diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.1.4/Makefile
--- nsaserefpolicy/Makefile 2005-12-09 23:35:04.000000000 -0500
+++ serefpolicy-2.1.4/Makefile 2005-12-13 09:15:56.000000000 -0500
@@ -92,7 +92,7 @@
# enable MLS if requested.
ifneq ($(findstring -mls,$(TYPE)),)
- override M4PARAM += -D enable_mls
+ override M4PARAM += -D enable_mls -D separate_secadm
override CHECKPOLICY += -M
override CHECKMODULE += -M
endif
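Review bot: The comment above this block still reads "enable MLS if requested", but the new `-D separate_secadm` means the `-mls` type now also selects a separate security-administrator role, and a builder cannot choose MLS without it. If that coupling is intended, say so where the reader will look: `# enable MLS (and a separate secadm role) if requested.` Otherwise a second `ifneq` keyed on its own switch would let the two be set independently.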
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/updfstab.te serefpolicy-2.1.4/policy/modules/admin/updfstab.te
--- nsaserefpolicy/policy/modules/admin/updfstab.te 2005-12-12 15:35:53.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/admin/updfstab.te 2005-12-13 09:15:56.000000000 -0500
@@ -32,6 +32,7 @@
dev_manage_generic_symlinks(updfstab_t)
fs_getattr_xattr_fs(updfstab_t)
+fs_getattr_tmpfs(updfstab_t)
fs_getattr_tmpfs_dir(updfstab_t)
fs_search_auto_mountpoints(updfstab_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.1.4/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te 2005-12-09 23:35:04.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/kernel/mls.te 2005-12-13 09:16:43.000000000 -0500
@@ -68,6 +68,7 @@
ifdef(`enable_mcs',`
range_transition getty_t login_exec_t s0 - s0:c0.c255;
range_transition init_t xdm_exec_t s0 - s0:c0.c255;
+range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
@@ -77,6 +78,7 @@
# these might be targeted_policy only
range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
range_transition unconfined_t initrc_exec_t s0;
+range_transition unconfined_t ping_exec_t s0;
')
ifdef(`enable_mls',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.1.4/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2005-12-09 16:09:22.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/services/automount.te 2005-12-13 09:15:56.000000000 -0500
@@ -58,6 +58,7 @@
files_create_pid(automount_t,automount_var_run_t)
kernel_read_kernel_sysctl(automount_t)
+kernel_read_fs_sysctl(automount_t)
kernel_read_proc_symlinks(automount_t)
kernel_read_system_state(automount_t)
kernel_list_proc(automount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.1.4/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2005-12-09 23:35:05.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/services/dovecot.te 2005-12-13 09:15:56.000000000 -0500
@@ -153,6 +153,7 @@
allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
+allow dovecot_t dovecot_var_run_t:dir r_dir_perms;
kernel_read_all_sysctl(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)
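Review bot: The new `allow dovecot_t dovecot_var_run_t:dir r_dir_perms;` has dovecot_t as its subject but is inserted in the run of dovecot_auth_t rules, so anyone auditing what dovecot_t may do will not find it here. Move it to the dovecot_t local-policy section alongside the other dovecot_var_run_t rules, or, if it has to stay, precede it with `# dovecot_t lists its own pid directory` so the placement is visibly deliberate. The enclosing section begins outside the hunk.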
@@ -165,6 +166,8 @@
files_read_etc_files(dovecot_auth_t)
files_read_etc_runtime_files(dovecot_auth_t)
files_search_pids(dovecot_auth_t)
+files_read_usr_symlinks(dovecot_auth_t)
+files_search_tmp(dovecot_auth_t)
libs_use_ld_so(dovecot_auth_t)
libs_use_shared_libs(dovecot_auth_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-2.1.4/policy/modules/services/ftp.fc
--- nsaserefpolicy/policy/modules/services/ftp.fc 2005-11-25 08:11:11.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/services/ftp.fc 2005-12-13 09:15:56.000000000 -0500
@@ -24,3 +24,4 @@
/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
\ No newline at end of file
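Review bot: The appended proftpd entry leaves ftp.fc without a trailing newline (the `\ No newline at end of file` marker). The build assembles file_contexts by concatenating the modules' .fc fragments, so as far as I can tell a missing final newline can fuse this entry with the first line of whatever fragment follows. End `/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)` with a newline.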
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-2.1.4/policy/modules/services/gpm.te
--- nsaserefpolicy/policy/modules/services/gpm.te 2005-12-12 15:35:53.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/services/gpm.te 2005-12-13 09:15:56.000000000 -0500
@@ -46,6 +46,8 @@
# cjp: this has no effect
allow gpm_t gpmctl_t:unix_stream_socket name_bind;
+allow gpm_t self:unix_stream_socket { create_stream_socket_perms };
+
kernel_read_kernel_sysctl(gpm_t)
kernel_list_proc(gpm_t)
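Review bot: `{ create_stream_socket_perms }` wraps a permission-set macro that already expands to a braced set, giving nested braces; checkpolicy accepts that, but the rest of the tree writes such rules without the extra braces, so `allow gpm_t self:unix_stream_socket create_stream_socket_perms;` is the consistent form. The `# cjp: this has no effect` comment two lines up refers to the name_bind rule only; a blank line between that rule and the new one (rather than after it) would keep the comment from reading as if it covered both.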
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.1.4/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2005-12-09 23:35:05.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/services/hal.te 2005-12-13 09:15:56.000000000 -0500
@@ -21,7 +21,10 @@
# Local policy
#
-allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
+# execute openvt which needs setuid
+allow hald_t self:capability setuid;
+
+allow hald_t self:capability { kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio };
dontaudit hald_t self:capability sys_tty_config;
# vbetool requires execmem
allow hald_t self:process { execmem signal_perms };
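Review bot: The new comment justifies only setuid, while the rewritten second rule also adds `kill` and `sys_nice` to hald_t's capability set with nothing saying which helper needs them. Capabilities are the part of a daemon's policy a reviewer checks first, so follow the pattern the hunk itself establishes and put a reason next to each addition, e.g. `# kill: <reason>; sys_nice: <reason>` above the second allow, with the placeholders filled in from whatever hal invokes.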
@@ -104,9 +107,11 @@
storage_raw_write_fixed_disk(hald_t)
term_dontaudit_use_console(hald_t)
+dontaudit hald_t tty_device_t:chr_file ioctl;
init_use_fd(hald_t)
init_use_script_pty(hald_t)
+init_domtrans_script(hald_t)
libs_use_ld_so(hald_t)
libs_use_shared_libs(hald_t)
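Review bot: `init_domtrans_script(hald_t)` lets the hardware daemon execute init scripts and transition into their domain, a large broadening of hald_t's reach, and the hunk gives no reason for it. Add `# hal runs init scripts via <program>` above it (placeholder to be filled in), or narrow the grant to the specific script hal needs if the policy offers a way to. The `dontaudit hald_t tty_device_t:chr_file ioctl;` line also names tty_device_t directly, unlike the `term_dontaudit_use_console(hald_t)` line above it that goes through the terminal module's interface; keeping another module's types behind its interfaces is the convention here, so a terminal-module dontaudit interface would be preferable if one exists.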
@@ -143,6 +148,10 @@
cups_signal_config(hald_t)
')
+optional_policy(`clock',`
+ clock_domtrans(hald_t)
+')
+
optional_policy(`dbus',`
dbus_system_bus_client_template(hald,hald_t)
dbus_send_system_bus_msg(hald_t)
@@ -176,8 +185,8 @@
nscd_use_socket(hald_t)
')
-optional_policy(`ntp',`
- ntp_domtrans(hald_t)
+optional_policy(`vbetool',`
+ vbetool_domtrans(hald_t)
')
optional_policy(`pcmcia',`
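Review bot: The hunk removes `ntp_domtrans(hald_t)` while adding the vbetool transition, and nothing visible explains why hal should no longer run ntp; the two changes are unrelated and the removal reads as collateral from editing an adjacent block. If dropping the ntp transition is deliberate, it deserves its own mention; otherwise keep the `optional_policy(`ntp',`` block and add the vbetool block beside it.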
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-2.1.4/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2005-12-06 19:49:50.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/services/nis.if 2005-12-13 09:15:56.000000000 -0500
@@ -150,8 +150,10 @@
interface(`nis_signal_ypbind',`
gen_require(`
type ypbind_t;
+ type ypbind_var_run_t;
')
+ allow $1 ypbind_var_run_t:file read;
allow $1 ypbind_t:process signal;
')
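Review bot: `nis_signal_ypbind` now also grants read on ypbind_var_run_t files, so the interface's name, and its header comment that begins outside this hunk, no longer describe everything it allows. Either add a why-comment such as `# read ypbind's pid file to find the process to signal` above `allow $1 ypbind_var_run_t:file read;`, or put the pid-file read in its own interface and have callers ask for both.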
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.1.4/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2005-12-09 23:35:06.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/services/spamassassin.te 2005-12-13 09:15:56.000000000 -0500
@@ -120,6 +120,8 @@
term_dontaudit_use_unallocated_tty(spamd_t)
term_dontaudit_use_generic_pty(spamd_t)
files_dontaudit_read_root_file(spamd_t)
+ allow spamd_t user_home_t:dir create_dir_perms;
+ allow spamd_t user_home_t:file create_file_perms;
')
tunable_policy(`use_nfs_home_dirs',`
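Review bot: The two new rules give spamd_t create and write access to user_home_t directories and files by naming the userdomain module's type directly, inside a `tunable_policy` block whose opening, and the tunable it depends on, lie outside the hunk. The convention in this tree is to reach another module's types through its interfaces so the type stays private to its module, and `create_dir_perms`/`create_file_perms` over all home content is wider than writing spamd's own per-user state (presumably what is wanted here) requires. Prefer the narrowest userdomain interface that covers that, and add a comment stating why spamd writes under home directories at all.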
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vbetool.fc serefpolicy-2.1.4/policy/modules/services/vbetool.fc
--- nsaserefpolicy/policy/modules/services/vbetool.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/services/vbetool.fc 2005-12-13 09:15:56.000000000 -0500
@@ -0,0 +1 @@
+/usr/sbin/vbetool -- gen_context(system_u:object_r:vbetool_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vbetool.if serefpolicy-2.1.4/policy/modules/services/vbetool.if
--- nsaserefpolicy/policy/modules/services/vbetool.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/services/vbetool.if 2005-12-13 09:15:56.000000000 -0500
@@ -0,0 +1,27 @@
+## run real-mode video BIOS code to alter hardware state
+
+########################################
+##
+## Execute vbetool application in the vbetool domain.
+##
+##
+## N/A
+##
+#
+interface(`vbetool_domtrans',`
+ gen_require(`
+ type vbetool_t, vbetool_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ corecmd_search_sbin($1)
+ domain_auto_trans($1,vbetool_exec_t,vbetool_t)
+
+ allow $1 vbetool_t:fd use;
+ allow vbetool_t $1:fd use;
+ allow vbetool_t $1:fifo_file rw_file_perms;
+ allow vbetool_t $1:process sigchld;
+
+')
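Review bot: The parameter description in the header is `N/A`, yet the interface takes `$1` as the domain allowed to transition into vbetool_t and every rule in the body uses it. Replace `N/A` with a one-line description of that parameter, e.g. `Domain allowed access.`, matching the other interface headers in the tree. The blank line before the closing `')` can also go.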
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vbetool.te serefpolicy-2.1.4/policy/modules/services/vbetool.te
--- nsaserefpolicy/policy/modules/services/vbetool.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/services/vbetool.te 2005-12-13 09:15:56.000000000 -0500
@@ -0,0 +1,22 @@
+
+policy_module(vbetool,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type vbetool_t;
+type vbetool_exec_t;
+init_system_domain(vbetool_t,vbetool_exec_t)
+
+allow vbetool_t self:process execmem;
+
+dev_wx_raw_memory(vbetool_t)
+dev_read_raw_memory(vbetool_t)
+dev_rwx_zero_dev(vbetool_t)
+dev_read_sysfs(vbetool_t)
+
+libs_use_ld_so(vbetool_t)
+libs_use_shared_libs(vbetool_t)
+
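Review bot: The new domain gets read and write access to raw memory, rwx on the zero device and execmem, with nothing in the file saying why; for a domain with this much reach the reason belongs next to the rules so a later reviewer can tell intent from copy-paste. The interface file's own summary supplies it: add `# vbetool runs real-mode video BIOS code, which needs raw memory access and executable anonymous memory` above `allow vbetool_t self:process execmem;`. The file also opens with a blank line before `policy_module(vbetool,1.0.0)` and ends with one, where other modules start at the policy_module line.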
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.1.4/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2005-12-12 23:05:35.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/system/mount.te 2005-12-13 09:15:56.000000000 -0500
@@ -47,6 +47,7 @@
fs_use_tmpfs_chr_dev(mount_t)
term_use_console(mount_t)
+term_use_generic_pty(mount_t)
# required for mount.smbfs
corecmd_exec_sbin(mount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.1.4/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2005-12-12 15:35:54.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/system/unconfined.if 2005-12-13 09:15:56.000000000 -0500
@@ -29,6 +29,8 @@
allow $1 self:dbus *;
allow $1 self:passwd *;
+ libs_use_shared_libs($1)
+
kernel_unconfined($1)
corenet_unconfined($1)
dev_unconfined($1)
@@ -42,6 +44,7 @@
# Allow making anonymous memory executable, e.g.
# for runtime-code generation or executable stack.
allow $1 self:process execmem;
+ auditallow $1 self:process execmem;
')
tunable_policy(`allow_execmem && allow_execstack',`
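Review bot: `auditallow $1 self:process execmem;` emits an audit record every time an unconfined domain is granted execmem, which, for the runtime code generation the comment above it names, can be a steady stream of AVC grant messages, and the hunk does not say what the audit is for or how long it is meant to stay. Add `# audit execmem use so the domains that need it can be identified; remove once collected` above it, or gate it behind a tunable so deployments can turn the noise off. The block this sits in closes at `')` but opens outside the hunk.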