rpms/selinux-policy/F-12 booleans-targeted.conf, 1.57, 1.58 policy-F12.patch, 1.115, 1.116 selinux-policy.spec, 1.948, 1.949
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 22 19:59:11 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv32595
Modified Files:
booleans-targeted.conf policy-F12.patch selinux-policy.spec
Log Message:
* Thu Oct 22 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-32
- Allow unconfined_execmem_t to transition to sandbox
- Allow postfix_cleanup to read etc_alias
- Allow consolekit to signal udev
Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/booleans-targeted.conf,v
retrieving revision 1.57
retrieving revision 1.58
diff -u -p -r1.57 -r1.58
--- booleans-targeted.conf 20 Oct 2009 22:59:51 -0000 1.57
+++ booleans-targeted.conf 22 Oct 2009 19:59:10 -0000 1.58
@@ -108,7 +108,7 @@ httpd_tty_comm = false
# Run CGI in the main httpd domain
#
-httpd_unified = false
+httpd_unified = true
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
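Review bot: The `+httpd_unified = true` line flips a shipped boolean default, yet the log message above lists only the unconfined_execmem/sandbox, postfix_cleanup and consolekit changes. The comment over the boolean ("Run CGI in the main httpd domain") understates it: if this follows refpolicy, httpd_unified also lets the httpd domains treat the various httpd content types uniformly, so the default widens the web server's reach over its own content. I'd add a changelog line such as `- Turn on httpd_unified boolean by default` and extend the comment to `# Run CGI in the main httpd domain and unify httpd content types`. The same changelog omission applies to the screen.if hunk ending at auth_dontaudit_exec_utempter (auth_domtrans_chk_passwd for $1_screen_t), the apache.te hunk that moves httpd_t, httpd_suexec_t and httpd_user_script_t from userdom_search_user_home_dirs to userdom_search_user_home_content (which widens traversal from the home directory itself to all home-content types), and the devicekit.te hunk adding virt_read_images(devicekit_disk_t).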
policy-F12.patch:
Makefile | 2
policy/flask/access_vectors | 1
policy/global_tunables | 24
policy/mcs | 10
policy/modules/admin/alsa.te | 2
policy/modules/admin/anaconda.te | 3
policy/modules/admin/brctl.te | 2
policy/modules/admin/certwatch.te | 2
policy/modules/admin/consoletype.te | 1
policy/modules/admin/dmesg.fc | 2
policy/modules/admin/dmesg.te | 10
policy/modules/admin/firstboot.te | 6
policy/modules/admin/logrotate.te | 13
policy/modules/admin/logwatch.te | 1
policy/modules/admin/mrtg.te | 1
policy/modules/admin/netutils.te | 1
policy/modules/admin/ntop.fc | 5
policy/modules/admin/ntop.if | 158 +++
policy/modules/admin/ntop.te | 40
policy/modules/admin/portage.te | 2
policy/modules/admin/prelink.if | 4
policy/modules/admin/prelink.te | 2
policy/modules/admin/readahead.te | 1
policy/modules/admin/rpm.fc | 18
policy/modules/admin/rpm.if | 320 ++++++
policy/modules/admin/rpm.te | 95 +
policy/modules/admin/shorewall.if | 40
policy/modules/admin/shorewall.te | 2
policy/modules/admin/smoltclient.fc | 4
policy/modules/admin/smoltclient.if | 1
policy/modules/admin/smoltclient.te | 66 +
policy/modules/admin/sudo.if | 13
policy/modules/admin/tmpreaper.te | 5
policy/modules/admin/tzdata.te | 2
policy/modules/admin/usermanage.if | 5
policy/modules/admin/usermanage.te | 34
policy/modules/admin/vbetool.te | 14
policy/modules/admin/vpn.te | 2
policy/modules/apps/calamaris.te | 7
policy/modules/apps/chrome.fc | 2
policy/modules/apps/chrome.if | 85 +
policy/modules/apps/chrome.te | 61 +
policy/modules/apps/cpufreqselector.te | 2
policy/modules/apps/execmem.fc | 31
policy/modules/apps/execmem.if | 74 +
policy/modules/apps/execmem.te | 11
policy/modules/apps/firewallgui.fc | 3
policy/modules/apps/firewallgui.if | 3
policy/modules/apps/firewallgui.te | 63 +
policy/modules/apps/gitosis.if | 45
policy/modules/apps/gnome.fc | 12
policy/modules/apps/gnome.if | 170 +++
policy/modules/apps/gnome.te | 99 +
policy/modules/apps/gpg.te | 20
policy/modules/apps/java.fc | 18
policy/modules/apps/java.if | 112 ++
policy/modules/apps/java.te | 14
policy/modules/apps/kdumpgui.fc | 2
policy/modules/apps/kdumpgui.if | 2
policy/modules/apps/kdumpgui.te | 65 +
policy/modules/apps/livecd.fc | 2
policy/modules/apps/livecd.if | 50
policy/modules/apps/livecd.te | 26
policy/modules/apps/loadkeys.te | 4
policy/modules/apps/mono.if | 101 +-
policy/modules/apps/mono.te | 9
policy/modules/apps/mozilla.fc | 1
policy/modules/apps/mozilla.if | 32
policy/modules/apps/mozilla.te | 22
policy/modules/apps/nsplugin.fc | 11
policy/modules/apps/nsplugin.if | 323 ++++++
policy/modules/apps/nsplugin.te | 295 +++++
policy/modules/apps/openoffice.fc | 3
policy/modules/apps/openoffice.if | 93 +
policy/modules/apps/openoffice.te | 11
policy/modules/apps/pulseaudio.if | 2
policy/modules/apps/pulseaudio.te | 11
policy/modules/apps/qemu.fc | 4
policy/modules/apps/qemu.if | 190 +++
policy/modules/apps/qemu.te | 82 +
policy/modules/apps/sambagui.fc | 1
policy/modules/apps/sambagui.if | 2
policy/modules/apps/sambagui.te | 57 +
policy/modules/apps/sandbox.fc | 1
policy/modules/apps/sandbox.if | 184 +++
policy/modules/apps/sandbox.te | 330 ++++++
policy/modules/apps/screen.if | 7
policy/modules/apps/sectoolm.fc | 6
policy/modules/apps/sectoolm.if | 3
policy/modules/apps/sectoolm.te | 120 ++
policy/modules/apps/seunshare.fc | 2
policy/modules/apps/seunshare.if | 81 +
policy/modules/apps/seunshare.te | 45
policy/modules/apps/vmware.te | 1
policy/modules/apps/wine.fc | 24
policy/modules/apps/wine.if | 115 ++
policy/modules/apps/wine.te | 34
policy/modules/kernel/corecommands.fc | 31
policy/modules/kernel/corecommands.if | 21
policy/modules/kernel/corenetwork.te.in | 36
policy/modules/kernel/devices.fc | 11
policy/modules/kernel/devices.if | 255 +++++
policy/modules/kernel/devices.te | 25
policy/modules/kernel/domain.if | 151 ++
policy/modules/kernel/domain.te | 88 +
policy/modules/kernel/files.fc | 3
policy/modules/kernel/files.if | 298 +++++
policy/modules/kernel/files.te | 6
policy/modules/kernel/filesystem.fc | 2
policy/modules/kernel/filesystem.if | 211 ++++
policy/modules/kernel/filesystem.te | 9
policy/modules/kernel/kernel.if | 58 +
policy/modules/kernel/kernel.te | 29
policy/modules/kernel/selinux.if | 25
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 3
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 40
policy/modules/kernel/terminal.te | 1
policy/modules/roles/guest.te | 8
policy/modules/roles/staff.te | 123 --
policy/modules/roles/sysadm.te | 124 --
policy/modules/roles/unconfineduser.fc | 8
policy/modules/roles/unconfineduser.if | 638 ++++++++++++
policy/modules/roles/unconfineduser.te | 411 ++++++++
policy/modules/roles/unprivuser.te | 127 --
policy/modules/roles/xguest.te | 37
policy/modules/services/abrt.fc | 2
policy/modules/services/abrt.if | 58 +
policy/modules/services/abrt.te | 26
policy/modules/services/afs.fc | 1
policy/modules/services/afs.te | 1
policy/modules/services/aisexec.fc | 12
policy/modules/services/aisexec.if | 106 ++
policy/modules/services/aisexec.te | 112 ++
policy/modules/services/amavis.te | 2
policy/modules/services/apache.fc | 38
policy/modules/services/apache.if | 410 +++++---
policy/modules/services/apache.te | 445 +++++++-
policy/modules/services/apm.te | 2
policy/modules/services/automount.te | 1
policy/modules/services/bind.if | 40
policy/modules/services/bluetooth.if | 21
policy/modules/services/bluetooth.te | 9
policy/modules/services/ccs.fc | 8
policy/modules/services/ccs.te | 33
policy/modules/services/certmaster.te | 2
policy/modules/services/chronyd.fc | 11
policy/modules/services/chronyd.if | 105 ++
policy/modules/services/chronyd.te | 67 +
policy/modules/services/clamav.te | 16
policy/modules/services/clogd.fc | 4
policy/modules/services/clogd.if | 98 +
policy/modules/services/clogd.te | 62 +
policy/modules/services/cobbler.fc | 2
policy/modules/services/cobbler.if | 24
policy/modules/services/cobbler.te | 5
policy/modules/services/consolekit.if | 39
policy/modules/services/consolekit.te | 20
policy/modules/services/corosync.fc | 13
policy/modules/services/corosync.if | 108 ++
policy/modules/services/corosync.te | 109 ++
policy/modules/services/courier.if | 18
policy/modules/services/courier.te | 1
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 72 +
policy/modules/services/cron.te | 82 +
policy/modules/services/cups.fc | 13
policy/modules/services/cups.te | 42
policy/modules/services/cvs.te | 1
policy/modules/services/cyrus.te | 1
policy/modules/services/dbus.if | 49
policy/modules/services/dbus.te | 25
policy/modules/services/dcc.te | 8
policy/modules/services/ddclient.if | 25
policy/modules/services/devicekit.fc | 2
policy/modules/services/devicekit.if | 22
policy/modules/services/devicekit.te | 58 +
policy/modules/services/dnsmasq.te | 12
policy/modules/services/dovecot.te | 22
policy/modules/services/exim.te | 5
policy/modules/services/fail2ban.te | 2
policy/modules/services/fetchmail.te | 2
policy/modules/services/fprintd.te | 4
policy/modules/services/ftp.te | 60 +
policy/modules/services/git.fc | 8
policy/modules/services/git.if | 286 +++++
policy/modules/services/git.te | 166 +++
policy/modules/services/gpm.te | 3
policy/modules/services/gpsd.fc | 5
policy/modules/services/gpsd.if | 27
policy/modules/services/gpsd.te | 14
policy/modules/services/hal.fc | 1
policy/modules/services/hal.if | 18
policy/modules/services/hal.te | 48
policy/modules/services/howl.te | 2
policy/modules/services/inetd.fc | 2
policy/modules/services/inetd.te | 4
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.te | 13
policy/modules/services/kerneloops.te | 2
policy/modules/services/ktalk.te | 1
policy/modules/services/lircd.fc | 1
policy/modules/services/lircd.te | 12
policy/modules/services/mailman.te | 4
policy/modules/services/memcached.te | 2
policy/modules/services/milter.if | 2
policy/modules/services/modemmanager.te | 3
policy/modules/services/mta.fc | 2
policy/modules/services/mta.if | 10
policy/modules/services/mta.te | 36
policy/modules/services/munin.fc | 3
policy/modules/services/munin.te | 3
policy/modules/services/mysql.te | 7
policy/modules/services/nagios.fc | 11
policy/modules/services/nagios.if | 70 +
policy/modules/services/nagios.te | 55 -
policy/modules/services/networkmanager.fc | 14
policy/modules/services/networkmanager.if | 65 +
policy/modules/services/networkmanager.te | 115 +-
policy/modules/services/nis.fc | 5
policy/modules/services/nis.if | 87 +
policy/modules/services/nis.te | 13
policy/modules/services/nscd.if | 18
policy/modules/services/nscd.te | 17
policy/modules/services/nslcd.if | 8
policy/modules/services/ntp.if | 46
policy/modules/services/ntp.te | 8
policy/modules/services/nut.fc | 15
policy/modules/services/nut.if | 82 +
policy/modules/services/nut.te | 140 ++
policy/modules/services/nx.fc | 1
policy/modules/services/nx.if | 19
policy/modules/services/nx.te | 6
policy/modules/services/oddjob.if | 1
policy/modules/services/openvpn.te | 2
policy/modules/services/pcscd.te | 3
policy/modules/services/pegasus.te | 28
policy/modules/services/plymouth.fc | 5
policy/modules/services/plymouth.if | 286 +++++
policy/modules/services/plymouth.te | 96 +
policy/modules/services/policykit.fc | 5
policy/modules/services/policykit.if | 48
policy/modules/services/policykit.te | 64 -
policy/modules/services/postfix.fc | 2
policy/modules/services/postfix.if | 150 ++
policy/modules/services/postfix.te | 142 ++
policy/modules/services/postgresql.fc | 16
policy/modules/services/postgresql.if | 43
policy/modules/services/postgresql.te | 9
policy/modules/services/ppp.if | 6
policy/modules/services/ppp.te | 16
policy/modules/services/prelude.te | 1
policy/modules/services/privoxy.fc | 3
policy/modules/services/privoxy.te | 3
policy/modules/services/procmail.te | 12
policy/modules/services/pyzor.fc | 4
policy/modules/services/pyzor.if | 47
policy/modules/services/pyzor.te | 37
policy/modules/services/radvd.te | 1
policy/modules/services/razor.fc | 1
policy/modules/services/razor.if | 42
policy/modules/services/razor.te | 32
policy/modules/services/rgmanager.fc | 8
policy/modules/services/rgmanager.if | 59 +
policy/modules/services/rgmanager.te | 83 +
policy/modules/services/rhcs.fc | 22
policy/modules/services/rhcs.if | 348 ++++++
policy/modules/services/rhcs.te | 394 +++++++
policy/modules/services/ricci.te | 30
policy/modules/services/rpc.if | 7
policy/modules/services/rpc.te | 16
policy/modules/services/rpcbind.if | 20
policy/modules/services/rpcbind.te | 1
policy/modules/services/rsync.te | 23
policy/modules/services/rtkit.if | 20
policy/modules/services/rtkit.te | 2
policy/modules/services/samba.fc | 4
policy/modules/services/samba.if | 104 ++
policy/modules/services/samba.te | 89 +
policy/modules/services/sasl.te | 15
policy/modules/services/sendmail.if | 137 ++
policy/modules/services/sendmail.te | 87 +
policy/modules/services/setroubleshoot.fc | 2
policy/modules/services/setroubleshoot.if | 102 +-
policy/modules/services/setroubleshoot.te | 81 +
policy/modules/services/smartmon.te | 15
policy/modules/services/snmp.if | 38
policy/modules/services/snmp.te | 4
policy/modules/services/spamassassin.fc | 15
policy/modules/services/spamassassin.if | 89 +
policy/modules/services/spamassassin.te | 137 ++
policy/modules/services/squid.te | 9
policy/modules/services/ssh.fc | 2
policy/modules/services/ssh.if | 184 ++-
policy/modules/services/ssh.te | 77 -
policy/modules/services/sssd.fc | 5
policy/modules/services/sssd.if | 43
policy/modules/services/sssd.te | 12
policy/modules/services/sysstat.te | 5
policy/modules/services/tftp.fc | 2
policy/modules/services/uucp.te | 7
policy/modules/services/virt.fc | 12
policy/modules/services/virt.if | 165 +++
policy/modules/services/virt.te | 286 +++++
policy/modules/services/w3c.te | 7
policy/modules/services/xserver.fc | 37
policy/modules/services/xserver.if | 588 ++++++++++-
policy/modules/services/xserver.te | 336 +++++-
policy/modules/system/application.if | 20
policy/modules/system/application.te | 11
policy/modules/system/authlogin.fc | 9
policy/modules/system/authlogin.if | 207 +++-
policy/modules/system/authlogin.te | 10
policy/modules/system/fstools.fc | 2
policy/modules/system/fstools.te | 7
policy/modules/system/init.fc | 7
policy/modules/system/init.if | 158 ++-
policy/modules/system/init.te | 285 ++++-
policy/modules/system/ipsec.fc | 3
policy/modules/system/ipsec.if | 25
policy/modules/system/ipsec.te | 58 +
policy/modules/system/iptables.fc | 17
policy/modules/system/iptables.if | 97 +
policy/modules/system/iptables.te | 15
policy/modules/system/iscsi.if | 40
policy/modules/system/iscsi.te | 6
policy/modules/system/libraries.fc | 160 ++-
policy/modules/system/libraries.if | 5
policy/modules/system/libraries.te | 18
policy/modules/system/locallogin.te | 30
policy/modules/system/logging.fc | 12
policy/modules/system/logging.if | 18
policy/modules/system/logging.te | 38
policy/modules/system/lvm.if | 39
policy/modules/system/lvm.te | 29
policy/modules/system/miscfiles.fc | 2
policy/modules/system/miscfiles.if | 60 +
policy/modules/system/miscfiles.te | 3
policy/modules/system/modutils.fc | 1
policy/modules/system/modutils.if | 46
policy/modules/system/modutils.te | 46
policy/modules/system/mount.fc | 7
policy/modules/system/mount.if | 2
policy/modules/system/mount.te | 76 +
policy/modules/system/raid.fc | 2
policy/modules/system/raid.te | 8
policy/modules/system/selinuxutil.fc | 17
policy/modules/system/selinuxutil.if | 309 ++++++
policy/modules/system/selinuxutil.te | 229 +---
policy/modules/system/setrans.if | 20
policy/modules/system/sysnetwork.fc | 9
policy/modules/system/sysnetwork.if | 117 ++
policy/modules/system/sysnetwork.te | 77 +
policy/modules/system/udev.fc | 3
policy/modules/system/udev.if | 39
policy/modules/system/udev.te | 39
policy/modules/system/unconfined.fc | 15
policy/modules/system/unconfined.if | 443 --------
policy/modules/system/unconfined.te | 224 ----
policy/modules/system/userdomain.fc | 6
policy/modules/system/userdomain.if | 1515 ++++++++++++++++++++++--------
policy/modules/system/userdomain.te | 47
policy/modules/system/xen.fc | 6
policy/modules/system/xen.if | 28
policy/modules/system/xen.te | 137 ++
policy/support/obj_perm_sets.spt | 14
policy/users | 13
368 files changed, 17912 insertions(+), 2717 deletions(-)
Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/policy-F12.patch,v
retrieving revision 1.115
retrieving revision 1.116
diff -u -p -r1.115 -r1.116
--- policy-F12.patch 21 Oct 2009 15:55:49 -0000 1.115
+++ policy-F12.patch 22 Oct 2009 19:59:10 -0000 1.116
@@ -1953,7 +1953,7 @@ diff -b -B --ignore-all-space --exclude-
+/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if
--- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2009-10-09 10:34:56.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2009-10-22 14:59:29.000000000 -0400
@@ -0,0 +1,74 @@
+## <summary>execmem domain</summary>
+
@@ -3260,13 +3260,11 @@ diff -b -B --ignore-all-space --exclude-
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc 2009-10-12 09:30:06.000000000 -0400
-@@ -0,0 +1,13 @@
++++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc 2009-10-22 11:45:47.000000000 -0400
+@@ -0,0 +1,11 @@
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0)
-+HOME_DIR/\.config/totem(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
-+HOME_DIR/\.config/gxine(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+
@@ -5001,8 +4999,16 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.32/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/screen.if 2009-09-30 16:12:48.000000000 -0400
-@@ -79,6 +79,11 @@
++++ serefpolicy-3.6.32/policy/modules/apps/screen.if 2009-10-22 14:51:34.000000000 -0400
+@@ -45,6 +45,7 @@
+
+ allow $1_screen_t self:capability { setuid setgid fsetid };
+ allow $1_screen_t self:process signal_perms;
++ allow $1_screen_t self:fifo_file rw_fifo_file_perms;
+ allow $1_screen_t self:tcp_socket create_stream_socket_perms;
+ allow $1_screen_t self:udp_socket create_socket_perms;
+ # Internal screen networking
+@@ -79,6 +80,11 @@
relabel_files_pattern($3, screen_home_t, screen_home_t)
relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
@@ -5014,6 +5020,14 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_system_state($1_screen_t)
kernel_read_kernel_sysctls($1_screen_t)
+@@ -117,6 +123,7 @@
+ fs_search_auto_mountpoints($1_screen_t)
+ fs_getattr_xattr_fs($1_screen_t)
+
++ auth_domtrans_chk_passwd($1_screen_t)
+ auth_use_nsswitch($1_screen_t)
+ auth_dontaudit_read_shadow($1_screen_t)
+ auth_dontaudit_exec_utempter($1_screen_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.fc serefpolicy-3.6.32/policy/modules/apps/sectoolm.fc
--- nsaserefpolicy/policy/modules/apps/sectoolm.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.32/policy/modules/apps/sectoolm.fc 2009-10-21 09:33:05.000000000 -0400
@@ -6181,7 +6195,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.32/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2009-10-22 14:59:27.000000000 -0400
@@ -44,34 +44,6 @@
interface(`domain_type',`
# start with basic domain
@@ -6383,7 +6397,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.32/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/domain.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/domain.te 2009-10-21 16:43:26.000000000 -0400
@@ -5,6 +5,13 @@
#
# Declarations
@@ -6454,7 +6468,7 @@ diff -b -B --ignore-all-space --exclude-
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -153,3 +174,66 @@
+@@ -153,3 +174,70 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -6479,6 +6493,10 @@ diff -b -B --ignore-all-space --exclude-
+# these seem questionable:
+
+optional_policy(`
++ abrt_signull(domain)
++')
++
++optional_policy(`
+ rpm_use_fds(domain)
+ rpm_read_pipes(domain)
+ rpm_dontaudit_leaks(domain)
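Review bot: `abrt_signull(domain)` is inserted directly beneath the existing `# these seem questionable:` comment, so the new rule inherits a label that says nothing about why every domain needs to null-signal abrt_t, and the abrt.te hunk that adds `domain_signull_all_domains(abrt_t)` makes the probe bidirectional. signull only tests whether a target process exists and is reachable, so the exposure is small, but granting it on the `domain` attribute hands it to even the most tightly confined daemons. I'd put the reason on the rule, e.g. `# abrt hook scripts check whether abrtd is alive (kill(pid, 0))` if that is indeed the trigger (inferred, please confirm), and consider scoping it to the domains that actually run the abrt hook rather than all of `domain`. The enclosing optional_policy block closes outside this hunk.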
@@ -8786,7 +8804,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-10-17 07:22:57.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-10-22 14:38:40.000000000 -0400
@@ -0,0 +1,411 @@
+policy_module(unconfineduser, 1.0.0)
+
@@ -9114,7 +9132,7 @@ diff -b -B --ignore-all-space --exclude-
+')
+
+optional_policy(`
-+ xserver_rw_shm(unconfined_t)
++ xserver_role(unconfined_r, unconfined_t)
+')
+
+########################################
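Review bot: `xserver_rw_shm(unconfined_t)` becomes `xserver_role(unconfined_r, unconfined_t)` here, but the later hunk in the same file drops `xserver_rw_shm(unconfined_execmem_t)` without any replacement visible in this patch. Unless xserver_role also covers unconfined_execmem_t, which this diff does not show, X clients running in the execmem domain (the kind of JIT-heavy programs execmem.fc labels) lose shared-memory access to the X server and will only show up as AVC denials rather than an obvious failure. If the removal is intentional because the execmem domain is meant to rely on unconfined_t's role, a one-line comment at the removal such as `# X shm access comes via xserver_role on unconfined_t` would save the next reader the same question.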
@@ -9129,6 +9147,10 @@ diff -b -B --ignore-all-space --exclude-
+rpm_transition_script(unconfined_execmem_t)
+
+optional_policy(`
++ sandbox_transition(unconfined_execmem_t, unconfined_r)
++')
++
++optional_policy(`
+ init_dbus_chat_script(unconfined_execmem_t)
+ dbus_system_bus_client(unconfined_execmem_t)
+ unconfined_dbus_chat(unconfined_execmem_t)
@@ -9143,10 +9165,6 @@ diff -b -B --ignore-all-space --exclude-
+ hal_dbus_chat(unconfined_execmem_t)
+')
+
-+optional_policy(`
-+ xserver_rw_shm(unconfined_execmem_t)
-+')
-+
+########################################
+#
+# Unconfined notrans Local policy
@@ -9444,8 +9462,8 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.6.32/policy/modules/services/abrt.if
--- nsaserefpolicy/policy/modules/services/abrt.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.if 2009-10-14 08:42:20.000000000 -0400
-@@ -75,6 +75,46 @@
++++ serefpolicy-3.6.32/policy/modules/services/abrt.if 2009-10-21 16:42:52.000000000 -0400
+@@ -75,6 +75,64 @@
read_files_pattern($1, abrt_var_log_t, abrt_var_log_t)
')
@@ -9489,13 +9507,31 @@ diff -b -B --ignore-all-space --exclude-
+ manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+')
+
++########################################
++## <summary>
++## Send a null signal to abrt.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`abrt_signull',`
++ gen_require(`
++ type abrt_t;
++ ')
++
++ allow $1 abrt_t:process signull;
++')
++
#####################################
## <summary>
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-10-21 10:05:17.000000000 -0400
-@@ -75,6 +75,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-10-22 14:59:56.000000000 -0400
+@@ -75,11 +75,14 @@
corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
@@ -9503,7 +9539,14 @@ diff -b -B --ignore-all-space --exclude-
corenet_tcp_connect_http_port(abrt_t)
-@@ -101,17 +102,32 @@
+ dev_read_urand(abrt_t)
+
++domain_signull_all_domains(abrt_t)
++
+ files_getattr_all_files(abrt_t)
+ files_read_etc_files(abrt_t)
+ files_read_usr_files(abrt_t)
+@@ -101,17 +104,32 @@
userdom_read_user_home_content_files(abrt_t)
optional_policy(`
@@ -10522,7 +10565,7 @@ diff -b -B --ignore-all-space --exclude-
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2009-10-09 12:09:39.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2009-10-21 12:45:10.000000000 -0400
@@ -19,6 +19,8 @@
# Declarations
#
@@ -11231,7 +11274,7 @@ diff -b -B --ignore-all-space --exclude-
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -754,6 +982,12 @@
+@@ -754,11 +982,88 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -11244,9 +11287,13 @@ diff -b -B --ignore-all-space --exclude-
')
# allow accessing files/dirs below the users home dir
-@@ -762,3 +996,74 @@
- userdom_search_user_home_dirs(httpd_suexec_t)
- userdom_search_user_home_dirs(httpd_user_script_t)
+ tunable_policy(`httpd_enable_homedirs',`
+- userdom_search_user_home_dirs(httpd_t)
+- userdom_search_user_home_dirs(httpd_suexec_t)
+- userdom_search_user_home_dirs(httpd_user_script_t)
++ userdom_search_user_home_content(httpd_t)
++ userdom_search_user_home_content(httpd_suexec_t)
++ userdom_search_user_home_content(httpd_user_script_t)
')
+
+tunable_policy(`httpd_read_user_content',`
@@ -12103,7 +12150,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-10-11 07:54:38.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-10-22 09:04:43.000000000 -0400
@@ -62,12 +62,15 @@
init_telinit(consolekit_t)
@@ -12142,7 +12189,7 @@ diff -b -B --ignore-all-space --exclude-
policykit_domtrans_auth(consolekit_t)
policykit_read_lib(consolekit_t)
policykit_read_reload(consolekit_t)
-@@ -108,10 +115,20 @@
+@@ -108,10 +115,21 @@
optional_policy(`
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
@@ -12155,6 +12202,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
+ udev_domtrans(consolekit_t)
+ udev_read_db(consolekit_t)
++ udev_signal(consolekit_t)
+')
+
+optional_policy(`
@@ -12446,7 +12494,16 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.32/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/cron.fc 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/cron.fc 2009-10-22 11:35:47.000000000 -0400
+@@ -14,7 +14,7 @@
+ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+
@@ -45,3 +45,7 @@
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
@@ -13360,7 +13417,7 @@ diff -b -B --ignore-all-space --exclude-
allow $1 devicekit_t:process { ptrace signal_perms getattr };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.32/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/devicekit.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/devicekit.te 2009-10-22 11:15:43.000000000 -0400
@@ -36,12 +36,15 @@
manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
@@ -13444,12 +13501,16 @@ diff -b -B --ignore-all-space --exclude-
policykit_domtrans_auth(devicekit_disk_t)
policykit_read_lib(devicekit_disk_t)
policykit_read_reload(devicekit_disk_t)
-@@ -134,14 +156,22 @@
+@@ -134,14 +156,26 @@
udev_read_db(devicekit_disk_t)
')
+
+optional_policy(`
++ virt_read_images(devicekit_disk_t)
++')
++
++optional_policy(`
+ unconfined_domain(devicekit_t)
+ unconfined_domain(devicekit_power_t)
+ unconfined_domain(devicekit_disk_t)
@@ -13468,7 +13529,7 @@ diff -b -B --ignore-all-space --exclude-
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
-@@ -151,6 +181,7 @@
+@@ -151,6 +185,7 @@
kernel_read_system_state(devicekit_power_t)
kernel_rw_hotplug_sysctls(devicekit_power_t)
kernel_rw_kernel_sysctl(devicekit_power_t)
@@ -13476,7 +13537,7 @@ diff -b -B --ignore-all-space --exclude-
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
-@@ -159,6 +190,7 @@
+@@ -159,6 +194,7 @@
domain_read_all_domains_state(devicekit_power_t)
@@ -13484,7 +13545,7 @@ diff -b -B --ignore-all-space --exclude-
dev_rw_generic_usb_dev(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
-@@ -167,12 +199,17 @@
+@@ -167,12 +203,17 @@
files_read_etc_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
@@ -13502,7 +13563,7 @@ diff -b -B --ignore-all-space --exclude-
userdom_read_all_users_state(devicekit_power_t)
optional_policy(`
-@@ -180,8 +217,11 @@
+@@ -180,8 +221,11 @@
')
optional_policy(`
@@ -13515,7 +13576,7 @@ diff -b -B --ignore-all-space --exclude-
allow devicekit_power_t devicekit_t:dbus send_msg;
optional_policy(`
-@@ -203,17 +243,23 @@
+@@ -203,17 +247,23 @@
optional_policy(`
hal_domtrans_mac(devicekit_power_t)
@@ -14802,7 +14863,16 @@ diff -b -B --ignore-all-space --exclude-
logging_send_syslog_msg($1_milter_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.6.32/policy/modules/services/modemmanager.te
--- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/modemmanager.te 2009-10-19 09:11:09.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/modemmanager.te 2009-10-22 10:43:01.000000000 -0400
+@@ -16,7 +16,7 @@
+ #
+ # ModemManager local policy
+ #
+-
++allow modemmanager_t self:process signal;
+ allow modemmanager_t self:fifo_file rw_file_perms;
+ allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
+ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -24,6 +24,7 @@
kernel_read_system_state(modemmanager_t)
@@ -17348,7 +17418,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2009-10-21 16:53:07.000000000 -0400
@@ -6,6 +6,15 @@
# Declarations
#
@@ -17509,7 +17579,7 @@ diff -b -B --ignore-all-space --exclude-
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -240,11 +268,16 @@
+@@ -240,11 +268,18 @@
manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
@@ -17519,6 +17589,8 @@ diff -b -B --ignore-all-space --exclude-
corecmd_exec_bin(postfix_cleanup_t)
++mta_read_aliases(postfix_cleanup_t)
++
+optional_policy(`
+ mailman_read_data_files(postfix_cleanup_t)
+')
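Review bot: The new `mta_read_aliases(postfix_cleanup_t)` line carries no comment, so the reason the cleanup daemon needs the alias database is not recorded in the policy itself, which is where the next person chasing a denial will look. A short why-comment above it would keep that context, e.g. `# cleanup consults the alias map -- presumably for address rewriting; confirm against the originating AVC`. Using the read-only `mta_read_aliases` interface rather than a manage-level one keeps the grant appropriately narrow.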
@@ -17526,7 +17598,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# Postfix local local policy
-@@ -253,10 +286,6 @@
+@@ -253,10 +288,6 @@
allow postfix_local_t self:fifo_file rw_fifo_file_perms;
allow postfix_local_t self:process { setsched setrlimit };
@@ -17537,7 +17609,7 @@ diff -b -B --ignore-all-space --exclude-
# connect to master process
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
-@@ -270,18 +299,29 @@
+@@ -270,18 +301,29 @@
files_read_etc_files(postfix_local_t)
@@ -17567,7 +17639,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -292,8 +332,7 @@
+@@ -292,8 +334,7 @@
#
# Postfix map local policy
#
@@ -17577,7 +17649,7 @@ diff -b -B --ignore-all-space --exclude-
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
-@@ -340,14 +379,15 @@
+@@ -340,14 +381,15 @@
miscfiles_read_localization(postfix_map_t)
@@ -17597,7 +17669,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# Postfix pickup local policy
-@@ -372,6 +412,7 @@
+@@ -372,6 +414,7 @@
#
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
@@ -17605,7 +17677,7 @@ diff -b -B --ignore-all-space --exclude-
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -379,6 +420,12 @@
+@@ -379,6 +422,12 @@
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
@@ -17618,7 +17690,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
procmail_domtrans(postfix_pipe_t)
')
-@@ -388,6 +435,15 @@
+@@ -388,6 +437,15 @@
')
optional_policy(`
@@ -17634,7 +17706,7 @@ diff -b -B --ignore-all-space --exclude-
uucp_domtrans_uux(postfix_pipe_t)
')
-@@ -415,6 +471,10 @@
+@@ -415,6 +473,10 @@
mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
optional_policy(`
@@ -17645,7 +17717,7 @@ diff -b -B --ignore-all-space --exclude-
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
-@@ -424,8 +484,11 @@
+@@ -424,8 +486,11 @@
')
optional_policy(`
@@ -17659,7 +17731,7 @@ diff -b -B --ignore-all-space --exclude-
')
#######################################
-@@ -451,6 +514,15 @@
+@@ -451,6 +516,15 @@
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
@@ -17675,7 +17747,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# Postfix qmgr local policy
-@@ -464,6 +536,7 @@
+@@ -464,6 +538,7 @@
manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
@@ -17683,7 +17755,7 @@ diff -b -B --ignore-all-space --exclude-
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-@@ -505,7 +578,7 @@
+@@ -505,7 +580,7 @@
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -17692,7 +17764,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
-@@ -535,9 +608,18 @@
+@@ -535,9 +610,18 @@
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -17711,7 +17783,7 @@ diff -b -B --ignore-all-space --exclude-
mailman_read_data_files(postfix_smtpd_t)
')
-@@ -559,20 +641,22 @@
+@@ -559,20 +643,22 @@
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
@@ -17741,7 +17813,7 @@ diff -b -B --ignore-all-space --exclude-
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.32/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/postgresql.fc 2009-10-21 11:42:45.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/postgresql.fc 2009-10-21 12:55:04.000000000 -0400
@@ -2,6 +2,8 @@
# /etc
#
@@ -17751,6 +17823,34 @@ diff -b -B --ignore-all-space --exclude-
#
# /usr
+@@ -9,13 +11,11 @@
+ /usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+ /usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+
+-/usr/lib/pgsql/test/regres(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+-/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+-
+-/usr/lib(64)?/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/lib(64)?/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
++/usr/lib(64)?/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+
+ ifdef(`distro_debian', `
+-/usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/lib(64)?/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+ ')
+
+ ifdef(`distro_redhat', `
+@@ -38,8 +38,6 @@
+ /var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+ /var/log/sepostgresql\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
+
+-ifdef(`distro_redhat', `
+-/var/log/rhdb/rhdb(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+-')
+-
+ /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
++
++/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.32/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/services/postgresql.if 2009-09-30 16:12:48.000000000 -0400
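Review bot: The new `/var/run/postmaster.*` context at the end of the postgresql.fc hunk uses an unescaped `.` and an open-ended `.*` with no file-type restriction, so it labels anything under `/var/run` whose name merely begins with `postmaster`, including subdirectories, as postgresql_var_run_t, while the neighbouring `/var/log/sepostgresql\.log.*` line in the same hunk escapes its dot. If the intent is the postmaster.<port>.pid lock file, `/var/run/postmaster\..* -- gen_context(system_u:object_r:postgresql_var_run_t,s0)` (escaped dot, plain files only) keeps the match tight. The `regres` to `regress` correction in the same hunk is a real fix, since the old pattern's `(/.*)?` could never match paths under the `regress` directory.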
@@ -21997,7 +22097,7 @@ diff -b -B --ignore-all-space --exclude-
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.32/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/virt.if 2009-10-20 18:38:58.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/virt.if 2009-10-22 14:44:38.000000000 -0400
@@ -136,7 +136,7 @@
')
@@ -22038,10 +22138,55 @@ diff -b -B --ignore-all-space --exclude-
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs($1)
-@@ -312,6 +314,41 @@
+@@ -304,8 +306,79 @@
+ ')
- ########################################
- ## <summary>
+ tunable_policy(`virt_use_samba',`
+- fs_manage_nfs_files($1)
+ fs_manage_cifs_files($1)
++ fs_manage_cifs_files($1)
++ fs_read_cifs_symlinks($1)
++ ')
++')
++
++########################################
++## <summary>
++## Allow domain to read virt image files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`virt_read_images',`
++ gen_require(`
++ type virt_var_lib_t;
++ attribute virt_image_type;
++ ')
++
++ virt_search_lib($1)
++ allow $1 virt_image_type:dir list_dir_perms;
++ list_dirs_pattern($1, virt_image_type, virt_image_type)
++ read_files_pattern($1, virt_image_type, virt_image_type)
++ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
++ read_blk_files_pattern($1, virt_image_type, virt_image_type)
++
++ tunable_policy(`virt_use_nfs',`
++ fs_list_nfs($1)
++ fs_read_nfs_files($1)
++ fs_read_nfs_symlinks($1)
++ ')
++
++ tunable_policy(`virt_use_samba',`
++ fs_list_cifs($1)
++ fs_read_cifs_files($1)
++ fs_read_cifs_symlinks($1)
++ ')
++')
++
++########################################
++## <summary>
+## Allow domain to manage virt image files
+## </summary>
+## <param name="domain">
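Review bot: In the rewritten `virt_use_samba` block at the top of the hunk, `fs_manage_cifs_files($1)` appears twice (the kept line and the line added directly below it), while the parallel `virt_use_nfs` block just above begins with `fs_manage_nfs_dirs($1)`; the duplicate looks like it was meant to be `fs_manage_cifs_dirs($1)`, so directory creation on CIFS-backed image stores is presumably still missing when the boolean is on. Separately, the new `virt_read_images` interface documents its parameter as `Domain to not audit.`, which is the wording for a dontaudit interface; it should read `## Domain allowed access.` since the interface grants read access. The interface that owns the samba block starts before this hunk.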
@@ -22060,7 +22205,7 @@ diff -b -B --ignore-all-space --exclude-
+ list_dirs_pattern($1, virt_content_t, virt_content_t)
+ read_files_pattern($1, virt_content_t, virt_content_t)
+ read_lnk_files_pattern($1, virt_content_t, virt_content_t)
-+ rw_blk_files_pattern($1, virt_content_t, virt_content_t)
++ read_blk_files_pattern($1, virt_content_t, virt_content_t)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_list_nfs($1)
@@ -22071,16 +22216,10 @@ diff -b -B --ignore-all-space --exclude-
+ tunable_policy(`virt_use_samba',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
-+ fs_read_cifs_symlinks($1)
-+ ')
-+')
-+
-+########################################
-+## <summary>
- ## All of the rules required to administrate
- ## an virt environment
- ## </summary>
-@@ -346,3 +383,79 @@
+ fs_read_cifs_symlinks($1)
+ ')
+ ')
+@@ -346,3 +419,79 @@
virt_manage_log($1)
')
@@ -22162,7 +22301,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-10-20 18:29:08.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-10-22 13:55:08.000000000 -0400
@@ -20,6 +20,28 @@
## </desc>
gen_tunable(virt_use_samba, false)
@@ -22346,7 +22485,7 @@ diff -b -B --ignore-all-space --exclude-
term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
-@@ -130,7 +215,14 @@
+@@ -130,7 +215,16 @@
logging_send_syslog_msg(virtd_t)
@@ -22358,10 +22497,12 @@ diff -b -B --ignore-all-space --exclude-
+userdom_list_user_home_content(virtd_t)
userdom_read_all_users_state(virtd_t)
+userdom_read_user_home_content_files(virtd_t)
++userdom_relabel_user_home_files(virtd_t)
++userdom_setattr_user_home_content_files(virtd_t)
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -168,22 +260,36 @@
+@@ -168,22 +262,36 @@
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
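Review bot: `userdom_relabel_user_home_files(virtd_t)` and `userdom_setattr_user_home_content_files(virtd_t)` are added unconditionally, whereas the NFS and Samba access to comparable content a few lines below is gated by the `virt_use_nfs` and `virt_use_samba` tunables. Relabel and setattr over every user's home files is a broad grant for a system daemon, so a why-comment stating the case it serves would let a later reviewer judge whether it can be narrowed, e.g. `# virtd relabels and sets attributes on disk images users keep under $HOME -- confirm against the originating denial`. The virtd_t section this belongs to continues outside the hunk.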
@@ -22403,7 +22544,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -196,8 +302,162 @@
+@@ -196,8 +304,162 @@
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
@@ -22590,7 +22731,7 @@ diff -b -B --ignore-all-space --exclude-
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2009-10-08 09:26:09.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2009-10-22 11:39:22.000000000 -0400
@@ -3,12 +3,17 @@
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -22621,6 +22762,19 @@ diff -b -B --ignore-all-space --exclude-
#
# /opt
#
+@@ -47,10 +47,10 @@
+ # /tmp
+ #
+
+-/tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
++/tmp/\.ICE-unix -d gen_context(system_u:object_r:xserver_tmp_t,s0)
+ /tmp/\.ICE-unix/.* -s <<none>>
+ /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
+-/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
++/tmp/\.X11-unix -d gen_context(system_u:object_r:xserver_tmp_t,s0)
+ /tmp/\.X11-unix/.* -s <<none>>
+
+ #
@@ -61,7 +61,9 @@
/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -22668,7 +22822,18 @@ diff -b -B --ignore-all-space --exclude-
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.32/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-09-09 15:37:17.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-10-13 17:35:30.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-10-22 11:38:18.000000000 -0400
+@@ -89,8 +89,8 @@
+ # for when /tmp/.X11-unix is created by the system
+ allow $2 xdm_t:fd use;
+ allow $2 xdm_t:fifo_file { getattr read write ioctl };
+- allow $2 xdm_tmp_t:dir search;
+- allow $2 xdm_tmp_t:sock_file { read write };
++ allow $2 xserver_tmp_t:dir search;
++ allow $2 xserver_tmp_t:sock_file { read write };
+ dontaudit $2 xdm_t:tcp_socket { read write };
+
+ # Client read xserver shm
@@ -211,6 +211,7 @@
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -22686,7 +22851,16 @@ diff -b -B --ignore-all-space --exclude-
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -308,12 +309,12 @@
+@@ -299,7 +300,7 @@
+ interface(`xserver_user_client',`
+ refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
+ gen_require(`
+- type xdm_t, xdm_tmp_t;
++ type xdm_t, xserver_tmp_t;
+ type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
+ ')
+
+@@ -308,14 +309,14 @@
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -22698,10 +22872,14 @@ diff -b -B --ignore-all-space --exclude-
# for when /tmp/.X11-unix is created by the system
allow $1 xdm_t:fd use;
- allow $1 xdm_t:fifo_file { getattr read write ioctl };
+- allow $1 xdm_tmp_t:dir search;
+- allow $1 xdm_tmp_t:sock_file { read write };
+ allow $1 xdm_t:fifo_file rw_fifo_file_perms;
- allow $1 xdm_tmp_t:dir search;
- allow $1 xdm_tmp_t:sock_file { read write };
++ allow $1 xserver_tmp_t:dir search;
++ allow $1 xserver_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
+
+ # Allow connections to X server.
@@ -367,7 +368,6 @@
type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
type xevent_t, client_xevent_t;
@@ -22752,9 +22930,12 @@ diff -b -B --ignore-all-space --exclude-
')
#######################################
-@@ -486,11 +481,12 @@
+@@ -484,13 +479,14 @@
+ #
+ template(`xserver_user_x_domain_template',`
gen_require(`
- type xdm_t, xdm_tmp_t;
+- type xdm_t, xdm_tmp_t;
++ type xdm_t, xserver_tmp_t;
type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
+ class x_screen all_x_screen_perms;
')
@@ -22768,15 +22949,19 @@ diff -b -B --ignore-all-space --exclude-
# Read .Xauthority file
allow $2 xauth_home_t:file read_file_perms;
-@@ -498,7 +494,7 @@
+@@ -498,9 +494,9 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
- allow $2 xdm_t:fifo_file { getattr read write ioctl };
+- allow $2 xdm_tmp_t:dir search_dir_perms;
+- allow $2 xdm_tmp_t:sock_file { read write };
+ allow $2 xdm_t:fifo_file rw_fifo_file_perms;
- allow $2 xdm_tmp_t:dir search_dir_perms;
- allow $2 xdm_tmp_t:sock_file { read write };
++ allow $2 xserver_tmp_t:dir search_dir_perms;
++ allow $2 xserver_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
+
+ # Allow connections to X server.
@@ -526,6 +522,10 @@
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
@@ -22797,11 +22982,47 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -827,6 +827,7 @@
+@@ -764,11 +764,11 @@
+ #
+ interface(`xserver_stream_connect_xdm',`
+ gen_require(`
+- type xdm_t, xdm_tmp_t;
++ type xdm_t, xserver_tmp_t;
+ ')
+
files_search_tmp($1)
- allow $1 xdm_tmp_t:dir list_dir_perms;
- create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
-+ allow $1 xdm_tmp_t:sock_file unlink;
+- stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
++ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xdm_t)
+ ')
+
+ ########################################
+@@ -802,10 +802,10 @@
+ #
+ interface(`xserver_setattr_xdm_tmp_dirs',`
+ gen_require(`
+- type xdm_tmp_t;
++ type xserver_tmp_t;
+ ')
+
+- allow $1 xdm_tmp_t:dir setattr;
++ allow $1 xserver_tmp_t:dir setattr;
+ ')
+
+ ########################################
+@@ -821,12 +821,13 @@
+ #
+ interface(`xserver_create_xdm_tmp_sockets',`
+ gen_require(`
+- type xdm_tmp_t;
++ type xserver_tmp_t;
+ ')
+
+ files_search_tmp($1)
+- allow $1 xdm_tmp_t:dir list_dir_perms;
+- create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++ allow $1 xserver_tmp_t:dir list_dir_perms;
++ create_sock_files_pattern($1, xserver_tmp_t, xserver_tmp_t)
++ allow $1 xserver_tmp_t:sock_file unlink;
')
########################################
@@ -22955,6 +23176,76 @@ diff -b -B --ignore-all-space --exclude-
## Do not audit attempts to write the X server
## log files.
## </summary>
+@@ -1014,11 +1135,11 @@
+ #
+ interface(`xserver_read_xdm_tmp_files',`
+ gen_require(`
+- type xdm_tmp_t;
++ type xserver_tmp_t;
+ ')
+
+ files_search_tmp($1)
+- read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++ read_files_pattern($1, xserver_tmp_t, xserver_tmp_t)
+ ')
+
+ ########################################
+@@ -1033,11 +1154,11 @@
+ #
+ interface(`xserver_dontaudit_read_xdm_tmp_files',`
+ gen_require(`
+- type xdm_tmp_t;
++ type xserver_tmp_t;
+ ')
+
+- dontaudit $1 xdm_tmp_t:dir search_dir_perms;
+- dontaudit $1 xdm_tmp_t:file read_file_perms;
++ dontaudit $1 xserver_tmp_t:dir search_dir_perms;
++ dontaudit $1 xserver_tmp_t:file read_file_perms;
+ ')
+
+ ########################################
+@@ -1052,11 +1173,11 @@
+ #
+ interface(`xserver_rw_xdm_tmp_files',`
+ gen_require(`
+- type xdm_tmp_t;
++ type xserver_tmp_t;
+ ')
+
+- allow $1 xdm_tmp_t:dir search_dir_perms;
+- allow $1 xdm_tmp_t:file rw_file_perms;
++ allow $1 xserver_tmp_t:dir search_dir_perms;
++ allow $1 xserver_tmp_t:file rw_file_perms;
+ ')
+
+ ########################################
+@@ -1071,10 +1192,10 @@
+ #
+ interface(`xserver_manage_xdm_tmp_files',`
+ gen_require(`
+- type xdm_tmp_t;
++ type xserver_tmp_t;
+ ')
+
+- manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++ manage_files_pattern($1, xserver_tmp_t, xserver_tmp_t)
+ ')
+
+ ########################################
+@@ -1089,10 +1210,10 @@
+ #
+ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+ gen_require(`
+- type xdm_tmp_t;
++ type xserver_tmp_t;
+ ')
+
+- dontaudit $1 xdm_tmp_t:sock_file getattr;
++ dontaudit $1 xserver_tmp_t:sock_file getattr;
+ ')
+
+ ########################################
@@ -1107,10 +1228,11 @@
#
interface(`xserver_domtrans',`
@@ -23122,7 +23413,7 @@ diff -b -B --ignore-all-space --exclude-
+#
+interface(`xserver_use_xdm',`
+ gen_require(`
-+ type xdm_t, xdm_tmp_t;
++ type xdm_t, xserver_tmp_t;
+ type xdm_xproperty_t;
+ type xdm_home_t;
+ class x_client all_x_client_perms;
@@ -23284,7 +23575,7 @@ diff -b -B --ignore-all-space --exclude-
+ allow $2 $1:x_drawable all_x_drawable_perms;
+ allow $1 $2:x_resource all_x_resource_perms;
+ allow $2 $1:x_resource all_x_resource_perms;
- ')
++')
+
+#######################################
+## <summary>
@@ -23345,7 +23636,7 @@ diff -b -B --ignore-all-space --exclude-
+ gen_require(`
+ type xdm_t;
+ class dbus send_msg;
-+ ')
+ ')
+
+ allow $1 xdm_t:dbus send_msg;
+ allow xdm_t $1:dbus send_msg;
@@ -23353,7 +23644,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-10-08 08:58:37.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-10-22 11:37:53.000000000 -0400
@@ -34,6 +34,13 @@
## <desc>
@@ -23449,20 +23740,19 @@ diff -b -B --ignore-all-space --exclude-
type xdm_var_lib_t;
files_type(xdm_var_lib_t)
-@@ -174,6 +185,12 @@
+@@ -174,13 +185,21 @@
type xdm_var_run_t;
files_pid_file(xdm_var_run_t)
+-type xdm_tmp_t;
+-files_tmp_file(xdm_tmp_t)
+-typealias xdm_tmp_t alias ice_tmp_t;
+type xserver_var_lib_t;
+files_type(xserver_var_lib_t)
+
+type xserver_var_run_t;
+files_pid_file(xserver_var_run_t)
-+
- type xdm_tmp_t;
- files_tmp_file(xdm_tmp_t)
- typealias xdm_tmp_t alias ice_tmp_t;
-@@ -181,6 +198,12 @@
+
type xdm_tmpfs_t;
files_tmpfs_file(xdm_tmpfs_t)
@@ -23475,7 +23765,14 @@ diff -b -B --ignore-all-space --exclude-
# type for /var/lib/xkb
type xkb_var_lib_t;
files_type(xkb_var_lib_t)
-@@ -202,8 +225,8 @@
+@@ -196,14 +215,14 @@
+ ubac_constrained(xserver_t)
+
+ type xserver_tmp_t;
+-typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
++typealias xserver_tmp_t alias { xdm_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
+ typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
+ files_tmp_file(xserver_tmp_t)
ubac_constrained(xserver_tmp_t)
type xserver_tmpfs_t;
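Review bot: The rewritten typealias folds `xdm_tmp_t` and `ice_tmp_t` into `xserver_tmp_t`, and the earlier hunk in this file drops the separate `type xdm_tmp_t` declaration, so every domain that was granted either type now gets access to both; that is the real security effect of this commit and it deserves a comment at the alias, e.g. `# xdm_tmp_t is an alias: xdm and the X server share /tmp/.X11-unix and /tmp/.ICE-unix (see xserver.fc)`. The same merge drives the xserver.fc hunk relabelling `/tmp/\.ICE-unix` and `/tmp/\.X11-unix`, and the xserver.if hunks that rewrite `xserver_stream_connect_xdm`, `xserver_create_xdm_tmp_sockets`, `xserver_read_xdm_tmp_files` and their siblings to `xserver_tmp_t`; those interfaces keep their `xdm_tmp` names, and their summaries, which are outside the hunks, presumably still describe xdm tmp files, so they now understate what they grant and should be updated to say the access covers the X server's tmp files as well.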
@@ -23486,7 +23783,7 @@ diff -b -B --ignore-all-space --exclude-
files_tmpfs_file(xserver_tmpfs_t)
ubac_constrained(xserver_tmpfs_t)
-@@ -250,19 +273,21 @@
+@@ -250,19 +269,21 @@
# Xauth local policy
#
@@ -23511,7 +23808,7 @@ diff -b -B --ignore-all-space --exclude-
domain_use_interactive_fds(xauth_t)
files_read_etc_files(xauth_t)
-@@ -300,20 +325,31 @@
+@@ -300,20 +321,31 @@
# XDM Local policy
#
@@ -23546,12 +23843,20 @@ diff -b -B --ignore-all-space --exclude-
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -329,22 +365,39 @@
- manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
- manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
- files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
-+relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
-+relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+@@ -325,26 +357,43 @@
+ # this is ugly, daemons should not create files under /etc!
+ manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
+
+-manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
++manage_dirs_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
++manage_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
++manage_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
++files_tmp_filetrans(xdm_t, xserver_tmp_t, { file dir sock_file })
++relabelfrom_dirs_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
++relabelfrom_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
@@ -23589,7 +23894,7 @@ diff -b -B --ignore-all-space --exclude-
allow xdm_t xserver_t:process signal;
allow xdm_t xserver_t:unix_stream_socket connectto;
-@@ -358,6 +411,7 @@
+@@ -358,6 +407,7 @@
allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xserver_t:shm rw_shm_perms;
@@ -23597,7 +23902,7 @@ diff -b -B --ignore-all-space --exclude-
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,10 +420,14 @@
+@@ -366,10 +416,14 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -23613,7 +23918,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
-@@ -389,11 +447,13 @@
+@@ -389,11 +443,13 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -23627,7 +23932,7 @@ diff -b -B --ignore-all-space --exclude-
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
-@@ -401,6 +461,7 @@
+@@ -401,6 +457,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -23635,7 +23940,7 @@ diff -b -B --ignore-all-space --exclude-
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -413,14 +474,17 @@
+@@ -413,14 +470,17 @@
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
@@ -23655,7 +23960,7 @@ diff -b -B --ignore-all-space --exclude-
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -431,9 +495,13 @@
+@@ -431,9 +491,13 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -23669,7 +23974,7 @@ diff -b -B --ignore-all-space --exclude-
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,6 +510,7 @@
+@@ -442,6 +506,7 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -23677,7 +23982,7 @@ diff -b -B --ignore-all-space --exclude-
term_setattr_console(xdm_t)
term_use_unallocated_ttys(xdm_t)
-@@ -450,6 +519,7 @@
+@@ -450,6 +515,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@@ -23685,7 +23990,7 @@ diff -b -B --ignore-all-space --exclude-
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -460,10 +530,11 @@
+@@ -460,10 +526,11 @@
logging_read_generic_logs(xdm_t)
@@ -23699,7 +24004,7 @@ diff -b -B --ignore-all-space --exclude-
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -472,6 +543,9 @@
+@@ -472,6 +539,9 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -23709,7 +24014,7 @@ diff -b -B --ignore-all-space --exclude-
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -504,10 +578,12 @@
+@@ -504,10 +574,12 @@
optional_policy(`
alsa_domtrans(xdm_t)
@@ -23722,7 +24027,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -515,12 +591,46 @@
+@@ -515,12 +587,46 @@
')
optional_policy(`
@@ -23769,7 +24074,7 @@ diff -b -B --ignore-all-space --exclude-
hostname_exec(xdm_t)
')
-@@ -542,6 +652,38 @@
+@@ -542,6 +648,38 @@
')
optional_policy(`
@@ -23808,7 +24113,7 @@ diff -b -B --ignore-all-space --exclude-
seutil_sigchld_newrole(xdm_t)
')
-@@ -550,8 +692,9 @@
+@@ -550,8 +688,9 @@
')
optional_policy(`
@@ -23820,7 +24125,7 @@ diff -b -B --ignore-all-space --exclude-
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -560,7 +703,6 @@
+@@ -560,7 +699,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -23828,7 +24133,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +713,10 @@
+@@ -571,6 +709,10 @@
')
optional_policy(`
@@ -23839,7 +24144,7 @@ diff -b -B --ignore-all-space --exclude-
xfs_stream_connect(xdm_t)
')
-@@ -587,10 +733,9 @@
+@@ -587,10 +729,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -23851,7 +24156,7 @@ diff -b -B --ignore-all-space --exclude-
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -602,9 +747,12 @@
+@@ -602,9 +743,12 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -23864,7 +24169,7 @@ diff -b -B --ignore-all-space --exclude-
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
-@@ -616,13 +764,14 @@
+@@ -616,13 +760,14 @@
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@@ -23880,7 +24185,7 @@ diff -b -B --ignore-all-space --exclude-
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +784,19 @@
+@@ -635,9 +780,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -23900,7 +24205,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -671,7 +830,6 @@
+@@ -671,7 +826,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -23908,7 +24213,7 @@ diff -b -B --ignore-all-space --exclude-
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -681,9 +839,12 @@
+@@ -681,9 +835,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -23922,7 +24227,7 @@ diff -b -B --ignore-all-space --exclude-
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -698,8 +859,12 @@
+@@ -698,8 +855,12 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -23935,7 +24240,7 @@ diff -b -B --ignore-all-space --exclude-
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -721,6 +886,7 @@
+@@ -721,6 +882,7 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -23943,7 +24248,7 @@ diff -b -B --ignore-all-space --exclude-
modutils_domtrans_insmod(xserver_t)
-@@ -743,7 +909,7 @@
+@@ -743,7 +905,7 @@
')
ifdef(`enable_mls',`
@@ -23952,7 +24257,7 @@ diff -b -B --ignore-all-space --exclude-
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
-@@ -775,12 +941,20 @@
+@@ -775,12 +937,20 @@
')
optional_policy(`
@@ -23974,7 +24279,7 @@ diff -b -B --ignore-all-space --exclude-
unconfined_domtrans(xserver_t)
')
-@@ -807,7 +981,7 @@
+@@ -807,12 +977,12 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -23982,8 +24287,16 @@ diff -b -B --ignore-all-space --exclude-
+read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
# Label pid and temporary files with derived types.
- manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -828,9 +1002,14 @@
+-manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+-manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+-manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
++manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
++manage_lnk_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
++manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+
+ # Run xkbcomp.
+ allow xserver_t xkb_var_lib_t:lnk_file read;
+@@ -828,9 +998,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -23998,7 +24311,7 @@ diff -b -B --ignore-all-space --exclude-
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -845,11 +1024,14 @@
+@@ -845,11 +1020,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -24014,7 +24327,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -882,6 +1064,8 @@
+@@ -882,6 +1060,8 @@
# X Server
# can read server-owned resources
allow x_domain xserver_t:x_resource read;
@@ -24023,7 +24336,7 @@ diff -b -B --ignore-all-space --exclude-
# can mess with own clients
allow x_domain self:x_client { manage destroy };
-@@ -906,6 +1090,8 @@
+@@ -906,6 +1086,8 @@
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -24032,7 +24345,7 @@ diff -b -B --ignore-all-space --exclude-
# X Colormaps
# can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -973,17 +1159,49 @@
+@@ -973,17 +1155,49 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -28578,8 +28891,8 @@ diff -b -B --ignore-all-space --exclude-
/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.6.32/policy/modules/system/udev.if
--- nsaserefpolicy/policy/modules/system/udev.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/udev.if 2009-10-11 07:54:27.000000000 -0400
-@@ -168,4 +168,25 @@
++++ serefpolicy-3.6.32/policy/modules/system/udev.if 2009-10-22 09:04:35.000000000 -0400
+@@ -168,4 +168,43 @@
dev_list_all_dev_nodes($1)
allow $1 udev_tbl_t:file rw_file_perms;
@@ -28604,10 +28917,28 @@ diff -b -B --ignore-all-space --exclude-
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
++')
++
++########################################
++## <summary>
++## Send signal to udev process
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`udev_signal',`
++ gen_require(`
++ type udev_t;
++ ')
++
++ allow $1 udev_t:process signal;
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.32/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/udev.te 2009-09-30 17:17:54.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/udev.te 2009-10-22 09:03:07.000000000 -0400
@@ -50,6 +50,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
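Review bot: The new `udev_signal` interface grants only `udev_t:process signal`, which is the right minimal permission, but its summary "Send signal to udev process" does not say that sigkill/sigstop are excluded; suggest `## Send a generic signal (not sigkill/sigstop/sigchld) to the udev process.` so callers do not reach for it expecting to be able to kill udev. The changelog line "Allow consolekit to signal udev" implies a consolekit.te caller that is not in this hunk, so the only use of the interface cannot be reviewed here. The udev.te hunk at the end is cut off by the outer hunk boundary.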
@@ -29494,7 +29825,7 @@ diff -b -B --ignore-all-space --exclude-
+HOME_DIR/\.gvfs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-21 10:57:55.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-22 13:55:01.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -30770,7 +31101,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1503,6 +1636,25 @@
+@@ -1503,6 +1636,42 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -30792,11 +31123,28 @@ diff -b -B --ignore-all-space --exclude-
+
+ allow $1 user_home_t:file relabelto;
+')
++########################################
++## <summary>
++## Relabel user home files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_relabel_user_home_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:file { relabelto relabelfrom };
++')
+
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1577,6 +1729,8 @@
+@@ -1577,6 +1746,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
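Review bot: `userdom_relabel_user_home_files` grants `relabelfrom` as well as `relabelto` on `user_home_t:file`, which lets the caller strip the home label from user files and retype them to any type it holds relabelto for; the summary "Relabel user home files." should say it is bidirectional, since the interface just above it is relabelto-only. The new interface also grants no search on the containing directories, so a caller not already allowed into the home tree will still be denied; if that is intended, say so in the summary, otherwise `relabel_files_pattern($1, user_home_t, user_home_t)` with `files_search_home($1)` is the usual shape. A blank line is missing between the preceding `')` and the new `####` banner. The relabelto-only interface above starts outside the hunk.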
@@ -30805,7 +31153,32 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1670,6 +1824,7 @@
+@@ -1619,6 +1790,24 @@
+
+ ########################################
+ ## <summary>
++## Set the attributes of user home files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_setattr_user_home_content_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:file setattr;
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to set the
+ ## attributes of user home files.
+ ## </summary>
+@@ -1670,6 +1859,7 @@
type user_home_dir_t, user_home_t;
')
@@ -30813,7 +31186,7 @@ diff -b -B --ignore-all-space --exclude-
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1797,19 +1952,32 @@
+@@ -1797,19 +1987,32 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -30853,7 +31226,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -1844,6 +2012,7 @@
+@@ -1844,6 +2047,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -30861,11 +31234,60 @@ diff -b -B --ignore-all-space --exclude-
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2391,27 +2560,7 @@
+@@ -2391,7 +2595,7 @@
+
+ ########################################
+ ## <summary>
+-## Read user tmpfs files.
++## Read/Write user tmpfs files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -2399,19 +2603,20 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_read_user_tmpfs_files',`
++interface(`userdom_rw_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++ rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ allow $1 user_tmpfs_t:dir list_dir_perms;
+ fs_search_tmpfs($1)
+ ')
########################################
## <summary>
-## Read user tmpfs files.
++## Get the attributes of a user domain tty.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -2419,38 +2624,17 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_rw_user_tmpfs_files',`
++interface(`userdom_getattr_user_ttys',`
+ gen_require(`
+- type user_tmpfs_t;
++ type user_tty_device_t;
+ ')
+
+- rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- allow $1 user_tmpfs_t:dir list_dir_perms;
+- fs_search_tmpfs($1)
++ allow $1 user_tty_device_t:chr_file getattr;
+ ')
+
+ ########################################
+ ## <summary>
+-## Get the attributes of a user domain tty.
-## </summary>
-## <param name="domain">
-## <summary>
@@ -30873,24 +31295,22 @@ diff -b -B --ignore-all-space --exclude-
-## </summary>
-## </param>
-#
--interface(`userdom_read_user_tmpfs_files',`
+-interface(`userdom_getattr_user_ttys',`
- gen_require(`
-- type user_tmpfs_t;
+- type user_tty_device_t;
- ')
-
-- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-- allow $1 user_tmpfs_t:dir list_dir_perms;
-- fs_search_tmpfs($1)
+- allow $1 user_tty_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
--## Read user tmpfs files.
-+## Read/Write user tmpfs files.
+-## Do not audit attempts to get the attributes of a user domain tty.
++## Do not audit attempts to get the attributes of a user domain tty.
## </summary>
## <param name="domain">
## <summary>
-@@ -2749,7 +2898,7 @@
+@@ -2749,7 +2933,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -30899,7 +31319,7 @@ diff -b -B --ignore-all-space --exclude-
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2765,11 +2914,32 @@
+@@ -2765,11 +2949,32 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -30934,59 +31354,17 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -2897,12 +3067,12 @@
+@@ -2897,7 +3102,25 @@
type user_tmp_t;
')
- allow $1 user_tmp_t:file write_file_perms;
+ write_files_pattern($1, user_tmp_t, user_tmp_t)
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to use user ttys.
-+## Delete all users files in /tmp
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -2910,17 +3080,17 @@
- ## </summary>
- ## </param>
- #
--interface(`userdom_dontaudit_use_user_ttys',`
-+interface(`userdom_delete_user_tmp_files',`
- gen_require(`
-- type user_tty_device_t;
-+ type user_tmp_t;
- ')
-
-- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
-+ allow $1 user_tmp_t:file delete_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Read the process state of all user domains.
-+## Do not audit attempts to use user ttys.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -2928,12 +3098,31 @@
- ## </summary>
- ## </param>
- #
--interface(`userdom_read_all_users_state',`
-+interface(`userdom_dontaudit_use_user_ttys',`
-+ gen_require(`
-+ type user_tty_device_t;
-+ ')
-+
-+ dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
-+## Read the process state of all user domains.
++## Delete all users files in /tmp
+## </summary>
+## <param name="domain">
+## <summary>
@@ -30994,9 +31372,16 @@ diff -b -B --ignore-all-space --exclude-
+## </summary>
+## </param>
+#
-+interface(`userdom_read_all_users_state',`
- gen_require(`
- attribute userdomain;
++interface(`userdom_delete_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:file delete_file_perms;
+ ')
+
+ ########################################
+@@ -2934,6 +3157,7 @@
')
read_files_pattern($1, userdomain, userdomain)
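Review bot: `userdom_delete_user_tmp_files` grants `user_tmp_t:file delete_file_perms`, but an unlink also needs `remove_name` on the parent directory, so a caller with no other rights on user_tmp_t or tmp_t directories is still denied; `delete_files_pattern($1, user_tmp_t, user_tmp_t)` covers files inside user_tmp_t directories, and files sitting directly in /tmp additionally need the files module's `files_delete_tmp_dir_entry($1)`. The summary "Delete all users files in /tmp" should also be narrowed to what is actually granted, files labelled user_tmp_t. The interface's XML header lives in the previous hunk, so its definition is split across two hunks here.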
@@ -31004,7 +31389,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_search_proc($1)
')
-@@ -3064,3 +3253,578 @@
+@@ -3064,3 +3288,578 @@
allow $1 userdomain:dbus send_msg;
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.948
retrieving revision 1.949
diff -u -p -r1.948 -r1.949
--- selinux-policy.spec 21 Oct 2009 15:55:49 -0000 1.948
+++ selinux-policy.spec 22 Oct 2009 19:59:10 -0000 1.949
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 31%{?dist}
+Release: 32%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -369,10 +369,6 @@ SELinux Reference policy minimum base mo
packages="execmem.pp.bz2 unconfined.pp.bz2 unconfineduser.pp.bz2"
%loadpolicy minimum $packages
if [ $1 -eq 1 ]; then
-semanage -S minimum -i - << __eof
-login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
-login -m -s unconfined_u -r s0-s0:c0.c1023 root
-__eof
restorecon -R /root /var/log /var/run 2> /dev/null
else
%relabel minimum
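Review bot: Dropping the `semanage login -m` lines changes what a fresh install of the minimum policy does with the root and `__default__` logins: they are no longer forced to `unconfined_u` with range `s0-s0:c0.c1023` and instead get whatever the package's seusers file maps them to, so if that default is a confined user the first root login after install lands in a confined domain. The -32 changelog entry in this commit says nothing about the removal, so the reason (presumably the mapping is now shipped in seusers) should be recorded, e.g. `- Stop forcing root/__default__ to unconfined_u in minimum %post; mapping now comes from seusers`. With the block gone the install branch holds only the `restorecon`, so the `if`/`else` could be simplified, but that is cosmetic. The %post scriptlet starts outside the hunk.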
@@ -449,6 +445,11 @@ exit 0
%endif
%changelog
+* Thu Oct 22 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-32
+- Allow unconfined_execmem_t to transition to sandbox
+- Allow postfix_cleanup to read etc_alias
+- Allow consolekit to signal udev
+
* Wed Oct 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-31
- Allow unconfined_execmem_t to transition to sandbox
- Add sectool policy