diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.19.12/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2004-12-09 10:26:08.583499181 -0500
+++ policy-1.19.12/domains/program/initrc.te 2004-12-09 11:03:11.335553650 -0500
@@ -12,7 +12,7 @@
 # initrc_exec_t is the type of the init program.
 #
 # do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer;
+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
 ifdef(`sendmail.te', `
 allow system_mail_t initrc_t:fd use;
 allow system_mail_t initrc_t:fifo_file write;
@@ -20,6 +20,7 @@
 role system_r types initrc_t;
 uses_shlib(initrc_t);
+can_network(initrc_t)
 can_ypbind(initrc_t)
 type initrc_exec_t, file_type, sysadmfile, exec_type;
@@ -217,6 +218,9 @@
 allow initrc_t tmpfs_t:chr_file rw_file_perms;
 allow initrc_t tmpfs_t:dir r_dir_perms;
+# Allow initrc domain to set the enforcing flag.
+can_setenforce(initrc_t)
+
 #
 # readahead asks for these
 #
@@ -362,3 +366,4 @@
 # Gentoo integrated run_init+open_init_pty-runscript:
 domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
 ')
+allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.19.12/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te 2004-12-09 10:26:08.603496932 -0500
+++ policy-1.19.12/domains/program/ldconfig.te 2004-12-09 11:05:48.845841826 -0500
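Review bot: `can_network(initrc_t)` in the second hunk grants the rc-script domain the full network macro rather than the client-only variant, and initrc_t is the domain every rc script (and, with unlimitedRC defined, every daemon started without its own transition) runs in, so this is a wide grant; if only outbound access is needed, `can_network_client(initrc_t)` would be the narrower choice. The same widening from can_network_server to can_network is made for portmap_t in portmap.te later in this patch. Whichever macro is kept, a one-line comment naming the script or daemon that produced the denial would keep the rule auditable, e.g. `# rc scripts need network sockets for TODO-name-the-script`. The macro bodies are not visible here, so the exact permission delta is inferred from the macro names.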
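Review bot: `can_setenforce(initrc_t)` in the third hunk lets any rc script flip the enforcing flag, which is effectively the power to put the whole system into permissive mode, and the added comment only restates the rule. It should say why initrc_t needs it and which script is expected to use it, e.g. `# Allow initrc domain to set the enforcing flag; needed by the boot script that applies the configured mode — note every rc script in initrc_t can disable enforcement through this rule.` If that script can run in its own domain, scoping the grant there would keep the rest of initrc_t from carrying this capability.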
@@ -44,3 +44,4 @@
 ')
 allow ldconfig_t proc_t:file read;
+dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.19.12/domains/program/login.te
--- nsapolicy/domains/program/login.te 2004-12-09 10:26:08.614495695 -0500
+++ policy-1.19.12/domains/program/login.te 2004-12-09 11:03:11.336553537 -0500
@@ -183,6 +183,10 @@
 # Allow setting of attributes on power management devices.
 allow local_login_t power_device_t:chr_file { getattr setattr };
+ifdef(`hide_broken_symptoms', `
+dontaudit local_login_t init_t:fd use;
+')
+
 #################################
 #
 # Rules for the remote_login_t domain.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.12/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2004-12-03 14:42:06.000000000 -0500
+++ policy-1.19.12/domains/program/unused/apache.te 2004-12-09 11:09:45.666211688 -0500
@@ -297,8 +297,7 @@
 # This is a bug but it still exists in FC2
 #
 type httpd_runtime_t, file_type, sysadmfile;
-file_type_auto_trans(httpd_t, httpd_log_t, httpd_runtime_t, file)
-allow httpd_sys_script_t httpd_runtime_t:file { getattr append };
+allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append };
 ') dnl distro_redhat
 #
 # Customer reported the following
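Review bot: With `file_type_auto_trans(httpd_t, httpd_log_t, httpd_runtime_t, file)` removed from the apache.te hunk, httpd_t no longer creates its runtime file as httpd_runtime_t, and the surviving rule grants only getattr/append on files that already carry that label; whether that still works depends on how the file comes to be labelled, which the hunk does not show. The comment block above (`# This is a bug but it still exists in FC2`) now describes a rule that is gone and should be updated to say what httpd_runtime_t still covers and that labelling now relies on file contexts rather than a transition. The start of that comment block is outside the hunk.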
@@ -308,11 +307,14 @@
 dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
 ')
-#
-# The following is needed to make squirrelmail work
 type httpd_squirrelmail_t, file_type, sysadmfile;
 create_dir_file(httpd_t, httpd_squirrelmail_t)
 allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
+# File Type of squirrelmail attachments
+type squirrelmail_spool_t, file_type, sysadmfile;
+allow httpd_t var_spool_t:dir { getattr search };
+create_dir_file(httpd_t, squirrelmail_spool_t)
+
 ifdef(`mta.te', `
 dontaudit system_mail_t httpd_log_t:file { append getattr };
 allow system_mail_t httpd_squirrelmail_t:file { append read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.19.12/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2004-12-03 14:42:07.000000000 -0500
+++ policy-1.19.12/domains/program/unused/cups.te 2004-12-09 11:03:11.338553312 -0500
@@ -149,6 +149,7 @@
 allow ptal_t self:fifo_file rw_file_perms;
 allow ptal_t device_t:dir read;
 allow ptal_t printer_device_t:chr_file { ioctl read write };
+allow initrc_t printer_device_t:chr_file getattr;
 allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
 r_dir_file(ptal_t, usbdevfs_t)
 r_dir_file(ptal_t, usbfs_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.19.12/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te 2004-12-02 14:11:41.000000000 -0500
+++ policy-1.19.12/domains/program/unused/dhcpc.te 2004-12-09 11:03:11.359550951 -0500
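Review bot: The explanatory comment for httpd_squirrelmail_t (`# The following is needed to make squirrelmail work`) is dropped, and the new squirrelmail_spool_t gets a one-liner that only names the type; since httpd_t receives create_dir_file on it while no script domain is granted anything, the comment should record that split, e.g. `# squirrelmail attachment spool: written by httpd_t only; httpd_*_script_t domains get no access`. The matching file context for /var/spool/squirrelmail is added in apache.fc in this same patch, so an existing spool directory needs a relabel before these rules apply to it.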
@@ -136,3 +136,4 @@
 allow initrc_t dhcpc_state_t:file { getattr read };
 dontaudit dhcpc_t var_lock_t:dir search;
 dontaudit dhcpc_t selinux_config_t:dir search;
+allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.19.12/domains/program/unused/ipsec.te
--- nsapolicy/domains/program/unused/ipsec.te 2004-12-02 14:11:42.000000000 -0500
+++ policy-1.19.12/domains/program/unused/ipsec.te 2004-12-09 11:03:11.360550839 -0500
@@ -51,7 +51,7 @@
 allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
 rw_dir_create_file(ipsec_mgmt_t, ipsec_key_file_t)
-allow ipsec_t self:key_socket { create write read };
+allow ipsec_t self:key_socket { create write read setopt };
 # for lsof
 allow sysadm_t ipsec_t:key_socket getattr;
@@ -225,3 +225,5 @@
 allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
 allow ipsec_mgmt_t sysctl_net_t:file { getattr read };
 rw_dir_create_file(ipsec_mgmt_t, ipsec_var_run_t)
+rw_dir_create_file(initrc_t, ipsec_var_run_t)
+allow initrc_t ipsec_conf_file_t:file { getattr read ioctl };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kerberos.te policy-1.19.12/domains/program/unused/kerberos.te
--- nsapolicy/domains/program/unused/kerberos.te 2004-12-02 14:11:42.000000000 -0500
+++ policy-1.19.12/domains/program/unused/kerberos.te 2004-12-09 11:03:11.361550726 -0500
@@ -89,4 +89,4 @@
 # Allow user programs to talk to KDC
 allow krb5kdc_t userdomain:udp_socket recvfrom;
 allow userdomain krb5kdc_t:udp_socket recvfrom;
-
+allow initrc_t krb5_conf_t:file ioctl;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.19.12/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te 2004-12-09 10:26:09.150435429 -0500
+++ policy-1.19.12/domains/program/unused/kudzu.te 2004-12-09 11:03:11.362550614 -0500
@@ -16,6 +16,7 @@
 allow kudzu_t ramfs_t:dir search;
 allow kudzu_t ramfs_t:sock_file write;
+allow kudzu_t etc_t:file { getattr read };
 allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
 allow kudzu_t modules_conf_t:file { getattr read };
 allow kudzu_t modules_object_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mailman.te policy-1.19.12/domains/program/unused/mailman.te
--- nsapolicy/domains/program/unused/mailman.te 2004-11-30 05:59:38.000000000 -0500
+++ policy-1.19.12/domains/program/unused/mailman.te 2004-12-09 11:03:11.362550614 -0500
@@ -15,7 +15,7 @@
 role system_r types mailman_$1_t;
 file_type_auto_trans(mailman_$1_t, var_log_t, mailman_log_t, file)
 allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
-rw_dir_create_file(mailman_$1_t, mailman_data_t)
+create_dir_file(mailman_$1_t, mailman_data_t)
 uses_shlib(mailman_$1_t)
 can_exec_any(mailman_$1_t)
 allow mailman_$1_t { proc_t sysctl_t sysctl_kernel_t }:dir search;
@@ -96,6 +96,7 @@
 system_crond_entry(mailman_queue_exec_t, mailman_queue_t)
 allow mailman_queue_t devtty_t:chr_file { read write };
 allow mailman_queue_t self:process { fork signal sigchld };
+allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms;
 # so MTA can access /var/lib/mailman/mail/wrapper
 allow mta_delivery_agent var_lib_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.19.12/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te 2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.12/domains/program/unused/mta.te 2004-12-09 11:03:11.363550501 -0500
@@ -20,7 +20,7 @@
 # "mail user@domain"
 mail_domain(system)
-ifelse(`targeted-policy', `', `
+ifdef(`targeted_policy', `', `
 ifdef(`sendmail.te', `
 # sendmail has an ugly design, the one process parses input from the user and
 # then does system things with it.
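Review bot: Switching `rw_dir_create_file(mailman_$1_t, mailman_data_t)` to `create_dir_file(mailman_$1_t, mailman_data_t)` in the first mailman.te hunk widens what every mailman_$1_t domain may do to the data directories themselves (creating and removing directories rather than only writing into existing ones, judging by the macro names), and the hunk gives no reason. A short comment such as `# mailman creates and removes per-list directories under its data dir` would tell the next reader which program needed it. The macro bodies are not visible here, so the exact permission delta is inferred.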
@@ -75,3 +75,4 @@
 allow system_mail_t { var_t var_spool_t }:dir getattr;
 create_dir_file( system_mail_t, mqueue_spool_t)
 ')
+allow system_mail_t etc_runtime_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.19.12/domains/program/unused/mysqld.te
--- nsapolicy/domains/program/unused/mysqld.te 2004-12-02 14:11:42.000000000 -0500
+++ policy-1.19.12/domains/program/unused/mysqld.te 2004-12-09 11:03:11.364550389 -0500
@@ -35,7 +35,7 @@
 allow initrc_t mysqld_log_t:file { write append setattr ioctl };
-allow mysqld_t self:capability { dac_override setgid setuid };
+allow mysqld_t self:capability { dac_override setgid setuid net_bind_service };
 allow mysqld_t self:process getsched;
 allow mysqld_t proc_t:file { getattr read };
@@ -70,11 +70,6 @@
 can_unix_connect(logrotate_t, mysqld_t)
 ')
-ifdef(`user_db_connect', `
-allow userdomain mysqld_var_run_t:dir search;
-allow userdomain mysqld_var_run_t:sock_file write;
-')
-
 ifdef(`daemontools.te', `
 domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
 allow svc_start_t mysqld_t:process signal;
@@ -87,3 +82,12 @@
 # because Fedora has the sock_file in the database directory
 file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
 ')
+ifdef(`targeted_policy', `', `
+bool allow_user_mysql_connect false;
+
+if (allow_user_mysql_connect) {
+allow userdomain mysqld_var_run_t:dir search;
+allow userdomain mysqld_var_run_t:sock_file write;
+}
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.19.12/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te 2004-12-02 14:11:42.000000000 -0500
+++ policy-1.19.12/domains/program/unused/nscd.te 2004-12-09 11:03:11.364550389 -0500
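Review bot: Adding net_bind_service to mysqld_t's capability set in the first mysqld.te hunk allows binding any reserved port, which mysqld does not need on its conventional port (3306 is above the reserved range); if a deployment really binds a low port, a port type with name_bind is the narrower mechanism, and the capability alone does not grant that anyway. If the capability is kept, the line should carry a comment saying which configuration triggered it, e.g. `# net_bind_service: only needed when mysqld is configured on a port below 1024 — TODO confirm the reporting setup`.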
@@ -67,5 +67,4 @@
 allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
 allow nscd_t tmp_t:dir { search getattr };
 allow nscd_t tmp_t:lnk_file read;
-
-
+allow nscd_t urandom_device_t:chr_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.19.12/domains/program/unused/portmap.te
--- nsapolicy/domains/program/unused/portmap.te 2004-12-02 14:11:42.000000000 -0500
+++ policy-1.19.12/domains/program/unused/portmap.te 2004-12-09 11:03:11.365550277 -0500
@@ -13,7 +13,7 @@
 #
 daemon_domain(portmap, `, nscd_client_domain')
-can_network_server(portmap_t)
+can_network(portmap_t)
 can_ypbind(portmap_t)
 allow portmap_t self:unix_dgram_socket create_socket_perms;
 allow portmap_t self:unix_stream_socket create_stream_socket_perms;
@@ -54,3 +54,14 @@
 allow portmap_t self:capability { net_bind_service setuid setgid };
 allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
+application_domain(portmap_helper)
+domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
+dontaudit portmap_helper_t self:capability { net_admin };
+allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;
+allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
+can_network(portmap_helper_t)
+can_ypbind(portmap_helper_t)
+dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
+allow portmap_helper_t etc_t:file { getattr read };
+dontaudit portmap_helper_t userdomain:fd use;
+allow portmap_helper_t reserved_port_t:udp_socket name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.19.12/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te 2004-12-02 14:11:42.000000000 -0500
+++ policy-1.19.12/domains/program/unused/postgresql.te 2004-12-09 11:03:11.366550164 -0500
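Review bot: `allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;` in the second portmap.te hunk gives the new helper domain read/write on every file carrying the generic var_run_t label, not just the state file the helpers exchange with the rc script; a dedicated type for that file, or initrc_var_run_t alone if that is where the rc script keeps it, would stop the helper from touching other daemons' pid files. The new domain also has no header comment; something like `# portmap_helper_t: pmap_dump/pmap_set run from the rc script to save and restore registrations` (the executables are labelled in portmap.fc in this patch) would explain the initrc_t transition, the reserved_port_t name_bind and the net_admin dontaudit together. Which file the helpers actually write is not visible here.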
@@ -60,13 +60,16 @@
 allow postgresql_t self:shm create_shm_perms;
-ifdef(`user_db_connect', `
+ifdef(`targeted_policy', `', `
+bool allow_user_postgresql_connect false;
+
+if (allow_user_postgresql_connect) {
 # allow any user domain to connect to the database server
 can_tcp_connect(userdomain, postgresql_t)
 allow userdomain postgresql_t:unix_stream_socket connectto;
 allow userdomain postgresql_var_run_t:sock_file write;
+}
 ')
-
 ifdef(`consoletype.te', `
 can_exec(postgresql_t, consoletype_exec_t)
 ')
@@ -85,8 +88,7 @@
 # because postgresql start scripts are broken and put the pid file in the DB
 # directory
-allow initrc_t postgresql_db_t:dir { write remove_name };
-allow initrc_t postgresql_db_t:file rw_file_perms;
+rw_dir_file(initrc_t, postgresql_db_t)
 # read config files
 allow postgresql_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.19.12/domains/program/unused/pppd.te
--- nsapolicy/domains/program/unused/pppd.te 2004-12-02 14:11:42.000000000 -0500
+++ policy-1.19.12/domains/program/unused/pppd.te 2004-12-09 11:03:11.366550164 -0500
@@ -12,6 +12,8 @@
 # pppd_exec_t is the type of the pppd executable.
 # pppd_secret_t is the type of the pap and chap password files
 #
+bool pppd_for_user false;
+
 daemon_domain(pppd, `, privmail')
 type pppd_secret_t, file_type, sysadmfile;
@@ -80,13 +82,12 @@
 # for ~/.ppprc - if it actually exists then you need some policy to read it
 allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
-ifdef(`pppd_for_user', `
-# Run pppd in pppd_t by default for user
-domain_auto_trans(userdomain, pppd_exec_t, pppd_t)
 in_user_role(pppd_t)
-role sysadm_r types pppd_t;
-allow userdomain pppd_t:process signal;
-')
+if (pppd_for_user) {
+# Run pppd in pppd_t by default for user
+domain_auto_trans(unpriv_userdomain, pppd_exec_t, pppd_t)
+allow unpriv_userdomain pppd_t:process signal;
+}
 # for pppoe
 can_create_pty(pppd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.19.12/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te 2004-12-02 14:11:42.000000000 -0500
+++ policy-1.19.12/domains/program/unused/rhgb.te 2004-12-09 11:03:11.367550052 -0500
@@ -39,7 +39,7 @@
 allow rhgb_t self:capability { sys_admin sys_tty_config };
 dontaudit rhgb_t var_run_t:dir search;
-can_network_server(rhgb_t)
+can_network_client(rhgb_t)
 can_ypbind(rhgb_t)
 # for fonts
@@ -91,3 +91,5 @@
 ifdef(`fsadm.te', `
 dontaudit fsadm_t ramfs_t:fifo_file write;
 ')
+allow rhgb_t xdm_xserver_tmp_t:file { getattr read };
+dontaudit rhgb_t default_t:file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.19.12/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te 2004-12-02 14:11:42.000000000 -0500
+++ policy-1.19.12/domains/program/unused/samba.te 2004-12-09 11:03:11.368549939 -0500
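Review bot: The removed `role sysadm_r types pppd_t;` is not re-added anywhere in the pppd.te hunk, so sysadm_r is no longer authorized for pppd_t unless daemon_domain or rules outside this hunk grant it; with the transition now limited to unpriv_userdomain that may be intended, but it should be stated in the commit or in a comment. `in_user_role(pppd_t)` stays outside the `if (pppd_for_user)` block, presumably because role authorizations cannot be made conditional, which means user roles are always authorized for pppd_t even when the boolean is false — a comment such as `# role authorization cannot be conditional; pppd_for_user only gates the transition and signal rules` would stop someone from moving it inside the block later.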
@@ -115,3 +115,5 @@
 ifdef(`cups.te', `
 allow smbd_t cupsd_rw_etc_t:file { getattr read };
 ')
+# Needed for winbindd
+allow smbd_t { samba_var_t smbd_var_run_t }:sock_file create_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slapd.te policy-1.19.12/domains/program/unused/slapd.te
--- nsapolicy/domains/program/unused/slapd.te 2004-10-19 16:03:06.000000000 -0400
+++ policy-1.19.12/domains/program/unused/slapd.te 2004-12-09 11:03:11.368549939 -0500
@@ -59,3 +59,4 @@
 allow slapd_t usr_t:file { read getattr };
 allow slapd_t urandom_device_t:chr_file { getattr read };
+allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.19.12/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te 2004-12-02 14:11:43.000000000 -0500
+++ policy-1.19.12/domains/program/unused/squid.te 2004-12-09 11:03:11.369549827 -0500
@@ -21,6 +21,7 @@
 allow squid_t squid_conf_t:lnk_file read;
 logdir_domain(squid)
+rw_dir_create_file(initrc_t, squid_log_t)
 allow squid_t usr_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/vpnc.te policy-1.19.12/domains/program/unused/vpnc.te
--- nsapolicy/domains/program/unused/vpnc.te 2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.12/domains/program/unused/vpnc.te 2004-12-09 11:03:11.369549827 -0500
@@ -38,3 +38,4 @@
 allow vpnc_t sbin_t:dir search;
 allow vpnc_t bin_t:dir search;
 allow vpnc_t bin_t:lnk_file read;
+r_dir_file(vpnc_t, proc_net_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypbind.te policy-1.19.12/domains/program/unused/ypbind.te
--- nsapolicy/domains/program/unused/ypbind.te 2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.12/domains/program/unused/ypbind.te 2004-12-09 11:03:11.370549714 -0500
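Review bot: The samba.te rule is justified only as `# Needed for winbindd`, and samba.fc in this same patch labels /usr/sbin/winbindd as smbd_exec_t, so winbindd now runs inside smbd_t with the file server's whole privilege set; that sharing decision is worth recording where the rule lives, e.g. `# winbindd runs in smbd_t (see samba.fc); its socket directory /var/run/winbindd is smbd_var_run_t`. If winbindd's sockets live only under /var/run/winbindd, the samba_var_t half of the target set (the /var/spool/samba label per samba.fc) looks unnecessary — hedged, since the socket path is not visible here.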
@@ -39,3 +39,4 @@
 allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
 allow ypbind_t reserved_port_t:tcp_socket name_bind;
 allow ypbind_t reserved_port_t:udp_socket name_bind;
+dontaudit ypbind_t reserved_port_type:udp_socket name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.19.12/file_contexts/program/apache.fc
--- nsapolicy/file_contexts/program/apache.fc 2004-12-09 10:26:09.571388094 -0500
+++ policy-1.19.12/file_contexts/program/apache.fc 2004-12-09 11:13:56.287029708 -0500
@@ -29,16 +29,17 @@
 /var/lib/httpd(/.*)? system_u:object_r:httpd_var_lib_t
 /var/lib/php/session(/.*)? system_u:object_r:httpd_var_run_t
 /etc/apache-ssl(2)?(/.*)? system_u:object_r:httpd_config_t
-/usr/lib/apache-ssl/.+ -- system_u:object_r:httpd_exec_t
+/usr/lib/apache-ssl/.+ -- system_u:object_r:httpd_exec_t
 /usr/sbin/apache-ssl(2)? -- system_u:object_r:httpd_exec_t
 /var/log/apache-ssl(2)?(/.*)? system_u:object_r:httpd_log_t
 /var/run/apache-ssl(2)?\.pid.* -- system_u:object_r:httpd_var_run_t
 /var/run/gcache_port -s system_u:object_r:httpd_var_run_t
 ifdef(`distro_suse', `
 # suse puts shell scripts there :-(
-/usr/share/apache2/[^/]* -- system_u:object_r:bin_t
+/usr/share/apache2/[^/]* -- system_u:object_r:bin_t
 ')
 /var/lib/squirrelmail/prefs(/.*)? system_u:object_r:httpd_squirrelmail_t
+/var/spool/squirrelmail(/.*)? system_u:object_r:squirrelmail_spool_t
 /usr/bin/htsslpass -- system_u:object_r:httpd_helper_exec_t
 /usr/share/htdig(/.*)? system_u:object_r:httpd_sys_content_t
 /var/lib/htdig(/.*)? system_u:object_r:httpd_sys_content_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ipsec.fc policy-1.19.12/file_contexts/program/ipsec.fc
--- nsapolicy/file_contexts/program/ipsec.fc 2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.12/file_contexts/program/ipsec.fc 2004-12-09 11:03:11.371549602 -0500
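Review bot: `dontaudit ypbind_t reserved_port_type:udp_socket name_bind;` silences denials for binding ports that carry other services' port labels, while the allow on the line above covers only reserved_port_t; that is the right shape (suppress the noise, grant nothing), but without a comment it reads like an incomplete allow. Suggest `# ypbind probes for a free reserved port and may land on one labelled for another service; deny quietly` above it — the probing behaviour is inferred from the rule pair, not visible here.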
@@ -3,6 +3,7 @@
 /etc/ipsec\.secrets -- system_u:object_r:ipsec_key_file_t
 /etc/ipsec\.conf -- system_u:object_r:ipsec_conf_file_t
 /etc/ipsec\.d(/.*)? system_u:object_r:ipsec_key_file_t
+/etc/ipsec\.d/examples(/.*)? system_u:object_r:etc_t
 /usr/lib(64)?/ipsec/.* -- system_u:object_r:sbin_t
 /usr/lib(64)?/ipsec/_plutoload -- system_u:object_r:ipsec_mgmt_exec_t
 /usr/lib(64)?/ipsec/_plutorun -- system_u:object_r:ipsec_mgmt_exec_t
@@ -24,6 +25,7 @@
 # Kame
 /usr/sbin/racoon -- system_u:object_r:ipsec_exec_t
 /usr/sbin/setkey -- system_u:object_r:ipsec_exec_t
+/sbin/setkey -- system_u:object_r:ipsec_exec_t
 /etc/racoon(/.*)? system_u:object_r:ipsec_conf_file_t
 /etc/racoon/certs(/.*)? system_u:object_r:ipsec_key_file_t
 /etc/racoon/psk\.txt -- system_u:object_r:ipsec_key_file_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/portmap.fc policy-1.19.12/file_contexts/program/portmap.fc
--- nsapolicy/file_contexts/program/portmap.fc 2003-11-26 13:01:08.000000000 -0500
+++ policy-1.19.12/file_contexts/program/portmap.fc 2004-12-09 11:03:11.371549602 -0500
@@ -1,3 +1,4 @@
 # portmap
 /sbin/portmap -- system_u:object_r:portmap_exec_t
-/sbin/pmap_dump -- system_u:object_r:portmap_exec_t
+/usr/sbin/pmap_dump -- system_u:object_r:portmap_helper_exec_t
+/usr/sbin/pmap_set -- system_u:object_r:portmap_helper_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/samba.fc policy-1.19.12/file_contexts/program/samba.fc
--- nsapolicy/file_contexts/program/samba.fc 2004-06-16 13:33:37.000000000 -0400
+++ policy-1.19.12/file_contexts/program/samba.fc 2004-12-09 11:03:11.372549490 -0500
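Review bot: `/etc/ipsec\.d/examples(/.*)? system_u:object_r:etc_t` deliberately carves the examples subtree out of ipsec_key_file_t, so anything placed there becomes readable by every domain that can read etc_t; that is reasonable for shipped samples, but the entry should say so, e.g. `# shipped examples only — never store real certificates or secrets here`, because the preceding `/etc/ipsec\.d(/.*)?` line makes the rest of the directory look like key material. The more specific entry wins by file_contexts matching, so the override itself is fine.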
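Review bot: The old `/sbin/pmap_dump` entry in the portmap.fc hunk is dropped instead of kept alongside the new /usr/sbin paths, so on a system where the binary still lives in /sbin it would fall back to the generic /sbin label and run in the caller's domain (initrc_t, per the domain_auto_trans in portmap.te) rather than portmap_helper_t, quietly bypassing the new domain. Unless /sbin/pmap_dump is known to be gone on every supported distribution, `/(usr/)?sbin/pmap_dump -- system_u:object_r:portmap_helper_exec_t` and `/(usr/)?sbin/pmap_set -- system_u:object_r:portmap_helper_exec_t` cover both locations.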
@@ -19,3 +19,5 @@
 /var/run/samba/smbd\.pid -- system_u:object_r:smbd_var_run_t
 /var/run/samba/nmbd\.pid -- system_u:object_r:nmbd_var_run_t
 /var/spool/samba(/.*)? system_u:object_r:samba_var_t
+/usr/sbin/winbindd -- system_u:object_r:smbd_exec_t
+/var/run/winbindd(/.*)? system_u:object_r:smbd_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.19.12/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc 2004-12-03 14:42:07.000000000 -0500
+++ policy-1.19.12/file_contexts/types.fc 2004-12-09 11:03:11.373549377 -0500
@@ -278,7 +278,7 @@
 /etc/shadow.* -- system_u:object_r:shadow_t
 /etc/gshadow.* -- system_u:object_r:shadow_t
 /var/db/shadow.* -- system_u:object_r:shadow_t
-/etc/blkid\.tab -- system_u:object_r:etc_runtime_t
+/etc/blkid\.tab.* -- system_u:object_r:etc_runtime_t
 /etc/fstab\.REVOKE -- system_u:object_r:etc_runtime_t
 /etc/HOSTNAME -- system_u:object_r:etc_runtime_t
 /etc/ioctl\.save -- system_u:object_r:etc_runtime_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.19.12/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te 2004-11-29 10:24:17.000000000 -0500
+++ policy-1.19.12/macros/program/apache_macros.te 2004-12-09 11:03:11.375549152 -0500
@@ -41,9 +41,9 @@
 read_locale(httpd_$1_script_t)
 allow httpd_$1_script_t fs_t:filesystem getattr;
 allow httpd_$1_script_t self:unix_stream_socket create_socket_perms;
-allow httpd_$1_script_t proc_t:file { getattr read };
 allow httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+allow httpd_$1_script_t { self proc_t }:file { getattr read };
 allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
 allow httpd_$1_script_t { self proc_t }:lnk_file read;
@@ -92,6 +92,7 @@
 #########################################################################
 can_exec_any(httpd_$1_script_t)
 allow httpd_$1_script_t etc_t:file { getattr read };
+dontaudit httpd_$1_script_t selinux_config_t:dir search;
 ############################################################################
 # Allow the script process to search the cgi directory, and users directory
@@ -183,4 +184,7 @@
 #########################################
 allow httpd_$1_script_t httpd_log_t:file { getattr append };
+# apache should set close-on-exec
+dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/inetd_macros.te policy-1.19.12/macros/program/inetd_macros.te
--- nsapolicy/macros/program/inetd_macros.te 2004-12-02 14:11:43.000000000 -0500
+++ policy-1.19.12/macros/program/inetd_macros.te 2004-12-09 11:03:11.376549040 -0500
@@ -61,4 +61,5 @@
 allow inetd_t $1_port_t:udp_socket name_bind;
 allow $1_t inetd_t:udp_socket rw_socket_perms;
 ')
+r_dir_file($1_t, proc_net_t)
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.19.12/macros/program/mta_macros.te
--- nsapolicy/macros/program/mta_macros.te 2004-12-02 14:11:43.000000000 -0500
+++ policy-1.19.12/macros/program/mta_macros.te 2004-12-09 11:03:11.378548815 -0500
@@ -34,6 +34,7 @@
 uses_shlib($1_mail_t)
 can_network_client_tcp($1_mail_t)
+can_resolve($1_mail_t)
 can_ypbind($1_mail_t)
 allow $1_mail_t self:unix_dgram_socket create_socket_perms;
 allow $1_mail_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.19.12/macros/user_macros.te
--- nsapolicy/macros/user_macros.te 2004-12-09 10:26:10.334302305 -0500
+++ policy-1.19.12/macros/user_macros.te 2004-12-09 11:03:11.384548140 -0500
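Review bot: `dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };` in the second apache_macros.te hunk has no effect, because the same source, target, class and permissions are already granted by the `allow httpd_$1_script_t httpd_t:unix_stream_socket { read write };` line that the first hunk of this file keeps as context, and dontaudit only applies to permissions that are denied. The comment `# apache should set close-on-exec` suggests the intent is to stop scripts from inheriting the server's socket, in which case the allow should be removed and the dontaudit kept; if the access is genuinely needed, the dontaudit and its comment should go instead, since as written the two rules contradict each other. The enclosing macro body continues outside the hunk.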
@@ -134,6 +140,7 @@
 attribute $1_file_type;
 # Grant read/search permissions to some of /proc.
 r_dir_file($1_t, proc_t)
+r_dir_file($1_t, proc_net_t)
 base_file_read_access($1_t)
@@ -215,27 +222,11 @@
 dontaudit $1_t init_t:fd use;
 dontaudit $1_t initrc_t:fd use;
 allow $1_t initrc_t:fifo_file write;
-ifdef(`user_can_mount', `
-#
-# Allow users to mount file systems like floppies and cdrom
-#
-mount_domain($1, $1_mount, `, fs_domain')
-r_dir_file($1_t, mnt_t)
-allow $1_mount_t device_t:lnk_file read;
-allow $1_mount_t removable_device_t:blk_file read;
-allow $1_mount_t iso9660_t:filesystem relabelfrom;
-allow $1_mount_t removable_t:filesystem { mount relabelto };
-allow $1_mount_t removable_t:dir mounton;
-ifdef(`xdm.te', `
-allow $1_mount_t xdm_t:fd use;
-allow $1_mount_t xdm_t:fifo_file { read write };
-')
-')
 #
 # Rules used to associate a homedir as a mountpoint
 #
-allow $1_home_t self:filesystem associate;
+allow $1_home_t $1_home_t:filesystem associate;
 allow $1_file_type $1_home_t:filesystem associate;
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.19.12/net_contexts
--- nsapolicy/net_contexts 2004-12-02 14:11:41.000000000 -0500
+++ policy-1.19.12/net_contexts 2004-12-09 11:03:11.385548028 -0500
@@ -115,6 +115,8 @@
 ')
 portcon tcp 88 system_u:object_r:kerberos_port_t
 portcon udp 88 system_u:object_r:kerberos_port_t
+portcon tcp 464 system_u:object_r:kerberos_admin_port_t
+portcon udp 464 system_u:object_r:kerberos_admin_port_t
 portcon tcp 749 system_u:object_r:kerberos_admin_port_t
 portcon tcp 750 system_u:object_r:kerberos_port_t
 portcon udp 750 system_u:object_r:kerberos_port_t
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.12/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2004-08-20 13:57:29.000000000 -0400
+++ policy-1.19.12/tunables/distro.tun 2004-12-09 11:03:11.385548028 -0500
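Review bot: `r_dir_file($1_t, proc_net_t)` in the first user_macros.te hunk gives every user domain read access to all of /proc/net (routing, ARP and socket tables), and the same grant is added for inetd-spawned services in inetd_macros.te and for vpnc_t earlier in this patch; that is a modest information-disclosure widening which the existing comment `# Grant read/search permissions to some of /proc.` no longer describes. Extending it, e.g. `# /proc/net is readable too (netstat, route and friends); this exposes socket and routing tables to every user domain`, records the trade-off for whoever tightens the policy later.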
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
-dnl define(`distro_redhat')
+define(`distro_redhat')
 dnl define(`distro_suse')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.12/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.12/tunables/tunable.tun 2004-12-09 11:17:03.670958633 -0500
@@ -1,29 +1,31 @@
-# Allow users to execute the mount command
-dnl define(`user_can_mount')
-
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
 dnl define(`unlimitedInetd')
+# for ndc_t to be used for restart shell scripts
+dnl define(`ndc_shell_script')
+
+# To allow staff and user to share the same homedirectory file labels
+dnl define(`single_user_file_type')
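Review bot: Defining unlimitedRPM, unlimitedUtils and unlimitedRC by default in the tunable.tun hunk switches confinement off for rpm, hotplug/insmod and every rc script — and, per the comment kept in the hunk, for any daemon an rc script starts without an explicit transition — while hide_broken_symptoms additionally suppresses audit records for known breakage; together with `can_setenforce(initrc_t)` and `can_network(initrc_t)` added to initrc.te in this same patch, initrc_t becomes close to unconfined in the shipped default. If these are the distribution's intended defaults (distro.tun enables distro_redhat in the hunk just above), the top of tunable.tun should say so and tell a hardening reader what to revert, e.g. `# NOTE: the unlimited* and hide_broken_symptoms tunables below are enabled for the distribution build; comment them out (dnl) for a strict policy`. The user_can_mount entry is removed here together with its block in user_macros.te, which is consistent.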