rpms/selinux-policy/devel policy-20070703.patch, 1.77, 1.78 selinux-policy.spec, 1.536, 1.537

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Oct 1 17:03:44 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv25108

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Thu Sep 24 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-15
- Allow tmpreaper to read man_t
- Allow racoon to bind to all nodes
- Fixes for finger print reader


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.77
retrieving revision 1.78
diff -u -r1.77 -r1.78
--- policy-20070703.patch	26 Sep 2007 22:01:27 -0000	1.77
+++ policy-20070703.patch	1 Oct 2007 17:03:12 -0000	1.78
@@ -357,7 +357,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.8/policy/modules/admin/alsa.te
 --- nsaserefpolicy/policy/modules/admin/alsa.te	2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/alsa.te	2007-09-21 19:08:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/alsa.te	2007-09-28 09:14:04.000000000 -0400
 @@ -14,25 +14,36 @@
  type alsa_etc_rw_t;
  files_type(alsa_etc_rw_t)
@@ -398,11 +398,12 @@
  
  libs_use_ld_so(alsa_t)
  libs_use_shared_libs(alsa_t)
-@@ -43,7 +54,13 @@
+@@ -43,7 +54,14 @@
  
  userdom_manage_unpriv_user_semaphores(alsa_t)
  userdom_manage_unpriv_user_shared_mem(alsa_t)
 +userdom_search_generic_user_home_dirs(alsa_t)
++userdom_dontaudit_search_sysadm_home_dirs(alsa_t)
  
  optional_policy(`
  	nscd_socket_use(alsa_t)
@@ -574,7 +575,7 @@
  # Init script handling
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.8/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te	2007-08-22 07:14:14.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/consoletype.te	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/consoletype.te	2007-09-28 09:01:45.000000000 -0400
 @@ -8,9 +8,11 @@
  
  type consoletype_t;
@@ -610,13 +611,14 @@
  	logrotate_dontaudit_use_fds(consoletype_t)
  ')
  
-@@ -115,3 +121,7 @@
+@@ -115,3 +121,8 @@
  	xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
  	xen_dontaudit_use_fds(consoletype_t)
  ')
 +
 +optional_policy(`
 +	unconfined_use_terminals(consoletype_t)
++	unconfined_dontaudit_rw_pipes(ifconfig_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmidecode.te serefpolicy-3.0.8/policy/modules/admin/dmidecode.te
 --- nsaserefpolicy/policy/modules/admin/dmidecode.te	2007-08-22 07:14:14.000000000 -0400
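Review bot: The added `unconfined_dontaudit_rw_pipes(ifconfig_t)` names ifconfig_t inside consoletype.te's optional_policy block for consoletype_t, and nothing in the hunk shows consoletype.te declaring or requiring ifconfig_t, so this reads like a copy-paste slip. Either the line should be `unconfined_dontaudit_rw_pipes(consoletype_t)`, or the rule belongs in sysnetwork.te next to the other ifconfig_t rules; if ifconfig_t really is intended here, the module needs a gen_require for it to build. The enclosing consoletype.te block continues outside the hunk.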
@@ -1255,6 +1257,36 @@
  	rpm_use_fds(useradd_t)
  	rpm_rw_pipes(useradd_t)
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.fc serefpolicy-3.0.8/policy/modules/admin/vpn.fc
+--- nsaserefpolicy/policy/modules/admin/vpn.fc	2007-05-29 14:10:59.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/vpn.fc	2007-09-28 19:07:48.000000000 -0400
+@@ -7,3 +7,5 @@
+ # sbin
+ #
+ /sbin/vpnc		--	gen_context(system_u:object_r:vpnc_exec_t,s0)
++
++/var/run/vpnc(/.*)?		gen_context(system_u:object_r:vpnc_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.0.8/policy/modules/admin/vpn.te
+--- nsaserefpolicy/policy/modules/admin/vpn.te	2007-07-25 10:37:43.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/vpn.te	2007-10-01 10:53:17.000000000 -0400
+@@ -22,7 +22,7 @@
+ # Local policy
+ #
+ 
+-allow vpnc_t self:capability { net_admin ipc_lock net_raw };
++allow vpnc_t self:capability { dac_override net_admin ipc_lock net_raw };
+ allow vpnc_t self:process getsched;
+ allow vpnc_t self:fifo_file { getattr ioctl read write };
+ allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
+@@ -96,7 +96,7 @@
+ seutil_dontaudit_search_config(vpnc_t)
+ seutil_use_newrole_fds(vpnc_t)
+ 
+-sysnet_exec_ifconfig(vpnc_t)
++sysnet_domtrans_ifconfig(vpnc_t)
+ sysnet_etc_filetrans_config(vpnc_t)
+ sysnet_manage_config(vpnc_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.if serefpolicy-3.0.8/policy/modules/apps/ada.if
 --- nsaserefpolicy/policy/modules/apps/ada.if	2007-05-29 14:10:48.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/apps/ada.if	2007-09-17 16:20:18.000000000 -0400
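Review bot: `allow vpnc_t self:capability { dac_override net_admin ipc_lock net_raw };` in vpn.te lets vpnc bypass DAC checks on every file its type rules already reach, and the line carries no comment saying which access needed it; a why-comment above it, e.g. `# dac_override: needed for <path> — TODO confirm the access that triggered it`, keeps the grant reviewable later. The new vpn.fc entry labels /var/run/vpnc as vpnc_var_run_t, but no declaration of that type appears in the vpn.te hunks; if the base vpn.te does not already declare it, the file context would reference an undefined type. The move from sysnet_exec_ifconfig to sysnet_domtrans_ifconfig confines the ifconfig run in its own domain and reads fine.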
@@ -3457,7 +3489,7 @@
 +/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.8/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/apache.if	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/apache.if	2007-09-28 14:34:09.000000000 -0400
 @@ -18,10 +18,6 @@
  		attribute httpd_script_exec_type;
  		type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -3833,7 +3865,7 @@
 +## <rolecap/>
  #
 -interface(`apache_cgi_domain',`
-+template(`apache_admin',`
++interface(`apache_admin',`
 +
  	gen_require(`
 -		type httpd_t, httpd_sys_script_exec_t;
@@ -4548,7 +4580,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.0.8/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/clamav.te	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/clamav.te	2007-09-27 08:26:37.000000000 -0400
 @@ -87,6 +87,7 @@
  kernel_dontaudit_list_proc(clamd_t)
  kernel_read_sysctl(clamd_t)
@@ -4557,7 +4589,18 @@
  
  corenet_all_recvfrom_unlabeled(clamd_t)
  corenet_all_recvfrom_netlabel(clamd_t)
-@@ -233,3 +234,7 @@
+@@ -127,6 +128,10 @@
+ 	amavis_create_pid_files(clamd_t)
+ ')
+ 
++optional_policy(`
++	exim_read_spool(clamd_t)
++')
++
+ ########################################
+ #
+ # Freshclam local policy
+@@ -233,3 +238,7 @@
  optional_policy(`
  	apache_read_sys_content(clamscan_t)
  ')
@@ -5070,7 +5113,7 @@
  ifdef(`TODO',`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.0.8/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cups.fc	2007-09-21 15:23:17.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cups.fc	2007-09-28 09:17:04.000000000 -0400
 @@ -8,17 +8,14 @@
  /etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -5102,6 +5145,15 @@
  /usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
  /usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
  /usr/sbin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
+@@ -33,7 +35,7 @@
+ 
+ /usr/share/cups(/.*)?		gen_context(system_u:object_r:cupsd_etc_t,s0)
+ /usr/share/foomatic/db/oldprinterids --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/usr/share/hplip/hpssd\.py --	gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/share/hplip/[^/]*\.py --	gen_context(system_u:object_r:hplip_exec_t,s0)
+ 
+ /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 @@ -52,3 +54,4 @@
  /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  
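Review bot: The cups.fc change replaces the single `/usr/share/hplip/hpssd\.py` entry with `/usr/share/hplip/[^/]*\.py`, which makes every Python script directly under /usr/share/hplip an entrypoint for hplip_t, and the cups.te hunk further down adds `domtrans_pattern(cupsd_config_t,hplip_exec_t, hplip_t)`, so cupsd_config_t now transitions into hplip_t through any of those scripts. That is a much larger entrypoint set than one daemon script; if only a few HPLIP scripts actually need to run as hplip_t, listing them or using a narrower pattern keeps the domain's entry set explicit. At minimum a comment such as `# every top-level hplip script runs in hplip_t (domtrans from cupsd_t/cupsd_config_t in cups.te)` would record the intent.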
@@ -5117,8 +5169,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.8/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cups.te	2007-09-25 15:01:58.000000000 -0400
-@@ -48,9 +48,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/cups.te	2007-09-28 09:19:25.000000000 -0400
+@@ -48,9 +48,8 @@
  type hplip_t;
  type hplip_exec_t;
  init_daemon_domain(hplip_t,hplip_exec_t)
@@ -5126,10 +5178,11 @@
 -type hplip_etc_t;
 -files_config_file(hplip_etc_t)
 +domtrans_pattern(cupsd_t,hplip_exec_t, hplip_t)
++domtrans_pattern(cupsd_config_t,hplip_exec_t, hplip_t)
  
  type hplip_var_run_t;
  files_pid_file(hplip_var_run_t)
-@@ -81,12 +79,11 @@
+@@ -81,12 +80,11 @@
  # /usr/lib/cups/backend/serial needs sys_admin(?!)
  allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
  dontaudit cupsd_t self:capability { sys_tty_config net_admin };
@@ -5143,7 +5196,7 @@
  allow cupsd_t self:tcp_socket create_stream_socket_perms;
  allow cupsd_t self:udp_socket create_socket_perms;
  allow cupsd_t self:appletalk_socket create_socket_perms;
-@@ -105,7 +102,7 @@
+@@ -105,7 +103,7 @@
  
  # allow cups to execute its backend scripts
  can_exec(cupsd_t, cupsd_exec_t)
@@ -5152,7 +5205,7 @@
  allow cupsd_t cupsd_exec_t:lnk_file read;
  
  manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
-@@ -122,13 +119,13 @@
+@@ -122,13 +120,13 @@
  manage_sock_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
  files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
  
@@ -5168,7 +5221,7 @@
  kernel_read_system_state(cupsd_t)
  kernel_read_network_state(cupsd_t)
  kernel_read_all_sysctls(cupsd_t)
-@@ -150,21 +147,26 @@
+@@ -150,21 +148,26 @@
  corenet_tcp_bind_reserved_port(cupsd_t)
  corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
  corenet_tcp_connect_all_ports(cupsd_t)
@@ -5196,7 +5249,7 @@
  mls_file_downgrade(cupsd_t)
  mls_file_write_all_levels(cupsd_t)
  mls_file_read_all_levels(cupsd_t)
-@@ -174,6 +176,7 @@
+@@ -174,6 +177,7 @@
  term_search_ptys(cupsd_t)
  
  auth_domtrans_chk_passwd(cupsd_t)
@@ -5204,7 +5257,7 @@
  auth_dontaudit_read_pam_pid(cupsd_t)
  
  # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
-@@ -187,7 +190,7 @@
+@@ -187,7 +191,7 @@
  # read python modules
  files_read_usr_files(cupsd_t)
  # for /var/lib/defoma
@@ -5213,7 +5266,7 @@
  files_list_world_readable(cupsd_t)
  files_read_world_readable_files(cupsd_t)
  files_read_world_readable_symlinks(cupsd_t)
-@@ -202,6 +205,7 @@
+@@ -202,6 +206,7 @@
  files_dontaudit_getattr_all_tmp_files(cupsd_t)
  
  selinux_compute_access_vector(cupsd_t)
@@ -5221,7 +5274,7 @@
  
  init_exec_script_files(cupsd_t)
  
-@@ -221,17 +225,37 @@
+@@ -221,17 +226,37 @@
  
  sysnet_read_config(cupsd_t)
  
@@ -5259,7 +5312,7 @@
  	apm_domtrans_client(cupsd_t)
  ')
  
-@@ -263,16 +287,16 @@
+@@ -263,16 +288,16 @@
  ')
  
  optional_policy(`
@@ -5280,7 +5333,7 @@
  	seutil_sigchld_newrole(cupsd_t)
  ')
  
-@@ -377,6 +401,14 @@
+@@ -377,6 +402,14 @@
  ')
  
  optional_policy(`
@@ -5295,7 +5348,15 @@
  	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
  ')
  
-@@ -525,11 +557,9 @@
+@@ -393,6 +426,7 @@
+ optional_policy(`
+ 	hal_domtrans(cupsd_config_t)
+ 	hal_read_tmp_files(cupsd_config_t)
++	hal_dontaudit_use_fds(hplip_t)
+ ')
+ 
+ optional_policy(`
+@@ -525,11 +559,9 @@
  allow hplip_t cupsd_etc_t:dir search;
  
  cups_stream_connect(hplip_t)
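Review bot: `hal_dontaudit_use_fds(hplip_t)` is inserted into the optional_policy block that otherwise holds cupsd_config_t's hal rules (`hal_domtrans(cupsd_config_t)`, `hal_read_tmp_files(cupsd_config_t)`), so a reader scanning the cupsd_config_t section will not expect an hplip_t rule there. Moving it into the hplip_t section of cups.te in its own optional_policy block keeps each domain's rules together. The enclosing cups.te sections start and end outside this hunk.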
@@ -5310,7 +5371,7 @@
  
  manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
  files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -560,7 +590,7 @@
+@@ -560,7 +592,7 @@
  dev_read_urand(hplip_t)
  dev_read_rand(hplip_t)
  dev_rw_generic_usb_dev(hplip_t)
@@ -5319,7 +5380,7 @@
  
  fs_getattr_all_fs(hplip_t)
  fs_search_auto_mountpoints(hplip_t)
-@@ -587,8 +617,6 @@
+@@ -587,8 +619,6 @@
  userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
  userdom_dontaudit_search_all_users_home_content(hplip_t)
  
@@ -5555,15 +5616,14 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.0.8/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.te	2007-09-17 16:20:18.000000000 -0400
-@@ -94,3 +94,8 @@
++++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.te	2007-09-27 15:39:17.000000000 -0400
+@@ -94,3 +94,7 @@
  optional_policy(`
  	udev_read_db(dnsmasq_t)
  ')
 +
 +optional_policy(`
-+	virt_read_lib_files(dnsmasq_t)
-+	virt_append_lib_files(dnsmasq_t)
++	virt_rw_lib_files(dnsmasq_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.8/policy/modules/services/dovecot.fc
 --- nsaserefpolicy/policy/modules/services/dovecot.fc	2007-05-29 14:10:57.000000000 -0400
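Review bot: Replacing `virt_read_lib_files(dnsmasq_t)` and `virt_append_lib_files(dnsmasq_t)` with `virt_rw_lib_files(dnsmasq_t)` widens dnsmasq from append-only to full write on libvirt's var_lib files, so a misbehaving or compromised dnsmasq could now truncate or rewrite those files instead of only adding to them. The hunk does not show which denial motivated the change; a short comment naming the file that needs in-place rewriting, e.g. `# dnsmasq rewrites <libvirt-managed file> in place, append is not enough — TODO name it`, would justify the wider permission for the next reader.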
@@ -5794,353 +5854,196 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.0.8/policy/modules/services/exim.fc
 --- nsaserefpolicy/policy/modules/services/exim.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.fc	2007-09-17 16:20:18.000000000 -0400
-@@ -0,0 +1,6 @@
++++ serefpolicy-3.0.8/policy/modules/services/exim.fc	2007-09-29 08:32:19.000000000 -0400
+@@ -0,0 +1,17 @@
++# $Id$
++# Draft SELinux refpolicy module for the Exim MTA
++# 
++# Devin Carraway <selinux/at/devin.com>
++
++/var/spool/exim4?(/.*)?   gen_context(system_u:object_r:exim_spool_t,s0)
++/var/run/exim4?(/.*)?     gen_context(system_u:object_r:exim_var_run_t,s0)
++/var/log/exim4?(/.*)?     gen_context(system_u:object_r:exim_log_t,s0)
++/usr/sbin/exim4?          gen_context(system_u:object_r:exim_exec_t,s0)
++/usr/sbin/eximstats       gen_context(system_u:object_r:exim_stats_exec_t, s0)
++ifdef(`distro_debian', `
++/usr/sbin/update-exim4\.conf    gen_context(system_u:object_r:exim_conf_update_exec_t,s0)
++# work around a misparse if the word template appears without adjustment
++/usr/sbin/update-exim4\.conf\.[t]emplate   gen_context(system_u:object_r:exim_conf_update_exec_t,s0)
++/var/lib/exim4?(/.*)?     gen_context(system_u:object_r:exim_lib_t,s0)
++')
 +
-+/usr/sbin/exim	--	gen_context(system_u:object_r:exim_exec_t,s0)
-+/etc/rc.d/init.d/exim	--	gen_context(system_u:object_r:exim_script_exec_t,s0)
-+/var/run/exim.pid		--	gen_context(system_u:object_r:exim_var_run_t,s0)
-+/var/log/exim(/.*)?			gen_context(system_u:object_r:exim_log_t,s0)
-+/var/spool/exim(/.*)?			gen_context(system_u:object_r:exim_spool_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.0.8/policy/modules/services/exim.if
 --- nsaserefpolicy/policy/modules/services/exim.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.if	2007-09-17 16:20:18.000000000 -0400
-@@ -0,0 +1,330 @@
-+
-+## <summary>policy for exim</summary>
++++ serefpolicy-3.0.8/policy/modules/services/exim.if	2007-09-27 08:23:42.000000000 -0400
+@@ -0,0 +1,157 @@
++## <summary>Exim service</summary>
 +
 +########################################
 +## <summary>
-+##	Execute a domain transition to run exim.
++##     Permit transitions to the exim domain
 +## </summary>
 +## <param name="domain">
-+## <summary>
-+##	Domain allowed to transition.
-+## </summary>
++##     <summary>
++##         Domain allowed access.
++##     </summary>
 +## </param>
 +#
 +interface(`exim_domtrans',`
 +	gen_require(`
 +		type exim_t;
-+                type exim_exec_t;
-+	')
-+
-+	domain_auto_trans($1,exim_exec_t,exim_t)
-+
-+	allow exim_t $1:fd use;
-+	allow exim_t $1:fifo_file rw_file_perms;
-+	allow exim_t $1:process sigchld;
-+')
-+
-+
-+########################################
-+## <summary>
-+##	Execute exim server in the exim domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+interface(`exim_script_domtrans',`
-+	gen_require(`
-+		type exim_script_exec_t;
-+	')
-+
-+	init_script_domtrans_spec($1,exim_script_exec_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to read, 
-+##	exim tmp files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`exim_dontaudit_read_tmp_files',`
-+	gen_require(`
-+		type exim_tmp_t;
-+	')
-+
-+	dontaudit $1 exim_tmp_t:file r_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Allow domain to read, exim tmp files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`exim_read_tmp_files',`
-+	gen_require(`
-+		type exim_tmp_t;
-+	')
-+
-+	allow $1 exim_tmp_t:file r_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Allow domain to manage exim tmp files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`exim_manage_tmp',`
-+	gen_require(`
-+		type exim_tmp_t;
++		type exim_exec_t;
 +	')
 +
-+         manage_dir_perms($1,exim_tmp_t,exim_tmp_t)
-+         manage_file_perms($1,exim_tmp_t,exim_tmp_t)
-+         manage_lnk_file_perms($1,exim_tmp_t,exim_tmp_t)
++	corecmd_search_sbin($1)
++	domtrans_pattern($1, exim_t, exim_exec_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Read exim PID files.
++##     Read generated exim configuration
 +## </summary>
 +## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
++##     <summary>
++##         Domain allowed access.
++##     </summary>
 +## </param>
 +#
-+interface(`exim_read_pid_files',`
++interface(`exim_read_lib',`
 +	gen_require(`
-+		type exim_var_run_t;
++		type exim_lib_t;
 +	')
 +
-+	files_search_pids($1)
-+	allow $1 exim_var_run_t:file r_file_perms;
++        files_search_var_lib($1)
++	read_files_pattern($1, exim_lib_t, exim_lib_t);
 +')
 +
 +########################################
 +## <summary>
-+##	Manage exim var_run files.
++##     Manage generated exim configuration
 +## </summary>
 +## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
++##     <summary>
++##         Domain allowed access.
++##     </summary>
 +## </param>
 +#
-+interface(`exim_manage_var_run',`
++interface(`exim_manage_lib',`
 +	gen_require(`
-+		type exim_var_run_t;
++		type exim_lib_t;
 +	')
 +
-+         manage_dir_perms($1,exim_var_run_t,exim_var_run_t)
-+         manage_file_perms($1,exim_var_run_t,exim_var_run_t)
-+         manage_lnk_file_perms($1,exim_var_run_t,exim_var_run_t)
++        files_search_var_lib($1)
++	manage_files_pattern($1, exim_lib_t, exim_lib_t);
 +')
 +
-+
 +########################################
 +## <summary>
-+##	Allow the specified domain to read exim's log files.
++##     Grants readonly access to Exim logs
 +## </summary>
 +## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
++##     <summary>
++##         Domain allowed access.
++##     </summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`exim_read_log',`
++interface(`exim_read_logs',`
 +	gen_require(`
 +		type exim_log_t;
 +	')
 +
-+	logging_search_logs($1)
-+	allow $1 exim_log_t:dir r_dir_perms;
-+	allow $1 exim_log_t:file { read getattr lock };
++	files_search_var($1)
++	read_files_pattern($1, exim_log_t, exim_log_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Allow the specified domain to append
-+##	exim log files.
++##     Manage exim logs
 +## </summary>
 +## <param name="domain">
-+## 	<summary>
-+##	Domain allowed to transition.
-+## 	</summary>
-+## </param>
-+#
-+interface(`exim_append_log',`
-+	gen_require(`
-+		type var_log_t, exim_log_t;
-+	')
-+
-+	logging_search_logs($1)
-+	allow $1 exim_log_t:dir r_dir_perms;
-+	allow $1 exim_log_t:file { getattr append };
-+')
-+
-+########################################
-+## <summary>
-+##	Allow domain to manage exim log files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
++##     <summary>
++##         Domain allowed access.
++##     </summary>
 +## </param>
 +#
-+interface(`exim_manage_log',`
++interface(`exim_manage_logs',`
 +	gen_require(`
 +		type exim_log_t;
 +	')
 +
-+         manage_dir_perms($1,exim_log_t,exim_log_t)
-+         manage_file_perms($1,exim_log_t,exim_log_t)
-+         manage_lnk_file_perms($1,exim_log_t,exim_log_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Search exim spool directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`exim_search_spool',`
-+	gen_require(`
-+		type exim_spool_t;
-+	')
-+
-+	allow $1 exim_spool_t:dir search_dir_perms;
-+	files_search_spool($1)
++	files_search_var($1)
++	manage_files_pattern($1, exim_log_t, exim_log_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Read exim spool files.
++##     Read contents of exim spool
 +## </summary>
 +## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
++##     <summary>
++##         Domain allowed access.
++##     </summary>
 +## </param>
 +#
-+interface(`exim_read_spool_files',`
++interface(`exim_read_spool',`
 +	gen_require(`
 +		type exim_spool_t;
 +	')
 +
-+	allow $1 exim_spool_t:file r_file_perms;
-+	allow $1 exim_spool_t:dir list_dir_perms;
 +	files_search_spool($1)
++	list_dirs_pattern($1, exim_spool_t, exim_spool_t)
++	read_files_pattern($1, exim_spool_t, exim_spool_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Create, read, write, and delete
-+##	exim spool files.
++##     Modify/delete contents of exim mail spool
 +## </summary>
 +## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
++##     <summary>
++##         Domain allowed access.
++##     </summary>
 +## </param>
 +#
-+interface(`exim_manage_spool_files',`
++interface(`exim_manage_spool',`
 +	gen_require(`
 +		type exim_spool_t;
 +	')
 +
-+	allow $1 exim_spool_t:file manage_file_perms;
-+	allow $1 exim_spool_t:dir rw_dir_perms;
 +	files_search_spool($1)
++	manage_dirs_pattern($1, exim_spool_t, exim_spool_t)
++	manage_files_pattern($1, exim_spool_t, exim_spool_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Allow domain to manage exim spool files
++##     Create an exim mail spool (implies creating dirs in var_spool_t).
 +## </summary>
 +## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
++##     <summary>
++##         Domain allowed access.
++##     </summary>
 +## </param>
 +#
-+interface(`exim_manage_spool',`
++interface(`exim_create_spool',`
 +	gen_require(`
++		type var_spool_t;
 +		type exim_spool_t;
 +	')
 +
-+         manage_dir_perms($1,exim_spool_t,exim_spool_t)
-+         manage_file_perms($1,exim_spool_t,exim_spool_t)
-+         manage_lnk_file_perms($1,exim_spool_t,exim_spool_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+##	All of the rules required to administrate an exim environment
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed to manage the exim domain.
-+##	</summary>
-+## </param>
-+## <param name="terminal">
-+##	<summary>
-+##	The type of the terminal allow the dmidecode domain to use.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`exim_admin',`
-+	gen_require(`
-+		type exim_t;
-+	')
-+
-+	allow $1 exim_t:process { ptrace signal_perms getattr };
-+	read_files_pattern($1, exim_t, exim_t)
-+	        
-+
-+	# Allow $1 to restart the apache service
-+	exim_script_domtrans($1)
-+	domain_system_change_exemption($1)
-+	role_transition $2 exim_script_exec_t system_r;
-+	allow $2 system_r;
-+
-+	exim_manage_tmp($1)
-+
-+	exim_manage_var_run($1)
-+
-+	exim_manage_log($1)
-+
-+	exim_manage_spool($1)
-+
++	create_dirs_pattern($1, var_spool_t, exim_spool_t)
++	filetrans_pattern($1, var_spool_t, exim_spool_t, dir)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.0.8/policy/modules/services/exim.te
 --- nsaserefpolicy/policy/modules/services/exim.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.te	2007-09-17 16:20:18.000000000 -0400
-@@ -0,0 +1,108 @@
-+policy_module(exim,1.0.0)
++++ serefpolicy-3.0.8/policy/modules/services/exim.te	2007-09-28 13:40:05.000000000 -0400
+@@ -0,0 +1,226 @@
++# $Id$
++# Draft SELinux refpolicy module for the Exim MTA
++# 
++# Devin Carraway <selinux/at/devin.com>
++
++policy_module(exim, 1.0.0)
 +
 +########################################
 +#
@@ -6149,14 +6052,15 @@
 +
 +type exim_t;
 +type exim_exec_t;
-+domain_type(exim_t)
-+init_daemon_domain(exim_t, exim_exec_t)
++mta_mailserver(exim_t, exim_exec_t)
++mta_mailserver_user_agent(exim_t)
++mta_mailclient(exim_exec_t)
 +
 +type exim_script_exec_t;
 +init_script_type(exim_script_exec_t)
 +
-+type exim_tmp_t;
-+files_tmp_file(exim_tmp_t)
++type exim_spool_t;
++files_type(exim_spool_t)
 +
 +type exim_var_run_t;
 +files_pid_file(exim_var_run_t)
@@ -6164,78 +6068,151 @@
 +type exim_log_t;
 +logging_log_file(exim_log_t)
 +
-+type exim_spool_t;
-+files_type(exim_spool_t)
-+
 +########################################
 +#
-+# exim local policy
++# exim booleans
 +#
 +
-+allow exim_t self:capability { dac_override dac_read_search setuid setgid };
-+
-+## internal communication is often done using fifo and unix sockets.
-+allow exim_t self:fifo_file rw_file_perms;
-+allow exim_t self:unix_stream_socket create_stream_socket_perms;
-+
-+allow exim_t exim_tmp_t:file manage_file_perms;
-+allow exim_t exim_tmp_t:dir create_dir_perms;
-+files_tmp_filetrans(exim_t,exim_tmp_t, { file dir })
-+
-+allow exim_t exim_var_run_t:file manage_file_perms;
-+allow exim_t exim_var_run_t:dir manage_dir_perms;
-+files_pid_filetrans(exim_t,exim_var_run_t, { file dir })
-+
-+allow exim_t exim_log_t:file manage_file_perms;
-+allow exim_t exim_log_t:dir { rw_dir_perms setattr };
-+logging_log_filetrans(exim_t,exim_log_t,{ file dir })
-+
-+allow exim_t exim_spool_t:dir manage_dir_perms;
-+allow exim_t exim_spool_t:file manage_file_perms;
-+allow exim_t exim_spool_t:sock_file create_file_perms;
-+files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file })
++## <desc>
++## <p>
++##     Allow exim to connect to databases (postgres, mysql)
++## </p>
++## </desc>
++gen_tunable(exim_can_connect_db, false)
 +
-+auth_use_nsswitch(exim_t)
++## <desc>
++## <p>
++##     Allow exim to read files in users homedirectories
++## </p>
++## </desc>
++gen_tunable(exim_read_user_files, false)
 +
-+can_exec(exim_t,exim_exec_t)
++## <desc>
++## <p>
++##     Allow exim to manage files in users homedirectories
++## </p>
++## </desc>
++gen_tunable(exim_manage_user_files, false)
 +
-+# Init script handling
-+domain_use_interactive_fds(exim_t)
++########################################
++#
++# exim local policy
++#
 +
-+files_read_etc_files(exim_t)
++allow exim_t self:capability { sys_resource dac_override dac_read_search setuid setgid fowner chown };
++allow exim_t self:process { setrlimit setpgid };
++allow exim_t self:fifo_file rw_file_perms;
++allow exim_t self:tcp_socket create_stream_socket_perms;
++allow exim_t self:udp_socket create_socket_perms;
++allow exim_t self:unix_stream_socket create_stream_socket_perms;
 +
-+sysnet_dns_name_resolve(exim_t)
 +corenet_all_recvfrom_unlabeled(exim_t)
-+
-+allow exim_t self:tcp_socket create_stream_socket_perms;
++corenet_all_recvfrom_netlabel(exim_t)
++corenet_udp_sendrecv_all_if(exim_t)
++corenet_udp_sendrecv_all_nodes(exim_t)
 +corenet_tcp_sendrecv_all_if(exim_t)
 +corenet_tcp_sendrecv_all_nodes(exim_t)
-+corenet_tcp_sendrecv_all_ports(exim_t)
 +corenet_tcp_bind_all_nodes(exim_t)
-+corenet_tcp_bind_smtp_port(exim_t)
 +corenet_tcp_bind_amavisd_send_port(exim_t)
++corenet_tcp_bind_smtp_port(exim_t)
++corenet_tcp_connect_smtp_port(exim_t)
++corenet_tcp_sendrecv_smtp_port(exim_t)
++corenet_sendrecv_smtp_server_packets(exim_t)
++corenet_sendrecv_all_client_packets(exim_t)
++
++# make identd connections
 +corenet_tcp_connect_auth_port(exim_t)
-+corenet_tcp_connect_inetd_child_port(exim_t)
++corenet_tcp_sendrecv_auth_port(exim_t)
 +
-+corecmd_search_bin(exim_t)
++# connect to spamassassin
++corenet_tcp_connect_spamd_port(exim_t)
++corenet_tcp_sendrecv_spamd_port(exim_t)
 +
 +libs_use_ld_so(exim_t)
++libs_read_lib_files(exim_t)
++libs_exec_lib_files(exim_t)
 +libs_use_shared_libs(exim_t)
-+logging_send_syslog_msg(exim_t)
++libs_legacy_use_shared_libs(exim_t)
 +
-+miscfiles_read_localization(exim_t)
++# PID files
++manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
++files_pid_filetrans(exim_t, exim_var_run_t, file)
++
++auth_use_nsswitch(exim_t)
++
++# Exim uses BerkeleyDB, which checks /var/tmp but doesn't actually use it
++files_dontaudit_getattr_tmp_dirs(exim_t)
++files_search_usr(exim_t)
++files_search_var(exim_t)
++files_read_etc_files(exim_t)
 +
 +kernel_read_kernel_sysctls(exim_t)
++kernel_dontaudit_read_system_state(exim_t)
++
++miscfiles_read_localization(exim_t)
++miscfiles_read_certs(exim_t)
 +
-+mta_mailclient(exim_exec_t)
 +mta_read_aliases(exim_t)
++mta_read_config(exim_t)
 +mta_rw_spool(exim_t)
++mta_mailserver_delivery(exim_t)
++
++# Init script handling
++domain_use_interactive_fds(exim_t)
 +
-+userdom_dontaudit_search_sysadm_home_dirs(exim_t)
-+userdom_dontaudit_search_generic_user_home_dirs(exim_t)
++can_exec(exim_t,exim_exec_t)
 +
-+bool exim_read_user_files false;
-+bool exim_manage_user_files false;
++exim_create_spool(exim_t)
++exim_manage_spool(exim_t)
++allow exim_t exim_spool_t:sock_file create_file_perms;
++files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file })
++
++## logging
++logging_send_syslog_msg(exim_t)
++exim_manage_logs(exim_t)
++logging_log_filetrans(exim_t, exim_log_t, { file dir })
++
++corecmd_search_bin(exim_t)
++
++# TLS sessions need entropy
++dev_read_urand(exim_t)
++dev_read_rand(exim_t)
++
++tunable_policy(`exim_can_connect_db',`
++	corenet_tcp_connect_mysqld_port(exim_t)
++	corenet_sendrecv_mysqld_client_packets(exim_t)
++        corenet_tcp_connect_postgresql_port(exim_t)
++        corenet_sendrecv_postgresql_client_packets(exim_t)
++')
++
++optional_policy(`
++	tunable_policy(`exim_can_connect_db',`
++		mysql_stream_connect(exim_t)
++	')
++')
++
++optional_policy(`
++	tunable_policy(`exim_can_connect_db',`
++		postgresql_stream_connect(exim_t)
++	')
++')
++
++optional_policy(`
++	mailman_read_data_files(exim_t)
++	mailman_domtrans(exim_t)
++')
++
++optional_policy(`
++	procmail_domtrans(exim_t)
++')
++
++optional_policy(`
++	sasl_connect(exim_t)
++')
++
++optional_policy(`
++	cyrus_stream_connect(exim_t)
++')
 +
 +if (exim_read_user_files) {
 +   userdom_read_unpriv_users_home_content_files(exim_t)
@@ -6248,6 +6225,45 @@
 +   userdom_write_unpriv_users_tmp_files(exim_t)
 +}
 +
++## receipt & validation
++
++optional_policy(`
++	clamav_domtrans_clamscan(exim_t)
++	clamav_stream_connect(exim_t)
++')
++
++optional_policy(`
++	spamassassin_exec(exim_t)
++	spamassassin_exec_client(exim_t)
++')
++
++# courier authdaemon; authdaemon doesn't have a type for its UNIX domain
++# socket, nor a public interface for it yet.
++ifdef(`TODO', `
++optional_policy(`
++	gen_require(`
++		type courier_var_run_t;
++	')
++	files_search_pids(exim_t)
++	stream_connect_pattern(exim_t, courier_var_run_t, courier_var_run_t)
++')
++')
++
++# Debian uses a template based config generator which generates config
++# files under /var
++ifdef(`distro_debian',`
++	type exim_lib_t;
++	files_config_file(exim_lib_t)
++	exim_read_lib(exim_t)
++
++	type exim_lib_update_t;
++	type exim_lib_update_exec_t;
++	init_domain(exim_lib_update_t, exim_lib_update_exec_t)
++	domain_entry_file(exim_lib_update_t, exim_lib_update_exec_t)
++	mta_read_lib(exim_lib_update_t)
++	exim_manage_var_lib(exim_lib_update_t)
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.0.8/policy/modules/services/ftp.if
 --- nsaserefpolicy/policy/modules/services/ftp.if	2007-05-29 14:10:57.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/ftp.if	2007-09-24 15:42:55.000000000 -0400
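Review bot: In the new exim.te the distro_debian block calls `exim_manage_var_lib(exim_lib_update_t)` but exim.if defines `exim_manage_lib`, and the same block declares `exim_lib_update_exec_t` while exim.fc labels update-exim4.conf as `exim_conf_update_exec_t`, so a Debian build would fail on the undefined interface and the file context would name an undeclared type; the names need to agree (`exim_manage_lib(exim_lib_update_t)` and one exec type shared by both files). `mta_read_lib(exim_lib_update_t)` in that block is not defined anywhere visible in this patch either, so it is worth confirming it exists in the base policy. In exim.if, `read_files_pattern($1, exim_lib_t, exim_lib_t);` and `manage_files_pattern($1, exim_lib_t, exim_lib_t);` carry trailing semicolons that no other interface in the file uses; drop them, since the pattern macros already expand to terminated rules. The exim_can_connect_db tunable block and the two lib interfaces also mix tabs and spaces for indentation.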
@@ -6272,7 +6288,7 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.8/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/ftp.te	2007-09-24 15:47:19.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ftp.te	2007-09-27 15:13:40.000000000 -0400
 @@ -88,6 +88,7 @@
  allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
  allow ftpd_t self:tcp_socket create_stream_socket_perms;
@@ -6281,7 +6297,15 @@
  
  allow ftpd_t ftpd_etc_t:file read_file_perms;
  
-@@ -157,6 +158,7 @@
+@@ -122,6 +123,7 @@
+ 
+ kernel_read_kernel_sysctls(ftpd_t)
+ kernel_read_system_state(ftpd_t)
++kernel_search_network_state(ftpd_t)
+ 
+ dev_read_sysfs(ftpd_t)
+ dev_read_urand(ftpd_t)
+@@ -157,6 +159,7 @@
  
  auth_use_nsswitch(ftpd_t)
  auth_domtrans_chk_passwd(ftpd_t)
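Review bot: `kernel_search_network_state(ftpd_t)` is added with no comment saying which /proc/net lookup the daemon makes, so the next person auditing ftpd_t's kernel access cannot tell whether it is still needed. A one-line why-comment above it, e.g. `# ftpd walks /proc/net/* — confirm which file produced the denial`, would keep the grant reviewable. The rest of the ftpd_t body lies outside the hunk.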
@@ -6289,7 +6313,7 @@
  # Append to /var/log/wtmp.
  auth_append_login_records(ftpd_t)
  #kerberized ftp requires the following
-@@ -168,7 +170,9 @@
+@@ -168,7 +171,9 @@
  libs_use_ld_so(ftpd_t)
  libs_use_shared_libs(ftpd_t)
  
@@ -6299,7 +6323,7 @@
  
  miscfiles_read_localization(ftpd_t)
  miscfiles_read_public_files(ftpd_t)
-@@ -217,6 +221,11 @@
+@@ -217,6 +222,11 @@
  	userdom_manage_all_users_home_content_dirs(ftpd_t)
  	userdom_manage_all_users_home_content_files(ftpd_t)
  	userdom_manage_all_users_home_content_symlinks(ftpd_t)
@@ -6311,7 +6335,7 @@
  ')
  
  tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -252,7 +261,10 @@
+@@ -252,7 +262,10 @@
  ')
  
  optional_policy(`
@@ -6922,7 +6946,7 @@
 +/etc/rc\.d/init\.d/mysqld	--	gen_context(system_u:object_r:mysqld_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.0.8/policy/modules/services/mysql.if
 --- nsaserefpolicy/policy/modules/services/mysql.if	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mysql.if	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mysql.if	2007-09-28 14:29:45.000000000 -0400
 @@ -157,3 +157,79 @@
  	logging_search_logs($1)
  	allow $1 mysqld_log_t:file { write append setattr ioctl };
@@ -6979,29 +7003,29 @@
 +		type mysqld_script_exec_t;
 +	')
 +
-+	allow $1 mysqld_t:process { ptrace signal_perms getattr };
++	allow $2 mysqld_t:process { ptrace signal_perms getattr };
 +	read_files_pattern($1, mysqld_t, mysqld_t)
 +	
-+	# Allow $1 to restart the apache service
-+	mysql_script_domtrans($1)
-+	domain_system_change_exemption($1)
++	# Allow $2 to restart the apache service
++	mysql_script_domtrans($2)
++	domain_system_change_exemption($2)
 +	role_transition $2 mysqld_script_exec_t system_r;
-+	allow $2 system_r;
++	allow $3 system_r;
 +
-+	manage_dirs_pattern($1,mysqld_var_run_t,mysqld_var_run_t)
-+	manage_files_pattern($1,mysqld_var_run_t,mysqld_var_run_t)
++	manage_dirs_pattern($2,mysqld_var_run_t,mysqld_var_run_t)
++	manage_files_pattern($2,mysqld_var_run_t,mysqld_var_run_t)
 +
-+	manage_dirs_pattern($1,mysqld_db_t,mysqld_db_t)
-+	manage_files_pattern($1,mysqld_db_t,mysqld_db_t)
++	manage_dirs_pattern($2,mysqld_db_t,mysqld_db_t)
++	manage_files_pattern($2,mysqld_db_t,mysqld_db_t)
 +
-+	manage_dirs_pattern($1,mysqld_etc_t,mysqld_etc_t)
-+	manage_files_pattern($1,mysqld_etc_t,mysqld_etc_t)
++	manage_dirs_pattern($2,mysqld_etc_t,mysqld_etc_t)
++	manage_files_pattern($2,mysqld_etc_t,mysqld_etc_t)
 +
-+	manage_dirs_pattern($1,mysqld_log_t,mysqld_log_t)
-+	manage_files_pattern($1,mysqld_log_t,mysqld_log_t)
++	manage_dirs_pattern($2,mysqld_log_t,mysqld_log_t)
++	manage_files_pattern($2,mysqld_log_t,mysqld_log_t)
 +
-+	manage_dirs_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
-+	manage_files_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
++	manage_dirs_pattern($2,mysqld_tmp_t,mysqld_tmp_t)
++	manage_files_pattern($2,mysqld_tmp_t,mysqld_tmp_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.0.8/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te	2007-07-25 10:37:42.000000000 -0400
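Review bot: `role_transition $2 mysqld_script_exec_t system_r;` (unchanged, between the rewritten `domain_system_change_exemption($2)` and `allow $3 system_r;`) still names `$2`, but role_transition's first operand is a role, and after this rewrite `$2` is the admin domain (see `allow $2 mysqld_t:process`) while the role is `$3`; if that reading is right the line should become `role_transition $3 mysqld_script_exec_t system_r;`, otherwise the interface will not compile. `read_files_pattern($1, mysqld_t, mysqld_t)` is also the only rule left on `$1`, whereas the parallel postgresql.if hunk below moved its counterpart to `$2`, so one of the two is inconsistent. The comment `# Allow $2 to restart the apache service` is a copy-paste leftover and should name the mysql service. The same role_transition and "apache" issues apply to the postgresql_admin hunk further down; the interface headers of both lie outside their hunks.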
@@ -7995,7 +8019,7 @@
 +/etc/rc\.d/init\.d/postgresql	--	gen_context(system_u:object_r:postgresql_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.0.8/policy/modules/services/postgresql.if
 --- nsaserefpolicy/policy/modules/services/postgresql.if	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/postgresql.if	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/postgresql.if	2007-09-28 14:30:18.000000000 -0400
 @@ -113,3 +113,77 @@
          # Some versions of postgresql put the sock file in /tmp
  	allow $1 postgresql_tmp_t:sock_file write;
@@ -8050,29 +8074,29 @@
 +		type postgresql_log_t;
 +	')
 +
-+	allow $1 postgresql_t:process { ptrace signal_perms getattr };
-+	read_files_pattern($1, postgresql_t, postgresql_t)
++	allow $2 postgresql_t:process { ptrace signal_perms getattr };
++	read_files_pattern($2, postgresql_t, postgresql_t)
 +
-+	# Allow $1 to restart the apache service
-+	postgresql_script_domtrans($1)
-+	domain_system_change_exemption($1)
++	# Allow $2 to restart the apache service
++	postgresql_script_domtrans($2)
++	domain_system_change_exemption($2)
 +	role_transition $2 postgresql_script_exec_t system_r;
-+	allow $2 system_r;
++	allow $3 system_r;
 +
-+	manage_dirs_pattern($1,postgresql_var_run_t,postgresql_var_run_t)
-+	manage_files_pattern($1,postgresql_var_run_t,postgresql_var_run_t)
++	manage_dirs_pattern($2,postgresql_var_run_t,postgresql_var_run_t)
++	manage_files_pattern($2,postgresql_var_run_t,postgresql_var_run_t)
 +
-+	manage_dirs_pattern($1,postgresql_db_t,postgresql_db_t)
-+	manage_files_pattern($1,postgresql_db_t,postgresql_db_t)
++	manage_dirs_pattern($2,postgresql_db_t,postgresql_db_t)
++	manage_files_pattern($2,postgresql_db_t,postgresql_db_t)
 +
-+	manage_dirs_pattern($1,postgresql_etc_t,postgresql_etc_t)
-+	manage_files_pattern($1,postgresql_etc_t,postgresql_etc_t)
++	manage_dirs_pattern($2,postgresql_etc_t,postgresql_etc_t)
++	manage_files_pattern($2,postgresql_etc_t,postgresql_etc_t)
 +
-+	manage_dirs_pattern($1,postgresql_log_t,postgresql_log_t)
-+	manage_files_pattern($1,postgresql_log_t,postgresql_log_t)
++	manage_dirs_pattern($2,postgresql_log_t,postgresql_log_t)
++	manage_files_pattern($2,postgresql_log_t,postgresql_log_t)
 +
-+	manage_dirs_pattern($1,postgresql_tmp_t,postgresql_tmp_t)
-+	manage_files_pattern($1,postgresql_tmp_t,postgresql_tmp_t)
++	manage_dirs_pattern($2,postgresql_tmp_t,postgresql_tmp_t)
++	manage_files_pattern($2,postgresql_tmp_t,postgresql_tmp_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.0.8/policy/modules/services/postgresql.te
 --- nsaserefpolicy/policy/modules/services/postgresql.te	2007-07-25 10:37:42.000000000 -0400
@@ -9347,7 +9371,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te	2007-09-26 11:12:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te	2007-09-26 17:41:34.000000000 -0400
 @@ -67,6 +67,7 @@
  corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
  
@@ -10562,7 +10586,7 @@
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if	2007-09-25 10:59:20.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if	2007-09-27 15:46:41.000000000 -0400
 @@ -26,7 +26,8 @@
  	type $1_chkpwd_t, can_read_shadow_passwords;
  	application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -10594,7 +10618,7 @@
  
  	domain_type($1)
  	domain_subj_id_change_exemption($1)
-@@ -176,11 +178,28 @@
+@@ -176,11 +178,32 @@
  	domain_obj_id_change_exemption($1)
  	role system_r types $1;
  
@@ -10616,6 +10640,10 @@
  	# for SSP/ProPolice
  	dev_read_urand($1)
  
++	# for fingerprint readers
++	dev_rw_input_dev($1)
++	dev_rw_generic_usb_dev($1)
++
  	files_read_etc_files($1)
  
 +	fs_list_auto_mountpoints($1)
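Review bot: `dev_rw_input_dev($1)` and `dev_rw_generic_usb_dev($1)` are granted unconditionally to every domain built from this template (its header is outside the hunk), so every login program gets read/write on all input-event device nodes and generic USB devices, not only the fingerprint reader the comment mentions. Consider gating the pair behind a tunable or an optional_policy block, or labelling the reader with its own device type so only that node is exposed. At minimum the comment should state the breadth: `# for fingerprint readers; grants rw on all input and generic usb devices`.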
@@ -10623,7 +10651,7 @@
  	selinux_get_fs_mount($1)
  	selinux_validate_context($1)
  	selinux_compute_access_vector($1)
-@@ -196,22 +215,33 @@
+@@ -196,22 +219,33 @@
  	mls_fd_share_all_levels($1)
  
  	auth_domtrans_chk_passwd($1)
@@ -10658,7 +10686,7 @@
  	')
  ')
  
-@@ -309,9 +339,6 @@
+@@ -309,9 +343,6 @@
  		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
  	')
  
@@ -10668,7 +10696,7 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
  
-@@ -329,6 +356,8 @@
+@@ -329,6 +360,8 @@
  
  	optional_policy(`
  		kerberos_use($1)
@@ -10677,7 +10705,7 @@
  	')
  
  	optional_policy(`
-@@ -347,6 +376,37 @@
+@@ -347,6 +380,37 @@
  
  ########################################
  ## <summary>
@@ -10715,7 +10743,7 @@
  ##	Get the attributes of the shadow passwords file.
  ## </summary>
  ## <param name="domain">
-@@ -695,6 +755,24 @@
+@@ -695,6 +759,24 @@
  
  ########################################
  ## <summary>
@@ -10740,7 +10768,7 @@
  ##	Execute pam programs in the PAM domain.
  ## </summary>
  ## <param name="domain">
-@@ -1318,14 +1396,9 @@
+@@ -1318,14 +1400,9 @@
  ## </param>
  #
  interface(`auth_use_nsswitch',`
@@ -10755,7 +10783,7 @@
  	files_list_var_lib($1)
  
  	miscfiles_read_certs($1)
-@@ -1347,6 +1420,8 @@
+@@ -1347,6 +1424,8 @@
  
  	optional_policy(`
  		samba_stream_connect_winbind($1)
@@ -10764,7 +10792,7 @@
  	')
  ')
  
-@@ -1381,3 +1456,163 @@
+@@ -1381,3 +1460,163 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -11628,7 +11656,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.0.8/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/ipsec.te	2007-09-24 10:16:55.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/ipsec.te	2007-09-27 11:30:18.000000000 -0400
 @@ -56,7 +56,6 @@
  allow ipsec_t self:capability { net_admin dac_override dac_read_search };
  dontaudit ipsec_t self:capability sys_tty_config;
@@ -11676,7 +11704,7 @@
  
  # manage pid file
  manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
-@@ -299,6 +294,8 @@
+@@ -299,11 +294,15 @@
  
  allow racoon_t ipsec_spd_t:association setcontext;
  
@@ -11685,6 +11713,13 @@
  kernel_read_network_state(racoon_t)
  
  corenet_all_recvfrom_unlabeled(racoon_t)
+ corenet_tcp_bind_all_nodes(racoon_t)
+ corenet_udp_bind_isakmp_port(racoon_t)
++corenet_udp_bind_all_nodes(racoon_t)
++corenet_udp_sendrecv_all_if(racoon_t)
+ 
+ dev_read_urand(racoon_t)
+ 
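Review bot: `corenet_udp_sendrecv_all_if(racoon_t)` goes further than the changelog's "bind to all nodes" — it is a send/receive grant across all interfaces, and neither new line carries a reason. A short comment above the pair, e.g. `# racoon binds the wildcard address and answers ISAKMP on any interface — confirm against the AVC`, would tie the widening to the denial that motivated it.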
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.0.8/policy/modules/system/iptables.te
 --- nsaserefpolicy/policy/modules/system/iptables.te	2007-09-12 10:34:51.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/iptables.te	2007-09-17 16:20:18.000000000 -0400
@@ -11924,7 +11959,7 @@
 +/etc/rc\.d/init\.d/auditd	--	gen_context(system_u:object_r:auditd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.8/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.if	2007-09-20 15:21:10.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/logging.if	2007-09-28 14:33:08.000000000 -0400
 @@ -33,8 +33,27 @@
  ## </param>
  #
@@ -12018,16 +12053,22 @@
  ##	Create an object in the log directory, with a private
  ##	type using a type transition.
  ## </summary>
-@@ -470,7 +546,7 @@
+@@ -465,12 +541,11 @@
+ interface(`logging_read_all_logs',`
+ 	gen_require(`
+ 		attribute logfile;
+-		type var_log_t;
+ 	')
  
  	files_search_var($1)
- 	allow $1 var_log_t:dir list_dir_perms;
+-	allow $1 var_log_t:dir list_dir_perms;
 -	read_files_pattern($1,var_log_t,logfile)
++	allow $1 logfile:dir list_dir_perms;
 +	read_files_pattern($1,logfile, logfile)
  ')
  
  ########################################
-@@ -514,6 +590,8 @@
+@@ -514,6 +589,8 @@
  	files_search_var($1)
  	manage_files_pattern($1,logfile,logfile)
  	read_lnk_files_pattern($1,logfile,logfile)
@@ -12036,7 +12077,7 @@
  ')
  
  ########################################
-@@ -597,3 +675,258 @@
+@@ -597,3 +674,258 @@
  	files_search_var($1)
  	manage_files_pattern($1,var_log_t,var_log_t)
  ')
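Review bot: `logging_read_all_logs` now lists directories through the `logfile` attribute and drops `var_log_t` from its gen_require, so /var/log itself stays listable only if var_log_t carries the `logfile` attribute; that is not shown here and is worth confirming, since otherwise callers keep read access to log files but lose the ability to list the top-level log directory. A comment on the new line would record the assumption: `# var_log_t is a logfile type, so this also covers /var/log itself`.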
@@ -12197,7 +12238,7 @@
 +## </param>
 +## <rolecap/>
 +#
-+template(`logging_audit_admin',`
++interface(`logging_audit_admin',`
 +
 +	gen_require(`
 +		type auditd_t;
@@ -12249,7 +12290,7 @@
 +## </param>
 +## <rolecap/>
 +#
-+template(`logging_syslog_admin',`
++interface(`logging_syslog_admin',`
 +
 +	gen_require(`
 +		type syslogd_t;
@@ -12297,7 +12338,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.8/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.te	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/logging.te	2007-09-27 11:25:28.000000000 -0400
 @@ -7,6 +7,10 @@
  #
  
@@ -12377,7 +12418,7 @@
  #
  
 -allow auditd_t self:capability { audit_write audit_control fsetid sys_nice sys_resource };
-+allow auditd_t self:capability { fsetid sys_nice sys_resource };
++allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
  dontaudit auditd_t self:capability sys_tty_config;
  allow auditd_t self:process { signal_perms setpgid setsched };
  allow auditd_t self:file { getattr read write };
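Review bot: `chown` joins auditd_t's self capability set without a comment, and unlike the capabilities removed on the line above it has no obvious counterpart elsewhere in the patch. Capability grants are the first thing reviewed on a daemon domain, so a why-comment above the line is warranted, e.g. `# chown: auditd changes ownership of its log files — confirm against the AVC`.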
@@ -12452,7 +12493,7 @@
  /etc/lvm/lock(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.0.8/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/lvm.te	2007-09-24 15:55:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/lvm.te	2007-10-01 10:41:59.000000000 -0400
 @@ -44,9 +44,9 @@
  # Cluster LVM daemon local policy
  #
@@ -12543,7 +12584,15 @@
  dontaudit lvm_t self:capability sys_tty_config;
  allow lvm_t self:process { sigchld sigkill sigstop signull signal };
  # LVM will complain a lot if it cannot set its priority.
-@@ -208,7 +218,6 @@
+@@ -160,6 +170,7 @@
+ allow lvm_t self:unix_dgram_socket create_socket_perms;
+ allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
++allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow lvm_t clvmd_t:unix_stream_socket connectto;
+ 
+ manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
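Review bot: `allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };` lets one lvm_t process connect to a stream socket another lvm_t process listens on, but nothing says which helper that is; the line below it, `allow lvm_t clvmd_t:unix_stream_socket connectto;`, shows the existing convention of naming the peer. A comment such as `# lvm tools connect to a daemon that also runs as lvm_t — name it here` would make the grant auditable.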
+@@ -208,7 +219,6 @@
  selinux_compute_user_contexts(lvm_t)
  
  dev_create_generic_chr_files(lvm_t)
@@ -12551,7 +12600,7 @@
  dev_read_rand(lvm_t)
  dev_read_urand(lvm_t)
  dev_rw_lvm_control(lvm_t)
-@@ -228,6 +237,8 @@
+@@ -228,6 +238,8 @@
  dev_dontaudit_getattr_generic_blk_files(lvm_t)
  dev_dontaudit_getattr_generic_pipes(lvm_t)
  dev_create_generic_dirs(lvm_t)
@@ -12560,7 +12609,7 @@
  
  fs_getattr_xattr_fs(lvm_t)
  fs_search_auto_mountpoints(lvm_t)
-@@ -246,6 +257,7 @@
+@@ -246,6 +258,7 @@
  storage_dev_filetrans_fixed_disk(lvm_t)
  # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
  storage_manage_fixed_disk(lvm_t)
@@ -12568,7 +12617,7 @@
  
  term_getattr_all_user_ttys(lvm_t)
  term_list_ptys(lvm_t)
-@@ -254,6 +266,7 @@
+@@ -254,6 +267,7 @@
  
  domain_use_interactive_fds(lvm_t)
  
@@ -12576,7 +12625,7 @@
  files_read_etc_files(lvm_t)
  files_read_etc_runtime_files(lvm_t)
  # for when /usr is not mounted:
-@@ -275,6 +288,8 @@
+@@ -275,6 +289,8 @@
  seutil_search_default_contexts(lvm_t)
  seutil_sigchld_newrole(lvm_t)
  
@@ -12585,7 +12634,7 @@
  ifdef(`distro_redhat',`
  	# this is from the initrd:
  	files_rw_isid_type_dirs(lvm_t)
-@@ -293,5 +308,14 @@
+@@ -293,5 +309,14 @@
  ')
  
  optional_policy(`
@@ -12600,6 +12649,18 @@
 +	xen_append_log(lvm_t)
 +	xen_dontaudit_rw_unix_stream_sockets(lvm_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.0.8/policy/modules/system/miscfiles.if
+--- nsaserefpolicy/policy/modules/system/miscfiles.if	2007-05-29 14:10:58.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/miscfiles.if	2007-09-27 15:33:47.000000000 -0400
+@@ -253,6 +253,8 @@
+ 	files_search_usr($1)
+ 
+ 	allow $1 man_t:dir setattr;
++	# 309351
++	allow $1 man_t:dir list_dir_perms;
+ 	delete_dirs_pattern($1,man_t,man_t)
+ 	delete_files_pattern($1,man_t,man_t)
+ 	delete_lnk_files_pattern($1,man_t,man_t)
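Review bot: `# 309351` is a bare number; a reader cannot tell whether it is a Bugzilla id or something else, nor why listing man_t directories is needed in an interface that otherwise only deletes. Spell it out, e.g. `# bz 309351: callers must be able to list man_t dirs before deleting stale entries` (the changelog entry about man_t suggests the tmp-reaping tool is the caller). The enclosing interface's header is outside the hunk.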
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.8/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2007-08-22 07:14:12.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/modutils.te	2007-09-17 16:20:18.000000000 -0400
@@ -13465,7 +13526,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.8/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te	2007-09-28 09:01:32.000000000 -0400
 @@ -45,7 +45,7 @@
  dontaudit dhcpc_t self:capability sys_tty_config;
  # for access("/etc/bashrc", X_OK) on Red Hat
@@ -13494,7 +13555,15 @@
  	optional_policy(`
  		networkmanager_dbus_chat(dhcpc_t)
  	')
-@@ -203,9 +208,7 @@
+@@ -177,6 +182,7 @@
+ 	')
+ ')
+ 
++
+ # for the dhcp client to run ping to check IP addresses
+ optional_policy(`
+ 	netutils_domtrans_ping(dhcpc_t)
+@@ -203,9 +209,7 @@
  ')
  
  optional_policy(`
@@ -13505,7 +13574,7 @@
  ')
  
  optional_policy(`
-@@ -216,6 +219,7 @@
+@@ -216,6 +220,7 @@
  optional_policy(`
  	seutil_sigchld_newrole(dhcpc_t)
  	seutil_dontaudit_search_config(dhcpc_t)
@@ -13513,7 +13582,7 @@
  ')
  
  optional_policy(`
-@@ -254,6 +258,7 @@
+@@ -254,6 +259,7 @@
  allow ifconfig_t self:sem create_sem_perms;
  allow ifconfig_t self:msgq create_msgq_perms;
  allow ifconfig_t self:msg { send receive };
@@ -13521,7 +13590,7 @@
  
  # Create UDP sockets, necessary when called from dhcpc
  allow ifconfig_t self:udp_socket create_socket_perms;
-@@ -280,6 +285,8 @@
+@@ -280,6 +286,8 @@
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
  
@@ -13530,6 +13599,14 @@
  term_dontaudit_use_all_user_ttys(ifconfig_t)
  term_dontaudit_use_all_user_ptys(ifconfig_t)
  
+@@ -332,3 +340,7 @@
+ 	xen_append_log(ifconfig_t)
+ 	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
+ ')
++
++optional_policy(`
++	unconfined_dontaudit_rw_pipes(ifconfig_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2007-09-12 10:34:51.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/udev.te	2007-09-25 15:03:25.000000000 -0400
@@ -13556,7 +13633,7 @@
 +/usr/bin/sbcl			    --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if	2007-09-24 15:31:00.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if	2007-09-28 09:00:54.000000000 -0400
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.536
retrieving revision 1.537
diff -u -r1.536 -r1.537
--- selinux-policy.spec	26 Sep 2007 22:01:27 -0000	1.536
+++ selinux-policy.spec	1 Oct 2007 17:03:12 -0000	1.537
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -298,13 +298,13 @@
 exit 0
 
 
-%triggerpostun targeted -- selinux-policy-targeted < 3.0.4-1
+%triggerpostun targeted -- selinux-policy-targeted < 3.0.8-14-1
 setsebool -P use_nfs_home_dirs=1
-restorecon -R /root /etc/selinux/targeted 2> /dev/null
 semanage login -m -s "system_u" __default__ 2> /dev/null
 semanage user -a -P unconfined -R "unconfined_r system_r" unconfined_u 2> /dev/null
-semanage user -a -P guest -R guest_r guest_u 2> /dev/null
+semanage user -a -P guest -R guest_r guest_u 2> /dev/null 
 semanage user -a -P xguest -R xguest_r xguest_u 2> /dev/null
+restorecon -R /root /etc/selinux/targeted 2> /dev/null
 exit 0
 
 %files targeted
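Review bot: `%triggerpostun targeted -- selinux-policy-targeted < 3.0.8-14-1` carries two release components, which reads like a typo; rpm will still compare it, but whether `< 3.0.8-14` or `< 3.0.8-15` was meant decides on which upgrades the semanage and restorecon commands re-run, so please confirm the intended bound. The rewritten `semanage user -a -P guest ...` line differs from the removed one only by a trailing space and could be dropped from the change. Moving `restorecon -R /root /etc/selinux/targeted` after the semanage calls looks intentional and is fine.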
@@ -365,6 +365,11 @@
 %endif
 
 %changelog
+* Thu Sep 24 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-15
+- Allow tmpreadper to read man_t
+- Allow racoon to bind to all nodes
+- Fixes for finger print reader
+
 * Tue Sep 24 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-14
 - Allow xdm to talk to input device (fingerprint reader)
 - Allow octave to run as java



