diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 7ee01bc4..897620a5 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -30,6 +30,11 @@ gen_tunable(cron_can_relabel,false)
##
gen_tunable(fcron_crond,false)
+##
+## Allow gpg executable stack
+##
+gen_tunable(allow_gpg_execstack,false)
+
##
## Allow reading of default_t files.
##
@@ -72,6 +77,11 @@ gen_tunable(user_dmesg,false)
##
gen_tunable(user_net_control,false)
+##
+## Control users use of ping and traceroute
+##
+gen_tunable(user_ping,false)
+
##
## Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
##
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 9f4348a2..a49a055c 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -73,21 +73,7 @@ allow consoletype_t nfs_t:file write;
allow consoletype_t crond_t:fifo_file r_file_perms;
allow consoletype_t system_crond_t:fd use;
-optional_policy(`ypbind.te', `
-if (allow_ypbind) {
-can_network(consoletype_t)
-r_dir_file(consoletype_t,var_yp_t)
-corenet_tcp_bind_generic_port(consoletype_t)
-corenet_udp_bind_generic_port(consoletype_t)
-corenet_tcp_bind_reserved_port(consoletype_t)
-corenet_udp_bind_reserved_port(consoletype_t)
-corenet_dontaudit_tcp_bind_all_reserved_ports(consoletype_t)
-corenet_dontaudit_udp_bind_all_reserved_ports(consoletype_t)
-dontaudit consoletype_t self:capability net_bind_service;
-} else {
-dontaudit consoletype_t var_yp_t:dir search;
-}
-') dnl end ypbind optional_policy
+can_ypbind(consoletype_t)
optional_policy(`automount.te', `
allow consoletype_t autofs_t:dir { search getattr };
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 6f9995bd..ce6656f9 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -24,11 +24,6 @@ type traceroute_exec_t;
init_system_domain(traceroute_t,traceroute_exec_t)
role system_r types traceroute_t;
-#
-# Control users use of ping and traceroute
-#
-bool user_ping false;
-
########################################
#
# Netutils local policy
@@ -129,10 +124,10 @@ sysnet_read_config(ping_t)
logging_send_syslog_msg(ping_t)
-if (user_ping) {
+tunable_policy(`user_ping',`
term_use_all_user_ttys(ping_t)
term_use_all_user_ptys(ping_t)
-}
+')
ifdef(`TODO',`
can_ypbind(ping_t)
@@ -143,10 +138,11 @@ allow ping_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
in_user_role(ping_t)
-if (user_ping) {
+tunable_policy(`user_ping',`
domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
-}
+')
+
') dnl end TODO
########################################
@@ -192,10 +188,10 @@ dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
files_read_usr_files(traceroute_t)
-if (user_ping) {
+tunable_policy(`user_ping',`
term_use_all_user_ttys(traceroute_t)
term_use_all_user_ptys(traceroute_t)
-}
+')
ifdef(`TODO',`
role sysadm_r types traceroute_t;
@@ -210,9 +206,9 @@ allow traceroute_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
in_user_role(traceroute_t)
-if (user_ping) {
+tunable_policy(`user_ping',`
domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
-}
+')
#rules needed for nmap
dontaudit traceroute_t userdomain:dir search;
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 0af217d7..4e3a53a3 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -94,14 +94,14 @@ define(`gpg_per_userdomain_template',`
sysnet_read_config($1_gpg_t)
# Legacy
- if (allow_gpg_execstack) {
+ tunable_policy(`allow_gpg_execstack',`
allow $1_gpg_t self:process execmem;
libs_legacy_use_shared_libs($1_gpg_t)
libs_legacy_use_ld_so($1_gpg_t)
miscfiles_legacy_read_localization($1_gpg_t)
# Not quite sure why this is needed...
allow $1_gpg_t gpg_exec_t:file execmod;
- }
+ ')
ifdef(`TODO',`
@@ -134,12 +134,12 @@ define(`gpg_per_userdomain_template',`
# allow the usual access to /tmp
file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
- if (use_nfs_home_dirs) {
+ tunable_policy(`use_nfs_home_dirs',`
create_dir_file($1_gpg_t, nfs_t)
- }
- if (use_samba_home_dirs) {
+ ')
+ tunable_policy(`use_samba_home_dirs',`
create_dir_file($1_gpg_t, cifs_t)
- }
+ ')
rw_dir_create_file($1_gpg_t, $1_file_type)
@@ -199,12 +199,12 @@ define(`gpg_per_userdomain_template',`
ifdef(`TODO',`
- if (use_nfs_home_dirs) {
+ tunable_policy(`use_nfs_home_dirs',`
dontaudit $1_gpg_helper_t nfs_t:file { read write };
- }
- if (use_samba_home_dirs) {
+ ')
+ tunable_policy(`use_samba_home_dirs',`
dontaudit $1_gpg_helper_t cifs_t:file { read write };
- }
+ ')
# communicate with the user
allow $1_gpg_helper_t $1_t:fd use;
@@ -261,12 +261,12 @@ define(`gpg_per_userdomain_template',`
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
- if (use_nfs_home_dirs) {
+ tunable_policy(`use_nfs_home_dirs',`
create_dir_file($1_gpg_agent_t, nfs_t)
- }
- if (use_samba_home_dirs) {
+ ')
+ tunable_policy(`use_samba_home_dirs',`
create_dir_file($1_gpg_agent_t, cifs_t)
- }
+ ')
# gpg connect
allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
@@ -327,19 +327,19 @@ define(`gpg_per_userdomain_template',`
dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
dontaudit $1_gpg_pinentry_t $1_home_t:file write;
- if (use_nfs_home_dirs) {
+ tunable_policy(`use_nfs_home_dirs',`
allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
allow $1_gpg_pinentry_t nfs_t:file r_file_perms;
dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
dontaudit $1_gpg_pinentry_t nfs_t:file write;
- }
+ ')
- if (use_samba_home_dirs) {
+ tunable_policy(`use_samba_home_dirs',`
allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
allow $1_gpg_pinentry_t cifs_t:file r_file_perms;
dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
dontaudit $1_gpg_pinentry_t cifs_t:file write;
- }
+ ')
dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
') dnl end TODO
diff --git a/refpolicy/policy/modules/apps/gpg.te b/refpolicy/policy/modules/apps/gpg.te
index 0bc46d20..15154b9c 100644
--- a/refpolicy/policy/modules/apps/gpg.te
+++ b/refpolicy/policy/modules/apps/gpg.te
@@ -6,9 +6,6 @@ policy_module(gpg, 1.0)
# Declarations
#
-# Allow gpg exec stack
-bool allow_gpg_execstack false;
-
# Type for gpg or pgp executables.
type gpg_exec_t;
type gpg_helper_exec_t;
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 2b89a8d1..6aaf2400 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -116,9 +116,9 @@ define(`mta_per_userdomain_template',`
# Create dead.letter in user home directories.
file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
- if (use_samba_home_dirs) {
+ tunable_policy(`use_samba_home_dirs',`
rw_dir_create_file($1_mail_t, cifs_t)
- }
+ ')
# if you do not want to allow dead.letter then use the following instead
#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index bde3757b..3d002993 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -92,10 +92,10 @@ allow remote_login_t bin_t:dir r_dir_perms;
allow remote_login_t bin_t:notdevfile_class_set r_file_perms;
allow remote_login_t sbin_t:dir r_dir_perms;
allow remote_login_t sbin_t:notdevfile_class_set r_file_perms;
-if (read_default_t) {
+tunable_policy(`read_default_t',`
allow remote_login_t default_t:dir r_dir_perms;
allow remote_login_t default_t:notdevfile_class_set r_file_perms;
-}
+')
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
@@ -116,13 +116,13 @@ dontaudit remote_login_t sysfs_t:dir search;
allow remote_login_t autofs_t:dir r_dir_perms;
allow remote_login_t mnt_t:dir r_dir_perms;
-if (use_nfs_home_dirs) {
-r_dir_file(remote_login_t, nfs_t)
-}
+tunable_policy(`use_nfs_home_dirs',`
+ r_dir_file(remote_login_t, nfs_t)
+')
-if (use_samba_home_dirs) {
-r_dir_file(remote_login_t, cifs_t)
-}
+tunable_policy(`use_samba_home_dirs',`
+ r_dir_file(remote_login_t, cifs_t)
+')
# FIXME: what is this for?
ifdef(`xdm.te', `
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 6745937f..e93ac690 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -124,10 +124,11 @@ allow local_login_t bin_t:dir r_dir_perms;
allow local_login_t bin_t:notdevfile_class_set r_file_perms;
allow local_login_t sbin_t:dir r_dir_perms;
allow local_login_t sbin_t:notdevfile_class_set r_file_perms;
-if (read_default_t) {
+
+tunable_policy(`read_default_t',`
allow local_login_t default_t:dir r_dir_perms;
allow local_login_t default_t:notdevfile_class_set r_file_perms;
-}
+')
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
@@ -182,13 +183,14 @@ allow local_login_t sound_device_t:chr_file { getattr setattr };
# Allow setting of attributes on power management devices.
allow local_login_t power_device_t:chr_file { getattr setattr };
-#if (use_nfs_home_dirs) {
-#r_dir_file(local_login_t, nfs_t)
-#}
+tunable_policy(`use_nfs_home_dirs',`
+ r_dir_file(local_login_t, nfs_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ r_dir_file(local_login_t, cifs_t)
+')
-#if (use_samba_home_dirs) {
-#r_dir_file(local_login_t, cifs_t)
-#}
') dnl endif TODO
#################################
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 2b3d1c50..d1118e75 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -238,10 +238,10 @@ define(`base_user_domain',`
# /initrd is left mounted, various programs try to look at it
dontaudit $1_t ramfs_t:dir getattr;
- if (read_default_t) {
+ tunable_policy(`read_default_t',`
allow $1_t default_t:dir r_dir_perms;
allow $1_t default_t:notdevfile_class_set r_file_perms;
- }
+ ')
#
# Running ifconfig as a user generates the following
@@ -254,10 +254,10 @@ define(`base_user_domain',`
can_ypbind($1_t)
- if (allow_execmod) {
+ tunable_policy(`allow_execmod',`
# Allow text relocations on system shared libraries, e.g. libGL.
allow $1_t texrel_shlib_t:file execmod;
- }
+ ')
allow $1_t fs_type:dir getattr;
@@ -275,17 +275,19 @@ define(`base_user_domain',`
allow $1_t autofs_t:dir { getattr search };
can_exec($1_t, { removable_t noexattrfile } )
- if (user_rw_noexattrfile) {
+
+ tunable_policy(`user_rw_noexattrfile',`
create_dir_file($1_t, noexattrfile)
create_dir_file($1_t, removable_t)
# Write floppies
allow $1_t removable_device_t:blk_file rw_file_perms;
allow $1_t usbtty_device_t:chr_file write;
- } else {
+ ',`
r_dir_file($1_t, noexattrfile)
r_dir_file($1_t, removable_t)
allow $1_t removable_device_t:blk_file r_file_perms;
- }
+ ')
+
allow $1_t usbtty_device_t:chr_file read;
can_exec($1_t, noexattrfile)
@@ -526,15 +528,15 @@ define(`user_domain_template', `
')
ifdef(`ftpd.te', `
- if (ftp_home_dir) {
+ tunable_policy(`ftp_home_dir',`
file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
- }
+ ')
')
- if (read_default_t) {
+ tunable_policy(`read_default_t',`
allow $1 default_t:dir r_dir_perms;
allow $1 default_t:notdevfile_class_set r_file_perms;
- }
+ ')
can_exec($1_t, usr_t)
@@ -557,11 +559,11 @@ define(`user_domain_template', `
allow $1_t var_lib_t:file { getattr read };
# Allow users to rw usb devices
- if (user_rw_usb) {
+ tunable_policy(`user_rw_usb',`
rw_dir_create_file($1_t,usbdevfs_t)
- } else {
+ ',`
r_dir_file($1_t,usbdevfs_t)
- }
+ ')
# Do not audit write denials to /etc/ld.so.cache.
dontaudit $1_t ld_so_cache_t:file write;
@@ -765,10 +767,10 @@ define(`admin_domain_template',`
ifdef(`xdm.te', `
ifdef(`xauth.te', `
- if (xdm_sysadm_login) {
+ tunable_policy(`xdm_sysadm_login',`
allow xdm_t $1_home_t:lnk_file read;
allow xdm_t $1_home_t:dir search;
- }
+ ')
allow $1_t xdm_t:fifo_file rw_file_perms;
')
')