rpms/selinux-policy/F-8 modules-targeted.conf, 1.70, 1.71 policy-20070703.patch, 1.126, 1.127 selinux-policy.spec, 1.571, 1.572
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu Nov 8 22:08:18 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4503
Modified Files:
modules-targeted.conf policy-20070703.patch
selinux-policy.spec
Log Message:
* Thu Nov 8 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-49
- Separate xguest from guest
- Allow confined domains to output to rpm pipes
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/modules-targeted.conf,v
retrieving revision 1.70
retrieving revision 1.71
diff -u -r1.70 -r1.71
--- modules-targeted.conf 5 Nov 2007 20:47:14 -0000 1.70
+++ modules-targeted.conf 8 Nov 2007 22:07:40 -0000 1.71
@@ -1500,6 +1500,13 @@
guest = module
# Layer: users
+# Module: xguest
+#
+# Minimally privs guest account on X Windows logins
+#
+xguest = module
+
+# Layer: users
# Module: logadm
#
# Minimally prived root role for managing logging system
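Review bot: The description added for the new module, `# Minimally privs guest account on X Windows logins`, is hard to read in a file that administrators consult when deciding which modules to enable. Something like `# Minimally privileged guest account for X Windows logins` states the purpose plainly. Since the changelog says xguest is being separated from guest, the comment could also say in one line how the two accounts differ.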
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.126
retrieving revision 1.127
diff -u -r1.126 -r1.127
--- policy-20070703.patch 7 Nov 2007 22:16:08 -0000 1.126
+++ policy-20070703.patch 8 Nov 2007 22:07:40 -0000 1.127
@@ -1887,7 +1887,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.0.8/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/rpm.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/rpm.te 2007-11-08 11:42:23.000000000 -0500
@@ -139,6 +139,7 @@
auth_relabel_all_files_except_shadow(rpm_t)
auth_manage_all_files_except_shadow(rpm_t)
@@ -4047,7 +4047,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-11-06 10:14:30.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-11-07 17:28:12.000000000 -0500
@@ -6,6 +6,22 @@
# Declarations
#
@@ -4112,7 +4112,7 @@
+# Allow all domains to use fds past to them
+allow domain domain:fd use;
+optional_policy(`
-+ rpm_dontaudit_rw_pipes(domain)
++ rpm_rw_pipes(domain)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.0.8/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2007-10-22 13:21:41.000000000 -0400
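Review bot: `rpm_rw_pipes(domain)` is applied to the `domain` attribute, so every confined domain gains both read and write on rpm's pipes, while the changelog entry only asks for confined domains to output to rpm pipes. If the need is only for scriptlet output, a narrower grant (write/append only, or limited to the domains rpm actually launches) would match the stated intent better than replacing the dontaudit for all domains. At minimum, add a comment above the call recording why read is needed as well, e.g. `# programs run from rpm scriptlets inherit rpm's pipes for stdout/stderr`. The body of `rpm_rw_pipes` is not visible in this hunk, so the exact permission set should be confirmed against rpm.if.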
@@ -5137,7 +5137,7 @@
dev_read_rand(amavis_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.0.8/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/apache.fc 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/apache.fc 2007-11-08 09:26:54.000000000 -0500
@@ -16,7 +16,6 @@
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -5582,7 +5582,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-11-07 15:19:05.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-11-08 09:25:25.000000000 -0500
@@ -20,6 +20,9 @@
# Declarations
#
@@ -6453,7 +6453,14 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.0.8/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/clamav.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/clamav.te 2007-11-08 09:58:52.000000000 -0500
+@@ -1,5 +1,5 @@
+
+-policy_module(clamav,1.4.1)
++policy_module(clamav,1.5.1)
+
+ ########################################
+ #
@@ -87,6 +87,7 @@
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
@@ -6467,7 +6474,7 @@
')
+optional_policy(`
-+ exim_read_spool(clamd_t)
++ exim_read_spool_files(clamd_t)
+')
+
########################################
@@ -6481,6 +6488,38 @@
+optional_policy(`
+ mailscanner_manage_spool(clamscan_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/comsat.te serefpolicy-3.0.8/policy/modules/services/comsat.te
+--- nsaserefpolicy/policy/modules/services/comsat.te 2007-10-22 13:21:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/comsat.te 2007-11-08 13:31:19.000000000 -0500
+@@ -60,6 +60,8 @@
+ init_read_utmp(comsat_t)
+ init_dontaudit_write_utmp(comsat_t)
+
++auth_use_nsswitch(comsat_t)
++
+ libs_use_ld_so(comsat_t)
+ libs_use_shared_libs(comsat_t)
+
+@@ -67,8 +69,6 @@
+
+ miscfiles_read_localization(comsat_t)
+
+-sysnet_read_config(comsat_t)
+-
+ userdom_dontaudit_getattr_sysadm_ttys(comsat_t)
+
+ mta_getattr_spool(comsat_t)
+@@ -77,10 +77,3 @@
+ kerberos_use(comsat_t)
+ ')
+
+-optional_policy(`
+- nis_use_ypbind(comsat_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(comsat_t)
+-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.0.8/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/consolekit.if 2007-10-29 23:59:29.000000000 -0400
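Review bot: Replacing `sysnet_read_config`, `nis_use_ypbind` and `nscd_socket_use` with a single `auth_use_nsswitch(comsat_t)` gives comsat_t whatever that interface bundles, and its definition is not shown in this patch, so it cannot be checked here whether the result is narrower or wider than the three calls it replaces. The same substitution is made in later hunks for cupsd_lpd_t, cyrus_t, dbskkd_t, inetd_child_t, slapd_t and postgresql_t, in some cases also dropping `netlink_route_socket` and `sysnet_use_ldap` lines. Before merging, the expanded rule set for each domain should be compared with the old one to confirm that no daemon picks up name-service back ends it never uses. A short comment above each call, such as `# name service lookups via nsswitch (replaces sysnet/nis/nscd rules)`, would record the intent.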
@@ -7059,7 +7098,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.8/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cups.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cups.te 2007-11-08 13:32:45.000000000 -0500
@@ -48,9 +48,8 @@
type hplip_t;
type hplip_exec_t;
@@ -7260,7 +7299,39 @@
')
optional_policy(`
-@@ -525,11 +556,9 @@
+@@ -482,6 +513,8 @@
+
+ files_read_etc_files(cupsd_lpd_t)
+
++auth_use_nsswitch(cupsd_lpd_t)
++
+ libs_use_ld_so(cupsd_lpd_t)
+ libs_use_shared_libs(cupsd_lpd_t)
+
+@@ -489,22 +522,12 @@
+
+ miscfiles_read_localization(cupsd_lpd_t)
+
+-sysnet_read_config(cupsd_lpd_t)
+-
+ cups_stream_connect(cupsd_lpd_t)
+
+ optional_policy(`
+ inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
+ ')
+
+-optional_policy(`
+- nis_use_ypbind(cupsd_lpd_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(cupsd_lpd_t)
+-')
+-
+ ########################################
+ #
+ # HPLIP local policy
+@@ -525,11 +548,9 @@
allow hplip_t cupsd_etc_t:dir search;
cups_stream_connect(hplip_t)
@@ -7275,7 +7346,7 @@
manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -560,7 +589,9 @@
+@@ -560,7 +581,9 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@@ -7286,7 +7357,7 @@
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
-@@ -587,8 +618,6 @@
+@@ -587,8 +610,6 @@
userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
userdom_dontaudit_search_all_users_home_content(hplip_t)
@@ -7295,7 +7366,7 @@
optional_policy(`
seutil_sigchld_newrole(hplip_t)
')
-@@ -668,3 +697,15 @@
+@@ -668,3 +689,15 @@
optional_policy(`
udev_read_db(ptal_t)
')
@@ -7338,6 +7409,75 @@
miscfiles_read_localization(cvs_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.0.8/policy/modules/services/cyrus.te
+--- nsaserefpolicy/policy/modules/services/cyrus.te 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cyrus.te 2007-11-08 13:33:33.000000000 -0500
+@@ -41,7 +41,6 @@
+ allow cyrus_t self:unix_stream_socket connectto;
+ allow cyrus_t self:tcp_socket create_stream_socket_perms;
+ allow cyrus_t self:udp_socket create_socket_perms;
+-allow cyrus_t self:netlink_route_socket r_netlink_socket_perms;
+
+ manage_dirs_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t)
+ manage_files_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t)
+@@ -95,6 +94,8 @@
+ files_read_etc_runtime_files(cyrus_t)
+ files_read_usr_files(cyrus_t)
+
++auth_use_nsswitch(cyrus_t)
++
+ libs_use_ld_so(cyrus_t)
+ libs_use_shared_libs(cyrus_t)
+ libs_exec_lib_files(cyrus_t)
+@@ -104,8 +105,6 @@
+ miscfiles_read_localization(cyrus_t)
+ miscfiles_read_certs(cyrus_t)
+
+-sysnet_read_config(cyrus_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(cyrus_t)
+ userdom_dontaudit_search_sysadm_home_dirs(cyrus_t)
+ userdom_use_unpriv_users_fds(cyrus_t)
+@@ -126,14 +125,6 @@
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(cyrus_t)
+-')
+-
+-optional_policy(`
+- sasl_connect(cyrus_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(cyrus_t)
+ ')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbskk.te serefpolicy-3.0.8/policy/modules/services/dbskk.te
+--- nsaserefpolicy/policy/modules/services/dbskk.te 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dbskk.te 2007-11-08 13:34:10.000000000 -0500
+@@ -63,6 +63,8 @@
+
+ files_read_etc_files(dbskkd_t)
+
++auth_use_nsswitch(dbskkd_t)
++
+ libs_use_ld_so(dbskkd_t)
+ libs_use_shared_libs(dbskkd_t)
+
+@@ -70,12 +72,3 @@
+
+ miscfiles_read_localization(dbskkd_t)
+
+-sysnet_read_config(dbskkd_t)
+-
+-optional_policy(`
+- nis_use_ypbind(dbskkd_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(dbskkd_t)
+-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.0.8/policy/modules/services/dbus.fc
--- nsaserefpolicy/policy/modules/services/dbus.fc 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dbus.fc 2007-10-29 23:59:29.000000000 -0400
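Review bot: The cyrus.te change at `@@ -126,14 +125,6 @@` removes the `sasl_connect(cyrus_t)` optional block together with `nis_use_ypbind(cyrus_t)`, but SASL access is not a name-service permission and the changelog does not mention it. Unless `auth_use_nsswitch` also covers the SASL connection (its definition is not visible here), cyrus_t would lose that access and authentication would fail with AVC denials. If the removal is deliberate, say so in the log message; otherwise keep the optional block containing `sasl_connect(cyrus_t)`.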
@@ -7834,207 +7974,217 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.0.8/policy/modules/services/exim.fc
--- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.fc 2007-10-29 23:59:29.000000000 -0400
-@@ -0,0 +1,15 @@
-+# $Id$
-+# Draft SELinux refpolicy module for the Exim MTA
-+#
-+# Devin Carraway <selinux/at/devin.com>
-+
-+/var/spool/exim4?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
-+/var/run/exim4?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
-+/var/log/exim4?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
-+/usr/sbin/exim4? gen_context(system_u:object_r:exim_exec_t,s0)
-+ifdef(`distro_debian', `
-+# work around a misparse if the word template appears without adjustment
-+/usr/sbin/update-exim4\.conf\.[t]emplate gen_context(system_u:object_r:exim_conf_update_exec_t,s0)
-+/var/lib/exim4?(/.*)? gen_context(system_u:object_r:exim_var_lib_t,s0)
-+')
++++ serefpolicy-3.0.8/policy/modules/services/exim.fc 2007-11-08 09:52:12.000000000 -0500
+@@ -0,0 +1,5 @@
+
++/usr/sbin/exim -- gen_context(system_u:object_r:exim_exec_t,s0)
++/var/log/exim(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
++/var/run/exim.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
++/var/spool/exim(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.0.8/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-11-05 15:39:00.000000000 -0500
-@@ -0,0 +1,157 @@
-+## <summary>Exim service</summary>
++++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-11-08 09:52:12.000000000 -0500
+@@ -0,0 +1,156 @@
++## <summary>Exim mail transfer agent</summary>
+
+########################################
+## <summary>
-+## Permit transitions to the exim domain
++## Execute a domain transition to run exim.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed to transition.
++## </summary>
+## </param>
+#
+interface(`exim_domtrans',`
+ gen_require(`
-+ type exim_t;
-+ type exim_exec_t;
++ type exim_t, exim_exec_t;
+ ')
+
-+ corecmd_search_bin($1)
+ domtrans_pattern($1, exim_exec_t, exim_t)
+')
+
+########################################
+## <summary>
-+## Read generated exim configuration
++## Do not audit attempts to read,
++## exim tmp files
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain to not audit.
++## </summary>
+## </param>
+#
-+interface(`exim_read_lib',`
++interface(`exim_dontaudit_read_tmp_files',`
+ gen_require(`
-+ type exim_var_lib_t;
++ type exim_tmp_t;
+ ')
+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, exim_var_lib_t, exim_var_lib_t);
++ dontaudit $1 exim_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
-+## Manage generated exim configuration
++## Allow domain to read, exim tmp files
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain to not audit.
++## </summary>
+## </param>
+#
-+interface(`exim_manage_lib',`
++interface(`exim_read_tmp_files',`
+ gen_require(`
-+ type exim_lib_t;
++ type exim_tmp_t;
+ ')
+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, exim_lib_t, exim_lib_t);
++ allow $1 exim_tmp_t:file read_file_perms;
++ files_search_tmp($1)
+')
+
+########################################
+## <summary>
-+## Grants readonly access to Exim logs
++## Read exim PID files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`exim_read_logs',`
++interface(`exim_read_pid_files',`
+ gen_require(`
-+ type exim_log_t;
++ type exim_var_run_t;
+ ')
+
-+ files_search_var($1)
-+ read_files_pattern($1, exim_log_t, exim_log_t)
++ allow $1 exim_var_run_t:file read_file_perms;
++ files_search_pids($1)
+')
+
+########################################
+## <summary>
-+## append exim logs
++## Allow the specified domain to read exim's log files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
++## <rolecap/>
+#
-+interface(`exim_append_log',`
++interface(`exim_read_log',`
+ gen_require(`
+ type exim_log_t;
+ ')
+
-+ files_search_var($1)
-+ append_files_pattern($1, exim_log_t, exim_log_t)
++ read_files_pattern($1, exim_log_t, exim_log_t)
++ logging_search_logs($1)
+')
+
+########################################
+## <summary>
-+## Read contents of exim spool
++## Allow the specified domain to append
++## exim log files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed to transition.
++## </summary>
+## </param>
+#
-+interface(`exim_read_spool',`
++interface(`exim_append_log',`
+ gen_require(`
-+ type exim_spool_t;
++ type exim_log_t;
+ ')
+
-+ files_search_spool($1)
-+ list_dirs_pattern($1, exim_spool_t, exim_spool_t)
-+ read_files_pattern($1, exim_spool_t, exim_spool_t)
++ append_files_pattern($1, exim_log_t, exim_log_t)
++ logging_search_logs($1)
+')
+
+########################################
+## <summary>
-+## Modify/delete contents of exim mail spool
++## Read exim spool files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`exim_manage_spool_files',`
++interface(`exim_read_spool_files',`
+ gen_require(`
+ type exim_spool_t;
+ ')
+
++ allow $1 exim_spool_t:file read_file_perms;
++ allow $1 exim_spool_t:dir list_dir_perms;
+ files_search_spool($1)
-+ manage_dirs_pattern($1, exim_spool_t, exim_spool_t)
-+ manage_files_pattern($1, exim_spool_t, exim_spool_t)
+')
+
+########################################
+## <summary>
-+## Create an exim mail spool (implies creating dirs in var_spool_t).
++## Create, read, write, and delete
++## exim spool files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`exim_create_spool',`
++interface(`exim_manage_spool_files',`
+ gen_require(`
-+ type var_spool_t;
+ type exim_spool_t;
+ ')
+
-+ create_dirs_pattern($1, var_spool_t, exim_spool_t)
-+ filetrans_pattern($1, var_spool_t, exim_spool_t, dir)
++ manage_files_pattern($1, exim_spool_t, exim_spool_t)
++ files_search_spool($1)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.0.8/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.te 2007-10-29 23:59:29.000000000 -0400
-@@ -0,0 +1,237 @@
++++ serefpolicy-3.0.8/policy/modules/services/exim.te 2007-11-08 09:52:12.000000000 -0500
+@@ -0,0 +1,214 @@
+
-+policy_module(exim, 1.0.0)
++policy_module(exim,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
++## <desc>
++## <p>
++## Allow exim to read unprivileged user files.
++## </p>
++## </desc>
++gen_tunable(exim_read_user_files,false)
++
++## <desc>
++## <p>
++## Allow exim to create, read, write, and delete
++## unprivileged user files.
++## </p>
++## </desc>
++gen_tunable(exim_manage_user_files,false)
++
++## <desc>
++## <p>
++## Allow exim to connect to databases (postgres, mysql)
++## </p>
++## </desc>
++gen_tunable(exim_can_connect_db,false)
++
+type exim_t;
+type exim_exec_t;
-+domain_type(exim_t)
-+domain_entry_file(exim_t,exim_exec_t)
++init_daemon_domain(exim_t, exim_exec_t)
+mta_mailserver(exim_t, exim_exec_t)
+mta_mailserver_user_agent(exim_t)
+application_executable_file(exim_exec_t)
+mta_mailclient(exim_exec_t)
+
-+type exim_script_exec_t;
-+init_script_type(exim_script_exec_t)
++type exim_log_t;
++logging_log_file(exim_log_t)
+
+type exim_spool_t;
+files_type(exim_spool_t)
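Review bot: Two parameter descriptions in the rewritten exim.if do not match the rules they document: `exim_read_tmp_files` contains an `allow` rule but its summary reads "Domain to not audit.", and `exim_append_log` reads "Domain allowed to transition." Both should be `## Domain allowed access.`, so that someone auditing callers from the interface documentation does not mistake a grant for a dontaudit. In exim.fc, the new entry `/var/run/exim.pid` leaves the dot unescaped in what is a regular expression; `/var/run/exim\.pid` would match only the intended file name.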
@@ -8045,46 +8195,44 @@
+type exim_var_run_t;
+files_pid_file(exim_var_run_t)
+
-+type exim_log_t;
-+logging_log_file(exim_log_t)
-+
-+########################################
-+#
-+# exim booleans
-+#
-+
-+## <desc>
-+## <p>
-+## Allow exim to connect to databases (postgres, mysql)
-+## </p>
-+## </desc>
-+gen_tunable(exim_can_connect_db, false)
-+
-+## <desc>
-+## <p>
-+## Allow exim to read files in users homedirectories
-+## </p>
-+## </desc>
-+gen_tunable(exim_read_user_files, false)
-+
-+## <desc>
-+## <p>
-+## Allow exim to manage files in users homedirectories
-+## </p>
-+## </desc>
-+gen_tunable(exim_manage_user_files, false)
++type exim_script_exec_t;
++init_script_type(exim_script_exec_t)
+
+########################################
+#
+# exim local policy
+#
+
-+allow exim_t self:capability { sys_resource dac_override dac_read_search setuid setgid fowner chown };
++allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
+allow exim_t self:process { setrlimit setpgid };
+allow exim_t self:fifo_file rw_file_perms;
++allow exim_t self:unix_stream_socket create_stream_socket_perms;
+allow exim_t self:tcp_socket create_stream_socket_perms;
+allow exim_t self:udp_socket create_socket_perms;
-+allow exim_t self:unix_stream_socket create_stream_socket_perms;
++
++can_exec(exim_t,exim_exec_t)
++
++manage_files_pattern(exim_t, exim_log_t, exim_log_t)
++logging_log_filetrans(exim_t, exim_log_t, { file dir })
++
++manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)
++manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)
++manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)
++files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file })
++
++manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
++manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
++files_tmp_filetrans(exim_t, exim_tmp_t, { file dir })
++
++manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t)
++manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
++files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
++
++kernel_read_kernel_sysctls(exim_t)
++kernel_dontaudit_read_system_state(exim_t)
++kernel_read_network_state(exim_t)
++
++corecmd_search_bin(exim_t)
+
+corenet_all_recvfrom_unlabeled(exim_t)
+corenet_all_recvfrom_netlabel(exim_t)
@@ -8092,76 +8240,57 @@
+corenet_udp_sendrecv_all_nodes(exim_t)
+corenet_tcp_sendrecv_all_if(exim_t)
+corenet_tcp_sendrecv_all_nodes(exim_t)
++corenet_tcp_sendrecv_all_ports(exim_t)
+corenet_tcp_bind_all_nodes(exim_t)
-+corenet_tcp_bind_amavisd_send_port(exim_t)
+corenet_tcp_bind_smtp_port(exim_t)
++corenet_tcp_bind_amavisd_send_port(exim_t)
+corenet_tcp_connect_smtp_port(exim_t)
+corenet_tcp_sendrecv_smtp_port(exim_t)
+corenet_sendrecv_smtp_server_packets(exim_t)
+corenet_sendrecv_all_client_packets(exim_t)
+
-+# make identd connections
+corenet_tcp_connect_auth_port(exim_t)
++corenet_tcp_connect_inetd_child_port(exim_t)
+corenet_tcp_sendrecv_auth_port(exim_t)
+
+# connect to spamassassin
+corenet_tcp_connect_spamd_port(exim_t)
+corenet_tcp_sendrecv_spamd_port(exim_t)
+
-+libs_use_ld_so(exim_t)
-+libs_read_lib_files(exim_t)
-+libs_exec_lib_files(exim_t)
-+libs_use_shared_libs(exim_t)
-+libs_legacy_use_shared_libs(exim_t)
-+
-+# PID files
-+manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
-+files_pid_filetrans(exim_t, exim_var_run_t, file)
-+
-+auth_use_nsswitch(exim_t)
++# Init script handling
++domain_use_interactive_fds(exim_t)
+
-+# Exim uses BerkeleyDB, which checks /var/tmp but doesn't actually use it
-+files_dontaudit_getattr_tmp_dirs(exim_t)
+files_search_usr(exim_t)
+files_search_var(exim_t)
+files_read_etc_files(exim_t)
+
-+fs_getattr_xattr_fs(exim_t)
++auth_use_nsswitch(exim_t)
+
-+kernel_read_kernel_sysctls(exim_t)
-+kernel_dontaudit_read_system_state(exim_t)
-+kernel_read_network_state(exim_t)
++libs_use_ld_so(exim_t)
++libs_use_shared_libs(exim_t)
++
++logging_send_syslog_msg(exim_t)
+
+miscfiles_read_localization(exim_t)
+miscfiles_read_certs(exim_t)
+
++fs_getattr_xattr_fs(exim_t)
++
+mta_read_aliases(exim_t)
+mta_read_config(exim_t)
+mta_manage_spool(exim_t)
+mta_mailserver_delivery(exim_t)
+
-+# Init script handling
-+domain_use_interactive_fds(exim_t)
-+
-+can_exec(exim_t,exim_exec_t)
-+
-+manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)
-+manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)
-+manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)
-+allow exim_t exim_spool_t:sock_file create_file_perms;
-+files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file })
-+
-+manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
-+manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
-+files_tmp_filetrans(exim_t, exim_tmp_t, { file dir })
-+
-+## logging
-+logging_send_syslog_msg(exim_t)
-+
-+manage_files_pattern(exim_t, exim_log_t, exim_log_t)
-+logging_log_filetrans(exim_t, exim_log_t, { file dir })
++tunable_policy(`exim_read_user_files',`
++ userdom_read_unpriv_users_home_content_files(exim_t)
++ userdom_read_unpriv_users_tmp_files(exim_t)
++')
+
-+corecmd_search_bin(exim_t)
++tunable_policy(`exim_manage_user_files',`
++ userdom_manage_unpriv_users_home_content_dirs(exim_t)
++ userdom_read_unpriv_users_tmp_files(exim_t)
++ userdom_write_unpriv_users_tmp_files(exim_t)
++')
+
+# TLS sessions need entropy
+dev_read_urand(exim_t)
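Review bot: `corenet_tcp_connect_inetd_child_port(exim_t)` is added next to the auth-port rules in the same hunk that deletes the `# make identd connections` comment, so nothing now records why exim_t may connect to inetd child ports. Please restore a comment above the group, for example `# ident lookups: auth port, served via inetd on some hosts`, if that is the reason. The new `corenet_tcp_sendrecv_all_ports(exim_t)` also appears to make the per-port sendrecv lines for smtp, auth and spamd redundant; if the all-ports form is intended, a one-line justification would help, otherwise the per-port lines alone keep the grant tighter.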
@@ -8203,17 +8332,6 @@
+ cyrus_stream_connect(exim_t)
+')
+
-+if (exim_read_user_files) {
-+ userdom_read_unpriv_users_home_content_files(exim_t)
-+ userdom_read_unpriv_users_tmp_files(exim_t)
-+}
-+
-+if (exim_manage_user_files) {
-+ userdom_manage_unpriv_users_home_content_dirs(exim_t)
-+ userdom_read_unpriv_users_tmp_files(exim_t)
-+ userdom_write_unpriv_users_tmp_files(exim_t)
-+}
-+
+## receipt & validation
+
+optional_policy(`
@@ -8226,18 +8344,6 @@
+ spamassassin_exec_client(exim_t)
+')
+
-+# courier authdaemon; authdaemon doesn't have a type for its UNIX domain
-+# socket, nor a public interface for it yet.
-+ifdef(`TODO', `
-+optional_policy(`
-+ gen_require(`
-+ type courier_var_run_t;
-+ ')
-+ files_search_pids(exim_t)
-+ stream_connect_pattern(exim_t, courier_var_run_t, courier_var_run_t)
-+')
-+')
-+
+# Debian uses a template based config generator which generates config
+# files under /var
+ifdef(`distro_debian',`
@@ -8458,7 +8564,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.0.8/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/inetd.te 2007-11-07 10:35:03.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/inetd.te 2007-11-08 13:34:38.000000000 -0500
@@ -53,6 +53,8 @@
allow inetd_t inetd_var_run_t:file manage_file_perms;
files_pid_filetrans(inetd_t,inetd_var_run_t,file)
@@ -8532,7 +8638,23 @@
files_search_home(inetd_child_t)
manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
-@@ -212,13 +231,10 @@
+@@ -198,6 +217,8 @@
+
+ files_read_etc_files(inetd_child_t)
+
++auth_use_nsswitch(inetd_child_t)
++
+ libs_use_ld_so(inetd_child_t)
+ libs_use_shared_libs(inetd_child_t)
+
+@@ -205,20 +226,11 @@
+
+ miscfiles_read_localization(inetd_child_t)
+
+-sysnet_read_config(inetd_child_t)
+-
+ optional_policy(`
+ kerberos_use(inetd_child_t)
')
optional_policy(`
@@ -8541,10 +8663,9 @@
-
-optional_policy(`
- nscd_socket_use(inetd_child_t)
-+ auth_use_nsswitch(inetd_child_t)
- ')
-
- optional_policy(`
+-')
+-
+-optional_policy(`
unconfined_domain(inetd_child_t)
+ inetd_service_domain(inetd_child_t,bin_t)
')
@@ -8739,6 +8860,46 @@
- nscd_socket_use(ktalkd_t)
-')
+term_search_ptys(ktalkd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.0.8/policy/modules/services/ldap.te
+--- nsaserefpolicy/policy/modules/services/ldap.te 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ldap.te 2007-11-08 13:37:16.000000000 -0500
+@@ -42,7 +42,6 @@
+ dontaudit slapd_t self:capability sys_tty_config;
+ allow slapd_t self:process setsched;
+ allow slapd_t self:fifo_file { read write };
+-allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
+ allow slapd_t self:udp_socket create_socket_perms;
+ #slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
+ allow slapd_t self:tcp_socket create_stream_socket_perms;
+@@ -104,6 +103,8 @@
+ files_read_usr_files(slapd_t)
+ files_list_var_lib(slapd_t)
+
++auth_use_nsswitch(slapd_t)
++
+ libs_use_ld_so(slapd_t)
+ libs_use_shared_libs(slapd_t)
+
+@@ -112,8 +113,6 @@
+ miscfiles_read_certs(slapd_t)
+ miscfiles_read_localization(slapd_t)
+
+-sysnet_read_config(slapd_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(slapd_t)
+ userdom_dontaudit_search_sysadm_home_dirs(slapd_t)
+
+@@ -122,10 +121,6 @@
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(slapd_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(slapd_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.0.8/policy/modules/services/lpd.fc
--- nsaserefpolicy/policy/modules/services/lpd.fc 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/lpd.fc 2007-10-29 23:59:29.000000000 -0400
@@ -8914,7 +9075,7 @@
+files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-11-06 10:45:33.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-11-08 09:56:54.000000000 -0500
@@ -87,6 +87,8 @@
# It wants to check for nscd
files_dontaudit_search_pids($1_mail_t)
@@ -8947,7 +9108,7 @@
')
+ optional_policy(`
-+ exim_read_logs($1_mail_t)
++ exim_read_log($1_mail_t)
+ exim_append_log($1_mail_t)
+ exim_manage_spool_files($1_mail_t)
+ ')
@@ -8971,7 +9132,7 @@
')
optional_policy(`
-@@ -314,6 +320,24 @@
+@@ -314,6 +320,42 @@
########################################
## <summary>
@@ -8993,21 +9154,6 @@
+
+########################################
+## <summary>
- ## Modified mailserver interface for
- ## sendmail daemon use.
- ## </summary>
-@@ -392,6 +416,7 @@
- allow $1 mail_spool_t:dir list_dir_perms;
- create_files_pattern($1,mail_spool_t,mail_spool_t)
- read_files_pattern($1,mail_spool_t,mail_spool_t)
-+ append_files_pattern($1,mail_spool_t,mail_spool_t)
- create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
- read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
-
-@@ -436,6 +461,24 @@
-
- ########################################
- ## <summary>
+## Make the specified type readable for a system_mail_t
+## </summary>
+## <param name="type">
@@ -9026,9 +9172,17 @@
+
+########################################
+## <summary>
- ## Send mail from the system.
+ ## Modified mailserver interface for
+ ## sendmail daemon use.
## </summary>
- ## <param name="domain">
+@@ -392,6 +434,7 @@
+ allow $1 mail_spool_t:dir list_dir_perms;
+ create_files_pattern($1,mail_spool_t,mail_spool_t)
+ read_files_pattern($1,mail_spool_t,mail_spool_t)
++ append_files_pattern($1,mail_spool_t,mail_spool_t)
+ create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
+ read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
+
@@ -447,20 +490,18 @@
interface(`mta_send_mail',`
gen_require(`
@@ -10507,7 +10661,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.0.8/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/postgresql.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/postgresql.te 2007-11-08 13:35:53.000000000 -0500
@@ -27,6 +27,9 @@
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
@@ -10518,6 +10672,44 @@
########################################
#
# postgresql Local policy
+@@ -42,7 +45,6 @@
+ allow postgresql_t self:udp_socket create_stream_socket_perms;
+ allow postgresql_t self:unix_dgram_socket create_socket_perms;
+ allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
+-allow postgresql_t self:netlink_route_socket r_netlink_socket_perms;
+
+ manage_dirs_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
+ manage_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
+@@ -118,6 +120,8 @@
+
+ init_read_utmp(postgresql_t)
+
++auth_use_nsswitch(postgresql_t)
++
+ libs_use_ld_so(postgresql_t)
+ libs_use_shared_libs(postgresql_t)
+
+@@ -127,9 +131,6 @@
+
+ seutil_dontaudit_search_config(postgresql_t)
+
+-sysnet_read_config(postgresql_t)
+-sysnet_use_ldap(postgresql_t)
+-
+ userdom_dontaudit_search_sysadm_home_dirs(postgresql_t)
+ userdom_dontaudit_use_sysadm_ttys(postgresql_t)
+ userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
+@@ -158,10 +159,6 @@
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(postgresql_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(postgresql_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.0.8/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc 2007-10-22 13:21:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ppp.fc 2007-10-29 23:59:29.000000000 -0400
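Review bot: The `auth_use_nsswitch(postgresql_t)` call added to postgresql.te replaces rules that differed from domain to domain, and nothing in the patch records what the macro grants. Here it stands in for the removed `netlink_route_socket`, `sysnet_read_config`, `sysnet_use_ldap` and `nis_use_ypbind` lines, whereas the stunnel.te and uucp.te sections further down remove `nscd_socket_use` and show no `sysnet_use_ldap` being removed. Each domain therefore presumably ends up with the union of these permissions rather than what it had before; the macro's definition is not visible in this diff, so confirm that against authlogin.if. The same applies to the rsync.te and locallogin.te additions. I would add a comment above each call such as `# name service lookups; replaces the per-service sysnet/nis/nscd rules`, and keep the narrower rules for any domain that should not gain LDAP or nscd access.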
@@ -10927,7 +11119,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2007-11-08 09:14:47.000000000 -0500
@@ -59,10 +59,14 @@
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@@ -10943,7 +11135,12 @@
fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
-@@ -76,9 +80,16 @@
+@@ -73,12 +77,21 @@
+ # cjp: this should really have its own type
+ files_manage_mounttab(rpcd_t)
+
++auth_read_cache(gssd_t)
++
miscfiles_read_certs(rpcd_t)
seutil_dontaudit_search_config(rpcd_t)
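Review bot: `auth_read_cache(gssd_t)` is added between `files_manage_mounttab(rpcd_t)` and `miscfiles_read_certs(rpcd_t)`, that is, among the rpcd_t rules, although it grants access to gssd_t. The rule takes effect wherever it is placed, but someone auditing gssd_t will not find it beside the other gssd_t rules (the later inner hunks around `miscfiles_read_certs(gssd_t)`), and the placement leaves open whether `rpcd_t` was meant. I would move the line into the gssd_t section, or correct the domain if rpcd_t was intended. Only part of rpc.te is visible here, so the section boundaries are inferred from the context lines.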
@@ -10960,7 +11157,7 @@
')
########################################
-@@ -91,9 +102,13 @@
+@@ -91,9 +104,13 @@
allow nfsd_t exports_t:file { getattr read };
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
@@ -10974,7 +11171,7 @@
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -123,6 +138,7 @@
+@@ -123,6 +140,7 @@
tunable_policy(`nfs_export_all_rw',`
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
@@ -10982,7 +11179,7 @@
')
tunable_policy(`nfs_export_all_ro',`
-@@ -143,6 +159,9 @@
+@@ -143,6 +161,9 @@
manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@@ -10992,7 +11189,7 @@
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)
-@@ -158,6 +177,9 @@
+@@ -158,6 +179,9 @@
miscfiles_read_certs(gssd_t)
@@ -11093,7 +11290,7 @@
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.0.8/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rsync.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rsync.te 2007-11-08 13:36:23.000000000 -0500
@@ -8,6 +8,13 @@
## <desc>
@@ -11125,7 +11322,16 @@
kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)
-@@ -89,8 +99,6 @@
+@@ -80,6 +90,8 @@
+ files_read_etc_files(rsync_t)
+ files_search_home(rsync_t)
+
++auth_use_nsswitch(rsync_t)
++
+ libs_use_ld_so(rsync_t)
+ libs_use_shared_libs(rsync_t)
+
+@@ -89,8 +101,6 @@
miscfiles_read_localization(rsync_t)
miscfiles_read_public_files(rsync_t)
@@ -11134,7 +11340,7 @@
tunable_policy(`allow_rsync_anon_write',`
miscfiles_manage_public_files(rsync_t)
')
-@@ -107,10 +115,8 @@
+@@ -107,10 +117,8 @@
inetd_service_domain(rsync_t,rsync_exec_t)
')
@@ -12402,6 +12608,50 @@
')
+
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.0.8/policy/modules/services/stunnel.te
+--- nsaserefpolicy/policy/modules/services/stunnel.te 2007-10-22 13:21:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/stunnel.te 2007-11-08 13:37:45.000000000 -0500
+@@ -38,7 +38,6 @@
+ allow stunnel_t self:fifo_file rw_fifo_file_perms;
+ allow stunnel_t self:tcp_socket create_stream_socket_perms;
+ allow stunnel_t self:udp_socket create_socket_perms;
+-allow stunnel_t self:netlink_route_socket r_netlink_socket_perms;
+
+ allow stunnel_t stunnel_etc_t:dir { getattr read search };
+ allow stunnel_t stunnel_etc_t:file { read getattr };
+@@ -68,6 +67,8 @@
+
+ fs_getattr_all_fs(stunnel_t)
+
++auth_use_nsswitch(stunnel_t)
++
+ libs_use_ld_so(stunnel_t)
+ libs_use_shared_libs(stunnel_t)
+
+@@ -75,8 +76,6 @@
+
+ miscfiles_read_localization(stunnel_t)
+
+-sysnet_read_config(stunnel_t)
+-
+ ifdef(`distro_gentoo', `
+ dontaudit stunnel_t self:capability sys_tty_config;
+ allow stunnel_t self:udp_socket create_socket_perms;
+@@ -112,14 +111,6 @@
+ optional_policy(`
+ kerberos_use(stunnel_t)
+ ')
+-
+- optional_policy(`
+- nis_use_ypbind(stunnel_t)
+- ')
+-
+- optional_policy(`
+- nscd_socket_use(stunnel_t)
+- ')
+ ')
+
+ # hack since this port has no interfaces since it doesnt
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tcpd.if serefpolicy-3.0.8/policy/modules/services/tcpd.if
--- nsaserefpolicy/policy/modules/services/tcpd.if 2007-10-22 13:21:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/tcpd.if 2007-11-05 15:37:04.000000000 -0500
@@ -12588,6 +12838,39 @@
# server packets:
corenet_sendrecv_ftp_server_packets(ucspitcp_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.0.8/policy/modules/services/uucp.te
+--- nsaserefpolicy/policy/modules/services/uucp.te 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/uucp.te 2007-11-08 13:38:09.000000000 -0500
+@@ -88,6 +88,8 @@
+ files_search_home(uucpd_t)
+ files_search_spool(uucpd_t)
+
++auth_use_nsswitch(uucpd_t)
++
+ libs_use_ld_so(uucpd_t)
+ libs_use_shared_libs(uucpd_t)
+
+@@ -95,20 +97,10 @@
+
+ miscfiles_read_localization(uucpd_t)
+
+-sysnet_read_config(uucpd_t)
+-
+ optional_policy(`
+ kerberos_use(uucpd_t)
+ ')
+
+-optional_policy(`
+- nis_use_ypbind(uucpd_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(uucpd_t)
+-')
+-
+ ########################################
+ #
+ # UUX Local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.0.8/policy/modules/services/uwimap.te
--- nsaserefpolicy/policy/modules/services/uwimap.te 2007-10-22 13:21:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/uwimap.te 2007-10-29 23:59:29.000000000 -0400
@@ -12690,13 +12973,13 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-11-07 12:07:13.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-11-08 10:56:23.000000000 -0500
@@ -126,6 +126,8 @@
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
dev_rwx_zero($1_xserver_t)
+ dev_read_urand($1_xserver_t)
-+
++ dev_rw_generic_usb_dev($1_xserver_t)
domain_mmap_low($1_xserver_t)
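Review bot: `dev_rw_generic_usb_dev($1_xserver_t)` gives every per-role X server domain read/write access to generic USB device nodes, and unlike `dev_rw_input_dev` two lines above it, it has no comment saying which driver needs it. Raw USB access is a broad grant, so the reason should be recorded next to the call, for example `# <driver or device that needs raw USB access>`. If only some configurations need it, wrapping the call in a tunable would keep the default policy narrower. The template body continues outside the hunk.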
@@ -13354,7 +13637,7 @@
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-30 20:09:22.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-11-08 09:15:07.000000000 -0500
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -13571,7 +13854,7 @@
')
')
-@@ -1381,3 +1469,163 @@
+@@ -1381,3 +1469,181 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -13735,6 +14018,24 @@
+ allow system_chkpwd_t $3:chr_file rw_file_perms;
+')
+
++########################################
++## <summary>
++## Read authentication cache
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`auth_read_cache',`
++ gen_require(`
++ type auth_cache_t;
++ ')
++
++ read_files_pattern($1, auth_cache_t, auth_cache_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-22 13:21:40.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-10-29 23:59:29.000000000 -0400
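Review bot: The new `auth_read_cache` interface grants only `read_files_pattern($1, auth_cache_t, auth_cache_t)`, so a caller still has to get search access to the parent directories from somewhere else. The one file context visible for `auth_cache_t` is `/var/cache/coolkey(/.*)?`, which suggests adding `files_search_var($1)` before the pattern, assuming that is the helper this policy uses for paths under /var. The summary could also name the type, e.g. `## Read the authentication cache files (auth_cache_t).`, so that callers such as the `auth_read_cache(gssd_t)` line in rpc.te can be audited without opening the interface.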
@@ -14660,8 +14961,8 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-11-07 17:05:02.000000000 -0500
-@@ -65,11 +65,12 @@
++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-11-08 16:05:08.000000000 -0500
+@@ -65,11 +65,13 @@
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
@@ -14672,17 +14973,10 @@
/opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/f-secure/fspms/libexec/librapi.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/ibm/java2-ppc64-50/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
-@@ -80,6 +81,7 @@
- /opt/netscape/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
- /opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/RealPlayer/codecs(/.*)? gen_context(system_u:object_r:lib_t,s0)
- /opt/RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0)
- /opt/RealPlayer/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
@@ -112,6 +114,7 @@
/usr/lib/vlc/codec/libdmo_plugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/librealaudio_plugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
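Review bot: The relocated entry `/opt/Adobe(/.*?)/nppdf\.so` has the `?` inside the group, unlike the `(/.*)?` form used elsewhere in this diff (for example `/var/cache/coolkey(/.*)?`). As written the group is mandatory, so a plugin directly under /opt/Adobe does not match. If file contexts are matched as POSIX extended regular expressions, `*?` also has no defined lazy meaning. If the intent is any depth below /opt/Adobe, `/opt/Adobe(/.*)?/nppdf\.so` says so unambiguously. Because the label is `textrel_shlib_t`, it is worth checking that the pattern matches exactly the files intended.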
@@ -14780,8 +15074,8 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.0.8/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/locallogin.te 2007-10-29 23:59:29.000000000 -0400
-@@ -97,6 +97,11 @@
++++ serefpolicy-3.0.8/policy/modules/system/locallogin.te 2007-11-08 17:05:40.000000000 -0500
+@@ -97,6 +97,12 @@
term_setattr_all_user_ttys(local_login_t)
term_setattr_unallocated_ttys(local_login_t)
@@ -14790,10 +15084,11 @@
+ term_setattr_console(local_login_t)
+')
+
++auth_use_nsswitch(local_login_t)
auth_rw_login_records(local_login_t)
auth_rw_faillog(local_login_t)
auth_manage_pam_console_data(local_login_t)
-@@ -130,6 +135,7 @@
+@@ -130,6 +136,7 @@
miscfiles_read_localization(local_login_t)
@@ -14801,7 +15096,7 @@
userdom_spec_domtrans_all_users(local_login_t)
userdom_signal_all_users(local_login_t)
userdom_search_all_users_home_content(local_login_t)
-@@ -160,6 +166,15 @@
+@@ -160,6 +167,15 @@
')
optional_policy(`
@@ -14817,7 +15112,7 @@
gpm_getattr_gpmctl(local_login_t)
gpm_setattr_gpmctl(local_login_t)
')
-@@ -178,13 +193,18 @@
+@@ -178,13 +194,18 @@
')
optional_policy(`
@@ -19177,36 +19472,21 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.0.8/policy/modules/users/guest.fc
--- nsaserefpolicy/policy/modules/users/guest.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/users/guest.fc 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/users/guest.fc 2007-11-08 09:00:09.000000000 -0500
@@ -0,0 +1 @@
+# No guest file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.if serefpolicy-3.0.8/policy/modules/users/guest.if
--- nsaserefpolicy/policy/modules/users/guest.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/users/guest.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/users/guest.if 2007-11-08 09:00:09.000000000 -0500
@@ -0,0 +1 @@
+## <summary>Policy for guest user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.8/policy/modules/users/guest.te
--- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/users/guest.te 2007-10-29 23:59:29.000000000 -0400
-@@ -0,0 +1,18 @@
++++ serefpolicy-3.0.8/policy/modules/users/guest.te 2007-11-08 09:00:10.000000000 -0500
+@@ -0,0 +1,3 @@
+policy_module(guest,1.0.0)
+userdom_unpriv_login_user(guest)
+userdom_unpriv_login_user(gadmin)
-+userdom_unpriv_xwindows_login_user(xguest)
-+mozilla_per_role_template(xguest, xguest_t, xguest_r)
-+
-+optional_policy(`
-+ consolekit_dbus_chat(xguest_t)
-+')
-+
-+optional_policy(`
-+ bluetooth_dbus_chat(xguest_t)
-+')
-+
-+# Allow mounting of file systems
-+optional_policy(`
-+ hal_dbus_chat(xguest_t)
-+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.8/policy/modules/users/logadm.fc
--- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/users/logadm.fc 2007-10-29 23:59:29.000000000 -0400
@@ -19294,6 +19574,31 @@
+')
+allow gadmin_t webadm_t:process transition;
+allow webadm_t gadmin_t:dir getattr;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.fc serefpolicy-3.0.8/policy/modules/users/xguest.fc
+--- nsaserefpolicy/policy/modules/users/xguest.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/users/xguest.fc 2007-11-08 09:00:00.000000000 -0500
+@@ -0,0 +1 @@
++# No xguest file contexts.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.if serefpolicy-3.0.8/policy/modules/users/xguest.if
+--- nsaserefpolicy/policy/modules/users/xguest.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/users/xguest.if 2007-11-08 09:00:00.000000000 -0500
+@@ -0,0 +1 @@
++## <summary>Policy for xguest user</summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.0.8/policy/modules/users/xguest.te
+--- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/users/xguest.te 2007-11-08 09:00:00.000000000 -0500
+@@ -0,0 +1,11 @@
++policy_module(xguest,1.0.0)
++userdom_unpriv_xwindows_login_user(xguest)
++mozilla_per_role_template(xguest, xguest_t, xguest_r)
++# Allow mounting of file systems
++optional_policy(`
++ hal_dbus_chat(xguest_t)
++')
++
++optional_policy(`
++ bluetooth_dbus_chat(xguest_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.0.8/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-10-22 13:21:43.000000000 -0400
+++ serefpolicy-3.0.8/policy/support/obj_perm_sets.spt 2007-10-29 23:59:29.000000000 -0400
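Review bot: The new xguest.te carries over `hal_dbus_chat(xguest_t)` and `bluetooth_dbus_chat(xguest_t)` from the old guest.te, but not the `consolekit_dbus_chat(xguest_t)` block that the previous hunk removes from guest.te. The changelog entry says only "Separate xguest from guest", so it is unclear whether dropping it is intended. It may also be covered by `userdom_unpriv_xwindows_login_user`, whose definition is not visible here. If the drop is deliberate, a one-line comment in xguest.te should say so, e.g. `# consolekit access intentionally not granted to xguest`. Otherwise the `optional_policy` block wrapping `consolekit_dbus_chat(xguest_t)` should move over with the other two.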
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.571
retrieving revision 1.572
diff -u -r1.571 -r1.572
--- selinux-policy.spec 7 Nov 2007 22:18:38 -0000 1.571
+++ selinux-policy.spec 8 Nov 2007 22:07:40 -0000 1.572
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 48%{?dist}
+Release: 49%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -179,7 +179,7 @@
# Build targeted policy
%{__rm} -fR %{buildroot}
mkdir -p %{buildroot}%{_mandir}
-cp -R man %{buildroot}%{_mandir}
+cp -R man/* %{buildroot}%{_mandir}
mkdir -p %{buildroot}%{_sysconfdir}/selinux
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
touch %{buildroot}%{_sysconfdir}/selinux/config
@@ -380,6 +380,10 @@
%endif
%changelog
+* Thu Nov 8 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-49
+- Separate xguest from guest
+- Allow confined domains to output to rpm pipes
+
* Tue Nov 7 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-48
- Add obsoletes selinux-policy-strict
- Run inetd unconfined