Merge branch 'master' of ssh://oss.tresys.com/home/git/refpolicy

Changelog

@@ -38,6 +38,7 @@
 	ulogd (Dan Walsh)
 	varnishd (Dan Walsh)
 	webadm (Dan Walsh)
+	wm (Dan Walsh)
 	xguest (Dan Walsh)
 	zosremote (Dan Walsh)
 

policy/modules/apps/wm.fc

@@ -0,0 +1,3 @@
+/usr/bin/twm		--	gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/openbox	--	gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/metacity	--	gen_context(system_u:object_r:wm_exec_t,s0)

policy/modules/apps/wm.if

@@ -0,0 +1,98 @@
+## <summary>X Window Managers</summary>
+
+#######################################
+## <summary>
+##	The role template for the wm module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for window manager applications.
+##	</p>
+## </desc>
+## <param name="role_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`wm_role_template',`
+	gen_require(`
+		type wm_exec_t;
+	')
+
+	type $1_wm_t;
+	domain_type($1_wm_t)
+	domain_entry_file($1_wm_t, wm_exec_t)
+	role $2 types $1_wm_t;
+
+	allow $1_wm_t self:fifo_file rw_fifo_file_perms;
+	allow $1_wm_t self:process getsched;
+	allow $1_wm_t self:shm create_shm_perms;
+
+	allow $1_wm_t $3:unix_stream_socket connectto;
+
+	domtrans_pattern($3, wm_exec_t, $1_wm_t)
+
+	kernel_read_system_state($1_wm_t)
+
+	corecmd_bin_domtrans($1_wm_t, $3)
+	corecmd_shell_domtrans($1_wm_t, $3)
+
+	dev_read_urand($1_wm_t)
+
+	files_read_etc_files($1_wm_t)
+	files_read_usr_files($1_wm_t)
+
+	mls_file_read_all_levels($1_wm_t)
+	mls_file_write_all_levels($1_wm_t)
+	mls_xwin_read_all_levels($1_wm_t)
+	mls_xwin_write_all_levels($1_wm_t)
+	mls_fd_use_all_levels($1_wm_t)
+
+	auth_use_nsswitch($1_wm_t)
+
+	miscfiles_read_fonts($1_wm_t)
+	miscfiles_read_localization($1_wm_t)
+
+	userdom_manage_home_role($2, $1_wm_t)
+	userdom_manage_tmpfs_role($2, $1_wm_t)
+	userdom_manage_tmp_role($2, $1_wm_t)
+
+	optional_policy(`
+		dbus_system_bus_client($1_wm_t)
+	')
+
+	optional_policy(`
+		xserver_role($2, $1_wm_t)
+	')
+')
+
+########################################
+## <summary>
+##	Execute the wm program in the wm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wm_exec',`
+	gen_require(`
+		type wm_exec_t;
+	')
+
+	can_exec($1, wm_exec_t)
+')

policy/modules/apps/wm.te

@@ -0,0 +1,10 @@
+
+policy_module(wm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type wm_exec_t;
+corecmd_executable_file(wm_exec_t)

policy/modules/services/snort.if

@@ -38,7 +38,7 @@ interface(`snort_domtrans',`
 interface(`snort_admin',`
 	gen_require(`
 		type snort_t, snort_var_run_t, snort_log_t;
-		type snort_initrc_exec_t;
+		type snort_etc_t, snort_initrc_exec_t;
 	')
 
 	allow $1 snort_t:process { ptrace signal_perms };

policy/modules/services/snort.te

@@ -1,5 +1,5 @@
 
-policy_module(snort, 1.7.1)
+policy_module(snort, 1.7.2)
 
 ########################################
 #
@@ -56,6 +56,7 @@ manage_files_pattern(snort_t, snort_var_run_t, snort_var_run_t)
 files_pid_filetrans(snort_t, snort_var_run_t, file)
 
 kernel_read_kernel_sysctls(snort_t)
+kernel_read_sysctl(snort_t)
 kernel_list_proc(snort_t)
 kernel_read_proc_symlinks(snort_t)
 kernel_dontaudit_read_system_state(snort_t)
@@ -70,6 +71,7 @@ corenet_udp_sendrecv_generic_node(snort_t)
 corenet_raw_sendrecv_generic_node(snort_t)
 corenet_tcp_sendrecv_all_ports(snort_t)
 corenet_udp_sendrecv_all_ports(snort_t)
+corenet_tcp_connect_prelude_port(snort_t)
 
 dev_read_sysfs(snort_t)
 dev_read_rand(snort_t)
@@ -90,10 +92,16 @@ logging_send_syslog_msg(snort_t)
 miscfiles_read_localization(snort_t)
 
 sysnet_read_config(snort_t)
+# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager
+sysnet_dns_name_resolve(snort_t)
 
 userdom_dontaudit_use_unpriv_user_fds(snort_t)
 userdom_dontaudit_search_user_home_dirs(snort_t)
 
+optional_policy(`
+	prelude_manage_spool(snort_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(snort_t)
 ')