##
-## Run gconfd in the role-specfic gconfd domain.
+## Run gconfd in the role-specific gconfd domain.
##
##
## This is a templated interface, and should only
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-2.6.4/policy/modules/apps/gpg.fc
--- nsaserefpolicy/policy/modules/apps/gpg.fc 2006-11-16 17:15:07.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/apps/gpg.fc 2007-05-07 11:27:37.000000000 -0400
@@ -7,6 +7,4 @@
/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
-ifdef(`targeted_policy',`',`
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-2.6.4/policy/modules/apps/loadkeys.if
--- nsaserefpolicy/policy/modules/apps/loadkeys.if 2007-01-02 12:57:22.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/apps/loadkeys.if 2007-05-07 11:27:37.000000000 -0400
@@ -11,16 +11,12 @@
##
#
interface(`loadkeys_domtrans',`
- ifdef(`strict_policy',`
- gen_require(`
- type loadkeys_t, loadkeys_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
- ',`
- refpolicywarn(`$0($*) has no effect in targeted policy.')
+ gen_require(`
+ type loadkeys_t, loadkeys_exec_t;
')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
')
########################################
@@ -45,18 +41,13 @@
##
#
interface(`loadkeys_run',`
- ifdef(`targeted_policy',`
- # $0(): disabled in targeted policy as there
- # is no loadkeys domain.
- ',`
- gen_require(`
- type loadkeys_t;
- ')
-
- loadkeys_domtrans($1)
- role $2 types loadkeys_t;
- allow loadkeys_t $3:chr_file rw_term_perms;
+ gen_require(`
+ type loadkeys_t;
')
+
+ loadkeys_domtrans($1)
+ role $2 types loadkeys_t;
+ allow loadkeys_t $3:chr_file rw_term_perms;
')
########################################
@@ -70,15 +61,8 @@
##
#
interface(`loadkeys_exec',`
- ifdef(`targeted_policy',`
- # $0(): the loadkeys program is an alias
- # of generic bin programs.
- corecmd_exec_bin($1)
- ',`
- gen_require(`
- type loadkeys_exec_t;
- ')
-
- can_exec($1,loadkeys_exec_t)
+ gen_require(`
+ type loadkeys_exec_t;
')
+ can_exec($1,loadkeys_exec_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-2.6.4/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-03-26 16:24:09.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/apps/mozilla.if 2007-05-07 11:27:37.000000000 -0400
@@ -150,6 +150,7 @@
corenet_dontaudit_tcp_bind_generic_port($1_mozilla_t)
dev_read_urand($1_mozilla_t)
+ dev_read_rand($1_mozilla_t)
dev_write_sound($1_mozilla_t)
dev_read_sound($1_mozilla_t)
dev_dontaudit_rw_dri($1_mozilla_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-2.6.4/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2007-04-30 11:25:12.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/apps/slocate.te 2007-05-07 11:27:37.000000000 -0400
@@ -43,7 +43,7 @@
files_read_etc_files(locate_t)
fs_getattr_all_fs(locate_t)
-fs_getattr_all_dirs(locate_t)
+fs_getattr_all_files(locate_t)
libs_use_shared_libs(locate_t)
libs_use_ld_so(locate_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.if serefpolicy-2.6.4/policy/modules/apps/uml.if
--- nsaserefpolicy/policy/modules/apps/uml.if 2007-03-26 10:38:58.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/apps/uml.if 2007-05-07 11:27:37.000000000 -0400
@@ -193,33 +193,6 @@
nis_use_ypbind($1_uml_t)
')
- ifdef(`TODO',`
- # for X
- optional_policy(`
- ifelse($1, sysadm,`
- ',`
- optional_policy(`
- allow $1_uml_t xdm_xserver_tmp_t:dir search;
- ')
- allow $1_uml_t $1_xserver_tmp_t:sock_file write;
- allow $1_uml_t $1_xserver_t:unix_stream_socket connectto;
- ')
- ')
-
- optional_policy(`
- # for uml_net
- domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t)
- allow uml_net_t $1_uml_t:unix_stream_socket { read write };
- allow uml_net_t $1_uml_t:unix_dgram_socket { read write };
- dontaudit uml_net_t privfd:fd use;
- can_access_pty(uml_net_t, $1_uml)
- dontaudit uml_net_t $1_uml_rw_t:dir { getattr search };
- ')
- #TODO
- optional_policy(`
- allow $1_uml_t $1_xauth_home_t:file { getattr read };
- ')
- ')
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-04-11 15:52:53.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc 2007-05-07 11:27:37.000000000 -0400
@@ -36,6 +36,11 @@
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.daily/.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.hourly/.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0)
+
/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
@@ -256,3 +261,5 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
+/usr/lib/vmware-tools/sbin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-2.6.4/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-03-26 10:38:57.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.if 2007-05-07 11:27:37.000000000 -0400
@@ -988,3 +988,23 @@
mmap_files_pattern($1,bin_t,exec_type)
')
+
+########################################
+##
+## dontaudit checking for execute privs on all executables
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corecmd_dontaudit_exec_all_executables',`
+ gen_require(`
+ attribute exec_type;
+ ')
+
+ dontaudit $1 exec_type:file execute;
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-05-07 10:32:44.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in 2007-05-07 11:27:37.000000000 -0400
@@ -48,6 +48,11 @@
type reserved_port_t, port_type, reserved_port_type;
#
+# hi_reserved_port_t is the type of INET port numbers between 600-1023.
+#
+type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+
+#
# server_packet_t is the default type of IPv4 and IPv6 server packets.
#
type server_packet_t, packet_type, server_packet_type;
@@ -60,6 +65,7 @@
network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
+network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
@@ -85,7 +91,7 @@
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
network_port(howl, tcp,5335,s0, udp,5353,s0)
-network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
+network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
@@ -100,7 +106,7 @@
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
-network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
+network_port(ldap, tcp,3268,s0, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
network_port(lmtp, tcp,24,s0, udp,24,s0)
network_port(mail, tcp,2000,s0)
@@ -159,6 +165,9 @@
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
+
+portcon tcp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon udp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.6.4/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-03-01 10:01:48.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/kernel/devices.fc 2007-05-07 11:27:37.000000000 -0400
@@ -19,6 +19,7 @@
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
+/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
@@ -81,6 +82,8 @@
/dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
+
/dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.6.4/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-03-26 16:24:09.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/devices.if 2007-05-07 11:27:37.000000000 -0400
@@ -2729,6 +2729,24 @@
########################################
##
+## Get the attributes of a directory in the usb filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_search_usbfs_dirs',`
+ gen_require(`
+ type usbfs_t;
+ ')
+
+ allow $1 usbfs_t:dir search_dir_perms;
+')
+
+########################################
+##
## Do not audit attempts to get the attributes
## of a directory in the usb filesystem.
##
@@ -2939,6 +2957,24 @@
########################################
##
+## write the video4linux devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_write_video_dev',`
+ gen_require(`
+ type device_t, v4l_device_t;
+ ')
+
+ write_chr_files_pattern($1,device_t,v4l_device_t)
+')
+
+########################################
+##
## Read and write VMWare devices.
##
##
@@ -3192,3 +3228,78 @@
typeattribute $1 devices_unconfined_type;
')
+
+########################################
+##
+## Getattr on smartcard devices
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_getattr_smartcard',`
+ gen_require(`
+ type smartcard_device_t;
+ ')
+
+ allow $1 smartcard_device_t:chr_file getattr;
+
+')
+
+########################################
+##
+## dontaudit getattr on smartcard devices
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_dontaudit_getattr_smartcard',`
+ gen_require(`
+ type smartcard_device_t;
+ ')
+
+ dontaudit $1 smartcard_device_t:chr_file getattr;
+
+')
+
+########################################
+##
+## Read and write smartcard devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_smartcard',`
+ gen_require(`
+ type device_t, smartcard_device_t;
+ ')
+
+ rw_chr_files_pattern($1,device_t,smartcard_device_t)
+')
+
+########################################
+##
+## Create, read, write, and delete smartcard devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_manage_smartcard',`
+ gen_require(`
+ type device_t, smartcard_device_t;
+ ')
+
+ manage_chr_files_pattern($1,device_t,smartcard_device_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-2.6.4/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2007-04-23 09:35:56.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/devices.te 2007-05-07 11:27:37.000000000 -0400
@@ -139,6 +139,12 @@
#
# Type for sound devices and mixers
#
+type smartcard_device_t;
+dev_node(smartcard_device_t)
+
+#
+# Type for sound devices and mixers
+#
type sound_device_t;
dev_node(sound_device_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-2.6.4/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2007-02-19 11:32:51.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/kernel/domain.if 2007-05-07 11:27:37.000000000 -0400
@@ -1254,3 +1254,21 @@
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
')
+
+########################################
+##
+## Allow specified type to associate ipsec packets from any domain
+##
+##
+##
+## Type of subject to be allowed this.
+##
+##
+#
+interface(`domain_ipsec_labels',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:association { sendto recvfrom };
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.6.4/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-04-23 09:35:56.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/domain.te 2007-05-07 11:27:37.000000000 -0400
@@ -6,6 +6,29 @@
# Declarations
#
+ifdef(`enable_mls',`
+##
+##
+## Allow all domains to use netlabel labeled packets
+##
+##
+gen_tunable(allow_netlabel,true)
+
+##
+##
+## Allow all domains to use ipsec labeled packets
+##
+##
+gen_tunable(allow_ipsec_label,true)
+')
+
+##
+##
+## Allow unlabeled packets to work on system
+##
+##
+gen_tunable(allow_unlabeled_packets,true)
+
# Mark process types as domains
attribute domain;
@@ -144,3 +167,26 @@
# act on all domains keys
allow unconfined_domain_type domain:key *;
+
+
+# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
+optional_policy(`
+ xserver_dontaudit_use_xdm_fds(domain)
+ xserver_dontaudit_rw_xdm_pipes(domain)
+')
+
+tunable_policy(`allow_unlabeled_packets',`
+ kernel_sendrecv_unlabeled_association(domain)
+ corenet_sendrecv_unlabeled_packets(domain)
+')
+
+ifdef(`enable_mls',`
+ tunable_policy(`allow_netlabel',`
+ kernel_raw_recvfrom_unlabeled(domain)
+ kernel_tcp_recvfrom_unlabeled(domain)
+ kernel_udp_recvfrom_unlabeled(domain)
+ ')
+ tunable_policy(`allow_ipsec_label',`
+ ipsec_labeled(domain)
+ ')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.6.4/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2006-11-16 17:15:04.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/kernel/files.fc 2007-05-07 11:27:37.000000000 -0400
@@ -54,6 +54,7 @@
/etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.6.4/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-02-26 14:17:21.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/kernel/files.if 2007-05-07 11:27:37.000000000 -0400
@@ -343,8 +343,7 @@
########################################
##
-## Mount a filesystem on all non-security
-## directories and files.
+## Mount a filesystem on all non-security directories.
##
##
##
@@ -352,12 +351,29 @@
##
##
#
-interface(`files_mounton_non_security',`
+interface(`files_mounton_non_security_dir',`
gen_require(`
attribute file_type, security_file_type;
')
allow $1 { file_type -security_file_type }:dir mounton;
+')
+
+########################################
+##
+## Mount a filesystem on all non-security and files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_mounton_non_security_files',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
allow $1 { file_type -security_file_type }:file mounton;
')
@@ -376,7 +392,7 @@
attribute file_type, security_file_type;
')
- allow $1 { file_type -security_file_type }:dir write;
+ allow $1 { file_type -security_file_type }:dir rw_dir_perms;
')
########################################
@@ -992,7 +1008,7 @@
attribute file_type;
')
- dontaudit $1 file_type:dir search;
+ dontaudit $1 file_type:dir search_dir_perms;
')
########################################
@@ -1320,7 +1336,7 @@
type boot_t;
')
- dontaudit $1 boot_t:dir search;
+ dontaudit $1 boot_t:dir search_dir_perms;
')
########################################
@@ -3310,6 +3326,24 @@
########################################
##
+## Add and remove entries from /usr directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_rw_usr_dirs',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ allow $1 usr_t:dir rw_dir_perms;
+')
+
+########################################
+##
## Get the attributes of files in /usr.
##
##
@@ -3637,7 +3671,7 @@
type var_t;
')
- dontaudit $1 var_t:dir search;
+ dontaudit $1 var_t:dir search_dir_perms;
')
########################################
@@ -3993,7 +4027,7 @@
type var_lock_t;
')
- dontaudit $1 var_lock_t:dir search;
+ dontaudit $1 var_lock_t:dir search_dir_perms;
')
########################################
@@ -4012,7 +4046,7 @@
type var_t, var_lock_t;
')
- rw_dirs_pattern($1,var_t,var_lock_t)
+ rw_files_pattern($1,var_t,var_lock_t)
')
########################################
@@ -4181,7 +4215,7 @@
type var_run_t;
')
- dontaudit $1 var_run_t:dir search;
+ dontaudit $1 var_run_t:dir search_dir_perms;
')
########################################
@@ -4529,6 +4563,8 @@
# Need to give access to /selinux/member
selinux_compute_member($1)
+ files_search_home($1)
+
# Need sys_admin capability for mounting
allow $1 self:capability { chown fsetid sys_admin };
@@ -4551,6 +4587,8 @@
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
+ corecmd_exec_bin($1)
+
')
########################################
@@ -4588,3 +4626,28 @@
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
+
+########################################
+##
+## Create a core files in /
+##
+##
+##
+## Create a core file in /,
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_dump_core',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir rw_dir_perms;
+ allow $1 root_t:file { create getattr write };
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.6.4/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-03-26 16:24:09.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.if 2007-05-07 11:27:37.000000000 -0400
@@ -1096,6 +1096,24 @@
########################################
##
+## Search dosfs filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_search_dos',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ allow $1 dosfs_t:dir search_dir_perms;
+')
+
+########################################
+##
## Read files on a DOS filesystem.
##
##
@@ -1291,6 +1309,26 @@
########################################
##
+## Read files on an iso9660 filesystem, which
+## is usually used on CDs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_getattr_iso9660_files',`
+ gen_require(`
+ type iso9660_t;
+ ')
+
+ allow $1 iso9660_t:dir list_dir_perms;
+ allow $1 iso9660_t:file getattr;
+')
+
+########################################
+##
## Mount a NFS filesystem.
##
##
@@ -3420,3 +3458,22 @@
relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
')
+
+
+########################################
+##
+## Mount an fuse filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_mount_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:filesystem mount;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.6.4/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-04-23 09:35:56.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te 2007-05-07 11:27:37.000000000 -0400
@@ -54,17 +54,30 @@
type capifs_t;
fs_type(capifs_t)
+files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
type configfs_t;
fs_type(configfs_t)
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
+type cpusetfs_t;
+fs_type(cpusetfs_t)
+allow cpusetfs_t self:filesystem associate;
+genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0)
+
type eventpollfs_t;
fs_type(eventpollfs_t)
# change to task SID 20060628
#genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)
+type fusefs_t;
+fs_type(fusefs_t)
+fs_noxattr_type(fusefs_t)
+allow fusefs_t self:filesystem associate;
+genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
+genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
+
type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
@@ -83,6 +96,12 @@
fs_type(inotifyfs_t)
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
+type mvfs_t;
+fs_type(mvfs_t)
+fs_noxattr_type(mvfs_t)
+allow mvfs_t self:filesystem associate;
+genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+
type nfsd_fs_t;
fs_type(nfsd_fs_t)
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.6.4/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-05-02 15:04:46.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/kernel.if 2007-05-07 11:27:37.000000000 -0400
@@ -1848,6 +1848,26 @@
########################################
##
+## Read the process state (/proc/pid) of all unlabeled_t.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_read_unlabeled_state',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir list_dir_perms;
+ read_files_pattern($1,unlabeled_t,unlabeled_t)
+ read_lnk_files_pattern($1,unlabeled_t,unlabeled_t)
+')
+
+########################################
+##
## Do not audit attempts to list unlabeled directories.
##
##
@@ -2158,9 +2178,6 @@
')
allow $1 unlabeled_t:association { sendto recvfrom };
-
- # temporary hack until labeling on packets is supported
- allow $1 unlabeled_t:packet { send recv };
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.6.4/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2007-05-02 15:04:46.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/kernel.te 2007-05-07 11:27:37.000000000 -0400
@@ -146,6 +146,8 @@
type unlabeled_t;
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+corenet_non_ipsec_sendrecv(unlabeled_t)
+
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
@@ -279,6 +281,7 @@
optional_policy(`
logging_send_syslog_msg(kernel_t)
+ logging_unconfined(kernel_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.if serefpolicy-2.6.4/policy/modules/kernel/mls.if
--- nsaserefpolicy/policy/modules/kernel/mls.if 2006-11-16 17:15:04.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/kernel/mls.if 2007-05-07 11:27:37.000000000 -0400
@@ -154,6 +154,26 @@
########################################
##
## Make specified domain MLS trusted
+## for writing to sockets at any level
+## that is dominated by the process clearance.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mls_socket_write_to_clearance',`
+ gen_require(`
+ attribute mlsnetwritetoclr;
+ ')
+
+ typeattribute $1 mlsnetwritetoclr;
+')
+
+########################################
+##
+## Make specified domain MLS trusted
## for writing to sockets at any level.
##
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.6.4/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te 2007-01-02 12:57:13.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/kernel/mls.te 2007-05-07 11:27:37.000000000 -0400
@@ -18,6 +18,7 @@
attribute mlsnetreadtoclr;
attribute mlsnetwrite;
attribute mlsnetwritetoclr;
+attribute mlsnetwriteranged;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
attribute mlsnetrecvall;
@@ -43,6 +44,8 @@
attribute mlsxwinwritecolormap;
attribute mlsxwinwritexinput;
+# Object attributes that allow MLS overrides for access by all subjects
+attribute mlsrangedobject;
attribute mlstrustedobject;
attribute privrangetrans;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-2.6.4/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-02-27 14:37:10.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/kernel/selinux.if 2007-05-07 11:27:37.000000000 -0400
@@ -51,6 +51,44 @@
########################################
##
+## Do not audit attempts to get the
+## attributes of the selinuxfs filesystem
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`selinux_dontaudit_getattr_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ dontaudit $1 security_t:filesystem getattr;
+')
+
+########################################
+##
+## Allow domain to get the
+## attributes of the selinuxfs filesystem
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`selinux_getattr_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:filesystem getattr;
+')
+
+########################################
+##
## Search selinuxfs.
##
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-2.6.4/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2007-01-02 12:57:13.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/kernel/storage.if 2007-05-07 11:27:37.000000000 -0400
@@ -100,6 +100,7 @@
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
typeattribute $1 fixed_disk_raw_read;
')
@@ -144,6 +145,7 @@
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file write_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file write_chr_file_perms;
typeattribute $1 fixed_disk_raw_write;
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.6.4/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2007-02-20 16:35:52.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/kernel/terminal.if 2007-05-07 11:27:37.000000000 -0400
@@ -278,6 +278,25 @@
########################################
##
+## Relabel from and to the console_device_t
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`term_relabel_console',`
+ gen_require(`
+ type console_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 console_device_t:chr_file { relabelfrom relabelto };
+')
+
+########################################
+##
## Create the console device (/dev/console).
##
##
@@ -1052,7 +1071,7 @@
')
dev_list_all_dev_nodes($1)
- allow $1 ttynode:chr_file { getattr write };
+ allow $1 ttynode:chr_file { getattr write append };
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-2.6.4/policy/modules/kernel/terminal.te
--- nsaserefpolicy/policy/modules/kernel/terminal.te 2007-04-23 09:35:56.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/terminal.te 2007-05-07 11:27:37.000000000 -0400
@@ -28,6 +28,7 @@
type devpts_t;
files_mountpoint(devpts_t)
fs_associate_tmpfs(devpts_t)
+files_associate_tmp(devpts_t)
fs_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.fc serefpolicy-2.6.4/policy/modules/services/aide.fc
--- nsaserefpolicy/policy/modules/services/aide.fc 2007-04-30 11:25:12.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/aide.fc 2007-05-07 11:27:37.000000000 -0400
@@ -2,5 +2,5 @@
/var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
-/var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
/var/log/aide.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
+/var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.te serefpolicy-2.6.4/policy/modules/services/aide.te
--- nsaserefpolicy/policy/modules/services/aide.te 2007-04-30 11:25:12.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/aide.te 2007-05-07 11:27:37.000000000 -0400
@@ -26,7 +26,7 @@
allow aide_t self:capability { dac_override fowner };
-send_audit_msgs_pattern(aide_t)
+logging_send_audit_msg(aide_t)
# database actions
manage_files_pattern(aide_t,aide_db_t,aide_db_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-2.6.4/policy/modules/services/amavis.if
--- nsaserefpolicy/policy/modules/services/amavis.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/services/amavis.if 2007-05-07 11:27:37.000000000 -0400
@@ -167,3 +167,22 @@
allow $1 amavis_var_run_t:file setattr;
files_search_pids($1)
')
+
+########################################
+##
+## Set the create of amavis var run files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`amavis_create_pid_files',`
+ gen_require(`
+ type amavis_var_run_t;
+ ')
+
+ allow $1 amavis_var_run_t:file create_file_perms;
+ files_search_pids($1)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.6.4/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2007-02-23 16:50:01.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/services/apache.fc 2007-05-07 11:27:37.000000000 -0400
@@ -1,10 +1,5 @@
# temporary hack till genhomedircon is fixed
-ifdef(`targeted_policy',`
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-',`
HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
-')
-
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -21,7 +16,6 @@
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
@@ -78,3 +72,11 @@
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+#Bugzilla file context
+/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_script_rw_t,s0)
+#viewvc file context
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t, s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.6.4/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-04-02 10:58:34.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/apache.if 2007-05-07 11:27:37.000000000 -0400
@@ -18,10 +18,6 @@
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
')
- # allow write access to public file transfer
- # services files.
- gen_tunable(allow_httpd_$1_script_anon_write,false)
-
#This type is for webpages
type httpd_$1_content_t, httpdcontent; # customizable
files_type(httpd_$1_content_t)
@@ -120,10 +116,6 @@
can_exec(httpd_$1_script_t, httpdcontent)
')
- tunable_policy(`allow_httpd_$1_script_anon_write',`
- miscfiles_manage_public_files(httpd_$1_script_t)
- ')
-
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
@@ -268,8 +260,11 @@
')
apache_content_template($1)
+ manage_dirs_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t)
+ manage_files_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t)
+ manage_lnk_files_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t)
- typeattribute httpd_$1_script_t httpd_script_domains;
+ typeattribute httpd_$1_content_t httpd_script_domains;
userdom_user_home_content($1,httpd_$1_content_t)
role $3 types httpd_$1_script_t;
@@ -434,6 +429,24 @@
########################################
##
+## getattr apache.process
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_getattr',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:process getattr;
+')
+
+########################################
+##
## Inherit and use file descriptors from Apache.
##
##
@@ -752,6 +765,7 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
+ read_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t)
')
########################################
@@ -923,7 +937,7 @@
type httpd_squirrelmail_t;
')
- allow $1 httpd_squirrelmail_t:file { getattr read };
+ read_files_pattern($1,httpd_squirrelmail_t,httpd_squirrelmail_t)
')
########################################
@@ -1000,3 +1014,140 @@
allow $1 httpd_sys_script_t:dir search_dir_perms;
')
+
+########################################
+##
+## Allow the specified domain to manage
+## apache modules.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_manage_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ manage_dirs_pattern($1,httpd_modules_t,httpd_modules_t)
+ manage_files_pattern($1,httpd_modules_t,httpd_modules_t)
+ manage_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t)
+')
+
+########################################
+##
+## Allow the specified domain to create
+## apache lock file
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_manage_lock',`
+ gen_require(`
+ type httpd_lock_t;
+ ')
+ allow $1 httpd_lock_t:file manage_file_perms;
+ files_lock_filetrans($1, httpd_lock_t, file)
+')
+
+########################################
+##
+## Allow the specified domain to manage
+## apache pid file
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_manage_pid',`
+ gen_require(`
+ type httpd_var_run_t;
+ ')
+ manage_files_pattern($1,httpd_var_run_t,httpd_var_run_t)
+ files_pid_filetrans($1,httpd_var_run_t, file)
+')
+
+########################################
+##
+##f Read apache system state
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_read_state',`
+ gen_require(`
+ type httpd_t;
+ ')
+ kernel_search_proc($1)
+ allow $1 httpd_t:dir list_dir_perms;
+ read_files_pattern($1,httpd_t,httpd_t)
+ read_lnk_files_pattern($1,httpd_t,httpd_t)
+ dontaudit $1 httpd_t:process ptrace;
+')
+
+########################################
+##
+##f allow domain to signal apache
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_signal',`
+ gen_require(`
+ type httpd_t;
+ ')
+ allow $1 httpd_t:process signal;
+')
+
+########################################
+##
+## allow domain to relabel apache content
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_relabel',`
+ gen_require(`
+ attribute httpdcontent;
+ attribute httpd_script_exec_type;
+ ')
+
+ allow $1 { httpd_script_exec_type httpdcontent}:dir { relabelto relabelfrom };
+ allow $1 { httpd_script_exec_type httpdcontent}:file { relabelto relabelfrom };
+')
+
+########################################
+##
+## Allow the specified domain to search
+## apache bugzilla directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_search_bugzilla_dirs',`
+ gen_require(`
+ type httpd_bugzilla_content_t;
+ ')
+
+ allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-04-23 09:36:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-05-07 11:27:37.000000000 -0400
@@ -106,6 +106,27 @@
##
gen_tunable(httpd_unified,false)
+##