[selinux-policy/f13/master] - Allow virt domains execute qemu_exec_t - Add support for dkim-milter - Fixes for freshclam - Allow
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Sep 9 13:46:25 UTC 2010
commit f14eb068cd5d1b3fc44dde87395e9004bf53b1c3
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Sep 9 15:46:16 2010 +0200
- Allow virt domains to execute qemu_exec_t
- Add support for dkim-milter
- Fixes for freshclam
- Allow iptables to read shorewall tmp files
- Add boolean to allow icecast to connect to any port
- Allow freshclam to execute shell and bin_t
policy-F13.patch | 1012 +++++++++++++++++++++++++++++++++++++++------------
selinux-policy.spec | 10 +-
2 files changed, 793 insertions(+), 229 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 1533331..8cdf510 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -10,6 +10,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.19/
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.7.19/man/man8/ftpd_selinux.8
+--- nsaserefpolicy/man/man8/ftpd_selinux.8 2010-04-13 20:44:36.000000000 +0200
++++ serefpolicy-3.7.19/man/man8/ftpd_selinux.8 2010-09-09 15:08:15.357085367 +0200
+@@ -15,7 +15,7 @@
+ semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
+ .TP
+ .B
+-restorecon -R -v /var/ftp
++restorecon -F -R -v /var/ftp
+ .TP
+ Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set.
+ .PP
+@@ -23,7 +23,7 @@
+ semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?"
+ .TP
+ .B
+-restorecon -R -v /var/ftp/incoming
++restorecon -F -R -v /var/ftp/incoming
+
+ .SH BOOLEANS
+ .PP
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.19/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/global_tunables 2010-05-28 09:41:59.942610848 +0200
@@ -2109,7 +2130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sectool
mount_exec(sectoolm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.7.19/policy/modules/admin/shorewall.if
--- nsaserefpolicy/policy/modules/admin/shorewall.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/shorewall.if 2010-08-17 10:56:22.490085133 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/shorewall.if 2010-09-09 13:43:11.957085205 +0200
@@ -18,47 +18,27 @@
domtrans_pattern($1, shorewall_exec_t, shorewall_t)
')
@@ -2185,7 +2206,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
')
######################################
-@@ -134,9 +114,9 @@
+@@ -115,6 +95,25 @@
+ rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ ')
+
++######################################
++## <summary>
++## Read shorewall tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`shorewall_read_tmp_files',`
++ gen_require(`
++ type shorewall_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t)
++')
++
+ #######################################
+ ## <summary>
+ ## All of the rules required to administrate
+@@ -134,9 +133,9 @@
#
interface(`shorewall_admin',`
gen_require(`
@@ -2197,7 +2244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
')
allow $1 shorewall_t:process { ptrace signal_perms };
-@@ -153,9 +133,6 @@
+@@ -153,9 +152,6 @@
files_search_locks($1)
admin_pattern($1, shorewall_lock_t)
@@ -3386,7 +3433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.
+sysnet_read_config(gitosis_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.19/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/gnome.fc 2010-08-24 15:33:52.995335336 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/gnome.fc 2010-09-09 13:47:27.008335639 +0200
@@ -1,8 +1,31 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
@@ -3396,8 +3443,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0)
-+/HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
-+/HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
++HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
++HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+
+
+/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
@@ -4732,7 +4779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.19/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/java.te 2010-05-28 09:41:59.983610743 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/java.te 2010-09-09 12:48:28.290335334 +0200
@@ -147,6 +147,15 @@
init_dbus_chat_script(unconfined_java_t)
@@ -6391,7 +6438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.19/policy/modules/apps/qemu.if
--- nsaserefpolicy/policy/modules/apps/qemu.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/qemu.if 2010-05-28 09:42:00.000610955 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/qemu.if 2010-09-09 13:11:47.340085075 +0200
@@ -127,12 +127,14 @@
template(`qemu_role',`
gen_require(`
@@ -6407,7 +6454,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if
')
########################################
-@@ -273,6 +275,67 @@
+@@ -153,6 +155,24 @@
+ domtrans_pattern($1, qemu_exec_t, qemu_t)
+ ')
+
++#######################################
++## <summary>
++## Execute a qemu in the callers domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`qemu_exec',`
++ gen_require(`
++ type qemu_exec_t;
++ ')
++
++ can_exec($1, qemu_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Execute qemu in the qemu domain.
+@@ -273,6 +293,67 @@
########################################
## <summary>
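Review bot: The new `qemu_exec` interface grants `can_exec($1, qemu_exec_t)`, which lets the caller run the qemu binary with no domain transition, so the resulting process keeps every permission of the calling domain instead of moving to qemu_t as `qemu_domtrans` just below it does; the summary should state that distinction, since it is the whole reason a second interface exists. Suggested summary line: `## Execute qemu in the caller's domain (no transition to qemu_t).` The current wording "Execute a qemu in the callers domain" also reads oddly. The surrounding qemu.if hunk is otherwise a renumbering of later hunk headers.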
@@ -6475,7 +6547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if
## Manage qemu temporary dirs.
## </summary>
## <param name="domain">
-@@ -306,3 +369,24 @@
+@@ -306,3 +387,24 @@
manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
@@ -8264,7 +8336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.19/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/vmware.te 2010-06-08 14:24:13.013626203 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/vmware.te 2010-09-09 10:27:11.540085109 +0200
@@ -29,6 +29,10 @@
type vmware_host_exec_t;
init_daemon_domain(vmware_host_t, vmware_host_exec_t)
@@ -8308,6 +8380,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
domain_use_interactive_fds(vmware_host_t)
domain_dontaudit_read_all_domains_state(vmware_host_t)
+@@ -121,6 +135,7 @@
+ files_list_tmp(vmware_host_t)
+ files_read_etc_files(vmware_host_t)
+ files_read_etc_runtime_files(vmware_host_t)
++files_read_usr_files(vmware_host_t)
+
+ fs_getattr_all_fs(vmware_host_t)
+ fs_search_auto_mountpoints(vmware_host_t)
+@@ -151,6 +166,10 @@
+ ')
+
+ optional_policy(`
++ shutdown_domtrans(vmware_host_t)
++')
++
++optional_policy(`
+ udev_read_db(vmware_host_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.7.19/policy/modules/apps/webalizer.te
--- nsaserefpolicy/policy/modules/apps/webalizer.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/apps/webalizer.te 2010-08-13 07:59:10.406085311 +0200
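Review bot: `shutdown_domtrans(vmware_host_t)` lets the VMware host daemon transition into a domain that can halt or reboot the machine, which is a notable privilege for a service domain, and the new optional_policy block carries no explanation of why the daemon needs it. A why-comment above the call naming which vmware-tools component invokes shutdown would let a later reviewer judge whether the grant is still required. The `files_read_usr_files(vmware_host_t)` addition in the preceding inner hunk is routine.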
@@ -8360,8 +8451,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if
xserver_role($1_r, $1_wine_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.19/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/wine.te 2010-05-28 09:42:00.016654044 +0200
-@@ -1,6 +1,14 @@
++++ serefpolicy-3.7.19/policy/modules/apps/wine.te 2010-09-09 14:18:56.313334508 +0200
+@@ -1,6 +1,13 @@
policy_module(wine, 1.6.1)
@@ -8370,13 +8461,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
+## Ignore wine mmap_zero errors
+## </p>
+## </desc>
-+#
+gen_tunable(wine_mmap_zero_ignore, false)
+
########################################
#
# Declarations
-@@ -30,7 +38,13 @@
+@@ -30,7 +37,14 @@
manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
@@ -8385,6 +8475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
+tunable_policy(`mmap_low_allowed',`
+ domain_mmap_low(wine_t)
+')
++
+tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit wine_t self:memprotect mmap_zero;
+')
@@ -8458,7 +8549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-08-30 20:26:39.691335235 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-09-09 10:26:47.476085401 +0200
@@ -9,8 +9,11 @@
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -8502,7 +8593,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -147,6 +160,9 @@
+@@ -105,6 +118,8 @@
+ /etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
+ ')
+
++/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
+ #
+ # /lib
+ #
+@@ -147,6 +162,9 @@
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
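Review bot: `/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)` labels the entire tree, not only scripts, as bin_t, so any configuration files kept there lose etc_t and become executable-labelled content that every domain with corecmd_exec_bin may run; the neighbouring /etc entries in this file (the ppp hook lines above) match specific names and pin `--` to regular files. If only the hook scripts need executing, a narrower pattern such as `/etc/vmware-tools/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)` or an explicit list would be tighter; if the whole directory genuinely holds executables, a comment saying so would help. I cannot see the directory's contents, so this is a question rather than a definite defect.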
@@ -8512,7 +8612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
#
# /usr
#
-@@ -189,7 +205,8 @@
+@@ -189,7 +207,8 @@
/usr/lib(64)?/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -8522,7 +8622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
-@@ -216,11 +233,17 @@
+@@ -216,11 +235,17 @@
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
@@ -8540,7 +8640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -240,6 +263,7 @@
+@@ -240,6 +265,7 @@
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -8548,7 +8648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -297,6 +321,7 @@
+@@ -297,6 +323,7 @@
/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -8556,7 +8656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
-@@ -331,3 +356,21 @@
+@@ -331,3 +358,21 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -9608,7 +9708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.19/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-08-30 19:22:32.465335135 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-09-09 09:56:22.877085209 +0200
@@ -1053,10 +1053,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -10026,50 +10126,99 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
## <summary>
## Create, read, write, and delete symbolic links in /mnt.
-@@ -3520,6 +3801,82 @@
+@@ -3520,57 +3801,151 @@
allow $1 readable_t:sock_file read_sock_file_perms;
')
+-########################################
+#######################################
-+## <summary>
+ ## <summary>
+-## Allow the specified type to associate
+-## to a filesystem with the type of the
+-## temporary directory (/tmp).
+## Read manageable system configuration files in /etc
-+## </summary>
+ ## </summary>
+-## <param name="file_type">
+-## <summary>
+-## Type of the file to associate.
+-## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
+ ## </param>
+## <rolecap/>
-+#
+ #
+-interface(`files_associate_tmp',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_read_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-+
+
+- allow $1 tmp_t:filesystem associate;
+ allow $1 etc_t:dir list_dir_perms;
+ read_files_pattern($1, etc_t, system_conf_t)
+ read_lnk_files_pattern($1, etc_t, system_conf_t)
-+')
-+
+ ')
+
+-########################################
+######################################
-+## <summary>
+ ## <summary>
+-## Get the attributes of the tmp directory (/tmp).
+## Manage manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_getattr_tmp_dirs',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_manage_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-+
+
+- allow $1 tmp_t:dir getattr;
+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+ ')
+
+-########################################
++#######################################
+ ## <summary>
+-## Do not audit attempts to get the
+-## attributes of the tmp directory (/tmp).
++## Relabel manageable system configuration files in /etc.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_tmp_dirs',`
+- gen_require(`
++interface(`files_relabelto_system_conf_files',`
++ gen_require(`
++ type usr_t;
++ ')
++
++ relabelto_files_pattern($1, system_conf_t, system_conf_t)
+')
+
-+#######################################
++#####################################
+## <summary>
+## Relabel manageable system configuration files in /etc.
+## </summary>
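Review bot: `files_relabelto_system_conf_files` lists `type usr_t;` in its `gen_require` but the only type its body uses is `system_conf_t`, so the require block names a type the interface never touches and omits the one it does; the same mismatch is carried into `files_relabelfrom_system_conf_files` in the next hunk. Inside the kernel layer, where system_conf_t is declared, this may compile silently, but a separately built module calling either interface would presumably hit an undeclared-type error. Change the require in both to `type system_conf_t;`. The new header `#####################################` is also shorter than the surrounding ones.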
@@ -10079,12 +10228,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+## </summary>
+## </param>
+#
-+interface(`files_relabelto_system_conf_files',`
++interface(`files_relabelfrom_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
-+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
++ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
+')
+
+###################################
@@ -10106,10 +10255,61 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+ filetrans_pattern($1, etc_t, system_conf_t, file)
+')
+
- ########################################
- ## <summary>
- ## Allow the specified type to associate
-@@ -3705,6 +4062,32 @@
++########################################
++## <summary>
++## Allow the specified type to associate
++## to a filesystem with the type of the
++## temporary directory (/tmp).
++## </summary>
++## <param name="file_type">
++## <summary>
++## Type of the file to associate.
++## </summary>
++## </param>
++#
++interface(`files_associate_tmp',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ allow $1 tmp_t:filesystem associate;
++')
++
++########################################
++## <summary>
++## Get the attributes of the tmp directory (/tmp).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_getattr_tmp_dirs',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ allow $1 tmp_t:dir getattr;
++')
++
++########################################
++## <summary>
++## Do not audit attempts to get the
++## attributes of the tmp directory (/tmp).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_getattr_tmp_dirs',`
++ gen_require(`
+ type tmp_t;
+ ')
+
+@@ -3705,6 +4080,32 @@
########################################
## <summary>
@@ -10142,7 +10342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -3918,6 +4301,13 @@
+@@ -3918,6 +4319,13 @@
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -10156,7 +10356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -4013,6 +4403,24 @@
+@@ -4013,6 +4421,24 @@
########################################
## <summary>
@@ -10181,7 +10381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Delete generic files in /usr in the caller domain.
## </summary>
## <param name="domain">
-@@ -4026,7 +4434,7 @@
+@@ -4026,7 +4452,7 @@
type usr_t;
')
@@ -10190,7 +10390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -4107,6 +4515,24 @@
+@@ -4107,6 +4533,24 @@
########################################
## <summary>
@@ -10215,7 +10415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## dontaudit write of /usr files
## </summary>
## <param name="domain">
-@@ -5032,6 +5458,43 @@
+@@ -5032,6 +5476,43 @@
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -10259,7 +10459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
## <summary>
## Do not audit attempts to search
-@@ -5091,6 +5554,24 @@
+@@ -5091,6 +5572,24 @@
########################################
## <summary>
@@ -10284,7 +10484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Create an object in the process ID directory, with a private type.
## </summary>
## <desc>
-@@ -5238,6 +5719,7 @@
+@@ -5238,6 +5737,7 @@
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -10292,7 +10492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -5306,6 +5788,24 @@
+@@ -5306,6 +5806,24 @@
########################################
## <summary>
@@ -10317,7 +10517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Search the contents of generic spool
## directories (/var/spool).
## </summary>
-@@ -5494,12 +5994,15 @@
+@@ -5494,12 +6012,15 @@
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -10334,7 +10534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
')
-@@ -5520,3 +6023,229 @@
+@@ -5520,3 +6041,229 @@
typeattribute $1 files_unconfined_type;
')
@@ -10621,7 +10821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-09-02 13:53:43.031083801 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-09-09 13:45:53.856085155 +0200
@@ -559,6 +559,24 @@
########################################
@@ -10660,10 +10860,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
- allow $1 cifs_t:filesystem getattr;
--')
--
--########################################
--## <summary>
++ allow $1 cgroup_t:filesystem getattr;
+ ')
+
+ ########################################
+ ## <summary>
-## list dirs on cgroup
-## file systems.
-## </summary>
@@ -10680,11 +10881,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
- ')
-
- list_dirs_pattern($1, cgroup_t, cgroup_t)
-+ allow $1 cgroup_t:filesystem getattr;
- ')
-
- ########################################
- ## <summary>
+-')
+-
+-########################################
+-## <summary>
-## Do not audit attempts to read
-## dirs on a CIFS or SMB filesystem.
+## list dirs on cgroup
@@ -10861,7 +11061,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Read and write hugetlbfs files.
## </summary>
## <param name="domain">
-@@ -1899,6 +2009,7 @@
+@@ -1847,6 +1957,24 @@
+ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ ')
+
++#######################################
++## <summary>
++## Manage hugetlbfs dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_manage_hugetlbfs_dirs',`
++ gen_require(`
++ type hugetlbfs_t;
++ ')
++
++ manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Allow the type to associate to hugetlbfs filesystems.
+@@ -1899,6 +2027,7 @@
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -10869,7 +11094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
########################################
-@@ -2295,6 +2406,25 @@
+@@ -2295,6 +2424,25 @@
########################################
## <summary>
@@ -10895,7 +11120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Append files
## on a NFS filesystem.
## </summary>
-@@ -2349,7 +2479,7 @@
+@@ -2349,7 +2497,7 @@
type nfs_t;
')
@@ -10904,7 +11129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
########################################
-@@ -2537,6 +2667,24 @@
+@@ -2537,6 +2685,24 @@
########################################
## <summary>
@@ -10929,7 +11154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Read removable storage symbolic links.
## </summary>
## <param name="domain">
-@@ -2745,7 +2893,7 @@
+@@ -2745,7 +2911,7 @@
#########################################
## <summary>
## Create, read, write, and delete symbolic links
@@ -10938,7 +11163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## </summary>
## <param name="domain">
## <summary>
-@@ -3812,6 +3960,24 @@
+@@ -3812,6 +3978,24 @@
rw_files_pattern($1, tmpfs_t, tmpfs_t)
')
@@ -10963,7 +11188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
########################################
## <summary>
## Read tmpfs link files.
-@@ -3870,6 +4036,24 @@
+@@ -3870,6 +4054,24 @@
########################################
## <summary>
@@ -10988,7 +11213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4432,6 +4616,44 @@
+@@ -4432,6 +4634,44 @@
########################################
## <summary>
@@ -11033,7 +11258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Do not audit attempts to get the attributes
## of all files with a filesystem type.
## </summary>
-@@ -4549,3 +4771,24 @@
+@@ -4549,3 +4789,24 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
@@ -12154,8 +12379,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.19/policy/modules/roles/unconfineduser.if
--- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.if 2010-05-28 09:42:00.048612487 +0200
-@@ -0,0 +1,667 @@
++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.if 2010-09-09 11:07:14.850085218 +0200
+@@ -0,0 +1,687 @@
+## <summary>Unconfiend user role</summary>
+
+########################################
@@ -12823,10 +13048,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
+ allow $1 unconfined_r;
+')
++
++#######################################
++## <summary>
++## Allow domain to attach to TUN devices created by unconfined_t users.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`unconfined_attach_tun_iface',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:tun_socket relabelfrom;
++ allow $1 self:tun_socket relabelto;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-08-13 07:30:50.833085376 +0200
-@@ -0,0 +1,444 @@
++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-09-09 14:20:14.370335617 +0200
+@@ -0,0 +1,455 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -12856,6 +13101,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+## </desc>
+gen_tunable(allow_unconfined_qemu_transition, false)
+
++## <desc>
++## <p>
++## Ignore wine mmap_zero errors
++## </p>
++## </desc>
++gen_tunable(unconfined_mmap_zero_ignore, false)
++
+# usage in this module of types created by these
+# calls is not correct, however we dont currently
+# have another method to add access to these types
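Review bot: The new `gen_tunable(unconfined_mmap_zero_ignore, false)` is declared here but nothing in the visible hunks reads it; the `tunable_policy` added to unconfineduser.te in the next hunk (`++tunable_policy(`wine_mmap_zero_ignore',`) keys off the wine module's boolean instead, so toggling the boolean this module advertises has no effect and the dontaudit depends on a boolean owned by another module. Presumably the intended line is `tunable_policy(`unconfined_mmap_zero_ignore',`. The copied description `## Ignore wine mmap_zero errors` should also describe this boolean rather than wine's, e.g. `## Ignore mmap_zero errors for unconfined users`.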
@@ -12945,6 +13197,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+ allow unconfined_t unconfined_login_domain:process sigchld;
+')
+
++tunable_policy(`wine_mmap_zero_ignore',`
++ dontaudit unconfined_usertype self:memprotect mmap_zero;
++')
++
+optional_policy(`
+ gen_require(`
+ attribute unconfined_usertype;
@@ -14584,7 +14840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.19/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-08-25 09:32:04.821085078 +0200
++++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-09-09 13:49:57.498085155 +0200
@@ -13,17 +13,13 @@
#
template(`apache_content_template',`
@@ -14605,7 +14861,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
files_type(httpd_$1_content_t)
-@@ -41,11 +37,11 @@
+@@ -36,16 +32,18 @@
+ domain_type(httpd_$1_script_t)
+ role system_r types httpd_$1_script_t;
+
++ search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)
++
+ # This type is used for executable scripts files
+ type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
corecmd_shell_entry_type(httpd_$1_script_t)
domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
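Review bot: The added `search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)` is an access rule dropped into the middle of the template's declarations, between `domain_type(httpd_$1_script_t)` and the `type httpd_$1_script_exec_t` line, where the rest of the file keeps declarations and rules apart; moving it down into the rules section would keep the template readable. It also hard-codes `httpd_sys_content_t` into a template instantiated for every content prefix, so each `httpd_<prefix>_script_t` gains search on the sys content tree, which looks intended but deserves a one-line why-comment such as `# scripts of every prefix must traverse the sys content tree to reach their exec dirs`. apache_content_template starts before and continues after this hunk.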
@@ -14619,7 +14882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
files_type(httpd_$1_ra_content_t)
-@@ -54,7 +50,7 @@
+@@ -54,7 +52,7 @@
domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
@@ -14628,7 +14891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
allow httpd_$1_script_t self:fifo_file rw_file_perms;
allow httpd_$1_script_t self:unix_stream_socket connectto;
-@@ -86,7 +82,6 @@
+@@ -86,7 +84,6 @@
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
@@ -14636,7 +14899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
-@@ -95,6 +90,7 @@
+@@ -95,6 +92,7 @@
dev_read_urand(httpd_$1_script_t)
corecmd_exec_all_executables(httpd_$1_script_t)
@@ -14644,7 +14907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_exec_etc_files(httpd_$1_script_t)
files_read_etc_files(httpd_$1_script_t)
-@@ -108,19 +104,6 @@
+@@ -108,19 +106,6 @@
seutil_dontaudit_search_config(httpd_$1_script_t)
@@ -14664,7 +14927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-@@ -140,6 +123,7 @@
+@@ -140,6 +125,7 @@
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
@@ -14672,7 +14935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_cgi',`
-@@ -148,14 +132,19 @@
+@@ -148,14 +134,19 @@
# privileged users run the script:
domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
@@ -14692,7 +14955,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
allow httpd_$1_script_t httpd_t:fd use;
allow httpd_$1_script_t httpd_t:process sigchld;
-@@ -172,6 +161,7 @@
+@@ -172,6 +163,7 @@
libs_read_lib_files(httpd_$1_script_t)
miscfiles_read_localization(httpd_$1_script_t)
@@ -14700,7 +14963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -182,15 +172,13 @@
+@@ -182,15 +174,13 @@
optional_policy(`
postgresql_unpriv_client(httpd_$1_script_t)
@@ -14718,7 +14981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -229,6 +217,13 @@
+@@ -229,6 +219,13 @@
relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
@@ -14732,7 +14995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-@@ -312,6 +307,25 @@
+@@ -312,6 +309,25 @@
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
@@ -14758,7 +15021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
#######################################
## <summary>
## Send a generic signal to apache.
-@@ -400,7 +414,7 @@
+@@ -400,7 +416,7 @@
type httpd_t;
')
@@ -14767,7 +15030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -526,6 +540,25 @@
+@@ -526,6 +542,25 @@
########################################
## <summary>
## Allow the specified domain to delete
@@ -14793,7 +15056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Apache cache.
## </summary>
## <param name="domain">
-@@ -756,6 +789,28 @@
+@@ -756,6 +791,28 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -14822,7 +15085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -814,6 +869,7 @@
+@@ -814,6 +871,7 @@
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -14830,7 +15093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_search_var($1)
')
-@@ -836,11 +892,62 @@
+@@ -836,11 +894,62 @@
')
files_search_var($1)
@@ -14893,7 +15156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
## <summary>
## Execute all web scripts in the system
-@@ -858,6 +965,11 @@
+@@ -858,6 +967,11 @@
gen_require(`
attribute httpdcontent;
type httpd_sys_script_t;
@@ -14905,7 +15168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -945,7 +1057,7 @@
+@@ -945,7 +1059,7 @@
type httpd_squirrelmail_t;
')
@@ -14914,7 +15177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -985,6 +1097,24 @@
+@@ -985,6 +1099,24 @@
allow $1 httpd_sys_content_t:dir search_dir_perms;
')
@@ -14939,7 +15202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
## <summary>
## Read apache system content.
-@@ -1086,6 +1216,25 @@
+@@ -1086,6 +1218,25 @@
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -14965,7 +15228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
## <summary>
## Dontaudit attempts to write
-@@ -1102,7 +1251,7 @@
+@@ -1102,7 +1253,7 @@
type httpd_tmp_t;
')
@@ -14974,7 +15237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -1172,7 +1321,7 @@
+@@ -1172,7 +1323,7 @@
type httpd_modules_t, httpd_lock_t;
type httpd_var_run_t, httpd_php_tmp_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -14983,7 +15246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
allow $1 httpd_t:process { getattr ptrace signal_perms };
-@@ -1202,12 +1351,62 @@
+@@ -1202,12 +1353,62 @@
kernel_search_proc($1)
allow $1 httpd_t:dir list_dir_perms;
@@ -15049,7 +15312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-09-01 12:22:03.915084400 +0200
++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-09-09 13:07:21.400085528 +0200
@@ -19,11 +19,13 @@
# Declarations
#
@@ -15093,7 +15356,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Allow HTTPD scripts and modules to connect to databases over the network.
## </p>
## </desc>
-@@ -72,6 +88,13 @@
+@@ -58,6 +74,13 @@
+
+ ## <desc>
+ ## <p>
++## Allow httpd to connect to memcache server
++## </p>
++## </desc>
++gen_tunable(httpd_can_network_memcache, false)
++
++## <desc>
++## <p>
+ ## Allow httpd to act as a relay
+ ## </p>
+ ## </desc>
+@@ -72,6 +95,13 @@
## <desc>
## <p>
@@ -15107,7 +15384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Allow Apache to communicate with avahi service via dbus
## </p>
## </desc>
-@@ -101,6 +124,20 @@
+@@ -101,6 +131,20 @@
## <desc>
## <p>
@@ -15128,7 +15405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
## </p>
## </desc>
-@@ -108,6 +145,13 @@
+@@ -108,6 +152,13 @@
## <desc>
## <p>
@@ -15142,7 +15419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Unify HTTPD to communicate with the terminal.
## Needed for entering the passphrase for certificates at
## the terminal.
-@@ -131,7 +175,7 @@
+@@ -131,7 +182,7 @@
## <desc>
## <p>
@@ -15151,7 +15428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## </p>
## </desc>
gen_tunable(httpd_use_gpg, false)
-@@ -143,6 +187,13 @@
+@@ -143,6 +194,13 @@
## </desc>
gen_tunable(httpd_use_nfs, false)
@@ -15165,7 +15442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
attribute httpdcontent;
attribute httpd_user_content_type;
-@@ -218,6 +269,10 @@
+@@ -218,6 +276,10 @@
# setup the system domain for system CGI scripts
apache_content_template(sys)
@@ -15176,7 +15453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -226,6 +281,10 @@
+@@ -226,6 +288,10 @@
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
@@ -15187,7 +15464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +292,7 @@
+@@ -233,6 +299,7 @@
userdom_user_home_content(httpd_user_rw_content_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -15195,7 +15472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -286,6 +346,7 @@
+@@ -286,6 +353,7 @@
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
@@ -15203,7 +15480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -355,6 +416,7 @@
+@@ -355,6 +423,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -15211,7 +15488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,8 +427,10 @@
+@@ -365,8 +434,10 @@
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -15222,7 +15499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
corenet_sendrecv_http_server_packets(httpd_t)
# Signal self for shutdown
corenet_tcp_connect_http_port(httpd_t)
-@@ -378,12 +442,12 @@
+@@ -378,12 +449,12 @@
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -15238,7 +15515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
domain_use_interactive_fds(httpd_t)
-@@ -402,6 +466,10 @@
+@@ -402,6 +473,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -15249,7 +15526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
libs_read_lib_files(httpd_t)
-@@ -420,12 +488,23 @@
+@@ -420,12 +495,23 @@
miscfiles_manage_public_files(httpd_t)
')
@@ -15275,7 +15552,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -439,6 +518,7 @@
+@@ -433,12 +519,17 @@
+ corenet_tcp_connect_all_ports(httpd_t)
+ ')
+
++tunable_policy(`httpd_can_network_memcache',`
++ corenet_tcp_connect_memcache_port(httpd_t)
++')
++
+ tunable_policy(`httpd_can_network_relay',`
+ # allow httpd to work as a relay
+ corenet_tcp_connect_gopher_port(httpd_t)
corenet_tcp_connect_ftp_port(httpd_t)
corenet_tcp_connect_http_port(httpd_t)
corenet_tcp_connect_http_cache_port(httpd_t)
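Review bot: The new httpd_can_network_memcache block grants only `corenet_tcp_connect_memcache_port(httpd_t)`, while the neighbouring tunable blocks pair each connect with the matching `corenet_sendrecv_*_client_packets` call (the relay block that follows does so for gopher and ftp), so with labeled networking in use the connection would still be denied at the packet level; add `corenet_sendrecv_memcache_client_packets(httpd_t)` to the block. The relay block also already contains corenet_tcp_connect_memcache_port, so httpd_can_network_relay remains a superset of the new boolean — worth a one-line comment on the tunable so the two are not read as independent.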
@@ -15283,7 +15570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
corenet_tcp_connect_memcache_port(httpd_t)
corenet_sendrecv_gopher_client_packets(httpd_t)
corenet_sendrecv_ftp_client_packets(httpd_t)
-@@ -446,6 +526,16 @@
+@@ -446,6 +537,16 @@
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
@@ -15300,7 +15587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
')
-@@ -456,6 +546,10 @@
+@@ -456,6 +557,10 @@
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -15311,7 +15598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -470,11 +564,25 @@
+@@ -470,11 +575,25 @@
userdom_read_user_home_content_files(httpd_t)
')
@@ -15337,7 +15624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,9 +592,22 @@
+@@ -484,9 +603,22 @@
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -15360,7 +15647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -500,8 +621,13 @@
+@@ -500,8 +632,13 @@
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
userdom_use_user_terminals(httpd_t)
@@ -15374,7 +15661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -514,6 +640,9 @@
+@@ -514,6 +651,9 @@
optional_policy(`
cobbler_search_lib(httpd_t)
@@ -15384,7 +15671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -528,7 +657,7 @@
+@@ -528,7 +668,7 @@
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -15393,7 +15680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +666,12 @@
+@@ -537,8 +677,12 @@
')
optional_policy(`
@@ -15407,7 +15694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -557,6 +690,7 @@
+@@ -557,6 +701,7 @@
optional_policy(`
# Allow httpd to work with mysql
@@ -15415,7 +15702,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +701,7 @@
+@@ -567,6 +712,7 @@
optional_policy(`
nagios_read_config(httpd_t)
@@ -15423,7 +15710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -577,12 +712,23 @@
+@@ -577,12 +723,23 @@
')
optional_policy(`
@@ -15447,7 +15734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -591,6 +737,11 @@
+@@ -591,6 +748,11 @@
')
optional_policy(`
@@ -15459,7 +15746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -618,6 +769,10 @@
+@@ -618,6 +780,10 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -15470,7 +15757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -699,17 +854,18 @@
+@@ -699,17 +865,18 @@
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -15492,7 +15779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +896,21 @@
+@@ -740,10 +907,21 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -15515,7 +15802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +936,12 @@
+@@ -769,6 +947,12 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -15528,7 +15815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
-@@ -792,9 +965,13 @@
+@@ -792,9 +976,13 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -15542,7 +15829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,6 +980,28 @@
+@@ -803,6 +991,28 @@
mta_send_mail(httpd_sys_script_t)
')
@@ -15571,7 +15858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -830,6 +1029,16 @@
+@@ -830,6 +1040,16 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -15588,7 +15875,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,6 +1051,7 @@
+@@ -842,6 +1062,7 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -15596,7 +15883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -891,11 +1101,33 @@
+@@ -891,11 +1112,33 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -15614,7 +15901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ userdom_search_user_home_content(httpd_t)
+ userdom_search_user_home_content(httpd_suexec_t)
+ userdom_search_user_home_content(httpd_user_script_t)
-+')
+ ')
+
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_user_script_t)
@@ -15623,7 +15910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
+tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',`
+ userdom_read_user_home_content_files(httpd_t)
- ')
++')
+
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
@@ -17419,7 +17706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.19/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-08-18 14:20:22.831085034 +0200
++++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-09-09 11:18:18.035085273 +0200
@@ -1,6 +1,13 @@
policy_module(clamav, 1.7.1)
@@ -17450,16 +17737,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
# log files
manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
-@@ -170,6 +179,8 @@
- allow freshclam_t clamd_var_log_t:dir search_dir_perms;
+@@ -167,9 +176,15 @@
+ # log files (own logfiles only)
+ manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
+ allow freshclam_t freshclam_var_log_t:dir setattr;
+-allow freshclam_t clamd_var_log_t:dir search_dir_perms;
++read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
+kernel_read_kernel_sysctls(freshclam_t)
++kernel_read_system_state(freshclam_t)
++
++corecmd_exec_shell(freshclam_t)
++corecmd_exec_bin(freshclam_t)
+
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -177,8 +188,11 @@
+@@ -177,8 +192,11 @@
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
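Review bot: `corecmd_exec_shell(freshclam_t)` and `corecmd_exec_bin(freshclam_t)` let a network-facing updater run a shell and any bin_t program, with no comment on why; if this is for the freshclam.conf OnUpdateExecute/OnErrorExecute/OnOutdatedExecute/NotifyClamd hooks, say so with `# freshclam.conf On*Execute/NotifyClamd hooks run shell commands` and consider gating it behind a tunable as the apache module does for comparable broadening. The context comment `# log files (own logfiles only)` just above is also no longer accurate once `read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)` replaces the dir-search-only rule; add `# plus read access to clamd's log` next to the new line or reword that comment.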
@@ -17471,7 +17766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
dev_read_rand(freshclam_t)
dev_read_urand(freshclam_t)
-@@ -189,14 +203,24 @@
+@@ -189,14 +207,24 @@
auth_use_nsswitch(freshclam_t)
@@ -17496,7 +17791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
########################################
#
# clamscam local policy
-@@ -231,6 +255,7 @@
+@@ -231,6 +259,7 @@
corenet_tcp_connect_clamd_port(clamscan_t)
kernel_read_kernel_sysctls(clamscan_t)
@@ -17504,7 +17799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
-@@ -246,6 +271,14 @@
+@@ -246,6 +275,14 @@
mta_send_mail(clamscan_t)
@@ -20425,7 +20720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-08-24 14:32:28.482083467 +0200
++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-09-09 10:57:08.707085315 +0200
@@ -9,6 +9,9 @@
type dovecot_exec_t;
init_daemon_domain(dovecot_t, dovecot_exec_t)
@@ -20560,7 +20855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
postfix_search_spool(dovecot_auth_t)
')
-@@ -234,18 +260,28 @@
+@@ -234,18 +260,30 @@
#
allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
@@ -20570,6 +20865,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+allow dovecot_deliver_t dovecot_var_log_t:dir search_dir_perms;
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
++append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
++
+allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
+
+can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
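Review bot: `append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)` already expands to search on the dovecot_var_log_t directory plus append on its files, so the `allow dovecot_deliver_t dovecot_var_log_t:dir search_dir_perms;` line two lines above it is now redundant and can be dropped. Append-only rather than manage is the right scope for a delivery agent writing to the shared log.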
@@ -20589,7 +20886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
miscfiles_read_localization(dovecot_deliver_t)
-@@ -263,15 +299,24 @@
+@@ -263,15 +301,24 @@
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
tunable_policy(`use_nfs_home_dirs',`
@@ -22093,8 +22390,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
# Local hald dccm policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.19/policy/modules/services/icecast.te
--- nsaserefpolicy/policy/modules/services/icecast.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/icecast.te 2010-08-30 20:14:45.201335228 +0200
-@@ -38,7 +38,10 @@
++++ serefpolicy-3.7.19/policy/modules/services/icecast.te 2010-09-09 12:23:45.726084993 +0200
+@@ -6,6 +6,14 @@
+ # Declarations
+ #
+
++## <desc>
++## <p>
++## Allow icecast to connect to all ports, not just
++## sound ports.
++## </p>
++## </desc>
++gen_tunable(icecast_connect_any, false)
++
+ type icecast_t;
+ type icecast_exec_t;
+ init_daemon_domain(icecast_t, icecast_exec_t)
+@@ -38,7 +46,16 @@
manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
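Review bot: The new icecast_connect_any description says the boolean lets icecast connect to all ports, but the tunable_policy block in the `@@ -22102` hunk below also grants `corenet_tcp_bind_all_ports(icecast_t)` and `corenet_sendrecv_all_packets(icecast_t)`, i.e. listening on any port as well. Either the description should state that (`## Allow icecast to connect to and bind any port, not just sound ports.`) or the bind should be dropped if only outbound source/relay connections are meant; an administrator enabling a boolean named connect_any would not expect it to permit arbitrary listeners.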
@@ -22102,10 +22414,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec
+
corenet_tcp_bind_soundd_port(icecast_t)
+corenet_tcp_connect_soundd_port(icecast_t)
++
++tunable_policy(`icecast_connect_any',`
++ corenet_tcp_connect_all_ports(icecast_t)
++ corenet_tcp_bind_all_ports(icecast_t)
++ corenet_sendrecv_all_packets(icecast_t)
++')
# Init script handling
domain_use_interactive_fds(icecast_t)
-@@ -52,5 +55,9 @@
+@@ -52,5 +69,9 @@
sysnet_dns_name_resolve(icecast_t)
optional_policy(`
@@ -22799,9 +23117,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc
')
allow $1 memcached_t:process { ptrace signal_perms };
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.7.19/policy/modules/services/milter.fc
+--- nsaserefpolicy/policy/modules/services/milter.fc 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/milter.fc 2010-09-09 10:52:57.640084901 +0200
+@@ -1,3 +1,6 @@
++/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
++
++/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+ /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+ /usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+ /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+@@ -5,6 +8,7 @@
+ /var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+ /var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
+
++/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ /var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+ /var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
+ /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.7.19/policy/modules/services/milter.if
--- nsaserefpolicy/policy/modules/services/milter.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/milter.if 2010-05-28 09:42:00.123612272 +0200
++++ serefpolicy-3.7.19/policy/modules/services/milter.if 2010-09-09 10:52:57.640084901 +0200
@@ -37,6 +37,8 @@
files_read_etc_files($1_milter_t)
@@ -22836,10 +23172,71 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt
## Manage spamassassin milter state
## </summary>
## <param name="domain">
+@@ -100,3 +120,22 @@
+ manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+ manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+ ')
++
++#######################################
++## <summary>
++## Delete dkim-milter PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`milter_delete_dkim_pid_files',`
++ gen_require(`
++ type dkim_milter_data_t;
++ ')
++
++ files_search_pids($1)
++ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.7.19/policy/modules/services/milter.te
--- nsaserefpolicy/policy/modules/services/milter.te 2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/milter.te 2010-05-28 09:42:00.123612272 +0200
-@@ -81,13 +81,11 @@
++++ serefpolicy-3.7.19/policy/modules/services/milter.te 2010-09-09 10:52:57.643085262 +0200
+@@ -10,6 +10,13 @@
+ attribute milter_domains;
+ attribute milter_data_type;
+
++# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter
++milter_template(dkim)
++
++# type for the private key of dkim-milter
++type dkim_milter_private_key_t;
++files_type(dkim_milter_private_key_t)
++
+ # currently-supported milters are milter-greylist, milter-regex and spamass-milter
+ milter_template(greylist)
+ milter_template(regex)
+@@ -21,6 +28,23 @@
+ type spamass_milter_state_t;
+ files_type(spamass_milter_state_t)
+
++#######################################
++#
++# dkim-milter local policy
++#
++
++allow dkim_milter_t self:capability { kill setgid setuid };
++
++allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
++
++read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
++
++auth_use_nsswitch(dkim_milter_t)
++
++sysnet_dns_name_resolve(dkim_milter_t)
++
++mta_read_config(dkim_milter_t)
++
+ ########################################
+ #
+ # milter-greylist local policy
+@@ -81,13 +105,11 @@
allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
files_search_var_lib(spamass_milter_t)
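Review bot: `allow dkim_milter_t self:capability { kill setgid setuid };` grants the kill capability with no explanation; setuid/setgid fit a daemon dropping privileges after start, but kill (signalling processes of other UIDs) is unusual for a milter and deserves a why-comment such as `# kill: TODO confirm which process dkim-filter signals`, or removal if no denial actually needs it. The read-only `read_files_pattern` on dkim_milter_private_key_t is the right scope, and a short comment that the key type is intentionally never writable by the milter would document that. Minor: `domainKeys` in the header comment should read `DomainKeys`.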
@@ -23339,7 +23736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.19/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/mta.if 2010-08-17 15:07:58.255085184 +0200
++++ serefpolicy-3.7.19/policy/modules/services/mta.if 2010-09-09 11:00:37.517335104 +0200
@@ -144,6 +144,30 @@
')
')
@@ -23468,7 +23865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
########################################
-@@ -390,12 +478,15 @@
+@@ -390,12 +478,51 @@
#
interface(`mta_sendmail_domtrans',`
gen_require(`
@@ -23485,10 +23882,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
+
+ allow $2 mta_exec_type:file entrypoint;
+ domtrans_pattern($1, mta_exec_type, $2)
++')
++
++#######################################
++## <summary>
++## Send system mail client a signal
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mta_signal_system_mail',`
++ gen_require(`
++ type system_mail_t;
++ ')
++
++ allow $1 system_mail_t:process signal;
++')
++
++#######################################
++## <summary>
++## Send system mail client a kill signal
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mta_kill_system_mail',`
++ gen_require(`
++ type system_mail_t;
++ ')
++
++ allow $1 system_mail_t:process sigkill;
')
########################################
-@@ -454,7 +545,8 @@
+@@ -454,7 +581,8 @@
type etc_mail_t;
')
@@ -23498,7 +23931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
########################################
-@@ -678,7 +770,7 @@
+@@ -678,7 +806,7 @@
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
allow $1 mail_spool_t:file setattr;
@@ -23507,7 +23940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -765,6 +857,25 @@
+@@ -765,6 +893,25 @@
#######################################
## <summary>
@@ -24420,7 +24853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.19/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/nagios.te 2010-06-03 14:19:20.251161230 +0200
++++ serefpolicy-3.7.19/policy/modules/services/nagios.te 2010-09-09 11:00:52.622085022 +0200
@@ -6,17 +6,23 @@
# Declarations
#
@@ -24540,8 +24973,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
auth_use_nsswitch(nagios_t)
logging_send_syslog_msg(nagios_t)
-@@ -105,10 +157,9 @@
+@@ -103,12 +155,13 @@
+ userdom_dontaudit_search_user_home_dirs(nagios_t)
+
mta_send_mail(nagios_t)
++mta_kill_system_mail(nagios_t)
++mta_signal_system_mail(nagios_t)
optional_policy(`
- netutils_domtrans_ping(nagios_t)
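Review bot: `mta_kill_system_mail(nagios_t)` and `mta_signal_system_mail(nagios_t)` are added without a comment on why nagios must signal and SIGKILL the mail client it spawns via mta_send_mail; presumably this is the notification-command timeout, and a line such as `# nagios terminates notification mailers that exceed its command timeout — TODO confirm` would keep the next reader from pruning the rules. sigkill is the stronger of the two grants; if a plain signal suffices in practice, keeping only mta_signal_system_mail is the tighter choice.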
@@ -24553,7 +24990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
optional_policy(`
seutil_sigchld_newrole(nagios_t)
-@@ -118,61 +169,63 @@
+@@ -118,61 +171,63 @@
udev_read_db(nagios_t)
')
@@ -24649,7 +25086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
kernel_read_system_state(nrpe_t)
kernel_read_kernel_sysctls(nrpe_t)
-@@ -183,11 +236,15 @@
+@@ -183,11 +238,15 @@
dev_read_urand(nrpe_t)
domain_use_interactive_fds(nrpe_t)
@@ -24665,7 +25102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
logging_send_syslog_msg(nrpe_t)
miscfiles_read_localization(nrpe_t)
-@@ -199,6 +256,11 @@
+@@ -199,6 +258,11 @@
')
optional_policy(`
@@ -24677,7 +25114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
seutil_sigchld_newrole(nrpe_t)
')
-@@ -209,3 +271,151 @@
+@@ -209,3 +273,151 @@
optional_policy(`
udev_read_db(nrpe_t)
')
@@ -25013,7 +25450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.19/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2010-06-28 17:38:00.689150486 +0200
++++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2010-09-09 10:04:37.547084791 +0200
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
@@ -25162,25 +25599,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-@@ -142,12 +182,29 @@
+@@ -142,12 +182,31 @@
')
optional_policy(`
- consoletype_exec(NetworkManager_t)
+ consoletype_domtrans(NetworkManager_t)
- ')
-
- optional_policy(`
-- dbus_system_bus_client(NetworkManager_t)
-- dbus_connect_system_bus(NetworkManager_t)
++')
++
++optional_policy(`
+ dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
+
++ init_dbus_chat(NetworkManager_t)
++
+ optional_policy(`
+ consolekit_dbus_chat(NetworkManager_t)
+ ')
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- dbus_system_bus_client(NetworkManager_t)
+- dbus_connect_system_bus(NetworkManager_t)
+ dnsmasq_read_pid_files(NetworkManager_t)
+ dnsmasq_delete_pid_files(NetworkManager_t)
+ dnsmasq_domtrans(NetworkManager_t)
@@ -25195,7 +25634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-@@ -155,23 +212,58 @@
+@@ -155,23 +214,58 @@
')
optional_policy(`
@@ -25229,17 +25668,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+ openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
+ openvpn_signull(NetworkManager_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(NetworkManager_t)
+ policykit_domtrans_auth(NetworkManager_t)
+ policykit_read_lib(NetworkManager_t)
+ policykit_read_reload(NetworkManager_t)
+ userdom_read_all_users_state(NetworkManager_t)
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
+ ppp_initrc_domtrans(NetworkManager_t)
ppp_domtrans(NetworkManager_t)
- ppp_read_pid_files(NetworkManager_t)
@@ -25257,7 +25696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-@@ -179,12 +271,16 @@
+@@ -179,12 +273,16 @@
')
optional_policy(`
@@ -26218,7 +26657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oide
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.19/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/openvpn.te 2010-08-13 08:05:55.420085199 +0200
++++ serefpolicy-3.7.19/policy/modules/services/openvpn.te 2010-09-09 11:14:32.048085808 +0200
@@ -25,6 +25,9 @@
type openvpn_etc_rw_t;
files_config_file(openvpn_etc_rw_t)
@@ -26229,6 +26668,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
type openvpn_initrc_exec_t;
init_script_file(openvpn_initrc_exec_t)
+@@ -49,7 +52,7 @@
+ allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow openvpn_t self:udp_socket create_socket_perms;
+ allow openvpn_t self:tcp_socket server_stream_socket_perms;
+-allow openvpn_t self:tun_socket create;
++allow openvpn_t self:tun_socket { create relabelfrom };
+ allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
+
+ can_exec(openvpn_t, openvpn_etc_t)
@@ -59,6 +62,9 @@
manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
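Review bot: `allow openvpn_t self:tun_socket { create relabelfrom };` adds a relabel permission on the tun socket without a comment saying what it enables, and the companion `unconfined_attach_tun_iface(openvpn_t)` added in the later openvpn.te hunk is equally uncommented. The two presumably belong together (relabelfrom on the created tun socket lets the interface be taken over by the other domain named in that interface), so one comment on the allow line would let a maintainer see the pairing: `# relabelfrom: the tun device openvpn creates may be handed to another domain (see unconfined_attach_tun_iface below)`. If the hand-over is only needed for persistent tun devices, that condition is worth stating in the comment too.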
@@ -26265,6 +26713,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
tunable_policy(`openvpn_enable_homedirs',`
userdom_read_user_home_content_files(openvpn_t)
+@@ -139,3 +150,7 @@
+
+ networkmanager_dbus_chat(openvpn_t)
+ ')
++
++optional_policy(`
++ unconfined_attach_tun_iface(openvpn_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.7.19/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/pcscd.te 2010-08-17 15:11:28.402085340 +0200
@@ -26562,8 +27018,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.te serefpolicy-3.7.19/policy/modules/services/piranha.te
--- nsaserefpolicy/policy/modules/services/piranha.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/piranha.te 2010-08-09 14:39:37.318084747 +0200
-@@ -0,0 +1,226 @@
++++ serefpolicy-3.7.19/policy/modules/services/piranha.te 2010-09-09 13:14:39.486084912 +0200
+@@ -0,0 +1,230 @@
+
+policy_module(piranha,1.0.0)
+
@@ -26691,6 +27147,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+')
+
+optional_policy(`
++ gnome_dontaudit_search_config(piranha_web_t)
++')
++
++optional_policy(`
+ sasl_connect(piranha_web_t)
+')
+
@@ -27361,7 +27821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.19/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/policykit.te 2010-05-28 09:42:00.153610624 +0200
++++ serefpolicy-3.7.19/policy/modules/services/policykit.te 2010-09-09 11:05:30.401085346 +0200
@@ -25,6 +25,9 @@
type policykit_reload_t alias polkit_reload_t;
files_type(policykit_reload_t)
@@ -27438,7 +27898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
-allow policykit_auth_t self:capability setgid;
-allow policykit_auth_t self:process getattr;
-allow policykit_auth_t self:fifo_file rw_file_perms;
-+allow policykit_auth_t self:capability { setgid setuid };
++allow policykit_auth_t self:capability { ipc_lock setgid setuid };
+dontaudit policykit_auth_t self:capability sys_tty_config;
+allow policykit_auth_t self:process { getattr getsched signal };
+allow policykit_auth_t self:fifo_file rw_fifo_file_perms;
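Review bot: `ipc_lock` is added to policykit_auth_t's capability set with no comment, and unlike `setgid setuid` its purpose is not self-evident in an authentication agent. If it is there so the agent can mlock() pages holding passwords (the usual reason, but not shown in the hunk), a one-line comment `# ipc_lock: mlock() memory holding authentication secrets` on the allow line records that, and makes a future widening of the set easier to review. The surrounding policykit_auth_t block continues outside the hunk.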
@@ -31092,6 +31552,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki
+optional_policy(`
policykit_dbus_chat(rtkit_daemon_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.te serefpolicy-3.7.19/policy/modules/services/rwho.te
+--- nsaserefpolicy/policy/modules/services/rwho.te 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/rwho.te 2010-09-09 13:17:41.097085184 +0200
+@@ -56,6 +56,8 @@
+ init_read_utmp(rwho_t)
+ init_dontaudit_write_utmp(rwho_t)
+
++logging_send_syslog_msg(rwho_t)
++
+ miscfiles_read_localization(rwho_t)
+
+ sysnet_dns_name_resolve(rwho_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.19/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/samba.fc 2010-08-10 16:58:12.349085082 +0200
@@ -33866,7 +34338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-08-10 16:18:48.565085270 +0200
++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-09-09 13:45:21.039085272 +0200
@@ -1,5 +1,5 @@
-policy_module(virt, 1.3.2)
@@ -33874,7 +34346,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
########################################
#
-@@ -51,12 +51,12 @@
+@@ -43,6 +43,13 @@
+
+ ## <desc>
+ ## <p>
++## Allow virtual machine to interact with the xserver
++## </p>
++## </desc>
++gen_tunable(virt_use_xserver, false)
++
++## <desc>
++## <p>
+ ## Allow virt to use usb devices
+ ## </p>
+ ## </desc>
+@@ -51,12 +58,12 @@
virt_domain_template(svirt)
role system_r types svirt_t;
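Review bot: The `<desc>` text for the new `virt_use_xserver` tunable, "Allow virtual machine to interact with the xserver", is vaguer than what the tunable actually grants; the matching `tunable_policy` block later in this file only calls `xserver_stream_connect(svirt_t)`. Since the description is what setsebool/semanage show administrators, it should name the subject and the access: `## Allow confined virtual machine processes (svirt_t) to connect to the X server`. The default of `false` in the `gen_tunable` line is consistent with the rest of the virt_use_* booleans declared around it.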
@@ -33890,7 +34376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
type virt_etc_t;
files_config_file(virt_etc_t)
-@@ -66,20 +66,26 @@
+@@ -66,20 +73,26 @@
# virt Image files
type virt_image_t; # customizable
virt_image(virt_image_t)
@@ -33917,7 +34403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
type virtd_t;
type virtd_exec_t;
-@@ -90,6 +96,11 @@
+@@ -90,6 +103,11 @@
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
@@ -33929,7 +34415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -105,10 +116,6 @@
+@@ -105,15 +123,12 @@
allow svirt_t self:udp_socket create_socket_perms;
@@ -33940,7 +34426,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
allow svirt_t svirt_image_t:dir search_dir_perms;
-@@ -148,11 +155,13 @@
+ manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
+ manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
++manage_fifo_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
+ fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
+
+ list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
+@@ -148,11 +163,13 @@
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
@@ -33954,7 +34446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
tunable_policy(`virt_use_sysfs',`
-@@ -161,6 +170,7 @@
+@@ -161,11 +178,18 @@
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(svirt_t)
@@ -33962,7 +34454,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
fs_manage_dos_dirs(svirt_t)
fs_manage_dos_files(svirt_t)
')
-@@ -179,22 +189,30 @@
+
+ optional_policy(`
++ tunable_policy(`virt_use_xserver',`
++ xserver_stream_connect(svirt_t)
++ ')
++')
++
++optional_policy(`
+ xen_rw_image_files(svirt_t)
+ ')
+
+@@ -179,22 +203,30 @@
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -33996,7 +34499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -205,9 +223,15 @@
+@@ -205,9 +237,15 @@
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -34012,7 +34515,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
-@@ -248,18 +272,25 @@
+@@ -225,6 +263,7 @@
+ kernel_read_system_state(virtd_t)
+ kernel_read_network_state(virtd_t)
+ kernel_rw_net_sysctls(virtd_t)
++kernel_read_kernel_sysctls(virtd_t)
+ kernel_request_load_module(virtd_t)
+ kernel_search_debugfs(virtd_t)
+
+@@ -248,18 +287,27 @@
dev_rw_kvm(virtd_t)
dev_getattr_all_chr_files(virtd_t)
dev_rw_mtrr(virtd_t)
@@ -34031,7 +34542,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
files_read_kernel_modules(virtd_t)
files_read_usr_src_files(virtd_t)
-files_manage_etc_files(virtd_t)
-+
++files_relabelto_system_conf_files(virtd_t)
++files_relabelfrom_system_conf_files(virtd_t)
++
+# Manages /etc/sysconfig/system-config-firewall
+files_manage_system_conf_files(virtd_t)
+files_manage_system_conf_files(virtd_t)
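Review bot: The two new relabel rules `files_relabelto_system_conf_files(virtd_t)` / `files_relabelfrom_system_conf_files(virtd_t)` are inserted above the existing `# Manages /etc/sysconfig/system-config-firewall` comment, so they read as unrelated to it even though relabel rights on system config files need the same justification as the manage rights below; moving them under the comment (or giving them their own, e.g. `# virtd relabels the firewall config it rewrites`) keeps the explanation attached to the rules. Separately, the context shows `files_manage_system_conf_files(virtd_t)` twice in a row; that duplicate predates this commit but could be dropped while the block is being touched. The virtd_t file-access block continues outside the hunk.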
@@ -34039,10 +34552,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -268,6 +299,15 @@
+@@ -267,6 +315,17 @@
+ fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
-
++fs_manage_hugetlbfs_dirs(virtd_t)
++fs_rw_hugetlbfs_files(virtd_t)
++
+mls_fd_share_all_levels(virtd_t)
+mls_file_read_to_clearance(virtd_t)
+mls_file_write_to_clearance(virtd_t)
@@ -34051,11 +34567,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+mls_socket_write_to_clearance(virtd_t)
+mls_socket_read_to_clearance(virtd_t)
+mls_rangetrans_source(virtd_t)
-+
+
mcs_process_set_categories(virtd_t)
- storage_manage_fixed_disk(virtd_t)
-@@ -291,15 +331,22 @@
+@@ -291,15 +350,24 @@
logging_send_syslog_msg(virtd_t)
@@ -34075,18 +34590,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
userdom_read_user_home_content_files(virtd_t)
+userdom_relabel_user_home_files(virtd_t)
+userdom_setattr_user_home_content_files(virtd_t)
++
++consoletype_exec(virtd_t)
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -370,6 +417,7 @@
+@@ -370,6 +438,8 @@
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
+ qemu_entry_type(virt_domain)
++ qemu_exec(virt_domain)
')
optional_policy(`
-@@ -407,6 +455,19 @@
+@@ -407,6 +477,19 @@
allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
allow virt_domain self:tcp_socket create_stream_socket_perms;
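Review bot: `consoletype_exec(virtd_t)` is added as a bare call after the userdom_* lines, outside any `optional_policy(` block, whereas every other call into a non-base module in this file (qemu_*, xen_*, xserver_*) is wrapped. Unless consoletype is built into the base module in this policy, an unwrapped call makes virt.te fail to link when the consoletype module is absent; wrapping it as `optional_policy(`\n\tconsoletype_exec(virtd_t)\n')` matches the file's convention. The `qemu_exec(virt_domain)` line in the same hunk is correctly placed inside the existing qemu optional block.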
@@ -34106,7 +34624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -427,6 +488,7 @@
+@@ -427,6 +510,7 @@
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@@ -34114,7 +34632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -434,10 +496,12 @@
+@@ -434,10 +518,12 @@
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -34127,7 +34645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -445,6 +509,11 @@
+@@ -445,6 +531,11 @@
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -34139,7 +34657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -462,8 +531,13 @@
+@@ -462,8 +553,13 @@
')
optional_policy(`
@@ -36338,7 +36856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
# /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.19/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-06-15 17:06:19.819626772 +0200
++++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-09-09 13:09:09.505085410 +0200
@@ -193,8 +193,10 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
@@ -36534,7 +37052,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
domtrans_pattern($1, $2, initrc_t)
files_search_etc($1)
')
-@@ -1637,7 +1712,7 @@
+@@ -1335,6 +1410,27 @@
+ allow $1 initrc_t:dbus send_msg;
+ ')
+
++#######################################
++## <summary>
++## Send and receive messages from
++## init over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`init_dbus_chat',`
++ gen_require(`
++ type init_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 init_t:dbus send_msg;
++ allow init_t $1:dbus send_msg;
++')
++
+ ########################################
+ ## <summary>
+ ## Send and receive messages from
+@@ -1637,7 +1733,7 @@
type initrc_var_run_t;
')
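Review bot: The header rule above the new `init_dbus_chat` interface (`#######################################`) appears one column shorter than the `########################################` rule on the neighbouring interface in the same hunk, a small inconsistency that stands out when the file's interfaces are scanned; align it with the existing 40-column rule. The interface body itself is symmetric (`allow $1 init_t:dbus send_msg;` and `allow init_t $1:dbus send_msg;`), so the summary "Send and receive messages from init over dbus" matches what it grants. The same shortened rule shape appears on the `mta_kill_system_mail` header earlier in this patch, whose hunk starts outside this view.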
@@ -36543,7 +37089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
-@@ -1712,3 +1787,56 @@
+@@ -1712,3 +1808,56 @@
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -36602,7 +37148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-08-17 10:58:03.628085191 +0200
++++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-09-09 10:54:48.345085410 +0200
@@ -1,5 +1,5 @@
-policy_module(init, 1.14.2)
@@ -36954,10 +37500,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -695,7 +814,12 @@
+@@ -695,7 +814,13 @@
')
optional_policy(`
++ milter_delete_dkim_pid_files(initrc_t)
+ milter_setattr_all_dirs(initrc_t)
+')
+
@@ -36967,7 +37514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -718,6 +842,10 @@
+@@ -718,6 +843,10 @@
')
optional_policy(`
@@ -36978,7 +37525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -739,6 +867,10 @@
+@@ -739,6 +868,10 @@
')
optional_policy(`
@@ -36989,7 +37536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -760,8 +892,6 @@
+@@ -760,8 +893,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -36998,7 +37545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -770,14 +900,21 @@
+@@ -770,14 +901,21 @@
')
optional_policy(`
@@ -37020,7 +37567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -790,6 +927,7 @@
+@@ -790,6 +928,7 @@
optional_policy(`
udev_rw_db(initrc_t)
@@ -37028,7 +37575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
udev_manage_pid_files(initrc_t)
')
-@@ -798,11 +936,19 @@
+@@ -798,11 +937,19 @@
')
optional_policy(`
@@ -37049,7 +37596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -812,6 +958,25 @@
+@@ -812,6 +959,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -37075,7 +37622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -837,3 +1002,35 @@
+@@ -837,3 +1003,35 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -37440,7 +37987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.19/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/iptables.te 2010-07-13 08:49:55.484502545 +0200
++++ serefpolicy-3.7.19/policy/modules/system/iptables.te 2010-09-09 13:43:36.973085060 +0200
@@ -14,9 +14,6 @@
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
@@ -37530,6 +38077,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
')
optional_policy(`
+@@ -124,6 +139,7 @@
+ ')
+
+ optional_policy(`
++ shorewall_read_tmp_files(iptables_t)
+ shorewall_rw_lib_files(iptables_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.7.19/policy/modules/system/iscsi.if
--- nsaserefpolicy/policy/modules/system/iscsi.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/iscsi.if 2010-05-28 09:42:00.221610567 +0200
@@ -41473,8 +42028,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.19/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.fc 2010-06-28 14:07:11.693150801 +0200
-@@ -1,4 +1,14 @@
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.fc 2010-09-09 13:46:56.201334848 +0200
+@@ -1,4 +1,15 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
@@ -41486,6 +42041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
+HOME_DIR/local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
++HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
+HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
+HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 414de03..e252a7f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 54%{?dist}
+Release: 55%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,14 @@ exit 0
%endif
%changelog
+* Thu Sep 9 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-55
+- Allow virt domains execute qemu_exec_t
+- Add support for dkim-milter
+- Fixes for freshclam
+- Allow iptables to read shorewall tmp files
+- Add boolean to allow icecast to connect to any port
+- Allow freshclam to execute shell and bin_t
+
* Thu Sep 2 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-54
- Allow clmvd to create tmpfs files