summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChris PeBenito <cpebenito@tresys.com>2006-07-28 15:13:58 +0000
committerChris PeBenito <cpebenito@tresys.com>2006-07-28 15:13:58 +0000
commit46551033aa876d98b98f9442f8208ab069f18d28 (patch)
tree7ee7b6344f9f46c1f566fbdf3643982add69baee
parent81aa67fcc02f04bb2e21d8692b3e20d2e75b5f4d (diff)
patch from dan Wed, 26 Jul 2006 14:42:46 -0400
-rw-r--r--policy/global_booleans2
-rw-r--r--policy/global_tunables75
-rw-r--r--policy/mcs2
-rw-r--r--policy/modules/admin/bootloader.te8
-rw-r--r--policy/modules/admin/firstboot.te6
-rw-r--r--policy/modules/admin/netutils.te12
-rw-r--r--policy/modules/admin/prelink.te3
-rw-r--r--policy/modules/admin/rpm.if6
-rw-r--r--policy/modules/admin/rpm.te2
-rw-r--r--policy/modules/admin/usermanage.te4
-rw-r--r--policy/modules/kernel/corenetwork.te.in6
-rw-r--r--policy/modules/kernel/devices.fc3
-rw-r--r--policy/modules/kernel/devices.te2
-rw-r--r--policy/modules/kernel/files.fc1
-rw-r--r--policy/modules/kernel/files.te2
-rw-r--r--policy/modules/kernel/filesystem.if20
-rw-r--r--policy/modules/kernel/filesystem.te2
-rw-r--r--policy/modules/kernel/mcs.if22
-rw-r--r--policy/modules/kernel/mcs.te3
-rw-r--r--policy/modules/kernel/selinux.if12
-rw-r--r--policy/modules/kernel/selinux.te5
-rw-r--r--policy/modules/kernel/storage.fc3
-rw-r--r--policy/modules/kernel/storage.te2
-rw-r--r--policy/modules/services/automount.te10
-rw-r--r--policy/modules/services/avahi.te3
-rw-r--r--policy/modules/services/bind.fc3
-rw-r--r--policy/modules/services/bind.te2
-rw-r--r--policy/modules/services/bluetooth.if21
-rw-r--r--policy/modules/services/bluetooth.te5
-rw-r--r--policy/modules/services/clamav.fc3
-rw-r--r--policy/modules/services/clamav.if4
-rw-r--r--policy/modules/services/clamav.te22
-rw-r--r--policy/modules/services/cyrus.te7
-rw-r--r--policy/modules/services/dovecot.fc2
-rw-r--r--policy/modules/services/dovecot.te23
-rw-r--r--policy/modules/services/ftp.te9
-rw-r--r--policy/modules/services/hal.te12
-rw-r--r--policy/modules/services/inetd.te8
-rw-r--r--policy/modules/services/ldap.fc1
-rw-r--r--policy/modules/services/ldap.if21
-rw-r--r--policy/modules/services/ldap.te2
-rw-r--r--policy/modules/services/lpd.if20
-rw-r--r--policy/modules/services/lpd.te2
-rw-r--r--policy/modules/services/mailman.te12
-rw-r--r--policy/modules/services/nis.te3
-rw-r--r--policy/modules/services/nscd.if19
-rw-r--r--policy/modules/services/nscd.te2
-rw-r--r--policy/modules/services/openvpn.te10
-rw-r--r--policy/modules/services/postfix.te8
-rw-r--r--policy/modules/services/postgrey.fc5
-rw-r--r--policy/modules/services/postgrey.if20
-rw-r--r--policy/modules/services/postgrey.te3
-rw-r--r--policy/modules/services/procmail.te3
-rw-r--r--policy/modules/services/radius.fc1
-rw-r--r--policy/modules/services/radius.te10
-rw-r--r--policy/modules/services/remotelogin.te3
-rw-r--r--policy/modules/services/samba.te8
-rw-r--r--policy/modules/services/squid.te7
-rw-r--r--policy/modules/services/ssh.if1
-rw-r--r--policy/modules/services/ssh.te2
-rw-r--r--policy/modules/services/tftp.te3
-rw-r--r--policy/modules/services/xfs.te4
-rw-r--r--policy/modules/services/xserver.if2
-rw-r--r--policy/modules/services/xserver.te5
-rw-r--r--policy/modules/services/zebra.te9
-rw-r--r--policy/modules/system/authlogin.te3
-rw-r--r--policy/modules/system/fstools.fc1
-rw-r--r--policy/modules/system/fstools.te2
-rw-r--r--policy/modules/system/getty.fc1
-rw-r--r--policy/modules/system/getty.te5
-rw-r--r--policy/modules/system/hotplug.te4
-rw-r--r--policy/modules/system/init.te5
-rw-r--r--policy/modules/system/libraries.fc2
-rw-r--r--policy/modules/system/libraries.te2
-rw-r--r--policy/modules/system/locallogin.te3
-rw-r--r--policy/modules/system/logging.if8
-rw-r--r--policy/modules/system/logging.te4
-rw-r--r--policy/modules/system/lvm.te5
-rw-r--r--policy/modules/system/selinuxutil.te34
-rw-r--r--policy/modules/system/setrans.te6
-rw-r--r--policy/modules/system/sysnetwork.te3
-rw-r--r--policy/modules/system/udev.te6
-rw-r--r--policy/modules/system/unconfined.fc1
-rw-r--r--policy/modules/system/unconfined.if7
-rw-r--r--policy/modules/system/unconfined.te10
-rw-r--r--policy/modules/system/xen.te4
86 files changed, 451 insertions, 188 deletions
diff --git a/policy/global_booleans b/policy/global_booleans
index 111d004c..844fc781 100644
--- a/policy/global_booleans
+++ b/policy/global_booleans
@@ -4,6 +4,7 @@
# file should be used.
#
+ifdef(`strict_policy',`
## <desc>
## <p>
## Enabling secure mode disallows programs, such as
@@ -12,6 +13,7 @@
## </p>
## </desc>
gen_bool(secure_mode,false)
+')
## <desc>
## <p>
diff --git a/policy/global_tunables b/policy/global_tunables
index ec5cc933..0cb55b81 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -19,6 +19,14 @@ gen_tunable(allow_cvs_read_shadow,false)
## <desc>
## <p>
+## Allow zebra daemon to write it configuration files
+## </p>
+## </desc>
+#
+gen_tunable(allow_zebra_write_config,false)
+
+## <desc>
+## <p>
## Allow making the heap executable.
## </p>
## </desc>
@@ -89,6 +97,13 @@ gen_tunable(allow_httpd_anon_write,false)
## <desc>
## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_pam,false)
+
+## <desc>
+## <p>
## Allow java executable stack
## </p>
## </desc>
@@ -132,12 +147,6 @@ gen_tunable(allow_saslauthd_read_shadow,false)
## </desc>
gen_tunable(allow_smbd_anon_write,false)
-## <desc>
-## <p>
-## Allow sysadm to ptrace all processes
-## </p>
-## </desc>
-gen_tunable(allow_ptrace,false)
## <desc>
## <p>
@@ -290,13 +299,6 @@ gen_tunable(read_default_t,false)
## <desc>
## <p>
-## Allow ssh to run from inetd instead of as a daemon.
-## </p>
-## </desc>
-gen_tunable(run_ssh_inetd,false)
-
-## <desc>
-## <p>
## Allow samba to export user home directories.
## </p>
## </desc>
@@ -311,13 +313,6 @@ gen_tunable(samba_share_nfs,false)
## <desc>
## <p>
-## Allow spamassassin to do DNS lookups
-## </p>
-## </desc>
-gen_tunable(spamassasin_can_network,false)
-
-## <desc>
-## <p>
## Allow squid to connect to all ports, not just
## HTTP, FTP, and Gopher ports.
## </p>
@@ -326,13 +321,6 @@ gen_tunable(squid_connect_any,false)
## <desc>
## <p>
-## Allow ssh logins as sysadm_r:sysadm_t
-## </p>
-## </desc>
-gen_tunable(ssh_sysadm_login,false)
-
-## <desc>
-## <p>
## Configure stunnel to be a standalone daemon or
## inetd service.
## </p>
@@ -353,6 +341,12 @@ gen_tunable(use_nfs_home_dirs,false)
## </desc>
gen_tunable(use_samba_home_dirs,false)
+########################################
+#
+# Strict policy specific
+#
+
+ifdef(`strict_policy',`
## <desc>
## <p>
## Control users use of ping and traceroute
@@ -360,12 +354,6 @@ gen_tunable(use_samba_home_dirs,false)
## </desc>
gen_tunable(user_ping,false)
-########################################
-#
-# Strict policy specific
-#
-
-ifdef(`strict_policy',`
## <desc>
## <p>
## Allow gpg executable stack
@@ -382,6 +370,13 @@ gen_tunable(allow_mplayer_execstack,false)
## <desc>
## <p>
+## Allow sysadm to ptrace all processes
+## </p>
+## </desc>
+gen_tunable(allow_ptrace,false)
+
+## <desc>
+## <p>
## allow host key based authentication
## </p>
## </desc>
@@ -482,6 +477,13 @@ gen_tunable(read_untrusted_content,false)
## <desc>
## <p>
+## Allow ssh to run from inetd instead of as a daemon.
+## </p>
+## </desc>
+gen_tunable(run_ssh_inetd,false)
+
+## <desc>
+## <p>
## Allow user spamassassin clients to use the network.
## </p>
## </desc>
@@ -489,6 +491,13 @@ gen_tunable(spamassassin_can_network,false)
## <desc>
## <p>
+## Allow ssh logins as sysadm_r:sysadm_t
+## </p>
+## </desc>
+gen_tunable(ssh_sysadm_login,false)
+
+## <desc>
+## <p>
## Allow staff_r users to search the sysadm home
## dir and read files (such as ~/.bashrc)
## </p>
diff --git a/policy/mcs b/policy/mcs
index c33b6678..5a478770 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -160,7 +160,7 @@ mlsconstrain process { transition dyntransition }
(( h1 dom h2 ) or ( t1 == mcssetcats ));
mlsconstrain process { ptrace }
- ( h1 dom h2 );
+ (( h1 dom h2) or ( t1 == mcsptraceall ));
mlsconstrain process { sigkill sigstop }
(( h1 dom h2 ) or ( t1 == mcskillall ));
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 41b40272..529bfe2e 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,5 +1,5 @@
-policy_module(bootloader,1.2.4)
+policy_module(bootloader,1.2.5)
########################################
#
@@ -48,7 +48,7 @@ logging_log_file(var_log_ksyms_t)
# bootloader local policy
#
-allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
+allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
allow bootloader_t self:process { sigkill sigstop signull signal execmem };
allow bootloader_t self:fifo_file rw_file_perms;
@@ -67,6 +67,7 @@ files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file b
files_root_filetrans(bootloader_t,bootloader_tmp_t,file)
kernel_getattr_core_if(bootloader_t)
+kernel_read_network_state(bootloader_t)
kernel_read_system_state(bootloader_t)
kernel_read_software_raid_state(bootloader_t)
kernel_read_kernel_sysctls(bootloader_t)
@@ -86,7 +87,10 @@ dev_read_sysfs(bootloader_t)
dev_read_raw_memory(bootloader_t)
fs_getattr_xattr_fs(bootloader_t)
+fs_getattr_tmpfs(bootloader_t)
fs_read_tmpfs_symlinks(bootloader_t)
+#Needed for ia64
+fs_manage_dos_files(bootloader_t)
mls_file_read_up(bootloader_t)
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index b03616f3..b875c3f7 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -1,5 +1,5 @@
-policy_module(firstboot,1.1.2)
+policy_module(firstboot,1.1.3)
gen_require(`
class passwd rootok;
@@ -106,6 +106,10 @@ ifdef(`targeted_policy',`
')
optional_policy(`
+ hal_dbus_send(firstboot_t)
+')
+
+optional_policy(`
nis_use_ypbind(firstboot_t)
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index d5766aa0..d70fa2af 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,5 +1,5 @@
-policy_module(netutils,1.1.4)
+policy_module(netutils,1.1.5)
########################################
#
@@ -211,11 +211,11 @@ sysnet_read_config(traceroute_t)
ifdef(`targeted_policy',`
term_use_unallocated_ttys(traceroute_t)
term_use_generic_ptys(traceroute_t)
-')
-
-tunable_policy(`user_ping',`
- term_use_all_user_ttys(traceroute_t)
- term_use_all_user_ptys(traceroute_t)
+',`
+ tunable_policy(`user_ping',`
+ term_use_all_user_ttys(traceroute_t)
+ term_use_all_user_ptys(traceroute_t)
+ ')
')
optional_policy(`
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
index 506215ac..c53929bf 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -1,5 +1,5 @@
-policy_module(prelink,1.1.4)
+policy_module(prelink,1.1.5)
########################################
#
@@ -48,6 +48,7 @@ corecmd_manage_all_executables(prelink_t)
corecmd_relabel_all_executables(prelink_t)
corecmd_mmap_all_executables(prelink_t)
corecmd_read_sbin_symlinks(prelink_t)
+corecmd_read_bin_symlinks(prelink_t)
dev_read_urand(prelink_t)
diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
index 00f1b98f..9b372183 100644
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@ -211,7 +211,7 @@ interface(`rpm_read_db',`
files_search_var_lib($1)
allow $1 rpm_var_lib_t:dir r_dir_perms;
- allow $1 rpm_var_lib_t:file { getattr read };
+ allow $1 rpm_var_lib_t:file r_file_perms;
allow $1 rpm_var_lib_t:lnk_file r_file_perms;
')
@@ -232,8 +232,8 @@ interface(`rpm_manage_db',`
files_search_var_lib($1)
allow $1 rpm_var_lib_t:dir rw_dir_perms;
- allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
- allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
+ allow $1 rpm_var_lib_t:file manage_file_perms;
+ allow $1 rpm_var_lib_t:lnk_file create_lnk_perms;
')
########################################
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index a12a0d4f..da38ad56 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,5 +1,5 @@
-policy_module(rpm,1.3.9)
+policy_module(rpm,1.3.10)
########################################
#
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 54724198..0cc9adcd 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
-policy_module(usermanage,1.3.7)
+policy_module(usermanage,1.3.8)
########################################
#
@@ -260,6 +260,7 @@ optional_policy(`
')
optional_policy(`
+ nscd_exec(groupadd_t)
nscd_socket_use(groupadd_t)
')
@@ -534,6 +535,7 @@ optional_policy(`
')
optional_policy(`
+ nscd_exec(useradd_t)
nscd_socket_use(useradd_t)
')
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index e8093651..f27cc838 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.1.12)
+policy_module(corenetwork,1.1.13)
########################################
#
@@ -62,7 +62,7 @@ network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
network_port(auth, tcp,113,s0)
-network_port(bgp, tcp,179,s0, udp,179,s0)
+network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
@@ -145,7 +145,7 @@ network_port(uucpd, tcp,540,s0)
network_port(vnc, tcp,5900,s0)
network_port(xen, tcp,8002,s0)
network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
-network_port(zebra, tcp,2601,s0)
+network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index f83f36fa..e1e67f60 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -19,7 +19,9 @@
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
+/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
+/dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0)
/dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -54,6 +56,7 @@
/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
+/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index a1940b41..6c06c8cd 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.1.14)
+policy_module(devices,1.1.15)
########################################
#
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index b3a21ea1..e2c84218 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -11,6 +11,7 @@
ifdef(`distro_redhat',`
/\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
/\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/\.suspended -- gen_context(system_u:object_r:etc_runtime_t,s0)
/fastboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
/forcefsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index e3f7b8f7..cf928945 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files,1.2.12)
+policy_module(files,1.2.13)
########################################
#
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 1c08a771..512192a6 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1019,6 +1019,26 @@ interface(`fs_relabelfrom_dos_fs',`
########################################
## <summary>
+## Create, read, write, and delete files
+## on a DOS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_dos_files',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ allow $1 dosfs_t:dir rw_dir_perms;
+ allow $1 dosfs_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
## Read eventpollfs files.
## </summary>
## <desc>
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 104b56bf..23753bd2 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem,1.3.12)
+policy_module(filesystem,1.3.13)
########################################
#
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index 3caa6f77..ed1e0229 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -6,7 +6,7 @@
########################################
## <summary>
## This domain is allowed to sigkill and sigstop
-## all domains regardless of their MCS level.
+## all domains regardless of their MCS category set.
## </summary>
## <param name="domain">
## <summary>
@@ -24,6 +24,26 @@ interface(`mcs_killall',`
########################################
## <summary>
+## This domain is allowed to ptrace
+## all domains regardless of their MCS
+## category set.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain target for user exemption.
+## </summary>
+## </param>
+#
+interface(`mcs_ptrace_all',`
+ gen_require(`
+ attribute mcsptraceall;
+ ')
+
+ typeattribute $1 mcsptraceall;
+')
+
+########################################
+## <summary>
## Make specified domain MCS trusted
## for setting any category set for
## the processes it executes.
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
index 88a6e986..5f8b1f40 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
@@ -1,5 +1,5 @@
-policy_module(mcs,1.0.2)
+policy_module(mcs,1.0.3)
########################################
#
@@ -7,6 +7,7 @@ policy_module(mcs,1.0.2)
#
attribute mcskillall;
+attribute mcsptraceall;
attribute mcssetcats;
########################################
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index c4f9d7e3..f10b677a 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -150,7 +150,11 @@ interface(`selinux_set_enforce_mode',`
if(!secure_mode_policyload) {
allow $1 security_t:security setenforce;
- auditallow $1 security_t:security setenforce;
+
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+ auditallow $1 security_t:security setenforce;
+ ')
}
')
@@ -177,7 +181,11 @@ interface(`selinux_load_policy',`
if(!secure_mode_policyload) {
allow $1 security_t:security load_policy;
- auditallow $1 security_t:security load_policy;
+
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+ auditallow $1 security_t:security load_policy;
+ ')
}
')
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index b62940e6..d0e27500 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -1,5 +1,5 @@
-policy_module(selinux,1.1.1)
+policy_module(selinux,1.1.2)
########################################
#
@@ -40,10 +40,9 @@ allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setb
if(!secure_mode_policyload) {
allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
- auditallow selinux_unconfined_type security_t:security { load_policy setenforce };
ifdef(`distro_rhel4',`
# needed for systems without audit support
- auditallow selinux_unconfined_type security_t:security setbool;
+ auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
')
}
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 30d78686..8d529585 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -21,8 +21,9 @@
/dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index e78c43c6..59d716ba 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,5 +1,5 @@
-policy_module(storage,1.0.1)
+policy_module(storage,1.0.2)
########################################
#
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index 67020c07..c92b118c 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@@ -1,5 +1,5 @@
-policy_module(automount,1.2.7)
+policy_module(automount,1.2.8)
########################################
#
@@ -36,10 +36,12 @@ allow automount_t self:unix_stream_socket create_socket_perms;
allow automount_t self:unix_dgram_socket create_socket_perms;
allow automount_t self:tcp_socket create_stream_socket_perms;
allow automount_t self:udp_socket create_socket_perms;
+allow automount_t self:netlink_route_socket r_netlink_socket_perms;
allow automount_t automount_etc_t:file { getattr read };
# because config files can be shell scripts
can_exec(automount_t, automount_etc_t)
+can_exec(automount_t, automount_exec_t)
allow automount_t automount_lock_t:file create_file_perms;
files_lock_filetrans(automount_t,automount_lock_t,file)
@@ -169,6 +171,12 @@ optional_policy(`
')
optional_policy(`
+ kerberos_read_keytab(automount_t)
+ kerberos_read_config(automount_t)
+ kerberos_dontaudit_write_config(automount_t)
+')
+
+optional_policy(`
nis_use_ypbind(automount_t)
')
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 86a2b046..d1d378f3 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -1,5 +1,5 @@
-policy_module(avahi,1.2.3)
+policy_module(avahi,1.2.4)
########################################
#
@@ -78,6 +78,7 @@ logging_send_syslog_msg(avahi_t)
miscfiles_read_localization(avahi_t)
sysnet_read_config(avahi_t)
+sysnet_use_ldap(avahi_t)
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
userdom_dontaudit_search_sysadm_home_dirs(avahi_t)
diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
index b63564d0..d4ad4d71 100644
--- a/policy/modules/services/bind.fc
+++ b/policy/modules/services/bind.fc
@@ -28,7 +28,8 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
-/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index e284ddfb..1d2dd9f1 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,5 +1,5 @@
-policy_module(bind,1.1.6)
+policy_module(bind,1.1.7)
########################################
#
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index 0b67faca..8eefbb5c 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -2,6 +2,27 @@
########################################
## <summary>
+## Execute bluetooth in the bluetooth domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`bluetooth_domtrans',`
+ gen_require(`
+ type bluetooth_t, bluetooth_exec_t;
+ ')
+
+ domain_auto_trans($1,bluetooth_exec_t,bluetooth_t)
+ allow bluetooth_t $1:fd use;
+ allow bluetooth_t $1:fifo_file rw_file_perms;
+ allow bluetooth_t $1:process sigchld;
+')
+
+########################################
+## <summary>
## Read bluetooth daemon configuration.
## </summary>
## <param name="domain">
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 3a780446..dac26bf3 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -1,5 +1,5 @@
-policy_module(bluetooth,1.2.8)
+policy_module(bluetooth,1.2.9)
########################################
#
@@ -173,6 +173,7 @@ allow bluetooth_helper_t self:fifo_file rw_file_perms;
allow bluetooth_helper_t self:shm create_shm_perms;
allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow bluetooth_helper_t self:tcp_socket create_socket_perms;
+allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms;
allow bluetooth_helper_t bluetooth_t:socket { read write };
@@ -222,6 +223,8 @@ ifdef(`targeted_policy',`
userdom_manage_generic_user_home_content_files(bluetooth_helper_t)
optional_policy(`
+ corenet_tcp_connect_xserver_port(bluetooth_helper_t)
+
xserver_stream_connect_xdm(bluetooth_helper_t)
xserver_use_xdm_fds(bluetooth_helper_t)
xserver_rw_xdm_pipes(bluetooth_helper_t)
diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc
index 874f1e58..f9790aac 100644
--- a/policy/modules/services/clamav.fc
+++ b/policy/modules/services/clamav.fc
@@ -7,9 +7,10 @@
/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
+/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamav/clamd\.ctl -s gen_context(system_u:object_r:clamd_sock_t,s0)
/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
+/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 3263dbb1..9c9c3fa4 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -35,11 +35,11 @@ interface(`clamav_domtrans',`
#
interface(`clamav_stream_connect',`
gen_require(`
- type clamd_t, clamd_sock_t, clamd_var_run_t;
+ type clamd_t, clamd_var_run_t;
')
allow $1 clamd_var_run_t:dir search;
- allow $1 clamd_sock_t:sock_file write;
+ allow $1 clamd_var_run_t:sock_file write;
allow $1 clamd_t:unix_stream_socket connectto;
')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 14f06d6b..e79e0144 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,5 +1,5 @@
-policy_module(clamav,1.0.4)
+policy_module(clamav,1.0.5)
########################################
#
@@ -15,10 +15,6 @@ init_daemon_domain(clamd_t, clamd_exec_t)
type clamd_etc_t;
files_type(clamd_etc_t)
-# named socket type
-type clamd_sock_t;
-files_type(clamd_sock_t)
-
# tmp files
type clamd_tmp_t;
files_tmp_file(clamd_tmp_t)
@@ -34,6 +30,7 @@ files_type(clamd_var_lib_t)
# pid files
type clamd_var_run_t;
files_pid_file(clamd_var_run_t)
+typealias clamd_var_run_t alias clamd_sock_t;
type clamscan_t;
type clamscan_exec_t;
@@ -67,12 +64,6 @@ allow clamd_t clamd_etc_t:dir r_dir_perms;
allow clamd_t clamd_etc_t:file r_file_perms;
allow clamd_t clamd_etc_t:lnk_file { getattr read };
-# socket file
-allow clamd_t clamd_sock_t:file manage_file_perms;
-allow clamd_t clamd_sock_t:sock_file manage_file_perms;
-allow clamd_t clamd_sock_t:dir rw_dir_perms;
-files_pid_filetrans(clamd_t,clamd_sock_t,sock_file)
-
# tmp files
allow clamd_t clamd_tmp_t:file create_file_perms;
allow clamd_t clamd_tmp_t:dir create_dir_perms;
@@ -80,14 +71,10 @@ files_tmp_filetrans(clamd_t,clamd_tmp_t,{ file dir })
# var/lib files for clamd
allow clamd_t clamd_var_lib_t:file create_file_perms;
-allow clamd_t clamd_var_lib_t:sock_file create_file_perms;
allow clamd_t clamd_var_lib_t:dir create_dir_perms;
-files_var_filetrans(clamd_t,clamd_var_lib_t,{ file dir sock_file })
-files_var_lib_filetrans(clamd_t,clamd_var_lib_t,file)
# log files
allow clamd_t clamd_var_log_t:file create_file_perms;
-allow clamd_t clamd_var_log_t:sock_file create_file_perms;
allow clamd_t clamd_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(clamd_t,clamd_var_log_t,file)
@@ -161,10 +148,7 @@ allow freshclam_t clamd_etc_t:lnk_file { getattr read };
# var/lib files together with clamd
allow freshclam_t clamd_var_lib_t:file create_file_perms;
-allow freshclam_t clamd_var_lib_t:sock_file create_file_perms;
allow freshclam_t clamd_var_lib_t:dir create_dir_perms;
-files_var_filetrans(freshclam_t,clamd_var_lib_t,{ file dir sock_file })
-files_var_lib_filetrans(freshclam_t,clamd_var_lib_t,file)
# pidfiles- var/run together with clamd
allow freshclam_t clamd_var_run_t:file manage_file_perms;
@@ -174,7 +158,6 @@ files_pid_filetrans(freshclam_t,clamd_var_run_t,file)
# log files (own logfiles only)
allow freshclam_t freshclam_var_log_t:file create_file_perms;
-allow freshclam_t freshclam_var_log_t:sock_file create_file_perms;
allow freshclam_t freshclam_var_log_t:dir { rw_dir_perms setattr };
allow freshclam_t clamd_var_log_t:dir search;
logging_log_filetrans(freshclam_t,freshclam_var_log_t,file)
@@ -234,7 +217,6 @@ files_tmp_filetrans(clamscan_t,clamscan_tmp_t,{ file dir })
# var/lib files together with clamd
allow clamscan_t clamd_var_lib_t:file r_file_perms;
-allow clamscan_t clamd_var_lib_t:sock_file rw_file_perms;
allow clamscan_t clamd_var_lib_t:dir r_dir_perms;
kernel_read_kernel_sysctls(clamscan_t)
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index 21dc5dae..6199142f 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -1,5 +1,5 @@
-policy_module(cyrus,1.1.3)
+policy_module(cyrus,1.1.4)
########################################
#
@@ -41,6 +41,7 @@ allow cyrus_t self:unix_dgram_socket sendto;
allow cyrus_t self:unix_stream_socket connectto;
allow cyrus_t self:tcp_socket create_stream_socket_perms;
allow cyrus_t self:udp_socket create_socket_perms;
+allow cyrus_t self:netlink_route_socket r_netlink_socket_perms;
allow cyrus_t cyrus_tmp_t:dir create_dir_perms;
allow cyrus_t cyrus_tmp_t:file create_file_perms;
@@ -123,6 +124,10 @@ optional_policy(`
')
optional_policy(`
+ ldap_stream_connect(cyrus_t)
+')
+
+optional_policy(`
nis_use_ypbind(cyrus_t)
')
diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc
index a6a0023c..48ba5809 100644
--- a/policy/modules/services/dovecot.fc
+++ b/policy/modules/services/dovecot.fc
@@ -28,6 +28,8 @@ ifdef(`distro_redhat', `
#
/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 166d4dca..642e3cea 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -1,5 +1,5 @@
-policy_module(dovecot,1.2.4)
+policy_module(dovecot,1.2.5)
########################################
#
@@ -9,6 +9,12 @@ type dovecot_t;
type dovecot_exec_t;
init_daemon_domain(dovecot_t,dovecot_exec_t)
+type dovecot_auth_t;
+type dovecot_auth_exec_t;
+domain_type(dovecot_auth_t)
+domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
+role system_r types dovecot_auth_t;
+
type dovecot_cert_t;
files_type(dovecot_cert_t)
@@ -21,15 +27,13 @@ files_type(dovecot_passwd_t)
type dovecot_spool_t;
files_type(dovecot_spool_t)
+# /var/lib/dovecot holds SSL parameters file
+type dovecot_var_lib_t;
+files_type(dovecot_var_lib_t)
+
type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)
-type dovecot_auth_t;
-type dovecot_auth_exec_t;
-domain_type(dovecot_auth_t)
-domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
-role system_r types dovecot_auth_t;
-
########################################
#
# dovecot local policy
@@ -161,6 +165,11 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write io
allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
+# Allow dovecot to create and read SSL parameters file
+allow dovecot_t dovecot_var_lib_t:dir rw_dir_perms;
+allow dovecot_t dovecot_var_lib_t:file manage_file_perms;
+files_search_var_lib(dovecot_t)
+
allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms;
kernel_read_all_sysctls(dovecot_auth_t)
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index fb09648f..df7e7f2d 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -1,5 +1,5 @@
-policy_module(ftp,1.2.6)
+policy_module(ftp,1.2.7)
########################################
#
@@ -50,6 +50,7 @@ allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
allow ftpd_t self:udp_socket create_socket_perms;
+allow ftpd_t self:netlink_route_socket r_netlink_socket_perms;
allow ftpd_t ftpd_etc_t:file r_file_perms;
@@ -206,6 +207,12 @@ tunable_policy(`ftpd_is_daemon',`
')
optional_policy(`
+ tunable_policy(`ftp_home_dir',`
+ apache_search_sys_content(ftpd_t)
+ ')
+')
+
+optional_policy(`
corecmd_exec_shell(ftpd_t)
files_read_usr_files(ftpd_t)
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index 47786ad8..8c7a8720 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal,1.3.10)
+policy_module(hal,1.3.11)
########################################
#
@@ -22,7 +22,7 @@ files_pid_file(hald_var_run_t)
#
# execute openvt which needs setuid
-allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+allow hald_t self:capability { audit_write chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
dontaudit hald_t self:capability sys_tty_config;
allow hald_t self:process signal_perms;
allow hald_t self:fifo_file rw_file_perms;
@@ -153,6 +153,10 @@ ifdef(`targeted_policy', `
')
optional_policy(`
+ bootloader_domtrans(hald_t)
+')
+
+optional_policy(`
# For /usr/libexec/hald-addon-acpi
# writes to /var/run/acpid.socket
apm_stream_connect(hald_t)
@@ -163,6 +167,10 @@ optional_policy(`
')
optional_policy(`
+ bluetooth_domtrans(hald_t)
+')
+
+optional_policy(`
clock_domtrans(hald_t)
')
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index d4c00505..eb533087 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -1,5 +1,5 @@
-policy_module(inetd,1.1.4)
+policy_module(inetd,1.1.5)
########################################
#
@@ -218,8 +218,10 @@ miscfiles_read_localization(inetd_child_t)
sysnet_read_config(inetd_child_t)
-tunable_policy(`run_ssh_inetd',`
- corenet_tcp_bind_ssh_port(inetd_t)
+ifdef(`strict_policy',`
+ tunable_policy(`run_ssh_inetd',`
+ corenet_tcp_bind_ssh_port(inetd_t)
+ ')
')
optional_policy(`
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
index 8ee84ac0..d7401475 100644
--- a/policy/modules/services/ldap.fc
+++ b/policy/modules/services/ldap.fc
@@ -6,6 +6,7 @@
/var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
/var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
+/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
index 45b3bd95..03b9d837 100644
--- a/policy/modules/services/ldap.if
+++ b/policy/modules/services/ldap.if
@@ -57,3 +57,24 @@ interface(`ldap_use',`
allow slapd_t $1:tcp_socket { acceptfrom recvfrom };
kernel_tcp_recvfrom($1)
')
+
+
+########################################
+## <summary>
+## Connect to slapd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_stream_connect',`
+ gen_require(`
+ type slapd_t, slapd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 slapd_var_run_t:sock_file write;
+ allow $1 slapd_t:unix_stream_socket connectto;
+')
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index 315dffb4..6731b765 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -1,5 +1,5 @@
-policy_module(ldap,1.2.3)
+policy_module(ldap,1.2.4)
########################################
#
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
index fd149e43..3d997fa2 100644
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
@@ -62,6 +62,7 @@ template(`lpd_per_userdomain_template',`
allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;
allow $1_lpr_t self:tcp_socket create_socket_perms;
allow $1_lpr_t self:udp_socket create_socket_perms;
+ allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms;
# lpr can run in lightweight mode, without a local print spooler.
allow $1_lpr_t lpd_var_run_t:dir search;
@@ -109,7 +110,9 @@ template(`lpd_per_userdomain_template',`
allow lpd_t $1_print_spool_t:file link_file_perms;
kernel_tcp_recvfrom($1_lpr_t)
+ kernel_read_kernel_sysctls($1_lpr_t)
+ corenet_non_ipsec_sendrecv($1_lpr_t)
corenet_tcp_sendrecv_generic_if($1_lpr_t)
corenet_udp_sendrecv_generic_if($1_lpr_t)
corenet_tcp_sendrecv_all_nodes($1_lpr_t)
@@ -119,8 +122,8 @@ template(`lpd_per_userdomain_template',`
corenet_tcp_connect_all_ports($1_lpr_t)
corenet_sendrecv_all_client_packets($1_lpr_t)
- # for /dev/null
- dev_list_all_dev_nodes($1_lpr_t)
+ dev_read_rand($1_lpr_t)
+ dev_read_urand($1_lpr_t)
domain_use_interactive_fds($1_lpr_t)
@@ -149,6 +152,8 @@ template(`lpd_per_userdomain_template',`
userdom_read_user_tmp_symlinks($1,$1_lpr_t)
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_lpr_t)
+ userdom_read_user_home_content_files($1,$1_lpr_t)
+ userdom_read_user_tmp_files($1,$1_lpr_t)
tunable_policy(`read_default_t',`
files_list_default($1_lpr_t)
@@ -158,8 +163,6 @@ template(`lpd_per_userdomain_template',`
tunable_policy(`read_untrusted_content',`
#list and read user specific untrusted content
- files_list_home($1_lpr_t)
- userdom_list_user_home_dirs($1,$1_lpr_t)
userdom_read_user_untrusted_content_files($1,$1_lpr_t)
#list and read user specific temporary untrusted content
@@ -186,6 +189,7 @@ template(`lpd_per_userdomain_template',`
cups_tcp_connect($1_lpr_t)
cups_read_config($2)
cups_tcp_connect($2)
+ cups_stream_connect($1_lpr_t)
')
optional_policy(`
@@ -199,14 +203,6 @@ template(`lpd_per_userdomain_template',`
optional_policy(`
nis_use_ypbind($1_lpr_t)
')
-
- ifdef(`TODO',`
- optional_policy(`
- allow $1_lpr_t xdm_t:fd use;
- allow $1_lpr_t xdm_var_run_t:dir search;
- allow $1_lpr_t xdm_t:fifo_file { getattr read write ioctl };
- ')
- ') dnl end TODO
')
#######################################
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index c2eedbd5..0006d343 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -1,5 +1,5 @@
-policy_module(lpd,1.2.4)
+policy_module(lpd,1.2.5)
########################################
#
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index f5ccc551..70e5b77d 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -1,5 +1,5 @@
-policy_module(mailman,1.1.5)
+policy_module(mailman,1.1.6)
########################################
#
@@ -30,12 +30,16 @@ mailman_domain_template(queue)
# Mailman CGI local policy
#
-# cjp: the template invocation for queue should be
+# cjp: the template invocation for cgi should be
# in the below optional policy; however, there are no
# optionals for file contexts yet, so it is promoted
# to global scope until such facilities exist.
optional_policy(`
+ allow mailman_cgi_t self:netlink_route_socket r_netlink_socket_perms;
+
+ dev_read_urand(mailman_cgi_t)
+
allow mailman_cgi_t mailman_archive_t:dir create_dir_perms;
allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
allow mailman_cgi_t mailman_archive_t:file create_file_perms;
@@ -52,6 +56,10 @@ optional_policy(`
apache_use_fds(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
apache_search_sys_script_state(mailman_cgi_t)
+
+ optional_policy(`
+ nscd_socket_use(mailman_cgi_t)
+ ')
')
########################################
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index a5fd29be..d9edc35b 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -1,5 +1,5 @@
-policy_module(nis,1.1.5)
+policy_module(nis,1.1.6)
########################################
#
@@ -86,6 +86,7 @@ corenet_udp_bind_generic_port(ypbind_t)
corenet_tcp_bind_reserved_port(ypbind_t)
corenet_udp_bind_reserved_port(ypbind_t)
corenet_tcp_bind_all_rpc_ports(ypbind_t)
+corenet_udp_bind_all_rpc_ports(ypbind_t)
corenet_tcp_connect_all_ports(ypbind_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
index 0625b2dd..84ea4949 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -44,6 +44,25 @@ interface(`nscd_domtrans',`
########################################
## <summary>
+## Allow the specified domain to execute nscd
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_exec',`
+ gen_require(`
+ type nscd_exec_t;
+ ')
+
+ can_exec($1,nscd_exec_t)
+')
+
+########################################
+## <summary>
## Use NSCD services by connecting using
## a unix stream socket.
## </summary>
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index 94ab0507..9b679d0a 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,5 +1,5 @@
-policy_module(nscd,1.2.6)
+policy_module(nscd,1.2.7)
gen_require(`
class nscd all_nscd_perms;
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 8277b366..512ce2de 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -1,5 +1,5 @@
-policy_module(openvpn,1.0.2)
+policy_module(openvpn,1.0.3)
########################################
#
@@ -33,6 +33,7 @@ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow openvpn_t self:udp_socket create_socket_perms;
allow openvpn_t self:tcp_socket create_socket_perms;
+allow openvpn_t self:netlink_route_socket r_netlink_socket_perms;
allow openvpn_t openvpn_etc_t:dir r_dir_perms;
allow openvpn_t openvpn_etc_t:file r_file_perms;
@@ -67,12 +68,15 @@ corenet_udp_bind_openvpn_port(openvpn_t)
corenet_sendrecv_openvpn_server_packets(openvpn_t)
corenet_rw_tun_tap_dev(openvpn_t)
+dev_search_sysfs(openvpn_t)
dev_read_rand(openvpn_t)
dev_read_urand(openvpn_t)
files_read_etc_files(openvpn_t)
files_read_etc_runtime_files(openvpn_t)
+init_use_fds(openvpn_t)
+
libs_use_ld_so(openvpn_t)
libs_use_shared_libs(openvpn_t)
@@ -80,10 +84,12 @@ logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
+sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
ifdef(`targeted_policy',`
- term_dontaudit_use_generic_ptys(openvpn_t)
+ # Need to interact with terminals if config option "auth-user-pass" is used
+ term_use_generic_ptys(openvpn_t)
')
optional_policy(`
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 8a1dd9f4..7fb0b17d 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
-policy_module(postfix,1.2.9)
+policy_module(postfix,1.2.10)
########################################
#
@@ -160,7 +160,7 @@ files_read_usr_files(postfix_master_t)
init_use_script_ptys(postfix_master_t)
-miscfiles_dontaudit_search_man_pages(postfix_master_t)
+miscfiles_read_man_pages(postfix_master_t)
seutil_sigchld_newrole(postfix_master_t)
# postfix does a "find" on startup for some reason - keep it quiet
@@ -591,5 +591,9 @@ files_read_usr_files(postfix_smtpd_t)
mta_read_aliases(postfix_smtpd_t)
optional_policy(`
+ postgrey_stream_connect(postfix_smtpd_t)
+')
+
+optional_policy(`
sasl_connect(postfix_smtpd_t)
')
diff --git a/policy/modules/services/postgrey.fc b/policy/modules/services/postgrey.fc
index 74c88dcb..f04d5ba9 100644
--- a/policy/modules/services/postgrey.fc
+++ b/policy/modules/services/postgrey.fc
@@ -3,6 +3,7 @@
/usr/sbin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0)
-/var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
-
/var/lib/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_lib_t,s0)
+
+/var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0)
+/var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
diff --git a/policy/modules/services/postgrey.if b/policy/modules/services/postgrey.if
index f5cae306..90f7a87a 100644
--- a/policy/modules/services/postgrey.if
+++ b/policy/modules/services/postgrey.if
@@ -1 +1,21 @@
## <summary>Postfix grey-listing server</summary>
+
+########################################
+## <summary>
+## Write to postgrey socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to talk to postgrey
+## </summary>
+## </param>
+#
+interface(`postgrey_stream_connect',`
+ gen_require(`
+ type postgrey_var_run_t, postgrey_t;
+ ')
+
+ allow $1 postgrey_t:unix_stream_socket connectto;
+ allow $1 postgrey_var_run_t:sock_file write;
+ files_search_pids($1)
+')
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index b794ca6a..93c74828 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -1,5 +1,5 @@
-policy_module(postgrey,1.0.1)
+policy_module(postgrey,1.0.2)
########################################
#
@@ -38,6 +38,7 @@ allow postgrey_t postgrey_var_lib_t:dir rw_dir_perms;
files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file)
allow postgrey_t postgrey_var_run_t:file create_file_perms;
+allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms;
allow postgrey_t postgrey_var_run_t:dir rw_dir_perms;
files_pid_filetrans(postgrey_t,postgrey_var_run_t,file)
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index 29eefaea..812f9cdd 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -1,5 +1,5 @@
-policy_module(procmail,1.2.4)
+policy_module(procmail,1.2.5)
########################################
#
@@ -35,6 +35,7 @@ corenet_tcp_sendrecv_all_nodes(procmail_t)
corenet_udp_sendrecv_all_nodes(procmail_t)
corenet_tcp_sendrecv_all_ports(procmail_t)
corenet_udp_sendrecv_all_ports(procmail_t)
+corenet_udp_bind_all_nodes(procmail_t)
corenet_tcp_connect_spamd_port(procmail_t)
corenet_sendrecv_spamd_client_packets(procmail_t)
diff --git a/policy/modules/services/radius.fc b/policy/modules/services/radius.fc
index 576f54f1..a9ce21df 100644
--- a/policy/modules/services/radius.fc
+++ b/policy/modules/services/radius.fc
@@ -3,6 +3,7 @@
/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0)
+/etc/raddb/db.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0)
/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index 4f61a75f..6767c839 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -1,5 +1,5 @@
-policy_module(radius,1.1.1)
+policy_module(radius,1.1.2)
########################################
#
@@ -13,6 +13,9 @@ init_daemon_domain(radiusd_t,radiusd_exec_t)
type radiusd_etc_t;
files_config_file(radiusd_etc_t)
+type radiusd_etc_rw_t;
+files_type(radiusd_etc_rw_t)
+
type radiusd_log_t;
logging_log_file(radiusd_log_t)
@@ -39,6 +42,11 @@ allow radiusd_t radiusd_etc_t:dir r_dir_perms;
allow radiusd_t radiusd_etc_t:lnk_file { getattr read };
files_search_etc(radiusd_t)
+allow radiusd_t radiusd_etc_rw_t:dir create_dir_perms;
+allow radiusd_t radiusd_etc_rw_t:file create_file_perms;
+allow radiusd_t radiusd_etc_rw_t:lnk_file create_lnk_perms;
+type_transition radiusd_t radiusd_etc_t:{ dir file lnk_file } radiusd_etc_rw_t;
+
allow radiusd_t radiusd_log_t:file create_file_perms;
allow radiusd_t radiusd_log_t:dir create_dir_perms;
logging_log_filetrans(radiusd_t,radiusd_log_t,{ file dir })
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
index 18d90dc8..5d1ebea5 100644
--- a/policy/modules/services/remotelogin.te
+++ b/policy/modules/services/remotelogin.te
@@ -1,5 +1,5 @@
-policy_module(remotelogin,1.2.0)
+policy_module(remotelogin,1.2.1)
########################################
#
@@ -37,6 +37,7 @@ allow remote_login_t self:shm create_shm_perms;
allow remote_login_t self:sem create_sem_perms;
allow remote_login_t self:msgq create_msgq_perms;
allow remote_login_t self:msg { send receive };
+allow remote_login_t self:key write;
allow remote_login_t remote_login_tmp_t:dir create_dir_perms;
allow remote_login_t remote_login_tmp_t:file create_file_perms;
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 5577c67f..37ae73ef 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -1,5 +1,5 @@
-policy_module(samba,1.2.8)
+policy_module(samba,1.2.9)
#################################
#
@@ -186,11 +186,12 @@ allow smbd_t self:tcp_socket create_stream_socket_perms;
allow smbd_t self:udp_socket create_socket_perms;
allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow smbd_t self:netlink_route_socket r_netlink_socket_perms;
allow smbd_t samba_etc_t:dir rw_dir_perms;
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
-allow smbd_t samba_log_t:dir ra_dir_perms;
+allow smbd_t samba_log_t:dir { ra_dir_perms setattr };
dontaudit smbd_t samba_log_t:dir remove_name;
allow smbd_t samba_log_t:file { create ra_file_perms };
@@ -313,6 +314,7 @@ tunable_policy(`samba_share_nfs',`
optional_policy(`
cups_read_rw_config(smbd_t)
+ cups_stream_connect(smbd_t)
')
optional_policy(`
@@ -365,7 +367,7 @@ files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)
allow nmbd_t samba_etc_t:dir { search getattr };
allow nmbd_t samba_etc_t:file { getattr read };
-allow nmbd_t samba_log_t:dir ra_dir_perms;
+allow nmbd_t samba_log_t:dir { ra_dir_perms setattr };
allow nmbd_t samba_log_t:file { create ra_file_perms };
allow nmbd_t samba_var_t:dir rw_dir_perms;
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index a1480f4c..c6d21dfb 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -1,5 +1,5 @@
-policy_module(squid,1.1.3)
+policy_module(squid,1.1.4)
########################################
#
@@ -80,8 +80,10 @@ corenet_udp_sendrecv_all_ports(squid_t)
corenet_tcp_bind_all_nodes(squid_t)
corenet_udp_bind_all_nodes(squid_t)
corenet_tcp_bind_http_cache_port(squid_t)
+corenet_udp_bind_http_cache_port(squid_t)
corenet_tcp_bind_ftp_port(squid_t)
corenet_tcp_bind_gopher_port(squid_t)
+corenet_udp_bind_gopher_port(squid_t)
corenet_tcp_connect_ftp_port(squid_t)
corenet_tcp_connect_gopher_port(squid_t)
corenet_tcp_connect_http_port(squid_t)
@@ -176,9 +178,6 @@ optional_policy(`
')
ifdef(`TODO',`
-ifdef(`apache.te',`
-can_tcp_connect(squid_t, httpd_t)
-')
#squid requires the following when run in diskd mode, the recommended setting
allow squid_t tmpfs_t:file { read write };
') dnl end TODO
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index ef79d3fb..00899343 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -71,6 +71,7 @@ template(`ssh_basic_client_template',`
allow $1_ssh_t self:msgq create_msgq_perms;
allow $1_ssh_t self:msg { send receive };
allow $1_ssh_t self:tcp_socket create_socket_perms;
+ allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms;
# for rsync
allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index c8113fbb..15ec28ff 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,5 +1,5 @@
-policy_module(ssh,1.3.6)
+policy_module(ssh,1.3.7)
########################################
#
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index 4df1189f..4c998cd5 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -1,5 +1,5 @@
-policy_module(tftp,1.1.1)
+policy_module(tftp,1.1.2)
########################################
#
@@ -78,6 +78,7 @@ logging_send_syslog_msg(tftpd_t)
miscfiles_read_localization(tftpd_t)
sysnet_read_config(tftpd_t)
+sysnet_use_ldap(tftpd_t)
userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
userdom_dontaudit_use_sysadm_ttys(tftpd_t)
diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te
index 5752f5dd..2a4da55f 100644
--- a/policy/modules/services/xfs.te
+++ b/policy/modules/services/xfs.te
@@ -1,5 +1,5 @@
-policy_module(xfs,1.0.3)
+policy_module(xfs,1.0.4)
########################################
#
@@ -46,6 +46,8 @@ corecmd_list_bin(xfs_t)
corecmd_list_sbin(xfs_t)
dev_read_sysfs(xfs_t)
+dev_read_urand(xfs_t)
+dev_read_rand(xfs_t)
fs_getattr_all_fs(xfs_t)
fs_search_auto_mountpoints(xfs_t)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index e0b85114..6868bb68 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -317,7 +317,6 @@ template(`xserver_per_userdomain_template',`
')
ifdef(`TODO',`
- allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
ifdef(`xdm.te', `
@@ -1126,6 +1125,7 @@ interface(`xserver_stream_connect_xdm_xserver',`
')
files_search_tmp($1)
+ allow $1 xdm_xserver_tmp_t:dir search_dir_perms;
allow $1 xdm_xserver_tmp_t:sock_file write;
allow $1 xdm_xserver_t:unix_stream_socket connectto;
')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 5bc23568..86b30cc2 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
-policy_module(xserver,1.1.10)
+policy_module(xserver,1.1.11)
########################################
#
@@ -88,6 +88,7 @@ allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow xdm_t self:unix_dgram_socket create_socket_perms;
allow xdm_t self:tcp_socket create_stream_socket_perms;
allow xdm_t self:udp_socket create_socket_perms;
+allow xdm_t self:key write;
# Supress permission check on .ICE-unix
dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
@@ -331,7 +332,7 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
- consoletype_domtrans(xdm_t)
+ consoletype_exec(xdm_t)
')
optional_policy(`
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index 3d331a37..2cc306e0 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -1,5 +1,5 @@
-policy_module(zebra,1.2.2)
+policy_module(zebra,1.2.3)
########################################
#
@@ -72,8 +72,10 @@ corenet_tcp_sendrecv_all_ports(zebra_t)
corenet_udp_sendrecv_all_ports(zebra_t)
corenet_tcp_bind_all_nodes(zebra_t)
corenet_udp_bind_all_nodes(zebra_t)
+corenet_tcp_bind_bgp_port(zebra_t)
corenet_tcp_bind_zebra_port(zebra_t)
corenet_udp_bind_router_port(zebra_t)
+corenet_tcp_connect_bgp_port(zebra_t)
corenet_sendrecv_zebra_server_packets(zebra_t)
corenet_sendrecv_router_server_packets(zebra_t)
@@ -116,6 +118,11 @@ ifdef(`targeted_policy', `
unconfined_sigchld(zebra_t)
')
+tunable_policy(`allow_zebra_write_config',`
+ allow zebra_t zebra_conf_t:dir write;
+ allow zebra_t zebra_conf_t:file write;
+')
+
optional_policy(`
ldap_use(zebra_t)
')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 7e6ca34d..18d1fe85 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
-policy_module(authlogin,1.3.8)
+policy_module(authlogin,1.3.9)
########################################
#
@@ -193,6 +193,7 @@ term_use_all_user_ptys(pam_console_t)
term_setattr_console(pam_console_t)
term_getattr_unallocated_ttys(pam_console_t)
term_setattr_unallocated_ttys(pam_console_t)
+term_use_unallocated_ttys(pam_console_t)
auth_use_nsswitch(pam_console_t)
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index f55036c7..dcd5ba62 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -1,3 +1,4 @@
+/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 73a8fe08..8d24711b 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,5 +1,5 @@
-policy_module(fstools,1.3.2)
+policy_module(fstools,1.3.3)
########################################
#
diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
index b7783093..ff413c7d 100644
--- a/policy/modules/system/getty.fc
+++ b/policy/modules/system/getty.fc
@@ -9,3 +9,4 @@
/var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0)
/var/spool/fax -- gen_context(system_u:object_r:getty_var_run_t,s0)
+/var/spool/voice -- gen_context(system_u:object_r:getty_var_run_t,s0)
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index aaac7527..e6a67456 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -1,5 +1,5 @@
-policy_module(getty,1.1.2)
+policy_module(getty,1.1.3)
########################################
#
@@ -37,7 +37,7 @@ files_pid_file(getty_var_run_t)
#
# Use capabilities.
-allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid };
+allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
dontaudit getty_t self:capability sys_tty_config;
allow getty_t self:process { getpgid getsession signal_perms };
@@ -90,6 +90,7 @@ corecmd_search_sbin(getty_t)
files_rw_generic_pids(getty_t)
files_read_etc_runtime_files(getty_t)
files_read_etc_files(getty_t)
+files_search_spool(getty_t)
init_rw_utmp(getty_t)
init_use_script_ptys(getty_t)
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index 14bad2df..cddc6c9f 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -1,5 +1,5 @@
-policy_module(hotplug,1.2.1)
+policy_module(hotplug,1.2.2)
########################################
#
@@ -136,7 +136,7 @@ ifdef(`targeted_policy', `
term_dontaudit_use_generic_ptys(hotplug_t)
optional_policy(`
- consoletype_domtrans(hotplug_t)
+ consoletype_exec(hotplug_t)
')
')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 65cf3de4..431483b8 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.3.17)
+policy_module(init,1.3.18)
gen_require(`
class passwd rootok;
@@ -286,6 +286,9 @@ fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
+# initrc_t needs to do a pidof which requires ptrace
+mcs_ptrace_all(initrc_t)
+
selinux_get_enforce_mode(initrc_t)
storage_getattr_fixed_disk_dev(initrc_t)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 11ce8ae2..054f2bb1 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -198,7 +198,7 @@ ifdef(`distro_redhat',`
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
/usr/lib(64)?.*/libmpg123\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libavformat-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libavcodec-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libavutil-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 03ce1fa0..a1dd7d39 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
-policy_module(libraries,1.3.9)
+policy_module(libraries,1.3.10)
########################################
#
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 6a16f92d..296b6d9c 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -1,5 +1,5 @@
-policy_module(locallogin,1.2.3)
+policy_module(locallogin,1.2.4)
########################################
#
@@ -51,6 +51,7 @@ allow local_login_t self:shm create_shm_perms;
allow local_login_t self:sem create_sem_perms;
allow local_login_t self:msgq create_msgq_perms;
allow local_login_t self:msg { send receive };
+allow local_login_t self:key write;
allow local_login_t local_login_lock_t:file create_file_perms;
files_lock_filetrans(local_login_t,local_login_lock_t,file)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 32bf6573..4efe47f2 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -165,7 +165,8 @@ interface(`logging_manage_audit_config',`
')
files_search_etc($1)
- allow $1 auditd_etc_t:file create_file_perms;
+ allow $1 auditd_etc_t:dir rw_dir_perms;
+ allow $1 auditd_etc_t:file manage_file_perms;
')
########################################
@@ -287,6 +288,7 @@ interface(`logging_read_audit_config',`
')
files_search_etc($1)
+ allow $1 auditd_etc_t:dir r_dir_perms;
allow $1 auditd_etc_t:file r_file_perms;
')
@@ -308,7 +310,7 @@ interface(`logging_search_logs',`
')
files_search_var($1)
- allow $1 var_log_t:dir search;
+ allow $1 var_log_t:dir search_dir_perms;
')
#######################################
@@ -326,7 +328,7 @@ interface(`logging_dontaudit_search_logs',`
type var_log_t;
')
- dontaudit $1 var_log_t:dir search;
+ dontaudit $1 var_log_t:dir search_dir_perms;
')
#######################################
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 74aee442..f209df68 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging,1.3.7)
+policy_module(logging,1.3.8)
########################################
#
@@ -140,7 +140,7 @@ term_dontaudit_use_console(auditd_t)
# Probably want a transition, and a new auditd_helper app
corecmd_exec_sbin(auditd_t)
corecmd_exec_bin(auditd_t)
-
+corecmd_exec_shell(auditd_t)
domain_use_interactive_fds(auditd_t)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 5aca3d07..5c4a37d8 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,5 +1,5 @@
-policy_module(lvm,1.3.4)
+policy_module(lvm,1.3.5)
########################################
#
@@ -125,7 +125,7 @@ optional_policy(`
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
# rawio needed for dmraid
-allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
+allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
@@ -200,6 +200,7 @@ dev_create_generic_dirs(lvm_t)
fs_getattr_xattr_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
+fs_list_tmpfs(lvm_t)
fs_read_tmpfs_symlinks(lvm_t)
fs_dontaudit_read_removable_files(lvm_t)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index aada0130..94889002 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,8 +1,10 @@
-policy_module(selinuxutil,1.2.9)
+policy_module(selinuxutil,1.2.10)
-gen_require(`
- bool secure_mode;
+ifdef(`strict_policy',`
+ gen_require(`
+ bool secure_mode;
+ ')
')
########################################
@@ -104,6 +106,7 @@ domain_system_change_exemption(run_init_t)
type semanage_t;
domain_type(semanage_t)
+domain_interactive_fd(semanage_t)
type semanage_exec_t;
domain_entry_file(semanage_t, semanage_exec_t)
@@ -423,18 +426,17 @@ optional_policy(`
allow restorecond_t self:capability { dac_override dac_read_search fowner };
allow restorecond_t self:fifo_file rw_file_perms;
+allow restorecond_t self:netlink_route_socket r_netlink_socket_perms;
allow restorecond_t restorecond_var_run_t:file create_file_perms;
files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
-auth_relabel_all_files_except_shadow(restorecond_t )
-auth_read_all_files_except_shadow(restorecond_t)
-fs_relabelfrom_noxattr_fs(restorecond_t)
-
kernel_use_fds(restorecond_t)
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
+fs_relabelfrom_noxattr_fs(restorecond_t)
+fs_dontaudit_list_nfs(restorecond_t)
fs_getattr_xattr_fs(restorecond_t)
fs_list_inotifyfs(restorecond_t)
@@ -447,7 +449,11 @@ selinux_compute_user_contexts(restorecond_t)
term_dontaudit_use_generic_ptys(restorecond_t)
+auth_relabel_all_files_except_shadow(restorecond_t )
+auth_read_all_files_except_shadow(restorecond_t)
+
init_use_fds(restorecond_t)
+init_dontaudit_use_script_ptys(restorecond_t)
libs_use_ld_so(restorecond_t)
libs_use_shared_libs(restorecond_t)
@@ -456,6 +462,12 @@ logging_send_syslog_msg(restorecond_t)
miscfiles_read_localization(restorecond_t)
+optional_policy(`
+ # restorecond watches for users logging in,
+ # so it getspwnam when a user logs in to find his homedir
+ nis_use_ypbind(restorecond_t)
+')
+
#################################
#
# Run_init local policy
@@ -538,6 +550,7 @@ allow semanage_t self:capability { dac_override audit_write };
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
allow semanage_t self:unix_dgram_socket create_socket_perms;
allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow semanage_t self:netlink_route_socket r_netlink_socket_perms;
allow semanage_t policy_config_t:file { read write };
@@ -567,10 +580,15 @@ selinux_set_boolean(semanage_t)
term_use_all_terms(semanage_t)
+# Running genhomedircon requires this for finding all users
+auth_use_nsswitch(semanage_t)
+
libs_use_ld_so(semanage_t)
libs_use_shared_libs(semanage_t)
libs_use_lib_files(semanage_t)
+locallogin_use_fds(semanage_t)
+
logging_send_syslog_msg(semanage_t)
miscfiles_read_localization(semanage_t)
@@ -590,7 +608,7 @@ seutil_get_semanage_read_lock(semanage_t)
userdom_search_sysadm_home_dirs(semanage_t)
ifdef(`targeted_policy',`
-# Handle pp files created in homedir and /tmp
+ # Handle pp files created in homedir and /tmp
files_read_generic_tmp_files(semanage_t)
userdom_read_generic_user_home_content_files(semanage_t)
')
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 4ef391e2..41ae3d84 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -1,5 +1,5 @@
-policy_module(setrans,1.0.1)
+policy_module(setrans,1.0.2)
########################################
#
@@ -68,3 +68,7 @@ logging_send_syslog_msg(setrans_t)
miscfiles_read_localization(setrans_t)
seutil_read_config(setrans_t)
+
+optional_policy(`
+ rpm_use_script_fds(setrans_t)
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 2404432b..fb019814 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,5 +1,5 @@
-policy_module(sysnetwork,1.1.8)
+policy_module(sysnetwork,1.1.9)
########################################
#
@@ -277,6 +277,7 @@ allow ifconfig_t self:udp_socket create_socket_perms;
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
+allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
allow ifconfig_t self:tcp_socket { create ioctl };
files_read_etc_files(ifconfig_t);
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 06dec28e..785bc3ca 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,5 +1,5 @@
-policy_module(udev,1.3.3)
+policy_module(udev,1.3.4)
########################################
#
@@ -39,9 +39,9 @@ files_pid_file(udev_var_run_t)
# Local policy
#
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
dontaudit udev_t self:capability sys_tty_config;
-allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
allow udev_t self:fifo_file rw_file_perms;
diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
index d651278b..37d36199 100644
--- a/policy/modules/system/unconfined.fc
+++ b/policy/modules/system/unconfined.fc
@@ -9,4 +9,5 @@ ifdef(`targeted_policy',`
/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/local/RealPlay/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/bin/mplayer -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/xine -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index ea38ab70..36d1bf31 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -52,9 +52,10 @@ interface(`unconfined_domain_noaudit',`
allow $1 self:process execmem;
')
- tunable_policy(`allow_execmem && allow_execstack',`
- # Allow making the stack executable via mprotect.
- allow $1 self:process execstack;
+ tunable_policy(`allow_execstack',`
+ # Allow making the stack executable via mprotect;
+ # execstack implies execmem;
+ allow $1 self:process { execstack execmem };
# auditallow $1 self:process execstack;
')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 887ac687..790aa311 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined,1.3.12)
+policy_module(unconfined,1.3.13)
########################################
#
@@ -56,10 +56,6 @@ ifdef(`targeted_policy',`
')
optional_policy(`
- amanda_domtrans_recover(unconfined_t)
- ')
-
- optional_policy(`
apache_domtrans_helper(unconfined_t)
')
@@ -72,6 +68,10 @@ ifdef(`targeted_policy',`
')
optional_policy(`
+ bootloader_domtrans(unconfined_t)
+ ')
+
+ optional_policy(`
init_dbus_chat_script(unconfined_t)
dbus_stub(unconfined_t)
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 4f80cc0e..720cfa75 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
-policy_module(xen,1.0.7)
+policy_module(xen,1.0.8)
########################################
#
@@ -171,7 +171,7 @@ xen_stream_connect_xenstore(xend_t)
netutils_domtrans(xend_t)
optional_policy(`
- consoletype_domtrans(xend_t)
+ consoletype_exec(xend_t)
')
########################################