[selinux-policy/f14/master] - Allow mysqld-safe to send system log messages - Fix label for lxdm.sock - Fixes for ddclient polic
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Nov 15 17:17:57 UTC 2010
commit ecbe1071fef8772e74d581453292c777684ca69b
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Nov 15 18:17:46 2010 +0100
- Allow mysqld-safe to send system log messages
- Fix label for lxdm.sock
- Fixes for ddclient policy
- Allow munin plugins to search /var/lib directory
- Allow gpsd to read sysfs_t
- Add label for acroread
- Add dirsrv and dirsrv-admin policy
- Allow saslauthd_t to create krb5_host_rcache_t files in /tmp
modules-targeted.conf | 14 +
policy-F14.patch | 1194 +++++++++++++++++++++++++++++++++++++++++++------
selinux-policy.spec | 13 +-
3 files changed, 1094 insertions(+), 127 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index bb443b5..c702919 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -202,6 +202,20 @@ bind = module
bugzilla = module
# Layer: services
+# Module: dirsrv
+#
+# An 309 directory server
+#
+dirsrv = module
+
+# Layer: services
+# Module: dirsrv-admin
+#
+# An 309 directory admin server
+#
+dirsrv-admin = module
+
+# Layer: services
# Module: dnsmasq
#
# A lightweight DHCP and caching DNS server.
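Review bot: The two new module descriptions read `An 309 directory server` / `An 309 directory admin server`, which is both a grammar slip and, as far as I can tell, a transposed product name — dirsrv is the 389 Directory Server. Suggest `# The 389 Directory Server` and `# The 389 Directory Server administration server` so the comment matches the name an administrator would search for when deciding whether to enable the modules. The surrounding entries in this file describe each module with the product's proper name, so this also keeps the file consistent.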
diff --git a/policy-F14.patch b/policy-F14.patch
index 4aef10f..cadd856 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -990,7 +990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.9.7/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2010-10-12 22:42:51.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/admin/rpm.if 2010-11-05 14:02:26.417649691 +0100
++++ serefpolicy-3.9.7/policy/modules/admin/rpm.if 2010-11-11 15:55:47.688148574 +0100
@@ -13,10 +13,13 @@
interface(`rpm_domtrans',`
gen_require(`
@@ -1079,15 +1079,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
')
########################################
-@@ -459,6 +506,7 @@
+@@ -459,6 +506,25 @@
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+ rpm_read_cache($1)
++')
++
++#######################################
++## <summary>
++## Dontaudit search the RPM package database.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rpm_dontaudit_search_db',`
++ gen_require(`
++ type rpm_var_lib_t;
++ ')
++
++ dontaudit $1 rpm_var_lib_t:dir list_dir_perms;
')
########################################
-@@ -576,3 +624,66 @@
+@@ -576,3 +642,66 @@
files_pid_filetrans($1, rpm_var_run_t, file)
')
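Review bot: The new `rpm_dontaudit_search_db` interface is named and documented as dontauditing a search of the package database, but the rule it adds uses `list_dir_perms`, which also silences denials for read, lock and ioctl on `rpm_var_lib_t` directories, so it hides more than its name and summary promise. Either narrow the rule to `dontaudit $1 rpm_var_lib_t:dir search_dir_perms;` or rename the interface and its summary to say "list" so callers know what is being suppressed. The only caller in this commit is `firewallgui_t` in the firewallgui.te hunk further down; whether it only traverses the directory or actually lists it is not visible here, so the narrower form should be confirmed against the denial that motivated it.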
@@ -1991,8 +2009,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.9.7/policy/modules/apps/execmem.fc
--- nsaserefpolicy/policy/modules/apps/execmem.fc 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.9.7/policy/modules/apps/execmem.fc 2010-11-05 14:02:26.433649413 +0100
-@@ -0,0 +1,49 @@
++++ serefpolicy-3.9.7/policy/modules/apps/execmem.fc 2010-11-15 14:08:19.076399833 +0100
+@@ -0,0 +1,50 @@
+
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -2034,6 +2052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/thunderbird-[^/]+/thunderbird-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
++/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Application -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
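Review bot: The acroread entry is pinned to the `Reader9` install prefix, while the neighbouring Adobe AIR entries and most of this file use patterns that tolerate a version change, so the next Reader release would silently lose the `execmem_exec_t` label and fall back to the default context. A version-tolerant pattern such as `/opt/Adobe/Reader[0-9]+/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)` matches the style of the surrounding rules. Since this label is what grants the binary the execmem exception, keeping it from rotting on upgrade is worth the one-character change.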
@@ -2224,8 +2243,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.9.7/policy/modules/apps/firewallgui.te
--- nsaserefpolicy/policy/modules/apps/firewallgui.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.9.7/policy/modules/apps/firewallgui.te 2010-11-05 14:02:26.436649566 +0100
-@@ -0,0 +1,66 @@
++++ serefpolicy-3.9.7/policy/modules/apps/firewallgui.te 2010-11-10 15:20:58.931148384 +0100
+@@ -0,0 +1,69 @@
+policy_module(firewallgui,1.0.0)
+
+########################################
@@ -2292,6 +2311,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
+ policykit_dbus_chat(firewallgui_t)
+')
+
++optional_policy(`
++ rpm_dontaudit_search_db(firewallgui_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.9.7/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-10-12 22:42:50.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/apps/gnome.fc 2010-11-05 14:02:26.437649221 +0100
@@ -3904,7 +3926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.9.7/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/apps/mozilla.te 2010-11-05 14:02:26.457912127 +0100
++++ serefpolicy-3.9.7/policy/modules/apps/mozilla.te 2010-11-15 17:36:29.517396921 +0100
@@ -25,6 +25,7 @@
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
@@ -3975,7 +3997,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,127 @@
+@@ -266,3 +291,128 @@
optional_policy(`
thunderbird_domtrans(mozilla_t)
')
@@ -4046,6 +4068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
+
+miscfiles_read_localization(mozilla_plugin_t)
+miscfiles_read_fonts(mozilla_plugin_t)
++miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
+
+sysnet_dns_name_resolve(mozilla_plugin_t)
+
@@ -9329,7 +9352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+/dev/hugepages(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.9.7/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/kernel/filesystem.if 2010-11-05 14:02:26.548899958 +0100
++++ serefpolicy-3.9.7/policy/modules/kernel/filesystem.if 2010-11-10 17:07:51.566398029 +0100
@@ -646,11 +646,31 @@
')
@@ -9641,7 +9664,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Read removable storage symbolic links.
## </summary>
## <param name="domain">
-@@ -2845,7 +3019,7 @@
+@@ -2653,6 +2827,25 @@
+ read_lnk_files_pattern($1, removable_t, removable_t)
+ ')
+
++#######################################
++## <summary>
++## Read block nodes on removable filesystems.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_read_removable_blk_files',`
++ gen_require(`
++ type removable_t;
++ ')
++
++ allow $1 removable_t:dir list_dir_perms;
++ read_blk_files_pattern($1, removable_t, removable_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Read and write block nodes on removable filesystems.
+@@ -2845,7 +3038,7 @@
#########################################
## <summary>
## Create, read, write, and delete symbolic links
@@ -9650,7 +9699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## </summary>
## <param name="domain">
## <summary>
-@@ -3970,6 +4144,42 @@
+@@ -3970,6 +4163,42 @@
########################################
## <summary>
@@ -9693,7 +9742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4252,6 +4462,8 @@
+@@ -4252,6 +4481,8 @@
')
allow $1 filesystem_type:filesystem mount;
@@ -9702,7 +9751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
########################################
-@@ -4662,3 +4874,24 @@
+@@ -4662,3 +4893,24 @@
typeattribute $1 filesystem_unconfined_type;
')
@@ -13703,7 +13752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.9.7/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/apache.te 2010-11-05 14:02:26.586899847 +0100
++++ serefpolicy-3.9.7/policy/modules/services/apache.te 2010-11-15 17:44:58.604398337 +0100
@@ -18,130 +18,195 @@
# Declarations
#
@@ -13739,7 +13788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
-## Allow httpd to use built in scripting (usually php)
-## </p>
+## <p>
-+## Allow Apache to use mod_auth_pam
++## Allow Apache to use mod_auth_ntlm_winbind
+## </p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
@@ -14294,18 +14343,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +789,10 @@
+@@ -603,6 +789,11 @@
yam_read_content(httpd_t)
')
+optional_policy(`
+ zarafa_stream_connect_server(httpd_t)
++ zarafa_search_config(httpd_t)
+')
+
########################################
#
# Apache helper local policy
-@@ -618,6 +808,10 @@
+@@ -618,6 +809,10 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -14316,7 +14366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -654,28 +848,27 @@
+@@ -654,28 +849,27 @@
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -14357,7 +14407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -699,17 +892,22 @@
+@@ -699,17 +893,22 @@
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -14383,7 +14433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +938,20 @@
+@@ -740,10 +939,20 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -14405,7 +14455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +977,25 @@
+@@ -769,6 +978,25 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -14431,7 +14481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
-@@ -792,9 +1019,13 @@
+@@ -792,9 +1020,13 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -14445,7 +14495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,6 +1034,33 @@
+@@ -803,6 +1035,33 @@
mta_send_mail(httpd_sys_script_t)
')
@@ -14479,7 +14529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -822,7 +1080,7 @@
+@@ -822,7 +1081,7 @@
')
tunable_policy(`httpd_enable_homedirs',`
@@ -14488,7 +14538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -830,6 +1088,20 @@
+@@ -830,6 +1089,20 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -14509,7 +14559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1114,20 @@
+@@ -842,10 +1115,20 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -14530,7 +14580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -891,11 +1173,21 @@
+@@ -891,11 +1174,21 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -18262,7 +18312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
admin_pattern($1, ptal_etc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.9.7/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/cups.te 2010-11-05 14:02:26.626900164 +0100
++++ serefpolicy-3.9.7/policy/modules/services/cups.te 2010-11-11 16:08:04.089399299 +0100
@@ -15,6 +15,7 @@
type cupsd_t;
type cupsd_exec_t;
@@ -18352,7 +18402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
-@@ -587,14 +599,16 @@
+@@ -587,14 +599,17 @@
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
@@ -18360,6 +18410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
userdom_home_filetrans_user_home_dir(cups_pdf_t)
+userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
++userdom_read_user_home_content_symlinks(cups_pdf_t)
userdom_manage_user_home_content_dirs(cups_pdf_t)
userdom_manage_user_home_content_files(cups_pdf_t)
+userdom_dontaudit_search_admin_dir(cups_pdf_t)
@@ -18370,7 +18421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
tunable_policy(`use_nfs_home_dirs',`
fs_search_auto_mountpoints(cups_pdf_t)
fs_manage_nfs_dirs(cups_pdf_t)
-@@ -606,6 +620,10 @@
+@@ -606,6 +621,10 @@
fs_manage_cifs_files(cups_pdf_t)
')
@@ -18381,7 +18432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
########################################
#
# HPLIP local policy
-@@ -639,7 +657,7 @@
+@@ -639,7 +658,7 @@
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -18390,7 +18441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +703,7 @@
+@@ -685,6 +704,7 @@
files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
@@ -18717,6 +18768,54 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddcl
')
allow $1 ddclient_t:process { ptrace signal_perms };
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.te serefpolicy-3.9.7/policy/modules/services/ddclient.te
+--- nsaserefpolicy/policy/modules/services/ddclient.te 2010-10-12 22:42:48.000000000 +0200
++++ serefpolicy-3.9.7/policy/modules/services/ddclient.te 2010-11-15 11:18:57.018407486 +0100
+@@ -18,6 +18,9 @@
+ type ddclient_log_t;
+ logging_log_file(ddclient_log_t)
+
++type ddclient_tmp_t;
++files_tmp_file(ddclient_tmp_t)
++
+ type ddclient_var_t;
+ files_type(ddclient_var_t)
+
+@@ -37,12 +40,16 @@
+ allow ddclient_t self:fifo_file rw_fifo_file_perms;
+ allow ddclient_t self:tcp_socket create_socket_perms;
+ allow ddclient_t self:udp_socket create_socket_perms;
++allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
+
+ allow ddclient_t ddclient_etc_t:file read_file_perms;
+
+ allow ddclient_t ddclient_log_t:file manage_file_perms;
+ logging_log_filetrans(ddclient_t, ddclient_log_t, file)
+
++manage_files_pattern(ddclient_t, ddclient_tmp_t, ddclient_tmp_t)
++files_tmp_filetrans(ddclient_t, ddclient_tmp_t, { file })
++
+ manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+ manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+ manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+@@ -72,6 +79,8 @@
+ corenet_udp_sendrecv_generic_if(ddclient_t)
+ corenet_tcp_sendrecv_generic_node(ddclient_t)
+ corenet_udp_sendrecv_generic_node(ddclient_t)
++corenet_tcp_bind_generic_node(ddclient_t)
++corenet_udp_bind_generic_node(ddclient_t)
+ corenet_tcp_sendrecv_all_ports(ddclient_t)
+ corenet_udp_sendrecv_all_ports(ddclient_t)
+ corenet_tcp_connect_all_ports(ddclient_t)
+@@ -89,6 +98,8 @@
+ fs_getattr_all_fs(ddclient_t)
+ fs_search_auto_mountpoints(ddclient_t)
+
++mta_send_mail(ddclient_t)
++
+ logging_send_syslog_msg(ddclient_t)
+
+ miscfiles_read_localization(ddclient_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.9.7/policy/modules/services/denyhosts.if
--- nsaserefpolicy/policy/modules/services/denyhosts.if 2010-10-12 22:42:48.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/services/denyhosts.if 2010-11-05 14:02:26.632899981 +0100
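Review bot: `corenet_tcp_bind_generic_node(ddclient_t)` and `corenet_udp_bind_generic_node(ddclient_t)` are added with no accompanying port-bind permission, so their effect is limited to binding unreserved ephemeral ports, and nothing in the hunk says why a dynamic-DNS client needs to bind at all — the same goes for the new `netlink_route_socket` rule, which presumably serves interface/address lookup but is undocumented. A short why-comment above each group, e.g. `# ddclient binds a local socket for <reason observed in the denial> -- TODO confirm`, would stop the next maintainer from treating them as dead rules or widening them further. Separately, `files_tmp_filetrans(ddclient_t, ddclient_tmp_t, { file })` only transitions plain files and the matching `manage_files_pattern` covers no directories; if that is deliberate, a comment saying ddclient creates only files under /tmp would make the narrow scope intentional rather than accidental.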
@@ -19085,6 +19184,613 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
dbus_system_bus_client(dhcpd_t)
dbus_connect_system_bus(dhcpd_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv-admin.fc serefpolicy-3.9.7/policy/modules/services/dirsrv-admin.fc
+--- nsaserefpolicy/policy/modules/services/dirsrv-admin.fc 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.9.7/policy/modules/services/dirsrv-admin.fc 2010-11-15 14:18:25.094399316 +0100
+@@ -0,0 +1,11 @@
++/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
++
++/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
++
++/usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
++/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
++/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
++
++/usr/lib64/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
++/usr/lib64/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv-admin.if serefpolicy-3.9.7/policy/modules/services/dirsrv-admin.if
+--- nsaserefpolicy/policy/modules/services/dirsrv-admin.if 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.9.7/policy/modules/services/dirsrv-admin.if 2010-11-15 14:18:25.095399878 +0100
+@@ -0,0 +1,95 @@
++## <summary>Administration Server for Directory Server, dirsrv-admin.</summary>
++
++########################################
++## <summary>
++## Exec dirsrv-admin programs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrvadmin_run_exec',`
++ gen_require(`
++ type dirsrvadmin_exec_t;
++ ')
++
++ allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
++ can_exec($1, dirsrvadmin_exec_t)
++')
++
++########################################
++## <summary>
++## Exec cgi programs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrvadmin_run_httpd_script_exec',`
++ gen_require(`
++ type httpd_dirsrvadmin_script_exec_t;
++ ')
++
++ allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
++ can_exec($1, httpd_dirsrvadmin_script_exec_t)
++')
++
++########################################
++## <summary>
++## Manage dirsrv-adminserver configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrvadmin_read_config',`
++ gen_require(`
++ type dirsrvadmin_config_t;
++ ')
++
++ read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t)
++')
++
++########################################
++## <summary>
++## Manage dirsrv-adminserver configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrvadmin_manage_config',`
++ gen_require(`
++ type dirsrvadmin_config_t;
++ ')
++
++ allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
++ allow $1 dirsrvadmin_config_t:file manage_file_perms;
++')
++
++########################################
++## <summary>
++## Manage dirsrv-adminserver tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrvadmin_manage_tmp',`
++ gen_require(`
++ type dirsrvadmin_tmp_t;
++ ')
++
++ manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv-admin.te serefpolicy-3.9.7/policy/modules/services/dirsrv-admin.te
+--- nsaserefpolicy/policy/modules/services/dirsrv-admin.te 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.9.7/policy/modules/services/dirsrv-admin.te 2010-11-15 14:18:25.095399878 +0100
+@@ -0,0 +1,92 @@
++policy_module(dirsrv-admin,1.0.0)
++
++########################################
++#
++# Declarations for the daemon
++#
++
++type dirsrvadmin_t;
++type dirsrvadmin_exec_t;
++init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t)
++role system_r types dirsrvadmin_t;
++
++type dirsrvadmin_config_t;
++files_type(dirsrvadmin_config_t)
++
++type dirsrvadmin_tmp_t;
++files_tmp_file(dirsrvadmin_tmp_t)
++
++########################################
++#
++# Local policy for the daemon
++#
++allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
++allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config };
++
++manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir })
++
++kernel_read_system_state(dirsrvadmin_t)
++
++corecmd_exec_bin(dirsrvadmin_t)
++corecmd_read_bin_symlinks(dirsrvadmin_t)
++corecmd_search_bin(dirsrvadmin_t)
++corecmd_shell_entry_type(dirsrvadmin_t)
++
++files_exec_etc_files(dirsrvadmin_t)
++
++logging_search_logs(dirsrvadmin_t)
++
++miscfiles_read_localization(dirsrvadmin_t)
++
++# Needed for stop and restart scripts
++dirsrv_read_var_run(dirsrvadmin_t)
++
++apache_domtrans(dirsrvadmin_t)
++apache_signal(dirsrvadmin_t)
++
++########################################
++#
++# Local policy for the CGIs
++#
++#
++#
++# Create a domain for the CGI scripts
++apache_content_template(dirsrvadmin)
++
++allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
++allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
++allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
++allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
++allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
++allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
++allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
++
++kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
++
++corenet_sendrecv_unlabeled_packets(httpd_dirsrvadmin_script_t)
++corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
++corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
++corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
++
++files_search_var_lib(httpd_dirsrvadmin_script_t)
++
++sysnet_read_config(httpd_dirsrvadmin_script_t)
++
++manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
++
++# The CGI scripts must be able to manage dirsrv-admin
++dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
++dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
++dirsrv_domtrans(httpd_dirsrvadmin_script_t)
++dirsrv_signal(httpd_dirsrvadmin_script_t)
++dirsrv_signull(httpd_dirsrvadmin_script_t)
++dirsrv_manage_log(httpd_dirsrvadmin_script_t)
++dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
++dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
++dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
++dirsrv_manage_config(httpd_dirsrvadmin_script_t)
++dirsrv_read_share(httpd_dirsrvadmin_script_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.fc serefpolicy-3.9.7/policy/modules/services/dirsrv.fc
+--- nsaserefpolicy/policy/modules/services/dirsrv.fc 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.9.7/policy/modules/services/dirsrv.fc 2010-11-15 14:18:25.095399878 +0100
+@@ -0,0 +1,20 @@
++/etc/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_config_t,s0)
++
++/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
++/usr/sbin/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/usr/sbin/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
++/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
++
++/usr/share/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_share_t,s0)
++
++/var/run/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_run_t,s0)
++/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
++
++/var/lib/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
++
++/var/lock/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
++
++/var/log/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_log_t,s0)
++
++/var/log/dirsrv/ldap-agent.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.if serefpolicy-3.9.7/policy/modules/services/dirsrv.if
+--- nsaserefpolicy/policy/modules/services/dirsrv.if 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.9.7/policy/modules/services/dirsrv.if 2010-11-15 14:18:25.096400022 +0100
+@@ -0,0 +1,193 @@
++## <summary>policy for dirsrv</summary>
++
++########################################
++## <summary>
++## Execute a domain transition to run dirsrv.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`dirsrv_domtrans',`
++ gen_require(`
++ type dirsrv_t, dirsrv_exec_t;
++ ')
++
++ domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit dirsrv_t $1:socket_class_set { read write };
++ ')
++')
++
++
++########################################
++## <summary>
++## Allow caller to signal dirsrv.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrv_signal',`
++ gen_require(`
++ type dirsrv_t;
++ ')
++
++ allow $1 dirsrv_t:process signal;
++')
++
++
++########################################
++## <summary>
++## Send a null signal to dirsrv.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrv_signull',`
++ gen_require(`
++ type dirsrv_t;
++ ')
++
++ allow $1 dirsrv_t:process signull;
++')
++
++#######################################
++## <summary>
++## Allow a domain to manage dirsrv logs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrv_manage_log',`
++ gen_require(`
++ type dirsrv_var_log_t;
++ ')
++
++ allow $1 dirsrv_var_log_t:dir manage_dir_perms;
++ allow $1 dirsrv_var_log_t:file manage_file_perms;
++ allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
++')
++
++#######################################
++## <summary>
++## Allow a domain to manage dirsrv /var/lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrv_manage_var_lib',`
++ gen_require(`
++ type dirsrv_var_lib_t;
++ ')
++ allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
++ allow $1 dirsrv_var_lib_t:file manage_file_perms;
++')
++
++#######################################
++## <summary>
++## Allow a domain to manage dirsrv /var/run files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrv_manage_var_run',`
++ gen_require(`
++ type dirsrv_var_run_t;
++ ')
++ allow $1 dirsrv_var_run_t:dir manage_dir_perms;
++ allow $1 dirsrv_var_run_t:file manage_file_perms;
++ allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
++')
++
++######################################
++## <summary>
++## Allow a domain to create dirsrv pid directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrv_pid_filetrans',`
++ gen_require(`
++ type dirsrv_var_run_t;
++ ')
++ # Allow creating a dir in /var/run with this type
++ files_pid_filetrans($1, dirsrv_var_run_t, dir)
++')
++
++#######################################
++## <summary>
++## Allow a domain to read dirsrv /var/run files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrv_read_var_run',`
++ gen_require(`
++ type dirsrv_var_run_t;
++ ')
++ allow $1 dirsrv_var_run_t:dir list_dir_perms;
++ allow $1 dirsrv_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++## Manage dirsrv configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrv_manage_config',`
++ gen_require(`
++ type dirsrv_config_t;
++ ')
++
++ allow $1 dirsrv_config_t:dir manage_dir_perms;
++ allow $1 dirsrv_config_t:file manage_file_perms;
++')
++
++########################################
++## <summary>
++## Read dirsrv share files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrv_read_share',`
++ gen_require(`
++ type dirsrv_share_t;
++ ')
++
++ allow $1 dirsrv_share_t:dir list_dir_perms;
++ allow $1 dirsrv_share_t:file read_file_perms;
++ allow $1 dirsrv_share_t:lnk_file read;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.te serefpolicy-3.9.7/policy/modules/services/dirsrv.te
+--- nsaserefpolicy/policy/modules/services/dirsrv.te 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.9.7/policy/modules/services/dirsrv.te 2010-11-15 14:18:25.096400022 +0100
+@@ -0,0 +1,172 @@
++policy_module(dirsrv,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++# main daemon
++type dirsrv_t;
++type dirsrv_exec_t;
++domain_type(dirsrv_t)
++init_daemon_domain(dirsrv_t, dirsrv_exec_t)
++
++type dirsrv_snmp_t;
++type dirsrv_snmp_exec_t;
++domain_type(dirsrv_snmp_t)
++init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
++
++type dirsrv_var_lib_t;
++files_type(dirsrv_var_lib_t)
++
++type dirsrv_var_log_t;
++logging_log_file(dirsrv_var_log_t)
++
++type dirsrv_snmp_var_log_t;
++logging_log_file(dirsrv_snmp_var_log_t)
++
++type dirsrv_var_run_t;
++files_pid_file(dirsrv_var_run_t)
++
++type dirsrv_snmp_var_run_t;
++files_pid_file(dirsrv_snmp_var_run_t)
++
++type dirsrv_var_lock_t;
++files_lock_file(dirsrv_var_lock_t)
++
++type dirsrv_config_t;
++files_type(dirsrv_config_t)
++
++type dirsrv_tmp_t;
++files_tmp_file(dirsrv_tmp_t)
++
++type dirsrv_tmpfs_t;
++files_tmpfs_file(dirsrv_tmpfs_t)
++
++type dirsrv_share_t;
++files_type(dirsrv_share_t);
++
++########################################
++#
++# dirsrv local policy
++#
++allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
++allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
++allow dirsrv_t self:fifo_file rw_fifo_file_perms;
++allow dirsrv_t self:sem create_sem_perms;
++allow dirsrv_t self:tcp_socket create_stream_socket_perms;
++
++manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
++fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
++
++manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
++manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
++files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
++
++manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
++manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
++allow dirsrv_t dirsrv_var_log_t:dir { setattr };
++logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
++
++manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
++files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file sock_file })
++
++manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
++
++manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
++manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
++files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, { file })
++
++manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
++manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
++
++manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
++manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
++files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
++
++kernel_read_system_state(dirsrv_t)
++
++corecmd_search_sbin(dirsrv_t)
++
++corenet_all_recvfrom_unlabeled(dirsrv_t)
++corenet_all_recvfrom_netlabel(dirsrv_t)
++corenet_tcp_sendrecv_generic_if(dirsrv_t)
++corenet_tcp_sendrecv_generic_node(dirsrv_t)
++corenet_tcp_sendrecv_all_ports(dirsrv_t)
++corenet_tcp_bind_all_nodes(dirsrv_t)
++corenet_tcp_bind_ldap_port(dirsrv_t)
++corenet_tcp_bind_all_rpc_ports(dirsrv_t)
++corenet_udp_bind_all_rpc_ports(dirsrv_t)
++corenet_tcp_connect_all_ports(dirsrv_t)
++corenet_sendrecv_ldap_server_packets(dirsrv_t)
++corenet_sendrecv_all_client_packets(dirsrv_t)
++
++dev_read_urand(dirsrv_t)
++
++files_read_etc_files(dirsrv_t)
++files_read_usr_symlinks(dirsrv_t)
++
++fs_getattr_all_fs(dirsrv_t)
++
++miscfiles_read_localization(dirsrv_t)
++
++sysnet_dns_name_resolve(dirsrv_t)
++
++optional_policy(`
++ apache_dontaudit_leaks(dirsrv_t)
++')
++
++optional_policy(`
++ kerberos_read_config(dirsrv_t)
++ kerberos_dontaudit_write_config(dirsrv_t)
++')
++
++########################################
++#
++# dirsrv-snmp local policy
++#
++allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
++allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
++
++rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
++
++read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
++
++read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
++
++manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
++files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
++search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
++
++manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
++filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
++
++corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
++
++dev_read_rand(dirsrv_snmp_t)
++dev_read_urand(dirsrv_snmp_t)
++
++domain_use_interactive_fds(dirsrv_snmp_t)
++
++#files_manage_var_files(dirsrv_snmp_t)
++files_read_etc_files(dirsrv_snmp_t)
++files_read_usr_files(dirsrv_snmp_t)
++
++fs_getattr_tmpfs(dirsrv_snmp_t)
++fs_search_tmpfs(dirsrv_snmp_t)
++
++miscfiles_read_localization(dirsrv_snmp_t)
++
++sysnet_read_config(dirsrv_snmp_t)
++sysnet_dns_name_resolve(dirsrv_snmp_t)
++
++optional_policy(`
++ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
++ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
++ snmp_append_snmp_var_lib_files(dirsrv_snmp_t)
++ snmp_stream_connect(dirsrv_snmp_t)
++')
++
++optional_policy(`
++ rpcbind_stream_connect(initrc_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.9.7/policy/modules/services/djbdns.te
--- nsaserefpolicy/policy/modules/services/djbdns.te 2010-10-12 22:42:48.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/services/djbdns.te 2010-11-05 14:02:26.637916067 +0100
@@ -19260,7 +19966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.9.7/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-10-12 22:42:48.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/dovecot.te 2010-11-10 09:37:21.253148770 +0100
++++ serefpolicy-3.9.7/policy/modules/services/dovecot.te 2010-11-15 10:55:18.053148999 +0100
@@ -18,7 +18,7 @@
files_tmp_file(dovecot_auth_tmp_t)
@@ -19350,7 +20056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
postfix_search_spool(dovecot_auth_t)
')
-@@ -253,19 +266,31 @@
+@@ -253,19 +266,33 @@
allow dovecot_deliver_t dovecot_t:process signull;
@@ -19360,6 +20066,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
+
++allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
++
+append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+
+manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
@@ -19384,7 +20092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
miscfiles_read_localization(dovecot_deliver_t)
-@@ -302,4 +327,5 @@
+@@ -302,4 +329,5 @@
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
@@ -20935,8 +21643,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.
seutil_sigchld_newrole(gpm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.9.7/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/gpsd.te 2010-11-05 14:02:26.661917221 +0100
-@@ -56,6 +56,10 @@
++++ serefpolicy-3.9.7/policy/modules/services/gpsd.te 2010-11-15 12:15:12.594147757 +0100
+@@ -46,6 +46,8 @@
+ corenet_tcp_bind_all_nodes(gpsd_t)
+ corenet_tcp_bind_gpsd_port(gpsd_t)
+
++dev_read_sysfs(gpsd_t)
++
+ term_use_unallocated_ttys(gpsd_t)
+ term_setattr_unallocated_ttys(gpsd_t)
+
+@@ -56,6 +58,10 @@
miscfiles_read_localization(gpsd_t)
optional_policy(`
@@ -21726,7 +22443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.9.7/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2010-10-12 22:42:48.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/kerberos.if 2010-11-05 14:02:26.682651075 +0100
++++ serefpolicy-3.9.7/policy/modules/services/kerberos.if 2010-11-15 16:25:46.721148183 +0100
@@ -26,9 +26,9 @@
## Execute kadmind in the current domain
## </summary>
@@ -21790,9 +22507,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
')
allow $1 kadmind_t:process { ptrace signal_perms };
+@@ -378,3 +376,22 @@
+
+ admin_pattern($1, krb5kdc_var_run_t)
+ ')
++
++########################################
++## <summary>
++## Type transition files created in /tmp
++## to the krb5_host_rcache type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mta_tmp_filetrans_host_rcache',`
++ gen_require(`
++ type krb5_host_rcache_t;
++ ')
++
++ files_tmp_filetrans($1, krb5_host_rcache_t, file)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.9.7/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2010-10-12 22:42:48.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/kerberos.te 2010-11-05 14:02:26.684916136 +0100
++++ serefpolicy-3.9.7/policy/modules/services/kerberos.te 2010-11-15 16:26:19.720155777 +0100
@@ -6,9 +6,9 @@
#
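Review bot: The interface added here, `interface(`mta_tmp_filetrans_host_rcache',`, lives in kerberos.if and requires krb5_host_rcache_t, yet it carries an `mta_` prefix; refpolicy names an interface after the module that owns it, so a reader of kerberos.if (or of the sasl.te caller later in this patch, `mta_tmp_filetrans_host_rcache(saslauthd_t)`) will look for it under `kerberos_`. Renaming it to kerberos_tmp_filetrans_host_rcache and updating that one caller keeps the naming consistent with the neighbouring kerberos_* interfaces. The summary could also say what the transition is for, e.g. `## Transition files a domain creates in /tmp to the krb5 host replay cache type.`, since "files created in /tmp" alone reads as if every tmp file is affected.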
@@ -21806,6 +22546,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
## </desc>
gen_tunable(allow_kerberos, false)
+@@ -40,7 +40,7 @@
+ type krb5_home_t;
+ userdom_user_home_content(krb5_home_t)
+
+-type krb5_host_rcache_t;
++type krb5_host_rcache_t alias saslauthd_tmp_t;
+ files_tmp_file(krb5_host_rcache_t)
+
+ # types for general configuration files in /etc
@@ -93,9 +93,9 @@
dontaudit kadmind_t krb5_conf_t:file write;
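Review bot: `type krb5_host_rcache_t alias saslauthd_tmp_t;` keeps the old sasl label loadable, but nothing in kerberos.te records why a sasl-named type is aliased here, and the alias is now the only trace of saslauthd_tmp_t. A one-line comment above it, such as `# saslauthd_tmp_t was merged into krb5_host_rcache_t; kept as an alias so existing labels still resolve`, would spare the next maintainer a search through sasl.te. The reason for the merge is my reading of the sasl.te hunks later in this patch and should be confirmed.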
@@ -23794,7 +24543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.9.7/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-10-12 22:42:48.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/mta.te 2010-11-05 14:02:26.728910324 +0100
++++ serefpolicy-3.9.7/policy/modules/services/mta.te 2010-11-15 17:19:29.663148347 +0100
@@ -20,8 +20,8 @@
type etc_mail_t;
files_config_file(etc_mail_t)
@@ -23806,7 +24555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
type mqueue_spool_t;
files_mountpoint(mqueue_spool_t)
-@@ -50,22 +50,9 @@
+@@ -50,21 +50,10 @@
# newalias required this, not sure if it is needed in 'if' file
allow system_mail_t self:capability { dac_override fowner };
@@ -23825,11 +24574,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
-kernel_read_system_state(system_mail_t)
-kernel_read_network_state(system_mail_t)
-kernel_request_load_module(system_mail_t)
--
++allow system_mail_t mail_home_t:file manage_file_perms;
+
dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
- dev_read_urand(system_mail_t)
-@@ -82,6 +69,10 @@
+@@ -82,6 +71,10 @@
userdom_use_user_terminals(system_mail_t)
userdom_dontaudit_search_user_home_dirs(system_mail_t)
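Review bot: `allow system_mail_t mail_home_t:file manage_file_perms;` grants create, unlink and rename on mail_home_t files in user home directories, with no comment saying which file the system mailer needs that for; the removed lines around it show no related change, so the motivation is not recoverable from the hunk. If the access is only for writing or appending to an existing file, `write_file_perms` or `append_file_perms` is the narrower rule; if creation really is required, a comment such as `# system_mail_t needs to create <file labelled mail_home_t> - confirm` above the rule would document it. The system_mail_t section continues outside the hunk.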
@@ -23840,7 +24589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
-@@ -92,17 +83,28 @@
+@@ -92,17 +85,28 @@
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -23870,7 +24619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
clamav_stream_connect(system_mail_t)
clamav_append_log(system_mail_t)
')
-@@ -111,6 +113,8 @@
+@@ -111,6 +115,8 @@
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
cron_rw_system_job_stream_sockets(system_mail_t)
@@ -23879,7 +24628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -124,12 +128,8 @@
+@@ -124,12 +130,8 @@
')
optional_policy(`
@@ -23893,7 +24642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -146,6 +146,10 @@
+@@ -146,6 +148,10 @@
')
optional_policy(`
@@ -23904,7 +24653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
nagios_read_tmp_files(system_mail_t)
')
-@@ -158,18 +162,6 @@
+@@ -158,18 +164,6 @@
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
domain_use_interactive_fds(system_mail_t)
@@ -23923,7 +24672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -189,6 +181,10 @@
+@@ -189,6 +183,10 @@
')
optional_policy(`
@@ -23934,7 +24683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
smartmon_read_tmp_files(system_mail_t)
')
-@@ -199,7 +195,7 @@
+@@ -199,7 +197,7 @@
arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
@@ -23943,7 +24692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
')
-@@ -220,7 +216,8 @@
+@@ -220,7 +218,8 @@
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -23953,7 +24702,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-@@ -249,11 +246,16 @@
+@@ -249,11 +248,16 @@
mailman_read_data_symlinks(mailserver_delivery)
')
@@ -23970,7 +24719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
domain_use_interactive_fds(user_mail_t)
userdom_use_user_terminals(user_mail_t)
-@@ -292,3 +294,44 @@
+@@ -292,3 +296,44 @@
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -24115,7 +24864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
allow $1 munin_t:process { ptrace signal_perms };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.9.7/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2010-10-12 22:42:48.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/munin.te 2010-11-05 14:02:26.730899577 +0100
++++ serefpolicy-3.9.7/policy/modules/services/munin.te 2010-11-15 12:05:56.355148420 +0100
@@ -5,6 +5,8 @@
# Declarations
#
@@ -24263,7 +25012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
-@@ -313,3 +317,29 @@
+@@ -313,3 +317,30 @@
sysnet_exec_ifconfig(system_munin_plugin_t)
term_getattr_unallocated_ttys(system_munin_plugin_t)
@@ -24287,6 +25036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+corecmd_exec_bin(munin_plugin_domain)
+corecmd_exec_shell(munin_plugin_domain)
+
++files_search_var_lib(munin_plugin_domain)
+files_read_etc_files(munin_plugin_domain)
+files_read_usr_files(munin_plugin_domain)
+
@@ -24347,7 +25097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.9.7/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/mysql.te 2010-11-05 14:02:26.731900350 +0100
++++ serefpolicy-3.9.7/policy/modules/services/mysql.te 2010-11-15 10:46:22.654148291 +0100
@@ -6,9 +6,9 @@
#
@@ -24413,9 +25163,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
files_read_etc_files(mysqld_safe_t)
files_read_usr_files(mysqld_safe_t)
files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+@@ -183,6 +186,8 @@
+
+ hostname_exec(mysqld_safe_t)
+
++logging_send_syslog_msg(mysqld_safe_t)
++
+ miscfiles_read_localization(mysqld_safe_t)
+
+ mysql_manage_db_files(mysqld_safe_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.9.7/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/nagios.if 2010-11-05 14:02:26.732900145 +0100
++++ serefpolicy-3.9.7/policy/modules/services/nagios.if 2010-11-15 15:06:29.931399045 +0100
@@ -12,10 +12,8 @@
## </param>
#
@@ -24436,7 +25195,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
# needed by command.cfg
domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
-@@ -49,7 +48,6 @@
+@@ -36,6 +35,8 @@
+ dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
+ dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
+
++ files_read_usr_files(nagios_$1_plugin_t)
++
+ miscfiles_read_localization(nagios_$1_plugin_t)
+ ')
+
+@@ -49,7 +50,6 @@
## Domain to not audit.
## </summary>
## </param>
@@ -24444,7 +25212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
#
interface(`nagios_dontaudit_rw_pipes',`
gen_require(`
-@@ -159,6 +157,26 @@
+@@ -159,6 +159,26 @@
########################################
## <summary>
@@ -24471,7 +25239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
## Execute the nagios NRPE with
## a domain transition.
## </summary>
-@@ -195,11 +213,9 @@
+@@ -195,11 +215,9 @@
#
interface(`nagios_admin',`
gen_require(`
@@ -24690,7 +25458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.9.7/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/networkmanager.te 2010-11-05 14:02:26.736900093 +0100
++++ serefpolicy-3.9.7/policy/modules/services/networkmanager.te 2010-11-15 16:20:58.798398973 +0100
@@ -12,6 +12,12 @@
type NetworkManager_initrc_exec_t;
init_script_file(NetworkManager_initrc_exec_t)
@@ -24791,7 +25559,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
optional_policy(`
consolekit_dbus_chat(NetworkManager_t)
')
-@@ -202,6 +230,13 @@
+@@ -194,6 +222,10 @@
+ ')
+
+ optional_policy(`
++ gnome_dontaudit_search_config(NetworkManager_t)
++')
++
++optional_policy(`
+ hal_write_log(NetworkManager_t)
+ ')
+
+@@ -202,6 +234,13 @@
')
optional_policy(`
@@ -24805,7 +25584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
iptables_domtrans(NetworkManager_t)
')
-@@ -219,6 +254,7 @@
+@@ -219,6 +258,7 @@
')
optional_policy(`
@@ -24813,7 +25592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
openvpn_domtrans(NetworkManager_t)
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
-@@ -263,6 +299,7 @@
+@@ -263,6 +303,7 @@
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@@ -24944,13 +25723,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.9.7/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/nscd.if 2010-11-05 14:02:26.739899687 +0100
-@@ -116,7 +116,25 @@
++++ serefpolicy-3.9.7/policy/modules/services/nscd.if 2010-11-11 16:02:10.525398693 +0100
+@@ -116,7 +116,26 @@
dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
files_search_pids($1)
stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
- dontaudit $1 nscd_var_run_t:file { getattr read };
+ dontaudit $1 nscd_var_run_t:file read_file_perms;
++ ps_process_pattern(nscd_t, $1)
+')
+
+########################################
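Review bot: `ps_process_pattern(nscd_t, $1)` is the only rule in this interface that grants access in the reverse direction — every other line gives the caller ($1) access to nscd, while this one lets nscd_t read the caller's process information (as I read ps_process_pattern), so each domain that invokes the interface silently widens what nscd_t may inspect. A comment stating the reason, e.g. `# nscd reads the connecting client's process info - confirm`, would make the reverse grant deliberate rather than accidental, and if only a subset of those permissions is exercised a narrower rule is preferable. The enclosing interface starts outside the hunk.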
@@ -24972,7 +25752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
')
########################################
-@@ -146,11 +164,14 @@
+@@ -146,11 +165,14 @@
# nscd_socket_domain macro. need to investigate
# if they are all actually required
allow $1 self:unix_stream_socket create_stream_socket_perms;
@@ -24990,7 +25770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
')
########################################
-@@ -168,7 +189,7 @@
+@@ -168,7 +190,7 @@
type nscd_var_run_t;
')
@@ -24999,7 +25779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
')
########################################
-@@ -224,6 +245,7 @@
+@@ -224,6 +246,7 @@
## Role allowed access.
## </summary>
## </param>
@@ -29178,8 +29958,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.te serefpolicy-3.9.7/policy/modules/services/qpidd.te
--- nsaserefpolicy/policy/modules/services/qpidd.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.9.7/policy/modules/services/qpidd.te 2010-11-05 14:02:26.783900161 +0100
-@@ -0,0 +1,59 @@
++++ serefpolicy-3.9.7/policy/modules/services/qpidd.te 2010-11-11 16:21:35.387148263 +0100
+@@ -0,0 +1,63 @@
+policy_module(qpidd, 1.0.0)
+
+########################################
@@ -29239,6 +30019,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid
+miscfiles_read_localization(qpidd_t)
+
+sysnet_dns_name_resolve(qpidd_t)
++
++optional_policy(`
++ corosync_stream_connect(qpidd_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.if serefpolicy-3.9.7/policy/modules/services/radius.if
--- nsaserefpolicy/policy/modules/services/radius.if 2010-10-12 22:42:49.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/services/radius.if 2010-11-05 14:02:26.783900161 +0100
@@ -31589,8 +32373,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.if serefpolicy-3.9.7/policy/modules/services/sasl.if
--- nsaserefpolicy/policy/modules/services/sasl.if 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/sasl.if 2010-11-05 14:02:26.810900211 +0100
-@@ -42,7 +42,7 @@
++++ serefpolicy-3.9.7/policy/modules/services/sasl.if 2010-11-15 16:25:30.783149535 +0100
+@@ -38,11 +38,11 @@
+ #
+ interface(`sasl_admin',`
+ gen_require(`
+- type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t;
++ type saslauthd_t, saslauthd_var_run_t;
type saslauthd_initrc_exec_t;
')
@@ -31599,12 +32388,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
ps_process_pattern($1, saslauthd_t)
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
+@@ -50,9 +50,6 @@
+ role_transition $2 saslauthd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_list_tmp($1)
+- admin_pattern($1, saslauthd_tmp_t)
+-
+ files_list_pids($1)
+ admin_pattern($1, saslauthd_var_run_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.9.7/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/sasl.te 2010-11-05 14:02:26.811900216 +0100
-@@ -42,13 +42,17 @@
- manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
- files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
++++ serefpolicy-3.9.7/policy/modules/services/sasl.te 2010-11-15 16:27:08.408147870 +0100
+@@ -19,9 +19,6 @@
+ type saslauthd_initrc_exec_t;
+ init_script_file(saslauthd_initrc_exec_t)
+
+-type saslauthd_tmp_t;
+-files_tmp_file(saslauthd_tmp_t)
+-
+ type saslauthd_var_run_t;
+ files_pid_file(saslauthd_var_run_t)
+
+@@ -38,17 +35,19 @@
+ allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
+ allow saslauthd_t self:tcp_socket create_socket_perms;
+
+-allow saslauthd_t saslauthd_tmp_t:dir setattr;
+-manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
+-files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
++mta_tmp_filetrans_host_rcache(saslauthd_t)
+manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
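Review bot: `mta_tmp_filetrans_host_rcache(saslauthd_t)` replaces the removed saslauthd_tmp_t rules unconditionally, while the companion `kerberos_manage_host_rcache(saslauthd_t)` in the next sasl.te hunk sits inside an `optional_policy(` block; both depend on krb5_host_rcache_t, which this patch declares in kerberos.te, so the unconditional call makes the sasl module hard-depend on the kerberos module being loaded, and the two calls should live in the same optional_policy block. The naming of that interface is raised at the kerberos.if hunk. If saslauthd must still work without kerberos, the dropped private tmp type would be the fallback, which is worth stating in a comment either way.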
@@ -31621,6 +32435,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
corenet_all_recvfrom_unlabeled(saslauthd_t)
corenet_all_recvfrom_netlabel(saslauthd_t)
corenet_tcp_sendrecv_generic_if(saslauthd_t)
+@@ -94,6 +93,7 @@
+
+ optional_policy(`
+ kerberos_keytab_template(saslauthd, saslauthd_t)
++ kerberos_manage_host_rcache(saslauthd_t)
+ ')
+
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.fc serefpolicy-3.9.7/policy/modules/services/sendmail.fc
--- nsaserefpolicy/policy/modules/services/sendmail.fc 2010-10-12 22:42:50.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/services/sendmail.fc 2010-11-05 14:02:26.811900216 +0100
@@ -31930,7 +32752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.9.7/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/smartmon.te 2010-11-05 14:02:26.816899888 +0100
++++ serefpolicy-3.9.7/policy/modules/services/smartmon.te 2010-11-15 14:09:02.659147830 +0100
@@ -72,6 +72,7 @@
files_read_etc_runtime_files(fsdaemon_t)
# for config
@@ -31939,9 +32761,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar
fs_getattr_all_fs(fsdaemon_t)
fs_search_auto_mountpoints(fsdaemon_t)
-@@ -82,6 +83,8 @@
+@@ -81,7 +82,10 @@
+
storage_raw_read_fixed_disk(fsdaemon_t)
storage_raw_write_fixed_disk(fsdaemon_t)
++storage_create_fixed_disk_dev(fsdaemon_t)
storage_raw_read_removable_device(fsdaemon_t)
+storage_read_scsi_generic(fsdaemon_t)
+storage_write_scsi_generic(fsdaemon_t)
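Review bot: `storage_create_fixed_disk_dev(fsdaemon_t)` has no comment on why a disk-monitoring daemon needs to create fixed-disk device nodes; the surrounding raw read/write and scsi_generic rules are the expected access for smartd, whereas creating block device files labelled fixed_disk_device_t (as I read that interface) is a noticeably wider grant. Naming the denial that motivated it, e.g. `# smartd creates device nodes when probing disks (bz <bugzilla-id>)`, would let a later reviewer judge whether it is still needed. If the probe merely fails noisily without the node, a dontaudit would be the narrower fix.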
@@ -32004,7 +32828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.9.7/policy/modules/services/snmp.if
--- nsaserefpolicy/policy/modules/services/snmp.if 2010-10-12 22:42:48.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/snmp.if 2010-11-05 14:02:26.818900037 +0100
++++ serefpolicy-3.9.7/policy/modules/services/snmp.if 2010-11-15 17:52:51.789397645 +0100
@@ -11,12 +11,12 @@
## </param>
#
@@ -32042,7 +32866,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
')
########################################
-@@ -123,12 +125,11 @@
+@@ -104,6 +106,26 @@
+ dontaudit $1 snmpd_var_lib_t:file write;
+ ')
+
++#######################################
++## <summary>
++## Append snmpd libraries.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`snmp_append_snmp_var_lib_files',`
++ gen_require(`
++ type snmpd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 snmpd_var_lib_t:dir list_dir_perms;
++ append_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
++')
++
+ ########################################
+ ## <summary>
+ ## All of the rules required to administrate
+@@ -123,12 +145,11 @@
#
interface(`snmp_admin',`
gen_require(`
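Review bot: The summary `## Append snmpd libraries.` misdescribes the new snmp_append_snmp_var_lib_files interface, which grants directory listing plus append on files of type snmpd_var_lib_t, not anything to do with libraries; `## Append to snmpd /var/lib files.` matches what the body does. Since the interface deliberately stops at append (no read), a short comment above `append_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)` saying so would prevent someone widening it later. The banner line above the summary is one `#` shorter than the `########################################` used for the neighbouring interfaces.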
@@ -34309,7 +35160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp
logging_list_logs($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.9.7/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/uucp.te 2010-11-05 14:02:26.846651592 +0100
++++ serefpolicy-3.9.7/policy/modules/services/uucp.te 2010-11-11 16:29:17.192152387 +0100
@@ -7,7 +7,6 @@
type uucpd_t;
type uucpd_exec_t;
@@ -34326,7 +35177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp
dev_read_urand(uucpd_t)
-@@ -113,13 +113,17 @@
+@@ -113,17 +113,23 @@
kerberos_use(uucpd_t)
')
@@ -34345,6 +35196,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp
uucp_append_log(uux_t)
uucp_manage_spool(uux_t)
+
++domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t)
++
+ corecmd_exec_bin(uux_t)
+
+ files_read_etc_files(uux_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.9.7/policy/modules/services/varnishd.if
--- nsaserefpolicy/policy/modules/services/varnishd.if 2010-10-12 22:42:49.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/services/varnishd.if 2010-11-05 14:02:26.847655717 +0100
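Review bot: `domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t)` lets the user-facing uux domain transition into the daemon domain, and nothing in the hunk says which uucpd_exec_t program uux runs that needs it. A comment such as `# uux executes <program labelled uucpd_exec_t> - confirm` above the rule would record the intent and make it clear that running the daemon's domain, rather than executing the binary in uux_t's own domain, is what is wanted. The uux_t local policy continues outside the hunk.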
@@ -35753,7 +36610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.
## <summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.9.7/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/xserver.fc 2010-11-05 14:02:26.864652928 +0100
++++ serefpolicy-3.9.7/policy/modules/services/xserver.fc 2010-11-15 10:56:07.500397354 +0100
@@ -2,13 +2,23 @@
# HOME_DIR
#
@@ -35862,7 +36719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/lxdm(/*.)? gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
+/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
@@ -37938,8 +38795,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zara
+/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zarafa.if serefpolicy-3.9.7/policy/modules/services/zarafa.if
--- nsaserefpolicy/policy/modules/services/zarafa.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.9.7/policy/modules/services/zarafa.if 2010-11-05 14:02:26.878901769 +0100
-@@ -0,0 +1,102 @@
++++ serefpolicy-3.9.7/policy/modules/services/zarafa.if 2010-11-15 17:44:44.958149688 +0100
+@@ -0,0 +1,122 @@
+## <summary>policy for zarafa services</summary>
+
+######################################
@@ -38042,6 +38899,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zara
+ files_search_var_lib($1)
+ stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
+')
++
++#######################################
++## <summary>
++## Allow the specified domain to search
++## zarafa configuration dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`zarafa_search_config',`
++ gen_require(`
++ type zarafa_etc_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 zarafa_etc_t:dir search_dir_perms;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zarafa.te serefpolicy-3.9.7/policy/modules/services/zarafa.te
--- nsaserefpolicy/policy/modules/services/zarafa.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.9.7/policy/modules/services/zarafa.te 2010-11-05 14:02:26.879901005 +0100
@@ -38370,7 +39247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic
ssh_rw_stream_sockets(application_domain_type)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.9.7/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/authlogin.fc 2010-11-10 11:19:00.102148913 +0100
++++ serefpolicy-3.9.7/policy/modules/system/authlogin.fc 2010-11-10 15:15:09.909147820 +0100
@@ -10,6 +10,7 @@
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
@@ -38387,6 +39264,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+@@ -40,6 +42,7 @@
+
+ /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
+ /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
++/var/run/faillock(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+ /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+ /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+ /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.9.7/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-10-12 22:42:50.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/system/authlogin.if 2010-11-05 14:02:26.891654584 +0100
@@ -40568,8 +41453,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.if serefpolicy-3.9.7/policy/modules/system/kdump.if
--- nsaserefpolicy/policy/modules/system/kdump.if 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/kdump.if 2010-11-05 14:02:26.927901357 +0100
-@@ -106,6 +106,6 @@
++++ serefpolicy-3.9.7/policy/modules/system/kdump.if 2010-11-11 16:27:21.214147846 +0100
+@@ -75,6 +75,24 @@
+ allow $1 kdump_etc_t:file manage_file_perms;
+ ')
+
++#####################################
++## <summary>
++## Dontaudit read kdump configuration file.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`kdump_dontaudit_read_config',`
++ gen_require(`
++ type kdump_etc_t;
++ ')
++
++ dontaudit $1 kdump_etc_t:file read_inherited_file_perms;
++')
++
+ ######################################
+ ## <summary>
+ ## All of the rules required to administrate
+@@ -106,6 +124,6 @@
role_transition $2 kdump_initrc_exec_t system_r;
allow $2 system_r;
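Review bot: The interface name `kdump_dontaudit_read_config` and its summary `Dontaudit read kdump configuration file.` promise more than the rule grants: `read_inherited_file_perms` is, if it is the usual refpolicy set, the inherited-descriptor subset without `open`, so a caller that open()s kdump.conf itself will still produce an audit record. Either document it as covering inherited descriptors only (`## Dontaudit reading kdump configuration files via an inherited descriptor.`) or, if full reads are meant to be silenced, use `read_file_perms` — verify against the callers that were producing the denials. The separator line also uses 37 `#` where the neighbouring interfaces use 38, a nit.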
@@ -40591,7 +41501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.
dev_read_sysfs(kdump_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.9.7/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/libraries.fc 2010-11-05 14:02:26.929899899 +0100
++++ serefpolicy-3.9.7/policy/modules/system/libraries.fc 2010-11-11 16:35:08.158148222 +0100
@@ -44,6 +44,7 @@
/lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40635,7 +41545,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -208,6 +209,7 @@
+@@ -198,9 +199,6 @@
+ /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib64/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/VBoxVMM\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -208,6 +206,7 @@
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
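Review bot: This hunk drops the `textrel_shlib_t` entries for `/usr/lib/maxima/[^/]+/binary-gcl/maxima`, its lib64 twin and `/usr/lib/mozilla/plugins/libvlcplugin\.so`, and neither the commit message nor the spec changelog records it. If those files still need text relocations, losing the label means their `execmod` would be denied under the default library label; if they were moved to another block or upstream now carries them, a one-line changelog mention would help a future bisect. I cannot see the rest of libraries.fc here to confirm either way.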
@@ -40643,7 +41563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -247,6 +249,7 @@
+@@ -247,6 +246,7 @@
/usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40651,7 +41571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-@@ -302,13 +305,8 @@
+@@ -302,13 +302,8 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40667,7 +41587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
') dnl end distro_redhat
#
-@@ -319,14 +317,150 @@
+@@ -319,14 +314,150 @@
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -41555,16 +42475,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.9.7/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/modutils.te 2010-11-05 14:02:26.941900022 +0100
-@@ -18,6 +18,7 @@
++++ serefpolicy-3.9.7/policy/modules/system/modutils.te 2010-11-11 16:32:03.059397712 +0100
+@@ -18,8 +18,12 @@
type insmod_exec_t;
application_domain(insmod_t, insmod_exec_t)
mls_file_write_all_levels(insmod_t)
+mls_process_write_down(insmod_t)
role system_r types insmod_t;
++type insmod_tmpfs_t;
++files_tmpfs_file(insmod_tmpfs_t)
++
# module loading config
-@@ -55,12 +56,15 @@
+ type modules_conf_t;
+ files_type(modules_conf_t)
+@@ -55,12 +59,15 @@
domain_use_interactive_fds(depmod_t)
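Review bot: The new `insmod_tmpfs_t` type declared here, and the rules that use it in the later `@@ -116,6 +124,9 @@` hunk (`manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)`, `fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)`), are not mentioned in the commit message or changelog, and those two rules omit the spaces after commas used by the surrounding refpolicy code (`manage_files_pattern(insmod_t, insmod_tmpfs_t, insmod_tmpfs_t)`). A comment on the declaration would also help, e.g. `# private label for temporary files insmod creates on tmpfs (NOTE(review): which code path does this? confirm)`, since nothing on the page says what writes them. The declarations block continues outside the hunk.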
@@ -41580,7 +42505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
fs_getattr_xattr_fs(depmod_t)
-@@ -74,6 +78,7 @@
+@@ -74,6 +81,7 @@
# Read System.map from home directories.
files_list_home(depmod_t)
userdom_read_user_home_content_files(depmod_t)
@@ -41588,7 +42513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -104,7 +109,7 @@
+@@ -104,7 +112,7 @@
# insmod local policy
#
@@ -41597,7 +42522,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
allow insmod_t self:udp_socket create_socket_perms;
-@@ -125,6 +130,7 @@
+@@ -116,6 +124,9 @@
+ list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
+ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+
++manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)
++fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)
++
+ can_exec(insmod_t, insmod_exec_t)
+
+ kernel_load_module(insmod_t)
+@@ -125,6 +136,7 @@
kernel_mount_debugfs(insmod_t)
kernel_mount_kvmfs(insmod_t)
kernel_read_debugfs(insmod_t)
@@ -41605,7 +42540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctls(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
-@@ -142,6 +148,7 @@
+@@ -142,6 +154,7 @@
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
@@ -41613,7 +42548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
-@@ -160,11 +167,15 @@
+@@ -160,11 +173,15 @@
fs_getattr_xattr_fs(insmod_t)
fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
@@ -41629,7 +42564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
logging_send_syslog_msg(insmod_t)
logging_search_logs(insmod_t)
-@@ -173,8 +184,7 @@
+@@ -173,8 +190,7 @@
seutil_read_file_contexts(insmod_t)
@@ -41639,7 +42574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
userdom_dontaudit_search_user_home_dirs(insmod_t)
if( ! secure_mode_insmod ) {
-@@ -186,8 +196,11 @@
+@@ -186,8 +202,11 @@
')
optional_policy(`
@@ -41653,7 +42588,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
')
optional_policy(`
-@@ -235,6 +248,10 @@
+@@ -235,6 +254,10 @@
')
optional_policy(`
@@ -41681,13 +42616,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.9.7/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/mount.if 2010-11-05 14:02:26.942900026 +0100
-@@ -16,6 +16,14 @@
++++ serefpolicy-3.9.7/policy/modules/system/mount.if 2010-11-15 17:16:31.348423484 +0100
+@@ -16,6 +16,16 @@
')
domtrans_pattern($1, mount_exec_t, mount_t)
+ mount_domtrans_fusermount($1)
+
++ ps_process_pattern(mount_t, $1)
++
+ifdef(`hide_broken_symptoms', `
+ dontaudit mount_t $1:unix_stream_socket { read write };
+ dontaudit mount_t $1:tcp_socket { read write };
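Review bot: `ps_process_pattern(mount_t, $1)` is added unconditionally inside `mount_domtrans`, so every domain that transitions to mount now lets mount_t read its `/proc/<pid>` state; the rest of the interface body lies outside the hunk. That is broader than a domain transition needs and deserves a why-comment naming the mount code path that reads the caller's process information, e.g. `# mount reads the caller's /proc/<pid> entries (NOTE(review): which mount feature needs this? confirm)`. If only particular callers trigger it, a separate interface those callers opt into would keep mount_t's reach smaller.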
@@ -41697,7 +42634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
########################################
-@@ -45,12 +53,58 @@
+@@ -45,12 +55,58 @@
role $2 types mount_t;
optional_policy(`
@@ -41757,7 +42694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
## Execute mount in the caller domain.
## </summary>
## <param name="domain">
-@@ -84,9 +138,11 @@
+@@ -84,9 +140,11 @@
interface(`mount_signal',`
gen_require(`
type mount_t;
@@ -41769,7 +42706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
########################################
-@@ -95,7 +151,7 @@
+@@ -95,7 +153,7 @@
## </summary>
## <param name="domain">
## <summary>
@@ -41778,7 +42715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
## </summary>
## </param>
#
-@@ -176,4 +232,109 @@
+@@ -176,4 +234,109 @@
mount_domtrans_unconfined($1)
role $2 types unconfined_mount_t;
@@ -41890,7 +42827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.9.7/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/mount.te 2010-11-10 09:34:03.161148039 +0100
++++ serefpolicy-3.9.7/policy/modules/system/mount.te 2010-11-10 17:08:36.477147869 +0100
@@ -17,8 +17,15 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -41938,7 +42875,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -46,60 +68,96 @@
+@@ -46,60 +68,97 @@
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@@ -42025,6 +42962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+fs_read_fusefs_files(mount_t)
+fs_manage_nfs_dirs(mount_t)
+fs_read_nfs_symlinks(mount_t)
++fs_read_removable_blk_files(mount_t)
+fs_manage_cgroup_dirs(mount_t)
+fs_manage_cgroup_files(mount_t)
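Review bot: `fs_read_removable_blk_files(mount_t)` is added without a comment and is not listed in the commit message or changelog. A why-comment such as `# mount reads block device nodes located on removable media (presumably loop-mounting an image stored there — confirm)` would record the case that produced the denial; the surrounding rule list continues outside the hunk.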
@@ -42042,7 +42980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
term_use_all_terms(mount_t)
-@@ -108,6 +166,8 @@
+@@ -108,6 +167,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -42051,7 +42989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
logging_send_syslog_msg(mount_t)
-@@ -118,6 +178,12 @@
+@@ -118,6 +179,12 @@
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -42064,7 +43002,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
ifdef(`distro_redhat',`
optional_policy(`
-@@ -133,10 +199,17 @@
+@@ -133,10 +200,17 @@
')
')
@@ -42082,7 +43020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -166,6 +239,8 @@
+@@ -166,6 +240,8 @@
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -42091,7 +43029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -173,6 +248,28 @@
+@@ -173,6 +249,28 @@
')
optional_policy(`
@@ -42120,7 +43058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -180,13 +277,44 @@
+@@ -180,13 +278,44 @@
')
')
@@ -42165,7 +43103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
########################################
-@@ -195,6 +323,42 @@
+@@ -195,6 +324,42 @@
#
optional_policy(`
@@ -43672,7 +44610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.9.7/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/sysnetwork.te 2010-11-05 14:02:26.954900289 +0100
++++ serefpolicy-3.9.7/policy/modules/system/sysnetwork.te 2010-11-11 16:28:26.911147819 +0100
@@ -5,6 +5,13 @@
# Declarations
#
@@ -43828,10 +44766,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
optional_policy(`
-@@ -334,6 +379,10 @@
+@@ -334,6 +379,14 @@
')
optional_policy(`
++ kdump_dontaudit_read_config(ifconfig_t)
++')
++
++optional_policy(`
+ netutils_domtrans(dhcpc_t)
+')
+
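Review bot: The new `kdump_dontaudit_read_config(ifconfig_t)` block carries no comment saying why ifconfig would ever hold a kdump configuration file; because the interface added in the kdump.if hunk uses `read_inherited_file_perms`, the likely case is a descriptor left open by the kdump init script across its exec of ifconfig, and that should be stated, e.g. `# kdump's init script leaks an open kdump.conf descriptor into ifconfig (confirm)`. If a leaked descriptor is the root cause, closing it or handling it in the kdump domain may be preferable to silencing it for every ifconfig_t invocation. The enclosing `optional_policy` list continues outside the hunk.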
@@ -43839,7 +44781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
nis_use_ypbind(ifconfig_t)
')
-@@ -355,3 +404,9 @@
+@@ -355,3 +408,9 @@
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3129218..526acae 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.7
-Release: 10%{?dist}
+Release: 11%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -319,6 +319,7 @@ Conflicts: audispd-plugins <= 1.7.7-1
Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
Obsoletes: cachefilesd-selinux <= 0.10-1
Conflicts: seedit
+Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12
%description targeted
SELinux Reference policy targeted base module.
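Review bot: The added `Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12` has no comment explaining the coupling; the reason is presumably that the new dirsrv and dirsrv-admin modules enabled in modules-targeted.conf label paths or transitions that only those package releases provide, but that has to be inferred from the commit title. A one-line comment above it such as `# the dirsrv/dirsrv-admin policy expects the file layout of these releases` would record this for whoever revisits the versions later. The line sits in the `targeted` subpackage preamble only, which matches where the modules are enabled.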
@@ -470,6 +471,16 @@ exit 0
%endif
%changelog
+* Mon Nov 15 2010 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-11
+- Allow mysqld-safe to send system log messages
+- Fix label for lxdm.sock
+- Fixes for ddclient policy
+- Allow munin plugins to search /var/lib directory
+- Allow gpsd to read sysfs_t
+- Add label for acroread
+- Add dirsrv and dirsrv-admin policy
+- Allow saslauthd_t to create krb5_host_rcache_t files in /tmp
+
* Wed Nov 10 2010 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-10
- Turn on ddclient policy
- Allow mount to set the attributes of all mount points