diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.2.7/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-01-13 09:48:26.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/admin/rpm.fc 2006-01-26 17:01:26.000000000 -0500
@@ -16,6 +16,8 @@
 /usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
 /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.2.7/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2006-01-04 17:28:52.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/admin/rpm.if 2006-01-26 17:01:26.000000000 -0500
@@ -71,6 +71,7 @@
 rpm_domtrans($1)
 role $2 types rpm_t;
 role $2 types rpm_script_t;
+ seutil_run_loadpol(rpm_script_t,$2,$3)
 allow rpm_t $3:chr_file rw_term_perms;
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.2.7/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2006-01-17 17:08:52.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/admin/rpm.te 2006-01-26 17:01:26.000000000 -0500
@@ -288,6 +288,7 @@
 term_getattr_unallocated_ttys(rpm_script_t)
 term_list_ptys(rpm_script_t)
+term_use_all_terms(rpm_script_t)
 auth_dontaudit_getattr_shadow(rpm_script_t)
 # ideally we would not need this
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.7/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te 2006-01-19 18:02:04.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/apps/mono.te 2006-01-26 17:01:26.000000000 -0500
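Review bot: `seutil_run_loadpol(rpm_script_t,$2,$3)` in the rpm.if hunk gives every role passed to rpm_run a path into the policy-loading domain through package scriptlets, and the interface summary (outside this hunk) presumably still describes rpm_run without that; it should state that `$2` gains load_policy via rpm_script_t. This also interacts with the userdomain.te hunks in the same patch, which move `seutil_run_loadpol` from sysadm_r to secadm_r in MLS builds: if rpm_run is still called for sysadm_r there, sysadm_r keeps an indirect route to load_policy and the separation is only partial. Either document that as accepted or gate the new line on the same `enable_mls` condition.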
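Review bot: `term_use_all_terms(rpm_script_t)` in the rpm.te hunk grants scriptlets read/write on every terminal type, whereas the rpm.if hunk in this patch gives rpm_t only the invoking terminal (`allow rpm_t $3:chr_file rw_term_perms;`). If the goal is that scriptlets can write to the terminal rpm was started from, extending that targeted grant to rpm_script_t inside rpm_run is the smaller change, e.g. `allow rpm_script_t $3:chr_file rw_term_perms;`; if it is to silence denials from scriptlets probing other ttys, a dontaudit would do. A comment above the line should say which case applies. The rpm_script_t rule block continues outside the hunk.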
@@ -18,7 +18,7 @@
 #
 ifdef(`targeted_policy',`
- allow mono_t self:process execheap;
+ allow mono_t self:process { execheap execmem };
 unconfined_domain_template(mono_t)
 role system_r types mono_t;
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.2.7/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2006-01-25 15:58:58.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/kernel/files.fc 2006-01-26 17:01:26.000000000 -0500
@@ -126,6 +126,11 @@
 /mnt/[^/]*/.* <>
 #
+# /net
+#
+/net -d gen_context(system_u:object_r:mnt_t,s0)
+
+#
 # /opt
 #
 /opt(/.*)? gen_context(system_u:object_r:usr_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.7/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-01-25 15:58:59.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/kernel/files.if 2006-01-26 17:01:26.000000000 -0500
@@ -321,7 +321,7 @@
 attribute file_type, security_file_type;
 ')
- dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
+ allow $1 { file_type -security_file_type }:dir r_dir_perms;
 ')
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.2.7/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2006-01-25 15:58:59.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/kernel/filesystem.if 2006-01-26 17:01:26.000000000 -0500
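Review bot: The mono.te hunk grants `{ execheap execmem }` to mono_t unconditionally inside the targeted_policy branch, while the unconfined.if hunk in this same patch (which appears to belong to the template mono_t calls two lines later) gates `execstack` on the `allow_execmem && allow_execstack` tunables; the effect is that an administrator who switches `allow_execmem` off still has a JIT domain holding both permissions. If mono genuinely needs them regardless of the boolean, a one-line comment should say so, e.g. `# the mono JIT needs executable heap/anonymous memory even with allow_execmem off`; otherwise the rule belongs under the same tunable_policy.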
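Review bot: Changing `dontaudit` to `allow` on `{ file_type -security_file_type }:dir r_dir_perms` in the files.if hunk turns a noise-suppression interface into a grant of read/search on every non-security directory type for every existing caller, and the interface header (outside the hunk) almost certainly still names and describes it as a dontaudit. Either rename and re-document the interface and restore a separate dontaudit variant for callers that only wanted silence, or audit each caller to confirm it is meant to receive the new access. A summary such as `## Read all directories other than security-sensitive ones` would at least keep the documentation truthful.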
@@ -2855,3 +2855,22 @@
 # and its files.
 allow $1 filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
 ')
+
+
+########################################
+##
+## Search inotifyfs_t filesystem
+##
+##
+## The type of the domain performing this action.
+##
+#
+interface(`fs_search_inotifyfs',`
+ gen_require(`
+ type inotifyfs_t;
+ class dir search_dir_perms;
+ ')
+
+ allow $1 inotifyfs_t:dir search_dir_perms;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.7/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te 2006-01-17 17:08:52.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/kernel/mls.te 2006-01-26 17:01:26.000000000 -0500
@@ -86,7 +86,8 @@
 ')
 ifdef(`enable_mls',`
-# run init with maximum MLS range
 range_transition kernel_t init_exec_t s0 - s15:c0.c255;
+range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
 range_transition initrc_t auditd_exec_t s15:c0.c255;
+range_transition sysadm_t rpm_exec_t s0 - s15:c0.c255;
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-2.2.7/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2006-01-09 11:32:53.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/kernel/storage.fc 2006-01-26 17:01:26.000000000 -0500
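Review bot: The mls.te hunk removes the `# run init with maximum MLS range` comment and adds two more full-range transitions without explaining any of them, so the block now carries three undocumented exemptions from MLS confinement; `range_transition sysadm_t rpm_exec_t s0 - s15:c0.c255;` in particular means package installation started by sysadm_t runs across the whole range, and the rpm.if hunk in this patch additionally routes rpm_script_t to load_policy. A comment per transition would record the decision, e.g. `# init and lvm must handle objects at every level` and `# rpm run by sysadm spans the full range so installed files get their configured levels`. Worth confirming the sysadm_t transition is intended, since the userdomain.te hunks move policy-loading to secadm_t in MLS builds.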
@@ -12,6 +12,7 @@
 /dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
 /dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
 /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
 /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.7/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2006-01-17 17:08:53.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/services/cups.te 2006-01-26 17:01:26.000000000 -0500
@@ -148,6 +148,7 @@
 fs_search_auto_mountpoints(cupsd_t)
 term_dontaudit_use_console(cupsd_t)
+term_write_unallocated_ttys(cupsd_t)
 auth_domtrans_chk_passwd(cupsd_t)
 auth_dontaudit_read_pam_pid(cupsd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.7/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2006-01-19 10:00:41.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/services/hal.te 2006-01-26 17:01:26.000000000 -0500
@@ -116,6 +116,8 @@
 init_use_fd(hald_t)
 init_use_script_pty(hald_t)
 init_domtrans_script(hald_t)
+init_write_initctl(hald_t)
+init_read_utmp(hald_t)
 libs_use_ld_so(hald_t)
 libs_use_shared_libs(hald_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.2.7/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2006-01-25 15:59:01.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/system/locallogin.te 2006-01-26 17:01:26.000000000 -0500
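Review bot: `/dev/xvd[^/]*` in the storage.fc hunk is inserted between `/dev/dm-[0-9]+` and `/dev/fd[^/]+`, breaking the alphabetical order the surrounding entries follow (cm20, dasd, dm-, fd, flash, gscd); move the line to its sorted position so the next addition does not have to guess where entries go. The label itself, `fixed_disk_device_t` at s15:c0.c255, matches the dasd and dm- entries, so no change there.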
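Review bot: `term_write_unallocated_ttys(cupsd_t)` in the cups.te hunk sits directly under `term_dontaudit_use_console(cupsd_t)`, which suggests it was added in response to a denial rather than a known requirement; if cupsd only attempts the write when it has no controlling terminal (error output at startup, say), a dontaudit keeps the log quiet without giving the print spooler write access to login terminals. If the write is genuinely needed, a comment naming the code path that needs it would stop a later reviewer from reverting it.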
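Review bot: `init_write_initctl(hald_t)` in the hal.te hunk lets hald issue commands to init through the initctl fifo — runlevel changes, shutdown and reboot — which is considerably more power than the `init_domtrans_script` rule it sits beside, and the hunk gives no reason. A comment naming the feature that needs it (presumably power-management shutdown/reboot requests reaching init — to be confirmed) would let a later reviewer judge whether to keep it, e.g. `# hal relays shutdown/reboot requests to init via initctl`. `init_read_utmp` is comparatively harmless but would benefit from the same one-line justification.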
@@ -27,6 +27,8 @@
 domain_subj_id_change_exempt(sulogin_t)
 domain_role_change_exempt(sulogin_t)
 domain_wide_inherit_fd(sulogin_t)
+fs_use_tmpfs_chr_dev(sulogin_t)
+
 init_domain(sulogin_t,sulogin_exec_t)
 init_system_domain(sulogin_t,sulogin_exec_t)
 role system_r types sulogin_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-2.2.7/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2006-01-13 17:06:08.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/system/modutils.te 2006-01-26 17:01:26.000000000 -0500
@@ -113,6 +113,8 @@
 miscfiles_read_localization(insmod_t)
+seutil_read_file_contexts(insmod_t)
+
 if( ! secure_mode_insmod ) {
 kernel_userland_entry(insmod_t,insmod_exec_t)
 }
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.7/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-01-19 10:00:41.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/system/selinuxutil.te 2006-01-26 17:01:26.000000000 -0500
@@ -414,7 +414,7 @@
 allow run_init_t self:process setexec;
 allow run_init_t self:capability setuid;
 allow run_init_t self:fifo_file rw_file_perms;
- allow run_init_t self:netlink_audit_socket { create bind write nlmsg_read read };
+ allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 # often the administrator runs such programs from a directory that is owned
 # by a different user or has restrictive SE permissions, do not want to audit
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.2.7/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2006-01-19 10:00:41.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/system/udev.te 2006-01-26 17:01:26.000000000 -0500
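Review bot: The run_init_t rule in the selinuxutil.te hunk replaces the explicit `{ create bind write nlmsg_read read }` with `{ create_netlink_socket_perms nlmsg_relay }`, which changes the permission set in both directions: the macro widens the socket-level permissions, and the explicit `nlmsg_read` is gone unless the macro happens to include it in this policy version's permission sets — worth checking before merging. If run_init only emits user-space audit records (the relay path), dropping nlmsg_read is correct and the intent should be recorded, e.g. `# run_init sends user-space audit records; it does not query audit status`; if it also reads audit status, a denial on that query would be the symptom.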
@@ -90,6 +90,7 @@
 dev_delete_generic_file(udev_t)
 fs_getattr_all_fs(udev_t)
+fs_search_inotifyfs(udev_t)
 selinux_get_fs_mount(udev_t)
 selinux_validate_context(udev_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.7/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2006-01-20 10:02:33.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/system/unconfined.if 2006-01-26 17:01:26.000000000 -0500
@@ -54,8 +54,13 @@
 tunable_policy(`allow_execmem && allow_execstack',`
 # Allow making the stack executable via mprotect.
 allow $1 self:process execstack;
+ ', `
+ # These are fairly common but seem to be harmless
+ # caused by using shared libraries built with old tool chains
+ dontaudit $1 self:process execstack;
 ')
+
 optional_policy(`authlogin',`
 auth_unconfined($1)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.7/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-01-26 16:54:28.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/system/userdomain.if 2006-01-26 17:01:26.000000000 -0500
@@ -848,9 +848,6 @@
 fs_set_all_quotas($1_t)
 fs_exec_noxattr($1_t)
- selinux_set_enforce_mode($1_t)
- selinux_set_boolean($1_t)
- selinux_set_parameters($1_t)
 # Get security policy decisions:
 selinux_get_fs_mount($1_t)
 selinux_validate_context($1_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.7/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-01-26 16:54:28.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/system/userdomain.te 2006-01-26 17:12:42.000000000 -0500
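Review bot: The new else-branch `dontaudit $1 self:process execstack;` in the unconfined.if hunk hides the very event the `allow_execstack` tunable exists to control: with the boolean off, an unconfined program making its stack executable is now denied silently, so the administrator loses the one signal that a library needs rebuilding (or that something is trying to run code from the stack). The added comment explains the nuisance but not this trade-off; consider `# Denied silently when allow_execstack is off: libraries from old toolchains request an executable stack. Drop this dontaudit when hunting for such libraries.` or leave the denial audited. Minor: "tool chains" is conventionally written as one word.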
@@ -154,10 +154,16 @@
 corecmd_exec_shell(sysadm_t)
- mls_process_read_up(sysadm_t)
-
- logging_read_audit_log(sysadm_t)
+ ifdef(`enable_mls',`
+ logging_read_audit_log(secadm_t)
+ logging_domtrans_auditctl(secadm_t)
+ mls_process_read_up(secadm_t)
+ ', `
+ logging_domtrans_auditctl(sysadm_t)
+ logging_read_audit_log(sysadm_t)
+ ')
+ mls_process_read_up(sysadm_t)
 ifdef(`direct_sysadm_daemon',`
 optional_policy(`init',`
 init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
@@ -168,6 +174,10 @@
 domain_ptrace_all_domains(sysadm_t)
 ')
+ optional_policy(`dmesg',`
+ dmesg_exec(sysadm_t)
+ ')
+
 optional_policy(`amanda',`
 amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
 ')
@@ -205,6 +215,9 @@
 optional_policy(`consoletype',`
 consoletype_exec(sysadm_t)
+ ifdef(`enable_mls',`
+ consoletype_exec(secadm_t)
+ ')
 ')
 optional_policy(`ddcprobe',`
@@ -320,10 +333,24 @@
 ')
 optional_policy(`selinuxutil',`
- seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
- seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
+ ifdef(`enable_mls',`
+ seutil_manage_binary_pol(secadm_t)
+ seutil_run_checkpol(secadm_t,secadm_r,admin_terminal)
+ seutil_run_loadpol(secadm_t,secadm_r,admin_terminal)
+ seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
+ selinux_set_enforce_mode(secadm_t)
+ selinux_set_boolean(secadm_t)
+ selinux_set_parameters(secadm_t)
+ ', `
+ seutil_manage_binary_pol(sysadm_t)
+ seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
+ seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
+ seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
+ selinux_set_enforce_mode(sysadm_t)
+ selinux_set_boolean(sysadm_t)
+ selinux_set_parameters(sysadm_t)
+ ')
 seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
- seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
 ifdef(`targeted_policy',`',`
 seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
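Review bot: In the last userdomain.te hunk, `selinux_set_enforce_mode`, `selinux_set_boolean` and `selinux_set_parameters` are re-added inside `optional_policy(`selinuxutil',`, but the userdomain.if hunk that removed them had them unconditional, and these three interfaces are provided by the kernel selinux module rather than by selinuxutil. Changing enforcing mode or booleans is a write to the SELinux filesystem and needs none of the selinuxutil domains, so the administrator's ability to do it now silently depends on whether the selinuxutil module is built; moving those three calls, in both branches of the `ifdef(`enable_mls'`, out of the optional_policy block preserves the original behavior. If making them conditional is intended, a comment explaining why would save the next reader the same question. The `optional_policy(`selinuxutil'` block continues past the end of the hunk.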