[selinux-policy/f13/master] - Fixes for newrole_t domain related to namespace.init - Add puppetmaster_uses_db boolean - Add orac

Miroslav Grepl mgrepl at fedoraproject.org
Wed Jan 19 18:28:51 UTC 2011


commit 14f4c11b823ee8bbfc9fbf562da568e452845c74
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Jan 19 19:28:50 2011 +0000

    - Fixes for newrole_t domain related to namespace.init
    - Add puppetmaster_uses_db boolean
    - Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on
    - sandbox fixes
    - Add sepgsql fixes from KaiGai Kohei

 policy-F13.patch    | 1168 +++++++++++++++++++++++++++++++++++++++++++++++----
 selinux-policy.spec |   10 +-
 2 files changed, 1105 insertions(+), 73 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index cbd7ab5..ebd6186 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -1,12 +1,144 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/sepgsql_contexts serefpolicy-3.7.19/config/appconfig-mcs/sepgsql_contexts
+--- nsaserefpolicy/config/appconfig-mcs/sepgsql_contexts	1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/config/appconfig-mcs/sepgsql_contexts	2011-01-19 19:02:35.494057572 +0100
+@@ -0,0 +1,40 @@
++#
++# Initial security label for SE-PostgreSQL (MCS)
++#
++
++# <databases>
++db_database	*			system_u:object_r:sepgsql_db_t:s0
++
++# <schemas>
++db_schema	*.*			system_u:object_r:sepgsql_schema_t:s0
++
++# <tables>
++db_table	*.pg_catalog.*		system_u:object_r:sepgsql_sysobj_t:s0
++db_table	*.*.*			system_u:object_r:sepgsql_table_t:s0
++
++# <column>
++db_column	*.pg_catalog.*.*	system_u:object_r:sepgsql_sysobj_t:s0
++db_column	*.*.*.*			system_u:object_r:sepgsql_table_t:s0
++
++# <sequences>
++db_sequence	*.*.*			system_u:object_r:sepgsql_seq_t:s0
++
++# <views>
++db_view		*.*.*			system_u:object_r:sepgsql_view_t:s0
++
++# <procedures>
++db_procedure	*.*.*			system_u:object_r:sepgsql_proc_exec_t:s0
++
++# <tuples>
++db_tuple	*.pg_catalog.*		system_u:object_r:sepgsql_sysobj_t:s0
++db_tuple	*.*.*			system_u:object_r:sepgsql_table_t:s0
++
++# <blobs>
++db_blobs	*.*			system_u:object_r:sepgsql_blob_t:s0
++
++# <language>
++db_language	*.sql			system_u:object_r:sepgsql_safe_lang_t:s0
++db_language	*.plpgsql		system_u:object_r:sepgsql_safe_lang_t:s0
++db_language	*.pltcl			system_u:object_r:sepgsql_safe_lang_t:s0
++db_language	*.plperl		system_u:object_r:sepgsql_safe_lang_t:s0
++db_language	*.*			system_u:object_r:sepgsql_lang_t:s0
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/sepgsql_contexts serefpolicy-3.7.19/config/appconfig-mls/sepgsql_contexts
+--- nsaserefpolicy/config/appconfig-mls/sepgsql_contexts	1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/config/appconfig-mls/sepgsql_contexts	2011-01-19 19:02:35.494057572 +0100
+@@ -0,0 +1,40 @@
++#
++# Initial security label for SE-PostgreSQL (MLS)
++#
++
++# <databases>
++db_database	*			system_u:object_r:sepgsql_db_t:s0
++
++# <schemas>
++db_schema	*.*			system_u:object_r:sepgsql_schema_t:s0
++
++# <tables>
++db_table	*.pg_catalog.*		system_u:object_r:sepgsql_sysobj_t:s0
++db_table	*.*.*			system_u:object_r:sepgsql_table_t:s0
++
++# <column>
++db_column	*.pg_catalog.*.*	system_u:object_r:sepgsql_sysobj_t:s0
++db_column	*.*.*.*			system_u:object_r:sepgsql_table_t:s0
++
++# <sequences>
++db_sequence	*.*.*			system_u:object_r:sepgsql_seq_t:s0
++
++# <views>
++db_view		*.*.*			system_u:object_r:sepgsql_view_t:s0
++
++# <procedures>
++db_procedure	*.*.*			system_u:object_r:sepgsql_proc_exec_t:s0
++
++# <tuples>
++db_tuple	*.pg_catalog.*		system_u:object_r:sepgsql_sysobj_t:s0
++db_tuple	*.*.*			system_u:object_r:sepgsql_table_t:s0
++
++# <blobs>
++db_blobs	*.*			system_u:object_r:sepgsql_blob_t:s0
++
++# <language>
++db_language	*.sql			system_u:object_r:sepgsql_safe_lang_t:s0
++db_language	*.plpgsql		system_u:object_r:sepgsql_safe_lang_t:s0
++db_language	*.pltcl			system_u:object_r:sepgsql_safe_lang_t:s0
++db_language	*.plperl		system_u:object_r:sepgsql_safe_lang_t:s0
++db_language	*.*			system_u:object_r:sepgsql_lang_t:s0
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/sepgsql_contexts serefpolicy-3.7.19/config/appconfig-standard/sepgsql_contexts
+--- nsaserefpolicy/config/appconfig-standard/sepgsql_contexts	1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/config/appconfig-standard/sepgsql_contexts	2011-01-19 19:02:35.495292665 +0100
+@@ -0,0 +1,40 @@
++#
++# Initial security label for SE-PostgreSQL (none-MLS)
++#
++
++# <databases>
++db_database	*			system_u:object_r:sepgsql_db_t
++
++# <schemas>
++db_schema	*.*			system_u:object_r:sepgsql_schema_t
++
++# <tables>
++db_table	*.pg_catalog.*		system_u:object_r:sepgsql_sysobj_t
++db_table	*.*.*			system_u:object_r:sepgsql_table_t
++
++# <column>
++db_column	*.pg_catalog.*.*	system_u:object_r:sepgsql_sysobj_t
++db_column	*.*.*.*			system_u:object_r:sepgsql_table_t
++
++# <sequences>
++db_sequence	*.*.*			system_u:object_r:sepgsql_seq_t
++
++# <views>
++db_view		*.*.*			system_u:object_r:sepgsql_view_t
++
++# <procedures>
++db_procedure	*.*.*			system_u:object_r:sepgsql_proc_exec_t
++
++# <tuples>
++db_tuple	*.pg_catalog.*		system_u:object_r:sepgsql_sysobj_t
++db_tuple	*.*.*			system_u:object_r:sepgsql_table_t
++
++# <blobs>
++db_blobs	*.*			system_u:object_r:sepgsql_blob_t
++
++# <language>
++db_language	*.sql			system_u:object_r:sepgsql_safe_lang_t
++db_language	*.plpgsql		system_u:object_r:sepgsql_safe_lang_t
++db_language	*.pltcl			system_u:object_r:sepgsql_safe_lang_t
++db_language	*.plperl		system_u:object_r:sepgsql_safe_lang_t
++db_language	*.*			system_u:object_r:sepgsql_lang_t
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.19/Makefile
 --- nsaserefpolicy/Makefile	2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/Makefile	2010-05-28 09:41:59.942610848 +0200
++++ serefpolicy-3.7.19/Makefile	2011-01-19 19:02:35.498308180 +0100
 @@ -244,7 +244,7 @@
  appdir := $(contextpath)
  user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
  user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
 -appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
-+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
  net_contexts := $(builddir)net_contexts
  
  all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
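Review bot: In all three new sepgsql_contexts files the large-object entry is keyed `db_blobs` (`db_blobs	*.*	system_u:object_r:sepgsql_blob_t:s0`), while every other keyword in the file matches its object class name exactly and the class is spelled `db_blob` elsewhere in this same patch (the `mlsconstrain db_blob` rules in policy/mcs and the `class db_blob` require in kernel.if). If the consumer of this file matches the keyword against the class name, that line would be skipped rather than rejected, so the blob label would silently not apply; confirm the expected spelling and use `db_blob` unless the plural form is what the loader expects. The mcs and mls variants are byte-identical apart from the header comment, so a short comment in the mls file noting that ranges are deliberately `s0` only would save the next reader from assuming a copy-paste mistake.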
@@ -31,6 +163,56 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 sere
  
  .SH BOOLEANS
  .PP
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.7.19/policy/flask/access_vectors
+--- nsaserefpolicy/policy/flask/access_vectors	2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/flask/access_vectors	2011-01-19 19:02:35.500042367 +0100
+@@ -816,3 +816,32 @@
+ 
+ class x_keyboard
+ inherits x_device
++
++class db_schema
++inherits database
++{
++    search
++    add_name
++    remove_name
++}
++
++class db_view
++inherits database
++{
++    expand
++}
++
++class db_sequence
++inherits database
++{
++    get_value
++    next_value
++    set_value
++}
++
++class db_language
++inherits database
++{
++    implement
++    execute
++}
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/security_classes serefpolicy-3.7.19/policy/flask/security_classes
+--- nsaserefpolicy/policy/flask/security_classes	2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/flask/security_classes	2011-01-19 19:02:35.501042440 +0100
+@@ -125,4 +125,10 @@
+ class x_pointer			# userspace
+ class x_keyboard		# userspace
+ 
++# More Database stuff
++class db_schema         # userspace
++class db_view           # userspace
++class db_sequence       # userspace
++class db_language       # userspace
++ 
+ # FLASK
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.19/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/global_tunables	2011-01-18 18:06:48.149053065 +0100
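Review bot: The four new `class db_*` lines in policy/flask/security_classes are padded with spaces whereas the neighbouring `class x_pointer` / `class x_keyboard` lines use tabs, and the separator line added after them carries a trailing space; use tabs and a genuinely empty line so the file stays uniform. The `# More Database stuff` header could say what the group is, e.g. `# SE-PostgreSQL object classes (schema, view, sequence, language)`. The access_vectors additions in this hunk look consistent with the permission sets that the policy/mcs and policy/mls hunks constrain later in the patch.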
@@ -85,7 +267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.19/policy/mcs
 --- nsaserefpolicy/policy/mcs	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/mcs	2010-09-23 12:57:46.199386949 +0200
++++ serefpolicy-3.7.19/policy/mcs	2011-01-19 19:02:35.502042304 +0100
 @@ -86,10 +86,10 @@
  	(( h1 dom h2 ) and ( l2 eq h2 ));
  
@@ -99,7 +281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.1
  	(( h1 dom h2 ) and ( l2 eq h2 ));
  
  mlsconstrain process { transition dyntransition }
-@@ -101,6 +101,9 @@
+@@ -101,13 +101,16 @@
  mlsconstrain process { sigkill sigstop }
  	(( h1 dom h2 ) or ( t1 == mcskillall ));
  
@@ -109,9 +291,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.1
  #
  # MCS policy for SELinux-enabled databases
  #
+ 
+ # Any database object must be dominated by the relabeling subject
+ # clearance, also the objects are single-level.
+-mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto }
++mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
+ 	(( h1 dom h2 ) and ( l2 eq h2 ));
+ 
+ mlsconstrain { db_tuple } { insert relabelto }
+@@ -117,6 +120,9 @@
+ mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
+ 	( h1 dom h2 );
+ 
++mlsconstrain db_language { drop getattr setattr relabelfrom execute }
++	( h1 dom h2 );
++
+ mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
+ 	( h1 dom h2 );
+ 
+@@ -126,9 +132,18 @@
+ mlsconstrain db_tuple { relabelfrom select update delete use }
+ 	( h1 dom h2 );
+ 
+-mlsconstrain db_procedure { drop getattr setattr execute install }
++mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value set_value }
++	( h1 dom h2 );
++
++mlsconstrain db_view { drop getattr setattr relabelfrom expand }
++	( h1 dom h2 );
++
++mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install }
+ 	( h1 dom h2 );
+ 
++mlsconstrain db_language { drop getattr setattr relabelfrom execute }
++ 	( h1 dom h2 );
++
+ mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
+ 	( h1 dom h2 );
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.7.19/policy/mls
 --- nsaserefpolicy/policy/mls	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/mls	2010-05-28 09:41:59.943612109 +0200
++++ serefpolicy-3.7.19/policy/mls	2011-01-19 19:02:35.504042381 +0100
 @@ -208,12 +208,14 @@
  	(( l1 eq l2 ) or 
  	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
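Review bot: `mlsconstrain db_language { drop getattr setattr relabelfrom execute }` is added twice to policy/mcs: once after the db_database rule (inner hunk `@@ -117,6 +120,9 @@`) and again after the db_procedure rule (inner hunk `@@ -126,9 +132,18 @@`). Duplicate constraints are accepted by the compiler but only add noise, and the second copy's continuation line is indented with a space before the tab (`+ 	( h1 dom h2 );`) unlike the rest of the file; drop the second block. The rest of the hunk matches the class list change made on the `create relabelto` rule at the top of the section.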
@@ -127,6 +347,124 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.7.1
  	 ( t1 == mlsnetwrite ));
  
  # these access vectors have no MLS restrictions
+@@ -725,13 +727,13 @@
+ #
+ 
+ # make sure these database classes are "single level"
+-mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto }
++mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
+ 	( l2 eq h2 );
+ mlsconstrain { db_tuple } { insert relabelto }
+ 	( l2 eq h2 );
+ 
+ # new database labels must be dominated by the relabeling subjects clearance
+-mlsconstrain { db_database db_table db_procedure db_column db_tuple db_blob } { relabelto }
++mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto }
+ 	( h1 dom h2 );
+ 
+ # the database "read" ops (note the check is dominance of the low level)
+@@ -741,6 +743,12 @@
+ 	 ( t1 == mlsdbread ) or
+ 	 ( t2 == mlstrustedobject ));
+ 
++mlsconstrain { db_schema } { getattr search }
++	(( l1 dom l2 ) or
++	 (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
++	 ( t1 == mlsdbread ) or
++	 ( t2 == mlstrustedobject ));
++
+ mlsconstrain { db_table } { getattr use select lock }
+ 	(( l1 dom l2 ) or
+ 	 (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+@@ -753,12 +761,30 @@
+ 	 ( t1 == mlsdbread ) or
+ 	 ( t2 == mlstrustedobject ));
+ 
++mlsconstrain { db_sequence } { getattr get_value next_value }
++	(( l1 dom l2 ) or
++	 (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
++	 ( t1 == mlsdbread ) or
++	 ( t2 == mlstrustedobject ));
++
++mlsconstrain { db_view } { getattr expand }
++	(( l1 dom l2 ) or
++	 (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
++	 ( t1 == mlsdbread ) or
++	 ( t2 == mlstrustedobject ));
++
+ mlsconstrain { db_procedure } { getattr execute install }
+ 	(( l1 dom l2 ) or
+ 	 (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ 	 ( t1 == mlsdbread ) or
+ 	 ( t2 == mlstrustedobject ));
+ 
++mlsconstrain { db_language } { getattr execute }
++	(( l1 dom l2 ) or
++	 (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
++	 ( t1 == mlsdbread ) or
++	 ( t2 == mlstrustedobject ));
++
+ mlsconstrain { db_blob } { getattr read export }
+ 	(( l1 dom l2 ) or
+ 	 (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+@@ -779,6 +805,13 @@
+ 	 ( t1 == mlsdbwrite ) or
+ 	 ( t2 == mlstrustedobject ));
+ 
++mlsconstrain { db_schema } { create drop setattr relabelfrom add_name remove_name }
++	(( l1 eq l2 ) or
++	 (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
++	 (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
++	 ( t1 == mlsdbwrite ) or
++	 ( t2 == mlstrustedobject ));
++
+ mlsconstrain { db_table } { create drop setattr relabelfrom update insert delete }
+ 	(( l1 eq l2 ) or
+ 	 (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+@@ -793,6 +826,20 @@
+ 	 ( t1 == mlsdbwrite ) or
+ 	 ( t2 == mlstrustedobject ));
+ 
++mlsconstrain { db_sequence } { create drop setattr relabelfrom set_value }
++    (( l1 eq l2 ) or
++     (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
++     (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
++     ( t1 == mlsdbwrite ) or
++     ( t2 == mlstrustedobject ));
++
++mlsconstrain { db_view } { create drop setattr relabelfrom }
++    (( l1 eq l2 ) or
++     (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
++     (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
++     ( t1 == mlsdbwrite ) or
++     ( t2 == mlstrustedobject ));
++
+ mlsconstrain { db_procedure } { create drop setattr relabelfrom }
+ 	(( l1 eq l2 ) or
+ 	 (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+@@ -800,6 +847,13 @@
+ 	 ( t1 == mlsdbwrite ) or
+ 	 ( t2 == mlstrustedobject ));
+ 
++mlsconstrain { db_language } { create drop setattr relabelfrom }
++	(( l1 eq l2 ) or
++	 (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
++	 (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
++	 ( t1 == mlsdbwrite ) or
++	 ( t2 == mlstrustedobject ));
++
+ mlsconstrain { db_blob } { create drop setattr relabelfrom write import }
+ 	(( l1 eq l2 ) or
+ 	 (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+@@ -815,7 +869,7 @@
+ 	 ( t2 == mlstrustedobject ));
+ 
+ # the database upgrade/downgrade rule
+-mlsvalidatetrans { db_database db_table db_procedure db_column db_tuple db_blob }
++mlsvalidatetrans { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob }
+ 	((( l1 eq l2 ) or
+ 	  (( t3 == mlsdbupgrade ) and ( l1 domby l2 )) or
+ 	  (( t3 == mlsdbdowngrade ) and ( l1 dom l2 )) or
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.fc serefpolicy-3.7.19/policy/modules/admin/accountsd.fc
 --- nsaserefpolicy/policy/modules/admin/accountsd.fc	1970-01-01 01:00:00.000000000 +0100
 +++ serefpolicy-3.7.19/policy/modules/admin/accountsd.fc	2010-05-28 09:41:59.944611136 +0200
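Review bot: `implement`, declared on `class db_language` in the access_vectors hunk, appears in neither the new read constraint `mlsconstrain { db_language } { getattr execute }` nor the write constraint `mlsconstrain { db_language } { create drop setattr relabelfrom }`, so it is the only newly introduced permission with no MLS restriction; confirm that is intended and otherwise add it to the write set. `next_value` is placed in the db_sequence read rule (`mlsconstrain { db_sequence } { getattr get_value next_value }`); if it corresponds to advancing the sequence it modifies the object, and the read rule would let a higher-level subject alter a lower-level sequence that the write rule `{ create drop setattr relabelfrom set_value }` otherwise guards, so either move it or add a comment stating why it is treated as a read. The new db_sequence and db_view write blocks are indented with four spaces while every surrounding rule uses a tab.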
@@ -12112,7 +12450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.19/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if	2011-01-18 18:03:04.576041170 +0100
++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if	2011-01-19 19:02:35.507042391 +0100
 @@ -534,6 +534,37 @@
  
  ########################################
@@ -12235,7 +12573,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  ########################################
  ## <summary>
  ##	Do not audit attempts by caller to get attributes for
-@@ -2792,6 +2877,24 @@
+@@ -2775,16 +2860,24 @@
+ 	gen_require(`
+ 		type unlabeled_t;
+ 		class db_database { setattr relabelfrom };
++		class db_schema { setattr relabelfrom };
+ 		class db_table { setattr relabelfrom };
++		class db_sequence { setattr relabelfrom };
++		class db_view { setattr relabelfrom };
+ 		class db_procedure { setattr relabelfrom };
++		class db_language { setattr relabelfrom };
+ 		class db_column { setattr relabelfrom };
+ 		class db_tuple { update relabelfrom };
+ 		class db_blob { setattr relabelfrom };
+ 	')
+ 
+ 	allow $1 unlabeled_t:db_database { setattr relabelfrom };
++	allow $1 unlabeled_t:db_schema { setattr relabelfrom };
+ 	allow $1 unlabeled_t:db_table { setattr relabelfrom };
++	allow $1 unlabeled_t:db_sequence { setattr relabelfrom };
++	allow $1 unlabeled_t:db_view { setattr relabelfrom };
+ 	allow $1 unlabeled_t:db_procedure { setattr relabelfrom };
++	allow $1 unlabeled_t:db_language { setattr relabelfrom };
+ 	allow $1 unlabeled_t:db_column { setattr relabelfrom };
+ 	allow $1 unlabeled_t:db_tuple { update relabelfrom };
+ 	allow $1 unlabeled_t:db_blob { setattr relabelfrom };
+@@ -2792,6 +2885,24 @@
  
  ########################################
  ## <summary>
@@ -12260,7 +12623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2807,3 +2910,23 @@
+@@ -2807,3 +2918,23 @@
  
  	typeattribute $1 kern_unconfined;
  ')
@@ -12913,7 +13276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.19/policy/modules/roles/sysadm.te
 --- nsaserefpolicy/policy/modules/roles/sysadm.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te	2010-08-13 09:46:40.562085238 +0200
++++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te	2011-01-19 18:18:43.216042333 +0100
 @@ -28,17 +28,29 @@
  
  corecmd_exec_shell(sysadm_t)
@@ -12963,19 +13326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  ')
  
  optional_policy(`
-@@ -86,9 +101,11 @@
- 	auditadm_role_change(sysadm_r)
- ')
- 
-+ifndef(`distro_redhat',`
- optional_policy(`
- 	auth_role(sysadm_r, sysadm_t)
- ')
-+')
- 
- optional_policy(`
- 	backup_run(sysadm_t, sysadm_r)
-@@ -98,17 +115,25 @@
+@@ -98,17 +113,25 @@
  	bind_run_ndc(sysadm_t, sysadm_r)
  ')
  
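Review bot: Removing the inner hunk that wrapped `auth_role(sysadm_r, sysadm_t)` in an `ifndef` on `distro_redhat` re-enables that role grant on Red Hat builds, which changes what sysadm_r may do yet is not mentioned in the commit message. If this is part of the newrole_t / namespace.init fix, a changelog line saying so (`- Enable auth_role for sysadm_r again`) would make the intent reviewable; if not, it looks like an accidental loss of the distro conditional. The remaining sysadm.te hunks in this section only renumber hunk headers.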
@@ -13001,7 +13352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	certwatch_run(sysadm_t, sysadm_r)
-@@ -126,16 +151,18 @@
+@@ -126,16 +149,18 @@
  	consoletype_run(sysadm_t, sysadm_r)
  ')
  
@@ -13022,7 +13373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  ')
  
  optional_policy(`
-@@ -165,9 +192,11 @@
+@@ -165,9 +190,11 @@
  	ethereal_run_tethereal(sysadm_t, sysadm_r)
  ')
  
@@ -13034,7 +13385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	firstboot_run(sysadm_t, sysadm_r)
-@@ -177,6 +206,7 @@
+@@ -177,6 +204,7 @@
  	fstools_run(sysadm_t, sysadm_r)
  ')
  
@@ -13042,7 +13393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  optional_policy(`
  	games_role(sysadm_r, sysadm_t)
  ')
-@@ -192,6 +222,7 @@
+@@ -192,6 +220,7 @@
  optional_policy(`
  	gpg_role(sysadm_r, sysadm_t)
  ')
@@ -13050,7 +13401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	hostname_run(sysadm_t, sysadm_r)
-@@ -205,6 +236,13 @@
+@@ -205,6 +234,13 @@
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -13064,7 +13415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  ')
  
  optional_policy(`
-@@ -212,12 +250,18 @@
+@@ -212,12 +248,18 @@
  ')
  
  optional_policy(`
@@ -13083,7 +13434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	kudzu_run(sysadm_t, sysadm_r)
-@@ -227,9 +271,11 @@
+@@ -227,9 +269,11 @@
  	libs_run_ldconfig(sysadm_t, sysadm_r)
  ')
  
@@ -13095,7 +13446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	logrotate_run(sysadm_t, sysadm_r)
-@@ -252,8 +298,10 @@
+@@ -252,8 +296,10 @@
  
  optional_policy(`
  	mount_run(sysadm_t, sysadm_r)
@@ -13106,7 +13457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  optional_policy(`
  	mozilla_role(sysadm_r, sysadm_t)
  ')
-@@ -261,6 +309,7 @@
+@@ -261,6 +307,7 @@
  optional_policy(`
  	mplayer_role(sysadm_r, sysadm_t)
  ')
@@ -13114,7 +13465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	mta_role(sysadm_r, sysadm_t)
-@@ -275,6 +324,10 @@
+@@ -275,6 +322,10 @@
  ')
  
  optional_policy(`
@@ -13125,7 +13476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  	netutils_run(sysadm_t, sysadm_r)
  	netutils_run_ping(sysadm_t, sysadm_r)
  	netutils_run_traceroute(sysadm_t, sysadm_r)
-@@ -308,8 +361,14 @@
+@@ -308,8 +359,14 @@
  ')
  
  optional_policy(`
@@ -13140,7 +13491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	quota_run(sysadm_t, sysadm_r)
-@@ -319,9 +378,11 @@
+@@ -319,9 +376,11 @@
  	raid_domtrans_mdadm(sysadm_t)
  ')
  
@@ -13152,7 +13503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	rpc_domtrans_nfsd(sysadm_t)
-@@ -331,9 +392,11 @@
+@@ -331,9 +390,11 @@
  	rpm_run(sysadm_t, sysadm_r)
  ')
  
@@ -13164,7 +13515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	rsync_exec(sysadm_t)
-@@ -358,8 +421,14 @@
+@@ -358,8 +419,14 @@
  ')
  
  optional_policy(`
@@ -13179,7 +13530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	ssh_role_template(sysadm, sysadm_r, sysadm_t)
-@@ -382,9 +451,11 @@
+@@ -382,9 +449,11 @@
  	sysnet_run_dhcpc(sysadm_t, sysadm_r)
  ')
  
@@ -13191,7 +13542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	tripwire_run_siggen(sysadm_t, sysadm_r)
-@@ -393,17 +464,21 @@
+@@ -393,17 +462,21 @@
  	tripwire_run_twprint(sysadm_t, sysadm_r)
  ')
  
@@ -13213,7 +13564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	unconfined_domtrans(sysadm_t)
-@@ -417,9 +492,11 @@
+@@ -417,9 +490,11 @@
  	usbmodules_run(sysadm_t, sysadm_r)
  ')
  
@@ -13225,7 +13576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
-@@ -427,9 +504,15 @@
+@@ -427,9 +502,15 @@
  	usermanage_run_useradd(sysadm_t, sysadm_r)
  ')
  
@@ -13241,7 +13592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	vpn_run(sysadm_t, sysadm_r)
-@@ -440,13 +523,30 @@
+@@ -440,13 +521,30 @@
  ')
  
  optional_policy(`
@@ -18891,6 +19242,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
  optional_policy(`
  	gpsd_rw_shm(chronyd_t)
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.7.19/policy/modules/services/clamav.fc
+--- nsaserefpolicy/policy/modules/services/clamav.fc	2010-04-13 20:44:36.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/clamav.fc	2011-01-19 17:06:42.240041373 +0100
+@@ -10,6 +10,7 @@
+ 
+ /var/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
+ /var/lib/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
++/var/lib/clamd.*			gen_context(system_u:object_r:clamd_var_lib_t,s0)
+ /var/log/clamav.*			gen_context(system_u:object_r:clamd_var_log_t,s0)
+ /var/log/clamav/freshclam.*	--	gen_context(system_u:object_r:freshclam_var_log_t,s0)
+ /var/log/clamd.*			gen_context(system_u:object_r:clamd_var_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.7.19/policy/modules/services/clamav.if
 --- nsaserefpolicy/policy/modules/services/clamav.if	2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/services/clamav.if	2010-10-18 15:38:09.251650866 +0200
@@ -19434,7 +19796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
 -/var/log/cobbler(/.*)?		gen_context(system_u:object_r:cobbler_var_log_t, s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.19/policy/modules/services/cobbler.if
 --- nsaserefpolicy/policy/modules/services/cobbler.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/cobbler.if	2010-12-01 13:47:12.420292540 +0100
++++ serefpolicy-3.7.19/policy/modules/services/cobbler.if	2011-01-19 17:25:53.443041687 +0100
 @@ -1,12 +1,12 @@
  ## <summary>Cobbler installation server.</summary>
  ## <desc>
@@ -19503,7 +19865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
  	')
  
 -	read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);
-+	list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++	list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
  	files_search_etc($1)
  ')
  
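Review bot: The corrected line `list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)` still replaces the removed `read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);`, so within the three lines of context visible here the interface grants directory listing on the config type but no file read; only part of the interface body is shown, so if the read rule was re-added above this context this is fine, otherwise callers that read cobbler configuration will be denied. A one-line comment such as `# read-only access to cobbler configuration under /etc` above the rules would make the intended access obvious. The enclosing interface starts outside the hunk.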
@@ -30853,7 +31215,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.19/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/postfix.if	2010-10-13 09:17:37.947649885 +0200
++++ serefpolicy-3.7.19/policy/modules/services/postfix.if	2011-01-19 11:28:09.917041062 +0100
+@@ -35,7 +35,7 @@
+ 	role system_r types postfix_$1_t;
+ 
+ 	dontaudit postfix_$1_t self:capability sys_tty_config;
+-	allow postfix_$1_t self:process { signal_perms setpgid };
++	allow postfix_$1_t self:process { signal_perms setpgid setsched };
+ 	allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
+ 	allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
+ 	allow postfix_$1_t self:unix_stream_socket connectto;
 @@ -46,6 +46,7 @@
  
  	allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
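Review bot: `setsched` is added to `allow postfix_$1_t self:process { signal_perms setpgid setsched };` inside the postfix domain template, so every postfix_*_t domain instantiated from it gains the permission rather than only the daemon that needed it. If a single daemon requires it, the rule belongs in that domain's block in postfix.te; if all of them do, a one-line comment naming the daemon or the denial that motivated it would keep the template readable. The addition is also not listed in the commit message.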
@@ -31688,8 +32059,241 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.19/policy/modules/services/postgresql.if
 --- nsaserefpolicy/policy/modules/services/postgresql.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/postgresql.if	2010-09-16 15:28:46.998386775 +0200
-@@ -312,10 +312,8 @@
++++ serefpolicy-3.7.19/policy/modules/services/postgresql.if	2011-01-19 19:02:35.510042541 +0100
+@@ -10,7 +10,7 @@
+ ##	</summary>
+ ## </param>
+ ## <param name="user_domain">
+-## 	<summary>
++##	<summary>
+ ##	The type of the user domain.
+ ##	</summary>
+ ## </param>
+@@ -18,18 +18,24 @@
+ interface(`postgresql_role',`
+ 	gen_require(`
+ 		class db_database all_db_database_perms;
++		class db_schema all_db_schema_perms;
+ 		class db_table all_db_table_perms;
++		class db_sequence all_db_sequence_perms;
++		class db_view all_db_view_perms;
+ 		class db_procedure all_db_procedure_perms;
++		class db_language all_db_language_perms;
+ 		class db_column all_db_column_perms;
+ 		class db_tuple all_db_tuple_perms;
+ 		class db_blob all_db_blob_perms;
+ 
+ 		attribute sepgsql_client_type, sepgsql_database_type;
+-		attribute sepgsql_sysobj_table_type;
++		attribute sepgsql_schema_type, sepgsql_sysobj_table_type;
+ 
+ 		type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t;
+ 		type user_sepgsql_blob_t, user_sepgsql_proc_exec_t;
++		type user_sepgsql_schema_t, user_sepgsql_seq_t;
+ 		type user_sepgsql_sysobj_t, user_sepgsql_table_t;
++		type user_sepgsql_view_t;
+ 	')
+ 
+ 	########################################
+@@ -45,30 +51,44 @@
+ 	# Client local policy
+ 	#
+ 
+-	tunable_policy(`sepgsql_enable_users_ddl',`
+-		allow $2 user_sepgsql_table_t:db_table { create drop setattr };
+-		allow $2 user_sepgsql_table_t:db_column { create drop setattr };
+ 
+-		allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
+-		allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+-	')
++	allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
++	type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
+ 
+ 	allow $2 user_sepgsql_table_t:db_table	{ getattr use select update insert delete lock };
+ 	allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
+ 	allow $2 user_sepgsql_table_t:db_tuple	{ use select update insert delete };
+-	type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;
++	type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;		# deprecated
++	type_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t;
+ 
+ 	allow $2 user_sepgsql_sysobj_t:db_tuple	{ use select };
+ 	type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
+ 
++	allow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value };
++	type_transition $2 sepgsql_schema_type:db_sequence user_sepgsql_seq_t;
++
++	allow $2 user_sepgsql_view_t:db_view { getattr expand };
++	type_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t;
++
+ 	allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
+-	type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
++	type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;	# deprecated
++	type_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t;
+ 
+ 	allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
+ 	type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
+ 
+ 	allow $2 sepgsql_trusted_proc_t:process transition;
+ 	type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
++
++	tunable_policy(`sepgsql_enable_users_ddl',`
++		allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
++		allow $2 user_sepgsql_table_t:db_table { create drop setattr };
++		allow $2 user_sepgsql_table_t:db_column { create drop setattr };
++		allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
++		allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
++		allow $2 user_sepgsql_view_t:db_view { create drop setattr };
++		allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
++	')
+ ')
+ 
+ ########################################
+@@ -109,6 +129,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Marks as a SE-PostgreSQL schema object type
++## </summary>
++## <param name="type">
++##	<summary>
++##	Type marked as a schema object type.
++##	</summary>
++## </param>
++#
++interface(`postgresql_schema_object',`
++	gen_require(`
++		attribute sepgsql_schema_type;
++	')
++
++	typeattribute $1 sepgsql_schema_type;
++')
++
++########################################
++## <summary>
+ ##	Marks as a SE-PostgreSQL table/column/tuple object type
+ ## </summary>
+ ## <param name="type">
+@@ -146,6 +184,42 @@
+ 
+ ########################################
+ ## <summary>
++##	Marks as a SE-PostgreSQL sequence type
++## </summary>
++## <param name="type">
++##	<summary>
++##	Type marked as a sequence type.
++##	</summary>
++## </param>
++#
++interface(`postgresql_sequence_object',`
++	gen_require(`
++		attribute sepgsql_sequence_type;
++	')
++
++	typeattribute $1 sepgsql_sequence_type;
++')
++
++########################################
++## <summary>
++##	Marks as a SE-PostgreSQL view object type
++## </summary>
++## <param name="type">
++##	<summary>
++##	Type marked as a view object type.
++##	</summary>
++## </param>
++#
++interface(`postgresql_view_object',`
++	gen_require(`
++		attribute sepgsql_view_type;
++	')
++
++	typeattribute $1 sepgsql_view_type;
++')
++
++########################################
++## <summary>
+ ##	Marks as a SE-PostgreSQL procedure object type
+ ## </summary>
+ ## <param name="type">
+@@ -164,6 +238,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Marks as a SE-PostgreSQL procedural language object type
++## </summary>
++## <param name="type">
++##	<summary>
++##	Type marked as a procedural language object type.
++##	</summary>
++## </param>
++#
++interface(`postgresql_language_object',`
++	gen_require(`
++		attribute sepgsql_language_type;
++	')
++
++	typeattribute $1 sepgsql_language_type;
++')
++
++########################################
++## <summary>
+ ##	Marks as a SE-PostgreSQL binary large object type
+ ## </summary>
+ ## <param name="type">
+@@ -195,7 +287,7 @@
+ 		type postgresql_db_t;
+ 	')
+ 
+-	allow $1 postgresql_db_t:dir search;
++	allow $1 postgresql_db_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+@@ -207,6 +299,7 @@
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++#
+ interface(`postgresql_manage_db',`
+ 	gen_require(`
+ 		type postgresql_db_t;
+@@ -214,7 +307,7 @@
+ 
+ 	allow $1 postgresql_db_t:dir rw_dir_perms;
+ 	allow $1 postgresql_db_t:file rw_file_perms;
+-	allow $1 postgresql_db_t:lnk_file { getattr read };
++	allow $1 postgresql_db_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -223,7 +316,7 @@
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	The type of the process performing this action.
++##	Domain allowed to transition.
+ ##	</summary>
+ ## </param>
+ #
+@@ -241,7 +334,7 @@
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+@@ -304,7 +397,6 @@
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`postgresql_stream_connect',`
+ 	gen_require(`
+@@ -312,10 +404,8 @@
  	')
  
  	files_search_pids($1)
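Review bot: In postgresql_role, `set_value` on user_sepgsql_seq_t is only granted inside the sepgsql_enable_users_ddl block (`allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };`) while get_value/next_value are unconditional, so with the tunable off a confined user can advance a sequence but not setval() it; the unpriv client variant elsewhere in this patch grants set_value unconditionally, so the two interfaces disagree on what set_value is. Pick one classification (set_value is not DDL in PostgreSQL terms, but treating it as a privileged operation is defensible) and apply it to both, with a comment stating the intent, e.g. `# set_value (setval) is treated as DDL: users may only reset their own sequences when DDL is enabled`. Minor: the blank line left behind where the old tunable block was removed is now a double blank before the new db_schema rules.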
@@ -31698,42 +32302,452 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 -	# Some versions of postgresql put the sock file in /tmp
 -	allow $1 postgresql_tmp_t:sock_file write;
 +	files_search_tmp($1)
-+	stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t}, { postgresql_var_run_t postgresql_tmp_t}, postgresql_t)
++	stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t)
  ')
  
  ########################################
-@@ -439,14 +437,19 @@
+@@ -332,18 +422,25 @@
+ interface(`postgresql_unpriv_client',`
+ 	gen_require(`
+ 		class db_database all_db_database_perms;
++		class db_schema all_db_schema_perms;
+ 		class db_table all_db_table_perms;
++		class db_sequence all_db_sequence_perms;
++		class db_view all_db_view_perms;
+ 		class db_procedure all_db_procedure_perms;
++		class db_language all_db_language_perms;
+ 		class db_column all_db_column_perms;
+ 		class db_tuple all_db_tuple_perms;
+ 		class db_blob all_db_blob_perms;
+ 
+ 		attribute sepgsql_client_type;
+-		attribute sepgsql_database_type, sepgsql_sysobj_table_type;
++		attribute sepgsql_database_type, sepgsql_schema_type;
++		attribute sepgsql_sysobj_table_type;
+ 
+ 		type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;
+ 		type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t;
++		type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t;
+ 		type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;
++		type unpriv_sepgsql_view_t;
+ 	')
+ 
+ 	########################################
+@@ -362,25 +459,40 @@
+ 	allow $1 sepgsql_trusted_proc_t:process transition;
+ 
+ 	tunable_policy(`sepgsql_enable_users_ddl',`
++		allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };
+ 		allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
+ 		allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
+ 		allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
++		allow $1 unpriv_sepgsql_seq_t:db_sequence { create drop setattr };
++		allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr };
+ 		allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+ 	')
+ 
++	allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name };
++	type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t;
++
+ 	allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
+ 	allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
+ 	allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
+-	type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t;
++	type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t;	# deprecated
++	type_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t;
++
++	allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value };
++	type_transition $1 sepgsql_schema_type:db_sequence unpriv_sepgsql_seq_t;
++
++	allow $1 unpriv_sepgsql_view_t:db_view { getattr expand };
++	type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t;
+ 
+ 	allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
+ 	type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;
+ 
+ 	allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
+-	type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;
++	type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t; # deprecated
++	type_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t;
+ 
+ 	allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
+ 	type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
++
+ ')
+ 
+ ########################################
+@@ -420,13 +532,10 @@
+ #
+ interface(`postgresql_admin',`
+ 	gen_require(`
+-		attribute sepgsql_admin_type;
+-		attribute sepgsql_client_type;
+-
+-		type postgresql_t, postgresql_var_run_t;
+-		type postgresql_tmp_t, postgresql_db_t;
+-		type postgresql_etc_t, postgresql_log_t;
+-		type postgresql_initrc_exec_t;
++		attribute sepgsql_admin_type, sepgsql_client_type;
++		type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t;
++		type postgresql_tmp_t, postgresql_db_t, postgresql_log_t;
++		type postgresql_etc_t;
+ 	')
+ 
+ 	typeattribute $1 sepgsql_admin_type;
+@@ -439,14 +548,19 @@
  	role_transition $2 postgresql_initrc_exec_t system_r;
  	allow $2 system_r;
  
-+	files_search_pids($1)
++	files_list_pids($1)
  	admin_pattern($1, postgresql_var_run_t)
  
-+	files_search_var_lib($1)
++	files_list_var_lib($1)
  	admin_pattern($1, postgresql_db_t)
  
-+	files_search_etc($1)
++	files_list_etc($1)
  	admin_pattern($1, postgresql_etc_t)
  
-+	logging_search_logs($1)
++	logging_list_logs($1)
  	admin_pattern($1, postgresql_log_t)
  
-+	files_search_tmp($1)
++	files_list_tmp($1)
  	admin_pattern($1, postgresql_tmp_t)
  
  	postgresql_tcp_connect($1)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.19/policy/modules/services/postgresql.te
 --- nsaserefpolicy/policy/modules/services/postgresql.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/postgresql.te	2010-09-15 15:43:14.862386997 +0200
-@@ -251,7 +251,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/postgresql.te	2011-01-19 19:02:35.513051840 +0100
+@@ -1,5 +1,4 @@
+-
+-policy_module(postgresql, 1.10.2)
++policy_module(postgresql, 1.12.1)
+ 
+ gen_require(`
+ 	class db_database all_db_database_perms;
+@@ -8,6 +7,10 @@
+ 	class db_column all_db_column_perms;
+ 	class db_tuple all_db_tuple_perms;
+ 	class db_blob all_db_blob_perms;
++	class db_schema all_db_schema_perms;
++	class db_view all_db_view_perms;
++	class db_sequence all_db_sequence_perms;
++	class db_language all_db_language_perms;
+ ')
+ 
+ #################################
+@@ -16,16 +19,16 @@
+ #
+ 
+ ## <desc>
+-## <p>
+-## Allow unprived users to execute DDL statement
+-## </p>
++##	<p>
++##	Allow unprived users to execute DDL statement
++##	</p>
+ ## </desc>
+ gen_tunable(sepgsql_enable_users_ddl, true)
+ 
+ ## <desc>
+-## <p>
+-## Allow database admins to execute DML statement
+-## </p>
++##	<p>
++##	Allow database admins to execute DML statement
++##	</p>
+ ## </desc>
+ gen_tunable(sepgsql_unconfined_dbadm, true)
+ 
+@@ -61,9 +64,13 @@
+ 
+ # database objects attribute
+ attribute sepgsql_database_type;
++attribute sepgsql_schema_type;
+ attribute sepgsql_table_type;
+ attribute sepgsql_sysobj_table_type;
++attribute sepgsql_sequence_type;
++attribute sepgsql_view_type;
+ attribute sepgsql_procedure_type;
++attribute sepgsql_language_type;
+ attribute sepgsql_blob_type;
+ attribute sepgsql_module_type;
+ 
+@@ -77,6 +84,12 @@
+ type sepgsql_fixed_table_t;
+ postgresql_table_object(sepgsql_fixed_table_t)
+ 
++type sepgsql_lang_t;
++postgresql_language_object(sepgsql_lang_t)
++
++type sepgsql_priv_lang_t;
++postgresql_language_object(sepgsql_priv_lang_t)
++
+ type sepgsql_proc_exec_t;
+ typealias sepgsql_proc_exec_t alias sepgsql_proc_t;
+ postgresql_procedure_object(sepgsql_proc_exec_t)
+@@ -87,12 +100,21 @@
+ type sepgsql_ro_table_t;
+ postgresql_table_object(sepgsql_ro_table_t)
+ 
++type sepgsql_safe_lang_t;
++postgresql_language_object(sepgsql_safe_lang_t)
++
++type sepgsql_schema_t;
++postgresql_schema_object(sepgsql_schema_t)
++
+ type sepgsql_secret_blob_t;
+ postgresql_blob_object(sepgsql_secret_blob_t)
+ 
+ type sepgsql_secret_table_t;
+ postgresql_table_object(sepgsql_secret_table_t)
+ 
++type sepgsql_seq_t;
++postgresql_sequence_object(sepgsql_seq_t)
++
+ type sepgsql_sysobj_t;
+ postgresql_system_table_object(sepgsql_sysobj_t)
+ 
+@@ -102,6 +124,9 @@
+ type sepgsql_trusted_proc_exec_t;
+ postgresql_procedure_object(sepgsql_trusted_proc_exec_t)
+ 
++type sepgsql_view_t;
++postgresql_view_object(sepgsql_view_t)
++
+ # Trusted Procedure Domain
+ type sepgsql_trusted_proc_t;
+ domain_type(sepgsql_trusted_proc_t)
+@@ -115,12 +140,21 @@
+ type unpriv_sepgsql_proc_exec_t;
+ postgresql_procedure_object(unpriv_sepgsql_proc_exec_t)
+ 
++type unpriv_sepgsql_schema_t;
++postgresql_schema_object(unpriv_sepgsql_schema_t);
++
++type unpriv_sepgsql_seq_t;
++postgresql_sequence_object(unpriv_sepgsql_seq_t)
++
+ type unpriv_sepgsql_sysobj_t;
+ postgresql_system_table_object(unpriv_sepgsql_sysobj_t)
+ 
+ type unpriv_sepgsql_table_t;
+ postgresql_table_object(unpriv_sepgsql_table_t)
+ 
++type unpriv_sepgsql_view_t;
++postgresql_view_object(unpriv_sepgsql_view_t)
++
+ # Types for UBAC
+ type user_sepgsql_blob_t;
+ typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t };
+@@ -132,6 +166,16 @@
+ typealias user_sepgsql_proc_exec_t alias { auditadm_sepgsql_proc_exec_t secadm_sepgsql_proc_exec_t };
+ postgresql_procedure_object(user_sepgsql_proc_exec_t)
+ 
++type user_sepgsql_schema_t;
++typealias user_sepgsql_schema_t alias { staff_sepgsql_schema_t sysadm_sepgsql_schema_t };
++typealias user_sepgsql_schema_t alias { auditadm_sepgsql_schema_t secadm_sepgsql_schema_t };
++postgresql_schema_object(user_sepgsql_schema_t)
++
++type user_sepgsql_seq_t;
++typealias user_sepgsql_seq_t alias { staff_sepgsql_seq_t sysadm_sepgsql_seq_t };
++typealias user_sepgsql_seq_t alias { auditadm_sepgsql_seq_t secadm_sepgsql_seq_t };
++postgresql_sequence_object(user_sepgsql_seq_t)
++
+ type user_sepgsql_sysobj_t;
+ typealias user_sepgsql_sysobj_t alias { staff_sepgsql_sysobj_t sysadm_sepgsql_sysobj_t };
+ typealias user_sepgsql_sysobj_t alias { auditadm_sepgsql_sysobj_t secadm_sepgsql_sysobj_t };
+@@ -142,6 +186,11 @@
+ typealias user_sepgsql_table_t alias { auditadm_sepgsql_table_t secadm_sepgsql_table_t };
+ postgresql_table_object(user_sepgsql_table_t)
+ 
++type user_sepgsql_view_t;
++typealias user_sepgsql_view_t alias { staff_sepgsql_view_t sysadm_sepgsql_view_t };
++typealias user_sepgsql_view_t alias { auditadm_sepgsql_view_t secadm_sepgsql_view_t };
++postgresql_view_object(user_sepgsql_view_t)
++
+ ########################################
+ #
+ # postgresql Local policy
+@@ -166,9 +215,15 @@
+ # Database/Loadable module
+ allow sepgsql_database_type sepgsql_module_type:db_database load_module;
+ 
++allow postgresql_t sepgsql_schema_type:db_schema *;
++
+ allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
+ type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t;
+ 
++allow postgresql_t sepgsql_sequence_type:db_sequence *;
++
++allow postgresql_t sepgsql_view_type:db_view *;
++
+ allow postgresql_t sepgsql_procedure_type:db_procedure *;
+ type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
+ 
+@@ -186,7 +241,7 @@
+ read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
+ read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
+ 
+-allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
++allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms;
+ can_exec(postgresql_t, postgresql_exec_t )
+ 
+ allow postgresql_t postgresql_lock_t:file manage_file_perms;
+@@ -203,9 +258,10 @@
+ files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
+ fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
+ 
++manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
+ manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
+ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
+-files_pid_filetrans(postgresql_t, postgresql_var_run_t, file)
++files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file })
+ 
+ kernel_read_kernel_sysctls(postgresql_t)
+ kernel_read_system_state(postgresql_t)
+@@ -251,8 +307,7 @@
  domain_use_interactive_fds(postgresql_t)
  
  files_dontaudit_search_home(postgresql_t)
 -files_manage_etc_files(postgresql_t)
+-files_search_etc(postgresql_t)
 +files_read_etc_files(postgresql_t)
- files_search_etc(postgresql_t)
  files_read_etc_runtime_files(postgresql_t)
  files_read_usr_files(postgresql_t)
+ 
+@@ -314,6 +369,8 @@
+ allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param };
+ type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t;
+ 
++allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search };
++
+ allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert lock };
+ allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert };
+ allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert };
+@@ -333,9 +390,22 @@
+ allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };
+ allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
+ 
++allow sepgsql_client_type sepgsql_seq_t:db_sequence { getattr get_value next_value };
++
++allow sepgsql_client_type sepgsql_view_t:db_view { getattr expand };
++
+ allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr execute install };
+ allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint };
+ 
++allow sepgsql_client_type sepgsql_lang_t:db_language { getattr };
++allow sepgsql_client_type sepgsql_safe_lang_t:db_language { getattr execute };
++
++# Only DBA can implement SQL procedures using `unsafe' procedural languages.
++# The `unsafe' one provides a capability to access internal data structure,
++# so we don't allow user-defined function being implemented using `unsafe' one.
++allow sepgsql_proc_exec_t sepgsql_lang_t:db_language { implement };
++allow sepgsql_procedure_type sepgsql_safe_lang_t:db_language { implement };
++
+ allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
+ allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
+ allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
+@@ -353,6 +423,12 @@
+ # Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
+ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
+ 
++# Note that permission of creation/deletion are eventually controlled by
++# create or drop permission of individual objects within shared schemas.
++# So, it just allows to create/drop user specific types.
++tunable_policy(`sepgsql_enable_users_ddl',`
++	allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
++')
+ 
+ ########################################
+ #
+@@ -362,16 +438,33 @@
+ allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access };
+ type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t;
+ 
++allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name };
++type_transition sepgsql_admin_type sepgsql_database_type:db_schema sepgsql_schema_t;
++
+ allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock };
+ allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto };
+ allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };
+ 
+-type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t;
++type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t;	# deprecated
++type_transition sepgsql_admin_type sepgsql_schema_type:db_table sepgsql_table_t;
++
++allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value };
++
++type_transition sepgsql_admin_type sepgsql_schema_type:db_schema sepgsql_seq_t;
++
++allow sepgsql_admin_type sepgsql_view_type:db_view { create drop getattr setattr relabelfrom relabelto expand };
++
++type_transition sepgsql_admin_type sepgsql_view_type:db_view sepgsql_view_t;
+ 
+ allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto };
+ allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;
+ 
+-type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
++type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;	# deprecated
++type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t;
++
++allow sepgsql_admin_type sepgsql_language_type:db_language { create drop getattr setattr relabelfrom relabelto execute };
++
++type_transition sepgsql_admin_type sepgsql_database_type:db_language sepgsql_lang_t;
+ 
+ allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto };
+ 
+@@ -384,12 +477,18 @@
+ tunable_policy(`sepgsql_unconfined_dbadm',`
+ 	allow sepgsql_admin_type sepgsql_database_type:db_database *;
+ 
++	allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
++
+ 	allow sepgsql_admin_type sepgsql_table_type:{ db_table db_column db_tuple } *;
++	allow sepgsql_admin_type sepgsql_sequence_type:db_sequence *;
++	allow sepgsql_admin_type sepgsql_view_type:db_view *;
+ 
+ 	allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *;
+ 	allow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install;
+ 	allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install };
+ 
++	allow sepgsql_admin_type sepgsql_language_type:db_language ~implement;
++
+ 	allow sepgsql_admin_type sepgsql_blob_type:db_blob *;
+ ')
+ 
+@@ -401,11 +500,21 @@
+ allow sepgsql_unconfined_type sepgsql_database_type:db_database *;
+ type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t;
+ 
+-type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t;
+-type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
++allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *;
++type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_schema_t;
++
++type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t;		# deprecated
++type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;	# deprecated
++type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table sepgsql_table_t;
++type_transition sepgsql_unconfined_type sepgsql_schema_type:db_sequence sepgsql_seq_t;
++type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view sepgsql_view_t;
++type_transition sepgsql_unconfined_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t;
++type_transition sepgsql_unconfined_type sepgsql_database_type:db_language sepgsql_lang_t;
+ type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;
+ 
+ allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;
++allow sepgsql_unconfined_type sepgsql_sequence_type:db_sequence *;
++allow sepgsql_unconfined_type sepgsql_view_type:db_view *;
+ 
+ # unconfined domain is not allowed to invoke user defined procedure directly.
+ # They have to confirm and relabel it at first.
+@@ -413,6 +522,8 @@
+ allow sepgsql_unconfined_type sepgsql_trusted_proc_exec_t:db_procedure ~install;
+ allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install };
+ 
++allow sepgsql_unconfined_type sepgsql_language_type:db_language ~implement;
++
+ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
+ 
+ allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.19/policy/modules/services/ppp.if
 --- nsaserefpolicy/policy/modules/services/ppp.if	2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/services/ppp.if	2010-10-13 09:40:56.718900943 +0200
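Review bot: Two of the new admin type_transition rules in postgresql.te look wrong: `type_transition sepgsql_admin_type sepgsql_schema_type:db_schema sepgsql_seq_t;` uses class db_schema for a sequence type, and `type_transition sepgsql_admin_type sepgsql_view_type:db_view sepgsql_view_t;` uses a view as the parent, so sequences and views an admin creates inside a schema get no transition at all while the unconfined rules further down use `sepgsql_schema_type:db_sequence` and `sepgsql_schema_type:db_view`. They should read `type_transition sepgsql_admin_type sepgsql_schema_type:db_sequence sepgsql_seq_t;` and `type_transition sepgsql_admin_type sepgsql_schema_type:db_view sepgsql_view_t;`. Separately, postgresql_unpriv_client grants unpriv_sepgsql_schema_t only `{ getattr add_name remove_name }` whereas postgresql_role grants `search` on the user schema; without search the unpriv domain can create objects in its own schema but not look them up, so add `search` unless that is deliberate. The stray trailing `;` in `postgresql_schema_object(unpriv_sepgsql_schema_t);` is inconsistent with every other object-marking call and may not be accepted after m4 expansion; drop it.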
@@ -44262,7 +45276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.19/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te	2010-12-20 16:32:51.450041217 +0100
++++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te	2011-01-19 17:28:25.370292769 +0100
 @@ -23,6 +23,9 @@
  type selinux_config_t;
  files_type(selinux_config_t)
@@ -44353,7 +45367,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  
  read_files_pattern(newrole_t, default_context_t, default_context_t)
  read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -261,25 +266,25 @@
+@@ -235,6 +240,7 @@
+ domain_sigchld_interactive_fds(newrole_t)
+ 
+ files_read_etc_files(newrole_t)
++files_list_var(newrole_t)
+ files_read_var_files(newrole_t)
+ files_read_var_symlinks(newrole_t)
+ 
+@@ -261,25 +267,25 @@
  term_getattr_unallocated_ttys(newrole_t)
  term_dontaudit_use_unallocated_ttys(newrole_t)
  
@@ -44385,7 +45407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(newrole_t)
-@@ -313,6 +318,8 @@
+@@ -313,6 +319,8 @@
  kernel_rw_pipes(restorecond_t)
  kernel_read_system_state(restorecond_t)
  
@@ -44394,7 +45416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  fs_relabelfrom_noxattr_fs(restorecond_t)
  fs_dontaudit_list_nfs(restorecond_t)
  fs_getattr_xattr_fs(restorecond_t)
-@@ -336,6 +343,8 @@
+@@ -336,6 +344,8 @@
  
  seutil_libselinux_linked(restorecond_t)
  
@@ -44403,7 +45425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(restorecond_t)
-@@ -354,7 +363,7 @@
+@@ -354,7 +364,7 @@
  allow run_init_t self:process setexec;
  allow run_init_t self:capability setuid;
  allow run_init_t self:fifo_file rw_file_perms;
@@ -44412,7 +45434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  
  # often the administrator runs such programs from a directory that is owned
  # by a different user or has restrictive SE permissions, do not want to audit
-@@ -375,6 +384,8 @@
+@@ -375,6 +385,8 @@
  
  mls_rangetrans_source(run_init_t)
  
@@ -44421,7 +45443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  selinux_validate_context(run_init_t)
  selinux_compute_access_vector(run_init_t)
  selinux_compute_create_context(run_init_t)
-@@ -383,7 +394,6 @@
+@@ -383,7 +395,6 @@
  
  auth_use_nsswitch(run_init_t)
  auth_domtrans_chk_passwd(run_init_t)
@@ -44429,7 +45451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  auth_dontaudit_read_shadow(run_init_t)
  
  init_spec_domtrans_script(run_init_t)
-@@ -406,6 +416,10 @@
+@@ -406,6 +417,10 @@
  	')
  ')
  
@@ -44440,7 +45462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(run_init_t)
-@@ -421,61 +435,22 @@
+@@ -421,61 +436,22 @@
  # semodule local policy
  #
  
@@ -44510,7 +45532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  # netfilter_contexts:
  seutil_manage_default_contexts(semanage_t)
  
-@@ -484,12 +459,24 @@
+@@ -484,12 +460,24 @@
  	files_read_var_lib_symlinks(semanage_t)
  ')
  
@@ -44535,7 +45557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  # cjp: need a more general way to handle this:
  ifdef(`enable_mls',`
  	# read secadm tmp files
-@@ -499,112 +486,54 @@
+@@ -499,112 +487,54 @@
  	userdom_read_user_tmp_files(semanage_t)
  ')
  
@@ -48580,7 +49602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.19/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.te	2011-01-14 14:36:19.658040682 +0100
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.te	2011-01-19 17:11:07.574292106 +0100
 @@ -29,18 +29,18 @@
  
  ## <desc>
@@ -48605,7 +49627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  ## <desc>
  ## <p>
-@@ -54,11 +54,20 @@
+@@ -54,11 +54,22 @@
  # all user domains
  attribute userdomain;
  
@@ -48625,10 +49647,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +files_associate_tmp(admin_home_t)
 +fs_associate_tmpfs(admin_home_t)
 +files_mountpoint(admin_home_t)
++files_poly_member(admin_home_t)
++files_poly_parent(admin_home_t)
  
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
-@@ -72,6 +81,7 @@
+@@ -72,6 +83,7 @@
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
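Review bot: The two added lines `files_poly_parent(admin_home_t)` and `files_poly_member(admin_home_t)` put both the parent and the instance-directory polyinstantiation attributes on the one type that labels all of /root, with no comment recording why. If the instance directories pam_namespace creates for root live under /root (as they do in the default namespace.conf layout, so they inherit admin_home_t), then any domain later granted the polyparent/polymember permissions — presumably newrole_t via namespace.init, per the commit message — receives them over the whole of /root, not just the instance tree, which is worth stating so nobody widens those grants assuming they are scoped. I would add above the pair: `# /root is polyinstantiated by pam_namespace (namespace.init); its instance dirs share admin_home_t, so the type carries both polyparent and polymember — grants on these attributes cover all of /root.` This is the nested userdomain.te patch; the admin_home_t declaration and the start of its attribute block lie before this hunk.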
@@ -48636,7 +49660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  userdom_user_home_content(user_home_t)
  fs_associate_tmpfs(user_home_t)
  files_associate_tmp(user_home_t)
-@@ -85,10 +95,11 @@
+@@ -85,10 +97,11 @@
  files_type(user_devpts_t)
  ubac_constrained(user_devpts_t)
  
@@ -48649,7 +49673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
  files_tmpfs_file(user_tmpfs_t)
-@@ -97,3 +108,41 @@
+@@ -97,3 +110,41 @@
  type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
  dev_node(user_tty_device_t)
  ubac_constrained(user_tty_device_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1e9b31f..24cd46e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 83%{?dist}
+Release: 84%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -153,6 +153,7 @@ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' .
 %config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
 %config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
+%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
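Review bot: `sepgsql_contexts` is added as plain `%config`, so on every package upgrade a locally edited copy is moved aside to `.rpmsave` and the packaged mapping is reinstalled, which silently changes the type that newly created database objects receive. That matches `default_contexts` and the two `virtual_*_context` entries above it, but differs from `default_type`, `failsafe_context` and `initrc_context` on the following lines, which use `%config(noreplace)`; if this mapping is intended to be site-customizable, the line should be `%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \`. Either way a one-line comment stating the choice would save the next maintainer from guessing.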
@@ -470,6 +471,13 @@ exit 0
 %endif
 
 %changelog
+* Tue Jan 19 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-84
+- Fixes for newrole_t domain related to namespace.init
+- Add puppetmaster_uses_db boolean
+- Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on
+- sandbox fixes
+- Add sepgsql fixes from KaiGai Kohei
+
 * Tue Jan 18 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-83
 - Allow newrole to run namespace
 - Add puppetmaster_uses_db boolean

