rpms/selinux-policy-strict/devel policy-20050404.patch, 1.5, 1.6 selinux-policy-strict.spec, 1.270, 1.271

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Sat Apr 9 11:08:40 UTC 2005


Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv2101

Modified Files:
	policy-20050404.patch selinux-policy-strict.spec 
Log Message:
* Fri Apr 8 2005 Dan Walsh <dwalsh at redhat.com> 1.23.9-1
- Create separate secadm_r/secadm_t domain


policy-20050404.patch:
 appconfig/default_type                   |    1 
 assert.te                                |    4 -
 attrib.te                                |   14 +++++
 domains/admin.te                         |   23 +++++----
 domains/misc/kernel.te                   |    2 
 domains/program/checkpolicy.te           |    5 -
 domains/program/load_policy.te           |    4 -
 domains/program/modutil.te               |    2 
 domains/program/newrole.te               |    1 
 domains/program/restorecon.te            |    3 -
 domains/program/setfiles.te              |    3 -
 domains/program/unused/NetworkManager.te |    7 ++
 domains/program/unused/cups.te           |   12 +---
 domains/program/unused/dmidecode.te      |    1 
 domains/program/unused/howl.te           |    2 
 domains/program/unused/kudzu.te          |    1 
 domains/program/unused/snmpd.te          |    3 +
 domains/program/unused/updfstab.te       |    1 
 domains/user.te                          |    2 
 file_contexts/distros.fc                 |    4 +
 macros/admin_macros.te                   |   75 ++++++++++++++++++-----------
 macros/base_user_macros.te               |    9 ---
 macros/program/dbusd_macros.te           |    4 +
 macros/program/gift_macros.te            |    2 
 macros/program/mplayer_macros.te         |   10 ++-
 macros/user_macros.te                    |   78 +++++++++++++++++++++----------
 targeted/domains/program/modutil.te      |   17 ------
 tunables/distro.tun                      |    2 
 tunables/tunable.tun                     |   12 ++--
 users                                    |    2 
 30 files changed, 185 insertions(+), 121 deletions(-)

Index: policy-20050404.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050404.patch,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- policy-20050404.patch	6 Apr 2005 18:30:27 -0000	1.5
+++ policy-20050404.patch	9 Apr 2005 11:08:37 -0000	1.6
@@ -1,224 +1,535 @@
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.8/domains/program/unused/apache.te
---- nsapolicy/domains/program/unused/apache.te	2005-04-06 06:57:44.000000000 -0400
-+++ policy-1.23.8/domains/program/unused/apache.te	2005-04-06 07:32:56.000000000 -0400
-@@ -119,6 +119,12 @@
- allow httpd_t port_type:tcp_socket name_connect;
- }
- 
-+##########################################
-+# Legacy: remove when it's fixed         #
-+# Allow libphp5.so with text relocations #
-+##########################################
-+allow httpd_t texrel_shlib_t:file execmod;
-+
- #########################################
- # Allow httpd to search users directories
- #########################################
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.8/domains/program/unused/hald.te
---- nsapolicy/domains/program/unused/hald.te	2005-04-06 06:57:44.000000000 -0400
-+++ policy-1.23.8/domains/program/unused/hald.te	2005-04-06 07:31:54.000000000 -0400
-@@ -31,7 +31,6 @@
- allow hald_t usr_t:file { getattr read };
- 
- allow hald_t bin_t:file getattr;
--allow hald_t self:netlink_socket create_socket_perms;
- allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow hald_t self:netlink_route_socket r_netlink_socket_perms;
- allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.23.8/domains/program/unused/NetworkManager.te
---- nsapolicy/domains/program/unused/NetworkManager.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.8/domains/program/unused/NetworkManager.te	2005-04-06 12:01:45.000000000 -0400
-@@ -0,0 +1,82 @@
-+#DESC NetworkManager - 
-+#
-+# Authors: Dan Walsh <dwalsh at redhat.com>
-+#
-+#
-+
-+#################################
-+#
-+# Rules for the NetworkManager_t domain.
-+#
-+# NetworkManager_t is the domain for the NetworkManager daemon. 
-+# NetworkManager_exec_t is the type of the NetworkManager executable.
-+#
-+daemon_domain(NetworkManager, `, nscd_client_domain' )
-+
-+can_network(NetworkManager_t)
-+allow NetworkManager_t port_type:tcp_socket name_connect;
-+allow NetworkManager_t dhcpc_port_t:udp_socket name_bind;
-+allow NetworkManager_t dhcpc_t:process signal;
-+
-+can_ypbind(NetworkManager_t)
-+uses_shlib(NetworkManager_t)
-+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service };
-+
-+allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
-+
-+allow NetworkManager_t self:process { setcap getsched };
-+allow NetworkManager_t self:fifo_file rw_file_perms;
-+allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
-+allow NetworkManager_t self:file { getattr read };
-+allow NetworkManager_t self:packet_socket create_socket_perms;
-+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
-+
-+
-+#
-+# Communicate with Caching Name Server
-+#
-+allow NetworkManager_t named_zone_t:dir search;
-+rw_dir_create_file(NetworkManager_t, named_cache_t)
-+domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
-+allow named_t NetworkManager_t:udp_socket { read write };
-+allow NetworkManager_t named_t:process signal;
-+
-+allow NetworkManager_t selinux_config_t:dir search;
-+allow NetworkManager_t selinux_config_t:file { getattr read };
-+
-+ifdef(`dbusd.te', `
-+dbusd_client(system, NetworkManager)
-+allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
-+ifdef(`hald.te', `
-+allow NetworkManager_t hald_t:dbus send_msg;
-+allow hald_t NetworkManager_t:dbus send_msg;
-+')
-+allow NetworkManager_t initrc_t:dbus send_msg;
-+allow initrc_t NetworkManager_t:dbus send_msg;
+diff --exclude-from=exclude -N -u -r nsapolicy/appconfig/default_type policy-1.23.9/appconfig/default_type
+--- nsapolicy/appconfig/default_type	2005-02-24 14:51:10.000000000 -0500
++++ policy-1.23.9/appconfig/default_type	2005-04-08 14:14:56.000000000 -0400
+@@ -1,3 +1,4 @@
++secadm_r:secadm_t
+ sysadm_r:sysadm_t
+ staff_r:staff_t
+ user_r:user_t
+diff --exclude-from=exclude -N -u -r nsapolicy/assert.te policy-1.23.9/assert.te
+--- nsapolicy/assert.te	2005-03-24 08:58:24.000000000 -0500
++++ policy-1.23.9/assert.te	2005-04-08 13:18:44.000000000 -0400
+@@ -30,7 +30,7 @@
+ # Verify that only the insmod_t and kernel_t domains 
+ # have the sys_module capability.
+ #
+-neverallow {domain -insmod_t -kernel_t ifdef(`howl.te', `-howl_t') -unrestricted } self:capability sys_module;
++neverallow {domain -privsysmod -unrestricted } self:capability sys_module;
+ 
+ #
+ # Verify that executable types, the system dynamic loaders, and the
+@@ -146,7 +146,7 @@
+ #
+ # Verify that only the admin domains and initrc_t have setenforce.
+ #
+-neverallow { domain -admin -initrc_t -unrestricted } security_t:security setenforce;
++neverallow { domain -secadmin -initrc_t -unrestricted } security_t:security setenforce;
+ 
+ #
+ # Verify that only the kernel and load_policy_t have load_policy.
+diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.23.9/attrib.te
+--- nsapolicy/attrib.te	2005-02-24 14:51:10.000000000 -0500
++++ policy-1.23.9/attrib.te	2005-04-08 13:17:39.000000000 -0400
+@@ -110,6 +110,10 @@
+ # and an allow rule to permit it
+ attribute privmodule;
+ 
++# The privsysmod attribute identifies every domain that can have the
++# sys_module capability
++attribute privsysmod;
++
+ # The privmem attribute identifies every domain that can 
+ # access kernel memory devices.
+ # This attribute is used in the TE assertions to verify
+@@ -169,6 +173,12 @@
+ # XXX used in different assertions within assert.te.
+ attribute admin;
+ 
++# The secadmin attribute identifies every security administrator domain.
++# It is used in TE assertions when verifying that only administrator 
++# domains have certain permissions.  
++# This attribute is presently associated with sysadm_t and secadm_t
++attribute secadmin;
++
+ # The userdomain attribute identifies every user domain, presently
+ # user_t and sysadm_t.  It is used in TE rules that should be applied
+ # to all user domains.
+@@ -190,6 +200,10 @@
+ # unpriviledged user
+ attribute user_tty_type;
+ 
++# The admin_tty_type identifies every type for a tty or pty owned by a
++# priviledged user
++attribute admin_tty_type;
++
+ # The user_crond_domain attribute identifies every user_crond domain, presently
+ # user_crond_t and sysadm_crond_t.  It is used in TE rules that should be
+ # applied to all user domains.
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/admin.te policy-1.23.9/domains/admin.te
+--- nsapolicy/domains/admin.te	2005-02-24 14:51:08.000000000 -0500
++++ policy-1.23.9/domains/admin.te	2005-04-08 13:10:05.000000000 -0400
+@@ -17,19 +17,22 @@
+ # sysadm_t is also granted permissions specific to administrator domains.
+ admin_domain(sysadm)
+ 
+-# Allow administrator domains to set the enforcing flag.
+-can_setenforce(sysadm_t)
+-
+-# Allow administrator domains to set policy booleans.
+-can_setbool(sysadm_t)
+-
+-# Allow administrator domains to set security parameters
+-can_setsecparam(sysadm_t)
+-
+ # for su
+ allow sysadm_t userdomain:fd use;
+ 
+-define(`admin_tty_type', `{ sysadm_tty_device_t sysadm_devpts_t }')
++ifdef(`separate_secadm', `', `
++security_manager_domain(sysadm_t)
 +')
+ 
+ # Add/remove user home directories
+ file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
 +
-+allow NetworkManager_t usr_t:file { getattr read };
-+
-+ifdef(`ifconfig.te', `
-+domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
-+')dnl end if def ifconfig
-+
-+allow NetworkManager_t { sbin_t bin_t }:dir search;
-+allow NetworkManager_t bin_t:lnk_file read;
-+can_exec(NetworkManager_t, { ls_exec_t bin_t shell_exec_t })
-+
-+# in /etc created by NetworkManager will be labelled net_conf_t.
-+file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
-+
-+allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
-+allow NetworkManager_t proc_t:file { getattr read };
-+
-+allow NetworkManager_t { domain -unrestricted }:dir search;
-+allow NetworkManager_t { domain -unrestricted }:file { getattr read };
-+dontaudit NetworkManager_t unrestricted:dir search;
-+dontaudit NetworkManager_t unrestricted:file { getattr read };
-+
-+allow NetworkManager_t howl_t:process signal;
-+allow NetworkManager_t initrc_var_run_t:file { getattr read };
-+
-+domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.8/file_contexts/distros.fc
---- nsapolicy/file_contexts/distros.fc	2005-04-06 06:57:44.000000000 -0400
-+++ policy-1.23.8/file_contexts/distros.fc	2005-04-06 07:32:56.000000000 -0400
++limited_user_role(secadm)
++typeattribute secadm_t admin;
++role secadm_r types secadm_t; 
++security_manager_domain(secadm_t)
++r_dir_file(secadm_t, { var_t var_log_t })
++
++typeattribute secadm_tty_device_t admin_tty_type;
++typeattribute secadm_devpts_t admin_tty_type;
++
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.23.9/domains/misc/kernel.te
+--- nsapolicy/domains/misc/kernel.te	2005-02-24 14:51:08.000000000 -0500
++++ policy-1.23.9/domains/misc/kernel.te	2005-04-08 13:24:08.000000000 -0400
+@@ -11,7 +11,7 @@
+ # kernel_t is the domain of kernel threads.
+ # It is also the target type when checking permissions in the system class.
+ # 
+-type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite ifdef(`nfs_export_all_rw',`,etc_writer') ;
++type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer') ;
+ role system_r types kernel_t;
+ general_domain_access(kernel_t)
+ general_proc_read_access(kernel_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/checkpolicy.te policy-1.23.9/domains/program/checkpolicy.te
+--- nsapolicy/domains/program/checkpolicy.te	2005-02-24 14:51:07.000000000 -0500
++++ policy-1.23.9/domains/program/checkpolicy.te	2005-04-08 12:03:53.000000000 -0400
+@@ -12,6 +12,7 @@
+ type checkpolicy_t, domain;
+ role sysadm_r types checkpolicy_t;
+ role system_r types checkpolicy_t;
++role secadm_r types checkpolicy_t;
+ 
+ type checkpolicy_exec_t, file_type, exec_type, sysadmfile;
+ 
+@@ -19,7 +20,7 @@
+ # 
+ # Rules
+ 
+-domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
++domain_auto_trans(secadmin, checkpolicy_exec_t, checkpolicy_t)
+ 
+ # able to create and modify binary policy files
+ allow checkpolicy_t policy_config_t:dir rw_dir_perms;
+@@ -50,8 +51,6 @@
+ uses_shlib(checkpolicy_t)
+ allow checkpolicy_t self:capability dac_override;
+ 
+-allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
+-
+ ##########################
+ # Allow users to execute checkpolicy without a domain transition
+ # so it can be used without privilege to write real binary policy file
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/load_policy.te policy-1.23.9/domains/program/load_policy.te
+--- nsapolicy/domains/program/load_policy.te	2005-04-04 10:21:10.000000000 -0400
++++ policy-1.23.9/domains/program/load_policy.te	2005-04-08 12:03:53.000000000 -0400
+@@ -11,6 +11,7 @@
+ 
+ type load_policy_t, domain;
+ role sysadm_r types load_policy_t;
++role secadm_r types load_policy_t;
+ role system_r types load_policy_t;
+ 
+ type load_policy_exec_t, file_type, exec_type, sysadmfile;
+@@ -19,7 +20,7 @@
+ # 
+ # Rules
+ 
+-domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
++domain_auto_trans(secadmin, load_policy_exec_t, load_policy_t)
+ 
+ allow load_policy_t console_device_t:chr_file { read write };
+ 
+@@ -55,6 +56,5 @@
+ 
+ allow load_policy_t fs_t:filesystem getattr;
+ 
+-allow load_policy_t sysadm_tmp_t:file { getattr write } ;
+ read_locale(load_policy_t)
+ r_dir_file(load_policy_t, selinux_config_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.23.9/domains/program/modutil.te
+--- nsapolicy/domains/program/modutil.te	2005-03-11 15:31:06.000000000 -0500
++++ policy-1.23.9/domains/program/modutil.te	2005-04-08 13:19:08.000000000 -0400
 @@ -69,7 +69,7 @@
- # Some of them should be fixed and removed from this list
+ # Rules for the insmod_t domain.
+ #
  
- # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
--# 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs
-+# 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
- /usr/lib/gstreamer-.*/libgstffmpeg\.so.*  -- system_u:object_r:texrel_shlib_t
- /usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t
- /usr/lib/gstreamer-.*/libgstmms\.so 	 -- system_u:object_r:texrel_shlib_t
-@@ -123,6 +123,8 @@
- /usr/lib/ladspa/se4_1883\.so			-- system_u:object_r:texrel_shlib_t
- /usr/lib/libImlib2\.so.* 			-- system_u:object_r:texrel_shlib_t
- /usr/lib/ocaml/stublibs/dllnums\.so		-- system_u:object_r:texrel_shlib_t
-+/usr/lib/httpd/modules/libphp5\.so		-- system_u:object_r:texrel_shlib_t
-+/usr/lib/php/modules/.*\.so			-- system_u:object_r:texrel_shlib_t
- 
- # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
- /usr/lib/xmms/Input/libmpg123\.so		-- system_u:object_r:texrel_shlib_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/NetworkManager.fc policy-1.23.8/file_contexts/program/NetworkManager.fc
---- nsapolicy/file_contexts/program/NetworkManager.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.8/file_contexts/program/NetworkManager.fc	2005-04-06 07:31:54.000000000 -0400
-@@ -0,0 +1,2 @@
-+# NetworkManager 
-+/usr/bin/NetworkManager	--	system_u:object_r:NetworkManager_exec_t
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.8/macros/base_user_macros.te
---- nsapolicy/macros/base_user_macros.te	2005-04-06 06:57:44.000000000 -0400
-+++ policy-1.23.8/macros/base_user_macros.te	2005-04-06 07:32:06.000000000 -0400
-@@ -124,8 +124,6 @@
- # Use the type when relabeling pty devices.
- type_change $1_t server_pty:chr_file $1_devpts_t;
+-type insmod_t, domain, privlog, sysctl_kernel_writer, privmem ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' )
++type insmod_t, domain, privlog, sysctl_kernel_writer, privmem ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule, privsysmod' )
+ ;
+ role system_r types insmod_t;
+ role sysadm_r types insmod_t;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/newrole.te policy-1.23.9/domains/program/newrole.te
+--- nsapolicy/domains/program/newrole.te	2005-02-24 14:51:07.000000000 -0500
++++ policy-1.23.9/domains/program/newrole.te	2005-04-08 12:03:53.000000000 -0400
+@@ -17,3 +17,4 @@
+ allow newrole_t var_run_t:dir r_dir_perms;
+ allow newrole_t initrc_var_run_t:file rw_file_perms;
+ 
++role secadm_r types newrole_t;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.23.9/domains/program/restorecon.te
+--- nsapolicy/domains/program/restorecon.te	2005-02-24 14:51:08.000000000 -0500
++++ policy-1.23.9/domains/program/restorecon.te	2005-04-08 12:03:53.000000000 -0400
+@@ -17,11 +17,12 @@
+ 
+ role system_r types restorecon_t;
+ role sysadm_r types restorecon_t;
++role secadm_r types restorecon_t;
+ 
+ allow restorecon_t initrc_devpts_t:chr_file { read write ioctl };
+ allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl };
+ 
+-domain_auto_trans({ initrc_t sysadm_t }, restorecon_exec_t, restorecon_t)
++domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
+ allow restorecon_t { userdomain init_t privfd }:fd use;
+ 
+ uses_shlib(restorecon_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/setfiles.te policy-1.23.9/domains/program/setfiles.te
+--- nsapolicy/domains/program/setfiles.te	2005-02-24 14:51:07.000000000 -0500
++++ policy-1.23.9/domains/program/setfiles.te	2005-04-08 12:03:53.000000000 -0400
+@@ -17,13 +17,14 @@
+ 
+ role system_r types setfiles_t;
+ role sysadm_r types setfiles_t;
++role secadm_r types setfiles_t;
+ 
+ allow setfiles_t initrc_devpts_t:chr_file { read write ioctl };
+ allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
+ 
+ allow setfiles_t self:unix_dgram_socket create_socket_perms;
+ 
+-domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
++domain_auto_trans(secadmin, setfiles_exec_t, setfiles_t)
+ allow setfiles_t { userdomain privfd initrc_t init_t }:fd use;
+ 
+ uses_shlib(setfiles_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.9/domains/program/unused/cups.te
+--- nsapolicy/domains/program/unused/cups.te	2005-04-04 10:21:10.000000000 -0400
++++ policy-1.23.9/domains/program/unused/cups.te	2005-04-09 06:17:21.000000000 -0400
+@@ -168,7 +168,11 @@
  
--tmpfs_domain($1)
--
- ifdef(`cardmgr.te', `
- # to allow monitoring of pcmcia status
- allow $1_t cardmgr_var_run_t:file { getattr read };
-@@ -282,6 +280,9 @@
- #
- dontaudit $1_t usr_t:file setattr;
+ allow cupsd_t printconf_t:file { getattr read };
  
-+# Use X
-+x_client_domain($1, $1)
-+
- ifdef(`xserver.te', `
- # for /tmp/.ICE-unix
- file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
-@@ -291,13 +292,7 @@
- ifdef(`xdm.te', `
- # Connect to the X server run by the X Display Manager.
- can_unix_connect($1_t, xdm_t)
--allow $1_t xdm_tmp_t:sock_file rw_file_perms;
--allow $1_t xdm_tmp_t:dir r_dir_perms;
--allow $1_t xdm_tmp_t:file { getattr read };
--allow $1_t xdm_xserver_tmp_t:sock_file { read write };
--allow $1_t xdm_xserver_tmp_t:dir search;
--allow $1_t xdm_xserver_t:unix_stream_socket connectto;
--# certain apps want to read xdm.pid file
-+# certain apps want to read xdm.pid file 
- r_dir_file($1_t, xdm_var_run_t)
- allow $1_t xdm_var_lib_t:file { getattr read };
- allow xdm_t $1_home_dir_t:dir getattr;
-@@ -305,9 +300,6 @@
- file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
- ')
++ifdef(`dbusd.te', `
+ dbusd_client(system, cupsd)
++allow cupsd_t system_dbusd_t:dbus send_msg;
++allow cupsd_t userdomain:dbus send_msg;
++')
+ 
+ ifdef(`hald.te', `
  
--# for shared memory
--allow xdm_xserver_t $1_tmpfs_t:file { read write };
+@@ -210,12 +214,10 @@
+ dbusd_client(system, cupsd_config)
+ allow cupsd_config_t userdomain:dbus send_msg;
+ allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
+-allow cupsd_t system_dbusd_t:dbus send_msg;
++allow cupsd_t hald_t:dbus send_msg;
+ allow userdomain cupsd_config_t:dbus send_msg;
+ allow cupsd_config_t hald_t:dbus send_msg;
+ allow hald_t cupsd_config_t:dbus send_msg;
+-allow cupsd_t userdomain:dbus send_msg;
+-allow cupsd_t hald_t:dbus send_msg;
+ allow hald_t cupsd_t:dbus send_msg;
+ ')dnl end if dbusd.te
+ 
+@@ -255,7 +257,3 @@
+ allow cupsd_t initrc_t:dbus send_msg;
+ allow initrc_t cupsd_t:dbus send_msg;
+ ')
 -
- ')dnl end ifdef xdm.te
+-ifdef(`targeted_policy', `
+-allow cupsd_t unconfined_t:dbus send_msg;
+-')
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dmidecode.te policy-1.23.9/domains/program/unused/dmidecode.te
+--- nsapolicy/domains/program/unused/dmidecode.te	2005-04-07 13:17:30.000000000 -0400
++++ policy-1.23.9/domains/program/unused/dmidecode.te	2005-04-08 12:03:54.000000000 -0400
+@@ -8,6 +8,7 @@
+ 
+ # Allow execution by the sysadm
+ role sysadm_r types dmidecode_t;
++role system_r types dmidecode_t;
+ domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)
+ 
+ uses_shlib(dmidecode_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/howl.te policy-1.23.9/domains/program/unused/howl.te
+--- nsapolicy/domains/program/unused/howl.te	2005-02-24 14:51:08.000000000 -0500
++++ policy-1.23.9/domains/program/unused/howl.te	2005-04-08 13:20:47.000000000 -0400
+@@ -3,7 +3,7 @@
+ # Author:  Russell Coker <rcoker at redhat.com>
+ #
  
- # Access the sound device.
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.23.8/macros/global_macros.te
---- nsapolicy/macros/global_macros.te	2005-04-04 10:21:11.000000000 -0400
-+++ policy-1.23.8/macros/global_macros.te	2005-04-06 08:25:01.000000000 -0400
-@@ -433,11 +433,14 @@
+-daemon_domain(howl)
++daemon_domain(howl, `, privsysmod')
+ r_dir_file(howl_t, proc_net_t)
+ can_network_server(howl_t)
+ can_ypbind(howl_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.23.9/domains/program/unused/kudzu.te
+--- nsapolicy/domains/program/unused/kudzu.te	2005-04-06 06:57:44.000000000 -0400
++++ policy-1.23.9/domains/program/unused/kudzu.te	2005-04-08 12:03:54.000000000 -0400
+@@ -105,3 +105,4 @@
+ domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
  ')
  
- define(`tmpfs_domain', `
-+ifdef(`$1_tmpfs_t_defined',`', `
-+define(`$1_tmpfs_t_defined')
- type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
- # Use this type when creating tmpfs/shm objects.
- file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
- allow $1_tmpfs_t tmpfs_t:filesystem associate;
++allow kudzu_t initrc_t:unix_stream_socket connectto;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.23.9/domains/program/unused/NetworkManager.te
+--- nsapolicy/domains/program/unused/NetworkManager.te	2005-04-07 22:22:55.000000000 -0400
++++ policy-1.23.9/domains/program/unused/NetworkManager.te	2005-04-09 05:56:10.000000000 -0400
+@@ -20,7 +20,7 @@
+ 
+ can_ypbind(NetworkManager_t)
+ uses_shlib(NetworkManager_t)
+-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service };
++allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module};
+ 
+ allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
+ 
+@@ -47,9 +47,13 @@
+ ifdef(`dbusd.te', `
+ dbusd_client(system, NetworkManager)
+ allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
++ifdef(`hald.te', `
+ allow NetworkManager_t hald_t:dbus send_msg;
+ allow hald_t NetworkManager_t:dbus send_msg;
  ')
++allow NetworkManager_t initrc_t:dbus send_msg;
++allow initrc_t NetworkManager_t:dbus send_msg;
 +')
  
- define(`var_lib_domain', `
- type $1_var_lib_t, file_type, sysadmfile;
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.8/macros/program/apache_macros.te
---- nsapolicy/macros/program/apache_macros.te	2005-04-06 06:57:44.000000000 -0400
-+++ policy-1.23.8/macros/program/apache_macros.te	2005-04-06 07:31:54.000000000 -0400
-@@ -136,8 +136,8 @@
- r_dir_file(httpd_t, httpd_$1_script_ro_t)
- create_dir_file(httpd_t, httpd_$1_script_rw_t)
- ra_dir_file(httpd_t, httpd_$1_script_ra_t)
--r_dir_file(httpd_t, httpd_$1_content_t)
- }
-+r_dir_file(httpd_t, httpd_$1_content_t)
+ allow NetworkManager_t usr_t:file { getattr read };
  
+@@ -66,6 +70,7 @@
+ 
+ allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
+ allow NetworkManager_t proc_t:file { getattr read };
++r_dir_file(NetworkManager_t, proc_net_t)
+ 
+ allow NetworkManager_t { domain -unrestricted }:dir search;
+ allow NetworkManager_t { domain -unrestricted }:file { getattr read };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.23.9/domains/program/unused/snmpd.te
+--- nsapolicy/domains/program/unused/snmpd.te	2005-04-06 06:57:44.000000000 -0400
++++ policy-1.23.9/domains/program/unused/snmpd.te	2005-04-08 12:03:54.000000000 -0400
+@@ -63,6 +63,9 @@
+ dontaudit snmpd_t rpc_pipefs_t:dir getattr;
+ allow snmpd_t rpc_pipefs_t:dir getattr;
+ read_sysctl(snmpd_t)
++allow snmpd_t sysctl_net_t:dir search;
++allow snmpd_t sysctl_net_t:file { getattr read };
++
+ dontaudit snmpd_t { removable_device_t fixed_disk_device_t }:blk_file { getattr ioctl read };
+ allow snmpd_t sysfs_t:dir { getattr read search };
+ ifdef(`amanda.te', `
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.23.9/domains/program/unused/updfstab.te
+--- nsapolicy/domains/program/unused/updfstab.te	2005-03-11 15:31:06.000000000 -0500
++++ policy-1.23.9/domains/program/unused/updfstab.te	2005-04-08 12:03:54.000000000 -0400
+@@ -72,3 +72,4 @@
+ dontaudit updfstab_t home_root_t:dir { getattr search };
+ dontaudit updfstab_t { home_dir_type home_type }:dir search;
+ allow updfstab_t fs_t:filesystem { getattr };
++allow updfstab_t tmpfs_t:dir getattr;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.23.9/domains/user.te
+--- nsapolicy/domains/user.te	2005-02-24 14:51:08.000000000 -0500
++++ policy-1.23.9/domains/user.te	2005-04-08 12:03:54.000000000 -0400
+@@ -126,6 +126,8 @@
+ role_tty_type_change(sysadm, user)
+ role_tty_type_change(staff, sysadm)
+ role_tty_type_change(sysadm, staff)
++role_tty_type_change(sysadm, secadm)
++role_tty_type_change(staff, secadm)
+ 
+ # "ps aux" and "ls -l /dev/pts" make too much noise without this
+ dontaudit unpriv_userdomain ptyfile:chr_file getattr;
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.9/file_contexts/distros.fc
+--- nsapolicy/file_contexts/distros.fc	2005-04-07 22:22:55.000000000 -0400
++++ policy-1.23.9/file_contexts/distros.fc	2005-04-08 12:03:54.000000000 -0400
+@@ -98,10 +98,12 @@
+ /usr/lib/valgrind/vgskin_massif\.so		-- system_u:object_r:texrel_shlib_t
+ /usr/lib/valgrind/vgskin_memcheck\.so		-- system_u:object_r:texrel_shlib_t
+ /usr/lib/valgrind/vgskin_none\.so		-- system_u:object_r:texrel_shlib_t
+-/usr/lib/.*/program/libicudata\.so.*	-- system_u:object_r:texrel_shlib_t
++/usr/lib/.*/program/libicudata\.so.*		-- system_u:object_r:texrel_shlib_t
+ /usr/lib/.*/program/libsts645li\.so		-- system_u:object_r:texrel_shlib_t
+ /usr/lib/.*/program/libvclplug_gen645li\.so	-- system_u:object_r:texrel_shlib_t
+ /usr/lib/.*/program/libwrp645li\.so		-- system_u:object_r:texrel_shlib_t
++/usr/lib/.*/program/libswd680li\.so		-- system_u:object_r:texrel_shlib_t
++
+ # Fedora Extras packages: ladspa, imlib2, ocaml
+ /usr/lib/ladspa/analogue_osc_1416\.so		-- system_u:object_r:texrel_shlib_t
+ /usr/lib/ladspa/bandpass_a_iir_1893\.so		-- system_u:object_r:texrel_shlib_t
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.23.9/macros/admin_macros.te
+--- nsapolicy/macros/admin_macros.te	2005-03-11 15:31:07.000000000 -0500
++++ policy-1.23.9/macros/admin_macros.te	2005-04-08 13:14:02.000000000 -0400
+@@ -20,12 +20,12 @@
+ type $1_home_t, file_type, sysadmfile, home_type, $1_file_type;
+ 
+ # Type and access for pty devices.
+-can_create_pty($1)
++can_create_pty($1, `, admin_tty_type')
+ 
+ tmp_domain($1, `, $1_file_type', `{ file dir lnk_file sock_file fifo_file }')
+ 
+ # Type for tty devices.
+-type $1_tty_device_t, sysadmfile, ttyfile, dev_fs;
++type $1_tty_device_t, sysadmfile, ttyfile, dev_fs, admin_tty_type;
+ 
+ # Inherit rules for ordinary users.
+ base_user_domain($1)
+@@ -36,11 +36,6 @@
+ ifdef(`userhelper.te', `userhelper_domain($1)')
+ ifdef(`sudo.te', `sudo_domain($1)')
+ 
+-# Violates the goal of limiting write access to checkpolicy.
+-# But presently necessary for installing the file_contexts file.
+-create_dir_file($1_t, policy_config_t)
+-r_dir_file($1_t, selinux_config_t)
+-
+ # Let admin stat the shadow file.
+ allow $1_t shadow_t:file getattr;
+ 
+@@ -54,9 +49,6 @@
+ # Use capabilities other than sys_module.
+ allow $1_t self:capability ~sys_module;
+ 
+-# Get security policy decisions.
+-can_getsecurity($1_t)
+-
+ # Use system operations.
+ allow $1_t kernel_t:system *;
+ 
+@@ -82,12 +74,6 @@
+ allow $1_t mtrr_device_t:file getattr;
+ allow $1_t fs_type:dir getattr;
+ 
+-# Set an exec context, e.g. for runcon.
+-can_setexec($1_t)
+-
+-# Set a context other than the default one for newly created files.
+-can_setfscreate($1_t)
+-
+ # Access removable devices.
+ allow $1_t removable_device_t:devfile_class_set rw_file_perms;
+ 
+@@ -124,18 +110,6 @@
+ # Run programs from /usr/src.
+ can_exec($1_t, src_t)
+ 
+-# Run admin programs that require different permissions in their own domain.
+-# These rules were moved into the appropriate program domain file.
+-
+-# added by mayerf at tresys.com
+-# The following rules are temporary until such time that a complete
+-# policy management infrastructure is in place so that an administrator
+-# cannot directly manipulate policy files with arbitrary programs.
+-#
+-allow $1_t policy_src_t:file create_file_perms;
+-allow $1_t policy_src_t:lnk_file create_lnk_perms;
+-allow $1_t policy_src_t:dir create_dir_perms;
+-
+ # Relabel all files.
+ # Actually this will not allow relabeling ALL files unless you change
+ # sysadmfile to file_type (and change the assertion in assert.te that
+@@ -205,3 +179,48 @@
+ allow $1_t domain:socket_class_set getattr;
+ allow $1_t eventpollfs_t:file getattr;
  ')
- define(`apache_user_domain', `
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.23.8/macros/program/dbusd_macros.te
++
++define(`security_manager_domain', `
++
++typeattribute $1 secadmin;
++# Allow administrator domains to set the enforcing flag.
++can_setenforce($1)
++
++# Allow administrator domains to set policy booleans.
++can_setbool($1)
++
++# Get security policy decisions.
++can_getsecurity($1)
++
++# Allow administrator domains to set security parameters
++can_setsecparam($1)
++
++# Run admin programs that require different permissions in their own domain.
++# These rules were moved into the appropriate program domain file.
++
++# added by mayerf at tresys.com
++# The following rules are temporary until such time that a complete
++# policy management infrastructure is in place so that an administrator
++# cannot directly manipulate policy files with arbitrary programs.
++#
++allow $1 policy_src_t:file create_file_perms;
++allow $1 policy_src_t:lnk_file create_lnk_perms;
++allow $1 policy_src_t:dir create_dir_perms;
++
++# Violates the goal of limiting write access to checkpolicy.
++# But presently necessary for installing the file_contexts file.
++create_dir_file($1, policy_config_t)
++r_dir_file($1, selinux_config_t)
++
++# Set an exec context, e.g. for runcon.
++can_setexec($1)
++
++# Set a context other than the default one for newly created files.
++can_setfscreate($1)
++
++create_dir_file($1, { default_context_t file_context_t selinux_config_t })
++
++allow $1 { default_context_t file_context_t selinux_config_t }:file { relabelfrom relabelto };
++
++') 
++
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.9/macros/base_user_macros.te
+--- nsapolicy/macros/base_user_macros.te	2005-04-07 22:22:55.000000000 -0400
++++ policy-1.23.9/macros/base_user_macros.te	2005-04-08 12:03:54.000000000 -0400
+@@ -103,16 +103,9 @@
+ # Bind to a Unix domain socket in /tmp.
+ allow $1_t $1_tmp_t:unix_stream_socket name_bind;
+ 
+-# Access ttys.
+-allow $1_t privfd:fd use;
+-allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
+-
+ # Use the type when relabeling terminal devices.
+ type_change $1_t tty_device_t:chr_file $1_tty_device_t;
+ 
+-# read localization information
+-read_locale($1_t)
+-
+ # Debian login is from shadow utils and does not allow resetting the perms.
+ # have to fix this!
+ type_change $1_t ttyfile:chr_file $1_tty_device_t;
+@@ -124,6 +117,8 @@
+ # Use the type when relabeling pty devices.
+ type_change $1_t server_pty:chr_file $1_devpts_t;
+ 
++tmpfs_domain($1)
++
+ ifdef(`cardmgr.te', `
+ # to allow monitoring of pcmcia status
+ allow $1_t cardmgr_var_run_t:file { getattr read };
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.23.9/macros/program/dbusd_macros.te
 --- nsapolicy/macros/program/dbusd_macros.te	2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.8/macros/program/dbusd_macros.te	2005-04-06 12:03:45.000000000 -0400
++++ policy-1.23.9/macros/program/dbusd_macros.te	2005-04-08 12:03:54.000000000 -0400
 @@ -41,6 +41,10 @@
  allow $1_dbusd_t self:file { getattr read };
  allow $1_dbusd_t proc_t:file read;
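Review bot: In the NetworkManager.te part of this hunk, `allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module};` grants sys_module to a domain that nothing in this patch adds to the new privsysmod attribute, so the rewritten assertion `neverallow {domain -privsysmod -unrestricted } self:capability sys_module;` in assert.te looks set to fail at checkpolicy time whenever NetworkManager.te is built in. The least-privilege fix is to drop `sys_module` from that capability set and keep module loading on the `domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)` path that the 1.23.8 text removed here already shows, rather than widening privsysmod to a network daemon. The modutil.te change appears to have the same gap in the other direction: `privsysmod` is only appended inside the `ifdef(`unlimitedUtils', ...)` list on the `type insmod_t` line, whereas the old assertion excluded `-insmod_t` unconditionally, so a build without unlimitedUtils would leave insmod_t's sys_module grant (outside this hunk) unexempted; placing `privsysmod` in the unconditional attribute list preserves the old coverage. The type declarations and surrounding rules for both domains lie outside the hunk, so this is inferred from the visible lines only.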
@@ -230,48 +541,10 @@
  ifdef(`pamconsole.te', `
  r_dir_file($1_dbusd_t, pam_var_console_t)
  ')
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.23.8/macros/program/games_domain.te
---- nsapolicy/macros/program/games_domain.te	2005-04-04 10:21:11.000000000 -0400
-+++ policy-1.23.8/macros/program/games_domain.te	2005-04-06 08:32:36.000000000 -0400
-@@ -20,7 +20,7 @@
- role $1_r types $1_games_t;
- 
- # X access, /tmp files
--x_client_domain($1, games)
-+x_client_domain($1_games, $1)
- tmp_domain($1_games)
- 
- uses_shlib($1_games_t)
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.8/macros/program/gift_macros.te
---- nsapolicy/macros/program/gift_macros.te	2005-04-06 06:57:44.000000000 -0400
-+++ policy-1.23.8/macros/program/gift_macros.te	2005-04-06 14:24:33.000000000 -0400
-@@ -18,7 +18,7 @@
- role $1_r types $1_gift_t;
- 
- # X access, Home files 
--x_client_domain($1, gift)
-+x_client_domain($1_gift, $1)
- home_domain($1, gift)
- 
- uses_shlib($1_gift_t)
-@@ -26,12 +26,15 @@
- read_sysctl($1_gift_t)
- access_terminal($1_gift_t, $1)
- 
-+# Allow the user domain to signal/ps.
-+can_ps($1_t, $1_gift_t)
-+allow $1_t $1_gift_t:process signal_perms;
-+
- # Self permissions
- allow $1_gift_t self:process getsched;
- 
- # Fonts, icons
- r_dir_file($1_gift_t, usr_t)
--r_dir_file($1_gift_t, fonts_t)
- 
- # Launch gift daemon
- allow $1_gift_t bin_t:dir search;
-@@ -92,7 +95,7 @@
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.9/macros/program/gift_macros.te
+--- nsapolicy/macros/program/gift_macros.te	2005-04-07 22:22:55.000000000 -0400
++++ policy-1.23.9/macros/program/gift_macros.te	2005-04-08 12:03:54.000000000 -0400
+@@ -95,7 +95,7 @@
  
  # Read /proc/meminfo
  allow $1_giftd_t proc_t:dir search;
@@ -280,107 +553,10 @@
  
  # Read /etc/mtab
  allow $1_giftd_t etc_runtime_t:file { getattr read };
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.23.8/macros/program/java_macros.te
---- nsapolicy/macros/program/java_macros.te	2005-04-06 06:57:44.000000000 -0400
-+++ policy-1.23.8/macros/program/java_macros.te	2005-04-06 07:37:13.000000000 -0400
-@@ -32,7 +32,6 @@
- allow $1_javaplugin_t port_type:tcp_socket name_connect;
- can_ypbind($1_javaplugin_t)
- allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
--allow $1_javaplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
- allow $1_javaplugin_t self:fifo_file rw_file_perms;
- allow $1_javaplugin_t etc_runtime_t:file { getattr read };
- allow $1_javaplugin_t fs_t:filesystem getattr;
-@@ -58,36 +57,9 @@
- if (allow_execmem) {
- allow $1_javaplugin_t self:process execmem;
- }
--# Allow connections to X server.
--ifdef(`xserver.te', `
- 
--ifdef(`xdm.te', `
--# for when /tmp/.X11-unix is created by the system
--allow $1_javaplugin_t xdm_xserver_tmp_t:dir search;
--allow $1_javaplugin_t xdm_t:fifo_file rw_file_perms;
--allow $1_javaplugin_t xdm_tmp_t:dir search;
--allow $1_javaplugin_t xdm_tmp_t:sock_file write;
--')
--
--ifdef(`startx.te', `
--# for when /tmp/.X11-unix is created by the X server
--allow $1_javaplugin_t $2_xserver_tmp_t:dir search;
--
--# for /tmp/.X0-lock
--allow $1_javaplugin_t $2_xserver_tmp_t:file getattr;
--
--allow $1_javaplugin_t $2_xserver_tmp_t:sock_file rw_file_perms;
--can_unix_connect($1_javaplugin_t, $2_xserver_t)
--')dnl end startx
--
--can_unix_connect($1_javaplugin_t, xdm_xserver_t)
--allow xdm_xserver_t $1_javaplugin_t:fd use;
--allow xdm_xserver_t $1_javaplugin_t:shm { associate getattr read unix_read };
--dontaudit xdm_xserver_t $1_javaplugin_t:shm { unix_write write };
--
--')dnl end xserver
--
--allow $1_javaplugin_t self:shm create_shm_perms;
-+# Connect to X server
-+x_client_domain($1_javaplugin, $2) 
- 
- uses_shlib($1_javaplugin_t)
- read_locale($1_javaplugin_t)
-@@ -121,4 +93,5 @@
- 
- # Do not audit read/getattr of .fonts-cache-1
- dontaudit $1_javaplugin_t $1_home_t:file { read getattr };
-+
- ')
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.8/macros/program/mozilla_macros.te
---- nsapolicy/macros/program/mozilla_macros.te	2005-04-06 06:57:44.000000000 -0400
-+++ policy-1.23.8/macros/program/mozilla_macros.te	2005-04-06 07:32:06.000000000 -0400
-@@ -26,7 +26,7 @@
- 
- # X access, Home files
- home_domain($1, mozilla)
--x_client_domain($1, mozilla)
-+x_client_domain($1_mozilla, $1)
- 
- # Browse files
- file_browse_domain($1_mozilla_t)
-@@ -43,6 +43,10 @@
- allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
- allow $1_mozilla_t $1_t:process signull;
- 
-+# Allow the user domain to signal/ps.
-+can_ps($1_t, $1_mozilla_t)
-+allow $1_t $1_mozilla_t:process signal_perms;
-+
- # Fork, set resource limits and scheduling info.
- allow $1_mozilla_t self:process { fork signal_perms setrlimit setsched getsched };
- 
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.23.8/macros/program/mplayer_macros.te
---- nsapolicy/macros/program/mplayer_macros.te	2005-03-21 22:32:19.000000000 -0500
-+++ policy-1.23.8/macros/program/mplayer_macros.te	2005-04-06 14:24:33.000000000 -0400
-@@ -15,6 +15,10 @@
- # Read global config
- r_dir_file($1_$2_t, mplayer_etc_t)
- 
-+# Allow the user domain to signal/ps.
-+can_ps($1_t, $1_$2_t)
-+allow $1_t $1_$2_t:process signal_perms;
-+
- # Read data in /usr/share (fonts, icons..)
- r_dir_file($1_$2_t, usr_t)
- 
-@@ -72,22 +76,24 @@
- 
- # Home access, X access, Browse files
- home_domain($1, mplayer)
--x_client_domain($1, mplayer)
-+x_client_domain($1_mplayer, $1)
- file_browse_domain($1_mplayer_t)
- 
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.23.9/macros/program/mplayer_macros.te
+--- nsapolicy/macros/program/mplayer_macros.te	2005-04-07 22:22:55.000000000 -0400
++++ policy-1.23.9/macros/program/mplayer_macros.te	2005-04-08 12:03:54.000000000 -0400
+@@ -82,16 +82,18 @@
  # Mplayer common stuff
  mplayer_common($1, mplayer)
  
@@ -403,234 +579,129 @@
  r_dir_file($1_mplayer_t, removable_t);
  
  # Legacy domain issues
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.23.8/macros/program/ssh_agent_macros.te
---- nsapolicy/macros/program/ssh_agent_macros.te	2005-04-06 06:57:44.000000000 -0400
-+++ policy-1.23.8/macros/program/ssh_agent_macros.te	2005-04-06 07:32:40.000000000 -0400
-@@ -63,7 +63,7 @@
- allow $1_ssh_agent_t self:capability setgid;
- 
- # access the random devices
--allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file read;
-+allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file { getattr read };
- 
- # for ssh-add
- can_unix_connect($1_t, $1_ssh_agent_t)
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.23.8/macros/program/ssh_macros.te
---- nsapolicy/macros/program/ssh_macros.te	2005-04-04 10:21:11.000000000 -0400
-+++ policy-1.23.8/macros/program/ssh_macros.te	2005-04-06 07:32:06.000000000 -0400
-@@ -129,18 +129,8 @@
- # allow ps to show ssh
- can_ps($1_t, $1_ssh_t)
- 
--ifdef(`xserver.te', `
--# Communicate with the X server.
--ifdef(`startx.te', `
--can_unix_connect($1_ssh_t, $1_xserver_t)
--allow $1_ssh_t $1_xserver_tmp_t:sock_file rw_file_perms;
--allow $1_ssh_t $1_xserver_tmp_t:dir search;
--')dnl end if startx
--ifdef(`xdm.te', `
--allow $1_ssh_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;
--allow $1_ssh_t { xdm_tmp_t }:sock_file write;
--')
--')dnl end if xserver
-+# Connect to X server
-+x_client_domain($1_ssh, $1)
- 
- ifdef(`ssh-agent.te', `
- ssh_agent_domain($1)
-@@ -167,16 +157,6 @@
- allow $1_ssh_keysign_t self:file { getattr read };
- allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
- 
--ifdef(`xdm.te', `
--# should be able to remove these two later
--allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write };
--allow $1_ssh_t xdm_xserver_tmp_t:dir search;
--allow $1_ssh_t xdm_xserver_t:unix_stream_socket connectto;
--allow $1_ssh_t xdm_xserver_t:shm r_shm_perms;
--allow $1_ssh_t xdm_xserver_t:fd use;
--allow $1_ssh_t xdm_xserver_tmpfs_t:file read;
--allow $1_ssh_t xdm_t:fd use;
--')dnl end if xdm.te
- ')dnl end macro definition
- ', `
- 
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.23.8/macros/program/tvtime_macros.te
---- nsapolicy/macros/program/tvtime_macros.te	2005-04-04 10:21:11.000000000 -0400
-+++ policy-1.23.8/macros/program/tvtime_macros.te	2005-04-06 07:32:06.000000000 -0400
-@@ -26,13 +26,17 @@
- 
- # X access, Home files
- home_domain($1, tvtime)
--x_client_domain($1, tvtime)
-+x_client_domain($1_tvtime, $1)
- 
- uses_shlib($1_tvtime_t)
- read_locale($1_tvtime_t)
- read_sysctl($1_tvtime_t)
- access_terminal($1_tvtime_t, $1)
- 
-+# Allow the user domain to signal/ps.
-+can_ps($1_t, $1_tvtime_t)
-+allow $1_t $1_tvtime_t:process signal_perms;
-+
- # Read /etc/tvtime
- allow $1_tvtime_t etc_t:file { getattr read };
- 
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.23.8/macros/program/x_client_macros.te
---- nsapolicy/macros/program/x_client_macros.te	2005-04-04 10:21:11.000000000 -0400
-+++ policy-1.23.8/macros/program/x_client_macros.te	2005-04-06 07:32:06.000000000 -0400
-@@ -1,5 +1,5 @@
- #
--# Macros for X client programs ($2 etc)
-+# Macros for X client programs 
- #
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.23.9/macros/user_macros.te
+--- nsapolicy/macros/user_macros.te	2005-04-06 06:57:44.000000000 -0400
++++ policy-1.23.9/macros/user_macros.te	2005-04-08 12:03:54.000000000 -0400
+@@ -23,12 +23,6 @@
+ 
+ tmp_domain($1, `, user_tmpfile, $1_file_type', `{ file lnk_file dir sock_file fifo_file }')
+ 
+-# Type and access for pty devices.
+-can_create_pty($1, `, userpty_type, user_tty_type')
+-
+-#Type for tty devices.
+-type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs;
+- 
+ base_user_domain($1)
  
+ # do not allow privhome access to sysadm_home_dir_t
+@@ -112,19 +106,67 @@
  #
-@@ -8,6 +8,9 @@
- # and Timothy Fraser 
+ # Domains for ordinary users.
  #
- 
-+# Allows clients to write to the X server's shm 
-+bool allow_write_xshm false;
+-undefine(`full_user_role')
+-define(`full_user_role', `
+-
++undefine(`limited_user_role')
++define(`limited_user_role', `
+ # user_t/$1_t is an unprivileged users domain.
+-type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain, privfd;
++type $1_t, domain, userdomain, unpriv_userdomain, nscd_client_domain, privfd;
++
++#Type for tty devices.
++type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs;
++# Type and access for pty devices.
++can_create_pty($1, `, userpty_type, user_tty_type')
++
++# Access ttys.
++allow $1_t privfd:fd use;
++allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
+ 
+-attribute $1_file_type;
+ # Grant read/search permissions to some of /proc.
+ r_dir_file($1_t, proc_t)
+ r_dir_file($1_t, proc_net_t)
+ 
+ base_file_read_access($1_t)
+ 
++# Execute from the system shared libraries.
++uses_shlib($1_t)
++
++# Read /etc.
++r_dir_file($1_t, etc_t)
++allow $1_t etc_runtime_t:file r_file_perms;
++allow $1_t etc_runtime_t:lnk_file { getattr read };
++
++allow $1_t self:process { fork sigchld setpgid signal_perms };
++
++# read localization information
++read_locale($1_t)
++
++read_sysctl($1_t)
++can_exec($1_t, { bin_t sbin_t shell_exec_t ls_exec_t })
++
++allow $1_t self:dir search;
++allow $1_t self:file { getattr read };
++allow secadm_t self:fifo_file rw_file_perms;
++
++allow $1_t self:lnk_file read;
++allow $1_t self:unix_stream_socket create_socket_perms;
++allow $1_t urandom_device_t:chr_file { getattr read };
++dontaudit $1_t { var_spool_t var_log_t }:dir search;
++
++# Read /dev directories and any symbolic links.
++allow $1_t device_t:dir r_dir_perms;
++allow $1_t device_t:lnk_file { getattr read };
++allow $1_t devtty_t:chr_file { read write };
 +
- define(`xsession_domain', `
- 
- # Connect to xserver
-@@ -23,73 +26,73 @@
- # Signal Xserver
- allow $1_t $2_xserver_t:process signal;
- 
--# Use file descriptors created by each other.
--allow $1_t $2_xserver_t:fd use;
-+# Xserver read/write client shm
- allow $2_xserver_t $1_t:fd use;
--
--# Xserver read/write parent shm
- allow $2_xserver_t $1_t:shm rw_shm_perms;
- allow $2_xserver_t $1_tmpfs_t:file rw_file_perms;
- 
--# Parent read xserver shm
-+# Client read xserver shm
-+allow $1_t $2_xserver_t:fd use;
- allow $1_t $2_xserver_t:shm r_shm_perms;
- allow $1_t $2_xserver_tmpfs_t:file r_file_perms;
-+
-+# Client write xserver shm
-+if (allow_write_xshm) {
-+allow $1_t $2_xserver_t:shm rw_shm_perms;
-+allow $1_t $2_xserver_tmpfs_t:file rw_file_perms;
-+}
++')
 +
- ')
- 
- #
--# x_client_domain(user, app)
-+# x_client_domain(client, role)
- #
--# Defines common X access rules for the user_app_t domain
-+# Defines common X access rules for the client domain
- #
- define(`x_client_domain',`
- 
--allow $1_$2_t self:unix_dgram_socket create_socket_perms;
--allow $1_$2_t self:unix_stream_socket { connectto create_stream_socket_perms };
-+# Create socket to communicate with X server
-+allow $1_t self:unix_dgram_socket create_socket_perms;
-+allow $1_t self:unix_stream_socket { connectto create_stream_socket_perms };
- 
-+# Read .Xauthority file
- ifdef(`xauth.te',`
--allow $1_$2_t $1_xauth_home_t:file { getattr read };
-+allow $1_t home_root_t:dir { search getattr };
-+allow $1_t $2_xauth_home_t:file { getattr read };
- ')
++undefine(`full_user_role')
++define(`full_user_role', `
++
++limited_user_role($1)
++
++typeattribute  $1_t web_client_domain;
++
++attribute $1_file_type;
++
+ can_exec($1_t, usr_t)
  
--# Allow the user domain to send any signal to the $2 process.
--can_ps($1_t, $1_$2_t)
--allow $1_t $1_$2_t:process signal_perms;
--
- # for .xsession-errors
--dontaudit $1_$2_t $1_home_t:file write;
-+dontaudit $1_t $2_home_t:file write;
- 
- # for X over a ssh tunnel
- ifdef(`ssh.te', `
--can_tcp_connect($1_$2_t, sshd_t)
-+can_tcp_connect($1_t, sshd_t)
- ')
+ # Read directories and files with the readable_t type.
+@@ -143,13 +185,6 @@
+ allow $1_t var_lib_t:dir r_dir_perms;
+ allow $1_t var_lib_t:file { getattr read };
  
--# Read the home directory, e.g. for .Xauthority and to get to config files
--allow $1_$2_t home_root_t:dir { search getattr };
+-read_sysctl($1_t)
 -
- # Use a separate type for tmpfs/shm pseudo files.
--tmpfs_domain($1_$2)
+-# Read /etc.
+-r_dir_file($1_t, etc_t)
+-allow $1_t etc_runtime_t:file r_file_perms;
+-allow $1_t etc_runtime_t:lnk_file { getattr read };
 -
--allow $1_$2_t self:shm create_shm_perms;
-+tmpfs_domain($1)
-+allow $1_t self:shm create_shm_perms;
+ # for running depmod as part of the kernel packaging process
+ allow $1_t modules_conf_t:file { getattr read };
  
- # allow X client to read all font files
--r_dir_file($1_$2_t, fonts_t)
-+r_dir_file($1_t, fonts_t)
- 
- # Allow connections to X server.
- ifdef(`xserver.te', `
--allow $1_$2_t tmp_t:dir search;
-+allow $1_t tmp_t:dir search;
- 
- ifdef(`xdm.te', `
--xsession_domain($1_$2, xdm)
-+xsession_domain($1, xdm)
- 
- # for when /tmp/.X11-unix is created by the system
--allow $1_$2_t xdm_t:fifo_file rw_file_perms;
--allow $1_$2_t xdm_tmp_t:dir search;
--allow $1_$2_t xdm_tmp_t:sock_file { read write };
--allow $1_$2_t xdm_t:fd use;
--dontaudit $1_$2_t xdm_t:tcp_socket { read write };
-+allow $1_t xdm_t:fifo_file rw_file_perms;
-+allow $1_t xdm_tmp_t:dir search;
-+allow $1_t xdm_tmp_t:sock_file { read write };
-+allow $1_t xdm_t:fd use;
-+dontaudit $1_t xdm_t:tcp_socket { read write };
- ')
+@@ -165,16 +200,9 @@
  
- ifdef(`startx.te', `
--xsession_domain($1_$2, $1)
-+xsession_domain($1, $2)
- ')dnl end startx
- 
- ')dnl end xserver
-diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/httpd_selinux.8 policy-1.23.8/man/man8/httpd_selinux.8
---- nsapolicy/man/man8/httpd_selinux.8	2005-03-24 08:58:29.000000000 -0500
-+++ policy-1.23.8/man/man8/httpd_selinux.8	2005-04-06 07:31:54.000000000 -0400
-@@ -75,6 +75,21 @@
- setsebool -P httpd_unified 0
- 
- .TP
-+httpd can be configured to turn off internal scripting (PHP).  PHP and other
-+loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
-+.br
-+
-+setsebool -P httpd_builtin_scripting 0
-+
-+.TP
-+httpd scripts by default are not allowed to connect out to the network.
-+This would prevent a hacker from breaking into you httpd server and attacking 
-+other machines.  If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
-+.br
-+
-+setsebool -P httpd_can_network_connect 1
-+
-+.TP
- You can disable SELinux protection for the httpd daemon by executing:
- .br
+ r_dir_file($1_t,sysfs_t)
+ 
+-# Read /dev directories and any symbolic links.
+-allow $1_t device_t:dir r_dir_perms;
+-allow $1_t device_t:lnk_file { getattr read };
+-
+ # Do not audit write denials to /etc/ld.so.cache.
+ dontaudit $1_t ld_so_cache_t:file write;
  
-diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/modutil.te policy-1.23.8/targeted/domains/program/modutil.te
+-# Execute from the system shared libraries.
+-uses_shlib($1_t)
+-
+ # $1_t is also granted permissions specific to user domains.
+ user_domain($1)
+ 
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/modutil.te policy-1.23.9/targeted/domains/program/modutil.te
 --- nsapolicy/targeted/domains/program/modutil.te	2005-02-24 14:51:10.000000000 -0500
-+++ policy-1.23.8/targeted/domains/program/modutil.te	1969-12-31 19:00:00.000000000 -0500
++++ policy-1.23.9/targeted/domains/program/modutil.te	1969-12-31 19:00:00.000000000 -0500
 @@ -1,17 +0,0 @@
 -#DESC Modutil - Dynamic module utilities
 -#
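Review bot: `allow secadm_t self:fifo_file rw_file_perms;` inside the new `limited_user_role` macro hard-codes a domain where every neighbouring rule uses the macro parameter; it should read `allow $1_t self:fifo_file rw_file_perms;`. As written, each role instantiated through the macro gets no read/write on its own pipes while the secadm_t rule is re-emitted once per instantiation, and if secadm_t is not yet declared at the point of the first expansion the policy build presumably fails. The remaining rules moved in from base_user_macros.te (tty access, /dev reads, uses_shlib, read_locale) keep `$1_t` consistently, so this looks like a copy/paste slip from the secadm_t work rather than intent. The `full_user_role` macro that calls `limited_user_role` continues past the end of this hunk, so its closing is not reviewable here.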
@@ -649,9 +720,9 @@
 -type insmod_exec_t, file_type, exec_type, sysadmfile;
 -type update_modules_exec_t, file_type, exec_type, sysadmfile;
 -
-diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.8/tunables/distro.tun
+diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.9/tunables/distro.tun
 --- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.8/tunables/distro.tun	2005-04-06 07:31:54.000000000 -0400
++++ policy-1.23.9/tunables/distro.tun	2005-04-08 12:03:54.000000000 -0400
 @@ -5,7 +5,7 @@
  # appropriate ifdefs.
  
@@ -661,9 +732,9 @@
  
  dnl define(`distro_suse')
  
-diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.8/tunables/tunable.tun
+diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.9/tunables/tunable.tun
 --- nsapolicy/tunables/tunable.tun	2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.8/tunables/tunable.tun	2005-04-06 07:31:54.000000000 -0400
++++ policy-1.23.9/tunables/tunable.tun	2005-04-08 12:03:54.000000000 -0400
 @@ -1,27 +1,27 @@
  # Allow users to execute the mount command
 -dnl define(`user_can_mount')
@@ -698,3 +769,15 @@
  
  # Allow xinetd to run unconfined, including any services it starts
  # that do not have a domain transition explicitly defined.
+diff --exclude-from=exclude -N -u -r nsapolicy/users policy-1.23.9/users
+--- nsapolicy/users	2005-03-17 10:18:56.000000000 -0500
++++ policy-1.23.9/users	2005-04-08 12:05:58.000000000 -0400
+@@ -41,7 +41,7 @@
+ 
+ # The sysadm_r user also needs to be permitted system_r if we are to allow
+ # direct execution of daemons
+-user root roles { sysadm_r staff_r ifdef(`direct_sysadm_daemon', `system_r') };
++user root roles { sysadm_r staff_r secadm_r ifdef(`direct_sysadm_daemon', `system_r') };
+ 
+ # sample for administrative user
+ #user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };
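Review bot: The comment above the changed line still explains only why root holds sysadm_r and system_r; with secadm_r added it should say so too, e.g. `# root is also permitted secadm_r, the security-administration role split out of sysadm_r`. Since root now carries sysadm_r and secadm_r at once, the separation between the two roles rests entirely on the role-allow and domain-transition rules defined elsewhere in this patch (domains/admin.te, not in this hunk), which are worth checking alongside this line. The sample `#user jadmin` line below is left without secadm_r, which is presumably intended but could be stated.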


Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.270
retrieving revision 1.271
diff -u -r1.270 -r1.271
--- selinux-policy-strict.spec	6 Apr 2005 18:30:27 -0000	1.270
+++ selinux-policy-strict.spec	9 Apr 2005 11:08:37 -0000	1.271
@@ -10,8 +10,8 @@
 
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
-Version: 1.23.8
-Release: 2
+Version: 1.23.9
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -220,8 +220,15 @@
 exit 0
 
 %changelog
+* Fri Apr 8 2005 Dan Walsh <dwalsh at redhat.com> 1.23.9-1
+- Create separate secadm_r/secadm_t domain
+
 * Wed Apr 6 2005 Dan Walsh <dwalsh at redhat.com> 1.23.8-2
 - Move to a later kernel version
+- Update from NSA
+	* Merged diffs from Dan Walsh.  Includes Ivan Gyurdiev's cleanup
+	of x_client apps.
+	* Added dmidecode policy from Ivan Gyurdiev.
 
 * Wed Apr 6 2005 Dan Walsh <dwalsh at redhat.com> 1.23.8-1
 - Update from NSA



