diff --exclude-from=exclude -N -u -r nsapolicy/domains/admin.te policy-1.21.3/domains/admin.te
--- nsapolicy/domains/admin.te 2005-01-20 15:55:00.000000000 -0500
+++ policy-1.21.3/domains/admin.te 2005-01-25 08:53:09.000000000 -0500
@@ -7,7 +7,7 @@
 ifdef(`direct_sysadm_daemon', `, priv_system_role')
 ; dnl end of sysadm_t type declaration
-allow privhome home_root_t:dir search;
+allow privhome home_root_t:dir { getattr search };
 # system_r is authorized for sysadm_t for single-user mode.
 role system_r types sysadm_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.21.3/domains/program/login.te
--- nsapolicy/domains/program/login.te 2005-01-24 12:08:36.000000000 -0500
+++ policy-1.21.3/domains/program/login.te 2005-01-25 08:53:09.000000000 -0500
@@ -130,6 +130,11 @@
 allow $1_login_t mouse_device_t:chr_file { getattr setattr };
+ifdef(`targeted_policy',`
+unconfined_domain($1_login_t)
+domain_auto_trans($1_login_t, shell_exec_t, unconfined_t)
+')
+
 ')dnl end login_domain macro
 #################################
 #
@@ -212,5 +217,18 @@
 # Relabel ptys created by rlogind.
 allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
 ')
+
+# Use the pty created by telnetd.
+ifdef(`telnetd.te', `
+allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms };
+
+# Relabel ptys created by telnetd.
+allow remote_login_t telnetd_devpts_t:chr_file { relabelfrom relabelto };
+')
+
 allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
 allow remote_login_t fs_t:filesystem { getattr };
+
+# Allow remote login to resolve host names (passed in via the -h switch)
+can_resolve(remote_login_t)
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.21.3/domains/program/mount.te
--- nsapolicy/domains/program/mount.te 2005-01-24 16:57:04.000000000 -0500
+++ policy-1.21.3/domains/program/mount.te 2005-01-25 08:53:09.000000000 -0500
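Review bot: The targeted_policy block added at the end of the login_domain macro in domains/program/login.te carries no comment, although it decides what every login shell runs as. Going by the macro names, `unconfined_domain($1_login_t)` removes the confinement that the rules earlier in the macro build up, and `domain_auto_trans($1_login_t, shell_exec_t, unconfined_t)` places each shell started by login into unconfined_t. A comment such as `# Targeted policy: login and the shells it starts are deliberately unconfined; only the targeted daemons stay confined.` would make that intent reviewable. The macro body begins above the hunk, so the rules this block overrides are not visible here.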
@@ -49,6 +49,7 @@
 allow mount_t devpts_t:dir mounton;
 allow mount_t usbdevfs_t:dir mounton;
 allow mount_t sysfs_t:dir mounton;
+allow mount_t binfmt_misc_fs_t:dir mounton;
 allow mount_t nfs_t:dir mounton;
 allow mount_t nfs_t:dir search;
 # nfsv4 has a filesystem to mount for its userspace daemons
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.21.3/domains/program/restorecon.te
--- nsapolicy/domains/program/restorecon.te 2005-01-20 15:55:01.000000000 -0500
+++ policy-1.21.3/domains/program/restorecon.te 2005-01-25 08:53:09.000000000 -0500
@@ -59,6 +59,5 @@
 allow restorecon_t kernel_t:fd use;
 allow restorecon_t kernel_t:fifo_file { read write };
 allow restorecon_t kernel_t:unix_dgram_socket { read write };
-r_dir_file(restorecon_t, selinux_config_t)
-r_dir_file(restorecon_t, file_context_t)
+r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/setfiles.te policy-1.21.3/domains/program/setfiles.te
--- nsapolicy/domains/program/setfiles.te 2005-01-20 15:55:02.000000000 -0500
+++ policy-1.21.3/domains/program/setfiles.te 2005-01-25 08:53:09.000000000 -0500
@@ -36,7 +36,7 @@
 # Get security policy decisions.
 can_getsecurity(setfiles_t)
-r_dir_file(setfiles_t, { policy_src_t policy_config_t file_context_t selinux_config_t })
+r_dir_file(setfiles_t, { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t })
 allow setfiles_t file_type:dir r_dir_perms;
 allow setfiles_t { file_type unlabeled_t device_type }:dir_file_class_set { getattr relabelfrom };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.21.3/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te 2005-01-24 12:08:36.000000000 -0500
+++ policy-1.21.3/domains/program/unused/postgresql.te 2005-01-25 08:53:09.000000000 -0500
@@ -105,8 +105,8 @@
 allow postgresql_t devpts_t:dir search;
 allow postgresql_t { bin_t sbin_t }:dir search;
-allow postgresql_t { bin_t sbin_t }:lnk_file read;
-allow postgresql_t postgresql_exec_t:lnk_file read;
+allow postgresql_t { bin_t sbin_t }:lnk_file { getattr read };
+allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
 allow postgresql_t self:sem create_sem_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.21.3/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te 2005-01-24 16:57:05.000000000 -0500
+++ policy-1.21.3/domains/program/unused/samba.te 2005-01-25 08:53:09.000000000 -0500
@@ -120,10 +120,3 @@
 # Support Samba sharing of home directories
 bool samba_enable_home_dirs false;
-if ( samba_enable_home_dirs ) {
-allow smbd_t home_root_t:dir { getattr search };
-allow smbd_t home_dir_type:dir { getattr search };
-allow smbd_t home_type:dir create_dir_perms;
-dontaudit smbd_t home_type:{ sock_file fifo_file chr_file blk_file } r_file_perms;
-}
-
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.21.3/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc 2005-01-20 15:55:14.000000000 -0500
+++ policy-1.21.3/file_contexts/distros.fc 2005-01-25 08:53:09.000000000 -0500
@@ -10,6 +10,7 @@
 /usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t
 /usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t
 /usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t
+/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t
 /usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t
 /usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t
 /usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/udev.fc policy-1.21.3/file_contexts/program/udev.fc
--- nsapolicy/file_contexts/program/udev.fc 2005-01-20 15:55:20.000000000 -0500
+++ policy-1.21.3/file_contexts/program/udev.fc 2005-01-25 08:53:09.000000000 -0500
@@ -8,5 +8,5 @@
 /etc/udev/scripts/.+ -- system_u:object_r:udev_helper_exec_t
 /etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
 /dev/udev\.tbl -- system_u:object_r:udev_tbl_t
-/dev/\.udev\.tdb -- system_u:object_r:udev_tdb_t
+/dev/\.udev\.tdb(/.*)? -- system_u:object_r:udev_tdb_t
 /sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.21.3/macros/program/gpg_macros.te
--- nsapolicy/macros/program/gpg_macros.te 2005-01-24 16:57:05.000000000 -0500
+++ policy-1.21.3/macros/program/gpg_macros.te 2005-01-25 08:54:05.000000000 -0500
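Review bot: The entry added to file_contexts/distros.fc leaves the dot before `py` unescaped, while its neighbours write `system-logviewer\.py` and `system-config-date\.py`. File-context paths are regular expressions, so the bare dot matches any character and the entry would also label a differently named file in that directory as bin_t. Write it as `/usr/share/system-config-lvm/system-config-lvm\.py`.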
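Review bot: The new pattern `/dev/\.udev\.tdb(/.*)?` in file_contexts/program/udev.fc looks meant to cover .udev.tdb as a directory together with its contents, but the entry keeps the `--` file-type field, which limits the match to regular files. With `--` in place the directory itself, and any subdirectory, would not receive udev_tdb_t and would keep whatever label it inherits from /dev. If the directory case is the intent, drop the `--` field or add a second entry with `-d` for the directory.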
@@ -23,10 +23,7 @@
 # Transition from the user domain to the derived domain.
 domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
-#
-# Is this Ok?
-#
-allow $1_gpg_t gpg_exec_t:file execmod;
+
 can_network($1_gpg_t)
 can_ypbind($1_gpg_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.21.3/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te 2005-01-24 12:08:37.000000000 -0500
+++ policy-1.21.3/macros/program/mozilla_macros.te 2005-01-25 08:53:09.000000000 -0500
@@ -25,7 +25,7 @@
 allow $1_mozilla_t $1_t:process signull;
 # Set resource limits and scheduling info.
-allow $1_mozilla_t self:process { setrlimit setsched };
+allow $1_mozilla_t self:process { execmem setrlimit setsched };
 allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
 allow $1_mozilla_t var_lib_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.21.3/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te 2005-01-20 15:55:26.000000000 -0500
+++ policy-1.21.3/macros/program/x_client_macros.te 2005-01-25 08:53:09.000000000 -0500
@@ -144,6 +144,7 @@
 ')
 # Access the terminal.
+allow $1_$2_t devpts_t:dir search;
 allow $1_$2_t $1_tty_device_t:chr_file rw_file_perms;
 allow $1_$2_t $1_devpts_t:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.21.3/targeted/domains/program/crond.te
--- nsapolicy/targeted/domains/program/crond.te 2005-01-24 16:57:06.000000000 -0500
+++ policy-1.21.3/targeted/domains/program/crond.te 2005-01-25 13:54:41.000000000 -0500
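Review bot: In macros/program/mozilla_macros.te `execmem` is folded into the self:process rule under the existing comment `# Set resource limits and scheduling info.`, which does not describe it. execmem lets the browser domain map memory that is both writable and executable, which weakens a protection against injected code in a process that handles untrusted web content, so the grant should be visible and justified on its own. I would split it out as `allow $1_mozilla_t self:process execmem;` with a comment naming what requires it, and consider making it conditional if only some builds or plugins need it.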
@@ -19,5 +19,10 @@
 type sysadm_cron_spool_t, file_type, sysadmfile;
 type crond_log_t, file_type, sysadmfile;
 type crond_var_run_t, file_type, sysadmfile;
-domain_auto_trans(initrc_t, crond_exec_t, crond_t)
-domain_auto_trans(initrc_t, anacron_exec_t, crond_t)
+domain_auto_trans(initrc_t, crond_exec_t, system_crond_t)
+domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
+unconfined_domain(system_crond_t)
+# Access log files
+file_type_auto_trans(system_crond_t, var_log_t, crond_log_t, file)
+file_type_auto_trans(system_crond_t, user_home_dir_t, user_home_t)
+file_type_auto_trans(system_crond_t, tmp_t, system_crond_tmp_t)
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.21.3/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te 2005-01-24 16:57:06.000000000 -0500
+++ policy-1.21.3/targeted/domains/unconfined.te 2005-01-25 08:53:09.000000000 -0500
@@ -4,7 +4,7 @@
 # is not explicitly confined. It has no restrictions.
 # It needs to be carefully protected from the confined domains.
-type unconfined_t, domain, privuser, privrole, privowner, admin, auth_write, fs_domain, privmem;
+type unconfined_t, domain, privuser, privhome, privrole, privowner, admin, auth_write, fs_domain, privmem;
 role system_r types unconfined_t;
 role user_r types unconfined_t;
 role sysadm_r types unconfined_t;
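Review bot: The rules added to targeted/domains/program/crond.te use system_crond_t and system_crond_tmp_t, but the only type declarations visible in the hunk's context are sysadm_cron_spool_t, crond_log_t and crond_var_run_t. The file starts above the hunk, so both types may be declared there or by a macro, but that is worth confirming because an undeclared type stops the policy from compiling. The comment `# Access log files` also sits over three file_type_auto_trans lines of which only the first concerns logs; the other two deserve their own comment, e.g. `# Label files created under user home directories and tmp_t`. Because `unconfined_domain(system_crond_t)` precedes them, a one-line comment stating that cron is intentionally unconfined under the targeted policy would help as well.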
@@ -23,7 +23,8 @@
 type user_home_t, file_type, sysadmfile, home_type;
 type user_home_dir_t, file_type, sysadmfile, home_dir_type;
 file_type_auto_trans(unconfined_t, home_root_t, user_home_dir_t, dir)
-file_type_auto_trans(unconfined_t, user_home_dir_t, user_home_t)
+allow privhome home_root_t:dir { getattr search };
+file_type_auto_trans(privhome, user_home_dir_t, user_home_t)
 define(`user_typealias', `
 ifelse($1,`user',`',`
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.21.3/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2004-08-20 13:57:29.000000000 -0400
+++ policy-1.21.3/tunables/distro.tun 2005-01-25 08:53:09.000000000 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
-dnl define(`distro_redhat')
+define(`distro_redhat')
 dnl define(`distro_suse')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.21.3/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2005-01-20 15:55:28.000000000 -0500
+++ policy-1.21.3/tunables/tunable.tun 2005-01-25 08:53:09.000000000 -0500
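Review bot: The second hunk of targeted/domains/unconfined.te changes the source of `file_type_auto_trans(…, user_home_dir_t, user_home_t)` from unconfined_t to the privhome attribute, so every domain that carries privhome, now or later, gains whatever create access in user home directories the macro grants. If that widening is intended, say so in a comment above the line, for example `# Every privhome domain may create user_home_t files in home directories`; if only unconfined_t needs it, keep the original source type, since the first hunk already adds privhome to unconfined_t. The added `allow privhome home_root_t:dir { getattr search };` repeats the rule this patch edits in domains/admin.te, so it is worth checking whether both files are built into the targeted policy.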
@@ -1,27 +1,24 @@
-# Allow users to execute the mount command
-dnl define(`user_can_mount')
-
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
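Review bot: Five tunables in tunables/tunable.tun go from commented-out to defined in this hunk (unlimitedRPM, unlimitedUtils, unlimitedRC, hide_broken_symptoms, user_canbe_sysadm), and nothing in the file records why the defaults changed. By their own descriptions two of them shift the security posture more than the rest: user_canbe_sysadm lets user_r reach sysadm_r, and hide_broken_symptoms suppresses audit messages, which removes denials an administrator could otherwise use to notice a misbehaving domain. I would add a header comment such as `# The settings below are this build's defaults; the base policy ships them disabled.` and leave hide_broken_symptoms off unless the suppressed denials are documented somewhere. The user_can_mount option is deleted rather than left disabled, so any policy file that still tests it will silently take the disabled branch.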