diff --exclude-from=exclude -N -u -r nsapolicy/appconfig/media policy-1.17.15/appconfig/media --- nsapolicy/appconfig/media 1969-12-31 19:00:00.000000000 -0500 +++ policy-1.17.15/appconfig/media 2004-09-14 11:08:47.000000000 -0400 @@ -0,0 +1,3 @@ +cdrom system_u:object_r:removable_device_t +floppy system_u:object_r:removable_device_t +disk system_u:object_r:fixed_disk_device_t diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.17.15/domains/program/unused/named.te --- nsapolicy/domains/program/unused/named.te 2004-09-14 09:18:10.000000000 -0400 +++ policy-1.17.15/domains/program/unused/named.te 2004-09-14 16:59:49.090149450 -0400 @@ -12,10 +12,10 @@ # type rndc_port_t, port_type; -daemon_domain(named) +daemon_domain(named, `, nscd_shmem_domain') tmp_domain(named) -# for /var/run/ndc used in BIND 8 +# For /var/run/ndc used in BIND 8 file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file) # ndc_t is the domain for the ndc program @@ -23,6 +23,11 @@ role sysadm_r types ndc_t; role system_r types ndc_t; +ifdef(`targeted_policy', ` +dontaudit ndc_t root_t:file { getattr read }; +dontaudit ndc_t unlabeled_t:file { getattr read }; +') + can_exec(named_t, named_exec_t) allow named_t sbin_t:dir search; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.17.15/domains/program/unused/nscd.te --- nsapolicy/domains/program/unused/nscd.te 2004-09-10 16:10:36.000000000 -0400 +++ policy-1.17.15/domains/program/unused/nscd.te 2004-09-14 16:59:24.541807946 -0400 @@ -24,6 +24,7 @@ ifdef(`nscd_all_connect', ` can_unix_connect(domain, nscd_t) allow domain nscd_var_run_t:sock_file rw_file_perms; +allow domain nscd_var_run_t:file r_file_perms; allow domain { var_run_t var_t }:dir search; allow domain nscd_t:nscd { getpwd getgrp gethost }; dontaudit domain nscd_t:nscd { shmempwd shmemgrp shmemhost }; 
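Review bot: `daemon_domain(named, `, nscd_shmem_domain')` attaches the shared-memory nscd attribute to named_t with no comment saying why the socket-only attribute is not enough, even though the same patch gives squid_t the narrower `nscd_client_domain`. Judging from the nscd.te hunk in this patch, the shmem attribute appears to be what unlocks the `shmempwd shmemgrp shmemhost` permissions on nscd_t, so it is the broader of the two grants and deserves a one-line justification such as `# named resolves users/hosts through nscd's shared-memory cache, so the socket-only attribute is not enough`. If a socket lookup would do, `nscd_client_domain` keeps named_t at least privilege.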
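Review bot: The new `ifdef(`targeted_policy', ...)` block silences ndc_t reading files in `root_t` and `unlabeled_t` without recording what ndc is touching, so whatever produces the `unlabeled_t` denials stays invisible once these rules are in. Reads of unlabeled files are exactly the denials an administrator wants to see while relabeling is incomplete; suppressing them is only safe once the access is known to be harmless. Suggest a comment above the block naming the path ndc reads and why the refusal does not matter, and checking whether the `unlabeled_t` case is really a missing file_contexts entry that should be fixed rather than hidden.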
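Review bot: `allow domain nscd_var_run_t:file r_file_perms;` grants every domain read access to every file labeled nscd_var_run_t, while the line below it deliberately keeps `shmempwd shmemgrp shmemhost` on nscd_t closed for the same `domain` attribute. If nscd's shared-memory database files under /var/run/nscd carry that label (the patch does not show their labeling), this blanket read lets any domain map the passwd/group/host cache directly and sidesteps the nscd-level shmem permission the dontaudit is guarding. Because tunable.tun in this same patch turns `nscd_all_connect` on, the grant applies policy-wide. Suggest limiting the rule to the file nscd clients actually need or giving the database files a separate type, plus a comment stating which file this read is for, e.g. `# clients only need to read nscd's socket-side files; the db files must not carry this type`.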
@@ -60,3 +61,7 @@ allow nscd_t shadow_t:file getattr; dontaudit nscd_t sysadm_home_dir_t:dir search; +# +# Handle winbind for samba, Might only be needed for targeted policy +# +dontaudit nscd_t var_run_t:sock_file rw_file_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.17.15/domains/program/unused/ntpd.te --- nsapolicy/domains/program/unused/ntpd.te 2004-09-09 15:36:13.000000000 -0400 +++ policy-1.17.15/domains/program/unused/ntpd.te 2004-09-14 17:01:58.987097221 -0400 @@ -8,7 +8,7 @@ # # Rules for the ntpd_t domain. # -daemon_domain(ntpd) +daemon_domain(ntpd, `, nscd_shmem_domain') type ntp_drift_t, file_type, sysadmfile; type ntp_port_t, port_type; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.17.15/domains/program/unused/portmap.te --- nsapolicy/domains/program/unused/portmap.te 2004-09-09 15:36:13.000000000 -0400 +++ policy-1.17.15/domains/program/unused/portmap.te 2004-09-14 16:59:37.482406411 -0400 @@ -11,7 +11,7 @@ # # Rules for the portmap_t domain. # -daemon_domain(portmap) +daemon_domain(portmap, `, nscd_shmem_domain') can_network(portmap_t) can_ypbind(portmap_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.17.15/domains/program/unused/squid.te --- nsapolicy/domains/program/unused/squid.te 2004-09-09 15:36:13.000000000 -0400 +++ policy-1.17.15/domains/program/unused/squid.te 2004-09-14 16:54:08.434636776 -0400 @@ -13,7 +13,7 @@ can_tcp_connect(squid_t, httpd_t) ') -daemon_domain(squid, `, web_client_domain') +daemon_domain(squid, `, web_client_domain, nscd_client_domain') type squid_conf_t, file_type, sysadmfile; allow { squid_t initrc_t } squid_conf_t:file r_file_perms; 
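Review bot: The comment says this rule `Might only be needed for targeted policy`, but the rule itself is unconditional, unlike the `ifdef(`targeted_policy', ...)` wrapper this patch uses for ndc_t in named.te. The dontaudit is also on the generic `var_run_t:sock_file`, so it hides nscd_t touching any unlabeled socket under /var/run, not just winbindd's; a dedicated type for the winbind socket would keep the rule specific. Suggest either wrapping it in the targeted ifdef or replacing the guess with the confirmed reason, e.g. `# winbindd's socket in /var/run is unlabeled (var_run_t); nscd probes it and the denial is harmless`, and dropping the stray capital in `, Might`.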
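Review bot: `daemon_domain(squid, `, web_client_domain, nscd_client_domain')` gives squid_t the socket-only nscd attribute, whereas named, ntpd and portmap in the same patch receive `nscd_shmem_domain`, and nothing in the patch explains why the two groups differ. Unless the shmem grant is known to be required for those three daemons, the client attribute is the lower-privilege choice and should be the default, with the shmem variant reserved for daemons whose lookup path is shown to use nscd's shared cache. A short comment on each call would make the choice reviewable, e.g. `# socket lookups only; squid does not need nscd's shared-memory cache` here.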
@@ -66,3 +66,4 @@ allow squid_t { bin_t sbin_t }:dir search; dontaudit squid_t { home_root_t security_t devpts_t }:dir getattr; +dontaudit squid_t tty_device_t:chr_file { read write }; diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.17.15/macros/global_macros.te --- nsapolicy/macros/global_macros.te 2004-09-10 16:10:36.000000000 -0400 +++ policy-1.17.15/macros/global_macros.te 2004-09-14 16:54:08.435636665 -0400 @@ -545,6 +545,7 @@ # Create/access any file in a labeled filesystem; allow $1 file_type:dir_file_class_set *; allow $1 sysctl_t:{ dir file } *; +allow $1 proc_mdstat_t:file *; allow $1 device_type:devfile_class_set *; allow $1 mtrr_device_t:file *; diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.17.15/macros/program/mozilla_macros.te --- nsapolicy/macros/program/mozilla_macros.te 2004-09-09 15:36:12.000000000 -0400 +++ policy-1.17.15/macros/program/mozilla_macros.te 2004-09-14 16:54:08.436636554 -0400 @@ -71,6 +71,8 @@ allow $1_lpr_t $1_mozilla_rw_t:file rw_file_perms; ') +dontaudit $1_mozilla_t tmp_t:lnk_file read; + # # This is another place where I sould like to allow system customization. # We need to allow the admin to select whether then want to allow mozilla diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ypbind_macros.te policy-1.17.15/macros/program/ypbind_macros.te --- nsapolicy/macros/program/ypbind_macros.te 2004-09-09 15:36:12.000000000 -0400 +++ policy-1.17.15/macros/program/ypbind_macros.te 2004-09-14 16:54:08.436636554 -0400 
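Review bot: `dontaudit squid_t tty_device_t:chr_file { read write };` hides a daemon touching a terminal device with no note on where the descriptor comes from. The likely cause is an inherited stdin/stdout from the shell that started squid, which is better fixed by the init script closing or redirecting those descriptors than by silencing the denial. Suggest a comment recording the trigger, e.g. `# inherited tty fds when squid is started from an interactive shell; access stays denied, only the noise is dropped`, so a later reader can tell whether the rule is still needed.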
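Review bot: `allow $1 proc_mdstat_t:file *;` grants every file permission on the mdstat proc file, and the macro it sits in starts outside the hunk, so its consumers are not visible here. If those consumers only read RAID status, `r_file_perms` would express the intent; if `*` is deliberate to match the neighbouring sysctl_t and mtrr_device_t lines, a one-line comment should say so. The separate rule is presumably needed because proc_mdstat_t is not covered by the `file_type` grant above it, and that is worth stating: `# proc_mdstat_t is not a file_type, so it needs its own grant here`.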
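Review bot: `dontaudit $1_mozilla_t tmp_t:lnk_file read;` silences the browser following symlinks in /tmp but carries no comment, and a symlink read in a world-writable directory is precisely the denial that exposes a symlink-planting attempt, so a reader needs to know what benign access this masks. The rule does not grant the access, so it is safe as written, but it removes the evidence. Suggest a comment above it naming the symlink Mozilla tries to follow and noting that the access stays denied and only the audit noise is dropped.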
@@ -10,8 +10,8 @@ define(`can_ypbind', ` r_dir_file($1,var_yp_t) can_network($1) +dontaudit $1 reserved_port_t:{ tcp_socket udp_socket } name_bind; allow $1 port_t:{ tcp_socket udp_socket } name_bind; -allow $1 $1:capability { net_bind_service }; ') dnl can_ypbind ') dnl allow_ypbind ') dnl ypbind.te diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.15/tunables/distro.tun --- nsapolicy/tunables/distro.tun 2004-09-09 15:36:11.000000000 -0400 +++ policy-1.17.15/tunables/distro.tun 2004-09-14 16:54:08.437636443 -0400 @@ -5,7 +5,7 @@ # appropriate ifdefs. -dnl define(`distro_redhat') +define(`distro_redhat') dnl define(`distro_suse') diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.15/tunables/tunable.tun --- nsapolicy/tunables/tunable.tun 2004-09-09 15:36:11.000000000 -0400 +++ policy-1.17.15/tunables/tunable.tun 2004-09-14 16:54:08.438636332 -0400 
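Review bot: Dropping `net_bind_service` and adding `dontaudit $1 reserved_port_t:{ tcp_socket udp_socket } name_bind;` means a can_ypbind caller that tries a reserved port is now refused with no AVC message, which makes that failure very hard to diagnose. That is fine if every caller retries on a non-reserved port (the dontaudit reads as a deliberate silencing of that first attempt), but the macro should say so, e.g. `# NIS clients try a reserved port first and fall back to port_t; silence the first attempt`. If any can_ypbind user genuinely needs a reserved port it now breaks silently and needs its own name_bind rule.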
@@ -1,54 +1,51 @@ # Allow all domains to connect to nscd -dnl define(`nscd_all_connect') +define(`nscd_all_connect') # Allow users to control network interfaces (also needs USERCTL=true) dnl define(`user_net_control') # Allow users to execute the mount command -dnl define(`user_can_mount') +define(`user_can_mount') # Allow rpm to run unconfined. -dnl define(`unlimitedRPM') +define(`unlimitedRPM') # Allow privileged utilities like hotplug and insmod to run unconfined. -dnl define(`unlimitedUtils') +define(`unlimitedUtils') # Support NFS home directories -dnl define(`nfs_home_dirs') +define(`nfs_home_dirs') # Allow users to run games -dnl define(`use_games') +define(`use_games') # Allow ypbind to run with NIS -dnl define(`allow_ypbind') +define(`allow_ypbind') # Allow rc scripts to run unconfined, including any daemon # started by an rc script that does not have a domain transition # explicitly defined. -dnl define(`unlimitedRC') +define(`unlimitedRC') # Allow sysadm_t to directly start daemons define(`direct_sysadm_daemon') # Do not audit things that we know to be broken but which # are not security risks -dnl define(`hide_broken_symptoms') +define(`hide_broken_symptoms') # Allow sysadm_t to do almost everything dnl define(`unrestricted_admin') # Allow the read/write/create on any NFS file system -dnl define(`nfs_export_all_rw') - -# Allow users to unrestricted access -dnl define(`unlimitedUsers') +define(`nfs_export_all_rw') # Allow the reading on any NFS file system dnl define(`nfs_export_all_ro') # Allow user_r to reach sysadm_r via su, sudo, or userhelper. # Otherwise, only staff_r can do so. -dnl define(`user_canbe_sysadm') +define(`user_canbe_sysadm') # Allow xinetd to run unconfined, including any services it starts # that do not have a domain transition explicitly defined.
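Review bot: This hunk flips eleven tunables on at once, and by their own comments several of them widen or unconfine privileged paths: `unlimitedRPM`, `unlimitedUtils` and `unlimitedRC` run rpm, hotplug/insmod and any rc-started daemon without a transition unconfined, `nfs_export_all_rw` allows write on any NFS filesystem, `user_canbe_sysadm` lets user_r reach sysadm_r, and `hide_broken_symptoms` removes the audit trail that would show the others misbehaving. Nothing in the file says these are distribution defaults rather than the reference policy's, even though this same patch defines `distro_redhat`. A header comment such as `# Defaults below are the distro_redhat build defaults; strict deployments should re-disable the unlimited* and nfs_export_all_* tunables` would make that explicit. `unlimitedUsers` is removed outright rather than left disabled, so any remaining `ifdef(`unlimitedUsers', ...)` in the tree should be checked for dead references.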