patch from dan Thu, 09 Feb 2006 13:39:41 -0500
authorChris PeBenito <cpebenito@tresys.com>
Mon, 13 Feb 2006 22:05:08 +0000 (22:05 +0000)
committerChris PeBenito <cpebenito@tresys.com>
Mon, 13 Feb 2006 22:05:08 +0000 (22:05 +0000)
42 files changed:
refpolicy/policy/modules/admin/kudzu.te
refpolicy/policy/modules/admin/prelink.te
refpolicy/policy/modules/admin/readahead.te
refpolicy/policy/modules/admin/su.if
refpolicy/policy/modules/admin/su.te
refpolicy/policy/modules/kernel/bootloader.te
refpolicy/policy/modules/kernel/corenetwork.te.in
refpolicy/policy/modules/kernel/devices.fc
refpolicy/policy/modules/kernel/devices.te
refpolicy/policy/modules/kernel/files.fc
refpolicy/policy/modules/kernel/files.if
refpolicy/policy/modules/kernel/files.te
refpolicy/policy/modules/kernel/filesystem.if
refpolicy/policy/modules/kernel/filesystem.te
refpolicy/policy/modules/kernel/terminal.if
refpolicy/policy/modules/kernel/terminal.te
refpolicy/policy/modules/services/apache.fc
refpolicy/policy/modules/services/apache.te
refpolicy/policy/modules/services/automount.if
refpolicy/policy/modules/services/automount.te
refpolicy/policy/modules/services/cron.if
refpolicy/policy/modules/services/cron.te
refpolicy/policy/modules/services/fetchmail.te
refpolicy/policy/modules/services/hal.te
refpolicy/policy/modules/services/mta.te
refpolicy/policy/modules/services/networkmanager.te
refpolicy/policy/modules/services/postfix.te
refpolicy/policy/modules/services/remotelogin.te
refpolicy/policy/modules/services/sendmail.te
refpolicy/policy/modules/services/spamassassin.te
refpolicy/policy/modules/services/zebra.te
refpolicy/policy/modules/system/fstools.te
refpolicy/policy/modules/system/libraries.te
refpolicy/policy/modules/system/locallogin.te
refpolicy/policy/modules/system/logging.te
refpolicy/policy/modules/system/mount.te
refpolicy/policy/modules/system/selinuxutil.te
refpolicy/policy/modules/system/udev.te
refpolicy/policy/modules/system/unconfined.if
refpolicy/policy/modules/system/unconfined.te
refpolicy/policy/modules/system/userdomain.if
refpolicy/policy/modules/system/userdomain.te

index d04e2315d74b84731c9d7deab0947e63fa995d69..a9709809697de93d4e287b405fc73cdfe45ba9e9 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(kudzu,1.1.1)
+policy_module(kudzu,1.1.2)
 
 ########################################
 #
@@ -24,7 +24,6 @@ files_pid_file(kudzu_var_run_t)
 allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
 dontaudit kudzu_t self:capability sys_tty_config;
 allow kudzu_t self:process { signal_perms execmem };
-auditallow kudzu_t self:process execmem; 
 allow kudzu_t self:fifo_file rw_file_perms;
 allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow kudzu_t self:unix_dgram_socket create_socket_perms;
@@ -72,6 +71,7 @@ modutils_rename_module_config(kudzu_t)
 storage_read_scsi_generic(kudzu_t)
 storage_read_tape(kudzu_t)
 storage_raw_write_fixed_disk(kudzu_t)
+storage_raw_write_removable_device(kudzu_t)
 storage_raw_read_fixed_disk(kudzu_t)
 storage_raw_read_removable_device(kudzu_t)
 
index 17165bf8c8364348c1fd2e23dc3fe05c7aba680a..3433cda8b35ac4dfed0895ea2ac8713eb706ca90 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(prelink,1.0.1)
+policy_module(prelink,1.0.2)
 
 ########################################
 #
@@ -65,6 +65,7 @@ files_read_etc_runtime_files(prelink_t)
 fs_getattr_xattr_fs(prelink_t)
 
 libs_use_ld_so(prelink_t)
+libs_exec_ld_so(prelink_t)
 libs_manage_ld_so(prelink_t)
 libs_relabel_ld_so(prelink_t)
 libs_use_shared_libs(prelink_t)
index 50a39d1018f45769caf5a73dc393937da0405dd2..f7deda61846f31c55bfee1dbf86e005554fa13d0 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(readahead,1.1.1)
+policy_module(readahead,1.1.2)
 
 ########################################
 #
@@ -47,7 +47,9 @@ fs_getattr_all_fs(readahead_t)
 fs_search_auto_mountpoints(readahead_t)
 fs_getattr_all_pipes(readahead_t)
 fs_getattr_all_files(readahead_t)
-fs_search_ramfs(readahead_t)
+fs_dontaudit_search_ramfs(readahead_t)
+fs_dontaudit_read_ramfs_pipes(readahead_t)
+fs_dontaudit_read_ramfs_files(readahead_t)
 fs_read_tmpfs_symlinks(readahead_t)
 
 term_dontaudit_use_console(readahead_t)
index 5ee377fac74bfcf676f0d3c0d1c11e93c73011a9..a5f9bba843d930e874336dc48e4155a1380cb3d7 100644 (file)
@@ -22,7 +22,6 @@ template(`su_restricted_domain_template', `
 
        # Transition from the user domain to this domain.
        domain_auto_trans($2, su_exec_t, $1_su_t)
-       allow $2 $1_su_t:fd use;
        allow $1_su_t $2:fd use;
        allow $1_su_t $2:fifo_file rw_file_perms;
        allow $1_su_t $2:process sigchld;
@@ -30,9 +29,8 @@ template(`su_restricted_domain_template', `
        # By default, revert to the calling domain when a shell is executed.
        corecmd_shell_domtrans($1_su_t,$2)
        allow $2 $1_su_t:fd use;
-       allow $1_su_t $2:fd use;
-       allow $1_su_t $2:fifo_file rw_file_perms;
-       allow $1_su_t $2:process sigchld;
+       allow $2 $1_su_t:fifo_file rw_file_perms;
+       allow $2 $1_su_t:process sigchld;
 
        kernel_read_system_state($1_su_t)
        kernel_read_kernel_sysctls($1_su_t)
index a3eb3892506cef18aa0e896b5d5145b4f08310b8..a3d8488e0053b5092951f5a85d81a0191b876153 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(su,1.2.0)
+policy_module(su,1.2.1)
 
 ########################################
 #
index 7fb63389474d82e0ce7f28e9da49efa7487d428f..5da7b893f29392b4b374759ebff23f01097a637a 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(bootloader,1.1.2)
+policy_module(bootloader,1.1.3)
 
 ########################################
 #
@@ -71,7 +71,7 @@ logging_log_file(var_log_ksyms_t)
 
 allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
 allow bootloader_t self:process { sigkill sigstop signull signal };
-allow bootloader_t self:fifo_file { getattr read write };
+allow bootloader_t self:fifo_file rw_file_perms;
 
 allow bootloader_t boot_t:dir { create rw_dir_perms };
 allow bootloader_t boot_t:file create_file_perms;
@@ -110,7 +110,7 @@ dev_getattr_all_blk_files(bootloader_t)
 dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
 dev_read_rand(bootloader_t)
 dev_read_urand(bootloader_t)
-dev_getattr_sysfs_dirs(bootloader_t)
+dev_read_sysfs(bootloader_t)
 # for reading BIOS data
 dev_read_raw_memory(bootloader_t)
 
index 960016c7b7c2dc17994a6781d8dcaf951b7387d5..e0ef7441da269c28d3793e400a97a3a3a50c4cc2 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.0.2)
+policy_module(corenetwork,1.0.3)
 
 ########################################
 #
@@ -46,6 +46,7 @@ network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
 network_port(auth, tcp,113,s0)
+network_port(bgp, tcp,179,s0, udp,179,s0)
 type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
 network_port(clamd, tcp,3310,s0)
 network_port(clockspeed, udp,4041,s0)
index e194c75c09de3d08ef3f8cc2ed777cebb519d8df..54bbddf01e961750da168c32be8e7207230e230e 100644 (file)
@@ -58,6 +58,8 @@ ifdef(`distro_suse', `
 /dev/z90crypt          -c      gen_context(system_u:object_r:crypt_device_t,s0)
 /dev/zero              -c      gen_context(system_u:object_r:zero_device_t,s0)
 
+/dev/bus/usb/.*/[0-9]+ -c      gen_context(system_u:object_r:usb_device_t,s0)
+
 /dev/cpu/.*            -c      gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/cpu/mtrr          -c      gen_context(system_u:object_r:mtrr_device_t,s0)
 
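Review bot: The added pattern `/dev/bus/usb/.*/[0-9]+` uses `.*` for the bus component, and `.*` also matches strings containing `/`, so a character device at any depth under /dev/bus/usb with a numeric final component is labelled usb_device_t. The comment added to devices.te in this same commit gives the intended path as `/dev/bus/usb/[0-9]+/[0-9]+`. Writing the entry the same way, `/dev/bus/usb/[0-9]+/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)`, confines the label to bus/device nodes. Neighbouring entries such as `/dev/cpu/.*` are equally loose, so this may simply follow the file's convention.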
index c5cc6eafeb951dd694da936bad4c63d21f302190..1e3008f9970a3777382812611705b919c69b5271 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(devices,1.0.0)
+policy_module(devices,1.0.1)
 
 ########################################
 #
@@ -159,6 +159,12 @@ fs_noxattr_type(usbfs_t)
 genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0)
 genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
 
+#
+# usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+
+#
+type usb_device_t;
+dev_node(usb_device_t)
+
 type v4l_device_t;
 dev_node(v4l_device_t)
 
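Review bot: The new type `usb_device_t` is declared here with `dev_node()`, but devices.if is not among the 42 changed files, so the commit appears to add no interface that grants access to it. Once the /dev/bus/usb nodes carry this label, domains that open them would presumably either depend on attribute-wide device interfaces or start hitting denials. Worth confirming which interface is meant to cover the type and recording it in the comment block, e.g. `# access granted via <interface name> - TODO confirm`.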
index 5fc259e91ca04606c0eab71206c4f149d20f9cf6..f9032b4097c1afa7e9c890535dc3070aed5d3f62 100644 (file)
@@ -173,6 +173,8 @@ HOME_ROOT/lost\+found/.*            <<none>>
 /usr(/.*)?                     gen_context(system_u:object_r:usr_t,s0)
 /usr/\.journal                 <<none>>
 
+/usr/doc(/.*)?/lib(/.*)?               gen_context(system_u:object_r:usr_t,s0)
+
 /usr/etc(/.*)?                 gen_context(system_u:object_r:etc_t,s0)
 
 /usr/inclu.e(/.*)?             gen_context(system_u:object_r:usr_t,s0)
@@ -192,6 +194,7 @@ HOME_ROOT/lost\+found/.*            <<none>>
 /usr/share(/.*)?/lib(64)?(/.*)?        gen_context(system_u:object_r:usr_t,s0)
 
 /usr/src(/.*)?                 gen_context(system_u:object_r:src_t,s0)
+/usr/src(/.*)?/lib(/.*)?               gen_context(system_u:object_r:usr_t,s0)
 
 /usr/tmp                       -d      gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
 /usr/tmp/.*                    <<none>>
index ff04244d5fc38d8e7ffb67f81714baaf3697943c..73e55609c54e86cfdb2da085ba5d5e5d0cfdc110 100644 (file)
@@ -2292,7 +2292,7 @@ interface(`files_setattr_all_tmp_dirs',`
                attribute tmpfile;
        ')
 
-       allow $1 tmpfile:dir { search getattr };
+       allow $1 tmpfile:dir { search setattr };
 ')
 
 ########################################
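Review bot: Swapping `getattr` for `setattr` in `files_setattr_all_tmp_dirs` makes the rule match the interface name, but it also changes what every existing caller receives. Each caller now holds `setattr` on all `tmpfile` directories and loses the `getattr` it had before. The callers are not visible in this commit, so they should be audited: confirm each one needs to change attributes on every temporary directory, and move any that only relied on getattr to a getattr interface. If both are needed, `allow $1 tmpfile:dir { search getattr setattr };` keeps the old behaviour while adding the intended one. The interface's header and doc block lie above the hunk.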
index c3862cd1e42cfe13a78ca7d965633041de96a508..29de9d7ac2ce6ca64a826e1c4f77bd90be9ee402 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(files,1.1.0)
+policy_module(files,1.1.1)
 
 ########################################
 #
index e884cef163c9c8616555f8bc313d1ba866f59ed9..07025093aa8dc2cdb36e1f015c5716185954a792 100644 (file)
@@ -1031,6 +1031,24 @@ interface(`fs_search_inotifyfs',`
        allow $1 inotifyfs_t:dir search_dir_perms;
 ')
 
+########################################
+## <summary>
+##     List inotifyfs filesystem. 
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_list_inotifyfs',`
+       gen_require(`
+               type inotifyfs_t;
+       ')
+
+       allow $1 inotifyfs_t:dir r_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##     Mount an iso9660 filesystem, which
@@ -1963,6 +1981,42 @@ interface(`fs_dontaudit_search_ramfs',`
        dontaudit $1 ramfs_t:dir search;
 ')
 
+########################################
+## <summary>
+##     Dontaudit read on a ramfs files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_dontaudit_read_ramfs_files',`
+       gen_require(`
+               type ramfs_t;
+       ')
+
+       dontaudit $1 ramfs_t:file read;
+')
+
+########################################
+## <summary>
+##     Dontaudit read on a ramfs fifo_files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_dontaudit_read_ramfs_pipes',`
+       gen_require(`
+               type ramfs_t;
+       ')
+
+       dontaudit $1 ramfs_t:fifo_file read;
+')
+
 ########################################
 ## <summary>
 ##     Write to named pipe on a ramfs filesystem.
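Review bot: Both new interfaces, `fs_dontaudit_read_ramfs_files` and `fs_dontaudit_read_ramfs_pipes`, document their parameter as `Domain allowed access.`, although they grant nothing and only suppress logging of denials. The automount interface added in this same commit uses `Domain to not audit.`, which is the accurate wording here as well. The summaries would also read more clearly as `Do not audit attempts to read ramfs files.` and `Do not audit attempts to read ramfs named pipes.`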
index dd185a6e82dc622a6c0623514d9b749f7bbbc578..e90f68d59f96b5184bddebc9523785b81bb8a13b 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(filesystem,1.2.1)
+policy_module(filesystem,1.2.2)
 
 ########################################
 #
index bd890a644eae0a3e2b57faff37736b94c88bcba6..6b7acd879575e2df143e934f64a1700d2b6083f7 100644 (file)
@@ -430,7 +430,7 @@ interface(`term_dontaudit_use_generic_ptys',`
                type devpts_t;
        ')
 
-       dontaudit $1 devpts_t:chr_file { read write };
+       dontaudit $1 devpts_t:chr_file { getattr read write };
 ')
 
 ########################################
index 45e3b679375deaa3740a902a49832a3f1d68c865..295bdbacabe0b4fa5919fd58cffab7929e0c4870 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(terminal,1.0.0)
+policy_module(terminal,1.0.1)
 
 ########################################
 #
index 5765eb288940b3d67083ee4380d288ab2daf65a9..1eb9976f343eed501decdcd4025317525a126282 100644 (file)
@@ -45,6 +45,7 @@ ifdef(`distro_suse', `
 /var/cache/rt3(/.*)?                   gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/ssl.*\.sem          --      gen_context(system_u:object_r:httpd_cache_t,s0)
 
+/var/lib/cacti(/.*)?                   gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/dav(/.*)?                     gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/htdig(/.*)?                   gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/httpd(/.*)?                   gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -53,6 +54,7 @@ ifdef(`distro_suse', `
 
 /var/log/apache(2)?(/.*)?              gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/apache-ssl(2)?(/.*)?          gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cacti(/.*)?                   gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cgiwrap\.log.*                --      gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/httpd(/.*)?                   gen_context(system_u:object_r:httpd_log_t,s0)
 ifdef(`distro_debian', `
index 6b13f644927ebe92b20bac4f42ad45ec49ae0436..67ef22ba06901f2eeecabf7fd8560f13c1cc3f63 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(apache,1.2.0)
+policy_module(apache,1.2.1)
 
 #
 # NOTES: 
index cf9b87aea595f22ced8ce4cf48af72001628a290..5c17e8664b59f9226ead9acab7f4617c908819d2 100644 (file)
@@ -43,3 +43,22 @@ interface(`automount_exec_config',`
        corecmd_search_sbin($1)
        can_exec($1,automount_etc_t)
 ')
+
+########################################
+## <summary>
+##     Do not audit attempts to get the attributes
+##     of automount temporary directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`automount_dontaudit_getattr_tmp_dirs',`
+       gen_require(`
+               type automount_tmp_t;
+       ')
+
+       dontaudit $1 automount_tmp_t:dir getattr;
+')
index 9ceb5651f24574f7ae89e4bd26c82c18b6bccf4b..3037e1f92ae2355f254c021e630f5150ca4e26bd 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(automount,1.1.1)
+policy_module(automount,1.1.2)
 
 ########################################
 #
index ab56c3b511bd6df82b2f9bd2f39dd4c0d1949cd8..6226fc0026a9664285cee650396057114964eb46 100644 (file)
@@ -429,7 +429,7 @@ interface(`cron_rw_pipes',`
                type crond_t;
        ')
 
-       allow $1 crond_t:fifo_file { read write };
+       allow $1 crond_t:fifo_file { getattr read write };
 ')
 
 ########################################
index e910bc0b7f833e274e6a195c56c25479325dfaec..fef15dc47144bad35f7f1bc31cee5468e79015e2 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(cron,1.2.0)
+policy_module(cron,1.2.1)
 
 gen_require(`
        class passwd rootok;
@@ -108,6 +108,7 @@ auth_domtrans_chk_passwd(crond_t)
 
 corecmd_exec_shell(crond_t)
 corecmd_list_sbin(crond_t)
+corecmd_read_sbin_symlinks(crond_t)
 
 domain_use_wide_inherit_fd(crond_t)
 
index 6ac08a720ad7746654ad0699fa8bbb5385ca74bd..4ab327c7b8fa326592f97d54c9366c24b5e4e2d1 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(fetchmail,1.0.1)
+policy_module(fetchmail,1.0.2)
 
 ########################################
 #
@@ -44,6 +44,7 @@ kernel_read_kernel_sysctls(fetchmail_t)
 kernel_list_proc(fetchmail_t)
 kernel_getattr_proc_files(fetchmail_t)
 kernel_read_proc_symlinks(fetchmail_t)
+kernel_dontaudit_read_system_state(fetchmail_t)
 
 corenet_non_ipsec_sendrecv(fetchmail_t)
 corenet_tcp_sendrecv_generic_if(fetchmail_t)
index 96ddc5bf1bc7d95c2f5b82da4665854c63be8ecf..8e85e00a1ef95853921af2b3edee83a4c94bf255 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(hal,1.2.3)
+policy_module(hal,1.2.4)
 
 ########################################
 #
@@ -112,12 +112,15 @@ storage_raw_write_fixed_disk(hald_t)
 term_dontaudit_use_console(hald_t)
 term_dontaudit_ioctl_unallocated_ttys(hald_t)
 term_dontaudit_use_unallocated_ttys(hald_t)
+term_dontaudit_use_generic_ptys(hald_t)
 
 init_use_fd(hald_t)
 init_use_script_ptys(hald_t)
 init_domtrans_script(hald_t)
 init_write_initctl(hald_t)
 init_read_utmp(hald_t)
+#hal runs shutdown, probably need a shutdown domain
+init_rw_utmp(hald_t)
 
 libs_use_ld_so(hald_t)
 libs_use_shared_libs(hald_t)
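Review bot: `init_rw_utmp(hald_t)` gives the hardware daemon write access to utmp only so that it can run shutdown, and the added comment itself says a separate shutdown domain is probably needed. The comment should be marked as outstanding work so the grant gets revisited, e.g. `# XXX: hal runs shutdown; move this into a shutdown domain and drop utmp write from hald_t`. If init_rw_utmp includes read access, as its name suggests, the existing `init_read_utmp(hald_t)` line just above is now redundant and can be removed.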
@@ -150,6 +153,10 @@ optional_policy(`apm',`
        apm_stream_connect(hald_t)
 ')
 
+optional_policy(`automount', `
+       automount_dontaudit_getattr_tmp_dirs(hald_t)
+')
+
 optional_policy(`bind',`
        bind_search_cache(hald_t)
 ')
index 64f5ed8b288f784c40d0c53924eb1b546cdc2944..91c90a8dc3e31ab57d29b61cd032c96b0f2e11bb 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(mta,1.2.0)
+policy_module(mta,1.2.1)
 
 ########################################
 #
@@ -145,6 +145,8 @@ optional_policy(`postfix',`
        files_getattr_tmp_dirs(system_mail_t)
 
        postfix_exec_master(system_mail_t)
+       postfix_read_config(system_mail_t)
+       postfix_search_spool(system_mail_t)
 
        ifdef(`distro_redhat',`
                # compatability for old default main.cf
index 0bb456dc932fd1444b7c024e99df28685a6e350f..d2576449af2e265ce0f1ad0f8a1c4bb45e2f8712 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(networkmanager,1.2.1)
+policy_module(networkmanager,1.2.2)
 
 ########################################
 #
@@ -30,8 +30,9 @@ allow NetworkManager_t self:udp_socket create_socket_perms;
 allow NetworkManager_t self:packet_socket create_socket_perms;
 
 allow NetworkManager_t NetworkManager_var_run_t:file create_file_perms;
-allow NetworkManager_t NetworkManager_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(NetworkManager_t,NetworkManager_var_run_t)
+allow NetworkManager_t NetworkManager_var_run_t:dir create_dir_perms;
+allow NetworkManager_t NetworkManager_var_run_t:sock_file create_file_perms;
+files_filetrans_pid(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
 
 kernel_read_system_state(NetworkManager_t)
 kernel_read_network_state(NetworkManager_t)
index 6749d3f7a31d32b3a0d6447c20ec91d4ed7d16ab..f54a670e18c58da360a3265f31a72320ad40577d 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(postfix,1.1.0)
+policy_module(postfix,1.1.1)
 
 ########################################
 #
@@ -418,10 +418,13 @@ allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
 allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
 allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
 
+corenet_udp_sendrecv_all_if(postfix_postdrop_t)
+corenet_udp_sendrecv_all_nodes(postfix_postdrop_t)
+
 term_dontaudit_use_all_user_ptys(postfix_postdrop_t)
 term_dontaudit_use_all_user_ttys(postfix_postdrop_t)
 
-sysnet_dontaudit_read_config(postfix_postdrop_t)
+sysnet_dns_name_resolve(postfix_postdrop_t)
 
 mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
 
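Review bot: postfix_postdrop_t moves from `sysnet_dontaudit_read_config` to full `sysnet_dns_name_resolve`, plus UDP send/receive on all interfaces and nodes, with no comment saying which postdrop operation needs name resolution. The surrounding rules (user tty dontaudits, `mta_rw_user_mail_stream_sockets`) indicate this domain runs on behalf of local users, so new network access deserves a stated reason. A line such as `# postdrop resolves <what> - reason for DNS access` above the new calls would do. It is also worth checking whether sysnet_dns_name_resolve already carries the UDP rules, in which case the two corenet lines are redundant.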
index 10927eef49685462934ff3db0a2b114e8bea4c8c..8aa512e9996e5494c4565b750b5b3efed2686914 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(remotelogin,1.1.0)
+policy_module(remotelogin,1.1.1)
 
 ########################################
 #
@@ -96,6 +96,7 @@ files_read_world_readable_symlinks(remote_login_t)
 files_read_world_readable_pipes(remote_login_t)
 files_read_world_readable_sockets(remote_login_t)
 files_list_mnt(remote_login_t)
+files_polyinstantiate_all(remote_login_t)
 # for when /var/mail is a sym-link
 files_read_var_symlinks(remote_login_t)
 
@@ -152,6 +153,10 @@ tunable_policy(`use_samba_home_dirs',`
        fs_read_cifs_symlinks(remote_login_t)
 ')
 
+optional_policy(`alsa',`
+       alsa_domtrans(remote_login_t)
+')
+
 optional_policy(`nis',`
        nis_use_ypbind(remote_login_t)
 ')
@@ -163,30 +168,3 @@ optional_policy(`nscd',`
 optional_policy(`usermanage',`
        usermanage_read_crack_db(remote_login_t)
 ')
-
-ifdef(`TODO',`
-# this goes to xdm:
-optional_policy(`remotelogin',`
-       # FIXME: what is this for?
-       remotelogin_signull(xdm_t)
-')
-# Login can polyinstantiate
-polyinstantiater(remote_login_t)
-
-ifdef(`alsa.te', `
-domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
-')
-
-allow remote_login_t userpty_type:chr_file { setattr write };
-allow remote_login_t ptyfile:chr_file { getattr ioctl };
-
-optional_policy(`rlogind',`
-       allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms };
-       allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
-')
-
-optional_policy(`telnetd',`
-       allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms };
-       allow remote_login_t telnetd_devpts_t:chr_file { relabelfrom relabelto };
-')
-') dnl endif TODO
index 04c215c32e2071718d40a6c7bcace7cc931ace3c..1aa74956736a207f0224f6fbd4874c3985575f0d 100644 (file)
@@ -65,6 +65,7 @@ term_dontaudit_use_console(sendmail_t)
 
 # for piping mail to a command
 corecmd_exec_shell(sendmail_t)
+corecmd_search_sbin(sendmail_t)
 
 domain_use_wide_inherit_fd(sendmail_t)
 
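Review bot: sendmail.te shows no hunk bumping its `policy_module(sendmail,...)` version, unlike most other .te files changed in this commit, although it gains `corecmd_search_sbin(sendmail_t)`. If module versions are how policy changes are tracked, the bump appears to have been missed here.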
index 6bdea1769d4ebd043da6388b47c5f3166765d479..a3643ff1590fe20e190c1245c755c957632d30ac 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(spamassassin,1.2.1)
+policy_module(spamassassin,1.2.2)
 
 ########################################
 #
@@ -77,6 +77,7 @@ corenet_tcp_bind_spamd_port(spamd_t)
 # DnsResolver.pm module which binds to
 # random ports >= 1024.
 corenet_udp_bind_generic_port(spamd_t)
+corenet_tcp_connect_razor_port(spamd_t)
 
 dev_read_sysfs(spamd_t)
 dev_read_urand(spamd_t)
index 14369df1d6c7e7bb2bc94a8f92bcac6638dc912b..9d5d17e5c1dc9c8e51e2cb6ece8cb08b8d01514b 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(zebra,1.1.0)
+policy_module(zebra,1.1.1)
 
 ########################################
 #
@@ -34,7 +34,7 @@ allow zebra_t self:file { ioctl read write getattr lock append };
 allow zebra_t self:unix_dgram_socket create_socket_perms;
 allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
-allow zebra_t self:tcp_socket connected_stream_socket_perms;
+allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };
 allow zebra_t self:udp_socket create_socket_perms;
 allow zebra_t self:rawip_socket create_socket_perms;
 
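Review bot: Adding `connect` to `zebra_t self:tcp_socket` covers only the socket-class check; an outbound TCP connection also needs a port-level connect rule. This commit defines the bgp port in corenetwork.te.in, but no zebra.te hunk makes use of it. Unless the rest of the file, outside these hunks, already allows it, a line such as `corenet_tcp_connect_bgp_port(zebra_t)` would be expected alongside this change. Scoping the connect to the bgp port type is preferable to a generic-port connect.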
index 0d3b9d2ce47722cfc5b7bd9d5c8c8038d681e266..7c345eb8738e412e8ba88b51eb6a14e7f9c3127e 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(fstools,1.2.0)
+policy_module(fstools,1.2.1)
 
 ########################################
 #
@@ -57,6 +57,8 @@ kernel_getattr_proc(fsadm_t)
 kernel_rw_unlabeled_dirs(fsadm_t)
 kernel_rw_unlabeled_blk_files(fsadm_t)
 
+bootloader_getattr_boot_dirs(fsadm_t)
+
 dev_getattr_all_chr_files(fsadm_t)
 # mkreiserfs and other programs need this for UUID
 dev_read_rand(fsadm_t)
index 79c490c6cf3ac16531f04a35023f3d1996dc08e2..d701311352f23fce786a14e5c438fab87f5907c0 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(libraries,1.2.0)
+policy_module(libraries,1.2.1)
 
 ########################################
 #
@@ -71,6 +71,7 @@ domain_use_wide_inherit_fd(ldconfig_t)
 files_search_var_lib(ldconfig_t)
 files_read_etc_files(ldconfig_t)
 files_search_tmp(ldconfig_t)
+files_search_usr(ldconfig_t)
 # for when /etc/ld.so.cache is mislabeled:
 files_delete_etc_files(ldconfig_t)
 
index 56dcfa2ed2723c14004bc9a1a12b4d4c9214dc08..fce565b5dabcc9646aa25567511ab06f62e45ae6 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(locallogin,1.1.2)
+policy_module(locallogin,1.1.3)
 
 ########################################
 #
@@ -141,6 +141,8 @@ files_read_world_readable_pipes(local_login_t)
 files_read_world_readable_sockets(local_login_t)
 # for when /var/mail is a symlink
 files_read_var_symlinks(local_login_t)
+# Login can polyinstantiate
+files_polyinstantiate_all(local_login_t)
 
 init_rw_utmp(local_login_t)
 init_dontaudit_use_fd(local_login_t)
@@ -214,11 +216,6 @@ optional_policy(`alsa',`
        alsa_domtrans(local_login_t)
 ')
 
-ifdef(`TODO',`
-# Login can polyinstantiate
-polyinstantiater(local_login_t)
-') dnl endif TODO
-
 #################################
 # 
 # Sulogin local policy
index 50b3a471fa6719078724729db128b09d4bf1345c..6e039f85dd8a2bd7746c56f5dbedc30885d75590 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(logging,1.2.1)
+policy_module(logging,1.2.2)
 
 ########################################
 #
@@ -80,6 +80,8 @@ domain_use_wide_inherit_fd(auditctl_t)
 
 mls_file_read_up(auditctl_t)
 
+term_use_all_terms(auditctl_t)
+
 init_use_script_ptys(auditctl_t)
 init_dontaudit_use_fd(auditctl_t)
 
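Review bot: `term_use_all_terms(auditctl_t)` by its name lets auditctl use every terminal type, while the file already carries a narrower rule for administrator terminals (`allow auditctl_t admin_tty_type:chr_file rw_file_perms;`, visible in the next hunk header). If the aim is only to quiet denials when auditctl is started from an unexpected tty, a dontaudit variant or a rule limited to the terminals it is actually launched from would keep this audit-control domain tighter. At minimum, add a comment stating which terminal prompted the change.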
@@ -114,7 +116,7 @@ allow auditctl_t admin_tty_type:chr_file rw_file_perms;
 
 allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
 dontaudit auditd_t self:capability sys_tty_config;
-allow auditd_t self:process { signal_perms setsched };
+allow auditd_t self:process { signal_perms setpgid setsched };
 allow auditd_t self:file { getattr read write };
 allow auditd_t self:unix_dgram_socket create_socket_perms;
 allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
index d57696d293739477f86f12e58294f7b19dc59ea9..7ff39ff7703a3d6430221a3cedb3e1f8bfacdae5 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(mount,1.2.1)
+policy_module(mount,1.2.2)
 
 ########################################
 #
@@ -33,6 +33,8 @@ corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
 dev_getattr_all_blk_files(mount_t)
 dev_list_all_dev_nodes(mount_t)
 dev_rw_lvm_control(mount_t)
+dev_dontaudit_getattr_memory_dev(mount_t)
+dev_getattr_sound_dev(mount_t)
 
 storage_raw_read_fixed_disk(mount_t)
 storage_raw_write_fixed_disk(mount_t)
index 8447279fce715a9e752a81a81c356ea1e1e461cf..9a7e3b944be7636ab59e5bb7707fc35cee2f0d6a 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.1.3)
+policy_module(selinuxutil,1.1.4)
 
 gen_require(`
        bool secure_mode;
@@ -249,6 +249,7 @@ term_use_all_user_ttys(newrole_t)
 term_use_all_user_ptys(newrole_t)
 term_relabel_all_user_ttys(newrole_t)
 term_relabel_all_user_ptys(newrole_t)
+term_dontaudit_use_unallocated_ttys(newrole_t)
 
 auth_domtrans_chk_passwd(newrole_t)
 
@@ -354,6 +355,7 @@ init_use_fd(restorecon_t)
 init_use_script_ptys(restorecon_t)
 
 domain_use_wide_inherit_fd(restorecon_t)
+domain_dontaudit_search_all_domains_state(restorecon_t)
 
 files_read_etc_runtime_files(restorecon_t)
 files_read_etc_files(restorecon_t)
index 6805508043c0fcdc6358c0f8bbd874b111e3367c..c729e0540ea042399dd666cd774a64aef58cf23c 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(udev,1.2.1)
+policy_module(udev,1.2.2)
 
 ########################################
 #
@@ -90,7 +90,7 @@ dev_rw_generic_files(udev_t)
 dev_delete_generic_files(udev_t)
 
 fs_getattr_all_fs(udev_t)
-fs_search_inotifyfs(udev_t)
+fs_list_inotifyfs(udev_t)
 
 selinux_get_fs_mount(udev_t)
 selinux_validate_context(udev_t)
@@ -106,7 +106,7 @@ corecmd_exec_sbin(udev_t)
 corecmd_exec_shell(udev_t)
 
 domain_exec_all_entry_files(udev_t)
-domain_dontaudit_list_all_domains_state(udev_t)
+domain_read_all_domains_state(udev_t)
 
 files_read_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)
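Review bot: Replacing `domain_dontaudit_list_all_domains_state(udev_t)` with `domain_read_all_domains_state(udev_t)` turns a silenced denial into a grant, so udev_t can now read the process state of every domain. Nothing in the hunk explains what udev needs from other processes' state. A why-comment such as `# udev helpers read process state of <which processes> - TODO confirm` would let a later reviewer judge whether a narrower interface is sufficient.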
index 6e0d8dd769928d3fb02c40a19bf35769cd62f282..e63d8278b3fe4f690c1fdf1dedc2046c2c53a5b1 100644 (file)
@@ -19,6 +19,7 @@ interface(`unconfined_domain_noaudit',`
 
        # Use any Linux capability.
        allow $1 self:capability *;
+       allow $1 self:fifo_file create_file_perms;
 
        # Transition to myself, to make get_ordered_context_list happy.
        allow $1 self:process transition;
index b091fac0adde8e7373a570f452d65a64affb3867..4eeced6c2f7e1adbd043c82cf28efa1069bf091d 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.2.3)
+policy_module(unconfined,1.2.4)
 
 ########################################
 #
@@ -89,6 +89,10 @@ ifdef(`targeted_policy',`
                firstboot_domtrans(unconfined_t)
        ')
 
+       optional_policy(`fstools',`
+               fstools_domtrans(unconfined_t)
+       ')
+
        optional_policy(`lpd',`
                lpd_domtrans_checkpc(unconfined_t)
        ')
@@ -101,6 +105,10 @@ ifdef(`targeted_policy',`
                mono_domtrans(unconfined_t)
        ')
 
+       optional_policy(`mount',`
+               mount_domtrans(unconfined_t)
+       ')
+
        optional_policy(`netutils',`
                netutils_domtrans_ping(unconfined_t)
        ')
index 5fb7042ae26d125e3e1340f1fabbedd75887c856..d0e73f3545ff9cafa529143a16cb20a44ac79db1 100644 (file)
@@ -3047,6 +3047,25 @@ interface(`userdom_dontaudit_search_staff_home_dir',`
        dontaudit $1 staff_home_dir_t:dir search;
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to append to the staff
+##     users home directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`userdom_dontaudit_append_staff_home_files',`
+       gen_require(`
+               type staff_home_t;
+       ')
+
+       dontaudit $1 staff_home_t:file append;
+')
+
 ########################################
 ## <summary>
 ##     Read files in the staff users home directory.
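Review bot: The summary of `userdom_dontaudit_append_staff_home_files` says it covers appends "to the staff users home directory", but the rule is `dontaudit $1 staff_home_t:file append;`, which applies to files of type staff_home_t, not to the directory. Suggested summary: `Do not audit attempts to append to files in the staff users home directory.`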
index 2d4457a3a541f39c86dd6ceba4657735fd29f06e..ac593ef242c51a47f27b9c8cea10189c252a0254 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.2.6)
+policy_module(userdomain,1.2.7)
 
 gen_require(`
        role sysadm_r, staff_r, user_r;
@@ -156,6 +156,8 @@ ifdef(`targeted_policy',`
 
        mls_process_read_up(sysadm_t)
 
+       init_exec(sysadm_t)
+
        ifdef(`direct_sysadm_daemon',`
                optional_policy(`init',`
                        init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
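Review bot: `init_exec(sysadm_t)` is added with no comment on why sysadm_t needs to execute init's binary in its own domain. The `init_run_daemon` call just below is guarded by `direct_sysadm_daemon`, whereas this grant is unconditional within the enclosing block, whose opening lies outside the hunk. A short why-comment, e.g. `# sysadm runs <command> which is labelled as init - TODO confirm`, would make the intent reviewable.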
@@ -166,6 +168,7 @@ ifdef(`targeted_policy',`
                logging_read_audit_log(secadm_t)
                logging_domtrans_auditctl(secadm_t)
                mls_process_read_up(secadm_t)
+               userdom_dontaudit_append_staff_home_files(secadm_t)
        ', `
                logging_domtrans_auditctl(sysadm_t)
                logging_read_audit_log(sysadm_t)
@@ -224,6 +227,10 @@ ifdef(`targeted_policy',`
 
        optional_policy(`dmesg',`
                dmesg_exec(sysadm_t)
+
+               ifdef(`enable_mls',`
+                       dmesg_exec(secadm_t)
+               ')
        ')
 
        optional_policy(`dmidecode',`