- Allow users to execute all files in homedir, if boolean set
- Allow mount to read samba config
This commit is contained in:
Daniel J Walsh
parent
27c7d85aab
commit
8a40d69539
|
|
@ -4546,8 +4546,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
|
|||
########################################
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in
|
||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-11-29 13:29:34.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in 2007-12-31 07:12:10.000000000 -0500
|
||||
@@ -122,6 +122,8 @@
|
||||
+++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in 2008-01-14 13:32:12.000000000 -0500
|
||||
@@ -82,6 +82,7 @@
|
||||
network_port(clockspeed, udp,4041,s0)
|
||||
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
|
||||
network_port(comsat, udp,512,s0)
|
||||
+network_port(cyphesis, udp,32771,s0, tcp,6767,s0, tcp,6769,s0)
|
||||
network_port(cvs, tcp,2401,s0, udp,2401,s0)
|
||||
network_port(dcc, udp,6276,s0, udp,6277,s0)
|
||||
network_port(dbskkd, tcp,1178,s0)
|
||||
@@ -122,6 +123,8 @@
|
||||
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
||||
network_port(monopd, tcp,1234,s0)
|
||||
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
||||
|
|
@ -4556,7 +4564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
|||
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
|
||||
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
|
||||
network_port(nessus, tcp,1241,s0)
|
||||
@@ -133,6 +135,7 @@
|
||||
@@ -133,6 +136,7 @@
|
||||
network_port(pegasus_http, tcp,5988,s0)
|
||||
network_port(pegasus_https, tcp,5989,s0)
|
||||
network_port(postfix_policyd, tcp,10031,s0)
|
||||
|
|
@ -4564,6 +4572,256 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
|
|||
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
|
||||
network_port(portmap, udp,111,s0, tcp,111,s0)
|
||||
network_port(postgresql, tcp,5432,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in.cyphesis serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in.cyphesis
|
||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in.cyphesis 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in.cyphesis 2007-12-31 07:12:10.000000000 -0500
|
||||
@@ -0,0 +1,246 @@
|
||||
+
|
||||
+policy_module(corenetwork,1.2.14)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+attribute client_packet_type;
|
||||
+attribute netif_type;
|
||||
+attribute node_type;
|
||||
+attribute packet_type;
|
||||
+attribute port_type;
|
||||
+attribute reserved_port_type;
|
||||
+attribute rpc_port_type;
|
||||
+attribute server_packet_type;
|
||||
+
|
||||
+attribute corenet_unconfined_type;
|
||||
+
|
||||
+type ppp_device_t;
|
||||
+dev_node(ppp_device_t)
|
||||
+
|
||||
+#
|
||||
+# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
|
||||
+#
|
||||
+type tun_tap_device_t;
|
||||
+dev_node(tun_tap_device_t)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Ports and packets
|
||||
+#
|
||||
+
|
||||
+#
|
||||
+# client_packet_t is the default type of IPv4 and IPv6 client packets.
|
||||
+#
|
||||
+type client_packet_t, packet_type, client_packet_type;
|
||||
+
|
||||
+#
|
||||
+# The netlabel_peer_t is used by the kernel's NetLabel subsystem for network
|
||||
+# connections using NetLabel which do not carry full SELinux contexts.
|
||||
+#
|
||||
+type netlabel_peer_t;
|
||||
+sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
|
||||
+
|
||||
+#
|
||||
+# port_t is the default type of INET port numbers.
|
||||
+#
|
||||
+type port_t, port_type;
|
||||
+sid port gen_context(system_u:object_r:port_t,s0)
|
||||
+
|
||||
+#
|
||||
+# reserved_port_t is the type of INET port numbers below 1024.
|
||||
+#
|
||||
+type reserved_port_t, port_type, reserved_port_type;
|
||||
+
|
||||
+#
|
||||
+# hi_reserved_port_t is the type of INET port numbers between 600-1023.
|
||||
+#
|
||||
+type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
|
||||
+
|
||||
+#
|
||||
+# server_packet_t is the default type of IPv4 and IPv6 server packets.
|
||||
+#
|
||||
+type server_packet_t, packet_type, server_packet_type;
|
||||
+
|
||||
+network_port(afs_bos, udp,7007,s0)
|
||||
+network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
|
||||
+network_port(afs_ka, udp,7004,s0)
|
||||
+network_port(afs_pt, udp,7002,s0)
|
||||
+network_port(afs_vl, udp,7003,s0)
|
||||
+network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
|
||||
+network_port(amavisd_recv, tcp,10024,s0)
|
||||
+network_port(amavisd_send, tcp,10025,s0)
|
||||
+network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0)
|
||||
+network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
|
||||
+network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
|
||||
+network_port(auth, tcp,113,s0)
|
||||
+network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
|
||||
+type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
|
||||
+network_port(clamd, tcp,3310,s0)
|
||||
+network_port(clockspeed, udp,4041,s0)
|
||||
+network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
|
||||
+network_port(comsat, udp,512,s0)
|
||||
+network_port(cvs, tcp,2401,s0, udp,2401,s0)
|
||||
+network_port(dcc, udp,6276,s0, udp,6277,s0)
|
||||
+network_port(dbskkd, tcp,1178,s0)
|
||||
+network_port(dhcpc, udp,68,s0)
|
||||
+network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0)
|
||||
+network_port(dict, tcp,2628,s0)
|
||||
+network_port(distccd, tcp,3632,s0)
|
||||
+network_port(dns, udp,53,s0, tcp,53,s0)
|
||||
+network_port(fingerd, tcp,79,s0)
|
||||
+network_port(ftp_data, tcp,20,s0)
|
||||
+network_port(ftp, tcp,21,s0)
|
||||
+network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
|
||||
+network_port(giftd, tcp,1213,s0)
|
||||
+network_port(gopher, tcp,70,s0, udp,70,s0)
|
||||
+network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
|
||||
+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
|
||||
+network_port(howl, tcp,5335,s0, udp,5353,s0)
|
||||
+network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
|
||||
+network_port(i18n_input, tcp,9010,s0)
|
||||
+network_port(imaze, tcp,5323,s0, udp,5323,s0)
|
||||
+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
|
||||
+network_port(innd, tcp,119,s0)
|
||||
+network_port(ipp, tcp,631,s0, udp,631,s0)
|
||||
+network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
|
||||
+network_port(ircd, tcp,6667,s0)
|
||||
+network_port(isakmp, udp,500,s0)
|
||||
+network_port(iscsi, tcp,3260,s0)
|
||||
+network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
|
||||
+network_port(jabber_interserver, tcp,5269,s0)
|
||||
+network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
|
||||
+network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
|
||||
+network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
|
||||
+network_port(ktalkd, udp,517,s0, udp,518,s0)
|
||||
+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
|
||||
+type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
|
||||
+network_port(lmtp, tcp,24,s0, udp,24,s0)
|
||||
+network_port(mail, tcp,2000,s0)
|
||||
+network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
||||
+network_port(monopd, tcp,1234,s0)
|
||||
+network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
||||
+network_port(munin, tcp,4949,s0, udp,4949,s0)
|
||||
+network_port(mythtv, tcp,6543,s0, udp,6543,s0)
|
||||
+network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
|
||||
+portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
|
||||
+network_port(nessus, tcp,1241,s0)
|
||||
+network_port(netsupport, tcp,5405,s0, udp,5405,s0)
|
||||
+network_port(nmbd, udp,137,s0, udp,138,s0)
|
||||
+network_port(ntp, udp,123,s0)
|
||||
+network_port(ocsp, tcp,9080,s0)
|
||||
+network_port(openvpn, tcp,1194,s0, udp,1194,s0)
|
||||
+network_port(pegasus_http, tcp,5988,s0)
|
||||
+network_port(pegasus_https, tcp,5989,s0)
|
||||
+network_port(postfix_policyd, tcp,10031,s0)
|
||||
+network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
|
||||
+network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
|
||||
+network_port(portmap, udp,111,s0, tcp,111,s0)
|
||||
+network_port(postgresql, tcp,5432,s0)
|
||||
+network_port(postgrey, tcp,60000,s0)
|
||||
+network_port(printer, tcp,515,s0)
|
||||
+network_port(ptal, tcp,5703,s0)
|
||||
+network_port(pxe, udp,4011,s0)
|
||||
+network_port(pyzor, udp,24441,s0)
|
||||
+network_port(radacct, udp,1646,s0, udp,1813,s0)
|
||||
+network_port(radius, udp,1645,s0, udp,1812,s0)
|
||||
+network_port(razor, tcp,2703,s0)
|
||||
+network_port(ricci, tcp,11111,s0, udp,11111,s0)
|
||||
+network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
|
||||
+network_port(rlogind, tcp,513,s0)
|
||||
+network_port(rndc, tcp,953,s0)
|
||||
+network_port(router, udp,520,s0)
|
||||
+network_port(rsh, tcp,514,s0)
|
||||
+network_port(rsync, tcp,873,s0, udp,873,s0)
|
||||
+network_port(rwho, udp,513,s0)
|
||||
+network_port(smbd, tcp,139,s0, tcp,445,s0)
|
||||
+network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
|
||||
+network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
|
||||
+network_port(spamd, tcp,783,s0)
|
||||
+network_port(ssh, tcp,22,s0)
|
||||
+network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
|
||||
+type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
|
||||
+type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
|
||||
+network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
|
||||
+network_port(swat, tcp,901,s0)
|
||||
+network_port(syslogd, udp,514,s0)
|
||||
+network_port(telnetd, tcp,23,s0)
|
||||
+network_port(tftp, udp,69,s0)
|
||||
+network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
|
||||
+network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0)
|
||||
+network_port(transproxy, tcp,8081,s0)
|
||||
+type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
|
||||
+network_port(uucpd, tcp,540,s0)
|
||||
+network_port(vnc, tcp,5900,s0)
|
||||
+network_port(wccp, udp,2048,s0)
|
||||
+network_port(xdmcp, udp,177,s0, tcp,177,s0)
|
||||
+network_port(xen, tcp,8002,s0)
|
||||
+network_port(xfs, tcp,7100,s0)
|
||||
+network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0, tcp,6020,s0)
|
||||
+network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
|
||||
+network_port(zope, tcp,8021,s0)
|
||||
+
|
||||
+# Defaults for reserved ports. Earlier portcon entries take precedence;
|
||||
+# these entries just cover any remaining reserved ports not otherwise declared.
|
||||
+
|
||||
+portcon tcp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
|
||||
+portcon udp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
|
||||
+portcon tcp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
|
||||
+portcon udp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Network nodes
|
||||
+#
|
||||
+
|
||||
+#
|
||||
+# node_t is the default type of network nodes.
|
||||
+# The node_*_t types are used for specific network
|
||||
+# nodes in net_contexts or net_contexts.mls.
|
||||
+#
|
||||
+type node_t, node_type;
|
||||
+sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
|
||||
+
|
||||
+network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
|
||||
+network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
|
||||
+type node_internal_t, node_type; dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy
|
||||
+network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, )
|
||||
+network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
|
||||
+network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::)
|
||||
+network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
|
||||
+network_node(site_local, s0, fec0::, ffc0::)
|
||||
+network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Network Interfaces
|
||||
+#
|
||||
+
|
||||
+#
|
||||
+# netif_t is the default type of network interfaces.
|
||||
+#
|
||||
+type netif_t, netif_type;
|
||||
+sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
|
||||
+
|
||||
+build_option(`enable_mls',`
|
||||
+network_interface(lo, lo,s0 - mls_systemhigh)
|
||||
+',`
|
||||
+typealias netif_t alias netif_lo_t;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Unconfined access to this module
|
||||
+#
|
||||
+
|
||||
+allow corenet_unconfined_type node_type:node *;
|
||||
+allow corenet_unconfined_type netif_type:netif *;
|
||||
+allow corenet_unconfined_type packet_type:packet *;
|
||||
+allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
|
||||
+allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
|
||||
+
|
||||
+# Bind to any network address.
|
||||
+allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
|
||||
+allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.2.5/policy/modules/kernel/devices.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-12-12 11:35:27.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/kernel/devices.fc 2007-12-31 08:18:04.000000000 -0500
|
||||
|
|
@ -5193,7 +5451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
|
|||
########################################
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.2.5/policy/modules/services/amavis.te
|
||||
--- nsaserefpolicy/policy/modules/services/amavis.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/amavis.te 2007-12-19 09:38:10.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/amavis.te 2008-01-14 13:46:45.000000000 -0500
|
||||
@@ -65,6 +65,7 @@
|
||||
# Spool Files
|
||||
manage_dirs_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
|
||||
|
|
@ -7172,9 +7430,139 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
|
|||
-optional_policy(`
|
||||
- nscd_socket_use(cvs_t)
|
||||
-')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.2.5/policy/modules/services/cyphesis.fc
|
||||
--- nsaserefpolicy/policy/modules/services/cyphesis.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/cyphesis.fc 2008-01-14 13:52:50.000000000 -0500
|
||||
@@ -0,0 +1,2 @@
|
||||
+
|
||||
+/usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.if serefpolicy-3.2.5/policy/modules/services/cyphesis.if
|
||||
--- nsaserefpolicy/policy/modules/services/cyphesis.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/cyphesis.if 2008-01-14 13:52:25.000000000 -0500
|
||||
@@ -0,0 +1,19 @@
|
||||
+## <summary>policy for cyphesis</summary>
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute a domain transition to run cyphesis.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`cyphesis_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type cyphesis_t, cyphesis_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ domtrans_pattern($1,cyphesis_exec_t,cyphesis_t)
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.te serefpolicy-3.2.5/policy/modules/services/cyphesis.te
|
||||
--- nsaserefpolicy/policy/modules/services/cyphesis.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/cyphesis.te 2008-01-14 14:41:56.000000000 -0500
|
||||
@@ -0,0 +1,97 @@
|
||||
+policy_module(cyphesis,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+type cyphesis_t;
|
||||
+type cyphesis_exec_t;
|
||||
+domain_type(cyphesis_t)
|
||||
+init_daemon_domain(cyphesis_t, cyphesis_exec_t)
|
||||
+
|
||||
+type cyphesis_var_run_t;
|
||||
+files_pid_file(cyphesis_var_run_t)
|
||||
+
|
||||
+type cyphesis_log_t;
|
||||
+logging_file(cyphesis_log_t)
|
||||
+
|
||||
+type cyphesis_tmp_t;
|
||||
+files_tmp_file(cyphesis_tmp_t)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# cyphesis local policy
|
||||
+#
|
||||
+
|
||||
+allow cyphesis_t self:process { setfscreate setsched signal };
|
||||
+allow cyphesis_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow cyphesis_t self:tcp_socket create_stream_socket_perms;
|
||||
+allow cyphesis_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+allow cyphesis_t self:unix_dgram_socket create_socket_perms;
|
||||
+allow cyphesis_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
+
|
||||
+# DAN> What is cyphesis looking for in /bin?
|
||||
+corecmd_search_bin(cyphesis_t)
|
||||
+corecmd_getattr_bin_files(cyphesis_t)
|
||||
+
|
||||
+manage_files_pattern(cyphesis_t, cyphesis_log_t, cyphesis_log_t)
|
||||
+logging_log_filetrans(cyphesis_t,cyphesis_log_t,file)
|
||||
+
|
||||
+# DAN > Does cyphesis really create a sock_file in /tmp? Why?
|
||||
+allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms;
|
||||
+files_tmp_filetrans(cyphesis_t,cyphesis_tmp_t,file)
|
||||
+
|
||||
+manage_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
|
||||
+manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
|
||||
+files_pid_filetrans(cyphesis_t,cyphesis_var_run_t, { file sock_file })
|
||||
+
|
||||
+dev_read_urand(cyphesis_t)
|
||||
+
|
||||
+files_read_etc_files(cyphesis_t)
|
||||
+files_read_usr_files(cyphesis_t)
|
||||
+
|
||||
+libs_use_ld_so(cyphesis_t)
|
||||
+libs_use_shared_libs(cyphesis_t)
|
||||
+
|
||||
+miscfiles_read_localization(cyphesis_t)
|
||||
+
|
||||
+logging_send_syslog_msg(cyphesis_t)
|
||||
+
|
||||
+## Networking basics (adjust to your needs!)
|
||||
+sysnet_dns_name_resolve(cyphesis_t)
|
||||
+corenet_tcp_sendrecv_all_if(cyphesis_t)
|
||||
+corenet_tcp_sendrecv_all_nodes(cyphesis_t)
|
||||
+corenet_all_recvfrom_unlabeled(cyphesis_t)
|
||||
+corenet_tcp_bind_all_nodes(cyphesis_t)
|
||||
+corenet_tcp_cyphesis_bind(cyphesis_t)
|
||||
+corenet_tcp_sendrecv_all_ports(cyphesis_t)
|
||||
+
|
||||
+# DAN Do you really need this?
|
||||
+# For communication with the metaserver
|
||||
+# allow cyphesis_t port_t:udp_socket { recv_msg send_msg };
|
||||
+
|
||||
+# Init script handling
|
||||
+domain_use_interactive_fds(cyphesis_t)
|
||||
+
|
||||
+kernel_read_system_state(cyphesis_t)
|
||||
+kernel_read_kernel_sysctls(cyphesis_t)
|
||||
+
|
||||
+# cyphesis wants to talk to avahi via dbus
|
||||
+optional_policy(`
|
||||
+
|
||||
+ dbus_system_bus_client_template(cyphesis_t)
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ avahi_dbus_chat(cyphesis_t)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ postgresql_stream_connect(cyphesis_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ kerberos_use(cyphesis_t)
|
||||
+')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if
|
||||
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2008-01-08 10:52:45.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2008-01-14 14:20:38.000000000 -0500
|
||||
@@ -53,6 +53,7 @@
|
||||
gen_require(`
|
||||
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
|
||||
|
|
@ -11509,7 +11897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.5/policy/modules/services/sendmail.te
|
||||
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/sendmail.te 2007-12-31 15:42:11.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/sendmail.te 2008-01-14 11:54:22.000000000 -0500
|
||||
@@ -20,13 +20,17 @@
|
||||
mta_mailserver_delivery(sendmail_t)
|
||||
mta_mailserver_sender(sendmail_t)
|
||||
|
|
@ -11538,7 +11926,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
|
|||
|
||||
corenet_all_recvfrom_unlabeled(sendmail_t)
|
||||
corenet_all_recvfrom_netlabel(sendmail_t)
|
||||
@@ -97,20 +102,35 @@
|
||||
@@ -69,6 +74,7 @@
|
||||
|
||||
# for piping mail to a command
|
||||
corecmd_exec_shell(sendmail_t)
|
||||
+corecmd_exec_bin(sendmail_t)
|
||||
|
||||
domain_use_interactive_fds(sendmail_t)
|
||||
|
||||
@@ -97,20 +103,35 @@
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
|
||||
|
|
@ -11575,7 +11971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
|
|||
postfix_exec_master(sendmail_t)
|
||||
postfix_read_config(sendmail_t)
|
||||
postfix_search_spool(sendmail_t)
|
||||
@@ -125,24 +145,25 @@
|
||||
@@ -125,24 +146,25 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -11762,14 +12158,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
|
|||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.2.5/policy/modules/services/spamassassin.fc
|
||||
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-10-12 08:56:07.000000000 -0400
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.fc 2008-01-09 09:00:58.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.fc 2008-01-14 11:58:23.000000000 -0500
|
||||
@@ -1,4 +1,4 @@
|
||||
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
|
||||
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:user_spamassassin_home_t,s0)
|
||||
|
||||
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
|
||||
/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
|
||||
@@ -9,8 +9,11 @@
|
||||
@@ -9,8 +9,12 @@
|
||||
|
||||
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
|
||||
|
||||
|
|
@ -11777,6 +12173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
|
|||
+
|
||||
/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
|
||||
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
|
||||
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
|
||||
|
||||
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
|
||||
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
|
||||
|
|
@ -12916,12 +13313,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
|
|||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.2.5/policy/modules/services/tftp.fc
|
||||
--- nsaserefpolicy/policy/modules/services/tftp.fc 2006-11-16 17:15:21.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/tftp.fc 2007-12-19 05:38:09.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/tftp.fc 2008-01-14 12:49:13.000000000 -0500
|
||||
@@ -4,3 +4,4 @@
|
||||
|
||||
/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
|
||||
/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
|
||||
+/var/lib/tftp(/.*)? gen_context(system_u:object_r:tftpdir_t,s0)
|
||||
+/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-3.2.5/policy/modules/services/w3c.fc
|
||||
--- nsaserefpolicy/policy/modules/services/w3c.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/services/w3c.fc 2007-12-19 05:38:09.000000000 -0500
|
||||
|
|
@ -14955,8 +15352,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
|
|||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.5/policy/modules/system/libraries.fc
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/libraries.fc 2007-12-31 05:53:37.000000000 -0500
|
||||
@@ -183,6 +183,7 @@
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/libraries.fc 2008-01-14 12:58:45.000000000 -0500
|
||||
@@ -133,6 +133,7 @@
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
@@ -183,6 +184,7 @@
|
||||
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
|
@ -14964,7 +15369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
|||
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -242,7 +243,7 @@
|
||||
@@ -242,7 +244,7 @@
|
||||
|
||||
# Flash plugin, Macromedia
|
||||
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
|
@ -14973,7 +15378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
|||
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -292,6 +293,8 @@
|
||||
@@ -292,6 +294,8 @@
|
||||
#
|
||||
# /var
|
||||
#
|
||||
|
|
@ -14982,7 +15387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
|||
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
|
||||
@@ -304,3 +307,4 @@
|
||||
@@ -304,3 +308,4 @@
|
||||
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
|
|
@ -15552,7 +15957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
|||
+/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.5/policy/modules/system/mount.te
|
||||
--- nsaserefpolicy/policy/modules/system/mount.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/mount.te 2008-01-02 13:29:31.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/mount.te 2008-01-14 10:34:15.000000000 -0500
|
||||
@@ -8,7 +8,7 @@
|
||||
|
||||
## <desc>
|
||||
|
|
@ -15652,7 +16057,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
|
|||
# for kernel package installation
|
||||
optional_policy(`
|
||||
rpm_rw_pipes(mount_t)
|
||||
@@ -192,4 +206,26 @@
|
||||
@@ -182,6 +196,7 @@
|
||||
|
||||
optional_policy(`
|
||||
samba_domtrans_smbmount(mount_t)
|
||||
+ samba_read_config(mount_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -192,4 +207,26 @@
|
||||
optional_policy(`
|
||||
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
|
||||
unconfined_domain(unconfined_mount_t)
|
||||
|
|
@ -17073,7 +17486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-08 05:05:58.000000000 -0500
|
||||
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-14 09:58:38.000000000 -0500
|
||||
@@ -29,8 +29,9 @@
|
||||
')
|
||||
|
||||
|
|
@ -17399,9 +17812,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||
- tunable_policy(`use_nfs_home_dirs',`
|
||||
- fs_exec_nfs_files($1_t)
|
||||
+ tunable_policy(`allow_$1_exec_content', `
|
||||
+ can_exec($1_usertype,user_home_t)
|
||||
+ can_exec($1_usertype,user_home_type)
|
||||
+ ',`
|
||||
+ dontaudit $1_usertype user_home_t:file execute;
|
||||
+ dontaudit $1_usertype user_home_type:file execute;
|
||||
')
|
||||
|
||||
- tunable_policy(`use_samba_home_dirs',`
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.2.5
|
||||
Release: 11%{?dist}
|
||||
Release: 12%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -387,6 +387,10 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jan 14 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-12
|
||||
- Allow users to execute all files in homedir, if boolean set
|
||||
- Allow mount to read samba config
|
||||
|
||||
* Sun Jan 13 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-11
|
||||
- Fixes for xguest to run java plugin
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue