[selinux-policy/f13/master] - Allow s-c-samba to read usr files - Make kernel_t domain MLS trusted for lowering the level of fil
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Jan 7 14:03:19 UTC 2011
commit acb8f5cc3f258a80090d99ecde7a615c41944b3b
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Jan 7 15:02:53 2011 +0000
- Allow s-c-samba to read usr files
- Make kernel_t domain MLS trusted for lowering the level of files
- Add label for /var/lib/tftpboot/grub directory
- Fixes for iscsi policy
- Allow dmesg to read system state
- squid apache script connects to the squid port
- /var/stockmaniac/templates_cache contains log files
- Allow radius to communicate with postgresql
- Add transition from unconfined_java_t to wine_t
booleans-targeted.conf | 2 +-
policy-F13.patch | 511 ++++++++++++++++++++++++++++++++++--------------
selinux-policy.spec | 13 ++-
3 files changed, 378 insertions(+), 148 deletions(-)
---
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index b05b5e2..f2e22cd 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -24,7 +24,7 @@ allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
-allow_gssd_read_tmp = false
+allow_gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
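Review bot: The default for allow_gssd_read_tmp flips from false to true here, but none of the nine changelog entries in the commit message mentions it, so a widening of gssd's access to /tmp ships undocumented. Changing a shipped targeted-policy default is a policy decision rather than a fix, and the bug or use case driving it (reading credential caches under /tmp is the usual reason, but that is an inference) should be recorded. Add a changelog line such as `- Turn on allow_gssd_read_tmp by default` and consider stating the reason in the comment above the boolean.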
diff --git a/policy-F13.patch b/policy-F13.patch
index 3a8918f..53d5d35 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -517,8 +517,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.7.19/policy/modules/admin/dmesg.te
--- nsaserefpolicy/policy/modules/admin/dmesg.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/dmesg.te 2010-06-21 21:23:21.779174421 +0200
-@@ -51,6 +51,12 @@
++++ serefpolicy-3.7.19/policy/modules/admin/dmesg.te 2011-01-03 08:59:40.202042256 +0100
+@@ -24,6 +24,7 @@
+ kernel_read_ring_buffer(dmesg_t)
+ kernel_clear_ring_buffer(dmesg_t)
+ kernel_change_ring_buffer_level(dmesg_t)
++kernel_read_system_state(dmesg_t)
+ kernel_list_proc(dmesg_t)
+ kernel_read_proc_symlinks(dmesg_t)
+
+@@ -51,6 +52,12 @@
userdom_use_user_terminals(dmesg_t)
optional_policy(`
@@ -1937,7 +1945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.19/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/rpm.te 2010-05-28 09:41:59.960611623 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/rpm.te 2011-01-07 10:32:51.757290974 +0100
@@ -1,6 +1,8 @@
policy_module(rpm, 1.10.0)
@@ -2046,16 +2054,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
fs_search_auto_mountpoints(rpm_t)
mls_file_read_all_levels(rpm_t)
-@@ -132,6 +161,8 @@
+@@ -132,6 +161,10 @@
# for installing kernel packages
storage_raw_read_fixed_disk(rpm_t)
+term_list_ptys(rpm_t)
++# needed in MLS
++term_use_console(rpm_t)
+
auth_relabel_all_files_except_shadow(rpm_t)
auth_manage_all_files_except_shadow(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
-@@ -155,6 +186,7 @@
+@@ -155,6 +188,7 @@
files_exec_etc_files(rpm_t)
init_domtrans_script(rpm_t)
@@ -2063,7 +2073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
-@@ -174,7 +206,19 @@
+@@ -174,7 +208,19 @@
')
optional_policy(`
@@ -2084,7 +2094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
')
optional_policy(`
-@@ -182,36 +226,19 @@
+@@ -182,36 +228,19 @@
')
optional_policy(`
@@ -2125,7 +2135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
-@@ -222,12 +249,15 @@
+@@ -222,12 +251,15 @@
allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
@@ -2141,7 +2151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
-@@ -239,6 +269,9 @@
+@@ -239,6 +271,9 @@
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
@@ -2151,7 +2161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
dev_list_sysfs(rpm_script_t)
-@@ -254,7 +287,9 @@
+@@ -254,7 +289,9 @@
fs_getattr_xattr_fs(rpm_script_t)
fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
@@ -2161,7 +2171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
mcs_killall(rpm_script_t)
mcs_ptrace_all(rpm_script_t)
-@@ -272,14 +307,19 @@
+@@ -272,14 +309,19 @@
storage_raw_read_fixed_disk(rpm_script_t)
storage_raw_write_fixed_disk(rpm_script_t)
@@ -2181,7 +2191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
-@@ -291,8 +331,10 @@
+@@ -291,8 +333,10 @@
files_exec_etc_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t)
files_exec_usr_files(rpm_script_t)
@@ -2192,7 +2202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
libs_exec_ld_so(rpm_script_t)
libs_exec_lib_files(rpm_script_t)
-@@ -308,12 +350,15 @@
+@@ -308,12 +352,15 @@
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
@@ -2208,7 +2218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
')
')
-@@ -326,13 +371,26 @@
+@@ -326,13 +373,26 @@
')
optional_policy(`
@@ -2247,6 +2257,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sectool
optional_policy(`
mount_exec(sectoolm_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.7.19/policy/modules/admin/shorewall.fc
+--- nsaserefpolicy/policy/modules/admin/shorewall.fc 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/shorewall.fc 2011-01-04 15:04:49.174051690 +0100
+@@ -11,4 +11,6 @@
+ /var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+ /var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+
++/var/lock/subsys/shorewall -- gen_context(system_u:object_r:shorewall_lock_t,s0)
++
+ /var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.7.19/policy/modules/admin/shorewall.if
--- nsaserefpolicy/policy/modules/admin/shorewall.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/admin/shorewall.if 2010-09-09 13:43:11.957085205 +0200
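Review bot: The new file context references shorewall_lock_t, a type that must be declared and marked as a lock file in shorewall.te for this entry to load; shorewall.te is not in this diff, so confirm the type exists, otherwise setfiles/restorecon will reject the context. Because the entry is a single file (`--`) under /var/lock/subsys, the domain that creates it also needs a files_lock_filetrans rule for the label to be applied at creation time rather than only on a later relabel; check that shorewall.te carries one.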
@@ -2877,16 +2897,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.19/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te 2010-10-26 10:37:40.688650931 +0200
-@@ -199,6 +199,7 @@
-
- term_use_all_ttys(groupadd_t)
- term_use_all_ptys(groupadd_t)
++++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te 2011-01-07 10:29:10.209292372 +0100
+@@ -197,8 +197,8 @@
+ selinux_compute_relabel_context(groupadd_t)
+ selinux_compute_user_contexts(groupadd_t)
+
+-term_use_all_ttys(groupadd_t)
+-term_use_all_ptys(groupadd_t)
++term_use_all_terms(groupadd_t)
+term_use_generic_ptys(groupadd_t)
init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
-@@ -209,6 +210,7 @@
+@@ -209,6 +209,7 @@
files_manage_etc_files(groupadd_t)
files_relabel_etc_files(groupadd_t)
files_read_etc_runtime_files(groupadd_t)
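Review bot: groupadd_t has term_use_all_ttys/term_use_all_ptys replaced by term_use_all_terms, yet term_use_generic_ptys(groupadd_t) is kept on the next line. If term_use_all_terms already covers the generic devpts type, that line is redundant; if it does not, the other two domains this commit touches (sysadm_passwd_t, useradd_t), which only gain term_use_all_terms, may be missing it. Either way the three domains should receive the same treatment, so settle which calls term_use_all_terms subsumes and apply one pattern throughout.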
@@ -2894,7 +2917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
# Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
corecmd_exec_bin(groupadd_t)
-@@ -256,7 +258,8 @@
+@@ -256,7 +257,8 @@
# Passwd local policy
#
@@ -2904,7 +2927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow passwd_t self:process { setrlimit setfscreate };
allow passwd_t self:fd use;
-@@ -294,6 +297,8 @@
+@@ -294,6 +296,8 @@
term_use_all_ttys(passwd_t)
term_use_all_ptys(passwd_t)
@@ -2913,7 +2936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
auth_domtrans_chk_passwd(passwd_t)
auth_manage_shadow(passwd_t)
-@@ -303,6 +308,9 @@
+@@ -303,6 +307,9 @@
# allow checking if a shell is executable
corecmd_check_exec_shell(passwd_t)
@@ -2923,7 +2946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
domain_use_interactive_fds(passwd_t)
-@@ -315,6 +323,7 @@
+@@ -315,6 +322,7 @@
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
@@ -2931,7 +2954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
init_use_fds(passwd_t)
logging_send_audit_msgs(passwd_t)
-@@ -333,6 +342,7 @@
+@@ -333,6 +341,7 @@
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -2939,6 +2962,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
optional_policy(`
nscd_domtrans(passwd_t)
+@@ -384,6 +393,7 @@
+
+ term_use_all_ttys(sysadm_passwd_t)
+ term_use_all_ptys(sysadm_passwd_t)
++term_use_all_terms(sysadm_passwd_t)
+
+ auth_manage_shadow(sysadm_passwd_t)
+ auth_relabel_shadow(sysadm_passwd_t)
@@ -427,7 +437,7 @@
# Useradd local policy
#
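Review bot: term_use_all_terms(sysadm_passwd_t) is added while the existing term_use_all_ttys and term_use_all_ptys lines are kept, whereas the groupadd_t hunk earlier in this patch replaces those two calls with term_use_all_terms. If the new interface subsumes the other two, the kept lines are dead and the three should collapse to the single `term_use_all_terms(sysadm_passwd_t)` as was done for groupadd_t; if it does not, the groupadd_t change lost permissions. Pick one reading and make the domains consistent.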
@@ -2956,7 +2987,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
files_manage_etc_files(useradd_t)
files_search_var_lib(useradd_t)
-@@ -498,12 +509,8 @@
+@@ -471,6 +482,7 @@
+
+ term_use_all_ttys(useradd_t)
+ term_use_all_ptys(useradd_t)
++term_use_all_terms(useradd_t)
+
+ auth_domtrans_chk_passwd(useradd_t)
+ auth_rw_lastlog(useradd_t)
+@@ -498,12 +510,8 @@
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
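Review bot: The same inconsistency as in the sysadm_passwd_t hunk appears here: useradd_t gains term_use_all_terms on top of term_use_all_ttys and term_use_all_ptys, while groupadd_t had the two older calls replaced. If term_use_all_terms covers both, reduce this to `term_use_all_terms(useradd_t)` alone so useradd_t and groupadd_t are handled the same way.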
@@ -2970,7 +3009,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
mta_manage_spool(useradd_t)
-@@ -527,6 +534,12 @@
+@@ -527,6 +535,12 @@
')
optional_policy(`
@@ -4337,7 +4376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.19/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/gpg.if 2010-05-28 09:41:59.978610931 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/gpg.if 2011-01-04 15:08:31.384041746 +0100
@@ -21,6 +21,7 @@
type gpg_agent_t, gpg_agent_exec_t;
type gpg_agent_tmp_t;
@@ -4346,7 +4385,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
')
role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t };
-@@ -50,13 +51,19 @@
+@@ -32,6 +33,8 @@
+ ps_process_pattern($2, gpg_t)
+ allow $2 gpg_t:process { signull sigstop signal sigkill };
+
++ allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };
++
+ # communicate with the user
+ allow gpg_helper_t $2:fd use;
+ allow gpg_helper_t $2:fifo_file write;
+@@ -50,13 +53,19 @@
# Transition from the user domain to the agent domain.
domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
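Review bot: The new `allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };` grants connectto on the agent's socket but nothing on the socket file itself; a client of a unix stream socket also needs write on the sock_file, so unless that is granted elsewhere the connect will still be denied. Assuming the agent creates its socket under gpg_agent_tmp_t, which the gen_require block above already pulls in, the idiomatic form is `stream_connect_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)`, which grants both halves and drops the unusual rw_socket_perms on another domain's socket object. The enclosing interface starts before this hunk.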
@@ -4370,7 +4418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
')
')
-@@ -78,6 +85,43 @@
+@@ -78,6 +87,43 @@
domtrans_pattern($1, gpg_exec_t, gpg_t)
')
@@ -4414,7 +4462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
########################################
## <summary>
## Send generic signals to user gpg processes.
-@@ -95,3 +139,65 @@
+@@ -95,3 +141,65 @@
allow $1 gpg_t:process signal;
')
@@ -7005,8 +7053,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.19/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sambagui.te 2010-05-28 09:42:00.003610619 +0200
-@@ -0,0 +1,66 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sambagui.te 2011-01-04 14:04:57.892041466 +0100
+@@ -0,0 +1,63 @@
+policy_module(sambagui,1.0.0)
+
+########################################
@@ -7041,11 +7089,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui
+corecmd_exec_bin(sambagui_t)
+
+files_read_etc_files(sambagui_t)
++files_read_usr_files(sambagui_t)
+files_search_var_lib(sambagui_t)
-+files_search_usr(sambagui_t)
-+
-+# reading shadow by pdbedit
-+#auth_read_shadow(sambagui_t)
+
+auth_use_nsswitch(sambagui_t)
+
@@ -8793,7 +8838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.7.19/policy/modules/apps/webalizer.te
--- nsaserefpolicy/policy/modules/apps/webalizer.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/webalizer.te 2010-08-13 07:59:10.406085311 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/webalizer.te 2011-01-03 14:33:53.133051854 +0100
@@ -85,6 +85,7 @@
userdom_use_user_terminals(webalizer_t)
userdom_use_unpriv_users_fds(webalizer_t)
@@ -8802,6 +8847,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalize
apache_read_log(webalizer_t)
apache_manage_sys_content(webalizer_t)
+@@ -104,3 +105,8 @@
+ optional_policy(`
+ nscd_socket_use(webalizer_t)
+ ')
++
++optional_policy(`
++ squid_manage_logs(webalizer_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.7.19/policy/modules/apps/wine.fc
--- nsaserefpolicy/policy/modules/apps/wine.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/apps/wine.fc 2010-05-28 09:42:00.014611294 +0200
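Review bot: squid_manage_logs(webalizer_t) grants create, write and unlink on squid's log files, which is more than a log analyzer needs in order to read them. If squid.if offers a read-only log interface, prefer it; if it does not, a one-line comment above the call explaining why write access is required would save the next reviewer the question. The manage interface also means a compromised webalizer could truncate or delete the proxy's access logs, which matters for incident forensics.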
@@ -9134,7 +9188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-09-01 11:58:19.510084657 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2011-01-03 14:29:17.539042734 +0100
@@ -25,6 +25,7 @@
#
type tun_tap_device_t;
@@ -9315,6 +9369,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
########################################
#
+@@ -266,5 +293,5 @@
+ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
+
+ # Bind to any network address.
+-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
++allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
+ allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.m4
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.m4 2010-07-14 10:38:30.694409837 +0200
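Review bot: Adding rawip_socket to the name_bind rule is most likely a no-op: the kernel's bind hook checks name_bind against the port type only for port-carrying socket classes (tcp and udp here), while raw IP sockets carry no port, and the node_bind rule on the following line already covers rawip_socket. If an AVC denial prompted this, check whether the denied permission was really name_bind on a rawip_socket; if so keep the addition with a comment naming the reporter, otherwise drop it to avoid a rule that never matches.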
@@ -11991,7 +12052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.19/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.te 2010-11-23 10:17:21.568398712 +0100
++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.te 2011-01-07 10:48:13.921042668 +0100
@@ -46,15 +46,6 @@
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -12043,7 +12104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -270,19 +273,29 @@
+@@ -270,19 +273,30 @@
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -12060,6 +12121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
mls_file_read_all_levels(kernel_t)
+mls_socket_write_all_levels(kernel_t)
+mls_fd_share_all_levels(kernel_t)
++mls_file_downgrade(kernel_t)
+
+logging_manage_generic_logs(kernel_t)
@@ -12073,7 +12135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
optional_policy(`
hotplug_search_config(kernel_t)
')
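Review bot: mls_file_downgrade(kernel_t) makes the kernel domain a trusted subject for relabeling files to a lower MLS level, yet the line carries no comment saying which operation needs that. kernel_t is also the domain in which kernel-spawned usermode helpers start (corecmd_exec_shell(kernel_t) appears in the context above), so any helper that does not transition inherits the ability to declassify. Add a why-comment next to the call, e.g. `# trusted MLS downgrade: kernel_t writes files below its systemhigh level when <operation> runs`, naming the actual trigger and the bug that motivated it, and consider whether a narrower domain could carry this privilege instead.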
-@@ -359,6 +372,10 @@
+@@ -359,6 +373,10 @@
unconfined_domain_noaudit(kernel_t)
')
@@ -12967,6 +13029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
+kernel_read_fs_sysctls(sysadm_t)
+modutils_read_module_deps(sysadm_t)
+miscfiles_read_hwdata(sysadm_t)
+Binary files nsaserefpolicy/policy/modules/roles/.sysadm.te.swp and serefpolicy-3.7.19/policy/modules/roles/.sysadm.te.swp differ
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.19/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.fc 2010-05-28 09:42:00.047610527 +0200
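Review bot: The line `Binary files nsaserefpolicy/policy/modules/roles/.sysadm.te.swp and serefpolicy-3.7.19/policy/modules/roles/.sysadm.te.swp differ` is a vim swap file that was sitting in the tree when the patch was regenerated, not a policy change. patch(1) cannot apply a "Binary files differ" entry and will at best skip it with a warning, and the swap file may hold unsaved edits to sysadm.te that are not in this patch. Delete the .swp file, regenerate policy-F13.patch so the line disappears, and add `*.swp` to the diff's exclude list to keep editor residue out in future.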
@@ -14659,7 +14722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
admin_pattern($1, abrt_var_cache_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.19/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-08-04 15:15:53.954335601 +0200
++++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2011-01-07 14:18:16.592043328 +0100
@@ -1,11 +1,19 @@
-policy_module(abrt, 1.0.1)
@@ -14792,7 +14855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
logging_read_generic_logs(abrt_t)
logging_send_syslog_msg(abrt_t)
-@@ -103,22 +152,129 @@
+@@ -103,22 +152,130 @@
miscfiles_read_certs(abrt_t)
miscfiles_read_localization(abrt_t)
@@ -14849,6 +14912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+ rpm_exec(abrt_t)
+ rpm_dontaudit_manage_db(abrt_t)
+ rpm_manage_cache(abrt_t)
++ rpm_manage_log(abrt_t)
+ rpm_manage_pid_files(abrt_t)
+ rpm_read_db(abrt_t)
+ rpm_signull(abrt_t)
@@ -16973,8 +17037,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.7.19/policy/modules/services/bitlbee.te
--- nsaserefpolicy/policy/modules/services/bitlbee.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/bitlbee.te 2010-11-10 09:41:46.688398097 +0100
-@@ -27,13 +27,13 @@
++++ serefpolicy-3.7.19/policy/modules/services/bitlbee.te 2011-01-04 16:26:00.197041921 +0100
+@@ -27,19 +27,21 @@
#
# Local policy
#
@@ -16987,10 +17051,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl
allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
allow bitlbee_t self:fifo_file rw_fifo_file_perms;
-allow bitlbee_t self:process signal;
++allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
bitlbee_read_config(bitlbee_t)
-@@ -81,6 +81,10 @@
+ # tmp files
+ manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+-files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
++manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t )
++files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
+
+ # user account information is read and edited at runtime; give the usual
+ # r/w access to bitlbee_var_t
+@@ -53,6 +55,7 @@
+ corenet_udp_sendrecv_generic_node(bitlbee_t)
+ corenet_tcp_sendrecv_generic_if(bitlbee_t)
+ corenet_tcp_sendrecv_generic_node(bitlbee_t)
++corenet_tcp_bind_generic_node(bitlbee_t)
+ # Allow bitlbee to connect to jabber servers
+ corenet_tcp_connect_jabber_client_port(bitlbee_t)
+ corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
+@@ -81,6 +84,10 @@
libs_legacy_use_shared_libs(bitlbee_t)
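Review bot: `manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t )` has a stray space before the closing parenthesis; the line above it writes `manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)`, so drop the space. Refpolicy also conventionally lists the dirs pattern before the files pattern, so swapping the two lines would match the rest of the tree.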
@@ -19038,8 +19119,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.7.19/policy/modules/services/cobbler.fc
--- nsaserefpolicy/policy/modules/services/cobbler.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/cobbler.fc 2010-12-01 13:47:05.132292116 +0100
-@@ -1,7 +1,32 @@
++++ serefpolicy-3.7.19/policy/modules/services/cobbler.fc 2011-01-07 11:32:18.772301640 +0100
+@@ -1,7 +1,33 @@
-/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
-/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
@@ -19053,6 +19134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
@@ -25654,8 +25736,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.te serefpolicy-3.7.19/policy/modules/services/mpd.te
--- nsaserefpolicy/policy/modules/services/mpd.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/mpd.te 2010-12-16 10:26:52.090042381 +0100
-@@ -0,0 +1,123 @@
++++ serefpolicy-3.7.19/policy/modules/services/mpd.te 2011-01-07 14:17:21.054042273 +0100
+@@ -0,0 +1,141 @@
+
+policy_module(mpd,1.0.0)
+
@@ -25711,6 +25793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+
+manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t)
+manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
++manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
+
+manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
@@ -25726,6 +25809,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+files_var_lib_filetrans(mpd_t, mpd_var_lib_t, { dir file lnk_file })
+
++# needed by pulseaudio
++kernel_getattr_proc(mpd_t)
+kernel_read_system_state(mpd_t)
+kernel_read_kernel_sysctls(mpd_t)
+
@@ -25739,6 +25824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+corenet_tcp_bind_soundd_port(mpd_t)
+
+dev_read_sound(mpd_t)
++dev_write_sound(mpd_t)
+dev_read_sysfs(mpd_t)
+
+files_read_usr_files(mpd_t)
@@ -25767,7 +25853,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+')
+
+optional_policy(`
-+ dbus_system_bus_client(mpd_t)
++ consolekit_dbus_chat(mpd_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(mpd_t)
+')
+
+optional_policy(`
@@ -25777,8 +25867,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+')
+
+optional_policy(`
++ rtkit_daemon_dontaudit_dbus_chat(mpd_t)
++')
++
++optional_policy(`
+ udev_read_db(mpd_t)
+')
++
++
++optional_policy(`
++ xserver_dontaudit_stream_connect(mpd_t)
++ xserver_dontaudit_read_xdm_pid(mpd_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.19/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/mta.fc 2010-08-17 15:06:26.581085303 +0200
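Review bot: Two consecutive blank lines are added before the xserver optional_policy block, where the rest of this new file separates blocks with a single blank line; drop one of them. The two xserver dontaudit calls also lack a comment saying which mpd output plugin probes the X server, so a short `# pulse/X probing by the output plugins, harmless` style note (naming the real cause) would help the next reader.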
@@ -26032,7 +26132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.19/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/mta.te 2010-12-03 10:28:21.175042789 +0100
++++ serefpolicy-3.7.19/policy/modules/services/mta.te 2011-01-04 15:53:26.314042349 +0100
@@ -21,8 +21,8 @@
type etc_mail_t;
files_config_file(etc_mail_t)
@@ -26044,7 +26144,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
type mqueue_spool_t;
files_mountpoint(mqueue_spool_t)
-@@ -57,15 +57,16 @@
+@@ -51,21 +51,24 @@
+
+ # newalias required this, not sure if it is needed in 'if' file
+ allow system_mail_t self:capability { dac_override fowner };
++allow system_mail_t self:process setsched;
++
+ allow system_mail_t self:fifo_file rw_fifo_file_perms;
+
+ read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
@@ -26065,7 +26173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
-@@ -75,10 +76,15 @@
+@@ -75,10 +78,15 @@
selinux_getattr_fs(system_mail_t)
@@ -26081,15 +26189,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
-@@ -89,6 +95,7 @@
+@@ -89,6 +97,7 @@
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
-+ apache_dontaudit_write_tmp_files(system_mail_t)
++ apache_dontaudit_rw_tmp_files(system_mail_t)
')
optional_policy(`
-@@ -100,6 +107,11 @@
+@@ -100,6 +109,11 @@
')
optional_policy(`
@@ -26101,7 +26209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
clamav_stream_connect(system_mail_t)
clamav_append_log(system_mail_t)
')
-@@ -107,6 +119,9 @@
+@@ -107,6 +121,9 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
@@ -26111,7 +26219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -120,12 +135,8 @@
+@@ -120,12 +137,8 @@
')
optional_policy(`
@@ -26125,7 +26233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -142,7 +153,12 @@
+@@ -142,7 +155,12 @@
')
optional_policy(`
@@ -26138,7 +26246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -154,18 +170,6 @@
+@@ -154,18 +172,6 @@
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
domain_use_interactive_fds(system_mail_t)
@@ -26157,7 +26265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -185,6 +189,10 @@
+@@ -185,6 +191,10 @@
')
optional_policy(`
@@ -26168,7 +26276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
smartmon_read_tmp_files(system_mail_t)
')
-@@ -216,7 +224,8 @@
+@@ -216,7 +226,8 @@
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -26178,7 +26286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-@@ -245,6 +254,10 @@
+@@ -245,6 +256,10 @@
mailman_read_data_symlinks(mailserver_delivery)
')
@@ -26189,7 +26297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
########################################
#
# User send mail local policy
-@@ -288,3 +301,33 @@
+@@ -288,3 +303,33 @@
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -32126,7 +32234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi
init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.7.19/policy/modules/services/radius.te
--- nsaserefpolicy/policy/modules/services/radius.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/radius.te 2010-08-30 19:31:22.527085108 +0200
++++ serefpolicy-3.7.19/policy/modules/services/radius.te 2011-01-03 10:47:38.474042362 +0100
@@ -37,7 +37,7 @@
# gzip also needs chown access to preserve GID for radwtmp files
allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
@@ -32136,7 +32244,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi
allow radiusd_t self:fifo_file rw_fifo_file_perms;
allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
allow radiusd_t self:tcp_socket create_stream_socket_perms;
-@@ -131,6 +131,7 @@
+@@ -79,6 +79,7 @@
+ corenet_udp_bind_radius_port(radiusd_t)
+ corenet_tcp_connect_mysqld_port(radiusd_t)
+ corenet_tcp_connect_snmp_port(radiusd_t)
++corenet_tcp_connect_postgresql_port(radiusd_t)
+ corenet_sendrecv_radius_server_packets(radiusd_t)
+ corenet_sendrecv_radacct_server_packets(radiusd_t)
+ corenet_sendrecv_mysqld_client_packets(radiusd_t)
+@@ -131,6 +132,7 @@
optional_policy(`
samba_read_var_files(radiusd_t)
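Review bot: corenet_tcp_connect_postgresql_port(radiusd_t) is added without the matching packet rule, while the mysqld connection a few lines up pairs corenet_tcp_connect_mysqld_port with corenet_sendrecv_mysqld_client_packets. Without the generated postgresql client-packets interface, the connection will still be denied on systems that label packets with secmark; add the postgresql counterpart of `corenet_sendrecv_mysqld_client_packets(radiusd_t)` next to the mysqld one.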
@@ -36031,7 +36147,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
gen_require(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.19/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/squid.te 2010-05-28 09:42:00.191611098 +0200
++++ serefpolicy-3.7.19/policy/modules/services/squid.te 2011-01-03 09:56:23.355040924 +0100
@@ -14,6 +14,13 @@
## </desc>
gen_tunable(squid_connect_any, false)
@@ -36077,7 +36193,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
optional_policy(`
apache_content_template(squid)
-@@ -186,8 +202,3 @@
+@@ -165,6 +181,7 @@
+ corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
+ corenet_all_recvfrom_netlabel(httpd_squid_script_t)
+ corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
++ corenet_tcp_connect_squid_port(httpd_squid_script_t)
+
+ sysnet_dns_name_resolve(httpd_squid_script_t)
+
+@@ -186,8 +203,3 @@
optional_policy(`
udev_read_db(squid_t)
')
@@ -36088,16 +36212,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.19/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.fc 2010-05-28 09:42:00.192610961 +0200
-@@ -1,4 +1,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/ssh.fc 2011-01-04 16:00:55.694041145 +0100
+@@ -1,4 +1,9 @@
HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
+
++/var/lib/amanda/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
++
+/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
-@@ -14,3 +17,6 @@
+@@ -14,3 +19,6 @@
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
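Review bot: Labelling `/var/lib/amanda/\.ssh(/.*)?` as `ssh_home_t` puts a system daemon's key directory in the same type as every user's `~/.ssh`, so any domain already granted read or manage access to ssh_home_t can reach whatever key material amanda keeps there, and the amanda domain itself needs ssh_home_t access to maintain it. If the intent is only that sshd can locate keys for the amanda account, a comment stating why the shared user type was chosen rather than a dedicated one would make the trade-off explicit, e.g. `# amanda's ssh keys share the user key type so sshd's existing rules apply`. The companion `amanda_search_lib(sshd_t)` lives in the ssh.te hunk further down.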
@@ -36472,7 +36598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2010-12-01 13:29:39.056062288 +0100
++++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-01-04 16:02:58.400042759 +0100
@@ -34,13 +34,12 @@
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
@@ -36560,7 +36686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
kernel_read_kernel_sysctls(ssh_keygen_t)
fs_search_auto_mountpoints(ssh_keygen_t)
-@@ -282,32 +287,39 @@
+@@ -282,36 +287,39 @@
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -36601,28 +36727,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
-',`
- userdom_spec_domtrans_unpriv_users(sshd_t)
- userdom_signal_unpriv_users(sshd_t)
-+')
-+
-+optional_policy(`
-+ daemontools_service_domain(sshd_t, sshd_exec_t)
')
optional_policy(`
-@@ -315,7 +327,12 @@
+- kerberos_keytab_template(sshd, sshd_t)
++ amanda_search_lib(sshd_t)
')
optional_policy(`
-- daemontools_service_domain(sshd_t, sshd_exec_t)
+@@ -319,10 +327,27 @@
+ ')
+
+ optional_policy(`
++ kerberos_keytab_template(sshd, sshd_t)
++')
++
++optional_policy(`
+ ftp_dyntransition_sftpd(sshd_t)
+ ftp_dyntransition_sftpd_anon(sshd_t)
+')
+
+optional_policy(`
+ gitosis_manage_lib_files(sshd_t)
- ')
-
- optional_policy(`
-@@ -323,6 +340,10 @@
++')
++
++optional_policy(`
+ inetd_tcp_service_domain(sshd_t, sshd_exec_t)
')
optional_policy(`
@@ -36633,7 +36763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
rpm_use_script_fds(sshd_t)
')
-@@ -333,10 +354,18 @@
+@@ -333,10 +358,18 @@
')
optional_policy(`
@@ -37525,7 +37655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-09-16 17:06:29.681386750 +0200
++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2011-01-07 14:27:09.212042336 +0100
@@ -1,5 +1,5 @@
-policy_module(virt, 1.3.2)
@@ -37786,7 +37916,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -370,6 +440,8 @@
+@@ -318,6 +388,10 @@
+ ')
+
+ optional_policy(`
++ dmidecode_domtrans(virtd_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(virtd_t)
+
+ optional_policy(`
+@@ -370,6 +444,8 @@
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
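Review bot: The new `dmidecode_domtrans(virtd_t)` block carries no comment saying which libvirt operation needs the transition; presumably host sysinfo/SMBIOS lookup, but that is inferred rather than shown here. A one-line comment above the call, such as `# libvirt invokes dmidecode for host sysinfo -- confirm`, would let the next maintainer judge whether the transition can be dropped. The surrounding optional_policy blocks start and end outside the hunk.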
@@ -37795,7 +37936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
optional_policy(`
-@@ -407,6 +479,19 @@
+@@ -407,6 +483,19 @@
allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
allow virt_domain self:tcp_socket create_stream_socket_perms;
@@ -37815,7 +37956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -427,6 +512,7 @@
+@@ -427,6 +516,7 @@
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@@ -37823,7 +37964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -434,10 +520,12 @@
+@@ -434,10 +524,12 @@
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -37836,7 +37977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -445,6 +533,11 @@
+@@ -445,6 +537,11 @@
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -37848,7 +37989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -462,8 +555,13 @@
+@@ -462,8 +559,13 @@
')
optional_policy(`
@@ -38026,7 +38167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.19/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-09-23 13:20:56.798386762 +0200
++++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2011-01-07 14:00:01.543041896 +0100
@@ -19,9 +19,10 @@
interface(`xserver_restricted_role',`
gen_require(`
@@ -38308,16 +38449,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -805,7 +867,7 @@
+@@ -805,7 +867,25 @@
')
files_search_pids($1)
- allow $1 xdm_var_run_t:file read_file_perms;
+ read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
++')
++
++#####################################
++## <summary>
++## Dontaudit Read XDM pid files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xserver_dontaudit_read_xdm_pid',`
++ gen_require(`
++ type xdm_var_run_t;
++ ')
++
++ dontaudit $1 xdm_var_run_t:file read_file_perms;
')
########################################
-@@ -897,7 +959,7 @@
+@@ -897,7 +977,7 @@
')
logging_search_logs($1)
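Review bot: The parameter summary of the new `xserver_dontaudit_read_xdm_pid` interface says `Domain allowed access.`, which is the wording for an allow interface; a dontaudit interface is documented with `Domain to not audit.`, as the other interface this same patch adds to xserver.if does. The separator above the new block is also shorter than the 40-column `########################################` used for the neighbouring interfaces. The summary would read more naturally as `Do not audit attempts to read XDM pid files.`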
@@ -38326,7 +38485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -916,7 +978,7 @@
+@@ -916,7 +996,7 @@
type xserver_log_t;
')
@@ -38335,7 +38494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -964,6 +1026,44 @@
+@@ -964,6 +1044,44 @@
########################################
## <summary>
@@ -38380,7 +38539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Read xdm temporary files.
## </summary>
## <param name="domain">
-@@ -1052,7 +1152,7 @@
+@@ -1052,7 +1170,7 @@
type xdm_tmp_t;
')
@@ -38389,7 +38548,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1210,7 +1310,7 @@
+@@ -1187,6 +1305,25 @@
+ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ ')
+
++#####################################
++## <summary>
++## Dontaudit attempts to connect to xserver
++## over an unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`xserver_dontaudit_stream_connect',`
++ gen_require(`
++ type xserver_t, xserver_tmp_t;
++ ')
++
++ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Read X server temporary files.
+@@ -1210,7 +1347,7 @@
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -38398,7 +38583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## </summary>
## <param name="domain">
## <summary>
-@@ -1224,9 +1324,20 @@
+@@ -1224,9 +1361,20 @@
class x_device all_x_device_perms;
class x_pointer all_x_pointer_perms;
class x_keyboard all_x_keyboard_perms;
@@ -38419,7 +38604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1250,3 +1361,330 @@
+@@ -1250,3 +1398,330 @@
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
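Review bot: `xserver_dontaudit_stream_connect` grants the access its name and summary say it merely silences: `stream_connect_pattern` expands to allow rules, so every domain that calls this interface obtains a working connection to the X server socket instead of a suppressed denial. The body should be dontaudit rules on the three objects the pattern touches: `dontaudit $1 xserver_tmp_t:dir search_dir_perms;`, `dontaudit $1 xserver_tmp_t:sock_file write;`, `dontaudit $1 xserver_t:unix_stream_socket connectto;`. The summary's `over an unix stream socket` should read `over a unix stream socket`.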
@@ -40597,7 +40782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-09-09 10:54:48.345085410 +0200
++++ serefpolicy-3.7.19/policy/modules/system/init.te 2011-01-07 14:44:25.100042432 +0100
@@ -1,5 +1,5 @@
-policy_module(init, 1.14.2)
@@ -40671,15 +40856,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file manage_file_perms;
-@@ -121,6 +139,7 @@
+@@ -121,6 +139,8 @@
corecmd_exec_bin(init_t)
dev_read_sysfs(init_t)
++dev_read_urand(init_t)
+dev_rw_generic_chr_files(init_t)
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
-@@ -169,6 +188,8 @@
+@@ -169,6 +189,8 @@
miscfiles_read_localization(init_t)
@@ -40688,7 +40874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
')
-@@ -192,10 +213,23 @@
+@@ -192,10 +214,23 @@
')
optional_policy(`
@@ -40712,7 +40898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
nscd_socket_use(init_t)
')
-@@ -213,7 +247,7 @@
+@@ -213,7 +248,7 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -40721,7 +40907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -242,6 +276,7 @@
+@@ -242,6 +277,7 @@
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -40729,7 +40915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -259,13 +294,22 @@
+@@ -259,13 +295,22 @@
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -40753,7 +40939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corenet_all_recvfrom_unlabeled(initrc_t)
corenet_all_recvfrom_netlabel(initrc_t)
-@@ -299,6 +343,7 @@
+@@ -299,6 +344,7 @@
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -40761,7 +40947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corecmd_exec_all_executables(initrc_t)
-@@ -325,8 +370,10 @@
+@@ -325,8 +371,10 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -40773,7 +40959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -342,6 +389,8 @@
+@@ -342,6 +390,8 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -40782,7 +40968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
-@@ -352,6 +401,8 @@
+@@ -352,6 +402,8 @@
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -40791,7 +40977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -364,6 +415,7 @@
+@@ -364,6 +416,7 @@
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -40799,7 +40985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
selinux_get_enforce_mode(initrc_t)
-@@ -395,15 +447,16 @@
+@@ -395,15 +448,16 @@
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -40818,7 +41004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
userdom_use_user_terminals(initrc_t)
-@@ -437,6 +490,10 @@
+@@ -437,6 +491,10 @@
dev_create_generic_dirs(initrc_t)
dev_delete_generic_dirs(initrc_t)
@@ -40829,7 +41015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# openrc uses tmpfs for its state data
fs_tmpfs_filetrans(initrc_t, initrc_state_t, { dir file fifo_file lnk_file })
-@@ -471,7 +528,7 @@
+@@ -471,7 +529,7 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -40838,7 +41024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -495,6 +552,12 @@
+@@ -495,6 +553,12 @@
fs_read_tmpfs_symlinks(initrc_t)
fs_rw_tmpfs_chr_files(initrc_t)
@@ -40851,7 +41037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
storage_manage_fixed_disk(initrc_t)
storage_dev_filetrans_fixed_disk(initrc_t)
storage_getattr_removable_dev(initrc_t)
-@@ -517,6 +580,23 @@
+@@ -517,6 +581,23 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -40875,7 +41061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -528,6 +608,8 @@
+@@ -528,6 +609,8 @@
optional_policy(`
sysnet_rw_dhcp_config(initrc_t)
sysnet_manage_config(initrc_t)
@@ -40884,7 +41070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -542,6 +624,35 @@
+@@ -542,6 +625,35 @@
')
')
@@ -40920,7 +41106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -554,6 +665,8 @@
+@@ -554,6 +666,8 @@
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -40929,7 +41115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -578,6 +691,11 @@
+@@ -578,6 +692,11 @@
')
optional_policy(`
@@ -40941,7 +41127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -594,6 +712,7 @@
+@@ -594,6 +713,7 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -40949,7 +41135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -695,7 +814,13 @@
+@@ -695,7 +815,13 @@
')
optional_policy(`
@@ -40963,7 +41149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -718,6 +843,10 @@
+@@ -718,6 +844,10 @@
')
optional_policy(`
@@ -40974,7 +41160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -739,6 +868,10 @@
+@@ -739,6 +869,10 @@
')
optional_policy(`
@@ -40985,7 +41171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -760,8 +893,6 @@
+@@ -760,8 +894,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -40994,7 +41180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -770,14 +901,21 @@
+@@ -770,14 +902,21 @@
')
optional_policy(`
@@ -41016,7 +41202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -790,6 +928,7 @@
+@@ -790,6 +929,7 @@
optional_policy(`
udev_rw_db(initrc_t)
@@ -41024,7 +41210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
udev_manage_pid_files(initrc_t)
')
-@@ -798,11 +937,19 @@
+@@ -798,11 +938,19 @@
')
optional_policy(`
@@ -41045,7 +41231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -812,6 +959,25 @@
+@@ -812,6 +960,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -41071,7 +41257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -837,3 +1003,35 @@
+@@ -837,3 +1004,35 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -41561,8 +41747,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.19/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/iscsi.te 2010-11-08 16:19:07.128446678 +0100
-@@ -77,9 +77,12 @@
++++ serefpolicy-3.7.19/policy/modules/system/iscsi.te 2011-01-03 08:55:36.369042409 +0100
+@@ -32,7 +32,9 @@
+ #
+
+ allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
++dontaudit iscsid_t self:capability { sys_ptrace };
+ allow iscsid_t self:process { setrlimit setsched signal };
++
+ allow iscsid_t self:fifo_file rw_fifo_file_perms;
+ allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow iscsid_t self:unix_dgram_socket create_socket_perms;
+@@ -65,6 +67,7 @@
+
+ kernel_read_network_state(iscsid_t)
+ kernel_read_system_state(iscsid_t)
++kernel_setsched(iscsid_t)
+
+ corenet_all_recvfrom_unlabeled(iscsid_t)
+ corenet_all_recvfrom_netlabel(iscsid_t)
+@@ -77,9 +80,12 @@
dev_rw_sysfs(iscsid_t)
dev_rw_userio_dev(iscsid_t)
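Review bot: The new `dontaudit iscsid_t self:capability { sys_ptrace };` gives no hint of what triggers the denial, unlike the trailing-comment style used elsewhere in this patch (`dontaudit initrc_t self:capability sys_module; # sysctl is triggering this`); add the trigger as a trailing comment so the dontaudit is not mistaken for a needed grant later. `kernel_setsched(iscsid_t)` is an allow, not a dontaudit, and lets iscsid change the scheduling of kernel threads, so it deserves a why-comment as well.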
@@ -41575,7 +41779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
files_read_etc_files(iscsid_t)
-@@ -92,5 +95,5 @@
+@@ -92,5 +98,5 @@
miscfiles_read_localization(iscsid_t)
optional_policy(`
@@ -41598,7 +41802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.
dev_read_sysfs(kdump_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.19/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-11-11 16:35:19.332397032 +0100
++++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2011-01-03 15:19:24.272041163 +0100
@@ -127,17 +127,23 @@
/usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -41668,7 +41872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
') dnl end distro_redhat
#
-@@ -319,14 +320,153 @@
+@@ -319,14 +320,155 @@
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -41821,6 +42025,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+/usr/local/lexmark/lxk08/lib(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/plugins/video_filter/libvideo_filter_wrapper_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nsr/(.*/)?.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/qutim/libplugman\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
+/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
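Review bot: `textrel_shlib_t` on `/usr/lib(64)?/qutim/libplugman\.so` permits execmod on that mapping, i.e. text relocations in memory that is both writable and executable; that is the standard accommodation for a library not built position-independent and is worth a comment so it can be removed once the package is rebuilt. The entry is otherwise consistent with the surrounding `--` file-only rules.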
@@ -41977,7 +42183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.19/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/logging.fc 2010-05-28 09:42:00.501610645 +0200
++++ serefpolicy-3.7.19/policy/modules/system/logging.fc 2011-01-03 10:28:54.454042244 +0100
@@ -17,6 +17,10 @@
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
@@ -41989,7 +42195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
/usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-@@ -54,14 +58,16 @@
+@@ -54,18 +58,24 @@
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
')
@@ -42010,9 +42216,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
-@@ -69,3 +75,5 @@
+ /var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0)
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
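Review bot: Labelling `/var/stockmaniac/templates_cache(/.*)?` as `var_log_t` makes what its name calls an application cache writable by every domain that manages generic logs and classifies the application's writes as system logs; the changelog says the path `contains log files`, but the directory name tells the next reader the opposite. A comment above the entry stating that the directory holds logs, or a dedicated type if it really is a cache, would keep it from being treated as mislabelled.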
@@ -44582,7 +44790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.19/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-10-05 17:05:56.764651628 +0200
++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2011-01-07 10:38:30.725042747 +0100
@@ -1,11 +1,18 @@
-policy_module(sysnetwork, 1.10.3)
@@ -44693,7 +44901,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -306,6 +338,8 @@
+@@ -291,6 +323,10 @@
+ term_dontaudit_use_ptmx(ifconfig_t)
+ term_dontaudit_use_generic_ptys(ifconfig_t)
+
++# needed in signle user mode in MLS
++# bug #667071
++term_read_console(ifconfig_t)
++
+ files_dontaudit_read_root_files(ifconfig_t)
+
+ init_use_fds(ifconfig_t)
+@@ -306,6 +342,8 @@
seutil_use_runinit_fds(ifconfig_t)
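Review bot: The comment above the new `term_read_console(ifconfig_t)` misspells single as `signle`; it should read `# needed in single user mode in MLS`. Keeping the `# bug #667071` reference is good, and a few words on what fails without the rule would spare readers the trip to the tracker.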
@@ -44702,7 +44921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
-@@ -328,6 +362,8 @@
+@@ -328,6 +366,8 @@
optional_policy(`
hal_dontaudit_rw_pipes(ifconfig_t)
hal_dontaudit_rw_dgram_sockets(ifconfig_t)
@@ -44711,7 +44930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
optional_policy(`
-@@ -348,6 +384,7 @@
+@@ -348,6 +388,7 @@
optional_policy(`
unconfined_dontaudit_rw_pipes(ifconfig_t)
@@ -44719,7 +44938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
optional_policy(`
-@@ -360,3 +397,9 @@
+@@ -360,3 +401,9 @@
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 50853c9..8baf4da 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 80%{?dist}
+Release: 81%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,17 @@ exit 0
%endif
%changelog
+* Fri Jan 7 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-81
+- Allow s-c-samba to read usr files
+- Make kernel_t domain MLS trusted for lowering the level of files
+- Add label for /var/lib/tftpboot/grub directory
+- Fixes for iscsi policy
+- Allow dmesg to read system state
+- squid apache script connects to the squid port
+- /var/stockmaniac/templates_cache contains log files
+- Allow radius to communicate with postgresql
+- Add transition from unconfined_java_t to wine_t
+
* Wed Dec 22 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-80
- Allow apache to read cobbler lib files