From 6578cf7413ee25605e62d67ee58d6d27ae018b32 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Mon, 30 Aug 2010 11:58:36 -0400 Subject: [PATCH] - More access needed for devicekit - Add dbadm policy --- modules-minimum.conf | 2217 +---------------------------------------- modules-mls.conf | 7 + modules-targeted.conf | 7 + policy-F14.patch | 469 +++++++-- selinux-policy.spec | 6 +- sources | 1 - 6 files changed, 395 insertions(+), 2312 deletions(-) mode change 100644 => 120000 modules-minimum.conf diff --git a/modules-minimum.conf b/modules-minimum.conf deleted file mode 100644 index 0b350d33..00000000 --- a/modules-minimum.conf +++ /dev/null 
@@ -1,2216 +0,0 @@ -# -# This file contains a listing of available modules. -# To prevent a module from being used in policy -# creation, set the module name to "off". -# -# For monolithic policies, modules set to "base" and "module" -# will be built into the policy. -# -# For modular policies, modules set to "base" will be -# included in the base module. "module" will be compiled -# as individual loadable modules. -# - -# Layer: services -# Module: accountsd -# -# An application to view and modify user accounts information -# -accountsd = module - -# Layer: admin -# Module: acct -# -# Berkeley process accounting -# -acct = base - -# Layer: admin -# Module: alsa -# -# Ainit ALSA configuration tool -# -alsa = base - -# Layer: apps -# Module: ada -# -# ada executable -# -ada = module - -# Layer: services -# Module: cachefilesd -# -# CacheFiles userspace management daemon -# -cachefilesd = module - -# Layer: apps -# Module: cpufreqselector -# -# cpufreqselector executable -# -cpufreqselector = module - -# Layer: apps -# Module: chrome -# -# chrome sandbox -# -chrome = module - -# Layer: modules -# Module: awstats -# -# awstats executable -# -awstats = module - -# Layer: services -# Module: abrt -# -# Automatic bug detection and reporting tool -# -abrt = module - -# Layer: services -# Module: aiccu -# -# SixXS Automatic IPv6 Connectivity Client Utility -# -aiccu = module - -# Layer: admin -# Module: amanda -# -# Automated backup program. -# -amanda = module - -# Layer: services -# Module: afs -# -# Andrew Filesystem server -# -afs = module - -# Layer: services -# Module: amavis -# -# Anti-virus -# -amavis = module - -# Layer: admin -# Module: anaconda -# -# Policy for the Anaconda installer. 
-# -anaconda = base - -# Layer: services -# Module: apache -# -# Apache web server -# -apache = module - -# Layer: services -# Module: apm -# -# Advanced power management daemon -# -apm = base - -# Layer: system -# Module: application -# Required in base -# -# Defines attributs and interfaces for all user applications -# -application = base - -# Layer: services -# Module: arpwatch -# -# Ethernet activity monitor. -# -arpwatch = module - -# Layer: services -# Module: audioentropy -# -# Generate entropy from audio input -# -audioentropy = module - -# Layer: system -# Module: authlogin -# -# Common policy for authentication and user login. -# -authlogin = base - -# Layer: services -# Module: asterisk -# -# Asterisk IP telephony server -# -asterisk = module - -# Layer: services -# Module: automount -# -# Filesystem automounter service. -# -automount = module - -# Layer: services -# Module: avahi -# -# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture -# -avahi = module - -# Layer: services -# Module: boinc -# -# Berkeley Open Infrastructure for Network Computing -# -boinc = module - -# Layer: services -# Module: bind -# -# Berkeley internet name domain DNS server. -# -bind = module - -# Layer: services -# Module: bugzilla -# -# Bugzilla server -# -bugzilla = module - -# Layer: services -# Module: dnsmasq -# -# A lightweight DHCP and caching DNS server. -# -dnsmasq = module - -# Layer: services -# Module: bluetooth -# -# Bluetooth tools and system services. -# -bluetooth = module - -# Layer: kernel -# Module: ubac -# -# -# -ubac = base - -# -# Layer: kernel -# Module: bootloader -# -# Policy for the kernel modules, kernel image, and bootloader. 
-# -bootloader = base - - -# Layer: services -# Module: canna -# -# Canna - kana-kanji conversion server -# -canna = module - -# Layer: services -# Module: ccs -# -# policy for ccs -# -ccs = module - -# Layer: apps -# Module: calamaris -# -# -# Squid log analysis -# -calamaris = module - -# Layer: apps -# Module: cdrecord -# -# Policy for cdrecord -# -cdrecord = module - -# Layer: admin -# Module: certwatch -# -# Digital Certificate Tracking -# -certwatch = module - -# Layer: admin -# Module: certmaster -# -# Digital Certificate master -# -certmaster = module - -# Layer: services -# Module: certmonger -# -# Certificate status monitor and PKI enrollment client -# -certmonger = module - -# Layer: services -# Module: cipe -# -# Encrypted tunnel daemon -# -cipe = module - -# Layer: services -# Module: chronyd -# -# Daemon for maintaining clock time -# -chronyd = module - -# Layer: services -# Module: cobbler -# -# cobbler -# -cobbler = module - -# Layer: services -# Module: comsat -# -# Comsat, a biff server. -# -comsat = module - -# Layer: services -# Module: corosync -# -# Corosync Cluster Engine Executive -# -corosync = module - -# Layer: services -# Module: clamav -# -# ClamAV Virus Scanner -# -clamav = module - -# Layer: system -# Module: clock -# -# Policy for reading and setting the hardware clock. -# -clock = base - -# Layer: services -# Module: consolekit -# -# ConsoleKit is a system daemon for tracking what users are logged -# -consolekit = module - -# Layer: admin -# Module: consoletype -# -# Determine of the console connected to the controlling terminal. -# -consoletype = base - -# Layer: kernel -# Module: corecommands -# Required in base -# -# Core policy for shells, and generic programs -# in /bin, /sbin, /usr/bin, and /usr/sbin. 
-# -corecommands = base - -# Layer: kernel -# Module: corenetwork -# Required in base -# -# Policy controlling access to network objects -# -corenetwork = base - -# Layer: services -# Module: cpucontrol -# -# Services for loading CPU microcode and CPU frequency scaling. -# -cpucontrol = base - -# Layer: services -# Module: cron -# -# Periodic execution of scheduled commands. -# -cron = base - -# Layer: services -# Module: cups -# -# Common UNIX printing system -# -cups = module - -# Layer: services -# Module: cvs -# -# Concurrent versions system -# -cvs = module - -# Layer: services -# Module: cyphesis -# -# cyphesis game server -# -cyphesis = module - -# Layer: services -# Module: cyrus -# -# Cyrus is an IMAP service intended to be run on sealed servers -# -cyrus = module - -# Layer: system -# Module: daemontools -# -# Collection of tools for managing UNIX services -# -daemontools = module - -# Layer: services -# Module: dbskk -# -# Dictionary server for the SKK Japanese input method system. -# -dbskk = module - -# Layer: services -# Module: dbus -# -# Desktop messaging bus -# -dbus = base - -# Layer: services -# Module: dcc -# -# A distributed, collaborative, spam detection and filtering network. -# -dcc = module - -# Layer: admin -# Module: ddcprobe -# -# ddcprobe retrieves monitor and graphics card information -# -ddcprobe = off - -# Layer: services -# Module: devicekit -# -# devicekit-daemon -# -devicekit = module - -# Layer: kernel -# Module: devices -# Required in base -# -# Device nodes and interfaces for many basic system devices. -# -devices = base - -# Layer: services -# Module: dhcp -# -# Dynamic host configuration protocol (DHCP) server -# -dhcp = module - -# Layer: services -# Module: dictd -# -# Dictionary daemon -# -dictd = module - -# Layer: services -# Module: distcc -# -# Distributed compiler daemon -# -distcc = off - -# Layer: admin -# Module: dmesg -# -# Policy for dmesg. 
-# -dmesg = base - -# Layer: admin -# Module: dmidecode -# -# Decode DMI data for x86/ia64 bioses. -# -dmidecode = base - -# Layer: system -# Module: domain -# Required in base -# -# Core policy for domains. -# -domain = base - -# Layer: services -# Module: dovecot -# -# Dovecot POP and IMAP mail server -# -dovecot = module - -# Layer: apps -# Module: gitosis -# -# Policy for gitosis -# -gitosis = module - -# Layer: apps -# Module: gpg -# -# Policy for GNU Privacy Guard and related programs. -# -gpg = module - -# Layer: services -# Module: gpsd -# -# gpsd monitor daemon -# -# -gpsd = module - -# Layer: services -# Module: git -# -# Policy for the stupid content tracker -# -git = module - -# Layer: services -# Module: gpm -# -# General Purpose Mouse driver -# -gpm = module - -# Layer: services -# Module: fail2ban -# -# daiemon that bans IP that makes too many password failures -# -fail2ban = module - -# Layer: services -# Module: fetchmail -# -# Remote-mail retrieval and forwarding utility -# -fetchmail = module - -# Layer: kernel -# Module: files -# Required in base -# -# Basic filesystem types and interfaces. -# -files = base - -# Layer: kernel -# Module: filesystem -# Required in base -# -# Policy for filesystems. -# -filesystem = base - -# Layer: services -# Module: finger -# -# Finger user information service. -# -finger = module - -# Layer: admin -# Module: firstboot -# -# Final system configuration run during the first boot -# after installation of Red Hat/Fedora systems. -# -firstboot = base - -# Layer: apps -# Module: firewallgui -# -# policy for system-config-firewall -# -firewallgui = module - -# Layer: services -# Module: fprintd -# -# finger print server -# -fprintd = module - -# Layer: system -# Module: fstools -# -# Tools for filesystem management, such as mkfs and fsck. 
-# -fstools = base - -# Layer: services -# Module: ftp -# -# File transfer protocol service -# -ftp = module - -# Layer: apps -# Module: games -# -# The Open Group Pegasus CIM/WBEM Server. -# -games = module - -# Layer: system -# Module: getty -# -# Policy for getty. -# -getty = base - -# Layer: apps -# Module: gnome -# -# gnome session and gconf -# -gnome = module - -# Layer: services -# Module: gnomeclock -# -# gnomeclock used by dbus/polkit to set time -# -gnomeclock = module - -# Layer: services -# Module: hal -# -# Hardware abstraction layer -# -hal = module - -# Layer: services -# Module: hddtemp -# -# hddtemp hard disk temperature tool running as a daemon -# -hddtemp = module - -# Layer: services -# Module: policykit -# -# Hardware abstraction layer -# -policykit = module - -# Layer: services -# Module: puppet -# -# A network tool for managing many disparate systems -# -puppet = module - -# Layer: apps -# Module: ptchown -# -# helper function for grantpt(3), changes ownship and permissions of pseudotty -# -ptchown = module - -# Layer: services -# Module: psad -# -# Analyze iptables log for hostile traffic -# -psad = module - -# Layer: system -# Module: hostname -# -# Policy for changing the system host name. -# -hostname = base - - -# Layer: system -# Module: hotplug -# -# Policy for hotplug system, for supporting the -# connection and disconnection of devices at runtime. -# -hotplug = base - -# Layer: services -# Module: howl -# -# Port of Apple Rendezvous multicast DNS -# -howl = module - -# Layer: services -# Module: inetd -# -# Internet services daemon. -# -inetd = base - -# Layer: system -# Module: init -# -# System initialization programs (init and init scripts). -# -init = base - -# Layer: services -# Module: inn -# -# Internet News NNTP server -# -inn = module - -# Layer: system -# Module: iptables -# -# Policy for iptables. 
-# -iptables = base - -# Layer: system -# Module: ipsec -# -# TCP/IP encryption -# -ipsec = module - -# Layer: apps -# Module: irc -# -# IRC client policy -# -irc = module - -# Layer: services -# Module: irqbalance -# -# IRQ balancing daemon -# -irqbalance = base - -# Layer: system -# Module: iscsi -# -# Open-iSCSI daemon -# -iscsi = module - -# Layer: services -# Module: icecast -# -# ShoutCast compatible streaming media server -# -icecast = module - -# Layer: services -# Module: i18n_input -# -# IIIMF htt server -# -i18n_input = off - - -# Layer: services -# Module: jabber -# -# Jabber instant messaging server -# -jabber = module - -# Layer: apps -# Module: java -# -# java executable -# -java = module - -# Layer: apps -# Module: execmem -# -# execmem executable -# -execmem = module - -# Layer: system -# Module: kdump -# -# kdump is kernel crash dumping mechanism -# -kdump = module - -# Layer: apps -# Module: kdumpgui -# -# system-config-kdump policy -# -kdumpgui = module - -# Layer: services -# Module: ksmtuned -# -# Kernel Samepage Merging (KSM) Tuning Daemon -# -ksmtuned = module - -# Layer: services -# Module: kerberos -# -# MIT Kerberos admin and KDC -# -kerberos = module - -# Layer: kernel -# Module: kernel -# Required in base -# -# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. -# -kernel = base - -# Layer: services -# Module: ktalk -# -# KDE Talk daemon -# -ktalk = module - -# Layer: admin -# Module: kudzu -# -# Hardware detection and configuration tools -# -kudzu = base - -# Layer: services -# Module: ldap -# -# OpenLDAP directory server -# -ldap = module - -# Layer: services -# Module: likewise -# -# Likewise Active Directory support for UNIX -# -likewise = module - -# Layer: system -# Module: libraries -# -# Policy for system libraries. -# -libraries = base - -# Layer: apps -# Module: loadkeys -# -# Load keyboard mappings. -# -loadkeys = base - -# Layer: system -# Module: locallogin -# -# Policy for local logins. 
-# -locallogin = base - -# Layer: apps -# Module: lockdev -# -# device locking policy for lockdev -# -lockdev = module - -# Layer: system -# Module: logging -# -# Policy for the kernel message logger and system logging daemon. -# -logging = base - -# Layer: admin -# Module: logrotate -# -# Rotate and archive system logs -# -logrotate = base - -# Layer: services -# Module: logwatch -# -# logwatch executable -# -logwatch = base - -# Layer: services -# Module: lpd -# -# Line printer daemon -# -lpd = module - -# Layer: services -# Module: lircd -# -# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket. -# -lircd = module - -# Layer: system -# Module: lvm -# -# Policy for logical volume management programs. -# -lvm = base - -# Layer: admin -# Module: mcelog -# -# Policy for mcelog. -# -mcelog = base - -# Layer: services -# Module: mailman -# -# Mailman is for managing electronic mail discussion and e-newsletter lists -# -mailman = module - -# Layer: kernel -# Module: mcs -# Required in base -# -# MultiCategory security policy -# -mcs = base - -# Layer: system -# Module: miscfiles -# -# Miscelaneous files. -# -miscfiles = base - -# Layer: kernel -# Module: mls -# Required in base -# -# Multilevel security policy -# -mls = base - -# Layer: services -# Module: mock -# -# Policy for mock rpm builder -# -mock = module - -# Layer: services -# Module: mojomojo -# -# Wiki server -# -mojomojo = module - -# Layer: system -# Module: modutils -# -# Policy for kernel module utilities -# -modutils = base - -# Layer: apps -# Module: mono -# -# mono executable -# -mono = module - -# Layer: system -# Module: mount -# -# Policy for mount. 
-# -mount = base - -# Layer: apps -# Module: mozilla -# -# Policy for Mozilla and related web browsers -# -mozilla = module - -# Layer: services -# Module: ntop -# -# Policy for ntop -# -ntop = module - -# Layer: services -# Module: nslcd -# -# Policy for nslcd -# -nslcd = module - -# Layer: apps -# Module: nsplugin -# -# Policy for nspluginwrapper -# -nsplugin = module - -# Layer: services -# Module: modemmanager -# -# Manager for dynamically switching between modems. -# -modemmanager = module - -# Layer: services -# Module: mpd -# -# mpd - daemon for playing music -# -mpd = module - -# Layer: apps -# Module: mplayer -# -# Policy for Mozilla and related web browsers -# -mplayer = module - -# Layer: apps -# Module: gpg -# -# Policy for Mozilla and related web browsers -# -gpg = module - -# Layer: admin -# Module: mrtg -# -# Network traffic graphing -# -mrtg = module - -# Layer: services -# Module: mta -# -# Policy common to all email tranfer agents. -# -mta = base - -# Layer: services -# Module: mysql -# -# Policy for MySQL -# -mysql = module - -# Layer: services -# Module: nagios -# -# policy for nagios Host/service/network monitoring program -# -nagios = module - -# Layer: admin -# Module: ncftool -# -# Tool to modify the network configuration of a system -# -ncftool = module - -# Layer: admin -# Module: ncftool -# -# Tool to modify the network configuration of a system -# -ncftool = module - -# Layer: admin -# Module: netutils -# -# Network analysis utilities -# -netutils = base - -# Layer: services -# Module: networkmanager -# -# Manager for dynamically switching between networks. 
-# -networkmanager = base - -# Layer: services -# Module: nis -# -# Policy for NIS (YP) servers and clients -# -nis = module - - -# Layer: services -# Module: nscd -# -# Name service cache daemon -# -nscd = base - - -# Layer: services -# Module: ntp -# -# Network time protocol daemon -# -ntp = module - -# Layer: services -# Module: nut -# -# nut - Network UPS Tools -# -nut = module - -# Layer: services -# Module: nx -# -# NX Remote Desktop -# -nx = module - - -# Layer: services -# Module: oddjob -# -# policy for oddjob -# -oddjob = module - -# Layer: services -# Module: openct -# -# Service for handling smart card readers. -# -openct = off - -# Layer: services -# Module: openvpn -# -# Policy for OPENVPN full-featured SSL VPN solution -# -openvpn = module - - -# Layer: service -# Module: pcscd -# -# PC/SC Smart Card Daemon -# -pcscd = module - -# Layer: service -# Module: openct -# -# Middleware framework for smart card terminals -# -openct = module - -# Layer: system -# Module: pcmcia -# -# PCMCIA card management services -# -pcmcia = base - -# Layer: services -# Module: pegasus -# -# The Open Group Pegasus CIM/WBEM Server. -# -pegasus = module - -# Layer: services -# Module: piranha -# -# piranha - various tools to administer and configure the Linux Virtual Server -# -piranha = module - -# Layer: services -# Module: postgresql -# -# PostgreSQL relational database -# -postgresql = module - -# Layer: services -# Module: portmap -# -# RPC port mapping service. 
-# -portmap = module - -# Layer: services -# Module: postfix -# -# Postfix email server -# -postfix = module - -# Layer: services -# Module: postgrey -# -# email scanner -# -postgrey = module - -# Layer: services -# Module: ppp -# -# Point to Point Protocol daemon creates links in ppp networks -# -ppp = module - -# Layer: admin -# Module: prelink -# -# Manage temporary directory sizes and file ages -# -prelink = base - -# Layer: services -# Module: procmail -# -# Procmail mail delivery agent -# -procmail = module - -# Layer: services -# Module: privoxy -# -# Privacy enhancing web proxy. -# -privoxy = module - -# Layer: services -# Module: publicfile -# -# publicfile supplies files to the public through HTTP and FTP -# -publicfile = module - -# Layer: apps -# Module: pulseaudio -# -# The PulseAudio Sound System -# -pulseaudio = module - -# Layer: services -# Module: qmail -# -# Policy for qmail -# -qmail = module - -# Layer: services -# Module: qpidd -# -# Policy for qpidd -# -qpidd = module - -# Layer: admin -# Module: quota -# -# File system quota management -# -quota = base - -# Layer: system -# Module: raid -# -# RAID array management tools -# -raid = base - -# Layer: services -# Module: radius -# -# RADIUS authentication and accounting server. 
-# -radius = module - -# Layer: services -# Module: radvd -# -# IPv6 router advertisement daemon -# -radvd = module - -# Layer: admin -# Module: readahead -# -# Readahead, read files into page cache for improved performance -# -readahead = base - -# Layer: services -# Module: rgmanager -# -# Red Hat Resource Group Manager -# -rgmanager = module - -# Layer: services -# Module: rhcs -# -# RHCS - Red Hat Cluster Suite -# -rhcs = module - -# Layer: services -# Module: aisexec -# -# RHCS - Red Hat Cluster Suite -# -aisexec = module - -# Layer: services -# Module: rgmanager -# -# rgmanager -# -rgmanager = module - -# Layer: services -# Module: clogd -# -# clogd - clustered mirror log server -# -clogd = module - -# Layer: services -# Module: cmirrord -# -# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster -# -cmirrord = module - -# Layer: services -# Module: rhgb -# -# X windows login display manager -# -rhgb = module - -# Layer: services -# Module: rdisc -# -# Network router discovery daemon -# -rdisc = module - -# Layer: services -# Module: remotelogin -# -# Policy for rshd, rlogind, and telnetd. -# -remotelogin = module - -# Layer: services -# Module: ricci -# -# policy for ricci -# -ricci = module - -# Layer: services -# Module: rlogin -# -# Remote login daemon -# -rlogin = module - -# Layer: services -# Module: roundup -# -# Roundup Issue Tracking System policy -# -roundup = module - -# Layer: services -# Module: rpc -# -# Remote Procedure Call Daemon for managment of network based process communication -# -rpc = base - -# Layer: admin -# Module: rpm -# -# Policy for the RPM package manager. -# -rpm = base - - -# Layer: services -# Module: rshd -# -# Remote shell service. 
-# -rshd = module - -# Layer: services -# Module: rsync -# -# Fast incremental file transfer for synchronization -# -rsync = module - -# Layer: services -# Module: rtkit -# -# Real Time Kit Daemon -# -rtkit = module - -# Layer: services -# Module: rwho -# -# who is logged in on local machines -# -rwho = module - -# Layer: services -# Module: samba -# -# SMB and CIFS client/server programs for UNIX and -# name Service Switch daemon for resolving names -# from Windows NT servers. -# -samba = module - -# Layer: apps -# Module: sandbox -# -# Experimental policy for running apps within a sandbox -# -sandbox = module - -# Layer: apps -# Module: sambagui -# -# policy for system-config-samba -# -sambagui = module - -# Layer: services -# Module: sasl -# -# SASL authentication server -# -sasl = module - -# Layer: apps -# Module: screen -# -# GNU terminal multiplexer -# -screen = module - -# Layer: kernel -# Module: selinux -# Required in base -# -# Policy for kernel security interface, in particular, selinuxfs. -# -selinux = base - -# Layer: system -# Module: selinuxutil -# -# Policy for SELinux policy and userland applications. -# -selinuxutil = base - -# Layer: services -# Module: sendmail -# -# Policy for sendmail. -# -sendmail = base - -# Layer: apps -# Module: seunshare -# -# seunshare executable -# -seunshare = module - -# Layer: admin -# Module: shorewall -# -# Policy for shorewall -# -shorewall = base - -# Layer: admin -# Module: shutdown -# -# Policy for shutdown -# -shutdown = module - -# Layer: admin -# Module: sectoolm -# -# Policy for sectool-mechanism -# -sectoolm = module - -# Layer: system -# Module: setrans -# Required in base -# -# Policy for setrans -# -setrans = base - -# Layer: services -# Module: setroubleshoot -# -# Policy for the SELinux troubleshooting utility -# -setroubleshoot = base - -# Layer: services -# Module: slrnpull -# -# Service for downloading news feeds the slrn newsreader. 
-# -slrnpull = off - -# Layer: apps -# Module: slocate -# -# Update database for mlocate -# -slocate = module - -# Layer: services -# Module: smartmon -# -# Smart disk monitoring daemon policy -# -smartmon = module - -# Layer: services -# Module: smokeping -# -# Latency Logging and Graphing System -# -smokeping = module - -# Layer: admin -# Module: smoltclient -# -#The Fedora hardware profiler client -# -smoltclient = module - -# Layer: services -# Module: snmp -# -# Simple network management protocol services -# -snmp = module - -# Layer: services -# Module: spamassassin -# -# Filter used for removing unsolicited email. -# -spamassassin = module - -# Layer: services -# Module: squid -# -# Squid caching http proxy server -# -squid = module - -# Layer: services -# Module: ssh -# -# Secure shell client and server policy. -# -ssh = base - -# Layer: services -# Module: sssd -# -# System Security Services Daemon -# -sssd = module - -# Layer: kernel -# Module: storage -# -# Policy controlling access to storage devices -# -storage = base - -# Layer: services -# Module: stunnel -# -# SSL Tunneling Proxy -# -stunnel = module - -# Layer: admin -# Module: su -# -# Run shells with substitute user and group -# -su = base - -# Layer: admin -# Module: sudo -# -# Execute a command with a substitute user -# -sudo = base - -# Layer: system -# Module: sysnetwork -# -# Policy for network configuration: ifconfig and dhcp client. -# -sysnetwork = base - - -# Layer: services -# Module: sysstat -# -# Policy for sysstat. Reports on various system states -# -sysstat = module - -# Layer: services -# Module: tcpd -# -# Policy for TCP daemon. -# -tcpd = module - -# Layer: services -# Module: tgtd -# -# Linux Target Framework Daemon. -# -tgtd = module - -# Layer: system -# Module: udev -# -# Policy for udev. 
-# -udev = base - -# Layer: services -# Module: usbmuxd -# -# Daemon for communicating with Apple's iPod Touch and iPhone -# -usbmuxd = module - -# Layer: system -# Module: userdomain -# -# Policy for user domains -# -userdomain = base - -# Layer: system -# Module: unconfined -# -# The unconfined domain. -# -unconfined = module - -# Layer: services -# Module: ulogd -# -# netfilter/iptables ULOG daemon -# -ulogd = module - -# Layer: services -# Module: vhostmd -# -# vhostmd - A metrics gathering daemon -# -vhostmd = module - -# Layer: apps -# Module: wine -# -# wine executable -# -wine = module - -# Layer: apps -# Module: wireshark -# -# wireshark executable -# -wireshark = module - -# Layer: apps -# Module: telepathy -# -# telepathy - Policy for Telepathy framework -# -telepathy = module - -# Layer: admin -# Module: tzdata -# -# Policy for tzdata-update -# -tzdata = base - -# Layer: apps -# Module: userhelper -# -# A helper interface to pam. -# -userhelper = module - -# Layer: services -# Module: tor -# -# TOR, the onion router -# -tor = module - -# Layer: apps -# Module: tvtime -# -# tvtime - a high quality television application -# -tvtime = module - -# Layer: apps -# Module: uml -# -# Policy for UML -# -uml = module - -# Layer: admin -# Module: usbmodules -# -# List kernel modules of USB devices -# -usbmodules = module - -# Layer: apps -# Module: usernetctl -# -# User network interface configuration helper -# -usernetctl = module - -# Layer: system -# Module: xen -# -# virtualization software -# -xen = module - -# Layer: services -# Module: varnishd -# -# Varnishd http accelerator daemon -# -varnishd = module - -# Layer: services -# Module: virt -# -# Virtualization libraries -# -virt = module - -# Layer: apps -# Module: qemu -# -# Virtualization emulator -# -qemu = module - -# Layer: system -# Module: brctl -# -# Utilities for configuring the linux ethernet bridge -# -brctl = base - -# Layer: services -# Module: telnet -# -# Telnet daemon -# -telnet = module - 
-# Layer: services -# Module: timidity -# -# MIDI to WAV converter and player configured as a service -# -timidity = off - -# Layer: services -# Module: tftp -# -# Trivial file transfer protocol daemon -# -tftp = module - -# Layer: services -# Module: tuned -# -# Dynamic adaptive system tuning daemon -# -tuned = module - -# Layer: services -# Module: uucp -# -# Unix to Unix Copy -# -uucp = module - -# Layer: services -# Module: vbetool -# -# run real-mode video BIOS code to alter hardware state -# -vbetool = base - -# Layer: apps -# Module: webalizer -# -# Web server log analysis -# -webalizer = module - -# Layer: services -# Module: xfs -# -# X Windows Font Server -# -xfs = module - -# Layer: services -# Module: xserver -# -# X windows login display manager -# -xserver = base - -# Layer: services -# Module: zarafa -# -# Zarafa Collaboration Platform -# -zarafa = module - -# Layer: services -# Module: zebra -# -# Zebra border gateway protocol network routing service -# -zebra = module - -# Layer: admin -# Module: usermanage -# -# Policy for managing user accounts. -# -usermanage = base - -# Layer: admin -# Module: updfstab -# -# Red Hat utility to change /etc/fstab. -# -updfstab = base - -# Layer: admin -# Module: vpn -# -# Virtual Private Networking client -# -vpn = module - -# Layer: admin -# Module: vbetool -# -# run real-mode video BIOS code to alter hardware state -# -vbetool = base - -# Layer: kernel -# Module: terminal -# Required in base -# -# Policy for terminals. 
-# -terminal = base - -# Layer: admin -# Module: tmpreaper -# -# Manage temporary directory sizes and file ages -# -tmpreaper = module - -# Layer: admin -# Module: amtu -# -# Abstract Machine Test Utility (AMTU) -# -amtu = module - -# Layer: services -# Module: zabbix -# -# Open-source monitoring solution for your IT infrastructure -# -zabbix = module - -# Layer: services -# Module: apcupsd -# -# daemon for most APC’s UPS for Linux -# -apcupsd = module - -# Layer: services -# Module: aide -# -# Policy for aide -# -aide = module - -# Layer: services -# Module: w3c -# -# w3c -# -w3c = module - -# Layer: services -# Module: plymouthd -# -# Plymouth -# -plymouthd = module - -# Layer: services -# Module: portreserve -# -# reserve ports to prevent portmap mapping them -# -portreserve = module - -# Layer: services -# Module: rpcbind -# -# universal addresses to RPC program number mapper -# -rpcbind = module - -# Layer: apps -# Module: rssh -# -# Restricted (scp/sftp) only shell -# -rssh = module - -# Layer: apps -# Module: vmware -# -# VMWare Workstation virtual machines -# -vmware = module - -# Layer: role -# Module: logadm -# -# Minimally prived root role for managing logging system -# -logadm = module - -# Layer: role -# Module: webadm -# -# Minimally prived root role for managing apache -# -webadm = module - -# -# Layer: services -# Module: exim -# -# exim mail server -# -exim = module - - -# Layer: services -# Module: kismet -# -# Wireless sniffing and monitoring -# -kismet = module - -# Layer: services -# Module: munin -# -# Munin -# -munin = module - -# Layer: services -# Module: bitlbee -# -# An IRC to other chat networks gateway -# -bitlbee = module - -# Layer: system -# Module: sosreport -# -# sosreport debuggin information generator -# -sosreport = module - -# Layer: services -# Module: soundserver -# -# sound server for network audio server programs, nasd, yiff, etc -# -soundserver = module - -# Layer: role -# Module: unconfineduser -# -# The unconfined user 
domain. -# -unconfineduser = module - -# Layer:role -# Module: staff -# -# admin account -# -staff = module - -# Layer:role -# Module: sysadm -# -# System Administrator -# -sysadm = base - -# Layer: role -# Module: unprivuser -# -# Minimally privs guest account on tty logins -# -unprivuser = module - -# Layer: services -# Module: prelude -# -prelude = module - -# Layer: services -# Module: pads -# -pads = module - -# Layer: services -# Module: kerneloops -# -# program to collect and submit kernel oopses to kerneloops.org -# -kerneloops = module - -# Layer: apps -# Module: openoffice -# -# openoffice executable -# -openoffice = module - -# Layer: apps -# Module: podsleuth -# -# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods. -# -podsleuth = module - -# Layer: role -# Module: guest -# -# Minimally privs guest account on tty logins -# -guest = module - -# Layer: role -# Module: xguest -# -# Minimally privs guest account on X Windows logins -# -xguest = module - -# Layer: services -# Module: cgroup -# -# Tools and libraries to control and monitor control groups -# -cgroup = module - -# Layer: services -# Module: courier -# -# IMAP and POP3 email servers -# -courier = module - -# Layer: services -# Module: denyhosts -# -# script to help thwart ssh server attacks -# -denyhosts = module - -# Layer: apps -# Module: livecd -# -# livecd creator -# -livecd = module - -# Layer: services -# Module: snort -# -# Snort network intrusion detection system -# -snort = module - -# Layer: services -# Module: memcached -# -# high-performance memory object caching system -# -memcached = module - -# Layer: system -# Module: netlabel -# -# Basic netlabel types and interfaces. -# -netlabel = module - -# Layer: services -# Module: zosremote -# -# policy for z/OS Remote-services Audit dispatcher plugin -# -zosremote = module - -# Layer: services -# Module: pingd -# -# -pingd = module - -# Layer: services -# Module: milter -# -# -# -milter = module 
diff --git a/modules-minimum.conf b/modules-minimum.conf new file mode 120000 index 00000000..f6016594 --- /dev/null +++ b/modules-minimum.conf @@ -0,0 +1 @@ +modules-targeted.conf \ No newline at end of file diff --git a/modules-mls.conf b/modules-mls.conf index e73af3b0..c406c691 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -1812,6 +1812,13 @@ telepathy = module # vmware = module +# Layer: role +# Module: dbadm +# +# Minimally prived root role for managing databases +# +dbadm = module + # Layer: role # Module: logadm # diff --git a/modules-targeted.conf b/modules-targeted.conf index 0b350d33..3164f2c5 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2015,6 +2015,13 @@ rssh = module # vmware = module +# Layer: role +# Module: dbadm +# +# Minimally prived root role for managing databases +# +dbadm = module + # Layer: role # Module: logadm # diff --git a/policy-F14.patch b/policy-F14.patch index 11cdb34a..9247ef9d 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -502,14 +502,18 @@ index 89b9f2a..9cba75f 100644 pcscd_read_pub_files(certwatch_t) ') diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te -index 2b12a37..ce00934 100644 +index 2b12a37..a370656 100644 --- a/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te -@@ -85,6 +85,7 @@ optional_policy(` - hal_dontaudit_rw_pipes(consoletype_t) - hal_dontaudit_rw_dgram_sockets(consoletype_t) - hal_dontaudit_write_log(consoletype_t) -+ hal_dontaudit_read_pid_files(consoletype_t) +@@ -81,10 +81,7 @@ optional_policy(` + ') + + optional_policy(` +- hal_dontaudit_use_fds(consoletype_t) +- hal_dontaudit_rw_pipes(consoletype_t) +- hal_dontaudit_rw_dgram_sockets(consoletype_t) +- hal_dontaudit_write_log(consoletype_t) ++ hal_dontaudit_leaks(consoletype_t) ') optional_policy(` 
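Review bot: Turning modules-minimum.conf into a symlink to modules-targeted.conf makes the minimum build inherit every entry of the targeted list, including modules the deleted file explicitly disabled (`ddcprobe = off`, `distcc = off`, `i18n_input = off`, `slrnpull = off`, `timidity = off`); whether modules-targeted.conf disables the same ones is not visible here, so confirm that before the minimum variant silently gains those modules. The deleted list also carried duplicate and partly conflicting entries (`openct = off` followed later by `openct = module`, `gpg`, `ncftool`, `rgmanager` and `vbetool` each listed twice), so if the two files were meant to be identical apart from such leftovers, one sentence in the commit message saying so would spare the next reader a 2216-line comparison.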
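Review bot: The new `dbadm = module` entry is enabled in modules-mls.conf and modules-targeted.conf (and, through the new symlink, in the minimum build), yet no hunk visible on this page adds the dbadm module itself to policy-F14.patch; confirm the role's .te/.if/.fc are part of the 469-line policy-F14.patch change or of the upstream tarball, otherwise the module list names a module that cannot be built. The description `# Minimally prived root role for managing databases` copies the `prived` spelling of the neighbouring logadm and webadm entries; `# Minimally privileged root role for managing databases` would read better, here and in the identical modules-targeted.conf hunk.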
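Review bot: The rewritten consoletype.te hunk drops `hal_dontaudit_read_pid_files(consoletype_t)`, which the previous version of this patch added, while replacing the four hal_dontaudit_* calls with `hal_dontaudit_leaks(consoletype_t)`; unless hal_dontaudit_leaks also covers pid-file reads, the denial that motivated the dropped line will reappear in the audit log. hal_dontaudit_leaks is not defined in any hunk visible here, so confirm that this revision of policy-F14.patch also adds it to hal.if, or the module will not build. Because one aggregate dontaudit interface silences several classes of access at once, a short comment above the call naming what it is meant to hide, e.g. `# silence fd/pipe/dgram-socket/log denials leaked from hal`, keeps the intent reviewable.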
@@ -1672,6 +1676,19 @@ index 6a5004b..50cd538 100644 rpm_manage_cache(tmpreaper_t) ') +diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te +index aa9636d..7851643 100644 +--- a/policy/modules/admin/tzdata.te ++++ b/policy/modules/admin/tzdata.te +@@ -15,7 +15,7 @@ application_domain(tzdata_t, tzdata_exec_t) + # tzdata local policy + # + +-files_read_etc_files(tzdata_t) ++files_read_config_files(tzdata_t) + files_search_spool(tzdata_t) + + fs_getattr_xattr_fs(tzdata_t) diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if index aecbf1c..0b5e634 100644 --- a/policy/modules/admin/usermanage.if @@ -2341,7 +2358,7 @@ index 00a19e3..46db5ff 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..852f36f 100644 +index f5afe78..ffd9870 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -37,8 +37,26 @@ interface(`gnome_role',` @@ -2520,7 +2537,7 @@ index f5afe78..852f36f 100644 ## ## ## -@@ -122,12 +189,52 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,12 +189,71 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -2538,6 +2555,25 @@ index f5afe78..852f36f 100644 + +######################################## +## ++## append to generic cache home files (.cache) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_append_generic_cache_files',` ++ gen_require(` ++ type cache_home_t; ++ ') ++ ++ append_files_pattern($1, cache_home_t, cache_home_t) ++ userdom_search_user_home_dirs($1) ++') ++ ++######################################## ++## +## write to generic cache home files (.cache) +## +## 
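Review bot: Replacing `files_read_etc_files(tzdata_t)` with `files_read_config_files(tzdata_t)` widens tzdata from etc_t to every type carrying the configfile attribute, and the hunk gives no hint which file actually triggered the change. If the denial was for one specific file, an interface scoped to that file's type keeps least privilege; otherwise a one-line comment such as `# needs <file>, labeled <type>, hence config files rather than etc_t` would let the next reviewer judge the grant. tzdata_t is an application domain that is normally run as root, so whatever the various config types protect is now readable from it.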
@@ -2576,7 +2612,7 @@ index f5afe78..852f36f 100644 ') ######################################## -@@ -151,40 +258,270 @@ interface(`gnome_setattr_config_dirs',` +@@ -151,40 +277,288 @@ interface(`gnome_setattr_config_dirs',` ######################################## ## @@ -2694,8 +2730,10 @@ index f5afe78..852f36f 100644 gen_require(` - type gnome_home_t; + type gconfd_exec_t; -+ ') -+ + ') + +- allow $1 gnome_home_t:dir manage_dir_perms; +- allow $1 gnome_home_t:file manage_file_perms; + can_exec($1, gconfd_exec_t) +') + @@ -2734,10 +2772,8 @@ index f5afe78..852f36f 100644 +interface(`gnome_search_gconf',` + gen_require(` + type gconf_home_t; - ') - -- allow $1 gnome_home_t:dir manage_dir_perms; -- allow $1 gnome_home_t:file manage_file_perms; ++ ') ++ + allow $1 gconf_home_t:dir search_dir_perms; userdom_search_user_home_dirs($1) ') @@ -2805,7 +2841,7 @@ index f5afe78..852f36f 100644 + +######################################## +## -+## read gnome homedir content (.config) ++## list gnome homedir content (.config) +## +## +## @@ -2823,6 +2859,24 @@ index f5afe78..852f36f 100644 + +######################################## +## ++## read gnome homedir content (.config) ++## ++## ++## ++## The type of the user domain. ++## ++## ++# ++template(`gnome_read_home_config',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ read_files_pattern($1, config_home_t, config_home_t) ++') ++ ++######################################## ++## +## Read/Write all inherited gnome home config +## +## @@ -6621,7 +6675,7 @@ index 9d24449..9782698 100644 /opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) /opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if -index c26662d..9cbfded 100644 +index c26662d..62e455a 100644 --- a/policy/modules/apps/wine.if +++ b/policy/modules/apps/wine.if @@ -29,12 +29,16 @@ 
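Review bot: `gnome_read_home_config` is declared as a `template` but uses `$1` directly as a domain in `read_files_pattern`, while its parameter doc says "The type of the user domain"; the sibling additions in this series (e.g. `gnome_append_generic_cache_files`) are `interface`s documented as "Domain allowed access", so this one should be `interface(`gnome_read_home_config',` with the doc line `## Domain allowed access.` It also omits `userdom_search_user_home_dirs($1)`, which the append interface includes, so a caller without home-directory search of its own cannot actually reach ~/.config; either add that call or state in the doc that the caller must provide it.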
@@ -6641,7 +6695,17 @@ index c26662d..9cbfded 100644 allow wine_t $2:fd use; allow wine_t $2:process { sigchld signull }; allow wine_t $2:unix_stream_socket connectto; -@@ -86,6 +90,7 @@ template(`wine_role',` +@@ -44,8 +48,7 @@ template(`wine_role',` + allow $2 wine_t:process signal_perms; + + allow $2 wine_t:fd use; +- allow $2 wine_t:shm { associate getattr }; +- allow $2 wine_t:shm { unix_read unix_write }; ++ allow $2 wine_t:shm { associate getattr unix_read unix_write }; + allow $2 wine_t:unix_stream_socket connectto; + + # X access, Home files +@@ -86,6 +89,7 @@ template(`wine_role',` # template(`wine_role_template',` gen_require(` @@ -6649,7 +6713,7 @@ index c26662d..9cbfded 100644 type wine_exec_t; ') -@@ -101,9 +106,16 @@ template(`wine_role_template',` +@@ -101,9 +105,16 @@ template(`wine_role_template',` corecmd_bin_domtrans($1_wine_t, $1_t) userdom_unpriv_usertype($1, $1_wine_t) @@ -6668,6 +6732,29 @@ index c26662d..9cbfded 100644 optional_policy(` xserver_role($1_r, $1_wine_t) +@@ -153,3 +164,22 @@ interface(`wine_run',` + wine_domtrans($1) + role $2 types wine_t; + ') ++ ++######################################## ++## ++## Read and write wine Shared ++## memory segments. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`wine_rw_shm',` ++ gen_require(` ++ type wine_t; ++ ') ++ ++ allow $1 wine_t:shm rw_shm_perms; ++') diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te index 8af45db..6fe38a1 100644 --- a/policy/modules/apps/wine.te @@ -7703,7 +7790,7 @@ index 3517db2..bd4c23d 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 5302dac..73e4119 100644 +index 5302dac..96a406d 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` 
@@ -8001,7 +8088,32 @@ index 5302dac..73e4119 100644 ') ######################################## -@@ -5138,12 +5355,12 @@ interface(`files_getattr_generic_locks',` +@@ -4718,6 +4935,24 @@ interface(`files_read_var_files',` + + ######################################## + ## ++## Append files in the /var directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_append_var_files',` ++ gen_require(` ++ type var_t; ++ ') ++ ++ append_files_pattern($1, var_t, var_t) ++') ++ ++######################################## ++## + ## Read and write files in the /var directory. + ## + ## +@@ -5138,12 +5373,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -8019,7 +8131,7 @@ index 5302dac..73e4119 100644 ') ######################################## -@@ -5317,6 +5534,43 @@ interface(`files_search_pids',` +@@ -5317,6 +5552,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -8063,7 +8175,7 @@ index 5302dac..73e4119 100644 ######################################## ## ## Do not audit attempts to search -@@ -5524,6 +5778,26 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5524,6 +5796,26 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -8090,7 +8202,7 @@ index 5302dac..73e4119 100644 ## Read all process ID files. ## ## -@@ -5541,6 +5815,7 @@ interface(`files_read_all_pids',` +@@ -5541,6 +5833,7 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -8098,7 +8210,7 @@ index 5302dac..73e4119 100644 ') ######################################## -@@ -5826,3 +6101,229 @@ interface(`files_unconfined',` +@@ -5826,3 +6119,229 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -8610,7 +8722,7 @@ index e3e17ba..3b34959 100644 +') + 
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index fb63c3a..712e644 100644 +index fb63c3a..3561f03 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -52,6 +52,7 @@ type anon_inodefs_t; @@ -8621,7 +8733,7 @@ index fb63c3a..712e644 100644 type bdev_t; fs_type(bdev_t) -@@ -67,7 +68,7 @@ fs_type(capifs_t) +@@ -67,10 +68,11 @@ fs_type(capifs_t) files_mountpoint(capifs_t) genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) @@ -8630,7 +8742,11 @@ index fb63c3a..712e644 100644 fs_type(cgroup_t) files_type(cgroup_t) files_mountpoint(cgroup_t) -@@ -106,6 +107,15 @@ fs_type(ibmasmfs_t) ++dev_associate_sysfs(cgroup_t) + genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) + + type configfs_t; +@@ -106,6 +108,15 @@ fs_type(ibmasmfs_t) allow ibmasmfs_t self:filesystem associate; genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0) @@ -8646,7 +8762,7 @@ index fb63c3a..712e644 100644 type inotifyfs_t; fs_type(inotifyfs_t) genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) -@@ -148,6 +158,12 @@ fs_type(squash_t) +@@ -148,6 +159,12 @@ fs_type(squash_t) genfscon squash / gen_context(system_u:object_r:squash_t,s0) files_mountpoint(squash_t) @@ -8659,7 +8775,7 @@ index fb63c3a..712e644 100644 type vmblock_t; fs_noxattr_type(vmblock_t) files_mountpoint(vmblock_t) -@@ -248,6 +264,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -248,6 +265,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -10282,10 +10398,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..faef468 +index 0000000..821d0dd --- /dev/null 
+++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,458 @@ +@@ -0,0 +1,462 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -10474,7 +10590,11 @@ index 0000000..faef468 + ') + + optional_policy(` -+ xserver_rw_shm(unconfined_usertype) ++ gen_require(` ++ type user_tmpfs_t; ++ ') ++ ++ xserver_rw_session(unconfined_usertype, user_tmpfs_t) + xserver_run_xauth(unconfined_usertype, unconfined_r) + xserver_dbus_chat_xdm(unconfined_usertype) + ') @@ -12631,7 +12751,7 @@ index 67c91aa..472ddad 100644 mta_system_content(apcupsd_tmp_t) ') diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te -index 1c8c27e..1a44ccb 100644 +index 1c8c27e..c6832b0 100644 --- a/policy/modules/services/apm.te +++ b/policy/modules/services/apm.te @@ -62,6 +62,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; @@ -12650,18 +12770,34 @@ index 1c8c27e..1a44ccb 100644 dev_read_realtime_clock(apmd_t) dev_read_urand(apmd_t) dev_rw_apm_bios(apmd_t) -@@ -144,6 +146,10 @@ ifdef(`distro_redhat',` +@@ -142,9 +144,8 @@ ifdef(`distro_redhat',` - # ifconfig_exec_t needs to be run in its own domain for Red Hat + can_exec(apmd_t, apmd_var_run_t) + +- # ifconfig_exec_t needs to be run in its own domain for Red Hat optional_policy(` +- sysnet_domtrans_ifconfig(apmd_t) ++ fstools_domtrans(apmd_t) + ') + + optional_policy(` +@@ -155,6 +156,15 @@ ifdef(`distro_redhat',` + netutils_domtrans(apmd_t) + ') + ++ # ifconfig_exec_t needs to be run in its own domain for Red Hat ++ optional_policy(` + sssd_search_lib(apmd_t) + ') + + optional_policy(` - sysnet_domtrans_ifconfig(apmd_t) - ') - -@@ -218,9 +224,13 @@ optional_policy(` ++ sysnet_domtrans_ifconfig(apmd_t) ++ ') ++ + ',` + # for ifconfig which is run all the time + kernel_dontaudit_search_sysctl(apmd_t) +@@ -218,9 +228,13 @@ optional_policy(` udev_read_state(apmd_t) #necessary? ') 
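Review bot: The new `gen_require(` type user_tmpfs_t; `)` inside an optional_policy block of unconfineduser.te reaches into another module's private type instead of going through an interface. If that type is ever renamed or moved, the whole optional block, including `xserver_run_xauth` and `xserver_dbus_chat_xdm`, is silently dropped at build time rather than failing, which would be a hard-to-notice regression for unconfined X sessions. A userdom interface that supplies the tmpfs type, or at least a comment recording the cross-module dependency, would make this explicit. The file is new in this patch, so its surrounding declarations are outside the hunk.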
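Review bot: The comment `# ifconfig_exec_t needs to be run in its own domain for Red Hat` now sits above the `sssd_search_lib(apmd_t)` block instead of the `sysnet_domtrans_ifconfig(apmd_t)` block it describes, which this hunk moves further down; the comment should move with it. Meanwhile the replacement `fstools_domtrans(apmd_t)` in the first block carries no comment at all, and it is the notable part of the change: apmd's event scripts can now run whatever fstools_t covers (typically fsck, mkfs, hdparm and similar) in that privileged domain. A line such as `# suspend/resume scripts run hdparm/fsck-style tools` naming the actual trigger would justify the grant.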
@@ -15329,10 +15465,23 @@ index 1b492ed..286ec9e 100644 + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if -index 305ddf4..2c2a551 100644 +index 305ddf4..fb3454a 100644 --- a/policy/modules/services/cups.if +++ b/policy/modules/services/cups.if -@@ -314,7 +314,7 @@ interface(`cups_stream_connect_ptal',` +@@ -190,10 +190,12 @@ interface(`cups_dbus_chat_config',` + interface(`cups_read_config',` + gen_require(` + type cupsd_etc_t, cupsd_rw_etc_t; ++ type hplip_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, cupsd_etc_t, cupsd_etc_t) ++ read_files_pattern($1, hplip_etc_t, hplip_etc_t) + read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) + ') + +@@ -314,11 +316,12 @@ interface(`cups_stream_connect_ptal',` interface(`cups_admin',` gen_require(` type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; @@ -15341,7 +15490,12 @@ index 305ddf4..2c2a551 100644 type cupsd_config_var_run_t, cupsd_lpd_var_run_t; type cupsd_var_run_t, ptal_etc_t; type ptal_var_run_t, hplip_var_run_t; -@@ -341,9 +341,6 @@ interface(`cups_admin',` + type cupsd_initrc_exec_t; ++ type hplip_etc_t; + ') + + allow $1 cupsd_t:process { ptrace signal_perms }; +@@ -341,15 +344,14 @@ interface(`cups_admin',` admin_pattern($1, cupsd_lpd_var_run_t) @@ -15351,6 +15505,14 @@ index 305ddf4..2c2a551 100644 admin_pattern($1, cupsd_tmp_t) files_list_tmp($1) + admin_pattern($1, cupsd_var_run_t) + files_list_pids($1) + ++ admin_pattern($1, hplip_etc_t) ++ + admin_pattern($1, hplip_var_run_t) + + admin_pattern($1, ptal_etc_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te index 0f28095..11e74af 100644 --- a/policy/modules/services/cups.te @@ -15706,7 +15868,7 @@ index 8ba9425..d53ee7e 100644 + gnome_dontaudit_search_config(denyhosts_t) +') 
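Review bot: Adding `read_files_pattern($1, hplip_etc_t, hplip_etc_t)` to `cups_read_config` silently extends every existing caller of that interface to HPLIP's configuration, not just the new udev caller this patch introduces. A dedicated interface (`hplip_read_config`, or `cups_read_hplip_config`) would keep the grant opt-in, and the `cups_admin` change in the same hunk already treats hplip_etc_t as a separate thing with `admin_pattern($1, hplip_etc_t)`. Minor style point: the new read line is inserted between the two cupsd_etc_t patterns; placing it after them keeps the related rules together.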
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te -index f231f17..a7de603 100644 +index f231f17..ccacea9 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) @@ -15734,7 +15896,7 @@ index f231f17..a7de603 100644 files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) files_read_etc_files(devicekit_disk_t) -@@ -178,13 +182,25 @@ optional_policy(` +@@ -178,17 +182,33 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') @@ -15761,7 +15923,23 @@ index f231f17..a7de603 100644 allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -225,6 +241,8 @@ auth_use_nsswitch(devicekit_power_t) + ++manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) ++manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) ++files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir }) ++ + manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) + manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) + files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) +@@ -212,6 +232,7 @@ dev_rw_generic_usb_dev(devicekit_power_t) + dev_rw_generic_chr_files(devicekit_power_t) + dev_rw_netcontrol(devicekit_power_t) + dev_rw_sysfs(devicekit_power_t) ++dev_read_rand(devicekit_power_t) + + files_read_kernel_img(devicekit_power_t) + files_read_etc_files(devicekit_power_t) +@@ -225,6 +246,8 @@ auth_use_nsswitch(devicekit_power_t) miscfiles_read_localization(devicekit_power_t) @@ -17104,10 +17282,10 @@ index 03742d8..7b9c543 100644 ') 
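Review bot: `manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)` together with `files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })` gives devicekit_power_t full control of a tmp type whose declaration is outside this hunk; if devicekit_tmp_t is the same type devicekit_disk_t already uses for its own temporary files, the two daemons can now read and replace each other's tmp content, so a dedicated devicekit_power_tmp_t would be the stricter choice. `dev_read_rand(devicekit_power_t)` also grants /dev/random rather than /dev/urandom; if the denial came from library seeding, `dev_read_urand` is the usual non-blocking fix. A short comment on what upower writes under /tmp would help the next reviewer.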
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if -index 7cf6763..d01cab6 100644 +index 7cf6763..5b9771e 100644 --- a/policy/modules/services/hal.if +++ b/policy/modules/services/hal.if -@@ -377,6 +377,26 @@ interface(`hal_read_pid_files',` +@@ -377,6 +377,25 @@ interface(`hal_read_pid_files',` ######################################## ## @@ -17125,8 +17303,7 @@ index 7cf6763..d01cab6 100644 + type hald_var_run_t; + ') + -+ files_search_pids($1) -+ allow $1 hald_var_run_t:file read_inherited_file_perms; ++ dontaudit $1 hald_var_run_t:file read_inherited_file_perms; +') + +######################################## @@ -17134,6 +17311,34 @@ index 7cf6763..d01cab6 100644 ## Read/Write hald PID files. ## ## +@@ -431,3 +450,27 @@ interface(`hal_manage_pid_files',` + files_search_pids($1) + manage_files_pattern($1, hald_var_run_t, hald_var_run_t) + ') ++ ++######################################## ++## ++## dontaudit read and write an leaked file descriptors ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hal_dontaudit_leaks',` ++ gen_require(` ++ type hald_log_t; ++ type hald_t; ++ type hald_var_run_t; ++ ') ++ ++ dontaudit $1 hald_t:fd use; ++ dontaudit $1 hald_log_t:file rw_inherited_file_perms; ++ dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit hald_t $1:socket_class_set { read write }; ++ dontaudit $1 hald_var_run_t:file read_inherited_file_perms; ++') diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te index 24c6253..0a54d67 100644 --- a/policy/modules/services/hal.te @@ -17233,19 +17438,21 @@ index 24c6253..0a54d67 100644 # # Local hald dccm policy diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te -index a57ffc0..fbcdd74 100644 +index a57ffc0..f441c9a 100644 --- a/policy/modules/services/icecast.te 
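Review bot: `hal_dontaudit_leaks` contains `dontaudit hald_t $1:socket_class_set { read write };`, a rule whose subject is hald_t rather than the caller `$1`; refpolicy interfaces normally only add rules with the caller as subject, and this one suppresses audit of hald itself reading and writing the caller's sockets, which is precisely the leak direction an administrator wants to see. Consider dropping that line, or placing it in hal.te under `hide_broken_symptoms` where its scope is visible. The summary line also has a typo: `## dontaudit read and write an leaked file descriptors` should read `## Do not audit attempts to read and write leaked hald file descriptors.`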
+++ b/policy/modules/services/icecast.te -@@ -37,6 +37,8 @@ manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) +@@ -37,7 +37,10 @@ manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) +kernel_read_system_state(icecast_t) + corenet_tcp_bind_soundd_port(icecast_t) ++corenet_tcp_connect_soundd_port(icecast_t) # Init script handling -@@ -51,5 +53,9 @@ miscfiles_read_localization(icecast_t) + domain_use_interactive_fds(icecast_t) +@@ -51,5 +54,9 @@ miscfiles_read_localization(icecast_t) sysnet_dns_name_resolve(icecast_t) optional_policy(` @@ -23017,10 +23224,19 @@ index a96249c..ca97ead 100644 role_transition $2 rpcbind_initrc_exec_t system_r; allow $2 system_r; diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te -index d6d76e1..af3353c 100644 +index d6d76e1..9cb5e25 100644 --- a/policy/modules/services/rpcbind.te +++ b/policy/modules/services/rpcbind.te -@@ -71,3 +71,7 @@ sysnet_dns_name_resolve(rpcbind_t) +@@ -43,6 +43,8 @@ kernel_read_system_state(rpcbind_t) + kernel_read_network_state(rpcbind_t) + kernel_request_load_module(rpcbind_t) + ++corecmd_exec_shell(rpcbind_t) ++ + corenet_all_recvfrom_unlabeled(rpcbind_t) + corenet_all_recvfrom_netlabel(rpcbind_t) + corenet_tcp_sendrecv_generic_if(rpcbind_t) +@@ -71,3 +73,7 @@ sysnet_dns_name_resolve(rpcbind_t) ifdef(`hide_broken_symptoms',` dontaudit rpcbind_t self:udp_socket listen; ') @@ -26774,7 +26990,7 @@ index da2601a..6ff8f25 100644 + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8084740..288d513 100644 +index 8084740..60da940 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -35,6 +35,13 @@ gen_tunable(allow_write_xshm, false) 
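Review bot: `corecmd_exec_shell(rpcbind_t)` lets the network-facing rpcbind daemon execute a shell in its own domain, with no comment saying why. rpcbind does not normally spawn shells, so if this was added for a helper or init-time script, a domain transition to that helper's domain (or a dontaudit, if it is a one-off at startup) is narrower than a permanent shell grant that an exploited rpcbind could use to run scripts inside rpcbind_t. At minimum add a line such as `# rpcbind invokes <helper> through sh` so the grant can be revisited.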
@@ -27578,7 +27794,7 @@ index 8084740..288d513 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -775,14 +1072,34 @@ optional_policy(` +@@ -775,20 +1072,44 @@ optional_policy(` ') optional_policy(` @@ -27614,7 +27830,17 @@ index 8084740..288d513 100644 optional_policy(` userhelper_search_config(xserver_t) -@@ -804,10 +1121,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; + ') + + optional_policy(` ++ wine_rw_shm(xserver_t) ++') ++ ++optional_policy(` + xfs_stream_connect(xserver_t) + ') + +@@ -804,10 +1125,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -27627,7 +27853,7 @@ index 8084740..288d513 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -828,6 +1145,13 @@ init_use_fds(xserver_t) +@@ -828,6 +1149,13 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -27641,7 +27867,7 @@ index 8084740..288d513 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -843,11 +1167,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -843,11 +1171,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -27658,7 +27884,7 @@ index 8084740..288d513 100644 ') optional_policy(` -@@ -993,3 +1320,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *; +@@ -993,3 +1324,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *; allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; 
@@ -30291,7 +30517,7 @@ index 9df8c4d..1d2236b 100644 +/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index bf416a4..6f36eca 100644 +index bf416a4..af2af2d 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot }; @@ -30330,7 +30556,18 @@ index bf416a4..6f36eca 100644 ifdef(`hide_broken_symptoms',` ifdef(`distro_gentoo',` # leaked fds from portage -@@ -141,6 +147,10 @@ optional_policy(` +@@ -131,6 +137,10 @@ optional_policy(` + ') + + optional_policy(` ++ gnome_append_generic_cache_files(ldconfig_t) ++') ++ ++optional_policy(` + puppet_rw_tmp(ldconfig_t) + ') + +@@ -141,6 +151,10 @@ optional_policy(` rpm_manage_script_tmp_files(ldconfig_t) ') @@ -30963,7 +31200,7 @@ index 9c0faab..def8d5a 100644 ## loading modules. ## diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 74a4466..a3b7b0d 100644 +index 74a4466..f39f39f 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -18,6 +18,7 @@ type insmod_t; @@ -30974,7 +31211,7 @@ index 74a4466..a3b7b0d 100644 role system_r types insmod_t; # module loading config -@@ -55,12 +56,14 @@ corecmd_search_bin(depmod_t) +@@ -55,12 +56,15 @@ corecmd_search_bin(depmod_t) domain_use_interactive_fds(depmod_t) 
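Review bot: `gnome_append_generic_cache_files(ldconfig_t)` gives ldconfig, which normally runs as root during package installation, append access to every file labeled cache_home_t under users' home directories. If this only exists because ldconfig inherits an open ~/.cache log from a desktop session that spawned it, the refpolicy convention is a dontaudit of the inherited descriptor under `hide_broken_symptoms` (as the portage case just above in this file does), not an allow, since a deliberate allow lets a confined root tool append to user-owned files. If the write is genuinely needed, a comment naming the caller that hands ldconfig the descriptor would justify it.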
@@ -30985,11 +31222,12 @@ index 74a4466..a3b7b0d 100644 files_read_etc_files(depmod_t) files_read_usr_src_files(depmod_t) files_list_usr(depmod_t) ++files_append_var_files(depmod_t) +files_read_boot_files(depmod_t) fs_getattr_xattr_fs(depmod_t) -@@ -74,6 +77,7 @@ userdom_use_user_terminals(depmod_t) +@@ -74,6 +78,7 @@ userdom_use_user_terminals(depmod_t) # Read System.map from home directories. files_list_home(depmod_t) userdom_read_user_home_content_files(depmod_t) @@ -30997,7 +31235,7 @@ index 74a4466..a3b7b0d 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -94,17 +98,21 @@ optional_policy(` +@@ -94,17 +99,21 @@ optional_policy(` rpm_manage_script_tmp_files(depmod_t) ') @@ -31020,7 +31258,7 @@ index 74a4466..a3b7b0d 100644 allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:udp_socket create_socket_perms; -@@ -125,6 +133,7 @@ kernel_write_proc_files(insmod_t) +@@ -125,6 +134,7 @@ kernel_write_proc_files(insmod_t) kernel_mount_debugfs(insmod_t) kernel_mount_kvmfs(insmod_t) kernel_read_debugfs(insmod_t) @@ -31028,7 +31266,7 @@ index 74a4466..a3b7b0d 100644 # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) -@@ -142,6 +151,7 @@ dev_rw_agp(insmod_t) +@@ -142,6 +152,7 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) @@ -31036,7 +31274,7 @@ index 74a4466..a3b7b0d 100644 domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -160,11 +170,15 @@ files_write_kernel_modules(insmod_t) +@@ -160,11 +171,15 @@ files_write_kernel_modules(insmod_t) fs_getattr_xattr_fs(insmod_t) fs_dontaudit_use_tmpfs_chr_dev(insmod_t) @@ -31052,7 +31290,7 @@ index 74a4466..a3b7b0d 100644 logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) -@@ -173,8 +187,7 @@ miscfiles_read_localization(insmod_t) +@@ -173,8 +188,7 @@ miscfiles_read_localization(insmod_t) seutil_read_file_contexts(insmod_t) 
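Review bot: `files_append_var_files(depmod_t)` grants append on generic var_t files, which on a correctly labeled system is the catch-all for content nothing else claimed; needing it usually means a file under /var is mislabeled rather than that depmod has a legitimate target. If depmod is appending to a log, the file should carry a log type and use a `logging_*` interface; if it is an inherited descriptor from a kernel-install script, a dontaudit is the usual pattern. Either way a comment naming the file, e.g. `# appends to /var/<path>`, would keep this from becoming a permanent generic grant.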
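Review bot: The new `ifdef(`hide_broken_symptoms', ` dontaudit load_policy_t $1:socket_class_set { read write }; `)` inside `seutil_domtrans_loadpolicy` is a rule with load_policy_t as subject placed in a caller-parameterized interface, so every domain that transitions to load_policy silently widens what load_policy_t may do without audit. Because load_policy_t is the domain that installs the security policy itself, hiding its use of leaked sockets from all callers is a broader audit gap than the per-caller leak it is meant to quiet; keeping the dontaudit in the leaking caller's own policy, or limiting it to that specific domain, keeps the suppression narrow. The same pattern is repeated for setfiles_t and semanage_t in the following hunks.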
@@ -31062,7 +31300,7 @@ index 74a4466..a3b7b0d 100644 userdom_dontaudit_search_user_home_dirs(insmod_t) if( ! secure_mode_insmod ) { -@@ -191,6 +204,10 @@ optional_policy(` +@@ -191,6 +205,10 @@ optional_policy(` ') optional_policy(` @@ -31073,7 +31311,7 @@ index 74a4466..a3b7b0d 100644 hal_write_log(insmod_t) ') -@@ -229,10 +246,18 @@ optional_policy(` +@@ -229,10 +247,18 @@ optional_policy(` rpm_rw_pipes(insmod_t) ') @@ -31691,10 +31929,21 @@ index 2cc4bda..9e81136 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 170e2c7..3f27d1b 100644 +index 170e2c7..bbaa8cf 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if -@@ -361,6 +361,27 @@ interface(`seutil_exec_restorecon',` +@@ -85,6 +85,10 @@ interface(`seutil_domtrans_loadpolicy',` + + corecmd_search_bin($1) + domtrans_pattern($1, load_policy_exec_t, load_policy_t) ++ ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit load_policy_t $1:socket_class_set { read write }; ++ ') + ') + + ######################################## +@@ -361,6 +365,27 @@ interface(`seutil_exec_restorecon',` ######################################## ## @@ -31722,7 +31971,18 @@ index 170e2c7..3f27d1b 100644 ## Execute run_init in the run_init domain. ## ## -@@ -545,6 +566,53 @@ interface(`seutil_run_setfiles',` +@@ -514,6 +539,10 @@ interface(`seutil_domtrans_setfiles',` + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, setfiles_exec_t, setfiles_t) ++ ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit setfiles_t $1:socket_class_set { read write }; ++ ') + ') + + ######################################## +@@ -545,6 +574,53 @@ interface(`seutil_run_setfiles',` ######################################## ## 
@@ -31776,7 +32036,7 @@ index 170e2c7..3f27d1b 100644 ## Execute setfiles in the caller domain. ## ## -@@ -690,6 +758,7 @@ interface(`seutil_manage_config',` +@@ -690,6 +766,7 @@ interface(`seutil_manage_config',` ') files_search_etc($1) @@ -31784,10 +32044,18 @@ index 170e2c7..3f27d1b 100644 manage_files_pattern($1, selinux_config_t, selinux_config_t) read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) ') -@@ -1009,6 +1078,26 @@ interface(`seutil_domtrans_semanage',` - - ######################################## - ## +@@ -1005,6 +1082,30 @@ interface(`seutil_domtrans_semanage',` + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, semanage_exec_t, semanage_t) ++ ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit semanage_t $1:socket_class_set { read write }; ++ ') ++') ++ ++######################################## ++## +## Execute a domain transition to run setsebool. +## +## @@ -31804,14 +32072,10 @@ index 170e2c7..3f27d1b 100644 + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, setsebool_exec_t, setsebool_t) -+') -+ -+######################################## -+## - ## Execute semanage in the semanage domain, and - ## allow the specified role the semanage domain, - ## and use the caller's terminal. -@@ -1038,6 +1127,54 @@ interface(`seutil_run_semanage',` + ') + + ######################################## +@@ -1038,6 +1139,54 @@ interface(`seutil_run_semanage',` ######################################## ## @@ -31866,7 +32130,7 @@ index 170e2c7..3f27d1b 100644 ## Full management of the semanage ## module store. ## -@@ -1149,3 +1286,194 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1149,3 +1298,194 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -33234,7 +33498,7 @@ index 025348a..59bc26b 100644 ######################################## 
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index a054cf5..a5d4a43 100644 +index a054cf5..8451600 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto; @@ -33282,7 +33546,7 @@ index a054cf5..a5d4a43 100644 ') optional_policy(` -@@ -216,6 +224,10 @@ optional_policy(` +@@ -216,11 +224,16 @@ optional_policy(` ') optional_policy(` @@ -33293,7 +33557,24 @@ index a054cf5..a5d4a43 100644 consoletype_exec(udev_t) ') -@@ -259,6 +271,10 @@ optional_policy(` + optional_policy(` + cups_domtrans_config(udev_t) ++ cups_read_config(udev_t) + ') + + optional_policy(` +@@ -233,6 +246,10 @@ optional_policy(` + ') + + optional_policy(` ++ gnome_read_home_config(udev_t) ++') ++ ++optional_policy(` + lvm_domtrans(udev_t) + ') + +@@ -259,6 +276,10 @@ optional_policy(` ') optional_policy(` @@ -33304,7 +33585,7 @@ index a054cf5..a5d4a43 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +289,10 @@ optional_policy(` +@@ -273,6 +294,10 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 4e87e9aa..a39aad92 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.0 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,10 @@ exit 0 %endif %changelog +* Thu Aug 26 2010 Dan Walsh 3.9.0-2 +- More access needed for devicekit +- Add dbadm policy + * Thu Aug 26 2010 Dan Walsh 3.9.0-1 - Merge with upstream diff --git a/sources b/sources index 5304f11a..cb5f5646 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -1f8151f0184945098f3cc3ca0b53e861 serefpolicy-3.8.8.tgz 9012ab09af5480459942d4a54de91db4 serefpolicy-3.9.0.tgz
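Review bot: `gnome_read_home_config(udev_t)` lets the system udev daemon read every file labeled config_home_t (~/.config) for every user, and the hunk gives no rule or comment saying which udev helper needs it. Per-user configuration can hold application credentials and tokens, so a root daemon reading it wholesale deserves at least a comment naming the helper, and ideally a transition of that helper into its own domain rather than widening udev_t. The `cups_read_config(udev_t)` addition in the same hunk is reasonable next to the existing `cups_domtrans_config(udev_t)`.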