first part of dans patch Fri, 14 Apr 2006 08:08:43 -0400

refpolicy/policy/global_tunables

@@ -278,6 +278,13 @@ gen_tunable(run_ssh_inetd,false)
 ## </desc>
 gen_tunable(samba_enable_home_dirs,false)
 
+## <desc>
+## <p>
+## Allow samba to export NFS volumes.
+## </p>
+## </desc>
+gen_tunable(samba_share_nfs,false)
+
 ## <desc>
 ## <p>
 ## Allow spamassassin to do DNS lookups

refpolicy/policy/mcs

@@ -134,14 +134,18 @@ level s0:c0.c255;
 # the high range of the file.  We use the high range of the process so
 # that processes can always simply run at s0.
 #
-# Only files are constrained by MCS at this stage.
+# Note that getattr on files is always permitted.
 #
 mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
 	( h1 dom h2 );
 
+# New filesystem object labels must be dominated by the relabeling subject
+# clearance, also the objects are single-level.
 mlsconstrain file { create relabelto }
 	(( h1 dom h2 ) and ( l2 eq h2 ));
 
+# At this time we do not restrict "ps" type operations via MCS.  This
+# will probably change in future.
 mlsconstrain file { read }
 	(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
 

refpolicy/policy/modules/admin/amanda.te

@@ -1,5 +1,5 @@
 
-policy_module(amanda,1.3.0)
+policy_module(amanda,1.3.1)
 
 #######################################
 #
@@ -8,7 +8,7 @@ policy_module(amanda,1.3.0)
 
 type amanda_t;
 type amanda_inetd_exec_t;
-inetd_udp_service_domain(amanda_t,amanda_inetd_exec_t)
+inetd_service_domain(amanda_t,amanda_inetd_exec_t)
 role system_r types amanda_t;
 
 type amanda_exec_t;
@@ -189,7 +189,7 @@ optional_policy(`
 #
 # Amanda recover local policy
 
-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
 allow amanda_recover_t self:process { sigkill sigstop signal };
 allow amanda_recover_t self:fifo_file { getattr ioctl read write };
 allow amanda_recover_t self:unix_stream_socket { connect create read write };
@@ -229,6 +229,7 @@ corenet_udp_sendrecv_all_ports(amanda_recover_t)
 corenet_non_ipsec_sendrecv(amanda_recover_t)
 corenet_tcp_bind_all_nodes(amanda_recover_t)
 corenet_udp_bind_all_nodes(amanda_recover_t)
+corenet_tcp_bind_reserved_port(amanda_recover_t)
 corenet_tcp_connect_amanda_port(amanda_recover_t)
 
 corecmd_exec_shell(amanda_recover_t)
@@ -261,3 +262,7 @@ optional_policy(`
 optional_policy(`
 	nis_use_ypbind(amanda_recover_t)
 ')
+
+optional_policy(`
+	nscd_socket_use(amanda_recover_t)
+')

refpolicy/policy/modules/admin/bootloader.te

@@ -1,5 +1,5 @@
 
-policy_module(bootloader,1.2.1)
+policy_module(bootloader,1.2.2)
 
 ########################################
 #
@@ -88,6 +88,8 @@ dev_read_raw_memory(bootloader_t)
 fs_getattr_xattr_fs(bootloader_t)
 fs_read_tmpfs_symlinks(bootloader_t)
 
+mls_file_read_up(bootloader_t)
+
 term_getattr_all_user_ttys(bootloader_t)
 term_dontaudit_manage_pty_dirs(bootloader_t)
 

refpolicy/policy/modules/admin/usermanage.te

@@ -1,5 +1,5 @@
 
-policy_module(usermanage,1.3.2)
+policy_module(usermanage,1.3.3)
 
 ########################################
 #
@@ -514,6 +514,7 @@ userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
 # Add/remove user home directories
 userdom_home_filetrans_generic_user_home_dir(useradd_t)
 userdom_manage_generic_user_home_content_dirs(useradd_t)
+userdom_manage_staff_home_dirs(useradd_t)
 userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
 
 mta_manage_spool(useradd_t)

refpolicy/policy/modules/apps/java.te

@@ -1,5 +1,5 @@
 
-policy_module(java,1.1.1)
+policy_module(java,1.1.2)
 
 ########################################
 #
@@ -7,10 +7,8 @@ policy_module(java,1.1.1)
 #
 
 type java_t;
-domain_type(java_t)
-
 type java_exec_t;
-files_type(java_exec_t)
+init_system_domain(java_t,java_exec_t)
 
 ########################################
 #

refpolicy/policy/modules/apps/mono.te

@@ -1,5 +1,5 @@
 
-policy_module(mono,1.1.1)
+policy_module(mono,1.1.2)
 
 ########################################
 #
@@ -22,6 +22,8 @@ ifdef(`targeted_policy',`
 	unconfined_domain_noaudit(mono_t)
 	role system_r types mono_t;
 
+	init_dbus_chat_script(mono_t)
+
 	optional_policy(`
 		avahi_dbus_chat(mono_t)
 	')
@@ -29,4 +31,8 @@ ifdef(`targeted_policy',`
 	optional_policy(`
 		hal_dbus_chat(mono_t)
 	')
+
+	optional_policy(`
+		networkmanager_dbus_chat(mono_t)
+	')
 ')

refpolicy/policy/modules/kernel/devices.if

@@ -2701,7 +2701,7 @@ interface(`dev_rw_xen',`
 	')
 
 	allow $1 device_t:dir r_dir_perms;
-	allow $1 xen_device_t:chr_file r_file_perms;
+	allow $1 xen_device_t:chr_file rw_file_perms;
 ')
 
 ########################################
@@ -2720,7 +2720,7 @@ interface(`dev_manage_xen',`
 	')
 
 	allow $1 device_t:dir r_dir_perms;
-	allow $1 xen_device_t:chr_file r_file_perms;
+	allow $1 xen_device_t:chr_file manage_file_perms;
 ')
 
 ########################################

refpolicy/policy/modules/kernel/devices.te

@@ -1,5 +1,5 @@
 
-policy_module(devices,1.1.10)
+policy_module(devices,1.1.11)
 
 ########################################
 #

refpolicy/policy/modules/kernel/files.if

@@ -946,6 +946,24 @@ interface(`files_mounton_all_mountpoints',`
 	allow $1 mountpoint:file { getattr mounton };
 ')
 
+########################################
+## <summary>
+##	Get the attributes of all mount points.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_all_mountpoints',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+	allow $1 mountpoint:dir getattr;
+')
+
 ########################################
 #
 # files_list_root(domain)

refpolicy/policy/modules/kernel/files.te

@@ -1,5 +1,5 @@
 
-policy_module(files,1.2.6)
+policy_module(files,1.2.7)
 
 ########################################
 #

refpolicy/policy/modules/kernel/kernel.if

@@ -1150,6 +1150,9 @@ interface(`kernel_rw_vm_sysctls',`
 	allow $1 sysctl_t:dir r_dir_perms;
 	allow $1 sysctl_vm_t:dir list_dir_perms;
 	allow $1 sysctl_vm_t:file rw_file_perms;
+
+	# hal needs this
+	allow $1 sysctl_vm_t:dir write;
 ')
 
 ########################################

refpolicy/policy/modules/kernel/kernel.te

@@ -1,5 +1,5 @@
 
-policy_module(kernel,1.3.4)
+policy_module(kernel,1.3.5)
 
 ########################################
 #

refpolicy/policy/modules/kernel/mcs.te

@@ -32,6 +32,10 @@ type unconfined_t;
 type xdm_exec_t;
 
 ifdef(`enable_mcs',`
+# The eventual plan is to have a range_transition to s0 for the daemon by
+# default and have the daemons which need to run with all categories be
+# exceptions.  But while range_transitions have to be in the base module
+# this is not possible.
 range_transition getty_t login_exec_t s0 - s0:c0.c255;
 range_transition init_t xdm_exec_t s0 - s0:c0.c255;
 range_transition initrc_t crond_exec_t s0 - s0:c0.c255;

refpolicy/policy/modules/services/avahi.te

@@ -1,5 +1,5 @@
 
-policy_module(avahi,1.2.0)
+policy_module(avahi,1.2.1)
 
 ########################################
 #
@@ -92,6 +92,7 @@ optional_policy(`
 	dbus_system_bus_client_template(avahi,avahi_t)
 	dbus_connect_system_bus(avahi_t)
 	dbus_send_system_bus(avahi_t)
+	init_dbus_chat_script(avahi_t)
 ')
 
 optional_policy(`

refpolicy/policy/modules/services/hal.te

@@ -1,5 +1,5 @@
 
-policy_module(hal,1.3.4)
+policy_module(hal,1.3.5)
 
 ########################################
 #
@@ -103,6 +103,7 @@ files_getattr_default_dirs(hald_t)
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
 fs_list_auto_mountpoints(hald_t)
+files_getattr_all_mountpoints(hald_t)
 
 mls_file_read_up(hald_t)
 

refpolicy/policy/modules/services/mailman.if

@@ -198,6 +198,45 @@ interface(`mailman_search_data',`
 	allow $1 mailman_data_t:dir search_dir_perms;
 ')
 
+#######################################
+## <summary>
+##	Allow domain to to read mailman data files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_read_data_files',`
+	gen_require(`
+		type mailman_data_t;
+	')
+
+	allow $1 mailman_data_t:dir search_dir_perms;
+	allow $1 mailman_data_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##	Allow domain to to create mailman data files
+##	and write the directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_manage_data_files',`
+	gen_require(`
+		type mailman_data_t;
+	')
+
+	allow $1 mailman_data_t:dir rw_dir_perms;
+	allow $1 mailman_data_t:file manage_file_perms;
+')
+
 #######################################
 ## <summary>
 ##	List the contents of mailman data directories.

refpolicy/policy/modules/services/mailman.te

@@ -1,5 +1,5 @@
 
-policy_module(mailman,1.1.1)
+policy_module(mailman,1.1.2)
 
 ########################################
 #

refpolicy/policy/modules/services/postfix.te

@@ -1,5 +1,5 @@
 
-policy_module(postfix,1.2.1)
+policy_module(postfix,1.2.2)
 
 ########################################
 #
@@ -174,6 +174,11 @@ sysnet_read_config(postfix_master_t)
 mta_rw_aliases(postfix_master_t)
 mta_read_sendmail_bin(postfix_master_t)
 
+optional_policy(`
+#	for postalias
+	mailman_manage_data_files(postfix_master_t)
+')
+
 optional_policy(`
 	mount_send_nfs_client_request(postfix_master_t)
 ')
@@ -280,6 +285,11 @@ mta_delete_spool(postfix_local_t)
 # For reading spamassasin
 mta_read_config(postfix_local_t)
 
+optional_policy(`
+#	for postalias
+	mailman_read_data_files(postfix_local_t)
+')
+
 optional_policy(`
 	procmail_domtrans(postfix_local_t)
 ')

refpolicy/policy/modules/services/rpc.te

@@ -1,5 +1,5 @@
 
-policy_module(rpc,1.2.1)
+policy_module(rpc,1.2.2)
 
 ########################################
 #
@@ -110,13 +110,13 @@ portmap_tcp_connect(nfsd_t)
 portmap_udp_chat(nfsd_t)
 
 tunable_policy(`nfs_export_all_rw',`
-	auth_read_all_dirs_except_shadow(nfsd_t) 
 	fs_read_noxattr_fs_files(nfsd_t) 
+	auth_manage_all_files_except_shadow(nfsd_t)
 ')
 
 tunable_policy(`nfs_export_all_ro',`
-	auth_read_all_dirs_except_shadow(nfsd_t) 
 	fs_read_noxattr_fs_files(nfsd_t) 
+	auth_read_all_files_except_shadow(nfsd_t)
 ')
 
 ########################################

refpolicy/policy/modules/services/samba.if

@@ -33,6 +33,7 @@ template(`samba_per_userdomain_template',`
 	')
 
 	tunable_policy(`samba_enable_home_dirs',`
+		userdom_manage_user_home_content_dirs($1,smbd_t)
 		userdom_manage_user_home_content_files($1,smbd_t)
 		userdom_manage_user_home_content_symlinks($1,smbd_t)
 		userdom_manage_user_home_content_sockets($1,smbd_t)

refpolicy/policy/modules/services/samba.te

@@ -1,5 +1,5 @@
 
-policy_module(samba,1.2.3)
+policy_module(samba,1.2.4)
 
 #################################
 #
@@ -296,6 +296,12 @@ tunable_policy(`allow_smbd_anon_write',`
 	miscfiles_manage_public_files(smbd_t)
 ') 
 
+# Support Samba sharing of NFS mount points
+tunable_policy(`samba_share_nfs',`
+	fs_manage_nfs_dirs(smbd_t)
+	fs_manage_nfs_files(smbd_t)
+')
+
 optional_policy(`
 	cups_read_rw_config(smbd_t)
 ')

refpolicy/policy/modules/system/unconfined.te

@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.3.5)
+policy_module(unconfined,1.3.6)
 
 ########################################
 #
@@ -62,6 +62,8 @@ ifdef(`targeted_policy',`
 	')
 
 	optional_policy(`
+		init_dbus_chat_script(unconfined_t)
+
 		dbus_stub(unconfined_t)
 
 		optional_policy(`

refpolicy/policy/modules/system/userdomain.if

@@ -3400,6 +3400,35 @@ interface(`userdom_dontaudit_search_staff_home_dirs',`
 	dontaudit $1 staff_home_dir_t:dir search;
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete staff
+##	home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_staff_home_dirs',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type user_home_dir_t;
+		')
+
+		files_search_home($1)
+		allow $1 user_home_dir_t:dir manage_dir_perms;
+	',`
+		gen_require(`
+			type staff_home_dir_t;
+		')
+
+		files_search_home($1)
+		allow $1 staff_home_dir_t:dir manage_dir_perms;
+	')
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to append to the staff

refpolicy/policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.3.14)
+policy_module(userdomain,1.3.15)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;

refpolicy/policy/modules/system/xen.te

@@ -1,5 +1,5 @@
 
-policy_module(xen,1.0.0)
+policy_module(xen,1.0.1)
 
 ########################################
 #
@@ -19,6 +19,8 @@ init_daemon_domain(xend_t, xend_exec_t)
 # var/lib files
 type xend_var_lib_t;
 files_type(xend_var_lib_t)
+# for mounting an NFS store
+files_mountpoint(xend_var_lib_t)
 
 # log files
 type xend_var_log_t;
@@ -122,6 +124,7 @@ domain_read_all_domains_state(xend_t)
 domain_dontaudit_read_all_domains_state(xend_t)
 
 files_read_etc_files(xend_t)
+files_read_kernel_symbol_table(xend_t)
 
 storage_raw_read_fixed_disk(xend_t)
 
@@ -208,6 +211,7 @@ kernel_read_xen_state(xenstored_t)
 dev_create_generic_dirs(xenstored_t)
 dev_manage_xen(xenconsoled_t)
 dev_filetrans_xen(xenstored_t)
+dev_rw_xen(xenstored_t)
 
 term_dontaudit_use_generic_ptys(xenstored_t)