rpms/selinux-policy/F-7 policy-20070501.patch,1.53,1.54
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue Sep 11 14:08:36 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv3239
Modified Files:
policy-20070501.patch
Log Message:
* Mon Sep 10 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-42
- Allow modprobe to setsched on kernel
policy-20070501.patch:
Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.53
retrieving revision 1.54
diff -u -r1.53 -r1.54
--- policy-20070501.patch 10 Sep 2007 18:25:11 -0000 1.53
+++ policy-20070501.patch 11 Sep 2007 14:08:33 -0000 1.54
@@ -244,10 +244,76 @@
+ hal_write_log(alsa_t)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-2.6.4/policy/modules/admin/amanda.if
+--- nsaserefpolicy/policy/modules/admin/amanda.if 2007-05-07 14:51:04.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/admin/amanda.if 2007-09-11 09:15:10.000000000 -0400
+@@ -71,6 +71,26 @@
+
+ ########################################
+ ## <summary>
++## Search amanda var library directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`amanda_search_var_lib',`
++ gen_require(`
++ type amanda_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 amanda_var_lib_t:dir search_dir_perms;
++
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to read /etc/dumpdates.
+ ## </summary>
+ ## <param name="domain">
+@@ -141,3 +161,4 @@
+
+ allow $1 amanda_log_t:file { read_file_perms append_file_perms };
+ ')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.6.4/policy/modules/admin/amanda.te
--- nsaserefpolicy/policy/modules/admin/amanda.te 2007-05-07 14:51:05.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/admin/amanda.te 2007-08-07 09:42:34.000000000 -0400
-@@ -85,7 +85,7 @@
++++ serefpolicy-2.6.4/policy/modules/admin/amanda.te 2007-09-11 09:15:03.000000000 -0400
+@@ -1,5 +1,5 @@
+
+-policy_module(amanda,1.5.0)
++policy_module(amanda,1.6.1)
+
+ #######################################
+ #
+@@ -51,8 +51,7 @@
+ # type for amrecover
+ type amanda_recover_t;
+ type amanda_recover_exec_t;
+-domain_type(amanda_recover_t)
+-domain_entry_file(amanda_recover_t,amanda_recover_exec_t)
++application_domain(amanda_recover_t,amanda_recover_exec_t)
+ role system_r types amanda_recover_t;
+
+ # type for recover files ( restored data )
+@@ -70,12 +69,11 @@
+
+ allow amanda_t self:capability { chown dac_override setuid kill };
+ allow amanda_t self:process { setpgid signal };
+-allow amanda_t self:fifo_file { getattr read write ioctl lock };
++allow amanda_t self:fifo_file rw_fifo_file_perms;
+ allow amanda_t self:unix_stream_socket create_stream_socket_perms;
+ allow amanda_t self:unix_dgram_socket create_socket_perms;
+ allow amanda_t self:tcp_socket create_stream_socket_perms;
+ allow amanda_t self:udp_socket create_socket_perms;
+-allow amanda_t self:netlink_route_socket r_netlink_socket_perms;
+
+ # access to amanda_amandates_t
+ allow amanda_t amanda_amandates_t:file { getattr lock read write };
+@@ -85,18 +83,22 @@
# access to amandas data structure
allow amanda_t amanda_data_t:dir { read search write };
@@ -256,7 +322,12 @@
# access to amanda_dumpdates_t
allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
-@@ -97,6 +97,9 @@
+
+ can_exec(amanda_t,amanda_exec_t)
++can_exec(amanda_t,amanda_inetd_exec_t)
+
+ # access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
+ allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
@@ -266,6 +337,79 @@
manage_files_pattern(amanda_t,amanda_log_t,amanda_log_t)
manage_dirs_pattern(amanda_t,amanda_log_t,amanda_log_t)
logging_log_filetrans(amanda_t,amanda_log_t,{ file dir })
+@@ -105,6 +107,8 @@
+ manage_dirs_pattern(amanda_t,amanda_tmp_t,amanda_tmp_t)
+ files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
+
++auth_use_nsswitch(amanda_t)
++
+ kernel_read_system_state(amanda_t)
+ kernel_read_kernel_sysctls(amanda_t)
+ kernel_dontaudit_getattr_unlabeled_files(amanda_t)
+@@ -113,7 +117,8 @@
+ # Added for targeted policy
+ term_use_unallocated_ttys(amanda_t)
+
+-corenet_non_ipsec_sendrecv(amanda_t)
++corenet_all_recvfrom_unlabeled(amanda_t)
++corenet_all_recvfrom_netlabel(amanda_t)
+ corenet_tcp_sendrecv_all_if(amanda_t)
+ corenet_udp_sendrecv_all_if(amanda_t)
+ corenet_raw_sendrecv_all_if(amanda_t)
+@@ -150,8 +155,6 @@
+ libs_use_ld_so(amanda_t)
+ libs_use_shared_libs(amanda_t)
+
+-sysnet_read_config(amanda_t)
+-
+ optional_policy(`
+ auth_read_shadow(amanda_t)
+ ')
+@@ -160,14 +163,6 @@
+ logging_send_syslog_msg(amanda_t)
+ ')
+
+-optional_policy(`
+- nis_use_ypbind(amanda_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(amanda_t)
+-')
+-
+ ########################################
+ #
+ # Amanda recover local policy
+@@ -197,10 +192,13 @@
+ manage_sock_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
+ files_tmp_filetrans(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file fifo_file })
+
++auth_use_nsswitch(amanda_recover_t)
++
+ kernel_read_system_state(amanda_recover_t)
+ kernel_read_kernel_sysctls(amanda_recover_t)
+
+-corenet_non_ipsec_sendrecv(amanda_recover_t)
++corenet_all_recvfrom_unlabeled(amanda_recover_t)
++corenet_all_recvfrom_netlabel(amanda_recover_t)
+ corenet_tcp_sendrecv_all_if(amanda_recover_t)
+ corenet_udp_sendrecv_all_if(amanda_recover_t)
+ corenet_tcp_sendrecv_all_nodes(amanda_recover_t)
+@@ -232,14 +230,4 @@
+
+ miscfiles_read_localization(amanda_recover_t)
+
+-sysnet_read_config(amanda_recover_t)
+-
+ userdom_search_sysadm_home_content_dirs(amanda_recover_t)
+-
+-optional_policy(`
+- nis_use_ypbind(amanda_recover_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(amanda_recover_t)
+-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amtu.fc serefpolicy-2.6.4/policy/modules/admin/amtu.fc
--- nsaserefpolicy/policy/modules/admin/amtu.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/admin/amtu.fc 2007-08-07 09:42:34.000000000 -0400
@@ -1634,7 +1778,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in 2007-09-04 13:41:27.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in 2007-09-11 08:17:57.000000000 -0400
@@ -48,6 +48,11 @@
type reserved_port_t, port_type, reserved_port_type;
@@ -1673,15 +1817,16 @@
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
network_port(lmtp, tcp,24,s0, udp,24,s0)
network_port(mail, tcp,2000,s0)
-@@ -152,6 +158,7 @@
+@@ -152,13 +158,18 @@
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
network_port(vnc, tcp,5900,s0)
+network_port(wccp, udp,2048,s0)
network_port(xen, tcp,8002,s0)
++network_port(xfs, tcp,7100,s0)
network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
-@@ -159,6 +166,9 @@
+ network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
@@ -4175,7 +4320,7 @@
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.6.4/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cron.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/cron.te 2007-09-11 09:16:17.000000000 -0400
@@ -42,6 +42,9 @@
type cron_log_t;
logging_log_file(cron_log_t)
@@ -4268,7 +4413,7 @@
ifdef(`distro_debian',`
optional_policy(`
# Debian logcheck has the home dir set to its cache
-@@ -185,34 +209,9 @@
+@@ -185,40 +209,19 @@
locallogin_link_keys(crond_t)
')
@@ -4306,7 +4451,17 @@
tunable_policy(`fcron_crond', `
allow crond_t system_cron_spool_t:file manage_file_perms;
-@@ -232,11 +231,7 @@
+ ')
+
+ optional_policy(`
++ amanda_search_var_lib(crond_t)
++')
++
++optional_policy(`
+ amavis_search_lib(crond_t)
+ ')
+
+@@ -232,11 +235,7 @@
')
optional_policy(`
@@ -4319,7 +4474,7 @@
')
optional_policy(`
-@@ -258,25 +253,39 @@
+@@ -258,25 +257,39 @@
# System cron process domain
#
@@ -4363,7 +4518,7 @@
allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
allow system_crond_t self:process { signal_perms setsched };
allow system_crond_t self:fifo_file rw_fifo_file_perms;
-@@ -369,7 +378,7 @@
+@@ -369,7 +382,7 @@
init_read_utmp(system_crond_t)
init_dontaudit_rw_utmp(system_crond_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
@@ -4372,7 +4527,7 @@
libs_use_ld_so(system_crond_t)
libs_use_shared_libs(system_crond_t)
-@@ -428,6 +437,10 @@
+@@ -428,6 +441,10 @@
')
optional_policy(`
@@ -4385,7 +4540,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.6.4/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cups.fc 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/cups.fc 2007-09-11 08:58:55.000000000 -0400
@@ -8,6 +8,7 @@
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -4403,12 +4558,11 @@
/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
-@@ -52,3 +53,5 @@
+@@ -52,3 +53,4 @@
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/usr/local/Brother/lpd(/.*)? gen_context(system_u:object_r:cupsd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.6.4/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-08-07 09:42:35.000000000 -0400
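Review bot: Dropping the `/usr/local/Brother/lpd(/.*)? ... cupsd_exec_t` entry while keeping `/usr/local/Brother/inf(/.*)?` as cupsd_rw_etc_t leaves the Brother filter binaries with whatever the generic /usr patterns give them, so if cupsd still executes those filters the exec will now be denied unless a rule outside this hunk covers it. A comment on the surviving entry would record the intent, e.g. `# Brother driver config only; the lpd binaries are deliberately not labelled cupsd_exec_t`. The inner hunk header was adjusted to `+53,4`, which is consistent with the single remaining added line.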
@@ -5249,9 +5403,17 @@
files_search_home(inetd_child_t)
manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-2.6.4/policy/modules/services/kerberos.fc
+--- nsaserefpolicy/policy/modules/services/kerberos.fc 2007-05-07 14:50:57.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/kerberos.fc 2007-09-11 09:03:39.000000000 -0400
+@@ -16,3 +16,4 @@
+
+ /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
+ /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
++/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-2.6.4/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/kerberos.if 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/kerberos.if 2007-09-11 09:02:58.000000000 -0400
@@ -33,43 +33,10 @@
#
interface(`kerberos_use',`
@@ -5298,109 +5460,56 @@
')
########################################
-@@ -94,46 +61,47 @@
+@@ -94,6 +61,27 @@
########################################
## <summary>
--## Do not audit attempts to write the kerberos
--## configuration file (/etc/krb5.conf).
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain to not audit.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
++## </summary>
++## </param>
+## <rolecap/>
- #
--interface(`kerberos_dontaudit_write_config',`
++#
+interface(`kerberos_read_kdc_config',`
- gen_require(`
-- type krb5_conf_t;
++ gen_require(`
+ type krb5kdc_conf_t;
- ')
-
-- dontaudit $1 krb5_conf_t:file write;
++ ')
++
+ files_search_etc($1)
+ allow $1 krb5kdc_conf_t:file read_file_perms;
+
- ')
-
- ########################################
- ## <summary>
--## Read and write the kerberos configuration file (/etc/krb5.conf).
-+## Do not audit attempts to write the kerberos
-+## configuration file (/etc/krb5.conf).
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain to not audit.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
--interface(`kerberos_rw_config',`
-+interface(`kerberos_dontaudit_write_config',`
- gen_require(`
- type krb5_conf_t;
- ')
-
-- files_search_etc($1)
-- allow $1 krb5_conf_t:file rw_file_perms;
-+ dontaudit $1 krb5_conf_t:file write;
- ')
-
- ########################################
- ## <summary>
--## Read the kerberos key table.
-+## Read and write the kerberos configuration file (/etc/krb5.conf).
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -142,18 +110,18 @@
- ## </param>
- ## <rolecap/>
- #
--interface(`kerberos_read_keytab',`
-+interface(`kerberos_rw_config',`
- gen_require(`
-- type krb5_keytab_t;
-+ type krb5_conf_t;
- ')
-
- files_search_etc($1)
-- allow $1 krb5_keytab_t:file read_file_perms;
-+ allow $1 krb5_conf_t:file rw_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
-+## Read the kerberos key table.
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to write the kerberos
+ ## configuration file (/etc/krb5.conf).
## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -162,12 +130,11 @@
+@@ -162,12 +150,13 @@
## </param>
## <rolecap/>
#
-interface(`kerberos_read_kdc_config',`
-+interface(`kerberos_read_keytab',`
++interface(`kerberos_manage_host_rcache',`
gen_require(`
- type krb5kdc_conf_t;
-+ type krb5_keytab_t;
++ type krb5_host_rcache_t;
')
- files_search_etc($1)
+- files_search_etc($1)
- allow $1 krb5kdc_conf_t:file read_file_perms;
-
-+ allow $1 krb5_keytab_t:file read_file_perms;
++ files_search_tmp($1)
++ allow $1 self:process setfscreate;
++ seutil_read_file_contexts($1)
++ allow $1 krb5_host_rcache_t:file manage_file_perms;
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-2.6.4/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/kerberos.te 2007-09-04 11:12:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/kerberos.te 2007-09-11 09:02:16.000000000 -0400
@@ -5,6 +5,7 @@
#
# Declarations
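Review bot: The new `kerberos_manage_host_rcache` interface grants `allow $1 self:process setfscreate;` and `seutil_read_file_contexts($1)`, caller-wide side effects that go beyond managing the rcache files, yet its documentation block is reused unchanged from the replaced `kerberos_read_kdc_config` (only `## </param>` and `## <rolecap/>` are visible as context, so the summary above the hunk presumably still describes reading /etc/krb5kdc.conf). The summary should become `## Create, read, write and delete the kerberos host replay cache; also grants the caller setfscreate and read access to file_contexts.`, and `<rolecap/>` should be reconsidered for a service-side interface. The interface only gives `files_search_tmp($1)`, so a caller creating the cache in a tmp_t directory still needs write access on that directory; the rshd hunk apparently compensates with `files_manage_generic_tmp_dirs(rshd_t)` while the rlogind hunk adds nothing equivalent, so carrying a narrower directory rule here would keep callers from taking broad tmp permissions. Whether a type transition would be preferable to setfscreate depends on how the krb5 library labels the file, which this hunk does not show.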
@@ -5409,7 +5518,17 @@
## <desc>
## <p>
-@@ -62,7 +63,7 @@
+@@ -54,6 +55,9 @@
+ type krb5kdc_var_run_t;
+ files_pid_file(krb5kdc_var_run_t)
+
++type krb5_host_rcache_t;
++files_tmp_file(krb5_host_rcache_t)
++
+ ########################################
+ #
+ # kadmind local policy
+@@ -62,7 +66,7 @@
# Use capabilities. Surplus capabilities may be allowed.
allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
dontaudit kadmind_t self:capability sys_tty_config;
@@ -5418,7 +5537,7 @@
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
allow kadmind_t self:unix_dgram_socket { connect create write };
allow kadmind_t self:tcp_socket connected_stream_socket_perms;
-@@ -91,6 +92,7 @@
+@@ -91,6 +95,7 @@
kernel_read_kernel_sysctls(kadmind_t)
kernel_list_proc(kadmind_t)
kernel_read_proc_symlinks(kadmind_t)
@@ -5426,7 +5545,7 @@
corenet_non_ipsec_sendrecv(kadmind_t)
corenet_tcp_sendrecv_all_if(kadmind_t)
-@@ -117,6 +119,9 @@
+@@ -117,6 +122,9 @@
domain_use_interactive_fds(kadmind_t)
files_read_etc_files(kadmind_t)
@@ -5436,7 +5555,7 @@
libs_use_ld_so(kadmind_t)
libs_use_shared_libs(kadmind_t)
-@@ -126,6 +131,7 @@
+@@ -126,6 +134,7 @@
miscfiles_read_localization(kadmind_t)
sysnet_read_config(kadmind_t)
@@ -5444,7 +5563,7 @@
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
-@@ -142,6 +148,7 @@
+@@ -142,6 +151,7 @@
optional_policy(`
seutil_sigchld_newrole(kadmind_t)
@@ -5452,7 +5571,16 @@
')
optional_policy(`
-@@ -227,6 +234,7 @@
+@@ -156,7 +166,7 @@
+ # Use capabilities. Surplus capabilities may be allowed.
+ allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
+ dontaudit krb5kdc_t self:capability sys_tty_config;
+-allow krb5kdc_t self:process { setsched getsched signal_perms };
++allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
+ allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
+ allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
+ allow krb5kdc_t self:udp_socket create_socket_perms;
+@@ -227,6 +237,7 @@
miscfiles_read_localization(krb5kdc_t)
sysnet_read_config(krb5kdc_t)
@@ -5460,7 +5588,13 @@
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
-@@ -248,3 +256,36 @@
+@@ -243,8 +254,42 @@
+
+ optional_policy(`
+ seutil_sigchld_newrole(krb5kdc_t)
++ seutil_read_file_contexts(krb5kdc_t)
+ ')
+
optional_policy(`
udev_read_db(krb5kdc_t)
')
@@ -7148,15 +7282,55 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-2.6.4/policy/modules/services/rlogin.te
--- nsaserefpolicy/policy/modules/services/rlogin.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/rlogin.te 2007-08-07 09:42:35.000000000 -0400
-@@ -64,6 +64,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/rlogin.te 2007-09-11 09:05:43.000000000 -0400
+@@ -1,5 +1,5 @@
+
+-policy_module(rlogin,1.3.0)
++policy_module(rlogin,1.4.0)
+
+ ########################################
+ #
+@@ -50,7 +50,8 @@
+ kernel_read_system_state(rlogind_t)
+ kernel_read_network_state(rlogind_t)
+
+-corenet_non_ipsec_sendrecv(rlogind_t)
++corenet_all_recvfrom_unlabeled(rlogind_t)
++corenet_all_recvfrom_netlabel(rlogind_t)
+ corenet_tcp_sendrecv_all_if(rlogind_t)
+ corenet_udp_sendrecv_all_if(rlogind_t)
+ corenet_tcp_sendrecv_all_nodes(rlogind_t)
+@@ -63,9 +64,10 @@
+ fs_getattr_xattr_fs(rlogind_t)
fs_search_auto_mountpoints(rlogind_t)
++auth_use_nsswitch(rlogind_t)
auth_domtrans_chk_passwd(rlogind_t)
+auth_domtrans_upd_passwd(rlogind_t)
auth_rw_login_records(rlogind_t)
- auth_use_nsswitch(rlogind_t)
+-auth_use_nsswitch(rlogind_t)
+
+ files_read_etc_files(rlogind_t)
+ files_read_etc_runtime_files(rlogind_t)
+@@ -81,7 +83,7 @@
+
+ miscfiles_read_localization(rlogind_t)
+
+-seutil_dontaudit_search_config(rlogind_t)
++seutil_read_config(rlogind_t)
+
+ sysnet_read_config(rlogind_t)
+@@ -92,7 +94,9 @@
+ remotelogin_domtrans(rlogind_t)
+
+ optional_policy(`
++ kerberos_use(rlogind_t)
+ kerberos_read_keytab(rlogind_t)
++ kerberos_manage_host_rcache(rlogind_t)
+ ')
+
+ ifdef(`TODO',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-2.6.4/policy/modules/services/rpcbind.fc
--- nsaserefpolicy/policy/modules/services/rpcbind.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/services/rpcbind.fc 2007-08-07 09:42:35.000000000 -0400
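Review bot: `seutil_read_config(rlogind_t)` replaces a dontaudit-only rule with read access to the SELinux configuration and carries no comment; if it is needed so libselinux can locate file_contexts for the rcache labelling that `kerberos_manage_host_rcache(rlogind_t)` enables, say so: `# libselinux needs the config to find file_contexts for the krb5 rcache`. The same optional_policy block gains `kerberos_use` and `kerberos_manage_host_rcache`, but unlike the rshd hunk nothing here lets rlogind_t write to the tmp_t directory the cache is created in, so either that permission already exists outside the hunk or the first cache creation will be denied. The rlogin.te hunk ends at the `ifdef(`TODO',`` context line, so the rest of the file is not visible.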
@@ -7428,15 +7602,105 @@
tunable_policy(`nfs_export_all_ro',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-2.6.4/policy/modules/services/rshd.te
--- nsaserefpolicy/policy/modules/services/rshd.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/rshd.te 2007-08-07 09:42:35.000000000 -0400
-@@ -44,6 +44,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/rshd.te 2007-09-11 09:10:41.000000000 -0400
+@@ -11,19 +11,22 @@
+ domain_subj_id_change_exemption(rshd_t)
+ domain_role_change_exemption(rshd_t)
+ role system_r types rshd_t;
++domain_interactive_fd(rshd_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+-allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override };
++allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
+ allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
+ allow rshd_t self:fifo_file rw_fifo_file_perms;
+ allow rshd_t self:tcp_socket create_stream_socket_perms;
++allow rshd_t self:key {search write link};
+
+ kernel_read_kernel_sysctls(rshd_t)
+
+-corenet_non_ipsec_sendrecv(rshd_t)
++corenet_all_recvfrom_unlabeled(rshd_t)
++corenet_all_recvfrom_netlabel(rshd_t)
+ corenet_tcp_sendrecv_generic_if(rshd_t)
+ corenet_udp_sendrecv_generic_if(rshd_t)
+ corenet_tcp_sendrecv_all_nodes(rshd_t)
+@@ -32,6 +35,8 @@
+ corenet_udp_sendrecv_all_ports(rshd_t)
+ corenet_tcp_bind_all_nodes(rshd_t)
+ corenet_tcp_bind_rsh_port(rshd_t)
++corenet_tcp_bind_all_rpc_ports(rshd_t)
++corenet_tcp_connect_all_rpc_ports(rshd_t)
+ corenet_sendrecv_rsh_server_packets(rshd_t)
+
+ dev_read_urand(rshd_t)
+@@ -43,31 +48,43 @@
+ selinux_compute_relabel_context(rshd_t)
selinux_compute_user_contexts(rshd_t)
++auth_use_nsswitch(rshd_t)
auth_domtrans_chk_passwd(rshd_t)
+auth_domtrans_upd_passwd(rshd_t)
++auth_search_key(rshd_t)
++auth_write_login_records(rshd_t)
corecmd_read_bin_symlinks(rshd_t)
+ files_list_home(rshd_t)
+ files_read_etc_files(rshd_t)
+-files_search_tmp(rshd_t)
++files_manage_generic_tmp_dirs(rshd_t)
++
++init_rw_utmp(rshd_t)
+
+ libs_use_ld_so(rshd_t)
+ libs_use_shared_libs(rshd_t)
+
+ logging_send_syslog_msg(rshd_t)
++logging_search_logs(rshd_t)
+
+ miscfiles_read_localization(rshd_t)
+
+ seutil_read_config(rshd_t)
+ seutil_read_default_contexts(rshd_t)
+
+-sysnet_read_config(rshd_t)
+-
+ userdom_search_all_users_home_content(rshd_t)
+
++optional_policy(`
++ kerberos_use(rshd_t)
++ kerberos_read_keytab(rshd_t)
++ kerberos_manage_host_rcache(rshd_t)
++')
++
+ ifdef(`targeted_policy',`
+ unconfined_domain(rshd_t)
+ unconfined_shell_domtrans(rshd_t)
++ unconfined_signal(rshd_t)
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+@@ -80,16 +97,3 @@
+ fs_read_cifs_symlinks(rshd_t)
+ ')
+
+-optional_policy(`
+- kerberos_use(rshd_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(rshd_t)
+-')
+-
+-ifdef(`TODO',`
+-optional_policy(`
+- allow rshd_t rlogind_tmp_t:file rw_file_perms;
+-')
+-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.6.4/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2007-05-07 14:50:57.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/rsync.te 2007-08-07 09:42:35.000000000 -0400
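Review bot: `files_manage_generic_tmp_dirs(rshd_t)` replaces `files_search_tmp(rshd_t)` with full management of every tmp_t directory, and `corenet_tcp_bind_all_rpc_ports`/`corenet_tcp_connect_all_rpc_ports` widen the daemon's network reach, all without a comment; each deserves a line naming the denial it resolves, e.g. `# krb5 replay cache is created in /var/tmp` above the tmp rule and `# rsh stderr back-channel uses a client-chosen reserved port` above the port rules, if those are the reasons. If only file creation in /var/tmp is needed, a rule limited to add_name/write on the directory, or one carried by `kerberos_manage_host_rcache`, would be narrower than manage_dir_perms, which also lets rshd create and remove directories there. The new `allow rshd_t self:key {search write link};` beside `auth_search_key(rshd_t)` likewise needs a why-comment. The inner hunk runs to the end of rshd.te, so the whole of the changed region is visible.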
@@ -7539,7 +7803,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-2.6.4/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/samba.fc 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/samba.fc 2007-09-11 09:23:35.000000000 -0400
@@ -3,6 +3,7 @@
# /etc
#
@@ -7548,7 +7812,15 @@
/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
-@@ -27,6 +28,9 @@
+@@ -14,6 +15,7 @@
+ /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
+ /usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+ /usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
++/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
+ /usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
+
+ /usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
+@@ -27,6 +29,9 @@
/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
@@ -7560,7 +7832,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-2.6.4/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/samba.if 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/samba.if 2007-09-11 09:24:04.000000000 -0400
@@ -177,6 +177,27 @@
########################################
@@ -7653,7 +7925,7 @@
## Allow the specified domain to write to smbmount tcp sockets.
## </summary>
## <param name="domain">
-@@ -377,3 +443,70 @@
+@@ -377,3 +443,121 @@
allow $1 samba_var_t:dir search_dir_perms;
stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
')
@@ -7724,15 +7996,64 @@
+
+ read_files_pattern($1, samba_share_t, samba_share_t)
+')
++
++########################################
++## <summary>
++## Execute a domain transition to run smbcontrol.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`samba_domtrans_smbcontrol',`
++ gen_require(`
++ type smbcontrol_t;
++ type smbcontrol_exec_t;
++ ')
++
++ domtrans_pattern($1,smbcontrol_exec_t,smbcontrol_t)
++')
++
++
++########################################
++## <summary>
++## Execute smbcontrol in the smbcontrol domain, and
++## allow the specified role the smbcontrol domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the smbcontrol domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the role's terminal.
++## </summary>
++## </param>
++#
++interface(`samba_run_smbcontrol',`
++ gen_require(`
++ type smbcontrol_t;
++ ')
++
++ samba_domtrans_smbcontrol($1)
++ role $2 types smbcontrol_t;
++ dontaudit smbcontrol_t $3:chr_file rw_term_perms;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.6.4/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/samba.te 2007-08-23 17:07:33.000000000 -0400
-@@ -28,6 +28,35 @@
- ## </desc>
- gen_tunable(samba_share_nfs,false)
++++ serefpolicy-2.6.4/policy/modules/services/samba.te 2007-09-11 09:56:07.000000000 -0400
+@@ -16,6 +16,14 @@
-+## <desc>
-+## <p>
+ ## <desc>
+ ## <p>
+## Allow samba to run as the domain controller; add machines to passwd file
+##
+## </p>
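Review bot: `samba_run_smbcontrol` ends with `dontaudit smbcontrol_t $3:chr_file rw_term_perms;`, which silences rather than permits terminal access; if smbcontrol's output is expected on the invoking terminal this should be `allow smbcontrol_t $3:chr_file rw_term_perms;`, so confirm which is intended and add a one-line comment either way. There is a doubled blank line between the two new interfaces (after the closing `')` of `samba_domtrans_smbcontrol`), and `## Domain allowed access` lacks the trailing period used by the neighbouring doc blocks. Both interface definitions are complete within this hunk.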
@@ -7741,17 +8062,24 @@
+
+## <desc>
+## <p>
-+## Allow samba to be exported read/write.
+ ## Allow samba to export user home directories.
+ ## </p>
+ ## </desc>
+@@ -23,6 +31,27 @@
+
+ ## <desc>
+ ## <p>
++## Export all files on system read only.
+## </p>
+## </desc>
-+gen_tunable(samba_export_all_rw,false)
++gen_tunable(samba_export_all_ro,false)
+
+## <desc>
+## <p>
-+## Allow samba to be exported read only
++## Export all files on system read-write.
+## </p>
+## </desc>
-+gen_tunable(samba_export_all_ro,false)
++gen_tunable(samba_export_all_rw,false)
+
+## <desc>
+## <p>
@@ -7760,27 +8088,54 @@
+## </desc>
+gen_tunable(samba_run_unconfined,false)
+
- type nmbd_t;
- type nmbd_exec_t;
- init_daemon_domain(nmbd_t,nmbd_exec_t)
-@@ -117,6 +146,7 @@
- allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
- allow samba_net_t self:udp_socket create_socket_perms;
- allow samba_net_t self:tcp_socket create_socket_perms;
-+allow samba_net_t self:netlink_route_socket r_netlink_socket_perms;
++## <desc>
++## <p>
+ ## Allow samba to export NFS volumes.
+ ## </p>
+ ## </desc>
+@@ -108,6 +137,11 @@
+ type winbind_var_run_t;
+ files_pid_file(winbind_var_run_t)
+
++type smbcontrol_t;
++type smbcontrol_exec_t;
++application_domain(smbcontrol_t, smbcontrol_exec_t)
++role system_r types smbcontrol_t;
++
+ ########################################
+ #
+ # Samba net local policy
+@@ -131,6 +165,8 @@
+ manage_files_pattern(samba_net_t,samba_var_t,samba_var_t)
+ manage_lnk_files_pattern(samba_net_t,samba_var_t,samba_var_t)
- allow samba_net_t samba_etc_t:file read_file_perms;
++auth_use_nsswitch(samba_net_t)
++
+ kernel_read_proc_symlinks(samba_net_t)
-@@ -159,6 +189,8 @@
+ corenet_tcp_sendrecv_all_if(samba_net_t)
+@@ -159,8 +195,7 @@
miscfiles_read_localization(samba_net_t)
+-sysnet_read_config(samba_net_t)
+-sysnet_use_ldap(samba_net_t)
+samba_read_var_files(samba_net_t)
-+
- sysnet_read_config(samba_net_t)
- sysnet_use_ldap(samba_net_t)
-@@ -191,7 +223,7 @@
+ userdom_dontaudit_search_sysadm_home_dirs(samba_net_t)
+
+@@ -173,10 +208,6 @@
+ kerberos_use(samba_net_t)
+ ')
+
+-optional_policy(`
+- nscd_socket_use(samba_net_t)
+-')
+-
+ ########################################
+ #
+ # smbd Local policy
+@@ -191,18 +222,16 @@
allow smbd_t self:msgq create_msgq_perms;
allow smbd_t self:sem create_sem_perms;
allow smbd_t self:shm create_shm_perms;
@@ -7789,7 +8144,8 @@
allow smbd_t self:tcp_socket create_stream_socket_perms;
allow smbd_t self:udp_socket create_socket_perms;
allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -200,9 +232,8 @@
+ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow smbd_t self:netlink_route_socket r_netlink_socket_perms;
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
@@ -7801,7 +8157,7 @@
allow smbd_t samba_log_t:dir setattr;
dontaudit smbd_t samba_log_t:dir remove_name;
-@@ -231,7 +262,8 @@
+@@ -231,7 +260,8 @@
manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
files_pid_filetrans(smbd_t,smbd_var_run_t,file)
@@ -7811,17 +8167,17 @@
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
-@@ -256,6 +288,9 @@
- corenet_tcp_connect_ipp_port(smbd_t)
- corenet_tcp_connect_smbd_port(smbd_t)
+@@ -241,6 +271,9 @@
+ kernel_read_software_raid_state(smbd_t)
+ kernel_read_system_state(smbd_t)
+corecmd_exec_shell(smbd_t)
+corecmd_exec_bin(smbd_t)
+
- dev_read_sysfs(smbd_t)
- dev_read_urand(smbd_t)
- dev_getattr_mtrr_dev(smbd_t)
-@@ -265,11 +300,14 @@
+ corenet_tcp_sendrecv_all_if(smbd_t)
+ corenet_udp_sendrecv_all_if(smbd_t)
+ corenet_raw_sendrecv_all_if(smbd_t)
+@@ -265,11 +298,14 @@
fs_get_xattr_fs_quotas(smbd_t)
fs_search_auto_mountpoints(smbd_t)
fs_getattr_rpc_dirs(smbd_t)
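Review bot: `corecmd_exec_shell(smbd_t)` and `corecmd_exec_bin(smbd_t)` let the smbd daemon execute any shell and any bin_t program; this hunk only relocates them from the previous revision of the patch, but they remain uncommented and unconditional, so a compromised smbd can spawn arbitrary helpers. Record the reason, e.g. `# smbd runs external helpers configured in smb.conf (preexec/postexec, print commands)` if that is the case, and consider putting them behind a dedicated tunable rather than granting them to every smbd installation. smbd's local policy block extends beyond this hunk.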
@@ -7836,7 +8192,13 @@
files_list_var_lib(smbd_t)
files_read_etc_files(smbd_t)
-@@ -296,6 +334,12 @@
+@@ -290,12 +326,16 @@
+ miscfiles_read_localization(smbd_t)
+ miscfiles_read_public_files(smbd_t)
+
+-sysnet_read_config(smbd_t)
+-
+ userdom_dontaudit_search_sysadm_home_dirs(smbd_t)
userdom_dontaudit_use_unpriv_user_fds(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)
@@ -7849,7 +8211,7 @@
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -319,6 +363,14 @@
+@@ -319,6 +359,14 @@
')
optional_policy(`
@@ -7864,7 +8226,7 @@
cups_read_rw_config(smbd_t)
cups_stream_connect(smbd_t)
')
-@@ -339,6 +391,23 @@
+@@ -339,6 +387,23 @@
udev_read_db(smbd_t)
')
@@ -7888,7 +8250,7 @@
########################################
#
# nmbd Local policy
-@@ -352,7 +421,7 @@
+@@ -352,7 +417,7 @@
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -7897,7 +8259,7 @@
allow nmbd_t self:tcp_socket create_stream_socket_perms;
allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -362,9 +431,12 @@
+@@ -362,9 +427,12 @@
files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
@@ -7911,7 +8273,16 @@
read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
allow nmbd_t samba_log_t:dir setattr;
-@@ -391,6 +463,7 @@
+@@ -373,6 +441,8 @@
+
+ allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
+
++auth_use_nsswitch(nmbd_t)
++
+ kernel_getattr_core_if(nmbd_t)
+ kernel_getattr_message_if(nmbd_t)
+ kernel_read_kernel_sysctls(nmbd_t)
+@@ -391,6 +461,7 @@
corenet_udp_bind_nmbd_port(nmbd_t)
corenet_sendrecv_nmbd_server_packets(nmbd_t)
corenet_sendrecv_nmbd_client_packets(nmbd_t)
@@ -7919,7 +8290,24 @@
dev_read_sysfs(nmbd_t)
dev_getattr_mtrr_dev(nmbd_t)
-@@ -457,6 +530,7 @@
+@@ -402,6 +473,7 @@
+
+ files_read_usr_files(nmbd_t)
+ files_read_etc_files(nmbd_t)
++files_list_var_lib(nmbd_t)
+
+ libs_use_ld_so(nmbd_t)
+ libs_use_shared_libs(nmbd_t)
+@@ -411,8 +483,6 @@
+
+ miscfiles_read_localization(nmbd_t)
+
+-sysnet_read_config(nmbd_t)
+-
+ userdom_dontaudit_search_sysadm_home_dirs(nmbd_t)
+ userdom_dontaudit_use_unpriv_user_fds(nmbd_t)
+ userdom_use_unpriv_users_fds(nmbd_t)
+@@ -457,6 +527,7 @@
allow smbmount_t samba_secrets_t:file manage_file_perms;
@@ -7927,24 +8315,96 @@
allow smbmount_t samba_var_t:dir rw_dir_perms;
manage_files_pattern(smbmount_t,samba_var_t,samba_var_t)
manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t)
-@@ -514,7 +588,7 @@
+@@ -489,6 +560,8 @@
+ term_list_ptys(smbmount_t)
+ term_use_controlling_term(smbmount_t)
+
++auth_use_nsswitch(smbmount_t)
++
+ corecmd_list_bin(smbmount_t)
+
+ files_list_mnt(smbmount_t)
+@@ -508,21 +581,11 @@
+
+ logging_search_logs(smbmount_t)
+
+-sysnet_read_config(smbmount_t)
+-
+ userdom_use_all_users_fds(smbmount_t)
userdom_use_sysadm_ttys(smbmount_t)
optional_policy(`
- cups_read_rw_config(smbd_t)
+-')
+-
+-optional_policy(`
+- nis_use_ypbind(smbmount_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(smbmount_t)
+ cups_read_rw_config(smbmount_t)
')
- optional_policy(`
-@@ -534,7 +608,6 @@
- allow swat_t self:process signal_perms;
+ ########################################
+@@ -530,22 +593,30 @@
+ # SWAT Local policy
+ #
+
+-allow swat_t self:capability { setuid setgid };
+-allow swat_t self:process signal_perms;
++allow swat_t self:capability { setuid setgid sys_resource net_bind_service };
++allow swat_t self:process { setrlimit signal_perms };
allow swat_t self:fifo_file rw_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow swat_t self:netlink_audit_socket create;
allow swat_t self:tcp_socket create_stream_socket_perms;
allow swat_t self:udp_socket create_socket_perms;
- allow swat_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -588,6 +661,7 @@
+-allow swat_t self:netlink_route_socket r_netlink_socket_perms;
+
+-allow swat_t nmbd_exec_t:file { execute read };
++can_exec(swat_t, nmbd_exec_t)
++allow swat_t nmbd_port_t:udp_socket name_bind;
++allow swat_t nmbd_t:process { signal signull };
++allow swat_t nmbd_var_run_t:file { lock read unlink };
+
+ rw_files_pattern(swat_t,samba_etc_t,samba_etc_t)
+
++init_read_utmp(swat_t)
++init_dontaudit_write_utmp(swat_t)
++
+ append_files_pattern(swat_t,samba_log_t,samba_log_t)
+
+-allow swat_t smbd_exec_t:file execute ;
++allow swat_t self:unix_stream_socket connectto;
++can_exec(swat_t, smbd_exec_t)
++allow swat_t smbd_port_t:tcp_socket name_bind;
++allow swat_t smbd_t:process signal;
++allow swat_t smbd_var_run_t:file { lock unlink };
+
+ allow swat_t smbd_t:process signull;
+
+@@ -558,7 +629,11 @@
+ manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
+ files_pid_filetrans(swat_t,swat_var_run_t,file)
+
+-allow swat_t winbind_exec_t:file execute;
++can_exec(swat_t, winbind_exec_t)
++allow swat_t winbind_var_run_t:dir { write add_name remove_name };
++allow swat_t winbind_var_run_t:sock_file { create unlink };
++
++auth_use_nsswitch(swat_t)
+
+ kernel_read_kernel_sysctls(swat_t)
+ kernel_read_system_state(swat_t)
+@@ -582,23 +657,24 @@
+
+ dev_read_urand(swat_t)
+
++files_list_var_lib(swat_t)
+ files_read_etc_files(swat_t)
+ files_search_home(swat_t)
+ files_read_usr_files(swat_t)
fs_getattr_xattr_fs(swat_t)
auth_domtrans_chk_passwd(swat_t)
@@ -7952,7 +8412,32 @@
libs_use_ld_so(swat_t)
libs_use_shared_libs(swat_t)
-@@ -625,19 +699,25 @@
+
+ logging_send_syslog_msg(swat_t)
++logging_send_audit_msgs(swat_t)
+ logging_search_logs(swat_t)
+
+ miscfiles_read_localization(swat_t)
+
+-sysnet_read_config(swat_t)
+-
+ optional_policy(`
+ cups_read_rw_config(swat_t)
+ cups_stream_connect(swat_t)
+@@ -612,32 +688,30 @@
+ kerberos_use(swat_t)
+ ')
+
+-optional_policy(`
+- nis_use_ypbind(swat_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(swat_t)
+-')
+-
+ ########################################
+ #
# Winbind local policy
#
@@ -7979,7 +8464,7 @@
manage_files_pattern(winbind_t,samba_etc_t,samba_secrets_t)
filetrans_pattern(winbind_t,samba_etc_t,samba_secrets_t,file)
-@@ -645,6 +725,8 @@
+@@ -645,6 +719,8 @@
manage_files_pattern(winbind_t,samba_log_t,samba_log_t)
manage_lnk_files_pattern(winbind_t,samba_log_t,samba_log_t)
@@ -7988,7 +8473,7 @@
manage_files_pattern(winbind_t,samba_var_t,samba_var_t)
manage_lnk_files_pattern(winbind_t,samba_var_t,samba_var_t)
-@@ -682,7 +764,9 @@
+@@ -682,7 +758,9 @@
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
@@ -7998,7 +8483,7 @@
domain_use_interactive_fds(winbind_t)
-@@ -695,9 +779,6 @@
+@@ -695,9 +773,6 @@
miscfiles_read_localization(winbind_t)
@@ -8008,7 +8493,7 @@
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
userdom_priveleged_home_dir_manager(winbind_t)
-@@ -713,10 +794,6 @@
+@@ -713,10 +788,6 @@
')
optional_policy(`
@@ -8019,7 +8504,7 @@
seutil_sigchld_newrole(winbind_t)
')
-@@ -736,6 +813,7 @@
+@@ -736,6 +807,7 @@
read_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
read_lnk_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
@@ -8027,32 +8512,67 @@
allow winbind_helper_t samba_var_t:dir search;
stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
-@@ -763,4 +841,25 @@
+@@ -763,4 +835,60 @@
optional_policy(`
squid_read_log(winbind_helper_t)
squid_append_log(winbind_helper_t)
+ squid_rw_stream_sockets(winbind_helper_t)
-+')
+ ')
+
+########################################
+#
+# samba_unconfined_script_t local policy
+#
-+type samba_unconfined_script_t;
-+domain_type(samba_unconfined_script_t)
-+role system_r types samba_unconfined_script_t;
-+
-+# This type is used for executable scripts files
-+type samba_unconfined_script_exec_t;
-+corecmd_shell_entry_type(samba_unconfined_script_t)
-+domain_entry_file(samba_unconfined_script_t,samba_unconfined_script_exec_t)
-+allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
-+allow smbd_t samba_unconfined_script_exec_t:file ioctl;
++optional_policy(`
++ type samba_unconfined_script_t;
++ domain_type(samba_unconfined_script_t)
++ role system_r types samba_unconfined_script_t;
+
-+tunable_policy(`samba_run_unconfined',`
-+ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
- ')
-+unconfined_domain(samba_unconfined_script_t)
++ # This type is used for executable scripts files
++ type samba_unconfined_script_exec_t;
++ corecmd_shell_entry_type(samba_unconfined_script_t)
++ domain_entry_file(samba_unconfined_script_t,samba_unconfined_script_exec_t)
++ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
++ allow smbd_t samba_unconfined_script_exec_t:file ioctl;
++
++ tunable_policy(`samba_run_unconfined',`
++ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
++ ')
++ unconfined_domain(samba_unconfined_script_t)
++')
++
++########################################
++#
++# smbcontrol local policy
++#
++
++## internal communication is often done using fifo and unix sockets.
++allow smbcontrol_t self:fifo_file rw_file_perms;
++allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
++
++files_read_etc_files(smbcontrol_t)
++
++libs_use_ld_so(smbcontrol_t)
++libs_use_shared_libs(smbcontrol_t)
++
++miscfiles_read_localization(smbcontrol_t)
++
++files_search_var_lib(smbcontrol_t)
++samba_read_config(smbcontrol_t)
++samba_rw_var_files(smbcontrol_t)
++samba_search_var(smbcontrol_t)
++samba_read_winbind_pid(smbcontrol_t)
++
++allow smbcontrol_t smbd_t:process signal;
++allow smbd_t smbcontrol_t:process { signal signull };
++
++allow nmbd_t smbcontrol_t:process signal;
++allow smbcontrol_t nmbd_t:process { signal signull };
++
++allow smbcontrol_t winbind_t:process { signal signull };
++allow winbind_t smbcontrol_t:process signal;
++
++allow smbcontrol_t nmbd_var_run_t:file { read lock };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.6.4/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/sasl.te 2007-08-07 09:42:35.000000000 -0400
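Review bot: The smbcontrol signal rules are asymmetric in a way that looks accidental: smbcontrol_t gets `{ signal signull }` toward nmbd_t and winbind_t but only `signal` toward smbd_t, while it is smbd_t that gets `{ signal signull }` back; if smbcontrol probes daemon liveness with signull, the smbd pair is likely inverted and should read `allow smbcontrol_t smbd_t:process { signal signull };` / `allow smbd_t smbcontrol_t:process signal;`. The comment `## internal communication is often done using fifo and unix sockets.` uses the double-hash that refpolicy reserves for XML documentation comments; a body comment in a .te file should be a single `#`. Moving the samba_unconfined_script_t block under `optional_policy(` is right, since `unconfined_domain()` only resolves when the unconfined module is present, but the `samba_run_unconfined` tunable is declared outside this hunk and, once on, lets every script labeled samba_unconfined_script_exec_t that smbd_t executes run fully unconfined, so its `## <desc>` block should state that it defaults to false. The `smbcontrol_t` type and the `samba_read_winbind_pid` interface the new block relies on are not declared in this hunk; presumably they are added earlier in the patch, otherwise the module will not build.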
@@ -8430,8 +8950,16 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-2.6.4/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/ssh.if 2007-08-07 09:42:35.000000000 -0400
-@@ -709,3 +709,42 @@
++++ serefpolicy-2.6.4/policy/modules/services/ssh.if 2007-09-11 09:11:48.000000000 -0400
+@@ -521,6 +521,7 @@
+
+ optional_policy(`
+ kerberos_use($1_t)
++ kerberos_manage_host_rcache($1_t)
+ ')
+
+ optional_policy(`
+@@ -709,3 +710,42 @@
dontaudit $1 sshd_key_t:file { getattr read };
')
@@ -8510,6 +9038,83 @@
ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-2.6.4/policy/modules/services/telnet.te
+--- nsaserefpolicy/policy/modules/services/telnet.te 2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/telnet.te 2007-09-11 09:05:30.000000000 -0400
+@@ -1,5 +1,5 @@
+
+-policy_module(telnet,1.4.0)
++policy_module(telnet,1.5.0)
+
+ ########################################
+ #
+@@ -32,7 +32,6 @@
+ allow telnetd_t self:udp_socket create_socket_perms;
+ # for identd; cjp: this should probably only be inetd_child rules?
+ allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+-allow telnetd_t self:netlink_route_socket r_netlink_socket_perms;
+ allow telnetd_t self:capability { setuid setgid };
+
+ allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
+@@ -49,7 +48,8 @@
+ kernel_read_system_state(telnetd_t)
+ kernel_read_network_state(telnetd_t)
+
+-corenet_non_ipsec_sendrecv(telnetd_t)
++corenet_all_recvfrom_unlabeled(telnetd_t)
++corenet_all_recvfrom_netlabel(telnetd_t)
+ corenet_tcp_sendrecv_all_if(telnetd_t)
+ corenet_udp_sendrecv_all_if(telnetd_t)
+ corenet_tcp_sendrecv_all_nodes(telnetd_t)
+@@ -61,10 +61,12 @@
+
+ fs_getattr_xattr_fs(telnetd_t)
+
++auth_use_nsswitch(telnetd_t)
+ auth_rw_login_records(telnetd_t)
+
+ corecmd_search_bin(telnetd_t)
+
++files_read_usr_files(telnetd_t)
+ files_read_etc_files(telnetd_t)
+ files_read_etc_runtime_files(telnetd_t)
+ # for identd; cjp: this should probably only be inetd_child rules?
+@@ -79,9 +81,7 @@
+
+ miscfiles_read_localization(telnetd_t)
+
+-seutil_dontaudit_search_config(telnetd_t)
+-
+-sysnet_read_config(telnetd_t)
++seutil_read_config(telnetd_t)
+
+ remotelogin_domtrans(telnetd_t)
+
+@@ -89,17 +89,16 @@
+ optional_policy(`
+ kerberos_use(telnetd_t)
+ kerberos_read_keytab(telnetd_t)
++ kerberos_manage_host_rcache(telnetd_t)
+ ')
+
+-optional_policy(`
+- nis_use_ypbind(telnetd_t)
++tunable_policy(`use_nfs_home_dirs',`
++ fs_manage_nfs_dirs(telnetd_t)
++ fs_manage_nfs_files(telnetd_t)
+ ')
+
+-optional_policy(`
+- nscd_socket_use(telnetd_t)
++tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_dirs(telnetd_t)
++ fs_manage_cifs_files(telnetd_t)
+ ')
+
+-ifdef(`TODO',`
+-# Allow krb5 telnetd to use fork and open /dev/tty for use
+-allow telnetd_t userpty_type:chr_file setattr;
+-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-2.6.4/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2007-05-07 14:50:57.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/tftp.te 2007-08-22 08:28:44.000000000 -0400
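Review bot: `seutil_read_config(telnetd_t)` replaces what was only a `seutil_dontaudit_search_config` with a real read grant on the SELinux configuration, and nothing in the hunk records which access telnetd actually needed; if the dontaudit was merely silencing noise, the grant widens what a compromised telnetd can read, so a comment naming the observed denial, e.g. `# telnetd reads /etc/selinux/config to compute the login context`, would justify keeping it. The two new tunable blocks give telnetd_t full `fs_manage_nfs_dirs`/`fs_manage_nfs_files` and the CIFS equivalents, which is manage rather than the search/read a login daemon usually needs before handing off to the user's session domain; if telnetd only traverses the home directory, the narrower variants are the least-privilege choice and the same question applies to the matching blocks in other files of this patch. Dropping the `nis_use_ypbind`/`nscd_socket_use` optional blocks is consistent with the `auth_use_nsswitch(telnetd_t)` added in the same hunk.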
@@ -8574,6 +9179,25 @@
+corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
+
+miscfiles_read_certs(httpd_w3c_validator_script_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-2.6.4/policy/modules/services/xfs.te
+--- nsaserefpolicy/policy/modules/services/xfs.te 2007-05-07 14:50:57.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/xfs.te 2007-09-11 08:17:28.000000000 -0400
+@@ -37,6 +37,15 @@
+ kernel_read_kernel_sysctls(xfs_t)
+ kernel_read_system_state(xfs_t)
+
++corenet_all_recvfrom_unlabeled(xfs_t)
++corenet_all_recvfrom_netlabel(xfs_t)
++corenet_tcp_sendrecv_generic_if(xfs_t)
++corenet_tcp_sendrecv_all_nodes(xfs_t)
++corenet_tcp_sendrecv_all_ports(xfs_t)
++corenet_tcp_bind_all_nodes(xfs_t)
++corenet_tcp_bind_xfs_port(xfs_t)
++corenet_sendrecv_xfs_client_packets(xfs_t)
++
+ corecmd_list_bin(xfs_t)
+
+ dev_read_sysfs(xfs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.6.4/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/xserver.if 2007-08-07 09:42:35.000000000 -0400
@@ -10831,7 +11455,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.6.4/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.te 2007-09-10 14:35:42.000000000 -0400
@@ -1,10 +1,8 @@
policy_module(selinuxutil,1.5.0)
@@ -11028,7 +11652,15 @@
dev_read_urand(semanage_t)
-@@ -595,6 +611,8 @@
+@@ -581,6 +597,7 @@
+ files_read_etc_runtime_files(semanage_t)
+ files_read_usr_files(semanage_t)
+ files_list_pids(semanage_t)
++fs_list_inotifyfs(semanage_t)
+
+ mls_file_write_down(semanage_t)
+ mls_rangetrans_target(semanage_t)
+@@ -595,6 +612,8 @@
# Running genhomedircon requires this for finding all users
auth_use_nsswitch(semanage_t)
@@ -11037,7 +11669,7 @@
libs_use_ld_so(semanage_t)
libs_use_shared_libs(semanage_t)
-@@ -621,6 +639,15 @@
+@@ -621,6 +640,15 @@
userdom_search_sysadm_home_dirs(semanage_t)
@@ -11053,7 +11685,7 @@
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -700,6 +727,8 @@
+@@ -700,6 +728,8 @@
ifdef(`hide_broken_symptoms',`
# cjp: cover up stray file descriptors.
optional_policy(`