rpms/selinux-policy/F-12 policy-20100106.patch, 1.36, 1.37 selinux-policy.spec, 1.1021, 1.1022
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Feb 17 15:52:13 UTC 2010
Author: mgrepl
Update of /cvs/pkgs/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv7678
Modified Files:
policy-20100106.patch selinux-policy.spec
Log Message:
- Add label for /opt/zimbra/log directory
- Add label for /usr/local/centreon/log directory
- Add label for /var/spool/bacula/log directory
- Add nagios_mail_plugin type for nagios mail plugins
- Do not audit attempts to search the network state directory for locate
- Allow ping to read and write the console, all ttys and all ptys
- Allow pppd to send audit messages
- Allow modemmanager the net_admin capability
- Fixes for cluster policy
policy-20100106.patch:
modules/admin/dmesg.fc | 1
modules/admin/logwatch.te | 5
modules/admin/mcelog.fc | 2
modules/admin/mcelog.if | 20 +
modules/admin/mcelog.te | 31 ++
modules/admin/netutils.te | 2
modules/admin/prelink.te | 1
modules/admin/quota.te | 1
modules/admin/readahead.te | 2
modules/admin/rpm.if | 21 -
modules/admin/smoltclient.te | 2
modules/admin/usermanage.te | 6
modules/apps/cdrecord.te | 2
modules/apps/chrome.te | 3
modules/apps/execmem.if | 5
modules/apps/firewallgui.te | 4
modules/apps/gnome.fc | 9
modules/apps/gnome.if | 81 +++++-
modules/apps/gnome.te | 8
modules/apps/gpg.fc | 2
modules/apps/gpg.te | 5
modules/apps/kdumpgui.te | 4
modules/apps/mozilla.fc | 1
modules/apps/nsplugin.fc | 1
modules/apps/nsplugin.if | 36 ++
modules/apps/podsleuth.te | 1
modules/apps/pulseaudio.fc | 2
modules/apps/pulseaudio.if | 6
modules/apps/pulseaudio.te | 10
modules/apps/sambagui.te | 4
modules/apps/sandbox.if | 54 +++-
modules/apps/sandbox.te | 49 ++-
modules/apps/slocate.te | 1
modules/apps/vmware.if | 18 +
modules/apps/vmware.te | 9
modules/apps/wine.if | 4
modules/apps/wine.te | 14 +
modules/kernel/corecommands.fc | 4
modules/kernel/corenetwork.if.in | 18 +
modules/kernel/corenetwork.te.in | 5
modules/kernel/devices.fc | 5
modules/kernel/devices.if | 109 ++++++++
modules/kernel/devices.te | 18 +
modules/kernel/files.if | 38 +++
modules/kernel/filesystem.if | 118 ++++++++-
modules/kernel/filesystem.te | 12
modules/roles/staff.te | 16 -
modules/roles/sysadm.te | 4
modules/roles/unconfineduser.fc | 5
modules/roles/unconfineduser.te | 4
modules/roles/xguest.te | 6
modules/services/abrt.if | 5
modules/services/abrt.te | 14 +
modules/services/afs.te | 6
modules/services/aisexec.fc | 2
modules/services/aisexec.te | 8
modules/services/amavis.te | 1
modules/services/apache.fc | 5
modules/services/apache.if | 27 ++
modules/services/apache.te | 14 -
modules/services/apcupsd.te | 2
modules/services/arpwatch.te | 2
modules/services/avahi.fc | 2
modules/services/ccs.te | 6
modules/services/chronyd.fc | 2
modules/services/chronyd.te | 15 -
modules/services/clogd.if | 24 -
modules/services/clogd.te | 7
modules/services/consolekit.te | 6
modules/services/corosync.fc | 2
modules/services/corosync.te | 8
modules/services/cron.te | 9
modules/services/cups.te | 7
modules/services/dbus.if | 2
modules/services/djbdns.if | 38 +++
modules/services/djbdns.te | 8
modules/services/dnsmasq.fc | 2
modules/services/dnsmasq.te | 8
modules/services/dovecot.te | 6
modules/services/exim.if | 18 +
modules/services/fail2ban.if | 18 +
modules/services/ftp.fc | 2
modules/services/ftp.if | 37 ++
modules/services/ftp.te | 116 +++++++++
modules/services/git.fc | 17 -
modules/services/git.if | 466 ++++++++++++++++++++++++++++---------
modules/services/git.te | 145 ++++++-----
modules/services/gpm.fc | 2
modules/services/kerberos.if | 2
modules/services/ldap.fc | 8
modules/services/ldap.te | 7
modules/services/lircd.te | 7
modules/services/mailman.te | 1
modules/services/memcached.te | 14 -
modules/services/modemmanager.te | 2
modules/services/mta.if | 19 +
modules/services/mta.te | 1
modules/services/munin.te | 1
modules/services/mysql.te | 5
modules/services/nagios.fc | 46 +++
modules/services/nagios.if | 2
modules/services/nagios.te | 88 ++++++
modules/services/networkmanager.fc | 1
modules/services/networkmanager.te | 1
modules/services/nis.fc | 5
modules/services/nis.te | 8
modules/services/nx.if | 18 +
modules/services/openvpn.te | 4
modules/services/plymouth.te | 33 +-
modules/services/policykit.te | 8
modules/services/postfix.if | 37 ++
modules/services/postfix.te | 5
modules/services/ppp.fc | 2
modules/services/ppp.te | 8
modules/services/prelude.te | 2
modules/services/qmail.if | 18 +
modules/services/rgmanager.if | 21 +
modules/services/rgmanager.te | 22 +
modules/services/rhcs.fc | 9
modules/services/rhcs.te | 64 +++--
modules/services/ricci.te | 3
modules/services/rpc.te | 2
modules/services/samba.te | 14 -
modules/services/sendmail.te | 4
modules/services/setroubleshoot.te | 4
modules/services/snmp.te | 4
modules/services/snort.te | 1
modules/services/spamassassin.if | 18 +
modules/services/spamassassin.te | 6
modules/services/ssh.if | 2
modules/services/ssh.te | 81 ------
modules/services/sssd.fc | 2
modules/services/sssd.if | 85 +++---
modules/services/sssd.te | 14 -
modules/services/tftp.te | 1
modules/services/tgtd.te | 1
modules/services/tuned.fc | 3
modules/services/tuned.te | 15 +
modules/services/ucspitcp.te | 5
modules/services/usbmuxd.fc | 6
modules/services/usbmuxd.if | 64 +++++
modules/services/usbmuxd.te | 48 +++
modules/services/virt.if | 1
modules/services/virt.te | 10
modules/services/xserver.fc | 7
modules/services/xserver.if | 2
modules/services/xserver.te | 23 +
modules/system/application.te | 12
modules/system/daemontools.if | 62 ++++
modules/system/daemontools.te | 26 +-
modules/system/fstools.fc | 1
modules/system/hostname.te | 3
modules/system/hotplug.te | 4
modules/system/init.if | 33 ++
modules/system/init.te | 26 +-
modules/system/ipsec.te | 11
modules/system/iptables.if | 10
modules/system/iptables.te | 6
modules/system/iscsi.fc | 3
modules/system/iscsi.te | 10
modules/system/libraries.fc | 16 +
modules/system/locallogin.te | 6
modules/system/logging.fc | 7
modules/system/logging.if | 18 +
modules/system/logging.te | 9
modules/system/lvm.te | 2
modules/system/miscfiles.if | 37 ++
modules/system/modutils.te | 1
modules/system/mount.if | 4
modules/system/mount.te | 16 +
modules/system/selinuxutil.te | 1
modules/system/sysnetwork.if | 4
modules/system/sysnetwork.te | 1
modules/system/udev.te | 5
modules/system/unconfined.if | 2
modules/system/userdomain.fc | 1
modules/system/userdomain.if | 36 ++
modules/system/xen.te | 7
support/obj_perm_sets.spt | 5
users | 2
180 files changed, 2612 insertions(+), 518 deletions(-)
Index: policy-20100106.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.36
retrieving revision 1.37
diff -u -p -r1.36 -r1.37
--- policy-20100106.patch 12 Feb 2010 16:52:45 -0000 1.36
+++ policy-20100106.patch 17 Feb 2010 15:52:13 -0000 1.37
@@ -6,6 +6,21 @@ diff -b -B --ignore-all-space --exclude-
/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.32/policy/modules/admin/logwatch.te
+--- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-01-18 18:24:22.550542523 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/logwatch.te 2010-02-17 16:16:54.606863741 +0100
+@@ -103,6 +103,11 @@
+
+ mta_send_mail(logwatch_t)
+
++ifdef(`hide_broken_symptoms',`
++ #Bugzilla 554754
++ files_dontaudit_write_etc_dirs(logwatch_t)
++')
++
+ ifdef(`distro_redhat',`
+ files_search_all(logwatch_t)
+ files_getattr_all_file_type_fs(logwatch_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.6.32/policy/modules/admin/mcelog.fc
--- nsaserefpolicy/policy/modules/admin/mcelog.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/mcelog.fc 2010-02-03 17:54:52.841394806 +0100
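Review bot: the `#Bugzilla 554754` comment above `files_dontaudit_write_etc_dirs(logwatch_t)` says nothing about what logwatch actually attempts in /etc, so a later reader cannot tell whether silencing `etc_t:dir write` is still the right fix or whether a mislabelled directory was the real cause. Wrapping it in `hide_broken_symptoms` is the right place for a dontaudit that hides a symptom rather than grants a need, but please extend the comment with the operation seen in the AVC (directory and permission) so the rule can be revisited.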
@@ -71,6 +86,18 @@ diff -b -B --ignore-all-space --exclude-
+miscfiles_read_localization(mcelog_t)
+
+logging_send_syslog_msg(mcelog_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.32/policy/modules/admin/netutils.te
+--- nsaserefpolicy/policy/modules/admin/netutils.te 2010-01-18 18:24:22.552539984 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/netutils.te 2010-02-16 16:59:33.332598118 +0100
+@@ -132,6 +132,8 @@
+
+ kernel_read_system_state(ping_t)
+
++term_use_all_terms(ping_t)
++
+ auth_use_nsswitch(ping_t)
+
+ logging_send_syslog_msg(ping_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.32/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2010-01-18 18:24:22.564530406 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/prelink.te 2010-02-01 20:30:49.318160848 +0100
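Review bot: `term_use_all_terms(ping_t)` grants ping_t read and write on the console and on every tty and pty type, not only the terminal it inherited from its caller. If the denials came from ping writing to its inherited stdout/stderr, a rule scoped to the user terminal types, or a dontaudit if the access is not actually needed, would avoid letting a privileged network helper write to terminals owned by other users. Please record which access was denied so the width of this grant can be justified.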
@@ -107,8 +134,8 @@ diff -b -B --ignore-all-space --exclude-
fs_dontaudit_search_ramfs(readahead_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2010-01-18 18:24:22.567540216 +0100
-+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2010-01-29 10:12:23.130864561 +0100
-@@ -189,22 +189,22 @@
++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2010-02-16 17:05:12.130597953 +0100
+@@ -189,22 +189,23 @@
type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
')
@@ -138,6 +165,7 @@ diff -b -B --ignore-all-space --exclude-
+ dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;
++ dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms;
')
########################################
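Review bot: the new `dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms;` uses a type that the visible require line (`type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;`) does not list, and the same holds for `rpm_var_cache_t` on the line above it. Unless both are declared on an earlier line of that `gen_require` block, the interface will fail to compile with an undeclared type; please check the require block.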
@@ -892,6 +920,17 @@ diff -b -B --ignore-all-space --exclude-
dbus_system_bus_client(sandbox_net_client_t)
dbus_read_config(sandbox_net_client_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.6.32/policy/modules/apps/slocate.te
+--- nsaserefpolicy/policy/modules/apps/slocate.te 2010-01-18 18:24:22.654539968 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/slocate.te 2010-02-15 15:04:15.236661606 +0100
+@@ -31,6 +31,7 @@
+
+ kernel_read_system_state(locate_t)
+ kernel_dontaudit_search_sysctl(locate_t)
++kernel_dontaudit_search_network_state(locate_t)
+
+ corecmd_exec_bin(locate_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.6.32/policy/modules/apps/vmware.if
--- nsaserefpolicy/policy/modules/apps/vmware.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/apps/vmware.if 2010-01-25 17:40:10.448685801 +0100
@@ -1043,8 +1082,8 @@ diff -b -B --ignore-all-space --exclude-
## Getattr the point-to-point device.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-01-18 18:24:22.668540002 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2010-01-19 12:10:56.565608631 +0100
-@@ -92,8 +92,8 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2010-02-16 17:21:28.658848158 +0100
+@@ -92,11 +92,12 @@
network_port(dbskkd, tcp,1178,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dccm, tcp,5679,s0, udp,5679,s0)
@@ -1055,6 +1094,10 @@ diff -b -B --ignore-all-space --exclude-
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
++network_port(epmap, udp,135,s0, tcp,135,s0)
+ network_port(festival, tcp,1314,s0)
+ network_port(fingerd, tcp,79,s0)
+ network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-18 18:24:22.670530409 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-02-04 19:33:02.466936526 +0100
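Review bot: `network_port(epmap, udp,135,s0, tcp,135,s0)` moves port 135 out of the generic reserved-port type into a dedicated epmap port type, so any domain that reached port 135 through the generic reserved-port interfaces will start being denied until it is given the generated epmap interfaces. Nothing visible in this diff uses the new type and the log message does not mention it; please add a log line naming the domain this is for and include the matching allow rule in that module.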
@@ -1280,8 +1323,33 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2010-01-18 18:24:22.691530426 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2010-02-11 21:31:15.568440872 +0100
-@@ -5537,3 +5537,23 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2010-02-17 16:16:16.656863896 +0100
+@@ -2049,6 +2049,24 @@
+ dontaudit $1 etc_t:file write;
+ ')
+
++#######################################
++## <summary>
++## Do not audit attempts to write /etc dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_write_etc_dirs',`
++ gen_require(`
++ type etc_t;
++ ')
++
++ dontaudit $1 etc_t:dir write;
++')
++
+ ########################################
+ ## <summary>
+ ## Read and write generic files in /etc.
+@@ -5537,3 +5555,23 @@
dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
')
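Review bot: `files_dontaudit_write_etc_dirs` silences only `etc_t:dir write`. Creating or removing a file in /etc also needs `add_name` or `remove_name` on the directory, so if the denial behind the logwatch caller is an attempted file creation those permissions will still be audited; confirm from the AVC which permission is actually denied before relying on this interface. The comment banner above the new interface also looks narrower than the `########################################` banner that follows it; align it with the surrounding ones.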
@@ -1588,7 +1656,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2010-01-18 18:24:22.722530039 +0100
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-01-18 18:27:02.753530981 +0100
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-02-16 16:57:03.610848178 +0100
@@ -39,6 +39,8 @@
type unconfined_exec_t;
init_system_domain(unconfined_t, unconfined_exec_t)
@@ -1598,9 +1666,18 @@ diff -b -B --ignore-all-space --exclude-
domain_user_exemption_target(unconfined_t)
allow system_r unconfined_r;
+@@ -344,7 +346,7 @@
+ ')
+
+ optional_policy(`
+- tzdata_run(unconfined_t, unconfined_r)
++ tzdata_run(unconfined_usertype, unconfined_r)
+ ')
+
+ optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2010-01-18 18:24:22.724546986 +0100
-+++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2010-01-18 18:27:02.754531109 +0100
++++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2010-02-16 17:36:22.545598200 +0100
@@ -15,7 +15,7 @@
## <desc>
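Review bot: changing `tzdata_run(unconfined_t, unconfined_r)` to `tzdata_run(unconfined_usertype, unconfined_r)` widens the tzdata domain transition from the single unconfined_t domain to every domain carrying the unconfined_usertype attribute. That is consistent with how the rest of the file treats unconfined users, but the log message does not list this change; add a line so the widening is recorded.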
@@ -1610,6 +1687,17 @@ diff -b -B --ignore-all-space --exclude-
## </p>
## </desc>
gen_tunable(xguest_connect_network, true)
+@@ -55,6 +55,10 @@
+
+ allow xguest_t self:process execmem;
+
++tunable_policy(`allow_execstack',`
++ allow xguest_t self:process execstack;
++')
++
+ # Allow mounting of file systems
+ optional_policy(`
+ tunable_policy(`xguest_mount_media',`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.6.32/policy/modules/services/abrt.if
--- nsaserefpolicy/policy/modules/services/abrt.if 2010-01-18 18:24:22.726539977 +0100
+++ serefpolicy-3.6.32/policy/modules/services/abrt.if 2010-02-01 21:01:00.945160840 +0100
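Review bot: the new `tunable_policy` block gives xguest_t an executable stack whenever the system-wide `allow_execstack` boolean is on. The guest domain already has unconditional execmem a few lines above, so this follows the existing treatment, but it ties a low-trust guest domain to a boolean that administrators usually enable for the benefit of other applications; consider whether xguest should keep execstack denied regardless, or add a comment in the .te file explaining why the global boolean is the right switch here.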
@@ -1695,9 +1783,18 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# AFS bossserver local policy
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.6.32/policy/modules/services/aisexec.fc
+--- nsaserefpolicy/policy/modules/services/aisexec.fc 2010-01-18 18:24:22.729540009 +0100
++++ serefpolicy-3.6.32/policy/modules/services/aisexec.fc 2010-02-17 15:26:59.638613137 +0100
+@@ -8,5 +8,3 @@
+ /var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0)
+
+ /var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0)
+-
+-/var/run/cman_.* -s gen_context(system_u:object_r:aisexec_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.6.32/policy/modules/services/aisexec.te
--- nsaserefpolicy/policy/modules/services/aisexec.te 2010-01-18 18:24:22.731542358 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/aisexec.te 2010-02-04 21:53:44.131187049 +0100
++++ serefpolicy-3.6.32/policy/modules/services/aisexec.te 2010-02-17 12:12:36.836863654 +0100
@@ -75,8 +75,6 @@
corenet_tcp_bind_reserved_port(aisexec_t)
corenet_udp_bind_cluster_port(aisexec_t)
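Review bot: removing `/var/run/cman_.* -s` from aisexec.fc is only safe because the same pattern is re-added to corosync.fc with `corosync_var_run_t` later in this patch; the two hunks should be reviewed together, and "Fixes for cluster policy" in the log should say that the cman sockets change label. Existing sockets keep the old aisexec_var_run_t label until the directory is relabelled, so on a live system domains that reached them through `aisexec_stream_connect` will be denied until restorecon is run or the socket is recreated.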
@@ -1822,7 +1919,7 @@ diff -b -B --ignore-all-space --exclude-
## Do not audit attempts to read and write Apache
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-02-03 20:16:18.858822145 +0100
++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-02-16 16:54:40.527598125 +0100
@@ -309,7 +309,7 @@
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
@@ -1865,6 +1962,15 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
kerberos_keytab_template(httpd, httpd_t)
')
+@@ -895,6 +901,8 @@
+
+ sysnet_read_config(httpd_sys_script_t)
+
++logging_inherit_append_all_logs(httpd_sys_script_t)
++
+ ifdef(`distro_redhat',`
+ allow httpd_sys_script_t httpd_log_t:file append_file_perms;
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.6.32/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te 2010-01-18 18:27:02.757542944 +0100
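Review bot: `logging_inherit_append_all_logs(httpd_sys_script_t)` gives CGI scripts append access to every log file type in the policy through inherited descriptors, not only to httpd_log_t, which the existing `allow httpd_sys_script_t httpd_log_t:file append_file_perms;` in the distro_redhat block already covers. If this is for scripts started by a daemon that leaves its own log open, an interface scoped to that daemon's log type would be narrower; otherwise please document why web scripts need all log types.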
@@ -1898,6 +2004,28 @@ diff -b -B --ignore-all-space --exclude-
-/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0)
+/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.6.32/policy/modules/services/ccs.te
+--- nsaserefpolicy/policy/modules/services/ccs.te 2010-01-18 18:24:22.749530749 +0100
++++ serefpolicy-3.6.32/policy/modules/services/ccs.te 2010-02-17 15:18:32.630863465 +0100
+@@ -74,8 +74,6 @@
+ manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
+ files_pid_filetrans(ccs_t, ccs_var_run_t, { dir file sock_file })
+
+-aisexec_stream_connect(ccs_t)
+-
+ kernel_read_kernel_sysctls(ccs_t)
+
+ corecmd_list_bin(ccs_t)
+@@ -117,5 +115,9 @@
+ ')
+
+ optional_policy(`
++ aisexec_stream_connect(ccs_t)
++ corosync_stream_connect(ccs_t)
++')
++optional_policy(`
+ unconfined_use_fds(ccs_t)
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.6.32/policy/modules/services/chronyd.fc
--- nsaserefpolicy/policy/modules/services/chronyd.fc 2010-01-18 18:24:22.753540198 +0100
+++ serefpolicy-3.6.32/policy/modules/services/chronyd.fc 2010-02-02 18:56:12.191317011 +0100
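Review bot: in ccs.te the two stream-connect calls `aisexec_stream_connect(ccs_t)` and `corosync_stream_connect(ccs_t)` are placed in a single `optional_policy` block. An optional block is applied only when every module it references is present, so on a host where only one of aisexec or corosync is loaded neither rule takes effect and ccs loses the connection it previously had unconditionally. Split them into one optional_policy per module. Minor: a blank line is missing between the closing `')` and the following `optional_policy(` that wraps `unconfined_use_fds(ccs_t)`.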
@@ -1947,9 +2075,102 @@ diff -b -B --ignore-all-space --exclude-
+ gpsd_rw_shm(chronyd_t)
+')
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.6.32/policy/modules/services/clogd.if
+--- nsaserefpolicy/policy/modules/services/clogd.if 2010-01-18 18:24:22.757540078 +0100
++++ serefpolicy-3.6.32/policy/modules/services/clogd.if 2010-02-17 11:59:55.124863336 +0100
+@@ -42,26 +42,6 @@
+
+ #####################################
+ ## <summary>
+-## Manage clogd tmpfs files.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## The type of the process performing this action.
+-## </summary>
+-## </param>
+-#
+-interface(`clogd_manage_tmpfs_files',`
+- gen_require(`
+- type clogd_tmpfs_t;
+- ')
+-
+- fs_search_tmpfs($1)
+- manage_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
+- manage_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
+-')
+-
+-#####################################
+-## <summary>
+ ## Allow read and write access to clogd semaphores.
+ ## </summary>
+ ## <param name="domain">
+@@ -94,5 +74,9 @@
+ ')
+
+ allow $1 clogd_t:shm { rw_shm_perms destroy };
++ allow $1 clogd_tmpfs_t:dir list_dir_perms;
++ rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
++ read_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
++ fs_search_tmpfs($1)
+ ')
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.6.32/policy/modules/services/clogd.te
+--- nsaserefpolicy/policy/modules/services/clogd.te 2010-01-18 18:24:22.758539996 +0100
++++ serefpolicy-3.6.32/policy/modules/services/clogd.te 2010-02-17 15:17:36.815613535 +0100
+@@ -41,8 +41,6 @@
+ manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
+ files_pid_filetrans(clogd_t,clogd_var_run_t, { file })
+
+-aisexec_stream_connect(clogd_t)
+-
+ dev_manage_generic_blk_files(clogd_t)
+
+ storage_raw_read_fixed_disk(clogd_t)
+@@ -56,6 +54,11 @@
+ miscfiles_read_localization(clogd_t)
+
+ optional_policy(`
++ aisexec_stream_connect(clogd_t)
++ corosync_stream_connect(clogd_t)
++')
++
++optional_policy(`
+ dev_read_lvm_control(clogd_t)
+ ')
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te
+--- nsaserefpolicy/policy/modules/services/consolekit.te 2010-01-18 18:24:22.762530308 +0100
++++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2010-02-16 22:55:22.460609811 +0100
+@@ -80,13 +80,11 @@
+ hal_ptrace(consolekit_t)
+
+ tunable_policy(`use_nfs_home_dirs',`
+- fs_dontaudit_list_nfs(consolekit_t)
+- fs_dontaudit_rw_nfs_files(consolekit_t)
++ fs_read_nfs_files(consolekit_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+- fs_dontaudit_list_cifs(consolekit_t)
+- fs_dontaudit_rw_cifs_files(consolekit_t)
++ fs_read_cifs_files(consolekit_t)
+ ')
+
+ optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.6.32/policy/modules/services/corosync.fc
+--- nsaserefpolicy/policy/modules/services/corosync.fc 2010-01-18 18:24:22.762530308 +0100
++++ serefpolicy-3.6.32/policy/modules/services/corosync.fc 2010-02-17 15:36:57.020864395 +0100
+@@ -9,5 +9,5 @@
+
+ /var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0)
+
++/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
+ /var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
+-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.6.32/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 2010-01-18 18:24:22.764539991 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/corosync.te 2010-02-04 21:49:37.774952184 +0100
++++ serefpolicy-3.6.32/policy/modules/services/corosync.te 2010-02-17 15:10:00.826864054 +0100
@@ -73,6 +73,8 @@
kernel_read_system_state(corosync_t)
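Review bot: in consolekit.te, replacing `fs_dontaudit_list_nfs`/`fs_dontaudit_rw_nfs_files` with `fs_read_nfs_files(consolekit_t)` (and likewise for CIFS) turns a silenced denial into real read access to every file on NFS and CIFS mounts, which on a host with network home directories means the daemon can read all users' home data; if it needs one specific file, grant that instead and say so in a comment. In clogd.if, `clogd_manage_tmpfs_files` is deleted and its tmpfs access folded into the semaphore interface, but that interface's `<summary>` still reads "Allow read and write access to clogd semaphores"; update the description and check that no other module still calls the removed interface. The clogd.te change also bundles `aisexec_stream_connect(clogd_t)` and `corosync_stream_connect(clogd_t)` in one optional_policy block, which applies only when both modules are present; split it into one block per module.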
@@ -1967,17 +2188,15 @@ diff -b -B --ignore-all-space --exclude-
# to communication with RHCS
dlm_controld_manage_tmpfs_files(corosync_t)
dlm_controld_rw_semaphores(corosync_t)
-@@ -95,12 +98,11 @@
- # to communication with RHCS
- dlm_controld_manage_tmpfs_files(corosync_t)
- dlm_controld_rw_semaphores(corosync_t)
--
- fenced_manage_tmpfs_files(corosync_t)
- fenced_rw_semaphores(corosync_t)
--
+@@ -101,6 +104,11 @@
+
gfs_controld_manage_tmpfs_files(corosync_t)
gfs_controld_rw_semaphores(corosync_t)
+')
++
++optional_policy(`
++ rgmanager_manage_tmpfs_files(corosync_t)
++')
optional_policy(`
ccs_read_config(corosync_t)
@@ -2009,7 +2228,7 @@ diff -b -B --ignore-all-space --exclude-
# System cron process domain
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2010-01-18 18:24:22.771540183 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2010-02-01 21:13:34.192326070 +0100
++++ serefpolicy-3.6.32/policy/modules/services/cups.te 2010-02-17 16:19:02.686863774 +0100
@@ -265,6 +265,7 @@
# invoking ghostscript needs to read fonts
miscfiles_read_fonts(cupsd_t)
@@ -2048,6 +2267,14 @@ diff -b -B --ignore-all-space --exclude-
allow cups_pdf_t self:fifo_file rw_file_perms;
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
+@@ -689,6 +693,7 @@
+
+ domain_use_interactive_fds(hplip_t)
+
++files_dontaudit_write_usr_dirs(hplip_t)
+ files_read_etc_files(hplip_t)
+ files_read_etc_runtime_files(hplip_t)
+ files_read_usr_files(hplip_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.32/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2010-01-18 18:24:22.774530577 +0100
+++ serefpolicy-3.6.32/policy/modules/services/dbus.if 2010-02-09 15:13:10.361616292 +0100
@@ -2207,6 +2434,34 @@ diff -b -B --ignore-all-space --exclude-
fs_manage_cifs_files(dovecot_deliver_t)
fs_manage_cifs_symlinks(dovecot_deliver_t)
fs_manage_cifs_files(dovecot_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.6.32/policy/modules/services/exim.if
+--- nsaserefpolicy/policy/modules/services/exim.if 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/exim.if 2010-02-15 12:36:35.630568574 +0100
+@@ -18,6 +18,24 @@
+ domtrans_pattern($1, exim_exec_t, exim_t)
+ ')
+
++###################################
++## <summary>
++## Execute the exim in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`exim_exec',`
++ gen_require(`
++ type exim_exec_t;
++ ')
++
++ can_exec($1, exim_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Do not audit attempts to read,
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.32/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-01-18 18:24:22.784531151 +0100
+++ serefpolicy-3.6.32/policy/modules/services/fail2ban.if 2010-01-18 18:27:02.761531161 +0100
@@ -2235,6 +2490,18 @@ diff -b -B --ignore-all-space --exclude-
########################################
## <summary>
## All of the rules required to administrate
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.6.32/policy/modules/services/ftp.fc
+--- nsaserefpolicy/policy/modules/services/ftp.fc 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/ftp.fc 2010-02-16 17:34:27.415598063 +0100
+@@ -22,7 +22,7 @@
+ #
+ # /var
+ #
+-/var/run/proftpd(/.*)? gen_context(system_u:object_r:ftpd_var_run_t,s0)
++/var/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0)
+
+ /var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
+ /var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.6.32/policy/modules/services/ftp.if
--- nsaserefpolicy/policy/modules/services/ftp.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/ftp.if 2010-02-08 00:21:16.418154590 +0100
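Review bot: changing `/var/run/proftpd(/.*)?` to `/var/run/proftpd.*` is needed to label files such as a pid file that sit next to the directory rather than inside it, but the unanchored `.*` also matches any other entry in /var/run whose name merely starts with proftpd. That is probably acceptable here; please mention the ftp change in the log message, which currently does not list it.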
@@ -2284,7 +2551,7 @@ diff -b -B --ignore-all-space --exclude-
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.32/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2010-01-18 18:24:22.787539983 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/ftp.te 2010-01-18 18:27:02.763531066 +0100
++++ serefpolicy-3.6.32/policy/modules/services/ftp.te 2010-02-16 17:41:51.446598108 +0100
@@ -53,6 +53,39 @@
## </desc>
gen_tunable(ftp_home_dir, false)
@@ -2340,6 +2607,15 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# ftpd local policy
+@@ -101,7 +142,7 @@
+ allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_admin sys_nice sys_resource };
+ dontaudit ftpd_t self:capability sys_tty_config;
+ allow ftpd_t self:process signal_perms;
+-allow ftpd_t self:process { getcap setcap setsched setrlimit };
++allow ftpd_t self:process { getpgid getcap setcap setsched setrlimit };
+ allow ftpd_t self:fifo_file rw_fifo_file_perms;
+ allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
+ allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
@@ -342,3 +383,76 @@
files_read_etc_files(ftpdctl_t)
@@ -3302,6 +3578,15 @@ diff -b -B --ignore-all-space --exclude-
+
+#git_role_template(git_shell)
+#gen_user(git_shell_u, user, git_shell_r, s0, s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.fc serefpolicy-3.6.32/policy/modules/services/gpm.fc
+--- nsaserefpolicy/policy/modules/services/gpm.fc 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/gpm.fc 2010-02-16 22:45:57.818609498 +0100
+@@ -5,3 +5,5 @@
+ /etc/gpm(/.*)? gen_context(system_u:object_r:gpm_conf_t,s0)
+
+ /usr/sbin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0)
++
++/var/run/gpm\.pid -- gen_context(system_u:object_r:gpm_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.32/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2010-01-18 18:24:22.799531033 +0100
+++ serefpolicy-3.6.32/policy/modules/services/kerberos.if 2010-01-22 17:08:10.300604739 +0100
@@ -3443,6 +3728,18 @@ diff -b -B --ignore-all-space --exclude-
+term_dontaudit_use_all_user_ptys(memcached_t)
+term_dontaudit_use_all_user_ttys(memcached_t)
+term_dontaudit_use_console(memcached_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.6.32/policy/modules/services/modemmanager.te
+--- nsaserefpolicy/policy/modules/services/modemmanager.te 2010-01-18 18:24:22.810530337 +0100
++++ serefpolicy-3.6.32/policy/modules/services/modemmanager.te 2010-02-16 17:07:08.660598103 +0100
+@@ -16,7 +16,7 @@
+ #
+ # ModemManager local policy
+ #
+-allow modemmanager_t self:capability { sys_admin sys_tty_config };
++allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
+ allow modemmanager_t self:process signal;
+ allow modemmanager_t self:fifo_file rw_file_perms;
+ allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.32/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2010-01-18 18:24:22.812540439 +0100
+++ serefpolicy-3.6.32/policy/modules/services/mta.if 2010-02-09 12:33:50.721866005 +0100
@@ -3496,7 +3793,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2010-01-18 18:24:22.819530575 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2010-02-08 11:12:04.320336459 +0100
++++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2010-02-17 16:21:10.049863655 +0100
@@ -44,7 +44,7 @@
# Local policy
#
@@ -3515,28 +3812,39 @@ diff -b -B --ignore-all-space --exclude-
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
+@@ -156,6 +158,7 @@
+
+ domain_read_all_domains_state(mysqld_safe_t)
+
++files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+ files_dontaudit_search_all_mountpoints(mysqld_safe_t)
+
+ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
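Review bot: files_dontaudit_getattr_all_dirs(mysqld_safe_t) is missing from the log message; add a bullet for it. A dontaudit silences the denial rather than fixing its cause, so a one-line comment saying what mysqld_safe (a shell script) is stat'ing would explain why silencing, next to the existing files_dontaudit_search_all_mountpoints line, is the right call rather than an allow.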
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2010-01-18 18:24:22.821530899 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-02-09 13:30:45.031616023 +0100
-@@ -23,30 +23,66 @@
++++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-02-15 12:58:59.258318229 +0100
+@@ -23,30 +23,68 @@
/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-
+# admin plugins
-+/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
# check disk plugins
/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
++
++# mail plugins
++/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
# system plugins
-/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
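Review bot: after this hunk check_file_age is the only entry under "# admin plugins" (check_mailq moves from nagios_admin_plugin_exec_t to the new nagios_mail_plugin_exec_t), so the admin type now exists for a single stat-based check. Either say so in the "# admin plugins" comment (for example "plugins that need to stat arbitrary paths") or give check_file_age a more descriptive type, otherwise the name suggests privileged administration that the matching domain in nagios.te does not actually get.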
@@ -3602,20 +3910,37 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-18 18:24:22.823530245 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-02-09 13:29:19.023616028 +0100
-@@ -45,6 +45,11 @@
++++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-02-16 22:43:30.246609111 +0100
+@@ -45,10 +45,18 @@
type nrpe_var_run_t;
files_pid_file(nrpe_var_run_t)
+# creates nagios_admin_plugin_exec_t for executable
+# and nagios_admin_plugin_t for domain
+nagios_plugin_template(admin)
-+permissive nagios_admin_plugin_t;
+
# creates nagios_checkdisk_plugin_exec_t for executable
# and nagios_checkdisk_plugin_t for domain
nagios_plugin_template(checkdisk)
-@@ -118,6 +123,9 @@
+
++# creates nagios_mail_plugin_exec_t for executable
++# and nagios_mail_plugin_t for domain
++nagios_plugin_template(mail)
++
+ # creates nagios_services_plugin_exec_t for executable
+ # and nagios_services_plugin_t for domain
+ nagios_plugin_template(services)
+@@ -66,7 +74,9 @@
+ unconfined_domain(nagios_unconfined_plugin_t)
+ ')
+
++permissive nagios_admin_plugin_t;
+ permissive nagios_checkdisk_plugin_t;
++permissive nagios_mail_plugin_t;
+ permissive nagios_services_plugin_t;
+ permissive nagios_system_plugin_t;
+
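Review bot: the two new permissive declarations ("permissive nagios_admin_plugin_t;" and "permissive nagios_mail_plugin_t;") mean the kernel logs but does not enforce denials for these domains, so the rules added for them elsewhere in this patch are not yet exercised by enforcement; the log message should state that the new mail domain is permissive, and there should be a follow-up to drop the lines once the AVC log is clean. Collecting all plugin permissive lines in one place is an improvement over the previous inline placement.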
+@@ -118,6 +128,9 @@
corenet_udp_sendrecv_all_ports(nagios_t)
corenet_tcp_connect_all_ports(nagios_t)
@@ -3625,23 +3950,15 @@ diff -b -B --ignore-all-space --exclude-
dev_read_sysfs(nagios_t)
dev_read_urand(nagios_t)
-@@ -264,6 +272,41 @@
+@@ -264,6 +277,77 @@
udev_read_db(nrpe_t)
')
-+######################################
++#####################################
+#
+# local policy for admin check plugins
+#
+
-+allow nagios_admin_plugin_t self:capability { setuid setgid dac_override };
-+
-+allow nagios_admin_plugin_t self:tcp_socket create_stream_socket_perms;
-+allow nagios_admin_plugin_t self:udp_socket create_socket_perms;
-+
-+kernel_read_system_state(nagios_admin_plugin_t)
-+kernel_read_kernel_sysctls(nagios_admin_plugin_t)
-+
+corecmd_read_bin_files(nagios_admin_plugin_t)
+corecmd_read_bin_symlinks(nagios_admin_plugin_t)
+
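Review bot: the banner "+#####################################" opening the admin section is one "#" shorter than the mail-plugin banner that follows and the file's other section headers; keep the widths identical. Removing the capability, socket, kernel, libs_use_*, syslog, sysnet and mta rules from nagios_admin_plugin_t is consistent with check_file_age now being the only binary of that type, but the block that replaces them (files_getattr_all_dirs through dev_getattr_all_blk_files, plus files_getattr_all_file_type_fs, i.e. statfs on every file type's filesystem) also grants getattr on sockets, pipes and char/block devices that a file-age check on regular files does not need; since the domain is permissive, run the real check_file_age targets and trim the list to the classes that show up in the AVC log before it goes enforcing. Also confirm that a domain without libs_use_ld_so/libs_use_lib_files still runs a dynamically linked plugin on this base policy.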
@@ -3649,25 +3966,69 @@ diff -b -B --ignore-all-space --exclude-
+
+files_read_etc_files(nagios_admin_plugin_t)
+
-+libs_use_lib_files(nagios_admin_plugin_t)
-+libs_use_ld_so(nagios_admin_plugin_t)
++# for check_file_age plugin
++files_getattr_all_dirs(nagios_admin_plugin_t)
++files_getattr_all_files(nagios_admin_plugin_t)
++files_getattr_all_symlinks(nagios_admin_plugin_t)
++files_getattr_all_pipes(nagios_admin_plugin_t)
++files_getattr_all_sockets(nagios_admin_plugin_t)
++files_getattr_all_file_type_fs(nagios_admin_plugin_t)
++dev_getattr_all_chr_files(nagios_admin_plugin_t)
++dev_getattr_all_blk_files(nagios_admin_plugin_t)
++
++######################################
++#
++# local policy for mail check plugins
++#
++
++allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
++
++allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
++allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
++allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
++
++kernel_read_system_state(nagios_mail_plugin_t)
++kernel_read_kernel_sysctls(nagios_mail_plugin_t)
++
++corecmd_read_bin_files(nagios_mail_plugin_t)
++corecmd_read_bin_symlinks(nagios_mail_plugin_t)
++
++dev_read_urand(nagios_mail_plugin_t)
+
-+logging_send_syslog_msg(nagios_admin_plugin_t)
++files_read_etc_files(nagios_mail_plugin_t)
+
-+sysnet_read_config(nagios_admin_plugin_t)
++libs_use_lib_files(nagios_mail_plugin_t)
++libs_use_ld_so(nagios_mail_plugin_t)
+
-+nscd_dontaudit_search_pid(nagios_admin_plugin_t)
++logging_send_syslog_msg(nagios_mail_plugin_t)
++
++sysnet_read_config(nagios_mail_plugin_t)
++
++nscd_dontaudit_search_pid(nagios_mail_plugin_t)
++
++optional_policy(`
++ exim_exec(nagios_mail_plugin_t)
++')
+
+optional_policy(`
-+ mta_read_config(nagios_admin_plugin_t)
-+ mta_list_queue(nagios_admin_plugin_t)
-+ mta_read_queue(nagios_admin_plugin_t)
-+ mta_sendmail_exec(nagios_admin_plugin_t)
++ mta_read_config(nagios_mail_plugin_t)
++ mta_list_queue(nagios_mail_plugin_t)
++ mta_read_queue(nagios_mail_plugin_t)
++ mta_sendmail_exec(nagios_mail_plugin_t)
+')
++
++optional_policy(`
++ postfix_stream_connect_master(nagios_mail_plugin_t)
++ posftix_exec_postqueue(nagios_mail_plugin_t)
++')
++
++optional_policy(`
++ qmail_exec_queue(nagios_mail_plugin_t)
++')
######################################
#
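Review bot: posftix_exec_postqueue(nagios_mail_plugin_t) calls the interface under its misspelled name; if the definition in postfix.if is corrected to postfix_exec_postqueue this call has to follow. On the design: mta_sendmail_exec, exim_exec, posftix_exec_postqueue and qmail_exec_queue all run the MTA queue tools inside nagios_mail_plugin_t, which is why the domain needs "self:capability { setuid setgid dac_override }", TCP/UDP sockets, kernel_read_kernel_sysctls and postfix_stream_connect_master. A domain transition would keep the plugin domain minimal; postfix.if already has one for postqueue (the "domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)" line in the context right above the new interface), so consider using that here and only falling back to exec-in-domain for MTAs that have no domain of their own.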
-@@ -315,6 +358,10 @@
+@@ -315,6 +399,10 @@
mysql_stream_connect(nagios_services_plugin_t)
')
@@ -3714,7 +4075,7 @@ diff -b -B --ignore-all-space --exclude-
+/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.32/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2010-01-18 18:24:22.828542614 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/nis.te 2010-01-29 09:57:06.796318812 +0100
++++ serefpolicy-3.6.32/policy/modules/services/nis.te 2010-02-16 16:52:00.477848263 +0100
@@ -47,6 +47,9 @@
type ypxfr_exec_t;
init_daemon_domain(ypxfr_t, ypxfr_exec_t)
@@ -3725,6 +4086,15 @@ diff -b -B --ignore-all-space --exclude-
type nis_initrc_exec_t;
init_script_file(nis_initrc_exec_t)
+@@ -56,7 +59,7 @@
+
+ dontaudit ypbind_t self:capability { net_admin sys_tty_config };
+ allow ypbind_t self:fifo_file rw_fifo_file_perms;
+-allow ypbind_t self:process signal_perms;
++allow ypbind_t self:process { signal_perms getsched };
+ allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
+ allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
+ allow ypbind_t self:tcp_socket create_stream_socket_perms;
@@ -312,6 +315,9 @@
allow ypxfr_t ypserv_conf_t:file read_file_perms;
@@ -3786,7 +4156,7 @@ diff -b -B --ignore-all-space --exclude-
miscfiles_read_localization(openvpn_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te
--- nsaserefpolicy/policy/modules/services/plymouth.te 2010-01-18 18:24:22.847540282 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2010-02-09 10:12:27.273913281 +0100
++++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2010-02-17 15:21:52.401613227 +0100
@@ -41,6 +41,19 @@
allow plymouthd_t self:fifo_file rw_fifo_file_perms;
allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
@@ -3807,7 +4177,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_system_state(plymouthd_t)
kernel_request_load_module(plymouthd_t)
kernel_change_ring_buffer_level(plymouthd_t)
-@@ -56,21 +69,9 @@
+@@ -56,32 +69,24 @@
files_read_usr_files(plymouthd_t)
miscfiles_read_localization(plymouthd_t)
@@ -3830,7 +4200,10 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# Plymouth private policy
-@@ -80,8 +81,11 @@
+ #
+
++allow plymouth_t self:capability dac_override;
+ allow plymouth_t self:process { signal };
allow plymouth_t self:fifo_file rw_file_perms;
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
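Review bot: "allow plymouth_t self:capability dac_override;" lets the plymouth client bypass file permission bits on every object; dac_override is usually a symptom of a file with the wrong owner or mode rather than a real need, and this change is not in the log message. Put the AVC (object class and path) in a comment above the rule, check whether fixing the target's ownership or label removes the need, and add a log bullet if the capability stays.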
@@ -3842,7 +4215,7 @@ diff -b -B --ignore-all-space --exclude-
domain_use_interactive_fds(plymouth_t)
files_read_etc_files(plymouth_t)
-@@ -90,6 +94,8 @@
+@@ -90,6 +95,8 @@
plymouth_stream_connect(plymouth_t)
@@ -3884,6 +4257,60 @@ diff -b -B --ignore-all-space --exclude-
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.32/policy/modules/services/postfix.if
+--- nsaserefpolicy/policy/modules/services/postfix.if 2010-01-18 18:24:22.853540347 +0100
++++ serefpolicy-3.6.32/policy/modules/services/postfix.if 2010-02-15 12:27:32.822569677 +0100
+@@ -395,6 +395,25 @@
+ can_exec($1, postfix_master_exec_t)
+ ')
+
++#######################################
++## <summary>
++## Connect to postfix master process using a unix domain stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`postfix_stream_connect_master',`
++ gen_require(`
++ type postfix_master_t, postfix_public_t;
++ ')
++
++stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Create a named socket in a postfix private directory.
+@@ -604,6 +623,24 @@
+ domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
+ ')
+
++#######################################
++## <summary>
++## Execute the master postqueue in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`posftix_exec_postqueue',`
++ gen_require(`
++ type postfix_postqueue_exec_t;
++ ')
++
++ can_exec($1, postfix_postqueue_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Execute the master postdrop in the
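Review bot: interface(`posftix_exec_postqueue', has postfix misspelled; rename it to postfix_exec_postqueue (and the caller in nagios.te) before this ships, since interface names are part of the policy's public API and a typo here becomes permanent once other modules depend on it. Also, the <rolecap/> tag on postfix_stream_connect_master marks a plain stream-connect interface as a role capability; that tag is meant for interfaces used as role capabilities (normally the *_run interfaces that take a role parameter), so drop it. Minor: the two new "#######################################" banners look one "#" narrower than the existing 40-wide ones beside them.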
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-18 18:24:22.855540671 +0100
+++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-18 18:27:02.768530934 +0100
@@ -3927,7 +4354,7 @@ diff -b -B --ignore-all-space --exclude-
/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.32/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2010-01-18 18:24:22.860530341 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/ppp.te 2010-02-10 13:44:03.868859469 +0100
++++ serefpolicy-3.6.32/policy/modules/services/ppp.te 2010-02-16 17:01:56.727848442 +0100
@@ -71,7 +71,7 @@
# PPPD Local policy
#
@@ -3945,7 +4372,15 @@ diff -b -B --ignore-all-space --exclude-
dev_read_urand(pppd_t)
dev_search_sysfs(pppd_t)
dev_read_sysfs(pppd_t)
-@@ -192,6 +193,10 @@
+@@ -167,6 +168,7 @@
+
+ auth_use_nsswitch(pppd_t)
+
++logging_send_audit_msgs(pppd_t)
+ logging_send_syslog_msg(pppd_t)
+
+ miscfiles_read_localization(pppd_t)
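Review bot: logging_send_audit_msgs(pppd_t) grants the audit_write capability plus a netlink audit socket, noticeably more than the syslog line below it; add a comment naming the code path that emits audit records (PAM in pppd's authentication path would be the usual one, which fits the auth_use_nsswitch line above) so the grant can be justified or removed later.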
+@@ -192,6 +194,10 @@
')
optional_policy(`
@@ -3968,9 +4403,37 @@ diff -b -B --ignore-all-space --exclude-
fs_rw_anon_inodefs_files(prelude_lml_t)
auth_use_nsswitch(prelude_lml_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.if serefpolicy-3.6.32/policy/modules/services/qmail.if
+--- nsaserefpolicy/policy/modules/services/qmail.if 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/qmail.if 2010-02-15 12:32:28.414320834 +0100
+@@ -99,6 +99,24 @@
+ ')
+ ')
+
++#####################################
++## <summary>
++## Execute the qmail_queue in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`qmail_exec_queue',`
++ gen_require(`
++ type qmail_queue_exec_t;
++ ')
++
++ can_exec($1, qmail_queue_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Read qmail configuration files.
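Review bot: the summary "Execute the qmail_queue in the caller domain" should name the binary as shipped (qmail-queue), and the "#####################################" banner is narrower than the 40-wide "########################################" used for the interface right after it; match the file's style. Confirm qmail_queue_exec_t is declared in qmail.te (not shown in this patch), otherwise the gen_require fails at build time.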
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.6.32/policy/modules/services/rgmanager.if
--- nsaserefpolicy/policy/modules/services/rgmanager.if 2010-01-18 18:24:22.870539995 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/rgmanager.if 2010-01-29 10:16:32.195864190 +0100
++++ serefpolicy-3.6.32/policy/modules/services/rgmanager.if 2010-02-17 12:16:40.504614881 +0100
@@ -16,7 +16,7 @@
')
@@ -3980,9 +4443,32 @@ diff -b -B --ignore-all-space --exclude-
')
+@@ -57,3 +57,22 @@
+ stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
+ ')
+
++#######################################
++## <summary>
++## Read/write rgmanager tmpfs files.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`rgmanager_manage_tmpfs_files',`
++ gen_require(`
++ type rgmanager_tmpfs_t;
++ ')
++
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
++ manage_lnk_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
++')
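Review bot: the summary of rgmanager_manage_tmpfs_files says "Read/write rgmanager tmpfs files" but the body uses manage_files_pattern and manage_lnk_files_pattern, which also allow create, unlink, rename, link and setattr; either change the summary to "Create, read, write and delete" to match, or, if the caller only needs read/write, use rw_files_pattern instead. The parameter text "The type of the process performing this action." also differs from the "Domain allowed access." wording used by the other new interfaces in this patch.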
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.6.32/policy/modules/services/rgmanager.te
--- nsaserefpolicy/policy/modules/services/rgmanager.te 2010-01-18 18:24:22.871540122 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/rgmanager.te 2010-02-04 21:16:05.525935129 +0100
++++ serefpolicy-3.6.32/policy/modules/services/rgmanager.te 2010-02-17 15:18:47.432864765 +0100
@@ -22,6 +22,9 @@
type rgmanager_tmp_t;
files_tmp_file(rgmanager_tmp_t)
@@ -4036,10 +4522,21 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
apache_domtrans(rgmanager_t)
+@@ -158,6 +168,10 @@
+ ')
+
+ optional_policy(`
++ ricci_dontaudit_rw_modcluster_pipes(rgmanager_t)
++')
++
++optional_policy(`
+ rpc_initrc_domtrans_nfsd(rgmanager_t)
+ rpc_initrc_domtrans_rpcd(rgmanager_t)
+
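Review bot: ricci_dontaudit_rw_modcluster_pipes(rgmanager_t) is called but not defined anywhere in this patch and ricci.if is not touched; make sure it already exists in ricci.if in the base patch, otherwise the module build fails on the undefined macro. Giving it its own optional_policy block is correct.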
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.6.32/policy/modules/services/rhcs.fc
--- nsaserefpolicy/policy/modules/services/rhcs.fc 2010-01-18 18:24:22.872542275 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/rhcs.fc 2010-02-04 14:38:28.643078705 +0100
-@@ -1,19 +1,19 @@
++++ serefpolicy-3.6.32/policy/modules/services/rhcs.fc 2010-02-17 15:54:23.838864423 +0100
+@@ -1,19 +1,20 @@
-/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -4049,6 +4546,7 @@ diff -b -B --ignore-all-space --exclude-
-/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
@@ -4065,8 +4563,18 @@ diff -b -B --ignore-all-space --exclude-
/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.6.32/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 2010-01-18 18:24:22.874530726 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/rhcs.te 2010-02-04 21:25:24.804186866 +0100
-@@ -126,12 +126,11 @@
++++ serefpolicy-3.6.32/policy/modules/services/rhcs.te 2010-02-17 15:13:44.349614415 +0100
+@@ -40,6 +40,9 @@
+ type fenced_tmpfs_t;
+ files_tmpfs_file(fenced_tmpfs_t)
+
++type fenced_lock_t;
++files_lock_file(fenced_lock_t)
++
+ # log files
+ type fenced_var_log_t;
+ logging_log_file(fenced_var_log_t)
+@@ -126,12 +128,11 @@
files_pid_filetrans(dlm_controld_t,dlm_controld_var_run_t, { file })
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
@@ -4081,7 +4589,7 @@ diff -b -B --ignore-all-space --exclude-
dev_rw_sysfs(dlm_controld_t)
fs_manage_configfs_files(dlm_controld_t)
-@@ -146,6 +145,12 @@
+@@ -146,6 +147,12 @@
miscfiles_read_localization(dlm_controld_t)
@@ -4094,7 +4602,25 @@ diff -b -B --ignore-all-space --exclude-
#######################################
#
# fenced local policy
-@@ -183,8 +188,6 @@
+@@ -166,12 +173,16 @@
+ # tmp files
+ manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+ manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+-files_tmp_filetrans(fenced_t, fenced_tmp_t, { file dir })
++manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
++files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+
+ manage_dirs_pattern(fenced_t, fenced_tmpfs_t, fenced_tmpfs_t)
+ manage_files_pattern(fenced_t, fenced_tmpfs_t, fenced_tmpfs_t)
+ fs_tmpfs_filetrans(fenced_t, fenced_tmpfs_t,{ dir file })
+
++manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
++files_lock_filetrans(fenced_t,fenced_lock_t,file)
++
+ # log files
+ manage_files_pattern(fenced_t, fenced_var_log_t,fenced_var_log_t)
+ logging_log_filetrans(fenced_t,fenced_var_log_t,{ file })
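Review bot: files_lock_filetrans(fenced_t,fenced_lock_t,file) lacks the spaces after commas that the other new line in this hunk uses (manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)); keep refpolicy style for new lines even where the older context lines do not. The lock rules agree with the new /var/lock/fence_manual\.lock entry in rhcs.fc, so labeling and creation match.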
+@@ -183,8 +194,6 @@
files_pid_filetrans(fenced_t,fenced_var_run_t, { file fifo_file })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -4103,7 +4629,15 @@ diff -b -B --ignore-all-space --exclude-
corecmd_exec_bin(fenced_t)
-@@ -214,9 +217,11 @@
+@@ -195,6 +204,7 @@
+ storage_raw_write_fixed_disk(fenced_t)
+ storage_raw_read_removable_device(fenced_t)
+
++term_getattr_pty_fs(fenced_t)
+ term_use_ptmx(fenced_t)
+
+ auth_use_nsswitch(fenced_t)
+@@ -214,9 +224,11 @@
optional_policy(`
ccs_read_config(fenced_t)
@@ -4115,7 +4649,7 @@ diff -b -B --ignore-all-space --exclude-
corosync_stream_connect(fenced_t)
')
-@@ -253,19 +258,17 @@
+@@ -253,19 +265,17 @@
manage_sock_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t)
files_pid_filetrans(gfs_controld_t,gfs_controld_var_run_t, { file })
@@ -4140,7 +4674,7 @@ diff -b -B --ignore-all-space --exclude-
dev_rw_sysfs(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
-@@ -278,6 +281,12 @@
+@@ -278,6 +288,12 @@
miscfiles_read_localization(gfs_controld_t)
optional_policy(`
@@ -4153,7 +4687,7 @@ diff -b -B --ignore-all-space --exclude-
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
')
-@@ -309,8 +318,6 @@
+@@ -309,8 +325,6 @@
manage_sock_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t)
files_pid_filetrans(groupd_t, groupd_var_run_t, { file })
@@ -4162,18 +4696,19 @@ diff -b -B --ignore-all-space --exclude-
dev_list_sysfs(groupd_t)
files_read_etc_files(groupd_t)
-@@ -326,6 +333,10 @@
+@@ -326,6 +340,11 @@
logging_send_syslog_msg(groupd_t)
+optional_policy(`
+ aisexec_stream_connect(groupd_t)
++ corosync_stream_connect(groupd_t)
+')
+
######################################
#
# qdiskd local policy
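Review bot: aisexec_stream_connect(groupd_t) and the new corosync_stream_connect(groupd_t) sit inside a single optional_policy block, so if either the aisexec or the corosync module is absent the whole block, including the interface for the module that is present, is dropped at link time. Refpolicy convention is one module per optional_policy block; split this into two.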
-@@ -359,9 +370,6 @@
+@@ -359,9 +378,6 @@
manage_sock_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t)
files_pid_filetrans(qdiskd_t,qdiskd_var_run_t, { file })
@@ -4183,18 +4718,55 @@ diff -b -B --ignore-all-space --exclude-
corecmd_getattr_sbin_files(qdiskd_t)
corecmd_exec_shell(qdiskd_t)
-@@ -399,6 +407,11 @@
+@@ -399,12 +415,19 @@
miscfiles_read_localization(qdiskd_t)
optional_policy(`
+- netutils_domtrans_ping(qdiskd_t)
+ aisexec_stream_connect(qdiskd_t)
++ corosync_stream_connect(qdiskd_t)
+ ')
+
+ optional_policy(`
+- udev_read_db(qdiskd_t)
+ ccs_stream_connect(qdiskd_t)
+ ')
+
++optional_policy(`
++ netutils_domtrans_ping(qdiskd_t)
+')
-+
+
+optional_policy(`
- netutils_domtrans_ping(qdiskd_t)
++ udev_read_db(qdiskd_t)
++')
+
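Review bot: same problem as in groupd above: aisexec_stream_connect(qdiskd_t) and corosync_stream_connect(qdiskd_t) share one optional_policy block, and so do the three ricci_* blocks in ricci.te that follow; each interface should get its own block so a missing aisexec module does not also drop the corosync access. The rest of this hunk already does it right by moving netutils_domtrans_ping and udev_read_db into separate blocks.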
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.32/policy/modules/services/ricci.te
+--- nsaserefpolicy/policy/modules/services/ricci.te 2010-01-18 18:24:22.875542796 +0100
++++ serefpolicy-3.6.32/policy/modules/services/ricci.te 2010-02-17 15:15:28.470864257 +0100
+@@ -231,6 +231,7 @@
+
+ optional_policy(`
+ aisexec_stream_connect(ricci_modcluster_t)
++ corosync_stream_connect(ricci_modcluster_t)
')
+ optional_policy(`
+@@ -319,6 +320,7 @@
+
+ optional_policy(`
+ aisexec_stream_connect(ricci_modclusterd_t)
++ corosync_stream_connect(ricci_modclusterd_t)
+ ')
+
+ optional_policy(`
+@@ -482,6 +484,7 @@
+
+ optional_policy(`
+ aisexec_stream_connect(ricci_modstorage_t)
++ corosync_stream_connect(ricci_modstorage_t)
+ ')
+
+ optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.32/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2010-01-18 18:24:22.880531210 +0100
+++ serefpolicy-3.6.32/policy/modules/services/rpc.te 2010-02-11 21:29:42.257440026 +0100
@@ -4209,7 +4781,7 @@ diff -b -B --ignore-all-space --exclude-
fs_read_rpc_files(rpcd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-02-09 10:52:45.543866160 +0100
++++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-02-16 17:22:07.619848238 +0100
@@ -208,7 +208,7 @@
files_read_usr_symlinks(samba_net_t)
@@ -4262,15 +4834,17 @@ diff -b -B --ignore-all-space --exclude-
allow swat_t nmbd_t:process { signal signull };
allow swat_t nmbd_exec_t:file mmap_file_perms;
-@@ -829,6 +835,7 @@
+@@ -828,7 +834,9 @@
+ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
++corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
+corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
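Review bot: corenet_tcp_connect_epmap_port(winbind_t) is not in the log message; add a bullet. It is needed on top of the existing corenet_tcp_connect_all_unreserved_ports line because the endpoint mapper port (135/tcp) is in the reserved range that rule does not cover; a short comment saying so would stop the next reader from treating it as redundant.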
-@@ -838,7 +845,7 @@
+@@ -838,7 +846,7 @@
auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
@@ -4851,7 +5425,7 @@ diff -b -B --ignore-all-space --exclude-
/var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.6.32/policy/modules/services/tuned.te
--- nsaserefpolicy/policy/modules/services/tuned.te 2010-01-18 18:24:22.909530847 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/tuned.te 2010-02-12 09:35:29.523875558 +0100
++++ serefpolicy-3.6.32/policy/modules/services/tuned.te 2010-02-15 12:09:29.413328973 +0100
@@ -13,6 +13,9 @@
type tuned_initrc_exec_t;
init_script_file(tuned_initrc_exec_t)
@@ -4882,7 +5456,7 @@ diff -b -B --ignore-all-space --exclude-
# to allow cpu tuning
dev_rw_netcontrol(tuned_t)
-@@ -46,6 +53,8 @@
+@@ -46,8 +53,14 @@
userdom_dontaudit_search_user_home_dirs(tuned_t)
@@ -4890,7 +5464,13 @@ diff -b -B --ignore-all-space --exclude-
+
miscfiles_read_localization(tuned_t)
++optional_policy(`
++ gnome_dontaudit_search_config(tuned_t)
++')
++
# to allow disk tuning
+ optional_policy(`
+ fstools_domtrans(tuned_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.6.32/policy/modules/services/ucspitcp.te
--- nsaserefpolicy/policy/modules/services/ucspitcp.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/ucspitcp.te 2010-02-11 14:18:05.345868624 +0100
@@ -5140,7 +5720,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-02-12 16:53:54.085716333 +0100
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-02-16 22:51:37.723859395 +0100
@@ -253,6 +253,7 @@
allow xdm_t iceauth_home_t:file read_file_perms;
@@ -5149,7 +5729,7 @@ diff -b -B --ignore-all-space --exclude-
fs_search_auto_mountpoints(iceauth_t)
-@@ -301,6 +302,11 @@
+@@ -301,6 +302,13 @@
manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
@@ -5157,11 +5737,13 @@ diff -b -B --ignore-all-space --exclude-
+
+stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+
++corenet_tcp_connect_xserver_port(xauth_t)
++
+domain_dontaudit_leaks(xauth_t)
domain_use_interactive_fds(xauth_t)
dev_rw_xserver_misc(xauth_t)
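Review bot: corenet_tcp_connect_xserver_port(xauth_t) lets xauth open TCP connections to the X server port range on any host, not only the local socket that the stream_connect_pattern line above already covers, and the change is not in the log message. Add a comment with the operation that needed it (xauth generate against a TCP display is the likely one) and a log bullet.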
-@@ -309,8 +315,12 @@
+@@ -309,8 +317,12 @@
files_read_usr_files(xauth_t)
files_search_pids(xauth_t)
files_dontaudit_getattr_all_dirs(xauth_t)
@@ -5174,7 +5756,7 @@ diff -b -B --ignore-all-space --exclude-
fs_search_auto_mountpoints(xauth_t)
# cjp: why?
-@@ -341,6 +351,7 @@
+@@ -341,6 +353,7 @@
term_dontaudit_use_unallocated_ttys(xauth_t)
dev_dontaudit_rw_dri(xauth_t)
dev_dontaudit_rw_generic_dev_nodes(xauth_t)
@@ -5182,7 +5764,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -373,6 +384,8 @@
+@@ -373,6 +386,8 @@
allow xdm_t self:appletalk_socket create_socket_perms;
allow xdm_t self:key { search link write };
@@ -5191,7 +5773,7 @@ diff -b -B --ignore-all-space --exclude-
allow xdm_t xauth_home_t:file manage_file_perms;
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
-@@ -506,6 +519,7 @@
+@@ -506,6 +521,7 @@
dev_dontaudit_rw_misc(xdm_t)
dev_getattr_video_dev(xdm_t)
dev_setattr_video_dev(xdm_t)
@@ -5199,7 +5781,7 @@ diff -b -B --ignore-all-space --exclude-
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
dev_read_sound(xdm_t)
-@@ -582,6 +596,7 @@
+@@ -582,6 +598,7 @@
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
userdom_stream_connect(xdm_t)
@@ -5207,7 +5789,7 @@ diff -b -B --ignore-all-space --exclude-
userdom_manage_user_tmp_dirs(xdm_t)
userdom_manage_user_tmp_sockets(xdm_t)
userdom_manage_tmpfs_role(system_r, xdm_t)
-@@ -668,6 +683,7 @@
+@@ -668,6 +685,7 @@
optional_policy(`
gnome_read_gconf_config(xdm_t)
@@ -5215,7 +5797,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -675,6 +691,10 @@
+@@ -675,6 +693,10 @@
')
optional_policy(`
@@ -5226,7 +5808,7 @@ diff -b -B --ignore-all-space --exclude-
loadkeys_exec(xdm_t)
')
-@@ -712,6 +732,7 @@
+@@ -712,6 +734,7 @@
optional_policy(`
pulseaudio_exec(xdm_t)
pulseaudio_dbus_chat(xdm_t)
@@ -5710,18 +6292,28 @@ diff -b -B --ignore-all-space --exclude-
# the ipsec wrapper wants to run /usr/bin/logger (should we put
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.6.32/policy/modules/system/iptables.if
--- nsaserefpolicy/policy/modules/system/iptables.if 2010-01-18 18:24:22.941530168 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/iptables.if 2010-02-09 10:36:30.616615893 +0100
-@@ -67,6 +67,13 @@
++++ serefpolicy-3.6.32/policy/modules/system/iptables.if 2010-02-15 18:56:51.198318435 +0100
+@@ -17,6 +17,10 @@
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, iptables_exec_t, iptables_t)
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit iptables_t $1:socket_class_set { read write };
++ ')
+ ')
+
+ #####################################
+@@ -67,6 +71,12 @@
optional_policy(`
modutils_run_insmod(iptables_t, $2)
')
+
-+ifdef(`hide_broken_symptoms', `
-+ dontaudit iptables_t $1:unix_stream_socket rw_socket_perms;
-+ dontaudit iptables_t $1:tcp_socket rw_socket_perms;
-+ dontaudit iptables_t $1:udp_socket rw_socket_perms;
-+')
-+
++ ifdef(`hide_broken_symptoms', `
++ dontaudit iptables_t $1:unix_stream_socket rw_socket_perms;
++ dontaudit iptables_t $1:tcp_socket rw_socket_perms;
++ dontaudit iptables_t $1:udp_socket rw_socket_perms;
++ ')
')
########################################
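Review bot: the two hide_broken_symptoms blocks now dontaudit different things: the domtrans interface uses socket_class_set with { read write }, while the run interface below keeps unix_stream_socket, tcp_socket and udp_socket with rw_socket_perms. Since a run interface normally calls the domtrans one, pick a single set (socket_class_set with rw_socket_perms in the domtrans interface covers both) and drop the other, so there is one place to remove when the leaked descriptors in the callers are fixed.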
@@ -5814,7 +6406,7 @@ diff -b -B --ignore-all-space --exclude-
domain_read_all_domains_state(iscsid_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-02-10 12:10:25.609868564 +0100
++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-02-15 20:42:14.719317823 +0100
@@ -245,8 +245,12 @@
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -5891,13 +6483,31 @@ diff -b -B --ignore-all-space --exclude-
',`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.32/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2010-01-18 18:24:22.949542779 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/logging.fc 2010-02-01 20:28:30.386409309 +0100
-@@ -69,3 +69,5 @@
++++ serefpolicy-3.6.32/policy/modules/system/logging.fc 2010-02-16 17:27:23.944598052 +0100
+@@ -24,6 +24,8 @@
+ /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
++/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++
+ /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+ /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+
+@@ -63,9 +65,14 @@
+ /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+ /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+
++/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+ /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
+ /var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0)
+ /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
++/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.32/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2010-01-18 18:24:22.950540043 +0100
+++ serefpolicy-3.6.32/policy/modules/system/logging.if 2010-02-09 12:55:48.458629829 +0100
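Review bot: `/opt/zimbra/log(/.*)?` is appended after `/var/webmin(/.*)?` at the end of logging.fc, out of the path order the rest of the file keeps (the new `/usr/local/centreon/log(/.*)?` and `/var/spool/bacula/log(/.*)?` entries are slotted in correctly between `/usr/sbin` and `/var/lib`, and between `/var/run` and `/var/spool/postfix`); move the zimbra line up with the other non-`/var` paths. All three directories get the generic `var_log_t`, so every domain allowed to read or manage generic logs reaches them; that matches the changelog intent, but an application-specific log type would be the tighter choice if any of these daemons get their own domain later.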
@@ -5959,6 +6569,25 @@ diff -b -B --ignore-all-space --exclude-
udev_read_db(syslogd_t)
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.32/policy/modules/system/lvm.te
+--- nsaserefpolicy/policy/modules/system/lvm.te 2010-01-18 18:24:22.953540006 +0100
++++ serefpolicy-3.6.32/policy/modules/system/lvm.te 2010-02-17 15:17:15.102863378 +0100
+@@ -143,6 +143,7 @@
+
+ optional_policy(`
+ aisexec_stream_connect(clvmd_t)
++ corosync_stream_connect(clvmd_t)
+ ')
+
+ optional_policy(`
+@@ -317,6 +318,7 @@
+
+ optional_policy(`
+ aisexec_stream_connect(lvm_t)
++ corosync_stream_connect(lvm_t)
+ ')
+
+ optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-01-18 18:24:22.955540050 +0100
+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-22 16:24:01.851857861 +0100
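Review bot: `corosync_stream_connect(clvmd_t)` and `corosync_stream_connect(lvm_t)` are added inside the existing `optional_policy` blocks that already hold `aisexec_stream_connect(...)`; an optional block is disabled as a whole when any interface it contains cannot be resolved, so if only one of the aisexec and corosync modules is present the other's connect permission is lost too. Give corosync its own `optional_policy(` ... `')` block in both places (`@@ -143,6 +143,7 @@` and `@@ -317,6 +318,7 @@`).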
@@ -6014,6 +6643,20 @@ diff -b -B --ignore-all-space --exclude-
kernel_rw_kernel_sysctl(insmod_t)
kernel_read_hotplug_sysctls(insmod_t)
kernel_setsched(insmod_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.32/policy/modules/system/mount.if
+--- nsaserefpolicy/policy/modules/system/mount.if 2010-01-18 18:24:22.960539988 +0100
++++ serefpolicy-3.6.32/policy/modules/system/mount.if 2010-02-17 16:23:56.866863904 +0100
+@@ -17,6 +17,10 @@
+
+ domtrans_pattern($1, mount_exec_t, mount_t)
+ mount_domtrans_fusermount($1)
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit mount_t $1:socket_class_set { read write };
++ ')
+ ')
+
+ ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2010-01-18 18:24:22.961540534 +0100
+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-02-11 21:24:42.750703041 +0100
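Review bot: the `dontaudit mount_t $1:socket_class_set { read write };` added to the domtrans interface covers only `mount_t`, while the same interface also calls `mount_domtrans_fusermount($1)`; a caller that leaks a socket descriptor across that second transition will still produce denials, so either the fusermount interface needs the same `hide_broken_symptoms` treatment or the hunk should note why it does not. As with the iptables and ifconfig hunks, a comment naming the leaking caller would let the rule be dropped once the leak is fixed.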
@@ -6072,6 +6715,20 @@ diff -b -B --ignore-all-space --exclude-
miscfiles_read_localization(load_policy_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.32/policy/modules/system/sysnetwork.if
+--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-01-18 18:24:22.969542320 +0100
++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if 2010-02-16 16:50:00.011598570 +0100
+@@ -430,6 +430,10 @@
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit ifconfig_t $1:socket_class_set { read write };
++ ')
+ ')
+
+ ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.32/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-01-18 18:24:22.971530073 +0100
+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2010-01-27 18:34:03.409614110 +0100
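Review bot: this is the third copy of the same `ifdef(`hide_broken_symptoms', ... dontaudit <domain> $1:socket_class_set { read write }; ')` block in one patch refresh (iptables.if, mount.if, sysnetwork.if); the interface summaries in these files should say that the interface dontaudits leaked socket descriptors from the caller, since a reader of the `.if` documentation will otherwise not know that denials from `$1`'s sockets are being suppressed. The indentation here matches the surrounding interface body, unlike the pre-fix iptables block, so that part is consistent.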
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.1021
retrieving revision 1.1022
diff -u -p -r1.1021 -r1.1022
--- selinux-policy.spec 12 Feb 2010 16:52:06 -0000 1.1021
+++ selinux-policy.spec 17 Feb 2010 15:52:13 -0000 1.1022
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 90%{?dist}
+Release: 91%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,17 @@ exit 0
%endif
%changelog
+* Wed Feb 17 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-91
+- Add label for /opt/zimbra/log directory
+- Add label for /usr/local/centreon/log directory
+- Add label for /var/spool/bacula/log directory
+- Add nagios_mail_plugin type for nagios mail plugins
+- Do not audit attempts to search the network state directory for locate
+- Allow ping read and write the console, all ttys and all ptys
+- Allow pppd to send audit messages
+- Allow modemmanager net_admin capability
+- Fixes for cluster policy
+
* Fri Feb 12 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-90
- Allow dnsmasq to create log file
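Review bot: the changelog entry "Fixes for cluster policy" is the only vague item in the list; the visible lvm.te hunks add `corosync_stream_connect` for `clvmd_t` and `lvm_t`, so say that. The `hide_broken_symptoms` dontaudits added to iptables.if, mount.if and sysnetwork.if are not mentioned at all, and "Allow ping read and write the console" should read "Allow ping to read and write the console".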