From 625a8fb5a8e3fd0bf7580fd2a51ef96c5197cc53 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 8 Jan 2008 11:07:27 +0000
Subject: [PATCH] - Add pid_t typemap for swig bindings
---
 libselinux-rhat.patch | 3399 -----------------------------------------
 libselinux.spec | 5 +-
 2 files changed, 4 insertions(+), 3400 deletions(-)
diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index 94b6762..928b6a2 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -501,3402 +501,3 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/utils/matchpathcon.c libselin if (rc < 0) { fprintf(stderr, "matchpathcon(%s) failed: %s\n", path, strerror(errno)); -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.2.5/policy/modules/services/inetd.te ---- nsaserefpolicy/policy/modules/services/inetd.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/inetd.te 2007-12-19 05:38:09.000000000 -0500 -@@ -30,6 +30,10 @@ - type inetd_child_var_run_t; - files_pid_file(inetd_child_var_run_t) - -+ifdef(`enable_mcs',` -+ init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh) -+') -+ - ######################################## - # - # Local policy -@@ -84,6 +88,7 @@ - corenet_udp_bind_ftp_port(inetd_t) - corenet_tcp_bind_inetd_child_port(inetd_t) - corenet_udp_bind_inetd_child_port(inetd_t) -+corenet_tcp_bind_ircd_port(inetd_t) - corenet_udp_bind_ktalkd_port(inetd_t) - corenet_tcp_bind_printer_port(inetd_t) - corenet_udp_bind_rlogind_port(inetd_t) -@@ -137,6 +142,7 @@ - miscfiles_read_localization(inetd_t) - - # xinetd needs MLS override privileges to work -+mls_fd_use_all_levels(inetd_t) - mls_fd_share_all_levels(inetd_t) - mls_socket_read_to_clearance(inetd_t) - mls_socket_write_to_clearance(inetd_t) -@@ -164,6 +170,7 @@ - ') - - optional_policy(` -+ unconfined_domain(inetd_t) - unconfined_domtrans(inetd_t) - ') - -@@ -180,6 +187,9 @@ - # for identd - allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms; - allow inetd_child_t self:capability { setuid setgid }; -+allow inetd_child_t self:dir search; -+allow inetd_child_t self:{ lnk_file file } { getattr read }; -+ - files_search_home(inetd_child_t) - - manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t) -@@ -226,3 +236,7 @@ - optional_policy(` - unconfined_domain(inetd_child_t) - ') -+ -+optional_policy(` -+ inetd_service_domain(inetd_child_t,bin_t) -+') -diff 
--exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.2.5/policy/modules/services/inn.te ---- nsaserefpolicy/policy/modules/services/inn.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/inn.te 2007-12-19 15:36:20.000000000 -0500 -@@ -22,7 +22,7 @@ - files_pid_file(innd_var_run_t) - - type news_spool_t; --files_type(news_spool_t) -+files_mountpoint(news_spool_t) - - ######################################## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.2.5/policy/modules/services/kerberos.fc ---- nsaserefpolicy/policy/modules/services/kerberos.fc 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/kerberos.fc 2007-12-19 05:38:09.000000000 -0500 -@@ -16,3 +16,4 @@ - - /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) - /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) -+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.2.5/policy/modules/services/kerberos.if ---- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-16 14:09:46.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/kerberos.if 2007-12-19 05:38:09.000000000 -0500 -@@ -43,7 +43,13 @@ - dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; - dontaudit $1 krb5kdc_conf_t:file rw_file_perms; - -+ #kerberos libraries are attempting to set the correct file context -+ dontaudit $1 self:process setfscreate; -+ seutil_dontaudit_read_file_contexts($1) -+ - tunable_policy(`allow_kerberos',` -+ fs_rw_tmpfs_files($1) -+ - allow $1 self:tcp_socket create_socket_perms; - allow $1 self:udp_socket create_socket_perms; - -@@ -61,11 +67,7 @@ - corenet_tcp_connect_ocsp_port($1) - corenet_sendrecv_kerberos_client_packets($1) - corenet_sendrecv_ocsp_client_packets($1) -- -- 
sysnet_read_config($1) -- sysnet_dns_name_resolve($1) - ') -- - optional_policy(` - tunable_policy(`allow_kerberos',` - pcscd_stream_connect($1) -@@ -172,3 +174,51 @@ - allow $1 krb5kdc_conf_t:file read_file_perms; - - ') -+ -+######################################## -+## -+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`kerberos_manage_host_rcache',` -+ gen_require(` -+ type krb5_host_rcache_t; -+ ') -+ -+ tunable_policy(`allow_kerberos',` -+ files_search_tmp($1) -+ allow $1 self:process setfscreate; -+ selinux_validate_context($1) -+ seutil_read_file_contexts($1) -+ allow $1 krb5_host_rcache_t:file manage_file_perms; -+ ') -+ # creates files as system_u no matter what the selinux user -+ domain_obj_id_change_exemption($1) -+') -+ -+######################################## -+## -+## Connect to krb524 service -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`kerberos_524_connect',` -+ tunable_policy(`allow_kerberos',` -+ allow $1 self:udp_socket create_socket_perms; -+ corenet_all_recvfrom_unlabeled($1) -+ corenet_udp_sendrecv_all_if($1) -+ corenet_udp_sendrecv_all_nodes($1) -+ corenet_udp_sendrecv_kerberos_master_port($1) -+ corenet_udp_bind_all_nodes($1) -+ ') -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.2.5/policy/modules/services/kerberos.te ---- nsaserefpolicy/policy/modules/services/kerberos.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/kerberos.te 2007-12-19 05:38:09.000000000 -0500 -@@ -54,6 +54,9 @@ - type krb5kdc_var_run_t; - files_pid_file(krb5kdc_var_run_t) - -+type krb5_host_rcache_t; -+files_tmp_file(krb5_host_rcache_t) -+ - ######################################## - # - # kadmind local policy -@@ -62,7 +65,7 @@ - # Use capabilities. Surplus capabilities may be allowed. 
- allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; - dontaudit kadmind_t self:capability sys_tty_config; --allow kadmind_t self:process signal_perms; -+allow kadmind_t self:process { setfscreate signal_perms }; - allow kadmind_t self:netlink_route_socket r_netlink_socket_perms; - allow kadmind_t self:unix_dgram_socket { connect create write }; - allow kadmind_t self:tcp_socket connected_stream_socket_perms; -@@ -91,6 +94,7 @@ - kernel_read_kernel_sysctls(kadmind_t) - kernel_list_proc(kadmind_t) - kernel_read_proc_symlinks(kadmind_t) -+kernel_read_system_state(kadmind_t) - - corenet_all_recvfrom_unlabeled(kadmind_t) - corenet_all_recvfrom_netlabel(kadmind_t) -@@ -118,6 +122,9 @@ - domain_use_interactive_fds(kadmind_t) - - files_read_etc_files(kadmind_t) -+files_read_usr_symlinks(kadmind_t) -+files_read_usr_files(kadmind_t) -+files_read_var_files(kadmind_t) - - libs_use_ld_so(kadmind_t) - libs_use_shared_libs(kadmind_t) -@@ -127,6 +134,7 @@ - miscfiles_read_localization(kadmind_t) - - sysnet_read_config(kadmind_t) -+sysnet_use_ldap(kadmind_t) - - userdom_dontaudit_use_unpriv_user_fds(kadmind_t) - userdom_dontaudit_search_sysadm_home_dirs(kadmind_t) -@@ -137,6 +145,7 @@ - - optional_policy(` - seutil_sigchld_newrole(kadmind_t) -+ seutil_read_file_contexts(kadmind_t) - ') - - optional_policy(` -@@ -151,7 +160,7 @@ - # Use capabilities. Surplus capabilities may be allowed. 
- allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; - dontaudit krb5kdc_t self:capability sys_tty_config; --allow krb5kdc_t self:process { setsched getsched signal_perms }; -+allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; - allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; - allow krb5kdc_t self:tcp_socket create_stream_socket_perms; - allow krb5kdc_t self:udp_socket create_socket_perms; -@@ -223,6 +232,7 @@ - miscfiles_read_localization(krb5kdc_t) - - sysnet_read_config(krb5kdc_t) -+sysnet_use_ldap(krb5kdc_t) - - userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) - userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t) -@@ -233,6 +243,7 @@ - - optional_policy(` - seutil_sigchld_newrole(krb5kdc_t) -+ seutil_read_file_contexts(krb5kdc_t) - ') - - optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.2.5/policy/modules/services/lpd.if ---- nsaserefpolicy/policy/modules/services/lpd.if 2007-11-16 13:45:14.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/lpd.if 2007-12-31 06:40:50.000000000 -0500 -@@ -336,10 +336,8 @@ - ') - - files_search_spool($1) -+ manage_dirs_pattern($1,print_spool_t,print_spool_t) - manage_files_pattern($1,print_spool_t,print_spool_t) -- -- # cjp: cups wants setattr -- allow $1 print_spool_t:dir setattr; - ') - - ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.2.5/policy/modules/services/mailman.if ---- nsaserefpolicy/policy/modules/services/mailman.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/mailman.if 2007-12-31 14:18:13.000000000 -0500 -@@ -211,6 +211,7 @@ - type mailman_data_t; - ') - -+ manage_dirs_pattern($1,mailman_data_t,mailman_data_t) - manage_files_pattern($1,mailman_data_t,mailman_data_t) - ') - -@@ -252,6 +253,25 @@ - - 
####################################### - ## -+## read -+## mailman logs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mailman_read_log',` -+ gen_require(` -+ type mailman_log_t; -+ ') -+ -+ read_files_pattern($1,mailman_log_t,mailman_log_t) -+') -+ -+####################################### -+## - ## Append to mailman logs. - ## - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.5/policy/modules/services/mailman.te ---- nsaserefpolicy/policy/modules/services/mailman.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/mailman.te 2007-12-19 05:38:09.000000000 -0500 -@@ -53,10 +53,9 @@ - apache_use_fds(mailman_cgi_t) - apache_dontaudit_append_log(mailman_cgi_t) - apache_search_sys_script_state(mailman_cgi_t) -+ apache_read_config(mailman_cgi_t) -+ apache_dontaudit_rw_stream_sockets(mailman_cgi_t) - -- optional_policy(` -- nscd_socket_use(mailman_cgi_t) -- ') - ') - - ######################################## -@@ -65,6 +64,10 @@ - # - - allow mailman_mail_t self:unix_dgram_socket create_socket_perms; -+allow mailman_mail_t initrc_t:process signal; -+allow mailman_mail_t self:capability { setuid setgid }; -+ -+files_search_spool(mailman_mail_t) - - mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.2.5/policy/modules/services/mailscanner.fc ---- nsaserefpolicy/policy/modules/services/mailscanner.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/mailscanner.fc 2007-12-19 05:38:09.000000000 -0500 -@@ -0,0 +1,2 @@ -+/var/spool/MailScanner(/.*)? 
gen_context(system_u:object_r:mailscanner_spool_t,s0) -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.2.5/policy/modules/services/mailscanner.if ---- nsaserefpolicy/policy/modules/services/mailscanner.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/mailscanner.if 2007-12-19 05:38:09.000000000 -0500 -@@ -0,0 +1,59 @@ -+## Anti-Virus and Anti-Spam Filter -+ -+######################################## -+## -+## Search mailscanner spool directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mailscanner_search_spool',` -+ gen_require(` -+ type mailscanner_spool_t; -+ ') -+ -+ files_search_spool($1) -+ allow $1 mailscanner_spool_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## read mailscanner spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mailscanner_read_spool',` -+ gen_require(` -+ type mailscanner_spool_t; -+ ') -+ -+ files_search_spool($1) -+ read_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## mailscanner spool files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`mailscanner_manage_spool',` -+ gen_require(` -+ type mailscanner_spool_t; -+ ') -+ -+ files_search_spool($1) -+ manage_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t) -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.2.5/policy/modules/services/mailscanner.te ---- nsaserefpolicy/policy/modules/services/mailscanner.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/mailscanner.te 2007-12-19 05:38:09.000000000 -0500 -@@ -0,0 +1,5 @@ -+ -+policy_module(mailscanner,1.0.0) -+ -+type mailscanner_spool_t; -+files_type(mailscanner_spool_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if ---- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/mta.if 2008-01-04 10:12:33.000000000 -0500 -@@ -133,6 +133,12 @@ - sendmail_create_log($1_mail_t) - ') - -+ optional_policy(` -+ exim_read_log($1_mail_t) -+ exim_append_log($1_mail_t) -+ exim_manage_spool_files($1_mail_t) -+ ') -+ - ') - - ####################################### -@@ -217,6 +223,15 @@ - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_mail_t) - fs_manage_cifs_symlinks($1_mail_t) -+ fs_manage_cifs_files(mailserver_delivery) -+ fs_manage_cifs_symlinks(mailserver_delivery) -+ ') -+ -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_files($1_mail_t) -+ fs_manage_nfs_symlinks($1_mail_t) -+ fs_manage_nfs_files(mailserver_delivery) -+ fs_manage_nfs_symlinks(mailserver_delivery) - ') - - optional_policy(` -@@ -305,6 +320,42 @@ - - ######################################## - ## -+## Make the specified type usable for a mta_send_mail. -+## -+## -+## -+## Type to be used as a mail client. 
-+## -+## -+# -+interface(`mta_mailclient',` -+ gen_require(` -+ attribute mailclient_exec_type; -+ ') -+ -+ typeattribute $1 mailclient_exec_type; -+') -+ -+######################################## -+## -+## Make the specified type readable for a system_mail_t -+## -+## -+## -+## Type to be used as a mail client. -+## -+## -+# -+interface(`mta_mailcontent',` -+ gen_require(` -+ attribute mailcontent_type; -+ ') -+ -+ typeattribute $1 mailcontent_type; -+') -+ -+######################################## -+## - ## Modified mailserver interface for - ## sendmail daemon use. - ## -@@ -383,11 +434,13 @@ - allow $1 mail_spool_t:dir list_dir_perms; - create_files_pattern($1,mail_spool_t,mail_spool_t) - read_files_pattern($1,mail_spool_t,mail_spool_t) -+ append_files_pattern($1,mail_spool_t,mail_spool_t) - create_lnk_files_pattern($1,mail_spool_t,mail_spool_t) - read_lnk_files_pattern($1,mail_spool_t,mail_spool_t) - - optional_policy(` - dovecot_manage_spool($1) -+ dovecot_domtrans_deliver($1) - ') - - optional_policy(` -@@ -422,6 +475,7 @@ - # apache should set close-on-exec - apache_dontaudit_rw_stream_sockets($1) - apache_dontaudit_rw_sys_script_stream_sockets($1) -+ apache_append_log($1) - ') - ') - -@@ -438,20 +492,18 @@ - interface(`mta_send_mail',` - gen_require(` - attribute mta_user_agent; -- type system_mail_t, sendmail_exec_t; -+ type system_mail_t; -+ attribute mailclient_exec_type; - ') - -- allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms; -- domain_auto_trans($1, sendmail_exec_t, system_mail_t) -- -- allow $1 system_mail_t:fd use; -- allow system_mail_t $1:fd use; -- allow system_mail_t $1:fifo_file rw_file_perms; -- allow system_mail_t $1:process sigchld; -+ allow $1 mailclient_exec_type:lnk_file read_lnk_file_perms; -+ domtrans_pattern($1, mailclient_exec_type, system_mail_t) -+ allow system_mail_t mailclient_exec_type:file entrypoint; - - allow mta_user_agent $1:fd use; - allow mta_user_agent $1:process sigchld; - allow mta_user_agent $1:fifo_file { 
read write }; -+ - ') - - ######################################## -@@ -586,6 +638,25 @@ - files_search_etc($1) - allow $1 etc_aliases_t:file { rw_file_perms setattr }; - ') -+######################################## -+## -+## manage mail aliases. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`mta_manage_aliases',` -+ gen_require(` -+ type etc_aliases_t; -+ ') -+ -+ files_search_etc($1) -+ allow $1 etc_aliases_t:file manage_file_perms; -+') - - ####################################### - ## -@@ -837,6 +908,25 @@ - - ######################################## - ## -+## read mail queue files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mta_read_queue',` -+ gen_require(` -+ type mqueue_spool_t; -+ ') -+ -+ files_search_spool($1) -+ read_files_pattern($1,mqueue_spool_t,mqueue_spool_t) -+') -+ -+######################################## -+## - ## Create, read, write, and delete - ## mail queue files. - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te ---- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/mta.te 2007-12-19 05:38:09.000000000 -0500 -@@ -6,6 +6,8 @@ - # Declarations - # - -+attribute mailcontent_type; -+attribute mailclient_exec_type; - attribute mta_user_agent; - attribute mailserver_delivery; - attribute mailserver_domain; -@@ -27,6 +29,7 @@ - - type sendmail_exec_t; - application_executable_file(sendmail_exec_t) -+mta_mailclient(sendmail_exec_t) - - mta_base_mail_template(system) - role system_r types system_mail_t; -@@ -40,27 +43,40 @@ - allow system_mail_t self:capability { dac_override }; - - read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t) -+read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type) - - kernel_read_system_state(system_mail_t) - kernel_read_network_state(system_mail_t) - -+dev_read_sysfs(system_mail_t) - 
dev_read_rand(system_mail_t) - dev_read_urand(system_mail_t) - -+fs_rw_anon_inodefs_files(system_mail_t) -+ -+selinux_getattr_fs(system_mail_t) -+ - init_use_script_ptys(system_mail_t) - - userdom_use_sysadm_terms(system_mail_t) - userdom_dontaudit_search_sysadm_home_dirs(system_mail_t) -+userdom_dontaudit_search_all_users_home_content(system_mail_t) -+ -+optional_policy(` -+ apcupsd_read_tmp_files(system_mail_t) -+') - - optional_policy(` - apache_read_squirrelmail_data(system_mail_t) - apache_append_squirrelmail_data(system_mail_t) -+ apache_search_bugzilla_dirs(system_mail_t) - - # apache should set close-on-exec - apache_dontaudit_append_log(system_mail_t) - apache_dontaudit_rw_stream_sockets(system_mail_t) - apache_dontaudit_rw_tcp_sockets(system_mail_t) - apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) -+ apache_dontaudit_rw_bugzilla_script_stream_sockets(system_mail_t) - ') - - optional_policy(` -@@ -73,6 +89,7 @@ - - optional_policy(` - cron_read_system_job_tmp_files(system_mail_t) -+ cron_read_tmp_files(system_mail_t) - cron_dontaudit_write_pipes(system_mail_t) - ') - -@@ -81,6 +98,11 @@ - ') - - optional_policy(` -+ exim_domtrans(system_mail_t) -+ exim_manage_log(system_mail_t) -+') -+ -+optional_policy(` - logrotate_read_tmp_files(system_mail_t) - ') - -@@ -136,6 +158,14 @@ - ') - - optional_policy(` -+ clamav_stream_connect(sendmail_t) -+') -+ -+optional_policy(` -+ spamd_stream_connect(system_mail_t) -+') -+ -+optional_policy(` - smartmon_read_tmp_files(system_mail_t) - ') - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.2.5/policy/modules/services/munin.fc ---- nsaserefpolicy/policy/modules/services/munin.fc 2007-04-30 10:41:38.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/munin.fc 2007-12-31 05:55:51.000000000 -0500 -@@ -6,6 +6,7 @@ - /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) - - /var/lib/munin(/.*)? 
gen_context(system_u:object_r:munin_var_lib_t,s0) --/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0) -+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) - /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) --/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) -+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) -+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.2.5/policy/modules/services/munin.te ---- nsaserefpolicy/policy/modules/services/munin.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/munin.te 2007-12-31 06:15:20.000000000 -0500 -@@ -37,14 +37,18 @@ - allow munin_t self:unix_dgram_socket { create_socket_perms sendto }; - allow munin_t self:tcp_socket create_stream_socket_perms; - allow munin_t self:udp_socket create_socket_perms; -+allow munin_t self:fifo_file manage_fifo_file_perms; -+ -+can_exec(munin_t, munin_exec_t) - - allow munin_t munin_etc_t:dir list_dir_perms; - read_files_pattern(munin_t,munin_etc_t,munin_etc_t) - read_lnk_files_pattern(munin_t,munin_etc_t,munin_etc_t) - files_search_etc(munin_t) - --allow munin_t munin_log_t:file manage_file_perms; --logging_log_filetrans(munin_t,munin_log_t,file) -+manage_dirs_pattern(munin_t, munin_log_t, munin_log_t) -+manage_files_pattern(munin_t, munin_log_t, munin_log_t) -+logging_log_filetrans(munin_t,munin_log_t,{ file dir }) - - manage_dirs_pattern(munin_t,munin_tmp_t,munin_tmp_t) - manage_files_pattern(munin_t,munin_tmp_t,munin_tmp_t) -@@ -73,6 +77,7 @@ - corenet_udp_sendrecv_all_nodes(munin_t) - corenet_tcp_sendrecv_all_ports(munin_t) - corenet_udp_sendrecv_all_ports(munin_t) -+corenet_tcp_connect_munin_port(munin_t) - - dev_read_sysfs(munin_t) - dev_read_urand(munin_t) -@@ -91,6 +96,7 @@ - - logging_send_syslog_msg(munin_t) - 
-+miscfiles_read_fonts(munin_t) - miscfiles_read_localization(munin_t) - - sysnet_read_config(munin_t) -@@ -118,3 +124,9 @@ - optional_policy(` - udev_read_db(munin_t) - ') -+ -+#============= http munin policy ============== -+apache_content_template(munin) -+ -+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) -+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.2.5/policy/modules/services/mysql.fc ---- nsaserefpolicy/policy/modules/services/mysql.fc 2006-11-16 17:15:20.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/mysql.fc 2007-12-19 05:38:09.000000000 -0500 -@@ -22,3 +22,5 @@ - /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) - - /var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) -+ -+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.2.5/policy/modules/services/mysql.if ---- nsaserefpolicy/policy/modules/services/mysql.if 2007-01-02 12:57:43.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/mysql.if 2007-12-19 05:38:09.000000000 -0500 -@@ -157,3 +157,79 @@ - logging_search_logs($1) - allow $1 mysqld_log_t:file { write append setattr ioctl }; - ') -+ -+######################################## -+## -+## Execute mysql server in the mysqld domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`mysql_script_domtrans',` -+ gen_require(` -+ type mysqld_script_exec_t; -+ ') -+ -+ init_script_domtrans_spec($1,mysqld_script_exec_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate an mysql environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the mysql domain. 
-+## -+## -+## -+## -+## The type of the terminal allow the mysql domain to use. -+## -+## -+## -+# -+interface(`mysql_admin',` -+ -+ gen_require(` -+ type mysqld_t; -+ type mysqld_var_run_t; -+ type mysqld_tmp_t; -+ type mysqld_db_t; -+ type mysqld_etc_t; -+ type mysqld_log_t; -+ type mysqld_script_exec_t; -+ ') -+ -+ allow $1 mysqld_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, mysqld_t, mysqld_t) -+ -+ # Allow $1 to restart the apache service -+ mysql_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 mysqld_script_exec_t system_r; -+ allow $2 system_r; -+ -+ manage_dirs_pattern($1,mysqld_var_run_t,mysqld_var_run_t) -+ manage_files_pattern($1,mysqld_var_run_t,mysqld_var_run_t) -+ -+ manage_dirs_pattern($1,mysqld_db_t,mysqld_db_t) -+ manage_files_pattern($1,mysqld_db_t,mysqld_db_t) -+ -+ manage_dirs_pattern($1,mysqld_etc_t,mysqld_etc_t) -+ manage_files_pattern($1,mysqld_etc_t,mysqld_etc_t) -+ -+ manage_dirs_pattern($1,mysqld_log_t,mysqld_log_t) -+ manage_files_pattern($1,mysqld_log_t,mysqld_log_t) -+ -+ manage_dirs_pattern($1,mysqld_tmp_t,mysqld_tmp_t) -+ manage_files_pattern($1,mysqld_tmp_t,mysqld_tmp_t) -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.2.5/policy/modules/services/mysql.te ---- nsaserefpolicy/policy/modules/services/mysql.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/mysql.te 2007-12-31 16:45:48.000000000 -0500 -@@ -1,4 +1,3 @@ -- - policy_module(mysql,1.6.0) - - ######################################## -@@ -25,6 +24,9 @@ - type mysqld_tmp_t; - files_tmp_file(mysqld_tmp_t) - -+type mysqld_script_exec_t; -+init_script_type(mysqld_script_exec_t) -+ - ######################################## - # - # Local policy -@@ -33,7 +35,8 @@ - allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service }; - dontaudit mysqld_t self:capability sys_tty_config; - allow mysqld_t 
self:process { setsched getsched setrlimit signal_perms rlimitinh }; --allow mysqld_t self:fifo_file { read write }; -+allow mysqld_t self:fifo_file rw_fifo_file_perms; -+allow mysqld_t self:shm create_shm_perms; - allow mysqld_t self:unix_stream_socket create_stream_socket_perms; - allow mysqld_t self:tcp_socket create_stream_socket_perms; - allow mysqld_t self:udp_socket create_socket_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.5/policy/modules/services/nagios.fc ---- nsaserefpolicy/policy/modules/services/nagios.fc 2006-11-16 17:15:20.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/nagios.fc 2007-12-19 05:38:09.000000000 -0500 -@@ -4,13 +4,15 @@ - /usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) - /usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) - --/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) --/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) -+/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -+/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) - - /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) - /var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) - -+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) -+ - ifdef(`distro_debian',` - /usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) --/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) - ') -+/usr/lib(64)?/cgi-bin/nagios(/.+)? 
gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.2.5/policy/modules/services/nagios.if ---- nsaserefpolicy/policy/modules/services/nagios.if 2007-01-02 12:57:43.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/nagios.if 2007-12-19 05:38:09.000000000 -0500 -@@ -44,25 +44,6 @@ - - ######################################## - ## --## Execute the nagios CGI with --## a domain transition. --## --## --## --## Domain allowed access. --## --## --# --interface(`nagios_domtrans_cgi',` -- gen_require(` -- type nagios_cgi_t, nagios_cgi_exec_t; -- ') -- -- domtrans_pattern($1,nagios_cgi_exec_t,nagios_cgi_t) --') -- --######################################## --## - ## Execute the nagios NRPE with - ## a domain transition. - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.2.5/policy/modules/services/nagios.te ---- nsaserefpolicy/policy/modules/services/nagios.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/nagios.te 2007-12-19 05:38:09.000000000 -0500 -@@ -8,11 +8,7 @@ - - type nagios_t; - type nagios_exec_t; --init_daemon_domain(nagios_t, nagios_exec_t) -- --type nagios_cgi_t; --type nagios_cgi_exec_t; --init_system_domain(nagios_cgi_t, nagios_cgi_exec_t) -+init_daemon_domain(nagios_t,nagios_exec_t) - - type nagios_etc_t; - files_config_file(nagios_etc_t) -@@ -26,9 +22,12 @@ - type nagios_var_run_t; - files_pid_file(nagios_var_run_t) - -+type nagios_spool_t; -+files_type(nagios_spool_t) -+ - type nrpe_t; - type nrpe_exec_t; --init_daemon_domain(nrpe_t, nrpe_exec_t) -+init_daemon_domain(nrpe_t,nrpe_exec_t) - - type nrpe_etc_t; - files_config_file(nrpe_etc_t) -@@ -60,6 +59,8 @@ - manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) - files_pid_filetrans(nagios_t, nagios_var_run_t, file) - -+rw_fifo_files_pattern(nagios_t, nagios_spool_t, 
nagios_spool_t) -+ - kernel_read_system_state(nagios_t) - kernel_read_kernel_sysctls(nagios_t) - -@@ -130,42 +131,31 @@ - # - # Nagios CGI local policy - # -+apache_content_template(nagios) -+typealias httpd_nagios_script_t alias nagios_cgi_t; -+typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t; - --allow nagios_cgi_t self:process signal_perms; --allow nagios_cgi_t self:fifo_file rw_fifo_file_perms; -- --read_files_pattern(nagios_cgi_t, nagios_t, nagios_t) --read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -- --allow nagios_cgi_t nagios_etc_t:dir list_dir_perms; --read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) --read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -+allow httpd_nagios_script_t self:process signal_perms; - --allow nagios_cgi_t nagios_log_t:dir list_dir_perms; --read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) --read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) -+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) - --kernel_read_system_state(nagios_cgi_t) -+allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; -+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) - --corecmd_exec_bin(nagios_cgi_t) -+allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; -+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) - --domain_dontaudit_read_all_domains_state(nagios_cgi_t) -+kernel_read_system_state(httpd_nagios_script_t) - --files_read_etc_files(nagios_cgi_t) --files_read_etc_runtime_files(nagios_cgi_t) --files_read_kernel_symbol_table(nagios_cgi_t) -+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) - --libs_use_ld_so(nagios_cgi_t) --libs_use_shared_libs(nagios_cgi_t) 
-+files_read_etc_runtime_files(httpd_nagios_script_t)
-+files_read_kernel_symbol_table(httpd_nagios_script_t)
-
--logging_send_syslog_msg(nagios_cgi_t)
--logging_search_logs(nagios_cgi_t)
--
--miscfiles_read_localization(nagios_cgi_t)
--
--optional_policy(`
-- apache_append_log(nagios_cgi_t)
--')
-+logging_send_syslog_msg(httpd_nagios_script_t)
-
- ########################################
- #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.2.5/policy/modules/services/networkmanager.fc
---- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-09-12 10:34:18.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.fc 2007-12-31 08:48:44.000000000 -0500
-@@ -1,7 +1,9 @@
- /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
- /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-
- /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
- /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
- /var/run/wpa_supplicant(/.*)?
gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
- /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-+/var/log/wpa_supplicant\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.2.5/policy/modules/services/networkmanager.if
---- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-06-12 10:15:45.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.if 2007-12-31 08:55:52.000000000 -0500
-@@ -97,3 +97,21 @@
- allow $1 NetworkManager_t:dbus send_msg;
- allow NetworkManager_t $1:dbus send_msg;
- ')
-+
-+########################################
-+##
-+## Send a generic signal to NetworkManager
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`networkmanager_signal',`
-+ gen_require(`
-+ type NetworkManager_t;
-+ ')
-+
-+ allow $1 NetworkManager_t:process signal;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.5/policy/modules/services/networkmanager.te
---- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te 2007-12-26 20:31:36.000000000 -0500
-@@ -13,6 +13,9 @@
- type NetworkManager_var_run_t;
- files_pid_file(NetworkManager_var_run_t)
-
-+type NetworkManager_log_t;
-+logging_log_file(NetworkManager_log_t)
-+
- ########################################
- #
- # Local policy
-@@ -20,7 +23,7 @@
-
- # networkmanager will ptrace itself if gdb is installed
- # and it receives a unexpected signal (rh bug #204161)
--allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
-+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
- dontaudit
NetworkManager_t self:capability { sys_tty_config sys_ptrace };
- allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
- allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
-@@ -38,6 +41,9 @@
- manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
- files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
-
-+manage_files_pattern(NetworkManager_t,NetworkManager_log_t,NetworkManager_log_t)
-+logging_log_filetrans(NetworkManager_t,NetworkManager_log_t, file)
-+
- kernel_read_system_state(NetworkManager_t)
- kernel_read_network_state(NetworkManager_t)
- kernel_read_kernel_sysctls(NetworkManager_t)
-@@ -86,6 +92,8 @@
- init_read_utmp(NetworkManager_t)
- init_domtrans_script(NetworkManager_t)
-
-+auth_use_nsswitch(NetworkManager_t)
-+
- libs_use_ld_so(NetworkManager_t)
- libs_use_shared_libs(NetworkManager_t)
-
-@@ -129,8 +137,11 @@
- ')
-
- optional_policy(`
-+ allow NetworkManager_t self:dbus send_msg;
-+
- dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
- dbus_connect_system_bus(NetworkManager_t)
-+ dbus_system_domain(NetworkManager_t,NetworkManager_exec_t)
- ')
-
- optional_policy(`
-@@ -138,12 +149,9 @@
- ')
-
- optional_policy(`
-- nis_use_ypbind(NetworkManager_t)
--')
--
--optional_policy(`
-- nscd_socket_use(NetworkManager_t)
- nscd_signal(NetworkManager_t)
-+ nscd_script_domtrans(NetworkManager_t)
-+ nscd_domtrans(NetworkManager_t)
- ')
-
- optional_policy(`
-@@ -155,6 +163,7 @@
- ppp_domtrans(NetworkManager_t)
- ppp_read_pid_files(NetworkManager_t)
- ppp_signal(NetworkManager_t)
-+ ppp_read_config(NetworkManager_t)
- ')
-
- optional_policy(`
-@@ -166,11 +175,6 @@
- ')
-
- optional_policy(`
-- # Read gnome-keyring
-- unconfined_read_home_content_files(NetworkManager_t)
--')
--
--optional_policy(`
- vpn_domtrans(NetworkManager_t)
- vpn_signal(NetworkManager_t)
- ')
-diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.2.5/policy/modules/services/nis.fc
---- nsaserefpolicy/policy/modules/services/nis.fc 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/nis.fc 2007-12-19 05:38:09.000000000 -0500
-@@ -4,6 +4,7 @@
- /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
-
- /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
-+/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
-
- /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
- /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.2.5/policy/modules/services/nis.if
---- nsaserefpolicy/policy/modules/services/nis.if 2007-07-16 14:09:46.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/nis.if 2007-12-19 05:38:09.000000000 -0500
-@@ -49,8 +49,8 @@
- corenet_udp_bind_all_nodes($1)
- corenet_tcp_bind_generic_port($1)
- corenet_udp_bind_generic_port($1)
-- corenet_tcp_bind_reserved_port($1)
-- corenet_udp_bind_reserved_port($1)
-+ corenet_dontaudit_tcp_bind_all_reserved_ports($1)
-+ corenet_dontaudit_udp_bind_all_reserved_ports($1)
- corenet_dontaudit_tcp_bind_all_ports($1)
- corenet_dontaudit_udp_bind_all_ports($1)
- corenet_tcp_connect_portmap_port($1)
-@@ -87,6 +87,25 @@
-
- ########################################
- ##
-+## Use the nis to authenticate passwords
-+##
-+##
-+##
-+## The type of the process performing this action.
-+##
-+##
-+##
-+#
-+interface(`nis_authenticate',`
-+ tunable_policy(`allow_ypbind',`
-+ nis_use_ypbind_uncond($1)
-+ corenet_tcp_bind_all_rpc_ports($1)
-+ corenet_udp_bind_all_rpc_ports($1)
-+ ')
-+')
-+
-+########################################
-+##
- ## Execute ypbind in the ypbind domain.
- ##
- ##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.2.5/policy/modules/services/nis.te
---- nsaserefpolicy/policy/modules/services/nis.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/nis.te 2007-12-19 05:38:09.000000000 -0500
-@@ -113,6 +113,17 @@
- userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
- userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
-
-+
-+optional_policy(`
-+ dbus_system_bus_client_template(ypbind,ypbind_t)
-+ dbus_connect_system_bus(ypbind_t)
-+ init_dbus_chat_script(ypbind_t)
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat(ypbind_t)
-+ ')
-+')
-+
- optional_policy(`
- seutil_sigchld_newrole(ypbind_t)
- ')
-@@ -126,6 +137,7 @@
- # yppasswdd local policy
- #
-
-+allow yppasswdd_t self:capability dac_override;
- dontaudit yppasswdd_t self:capability sys_tty_config;
- allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
- allow yppasswdd_t self:process { setfscreate signal_perms };
-@@ -156,8 +168,8 @@
- corenet_udp_sendrecv_all_ports(yppasswdd_t)
- corenet_tcp_bind_all_nodes(yppasswdd_t)
- corenet_udp_bind_all_nodes(yppasswdd_t)
--corenet_tcp_bind_reserved_port(yppasswdd_t)
--corenet_udp_bind_reserved_port(yppasswdd_t)
-+corenet_tcp_bind_all_rpc_ports(yppasswdd_t)
-+corenet_udp_bind_all_rpc_ports(yppasswdd_t)
- corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
- corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
- corenet_sendrecv_generic_server_packets(yppasswdd_t)
-@@ -247,6 +259,8 @@
- corenet_udp_bind_all_nodes(ypserv_t)
- corenet_tcp_bind_reserved_port(ypserv_t)
- corenet_udp_bind_reserved_port(ypserv_t)
-+corenet_tcp_bind_all_rpc_ports(ypserv_t)
-+corenet_udp_bind_all_rpc_ports(ypserv_t)
- corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
- corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
- corenet_sendrecv_generic_server_packets(ypserv_t)
-@@ -315,6 +329,8 @@
- corenet_udp_bind_all_nodes(ypxfr_t)
-
corenet_tcp_bind_reserved_port(ypxfr_t)
- corenet_udp_bind_reserved_port(ypxfr_t)
-+corenet_tcp_bind_all_rpc_ports(ypxfr_t)
-+corenet_udp_bind_all_rpc_ports(ypxfr_t)
- corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
- corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
- corenet_tcp_connect_all_ports(ypxfr_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.2.5/policy/modules/services/nscd.fc
---- nsaserefpolicy/policy/modules/services/nscd.fc 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/nscd.fc 2007-12-19 05:38:09.000000000 -0500
-@@ -9,3 +9,5 @@
- /var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
-
- /var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
-+
-+/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.2.5/policy/modules/services/nscd.if
---- nsaserefpolicy/policy/modules/services/nscd.if 2007-03-26 10:39:04.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/nscd.if 2007-12-19 05:38:09.000000000 -0500
-@@ -70,15 +70,14 @@
- interface(`nscd_socket_use',`
- gen_require(`
- type nscd_t, nscd_var_run_t;
-- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
-+ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
- ')
-
- allow $1 self:unix_stream_socket create_socket_perms;
-
- allow $1 nscd_t:nscd { getpwd getgrp gethost };
- dontaudit $1 nscd_t:fd use;
-- dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
--
-+ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
- files_search_pids($1)
- stream_connect_pattern($1,nscd_var_run_t,nscd_var_run_t,nscd_t)
- dontaudit $1 nscd_var_run_t:file { getattr read };
-@@ -204,3 +203,22 @@
- role $2 types nscd_t;
- dontaudit nscd_t $3:chr_file rw_term_perms;
- ')
-+
-+########################################
-+##
-+## Execute nscd server in the ntpd domain.
-+##
-+##
-+##
-+## The type of the process performing this action.
-+##
-+##
-+#
-+interface(`nscd_script_domtrans',`
-+ gen_require(`
-+ type nscd_script_exec_t;
-+ ')
-+
-+ init_script_domtrans_spec($1,nscd_script_exec_t)
-+')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.2.5/policy/modules/services/nscd.te
---- nsaserefpolicy/policy/modules/services/nscd.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/nscd.te 2007-12-19 05:38:09.000000000 -0500
-@@ -23,19 +23,22 @@
- type nscd_log_t;
- logging_log_file(nscd_log_t)
-
-+type nscd_script_exec_t;
-+init_script_type(nscd_script_exec_t)
-+
- ########################################
- #
- # Local policy
- #
-
--allow nscd_t self:capability { kill setgid setuid audit_write };
-+allow nscd_t self:capability { kill setgid setuid };
- dontaudit nscd_t self:capability sys_tty_config;
--allow nscd_t self:process { getattr setsched signal_perms };
-+allow nscd_t self:process { getattr setcap setsched signal_perms };
- allow nscd_t self:fifo_file { read write };
- allow nscd_t self:unix_stream_socket create_stream_socket_perms;
- allow nscd_t self:unix_dgram_socket create_socket_perms;
- allow nscd_t self:netlink_selinux_socket create_socket_perms;
--allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-+
- allow nscd_t self:tcp_socket create_socket_perms;
- allow nscd_t self:udp_socket create_socket_perms;
-
-@@ -50,6 +53,8 @@
- manage_sock_files_pattern(nscd_t,nscd_var_run_t,nscd_var_run_t)
- files_pid_filetrans(nscd_t,nscd_var_run_t,{ file sock_file })
-
-+can_exec(nscd_t, nscd_exec_t)
-+
- kernel_read_kernel_sysctls(nscd_t)
- kernel_list_proc(nscd_t)
- kernel_read_proc_symlinks(nscd_t)
-@@ -73,6 +78,8 @@
- corenet_udp_sendrecv_all_nodes(nscd_t)
- corenet_tcp_sendrecv_all_ports(nscd_t)
-
corenet_udp_sendrecv_all_ports(nscd_t)
-+corenet_udp_bind_all_nodes(nscd_t)
-+corenet_udp_bind_all_nodes(nscd_t)
- corenet_tcp_connect_all_ports(nscd_t)
- corenet_sendrecv_all_client_packets(nscd_t)
- corenet_rw_tun_tap_dev(nscd_t)
-@@ -93,6 +100,7 @@
- libs_use_ld_so(nscd_t)
- libs_use_shared_libs(nscd_t)
-
-+logging_send_audit_msgs(nscd_t)
- logging_send_syslog_msg(nscd_t)
-
- miscfiles_read_localization(nscd_t)
-@@ -114,3 +122,12 @@
- xen_dontaudit_rw_unix_stream_sockets(nscd_t)
- xen_append_log(nscd_t)
- ')
-+
-+optional_policy(`
-+ tunable_policy(`samba_domain_controller',`
-+ samba_append_log(nscd_t)
-+ samba_dontaudit_use_fds(nscd_t)
-+ ')
-+ samba_read_config(nscd_t)
-+ samba_read_var_files(nscd_t)
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.2.5/policy/modules/services/ntp.fc
---- nsaserefpolicy/policy/modules/services/ntp.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/ntp.fc 2007-12-19 05:38:09.000000000 -0500
-@@ -17,3 +17,8 @@
- /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
-
- /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
-+
-+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
-+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
-+
-+/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.2.5/policy/modules/services/ntp.if
---- nsaserefpolicy/policy/modules/services/ntp.if 2007-03-26 10:39:05.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/ntp.if 2007-12-19 05:38:09.000000000 -0500
-@@ -53,3 +53,22 @@
- corecmd_search_bin($1)
- domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
- ')
-+
-+########################################
-+##
-+## Execute ntp server in the ntpd domain.
-+##
-+##
-+##
-+## The type of the process performing this action.
-+##
-+##
-+#
-+interface(`ntp_script_domtrans',`
-+ gen_require(`
-+ type ntpd_script_exec_t;
-+ ')
-+
-+ init_script_domtrans_spec($1,ntpd_script_exec_t)
-+')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.2.5/policy/modules/services/ntp.te
---- nsaserefpolicy/policy/modules/services/ntp.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/ntp.te 2007-12-19 05:38:09.000000000 -0500
-@@ -25,6 +25,12 @@
- type ntpdate_exec_t;
- init_system_domain(ntpd_t,ntpdate_exec_t)
-
-+type ntpd_key_t;
-+files_type(ntpd_key_t)
-+
-+type ntpd_script_exec_t;
-+init_script_type(ntpd_script_exec_t)
-+
- ########################################
- #
- # Local policy
-@@ -36,6 +42,7 @@
- dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
- allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
- allow ntpd_t self:fifo_file { read write getattr };
-+allow ntpd_t self:shm create_shm_perms;
- allow ntpd_t self:unix_dgram_socket create_socket_perms;
- allow ntpd_t self:unix_stream_socket create_socket_perms;
- allow ntpd_t self:tcp_socket create_stream_socket_perms;
-@@ -49,6 +56,8 @@
- manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t)
- logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir })
-
-+read_files_pattern(ntpd_t,ntpd_key_t,ntpd_key_t)
-+
- # for some reason it creates a file in /tmp
- manage_dirs_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
- manage_files_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
-@@ -82,6 +91,8 @@
-
- fs_getattr_all_fs(ntpd_t)
- fs_search_auto_mountpoints(ntpd_t)
-+# Necessary to communicate with gpsd devices
-+fs_rw_tmpfs_files(ntpd_t)
-
- auth_use_nsswitch(ntpd_t)
-
-@@ -105,6 +116,10 @@
-
- miscfiles_read_localization(ntpd_t)
-
-+sysnet_dontaudit_dhcpc_use_fds(ntpd_t)
-+
-+term_use_ptmx(ntpd_t)
-+
- userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
- userdom_list_sysadm_home_dirs(ntpd_t)
- userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
-@@
-120,6 +135,10 @@
- ')
-
- optional_policy(`
-+ hal_dontaudit_write_log(ntpd_t)
-+')
-+
-+optional_policy(`
- logrotate_exec(ntpd_t)
- ')
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.2.5/policy/modules/services/oddjob.te
---- nsaserefpolicy/policy/modules/services/oddjob.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/oddjob.te 2008-01-04 12:24:30.000000000 -0500
-@@ -15,6 +15,7 @@
- type oddjob_mkhomedir_t;
- type oddjob_mkhomedir_exec_t;
- domain_type(oddjob_mkhomedir_t)
-+domain_obj_id_change_exemption(oddjob_mkhomedir_t)
- init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
- oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
-
-@@ -68,20 +69,38 @@
- # oddjob_mkhomedir local policy
- #
-
-+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
-+allow oddjob_mkhomedir_t self:process setfscreate;
- allow oddjob_mkhomedir_t self:fifo_file { read write };
- allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
-
- files_read_etc_files(oddjob_mkhomedir_t)
-
-+kernel_read_system_state(oddjob_mkhomedir_t)
-+
-+auth_use_nsswitch(oddjob_mkhomedir_t)
-+
- libs_use_ld_so(oddjob_mkhomedir_t)
- libs_use_shared_libs(oddjob_mkhomedir_t)
-
-+logging_send_syslog_msg(oddjob_mkhomedir_t)
-+
- miscfiles_read_localization(oddjob_mkhomedir_t)
-
-+selinux_get_fs_mount(oddjob_mkhomedir_t)
-+selinux_validate_context(oddjob_mkhomedir_t)
-+selinux_compute_access_vector(oddjob_mkhomedir_t)
-+selinux_compute_create_context(oddjob_mkhomedir_t)
-+selinux_compute_relabel_context(oddjob_mkhomedir_t)
-+selinux_compute_user_contexts(oddjob_mkhomedir_t)
-+
-+seutil_read_config(oddjob_mkhomedir_t)
-+seutil_read_file_contexts(oddjob_mkhomedir_t)
-+seutil_read_default_contexts(oddjob_mkhomedir_t)
-+
- # Add/remove user home directories
-+userdom_manage_unpriv_users_home_content_dirs(oddjob_mkhomedir_t)
-
userdom_home_filetrans_generic_user_home_dir(oddjob_mkhomedir_t)
--userdom_manage_generic_user_home_content_dirs(oddjob_mkhomedir_t)
--userdom_manage_generic_user_home_content_files(oddjob_mkhomedir_t)
--userdom_manage_generic_user_home_dirs(oddjob_mkhomedir_t)
--userdom_manage_staff_home_dirs(oddjob_mkhomedir_t)
-+userdom_manage_all_users_home_content_dirs(oddjob_mkhomedir_t)
-+userdom_manage_all_users_home_content_files(oddjob_mkhomedir_t)
- userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.2.5/policy/modules/services/openct.te
---- nsaserefpolicy/policy/modules/services/openct.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/openct.te 2007-12-19 05:38:09.000000000 -0500
-@@ -22,6 +22,7 @@
- allow openct_t self:process signal_perms;
-
- manage_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
-+manage_sock_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
- files_pid_filetrans(openct_t,openct_var_run_t,file)
-
- kernel_read_kernel_sysctls(openct_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.2.5/policy/modules/services/openvpn.fc
---- nsaserefpolicy/policy/modules/services/openvpn.fc 2007-06-11 16:05:22.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/openvpn.fc 2007-12-19 05:38:09.000000000 -0500
-@@ -11,5 +11,5 @@
- #
- # /var
- #
--/var/log/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_log_t,s0)
-+/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
- /var/run/openvpn(/.*)?
gen_context(system_u:object_r:openvpn_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.2.5/policy/modules/services/openvpn.te
---- nsaserefpolicy/policy/modules/services/openvpn.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/openvpn.te 2007-12-19 05:38:09.000000000 -0500
-@@ -8,7 +8,7 @@
-
- ##
- ##

--## Allow openvpn to read home directories
-+## Allow openvpn service access to users home directories
- ##

- ##
- gen_tunable(openvpn_enable_homedirs,false)
-@@ -35,7 +35,7 @@
- # openvpn local policy
- #
-
--allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config };
-+allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
- allow openvpn_t self:process { signal getsched };
-
- allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -110,3 +110,12 @@
-
- networkmanager_dbus_chat(openvpn_t)
- ')
-+
-+
-+# Need to interact with terminals if config option "auth-user-pass" is used
-+userdom_use_sysadm_terms(openvpn_t)
-+
-+optional_policy(`
-+ unconfined_use_terminals(openvpn_t)
-+')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.2.5/policy/modules/services/pcscd.te
---- nsaserefpolicy/policy/modules/services/pcscd.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/pcscd.te 2007-12-19 05:38:09.000000000 -0500
-@@ -45,6 +45,7 @@
- files_read_etc_files(pcscd_t)
- files_read_etc_runtime_files(pcscd_t)
-
-+term_use_unallocated_ttys(pcscd_t)
- term_dontaudit_getattr_pty_dirs(pcscd_t)
-
- libs_use_ld_so(pcscd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.2.5/policy/modules/services/pegasus.te
---- nsaserefpolicy/policy/modules/services/pegasus.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/pegasus.te 2007-12-19 05:38:09.000000000 -0500
-@@ -42,6 +42,7 @@
- allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
- allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
-
-+manage_dirs_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
- manage_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
- manage_lnk_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
- filetrans_pattern(pegasus_t,pegasus_conf_t,pegasus_data_t,{
file dir })
-@@ -95,13 +96,12 @@
-
- auth_use_nsswitch(pegasus_t)
- auth_domtrans_chk_passwd(pegasus_t)
-+auth_read_shadow(pegasus_t)
-
- domain_use_interactive_fds(pegasus_t)
- domain_read_all_domains_state(pegasus_t)
-
--files_read_etc_files(pegasus_t)
--files_list_var_lib(pegasus_t)
--files_read_var_lib_files(pegasus_t)
-+files_read_all_files(pegasus_t)
- files_read_var_lib_symlinks(pegasus_t)
-
- hostname_exec(pegasus_t)
-@@ -113,19 +113,16 @@
- libs_use_shared_libs(pegasus_t)
-
- logging_send_audit_msgs(pegasus_t)
-+logging_send_syslog_msg(pegasus_t)
-
- miscfiles_read_localization(pegasus_t)
-
--sysnet_read_config(pegasus_t)
-+sysnet_domtrans_ifconfig(pegasus_t)
-
- userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
- userdom_dontaudit_search_sysadm_home_dirs(pegasus_t)
-
- optional_policy(`
-- logging_send_syslog_msg(pegasus_t)
--')
--
--optional_policy(`
- rpm_exec(pegasus_t)
- ')
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.2.5/policy/modules/services/polkit.fc
---- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/polkit.fc 2007-12-19 09:37:14.000000000 -0500
-@@ -0,0 +1,6 @@
-+
-+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0)
-+
-+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
-+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0)
-+/var/lib/PolicyKit-public(/.*)?
gen_context(system_u:object_r:polkit_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.5/policy/modules/services/polkit.if
---- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/polkit.if 2007-12-19 05:38:09.000000000 -0500
-@@ -0,0 +1,60 @@
-+
-+## policy for polkit_auth
-+
-+########################################
-+##
-+## Execute a domain transition to run polkit_auth.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`polkit_domtrans_auth',`
-+ gen_require(`
-+ type polkit_auth_t;
-+ type polkit_auth_exec_t;
-+ ')
-+
-+ domtrans_pattern($1,polkit_auth_exec_t,polkit_auth_t)
-+')
-+
-+########################################
-+##
-+## Search polkit lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`polkit_search_lib',`
-+ gen_require(`
-+ type polkit_var_lib_t;
-+ ')
-+
-+ allow $1 polkit_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## read polkit lib files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`polkit_read_lib',`
-+ gen_require(`
-+ type polkit_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t)
-+')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.5/policy/modules/services/polkit.te
---- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/polkit.te 2007-12-19 15:17:09.000000000 -0500
-@@ -0,0 +1,63 @@
-+policy_module(polkit_auth,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type polkit_auth_t;
-+type polkit_auth_exec_t;
-+domain_type(polkit_auth_t)
-+init_daemon_domain(polkit_auth_t, polkit_auth_exec_t)
-+
-+type polkit_var_lib_t;
-+files_type(polkit_var_lib_t)
-+
-+type polkit_var_run_t;
-+files_pid_file(polkit_var_run_t)
-+
-+########################################
-+#
-+# polkit_auth local policy
-+#
-+
-+allow polkit_auth_t self:process getattr;
-+
-+allow polkit_auth_t self:unix_dgram_socket create_socket_perms;
-+allow polkit_auth_t self:fifo_file rw_file_perms;
-+allow polkit_auth_t self:unix_stream_socket create_stream_socket_perms;
-+
-+can_exec(polkit_auth_t, polkit_auth_exec_t)
-+corecmd_search_bin(polkit_auth_t)
-+
-+domain_use_interactive_fds(polkit_auth_t)
-+
-+files_read_etc_files(polkit_auth_t)
-+files_read_usr_files(polkit_auth_t)
-+
-+auth_use_nsswitch(polkit_auth_t)
-+
-+libs_use_ld_so(polkit_auth_t)
-+libs_use_shared_libs(polkit_auth_t)
-+
-+miscfiles_read_localization(polkit_auth_t)
-+
-+logging_send_syslog_msg(polkit_auth_t)
-+
-+manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t)
-+
-+# pid file
-+manage_dirs_pattern(polkit_auth_t,polkit_var_run_t,polkit_var_run_t)
-+manage_files_pattern(polkit_auth_t,polkit_var_run_t,polkit_var_run_t)
-+files_pid_filetrans(polkit_auth_t,polkit_var_run_t, { file dir })
-+
-+optional_policy(`
-+
dbus_system_bus_client_template(polkit_auth, polkit_auth_t)
-+ consolekit_dbus_chat(polkit_auth_t)
-+')
-+
-+optional_policy(`
-+ hal_getattr(polkit_auth_t)
-+ hal_read_state(polkit_auth_t)
-+')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.2.5/policy/modules/services/postfix.fc
---- nsaserefpolicy/policy/modules/services/postfix.fc 2007-09-12 10:34:18.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/postfix.fc 2007-12-19 05:38:09.000000000 -0500
-@@ -29,12 +29,10 @@
- /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
- /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
- /usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
--/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
- ')
- /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
- /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
- /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
--/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
- /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
- /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
- /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.5/policy/modules/services/postfix.if
---- nsaserefpolicy/policy/modules/services/postfix.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/postfix.if 2007-12-19 05:38:09.000000000 -0500
-@@ -416,7 +416,7 @@
- ##
- ##
- #
--interface(`postfix_create_pivate_sockets',`
-+interface(`postfix_create_private_sockets',`
- gen_require(`
- type postfix_private_t;
- ')
-@@ -427,6 +427,26 @@
-
- ########################################
- ##
-+## manage named socket in a postfix private directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`postfix_manage_private_sockets',`
-+ gen_require(`
-+ type postfix_private_t;
-+ ')
-+
-+ allow $1 postfix_private_t:dir list_dir_perms;
-+ manage_sock_files_pattern($1,postfix_private_t,postfix_private_t)
-+')
-+
-+
-+########################################
-+##
- ## Execute the master postfix program in the
- ## postfix_master domain.
- ##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.5/policy/modules/services/postfix.te
---- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/postfix.te 2007-12-31 14:18:01.000000000 -0500
-@@ -6,6 +6,14 @@
- # Declarations
- #
-
-+##
-+##

-+## Allow postfix_local domain full write access to mail_spool directories
-+##
-+##

-+##
-+gen_tunable(allow_postfix_local_write_mail_spool,false)
-+
- attribute postfix_user_domains;
- # domains that transition to the
- # postfix user domains
-@@ -27,6 +35,10 @@
- postfix_server_domain_template(local)
- mta_mailserver_delivery(postfix_local_t)
-
-+tunable_policy(`allow_postfix_local_write_mail_spool', `
-+ mta_rw_spool(postfix_local_t)
-+')
-+
- type postfix_local_tmp_t;
- files_tmp_file(postfix_local_tmp_t)
-
-@@ -34,6 +46,7 @@
- type postfix_map_t;
- type postfix_map_exec_t;
- application_domain(postfix_map_t,postfix_map_exec_t)
-+role system_r types postfix_map_t;
-
- type postfix_map_tmp_t;
- files_tmp_file(postfix_map_tmp_t)
-@@ -99,6 +112,7 @@
- allow postfix_master_t self:fifo_file rw_fifo_file_perms;
- allow postfix_master_t self:tcp_socket create_stream_socket_perms;
- allow postfix_master_t self:udp_socket create_socket_perms;
-+allow postfix_master_t self:process setrlimit;
-
- allow postfix_master_t postfix_etc_t:file rw_file_perms;
-
-@@ -174,6 +188,7 @@
-
- mta_rw_aliases(postfix_master_t)
- mta_read_sendmail_bin(postfix_master_t)
-+mta_getattr_spool(postfix_master_t)
-
- optional_policy(`
- cyrus_stream_connect(postfix_master_t)
-@@ -248,6 +263,10 @@
-
- corecmd_exec_bin(postfix_cleanup_t)
-
-+optional_policy(`
-+ mailman_read_data_files(postfix_cleanup_t)
-+')
-+
- ########################################
- #
- # Postfix local local policy
-@@ -273,6 +292,8 @@
-
- files_read_etc_files(postfix_local_t)
-
-+logging_dontaudit_search_logs(postfix_local_t)
-+
- mta_read_aliases(postfix_local_t)
- mta_delete_spool(postfix_local_t)
- # For reading spamassasin
-@@ -285,6 +306,8 @@
- optional_policy(`
- # for postalias
- mailman_manage_data_files(postfix_local_t)
-+ mailman_append_log(postfix_local_t)
-+ mailman_read_log(postfix_local_t)
- ')
-
- optional_policy(`
-@@ -295,8 +318,7 @@
- #
- # Postfix map local policy
- #
--
--allow postfix_map_t self:capability setgid;
-+allow postfix_map_t self:capability { dac_override setgid setuid };
-
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; - allow postfix_map_t self:unix_dgram_socket create_socket_perms; - allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -346,8 +368,6 @@ - - miscfiles_read_localization(postfix_map_t) - --seutil_read_config(postfix_map_t) -- - tunable_policy(`read_default_t',` - files_list_default(postfix_map_t) - files_read_default_files(postfix_map_t) -@@ -360,6 +380,11 @@ - locallogin_dontaudit_use_fds(postfix_map_t) - ') - -+optional_policy(` -+# for postalias -+ mailman_manage_data_files(postfix_map_t) -+') -+ - ######################################## - # - # Postfix pickup local policy -@@ -392,6 +417,10 @@ - rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) - - optional_policy(` -+ dovecot_domtrans_deliver(postfix_pipe_t) -+') -+ -+optional_policy(` - procmail_domtrans(postfix_pipe_t) - ') - -@@ -400,6 +429,10 @@ - ') - - optional_policy(` -+ mta_manage_spool(postfix_pipe_t) -+') -+ -+optional_policy(` - uucp_domtrans_uux(postfix_pipe_t) - ') - -@@ -532,9 +565,6 @@ - # connect to master process - stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) - --# Connect to policy server --corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) -- - # for prng_exch - allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; - allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; -@@ -557,6 +587,10 @@ - sasl_connect(postfix_smtpd_t) - ') - -+optional_policy(` -+ dovecot_auth_stream_connect(postfix_smtpd_t) -+') -+ - ######################################## - # - # Postfix virtual local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.2.5/policy/modules/services/postgresql.fc ---- nsaserefpolicy/policy/modules/services/postgresql.fc 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/postgresql.fc 
2007-12-19 05:38:09.000000000 -0500 -@@ -38,3 +38,5 @@ - ') - - /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) -+ -+/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.2.5/policy/modules/services/postgresql.if ---- nsaserefpolicy/policy/modules/services/postgresql.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/postgresql.if 2007-12-19 05:38:09.000000000 -0500 -@@ -120,3 +120,77 @@ - # Some versions of postgresql put the sock file in /tmp - allow $1 postgresql_tmp_t:sock_file write; - ') -+ -+######################################## -+## -+## Execute postgresql server in the posgresql domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`postgresql_script_domtrans',` -+ gen_require(` -+ type postgresql_script_exec_t; -+ ') -+ -+ init_script_domtrans_spec($1,postgresql_script_exec_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate an postgresql environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the postgresql domain. -+## -+## -+## -+## -+## The type of the terminal allow the postgresql domain to use. 
-+##
-+##
-+##
-+#
-+interface(`postgresql_admin',`
-+ gen_require(`
-+ type postgresql_t;
-+ type postgresql_var_run_t;
-+ type postgresql_tmp_t;
-+ type postgresql_db_t;
-+ type postgresql_etc_t;
-+ type postgresql_log_t;
-+ ')
-+
-+ allow $1 postgresql_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, postgresql_t, postgresql_t)
-+
-+ # Allow $1 to restart the apache service
-+ postgresql_script_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 postgresql_script_exec_t system_r;
-+ allow $2 system_r;
-+
-+ manage_dirs_pattern($1,postgresql_var_run_t,postgresql_var_run_t)
-+ manage_files_pattern($1,postgresql_var_run_t,postgresql_var_run_t)
-+
-+ manage_dirs_pattern($1,postgresql_db_t,postgresql_db_t)
-+ manage_files_pattern($1,postgresql_db_t,postgresql_db_t)
-+
-+ manage_dirs_pattern($1,postgresql_etc_t,postgresql_etc_t)
-+ manage_files_pattern($1,postgresql_etc_t,postgresql_etc_t)
-+
-+ manage_dirs_pattern($1,postgresql_log_t,postgresql_log_t)
-+ manage_files_pattern($1,postgresql_log_t,postgresql_log_t)
-+
-+ manage_dirs_pattern($1,postgresql_tmp_t,postgresql_tmp_t)
-+ manage_files_pattern($1,postgresql_tmp_t,postgresql_tmp_t)
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.2.5/policy/modules/services/postgresql.te
---- nsaserefpolicy/policy/modules/services/postgresql.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/postgresql.te 2007-12-19 05:38:09.000000000 -0500
-@@ -27,6 +27,9 @@
- type postgresql_var_run_t;
- files_pid_file(postgresql_var_run_t)
-
-+type postgresql_script_exec_t;
-+init_script_type(postgresql_script_exec_t)
-+
- ########################################
- #
- # postgresql Local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.2.5/policy/modules/services/ppp.fc
---- nsaserefpolicy/policy/modules/services/ppp.fc 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/ppp.fc 2007-12-19 05:38:09.000000000 -0500
-@@ -25,7 +25,7 @@
- #
- # /var
- #
--/var/run/(i)?ppp.*pid -- gen_context(system_u:object_r:pppd_var_run_t,s0)
-+/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)
- /var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
- /var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
- # Fix pptp sockets
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.2.5/policy/modules/services/ppp.te
---- nsaserefpolicy/policy/modules/services/ppp.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/ppp.te 2007-12-31 17:30:15.000000000 -0500
-@@ -162,6 +162,8 @@
- init_read_utmp(pppd_t)
- init_dontaudit_write_utmp(pppd_t)
-
-+auth_use_nsswitch(pppd_t)
-+
- libs_use_ld_so(pppd_t)
- libs_use_shared_libs(pppd_t)
-
-@@ -194,14 +196,12 @@
-
- optional_policy(`
- mta_send_mail(pppd_t)
-+ mta_mailcontent(pppd_etc_t)
-+ mta_mailcontent(pppd_etc_rw_t)
- ')
-
- optional_policy(`
-- nis_use_ypbind(pppd_t)
--')
--
--optional_policy(`
-- nscd_socket_use(pppd_t)
-+ networkmanager_signal(pppd_t)
- ')
-
- optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.2.5/policy/modules/services/procmail.if
---- nsaserefpolicy/policy/modules/services/procmail.if 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/procmail.if 2007-12-31 15:18:55.000000000 -0500
-@@ -39,3 +39,22 @@
- corecmd_search_bin($1)
- can_exec($1,procmail_exec_t)
- ')
-+
-+########################################
-+##
-+## Read procmail tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`procmail_read_tmp_files',`
-+ gen_require(`
-+ type procmail_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ allow $1 procmail_tmp_t:file read_file_perms;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te
---- nsaserefpolicy/policy/modules/services/procmail.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2008-01-03 10:56:43.000000000 -0500
-@@ -129,7 +129,9 @@
- corenet_udp_bind_generic_port(procmail_t)
- corenet_dontaudit_udp_bind_all_ports(procmail_t)
-
-- spamassassin_exec(procmail_t)
-- spamassassin_exec_client(procmail_t)
-- spamassassin_read_lib_files(procmail_t)
-+ spamassassin_domtrans(procmail_t)
-+')
-+
-+optional_policy(`
-+ mailscanner_read_spool(procmail_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.2.5/policy/modules/services/pyzor.fc
---- nsaserefpolicy/policy/modules/services/pyzor.fc 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/pyzor.fc 2007-12-19 05:38:09.000000000 -0500
-@@ -1,6 +1,6 @@
- /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
-
--HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
-+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:user_pyzor_home_t,s0)
-
- /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
- /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.2.5/policy/modules/services/pyzor.if
---- nsaserefpolicy/policy/modules/services/pyzor.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/pyzor.if 2007-12-19 05:38:09.000000000 -0500
-@@ -25,16 +25,18 @@
- #
- template(`pyzor_per_role_template',`
- gen_require(`
-- type pyzord_t;
-+ type pyzor_t;
-+ type user_pyzor_home_t;
- ')
-
-- type $1_pyzor_home_t;
-- userdom_user_home_content($1, $1_pyzor_home_t)
-+ ifelse(`$1',`user',`',`
-+ typealias user_pyzor_home_t alias $1_pyzor_home_t;
-+ ')
-
-- manage_dirs_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
-- manage_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
-- manage_lnk_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
-- userdom_user_home_dir_filetrans($1, pyzord_t, $1_pyzor_home_t, { dir file lnk_file })
-+ manage_dirs_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t)
-+ manage_files_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t)
-+ manage_lnk_files_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t)
-+ userdom_user_home_dir_filetrans($1,pyzor_t,user_pyzor_home_t,{ dir file lnk_file })
- ')
-
- ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.5/policy/modules/services/pyzor.te
---- nsaserefpolicy/policy/modules/services/pyzor.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/pyzor.te 2007-12-31 15:19:10.000000000 -0500
-@@ -28,6 +28,9 @@
- type pyzor_var_lib_t;
- files_type(pyzor_var_lib_t)
-
-+type user_pyzor_home_t;
-+userdom_user_home_content(user,user_pyzor_home_t)
-+
- ########################################
- #
- # Pyzor local policy
-@@ -68,6 +71,8 @@
-
- miscfiles_read_localization(pyzor_t)
-
-+mta_read_queue(pyzor_t)
-+
- userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
-
- optional_policy(`
-@@ -76,8 +81,13 @@
- ')
-
- optional_policy(`
-+ procmail_read_tmp_files(pyzor_t)
-+')
-+
-+optional_policy(`
- spamassassin_signal_spamd(pyzor_t)
- spamassassin_read_spamd_tmp_files(pyzor_t)
-+ userdom_read_user_home_content_files(unconfined,pyzor_t)
- ')
-
- ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.2.5/policy/modules/services/qmail.te
---- nsaserefpolicy/policy/modules/services/qmail.te 2007-10-02 09:54:52.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/qmail.te 2008-01-07 16:36:33.000000000 -0500
-@@ -85,6 +85,8 @@
- libs_use_ld_so(qmail_inject_t)
- libs_use_shared_libs(qmail_inject_t)
-
-+miscfiles_read_localization(qmail_inject_t)
-+
- qmail_read_config(qmail_inject_t)
-
- ########################################
-@@ -106,15 +108,25 @@
-
- kernel_read_system_state(qmail_local_t)
-
-+corecmd_exec_bin(qmail_local_t)
- corecmd_exec_shell(qmail_local_t)
-+can_exec(qmail_local_t, qmail_local_exec_t)
-
- files_read_etc_files(qmail_local_t)
- files_read_etc_runtime_files(qmail_local_t)
-
-+auth_use_nsswitch(qmail_local_t)
-+
-+logging_send_syslog(qmail_local_t)
-+
- mta_append_spool(qmail_local_t)
-
- qmail_domtrans_queue(qmail_local_t)
-
-+optional_policy(`
-+ spamassassin_domtrans_spamc(qmail_local_t)
-+')
-+
- ########################################
- #
- # qmail-lspawn local policy
-@@ -155,6 +167,10 @@
- manage_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
- rw_fifo_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
-
-+corecmd_exec_bin(qmail_queue_t)
-+
-+logging_send_syslog(qmail_queue_t)
-+
- optional_policy(`
- daemontools_ipc_domain(qmail_queue_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.5/policy/modules/services/razor.fc
---- nsaserefpolicy/policy/modules/services/razor.fc 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/razor.fc 2007-12-19 05:38:09.000000000 -0500
-@@ -1,4 +1,4 @@
--HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:ROLE_razor_home_t,s0)
-+HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:user_razor_home_t,s0)
-
- /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.2.5/policy/modules/services/razor.if
---- nsaserefpolicy/policy/modules/services/razor.if 2007-07-16 14:09:46.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/razor.if 2007-12-19 05:38:09.000000000 -0500
-@@ -137,6 +137,7 @@
- template(`razor_per_role_template',`
- gen_require(`
- type razor_exec_t;
-+ type user_razor_home_t, user_razor_tmp_t;
- ')
-
- type $1_razor_t;
-@@ -145,12 +146,10 @@
- razor_common_domain_template($1_razor)
- role $3 types $1_razor_t;
-
-- type $1_razor_home_t alias $1_razor_rw_t;
-- files_poly_member($1_razor_home_t)
-- userdom_user_home_content($1,$1_razor_home_t)
--
-- type $1_razor_tmp_t;
-- files_tmp_file($1_razor_tmp_t)
-+ ifelse(`$1',`user',`',`
-+ typealias user_razor_home_t alias $1_razor_home_t;
-+ typealias user_razor_tmp_t alias $1_razor_tmp_t;
-+ ')
-
- ##############################
- #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.2.5/policy/modules/services/razor.te
---- nsaserefpolicy/policy/modules/services/razor.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/razor.te 2007-12-19 05:38:09.000000000 -0500
-@@ -23,6 +23,12 @@
-
- razor_common_domain_template(razor)
-
-+type user_razor_home_t;
-+userdom_user_home_content(user,user_razor_home_t)
-+
-+type user_razor_tmp_t;
-+files_tmp_file(user_razor_tmp_t)
-+
- ########################################
- #
- # Local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.2.5/policy/modules/services/remotelogin.if
---- nsaserefpolicy/policy/modules/services/remotelogin.if 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/remotelogin.if 2007-12-19 05:38:09.000000000 -0500
-@@ -18,3 +18,20 @@
- auth_domtrans_login_program($1,remote_login_t)
- ')
-
-+########################################
-+##
-+## allow Domain to signal remote login domain.
-+##
-+##
-+##
-+## The type of the process performing this action.
-+##
-+##
-+#
-+interface(`remotelogin_signal',`
-+ gen_require(`
-+ type remote_login_t;
-+ ')
-+
-+ allow $1 remote_login_t:process signal;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.2.5/policy/modules/services/remotelogin.te
---- nsaserefpolicy/policy/modules/services/remotelogin.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/remotelogin.te 2007-12-19 05:38:09.000000000 -0500
-@@ -85,6 +85,7 @@
-
- miscfiles_read_localization(remote_login_t)
-
-+userdom_read_all_users_home_dirs_symlinks(remote_login_t)
- userdom_use_unpriv_users_fds(remote_login_t)
- userdom_search_all_users_home_content(remote_login_t)
- # Only permit unprivileged user domains to be entered via rlogin,
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.2.5/policy/modules/services/rlogin.te
---- nsaserefpolicy/policy/modules/services/rlogin.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/rlogin.te 2007-12-19 05:38:09.000000000 -0500
-@@ -36,6 +36,8 @@
- allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
- term_create_pty(rlogind_t,rlogind_devpts_t)
-
-+domain_interactive_fd(rlogind_t)
-+
- # for /usr/lib/telnetlogin
- can_exec(rlogind_t, rlogind_exec_t)
-
-@@ -82,23 +84,21 @@
-
- miscfiles_read_localization(rlogind_t)
-
--seutil_dontaudit_search_config(rlogind_t)
-+seutil_read_config(rlogind_t)
-
- userdom_setattr_unpriv_users_ptys(rlogind_t)
- # cjp: this is egregious
- userdom_read_all_users_home_content_files(rlogind_t)
-
- remotelogin_domtrans(rlogind_t)
-+remotelogin_signal(rlogind_t)
-
- optional_policy(`
-+ kerberos_use(rlogind_t)
- kerberos_read_keytab(rlogind_t)
-+ kerberos_manage_host_rcache(rlogind_t)
- ')
-
- optional_policy(`
- tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
- ')
--
--ifdef(`TODO',`
--# Allow krb5 rlogind to use fork and open /dev/tty for use
--allow rlogind_t userpty_type:chr_file setattr;
--')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.2.5/policy/modules/services/rpcbind.te
---- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/rpcbind.te 2007-12-19 05:38:09.000000000 -0500
-@@ -21,11 +21,13 @@
- # rpcbind local policy
- #
-
--allow rpcbind_t self:capability setuid;
-+allow rpcbind_t self:capability { dac_override setuid sys_tty_config };
- allow rpcbind_t self:fifo_file rw_file_perms;
- allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
- allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
- allow rpcbind_t self:udp_socket create_socket_perms;
-+# BROKEN ...
-+dontaudit rpcbind_t self:udp_socket listen;
- allow rpcbind_t self:tcp_socket create_stream_socket_perms;
-
- manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
-@@ -37,6 +39,7 @@
- manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
- files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
-
-+kernel_read_system_state(rpcbind_t)
- kernel_read_network_state(rpcbind_t)
-
- corenet_all_recvfrom_unlabeled(rpcbind_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.2.5/policy/modules/services/rpc.if
---- nsaserefpolicy/policy/modules/services/rpc.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/rpc.if 2007-12-19 05:38:09.000000000 -0500
-@@ -88,8 +88,11 @@
- # bind to arbitary unused ports
- corenet_tcp_bind_generic_port($1_t)
- corenet_udp_bind_generic_port($1_t)
-- corenet_udp_bind_reserved_port($1_t)
-+ corenet_dontaudit_tcp_bind_all_ports($1_t)
-+ corenet_dontaudit_udp_bind_all_ports($1_t)
- corenet_sendrecv_generic_server_packets($1_t)
-+ corenet_tcp_bind_all_rpc_ports($1_t)
-+ corenet_udp_bind_all_rpc_ports($1_t)
-
- fs_rw_rpc_named_pipes($1_t)
- fs_search_auto_mountpoints($1_t)
-@@ -208,6 +211,24 @@
-
- ########################################
- ##
-+## Execute domain in nfsd domain.
-+##
-+##
-+##
-+## The type of the process performing this action.
-+##
-+##
-+#
-+interface(`rpc_domtrans_rpcd',`
-+ gen_require(`
-+ type rpcd_t, rpcd_exec_t;
-+ ')
-+
-+ domtrans_pattern($1,rpcd_exec_t,rpcd_t)
-+')
-+
-+########################################
-+##
- ## Read NFS exported content.
- ##
- ##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.2.5/policy/modules/services/rpc.te
---- nsaserefpolicy/policy/modules/services/rpc.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/rpc.te 2007-12-19 05:38:09.000000000 -0500
-@@ -60,10 +60,14 @@
- manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
- files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
-
-+corecmd_exec_bin(rpcd_t)
-+
- kernel_read_system_state(rpcd_t)
--kernel_search_network_state(rpcd_t)
-+kernel_read_network_state(rpcd_t)
- # for rpc.rquotad
- kernel_read_sysctl(rpcd_t)
-+kernel_rw_fs_sysctls(rpcd_t)
-+kernel_getattr_core_if(nfsd_t)
-
- fs_list_rpc(rpcd_t)
- fs_read_rpc_files(rpcd_t)
-@@ -77,11 +81,17 @@
- miscfiles_read_certs(rpcd_t)
-
- seutil_dontaudit_search_config(rpcd_t)
-+selinux_dontaudit_read_fs(rpcd_t)
-
- optional_policy(`
- nis_read_ypserv_config(rpcd_t)
- ')
-
-+# automount -> mount -> rpcd
-+optional_policy(`
-+ automount_dontaudit_use_fds(rpcd_t)
-+')
-+
- ########################################
- #
- # NFSD local policy
-@@ -92,9 +102,13 @@
- allow nfsd_t exports_t:file { getattr read };
- allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
-
-+dev_dontaudit_getattr_all_blk_files(nfsd_t)
-+dev_dontaudit_getattr_all_chr_files(nfsd_t)
-+
- # for /proc/fs/nfs/exports - should we have a new type?
- kernel_read_system_state(nfsd_t)
- kernel_read_network_state(nfsd_t)
-+kernel_dontaudit_getattr_core_if(nfsd_t)
-
- corenet_tcp_bind_all_rpc_ports(nfsd_t)
- corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -124,6 +138,7 @@
- tunable_policy(`nfs_export_all_rw',`
- fs_read_noxattr_fs_files(nfsd_t)
- auth_manage_all_files_except_shadow(nfsd_t)
-+ userdom_generic_user_home_dir_filetrans_generic_user_home_content(nfsd_t, { file dir })
- ')
-
- tunable_policy(`nfs_export_all_ro',`
-@@ -144,6 +159,7 @@
- manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
- files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
-
-+kernel_read_system_state(gssd_t)
- kernel_read_network_state(gssd_t)
- kernel_read_network_state_symlinks(gssd_t)
- kernel_search_network_sysctl(gssd_t)
-@@ -157,8 +173,13 @@
- files_list_tmp(gssd_t)
- files_read_usr_symlinks(gssd_t)
-
-+auth_read_cache(gssd_t)
-+
- miscfiles_read_certs(gssd_t)
-
-+userdom_dontaudit_search_users_home_dirs(rpcd_t)
-+userdom_dontaudit_search_sysadm_home_dirs(rpcd_t)
-+
- tunable_policy(`allow_gssd_read_tmp',`
- userdom_list_unpriv_users_tmp(gssd_t)
- userdom_read_unpriv_users_tmp_files(gssd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.2.5/policy/modules/services/rshd.te
---- nsaserefpolicy/policy/modules/services/rshd.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/rshd.te 2007-12-19 05:38:09.000000000 -0500
-@@ -16,7 +16,7 @@
- #
- # Local policy
- #
--allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override };
-+allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
- allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
- allow rshd_t self:fifo_file rw_fifo_file_perms;
- allow rshd_t self:tcp_socket create_stream_socket_perms;
-@@ -33,6 +33,9 @@
- corenet_udp_sendrecv_all_ports(rshd_t)
- corenet_tcp_bind_all_nodes(rshd_t)
- corenet_tcp_bind_rsh_port(rshd_t)
-+corenet_tcp_bind_all_rpc_ports(rshd_t)
-+corenet_tcp_connect_all_ports(rshd_t)
-+corenet_tcp_connect_all_rpc_ports(rshd_t)
- corenet_sendrecv_rsh_server_packets(rshd_t)
-
- dev_read_urand(rshd_t)
-@@ -44,20 +47,22 @@
- selinux_compute_relabel_context(rshd_t)
- selinux_compute_user_contexts(rshd_t)
-
--auth_domtrans_chk_passwd(rshd_t)
-+auth_login_pgm_domain(rshd_t)
-+auth_write_login_records(rshd_t)
-
- corecmd_read_bin_symlinks(rshd_t)
-
- files_list_home(rshd_t)
- files_read_etc_files(rshd_t)
--files_search_tmp(rshd_t)
-+files_manage_generic_tmp_dirs(rshd_t)
-
--auth_use_nsswitch(rshd_t)
-+init_rw_utmp(rshd_t)
-
- libs_use_ld_so(rshd_t)
- libs_use_shared_libs(rshd_t)
-
- logging_send_syslog_msg(rshd_t)
-+logging_search_logs(rshd_t)
-
- miscfiles_read_localization(rshd_t)
-
-@@ -78,6 +83,8 @@
-
- optional_policy(`
- kerberos_use(rshd_t)
-+ kerberos_read_keytab(rshd_t)
-+ kerberos_manage_host_rcache(rshd_t)
- ')
-
- optional_policy(`
-@@ -86,4 +93,5 @@
-
- optional_policy(`
- unconfined_shell_domtrans(rshd_t)
-+ unconfined_signal(rshd_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.2.5/policy/modules/services/rsync.fc
---- nsaserefpolicy/policy/modules/services/rsync.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/rsync.fc 2007-12-19 05:38:09.000000000 -0500
-@@ -1,2 +1,4 @@
-
- /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
-+
-+/var/log/rsync.log -- gen_context(system_u:object_r:rsync_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.2.5/policy/modules/services/rsync.te
---- nsaserefpolicy/policy/modules/services/rsync.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/rsync.te 2007-12-19 05:38:09.000000000 -0500
-@@ -31,6 +31,9 @@
- type rsync_data_t;
- files_type(rsync_data_t)
-
-+type rsync_log_t;
-+logging_log_file(rsync_log_t)
-+
- type rsync_tmp_t;
- files_tmp_file(rsync_tmp_t)
-
-@@ -42,7 +45,7 @@
- # Local policy
- #
-
--allow rsync_t self:capability sys_chroot;
-+allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };
- allow rsync_t self:process signal_perms;
- allow rsync_t self:fifo_file rw_fifo_file_perms;
- allow rsync_t self:tcp_socket create_stream_socket_perms;
-@@ -52,7 +55,6 @@
- # cjp: this should probably only be inetd_child_t rules?
- # search home and kerberos also.
- allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
--allow rsync_t self:capability { setuid setgid };
- #end for identd
-
- allow rsync_t rsync_data_t:dir list_dir_perms;
-@@ -95,7 +97,8 @@
- libs_use_shared_libs(rsync_t)
-
- logging_send_syslog_msg(rsync_t)
--logging_dontaudit_search_logs(rsync_t)
-+manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)
-+logging_log_filetrans(rsync_t,rsync_log_t,file)
-
- miscfiles_read_localization(rsync_t)
- miscfiles_read_public_files(rsync_t)
-@@ -117,7 +120,6 @@
- ')
-
- tunable_policy(`rsync_export_all_ro',`
-- allow rsync_t self:capability dac_override;
- fs_read_noxattr_fs_files(rsync_t)
- auth_read_all_files_except_shadow(rsync_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.2.5/policy/modules/services/samba.fc
---- nsaserefpolicy/policy/modules/services/samba.fc 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/samba.fc 2007-12-19 05:38:09.000000000 -0500
-@@ -15,6 +15,7 @@
- /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
- /usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
- /usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
-+/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
- /usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
-
- /usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
-@@ -30,6 +31,8 @@
- /var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
- /var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
-
-+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
-+
- /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
-
- /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.2.5/policy/modules/services/samba.if
---- nsaserefpolicy/policy/modules/services/samba.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/samba.if 2007-12-19 05:38:09.000000000 -0500
-@@ -331,6 +331,25 @@
-
- ########################################
- ##
-+## dontaudit the specified domain to
-+## write samba /var files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`samba_dontaudit_write_var_files',`
-+ gen_require(`
-+ type samba_var_t;
-+ ')
-+
-+ dontaudit $1 samba_var_t:file write;
-+')
-+
-+########################################
-+##
- ## Allow the specified domain to
- ## read and write samba /var files.
- ##
-@@ -348,6 +367,7 @@
- files_search_var($1)
- files_search_var_lib($1)
- manage_files_pattern($1,samba_var_t,samba_var_t)
-+ manage_lnk_files_pattern($1,samba_var_t,samba_var_t)
- ')
-
- ########################################
-@@ -492,3 +512,102 @@
- allow $1 samba_var_t:dir search_dir_perms;
- stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
- ')
-+
-+########################################
-+##
-+## Create a set of derived types for apache
-+## web content.
-+##
-+##
-+##
-+## The prefix to be used for deriving type names.
-+##
-+##
-+#
-+template(`samba_helper_template',`
-+ gen_require(`
-+ type smbd_t;
-+ ')
-+ #This type is for samba helper scripts
-+ type samba_$1_script_t;
-+ domain_type(samba_$1_script_t)
-+ role system_r types samba_$1_script_t;
-+
-+ # This type is used for executable scripts files
-+ type samba_$1_script_exec_t;
-+ corecmd_shell_entry_type(samba_$1_script_t)
-+ domain_entry_file(samba_$1_script_t,samba_$1_script_exec_t)
-+
-+ domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
-+ allow smbd_t samba_$1_script_exec_t:file ioctl;
-+
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to read samba's shares
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`samba_read_share_files',`
-+ gen_require(`
-+ type samba_share_t;
-+ ')
-+
-+ read_files_pattern($1, samba_share_t, samba_share_t)
-+')
-+
-+########################################
-+##
-+## Execute a domain transition to run smbcontrol.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`samba_domtrans_smbcontrol',`
-+ gen_require(`
-+ type smbcontrol_t;
-+ type smbcontrol_exec_t;
-+ ')
-+
-+ domtrans_pattern($1,smbcontrol_exec_t,smbcontrol_t)
-+')
-+
-+
-+########################################
-+##
-+## Execute smbcontrol in the smbcontrol domain, and
-+## allow the specified role the smbcontrol domain.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The role to be allowed the smbcontrol domain.
-+##
-+##
-+##
-+##
-+## The type of the role's terminal.
-+##
-+##
-+#
-+interface(`samba_run_smbcontrol',`
-+ gen_require(`
-+ type smbcontrol_t;
-+ ')
-+
-+ samba_domtrans_smbcontrol($1)
-+ role $2 types smbcontrol_t;
-+ dontaudit smbcontrol_t $3:chr_file rw_term_perms;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.5/policy/modules/services/samba.te
---- nsaserefpolicy/policy/modules/services/samba.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/samba.te 2007-12-19 05:38:09.000000000 -0500
-@@ -26,28 +26,28 @@
-
- ##
- ##

--## Allow samba to share users home directories.
-+## Allow Samba to share users home directories
- ##

- ##
- gen_tunable(samba_enable_home_dirs,false)
-
- ##
- ##

--## Allow samba to share any file/directory read only.
-+## Allow Samba to share any file/directory read only
- ##

- ##
- gen_tunable(samba_export_all_ro,false)
-
- ##
- ##

--## Allow samba to share any file/directory read/write.
-+## Allow Samba to share any file/directory read/write
- ##

- ##
- gen_tunable(samba_export_all_rw,false)
-
- ##
- ##

--## Allow samba to run unconfined scripts
-+## Allow Samba to run unconfined scripts in /var/lib/samba/scripts directory
- ##

- ##
- gen_tunable(samba_run_unconfined,false)
-@@ -139,6 +139,11 @@
- type winbind_var_run_t;
- files_pid_file(winbind_var_run_t)
-
-+type smbcontrol_t;
-+type smbcontrol_exec_t;
-+application_domain(smbcontrol_t, smbcontrol_exec_t)
-+role system_r types smbcontrol_t;
-+
- ########################################
- #
- # Samba net local policy
-@@ -193,6 +198,8 @@
-
- miscfiles_read_localization(samba_net_t)
-
-+samba_read_var_files(samba_net_t)
-+
- userdom_dontaudit_search_sysadm_home_dirs(samba_net_t)
-
- optional_policy(`
-@@ -213,7 +220,7 @@
- allow smbd_t self:msgq create_msgq_perms;
- allow smbd_t self:sem create_sem_perms;
- allow smbd_t self:shm create_shm_perms;
--allow smbd_t self:sock_file read_file_perms;
-+allow smbd_t self:sock_file read_sock_file_perms;
- allow smbd_t self:tcp_socket create_stream_socket_perms;
- allow smbd_t self:udp_socket create_socket_perms;
- allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -221,10 +228,8 @@
-
- allow smbd_t samba_etc_t:file { rw_file_perms setattr };
-
--create_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
--create_files_pattern(smbd_t,samba_log_t,samba_log_t)
--allow smbd_t samba_log_t:dir setattr;
--dontaudit smbd_t samba_log_t:dir remove_name;
-+manage_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
-+manage_files_pattern(smbd_t,samba_log_t,samba_log_t)
-
- allow smbd_t samba_net_tmp_t:file getattr;
-
-@@ -251,7 +256,7 @@
- manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
- files_pid_filetrans(smbd_t,smbd_var_run_t,file)
-
--allow smbd_t winbind_var_run_t:sock_file { read write getattr };
-+allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
-
- kernel_getattr_core_if(smbd_t)
- kernel_getattr_message_if(smbd_t)
-@@ -340,6 +345,17 @@
- tunable_policy(`samba_share_nfs',`
- fs_manage_nfs_dirs(smbd_t)
- fs_manage_nfs_files(smbd_t)
-+ fs_manage_nfs_symlinks(smbd_t)
-+ fs_manage_nfs_named_pipes(smbd_t)
-+ fs_manage_nfs_named_sockets(smbd_t)
-+')
-+
-+optional_policy(`
-+ kerberos_read_keytab(smbd_t)
-+')
-+
-+optional_policy(`
-+ lpd_exec_lpr(smbd_t)
- ')
-
- optional_policy(`
-@@ -391,7 +407,7 @@
- allow nmbd_t self:msgq create_msgq_perms;
- allow nmbd_t self:sem create_sem_perms;
- allow nmbd_t self:shm create_shm_perms;
--allow nmbd_t self:sock_file read_file_perms;
-+allow nmbd_t self:sock_file read_sock_file_perms;
- allow nmbd_t self:tcp_socket create_stream_socket_perms;
- allow nmbd_t self:udp_socket create_socket_perms;
- allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -403,8 +419,7 @@
- read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
-
- manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
--append_files_pattern(nmbd_t,samba_log_t,samba_log_t)
--allow nmbd_t samba_log_t:file unlink;
-+manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-
- read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
- create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-@@ -439,6 +454,7 @@
- dev_getattr_mtrr_dev(nmbd_t)
-
- fs_getattr_all_fs(nmbd_t)
-+fs_list_inotifyfs(nmbd_t)
- fs_search_auto_mountpoints(nmbd_t)
-
- domain_use_interactive_fds(nmbd_t)
-@@ -522,6 +538,7 @@
- storage_raw_write_fixed_disk(smbmount_t)
-
- term_list_ptys(smbmount_t)
-+term_use_controlling_term(smbmount_t)
-
- corecmd_list_bin(smbmount_t)
-
-@@ -546,28 +563,37 @@
-
- userdom_use_all_users_fds(smbmount_t)
-
-+optional_policy(`
-+ cups_read_rw_config(smbmount_t)
-+')
-+
- ########################################
- #
- # SWAT Local policy
- #
-
--allow swat_t self:capability { setuid setgid };
--allow swat_t self:process signal_perms;
-+allow swat_t self:capability { setuid setgid sys_resource };
-+allow swat_t self:process { setrlimit signal_perms };
- allow swat_t self:fifo_file rw_file_perms;
- allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
- allow swat_t self:tcp_socket create_stream_socket_perms;
- allow swat_t self:udp_socket create_socket_perms;
-
--allow swat_t nmbd_exec_t:file { execute read };
-+allow swat_t self:unix_stream_socket connectto;
-+can_exec(swat_t, smbd_exec_t)
-+allow swat_t smbd_port_t:tcp_socket name_bind;
-+allow swat_t smbd_t:process { signal signull };
-+allow swat_t smbd_var_run_t:file { lock unlink };
-+
-+can_exec(swat_t, nmbd_exec_t)
-+allow swat_t nmbd_port_t:udp_socket name_bind;
-+allow swat_t nmbd_t:process { signal signull };
-+allow swat_t nmbd_var_run_t:file { lock read unlink };
-
- rw_files_pattern(swat_t,samba_etc_t,samba_etc_t)
-
- append_files_pattern(swat_t,samba_log_t,samba_log_t)
-
--allow swat_t smbd_exec_t:file execute ;
--
--allow swat_t smbd_t:process signull;
--
- allow swat_t smbd_var_run_t:file read;
-
- manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
-@@ -577,7 +603,9 @@
- manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
- files_pid_filetrans(swat_t,swat_var_run_t,file)
-
--allow swat_t winbind_exec_t:file execute;
-+can_exec(swat_t, winbind_exec_t)
-+allow swat_t winbind_var_run_t:dir { write add_name remove_name };
-+allow swat_t winbind_var_run_t:sock_file { create unlink };
-
- kernel_read_kernel_sysctls(swat_t)
- kernel_read_system_state(swat_t)
-@@ -602,6 +630,7 @@
-
- dev_read_urand(swat_t)
-
-+files_list_var_lib(swat_t)
- files_read_etc_files(swat_t)
- files_search_home(swat_t)
- files_read_usr_files(swat_t)
-@@ -614,6 +643,7 @@
- libs_use_shared_libs(swat_t)
-
- logging_send_syslog_msg(swat_t)
-+logging_send_audit_msgs(swat_t)
- logging_search_logs(swat_t)
-
- miscfiles_read_localization(swat_t)
-@@ -631,6 +661,17 @@
- kerberos_use(swat_t)
- ')
-
-+init_read_utmp(swat_t)
-+init_dontaudit_write_utmp(swat_t)
-+
-+manage_dirs_pattern(swat_t,samba_log_t,samba_log_t)
-+create_files_pattern(swat_t,samba_log_t,samba_log_t)
-+
-+manage_files_pattern(swat_t,samba_etc_t,samba_secrets_t)
-+
-+manage_files_pattern(swat_t,samba_var_t,samba_var_t)
-+files_list_var_lib(swat_t)
-+
- ########################################
- #
- # Winbind local policy
-@@ -679,6 +720,8 @@
- manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
- files_pid_filetrans(winbind_t,winbind_var_run_t,file)
-
-+corecmd_exec_bin(winbind_t)
-+
- kernel_read_kernel_sysctls(winbind_t)
- kernel_list_proc(winbind_t)
- kernel_read_proc_symlinks(winbind_t)
-@@ -766,6 +809,7 @@
- optional_policy(`
- squid_read_log(winbind_helper_t)
- squid_append_log(winbind_helper_t)
-+ squid_rw_stream_sockets(winbind_helper_t)
- ')
-
- ########################################
-@@ -790,3 +834,37 @@
- domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
- ')
- ')
-+
-+########################################
-+#
-+# smbcontrol local policy
-+#
-+
-+## internal communication is often done using fifo and unix sockets.
-+allow smbcontrol_t self:fifo_file rw_file_perms;
-+allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
-+
-+files_read_etc_files(smbcontrol_t)
-+
-+libs_use_ld_so(smbcontrol_t)
-+libs_use_shared_libs(smbcontrol_t)
-+
-+miscfiles_read_localization(smbcontrol_t)
-+
-+files_search_var_lib(smbcontrol_t)
-+samba_read_config(smbcontrol_t)
-+samba_rw_var_files(smbcontrol_t)
-+samba_search_var(smbcontrol_t)
-+samba_read_winbind_pid(smbcontrol_t)
-+
-+allow smbcontrol_t smbd_t:process signal;
-+domain_use_interactive_fds(smbcontrol_t)
-+allow smbd_t smbcontrol_t:process { signal signull };
-+
-+allow nmbd_t smbcontrol_t:process signal;
-+allow smbcontrol_t nmbd_t:process { signal signull };
-+
-+allow smbcontrol_t winbind_t:process { signal signull };
-+allow winbind_t smbcontrol_t:process signal;
-+
-+allow smbcontrol_t nmbd_var_run_t:file { read lock };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.2.5/policy/modules/services/sasl.te
---- nsaserefpolicy/policy/modules/services/sasl.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/sasl.te 2007-12-19 05:38:09.000000000 -0500
-@@ -107,6 +107,10 @@
- ')
-
- optional_policy(`
-+ nis_authenticate(saslauthd_t)
-+')
-+
-+optional_policy(`
- seutil_sigchld_newrole(saslauthd_t)
- ')
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.2.5/policy/modules/services/sendmail.if
---- nsaserefpolicy/policy/modules/services/sendmail.if 2007-08-27 13:57:20.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/sendmail.if 2007-12-19 05:38:09.000000000 -0500
-@@ -149,3 +149,85 @@
-
- logging_log_filetrans($1,sendmail_log_t,file)
- ')
-+
-+########################################
-+##
-+## Execute the sendmail program in the sendmail domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to allow the sendmail domain.
-+##
-+##
-+##
-+##
-+## The type of the terminal allow the sendmail domain to use.
-+##
-+##
-+##
-+#
-+interface(`sendmail_run',`
-+ gen_require(`
-+ type sendmail_t;
-+ ')
-+
-+ sendmail_domtrans($1)
-+ role $2 types sendmail_t;
-+ allow sendmail_t $3:chr_file rw_term_perms;
-+')
-+
-+########################################
-+##
-+## Execute sendmail in the unconfined sendmail domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sendmail_domtrans_unconfined',`
-+ gen_require(`
-+ type unconfined_sendmail_t, sendmail_exec_t;
-+ ')
-+
-+ domtrans_pattern($1,sendmail_exec_t,unconfined_sendmail_t)
-+')
-+
-+########################################
-+##
-+## Execute sendmail in the unconfined sendmail domain, and
-+## allow the specified role the unconfined sendmail domain,
-+## and use the caller's terminal.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed the unconfined sendmail domain.
-+##
-+##
-+##
-+##
-+## The type of the terminal allow the unconfined sendmail domain to use.
-+##
-+##
-+##
-+#
-+interface(`sendmail_run_unconfined',`
-+ gen_require(`
-+ type unconfined_sendmail_t;
-+ ')
-+
-+ sendmail_domtrans_unconfined($1)
-+ role $2 types unconfined_sendmail_t;
-+ allow unconfined_sendmail_t $3:chr_file rw_file_perms;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.5/policy/modules/services/sendmail.te
---- nsaserefpolicy/policy/modules/services/sendmail.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/sendmail.te 2007-12-31 15:42:11.000000000 -0500
-@@ -20,13 +20,17 @@
- mta_mailserver_delivery(sendmail_t)
- mta_mailserver_sender(sendmail_t)
-
-+type unconfined_sendmail_t;
-+application_domain(unconfined_sendmail_t,sendmail_exec_t)
-+role system_r types unconfined_sendmail_t;
-+
- ########################################
- #
- # Sendmail local policy
- #
-
--allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
--allow sendmail_t self:process signal;
-+allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
-+allow sendmail_t self:process { signal signull };
- allow sendmail_t self:fifo_file rw_fifo_file_perms;
- allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
- allow sendmail_t self:unix_dgram_socket create_socket_perms;
-@@ -47,6 +51,7 @@
- kernel_read_kernel_sysctls(sendmail_t)
- # for piping mail to a command
- kernel_read_system_state(sendmail_t)
-+kernel_read_network_state(sendmail_t)
-
- corenet_all_recvfrom_unlabeled(sendmail_t)
- corenet_all_recvfrom_netlabel(sendmail_t)
-@@ -97,20 +102,35 @@
-
- userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
- userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
-+userdom_read_all_users_home_content_files(sendmail_t)
-
- mta_read_config(sendmail_t)
- mta_etc_filetrans_aliases(sendmail_t)
- # Write to /etc/aliases and /etc/mail.
--mta_rw_aliases(sendmail_t)
-+mta_manage_aliases(sendmail_t)
- # Write to /var/spool/mail and /var/spool/mqueue.
- mta_manage_queue(sendmail_t)
- mta_manage_spool(sendmail_t)
-+mta_sendmail_exec(sendmail_t)
-+
-+optional_policy(`
-+ cron_read_pipes(sendmail_t)
-+')
-
- optional_policy(`
- clamav_search_lib(sendmail_t)
- ')
-
- optional_policy(`
-+ cyrus_stream_connect(sendmail_t)
-+ clamav_stream_connect(sendmail_t)
-+')
-+
-+optional_policy(`
-+ munin_dontaudit_search_lib(sendmail_t)
-+')
-+
-+optional_policy(`
- postfix_exec_master(sendmail_t)
- postfix_read_config(sendmail_t)
- postfix_search_spool(sendmail_t)
-@@ -125,24 +145,25 @@
- ')
-
- optional_policy(`
-+ sasl_connect(sendmail_t)
-+')
-+
-+optional_policy(`
-+ spamd_stream_connect(sendmail_t)
-+')
-+
-+optional_policy(`
- udev_read_db(sendmail_t)
- ')
-
--ifdef(`TODO',`
--allow sendmail_t etc_mail_t:dir rw_dir_perms;
--allow sendmail_t etc_mail_t:file manage_file_perms;
--# for the start script to run make -C /etc/mail
--allow initrc_t etc_mail_t:dir rw_dir_perms;
--allow initrc_t etc_mail_t:file manage_file_perms;
--allow system_mail_t initrc_t:fd use;
--allow system_mail_t initrc_t:fifo_file write;
--
--# When sendmail runs as user_mail_domain, it needs some extra permissions
--# to update /etc/mail/statistics.
--allow user_mail_domain etc_mail_t:file rw_file_perms;
-+########################################
-+#
-+# Unconfined sendmail local policy
-+# Allow unconfined domain to run newalias and have transitions work
-+#
-
--# Silently deny attempts to access /root.
--dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
-+optional_policy(`
-+ mta_etc_filetrans_aliases(unconfined_sendmail_t)
-+ unconfined_domain(unconfined_sendmail_t)
-+')
-
--dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
--') dnl end TODO
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te
---- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te 2007-12-19 05:38:09.000000000 -0500
-@@ -27,8 +27,8 @@
- # setroubleshootd local policy
- #
-
--allow setroubleshootd_t self:capability { dac_override sys_tty_config };
--allow setroubleshootd_t self:process { signull signal getattr getsched };
-+allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
-+allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
- allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
- allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
- allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -52,7 +52,9 @@
-
- kernel_read_kernel_sysctls(setroubleshootd_t)
- kernel_read_system_state(setroubleshootd_t)
-+kernel_read_net_sysctls(setroubleshootd_t)
- kernel_read_network_state(setroubleshootd_t)
-+kernel_dontaudit_list_all_proc(setroubleshootd_t)
-
- corecmd_exec_bin(setroubleshootd_t)
- corecmd_exec_shell(setroubleshootd_t)
-@@ -73,7 +75,7 @@
-
- files_read_usr_files(setroubleshootd_t)
- files_read_etc_files(setroubleshootd_t)
--files_getattr_all_dirs(setroubleshootd_t)
-+files_list_all(setroubleshootd_t)
- files_getattr_all_files(setroubleshootd_t)
-
- fs_getattr_all_dirs(setroubleshootd_t)
-@@ -110,6 +112,7 @@
- optional_policy(`
- dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
- dbus_connect_system_bus(setroubleshootd_t)
-+ dbus_system_domain(setroubleshootd_t,setroubleshootd_exec_t)
- ')
-
- optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.2.5/policy/modules/services/snmp.te
---- nsaserefpolicy/policy/modules/services/snmp.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/snmp.te 2007-12-19 05:38:09.000000000 -0500
-@@ -81,8 +81,7 @@
- files_read_usr_files(snmpd_t)
- files_read_etc_runtime_files(snmpd_t)
- files_search_home(snmpd_t)
--files_getattr_boot_dirs(snmpd_t)
--files_dontaudit_getattr_home_dir(snmpd_t)
-+auth_read_all_dirs_except_shadow(snmpd_t)
-
- fs_getattr_all_dirs(snmpd_t)
- fs_getattr_all_fs(snmpd_t)
diff --git a/libselinux.spec b/libselinux.spec
index 8105b10..ea2f91f 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -2,7 +2,7 @@
 Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 2.0.46
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
 Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
@@ -123,6 +123,9 @@ exit 0
 %{_libdir}/python*/site-packages/selinux.py*
 %changelog
+* Tue Jan 8 2008 Dan Walsh - 2.0.46-4
+- Add pid_t typemap for swig bindings
+
 * Thu Jan 3 2008 Dan Walsh - 2.0.46-3
 - smp_mflag