[selinux-policy/f14/master] - Add xdm_exec_bootloader boolean - Allow cgconfig fsetid capability - Allow logwatch and cron to ml
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Nov 18 15:44:29 UTC 2010
commit 5c874c61fc9a18363998ab981aced770d4829664
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Nov 18 16:44:17 2010 +0100
- Add xdm_exec_bootloader boolean
- Allow cgconfig fsetid capability
- Allow logwatch and cron to mls_read_to_clearance for MLS boxes
- Allow wm to send signull to all applications and receive them from users
- lircd patch from field
- Patch for Stephen Beahm for ulogd policy
- Turn on pyzor policy
modules-targeted.conf | 7 +
policy-F14.patch | 417 +++++++++++++++++++++++++++++++++----------------
selinux-policy.spec | 11 ++-
3 files changed, 298 insertions(+), 137 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index c702919..3cbe055 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1316,6 +1316,13 @@ publicfile = module
pulseaudio = module
# Layer: services
+# Module: pyzor
+#
+# Spam Blocker
+#
+pyzor = module
+
+# Layer: services
# Module: qmail
#
# Policy for qmail
diff --git a/policy-F14.patch b/policy-F14.patch
index cadd856..1e0516e 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -330,6 +330,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.if serefpolicy-3.9.7/policy/modules/admin/bootloader.if
+--- nsaserefpolicy/policy/modules/admin/bootloader.if 2010-10-12 22:42:51.000000000 +0200
++++ serefpolicy-3.9.7/policy/modules/admin/bootloader.if 2010-11-18 16:22:06.419397638 +0100
+@@ -19,6 +19,24 @@
+ domtrans_pattern($1, bootloader_exec_t, bootloader_t)
+ ')
+
++#####################################
++## <summary>
++## Execute bootloader in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`bootloader_exec',`
++ gen_require(`
++ type bootloader_exec_t;
++ ')
++
++ can_exec($1, bootloader_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Execute bootloader interactively and do
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.if serefpolicy-3.9.7/policy/modules/admin/brctl.if
--- nsaserefpolicy/policy/modules/admin/brctl.if 2010-10-12 22:42:51.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/admin/brctl.if 2010-11-05 14:02:26.402658425 +0100
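Review bot: The summary of the new `bootloader_exec` interface should warn that, unlike `bootloader_domtrans` directly above it (`domtrans_pattern($1, bootloader_exec_t, bootloader_t)`), it uses `can_exec`, so the bootloader binary runs inside the caller's domain with the caller's permissions and none of bootloader_t's confinement. Any caller therefore has to be granted the bootloader's own file and device access itself, and the interface is only sensible behind a boolean. I would extend the summary to `## Execute bootloader in the caller domain (no domain transition; the caller keeps its own permissions and must itself be allowed whatever the bootloader touches). Prefer bootloader_domtrans() where a transition is possible.`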
@@ -499,7 +527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
+/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.9.7/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-10-12 22:42:51.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/admin/logwatch.te 2010-11-05 14:02:26.409649726 +0100
++++ serefpolicy-3.9.7/policy/modules/admin/logwatch.te 2010-11-18 15:49:39.362399015 +0100
@@ -19,6 +19,9 @@
type logwatch_tmp_t;
files_tmp_file(logwatch_tmp_t)
@@ -520,7 +548,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
kernel_read_fs_sysctls(logwatch_t)
kernel_read_kernel_sysctls(logwatch_t)
kernel_read_system_state(logwatch_t)
-@@ -92,11 +98,20 @@
+@@ -73,6 +79,8 @@
+ term_dontaudit_getattr_pty_dirs(logwatch_t)
+ term_dontaudit_list_ptys(logwatch_t)
+
++mls_file_read_to_clearance(logwatch_t)
++
+ auth_use_nsswitch(logwatch_t)
+ auth_dontaudit_read_shadow(logwatch_t)
+
+@@ -92,11 +100,20 @@
sysnet_exec_ifconfig(logwatch_t)
userdom_dontaudit_search_user_home_dirs(logwatch_t)
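Review bot: `mls_file_read_to_clearance(logwatch_t)`, added after the term_dontaudit lines, is an MLS read-down exemption and deserves a comment saying why it is safe: it lets logwatch read any file whose level is dominated by its clearance, while the report it produces is written at its current level. If logwatch_t ever runs with a range rather than a single level, content from higher-level logs can flow into lower-level output (mail, tmp files). I would add `# MLS: read logs up to clearance; logwatch runs at a single level, so no write-down` above it, assuming that is how it is launched (presumably from cron), which this hunk cannot confirm.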
@@ -7300,8 +7337,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshar
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.9.7/policy/modules/apps/wm.if
--- nsaserefpolicy/policy/modules/apps/wm.if 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/apps/wm.if 2010-11-05 14:02:26.508650234 +0100
-@@ -75,6 +75,10 @@
++++ serefpolicy-3.9.7/policy/modules/apps/wm.if 2010-11-18 15:50:46.683399390 +0100
+@@ -42,6 +42,7 @@
+ allow $1_wm_t self:process getsched;
+ allow $1_wm_t self:shm create_shm_perms;
+
++ allow $3 $1_wm_t:process { signal sigchld signull };
+ allow $1_wm_t $3:unix_stream_socket connectto;
+ allow $3 $1_wm_t:unix_stream_socket connectto;
+ allow $3 $1_wm_t:process { signal sigchld };
+@@ -54,6 +55,8 @@
+
+ kernel_read_system_state($1_wm_t)
+
++ application_signull($1_wm_t)
++
+ corecmd_bin_domtrans($1_wm_t, $3)
+ corecmd_shell_domtrans($1_wm_t, $3)
+
+@@ -75,6 +78,10 @@
miscfiles_read_fonts($1_wm_t)
miscfiles_read_localization($1_wm_t)
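Review bot: The new rule `allow $3 $1_wm_t:process { signal sigchld signull };` near the top of the first inner hunk duplicates the existing `allow $3 $1_wm_t:process { signal sigchld };` three lines below it, which the commit leaves in place. The compiler merges the two, but keeping both makes the next reader wonder which one is authoritative; fold signull into the existing rule, `allow $3 $1_wm_t:process { signal sigchld signull };`, and drop the added line. The template body continues outside this hunk.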
@@ -8412,7 +8466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+/usr/lib/debug <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.9.7/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/kernel/files.if 2010-11-10 11:26:54.709398361 +0100
++++ serefpolicy-3.9.7/policy/modules/kernel/files.if 2010-11-18 11:00:55.859398928 +0100
@@ -1053,10 +1053,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -8512,7 +8566,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## List the contents of the root directory.
## </summary>
## <param name="domain">
-@@ -2435,6 +2505,24 @@
+@@ -1836,6 +1906,25 @@
+ relabelfrom_files_pattern($1, boot_t, boot_t)
+ ')
+
++#####################################
++## <summary>
++## Read symbolic links
++## in the /boot directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_read_boot_symlinks',`
++ gen_require(`
++ type boot_t;
++ ')
++
++ read_lnk_files_pattern($1, boot_t, boot_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Read and write symbolic links
+@@ -2435,6 +2524,24 @@
########################################
## <summary>
@@ -8537,7 +8617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Execute generic files in /etc.
## </summary>
## <param name="domain">
-@@ -2605,6 +2693,24 @@
+@@ -2605,6 +2712,24 @@
########################################
## <summary>
@@ -8562,7 +8642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Do not audit attempts to read files
## in /etc that are dynamically
## created on boot, such as mtab.
-@@ -3086,6 +3192,7 @@
+@@ -3086,6 +3211,7 @@
')
allow $1 home_root_t:dir getattr;
@@ -8570,7 +8650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -3106,6 +3213,7 @@
+@@ -3106,6 +3232,7 @@
')
dontaudit $1 home_root_t:dir getattr;
@@ -8578,7 +8658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -3347,6 +3455,24 @@
+@@ -3347,6 +3474,24 @@
allow $1 mnt_t:dir list_dir_perms;
')
@@ -8603,7 +8683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
## <summary>
## Mount a filesystem on /mnt.
-@@ -3420,6 +3546,24 @@
+@@ -3420,6 +3565,24 @@
read_files_pattern($1, mnt_t, mnt_t)
')
@@ -8628,7 +8708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
## <summary>
## Create, read, write, and delete symbolic links in /mnt.
-@@ -3711,6 +3855,100 @@
+@@ -3711,6 +3874,100 @@
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -8729,7 +8809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
## <summary>
## Allow the specified type to associate
-@@ -3896,6 +4134,32 @@
+@@ -3896,6 +4153,32 @@
########################################
## <summary>
@@ -8762,7 +8842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -3950,6 +4214,24 @@
+@@ -3950,6 +4233,24 @@
########################################
## <summary>
@@ -8787,7 +8867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
-@@ -4109,6 +4391,13 @@
+@@ -4109,6 +4410,13 @@
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -8801,7 +8881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -4718,6 +5007,24 @@
+@@ -4718,6 +5026,24 @@
########################################
## <summary>
@@ -8826,7 +8906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Read and write files in the /var directory.
## </summary>
## <param name="domain">
-@@ -5053,6 +5360,24 @@
+@@ -5053,6 +5379,24 @@
########################################
## <summary>
@@ -8851,7 +8931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
-@@ -5138,12 +5463,12 @@
+@@ -5138,12 +5482,12 @@
## </param>
#
interface(`files_delete_generic_locks',`
@@ -8868,7 +8948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -5189,6 +5514,27 @@
+@@ -5189,6 +5533,27 @@
########################################
## <summary>
@@ -8896,7 +8976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Read all lock files.
## </summary>
## <param name="domain">
-@@ -5317,6 +5663,43 @@
+@@ -5317,6 +5682,43 @@
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -8940,7 +9020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
## <summary>
## Do not audit attempts to search
-@@ -5524,6 +5907,62 @@
+@@ -5524,6 +5926,62 @@
########################################
## <summary>
@@ -9003,7 +9083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Read all process ID files.
## </summary>
## <param name="domain">
-@@ -5541,6 +5980,44 @@
+@@ -5541,6 +5999,44 @@
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -9048,7 +9128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -5826,3 +6303,247 @@
+@@ -5826,3 +6322,247 @@
typeattribute $1 files_unconfined_type;
')
@@ -12439,7 +12519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.9.7/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/abrt.te 2010-11-10 09:28:03.892147900 +0100
++++ serefpolicy-3.9.7/policy/modules/services/abrt.te 2010-11-18 15:36:30.856398611 +0100
@@ -5,6 +5,14 @@
# Declarations
#
@@ -12455,7 +12535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
type abrt_t;
type abrt_exec_t;
init_daemon_domain(abrt_t, abrt_exec_t)
-@@ -50,13 +58,14 @@
+@@ -50,15 +58,17 @@
allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
dontaudit abrt_t self:capability sys_rawio;
@@ -12470,8 +12550,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+dontaudit abrt_t self:netlink_audit_socket create_socket_perms;
# abrt etc files
++list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
-@@ -69,6 +78,7 @@
+
+ # log file
+@@ -69,6 +79,7 @@
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -12479,7 +12562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,7 +92,7 @@
+@@ -82,7 +93,7 @@
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@@ -12488,15 +12571,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
kernel_read_ring_buffer(abrt_t)
kernel_read_system_state(abrt_t)
-@@ -114,6 +124,7 @@
+@@ -113,7 +124,8 @@
+ domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
- files_read_etc_files(abrt_t)
+-files_read_etc_files(abrt_t)
++files_read_config_files(abrt_t)
+files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
-@@ -121,6 +132,8 @@
+@@ -121,6 +133,8 @@
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
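Review bot: Replacing `files_read_etc_files(abrt_t)` with `files_read_config_files(abrt_t)` in the second inner hunk widens abrt from etc_t to every type carrying the configfile attribute, which includes other services' private configuration types, some of which hold credentials. If the denial that motivated this was for one specific type (the hunk does not show which), the narrower fix is that module's own read interface, keeping `files_read_etc_files(abrt_t)` as it was. If the broad grant is intended because abrt's hooks read the crashing service's configuration, say so on the line: `# abrt reads the crashing service's config, hence all configfile types`.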
@@ -12505,7 +12590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,7 +144,7 @@
+@@ -131,7 +145,7 @@
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
@@ -12514,7 +12599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
logging_read_generic_logs(abrt_t)
logging_send_syslog_msg(abrt_t)
-@@ -140,6 +153,15 @@
+@@ -140,6 +154,15 @@
miscfiles_read_localization(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
@@ -12530,7 +12615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,6 +172,11 @@
+@@ -150,6 +173,11 @@
')
optional_policy(`
@@ -12542,7 +12627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
-@@ -178,12 +205,18 @@
+@@ -178,12 +206,18 @@
')
optional_policy(`
@@ -12562,7 +12647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -203,6 +236,7 @@
+@@ -203,6 +237,7 @@
domain_read_all_domains_state(abrt_helper_t)
files_read_etc_files(abrt_helper_t)
@@ -12570,7 +12655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)
-@@ -216,7 +250,8 @@
+@@ -216,7 +251,8 @@
term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)
@@ -12580,7 +12665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +259,18 @@
+@@ -224,4 +260,18 @@
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -13752,7 +13837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.9.7/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/apache.te 2010-11-15 17:44:58.604398337 +0100
++++ serefpolicy-3.9.7/policy/modules/services/apache.te 2010-11-18 16:15:19.918398880 +0100
@@ -18,130 +18,195 @@
# Declarations
#
@@ -14269,16 +14354,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -528,7 +688,7 @@
+@@ -528,7 +688,18 @@
daemontools_service_domain(httpd_t, httpd_exec_t)
')
- optional_policy(`
+optional_policy(`
++ dirsrvadmin_read_config(httpd_t)
++ dirsrv_manage_log(httpd_t)
++ dirsrv_manage_var_run(httpd_t)
++ dirsrv_read_share(httpd_t)
++ dirsrv_signal(httpd_t)
++ dirsrv_signull(httpd_t)
++ dirsrvadmin_manage_config(httpd_t)
++ dirsrvadmin_manage_tmp(httpd_t)
++')
++
++optional_policy(`
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +697,12 @@
+@@ -537,8 +708,12 @@
')
optional_policy(`
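Review bot: The new optional_policy block granting httpd_t `dirsrvadmin_manage_config`, `dirsrv_manage_log`, `dirsrv_manage_var_run` and `dirsrv_signal`/`dirsrv_signull` is not gated by a boolean, so every httpd_t instance on a host with the dirsrv modules loaded, not only the 389 admin-server vhost, can rewrite directory-server configuration and signal the daemon, which a compromised httpd process could use directly. optional_policy only checks that the module is present; the usual pattern here is a tunable_policy around the manage/signal calls with a new boolean (for example `httpd_manage_dirsrv`, default off), leaving the read-only `dirsrvadmin_read_config`/`dirsrv_read_share` unconditional if those are harmless. The remaining httpd_t optional_policy blocks lie outside this hunk.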
@@ -14292,7 +14388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -556,7 +720,13 @@
+@@ -556,7 +731,13 @@
')
optional_policy(`
@@ -14306,7 +14402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +737,7 @@
+@@ -567,6 +748,7 @@
optional_policy(`
nagios_read_config(httpd_t)
@@ -14314,7 +14410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -577,6 +748,16 @@
+@@ -577,6 +759,16 @@
')
optional_policy(`
@@ -14331,7 +14427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +772,11 @@
+@@ -591,6 +783,11 @@
')
optional_policy(`
@@ -14343,7 +14439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +789,11 @@
+@@ -603,6 +800,11 @@
yam_read_content(httpd_t)
')
@@ -14355,7 +14451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache helper local policy
-@@ -618,6 +809,10 @@
+@@ -618,6 +820,10 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -14366,7 +14462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -654,28 +849,27 @@
+@@ -654,28 +860,27 @@
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -14407,7 +14503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -699,17 +893,22 @@
+@@ -699,17 +904,22 @@
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -14433,7 +14529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +939,20 @@
+@@ -740,10 +950,20 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -14455,7 +14551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +978,25 @@
+@@ -769,6 +989,25 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -14481,7 +14577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
-@@ -792,9 +1020,13 @@
+@@ -792,9 +1031,13 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -14495,7 +14591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,6 +1035,33 @@
+@@ -803,6 +1046,33 @@
mta_send_mail(httpd_sys_script_t)
')
@@ -14529,7 +14625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -822,7 +1081,7 @@
+@@ -822,7 +1092,7 @@
')
tunable_policy(`httpd_enable_homedirs',`
@@ -14538,7 +14634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -830,6 +1089,20 @@
+@@ -830,6 +1100,20 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -14559,7 +14655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1115,20 @@
+@@ -842,10 +1126,20 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -14580,7 +14676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -891,11 +1174,21 @@
+@@ -891,11 +1185,21 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -16191,7 +16287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
domain_system_change_exemption($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.9.7/policy/modules/services/cgroup.te
--- nsaserefpolicy/policy/modules/services/cgroup.te 2010-10-12 22:42:48.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/cgroup.te 2010-11-05 14:02:26.608900014 +0100
++++ serefpolicy-3.9.7/policy/modules/services/cgroup.te 2010-11-18 15:44:40.719397699 +0100
@@ -22,8 +22,8 @@
type cgrules_etc_t;
files_config_file(cgrules_etc_t)
@@ -16208,7 +16304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
#
-allow cgconfig_t self:capability { chown sys_admin };
-+allow cgconfig_t self:capability { dac_override fowner chown sys_admin };
++allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin };
allow cgconfig_t cgconfig_etc_t:file read_file_perms;
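Review bot: `fsetid` is added to the cgconfig_t capability set without a comment, and capability grants are the rules a later auditor most wants justified. The line already carries chown and fowner, so presumably this is the kernel's CAP_FSETID check when cgconfig chowns/chmods cgroup control files according to the perms in cgconfig.conf; if the AVC confirms that, a comment such as `# chown/chmod of cgroup control files per cgconfig.conf perms needs fsetid` above the rule would record it.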
@@ -17861,7 +17957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.9.7/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/cron.te 2010-11-05 14:02:26.624900225 +0100
++++ serefpolicy-3.9.7/policy/modules/services/cron.te 2010-11-18 15:49:20.364398664 +0100
@@ -10,18 +10,18 @@
#
@@ -18133,15 +18229,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
-@@ -386,6 +449,7 @@
+@@ -386,6 +449,9 @@
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
+files_create_boot_flag(system_cronjob_t)
++
++mls_file_read_to_clearance(system_cronjob_t)
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
-@@ -408,8 +472,10 @@
+@@ -408,8 +474,10 @@
seutil_read_config(system_cronjob_t)
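Review bot: `mls_file_read_to_clearance(system_cronjob_t)` applies to every system cron job, not only the logwatch run that the commit message names, so on an MLS box any script under /etc/cron.* gains read-down to its clearance. logwatch_t already receives the same interface earlier in this commit, so cron only needs it if the job runs without transitioning to logwatch_t; a comment naming the consumer, `# MLS: logwatch/epylog cron jobs read logs at all levels up to clearance`, would let a later reviewer drop the rule once that is no longer true. The system_cronjob_t section continues beyond this hunk.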
@@ -18153,7 +18251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
-@@ -434,6 +500,8 @@
+@@ -434,6 +502,8 @@
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
@@ -18162,7 +18260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -441,6 +509,14 @@
+@@ -441,6 +511,14 @@
')
optional_policy(`
@@ -18177,7 +18275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
ftp_read_log(system_cronjob_t)
')
-@@ -451,15 +527,24 @@
+@@ -451,15 +529,24 @@
')
optional_policy(`
@@ -18202,7 +18300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -475,7 +560,7 @@
+@@ -475,7 +562,7 @@
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
@@ -18211,7 +18309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -490,6 +575,7 @@
+@@ -490,6 +577,7 @@
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -18219,7 +18317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -497,7 +583,13 @@
+@@ -497,7 +585,13 @@
')
optional_policy(`
@@ -18233,7 +18331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -590,9 +682,12 @@
+@@ -590,9 +684,12 @@
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -19300,8 +19398,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv-admin.te serefpolicy-3.9.7/policy/modules/services/dirsrv-admin.te
--- nsaserefpolicy/policy/modules/services/dirsrv-admin.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.9.7/policy/modules/services/dirsrv-admin.te 2010-11-15 14:18:25.095399878 +0100
-@@ -0,0 +1,92 @@
++++ serefpolicy-3.9.7/policy/modules/services/dirsrv-admin.te 2010-11-18 16:13:31.926400100 +0100
+@@ -0,0 +1,94 @@
+policy_module(dirsrv-admin,1.0.0)
+
+########################################
@@ -19340,6 +19438,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs
+
+files_exec_etc_files(dirsrvadmin_t)
+
++libs_exec_ld_so(dirsrvadmin_t)
++
+logging_search_logs(dirsrvadmin_t)
+
+miscfiles_read_localization(dirsrvadmin_t)
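Review bot: `libs_exec_ld_so(dirsrvadmin_t)` lets the domain invoke the dynamic loader directly, and `ld.so /path/to/binary` runs that binary in dirsrvadmin_t without the execve-time transition check, so the rule should carry a justification. It is normally needed by scripts that call `ldd` or a loader-based wrapper; if that is the case here, add `# admin scripts invoke the loader directly (ldd-style)` above it, otherwise an execute rule on the specific binary's type is the narrower choice. The rest of dirsrvadmin_t's policy lies outside this hunk.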
@@ -23003,7 +23103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.9.7/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 2010-10-12 22:42:48.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/lircd.te 2010-11-05 14:02:26.699654572 +0100
++++ serefpolicy-3.9.7/policy/modules/services/lircd.te 2010-11-18 15:51:50.996400048 +0100
@@ -24,6 +24,7 @@
#
@@ -23021,7 +23121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
# /dev/lircd socket
dev_filetrans(lircd_t, lircd_var_run_t, sock_file)
-@@ -44,7 +45,7 @@
+@@ -44,13 +45,13 @@
corenet_tcp_sendrecv_all_ports(lircd_t)
corenet_tcp_connect_lirc_port(lircd_t)
@@ -23030,6 +23130,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
dev_read_mouse(lircd_t)
dev_filetrans_lirc(lircd_t)
dev_rw_lirc(lircd_t)
+ dev_rw_input_dev(lircd_t)
+
+-files_read_etc_files(lircd_t)
++files_read_config_files(lircd_t)
+ files_list_var(lircd_t)
+ files_manage_generic_locks(lircd_t)
+ files_read_all_locks(lircd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.9.7/policy/modules/services/lpd.if
--- nsaserefpolicy/policy/modules/services/lpd.if 2010-10-12 22:42:49.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/services/lpd.if 2010-11-05 14:02:26.700653599 +0100
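Review bot: The switch from `files_read_etc_files(lircd_t)` to `files_read_config_files(lircd_t)` at the end of the hunk gives a remote-control daemon read access to every configfile-attributed type in the policy, including other daemons' private configuration, where it only needs its own files under /etc. The hunk does not show which denial prompted the change; if it was a single type, prefer that module's read interface and keep `files_read_etc_files(lircd_t)`, and if the attribute really is required a one-line comment above the rule stating which configuration lircd reads would justify the wider grant.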
@@ -34998,6 +35105,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp
daemontools_read_svc(ucspitcp_t)
')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.fc serefpolicy-3.9.7/policy/modules/services/ulogd.fc
+--- nsaserefpolicy/policy/modules/services/ulogd.fc 2010-10-12 22:42:49.000000000 +0200
++++ serefpolicy-3.9.7/policy/modules/services/ulogd.fc 2010-11-18 15:54:36.152398675 +0100
+@@ -1,7 +1,7 @@
+ /etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0)
+ /etc/ulogd.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0)
+
+-/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0)
++/usr/lib(64)?/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0)
+ /usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0)
+
+ /var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.9.7/policy/modules/services/ulogd.if
--- nsaserefpolicy/policy/modules/services/ulogd.if 2010-10-12 22:42:48.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/services/ulogd.if 2010-11-05 14:02:26.841650103 +0100
@@ -35053,18 +35172,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulog
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.9.7/policy/modules/services/ulogd.te
--- nsaserefpolicy/policy/modules/services/ulogd.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/ulogd.te 2010-11-05 14:02:26.842649409 +0100
-@@ -31,6 +31,9 @@
++++ serefpolicy-3.9.7/policy/modules/services/ulogd.te 2010-11-18 15:54:25.278399433 +0100
+@@ -29,8 +29,13 @@
+ # ulogd local policy
+ #
- allow ulogd_t self:capability net_admin;
+-allow ulogd_t self:capability net_admin;
++allow ulogd_t self:capability { net_admin sys_nice };
++allow ulogd_t self:process { setsched };
allow ulogd_t self:netlink_nflog_socket create_socket_perms;
+allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;
++allow ulogd_t self:netlink_socket create_socket_perms;
+allow ulogd_t self:tcp_socket { create_stream_socket_perms connect };
+allow ulogd_t self:udp_socket create_socket_perms;
# config files
read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
-@@ -43,6 +46,19 @@
+@@ -43,6 +48,19 @@
manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
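Review bot: `allow ulogd_t self:netlink_socket create_socket_perms;` uses the generic netlink_socket class, which covers every netlink protocol that lacks a dedicated class, so it is wider than the nflog and route grants beside it and, paired with the existing net_admin capability, is worth pinning down. If what ulogd needs is presumably the netfilter/conntrack protocol, which this policy version has no separate class for, a comment such as `# generic class: NETLINK_NETFILTER (ctnetlink) has no dedicated socket class` records why the broad class was chosen; the hunk does not show the AVC, so this is a guess. The remaining ulogd_t rules are outside this hunk.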
@@ -37655,8 +37779,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.9.7/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/xserver.te 2010-11-05 14:02:26.872901044 +0100
-@@ -26,27 +26,43 @@
++++ serefpolicy-3.9.7/policy/modules/services/xserver.te 2010-11-18 11:00:04.226398724 +0100
+@@ -26,27 +26,50 @@
#
## <desc>
@@ -37689,13 +37813,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
gen_tunable(xdm_sysadm_login, false)
## <desc>
--## <p>
+ ## <p>
-## Support X userspace object manager
--## </p>
++## Allows xdm to execute bootloader
+ ## </p>
+ ## </desc>
++gen_tunable(xdm_exec_bootloader, false)
++
++## <desc>
+## <p>
+## Support X userspace object manager
+## </p>
- ## </desc>
++## </desc>
gen_tunable(xserver_object_manager, false)
+## <desc>
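Review bot: The description of the new `xdm_exec_bootloader` boolean, `## Allows xdm to execute bootloader`, is what administrators see from `semanage boolean -l`, and it hides the important part: per the `bootloader_exec` interface this commit adds, the bootloader runs in xdm_t itself with no transition to bootloader_t. I would write `## Allow xdm to run the bootloader (e.g. grub) in the xdm domain, without a domain transition. Off by default.` The tunable_policy that consumes the boolean is not in this hunk, so I cannot confirm it is wired to bootloader_exec.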
@@ -37710,7 +37839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
attribute x_domain;
# X Events
-@@ -104,26 +120,30 @@
+@@ -104,26 +127,30 @@
type remote_t;
xserver_object_types_template(remote)
@@ -37742,7 +37871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t };
application_domain(iceauth_t, iceauth_exec_t)
ubac_constrained(iceauth_t)
-@@ -131,22 +151,26 @@
+@@ -131,22 +158,26 @@
type iceauth_home_t;
typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
@@ -37769,7 +37898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
files_tmp_file(xauth_tmp_t)
ubac_constrained(xauth_tmp_t)
-@@ -161,15 +185,21 @@
+@@ -161,15 +192,21 @@
type xdm_exec_t;
auth_login_pgm_domain(xdm_t)
init_domain(xdm_t, xdm_exec_t)
@@ -37793,7 +37922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
type xdm_var_lib_t;
files_type(xdm_var_lib_t)
-@@ -177,13 +207,27 @@
+@@ -177,13 +214,27 @@
type xdm_var_run_t;
files_pid_file(xdm_var_run_t)
@@ -37822,7 +37951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# type for /var/lib/xkb
type xkb_var_lib_t;
files_type(xkb_var_lib_t)
-@@ -196,15 +240,9 @@
+@@ -196,15 +247,9 @@
init_system_domain(xserver_t, xserver_exec_t)
ubac_constrained(xserver_t)
@@ -37840,7 +37969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_tmpfs_file(xserver_tmpfs_t)
ubac_constrained(xserver_tmpfs_t)
-@@ -234,9 +272,17 @@
+@@ -234,9 +279,17 @@
allow xdm_t iceauth_home_t:file read_file_perms;
@@ -37858,7 +37987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(iceauth_t)
-@@ -246,50 +292,109 @@
+@@ -246,50 +299,109 @@
fs_manage_cifs_files(iceauth_t)
')
@@ -37973,7 +38102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
-@@ -301,20 +406,32 @@
+@@ -301,20 +413,32 @@
# XDM Local policy
#
@@ -38010,7 +38139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -322,43 +439,69 @@
+@@ -322,43 +446,69 @@
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t, xdm_lock_t, file)
@@ -38087,7 +38216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -367,18 +510,26 @@
+@@ -367,18 +517,26 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -38115,7 +38244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
-@@ -390,18 +541,22 @@
+@@ -390,18 +548,22 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -38139,7 +38268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -410,18 +565,23 @@
+@@ -410,18 +572,23 @@
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@@ -38166,7 +38295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -432,9 +592,17 @@
+@@ -432,9 +599,17 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -38184,7 +38313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -443,28 +611,36 @@
+@@ -443,28 +618,36 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -38223,7 +38352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -473,9 +649,30 @@
+@@ -473,9 +656,30 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -38254,14 +38383,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
-@@ -504,11 +701,17 @@
+@@ -503,12 +707,24 @@
+ # allow xserver_t xdm_tmpfs_t:file rw_file_perms;
')
- optional_policy(`
-+ accountsd_read_lib_files(xdm_t)
++tunable_policy(`xdm_exec_bootloader',`
++ bootloader_exec(xdm_t)
++ files_read_boot_files(xdm_t)
++ files_read_boot_symlinks(xdm_t)
+')
+
+optional_policy(`
++ accountsd_read_lib_files(xdm_t)
++')
++
+ optional_policy(`
alsa_domtrans(xdm_t)
+ alsa_read_rw_config(xdm_t)
')
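Review bot: The new `xdm_exec_bootloader` branch runs the bootloader binary inside xdm_t itself — bootloader_exec() looks like an execute-in-caller-domain interface rather than a domain transition (judging by the name; confirm against the interface definition) — so whatever the bootloader does runs with the display manager's own permissions, while the hunk grants only read access to /boot (`files_read_boot_files`, `files_read_boot_symlinks`). If the intended use writes boot configuration (for example selecting the next boot entry), that write will be denied and show up only as an AVC; if it is meant to be read-only, say so. Suggest a comment above the block: `# xdm_exec_bootloader: run the bootloader in xdm_t (no transition), read-only access to /boot`. The boolean's `<desc>` text added in the earlier hunk at @@ -37689 ("Allows xdm to execute bootloader") could carry the same caveat so administrators enabling it understand the bootloader is not separately confined.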
@@ -38272,7 +38408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -516,12 +719,49 @@
+@@ -516,12 +732,49 @@
')
optional_policy(`
@@ -38322,7 +38458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
-@@ -539,28 +779,63 @@
+@@ -539,28 +792,63 @@
')
optional_policy(`
@@ -38395,7 +38531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -572,6 +847,10 @@
+@@ -572,6 +860,10 @@
')
optional_policy(`
@@ -38406,7 +38542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
-@@ -596,7 +875,7 @@
+@@ -596,7 +888,7 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -38415,7 +38551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -610,6 +889,14 @@
+@@ -610,6 +902,14 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -38430,7 +38566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -629,12 +916,19 @@
+@@ -629,12 +929,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -38452,7 +38588,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -642,6 +936,7 @@
+@@ -642,6 +949,7 @@
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -38460,7 +38596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -668,7 +963,6 @@
+@@ -668,7 +976,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -38468,7 +38604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -678,11 +972,17 @@
+@@ -678,11 +985,17 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -38486,7 +38622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -693,8 +993,13 @@
+@@ -693,8 +1006,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -38500,7 +38636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -716,11 +1021,14 @@
+@@ -716,11 +1034,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -38515,7 +38651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -773,12 +1081,28 @@
+@@ -773,12 +1094,28 @@
')
optional_policy(`
@@ -38545,7 +38681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -787,6 +1111,10 @@
+@@ -787,6 +1124,10 @@
')
optional_policy(`
@@ -38556,7 +38692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xserver_t)
')
-@@ -802,10 +1130,10 @@
+@@ -802,10 +1143,10 @@
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -38570,7 +38706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -813,7 +1141,7 @@
+@@ -813,7 +1154,7 @@
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -38579,7 +38715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -826,6 +1154,9 @@
+@@ -826,6 +1167,9 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -38589,7 +38725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -833,6 +1164,11 @@
+@@ -833,6 +1177,11 @@
fs_manage_nfs_symlinks(xserver_t)
')
@@ -38601,7 +38737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xserver_t)
fs_manage_cifs_files(xserver_t)
-@@ -841,11 +1177,14 @@
+@@ -841,11 +1190,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -38618,7 +38754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -853,6 +1192,10 @@
+@@ -853,6 +1205,10 @@
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -38629,7 +38765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
########################################
#
# Rules common to all X window domains
-@@ -896,7 +1239,7 @@
+@@ -896,7 +1252,7 @@
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -38638,7 +38774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -950,11 +1293,31 @@
+@@ -950,11 +1306,31 @@
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -38670,7 +38806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -976,18 +1339,32 @@
+@@ -976,18 +1352,32 @@
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -39274,7 +39410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.9.7/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/authlogin.if 2010-11-05 14:02:26.891654584 +0100
++++ serefpolicy-3.9.7/policy/modules/system/authlogin.if 2010-11-18 15:56:35.329397897 +0100
@@ -57,6 +57,8 @@
auth_exec_pam($1)
auth_use_nsswitch($1)
@@ -39319,7 +39455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
manage_files_pattern($1, var_auth_t, var_auth_t)
manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -119,6 +130,10 @@
+@@ -119,13 +130,20 @@
# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
kernel_rw_afs_state($1)
@@ -39330,8 +39466,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
# for fingerprint readers
dev_rw_input_dev($1)
dev_rw_generic_usb_dev($1)
-@@ -126,6 +141,8 @@
+
files_read_etc_files($1)
++ files_read_config_files($1)
fs_list_auto_mountpoints($1)
+ fs_manage_cgroup_dirs($1)
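Review bot: `files_read_config_files($1)` is added to the login-program interface without a comment saying which caller needed it, whereas the neighbouring afs line cites its bug; because this interface is applied to every login-program domain, the widening reaches all of them at once. Suggest `# <caller> needs generic config files; see <BUG-ID placeholder>` so the grant can be narrowed later. The enclosing interface begins and ends outside the hunk, so its name is not visible here.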
@@ -39339,7 +39476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
selinux_get_fs_mount($1)
selinux_validate_context($1)
-@@ -141,6 +158,7 @@
+@@ -141,6 +159,7 @@
mls_process_set_level($1)
mls_fd_share_all_levels($1)
@@ -39347,7 +39484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
auth_use_pam($1)
init_rw_utmp($1)
-@@ -151,8 +169,39 @@
+@@ -151,8 +170,39 @@
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -39389,7 +39526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
')
-@@ -365,13 +414,15 @@
+@@ -365,13 +415,15 @@
')
optional_policy(`
@@ -39406,7 +39543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
-@@ -418,6 +469,7 @@
+@@ -418,6 +470,7 @@
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -39414,7 +39551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
-@@ -694,7 +746,7 @@
+@@ -694,7 +747,7 @@
')
files_search_etc($1)
@@ -39423,7 +39560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
typeattribute $1 can_relabelto_shadow_passwords;
')
-@@ -736,6 +788,25 @@
+@@ -736,6 +789,25 @@
allow $1 faillog_t:file rw_file_perms;
')
@@ -39449,7 +39586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
#######################################
## <summary>
## Read the last logins log.
-@@ -874,6 +945,26 @@
+@@ -874,6 +946,26 @@
########################################
## <summary>
@@ -39476,7 +39613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Manage var auth files. Used by various other applications
## and pam applets etc.
## </summary>
-@@ -896,6 +987,26 @@
+@@ -896,6 +988,26 @@
########################################
## <summary>
@@ -39503,7 +39640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Read PAM PID files.
## </summary>
## <param name="domain">
-@@ -1500,6 +1611,8 @@
+@@ -1500,6 +1612,8 @@
#
interface(`auth_use_nsswitch',`
@@ -39512,7 +39649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1)
# read /etc/nsswitch.conf
-@@ -1531,7 +1644,15 @@
+@@ -1531,7 +1645,15 @@
')
optional_policy(`
@@ -42124,7 +42261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
domain_system_change_exemption($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.9.7/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/logging.te 2010-11-05 14:02:26.935900275 +0100
++++ serefpolicy-3.9.7/policy/modules/system/logging.te 2010-11-15 18:53:42.100148434 +0100
@@ -60,6 +60,7 @@
type syslogd_t;
type syslogd_exec_t;
@@ -42220,7 +42357,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
domain_use_interactive_fds(syslogd_t)
-@@ -488,6 +518,10 @@
+@@ -422,6 +452,7 @@
+ # /initrd is not umounted before minilog starts
+ files_dontaudit_search_isid_type_dirs(syslogd_t)
+ files_read_kernel_symbol_table(syslogd_t)
++files_search_spool(syslogd_t)
+
+ fs_getattr_all_fs(syslogd_t)
+ fs_search_auto_mountpoints(syslogd_t)
+@@ -488,6 +519,10 @@
')
optional_policy(`
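Review bot: `files_search_spool(syslogd_t)` is inserted between rules that each carry a why-comment but has none of its own, so a later reader cannot tell which spool path syslogd needs to traverse or whether the rule is still required. Suggest `# syslogd needs to traverse /var/spool to reach <path placeholder>`, citing the denial that motivated it. The hunk is otherwise a context-only renumbering.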
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 526acae..10f87a7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.7
-Release: 11%{?dist}
+Release: 12%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,15 @@ exit 0
%endif
%changelog
+* Thu Nov 18 2010 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-12
+- Add xdm_exec_bootloader boolean
+- Allow cgconfig fsetid capability
+- Allow logwatch and cron to mls_read_to_clearance for MLS boxes
+- Allow wm to send signull to all applications and receive them from users
+- lircd patch from field
+- Patch for Stephen Beahm for ulogd policy
+- Turn on pyzor policy
+
* Mon Nov 15 2010 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-11
- Allow mysqld-safe to send system log messages
- Fix label for lxdm.sock