create_socket_perms;
+ 
+-corenet_all_recvfrom_netlabel(gitd_type)
+-corenet_all_recvfrom_unlabeled(gitd_type)
++corenet_all_recvfrom_netlabel(git_domains)
++corenet_all_recvfrom_unlabeled(git_domains)
+ 
+-corenet_tcp_sendrecv_all_if(gitd_type)
+-corenet_tcp_sendrecv_all_nodes(gitd_type)
+-corenet_tcp_sendrecv_all_ports(gitd_type)
++corenet_tcp_bind_generic_node(git_domains)
+ 
+-corenet_tcp_bind_all_nodes(gitd_type)
+-corenet_tcp_bind_git_port(gitd_type)
++corenet_tcp_sendrecv_generic_if(git_domains)
++corenet_tcp_sendrecv_generic_node(git_domains)
++corenet_tcp_sendrecv_generic_port(git_domains)
+ 
+-corecmd_exec_bin(gitd_type)
++corenet_tcp_bind_git_port(git_domains)
++corenet_sendrecv_git_server_packets(git_domains)
+ 
+-files_read_etc_files(gitd_type)
+-files_read_usr_files(gitd_type)
++corecmd_exec_bin(git_domains)
+ 
+-fs_search_auto_mountpoints(gitd_type)
++files_read_etc_files(git_domains)
++files_read_usr_files(git_domains)
+ 
+-kernel_read_system_state(gitd_type)
++fs_search_auto_mountpoints(git_domains)
+ 
+-logging_send_syslog_msg(gitd_type)
++kernel_read_system_state(git_domains)
+ 
+-auth_use_nsswitch(gitd_type)
++auth_use_nsswitch(git_domains)
+ 
+-miscfiles_read_localization(gitd_type)
++logging_send_syslog_msg(git_domains)
++
++miscfiles_read_localization(git_domains)
+ 
+ ########################################
+ #
+ # Git daemon system repository private policy.
+ #
+ 
+-list_dirs_pattern(gitd_t, git_content_type, git_content_type)
+-read_files_pattern(gitd_t, git_content_type, git_content_type)
+-files_search_var(gitd_t)
+-
+-# This will not work since git-shell needs to execute gitd content thus public content files.
+-# There is currently no clean way to execute public content files.
+-# miscfiles_read_public_files(gitd_t)
++list_dirs_pattern(git_system_t, git_content, git_content)
++read_files_pattern(git_system_t, git_content, git_content)
++files_search_var(git_system_t)
+ 
+ tunable_policy(`git_system_enable_homedirs', `
+-	userdom_search_user_home_dirs(gitd_t)
++	userdom_search_user_home_dirs(git_system_t)
+ ')
+ 
+ tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
+-	fs_list_nfs(gitd_t)
+-	fs_read_nfs_files(gitd_t)
++	fs_list_nfs(git_system_t)
++	fs_read_nfs_files(git_system_t)
+ ')
+ 
+ tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
+-	fs_list_cifs(gitd_t)
+-	fs_read_cifs_files(gitd_t)
++	fs_list_cifs(git_system_t)
++	fs_read_cifs_files(git_system_t)
+ ')
  
-@@ -171,3 +171,6 @@
+ tunable_policy(`git_system_use_cifs', `
+-	fs_list_cifs(gitd_t)
+-	fs_read_cifs_files(gitd_t)
++	fs_list_cifs(git_system_t)
++	fs_read_cifs_files(git_system_t)
+ ')
+ 
+ tunable_policy(`git_system_use_nfs', `
+-	fs_list_nfs(gitd_t)
+-	fs_read_nfs_files(gitd_t)
++	fs_list_nfs(git_system_t)
++	fs_read_nfs_files(git_system_t)
+ ')
+ 
+ ########################################
+@@ -144,24 +142,24 @@
+ # Git daemon session repository private policy.
+ #
+ 
+-list_dirs_pattern(gitd_session_t, git_home_t, git_home_t)
+-read_files_pattern(gitd_session_t, git_home_t, git_home_t)
+-userdom_search_user_home_dirs(gitd_session_t)
++list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
++read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
++userdom_search_user_home_dirs(git_session_t)
+ 
+-userdom_use_user_terminals(gitd_session_t)
++userdom_use_user_terminals(git_session_t)
+ 
+ tunable_policy(`git_session_bind_all_unreserved_ports', `
+-	corenet_tcp_bind_all_unreserved_ports(gitd_session_t)
++	corenet_tcp_bind_all_unreserved_ports(git_session_t)
+ ')
+ 
+ tunable_policy(`use_nfs_home_dirs', `
+-	fs_list_nfs(gitd_session_t)
+-	fs_read_nfs_files(gitd_session_t)
++	fs_list_nfs(git_session_t)
++	fs_read_nfs_files(git_session_t)
+ ')
+ 
+ tunable_policy(`use_samba_home_dirs', `
+-	fs_list_cifs(gitd_session_t)
+-	fs_read_cifs_files(gitd_session_t)
++	fs_list_cifs(git_session_t)
++	fs_read_cifs_files(git_session_t)
+ ')
+ 
+ ########################################
+@@ -169,5 +167,16 @@
+ # cgi git Declarations
+ #
  
++optional_policy(`
  apache_content_template(git)
- git_read_data_content(httpd_git_script_t)
+-git_read_data_content(httpd_git_script_t)
++	git_read_session_content_files(httpd_git_script_t)
++	files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
++')
 +
-+files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) 
++########################################
++#
++# Git-shell private policy.
++#
 +
++#git_role_template(git_shell)
++#gen_user(git_shell_u, user, git_shell_r, s0, s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.32/policy/modules/services/kerberos.if
 --- nsaserefpolicy/policy/modules/services/kerberos.if	2010-01-18 18:24:22.799531033 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/kerberos.if	2010-01-22 17:08:10.300604739 +0100
@@ -1855,17 +2824,21 @@ diff -b -B --ignore-all-space --exclude-
  	tunable_policy(`allow_kerberos',`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.6.32/policy/modules/services/ldap.fc
 --- nsaserefpolicy/policy/modules/services/ldap.fc	2009-09-16 16:01:19.000000000 +0200
-+++ serefpolicy-3.6.32/policy/modules/services/ldap.fc	2010-01-29 10:17:34.113864636 +0100
-@@ -2,6 +2,8 @@
++++ serefpolicy-3.6.32/policy/modules/services/ldap.fc	2010-02-09 10:45:23.074866029 +0100
+@@ -1,8 +1,12 @@
+ 
  /etc/ldap/slapd\.conf	--	gen_context(system_u:object_r:slapd_etc_t,s0)
++/etc/openldap/slapd\.d(/.*)?	gen_context(system_u:object_r:slapd_db_t,s0)
++
  /etc/rc\.d/init\.d/ldap	--	gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/dirsrv.* --  gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
  
-+/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
-+
  /usr/sbin/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
++/usr/sbin/ns-slapd 	--	gen_context(system_u:object_r:slapd_exec_t,s0)
  
  ifdef(`distro_debian',`
-@@ -10,8 +12,12 @@
+ /usr/lib/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
+@@ -10,8 +14,12 @@
  
  /var/lib/ldap(/.*)?		gen_context(system_u:object_r:slapd_db_t,s0)
  /var/lib/ldap/replog(/.*)?	gen_context(system_u:object_r:slapd_replog_t,s0)
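Review bot: The two new ldap.fc entries separate their fields with spaces where every neighbouring entry uses tabs — `/etc/rc\.d/init\.d/dirsrv.* --  gen_context(...)` has a space, two dashes and two spaces, and `/usr/sbin/ns-slapd 	--` has a space before its tab — so rewriting both lines with tab-only separators would match the rest of the file. Labelling ns-slapd as slapd_exec_t places 389 Directory Server in the same slapd_t domain as OpenLDAP, so it inherits exactly slapd's rule set; nothing in this hunk labels 389's own data or configuration directories, so if they sit outside the paths already typed here, access will presumably be denied until matching entries exist — worth confirming on a dirsrv install. The first context lines of this file section are outside the hunk.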
@@ -1978,6 +2951,35 @@ diff -b -B --ignore-all-space --exclude-
 +term_dontaudit_use_all_user_ptys(memcached_t)
 +term_dontaudit_use_all_user_ttys(memcached_t)
 +term_dontaudit_use_console(memcached_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.32/policy/modules/services/mta.if
+--- nsaserefpolicy/policy/modules/services/mta.if	2010-01-18 18:24:22.812540439 +0100
++++ serefpolicy-3.6.32/policy/modules/services/mta.if	2010-02-09 12:33:50.721866005 +0100
+@@ -786,6 +786,25 @@
+ 	allow $1 mqueue_spool_t:dir search_dir_perms;
+ ')
+ 
++#####################################
++## <summary>
++## 	List the mail queue.
++## </summary>
++## <param name="domain">
++## 	<summary>
++## 	Domain allowed access.
++## 	</summary>
++## </param>
++#
++interface(`mta_list_queue',`
++	gen_require(`
++ 		type mqueue_spool_t;
++	')
++
++	allow $1 mqueue_spool_t:dir list_dir_perms;
++	files_search_spool($1)
++') 
++
+ #######################################
+ ## <summary>
+ ##	Read the mail queue.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.32/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2010-01-18 18:24:22.813543710 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/mta.te	2010-02-02 10:43:31.244162625 +0100
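Review bot: The new `mta_list_queue` interface carries stray whitespace — a trailing space after its closing `')` and a leading space before `type mqueue_spool_t;` inside gen_require — and its banner is 37 `#` characters where the neighbouring interfaces use a longer rule; trim the closing line to `')` and indent the require line with tabs only. Granting only `list_dir_perms` on mqueue_spool_t with no file access is the right least-privilege split for a monitoring caller, and the summary could say so explicitly, e.g. `## List the mail queue directory (no access to queued message files).`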
@@ -1989,9 +2991,29 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.32/policy/modules/services/munin.te
+--- nsaserefpolicy/policy/modules/services/munin.te	2010-01-18 18:24:22.815530066 +0100
++++ serefpolicy-3.6.32/policy/modules/services/munin.te	2010-02-09 12:34:15.400865901 +0100
+@@ -134,6 +134,7 @@
+ optional_policy(`
+ 	mta_read_config(munin_t)
+ 	mta_send_mail(munin_t)
++	mta_list_queue(munin_t)
+ 	mta_read_queue(munin_t)
+ ')
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te	2010-01-18 18:24:22.819530575 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/mysql.te	2010-01-26 14:38:16.349463228 +0100
++++ serefpolicy-3.6.32/policy/modules/services/mysql.te	2010-02-08 11:12:04.320336459 +0100
+@@ -44,7 +44,7 @@
+ # Local policy
+ #
+ 
+-allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
++allow mysqld_t self:capability { dac_override setgid setuid sys_resource ipc_lock net_bind_service };
+ dontaudit mysqld_t self:capability sys_tty_config;
+ allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
+ allow mysqld_t self:fifo_file rw_fifo_file_perms;
 @@ -147,6 +147,8 @@
  dontaudit mysqld_safe_t self:capability sys_ptrace;
  allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
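Review bot: The `ipc_lock` capability added to mysqld_t's self:capability set has no comment recording why it is needed, and it is a capability worth justifying in place since it lets the daemon pin arbitrary amounts of memory. A short note above the rule would keep it from being trimmed by a later cleanup, e.g. `# ipc_lock: mysqld locks buffers in memory (memlock / large pages) — TODO confirm against the triggering AVC`. The munin change earlier in this hunk (`mta_list_queue(munin_t)`) is a narrow grant and needs nothing further.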
@@ -2069,6 +3091,18 @@ diff -b -B --ignore-all-space --exclude-
 +# unconfined plugins
 +/usr/lib(64)?/nagios/plugins/check_by_ssh		--		gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.32/policy/modules/services/nagios.if
+--- nsaserefpolicy/policy/modules/services/nagios.if	2010-01-18 18:24:22.821530899 +0100
++++ serefpolicy-3.6.32/policy/modules/services/nagios.if	2010-02-09 12:44:57.821616516 +0100
+@@ -150,6 +150,8 @@
+         # needed by command.cfg
+         domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
+     
++	allow nagios_t nagios_$1_plugin_t:process signal_perms;
++
+         # cjp: leaked file descriptor
+         dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
 --- nsaserefpolicy/policy/modules/services/nagios.te	2010-01-18 18:24:22.823530245 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/nagios.te	2010-01-22 16:03:19.932604694 +0100
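Review bot: The new `allow nagios_t nagios_$1_plugin_t:process signal_perms;` line in nagios.if is indented with a tab while the surrounding lines of the template use eight spaces, so the block now mixes both; pick one for the whole template (refpolicy convention is tabs, in which case the existing space-indented lines are the outliers). signal_perms includes sigkill and sigstop, presumably wanted so nagios can terminate a plugin that exceeds its timeout; a why-comment such as `# nagios signals/kills plugins that exceed their timeout` would make the grant self-explaining. The enclosing template begins and ends outside the hunk.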
@@ -2201,7 +3235,7 @@ diff -b -B --ignore-all-space --exclude-
  miscfiles_read_localization(openvpn_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te
 --- nsaserefpolicy/policy/modules/services/plymouth.te	2010-01-18 18:24:22.847540282 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/plymouth.te	2010-02-03 23:23:09.612821595 +0100
++++ serefpolicy-3.6.32/policy/modules/services/plymouth.te	2010-02-09 10:12:27.273913281 +0100
 @@ -41,6 +41,19 @@
  allow plymouthd_t self:fifo_file rw_fifo_file_perms;
  allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
@@ -2257,6 +3291,15 @@ diff -b -B --ignore-all-space --exclude-
  domain_use_interactive_fds(plymouth_t)
  
  files_read_etc_files(plymouth_t)
+@@ -90,6 +94,8 @@
+ 
+ plymouth_stream_connect(plymouth_t)
+ 
++sysnet_read_config(plymouth_t)
++
+ optional_policy(`
+ 	lvm_domtrans(plymouth_t)
+ ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te
 --- nsaserefpolicy/policy/modules/services/policykit.te	2010-01-18 18:24:22.850542758 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/policykit.te	2010-02-02 15:30:16.529067989 +0100
@@ -2595,7 +3638,16 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2010-01-18 18:24:22.886540773 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/samba.te	2010-02-01 20:42:31.450160322 +0100
++++ serefpolicy-3.6.32/policy/modules/services/samba.te	2010-02-09 10:52:45.543866160 +0100
+@@ -208,7 +208,7 @@
+ files_read_usr_symlinks(samba_net_t)
+ 
+ auth_use_nsswitch(samba_net_t)
+-auth_rw_cache(samba_net_t)
++auth_manage_cache(samba_net_t)
+ 
+ logging_send_syslog_msg(samba_net_t)
+ 
 @@ -286,6 +286,8 @@
  
  allow smbd_t winbind_t:process { signal signull };
@@ -2605,7 +3657,15 @@ diff -b -B --ignore-all-space --exclude-
  kernel_getattr_core_if(smbd_t)
  kernel_getattr_message_if(smbd_t)
  kernel_read_network_state(smbd_t)
-@@ -350,7 +352,7 @@
+@@ -327,6 +329,7 @@
+ auth_use_nsswitch(smbd_t)
+ auth_domtrans_chk_passwd(smbd_t)
+ auth_domtrans_upd_passwd(smbd_t)
++auth_manage_cache(smbd_t)
+ 
+ domain_use_interactive_fds(smbd_t)
+ domain_dontaudit_list_all_domains_state(smbd_t)
+@@ -350,7 +353,7 @@
  miscfiles_read_public_files(smbd_t)
  
  userdom_use_unpriv_users_fds(smbd_t)
@@ -2614,7 +3674,7 @@ diff -b -B --ignore-all-space --exclude-
  userdom_signal_all_users(smbd_t)
  
  usermanage_read_crack_db(smbd_t)
-@@ -485,6 +487,8 @@
+@@ -485,6 +488,8 @@
  
  manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
  
@@ -2623,7 +3683,7 @@ diff -b -B --ignore-all-space --exclude-
  allow nmbd_t smbcontrol_t:process signal;
  
  allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
-@@ -661,6 +665,7 @@
+@@ -661,6 +666,7 @@
  allow swat_t self:udp_socket create_socket_perms;
  allow swat_t self:unix_stream_socket connectto;
  
@@ -2631,6 +3691,23 @@ diff -b -B --ignore-all-space --exclude-
  allow swat_t nmbd_t:process { signal signull };
  
  allow swat_t nmbd_exec_t:file mmap_file_perms;
+@@ -829,6 +835,7 @@
+ corenet_tcp_bind_generic_node(winbind_t)
+ corenet_udp_bind_generic_node(winbind_t)
+ corenet_tcp_connect_smbd_port(winbind_t)
++corenet_tcp_connect_all_unreserved_ports(winbind_t)
+ 
+ dev_read_sysfs(winbind_t)
+ dev_read_urand(winbind_t)
+@@ -838,7 +845,7 @@
+ 
+ auth_domtrans_chk_passwd(winbind_t)
+ auth_use_nsswitch(winbind_t)
+-auth_rw_cache(winbind_t)
++auth_manage_cache(winbind_t)
+ 
+ domain_use_interactive_fds(winbind_t)
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2010-01-18 18:24:22.889530888 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/sendmail.te	2010-01-18 18:27:02.771531176 +0100
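Review bot: `corenet_tcp_connect_all_unreserved_ports(winbind_t)` widens winbind's outbound reach to every port above 1023, directly beneath the deliberately narrow `corenet_tcp_connect_smbd_port(winbind_t)`, and the change is not mentioned in the commit log. If the need is one specific service, a dedicated port interface would be the tighter fix; if the remote port is genuinely dynamic, a comment stating that keeps the broad rule from being mistaken for a leftover, e.g. `# winbind connects to dynamically assigned ports on the domain controller — TODO confirm which`. The switch from `auth_rw_cache` to `auth_manage_cache` for winbind_t later in this hunk is fine as long as creating and unlinking cache files is actually required.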
@@ -2713,7 +3790,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	All of the rules required to administrate 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.32/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2010-01-18 18:24:22.896530172 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.te	2010-02-04 18:16:54.117060833 +0100
++++ serefpolicy-3.6.32/policy/modules/services/spamassassin.te	2010-02-09 12:37:21.512866130 +0100
 @@ -147,6 +147,8 @@
  
  kernel_read_kernel_sysctls(spamassassin_t)
@@ -2723,6 +3800,17 @@ diff -b -B --ignore-all-space --exclude-
  dev_read_urand(spamassassin_t)
  
  fs_search_auto_mountpoints(spamassassin_t)
+@@ -470,6 +473,10 @@
+ userdom_search_user_home_dirs(spamd_t)
+ 
+ optional_policy(`
++	dcc_domtrans_cdcc(spamd_t)
++')
++
++optional_policy(`
+ 	exim_manage_spool_dirs(spamd_t)
+ 	exim_manage_spool_files(spamd_t)
+ ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2010-01-18 18:24:22.899530064 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/ssh.te	2010-02-08 00:22:54.835167354 +0100
@@ -3376,8 +4464,16 @@ diff -b -B --ignore-all-space --exclude-
  /var/run/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2010-01-18 18:24:22.923530253 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te	2010-02-03 10:39:48.878145130 +0100
-@@ -301,6 +301,9 @@
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te	2010-02-09 10:08:14.902615674 +0100
+@@ -253,6 +253,7 @@
+ allow xdm_t iceauth_home_t:file read_file_perms;
+ 
+ dev_read_rand(iceauth_t)
++dev_dontaudit_read_urand(iceauth_t)  
+ 
+ fs_search_auto_mountpoints(iceauth_t)
+ 
+@@ -301,6 +302,9 @@
  manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
  files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
  
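Review bot: `dev_dontaudit_read_urand(iceauth_t)  ` carries two trailing spaces and should be trimmed. It also sits directly under `dev_read_rand(iceauth_t)`, so /dev/random reads are allowed while /dev/urandom reads are denied without an audit record; if iceauth really opens urandom for its cookie material, the silent denial could hide a fallback to a weaker source, so it is worth confirming the denial is harmless before hiding it, and a one-line comment such as `# iceauth probes urandom but does not need it — TODO confirm` would record that decision.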
@@ -3387,7 +4483,7 @@ diff -b -B --ignore-all-space --exclude-
  domain_use_interactive_fds(xauth_t)
  
  dev_rw_xserver_misc(xauth_t)
-@@ -309,8 +312,12 @@
+@@ -309,8 +313,12 @@
  files_read_usr_files(xauth_t)
  files_search_pids(xauth_t)
  files_dontaudit_getattr_all_dirs(xauth_t)
@@ -3400,7 +4496,7 @@ diff -b -B --ignore-all-space --exclude-
  fs_search_auto_mountpoints(xauth_t)
  
  # cjp: why?
-@@ -506,6 +513,7 @@
+@@ -506,6 +514,7 @@
  dev_dontaudit_rw_misc(xdm_t)
  dev_getattr_video_dev(xdm_t)
  dev_setattr_video_dev(xdm_t)
@@ -3408,7 +4504,7 @@ diff -b -B --ignore-all-space --exclude-
  dev_getattr_scanner_dev(xdm_t)
  dev_setattr_scanner_dev(xdm_t)
  dev_read_sound(xdm_t)
-@@ -582,6 +590,7 @@
+@@ -582,6 +591,7 @@
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
  userdom_stream_connect(xdm_t)
@@ -3416,7 +4512,7 @@ diff -b -B --ignore-all-space --exclude-
  userdom_manage_user_tmp_dirs(xdm_t)
  userdom_manage_user_tmp_sockets(xdm_t)
  userdom_manage_tmpfs_role(system_r, xdm_t)
-@@ -668,6 +677,7 @@
+@@ -668,6 +678,7 @@
  
  optional_policy(`
  	gnome_read_gconf_config(xdm_t)
@@ -3424,7 +4520,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -675,6 +685,10 @@
+@@ -675,6 +686,10 @@
  ')
  
  optional_policy(`
@@ -3435,7 +4531,7 @@ diff -b -B --ignore-all-space --exclude-
  	loadkeys_exec(xdm_t)
  ')
  
-@@ -712,6 +726,7 @@
+@@ -712,6 +727,7 @@
  optional_policy(`
  	pulseaudio_exec(xdm_t)
  	pulseaudio_dbus_chat(xdm_t)
@@ -3445,8 +4541,26 @@ diff -b -B --ignore-all-space --exclude-
  # On crash gdm execs gdb to dump stack
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.32/policy/modules/system/application.te
 --- nsaserefpolicy/policy/modules/system/application.te	2010-01-18 18:24:22.925530368 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/application.te	2010-02-03 15:31:03.649144986 +0100
-@@ -15,6 +15,10 @@
++++ serefpolicy-3.6.32/policy/modules/system/application.te	2010-02-09 12:51:23.459615874 +0100
+@@ -1,5 +1,5 @@
+ 
+-policy_module(application, 1.1.0)
++policy_module(application, 1.1.1)
+ 
+ # Attribute of user applications
+ attribute application_domain_type;
+@@ -7,14 +7,18 @@
+ # Executables to be run by user
+ attribute application_exec_type;
+ 
+-userdom_append_user_home_content_files(application_domain_type)
+-userdom_write_user_tmp_files(application_domain_type)
+-logging_rw_all_logs(application_domain_type)
++userdom_inherit_append_user_home_content_files(application_domain_type)
+ userdom_inherit_append_admin_home_files(application_domain_type)
++userdom_inherit_append_user_tmp_files(application_domain_type)
++logging_inherit_append_all_logs(application_domain_type)
+ 
  files_dontaudit_search_all_dirs(application_domain_type)
  
  optional_policy(`
@@ -3506,7 +4620,7 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2010-01-18 18:24:22.933540325 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/init.if	2010-02-04 19:32:10.455185143 +0100
++++ serefpolicy-3.6.32/policy/modules/system/init.if	2010-02-09 09:59:47.912615584 +0100
 @@ -165,6 +165,7 @@
  		type init_t;
  		role system_r;
@@ -3532,15 +4646,25 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	application_domain($1,$2)
-@@ -281,6 +285,7 @@
+@@ -281,6 +285,8 @@
  
  	domtrans_pattern(initrc_t,$2,$1)
  	allow initrc_t $1:process siginh;
 +	allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
++	allow $1 initrc_transition_domain:fd use;
  
  	ifdef(`hide_broken_symptoms',`
  		# RHEL4 systems seem to have a stray
-@@ -775,8 +780,10 @@
+@@ -554,7 +560,7 @@
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+-	allow $1 initctl_t:fifo_file write;
++	allow $1 initctl_t:fifo_file write_file_perms;
+ ')
+ 
+ ########################################
+@@ -775,8 +781,10 @@
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -3551,7 +4675,7 @@ diff -b -B --ignore-all-space --exclude-
  	domtrans_pattern($1, $2, initrc_t)
  	files_search_etc($1)
  ')
-@@ -1686,3 +1693,26 @@
+@@ -1686,3 +1694,26 @@
  	allow $1 initrc_t:sem rw_sem_perms;
  ')
  
@@ -3580,7 +4704,7 @@ diff -b -B --ignore-all-space --exclude-
 +') 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2010-01-18 18:24:22.936530091 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/init.te	2010-02-04 17:25:21.696810756 +0100
++++ serefpolicy-3.6.32/policy/modules/system/init.te	2010-02-09 09:59:50.702615499 +0100
 @@ -40,6 +40,7 @@
  attribute init_script_domain_type;
  attribute init_script_file_type;
@@ -3589,10 +4713,27 @@ diff -b -B --ignore-all-space --exclude-
  
  # Mark process types as daemons
  attribute daemon;
-@@ -212,6 +213,10 @@
+@@ -118,6 +119,7 @@
+ 
+ allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms };
+ allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms };
++allow initrc_t init_t:fifo_file rw_fifo_file_perms;
+ 
+ # For /var/run/shutdown.pid.
+ allow init_t init_var_run_t:file manage_file_perms;
+@@ -191,6 +193,7 @@
+ ')
+ 
+ ifdef(`distro_redhat',`
++	fs_read_tmpfs_symlinks(init_t)
+ 	fs_rw_tmpfs_chr_files(init_t)
+ 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
+ ')
+@@ -212,6 +215,11 @@
  ')
  
  optional_policy(`
++	dbus_connect_system_bus(init_t)
 +	dbus_system_bus_client(init_t)
 +')
 +
@@ -3600,7 +4741,34 @@ diff -b -B --ignore-all-space --exclude-
  	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
  	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
  	# the directory. But we do not want to allow this.
-@@ -872,6 +877,7 @@
+@@ -224,6 +232,10 @@
+ ')
+ 
+ optional_policy(`
++	sssd_stream_connect(init_t)
++')
++
++optional_policy(`
+ 	unconfined_domain(init_t)
+ ')
+ 
+@@ -312,6 +324,7 @@
+ 
+ dev_read_rand(initrc_t)
+ dev_read_urand(initrc_t)
++dev_write_kmsg(initrc_t)
+ dev_write_rand(initrc_t)
+ dev_write_urand(initrc_t)
+ dev_rw_sysfs(initrc_t)
+@@ -531,6 +544,7 @@
+ 	# Needs to cp localtime to /var dirs
+ 	files_write_var_dirs(initrc_t)
+ 
++	fs_read_tmpfs_symlinks(initrc_t)
+ 	fs_rw_tmpfs_chr_files(initrc_t)
+ 
+ 	storage_manage_fixed_disk(initrc_t)
+@@ -872,6 +886,7 @@
  
  optional_policy(`
  	unconfined_domain(initrc_t)
@@ -3608,7 +4776,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -885,6 +891,9 @@
+@@ -885,6 +900,9 @@
  	# Allow SELinux aware applications to request rpm_script_t execution
  	rpm_transition_script(initrc_t)
  
@@ -3630,6 +4798,23 @@ diff -b -B --ignore-all-space --exclude-
  allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
  
  manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.6.32/policy/modules/system/iptables.if
+--- nsaserefpolicy/policy/modules/system/iptables.if	2010-01-18 18:24:22.941530168 +0100
++++ serefpolicy-3.6.32/policy/modules/system/iptables.if	2010-02-09 10:36:30.616615893 +0100
+@@ -67,6 +67,13 @@
+ 	optional_policy(`
+ 		modutils_run_insmod(iptables_t, $2)
+ 	')
++
++ifdef(`hide_broken_symptoms', `
++    dontaudit iptables_t $1:unix_stream_socket rw_socket_perms;
++    dontaudit iptables_t $1:tcp_socket rw_socket_perms;
++    dontaudit iptables_t $1:udp_socket rw_socket_perms;
++')
++
+ ')
+ 
+ ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.32/policy/modules/system/iptables.te
 --- nsaserefpolicy/policy/modules/system/iptables.te	2010-01-18 18:24:22.941530168 +0100
 +++ serefpolicy-3.6.32/policy/modules/system/iptables.te	2010-02-02 15:25:03.135335306 +0100
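Review bot: The three dontaudit rules added after the `modutils_run_insmod` block silence socket denials on the caller's own descriptors rather than fixing whatever leaves those sockets open across the transition, and nothing in the hunk records that; the `hide_broken_symptoms` guard suggests a known leak but the reader cannot tell from which caller. A one-line comment above the block would make that explicit, e.g. `# caller leaks open sockets into iptables_t across the transition; silence them until the caller is fixed`, hedged to whichever caller is actually responsible. The block is also indented with spaces while the surrounding interface uses tabs, and it sits at the interface's top level after the inner `optional_policy` — which is fine, but the extra blank lines on both sides make it look detached. The enclosing interface starts before this hunk, so its name is not visible here.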
@@ -3781,6 +4966,34 @@ diff -b -B --ignore-all-space --exclude-
  
 +/var/webmin(/.*)?  gen_context(system_u:object_r:var_log_t,s0)
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.32/policy/modules/system/logging.if
+--- nsaserefpolicy/policy/modules/system/logging.if	2010-01-18 18:24:22.950540043 +0100
++++ serefpolicy-3.6.32/policy/modules/system/logging.if	2010-02-09 12:55:48.458629829 +0100
+@@ -641,6 +641,24 @@
+ 	append_files_pattern($1, logfile, logfile)
+ ')
+ 
++######################################
++## <summary>
++##  Append to all log files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`logging_inherit_append_all_logs',`
++    gen_require(`
++        attribute logfile;
++    ')
++
++    allow $1 logfile:file { getattr append };
++')
++
+ ########################################
+ ## <summary>
+ ##	Read all log files.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.32/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2010-01-18 18:24:22.951535142 +0100
 +++ serefpolicy-3.6.32/policy/modules/system/logging.te	2010-02-02 14:39:43.439068166 +0100
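Review bot: The summary of the new `logging_inherit_append_all_logs` interface says "Append to all log files", but the rule grants only `logfile:file { getattr append }` with no `open` and no directory search, so the caller can append only through a descriptor it inherited — which is also what the name and the `application_domain_type` callers switching from the non-inherit variants indicate. The summary should say so, e.g. `## Append to all log files via an inherited file descriptor (no open or search permission is granted).`, so that a reader does not pick this interface when they need `logging_append_all_logs`. Indentation is spaces here while the neighbouring interfaces in the file use tabs.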
@@ -3839,9 +5052,20 @@ diff -b -B --ignore-all-space --exclude-
 +
 +    allow $1 fonts_cache_t:dir setattr;
 +')   
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.32/policy/modules/system/modutils.te
+--- nsaserefpolicy/policy/modules/system/modutils.te	2010-01-18 18:24:22.959530712 +0100
++++ serefpolicy-3.6.32/policy/modules/system/modutils.te	2010-02-09 09:59:53.815865530 +0100
+@@ -131,6 +131,7 @@
+ kernel_read_debugfs(insmod_t)
+ # Rules for /proc/sys/kernel/tainted
+ kernel_read_kernel_sysctls(insmod_t)
++kernel_request_load_module(insmod_t)
+ kernel_rw_kernel_sysctl(insmod_t)
+ kernel_read_hotplug_sysctls(insmod_t)
+ kernel_setsched(insmod_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2010-01-18 18:24:22.961540534 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/mount.te	2010-02-02 18:59:46.438067812 +0100
++++ serefpolicy-3.6.32/policy/modules/system/mount.te	2010-02-08 11:03:56.385336831 +0100
 @@ -155,6 +155,8 @@
  seutil_read_config(mount_t)
  
@@ -3859,11 +5083,15 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -260,6 +263,14 @@
+@@ -260,6 +263,18 @@
  	samba_read_config(mount_t)
  ')
  
 +optional_policy(`
++	ssh_exec(mount_t)
++')
++
++optional_policy(`
 +    usbmuxd_stream_connect(mount_t)
 +')
 +
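Review bot: `ssh_exec(mount_t)` lets mount run ssh without a domain transition, so the ssh process keeps every permission mount_t has and also needs to reach the invoking user's keys and known_hosts from that domain; the hunk gives no reason for this (presumably sshfs) and no indication whether a transition was considered. Please add a short comment naming the use case, e.g. `# sshfs helper: ssh runs inside mount_t, no transition`, and confirm whether a transition to a confined ssh domain would be preferable to running it under mount_t. The surrounding `optional_policy` blocks for samba and usbmuxd are the only context visible in this hunk.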
@@ -3898,8 +5126,16 @@ diff -b -B --ignore-all-space --exclude-
  kernel_use_fds(dhcpc_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.32/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2010-01-18 18:24:22.973540245 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/udev.te	2010-02-03 14:37:00.939144600 +0100
-@@ -273,6 +273,10 @@
++++ serefpolicy-3.6.32/policy/modules/system/udev.te	2010-02-09 09:59:57.514626722 +0100
+@@ -100,6 +100,7 @@
+ # udev_node.c/node_symlink() symlink labels are explicitly
+ # preserved, instead of short circuiting the relabel
+ dev_relabel_generic_symlinks(udev_t)
++dev_manage_generic_symlinks(udev_t)
+ 
+ domain_read_all_domains_state(udev_t)
+ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these 
+@@ -273,6 +274,10 @@
  ')
  
  optional_policy(`
@@ -3999,7 +5235,7 @@ diff -b -B --ignore-all-space --exclude-
  storage_raw_read_fixed_disk(xenstored_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt	2010-01-18 18:24:22.988541733 +0100
-+++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt	2010-02-01 20:58:41.140409177 +0100
++++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt	2010-02-09 10:00:01.300658461 +0100
 @@ -28,8 +28,7 @@
  #
  # All socket classes.
@@ -4010,6 +5246,15 @@ diff -b -B --ignore-all-space --exclude-
  
  #
  # Datagram socket classes.
+@@ -227,7 +226,7 @@
+ define(`create_lnk_file_perms',`{ create getattr }')
+ define(`rename_lnk_file_perms',`{ getattr rename }')
+ define(`delete_lnk_file_perms',`{ getattr unlink }')
+-define(`manage_lnk_file_perms',`{ create read getattr setattr link unlink rename }')
++define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
+ define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
+ define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
+ define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.32/policy/users
 --- nsaserefpolicy/policy/users	2010-01-18 18:24:22.989541023 +0100
 +++ serefpolicy-3.6.32/policy/users	2010-01-18 18:27:02.799531176 +0100
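Review bot: Widening `manage_lnk_file_perms` from `{ create read getattr setattr link unlink rename }` to also include `write append ioctl lock` changes a shared permission set in obj_perm_sets.spt, so every domain in the policy that uses `manage_lnk_files_pattern` or this macro directly gains those permissions, not just udev (which this commit also gives `dev_manage_generic_symlinks`); none of the changelog entries mention it. The practical impact on symlinks is probably small since their contents cannot be rewritten after creation, but a global macro change deserves a comment stating the intent, e.g. `# Fedora: align with the other manage_*_perms sets so callers are not denied write/append/ioctl/lock on symlinks`, if that is the motivation. If only udev needed the extra permissions, a narrower rule in udev.te would avoid the policy-wide widening.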


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.1015
retrieving revision 1.1016
diff -u -p -r1.1015 -r1.1016
--- selinux-policy.spec	5 Feb 2010 20:30:42 -0000	1.1015
+++ selinux-policy.spec	9 Feb 2010 12:22:30 -0000	1.1016
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 85%{?dist}
+Release: 86%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,15 @@ exit 0
 %endif
 
 %changelog
+* Tue Feb 9 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-86
+- Allow mysql ipc_lock capability
+- Allow passwd sys_nice capability
+- Allow plymouth to read network config files
+- Fixes for git 
+- Add label for /usr/sbin/ns-slapd
+- Allow munin to list mail queue
+- Add label for shorewall compiler
+
 * Fri Feb 5 2010 Dan Walsh <dwalsh at redhat.com> 3.6.32-85
 - Cleanup  spec file
 


