[selinux-policy: 1585/3172] patch from erich Sat, 02 Sep 2006 03:37:44 +0200

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:22:12 UTC 2010


commit 13d7cec671c7c840f8f24e24501a9b5838e3e687
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Sep 4 18:22:12 2006 +0000

    patch from erich Sat, 02 Sep 2006 03:37:44 +0200

 Changelog                            |    1 +
 policy/modules/admin/apt.te          |    8 ++++++--
 policy/modules/admin/sxid.te         |    3 ++-
 policy/modules/admin/usermanage.te   |    3 ++-
 policy/modules/kernel/devices.fc     |    5 +++++
 policy/modules/kernel/devices.te     |    2 +-
 policy/modules/kernel/files.fc       |    2 ++
 policy/modules/kernel/files.te       |    2 +-
 policy/modules/services/amavis.fc    |    4 ++++
 policy/modules/services/amavis.te    |    3 ++-
 policy/modules/services/hal.te       |    3 ++-
 policy/modules/services/ldap.fc      |    4 ++++
 policy/modules/services/ldap.te      |    2 +-
 policy/modules/services/openvpn.te   |    4 ++--
 policy/modules/services/rpc.te       |    3 ++-
 policy/modules/services/tor.te       |    7 ++++++-
 policy/modules/system/fstools.fc     |    2 ++
 policy/modules/system/fstools.te     |   10 +++++++++-
 policy/modules/system/libraries.fc   |   16 +++++++++++++++-
 policy/modules/system/libraries.te   |    2 +-
 policy/modules/system/selinuxutil.fc |    4 ----
 policy/modules/system/selinuxutil.te |    3 ++-
 22 files changed, 72 insertions(+), 21 deletions(-)
---
diff --git a/Changelog b/Changelog
index 13813bd..89f9ae3 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Debian updates from Erich Schubert.
 - Add nscd_socket_use() to auth_use_nsswitch().
 - Remove old selopt rules.
 - Full support for netfilter_contexts.
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index 995ede0..9067dea 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -1,5 +1,5 @@
 
-policy_module(apt,1.0.1)
+policy_module(apt,1.0.2)
 
 ########################################
 #
@@ -10,7 +10,6 @@ type apt_t;
 type apt_exec_t;
 init_system_domain(apt_t,apt_exec_t)
 domain_system_change_exemption(apt_t)
-domain_getattr_all_domains(apt_t)
 role system_r types apt_t;
 
 type apt_tmp_t;
@@ -91,10 +90,15 @@ corenet_sendrecv_all_client_packets(apt_t)
 
 dev_read_urand(apt_t)
 
+domain_getattr_all_domains(apt_t)
+domain_use_interactive_fds(apt_t)
+
 files_exec_usr_files(apt_t)
 files_read_etc_files(apt_t)
 files_read_etc_runtime_files(apt_t)
 
+fs_dontaudit_getattr_all_fs(apt_t)
+
 term_list_ptys(apt_t)
 term_use_all_terms(apt_t)
 
diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
index f79f8fd..5a2f043 100644
--- a/policy/modules/admin/sxid.te
+++ b/policy/modules/admin/sxid.te
@@ -1,5 +1,5 @@
 
-policy_module(sxid,1.0.2)
+policy_module(sxid,1.0.3)
 
 ########################################
 #
@@ -69,6 +69,7 @@ fs_list_all(sxid_t)
 term_dontaudit_use_console(sxid_t)
 
 auth_read_all_files_except_shadow(sxid_t)
+auth_dontaudit_getattr_shadow(sxid_t)
 
 init_use_fds(sxid_t)
 init_use_script_ptys(sxid_t)
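Review bot: `auth_dontaudit_getattr_shadow(sxid_t)` is added without a comment, and a dontaudit touching /etc/shadow hides exactly the access an auditor would want explained. Presumably the scanner stats every file in the tree it walks and reaches shadow as a side effect; if so, record it as `# sxid stats every file while walking the tree; only getattr on shadow is silenced, read stays denied`, which also makes clear that the line directly above it still excludes shadow from the read grant.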
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 49ebcf1..6e3d737 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
 
-policy_module(usermanage,1.3.9)
+policy_module(usermanage,1.3.10)
 
 ########################################
 #
@@ -170,6 +170,7 @@ files_read_etc_runtime_files(crack_t)
 files_read_usr_files(crack_t)
 
 corecmd_exec_bin(crack_t)
+corecmd_dontaudit_search_sbin(crack_t)
 
 libs_use_ld_so(crack_t)
 libs_use_shared_libs(crack_t)
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 9a25b78..1aa840b 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -98,6 +98,11 @@ ifdef(`distro_suse', `
 
 /dev/xen/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
 
+ifdef(`distro_debian',`
+# used by udev init script as temporary mount point
+/lib/udev/devices	-d		gen_context(system_u:object_r:device_t,s0)
+')
+
 ifdef(`distro_gentoo',`
 # used by init scripts to initally populate udev /dev
 /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index c5575ad..3150795 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices,1.1.19)
+policy_module(devices,1.1.20)
 
 ########################################
 #
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index e80a186..61d1524 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -120,6 +120,7 @@ HOME_ROOT/lost\+found/.*		<<none>>
 #
 # Mount points; do not relabel subdirectories, since
 # we don't want to change any removable media by default.
+/media(/[^/]*)		-l	gen_context(system_u:object_r:mnt_t,s0)
 /media(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
 /media/[^/]*/.*			<<none>>
 
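Review bot: The new `-l` entry for `/media(/[^/]*)` here and the matching `/mnt(/[^/]*)` entry in the next hunk are unconditional, while every other path addition in this commit is wrapped in the distro_debian ifdef. If symlinks directly under /media and /mnt are a Debian convention, these belong inside the same guard; if they are intended for all distributions, a one-line comment such as `# symlinks placed directly in the mount-point directory take the mount-point label` would stop a reader from assuming the guard was forgotten. The entries match only one level down, so they stay within the "do not relabel subdirectories" rule stated in the block comment above.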
@@ -131,6 +132,7 @@ HOME_ROOT/lost\+found/.*		<<none>>
 #
 # /mnt
 #
+/mnt(/[^/]*)		-l	gen_context(system_u:object_r:mnt_t,s0)
 /mnt(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
 /mnt/[^/]*/.*			<<none>>
 
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 9901261..d397dca 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
 
-policy_module(files,1.2.14)
+policy_module(files,1.2.15)
 
 ########################################
 #
diff --git a/policy/modules/services/amavis.fc b/policy/modules/services/amavis.fc
index 31b1ab7..4533c2d 100644
--- a/policy/modules/services/amavis.fc
+++ b/policy/modules/services/amavis.fc
@@ -4,6 +4,10 @@
 
 /usr/sbin/amavisd.*		--	gen_context(system_u:object_r:amavis_exec_t,s0)
 
+ifdef(`distro_debian',`
+/usr/sbin/amavisd-new-cronjob	--	gen_context(system_u:object_r:amavis_exec_t,s0)
+')
+
 /var/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_lib_t,s0)
 /var/lib/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_lib_t,s0)
 /var/log/amavisd\.log		--	gen_context(system_u:object_r:amavis_var_log_t,s0)
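Review bot: The Debian-only `/usr/sbin/amavisd-new-cronjob` entry is already covered by the unconditional `/usr/sbin/amavisd.*  --` line three lines above it, since `amavisd.*` matches `amavisd-new-cronjob`, so the new block changes no labeling. Either drop it, or if it is meant to survive a future narrowing of the `amavisd.*` pattern, say so: `# already matched by amavisd.* above; kept so the cron helper stays labeled if that pattern is tightened`.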
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index 1908b92..e8f7662 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -1,5 +1,5 @@
 
-policy_module(amavis,1.0.7)
+policy_module(amavis,1.0.8)
 
 ########################################
 #
@@ -143,6 +143,7 @@ logging_send_syslog_msg(amavis_t)
 miscfiles_read_localization(amavis_t)
 
 sysnet_dns_name_resolve(amavis_t)
+sysnet_use_ldap(amavis_t)
 
 userdom_dontaudit_search_sysadm_home_dirs(amavis_t)
 
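Review bot: `sysnet_use_ldap(amavis_t)` grants network access to LDAP servers unconditionally with no comment on why amavis needs it. If this is for nss_ldap-style user lookups, it may be redundant when amavis_t already calls `auth_use_nsswitch()` and that interface bundles LDAP access in this tree (the Changelog context lines show that interface being extended); if it is for amavisd's own per-recipient policy queries, note it: `# amavisd-new can look up per-recipient policy in LDAP`. The rest of amavis.te is outside this hunk, so I cannot tell which case applies.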
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index e2adeef..bc7634e 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
 
-policy_module(hal,1.3.12)
+policy_module(hal,1.3.13)
 
 ########################################
 #
@@ -47,6 +47,7 @@ kernel_read_system_state(hald_t)
 kernel_read_network_state(hald_t)
 kernel_read_kernel_sysctls(hald_t)
 kernel_read_fs_sysctls(hald_t)
+kernel_read_irq_sysctls(hald_t)
 kernel_rw_vm_sysctls(hald_t)
 kernel_write_proc_files(hald_t)
 
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
index d740147..53d71e0 100644
--- a/policy/modules/services/ldap.fc
+++ b/policy/modules/services/ldap.fc
@@ -3,6 +3,10 @@
 
 /usr/sbin/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
 
+ifdef(`distro_debian',`
+/usr/lib/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
+')
+
 /var/lib/ldap(/.*)?		gen_context(system_u:object_r:slapd_db_t,s0)
 /var/lib/ldap/replog(/.*)?	gen_context(system_u:object_r:slapd_replog_t,s0)
 
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index fb1482b..a0ad0bb 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -1,5 +1,5 @@
 
-policy_module(ldap,1.2.6)
+policy_module(ldap,1.2.7)
 
 ########################################
 #
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index dcdafd6..67548c8 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -1,5 +1,5 @@
 
-policy_module(openvpn,1.0.4)
+policy_module(openvpn,1.0.5)
 
 ########################################
 #
@@ -28,7 +28,7 @@ files_pid_file(openvpn_var_run_t)
 # openvpn local policy
 #
 
-allow openvpn_t self:capability { net_admin setgid setuid };
+allow openvpn_t self:capability { net_admin setgid setuid sys_tty_config };
 allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
 allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow openvpn_t self:udp_socket create_socket_perms;
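Review bot: Adding `sys_tty_config` to the `allow openvpn_t self:capability` line grants a privileged capability (terminal configuration, vhangup) that a VPN daemon has no evident need for, and the usual refpolicy response to a daemon tripping this check from an init script is to silence it rather than grant it. Unless openvpn actually fails without it, keep the line at `allow openvpn_t self:capability { net_admin setgid setuid };` and add `dontaudit openvpn_t self:capability sys_tty_config;`. If it is genuinely required, a comment naming the operation that needs it should accompany the grant.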
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index b052590..318ec0a 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
 
-policy_module(rpc,1.2.12)
+policy_module(rpc,1.2.13)
 
 ########################################
 #
@@ -44,6 +44,7 @@ allow rpcd_t rpcd_var_run_t:file manage_file_perms;
 allow rpcd_t rpcd_var_run_t:dir { rw_dir_perms setattr };
 files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
 
+kernel_read_system_state(rpcd_t) 
 kernel_search_network_state(rpcd_t) 
 # for rpc.rquotad
 kernel_read_sysctl(rpcd_t)  
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index aa9c4a5..814c162 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
@@ -1,5 +1,5 @@
 
-policy_module(tor,1.0.3)
+policy_module(tor,1.0.4)
 
 ########################################
 #
@@ -61,6 +61,8 @@ allow tor_t tor_var_run_t:sock_file manage_file_perms;
 allow tor_t tor_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(tor_t,tor_var_run_t, { file sock_file })
 
+kernel_read_system_state(tor_t)
+
 # networking basics
 corenet_non_ipsec_sendrecv(tor_t)
 corenet_tcp_sendrecv_all_if(tor_t)
@@ -82,6 +84,9 @@ dev_read_urand(tor_t)
 domain_use_interactive_fds(tor_t)
 
 files_read_etc_files(tor_t)
+files_read_etc_runtime_files(tor_t)
+
+term_dontaudit_use_console(tor_t)
 
 # comm with init
 init_use_fds(tor_t)
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index dcd5ba6..9f64242 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -38,3 +38,5 @@
 /usr/bin/syslinux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 
 /usr/sbin/smartctl	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+
+/var/log/fsck(/.*)?		gen_context(system_u:object_r:fsadm_log_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 8d24711..0ef6d0b 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,5 +1,5 @@
 
-policy_module(fstools,1.3.3)
+policy_module(fstools,1.3.4)
 
 ########################################
 #
@@ -12,6 +12,9 @@ init_system_domain(fsadm_t,fsadm_exec_t)
 mls_file_read_up(fsadm_t)
 role system_r types fsadm_t;
 
+type fsadm_log_t;
+logging_log_file(fsadm_log_t)
+
 type fsadm_tmp_t;
 files_tmp_file(fsadm_tmp_t)
 
@@ -44,6 +47,11 @@ allow fsadm_t fsadm_tmp_t:dir create_dir_perms;
 allow fsadm_t fsadm_tmp_t:file create_file_perms;
 files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
 
+# log files
+allow fsadm_t fsadm_log_t:file manage_file_perms;
+allow fsadm_t fsadm_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(fsadm_t,fsadm_log_t,file)
+
 # Enable swapping to files
 allow fsadm_t swapfile_t:file { read write getattr swapon };
 
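Review bot: The new log rules use `logging_log_filetrans(fsadm_t,fsadm_log_t,file)` and `rw_dir_perms`, which as far as I recall does not include `create`, so fsadm_t can neither create nor type-transition the `/var/log/fsck` directory; it has to exist and already carry fsadm_log_t (via the fstools.fc entry in this commit plus a relabel) before these rules help, unlike the tmp rules just above that transition `{ file dir }`. That is a defensible design but should be stated: `# /var/log/fsck is created and labeled by the package; fsadm only writes files into it`. `manage_file_perms` also lets the domain unlink and rewrite its own logs, which is fine if fsck regenerates them every boot but weakens them as an audit trail, so a comment settling that intent would help too.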
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 76cf6f7..bc9a6ac 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -1,6 +1,15 @@
 #
 # /emul
 #
+ifdef(`distro_debian',`
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?		gen_context(system_u:object_r:lib_t,s0)
+/emul/ia32-linux/usr(/.*)?/lib/.+\.so(\.[^/]*)*	-- gen_context(system_u:object_r:shlib_t,s0)
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
+/emul/ia32-linux/lib(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/emul/ia32-linux/lib/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:shlib_t,s0)
+/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+')
+
 ifdef(`distro_gentoo',`
 /emul/linux/x86/usr(/.*)?/lib(/.*)?		gen_context(system_u:object_r:lib_t,s0)
 /emul/linux/x86/usr(/.*)?/lib/.+\.so(\.[^/]*)*	-- gen_context(system_u:object_r:shlib_t,s0)
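Review bot: In the new Debian block the ld.so entry under usr, `/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*`, has no `--` file-type qualifier while its sibling under `/emul/ia32-linux/lib` three lines below does, so the usr variant will also label directories or symlinks of that name. Add `--` to make them consistent: `/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)`. The shlib line above it also separates `--` from gen_context with a single space where the rest of the block uses a tab.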
@@ -42,6 +51,11 @@ ifdef(`distro_redhat',`
 /lib/security/pam_poldi\.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /lib64/security/pam_poldi\.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
+ifdef(`distro_debian',`
+/lib32					-l	gen_context(system_u:object_r:lib_t,s0)
+/lib64					-l	gen_context(system_u:object_r:lib_t,s0)
+')
+
 ifdef(`distro_gentoo',`
 /lib32(/.*)?					gen_context(system_u:object_r:lib_t,s0)
 /lib32/.+\.so(\.[^/]*)*			--	gen_context(system_u:object_r:shlib_t,s0)
@@ -64,7 +78,7 @@ ifdef(`distro_gentoo',`
 /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 ifdef(`distro_gentoo',`
-# despite the extensions, they're actually libs
+# despite the extensions, they are actually libs
 /opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
 /opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
 
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 1206d2c..1aad262 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
 
-policy_module(libraries,1.3.12)
+policy_module(libraries,1.3.13)
 
 ########################################
 #
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 1d5d4d2..2e6f4c7 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -41,10 +41,6 @@
 /usr/sbin/semanage		--	gen_context(system_u:object_r:semanage_exec_t,s0)
 /usr/sbin/semodule		--	gen_context(system_u:object_r:semanage_exec_t,s0)
 
-ifdef(`distro_debian', `
-/usr/share/selinux(/.*)?		gen_context(system_u:object_r:policy_src_t,s0)
-')
-
 #
 # /var/run
 #
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 02e30cb..8b2ede9 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.2.14)
+policy_module(selinuxutil,1.2.15)
 
 ifdef(`strict_policy',`
 	gen_require(`
@@ -576,6 +576,7 @@ dev_read_urand(semanage_t)
 domain_use_interactive_fds(semanage_t)
 
 files_read_etc_files(semanage_t)
+files_read_etc_runtime_files(semanage_t)
 files_read_usr_files(semanage_t)
 files_list_pids(semanage_t)
 

