rpms/selinux-policy/F-7 policy-20070501.patch, 1.51, 1.52 selinux-policy.spec, 1.491, 1.492
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue Sep 4 20:19:00 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv8125
Modified Files:
policy-20070501.patch selinux-policy.spec
Log Message:
* Tue Sep 4 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-41
- Allow ktalkd to look at terminals
policy-20070501.patch:
Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.51
retrieving revision 1.52
diff -u -r1.51 -r1.52
--- policy-20070501.patch 22 Aug 2007 14:14:52 -0000 1.51
+++ policy-20070501.patch 4 Sep 2007 20:18:57 -0000 1.52
@@ -467,6 +467,17 @@
role system_r types dmesg_t;
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmidecode.te serefpolicy-2.6.4/policy/modules/admin/dmidecode.te
+--- nsaserefpolicy/policy/modules/admin/dmidecode.te 2007-05-07 14:51:05.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/admin/dmidecode.te 2007-08-30 10:26:28.000000000 -0400
+@@ -22,6 +22,7 @@
+
+ # Allow dmidecode to read /dev/mem
+ dev_read_raw_memory(dmidecode_t)
++dev_search_sysfs(dmidecode_t)
+
+ mls_file_read_up(dmidecode_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-2.6.4/policy/modules/admin/kudzu.te
--- nsaserefpolicy/policy/modules/admin/kudzu.te 2007-05-07 14:51:05.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/admin/kudzu.te 2007-08-07 09:42:35.000000000 -0400
@@ -1266,6 +1277,15 @@
-ifdef(`targeted_policy',`',`
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
-')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.6.4/policy/modules/apps/java.fc
+--- nsaserefpolicy/policy/modules/apps/java.fc 2007-05-07 14:51:02.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/apps/java.fc 2007-08-27 09:50:36.000000000 -0400
+@@ -22,3 +22,5 @@
+ /usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
++/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-2.6.4/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/apps/java.if 2007-08-07 09:42:35.000000000 -0400
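Review bot: The bare `++` line after the eclipse entry at `+@@ -22,3 +22,5 @@` adds a trailing empty line to java.fc, and the same thing happens at the end of the apcupsd block in corecommands.fc (the `++` line in the `@@ -1510,6 +1539,7 @@` hunk). Neither carries a file context, so they only add noise to the patch and to every future diff of these files; drop both `++` lines. The `/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)` entry itself follows the form of the neighbouring java_exec_t entries.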
@@ -1465,7 +1485,7 @@
auth_search_pam_console_data($1_userhelper_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc 2007-09-04 15:55:30.000000000 -0400
@@ -36,6 +36,11 @@
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -1488,7 +1508,16 @@
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
-@@ -248,6 +254,7 @@
+@@ -164,6 +170,8 @@
+ /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+
+ /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Brother/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Brother/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+
+@@ -248,6 +256,7 @@
/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
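Review bot: The two Brother entries added at `+@@ -164,6 +170,8 @@` label whole directory trees as bin_t with `(/.*)?` and no file-type field, so every subdirectory, configuration and data file under /usr/local/Brother/lpd and .../cupswrapper becomes executable-by-policy for any domain that may run bin_t, not just the driver programs. The neighbouring entries in the same hunk (`/usr/libexec/openssh/sftp-server --`, `/usr/local/lib(64)?/ipsec/.* --`) restrict themselves to regular files. Unless the wrapper scripts genuinely live at arbitrary depth, prefer `/usr/local/Brother/lpd/.* -- gen_context(system_u:object_r:bin_t,s0)` and the same `--` form for the cupswrapper path, or add a comment above the entries recording why the whole tree needs bin_t.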
@@ -1496,7 +1525,7 @@
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -256,3 +263,13 @@
+@@ -256,3 +265,14 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -1510,6 +1539,7 @@
+/etc/apcupsd/mastertimeout -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-2.6.4/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-05-07 14:51:04.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.if 2007-08-07 09:42:35.000000000 -0400
@@ -1604,7 +1634,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in 2007-09-04 13:41:27.000000000 -0400
@@ -48,6 +48,11 @@
type reserved_port_t, port_type, reserved_port_type;
@@ -1643,7 +1673,15 @@
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
network_port(lmtp, tcp,24,s0, udp,24,s0)
network_port(mail, tcp,2000,s0)
-@@ -159,6 +165,9 @@
+@@ -152,6 +158,7 @@
+ type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
+ network_port(uucpd, tcp,540,s0)
+ network_port(vnc, tcp,5900,s0)
++network_port(wccp, udp,2048,s0)
+ network_port(xen, tcp,8002,s0)
+ network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
+ network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
+@@ -159,6 +166,9 @@
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
@@ -1970,7 +2008,7 @@
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.6.4/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/files.if 2007-08-14 08:16:29.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/files.if 2007-08-27 09:57:21.000000000 -0400
@@ -343,8 +343,7 @@
########################################
@@ -2073,7 +2111,7 @@
')
########################################
-@@ -3310,6 +3346,24 @@
+@@ -3310,6 +3346,43 @@
########################################
## <summary>
@@ -2095,10 +2133,29 @@
+
+########################################
+## <summary>
++## dontaudit Add and remove entries from /usr directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_rw_usr_dirs',`
++ gen_require(`
++ type usr_t;
++ ')
++
++ dontaudit $1 usr_t:dir rw_dir_perms;
++')
++
++
++########################################
++## <summary>
## Get the attributes of files in /usr.
## </summary>
## <param name="domain">
-@@ -3386,6 +3440,24 @@
+@@ -3386,6 +3459,24 @@
########################################
## <summary>
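Review bot: The summary of the new `files_dontaudit_rw_usr_dirs` interface at `+@@ -3310,6 +3346,43 @@` reads `dontaudit Add and remove entries from /usr directories.`, which is neither a sentence nor the wording the other dontaudit interfaces in files.if use (compare `Do not audit attempts to search /usr/src.` later in this patch). Change it to `## Do not audit attempts to add and remove entries from /usr directories.`. The two consecutive empty `++` lines before the following `########################################` banner should also be reduced to one so the separator spacing matches the surrounding interfaces.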
@@ -2123,7 +2180,7 @@
## Read symbolic links in /usr.
## </summary>
## <param name="domain">
-@@ -3432,6 +3504,24 @@
+@@ -3432,6 +3523,24 @@
########################################
## <summary>
@@ -2148,7 +2205,7 @@
## Do not audit attempts to search /usr/src.
## </summary>
## <param name="domain">
-@@ -3637,7 +3727,7 @@
+@@ -3637,7 +3746,7 @@
type var_t;
')
@@ -2157,7 +2214,7 @@
')
########################################
-@@ -3993,7 +4083,7 @@
+@@ -3993,7 +4102,7 @@
type var_lock_t;
')
@@ -2166,7 +2223,7 @@
')
########################################
-@@ -4012,7 +4102,7 @@
+@@ -4012,7 +4121,7 @@
type var_t, var_lock_t;
')
@@ -2175,7 +2232,7 @@
')
########################################
-@@ -4181,7 +4271,7 @@
+@@ -4181,7 +4290,7 @@
type var_run_t;
')
@@ -2184,7 +2241,7 @@
')
########################################
-@@ -4529,6 +4619,8 @@
+@@ -4529,6 +4638,8 @@
# Need to give access to /selinux/member
selinux_compute_member($1)
@@ -2193,7 +2250,7 @@
# Need sys_admin capability for mounting
allow $1 self:capability { chown fsetid sys_admin };
-@@ -4551,6 +4643,8 @@
+@@ -4551,6 +4662,8 @@
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -2202,7 +2259,7 @@
')
########################################
-@@ -4588,3 +4682,28 @@
+@@ -4588,3 +4701,28 @@
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
@@ -2380,7 +2437,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.6.4/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te 2007-08-27 09:16:30.000000000 -0400
@@ -43,6 +43,11 @@
#
# Non-persistent/pseudo filesystems
@@ -2393,7 +2450,7 @@
type bdev_t;
fs_type(bdev_t)
genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)
-@@ -54,17 +59,29 @@
+@@ -54,17 +59,30 @@
type capifs_t;
fs_type(capifs_t)
@@ -2417,13 +2474,14 @@
+type fusefs_t;
+fs_noxattr_type(fusefs_t)
+allow fusefs_t self:filesystem associate;
++allow fusefs_t fs_t:filesystem associate;
+genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
+genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
+
type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -83,6 +100,11 @@
+@@ -83,6 +101,11 @@
fs_type(inotifyfs_t)
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
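Review bot: The new `allow fusefs_t fs_t:filesystem associate;` rule at `+@@ -54,17 +59,30 @@` carries no comment saying which situation puts fusefs_t-labelled files on an fs_t filesystem, and an associate rule with no stated cause is hard to audit later. fusefs_t is declared with fs_noxattr_type and is labelled only through the two genfscon lines, so presumably a FUSE mount was being attributed to the underlying xattr-capable superblock — confirm which case produced the denial. Record it above the rule, e.g. `# <reason — TODO confirm>: files labelled fusefs_t may appear on an fs_t superblock`, replacing the placeholder with the actual cause.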
@@ -2435,7 +2493,7 @@
type nfsd_fs_t;
fs_type(nfsd_fs_t)
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
-@@ -105,6 +127,16 @@
+@@ -105,6 +128,16 @@
genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
files_mountpoint(rpc_pipefs_t)
@@ -2829,7 +2887,7 @@
+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.6.4/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apache.if 2007-08-13 19:33:33.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apache.if 2007-08-30 13:53:01.000000000 -0400
@@ -18,10 +18,6 @@
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -3080,7 +3138,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-08-20 18:21:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-08-27 09:57:52.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(apache,1.6.0)
@@ -3266,7 +3324,7 @@
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -463,6 +526,10 @@
+@@ -463,6 +526,18 @@
')
optional_policy(`
@@ -3274,10 +3332,18 @@
+')
+
+optional_policy(`
++ dbus_system_bus_client_template(httpd,httpd_t)
++ dbus_send_system_bus(httpd_t)
++ tunable_policy(`allow_httpd_dbus_avahi',`
++ avahi_dbus_chat(httpd_t)
++ ')
++')
++
++optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
-@@ -486,7 +553,6 @@
+@@ -486,7 +561,6 @@
optional_policy(`
nagios_read_config(httpd_t)
@@ -3285,7 +3351,15 @@
')
optional_policy(`
-@@ -606,6 +672,10 @@
+@@ -506,6 +580,7 @@
+ ')
+
+ optional_policy(`
++ files_dontaudit_rw_usr_dirs(httpd_t)
+ snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
+ snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
+ ')
+@@ -606,6 +681,10 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
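Review bot: `files_dontaudit_rw_usr_dirs(httpd_t)` at `+@@ -506,6 +580,7 @@` is placed inside the `optional_policy` block that holds the snmp dontaudit rules, so it only takes effect when the snmp module is present, although it is a core files.if interface with no snmp dependency. Move it out to the unconditional part of the httpd_t policy next to the other files_ rules. It also hides a network-facing daemon's attempts to modify /usr directories from the audit log; since it silences a symptom rather than granting access, consider wrapping it in `ifdef(`hide_broken_symptoms',`...')` as samba.te does elsewhere in this patch, so the denials stay visible on systems that want them.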
@@ -3296,7 +3370,7 @@
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -668,6 +738,12 @@
+@@ -668,6 +747,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -3309,7 +3383,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -685,18 +761,6 @@
+@@ -685,18 +770,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -3328,7 +3402,7 @@
########################################
#
# Apache system script local policy
-@@ -706,7 +770,8 @@
+@@ -706,7 +779,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -3338,7 +3412,7 @@
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -720,21 +785,64 @@
+@@ -720,21 +794,64 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -3358,15 +3432,15 @@
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+tunable_policy(`httpd_use_nfs', `
-+ fs_read_nfs_files(httpd_sys_script_t)
-+ fs_read_nfs_symlinks(httpd_sys_script_t)
-+')
-+
-+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
++ fs_read_nfs_files(httpd_sys_script_t)
++ fs_read_nfs_symlinks(httpd_sys_script_t)
++')
++
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
@@ -3408,23 +3482,23 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -754,14 +862,8 @@
+@@ -754,14 +871,8 @@
# Apache unconfined script local policy
#
-unconfined_domain(httpd_unconfined_script_t)
-
--optional_policy(`
+ optional_policy(`
- cron_system_entry(httpd_t, httpd_exec_t)
-')
-
- optional_policy(`
+-optional_policy(`
- nscd_socket_use(httpd_unconfined_script_t)
+ unconfined_domain(httpd_unconfined_script_t)
')
########################################
-@@ -784,7 +886,26 @@
+@@ -784,7 +895,19 @@
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -3437,6 +3511,8 @@
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
++mta_send_mail(httpd_bugzilla_script_t)
++
+optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
+ mysql_stream_connect(httpd_bugzilla_script_t)
@@ -3444,15 +3520,6 @@
+
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
-+')
-+
-+
-+optional_policy(`
-+ dbus_system_bus_client_template(httpd,httpd_t)
-+ dbus_send_system_bus(httpd_t)
-+ tunable_policy(`allow_httpd_dbus_avahi',`
-+ avahi_dbus_chat(httpd_t)
-+ ')
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-2.6.4/policy/modules/services/apcupsd.fc
--- nsaserefpolicy/policy/modules/services/apcupsd.fc 2007-05-07 14:51:01.000000000 -0400
@@ -5289,7 +5356,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-2.6.4/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/kerberos.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/kerberos.te 2007-09-04 11:12:55.000000000 -0400
@@ -5,6 +5,7 @@
#
# Declarations
@@ -5298,6 +5365,15 @@
## <desc>
## <p>
+@@ -62,7 +63,7 @@
+ # Use capabilities. Surplus capabilities may be allowed.
+ allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
+ dontaudit kadmind_t self:capability sys_tty_config;
+-allow kadmind_t self:process signal_perms;
++allow kadmind_t self:process { setfscreate signal_perms };
+ allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
+ allow kadmind_t self:unix_dgram_socket { connect create write };
+ allow kadmind_t self:tcp_socket connected_stream_socket_perms;
@@ -91,6 +92,7 @@
kernel_read_kernel_sysctls(kadmind_t)
kernel_list_proc(kadmind_t)
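Review bot: The `setfscreate` permission added to kadmind_t's process rule at `+@@ -62,7 +63,7 @@` lets the daemon choose the SELinux label of files it creates, and the hunk gives no reason for it; together with `seutil_read_file_contexts(kadmind_t)` added in the next hunk (`+@@ -142,6 +148,7 @@`) it looks like kadmind labels something it writes itself (presumably its database or a keytab) — confirm which. Add a comment above the rule, e.g. `# kadmind sets the file-creation context for <file it creates — TODO confirm>`, so the next reviewer does not have to rediscover why a daemon holds setfscreate. The enclosing kadmind section continues outside the hunk.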
@@ -5324,7 +5400,15 @@
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
-@@ -227,6 +233,7 @@
+@@ -142,6 +148,7 @@
+
+ optional_policy(`
+ seutil_sigchld_newrole(kadmind_t)
++ seutil_read_file_contexts(kadmind_t)
+ ')
+
+ optional_policy(`
+@@ -227,6 +234,7 @@
miscfiles_read_localization(krb5kdc_t)
sysnet_read_config(krb5kdc_t)
@@ -5332,7 +5416,7 @@
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
-@@ -248,3 +255,36 @@
+@@ -248,3 +256,36 @@
optional_policy(`
udev_read_db(krb5kdc_t)
')
@@ -5369,6 +5453,37 @@
+ pcscd_stream_connect(kerberosclient)
+ ')
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-2.6.4/policy/modules/services/ktalk.te
+--- nsaserefpolicy/policy/modules/services/ktalk.te 2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/ktalk.te 2007-09-04 09:20:32.000000000 -0400
+@@ -49,6 +49,8 @@
+ manage_files_pattern(ktalkd_t,ktalkd_var_run_t,ktalkd_var_run_t)
+ files_pid_filetrans(ktalkd_t,ktalkd_var_run_t,file)
+
++auth_use_nsswitch(ktalkd_t)
++
+ kernel_read_kernel_sysctls(ktalkd_t)
+ kernel_read_system_state(ktalkd_t)
+ kernel_read_network_state(ktalkd_t)
+@@ -75,17 +77,9 @@
+
+ miscfiles_read_localization(ktalkd_t)
+
+-sysnet_read_config(ktalkd_t)
+-
+ ifdef(`targeted_policy',`
+ term_dontaudit_use_generic_ptys(ktalkd_t)
+ term_dontaudit_use_unallocated_ttys(ktalkd_t)
+ ')
+
+-optional_policy(`
+- nis_use_ypbind(ktalkd_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(ktalkd_t)
+-')
++term_search_ptys(ktalkd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-2.6.4/policy/modules/services/lpd.if
--- nsaserefpolicy/policy/modules/services/lpd.if 2007-05-07 14:50:57.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/lpd.if 2007-08-07 09:42:35.000000000 -0400
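Review bot: `term_search_ptys(ktalkd_t)` at `+@@ -75,17 +77,9 @@` is appended after the `ifdef(`targeted_policy',...)` block at the very end of ktalk.te rather than with the unconditional rules above it; move it up beside `miscfiles_read_localization(ktalkd_t)` so the ifdef remains the closing block. Replacing `sysnet_read_config`, `nis_use_ypbind` and `nscd_socket_use` with the single `auth_use_nsswitch(ktalkd_t)` in the first hunk is the usual consolidation, but that interface also grants whatever other name-service access it bundles, so it is somewhat broader than the three rules it removes — confirm that is intended for a daemon reachable from the network.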
@@ -5613,8 +5728,8 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-2.6.4/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/nagios.fc 2007-08-07 09:42:35.000000000 -0400
-@@ -4,13 +4,13 @@
++++ serefpolicy-2.6.4/policy/modules/services/nagios.fc 2007-09-01 07:24:41.000000000 -0400
+@@ -4,13 +4,14 @@
/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
@@ -5625,6 +5740,7 @@
/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
++/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
ifdef(`distro_debian',`
/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
@@ -5633,7 +5749,7 @@
+/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-2.6.4/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/nagios.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/nagios.te 2007-09-04 12:41:37.000000000 -0400
@@ -10,10 +10,6 @@
type nagios_exec_t;
init_daemon_domain(nagios_t,nagios_exec_t)
@@ -5645,7 +5761,26 @@
type nagios_etc_t;
files_config_file(nagios_etc_t)
-@@ -73,8 +69,10 @@
+@@ -26,6 +22,9 @@
+ type nagios_var_run_t;
+ files_pid_file(nagios_var_run_t)
+
++type nagios_spool_t;
++files_type(nagios_spool_t)
++
+ type nrpe_t;
+ type nrpe_exec_t;
+ init_daemon_domain(nrpe_t,nrpe_exec_t)
+@@ -60,6 +59,8 @@
+ manage_files_pattern(nagios_t,nagios_var_run_t,nagios_var_run_t)
+ files_pid_filetrans(nagios_t,nagios_var_run_t,file)
+
++rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
++
+ kernel_read_system_state(nagios_t)
+ kernel_read_kernel_sysctls(nagios_t)
+
+@@ -73,8 +74,10 @@
corenet_udp_sendrecv_all_nodes(nagios_t)
corenet_tcp_sendrecv_all_ports(nagios_t)
corenet_udp_sendrecv_all_ports(nagios_t)
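Review bot: `rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)` at `+@@ -60,6 +59,8 @@` only permits reading and writing an existing FIFO under the new nagios_spool_t label (plus searching the directory); if nagios creates its command pipe itself at startup — as its placement in a spool directory suggests — it will also need create and unlink, i.e. `manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)`, and the CGI domain that submits external commands would need write access to the same FIFO. Confirm against the denials that motivated the change before widening it. The matching file context `/var/spool/nagios(/.*)?` in nagios.fc is added in the earlier hunk of this commit.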
@@ -5656,7 +5791,7 @@
domain_use_interactive_fds(nagios_t)
# for ps
-@@ -97,8 +95,6 @@
+@@ -97,8 +100,6 @@
miscfiles_read_localization(nagios_t)
@@ -5665,7 +5800,7 @@
userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_sysadm_home_dirs(nagios_t)
-@@ -121,7 +117,7 @@
+@@ -121,7 +122,7 @@
')
optional_policy(`
@@ -5674,7 +5809,7 @@
')
optional_policy(`
-@@ -141,42 +137,31 @@
+@@ -141,42 +142,31 @@
#
# Nagios CGI local policy
#
@@ -5687,41 +5822,41 @@
-
-read_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
-read_lnk_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
--
++allow httpd_nagios_script_t self:process signal_perms;
+
-allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
-read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
-+allow httpd_nagios_script_t self:process signal_perms;
++read_files_pattern(httpd_nagios_script_t,nagios_t,nagios_t)
++read_lnk_files_pattern(httpd_nagios_script_t,nagios_t,nagios_t)
-allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
-read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
-+read_files_pattern(httpd_nagios_script_t,nagios_t,nagios_t)
-+read_lnk_files_pattern(httpd_nagios_script_t,nagios_t,nagios_t)
-
--kernel_read_system_state(nagios_cgi_t)
+allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
+read_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_etc_t)
+read_lnk_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_etc_t)
--corecmd_exec_bin(nagios_cgi_t)
+-kernel_read_system_state(nagios_cgi_t)
+allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
+read_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_log_t)
+read_lnk_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_log_t)
--domain_dontaudit_read_all_domains_state(nagios_cgi_t)
+-corecmd_exec_bin(nagios_cgi_t)
+kernel_read_system_state(httpd_nagios_script_t)
+-domain_dontaudit_read_all_domains_state(nagios_cgi_t)
++domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
+
-files_read_etc_files(nagios_cgi_t)
-files_read_etc_runtime_files(nagios_cgi_t)
-files_read_kernel_symbol_table(nagios_cgi_t)
-+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
-
--libs_use_ld_so(nagios_cgi_t)
--libs_use_shared_libs(nagios_cgi_t)
+files_read_etc_runtime_files(httpd_nagios_script_t)
+files_read_kernel_symbol_table(httpd_nagios_script_t)
+-libs_use_ld_so(nagios_cgi_t)
+-libs_use_shared_libs(nagios_cgi_t)
+-
-logging_send_syslog_msg(nagios_cgi_t)
-logging_search_logs(nagios_cgi_t)
-
@@ -5951,10 +6086,61 @@
+ samba_read_var_files(nscd_t)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-2.6.4/policy/modules/services/ntp.fc
+--- nsaserefpolicy/policy/modules/services/ntp.fc 2007-05-07 14:50:57.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/ntp.fc 2007-09-04 11:51:35.000000000 -0400
+@@ -17,3 +17,8 @@
+ /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+
+ /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
++
++/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
++/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
++
++/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_script_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-2.6.4/policy/modules/services/ntp.if
+--- nsaserefpolicy/policy/modules/services/ntp.if 2007-05-07 14:50:57.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/ntp.if 2007-09-04 11:52:25.000000000 -0400
+@@ -53,3 +53,22 @@
+ corecmd_search_bin($1)
+ domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
+ ')
++
++########################################
++## <summary>
++## Execute ntp server in the ntpd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`ntp_script_domtrans',`
++ gen_require(`
++ type ntpd_script_exec_t;
++ ')
++
++ init_script_domtrans_spec($1,ntpd_script_exec_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.6.4/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/ntp.te 2007-08-07 09:42:35.000000000 -0400
-@@ -36,6 +36,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/ntp.te 2007-09-04 11:51:02.000000000 -0400
+@@ -25,6 +25,12 @@
+ type ntpdate_exec_t;
+ init_system_domain(ntpd_t,ntpdate_exec_t)
+
++type ntpd_key_t;
++files_type(ntpd_key_t)
++
++type ntpd_script_exec_t;
++init_script_type(ntpd_script_exec_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -36,6 +42,7 @@
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
allow ntpd_t self:fifo_file { read write getattr };
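Review bot: The summary of the new `ntp_script_domtrans` interface at `+@@ -53,3 +53,22 @@` says `Execute ntp server in the ntpd domain.`, but the body calls `init_script_domtrans_spec($1,ntpd_script_exec_t)`, which runs the ntpd init script in the init script domain, not the server; change it to `## Execute the ntp init script in the init script domain.`. In ntp.fc the two `/etc/ntp/...` key entries and the init-script entry are appended after the `/var/run/ntpd\.pid` line; .fc files are normally grouped by path prefix, so they belong with the other /etc entries. Splitting the key material into ntpd_key_t, readable by ntpd_t only through the `read_files_pattern(ntpd_t,ntpd_key_t,ntpd_key_t)` rule in the following hunk, is a worthwhile tightening.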
@@ -5962,7 +6148,16 @@
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
allow ntpd_t self:tcp_socket create_stream_socket_perms;
-@@ -81,6 +82,8 @@
+@@ -49,6 +56,8 @@
+ manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t)
+ logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir })
+
++read_files_pattern(ntpd_t,ntpd_key_t,ntpd_key_t)
++
+ # for some reason it creates a file in /tmp
+ manage_dirs_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
+ manage_files_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
+@@ -81,6 +90,8 @@
fs_getattr_all_fs(ntpd_t)
fs_search_auto_mountpoints(ntpd_t)
@@ -5971,7 +6166,7 @@
auth_use_nsswitch(ntpd_t)
-@@ -106,6 +109,8 @@
+@@ -106,6 +117,8 @@
sysnet_read_config(ntpd_t)
@@ -5980,7 +6175,7 @@
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_sysadm_home_dirs(ntpd_t)
userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
-@@ -137,6 +142,10 @@
+@@ -137,6 +150,10 @@
')
optional_policy(`
@@ -6349,8 +6544,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.6.4/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/pegasus.te 2007-08-07 09:42:35.000000000 -0400
-@@ -38,8 +38,6 @@
++++ serefpolicy-2.6.4/policy/modules/services/pegasus.te 2007-09-01 07:03:12.000000000 -0400
+@@ -38,12 +38,11 @@
allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
allow pegasus_t self:tcp_socket create_stream_socket_perms;
@@ -6359,7 +6554,12 @@
allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
-@@ -96,13 +94,13 @@
+
++manage_dirs_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
+ manage_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
+ manage_lnk_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
+ filetrans_pattern(pegasus_t,pegasus_conf_t,pegasus_data_t,{ file dir })
+@@ -96,13 +95,13 @@
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -6376,7 +6576,7 @@
files_read_var_lib_symlinks(pegasus_t)
hostname_exec(pegasus_t)
-@@ -116,6 +114,7 @@
+@@ -116,6 +115,7 @@
miscfiles_read_localization(pegasus_t)
sysnet_read_config(pegasus_t)
@@ -6384,7 +6584,7 @@
userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
userdom_dontaudit_search_sysadm_home_dirs(pegasus_t)
-@@ -129,6 +128,7 @@
+@@ -129,6 +129,7 @@
optional_policy(`
logging_send_syslog_msg(pegasus_t)
@@ -6539,8 +6739,34 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.6.4/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/postfix.te 2007-08-13 19:36:56.000000000 -0400
-@@ -84,6 +84,12 @@
++++ serefpolicy-2.6.4/policy/modules/services/postfix.te 2007-09-04 16:10:20.000000000 -0400
+@@ -6,6 +6,14 @@
+ # Declarations
+ #
+
++## <desc>
++## <p>
++## Allow postfix_local domain full write access to mail_spool directories
++##
++## </p>
++## </desc>
++gen_tunable(allow_postfix_local_write_mail_spool,false)
++
+ attribute postfix_user_domains;
+ # domains that transition to the
+ # postfix user domains
+@@ -27,6 +35,10 @@
+ postfix_server_domain_template(local)
+ mta_mailserver_delivery(postfix_local_t)
+
++tunable_policy(`allow_postfix_local_write_mail_spool', `
++ mta_rw_spool(postfix_local_t)
++')
++
+ type postfix_local_tmp_t;
+ files_tmp_file(postfix_local_tmp_t)
+
+@@ -84,6 +96,12 @@
type postfix_var_run_t;
files_pid_file(postfix_var_run_t)
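Review bot: The `tunable_policy(`allow_postfix_local_write_mail_spool', ...)` block at `+@@ -27,6 +35,10 @@` sits in the Declarations section of postfix.te, between `mta_mailserver_delivery(postfix_local_t)` and `type postfix_local_tmp_t;`, whereas refpolicy keeps tunable_policy blocks in the per-domain policy sections (here the postfix local delivery section further down). Move it there so the declarations section stays declarative. In the `<desc>` of the new tunable, the empty `##` line inside `<p>` should go and the sentence wants a period: `## Allow postfix_local domain full write access to mail_spool directories.`. Defaulting the tunable to false is the right choice, since mta_rw_spool widens write access for a delivery agent.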
@@ -6553,7 +6779,7 @@
########################################
#
# Postfix master process local policy
-@@ -169,12 +175,18 @@
+@@ -169,12 +187,18 @@
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
@@ -6572,7 +6798,7 @@
cyrus_stream_connect(postfix_master_t)
')
-@@ -184,9 +196,17 @@
+@@ -184,9 +208,17 @@
')
optional_policy(`
@@ -6590,7 +6816,7 @@
###########################################################
#
# Partially converted rules. THESE ARE ONLY TEMPORARY
-@@ -268,6 +288,8 @@
+@@ -268,6 +300,8 @@
files_read_etc_files(postfix_local_t)
@@ -6599,7 +6825,7 @@
mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
-@@ -386,7 +408,7 @@
+@@ -386,7 +420,7 @@
# Postfix pipe local policy
#
@@ -6608,7 +6834,7 @@
write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
-@@ -395,6 +417,10 @@
+@@ -395,6 +429,10 @@
rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
optional_policy(`
@@ -6619,7 +6845,7 @@
procmail_domtrans(postfix_pipe_t)
')
-@@ -441,6 +467,10 @@
+@@ -441,6 +479,10 @@
')
optional_policy(`
@@ -6630,7 +6856,7 @@
ppp_use_fds(postfix_postqueue_t)
ppp_sigchld(postfix_postqueue_t)
')
-@@ -519,8 +549,6 @@
+@@ -519,8 +561,6 @@
# Postfix smtp delivery local policy
#
@@ -6639,7 +6865,7 @@
# connect to master process
stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
-@@ -528,6 +556,8 @@
+@@ -528,6 +568,8 @@
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -6648,7 +6874,7 @@
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
')
-@@ -536,6 +566,7 @@
+@@ -536,6 +578,7 @@
#
# Postfix smtpd local policy
#
@@ -6656,7 +6882,7 @@
allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
# connect to master process
-@@ -552,9 +583,45 @@
+@@ -552,9 +595,45 @@
mta_read_aliases(postfix_smtpd_t)
optional_policy(`
@@ -7456,7 +7682,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.6.4/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/samba.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/samba.te 2007-08-23 17:07:33.000000000 -0400
@@ -28,6 +28,35 @@
## </desc>
gen_tunable(samba_share_nfs,false)
@@ -7579,10 +7805,14 @@
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -319,6 +363,10 @@
+@@ -319,6 +363,14 @@
')
optional_policy(`
++ kerberos_read_keytab(smbd_t)
++')
++
++optional_policy(`
+ lpd_exec_lpr(smbd_t)
+')
+
@@ -7590,7 +7820,7 @@
cups_read_rw_config(smbd_t)
cups_stream_connect(smbd_t)
')
-@@ -339,6 +387,23 @@
+@@ -339,6 +391,23 @@
udev_read_db(smbd_t)
')
@@ -7614,7 +7844,7 @@
########################################
#
# nmbd Local policy
-@@ -352,7 +417,7 @@
+@@ -352,7 +421,7 @@
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -7623,7 +7853,7 @@
allow nmbd_t self:tcp_socket create_stream_socket_perms;
allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -362,9 +427,12 @@
+@@ -362,9 +431,12 @@
files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
@@ -7637,7 +7867,7 @@
read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
allow nmbd_t samba_log_t:dir setattr;
-@@ -391,6 +459,7 @@
+@@ -391,6 +463,7 @@
corenet_udp_bind_nmbd_port(nmbd_t)
corenet_sendrecv_nmbd_server_packets(nmbd_t)
corenet_sendrecv_nmbd_client_packets(nmbd_t)
@@ -7645,7 +7875,7 @@
dev_read_sysfs(nmbd_t)
dev_getattr_mtrr_dev(nmbd_t)
-@@ -457,6 +526,7 @@
+@@ -457,6 +530,7 @@
allow smbmount_t samba_secrets_t:file manage_file_perms;
@@ -7653,7 +7883,7 @@
allow smbmount_t samba_var_t:dir rw_dir_perms;
manage_files_pattern(smbmount_t,samba_var_t,samba_var_t)
manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t)
-@@ -514,7 +584,7 @@
+@@ -514,7 +588,7 @@
userdom_use_sysadm_ttys(smbmount_t)
optional_policy(`
@@ -7662,7 +7892,7 @@
')
optional_policy(`
-@@ -534,7 +604,6 @@
+@@ -534,7 +608,6 @@
allow swat_t self:process signal_perms;
allow swat_t self:fifo_file rw_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
@@ -7670,7 +7900,7 @@
allow swat_t self:tcp_socket create_stream_socket_perms;
allow swat_t self:udp_socket create_socket_perms;
allow swat_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -588,6 +657,7 @@
+@@ -588,6 +661,7 @@
fs_getattr_xattr_fs(swat_t)
auth_domtrans_chk_passwd(swat_t)
@@ -7678,7 +7908,7 @@
libs_use_ld_so(swat_t)
libs_use_shared_libs(swat_t)
-@@ -625,19 +695,25 @@
+@@ -625,19 +699,25 @@
# Winbind local policy
#
@@ -7705,7 +7935,7 @@
manage_files_pattern(winbind_t,samba_etc_t,samba_secrets_t)
filetrans_pattern(winbind_t,samba_etc_t,samba_secrets_t,file)
-@@ -645,6 +721,8 @@
+@@ -645,6 +725,8 @@
manage_files_pattern(winbind_t,samba_log_t,samba_log_t)
manage_lnk_files_pattern(winbind_t,samba_log_t,samba_log_t)
@@ -7714,7 +7944,7 @@
manage_files_pattern(winbind_t,samba_var_t,samba_var_t)
manage_lnk_files_pattern(winbind_t,samba_var_t,samba_var_t)
-@@ -682,7 +760,9 @@
+@@ -682,7 +764,9 @@
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
@@ -7724,7 +7954,7 @@
domain_use_interactive_fds(winbind_t)
-@@ -695,9 +775,6 @@
+@@ -695,9 +779,6 @@
miscfiles_read_localization(winbind_t)
@@ -7734,7 +7964,7 @@
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
userdom_priveleged_home_dir_manager(winbind_t)
-@@ -713,10 +790,6 @@
+@@ -713,10 +794,6 @@
')
optional_policy(`
@@ -7745,7 +7975,7 @@
seutil_sigchld_newrole(winbind_t)
')
-@@ -736,6 +809,7 @@
+@@ -736,6 +813,7 @@
read_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
read_lnk_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
@@ -7753,7 +7983,7 @@
allow winbind_helper_t samba_var_t:dir search;
stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
-@@ -763,4 +837,25 @@
+@@ -763,4 +841,25 @@
optional_policy(`
squid_read_log(winbind_helper_t)
squid_append_log(winbind_helper_t)
@@ -7921,7 +8151,7 @@
/usr/sbin/snmp(trap)?d -- gen_context(system_u:object_r:snmpd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-2.6.4/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/snmp.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/snmp.te 2007-09-04 10:34:35.000000000 -0400
@@ -9,9 +9,6 @@
type snmpd_exec_t;
init_daemon_domain(snmpd_t,snmpd_exec_t)
@@ -7949,7 +8179,26 @@
allow snmpd_t snmpd_log_t:file manage_file_perms;
logging_log_filetrans(snmpd_t,snmpd_log_t,file)
-@@ -135,18 +130,19 @@
+@@ -50,6 +45,7 @@
+
+ kernel_read_device_sysctls(snmpd_t)
+ kernel_read_kernel_sysctls(snmpd_t)
++kernel_read_fs_sysctls(snmpd_t)
+ kernel_read_net_sysctls(snmpd_t)
+ kernel_read_proc_symlinks(snmpd_t)
+ kernel_read_system_state(snmpd_t)
+@@ -84,9 +80,7 @@
+ files_read_etc_files(snmpd_t)
+ files_read_usr_files(snmpd_t)
+ files_read_etc_runtime_files(snmpd_t)
+-files_search_home(snmpd_t)
+-files_getattr_boot_dirs(snmpd_t)
+-files_dontaudit_getattr_home_dir(snmpd_t)
++auth_read_all_dirs_except_shadow(snmpd_t)
+
+ fs_getattr_all_dirs(snmpd_t)
+ fs_getattr_all_fs(snmpd_t)
+@@ -135,18 +129,19 @@
optional_policy(`
mta_read_config(snmpd_t)
@@ -8101,8 +8350,16 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-2.6.4/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/squid.te 2007-08-07 09:42:35.000000000 -0400
-@@ -108,6 +108,8 @@
++++ serefpolicy-2.6.4/policy/modules/services/squid.te 2007-09-04 13:40:38.000000000 -0400
+@@ -91,6 +91,7 @@
+ corenet_udp_bind_gopher_port(squid_t)
+ corenet_tcp_bind_squid_port(squid_t)
+ corenet_udp_bind_squid_port(squid_t)
++corenet_udp_bind_wccp_port(squid_t)
+ corenet_tcp_connect_ftp_port(squid_t)
+ corenet_tcp_connect_gopher_port(squid_t)
+ corenet_tcp_connect_http_port(squid_t)
+@@ -108,6 +109,8 @@
fs_getattr_all_fs(squid_t)
fs_search_auto_mountpoints(squid_t)
@@ -8111,7 +8368,7 @@
selinux_dontaudit_getattr_dir(squid_t)
-@@ -181,7 +183,11 @@
+@@ -181,7 +184,11 @@
udev_read_db(squid_t)
')
@@ -9005,7 +9262,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.6.4/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/fstools.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/fstools.te 2007-09-04 10:57:17.000000000 -0400
@@ -9,6 +9,7 @@
type fsadm_t;
type fsadm_exec_t;
@@ -9014,7 +9271,17 @@
role system_r types fsadm_t;
type fsadm_log_t;
-@@ -184,3 +185,9 @@
+@@ -108,8 +109,7 @@
+
+ term_use_console(fsadm_t)
+
+-corecmd_list_bin(fsadm_t)
+-corecmd_read_bin_symlinks(fsadm_t)
++corecmd_exec_bin(fsadm_t)
+ #RedHat bug #201164
+ corecmd_exec_shell(fsadm_t)
+
+@@ -184,3 +184,9 @@
fs_dontaudit_write_ramfs_pipes(fsadm_t)
rhgb_stub(fsadm_t)
')
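Review bot: `corecmd_exec_bin(fsadm_t)` replaces two read-only rules (`corecmd_list_bin`, `corecmd_read_bin_symlinks`) with permission to execute everything under the bin directories, and the reason is not recorded. The surrounding file already documents its exceptions by bug reference (`#RedHat bug #201164` on the `corecmd_exec_shell` line), so the new line should follow that convention, e.g. `# <tool name placeholder> is exec'd by fsck helpers (bz <BUG-ID placeholder>)` placed directly above `corecmd_exec_bin(fsadm_t)`. Since fsadm_t already had `corecmd_exec_shell`, the practical widening may be small, but that is an inference a maintainer should be able to confirm from the comment rather than guess.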
@@ -9175,7 +9442,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.6.4/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/init.if 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/init.if 2007-09-04 11:59:57.000000000 -0400
@@ -194,11 +194,14 @@
gen_require(`
type initrc_t;
@@ -9191,16 +9458,164 @@
role system_r types $1;
domtrans_pattern(initrc_t,$2,$1)
-@@ -1088,7 +1091,7 @@
+@@ -554,18 +557,19 @@
+ #
+ interface(`init_spec_domtrans_script',`
+ gen_require(`
+- type initrc_t, initrc_exec_t;
++ type initrc_t;
++ attribute initscript;
')
- files_search_tmp($1)
-- rw_files_pattern($1,initrc_tmp_t,initrc_tmp_t)
-+ allow $1 initrc_tmp_t:file rw_file_perms;
+ files_list_etc($1)
+- spec_domtrans_pattern($1,initrc_exec_t,initrc_t)
++ spec_domtrans_pattern($1,initscript,initrc_t)
+
+ ifdef(`enable_mcs',`
+- range_transition $1 initrc_exec_t:process s0;
++ range_transition $1 initscript:process s0;
+ ')
+
+ ifdef(`enable_mls',`
+- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
++ range_transition $1 initscript:process s0 - mls_systemhigh;
+ ')
+ ')
+
+@@ -581,18 +585,46 @@
+ #
+ interface(`init_domtrans_script',`
+ gen_require(`
+- type initrc_t, initrc_exec_t;
++ type initrc_t;
++ attribute initscript;
+ ')
+
+ files_list_etc($1)
+- domtrans_pattern($1,initrc_exec_t,initrc_t)
++ domtrans_pattern($1,initscript,initrc_t)
+
+ ifdef(`enable_mcs',`
+- range_transition $1 initrc_exec_t:process s0;
++ range_transition $1 initscript:process s0;
+ ')
+
+ ifdef(`enable_mls',`
+- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
++ range_transition $1 initscript:process s0 - mls_systemhigh;
++ ')
++')
++
++########################################
++## <summary>
++## Execute init a specific script with an automatic domain transition.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`init_script_domtrans_spec',`
++ gen_require(`
++ type initrc_t;
++ ')
++
++ files_list_etc($1)
++ domtrans_pattern($1,$2,initrc_t)
++
++ ifdef(`enable_mcs',`
++ range_transition $1 $2:process s0;
++ ')
++
++ ifdef(`enable_mls',`
++ range_transition $1 $2:process s0 - mls_systemhigh;
+ ')
+ ')
+
+@@ -623,11 +655,11 @@
+ # cjp: added for gentoo integrated run_init
+ interface(`init_script_file_domtrans',`
+ gen_require(`
+- type initrc_exec_t;
++ attribute initscript;
+ ')
+
+ files_list_etc($1)
+- domain_auto_trans($1,initrc_exec_t,$2)
++ domain_auto_trans($1,initscript,$2)
')
########################################
-@@ -1248,7 +1251,7 @@
+@@ -698,11 +730,11 @@
+ #
+ interface(`init_getattr_script_files',`
+ gen_require(`
+- type initrc_exec_t;
++ attribute initscript;
+ ')
+
+ files_list_etc($1)
+- allow $1 initrc_exec_t:file getattr;
++ allow $1 initscript:file getattr;
+ ')
+
+ ########################################
+@@ -717,11 +749,11 @@
+ #
+ interface(`init_exec_script_files',`
+ gen_require(`
+- type initrc_exec_t;
++ attribute initscript;
+ ')
+
+ files_list_etc($1)
+- can_exec($1,initrc_exec_t)
++ can_exec($1,initscript)
+ ')
+
+ ########################################
+@@ -948,6 +980,25 @@
+
+ ########################################
+ ## <summary>
++## Send messages to init scripts over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`init_dbus_send_script',`
++ gen_require(`
++ type initrc_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 initrc_t:dbus send_msg;
++')
++
++########################################
++## <summary>
+ ## Send and receive messages from
+ ## init scripts over dbus.
+ ## </summary>
+@@ -1026,11 +1077,11 @@
+ #
+ interface(`init_read_script_files',`
+ gen_require(`
+- type initrc_exec_t;
++ attribute initscript;
+ ')
+
+ files_search_etc($1)
+- allow $1 initrc_exec_t:file read_file_perms;
++ allow $1 initscript:file read_file_perms;
+ ')
+
+ ########################################
+@@ -1248,7 +1299,7 @@
type initrc_var_run_t;
')
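Review bot: The new `init_script_domtrans_spec` interface uses `$2` in `domtrans_pattern($1,$2,initrc_t)` and in both `range_transition` lines, but its XML header documents only `<param name="domain">`, so the script-type argument is undocumented and the policy doc generator will not list it. The header should gain a second `<param name="type">` block whose summary states that it is the initscript file type to transition from, and the summary sentence `Execute init a specific script with an automatic domain transition.` reads garbled; `Execute a specific init script with an automatic domain transition.` is the intended wording. The same header pattern (one `<param>` per `$N`) is used by the adjacent interfaces in this hunk, so the fix is consistency as much as documentation.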
@@ -9209,7 +9624,7 @@
')
########################################
-@@ -1269,3 +1272,42 @@
+@@ -1269,3 +1320,64 @@
files_search_pids($1)
allow $1 initrc_var_run_t:file manage_file_perms;
')
@@ -9252,9 +9667,31 @@
+
+ allow $1 init_t:process ptrace;
+')
++
++########################################
++## <summary>
++## Make the specified type usable for initscripts
++## in a filesystem.
++## </summary>
++## <param name="type">
++## <summary>
++## Type to be used for files.
++## </summary>
++## </param>
++#
++interface(`init_script_type',`
++ gen_require(`
++ type initrc_t;
++ attribute initscript;
++ ')
++
++ typeattribute $1 initscript;
++ domain_entry_file(initrc_t,$1)
++
++')
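Review bot: `init_script_type` ends with a stray blank line between `domain_entry_file(initrc_t,$1)` and the closing `')`, which the other interfaces in this file do not do; dropping it keeps the block consistent. The summary `Make the specified type usable for initscripts in a filesystem.` is also unclear about what the interface actually does — it adds `$1` to the `initscript` attribute and makes it an entry point for `initrc_t` — so a wording such as `Mark the specified file type as an init script and an entrypoint for initrc_t.` would state the effect directly. Note that every domain granted an interface keyed on the `initscript` attribute (e.g. `init_exec_script_files`, `init_read_script_files` earlier in this patch) automatically gains the same access to any type passed here, so callers of this interface are effectively extending several existing grants.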
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.6.4/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/init.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/init.te 2007-09-04 12:06:53.000000000 -0400
@@ -10,13 +10,20 @@
# Declarations
#
@@ -9277,7 +9714,26 @@
')
# used for direct running of init scripts
-@@ -82,7 +89,7 @@
+@@ -28,6 +35,9 @@
+ # Mark process types as daemons
+ attribute daemon;
+
++# Mark /etc/init.d scripts types as initscripts
++attribute initscript;
++
+ #
+ # init_t is the domain of the init process.
+ #
+@@ -54,7 +64,7 @@
+ mls_trusted_object(initctl_t)
+
+ type initrc_t;
+-type initrc_exec_t;
++type initrc_exec_t, initscript;
+ domain_type(initrc_t)
+ domain_entry_file(initrc_t,initrc_exec_t)
+ role system_r types initrc_t;
+@@ -82,7 +92,7 @@
#
# Use capabilities. old rule:
@@ -9286,7 +9742,7 @@
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -198,7 +205,7 @@
+@@ -198,7 +208,7 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -9295,7 +9751,7 @@
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
-@@ -213,8 +220,7 @@
+@@ -213,10 +223,9 @@
allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
term_create_pty(initrc_t,initrc_devpts_t)
@@ -9303,9 +9759,12 @@
-init_exec(initrc_t)
+init_telinit(initrc_t)
- can_exec(initrc_t,initrc_exec_t)
+-can_exec(initrc_t,initrc_exec_t)
++can_exec(initrc_t,initscript)
-@@ -508,6 +514,12 @@
+ manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
+ manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
+@@ -508,6 +517,12 @@
')
')
@@ -9318,7 +9777,7 @@
ifdef(`targeted_policy',`
domain_subj_id_change_exemption(initrc_t)
unconfined_domain(initrc_t)
-@@ -520,11 +532,22 @@
+@@ -520,11 +535,22 @@
tunable_policy(`allow_daemons_use_tty',`
term_use_unallocated_ttys(daemon)
term_use_generic_ptys(daemon)
@@ -9343,7 +9802,7 @@
',`
# cjp: require doesnt work in the else of optionals :\
# this also would result in a type transition
-@@ -735,6 +758,9 @@
+@@ -735,6 +761,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@@ -10539,7 +10998,16 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.6.4/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/sysnetwork.te 2007-08-22 08:36:58.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/sysnetwork.te 2007-09-04 11:49:43.000000000 -0400
+@@ -45,7 +45,7 @@
+ dontaudit dhcpc_t self:capability sys_tty_config;
+ # for access("/etc/bashrc", X_OK) on Red Hat
+ dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+-allow dhcpc_t self:process signal_perms;
++allow dhcpc_t self:process { ptrace signal_perms };
+ allow dhcpc_t self:fifo_file rw_file_perms;
+ allow dhcpc_t self:tcp_socket create_stream_socket_perms;
+ allow dhcpc_t self:udp_socket create_socket_perms;
@@ -164,6 +164,10 @@
dbus_connect_system_bus(dhcpc_t)
dbus_send_system_bus(dhcpc_t)
@@ -10551,15 +11019,18 @@
optional_policy(`
networkmanager_dbus_chat(dhcpc_t)
')
-@@ -211,6 +215,7 @@
- # dhclient sometimes starts ntpd
- init_exec_script_files(dhcpc_t)
- ntp_domtrans(dhcpc_t)
-+ ntp_domtrans_ntpdate(dhcpc_t)
+@@ -208,9 +212,7 @@
')
optional_policy(`
-@@ -221,6 +226,7 @@
+- # dhclient sometimes starts ntpd
+- init_exec_script_files(dhcpc_t)
+- ntp_domtrans(dhcpc_t)
++ ntp_script_domtrans(dhcpc_t)
+ ')
+
+ optional_policy(`
+@@ -221,6 +223,7 @@
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
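Review bot: The rewrite to `ntp_script_domtrans(dhcpc_t)` drops the only explanation of why dhcpc_t interacts with ntp at all — the removed `# dhclient sometimes starts ntpd` comment — so the rationale should be kept above the new call, e.g. `# dhclient sometimes restarts ntpd via its init script`. The interface `ntp_script_domtrans` is presumably defined in the ntp.if part of this patch, which is outside this chunk; if it is not, the module will fail to build when the ntp module is present, so that hunk is worth checking alongside this one. The enclosing `optional_policy` block opens inside the hunk and closes at the `+ ')` line before the next `@@`.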
@@ -10567,7 +11038,7 @@
')
optional_policy(`
-@@ -259,6 +265,7 @@
+@@ -259,6 +262,7 @@
allow ifconfig_t self:sem create_sem_perms;
allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
@@ -10577,7 +11048,7 @@
allow ifconfig_t self:udp_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.6.4/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/udev.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/udev.te 2007-08-31 06:15:18.000000000 -0400
@@ -18,11 +18,6 @@
type udev_etc_t alias etc_udev_t;
files_config_file(udev_etc_t)
@@ -10609,17 +11080,19 @@
kernel_read_system_state(udev_t)
kernel_getattr_core_if(udev_t)
-@@ -83,16 +80,23 @@
+@@ -82,6 +79,11 @@
+ kernel_rw_unix_dgram_sockets(udev_t)
kernel_dgram_send(udev_t)
kernel_signal(udev_t)
-
++files_read_kernel_modules(udev_t)
++
+#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
+kernel_rw_net_sysctls(udev_t)
+kernel_read_network_state(udev_t)
-+
+
corecmd_exec_all_executables(udev_t)
- dev_rw_sysfs(udev_t)
+@@ -89,10 +91,13 @@
dev_manage_all_dev_nodes(udev_t)
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
@@ -10633,7 +11106,7 @@
files_read_etc_runtime_files(udev_t)
files_read_etc_files(udev_t)
files_exec_etc_files(udev_t)
-@@ -142,8 +146,14 @@
+@@ -142,8 +147,14 @@
seutil_read_file_contexts(udev_t)
seutil_domtrans_restorecon(udev_t)
@@ -10648,7 +11121,7 @@
userdom_use_sysadm_ttys(udev_t)
userdom_dontaudit_search_all_users_home_content(udev_t)
-@@ -176,6 +186,10 @@
+@@ -176,6 +187,10 @@
')
optional_policy(`
@@ -10659,7 +11132,7 @@
consoletype_exec(udev_t)
')
-@@ -184,6 +198,10 @@
+@@ -184,6 +199,10 @@
')
optional_policy(`
@@ -10670,7 +11143,7 @@
hal_dgram_send(udev_t)
')
-@@ -194,5 +212,24 @@
+@@ -194,5 +213,24 @@
')
optional_policy(`
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.491
retrieving revision 1.492
diff -u -r1.491 -r1.492
--- selinux-policy.spec 22 Aug 2007 14:14:52 -0000 1.491
+++ selinux-policy.spec 4 Sep 2007 20:18:57 -0000 1.492
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 40%{?dist}
+Release: 41%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -162,7 +162,7 @@
selinuxenabled; \
if [ $? == 0 -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.pre ]; then \
fixfiles -C ${FILE_CONTEXT}.pre restore; \
- restorecon -R /var/log 2> /dev/null; \
+ restorecon -R /var/log /var/run 2> /dev/null; \
rm -f ${FILE_CONTEXT}.pre; \
fi;
@@ -361,6 +361,9 @@
%endif
%changelog
+* Tue Sep 4 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-41
+- Allow ktalkd to look at terminals
+
* Tue Aug 21 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-40
- Allow modutil sys_nice
- Allow automount to run smbclient