[selinux-policy/f14] - Backport puppet fixes from F16 - Add label for /etc/passwd\.adjunct.* - Fixes for vdagent policy
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Oct 20 11:34:59 UTC 2011
commit 63374d0ecb7362b2b1a06386c2e6ba08d3a81c2c
Author: Miroslav <mgrepl at redhat.com>
Date: Thu Oct 20 13:34:15 2011 +0200
- Backport puppet fixes from F16
- Add label for /etc/passwd\.adjunct.*
- Fixes for vdagent policy
policy-F14.patch | 472 +++++++++++++++++++++++++++++++++++++++++++--------
selinux-policy.spec | 7 +-
2 files changed, 404 insertions(+), 75 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index e098ac8..0dcd245 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -2420,8 +2420,60 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tzdata.
fs_getattr_xattr_fs(tzdata_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.9.7/policy/modules/admin/usermanage.if
--- nsaserefpolicy/policy/modules/admin/usermanage.if 2010-10-12 20:42:51.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/admin/usermanage.if 2011-02-25 17:40:39.065546408 +0000
-@@ -285,6 +285,9 @@
++++ serefpolicy-3.9.7/policy/modules/admin/usermanage.if 2011-10-20 09:59:39.639042017 +0000
+@@ -168,6 +168,25 @@
+ auth_run_chk_passwd(passwd_t, $2)
+ ')
+
++#######################################
++## <summary>
++## Check access to the passwd executable
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`usermanage_access_check_passwd',`
++ gen_require(`
++ type passwd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ allow $1 passwd_exec_t:file { getattr_file_perms execute audit_access };
++')
++
+ ########################################
+ ## <summary>
+ ## Execute password admin functions in
+@@ -260,6 +279,25 @@
+ ')
+ ')
+
++#######################################
++## <summary>
++## Check access to the useradd executable.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`usermanage_access_check_useradd',`
++ gen_require(`
++ type useradd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ allow $1 useradd_exec_t:file { getattr_file_perms execute };
++')
++
+ ########################################
+ ## <summary>
+ ## Execute useradd in the useradd domain, and
+@@ -285,6 +323,9 @@
usermanage_domtrans_useradd($1)
role $2 types useradd_t;
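Review bot: `usermanage_access_check_passwd` grants `{ getattr_file_perms execute audit_access }` while its sibling `usermanage_access_check_useradd` in this same hunk, and `mta_sendmail_access_check` in the mta.if hunk, grant only `{ getattr_file_perms execute }`. All three exist for the same purpose, letting a caller test whether the binary is executable without a domain transition, so the permission sets should agree: either add `audit_access` to the other two or drop it here, depending on whether this policy's access_vectors already define it (not visible in the patch). A one-line comment on each `allow` would also stop a reader from taking `execute` as permission to run the program, e.g. `# execute alone: execve still needs execute_no_trans or a type_transition, so this only satisfies access(2)/stat`. The enclosing usermanage.if section continues past this hunk.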
@@ -2433,7 +2485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.9.7/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-10-12 20:42:51.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/admin/usermanage.te 2011-02-25 17:40:39.065546408 +0000
++++ serefpolicy-3.9.7/policy/modules/admin/usermanage.te 2011-09-19 18:39:00.111160002 +0000
@@ -88,9 +88,7 @@
# for SSP
dev_read_urand(chfn_t)
@@ -2692,8 +2744,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.9.7/policy/modules/apps/chrome.te
--- nsaserefpolicy/policy/modules/apps/chrome.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/apps/chrome.te 2011-02-25 17:40:39.070546284 +0000
-@@ -0,0 +1,94 @@
++++ serefpolicy-3.9.7/policy/modules/apps/chrome.te 2011-09-26 10:56:42.068160000 +0000
+@@ -0,0 +1,95 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -2765,6 +2817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t
+
+optional_policy(`
+ execmem_exec(chrome_sandbox_t)
++ execmem_execmod(chrome_sandbox_t)
+')
+
+optional_policy(`
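Review bot: `execmem_execmod(chrome_sandbox_t)` allows chrome_sandbox_t to map execmem_exec_t files with a modified executable mapping, which relaxes the W^X check the execmem domain exists to confine, and the hunk gives no reason for it. A why-comment naming the binary and the denial that motivated it would let a later reviewer re-check whether it is still needed, e.g. `# execmod: <binary> labelled execmem_exec_t has text relocations — see <bug id placeholder>`. The surrounding `optional_policy` block is otherwise unchanged.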
@@ -2857,8 +2910,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.9.7/policy/modules/apps/execmem.if
--- nsaserefpolicy/policy/modules/apps/execmem.if 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/apps/execmem.if 2011-03-20 21:09:28.797630001 +0000
-@@ -0,0 +1,115 @@
++++ serefpolicy-3.9.7/policy/modules/apps/execmem.if 2011-09-26 10:56:16.023160001 +0000
+@@ -0,0 +1,133 @@
+## <summary>execmem domain</summary>
+
+########################################
@@ -2974,6 +3027,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+
+ domtrans_pattern($1, execmem_exec_t, $2)
+')
++
++#######################################
++## <summary>
++## Execmod the execmem_exec applications
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`execmem_execmod',`
++ gen_require(`
++ type execmem_exec_t;
++ ')
++
++ allow $1 execmem_exec_t:file execmod;
++')
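Review bot: The summary of the new `execmem_execmod` interface, "Execmod the execmem_exec applications", does not say what is granted or why a caller would need it, and the interface XML is what the generated policy documentation shows. A clearer summary would be `## Allow the domain execmod (map with a modified, executable mapping, e.g. for text relocations) on execmem_exec_t files.` The `gen_require`/`allow` body matches the other interfaces in this file.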
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.9.7/policy/modules/apps/execmem.te
--- nsaserefpolicy/policy/modules/apps/execmem.te 1970-01-01 00:00:00.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/apps/execmem.te 2011-02-25 17:40:39.079546063 +0000
@@ -8991,7 +9062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.9.7/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/kernel/devices.if 2011-07-26 13:18:06.208523005 +0000
++++ serefpolicy-3.9.7/policy/modules/kernel/devices.if 2011-10-04 13:01:50.646160002 +0000
@@ -336,6 +336,24 @@
########################################
@@ -9243,6 +9314,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
########################################
## <summary>
## Write to the kernel messages device
+@@ -2769,8 +2950,8 @@
+ type mtrr_device_t;
+ ')
+
+- dontaudit $1 mtrr_device_t:file write;
+- dontaudit $1 mtrr_device_t:chr_file write;
++ dontaudit $1 mtrr_device_t:file write_file_perms;
++ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms;
+ ')
+
+ ########################################
@@ -3048,24 +3229,6 @@
########################################
@@ -9673,7 +9755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+dontaudit can_change_object_identity can_change_object_identity:key link;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.9.7/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/kernel/files.fc 2011-03-16 13:09:36.739107001 +0000
++++ serefpolicy-3.9.7/policy/modules/kernel/files.fc 2011-10-08 22:28:05.240160001 +0000
@@ -18,6 +18,7 @@
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -9682,7 +9764,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
ifdef(`distro_suse',`
-@@ -62,8 +63,16 @@
+@@ -56,14 +57,22 @@
+ /etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
+-/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
++/etc/mtab.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/reader\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
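Review bot: The new pattern `/etc/mtab.*` leaves the dot unescaped, so it matches any character after `mtab` (e.g. `/etc/mtabX`), not only dotted suffixes; if the intent is `/etc/mtab` plus `/etc/mtab.tmp`-style siblings, `/etc/mtab(\..*)?` says that exactly, as the other entries in this hunk (`/etc/issue\.net`, `/etc/mtab\.fuselock`) escape their dots. If unanchored suffixes such as `/etc/mtab~` are deliberately covered, a short comment saying so would stop a later cleanup from "fixing" it. The change also makes the `/etc/mtab\.fuselock` line below it redundant, since both now yield `etc_runtime_t` (the more specific entry still wins, so it is harmless but dead). The `/etc/passwd\.adjunct.*` label named in the commit message is not in a visible hunk, so it could not be checked for the same issue.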
@@ -15737,7 +15826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.9.7/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/apache.te 2011-05-27 14:11:36.477208002 +0000
++++ serefpolicy-3.9.7/policy/modules/services/apache.te 2011-10-20 11:44:22.843904001 +0000
@@ -18,130 +18,195 @@
# Declarations
#
@@ -15982,7 +16071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+## <desc>
+## <p>
-+## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
++## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_httpd_sys_script_anon_write, false)
@@ -17483,8 +17572,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.9.7/policy/modules/services/boinc.te
--- nsaserefpolicy/policy/modules/services/boinc.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/boinc.te 2011-05-27 11:13:45.949208002 +0000
-@@ -0,0 +1,173 @@
++++ serefpolicy-3.9.7/policy/modules/services/boinc.te 2011-10-20 10:57:17.211041976 +0000
+@@ -0,0 +1,175 @@
+policy_module(boinc, 1.0.0)
+
+########################################
@@ -17638,6 +17727,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+kernel_search_vm_sysctl(boinc_project_t)
+kernel_read_network_state(boinc_project_t)
+
++domain_read_all_domains_state(boinc_project_t)
++
+corecmd_exec_bin(boinc_project_t)
+corecmd_exec_shell(boinc_project_t)
+
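Review bot: `domain_read_all_domains_state(boinc_project_t)` lets boinc_project_t — the domain in which downloaded project applications run, if this follows the usual boinc/boinc_project split — read the `/proc/<pid>` state of every domain on the system, an information-disclosure widening for code the host does not control. If the denial that motivated it was reading the parent client's process state, `ps_process_pattern(boinc_project_t, boinc_t)` scopes it to that one domain; if system-wide reads are genuinely needed, a comment naming the use case should accompany the rule. The enclosing boinc_project_t block continues outside the hunk.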
@@ -19238,7 +19329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.9.7/policy/modules/services/cobbler.te
--- nsaserefpolicy/policy/modules/services/cobbler.te 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/cobbler.te 2011-02-25 17:40:39.763529226 +0000
++++ serefpolicy-3.9.7/policy/modules/services/cobbler.te 2011-10-20 10:03:23.930041981 +0000
@@ -6,13 +6,35 @@
#
@@ -19425,7 +19516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
dhcpd_domtrans(cobblerd_t)
dhcpd_initrc_domtrans(cobblerd_t)
')
-@@ -106,16 +201,28 @@
+@@ -106,16 +201,32 @@
')
optional_policy(`
@@ -19433,6 +19524,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
+')
+
+optional_policy(`
++ puppet_domtrans_puppetca(cobblerd_t)
++')
++
++optional_policy(`
rpm_exec(cobblerd_t)
')
@@ -19457,7 +19552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
')
########################################
-@@ -124,5 +231,6 @@
+@@ -124,5 +235,6 @@
#
apache_content_template(cobbler)
@@ -23269,7 +23364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
## Allow domain dyntransition to sftpd_anon domain.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.9.7/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/ftp.te 2011-08-04 11:31:53.122523005 +0000
++++ serefpolicy-3.9.7/policy/modules/services/ftp.te 2011-10-20 10:55:24.345042017 +0000
@@ -40,6 +40,13 @@
## <desc>
@@ -23439,6 +23534,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -408,5 +462,9 @@
+ # allow read access to /home by default
+ fs_list_nfs(sftpd_t)
+ fs_read_nfs_files(sftpd_t)
+- fs_read_nfs_symlinks(ftpd_t)
++ fs_read_nfs_symlinks(sftpd_t)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_read_fusefs_files(sftpd_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gatekeeper.te serefpolicy-3.9.7/policy/modules/services/gatekeeper.te
--- nsaserefpolicy/policy/modules/services/gatekeeper.te 2010-10-12 20:42:49.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/services/gatekeeper.te 2011-02-25 17:40:39.957524451 +0000
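Review bot: The new `tunable_policy(`use_fusefs_home_dirs',` block is gated on the fusefs tunable alone, whereas the NFS block visible earlier in this hunk is gated on `sftpd_enable_homedirs && use_nfs_home_dirs`; if the same opt-in is intended for FUSE-mounted home directories, the condition should be `sftpd_enable_homedirs && use_fusefs_home_dirs`. The fusefs block also grants only `fs_read_fusefs_files(sftpd_t)` while the NFS one additionally lists directories and reads symlinks, so sftp sessions on fusefs homes may still hit denials on symlinked paths (`fs_read_fusefs_symlinks` is the counterpart). The `ftpd_t` → `sftpd_t` correction in the NFS block is right. The enclosing tunable block starts outside the hunk.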
@@ -25171,7 +25277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.9.7/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/kerberos.if 2011-03-25 11:18:07.215630001 +0000
++++ serefpolicy-3.9.7/policy/modules/services/kerberos.if 2011-09-15 16:36:01.603160002 +0000
@@ -26,9 +26,9 @@
## Execute kadmind in the current domain
## </summary>
@@ -25250,6 +25356,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
kerberos_read_keytab($2)
kerberos_use($2)
+@@ -289,7 +307,7 @@
+
+ seutil_read_file_contexts($1)
+
+- allow $1 krb5_host_rcache_t:file manage_file_perms;
++ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
+ files_search_tmp($1)
+ ')
+ ')
@@ -338,9 +356,8 @@
type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
@@ -25845,7 +25960,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/like
files_pid_filetrans($1_t, $1_var_run_t, file)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/likewise.te serefpolicy-3.9.7/policy/modules/services/likewise.te
--- nsaserefpolicy/policy/modules/services/likewise.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/likewise.te 2011-02-25 17:40:40.090521176 +0000
++++ serefpolicy-3.9.7/policy/modules/services/likewise.te 2011-09-19 19:01:38.262160000 +0000
+@@ -137,7 +137,7 @@
+ seutil_read_config(lsassd_t)
+ seutil_read_default_contexts(lsassd_t)
+ seutil_read_file_contexts(lsassd_t)
+-seutil_run_semanage(lsassd_t, lsassd_t)
++seutil_run_semanage(lsassd_t, system_r)
+
+ sysnet_use_ldap(lsassd_t)
+ sysnet_read_config(lsassd_t)
@@ -205,7 +205,7 @@
# Likewise DC location service local policy
#
@@ -27719,7 +27843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.9.7/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/mta.if 2011-04-05 17:25:27.561000001 +0000
++++ serefpolicy-3.9.7/policy/modules/services/mta.if 2011-10-20 11:57:51.901904002 +0000
@@ -37,9 +37,9 @@
## is the prefix for user_t).
## </summary>
@@ -27825,7 +27949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
########################################
-@@ -391,12 +408,15 @@
+@@ -391,12 +408,35 @@
#
interface(`mta_sendmail_domtrans',`
gen_require(`
@@ -27840,10 +27964,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
+
+ allow $2 mta_exec_type:file entrypoint;
+ domtrans_pattern($1, mta_exec_type, $2)
++')
++
++#######################################
++## <summary>
++## Check whether sendmail executable
++## files are executable.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mta_sendmail_access_check',`
++ gen_require(`
++ type sendmail_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ allow $1 sendmail_exec_t:file { getattr_file_perms execute };
')
########################################
-@@ -409,7 +429,6 @@
+@@ -409,7 +449,6 @@
## </summary>
## </param>
#
@@ -27851,7 +27995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
-@@ -420,6 +439,24 @@
+@@ -420,6 +459,24 @@
########################################
## <summary>
@@ -27876,7 +28020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
## Execute sendmail in the caller domain.
## </summary>
## <param name="domain">
-@@ -474,7 +511,8 @@
+@@ -474,7 +531,8 @@
type etc_mail_t;
')
@@ -27886,7 +28030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
########################################
-@@ -552,7 +590,7 @@
+@@ -552,7 +610,7 @@
')
files_search_etc($1)
@@ -27895,7 +28039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
#######################################
-@@ -646,8 +684,8 @@
+@@ -646,8 +704,8 @@
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -27906,7 +28050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
#######################################
-@@ -697,8 +735,8 @@
+@@ -697,8 +755,8 @@
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -27917,7 +28061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -838,7 +876,7 @@
+@@ -838,7 +896,7 @@
')
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -27926,7 +28070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
########################################
-@@ -899,3 +937,50 @@
+@@ -899,3 +957,50 @@
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -33600,10 +33744,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad
fs_getattr_all_fs(psad_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.fc serefpolicy-3.9.7/policy/modules/services/puppet.fc
+--- nsaserefpolicy/policy/modules/services/puppet.fc 2010-10-12 20:42:49.000000000 +0000
++++ serefpolicy-3.9.7/policy/modules/services/puppet.fc 2011-10-20 10:02:11.993042068 +0000
+@@ -3,6 +3,7 @@
+ /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+
++/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+ /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+ /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.if serefpolicy-3.9.7/policy/modules/services/puppet.if
--- nsaserefpolicy/policy/modules/services/puppet.if 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/puppet.if 2011-08-22 13:05:03.052523003 +0000
-@@ -21,7 +21,7 @@
++++ serefpolicy-3.9.7/policy/modules/services/puppet.if 2011-10-20 10:01:53.121041999 +0000
+@@ -8,6 +8,26 @@
+ ## </p>
+ ## </desc>
+
++#######################################
++## <summary>
++## Execute puppetca in the puppetca
++## domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`puppet_domtrans_puppetca',`
++ gen_require(`
++ type puppetca_t, puppetca_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, puppetca_exec_t, puppetca_t)
++')
++
+ ################################################
+ ## <summary>
+ ## Read / Write to Puppet temp files. Puppet uses
+@@ -21,7 +41,7 @@
## </summary>
## </param>
#
@@ -33612,7 +33794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
gen_require(`
type puppet_tmp_t;
')
-@@ -29,3 +29,22 @@
+@@ -29,3 +49,22 @@
allow $1 puppet_tmp_t:file rw_file_perms;
files_search_tmp($1)
')
@@ -33637,7 +33819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.9.7/policy/modules/services/puppet.te
--- nsaserefpolicy/policy/modules/services/puppet.te 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/puppet.te 2011-06-27 12:42:58.153029998 +0000
++++ serefpolicy-3.9.7/policy/modules/services/puppet.te 2011-10-20 09:57:41.205042132 +0000
@@ -6,12 +6,19 @@
#
@@ -33661,7 +33843,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
type puppet_t;
type puppet_exec_t;
-@@ -63,7 +70,7 @@
+@@ -35,6 +42,13 @@
+ type puppet_var_run_t;
+ files_pid_file(puppet_var_run_t)
+
++type puppetca_t;
++type puppetca_exec_t;
++application_domain(puppetca_t, puppetca_exec_t)
++role system_r types puppetca_t;
++
++permissive puppetca_t;
++
+ type puppetmaster_t;
+ type puppetmaster_exec_t;
+ init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
+@@ -63,7 +77,7 @@
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
files_search_var_lib(puppet_t)
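Review bot: `permissive puppetca_t;` makes the new domain permissive while the same commit adds a transition into it from `cobblerd_t` (cobbler.te hunk), so a confined daemon can enter a domain where every request is granted and merely logged; that is a normal bootstrapping step for a new domain, but it should be marked as temporary, e.g. `# TODO: drop permissive once puppetca_t denials are collected (tracker: <bug id placeholder>)`. Note also that `application_domain(puppetca_t, puppetca_exec_t)` is paired only with `role system_r types puppetca_t;` — unless a run interface with a role parameter is added elsewhere, an administrator invoking puppetca from a shell stays in the caller's domain, which may or may not be intended. The enclosing declarations section continues outside the hunk.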
@@ -33670,9 +33866,71 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
-@@ -176,24 +183,29 @@
+@@ -160,6 +174,59 @@
+ usermanage_domtrans_useradd(puppet_t)
+ ')
+
++#######################################
++#
++# PuppetCA personal policy
++#
++
++allow puppetca_t self:capability { dac_override setgid setuid };
++allow puppetca_t self:fifo_file rw_fifo_file_perms;
++
++read_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t)
++
++allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
++manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
++manage_dirs_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
++
++allow puppetca_t puppet_log_t:dir search_dir_perms;
++
++allow puppetca_t puppet_var_run_t:dir search_dir_perms;
++
++kernel_read_system_state(puppetca_t)
++
++kernel_read_kernel_sysctls(puppetca_t)
++
++corecmd_exec_bin(puppetca_t)
++corecmd_exec_shell(puppetca_t)
++
++dev_read_urand(puppetca_t)
++dev_search_sysfs(puppetca_t)
++
++files_read_etc_files(puppetca_t)
++files_search_var_lib(puppetca_t)
++
++selinux_validate_context(puppetca_t)
++
++logging_search_logs(puppetca_t)
++
++miscfiles_read_localization(puppetca_t)
++miscfiles_read_generic_certs(puppetca_t)
++
++seutil_read_file_contexts(puppetca_t)
++
++optional_policy(`
++ hostname_exec(puppetca_t)
++')
++
++optional_policy(`
++ mta_sendmail_access_check(puppetca_t)
++')
++
++optional_policy(`
++ usermanage_access_check_passwd(puppetca_t)
++ usermanage_access_check_useradd(puppetca_t)
++')
++
+ ########################################
+ #
+ # Pupper master personal policy
+@@ -175,25 +242,32 @@
+
list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
++allow puppetmaster_t puppet_etc_t:file { relabelfrom relabelto };
-allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
-allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
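Review bot: `allow puppetca_t self:capability { dac_override setgid setuid };` grants dac_override with no comment; in a domain that also gets `manage_files_pattern` on puppet_var_lib_t (where the CA key material presumably lives), dac_override lets it bypass DAC on any file its type-enforcement rules reach, so the reason should be recorded and the grant re-checked, e.g. `# dac_override: TODO record which file/denial needs it; drop if unneeded`. `selinux_validate_context` and `seutil_read_file_contexts` are also unusual for a CA tool and look like library behaviour rather than puppetca's own; a one-line comment would help the next reader. The `PuppetCA personal policy` heading copies the existing "personal policy" wording from the puppetmaster section. The puppetmaster block at the end of the hunk continues outside it.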
@@ -33684,6 +33942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
++allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms;
setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
@@ -33702,9 +33961,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
-@@ -209,18 +221,38 @@
+@@ -206,21 +280,46 @@
+ corenet_tcp_bind_puppet_port(puppetmaster_t)
+ corenet_sendrecv_puppet_server_packets(puppetmaster_t)
+
++# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.
++corenet_udp_bind_generic_node(puppetmaster_t)
++corenet_udp_bind_generic_port(puppetmaster_t)
++
dev_read_rand(puppetmaster_t)
dev_read_urand(puppetmaster_t)
++dev_search_sysfs(puppetmaster_t)
+domain_obj_id_change_exemption(puppetmaster_t)
domain_read_all_domains_state(puppetmaster_t)
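Review bot: The new comment `# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.` misspells puppetmasterd and records an open question without a tracker, while the rules under it (`corenet_udp_bind_generic_node` / `corenet_udp_bind_generic_port`) permanently allow binding any generic UDP port. Suggest `# TODO(<bug id placeholder>): puppetmasterd binds UDP sockets on random high ports; narrow once the port range/purpose is known.` so the widening is visibly provisional. The enclosing puppetmaster_t block starts outside the hunk.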
@@ -33744,7 +34011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
optional_policy(`
hostname_exec(puppetmaster_t)
')
-@@ -231,3 +263,8 @@
+@@ -231,3 +330,9 @@
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
@@ -33752,6 +34019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
+optional_policy(`
+ usermanage_domtrans_groupadd(puppetmaster_t)
+ usermanage_domtrans_useradd(puppetmaster_t)
++ usermanage_access_check_passwd(puppetmaster_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.9.7/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2010-10-12 20:42:48.000000000 +0000
@@ -34543,7 +34811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi
init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.9.7/policy/modules/services/radius.te
--- nsaserefpolicy/policy/modules/services/radius.te 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/radius.te 2011-02-25 17:40:40.411513276 +0000
++++ serefpolicy-3.9.7/policy/modules/services/radius.te 2011-10-08 22:31:24.390160001 +0000
@@ -36,7 +36,7 @@
# gzip also needs chown access to preserve GID for radwtmp files
allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
@@ -34572,7 +34840,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi
corenet_sendrecv_radius_server_packets(radiusd_t)
corenet_sendrecv_radacct_server_packets(radiusd_t)
corenet_sendrecv_mysqld_client_packets(radiusd_t)
-@@ -129,6 +131,7 @@
+@@ -100,6 +102,7 @@
+ files_read_usr_files(radiusd_t)
+ files_read_etc_files(radiusd_t)
+ files_read_etc_runtime_files(radiusd_t)
++files_dontaudit_list_tmp(radiusd_t)
+
+ auth_use_nsswitch(radiusd_t)
+ auth_read_shadow(radiusd_t)
+@@ -129,6 +132,7 @@
')
optional_policy(`
@@ -40370,8 +40646,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdag
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdagent.te serefpolicy-3.9.7/policy/modules/services/vdagent.te
--- nsaserefpolicy/policy/modules/services/vdagent.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/vdagent.te 2011-03-09 15:08:09.881980002 +0000
-@@ -0,0 +1,57 @@
++++ serefpolicy-3.9.7/policy/modules/services/vdagent.te 2011-09-27 12:33:20.927160002 +0000
+@@ -0,0 +1,63 @@
+policy_module(vdagent,1.0.0)
+
+########################################
@@ -40395,6 +40671,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdag
+#
+# vdagent local policy
+#
++
++dontaudit vdagent_t self:capability sys_admin;
+allow vdagent_t self:process { fork };
+
+allow vdagent_t self:fifo_file rw_fifo_file_perms;
@@ -40413,6 +40691,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdag
+domain_use_interactive_fds(vdagent_t)
+
+dev_rw_input_dev(vdagent_t)
++dev_read_sysfs(vdagent_t)
++dev_dontaudit_write_mtrr(vdagent_t)
++
++files_read_etc_files(vdagent_t)
+
+term_use_virtio_console(vdagent_t)
+
@@ -42770,7 +43052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.9.7/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/xserver.te 2011-03-20 21:15:17.322630001 +0000
++++ serefpolicy-3.9.7/policy/modules/services/xserver.te 2011-10-20 11:42:57.986904034 +0000
@@ -26,27 +26,50 @@
#
@@ -43310,7 +43592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -443,28 +624,36 @@
+@@ -443,28 +624,38 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -43346,10 +43628,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+miscfiles_manage_fonts_cache(xdm_t)
+miscfiles_manage_localization(xdm_t)
+miscfiles_read_hwdata(xdm_t)
++# gok
++miscfiles_dontaudit_list_public_dirs(xdm_t)
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
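Review bot: The comment `# gok` above `miscfiles_dontaudit_list_public_dirs(xdm_t)` is too terse to tell the next reader what is being silenced or why; presumably GOK (GNOME On-screen Keyboard) in the greeter session probes public content directories. Spelling it out, e.g. `# gok (GNOME On-screen Keyboard) probes public content dirs from the greeter; silence rather than allow`, lets the dontaudit be dropped when gok is no longer shipped. The enclosing xdm_t block continues outside the hunk.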
-@@ -473,9 +662,30 @@
+@@ -473,9 +664,30 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -43380,7 +43664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
-@@ -503,12 +713,28 @@
+@@ -503,12 +715,28 @@
# allow xserver_t xdm_tmpfs_t:file rw_file_perms;
')
@@ -43409,7 +43693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -516,12 +742,60 @@
+@@ -516,12 +744,60 @@
')
optional_policy(`
@@ -43470,7 +43754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
-@@ -539,28 +813,63 @@
+@@ -539,28 +815,63 @@
')
optional_policy(`
@@ -43543,7 +43827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -572,6 +881,14 @@
+@@ -572,6 +883,14 @@
')
optional_policy(`
@@ -43558,7 +43842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
-@@ -596,7 +913,7 @@
+@@ -596,7 +915,7 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -43567,7 +43851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -610,6 +927,14 @@
+@@ -610,6 +929,14 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -43582,7 +43866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -629,12 +954,19 @@
+@@ -629,12 +956,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -43604,7 +43888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -642,6 +974,7 @@
+@@ -642,6 +976,7 @@
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -43612,7 +43896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -668,7 +1001,6 @@
+@@ -668,7 +1003,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -43620,7 +43904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -678,11 +1010,17 @@
+@@ -678,11 +1012,17 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -43638,7 +43922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -693,8 +1031,13 @@
+@@ -693,8 +1033,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -43652,7 +43936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -716,11 +1059,14 @@
+@@ -716,11 +1061,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -43667,7 +43951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -773,12 +1119,28 @@
+@@ -773,12 +1121,28 @@
')
optional_policy(`
@@ -43697,7 +43981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -787,6 +1149,10 @@
+@@ -787,6 +1151,10 @@
')
optional_policy(`
@@ -43708,7 +43992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xserver_t)
')
-@@ -802,10 +1168,10 @@
+@@ -802,10 +1170,10 @@
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -43722,7 +44006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -813,7 +1179,7 @@
+@@ -813,7 +1181,7 @@
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -43731,7 +44015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -826,6 +1192,9 @@
+@@ -826,6 +1194,9 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -43741,7 +44025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -833,6 +1202,11 @@
+@@ -833,6 +1204,11 @@
fs_manage_nfs_symlinks(xserver_t)
')
@@ -43753,7 +44037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xserver_t)
fs_manage_cifs_files(xserver_t)
-@@ -841,11 +1215,14 @@
+@@ -841,11 +1217,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -43770,7 +44054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -853,6 +1230,10 @@
+@@ -853,6 +1232,10 @@
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -43781,7 +44065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
########################################
#
# Rules common to all X window domains
-@@ -896,7 +1277,7 @@
+@@ -896,7 +1279,7 @@
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -43790,7 +44074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -950,11 +1331,31 @@
+@@ -950,11 +1333,31 @@
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -43822,7 +44106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -976,18 +1377,32 @@
+@@ -976,18 +1379,32 @@
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -44399,8 +44683,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic
ssh_rw_stream_sockets(application_domain_type)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.9.7/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/authlogin.fc 2011-08-22 09:29:03.318523005 +0000
-@@ -10,6 +10,7 @@
++++ serefpolicy-3.9.7/policy/modules/system/authlogin.fc 2011-09-12 12:58:05.249160002 +0000
+@@ -5,11 +5,13 @@
+ /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+ /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+ /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0)
+ /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
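Review bot: The new `/etc/passwd\.adjunct.*` entry only takes effect for files created or relabeled after the policy is installed; a pre-existing /etc/passwd.adjunct keeps whatever label it got under the old policy (presumably the generic etc label, readable by far more domains than shadow_t), so the fix is incomplete unless the package's post-install step relabels /etc. That step lives in the spec's %post, which is outside this diff; confirm it runs `restorecon`/`fixfiles` over /etc or note in the changelog that a relabel is needed. The `--` type field restricts the match to regular files, consistent with the neighbouring `/etc/passwd\.lock` and `/etc/shadow.*` lines, and the `.*` suffix also catches lock/backup variants such as passwd.adjunct.lock, which is the intended behaviour for shadow-class files. Domains that legitimately edit the adjunct file (passwd, NIS tooling) must already hold shadow_t write permissions; that is not verifiable from this hunk.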
@@ -44408,7 +44698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
ifdef(`distro_suse', `
-@@ -27,7 +28,9 @@
+@@ -27,7 +29,9 @@
/var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
@@ -44418,7 +44708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
-@@ -40,6 +43,7 @@
+@@ -40,6 +44,7 @@
/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
/var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
@@ -47847,7 +48137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
/var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.9.7/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/miscfiles.if 2011-02-25 17:40:40.918500796 +0000
++++ serefpolicy-3.9.7/policy/modules/system/miscfiles.if 2011-10-20 11:25:16.648042051 +0000
@@ -414,9 +414,6 @@
allow $1 locale_t:dir list_dir_perms;
read_files_pattern($1, locale_t, locale_t)
@@ -47858,6 +48148,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
')
########################################
+@@ -593,7 +590,6 @@
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`miscfiles_read_public_files',`
+ gen_require(`
+@@ -605,6 +601,25 @@
+ read_lnk_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
+ ')
+
++#######################################
++## <summary>
++## Read public files used for file
++## transfer services.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`miscfiles_dontaudit_list_public_dirs',`
++ gen_require(`
++ type public_content_t;
++ ')
++
++ dontaudit $1 public_content_t:dir list_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Create, read, write, and delete public files
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.9.7/policy/modules/system/miscfiles.te
--- nsaserefpolicy/policy/modules/system/miscfiles.te 2010-10-12 20:42:50.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/system/miscfiles.te 2011-02-25 17:40:40.919500772 +0000
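Review bot: The summary of the new `miscfiles_dontaudit_list_public_dirs` interface is copy-pasted from the read interface above it ("Read public files used for file transfer services.") and describes the wrong thing: the body is a `dontaudit $1 public_content_t:dir list_dir_perms;` rule, which grants nothing and only silences denials. Replace the summary with `## Do not audit attempts to list public content directories.` so callers do not mistake it for an allow rule. Note also that the sibling `miscfiles_read_public_files` covers both `public_content_t` and `public_content_rw_t`, while the new dontaudit only names `public_content_t`; if that asymmetry is deliberate a one-line comment would help, otherwise listing attempts on rw public dirs will still be audited. The `<rolecap/>` removal on `miscfiles_read_public_files` is a documentation-only change and alters no rules.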
@@ -51338,7 +51662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.debug(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.9.7/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/userdomain.if 2011-08-11 09:56:45.512523005 +0000
++++ serefpolicy-3.9.7/policy/modules/system/userdomain.if 2011-10-20 13:15:48.177904001 +0000
@@ -30,8 +30,9 @@
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 771cf47..a664ed2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.7
-Release: 45%{?dist}
+Release: 46%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,11 @@ exit 0
%endif
%changelog
+* Thu Oct 20 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-46
+- Backport puppet fixes from F16
+- Add label for /etc/passwd\.adjunct.*
+- Fixes for vdagent policy
+
* Mon Aug 29 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-45
- Backport f15 fixes