[selinux-policy/f14/master] - Allow foghor to read snmp lib files - Other fixes for foghorn policy - Make sysadm security admin
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Apr 11 11:37:07 UTC 2011
commit bff3b3c8634c68acc3b896f3fcd0347f983ad03f
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Apr 11 13:38:03 2011 +0000
- Allow foghorn to read snmp lib files
- Other fixes for foghorn policy
- Make sysadm security admin
- Fix ssh_sysadm_login boolean
- Fix seunshare interface
- Add allow_sysadm_manage_security boolean
- Add label for /dev/dlm.*
- Allow auditadm_screen_t and secadm_screen_t dac_override capability
- SSH_USE_STRONG_RNG is 1 which requires /dev/random
- Fix auth_rw_faillog definition
- Allow procmail and system_mail_t to use fifo_file passed into it from postfix_master
- Fixes for nslcd policy
- Allow rgmanager to send the kill signal to all users
policy-F14.patch | 389 ++++++++++++++++++++++++++++++++++-----------------
selinux-policy.spec | 17 ++-
2 files changed, 277 insertions(+), 129 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 1035747..40bbee7 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -1005,7 +1005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
+/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.9.7/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-10-12 20:42:51.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/admin/logwatch.te 2011-02-25 17:40:38.964548895 +0000
++++ serefpolicy-3.9.7/policy/modules/admin/logwatch.te 2011-04-11 08:13:10.417000002 +0000
@@ -19,6 +19,9 @@
type logwatch_tmp_t;
files_tmp_file(logwatch_tmp_t)
@@ -1026,7 +1026,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
kernel_read_fs_sysctls(logwatch_t)
kernel_read_kernel_sysctls(logwatch_t)
kernel_read_system_state(logwatch_t)
-@@ -73,6 +79,8 @@
+@@ -58,6 +64,7 @@
+ files_read_var_symlinks(logwatch_t)
+ files_read_etc_files(logwatch_t)
+ files_read_etc_runtime_files(logwatch_t)
++files_read_system_conf_files(logwatch_t)
+ files_read_usr_files(logwatch_t)
+ files_search_spool(logwatch_t)
+ files_search_mnt(logwatch_t)
+@@ -73,6 +80,8 @@
term_dontaudit_getattr_pty_dirs(logwatch_t)
term_dontaudit_list_ptys(logwatch_t)
@@ -1035,7 +1043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
auth_use_nsswitch(logwatch_t)
auth_dontaudit_read_shadow(logwatch_t)
-@@ -92,11 +100,20 @@
+@@ -92,11 +101,20 @@
sysnet_exec_ifconfig(logwatch_t)
userdom_dontaudit_search_user_home_dirs(logwatch_t)
@@ -2720,8 +2728,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.9.7/policy/modules/apps/execmem.fc
--- nsaserefpolicy/policy/modules/apps/execmem.fc 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/apps/execmem.fc 2011-02-25 17:40:39.071546259 +0000
-@@ -0,0 +1,50 @@
++++ serefpolicy-3.9.7/policy/modules/apps/execmem.fc 2011-04-04 18:45:16.701000002 +0000
+@@ -0,0 +1,51 @@
+
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -2772,6 +2780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib(64)?/gimp/2\.0/plug-ins/help-browser -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.9.7/policy/modules/apps/execmem.if
--- nsaserefpolicy/policy/modules/apps/execmem.if 1970-01-01 00:00:00.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/apps/execmem.if 2011-03-20 21:09:28.797630001 +0000
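Review bot: The new MathKernel file context is missing the path separator before the binary name: `Mathematica(/.*)?MathKernel` only matches the installed kernel because the greedy `.*` happens to swallow the trailing `/`, and it also matches a concatenated name such as `MathematicaMathKernel`. The conventional form used elsewhere in this file (compare the `gimp/2\.0/plug-ins/help-browser` entry) is `/usr/local/Wolfram/Mathematica(/.*)?/MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0)`. The hunk header also bumps the file to 51 lines, so the count must stay in step with this entry.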
@@ -8812,16 +8821,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.9.7/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/kernel/devices.fc 2011-02-25 17:40:39.340539639 +0000
-@@ -17,6 +17,7 @@
++++ serefpolicy-3.9.7/policy/modules/kernel/devices.fc 2011-04-04 18:47:26.703000001 +0000
+@@ -17,8 +17,10 @@
/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0)
+/dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
/dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
++/dev/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0)
/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
-@@ -159,6 +160,7 @@
+ /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
+@@ -159,6 +161,7 @@
/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
@@ -8829,7 +8841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/pts(/.*)? <<none>>
/dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
-@@ -176,13 +178,12 @@
+@@ -176,13 +179,12 @@
/etc/udev/devices -d gen_context(system_u:object_r:device_t,s0)
@@ -8845,7 +8857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
ifdef(`distro_redhat',`
# originally from named.fc
-@@ -191,3 +192,8 @@
+@@ -191,3 +193,8 @@
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
')
@@ -27172,7 +27184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.9.7/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/mta.if 2011-02-25 17:40:40.186518814 +0000
++++ serefpolicy-3.9.7/policy/modules/services/mta.if 2011-04-05 17:25:27.561000001 +0000
@@ -37,9 +37,9 @@
## is the prefix for user_t).
## </summary>
@@ -27184,7 +27196,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
gen_require(`
attribute user_mail_domain;
type sendmail_exec_t;
-@@ -158,6 +158,7 @@
+@@ -104,6 +104,7 @@
+
+ optional_policy(`
+ postfix_domtrans_user_mail_handler($1_mail_t)
++ postfix_rw_master_pipes($1_mail_t)
+ ')
+
+ optional_policy(`
+@@ -158,6 +159,7 @@
## User domain for the role
## </summary>
## </param>
@@ -27192,7 +27212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
#
interface(`mta_role',`
gen_require(`
-@@ -169,7 +170,7 @@
+@@ -169,7 +171,7 @@
# Transition from the user domain to the derived domain.
domtrans_pattern($2, sendmail_exec_t, user_mail_t)
@@ -27201,7 +27221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
allow mta_user_agent $2:fd use;
allow mta_user_agent $2:process sigchld;
-@@ -220,6 +221,25 @@
+@@ -220,6 +222,25 @@
application_executable_file($1)
')
@@ -27227,7 +27247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
########################################
## <summary>
## Make the specified type by a system MTA.
-@@ -306,7 +326,6 @@
+@@ -306,7 +327,6 @@
interface(`mta_mailserver_delivery',`
gen_require(`
attribute mailserver_delivery;
@@ -27235,7 +27255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
typeattribute $1 mailserver_delivery;
-@@ -330,12 +349,6 @@
+@@ -330,12 +350,6 @@
')
typeattribute $1 mta_user_agent;
@@ -27248,7 +27268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
########################################
-@@ -350,9 +363,8 @@
+@@ -350,9 +364,8 @@
#
interface(`mta_send_mail',`
gen_require(`
@@ -27259,7 +27279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
-@@ -362,6 +374,10 @@
+@@ -362,6 +375,10 @@
allow mta_user_agent $1:fd use;
allow mta_user_agent $1:process sigchld;
allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
@@ -27270,7 +27290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
########################################
-@@ -391,12 +407,15 @@
+@@ -391,12 +408,15 @@
#
interface(`mta_sendmail_domtrans',`
gen_require(`
@@ -27288,7 +27308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
########################################
-@@ -409,7 +428,6 @@
+@@ -409,7 +429,6 @@
## </summary>
## </param>
#
@@ -27296,7 +27316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
-@@ -420,6 +438,24 @@
+@@ -420,6 +439,24 @@
########################################
## <summary>
@@ -27321,7 +27341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
## Execute sendmail in the caller domain.
## </summary>
## <param name="domain">
-@@ -474,7 +510,8 @@
+@@ -474,7 +511,8 @@
type etc_mail_t;
')
@@ -27331,7 +27351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
########################################
-@@ -552,7 +589,7 @@
+@@ -552,7 +590,7 @@
')
files_search_etc($1)
@@ -27340,7 +27360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
#######################################
-@@ -646,8 +683,8 @@
+@@ -646,8 +684,8 @@
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -27351,7 +27371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
#######################################
-@@ -697,8 +734,8 @@
+@@ -697,8 +735,8 @@
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -27362,7 +27382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -838,7 +875,7 @@
+@@ -838,7 +876,7 @@
')
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -27371,7 +27391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
########################################
-@@ -899,3 +936,50 @@
+@@ -899,3 +937,50 @@
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -28490,7 +28510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.9.7/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/networkmanager.te 2011-03-04 12:16:25.177413008 +0000
++++ serefpolicy-3.9.7/policy/modules/services/networkmanager.te 2011-04-11 08:30:43.735000002 +0000
@@ -12,6 +12,12 @@
type NetworkManager_initrc_exec_t;
init_script_file(NetworkManager_initrc_exec_t)
@@ -28504,16 +28524,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)
-@@ -35,7 +41,7 @@
+@@ -35,8 +41,10 @@
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
-allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
++#bug in kernel
++dontaudit NetworkManager_t self:capability sys_module;
allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
-@@ -44,7 +50,7 @@
+ allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
+@@ -44,7 +52,7 @@
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
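Review bot: The new `dontaudit NetworkManager_t self:capability sys_module;` is justified only by the bare comment `#bug in kernel`, which gives a future maintainer no way to tell when the suppression can be dropped; a dontaudit also hides the denial from the audit log, so it should carry its tracker. Suggest `# kernel bug: sys_module is requested spuriously (bug <TRACKER-ID placeholder>); remove this dontaudit once fixed`. The same applies to the virt.te hunk further down, where `#kernel bug` precedes `dontaudit virtd_t self:capability sys_module;`.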
@@ -28522,7 +28545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
-@@ -52,9 +58,19 @@
+@@ -52,9 +60,19 @@
can_exec(NetworkManager_t, NetworkManager_exec_t)
@@ -28542,7 +28565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -140,23 +156,34 @@
+@@ -140,23 +158,34 @@
sysnet_domtrans_ifconfig(NetworkManager_t)
sysnet_domtrans_dhcpc(NetworkManager_t)
sysnet_signal_dhcpc(NetworkManager_t)
@@ -28577,7 +28600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-@@ -172,12 +199,14 @@
+@@ -172,12 +201,14 @@
')
optional_policy(`
@@ -28593,7 +28616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
optional_policy(`
consolekit_dbus_chat(NetworkManager_t)
')
-@@ -194,6 +223,10 @@
+@@ -194,6 +225,10 @@
')
optional_policy(`
@@ -28604,7 +28627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
hal_write_log(NetworkManager_t)
')
-@@ -202,6 +235,13 @@
+@@ -202,6 +237,13 @@
')
optional_policy(`
@@ -28618,7 +28641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
iptables_domtrans(NetworkManager_t)
')
-@@ -219,6 +259,7 @@
+@@ -219,6 +261,7 @@
')
optional_policy(`
@@ -28626,7 +28649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
openvpn_domtrans(NetworkManager_t)
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
-@@ -263,6 +304,7 @@
+@@ -263,6 +306,7 @@
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@@ -28940,6 +28963,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslc
+ files_list_pids($1)
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.9.7/policy/modules/services/nslcd.te
+--- nsaserefpolicy/policy/modules/services/nslcd.te 2010-10-12 20:42:49.000000000 +0000
++++ serefpolicy-3.9.7/policy/modules/services/nslcd.te 2011-04-05 17:31:41.086000002 +0000
+@@ -16,7 +16,7 @@
+ files_pid_file(nslcd_var_run_t)
+
+ type nslcd_conf_t;
+-files_type(nslcd_conf_t)
++files_config_file(nslcd_conf_t)
+
+ ########################################
+ #
+@@ -24,7 +24,7 @@
+ #
+
+ allow nslcd_t self:capability { setgid setuid dac_override };
+-allow nslcd_t self:process signal;
++allow nslcd_t self:process { setsched signal };
+ allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
+
+ allow nslcd_t nslcd_conf_t:file read_file_perms;
+@@ -37,9 +37,13 @@
+ kernel_read_system_state(nslcd_t)
+
+ files_read_etc_files(nslcd_t)
++files_read_usr_symlinks(nslcd_t)
++files_list_tmp(nslcd_t)
+
+ auth_use_nsswitch(nslcd_t)
+
+ logging_send_syslog_msg(nslcd_t)
+
+ miscfiles_read_localization(nslcd_t)
++
++userdom_read_user_tmp_files(nslcd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.9.7/policy/modules/services/ntop.te
--- nsaserefpolicy/policy/modules/services/ntop.te 2010-10-12 20:42:49.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/services/ntop.te 2011-02-25 17:40:40.212518174 +0000
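Review bot: Changing `files_type(nslcd_conf_t)` to `files_config_file(nslcd_conf_t)` presumably attaches the generic configfile attribute, which means every domain granted the generic read/manage-config interfaces can now read nslcd.conf; if that file holds an LDAP bind password in a given deployment, this widens who can read it, and the commit message ("Fixes for nslcd policy") does not say why the broader labeling is needed. If the intent is only that nslcd_t reads its own config (already covered by `allow nslcd_t nslcd_conf_t:file read_file_perms;`), keeping `files_type` is the tighter choice. Likewise `userdom_read_user_tmp_files(nslcd_t)` and `files_list_tmp(nslcd_t)` give a system daemon read access to all users' temporary files; a one-line comment naming the denial that motivated it, e.g. `# nslcd reads <what> under user tmp (bug <TRACKER-ID placeholder>)`, would let a reviewer confirm it cannot be narrowed.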
@@ -31069,7 +31127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.9.7/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/postfix.if 2011-03-25 10:18:09.630630001 +0000
++++ serefpolicy-3.9.7/policy/modules/services/postfix.if 2011-04-05 17:25:41.674000001 +0000
@@ -35,7 +35,7 @@
role system_r types postfix_$1_t;
@@ -31169,7 +31227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+ type postfix_master_t;
+ ')
+
-+ allow $1 postfix_master_t:fifo_file rw_fifo_file_perms;
++ allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;;
+')
+
########################################
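Review bot: The changed line `allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;;` ends with a doubled semicolon; whether checkmodule tolerates an empty statement here should be confirmed by a build, and in any case it should read `allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;`. The switch from `rw_fifo_file_perms` to the inherited variant is the right tightening for a pipe handed over from postfix_master, and matches the commit message. The enclosing interface starts before this hunk, so its name and summary could not be checked here.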
@@ -32747,7 +32805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.9.7/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/procmail.te 2011-02-25 17:40:40.400513547 +0000
++++ serefpolicy-3.9.7/policy/modules/services/procmail.te 2011-04-05 17:26:37.834000001 +0000
@@ -10,6 +10,9 @@
application_domain(procmail_t, procmail_exec_t)
role system_r types procmail_t;
@@ -32794,17 +32852,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
mta_manage_spool(procmail_t)
mta_read_queue(procmail_t)
-@@ -128,6 +137,10 @@
- ')
-
- optional_policy(`
-+ nagios_search_spool(procmail_t)
+@@ -125,6 +134,11 @@
+ postfix_read_spool_files(procmail_t)
+ postfix_read_local_state(procmail_t)
+ postfix_read_master_state(procmail_t)
++ postfix_rw_master_pipes(procmail_t)
+')
+
+optional_policy(`
- pyzor_domtrans(procmail_t)
- pyzor_signal(procmail_t)
++ nagios_search_spool(procmail_t)
')
+
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.9.7/policy/modules/services/psad.if
--- nsaserefpolicy/policy/modules/services/psad.if 2010-10-12 20:42:49.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/services/psad.if 2011-02-25 17:40:40.401513522 +0000
@@ -34575,7 +34634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.9.7/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/rhcs.te 2011-03-18 14:41:41.637630000 +0000
++++ serefpolicy-3.9.7/policy/modules/services/rhcs.te 2011-04-11 08:55:38.770000002 +0000
@@ -6,13 +6,15 @@
#
@@ -34665,7 +34724,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
')
optional_policy(`
-@@ -116,11 +129,23 @@
+@@ -116,11 +129,30 @@
######################################
#
@@ -34673,13 +34732,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+#
+
+allow foghorn_t self:process { signal };
++allow foghorn_t self:udp_socket create_socket_perms;
+
+files_read_etc_files(foghorn_t)
++files_read_usr_files(foghorn_t)
+
+optional_policy(`
+ dbus_connect_system_bus(foghorn_t)
+')
+
++optional_policy(`
++ snmp_read_snmp_var_lib_files(foghorn_t)
++ snmp_stream_connect(foghorn_t)
++')
++
+######################################
+#
# gfs_controld local policy
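Review bot: The new foghorn_t rules (`allow foghorn_t self:udp_socket create_socket_perms;`, `files_read_usr_files(foghorn_t)` and the snmp optional block) carry no why-comment, while the other domains in this file at least have a section header; a reviewer cannot tell from the hunk whether the udp socket is for SNMP traffic or something else. Suggest a short comment above the optional_policy block, e.g. `# foghorn talks to the local snmpd over its unix socket and reads its persistent data; confirm whether the udp_socket rule also needs corenet rules`, hedged until the actual denials are known.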
@@ -34690,7 +34756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
allow gfs_controld_t self:shm create_shm_perms;
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -139,10 +164,6 @@
+@@ -139,10 +171,6 @@
init_rw_script_tmp_files(gfs_controld_t)
optional_policy(`
@@ -34701,7 +34767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
')
-@@ -154,9 +175,10 @@
+@@ -154,9 +182,10 @@
allow groupd_t self:capability { sys_nice sys_resource };
allow groupd_t self:process setsched;
@@ -34713,7 +34779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
dev_list_sysfs(groupd_t)
files_read_etc_files(groupd_t)
-@@ -168,8 +190,7 @@
+@@ -168,8 +197,7 @@
# qdiskd local policy
#
@@ -34723,7 +34789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms;
-@@ -199,6 +220,8 @@
+@@ -199,6 +227,8 @@
files_dontaudit_getattr_all_pipes(qdiskd_t)
files_read_etc_files(qdiskd_t)
@@ -34732,7 +34798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
storage_raw_read_removable_device(qdiskd_t)
storage_raw_write_removable_device(qdiskd_t)
storage_raw_read_fixed_disk(qdiskd_t)
-@@ -207,10 +230,6 @@
+@@ -207,10 +237,6 @@
auth_use_nsswitch(qdiskd_t)
optional_policy(`
@@ -34743,7 +34809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
netutils_domtrans_ping(qdiskd_t)
')
-@@ -223,18 +242,28 @@
+@@ -223,18 +249,28 @@
# rhcs domains common policy
#
@@ -35959,7 +36025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.9.7/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/samba.te 2011-02-25 17:40:40.507510913 +0000
++++ serefpolicy-3.9.7/policy/modules/services/samba.te 2011-04-04 12:20:36.217000002 +0000
@@ -152,9 +152,6 @@
type winbind_log_t;
logging_log_file(winbind_log_t)
@@ -35982,7 +36048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
# smbd Local policy
#
-allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
-+allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_admin sys_resource lease dac_override dac_read_search };
++allow smbd_t self:capability { chown fowner kill setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
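Review bot: `sys_chroot` is added to the smbd_t capability set without any comment, and the commit message does not list a samba change at all, so the reason for the new capability is not recoverable from the record. Suggest a comment on the line above, e.g. `# sys_chroot: <reason> (bug <TRACKER-ID placeholder>)`, so the widening of this network-facing daemon's capabilities is traceable.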
@@ -37591,7 +37657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.9.7/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/ssh.if 2011-03-18 14:48:21.552630000 +0000
++++ serefpolicy-3.9.7/policy/modules/services/ssh.if 2011-04-04 15:42:53.154000001 +0000
@@ -32,10 +32,10 @@
## </param>
#
@@ -37801,7 +37867,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_ssh_agent_t)
-@@ -477,8 +489,9 @@
+@@ -421,6 +433,10 @@
+ ')
+
+ optional_policy(`
++ ssh_run_keygen($3,$2)
++ ')
++
++ optional_policy(`
+ xserver_use_xdm_fds($1_ssh_agent_t)
+ xserver_rw_xdm_pipes($1_ssh_agent_t)
+ ')
+@@ -477,8 +493,9 @@
type sshd_t;
')
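Review bot: The new call `ssh_run_keygen($3,$2)` omits the space after the comma that the rest of this file uses (`xserver_use_xdm_fds($1_ssh_agent_t)` style calls aside, compare `domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)` later in the patch); it should read `ssh_run_keygen($3, $2)`. The enclosing template starts before this hunk, so the meaning of `$3` and `$2` (presumably user domain and role) could not be checked here; the `ssh_run_keygen` interface itself appears to be defined further down in this patch.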
@@ -37812,7 +37889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
########################################
## <summary>
## Read and write a ssh server unnamed pipe.
-@@ -494,7 +507,7 @@
+@@ -494,7 +511,7 @@
type sshd_t;
')
@@ -37821,7 +37898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
########################################
-@@ -586,6 +599,24 @@
+@@ -586,6 +603,24 @@
########################################
## <summary>
@@ -37846,7 +37923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
## Execute the ssh client in the caller domain.
## </summary>
## <param name="domain">
-@@ -618,7 +649,7 @@
+@@ -618,7 +653,7 @@
type sshd_key_t;
')
@@ -37855,7 +37932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
files_search_pids($1)
')
-@@ -680,6 +711,32 @@
+@@ -680,6 +715,32 @@
domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
')
@@ -37888,7 +37965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
########################################
## <summary>
## Read ssh server keys
-@@ -695,7 +752,7 @@
+@@ -695,7 +756,7 @@
type sshd_key_t;
')
@@ -37897,7 +37974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
######################################
-@@ -735,3 +792,21 @@
+@@ -735,3 +796,21 @@
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -37921,7 +37998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.9.7/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/ssh.te 2011-03-18 14:47:55.862630000 +0000
++++ serefpolicy-3.9.7/policy/modules/services/ssh.te 2011-04-11 09:27:44.859000002 +0000
@@ -6,26 +6,32 @@
#
@@ -38050,7 +38127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
dev_read_urand(ssh_t)
-@@ -169,14 +175,18 @@
+@@ -169,14 +175,21 @@
userdom_search_user_home_dirs(ssh_t)
# Write to the user domain tty.
userdom_use_user_terminals(ssh_t)
@@ -38059,6 +38136,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
userdom_read_user_tmp_files(ssh_t)
+userdom_write_user_tmp_files(ssh_t)
+userdom_read_user_home_content_symlinks(ssh_t)
++# 692457
++userdom_search_admin_dir(sshd_t)
++userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
tunable_policy(`allow_ssh_keysign',`
- domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
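Review bot: `userdom_search_admin_dir(sshd_t)` is inserted among the ssh_t client rules (`userdom_write_user_tmp_files(ssh_t)`, `userdom_admin_home_dir_filetrans(ssh_t, ...)`), so either the subject should be `ssh_t`, which needs search on the admin home to make the filetrans on the next line usable, or the line belongs in the sshd_t section later in the file; please confirm which. The comment `# 692457` should name its tracker, e.g. `# bug 692457: ...` with a few words on what it fixes, since a bare number is easy to misread later.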
@@ -38074,7 +38154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
tunable_policy(`use_nfs_home_dirs',`
-@@ -209,7 +219,7 @@
+@@ -209,7 +222,7 @@
allow ssh_keysign_t self:capability { setgid setuid };
allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
@@ -38083,7 +38163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
dev_read_urand(ssh_keysign_t)
-@@ -232,33 +242,44 @@
+@@ -232,33 +245,44 @@
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -38137,7 +38217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
optional_policy(`
-@@ -266,11 +287,24 @@
+@@ -266,11 +290,24 @@
')
optional_policy(`
@@ -38163,7 +38243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
optional_policy(`
-@@ -284,6 +318,11 @@
+@@ -284,6 +321,11 @@
')
optional_policy(`
@@ -38175,7 +38255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
unconfined_shell_domtrans(sshd_t)
')
-@@ -292,26 +331,26 @@
+@@ -292,26 +334,26 @@
')
ifdef(`TODO',`
@@ -38221,7 +38301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
') dnl endif TODO
########################################
-@@ -322,14 +361,18 @@
+@@ -322,14 +364,19 @@
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -38237,11 +38317,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
+manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
+userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
++userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
+
kernel_read_kernel_sysctls(ssh_keygen_t)
fs_search_auto_mountpoints(ssh_keygen_t)
-@@ -353,7 +396,7 @@
+@@ -350,10 +397,12 @@
+
+ logging_send_syslog_msg(ssh_keygen_t)
+
++userdom_search_admin_dir(ssh_keygen_t)
++userdom_search_user_home_dirs(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
optional_policy(`
@@ -39840,7 +39926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.9.7/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/virt.te 2011-03-04 12:27:33.713412996 +0000
++++ serefpolicy-3.9.7/policy/modules/services/virt.te 2011-04-11 08:31:17.362000002 +0000
@@ -5,80 +5,97 @@
# Declarations
#
@@ -40038,11 +40124,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
xen_rw_image_files(svirt_t)
')
-@@ -174,22 +210,31 @@
+@@ -174,22 +210,33 @@
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched };
++#kernel bug
++dontaudit virtd_t self:capability sys_module;
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom
@@ -40073,7 +40161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +245,14 @@
+@@ -200,8 +247,14 @@
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -40090,7 +40178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -220,6 +271,7 @@
+@@ -220,6 +273,7 @@
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
@@ -40098,7 +40186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-@@ -243,18 +295,27 @@
+@@ -243,18 +297,27 @@
dev_rw_kvm(virtd_t)
dev_getattr_all_chr_files(virtd_t)
dev_rw_mtrr(virtd_t)
@@ -40127,7 +40215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +323,18 @@
+@@ -262,6 +325,18 @@
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -40146,7 +40234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
mcs_process_set_categories(virtd_t)
-@@ -285,16 +358,31 @@
+@@ -285,16 +360,31 @@
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@@ -40178,7 +40266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +401,10 @@
+@@ -313,6 +403,10 @@
')
optional_policy(`
@@ -40189,7 +40277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -365,6 +457,8 @@
+@@ -365,6 +459,8 @@
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
@@ -40198,7 +40286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
optional_policy(`
-@@ -394,14 +488,26 @@
+@@ -394,14 +490,26 @@
# virtual domains common policy
#
@@ -40227,7 +40315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +528,7 @@
+@@ -422,6 +530,7 @@
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@@ -40235,7 +40323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +536,12 @@
+@@ -429,10 +538,12 @@
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -40248,7 +40336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,6 +549,11 @@
+@@ -440,6 +551,11 @@
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -40260,7 +40348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -457,8 +571,117 @@
+@@ -457,8 +573,117 @@
')
optional_policy(`
@@ -43392,7 +43480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.9.7/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/authlogin.if 2011-02-25 17:40:40.786504046 +0000
++++ serefpolicy-3.9.7/policy/modules/system/authlogin.if 2011-04-05 18:00:16.036000001 +0000
@@ -57,6 +57,8 @@
auth_exec_pam($1)
auth_use_nsswitch($1)
@@ -43548,10 +43636,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
typeattribute $1 can_relabelto_shadow_passwords;
')
-@@ -736,6 +795,25 @@
- allow $1 faillog_t:file rw_file_perms;
- ')
+@@ -733,7 +792,26 @@
+ ')
+ logging_search_logs($1)
+- allow $1 faillog_t:file rw_file_perms;
++ rw_files_pattern($1, faillog_t, faillog_t)
++')
++
+########################################
+## <summary>
+## Manage the login failure log.
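Review bot: The replacement `rw_files_pattern($1, faillog_t, faillog_t)` leaves this interface inconsistent with the manage-faillog interface that follows in the next hunk, which keeps the raw `allow $1 faillog_t:file manage_file_perms;` after the same `logging_search_logs($1)` call. Either both should use the pattern macros (`manage_files_pattern($1, faillog_t, faillog_t)` for the sibling) or both the raw allow; mixing the two styles in adjacent interfaces invites a reader to assume a semantic difference that is not there. The start of the enclosing `auth_rw_faillog` interface lies outside the hunk.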
@@ -43569,11 +43661,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+
+ logging_search_logs($1)
+ allow $1 faillog_t:file manage_file_perms;
-+')
-+
+ ')
+
#######################################
- ## <summary>
- ## Read the last logins log.
@@ -874,6 +952,26 @@
########################################
@@ -46335,7 +46425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
domain_system_change_exemption($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.9.7/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/logging.te 2011-03-25 09:51:10.512630001 +0000
++++ serefpolicy-3.9.7/policy/modules/system/logging.te 2011-04-04 17:55:37.936000002 +0000
@@ -19,6 +19,11 @@
files_security_file(auditd_log_t)
files_security_mountpoint(auditd_log_t)
@@ -46356,7 +46446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
type syslogd_initrc_exec_t;
init_script_file(syslogd_initrc_exec_t)
-@@ -179,6 +185,8 @@
+@@ -179,10 +185,13 @@
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
@@ -46365,7 +46455,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
miscfiles_read_localization(auditd_t)
mls_file_read_all_levels(auditd_t)
-@@ -234,7 +242,12 @@
+ mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
++mls_socket_write_all_levels(auditd_t)
+
+ seutil_dontaudit_read_config(auditd_t)
+
+@@ -234,7 +243,12 @@
files_read_etc_files(audisp_t)
files_read_etc_runtime_files(audisp_t)
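Review bot: `mls_socket_write_all_levels(auditd_t)` is added without the kind of rationale the adjacent `mls_file_write_all_levels` line carries in its trailing comment, so in an MLS build it reads as a blanket exemption from the socket write-down constraint with no stated need. Please record which socket traffic requires it, e.g. `# mls: write to sockets at all levels (needed for <describe the peer/socket>)`. The same uncommented call is added for `audisp_remote_t` in the hunk that follows and deserves the same note.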
@@ -46378,7 +46473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
logging_send_syslog_msg(audisp_t)
-@@ -244,14 +257,26 @@
+@@ -244,14 +258,26 @@
optional_policy(`
dbus_system_bus_client(audisp_t)
@@ -46406,9 +46501,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
corenet_all_recvfrom_unlabeled(audisp_remote_t)
corenet_all_recvfrom_netlabel(audisp_remote_t)
-@@ -266,9 +291,16 @@
+@@ -265,10 +291,19 @@
+
files_read_etc_files(audisp_remote_t)
++mls_socket_write_all_levels(audisp_remote_t)
++
logging_send_syslog_msg(audisp_remote_t)
+logging_send_audit_msgs(audisp_remote_t)
+
@@ -46423,7 +46521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
sysnet_dns_name_resolve(audisp_remote_t)
########################################
-@@ -338,7 +370,7 @@
+@@ -338,7 +373,7 @@
# chown fsetid for syslog-ng
# sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
@@ -46432,7 +46530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
dontaudit syslogd_t self:capability sys_tty_config;
# setpgid for metalog
# setrlimit for syslog-ng
-@@ -369,9 +401,15 @@
+@@ -369,9 +404,15 @@
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -46448,7 +46546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -412,6 +450,7 @@
+@@ -412,6 +453,7 @@
dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
@@ -46456,7 +46554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
domain_use_interactive_fds(syslogd_t)
-@@ -422,6 +461,7 @@
+@@ -422,6 +464,7 @@
# /initrd is not umounted before minilog starts
files_dontaudit_search_isid_type_dirs(syslogd_t)
files_read_kernel_symbol_table(syslogd_t)
@@ -46464,7 +46562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
-@@ -488,6 +528,10 @@
+@@ -488,6 +531,10 @@
')
optional_policy(`
@@ -48003,7 +48101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.9.7/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/selinuxutil.te 2011-02-25 17:40:40.927500574 +0000
++++ serefpolicy-3.9.7/policy/modules/system/selinuxutil.te 2011-04-04 18:44:52.443000002 +0000
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.14.0)
+policy_module(selinuxutil, 1.14.1)
@@ -48087,7 +48185,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
miscfiles_read_localization(load_policy_t)
-@@ -204,7 +218,7 @@
+@@ -183,6 +197,7 @@
+
+ userdom_use_user_terminals(load_policy_t)
+ userdom_use_all_users_fds(load_policy_t)
++userdom_dontaudit_read_user_tmp_files(load_policy_t)
+
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+@@ -204,7 +219,7 @@
# Newrole local policy
#
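Review bot: `userdom_dontaudit_read_user_tmp_files(load_policy_t)` silences a denial class for the policy loader without saying what triggers it, and a dontaudit here would also hide a genuine misconfiguration in which load_policy is handed user-controlled tmp files. If the trigger is a descriptor inherited from the invoking user session, a one-line comment saying so, e.g. `# leaked fd from the calling user session; no read is intended`, lets the rule be reviewed later; if it is something else, that reason should be stated instead.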
@@ -48096,7 +48202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
-@@ -216,7 +230,7 @@
+@@ -216,7 +231,7 @@
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -48105,7 +48211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
read_files_pattern(newrole_t, default_context_t, default_context_t)
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -234,6 +248,7 @@
+@@ -234,6 +249,7 @@
domain_sigchld_interactive_fds(newrole_t)
files_read_etc_files(newrole_t)
@@ -48113,7 +48219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
files_read_var_files(newrole_t)
files_read_var_symlinks(newrole_t)
-@@ -260,25 +275,30 @@
+@@ -260,25 +276,30 @@
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
@@ -48150,7 +48256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(newrole_t)
-@@ -312,6 +332,8 @@
+@@ -312,6 +333,8 @@
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
@@ -48159,7 +48265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
fs_relabelfrom_noxattr_fs(restorecond_t)
fs_dontaudit_list_nfs(restorecond_t)
fs_getattr_xattr_fs(restorecond_t)
-@@ -335,6 +357,8 @@
+@@ -335,6 +358,8 @@
seutil_libselinux_linked(restorecond_t)
@@ -48168,7 +48274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
-@@ -353,7 +377,7 @@
+@@ -353,7 +378,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@@ -48177,7 +48283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
-@@ -380,6 +404,8 @@
+@@ -380,6 +405,8 @@
selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)
@@ -48186,7 +48292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
auth_domtrans_upd_passwd(run_init_t)
-@@ -405,6 +431,15 @@
+@@ -405,6 +432,15 @@
')
')
@@ -48202,7 +48308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -420,190 +455,92 @@
+@@ -420,190 +456,92 @@
# semodule local policy
#
@@ -49299,8 +49405,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.9.7/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/udev.te 2011-02-25 17:40:40.949500032 +0000
-@@ -52,6 +52,7 @@
++++ serefpolicy-3.9.7/policy/modules/system/udev.te 2011-04-11 08:34:05.273000002 +0000
+@@ -37,6 +37,8 @@
+ #
+
+ allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
++#kernel bug
++dontaudit udev_t self:capability sys_module;
+ dontaudit udev_t self:capability sys_tty_config;
+ allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow udev_t self:process { execmem setfscreate };
+@@ -52,6 +54,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
@@ -49308,7 +49423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
-@@ -72,7 +73,8 @@
+@@ -72,7 +75,8 @@
manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
@@ -49318,7 +49433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
kernel_read_system_state(udev_t)
kernel_request_load_module(udev_t)
-@@ -111,15 +113,20 @@
+@@ -111,15 +115,20 @@
files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t)
@@ -49340,7 +49455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
mcs_ptrace_all(udev_t)
-@@ -186,6 +193,7 @@
+@@ -186,6 +195,7 @@
fs_manage_tmpfs_chr_files(udev_t)
fs_relabel_tmpfs_blk_file(udev_t)
fs_relabel_tmpfs_chr_file(udev_t)
@@ -49348,7 +49463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
term_search_ptys(udev_t)
-@@ -216,11 +224,16 @@
+@@ -216,11 +226,16 @@
')
optional_policy(`
@@ -49365,7 +49480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
')
optional_policy(`
-@@ -233,6 +246,10 @@
+@@ -233,6 +248,10 @@
')
optional_policy(`
@@ -49376,7 +49491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
lvm_domtrans(udev_t)
')
-@@ -259,6 +276,10 @@
+@@ -259,6 +278,10 @@
')
optional_policy(`
@@ -49387,7 +49502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -273,6 +294,11 @@
+@@ -273,6 +296,11 @@
')
optional_policy(`
@@ -50166,7 +50281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.debug(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.9.7/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/userdomain.if 2011-03-20 21:07:58.120630001 +0000
++++ serefpolicy-3.9.7/policy/modules/system/userdomain.if 2011-04-04 18:03:36.285000001 +0000
@@ -30,8 +30,9 @@
')
@@ -51799,7 +51914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -3135,3 +3493,855 @@
+@@ -3135,3 +3493,873 @@
allow $1 userdomain:dbus send_msg;
')
@@ -52655,6 +52770,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ domain_transition_pattern($1, user_tmp_t, $2)
+ type_transition $1 user_tmp_t:process $2;
+')
++
++#######################################
++## <summary>
++## Send kill signals to all user domains.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_kill_all_users',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:process sigkill;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.9.7/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2010-10-12 20:42:50.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/system/userdomain.te 2011-02-25 17:40:40.957499835 +0000
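Review bot: The new `userdom_kill_all_users` interface grants `sigkill` against every type carrying the `userdomain` attribute, which as far as I can tell includes administrative user domains, yet its summary only says "all user domains". Because a caller obtaining this can terminate any logged-in user's processes, the summary should state the breadth and the intended caller, e.g. `## Send SIGKILL to all user domains, including administrative ones. Intended for cluster managers (rgmanager).` The changelog ties the addition to rgmanager, so the doc block is the right place to record that.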
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3077b1c..30efe56 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.7
-Release: 38%{?dist}
+Release: 39%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,21 @@ exit 0
%endif
%changelog
+* Mon Apr 11 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-39
+- Allow foghor to read snmp lib files
+- Other fixes for foghorn policy
+- Make sysadm security admin
+- Fix ssh_sysadm_login boolean
+- Fix seunshare interface
+- Add allow_sysadm_manage_security boolean
+- Add label for /dev/dlm.*
+- Allow auditadm_screen_t and secadm_screen_t dac_override capability
+- SSH_USE_STRONG_RNG is 1 which requires /dev/random
+- Fix auth_rw_faillog definition
+- Allow procmail and system_mail_t to user fifo_file passed into it from postfix_master
+- Fixes for nslcd policy
+- Allow rgmanager to send the kill signal to all users
+
* Fri Mar 25 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-38
- Add support for a new cluster service - foghorn
- Add /var/spool/audit support for new version of audit