diff -ru policy.orig/modules/kernel/files.if policy/modules/kernel/files.if
--- policy.orig/modules/kernel/files.if 2006-10-05 22:30:53.000000000 +1000
+++ policy/modules/kernel/files.if 2006-10-05 22:33:15.000000000 +1000
@@ -1390,26 +1390,6 @@
########################################
##
-## Read and write symbolic links
-## in the /boot directory.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`files_rw_boot_symlinks',`
- gen_require(`
- type boot_t;
- ')
-
- allow $1 boot_t:dir r_dir_perms;
- allow $1 boot_t:lnk_file rw_file_perms;
-')
-
-########################################
-##
## Create, read, write, and delete symbolic links
## in the /boot directory.
##
diff -ru policy.orig/modules/kernel/kernel.if policy/modules/kernel/kernel.if
--- policy.orig/modules/kernel/kernel.if 2006-10-05 22:30:53.000000000 +1000
+++ policy/modules/kernel/kernel.if 2006-10-05 22:33:15.000000000 +1000
@@ -2060,6 +2060,24 @@
########################################
##
+## Allow caller to stat unlabeled processes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_getattr_unlabeled_procs',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:process getattr;
+')
+
+########################################
+##
## Allow caller to relabel unlabeled files.
##
##
diff -ru policy.orig/modules/kernel/terminal.te policy/modules/kernel/terminal.te
--- policy.orig/modules/kernel/terminal.te 2006-10-05 22:30:53.000000000 +1000
+++ policy/modules/kernel/terminal.te 2006-10-05 22:33:15.000000000 +1000
@@ -28,7 +28,6 @@
type devpts_t;
files_mountpoint(devpts_t)
fs_associate_tmpfs(devpts_t)
-files_associate_tmp(devpts_t)
fs_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
diff -ru policy.orig/modules/services/amavis.te policy/modules/services/amavis.te
--- policy.orig/modules/services/amavis.te 2006-10-05 22:31:08.000000000 +1000
+++ policy/modules/services/amavis.te 2006-10-05 22:33:15.000000000 +1000
@@ -50,6 +50,7 @@
allow amavis_t self:unix_stream_socket create_stream_socket_perms;
allow amavis_t self:unix_dgram_socket create_socket_perms;
allow amavis_t self:tcp_socket { listen accept };
+kernel_read_proc_symlinks(amavis_t)
# configuration files
allow amavis_t amavis_etc_t:dir r_dir_perms;
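Review bot: The new `kernel_read_proc_symlinks(amavis_t)` call is dropped in between the `allow amavis_t self:…` rules and the `# configuration files` comment, which is not where a reader of a refpolicy .te file looks for interface calls; the rest of amavis.te keeps local `allow` rules first and groups interface calls afterwards by module prefix. Move it below the local rules next to the other kernel_ calls, and give it a one-line reason such as `# read /proc/self symlinks` if that is what triggered it — I am inferring the purpose from the interface name only.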
@@ -66,7 +67,6 @@
allow amavis_t amavis_spool_t:dir manage_dir_perms;
allow amavis_t amavis_spool_t:file manage_file_perms;
allow amavis_t amavis_spool_t:sock_file manage_file_perms;
-files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file })
type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;
# tmp files
@@ -78,8 +78,6 @@
allow amavis_t amavis_var_lib_t:file create_file_perms;
allow amavis_t amavis_var_lib_t:sock_file create_file_perms;
allow amavis_t amavis_var_lib_t:dir create_dir_perms;
-files_var_filetrans(amavis_t,amavis_var_lib_t,{ file dir sock_file })
-files_var_lib_filetrans(amavis_t,amavis_var_lib_t,file)
# log files
allow amavis_t amavis_var_log_t:file create_file_perms;
diff -ru policy.orig/modules/services/mailman.te policy/modules/services/mailman.te
--- policy.orig/modules/services/mailman.te 2006-10-05 22:31:08.000000000 +1000
+++ policy/modules/services/mailman.te 2006-10-05 22:33:15.000000000 +1000
@@ -40,6 +40,9 @@
dev_read_urand(mailman_cgi_t)
+# for python pre-compile foolishness
+ dontaudit mailman_cgi_t lib_t:dir write;
+
allow mailman_cgi_t mailman_archive_t:dir create_dir_perms;
allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
allow mailman_cgi_t mailman_archive_t:file create_file_perms;
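Review bot: The added `dontaudit mailman_cgi_t lib_t:dir write;` names `lib_t`, a type owned by the libraries module, directly from a .te file with no `gen_require` block; refpolicy reaches another module's types only through that module's interfaces, so this should be a `libs_` interface call (`libs_dontaudit_write_lib_dirs(mailman_cgi_t)` if this policy version provides one) or at minimum a `gen_require(` / `type lib_t;` / `')` block. The rule also appears indented while the neighbouring `dev_read_urand(mailman_cgi_t)` and `allow` lines are flush left. Using dontaudit rather than allow is the right choice here: a CGI writing .pyc files into library directories should stay denied, and the rule only removes the log noise.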
diff -ru policy.orig/modules/services/postgrey.te policy/modules/services/postgrey.te
--- policy.orig/modules/services/postgrey.te 2006-10-05 22:31:08.000000000 +1000
+++ policy/modules/services/postgrey.te 2006-10-05 22:33:15.000000000 +1000
@@ -18,6 +18,8 @@
type postgrey_var_run_t;
files_pid_file(postgrey_var_run_t)
+files_pid_filetrans(postgrey_t, postgrey_var_run_t, sock_file)
+allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms;
########################################
#
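Review bot: The two new postgrey rules sit in the type-declaration section, directly under `files_pid_file(postgrey_var_run_t)` and above the `####…` header that opens the local-policy section, whereas access rules in a refpolicy .te belong below that header; move `files_pid_filetrans(postgrey_t, postgrey_var_run_t, sock_file)` and the `allow` line into the postgrey_t local policy block. `manage_file_perms` on the `sock_file` class works, but the class-specific set (`manage_sock_file_perms`) reads more precisely if this policy version defines it, and it matches what the filetrans grants. A short comment naming the object, e.g. `# unix socket under /var/run`, would make the transition's purpose clear.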
diff -ru policy.orig/modules/services/samba.te policy/modules/services/samba.te
--- policy.orig/modules/services/samba.te 2006-10-05 22:31:09.000000000 +1000
+++ policy/modules/services/samba.te 2006-10-05 22:33:15.000000000 +1000
@@ -501,10 +501,6 @@
userdom_use_sysadm_ttys(smbmount_t)
optional_policy(`
- cups_read_rw_config(smbd_t)
-')
-
-optional_policy(`
nis_use_ypbind(smbmount_t)
')
diff -ru policy.orig/modules/system/init.te policy/modules/system/init.te
--- policy.orig/modules/system/init.te 2006-10-05 22:31:10.000000000 +1000
+++ policy/modules/system/init.te 2006-10-05 22:33:15.000000000 +1000
@@ -430,11 +430,6 @@
selinux_set_enforce_mode(initrc_t)
- # Create and read /boot/kernel.h and /boot/System.map.
- # Redhat systems typically create this file at boot time.
- bootloader_create_runtime_file(initrc_t)
- files_rw_boot_symlinks(initrc_t)
-
# These seem to be from the initrd
# during device initialization:
dev_create_generic_dirs(initrc_t)
diff -ru policy.orig/modules/system/libraries.fc policy/modules/system/libraries.fc
--- policy.orig/modules/system/libraries.fc 2006-10-05 22:31:10.000000000 +1000
+++ policy/modules/system/libraries.fc 2006-10-05 22:33:15.000000000 +1000
@@ -41,8 +41,10 @@
#
# /lib(64)?
#
-/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/lib -d gen_context(system_u:object_r:lib_t,s0)
+/lib/.* gen_context(system_u:object_r:lib_t,s0)
+/lib64 -d gen_context(system_u:object_r:lib_t,s0)
+/lib64/.* gen_context(system_u:object_r:lib_t,s0)
/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/lib64/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
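Review bot: Replacing `/lib(/.*)?` with a `-d` entry plus `/lib/.*` narrows what the `/lib` and `/lib64` paths themselves can match: the old spec labelled that path whatever its object type, while `-d` matches only a directory, so on a layout where `/lib64` is a symlink to `/lib` the link would no longer get `lib_t` from this file and would be left to the default or unlabeled on relabel. If the split is intended to keep the directory itself out of the `/lib/.*` regex, add an explicit symlink entry such as `/lib64 -l gen_context(system_u:object_r:lib_t,s0)`, or drop `-d` so any type matches as before. The `/lib32` change in the `distro_gentoo` hunk below has the same gap.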
@@ -57,7 +59,8 @@
')
ifdef(`distro_gentoo',`
-/lib32(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/lib32 -d gen_context(system_u:object_r:lib_t,s0)
+/lib32/.* gen_context(system_u:object_r:lib_t,s0)
/lib32/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
')
diff -ru policy.orig/modules/system/unconfined.if policy/modules/system/unconfined.if
--- policy.orig/modules/system/unconfined.if 2006-10-05 22:31:10.000000000 +1000
+++ policy/modules/system/unconfined.if 2006-10-05 22:33:15.000000000 +1000
@@ -88,6 +88,11 @@
optional_policy(`
storage_unconfined($1)
')
+
+ optional_policy(`
+ kernel_getattr_unlabeled_procs($1)
+ kernel_kill_unlabeled($1)
+ ')
')
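Review bot: Wrapping `kernel_getattr_unlabeled_procs($1)` and `kernel_kill_unlabeled($1)` in `optional_policy(` … `')` is unusual: the kernel module is part of the base policy and refpolicy calls its interfaces unconditionally, reserving `optional_policy` for modules that may be absent at load time, so these should be plain calls grouped with the interface's other kernel_ rules rather than appended after the `storage_unconfined` block. `kernel_kill_unlabeled` is not defined anywhere in this diff, so it presumably already exists in kernel.if — worth confirming the name before building. The interface being edited begins outside the hunk.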
########################################