[selinux-policy/f13/master] - Allow newrole to run namespace - Add puppetmaster_uses_db boolean - Add oracle ports and allow apa
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Jan 18 17:47:20 UTC 2011
commit f0922f689400d2f9190ef5c8e406ebeed954cfdb
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Jan 18 18:47:17 2011 +0000
- Allow newrole to run namespace
- Add puppetmaster_uses_db boolean
- Add oracle ports and allow apache to connect to them when the connect_db boolean is enabled
- sandbox fixes
policy-F13.patch | 568 +++++++++++++++++++++++++++++++++++++--------------
selinux-policy.spec | 8 +-
2 files changed, 421 insertions(+), 155 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index cdb4f4a..cbd7ab5 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -33,7 +33,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 sere
.PP
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.19/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/global_tunables 2010-05-28 09:41:59.942610848 +0200
++++ serefpolicy-3.7.19/policy/global_tunables 2011-01-18 18:06:48.149053065 +0100
@@ -61,15 +61,6 @@
## <desc>
@@ -50,7 +50,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
## Allow any files/directories to be exported read/write via NFS.
## </p>
## </desc>
-@@ -104,3 +95,18 @@
+@@ -91,6 +82,13 @@
+
+ ## <desc>
+ ## <p>
++## Support fusefs home directories
++## </p>
++## </desc>
++gen_tunable(use_fusefs_home_dirs,false)
++
++## <desc>
++## <p>
+ ## Support SAMBA home directories
+ ## </p>
+ ## </desc>
+@@ -104,3 +102,18 @@
## </p>
## </desc>
gen_tunable(user_tcp_server,false)
@@ -7221,13 +7235,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.19/policy/modules/apps/sandbox.fc
--- nsaserefpolicy/policy/modules/apps/sandbox.fc 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.fc 2010-05-28 09:42:00.003610619 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.fc 2011-01-18 16:44:18.484041288 +0100
@@ -0,0 +1 @@
-+# No types are sandbox_exec_t
++/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.19/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-09-23 13:00:53.092386606 +0200
-@@ -0,0 +1,338 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2011-01-18 17:53:26.407042087 +0100
+@@ -0,0 +1,332 @@
+
+## <summary>policy for sandbox</summary>
+
@@ -7312,10 +7326,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ gen_require(`
+ attribute sandbox_domain;
+ attribute sandbox_file_type;
-+ attribute sandbox_x_type;
+ ')
+
-+ type $1_t, sandbox_domain, sandbox_x_type;
++ type $1_t, sandbox_domain;
+ application_type($1_t)
+
+ mls_rangetrans_target($1_t)
@@ -7335,7 +7348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+########################################
+## <summary>
+## Creates types and rules for a basic
-+## qemu process domain.
++## sandbox process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
@@ -7347,11 +7360,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ gen_require(`
+ type xserver_exec_t, sandbox_devpts_t;
+ type sandbox_xserver_t;
++ type sandbox_exec_t;
+ attribute sandbox_domain, sandbox_x_domain;
+ attribute sandbox_file_type, sandbox_tmpfs_type;
++ attribute sandbox_type;
+ ')
+
-+ type $1_t, sandbox_x_domain;
++ type $1_t, sandbox_x_domain, sandbox_type;
+ application_type($1_t)
+ mcs_untrusted_proc($1_t)
+
@@ -7365,11 +7380,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
+ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
+
-+ type $1_devpts_t;
-+ term_pty($1_devpts_t)
-+ term_create_pty($1_t, $1_devpts_t)
-+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
-+
+ # window manager
+ miscfiles_setattr_fonts_cache_dirs($1_t)
+ allow $1_t self:capability setuid;
@@ -7381,12 +7391,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ type $1_client_tmpfs_t, sandbox_tmpfs_type;
+ files_tmpfs_file($1_client_tmpfs_t)
+
-+ term_search_ptys($1_t)
-+ allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr };
-+ term_create_pty($1_client_t,sandbox_devpts_t)
-+
+ manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
++ manage_files_pattern($1_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
+ fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
++ fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file )
+ # Pulseaudio tmpfs files with different MCS labels
+ dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
+ allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
@@ -7568,8 +7576,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-12-01 12:29:50.015042537 +0100
-@@ -0,0 +1,426 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2011-01-18 16:43:18.742041999 +0100
+@@ -0,0 +1,450 @@
+policy_module(sandbox,1.0.0)
+
+dbus_stub()
@@ -7578,7 +7586,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+attribute sandbox_file_type;
+attribute sandbox_web_type;
+attribute sandbox_tmpfs_type;
-+attribute sandbox_x_type;
++attribute sandbox_type;
++
++type sandbox_exec_t;
++files_type(sandbox_exec_t)
+
+########################################
+#
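Review bot: `sandbox_exec_t` is declared with `files_type()`, yet the sandbox.fc hunk above labels an executable (`/usr/share/sandbox/start`) with it and the `sandbox_x_domain_template` hunk in sandbox.if now requires the type, presumably for an exec or entrypoint rule that sits outside the visible hunks. If the type is meant to be executed or to serve as a domain-transition entrypoint, the conventional declaration is `application_executable_file(sandbox_exec_t)` (or `application_domain($1_t, sandbox_exec_t)` inside the template), which also gives it the standard exec-file attribute other interfaces key on. The new `sandbox_type` attribute is declared here but nothing in the hunks says what it groups; judging by the template it appears to collect the per-instance X sandbox domains, so a one-line comment such as `# per-instance sandbox X domains (assigned in sandbox_x_domain_template)` would help.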
@@ -7643,6 +7654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+files_search_home(sandbox_xserver_t)
+fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
+fs_list_inotifyfs(sandbox_xserver_t)
++fs_search_auto_mountpoints(sandbox_xserver_t)
+
+miscfiles_read_fonts(sandbox_xserver_t)
+miscfiles_read_localization(sandbox_xserver_t)
@@ -7676,7 +7688,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+# sandbox local policy
+#
+
-+## internal communication is often done using fifo and unix sockets.
+allow sandbox_domain self:fifo_file manage_file_perms;
+allow sandbox_domain self:sem create_sem_perms;
+allow sandbox_domain self:shm create_shm_perms;
@@ -7725,7 +7736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
+
+allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem };
-+dontaudit sandbox_x_domain self:process signal;
++dontaudit sandbox_x_domain sandbox_x_domain:process signal;
+dontaudit sandbox_x_domain sandbox_xserver_t:process signal;
+
+allow sandbox_x_domain self:shm create_shm_perms;
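Review bot: Changing the dontaudit target from `self` to the `sandbox_x_domain` attribute changes its meaning: the old rule silenced self-signals, which the `allow sandbox_x_domain self:process { signal_perms … }` line just above already permits, so it was dead; the new rule silences signal attempts between distinct sandbox instances, for which no allow is visible. That is a reasonable intent, but `sandbox_x_domain sandbox_x_domain:process signal` is easy to misread as a self rule, so a comment such as `# signals between separate sandbox instances are not permitted; silence the denials` would make it explicit.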
@@ -7734,6 +7745,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
++allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr };
++term_create_pty(sandbox_x_domain,sandbox_devpts_t)
++
+domain_dontaudit_read_all_domains_state(sandbox_x_domain)
+
+files_search_home(sandbox_x_domain)
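Review bot: The new rules give every `sandbox_x_domain` `rw_term_perms setattr` on the shared `sandbox_devpts_t` and let it create ptys of that type, replacing the per-instance `$1_devpts_t` types that the two template hunks in sandbox.if remove. Type enforcement therefore no longer separates the ptys of different sandbox instances; isolation between them now rests on MCS categories alone (the template calls `mcs_untrusted_proc`, which presumably relies on distinct categories per instance — confirm). A comment stating that trade-off next to these lines, e.g. `# ptys are shared across sandbox instances; separation is by MCS category only`, would keep a later reader from assuming TE isolation or re-adding per-instance types.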
@@ -7773,18 +7787,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+term_getattr_pty_fs(sandbox_x_domain)
+term_use_ptmx(sandbox_x_domain)
++term_search_ptys(sandbox_x_domain)
++
++application_dontaudit_signal(sandbox_x_domain)
++application_dontaudit_sigkill(sandbox_x_domain)
+
+logging_send_syslog_msg(sandbox_x_domain)
+logging_dontaudit_search_logs(sandbox_x_domain)
+
+miscfiles_read_fonts(sandbox_x_domain)
+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_search_nfs(sandbox_x_domain)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_search_cifs(sandbox_x_domain)
++optional_policy(`
++ consolekit_dbus_chat(sandbox_x_domain)
+')
+
+optional_policy(`
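Review bot: `consolekit_dbus_chat` is added here for the whole `sandbox_x_domain` attribute while the same call is removed from `sandbox_web_type` further down in this file, so the grant widens from web sandboxes to every X sandbox instance. If that is intended it deserves a short comment on this block (e.g. `# all X sandboxes talk to consolekit over the session bus`); otherwise it should stay on `sandbox_web_type`. The `use_nfs_home_dirs`/`use_samba_home_dirs` search rules dropped here reappear later in the file with manage permissions, so no access is lost by this hunk itself.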
@@ -7816,7 +7830,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+userdom_read_user_home_content_symlinks(sandbox_x_domain)
+userdom_search_user_home_content(sandbox_x_domain)
+
-+#============= sandbox_x_t ==============
++tunable_policy(`use_nfs_home_dirs',`
++ fs_search_auto_mountpoints(sandbox_x_domain)
++ fs_search_nfs(sandbox_xserver_t)
++ fs_read_nfs_files(sandbox_xserver_t)
++ fs_manage_nfs_dirs(sandbox_x_domain)
++ fs_manage_nfs_files(sandbox_x_domain)
++ fs_exec_nfs_files(sandbox_x_domain)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_search_cifs(sandbox_xserver_t)
++ fs_read_cifs_files(sandbox_xserver_t)
++ fs_manage_cifs_dirs(sandbox_x_domain)
++ fs_manage_cifs_files(sandbox_x_domain)
++ fs_exec_cifs_files(sandbox_x_domain)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_search_fusefs(sandbox_xserver_t)
++ fs_read_fusefs_files(sandbox_xserver_t)
++ fs_manage_fusefs_dirs(sandbox_x_domain)
++ fs_manage_fusefs_files(sandbox_x_domain)
++ fs_exec_fusefs_files(sandbox_x_domain)
++')
++
+files_search_home(sandbox_x_t)
+userdom_use_user_ptys(sandbox_x_t)
+
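Review bot: Under `use_nfs_home_dirs`, `use_samba_home_dirs` and the new `use_fusefs_home_dirs`, `sandbox_x_domain` receives manage and exec permissions on `nfs_t`, `cifs_t` and `fusefs_t` as a whole, not only on home directories, because each of those filesystems is a single type; a sandbox on such a host can then read, write and execute anything on any NFS, CIFS or FUSE mount, which is far wider than the search-only rules these blocks replace. That is inherent to the tunables, but a comment making it visible, e.g. `# nfs_t/cifs_t/fusefs_t are not per-user types: the sandbox gains manage/exec over the whole mount`, would let administrators weigh the trade-off when enabling them. The three blocks are also not parallel: only the NFS block calls `fs_search_auto_mountpoints(sandbox_x_domain)`; confirm whether its absence from the CIFS and FUSE blocks is deliberate.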
@@ -7850,7 +7888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+allow sandbox_web_t self:process setsched;
+
+optional_policy(`
-+ nsplugin_read_rw_files(sandbox_web_t)
++ nsplugin_read_rw_files(sandbox_web_t)
+')
+
+########################################
@@ -7876,7 +7914,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+dev_write_sound(sandbox_web_type)
+dev_read_sound(sandbox_web_type)
+
-+# Browse the web, connect to printer
+corenet_all_recvfrom_unlabeled(sandbox_web_type)
+corenet_all_recvfrom_netlabel(sandbox_web_type)
+corenet_tcp_sendrecv_all_if(sandbox_web_type)
@@ -7906,14 +7943,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+corenet_sendrecv_ftp_client_packets(sandbox_web_type)
+corenet_sendrecv_ipp_client_packets(sandbox_web_type)
+corenet_sendrecv_generic_client_packets(sandbox_web_type)
-+# Should not need other ports
++
+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)
+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)
+
+files_dontaudit_getattr_all_dirs(sandbox_web_type)
+files_dontaudit_list_mnt(sandbox_web_type)
+
-+#fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)
++# the bug in pulseaudiot, needed by fedora13
+fs_rw_anon_inodefs_files(sandbox_web_type)
+fs_dontaudit_getattr_all_fs(sandbox_web_type)
+
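Review bot: The replacement comment `# the bug in pulseaudiot, needed by fedora13` has a typo and does not say what the rule works around or when it can go away. Suggest `# workaround for a pulseaudio bug on Fedora 13: it needs read/write on anon_inodefs files`, so the next maintainer knows when `fs_rw_anon_inodefs_files` can be dropped again in favour of the dontaudit it replaced.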
@@ -7943,17 +7980,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
+
+optional_policy(`
-+ consolekit_dbus_chat(sandbox_web_type)
-+')
-+
-+optional_policy(`
+ hal_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+ nsplugin_read_rw_files(sandbox_web_type)
+ nsplugin_rw_exec(sandbox_web_type)
-+# nsplugin_manage_rw(sandbox_web_type)
+')
+
+optional_policy(`
@@ -8009,7 +8041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.f
# /usr
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.19/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/screen.if 2011-01-14 14:39:47.869062903 +0100
++++ serefpolicy-3.7.19/policy/modules/apps/screen.if 2011-01-18 16:05:04.096041318 +0100
@@ -64,6 +64,9 @@
files_pid_filetrans($1_screen_t, screen_var_run_t, dir)
@@ -8020,6 +8052,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i
read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+@@ -113,6 +116,7 @@
+ dev_read_urand($1_screen_t)
+
+ domain_use_interactive_fds($1_screen_t)
++ domain_sigchld_interactive_fds($1_screen_t)
+
+ files_search_tmp($1_screen_t)
+ files_search_home($1_screen_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.19/policy/modules/apps/seunshare.if
--- nsaserefpolicy/policy/modules/apps/seunshare.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/apps/seunshare.if 2010-05-28 09:42:00.006611051 +0200
@@ -9331,7 +9371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2011-01-03 14:29:17.539042734 +0100
++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2011-01-17 10:37:03.828041865 +0100
@@ -25,6 +25,7 @@
#
type tun_tap_device_t;
@@ -9400,7 +9440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
-@@ -124,40 +132,55 @@
+@@ -124,40 +132,56 @@
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@@ -9435,6 +9475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(nmbd, udp,137,s0, udp,138,s0)
network_port(ntp, udp,123,s0)
+network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0)
++network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
network_port(ocsp, tcp,9080,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
network_port(pegasus_http, tcp,5988,s0)
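Review bot: The new `oracle` port line breaks two conventions of corenetwork.te.in: the list is alphabetical and `oracle` is inserted between `ntop` and `ocsp` instead of after `openvpn`, and its argument spacing (`tcp, 1521,s0,udp, 1521,s0`) differs from the `tcp,1521,s0, udp,1521,s0` form used on every surrounding line. Suggested line, placed after the `openvpn` entry: `network_port(oracle, tcp,1521,s0, udp,1521,s0, tcp,2483,s0, udp,2483,s0, tcp,2484,s0, udp,2484,s0)`.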
@@ -9458,7 +9499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -177,18 +200,22 @@
+@@ -177,18 +201,22 @@
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0)
network_port(sap, tcp,9875,s0, udp,9875,s0)
@@ -9482,7 +9523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-@@ -201,23 +228,23 @@
+@@ -201,23 +229,23 @@
network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -9512,7 +9553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
########################################
#
-@@ -266,5 +293,5 @@
+@@ -266,5 +294,5 @@
allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
# Bind to any network address.
@@ -9583,7 +9624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.19/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-10-18 15:39:59.101902148 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2011-01-18 17:18:36.853041461 +0100
@@ -407,7 +407,7 @@
########################################
@@ -9771,7 +9812,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Delete all block device files.
## </summary>
## <param name="domain">
-@@ -2042,6 +2177,24 @@
+@@ -1823,6 +1958,24 @@
+ read_chr_files_pattern($1, device_t, kmsg_device_t)
+ ')
+
++#######################################
++## <summary>
++## Do not audit attempts to read the kernel messages
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`dev_dontaudit_read_kmsg',`
++ gen_require(`
++ type kmsg_device_t;
++ ')
++
++ dontaudit $1 kmsg_device_t:chr_file read;
++')
++
+ ########################################
+ ## <summary>
+ ## Write to the kernel messages device
+@@ -2042,6 +2195,24 @@
########################################
## <summary>
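Review bot: The banner above the new `dev_dontaudit_read_kmsg` interface appears one character shorter than the 40-`#` banners of the neighbouring interfaces, and the same applies to the `fs_exec_fusefs_files` banner added in filesystem.if and the `kernel_rw_unlabeled_socket` banner added in kernel.if by this commit. The summary here also names the action loosely; `## Do not audit attempts to read the kernel messages device.` matches the wording of the `dev_read_kmsg`/`dev_write_kmsg` summaries it sits between. Cosmetic, but these blocks are what the interface documentation is generated from, so keeping them uniform is worth the small edit.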
@@ -9796,7 +9862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Read the lvm comtrol device.
## </summary>
## <param name="domain">
-@@ -2597,6 +2750,7 @@
+@@ -2597,6 +2768,7 @@
type mtrr_device_t;
')
@@ -9804,7 +9870,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
dontaudit $1 mtrr_device_t:chr_file write;
')
-@@ -2875,24 +3029,6 @@
+@@ -2875,24 +3047,6 @@
########################################
## <summary>
@@ -9829,7 +9895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Get the attributes of the QEMU
## microcode and id interfaces.
## </summary>
-@@ -3440,6 +3576,24 @@
+@@ -3440,6 +3594,24 @@
########################################
## <summary>
@@ -9854,7 +9920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Get the attributes of sysfs directories.
## </summary>
## <param name="domain">
-@@ -3733,6 +3887,42 @@
+@@ -3733,6 +3905,42 @@
########################################
## <summary>
@@ -9897,7 +9963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
-@@ -3905,6 +4095,24 @@
+@@ -3905,6 +4113,24 @@
########################################
## <summary>
@@ -11450,7 +11516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-09-16 17:07:16.826386994 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2011-01-18 17:41:41.159293424 +0100
@@ -559,6 +559,24 @@
########################################
@@ -11489,10 +11555,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
- allow $1 cifs_t:filesystem getattr;
--')
--
--########################################
--## <summary>
++ allow $1 cgroup_t:filesystem getattr;
+ ')
+
+ ########################################
+ ## <summary>
-## list dirs on cgroup
-## file systems.
-## </summary>
@@ -11509,11 +11576,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
- ')
-
- list_dirs_pattern($1, cgroup_t, cgroup_t)
-+ allow $1 cgroup_t:filesystem getattr;
- ')
-
- ########################################
- ## <summary>
+-')
+-
+-########################################
+-## <summary>
-## Do not audit attempts to read
-## dirs on a CIFS or SMB filesystem.
+## list dirs on cgroup
@@ -11705,7 +11771,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
#######################################
## <summary>
## Create, read, write, and delete dirs
-@@ -1831,6 +1938,25 @@
+@@ -1790,6 +1897,25 @@
+ manage_files_pattern($1, fusefs_t, fusefs_t)
+ ')
+
++######################################
++## <summary>
++## Execute files on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_exec_fusefs_files',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ allow $1 fusefs_t:dir list_dir_perms;
++ exec_files_pattern($1, fusefs_t, fusefs_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Do not audit attempts to create,
+@@ -1831,6 +1957,25 @@
########################################
## <summary>
@@ -11731,7 +11823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Read and write hugetlbfs files.
## </summary>
## <param name="domain">
-@@ -1847,6 +1973,24 @@
+@@ -1847,6 +1992,24 @@
rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
')
@@ -11756,7 +11848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
########################################
## <summary>
## Allow the type to associate to hugetlbfs filesystems.
-@@ -1899,6 +2043,7 @@
+@@ -1899,6 +2062,7 @@
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -11764,7 +11856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
########################################
-@@ -2295,6 +2440,25 @@
+@@ -2295,6 +2459,25 @@
########################################
## <summary>
@@ -11790,7 +11882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Append files
## on a NFS filesystem.
## </summary>
-@@ -2333,6 +2497,24 @@
+@@ -2333,6 +2516,24 @@
dontaudit $1 nfs_t:file append_file_perms;
')
@@ -11815,7 +11907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
########################################
## <summary>
## Do not audit attempts to read or
-@@ -2349,7 +2531,7 @@
+@@ -2349,7 +2550,7 @@
type nfs_t;
')
@@ -11824,7 +11916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
########################################
-@@ -2537,6 +2719,24 @@
+@@ -2537,6 +2738,24 @@
########################################
## <summary>
@@ -11849,7 +11941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Read removable storage symbolic links.
## </summary>
## <param name="domain">
-@@ -2745,7 +2945,7 @@
+@@ -2745,7 +2964,7 @@
#########################################
## <summary>
## Create, read, write, and delete symbolic links
@@ -11858,7 +11950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## </summary>
## <param name="domain">
## <summary>
-@@ -3812,6 +4012,24 @@
+@@ -3812,6 +4031,24 @@
rw_files_pattern($1, tmpfs_t, tmpfs_t)
')
@@ -11883,7 +11975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
########################################
## <summary>
## Read tmpfs link files.
-@@ -3870,6 +4088,24 @@
+@@ -3870,6 +4107,24 @@
########################################
## <summary>
@@ -11908,7 +12000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4432,6 +4668,44 @@
+@@ -4432,6 +4687,44 @@
########################################
## <summary>
@@ -11953,7 +12045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Do not audit attempts to get the attributes
## of all files with a filesystem type.
## </summary>
-@@ -4549,3 +4823,24 @@
+@@ -4549,3 +4842,24 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
@@ -12020,7 +12112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.19/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-05-28 09:42:00.038610838 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2011-01-18 18:03:04.576041170 +0100
@@ -534,6 +534,37 @@
########################################
@@ -12118,7 +12210,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
## Do not audit attempts by caller to get the
## attributes of an unlabeled file.
## </summary>
-@@ -2792,6 +2859,24 @@
+@@ -2325,6 +2392,24 @@
+ allow $1 unlabeled_t:blk_file getattr;
+ ')
+
++#######################################
++## <summary>
++## Read and write unlabeled sockets.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_rw_unlabeled_socket',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:socket rw_socket_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Do not audit attempts by caller to get attributes for
+@@ -2792,6 +2877,24 @@
########################################
## <summary>
@@ -12143,7 +12260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
-@@ -2807,3 +2892,23 @@
+@@ -2807,3 +2910,23 @@
typeattribute $1 kern_unconfined;
')
@@ -12169,7 +12286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.19/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.te 2011-01-07 10:48:13.921042668 +0100
++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.te 2011-01-18 18:00:20.345042656 +0100
@@ -46,15 +46,6 @@
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -12211,7 +12328,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -256,7 +258,8 @@
+@@ -229,6 +231,8 @@
+ # connections with invalidated labels:
+ allow kernel_t unlabeled_t:packet send;
+
++kernel_rw_unlabeled_socket(kernel_t)
++
+ # Allow unlabeled network traffic
+ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+ corenet_in_generic_if(unlabeled_t)
+@@ -256,7 +260,8 @@
selinux_load_policy(kernel_t)
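Review bot: `kernel_rw_unlabeled_socket(kernel_t)` grants kernel_t read/write on every object of class `socket` labelled `unlabeled_t`, and nothing in the hunk records why. Unlabeled sockets usually mean a socket was created without a labelling rule (a new protocol family, or a missing transition), so the durable fix is to label them rather than to widen kernel_t; if this is a stop-gap, say so. A comment such as `# kernel_t is denied rw on unlabeled sockets created by <family — TODO fill in>; remove once they are labelled` would let the rule be retired later.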
@@ -12221,7 +12347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -270,19 +273,30 @@
+@@ -270,19 +275,30 @@
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -12252,7 +12378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
optional_policy(`
hotplug_search_config(kernel_t)
')
-@@ -359,6 +373,10 @@
+@@ -359,6 +375,10 @@
unconfined_domain_noaudit(kernel_t)
')
@@ -16166,7 +16292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-12-22 10:20:47.020041345 +0100
++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2011-01-18 17:21:06.301042684 +0100
@@ -19,11 +19,13 @@
# Declarations
#
@@ -16489,14 +16615,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ corenet_sendrecv_pop_client_packets(httpd_t)
mta_send_mail(httpd_t)
+ mta_signal(httpd_t)
- ')
-
++')
++
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
-+')
-+
+ ')
+
+tunable_policy(`httpd_setrlimit',`
+ allow httpd_t self:process setrlimit;
+ allow httpd_t self:capability sys_resource;
@@ -16641,7 +16767,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -699,17 +892,18 @@
+@@ -667,6 +860,17 @@
+ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_mssql_port(httpd_suexec_t)
+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
++
++
++ corenet_tcp_connect_oracle_port(httpd_t)
++ corenet_sendrecv_oracle_client_packets(httpd_t)
++ corenet_tcp_connect_oracle_port(httpd_php_t)
++ corenet_tcp_connect_oracle_port(httpd_suexec_t)
++ corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
++ corenet_sendrecv_oracle_client_packets(httpd_php_t)
++ corenet_tcp_connect_oracle_port(httpd_sys_script_t)
++ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
++
+ ')
+
+ optional_policy(`
+@@ -699,17 +903,18 @@
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
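Review bot: The eight new oracle lines are ordered by neither domain nor interface (httpd_t connect, httpd_t packets, httpd_php_t connect, httpd_suexec_t connect, httpd_suexec_t packets, httpd_php_t packets, then httpd_sys_script_t) and are framed by two leading and one trailing blank line, unlike the mssql block directly above, which pairs `corenet_tcp_connect_*_port` with `corenet_sendrecv_*_client_packets` per domain and uses no blank lines. Suggest reordering them as four connect/packets pairs in the order httpd_t, httpd_php_t, httpd_suexec_t, httpd_sys_script_t, with a single blank line before the block. The enclosing tunable block (presumably `httpd_can_network_connect_db`, matching the commit message) starts outside the hunk.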
@@ -16663,7 +16807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +934,21 @@
+@@ -740,10 +945,21 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -16686,7 +16830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +974,12 @@
+@@ -769,6 +985,12 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -16699,7 +16843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
-@@ -791,10 +1002,15 @@
+@@ -791,10 +1013,15 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -16715,7 +16859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,6 +1019,28 @@
+@@ -803,6 +1030,28 @@
mta_send_mail(httpd_sys_script_t)
')
@@ -16744,7 +16888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -830,6 +1068,16 @@
+@@ -830,6 +1079,16 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -16761,7 +16905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,6 +1090,7 @@
+@@ -842,6 +1101,7 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -16769,7 +16913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -891,11 +1140,33 @@
+@@ -891,11 +1151,33 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -22399,8 +22543,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.te serefpolicy-3.7.19/policy/modules/services/dirsrv.te
--- nsaserefpolicy/policy/modules/services/dirsrv.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/dirsrv.te 2010-12-01 11:30:49.108042385 +0100
-@@ -0,0 +1,176 @@
++++ serefpolicy-3.7.19/policy/modules/services/dirsrv.te 2011-01-14 16:32:12.778042378 +0100
+@@ -0,0 +1,180 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@@ -22568,6 +22712,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs
+sysnet_dns_name_resolve(dirsrv_snmp_t)
+
+optional_policy(`
++ kerberos_use(dirsrv_t)
++')
++
++optional_policy(`
+ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
+ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
+ snmp_append_snmp_var_lib_files(dirsrv_snmp_t)
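Review bot: `kerberos_use(dirsrv_t)` is inserted between `sysnet_dns_name_resolve(dirsrv_snmp_t)` and the snmp optional_policy block, i.e. in what the surrounding lines show to be the dirsrv_snmp_t section, so anyone auditing dirsrv_t's rules will not find it there. Move the block up beside the other dirsrv_t optional_policy entries (the dirsrv_t section begins before this hunk) and keep the dirsrv_snmp_t section homogeneous. A why-comment such as `# GSSAPI/Kerberos binds to the directory server` would also record the reason for the grant, which neither the hunk nor the changelog states.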
@@ -26881,7 +27029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.19/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/mysql.te 2010-11-15 10:41:35.381147405 +0100
++++ serefpolicy-3.7.19/policy/modules/services/mysql.te 2011-01-17 10:32:43.704041892 +0100
@@ -65,6 +65,7 @@
manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
@@ -26890,7 +27038,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
-@@ -157,6 +158,7 @@
+@@ -86,6 +87,9 @@
+ kernel_read_system_state(mysqld_t)
+ kernel_read_kernel_sysctls(mysqld_t)
+
++corecmd_exec_bin(mysqld_t)
++corecmd_exec_shell(mysqld_t)
++
+ corenet_all_recvfrom_unlabeled(mysqld_t)
+ corenet_all_recvfrom_netlabel(mysqld_t)
+ corenet_tcp_sendrecv_generic_if(mysqld_t)
+@@ -157,6 +161,7 @@
allow mysqld_safe_t self:capability { chown dac_override fowner kill };
dontaudit mysqld_safe_t self:capability sys_ptrace;
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
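Review bot: `corecmd_exec_bin(mysqld_t)` and `corecmd_exec_shell(mysqld_t)` let the network-facing mysqld domain execute any bin_t program and any shell, and nothing in the hunk or the changelog says which mysqld feature needs it. For a daemon that takes untrusted network input this is a large widening of what an attacker who gains control of the process can do, so add a why-comment above the two lines naming the trigger, e.g. `# mysqld execs <helper> for <feature>; keep this scoped`, or transition to the specific helper's domain if one exists. If the need is only at startup, it may belong in mysqld_safe_t, which already runs external tools (see the hostname_exec(mysqld_safe_t) line later in the file). mysqld_t's rules continue on both sides of the hunk.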
@@ -26898,7 +27056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-@@ -176,6 +178,7 @@
+@@ -176,6 +181,7 @@
domain_read_all_domains_state(mysqld_safe_t)
@@ -26906,7 +27064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
files_read_etc_files(mysqld_safe_t)
files_read_usr_files(mysqld_safe_t)
files_dontaudit_getattr_all_dirs(mysqld_safe_t)
-@@ -184,6 +187,8 @@
+@@ -184,6 +190,8 @@
hostname_exec(mysqld_safe_t)
@@ -31852,8 +32010,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.7.19/policy/modules/services/puppet.te
--- nsaserefpolicy/policy/modules/services/puppet.te 2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/puppet.te 2010-11-10 09:56:12.468147284 +0100
-@@ -192,7 +192,14 @@
++++ serefpolicy-3.7.19/policy/modules/services/puppet.te 2011-01-17 10:29:24.948041219 +0100
+@@ -14,6 +14,13 @@
+ ## </desc>
+ gen_tunable(puppet_manage_all_files, false)
+
++## <desc>
++## <p>
++## Alow Pupper master to use connect to mysql and postgresql database
++## </p>
++## </desc>
++gen_tunable(puppetmaster_use_db, false)
++
+ type puppet_t;
+ type puppet_exec_t;
+ init_daemon_domain(puppet_t, puppet_exec_t)
+@@ -192,7 +199,14 @@
manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
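Review bot: The boolean is defined as `puppetmaster_use_db` on the gen_tunable line, but the commit message and the spec changelog entry (`- Add puppetmaster_uses_db boolean`) call it `puppetmaster_uses_db`; an administrator who copies the name from the changelog will have setsebool reject it, so one side should be changed to match the other. The description also has typos and a stray word; replace `## Alow Pupper master to use connect to mysql and postgresql database` with `## Allow Puppet master to connect to the MySQL and PostgreSQL database sockets`. This text is what the boolean tooling shows to users, so it is worth getting right before release.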
@@ -31868,7 +32040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
kernel_read_system_state(puppetmaster_t)
kernel_read_crypto_sysctls(puppetmaster_t)
-@@ -218,10 +225,13 @@
+@@ -218,10 +232,25 @@
logging_send_syslog_msg(puppetmaster_t)
miscfiles_read_localization(puppetmaster_t)
@@ -31879,10 +32051,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
+mta_send_mail(puppetmaster_t)
+
++optional_policy(`
++ tunable_policy(`puppetmaster_use_db',`
++ mysql_stream_connect(puppetmaster_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`puppetmaster_use_db',`
++ postgresql_stream_connect(puppetmaster_t)
++ ')
++')
++
optional_policy(`
hostname_exec(puppetmaster_t)
')
-@@ -232,3 +242,8 @@
+@@ -232,3 +261,8 @@
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
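Review bot: Under `puppetmaster_use_db` the new blocks grant only `mysql_stream_connect` and `postgresql_stream_connect`, whereas the apache policy in this same patch pairs `mysql_stream_connect(httpd_sys_script_t)` with `mysql_rw_db_sockets(httpd_sys_script_t)`; if the mysqld socket lives under the database directory on Fedora, the puppetmaster boolean will presumably still leave a denial on that socket, so consider adding `mysql_rw_db_sockets(puppetmaster_t)` inside the mysql block. The tunable description promises connecting to "mysql and postgresql database", but no TCP port rule is granted, so a remote database is not covered; either add the TCP connect interfaces from mysql.if/postgresql.if (mysql_tcp_connect / postgresql_tcp_connect, if present in this tree) or narrow the wording to local sockets. puppetmaster_t's section continues outside the hunk.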
@@ -35943,7 +36127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.19/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/spamassassin.te 2010-07-21 09:36:37.293135266 +0200
++++ serefpolicy-3.7.19/policy/modules/services/spamassassin.te 2011-01-18 15:53:51.928042302 +0100
@@ -20,6 +20,35 @@
## </desc>
gen_tunable(spamd_enable_home_dirs, true)
@@ -36029,7 +36213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
')
########################################
-@@ -207,16 +253,33 @@
+@@ -207,16 +253,35 @@
allow spamc_t self:unix_stream_socket connectto;
allow spamc_t self:tcp_socket create_stream_socket_perms;
allow spamc_t self:udp_socket create_socket_perms;
@@ -36060,10 +36244,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
kernel_read_kernel_sysctls(spamc_t)
+kernel_read_system_state(spamc_t)
++
++corecmd_exec_bin(spamc_t)
corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
-@@ -246,9 +309,16 @@
+@@ -246,9 +311,16 @@
files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)
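Review bot: `corecmd_exec_bin(spamc_t)` is an unconditional grant to execute every bin_t program from the spamc client domain, added without a comment saying which helper spamc needs; spamc is normally invoked on untrusted mail content, so a why-comment (`# spamc execs <helper> to ...`) or a transition to the specific helper's domain would be safer than the blanket rule. Stylistically, the blank line added before `corecmd_exec_bin` has no counterpart after it, so the corecmd_ and corenet_ groups run together; the file otherwise separates interface-prefix groups with a blank line. spamc_t's rules continue outside the hunk.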
@@ -36080,7 +36266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
miscfiles_read_localization(spamc_t)
# cjp: this should probably be removed:
-@@ -256,27 +326,40 @@
+@@ -256,27 +328,40 @@
sysnet_read_config(spamc_t)
@@ -36127,7 +36313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
')
########################################
-@@ -288,7 +371,7 @@
+@@ -288,7 +373,7 @@
# setuids to the user running spamc. Comment this if you are not
# using this ability.
@@ -36136,7 +36322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
-@@ -304,10 +387,17 @@
+@@ -304,10 +389,17 @@
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
@@ -36155,7 +36341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -316,10 +406,12 @@
+@@ -316,10 +408,12 @@
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -36169,7 +36355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
kernel_read_all_sysctls(spamd_t)
-@@ -369,22 +461,27 @@
+@@ -369,22 +463,27 @@
init_dontaudit_rw_utmp(spamd_t)
@@ -36201,7 +36387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
fs_manage_cifs_files(spamd_t)
')
-@@ -397,16 +494,22 @@
+@@ -397,16 +496,22 @@
')
optional_policy(`
@@ -36228,7 +36414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
')
optional_policy(`
-@@ -415,10 +518,6 @@
+@@ -415,10 +520,6 @@
')
optional_policy(`
@@ -36239,7 +36425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
postfix_read_config(spamd_t)
')
-@@ -433,6 +532,10 @@
+@@ -433,6 +534,10 @@
optional_policy(`
razor_domtrans(spamd_t)
@@ -36250,7 +36436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
')
optional_policy(`
-@@ -445,5 +548,9 @@
+@@ -445,5 +550,9 @@
')
optional_policy(`
@@ -40053,8 +40239,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosr
interface(`zosremote_domtrans',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.7.19/policy/modules/system/application.if
--- nsaserefpolicy/policy/modules/system/application.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/application.if 2010-08-04 15:09:32.261085029 +0200
-@@ -130,3 +130,21 @@
++++ serefpolicy-3.7.19/policy/modules/system/application.if 2011-01-18 17:37:24.656040920 +0100
+@@ -130,3 +130,76 @@
allow $1 application_domain_type:process signull;
')
@@ -40075,7 +40261,62 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic
+ ')
+
+ allow $1 application_domain_type:process signal;
-+')
++')
++
++#######################################
++## <summary>
++## Dontaudit signull sent to all application domains.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`application_dontaudit_signull',`
++ gen_require(`
++ attribute application_domain_type;
++ ')
++
++ dontaudit $1 application_domain_type:process signull;
++')
++
++#######################################
++## <summary>
++## Dontaudit signal sent to all application domains.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`application_dontaudit_signal',`
++ gen_require(`
++ attribute application_domain_type;
++ ')
++
++ dontaudit $1 application_domain_type:process signal;
++')
++
++#######################################
++## <summary>
++## Dontaudit kill signal sent to all application domains.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`application_dontaudit_sigkill',`
++ gen_require(`
++ attribute application_domain_type;
++ ')
++
++ dontaudit $1 application_domain_type:process sigkill;
++')
++
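Review bot: The final `++` line adds a trailing blank line at the end of application.if, which will show up as whitespace noise in the next refresh of this patch; drop it. The three new interfaces silence signull/signal/sigkill denials against every application domain at once, which hides evidence when a service starts killing user applications, so the `<summary>` of application_dontaudit_sigkill in particular should tell callers to prefer a dontaudit on the specific target domain and to use this only for known-noisy probes. The `-+')`/`++')` pair just before the new interfaces appears to be a whitespace-only change and could be left out of the refresh.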
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.19/policy/modules/system/application.te
--- nsaserefpolicy/policy/modules/system/application.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/application.te 2010-05-28 09:42:00.208611712 +0200
@@ -40968,7 +41209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/init.te 2011-01-07 14:44:25.100042432 +0100
++++ serefpolicy-3.7.19/policy/modules/system/init.te 2011-01-18 16:03:10.193041196 +0100
@@ -1,5 +1,5 @@
-policy_module(init, 1.14.2)
@@ -41125,7 +41366,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corenet_all_recvfrom_unlabeled(initrc_t)
corenet_all_recvfrom_netlabel(initrc_t)
-@@ -299,6 +344,7 @@
+@@ -280,6 +325,7 @@
+
+ dev_read_rand(initrc_t)
+ dev_read_urand(initrc_t)
++dev_dontaudit_read_kmsg(initrc_t)
+ dev_write_kmsg(initrc_t)
+ dev_write_rand(initrc_t)
+ dev_write_urand(initrc_t)
+@@ -299,6 +345,7 @@
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -41133,7 +41382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corecmd_exec_all_executables(initrc_t)
-@@ -325,8 +371,10 @@
+@@ -325,8 +372,10 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -41145,7 +41394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -342,6 +390,8 @@
+@@ -342,6 +391,8 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -41154,7 +41403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
-@@ -352,6 +402,8 @@
+@@ -352,6 +403,8 @@
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -41163,7 +41412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -364,6 +416,7 @@
+@@ -364,6 +417,7 @@
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -41171,7 +41420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
selinux_get_enforce_mode(initrc_t)
-@@ -395,15 +448,16 @@
+@@ -395,15 +449,16 @@
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -41190,7 +41439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
userdom_use_user_terminals(initrc_t)
-@@ -437,6 +491,10 @@
+@@ -437,6 +492,10 @@
dev_create_generic_dirs(initrc_t)
dev_delete_generic_dirs(initrc_t)
@@ -41201,7 +41450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# openrc uses tmpfs for its state data
fs_tmpfs_filetrans(initrc_t, initrc_state_t, { dir file fifo_file lnk_file })
-@@ -471,7 +529,7 @@
+@@ -471,7 +530,7 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -41210,7 +41459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -495,6 +553,12 @@
+@@ -495,6 +554,12 @@
fs_read_tmpfs_symlinks(initrc_t)
fs_rw_tmpfs_chr_files(initrc_t)
@@ -41223,7 +41472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
storage_manage_fixed_disk(initrc_t)
storage_dev_filetrans_fixed_disk(initrc_t)
storage_getattr_removable_dev(initrc_t)
-@@ -517,6 +581,23 @@
+@@ -517,6 +582,23 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -41247,7 +41496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -528,6 +609,8 @@
+@@ -528,6 +610,8 @@
optional_policy(`
sysnet_rw_dhcp_config(initrc_t)
sysnet_manage_config(initrc_t)
@@ -41256,7 +41505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -542,6 +625,35 @@
+@@ -542,6 +626,35 @@
')
')
@@ -41292,7 +41541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -554,6 +666,8 @@
+@@ -554,6 +667,8 @@
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -41301,7 +41550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -578,6 +692,11 @@
+@@ -578,6 +693,11 @@
')
optional_policy(`
@@ -41313,7 +41562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -594,6 +713,7 @@
+@@ -594,6 +714,7 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -41321,7 +41570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -695,7 +815,13 @@
+@@ -695,7 +816,13 @@
')
optional_policy(`
@@ -41335,7 +41584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -718,6 +844,10 @@
+@@ -718,6 +845,10 @@
')
optional_policy(`
@@ -41346,7 +41595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -739,6 +869,10 @@
+@@ -739,6 +870,10 @@
')
optional_policy(`
@@ -41357,7 +41606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -760,8 +894,6 @@
+@@ -760,8 +895,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -41366,7 +41615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -770,14 +902,21 @@
+@@ -770,14 +903,21 @@
')
optional_policy(`
@@ -41388,7 +41637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -790,6 +929,7 @@
+@@ -790,6 +930,7 @@
optional_policy(`
udev_rw_db(initrc_t)
@@ -41396,7 +41645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
udev_manage_pid_files(initrc_t)
')
-@@ -798,11 +938,19 @@
+@@ -798,11 +939,19 @@
')
optional_policy(`
@@ -41417,7 +41666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -812,6 +960,25 @@
+@@ -812,6 +961,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -41443,7 +41692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -837,3 +1004,35 @@
+@@ -837,3 +1005,35 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -43612,8 +43861,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.19/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.if 2010-08-30 20:19:44.277333391 +0200
-@@ -361,6 +361,27 @@
++++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.if 2011-01-18 15:44:52.758042314 +0100
+@@ -199,6 +199,10 @@
+ role $2 types newrole_t;
+
+ auth_run_upd_passwd(newrole_t, $2)
++
++ optional_policy(`
++ namespace_init_run(newrole_t, $2)
++ ')
+ ')
+
+ ########################################
+@@ -361,6 +365,27 @@
########################################
## <summary>
@@ -43641,7 +43901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
## Execute run_init in the run_init domain.
## </summary>
## <param name="domain">
-@@ -514,6 +535,10 @@
+@@ -514,6 +539,10 @@
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, setfiles_exec_t, setfiles_t)
@@ -43652,7 +43912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
')
########################################
-@@ -545,6 +570,53 @@
+@@ -545,6 +574,53 @@
########################################
## <summary>
@@ -43706,7 +43966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
## Execute setfiles in the caller domain.
## </summary>
## <param name="domain">
-@@ -690,6 +762,7 @@
+@@ -690,6 +766,7 @@
')
files_search_etc($1)
@@ -43714,7 +43974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
manage_files_pattern($1, selinux_config_t, selinux_config_t)
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
')
-@@ -1009,6 +1082,26 @@
+@@ -1009,6 +1086,26 @@
########################################
## <summary>
@@ -43741,7 +44001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
-@@ -1020,7 +1113,7 @@
+@@ -1020,7 +1117,7 @@
## </param>
## <param name="role">
## <summary>
@@ -43750,7 +44010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
## </summary>
## </param>
## <rolecap/>
-@@ -1038,6 +1131,54 @@
+@@ -1038,6 +1135,54 @@
########################################
## <summary>
@@ -43805,7 +44065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
## Full management of the semanage
## module store.
## </summary>
-@@ -1149,3 +1290,194 @@
+@@ -1149,3 +1294,194 @@
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ff2dab0..1e9b31f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 82%{?dist}
+Release: 83%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,12 @@ exit 0
%endif
%changelog
+* Tue Jan 18 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-83
+- Allow newrole to run namespace
+- Add puppetmaster_uses_db boolean
+- Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on
+- sandbox fixes
+
* Fri Jan 14 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-82
- Add namespace policy
- Update for screen policy to handle pipe in homedir