[selinux-policy/f14/master] - Add puppetmaster_uses_db boolean - Add oracle ports and allow apache to connect to them if the con
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Jan 19 16:42:29 UTC 2011
commit 123a240f78f2d7e056b02df2e28aaec2c048eb7e
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Jan 19 17:42:26 2011 +0000
- Add puppetmaster_uses_db boolean
- Add oracle ports and allow apache to connect to them if the connect_db bool
- sandbox fixes
- Allow shorewall to read iptables conf files
- Add sepgsql fixes from KaiGai Kohei
Makefile | 2 +-
policy-F14.patch | 578 +++++++++++++++++++++++++++++++++------------------
selinux-policy.spec | 10 +-
3 files changed, 382 insertions(+), 208 deletions(-)
---
diff --git a/Makefile b/Makefile
index c5bb5f8..bec48d7 100644
--- a/Makefile
+++ b/Makefile
@@ -248,7 +248,7 @@ seusers := $(appconf)/seusers
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
diff --git a/policy-F14.patch b/policy-F14.patch
index d5c1eef..7836b88 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -1455,6 +1455,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sectoolm.te serefpolicy-3.9.7/policy/modules/admin/sectoolm.te
+--- nsaserefpolicy/policy/modules/admin/sectoolm.te 2010-10-12 22:42:51.000000000 +0200
++++ serefpolicy-3.9.7/policy/modules/admin/sectoolm.te 2011-01-19 17:25:50.716042303 +0100
+@@ -84,6 +84,7 @@
+ sysnet_domtrans_ifconfig(sectoolm_t)
+
+ userdom_manage_user_tmp_sockets(sectoolm_t)
++userdom_dgram_send(sectoolm_t)
+
+ optional_policy(`
+ mount_exec(sectoolm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.9.7/policy/modules/admin/shorewall.fc
--- nsaserefpolicy/policy/modules/admin/shorewall.fc 2010-10-12 22:42:51.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/admin/shorewall.fc 2011-01-04 15:04:51.055041119 +0100
@@ -5911,13 +5922,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.9.7/policy/modules/apps/sandbox.fc
--- nsaserefpolicy/policy/modules/apps/sandbox.fc 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.9.7/policy/modules/apps/sandbox.fc 2010-11-05 14:02:26.482928301 +0100
++++ serefpolicy-3.9.7/policy/modules/apps/sandbox.fc 2011-01-18 17:08:34.844040747 +0100
@@ -0,0 +1 @@
-+# No types are sandbox_exec_t
++/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.9.7/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.9.7/policy/modules/apps/sandbox.if 2010-12-15 16:04:01.881041891 +0100
-@@ -0,0 +1,342 @@
++++ serefpolicy-3.9.7/policy/modules/apps/sandbox.if 2011-01-19 17:29:02.233041965 +0100
+@@ -0,0 +1,337 @@
+
+## <summary>policy for sandbox</summary>
+
@@ -6003,10 +6014,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ gen_require(`
+ attribute sandbox_domain;
+ attribute sandbox_file_type;
-+ attribute sandbox_x_type;
+ ')
+
-+ type $1_t, sandbox_domain, sandbox_x_type;
++ type $1_t, sandbox_domain;
+ application_type($1_t)
+
+ mls_rangetrans_target($1_t)
@@ -6038,11 +6048,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ gen_require(`
+ type xserver_exec_t, sandbox_devpts_t;
+ type sandbox_xserver_t;
++ type sandbox_exec_t;
+ attribute sandbox_domain, sandbox_x_domain;
+ attribute sandbox_file_type, sandbox_tmpfs_type;
++ attribute sandbox_type;
+ ')
+
-+ type $1_t, sandbox_x_domain;
++ type $1_t, sandbox_x_domain, sandbox_type;
+ application_type($1_t)
+ mcs_untrusted_proc($1_t)
+
@@ -6056,11 +6068,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
+ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
+
-+# type $1_devpts_t;
-+# term_pty($1_devpts_t)
-+# term_create_pty($1_t, $1_devpts_t)
-+# allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
-+
+ # window manager
+ miscfiles_setattr_fonts_cache_dirs($1_t)
+ allow $1_t self:capability setuid;
@@ -6072,9 +6079,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ type $1_client_tmpfs_t, sandbox_tmpfs_type;
+ files_tmpfs_file($1_client_tmpfs_t)
+
-+ term_search_ptys($1_t)
-+ allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr };
-+ term_create_pty($1_client_t,sandbox_devpts_t)
+
+ manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
+ manage_files_pattern($1_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
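Review bot: Deleting the three pty lines leaves two consecutive blank lines in sandbox_x_domain_template, between `files_tmpfs_file($1_client_tmpfs_t)` and the `manage_files_pattern($1_client_t, ...)` line. Drop one of them so the template keeps its one-blank-line separation between groups. The template body continues outside the hunk.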
@@ -6088,8 +6092,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
+ allow $1_t sandbox_xserver_t:process signal_perms;
+
-+ domtrans_pattern($1_t, $1_file_t, $1_client_t)
-+ domain_entry_file($1_client_t, $1_file_t)
++ #domtrans_pattern($1_t, $1_file_t, $1_client_t)
++ #domain_entry_file($1_client_t, $1_file_t)
++ domtrans_pattern($1_t, sandbox_exec_t, $1_client_t)
++ domain_entry_file($1_client_t, sandbox_exec_t)
+
+ # Random tmpfs_t that gets created when you run X.
+ fs_rw_tmpfs_files($1_t)
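Review bot: The two `#domtrans_pattern($1_t, $1_file_t, $1_client_t)` / `#domain_entry_file($1_client_t, $1_file_t)` lines are dead code kept in comment form beside their replacements; the old lines are already in history, so delete them rather than leaving both variants in the template. If the intent was to record why the entry point changed, a comment is more useful than the commented-out code, for example `# client domain enters only via the fixed sandbox_exec_t launcher, not via $1_file_t content the sandbox itself manages` (this reading is inferred from the $1_file_t manage rules above and the /usr/share/sandbox/start label in sandbox.fc, so confirm it). The template continues outside the hunk.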
@@ -6262,8 +6268,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.9.7/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.9.7/policy/modules/apps/sandbox.te 2010-12-15 14:57:05.228042682 +0100
-@@ -0,0 +1,450 @@
++++ serefpolicy-3.9.7/policy/modules/apps/sandbox.te 2011-01-19 17:29:06.698042209 +0100
+@@ -0,0 +1,451 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -6271,7 +6277,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+attribute sandbox_file_type;
+attribute sandbox_web_type;
+attribute sandbox_tmpfs_type;
-+attribute sandbox_x_type;
++attribute sandbox_type;
++
++type sandbox_exec_t;
++files_type(sandbox_exec_t)
+
+########################################
+#
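Review bot: `type sandbox_exec_t;` is declared with only `files_type(sandbox_exec_t)`, yet sandbox.if uses it as the entry file of the client domain via `domain_entry_file`; if that interface does not itself mark the type executable, `application_executable_file(sandbox_exec_t)` is the declaration other entry-point types use, and if it does, a comment saying the executable attribute comes from the .if would stop the next reader from adding it twice. `attribute sandbox_type;` likewise replaces `sandbox_x_type` without saying what it groups; from the visible hunks it is applied only by sandbox_x_domain_template, so `# every type created by sandbox_x_domain_template` (verify against the rest of the module) would document it. The declarations section continues outside the hunk.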
@@ -6336,6 +6345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+files_search_home(sandbox_xserver_t)
+fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
+fs_list_inotifyfs(sandbox_xserver_t)
++fs_search_auto_mountpoints(sandbox_xserver_t)
+
+miscfiles_read_fonts(sandbox_xserver_t)
+miscfiles_read_localization(sandbox_xserver_t)
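Review bot: `fs_search_auto_mountpoints(sandbox_xserver_t)` is added unconditionally, whereas the same permission for sandbox_x_domain sits under the `use_nfs_home_dirs` tunable block later in this file. If the xserver only needs autofs search to reach NFS/CIFS/fuse home directories, it belongs inside those tunable blocks next to `fs_search_nfs(sandbox_xserver_t)` rather than always on; if it is needed regardless of where home directories live, a comment saying so (`# autofs search is needed even without remote home dirs because <TODO: reason>`) would keep it from being moved later.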
@@ -6369,7 +6379,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+# sandbox local policy
+#
+
-+## internal communication is often done using fifo and unix sockets.
+allow sandbox_domain self:fifo_file manage_file_perms;
+allow sandbox_domain self:sem create_sem_perms;
+allow sandbox_domain self:shm create_shm_perms;
@@ -6516,29 +6525,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_auto_mountpoints(sandbox_x_domain)
-+ fs_search_nfs(sandbox_xserver_t)
-+ fs_read_nfs_files(sandbox_xserver_t)
-+ fs_manage_nfs_dirs(sandbox_x_domain)
-+ fs_manage_nfs_files(sandbox_x_domain)
-+ fs_exec_nfs_files(sandbox_x_domain)
++ fs_search_nfs(sandbox_xserver_t)
++ fs_read_nfs_files(sandbox_xserver_t)
++ fs_manage_nfs_dirs(sandbox_x_domain)
++ fs_manage_nfs_files(sandbox_x_domain)
++ fs_exec_nfs_files(sandbox_x_domain)
+')
+
+tunable_policy(`use_samba_home_dirs',`
-+ fs_search_cifs(sandbox_x_domain)
+ fs_search_cifs(sandbox_xserver_t)
-+ fs_read_cifs_files(sandbox_xserver_t)
-+ fs_manage_cifs_dirs(sandbox_x_domain)
-+ fs_manage_cifs_files(sandbox_x_domain)
-+ fs_exec_cifs_files(sandbox_x_domain)
++ fs_read_cifs_files(sandbox_xserver_t)
++ fs_manage_cifs_dirs(sandbox_x_domain)
++ fs_manage_cifs_files(sandbox_x_domain)
++ fs_exec_cifs_files(sandbox_x_domain)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
-+ fs_search_fusefs(sandbox_x_domain)
+ fs_search_fusefs(sandbox_xserver_t)
-+ fs_read_fusefs_files(sandbox_xserver_t)
-+ fs_manage_fusefs_dirs(sandbox_x_domain)
-+ fs_manage_fusefs_files(sandbox_x_domain)
-+ fs_exec_fusefs_files(sandbox_x_domain)
++ fs_read_fusefs_files(sandbox_xserver_t)
++ fs_manage_fusefs_dirs(sandbox_x_domain)
++ fs_manage_fusefs_files(sandbox_x_domain)
++ fs_exec_fusefs_files(sandbox_x_domain)
+')
+
+files_search_home(sandbox_x_t)
@@ -6727,7 +6734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.f
# /usr
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.9.7/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/apps/screen.if 2011-01-14 14:39:49.518042232 +0100
++++ serefpolicy-3.9.7/policy/modules/apps/screen.if 2011-01-18 16:05:02.023042082 +0100
@@ -64,6 +64,9 @@
files_pid_filetrans($1_screen_t, screen_var_run_t, dir)
@@ -6738,6 +6745,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i
read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+@@ -113,6 +116,7 @@
+ dev_read_urand($1_screen_t)
+
+ domain_use_interactive_fds($1_screen_t)
++ domain_sigchld_interactive_fds($1_screen_t)
+
+ files_search_tmp($1_screen_t)
+ files_search_home($1_screen_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.9.7/policy/modules/apps/seunshare.if
--- nsaserefpolicy/policy/modules/apps/seunshare.if 2010-10-12 22:42:50.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/apps/seunshare.if 2010-11-05 14:02:26.488655314 +0100
@@ -7993,7 +8008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
+/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in 2011-01-03 14:29:15.002042415 +0100
++++ serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in 2011-01-17 10:35:04.487041547 +0100
@@ -24,6 +24,7 @@
#
type tun_tap_device_t;
@@ -8055,7 +8070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -125,30 +134,34 @@
+@@ -125,43 +134,56 @@
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@@ -8092,9 +8107,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
-network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0)
+network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
network_port(ntp, udp,123,s0)
++network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
network_port(ocsp, tcp,9080,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
-@@ -156,12 +169,20 @@
+ network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pingd, tcp,9125,s0)
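Review bot: The new `network_port(oracle, ...)` line breaks the table's alphabetical order and spacing: it is placed between `ntp` and `ocsp`, but `oracle` sorts after `openvpn`, and its argument list mixes `tcp, 1521` with `tcp,1521` while neighbouring entries put no space after the comma. Suggest moving it below `network_port(openvpn, tcp,1194,s0, udp,1194,s0)` and writing it as `network_port(oracle, tcp,1521,s0, udp,1521,s0, tcp,2483,s0, udp,2483,s0, tcp,2484,s0, udp,2484,s0)`. Whether the udp entries are really wanted is worth confirming, since the apache.te hunks in this commit use only the tcp connect interface for these ports.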
@@ -8115,7 +8131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -176,24 +197,28 @@
+@@ -176,24 +198,28 @@
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@@ -8148,7 +8164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-@@ -203,16 +228,17 @@
+@@ -203,16 +229,17 @@
network_port(ups, tcp,3493,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
@@ -8169,7 +8185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
-@@ -274,5 +300,5 @@
+@@ -274,5 +301,5 @@
allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
# Bind to any network address.
@@ -8214,7 +8230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.9.7/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/kernel/devices.if 2010-11-05 14:02:26.525900415 +0100
++++ serefpolicy-3.9.7/policy/modules/kernel/devices.if 2011-01-18 17:18:33.382042920 +0100
@@ -336,6 +336,24 @@
########################################
@@ -8408,7 +8424,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Do not audit attempts to get the attributes of
## the autofs device node.
## </summary>
-@@ -3048,24 +3192,6 @@
+@@ -1977,6 +2121,24 @@
+ read_chr_files_pattern($1, device_t, kmsg_device_t)
+ ')
+
++######################################
++## <summary>
++## Do not audit attempts to read the kernel messages
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`dev_dontaudit_read_kmsg',`
++ gen_require(`
++ type kmsg_device_t;
++ ')
++
++ dontaudit $1 kmsg_device_t:chr_file read;
++')
++
+ ########################################
+ ## <summary>
+ ## Write to the kernel messages device
+@@ -3048,24 +3210,6 @@
########################################
## <summary>
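Review bot: The header ruler above the new `dev_dontaudit_read_kmsg` interface appears to be two characters shorter than the 40-`#` rulers used by the interfaces on either side of it (the one ending just above and the `Write to the kernel messages device` one below); make it `########################################` so the block matches the file. The summary also drops the word "device" that the neighbouring summaries use, so `## Do not audit attempts to read the kernel messages device` would read consistently.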
@@ -8433,7 +8474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Get the attributes of the QEMU
## microcode and id interfaces.
## </summary>
-@@ -3613,6 +3739,24 @@
+@@ -3613,6 +3757,24 @@
########################################
## <summary>
@@ -8458,7 +8499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Get the attributes of sysfs directories.
## </summary>
## <param name="domain">
-@@ -3755,6 +3899,24 @@
+@@ -3755,6 +3917,24 @@
########################################
## <summary>
@@ -8483,7 +8524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Read from pseudo random number generator devices (e.g., /dev/urandom).
## </summary>
## <desc>
-@@ -3924,6 +4086,24 @@
+@@ -3924,6 +4104,24 @@
########################################
## <summary>
@@ -8508,7 +8549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
-@@ -4234,11 +4414,10 @@
+@@ -4234,11 +4432,10 @@
#
interface(`dev_rw_vhost',`
gen_require(`
@@ -10506,7 +10547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.9.7/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/kernel/kernel.if 2010-11-05 14:02:26.551900321 +0100
++++ serefpolicy-3.9.7/policy/modules/kernel/kernel.if 2011-01-19 17:02:58.261042200 +0100
@@ -698,6 +698,46 @@
########################################
@@ -10563,31 +10604,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
')
########################################
-@@ -2380,6 +2420,24 @@
+@@ -2378,6 +2418,24 @@
+ allow $1 unlabeled_t:blk_file getattr;
+ ')
- ########################################
- ## <summary>
-+## Read and write unlabeled sockets.
++#######################################
++## <summary>
++## Read and write unlabeled sockets.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
+interface(`kernel_rw_unlabeled_socket',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
++ gen_require(`
++ type unlabeled_t;
++ ')
+
-+ allow $1 unlabeled_t:socket rw_socket_perms;
++ allow $1 unlabeled_t:socket rw_socket_perms;
+')
+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
## Do not audit attempts by caller to get attributes for
- ## unlabeled character devices.
- ## </summary>
@@ -2845,6 +2903,24 @@
########################################
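Review bot: The ruler above `kernel_rw_unlabeled_socket` looks one `#` short of the 40-character ruler used by the interface that follows it, which is the only visible difference left after the re-indentation; make it `########################################`. Since `rw_socket_perms` on every unlabeled_t socket is a broad grant, the summary would also benefit from saying what these sockets are, for example `## Read and write sockets whose label was invalidated (e.g. by a policy reload).` — that description is inferred from the "connections with invalidated labels" comment in kernel.te, so confirm it before adopting the wording.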
@@ -10639,7 +10680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.9.7/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/kernel/kernel.te 2011-01-07 10:48:11.095291107 +0100
++++ serefpolicy-3.9.7/policy/modules/kernel/kernel.te 2011-01-18 18:03:07.135042561 +0100
@@ -52,6 +52,7 @@
fs_type(debugfs_t)
allow debugfs_t self:filesystem associate;
@@ -10656,7 +10697,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -254,7 +256,8 @@
+@@ -219,6 +221,8 @@
+ # connections with invalidated labels:
+ allow kernel_t unlabeled_t:packet send;
+
++kernel_rw_unlabeled_socket(kernel_t)
++
+ # Allow unlabeled network traffic
+ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+ corenet_in_generic_if(unlabeled_t)
+@@ -254,7 +258,8 @@
selinux_load_policy(kernel_t)
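Review bot: `kernel_rw_unlabeled_socket(kernel_t)` is inserted right after `allow kernel_t unlabeled_t:packet send;`, but unlike that line it is not covered by the `# connections with invalidated labels:` comment above, and there is nothing recording why the kernel domain needs read/write on unlabeled sockets. Add a comment such as `# kernel_t reads/writes sockets whose label was invalidated (TODO: cite the denial)` so the scope of this grant is traceable. The surrounding kernel_t block starts and ends outside the hunk.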
@@ -10666,7 +10716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -268,19 +271,30 @@
+@@ -268,19 +273,30 @@
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -10697,7 +10747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
optional_policy(`
hotplug_search_config(kernel_t)
')
-@@ -357,6 +371,10 @@
+@@ -357,6 +373,10 @@
unconfined_domain_noaudit(kernel_t)
')
@@ -14449,7 +14499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.9.7/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/apache.te 2010-12-01 13:14:54.102051595 +0100
++++ serefpolicy-3.9.7/policy/modules/services/apache.te 2011-01-19 17:15:16.626291860 +0100
@@ -18,130 +18,195 @@
# Declarations
#
@@ -14813,7 +14863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
libs_read_lib_files(httpd_t)
-@@ -416,34 +509,71 @@
+@@ -416,34 +509,73 @@
userdom_use_unpriv_users_fds(httpd_t)
@@ -14849,6 +14899,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_mssql_port(httpd_t)
+ corenet_sendrecv_mssql_client_packets(httpd_t)
++ corenet_tcp_connect_oracle_port(httpd_t)
++ corenet_sendrecv_oracle_client_packets(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_memcache',`
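Review bot: The oracle grants added under `httpd_can_network_connect_db` here, and in the matching httpd_php_t, httpd_suexec_t and httpd_sys_script_t hunks later in apache.te, widen the boolean's effect, but nothing in this commit updates the tunable's description (presumably in the declarations section near the top of apache.te, outside these hunks). That description should now say the boolean covers the oracle ports (1521, 2483, 2484) as well as mssql, so the documented boolean matches what it grants. Repeating the same pair of lines in four places mirrors the existing mssql pattern, so no restructuring is needed.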
@@ -14887,7 +14939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,6 +586,10 @@
+@@ -456,6 +588,10 @@
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -14898,7 +14950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -466,8 +600,12 @@
+@@ -466,8 +602,12 @@
corenet_tcp_bind_ftp_port(httpd_t)
')
@@ -14913,7 +14965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -475,6 +613,12 @@
+@@ -475,6 +615,12 @@
fs_read_nfs_symlinks(httpd_t)
')
@@ -14926,7 +14978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +628,16 @@
+@@ -484,7 +630,16 @@
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -14943,7 +14995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_ssi_exec',`
-@@ -500,8 +653,10 @@
+@@ -500,8 +655,10 @@
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
userdom_use_user_terminals(httpd_t)
@@ -14954,7 +15006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -513,7 +668,13 @@
+@@ -513,7 +670,13 @@
')
optional_policy(`
@@ -14969,7 +15021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -528,7 +689,18 @@
+@@ -528,7 +691,18 @@
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -14989,7 +15041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +709,13 @@
+@@ -537,8 +711,13 @@
')
optional_policy(`
@@ -15004,7 +15056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -556,7 +733,13 @@
+@@ -556,7 +735,13 @@
')
optional_policy(`
@@ -15018,7 +15070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +750,7 @@
+@@ -567,6 +752,7 @@
optional_policy(`
nagios_read_config(httpd_t)
@@ -15026,7 +15078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -577,6 +761,16 @@
+@@ -577,6 +763,16 @@
')
optional_policy(`
@@ -15043,7 +15095,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +785,11 @@
+@@ -591,6 +787,11 @@
')
optional_policy(`
@@ -15055,7 +15107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +802,11 @@
+@@ -603,6 +804,11 @@
yam_read_content(httpd_t)
')
@@ -15067,7 +15119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache helper local policy
-@@ -618,6 +822,10 @@
+@@ -618,6 +824,10 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -15078,7 +15130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -654,28 +862,27 @@
+@@ -654,28 +864,29 @@
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -15097,6 +15149,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
- corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_mssql_port(httpd_php_t)
+ corenet_sendrecv_mssql_client_packets(httpd_php_t)
++ corenet_tcp_connect_oracle_port(httpd_php_t)
++ corenet_sendrecv_oracle_client_packets(httpd_php_t)
')
optional_policy(`
@@ -15119,7 +15173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -699,17 +906,22 @@
+@@ -699,17 +910,22 @@
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -15145,13 +15199,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +952,20 @@
+@@ -740,10 +956,22 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_mssql_port(httpd_suexec_t)
+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
++ corenet_tcp_connect_oracle_port(httpd_suexec_t)
++ corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
+')
+
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
@@ -15167,7 +15223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +991,25 @@
+@@ -769,6 +997,25 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -15193,7 +15249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
-@@ -791,10 +1032,15 @@
+@@ -791,10 +1038,15 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -15209,7 +15265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,6 +1049,33 @@
+@@ -803,6 +1055,35 @@
mta_send_mail(httpd_sys_script_t)
')
@@ -15222,6 +15278,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
++ corenet_tcp_connect_oracle_port(httpd_sys_script_t)
++ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
+')
+
+fs_cifs_entry_type(httpd_sys_script_t)
@@ -15243,7 +15301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -822,7 +1095,7 @@
+@@ -822,7 +1103,7 @@
')
tunable_policy(`httpd_enable_homedirs',`
@@ -15252,7 +15310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -830,6 +1103,20 @@
+@@ -830,6 +1111,20 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -15273,7 +15331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1129,20 @@
+@@ -842,10 +1137,20 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -15294,7 +15352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -891,11 +1188,21 @@
+@@ -891,11 +1196,21 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -15494,8 +15552,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.9.7/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/asterisk.te 2010-11-05 14:02:26.590900493 +0100
-@@ -99,6 +99,7 @@
++++ serefpolicy-3.9.7/policy/modules/services/asterisk.te 2011-01-18 17:57:44.204042040 +0100
+@@ -77,9 +77,10 @@
+ files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
+
+ manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
++manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+ manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+ manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
++files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file })
+
+ kernel_read_system_state(asterisk_t)
+ kernel_read_kernel_sysctls(asterisk_t)
+@@ -99,6 +100,7 @@
corenet_tcp_bind_generic_node(asterisk_t)
corenet_udp_bind_generic_node(asterisk_t)
corenet_tcp_bind_asterisk_port(asterisk_t)
@@ -15503,7 +15573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
corenet_udp_bind_asterisk_port(asterisk_t)
corenet_udp_bind_sip_port(asterisk_t)
corenet_sendrecv_asterisk_server_packets(asterisk_t)
-@@ -109,6 +110,7 @@
+@@ -109,6 +111,7 @@
corenet_sendrecv_generic_server_packets(asterisk_t)
corenet_tcp_connect_postgresql_port(asterisk_t)
corenet_tcp_connect_snmp_port(asterisk_t)
@@ -15511,7 +15581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
dev_rw_generic_usb_dev(asterisk_t)
dev_read_sysfs(asterisk_t)
-@@ -147,6 +149,10 @@
+@@ -147,6 +150,10 @@
')
optional_policy(`
@@ -17184,6 +17254,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
optional_policy(`
gpsd_rw_shm(chronyd_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.9.7/policy/modules/services/clamav.fc
+--- nsaserefpolicy/policy/modules/services/clamav.fc 2010-10-12 22:42:48.000000000 +0200
++++ serefpolicy-3.9.7/policy/modules/services/clamav.fc 2011-01-19 17:06:20.249042113 +0100
+@@ -9,6 +9,7 @@
+ /usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
+
+ /var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
++/var/lib/clamd.* gen_context(system_u:object_r:clamd_var_lib_t,s0)
+ /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+ /var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)
+ /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.9.7/policy/modules/services/clamav.if
--- nsaserefpolicy/policy/modules/services/clamav.if 2010-10-12 22:42:48.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/services/clamav.if 2010-11-05 14:02:26.610899953 +0100
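Review bot: In the clamav.fc part of this hunk, `/var/lib/clamd.*` is an unanchored pattern: the unescaped `.` and trailing `.*` match any path that merely begins with `/var/lib/clamd` (a hypothetical `/var/lib/clamdsomething` included), and with no `--` or `-d` qualifier it labels objects of any class. If the target is a directory, `/var/lib/clamd(/.*)?` (the form used for `/var/lib/clamav` on the next line) is tighter; if it is a socket or file with a dotted suffix, `/var/lib/clamd\..*` with the matching class flag. The same loose style is already used for `/var/log/clamav.*`, so this may be deliberate, but it is worth a check.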
@@ -17615,7 +17696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
-/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.9.7/policy/modules/services/cobbler.if
--- nsaserefpolicy/policy/modules/services/cobbler.if 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/cobbler.if 2010-11-05 14:02:26.615901791 +0100
++++ serefpolicy-3.9.7/policy/modules/services/cobbler.if 2011-01-19 17:21:29.344051558 +0100
@@ -1,12 +1,12 @@
## <summary>Cobbler installation server.</summary>
## <desc>
@@ -17675,7 +17756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
')
- read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);
-+ list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
files_search_etc($1)
')
@@ -26182,7 +26263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.9.7/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/mysql.te 2011-01-05 10:57:13.941041475 +0100
++++ serefpolicy-3.9.7/policy/modules/services/mysql.te 2011-01-17 10:32:45.744043083 +0100
@@ -6,9 +6,9 @@
#
@@ -26210,7 +26291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
allow mysqld_t mysqld_etc_t:dir list_dir_perms;
allow mysqld_t mysqld_log_t:file manage_file_perms;
-@@ -78,9 +79,10 @@
+@@ -78,13 +79,17 @@
manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
@@ -26222,7 +26303,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
kernel_read_system_state(mysqld_t)
kernel_read_kernel_sysctls(mysqld_t)
-@@ -127,8 +129,7 @@
+
++corecmd_exec_bin(mysqld_t)
++corecmd_exec_shell(mysqld_t)
++
+ corenet_all_recvfrom_unlabeled(mysqld_t)
+ corenet_all_recvfrom_netlabel(mysqld_t)
+ corenet_tcp_sendrecv_generic_if(mysqld_t)
+@@ -127,8 +132,7 @@
userdom_read_user_home_content_files(mysqld_t)
ifdef(`distro_redhat',`
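Review bot: `corecmd_exec_bin(mysqld_t)` and `corecmd_exec_shell(mysqld_t)` let the mysqld domain execute every system binary and shell, a large widening of that daemon's reach, yet neither the hunk nor the commit message says what needs it. The same applies to `corecmd_exec_bin(spamc_t)` in the spamassassin.te hunk further down. A one-line comment above each grant naming the program or report that triggers it, e.g. `# <program> runs helper scripts (bz#<id>)` with the placeholders filled in, would let a later reviewer judge whether a narrower interface or a tunable would do. If only the wrapper script needs the shell, the grant may belong on `mysqld_safe_t`, which already appears in this file, rather than on `mysqld_t` — worth confirming.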
@@ -26232,7 +26320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
')
tunable_policy(`mysql_connect_any',`
-@@ -155,6 +156,7 @@
+@@ -155,6 +159,7 @@
allow mysqld_safe_t self:capability { chown dac_override fowner kill };
dontaudit mysqld_safe_t self:capability sys_ptrace;
@@ -26240,7 +26328,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-@@ -175,6 +177,7 @@
+@@ -175,6 +180,7 @@
domain_read_all_domains_state(mysqld_safe_t)
@@ -26248,7 +26336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
files_read_etc_files(mysqld_safe_t)
files_read_usr_files(mysqld_safe_t)
files_dontaudit_getattr_all_dirs(mysqld_safe_t)
-@@ -183,11 +186,14 @@
+@@ -183,11 +189,14 @@
hostname_exec(mysqld_safe_t)
@@ -29022,7 +29110,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.9.7/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/postfix.if 2010-11-05 14:02:26.763899933 +0100
++++ serefpolicy-3.9.7/policy/modules/services/postfix.if 2011-01-19 11:29:15.403042285 +0100
+@@ -35,7 +35,7 @@
+ role system_r types postfix_$1_t;
+
+ dontaudit postfix_$1_t self:capability sys_tty_config;
+- allow postfix_$1_t self:process { signal_perms setpgid };
++ allow postfix_$1_t self:process { signal_perms setpgid setsched };
+ allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
+ allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
+ allow postfix_$1_t self:unix_stream_socket connectto;
@@ -50,7 +50,7 @@
can_exec(postfix_$1_t, postfix_$1_exec_t)
@@ -30372,23 +30469,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.9.7/policy/modules/services/puppet.te
--- nsaserefpolicy/policy/modules/services/puppet.te 2010-10-12 22:42:48.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/puppet.te 2010-11-10 09:57:59.533159507 +0100
-@@ -6,10 +6,10 @@
++++ serefpolicy-3.9.7/policy/modules/services/puppet.te 2011-01-17 10:29:27.088040902 +0100
+@@ -6,12 +6,19 @@
#
## <desc>
--## <p>
--## Allow Puppet client to manage all file
--## types.
--## </p>
+## <p>
+## Allow Puppet client to manage all file
+## types.
+## </p>
++## </desc>
++gen_tunable(puppet_manage_all_files, false)
++
++## <desc>
+ ## <p>
+-## Allow Puppet client to manage all file
+-## types.
++## Alow Pupper master to use connect to mysql and postgresql database
+ ## </p>
## </desc>
- gen_tunable(puppet_manage_all_files, false)
+-gen_tunable(puppet_manage_all_files, false)
++gen_tunable(puppetmaster_use_db, false)
-@@ -63,7 +63,7 @@
+ type puppet_t;
+ type puppet_exec_t;
+@@ -63,7 +70,7 @@
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
files_search_var_lib(puppet_t)
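Review bot: The description of the new tunable, `## Alow Pupper master to use connect to mysql and postgresql database`, is the text shown by boolean tooling and it carries several typos; it should read `## Allow Puppet master to connect to mysql and postgresql databases`. The tunable is declared as `puppetmaster_use_db`, while the commit message and the spec changelog call it `puppetmaster_uses_db`; the two `tunable_policy(`puppetmaster_use_db',` blocks in the next puppet.te hunk use the `_use_db` spelling as well, so the policy is self-consistent and it is the prose that is wrong, but the two should agree before the name gets documented elsewhere.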
@@ -30397,7 +30502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
-@@ -176,24 +176,29 @@
+@@ -176,24 +183,29 @@
list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
@@ -30429,7 +30534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
-@@ -214,13 +219,20 @@
+@@ -214,13 +226,32 @@
files_read_etc_files(puppetmaster_t)
files_search_var_lib(puppetmaster_t)
@@ -30447,10 +30552,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
+mta_send_mail(puppetmaster_t)
+
++optional_policy(`
++ tunable_policy(`puppetmaster_use_db',`
++ mysql_stream_connect(puppetmaster_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`puppetmaster_use_db',`
++ postgresql_stream_connect(puppetmaster_t)
++ ')
++')
++
optional_policy(`
hostname_exec(puppetmaster_t)
')
-@@ -231,3 +243,8 @@
+@@ -231,3 +262,8 @@
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
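Review bot: The two `tunable_policy(`puppetmaster_use_db',` blocks only grant `mysql_stream_connect` and `postgresql_stream_connect`, i.e. connections over the local unix sockets. If the boolean is meant to cover a database on another host, the TCP side (`corenet_tcp_connect_mysqld_port(puppetmaster_t)` / `corenet_tcp_connect_postgresql_port(puppetmaster_t)`) is missing and the boolean would silently not help that setup; if local-only is intended, the tunable description should say so. The puppetmaster_t rule block continues outside this hunk.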
@@ -34398,7 +34515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.9.7/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-10-12 22:42:48.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/spamassassin.te 2010-11-05 14:02:26.823900408 +0100
++++ serefpolicy-3.9.7/policy/modules/services/spamassassin.te 2011-01-18 15:53:54.015042354 +0100
@@ -6,54 +6,93 @@
#
@@ -34556,7 +34673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
')
########################################
-@@ -206,15 +251,30 @@
+@@ -206,15 +251,32 @@
allow spamc_t self:tcp_socket create_stream_socket_perms;
allow spamc_t self:udp_socket create_socket_perms;
@@ -34584,10 +34701,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
kernel_read_kernel_sysctls(spamc_t)
+kernel_read_system_state(spamc_t)
++
++corecmd_exec_bin(spamc_t)
corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
-@@ -226,6 +286,7 @@
+@@ -226,6 +288,7 @@
corenet_udp_sendrecv_all_ports(spamc_t)
corenet_tcp_connect_all_ports(spamc_t)
corenet_sendrecv_all_client_packets(spamc_t)
@@ -34595,7 +34714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
fs_search_auto_mountpoints(spamc_t)
-@@ -244,9 +305,14 @@
+@@ -244,9 +307,14 @@
files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)
@@ -34610,7 +34729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
miscfiles_read_localization(spamc_t)
# cjp: this should probably be removed:
-@@ -254,27 +320,40 @@
+@@ -254,27 +322,40 @@
sysnet_read_config(spamc_t)
@@ -34657,7 +34776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
')
########################################
-@@ -286,7 +365,7 @@
+@@ -286,7 +367,7 @@
# setuids to the user running spamc. Comment this if you are not
# using this ability.
@@ -34666,7 +34785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
-@@ -302,10 +381,17 @@
+@@ -302,10 +383,17 @@
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
@@ -34685,7 +34804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -314,11 +400,15 @@
+@@ -314,11 +402,15 @@
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -34703,7 +34822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
-@@ -367,22 +457,27 @@
+@@ -367,22 +459,27 @@
init_dontaudit_rw_utmp(spamd_t)
@@ -34735,7 +34854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
fs_manage_cifs_files(spamd_t)
')
-@@ -399,7 +494,9 @@
+@@ -399,7 +496,9 @@
')
optional_policy(`
@@ -34745,7 +34864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -408,25 +505,17 @@
+@@ -408,25 +507,17 @@
')
optional_policy(`
@@ -34773,7 +34892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
postgresql_stream_connect(spamd_t)
')
-@@ -437,6 +526,10 @@
+@@ -437,6 +528,10 @@
optional_policy(`
razor_domtrans(spamd_t)
@@ -41577,7 +41696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.9.7/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/init.te 2010-11-05 14:02:26.913650281 +0100
++++ serefpolicy-3.9.7/policy/modules/system/init.te 2011-01-18 16:02:55.265042266 +0100
@@ -16,6 +16,27 @@
## </desc>
gen_tunable(init_upstart, false)
@@ -41870,7 +41989,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corecmd_exec_all_executables(initrc_t)
-@@ -291,6 +439,7 @@
+@@ -279,6 +427,7 @@
+
+ dev_read_rand(initrc_t)
+ dev_read_urand(initrc_t)
++dev_dontaudit_read_kmsg(initrc_t)
+ dev_write_kmsg(initrc_t)
+ dev_write_rand(initrc_t)
+ dev_write_urand(initrc_t)
+@@ -291,6 +440,7 @@
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t)
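Review bot: `dev_dontaudit_read_kmsg(initrc_t)` silences a denial rather than resolving it, and nothing records which init script tries to read the kernel message device. A comment above the line, e.g. `# <script> reads the kmsg device at boot; do not audit`, would let the rule be revisited when that script changes. The initrc_t rule block continues outside this hunk.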
@@ -41878,7 +42005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +447,13 @@
+@@ -298,13 +448,13 @@
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -41894,7 +42021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -323,8 +472,10 @@
+@@ -323,8 +473,10 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -41906,7 +42033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +491,12 @@
+@@ -340,8 +492,12 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -41920,7 +42047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,6 +506,8 @@
+@@ -351,6 +507,8 @@
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -41929,7 +42056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -363,6 +520,7 @@
+@@ -363,6 +521,7 @@
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -41937,7 +42064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
selinux_get_enforce_mode(initrc_t)
-@@ -380,6 +538,7 @@
+@@ -380,6 +539,7 @@
auth_delete_pam_pid(initrc_t)
auth_delete_pam_console_data(initrc_t)
auth_use_nsswitch(initrc_t)
@@ -41945,7 +42072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
libs_rw_ld_so_cache(initrc_t)
libs_exec_lib_files(initrc_t)
-@@ -394,13 +553,14 @@
+@@ -394,13 +554,14 @@
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -41961,7 +42088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -473,7 +633,7 @@
+@@ -473,7 +634,7 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -41970,7 +42097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -519,6 +679,19 @@
+@@ -519,6 +680,19 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -41990,7 +42117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -526,10 +699,17 @@
+@@ -526,10 +700,17 @@
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -42008,7 +42135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -544,6 +724,35 @@
+@@ -544,6 +725,35 @@
')
')
@@ -42044,7 +42171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -556,6 +765,8 @@
+@@ -556,6 +766,8 @@
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -42053,7 +42180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -572,6 +783,7 @@
+@@ -572,6 +784,7 @@
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -42061,7 +42188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -584,6 +796,11 @@
+@@ -584,6 +797,11 @@
')
optional_policy(`
@@ -42073,7 +42200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -600,6 +817,9 @@
+@@ -600,6 +818,9 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -42083,7 +42210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -701,7 +921,13 @@
+@@ -701,7 +922,13 @@
')
optional_policy(`
@@ -42097,7 +42224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -724,6 +950,10 @@
+@@ -724,6 +951,10 @@
')
optional_policy(`
@@ -42108,7 +42235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -745,6 +975,10 @@
+@@ -745,6 +976,10 @@
')
optional_policy(`
@@ -42119,7 +42246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -766,8 +1000,6 @@
+@@ -766,8 +1001,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -42128,7 +42255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -776,14 +1008,21 @@
+@@ -776,14 +1009,21 @@
')
optional_policy(`
@@ -42150,7 +42277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1044,19 @@
+@@ -805,11 +1045,19 @@
')
optional_policy(`
@@ -42171,7 +42298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1066,25 @@
+@@ -819,6 +1067,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -42197,7 +42324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -844,3 +1110,59 @@
+@@ -844,3 +1111,59 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -42593,7 +42720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.9.7/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/iptables.te 2010-11-05 14:02:26.924654101 +0100
++++ serefpolicy-3.9.7/policy/modules/system/iptables.te 2011-01-19 17:05:39.017042745 +0100
@@ -13,9 +13,6 @@
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
@@ -42675,11 +42802,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
')
optional_policy(`
-@@ -124,6 +135,7 @@
+@@ -124,6 +135,8 @@
optional_policy(`
shorewall_rw_lib_files(iptables_t)
+ shorewall_read_tmp_files(iptables_t)
++ shorewall_read_config(iptables_t)
')
optional_policy(`
@@ -44578,7 +44706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.9.7/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/selinuxutil.if 2010-11-05 14:02:26.947900049 +0100
++++ serefpolicy-3.9.7/policy/modules/system/selinuxutil.if 2011-01-18 15:36:34.754042402 +0100
@@ -85,6 +85,10 @@
corecmd_search_bin($1)
@@ -44590,7 +44718,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
')
########################################
-@@ -361,6 +365,27 @@
+@@ -199,6 +203,10 @@
+ role $2 types newrole_t;
+
+ auth_run_upd_passwd(newrole_t, $2)
++
++ optional_policy(`
++ namespace_init_run(newrole_t, $2)
++ ')
+ ')
+
+ ########################################
+@@ -361,6 +369,27 @@
########################################
## <summary>
@@ -44618,7 +44757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
## Execute run_init in the run_init domain.
## </summary>
## <param name="domain">
-@@ -514,6 +539,10 @@
+@@ -514,6 +543,10 @@
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, setfiles_exec_t, setfiles_t)
@@ -44629,7 +44768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
')
########################################
-@@ -545,6 +574,53 @@
+@@ -545,6 +578,53 @@
########################################
## <summary>
@@ -44683,7 +44822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
## Execute setfiles in the caller domain.
## </summary>
## <param name="domain">
-@@ -690,6 +766,7 @@
+@@ -690,6 +770,7 @@
')
files_search_etc($1)
@@ -44691,7 +44830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
manage_files_pattern($1, selinux_config_t, selinux_config_t)
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
')
-@@ -1005,6 +1082,30 @@
+@@ -1005,6 +1086,30 @@
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, semanage_exec_t, semanage_t)
@@ -44722,7 +44861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
')
########################################
-@@ -1038,6 +1139,54 @@
+@@ -1038,6 +1143,54 @@
########################################
## <summary>
@@ -44777,7 +44916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
## Full management of the semanage
## module store.
## </summary>
-@@ -1149,3 +1298,194 @@
+@@ -1149,3 +1302,194 @@
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
@@ -44974,7 +45113,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.9.7/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/selinuxutil.te 2010-12-20 16:32:49.331042277 +0100
++++ serefpolicy-3.9.7/policy/modules/system/selinuxutil.te 2011-01-19 17:28:23.770042395 +0100
+@@ -1,4 +1,4 @@
+-policy_module(selinuxutil, 1.14.0)
++policy_module(selinuxutil, 1.14.1)
+
+ gen_require(`
+ bool secure_mode;
@@ -22,6 +22,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -45005,7 +45150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t)
-@@ -88,9 +91,14 @@
+@@ -88,26 +91,36 @@
type semanage_t;
type semanage_exec_t;
application_domain(semanage_t, semanage_exec_t)
@@ -45020,7 +45165,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
type semanage_store_t;
files_type(semanage_store_t)
-@@ -108,6 +116,11 @@
+ type semanage_read_lock_t;
+-files_type(semanage_read_lock_t)
++files_lock_file(semanage_read_lock_t)
+
+ type semanage_tmp_t;
+ files_tmp_file(semanage_tmp_t)
+
+ type semanage_trans_lock_t;
+-files_type(semanage_trans_lock_t)
++files_lock_file(semanage_trans_lock_t)
+
+ type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
+ type setfiles_exec_t alias restorecon_exec_t;
init_system_domain(setfiles_t, setfiles_exec_t)
domain_obj_id_change_exemption(setfiles_t)
@@ -45058,7 +45215,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
read_files_pattern(newrole_t, default_context_t, default_context_t)
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -260,25 +274,25 @@
+@@ -234,6 +248,7 @@
+ domain_sigchld_interactive_fds(newrole_t)
+
+ files_read_etc_files(newrole_t)
++files_list_var(newrole_t)
+ files_read_var_files(newrole_t)
+ files_read_var_symlinks(newrole_t)
+
+@@ -260,25 +275,25 @@
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
@@ -45090,7 +45255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(newrole_t)
-@@ -312,6 +326,8 @@
+@@ -312,6 +327,8 @@
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
@@ -45099,7 +45264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
fs_relabelfrom_noxattr_fs(restorecond_t)
fs_dontaudit_list_nfs(restorecond_t)
fs_getattr_xattr_fs(restorecond_t)
-@@ -335,6 +351,8 @@
+@@ -335,6 +352,8 @@
seutil_libselinux_linked(restorecond_t)
@@ -45108,7 +45273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
-@@ -353,7 +371,7 @@
+@@ -353,7 +372,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@@ -45117,7 +45282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
-@@ -380,6 +398,8 @@
+@@ -380,6 +399,8 @@
selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)
@@ -45126,7 +45291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
auth_domtrans_upd_passwd(run_init_t)
-@@ -405,6 +425,10 @@
+@@ -405,6 +426,10 @@
')
')
@@ -45137,7 +45302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -420,61 +444,22 @@
+@@ -420,190 +445,92 @@
# semodule local policy
#
@@ -45145,13 +45310,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
-allow semanage_t self:unix_dgram_socket create_socket_perms;
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-+seutil_semanage_policy(semanage_t)
-+allow semanage_t self:fifo_file rw_fifo_file_perms;
-
+-
-allow semanage_t policy_config_t:file rw_file_perms;
-+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-
+-
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
@@ -45162,9 +45323,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
-corecmd_exec_bin(semanage_t)
-
-dev_read_urand(semanage_t)
--
++seutil_semanage_policy(semanage_t)
++allow semanage_t self:fifo_file rw_fifo_file_perms;
+
-domain_use_interactive_fds(semanage_t)
--
++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+
-files_read_etc_files(semanage_t)
-files_read_etc_runtime_files(semanage_t)
-files_read_usr_files(semanage_t)
@@ -45186,11 +45351,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
-auth_use_nsswitch(semanage_t)
-
-locallogin_use_fds(semanage_t)
+-
+-logging_send_syslog_msg(semanage_t)
+# Admins are creating pp files in random locations
+auth_read_all_files_except_shadow(semanage_t)
--logging_send_syslog_msg(semanage_t)
--
-miscfiles_read_localization(semanage_t)
-
-seutil_libselinux_linked(semanage_t)
@@ -45207,7 +45372,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -483,12 +468,23 @@
++# Handle pp files created in homedir and /tmp
++userdom_read_user_home_content_files(semanage_t)
++userdom_read_user_tmp_files(semanage_t)
++
+ ifdef(`distro_debian',`
+ files_read_var_lib_files(semanage_t)
files_read_var_lib_symlinks(semanage_t)
')
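Review bot: `userdom_read_user_home_content_files(semanage_t)` and `userdom_read_user_tmp_files(semanage_t)` are now unconditional, while the `ifdef(`enable_mls',` split they replace (removed in the next hunk of this selinuxutil.te section) only granted them outside MLS builds and kept a narrower secadm-tmp grant for MLS. On an MLS policy this widens what semanage can read from every user's home and tmp directories. If that is intended, a comment next to `# Handle pp files created in homedir and /tmp` saying that the MLS split was dropped deliberately would stop the conditional being reinstated; otherwise the `ifdef` should be kept.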
@@ -45223,20 +45393,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
')
')
-+optional_policy(`
-+ #signal mcstrans on reload
-+ init_spec_domtrans_script(semanage_t)
-+')
-+
- # cjp: need a more general way to handle this:
- ifdef(`enable_mls',`
- # read secadm tmp files
-@@ -498,112 +494,54 @@
- userdom_read_user_tmp_files(semanage_t)
- ')
-
-+userdom_search_admin_dir(semanage_t)
-+
+-# cjp: need a more general way to handle this:
+-ifdef(`enable_mls',`
+- # read secadm tmp files
+-',`
+- # Handle pp files created in homedir and /tmp
+- userdom_read_user_home_content_files(semanage_t)
+- userdom_read_user_tmp_files(semanage_t)
+-')
+####################################n####
+#
+# setsebool local policy
@@ -45251,7 +45415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
-+
+
########################################
#
# Setfiles local policy
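Review bot: `init_spec_domtrans_script(semanage_t)` (with its `#signal mcstrans on reload` comment) and `userdom_search_admin_dir(semanage_t)` are dropped from the patch in this hunk, and neither the rewritten rules visible here nor the commit message accounts for them; losing the first would presumably stop semanage from signalling mcstrans on reload, and the second from searching the admin home where pp files are commonly built. If they were moved into the part of the rewritten `@@ -420,190 +445,92 @@` hunk that is not visible here this is fine; otherwise it looks like an accidental loss and the two lines should be restored. The banner `####################################n####` above `# setsebool local policy` also has a stray `n` in it.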
@@ -49503,7 +49667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.9.7/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/userdomain.te 2011-01-14 14:35:13.707042269 +0100
++++ serefpolicy-3.9.7/policy/modules/system/userdomain.te 2011-01-19 17:11:05.486042455 +0100
@@ -43,6 +43,13 @@
## <desc>
@@ -49518,7 +49682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Allow w to display everyone
## </p>
## </desc>
-@@ -59,6 +66,15 @@
+@@ -59,6 +66,17 @@
attribute untrusted_content_type;
attribute untrusted_content_tmp_type;
@@ -49530,11 +49694,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+files_associate_tmp(admin_home_t)
+fs_associate_tmpfs(admin_home_t)
+files_mountpoint(admin_home_t)
++files_poly_member(admin_home_t)
++files_poly_parent(admin_home_t)
+
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,21 +87,25 @@
+@@ -71,21 +89,25 @@
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -49561,7 +49727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
files_tmpfs_file(user_tmpfs_t)
-@@ -94,3 +114,25 @@
+@@ -94,3 +116,25 @@
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8f77bf1..d4bebb1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.7
-Release: 22%{?dist}
+Release: 23%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -154,6 +154,7 @@ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' .
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
+%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
@@ -471,6 +472,13 @@ exit 0
%endif
%changelog
+* Wed Jan 19 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-23
+- Add puppetmaster_uses_db boolean
+- Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on
+- sandbox fixes
+- Allow shorewall to read iptables conf files
+- Add sepgsql fixes from KaiGai Kohei
+
* Fri Jan 14 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-22
- Add namespace policy
- Update for screen policy to handle pipe in homedir