rpms/selinux-policy/devel policy-20070102.patch,1.7,1.8
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Jan 24 16:39:38 UTC 2007
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv18929
Modified Files:
policy-20070102.patch
Log Message:
* Mon Jan 22 2007 Dan Walsh <dwalsh at redhat.com> 2.5.1-5
- Continue fixing, additional user domains
policy-20070102.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 1
config/appconfig-strict-mls/seusers | 1
config/appconfig-strict/seusers | 1
man/man8/httpd_selinux.8 | 88 +++--
man/man8/kerberos_selinux.8 | 24 -
man/man8/named_selinux.8 | 21 -
man/man8/rsync_selinux.8 | 19 -
policy/flask/access_vectors | 4
policy/global_tunables | 123 +++++---
policy/mls | 31 +-
policy/modules/admin/acct.te | 1
policy/modules/admin/bootloader.fc | 5
policy/modules/admin/bootloader.te | 5
policy/modules/admin/consoletype.te | 13
policy/modules/admin/dmesg.te | 1
policy/modules/admin/logwatch.te | 5
policy/modules/admin/netutils.te | 1
policy/modules/admin/prelink.te | 7
policy/modules/admin/quota.fc | 7
policy/modules/admin/quota.te | 20 -
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 +
policy/modules/admin/rpm.te | 18 +
policy/modules/admin/su.if | 28 +
policy/modules/admin/su.te | 2
policy/modules/admin/sudo.if | 10
policy/modules/admin/usermanage.te | 23 +
policy/modules/admin/vpn.te | 1
policy/modules/apps/ethereal.if | 4
policy/modules/apps/evolution.if | 135 +++++++--
policy/modules/apps/games.if | 4
policy/modules/apps/gnome.fc | 2
policy/modules/apps/gnome.if | 98 ++++++
policy/modules/apps/gnome.te | 5
policy/modules/apps/gpg.if | 1
policy/modules/apps/java.fc | 2
policy/modules/apps/java.if | 33 ++
policy/modules/apps/java.te | 2
policy/modules/apps/loadkeys.if | 17 -
policy/modules/apps/loadkeys.te | 13
policy/modules/apps/mozilla.if | 252 ++++++++++++++--
policy/modules/apps/mplayer.if | 83 +++++
policy/modules/apps/mplayer.te | 1
policy/modules/apps/slocate.if | 20 +
policy/modules/apps/slocate.te | 3
policy/modules/apps/thunderbird.if | 112 ++++++-
policy/modules/apps/tvtime.if | 3
policy/modules/apps/uml.if | 5
policy/modules/apps/userhelper.if | 19 +
policy/modules/apps/vmware.if | 4
policy/modules/apps/webalizer.te | 1
policy/modules/kernel/corecommands.fc | 10
policy/modules/kernel/corecommands.if | 52 +++
policy/modules/kernel/corenetwork.if.in | 81 +++++
policy/modules/kernel/corenetwork.te.in | 16 -
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.te | 1
policy/modules/kernel/domain.if | 21 +
policy/modules/kernel/domain.te | 19 +
policy/modules/kernel/files.if | 198 ++++++++++++-
policy/modules/kernel/filesystem.if | 22 +
policy/modules/kernel/filesystem.te | 3
policy/modules/kernel/kernel.if | 64 ++++
policy/modules/kernel/kernel.te | 6
policy/modules/kernel/mls.if | 20 +
policy/modules/kernel/mls.te | 3
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 2
policy/modules/kernel/terminal.if | 20 +
policy/modules/kernel/terminal.te | 5
policy/modules/services/apache.fc | 9
policy/modules/services/apache.te | 9
policy/modules/services/apm.te | 3
policy/modules/services/automount.fc | 1
policy/modules/services/automount.te | 9
policy/modules/services/ccs.fc | 1
policy/modules/services/ccs.te | 19 +
policy/modules/services/clamav.te | 2
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 86 +++--
policy/modules/services/cron.te | 39 ++
policy/modules/services/cups.te | 5
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.if | 44 ++
policy/modules/services/ftp.if | 4
policy/modules/services/ftp.te | 13
policy/modules/services/hal.if | 38 ++
policy/modules/services/hal.te | 1
policy/modules/services/inetd.te | 31 +-
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.if | 2
policy/modules/services/ktalk.fc | 3
policy/modules/services/ktalk.te | 5
policy/modules/services/lpd.if | 52 +--
policy/modules/services/mta.if | 9
policy/modules/services/mta.te | 2
policy/modules/services/networkmanager.te | 2
policy/modules/services/nis.fc | 2
policy/modules/services/nis.if | 5
policy/modules/services/nis.te | 10
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 15 -
policy/modules/services/openvpn.te | 4
policy/modules/services/pcscd.fc | 9
policy/modules/services/pcscd.if | 58 +++
policy/modules/services/pcscd.te | 78 +++++
policy/modules/services/pegasus.if | 27 +
policy/modules/services/pegasus.te | 5
policy/modules/services/procmail.te | 1
policy/modules/services/pyzor.te | 4
policy/modules/services/radvd.te | 2
policy/modules/services/razor.if | 9
policy/modules/services/rhgb.if | 76 +++++
policy/modules/services/rhgb.te | 3
policy/modules/services/ricci.te | 6
policy/modules/services/rlogin.te | 10
policy/modules/services/rpc.fc | 1
policy/modules/services/rsync.te | 1
policy/modules/services/samba.te | 2
policy/modules/services/sendmail.te | 4
policy/modules/services/setroubleshoot.if | 20 +
policy/modules/services/setroubleshoot.te | 1
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.if | 17 +
policy/modules/services/spamassassin.if | 6
policy/modules/services/spamassassin.te | 8
policy/modules/services/ssh.if | 79 ++++-
policy/modules/services/ssh.te | 160 +++++-----
policy/modules/services/uucp.te | 2
policy/modules/services/xserver.fc | 2
policy/modules/services/xserver.if | 153 ++++++++++
policy/modules/services/xserver.te | 20 -
policy/modules/system/authlogin.if | 72 ++++
policy/modules/system/authlogin.te | 3
policy/modules/system/clock.te | 3
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 6
policy/modules/system/getty.te | 14
policy/modules/system/hostname.te | 14
policy/modules/system/init.if | 23 +
policy/modules/system/init.te | 35 ++
policy/modules/system/ipsec.fc | 6
policy/modules/system/ipsec.if | 19 +
policy/modules/system/ipsec.te | 111 +++++++
policy/modules/system/iptables.te | 9
policy/modules/system/libraries.fc | 4
policy/modules/system/locallogin.te | 6
policy/modules/system/logging.te | 13
policy/modules/system/lvm.te | 35 +-
policy/modules/system/miscfiles.fc | 2
policy/modules/system/miscfiles.if | 79 +++++
policy/modules/system/modutils.te | 14
policy/modules/system/mount.te | 8
policy/modules/system/raid.te | 4
policy/modules/system/selinuxutil.fc | 2
policy/modules/system/selinuxutil.if | 115 +++++++
policy/modules/system/selinuxutil.te | 116 ++-----
policy/modules/system/sysnetwork.te | 3
policy/modules/system/tzdata.fc | 3
policy/modules/system/tzdata.if | 19 +
policy/modules/system/tzdata.te | 38 ++
policy/modules/system/unconfined.fc | 2
policy/modules/system/unconfined.if | 2
policy/modules/system/unconfined.te | 20 +
policy/modules/system/userdomain.fc | 7
policy/modules/system/userdomain.if | 449 +++++++++++++++++++++++++++---
policy/modules/system/userdomain.te | 44 +-
policy/modules/system/xen.te | 25 +
policy/support/obj_perm_sets.spt | 2
170 files changed, 3767 insertions(+), 646 deletions(-)
Index: policy-20070102.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20070102.patch,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- policy-20070102.patch 23 Jan 2007 01:08:45 -0000 1.7
+++ policy-20070102.patch 24 Jan 2007 16:39:35 -0000 1.8
@@ -1152,6 +1152,20 @@
sysnet_exec_ifconfig(vpnc_t)
sysnet_etc_filetrans_config(vpnc_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.if serefpolicy-2.5.1/policy/modules/apps/ethereal.if
+--- nsaserefpolicy/policy/modules/apps/ethereal.if 2007-01-02 12:57:22.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/apps/ethereal.if 2007-01-23 09:18:28.000000000 -0500
+@@ -34,6 +34,10 @@
+ #
+ template(`ethereal_per_role_template',`
+
++ gen_require(`
++ type ethereal_exec_t;
++ ')
++
+ ##############################
+ #
+ # Declarations
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolution.if serefpolicy-2.5.1/policy/modules/apps/evolution.if
--- nsaserefpolicy/policy/modules/apps/evolution.if 2007-01-02 12:57:22.000000000 -0500
+++ serefpolicy-2.5.1/policy/modules/apps/evolution.if 2007-01-17 13:32:47.000000000 -0500
@@ -1452,6 +1466,20 @@
+ allow $2 $1_evolution_alarm_t:dbus send_msg;
+ allow $1_evolution_alarm_t $2:dbus send_msg;
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.if serefpolicy-2.5.1/policy/modules/apps/games.if
+--- nsaserefpolicy/policy/modules/apps/games.if 2007-01-02 12:57:22.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/apps/games.if 2007-01-23 09:19:04.000000000 -0500
+@@ -33,6 +33,10 @@
+ ## </param>
+ #
+ template(`games_per_role_template',`
++ gen_require(`
++ type games_exec_t;
++ type games_data_t;
++ ')
+
+ ########################################
+ #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-2.5.1/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2006-11-16 17:15:07.000000000 -0500
+++ serefpolicy-2.5.1/policy/modules/apps/gnome.fc 2007-01-17 13:32:47.000000000 -0500
@@ -1463,7 +1491,7 @@
+HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:ROLE_gnome_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-2.5.1/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2007-01-02 12:57:22.000000000 -0500
-+++ serefpolicy-2.5.1/policy/modules/apps/gnome.if 2007-01-17 13:32:47.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/apps/gnome.if 2007-01-23 09:18:51.000000000 -0500
@@ -35,19 +35,24 @@
template(`gnome_per_role_template',`
gen_require(`
@@ -2111,8 +2139,19 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-2.5.1/policy/modules/apps/mplayer.if
--- nsaserefpolicy/policy/modules/apps/mplayer.if 2007-01-02 12:57:22.000000000 -0500
-+++ serefpolicy-2.5.1/policy/modules/apps/mplayer.if 2007-01-17 13:32:47.000000000 -0500
-@@ -178,6 +178,10 @@
++++ serefpolicy-2.5.1/policy/modules/apps/mplayer.if 2007-01-23 09:18:45.000000000 -0500
+@@ -33,6 +33,10 @@
+ ## </param>
+ #
+ template(`mplayer_per_role_template',`
++ gen_require(`
++ type mencoder_exec_t;
++ type mplayer_exec_t;
++ ')
+
+ ########################################
+ #
+@@ -178,6 +182,10 @@
files_dontaudit_list_default($1_mencoder_t)
')
@@ -2123,7 +2162,7 @@
tunable_policy(`read_untrusted_content',`
files_list_tmp($1_mencoder_t)
files_list_home($1_mencoder_t)
-@@ -249,6 +253,7 @@
+@@ -249,6 +257,7 @@
allow $1_mplayer_t self:process { signal_perms getsched };
allow $1_mplayer_t self:fifo_file rw_fifo_file_perms;
@@ -2131,7 +2170,7 @@
manage_dirs_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
manage_files_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
-@@ -320,6 +325,7 @@
+@@ -320,6 +329,7 @@
fs_dontaudit_getattr_all_fs($1_mplayer_t)
fs_search_auto_mountpoints($1_mplayer_t)
@@ -2139,7 +2178,7 @@
libs_use_ld_so($1_mplayer_t)
libs_use_shared_libs($1_mplayer_t)
-@@ -428,6 +434,11 @@
+@@ -428,6 +438,11 @@
')
optional_policy(`
@@ -2151,7 +2190,7 @@
alsa_read_rw_config($1_mplayer_t)
')
-@@ -435,3 +446,71 @@
+@@ -435,3 +450,71 @@
nscd_socket_use($1_mplayer_t)
')
')
@@ -2494,6 +2533,34 @@
+allow staff_thunderbird_t tmp_t:sock_file create;
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-2.5.1/policy/modules/apps/tvtime.if
+--- nsaserefpolicy/policy/modules/apps/tvtime.if 2007-01-02 12:57:22.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/apps/tvtime.if 2007-01-23 09:18:33.000000000 -0500
+@@ -33,6 +33,9 @@
+ ## </param>
+ #
+ template(`tvtime_per_role_template',`
++ gen_require(`
++ type tvtime_exec_t;
++ ')
+
+ ########################################
+ #
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.if serefpolicy-2.5.1/policy/modules/apps/uml.if
+--- nsaserefpolicy/policy/modules/apps/uml.if 2007-01-02 12:57:22.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/apps/uml.if 2007-01-23 09:18:55.000000000 -0500
+@@ -34,6 +34,11 @@
+ #
+ template(`uml_per_role_template',`
+
++ gen_require(`
++ type uml_ro_t;
++ type uml_exec_t;
++ ')
++
+ ########################################
+ #
+ # Declarations
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-2.5.1/policy/modules/apps/userhelper.if
--- nsaserefpolicy/policy/modules/apps/userhelper.if 2007-01-02 12:57:22.000000000 -0500
+++ serefpolicy-2.5.1/policy/modules/apps/userhelper.if 2007-01-17 13:32:47.000000000 -0500
@@ -2527,6 +2594,20 @@
+ ')
+ can_exec($1,userhelper_exec_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-2.5.1/policy/modules/apps/vmware.if
+--- nsaserefpolicy/policy/modules/apps/vmware.if 2007-01-02 12:57:22.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/apps/vmware.if 2007-01-23 09:19:00.000000000 -0500
+@@ -33,6 +33,10 @@
+ ## </param>
+ #
+ template(`vmware_per_role_template',`
++ gen_require(`
++ type vmware_exec_t;
++ type vmware_sys_conf_t;
++ ')
+
+ ##############################
+ #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-2.5.1/policy/modules/apps/webalizer.te
--- nsaserefpolicy/policy/modules/apps/webalizer.te 2007-01-02 12:57:22.000000000 -0500
+++ serefpolicy-2.5.1/policy/modules/apps/webalizer.te 2007-01-17 13:58:19.000000000 -0500
@@ -2949,7 +3030,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.5.1/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-01-02 12:57:13.000000000 -0500
-+++ serefpolicy-2.5.1/policy/modules/kernel/files.if 2007-01-22 12:51:02.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/kernel/files.if 2007-01-24 10:58:24.000000000 -0500
@@ -350,8 +350,7 @@
########################################
@@ -3078,7 +3159,7 @@
')
########################################
-@@ -4479,3 +4537,115 @@
+@@ -4479,3 +4537,133 @@
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
@@ -3194,13 +3275,45 @@
+ allow $1 tmpfile:file r_file_perms;
+')
+
++########################################
++## <summary>
++## Create, read, write, and delete symbolic links in /etc.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_manage_etc_symlinks',`
++ gen_require(`
++ type etc_t;
++ ')
++
++ allow $1 etc_t:dir rw_dir_perms;
++ allow $1 etc_t:lnk_file create_lnk_perms;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.5.1/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-01-02 12:57:13.000000000 -0500
-+++ serefpolicy-2.5.1/policy/modules/kernel/filesystem.if 2007-01-17 13:32:47.000000000 -0500
-@@ -2740,6 +2740,25 @@
++++ serefpolicy-2.5.1/policy/modules/kernel/filesystem.if 2007-01-24 11:38:15.000000000 -0500
+@@ -1110,6 +1110,7 @@
+ type dosfs_t;
+ ')
- ########################################
- ## <summary>
++ manage_dirs_pattern($1,dosfs_t,dosfs_t)
+ manage_files_pattern($1,dosfs_t,dosfs_t)
+ ')
+
+@@ -2735,7 +2736,26 @@
+ type tmpfs_t;
+ ')
+
+- dontaudit $1 tmpfs_t:file { read write };
++ dontaudit $1 tmpfs_t:file rw_file_perms;
++')
++
++########################################
++## <summary>
+## Do not audit attempts to getattr
+## generic tmpfs files.
+## </summary>
@@ -3216,13 +3329,9 @@
+ ')
+
+ dontaudit $1 tmpfs_t:file getattr;
-+')
-+
-+########################################
-+## <summary>
- ## Create, read, write, and delete
- ## auto moutpoints.
- ## </summary>
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.5.1/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-01-02 12:57:13.000000000 -0500
+++ serefpolicy-2.5.1/policy/modules/kernel/filesystem.te 2007-01-17 14:13:14.000000000 -0500
@@ -3519,8 +3628,20 @@
+/opt/fortitude/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.5.1/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.1/policy/modules/services/apache.te 2007-01-17 13:32:47.000000000 -0500
-@@ -686,6 +686,7 @@
++++ serefpolicy-2.5.1/policy/modules/services/apache.te 2007-01-24 11:07:38.000000000 -0500
+@@ -448,6 +448,11 @@
+
+ logging_send_syslog_msg(httpd_helper_t)
+
++optional_policy(`
++ ssh_sigchld(httpd_helper_t)
++ ssh_rw_stream_sockets(httpd_helper_t)
++')
++
+ tunable_policy(`httpd_tty_comm',`
+ # cjp: this is redundant:
+ term_use_controlling_term(httpd_helper_t)
+@@ -686,6 +691,7 @@
optional_policy(`
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
@@ -3528,6 +3649,20 @@
')
########################################
+@@ -694,6 +700,8 @@
+ #
+
+ manage_files_pattern(httpd_rotatelogs_t,httpd_log_t,httpd_log_t)
++# Apache-httpd needs to be able to send signals to the log rotate procs.
++allow httpd_t httpd_rotatelogs_t:process signal_perms;
+
+ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+ kernel_dontaudit_list_proc(httpd_rotatelogs_t)
+@@ -712,3 +720,4 @@
+ term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
+ term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t)
+ ')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-2.5.1/policy/modules/services/apm.te
--- nsaserefpolicy/policy/modules/services/apm.te 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.1/policy/modules/services/apm.te 2007-01-17 13:32:47.000000000 -0500
@@ -3606,6 +3741,61 @@
fs_mount_all_fs(automount_t)
fs_unmount_all_fs(automount_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-2.5.1/policy/modules/services/ccs.fc
+--- nsaserefpolicy/policy/modules/services/ccs.fc 2006-11-16 17:15:21.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/services/ccs.fc 2007-01-24 11:08:51.000000000 -0500
+@@ -6,3 +6,4 @@
+
+ /var/run/cluster(/.*)? gen_context(system_u:object_r:ccs_var_run_t,s0)
+ /var/run/cman_.* -s gen_context(system_u:object_r:ccs_var_run_t,s0)
++/var/lib/openais(/.*)? gen_context(system_u:object_r:ccs_var_lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-2.5.1/policy/modules/services/ccs.te
+--- nsaserefpolicy/policy/modules/services/ccs.te 2007-01-02 12:57:43.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/services/ccs.te 2007-01-24 11:00:57.000000000 -0500
+@@ -18,6 +18,10 @@
+ type ccs_var_log_t;
+ logging_log_file(ccs_var_log_t)
+
++# var lib files
++type ccs_var_lib_t;
++logging_log_file(ccs_var_lib_t)
++
+ # pid files
+ type ccs_var_run_t;
+ files_pid_file(ccs_var_run_t)
+@@ -27,8 +31,8 @@
+ # ccs local policy
+ #
+
+-allow ccs_t self:capability { ipc_lock sys_nice sys_resource };
+-allow ccs_t self:process { signal setrlimit setsched };
++allow ccs_t self:capability { ipc_lock sys_nice sys_resource sys_admin };
++allow ccs_t self:process { ptrace signal setrlimit setsched };
+ allow ccs_t self:fifo_file { read write };
+ allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow ccs_t self:unix_dgram_socket create_socket_perms;
+@@ -46,6 +50,11 @@
+ allow ccs_t ccs_var_log_t:dir setattr;
+ logging_log_filetrans(ccs_t,ccs_var_log_t,{ sock_file file dir })
+
++# var lib files
++manage_dirs_pattern(ccs_t,ccs_var_lib_t,ccs_var_lib_t)
++manage_files_pattern(ccs_t,ccs_var_lib_t,ccs_var_lib_t)
++files_var_lib_filetrans(ccs_t,ccs_var_lib_t,{ file dir })
++
+ # pid file
+ manage_dirs_pattern(ccs_t,ccs_var_run_t,ccs_var_run_t)
+ manage_files_pattern(ccs_t,ccs_var_run_t,ccs_var_run_t)
+@@ -95,3 +104,9 @@
+ optional_policy(`
+ unconfined_use_fds(ccs_t)
+ ')
++
++ifdef(`hide_broken_symptoms', `
++ # This is broken
++ corecmd_dontaudit_write_sbin(ccs_t)
++ files_manage_isid_type_files(ccs_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.5.1/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.1/policy/modules/services/clamav.te 2007-01-17 13:32:47.000000000 -0500
@@ -4082,6 +4272,20 @@
## Read dbus configuration.
## </summary>
## <param name="domain">
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-2.5.1/policy/modules/services/ftp.if
+--- nsaserefpolicy/policy/modules/services/ftp.if 2007-01-02 12:57:43.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/services/ftp.if 2007-01-23 09:19:24.000000000 -0500
+@@ -24,6 +24,10 @@
+ ## </param>
+ #
+ template(`ftp_per_role_template',`
++ gen_require(`
++ type ftpd_t;
++ ')
++
+ tunable_policy(`ftpd_is_daemon',`
+ userdom_manage_user_home_content_files($1,ftpd_t)
+ userdom_manage_user_home_content_symlinks($1,ftpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.5.1/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.1/policy/modules/services/ftp.te 2007-01-17 14:08:21.000000000 -0500
@@ -4298,7 +4502,7 @@
kernel_rw_irq_sysctls(irqbalance_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-2.5.1/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.1/policy/modules/services/kerberos.if 2007-01-17 13:32:47.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/services/kerberos.if 2007-01-24 11:02:39.000000000 -0500
@@ -41,6 +41,7 @@
allow $1 krb5_conf_t:file { getattr read };
dontaudit $1 krb5_conf_t:file write;
@@ -4307,6 +4511,14 @@
tunable_policy(`allow_kerberos',`
allow $1 self:tcp_socket create_socket_perms;
+@@ -62,6 +63,7 @@
+
+ sysnet_read_config($1)
+ sysnet_dns_name_resolve($1)
++ pcscd_stream_connect($1)
+ ')
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.fc serefpolicy-2.5.1/policy/modules/services/ktalk.fc
--- nsaserefpolicy/policy/modules/services/ktalk.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-2.5.1/policy/modules/services/ktalk.fc 2007-01-17 13:32:47.000000000 -0500
@@ -4404,6 +4616,32 @@
# Allow per user lpr domain read acces for specific user.
tunable_policy(`read_untrusted_content',`
userdom_read_all_untrusted_content($1_lpr_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-2.5.1/policy/modules/services/mta.if
+--- nsaserefpolicy/policy/modules/services/mta.if 2007-01-02 12:57:43.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/services/mta.if 2007-01-23 09:19:39.000000000 -0500
+@@ -40,6 +40,11 @@
+ #
+ template(`mta_base_mail_template',`
+
++ gen_require(`
++ attribute user_mail_domain;
++ type sendmail_exec_t;
++ ')
++
+ ##############################
+ #
+ # $1_mail_t declarations
+@@ -174,6 +179,10 @@
+ ## </param>
+ #
+ template(`mta_per_role_template',`
++ gen_require(`
++ attribute mta_user_agent;
++ attribute mailserver_delivery;
++ ')
+
+ ##############################
+ #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.5.1/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.1/policy/modules/services/mta.te 2007-01-17 14:44:11.000000000 -0500
@@ -4846,6 +5084,32 @@
manage_files_pattern(radvd_t,radvd_var_run_t,radvd_var_run_t)
files_pid_filetrans(radvd_t,radvd_var_run_t,file)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-2.5.1/policy/modules/services/razor.if
+--- nsaserefpolicy/policy/modules/services/razor.if 2007-01-02 12:57:43.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/services/razor.if 2007-01-23 09:19:30.000000000 -0500
+@@ -23,6 +23,12 @@
+ ## </param>
+ #
+ template(`razor_common_domain_template',`
++ gen_require(`
++ type razor_exec_t;
++ type razor_etc_t;
++ type razor_log_t;
++ type razor_var_lib_t;
++ ')
+
+ allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_t self:fd use;
+@@ -131,6 +137,9 @@
+ ## </param>
+ #
+ template(`razor_per_role_template',`
++ gen_require(`
++ type razor_exec_t;
++ ')
+
+ type $1_razor_t;
+ domain_type($1_razor_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.if serefpolicy-2.5.1/policy/modules/services/rhgb.if
--- nsaserefpolicy/policy/modules/services/rhgb.if 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-2.5.1/policy/modules/services/rhgb.if 2007-01-17 13:32:47.000000000 -0500
@@ -4949,6 +5213,36 @@
xserver_read_xdm_tmp_files(rhgb_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.5.1/policy/modules/services/ricci.te
+--- nsaserefpolicy/policy/modules/services/ricci.te 2007-01-02 12:57:43.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/services/ricci.te 2007-01-24 10:59:45.000000000 -0500
+@@ -385,6 +385,8 @@
+ files_search_usr(ricci_modrpm_t)
+ files_read_etc_files(ricci_modrpm_t)
+
++kernel_read_kernel_sysctls(ricci_modrpm_t)
++
+ miscfiles_read_localization(ricci_modrpm_t)
+
+ optional_policy(`
+@@ -414,6 +416,9 @@
+ files_read_etc_files(ricci_modservice_t)
+ files_read_etc_runtime_files(ricci_modservice_t)
+ files_search_usr(ricci_modservice_t)
++# Needed for running chkconfig
++init_create_script_files(ricci_modservice_t)
++files_manage_etc_symlinks(ricci_modservice_t)
+
+ consoletype_exec(ricci_modservice_t)
+
+@@ -460,6 +465,7 @@
+ files_manage_etc_files(ricci_modstorage_t)
+ files_read_etc_runtime_files(ricci_modstorage_t)
+ files_read_usr_files(ricci_modstorage_t)
++files_read_kernel_modules(ricci_modstorage_t)
+
+ storage_raw_read_fixed_disk(ricci_modstorage_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-2.5.1/policy/modules/services/rlogin.te
--- nsaserefpolicy/policy/modules/services/rlogin.te 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.1/policy/modules/services/rlogin.te 2007-01-17 13:32:47.000000000 -0500
@@ -5098,6 +5392,22 @@
+ ')
+ dontaudit $1 snmpd_var_lib_t:file write;
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-2.5.1/policy/modules/services/spamassassin.if
+--- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-01-02 12:57:43.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/services/spamassassin.if 2007-01-23 09:19:34.000000000 -0500
+@@ -35,6 +35,12 @@
+ # toggled on activation of spamc, and similarly for spamd.
+ template(`spamassassin_per_role_template',`
+
++ gen_require(`
++ type spamc_exec_t;
++ type spamassassin_exec_t;
++ type spamd_t, spamd_tmp_t;
++ ')
++
+ ##############################
+ #
+ # Declarations
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.5.1/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.1/policy/modules/services/spamassassin.te 2007-01-17 13:32:47.000000000 -0500
@@ -6061,7 +6371,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.5.1/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-2.5.1/policy/modules/system/init.if 2007-01-17 13:32:47.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/system/init.if 2007-01-24 10:56:30.000000000 -0500
@@ -202,11 +202,14 @@
gen_require(`
type initrc_t;
@@ -6077,6 +6387,30 @@
role system_r types $1;
domtrans_pattern(initrc_t,$2,$1)
+@@ -1275,3 +1278,23 @@
+ files_search_pids($1)
+ allow $1 initrc_var_run_t:file manage_file_perms;
+ ')
++
++########################################
++## <summary>
++## Read init scripts.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`init_create_script_files',`
++ gen_require(`
++ type initrc_exec_t;
++ ')
++
++ files_etc_filetrans($1, initrc_exec_t, file)
++ allow $1 initrc_exec_t:file create_file_perms;
++ allow $1 initrc_exec_t:file r_file_perms;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.5.1/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-01-02 12:57:49.000000000 -0500
+++ serefpolicy-2.5.1/policy/modules/system/init.te 2007-01-17 13:42:33.000000000 -0500
@@ -6462,16 +6796,61 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.5.1/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-2.5.1/policy/modules/system/lvm.te 2007-01-17 14:38:17.000000000 -0500
-@@ -44,6 +44,7 @@
++++ serefpolicy-2.5.1/policy/modules/system/lvm.te 2007-01-24 11:28:20.000000000 -0500
+@@ -44,14 +44,20 @@
# Cluster LVM daemon local policy
#
-+allow clvmd_t self:capability mknod;
++allow clvmd_t self:capability { sys_admin mknod };
dontaudit clvmd_t self:capability sys_tty_config;
- allow clvmd_t self:process signal_perms;
+-allow clvmd_t self:process signal_perms;
++allow clvmd_t self:process { ptrace signal_perms };
allow clvmd_t self:socket create_socket_perms;
-@@ -147,7 +148,9 @@
+ allow clvmd_t self:fifo_file rw_fifo_file_perms;
+ allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow clvmd_t self:tcp_socket create_stream_socket_perms;
+ allow clvmd_t self:udp_socket create_socket_perms;
+
++dev_rw_lvm_control(clvmd_t)
++dev_dontaudit_getattr_all_blk_files(clvmd_t)
++dev_dontaudit_getattr_all_chr_files(clvmd_t)
++storage_dontaudit_getattr_removable_dev(clvmd_t)
++
+ manage_files_pattern(clvmd_t,clvmd_var_run_t,clvmd_var_run_t)
+ files_pid_filetrans(clvmd_t,clvmd_var_run_t,file)
+
+@@ -62,9 +68,11 @@
+ kernel_list_proc(clvmd_t)
+ kernel_read_proc_symlinks(clvmd_t)
+ kernel_search_debugfs(clvmd_t)
++kernel_dontaudit_getattr_core_if(clvmd_t)
+
+ corecmd_exec_shell(clvmd_t)
+ corecmd_read_bin_symlinks(clvmd_t)
++corecmd_getattr_sbin_files(clvmd_t)
+ corecmd_read_sbin_symlinks(clvmd_t)
+
+ corenet_non_ipsec_sendrecv(clvmd_t)
+@@ -89,6 +97,7 @@
+
+ fs_getattr_all_fs(clvmd_t)
+ fs_search_auto_mountpoints(clvmd_t)
++fs_dontaudit_list_tmpfs(clvmd_t)
+
+ term_dontaudit_use_console(clvmd_t)
+
+@@ -132,6 +141,10 @@
+ ')
+
+ optional_policy(`
++ udev_read_db(clvmd_t)
++')
++
++optional_policy(`
+ ricci_dontaudit_rw_modcluster_pipes(clvmd_t)
+ ricci_dontaudit_use_modcluster_fds(clvmd_t)
+ ')
+@@ -147,7 +160,9 @@
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
# rawio needed for dmraid
@@ -6482,7 +6861,15 @@
dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
-@@ -228,6 +231,7 @@
+@@ -156,6 +171,7 @@
+ allow lvm_t self:fifo_file rw_file_perms;
+ allow lvm_t self:unix_dgram_socket create_socket_perms;
+ allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow lvm_t clvmd_t:unix_stream_socket connectto;
+
+ manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
+ manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
+@@ -228,6 +244,7 @@
fs_list_tmpfs(lvm_t)
fs_read_tmpfs_symlinks(lvm_t)
fs_dontaudit_read_removable_files(lvm_t)
@@ -6490,13 +6877,40 @@
storage_relabel_fixed_disk(lvm_t)
storage_dontaudit_read_removable_device(lvm_t)
-@@ -244,6 +248,7 @@
- term_dontaudit_getattr_pty_dirs(lvm_t)
+@@ -240,8 +257,8 @@
+ # Access raw devices and old /dev/lvm (c 109,0). Is this needed?
+ storage_manage_fixed_disk(lvm_t)
+
+-term_dontaudit_getattr_all_user_ttys(lvm_t)
+-term_dontaudit_getattr_pty_dirs(lvm_t)
++term_getattr_all_user_ttys(lvm_t)
++term_list_ptys(lvm_t)
corecmd_exec_sbin(lvm_t)
-+corecmd_dontaudit_getattr_sbin_files(lvm_t)
- domain_use_interactive_fds(lvm_t)
+@@ -274,8 +291,8 @@
+ ')
+
+ ifdef(`targeted_policy', `
+- term_dontaudit_use_unallocated_ttys(lvm_t)
+- term_dontaudit_use_generic_ptys(lvm_t)
++ term_use_unallocated_ttys(lvm_t)
++ term_use_generic_ptys(lvm_t)
+
+ files_dontaudit_read_root_files(lvm_t)
+ ')
+@@ -289,6 +306,12 @@
+ ')
+
+ optional_policy(`
++ ssh_sigchld(lvm_t)
++ ssh_rw_stream_sockets(lvm_t)
++')
++
++optional_policy(`
++ gpm_dontaudit_getattr_gpmctl(clvmd_t)
+ gpm_dontaudit_getattr_gpmctl(lvm_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-2.5.1/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2007-01-02 12:57:49.000000000 -0500
More information about the fedora-cvs-commits
mailing list