patch from dan Sun, 19 Feb 2006 08:16:18 -0500

refpolicy/policy/global_tunables

@@ -469,3 +469,17 @@ gen_tunable(write_untrusted_content,false)
 ## </desc>
 gen_tunable(xdm_sysadm_login,false)
 ')
+
+########################################
+#
+# Targeted policy specific
+#
+
+ifdef(`targeted_policy',`
+## <desc>
+## <p>
+## Allow spammd to read/write user home directories.
+## </p>
+## </desc>
+gen_tunable(spamd_enable_home_dirs,true)
+')

refpolicy/policy/modules/admin/amanda.if

@@ -90,3 +90,40 @@ interface(`amanda_dontaudit_read_dumpdates',`
 
 	dontaudit $1 amanda_dumpdates_t:file { getattr read };
 ')
+
+########################################
+## <summary>
+##	Allow read/writing /etc/dumpdates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow
+##	</summary>
+## </param>
+#
+interface(`amanda_rw_dumpdates_files',`
+	gen_require(`
+		type amanda_dumpdates_t;
+	')
+
+	allow $1 amanda_dumpdates_t:file rw_file_perms;
+')
+########################################
+## <summary>
+##	Allow read/writing amanda logs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow
+##	</summary>
+## </param>
+#
+interface(`amanda_append_log_files',`
+	gen_require(`
+		type amanda_log_t;
+	')
+
+	allow $1 amanda_log_t:file ra_file_perms;
+')
+
+

refpolicy/policy/modules/admin/amanda.te

@@ -1,5 +1,5 @@
 
-policy_module(amanda,1.2.0)
+policy_module(amanda,1.2.1)
 
 #######################################
 #
@@ -86,7 +86,7 @@ optional_policy(`prelink',`
 # Amanda local policy
 #
 
-allow amanda_t self:capability { chown dac_override setuid };
+allow amanda_t self:capability { chown dac_override setuid kill };
 allow amanda_t self:process { setpgid signal };
 allow amanda_t self:fifo_file { getattr read write ioctl lock };
 allow amanda_t self:unix_stream_socket create_stream_socket_perms;

refpolicy/policy/modules/admin/vpn.te

@@ -1,5 +1,5 @@
 
-policy_module(vpnc,1.1.0)
+policy_module(vpnc,1.1.1)
 
 ########################################
 #
@@ -11,6 +11,7 @@ domain_type(vpnc_t)
 
 type vpnc_exec_t;
 domain_entry_file(vpnc_t,vpnc_exec_t)
+role system_r types vpnc_t;
 
 type vpnc_tmp_t;
 files_tmp_file(vpnc_tmp_t)
@@ -69,6 +70,7 @@ dev_read_urand(vpnc_t)
 dev_read_sysfs(vpnc_t)
 
 fs_getattr_xattr_fs(vpnc_t)
+fs_getattr_tmpfs(vpnc_t)
 
 term_use_all_user_ptys(vpnc_t)
 term_use_all_user_ttys(vpnc_t)

refpolicy/policy/modules/apps/java.fc

@@ -2,4 +2,5 @@
 # /usr
 #
 /usr(/.*)?/bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/gij		--	gen_context(system_u:object_r:java_exec_t,s0)

refpolicy/policy/modules/apps/java.if

@@ -178,3 +178,31 @@ template(`java_per_userdomain_template',`
 		xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
 	')
 ')
+
+########################################
+## <summary>
+##	Execute the java program in the java domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`java_domtrans',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type java_t, java_exec_t;
+		')
+
+		corecmd_search_bin($1)
+		domain_auto_trans($1, java_exec_t, java_t)
+
+		allow $1 java_t:fd use;
+		allow java_t $1:fd use;
+		allow java_t $1:fifo_file rw_file_perms;
+		allow java_t $1:process sigchld;
+	',`
+		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+	')
+')

refpolicy/policy/modules/apps/java.te

@@ -1,10 +1,24 @@
 
-policy_module(java,1.0.0)
+policy_module(java,1.0.1)
 
 ########################################
 #
 # Declarations
 #
 
+type java_t;
+domain_type(java_t)
+
 type java_exec_t;
 files_type(java_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+	allow java_t self:process { execstack execmem };
+	unconfined_domain_noaudit(java_t)
+	role system_r types java_t;
+')

refpolicy/policy/modules/kernel/corenetwork.te.in

@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.0.3)
+policy_module(corenetwork,1.0.4)
 
 ########################################
 #
@@ -106,6 +106,7 @@ network_port(radius, udp,1645,s0, udp,1812,s0)
 network_port(razor, tcp,2703,s0)
 network_port(rlogind, tcp,513,s0)
 network_port(rndc, tcp,953,s0)
+network_port(router, udp,520,s0)
 network_port(rsh, tcp,514,s0)
 network_port(rsync, tcp,873,s0, udp,873,s0)
 network_port(smbd, tcp,137-139,s0, tcp,445,s0)

refpolicy/policy/modules/kernel/devices.if

@@ -204,6 +204,25 @@ interface(`dev_delete_generic_files',`
 	allow $1 device_t:file unlink;
 ')
 
+########################################
+## <summary>
+##	Create a file in the device directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to create the files.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_generic_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 device_t:file manage_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Dontaudit getattr on generic pipes.

refpolicy/policy/modules/kernel/devices.te

@@ -1,5 +1,5 @@
 
-policy_module(devices,1.0.2)
+policy_module(devices,1.0.3)
 
 ########################################
 #

refpolicy/policy/modules/services/automount.te

@@ -1,5 +1,5 @@
 
-policy_module(automount,1.1.2)
+policy_module(automount,1.1.3)
 
 ########################################
 #
@@ -92,7 +92,7 @@ domain_use_wide_inherit_fd(automount_t)
 
 files_dontaudit_write_var_dirs(automount_t)
 files_search_var_lib(automount_t)
-files_search_mnt(automount_t)
+files_list_mnt(automount_t)
 files_getattr_home_dir(automount_t)
 files_read_etc_files(automount_t)
 files_read_etc_runtime_files(automount_t)

refpolicy/policy/modules/services/avahi.te

@@ -1,5 +1,5 @@
 
-policy_module(avahi,1.1.0)
+policy_module(avahi,1.1.1)
 
 ########################################
 #
@@ -63,6 +63,7 @@ term_dontaudit_use_console(avahi_t)
 domain_use_wide_inherit_fd(avahi_t)
 
 files_read_etc_files(avahi_t)
+files_read_etc_runtime_files(avahi_t)
 
 init_use_fd(avahi_t)
 init_use_script_ptys(avahi_t)

refpolicy/policy/modules/services/fetchmail.te

@@ -1,5 +1,5 @@
 
-policy_module(fetchmail,1.0.2)
+policy_module(fetchmail,1.0.3)
 
 ########################################
 #
@@ -67,6 +67,7 @@ dev_read_urand(fetchmail_t)
 
 files_read_etc_files(fetchmail_t)
 files_read_etc_runtime_files(fetchmail_t)
+files_dontaudit_search_home(fetchmail_t)
 
 fs_getattr_all_fs(fetchmail_t)
 fs_search_auto_mountpoints(fetchmail_t)

refpolicy/policy/modules/services/hal.te

@@ -1,5 +1,5 @@
 
-policy_module(hal,1.2.5)
+policy_module(hal,1.2.6)
 
 ########################################
 #
@@ -22,7 +22,7 @@ files_pid_file(hald_var_run_t)
 #
 
 # execute openvt which needs setuid
-allow hald_t self:capability { setuid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio };
+allow hald_t self:capability { setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio };
 dontaudit hald_t self:capability sys_tty_config;
 allow hald_t self:process signal_perms;
 allow hald_t self:fifo_file rw_file_perms;

refpolicy/policy/modules/services/ktalk.fc

@@ -1,2 +1,3 @@
 
+/usr/bin/in.talkd		--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
 /usr/bin/ktalkd		--	gen_context(system_u:object_r:ktalkd_exec_t,s0)

refpolicy/policy/modules/services/ktalk.te

@@ -1,5 +1,5 @@
 
-policy_module(ktalk,1.1.0)
+policy_module(ktalk,1.1.1)
 
 ########################################
 #

refpolicy/policy/modules/services/spamassassin.te

@@ -1,5 +1,5 @@
 
-policy_module(spamassassin,1.2.2)
+policy_module(spamassassin,1.2.3)
 
 ########################################
 #
@@ -77,6 +77,7 @@ corenet_tcp_bind_spamd_port(spamd_t)
 # DnsResolver.pm module which binds to
 # random ports >= 1024.
 corenet_udp_bind_generic_port(spamd_t)
+corenet_udp_bind_imaze_port(spamd_t)
 corenet_tcp_connect_razor_port(spamd_t)
 
 dev_read_sysfs(spamd_t)
@@ -122,8 +123,11 @@ ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_ttys(spamd_t)
 	term_dontaudit_use_generic_ptys(spamd_t)
 	files_dontaudit_read_root_files(spamd_t)
-	userdom_manage_generic_user_home_dirs(spamd_t)
-	userdom_manage_generic_user_home_files(spamd_t)
+	tunable_policy(`spamd_enable_home_dirs',`
+		userdom_manage_generic_user_home_dirs(spamd_t)
+		userdom_manage_generic_user_home_files(spamd_t)
+		userdom_manage_generic_user_home_symlinks(spamd_t)
+	')
 ')
 
 tunable_policy(`use_nfs_home_dirs',`

refpolicy/policy/modules/services/xserver.fc

@@ -52,6 +52,7 @@ ifdef(`strict_policy',`
 /usr/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth		--	gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/bin/xauth    	--      gen_context(system_u:object_r:xauth_exec_t,s0)
 /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 

refpolicy/policy/modules/services/xserver.if

@@ -39,11 +39,12 @@ template(`xserver_common_domain_template',`
 	# admin of APM bios?
 	# sys_nice is so that the X server can set a negative nice value
 	# execheap needed until the X module loader is fixed.
+	# NVIDIA Needs execstack
 
 	allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
 	dontaudit $1_xserver_t self:capability chown;
 	allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_xserver_t self:process { execmem execheap setsched };
+	allow $1_xserver_t self:process { execmem execheap execstack setsched };
 	allow $1_xserver_t self:fd use;
 	allow $1_xserver_t self:fifo_file rw_file_perms;
 	allow $1_xserver_t self:sock_file r_file_perms;
@@ -53,6 +54,7 @@ template(`xserver_common_domain_template',`
 	allow $1_xserver_t self:msg { send receive };
 	allow $1_xserver_t self:unix_dgram_socket { create_socket_perms sendto };
 	allow $1_xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
+	allow $1_xserver_t self:netlink_route_socket r_netlink_socket_perms;
 	allow $1_xserver_t self:tcp_socket create_stream_socket_perms;
 	allow $1_xserver_t self:udp_socket create_socket_perms;
 
@@ -86,6 +88,7 @@ template(`xserver_common_domain_template',`
 	kernel_read_modprobe_sysctls($1_xserver_t)
 	# Xorg wants to check if kernel is tainted
 	kernel_read_kernel_sysctls($1_xserver_t)
+	kernel_write_proc_files($1_xserver_t)
 
 	# Run helper programs in $1_xserver_t.
 	corecmd_search_sbin($1_xserver_t)
@@ -122,9 +125,12 @@ template(`xserver_common_domain_template',`
 	dev_rw_xserver_misc($1_xserver_t)
 	# read events - the synaptics touchpad driver reads raw events
 	dev_rw_input_dev($1_xserver_t)
+	dev_rwx_zero($1_xserver_t)
 
 	files_read_etc_files($1_xserver_t)
 	files_read_etc_runtime_files($1_xserver_t)
+	files_read_usr_files($1_xserver_t)
+
 	# brought on by rhgb
 	files_search_mnt($1_xserver_t)
 	# for nscd
@@ -134,6 +140,8 @@ template(`xserver_common_domain_template',`
 	fs_search_nfs($1_xserver_t)
 	fs_search_auto_mountpoints($1_xserver_t)
 
+	init_getpgid($1_xserver_t)
+
 	term_setattr_unallocated_ttys($1_xserver_t)
 	term_use_unallocated_ttys($1_xserver_t)
 

refpolicy/policy/modules/services/xserver.te

@@ -1,5 +1,5 @@
 
-policy_module(xserver,1.0.2)
+policy_module(xserver,1.0.3)
 
 ########################################
 #

refpolicy/policy/modules/services/zebra.te

@@ -1,5 +1,5 @@
 
-policy_module(zebra,1.1.1)
+policy_module(zebra,1.1.2)
 
 ########################################
 #
@@ -73,6 +73,7 @@ corenet_non_ipsec_sendrecv(zebra_t)
 corenet_tcp_bind_all_nodes(zebra_t)
 corenet_udp_bind_all_nodes(zebra_t)
 corenet_tcp_bind_zebra_port(zebra_t)
+corenet_udp_bind_router_port(zebra_t)
 
 dev_associate_usbfs(zebra_var_run_t)
 dev_list_all_dev_nodes(zebra_t)

refpolicy/policy/modules/system/fstools.te

@@ -1,5 +1,5 @@
 
-policy_module(fstools,1.2.1)
+policy_module(fstools,1.2.2)
 
 ########################################
 #
@@ -15,7 +15,7 @@ role system_r types fsadm_t;
 type fsadm_tmp_t;
 files_tmp_file(fsadm_tmp_t)
 
-type swapfile_t;
+type swapfile_t; # customizable
 files_type(swapfile_t)
 
 ########################################
@@ -154,6 +154,11 @@ tunable_policy(`read_default_t',`
 	files_read_default_pipes(fsadm_t)
 ')
 
+optional_policy(`amanda',`
+	amanda_rw_dumpdates_files(fsadm_t)
+	amanda_append_log_files(fsadm_t)
+')
+
 optional_policy(`cron',`
 	# for smartctl cron jobs
 	cron_system_entry(fsadm_t,fsadm_exec_t)

refpolicy/policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.2.4)
+policy_module(init,1.2.5)
 
 gen_require(`
 	class passwd rootok;
@@ -231,6 +231,8 @@ allow initrc_t initrc_tmp_t:file create_file_perms;
 allow initrc_t initrc_tmp_t:dir create_dir_perms;
 files_filetrans_tmp(initrc_t,initrc_tmp_t, { file dir })
 
+init_write_initctl(initrc_t)
+
 kernel_read_system_state(initrc_t)
 kernel_read_software_raid_state(initrc_t)
 kernel_read_network_state(initrc_t)
@@ -272,6 +274,7 @@ dev_setattr_all_chr_files(initrc_t)
 dev_read_lvm_control(initrc_t)
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
+dev_manage_generic_files(initrc_t)
 # Wants to remove udev.tbl:
 dev_delete_generic_symlinks(initrc_t)
 

refpolicy/policy/modules/system/libraries.fc

@@ -62,7 +62,7 @@ ifdef(`distro_redhat',`
 /usr/lib(64)?/im/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
 /usr/lib(64)?/iiim/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
 
-/usr/lib(64)?/libGL(core)?\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 

refpolicy/policy/modules/system/libraries.te

@@ -1,5 +1,5 @@
 
-policy_module(libraries,1.2.2)
+policy_module(libraries,1.2.3)
 
 ########################################
 #

refpolicy/policy/modules/system/lvm.te

@@ -1,5 +1,5 @@
 
-policy_module(lvm,1.2.1)
+policy_module(lvm,1.2.2)
 
 ########################################
 #
@@ -203,6 +203,7 @@ dev_dontaudit_getattr_generic_pipes(lvm_t)
 fs_getattr_xattr_fs(lvm_t)
 fs_search_auto_mountpoints(lvm_t)
 fs_read_tmpfs_symlinks(lvm_t)
+fs_donaudit_read_removable_files(lvm_t)
 
 storage_relabel_fixed_disk(lvm_t)
 # LVM creates block devices in /dev/mapper or /dev/<vg>

refpolicy/policy/modules/system/modutils.if

@@ -204,7 +204,7 @@ interface(`modutils_run_depmod',`
 	')
 
 	modutils_domtrans_depmod($1)
-	role $2 types insmod_t;
+	role $2 types depmod_t;
 	allow insmod_t $3:chr_file rw_term_perms;
 ')
 

refpolicy/policy/modules/system/modutils.te

@@ -1,5 +1,5 @@
 
-policy_module(modutils,1.0.1)
+policy_module(modutils,1.0.2)
 
 gen_require(`
 	bool secure_mode_insmod;

refpolicy/policy/modules/system/unconfined.te

@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.2.5)
+policy_module(unconfined,1.2.6)
 
 ########################################
 #
@@ -93,6 +93,10 @@ ifdef(`targeted_policy',`
 		fstools_domtrans(unconfined_t)
 	')
 
+	optional_policy(`java',`
+		java_domtrans(unconfined_t)
+	')
+
 	optional_policy(`lpd',`
 		lpd_domtrans_checkpc(unconfined_t)
 	')
@@ -149,6 +153,10 @@ ifdef(`targeted_policy',`
 		usermanage_domtrans_admin_passwd(unconfined_t)
 	')
 
+	optional_policy(`vpn',`
+		vpn_domtrans(unconfined_t)
+	')
+
 	optional_policy(`webalizer',`
 		webalizer_domtrans(unconfined_t)
 	')