diff --git a/Changelog b/Changelog
index 67a18ef3..dc1eebf4 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,6 @@
+- Move booleans and tunables to modules when it is only used in a single
+ module.
+- Add support for tunables and booleans local to a module.
- Merge sbin_t and ls_exec_t into bin_t.
- Remove disable_trans booleans.
- Output different header sets for kernel and userland from flask headers.
diff --git a/Makefile b/Makefile
index 640b7c4f..fa67f45e 100644
--- a/Makefile
+++ b/Makefile
@@ -108,7 +108,7 @@ genhomedircon := $(PYTHON) -E $(support)/genhomedircon
# documentation paths
docs := doc
xmldtd = $(docs)/policy.dtd
-layerxml = metadata.xml
+metaxml = metadata.xml
doctemplate = $(docs)/templates
docfiles = $(docs)/Makefile.example $(addprefix $(docs)/,example.te example.if example.fc)
@@ -254,6 +254,10 @@ generated_fc := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.fc.in
# when a generated file is already generated
detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te))
+modxml := $(detected_mods:.te=.xml)
+layerxml := $(addprefix $(tmpdir)/, $(notdir $(addsuffix .xml,$(all_layers))))
+all_metaxml := $(addsuffix /$(metaxml), $(all_layers))
+
# modules.conf setting for base module
configbase := base
@@ -408,23 +412,36 @@ $(fcsort) : $(support)/fc_sort.c
# Documentation generation
#
-# minimal dependencies here, because we don't want to rebuild
-# this and its dependents every time the dependencies
-# change. Also use all .if files here, rather then just the
-# enabled modules.
-xml: $(polxml)
-$(polxml): $(detected_mods:.te=.if) $(foreach dir,$(all_layers),$(dir)/$(layerxml))
+$(modxml): %.xml: %.if %.te
+ $(verbose) $(genxml) -w -m $* > $@
+
+$(layerxml): %.xml: $(modxml) $(all_metaxml)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) echo '' > $@
+ $(verbose) cat $(addprefix $(moddir)/, $(notdir $*))/$(metaxml) >> $@
+ $(verbose) cat $(filter-out $(addprefix $(moddir)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(moddir)/, $(notdir $*))/%, $(modxml))) >> $@
+ $(verbose) echo '' >> $@
+
+$(tunxml): $(globaltun)
+ $(verbose) $(genxml) -w -t $< > $@
+
+$(boolxml): $(globalbool)
+ $(verbose) $(genxml) -w -b $< > $@
+
+$(polxml): $(layerxml) $(tunxml) $(boolxml)
@echo "Creating $(@F)"
@test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) echo '' > $@
$(verbose) echo '' >> $@
- $(verbose) $(genxml) -w -m $(layerxml) -t $(globaltun) -b $(globalbool) -o $(docs) $(all_layers) >> $@
+ $(verbose) echo '' >> $@
+ $(verbose) cat $(layerxml) $(tunxml) $(boolxml) >> $@
+ $(verbose) echo '' >> $@
$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
$(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
fi
-$(tunxml) $(boolxml): $(polxml)
+xml: $(polxml)
html $(tmpdir)/html: $(polxml)
@echo "Building html interface reference documentation in $(htmldir)"
@@ -517,7 +534,7 @@ $(contextpath)/users/%: $(appconf)/%_default_contexts
#
# Install policy headers
#
-install-headers: $(tunxml) $(boolxml)
+install-headers: $(layerxml) $(tunxml) $(boolxml)
@mkdir -p $(headerdir)
@echo "Installing $(TYPE) policy headers."
$(verbose) $(INSTALL) -m 644 $(tunxml) $(boolxml) $(headerdir)
@@ -528,7 +545,7 @@ install-headers: $(tunxml) $(boolxml)
$(verbose) for i in $(notdir $(all_layers)); do \
mkdir -p $(headerdir)/$$i ;\
$(INSTALL) -m 644 $(moddir)/$$i/*.if \
- $(moddir)/$$i/metadata.xml \
+ $(moddir)/$$i/*.xml \
$(headerdir)/$$i ;\
done
$(verbose) echo "TYPE ?= $(TYPE)" > $(headerdir)/build.conf
@@ -620,6 +637,8 @@ resetlabels:
#
bare: clean
rm -f $(polxml)
+ rm -f $(layerxml)
+ rm -f $(modxml)
rm -f $(tunxml)
rm -f $(boolxml)
rm -f $(mod_conf)
diff --git a/doc/policy.dtd b/doc/policy.dtd
index dddae6ad..e6a41820 100644
--- a/doc/policy.dtd
+++ b/doc/policy.dtd
@@ -4,7 +4,7 @@
-
+
diff --git a/doc/templates/bool_list.html b/doc/templates/bool_list.html
new file mode 100644
index 00000000..2d852da4
--- /dev/null
+++ b/doc/templates/bool_list.html
@@ -0,0 +1,23 @@
+
Master boolean index:
+
+[[for bool in booleans]]
+
+[[if bool.has_key('mod_layer')]]
+Module:
+[[bool['mod_name']]]
+Layer:
+[[bool['mod_layer']]]
+[[else]]
+Global
+[[end]]
+
+[[bool['bool_name']]]
+(Default: [[bool['def_val']]])
+
+[[if bool['desc']]]
+
+[[bool['desc']]]
+
+[[end]]
+
+[[end]]
diff --git a/doc/templates/boolean.html b/doc/templates/boolean.html
new file mode 100644
index 00000000..ea5a2604
--- /dev/null
+++ b/doc/templates/boolean.html
@@ -0,0 +1,13 @@
+[[for bool in booleans]]
+
+
+
[[bool['bool_name']]]
+
+
Default value
+
[[bool['def_val']]]
+[[if bool['desc']]]
+
Description
+[[bool['desc']]]
+[[end]]
+
+[[end]]
diff --git a/doc/templates/menu.html b/doc/templates/menu.html
index 6d2cce35..9472b2c3 100644
--- a/doc/templates/menu.html
+++ b/doc/templates/menu.html
@@ -16,6 +16,10 @@
* Layer Index
+ * Boolean Index
+
+ * Tunable Index
+
* Interface Index
* Template Index
diff --git a/doc/templates/module.html b/doc/templates/module.html
index 71341feb..a8d008a8 100644
--- a/doc/templates/module.html
+++ b/doc/templates/module.html
@@ -1,8 +1,16 @@
Layer: [[mod_layer]]
Module: [[mod_name]]
-[[if interfaces and templates]]
+[[if booleans]]
+Booleans
+[[end]]
+[[if tunables]]
+Tunables
+[[end]]
+[[if interfaces]]
Interfaces
+[[end]]
+[[if templates]]
Templates
[[end]]
Description:
@@ -14,6 +22,19 @@
[[if mod_req]]
This module is required to be included in all policies.
[[end]]
+
+[[if booleans]]
+
+Booleans:
+[[booleans]]
+Return
+[[end]]
+[[if tunables]]
+
+Tunables:
+[[tunables]]
+Return
+[[end]]
[[if interfaces]]
Interfaces:
@@ -26,6 +47,6 @@
[[templates]]
Return
[[end]]
-[[if not templates and not interfaces]]
-No interfaces or templates.
+[[if not templates and not interfaces and not tunables]]
+No booleans, tunables, interfaces, or templates.
[[end]]
diff --git a/doc/templates/tun_list.html b/doc/templates/tun_list.html
new file mode 100644
index 00000000..278f284c
--- /dev/null
+++ b/doc/templates/tun_list.html
@@ -0,0 +1,23 @@
+Master tunable index:
+
+[[for tun in tunables]]
+
+[[if tun.has_key('mod_layer')]]
+Module:
+[[tun['mod_name']]]
+Layer:
+[[tun['mod_layer']]]
+[[else]]
+Global
+[[end]]
+
+[[tun['tun_name']]]
+(Default: [[tun['def_val']]])
+
+[[if tun['desc']]]
+
+[[tun['desc']]]
+
+[[end]]
+
+[[end]]
diff --git a/doc/templates/tunable.html b/doc/templates/tunable.html
new file mode 100644
index 00000000..9316779e
--- /dev/null
+++ b/doc/templates/tunable.html
@@ -0,0 +1,13 @@
+[[for tun in tunables]]
+
+
+
[[tun['tun_name']]]
+
+
Default value
+
[[tun['def_val']]]
+[[if tun['desc']]]
+
Description
+[[tun['desc']]]
+[[end]]
+
+[[end]]
diff --git a/policy/global_tunables b/policy/global_tunables
index 05b19ffd..9a443147 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -9,22 +9,6 @@
# Common tunables
#
-##
-##
-## Allow cvs daemon to read shadow
-##
-##
-#
-gen_tunable(allow_cvs_read_shadow,false)
-
-##
-##
-## Allow zebra daemon to write it configuration files
-##
-##
-#
-gen_tunable(allow_zebra_write_config,false)
-
##
##
## Allow making the heap executable.
@@ -56,82 +40,6 @@ gen_tunable(allow_execmod,false)
##
gen_tunable(allow_execstack,false)
-##
-##
-## Allow ftp servers to modify public files
-## used for public file transfer services.
-##
-##
-gen_tunable(allow_ftpd_anon_write,false)
-
-##
-##
-## Allow ftp servers to login to local users and
-## read/write all files on the system, governed by DAC.
-##
-##
-gen_tunable(allow_ftpd_full_access,false)
-
-##
-##
-## Allow ftp servers to use cifs
-## used for public file transfer services.
-##
-##
-gen_tunable(allow_ftpd_use_cifs,false)
-
-##
-##
-## Allow ftp servers to use nfs
-## used for public file transfer services.
-##
-##
-gen_tunable(allow_ftpd_use_nfs,false)
-
-##
-##
-## Allow gssd to read temp directory.
-##
-##
-gen_tunable(allow_gssd_read_tmp,true)
-
-##
-##
-## Allow Apache to modify public files
-## used for public file transfer services.
-##
-##
-gen_tunable(allow_httpd_anon_write,false)
-
-##
-##
-## Allow Apache to use mod_auth_pam
-##
-##
-gen_tunable(allow_httpd_mod_auth_pam,false)
-
-##
-##
-## Allow java executable stack
-##
-##
-gen_tunable(allow_java_execstack,false)
-
-##
-##
-## Allow system to run with kerberos
-##
-##
-gen_tunable(allow_kerberos,false)
-
-##
-##
-## Allow nfs servers to modify public files
-## used for public file transfer services.
-##
-##
-gen_tunable(allow_nfsd_anon_write,false)
-
##
##
## Enable polyinstantiated directory support.
@@ -139,30 +47,6 @@ gen_tunable(allow_nfsd_anon_write,false)
##
gen_tunable(allow_polyinstantiation,false)
-##
-##
-## Allow rsync to modify public files
-## used for public file transfer services.
-##
-##
-gen_tunable(allow_rsync_anon_write,false)
-
-##
-##
-## Allow sasl to read shadow
-##
-##
-gen_tunable(allow_saslauthd_read_shadow,false)
-
-##
-##
-## Allow samba to modify public files
-## used for public file transfer services.
-##
-##
-gen_tunable(allow_smbd_anon_write,false)
-
-
##
##
## Allow system to run with NIS
@@ -170,28 +54,6 @@ gen_tunable(allow_smbd_anon_write,false)
##
gen_tunable(allow_ypbind,false)
-##
-##
-## Enable extra rules in the cron domain
-## to support fcron.
-##
-##
-gen_tunable(fcron_crond,false)
-
-##
-##
-## Allow ftp to read and write files in the user home directories
-##
-##
-gen_tunable(ftp_home_dir,false)
-
-##
-##
-## Allow ftpd to run directly without inetd
-##
-##
-gen_tunable(ftpd_is_daemon,false)
-
##
##
## Enable reading of urandom for all domains.
@@ -205,85 +67,6 @@ gen_tunable(ftpd_is_daemon,false)
##
gen_tunable(global_ssp,false)
-##
-##
-## Allow httpd to use built in scripting (usually php)
-##
-##
-gen_tunable(httpd_builtin_scripting,false)
-
-##
-##
-## Allow http daemon to tcp connect
-##
-##
-gen_tunable(httpd_can_network_connect,false)
-
-##
-##
-## Allow httpd to connect to mysql/posgresql
-##
-##
-gen_tunable(httpd_can_network_connect_db, false)
-
-##
-##
-## Allow httpd to act as a relay
-##
-##
-gen_tunable(httpd_can_network_relay, false)
-
-##
-##
-## Allow httpd cgi support
-##
-##
-gen_tunable(httpd_enable_cgi,false)
-
-##
-##
-## Allow httpd to act as a FTP server by
-## listening on the ftp port.
-##
-##
-gen_tunable(httpd_enable_ftp_server,false)
-
-##
-##
-## Allow httpd to read home directories
-##
-##
-gen_tunable(httpd_enable_homedirs,false)
-
-##
-##
-## Run SSI execs in system CGI script domain.
-##
-##
-gen_tunable(httpd_ssi_exec,false)
-
-##
-##
-## Allow http daemon to communicate with the TTY
-##
-##
-gen_tunable(httpd_tty_comm,false)
-
-##
-##
-## Run CGI in the main httpd domain
-##
-##
-gen_tunable(httpd_unified,false)
-
-##
-##
-## Allow BIND to write the master zone files.
-## Generally this is used for dynamic DNS.
-##
-##
-gen_tunable(named_write_master_zones,false)
-
##
##
## Allow nfs to be exported read/write.
@@ -298,13 +81,6 @@ gen_tunable(nfs_export_all_rw,false)
##
gen_tunable(nfs_export_all_ro,false)
-##
-##
-## Allow pppd to load kernel modules for certain modems
-##
-##
-gen_tunable(pppd_can_insmod,false)
-
##
##
## Allow reading of default_t files.
@@ -312,43 +88,6 @@ gen_tunable(pppd_can_insmod,false)
##
gen_tunable(read_default_t,false)
-##
-##
-## Allow samba to export user home directories.
-##
-##
-gen_tunable(samba_enable_home_dirs,false)
-
-##
-##
-## Allow samba to export NFS volumes.
-##
-##
-gen_tunable(samba_share_nfs,false)
-
-##
-##
-## Allow squid to connect to all ports, not just
-## HTTP, FTP, and Gopher ports.
-##
-##
-gen_tunable(squid_connect_any,false)
-
-##
-##
-## Allow ssh logins as sysadm_r:sysadm_t
-##
-##
-gen_tunable(ssh_sysadm_login,false)
-
-##
-##
-## Configure stunnel to be a standalone daemon or
-## inetd service.
-##
-##
-gen_tunable(stunnel_is_daemon,false)
-
##
##
## Support NFS home directories
@@ -363,115 +102,12 @@ gen_tunable(use_nfs_home_dirs,false)
##
gen_tunable(use_samba_home_dirs,false)
-##
-##
-## Allow xdm logins as sysadm
-##
-##
-gen_tunable(xdm_sysadm_login,false)
-
########################################
#
# Strict policy specific
#
ifdef(`strict_policy',`
-##
-##
-## Control users use of ping and traceroute
-##
-##
-gen_tunable(user_ping,false)
-
-##
-##
-## Allow gpg executable stack
-##
-##
-gen_tunable(allow_gpg_execstack,false)
-
-##
-##
-## Allow mplayer executable stack
-##
-##
-gen_tunable(allow_mplayer_execstack,false)
-
-##
-##
-## Allow sysadm to ptrace all processes
-##
-##
-gen_tunable(allow_ptrace,false)
-
-##
-##
-## allow host key based authentication
-##
-##
-gen_tunable(allow_ssh_keysign,false)
-
-##
-##
-## Allow users to connect to mysql
-##
-##
-gen_tunable(allow_user_mysql_connect,false)
-
-##
-##
-## Allows clients to write to the X server shared
-## memory segments.
-##
-##
-gen_tunable(allow_write_xshm,false)
-
-##
-##
-## Allow cdrecord to read various content.
-## nfs, samba, removable devices, user temp
-## and untrusted content files
-##
-##
-gen_tunable(cdrecord_read_content,false)
-
-##
-##
-## Allow system cron jobs to relabel filesystem
-## for restoring file contexts.
-##
-##
-gen_tunable(cron_can_relabel,false)
-
-##
-##
-## force to games to run in user_t
-## mapping executable (text relocation).
-##
-##
-gen_tunable(disable_games_trans,false)
-
-##
-##
-## Disable transitions to evolution domains.
-##
-##
-gen_tunable(disable_evolution_trans,false)
-
-##
-##
-## Disable transitions to user mozilla domains
-##
-##
-gen_tunable(disable_mozilla_trans,false)
-
-##
-##
-## Disable transitions to user thunderbird domains
-##
-##
-gen_tunable(disable_thunderbird_trans,false)
-
##
##
## Allow email client to various content.
@@ -481,20 +117,6 @@ gen_tunable(disable_thunderbird_trans,false)
##
gen_tunable(mail_read_content,false)
-##
-##
-## Control mozilla content access
-##
-##
-gen_tunable(mozilla_read_content,false)
-
-##
-##
-## Allow pppd to be run for a regular user
-##
-##
-gen_tunable(pppd_for_user,false)
-
##
##
## Allow applications to read untrusted content
@@ -504,65 +126,6 @@ gen_tunable(pppd_for_user,false)
##
gen_tunable(read_untrusted_content,false)
-##
-##
-## Allow ssh to run from inetd instead of as a daemon.
-##
-##
-gen_tunable(run_ssh_inetd,false)
-
-##
-##
-## Allow user spamassassin clients to use the network.
-##
-##
-gen_tunable(spamassassin_can_network,false)
-
-##
-##
-## Allow staff_r users to search the sysadm home
-## dir and read files (such as ~/.bashrc)
-##
-##
-gen_tunable(staff_read_sysadm_file,false)
-
-##
-##
-## Use lpd server instead of cups
-##
-##
-gen_tunable(use_lpd_server,false)
-
-##
-##
-## Allow regular users direct mouse access
-##
-##
-gen_tunable(user_direct_mouse,false)
-
-##
-##
-## Allow users to read system messages.
-##
-##
-gen_tunable(user_dmesg,false)
-
-##
-##
-## Allow users to control network interfaces
-## (also needs USERCTL=true)
-##
-##
-gen_tunable(user_net_control,false)
-
-##
-##
-## Allow user to r/w files on filesystems
-## that do not have extended attributes (FAT, CDROM, FLOPPY)
-##
-##
-gen_tunable(user_rw_noexattrfile,false)
-
##
##
## Allow users to run TCP servers (bind to ports and accept connection from
@@ -572,13 +135,6 @@ gen_tunable(user_rw_noexattrfile,false)
##
gen_tunable(user_tcp_server,false)
-##
-##
-## Allow w to display everyone
-##
-##
-gen_tunable(user_ttyfile_stat,false)
-
##
##
## Allow applications to write untrusted content
@@ -588,31 +144,3 @@ gen_tunable(user_ttyfile_stat,false)
##
gen_tunable(write_untrusted_content,false)
')
-
-########################################
-#
-# Targeted policy specific
-#
-
-ifdef(`targeted_policy',`
-##
-##
-## Allow all daemons the ability to use unallocated ttys
-##
-##
-gen_tunable(allow_daemons_use_tty,false)
-
-##
-##
-## Allow mount to mount any file
-##
-##
-gen_tunable(allow_mount_anyfile,false)
-
-##
-##
-## Allow spamd to read/write user home directories.
-##
-##
-gen_tunable(spamd_enable_home_dirs,true)
-')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index d27eaf60..b34146e8 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,11 +1,20 @@
-policy_module(netutils,1.3.0)
+policy_module(netutils,1.3.1)
########################################
#
# Declarations
#
+ifdef(`strict_policy',`
+##
+##
+## Control users use of ping and traceroute
+##
+##
+gen_tunable(user_ping,false)
+')
+
type netutils_t;
type netutils_exec_t;
init_system_domain(netutils_t,netutils_exec_t)
diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
index abdf579a..760ce28e 100644
--- a/policy/modules/apps/cdrecord.te
+++ b/policy/modules/apps/cdrecord.te
@@ -1,10 +1,21 @@
-policy_module(cdrecord,1.1.0)
+policy_module(cdrecord,1.1.1)
########################################
#
# Declarations
#
+ifdef(`strict_policy',`
+##
+##
+## Allow cdrecord to read various content.
+## nfs, samba, removable devices, user temp
+## and untrusted content files
+##
+##
+gen_tunable(cdrecord_read_content,false)
+')
+
type cdrecord_exec_t;
corecmd_executable_file(cdrecord_exec_t)
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index dee79e05..b1678579 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -187,7 +187,6 @@ template(`evolution_per_role_template',`
corecmd_exec_shell($1_evolution_t)
# Run various programs
corecmd_exec_bin($1_evolution_t)
- corecmd_exec_bin($1_evolution_t)
corenet_non_ipsec_sendrecv($1_evolution_t)
corenet_tcp_sendrecv_generic_if($1_evolution_t)
@@ -674,7 +673,8 @@ template(`evolution_per_role_template',`
allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto;
allow $1_evolution_server_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
- allow $1_evolution_server_t $2:fd use;
+ # Transition from user type
+ domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t)
kernel_read_system_state($1_evolution_server_t)
@@ -718,11 +718,6 @@ template(`evolution_per_role_template',`
# until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_server_t)
- # Transition from user type
- tunable_policy(`!disable_evolution_trans',`
- domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t)
- ')
-
# Access evolution home
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_evolution_server_t)
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index e6d1b5c1..b3a08567 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -1,5 +1,5 @@
-policy_module(evolution,1.1.1)
+policy_module(evolution,1.1.2)
########################################
#
diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if
index dedbd6db..7aa39b34 100644
--- a/policy/modules/apps/games.if
+++ b/policy/modules/apps/games.if
@@ -84,6 +84,7 @@ template(`games_per_role_template',`
can_exec($1_games_t, games_exec_t)
+ domain_auto_trans($2, games_exec_t, $1_games_t)
allow $2 $1_games_t:unix_stream_socket connectto;
allow $1_games_t $2:unix_stream_socket connectto;
@@ -136,11 +137,6 @@ template(`games_per_role_template',`
# Suppress .icons denial until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_games_t)
- # Type transition
- tunable_policy(`!disable_games_trans',`
- domain_auto_trans($2, games_exec_t, $1_games_t)
- ')
-
tunable_policy(`allow_execmem',`
allow $1_games_t self:process execmem;
')
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index d3b63bc1..4c462b8c 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -1,5 +1,5 @@
-policy_module(games,1.1.2)
+policy_module(games,1.1.3)
########################################
#
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index bb18d375..7c061203 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -1,11 +1,18 @@
-policy_module(java,1.3.3)
+policy_module(java,1.3.4)
########################################
#
# Declarations
#
+##
+##
+## Allow java executable stack
+##
+##
+gen_tunable(allow_java_execstack,false)
+
type java_t;
type java_exec_t;
init_system_domain(java_t,java_exec_t)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index 42616176..5056fb1e 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -105,6 +105,10 @@ template(`mozilla_per_role_template',`
allow $1_mozilla_t $2:process signull;
+ domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
+ # Unrestricted inheritance from the caller.
+ allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
+
# Allow the user domain to signal/ps.
ps_process_pattern($2,$1_mozilla_t)
allow $2 $1_mozilla_t:process signal_perms;
@@ -207,13 +211,6 @@ template(`mozilla_per_role_template',`
fs_manage_cifs_symlinks($1_mozilla_t)
')
- # Type transition
- tunable_policy(`! disable_mozilla_trans',`
- domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
- # Unrestricted inheritance from the caller.
- allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
- ')
-
# Uploads, local html
tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
fs_list_auto_mountpoints($1_mozilla_t)
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 7752e69e..6832f0e3 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -1,11 +1,20 @@
-policy_module(mozilla,1.1.1)
+policy_module(mozilla,1.1.2)
########################################
#
# Declarations
#
+ifdef(`strict_policy',`
+##
+##
+## Control mozilla content access
+##
+##
+gen_tunable(mozilla_read_content,false)
+')
+
type mozilla_conf_t;
files_config_file(mozilla_conf_t)
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index dd9b1a46..1ee51bf4 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -1,11 +1,20 @@
-policy_module(mplayer,1.1.1)
+policy_module(mplayer,1.1.2)
########################################
#
# Declarations
#
+ifdef(`strict_policy',`
+##
+##
+## Allow mplayer executable stack
+##
+##
+gen_tunable(allow_mplayer_execstack,false)
+')
+
type mplayer_etc_t;
files_config_file(mplayer_etc_t)
diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if
index 7edcec68..fe9dcc5e 100644
--- a/policy/modules/apps/thunderbird.if
+++ b/policy/modules/apps/thunderbird.if
@@ -77,6 +77,7 @@ template(`thunderbird_per_role_template',`
manage_sock_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
fs_tmpfs_filetrans($1_thunderbird_t,$1_thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+ domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
allow $2 $1_thunderbird_t:fd use;
allow $2 $1_thunderbird_t:shm { associate getattr };
allow $2 $1_thunderbird_t:unix_stream_socket connectto;
@@ -166,11 +167,6 @@ template(`thunderbird_per_role_template',`
xserver_read_xdm_tmp_files($1_thunderbird_t)
xserver_dontaudit_getattr_xdm_tmp_sockets($1_thunderbird_t)
- # Transition from user type
- tunable_policy(`! disable_thunderbird_trans',`
- domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
- ')
-
# Access ~/.thunderbird
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_thunderbird_t)
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
index 0d1c693d..54e5575b 100644
--- a/policy/modules/apps/thunderbird.te
+++ b/policy/modules/apps/thunderbird.te
@@ -1,5 +1,5 @@
-policy_module(thunderbird,1.1.1)
+policy_module(thunderbird,1.1.2)
########################################
#
diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te
index f2bcebfc..bf1bee72 100644
--- a/policy/modules/apps/usernetctl.te
+++ b/policy/modules/apps/usernetctl.te
@@ -1,11 +1,21 @@
-policy_module(usernetctl,1.0.0)
+policy_module(usernetctl,1.0.1)
########################################
#
# Declarations
#
+ifdef(`strict_policy',`
+##
+##
+## Allow users to control network interfaces
+## (also needs USERCTL=true)
+##
+##
+gen_tunable(user_net_control,false)
+')
+
type usernetctl_t;
type usernetctl_exec_t;
domain_type(usernetctl_t)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index c11832c5..8c4c9989 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.5.4)
+policy_module(apache,1.5.5)
#
# NOTES:
@@ -20,6 +20,92 @@ policy_module(apache,1.5.4)
# Declarations
#
+##
+##
+## Allow Apache to modify public files
+## used for public file transfer services.
+##
+##
+gen_tunable(allow_httpd_anon_write,false)
+
+##
+##
+## Allow Apache to use mod_auth_pam
+##
+##
+gen_tunable(allow_httpd_mod_auth_pam,false)
+
+##
+##
+## Allow httpd to use built in scripting (usually php)
+##
+##
+gen_tunable(httpd_builtin_scripting,false)
+
+##
+##
+## Allow http daemon to tcp connect
+##
+##
+gen_tunable(httpd_can_network_connect,false)
+
+##
+##
+## Allow httpd to connect to mysql/posgresql
+##
+##
+gen_tunable(httpd_can_network_connect_db, false)
+
+##
+##
+## Allow httpd to act as a relay
+##
+##
+gen_tunable(httpd_can_network_relay, false)
+
+##
+##
+## Allow httpd cgi support
+##
+##
+gen_tunable(httpd_enable_cgi,false)
+
+##
+##
+## Allow httpd to act as a FTP server by
+## listening on the ftp port.
+##
+##
+gen_tunable(httpd_enable_ftp_server,false)
+
+##
+##
+## Allow httpd to read home directories
+##
+##
+gen_tunable(httpd_enable_homedirs,false)
+
+##
+##
+## Run SSI execs in system CGI script domain.
+##
+##
+gen_tunable(httpd_ssi_exec,false)
+
+##
+##
+## Allow http daemon to communicate with the TTY
+##
+##
+gen_tunable(httpd_tty_comm,false)
+
+##
+##
+## Run CGI in the main httpd domain
+##
+##
+gen_tunable(httpd_unified,false)
+
attribute httpdcontent;
# domains that can exec all users scripts
@@ -507,13 +593,7 @@ allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms;
-ifdef(`targeted_policy',`
- gen_tunable(httpd_suexec_disable_trans,false)
-
- tunable_policy(`httpd_suexec_disable_trans',`',`
- domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
- ')
-')
+domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
create_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)
append_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index cec18b07..6bb39666 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,11 +1,19 @@
-policy_module(bind,1.3.1)
+policy_module(bind,1.3.2)
########################################
#
# Declarations
#
+##
+##
+## Allow BIND to write the master zone files.
+## Generally this is used for dynamic DNS.
+##
+##
+gen_tunable(named_write_master_zones,false)
+
# for DNSSEC key files
type dnssec_t;
files_security_file(dnssec_t)
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index bb08029d..d9cb1bba 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
-policy_module(cron,1.5.1)
+policy_module(cron,1.5.2)
gen_require(`
class passwd rootok;
@@ -9,6 +9,23 @@ gen_require(`
#
# Declarations
#
+
+##
+##
+## Allow system cron jobs to relabel filesystem
+## for restoring file contexts.
+##
+##
+gen_tunable(cron_can_relabel,false)
+
+##
+##
+## Enable extra rules in the cron domain
+## to support fcron.
+##
+##
+gen_tunable(fcron_crond,false)
+
attribute cron_spool_type;
type anacron_exec_t;
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index 35ddd025..43721b5d 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -1,11 +1,18 @@
-policy_module(cvs,1.3.0)
+policy_module(cvs,1.3.1)
########################################
#
# Declarations
#
+##
+##
+## Allow cvs daemon to read shadow
+##
+##
+gen_tunable(allow_cvs_read_shadow,false)
+
type cvs_t;
type cvs_exec_t;
inetd_tcp_service_domain(cvs_t,cvs_exec_t)
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index 31585d1b..e3bbfb5d 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -28,13 +28,11 @@ template(`ftp_per_role_template',`
type ftpd_t;
')
- tunable_policy(`ftpd_is_daemon',`
- userdom_manage_user_home_content_files($1,ftpd_t)
- userdom_manage_user_home_content_symlinks($1,ftpd_t)
- userdom_manage_user_home_content_sockets($1,ftpd_t)
- userdom_manage_user_home_content_pipes($1,ftpd_t)
- userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
- ')
+ userdom_manage_user_home_content_files($1,ftpd_t)
+ userdom_manage_user_home_content_symlinks($1,ftpd_t)
+ userdom_manage_user_home_content_sockets($1,ftpd_t)
+ userdom_manage_user_home_content_pipes($1,ftpd_t)
+ userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
')
########################################
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 3138f0c8..033d90a1 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -1,11 +1,50 @@
-policy_module(ftp,1.4.3)
+policy_module(ftp,1.4.4)
########################################
#
# Declarations
#
+##
+##
+## Allow ftp servers to modify public files
+## used for public file transfer services.
+##
+##
+gen_tunable(allow_ftpd_anon_write,false)
+
+##
+##
+## Allow ftp servers to login to local users and
+## read/write all files on the system, governed by DAC.
+##
+##
+gen_tunable(allow_ftpd_full_access,false)
+
+##
+##
+## Allow ftp servers to use cifs
+## used for public file transfer services.
+##
+##
+gen_tunable(allow_ftpd_use_cifs,false)
+
+##
+##
+## Allow ftp servers to use nfs
+## used for public file transfer services.
+##
+##
+gen_tunable(allow_ftpd_use_nfs,false)
+
+##
+##
+## Allow ftp to read and write files in the user home directories
+##
+##
+gen_tunable(ftp_home_dir,false)
+
type ftpd_t;
type ftpd_exec_t;
init_daemon_domain(ftpd_t,ftpd_exec_t)
@@ -13,7 +52,6 @@ init_daemon_domain(ftpd_t,ftpd_exec_t)
type ftpd_etc_t;
files_config_file(ftpd_etc_t)
-# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
type ftpd_lock_t;
files_lock_file(ftpd_lock_t)
@@ -53,6 +91,9 @@ allow ftpd_t self:udp_socket create_socket_perms;
allow ftpd_t ftpd_etc_t:file read_file_perms;
+allow ftpd_t ftpd_lock_t:file manage_file_perms;
+files_lock_filetrans(ftpd_t,ftpd_lock_t,file)
+
manage_dirs_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
manage_files_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
@@ -198,13 +239,6 @@ tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
fs_read_cifs_symlinks(ftpd_t)
')
-tunable_policy(`ftpd_is_daemon',`
- allow ftpd_t ftpd_lock_t:file manage_file_perms;
- files_lock_filetrans(ftpd_t,ftpd_lock_t,file)
-
- corenet_tcp_bind_ftp_port(ftpd_t)
-')
-
optional_policy(`
tunable_policy(`ftp_home_dir',`
apache_search_sys_content(ftpd_t)
@@ -232,17 +266,10 @@ optional_policy(`
')
optional_policy(`
- #reh: typeattributes not allowed in conditionals yet.
- #tunable_policy(`! ftpd_is_daemon',`
- # inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
- #')
-
inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
optional_policy(`
- tunable_policy(`! ftpd_is_daemon',`
- tcpd_domtrans(tcpd_t)
- ')
+ tcpd_domtrans(tcpd_t)
')
')
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index c746cd44..344c57ab 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -1,5 +1,5 @@
-policy_module(inetd,1.2.3)
+policy_module(inetd,1.2.4)
########################################
#
@@ -227,13 +227,6 @@ ifdef(`targeted_policy',`
unconfined_domain(inetd_child_t)
')
-optional_policy(`
- tunable_policy(`ftpd_is_daemon',`
- # Allows it to check exec privs on daemon
- ftp_check_exec(inetd_t)
- ')
-')
-
optional_policy(`
kerberos_use(inetd_child_t)
')
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index a384b13c..142974b5 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -1,11 +1,18 @@
-policy_module(kerberos,1.3.3)
+policy_module(kerberos,1.3.4)
########################################
#
# Declarations
#
+##
+##
+## Allow system to run with kerberos
+##
+##
+gen_tunable(allow_kerberos,false)
+
type kadmind_t;
type kadmind_exec_t;
init_daemon_domain(kadmind_t,kadmind_exec_t)
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 5d74d247..ef0f8eda 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -1,11 +1,18 @@
-policy_module(lpd,1.4.2)
+policy_module(lpd,1.4.3)
########################################
#
# Declarations
#
+##
+##
+## Use lpd server instead of cups
+##
+##
+gen_tunable(use_lpd_server,false)
+
type checkpc_t;
type checkpc_exec_t;
init_system_domain(checkpc_t,checkpc_exec_t)
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 7b7d00a3..f7c683e9 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -1,11 +1,27 @@
-policy_module(ppp,1.3.1)
+policy_module(ppp,1.3.2)
########################################
#
# Declarations
#
+##
+##
+## Allow pppd to load kernel modules for certain modems
+##
+##
+gen_tunable(pppd_can_insmod,false)
+
+ifdef(`strict_policy',`
+##
+##
+## Allow pppd to be run for a regular user
+##
+##
+gen_tunable(pppd_for_user,false)
+')
+
# pppd_t is the domain for the pppd program.
# pppd_exec_t is the type of the pppd executable.
type pppd_t;
@@ -172,20 +188,6 @@ ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_ttys(pppd_t)
term_dontaudit_use_generic_ptys(pppd_t)
files_dontaudit_read_root_files(pppd_t)
-
- optional_policy(`
- gen_require(`
- bool postfix_disable_trans;
- ')
-
- if(!postfix_disable_trans) {
- postfix_domtrans_master(pppd_t)
- }
- ')
-',`
- optional_policy(`
- postfix_domtrans_master(pppd_t)
- ')
')
optional_policy(`
@@ -210,6 +212,10 @@ optional_policy(`
nscd_socket_use(pppd_t)
')
+optional_policy(`
+ postfix_domtrans_master(pppd_t)
+')
+
optional_policy(`
seutil_sigchld_newrole(pppd_t)
')
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index e21f3e71..697d7803 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -1,11 +1,26 @@
-policy_module(rpc,1.4.3)
+policy_module(rpc,1.4.4)
########################################
#
# Declarations
#
+##
+##
+## Allow gssd to read temp directory.
+##
+##
+gen_tunable(allow_gssd_read_tmp,true)
+
+##
+##
+## Allow nfs servers to modify public files
+## used for public file transfer services.
+##
+##
+gen_tunable(allow_nfsd_anon_write,false)
+
type exports_t;
files_type(exports_t)
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index 5e12b876..682d5f28 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -1,11 +1,19 @@
-policy_module(rsync,1.3.1)
+policy_module(rsync,1.3.2)
########################################
#
# Declarations
#
+##
+##
+## Allow rsync to modify public files
+## used for public file transfer services.
+##
+##
+gen_tunable(allow_rsync_anon_write,false)
+
type rsync_t;
type rsync_exec_t;
init_daemon_domain(rsync_t,rsync_exec_t)
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index b2a5004a..a114c46c 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -1,11 +1,33 @@
-policy_module(samba,1.4.2)
+policy_module(samba,1.4.3)
#################################
#
# Declarations
#
+##
+##
+## Allow samba to modify public files
+## used for public file transfer services.
+##
+##
+gen_tunable(allow_smbd_anon_write,false)
+
+##
+##
+## Allow samba to export user home directories.
+##
+##
+gen_tunable(samba_enable_home_dirs,false)
+
+##
+##
+## Allow samba to export NFS volumes.
+##
+##
+gen_tunable(samba_share_nfs,false)
+
type nmbd_t;
type nmbd_exec_t;
init_daemon_domain(nmbd_t,nmbd_exec_t)
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index a20ace85..6128b90f 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -1,11 +1,18 @@
-policy_module(sasl,1.4.1)
+policy_module(sasl,1.4.2)
########################################
#
# Declarations
#
+##
+##
+## Allow sasl to read shadow
+##
+##
+gen_tunable(allow_saslauthd_read_shadow,false)
+
type saslauthd_t;
type saslauthd_exec_t;
init_daemon_domain(saslauthd_t,saslauthd_exec_t)
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 2a8e3a4b..f5e023eb 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -1,11 +1,29 @@
-policy_module(spamassassin,1.5.5)
+policy_module(spamassassin,1.5.6)
########################################
#
# Declarations
#
+ifdef(`strict_policy',`
+##
+##
+## Allow user spamassassin clients to use the network.
+##
+##
+gen_tunable(spamassassin_can_network,false)
+')
+
+ifdef(`targeted_policy',`
+##
+##
+## Allow spamd to read/write user home directories.
+##
+##
+gen_tunable(spamd_enable_home_dirs,true)
+')
+
# spamassassin client executable
type spamc_exec_t;
corecmd_executable_file(spamc_exec_t)
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index 18ebdd85..8fa700fe 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -1,11 +1,19 @@
-policy_module(squid,1.2.1)
+policy_module(squid,1.2.2)
########################################
#
# Declarations
#
+##
+##
+## Allow squid to connect to all ports, not just
+## HTTP, FTP, and Gopher ports.
+##
+##
+gen_tunable(squid_connect_any,false)
+
type squid_t;
type squid_exec_t;
init_daemon_domain(squid_t,squid_exec_t)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index b22317cb..4b05a154 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -476,6 +476,7 @@ template(`ssh_server_template', `
corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_bind_all_nodes($1_t)
corenet_udp_bind_all_nodes($1_t)
+ corenet_tcp_bind_ssh_port($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_ssh_server_packets($1_t)
@@ -517,25 +518,6 @@ template(`ssh_server_template', `
fs_read_cifs_files($1_t)
')
- # cjp: commenting out until typeattribute works in conditional
- # and require block in optional else is resolved
- #optional_policy(`
- # tunable_policy(`run_ssh_inetd',`
- # allow $1_t self:process signal;
- # files_list_pids($1_t)
- # ',`
- # corenet_tcp_bind_ssh_port($1_t)
- # init_use_fds($1_t)
- # init_use_script_ptys($1_t)
- # ')
- #',`
- # These rules should match the else block
- # of the run_ssh_inetd tunable directly above
- corenet_tcp_bind_ssh_port($1_t)
- init_use_fds($1_t)
- init_use_script_ptys($1_t)
- #')
-
optional_policy(`
kerberos_use($1_t)
')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index cf9cceb8..cbe8c0d9 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,11 +1,25 @@
-policy_module(ssh,1.5.1)
+policy_module(ssh,1.5.2)
########################################
#
# Declarations
#
+##
+##
+## allow host key based authentication
+##
+##
+gen_tunable(allow_ssh_keysign,false)
+
+##
+##
+## Allow ssh logins as sysadm_r:sysadm_t
+##
+##
+gen_tunable(ssh_sysadm_login,false)
+
attribute ssh_server;
# Type for the ssh-agent executable.
@@ -140,6 +154,8 @@ tunable_policy(`ssh_sysadm_login',`
ifdef(`strict_policy',`
ifdef(`TODO',`
+ domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
+
domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
# Signal the user domains.
allow sshd_extern_t user_mini_domain:process signal;
@@ -159,15 +175,7 @@ ifdef(`strict_policy',`
allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;
optional_policy(`
- tunable_policy(`run_ssh_inetd',`
- domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
- ',`
- domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
- ')
- ',`
- # These rules should match the else block
- # of the run_ssh_inetd tunable directly above
- domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
+ domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
')
ifdef(`direct_sysadm_daemon', `
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index 73160ea7..09443a48 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -1,5 +1,5 @@
-policy_module(stunnel,1.2.1)
+policy_module(stunnel,1.2.2)
########################################
#
@@ -127,13 +127,9 @@ ifdef(`distro_gentoo', `
')
')
-tunable_policy(`stunnel_is_daemon',`
- allow stunnel_t self:tcp_socket create_stream_socket_perms;
-
- # hack since this port has no interfaces since it doesnt
- # have net_contexts
- gen_require(`
- type stunnel_port_t;
- ')
- allow stunnel_t stunnel_port_t:tcp_socket name_bind;
+# hack since this port has no interfaces since it doesnt
+# have net_contexts
+gen_require(`
+ type stunnel_port_t;
')
+allow stunnel_t stunnel_port_t:tcp_socket name_bind;
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 4c299e20..c94dc602 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,11 +1,28 @@
-policy_module(xserver,1.3.3)
+policy_module(xserver,1.3.4)
########################################
#
# Declarations
#
+ifdef(`strict_policy',`
+##
+##
+## Allows clients to write to the X server shared
+## memory segments.
+##
+##
+gen_tunable(allow_write_xshm,false)
+')
+
+##
+##
+## Allow xdm logins as sysadm
+##
+##
+gen_tunable(xdm_sysadm_login,false)
+
attribute fonts_type;
attribute fonts_cache_type;
attribute fonts_config_type;
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index c32fe07d..27cb5715 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -1,11 +1,19 @@
-policy_module(zebra,1.3.1)
+policy_module(zebra,1.3.2)
########################################
#
# Declarations
#
+##
+##
+## Allow zebra daemon to write it configuration files
+##
+##
+#
+gen_tunable(allow_zebra_write_config,false)
+
type zebra_t;
type zebra_exec_t;
init_daemon_domain(zebra_t,zebra_exec_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d92065f4..cf355f6e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.5.4)
+policy_module(init,1.5.5)
gen_require(`
class passwd rootok;
@@ -10,6 +10,15 @@ gen_require(`
# Declarations
#
+ifdef(`targeted_policy',`
+##
+##
+## Allow all daemons the ability to use unallocated ttys
+##
+##
+gen_tunable(allow_daemons_use_tty,false)
+')
+
# used for direct running of init scripts
# by admin domains
attribute direct_run_init;
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 1d095283..d7ae4b78 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,11 +1,20 @@
-policy_module(mount,1.5.0)
+policy_module(mount,1.5.1)
########################################
#
# Declarations
#
+ifdef(`targeted_policy',`
+##
+##
+## Allow mount to mount any file
+##
+##
+gen_tunable(allow_mount_anyfile,false)
+')
+
type mount_t;
type mount_exec_t;
init_system_domain(mount_t,mount_exec_t)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index d3fa84ef..ec35724e 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,2.1.2)
+policy_module(userdomain,2.1.3)
gen_require(`
role sysadm_r, staff_r, user_r;
@@ -15,6 +15,51 @@ gen_require(`
# Declarations
#
+ifdef(`strict_policy',`
+##
+##
+## Allow sysadm to ptrace all processes
+##
+##
+gen_tunable(allow_ptrace,false)
+
+##
+##
+## Allow users to connect to mysql
+##
+##
+gen_tunable(allow_user_mysql_connect,false)
+
+##
+##
+## Allow regular users direct mouse access
+##
+##
+gen_tunable(user_direct_mouse,false)
+
+##
+##
+## Allow users to read system messages.
+##
+##
+gen_tunable(user_dmesg,false)
+
+##
+##
+## Allow user to r/w files on filesystems
+## that do not have extended attributes (FAT, CDROM, FLOPPY)
+##
+##
+gen_tunable(user_rw_noexattrfile,false)
+
+##
+##
+## Allow w to display everyone
+##
+##
+gen_tunable(user_ttyfile_stat,false)
+')
+
# admin users terminals (tty and pty)
attribute admin_terminal;
diff --git a/support/Makefile.devel b/support/Makefile.devel
index 595f7789..ccbec6b5 100644
--- a/support/Makefile.devel
+++ b/support/Makefile.devel
@@ -33,7 +33,7 @@ genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
docs = doc
polxml = $(docs)/policy.xml
xmldtd = $(HEADERDIR)/support/policy.dtd
-layerxml = metadata.xml
+metaxml = metadata.xml
globaltun = $(HEADERDIR)/global_tunables.xml
globalbool = $(HEADERDIR)/global_booleans.xml
@@ -84,26 +84,41 @@ M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$
# policy headers
m4support = $(wildcard $(HEADERDIR)/support/*.spt)
+
all_layers = $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d))
all_interfaces = $(foreach layer,$(all_layers),$(wildcard $(layer)/*.if))
rolemap = $(HEADERDIR)/rolemap
detected_layers = $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
+
+clayers = $(addprefix $(CURDIR)/, $(filter $(notdir $(detected_layers)), $(notdir $(all_layers))))
+all_layers_subset = $(addprefix $(HEADERDIR)/, $(filter-out $(notdir $(detected_layers)), $(notdir $(all_layers))))
+detected_layers_subset = $(addprefix $(CURDIR)/, $(filter-out $(notdir $(clayers)), $(notdir $(detected_layers))))
+
3rd_party_mods = $(wildcard *.te)
detected_mods = $(3rd_party_mods) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.te))
+detected_mods_subset = $(3rd_party_mods) $(foreach layer,$(detected_layers_subset),$(wildcard $(layer)/*.te))
+
detected_ifs = $(detected_mods:.te=.if)
detected_fcs = $(detected_mods:.te=.fc)
all_packages = $(notdir $(detected_mods:.te=.pp))
+modxml = $(addprefix $(CURDIR)/, $(detected_mods_subset:.te=.xml))
+layerxml = $(addprefix tmp/, $(notdir $(addsuffix .xml, $(detected_layers_subset) $(CURDIR))))
+
+hmodxml = $(all_interfaces:.if=.xml)
+hlayerxml = $(addsuffix .xml, $(addprefix tmp/, $(notdir $(all_layers_subset))))
+hmetaxml = $(foreach layer, $(all_layers_subset), $(layer)/$(metaxml))
+
+cmods = $(foreach layer, $(clayers), $(wildcard $(layer)/*.te))
+cmodxml = $(cmods:.te=.xml)
+clayerxml= $(addsuffix .xml, $(addprefix tmp/, $(notdir $(clayers))))
+cmetaxml = $(foreach layer, $(notdir $(clayers)), $(HEADERDIR)/$(layer)/$(metaxml))
+
vpath %.te $(detected_layers)
vpath %.if $(detected_layers)
vpath %.fc $(detected_layers)
-# if there are modules in the current directory, add them into the third party layer
-ifneq "$(3rd_party_mods)" ""
- genxml += -3 .
-endif
-
########################################
#
# Functions
@@ -197,18 +212,45 @@ $(detected_ifs) $(detected_fcs):
# Documentation generation
#
-# minimal dependencies here, because we don't want to rebuild
-# this and its dependents every time the dependencies
-# change. Also use all .if files here, rather then just the
-# enabled modules.
-$(polxml): $(detected_ifs) $(foreach dir,$(all_layers),$(dir)/$(layerxml))
- @echo "Creating $@"
- @mkdir -p doc
+$(clayerxml): %.xml: $(cmodxml) $(hmodxml) $(cmetaxml)
+ @test -d tmp || mkdir -p tmp
+ $(verbose) echo '' > $@
+ $(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@;
+ $(verbose) cat $(filter $(addprefix $(CURDIR)/, $(notdir $*))/%, $(cmodxml)) >> $@
+ $(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@
+ $(verbose) echo '' >> $@
+
+$(hlayerxml): %.xml: $(hmodxml) $(hmetaxml)
+ @test -d tmp || mkdir -p tmp
+ $(verbose) echo '' > $@
+ $(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@;
+ $(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@
+ $(verbose) echo '' >> $@
+
+$(cmodxml) $(modxml): %.xml: %.if %.te
+ $(verbose) $(genxml) -w -m $* > $@
+
+$(layerxml): %.xml: $(modxml)
+ @test -d tmp || mkdir -p tmp
+ $(verbose) echo '' > $@
+ $(verbose) if test -f '$(metaxml)'; then \
+ cat $(metaxml) >> $@; \
+ else \
+ echo 'This is all third-party generated modules.' >> $@; \
+ fi
+ $(verbose) cat $(filter-out %/$(metaxml), $^) >> $@
+ $(verbose) echo '' >> $@
+
+$(polxml): $(clayerxml) $(hlayerxml) $(layerxml) $(globaltun) $(globalbool)
+ @echo "Creating $(@F)"
+ @test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
$(verbose) echo '' > $@
- $(verbose) echo '' >> $@
- $(verbose) $(genxml) -m $(layerxml) --tunables-xml $(globaltun) --booleans-xml $(globalbool) $(all_layers) $(detected_layers) >> $@
+ $(verbose) echo '' >> $@
+ $(verbose) echo '' >> $@
+ $(verbose) cat $(sort $(clayerxml) $(hlayerxml) $(layerxml)) $(globaltun) $(globalbool) >> $@
+ $(verbose) echo '' >> $@
$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
- $(XMLLINT) --noout --dtdvalid $(xmldtd) $@ ;\
+ $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
fi
########################################
diff --git a/support/sedoctool.py b/support/sedoctool.py
index 55eee3b4..f15a5b50 100644
--- a/support/sedoctool.py
+++ b/support/sedoctool.py
@@ -1,6 +1,7 @@
#!/usr/bin/python
# Author: Joshua Brindle
+# Caleb Case
#
# Copyright (C) 2005 - 2006 Tresys Technology, LLC
# This program is free software; you can redistribute it and/or modify
@@ -317,6 +318,12 @@ def gen_docs(doc, working_dir, templatedir):
templatefile = open(templatedir + "/template.html", "r")
templatedata = templatefile.read()
templatefile.close()
+ tunfile = open(templatedir + "/tunable.html", "r")
+ tundata = tunfile.read()
+ tunfile.close()
+ boolfile = open(templatedir + "/boolean.html", "r")
+ booldata = boolfile.read()
+ boolfile.close()
menufile = open(templatedir + "/menu.html", "r")
menudata = menufile.read()
menufile.close()
@@ -332,12 +339,18 @@ def gen_docs(doc, working_dir, templatedir):
templistfile = open(templatedir + "/temp_list.html", "r")
templistdata = templistfile.read()
templistfile.close()
- boollistfile = open(templatedir + "/global_bool_list.html", "r")
- boollistdata = boollistfile.read()
- boollistfile.close()
- tunlistfile = open(templatedir + "/global_tun_list.html", "r")
+ tunlistfile = open(templatedir + "/tun_list.html", "r")
tunlistdata = tunlistfile.read()
tunlistfile.close()
+ boollistfile = open(templatedir + "/bool_list.html", "r")
+ boollistdata = boollistfile.read()
+ boollistfile.close()
+ gboollistfile = open(templatedir + "/global_bool_list.html", "r")
+ gboollistdata = gboollistfile.read()
+ gboollistfile.close()
+ gtunlistfile = open(templatedir + "/global_tun_list.html", "r")
+ gtunlistdata = gtunlistfile.read()
+ gtunlistfile.close()
except:
error("Could not open templates")
@@ -412,6 +425,8 @@ def gen_docs(doc, working_dir, templatedir):
all_interfaces = []
all_templates = []
+ all_tunables = []
+ all_booleans = []
for node in doc.getElementsByTagName("module"):
mod_name = mod_layer = mod_desc = interface_buf = ''
@@ -511,6 +526,54 @@ def gen_docs(doc, working_dir, templatedir):
template_tpl = pyplate.Template(templatedata)
template_buf = template_tpl.execute_string({"templates" : templates})
+ #generate 'boolean' pages
+ booleans = []
+ for boolean in node.getElementsByTagName("bool"):
+ boolean_parameters = []
+ boolean_desc = None
+ boolean_name = boolean.getAttribute("name")
+ boolean_dftval = boolean.getAttribute("dftval")
+ for desc in boolean.childNodes:
+ if desc.nodeName == "desc":
+ boolean_desc = format_html_desc(desc)
+
+ booleans.append({ "bool_name" : boolean_name,
+ "desc" : boolean_desc,
+ "def_val" : boolean_dftval })
+ #all_booleans is for the main boolean index with all booleans
+ all_booleans.append({ "bool_name" : boolean_name,
+ "desc" : boolean_desc,
+ "def_val" : boolean_dftval,
+ "mod_name": mod_name,
+ "mod_layer" : mod_layer })
+ booleans.sort(bool_cmp)
+ boolean_tpl = pyplate.Template(booldata)
+ boolean_buf = boolean_tpl.execute_string({"booleans" : booleans})
+
+ #generate 'tunable' pages
+ tunables = []
+ for tunable in node.getElementsByTagName("tunable"):
+ tunable_parameters = []
+ tunable_desc = None
+ tunable_name = tunable.getAttribute("name")
+ tunable_dftval = tunable.getAttribute("dftval")
+ for desc in tunable.childNodes:
+ if desc.nodeName == "desc":
+ tunable_desc = format_html_desc(desc)
+
+ tunables.append({ "tun_name" : tunable_name,
+ "desc" : tunable_desc,
+ "def_val" : tunable_dftval })
+ #all_tunables is for the main tunable index with all tunables
+ all_tunables.append({ "tun_name" : tunable_name,
+ "desc" : tunable_desc,
+ "def_val" : tunable_dftval,
+ "mod_name": mod_name,
+ "mod_layer" : mod_layer })
+ tunables.sort(tun_cmp)
+ tunable_tpl = pyplate.Template(tundata)
+ tunable_buf = tunable_tpl.execute_string({"tunables" : tunables})
+
menu = gen_doc_menu(mod_layer, module_list)
@@ -531,6 +594,10 @@ def gen_docs(doc, working_dir, templatedir):
interface_buf = None
if not template_buf.strip():
template_buf = None
+ if not tunable_buf.strip():
+ tunable_buf = None
+ if not boolean_buf.strip():
+ boolean_buf = None
module_args = { "mod_layer" : mod_layer,
"mod_name" : mod_name,
@@ -538,7 +605,9 @@ def gen_docs(doc, working_dir, templatedir):
"mod_desc" : mod_desc,
"mod_req" : mod_req,
"interfaces" : interface_buf,
- "templates": template_buf }
+ "templates" : template_buf,
+ "tunables" : tunable_buf,
+ "booleans" : boolean_buf }
module_tpl = pyplate.Template(moduledata)
module_buf = module_tpl.execute_string(module_args)
@@ -590,19 +659,19 @@ def gen_docs(doc, working_dir, templatedir):
#build the global tunable index
- global_tun_buf = []
+ global_tun = []
for tunable in doc.getElementsByTagName("tunable"):
if tunable.parentNode.nodeName == "policy":
tunable_name = tunable.getAttribute("name")
default_value = tunable.getAttribute("dftval")
for desc in tunable.getElementsByTagName("desc"):
description = format_html_desc(desc)
- global_tun_buf.append( { "tun_name" : tunable_name,
+ global_tun.append( { "tun_name" : tunable_name,
"def_val" : default_value,
"desc" : description } )
- global_tun_buf.sort(tun_cmp)
- global_tun_tpl = pyplate.Template(tunlistdata)
- global_tun_buf = global_tun_tpl.execute_string({"tunables" : global_tun_buf})
+ global_tun.sort(tun_cmp)
+ global_tun_tpl = pyplate.Template(gtunlistdata)
+ global_tun_buf = global_tun_tpl.execute_string({"tunables" : global_tun})
global_tun_file = "global_tunables.html"
global_tun_fh = open(global_tun_file, "w")
body_tpl = pyplate.Template(bodydata)
@@ -613,21 +682,35 @@ def gen_docs(doc, working_dir, templatedir):
body_tpl.execute(global_tun_fh, body_args)
global_tun_fh.close()
+ #build the tunable index
+ all_tunables = all_tunables + global_tun
+ all_tunables.sort(tun_cmp)
+ tunable_tpl = pyplate.Template(tunlistdata)
+ tunable_buf = tunable_tpl.execute_string({"tunables" : all_tunables})
+ temp_file = "tunables.html"
+ temp_fh = open(temp_file, "w")
+ body_tpl = pyplate.Template(bodydata)
+
+ body_args = { "menu" : menu_buf,
+ "content" : tunable_buf }
+
+ body_tpl.execute(temp_fh, body_args)
+ temp_fh.close()
#build the global boolean index
- global_bool_buf = []
+ global_bool = []
for boolean in doc.getElementsByTagName("bool"):
if boolean.parentNode.nodeName == "policy":
bool_name = boolean.getAttribute("name")
default_value = boolean.getAttribute("dftval")
for desc in boolean.getElementsByTagName("desc"):
description = format_html_desc(desc)
- global_bool_buf.append( { "bool_name" : bool_name,
+ global_bool.append( { "bool_name" : bool_name,
"def_val" : default_value,
"desc" : description } )
- global_bool_buf.sort(bool_cmp)
- global_bool_tpl = pyplate.Template(boollistdata)
- global_bool_buf = global_bool_tpl.execute_string({"booleans" : global_bool_buf})
+ global_bool.sort(bool_cmp)
+ global_bool_tpl = pyplate.Template(gboollistdata)
+ global_bool_buf = global_bool_tpl.execute_string({"booleans" : global_bool})
global_bool_file = "global_booleans.html"
global_bool_fh = open(global_bool_file, "w")
body_tpl = pyplate.Template(bodydata)
@@ -637,6 +720,21 @@ def gen_docs(doc, working_dir, templatedir):
body_tpl.execute(global_bool_fh, body_args)
global_bool_fh.close()
+
+ #build the boolean index
+ all_booleans = all_booleans + global_bool
+ all_booleans.sort(bool_cmp)
+ boolean_tpl = pyplate.Template(boollistdata)
+ boolean_buf = boolean_tpl.execute_string({"booleans" : all_booleans})
+ temp_file = "booleans.html"
+ temp_fh = open(temp_file, "w")
+ body_tpl = pyplate.Template(bodydata)
+
+ body_args = { "menu" : menu_buf,
+ "content" : boolean_buf }
+
+ body_tpl.execute(temp_fh, body_args)
+ temp_fh.close()
diff --git a/support/segenxml.py b/support/segenxml.py
index 10cc8bdd..d6c4fd59 100644
--- a/support/segenxml.py
+++ b/support/segenxml.py
@@ -3,6 +3,7 @@
# Author(s): Donald Miner
# Dave Sugar
# Brian Williams
+# Caleb Case
#
# Copyright (C) 2005 - 2006 Tresys Technology, LLC
# This program is free software; you can redistribute it and/or modify
@@ -18,6 +19,7 @@ import sys
import os
import glob
import re
+import getopt
# GLOBALS
@@ -70,9 +72,15 @@ def getModuleXML(file_name):
Returns the XML data for a module in a list, one line per list item.
'''
+ # Gather information.
+ module_dir = os.path.dirname(file_name)
+ module_name = os.path.basename(file_name)
+ module_te = "%s/%s.te" % (module_dir, module_name)
+ module_if = "%s/%s.if" % (module_dir, module_name)
+
# Try to open the file, if it cant, just ignore it.
try:
- module_file = open(file_name, "r")
+ module_file = open(module_if, "r")
module_code = module_file.readlines()
module_file.close()
except:
@@ -83,7 +91,7 @@ def getModuleXML(file_name):
# Infer the module name, which is the base of the file name.
module_buf.append("\n"
- % (os.path.splitext(os.path.split(file_name)[-1])[0], file_name))
+ % (os.path.splitext(os.path.split(file_name)[-1])[0], module_if))
temp_buf = []
interface = None
@@ -175,54 +183,13 @@ def getModuleXML(file_name):
elif temp_buf:
warning("orphan XML comments at bottom of file %s" % file_name)
+ # Process the TE file if it exists.
+ module_buf = module_buf + getTunableXML(module_te, "both")
+
module_buf.append("\n")
return module_buf
-def getLayerXML (layerName, directories):
- '''
- Returns the XML documentation for a layer.
- '''
-
- layer_buf = []
-
- # Infer the layer name from the directory name.
- layer_buf.append("\n" % layerName)
-
- # Try to file the metadata file for this layer and if it exists,
- # append the contents to the buffer.
- bFoundMeta = False
- for directory in directories:
- metafile = directory + "/" + meta
-
- if not bFoundMeta and os.path.isfile (metafile):
- layer_meta = open (metafile, "r")
- layer_buf += layer_meta.readlines ()
- layer_meta.close()
- bFoundMeta = True
-
- # force the metadata for the third party layer
- if not bFoundMeta:
- if layerName == third_party:
- layer_buf.append ("This is all third-party generated modules.\n")
- bFoundMeta = True
-
- # didn't find meta data for this layer - oh well
- if not bFoundMeta:
- layer_buf.append ("Summary is missing!.\n")
- warning ("unable to find %s for layer %s" % (meta, layerName))
-
- # For each module file in the layer, add its XML.
- for directory in directories:
- modules = glob.glob("%s/*.if" % directory)
- modules.sort()
- for module in modules:
- layer_buf += getModuleXML(module)
-
- layer_buf.append("\n")
-
- return layer_buf
-
def getTunableXML(file_name, kind):
'''
Return all the XML for the tunables/bools in the file specified.
@@ -257,8 +224,10 @@ def getTunableXML(file_name, kind):
if boolean:
# If there is a gen_bool in a tunable file or a
# gen_tunable in a boolean file, error and exit.
- if boolean.group(1) != kind:
- error("%s in a %s file." % (boolean.group(1), kind))
+ # Skip if both kinds are valid.
+ if kind != "both":
+ if boolean.group(1) != kind:
+ error("%s in a %s file." % (boolean.group(1), kind))
tunable_buf.append("<%s name=\"%s\" dftval=\"%s\">\n" % boolean.groups())
tunable_buf += temp_buf
@@ -341,39 +310,15 @@ def usage():
Displays a message describing the proper usage of this script.
"""
- sys.stdout.write("usage: %s [-w] [-m file] "\
- % sys.argv[0])
+ sys.stdout.write("usage: %s [-w] [-mtb] \n\n" % sys.argv[0])
+ sys.stdout.write("-w --warn\t\t\tshow warnings\n"+\
+ "-m --module \t\tname of module to process\n"+\
+ "-t --tunable \t\tname of global tunable file to process\n"+\
+ "-b --boolean \t\tname of global boolean file to process\n\n")
- sys.stdout.write("layerdirectory [layerdirectory...]\n\n")
-
- sys.stdout.write("Options:\n")
-
- sys.stdout.write ("-h --help -- "+\
- "show command line options\n")
-
- sys.stdout.write("-w --warn -- "+\
- "show warnings\n")
-
- sys.stdout.write("-m --meta -- "+\
- "the filename of the metadata in each layer\n")
-
- sys.stdout.write("-t --tunable -- "+\
- "A file containing tunable declarations\n")
-
- sys.stdout.write("-b --bool -- "+\
- "A file containing bool declarations\n")
-
- sys.stdout.write("-o --output-dir -- "+\
- "A directory to output global_tunables.xml and global_booleans.xml\n")
-
- sys.stdout.write("--tunables-xml -- "+\
- "A file containing tunable declarations already in XML format\n")
-
- sys.stdout.write("--booleans-xml -- "+\
- "A file containing bool declarations already in XML format\n")
-
- sys.stdout.write ("-3 --third-party -- "+\
- "Look for 3rd Party modules in directory.\n")
+ sys.stdout.write("examples:\n")
+ sys.stdout.write("> %s -w -m policy/modules/apache\n" % sys.argv[0])
+ sys.stdout.write("> %s -t policy/global_tunables\n" % sys.argv[0])
def warning(description):
'''
@@ -397,79 +342,50 @@ def error(description):
# MAIN PROGRAM
+
+# Defaults
+warn = False
+module = False
+tunable = False
+boolean = False
+
# Check that there are command line arguments.
if len(sys.argv) <= 1:
usage()
sys.exit(1)
-
-# Parse the command line arguments
-for i in range(1, len(sys.argv)):
- if sys.argv[i-1] in ("-m", "--meta",\
- "-t", "--tunable", "-b", "--bool",\
- "-o", "--output-dir", "-3", "--third-party", \
- "--tunables-xml", "--booleans-xml"):
- continue
- elif sys.argv[i] in ("-w", "--warn"):
+# Parse command line args
+try:
+ opts, args = getopt.getopt(sys.argv[1:], 'whm:t:b:', ['warn', 'help', 'module=', 'tunable=', 'boolean='])
+except getopt.GetoptError:
+ usage()
+ sys.exit(2)
+for o, a in opts:
+ if o in ('-w', '--warn'):
warn = True
- elif sys.argv[i] in ("-m", "--meta"):
- if i < len(sys.argv)-1:
- meta = sys.argv[i+1]
- else:
- usage()
- elif sys.argv[i] in ("-t", "--tunable"):
- if i < len(sys.argv)-1:
- tunable_files.append(sys.argv[i+1])
- else:
- usage()
- elif sys.argv[i] in ("-b", "--bool"):
- if i < len(sys.argv)-1:
- bool_files.append(sys.argv[i+1])
- else:
- usage()
-
- elif sys.argv[i] == "--tunables-xml":
- if i < len(sys.argv)-1:
- xml_bool_files.append (sys.argv[i+1])
- else:
- usage ()
-
- elif sys.argv[i] == "--booleans-xml":
- if i < len(sys.argv)-1:
- xml_tunable_files.append (sys.argv[i+1])
- else:
- usage ()
-
- elif sys.argv[i] in ("-o", "--output-dir"):
- if i < len(sys.argv)-1:
- output_dir = sys.argv[i+1]
- else:
- usage ()
-
- elif sys.argv[i] in ("-3", "--third-party"):
- if i < len(sys.argv) -1:
- if layers.has_key (third_party):
- layers[third_party].append (sys.argv[i+1])
- else:
- layers[third_party] = [sys.argv[i+1]]
- else:
- usage ()
-
- elif sys.argv[i] in ("-h", "--help"):
- usage ()
- sys.exit (1)
-
+ elif o in ('-h', '--help'):
+ usage()
+ sys.exit(0)
+ elif o in ('-m', '--module'):
+ module = a
+ break
+ elif o in ('-t', '--tunable'):
+ tunable = a
+ break
+ elif o in ('-b', '--boolean'):
+ boolean = a
+ break
else:
- # store directories in hash stored by layer name
- splitlayer = os.path.split(sys.argv[i])
- if layers.has_key (splitlayer[1]):
- layers[splitlayer[1]].append (sys.argv[i])
- else:
- layers[splitlayer[1]] = [sys.argv[i]]
+ usage()
+ sys.exit(2)
-
-# Generate the XML and output it to a file
-lines = getPolicyXML()
-for s in lines:
- sys.stdout.write(s)
+if module:
+ sys.stdout.writelines(getModuleXML(module))
+elif tunable:
+ sys.stdout.writelines(getTunableXML(tunable, "tunable"))
+elif boolean:
+ sys.stdout.writelines(getTunableXML(boolean, "bool"))
+else:
+ usage()
+ sys.exit(2)