diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.8.8/Makefile --- nsaserefpolicy/Makefile 2010-07-14 11:21:53.000000000 -0400 +++ serefpolicy-3.8.8/Makefile 2010-07-30 14:06:53.000000000 -0400 @@ -244,7 +244,7 @@ appdir := $(contextpath) user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) -appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names) +appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names) net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/git_selinux.8 serefpolicy-3.8.8/man/man8/git_selinux.8 --- nsaserefpolicy/man/man8/git_selinux.8 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/man/man8/git_selinux.8 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,109 @@ +.TH "git_selinux" "8" "27 May 2010" "domg472@gmail.com" "Git SELinux policy documentation" +.de EX +.nf +.ft CW +.. +.de EE +.ft R +.fi +.. +.SH "NAME" +git_selinux \- Security Enhanced Linux Policy for the Git daemon. +.SH "DESCRIPTION" +Security-Enhanced Linux secures the Git server via flexible mandatory access +control. +.SH FILE_CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +Policy governs the access daemons have to these files. +SELinux Git policy is very flexible allowing users to setup their web services in as secure a method as possible. +.PP +The following file contexts types are by default defined for Git: +.EX +git_system_content_t +.EE +- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users. +.EX +git_session_content_t +.EE +- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type. +.SH BOOLEANS +SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible. +.PP +Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories. +.EX +sudo setsebool -P git_system_enable_homedirs 1 +.EE +.PP +Allow the Git system daemon to read system shared repositories on NFS shares. +.EX +sudo setsebool -P git_system_use_nfs 1 +.EE +.PP +Allow the Git system daemon to read system shared repositories on Samba shares. +.EX +sudo setsebool -P git_system_use_cifs 1 +.EE +.PP +Allow the Git session daemon to read users personal repositories on NFS mounted home directories. +.EX +sudo setsebool -P use_nfs_home_dirs 1 +.EE +.PP +Allow the Git session daemon to read users personal repositories on Samba mounted home directories. +.EX +sudo setsebool -P use_samba_home_dirs 1 +.EE +.PP +To also allow Git system daemon to read users personal repositories on NFS and Samba mounted home directories you must also allow the Git system daemon to search home directories so that it can find the repositories. +.EX +sudo setsebool -P git_system_enable_homedirs 1 +.EE +.PP +To allow the Git System daemon mass hosting of users personal repositories you can allow the Git daemon to listen to any unreserved ports. +.EX +sudo setsebool -P git_session_bind_all_unreserved_ports 1 +.EE +.SH GIT_SHELL +The Git policy by default provides a restricted user environment to be used with "Git shell". This default git_shell_u SELinux user can modify and execute generic Git system content (generic system shared respositories with type git_system_content_t). +.PP +To add a new Linux user and map him to this Git shell user domain automatically: +.EX +sudo useradd -Z git_shell_u joe +.EE +.SH ADVANCED_SYSTEM_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS +Alternatively Git SELinux policy can be used to restrict "Git shell" users to git system shared repositories. The policy allows for the creation of new types of Git system content and Git shell user environment. The policy allows for delegation of types of "Git shell" environments to types of Git system content. +.PP +To add a new Git system repository type, for example "project1" create a file named project1.te and add to it: +.EX +policy_module(project1, 1.0.0) +git_content_template(project1) +.EE +Next create a file named project1.fc and add a file context specification for the new repository type to it: +.EX +/srv/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0) +.EE +Build a binary representation of this source policy module, load it into the policy store and restore the context of the repository: +.EX +make -f /usr/share/selinux/devel/Makefile project.pp +sudo semodule -i project1.pp +sudo restorecon -R -v /srv/git/project1 +.EE +To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following: +.EX +policy_module(project1user, 1.0.0) +git_role_template(project1user) +git_content_delegation(project1user_t, git_project1_content_t) +gen_user(project1user_u, user, project1user_r, s0, s0) +.EE +Build a binary representation of this source policy module, load it into the policy store and map Linux users to the new project1user_u SELinux user: +.EX +make -f /usr/share/selinux/devel/Makefile project1user.pp +sudo semodule -i project1user.pp +sudo useradd -Z project1user_u jane +.EE +.PP +system-config-selinux is a GUI tool available to customize SELinux policy settings. +.SH AUTHOR +This manual page was written by Dominick Grift . +.SH "SEE ALSO" +selinux(8), git(8), chcon(1), semodule(8), setsebool(8) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/constraints serefpolicy-3.8.8/policy/constraints --- nsaserefpolicy/policy/constraints 2009-11-12 12:51:51.000000000 -0500 +++ serefpolicy-3.8.8/policy/constraints 2010-07-30 14:06:53.000000000 -0400 @@ -1,4 +1,3 @@ - # # Define the constraints # @@ -91,7 +90,7 @@ ( u1 == u2 or ( t1 == can_change_process_identity and t2 == process_user_target ) - or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) ) + or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) ) or ( t1 == can_system_change and u2 == system_u ) or ( t1 == process_uncond_exempt ) ); @@ -100,7 +99,7 @@ ( r1 == r2 or ( t1 == can_change_process_role and t2 == process_user_target ) - or ( t1 == cron_source_domain and t2 == cron_job_domain ) + or ( t1 == cron_source_domain and t2 == cron_job_domain ) or ( t1 == can_system_change and r2 == system_r ) or ( t1 == process_uncond_exempt ) ); @@ -173,7 +172,7 @@ ######################################## # -# SE-X Windows rules +# X Windows rules # exempted_ubac_constraint(x_drawable, ubacxwin) @@ -219,26 +218,21 @@ exempted_ubac_constraint(db_tuple, ubacdb) exempted_ubac_constraint(db_blob, ubacdb) - - basic_ubac_constraint(association) basic_ubac_constraint(peer) - -# these classes have no UBAC restrictions -#class security -#class system -#class capability -#class memprotect -#class passwd # userspace -#class node -#class netif -#class packet -#class capability2 -#class nscd # userspace -#class context # userspace - - +# These classes have no UBAC restrictions +# class security +# class system +# class capability +# class memprotect +# class passwd +# class node +# class netif +# class packet +# class capability2 +# class nscd +# class context undefine(`basic_ubac_constraint') undefine(`basic_ubac_conditions') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.8.8/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/global_tunables 2010-07-30 14:06:53.000000000 -0400 @@ -61,15 +61,6 @@ ## ##

-## Allow email client to various content. -## nfs, samba, removable devices, and user temp -## files -##

-## -gen_tunable(mail_read_content,false) - -## -##

## Allow any files/directories to be exported read/write via NFS. ##

## @@ -104,3 +95,18 @@ ##

## gen_tunable(user_tcp_server,false) + +## +##

+## Allow direct login to the console device. Required for System 390 +##

+## +gen_tunable(allow_console_login,false) + +## +##

+## Allow certain domains to map low memory in the kernel +##

+## +gen_tunable(mmap_low_allowed, false) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.8.8/policy/mcs --- nsaserefpolicy/policy/mcs 2009-11-12 12:51:51.000000000 -0500 +++ serefpolicy-3.8.8/policy/mcs 2010-07-30 14:06:53.000000000 -0400 @@ -86,10 +86,10 @@ (( h1 dom h2 ) and ( l2 eq h2 )); # new file labels must be dominated by the relabeling subject clearance -mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } +mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { relabelfrom } ( h1 dom h2 ); -mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } +mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { create relabelto } (( h1 dom h2 ) and ( l2 eq h2 )); mlsconstrain process { transition dyntransition } diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.fc serefpolicy-3.8.8/policy/modules/admin/accountsd.fc --- nsaserefpolicy/policy/modules/admin/accountsd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/admin/accountsd.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,3 @@ +/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) + +/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.if serefpolicy-3.8.8/policy/modules/admin/accountsd.if --- nsaserefpolicy/policy/modules/admin/accountsd.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/admin/accountsd.if 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,173 @@ +## Accountsservice D-Bus interfaces for querying and manipulating user account information. + +######################################## +## +## Execute a domain transition to +## run Account Service daemon. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`accountsd_domtrans',` + gen_require(` + type accountsd_t, accountsd_exec_t; + ') + + domtrans_pattern($1, accountsd_exec_t, accountsd_t) + corecmd_search_bin($1) + files_search_usr($1) +') + +######################################## +## +## Search Accounts Service daemon +## lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`accountsd_search_lib',` + gen_require(` + type accountsd_var_lib_t; + ') + + allow $1 accountsd_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Read Accounts Service daemon +## lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`accountsd_read_lib_files',` + gen_require(` + type accountsd_var_lib_t; + ') + + read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) + files_search_var_lib($1) +') + +######################################## +## +## Manage Account Service daemon +## lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`accountsd_manage_lib_files',` + gen_require(` + type accountsd_var_lib_t; + ') + + manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) + files_search_var_lib($1) +') + +######################################## +## +## Manage Account Service daemon +## lib content. +## +## +## +## Domain allowed access. +## +## +# +interface(`accountsd_manage_var_lib',` + gen_require(` + type accountsd_var_lib_t; + ') + + manage_dirs_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) + manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) + manage_lnk_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) + files_search_var_lib($1) +') + +######################################## +## +## Send and receive messages from +## Account Service daemon over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`accountsd_dbus_chat',` + gen_require(` + type accountsd_t; + class dbus send_msg; + ') + + allow $1 accountsd_t:dbus send_msg; + allow accountsd_t $1:dbus send_msg; +') + +######################################## +## +## Do not audit attempts to read and +## write Account Service daemon pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`accountsd_dontaudit_rw_fifo_file',` + gen_require(` + type accountsd_t; + ') + + dontaudit $1 accountsd_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## +## All of the rules required to administrate +## an Account Service daemon environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`accountsd_admin',` + gen_require(` + type accountsd_t, accountsd_var_lib_t; + ') + + allow $1 accountsd_t:process { ptrace signal_perms }; + read_files_pattern($1, accountsd_t, accountsd_t) + + admin_pattern($1, accountsd_var_lib_t) + files_search_var_lib($1) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.te serefpolicy-3.8.8/policy/modules/admin/accountsd.te --- nsaserefpolicy/policy/modules/admin/accountsd.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/admin/accountsd.te 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,64 @@ +policy_module(accountsd, 1.0.0) + +######################################## +# +# Declarations +# + +type accountsd_t; +type accountsd_exec_t; +dbus_system_domain(accountsd_t, accountsd_exec_t) +init_daemon_domain(accountsd_t, accountsd_exec_t) +role system_r types accountsd_t; + +type accountsd_var_lib_t; +files_type(accountsd_var_lib_t) + +######################################## +# +# accountsd local policy +# +allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace }; + +allow accountsd_t self:fifo_file rw_fifo_file_perms; + +manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) +manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) +files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir } ) + +kernel_read_kernel_sysctls(accountsd_t) + +corecmd_exec_bin(accountsd_t) + +files_read_usr_files(accountsd_t) +files_read_mnt_files(accountsd_t) + +fs_list_inotifyfs(accountsd_t) +fs_read_noxattr_fs_files(accountsd_t) + +auth_read_shadow(accountsd_t) +auth_use_nsswitch(accountsd_t) + +miscfiles_read_localization(accountsd_t) + +logging_send_syslog_msg(accountsd_t) +logging_set_loginuid(accountsd_t) + +usermanage_domtrans_useradd(accountsd_t) +usermanage_domtrans_passwd(accountsd_t) + +userdom_read_user_tmp_files(accountsd_t) +userdom_read_user_home_content_files(accountsd_t) + +optional_policy(` + consolekit_read_log(accountsd_t) +') + +optional_policy(` + policykit_dbus_chat(accountsd_t) +') + +optional_policy(` + xserver_dbus_chat_xdm(accountsd_t) + xserver_manage_xdm_etc_files(accountsd_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.if serefpolicy-3.8.8/policy/modules/admin/acct.if --- nsaserefpolicy/policy/modules/admin/acct.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/acct.if 2010-07-30 14:06:53.000000000 -0400 @@ -25,7 +25,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -44,7 +44,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -65,7 +65,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.8.8/policy/modules/admin/alsa.fc --- nsaserefpolicy/policy/modules/admin/alsa.fc 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/alsa.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,18 +1,20 @@ -/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) +HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) -/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) -/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) -/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) +/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) +/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) +/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) + +/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) ifdef(`distro_debian', ` -/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) ') -/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) +/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.8.8/policy/modules/admin/alsa.if --- nsaserefpolicy/policy/modules/admin/alsa.if 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/alsa.if 2010-08-11 08:22:58.000000000 -0400 @@ -1,8 +1,9 @@ -## Ainit ALSA configuration tool +## Advanced Linux Sound Architecture. ######################################## ## -## Domain transition to alsa +## Execute a domain transition to +## run Alsa. ## ## ## @@ -16,11 +17,12 @@ ') domtrans_pattern($1, alsa_exec_t, alsa_t) + corecmd_search_bin($1) ') ######################################## ## -## Allow read and write access to alsa semaphores. +## Read and write Alsa semaphores. ## ## ## @@ -33,12 +35,12 @@ type alsa_t; ') - allow $1 alsa_t:sem { unix_read unix_write associate read write }; + allow $1 alsa_t:sem rw_sem_perms; ') ######################################## ## -## Allow read and write access to alsa shared memory. +## Read and write Alsa shared memory. ## ## ## @@ -51,12 +53,12 @@ type alsa_t; ') - allow $1 alsa_t:shm { unix_read unix_write create_shm_perms }; + allow $1 alsa_t:shm rw_shm_perms; ') ######################################## ## -## Read alsa writable config files. +## Read Alsa writable config files. ## ## ## @@ -72,11 +74,12 @@ allow $1 alsa_etc_rw_t:dir list_dir_perms; read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) + files_search_etc($1) ') ######################################## ## -## Manage alsa writable config files. +## Manage Alsa writable config files. ## ## ## @@ -92,11 +95,12 @@ allow $1 alsa_etc_rw_t:dir list_dir_perms; manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) + files_search_etc($1) ') ######################################## ## -## Read alsa lib files. +## Read Alsa lib files. ## ## ## @@ -110,4 +114,24 @@ ') read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) + files_search_var_lib($1) +') + +######################################## +## +## Read Alsa home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`alsa_read_home_files',` + gen_require(` + type alsa_home_t; + ') + + allow $1 alsa_home_t:file read_file_perms; + userdom_search_user_home_dirs($1) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.8.8/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/alsa.te 2010-07-30 14:06:53.000000000 -0400 @@ -16,6 +16,9 @@ type alsa_var_lib_t; files_type(alsa_var_lib_t) +type alsa_home_t; +userdom_user_home_content(alsa_home_t) + ######################################## # # Local policy @@ -28,6 +31,8 @@ allow alsa_t self:unix_stream_socket create_stream_socket_perms; allow alsa_t self:unix_dgram_socket create_socket_perms; +allow alsa_t alsa_home_t:file read_file_perms; + manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-3.8.8/policy/modules/admin/amanda.if --- nsaserefpolicy/policy/modules/admin/amanda.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/amanda.if 2010-07-30 14:06:53.000000000 -0400 @@ -1,12 +1,13 @@ -## Automated backup program. +## Advanced Maryland Automatic Network Disk Archiver. ######################################## ## -## Execute amrecover in the amanda_recover domain. +## Execute a domain transition to +## run Amanda Recover. ## ## ## -## The type of the process performing this action. +## Domain allowed to transition. ## ## # @@ -16,21 +17,25 @@ ') domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t) + corecmd_search_bin($1) ') ######################################## ## -## Execute amrecover in the amanda_recover domain, and -## allow the specified role the amanda_recover domain. +## Execute a domain transition to +## run Amanda Recover and allow the +## specified role the Amanda Recover +## domain. ## ## ## -## The type of the process performing this action. +## Domain allowed to transition. ## ## ## ## -## The role to be allowed the amanda_recover domain. +## The role to be allowed the Amanda +## Recover domain. ## ## ## @@ -46,11 +51,11 @@ ######################################## ## -## Search amanda library directories. +## Search Amanda lib directories. ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -61,11 +66,13 @@ allow $1 amanda_usr_lib_t:dir search_dir_perms; files_search_usr($1) + libs_search_lib($1) ') ######################################## ## -## Do not audit attempts to read /etc/dumpdates. +## Do not audit attempts to read +## dumpdates files. ## ## ## @@ -78,16 +85,16 @@ type amanda_dumpdates_t; ') - dontaudit $1 amanda_dumpdates_t:file { getattr read }; + dontaudit $1 amanda_dumpdates_t:file read_file_perms; ') ######################################## ## -## Allow read/writing /etc/dumpdates. +## Read and write dumpdates files. ## ## ## -## Domain to allow +## Domain allowed access. ## ## # @@ -97,15 +104,16 @@ ') allow $1 amanda_dumpdates_t:file rw_file_perms; + files_search_etc($1) ') ######################################## ## -## Search amanda library directories. +## Search Amanda lib directories. ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -116,15 +124,16 @@ allow $1 amanda_usr_lib_t:dir manage_dir_perms; files_search_usr($1) + libs_search_lib($1) ') ######################################## ## -## Allow read/writing amanda logs +## Read and write Amanda logs. ## ## ## -## Domain to allow +## Domain allowed access. ## ## # @@ -134,15 +143,16 @@ ') allow $1 amanda_log_t:file { read_file_perms append_file_perms }; + logging_search_logs($1) ') ####################################### ## -## Search amanda var library directories. +## Search Amanda lib directories. ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -151,7 +161,6 @@ type amanda_var_lib_t; ') - files_search_var_lib($1) allow $1 amanda_var_lib_t:dir search_dir_perms; - + files_search_var_lib($1) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.8.8/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/anaconda.te 2010-07-30 14:06:53.000000000 -0400 @@ -28,8 +28,10 @@ logging_send_syslog_msg(anaconda_t) modutils_domtrans_insmod(anaconda_t) +modutils_domtrans_depmod(anaconda_t) seutil_domtrans_semanage(anaconda_t) +seutil_domtrans_setsebool(anaconda_t) userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) @@ -51,7 +53,7 @@ ') optional_policy(` - unconfined_domain(anaconda_t) + unconfined_domain_noaudit(anaconda_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/apt.if serefpolicy-3.8.8/policy/modules/admin/apt.if --- nsaserefpolicy/policy/modules/admin/apt.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/apt.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -26,7 +26,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -52,7 +52,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -90,7 +90,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -109,7 +109,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -146,7 +146,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -167,7 +167,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -188,7 +188,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/backup.if serefpolicy-3.8.8/policy/modules/admin/backup.if --- nsaserefpolicy/policy/modules/admin/backup.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/backup.if 2010-07-30 14:06:53.000000000 -0400 @@ -25,7 +25,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.if serefpolicy-3.8.8/policy/modules/admin/bootloader.if --- nsaserefpolicy/policy/modules/admin/bootloader.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/bootloader.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -25,7 +25,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -56,7 +56,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -75,7 +75,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -95,7 +95,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -115,7 +115,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.if serefpolicy-3.8.8/policy/modules/admin/brctl.if --- nsaserefpolicy/policy/modules/admin/brctl.if 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/brctl.if 2010-08-10 05:23:35.000000000 -0400 @@ -17,3 +17,22 @@ domtrans_pattern($1, brctl_exec_t, brctl_t) ') + +##################################### +## +## Execute brctl in the brctl domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`brctl_run',` + gen_require(` + type brctl_t, brctl_exec_t; + ') + + brctl_domtrans($1) + role $2 types brctl_t; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.if serefpolicy-3.8.8/policy/modules/admin/certwatch.if --- nsaserefpolicy/policy/modules/admin/certwatch.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/certwatch.if 2010-07-30 14:06:53.000000000 -0400 @@ -29,7 +29,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -57,7 +57,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.8.8/policy/modules/admin/certwatch.te --- nsaserefpolicy/policy/modules/admin/certwatch.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/certwatch.te 2010-07-30 14:06:53.000000000 -0400 @@ -35,7 +35,7 @@ miscfiles_read_localization(certwatch_t) userdom_use_user_terminals(certwatch_t) -userdom_dontaudit_list_user_home_dirs(certwatch_t) +userdom_dontaudit_list_admin_dir(certwatch_t) optional_policy(` apache_exec_modules(certwatch_t) @@ -47,6 +47,7 @@ ') optional_policy(` + pcscd_domtrans(certwatch_t) pcscd_stream_connect(certwatch_t) pcscd_read_pub_files(certwatch_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.8.8/policy/modules/admin/consoletype.if --- nsaserefpolicy/policy/modules/admin/consoletype.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/consoletype.if 2010-07-30 14:06:53.000000000 -0400 @@ -8,7 +8,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -32,7 +32,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -56,7 +56,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.8.8/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/consoletype.te 2010-07-30 14:06:53.000000000 -0400 @@ -85,6 +85,7 @@ hal_dontaudit_rw_pipes(consoletype_t) hal_dontaudit_rw_dgram_sockets(consoletype_t) hal_dontaudit_write_log(consoletype_t) + hal_dontaudit_read_pid_files(consoletype_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ddcprobe.if serefpolicy-3.8.8/policy/modules/admin/ddcprobe.if --- nsaserefpolicy/policy/modules/admin/ddcprobe.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/ddcprobe.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -25,7 +25,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.if serefpolicy-3.8.8/policy/modules/admin/dmesg.if --- nsaserefpolicy/policy/modules/admin/dmesg.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/dmesg.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -25,7 +25,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.8.8/policy/modules/admin/dmesg.te --- nsaserefpolicy/policy/modules/admin/dmesg.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/dmesg.te 2010-07-30 14:06:53.000000000 -0400 @@ -50,6 +50,12 @@ userdom_use_user_terminals(dmesg_t) optional_policy(` + abrt_append_cache_files(dmesg_t) + abrt_rw_fifo_file(dmesg_t) + abrt_manage_pid_files(dmesg_t) +') + +optional_policy(` seutil_sigchld_newrole(dmesg_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmidecode.if serefpolicy-3.8.8/policy/modules/admin/dmidecode.if --- nsaserefpolicy/policy/modules/admin/dmidecode.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/dmidecode.if 2010-07-30 14:06:53.000000000 -0400 @@ -30,7 +30,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dpkg.if serefpolicy-3.8.8/policy/modules/admin/dpkg.if --- nsaserefpolicy/policy/modules/admin/dpkg.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/dpkg.if 2010-07-30 14:06:53.000000000 -0400 @@ -8,7 +8,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -50,7 +50,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -77,7 +77,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -95,7 +95,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -113,7 +113,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -131,7 +131,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -149,7 +149,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -170,7 +170,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -211,7 +211,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.if serefpolicy-3.8.8/policy/modules/admin/firstboot.if --- nsaserefpolicy/policy/modules/admin/firstboot.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/firstboot.if 2010-07-30 14:06:53.000000000 -0400 @@ -9,7 +9,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -28,7 +28,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -52,7 +52,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -89,7 +89,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -107,7 +107,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.8.8/policy/modules/admin/firstboot.te --- nsaserefpolicy/policy/modules/admin/firstboot.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/firstboot.te 2010-08-11 09:17:15.000000000 -0400 @@ -91,6 +91,10 @@ userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) optional_policy(` + consoletype_domtrans(firstboot_t) +') + +optional_policy(` dbus_system_bus_client(firstboot_t) optional_policy(` @@ -121,6 +125,7 @@ ') optional_policy(` + gnome_admin_home_gconf_filetrans(firstboot_t, dir) gnome_manage_config(firstboot_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.if serefpolicy-3.8.8/policy/modules/admin/kudzu.if --- nsaserefpolicy/policy/modules/admin/kudzu.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/kudzu.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -25,7 +25,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -50,7 +50,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.if serefpolicy-3.8.8/policy/modules/admin/logrotate.if --- nsaserefpolicy/policy/modules/admin/logrotate.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/logrotate.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -25,7 +25,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -50,7 +50,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.8.8/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/logrotate.te 2010-07-30 14:06:53.000000000 -0400 @@ -119,6 +119,7 @@ userdom_use_user_terminals(logrotate_t) userdom_list_user_home_dirs(logrotate_t) userdom_use_unpriv_users_fds(logrotate_t) +userdom_dontaudit_list_admin_dir(logrotate_t) cron_system_entry(logrotate_t, logrotate_exec_t) cron_search_spool(logrotate_t) @@ -138,7 +139,7 @@ ') optional_policy(` - abrt_cache_manage(logrotate_t) + abrt_manage_cache_files(logrotate_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.fc serefpolicy-3.8.8/policy/modules/admin/logwatch.fc --- nsaserefpolicy/policy/modules/admin/logwatch.fc 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/logwatch.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,7 +1,11 @@ /usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0) +/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0) /usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0) /var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0) /var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0) +/var/lib/epylog(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0) /var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0) + +/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.8.8/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/logwatch.te 2010-08-17 07:18:59.000000000 -0400 @@ -19,6 +19,9 @@ type logwatch_tmp_t; files_tmp_file(logwatch_tmp_t) +type logwatch_var_run_t; +files_pid_file(logwatch_var_run_t) + ######################################## # # Local policy @@ -39,6 +42,9 @@ manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir }) +allow logwatch_t logwatch_var_run_t:file manage_file_perms; +files_pid_filetrans(logwatch_t, logwatch_var_run_t, file) + kernel_read_fs_sysctls(logwatch_t) kernel_read_kernel_sysctls(logwatch_t) kernel_read_system_state(logwatch_t) @@ -92,8 +98,16 @@ sysnet_exec_ifconfig(logwatch_t) userdom_dontaudit_search_user_home_dirs(logwatch_t) +userdom_dontaudit_list_admin_dir(logwatch_t) -mta_send_mail(logwatch_t) +#mta_send_mail(logwatch_t) +mta_base_mail_template(logwatch) +mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) +role system_r types logwatch_mail_t; +logging_read_all_logs(logwatch_mail_t) +manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t) +allow logwatch_mail_t self:capability { dac_read_search dac_override }; +mta_read_home(logwatch_mail_t) ifdef(`distro_redhat',` files_search_all(logwatch_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.8.8/policy/modules/admin/mrtg.te --- nsaserefpolicy/policy/modules/admin/mrtg.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/mrtg.te 2010-07-30 14:06:53.000000000 -0400 @@ -115,6 +115,7 @@ userdom_use_user_terminals(mrtg_t) userdom_dontaudit_read_user_home_content_files(mrtg_t) userdom_dontaudit_use_unpriv_user_fds(mrtg_t) +userdom_dontaudit_list_admin_dir(mrtg_t) netutils_domtrans_ping(mrtg_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.fc serefpolicy-3.8.8/policy/modules/admin/ncftool.fc --- nsaserefpolicy/policy/modules/admin/ncftool.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/admin/ncftool.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,2 @@ + +/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.if serefpolicy-3.8.8/policy/modules/admin/ncftool.if --- nsaserefpolicy/policy/modules/admin/ncftool.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/admin/ncftool.if 2010-08-10 05:23:35.000000000 -0400 @@ -0,0 +1,78 @@ + +## policy for ncftool + +######################################## +## +## Execute a domain transition to run ncftool. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`ncftool_domtrans',` + gen_require(` + type ncftool_t, ncftool_exec_t; + ') + + domtrans_pattern($1, ncftool_exec_t, ncftool_t) +') + +######################################## +## +## Execute ncftool in the ncftool domain, and +## allow the specified role the ncftool domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the ncftool domain. +## +## +# +interface(`ncftool_run',` + gen_require(` + type ncftool_t; + ') + + ncftool_domtrans($1) + role $2 types ncftool_t; + + optional_policy(` + brctl_run(ncftool_t, $2) + ') +') + +######################################## +## +## Role access for ncftool +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`ncftool_role',` + gen_require(` + type ncftool_t; + ') + + role $1 types ncftool_t; + + ncftool_domtrans($2) + + ps_process_pattern($2, ncftool_t) + allow $2 ncftool_t:process signal; +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.8.8/policy/modules/admin/ncftool.te --- nsaserefpolicy/policy/modules/admin/ncftool.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/admin/ncftool.te 2010-08-11 08:45:52.000000000 -0400 @@ -0,0 +1,91 @@ +policy_module(ncftool, 1.0.0) + +######################################## +# +# Declarations +# + +type ncftool_t; +type ncftool_exec_t; +application_domain(ncftool_t, ncftool_exec_t) +domain_obj_id_change_exemption(ncftool_t) +domain_system_change_exemption(ncftool_t) +role system_r types ncftool_t; + +permissive ncftool_t; + +######################################## +# +# ncftool local policy +# + +allow ncftool_t self:capability { net_admin sys_ptrace }; + +allow ncftool_t self:process signal; + +allow ncftool_t self:fifo_file manage_fifo_file_perms; +allow ncftool_t self:unix_stream_socket create_stream_socket_perms; + +allow ncftool_t self:netlink_route_socket create_netlink_socket_perms; +allow ncftool_t self:tcp_socket create_stream_socket_perms; + +kernel_read_kernel_sysctls(ncftool_t) +kernel_read_modprobe_sysctls(ncftool_t) +kernel_read_network_state(ncftool_t) +kernel_read_system_state(ncftool_t) +kernel_request_load_module(ncftool_t) +kernel_rw_net_sysctls(ncftool_t) + +corecmd_exec_bin(ncftool_t) +corecmd_exec_shell(ncftool_t) + +domain_read_all_domains_state(ncftool_t) + +dev_read_sysfs(ncftool_t) + +files_manage_system_conf_files(ncftool_t) +files_relabelto_system_conf_files(ncftool_t) +files_read_etc_files(ncftool_t) +files_read_etc_runtime_files(ncftool_t) +files_read_usr_files(ncftool_t) + +term_use_all_terms(ncftool_t) + +miscfiles_read_localization(ncftool_t) + +modutils_list_module_config(ncftool_t) +modutils_read_module_config(ncftool_t) +modutils_domtrans_insmod(ncftool_t) + +sysnet_delete_dhcpc_pid(ncftool_t) +sysnet_domtrans_dhcpc(ncftool_t) +sysnet_domtrans_ifconfig(ncftool_t) +sysnet_etc_filetrans_config(ncftool_t) +sysnet_manage_config(ncftool_t) +sysnet_read_dhcpc_state(ncftool_t) +sysnet_relabelfrom_net_conf(ncftool_t) +sysnet_relabelto_net_conf(ncftool_t) +sysnet_read_dhcpc_pid(ncftool_t) +sysnet_signal_dhcpc(ncftool_t) + +userdom_read_user_tmp_files(ncftool_t) + +optional_policy(` + consoletype_exec(ncftool_t) +') + +optional_policy(` + dbus_system_bus_client(ncftool_t) +') + +optional_policy(` + iptables_initrc_domtrans(ncftool_t) +') + +optional_policy(` + iptables_initrc_domtrans(ncftool_t) +') + +optional_policy(` + netutils_domtrans(ncftool_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.8.8/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/netutils.te 2010-07-30 14:06:53.000000000 -0400 @@ -51,6 +51,8 @@ kernel_search_proc(netutils_t) kernel_read_all_sysctls(netutils_t) +kernel_read_network_state(netutils_t) +kernel_request_load_module(netutils_t) corenet_all_recvfrom_unlabeled(netutils_t) corenet_all_recvfrom_netlabel(netutils_t) @@ -67,6 +69,9 @@ corenet_udp_bind_generic_node(netutils_t) dev_read_sysfs(netutils_t) +dev_read_usbmon_dev(netutils_t) +dev_write_usbmon_dev(netutils_t) +dev_rw_generic_usb_dev(netutils_t) fs_getattr_xattr_fs(netutils_t) @@ -137,8 +142,6 @@ miscfiles_read_localization(ping_t) -userdom_use_user_terminals(ping_t) - ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) @@ -148,11 +151,25 @@ ') ') +term_use_all_terms(ping_t) + +tunable_policy(`user_ping',` + term_use_all_ttys(ping_t) + term_use_all_ptys(ping_t) +',` + term_dontaudit_use_all_ttys(ping_t) + term_dontaudit_use_all_ptys(ping_t) +') + optional_policy(` munin_append_log(ping_t) ') optional_policy(` + nagios_rw_inerited_tmp_files(ping_t) +') + +optional_policy(` pcmcia_use_cardmgr_fds(ping_t) ') @@ -197,6 +214,7 @@ domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) +files_read_usr_files(traceroute_t) files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) @@ -207,9 +225,16 @@ miscfiles_read_localization(traceroute_t) -userdom_use_user_terminals(traceroute_t) - #rules needed for nmap dev_read_rand(traceroute_t) dev_read_urand(traceroute_t) -files_read_usr_files(traceroute_t) + +term_use_all_terms(traceroute_t) + +tunable_policy(`user_ping',` + term_use_all_ttys(traceroute_t) + term_use_all_ptys(traceroute_t) +',` + term_dontaudit_use_all_ttys(traceroute_t) + term_dontaudit_use_all_ptys(traceroute_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.8.8/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/prelink.te 2010-08-13 11:29:37.000000000 -0400 @@ -59,6 +59,7 @@ manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file }) +files_search_var_lib(prelink_t) # prelink misc objects that are not system # libraries or entrypoints @@ -73,6 +74,7 @@ corecmd_read_bin_symlinks(prelink_t) dev_read_urand(prelink_t) +dev_getattr_all_chr_files(prelink_t) files_list_all(prelink_t) files_getattr_all_files(prelink_t) @@ -86,6 +88,8 @@ fs_getattr_xattr_fs(prelink_t) +storage_getattr_fixed_disk_dev(prelink_t) + selinux_get_enforce_mode(prelink_t) libs_exec_ld_so(prelink_t) @@ -99,6 +103,8 @@ miscfiles_read_localization(prelink_t) userdom_use_user_terminals(prelink_t) +userdom_manage_user_home_content(prelink_t) +userdom_execmod_user_home_files(prelink_t) optional_policy(` amanda_manage_lib(prelink_t) @@ -109,6 +115,10 @@ ') optional_policy(` + nsplugin_manage_rw_files(prelink_t) +') + +optional_policy(` rpm_manage_tmp_files(prelink_t) ') @@ -129,6 +139,7 @@ read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) allow prelink_cron_system_t prelink_cache_t:file unlink; + files_delete_etc_dir_entry(prelink_cron_system_t) domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; @@ -148,7 +159,7 @@ files_read_etc_files(prelink_cron_system_t) files_search_var_lib(prelink_cron_system_t) - init_exec(prelink_cron_system_t) + init_telinit(prelink_cron_system_t) libs_exec_ld_so(prelink_cron_system_t) @@ -158,6 +169,8 @@ cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t) + userdom_dontaudit_list_admin_dir(prelink_cron_system_t) + optional_policy(` rpm_read_db(prelink_cron_system_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.if serefpolicy-3.8.8/policy/modules/admin/quota.if --- nsaserefpolicy/policy/modules/admin/quota.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/quota.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -25,7 +25,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.8.8/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/readahead.te 2010-07-30 14:06:53.000000000 -0400 @@ -51,6 +51,7 @@ files_list_non_security(readahead_t) files_read_non_security_files(readahead_t) +files_dontaudit_read_security_files(readahead_t) files_create_boot_flag(readahead_t) files_getattr_all_pipes(readahead_t) files_dontaudit_getattr_all_sockets(readahead_t) @@ -64,6 +65,7 @@ fs_read_tmpfs_files(readahead_t) fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) +fs_dontaudit_read_tmpfs_blk_dev(readahead_t) fs_dontaudit_search_ramfs(readahead_t) fs_dontaudit_read_ramfs_pipes(readahead_t) fs_dontaudit_read_ramfs_files(readahead_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.8.8/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/rpm.fc 2010-08-06 11:14:58.000000000 -0400 @@ -7,6 +7,7 @@ /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -25,6 +26,9 @@ /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) ') /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) @@ -36,6 +40,8 @@ /var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) +/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) + /var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) /var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.8.8/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/rpm.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,18 +6,21 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # interface(`rpm_domtrans',` gen_require(` type rpm_t, rpm_exec_t; + attribute rpm_transition_domain; ') files_search_usr($1) corecmd_search_bin($1) domtrans_pattern($1, rpm_exec_t, rpm_t) + typeattribute $1 rpm_transition_domain; + rpm_debuginfo_domtrans($1) ') ######################################## @@ -69,7 +72,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -87,6 +90,11 @@ rpm_domtrans($1) role $2 types rpm_t; role $2 types rpm_script_t; + + domain_system_change_exemption($1) + role_transition $2 rpm_exec_t system_r; + allow $2 system_r; + seutil_run_loadpolicy(rpm_script_t, $2) seutil_run_semanage(rpm_script_t, $2) seutil_run_setfiles(rpm_script_t, $2) @@ -135,7 +143,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -153,7 +161,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -171,7 +179,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -185,6 +193,41 @@ ######################################## ## +## dontaudit read and write an leaked file descriptors +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_dontaudit_leaks',` + gen_require(` + type rpm_t, rpm_var_cache_t; + type rpm_script_t, rpm_var_run_t, rpm_tmp_t; + type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t; + ') + + dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms; + dontaudit $1 rpm_t:tcp_socket { read write }; + dontaudit $1 rpm_t:unix_dgram_socket { read write }; + dontaudit $1 rpm_t:shm rw_shm_perms; + + dontaudit $1 rpm_script_t:fd use; + dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms; + + dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms; + + dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms; + dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms; + dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms; + dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms; + dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms; + dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms; +') + +######################################## +## ## Send and receive messages from ## rpm over dbus. ## @@ -252,7 +295,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -290,7 +333,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -309,7 +352,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -338,7 +381,9 @@ ') files_search_tmp($1) + manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) + manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) ') ##################################### @@ -378,7 +423,9 @@ ') files_search_tmp($1) + manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t) manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t) + manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t) ') ######################################## @@ -448,7 +495,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -461,6 +508,7 @@ allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) + rpm_read_cache($1) ') ######################################## @@ -487,7 +535,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -577,3 +625,66 @@ files_pid_filetrans($1, rpm_var_run_t, file) ') + +######################################## +## +## Send a null signal to rpm. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_inherited_fifo',` + gen_require(` + attribute rpm_transition_domain; + ') + + allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms; +') + + +######################################## +## +## Make rpm_exec_t an entry point for +## the specified domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_entry_type',` + gen_require(` + type rpm_exec_t; + ') + + domain_entry_file($1, rpm_exec_t) +') + +######################################## +## +## Allow application to transition to rpm_script domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_transition_script',` + gen_require(` + type rpm_script_t; + attribute rpm_transition_domain; + ') + + typeattribute $1 rpm_transition_domain; + allow $1 rpm_script_t:process transition; + + allow $1 rpm_script_t:fd use; + allow rpm_script_t $1:fd use; + allow rpm_script_t $1:fifo_file rw_fifo_file_perms; + allow rpm_script_t $1:process sigchld; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.8.8/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/rpm.te 2010-08-04 16:24:06.000000000 -0400 @@ -1,10 +1,11 @@ policy_module(rpm, 1.11.1) +attribute rpm_transition_domain; + ######################################## # # Declarations # - type debuginfo_exec_t; domain_entry_file(rpm_t, debuginfo_exec_t) @@ -44,6 +45,7 @@ domain_obj_id_change_exemption(rpm_script_t) domain_system_change_exemption(rpm_script_t) corecmd_shell_entry_type(rpm_script_t) +corecmd_bin_entry_type(rpm_script_t) domain_type(rpm_script_t) domain_entry_file(rpm_t, rpm_script_exec_t) domain_interactive_fd(rpm_script_t) @@ -77,6 +79,8 @@ allow rpm_t self:sem create_sem_perms; allow rpm_t self:msgq create_msgq_perms; allow rpm_t self:msg { send receive }; +allow rpm_t self:dir search; +allow rpm_t self:file rw_file_perms;; allow rpm_t rpm_log_t:file manage_file_perms; logging_log_filetrans(rpm_t, rpm_log_t, file) @@ -84,6 +88,7 @@ manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir }) +can_exec(rpm_t, rpm_tmp_t) manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) @@ -91,6 +96,7 @@ manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) +can_exec(rpm_t, rpm_tmpfs_t) manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) @@ -100,12 +106,14 @@ manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) +manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) -files_pid_filetrans(rpm_t, rpm_var_run_t, file) +files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir }) kernel_read_network_state(rpm_t) kernel_read_system_state(rpm_t) kernel_read_kernel_sysctls(rpm_t) +kernel_read_network_state_symlinks(rpm_t) corecmd_exec_all_executables(rpm_t) @@ -125,6 +133,8 @@ dev_list_sysfs(rpm_t) dev_list_usbfs(rpm_t) dev_read_urand(rpm_t) +dev_read_raw_memory(rpm_t) +#devices_manage_all_device_types(rpm_t) fs_getattr_all_dirs(rpm_t) fs_list_inotifyfs(rpm_t) @@ -205,6 +215,7 @@ optional_policy(` networkmanager_dbus_chat(rpm_t) ') + ') optional_policy(` @@ -212,7 +223,7 @@ ') optional_policy(` - unconfined_domain(rpm_t) + unconfined_domain_noaudit(rpm_t) # yum-updatesd requires this unconfined_dbus_chat(rpm_t) unconfined_dbus_chat(rpm_script_t) @@ -242,6 +253,8 @@ allow rpm_script_t rpm_script_tmp_t:dir mounton; manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) +manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) +manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) @@ -254,6 +267,7 @@ kernel_read_kernel_sysctls(rpm_script_t) kernel_read_system_state(rpm_script_t) kernel_read_network_state(rpm_script_t) +kernel_list_all_proc(rpm_script_t) kernel_read_software_raid_state(rpm_script_t) dev_list_sysfs(rpm_script_t) @@ -301,6 +315,8 @@ auth_relabel_shadow(rpm_script_t) corecmd_exec_all_executables(rpm_script_t) +can_exec(rpm_script_t, rpm_script_tmp_t) +can_exec(rpm_script_t, rpm_script_tmpfs_t) domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) @@ -331,12 +347,15 @@ seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) +seutil_domtrans_setsebool(rpm_script_t) userdom_use_all_users_fds(rpm_script_t) +userdom_exec_admin_home_files(rpm_script_t) ifdef(`distro_redhat',` optional_policy(` mta_send_mail(rpm_script_t) + mta_system_content(rpm_var_run_t) ') ') @@ -366,8 +385,9 @@ ') optional_policy(` - unconfined_domain(rpm_script_t) + unconfined_domain_noaudit(rpm_script_t) unconfined_domtrans(rpm_script_t) + unconfined_execmem_domtrans(rpm_script_t) optional_policy(` java_domtrans_unconfined(rpm_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sectoolm.te serefpolicy-3.8.8/policy/modules/admin/sectoolm.te --- nsaserefpolicy/policy/modules/admin/sectoolm.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/sectoolm.te 2010-07-30 14:06:53.000000000 -0400 @@ -84,6 +84,7 @@ sysnet_domtrans_ifconfig(sectoolm_t) userdom_manage_user_tmp_sockets(sectoolm_t) +userdom_write_user_tmp_sockets(sectoolm_t) optional_policy(` mount_exec(sectoolm_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.8.8/policy/modules/admin/shorewall.if --- nsaserefpolicy/policy/modules/admin/shorewall.if 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/shorewall.if 2010-08-17 06:09:36.000000000 -0400 @@ -18,6 +18,24 @@ domtrans_pattern($1, shorewall_exec_t, shorewall_t) ') +###################################### +## +## Execute a domain transition to run shorewall. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`shorewall_domtrans_lib',` + gen_require(` + type shorewall_t, shorewall_var_lib_t; + ') + + domtrans_pattern($1, shorewall_var_lib_t, shorewall_t) +') + ####################################### ## ## Read shorewall etc configuration files. @@ -134,9 +152,10 @@ # interface(`shorewall_admin',` gen_require(` - type shorewall_t, shorewall_var_run_t, shorewall_lock_t; + type shorewall_t, shorewall_lock_t; + type shorewall_log_t; type shorewall_initrc_exec_t, shorewall_var_lib_t; - type shorewall_tmp_t; + type shorewall_tmp_t, shorewall_etc_t; ') allow $1 shorewall_t:process { ptrace signal_perms }; @@ -153,12 +172,12 @@ files_search_locks($1) admin_pattern($1, shorewall_lock_t) - files_search_pids($1) - admin_pattern($1, shorewall_var_run_t) - files_search_var_lib($1) admin_pattern($1, shorewall_var_lib_t) + logging_search_logs($1) + admin_pattern($1, shorewall_log_t) + files_search_tmp($1) admin_pattern($1, shorewall_tmp_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.8.8/policy/modules/admin/shorewall.te --- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/shorewall.te 2010-08-17 06:09:36.000000000 -0400 @@ -58,6 +58,9 @@ manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file }) +allow shorewall_t shorewall_var_lib_t:file entrypoint; + +allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; kernel_read_kernel_sysctls(shorewall_t) kernel_read_network_state(shorewall_t) @@ -80,13 +83,18 @@ init_rw_utmp(shorewall_t) +logging_read_generic_logs(shorewall_t) logging_send_syslog_msg(shorewall_t) miscfiles_read_localization(shorewall_t) sysnet_domtrans_ifconfig(shorewall_t) -userdom_dontaudit_list_user_home_dirs(shorewall_t) +userdom_dontaudit_list_admin_dir(shorewall_t) + +optional_policy(` + brctl_domtrans(shorewall_t) +') optional_policy(` hostname_exec(shorewall_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.fc serefpolicy-3.8.8/policy/modules/admin/shutdown.fc --- nsaserefpolicy/policy/modules/admin/shutdown.fc 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/shutdown.fc 2010-07-30 14:06:53.000000000 -0400 @@ -3,3 +3,5 @@ /sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) /var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) + +/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.if serefpolicy-3.8.8/policy/modules/admin/shutdown.if --- nsaserefpolicy/policy/modules/admin/shutdown.if 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/shutdown.if 2010-07-30 14:06:53.000000000 -0400 @@ -19,10 +19,11 @@ ifdef(`hide_broken_symptoms', ` dontaudit shutdown_t $1:socket_class_set { read write }; - dontaudit shutdown_t $1:fifo_file { read write }; + dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms; ') ') + ######################################## ## ## Execute shutdown in the shutdown domain, and @@ -50,6 +51,73 @@ ######################################## ## +## Role access for shutdown +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`shutdown_role',` + gen_require(` + type shutdown_t; + ') + + role $1 types shutdown_t; + + shutdown_domtrans($2) + + ps_process_pattern($2, shutdown_t) + allow $2 shutdown_t:process signal; +') + +######################################## +## +## Recieve sigchld from shutdown +## +## +## +## Domain allowed access +## +## +# +interface(`shutdown_send_sigchld',` + gen_require(` + type shutdown_t; + ') + + allow shutdown_t $1:process signal; +') + +######################################## +## +## Send and receive messages from +## shutdown over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`shutdown_dbus_chat',` + gen_require(` + type shutdown_t; + class dbus send_msg; + ') + + allow $1 shutdown_t:dbus send_msg; + allow shutdown_t $1:dbus send_msg; +') + +######################################## +## ## Get attributes of shutdown executable. ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.8.8/policy/modules/admin/shutdown.te --- nsaserefpolicy/policy/modules/admin/shutdown.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/shutdown.te 2010-08-10 05:23:35.000000000 -0400 @@ -36,6 +36,8 @@ files_read_etc_files(shutdown_t) files_read_generic_pids(shutdown_t) +mls_file_write_to_clearance(shutdown_t) + term_use_all_terms(shutdown_t) auth_use_nsswitch(shutdown_t) @@ -55,5 +57,10 @@ ') optional_policy(` + oddjob_dontaudit_rw_fifo_file(shutdown_t) + oddjob_sigchld(shutdown_t) +') + +optional_policy(` xserver_dontaudit_write_log(shutdown_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.8.8/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/sudo.if 2010-07-30 14:06:53.000000000 -0400 @@ -76,6 +76,8 @@ # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_sudo_t, $3) corecmd_bin_domtrans($1_sudo_t, $3) + userdom_domtrans_user_home($1_sudo_t, $3) + userdom_domtrans_user_tmp($1_sudo_t, $3) allow $3 $1_sudo_t:fd use; allow $3 $1_sudo_t:fifo_file rw_file_perms; allow $3 $1_sudo_t:process signal_perms; @@ -134,12 +136,16 @@ userdom_manage_user_tmp_symlinks($1_sudo_t) userdom_use_user_terminals($1_sudo_t) # for some PAM modules and for cwd - userdom_dontaudit_search_user_home_content($1_sudo_t) + userdom_search_user_home_content($1_sudo_t) + userdom_search_admin_dir($1_sudo_t) + userdom_manage_all_users_keys($1_sudo_t) ifdef(`hide_broken_symptoms', ` dontaudit $1_sudo_t $3:socket_class_set { read write }; ') + mta_role($2, $1_sudo_t) + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_sudo_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.8.8/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/su.if 2010-07-30 14:06:53.000000000 -0400 @@ -212,7 +212,7 @@ auth_domtrans_chk_passwd($1_su_t) auth_dontaudit_read_shadow($1_su_t) - auth_use_nsswitch($1_su_t) + auth_use_pam($1_su_t) auth_rw_faillog($1_su_t) corecmd_search_bin($1_su_t) @@ -236,6 +236,7 @@ userdom_use_user_terminals($1_su_t) userdom_search_user_home_dirs($1_su_t) + userdom_search_admin_dir($1_su_t) ifdef(`distro_redhat',` # RHEL5 and possibly newer releases incl. Fedora diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.if serefpolicy-3.8.8/policy/modules/admin/tmpreaper.if --- nsaserefpolicy/policy/modules/admin/tmpreaper.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/tmpreaper.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.8.8/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/tmpreaper.te 2010-07-30 14:06:53.000000000 -0400 @@ -25,8 +25,11 @@ files_read_etc_files(tmpreaper_t) files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) +files_delete_usr_dirs(tmpreaper_t) +files_delete_usr_files(tmpreaper_t) # why does it need setattr? files_setattr_all_tmp_dirs(tmpreaper_t) +files_setattr_usr_dirs(tmpreaper_t) files_getattr_all_dirs(tmpreaper_t) files_getattr_all_files(tmpreaper_t) @@ -52,7 +55,9 @@ ') optional_policy(` + apache_delete_sys_content_rw(tmpreaper_t) apache_list_cache(tmpreaper_t) + apache_delete_cache_dirs(tmpreaper_t) apache_delete_cache_files(tmpreaper_t) apache_setattr_cache_dirs(tmpreaper_t) ') @@ -66,6 +71,14 @@ ') optional_policy(` + sandbox_list(tmpreaper_t) + sandbox_delete_dirs(tmpreaper_t) + sandbox_delete_files(tmpreaper_t) + sandbox_delete_sock_files(tmpreaper_t) + sandbox_setattr_dirs(tmpreaper_t) +') + +optional_policy(` rpm_manage_cache(tmpreaper_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/updfstab.if serefpolicy-3.8.8/policy/modules/admin/updfstab.if --- nsaserefpolicy/policy/modules/admin/updfstab.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/updfstab.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usbmodules.if serefpolicy-3.8.8/policy/modules/admin/usbmodules.if --- nsaserefpolicy/policy/modules/admin/usbmodules.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/usbmodules.if 2010-07-30 14:06:53.000000000 -0400 @@ -26,7 +26,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.8.8/policy/modules/admin/usermanage.if --- nsaserefpolicy/policy/modules/admin/usermanage.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/usermanage.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -31,7 +31,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -55,7 +55,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -80,7 +80,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -109,7 +109,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -152,7 +152,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -200,7 +200,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -229,7 +229,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -247,7 +247,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -272,7 +272,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -290,6 +290,9 @@ usermanage_domtrans_useradd($1) role $2 types useradd_t; + # Add/remove user home directories + userdom_manage_home_role($2, useradd_t) + seutil_run_semanage(useradd_t, $2) optional_policy(` @@ -303,7 +306,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.8.8/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/usermanage.te 2010-07-30 14:06:53.000000000 -0400 @@ -295,6 +295,7 @@ term_use_all_ttys(passwd_t) term_use_all_ptys(passwd_t) +term_use_generic_ptys(passwd_t) auth_domtrans_chk_passwd(passwd_t) auth_manage_shadow(passwd_t) @@ -304,6 +305,9 @@ # allow checking if a shell is executable corecmd_check_exec_shell(passwd_t) +corecmd_exec_bin(passwd_t) + +corenet_tcp_connect_kerberos_password_port(passwd_t) domain_use_interactive_fds(passwd_t) @@ -334,6 +338,7 @@ # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) +userdom_stream_connect(passwd_t) optional_policy(` nscd_domtrans(passwd_t) @@ -428,7 +433,7 @@ # Useradd local policy # -allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource }; +allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace }; dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; @@ -500,12 +505,8 @@ userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories -userdom_manage_user_home_dirs(useradd_t) -userdom_home_filetrans_user_home_dir(useradd_t) -userdom_manage_user_home_content_dirs(useradd_t) -userdom_manage_user_home_content_files(useradd_t) userdom_home_filetrans_user_home_dir(useradd_t) -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) +userdom_manage_home_role(system_r, useradd_t) mta_manage_spool(useradd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.8.8/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/vbetool.te 2010-07-30 14:06:53.000000000 -0400 @@ -24,7 +24,10 @@ dev_rw_xserver_misc(vbetool_t) dev_rw_mtrr(vbetool_t) -domain_mmap_low(vbetool_t) +domain_mmap_low_type(vbetool_t) +tunable_policy(`mmap_low_allowed',` + allow vbetool_t self:memprotect mmap_zero; +') mls_file_read_all_levels(vbetool_t) mls_file_write_all_levels(vbetool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.8.8/policy/modules/admin/vpn.te --- nsaserefpolicy/policy/modules/admin/vpn.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/admin/vpn.te 2010-07-30 14:06:53.000000000 -0400 @@ -107,6 +107,7 @@ userdom_use_all_users_fds(vpnc_t) userdom_dontaudit_search_user_home_content(vpnc_t) +userdom_read_home_certs(vpnc_t) optional_policy(` dbus_system_bus_client(vpnc_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.8.8/policy/modules/apps/awstats.te --- nsaserefpolicy/policy/modules/apps/awstats.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/awstats.te 2010-07-30 14:06:53.000000000 -0400 @@ -47,6 +47,7 @@ files_read_etc_files(awstats_t) # e.g. /usr/share/awstats/lang/awstats-en.txt files_read_usr_files(awstats_t) +files_dontaudit_search_all_mountpoints(awstats_t) fs_list_inotifyfs(awstats_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.8.8/policy/modules/apps/chrome.fc --- nsaserefpolicy/policy/modules/apps/chrome.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/chrome.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,3 @@ + /opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) + +/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.8.8/policy/modules/apps/chrome.if --- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/chrome.if 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,90 @@ + +## policy for chrome + +######################################## +## +## Execute a domain transition to run chrome_sandbox. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`chrome_domtrans_sandbox',` + gen_require(` + type chrome_sandbox_t, chrome_sandbox_exec_t; + ') + + domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t) + ps_process_pattern(chrome_sandbox_t, $1) +ifdef(`hide_broken_symptoms', ` + dontaudit chrome_sandbox_t $1:socket_class_set { read write }; + fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t) +') +') + + +######################################## +## +## Execute chrome_sandbox in the chrome_sandbox domain, and +## allow the specified role the chrome_sandbox domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the chrome_sandbox domain. +## +## +# +interface(`chrome_run_sandbox',` + gen_require(` + type chrome_sandbox_t; + ') + + chrome_domtrans_sandbox($1) + role $2 types chrome_sandbox_t; +') + +######################################## +## +## Role access for chrome sandbox +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`chrome_role',` + gen_require(` + type chrome_sandbox_t; + type chrome_sandbox_tmpfs_t; + ') + + role $1 types chrome_sandbox_t; + + chrome_domtrans_sandbox($2) + + ps_process_pattern($2, chrome_sandbox_t) + allow $2 chrome_sandbox_t:process signal_perms; + + allow chrome_sandbox_t $2:unix_dgram_socket { read write }; + allow $2 chrome_sandbox_t:unix_dgram_socket { read write }; + allow chrome_sandbox_t $2:unix_stream_socket { read write }; + allow $2 chrome_sandbox_t:unix_stream_socket { read write }; + + allow $2 chrome_sandbox_t:shm rw_shm_perms; + + allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms; +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.8.8/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/chrome.te 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,86 @@ +policy_module(chrome,1.0.0) + +######################################## +# +# Declarations +# + +type chrome_sandbox_t; +type chrome_sandbox_exec_t; +application_domain(chrome_sandbox_t, chrome_sandbox_exec_t) +role system_r types chrome_sandbox_t; + +type chrome_sandbox_tmp_t; +files_tmp_file(chrome_sandbox_tmp_t) + +type chrome_sandbox_tmpfs_t; +files_tmpfs_file(chrome_sandbox_tmpfs_t) +ubac_constrained(chrome_sandbox_tmpfs_t) + +######################################## +# +# chrome_sandbox local policy +# +allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; +allow chrome_sandbox_t self:fifo_file manage_file_perms; +allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms; +allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto }; +allow chrome_sandbox_t self:shm create_shm_perms; + +manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) +manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) +files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file }) + +manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t) +fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file) + +kernel_read_system_state(chrome_sandbox_t) +kernel_read_kernel_sysctls(chrome_sandbox_t) + +corecmd_exec_bin(chrome_sandbox_t) + +domain_dontaudit_read_all_domains_state(chrome_sandbox_t) + +dev_read_urand(chrome_sandbox_t) +dev_read_sysfs(chrome_sandbox_t) +dev_rwx_zero(chrome_sandbox_t) + +files_read_etc_files(chrome_sandbox_t) +files_read_usr_files(chrome_sandbox_t) + +fs_dontaudit_getattr_all_fs(chrome_sandbox_t) + +userdom_rw_user_tmpfs_files(chrome_sandbox_t) +userdom_use_user_ptys(chrome_sandbox_t) +userdom_write_inherited_user_tmp_files(chrome_sandbox_t) +userdom_read_inherited_user_home_content_files(chrome_sandbox_t) +userdom_dontaudit_use_user_terminals(chrome_sandbox_t) + +miscfiles_read_localization(chrome_sandbox_t) +miscfiles_read_fonts(chrome_sandbox_t) + +optional_policy(` + execmem_exec(chrome_sandbox_t) +') + +optional_policy(` + gnome_rw_inherited_config(chrome_sandbox_t) + gnome_list_home_config(chrome_sandbox_t) +') + +optional_policy(` + xserver_use_user_fonts(chrome_sandbox_t) + xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_append_nfs_files(chrome_sandbox_t) + fs_dontaudit_read_nfs_files(chrome_sandbox_t) + fs_dontaudit_read_nfs_symlinks(chrome_sandbox_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_append_cifs_files(chrome_sandbox_t) + fs_dontaudit_read_cifs_files(chrome_sandbox_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.8.8/policy/modules/apps/cpufreqselector.te --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/cpufreqselector.te 2010-07-30 14:06:53.000000000 -0400 @@ -27,7 +27,7 @@ miscfiles_read_localization(cpufreqselector_t) userdom_read_all_users_state(cpufreqselector_t) -userdom_dontaudit_search_user_home_dirs(cpufreqselector_t) +userdom_dontaudit_search_admin_dir(cpufreqselector_t) optional_policy(` dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.8.8/policy/modules/apps/execmem.fc --- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/execmem.fc 2010-08-13 16:54:24.000000000 -0400 @@ -0,0 +1,48 @@ + +/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/dosbox -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/plasma-desktop -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0) + +ifdef(`distro_gentoo',` +/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +') +/usr/lib(64)?/chromium-browser/chromium-browser gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib64/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/libexec/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib(64)?/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib(64)/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/opt/real/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib/thunderbird-[^/]+/thunderbird-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Application -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.8.8/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/execmem.if 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,110 @@ +## execmem domain + +######################################## +## +## Execute the execmem program in the execmem domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`execmem_exec',` + gen_require(` + type execmem_exec_t; + ') + + can_exec($1, execmem_exec_t) +') + +####################################### +## +## The role template for the execmem module. +## +## +##

+## This template creates a derived domains which are used +## for execmem applications. +##

+## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +template(`execmem_role_template',` + gen_require(` + type execmem_exec_t; + ') + + type $1_execmem_t; + domain_type($1_execmem_t) + domain_entry_file($1_execmem_t, execmem_exec_t) + role $2 types $1_execmem_t; + + userdom_unpriv_usertype($1, $1_execmem_t) + userdom_manage_tmp_role($2, $1_execmem_t) + userdom_manage_tmpfs_role($2, $1_execmem_t) + + allow $1_execmem_t self:process { execmem execstack }; + allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms }; + domtrans_pattern($3, execmem_exec_t, $1_execmem_t) +ifdef(`hide_broken_symptoms', ` + dontaudit $1_execmem_t $3:socket_class_set { read write }; +') + files_execmod_tmp($1_execmem_t) + + optional_policy(` + chrome_role($2, $1_execmem_t) + ') + + optional_policy(` + mozilla_execmod_user_home_files($1_execmem_t) + ') + + optional_policy(` + nsplugin_rw_shm($1_execmem_t) + nsplugin_rw_semaphores($1_execmem_t) + ') + + optional_policy(` + xserver_role($2, $1_execmem_t) + ') +') + +######################################## +## +## Execute a execmem_exec file +## in the specified domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the new process. +## +## +# +interface(`execmem_domtrans',` + gen_require(` + type execmem_exec_t; + ') + + domtrans_pattern($1, execmem_exec_t, $2) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.8.8/policy/modules/apps/execmem.te --- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/execmem.te 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,10 @@ +policy_module(execmem, 1.0.0) + +######################################## +# +# Declarations +# + +type execmem_exec_t alias unconfined_execmem_exec_t; +application_executable_file(execmem_exec_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.8.8/policy/modules/apps/firewallgui.fc --- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/firewallgui.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,3 @@ + +/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.8.8/policy/modules/apps/firewallgui.if --- nsaserefpolicy/policy/modules/apps/firewallgui.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/firewallgui.if 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,23 @@ + +## policy for firewallgui + +######################################## +## +## Send and receive messages from +## firewallgui over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`firewallgui_dbus_chat',` + gen_require(` + type firewallgui_t; + class dbus send_msg; + ') + + allow $1 firewallgui_t:dbus send_msg; + allow firewallgui_t $1:dbus send_msg; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.8.8/policy/modules/apps/firewallgui.te --- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/firewallgui.te 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,66 @@ +policy_module(firewallgui,1.0.0) + +######################################## +# +# Declarations +# + +type firewallgui_t; +type firewallgui_exec_t; +dbus_system_domain(firewallgui_t, firewallgui_exec_t) + +type firewallgui_tmp_t; +files_tmp_file(firewallgui_tmp_t) + +######################################## +# +# firewallgui local policy +# + +allow firewallgui_t self:capability net_admin; + +allow firewallgui_t self:fifo_file rw_fifo_file_perms; + +manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t) +manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t) +files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir }) + +files_manage_system_conf_files(firewallgui_t) +files_etc_filetrans_system_conf(firewallgui_t) + +corecmd_exec_shell(firewallgui_t) +corecmd_exec_bin(firewallgui_t) +consoletype_exec(firewallgui_t) + +kernel_read_system_state(firewallgui_t) +kernel_read_network_state(firewallgui_t) +kernel_rw_net_sysctls(firewallgui_t) +kernel_rw_kernel_sysctl(firewallgui_t) +kernel_rw_vm_sysctls(firewallgui_t) + +files_read_etc_files(firewallgui_t) +files_read_usr_files(firewallgui_t) +files_search_kernel_modules(firewallgui_t) +files_list_kernel_modules(firewallgui_t) + +modutils_getattr_module_deps(firewallgui_t) + +dev_read_urand(firewallgui_t) +dev_read_sysfs(firewallgui_t) + +nscd_dontaudit_search_pid(firewallgui_t) +nscd_socket_use(firewallgui_t) + +miscfiles_read_localization(firewallgui_t) + +iptables_domtrans(firewallgui_t) +iptables_initrc_domtrans(firewallgui_t) + +optional_policy(` + gnome_read_gconf_home_files(firewallgui_t) +') + +optional_policy(` + policykit_dbus_chat(firewallgui_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.8.8/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/gnome.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,8 +1,28 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0) +/HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) + +/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) +/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) +/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) +/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +/root/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0) +/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +# Don't use because toolchain is broken +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) + +/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0) + +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.8.8/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/gnome.if 2010-08-05 09:43:28.000000000 -0400 @@ -74,6 +74,24 @@ ######################################## ## +## Dontaudit search gnome homedir content (.config) +## +## +## +## The type of the user domain. +## +## +# +interface(`gnome_dontaudit_search_config',` + gen_require(` + attribute gnome_home_type; + ') + + dontaudit $1 gnome_home_type:dir search_dir_perms; +') + +######################################## +## ## manage gnome homedir content (.config) ## ## @@ -84,10 +102,426 @@ # interface(`gnome_manage_config',` gen_require(` + attribute gnome_home_type; + ') + + allow $1 gnome_home_type:dir manage_dir_perms; + allow $1 gnome_home_type:file manage_file_perms; + allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; + userdom_search_user_home_dirs($1) +') + +######################################## +## +## Send general signals to all gconf domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_signal_all',` + gen_require(` + attribute gnomedomain; + ') + + allow $1 gnomedomain:process signal; +') + +######################################## +## +## Create objects in a Gnome cache home directory +## with an automatic type transition to +## a specified private type. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to create. +## +## +## +## +## The class of the object to be created. +## +## +# +interface(`gnome_cache_filetrans',` + gen_require(` + type cache_home_t; + ') + + filetrans_pattern($1, cache_home_t, $2, $3) + userdom_search_user_home_dirs($1) +') + +######################################## +## +## Read generic cache home files (.cache) +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_read_generic_cache_files',` + gen_require(` + type cache_home_t; + ') + + read_files_pattern($1, cache_home_t, cache_home_t) + userdom_search_user_home_dirs($1) +') + +######################################## +## +## Set attributes of cache home dir (.cache) +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_setattr_cache_home_dir',` + gen_require(` + type cache_home_t; + ') + + setattr_dirs_pattern($1, cache_home_t, cache_home_t) + userdom_search_user_home_dirs($1) +') + +######################################## +## +## write to generic cache home files (.cache) +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_write_generic_cache_files',` + gen_require(` + type cache_home_t; + ') + + write_files_pattern($1, cache_home_t, cache_home_t) + userdom_search_user_home_dirs($1) +') + +######################################## +## +## read gnome homedir content (.config) +## +## +## +## The type of the user domain. +## +## +# +template(`gnome_read_config',` + gen_require(` + attribute gnome_home_type; + ') + + list_dirs_pattern($1, gnome_home_type, gnome_home_type) + read_files_pattern($1, gnome_home_type, gnome_home_type) + read_lnk_files_pattern($1, gnome_home_type, gnome_home_type) +') + +######################################## +## +## Set attributes of Gnome config dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_setattr_config_dirs',` + gen_require(` type gnome_home_t; ') - allow $1 gnome_home_t:dir manage_dir_perms; - allow $1 gnome_home_t:file manage_file_perms; + setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) + files_search_home($1) +') + +######################################## +## +## Create objects in a Gnome gconf home directory +## with an automatic type transition to +## a specified private type. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to create. +## +## +## +## +## The class of the object to be created. +## +## +# +interface(`gnome_data_filetrans',` + gen_require(` + type data_home_t; + ') + + filetrans_pattern($1, data_home_t, $2, $3) + gnome_search_gconf($1) +') + +######################################## +## +## Create gconf_home_t objects in the /root directory +## +## +## +## Domain allowed access. +## +## +## +## +## The class of the object to be created. +## +## +# +interface(`gnome_admin_home_gconf_filetrans',` + gen_require(` + type gconf_home_t; + ') + + userdom_admin_home_dir_filetrans($1, gconf_home_t, $2) +') + +######################################## +## +## read gconf config files +## +## +## +## The type of the user domain. +## +## +# +template(`gnome_read_gconf_config',` + gen_require(` + type gconf_etc_t; + ') + + allow $1 gconf_etc_t:dir list_dir_perms; + read_files_pattern($1, gconf_etc_t, gconf_etc_t) +') + +####################################### +## +## Manage gconf config files +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_manage_gconf_config',` + gen_require(` + type gconf_etc_t; + ') + + allow $1 gconf_etc_t:dir list_dir_perms; + manage_files_pattern($1, gconf_etc_t, gconf_etc_t) +') + +######################################## +## +## Execute gconf programs in +## in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_exec_gconf',` + gen_require(` + type gconfd_exec_t; + ') + + can_exec($1, gconfd_exec_t) +') + +######################################## +## +## Read gconf home files +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_read_gconf_home_files',` + gen_require(` + type gconf_home_t; + type data_home_t; + ') + + allow $1 gconf_home_t:dir list_dir_perms; + allow $1 data_home_t:dir list_dir_perms; + read_files_pattern($1, gconf_home_t, gconf_home_t) + read_files_pattern($1, data_home_t, data_home_t) +') + +######################################## +## +## search gconf homedir (.local) +## +## +## +## The type of the domain. +## +## +# +interface(`gnome_search_gconf',` + gen_require(` + type gconf_home_t; + ') + + allow $1 gconf_home_t:dir search_dir_perms; userdom_search_user_home_dirs($1) ') + +######################################## +## +## Append gconf home files +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_append_gconf_home_files',` + gen_require(` + type gconf_home_t; + ') + + append_files_pattern($1, gconf_home_t, gconf_home_t) +') + +######################################## +## +## manage gconf home files +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_manage_gconf_home_files',` + gen_require(` + type gconf_home_t; + ') + + allow $1 gconf_home_t:dir list_dir_perms; + manage_files_pattern($1, gconf_home_t, gconf_home_t) +') + +######################################## +## +## Connect to gnome over an unix stream socket. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the user domain. +## +## +# +interface(`gnome_stream_connect',` + gen_require(` + attribute gnome_home_type; + ') + + # Connect to pulseaudit server + stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) +') + +######################################## +## +## read gnome homedir content (.config) +## +## +## +## The type of the user domain. +## +## +# +template(`gnome_list_home_config',` + gen_require(` + type config_home_t; + ') + + allow $1 config_home_t:dir list_dir_perms; +') + +######################################## +## +## Read/Write all inherited gnome home config +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_rw_inherited_config',` + gen_require(` + attribute gnome_home_type; + ') + + allow $1 gnome_home_type:file rw_inherited_file_perms; +') + +######################################## +## +## Send and receive messages from +## gconf system service over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_dbus_chat_gconfdefault',` + gen_require(` + type gconfdefaultsm_t; + class dbus send_msg; + ') + + allow $1 gconfdefaultsm_t:dbus send_msg; + allow gconfdefaultsm_t $1:dbus send_msg; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.8.8/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/gnome.te 2010-07-30 14:06:53.000000000 -0400 @@ -6,18 +6,33 @@ # attribute gnomedomain; +attribute gnome_home_type; type gconf_etc_t; -files_type(gconf_etc_t) +files_config_file(gconf_etc_t) -type gconf_home_t; +type data_home_t, gnome_home_type; +userdom_user_home_content(data_home_t) + +type config_home_t, gnome_home_type; +userdom_user_home_content(config_home_t) + +type cache_home_t, gnome_home_type; +userdom_user_home_content(cache_home_t) + +type gstreamer_home_t, gnome_home_type; +userdom_user_home_content(gstreamer_home_t) + +type gconf_home_t, gnome_home_type; typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; +typealias gconf_home_t alias unconfined_gconf_home_t; userdom_user_home_content(gconf_home_t) type gconf_tmp_t; typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t }; typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t }; +typealias gconf_tmp_t alias unconfined_gconf_tmp_t; files_tmp_file(gconf_tmp_t) ubac_constrained(gconf_tmp_t) @@ -28,11 +43,20 @@ application_domain(gconfd_t, gconfd_exec_t) ubac_constrained(gconfd_t) -type gnome_home_t; +type gnome_home_t, gnome_home_type; typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; +typealias gnome_home_t alias unconfined_gnome_home_t; userdom_user_home_content(gnome_home_t) +type gconfdefaultsm_t; +type gconfdefaultsm_exec_t; +dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t) + +type gnomesystemmm_t; +type gnomesystemmm_exec_t; +dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t) + ############################## # # Local Policy @@ -72,3 +96,91 @@ xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(gconfdefaultsm_t) + fs_manage_nfs_files(gconfdefaultsm_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(gconfdefaultsm_t) + fs_manage_cifs_files(gconfdefaultsm_t) +') + +####################################### +# +# gconf-defaults-mechanisms local policy +# + +allow gconfdefaultsm_t self:capability { dac_override sys_nice sys_ptrace }; +allow gconfdefaultsm_t self:process getsched; +allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms; + +corecmd_search_bin(gconfdefaultsm_t) + +files_read_etc_files(gconfdefaultsm_t) +files_read_usr_files(gconfdefaultsm_t) + +miscfiles_read_localization(gconfdefaultsm_t) + +gnome_manage_gconf_home_files(gconfdefaultsm_t) +gnome_manage_gconf_config(gconfdefaultsm_t) + +userdom_read_all_users_state(gconfdefaultsm_t) +userdom_search_user_home_dirs(gconfdefaultsm_t) + +userdom_dontaudit_search_admin_dir(gconfdefaultsm_t) + +optional_policy(` + consolekit_dbus_chat(gconfdefaultsm_t) +') + +optional_policy(` + nscd_dontaudit_search_pid(gconfdefaultsm_t) +') + +optional_policy(` + policykit_domtrans_auth(gconfdefaultsm_t) + policykit_dbus_chat(gconfdefaultsm_t) + policykit_read_lib(gconfdefaultsm_t) + policykit_read_reload(gconfdefaultsm_t) +') + +####################################### +# +# gnome-system-monitor-mechanisms local policy +# + +allow gnomesystemmm_t self:capability { sys_nice sys_ptrace }; +allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms; + +corecmd_search_bin(gnomesystemmm_t) + +domain_kill_all_domains(gnomesystemmm_t) +domain_search_all_domains_state(gnomesystemmm_t) +domain_setpriority_all_domains(gnomesystemmm_t) +domain_signal_all_domains(gnomesystemmm_t) +domain_sigstop_all_domains(gnomesystemmm_t) + +files_read_etc_files(gnomesystemmm_t) +files_read_usr_files(gnomesystemmm_t) + +miscfiles_read_localization(gnomesystemmm_t) + +userdom_read_all_users_state(gnomesystemmm_t) +userdom_dontaudit_search_admin_dir(gnomesystemmm_t) + +optional_policy(` + consolekit_dbus_chat(gnomesystemmm_t) +') + +optional_policy(` + nscd_dontaudit_search_pid(gnomesystemmm_t) +') + +optional_policy(` + policykit_dbus_chat(gnomesystemmm_t) + policykit_domtrans_auth(gnomesystemmm_t) + policykit_read_lib(gnomesystemmm_t) + policykit_read_reload(gnomesystemmm_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.8.8/policy/modules/apps/gpg.fc --- nsaserefpolicy/policy/modules/apps/gpg.fc 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/gpg.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,4 +1,5 @@ HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) +/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.8.8/policy/modules/apps/gpg.if --- nsaserefpolicy/policy/modules/apps/gpg.if 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/gpg.if 2010-07-30 14:06:53.000000000 -0400 @@ -85,6 +85,43 @@ domtrans_pattern($1, gpg_exec_t, gpg_t) ') +###################################### +## +## Transition to a gpg web domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`gpg_domtrans_web',` + gen_require(` + type gpg_web_t, gpg_exec_t; + ') + + domtrans_pattern($1, gpg_exec_t, gpg_web_t) +') + +###################################### +## +## Make gpg an entrypoint for +## the specified domain. +## +## +## +## The domain for which cifs_t is an entrypoint. +## +## +# +interface(`gpg_entry_type',` + gen_require(` + type gpg_exec_t; + ') + + domain_entry_file($1, gpg_exec_t) +') + ######################################## ## ## Send generic signals to user gpg processes. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.8.8/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/gpg.te 2010-07-30 14:06:53.000000000 -0400 @@ -4,6 +4,7 @@ # # Declarations # +attribute gpgdomain; ## ##

@@ -13,7 +14,15 @@ ## gen_tunable(gpg_agent_env_file, false) -type gpg_t; +## +##

+## Allow gpg web domain to modify public files +## used for public file transfer services. +##

+## +gen_tunable(gpg_web_anon_write, false) + +type gpg_t, gpgdomain; type gpg_exec_t; typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t }; typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t }; @@ -62,17 +71,23 @@ files_tmpfs_file(gpg_pinentry_tmpfs_t) ubac_constrained(gpg_pinentry_tmpfs_t) +type gpg_web_t; +domain_type(gpg_web_t) +gpg_entry_type(gpg_web_t) +role system_r types gpg_web_t; + ######################################## # # GPG local policy # -allow gpg_t self:capability { ipc_lock setuid }; -# setrlimit is for ulimit -c 0 -allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid }; +allow gpgdomain self:capability { ipc_lock setuid }; +allow gpgdomain self:process { getsched setsched }; +#at setrlimit is for ulimit -c 0 +allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid }; -allow gpg_t self:fifo_file rw_fifo_file_perms; -allow gpg_t self:tcp_socket create_stream_socket_perms; +allow gpgdomain self:fifo_file rw_fifo_file_perms; +allow gpgdomain self:tcp_socket create_stream_socket_perms; manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) @@ -128,6 +143,7 @@ userdom_manage_user_tmp_files(gpg_t) userdom_manage_user_home_content_files(gpg_t) userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) +userdom_stream_connect(gpg_t) mta_write_config(gpg_t) @@ -151,10 +167,10 @@ xserver_rw_xdm_pipes(gpg_t) ') -optional_policy(` - cron_system_entry(gpg_t, gpg_exec_t) - cron_read_system_job_tmp_files(gpg_t) -') +#optional_policy(` +# cron_system_entry(gpg_t, gpg_exec_t) +# cron_read_system_job_tmp_files(gpg_t) +#') ######################################## # @@ -205,6 +221,7 @@ # # GPG agent local policy # +domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) # rlimit: gpg-agent wants to prevent coredumps allow gpg_agent_t self:process setrlimit; @@ -245,6 +262,7 @@ ifdef(`hide_broken_symptoms',` userdom_dontaudit_read_user_tmp_files(gpg_agent_t) + userdom_dontaudit_write_user_tmp_files(gpg_agent_t) ') tunable_policy(`gpg_agent_env_file',` @@ -332,6 +350,9 @@ # for .Xauthority userdom_read_user_home_content_files(gpg_pinentry_t) userdom_read_user_tmpfs_files(gpg_pinentry_t) +# Bug: user pulseaudio files need open,read and unlink: +allow gpg_pinentry_t user_tmpfs_t:file unlink; +userdom_signull_unpriv_users(gpg_pinentry_t) tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(gpg_pinentry_t) @@ -347,6 +368,12 @@ ') optional_policy(` + gnome_write_generic_cache_files(gpg_pinentry_t) + gnome_read_generic_cache_files(gpg_pinentry_t) + gnome_read_gconf_home_files(gpg_pinentry_t) +') + +optional_policy(` pulseaudio_exec(gpg_pinentry_t) pulseaudio_rw_home_files(gpg_pinentry_t) pulseaudio_setattr_home_dir(gpg_pinentry_t) @@ -356,4 +383,25 @@ optional_policy(` xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) + +') + +############################# +# +# gpg web local policy +# + +allow gpg_web_t self:process setrlimit; + +can_exec(gpg_web_t, gpg_exec_t) + +files_read_usr_files(gpg_web_t) + +miscfiles_read_localization(gpg_web_t) + +apache_dontaudit_rw_tmp_files(gpg_web_t) +apache_manage_sys_content_rw(gpg_web_t) + +tunable_policy(`gpg_web_anon_write',` + miscfiles_manage_public_files(gpg_web_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.8.8/policy/modules/apps/irc.fc --- nsaserefpolicy/policy/modules/apps/irc.fc 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/irc.fc 2010-07-30 14:06:53.000000000 -0400 @@ -2,10 +2,14 @@ # /home # HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) +HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irssi_home_t,s0) + +/etc/irssi\.conf -- gen_context(system_u:object_r:irssi_etc_t,s0) # # /usr # /usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0) /usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0) +/usr/bin/irssi -- gen_context(system_u:object_r:irssi_exec_t,s0) /usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if serefpolicy-3.8.8/policy/modules/apps/irc.if --- nsaserefpolicy/policy/modules/apps/irc.if 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/irc.if 2010-07-30 14:06:53.000000000 -0400 @@ -18,9 +18,11 @@ interface(`irc_role',` gen_require(` type irc_t, irc_exec_t; + type irssi_t, irssi_exec_t, irssi_home_t; ') role $1 types irc_t; + role $1 types irssi_t; # Transition from the user domain to the derived domain. domtrans_pattern($2, irc_exec_t, irc_t) @@ -28,4 +30,17 @@ # allow ps to show irc ps_process_pattern($2, irc_t) allow $2 irc_t:process signal; + + domtrans_pattern($2, irssi_exec_t, irssi_t) + + allow $2 irssi_t:process { ptrace signal_perms }; + ps_process_pattern($2, irssi_t) + + manage_dirs_pattern($2, irssi_home_t, irssi_home_t) + manage_files_pattern($2, irssi_home_t, irssi_home_t) + manage_lnk_files_pattern($2, irssi_home_t, irssi_home_t) + + relabel_dirs_pattern($2, irssi_home_t, irssi_home_t) + relabel_files_pattern($2, irssi_home_t, irssi_home_t) + relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te serefpolicy-3.8.8/policy/modules/apps/irc.te --- nsaserefpolicy/policy/modules/apps/irc.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/irc.te 2010-07-30 14:06:53.000000000 -0400 @@ -24,6 +24,30 @@ ######################################## # +# Irssi personal declarations. +# + +## +##

+## Allow the Irssi IRC Client to connect to any port, +## and to bind to any unreserved port. +##

+## +gen_tunable(irssi_use_full_network, false) + +type irssi_t; +type irssi_exec_t; +application_domain(irssi_t, irssi_exec_t) +ubac_constrained(irssi_t) + +type irssi_etc_t; +files_config_file(irssi_etc_t) + +type irssi_home_t; +userdom_user_home_content(irssi_home_t) + +######################################## +# # Local policy # @@ -101,3 +125,83 @@ optional_policy(` nis_use_ypbind(irc_t) ') + +######################################## +# +# Irssi personal declarations. +# + +allow irssi_t self:process { signal sigkill }; +allow irssi_t self:fifo_file rw_fifo_file_perms; +allow irssi_t self:netlink_route_socket create_netlink_socket_perms; +allow irssi_t self:tcp_socket create_stream_socket_perms; +allow irssi_t self:udp_socket create_socket_perms; + +read_files_pattern(irssi_t, irssi_etc_t, irssi_etc_t) + +manage_dirs_pattern(irssi_t, irssi_home_t, irssi_home_t) +manage_files_pattern(irssi_t, irssi_home_t, irssi_home_t) +manage_lnk_files_pattern(irssi_t, irssi_home_t, irssi_home_t) +userdom_user_home_dir_filetrans(irssi_t, irssi_home_t, { dir file lnk_file }) +userdom_search_user_home_dirs(irssi_t) + +corecmd_search_bin(irssi_t) +corecmd_read_bin_symlinks(irssi_t) + +corenet_tcp_connect_ircd_port(irssi_t) +corenet_sendrecv_ircd_client_packets(irssi_t) + +# Privoxy +corenet_tcp_connect_http_cache_port(irssi_t) +corenet_sendrecv_http_cache_client_packets(irssi_t) + +corenet_all_recvfrom_netlabel(irssi_t) +corenet_all_recvfrom_unlabeled(irssi_t) +corenet_tcp_sendrecv_generic_if(irssi_t) +corenet_tcp_sendrecv_generic_node(irssi_t) +corenet_tcp_sendrecv_generic_port(irssi_t) +corenet_tcp_bind_generic_node(irssi_t) +corenet_udp_bind_generic_node(irssi_t) + +dev_read_urand(irssi_t) +# irssi-otr genkey. +dev_read_rand(irssi_t) + +files_read_etc_files(irssi_t) +files_read_usr_files(irssi_t) + +fs_search_auto_mountpoints(irssi_t) + +miscfiles_read_localization(irssi_t) + +sysnet_read_config(irssi_t) + +userdom_use_user_terminals(irssi_t) + +tunable_policy(`irssi_use_full_network', ` + corenet_tcp_bind_all_unreserved_ports(irssi_t) + corenet_tcp_connect_all_ports(irssi_t) + corenet_sendrecv_generic_server_packets(irssi_t) + corenet_sendrecv_all_client_packets(irssi_t) +') + +tunable_policy(`use_nfs_home_dirs', ` + fs_manage_nfs_dirs(irssi_t) + fs_manage_nfs_files(irssi_t) + fs_manage_nfs_symlinks(irssi_t) +') + +tunable_policy(`use_samba_home_dirs', ` + fs_manage_cifs_dirs(irssi_t) + fs_manage_cifs_files(irssi_t) + fs_manage_cifs_symlinks(irssi_t) +') + +optional_policy(` + automount_dontaudit_getattr_tmp_dirs(irssi_t) +') + +optional_policy(` + nis_use_ypbind(irssi_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.8.8/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/java.fc 2010-07-30 14:06:53.000000000 -0400 @@ -9,6 +9,7 @@ # # /usr # +/usr/Aptana[^/]*/AptanaStudio -- gen_context(system_u:object_r:java_exec_t,s0) /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) @@ -33,6 +34,9 @@ /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) +/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) +/opt/ibm(/.*)?/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + ifdef(`distro_redhat',` /usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.8.8/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/java.if 2010-07-30 14:06:53.000000000 -0400 @@ -72,7 +72,8 @@ domain_interactive_fd($1_java_t) - userdom_manage_user_tmpfs_files($1_java_t) + userdom_unpriv_usertype($1, $1_java_t) + userdom_manage_tmpfs_role($2, $1_java_t) allow $1_java_t self:process { ptrace signal getsched execmem execstack }; @@ -82,7 +83,7 @@ domtrans_pattern($3, java_exec_t, $1_java_t) - corecmd_bin_domtrans($1_java_t, $3) + corecmd_bin_domtrans($1_java_t, $1_t) dev_dontaudit_append_rand($1_java_t) @@ -120,7 +121,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -179,6 +180,7 @@ java_domtrans_unconfined($1) role $2 types unconfined_java_t; + nsplugin_role_notrans($2, unconfined_java_t) ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.8.8/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/java.te 2010-08-13 15:48:49.000000000 -0400 @@ -82,12 +82,12 @@ dev_read_rand(java_t) dev_dontaudit_append_rand(java_t) +files_read_etc_files(java_t) files_read_usr_files(java_t) files_search_home(java_t) files_search_var_lib(java_t) files_read_etc_runtime_files(java_t) # Read global fonts and font config -files_read_etc_files(java_t) fs_getattr_xattr_fs(java_t) fs_dontaudit_rw_tmpfs_files(java_t) @@ -143,12 +143,15 @@ # execheap is needed for itanium/BEA jrocket allow unconfined_java_t self:process { execstack execmem execheap }; + init_dbus_chat_script(unconfined_java_t) + files_execmod_all_files(unconfined_java_t) init_dbus_chat_script(unconfined_java_t) unconfined_domain_noaudit(unconfined_java_t) unconfined_dbus_chat(unconfined_java_t) + userdom_unpriv_usertype(unconfined, unconfined_java_t) optional_policy(` rpm_domtrans(unconfined_java_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.8.8/policy/modules/apps/kdumpgui.fc --- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,2 @@ + +/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.8.8/policy/modules/apps/kdumpgui.if --- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.if 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,2 @@ +## system-config-kdump policy + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te --- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te 2010-08-11 08:49:51.000000000 -0400 @@ -0,0 +1,69 @@ +policy_module(kdumpgui,1.0.0) + +######################################## +# +# Declarations +# + +type kdumpgui_t; +type kdumpgui_exec_t; + +dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) + +###################################### +# +# system-config-kdump local policy +# + +allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio }; +allow kdumpgui_t self:fifo_file rw_fifo_file_perms; + +allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms; + +kdump_manage_config(kdumpgui_t) +kdump_initrc_domtrans(kdumpgui_t) + +corecmd_exec_bin(kdumpgui_t) +corecmd_exec_shell(kdumpgui_t) +consoletype_exec(kdumpgui_t) + +kernel_read_system_state(kdumpgui_t) +kernel_read_network_state(kdumpgui_t) + +storage_raw_read_fixed_disk(kdumpgui_t) +storage_raw_write_fixed_disk(kdumpgui_t) + +dev_dontaudit_getattr_all_chr_files(kdumpgui_t) +dev_read_sysfs(kdumpgui_t) + +# for blkid.tab +files_manage_etc_runtime_files(kdumpgui_t) +files_etc_filetrans_etc_runtime(kdumpgui_t, file) + +files_manage_boot_files(kdumpgui_t) +files_manage_boot_symlinks(kdumpgui_t) +# Needed for running chkconfig +files_manage_etc_symlinks(kdumpgui_t) +files_read_usr_files(kdumpgui_t) + +auth_use_nsswitch(kdumpgui_t) + +logging_send_syslog_msg(kdumpgui_t) + +miscfiles_read_localization(kdumpgui_t) + +init_dontaudit_read_all_script_files(kdumpgui_t) + +userdom_dontaudit_search_admin_dir(kdumpgui_t) + +optional_policy(` + dev_rw_lvm_control(kdumpgui_t) +') + +optional_policy(` + gnome_dontaudit_search_config(kdumpgui_t) +') + +optional_policy(` + policykit_dbus_chat(kdumpgui_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.8.8/policy/modules/apps/livecd.if --- nsaserefpolicy/policy/modules/apps/livecd.if 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/livecd.if 2010-08-12 08:05:10.000000000 -0400 @@ -41,6 +41,8 @@ livecd_domtrans($1) role $2 types livecd_t; + + seutil_run_setfiles_mac(livecd_t, $2) optional_policy(` mount_run(livecd_t, $2) @@ -49,6 +51,24 @@ ######################################## ## +## Dontaudit read/write to a livecd leaks +## +## +## +## Domain allowed access. +## +## +# +interface(`livecd_dontaudit_leaks',` + gen_require(` + type livecd_t; + ') + + dontaudit $1 livecd_t:unix_dgram_socket { read write }; +') + +######################################## +## ## Read livecd temporary files. ## ## @@ -82,7 +102,7 @@ ') files_search_tmp($1) - allow $1 livecd_tmp_t:file rw_file_perms; + rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t) ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.8.8/policy/modules/apps/livecd.te --- nsaserefpolicy/policy/modules/apps/livecd.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/livecd.te 2010-07-30 14:06:53.000000000 -0400 @@ -20,6 +20,7 @@ dontaudit livecd_t self:capability2 mac_admin; +unconfined_domain_noaudit(livecd_t) domain_ptrace_all_domains(livecd_t) manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) @@ -27,9 +28,6 @@ files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file }) optional_policy(` - unconfined_domain(livecd_t) -') - -optional_policy(` hal_dbus_chat(livecd_t) ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.8.8/policy/modules/apps/loadkeys.if --- nsaserefpolicy/policy/modules/apps/loadkeys.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/loadkeys.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -29,7 +29,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -54,7 +54,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.8.8/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/mono.if 2010-07-30 14:06:53.000000000 -0400 @@ -41,15 +41,18 @@ application_type($1_mono_t) allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack }; - allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; + userdom_unpriv_usertype($1, $1_mono_t) + userdom_manage_tmpfs_role($2, $1_mono_t) + domtrans_pattern($3, mono_exec_t, $1_mono_t) fs_dontaudit_rw_tmpfs_files($1_mono_t) corecmd_bin_domtrans($1_mono_t, $1_t) - - userdom_manage_user_tmpfs_files($1_mono_t) + ifdef(`hide_broken_symptoms', ` + dontaudit $1_t $1_mono_t:socket_class_set { read write }; + ') optional_policy(` xserver_role($1_r, $1_mono_t) @@ -82,7 +85,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -125,7 +128,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.8.8/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/mozilla.fc 2010-08-19 06:50:14.000000000 -0400 @@ -1,6 +1,7 @@ HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -27,3 +28,4 @@ /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib(64)?/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.8.8/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/mozilla.if 2010-08-19 06:49:11.000000000 -0400 @@ -29,6 +29,8 @@ allow mozilla_t $2:process { sigchld signull }; allow mozilla_t $2:unix_stream_socket connectto; + mozilla_plugin_run(mozilla_t, $2) + # Allow the user domain to signal/ps. ps_process_pattern($2, mozilla_t) allow $2 mozilla_t:process signal_perms; @@ -48,6 +50,12 @@ mozilla_dbus_chat($2) + userdom_manage_tmp_role($1, mozilla_t) + + optional_policy(` + nsplugin_role($1, mozilla_t) + ') + optional_policy(` pulseaudio_role($1, mozilla_t) ') @@ -108,7 +116,7 @@ type mozilla_home_t; ') - dontaudit $1 mozilla_home_t:file rw_file_perms; + dontaudit $1 mozilla_home_t:file rw_inherited_file_perms; ') ######################################## @@ -168,6 +176,50 @@ ######################################## ## +## Execute a domain transition to run mozilla_plugin. +## +## +## +## Domain allowed access. +## +## +# +interface(`mozilla_domtrans_plugin',` + gen_require(` + type mozilla_plugin_t, mozilla_plugin_exec_t; + ') + + domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t) +') + + +######################################## +## +## Execute mozilla_plugin in the mozilla_plugin domain, and +## allow the specified role the mozilla_plugin domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the mozilla_plugin domain. +## +## +# +interface(`mozilla_run_plugin',` + gen_require(` + type mozilla_plugin_t; + ') + + mozilla_domtrans_plugin($1) + role $2 types mozilla_plugin_t; +') + +######################################## +## ## Send and receive messages from ## mozilla over dbus. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.8.8/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/mozilla.te 2010-08-19 06:47:05.000000000 -0400 @@ -25,6 +25,7 @@ type mozilla_home_t; typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; +files_poly_member(mozilla_home_t) userdom_user_home_content(mozilla_home_t) type mozilla_tmpfs_t; @@ -33,6 +34,13 @@ files_tmpfs_file(mozilla_tmpfs_t) ubac_constrained(mozilla_tmpfs_t) +type mozilla_plugin_t; +type mozilla_plugin_exec_t; +application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) +role system_r types mozilla_plugin_t; + +permissive mozilla_plugin_t; + ######################################## # # Local policy @@ -89,6 +97,7 @@ corenet_raw_sendrecv_generic_node(mozilla_t) corenet_tcp_sendrecv_http_port(mozilla_t) corenet_tcp_sendrecv_http_cache_port(mozilla_t) +corenet_tcp_connect_flash_port(mozilla_t) corenet_tcp_sendrecv_ftp_port(mozilla_t) corenet_tcp_sendrecv_ipp_port(mozilla_t) corenet_tcp_connect_http_port(mozilla_t) @@ -238,6 +247,7 @@ optional_policy(` gnome_stream_connect_gconf(mozilla_t) gnome_manage_config(mozilla_t) + gnome_manage_gconf_home_files(mozilla_t) ') optional_policy(` @@ -258,6 +268,11 @@ ') optional_policy(` + nsplugin_manage_rw(mozilla_t) + nsplugin_manage_home_files(mozilla_t) +') + +optional_policy(` pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) @@ -266,3 +281,17 @@ optional_policy(` thunderbird_domtrans(mozilla_t) ') + +######################################## +# +# mozilla_plugin local policy +# + +allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; +allow mozilla_plugin_t self:unix_stream_socket create_stream_socket_perms; + +domain_use_interactive_fds(mozilla_plugin_t) + +files_read_etc_files(mozilla_plugin_t) + +miscfiles_read_localization(mozilla_plugin_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.8.8/policy/modules/apps/mplayer.if --- nsaserefpolicy/policy/modules/apps/mplayer.if 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/mplayer.if 2010-07-30 14:06:53.000000000 -0400 @@ -102,3 +102,39 @@ read_files_pattern($1, mplayer_home_t, mplayer_home_t) userdom_search_user_home_dirs($1) ') + +######################################## +## +## Execute mplayer_exec_t +## in the specified domain. +## +## +##

+## Execute a mplayer_exec_t +## in the specified domain. +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+## +## +## +## Domain allowed access. +## +## +## +## +## The type of the new process. +## +## +# +interface(`mplayer_exec_domtrans',` + gen_require(` + type mplayer_exec_t; + ') + + allow $2 mplayer_exec_t:file entrypoint; + domtrans_pattern($1, mplayer_exec_t, $2) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.8.8/policy/modules/apps/mplayer.te --- nsaserefpolicy/policy/modules/apps/mplayer.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/mplayer.te 2010-07-30 14:06:53.000000000 -0400 @@ -32,6 +32,7 @@ type mplayer_home_t; typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t }; typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t }; +files_poly_member(mplayer_home_t) userdom_user_home_content(mplayer_home_t) type mplayer_tmpfs_t; @@ -159,6 +160,7 @@ manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir) +userdom_search_user_home_dirs(mplayer_t) manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) @@ -222,6 +224,8 @@ fs_search_auto_mountpoints(mplayer_t) fs_list_inotifyfs(mplayer_t) +logging_send_syslog_msg(mplayer_t) + miscfiles_read_localization(mplayer_t) miscfiles_read_fonts(mplayer_t) @@ -302,6 +306,10 @@ ') optional_policy(` + gnome_setattr_config_dirs(mplayer_t) +') + +optional_policy(` nscd_socket_use(mplayer_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.8.8/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,10 @@ +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) + +/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/bin/nspluginviewer -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.8.8/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.if 2010-08-10 07:28:28.000000000 -0400 @@ -0,0 +1,391 @@ + +## policy for nsplugin + +######################################## +## +## Create, read, write, and delete +## nsplugin rw files. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_manage_rw_files',` + gen_require(` + type nsplugin_rw_t; + ') + + allow $1 nsplugin_rw_t:file manage_file_perms; + allow $1 nsplugin_rw_t:dir rw_dir_perms; +') + +######################################## +## +## Manage nsplugin rw files. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_manage_rw',` + gen_require(` + type nsplugin_rw_t; + ') + + manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t) + manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) + manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) +') + +####################################### +## +## The per role template for the nsplugin module. +## +## +##

+## This template creates a derived domains which are used +## for nsplugin web browser. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# +interface(`nsplugin_role_notrans',` + gen_require(` + type nsplugin_rw_t; + type nsplugin_home_t; + type nsplugin_exec_t; + type nsplugin_config_exec_t; + type nsplugin_t; + type nsplugin_config_t; + class x_drawable all_x_drawable_perms; + class x_resource all_x_resource_perms; + class dbus send_msg; + ') + + role $1 types nsplugin_t; + role $1 types nsplugin_config_t; + + allow nsplugin_t $2:process signull; + allow nsplugin_t $2:dbus send_msg; + allow $2 nsplugin_t:dbus send_msg; + + list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t) + read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) + read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) + can_exec($2, nsplugin_rw_t) + + #Leaked File Descriptors +ifdef(`hide_broken_symptoms', ` + dontaudit nsplugin_t $2:socket_class_set { read write }; + dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms; + dontaudit nsplugin_config_t $2:socket_class_set { read write }; + dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms; +') + allow nsplugin_t $2:unix_stream_socket connectto; + dontaudit nsplugin_t $2:process ptrace; + allow nsplugin_t $2:sem rw_sem_perms; + allow nsplugin_t $2:shm rw_shm_perms; + dontaudit nsplugin_t $2:shm destroy; + allow $2 nsplugin_t:sem rw_sem_perms; + + allow $2 nsplugin_t:process { getattr ptrace signal_perms }; + allow $2 nsplugin_t:unix_stream_socket connectto; + + # Connect to pulseaudit server + stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2) + gnome_stream_connect(nsplugin_t, $2) + + userdom_use_user_terminals(nsplugin_t) + userdom_use_user_terminals(nsplugin_config_t) + userdom_dontaudit_setattr_user_home_content_files(nsplugin_t) + userdom_manage_tmpfs_role($1, nsplugin_t) + + optional_policy(` + pulseaudio_role($1, nsplugin_t) + ') +') + +####################################### +## +## Role access for nsplugin +## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +interface(`nsplugin_role',` + gen_require(` + type nsplugin_exec_t; + type nsplugin_config_exec_t; + type nsplugin_t; + type nsplugin_config_t; + ') + + nsplugin_role_notrans($1, $2) + + domtrans_pattern($2, nsplugin_exec_t, nsplugin_t) + domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t) + +') + +####################################### +## +## The per role template for the nsplugin module. +## +## +## +## The type of the user domain. +## +## +# +interface(`nsplugin_domtrans',` + gen_require(` + type nsplugin_exec_t; + type nsplugin_t; + ') + + domtrans_pattern($1, nsplugin_exec_t, nsplugin_t) + allow $1 nsplugin_t:unix_stream_socket connectto; + allow nsplugin_t $1:process signal; +') +####################################### +## +## The per role template for the nsplugin module. +## +## +## +## The type of the user domain. +## +## +# +interface(`nsplugin_domtrans_config',` + gen_require(` + type nsplugin_config_exec_t; + type nsplugin_config_t; + ') + + domtrans_pattern($1, nsplugin_config_exec_t, nsplugin_config_t) +') + +######################################## +## +## Search nsplugin rw directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_search_rw_dir',` + gen_require(` + type nsplugin_rw_t; + ') + + allow $1 nsplugin_rw_t:dir search_dir_perms; +') + +######################################## +## +## Read nsplugin rw files. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_read_rw_files',` + gen_require(` + type nsplugin_rw_t; + ') + + list_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t) + read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) + read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) +') + +######################################## +## +## Read nsplugin home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_read_home',` + gen_require(` + type nsplugin_home_t; + ') + + list_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t) + read_files_pattern($1, nsplugin_home_t, nsplugin_home_t) + read_lnk_files_pattern($1, nsplugin_home_t, nsplugin_home_t) +') + +######################################## +## +## Exec nsplugin rw files. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_rw_exec',` + gen_require(` + type nsplugin_rw_t; + ') + + can_exec($1, nsplugin_rw_t) +') + +######################################## +## +## Create, read, write, and delete +## nsplugin home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_manage_home_files',` + gen_require(` + type nsplugin_home_t; + ') + + manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t) +') + +######################################## +## +## Allow attempts to read and write to +## nsplugin named pipes. +## +## +## +## Domain to not audit. +## +## +# +interface(`nsplugin_rw_pipes',` + gen_require(` + type nsplugin_home_t; + ') + + allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## +## Read and write to nsplugin shared memory. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_rw_shm',` + gen_require(` + type nsplugin_t; + ') + + allow $1 nsplugin_t:shm rw_shm_perms; +') + +##################################### +## +## Allow read and write access to nsplugin semaphores. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_rw_semaphores',` + gen_require(` + type nsplugin_t; + ') + + allow $1 nsplugin_t:sem rw_sem_perms; +') + +######################################## +## +## Execute nsplugin_exec_t +## in the specified domain. +## +## +##

+## Execute a nsplugin_exec_t +## in the specified domain. +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+## +## +## +## Domain allowed access. +## +## +## +## +## The type of the new process. +## +## +# +interface(`nsplugin_exec_domtrans',` + gen_require(` + type nsplugin_exec_t; + ') + + allow $2 nsplugin_exec_t:file entrypoint; + domtrans_pattern($1, nsplugin_exec_t, $2) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.8.8/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te 2010-08-13 15:48:58.000000000 -0400 @@ -0,0 +1,301 @@ +policy_module(nsplugin, 1.0.0) + +######################################## +# +# Declarations +# + +## +##

+## Allow nsplugin code to execmem/execstack +##

+## +gen_tunable(allow_nsplugin_execmem, false) + +## +##

+## Allow nsplugin code to connect to unreserved ports +##

+## +gen_tunable(nsplugin_can_network, true) + +type nsplugin_exec_t; +application_executable_file(nsplugin_exec_t) + +type nsplugin_config_exec_t; +application_executable_file(nsplugin_config_exec_t) + +type nsplugin_rw_t; +files_poly_member(nsplugin_rw_t) +files_type(nsplugin_rw_t) + +type nsplugin_tmp_t; +files_tmp_file(nsplugin_tmp_t) + +type nsplugin_home_t; +files_poly_member(nsplugin_home_t) +userdom_user_home_content(nsplugin_home_t) +typealias nsplugin_home_t alias user_nsplugin_home_t; + +type nsplugin_t; +domain_type(nsplugin_t) +domain_entry_file(nsplugin_t, nsplugin_exec_t) + +type nsplugin_config_t; +domain_type(nsplugin_config_t) +domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t) + +application_executable_file(nsplugin_exec_t) +application_executable_file(nsplugin_config_exec_t) + + +######################################## +# +# nsplugin local policy +# +dontaudit nsplugin_t self:capability { sys_nice sys_tty_config }; +allow nsplugin_t self:fifo_file rw_file_perms; +allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms }; + +allow nsplugin_t self:sem create_sem_perms; +allow nsplugin_t self:shm create_shm_perms; +allow nsplugin_t self:msgq create_msgq_perms; +allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow nsplugin_t self:unix_dgram_socket create_socket_perms; +allow nsplugin_t nsplugin_rw_t:dir search_dir_perms; + +tunable_policy(`allow_nsplugin_execmem',` + allow nsplugin_t self:process { execstack execmem }; + allow nsplugin_config_t self:process { execstack execmem }; +') + +tunable_policy(`nsplugin_can_network',` + corenet_tcp_connect_all_unreserved_ports(nsplugin_t) +') + +manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +userdom_user_home_dir_filetrans(nsplugin_t, nsplugin_home_t, {file dir}) +userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir}) +userdom_dontaudit_getattr_user_home_content(nsplugin_t) +userdom_dontaudit_search_user_bin_dirs(nsplugin_t) +userdom_dontaudit_write_user_home_content_files(nsplugin_t) +userdom_dontaudit_search_admin_dir(nsplugin_t) + +corecmd_exec_bin(nsplugin_t) +corecmd_exec_shell(nsplugin_t) + +corenet_all_recvfrom_unlabeled(nsplugin_t) +corenet_all_recvfrom_netlabel(nsplugin_t) +corenet_tcp_connect_flash_port(nsplugin_t) +corenet_tcp_connect_streaming_port(nsplugin_t) +corenet_tcp_connect_pulseaudio_port(nsplugin_t) +corenet_tcp_connect_http_port(nsplugin_t) +corenet_tcp_connect_http_cache_port(nsplugin_t) +corenet_tcp_sendrecv_generic_if(nsplugin_t) +corenet_tcp_sendrecv_generic_node(nsplugin_t) +corenet_tcp_connect_ipp_port(nsplugin_t) +corenet_tcp_connect_speech_port(nsplugin_t) + +domain_dontaudit_read_all_domains_state(nsplugin_t) + +dev_read_rand(nsplugin_t) +dev_read_sound(nsplugin_t) +dev_write_sound(nsplugin_t) +dev_read_video_dev(nsplugin_t) +dev_write_video_dev(nsplugin_t) +dev_getattr_dri_dev(nsplugin_t) +dev_rwx_zero(nsplugin_t) +dev_search_sysfs(nsplugin_t) + +kernel_read_kernel_sysctls(nsplugin_t) +kernel_read_system_state(nsplugin_t) + +files_dontaudit_getattr_lost_found_dirs(nsplugin_t) +files_dontaudit_list_home(nsplugin_t) +files_read_etc_files(nsplugin_t) +files_read_usr_files(nsplugin_t) +files_read_config_files(nsplugin_t) + +fs_getattr_tmpfs(nsplugin_t) +fs_getattr_xattr_fs(nsplugin_t) +fs_search_auto_mountpoints(nsplugin_t) +fs_rw_anon_inodefs_files(nsplugin_t) +fs_list_inotifyfs(nsplugin_t) + +storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t) + +term_dontaudit_getattr_all_ptys(nsplugin_t) +term_dontaudit_getattr_all_ttys(nsplugin_t) + +auth_use_nsswitch(nsplugin_t) + +libs_exec_ld_so(nsplugin_t) + +miscfiles_read_localization(nsplugin_t) +miscfiles_read_fonts(nsplugin_t) +miscfiles_dontaudit_write_fonts(nsplugin_t) +miscfiles_setattr_fonts_cache_dirs(nsplugin_t) + +userdom_manage_user_tmp_dirs(nsplugin_t) +userdom_manage_user_tmp_files(nsplugin_t) +userdom_manage_user_tmp_sockets(nsplugin_t) +userdom_tmp_filetrans_user_tmp(nsplugin_t, { file dir sock_file }) +userdom_rw_semaphores(nsplugin_t) +userdom_dontaudit_rw_user_tmp_pipes(nsplugin_t) + +userdom_read_user_home_content_symlinks(nsplugin_t) +userdom_read_user_home_content_files(nsplugin_t) +userdom_read_user_tmp_files(nsplugin_t) +userdom_write_user_tmp_sockets(nsplugin_t) +userdom_dontaudit_append_user_home_content_files(nsplugin_t) + +optional_policy(` + alsa_read_rw_config(nsplugin_t) + alsa_read_home_files(nsplugin_t) +') + +optional_policy(` + cups_stream_connect(nsplugin_t) +') + +optional_policy(` + dbus_session_bus_client(nsplugin_t) + dbus_connect_session_bus(nsplugin_t) + dbus_system_bus_client(nsplugin_t) +') + +optional_policy(` + gnome_exec_gconf(nsplugin_t) + gnome_manage_config(nsplugin_t) + gnome_read_gconf_home_files(nsplugin_t) +') + +optional_policy(` + mozilla_read_user_home_files(nsplugin_t) + mozilla_write_user_home_files(nsplugin_t) +') + +optional_policy(` + mplayer_exec(nsplugin_t) + mplayer_read_user_home_files(nsplugin_t) +') + +optional_policy(` + unconfined_execmem_signull(nsplugin_t) +') + +optional_policy(` + gen_require(` + type user_tmpfs_t; + ') + xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t) + xserver_rw_shm(nsplugin_t) + xserver_read_xdm_pid(nsplugin_t) + xserver_read_xdm_tmp_files(nsplugin_t) + xserver_read_user_xauth(nsplugin_t) + xserver_read_user_iceauth(nsplugin_t) + xserver_use_user_fonts(nsplugin_t) + xserver_rw_inherited_user_fonts(nsplugin_t) +') + +######################################## +# +# nsplugin_config local policy +# + +allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; +allow nsplugin_config_t self:process { setsched signal_perms getsched execmem }; +#execing pulseaudio +dontaudit nsplugin_t self:process { getcap setcap }; + +allow nsplugin_config_t self:fifo_file rw_file_perms; +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms; + +dev_dontaudit_read_rand(nsplugin_config_t) + +fs_search_auto_mountpoints(nsplugin_config_t) +fs_list_inotifyfs(nsplugin_config_t) + +can_exec(nsplugin_config_t, nsplugin_rw_t) +manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) +manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) +manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) + +manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) +manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) +manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) + +corecmd_exec_bin(nsplugin_config_t) +corecmd_exec_shell(nsplugin_config_t) + +kernel_read_system_state(nsplugin_config_t) + +files_read_etc_files(nsplugin_config_t) +files_read_usr_files(nsplugin_config_t) +files_dontaudit_search_home(nsplugin_config_t) +files_list_tmp(nsplugin_config_t) + +auth_use_nsswitch(nsplugin_config_t) + +miscfiles_read_localization(nsplugin_config_t) +miscfiles_read_fonts(nsplugin_config_t) + +userdom_search_user_home_content(nsplugin_config_t) +userdom_read_user_home_content_symlinks(nsplugin_config_t) +userdom_read_user_home_content_files(nsplugin_config_t) +userdom_dontaudit_search_admin_dir(nsplugin_config_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_getattr_nfs(nsplugin_t) + fs_manage_nfs_dirs(nsplugin_t) + fs_manage_nfs_files(nsplugin_t) + fs_read_nfs_symlinks(nsplugin_t) + fs_manage_nfs_named_pipes(nsplugin_t) + fs_manage_nfs_dirs(nsplugin_config_t) + fs_manage_nfs_files(nsplugin_config_t) + fs_manage_nfs_named_pipes(nsplugin_config_t) + fs_read_nfs_symlinks(nsplugin_config_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_getattr_cifs(nsplugin_t) + fs_manage_cifs_dirs(nsplugin_t) + fs_manage_cifs_files(nsplugin_t) + fs_read_cifs_symlinks(nsplugin_t) + fs_manage_cifs_named_pipes(nsplugin_t) + fs_manage_cifs_dirs(nsplugin_config_t) + fs_manage_cifs_files(nsplugin_config_t) + fs_manage_cifs_named_pipes(nsplugin_config_t) + fs_read_cifs_symlinks(nsplugin_config_t) +') + +domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t) + +optional_policy(` + xserver_use_user_fonts(nsplugin_config_t) +') + +optional_policy(` + mozilla_read_user_home_files(nsplugin_config_t) + mozilla_write_user_home_files(nsplugin_config_t) +') + +application_signull(nsplugin_t) + +optional_policy(` + pulseaudio_exec(nsplugin_t) + pulseaudio_stream_connect(nsplugin_t) + pulseaudio_manage_home_files(nsplugin_t) + pulseaudio_setattr_home_dir(nsplugin_t) +') + +optional_policy(` + unconfined_execmem_exec(nsplugin_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.8.8/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/openoffice.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,4 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/opt/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.8.8/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/openoffice.if 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,129 @@ +## Openoffice + +####################################### +## +## The per role template for the openoffice module. +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +interface(`openoffice_plugin_role',` + gen_require(` + type openoffice_exec_t; + type openoffice_t; + ') + + ######################################## + # + # Local policy + # + + domtrans_pattern($1, openoffice_exec_t, openoffice_t) + allow $1 openoffice_t:process { signal sigkill }; +') + +####################################### +## +## role for openoffice +## +## +##

+## This template creates a derived domains which are used +## for java applications. +##

+## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +interface(`openoffice_role_template',` + gen_require(` + type openoffice_exec_t; + ') + + role $2 types $1_openoffice_t; + + type $1_openoffice_t; + domain_type($1_openoffice_t) + domain_entry_file($1_openoffice_t, openoffice_exec_t) + domain_interactive_fd($1_openoffice_t) + + userdom_unpriv_usertype($1, $1_openoffice_t) + userdom_exec_user_home_content_files($1_openoffice_t) + + allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack }; + + allow $3 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh }; + allow $1_openoffice_t $3:tcp_socket { read write }; + + domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t) + + dev_read_urand($1_openoffice_t) + dev_read_rand($1_openoffice_t) + + fs_dontaudit_rw_tmpfs_files($1_openoffice_t) + + allow $3 $1_openoffice_t:process { signal sigkill }; + allow $1_openoffice_t $3:unix_stream_socket connectto; + + optional_policy(` + xserver_role($2, $1_openoffice_t) + ') +') + +######################################## +## +## Execute openoffice_exec_t +## in the specified domain. +## +## +##

+## Execute a openoffice_exec_t +## in the specified domain. +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+## +## +## +## Domain allowed access. +## +## +## +## +## The type of the new process. +## +## +# +interface(`openoffice_exec_domtrans',` + gen_require(` + type openoffice_exec_t; + ') + + allow $2 openoffice_exec_t:file entrypoint; + domtrans_pattern($1, openoffice_exec_t, $2) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.8.8/policy/modules/apps/openoffice.te --- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/openoffice.te 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,16 @@ +policy_module(openoffice, 1.0.0) + +######################################## +# +# Declarations +# + +type openoffice_t; +type openoffice_exec_t; +application_domain(openoffice_t, openoffice_exec_t) + +######################################## +# +# Unconfined java local policy +# + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.8.8/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/podsleuth.te 2010-08-11 08:27:39.000000000 -0400 @@ -27,7 +27,7 @@ # podsleuth local policy # allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio }; -allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack }; +allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack }; allow podsleuth_t self:fifo_file rw_file_perms; allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; allow podsleuth_t self:sem create_sem_perms; @@ -73,6 +73,7 @@ sysnet_dns_name_resolve(podsleuth_t) userdom_signal_unpriv_users(podsleuth_t) +userdom_signull_unpriv_users(podsleuth_t) userdom_read_user_tmpfs_files(podsleuth_t) optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.8.8/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/pulseaudio.if 2010-07-30 14:06:53.000000000 -0400 @@ -35,6 +35,10 @@ allow pulseaudio_t $2:unix_stream_socket connectto; allow $2 pulseaudio_t:unix_stream_socket connectto; + userdom_manage_home_role($1, pulseaudio_t) + userdom_manage_tmp_role($1, pulseaudio_t) + userdom_manage_tmpfs_role($1, pulseaudio_t) + allow $2 pulseaudio_t:dbus send_msg; allow pulseaudio_t $2:dbus { acquire_svc send_msg }; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.8.8/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/pulseaudio.te 2010-07-30 14:06:53.000000000 -0400 @@ -44,6 +44,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) userdom_search_user_home_dirs(pulseaudio_t) +userdom_search_admin_dir(pulseaudio_t) manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) @@ -53,7 +54,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) -files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file }) +files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { file dir }) can_exec(pulseaudio_t, pulseaudio_exec_t) @@ -94,11 +95,6 @@ miscfiles_read_localization(pulseaudio_t) -# cjp: this seems excessive. need to confirm -userdom_manage_user_home_content_files(pulseaudio_t) -userdom_manage_user_tmp_files(pulseaudio_t) -userdom_manage_user_tmpfs_files(pulseaudio_t) - optional_policy(` bluetooth_stream_connect(pulseaudio_t) ') @@ -131,6 +127,10 @@ ') optional_policy(` + mpd_read_tmpfs_files(pulseaudio_t) +') + +optional_policy(` policykit_domtrans_auth(pulseaudio_t) policykit_read_lib(pulseaudio_t) policykit_read_reload(pulseaudio_t) @@ -148,3 +148,7 @@ xserver_read_xdm_pid(pulseaudio_t) xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') + +optional_policy(` + sandbox_manage_tmpfs_files(pulseaudio_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.8.8/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/qemu.if 2010-07-30 14:06:53.000000000 -0400 @@ -275,6 +275,67 @@ ######################################## ## +## Execute qemu_exec_t +## in the specified domain but do not +## do it automatically. This is an explicit +## transition, requiring the caller to use setexeccon(). +## +## +##

+## Execute qemu_exec_t +## in the specified domain. This allows +## the specified domain to qemu programs +## on these filesystems in the specified +## domain. +##

+## +## +## +## Domain allowed access. +## +## +## +## +## The type of the new process. +## +## +# +interface(`qemu_spec_domtrans',` + gen_require(` + type qemu_exec_t; + ') + + read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t) + domain_transition_pattern($1, qemu_exec_t, $2) + domain_entry_file($2,qemu_exec_t) + can_exec($1,qemu_exec_t) + + allow $2 $1:fd use; + allow $2 $1:fifo_file rw_fifo_file_perms; + allow $2 $1:process sigchld; +') + +######################################## +## +## Execute qemu unconfined programs in the role. +## +## +## +## The role to allow the PAM domain. +## +## +# +interface(`qemu_unconfined_role',` + gen_require(` + type unconfined_qemu_t; + type qemu_t; + ') + role $1 types unconfined_qemu_t; + role $1 types qemu_t; +') + +######################################## +## ## Manage qemu temporary dirs. ## ## @@ -308,3 +369,24 @@ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') + +######################################## +## +## Make qemu_exec_t an entrypoint for +## the specified domain. +## +## +## +## The domain for which qemu_exec_t is an entrypoint. +## +## +# +interface(`qemu_entry_type',` + gen_require(` + type qemu_exec_t; + ') + + domain_entry_file($1, qemu_exec_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.8.8/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/qemu.te 2010-07-30 14:06:53.000000000 -0400 @@ -102,6 +102,10 @@ xen_rw_image_files(qemu_t) ') +optional_policy(` + xen_rw_image_files(qemu_t) +') + ######################################## # # Unconfined qemu local policy @@ -112,6 +116,8 @@ typealias unconfined_qemu_t alias qemu_unconfined_t; application_type(unconfined_qemu_t) unconfined_domain(unconfined_qemu_t) + userdom_manage_tmpfs_role(unconfined_r, unconfined_qemu_t) + userdom_unpriv_usertype(unconfined, unconfined_qemu_t) allow unconfined_qemu_t self:process { execstack execmem }; allow unconfined_qemu_t qemu_exec_t:file execmod; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.8.8/policy/modules/apps/sambagui.fc --- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/sambagui.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1 @@ +/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.8.8/policy/modules/apps/sambagui.if --- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/sambagui.if 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,2 @@ +## system-config-samba policy + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.8.8/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/sambagui.te 2010-08-13 15:50:28.000000000 -0400 @@ -0,0 +1,66 @@ +policy_module(sambagui,1.0.0) + +######################################## +# +# Declarations +# + +type sambagui_t; +type sambagui_exec_t; +dbus_system_domain(sambagui_t, sambagui_exec_t) + +######################################## +# +# system-config-samba local policy +# + +allow sambagui_t self:capability dac_override; +allow sambagui_t self:fifo_file rw_fifo_file_perms; +allow sambagui_t self:unix_dgram_socket create_socket_perms; + +# handling with samba conf files +samba_append_log(sambagui_t) +samba_manage_config(sambagui_t) +samba_manage_var_files(sambagui_t) +samba_read_secrets(sambagui_t) +samba_initrc_domtrans(sambagui_t) +samba_domtrans_smbd(sambagui_t) +samba_domtrans_nmbd(sambagui_t) + +# execut apps of system-config-samba +corecmd_exec_shell(sambagui_t) +corecmd_exec_bin(sambagui_t) + +files_read_etc_files(sambagui_t) +files_read_usr_files(sambagui_t) +files_search_var_lib(sambagui_t) + +# reading shadow by pdbedit +#auth_read_shadow(sambagui_t) + +auth_use_nsswitch(sambagui_t) + +logging_send_syslog_msg(sambagui_t) + +miscfiles_read_localization(sambagui_t) + +# read meminfo +kernel_read_system_state(sambagui_t) + +dev_dontaudit_read_urand(sambagui_t) +nscd_dontaudit_search_pid(sambagui_t) + +userdom_dontaudit_search_admin_dir(sambagui_t) + + +optional_policy(` + consoletype_exec(sambagui_t) +') + +optional_policy(` + gnome_dontaudit_search_config(sambagui_t) +') + +optional_policy(` + policykit_dbus_chat(sambagui_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.8.8/policy/modules/apps/sandbox.fc --- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/sandbox.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1 @@ +# No types are sandbox_exec_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.8.8/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/sandbox.if 2010-08-18 06:43:23.000000000 -0400 @@ -0,0 +1,314 @@ + +## policy for sandbox + +######################################## +## +## Execute sandbox in the sandbox domain, and +## allow the specified role the sandbox domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the sandbox domain. +## +## +# +interface(`sandbox_transition',` + gen_require(` + type sandbox_xserver_t; + attribute sandbox_domain; + attribute sandbox_x_domain; + attribute sandbox_file_type; + attribute sandbox_tmpfs_type; + ') + + allow $1 sandbox_domain:process transition; + dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; + role $2 types sandbox_domain; + allow sandbox_domain $1:process { sigchld signull }; + allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; + + allow $1 sandbox_x_domain:process { signal_perms transition }; + dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh }; + allow sandbox_x_domain $1:process { sigchld signull }; + role $2 types sandbox_x_domain; + role $2 types sandbox_xserver_t; + allow $1 sandbox_xserver_t:process signal_perms; + dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms; + dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms; + dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms; + allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms }; + allow sandbox_x_domain sandbox_x_domain:process signal; + # Dontaudit leaked file descriptors + dontaudit sandbox_x_domain $1:fifo_file { read write }; + dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:unix_stream_socket { read write }; + + allow $1 sandbox_tmpfs_type:file manage_file_perms; + dontaudit $1 sandbox_tmpfs_type:file manage_file_perms; + + manage_files_pattern($1, sandbox_file_type, sandbox_file_type); + manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type); + manage_sock_files_pattern($1, sandbox_file_type, sandbox_file_type); + manage_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type); + manage_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type); + relabel_dirs_pattern($1, sandbox_file_type, sandbox_file_type) + relabel_files_pattern($1, sandbox_file_type, sandbox_file_type) + relabel_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type) + relabel_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type) + relabel_sock_files_pattern($1, sandbox_file_type, sandbox_file_type) +') + +######################################## +## +## Creates types and rules for a basic +## qemu process domain. +## +## +## +## Prefix for the domain. +## +## +# +template(`sandbox_domain_template',` + + gen_require(` + attribute sandbox_domain; + attribute sandbox_file_type; + attribute sandbox_x_type; + ') + + type $1_t, sandbox_domain, sandbox_x_type; + application_type($1_t) + + mls_rangetrans_target($1_t) + + type $1_file_t, sandbox_file_type; + files_type($1_file_t) + + can_exec($1_t, $1_file_t) + manage_dirs_pattern($1_t, $1_file_t, $1_file_t) + manage_files_pattern($1_t, $1_file_t, $1_file_t) + manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t) + manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) + manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) +') + +######################################## +## +## Creates types and rules for a basic +## qemu process domain. +## +## +## +## Prefix for the domain. +## +## +# +template(`sandbox_x_domain_template',` + gen_require(` + type xserver_exec_t, sandbox_devpts_t; + type sandbox_xserver_t; + attribute sandbox_domain, sandbox_x_domain; + attribute sandbox_file_type, sandbox_tmpfs_type; + ') + + type $1_t, sandbox_x_domain; + application_type($1_t) + + type $1_file_t, sandbox_file_type; + files_type($1_file_t) + + can_exec($1_t, $1_file_t) + manage_dirs_pattern($1_t, $1_file_t, $1_file_t) + manage_files_pattern($1_t, $1_file_t, $1_file_t) + manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t) + manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) + manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) + + type $1_devpts_t; + term_pty($1_devpts_t) + term_create_pty($1_t, $1_devpts_t) + allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; + + # window manager + miscfiles_setattr_fonts_cache_dirs($1_t) + allow $1_t self:capability setuid; + + type $1_client_t, sandbox_x_domain; + application_type($1_client_t) + + type $1_client_tmpfs_t, sandbox_tmpfs_type; + files_tmpfs_file($1_client_tmpfs_t) + + term_search_ptys($1_t) + allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr }; + term_create_pty($1_client_t,sandbox_devpts_t) + + manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t) + fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file ) + # Pulseaudio tmpfs files with different MCS labels + dontaudit $1_client_t $1_client_tmpfs_t:file { read write }; + allow sandbox_xserver_t $1_client_tmpfs_t:file { read write }; + + domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t) + allow $1_t sandbox_xserver_t:process signal_perms; + + domtrans_pattern($1_t, $1_file_t, $1_client_t) + domain_entry_file($1_client_t, $1_file_t) + + # Random tmpfs_t that gets created when you run X. + fs_rw_tmpfs_files($1_t) + + manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) + manage_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) + manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) + allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms; + ps_process_pattern(sandbox_xserver_t, $1_client_t) + ps_process_pattern(sandbox_xserver_t, $1_t) + allow sandbox_xserver_t $1_client_t:shm rw_shm_perms; + allow sandbox_xserver_t $1_t:shm rw_shm_perms; + allow $1_client_t $1_t:unix_stream_socket connectto; + allow $1_t $1_client_t:unix_stream_socket connectto; + + can_exec($1_client_t, $1_file_t) + manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t) + manage_files_pattern($1_client_t, $1_file_t, $1_file_t) + manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t) + manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t) + manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t) +') + +######################################## +## +## allow domain to read, +## write sandbox_xserver tmp files +## +## +## +## Domain allowed access +## +## +# +interface(`sandbox_rw_xserver_tmpfs_files',` + gen_require(` + type sandbox_xserver_tmpfs_t; + ') + + allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms; +') + +######################################## +## +## allow domain to manage +## sandbox tmpfs files +## +## +## +## Domain allowed access +## +## +# +interface(`sandbox_manage_tmpfs_files',` + gen_require(` + attribute sandbox_tmpfs_type; + ') + + allow $1 sandbox_tmpfs_type:file manage_file_perms; +') + +######################################## +## +## Delete sandbox files +## +## +## +## Domain allowed access +## +## +# +interface(`sandbox_delete_files',` + gen_require(` + attribute sandbox_file_type; + ') + + delete_files_pattern($1, sandbox_file_type, sandbox_file_type) +') + +######################################## +## +## Delete sandbox sock files +## +## +## +## Domain allowed access +## +## +# +interface(`sandbox_delete_sock_files',` + gen_require(` + attribute sandbox_file_type; + ') + + delete_sock_files_pattern($1, sandbox_file_type, sandbox_file_type) +') + +######################################## +## +## Allow domain to set the attributes +## of the sandbox directory. +## +## +## +## Domain allowed access +## +## +# +interface(`sandbox_setattr_dirs',` + gen_require(` + attribute sandbox_file_type; + ') + + allow $1 sandbox_file_type:dir setattr; +') + +######################################## +## +## allow domain to delete sandbox files +## +## +## +## Domain allowed access +## +## +# +interface(`sandbox_delete_dirs',` + gen_require(` + attribute sandbox_file_type; + ') + + delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type) +') + +######################################## +## +## allow domain to list sandbox dirs +## +## +## +## Domain allowed access +## +## +# +interface(`sandbox_list',` + gen_require(` + attribute sandbox_file_type; + ') + + allow $1 sandbox_file_type:dir list_dir_perms; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.8.8/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te 2010-08-19 07:46:41.000000000 -0400 @@ -0,0 +1,397 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; +attribute sandbox_x_domain; +attribute sandbox_file_type; +attribute sandbox_web_type; +attribute sandbox_tmpfs_type; +attribute sandbox_x_type; + +######################################## +# +# Declarations +# + +sandbox_domain_template(sandbox) +sandbox_x_domain_template(sandbox_min) +sandbox_x_domain_template(sandbox_x) +sandbox_x_domain_template(sandbox_web) +sandbox_x_domain_template(sandbox_net) + +type sandbox_xserver_t; +domain_type(sandbox_xserver_t) +xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t) + +type sandbox_xserver_tmpfs_t; +files_tmpfs_file(sandbox_xserver_tmpfs_t) + +type sandbox_devpts_t; +term_pty(sandbox_devpts_t) +files_type(sandbox_devpts_t) + +######################################## +# +# sandbox xserver policy +# +allow sandbox_xserver_t self:process { execmem execstack }; +allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms; +allow sandbox_xserver_t self:shm create_shm_perms; +allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +corecmd_exec_bin(sandbox_xserver_t) +corecmd_exec_shell(sandbox_xserver_t) + +corenet_all_recvfrom_unlabeled(sandbox_xserver_t) +corenet_all_recvfrom_netlabel(sandbox_xserver_t) +corenet_tcp_sendrecv_all_if(sandbox_xserver_t) +corenet_udp_sendrecv_all_if(sandbox_xserver_t) +corenet_tcp_sendrecv_all_nodes(sandbox_xserver_t) +corenet_udp_sendrecv_all_nodes(sandbox_xserver_t) +corenet_tcp_sendrecv_all_ports(sandbox_xserver_t) +corenet_udp_sendrecv_all_ports(sandbox_xserver_t) +corenet_tcp_bind_all_nodes(sandbox_xserver_t) +corenet_tcp_bind_xserver_port(sandbox_xserver_t) +corenet_sendrecv_xserver_server_packets(sandbox_xserver_t) +corenet_sendrecv_all_client_packets(sandbox_xserver_t) + +dev_rwx_zero(sandbox_xserver_t) + +files_read_config_files(sandbox_xserver_t) +files_read_usr_files(sandbox_xserver_t) +files_search_home(sandbox_xserver_t) +fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t) +fs_list_inotifyfs(sandbox_xserver_t) + +miscfiles_read_fonts(sandbox_xserver_t) +miscfiles_read_localization(sandbox_xserver_t) + +kernel_read_system_state(sandbox_xserver_t) + +selinux_validate_context(sandbox_xserver_t) +selinux_compute_access_vector(sandbox_xserver_t) +selinux_compute_create_context(sandbox_xserver_t) + +auth_use_nsswitch(sandbox_xserver_t) + +logging_send_syslog_msg(sandbox_xserver_t) +logging_send_audit_msgs(sandbox_xserver_t) + +userdom_use_user_terminals(sandbox_xserver_t) +userdom_dontaudit_search_user_home_content(sandbox_xserver_t) + +xserver_entry_type(sandbox_xserver_t) + +optional_policy(` + dbus_system_bus_client(sandbox_xserver_t) + + optional_policy(` + hal_dbus_chat(sandbox_xserver_t) + ') +') + +######################################## +# +# sandbox local policy +# + +## internal communication is often done using fifo and unix sockets. +allow sandbox_domain self:fifo_file manage_file_perms; +allow sandbox_domain self:sem create_sem_perms; +allow sandbox_domain self:shm create_shm_perms; +allow sandbox_domain self:msgq create_msgq_perms; +allow sandbox_domain self:unix_stream_socket create_stream_socket_perms; +allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; +dontaudit sandbox_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + +dev_rw_all_inherited_chr_files(sandbox_domain) +dev_rw_all_inherited_blk_files(sandbox_domain) + +gen_require(` + type usr_t, lib_t, locale_t; + type var_t, var_run_t, rpm_log_t, locale_t; + attribute exec_type, configfile; +') + +files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t ) +files_entrypoint_all_files(sandbox_domain) + +files_read_config_files(sandbox_domain) +files_read_usr_files(sandbox_domain) +files_read_var_files(sandbox_domain) +files_dontaudit_search_all_dirs(sandbox_domain) + +miscfiles_read_localization(sandbox_domain) + +kernel_dontaudit_read_system_state(sandbox_domain) +corecmd_exec_all_executables(sandbox_domain) + +userdom_dontaudit_use_user_terminals(sandbox_domain) + +mta_dontaudit_read_spool_symlinks(sandbox_domain) + +######################################## +# +# sandbox_x_domain local policy +# +allow sandbox_x_domain self:fifo_file manage_file_perms; +allow sandbox_x_domain self:sem create_sem_perms; +allow sandbox_x_domain self:shm create_shm_perms; +allow sandbox_x_domain self:msgq create_msgq_perms; +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; +allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms }; + +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; + +allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem }; +allow sandbox_x_domain self:shm create_shm_perms; +allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms }; +allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms }; +allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto; +dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + +domain_dontaudit_read_all_domains_state(sandbox_x_domain) + +files_search_home(sandbox_x_domain) +files_dontaudit_list_tmp(sandbox_x_domain) + +kernel_getattr_proc(sandbox_x_domain) +kernel_read_network_state(sandbox_x_domain) +kernel_read_system_state(sandbox_x_domain) + +corecmd_exec_all_executables(sandbox_x_domain) + +dev_read_urand(sandbox_x_domain) +dev_dontaudit_read_rand(sandbox_x_domain) +dev_read_sysfs(sandbox_x_domain) + +files_entrypoint_all_files(sandbox_x_domain) +files_read_config_files(sandbox_x_domain) +files_read_usr_files(sandbox_x_domain) +files_read_usr_symlinks(sandbox_x_domain) + +fs_getattr_tmpfs(sandbox_x_domain) +fs_getattr_xattr_fs(sandbox_x_domain) +fs_list_inotifyfs(sandbox_x_domain) + +auth_dontaudit_read_login_records(sandbox_x_domain) +auth_dontaudit_write_login_records(sandbox_x_domain) +auth_use_nsswitch(sandbox_x_domain) +auth_search_pam_console_data(sandbox_x_domain) + +init_read_utmp(sandbox_x_domain) +init_dontaudit_write_utmp(sandbox_x_domain) + +miscfiles_read_localization(sandbox_x_domain) +miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain) + +term_getattr_pty_fs(sandbox_x_domain) +term_use_ptmx(sandbox_x_domain) + +logging_send_syslog_msg(sandbox_x_domain) +logging_dontaudit_search_logs(sandbox_x_domain) + +miscfiles_read_fonts(sandbox_x_domain) + +storage_dontaudit_rw_fuse(sandbox_x_domain) + +optional_policy(` + cups_stream_connect(sandbox_x_domain) + cups_read_rw_config(sandbox_x_domain) +') + +optional_policy(` + dbus_system_bus_client(sandbox_x_domain) +') + +optional_policy(` + gnome_read_gconf_config(sandbox_x_domain) +') + +optional_policy(` + nscd_dontaudit_search_pid(sandbox_x_domain) +') + +optional_policy(` + sssd_dontaudit_search_lib(sandbox_x_domain) +') + +optional_policy(` + udev_read_db(sandbox_x_domain) +') + +userdom_dontaudit_use_user_terminals(sandbox_x_domain) +userdom_read_user_home_content_symlinks(sandbox_x_domain) +userdom_search_user_home_content(sandbox_x_domain) + +#============= sandbox_x_t ============== +files_search_home(sandbox_x_t) +userdom_use_user_ptys(sandbox_x_t) + +######################################## +# +# sandbox_x_client_t local policy +# +allow sandbox_x_client_t self:tcp_socket create_socket_perms; +allow sandbox_x_client_t self:udp_socket create_socket_perms; +allow sandbox_x_client_t self:dbus { acquire_svc send_msg }; +allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms; + +dev_read_rand(sandbox_x_client_t) + +corenet_tcp_connect_ipp_port(sandbox_x_client_t) + +auth_use_nsswitch(sandbox_x_client_t) + +selinux_get_fs_mount(sandbox_x_client_t) +selinux_validate_context(sandbox_x_client_t) +selinux_compute_access_vector(sandbox_x_client_t) +selinux_compute_create_context(sandbox_x_client_t) +selinux_compute_relabel_context(sandbox_x_client_t) +selinux_compute_user_contexts(sandbox_x_client_t) +seutil_read_default_contexts(sandbox_x_client_t) + +optional_policy(` + hal_dbus_chat(sandbox_x_client_t) +') + +######################################## +# +# sandbox_web_client_t local policy +# +typeattribute sandbox_web_client_t sandbox_web_type; + +allow sandbox_web_type self:capability { setuid setgid }; +allow sandbox_web_type self:netlink_audit_socket nlmsg_relay; +allow sandbox_web_type self:process setsched; +dontaudit sandbox_web_type self:process setrlimit; + +allow sandbox_web_type self:tcp_socket create_socket_perms; +allow sandbox_web_type self:udp_socket create_socket_perms; +allow sandbox_web_type self:dbus { acquire_svc send_msg }; +allow sandbox_web_type self:netlink_selinux_socket create_socket_perms; + +kernel_dontaudit_search_kernel_sysctl(sandbox_web_type) + +dev_read_rand(sandbox_web_type) +dev_write_sound(sandbox_web_type) +dev_read_sound(sandbox_web_type) + +# Browse the web, connect to printer +corenet_all_recvfrom_unlabeled(sandbox_web_type) +corenet_all_recvfrom_netlabel(sandbox_web_type) +corenet_tcp_sendrecv_all_if(sandbox_web_type) +corenet_raw_sendrecv_all_if(sandbox_web_type) +corenet_tcp_sendrecv_all_nodes(sandbox_web_type) +corenet_raw_sendrecv_all_nodes(sandbox_web_type) +corenet_tcp_sendrecv_http_port(sandbox_web_type) +corenet_tcp_sendrecv_http_cache_port(sandbox_web_type) +corenet_tcp_sendrecv_ftp_port(sandbox_web_type) +corenet_tcp_sendrecv_ipp_port(sandbox_web_type) +corenet_tcp_connect_http_port(sandbox_web_type) +corenet_tcp_connect_http_cache_port(sandbox_web_type) +corenet_tcp_connect_flash_port(sandbox_web_type) +corenet_tcp_connect_ftp_port(sandbox_web_type) +corenet_tcp_connect_ipp_port(sandbox_web_type) +corenet_tcp_connect_streaming_port(sandbox_web_type) +corenet_tcp_connect_pulseaudio_port(sandbox_web_type) +corenet_tcp_connect_speech_port(sandbox_web_type) +corenet_tcp_connect_generic_port(sandbox_web_type) +corenet_tcp_connect_soundd_port(sandbox_web_type) +corenet_tcp_connect_speech_port(sandbox_web_type) +corenet_sendrecv_http_client_packets(sandbox_web_type) +corenet_sendrecv_http_cache_client_packets(sandbox_web_type) +corenet_sendrecv_ftp_client_packets(sandbox_web_type) +corenet_sendrecv_ipp_client_packets(sandbox_web_type) +corenet_sendrecv_generic_client_packets(sandbox_web_type) +# Should not need other ports +corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type) +corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type) + +files_dontaudit_getattr_all_dirs(sandbox_web_type) +files_dontaudit_list_mnt(sandbox_web_type) + +fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type) +fs_dontaudit_getattr_all_fs(sandbox_web_type) + +storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type) + +auth_use_nsswitch(sandbox_web_type) + +dbus_system_bus_client(sandbox_web_type) +dbus_read_config(sandbox_web_type) +selinux_get_fs_mount(sandbox_web_type) +selinux_validate_context(sandbox_web_type) +selinux_compute_access_vector(sandbox_web_type) +selinux_compute_create_context(sandbox_web_type) +selinux_compute_relabel_context(sandbox_web_type) +selinux_compute_user_contexts(sandbox_web_type) +seutil_read_default_contexts(sandbox_web_type) + +userdom_rw_user_tmpfs_files(sandbox_web_type) +userdom_delete_user_tmpfs_files(sandbox_web_type) + +optional_policy(` + bluetooth_dontaudit_dbus_chat(sandbox_web_type) +') + +optional_policy(` + consolekit_dbus_chat(sandbox_web_type) +') + +optional_policy(` + hal_dbus_chat(sandbox_web_type) +') + +optional_policy(` + nsplugin_read_rw_files(sandbox_web_type) + nsplugin_rw_exec(sandbox_web_type) + nsplugin_manage_rw(sandbox_web_type) +') + +optional_policy(` + pulseaudio_stream_connect(sandbox_web_type) + allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms; +') + +optional_policy(` + rtkit_daemon_dontaudit_dbus_chat(sandbox_web_type) +') + +optional_policy(` + networkmanager_dontaudit_dbus_chat(sandbox_web_type) +') + +optional_policy(` + udev_read_state(sandbox_web_type) +') + +######################################## +# +# sandbox_net_client_t local policy +# +typeattribute sandbox_net_client_t sandbox_web_type; + +corenet_all_recvfrom_unlabeled(sandbox_net_client_t) +corenet_all_recvfrom_netlabel(sandbox_net_client_t) +corenet_tcp_sendrecv_all_if(sandbox_net_client_t) +corenet_udp_sendrecv_all_if(sandbox_net_client_t) +corenet_tcp_sendrecv_all_nodes(sandbox_net_client_t) +corenet_udp_sendrecv_all_nodes(sandbox_net_client_t) +corenet_tcp_sendrecv_all_ports(sandbox_net_client_t) +corenet_udp_sendrecv_all_ports(sandbox_net_client_t) +corenet_tcp_connect_all_ports(sandbox_net_client_t) +corenet_sendrecv_all_client_packets(sandbox_net_client_t) + +optional_policy(` + mozilla_dontaudit_rw_user_home_files(sandbox_x_t) + mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t) + mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.8.8/policy/modules/apps/seunshare.if --- nsaserefpolicy/policy/modules/apps/seunshare.if 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/seunshare.if 2010-07-30 14:06:53.000000000 -0400 @@ -53,8 +53,14 @@ ######################################## ## -## Role access for seunshare +## The role template for the seunshare module. ## +## +## +## The prefix of the user role (e.g., user +## is the prefix for user_r). +## +## ## ## ## Role allowed access. @@ -66,15 +72,28 @@ ## ## # -interface(`seunshare_role',` +interface(`seunshare_role_template',` gen_require(` - type seunshare_t; + attribute seunshare_domain; + type seunshare_exec_t; ') - role $2 types seunshare_t; + type $1_seunshare_t, seunshare_domain; + application_domain($1_seunshare_t, seunshare_exec_t) + role $2 types $1_seunshare_t; + + mls_process_set_level($1_seunshare_t) - seunshare_domtrans($1) + domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t) + sandbox_transition($1_seunshare_t, $2) - ps_process_pattern($2, seunshare_t) - allow $2 seunshare_t:process signal; + ps_process_pattern($3, $1_seunshare_t) + allow $3 $1_seunshare_t:process signal_perms; + + allow $1_seunshare_t $3:process transition; + dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh }; + + ifdef(`hide_broken_symptoms', ` + dontaudit $1_seunshare_t $3:socket_class_set { read write }; + ') ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.8.8/policy/modules/apps/seunshare.te --- nsaserefpolicy/policy/modules/apps/seunshare.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te 2010-08-11 08:01:44.000000000 -0400 @@ -5,40 +5,45 @@ # Declarations # -type seunshare_t; +attribute seunshare_domain; type seunshare_exec_t; -application_domain(seunshare_t, seunshare_exec_t) -role system_r types seunshare_t; ######################################## # # seunshare local policy # +allow seunshare_domain self:capability { setuid dac_override setpcap sys_admin sys_nice }; +allow seunshare_domain self:process { fork setexec signal getcap setcap setsched }; -allow seunshare_t self:capability { setuid dac_override setpcap sys_admin }; -allow seunshare_t self:process { setexec signal getcap setcap }; +allow seunshare_domain self:fifo_file rw_file_perms; +allow seunshare_domain self:unix_stream_socket create_stream_socket_perms; -allow seunshare_t self:fifo_file rw_file_perms; -allow seunshare_t self:unix_stream_socket create_stream_socket_perms; +kernel_read_system_state(seunshare_domain) -corecmd_exec_shell(seunshare_t) -corecmd_exec_bin(seunshare_t) +corecmd_exec_shell(seunshare_domain) +corecmd_exec_bin(seunshare_domain) -files_read_etc_files(seunshare_t) -files_mounton_all_poly_members(seunshare_t) +files_search_all(seunshare_domain) +files_read_etc_files(seunshare_domain) +files_mounton_all_poly_members(seunshare_domain) -auth_use_nsswitch(seunshare_t) +fs_manage_cgroup_dirs(seunshare_domain) +fs_manage_cgroup_files(seunshare_domain) -logging_send_syslog_msg(seunshare_t) +auth_use_nsswitch(seunshare_domain) -miscfiles_read_localization(seunshare_t) +logging_send_syslog_msg(seunshare_domain) -userdom_use_user_terminals(seunshare_t) +miscfiles_read_localization(seunshare_domain) + +userdom_use_user_terminals(seunshare_domain) ifdef(`hide_broken_symptoms', ` - fs_dontaudit_rw_anon_inodefs_files(seunshare_t) + fs_dontaudit_rw_anon_inodefs_files(seunshare_domain) + fs_dontaudit_list_inotifyfs(seunshare_domain) optional_policy(` - mozilla_dontaudit_manage_user_home_files(seunshare_t) + mozilla_dontaudit_manage_user_home_files(seunshare_domain) ') ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.fc serefpolicy-3.8.8/policy/modules/apps/telepathy.fc --- nsaserefpolicy/policy/modules/apps/telepathy.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/telepathy.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,14 @@ +HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0) +HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0) +HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) + +/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0) + +/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) +/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t, s0) +/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) +/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t, s0) +/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0) +/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0) +/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0) +/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.if serefpolicy-3.8.8/policy/modules/apps/telepathy.if --- nsaserefpolicy/policy/modules/apps/telepathy.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/telepathy.if 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,188 @@ + +## Telepathy framework. + +####################################### +## +## Creates basic types for telepathy +## domain +## +## +## +## Prefix for the domain. +## +## +# +# +template(`telepathy_domain_template',` + + gen_require(` + attribute telepathy_domain; + attribute telepathy_executable; + ') + + type telepathy_$1_t, telepathy_domain; + type telepathy_$1_exec_t, telepathy_executable; + application_domain(telepathy_$1_t, telepathy_$1_exec_t) + ubac_constrained(telepathy_$1_t) + + type telepathy_$1_tmp_t; + files_tmp_file(telepathy_$1_tmp_t) + ubac_constrained(telepathy_$1_tmp_t) + + dbus_session_domain(telepathy_$1_t, telepathy_$1_exec_t) +') + +####################################### +## +## Role access for telepathy domains +### that executes via dbus-session +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +template(`telepathy_dbus_session_role', ` + gen_require(` + attribute telepathy_domain; + ') + + role $1 types telepathy_domain; + + allow $2 telepathy_domain:process { ptrace signal_perms }; + ps_process_pattern($2, telepathy_domain) + + optional_policy(` + telepathy_dbus_chat($2) + ') + + telepathy_gabble_stream_connect($2) + telepathy_msn_stream_connect($2) + telepathy_salut_stream_connect($2) +') + +######################################## +## +## Send DBus messages to and from +## all Telepathy domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`telepathy_dbus_chat', ` + gen_require(` + attribute telepathy_domain; + class dbus send_msg; + ') + + allow $1 telepathy_domain:dbus send_msg; + allow telepathy_domain $1:dbus send_msg; +') + +######################################## +## +## Send DBus messages to and from +## Telepathy Gabble. +## +## +## +## Domain allowed access. +## +## +# +interface(`telepathy_gabble_dbus_chat', ` + gen_require(` + type telepathy_gabble_t; + class dbus send_msg; + ') + + allow $1 telepathy_gabble_t:dbus send_msg; + allow telepathy_gabble_t $1:dbus send_msg; +') + +######################################## +## +## Read and write Telepathy Butterfly +## temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`telepathy_butterfly_rw_tmp_files', ` + gen_require(` + type telepathy_butterfly_tmp_t; + ') + + allow $1 telepathy_butterfly_tmp_t:file rw_file_perms; + files_search_tmp($1) +') + +######################################## +## +## Stream connect to Telepathy Gabble +## +## +## +## Domain allowed access. +## +## +# +interface(`telepathy_gabble_stream_connect', ` + gen_require(` + type telepathy_gabble_t, telepathy_gabble_tmp_t; + ') + + stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t) + files_search_tmp($1) +') + +####################################### +## +## Stream connect to telepathy MSN managers +## +## +## +## Domain allowed access. +## +## +# +interface(`telepathy_msn_stream_connect', ` + gen_require(` + type telepathy_msn_t, telepathy_msn_tmp_t; + ') + + stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t) + files_search_tmp($1) +') + + +######################################## +## +## Stream connect to Telepathy Salut +## +## +## +## Domain allowed access. +## +## +# +interface(`telepathy_salut_stream_connect', ` + gen_require(` + type telepathy_salut_t, telepathy_salut_tmp_t; + ') + + stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) + files_search_tmp($1) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.te serefpolicy-3.8.8/policy/modules/apps/telepathy.te --- nsaserefpolicy/policy/modules/apps/telepathy.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/apps/telepathy.te 2010-08-19 05:59:57.000000000 -0400 @@ -0,0 +1,311 @@ + +policy_module(telepathy, 1.0.0) + +######################################## +# +# Declarations. +# + +## +##

+## Allow the Telepathy connection managers +## to connect to any generic TCP port. +##

+## +gen_tunable(telepathy_tcp_connect_generic_network_ports, false) + +attribute telepathy_domain; +attribute telepathy_executable; + +telepathy_domain_template(gabble) + +type telepathy_gabble_cache_home_t; +userdom_user_home_content(telepathy_gabble_cache_home_t) + +telepathy_domain_template(idle) +telepathy_domain_template(mission_control) + +type telepathy_mission_control_home_t; +userdom_user_home_content(telepathy_mission_control_home_t) + +type telepathy_mission_control_cache_home_t; +userdom_user_home_content(telepathy_mission_control_cache_home_t) + +telepathy_domain_template(msn) +telepathy_domain_template(salut) +telepathy_domain_template(sofiasip) +telepathy_domain_template(stream_engine) +telepathy_domain_template(sunshine) + +####################################### +# +# Telepathy Butterfly and Haze local policy. +# + +allow telepathy_msn_t self:process setsched; +allow telepathy_msn_t self:netlink_route_socket create_netlink_socket_perms; +allow telepathy_msn_t self:unix_dgram_socket { write create connect }; + +manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) +manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) +exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) +files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file}) +userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file}) + +corenet_sendrecv_http_client_packets(telepathy_msn_t) +corenet_sendrecv_msnp_client_packets(telepathy_msn_t) +corenet_tcp_connect_http_port(telepathy_msn_t) +corenet_tcp_connect_msnp_port(telepathy_msn_t) + +corecmd_exec_bin(telepathy_msn_t) +corecmd_exec_shell(telepathy_msn_t) +corecmd_read_bin_symlinks(telepathy_msn_t) + +dev_read_urand(telepathy_msn_t) + +files_read_etc_files(telepathy_msn_t) +files_read_usr_files(telepathy_msn_t) + +kernel_read_system_state(telepathy_msn_t) + +auth_use_nsswitch(telepathy_msn_t) + +logging_send_syslog_msg(telepathy_msn_t) + +miscfiles_read_certs(telepathy_msn_t) + +sysnet_read_config(telepathy_msn_t) + +optional_policy(` + dbus_system_bus_client(telepathy_msn_t) +') + +optional_policy(` + gnome_read_gconf_home_files(telepathy_msn_t) +') + +####################################### +# +# Telepathy Gabble local policy. +# + +allow telepathy_gabble_t self:netlink_route_socket create_netlink_socket_perms; +allow telepathy_gabble_t self:tcp_socket { listen accept }; +allow telepathy_gabble_t self:unix_dgram_socket { write read create getattr sendto }; + +manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) +manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) +files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file }) + +# ~/.cache/gabble/caps-cache.db-journal +optional_policy(` + manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) + manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) + gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, { dir file }) +') + +corenet_sendrecv_commplex_client_packets(telepathy_gabble_t) +corenet_sendrecv_http_client_packets(telepathy_gabble_t) +corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t) +corenet_sendrecv_vnc_client_packets(telepathy_gabble_t) + +corenet_tcp_connect_commplex_port(telepathy_gabble_t) +corenet_tcp_connect_http_port(telepathy_gabble_t) +corenet_tcp_connect_jabber_client_port(telepathy_gabble_t) +corenet_tcp_connect_vnc_port(telepathy_gabble_t) + +dev_read_rand(telepathy_gabble_t) +dev_read_urand(telepathy_gabble_t) + +files_read_etc_files(telepathy_gabble_t) +files_read_usr_files(telepathy_gabble_t) + +miscfiles_read_certs(telepathy_gabble_t) + +sysnet_read_config(telepathy_gabble_t) + +optional_policy(` + dbus_system_bus_client(telepathy_gabble_t) +') + +tunable_policy(`use_nfs_home_dirs', ` + fs_manage_nfs_dirs(telepathy_gabble_t) + fs_manage_nfs_files(telepathy_gabble_t) +') + +tunable_policy(`use_samba_home_dirs', ` + fs_manage_cifs_dirs(telepathy_gabble_t) + fs_manage_cifs_files(telepathy_gabble_t) +') + +####################################### +# +# Telepathy Idle local policy. +# + +allow telepathy_idle_t self:netlink_route_socket create_netlink_socket_perms; + +corenet_sendrecv_ircd_client_packets(telepathy_idle_t) +corenet_tcp_connect_ircd_port(telepathy_idle_t) + +files_read_etc_files(telepathy_idle_t) + +sysnet_read_config(telepathy_idle_t) + +####################################### +# +# Telepathy Mission-Control local policy. +# + +manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) +manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) +userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file }) +userdom_search_user_home_dirs(telepathy_mission_control_t) + +dev_read_rand(telepathy_mission_control_t) + +files_read_etc_files(telepathy_mission_control_t) +files_read_usr_files(telepathy_mission_control_t) + +tunable_policy(`use_nfs_home_dirs', ` + fs_manage_nfs_dirs(telepathy_mission_control_t) + fs_manage_nfs_files(telepathy_mission_control_t) +') + +tunable_policy(`use_samba_home_dirs', ` + fs_manage_cifs_dirs(telepathy_mission_control_t) + fs_manage_cifs_files(telepathy_mission_control_t) +') + +auth_use_nsswitch(telepathy_mission_control_t) + +# ~/.cache/.mc_connections. +optional_policy(` + manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) + gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file) +') + +optional_policy(` + gnome_read_gconf_home_files(telepathy_mission_control_t) + gnome_setattr_cache_home_dir(telepathy_mission_control_t) + gnome_read_generic_cache_files(telepathy_mission_control_t) +') + +####################################### +# +# Telepathy Salut local policy. +# + +allow telepathy_salut_t self:netlink_route_socket create_netlink_socket_perms; +allow telepathy_salut_t self:tcp_socket { accept listen }; + +manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t) +files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file) + +corenet_sendrecv_presence_server_packets(telepathy_salut_t) +corenet_tcp_bind_presence_port(telepathy_salut_t) +corenet_tcp_connect_presence_port(telepathy_salut_t) + +dev_read_urand(telepathy_salut_t) + +files_read_etc_files(telepathy_salut_t) + +sysnet_read_config(telepathy_salut_t) + +optional_policy(` + dbus_system_bus_client(telepathy_salut_t) + + optional_policy(` + avahi_dbus_chat(telepathy_salut_t) + ') +') + +####################################### +# +# Telepathy Sofiasip local policy. +# + +allow telepathy_sofiasip_t self:netlink_route_socket create_netlink_socket_perms; +allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen }; +allow telepathy_sofiasip_t self:tcp_socket { listen }; + +corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t) +corenet_tcp_connect_sip_port(telepathy_sofiasip_t) + +dev_read_urand(telepathy_sofiasip_t) + +kernel_request_load_module(telepathy_sofiasip_t) + +sysnet_read_config(telepathy_sofiasip_t) + +####################################### +# +# Telepathy Sunshine local policy. +# + +manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t) +exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t) +files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file) + +corecmd_list_bin(telepathy_sunshine_t) + +dev_read_urand(telepathy_sunshine_t) + +files_read_etc_files(telepathy_sunshine_t) +files_read_usr_files(telepathy_sunshine_t) + +kernel_read_system_state(telepathy_sunshine_t) + +optional_policy(` + xserver_read_xdm_pid(telepathy_sunshine_t) + xserver_stream_connect(telepathy_sunshine_t) +') + +####################################### +# +# telepathy domains common policy +# + +allow telepathy_domain self:process { getsched signal }; +allow telepathy_domain self:fifo_file rw_fifo_file_perms; +allow telepathy_domain self:tcp_socket create_socket_perms; +allow telepathy_domain self:udp_socket create_socket_perms; + +corenet_all_recvfrom_netlabel(telepathy_domain) +corenet_all_recvfrom_unlabeled(telepathy_domain) +corenet_raw_bind_generic_node(telepathy_domain) +corenet_raw_sendrecv_generic_if(telepathy_domain) +corenet_raw_sendrecv_generic_node(telepathy_domain) +corenet_tcp_bind_generic_node(telepathy_domain) +corenet_tcp_sendrecv_generic_if(telepathy_domain) +corenet_tcp_sendrecv_generic_node(telepathy_domain) +corenet_udp_bind_generic_node(telepathy_domain) + +fs_search_auto_mountpoints(telepathy_domain) + +miscfiles_read_localization(telepathy_domain) + +# This interface does not facilitate files_search_tmp which appears to be a bug. +userdom_stream_connect(telepathy_domain) +userdom_use_user_terminals(telepathy_domain) + +tunable_policy(`telepathy_tcp_connect_generic_network_ports', ` + corenet_tcp_connect_generic_port(telepathy_domain) + corenet_sendrecv_generic_client_packets(telepathy_domain) +') + +optional_policy(` + automount_dontaudit_getattr_tmp_dirs(telepathy_domain) +') + +optional_policy(` + nis_use_ypbind(telepathy_domain) +') + +optional_policy(` + telepathy_dbus_chat(telepathy_domain) +') + +optional_policy(` + xserver_rw_xdm_pipes(telepathy_domain) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.fc serefpolicy-3.8.8/policy/modules/apps/userhelper.fc --- nsaserefpolicy/policy/modules/apps/userhelper.fc 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/userhelper.fc 2010-07-30 14:06:53.000000000 -0400 @@ -7,3 +7,4 @@ # /usr # /usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) +/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.8.8/policy/modules/apps/userhelper.if --- nsaserefpolicy/policy/modules/apps/userhelper.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/userhelper.if 2010-07-30 14:06:53.000000000 -0400 @@ -25,6 +25,7 @@ gen_require(` attribute userhelper_type; type userhelper_exec_t, userhelper_conf_t; + class dbus send_msg; ') ######################################## @@ -245,7 +246,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -256,3 +257,58 @@ can_exec($1, userhelper_exec_t) ') + +####################################### +## +## The role template for the consolehelper module. +## +## +##

+## This template creates a derived domains which are used +## for consolehelper applications. +##

+## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +template(`userhelper_console_role_template',` + gen_require(` + type consolehelper_exec_t; + attribute consolehelper_domain; + class dbus send_msg; + ') + type $1_consolehelper_t, consolehelper_domain; + domain_type($1_consolehelper_t) + domain_entry_file($1_consolehelper_t, consolehelper_exec_t) + role $2 types $1_consolehelper_t; + + domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t) + + allow $3 $1_consolehelper_t:dbus send_msg; + allow $1_consolehelper_t $3:dbus send_msg; + + auth_use_pam($1_consolehelper_t) + + optional_policy(` + shutdown_run($1_consolehelper_t, $2) + shutdown_send_sigchld($3) + ') + + optional_policy(` + xserver_read_xdm_pid($1_consolehelper_t) + ') +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.te serefpolicy-3.8.8/policy/modules/apps/userhelper.te --- nsaserefpolicy/policy/modules/apps/userhelper.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/userhelper.te 2010-07-30 14:06:53.000000000 -0400 @@ -6,9 +6,51 @@ # attribute userhelper_type; +attribute consolehelper_domain; type userhelper_conf_t; files_type(userhelper_conf_t) type userhelper_exec_t; application_executable_file(userhelper_exec_t) + +type consolehelper_exec_t; +application_executable_file(consolehelper_exec_t) + +######################################## +# +# consolehelper local policy +# + +allow consolehelper_domain self:capability { setgid setuid }; + +dontaudit consolehelper_domain userhelper_conf_t:file write; +read_files_pattern(consolehelper_domain, userhelper_conf_t, userhelper_conf_t) + +# Init script handling +domain_use_interactive_fds(consolehelper_domain) + +# internal communication is often done using fifo and unix sockets. +allow consolehelper_domain self:fifo_file rw_fifo_file_perms; +allow consolehelper_domain self:unix_stream_socket create_stream_socket_perms; + +kernel_read_kernel_sysctls(consolehelper_domain) + +corecmd_exec_bin(consolehelper_domain) + +files_read_etc_files(consolehelper_domain) + +auth_search_pam_console_data(consolehelper_domain) + +init_read_utmp(consolehelper_domain) + +miscfiles_read_localization(consolehelper_domain) + +userhelper_exec(consolehelper_domain) + +userdom_use_user_ptys(consolehelper_domain) +userdom_use_user_ttys(consolehelper_domain) + +optional_policy(` + xserver_stream_connect(consolehelper_domain) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.8.8/policy/modules/apps/vmware.fc --- nsaserefpolicy/policy/modules/apps/vmware.fc 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/vmware.fc 2010-08-13 14:51:09.000000000 -0400 @@ -66,5 +66,6 @@ /var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) /var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0) +/var/run/vmnet.* gen_context(system_u:object_r:vmware_var_run_t,s0) /var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) /var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.8.8/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/vmware.te 2010-07-30 14:06:53.000000000 -0400 @@ -126,6 +126,7 @@ dev_read_sysfs(vmware_host_t) dev_read_urand(vmware_host_t) dev_rw_vmware(vmware_host_t) +dev_rw_generic_chr_files(vmware_host_t) domain_use_interactive_fds(vmware_host_t) domain_dontaudit_read_all_domains_state(vmware_host_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.if serefpolicy-3.8.8/policy/modules/apps/webalizer.if --- nsaserefpolicy/policy/modules/apps/webalizer.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/webalizer.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -25,7 +25,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.8.8/policy/modules/apps/wine.fc --- nsaserefpolicy/policy/modules/apps/wine.fc 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/wine.fc 2010-07-30 14:06:53.000000000 -0400 @@ -2,6 +2,7 @@ /opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/Picasa3/.*exe -- gen_context(system_u:object_r:wine_exec_t,s0) /opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) /opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) /opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.8.8/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/wine.if 2010-08-05 17:18:31.000000000 -0400 @@ -29,12 +29,16 @@ # template(`wine_role',` gen_require(` + type wine_t; + type wine_home_t; type wine_exec_t; ') role $1 types wine_t; domain_auto_trans($2, wine_exec_t, wine_t) + # Unrestricted inheritance from the caller. + allow $2 wine_t:process { noatsecure siginh rlimitinh }; allow wine_t $2:fd use; allow wine_t $2:process { sigchld signull }; allow wine_t $2:unix_stream_socket connectto; @@ -86,6 +90,7 @@ # template(`wine_role_template',` gen_require(` + type wine_t; type wine_exec_t; ') @@ -101,9 +106,16 @@ corecmd_bin_domtrans($1_wine_t, $1_t) userdom_unpriv_usertype($1, $1_wine_t) - userdom_manage_user_tmpfs_files($1_wine_t) + userdom_manage_tmpfs_role($2, $1_wine_t) + + domain_mmap_low_type($1_wine_t) + tunable_policy(`mmap_low_allowed',` + allow $1_wine_t self:memprotect mmap_zero; + ') - domain_mmap_low($1_wine_t) + tunable_policy(`wine_mmap_zero_ignore',` + dontaudit $1_wine_t self:memprotect mmap_zero; + ') optional_policy(` xserver_role($1_r, $1_wine_t) @@ -136,7 +148,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.8.8/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/wine.te 2010-07-30 14:06:53.000000000 -0400 @@ -1,5 +1,13 @@ policy_module(wine, 1.7.1) +## +##

+## Ignore wine mmap_zero errors +##

+## +# +gen_tunable(wine_mmap_zero_ignore, false) + ######################################## # # Declarations @@ -29,7 +37,13 @@ manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) files_tmp_filetrans(wine_t, wine_tmp_t, { file dir }) -domain_mmap_low(wine_t) +domain_mmap_low_type(wine_t) +tunable_policy(`mmap_low_allowed',` + allow wine_t self:memprotect mmap_zero; +') +tunable_policy(`wine_mmap_zero_ignore',` + dontaudit wine_t self:memprotect mmap_zero; +') files_execmod_all_files(wine_t) @@ -40,7 +54,11 @@ ') optional_policy(` - unconfined_domain_noaudit(wine_t) + policykit_dbus_chat(wine_t) +') + +optional_policy(` + unconfined_domain(wine_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshark.te serefpolicy-3.8.8/policy/modules/apps/wireshark.te --- nsaserefpolicy/policy/modules/apps/wireshark.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/wireshark.te 2010-07-30 14:06:53.000000000 -0400 @@ -15,6 +15,7 @@ type wireshark_home_t; typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t }; typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t }; +files_poly_member(wireshark_home_t) userdom_user_home_content(wireshark_home_t) type wireshark_tmp_t; @@ -70,6 +71,8 @@ kernel_read_system_state(wireshark_t) kernel_read_sysctl(wireshark_t) +corecmd_search_bin(wireshark_t) + corenet_tcp_connect_generic_port(wireshark_t) corenet_tcp_sendrecv_generic_if(wireshark_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.8.8/policy/modules/apps/wm.if --- nsaserefpolicy/policy/modules/apps/wm.if 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/wm.if 2010-07-30 14:06:53.000000000 -0400 @@ -75,6 +75,10 @@ miscfiles_read_fonts($1_wm_t) miscfiles_read_localization($1_wm_t) + userdom_manage_home_role($2, $1_wm_t) + userdom_manage_tmpfs_role($2, $1_wm_t) + userdom_manage_tmp_role($2, $1_wm_t) + optional_policy(` dbus_system_bus_client($1_wm_t) dbus_session_bus_client($1_wm_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc 2010-08-19 06:39:36.000000000 -0400 @@ -9,8 +9,10 @@ /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) +/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) +/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0) # @@ -101,6 +103,9 @@ /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/pki/tls/certs/make-dummy-cert -- gen_context(system_u:object_r:bin_t,s0) +/etc/pki/tls/misc(/.*)? -- gen_context(system_u:object_r:bin_t,s0) + /etc/profile.d(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0) /etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -126,6 +131,7 @@ /lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0) /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) ') +/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) # # /sbin @@ -145,6 +151,10 @@ /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) + ifdef(`distro_gentoo',` /opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) /opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -169,6 +179,7 @@ /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -220,6 +231,7 @@ /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/dayplanner/dayplanner -- gen_context(system_u:object_r:bin_t,s0) /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -228,6 +240,8 @@ /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) @@ -314,6 +328,7 @@ /usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/texmf/texconfig/tcfmgr -- gen_context(system_u:object_r:bin_t,s0) ') ifdef(`distro_suse', ` @@ -340,3 +355,27 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') +/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) +/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) + +/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0) + +/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/usr/lib/wicd/monitor.py -- gen_context(system_u:object_r:bin_t, s0) + +/usr/lib(64)?/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.8.8/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.if 2010-07-30 14:06:53.000000000 -0400 @@ -931,6 +931,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) can_exec($1, chroot_exec_t) + allow $1 self:capability sys_chroot; ') ######################################## @@ -1030,6 +1031,7 @@ type bin_t; ') + manage_dirs_pattern($1, bin_t, exec_type) manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.fc serefpolicy-3.8.8/policy/modules/kernel/corenetwork.fc --- nsaserefpolicy/policy/modules/kernel/corenetwork.fc 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/corenetwork.fc 2010-07-30 14:06:53.000000000 -0400 @@ -5,3 +5,6 @@ /dev/tap.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) /dev/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) + +/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) +/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.8.8/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/corenetwork.te.in 2010-08-04 13:10:54.000000000 -0400 @@ -24,6 +24,7 @@ # type tun_tap_device_t; dev_node(tun_tap_device_t) +mls_trusted_object(tun_tap_device_t) ######################################## # @@ -64,6 +65,7 @@ type server_packet_t, packet_type, server_packet_type; network_port(afs_bos, udp,7007,s0) +network_port(afs_client, udp,7001,s0) network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) network_port(afs_pt, udp,7002,s0) @@ -72,12 +74,15 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) +network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0) network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) network_port(apcupsd, tcp,3551,s0, udp,3551,s0) +network_port(apertus_ldp, tcp,539,s0, udp,539,s0) network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0) network_port(audit, tcp,60,s0) network_port(auth, tcp,113,s0) network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) +network_port(boinc, tcp,31416,s0) type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict network_port(certmaster, tcp,51235,s0) network_port(chronyd, udp,323,s0) @@ -85,6 +90,7 @@ network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0) network_port(cobbler, tcp,25151,s0) +network_port(commplex, tcp,5000,s0, udp,5000,s0, tcp,5001,s0, udp,5001,s0) network_port(comsat, udp,512,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) @@ -97,7 +103,9 @@ network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) network_port(epmap, tcp,135,s0, udp,135,s0) +network_port(festival, tcp,1314,s0) network_port(fingerd, tcp,79,s0) +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) @@ -124,29 +132,32 @@ network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) +network_port(kerberos_admin, tcp,749,s0) network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) +network_port(kerberos_password, tcp,464,s0, udp,464,s0) network_port(kismet, tcp,2501,s0) network_port(kprop, tcp,754,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) network_port(lirc, tcp,8765,s0) +network_port(luci, tcp,8084,s0) network_port(lmtp, tcp,24,s0, udp,24,s0) type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon network_port(mail, tcp,2000,s0, tcp,3905,s0) network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) +network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) -network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0) +network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(munin, tcp,4949,s0, udp,4949,s0) -network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63163,s0) +network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) network_port(nmbd, udp,137,s0, udp,138,s0) -network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0) +network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) network_port(ntp, udp,123,s0) network_port(ocsp, tcp,9080,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) @@ -154,12 +165,20 @@ network_port(pegasus_https, tcp,5989,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) +network_port(piranha, tcp,3636,s0) +network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0) +network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0) +network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0) +network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0) +network_port(pki_ra, tcp,12888-12889,s0) +network_port(pki_tps, tcp,7888-7889,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) network_port(postgrey, tcp,60000,s0) network_port(prelude, tcp,4690,s0, udp,4690,s0) +network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) @@ -174,24 +193,27 @@ network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) -network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0) +network_port(router, udp,520-521,s0, tcp,521,s0) network_port(rsh, tcp,514,s0) network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) network_port(sieve, tcp,4190,s0) -network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0) +network_port(sip, tcp,5060-5061,s0, udp,5060-5061,s0) +network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) -network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0) +network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0) type socks_port_t, port_type; dnl network_port(socks) # no defined portcon network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) network_port(spamd, tcp,783,s0) network_port(speech, tcp,8036,s0) network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp network_port(ssh, tcp,22,s0) +network_port(streaming, tcp, 1755, s0, udp, 1755, s0) type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict network_port(swat, tcp,901,s0) +network_port(sype, tcp,9911,s0, udp,9911,s0) network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -201,16 +223,17 @@ network_port(ups, tcp,3493,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) -network_port(varnishd, tcp,6081,s0, tcp,6082,s0) +network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) -network_port(vnc, tcp,5900,s0) +network_port(vnc, tcp,5900-5999,s0) network_port(wccp, udp,2048,s0) network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -network_port(xserver, tcp,6000-6020,s0) +network_port(xserver, tcp,6000-6150,s0) +network_port(zarafa, tcp,236,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) network_port(zope, tcp,8021,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.8.8/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/devices.fc 2010-07-30 14:06:53.000000000 -0400 @@ -176,13 +176,12 @@ /etc/udev/devices -d gen_context(system_u:object_r:device_t,s0) -/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0) +/lib/udev/devices(/.*) gen_context(system_u:object_r:device_t,s0) -ifdef(`distro_gentoo',` # used by init scripts to initally populate udev /dev +/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) -') ifdef(`distro_redhat',` # originally from named.fc @@ -191,3 +190,8 @@ /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') + +# +# /sys +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.8/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/devices.if 2010-08-16 07:06:37.000000000 -0400 @@ -461,6 +461,24 @@ ######################################## ## +## Allow relablefrom for generic character device files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_relabelfrom_generic_chr_files',` + gen_require(` + type device_t; + ') + + allow $1 device_t:chr_file relabelfrom; +') + +######################################## +## ## Dontaudit getattr for generic character device files. ## ## @@ -497,6 +515,24 @@ ######################################## ## +## Read generic character device files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_generic_chr_files',` + gen_require(` + type device_t; + ') + + allow $1 device_t:chr_file read_chr_file_perms; +') + +######################################## +## ## Read and write generic character device files. ## ## @@ -606,6 +642,24 @@ ######################################## ## +## Read symbolic links in device directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_generic_symlinks',` + gen_require(` + type device_t; + ') + + allow $1 device_t:lnk_file read_lnk_file_perms; +') + +######################################## +## ## Create, delete, read, and write symbolic links in device directories. ## ## @@ -1015,6 +1069,42 @@ ######################################## ## +## rw all inherited character device files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_all_inherited_chr_files',` + gen_require(` + attribute device_node; + ') + + allow $1 device_node:chr_file rw_inherited_chr_file_perms; +') + +######################################## +## +## rw all inherited blk device files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_all_inherited_blk_files',` + gen_require(` + attribute device_node; + ') + + allow $1 device_node:blk_file rw_inherited_blk_file_perms; +') + +######################################## +## ## Delete all block device files. ## ## @@ -1277,6 +1367,24 @@ ######################################## ## +## Relable the autofs device node. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_relabel_autofs_dev',` + gen_require(` + type autofs_device_t; + ') + + allow $1 autofs_device_t:chr_file relabel_chr_file_perms; +') + +######################################## +## ## Do not audit attempts to get the attributes of ## the autofs device node. ## @@ -3540,6 +3648,24 @@ ######################################## ## +## Associate a file to a sysfs filesystem. +## +## +## +## The type of the file to be associated to sysfs. +## +## +# +interface(`dev_associate_sysfs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:filesystem associate; +') + +######################################## +## ## Get the attributes of sysfs directories. ## ## @@ -3851,6 +3977,24 @@ ######################################## ## +## Write USB monitor devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_write_usbmon_dev',` + gen_require(` + type device_t, usbmon_device_t; + ') + + write_chr_files_pattern($1, device_t, usbmon_device_t) +') + +######################################## +## ## Mount a usbfs filesystem. ## ## @@ -4161,11 +4305,10 @@ # interface(`dev_rw_vhost',` gen_require(` - type vhost_device_t; + type device_t, vhost_device_t; ') - list_dirs_pattern($1, vhost_device_t, vhost_device_t) - rw_files_pattern($1, vhost_device_t, vhost_device_t) + rw_chr_files_pattern($1, device_t, vhost_device_t) ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.8.8/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/devices.te 2010-07-30 14:06:53.000000000 -0400 @@ -100,6 +100,7 @@ # type kvm_device_t; dev_node(kvm_device_t) +mls_trusted_object(kvm_device_t) # # Type for /dev/lirc @@ -300,5 +301,5 @@ # allow devices_unconfined_type self:capability sys_rawio; -allow devices_unconfined_type device_node:{ blk_file chr_file } *; +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.8.8/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/domain.if 2010-07-30 14:06:53.000000000 -0400 @@ -611,7 +611,7 @@ ######################################## ## -## Get the attributes of all domains of all domains. +## Get the attributes of all domains. ## ## ## @@ -630,7 +630,7 @@ ######################################## ## -## Get the attributes of all domains of all domains. +## Dontaudit geting the attributes of all domains. ## ## ## @@ -1372,13 +1372,11 @@ ## ## # -interface(`domain_mmap_low',` +interface(`domain_mmap_low_type',` gen_require(` attribute mmap_low_domain_type; ') - allow $1 self:memprotect mmap_zero; - typeattribute $1 mmap_low_domain_type; ') @@ -1445,3 +1443,22 @@ typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; ') + +######################################## +## +## Do not audit attempts to read or write +## all leaked sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`domain_dontaudit_leaks',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:socket_class_set { read write }; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.8.8/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/domain.te 2010-07-30 14:06:53.000000000 -0400 @@ -4,6 +4,21 @@ # # Declarations # +## +##

+## Allow all domains to use other domains file descriptors +##

+## +# +gen_tunable(allow_domain_fd_use, true) + +## +##

+## Allow all domains to have the kernel load modules +##

+## +# +gen_tunable(domain_kernel_load_modules, false) # Mark process types as domains attribute domain; @@ -79,14 +94,17 @@ allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; kernel_read_proc_symlinks(domain) +kernel_read_crypto_sysctls(domain) + # Every domain gets the key ring, so we should default # to no one allowed to look at it; afs kernel support creates # a keyring kernel_dontaudit_search_key(domain) kernel_dontaudit_link_key(domain) +kernel_dontaudit_search_debugfs(domain) # create child processes in the domain -allow domain self:process { fork sigchld }; +allow domain self:process { fork getsched sigchld }; # Use trusted objects in /dev dev_rw_null(domain) @@ -96,6 +114,13 @@ # list the root directory files_list_root(domain) +# All executables should be able to search the directory they are in +corecmd_search_bin(domain) + +tunable_policy(`domain_kernel_load_modules',` + kernel_request_load_module(domain) +') + tunable_policy(`global_ssp',` # enable reading of urandom for all domains: # this should be enabled when all programs @@ -105,8 +130,13 @@ ') optional_policy(` + afs_rw_cache(domain) +') + +optional_policy(` libs_use_ld_so(domain) libs_use_shared_libs(domain) + libs_read_lib_files(domain) ') optional_policy(` @@ -117,6 +147,8 @@ optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) + xserver_dontaudit_append_xdm_home_files(domain) + xserver_dontaudit_write_log(domain) ') ######################################## @@ -135,6 +167,8 @@ allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; +allow unconfined_domain_type unconfined_domain_type:dbus send_msg; + # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; @@ -152,3 +186,77 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) + +selinux_getattr_fs(domain) +selinux_search_fs(domain) +selinux_dontaudit_read_fs(domain) + +seutil_dontaudit_read_config(domain) + +init_sigchld(domain) +init_signull(domain) + +ifdef(`distro_redhat',` + files_search_mnt(domain) + optional_policy(` + unconfined_use_fds(domain) + ') +') + +# these seem questionable: + +optional_policy(` + abrt_domtrans_helper(domain) + abrt_read_pid_files(domain) + abrt_read_state(domain) + abrt_signull(domain) + abrt_stream_connect(domain) +') + +optional_policy(` + rpm_use_fds(domain) + rpm_read_pipes(domain) + rpm_search_log(domain) + rpm_append_tmp_files(domain) + rpm_dontaudit_leaks(domain) + rpm_read_script_tmp_files(domain) + rpm_inherited_fifo(domain) +') + +optional_policy(` + sosreport_append_tmp_files(domain) +') + +tunable_policy(`allow_domain_fd_use',` + # Allow all domains to use fds past to them + allow domain domain:fd use; +') + +optional_policy(` + cron_dontaudit_write_system_job_tmp_files(domain) + cron_rw_pipes(domain) + cron_rw_system_job_pipes(domain) +') + +ifdef(`hide_broken_symptoms',` + dontaudit domain self:udp_socket listen; + allow domain domain:key { link search }; +') + +optional_policy(` + ifdef(`hide_broken_symptoms',` + afs_rw_udp_sockets(domain) + ') +') + +optional_policy(` + ssh_rw_pipes(domain) +') + +optional_policy(` + unconfined_dontaudit_rw_pipes(domain) + unconfined_sigchld(domain) +') + +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.8.8/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/files.fc 2010-07-30 14:06:53.000000000 -0400 @@ -18,6 +18,7 @@ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) /poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0) +/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0) ') ifdef(`distro_suse',` @@ -64,6 +65,13 @@ /etc/reader\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) + + /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) /etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -74,7 +82,8 @@ /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0) + +/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) ifdef(`distro_gentoo', ` /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -95,7 +104,7 @@ # HOME_ROOT # expanded by genhomedircon # -HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh) +HOME_ROOT gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh) HOME_ROOT/\.journal <> HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) HOME_ROOT/lost\+found/.* <> @@ -159,6 +168,12 @@ /proc -d <> /proc/.* <> +ifdef(`distro_redhat',` +/rhev -d gen_context(system_u:object_r:mnt_t,s0) +/rhev(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) +/rhev/[^/]*/.* <> +') + # # /selinux # @@ -172,12 +187,6 @@ /srv/.* gen_context(system_u:object_r:var_t,s0) # -# /sys -# -/sys -d <> -/sys/.* <> - -# # /tmp # /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) @@ -217,7 +226,6 @@ ifndef(`distro_redhat',` /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) - /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') @@ -233,6 +241,8 @@ /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) +/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) + /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> @@ -249,7 +259,7 @@ /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) -/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) +/var/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> @@ -258,3 +268,5 @@ ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.8.8/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/files.if 2010-08-11 09:28:41.000000000 -0400 @@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) - # this is only relabelfrom since there should be no - # device nodes with file types. - relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) - relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) # satisfy the assertions: seutil_relabelto_bin_policy($1) @@ -1446,6 +1444,24 @@ ######################################## ## +## Write all mount points. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_write_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') + + allow $1 mountpoint:dir write; +') + +######################################## +## ## List the contents of the root directory. ## ## @@ -2435,6 +2451,24 @@ ######################################## ## +## Remove entries from the etc directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_etc_dir_entry',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:dir del_entry_dir_perms; +') + +######################################## +## ## Execute generic files in /etc. ## ## @@ -3086,6 +3120,7 @@ ') allow $1 home_root_t:dir getattr; + allow $1 home_root_t:lnk_file getattr; ') ######################################## @@ -3106,6 +3141,7 @@ ') dontaudit $1 home_root_t:dir getattr; + dontaudit $1 home_root_t:lnk_file getattr; ') ######################################## @@ -3347,6 +3383,24 @@ allow $1 mnt_t:dir list_dir_perms; ') +###################################### +## +## dontaudit List the contents of /mnt. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_dontaudit_list_mnt',` + gen_require(` + type mnt_t; + ') + + dontaudit $1 mnt_t:dir list_dir_perms; +') + ######################################## ## ## Mount a filesystem on /mnt. @@ -3420,6 +3474,24 @@ read_files_pattern($1, mnt_t, mnt_t) ') +###################################### +## +## Read symbolic links in /mnt. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_read_mnt_symlinks',` + gen_require(` + type mnt_t; + ') + + read_lnk_files_pattern($1, mnt_t, mnt_t) +') + ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. @@ -3711,6 +3783,82 @@ allow $1 readable_t:sock_file read_sock_file_perms; ') +####################################### +## +## Read manageable system configuration files in /etc +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_read_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') + + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1, etc_t, system_conf_t) + read_lnk_files_pattern($1, etc_t, system_conf_t) +') + +###################################### +## +## Manage manageable system configuration files in /etc. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') + + manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t) +') + +###################################### +## +## Relabel manageable system configuration files in /etc. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabelto_system_conf_files',` + gen_require(` + type usr_t; + ') + + relabelto_files_pattern($1, system_conf_t, system_conf_t) +') + +################################### +## +## Create files in /etc with the type used for +## the manageable system config files. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`files_etc_filetrans_system_conf',` + gen_require(` + type etc_t, system_conf_t; + ') + + filetrans_pattern($1, etc_t, system_conf_t, file) +') + ######################################## ## ## Allow the specified type to associate @@ -3896,6 +4044,32 @@ ######################################## ## +## Allow shared library text relocations in tmp files. +## +## +##

+## Allow shared library text relocations in tmp files. +##

+##

+## This is added to support java policy. +##

+## +## +## +## Domain allowed access. +## +## +# +interface(`files_execmod_tmp',` + gen_require(` + attribute tmpfile; + ') + + allow $1 tmpfile:file execmod; +') + +######################################## +## ## Manage temporary files and directories in /tmp. ## ## @@ -4109,6 +4283,13 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) + files_delete_isid_type_dirs($1) + files_delete_isid_type_files($1) + files_delete_isid_type_symlinks($1) + files_delete_isid_type_fifo_files($1) + files_delete_isid_type_sock_files($1) + files_delete_isid_type_blk_files($1) + files_delete_isid_type_chr_files($1) ') ######################################## @@ -5298,6 +5479,43 @@ search_dirs_pattern($1, var_t, var_run_t) ') +###################################### +## +## Add and remove entries from pid directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_rw_pid_dirs',` + gen_require(` + type var_run_t; + ') + + allow $1 var_run_t:dir rw_dir_perms; +') + +####################################### +## +## Create generic pid directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_var_run_dirs',` + gen_require(` + type var_t, var_run_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:dir create_dir_perms; +') + ######################################## ## ## Do not audit attempts to search @@ -5505,6 +5723,26 @@ ######################################## ## +## manage all pidfile directories +## in the /var/run directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_all_pids_dirs',` + gen_require(` + attribute pidfile; + ') + + manage_dirs_pattern($1,pidfile,pidfile) +') + + +######################################## +## ## Read all process ID files. ## ## @@ -5522,6 +5760,7 @@ list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) + read_lnk_files_pattern($1, pidfile, pidfile) ') ######################################## @@ -5807,3 +6046,229 @@ typeattribute $1 files_unconfined_type; ') + +######################################## +## +## Create a core files in / +## +## +##

+## Create a core file in /, +##

+## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_manage_root_files',` + gen_require(` + type root_t; + ') + + manage_files_pattern($1, root_t, root_t) +') + +######################################## +## +## Create a default directory +## +## +##

+## Create a default_t direcrory +##

+## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_create_default_dir',` + gen_require(` + type default_t; + ') + + allow $1 default_t:dir create; +') + +######################################## +## +## Create, default_t objects with an automatic +## type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The class of the object being created. +## +## +# +interface(`files_root_filetrans_default',` + gen_require(` + type root_t, default_t; + ') + + filetrans_pattern($1, root_t, default_t, $2) +') + +######################################## +## +## manage generic symbolic links +## in the /var/run directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_generic_pids_symlinks',` + gen_require(` + type var_run_t; + ') + + manage_lnk_files_pattern($1,var_run_t,var_run_t) +') + +######################################## +## +## Do not audit attempts to getattr +## all tmpfs files. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_getattr_tmpfs_files',` + gen_require(` + attribute tmpfsfile; + ') + + allow $1 tmpfsfile:file getattr; +') + +######################################## +## +## Do not audit attempts to read security files +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_read_security_files',` + gen_require(` + attribute security_file_type; + ') + + dontaudit $1 security_file_type:file read_file_perms; +') + +######################################## +## +## rw any files inherited from another process +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_rw_all_inherited_files',` + gen_require(` + attribute file_type; + ') + + allow $1 { file_type $2 }:file rw_inherited_file_perms; + allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; + allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; + allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms; +') + +######################################## +## +## Allow any file point to be the entrypoint of this domain +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_entrypoint_all_files',` + gen_require(` + attribute file_type; + ') + allow $1 file_type:file entrypoint; +') + +######################################## +## +## Do not audit attempts to rw inherited file perms +## of non security files. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_all_non_security_leaks',` + gen_require(` + attribute non_security_file_type; + ') + + dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; +') + +######################################## +## +## Do not audit attempts to read or write +## all leaked files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_dontaudit_leaks',` + gen_require(` + attribute file_type; + ') + + dontaudit $1 file_type:file rw_inherited_file_perms; + dontaudit $1 file_type:lnk_file { read }; +') + +######################################## +## +## Allow domain to create_file_ass all types +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_as_is_all_files',` + gen_require(` + attribute file_type; + class kernel_service create_files_as; + ') + + allow $1 file_type:kernel_service create_files_as; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.8.8/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/files.te 2010-07-30 14:06:53.000000000 -0400 @@ -11,6 +11,7 @@ attribute mountpoint; attribute pidfile; attribute configfile; +attribute etcfile; # For labeling types that are to be polyinstantiated attribute polydir; @@ -58,12 +59,21 @@ typealias etc_t alias automount_etc_t; typealias etc_t alias snmpd_etc_t; +# system_conf_t is a new type of various +# files in /etc/ that can be managed and +# created by several domains. +# +type system_conf_t, configfile; +files_type(system_conf_t) +# compatibility aliases for removed type: +typealias system_conf_t alias iptables_conf_t; + # # etc_runtime_t is the type of various # files in /etc that are automatically # generated during initialization. # -type etc_runtime_t; +type etc_runtime_t, configfile; files_type(etc_runtime_t) #Temporarily in policy until FC5 dissappears typealias etc_runtime_t alias firstboot_rw_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.8.8/policy/modules/kernel/filesystem.fc --- nsaserefpolicy/policy/modules/kernel/filesystem.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,3 +1,3 @@ /dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) -/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) +/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.8.8/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if 2010-08-13 10:09:00.000000000 -0400 @@ -1233,7 +1233,7 @@ type cifs_t; ') - dontaudit $1 cifs_t:file rw_file_perms; + dontaudit $1 cifs_t:file rw_inherited_file_perms; ') ######################################## @@ -1496,6 +1496,25 @@ domain_auto_transition_pattern($1, cifs_t, $2) ') +######################################## +## +## Make general progams in cifs an entrypoint for +## the specified domain. +## +## +## +## The domain for which cifs_t is an entrypoint. +## +## +# +interface(`fs_cifs_entry_type',` + gen_require(` + type cifs_t; + ') + + domain_entry_file($1, cifs_t) +') + ####################################### ## ## Create, read, write, and delete dirs @@ -1923,7 +1942,26 @@ ######################################## ## -## Read and write hugetlbfs files. +## Get the attributes of an hugetlbfs +## filesystem; +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_getattr_hugetlbfs',` + gen_require(` + type hugetlbfs_t; + ') + + allow $1 hugetlbfs_t:filesystem getattr; +') + +######################################## +## +## R/W hugetlbfs files. ## ## ## @@ -1938,6 +1976,41 @@ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') +######################################## +## +## Manage hugetlbfs dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_manage_hugetlbfs_dirs',` + gen_require(` + type hugetlbfs_t; + ') + + manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) +') + +######################################## +## +## List hugetlbfs dirs +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_list_hugetlbfs',` + gen_require(` + type hugetlbfs_t; + ') + + allow $1 hugetlbfs_t:dir list_dir_perms; +') ######################################## ## @@ -1991,6 +2064,7 @@ ') allow $1 inotifyfs_t:dir list_dir_perms; + fs_read_anon_inodefs_files($1) ') ######################################## @@ -2387,6 +2461,25 @@ ######################################## ## +## Make general progams in nfs an entrypoint for +## the specified domain. +## +## +## +## The domain for which nfs_t is an entrypoint. +## +## +# +interface(`fs_nfs_entry_type',` + gen_require(` + type nfs_t; + ') + + domain_entry_file($1, nfs_t) +') + +######################################## +## ## Append files ## on a NFS filesystem. ## @@ -2441,7 +2534,7 @@ type nfs_t; ') - dontaudit $1 nfs_t:file rw_file_perms; + dontaudit $1 nfs_t:file rw_inherited_file_perms; ') ######################################## @@ -2629,6 +2722,24 @@ ######################################## ## +## Do not audit attempts to write removable storage files. +## +## +## +## Domain not to audit. +## +## +# +interface(`fs_dontaudit_write_removable_files',` + gen_require(` + type removable_t; + ') + + dontaudit $1 removable_t:file write_file_perms; +') + +######################################## +## ## Read removable storage symbolic links. ## ## @@ -2837,7 +2948,7 @@ ######################################### ## ## Create, read, write, and delete symbolic links -## on a CIFS or SMB network filesystem. +## on a NFS network filesystem. ## ## ## @@ -3962,6 +4073,24 @@ ######################################## ## +## dontaudit Read and write block nodes on tmpfs filesystems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_dontaudit_read_tmpfs_blk_dev',` + gen_require(` + type tmpfs_t; + ') + + dontaudit $1 tmpfs_t:blk_file read_blk_file_perms; +') + +######################################## +## ## Relabel character nodes on tmpfs filesystems. ## ## @@ -4654,3 +4783,24 @@ typeattribute $1 filesystem_unconfined_type; ') + +######################################## +## +## Do not audit attempts to read or write +## all leaked filesystems files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_dontaudit_leaks',` + gen_require(` + attribute filesystem_type; + ') + + dontaudit $1 filesystem_type:file rw_inherited_file_perms; + dontaudit $1 filesystem_type:lnk_file { read }; +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.8.8/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.te 2010-07-30 14:06:53.000000000 -0400 @@ -52,6 +52,7 @@ fs_type(anon_inodefs_t) files_mountpoint(anon_inodefs_t) genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) +mls_trusted_object(anon_inodefs_t) type bdev_t; fs_type(bdev_t) @@ -67,7 +68,7 @@ files_mountpoint(capifs_t) genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) -type cgroup_t; +type cgroup_t alias cgroupfs_t; fs_type(cgroup_t) files_type(cgroup_t) files_mountpoint(cgroup_t) @@ -106,6 +107,15 @@ allow ibmasmfs_t self:filesystem associate; genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0) +# +# infinibandeventfs fs +# + +type infinibandeventfs_t; +fs_type(infinibandeventfs_t) +allow infinibandeventfs_t self:filesystem associate; +genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0) + type inotifyfs_t; fs_type(inotifyfs_t) genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) @@ -248,6 +258,7 @@ type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) +files_type(removable_t) files_mountpoint(removable_t) # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.8.8/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/kernel.if 2010-07-30 14:06:53.000000000 -0400 @@ -1977,7 +1977,7 @@ ') dontaudit $1 sysctl_type:dir list_dir_perms; - dontaudit $1 sysctl_type:file getattr; + dontaudit $1 sysctl_type:file read_file_perms; ') ######################################## @@ -2845,6 +2845,24 @@ ######################################## ## +## Relabel to unlabeled context . +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_relabelto_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:dir_file_class_set relabelto; +') + +######################################## +## ## Unconfined access to kernel module resources. ## ## @@ -2860,3 +2878,23 @@ typeattribute $1 kern_unconfined; ') + +######################################## +## +## Allow the specified domain to connect to +## the kernel with a unix socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_stream_connect',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:unix_stream_socket connectto; +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.8.8/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/kernel.te 2010-07-30 14:06:53.000000000 -0400 @@ -156,6 +156,7 @@ # type unlabeled_t; sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +fs_associate(unlabeled_t) # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -255,7 +256,8 @@ selinux_load_policy(kernel_t) -term_use_console(kernel_t) +term_use_all_terms(kernel_t) +term_use_ptmx(kernel_t) corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) @@ -269,19 +271,29 @@ files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) +files_manage_mounttab(kernel_t) +files_manage_generic_spool_dirs(kernel_t) mcs_process_set_categories(kernel_t) +mcs_file_read_all(kernel_t) +mcs_file_write_all(kernel_t) mls_process_read_up(kernel_t) mls_process_write_down(kernel_t) mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t) +mls_socket_write_all_levels(kernel_t) +mls_fd_share_all_levels(kernel_t) + +logging_manage_generic_logs(kernel_t) ifdef(`distro_redhat',` # Bugzilla 222337 fs_rw_tmpfs_chr_files(kernel_t) ') +userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir }) + optional_policy(` hotplug_search_config(kernel_t) ') @@ -358,6 +370,10 @@ unconfined_domain_noaudit(kernel_t) ') +optional_policy(` + xserver_xdm_manage_spool(kernel_t) +') + ######################################## # # Unlabeled process local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.8.8/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/selinux.if 2010-07-30 14:06:53.000000000 -0400 @@ -40,7 +40,7 @@ # because of this statement, any module which # calls this interface must be in the base module: - genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) +# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) ') ######################################## @@ -202,6 +202,7 @@ type security_t; ') + selinux_dontaudit_getattr_fs($1) dontaudit $1 security_t:dir search_dir_perms; dontaudit $1 security_t:file read_file_perms; ') @@ -223,6 +224,7 @@ type security_t; ') + selinux_get_fs_mount($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; ') @@ -404,6 +406,7 @@ ') allow $1 security_t:dir list_dir_perms; + allow $1 boolean_type:dir list_dir_perms; allow $1 boolean_type:file rw_file_perms; if(!secure_mode_policyload) { @@ -622,3 +625,23 @@ typeattribute $1 selinux_unconfined_type; ') + +######################################## +## +## Generate a file context for a boolean type +## +## +## +## Domain allowed access. +## +## +# +interface(`selinux_genbool',` + gen_require(` + attribute boolean_type; + ') + + type $1, boolean_type; + fs_type($1) + mls_trusted_object($1) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.8.8/policy/modules/kernel/storage.fc --- nsaserefpolicy/policy/modules/kernel/storage.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/storage.fc 2010-07-30 14:06:53.000000000 -0400 @@ -5,7 +5,7 @@ /dev/n?osst[0-3].* -c gen_context(system_u:object_r:tape_device_t,s0) /dev/n?pt[0-9]+ -c gen_context(system_u:object_r:tape_device_t,s0) /dev/n?tpqic[12].* -c gen_context(system_u:object_r:tape_device_t,s0) -/dev/[shmx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/[shmvx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/bsg/.+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0) @@ -77,3 +77,6 @@ /dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0) + +/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.8.8/policy/modules/kernel/storage.if --- nsaserefpolicy/policy/modules/kernel/storage.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/storage.if 2010-08-16 07:00:32.000000000 -0400 @@ -101,6 +101,8 @@ dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; allow $1 fixed_disk_device_t:chr_file read_chr_file_perms; + #577012 + allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms; typeattribute $1 fixed_disk_raw_read; ') @@ -203,6 +205,8 @@ type fixed_disk_device_t; ') + allow $1 self:capability mknod; + allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; dev_add_entry_generic_dirs($1) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.8.8/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/terminal.if 2010-08-03 13:44:23.000000000 -0400 @@ -292,9 +292,11 @@ interface(`term_dontaudit_use_console',` gen_require(` type console_device_t; + type tty_device_t; ') - dontaudit $1 console_device_t:chr_file rw_chr_file_perms; + dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms; + dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms; ') ######################################## @@ -848,7 +850,7 @@ attribute ptynode; ') - dontaudit $1 ptynode:chr_file { rw_term_perms lock append }; + dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append }; ') ######################################## @@ -1215,7 +1217,7 @@ type tty_device_t; ') - dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; + dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms; ') ######################################## @@ -1252,10 +1254,12 @@ interface(`term_dontaudit_getattr_all_ttys',` gen_require(` attribute ttynode; + type tty_device_t; ') dev_list_all_dev_nodes($1) dontaudit $1 ttynode:chr_file getattr; + dontaudit $1 tty_device_t:chr_file getattr; ') ######################################## @@ -1352,7 +1356,7 @@ attribute ttynode; ') - dontaudit $1 ttynode:chr_file rw_chr_file_perms; + dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms; ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.8.8/policy/modules/roles/auditadm.te --- nsaserefpolicy/policy/modules/roles/auditadm.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/roles/auditadm.te 2010-07-30 14:06:53.000000000 -0400 @@ -28,10 +28,13 @@ logging_manage_audit_config(auditadm_t) logging_run_auditctl(auditadm_t, auditadm_r) logging_run_auditd(auditadm_t, auditadm_r) +logging_stream_connect_syslog(auditadm_t) seutil_run_runinit(auditadm_t, auditadm_r) seutil_read_bin_policy(auditadm_t) +userdom_dontaudit_search_admin_dir(auditadm_t) + optional_policy(` consoletype_exec(auditadm_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.8.8/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/roles/guest.te 2010-07-30 14:06:53.000000000 -0400 @@ -14,4 +14,8 @@ # Local policy # -#gen_user(guest_u,, guest_r, s0, s0) +optional_policy(` + apache_role(guest_r, guest_t) +') + +gen_user(guest_u, user, guest_r, s0, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.te serefpolicy-3.8.8/policy/modules/roles/secadm.te --- nsaserefpolicy/policy/modules/roles/secadm.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/roles/secadm.te 2010-07-30 14:06:53.000000000 -0400 @@ -9,6 +9,8 @@ userdom_unpriv_user_template(secadm) userdom_security_admin_template(secadm_t, secadm_r) +userdom_inherit_append_admin_home_files(secadm_t) +userdom_read_admin_home_files(secadm_t) ######################################## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.8.8/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/roles/staff.te 2010-08-19 06:52:30.000000000 -0400 @@ -8,25 +8,60 @@ role staff_r; userdom_unpriv_user_template(staff) +fs_exec_noxattr(staff_t) + +# needed for sandbox +allow staff_t self:process setexec; ######################################## # # Local policy # +kernel_read_ring_buffer(staff_t) +kernel_getattr_core_if(staff_t) +kernel_getattr_message_if(staff_t) +kernel_read_software_raid_state(staff_t) + +auth_domtrans_pam_console(staff_t) + +init_dbus_chat(staff_t) +init_dbus_chat_script(staff_t) + +seutil_read_module_store(staff_t) +seutil_run_newrole(staff_t, staff_r) +netutils_run_ping(staff_t, staff_r) +netutils_signal_ping(staff_t) + optional_policy(` apache_role(staff_r, staff_t) ') optional_policy(` + mozilla_run_plugin(staff_t, staff_r) +') + +ifndef(`distro_redhat',` + +optional_policy(` auth_role(staff_r, staff_t) ') +') optional_policy(` auditadm_role_change(staff_r) ') optional_policy(` + kerneloops_manage_tmp_files(staff_t) +') + +optional_policy(` + logadm_role_change(staff_r) +') + +ifndef(`distro_redhat',` +optional_policy(` bluetooth_role(staff_r, staff_t) ') @@ -94,12 +129,18 @@ oident_manage_user_content(staff_t) oident_relabel_user_content(staff_t) ') +') optional_policy(` postgresql_role(staff_r, staff_t) ') optional_policy(` + rtkit_scheduled(staff_t) +') + +ifndef(`distro_redhat',` +optional_policy(` pyzor_role(staff_r, staff_t) ') @@ -114,22 +155,27 @@ optional_policy(` screen_role_template(staff, staff_r, staff_t) ') +') optional_policy(` secadm_role_change(staff_r) ') +ifndef(`distro_redhat',` optional_policy(` spamassassin_role(staff_r, staff_t) ') +') optional_policy(` ssh_role_template(staff, staff_r, staff_t) ') +ifndef(`distro_redhat',` optional_policy(` su_role_template(staff, staff_r, staff_t) ') +') optional_policy(` sudo_role_template(staff, staff_r, staff_t) @@ -141,6 +187,11 @@ ') optional_policy(` + telepathy_dbus_session_role(staff_r, staff_t) +') + +ifndef(`distro_redhat',` +optional_policy(` thunderbird_role(staff_r, staff_t) ') @@ -164,6 +215,78 @@ wireshark_role(staff_r, staff_t) ') +') + +optional_policy(` + unconfined_role_change(staff_r) +') + +optional_policy(` + webadm_role_change(staff_r) +') + optional_policy(` xserver_role(staff_r, staff_t) ') + +domain_read_all_domains_state(staff_usertype) +domain_getattr_all_domains(staff_usertype) +domain_obj_id_change_exemption(staff_t) + +files_read_kernel_modules(staff_usertype) + +kernel_read_fs_sysctls(staff_usertype) + +modutils_read_module_config(staff_usertype) +modutils_read_module_deps(staff_usertype) + +miscfiles_read_hwdata(staff_usertype) + +term_use_unallocated_ttys(staff_usertype) + +optional_policy(` + accountsd_dbus_chat(staff_t) + accountsd_read_lib_files(staff_t) +') + +optional_policy(` + gnomeclock_dbus_chat(staff_t) +') + +optional_policy(` + firewallgui_dbus_chat(staff_t) +') + +optional_policy(` + lpd_list_spool(staff_t) +') + +optional_policy(` + kerneloops_dbus_chat(staff_t) +') + +optional_policy(` + rpm_dbus_chat(staff_usertype) +') + +optional_policy(` + sandbox_transition(staff_t, staff_r) +') + +optional_policy(` + screen_role_template(staff, staff_r, staff_t) +') + +optional_policy(` + setroubleshoot_stream_connect(staff_t) + setroubleshoot_dbus_chat(staff_t) + setroubleshoot_dbus_chat_fixit(staff_t) +') + +optional_policy(` + virt_stream_connect(staff_t) +') + +optional_policy(` + userhelper_console_role_template(staff, staff_r, staff_usertype) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.8.8/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/roles/sysadm.te 2010-08-18 09:32:07.000000000 -0400 @@ -27,17 +27,30 @@ corecmd_exec_shell(sysadm_t) +domain_dontaudit_read_all_domains_state(sysadm_t) + mls_process_read_up(sysadm_t) +mls_file_read_to_clearance(sysadm_t) +mls_process_write_to_clearance(sysadm_t) ubac_process_exempt(sysadm_t) ubac_file_exempt(sysadm_t) ubac_fd_exempt(sysadm_t) +application_exec(sysadm_t) + init_exec(sysadm_t) +init_exec_script_files(sysadm_t) +init_dbus_chat(sysadm_t) # Add/remove user home directories userdom_manage_user_home_dirs(sysadm_t) userdom_home_filetrans_user_home_dir(sysadm_t) +userdom_manage_user_tmp_dirs(sysadm_t) +userdom_manage_user_tmp_files(sysadm_t) +userdom_manage_user_tmp_symlinks(sysadm_t) +userdom_manage_user_tmp_chr_files(sysadm_t) +userdom_manage_user_tmp_blk_files(sysadm_t) ifdef(`direct_sysadm_daemon',` optional_policy(` @@ -55,6 +68,7 @@ logging_manage_audit_log(sysadm_t) logging_manage_audit_config(sysadm_t) logging_run_auditctl(sysadm_t, sysadm_r) + logging_stream_connect_syslog(sysadm_t) ') tunable_policy(`allow_ptrace',` @@ -69,7 +83,9 @@ apache_run_helper(sysadm_t, sysadm_r) #apache_run_all_scripts(sysadm_t, sysadm_r) #apache_domtrans_sys_script(sysadm_t) - apache_role(sysadm_r, sysadm_t) + ifndef(`distro_redhat',` + apache_role(sysadm_r, sysadm_t) + ') ') optional_policy(` @@ -85,9 +101,11 @@ auditadm_role_change(sysadm_r) ') +ifndef(`distro_redhat',` optional_policy(` auth_role(sysadm_r, sysadm_t) ') +') optional_policy(` backup_run(sysadm_t, sysadm_r) @@ -97,17 +115,25 @@ bind_run_ndc(sysadm_t, sysadm_r) ') +ifndef(`distro_redhat',` optional_policy(` bluetooth_role(sysadm_r, sysadm_t) ') +') optional_policy(` bootloader_run(sysadm_t, sysadm_r) ') +ifndef(`distro_redhat',` optional_policy(` cdrecord_role(sysadm_r, sysadm_t) ') +') + +optional_policy(` + certmonger_dbus_chat(sysadm_t) +') optional_policy(` certwatch_run(sysadm_t, sysadm_r) @@ -125,16 +151,18 @@ consoletype_run(sysadm_t, sysadm_r) ') +ifndef(`distro_redhat',` optional_policy(` cron_admin_role(sysadm_r, sysadm_t) ') optional_policy(` - cvs_exec(sysadm_t) + dbus_role_template(sysadm, sysadm_r, sysadm_t) +') ') optional_policy(` - dbus_role_template(sysadm, sysadm_r, sysadm_t) + daemonstools_run_start(sysadm_t, sysadm_r) ') optional_policy(` @@ -159,9 +187,11 @@ dpkg_run(sysadm_t, sysadm_r) ') +ifndef(`distro_redhat',` optional_policy(` evolution_role(sysadm_r, sysadm_t) ') +') optional_policy(` firstboot_run(sysadm_t, sysadm_r) @@ -171,6 +201,7 @@ fstools_run(sysadm_t, sysadm_r) ') +ifndef(`distro_redhat',` optional_policy(` games_role(sysadm_r, sysadm_t) ') @@ -186,6 +217,7 @@ optional_policy(` gpg_role(sysadm_r, sysadm_t) ') +') optional_policy(` hostname_run(sysadm_t, sysadm_r) @@ -199,6 +231,13 @@ ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) + ipsec_run_setkey(sysadm_t, sysadm_r) + ipsec_run_racoon(sysadm_t, sysadm_r) + ipsec_stream_connect_racoon(sysadm_t) + + optional_policy(` + ipsec_mgmt_dbus_chat(sysadm_t) + ') ') optional_policy(` @@ -206,12 +245,18 @@ ') optional_policy(` + kerberos_exec_kadmind(sysadm_t) +') + +ifndef(`distro_redhat',` +optional_policy(` irc_role(sysadm_r, sysadm_t) ') optional_policy(` java_role(sysadm_r, sysadm_t) ') +') optional_policy(` kudzu_run(sysadm_t, sysadm_r) @@ -221,9 +266,11 @@ libs_run_ldconfig(sysadm_t, sysadm_r) ') +ifndef(`distro_redhat',` optional_policy(` lockdev_role(sysadm_r, sysadm_t) ') +') optional_policy(` logrotate_run(sysadm_t, sysadm_r) @@ -246,8 +293,10 @@ optional_policy(` mount_run(sysadm_t, sysadm_r) + mount_run_showmount(sysadm_t, sysadm_r) ') +ifndef(`distro_redhat',` optional_policy(` mozilla_role(sysadm_r, sysadm_t) ') @@ -255,6 +304,7 @@ optional_policy(` mplayer_role(sysadm_r, sysadm_t) ') +') optional_policy(` mta_role(sysadm_r, sysadm_t) @@ -269,6 +319,10 @@ ') optional_policy(` + ncftool_run(sysadm_t, sysadm_r) +') + +optional_policy(` netutils_run(sysadm_t, sysadm_r) netutils_run_ping(sysadm_t, sysadm_r) netutils_run_traceroute(sysadm_t, sysadm_r) @@ -302,8 +356,14 @@ ') optional_policy(` + prelink_run(sysadm_t, sysadm_r) +') + +ifndef(`distro_redhat',` +optional_policy(` pyzor_role(sysadm_r, sysadm_t) ') +') optional_policy(` quota_run(sysadm_t, sysadm_r) @@ -313,9 +373,11 @@ raid_domtrans_mdadm(sysadm_t) ') +ifndef(`distro_redhat',` optional_policy(` razor_role(sysadm_r, sysadm_t) ') +') optional_policy(` rpc_domtrans_nfsd(sysadm_t) @@ -325,9 +387,11 @@ rpm_run(sysadm_t, sysadm_r) ') +ifndef(`distro_redhat',` optional_policy(` rssh_role(sysadm_r, sysadm_t) ') +') optional_policy(` rsync_exec(sysadm_t) @@ -352,8 +416,14 @@ ') optional_policy(` + shutdown_run(sysadm_t, sysadm_r) +') + +ifndef(`distro_redhat',` +optional_policy(` spamassassin_role(sysadm_r, sysadm_t) ') +') optional_policy(` ssh_role_template(sysadm, sysadm_r, sysadm_t) @@ -376,9 +446,11 @@ sysnet_run_dhcpc(sysadm_t, sysadm_r) ') +ifndef(`distro_redhat',` optional_policy(` thunderbird_role(sysadm_r, sysadm_t) ') +') optional_policy(` tripwire_run_siggen(sysadm_t, sysadm_r) @@ -387,17 +459,21 @@ tripwire_run_twprint(sysadm_t, sysadm_r) ') +ifndef(`distro_redhat',` optional_policy(` tvtime_role(sysadm_r, sysadm_t) ') +') optional_policy(` tzdata_domtrans(sysadm_t) ') +ifndef(`distro_redhat',` optional_policy(` uml_role(sysadm_r, sysadm_t) ') +') optional_policy(` unconfined_domtrans(sysadm_t) @@ -411,9 +487,11 @@ usbmodules_run(sysadm_t, sysadm_r) ') +ifndef(`distro_redhat',` optional_policy(` userhelper_role_template(sysadm, sysadm_r, sysadm_t) ') +') optional_policy(` usermanage_run_admin_passwd(sysadm_t, sysadm_r) @@ -421,9 +499,15 @@ usermanage_run_useradd(sysadm_t, sysadm_r) ') +ifndef(`distro_redhat',` optional_policy(` vmware_role(sysadm_r, sysadm_t) ') +') + +optional_policy(` + vpn_run(sysadm_t, sysadm_r) +') optional_policy(` vpn_run(sysadm_t, sysadm_r) @@ -434,13 +518,30 @@ ') optional_policy(` + virt_stream_connect(sysadm_t) +') + +ifndef(`distro_redhat',` +optional_policy(` wireshark_role(sysadm_r, sysadm_t) ') optional_policy(` xserver_role(sysadm_r, sysadm_t) ') +') optional_policy(` yam_run(sysadm_t, sysadm_r) ') + +optional_policy(` + zebra_stream_connect(sysadm_t) +') + +init_script_role_transition(sysadm_r) + +files_read_kernel_modules(sysadm_t) +kernel_read_fs_sysctls(sysadm_t) +modutils_read_module_deps(sysadm_t) +miscfiles_read_hwdata(sysadm_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.8.8/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,8 @@ +# Add programs here which should not be confined by SELinux +# e.g.: +# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) +# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t +/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) + +/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0) +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.8.8/policy/modules/roles/unconfineduser.if --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.if 2010-08-18 09:42:34.000000000 -0400 @@ -0,0 +1,687 @@ +## Unconfiend user role + +######################################## +## +## Change from the unconfineduser role. +## +## +##

+## Change from the unconfineduser role to +## the specified role. +##

+##

+## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##

+## +## +## +## Role allowed access. +## +## +## +# +interface(`unconfined_role_change_to',` + gen_require(` + role unconfined_r; + ') + + allow unconfined_r $1; +') + +######################################## +## +## Transition to the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_domtrans',` + gen_require(` + type unconfined_t, unconfined_exec_t; + ') + + domtrans_pattern($1,unconfined_exec_t,unconfined_t) +') + +######################################## +## +## Execute specified programs in the unconfined domain. +## +## +## +## The type of the process performing this action. +## +## +## +## +## The role to allow the unconfined domain. +## +## +# +interface(`unconfined_run',` + gen_require(` + type unconfined_t; + ') + + unconfined_domtrans($1) + role $2 types unconfined_t; +') + +######################################## +## +## Transition to the unconfined domain by executing a shell. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_shell_domtrans',` + gen_require(` + attribute unconfined_login_domain; + ') + typeattribute $1 unconfined_login_domain; +') + +######################################## +## +## Allow unconfined to execute the specified program in +## the specified domain. +## +## +##

+## Allow unconfined to execute the specified program in +## the specified domain. +##

+##

+## This is a interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##

+## +## +## +## Domain to execute in. +## +## +## +## +## Domain entry point file. +## +## +# +interface(`unconfined_domtrans_to',` + gen_require(` + type unconfined_t; + ') + + domtrans_pattern(unconfined_t,$2,$1) +') + +######################################## +## +## Allow unconfined to execute the specified program in +## the specified domain. Allow the specified domain the +## unconfined role and use of unconfined user terminals. +## +## +##

+## Allow unconfined to execute the specified program in +## the specified domain. Allow the specified domain the +## unconfined role and use of unconfined user terminals. +##

+##

+## This is a interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##

+## +## +## +## Domain to execute in. +## +## +## +## +## Domain entry point file. +## +## +# +interface(`unconfined_run_to',` + gen_require(` + type unconfined_t; + role unconfined_r; + ') + + domtrans_pattern(unconfined_t,$2,$1) + role unconfined_r types $1; + userdom_use_user_terminals($1) +') + +######################################## +## +## Inherit file descriptors from the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_use_fds',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:fd use; +') + +######################################## +## +## Send a SIGCHLD signal to the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_sigchld',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process sigchld; +') + +######################################## +## +## Send a SIGNULL signal to the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_signull',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process signull; +') + +######################################## +## +## Send a SIGNULL signal to the unconfined execmem domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_execmem_signull',` + gen_require(` + type unconfined_execmem_t; + ') + + allow $1 unconfined_execmem_t:process signull; +') + +######################################## +## +## Send a signal to the unconfined execmem domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_execmem_signal',` + gen_require(` + type unconfined_execmem_t; + ') + + allow $1 unconfined_execmem_t:process signal; +') + +######################################## +## +## Send generic signals to the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_signal',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process signal; +') + +######################################## +## +## Read unconfined domain unnamed pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_read_pipes',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:fifo_file read_fifo_file_perms; +') + +######################################## +## +## Do not audit attempts to read unconfined domain unnamed pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_dontaudit_read_pipes',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:fifo_file read; +') + +######################################## +## +## Read and write unconfined domain unnamed pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_rw_pipes',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## +## Do not audit attempts to read and write +## unconfined domain unnamed pipes. +## +## +## +## Domain to not audit. +## +## +# +interface(`unconfined_dontaudit_rw_pipes',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:fifo_file rw_file_perms; +') + +######################################## +## +## Do not audit attempts to read and write +## unconfined domain stream. +## +## +## +## Domain to not audit. +## +## +# +interface(`unconfined_dontaudit_rw_stream',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms; +') + +######################################## +## +## Connect to the unconfined domain using +## a unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_stream_connect',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:unix_stream_socket connectto; +') + +######################################## +## +## Do not audit attempts to read or write +## unconfined domain tcp sockets. +## +## +##

+## Do not audit attempts to read or write +## unconfined domain tcp sockets. +##

+##

+## This interface was added due to a broken +## symptom in ldconfig. +##

+## +## +## +## Domain to not audit. +## +## +# +interface(`unconfined_dontaudit_rw_tcp_sockets',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:tcp_socket { read write }; +') + +######################################## +## +## Do not audit attempts to read or write +## unconfined domain packet sockets. +## +## +##

+## Do not audit attempts to read or write +## unconfined domain packet sockets. +##

+##

+## This interface was added due to a broken +## symptom. +##

+## +## +## +## Domain to not audit. +## +## +# +interface(`unconfined_dontaudit_rw_packet_sockets',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:packet_socket { read write }; +') + +######################################## +## +## Create keys for the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_create_keys',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:key create; +') + +######################################## +## +## Send messages to the unconfined domain over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_dbus_send',` + gen_require(` + type unconfined_t; + class dbus send_msg; + ') + + allow $1 unconfined_t:dbus send_msg; +') + +######################################## +## +## Send and receive messages from +## unconfined_t over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_dbus_chat',` + gen_require(` + type unconfined_t; + class dbus send_msg; + ') + + allow $1 unconfined_t:dbus send_msg; + allow unconfined_t $1:dbus send_msg; +') + +######################################## +## +## Connect to the the unconfined DBUS +## for service (acquire_svc). +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_dbus_connect',` + gen_require(` + type unconfined_t; + class dbus acquire_svc; + ') + + allow $1 unconfined_t:dbus acquire_svc; +') + +######################################## +## +## Allow ptrace of unconfined domain +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_ptrace',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process ptrace; +') + +######################################## +## +## Read and write to unconfined shared memory. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`unconfined_rw_shm',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:shm rw_shm_perms; +') + +######################################## +## +## Read and write to unconfined execmem shared memory. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`unconfined_execmem_rw_shm',` + gen_require(` + type unconfined_execmem_t; + ') + + allow $1 unconfined_execmem_t:shm rw_shm_perms; +') + +######################################## +## +## Transition to the unconfined_execmem domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_execmem_domtrans',` + + gen_require(` + type unconfined_execmem_t; + ') + + execmem_domtrans($1, unconfined_execmem_t) +') + +######################################## +## +## execute the execmem applications +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_execmem_exec',` + + gen_require(` + type execmem_exec_t; + ') + + can_exec($1, execmem_exec_t) +') + +######################################## +## +## Allow apps to set rlimits on userdomain +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_set_rlimitnh',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process rlimitinh; +') + +######################################## +## +## Get the process group of unconfined. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_getpgid',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process getpgid; +') + +######################################## +## +## Change to the unconfined role. +## +## +## +## Role allowed access. +## +## +## +# +interface(`unconfined_role_change',` + gen_require(` + role unconfined_r; + ') + + allow $1 unconfined_r; +') + +######################################## +## +## Allow domain to attach to TUN devices created by unconfined_t users. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_attach_tun_iface',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te 2010-08-19 06:51:51.000000000 -0400 @@ -0,0 +1,458 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## +# +# Declarations +# +attribute unconfined_login_domain; + +## +##

+## Transition to confined nsplugin domains from unconfined user +##

+## +gen_tunable(allow_unconfined_nsplugin_transition, false) + +## +##

+## Allow a user to login as an unconfined domain +##

+## +gen_tunable(unconfined_login, true) + +## +##

+## Transition to confined qemu domains from unconfined user +##

+## +gen_tunable(allow_unconfined_qemu_transition, false) + +# usage in this module of types created by these +# calls is not correct, however we dont currently +# have another method to add access to these types +userdom_base_user_template(unconfined) +userdom_manage_home_role(unconfined_r, unconfined_t) +userdom_manage_tmp_role(unconfined_r, unconfined_t) +userdom_manage_tmpfs_role(unconfined_r, unconfined_t) +userdom_unpriv_usertype(unconfined, unconfined_t) + +type unconfined_exec_t; +init_system_domain(unconfined_t, unconfined_exec_t) +role unconfined_r types unconfined_t; +role_transition system_r unconfined_exec_t unconfined_r; +allow system_r unconfined_r; + +domain_user_exemption_target(unconfined_t) +allow system_r unconfined_r; +allow unconfined_r system_r; +init_script_role_transition(unconfined_r) +role system_r types unconfined_t; +typealias unconfined_t alias unconfined_crontab_t; + +type unconfined_notrans_t; +type unconfined_notrans_exec_t; +init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t) +role unconfined_r types unconfined_notrans_t; + +######################################## +# +# Local policy +# + +dontaudit unconfined_t self:dir write; +dontaudit unconfined_t self:file setattr; + +allow unconfined_t self:system syslog_read; +dontaudit unconfined_t self:capability sys_module; + +files_create_boot_flag(unconfined_t) +files_create_default_dir(unconfined_t) +files_root_filetrans_default(unconfined_t, dir) + +mcs_killall(unconfined_t) +mcs_ptrace_all(unconfined_t) +mls_file_write_all_levels(unconfined_t) + +init_run_daemon(unconfined_t, unconfined_r) +init_domtrans_script(unconfined_t) +init_telinit(unconfined_t) + +libs_run_ldconfig(unconfined_t, unconfined_r) + +logging_send_syslog_msg(unconfined_t) +logging_run_auditctl(unconfined_t, unconfined_r) + +mount_run_unconfined(unconfined_t, unconfined_r) +# Unconfined running as system_r +mount_domtrans_unconfined(unconfined_t) + +seutil_run_setsebool(unconfined_t, unconfined_r) +seutil_run_setfiles(unconfined_t, unconfined_r) +seutil_run_semanage(unconfined_t, unconfined_r) + +unconfined_domain_noaudit(unconfined_t) + +userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) + +usermanage_run_passwd(unconfined_t, unconfined_r) +usermanage_run_chfn(unconfined_t, unconfined_r) + +tunable_policy(`allow_execmem',` + allow unconfined_t self:process execmem; +') + +tunable_policy(`allow_execmem && allow_execstack',` + allow unconfined_t self:process execstack; +') + +tunable_policy(`allow_execmod',` + userdom_execmod_user_home_files(unconfined_usertype) +') + +tunable_policy(`unconfined_login',` + corecmd_shell_domtrans(unconfined_login_domain,unconfined_t) + allow unconfined_t unconfined_login_domain:fd use; + allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms; + allow unconfined_t unconfined_login_domain:process sigchld; +') + +optional_policy(` + gen_require(` + attribute unconfined_usertype; + ') + + nsplugin_role_notrans(unconfined_r, unconfined_usertype) + optional_policy(` + tunable_policy(`allow_unconfined_nsplugin_transition',` + nsplugin_domtrans(unconfined_usertype) + nsplugin_domtrans_config(unconfined_usertype) + ') + ') + + optional_policy(` + abrt_dbus_chat(unconfined_usertype) + abrt_run_helper(unconfined_usertype, unconfined_r) + ') + + optional_policy(` + avahi_dbus_chat(unconfined_usertype) + ') + + optional_policy(` + certmonger_dbus_chat(unconfined_usertype) + ') + + optional_policy(` + devicekit_dbus_chat(unconfined_usertype) + devicekit_dbus_chat_disk(unconfined_usertype) + devicekit_dbus_chat_power(unconfined_usertype) + ') + + optional_policy(` + hal_dbus_chat(unconfined_usertype) + ') + + optional_policy(` + iptables_run(unconfined_usertype, unconfined_r) + ') + + optional_policy(` + networkmanager_dbus_chat(unconfined_usertype) + ') + + optional_policy(` + policykit_role(unconfined_r, unconfined_usertype) + ') + + optional_policy(` + rtkit_scheduled(unconfined_usertype) + ') + + optional_policy(` + setroubleshoot_dbus_chat(unconfined_usertype) + setroubleshoot_dbus_chat_fixit(unconfined_t) + ') + + optional_policy(` + sandbox_transition(unconfined_usertype, unconfined_r) + ') + + optional_policy(` + shutdown_run(unconfined_t, unconfined_r) + ') + + optional_policy(` + tzdata_run(unconfined_usertype, unconfined_r) + ') + + optional_policy(` + xserver_rw_shm(unconfined_usertype) + xserver_run_xauth(unconfined_usertype, unconfined_r) + xserver_dbus_chat_xdm(unconfined_usertype) + ') +') + +ifdef(`distro_gentoo',` + seutil_run_runinit(unconfined_t, unconfined_r) + seutil_init_script_run_runinit(unconfined_t, unconfined_r) +') + +optional_policy(` + accountsd_dbus_chat(unconfined_t) +') + +optional_policy(` + ada_run(unconfined_t, unconfined_r) +') + +optional_policy(` + apache_run_helper(unconfined_t, unconfined_r) +') + +optional_policy(` + bind_run_ndc(unconfined_t, unconfined_r) +') + +optional_policy(` + bootloader_run(unconfined_t, unconfined_r) +') + +optional_policy(` + cron_unconfined_role(unconfined_r, unconfined_t) +') + +optional_policy(` + chrome_role(unconfined_r, unconfined_t) +') + +optional_policy(` + dbus_role_template(unconfined, unconfined_r, unconfined_t) + + optional_policy(` + unconfined_domain(unconfined_dbusd_t) + unconfined_execmem_domtrans(unconfined_dbusd_t) + + optional_policy(` + xserver_rw_shm(unconfined_dbusd_t) + ') + ') + + init_dbus_chat(unconfined_usertype) + init_dbus_chat_script(unconfined_usertype) + + dbus_stub(unconfined_t) + + optional_policy(` + bluetooth_dbus_chat(unconfined_usertype) + ') + + optional_policy(` + consolekit_dbus_chat(unconfined_usertype) + ') + + optional_policy(` + cups_dbus_chat_config(unconfined_usertype) + ') + + optional_policy(` + fprintd_dbus_chat(unconfined_usertype) + ') + + optional_policy(` + gnomeclock_dbus_chat(unconfined_usertype) + gnome_dbus_chat_gconfdefault(unconfined_usertype) + ') + + optional_policy(` + ipsec_mgmt_dbus_chat(unconfined_usertype) + ') + + optional_policy(` + kerneloops_dbus_chat(unconfined_usertype) + ') + + optional_policy(` + oddjob_dbus_chat(unconfined_usertype) + ') + + optional_policy(` + vpn_dbus_chat(unconfined_usertype) + ') +') + +optional_policy(` + firewallgui_dbus_chat(unconfined_usertype) +') + +optional_policy(` + firstboot_run(unconfined_t, unconfined_r) +') + +optional_policy(` + ftp_run_ftpdctl(unconfined_t, unconfined_r) +') + +optional_policy(` + gpsd_run(unconfined_t, unconfined_r) +') + +optional_policy(` + java_run_unconfined(unconfined_t, unconfined_r) +') + +optional_policy(` + livecd_run(unconfined_t, unconfined_r) +') + +optional_policy(` + lpd_run_checkpc(unconfined_t, unconfined_r) +') + +optional_policy(` + modutils_run_update_mods(unconfined_t, unconfined_r) +') + +optional_policy(` + mono_role_template(unconfined, unconfined_r, unconfined_t) + unconfined_domain_noaudit(unconfined_mono_t) + role system_r types unconfined_mono_t; +') + +optional_policy(` + mozilla_run_plugin(unconfined_usertype, unconfined_r) +') + +optional_policy(` + ncftool_run(unconfined_t, unconfined_r) +') + +optional_policy(` + oddjob_run_mkhomedir(unconfined_t, unconfined_r) +') + +optional_policy(` + prelink_run(unconfined_t, unconfined_r) +') + +optional_policy(` + portmap_run_helper(unconfined_t, unconfined_r) +') + +#optional_policy(` +# ppp_run(unconfined_t, unconfined_r) +#') + +optional_policy(` + qemu_unconfined_role(unconfined_r) + + tunable_policy(`allow_unconfined_qemu_transition',` + qemu_domtrans(unconfined_t) + ',` + qemu_domtrans_unconfined(unconfined_t) +') +') + +optional_policy(` + rpm_run(unconfined_t, unconfined_r) + # Allow SELinux aware applications to request rpm_script execution + rpm_transition_script(unconfined_t) + rpm_dbus_chat(unconfined_t) +') + +optional_policy(` + samba_role_notrans(unconfined_r) + samba_run_unconfined_net(unconfined_t, unconfined_r) +# samba_run_winbind_helper(unconfined_t, unconfined_r) + samba_run_smbcontrol(unconfined_t, unconfined_r) +') + +optional_policy(` + sendmail_run_unconfined(unconfined_t, unconfined_r) +') + +optional_policy(` + sysnet_run_dhcpc(unconfined_t, unconfined_r) + sysnet_dbus_chat_dhcpc(unconfined_t) + sysnet_role_transition_dhcpc(unconfined_r) +') + +optional_policy(` + telepathy_dbus_session_role(unconfined_r, unconfined_t) +') + +optional_policy(` + vbetool_run(unconfined_t, unconfined_r) +') + +optional_policy(` + virt_transition_svirt(unconfined_t, unconfined_r) +') + +optional_policy(` + vpn_run(unconfined_t, unconfined_r) +') + +optional_policy(` + webalizer_run(unconfined_t, unconfined_r) +') + +optional_policy(` + wine_run(unconfined_t, unconfined_r) +') + +optional_policy(` + xserver_run(unconfined_t, unconfined_r) +') + +######################################## +# +# Unconfined Execmem Local policy +# + +optional_policy(` + execmem_role_template(unconfined, unconfined_r, unconfined_t) + typealias unconfined_execmem_t alias execmem_t; + typealias unconfined_execmem_t alias unconfined_openoffice_t; + unconfined_domain_noaudit(unconfined_execmem_t) + allow unconfined_execmem_t unconfined_t:process transition; + rpm_transition_script(unconfined_execmem_t) + role system_r types unconfined_execmem_t; + + optional_policy(` + init_dbus_chat_script(unconfined_execmem_t) + dbus_system_bus_client(unconfined_execmem_t) + unconfined_dbus_chat(unconfined_execmem_t) + unconfined_dbus_connect(unconfined_execmem_t) + ') + + optional_policy(` + tunable_policy(`allow_unconfined_nsplugin_transition',`', ` + nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t) + ') + ') + + optional_policy(` + openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t) + ') +') + +######################################## +# +# Unconfined notrans Local policy +# + +allow unconfined_notrans_t self:process { execstack execmem }; +unconfined_domain_noaudit(unconfined_notrans_t) +userdom_unpriv_usertype(unconfined, unconfined_notrans_t) +domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t) +# Allow SELinux aware applications to request rpm_script execution +rpm_transition_script(unconfined_notrans_t) +domain_ptrace_all_domains(unconfined_notrans_t) + +######################################## +# +# Unconfined mount local policy +# + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.8.8/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/roles/unprivuser.te 2010-08-19 06:52:56.000000000 -0400 @@ -12,11 +12,18 @@ userdom_unpriv_user_template(user) +fs_exec_noxattr(user_t) + optional_policy(` apache_role(user_r, user_t) ') optional_policy(` + mozilla_run_plugin(user_t, user_r) +') + +ifndef(`distro_redhat',` +optional_policy(` auth_role(user_r, user_t) ') @@ -104,12 +111,30 @@ optional_policy(` rssh_role(user_r, user_t) ') +') + +optional_policy(` + rpm_dontaudit_dbus_chat(user_t) +') + +optional_policy(` + rtkit_scheduled(user_t) +') + +optional_policy(` + sandbox_transition(user_t, user_r) +') optional_policy(` screen_role_template(user, user_r, user_t) ') optional_policy(` + telepathy_dbus_session_role(user_r, user_t) +') + +ifndef(`distro_redhat',` +optional_policy(` spamassassin_role(user_r, user_t) ') @@ -149,6 +174,12 @@ wireshark_role(user_r, user_t) ') +') + +optional_policy(` + setroubleshoot_dontaudit_stream_connect(user_t) +') + optional_policy(` xserver_role(user_r, user_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.8.8/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/roles/xguest.te 2010-08-19 07:42:55.000000000 -0400 @@ -14,7 +14,7 @@ ## ##

-## Allow xguest to configure Network Manager +## Allow xguest to configure Network Manager and connect to apache ports ##

## gen_tunable(xguest_connect_network, true) @@ -29,12 +29,12 @@ role xguest_r; userdom_restricted_xwindows_user_template(xguest) +sysnet_dns_name_resolve(xguest_t) ######################################## # # Local policy # - ifndef(`enable_mls',` fs_exec_noxattr(xguest_t) @@ -48,12 +48,21 @@ storage_raw_read_removable_device(xguest_t) ') ') +# Dontaudit fusermount +mount_dontaudit_exec_fusermount(xguest_t) + +allow xguest_t self:process execmem; +kernel_dontaudit_request_load_module(xguest_t) + +tunable_policy(`allow_execstack',` + allow xguest_t self:process execstack; +') # Allow mounting of file systems optional_policy(` tunable_policy(`xguest_mount_media',` kernel_read_fs_sysctls(xguest_t) - + kernel_request_load_module(xguest_t) files_dontaudit_getattr_boot_dirs(xguest_t) files_search_mnt(xguest_t) @@ -62,10 +71,9 @@ fs_manage_noxattr_fs_dirs(xguest_t) fs_getattr_noxattr_fs(xguest_t) fs_read_noxattr_fs_symlinks(xguest_t) + fs_mount_fusefs(xguest_t) auth_list_pam_console_data(xguest_t) - - init_read_utmp(xguest_t) ') ') @@ -76,23 +84,87 @@ ') optional_policy(` + chrome_role(xguest_r, xguest_usertype) +') + + +optional_policy(` hal_dbus_chat(xguest_t) ') optional_policy(` - java_role(xguest_r, xguest_t) + apache_role(xguest_r, xguest_t) +') + +optional_policy(` + gnomeclock_dontaudit_dbus_chat(xguest_t) +') + +optional_policy(` + java_role_template(xguest, xguest_r, xguest_t) +') + +optional_policy(` + mono_role_template(xguest, xguest_r, xguest_t) ') optional_policy(` - mozilla_role(xguest_r, xguest_t) + mozilla_run_plugin(xguest_t, xguest_r) +') + +optional_policy(` + nsplugin_role(xguest_r, xguest_t) ') optional_policy(` tunable_policy(`xguest_connect_network',` + kernel_read_network_state(xguest_usertype) + networkmanager_dbus_chat(xguest_t) - corenet_tcp_connect_pulseaudio_port(xguest_t) - corenet_tcp_connect_ipp_port(xguest_t) + networkmanager_read_lib_files(xguest_t) + corenet_tcp_connect_pulseaudio_port(xguest_usertype) + corenet_all_recvfrom_unlabeled(xguest_usertype) + corenet_all_recvfrom_netlabel(xguest_usertype) + corenet_tcp_sendrecv_generic_if(xguest_usertype) + corenet_raw_sendrecv_generic_if(xguest_usertype) + corenet_tcp_sendrecv_generic_node(xguest_usertype) + corenet_raw_sendrecv_generic_node(xguest_usertype) + corenet_tcp_sendrecv_http_port(xguest_usertype) + corenet_tcp_sendrecv_http_cache_port(xguest_usertype) + corenet_tcp_sendrecv_ftp_port(xguest_usertype) + corenet_tcp_sendrecv_ipp_port(xguest_usertype) + corenet_tcp_connect_http_port(xguest_usertype) + corenet_tcp_connect_http_cache_port(xguest_usertype) + corenet_tcp_connect_flash_port(xguest_usertype) + corenet_tcp_connect_ftp_port(xguest_usertype) + corenet_tcp_connect_ipp_port(xguest_usertype) + corenet_tcp_connect_generic_port(xguest_usertype) + corenet_tcp_connect_soundd_port(xguest_usertype) + corenet_sendrecv_http_client_packets(xguest_usertype) + corenet_sendrecv_http_cache_client_packets(xguest_usertype) + corenet_sendrecv_ftp_client_packets(xguest_usertype) + corenet_sendrecv_ipp_client_packets(xguest_usertype) + corenet_sendrecv_generic_client_packets(xguest_usertype) + # Should not need other ports + corenet_dontaudit_tcp_sendrecv_generic_port(xguest_usertype) + corenet_dontaudit_tcp_bind_generic_port(xguest_usertype) + corenet_tcp_connect_speech_port(xguest_usertype) + corenet_tcp_sendrecv_transproxy_port(xguest_usertype) + corenet_tcp_connect_transproxy_port(xguest_usertype) ') + + optional_policy(` + telepathy_dbus_session_role(xguest_r, xguest_t) + ') +') + +optional_policy(` + gen_require(` + type mozilla_t; + ') + + allow xguest_t mozilla_t:process transition; + role xguest_r types mozilla_t; ') -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.8.8/policy/modules/services/abrt.fc --- nsaserefpolicy/policy/modules/services/abrt.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/abrt.fc 2010-07-30 14:06:53.000000000 -0400 @@ -15,6 +15,7 @@ /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) /var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0) /var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) /var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.8.8/policy/modules/services/abrt.if --- nsaserefpolicy/policy/modules/services/abrt.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/abrt.if 2010-08-10 07:15:12.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -25,7 +25,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -130,6 +130,10 @@ ') domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t) + +ifdef(`hide_broken_symptoms', ` + dontaudit abrt_helper_t $1:socket_class_set { read write }; +') ') ######################################## @@ -160,8 +164,25 @@ ######################################## ## -## Send and receive messages from -## abrt over dbus. +## Append abrt cache +## +## +## +## Domain allowed access. +## +## +# +interface(`abrt_append_cache_files',` + gen_require(` + type abrt_var_cache_t; + ') + + append_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) +') + +######################################## +## +## Manage abrt cache ## ## ## @@ -169,7 +190,7 @@ ## ## # -interface(`abrt_cache_manage',` +interface(`abrt_manage_cache_files',` gen_require(` type abrt_var_cache_t; ') @@ -253,6 +274,24 @@ manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) ') +######################################## +## +## Read and write abrt fifo files. +## +## +## +## Domain allowed access. +## +## +# +interface(`abrt_rw_fifo_file',` + gen_require(` + type abrt_t; + ') + + allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms; +') + ##################################### ## ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.8.8/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/abrt.te 2010-08-03 09:01:25.000000000 -0400 @@ -5,6 +5,14 @@ # Declarations # +## +##

+## Allow ABRT to modify public files +## used for public file transfer services. +##

+## +gen_tunable(abrt_anon_write, false) + type abrt_t; type abrt_exec_t; init_daemon_domain(abrt_t, abrt_exec_t) @@ -50,7 +58,7 @@ allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override }; dontaudit abrt_t self:capability sys_rawio; -allow abrt_t self:process { signal signull setsched getsched }; +allow abrt_t self:process { sigkill signal signull setsched getsched }; allow abrt_t self:fifo_file rw_fifo_file_perms; allow abrt_t self:tcp_socket create_stream_socket_perms; @@ -69,6 +77,7 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) +can_exec(abrt_t, abrt_tmp_t) # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) @@ -82,7 +91,7 @@ manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) -files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) +files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file }) kernel_read_ring_buffer(abrt_t) kernel_read_system_state(abrt_t) @@ -121,6 +130,8 @@ files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) +files_dontaudit_read_all_symlinks(abrt_t) +files_dontaudit_getattr_all_sockets(abrt_t) fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) @@ -131,7 +142,7 @@ fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) -sysnet_read_config(abrt_t) +sysnet_dns_name_resolve(abrt_t) logging_read_generic_logs(abrt_t) logging_send_syslog_msg(abrt_t) @@ -140,6 +151,15 @@ miscfiles_read_localization(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) +userdom_dontaudit_read_admin_home_files(abrt_t) + +tunable_policy(`abrt_anon_write',` + miscfiles_manage_public_files(abrt_t) +') + +optional_policy(` + apache_read_modules(abrt_t) +') optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) @@ -150,7 +170,12 @@ ') optional_policy(` - policykit_dbus_chat(abrt_t) + nsplugin_read_rw_files(abrt_t) + nsplugin_read_home(abrt_t) +') + +optional_policy(` + policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) @@ -178,6 +203,12 @@ ') optional_policy(` + sosreport_domtrans(abrt_t) + sosreport_read_tmp_files(abrt_t) + sosreport_delete_tmp_files(abrt_t) +') + +optional_policy(` sssd_stream_connect(abrt_t) ') @@ -203,6 +234,7 @@ domain_read_all_domains_state(abrt_helper_t) files_read_etc_files(abrt_helper_t) +files_dontaudit_all_non_security_leaks(abrt_helper_t) fs_list_inotifyfs(abrt_helper_t) fs_getattr_all_fs(abrt_helper_t) @@ -217,11 +249,26 @@ term_dontaudit_use_all_ptys(abrt_helper_t) ifdef(`hide_broken_symptoms', ` + domain_dontaudit_leaks(abrt_helper_t) userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) + optional_policy(` + rpm_dontaudit_leaks(abrt_helper_t) + ') dev_dontaudit_read_all_blk_files(abrt_helper_t) dev_dontaudit_read_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) ') + + +ifdef(`hide_broken_symptoms', ` + gen_require(` + attribute domain; + ') + + allow abrt_t self:capability sys_resource; + allow abrt_t domain:file write; + allow abrt_t domain:process setrlimit; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.8.8/policy/modules/services/afs.if --- nsaserefpolicy/policy/modules/services/afs.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/afs.if 2010-07-30 14:06:53.000000000 -0400 @@ -63,7 +63,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.8.8/policy/modules/services/afs.te --- nsaserefpolicy/policy/modules/services/afs.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/afs.te 2010-07-30 14:06:53.000000000 -0400 @@ -82,6 +82,10 @@ kernel_rw_afs_state(afs_t) +ifdef(`hide_broken_symptoms', ` + kernel_rw_unlabeled_files(afs_t) +') + corenet_all_recvfrom_unlabeled(afs_t) corenet_all_recvfrom_netlabel(afs_t) corenet_tcp_sendrecv_generic_if(afs_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.8.8/policy/modules/services/aiccu.fc --- nsaserefpolicy/policy/modules/services/aiccu.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/aiccu.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,6 @@ +/etc/aiccu.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0) +/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0) + +/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0) + +/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.8.8/policy/modules/services/aiccu.if --- nsaserefpolicy/policy/modules/services/aiccu.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/aiccu.if 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,118 @@ +## Automatic IPv6 Connectivity Client Utility. + +######################################## +## +## Execute a domain transition to run aiccu. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`aiccu_domtrans',` + gen_require(` + type aiccu_t, aiccu_exec_t; + ') + + domtrans_pattern($1, aiccu_exec_t, aiccu_t) + corecmd_search_bin($1) +') + + +######################################## +## +## Execute aiccu server in the aiccu domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`aiccu_initrc_domtrans',` + gen_require(` + type aiccu_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, aiccu_initrc_exec_t) +') + +######################################## +## +## Read aiccu PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`aiccu_read_pid_files',` + gen_require(` + type aiccu_var_run_t; + ') + + allow $1 aiccu_var_run_t:file read_file_perms; + files_search_pids($1) +') + +######################################## +## +## Manage aiccu PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`aiccu_manage_var_run',` + gen_require(` + type aiccu_var_run_t; + ') + + manage_dirs_pattern($1, aiccu_var_run_t, aiccu_var_run_t) + manage_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t) + manage_lnk_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t) + files_search_pids($1) +') + + +######################################## +## +## All of the rules required to administrate +## an aiccu environment +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`aiccu_admin',` + gen_require(` + type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t; + type aiccu_var_run_t; + ') + + allow $1 aiccu_t:process { ptrace signal_perms }; + ps_process_pattern($1, aiccu_t) + + aiccu_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 aiccu_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, aiccu_etc_t) + files_search_etc($1) + + admin_pattern($1, aiccu_var_run_t) + files_search_pids($1) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.8.8/policy/modules/services/aiccu.te --- nsaserefpolicy/policy/modules/services/aiccu.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/aiccu.te 2010-07-30 14:55:47.000000000 -0400 @@ -0,0 +1,71 @@ +policy_module(aiccu, 1.0.0) + +######################################## +# +# Declarations +# + +type aiccu_t; +type aiccu_exec_t; +init_daemon_domain(aiccu_t, aiccu_exec_t) + +type aiccu_initrc_exec_t; +init_script_file(aiccu_initrc_exec_t) + +type aiccu_etc_t; +files_config_file(aiccu_etc_t) + +type aiccu_var_run_t; +files_pid_file(aiccu_var_run_t) + +######################################## +# +# aiccu local policy +# + +allow aiccu_t self:capability { kill net_admin }; +dontaudit aiccu_t self:capability sys_tty_config; +allow aiccu_t self:process signal; +allow aiccu_t self:fifo_file rw_fifo_file_perms; +allow aiccu_t self:netlink_route_socket create_netlink_socket_perms; +allow aiccu_t self:tcp_socket create_stream_socket_perms; +allow aiccu_t self:tun_socket create_socket_perms; +allow aiccu_t self:udp_socket create_stream_socket_perms; +allow aiccu_t self:unix_stream_socket create_stream_socket_perms; + +allow aiccu_t aiccu_etc_t:file read_file_perms; + +manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) +manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) +files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir }) + +kernel_read_system_state(aiccu_t) + +corecmd_exec_shell(aiccu_t) + +corenet_all_recvfrom_netlabel(aiccu_t) +corenet_all_recvfrom_unlabeled(aiccu_t) +corenet_tcp_bind_generic_node(aiccu_t) +corenet_tcp_sendrecv_generic_if(aiccu_t) +corenet_tcp_sendrecv_generic_node(aiccu_t) +corenet_tcp_sendrecv_generic_port(aiccu_t) +corenet_sendrecv_sixxsconfig_client_packets(aiccu_t) +corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t) +corenet_tcp_connect_sixxsconfig_port(aiccu_t) +corenet_rw_tun_tap_dev(aiccu_t) + +domain_use_interactive_fds(aiccu_t) + +dev_read_rand(aiccu_t) +dev_read_urand(aiccu_t) + +files_read_etc_files(aiccu_t) + +logging_send_syslog_msg(aiccu_t) + +miscfiles_read_localization(aiccu_t) + +modutils_domtrans_insmod(aiccu_t) + +sysnet_domtrans_ifconfig(aiccu_t) +sysnet_dns_name_resolve(aiccu_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.8.8/policy/modules/services/aisexec.te --- nsaserefpolicy/policy/modules/services/aisexec.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/aisexec.te 2010-08-03 09:16:29.000000000 -0400 @@ -32,7 +32,7 @@ # aisexec local policy # -allow aisexec_t self:capability { sys_nice sys_resource ipc_lock }; +allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner }; allow aisexec_t self:process { setrlimit setsched signal }; allow aisexec_t self:fifo_file rw_fifo_file_perms; allow aisexec_t self:sem create_sem_perms; @@ -81,6 +81,9 @@ miscfiles_read_localization(aisexec_t) +userdom_rw_semaphores(aisexec_t) +userdom_rw_unpriv_user_shared_mem(aisexec_t) + optional_policy(` ccs_stream_connect(aisexec_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.8.8/policy/modules/services/amavis.if --- nsaserefpolicy/policy/modules/services/amavis.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/amavis.if 2010-08-19 05:56:46.000000000 -0400 @@ -56,7 +56,7 @@ ') files_search_spool($1) - allow $1 amavis_spool_t:file read_file_perms; + read_files_pattern($1, amavis_spool_t, amavis_spool_t) ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.8.8/policy/modules/services/amavis.te --- nsaserefpolicy/policy/modules/services/amavis.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/amavis.te 2010-07-30 14:06:53.000000000 -0400 @@ -92,9 +92,10 @@ logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir }) # pid file +manage_dirs_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) -files_pid_filetrans(amavis_t, amavis_var_run_t, { file sock_file }) +files_pid_filetrans(amavis_t, amavis_var_run_t, { file sock_file dir }) kernel_read_kernel_sysctls(amavis_t) # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl... diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.8.8/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/apache.fc 2010-08-20 07:38:00.000000000 -0400 @@ -2,7 +2,7 @@ /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) @@ -24,7 +24,6 @@ /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) /usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) @@ -43,8 +42,7 @@ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') -/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -74,7 +72,8 @@ /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -86,7 +85,6 @@ /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -109,3 +107,16 @@ /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + +/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + +/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + +/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + +/var/lib/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + +/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.8.8/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/apache.if 2010-08-03 09:01:04.000000000 -0400 @@ -13,17 +13,13 @@ # template(`apache_content_template',` gen_require(` - attribute httpdcontent; attribute httpd_exec_scripts; attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; + type httpd_sys_content_t; ') - # allow write access to public file transfer - # services files. - gen_tunable(allow_httpd_$1_script_anon_write, false) - #This type is for webpages - type httpd_$1_content_t, httpdcontent; # customizable + type httpd_$1_content_t; # customizable; typealias httpd_$1_content_t alias httpd_$1_script_ro_t; files_type(httpd_$1_content_t) @@ -41,11 +37,11 @@ corecmd_shell_entry_type(httpd_$1_script_t) domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) - type httpd_$1_rw_content_t, httpdcontent; # customizable + type httpd_$1_rw_content_t; # customizable typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t }; files_type(httpd_$1_rw_content_t) - type httpd_$1_ra_content_t, httpdcontent; # customizable + type httpd_$1_ra_content_t; # customizable typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; files_type(httpd_$1_ra_content_t) @@ -54,7 +50,7 @@ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; - allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; + allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; allow httpd_$1_script_t self:fifo_file rw_file_perms; allow httpd_$1_script_t self:unix_stream_socket connectto; @@ -86,7 +82,6 @@ manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file }) kernel_dontaudit_search_sysctl(httpd_$1_script_t) kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) @@ -95,6 +90,7 @@ dev_read_urand(httpd_$1_script_t) corecmd_exec_all_executables(httpd_$1_script_t) + application_exec_all(httpd_$1_script_t) files_exec_etc_files(httpd_$1_script_t) files_read_etc_files(httpd_$1_script_t) @@ -108,19 +104,6 @@ seutil_dontaudit_search_config(httpd_$1_script_t) - tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_$1_script_t httpdcontent:file entrypoint; - - manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) - manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) - manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) - can_exec(httpd_$1_script_t, httpdcontent) - ') - - tunable_policy(`allow_httpd_$1_script_anon_write',` - miscfiles_manage_public_files(httpd_$1_script_t) - ') - # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) @@ -140,6 +123,7 @@ allow httpd_t httpd_$1_content_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) + allow httpd_t httpd_$1_script_t:unix_stream_socket connectto; ') tunable_policy(`httpd_enable_cgi',` @@ -148,14 +132,19 @@ # privileged users run the script: domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) + allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms; + # apache runs the script: domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) + allow httpd_t httpd_$1_script_exec_t:file read_file_perms; + allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; allow httpd_$1_script_t self:process { setsched signal_perms }; allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms; + allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms; allow httpd_$1_script_t httpd_t:fd use; allow httpd_$1_script_t httpd_t:process sigchld; @@ -172,6 +161,7 @@ libs_read_lib_files(httpd_$1_script_t) miscfiles_read_localization(httpd_$1_script_t) + allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms; ') optional_policy(` @@ -182,15 +172,13 @@ optional_policy(` postgresql_unpriv_client(httpd_$1_script_t) - - tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` - postgresql_tcp_connect(httpd_$1_script_t) - ') ') optional_policy(` nscd_socket_use(httpd_$1_script_t) ') + + dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write }; ') ######################################## @@ -229,6 +217,13 @@ relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) + manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) + manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t) + manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) + relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) + relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t) + relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) + manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) @@ -312,6 +307,25 @@ domtrans_pattern($1, httpd_exec_t, httpd_t) ') +###################################### +## +## Allow the specified domain to execute apache +## in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_exec',` + gen_require(` + type httpd_exec_t; + ') + + can_exec($1, httpd_exec_t) +') + ####################################### ## ## Send a generic signal to apache. @@ -400,7 +414,7 @@ type httpd_t; ') - dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms; + dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## @@ -526,6 +540,25 @@ ######################################## ## ## Allow the specified domain to delete +## Apache cache dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_delete_cache_dirs',` + gen_require(` + type httpd_cache_t; + ') + + delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t) +') + +######################################## +## +## Allow the specified domain to delete ## Apache cache. ## ## @@ -740,6 +773,25 @@ ######################################## ## +## Allow the specified domain to read +## the apache module directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_read_modules',` + gen_require(` + type httpd_modules_t; + ') + + read_files_pattern($1, httpd_modules_t, httpd_modules_t) +') + +######################################## +## ## Allow the specified domain to list ## the contents of the apache modules ## directory. @@ -756,6 +808,7 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; + read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t) ') ######################################## @@ -814,6 +867,7 @@ ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) + read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) files_search_var($1) ') @@ -841,6 +895,74 @@ manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') +###################################### +## +## Allow the specified domain to read +## apache system content rw files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`apache_read_sys_content_rw_files',` + gen_require(` + type httpd_sys_rw_content_t; + ') + + read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + +###################################### +## +## Allow the specified domain to manage +## apache system content rw files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`apache_manage_sys_content_rw',` + gen_require(` + type httpd_sys_rw_content_t; + ') + + files_search_var($1) + manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) + manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) + manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + +######################################## +## +## Allow the specified domain to delete +## apache system content rw files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`apache_delete_sys_content_rw',` + gen_require(` + type httpd_sys_rw_content_t; + ') + + files_search_tmp($1) + delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) + delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) + delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) + delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) + delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + ######################################## ## ## Execute all web scripts in the system @@ -858,6 +980,11 @@ gen_require(` attribute httpdcontent; type httpd_sys_script_t; + type httpd_sys_content_t; + ') + + tunable_policy(`httpd_enable_cgi',` + domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t) ') tunable_policy(`httpd_enable_cgi && httpd_unified',` @@ -945,7 +1072,7 @@ type httpd_squirrelmail_t; ') - allow $1 httpd_squirrelmail_t:file read_file_perms; + read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t) ') ######################################## @@ -1086,6 +1213,25 @@ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') +###################################### +## +## Dontaudit attempts to read and write +## apache tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_dontaudit_rw_tmp_files',` + gen_require(` + type httpd_tmp_t; + ') + + dontaudit $1 httpd_tmp_t:file { read write }; +') + ######################################## ## ## Dontaudit attempts to write @@ -1102,7 +1248,7 @@ type httpd_tmp_t; ') - dontaudit $1 httpd_tmp_t:file write_file_perms; + dontaudit $1 httpd_tmp_t:file write; ') ######################################## @@ -1172,7 +1318,7 @@ type httpd_modules_t, httpd_lock_t; type httpd_var_run_t, httpd_php_tmp_t; type httpd_suexec_tmp_t, httpd_tmp_t; - type httpd_initrc_exec_t; + type httpd_initrc_exec_t, httpd_bool_t; ') allow $1 httpd_t:process { getattr ptrace signal_perms }; @@ -1202,12 +1348,43 @@ kernel_search_proc($1) allow $1 httpd_t:dir list_dir_perms; - + ps_process_pattern($1, httpd_t) read_lnk_files_pattern($1, httpd_t, httpd_t) admin_pattern($1, httpdcontent) admin_pattern($1, httpd_script_exec_type) + + seutil_domtrans_setfiles($1) + admin_pattern($1, httpd_tmp_t) admin_pattern($1, httpd_php_tmp_t) admin_pattern($1, httpd_suexec_tmp_t) + +ifdef(`TODO',` + apache_set_booleans($1, $2, $3, httpd_bool_t ) + seutil_setsebool_role_template($1, $3, $2) + allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms; + allow httpd_setsebool_t httpd_bool_t:file rw_file_perms; +') +') + +######################################## +## +## dontaudit read and write an leaked file descriptors +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_dontaudit_leaks',` + gen_require(` + type httpd_t; + ') + + dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; + dontaudit $1 httpd_t:tcp_socket { read write }; + dontaudit $1 httpd_t:unix_dgram_socket { read write }; + dontaudit $1 httpd_t:unix_stream_socket { read write }; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.8.8/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/apache.te 2010-08-10 11:21:49.000000000 -0400 @@ -18,6 +18,8 @@ # Declarations # +selinux_genbool(httpd_bool_t) + ## ##

## Allow Apache to modify public files @@ -36,6 +38,20 @@ ## ##

+## Allow httpd scripts and modules execmem/execstack +##

+## +gen_tunable(httpd_execmem, false) + +## +##

+## Allow httpd daemon to change system limits +##

+## +gen_tunable(httpd_setrlimit, false) + +## +##

## Allow httpd to use built in scripting (usually php) ##

## @@ -50,6 +66,13 @@ ## ##

+## Allow HTTPD scripts and modules to connect to cobbler over the network. +##

+## +gen_tunable(httpd_can_network_connect_cobbler, false) + +## +##

## Allow HTTPD scripts and modules to connect to databases over the network. ##

## @@ -100,6 +123,13 @@ ## ##

+## Allow httpd to read user content +##

+## +gen_tunable(httpd_read_user_content, false) + +## +##

## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. ##

## @@ -107,6 +137,13 @@ ## ##

+## Allow Apache to execute tmp content. +##

+## +gen_tunable(httpd_tmp_exec, false) + +## +##

## Unify HTTPD to communicate with the terminal. ## Needed for entering the passphrase for certificates at ## the terminal. @@ -130,7 +167,7 @@ ## ##

-## Allow httpd to run gpg +## Allow httpd to run gpg in gpg-web domain ##

## gen_tunable(httpd_use_gpg, false) @@ -142,6 +179,13 @@ ## gen_tunable(httpd_use_nfs, false) +## +##

+## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t. +##

+## +gen_tunable(allow_httpd_sys_script_anon_write, false) + attribute httpdcontent; attribute httpd_user_content_type; @@ -216,7 +260,10 @@ # setup the system domain for system CGI scripts apache_content_template(sys) -typealias httpd_sys_content_t alias ntop_http_content_t; + +typeattribute httpd_sys_content_t httpdcontent; # customizable +typeattribute httpd_sys_rw_content_t httpdcontent; # customizable +typeattribute httpd_sys_ra_content_t httpdcontent; # customizable type httpd_tmp_t; files_tmp_file(httpd_tmp_t) @@ -226,6 +273,10 @@ apache_content_template(user) ubac_constrained(httpd_user_script_t) +typeattribute httpd_user_content_t httpdcontent; +typeattribute httpd_user_rw_content_t httpdcontent; +typeattribute httpd_user_ra_content_t httpdcontent; + userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) @@ -233,6 +284,7 @@ userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; +typealias httpd_user_content_t alias httpd_unconfined_content_t; typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; @@ -286,6 +338,7 @@ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) +files_var_filetrans(httpd_t, httpd_cache_t, { file dir }) # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; @@ -355,6 +408,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) +kernel_search_network_sysctl(httpd_t) corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) @@ -365,8 +419,10 @@ corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) +corenet_udp_bind_generic_node(httpd_t) corenet_tcp_bind_http_port(httpd_t) corenet_tcp_bind_http_cache_port(httpd_t) +corenet_tcp_bind_ntop_port(httpd_t) corenet_sendrecv_http_server_packets(httpd_t) # Signal self for shutdown corenet_tcp_connect_http_port(httpd_t) @@ -378,12 +434,12 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) +fs_read_iso9660_files(httpd_t) +fs_read_anon_inodefs_files(httpd_t) auth_use_nsswitch(httpd_t) -# execute perl -corecmd_exec_bin(httpd_t) -corecmd_exec_shell(httpd_t) +application_exec_all(httpd_t) domain_use_interactive_fds(httpd_t) @@ -402,6 +458,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) +# php uploads a file to /tmp and then execs programs to acton them +manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) +manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) +files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file }) libs_read_lib_files(httpd_t) @@ -416,16 +476,31 @@ userdom_use_unpriv_users_fds(httpd_t) +tunable_policy(`httpd_setrlimit',` + allow httpd_t self:process setrlimit; +') + tunable_policy(`allow_httpd_anon_write',` miscfiles_manage_public_files(httpd_t) ') -ifdef(`TODO', ` # # We need optionals to be able to be within booleans to make this work # tunable_policy(`allow_httpd_mod_auth_pam',` - auth_domtrans_chk_passwd(httpd_t) + auth_domtrans_chkpwd(httpd_t) + logging_send_audit_msgs(httpd_t) +') + +## +##

+## Allow Apache to use mod_auth_pam +##

+## +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) +optional_policy(` +tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',` + samba_domtrans_winbind_helper(httpd_t) ') ') @@ -446,6 +521,16 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') +tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_sys_script_t httpd_sys_content_t:file entrypoint; + filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) + can_exec(httpd_sys_script_t, httpd_sys_content_t) +') + +tunable_policy(`allow_httpd_sys_script_anon_write',` + miscfiles_manage_public_files(httpd_sys_script_t) +') + tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` fs_nfs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -456,6 +541,10 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) + filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) + manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) + manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) + manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) @@ -470,11 +559,25 @@ userdom_read_user_home_content_files(httpd_t) ') +tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',` + can_exec(httpd_t, httpd_tmp_t) +') + +tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',` + can_exec(httpd_sys_script_t, httpd_tmp_t) +') + tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_files(httpd_t) fs_read_nfs_symlinks(httpd_t) ') +tunable_policy(`httpd_use_nfs',` + fs_manage_nfs_dirs(httpd_t) + fs_manage_nfs_files(httpd_t) + fs_manage_nfs_symlinks(httpd_t) +') + tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) @@ -484,7 +587,16 @@ # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) + corenet_tcp_connect_pop_port(httpd_t) + corenet_sendrecv_pop_client_packets(httpd_t) mta_send_mail(httpd_t) + mta_signal_system_mail(httpd_t) +') + +tunable_policy(`httpd_use_cifs',` + fs_manage_cifs_dirs(httpd_t) + fs_manage_cifs_files(httpd_t) + fs_manage_cifs_symlinks(httpd_t) ') tunable_policy(`httpd_ssi_exec',` @@ -500,8 +612,10 @@ # are dontaudited here. tunable_policy(`httpd_tty_comm',` userdom_use_user_terminals(httpd_t) + userdom_use_user_terminals(httpd_suexec_t) ',` userdom_dontaudit_use_user_terminals(httpd_t) + userdom_dontaudit_use_user_terminals(httpd_suexec_t) ') optional_policy(` @@ -513,7 +627,13 @@ ') optional_policy(` - cobbler_search_lib(httpd_t) + cobbler_list_config(httpd_t) + cobbler_read_config(httpd_t) + cobbler_read_content(httpd_t) + + tunable_policy(`httpd_can_network_connect_cobbler',` + corenet_tcp_connect_cobbler_port(httpd_t) + ') ') optional_policy(` @@ -528,7 +648,7 @@ daemontools_service_domain(httpd_t, httpd_exec_t) ') - optional_policy(` +optional_policy(` dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` @@ -537,8 +657,12 @@ ') optional_policy(` + gitosis_read_lib_files(httpd_t) +') + +optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` - gpg_domtrans(httpd_t) + gpg_domtrans_web(httpd_t) ') ') @@ -557,6 +681,7 @@ optional_policy(` # Allow httpd to work with mysql + mysql_read_config(httpd_t) mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) @@ -567,6 +692,7 @@ optional_policy(` nagios_read_config(httpd_t) + nagios_read_log(httpd_t) ') optional_policy(` @@ -577,12 +703,23 @@ ') optional_policy(` + rpc_search_nfs_state_data(httpd_t) +') + +tunable_policy(`httpd_execmem',` + allow httpd_t self:process { execmem execstack }; + allow httpd_sys_script_t self:process { execmem execstack }; + allow httpd_suexec_t self:process { execmem execstack }; +') + +optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) tunable_policy(`httpd_can_network_connect_db',` postgresql_tcp_connect(httpd_t) + postgresql_tcp_connect(httpd_sys_script_t) ') ') @@ -591,6 +728,11 @@ ') optional_policy(` + smokeping_getattr_lib_files(httpd_t) +') + +optional_policy(` + files_dontaudit_rw_usr_dirs(httpd_t) snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') @@ -603,6 +745,10 @@ yam_read_content(httpd_t) ') +optional_policy(` + zarafa_stream_connect_server(httpd_t) +') + ######################################## # # Apache helper local policy @@ -618,6 +764,10 @@ userdom_use_user_terminals(httpd_helper_t) +tunable_policy(`httpd_tty_comm',` + userdom_use_user_terminals(httpd_helper_t) +') + ######################################## # # Apache PHP script local policy @@ -699,17 +849,18 @@ manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) +can_exec(httpd_suexec_t, httpd_sys_script_exec_t) + kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) dev_read_urand(httpd_suexec_t) +fs_read_iso9660_files(httpd_suexec_t) fs_search_auto_mountpoints(httpd_suexec_t) -# for shell scripts -corecmd_exec_bin(httpd_suexec_t) -corecmd_exec_shell(httpd_suexec_t) +application_exec_all(httpd_suexec_t) files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) @@ -740,10 +891,21 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') +read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t) +read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t) +read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t) + +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_sys_script_t httpdcontent:file entrypoint; domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) - + manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) +') +tunable_policy(`httpd_enable_cgi',` + domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t) ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` @@ -769,6 +931,12 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') +optional_policy(` + mysql_stream_connect(httpd_suexec_t) + mysql_rw_db_sockets(httpd_suexec_t) + mysql_read_config(httpd_suexec_t) +') + ######################################## # # Apache system script local policy @@ -792,9 +960,13 @@ files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) +logging_inherit_append_all_logs(httpd_sys_script_t) + # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) +auth_use_nsswitch(httpd_sys_script_t) + ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') @@ -803,6 +975,22 @@ mta_send_mail(httpd_sys_script_t) ') +fs_cifs_entry_type(httpd_sys_script_t) +fs_read_iso9660_files(httpd_sys_script_t) +fs_nfs_entry_type(httpd_sys_script_t) + +tunable_policy(`httpd_use_nfs',` + fs_manage_nfs_dirs(httpd_sys_script_t) + fs_manage_nfs_files(httpd_sys_script_t) + fs_manage_nfs_symlinks(httpd_sys_script_t) + fs_exec_nfs_files(httpd_sys_script_t) + + fs_manage_nfs_dirs(httpd_suexec_t) + fs_manage_nfs_files(httpd_suexec_t) + fs_manage_nfs_symlinks(httpd_suexec_t) + fs_exec_nfs_files(httpd_suexec_t) +') + tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; @@ -830,6 +1018,16 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') +tunable_policy(`httpd_use_cifs',` + fs_manage_cifs_dirs(httpd_sys_script_t) + fs_manage_cifs_files(httpd_sys_script_t) + fs_manage_cifs_symlinks(httpd_sys_script_t) + fs_manage_cifs_dirs(httpd_suexec_t) + fs_manage_cifs_files(httpd_suexec_t) + fs_manage_cifs_symlinks(httpd_suexec_t) + fs_exec_cifs_files(httpd_suexec_t) +') + tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) @@ -842,6 +1040,7 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) + mysql_read_config(httpd_sys_script_t) ') optional_policy(` @@ -891,11 +1090,33 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; + manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) + manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) + manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t) + manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t) ') # allow accessing files/dirs below the users home dir tunable_policy(`httpd_enable_homedirs',` - userdom_search_user_home_dirs(httpd_t) - userdom_search_user_home_dirs(httpd_suexec_t) - userdom_search_user_home_dirs(httpd_user_script_t) + userdom_search_user_home_content(httpd_t) + userdom_search_user_home_content(httpd_suexec_t) + userdom_search_user_home_content(httpd_user_script_t) +') + +tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_user_script_t) + userdom_read_user_home_content_files(httpd_suexec_t) +') + +tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',` + userdom_read_user_home_content_files(httpd_t) ') + +# Removal of fastcgi, will cause problems without the following +typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; +typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t }; +typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t }; +typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t; +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.8.8/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/apcupsd.te 2010-07-30 14:06:53.000000000 -0400 @@ -94,6 +94,10 @@ ') optional_policy(` + shutdown_domtrans(apcupsd_t) +') + +optional_policy(` mta_send_mail(apcupsd_t) mta_system_content(apcupsd_tmp_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.if serefpolicy-3.8.8/policy/modules/services/apm.if --- nsaserefpolicy/policy/modules/services/apm.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/apm.if 2010-07-30 14:06:53.000000000 -0400 @@ -25,7 +25,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -43,7 +43,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.8.8/policy/modules/services/apm.te --- nsaserefpolicy/policy/modules/services/apm.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/apm.te 2010-07-30 14:06:53.000000000 -0400 @@ -62,6 +62,7 @@ dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; allow apmd_t self:process { signal_perms getsession }; allow apmd_t self:fifo_file rw_fifo_file_perms; +allow apmd_t self:netlink_socket create_socket_perms; allow apmd_t self:unix_dgram_socket create_socket_perms; allow apmd_t self:unix_stream_socket create_stream_socket_perms; @@ -81,6 +82,7 @@ kernel_read_system_state(apmd_t) kernel_write_proc_files(apmd_t) +dev_read_input(apmd_t) dev_read_realtime_clock(apmd_t) dev_read_urand(apmd_t) dev_rw_apm_bios(apmd_t) @@ -144,6 +146,10 @@ # ifconfig_exec_t needs to be run in its own domain for Red Hat optional_policy(` + sssd_search_lib(apmd_t) + ') + + optional_policy(` sysnet_domtrans_ifconfig(apmd_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.8.8/policy/modules/services/arpwatch.te --- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/arpwatch.te 2010-08-03 09:15:01.000000000 -0400 @@ -50,6 +50,7 @@ kernel_read_kernel_sysctls(arpwatch_t) kernel_list_proc(arpwatch_t) kernel_read_proc_symlinks(arpwatch_t) +kernel_request_load_module(arpwatch_t) corenet_all_recvfrom_unlabeled(arpwatch_t) corenet_all_recvfrom_netlabel(arpwatch_t) @@ -63,6 +64,7 @@ corenet_udp_sendrecv_all_ports(arpwatch_t) dev_read_sysfs(arpwatch_t) +dev_read_usbmon_dev(arpwatch_t) dev_rw_generic_usb_dev(arpwatch_t) fs_getattr_all_fs(arpwatch_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.8.8/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/asterisk.te 2010-07-30 14:06:53.000000000 -0400 @@ -99,6 +99,7 @@ corenet_tcp_bind_generic_node(asterisk_t) corenet_udp_bind_generic_node(asterisk_t) corenet_tcp_bind_asterisk_port(asterisk_t) +corenet_tcp_bind_sip_port(asterisk_t) corenet_udp_bind_asterisk_port(asterisk_t) corenet_udp_bind_sip_port(asterisk_t) corenet_sendrecv_asterisk_server_packets(asterisk_t) @@ -109,6 +110,7 @@ corenet_sendrecv_generic_server_packets(asterisk_t) corenet_tcp_connect_postgresql_port(asterisk_t) corenet_tcp_connect_snmp_port(asterisk_t) +corenet_tcp_connect_sip_port(asterisk_t) dev_rw_generic_usb_dev(asterisk_t) dev_read_sysfs(asterisk_t) @@ -147,6 +149,10 @@ ') optional_policy(` + postfix_domtrans_postdrop(asterisk_t) +') + +optional_policy(` postgresql_stream_connect(asterisk_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.8.8/policy/modules/services/automount.if --- nsaserefpolicy/policy/modules/services/automount.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/automount.if 2010-07-30 14:06:53.000000000 -0400 @@ -25,7 +25,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.8.8/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/automount.te 2010-07-30 14:06:53.000000000 -0400 @@ -145,6 +145,7 @@ # Run mount in the mount_t domain. mount_domtrans(automount_t) +mount_domtrans_showmount(automount_t) mount_signal(automount_t) userdom_dontaudit_use_unpriv_user_fds(automount_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.8.8/policy/modules/services/avahi.if --- nsaserefpolicy/policy/modules/services/avahi.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/avahi.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -25,7 +25,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -90,6 +90,7 @@ class dbus send_msg; ') + allow avahi_t $1:file read; allow $1 avahi_t:dbus send_msg; allow avahi_t $1:dbus send_msg; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.8.8/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/avahi.te 2010-07-30 14:06:53.000000000 -0400 @@ -37,10 +37,11 @@ manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file }) +manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) allow avahi_t avahi_var_run_t:dir setattr; -files_pid_filetrans(avahi_t, avahi_var_run_t, file) +files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file }) kernel_read_system_state(avahi_t) kernel_read_kernel_sysctls(avahi_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.8.8/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/bind.if 2010-08-12 16:43:18.000000000 -0400 @@ -308,6 +308,27 @@ ######################################## ## +## Read BIND zone files. +## +## +## +## Domain allowed access. +## +## +# +interface(`bind_read_log',` + gen_require(` + type named_zone_t; + type named_log_t; + ') + + files_search_var($1) + allow $1 named_zone_t:dir search_dir_perms; + read_files_pattern($1, named_log_t, named_log_t) +') + +######################################## +## ## Manage BIND zone files. ## ## @@ -359,9 +380,9 @@ interface(`bind_admin',` gen_require(` type named_t, named_tmp_t, named_log_t; - type named_conf_t, named_var_lib_t, named_var_run_t; + type named_conf_t, named_var_run_t; type named_cache_t, named_zone_t; - type dnssec_t, ndc_t; + type dnssec_t, ndc_t, named_keytab_t; type named_initrc_exec_t; ') @@ -391,8 +412,7 @@ admin_pattern($1, named_zone_t) admin_pattern($1, dnssec_t) - files_list_var_lib($1) - admin_pattern($1, named_var_lib_t) + admin_pattern($1, named_keytab_t) files_list_pids($1) admin_pattern($1, named_var_run_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.8.8/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/bind.te 2010-07-30 14:06:53.000000000 -0400 @@ -89,9 +89,10 @@ manage_files_pattern(named_t, named_tmp_t, named_tmp_t) files_tmp_filetrans(named_t, named_tmp_t, { file dir }) +manage_dirs_pattern(named_t, named_var_run_t, named_var_run_t) manage_files_pattern(named_t, named_var_run_t, named_var_run_t) manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t) -files_pid_filetrans(named_t, named_var_run_t, { file sock_file }) +files_pid_filetrans(named_t, named_var_run_t, { file sock_file dir }) # read zone files allow named_t named_zone_t:dir list_dir_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.8.8/policy/modules/services/bitlbee.te --- nsaserefpolicy/policy/modules/services/bitlbee.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/bitlbee.te 2010-07-30 14:06:53.000000000 -0400 @@ -27,6 +27,7 @@ # Local policy # # +allow bitlbee_t self:capability { setgid setuid }; allow bitlbee_t self:udp_socket create_socket_perms; allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms }; @@ -80,6 +81,10 @@ libs_legacy_use_shared_libs(bitlbee_t) +auth_use_nsswitch(bitlbee_t) + +logging_send_syslog_msg(bitlbee_t) + miscfiles_read_localization(bitlbee_t) sysnet_dns_name_resolve(bitlbee_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.8.8/policy/modules/services/bluetooth.if --- nsaserefpolicy/policy/modules/services/bluetooth.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/bluetooth.if 2010-07-30 14:06:53.000000000 -0400 @@ -64,7 +64,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -117,11 +117,32 @@ ######################################## ## +## dontaudit Send and receive messages from +## bluetooth over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`bluetooth_dontaudit_dbus_chat',` + gen_require(` + type bluetooth_t; + class dbus send_msg; + ') + + dontaudit $1 bluetooth_t:dbus send_msg; + dontaudit bluetooth_t $1:dbus send_msg; +') + +######################################## +## ## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated) ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -136,7 +157,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -194,7 +215,7 @@ interface(`bluetooth_admin',` gen_require(` type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; - type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t; + type bluetooth_var_lib_t, bluetooth_var_run_t; type bluetooth_conf_t, bluetooth_conf_rw_t; type bluetooth_initrc_exec_t; ') @@ -217,9 +238,6 @@ admin_pattern($1, bluetooth_conf_t) admin_pattern($1, bluetooth_conf_rw_t) - files_list_spool($1) - admin_pattern($1, bluetooth_spool_t) - files_list_var_lib($1) admin_pattern($1, bluetooth_var_lib_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.8.8/policy/modules/services/boinc.fc --- nsaserefpolicy/policy/modules/services/boinc.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/boinc.fc 2010-08-10 07:13:34.000000000 -0400 @@ -0,0 +1,8 @@ + +/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) + +/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) + +/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) +/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) +/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.if serefpolicy-3.8.8/policy/modules/services/boinc.if --- nsaserefpolicy/policy/modules/services/boinc.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/boinc.if 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,151 @@ + +## policy for boinc + +######################################## +## +## Execute a domain transition to run boinc. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`boinc_domtrans',` + gen_require(` + type boinc_t, boinc_exec_t; + ') + + domtrans_pattern($1, boinc_exec_t, boinc_t) +') + +####################################### +## +## Execute boinc server in the boinc domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`boinc_initrc_domtrans',` + gen_require(` + type boinc_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, boinc_initrc_exec_t) +') + +######################################## +## +## Search boinc lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`boinc_search_lib',` + gen_require(` + type boinc_var_lib_t; + ') + + allow $1 boinc_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Read boinc lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`boinc_read_lib_files',` + gen_require(` + type boinc_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) +') + +######################################## +## +## Create, read, write, and delete +## boinc lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`boinc_manage_lib_files',` + gen_require(` + type boinc_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) +') + +######################################## +## +## Manage boinc var_lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`boinc_manage_var_lib',` + gen_require(` + type boinc_var_lib_t; + ') + + manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t) + manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) + manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) +') + +######################################## +## +## All of the rules required to administrate +## an boinc environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`boinc_admin',` + gen_require(` + type boinc_t, boinc_initrc_exec_t; + type boinc_var_lib_t; + ') + + allow $1 boinc_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, boinc_t, boinc_t) + + boinc_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 boinc_initrc_exec_t system_r; + allow $2 system_r; + + files_list_var_lib($1) + admin_pattern($1, boinc_var_lib_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.8.8/policy/modules/services/boinc.te --- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/boinc.te 2010-08-20 07:29:39.000000000 -0400 @@ -0,0 +1,146 @@ +policy_module(boinc,1.0.0) + +######################################## +# +# Declarations +# + +type boinc_t; +type boinc_exec_t; +init_daemon_domain(boinc_t, boinc_exec_t) + +type boinc_initrc_exec_t; +init_script_file(boinc_initrc_exec_t) + +type boinc_tmp_t; +files_tmp_file(boinc_tmp_t) + +type boinc_tmpfs_t; +files_tmpfs_file(boinc_tmpfs_t) + +type boinc_var_lib_t; +files_type(boinc_var_lib_t) + +type boinc_project_t; +domain_type(boinc_project_t) +role system_r types boinc_project_t; + +permissive boinc_project_t; + +type boinc_project_var_lib_t; +files_type(boinc_project_var_lib_t) + +######################################## +# +# boinc local policy +# + +allow boinc_t self:capability { kill }; +allow boinc_t self:process { setsched }; + +allow boinc_t self:fifo_file rw_fifo_file_perms; +allow boinc_t self:unix_stream_socket create_stream_socket_perms; +allow boinc_t self:tcp_socket create_stream_socket_perms; +allow boinc_t self:sem create_sem_perms; +allow boinc_t self:shm create_shm_perms; + +manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) +manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) +files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) + +manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) +fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t,file) + +exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) +manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) +manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) +files_var_lib_filetrans(boinc_t, boinc_var_lib_t, { file dir } ) + +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) + +kernel_read_system_state(boinc_t) + +files_getattr_all_dirs(boinc_t) +files_getattr_all_files(boinc_t) + +corecmd_exec_bin(boinc_t) +corecmd_exec_shell(boinc_t) + +corenet_all_recvfrom_unlabeled(boinc_t) +corenet_all_recvfrom_netlabel(boinc_t) +corenet_tcp_sendrecv_generic_if(boinc_t) +corenet_udp_sendrecv_generic_if(boinc_t) +corenet_tcp_sendrecv_generic_node(boinc_t) +corenet_udp_sendrecv_generic_node(boinc_t) +corenet_tcp_sendrecv_all_ports(boinc_t) +corenet_udp_sendrecv_all_ports(boinc_t) +corenet_tcp_bind_generic_node(boinc_t) +corenet_udp_bind_generic_node(boinc_t) +corenet_tcp_bind_boinc_port(boinc_t) +corenet_tcp_connect_boinc_port(boinc_t) +corenet_tcp_connect_http_port(boinc_t) +corenet_tcp_connect_http_cache_port(boinc_t) + +dev_list_sysfs(boinc_t) +dev_read_rand(boinc_t) +dev_read_urand(boinc_t) +dev_read_sysfs(boinc_t) + +domain_read_all_domains_state(boinc_t) + +files_dontaudit_getattr_boot_dirs(boinc_t) + +files_read_etc_files(boinc_t) +files_read_usr_files(boinc_t) + +fs_getattr_all_fs(boinc_t) + +term_dontaudit_getattr_ptmx(boinc_t) + +miscfiles_read_localization(boinc_t) +miscfiles_read_certs(boinc_t) + +logging_send_syslog_msg(boinc_t) + +sysnet_dns_name_resolve(boinc_t) + +mta_send_mail(boinc_t) + +######################################## +# +# boinc-projects local policy +# + +domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) +allow boinc_t boinc_project_t:process sigkill; + +allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop }; +allow boinc_project_t self:process { execmem execstack }; + +allow boinc_project_t self:fifo_file rw_fifo_file_perms; + +allow boinc_project_t boinc_project_var_lib_t:file entrypoint; +exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir }) + +allow boinc_project_t boinc_project_var_lib_t:file execmod; + +allow boinc_project_t boinc_t:shm rw_shm_perms; +allow boinc_project_t boinc_tmpfs_t:file { read write }; + +rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) + +kernel_read_system_state(boinc_project_t) +kernel_read_kernel_sysctls(boinc_project_t) +kernel_search_vm_sysctl(boinc_project_t) +kernel_read_network_state(boinc_project_t) + +corenet_tcp_connect_boinc_port(boinc_project_t) + +dev_rw_xserver_misc(boinc_project_t) + +miscfiles_read_localization(boinc_project_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.fc serefpolicy-3.8.8/policy/modules/services/bugzilla.fc --- nsaserefpolicy/policy/modules/services/bugzilla.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/bugzilla.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,4 @@ + +/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) +/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) +/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.if serefpolicy-3.8.8/policy/modules/services/bugzilla.if --- nsaserefpolicy/policy/modules/services/bugzilla.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/bugzilla.if 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,81 @@ +## Bugzilla server + +######################################## +## +## Allow the specified domain to search +## bugzilla directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`bugzilla_search_dirs',` + gen_require(` + type httpd_bugzilla_content_t; + ') + + allow $1 httpd_bugzilla_content_t:dir search_dir_perms; +') + +######################################## +## +## Do not audit attempts to read and write +## bugzilla script unix domain stream sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`bugzilla_dontaudit_rw_script_stream_sockets',` + gen_require(` + type httpd_bugzilla_script_t; + ') + + dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write }; +') + +######################################## +## +## All of the rules required to administrate +## an bugzilla environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the bugzilla domain. +## +## +## +# +interface(`bugzilla_admin',` + gen_require(` + type httpd_bugzilla_script_t; + type httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t; + type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t; + type httpd_bugzilla_script_exec_t, httpd_bugzilla_htaccess_t; + ') + + allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms }; + ps_process_pattern($1, httpd_bugzilla_script_t) + + files_list_tmp($1) + admin_pattern($1, httpd_bugzilla_tmp_t) + + files_search_var_lib(httpd_bugzilla_script_t) + + apache_search_sys_content($1) + admin_pattern($1, httpd_bugzilla_script_exec_t) + admin_pattern($1, httpd_bugzilla_script_t) + admin_pattern($1, httpd_bugzilla_content_t) + admin_pattern($1, httpd_bugzilla_htaccess_t) + admin_pattern($1, httpd_bugzilla_rw_content_t) + admin_pattern($1, httpd_bugzilla_ra_content_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.te serefpolicy-3.8.8/policy/modules/services/bugzilla.te --- nsaserefpolicy/policy/modules/services/bugzilla.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/bugzilla.te 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,56 @@ +policy_module(bugzilla, 1.0) + +######################################## +# +# Declarations +# + +apache_content_template(bugzilla) + +type httpd_bugzilla_tmp_t; +files_tmp_file(httpd_bugzilla_tmp_t) + +######################################## +# +# bugzilla local policy +# + +allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms; +allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms; +allow httpd_bugzilla_script_t self:udp_socket create_socket_perms; + +corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t) +corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) +corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t) +corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t) +corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t) +corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t) +corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t) +corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t) +corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t) +corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t) +corenet_tcp_connect_http_port(httpd_bugzilla_script_t) +corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) +corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t) +corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t) + +manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) +manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) +files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir }) + +files_search_var_lib(httpd_bugzilla_script_t) + +mta_send_mail(httpd_bugzilla_script_t) + +sysnet_read_config(httpd_bugzilla_script_t) +sysnet_use_ldap(httpd_bugzilla_script_t) + +optional_policy(` + mysql_search_db(httpd_bugzilla_script_t) + mysql_stream_connect(httpd_bugzilla_script_t) +') + +optional_policy(` + postgresql_stream_connect(httpd_bugzilla_script_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.8.8/policy/modules/services/cachefilesd.fc --- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/cachefilesd.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,29 @@ +############################################################################### +# +# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved. +# Written by David Howells (dhowells@redhat.com) +# Karl MacMillan (kmacmill@redhat.com) +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version +# 2 of the License, or (at your option) any later version. +# +############################################################################### + +# +# Define the contexts to be assigned to various files and directories of +# importance to the CacheFiles kernel module and userspace management daemon. +# + +# cachefilesd executable will have: +# label: system_u:object_r:cachefilesd_exec_t +# MLS sensitivity: s0 +# MCS categories: + +/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0) +/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0) +/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) +/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) + +/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.8.8/policy/modules/services/cachefilesd.if --- nsaserefpolicy/policy/modules/services/cachefilesd.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/cachefilesd.if 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,41 @@ +############################################################################### +# +# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved. +# Written by David Howells (dhowells@redhat.com) +# Karl MacMillan (kmacmill@redhat.com) +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version +# 2 of the License, or (at your option) any later version. +# +############################################################################### + +# +# Define the policy interface for the CacheFiles userspace management daemon. +# + +## policy for cachefilesd + +######################################## +## +## Execute a domain transition to run cachefilesd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`cachefilesd_domtrans',` + gen_require(` + type cachefilesd_t, cachefilesd_exec_t; + ') + + domain_auto_trans($1,cachefilesd_exec_t,cachefilesd_t) + + allow $1 cachefilesd_t:fd use; + allow cachefilesd_t $1:fd use; + allow cachefilesd_t $1:fifo_file rw_file_perms; + allow cachefilesd_t $1:process sigchld; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.8.8/policy/modules/services/cachefilesd.te --- nsaserefpolicy/policy/modules/services/cachefilesd.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/cachefilesd.te 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,147 @@ +############################################################################### +# +# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved. +# Written by David Howells (dhowells@redhat.com) +# Karl MacMillan (kmacmill@redhat.com) +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version +# 2 of the License, or (at your option) any later version. +# +############################################################################### + +# +# This security policy governs access by the CacheFiles kernel module and +# userspace management daemon to the files and directories in the on-disk +# cache, on behalf of the processes accessing the cache through a network +# filesystem such as NFS +# +policy_module(cachefilesd,1.0.17) + +############################################################################### +# +# Declarations +# +require { type kernel_t; } + +# +# Files in the cache are created by the cachefiles module with security ID +# cachefiles_var_t +# +type cachefiles_var_t; +files_type(cachefiles_var_t) + +# +# The /dev/cachefiles character device has security ID cachefiles_dev_t +# +type cachefiles_dev_t; +dev_node(cachefiles_dev_t) + +# +# The cachefilesd daemon normally runs with security ID cachefilesd_t +# +type cachefilesd_t; +type cachefilesd_exec_t; +domain_type(cachefilesd_t) +init_daemon_domain(cachefilesd_t, cachefilesd_exec_t) + +# +# The cachefilesd daemon pid file context +# +type cachefilesd_var_run_t; +files_pid_file(cachefilesd_var_run_t) + +# +# The CacheFiles kernel module causes processes accessing the cache files to do +# so acting as security ID cachefiles_kernel_t +# +type cachefiles_kernel_t; +domain_type(cachefiles_kernel_t) +domain_obj_id_change_exemption(cachefiles_kernel_t) +role system_r types cachefiles_kernel_t; + +############################################################################### +# +# Permit RPM to deal with files in the cache +# +rpm_use_script_fds(cachefilesd_t) + +############################################################################### +# +# cachefilesd local policy +# +# These define what cachefilesd is permitted to do. This doesn't include very +# much: startup stuff, logging, pid file, scanning the cache superstructure and +# deleting files from the cache. It is not permitted to read/write files in +# the cache. +# +# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow +# rules. +# +allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override }; + +# Basic access +files_read_etc_files(cachefilesd_t) +libs_use_ld_so(cachefilesd_t) +libs_use_shared_libs(cachefilesd_t) +miscfiles_read_localization(cachefilesd_t) +logging_send_syslog_msg(cachefilesd_t) +init_dontaudit_use_script_ptys(cachefilesd_t) +term_dontaudit_use_generic_ptys(cachefilesd_t) +term_dontaudit_getattr_unallocated_ttys(cachefilesd_t) + +# Allow manipulation of pid file +allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms; +manage_files_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t) +manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t) +files_pid_file(cachefilesd_var_run_t) +files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file) +files_create_as_is_all_files(cachefilesd_t) + +# Allow access to cachefiles device file +allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms; + +# Allow access to cache superstructure +allow cachefilesd_t cachefiles_var_t : dir { rw_dir_perms rmdir }; +allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink }; + +# Permit statfs on the backing filesystem +fs_getattr_xattr_fs(cachefilesd_t) + +############################################################################### +# +# When cachefilesd invokes the kernel module to begin caching, it has to tell +# the kernel module the security context in which it should act, and this +# policy has to approve that. +# +# There are two parts to this: +# +# (1) the security context used by the module to access files in the cache, +# as set by the 'secctx' command in /etc/cachefilesd.conf, and +# +allow cachefilesd_t cachefiles_kernel_t : kernel_service { use_as_override }; + +# +# (2) the label that will be assigned to new files and directories created in +# the cache by the module, which will be the same as the label on the +# directory pointed to by the 'dir' command. +# +allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as }; + +############################################################################### +# +# cachefiles kernel module local policy +# +# This governs what the kernel module is allowed to do the contents of the +# cache. +# +allow cachefiles_kernel_t self:capability { dac_override dac_read_search }; +allow cachefiles_kernel_t initrc_t:process sigchld; + +manage_dirs_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t) +manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t) + +fs_getattr_xattr_fs(cachefiles_kernel_t) + +dev_search_sysfs(cachefiles_kernel_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.te serefpolicy-3.8.8/policy/modules/services/canna.te --- nsaserefpolicy/policy/modules/services/canna.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/canna.te 2010-07-30 14:06:53.000000000 -0400 @@ -42,9 +42,10 @@ manage_lnk_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) files_var_lib_filetrans(canna_t, canna_var_lib_t, file) +manage_dirs_pattern(canna_t, canna_var_run_t, canna_var_run_t) manage_files_pattern(canna_t, canna_var_run_t, canna_var_run_t) manage_sock_files_pattern(canna_t, canna_var_run_t, canna_var_run_t) -files_pid_filetrans(canna_t, canna_var_run_t, { file sock_file }) +files_pid_filetrans(canna_t, canna_var_run_t, { dir file sock_file }) kernel_read_kernel_sysctls(canna_t) kernel_read_system_state(canna_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.8.8/policy/modules/services/ccs.te --- nsaserefpolicy/policy/modules/services/ccs.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ccs.te 2010-07-30 14:06:53.000000000 -0400 @@ -118,5 +118,10 @@ ') optional_policy(` + qpidd_rw_semaphores(ccs_t) + qpidd_rw_shm(ccs_t) +') + +optional_policy(` unconfined_use_fds(ccs_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.8.8/policy/modules/services/certmaster.if --- nsaserefpolicy/policy/modules/services/certmaster.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/certmaster.if 2010-07-30 14:06:53.000000000 -0400 @@ -18,6 +18,25 @@ domtrans_pattern($1, certmaster_exec_t, certmaster_t) ') +#################################### +## +## Execute certmaster. +## +## +## +## Domain allowed access. +## +## +# +interface(`certmaster_exec',` + gen_require(` + type certmaster_exec_t; + ') + + can_exec($1, certmaster_exec_t) + corecmd_search_bin($1) +') + ####################################### ## ## read certmaster logs. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.8.8/policy/modules/services/certmonger.if --- nsaserefpolicy/policy/modules/services/certmonger.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/certmonger.if 2010-07-30 14:06:53.000000000 -0400 @@ -45,7 +45,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -167,8 +167,8 @@ allow $2 system_r; files_search_var_lib($1) - admin_pattern($1, cermonger_var_lib_t) + admin_pattern($1, certmonger_var_lib_t) files_search_pids($1) - admin_pattern($1, cermonger_var_run_t) + admin_pattern($1, certmonger_var_run_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.8.8/policy/modules/services/certmonger.te --- nsaserefpolicy/policy/modules/services/certmonger.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/certmonger.te 2010-07-30 14:06:53.000000000 -0400 @@ -68,5 +68,5 @@ ') optional_policy(` - unconfined_dbus_send(certmonger_t) + pcscd_stream_connect(certmonger_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.8.8/policy/modules/services/cgroup.te --- nsaserefpolicy/policy/modules/services/cgroup.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/cgroup.te 2010-08-10 07:20:55.000000000 -0400 @@ -18,8 +18,8 @@ type cgrules_etc_t; files_config_file(cgrules_etc_t) -type cgconfig_t; -type cgconfig_exec_t; +type cgconfig_t alias cgconfigparser_t; +type cgconfig_exec_t alias cgconfigparser_exec_t; init_daemon_domain(cgconfig_t, cgconfig_exec_t) type cgconfig_initrc_exec_t; @@ -33,7 +33,7 @@ # cgconfig personal policy. # -allow cgconfig_t self:capability { chown sys_admin }; +allow cgconfig_t self:capability { dac_override fowner chown sys_admin }; allow cgconfig_t cgconfig_etc_t:file read_file_perms; @@ -53,7 +53,7 @@ # cgred personal policy. # -allow cgred_t self:capability { net_admin sys_ptrace dac_override }; +allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override }; allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; @@ -65,6 +65,7 @@ kernel_read_system_state(cgred_t) domain_read_all_domains_state(cgred_t) +domain_setpriority_all_domains(cgred_t) files_getattr_all_files(cgred_t) files_getattr_all_sockets(cgred_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.8.8/policy/modules/services/chronyd.if --- nsaserefpolicy/policy/modules/services/chronyd.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/chronyd.if 2010-07-30 14:06:53.000000000 -0400 @@ -19,6 +19,24 @@ domtrans_pattern($1, chronyd_exec_t, chronyd_t) ') +######################################## +## +## Execute chronyd server in the chronyd domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`chronyd_initrc_domtrans',` + gen_require(` + type chronyd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, chronyd_initrc_exec_t) +') + #################################### ## ## Execute chronyd @@ -56,6 +74,64 @@ read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t) ') +######################################## +## +## Read and write chronyd shared memory. +## +## +## +## Domain allowed access. +## +## +# +interface(`chronyd_rw_shm',` + gen_require(` + type chronyd_t, chronyd_tmpfs_t; + ') + + allow $1 chronyd_t:shm rw_shm_perms; + allow $1 chronyd_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t) + read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t) + fs_search_tmpfs($1) +') + +######################################## +## +## Read chronyd keys files. +## +## +## +## Domain allowed access. +## +## +# +interface(`chronyd_read_keys',` + gen_require(` + type chronyd_keys_t; + ') + + read_files_pattern($1, chronyd_keys_t, chronyd_keys_t) +') + +######################################## +## +## Append chronyd keys files. +## +## +## +## Domain allowed access. +## +## +# +interface(`chronyd_append_keys',` + gen_require(` + type chronyd_keys_t; + ') + + append_files_pattern($1, chronyd_keys_t, chronyd_keys_t) +') + #################################### ## ## All of the rules required to administrate @@ -77,6 +153,7 @@ gen_require(` type chronyd_t, chronyd_var_log_t; type chronyd_var_run_t, chronyd_var_lib_t; + type chronyd_tmpfs_t; type chronyd_initrc_exec_t, chronyd_keys_t; ') @@ -100,6 +177,5 @@ files_search_pids($1) admin_pattern($1, chronyd_var_run_t) - files_search_tmp($1) - admin_pattern($1, chronyd_tmp_t) + admin_pattern($1, chronyd_tmpfs_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.8.8/policy/modules/services/chronyd.te --- nsaserefpolicy/policy/modules/services/chronyd.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/chronyd.te 2010-07-30 14:06:53.000000000 -0400 @@ -15,6 +15,9 @@ type chronyd_keys_t; files_type(chronyd_keys_t) +type chronyd_tmpfs_t; +files_tmpfs_file(chronyd_tmpfs_t) + type chronyd_var_lib_t; files_type(chronyd_var_lib_t) @@ -37,6 +40,10 @@ allow chronyd_t chronyd_keys_t:file read_file_perms; +manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) +manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) +fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file }) + manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) @@ -50,6 +57,7 @@ manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) files_pid_filetrans(chronyd_t, chronyd_var_run_t, file) +corenet_udp_bind_generic_node(chronyd_t) corenet_udp_bind_ntp_port(chronyd_t) # bind to udp/323 corenet_udp_bind_chronyd_port(chronyd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.8.8/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/clamav.te 2010-08-18 19:16:59.000000000 -0400 @@ -80,6 +80,7 @@ files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir }) # var/lib files for clamd +manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) @@ -89,9 +90,10 @@ logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file }) # pid file +manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) -files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir }) +files_pid_filetrans(clamd_t, clamd_var_run_t, { sock_file file dir }) kernel_dontaudit_list_proc(clamd_t) kernel_read_sysctl(clamd_t) @@ -147,8 +149,10 @@ tunable_policy(`clamd_use_jit',` allow clamd_t self:process execmem; + allow clamscan_t self:process execmem; ', ` dontaudit clamd_t self:process execmem; + dontaudit clamscan_t self:process execmem; ') ######################################## @@ -182,6 +186,9 @@ allow freshclam_t clamd_var_log_t:dir search_dir_perms; logging_log_filetrans(freshclam_t, freshclam_var_log_t, file) +kernel_read_kernel_sysctls(freshclam_t) +kernel_read_system_state(freshclam_t) + corenet_all_recvfrom_unlabeled(freshclam_t) corenet_all_recvfrom_netlabel(freshclam_t) corenet_tcp_sendrecv_generic_if(freshclam_t) @@ -189,6 +196,7 @@ corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) +corenet_tcp_connect_clamd_port(freshclam_t) corenet_sendrecv_http_client_packets(freshclam_t) dev_read_rand(freshclam_t) @@ -207,6 +215,8 @@ clamav_stream_connect(freshclam_t) +userdom_stream_connect(freshclam_t) + optional_policy(` cron_system_entry(freshclam_t, freshclam_exec_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.fc serefpolicy-3.8.8/policy/modules/services/cmirrord.fc --- nsaserefpolicy/policy/modules/services/cmirrord.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/cmirrord.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,6 @@ + +/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0) + +/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0) + +/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.if serefpolicy-3.8.8/policy/modules/services/cmirrord.if --- nsaserefpolicy/policy/modules/services/cmirrord.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/cmirrord.if 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,118 @@ + +## policy for cmirrord + +######################################## +## +## Execute a domain transition to run cmirrord. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`cmirrord_domtrans',` + gen_require(` + type cmirrord_t, cmirrord_exec_t; + ') + + domtrans_pattern($1, cmirrord_exec_t, cmirrord_t) +') + +######################################## +## +## Execute cmirrord server in the cmirrord domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`cmirrord_initrc_domtrans',` + gen_require(` + type cmirrord_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, cmirrord_initrc_exec_t) +') + +######################################## +## +## Read cmirrord PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cmirrord_read_pid_files',` + gen_require(` + type cmirrord_var_run_t; + ') + + files_search_pids($1) + allow $1 cmirrord_var_run_t:file read_file_perms; +') + +####################################### +## +## Read and write to cmirrord shared memory. +## +## +## +## Domain allowed access. +## +## +# +interface(`cmirrord_rw_shm',` + gen_require(` + type cmirrord_t; + type cmirrord_tmpfs_t; + ') + + allow $1 cmirrord_t:shm { rw_shm_perms destroy }; + allow $1 cmirrord_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) + delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) + read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) + fs_search_tmpfs($1) +') + +######################################## +## +## All of the rules required to administrate +## an cmirrord environment +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`cmirrord_admin',` + gen_require(` + type cmirrord_t; + type cmirrord_initrc_exec_t; + type cmirrord_var_run_t; + ') + + allow $1 cmirrord_t:process { ptrace signal_perms }; + ps_process_pattern($1, cmirrord_t) + + cmirrord_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 cmirrord_initrc_exec_t system_r; + allow $2 system_r; + + files_search_pids($1) + admin_pattern($1, cmirrord_var_run_t) + +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.te serefpolicy-3.8.8/policy/modules/services/cmirrord.te --- nsaserefpolicy/policy/modules/services/cmirrord.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/cmirrord.te 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,56 @@ +policy_module(cmirrord,1.0.0) + +######################################## +# +# Declarations +# + +type cmirrord_t; +type cmirrord_exec_t; +init_daemon_domain(cmirrord_t, cmirrord_exec_t) + +permissive cmirrord_t; + +type cmirrord_initrc_exec_t; +init_script_file(cmirrord_initrc_exec_t) + +type cmirrord_tmpfs_t; +files_tmpfs_file(cmirrord_tmpfs_t) + +type cmirrord_var_run_t; +files_pid_file(cmirrord_var_run_t) + +######################################## +# +# cmirrord local policy +# + +allow cmirrord_t self:capability { net_admin kill }; +allow cmirrord_t self:process signal; + +allow cmirrord_t self:fifo_file rw_fifo_file_perms; + +allow cmirrord_t self:sem create_sem_perms; +allow cmirrord_t self:shm create_shm_perms; +allow cmirrord_t self:netlink_socket create_socket_perms; +allow cmirrord_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) +manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) +fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file }) + +manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t) +manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t) +files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, { file }) + +domain_use_interactive_fds(cmirrord_t) + +files_read_etc_files(cmirrord_t) + +logging_send_syslog_msg(cmirrord_t) + +miscfiles_read_localization(cmirrord_t) + +optional_policy(` + corosync_stream_connect(cmirrord_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.8.8/policy/modules/services/cobbler.fc --- nsaserefpolicy/policy/modules/services/cobbler.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/cobbler.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,7 +1,32 @@ -/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0) -/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0) -/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0) +/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0) + +/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0) + +/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0) + +/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) + +/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) +/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) +/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_content_t,s0) +/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_content_t,s0) +/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) +/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_content_t,s0) +/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) +/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) +/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_content_t,s0) + +/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0) + +# This should removable when cobbler package installs /var/www/cobbler/rendered +/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0) + +/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) +/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) +/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) +/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) +/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) +/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) +/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) -/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0) -/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.8.8/policy/modules/services/cobbler.if --- nsaserefpolicy/policy/modules/services/cobbler.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/cobbler.if 2010-07-30 14:06:53.000000000 -0400 @@ -1,14 +1,4 @@ ## Cobbler installation server. -## -##

-## Cobbler is a Linux installation server that allows for -## rapid setup of network installation environments. It -## glues together and automates many associated Linux -## tasks so you do not have to hop between lots of various -## commands and applications when rolling out new systems, -## and, in some cases, changing existing ones. -##

-## ######################################## ## @@ -26,6 +16,7 @@ ') domtrans_pattern($1, cobblerd_exec_t, cobblerd_t) + corecmd_search_bin($1) ') ######################################## @@ -34,7 +25,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed to transition. ## ## # @@ -48,7 +39,7 @@ ######################################## ## -## Read Cobbler content in /etc +## List Cobbler configuration. ## ## ## @@ -56,19 +47,18 @@ ## ## # -interface(`cobbler_read_config',` +interface(`cobbler_list_config',` gen_require(` type cobbler_etc_t; ') - read_files_pattern($1, cobbler_etc_t, cobbler_etc_t); + list_dirs_pattern($1, cobbler_content_t, cobbler_content_t) files_search_etc($1) ') ######################################## ## -## Do not audit attempts to read and write -## Cobbler log files (leaked fd). +## Read Cobbler configuration files. ## ## ## @@ -76,17 +66,18 @@ ## ## # -interface(`cobbler_dontaudit_rw_log',` +interface(`cobbler_read_config',` gen_require(` - type cobbler_var_log_t; + type cobbler_etc_t; ') - dontaudit $1 cobbler_var_log_t:file rw_file_perms; + read_files_pattern($1, cobbler_etc_t, cobbler_etc_t) + files_search_etc($1) ') ######################################## ## -## Search cobbler dirs in /var/lib +## Manage cobbler content. ## ## ## @@ -94,18 +85,20 @@ ## ## # -interface(`cobbler_search_lib',` +interface(`cobbler_manage_content',` gen_require(` - type cobbler_var_lib_t; + type cobbler_content_t; ') - search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + manage_dirs_pattern($1, cobbler_content_t, cobbler_content_t) + manage_files_pattern($1, cobbler_content_t, cobbler_content_t) + manage_lnk_files_pattern($1, cobbler_content_t, cobbler_content_t) files_search_var_lib($1) ') ######################################## ## -## Read cobbler files in /var/lib +## Read cobbler content. ## ## ## @@ -113,18 +106,19 @@ ## ## # -interface(`cobbler_read_lib_files',` +interface(`cobbler_read_content',` gen_require(` - type cobbler_var_lib_t; + type cobbler_content_t; ') - read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + read_files_pattern($1, cobbler_content_t, cobbler_content_t) + read_lnk_files_pattern($1, cobbler_content_t, cobbler_content_t) files_search_var_lib($1) ') ######################################## ## -## Manage cobbler files in /var/lib +## Search cobbler content. ## ## ## @@ -132,17 +126,56 @@ ## ## # -interface(`cobbler_manage_lib_files',` +interface(`cobbler_search_content',` gen_require(` - type cobbler_var_lib_t; + type cobbler_content_t; ') - manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + search_dirs_pattern($1, cobbler_content_t, cobbler_content_t) + read_lnk_files_pattern($1, cobbler_content_t, cobbler_content_t) files_search_var_lib($1) ') ######################################## ## +## Read and write Cobbler log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cobbler_rw_log',` + gen_require(` + type cobbler_var_log_t; + ') + + rw_files_pattern($1, cobbler_var_log_t, cobbler_var_log_t) + logging_search_logs($1) +') + +######################################## +## +## Do not audit attempts to read and write +## Cobbler log files (leaked fd). +## +## +## +## Domain allowed access. +## +## +# +interface(`cobbler_dontaudit_rw_log',` + gen_require(` + type cobbler_var_log_t; + ') + + dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms; +') + +######################################## +## ## All of the rules required to administrate ## an cobblerd environment ## @@ -160,26 +193,44 @@ # interface(`cobblerd_admin',` gen_require(` - type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; - type cobbler_etc_t, cobblerd_initrc_exec_t; + type cobblerd_t, cobbler_var_log_t; + type cobbler_etc_t, cobblerd_initrc_exec_t, cobbler_content_t; ') allow $1 cobblerd_t:process { ptrace signal_perms getattr }; read_files_pattern($1, cobblerd_t, cobblerd_t) - files_search_etc($1) + cobblerd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 cobblerd_initrc_exec_t system_r; + allow $2 system_r; + admin_pattern($1, cobbler_etc_t) + files_search_etc($1) + admin_pattern($1, cobbler_content_t) files_list_var_lib($1) - admin_pattern($1, cobbler_var_lib_t) - logging_search_logs($1) admin_pattern($1, cobbler_var_log_t) + logging_search_logs($1) - admin_pattern($1, httpd_cobbler_content_rw_t) + # below may want to be removed. + tunable_policy(`cobbler_anon_write',` + miscfiles_manage_public_files($1) + ') - cobblerd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 cobblerd_initrc_exec_t system_r; - allow $2 system_r; + optional_policy(` + gen_require(` + type httpd_cobbler_content_t; + ') + + # manage /var/www/cobbler + admin_pattern($1, httpd_cobbler_content_t) + apache_search_sys_content($1) + ') + + optional_policy(` + # traverse /var/lib/tftpdir to get to cobbler_content_t there. + tftp_search_rw_content($1) + ') ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.8.8/policy/modules/services/cobbler.te --- nsaserefpolicy/policy/modules/services/cobbler.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/cobbler.te 2010-08-05 09:43:50.000000000 -0400 @@ -1,3 +1,4 @@ + policy_module(cobbler, 1.1.0) ######################################## @@ -7,11 +8,33 @@ ## ##

-## Allow Cobbler to modify public files -## used for public file transfer services. +## Allow Cobbler to modify public files +## used for public file transfer services. ##

## gen_tunable(cobbler_anon_write, false) + +## +##

+## Allow Cobbler to connect to the +## network using TCP. +##

+## +gen_tunable(cobbler_can_network_connect, false) + +## +##

+## Allow Cobbler to access cifs file systems. +##

+## +gen_tunable(cobbler_use_cifs, false) + +## +##

+## Allow Cobbler to access nfs file systems. +##

+## +gen_tunable(cobbler_use_nfs, false) type cobblerd_t; type cobblerd_exec_t; @@ -23,28 +46,46 @@ type cobbler_etc_t; files_config_file(cobbler_etc_t) +type cobbler_content_t; +typealias cobbler_content_t alias cobbler_var_lib_t; +files_type(cobbler_content_t) + type cobbler_var_log_t; logging_log_file(cobbler_var_log_t) -type cobbler_var_lib_t; -files_type(cobbler_var_lib_t) +type cobbler_tmp_t; +files_tmp_file(cobbler_tmp_t) + +# Cobbler check is not supported and is silently ignored. ######################################## # -# Cobbler personal policy. +# Cobbler local policy. # -allow cobblerd_t self:capability { chown dac_override fowner sys_nice }; +allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice }; +dontaudit cobblerd_t self:capability { sys_ptrace sys_tty_config }; + allow cobblerd_t self:process { getsched setsched signal }; allow cobblerd_t self:fifo_file rw_fifo_file_perms; +allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms; allow cobblerd_t self:tcp_socket create_stream_socket_perms; +allow cobblerd_t self:udp_socket create_socket_perms; +allow cobblerd_t self:unix_dgram_socket create_socket_perms; list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) -manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) -manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) -files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file }) +# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_content_t dir to httpd_sys_content_t. +dontaudit cobblerd_t cobbler_content_t:dir relabel_dir_perms; + +manage_dirs_pattern(cobblerd_t, cobbler_content_t, cobbler_content_t) +manage_files_pattern(cobblerd_t, cobbler_content_t, cobbler_content_t) +manage_lnk_files_pattern(cobblerd_t, cobbler_content_t, cobbler_content_t) +files_var_lib_filetrans(cobblerd_t, cobbler_content_t, { dir file lnk_file }) + +# Something really needs to write to cobbler.log. Ideally this should not be happening. +allow cobblerd_t cobbler_var_log_t:file write; append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) @@ -52,39 +93,93 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) +manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t) +manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t) +files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file }) + kernel_read_system_state(cobblerd_t) +kernel_dontaudit_search_network_state(cobblerd_t) corecmd_exec_bin(cobblerd_t) corecmd_exec_shell(cobblerd_t) corenet_all_recvfrom_netlabel(cobblerd_t) corenet_all_recvfrom_unlabeled(cobblerd_t) -corenet_sendrecv_cobbler_server_packets(cobblerd_t) -corenet_tcp_bind_cobbler_port(cobblerd_t) corenet_tcp_bind_generic_node(cobblerd_t) corenet_tcp_sendrecv_generic_if(cobblerd_t) corenet_tcp_sendrecv_generic_node(cobblerd_t) corenet_tcp_sendrecv_generic_port(cobblerd_t) +corenet_tcp_bind_cobbler_port(cobblerd_t) +corenet_tcp_sendrecv_cobbler_port(cobblerd_t) +corenet_sendrecv_cobbler_server_packets(cobblerd_t) +# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect. +corenet_tcp_connect_ftp_port(cobblerd_t) +corenet_tcp_sendrecv_ftp_port(cobblerd_t) +corenet_sendrecv_ftp_client_packets(cobblerd_t) +corenet_tcp_connect_http_port(cobblerd_t) +corenet_tcp_sendrecv_http_port(cobblerd_t) +corenet_sendrecv_http_client_packets(cobblerd_t) dev_read_urand(cobblerd_t) +domain_dontaudit_exec_all_entry_files(cobblerd_t) +domain_dontaudit_read_all_domains_state(cobblerd_t) + +files_read_etc_files(cobblerd_t) +# mtab +files_read_etc_runtime_files(cobblerd_t) files_read_usr_files(cobblerd_t) files_list_boot(cobblerd_t) +files_read_boot_files(cobblerd_t) files_list_tmp(cobblerd_t) -# read /etc/nsswitch.conf -files_read_etc_files(cobblerd_t) + +# read from mounted images (install media) +fs_read_iso9660_files(cobblerd_t) + +init_dontaudit_read_all_script_files(cobblerd_t) + +term_use_console(cobblerd_t) miscfiles_read_localization(cobblerd_t) miscfiles_read_public_files(cobblerd_t) +selinux_dontaudit_read_fs(cobblerd_t) + sysnet_read_config(cobblerd_t) sysnet_rw_dhcp_config(cobblerd_t) sysnet_write_config(cobblerd_t) +userdom_dontaudit_use_user_terminals(cobblerd_t) +userdom_dontaudit_search_user_home_dirs(cobblerd_t) +userdom_dontaudit_search_admin_dir(cobblerd_t) + tunable_policy(`cobbler_anon_write',` miscfiles_manage_public_files(cobblerd_t) ') +tunable_policy(`cobbler_can_network_connect',` + corenet_tcp_connect_all_ports(cobblerd_t) + corenet_tcp_sendrecv_all_ports(cobblerd_t) + corenet_sendrecv_all_client_packets(cobblerd_t) +') + +tunable_policy(`cobbler_use_cifs',` + fs_manage_cifs_dirs(cobblerd_t) + fs_manage_cifs_files(cobblerd_t) + fs_manage_cifs_symlinks(cobblerd_t) +') + +tunable_policy(`cobbler_use_nfs',` + fs_manage_nfs_dirs(cobblerd_t) + fs_manage_nfs_files(cobblerd_t) + fs_manage_nfs_symlinks(cobblerd_t) +') + +optional_policy(` + # Cobbler traverses /var/www to get to /var/www/cobbler/* + apache_search_sys_content(cobblerd_t) +') + optional_policy(` bind_read_config(cobblerd_t) bind_write_config(cobblerd_t) @@ -95,6 +190,10 @@ ') optional_policy(` + certmaster_exec(cobblerd_t) +') + +optional_policy(` dhcpd_domtrans(cobblerd_t) dhcpd_initrc_domtrans(cobblerd_t) ') @@ -106,16 +205,28 @@ ') optional_policy(` + gnome_dontaudit_search_config(cobblerd_t) +') + +optional_policy(` rpm_exec(cobblerd_t) ') optional_policy(` - rsync_read_config(cobblerd_t) - rsync_write_config(cobblerd_t) + rsync_exec(cobblerd_t) + rsync_manage_config(cobblerd_t) + # cobbler creates /etc/rsync.conf if its not there. + rsync_filetrans_config(cobblerd_t, file) ') optional_policy(` - tftp_manage_rw_content(cobblerd_t) + # Cobbler puts objects in both /var/lib/tftpdir as well as /var/lib/tftpdir/images. + # tftp_manage_rw_content(cobblerd_t) can be used instead if: + # 1. cobbler package installs /var/lib/tftpdir/images. + # 2. no FILES in /var/lib/TFTPDIR are hard linked. + # Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg) + # are any of those hard linked? + tftp_filetrans_tftpdir(cobblerd_t, cobbler_content_t, { dir file }) ') ######################################## @@ -123,6 +234,18 @@ # Cobbler web local policy. # -apache_content_template(cobbler) -manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) -manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) +# This should be removable when cobbler package installs /var/www/cobbler/rendered. +optional_policy(` + gen_require(` + attribute httpdcontent; + ') + + apache_content_template(cobbler) + # To filetrans the /var/www/cobbler/rendered directory to cobbler_content_t. + # I added "file" to it for now because fenris02 reported that cobbler buildiso tried to create a file with type + # httpd_cobbler_content_t and i do not know where exaclty. Google reports it should be /var/www/cobbler/pub but + # that directory should have been labeled cobbler_content_t. + filetrans_pattern(cobblerd_t, httpd_cobbler_content_t, cobbler_content_t, { dir file }) + # Something that runs in the cobberd_t domain tries to relabelfrom cobbler_content_t dir to httpd_sys_content_t. + dontaudit cobblerd_t httpdcontent:dir relabel_dir_perms; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.8.8/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/consolekit.if 2010-08-11 08:07:53.000000000 -0400 @@ -95,3 +95,22 @@ files_search_pids($1) read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) ') + +######################################## +## +## List consolekit PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`consolekit_list_pid_files',` + gen_require(` + type consolekit_var_run_t; + ') + + files_search_pids($1) + list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.8.8/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/consolekit.te 2010-07-30 14:06:53.000000000 -0400 @@ -15,6 +15,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) +type consolekit_tmpfs_t; +files_tmpfs_file(consolekit_tmpfs_t) + ######################################## # # consolekit local policy @@ -69,7 +72,10 @@ miscfiles_read_localization(consolekit_t) +# consolekit needs to be able to ptrace all logged in users +userdom_ptrace_all_users(consolekit_t) userdom_dontaudit_read_user_home_content_files(consolekit_t) +userdom_dontaudit_getattr_admin_home_files(consolekit_t) userdom_read_user_tmp_files(consolekit_t) hal_ptrace(consolekit_t) @@ -83,6 +89,10 @@ ') optional_policy(` + cron_read_system_job_lib_files(consolekit_t) +') + +optional_policy(` dbus_system_domain(consolekit_t, consolekit_exec_t) optional_policy(` @@ -99,16 +109,21 @@ ') optional_policy(` - policykit_dbus_chat(consolekit_t) + networkmanager_append_log(consolekit_t) +') + +optional_policy(` + policykit_dbus_chat(consolekit_t) policykit_domtrans_auth(consolekit_t) policykit_read_lib(consolekit_t) policykit_read_reload(consolekit_t) ') optional_policy(` - type consolekit_tmpfs_t; - files_tmpfs_file(consolekit_tmpfs_t) + shutdown_domtrans(consolekit_t) +') +optional_policy(` xserver_read_xdm_pid(consolekit_t) xserver_read_user_xauth(consolekit_t) xserver_non_drawing_client(consolekit_t) @@ -125,5 +140,6 @@ optional_policy(` #reading .Xauthity + unconfined_ptrace(consolekit_t) unconfined_stream_connect(consolekit_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.8.8/policy/modules/services/corosync.fc --- nsaserefpolicy/policy/modules/services/corosync.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/corosync.fc 2010-07-30 14:06:53.000000000 -0400 @@ -3,6 +3,7 @@ /usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0) /usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0) +/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0) /var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.8.8/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/corosync.te 2010-07-30 14:06:53.000000000 -0400 @@ -5,6 +5,13 @@ # Declarations # +## +##

+## Allow corosync to read and write generic tmpfs files. +##

+## +gen_tunable(allow_corosync_rw_tmpfs, false) + type corosync_t; type corosync_exec_t; init_daemon_domain(corosync_t, corosync_exec_t) @@ -32,8 +39,8 @@ # corosync local policy # -allow corosync_t self:capability { sys_nice sys_resource ipc_lock }; -allow corosync_t self:process { setrlimit setsched signal }; +allow corosync_t self:capability { dac_override sys_nice sys_ptrace sys_resource ipc_lock }; +allow corosync_t self:process { setrlimit setsched signal signull }; allow corosync_t self:fifo_file rw_fifo_file_perms; allow corosync_t self:sem create_sem_perms; @@ -41,6 +48,8 @@ allow corosync_t self:unix_dgram_socket create_socket_perms; allow corosync_t self:udp_socket create_socket_perms; +can_exec(corosync_t, corosync_exec_t) + manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir }) @@ -63,8 +72,10 @@ files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file }) kernel_read_system_state(corosync_t) +kernel_read_network_state(corosync_t) corecmd_exec_bin(corosync_t) +corecmd_exec_shell(corosync_t) corenet_udp_bind_netsupport_port(corosync_t) @@ -73,6 +84,7 @@ domain_read_all_domains_state(corosync_t) files_manage_mounttab(corosync_t) +files_read_usr_files(corosync_t) auth_use_nsswitch(corosync_t) @@ -83,19 +95,26 @@ miscfiles_read_localization(corosync_t) +userdom_delete_user_tmpfs_files(corosync_t) userdom_rw_user_tmpfs_files(corosync_t) +tunable_policy(`allow_corosync_rw_tmpfs',` + fs_rw_tmpfs_files(corosync_t) +') + optional_policy(` ccs_read_config(corosync_t) ') optional_policy(` - # to communication with RHCS - rhcs_rw_dlm_controld_semaphores(corosync_t) - - rhcs_rw_fenced_semaphores(corosync_t) + cmirrord_rw_shm(corosync_t) +') - rhcs_rw_gfs_controld_semaphores(corosync_t) +optional_policy(` + # to communication with RHCS + rhcs_rw_cluster_shm(corosync_t) + rhcs_rw_cluster_semaphores(corosync_t) + rhcs_stream_connect_cluster(corosync_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.8.8/policy/modules/services/courier.if --- nsaserefpolicy/policy/modules/services/courier.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/courier.if 2010-07-30 14:06:53.000000000 -0400 @@ -38,10 +38,12 @@ read_files_pattern(courier_$1_t, courier_etc_t, courier_etc_t) allow courier_$1_t courier_etc_t:dir list_dir_perms; + manage_dirs_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) manage_lnk_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) manage_sock_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) files_search_pids(courier_$1_t) + files_pid_filetrans(courier_$1_t, courier_var_run_t, dir) kernel_read_system_state(courier_$1_t) kernel_read_kernel_sysctls(courier_$1_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.8.8/policy/modules/services/courier.te --- nsaserefpolicy/policy/modules/services/courier.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/courier.te 2010-07-30 14:06:53.000000000 -0400 @@ -48,6 +48,7 @@ allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms; allow courier_authdaemon_t courier_tcpd_t:process sigchld; +allow courier_authdaemon_t courier_tcpd_t:fd use; allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.8.8/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/cron.fc 2010-07-30 14:06:53.000000000 -0400 @@ -14,7 +14,7 @@ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0) +/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) @@ -45,3 +45,7 @@ /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) + +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) + +/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.8.8/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/cron.if 2010-07-30 14:06:53.000000000 -0400 @@ -12,6 +12,10 @@ ## # template(`cron_common_crontab_template',` + gen_require(` + type crond_t, crond_var_run_t; + ') + ############################## # # Declarations @@ -34,8 +38,12 @@ allow $1_t self:process { setsched signal_perms }; allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t $1_tmp_t:file manage_file_perms; - files_tmp_filetrans($1_t, $1_tmp_t, file) + allow $1_t crond_t:process signal; + allow $1_t crond_var_run_t:file read_file_perms; + + manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) + manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) + files_tmp_filetrans($1_t, $1_tmp_t, { dir file }) # create files in /var/spool/cron manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) @@ -62,6 +70,7 @@ logging_send_syslog_msg($1_t) logging_send_audit_msgs($1_t) + logging_set_loginuid($1_t) init_dontaudit_write_utmp($1_t) init_read_utmp($1_t) @@ -76,6 +85,7 @@ userdom_use_user_terminals($1_t) # Read user crontabs userdom_read_user_home_content_files($1_t) + userdom_read_user_home_content_symlinks($1_t) tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator @@ -106,6 +116,8 @@ interface(`cron_role',` gen_require(` type cronjob_t, crontab_t, crontab_exec_t; + type user_cron_spool_t; + type crond_t; ') role $1 types { cronjob_t crontab_t }; @@ -116,6 +128,13 @@ # Transition from the user domain to the derived domain. domtrans_pattern($2, crontab_exec_t, crontab_t) + allow crond_t $2:process transition; + dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; + allow $2 crond_t:process sigchld; + + # needs to be authorized SELinux context for cron + allow $2 user_cron_spool_t:file entrypoint; + # crontab shows up in user ps ps_process_pattern($2, crontab_t) allow $2 crontab_t:process signal; @@ -154,27 +173,14 @@ # interface(`cron_unconfined_role',` gen_require(` - type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t; + type unconfined_cronjob_t; ') - role $1 types { unconfined_cronjob_t crontab_t }; + role $1 types unconfined_cronjob_t; # cronjob shows up in user ps ps_process_pattern($2, unconfined_cronjob_t) - # Transition from the user domain to the derived domain. - domtrans_pattern($2, crontab_exec_t, crontab_t) - - # crontab shows up in user ps - ps_process_pattern($2, crontab_t) - allow $2 crontab_t:process signal; - - # Run helper programs as the user domain - #corecmd_bin_domtrans(crontab_t, $2) - #corecmd_shell_domtrans(crontab_t, $2) - corecmd_exec_bin(crontab_t) - corecmd_exec_shell(crontab_t) - optional_policy(` gen_require(` class dbus send_msg; @@ -308,7 +314,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -408,7 +414,43 @@ type crond_t; ') - allow $1 crond_t:fifo_file { getattr read write }; + allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## +## Read and write inherited user spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_rw_inherited_user_spool_files',` + gen_require(` + type user_cron_spool_t; + ') + + allow $1 user_cron_spool_t:file rw_inherited_file_perms; +') + +######################################## +## +## Read and write inherited spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_rw_inherited_spool_files',` + gen_require(` + type cron_spool_t; + ') + + allow $1 cron_spool_t:file rw_inherited_file_perms; ') ######################################## @@ -554,7 +596,7 @@ type system_cronjob_t; ') - allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms; + allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## @@ -587,11 +629,14 @@ # interface(`cron_read_system_job_tmp_files',` gen_require(` - type system_cronjob_tmp_t; + type system_cronjob_tmp_t, cron_var_run_t; ') files_search_tmp($1) allow $1 system_cronjob_tmp_t:file read_file_perms; + + files_search_pids($1) + allow $1 cron_var_run_t:file read_file_perms; ') ######################################## @@ -627,7 +672,48 @@ interface(`cron_dontaudit_write_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; + type cron_var_run_t; + type system_cronjob_var_run_t; ') dontaudit $1 system_cronjob_tmp_t:file write_file_perms; + dontaudit $1 cron_var_run_t:file write_file_perms; +') + +######################################## +## +## Read temporary files from the system cron jobs. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_read_system_job_lib_files',` + gen_require(` + type system_cronjob_var_lib_t; + ') + + + read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) +') + +######################################## +## +## Manage files from the system cron jobs. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_manage_system_job_lib_files',` + gen_require(` + type system_cronjob_var_lib_t; + ') + + + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.8.8/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/cron.te 2010-08-13 11:29:11.000000000 -0400 @@ -63,9 +63,12 @@ type crond_tmp_t; files_tmp_file(crond_tmp_t) +files_poly_parent(crond_tmp_t) +mta_system_content(crond_tmp_t) type crond_var_run_t; files_pid_file(crond_var_run_t) +mta_system_content(crond_var_run_t) type crontab_exec_t; application_executable_file(crontab_exec_t) @@ -79,6 +82,7 @@ typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; +allow admin_crontab_t crond_t:process signal; type system_cron_spool_t, cron_spool_type; files_type(system_cron_spool_t) @@ -87,6 +91,7 @@ init_daemon_domain(system_cronjob_t, anacron_exec_t) corecmd_shell_entry_type(system_cronjob_t) role system_r types system_cronjob_t; +domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t) type system_cronjob_lock_t alias system_crond_lock_t; files_lock_file(system_cronjob_lock_t) @@ -108,6 +113,14 @@ typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; files_type(user_cron_spool_t) ubac_constrained(user_cron_spool_t) +mta_system_content(user_cron_spool_t) + +type system_cronjob_var_lib_t; +files_type(system_cronjob_var_lib_t) +typealias system_cronjob_var_lib_t alias system_crond_var_lib_t; + +type system_cronjob_var_run_t; +files_pid_file(system_cronjob_var_run_t) ######################################## # @@ -138,7 +151,7 @@ allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; dontaudit crond_t self:capability { sys_resource sys_tty_config }; -allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; allow crond_t self:fd use; allow crond_t self:fifo_file rw_fifo_file_perms; @@ -193,6 +206,8 @@ corecmd_read_bin_symlinks(crond_t) domain_use_interactive_fds(crond_t) +domain_subj_id_change_exemption(crond_t) +domain_role_change_exemption(crond_t) files_read_usr_files(crond_t) files_read_etc_runtime_files(crond_t) @@ -208,7 +223,9 @@ auth_use_nsswitch(crond_t) +logging_send_audit_msgs(crond_t) logging_send_syslog_msg(crond_t) +logging_set_loginuid(crond_t) seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) @@ -219,8 +236,10 @@ userdom_use_unpriv_users_fds(crond_t) # Not sure why this is needed userdom_list_user_home_dirs(crond_t) +userdom_create_all_users_keys(crond_t) mta_send_mail(crond_t) +mta_system_content(cron_spool_t) ifdef(`distro_debian',` # pam_limits is used @@ -240,8 +259,17 @@ ') ') -tunable_policy(`fcron_crond', ` - allow crond_t system_cron_spool_t:file manage_file_perms; +tunable_policy(`allow_polyinstantiation',` + files_polyinstantiate_all(crond_t) +') + +optional_policy(` + apache_search_sys_content(crond_t) +') + +optional_policy(` + djbdns_search_tinydns_keys(crond_t) + djbdns_link_tinydns_keys(crond_t) ') optional_policy(` @@ -250,6 +278,20 @@ ') optional_policy(` + # these should probably be unconfined_crond_t + dbus_system_bus_client(crond_t) + init_dbus_send_script(crond_t) +') + +optional_policy(` + mono_domtrans(crond_t) +') + +tunable_policy(`fcron_crond', ` + allow crond_t system_cron_spool_t:file manage_file_perms; +') + +optional_policy(` amanda_search_var_lib(crond_t) ') @@ -259,6 +301,8 @@ optional_policy(` hal_dbus_chat(crond_t) + hal_write_log(crond_t) + hal_dbus_chat(system_cronjob_t) ') optional_policy(` @@ -290,6 +334,8 @@ # allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; +dontaudit system_cronjob_t self:capability sys_ptrace; + allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; @@ -301,10 +347,17 @@ # This is to handle /var/lib/misc directory. Used currently # by prelink var/lib files for cron -allow system_cronjob_t cron_var_lib_t:file manage_file_perms; +allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabelfrom relabelto }; files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) +allow system_cronjob_t cron_var_run_t:file manage_file_perms; +files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) + allow system_cronjob_t system_cron_spool_t:file read_file_perms; + +# anacron forces the following +manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t) + # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that @@ -324,6 +377,7 @@ allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; +allow crond_t system_cronjob_t:key manage_key_perms; # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; @@ -335,9 +389,13 @@ filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) +# var/lib files for system_crond +files_search_var_lib(system_cronjob_t) +manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) + # Read from /var/spool/cron. allow system_cronjob_t cron_spool_t:dir list_dir_perms; -allow system_cronjob_t cron_spool_t:file read_file_perms; +allow system_cronjob_t cron_spool_t:file rw_file_perms; kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) @@ -360,6 +418,7 @@ dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) +dev_read_sysfs(system_cronjob_t) fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) @@ -386,6 +445,7 @@ # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) +files_create_boot_flag(system_cronjob_t) init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) @@ -410,6 +470,8 @@ ifdef(`distro_redhat', ` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files + allow crond_t system_cron_spool_t:file manage_file_perms; + # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) @@ -434,6 +496,8 @@ apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) + apache_delete_cache_dirs(system_cronjob_t) + apache_delete_cache_files(system_cronjob_t) ') optional_policy(` @@ -441,6 +505,14 @@ ') optional_policy(` + dbus_system_bus_client(system_cronjob_t) +') + +optional_policy(` + exim_read_spool_files(system_cronjob_t) +') + +optional_policy(` ftp_read_log(system_cronjob_t) ') @@ -451,15 +523,24 @@ ') optional_policy(` + livecd_read_tmp_files(system_cronjob_t) +') + +optional_policy(` lpd_list_spool(system_cronjob_t) ') optional_policy(` + mono_domtrans(system_cronjob_t) +') + +optional_policy(` mrtg_append_create_logs(system_cronjob_t) ') optional_policy(` mta_send_mail(system_cronjob_t) + mta_system_content(system_cron_spool_t) ') optional_policy(` @@ -475,7 +556,7 @@ prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) - prelink_relabelfrom_lib(system_cronjob_t) + prelink_relabel_lib(system_cronjob_t) ') optional_policy(` @@ -490,6 +571,7 @@ optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) + spamassassin_manage_home_client(system_cronjob_t) ') optional_policy(` @@ -497,6 +579,9 @@ ') optional_policy(` + unconfined_dbus_send(crond_t) + unconfined_shell_domtrans(crond_t) + unconfined_domain(crond_t) unconfined_domain(system_cronjob_t) userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') @@ -590,6 +675,7 @@ #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) tunable_policy(`fcron_crond', ` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.8.8/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/cups.fc 2010-07-30 14:06:53.000000000 -0400 @@ -71,3 +71,9 @@ /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) + +/usr/local/Brother/fax/.*\.log gen_context(system_u:object_r:cupsd_log_t,s0) +/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.8.8/policy/modules/services/cups.if --- nsaserefpolicy/policy/modules/services/cups.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/cups.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -33,7 +33,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -124,7 +124,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -314,7 +314,7 @@ interface(`cups_admin',` gen_require(` type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; - type cupsd_etc_t, cupsd_log_t, cupsd_spool_t; + type cupsd_etc_t, cupsd_log_t; type cupsd_config_var_run_t, cupsd_lpd_var_run_t; type cupsd_var_run_t, ptal_etc_t; type ptal_var_run_t, hplip_var_run_t; @@ -341,9 +341,6 @@ admin_pattern($1, cupsd_lpd_var_run_t) - admin_pattern($1, cupsd_spool_t) - files_list_spool($1) - admin_pattern($1, cupsd_tmp_t) files_list_tmp($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.8.8/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/cups.te 2010-08-11 08:24:50.000000000 -0400 @@ -15,6 +15,7 @@ type cupsd_t; type cupsd_exec_t; init_daemon_domain(cupsd_t, cupsd_exec_t) +mls_trusted_object(cupsd_t) type cupsd_etc_t; files_config_file(cupsd_etc_t) @@ -123,6 +124,7 @@ files_search_etc(cupsd_t) manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) +can_exec(cupsd_t, cupsd_interface_t) manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) @@ -137,6 +139,7 @@ allow cupsd_t cupsd_lock_t:file manage_file_perms; files_lock_filetrans(cupsd_t, cupsd_lock_t, file) +manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) allow cupsd_t cupsd_log_t:dir setattr; logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) @@ -147,10 +150,11 @@ files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) allow cupsd_t cupsd_var_run_t:dir setattr; +manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file }) +files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir file fifo_file }) allow cupsd_t hplip_t:process { signal sigkill }; @@ -297,8 +301,10 @@ hal_dbus_chat(cupsd_t) ') + # talk to processes that do not have policy optional_policy(` unconfined_dbus_chat(cupsd_t) + files_write_generic_pid_pipes(cupsd_t) ') ') @@ -371,8 +377,9 @@ allow cupsd_config_t cupsd_var_run_t:file read_file_perms; +manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) -files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file) +files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) @@ -425,6 +432,7 @@ userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) +userdom_rw_user_tmp_files(cupsd_config_t) cups_stream_connect(cupsd_config_t) @@ -453,6 +461,10 @@ ') optional_policy(` + gnome_dontaudit_search_config(cupsd_config_t) +') + +optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) @@ -587,13 +599,19 @@ miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) +miscfiles_setattr_fonts_cache_dirs(cups_pdf_t) userdom_home_filetrans_user_home_dir(cups_pdf_t) +userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir }) userdom_manage_user_home_content_dirs(cups_pdf_t) userdom_manage_user_home_content_files(cups_pdf_t) +userdom_dontaudit_search_admin_dir(cups_pdf_t) lpd_manage_spool(cups_pdf_t) +optional_policy(` + gnome_read_config(cups_pdf_t) +') tunable_policy(`use_nfs_home_dirs',` fs_search_auto_mountpoints(cups_pdf_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.8.8/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/cvs.te 2010-07-30 14:06:53.000000000 -0400 @@ -112,4 +112,5 @@ read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.te serefpolicy-3.8.8/policy/modules/services/cyphesis.te --- nsaserefpolicy/policy/modules/services/cyphesis.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/cyphesis.te 2010-07-30 14:06:53.000000000 -0400 @@ -36,9 +36,10 @@ allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms; files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, file) +manage_dirs_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) manage_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) -files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { file sock_file }) +files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { dir file sock_file }) kernel_read_system_state(cyphesis_t) kernel_read_kernel_sysctls(cyphesis_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.8.8/policy/modules/services/cyrus.te --- nsaserefpolicy/policy/modules/services/cyrus.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/cyrus.te 2010-07-30 14:06:53.000000000 -0400 @@ -135,6 +135,7 @@ ') optional_policy(` + files_dontaudit_write_usr_dirs(cyrus_t) snmp_read_snmp_var_lib_files(cyrus_t) snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) snmp_stream_connect(cyrus_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.8.8/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/dbus.if 2010-07-30 14:06:53.000000000 -0400 @@ -42,8 +42,10 @@ gen_require(` class dbus { send_msg acquire_svc }; + attribute dbusd_unconfined; attribute session_bus_type; type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; + type $1_t; ') ############################## @@ -76,7 +78,7 @@ allow $3 $1_dbusd_t:unix_stream_socket connectto; # SE-DBus specific permissions - allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; + allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc }; allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; @@ -91,7 +93,7 @@ allow $3 $1_dbusd_t:process { signull sigkill signal }; # cjp: this seems very broken - corecmd_bin_domtrans($1_dbusd_t, $3) + corecmd_bin_domtrans($1_dbusd_t, $1_t) allow $1_dbusd_t $3:process sigkill; allow $3 $1_dbusd_t:fd use; allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; @@ -149,13 +151,20 @@ term_use_all_terms($1_dbusd_t) - userdom_read_user_home_content_files($1_dbusd_t) + userdom_dontaudit_search_admin_dir($1_dbusd_t) + userdom_manage_user_home_content_dirs($1_dbusd_t) + userdom_manage_user_home_content_files($1_dbusd_t) + userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file }) ifdef(`hide_broken_symptoms', ` dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; ') optional_policy(` + gnome_read_gconf_home_files($1_dbusd_t) + ') + + optional_policy(` hal_dbus_chat($1_dbusd_t) ') @@ -181,10 +190,12 @@ type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; + attribute dbusd_unconfined; ') # SE-DBus specific permissions allow $1 { system_dbusd_t self }:dbus send_msg; + allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg; read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) @@ -434,10 +445,21 @@ dbus_system_bus_client($1) dbus_connect_system_bus($1) + init_stream_connect($1) + ps_process_pattern(system_dbusd_t, $1) + userdom_dontaudit_search_admin_dir($1) userdom_read_all_users_state($1) + optional_policy(` + rpm_script_dbus_chat($1) + ') + + optional_policy(` + unconfined_dbus_send($1) + ') + ifdef(`hide_broken_symptoms', ` dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.8.8/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/dbus.te 2010-07-30 14:06:53.000000000 -0400 @@ -74,9 +74,10 @@ read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t) +manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) -files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file) +files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir }) kernel_read_system_state(system_dbusd_t) kernel_read_kernel_sysctls(system_dbusd_t) @@ -121,7 +122,9 @@ init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) +init_bin_domtrans_spec(system_dbusd_t) init_domtrans_script(system_dbusd_t) +init_rw_stream_sockets(system_dbusd_t) logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) @@ -141,7 +144,15 @@ ') optional_policy(` - policykit_dbus_chat(system_dbusd_t) + gnome_exec_gconf(system_dbusd_t) +') + +optional_policy(` + networkmanager_initrc_domtrans(system_dbusd_t) +') + +optional_policy(` + policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) ') @@ -158,5 +169,12 @@ # # Unconfined access to this module # - allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; +allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; +allow session_bus_type dbusd_unconfined:dbus send_msg; + +optional_policy(` + xserver_use_xdm_fds(session_bus_type) + xserver_rw_xdm_pipes(session_bus_type) + xserver_append_xdm_home_files(session_bus_type) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.8.8/policy/modules/services/dcc.te --- nsaserefpolicy/policy/modules/services/dcc.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/dcc.te 2010-07-30 14:06:53.000000000 -0400 @@ -231,8 +231,9 @@ manage_files_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t) files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir }) +manage_dirs_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t) manage_files_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t) -files_pid_filetrans(dccd_t, dccd_var_run_t, file) +files_pid_filetrans(dccd_t, dccd_var_run_t, { file dir }) kernel_read_system_state(dccd_t) kernel_read_kernel_sysctls(dccd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.8.8/policy/modules/services/denyhosts.if --- nsaserefpolicy/policy/modules/services/denyhosts.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/denyhosts.if 2010-07-30 14:06:53.000000000 -0400 @@ -32,7 +32,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.8.8/policy/modules/services/denyhosts.te --- nsaserefpolicy/policy/modules/services/denyhosts.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/denyhosts.te 2010-08-13 13:33:16.000000000 -0400 @@ -25,7 +25,8 @@ # # DenyHosts personal policy. # - +# Bug #588563 +allow denyhosts_t self:capability sys_tty_config; allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms; allow denyhosts_t self:tcp_socket create_socket_perms; allow denyhosts_t self:udp_socket create_socket_perms; @@ -53,20 +54,28 @@ corenet_tcp_sendrecv_generic_node(denyhosts_t) corenet_tcp_bind_generic_node(denyhosts_t) corenet_tcp_connect_smtp_port(denyhosts_t) +corenet_tcp_connect_sype_port(denyhosts_t) corenet_sendrecv_smtp_client_packets(denyhosts_t) dev_read_urand(denyhosts_t) files_read_etc_files(denyhosts_t) +files_read_usr_files(denyhosts_t) # /var/log/secure logging_read_generic_logs(denyhosts_t) +logging_send_syslog_msg(denyhosts_t) miscfiles_read_localization(denyhosts_t) +sysnet_dns_name_resolve(denyhosts_t) sysnet_manage_config(denyhosts_t) sysnet_etc_filetrans_config(denyhosts_t) optional_policy(` cron_system_entry(denyhosts_t, denyhosts_exec_t) ') + +optional_policy(` + gnome_dontaudit_search_config(denyhosts_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.8.8/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/devicekit.te 2010-08-10 11:09:06.000000000 -0400 @@ -75,10 +75,12 @@ manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) +allow devicekit_disk_t devicekit_var_run_t:dir mounton; manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir }) +kernel_list_unlabeled(devicekit_disk_t) kernel_getattr_message_if(devicekit_disk_t) kernel_read_fs_sysctls(devicekit_disk_t) kernel_read_network_state(devicekit_disk_t) @@ -105,8 +107,10 @@ files_dontaudit_read_all_symlinks(devicekit_disk_t) files_getattr_all_sockets(devicekit_disk_t) -files_getattr_all_mountpoints(devicekit_disk_t) +files_getattr_all_dirs(devicekit_disk_t) files_getattr_all_files(devicekit_disk_t) +files_getattr_all_pipes(devicekit_disk_t) +files_manage_boot_dirs(devicekit_disk_t) files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) files_read_etc_files(devicekit_disk_t) @@ -178,13 +182,19 @@ virt_manage_images(devicekit_disk_t) ') +optional_policy(` + unconfined_domain(devicekit_t) + unconfined_domain(devicekit_power_t) + unconfined_domain(devicekit_disk_t) +') + ######################################## # # DeviceKit-Power local policy # allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; -allow devicekit_power_t self:process getsched; +allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.8.8/policy/modules/services/dhcp.if --- nsaserefpolicy/policy/modules/services/dhcp.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/dhcp.if 2010-07-30 14:06:53.000000000 -0400 @@ -45,7 +45,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.8.8/policy/modules/services/dhcp.te --- nsaserefpolicy/policy/modules/services/dhcp.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/dhcp.te 2010-07-30 14:06:53.000000000 -0400 @@ -111,6 +111,11 @@ ') optional_policy(` + # Should we dontaudit or not? + cobbler_rw_log(dhcpd_t) +') + +optional_policy(` dbus_system_bus_client(dhcpd_t) dbus_connect_system_bus(dhcpd_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.8.8/policy/modules/services/djbdns.te --- nsaserefpolicy/policy/modules/services/djbdns.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/djbdns.te 2010-07-30 14:06:53.000000000 -0400 @@ -22,6 +22,8 @@ # Local policy for axfrdns component # +files_config_file(djbdns_axfrdns_conf_t) + daemontools_ipc_domain(djbdns_axfrdns_t) daemontools_read_svc(djbdns_axfrdns_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.8.8/policy/modules/services/dnsmasq.if --- nsaserefpolicy/policy/modules/services/dnsmasq.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/dnsmasq.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -45,7 +45,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.8.8/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/dnsmasq.te 2010-07-30 14:06:53.000000000 -0400 @@ -92,7 +92,11 @@ userdom_dontaudit_search_user_home_dirs(dnsmasq_t) optional_policy(` - cobbler_read_lib_files(dnsmasq_t) + cobbler_read_content(dnsmasq_t) +') + +optional_policy(` + cron_manage_pid_files(dnsmasq_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.8.8/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/dovecot.fc 2010-07-30 14:06:53.000000000 -0400 @@ -25,7 +25,7 @@ ifdef(`distro_redhat', ` /usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) /usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) +/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.8.8/policy/modules/services/dovecot.if --- nsaserefpolicy/policy/modules/services/dovecot.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/dovecot.if 2010-07-30 14:06:53.000000000 -0400 @@ -93,12 +93,14 @@ # interface(`dovecot_admin',` gen_require(` - type dovecot_t, dovecot_etc_t, dovecot_log_t; + type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t; type dovecot_spool_t, dovecot_var_lib_t; - type dovecot_var_run_t; + type dovecot_var_run_t, dovecot_tmp_t; + type dovecot_var_log_t; type dovecot_cert_t, dovecot_passwd_t; type dovecot_initrc_exec_t; + type dovecot_keytab_t; ') allow $1 dovecot_t:process { ptrace signal_perms }; @@ -112,8 +114,11 @@ files_list_etc($1) admin_pattern($1, dovecot_etc_t) - logging_list_logs($1) - admin_pattern($1, dovecot_log_t) + files_list_tmp($1) + admin_pattern($1, dovecot_auth_tmp_t) + admin_pattern($1, dovecot_tmp_t) + + admin_pattern($1, dovecot_keytab_t) files_list_spool($1) admin_pattern($1, dovecot_spool_t) @@ -121,6 +126,9 @@ files_list_var_lib($1) admin_pattern($1, dovecot_var_lib_t) + logging_search_logs($1) + admin_pattern($1, dovecot_var_log_t) + files_list_pids($1) admin_pattern($1, dovecot_var_run_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.8.8/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/dovecot.te 2010-08-16 07:30:39.000000000 -0400 @@ -18,7 +18,7 @@ files_tmp_file(dovecot_auth_tmp_t) type dovecot_cert_t; -files_type(dovecot_cert_t) +miscfiles_cert_type(dovecot_cert_t) type dovecot_deliver_t; type dovecot_deliver_exec_t; @@ -58,7 +58,7 @@ allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot }; dontaudit dovecot_t self:capability sys_tty_config; -allow dovecot_t self:process { setrlimit signal_perms getcap setcap }; +allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched }; allow dovecot_t self:fifo_file rw_fifo_file_perms; allow dovecot_t self:tcp_socket create_stream_socket_perms; allow dovecot_t self:unix_dgram_socket create_socket_perms; @@ -72,7 +72,8 @@ read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) -allow dovecot_t dovecot_etc_t:file read_file_perms; +allow dovecot_t dovecot_etc_t:dir list_dir_perms; +read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t) files_search_etc(dovecot_t) can_exec(dovecot_t, dovecot_exec_t) @@ -94,10 +95,11 @@ manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) +manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -files_pid_filetrans(dovecot_t, dovecot_var_run_t, file) +files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file }) kernel_read_kernel_sysctls(dovecot_t) kernel_read_system_state(dovecot_t) @@ -242,6 +244,7 @@ ') optional_policy(` + postfix_manage_private_sockets(dovecot_auth_t) postfix_search_spool(dovecot_auth_t) ') @@ -253,19 +256,26 @@ allow dovecot_deliver_t dovecot_t:process signull; -allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; +read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; +allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; +allow dovecot_deliver_t dovecot_var_log_t:dir search_dir_perms; + +can_exec(dovecot_deliver_t, dovecot_deliver_exec_t) + kernel_read_all_sysctls(dovecot_deliver_t) kernel_read_system_state(dovecot_deliver_t) +corecmd_exec_bin(dovecot_deliver_t) + files_read_etc_files(dovecot_deliver_t) files_read_etc_runtime_files(dovecot_deliver_t) auth_use_nsswitch(dovecot_deliver_t) logging_send_syslog_msg(dovecot_deliver_t) -logging_search_logs(dovecot_auth_t) +logging_search_logs(dovecot_deliver_t) miscfiles_read_localization(dovecot_deliver_t) @@ -302,4 +312,5 @@ optional_policy(` mta_manage_spool(dovecot_deliver_t) + mta_read_queue(dovecot_deliver_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.8.8/policy/modules/services/exim.fc --- nsaserefpolicy/policy/modules/services/exim.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/exim.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,3 +1,6 @@ + +/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0) + /usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0) /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0) /var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.8.8/policy/modules/services/exim.if --- nsaserefpolicy/policy/modules/services/exim.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/exim.if 2010-07-30 14:06:53.000000000 -0400 @@ -20,6 +20,24 @@ ######################################## ## +## Execute exim in the exim domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`exim_initrc_domtrans', ` + gen_require(` + type exim_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, exim_initrc_exec_t) +') + +######################################## +## ## Do not audit attempts to read, ## exim tmp files ## @@ -194,3 +212,46 @@ manage_files_pattern($1, exim_spool_t, exim_spool_t) files_search_spool($1) ') + +######################################## +## +## All of the rules required to administrate +## an exim environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +# +interface(`exim_admin', ` + gen_require(` + type exim_t, exim_initrc_exec_t, exim_log_t; + type exim_tmp_t, exim_spool_t, exim_var_run_t; + ') + + allow $1 exim_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, exim_t, exim_t) + + exim_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 exim_initrc_exec_t system_r; + allow $2 system_r; + + logging_search_logs($1) + admin_pattern($1, exim_log_t) + + files_search_tmp($1) + admin_pattern($1, exim_tmp_t) + + files_search_spool($1) + admin_pattern($1, exim_spool_t) + + files_search_pids($1) + admin_pattern($1, exim_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.8.8/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/exim.te 2010-07-30 14:06:53.000000000 -0400 @@ -35,6 +35,9 @@ application_executable_file(exim_exec_t) mta_agent_executable(exim_exec_t) +type exim_initrc_exec_t; +init_script_file(exim_initrc_exec_t) + type exim_log_t; logging_log_file(exim_log_t) @@ -171,6 +174,10 @@ ') optional_policy(` + nagios_search_spool(exim_t) +') + +optional_policy(` tunable_policy(`exim_can_connect_db',` mysql_stream_connect(exim_t) ') @@ -184,6 +191,7 @@ optional_policy(` procmail_domtrans(exim_t) + procmail_read_home_files(exim_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.8.8/policy/modules/services/fail2ban.if --- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/fail2ban.if 2010-07-30 14:06:53.000000000 -0400 @@ -138,6 +138,26 @@ ######################################## ## +## dontaudit read and write an leaked file descriptors +## +## +## +## Domain allowed access. +## +## +# +interface(`fail2ban_dontaudit_leaks',` + gen_require(` + type fail2ban_t; + ') + + dontaudit $1 fail2ban_t:tcp_socket { read write }; + dontaudit $1 fail2ban_t:unix_dgram_socket { read write }; + dontaudit $1 fail2ban_t:unix_stream_socket { read write }; +') + +######################################## +## ## All of the rules required to administrate ## an fail2ban environment ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.8.8/policy/modules/services/fail2ban.te --- nsaserefpolicy/policy/modules/services/fail2ban.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/fail2ban.te 2010-07-30 14:06:53.000000000 -0400 @@ -94,5 +94,9 @@ ') optional_policy(` + gnome_dontaudit_search_config(fail2ban_t) +') + +optional_policy(` iptables_domtrans(fail2ban_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.8.8/policy/modules/services/fetchmail.te --- nsaserefpolicy/policy/modules/services/fetchmail.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/fetchmail.te 2010-07-30 14:06:53.000000000 -0400 @@ -37,8 +37,9 @@ allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms; mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file) +manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) -files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, file) +files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file }) kernel_read_kernel_sysctls(fetchmail_t) kernel_list_proc(fetchmail_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/finger.if serefpolicy-3.8.8/policy/modules/services/finger.if --- nsaserefpolicy/policy/modules/services/finger.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/finger.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.8.8/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/fprintd.te 2010-07-30 14:06:53.000000000 -0400 @@ -54,4 +54,5 @@ policykit_read_lib(fprintd_t) policykit_dbus_chat(fprintd_t) policykit_domtrans_auth(fprintd_t) + policykit_dbus_chat_auth(fprintd_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.8.8/policy/modules/services/ftp.fc --- nsaserefpolicy/policy/modules/services/ftp.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ftp.fc 2010-07-30 14:06:53.000000000 -0400 @@ -29,3 +29,4 @@ /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) +/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.8.8/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ftp.te 2010-07-30 14:06:53.000000000 -0400 @@ -40,6 +40,13 @@ ## ##

+## Allow ftp servers to use connect to mysql database +##

+## +gen_tunable(ftpd_connect_db, false) + +## +##

## Allow ftp to read and write files in the user home directories ##

## @@ -70,6 +77,14 @@ ## gen_tunable(sftpd_full_access, false) +## +##

+## Allow interlnal-sftp to read and write files +## in the user ssh home directories. +##

+## +gen_tunable(sftpd_write_ssh_home, false) + type anon_sftpd_t; typealias anon_sftpd_t alias sftpd_anon_t; domain_type(anon_sftpd_t) @@ -115,6 +130,10 @@ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh) ') +ifdef(`enable_mls',` + init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh) +') + ######################################## # # anon-sftp local policy @@ -133,7 +152,7 @@ # ftpd local policy # -allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource }; +allow ftpd_t self:capability { chown fowner fsetid ipc_lock setgid setuid sys_chroot sys_admin sys_nice sys_resource }; dontaudit ftpd_t self:capability sys_tty_config; allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms }; allow ftpd_t self:fifo_file rw_fifo_file_perms; @@ -151,7 +170,6 @@ manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) -files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) @@ -270,10 +288,13 @@ # allow access to /home files_list_home(ftpd_t) userdom_read_user_home_content_files(ftpd_t) - userdom_manage_user_home_content_dirs(ftpd_t) - userdom_manage_user_home_content_files(ftpd_t) - userdom_manage_user_home_content_symlinks(ftpd_t) - userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file }) + userdom_manage_user_home_content(ftpd_t) + userdom_manage_user_tmp_files(ftpd_t) + userdom_tmp_filetrans_user_tmp(ftpd_t, file) +', ` + # Needed for permissive mode, to make sure everything gets labeled correctly + userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file }) + files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` @@ -316,6 +337,23 @@ ') optional_policy(` + tunable_policy(`ftpd_connect_db',` + mysql_stream_connect(ftpd_t) + ') +') + +optional_policy(` + tunable_policy(`ftpd_connect_db',` + postgresql_stream_connect(ftpd_t) + ') +') + +tunable_policy(`ftpd_connect_db',` + corenet_tcp_connect_mysqld_port(ftpd_t) + corenet_tcp_connect_postgresql_port(ftpd_t) +') + +optional_policy(` inetd_tcp_service_domain(ftpd_t, ftpd_exec_t) optional_policy(` @@ -362,21 +400,33 @@ # # sftpd local policy # - files_read_etc_files(sftpd_t) # allow read access to /home by default userdom_read_user_home_content_files(sftpd_t) userdom_read_user_home_content_symlinks(sftpd_t) +userdom_dontaudit_list_admin_dir(sftpd_t) + +tunable_policy(`sftpd_full_access',` + allow sftpd_t self:capability { dac_override dac_read_search }; + fs_read_noxattr_fs_files(sftpd_t) + auth_manage_all_files_except_shadow(sftpd_t) +') + +tunable_policy(`sftpd_write_ssh_home',` + ssh_manage_home_files(sftpd_t) +') tunable_policy(`sftpd_enable_homedirs',` allow sftpd_t self:capability { dac_override dac_read_search }; # allow access to /home files_list_home(sftpd_t) - userdom_manage_user_home_content_files(sftpd_t) - userdom_manage_user_home_content_dirs(sftpd_t) - userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) + userdom_read_user_home_content_files(sftpd_t) + userdom_manage_user_home_content(sftpd_t) +', ` + # Needed for permissive mode, to make sure everything gets labeled correctly + userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file }) ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.8.8/policy/modules/services/git.fc --- nsaserefpolicy/policy/modules/services/git.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/git.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,3 +1,12 @@ +HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t, s0) +HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t, s0) + +/srv/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0) + +/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t, s0) + /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) /var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) +/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.8.8/policy/modules/services/git.if --- nsaserefpolicy/policy/modules/services/git.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/git.if 2010-07-30 14:06:53.000000000 -0400 @@ -1 +1,525 @@ -## GIT revision control system +## Fast Version Control System. +## +##

+## A really simple TCP git daemon that normally listens on +## port DEFAULT_GIT_PORT aka 9418. It waits for a +## connection asking for a service, and will serve that +## service if it is enabled. +##

+## + +####################################### +## +## Role access for Git daemon session. +## +## +## +## Role allowed access. +## +## +## +## +## User domain for the role. +## +## +# +interface(`git_session_role',` + gen_require(` + type git_session_t, gitd_exec_t; + type git_session_content_t; + ') + + ######################################## + # + # Git daemon session shared declarations. + # + + role $1 types git_session_t; + + ######################################## + # + # Git daemon session shared policy. + # + + domtrans_pattern($2, gitd_exec_t, git_session_t) + + allow $2 git_session_t:process { ptrace signal_perms }; + ps_process_pattern($2, git_session_t) +') + +######################################## +## +## Create a set of derived types for Git +## daemon shared repository content. +## +## +## +## The prefix to be used for deriving type names. +## +## +# +template(`git_content_template',` + + gen_require(` + attribute git_system_content; + attribute git_content; + ') + + ######################################## + # + # Git daemon content shared declarations. + # + + type git_$1_content_t, git_system_content, git_content; + files_type(git_$1_content_t) +') + +######################################## +## +## Create a set of derived types for Git +## daemon shared repository roles. +## +## +## +## The prefix to be used for deriving type names. +## +## +# +template(`git_role_template',` + + gen_require(` + class context contains; + role system_r; + ') + + ######################################## + # + # Git daemon role shared declarations. + # + + attribute $1_usertype; + + type $1_t; + userdom_unpriv_usertype($1, $1_t) + domain_type($1_t) + + role $1_r types $1_t; + allow system_r $1_r; + + ######################################## + # + # Git daemon role shared policy. + # + + allow $1_t self:context contains; + allow $1_t self:fifo_file rw_fifo_file_perms; + + corecmd_exec_bin($1_t) + corecmd_bin_entry_type($1_t) + corecmd_shell_entry_type($1_t) + + domain_interactive_fd($1_t) + domain_user_exemption_target($1_t) + + kernel_read_system_state($1_t) + + files_read_etc_files($1_t) + files_dontaudit_search_home($1_t) + + miscfiles_read_localization($1_t) + + git_rwx_generic_system_content($1_t) + + ssh_rw_stream_sockets($1_t) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1_t) + fs_manage_cifs_dirs($1_t) + fs_manage_cifs_files($1_t) + ') + + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1_t) + fs_manage_nfs_dirs($1_t) + fs_manage_nfs_files($1_t) + ') + + optional_policy(` + nscd_read_pid($1_t) + ') +') + +####################################### +## +## Allow specified domain access to the +## specified Git daemon content. +## +## +## +## Domain allowed access. +## +## +## +## +## Type of the object that access is allowed to. +## +## +# +interface(`git_content_delegation',` + gen_require(` + type $1, $2; + ') + + exec_files_pattern($1, $2, $2) + manage_dirs_pattern($1, $2, $2) + manage_files_pattern($1, $2, $2) + files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ') +') + +######################################## +## +## Allow the specified domain to manage +## and execute all Git daemon content. +## +## +## +## Domain allowed access. +## +## +# +interface(`git_rwx_all_content',` + gen_require(` + attribute git_content; + ') + + exec_files_pattern($1, git_content, git_content) + manage_dirs_pattern($1, git_content, git_content) + manage_files_pattern($1, git_content, git_content) + userdom_search_user_home_dirs($1) + files_search_var_lib($1) + + tunable_policy(`use_nfs_home_dirs',` + fs_exec_nfs_files($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_exec_cifs_files($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + ') + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ') +') + +######################################## +## +## Allow the specified domain to manage +## and execute all Git daemon system content. +## +## +## +## Domain allowed access. +## +## +# +interface(`git_rwx_all_system_content',` + gen_require(` + attribute git_system_content; + ') + + exec_files_pattern($1, git_system_content, git_system_content) + manage_dirs_pattern($1, git_system_content, git_system_content) + manage_files_pattern($1, git_system_content, git_system_content) + files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ') +') + +######################################## +## +## Allow the specified domain to manage +## and execute Git daemon generic system content. +## +## +## +## Domain allowed access. +## +## +# +interface(`git_rwx_generic_system_content',` + gen_require(` + type git_system_content_t; + ') + + exec_files_pattern($1, git_system_content_t, git_system_content_t) + manage_dirs_pattern($1, git_system_content_t, git_system_content_t) + manage_files_pattern($1, git_system_content_t, git_system_content_t) + files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ') +') + +######################################## +## +## Allow the specified domain to read +## all Git daemon content files. +## +## +## +## Domain allowed access. +## +## +# +interface(`git_read_all_content_files',` + gen_require(` + attribute git_content; + ') + + list_dirs_pattern($1, git_content, git_content) + read_files_pattern($1, git_content, git_content) + userdom_search_user_home_dirs($1) + files_search_var_lib($1) + + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_list_cifs($1) + fs_read_cifs_files($1) + ') + + tunable_policy(`git_system_use_cifs',` + fs_list_cifs($1) + fs_read_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + ') +') + +######################################## +## +## Allow the specified domain to read +## Git daemon session content files. +## +## +## +## Domain allowed access. +## +## +# +interface(`git_read_session_content_files',` + gen_require(` + type git_session_content_t; + ') + + list_dirs_pattern($1, git_session_content_t, git_session_content_t) + read_files_pattern($1, git_session_content_t, git_session_content_t) + userdom_search_user_home_dirs($1) + + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_list_cifs($1) + fs_read_cifs_files($1) + ') +') + +######################################## +## +## Allow the specified domain to read +## all Git daemon system content files. +## +## +## +## Domain allowed access. +## +## +# +interface(`git_read_all_system_content_files',` + gen_require(` + attribute git_system_content; + ') + + list_dirs_pattern($1, git_system_content, git_system_content) + read_files_pattern($1, git_system_content, git_system_content) + files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` + fs_list_cifs($1) + fs_read_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + ') +') + +######################################## +## +## Allow the specified domain to read +## Git daemon generic system content files. +## +## +## +## Domain allowed access. +## +## +# +interface(`git_read_generic_system_content_files',` + gen_require(` + type git_system_content_t; + ') + + list_dirs_pattern($1, git_system_content_t, git_system_content_t) + read_files_pattern($1, git_system_content_t, git_system_content_t) + files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` + fs_list_cifs($1) + fs_read_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + ') +') + +######################################## +## +## Allow the specified domain to relabel +## all Git daemon content. +## +## +## +## Domain allowed access. +## +## +# +interface(`git_relabel_all_content',` + gen_require(` + attribute git_content; + ') + + relabel_dirs_pattern($1, git_content, git_content) + relabel_files_pattern($1, git_content, git_content) + userdom_search_user_home_dirs($1) + files_search_var_lib($1) +') + +######################################## +## +## Allow the specified domain to relabel +## all Git daemon system content. +## +## +## +## Domain allowed access. +## +## +# +interface(`git_relabel_all_system_content',` + gen_require(` + attribute git_system_content; + ') + + relabel_dirs_pattern($1, git_system_content, git_system_content) + relabel_files_pattern($1, git_system_content, git_system_content) + files_search_var_lib($1) +') + +######################################## +## +## Allow the specified domain to relabel +## Git daemon generic system content. +## +## +## +## Domain allowed access. +## +## +# +interface(`git_relabel_generic_system_content',` + gen_require(` + type git_system_content_t; + ') + + relabel_dirs_pattern($1, git_system_content_t, git_system_content_t) + relabel_files_pattern($1, git_system_content_t, git_system_content_t) + files_search_var_lib($1) +') + +######################################## +## +## Allow the specified domain to relabel +## Git daemon session content. +## +## +## +## Domain allowed access. +## +## +# +interface(`git_relabel_session_content',` + gen_require(` + type git_session_content_t; + ') + + relabel_dirs_pattern($1, git_session_content_t, git_session_content_t) + relabel_files_pattern($1, git_session_content_t, git_session_content_t) + userdom_search_user_home_dirs($1) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.8.8/policy/modules/services/git.te --- nsaserefpolicy/policy/modules/services/git.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/git.te 2010-07-30 14:06:53.000000000 -0400 @@ -1,8 +1,192 @@ -policy_module(git, 1.0) +policy_module(git, 1.0.3) + +## +##

+## Allow Git daemon system to search home directories. +##

+## +gen_tunable(git_system_enable_homedirs, false) + +## +##

+## Allow Git daemon system to access cifs file systems. +##

+## +gen_tunable(git_system_use_cifs, false) + +## +##

+## Allow Git daemon system to access nfs file systems. +##

+## +gen_tunable(git_system_use_nfs, false) + +######################################## +# +# Git daemon global private declarations. +# + +attribute git_domains; +attribute git_system_content; +attribute git_content; + +type gitd_exec_t; + +######################################## +# +# Git daemon system private declarations. +# + +type git_system_t, git_domains; +inetd_service_domain(git_system_t, gitd_exec_t) +role system_r types git_system_t; + +type git_system_content_t, git_system_content, git_content; +files_type(git_system_content_t) +typealias git_system_content_t alias git_data_t; + +######################################## +# +# Git daemon session private declarations. +# + +## +##

+## Allow Git daemon session to bind +## tcp sockets to all unreserved ports. +##

+## +gen_tunable(git_session_bind_all_unreserved_ports, false) + +type git_session_t, git_domains; +application_domain(git_session_t, gitd_exec_t) +ubac_constrained(git_session_t) + +type git_session_content_t, git_content; +userdom_user_home_content(git_session_content_t) + +######################################## +# +# Git daemon global private policy. +# + +allow git_domains self:fifo_file rw_fifo_file_perms; +allow git_domains self:netlink_route_socket create_netlink_socket_perms; +allow git_domains self:tcp_socket create_socket_perms; +allow git_domains self:udp_socket create_socket_perms; +allow git_domains self:unix_dgram_socket create_socket_perms; + +corenet_all_recvfrom_netlabel(git_domains) +corenet_all_recvfrom_unlabeled(git_domains) +corenet_tcp_bind_generic_node(git_domains) +corenet_tcp_sendrecv_generic_if(git_domains) +corenet_tcp_sendrecv_generic_node(git_domains) +corenet_tcp_sendrecv_generic_port(git_domains) +corenet_tcp_bind_git_port(git_domains) +corenet_sendrecv_git_server_packets(git_domains) + +corecmd_exec_bin(git_domains) + +files_read_etc_files(git_domains) +files_read_usr_files(git_domains) + +fs_search_auto_mountpoints(git_domains) + +kernel_read_system_state(git_domains) + +auth_use_nsswitch(git_domains) + +logging_send_syslog_msg(git_domains) + +miscfiles_read_localization(git_domains) + +sysnet_read_config(git_domains) + +optional_policy(` + automount_dontaudit_getattr_tmp_dirs(git_domains) +') + +optional_policy(` + nis_use_ypbind(git_domains) +') + +######################################## +# +# Git daemon system repository private policy. +# + +list_dirs_pattern(git_system_t, git_content, git_content) +read_files_pattern(git_system_t, git_content, git_content) +files_search_var_lib(git_system_t) + +tunable_policy(`git_system_enable_homedirs', ` + userdom_search_user_home_dirs(git_system_t) +') + +tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', ` + fs_list_nfs(git_system_t) + fs_read_nfs_files(git_system_t) +') + +tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', ` + fs_list_cifs(git_system_t) + fs_read_cifs_files(git_system_t) +') + +tunable_policy(`git_system_use_cifs', ` + fs_list_cifs(git_system_t) + fs_read_cifs_files(git_system_t) +') + +tunable_policy(`git_system_use_nfs', ` + fs_list_nfs(git_system_t) + fs_read_nfs_files(git_system_t) +') ######################################## # -# Declarations +# Git daemon session repository private policy. # -apache_content_template(git) +allow git_session_t self:tcp_socket { accept listen }; + +list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t) +read_files_pattern(git_session_t, git_session_content_t, git_session_content_t) +userdom_search_user_home_dirs(git_session_t) + +userdom_use_user_terminals(git_session_t) + +tunable_policy(`git_session_bind_all_unreserved_ports', ` + corenet_tcp_bind_all_unreserved_ports(git_session_t) + corenet_sendrecv_generic_server_packets(git_session_t) +') + +tunable_policy(`use_nfs_home_dirs', ` + fs_list_nfs(git_session_t) + fs_read_nfs_files(git_session_t) +') + +tunable_policy(`use_samba_home_dirs', ` + fs_list_cifs(git_session_t) + fs_read_cifs_files(git_session_t) +') + +######################################## +# +# cgi git Declarations +# + +optional_policy(` + apache_content_template(git) + git_read_all_content_files(httpd_git_script_t) + files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) +') + +######################################## +# +# Git-shell private policy. +# + +git_role_template(git_shell) +gen_user(git_shell_u, user, git_shell_r, s0, s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.8.8/policy/modules/services/gnomeclock.if --- nsaserefpolicy/policy/modules/services/gnomeclock.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/gnomeclock.if 2010-07-30 14:06:53.000000000 -0400 @@ -63,3 +63,24 @@ allow $1 gnomeclock_t:dbus send_msg; allow gnomeclock_t $1:dbus send_msg; ') + +######################################## +## +## Do not audit send and receive messages from +## gnomeclock over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnomeclock_dontaudit_dbus_chat',` + gen_require(` + type gnomeclock_t; + class dbus send_msg; + ') + + dontaudit $1 gnomeclock_t:dbus send_msg; + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.8.8/policy/modules/services/gpsd.te --- nsaserefpolicy/policy/modules/services/gpsd.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/gpsd.te 2010-07-30 14:06:53.000000000 -0400 @@ -56,6 +56,10 @@ miscfiles_read_localization(gpsd_t) optional_policy(` + chronyd_rw_shm(gpsd_t) +') + +optional_policy(` dbus_system_bus_client(gpsd_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.8.8/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/hal.if 2010-07-30 14:06:53.000000000 -0400 @@ -377,6 +377,26 @@ ######################################## ## +## Do not audit attempts to read +## hald PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`hal_dontaudit_read_pid_files',` + gen_require(` + type hald_var_run_t; + ') + + files_search_pids($1) + allow $1 hald_var_run_t:file read_inherited_file_perms; +') + +######################################## +## ## Read/Write hald PID files. ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.8.8/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/hal.te 2010-07-30 14:06:53.000000000 -0400 @@ -54,6 +54,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) +typealias hald_log_t alias pmtools_log_t; +typealias hald_var_run_t alias pmtools_var_run_t; + ######################################## # # Local policy @@ -99,7 +102,7 @@ kernel_rw_irq_sysctls(hald_t) kernel_rw_vm_sysctls(hald_t) kernel_write_proc_files(hald_t) -kernel_search_network_sysctl(hald_t) +kernel_rw_net_sysctls(hald_t) kernel_setsched(hald_t) kernel_request_load_module(hald_t) @@ -125,6 +128,7 @@ dev_read_lvm_control(hald_t) dev_getattr_all_chr_files(hald_t) dev_manage_generic_chr_files(hald_t) +dev_manage_generic_blk_files(hald_t) dev_rw_generic_usb_dev(hald_t) dev_setattr_generic_usb_dev(hald_t) dev_setattr_usbfs_files(hald_t) @@ -211,10 +215,13 @@ seutil_read_default_contexts(hald_t) seutil_read_file_contexts(hald_t) -sysnet_read_config(hald_t) +sysnet_delete_dhcpc_pid(hald_t) sysnet_domtrans_dhcpc(hald_t) sysnet_domtrans_ifconfig(hald_t) +sysnet_read_config(hald_t) sysnet_read_dhcp_config(hald_t) +sysnet_read_dhcpc_pid(hald_t) +sysnet_signal_dhcpc(hald_t) userdom_dontaudit_use_unpriv_user_fds(hald_t) userdom_dontaudit_search_user_home_dirs(hald_t) @@ -268,6 +275,10 @@ ') optional_policy(` + gnome_read_config(hald_t) +') + +optional_policy(` gpm_dontaudit_getattr_gpmctl(hald_t) ') @@ -318,6 +329,10 @@ ') optional_policy(` + shutdown_domtrans(hald_t) +') + +optional_policy(` udev_domtrans(hald_t) udev_read_db(hald_t) ') @@ -338,6 +353,10 @@ virt_manage_images(hald_t) ') +optional_policy(` + xserver_read_pid(hald_t) +') + ######################################## # # Hal acl local policy @@ -358,6 +377,7 @@ manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) +allow hald_t hald_var_run_t:dir mounton; corecmd_exec_bin(hald_acl_t) @@ -470,6 +490,10 @@ miscfiles_read_localization(hald_keymap_t) +# This is caused by a bug in hald and PolicyKit. +# Should be removed when this is fixed +cron_read_system_job_lib_files(hald_t) + ######################################## # # Local hald dccm policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.fc serefpolicy-3.8.8/policy/modules/services/hddtemp.fc --- nsaserefpolicy/policy/modules/services/hddtemp.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/hddtemp.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,5 +1,3 @@ /etc/rc\.d/init\.d/hddtemp -- gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0) -/etc/sysconfig/hddtemp -- gen_context(system_u:object_r:hddtemp_etc_t,s0) - /usr/sbin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.8.8/policy/modules/services/icecast.te --- nsaserefpolicy/policy/modules/services/icecast.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/icecast.te 2010-07-30 14:06:53.000000000 -0400 @@ -37,6 +37,8 @@ manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) +kernel_read_system_state(icecast_t) + corenet_tcp_bind_soundd_port(icecast_t) # Init script handling @@ -51,5 +53,9 @@ sysnet_dns_name_resolve(icecast_t) optional_policy(` + apache_read_sys_content(icecast_t) +') + +optional_policy(` rtkit_scheduled(icecast_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.if serefpolicy-3.8.8/policy/modules/services/inetd.if --- nsaserefpolicy/policy/modules/services/inetd.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/inetd.if 2010-07-30 14:06:53.000000000 -0400 @@ -178,7 +178,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -192,7 +192,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.8.8/policy/modules/services/inn.te --- nsaserefpolicy/policy/modules/services/inn.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/inn.te 2010-07-30 14:06:53.000000000 -0400 @@ -56,7 +56,7 @@ manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t) manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) -files_pid_filetrans(innd_t, innd_var_run_t, file) +files_pid_filetrans(innd_t, innd_var_run_t, { dir file }) manage_dirs_pattern(innd_t, news_spool_t, news_spool_t) manage_files_pattern(innd_t, news_spool_t, news_spool_t) @@ -105,6 +105,7 @@ userdom_dontaudit_use_unpriv_user_fds(innd_t) userdom_dontaudit_search_user_home_dirs(innd_t) +userdom_dgram_send(innd_t) mta_send_mail(innd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.8.8/policy/modules/services/kerberos.fc --- nsaserefpolicy/policy/modules/services/kerberos.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/kerberos.fc 2010-07-30 14:06:53.000000000 -0400 @@ -8,7 +8,7 @@ /etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) /etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -/etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) +/etc/rc\.d/init\.d/kadmin -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.8.8/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/kerberos.te 2010-07-30 14:06:53.000000000 -0400 @@ -126,10 +126,13 @@ corenet_tcp_bind_generic_node(kadmind_t) corenet_udp_bind_generic_node(kadmind_t) corenet_tcp_bind_kerberos_admin_port(kadmind_t) +corenet_tcp_bind_kerberos_password_port(kadmind_t) corenet_udp_bind_kerberos_admin_port(kadmind_t) +corenet_udp_bind_kerberos_password_port(kadmind_t) corenet_tcp_bind_reserved_port(kadmind_t) corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t) corenet_sendrecv_kerberos_admin_server_packets(kadmind_t) +corenet_sendrecv_kerberos_password_server_packets(kadmind_t) dev_read_sysfs(kadmind_t) dev_read_rand(kadmind_t) @@ -198,8 +201,7 @@ allow krb5kdc_t krb5kdc_log_t:file manage_file_perms; logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) -allow krb5kdc_t krb5kdc_principal_t:file read_file_perms; -dontaudit krb5kdc_t krb5kdc_principal_t:file write; +allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms; manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.8.8/policy/modules/services/ksmtuned.fc --- nsaserefpolicy/policy/modules/services/ksmtuned.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ksmtuned.fc 2010-07-30 14:06:53.000000000 -0400 @@ -3,3 +3,5 @@ /usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) /var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0) + +/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.8.8/policy/modules/services/ksmtuned.if --- nsaserefpolicy/policy/modules/services/ksmtuned.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ksmtuned.if 2010-07-30 14:06:53.000000000 -0400 @@ -60,7 +60,7 @@ ') allow $1 ksmtuned_t:process { ptrace signal_perms }; - ps_process_pattern(ksmtumed_t) + ps_process_pattern($1, ksmtuned_t) files_list_pids($1) admin_pattern($1, ksmtuned_var_run_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.8.8/policy/modules/services/ksmtuned.te --- nsaserefpolicy/policy/modules/services/ksmtuned.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ksmtuned.te 2010-07-30 14:06:53.000000000 -0400 @@ -9,6 +9,9 @@ type ksmtuned_exec_t; init_daemon_domain(ksmtuned_t, ksmtuned_exec_t) +type ksmtuned_log_t; +logging_log_file(ksmtuned_log_t) + type ksmtuned_initrc_exec_t; init_script_file(ksmtuned_initrc_exec_t) @@ -23,6 +26,10 @@ allow ksmtuned_t self:capability { sys_ptrace sys_tty_config }; allow ksmtuned_t self:fifo_file rw_file_perms; +manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) +manage_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) +logging_log_filetrans(ksmtuned_t, ksmtuned_log_t, { file dir }) + manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t) files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file) @@ -31,9 +38,15 @@ dev_rw_sysfs(ksmtuned_t) domain_read_all_domains_state(ksmtuned_t) +domain_dontaudit_read_all_domains_state(ksmtuned_t) corecmd_exec_bin(ksmtuned_t) files_read_etc_files(ksmtuned_t) +mls_file_read_to_clearance(ksmtuned_t) + +term_use_all_terms(ksmtuned_t) + miscfiles_read_localization(ksmtuned_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.8.8/policy/modules/services/ldap.fc --- nsaserefpolicy/policy/modules/services/ldap.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ldap.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,6 +1,8 @@ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) -/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) +/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) + +/etc/rc\.d/init\.d/sldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) @@ -15,3 +17,4 @@ /var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) +#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.8.8/policy/modules/services/ldap.if --- nsaserefpolicy/policy/modules/services/ldap.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ldap.if 2010-07-30 14:06:53.000000000 -0400 @@ -1,5 +1,43 @@ ## OpenLDAP directory server +####################################### +## +## Execute OpenLDAP in the ldap domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ldap_domtrans',` + gen_require(` + type slapd_t, slapd_exec_t; + ') + + domtrans_pattern($1, slapd_exec_t, slapd_t) + +') + +####################################### +## +## Execute OpenLDAP server in the ldap domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ldap_initrc_domtrans',` + gen_require(` + type slapd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, slapd_initrc_exec_t) +') + + ######################################## ## ## Read the contents of the OpenLDAP @@ -21,6 +59,25 @@ ######################################## ## +## Read the contents of the OpenLDAP +## database files. +## +## +## +## Domain allowed access. +## +## +# +interface(`ldap_read_db_files',` + gen_require(` + type slapd_db_t; + ') + + read_files_pattern($1, slapd_db_t, slapd_db_t) +') + +######################################## +## ## Read the OpenLDAP configuration files. ## ## @@ -71,6 +128,30 @@ files_search_pids($1) allow $1 slapd_var_run_t:sock_file write; allow $1 slapd_t:unix_stream_socket connectto; + + optional_policy(` + ldap_stream_connect_dirsrv($1) + ') +') + +######################################## +## +## Connect to dirsrv over an unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`ldap_stream_connect_dirsrv',` + gen_require(` + type dirsrv_t, dirsrv_var_run_t; + ') + + files_search_pids($1) + allow $1 dirsrv_var_run_t:sock_file write; + allow $1 dirsrv_t:unix_stream_socket connectto; ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.8.8/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ldap.te 2010-08-12 15:47:23.000000000 -0400 @@ -10,7 +10,7 @@ init_daemon_domain(slapd_t, slapd_exec_t) type slapd_cert_t; -files_type(slapd_cert_t) +miscfiles_cert_type(slapd_cert_t) type slapd_db_t; files_type(slapd_db_t) @@ -27,9 +27,15 @@ type slapd_replog_t; files_type(slapd_replog_t) +type slapd_log_t; +logging_log_file(slapd_log_t) + type slapd_tmp_t; files_tmp_file(slapd_tmp_t) +type slapd_tmpfs_t; +files_tmpfs_file(slapd_tmpfs_t) + type slapd_var_run_t; files_pid_file(slapd_var_run_t) @@ -67,13 +73,21 @@ manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) +manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t) +manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t) +logging_log_filetrans(slapd_t, slapd_log_t, { file dir }) + manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) +manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t) +fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t,file) + +manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) -files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file }) +files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.if serefpolicy-3.8.8/policy/modules/services/lircd.if --- nsaserefpolicy/policy/modules/services/lircd.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/lircd.if 2010-07-30 14:06:53.000000000 -0400 @@ -45,7 +45,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.8.8/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/lircd.te 2010-07-30 14:06:53.000000000 -0400 @@ -24,6 +24,7 @@ # allow lircd_t self:capability { chown kill sys_admin }; +allow lircd_t self:process { fork signal }; allow lircd_t self:fifo_file rw_fifo_file_perms; allow lircd_t self:unix_dgram_socket create_socket_perms; allow lircd_t self:tcp_socket create_stream_socket_perms; @@ -34,7 +35,7 @@ manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) -files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file }) +files_pid_filetrans(lircd_t, lircd_var_run_t, { file dir }) # /dev/lircd socket dev_filetrans(lircd_t, lircd_var_run_t, sock_file) @@ -44,7 +45,7 @@ corenet_tcp_sendrecv_all_ports(lircd_t) corenet_tcp_connect_lirc_port(lircd_t) -dev_read_generic_usb_dev(lircd_t) +dev_rw_generic_usb_dev(lircd_t) dev_read_mouse(lircd_t) dev_filetrans_lirc(lircd_t) dev_rw_lirc(lircd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.te serefpolicy-3.8.8/policy/modules/services/lpd.te --- nsaserefpolicy/policy/modules/services/lpd.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/lpd.te 2010-07-30 14:06:53.000000000 -0400 @@ -145,9 +145,10 @@ manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir }) +manage_dirs_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) -files_pid_filetrans(lpd_t, lpd_var_run_t, file) +files_pid_filetrans(lpd_t, lpd_var_run_t, { dir file }) # Write to /var/spool/lpd. manage_files_pattern(lpd_t, print_spool_t, print_spool_t) @@ -308,12 +309,14 @@ ') tunable_policy(`use_nfs_home_dirs',` + files_list_home(lpr_t) fs_list_auto_mountpoints(lpr_t) fs_read_nfs_files(lpr_t) fs_read_nfs_symlinks(lpr_t) ') tunable_policy(`use_samba_home_dirs',` + files_list_home(lpr_t) fs_list_auto_mountpoints(lpr_t) fs_read_cifs_files(lpr_t) fs_read_cifs_symlinks(lpr_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.8.8/policy/modules/services/mailman.if --- nsaserefpolicy/policy/modules/services/mailman.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/mailman.if 2010-08-18 09:30:10.000000000 -0400 @@ -74,7 +74,7 @@ corecmd_exec_all_executables(mailman_$1_t) files_exec_etc_files(mailman_$1_t) - files_list_usr(mailman_$1_t) + files_read_usr_files(mailman_$1_t) files_list_var(mailman_$1_t) files_list_var_lib(mailman_$1_t) files_read_var_lib_symlinks(mailman_$1_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.if serefpolicy-3.8.8/policy/modules/services/memcached.if --- nsaserefpolicy/policy/modules/services/memcached.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/memcached.if 2010-07-30 14:06:53.000000000 -0400 @@ -59,6 +59,7 @@ gen_require(` type memcached_t; type memcached_initrc_exec_t; + type memcached_var_run_t; ') allow $1 memcached_t:process { ptrace signal_perms }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.8.8/policy/modules/services/milter.if --- nsaserefpolicy/policy/modules/services/milter.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/milter.if 2010-07-30 14:06:53.000000000 -0400 @@ -37,6 +37,8 @@ files_read_etc_files($1_milter_t) + kernel_dontaudit_read_system_state($1_milter_t) + miscfiles_read_localization($1_milter_t) logging_send_syslog_msg($1_milter_t) @@ -82,6 +84,24 @@ ######################################## ## +## Allow setattr of milter dirs +## +## +## +## Domain allowed access. +## +## +# +interface(`milter_setattr_all_dirs',` + gen_require(` + attribute milter_data_type; + ') + + setattr_dirs_pattern($1, milter_data_type, milter_data_type) +') + +######################################## +## ## Manage spamassassin milter state ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.fc serefpolicy-3.8.8/policy/modules/services/mock.fc --- nsaserefpolicy/policy/modules/services/mock.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/mock.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,6 @@ + +/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0) + +/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0) + +/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.if serefpolicy-3.8.8/policy/modules/services/mock.if --- nsaserefpolicy/policy/modules/services/mock.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/mock.if 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,238 @@ + +## policy for mock + +######################################## +## +## Execute a domain transition to run mock. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`mock_domtrans',` + gen_require(` + type mock_t, mock_exec_t; + ') + + domtrans_pattern($1, mock_exec_t, mock_t) +') + + +######################################## +## +## Search mock lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`mock_search_lib',` + gen_require(` + type mock_var_lib_t; + ') + + allow $1 mock_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Read mock lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mock_read_lib_files',` + gen_require(` + type mock_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, mock_var_lib_t, mock_var_lib_t) +') + +######################################## +## +## Create, read, write, and delete +## mock lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mock_manage_lib_files',` + gen_require(` + type mock_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t) +') + +######################################## +## +## Manage mock lib dirs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mock_manage_lib_dirs',` + gen_require(` + type mock_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t) +') + +######################################### +## +## Manage mock lib symlinks. +## +## +## +## Domain allowed access. +## +## +# +interface(`mock_manage_lib_symlinks',` + gen_require(` + type mock_var_lib_t; + ') + + files_search_var_lib($1) + manage_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t) +') + +######################################## +## +## Manage mock lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mock_manage_lib_chr_files',` + gen_require(` + type mock_var_lib_t; + ') + + files_search_var_lib($1) + manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t) +') + +######################################## +## +## Execute mock in the mock domain, and +## allow the specified role the mock domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the mock domain. +## +## +# +interface(`mock_run',` + gen_require(` + type mock_t; + ') + + mock_domtrans($1) + role $2 types mock_t; +') + +######################################## +## +## Role access for mock +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`mock_role',` + gen_require(` + type mock_t; + ') + + role $1 types mock_t; + + mock_domtrans($2) + + ps_process_pattern($2, mock_t) + allow $2 mock_t:process signal; +') + +####################################### +## +## Send a generic signal to mock. +## +## +## +## Domain allowed access. +## +## +# +interface(`mock_signal',` + gen_require(` + type mock_t; + ') + + allow $1 mock_t:process signal; +') + +######################################## +## +## All of the rules required to administrate +## an mock environment +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`mock_admin',` + gen_require(` + type mock_t; + type mock_var_lib_t; + ') + + allow $1 mock_t:process { ptrace signal_perms }; + ps_process_pattern($1, mock_t) + + files_search_var_lib($1) + admin_pattern($1, mock_var_lib_t) + +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.te serefpolicy-3.8.8/policy/modules/services/mock.te --- nsaserefpolicy/policy/modules/services/mock.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/mock.te 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,98 @@ +policy_module(mock,1.0.0) + +######################################## +# +# Declarations +# + +type mock_t; +type mock_exec_t; +application_domain(mock_t, mock_exec_t) +domain_role_change_exemption(mock_t) +domain_system_change_exemption(mock_t) +role system_r types mock_t; + +permissive mock_t; + +type mock_cache_t; +files_type(mock_cache_t) + +type mock_tmp_t; +files_tmp_file(mock_tmp_t) + +type mock_var_lib_t; +files_type(mock_var_lib_t) + +######################################## +# +# mock local policy +# +allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; +allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid sigkill }; +dontaudit mock_t self:process { siginh noatsecure rlimitinh }; +allow mock_t self:fifo_file manage_fifo_file_perms; +allow mock_t self:unix_stream_socket create_stream_socket_perms; +allow mock_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t) +manage_files_pattern(mock_t, mock_cache_t, mock_cache_t) +files_var_filetrans(mock_t, mock_cache_t, { dir file } ) + +manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t) +manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t) +files_tmp_filetrans(mock_t, mock_tmp_t, { dir file } ) +can_exec(mock_t, mock_tmp_t) + +manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) +manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) +manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) +manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) +files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file } ) +can_exec(mock_t, mock_var_lib_t) +allow mock_t mock_var_lib_t:dir mounton; + +kernel_list_proc(mock_t) +kernel_read_irq_sysctls(mock_t) +kernel_read_system_state(mock_t) +kernel_read_kernel_sysctls(mock_t) +kernel_request_load_module(mock_t) + +corecmd_exec_bin(mock_t) +corecmd_exec_shell(mock_t) + +corenet_tcp_connect_http_port(mock_t) + +dev_read_urand(mock_t) + +domain_read_all_domains_state(mock_t) +domain_use_interactive_fds(mock_t) + +files_read_etc_files(mock_t) +files_read_usr_files(mock_t) + +fs_getattr_all_fs(mock_t) + +selinux_get_enforce_mode(mock_t) + +auth_use_nsswitch(mock_t) + +init_exec(mock_t) + +libs_domtrans_ldconfig(mock_t) + +logging_send_audit_msgs(mock_t) +logging_send_syslog_msg(mock_t) + +miscfiles_read_localization(mock_t) + +mount_domtrans(mock_t) + +optional_policy(` + rpm_exec(mock_t) + rpm_manage_db(mock_t) + rpm_entry_type(mock_t) +') + +optional_policy(` + apache_read_sys_content_rw_files(mock_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.8.8/policy/modules/services/modemmanager.te --- nsaserefpolicy/policy/modules/services/modemmanager.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/modemmanager.te 2010-07-30 14:06:53.000000000 -0400 @@ -16,7 +16,8 @@ # ModemManager local policy # -allow modemmanager_t self:process signal; +allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config }; +allow modemmanager_t self:process { getsched signal }; allow modemmanager_t self:fifo_file rw_file_perms; allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -28,6 +29,7 @@ files_read_etc_files(modemmanager_t) +term_use_generic_ptys(modemmanager_t) term_use_unallocated_ttys(modemmanager_t) miscfiles_read_localization(modemmanager_t) @@ -37,5 +39,9 @@ networkmanager_dbus_chat(modemmanager_t) optional_policy(` + policykit_dbus_chat(modemmanager_t) +') + +optional_policy(` udev_read_db(modemmanager_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.fc serefpolicy-3.8.8/policy/modules/services/mojomojo.fc --- nsaserefpolicy/policy/modules/services/mojomojo.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/mojomojo.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,5 @@ +/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0) + +/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_mojomojo_content_t,s0) + +/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.if serefpolicy-3.8.8/policy/modules/services/mojomojo.if --- nsaserefpolicy/policy/modules/services/mojomojo.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/mojomojo.if 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,43 @@ +## Mojomojo server + +######################################## +## +## All of the rules required to administrate +## an mojomojo environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the mojomojo domain. +## +## +## +# +interface(`mojomojo_admin',` + gen_require(` + type httpd_mojomojo_script_t; + type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t; + type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t; + type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t; + ') + + allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms }; + ps_process_pattern($1, httpd_mojomojo_script_t) + + files_list_tmp($1) + admin_pattern($1, httpd_mojomojo_tmp_t) + + files_search_var_lib(httpd_mojomojo_script_t) + + apache_search_sys_content($1) + admin_pattern($1, httpd_mojomojo_script_exec_t) + admin_pattern($1, httpd_mojomojo_script_t) + admin_pattern($1, httpd_mojomojo_content_t) + admin_pattern($1, httpd_mojomojo_htaccess_t) + admin_pattern($1, httpd_mojomojo_rw_content_t) + admin_pattern($1, httpd_mojomojo_ra_content_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.te serefpolicy-3.8.8/policy/modules/services/mojomojo.te --- nsaserefpolicy/policy/modules/services/mojomojo.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/mojomojo.te 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,45 @@ +policy_module(mojomojo, 1.0) + +######################################## +# +# Declarations +# + +apache_content_template(mojomojo) + +type httpd_mojomojo_tmp_t; +files_tmp_file(httpd_mojomojo_tmp_t) + +######################################## +# +# mojomojo local policy +# + +allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; + +manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t) +manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t) +files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir }) + +corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t) +corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t) + +corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t) +corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t) + +corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t) +corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) + +files_search_var_lib(httpd_mojomojo_script_t) + +mta_send_mail(httpd_mojomojo_script_t) + +sysnet_dns_name_resolve(httpd_mojomojo_script_t) + +optional_policy(` + mysql_stream_connect(httpd_mojomojo_script_t) +') + +optional_policy(` + postgresql_stream_connect(httpd_mojomojo_script_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.fc serefpolicy-3.8.8/policy/modules/services/mpd.fc --- nsaserefpolicy/policy/modules/services/mpd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/mpd.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,10 @@ + +/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0) + +/etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0) + +/usr/bin/mpd -- gen_context(system_u:object_r:mpd_exec_t,s0) + +/var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0) +/var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) +/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.if serefpolicy-3.8.8/policy/modules/services/mpd.if --- nsaserefpolicy/policy/modules/services/mpd.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/mpd.if 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,274 @@ + +## policy for daemon for playing music + +######################################## +## +## Execute a domain transition to run mpd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`mpd_domtrans',` + gen_require(` + type mpd_t, mpd_exec_t; + ') + + domtrans_pattern($1, mpd_exec_t, mpd_t) +') + + +######################################## +## +## Execute mpd server in the mpd domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`mpd_initrc_domtrans',` + gen_require(` + type mpd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, mpd_initrc_exec_t) +') + +####################################### +## +## Read mpd data files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mpd_read_data_files',` + gen_require(` + type mpd_data_t; + ') + + files_search_var_lib($1) + mpd_search_lib($1) + read_files_pattern($1, mpd_data_t, mpd_data_t) +') + +####################################### +## +## Read mpd tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mpd_read_tmpfs_files',` + gen_require(` + type mpd_tmpfs_t; + ') + + files_search_var_lib($1) + mpd_search_lib($1) + read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) +') + +################################### +## +## Manage mpd tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mpd_manage_tmpfs_files',` + gen_require(` + type mpd_tmpfs_t; + ') + + files_search_var_lib($1) + mpd_search_lib($1) + manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) + manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) +') + +###################################### +## +## Manage mpd data files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mpd_manage_data_files',` + gen_require(` + type mpd_data_t; + ') + + files_search_var_lib($1) + mpd_search_lib($1) + manage_files_pattern($1, mpd_data_t, mpd_data_t) +') + +######################################## +## +## Search mpd lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`mpd_search_lib',` + gen_require(` + type mpd_var_lib_t; + ') + + allow $1 mpd_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Read mpd lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mpd_read_lib_files',` + gen_require(` + type mpd_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) +') + +######################################## +## +## Create, read, write, and delete +## mpd lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mpd_manage_lib_files',` + gen_require(` + type mpd_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) +') + +####################################### +## +## Create an object in the root directory, with a private +## type using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## +# +interface(`mpd_var_lib_filetrans',` + gen_require(` + type mpd_var_lib_t; + ') + + filetrans_pattern($1, mpd_var_lib_t, $2, $3) +') + +######################################## +## +## Manage mpd lib dirs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mpd_manage_lib_dirs',` + gen_require(` + type mpd_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t) +') + +######################################## +## +## All of the rules required to administrate +## an mpd environment +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`mpd_admin',` + gen_require(` + type mpd_t; + type mpd_initrc_exec_t; + type mpd_etc_t; + type mpd_data_t; + type mpd_log_t; + type mpd_var_lib_t; + ') + + allow $1 mpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, mpd_t) + + mpd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 mpd_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, mpd_etc_t) + files_search_etc($1) + + files_search_var_lib($1) + admin_pattern($1, mpd_var_lib_t) + + mpd_search_lib($1) + admin_pattern($1, mpd_data_t) + + admin_pattern($1, mpd_log_t) + +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.te serefpolicy-3.8.8/policy/modules/services/mpd.te --- nsaserefpolicy/policy/modules/services/mpd.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/mpd.te 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,111 @@ +policy_module(mpd,1.0.0) + +######################################## +# +# Declarations +# + +type mpd_t; +type mpd_exec_t; +init_daemon_domain(mpd_t, mpd_exec_t) + +permissive mpd_t; + +type mpd_initrc_exec_t; +init_script_file(mpd_initrc_exec_t) + +type mpd_etc_t; +files_config_file(mpd_etc_t) + +# type for music content +type mpd_data_t; +files_type(mpd_data_t) + +type mpd_log_t; +logging_log_file(mpd_log_t) + +type mpd_tmp_t; +files_tmp_file(mpd_tmp_t) + +type mpd_tmpfs_t; +files_tmpfs_file(mpd_tmpfs_t) + +type mpd_var_lib_t; +files_type(mpd_var_lib_t) + +######################################## +# +# mpd local policy +# + +#cjp: dac_override bug in mpd relating to mpd.log file +allow mpd_t self:capability { dac_override kill setgid setuid }; +allow mpd_t self:process { getsched setsched setrlimit signal signull }; + +allow mpd_t self:fifo_file rw_fifo_file_perms; +allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow mpd_t self:tcp_socket create_stream_socket_perms; +allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow mpd_t self:unix_dgram_socket { create_socket_perms sendto }; + +read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t) + +manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t) +manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t) + +manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) +manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) +manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) +files_tmp_filetrans(mpd_t, mpd_tmp_t, { dir file sock_file }) + +manage_files_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t) +manage_dirs_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t) +fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file ) + +manage_dirs_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) +manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) +manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) +files_var_lib_filetrans(mpd_t, mpd_var_lib_t, { dir file lnk_file }) + +kernel_read_system_state(mpd_t) +kernel_read_kernel_sysctls(mpd_t) + +corecmd_exec_bin(mpd_t) + +corenet_sendrecv_pulseaudio_client_packets(mpd_t) +corenet_tcp_connect_http_port(mpd_t) +corenet_tcp_connect_http_cache_port(mpd_t) +corenet_tcp_connect_pulseaudio_port(mpd_t) +corenet_tcp_bind_mpd_port(mpd_t) +corenet_tcp_bind_soundd_port(mpd_t) + +dev_read_sysfs(mpd_t) + +files_read_usr_files(mpd_t) + +fs_getattr_tmpfs(mpd_t) +fs_list_inotifyfs(mpd_t) +fs_rw_anon_inodefs_files(mpd_t) + +auth_use_nsswitch(mpd_t) + +logging_send_syslog_msg(mpd_t) + +miscfiles_read_localization(mpd_t) + +userdom_read_home_audio_files(mpd_t) +userdom_read_user_tmpfs_files(mpd_t) + +optional_policy(` + dbus_system_bus_client(mpd_t) +') + +optional_policy(` + pulseaudio_exec(mpd_t) + pulseaudio_stream_connect(mpd_t) + pulseaudio_signull(mpd_t) +') + +optional_policy(` + udev_read_db(mpd_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.8.8/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/mta.fc 2010-08-18 09:25:56.000000000 -0400 @@ -1,4 +1,5 @@ -HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) +HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_home_t,s0) +HOME_DIR/dead.letter -- gen_context(system_u:object_r:mail_home_t,s0) /bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -11,6 +12,9 @@ /etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) ') +/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0) +/root/dead.letter -- gen_context(system_u:object_r:mail_home_t,s0) + /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.8.8/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/mta.if 2010-08-18 06:49:03.000000000 -0400 @@ -220,6 +220,25 @@ application_executable_file($1) ') +###################################### +## +## Dontaudit read and write an leaked file descriptors +## +## +## +## Domain allowed access. +## +## +# +interface(`mta_dontaudit_leaks_system_mail',` + gen_require(` + type system_mail_t; + ') + + dontaudit $1 system_mail_t:fifo_file write; + dontaudit $1 system_mail_t:tcp_socket { read write }; +') + ######################################## ## ## Make the specified type by a system MTA. @@ -330,12 +349,6 @@ ') typeattribute $1 mta_user_agent; - - optional_policy(` - # apache should set close-on-exec - apache_dontaudit_rw_stream_sockets($1) - apache_dontaudit_rw_sys_script_stream_sockets($1) - ') ') ######################################## @@ -362,6 +375,10 @@ allow mta_user_agent $1:fd use; allow mta_user_agent $1:process sigchld; allow mta_user_agent $1:fifo_file rw_fifo_file_perms; + + ifdef(`hide_broken_symptoms', ` + dontaudit system_mail_t $1:socket_class_set { read write }; + ') ') ######################################## @@ -391,12 +408,15 @@ # interface(`mta_sendmail_domtrans',` gen_require(` - type sendmail_exec_t; + attribute mta_exec_type; ') files_search_usr($1) + allow $1 mta_exec_type:lnk_file read_lnk_file_perms; corecmd_read_bin_symlinks($1) - domain_auto_trans($1, sendmail_exec_t, $2) + + allow $2 mta_exec_type:file entrypoint; + domtrans_pattern($1, mta_exec_type, $2) ') ######################################## @@ -474,7 +494,8 @@ type etc_mail_t; ') - write_files_pattern($1, etc_mail_t, etc_mail_t) + manage_files_pattern($1, etc_mail_t, etc_mail_t) + allow $1 etc_mail_t:file setattr; ') ######################################## @@ -698,7 +719,7 @@ files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; allow $1 mail_spool_t:file setattr; - rw_files_pattern($1, mail_spool_t, mail_spool_t) + manage_files_pattern($1, mail_spool_t, mail_spool_t) read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') @@ -899,3 +920,43 @@ allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') + +######################################## +## +## Type transition files created in calling dir +## to the mail address aliases type. +## +## +## +## Domain allowed access. +## +## +## +## +## Directory to transition on. +## +## +# +interface(`mta_filetrans_aliases',` + filetrans_pattern($1, $2, etc_aliases_t, file) +') + +###################################### +## +## ALlow domain to read mail content in the homedir +## +## +## +## Domain allowed access. +## +## +# +interface(`mta_read_home',` + gen_require(` + type mail_home_t; + ') + + userdom_search_user_home_dirs($1) + userdom_search_admin_dir($1) + read_files_pattern($1, mail_home_t, mail_home_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.8.8/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/mta.te 2010-08-17 07:17:58.000000000 -0400 @@ -20,8 +20,8 @@ type etc_mail_t; files_config_file(etc_mail_t) -type mail_forward_t; -files_type(mail_forward_t) +type mail_home_t alias mail_forward_t; +userdom_user_home_content(mail_home_t) type mqueue_spool_t; files_mountpoint(mqueue_spool_t) @@ -50,22 +50,9 @@ # newalias required this, not sure if it is needed in 'if' file allow system_mail_t self:capability { dac_override fowner }; -allow system_mail_t self:fifo_file rw_fifo_file_perms; - -read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) -allow system_mail_t mail_forward_t:file read_file_perms; - -allow system_mail_t mta_exec_type:file entrypoint; - -can_exec(system_mail_t, mta_exec_type) - -kernel_read_system_state(system_mail_t) -kernel_read_network_state(system_mail_t) -kernel_request_load_module(system_mail_t) - dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) @@ -82,6 +69,9 @@ userdom_use_user_terminals(system_mail_t) userdom_dontaudit_search_user_home_dirs(system_mail_t) +userdom_dontaudit_list_admin_dir(system_mail_t) + +logging_append_all_logs(system_mail_t) optional_policy(` apache_read_squirrelmail_data(system_mail_t) @@ -92,6 +82,12 @@ apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) + apache_dontaudit_write_tmp_files(system_mail_t) + + # apache should set close-on-exec + apache_dontaudit_rw_stream_sockets(mta_user_agent) + apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent) + apache_append_log(mta_user_agent) ') optional_policy(` @@ -103,6 +99,11 @@ ') optional_policy(` + bugzilla_search_dirs(system_mail_t) + bugzilla_dontaudit_rw_script_stream_sockets(system_mail_t) +') + +optional_policy(` clamav_stream_connect(system_mail_t) clamav_append_log(system_mail_t) ') @@ -111,6 +112,8 @@ cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) cron_rw_system_job_stream_sockets(system_mail_t) + cron_rw_inherited_spool_files(system_mail_t) + cron_rw_inherited_user_spool_files(system_mail_t) ') optional_policy(` @@ -124,12 +127,8 @@ ') optional_policy(` - exim_domtrans(system_mail_t) - exim_manage_log(system_mail_t) -') - -optional_policy(` fail2ban_append_log(system_mail_t) + fail2ban_dontaudit_leaks(system_mail_t) ') optional_policy(` @@ -146,6 +145,10 @@ ') optional_policy(` + munin_dontaudit_leaks(system_mail_t) +') + +optional_policy(` nagios_read_tmp_files(system_mail_t) ') @@ -158,18 +161,6 @@ files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) domain_use_interactive_fds(system_mail_t) - - # postfix needs this for newaliases - files_getattr_tmp_dirs(system_mail_t) - - postfix_exec_master(system_mail_t) - postfix_read_config(system_mail_t) - postfix_search_spool(system_mail_t) - - ifdef(`distro_redhat',` - # compatability for old default main.cf - postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) - ') ') optional_policy(` @@ -189,6 +180,10 @@ ') optional_policy(` + spamd_stream_connect(system_mail_t) +') + +optional_policy(` smartmon_read_tmp_files(system_mail_t) ') @@ -220,7 +215,8 @@ create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t) +userdom_search_admin_dir(mailserver_delivery) +read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t) read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) @@ -249,6 +245,10 @@ mailman_read_data_symlinks(mailserver_delivery) ') +optional_policy(` + uucp_domtrans_uux(mailserver_delivery) +') + ######################################## # # User send mail local policy @@ -292,3 +292,42 @@ postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') + +######################################## +# +# Comman user_mail_domain policy +# + +allow user_mail_domain self:fifo_file rw_fifo_file_perms; +allow user_mail_domain mta_exec_type:file entrypoint; + +can_exec(user_mail_domain, mta_exec_type) + +allow system_mail_t user_mail_domain:file read_file_perms; + +read_files_pattern(user_mail_domain, etc_mail_t, etc_mail_t) + +kernel_read_system_state(user_mail_domain) +kernel_read_network_state(user_mail_domain) +kernel_request_load_module(user_mail_domain) + + + +optional_policy(` + # postfix needs this for newaliases + files_getattr_tmp_dirs(user_mail_domain) + + postfix_exec_master(user_mail_domain) + postfix_read_config(user_mail_domain) + postfix_search_spool(user_mail_domain) + + ifdef(`distro_redhat',` + # compatability for old default main.cf + postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) + ') +') + +optional_policy(` + exim_domtrans(user_mail_domain) + exim_manage_log(user_mail_domain) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.8.8/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/munin.fc 2010-07-30 14:06:53.000000000 -0400 @@ -63,6 +63,7 @@ /usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) +/var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0) /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) /var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.8.8/policy/modules/services/munin.if --- nsaserefpolicy/policy/modules/services/munin.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/munin.if 2010-07-30 14:06:53.000000000 -0400 @@ -13,10 +13,11 @@ # template(`munin_plugin_template',` gen_require(` - type munin_t, munin_exec_t, munin_etc_t; + type munin_t; + attribute munin_plugin_domain; ') - type $1_munin_plugin_t; + type $1_munin_plugin_t, munin_plugin_domain; type $1_munin_plugin_exec_t; typealias $1_munin_plugin_t alias munin_$1_plugin_t; typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t; @@ -36,17 +37,8 @@ # automatic transition rules from munin domain # to specific munin plugin domain domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t) + allow munin_t $1_munin_plugin_t:process signal; - allow $1_munin_plugin_t munin_exec_t:file read_file_perms; - allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms; - - read_lnk_files_pattern($1_munin_plugin_t, munin_etc_t, munin_etc_t) - - kernel_read_system_state($1_munin_plugin_t) - - corecmd_exec_bin($1_munin_plugin_t) - - miscfiles_read_localization($1_munin_plugin_t) ') ######################################## @@ -92,6 +84,24 @@ files_search_etc($1) ') +###################################### +## +## dontaudit read and write an leaked file descriptors +## +## +## +## Domain allowed access. +## +## +# +interface(`munin_dontaudit_leaks',` + gen_require(` + type munin_t; + ') + + dontaudit $1 munin_t:tcp_socket { read write }; +') + ####################################### ## ## Append to the munin log. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.8.8/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/munin.te 2010-08-05 16:45:38.000000000 -0400 @@ -5,6 +5,8 @@ # Declarations # +attribute munin_plugin_domain; + type munin_t alias lrrd_t; type munin_exec_t alias lrrd_exec_t; init_daemon_domain(munin_t, munin_exec_t) @@ -24,6 +26,9 @@ type munin_var_lib_t alias lrrd_var_lib_t; files_type(munin_var_lib_t) +type munin_plugin_state_t; +files_type(munin_plugin_state_t) + type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) @@ -40,7 +45,7 @@ # Local policy # -allow munin_t self:capability { chown dac_override setgid setuid }; +allow munin_t self:capability { chown dac_override setgid setuid sys_rawio }; dontaudit munin_t self:capability sys_tty_config; allow munin_t self:process { getsched setsched signal_perms }; allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -71,9 +76,12 @@ manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) files_search_var_lib(munin_t) +manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t) manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) -files_pid_filetrans(munin_t, munin_var_run_t, file) +files_pid_filetrans(munin_t, munin_var_run_t, { file dir }) + +read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t) kernel_read_system_state(munin_t) kernel_read_network_state(munin_t) @@ -116,6 +124,7 @@ miscfiles_read_fonts(munin_t) miscfiles_read_localization(munin_t) +miscfiles_setattr_fonts_cache_dirs(munin_t) sysnet_exec_ifconfig(munin_t) @@ -145,6 +154,7 @@ optional_policy(` mta_read_config(munin_t) mta_send_mail(munin_t) + mta_list_queue(munin_t) mta_read_queue(munin_t) ') @@ -159,6 +169,7 @@ optional_policy(` postfix_list_spool(munin_t) + postfix_getattr_spool_files(munin_t) ') optional_policy(` @@ -182,6 +193,7 @@ # local policy for disk plugins # +allow munin_disk_plugin_t self:capability { sys_admin sys_rawio }; allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -190,15 +202,13 @@ corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) -files_read_etc_files(disk_munin_plugin_t) files_read_etc_runtime_files(disk_munin_plugin_t) -fs_getattr_all_fs(disk_munin_plugin_t) - +dev_getattr_lvm_control(disk_munin_plugin_t) dev_read_sysfs(disk_munin_plugin_t) dev_read_urand(disk_munin_plugin_t) -storage_getattr_fixed_disk_dev(disk_munin_plugin_t) +storage_raw_read_fixed_disk(disk_munin_plugin_t) sysnet_read_config(disk_munin_plugin_t) @@ -221,19 +231,17 @@ dev_read_urand(mail_munin_plugin_t) -files_read_etc_files(mail_munin_plugin_t) - -fs_getattr_all_fs(mail_munin_plugin_t) - logging_read_generic_logs(mail_munin_plugin_t) mta_read_config(mail_munin_plugin_t) mta_send_mail(mail_munin_plugin_t) +mta_list_queue(mail_munin_plugin_t) mta_read_queue(mail_munin_plugin_t) optional_policy(` postfix_read_config(mail_munin_plugin_t) postfix_list_spool(mail_munin_plugin_t) + postfix_getattr_spool_files(mail_munin_plugin_t) ') optional_policy(` @@ -255,10 +263,6 @@ dev_read_urand(services_munin_plugin_t) dev_read_rand(services_munin_plugin_t) -fs_getattr_all_fs(services_munin_plugin_t) - -files_read_etc_files(services_munin_plugin_t) - sysnet_read_config(services_munin_plugin_t) optional_policy(` @@ -286,6 +290,10 @@ snmp_read_snmp_var_lib_files(services_munin_plugin_t) ') +optional_policy(` + varnishd_read_lib_files(services_munin_plugin_t) +') + ################################## # # local policy for system plugins @@ -298,10 +306,6 @@ kernel_read_network_state(system_munin_plugin_t) kernel_read_all_sysctls(system_munin_plugin_t) -corecmd_exec_shell(system_munin_plugin_t) - -fs_getattr_all_fs(system_munin_plugin_t) - dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) @@ -313,3 +317,29 @@ sysnet_exec_ifconfig(system_munin_plugin_t) term_getattr_unallocated_ttys(system_munin_plugin_t) +term_getattr_all_ptys(system_munin_plugin_t) + +################################ +# +# local policy for munin plugin domains +# + +allow munin_plugin_domain munin_exec_t:file read_file_perms; +allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms; + +# creates plugin state files +manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t) + +read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t) + +kernel_read_system_state(munin_plugin_domain) + +corecmd_exec_bin(munin_plugin_domain) +corecmd_exec_shell(munin_plugin_domain) + +files_read_etc_files(munin_plugin_domain) +files_read_usr_files(munin_plugin_domain) + +fs_getattr_all_fs(munin_plugin_domain) + +miscfiles_read_localization(munin_plugin_domain) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.8.8/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/mysql.te 2010-07-30 14:06:53.000000000 -0400 @@ -64,6 +64,7 @@ manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) +manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) @@ -78,9 +79,10 @@ manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) +manage_dirs_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) -files_pid_filetrans(mysqld_t, mysqld_var_run_t, { file sock_file }) +files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) kernel_read_system_state(mysqld_t) kernel_read_kernel_sysctls(mysqld_t) @@ -156,6 +158,7 @@ allow mysqld_safe_t self:capability { chown dac_override fowner kill }; dontaudit mysqld_safe_t self:capability sys_ptrace; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; +allow mysqld_safe_t self:process { setsched getsched setrlimit }; read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) @@ -175,6 +178,7 @@ domain_read_all_domains_state(mysqld_safe_t) +files_dontaudit_search_all_mountpoints(mysqld_safe_t) files_read_etc_files(mysqld_safe_t) files_read_usr_files(mysqld_safe_t) files_dontaudit_getattr_all_dirs(mysqld_safe_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.8.8/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/nagios.if 2010-07-30 14:06:53.000000000 -0400 @@ -159,6 +159,26 @@ ######################################## ## +## Allow the specified domain to read +## nagios temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`nagios_rw_inerited_tmp_files',` + gen_require(` + type nagios_tmp_t; + ') + + allow $1 nagios_tmp_t:file rw_inherited_file_perms; + files_search_tmp($1) +') + +######################################## +## ## Execute the nagios NRPE with ## a domain transition. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.8.8/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/nagios.te 2010-07-30 14:06:53.000000000 -0400 @@ -107,13 +107,11 @@ files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) files_search_spool(nagios_t) +files_read_usr_files(nagios_t) fs_getattr_all_fs(nagios_t) fs_search_auto_mountpoints(nagios_t) -# for who -init_read_utmp(nagios_t) - auth_use_nsswitch(nagios_t) logging_send_syslog_msg(nagios_t) @@ -126,8 +124,6 @@ mta_send_mail(nagios_t) optional_policy(` - netutils_domtrans_ping(nagios_t) - netutils_signal_ping(nagios_t) netutils_kill_ping(nagios_t) ') @@ -340,6 +336,8 @@ optional_policy(` netutils_domtrans_ping(nagios_services_plugin_t) + netutils_signal_ping(nagios_services_plugin_t) + netutils_kill_ping(nagios_services_plugin_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.8.8/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/networkmanager.fc 2010-07-30 14:06:53.000000000 -0400 @@ -2,6 +2,10 @@ /etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) + /usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) /sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.8.8/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/networkmanager.if 2010-07-30 14:06:53.000000000 -0400 @@ -137,6 +137,27 @@ ######################################## ## +## Send and receive messages from +## NetworkManager over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`networkmanager_dontaudit_dbus_chat',` + gen_require(` + type NetworkManager_t; + class dbus send_msg; + ') + + dontaudit $1 NetworkManager_t:dbus send_msg; + dontaudit NetworkManager_t $1:dbus send_msg; +') + +######################################## +## ## Send a generic signal to NetworkManager ## ## @@ -191,3 +212,50 @@ files_search_pids($1) allow $1 NetworkManager_var_run_t:file read_file_perms; ') + +######################################## +## +## Execute NetworkManager in the NetworkManager domain, and +## allow the specified role the NetworkManager domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the NetworkManager domain. +## +## +## +# +interface(`networkmanager_run',` + gen_require(` + type NetworkManager_t, NetworkManager_exec_t; + ') + + networkmanager_domtrans($1) + role $2 types NetworkManager_t; +') + +######################################## +## +## Allow the specified domain to append +## to Network Manager log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`networkmanager_append_log',` + gen_require(` + type NetworkManager_log_t; + ') + + logging_search_logs($1) + allow $1 NetworkManager_log_t:dir list_dir_perms; + append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.8.8/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/networkmanager.te 2010-07-30 14:06:53.000000000 -0400 @@ -35,7 +35,7 @@ # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) -allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock }; +allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock }; dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; allow NetworkManager_t self:fifo_file rw_fifo_file_perms; @@ -44,7 +44,7 @@ allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms; allow NetworkManager_t self:tcp_socket create_stream_socket_perms; -allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom }; +allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto }; allow NetworkManager_t self:udp_socket create_socket_perms; allow NetworkManager_t self:packet_socket create_socket_perms; @@ -55,6 +55,7 @@ manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) +can_exec(NetworkManager_t, NetworkManager_tmp_t) manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) @@ -141,22 +142,32 @@ sysnet_domtrans_dhcpc(NetworkManager_t) sysnet_signal_dhcpc(NetworkManager_t) sysnet_read_dhcpc_pid(NetworkManager_t) +sysnet_read_dhcp_config(NetworkManager_t) sysnet_delete_dhcpc_pid(NetworkManager_t) +sysnet_kill_dhcpc(NetworkManager_t) +sysnet_read_dhcpc_state(NetworkManager_t) +sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) # in /etc created by NetworkManager will be labelled net_conf_t. sysnet_manage_config(NetworkManager_t) sysnet_etc_filetrans_config(NetworkManager_t) +userdom_stream_connect(NetworkManager_t) userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) userdom_dontaudit_use_user_ttys(NetworkManager_t) # Read gnome-keyring +userdom_read_home_certs(NetworkManager_t) userdom_read_user_home_content_files(NetworkManager_t) +userdom_dgram_send(NetworkManager_t) + +cron_read_system_job_lib_files(NetworkManager_t) optional_policy(` avahi_domtrans(NetworkManager_t) avahi_kill(NetworkManager_t) avahi_signal(NetworkManager_t) avahi_signull(NetworkManager_t) + avahi_dbus_chat(NetworkManager_t) ') optional_policy(` @@ -172,7 +183,7 @@ ') optional_policy(` - consoletype_exec(NetworkManager_t) + consoletype_domtrans(NetworkManager_t) ') optional_policy(` @@ -202,6 +213,13 @@ ') optional_policy(` + ipsec_domtrans_mgmt(NetworkManager_t) + ipsec_kill_mgmt(NetworkManager_t) + ipsec_signal_mgmt(NetworkManager_t) + ipsec_signull_mgmt(NetworkManager_t) +') + +optional_policy(` iptables_domtrans(NetworkManager_t) ') @@ -263,6 +281,7 @@ vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) + vpn_relabelfrom_tun_socket(NetworkManager_t) ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.8.8/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/nis.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,5 +1,5 @@ /etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) -/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) +/etc/rc\.d/init\.d/yppasswdd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) /etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) /etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) /etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) @@ -11,6 +11,7 @@ /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) +/usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0) /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.8.8/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/nis.if 2010-08-05 14:51:55.000000000 -0400 @@ -19,7 +19,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -49,12 +49,12 @@ corenet_udp_bind_generic_node($1) corenet_tcp_bind_generic_port($1) corenet_udp_bind_generic_port($1) - corenet_dontaudit_tcp_bind_all_reserved_ports($1) - corenet_dontaudit_udp_bind_all_reserved_ports($1) + corenet_tcp_bind_all_rpc_ports($1) + corenet_udp_bind_all_rpc_ports($1) corenet_dontaudit_tcp_bind_all_ports($1) corenet_dontaudit_udp_bind_all_ports($1) corenet_tcp_connect_portmap_port($1) - corenet_tcp_connect_reserved_port($1) + corenet_tcp_connect_all_reserved_ports($1) corenet_tcp_connect_generic_port($1) corenet_dontaudit_tcp_connect_all_ports($1) corenet_sendrecv_portmap_client_packets($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.8.8/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/nscd.if 2010-07-30 14:06:53.000000000 -0400 @@ -60,7 +60,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -121,6 +121,24 @@ ######################################## ## +## Use nscd services +## +## +## +## Domain allowed access. +## +## +# +interface(`nscd_use',` + tunable_policy(`nscd_use_shm',` + nscd_shm_use($1) + ',` + nscd_socket_use($1) + ') +') + +######################################## +## ## Use NSCD services by mapping the database from ## an inherited NSCD file descriptor. ## @@ -168,7 +186,7 @@ type nscd_var_run_t; ') - dontaudit $1 nscd_var_run_t:dir search; + dontaudit $1 nscd_var_run_t:dir search_dir_perms; ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.8.8/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/nscd.te 2010-07-30 14:06:53.000000000 -0400 @@ -1,9 +1,16 @@ -policy_module(nscd, 1.10.0) +policy_module(nscd, 1.10.1) gen_require(` class nscd all_nscd_perms; ') +## +##

+## Allow confined applications to use nscd shared memory. +##

+## +gen_tunable(nscd_use_shm, false) + ######################################## # # Declarations @@ -30,7 +37,7 @@ # Local policy # -allow nscd_t self:capability { kill setgid setuid }; +allow nscd_t self:capability { kill setgid setuid sys_ptrace }; dontaudit nscd_t self:capability sys_tty_config; allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; allow nscd_t self:fifo_file read_fifo_file_perms; @@ -47,9 +54,10 @@ allow nscd_t nscd_log_t:file manage_file_perms; logging_log_filetrans(nscd_t, nscd_log_t, file) +manage_dirs_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) -files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file }) +files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file dir }) corecmd_search_bin(nscd_t) can_exec(nscd_t, nscd_exec_t) @@ -90,6 +98,7 @@ selinux_compute_relabel_context(nscd_t) selinux_compute_user_contexts(nscd_t) domain_use_interactive_fds(nscd_t) +domain_search_all_domains_state(nscd_t) files_read_etc_files(nscd_t) files_read_generic_tmp_symlinks(nscd_t) @@ -112,6 +121,10 @@ userdom_dontaudit_search_user_home_dirs(nscd_t) optional_policy(` + accountsd_dontaudit_rw_fifo_file(nscd_t) +') + +optional_policy(` cron_read_system_job_tmp_files(nscd_t) ') @@ -127,3 +140,16 @@ xen_dontaudit_rw_unix_stream_sockets(nscd_t) xen_append_log(nscd_t) ') + +optional_policy(` + tunable_policy(`samba_domain_controller',` + samba_append_log(nscd_t) + samba_dontaudit_use_fds(nscd_t) + ') + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) +') + +optional_policy(` + unconfined_dontaudit_rw_packet_sockets(nscd_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.8.8/policy/modules/services/nslcd.if --- nsaserefpolicy/policy/modules/services/nslcd.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/nslcd.if 2010-07-30 14:06:53.000000000 -0400 @@ -24,7 +24,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.8.8/policy/modules/services/nslcd.te --- nsaserefpolicy/policy/modules/services/nslcd.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/nslcd.te 2010-07-30 14:06:53.000000000 -0400 @@ -34,6 +34,8 @@ manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) +kernel_read_system_state(nslcd_t) + files_read_etc_files(nslcd_t) auth_use_nsswitch(nslcd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.8.8/policy/modules/services/ntp.if --- nsaserefpolicy/policy/modules/services/ntp.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ntp.if 2010-07-30 14:06:53.000000000 -0400 @@ -22,7 +22,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -67,7 +67,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -86,7 +86,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -104,7 +104,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.8.8/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ntp.te 2010-07-30 14:06:53.000000000 -0400 @@ -96,9 +96,12 @@ dev_read_sysfs(ntpd_t) # for SSP dev_read_urand(ntpd_t) +dev_rw_realtime_clock(ntpd_t) fs_getattr_all_fs(ntpd_t) fs_search_auto_mountpoints(ntpd_t) +# Necessary to communicate with gpsd devices +fs_rw_tmpfs_files(ntpd_t) term_use_ptmx(ntpd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.8.8/policy/modules/services/nut.te --- nsaserefpolicy/policy/modules/services/nut.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/nut.te 2010-07-30 14:06:53.000000000 -0400 @@ -41,7 +41,7 @@ manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_upsd_t, nut_var_run_t, { file sock_file }) +files_pid_filetrans(nut_upsd_t, nut_var_run_t, { file sock_file dir }) kernel_read_kernel_sysctls(nut_upsd_t) @@ -103,6 +103,10 @@ mta_send_mail(nut_upsmon_t) +optional_policy(` + shutdown_domtrans(nut_upsmon_t) +') + ######################################## # # Local policy for upsdrvctl diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.8.8/policy/modules/services/nx.if --- nsaserefpolicy/policy/modules/services/nx.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/nx.if 2010-07-30 14:06:53.000000000 -0400 @@ -35,6 +35,7 @@ allow $1 nx_server_var_lib_t:dir search_dir_perms; read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) + read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.8.8/policy/modules/services/nx.te --- nsaserefpolicy/policy/modules/services/nx.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/nx.te 2010-07-30 14:06:53.000000000 -0400 @@ -27,6 +27,9 @@ type nx_server_var_run_t; files_pid_file(nx_server_var_run_t) +type nx_server_home_ssh_t; +files_type(nx_server_home_ssh_t) + ######################################## # # NX server local policy @@ -50,6 +53,9 @@ manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) files_pid_filetrans(nx_server_t, nx_server_var_run_t, file) +manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) +manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) + kernel_read_system_state(nx_server_t) kernel_read_kernel_sysctls(nx_server_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.8.8/policy/modules/services/oddjob.fc --- nsaserefpolicy/policy/modules/services/oddjob.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/oddjob.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,4 +1,5 @@ /usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.8.8/policy/modules/services/oddjob.if --- nsaserefpolicy/policy/modules/services/oddjob.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/oddjob.if 2010-08-10 05:23:35.000000000 -0400 @@ -22,6 +22,25 @@ domtrans_pattern($1, oddjob_exec_t, oddjob_t) ') +##################################### +## +## Do not audit attempts to read and write +## oddjob fifo file. +## +## +## +## Domain allowed access. +## +## +# +interface(`oddjob_dontaudit_rw_fifo_file',` + gen_require(` + type shutdown_t; + ') + + dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms; +') + ######################################## ## ## Make the specified program domain accessable @@ -44,6 +63,7 @@ ') domtrans_pattern(oddjob_t, $2, $1) + domain_user_exemption_target($1) ') ######################################## @@ -67,6 +87,24 @@ allow oddjob_t $1:dbus send_msg; ') +###################################### +## +## Send a SIGCHLD signal to oddjob. +## +## +## +## Domain allowed access. +## +## +# +interface(`oddjob_sigchld',` + gen_require(` + type oddjob_t; + ') + + allow $1 oddjob_t:process sigchld; +') + ######################################## ## ## Execute a domain transition to run oddjob_mkhomedir. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.8.8/policy/modules/services/oddjob.te --- nsaserefpolicy/policy/modules/services/oddjob.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/oddjob.te 2010-07-30 14:06:53.000000000 -0400 @@ -99,8 +99,7 @@ # Add/remove user home directories userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) -userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) -userdom_manage_user_home_content_files(oddjob_mkhomedir_t) userdom_manage_user_home_dirs(oddjob_mkhomedir_t) -userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set) +userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) +userdom_manage_user_home_content(oddjob_mkhomedir_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oident.te serefpolicy-3.8.8/policy/modules/services/oident.te --- nsaserefpolicy/policy/modules/services/oident.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/oident.te 2010-07-30 14:06:53.000000000 -0400 @@ -48,6 +48,7 @@ kernel_read_network_state(oidentd_t) kernel_read_network_state_symlinks(oidentd_t) kernel_read_sysctl(oidentd_t) +kernel_request_load_module(oidentd_t) logging_send_syslog_msg(oidentd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.8.8/policy/modules/services/openct.te --- nsaserefpolicy/policy/modules/services/openct.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/openct.te 2010-07-30 14:06:53.000000000 -0400 @@ -20,9 +20,10 @@ dontaudit openct_t self:capability sys_tty_config; allow openct_t self:process signal_perms; +manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t) manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) -files_pid_filetrans(openct_t, openct_var_run_t, { file sock_file }) +files_pid_filetrans(openct_t, openct_var_run_t, { file sock_file dir }) kernel_read_kernel_sysctls(openct_t) kernel_list_proc(openct_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.8.8/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/openvpn.te 2010-08-18 09:44:00.000000000 -0400 @@ -24,6 +24,9 @@ type openvpn_etc_rw_t; files_config_file(openvpn_etc_rw_t) +type openvpn_tmp_t; +files_tmp_file(openvpn_tmp_t) + type openvpn_initrc_exec_t; init_script_file(openvpn_initrc_exec_t) @@ -58,9 +61,13 @@ manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t) filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) +manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t) +files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file) + allow openvpn_t openvpn_var_log_t:file manage_file_perms; logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) +manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir }) @@ -68,6 +75,7 @@ kernel_read_net_sysctls(openvpn_t) kernel_read_network_state(openvpn_t) kernel_read_system_state(openvpn_t) +kernel_request_load_module(openvpn_t) corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) @@ -113,6 +121,8 @@ sysnet_etc_filetrans_config(openvpn_t) userdom_use_user_terminals(openvpn_t) +userdom_read_home_certs(openvpn_t) +userdom_attach_admin_tun_iface(openvpn_t) tunable_policy(`openvpn_enable_homedirs',` userdom_read_user_home_content_files(openvpn_t) @@ -138,3 +148,7 @@ networkmanager_dbus_chat(openvpn_t) ') + +optional_policy(` + unconfined_attach_tun_iface(openvpn_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.8.8/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/pcscd.te 2010-08-04 14:25:34.000000000 -0400 @@ -44,7 +44,8 @@ dev_rw_generic_usb_dev(pcscd_t) dev_rw_smartcard(pcscd_t) dev_rw_usbfs(pcscd_t) -dev_search_sysfs(pcscd_t) +dev_list_sysfs(pcscd_t) +dev_read_sysfs(pcscd_t) files_read_etc_files(pcscd_t) files_read_etc_runtime_files(pcscd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.8.8/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/pegasus.te 2010-07-30 14:06:53.000000000 -0400 @@ -29,7 +29,7 @@ # Local policy # -allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service }; +allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service }; dontaudit pegasus_t self:capability sys_tty_config; allow pegasus_t self:process signal; allow pegasus_t self:fifo_file rw_fifo_file_perms; @@ -57,14 +57,17 @@ files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir }) allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink }; +manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) -files_pid_filetrans(pegasus_t, pegasus_var_run_t, file) +files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir }) kernel_read_kernel_sysctls(pegasus_t) kernel_read_fs_sysctls(pegasus_t) kernel_read_system_state(pegasus_t) kernel_search_vm_sysctl(pegasus_t) kernel_read_net_sysctls(pegasus_t) +kernel_read_xen_state(pegasus_t) +kernel_write_xen_state(pegasus_t) corenet_all_recvfrom_unlabeled(pegasus_t) corenet_all_recvfrom_netlabel(pegasus_t) @@ -95,13 +98,12 @@ auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) +auth_read_shadow(pegasus_t) domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -files_read_etc_files(pegasus_t) -files_list_var_lib(pegasus_t) -files_read_var_lib_files(pegasus_t) +files_read_all_files(pegasus_t) files_read_var_lib_symlinks(pegasus_t) hostname_exec(pegasus_t) @@ -114,7 +116,6 @@ miscfiles_read_localization(pegasus_t) -sysnet_read_config(pegasus_t) sysnet_domtrans_ifconfig(pegasus_t) userdom_dontaudit_use_unpriv_user_fds(pegasus_t) @@ -125,6 +126,14 @@ ') optional_policy(` + samba_manage_config(pegasus_t) +') + +optional_policy(` + ssh_exec(pegasus_t) +') + +optional_policy(` seutil_sigchld_newrole(pegasus_t) seutil_dontaudit_read_config(pegasus_t) ') @@ -136,3 +145,13 @@ optional_policy(` unconfined_signull(pegasus_t) ') + +optional_policy(` + virt_domtrans(pegasus_t) + virt_manage_config(pegasus_t) +') + +optional_policy(` + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/perdition.if serefpolicy-3.8.8/policy/modules/services/perdition.if --- nsaserefpolicy/policy/modules/services/perdition.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/perdition.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.fc serefpolicy-3.8.8/policy/modules/services/piranha.fc --- nsaserefpolicy/policy/modules/services/piranha.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/piranha.fc 2010-08-04 13:10:54.000000000 -0400 @@ -0,0 +1,26 @@ + +/etc/rc\.d/init\.d/pulse -- gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0) + +# RHEL6 +#/etc/sysconfig/ha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0) + +/etc/piranha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0) + +/usr/bin/paster -- gen_context(system_u:object_r:piranha_web_exec_t,s0) + +/usr/sbin/fos -- gen_context(system_u:object_r:piranha_fos_exec_t,s0) +/usr/sbin/lvsd -- gen_context(system_u:object_r:piranha_lvs_exec_t,s0) +/usr/sbin/piranha_gui -- gen_context(system_u:object_r:piranha_web_exec_t,s0) +/usr/sbin/pulse -- gen_context(system_u:object_r:piranha_pulse_exec_t,s0) + +/var/lib/luci(/.*)? gen_context(system_u:object_r:piranha_web_data_t,s0) +/var/lib/luci/cert(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0) +/var/lib/luci/etc(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0) + +/var/log/piranha(/.*)? gen_context(system_u:object_r:piranha_log_t,s0) + +/var/run/fos\.pid -- gen_context(system_u:object_r:piranha_fos_var_run_t,s0) +/var/run/lvs\.pid -- gen_context(system_u:object_r:piranha_lvs_var_run_t,s0) +/var/run/piranha-httpd\.pid -- gen_context(system_u:object_r:piranha_web_var_run_t,s0) +/var/run/pulse\.pid -- gen_context(system_u:object_r:piranha_pulse_var_run_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.if serefpolicy-3.8.8/policy/modules/services/piranha.if --- nsaserefpolicy/policy/modules/services/piranha.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/piranha.if 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,175 @@ + +## policy for piranha + +####################################### +## +## Creates types and rules for a basic +## cluster init daemon domain. +## +## +## +## Prefix for the domain. +## +## +# +template(`piranha_domain_template',` + + gen_require(` + attribute piranha_domain; + ') + + ############################## + # + # piranha_$1_t declarations + # + + type piranha_$1_t, piranha_domain; + type piranha_$1_exec_t; + init_daemon_domain(piranha_$1_t, piranha_$1_exec_t) + + # pid files + type piranha_$1_var_run_t; + files_pid_file(piranha_$1_var_run_t) + + ############################## + # + # piranha_$1_t local policy + # + + manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t) + manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t) + files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { file }) +') + +######################################## +## +## Execute a domain transition to run fos. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`piranha_domtrans_fos',` + gen_require(` + type piranha_fos_t, piranha_fos_exec_t; + ') + + domtrans_pattern($1, piranha_fos_exec_t, piranha_fos_t) +') + +####################################### +## +## Execute a domain transition to run lvsd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`piranha_domtrans_lvs',` + gen_require(` + type piranha_lvs_t, piranha_lvs_exec_t; + ') + + domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t) +') + +####################################### +## +## Execute a domain transition to run pulse. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`piranha_domtrans_pulse',` + gen_require(` + type piranha_pulse_t, piranha_pulse_exec_t; + ') + + domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t) +') + +####################################### +## +## Execute pulse server in the pulse domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`piranha_pulse_initrc_domtrans',` + gen_require(` + type piranha_pulse_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t) +') + +######################################## +## +## Allow the specified domain to read piranha's log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`piranha_read_log',` + gen_require(` + type piranha_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, piranha_log_t, piranha_log_t) +') + +######################################## +## +## Allow the specified domain to append +## piranha log files. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`piranha_append_log',` + gen_require(` + type piranha_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, piranha_log_t, piranha_log_t) +') + +######################################## +## +## Allow domain to manage piranha log files +## +## +## +## Domain to not audit. +## +## +# +interface(`piranha_manage_log',` + gen_require(` + type piranha_log_t; + ') + + logging_search_logs($1) + manage_dirs_pattern($1, piranha_log_t, piranha_log_t) + manage_files_pattern($1, piranha_log_t, piranha_log_t) + manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.te serefpolicy-3.8.8/policy/modules/services/piranha.te --- nsaserefpolicy/policy/modules/services/piranha.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/piranha.te 2010-08-10 05:23:35.000000000 -0400 @@ -0,0 +1,216 @@ +policy_module(piranha,1.0.0) + +######################################## +# +# Declarations +# + +## +##

+## Allow piranha-lvs domain to connect to the network using TCP. +##

+## +gen_tunable(piranha_lvs_can_network_connect, false) + +attribute piranha_domain; + +piranha_domain_template(fos) + +piranha_domain_template(lvs) + +piranha_domain_template(pulse) + +type piranha_pulse_initrc_exec_t; +init_script_file(piranha_pulse_initrc_exec_t) + +piranha_domain_template(web) + +type piranha_web_tmpfs_t; +files_tmpfs_file(piranha_web_tmpfs_t) + +type piranha_web_conf_t; +files_type(piranha_web_conf_t) + +type piranha_web_data_t; +files_type(piranha_web_data_t) + +type piranha_web_tmp_t; +files_tmp_file(piranha_web_tmp_t) + +type piranha_etc_rw_t; +files_type(piranha_etc_rw_t) + +type piranha_log_t; +logging_log_file(piranha_log_t) + +####################################### +# +# piranha-fos local policy +# + +kernel_read_kernel_sysctls(piranha_fos_t) + +domain_read_all_domains_state(piranha_fos_t) + +consoletype_exec(piranha_fos_t) + +# start and stop services +init_domtrans_script(piranha_fos_t) + +######################################## +# +# piranha-gui local policy +# + +allow piranha_web_t self:capability { setuid sys_nice kill setgid }; +allow piranha_web_t self:process { getsched setsched signal signull ptrace }; +allow piranha_web_t self:rawip_socket create_socket_perms; + +allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms; +allow piranha_web_t self:sem create_sem_perms; +allow piranha_web_t self:shm create_shm_perms; + +manage_files_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t) +manage_dirs_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t) +files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file) + +read_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t) + +rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t) + +manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t) +manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t) +logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file } ) + +can_exec(piranha_web_t, piranha_web_tmp_t) +manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t) +manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t) +files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir }) + +manage_dirs_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t) +manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t) +fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file }) + +piranha_pulse_initrc_domtrans(piranha_web_t) + +kernel_read_kernel_sysctls(piranha_web_t) + +corenet_tcp_bind_http_cache_port(piranha_web_t) +corenet_tcp_bind_luci_port(piranha_web_t) +corenet_tcp_bind_piranha_port(piranha_web_t) +corenet_tcp_connect_ricci_port(piranha_web_t) + +dev_read_urand(piranha_web_t) + +domain_read_all_domains_state(piranha_web_t) + +files_read_usr_files(piranha_web_t) + +consoletype_exec(piranha_web_t) + +optional_policy(` + apache_read_config(piranha_web_t) + apache_exec_modules(piranha_web_t) + apache_exec(piranha_web_t) +') + +optional_policy(` + sasl_connect(piranha_web_t) +') + +###################################### +# +# piranha-lvs local policy +# + +# neede by nanny +allow piranha_lvs_t self:capability { net_raw sys_nice }; + +allow piranha_lvs_t self:process signal; + +allow piranha_lvs_t self:unix_dgram_socket create_socket_perms; +allow piranha_lvs_t self:rawip_socket create_socket_perms; + +kernel_read_kernel_sysctls(piranha_lvs_t) + +# needed by nanny +corenet_tcp_connect_ftp_port(piranha_lvs_t) +corenet_tcp_connect_http_port(piranha_lvs_t) + +sysnet_dns_name_resolve(piranha_lvs_t) + +# needed by nanny +tunable_policy(`piranha_lvs_can_network_connect',` + corenet_tcp_connect_all_ports(piranha_lvs_t) +') + +# needed by ipvsadm +optional_policy(` + iptables_domtrans(piranha_lvs_t) +') + +####################################### +# +# piranha-pulse local policy +# + +allow piranha_pulse_t self:packet_socket create_socket_perms; + +# pulse starts fos and lvs daemon +domtrans_pattern(piranha_fos_t, piranha_fos_exec_t, piranha_fos_t) +allow piranha_pulse_t piranha_fos_t:process signal; + +domtrans_pattern(piranha_pulse_t, piranha_lvs_exec_t, piranha_lvs_t) +allow piranha_pulse_t piranha_lvs_t:process signal; + +corenet_udp_bind_apertus_ldp_port(piranha_pulse_t) + +sysnet_dns_name_resolve(piranha_pulse_t) + +optional_policy(` + netutils_domtrans_ping(piranha_pulse_t) +') + +optional_policy(` + sysnet_domtrans_ifconfig(piranha_pulse_t) +') + +#################################### +# +# piranha domains common policy +# + +allow piranha_domain self:fifo_file rw_fifo_file_perms; +allow piranha_domain self:tcp_socket create_stream_socket_perms; +allow piranha_domain self:udp_socket create_socket_perms; +allow piranha_domain self:unix_stream_socket create_stream_socket_perms; + +read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t) + +kernel_read_system_state(piranha_domain) +kernel_read_network_state(piranha_domain) + +corenet_all_recvfrom_unlabeled(piranha_domain) +corenet_all_recvfrom_netlabel(piranha_domain) +corenet_tcp_sendrecv_generic_if(piranha_domain) +corenet_udp_sendrecv_generic_if(piranha_domain) +corenet_tcp_sendrecv_generic_node(piranha_domain) +corenet_udp_sendrecv_generic_node(piranha_domain) +corenet_tcp_sendrecv_all_ports(piranha_domain) +corenet_udp_sendrecv_all_ports(piranha_domain) +corenet_tcp_bind_generic_node(piranha_domain) +corenet_udp_bind_generic_node(piranha_domain) + +files_read_etc_files(piranha_domain) + +corecmd_exec_bin(piranha_domain) +corecmd_exec_shell(piranha_domain) + +libs_use_ld_so(piranha_domain) +libs_use_shared_libs(piranha_domain) + +logging_send_syslog_msg(piranha_domain) + +miscfiles_read_localization(piranha_domain) + +sysnet_read_config(piranha_domain) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.8.8/policy/modules/services/plymouthd.te --- nsaserefpolicy/policy/modules/services/plymouthd.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/plymouthd.te 2010-07-30 14:06:53.000000000 -0400 @@ -60,10 +60,14 @@ files_read_etc_files(plymouthd_t) files_read_usr_files(plymouthd_t) +term_use_unallocated_ttys(plymouthd_t) + miscfiles_read_localization(plymouthd_t) miscfiles_read_fonts(plymouthd_t) miscfiles_manage_fonts_cache(plymouthd_t) +userdom_read_admin_home_files(plymouthd_t) + ######################################## # # Plymouth private policy @@ -74,6 +78,7 @@ allow plymouth_t self:unix_stream_socket create_stream_socket_perms; kernel_read_system_state(plymouth_t) +kernel_stream_connect(plymouth_t) domain_use_interactive_fds(plymouth_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.8.8/policy/modules/services/policykit.fc --- nsaserefpolicy/policy/modules/services/policykit.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/policykit.fc 2010-07-30 14:06:53.000000000 -0400 @@ -6,10 +6,13 @@ /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) /usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) -/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) +/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) +/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) /var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0) /var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) +/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.8.8/policy/modules/services/policykit.if --- nsaserefpolicy/policy/modules/services/policykit.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/policykit.if 2010-07-30 14:06:53.000000000 -0400 @@ -17,12 +17,37 @@ class dbus send_msg; ') + ps_process_pattern(policykit_t, $1) + allow $1 policykit_t:dbus send_msg; allow policykit_t $1:dbus send_msg; ') ######################################## ## +## Send and receive messages from +## policykit over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`policykit_dbus_chat_auth',` + gen_require(` + type policykit_auth_t; + class dbus send_msg; + ') + + ps_process_pattern(policykit_auth_t, $1) + + allow $1 policykit_auth_t:dbus send_msg; + allow policykit_auth_t $1:dbus send_msg; +') + +######################################## +## ## Execute a domain transition to run polkit_auth. ## ## @@ -62,6 +87,9 @@ policykit_domtrans_auth($1) role $2 types policykit_auth_t; + + allow $1 policykit_auth_t:process signal; + ps_process_pattern(policykit_auth_t, $1) ') ######################################## @@ -206,4 +234,47 @@ files_search_var_lib($1) read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t) + + # Broken placement + cron_read_system_job_lib_files($1) +') + +####################################### +## +## The per role template for the policykit module. +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +template(`policykit_role',` + policykit_run_auth($2, $1) + policykit_run_grant($2, $1) + policykit_read_lib($2) + policykit_read_reload($2) + policykit_dbus_chat($2) +') +######################################## +## +## Send generic signal to policy_auth +## +## +## +## Domain allowed to transition. +## +## +# +interface(`policykit_signal_auth',` + gen_require(` + type policykit_auth_t; + ') + + allow $1 policykit_auth_t:process signal; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.8.8/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/policykit.te 2010-08-11 09:09:19.000000000 -0400 @@ -24,6 +24,9 @@ type policykit_reload_t alias polkit_reload_t; files_type(policykit_reload_t) +type policykit_tmp_t; +files_tmp_file(policykit_tmp_t) + type policykit_var_lib_t alias polkit_var_lib_t; files_type(policykit_var_lib_t) @@ -35,11 +38,12 @@ # policykit local policy # -allow policykit_t self:capability { setgid setuid }; -allow policykit_t self:process getattr; -allow policykit_t self:fifo_file rw_file_perms; +allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace }; +allow policykit_t self:process { getsched getattr signal }; +allow policykit_t self:fifo_file rw_fifo_file_perms; + allow policykit_t self:unix_dgram_socket create_socket_perms; -allow policykit_t self:unix_stream_socket create_stream_socket_perms; +allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto }; policykit_domtrans_auth(policykit_t) @@ -56,56 +60,107 @@ manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) +kernel_read_system_state(policykit_t) kernel_read_kernel_sysctls(policykit_t) +domain_read_all_domains_state(policykit_t) + files_read_etc_files(policykit_t) files_read_usr_files(policykit_t) +files_dontaudit_search_all_mountpoints(policykit_t) + +fs_list_inotifyfs(policykit_t) auth_use_nsswitch(policykit_t) +auth_read_var_auth(policykit_t) logging_send_syslog_msg(policykit_t) miscfiles_read_localization(policykit_t) +userdom_getattr_all_users(policykit_t) userdom_read_all_users_state(policykit_t) +userdom_dontaudit_search_admin_dir(policykit_t) + +optional_policy(` + dbus_system_domain(policykit_t, policykit_exec_t) + + optional_policy(` + consolekit_dbus_chat(policykit_t) + ') + + optional_policy(` + rpm_dbus_chat(policykit_t) + ') +') + +optional_policy(` + consolekit_list_pid_files(policykit_t) + consolekit_read_pid_files(policykit_t) +') + +optional_policy(` + gnome_read_config(policykit_t) +') ######################################## # # polkit_auth local policy # -allow policykit_auth_t self:capability setgid; -allow policykit_auth_t self:process getattr; -allow policykit_auth_t self:fifo_file rw_file_perms; +allow policykit_auth_t self:capability { setgid setuid }; +dontaudit policykit_auth_t self:capability sys_tty_config; +allow policykit_auth_t self:process { getattr getsched signal }; +allow policykit_auth_t self:fifo_file rw_fifo_file_perms; + allow policykit_auth_t self:unix_dgram_socket create_socket_perms; allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms; +policykit_dbus_chat(policykit_auth_t) + +kernel_read_system_state(policykit_auth_t) + can_exec(policykit_auth_t, policykit_auth_exec_t) -corecmd_search_bin(policykit_auth_t) +corecmd_exec_bin(policykit_auth_t) rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) +manage_dirs_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t) +manage_files_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t) +files_tmp_filetrans(policykit_auth_t, policykit_tmp_t, { file dir }) + manage_files_pattern(policykit_auth_t, policykit_var_lib_t, policykit_var_lib_t) manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) -kernel_read_system_state(policykit_auth_t) +kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) + +dev_read_video_dev(policykit_auth_t) files_read_etc_files(policykit_auth_t) files_read_usr_files(policykit_auth_t) +files_search_home(policykit_auth_t) + +fs_getattr_all_fs(polkit_auth_t) +fs_search_tmpfs(polkit_auth_t) auth_use_nsswitch(policykit_auth_t) +auth_domtrans_chk_passwd(policykit_auth_t) logging_send_syslog_msg(policykit_auth_t) miscfiles_read_localization(policykit_auth_t) +miscfiles_read_fonts(policykit_auth_t) +miscfiles_setattr_fonts_cache_dirs(policykit_auth_t) userdom_dontaudit_read_user_home_content_files(policykit_auth_t) +userdom_dontaudit_write_user_tmp_files(policykit_auth_t) +userdom_read_admin_home_files(policykit_auth_t) optional_policy(` - dbus_system_bus_client(policykit_auth_t) + dbus_system_domain( policykit_auth_t, policykit_auth_exec_t) dbus_session_bus_client(policykit_auth_t) optional_policy(` @@ -118,6 +173,14 @@ hal_read_state(policykit_auth_t) ') +optional_policy(` + xserver_stream_connect(policykit_auth_t) + xserver_xdm_append_log(policykit_auth_t) + xserver_read_xdm_pid(policykit_auth_t) + xserver_search_xdm_lib(policykit_auth_t) + xserver_create_xdm_tmp_sockets(policykit_auth_t) +') + ######################################## # # polkit_grant local policy @@ -125,7 +188,8 @@ allow policykit_grant_t self:capability setuid; allow policykit_grant_t self:process getattr; -allow policykit_grant_t self:fifo_file rw_file_perms; +allow policykit_grant_t self:fifo_file rw_fifo_file_perms; + allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; @@ -155,9 +219,12 @@ userdom_read_all_users_state(policykit_grant_t) optional_policy(` - dbus_system_bus_client(policykit_grant_t) + cron_manage_system_job_lib_files(policykit_grant_t) +') optional_policy(` + dbus_system_bus_client(policykit_grant_t) + optional_policy(` consolekit_dbus_chat(policykit_grant_t) ') ') @@ -169,7 +236,8 @@ allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; allow policykit_resolve_t self:process getattr; -allow policykit_resolve_t self:fifo_file rw_file_perms; +allow policykit_resolve_t self:fifo_file rw_fifo_file_perms; + allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portmap.if serefpolicy-3.8.8/policy/modules/services/portmap.if --- nsaserefpolicy/policy/modules/services/portmap.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/portmap.if 2010-07-30 14:06:53.000000000 -0400 @@ -52,7 +52,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -80,7 +80,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.8.8/policy/modules/services/portreserve.fc --- nsaserefpolicy/policy/modules/services/portreserve.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/portreserve.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,3 +1,6 @@ + +/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0) + /etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.8.8/policy/modules/services/portreserve.if --- nsaserefpolicy/policy/modules/services/portreserve.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/portreserve.if 2010-07-30 14:06:53.000000000 -0400 @@ -18,6 +18,24 @@ domtrans_pattern($1, portreserve_exec_t, portreserve_t) ') +######################################## +## +## Execute portreserve in the portreserve domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`portreserve_initrc_domtrans', ` + gen_require(` + type portreserve_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, portreserve_initrc_exec_t) +') + ####################################### ## ## Allow the specified domain to read @@ -64,3 +82,40 @@ manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t) read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) ') + +######################################## +## +## All of the rules required to administrate +## an portreserve environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +# +interface(`portreserve_admin', ` + gen_require(` + type portreserve_t, portreserve_etc_t; + type portreserve_initrc_exec_t, portreserve_var_run_t; + ') + + allow $1 portreserve_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, portreserve_t, portreserve_t) + + portreserve_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 portreserve_initrc_exec_t system_r; + allow $2 system_r; + + files_search_etc($1) + admin_pattern($1, portreserve_etc_t) + + files_search_pids($1) + admin_pattern($1, portreserve_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.8.8/policy/modules/services/portreserve.te --- nsaserefpolicy/policy/modules/services/portreserve.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/portreserve.te 2010-07-30 14:06:53.000000000 -0400 @@ -9,6 +9,9 @@ type portreserve_exec_t; init_daemon_domain(portreserve_t, portreserve_exec_t) +type portreserve_initrc_exec_t; +init_script_file(portreserve_initrc_exec_t) + type portreserve_etc_t; files_type(portreserve_etc_t) @@ -35,7 +38,7 @@ manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) -files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file }) +files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }) corecmd_getattr_bin_files(portreserve_t) @@ -47,3 +50,5 @@ corenet_udp_bind_all_ports(portreserve_t) files_read_etc_files(portreserve_t) + +userdom_dontaudit_search_user_home_content(portreserve_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.8.8/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/postfix.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,4 +1,5 @@ # postfix +/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) /etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0) ifdef(`distro_redhat', ` /usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) @@ -29,12 +30,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) /usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) -/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) ') /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.8.8/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/postfix.if 2010-07-30 14:06:53.000000000 -0400 @@ -376,6 +376,25 @@ domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) ') + +######################################## +## +## Execute the master postfix in the postfix master domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`postfix_initrc_domtrans', ` + gen_require(` + type postfix_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, postfix_initrc_exec_t) +') + ######################################## ## ## Execute the master postfix program in the @@ -529,6 +548,25 @@ ######################################## ## +## Getattr postfix mail spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`postfix_getattr_spool_files',` + gen_require(` + attribute postfix_spool_type; + ') + + files_search_spool($1) + getattr_files_pattern($1, postfix_spool_type, postfix_spool_type) +') + +######################################## +## ## Search postfix mail spool directories. ## ## @@ -539,10 +577,10 @@ # interface(`postfix_search_spool',` gen_require(` - type postfix_spool_t; + attribute postfix_spool_type; ') - allow $1 postfix_spool_t:dir search_dir_perms; + allow $1 postfix_spool_type:dir search_dir_perms; files_search_spool($1) ') @@ -558,10 +596,10 @@ # interface(`postfix_list_spool',` gen_require(` - type postfix_spool_t; + attribute postfix_spool_type; ') - allow $1 postfix_spool_t:dir list_dir_perms; + allow $1 postfix_spool_type:dir list_dir_perms; files_search_spool($1) ') @@ -577,11 +615,11 @@ # interface(`postfix_read_spool_files',` gen_require(` - type postfix_spool_t; + attribute postfix_spool_type; ') files_search_spool($1) - read_files_pattern($1, postfix_spool_t, postfix_spool_t) + read_files_pattern($1, postfix_spool_type, postfix_spool_type) ') ######################################## @@ -596,11 +634,11 @@ # interface(`postfix_manage_spool_files',` gen_require(` - type postfix_spool_t; + attribute postfix_spool_type; ') files_search_spool($1) - manage_files_pattern($1, postfix_spool_t, postfix_spool_t) + manage_files_pattern($1, postfix_spool_type, postfix_spool_type) ') ######################################## @@ -621,3 +659,101 @@ typeattribute $1 postfix_user_domtrans; ') + +######################################## +## +## All of the rules required to administrate +## an postfix environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +# +interface(`postfix_admin', ` + gen_require(` + type postfix_bounce_t, postfix_cleanup_t, postfix_local_t; + type postfix_master_t, postfix_pickup_t, postfix_qmgr_t; + type postfix_smtpd_t; + + attribute postfix_spool_type; + + type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t; + type postfix_var_run_t; + + type postfix_map_tmp_t, postfix_prng_t, postfix_public_t; + ') + + allow $1 postfix_bounce_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, postfix_bounce_t, postfix_bounce_t) + + allow $1 postfix_cleanup_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, postfix_cleanup_t, postfix_cleanup_t) + + allow $1 postfix_local_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, postfix_local_t, postfix_local_t) + + allow $1 postfix_master_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, postfix_master_t, postfix_master_t) + + allow $1 postfix_pickup_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, postfix_pickup_t, postfix_pickup_t) + + allow $1 postfix_qmgr_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, postfix_qmgr_t, postfix_qmgr_t) + + allow $1 postfix_smtpd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, postfix_smtpd_t, postfix_smtpd_t) + + postfix_run_map($1,$2) + postfix_run_postdrop($1,$2) + + postfix_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 postfix_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, postfix_data_t) + + files_list_etc($1) + admin_pattern($1, postfix_etc_t) + + files_search_spool($1) + admin_pattern($1,postfix_spool_type) + + admin_pattern($1, postfix_var_run_t) + + files_search_tmp($1) + admin_pattern($1, postfix_map_tmp_t) + + admin_pattern($1, postfix_prng_t) + + admin_pattern($1, postfix_public_t) +') + +######################################## +## +## Execute the master postdrop in the +## postfix_postdrop domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`postfix_run_postdrop',` + gen_require(` + type postfix_postdrop_t; + ') + + postfix_domtrans_postdrop($1) + role $2 types postfix_postdrop_t; +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.8.8/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/postfix.te 2010-07-30 14:06:53.000000000 -0400 @@ -5,6 +5,15 @@ # Declarations # +## +##

+## Allow postfix_local domain full write access to mail_spool directories +## +##

+## +gen_tunable(allow_postfix_local_write_mail_spool, false) + +attribute postfix_spool_type; attribute postfix_user_domains; # domains that transition to the # postfix user domains @@ -12,7 +21,7 @@ postfix_server_domain_template(bounce) -type postfix_spool_bounce_t; +type postfix_spool_bounce_t, postfix_spool_type; files_type(postfix_spool_bounce_t) postfix_server_domain_template(cleanup) @@ -26,12 +35,21 @@ postfix_server_domain_template(local) mta_mailserver_delivery(postfix_local_t) +# Handle vacation script +mta_send_mail(postfix_local_t) + +userdom_read_user_home_content_files(postfix_local_t) + +tunable_policy(`allow_postfix_local_write_mail_spool',` + mta_manage_spool(postfix_local_t) +') + # Program for creating database files type postfix_map_t; type postfix_map_exec_t; application_domain(postfix_map_t, postfix_map_exec_t) role system_r types postfix_map_t; - + type postfix_map_tmp_t; files_tmp_file(postfix_map_tmp_t) @@ -41,6 +59,9 @@ # generation macro work mta_mailserver(postfix_t, postfix_master_exec_t) +type postfix_initrc_exec_t; +init_script_file(postfix_initrc_exec_t) + postfix_server_domain_template(pickup) postfix_server_domain_template(pipe) @@ -49,6 +70,7 @@ mta_mailserver_user_agent(postfix_postdrop_t) postfix_user_domain_template(postqueue) +mta_mailserver_user_agent(postfix_postqueue_t) type postfix_private_t; files_type(postfix_private_t) @@ -65,13 +87,13 @@ postfix_server_domain_template(smtpd) -type postfix_spool_t; +type postfix_spool_t, postfix_spool_type; files_type(postfix_spool_t) -type postfix_spool_maildrop_t; +type postfix_spool_maildrop_t, postfix_spool_type; files_type(postfix_spool_maildrop_t) -type postfix_spool_flush_t; +type postfix_spool_flush_t, postfix_spool_type; files_type(postfix_spool_flush_t) type postfix_public_t; @@ -99,7 +121,9 @@ allow postfix_master_t self:udp_socket create_socket_perms; allow postfix_master_t self:process setrlimit; +allow postfix_master_t postfix_etc_t:dir rw_dir_perms; allow postfix_master_t postfix_etc_t:file rw_file_perms; +mta_filetrans_aliases(postfix_master_t, postfix_etc_t) can_exec(postfix_master_t, postfix_exec_t) @@ -150,6 +174,9 @@ corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) +corenet_udp_bind_generic_node(postfix_master_t) +corenet_udp_bind_all_unreserved_ports(postfix_master_t) +corenet_dontaudit_udp_bind_all_ports(postfix_master_t) corenet_tcp_bind_generic_node(postfix_master_t) corenet_tcp_bind_amavisd_send_port(postfix_master_t) corenet_tcp_bind_smtp_port(postfix_master_t) @@ -167,6 +194,8 @@ domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) +files_search_var_lib(postfix_master_t) +files_search_tmp(postfix_master_t) term_dontaudit_search_ptys(postfix_master_t) @@ -304,9 +333,17 @@ ') optional_policy(` + nagios_search_spool(postfix_local_t) +') + +optional_policy(` procmail_domtrans(postfix_local_t) ') +optional_policy(` + zarafa_deliver_domtrans(postfix_local_t) +') + ######################################## # # Postfix map local policy @@ -420,6 +457,7 @@ optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) + spamassassin_kill_client(postfix_pipe_t) ') optional_policy(` @@ -588,6 +626,11 @@ # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) + +# postfix checks the size of all mounted file systems +fs_getattr_all_dirs(postfix_smtpd_t) +fs_getattr_all_fs(postfix_smtpd_t) + mta_read_aliases(postfix_smtpd_t) optional_policy(` @@ -630,3 +673,8 @@ # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) + +userdom_manage_user_home_dirs(postfix_virtual_t) +userdom_manage_user_home_content(postfix_virtual_t) +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.8.8/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/postgresql.if 2010-07-30 14:06:53.000000000 -0400 @@ -223,7 +223,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.8.8/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/postgresql.te 2010-07-30 14:06:53.000000000 -0400 @@ -202,9 +202,10 @@ files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file }) fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file }) +manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) -files_pid_filetrans(postgresql_t, postgresql_var_run_t, file) +files_pid_filetrans(postgresql_t, postgresql_var_run_t, { file dir }) kernel_read_kernel_sysctls(postgresql_t) kernel_read_system_state(postgresql_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.8.8/policy/modules/services/postgrey.te --- nsaserefpolicy/policy/modules/services/postgrey.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/postgrey.te 2010-07-30 14:06:53.000000000 -0400 @@ -47,9 +47,10 @@ manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t) files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file) +manage_dirs_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t) manage_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t) manage_sock_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t) -files_pid_filetrans(postgrey_t, postgrey_var_run_t, { file sock_file }) +files_pid_filetrans(postgrey_t, postgrey_var_run_t, { file sock_file dir }) kernel_read_system_state(postgrey_t) kernel_read_kernel_sysctls(postgrey_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.8.8/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ppp.if 2010-07-30 14:06:53.000000000 -0400 @@ -326,7 +326,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.8.8/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ppp.te 2010-07-30 14:06:53.000000000 -0400 @@ -70,7 +70,7 @@ # PPPD Local policy # -allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override }; +allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override }; dontaudit pppd_t self:capability sys_tty_config; allow pppd_t self:process { getsched signal }; allow pppd_t self:fifo_file rw_fifo_file_perms; @@ -104,8 +104,9 @@ manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir }) +manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) -files_pid_filetrans(pppd_t, pppd_var_run_t, file) +files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file }) allow pppd_t pptp_t:process signal; @@ -194,6 +195,8 @@ optional_policy(` mta_send_mail(pppd_t) + mta_system_content(pppd_etc_t) + mta_system_content(pppd_etc_rw_t) ') optional_policy(` @@ -243,9 +246,10 @@ allow pptp_t pptp_log_t:file manage_file_perms; logging_log_filetrans(pptp_t, pptp_log_t, file) +manage_dirs_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) -files_pid_filetrans(pptp_t, pptp_var_run_t, file) +files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir }) kernel_list_proc(pptp_t) kernel_read_kernel_sysctls(pptp_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.8.8/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/prelude.te 2010-07-30 14:06:53.000000000 -0400 @@ -72,9 +72,10 @@ manage_files_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t) files_search_var_lib(prelude_t) +manage_dirs_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) -files_pid_filetrans(prelude_t, prelude_var_run_t, file) +files_pid_filetrans(prelude_t, prelude_var_run_t, { dir file }) kernel_read_system_state(prelude_t) kernel_read_sysctl(prelude_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.8.8/policy/modules/services/procmail.fc --- nsaserefpolicy/policy/modules/services/procmail.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/procmail.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,3 +1,5 @@ +HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0) +/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0) /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.8.8/policy/modules/services/procmail.if --- nsaserefpolicy/policy/modules/services/procmail.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/procmail.if 2010-07-30 14:06:53.000000000 -0400 @@ -77,3 +77,23 @@ files_search_tmp($1) rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) ') + +######################################## +## +## Read procmail home directory content +## +## +## +## Domain allowed access. +## +## +# +interface(`procmail_read_home_files',` + gen_require(` + type procmail_home_t; + ') + + userdom_search_user_home_dirs($1) + read_files_pattern($1, procmail_home_t, procmail_home_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.8.8/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/procmail.te 2010-07-30 14:06:53.000000000 -0400 @@ -10,6 +10,9 @@ application_domain(procmail_t, procmail_exec_t) role system_r types procmail_t; +type procmail_home_t; +userdom_user_home_content(procmail_home_t) + type procmail_log_t; logging_log_file(procmail_log_t) @@ -76,9 +79,15 @@ files_read_usr_files(procmail_t) logging_send_syslog_msg(procmail_t) +logging_append_all_logs(procmail_t) miscfiles_read_localization(procmail_t) +list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t) +read_files_pattern(procmail_t, procmail_home_t, procmail_home_t) +userdom_search_user_home_dirs(procmail_t) +userdom_search_admin_dir(procmail_t) + # only works until we define a different type for maildir userdom_manage_user_home_content_dirs(procmail_t) userdom_manage_user_home_content_files(procmail_t) @@ -87,8 +96,8 @@ userdom_manage_user_home_content_sockets(procmail_t) userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file }) -# Do not audit attempts to access /root. -userdom_dontaudit_search_user_home_dirs(procmail_t) +# Execute user executables +userdom_exec_user_bin_files(procmail_t) mta_manage_spool(procmail_t) mta_read_queue(procmail_t) @@ -128,6 +137,10 @@ ') optional_policy(` + nagios_search_spool(procmail_t) +') + +optional_policy(` pyzor_domtrans(procmail_t) pyzor_signal(procmail_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.8.8/policy/modules/services/psad.if --- nsaserefpolicy/policy/modules/services/psad.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/psad.if 2010-07-30 14:06:53.000000000 -0400 @@ -176,6 +176,26 @@ ######################################## ## +## Allow the specified domain to write to psad's log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`psad_write_log',` + gen_require(` + type psad_var_log_t; + ') + + logging_search_logs($1) + write_files_pattern($1, psad_var_log_t, psad_var_log_t) +') + +######################################## +## ## Read and write psad fifo files. ## ## @@ -234,7 +254,7 @@ gen_require(` type psad_t, psad_var_run_t, psad_var_log_t; type psad_initrc_exec_t, psad_var_lib_t; - type psad_tmp_t; + type psad_tmp_t, psad_etc_t; ') allow $1 psad_t:process { ptrace signal_perms }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.8.8/policy/modules/services/psad.te --- nsaserefpolicy/policy/modules/services/psad.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/psad.te 2010-07-30 14:06:53.000000000 -0400 @@ -53,9 +53,10 @@ logging_log_filetrans(psad_t, psad_var_log_t, { file dir }) # pid file +manage_dirs_pattern(psad_t, psad_var_run_t, psad_var_run_t) manage_files_pattern(psad_t, psad_var_run_t, psad_var_run_t) manage_sock_files_pattern(psad_t, psad_var_run_t, psad_var_run_t) -files_pid_filetrans(psad_t, psad_var_run_t, { file sock_file }) +files_pid_filetrans(psad_t, psad_var_run_t, { dir file sock_file }) # tmp files manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t) @@ -85,6 +86,7 @@ dev_read_urand(psad_t) files_read_etc_runtime_files(psad_t) +files_read_usr_files(psad_t) fs_getattr_all_fs(psad_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.8.8/policy/modules/services/puppet.te --- nsaserefpolicy/policy/modules/services/puppet.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/puppet.te 2010-07-30 14:06:53.000000000 -0400 @@ -63,7 +63,7 @@ manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) files_search_var_lib(puppet_t) -setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) +manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) @@ -179,21 +179,26 @@ allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr }; allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr }; logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) +allow puppetmaster_t puppet_log_t:file { relabelfrom relabelto }; manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) +allow puppetmaster_t puppet_var_lib_t:dir { relabelfrom relabelto }; setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir }) +allow puppetmaster_t puppet_var_run_t:dir { relabelfrom relabelto }; manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) +allow puppetmaster_t puppet_tmp_t:dir { relabelfrom relabelto }; kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) kernel_read_system_state(puppetmaster_t) kernel_read_crypto_sysctls(puppetmaster_t) +kernel_read_kernel_sysctls(puppetmaster_t) corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) @@ -214,13 +219,19 @@ files_read_etc_files(puppetmaster_t) files_search_var_lib(puppetmaster_t) +selinux_validate_context(puppetmaster_t) + logging_send_syslog_msg(puppetmaster_t) miscfiles_read_localization(puppetmaster_t) +seutil_read_file_contexts(puppetmaster_t) + sysnet_dns_name_resolve(puppetmaster_t) sysnet_run_ifconfig(puppetmaster_t, system_r) +mta_send_mail(puppetmaster_t) + optional_policy(` hostname_exec(puppetmaster_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.8.8/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/pyzor.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,6 +1,10 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) +HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) +/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) +/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.8.8/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/pyzor.if 2010-07-30 14:06:53.000000000 -0400 @@ -88,3 +88,50 @@ corecmd_search_bin($1) can_exec($1, pyzor_exec_t) ') + +######################################## +## +## All of the rules required to administrate +## an pyzor environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the pyzor domain. +## +## +## +# +interface(`pyzor_admin',` + gen_require(` + type pyzord_t, pyzor_tmp_t, pyzord_log_t; + type pyzor_etc_t, pyzor_var_lib_t; + type pyzord_initrc_exec_t; + ') + + allow $1 pyzord_t:process { ptrace signal_perms }; + ps_process_pattern($1, pyzord_t) + + init_labeled_script_domtrans($1, pyzord_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 pyzord_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, pyzor_tmp_t) + + logging_list_logs($1) + admin_pattern($1, pyzord_log_t) + + files_list_etc($1) + admin_pattern($1, pyzor_etc_t) + + files_list_var_lib($1) + admin_pattern($1, pyzor_var_lib_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.8.8/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/pyzor.te 2010-07-30 14:06:53.000000000 -0400 @@ -5,6 +5,38 @@ # Declarations # + +ifdef(`distro_redhat',` + + gen_require(` + type spamc_t; + type spamc_exec_t; + type spamd_t; + type spamd_initrc_exec_t; + type spamd_exec_t; + type spamc_tmp_t; + type spamd_log_t; + type spamd_var_lib_t; + type spamd_etc_t; + type spamc_tmp_t; + type spamc_home_t; + ') + + typealias spamc_t alias pyzor_t; + typealias spamc_exec_t alias pyzor_exec_t; + typealias spamd_t alias pyzord_t; + typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t; + typealias spamd_exec_t alias pyzord_exec_t; + typealias spamc_tmp_t alias pyzor_tmp_t; + typealias spamd_log_t alias pyzor_log_t; + typealias spamd_log_t alias pyzord_log_t; + typealias spamd_var_lib_t alias pyzor_var_lib_t; + typealias spamd_etc_t alias pyzor_etc_t; + typealias spamc_home_t alias pyzor_home_t; + typealias spamc_home_t alias user_pyzor_home_t; + +',` + type pyzor_t; type pyzor_exec_t; typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t }; @@ -39,6 +71,7 @@ type pyzord_log_t; logging_log_file(pyzord_log_t) +') ######################################## # @@ -76,12 +109,16 @@ dev_read_urand(pyzor_t) +fs_getattr_xattr_fs(pyzor_t) + files_read_etc_files(pyzor_t) auth_use_nsswitch(pyzor_t) miscfiles_read_localization(pyzor_t) +mta_read_queue(pyzor_t) + userdom_dontaudit_search_user_home_dirs(pyzor_t) optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.fc serefpolicy-3.8.8/policy/modules/services/qpidd.fc --- nsaserefpolicy/policy/modules/services/qpidd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/qpidd.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,9 @@ + +/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0) + +/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0) + +/var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0) + +/var/run/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_run_t,s0) +/var/run/qpidd\.pid gen_context(system_u:object_r:qpidd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.if serefpolicy-3.8.8/policy/modules/services/qpidd.if --- nsaserefpolicy/policy/modules/services/qpidd.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/qpidd.if 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,236 @@ + +## policy for qpidd + +######################################## +## +## Execute a domain transition to run qpidd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`qpidd_domtrans',` + gen_require(` + type qpidd_t, qpidd_exec_t; + ') + + domtrans_pattern($1, qpidd_exec_t, qpidd_t) +') + + +######################################## +## +## Execute qpidd server in the qpidd domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`qpidd_initrc_domtrans',` + gen_require(` + type qpidd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, qpidd_initrc_exec_t) +') + +######################################## +## +## Read qpidd PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`qpidd_read_pid_files',` + gen_require(` + type qpidd_var_run_t; + ') + + files_search_pids($1) + allow $1 qpidd_var_run_t:file read_file_perms; +') + +######################################## +## +## Manage qpidd var_run files. +## +## +## +## Domain allowed access. +## +## +# +interface(`qpidd_manage_var_run',` + gen_require(` + type qpidd_var_run_t; + ') + + manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t) + manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) + manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) +') + + +######################################## +## +## Search qpidd lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`qpidd_search_lib',` + gen_require(` + type qpidd_var_lib_t; + ') + + allow $1 qpidd_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Read qpidd lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`qpidd_read_lib_files',` + gen_require(` + type qpidd_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) +') + +######################################## +## +## Create, read, write, and delete +## qpidd lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`qpidd_manage_lib_files',` + gen_require(` + type qpidd_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) +') + +######################################## +## +## Manage qpidd var_lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`qpidd_manage_var_lib',` + gen_require(` + type qpidd_var_lib_t; + ') + + manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) +') + + +######################################## +## +## All of the rules required to administrate +## an qpidd environment +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`qpidd_admin',` + gen_require(` + type qpidd_t; + ') + + allow $1 qpidd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, qpidd_t, qpidd_t) + + + gen_require(` + type qpidd_initrc_exec_t; + ') + + # Allow qpidd_t to restart the apache service + qpidd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 qpidd_initrc_exec_t system_r; + allow $2 system_r; + + qpidd_manage_var_run($1) + + qpidd_manage_var_lib($1) + +') + +##################################### +## +## Allow read and write access to qpidd semaphores. +## +## +## +## Domain allowed access. +## +## +# +interface(`qpidd_rw_semaphores',` + gen_require(` + type qpidd_t; + ') + + allow $1 qpidd_t:sem rw_sem_perms; +') + +######################################## +## +## Read and write to qpidd shared memory. +## +## +## +## Domain allowed access. +## +## +# +interface(`qpidd_rw_shm',` + gen_require(` + type qpidd_t; + ') + + allow $1 qpidd_t:shm rw_shm_perms; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.te serefpolicy-3.8.8/policy/modules/services/qpidd.te --- nsaserefpolicy/policy/modules/services/qpidd.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/qpidd.te 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,59 @@ +policy_module(qpidd,1.0.0) + +######################################## +# +# Declarations +# + +type qpidd_t; +type qpidd_exec_t; +init_daemon_domain(qpidd_t, qpidd_exec_t) + +type qpidd_initrc_exec_t; +init_script_file(qpidd_initrc_exec_t) + +type qpidd_var_run_t; +files_pid_file(qpidd_var_run_t) + +type qpidd_var_lib_t; +files_type(qpidd_var_lib_t) + +######################################## +# +# qpidd local policy +# + +allow qpidd_t self:process { setsched signull }; +allow qpidd_t self:fifo_file rw_fifo_file_perms; +allow qpidd_t self:sem create_sem_perms; +allow qpidd_t self:shm create_shm_perms; +allow qpidd_t self:tcp_socket create_stream_socket_perms; +allow qpidd_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) +manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) +files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir } ) + +manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) +manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) +files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir }) + +kernel_read_system_state(qpidd_t) + +corenet_all_recvfrom_unlabeled(qpidd_t) +corenet_all_recvfrom_netlabel(qpidd_t) +corenet_tcp_bind_generic_node(qpidd_t) +corenet_tcp_sendrecv_generic_if(qpidd_t) +corenet_tcp_sendrecv_generic_node(qpidd_t) +corenet_tcp_sendrecv_all_ports(qpidd_t) +corenet_tcp_bind_amqp_port(qpidd_t) + +dev_read_urand(qpidd_t) + +files_read_etc_files(qpidd_t) + +logging_send_syslog_msg(qpidd_t) + +miscfiles_read_localization(qpidd_t) + +sysnet_dns_name_resolve(qpidd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.8.8/policy/modules/services/radius.te --- nsaserefpolicy/policy/modules/services/radius.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/radius.te 2010-07-30 14:06:53.000000000 -0400 @@ -36,7 +36,7 @@ # gzip also needs chown access to preserve GID for radwtmp files allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; dontaudit radiusd_t self:capability sys_tty_config; -allow radiusd_t self:process { getsched setsched sigkill signal }; +allow radiusd_t self:process { getsched setrlimit setsched sigkill signal }; allow radiusd_t self:fifo_file rw_fifo_file_perms; allow radiusd_t self:unix_stream_socket create_stream_socket_perms; allow radiusd_t self:tcp_socket create_stream_socket_perms; @@ -59,8 +59,9 @@ manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t) manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) +manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) -files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file }) +files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir }) kernel_read_kernel_sysctls(radiusd_t) kernel_read_system_state(radiusd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.8.8/policy/modules/services/radvd.te --- nsaserefpolicy/policy/modules/services/radvd.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/radvd.te 2010-07-30 14:06:53.000000000 -0400 @@ -33,8 +33,9 @@ allow radvd_t radvd_etc_t:file read_file_perms; +manage_dirs_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t) manage_files_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t) -files_pid_filetrans(radvd_t, radvd_var_run_t, file) +files_pid_filetrans(radvd_t, radvd_var_run_t, { file dir }) kernel_read_kernel_sysctls(radvd_t) kernel_rw_net_sysctls(radvd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.8.8/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/razor.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,3 +1,4 @@ +/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.8.8/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/razor.if 2010-07-30 14:06:53.000000000 -0400 @@ -157,3 +157,45 @@ domtrans_pattern($1, razor_exec_t, razor_t) ') + +######################################## +## +## Create, read, write, and delete razor files +## in a user home subdirectory. +## +## +## +## Domain allowed access. +## +## +# +template(`razor_manage_user_home_files',` + gen_require(` + type razor_home_t; + ') + + files_search_home($1) + userdom_search_user_home_dirs($1) + manage_files_pattern($1, razor_home_t, razor_home_t) + read_lnk_files_pattern($1, razor_home_t, razor_home_t) +') + +######################################## +## +## read razor lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`razor_read_lib_files',` + gen_require(` + type razor_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.8.8/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/razor.te 2010-07-30 14:06:53.000000000 -0400 @@ -5,6 +5,32 @@ # Declarations # +ifdef(`distro_redhat',` + + gen_require(` + type spamc_t; + type spamc_exec_t; + type spamd_log_t; + type spamd_spool_t; + type spamd_var_lib_t; + type spamd_etc_t; + type spamc_home_t; + type spamc_tmp_t; + ') + + typealias spamc_t alias razor_t; + typealias spamc_exec_t alias razor_exec_t; + typealias spamd_log_t alias razor_log_t; + typealias spamd_var_lib_t alias razor_var_lib_t; + typealias spamd_etc_t alias razor_etc_t; + typealias spamc_home_t alias razor_home_t; + typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; + typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; + typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; + typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; + +',` + type razor_exec_t; corecmd_executable_file(razor_exec_t) @@ -14,6 +40,7 @@ type razor_home_t; typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; +files_poly_member(razor_home_t) userdom_user_home_content(razor_home_t) type razor_log_t; @@ -100,6 +127,8 @@ manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t) files_tmp_filetrans(razor_t, razor_tmp_t, { file dir }) +auth_use_nsswitch(razor_t) + logging_send_syslog_msg(razor_t) userdom_search_user_home_dirs(razor_t) @@ -118,5 +147,7 @@ ') optional_policy(` - nscd_socket_use(razor_t) + milter_manage_spamass_state(razor_t) +') + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.8.8/policy/modules/services/remotelogin.if --- nsaserefpolicy/policy/modules/services/remotelogin.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/remotelogin.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -24,7 +24,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.8.8/policy/modules/services/rgmanager.fc --- nsaserefpolicy/policy/modules/services/rgmanager.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rgmanager.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,3 +1,5 @@ +/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) + /usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) /var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.8.8/policy/modules/services/rgmanager.if --- nsaserefpolicy/policy/modules/services/rgmanager.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rgmanager.if 2010-07-30 14:06:53.000000000 -0400 @@ -75,3 +75,64 @@ fs_search_tmpfs($1) manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) ') + +####################################### +## +## Allow read and write access to rgmanager semaphores. +## +## +## +## Domain allowed access. +## +## +# +interface(`rgmanager_rw_semaphores',` + gen_require(` + type rgmanager_t; + ') + + allow $1 rgmanager_t:sem { unix_read unix_write associate read write }; +') + +###################################### +## +## All of the rules required to administrate +## an rgmanager environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the rgmanager domain. +## +## +## +# +interface(`rgmanager_admin',` + gen_require(` + type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t; + type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t; + ') + + allow $1 rgmanager_t:process { ptrace signal_perms }; + read_files_pattern($1, rgmanager_t, rgmanager_t) + + init_labeled_script_domtrans($1, rgmanager_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 rgmanager_initrc_exec_t system_r; + allow $2 system_r; + + files_search_tmp($1) + admin_pattern($1, rgmanager_tmp_t) + + admin_pattern($1, rgmanager_tmpfs_t) + + logging_search_logs($1) + admin_pattern($1, rgmanager_var_log_t) + + files_search_pids($1) + admin_pattern($1, rgmanager_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.8.8/policy/modules/services/rgmanager.te --- nsaserefpolicy/policy/modules/services/rgmanager.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rgmanager.te 2010-07-30 14:06:53.000000000 -0400 @@ -17,6 +17,9 @@ domain_type(rgmanager_t) init_daemon_domain(rgmanager_t, rgmanager_exec_t) +type rgmanager_initrc_exec_t; +init_script_file(rgmanager_initrc_exec_t) + type rgmanager_tmp_t; files_tmp_file(rgmanager_tmp_t) @@ -55,11 +58,14 @@ manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t) logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file }) +manage_dirs_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) -files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file }) +files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file dir }) +kernel_kill(rgmanager_t) kernel_read_kernel_sysctls(rgmanager_t) +kernel_read_rpc_sysctls(rgmanager_t) kernel_read_system_state(rgmanager_t) kernel_rw_rpc_sysctls(rgmanager_t) kernel_search_debugfs(rgmanager_t) @@ -78,14 +84,19 @@ domain_getattr_all_domains(rgmanager_t) domain_dontaudit_ptrace_all_domains(rgmanager_t) -files_list_all(rgmanager_t) +files_create_var_run_dirs(rgmanager_t) files_getattr_all_symlinks(rgmanager_t) +files_list_all(rgmanager_t) files_manage_mnt_dirs(rgmanager_t) +files_manage_mnt_files(rgmanager_t) +files_manage_mnt_symlinks(rgmanager_t) +files_manage_isid_type_files(rgmanager_t) files_manage_isid_type_dirs(rgmanager_t) fs_getattr_xattr_fs(rgmanager_t) fs_getattr_all_fs(rgmanager_t) +storage_raw_read_fixed_disk(rgmanager_t) storage_getattr_fixed_disk_dev(rgmanager_t) term_getattr_pty_fs(rgmanager_t) @@ -140,6 +151,11 @@ ') optional_policy(` + ldap_initrc_domtrans(rgmanager_t) + ldap_domtrans(rgmanager_t) +') + +optional_policy(` mysql_domtrans_mysql_safe(rgmanager_t) mysql_stream_connect(rgmanager_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.8.8/policy/modules/services/rhcs.fc --- nsaserefpolicy/policy/modules/services/rhcs.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rhcs.fc 2010-08-10 11:56:57.000000000 -0400 @@ -1,6 +1,7 @@ /usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) /usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) /usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) +/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0) /usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) /usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) /usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.8.8/policy/modules/services/rhcs.if --- nsaserefpolicy/policy/modules/services/rhcs.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rhcs.if 2010-07-30 14:06:53.000000000 -0400 @@ -14,6 +14,8 @@ template(`rhcs_domain_template',` gen_require(` attribute cluster_domain; + attribute cluster_tmpfs; + attribute cluster_pid; ') ############################## @@ -25,13 +27,13 @@ type $1_exec_t; init_daemon_domain($1_t, $1_exec_t) - type $1_tmpfs_t; + type $1_tmpfs_t, cluster_tmpfs; files_tmpfs_file($1_tmpfs_t) type $1_var_log_t; logging_log_file($1_var_log_t) - type $1_var_run_t; + type $1_var_run_t, cluster_pid; files_pid_file($1_var_run_t) ############################## @@ -335,6 +337,67 @@ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) ') +######################################## +## +## Read and write to group shared memory. +## +## +## +## Domain allowed access. +## +## +# +interface(`rhcs_rw_cluster_shm',` + gen_require(` + attribute cluster_domain; + attribute cluster_tmpfs; + ') + + allow $1 cluster_domain:shm { rw_shm_perms destroy }; + + fs_search_tmpfs($1) + manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs) +') + +#################################### +## +## Read and write access to cluster domains semaphores. +## +## +## +## Domain allowed access. +## +## +# +interface(`rhcs_rw_cluster_semaphores',` + gen_require(` + type cluster_domain; + ') + + allow $1 cluster_domain:sem { rw_sem_perms destroy }; +') + +#################################### +## +## Connect to cluster domains over a unix domain +## stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`rhcs_stream_connect_cluster',` + gen_require(` + attribute cluster_domain; + attribute cluster_pid; + ') + + files_search_pids($1) + stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) +') + ###################################### ## ## Execute a domain transition to run qdiskd. @@ -353,3 +416,21 @@ corecmd_search_bin($1) domtrans_pattern($1, qdiskd_exec_t, qdiskd_t) ') + +######################################## +## +## Allow domain to read qdiskd tmpfs files +## +## +## +## Domain allowed access. +## +## +# +interface(`rhcs_read_qdiskd_tmpfs_files',` + gen_require(` + type qdiskd_tmpfs_t; + ') + + allow $1 qdiskd_tmpfs_t:file read_file_perms; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.8.8/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rhcs.te 2010-07-30 14:06:53.000000000 -0400 @@ -13,6 +13,8 @@ gen_tunable(fenced_can_network_connect, false) attribute cluster_domain; +attribute cluster_tmpfs; +attribute cluster_pid; rhcs_domain_template(dlm_controld) @@ -55,17 +57,13 @@ init_rw_script_tmp_files(dlm_controld_t) -optional_policy(` - ccs_stream_connect(dlm_controld_t) -') - ####################################### # # fenced local policy # allow fenced_t self:capability { sys_rawio sys_resource }; -allow fenced_t self:process getsched; +allow fenced_t self:process { getsched signal_perms }; allow fenced_t self:tcp_socket create_stream_socket_perms; allow fenced_t self:udp_socket create_socket_perms; @@ -82,7 +80,10 @@ stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) +kernel_read_system_state(fenced_t) + corecmd_exec_bin(fenced_t) +corecmd_exec_shell(fenced_t) corenet_tcp_connect_http_port(fenced_t) @@ -106,7 +107,6 @@ optional_policy(` ccs_read_config(fenced_t) - ccs_stream_connect(fenced_t) ') optional_policy(` @@ -139,10 +139,6 @@ init_rw_script_tmp_files(gfs_controld_t) optional_policy(` - ccs_stream_connect(gfs_controld_t) -') - -optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) ') @@ -168,7 +164,7 @@ # qdiskd local policy # -allow qdiskd_t self:capability ipc_lock; +allow qdiskd_t self:capability { ipc_lock sys_boot }; allow qdiskd_t self:tcp_socket create_stream_socket_perms; allow qdiskd_t self:udp_socket create_socket_perms; @@ -207,10 +203,6 @@ auth_use_nsswitch(qdiskd_t) optional_policy(` - ccs_stream_connect(qdiskd_t) -') - -optional_policy(` netutils_domtrans_ping(qdiskd_t) ') @@ -236,5 +228,9 @@ miscfiles_read_localization(cluster_domain) optional_policy(` + ccs_stream_connect(cluster_domain) +') + +optional_policy(` corosync_stream_connect(cluster_domain) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.if serefpolicy-3.8.8/policy/modules/services/rhgb.if --- nsaserefpolicy/policy/modules/services/rhgb.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rhgb.if 2010-08-03 15:21:15.000000000 -0400 @@ -22,7 +22,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -76,7 +76,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -95,7 +95,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -113,7 +113,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -131,7 +131,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -185,7 +185,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-3.8.8/policy/modules/services/ricci.fc --- nsaserefpolicy/policy/modules/services/ricci.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ricci.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,3 +1,6 @@ + +/etc/rc\.d/init\.d/ricci -- gen_context(system_u:object_r:ricci_initrc_exec_t,s0) + /usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0) /usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0) /usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.8.8/policy/modules/services/ricci.if --- nsaserefpolicy/policy/modules/services/ricci.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ricci.if 2010-08-10 05:23:35.000000000 -0400 @@ -18,6 +18,24 @@ domtrans_pattern($1, ricci_exec_t, ricci_t) ') +####################################### +## +## Execute ricci server in the ricci domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ricci_initrc_domtrans', ` + gen_require(` + type ricci_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, ricci_initrc_exec_t) +') + ######################################## ## ## Execute a domain transition to run ricci_modcluster. @@ -96,6 +114,24 @@ ######################################## ## +## Read and write to ricci_modcluserd temporary file system. +## +## +## +## Domain allowed access. +## +## +# +interface(`ricci_rw_modclusterd_tmpfs_files',` + gen_require(` + type ricci_modcluserd_tmpfs_t; + ') + + allow $1 ricci_modcluserd_tmpfs_t:file rw_file_perms; +') + +######################################## +## ## Execute a domain transition to run ricci_modlog. ## ## @@ -165,3 +201,67 @@ domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t) ') + +#################################### +## +## Allow the specified domain to manage ricci's lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`ricci_manage_lib_files',` + gen_require(` + type ricci_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t) + manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t) +') + +######################################## +## +## All of the rules required to administrate +## an ricci environment +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`ricci_admin',` + gen_require(` + type ricci_t, ricci_initrc_exec_t, ricci_tmp_t; + type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t; + ') + + allow $1 ricci_t:process { ptrace signal_perms }; + ps_process_pattern($1, ricci_t) + + ricci_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 ricci_initrc_exec_t system_r; + allow $2 system_r; + + files_search_tmp($1) + admin_pattern($1, ricci_tmp_t) + + files_search_var_lib($1) + admin_pattern($1, ricci_var_lib_t) + + logging_search_logs($1) + admin_pattern($1, ricci_var_log_t) + + files_search_pids($1) + admin_pattern($1, ricci_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.8.8/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ricci.te 2010-08-10 05:23:35.000000000 -0400 @@ -10,6 +10,9 @@ domain_type(ricci_t) init_daemon_domain(ricci_t, ricci_exec_t) +type ricci_initrc_exec_t; +init_script_file(ricci_initrc_exec_t) + type ricci_tmp_t; files_tmp_file(ricci_tmp_t) @@ -42,6 +45,9 @@ domain_type(ricci_modclusterd_t) init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t) +type ricci_modclusterd_tmpfs_t; +files_tmpfs_file(ricci_modclusterd_tmpfs_t) + type ricci_modlog_t; type ricci_modlog_exec_t; domain_type(ricci_modlog_t) @@ -105,6 +111,7 @@ files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file }) kernel_read_kernel_sysctls(ricci_t) +kernel_read_system_state(ricci_t) corecmd_exec_bin(ricci_t) @@ -170,6 +177,10 @@ ') optional_policy(` + shutdown_domtrans(ricci_t) +') + +optional_policy(` unconfined_use_fds(ricci_t) ') @@ -241,6 +252,10 @@ ') optional_policy(` + rgmanager_stream_connect(ricci_modclusterd_t) +') + +optional_policy(` # XXX This has got to go. unconfined_domain(ricci_modcluster_t) ') @@ -261,6 +276,10 @@ allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms; +manage_dirs_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t) +manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t) +fs_tmpfs_filetrans(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, { dir file }) + allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) @@ -272,6 +291,7 @@ kernel_read_kernel_sysctls(ricci_modclusterd_t) kernel_read_system_state(ricci_modclusterd_t) +kernel_request_load_module(ricci_modclusterd_t) corecmd_exec_bin(ricci_modclusterd_t) @@ -444,6 +464,12 @@ files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) +files_create_default_dir(ricci_modstorage_t) +files_root_filetrans_default(ricci_modstorage_t, dir) +files_mounton_default(ricci_modstorage_t) +files_manage_default_dirs(ricci_modstorage_t) +files_manage_default_files(ricci_modstorage_t) + storage_raw_read_fixed_disk(ricci_modstorage_t) term_dontaudit_use_console(ricci_modstorage_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.fc serefpolicy-3.8.8/policy/modules/services/rlogin.fc --- nsaserefpolicy/policy/modules/services/rlogin.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rlogin.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,4 +1,7 @@ HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) +HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) +/root/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) +/root/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) /usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.if serefpolicy-3.8.8/policy/modules/services/rlogin.if --- nsaserefpolicy/policy/modules/services/rlogin.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rlogin.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.8.8/policy/modules/services/rlogin.te --- nsaserefpolicy/policy/modules/services/rlogin.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rlogin.te 2010-07-30 14:06:53.000000000 -0400 @@ -43,7 +43,6 @@ manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) -files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir }) manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t) files_pid_filetrans(rlogind_t, rlogind_var_run_t, file) @@ -88,6 +87,9 @@ userdom_setattr_user_ptys(rlogind_t) # cjp: this is egregious userdom_read_user_home_content_files(rlogind_t) +userdom_search_admin_dir(rlogind_t) +userdom_manage_user_tmp_files(rlogind_t) +userdom_tmp_filetrans_user_tmp(rlogind_t, file) remotelogin_domtrans(rlogind_t) remotelogin_signal(rlogind_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.8.8/policy/modules/services/rpcbind.fc --- nsaserefpolicy/policy/modules/services/rpcbind.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rpcbind.fc 2010-08-20 07:30:37.000000000 -0400 @@ -2,6 +2,7 @@ /sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) +/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) /var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.8.8/policy/modules/services/rpcbind.if --- nsaserefpolicy/policy/modules/services/rpcbind.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rpcbind.if 2010-07-30 14:06:53.000000000 -0400 @@ -141,7 +141,7 @@ allow $1 rpcbind_t:process { ptrace signal_perms }; ps_process_pattern($1, rpcbind_t) - init_labeled_script_domtrans($1, rbcbind_initrc_exec_t) + init_labeled_script_domtrans($1, rpcbind_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 rpcbind_initrc_exec_t system_r; allow $2 system_r; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.8.8/policy/modules/services/rpcbind.te --- nsaserefpolicy/policy/modules/services/rpcbind.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rpcbind.te 2010-07-30 14:06:53.000000000 -0400 @@ -71,3 +71,7 @@ ifdef(`hide_broken_symptoms',` dontaudit rpcbind_t self:udp_socket listen; ') + +optional_policy(` + nis_use_ypbind(rpcbind_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.8.8/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rpc.if 2010-07-30 14:06:53.000000000 -0400 @@ -128,7 +128,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -143,7 +143,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -161,7 +161,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -179,7 +179,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -197,7 +197,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -233,7 +233,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -246,6 +246,26 @@ allow rpcd_t $1:process signal; ') +######################################## +## +## Execute rpcd in the rcpd domain, and +## allow the specified role the rpcd domain. +## +## +## +## The role to be allowed the rpcd domain. +## +## +# +interface(`rpc_run_rpcd',` + gen_require(` + type rpcd_t; + ') + + rpc_domtrans_rpcd($1) + role $2 types rpcd_t; +') + ####################################### ## ## Execute domain in rpcd domain. @@ -414,4 +434,5 @@ files_search_var_lib($1) manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) + allow $1 var_lib_nfs_t:file { relabelfrom relabelto }; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.8.8/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rpc.te 2010-07-30 14:06:53.000000000 -0400 @@ -63,8 +63,9 @@ allow rpcd_t self:fifo_file rw_fifo_file_perms; allow rpcd_t rpcd_var_run_t:dir setattr; +manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) -files_pid_filetrans(rpcd_t, rpcd_var_run_t, file) +files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir }) # rpc.statd executes sm-notify can_exec(rpcd_t, rpcd_exec_t) @@ -97,15 +98,26 @@ seutil_dontaudit_search_config(rpcd_t) +userdom_signal_unpriv_users(rpcd_t) +userdom_read_user_home_content_files(rpcd_t) + optional_policy(` automount_signal(rpcd_t) automount_dontaudit_write_pipes(rpcd_t) ') optional_policy(` + domain_unconfined_signal(rpcd_t) +') + +optional_policy(` nis_read_ypserv_config(rpcd_t) ') +optional_policy(` + rgmanager_manage_tmp_files(rpcd_t) +') + ######################################## # # NFSD local policy @@ -120,6 +132,7 @@ kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) kernel_dontaudit_getattr_core_if(nfsd_t) +kernel_setsched(nfsd_t) corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) @@ -160,6 +173,7 @@ fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) ') +userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir }) tunable_policy(`nfs_export_all_ro',` dev_getattr_all_blk_files(nfsd_t) @@ -218,6 +232,8 @@ userdom_list_user_tmp(gssd_t) userdom_read_user_tmp_files(gssd_t) userdom_read_user_tmp_symlinks(gssd_t) + userdom_write_user_tmp_files(gssd_t) + files_read_generic_tmp_files(gssd_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.if serefpolicy-3.8.8/policy/modules/services/rshd.if --- nsaserefpolicy/policy/modules/services/rshd.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rshd.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.8.8/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rshd.te 2010-07-30 14:06:53.000000000 -0400 @@ -66,6 +66,7 @@ seutil_read_default_contexts(rshd_t) userdom_search_user_home_content(rshd_t) +userdom_manage_tmp_role(system_r, rshd_t) tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(rshd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.8.8/policy/modules/services/rsync.if --- nsaserefpolicy/policy/modules/services/rsync.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rsync.if 2010-07-30 14:06:53.000000000 -0400 @@ -119,7 +119,7 @@ type rsync_etc_t; ') - allow $1 rsync_etc_t:file read_file_perms; + read_files_pattern($1, rsync_etc_t, rsync_etc_t) files_search_etc($1) ') @@ -138,6 +138,49 @@ type rsync_etc_t; ') - allow $1 rsync_etc_t:file read_file_perms; + write_files_pattern($1, rsync_etc_t, rsync_etc_t) files_search_etc($1) ') + +######################################## +## +## Manage rsync config files. +## +## +## +## Domain allowed. +## +## +# +interface(`rsync_manage_config',` + gen_require(` + type rsync_etc_t; + ') + + manage_files_pattern($1, rsync_etc_t, rsync_etc_t) + files_search_etc($1) +') + +######################################## +## +## Create objects in etc directories +## with rsync etc type. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Class of the object being created. +## +## +# +interface(`rsync_filetrans_config',` + gen_require(` + type rsync_etc_t; + ') + + files_etc_filetrans($1, rsync_etc_t, $2) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.8.8/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rsync.te 2010-07-30 14:06:53.000000000 -0400 @@ -7,6 +7,13 @@ ## ##

+## Allow rsync to run as a client +##

+## +gen_tunable(rsync_client, false) + +## +##

## Allow rsync to export any files/directories read only. ##

## @@ -23,7 +30,6 @@ type rsync_t; type rsync_exec_t; -init_daemon_domain(rsync_t, rsync_exec_t) application_executable_file(rsync_exec_t) role system_r types rsync_t; @@ -59,7 +65,7 @@ allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; #end for identd -allow rsync_t rsync_etc_t:file read_file_perms; +read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t) allow rsync_t rsync_data_t:dir list_dir_perms; read_files_pattern(rsync_t, rsync_data_t, rsync_data_t) @@ -122,6 +128,7 @@ ') tunable_policy(`rsync_export_all_ro',` + files_getattr_all_pipes(rsync_t) fs_read_noxattr_fs_files(rsync_t) fs_read_nfs_files(rsync_t) fs_read_cifs_files(rsync_t) @@ -130,4 +137,19 @@ auth_read_all_symlinks_except_shadow(rsync_t) auth_tunable_read_shadow(rsync_t) ') + +tunable_policy(`rsync_client',` + corenet_tcp_connect_rsync_port(rsync_t) + corenet_tcp_connect_ssh_port(rsync_t) + manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t) + manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t) + manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) +') + +optional_policy(` + tunable_policy(`rsync_client',` + ssh_exec(rsync_t) + ') +') + auth_can_read_shadow_passwords(rsync_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.8.8/policy/modules/services/rtkit.if --- nsaserefpolicy/policy/modules/services/rtkit.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rtkit.if 2010-07-30 14:06:53.000000000 -0400 @@ -41,6 +41,27 @@ ######################################## ## +## Do not audit send and receive messages from +## rtkit_daemon over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`rtkit_daemon_dontaudit_dbus_chat',` + gen_require(` + type rtkit_daemon_t; + class dbus send_msg; + ') + + dontaudit $1 rtkit_daemon_t:dbus send_msg; + dontaudit rtkit_daemon_t $1:dbus send_msg; +') + +######################################## +## ## Allow rtkit to control scheduling for your process ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.8.8/policy/modules/services/rtkit.te --- nsaserefpolicy/policy/modules/services/rtkit.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rtkit.te 2010-07-30 14:06:53.000000000 -0400 @@ -8,6 +8,7 @@ type rtkit_daemon_t; type rtkit_daemon_exec_t; dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) +init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) ######################################## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.8.8/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/samba.fc 2010-07-30 14:06:53.000000000 -0400 @@ -51,3 +51,7 @@ /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) /var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) + +ifndef(`enable_mls',` +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.8.8/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/samba.if 2010-07-30 14:06:53.000000000 -0400 @@ -10,7 +10,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -46,7 +46,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -64,7 +64,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -79,12 +79,31 @@ ######################################## ## +## Execute samba net in the samba_unconfined_net domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`samba_domtrans_unconfined_net',` + gen_require(` + type samba_unconfined_net_t, samba_net_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t) +') + +######################################## +## ## Execute samba net in the samba_net domain, and ## allow the specified role the samba_net domain. ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -103,13 +122,57 @@ role $2 types samba_net_t; ') +####################################### +## +## The role for the samba module. +## +## +## +## The role to be allowed the samba_net domain. +## +## +# +template(`samba_role_notrans',` + gen_require(` + type smbd_t; + ') + + role $1 types smbd_t; +') + +######################################## +## +## Execute samba net in the samba_unconfined_net domain, and +## allow the specified role the samba_unconfined_net domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the samba_unconfined_net domain. +## +## +## +# +interface(`samba_run_unconfined_net',` + gen_require(` + type samba_unconfined_net_t; + ') + + samba_domtrans_unconfined_net($1) + role $2 types samba_unconfined_net_t; +') + ######################################## ## ## Execute smbmount in the smbmount domain. ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -260,7 +323,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -412,6 +475,7 @@ files_search_var($1) files_search_var_lib($1) manage_files_pattern($1, samba_var_t, samba_var_t) + manage_lnk_files_pattern($1, samba_var_t, samba_var_t) ') ######################################## @@ -464,7 +528,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -554,7 +618,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -564,6 +628,7 @@ ') domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) + allow $1 winbind_helper_t:process signal; ') ######################################## @@ -573,7 +638,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -644,6 +709,36 @@ ######################################## ## +## Create a set of derived types for apache +## web content. +## +## +## +## The prefix to be used for deriving type names. +## +## +# +template(`samba_helper_template',` + gen_require(` + type smbd_t; + ') + #This type is for samba helper scripts + type samba_$1_script_t; + domain_type(samba_$1_script_t) + role system_r types samba_$1_script_t; + + # This type is used for executable scripts files + type samba_$1_script_exec_t; + corecmd_shell_entry_type(samba_$1_script_t) + domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t) + + domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t) + allow smbd_t samba_$1_script_exec_t:file ioctl; + +') + +######################################## +## ## All of the rules required to administrate ## an samba environment ## @@ -664,7 +759,7 @@ type nmbd_t, nmbd_var_run_t; type smbd_t, smbd_tmp_t; type smbd_var_run_t; - type smbd_spool_t; + type samba_initrc_exec_t; type samba_log_t, samba_var_t; type samba_etc_t, samba_share_t; @@ -675,7 +770,7 @@ type winbind_var_run_t, winbind_tmp_t; type winbind_log_t; - type samba_initrc_exec_t; + type samba_unconfined_script_t, samba_unconfined_script_exec_t; ') allow $1 smbd_t:process { ptrace signal_perms }; @@ -684,6 +779,9 @@ allow $1 nmbd_t:process { ptrace signal_perms }; ps_process_pattern($1, nmbd_t) + allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t) + samba_run_smbcontrol($1, $2, $3) samba_run_winbind_helper($1, $2, $3) samba_run_smbmount($1, $2, $3) @@ -709,9 +807,6 @@ admin_pattern($1, samba_var_t) files_list_var($1) - admin_pattern($1, smbd_spool_t) - files_list_spool($1) - admin_pattern($1, smbd_var_run_t) files_list_pids($1) @@ -727,4 +822,5 @@ admin_pattern($1, winbind_tmp_t) admin_pattern($1, winbind_var_run_t) + admin_pattern($1, samba_unconfined_script_exec_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.8.8/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/samba.te 2010-08-12 16:45:59.000000000 -0400 @@ -152,9 +152,6 @@ type winbind_log_t; logging_log_file(winbind_log_t) -type winbind_tmp_t; -files_tmp_file(winbind_tmp_t) - type winbind_var_run_t; files_pid_file(winbind_var_run_t) @@ -230,7 +227,7 @@ # # smbd Local policy # -allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; +allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; @@ -279,7 +276,7 @@ manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) -files_pid_filetrans(smbd_t, smbd_var_run_t, file) +files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file }) allow smbd_t swat_t:process signal; @@ -323,6 +320,7 @@ dev_getattr_all_chr_files(smbd_t) fs_getattr_all_fs(smbd_t) +fs_getattr_all_dirs(smbd_t) fs_get_xattr_fs_quotas(smbd_t) fs_search_auto_mountpoints(smbd_t) fs_getattr_rpc_dirs(smbd_t) @@ -385,12 +383,7 @@ ') tunable_policy(`samba_enable_home_dirs',` - userdom_manage_user_home_content_dirs(smbd_t) - userdom_manage_user_home_content_files(smbd_t) - userdom_manage_user_home_content_symlinks(smbd_t) - userdom_manage_user_home_content_sockets(smbd_t) - userdom_manage_user_home_content_pipes(smbd_t) - userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file }) + userdom_manage_user_home_content(smbd_t) ') # Support Samba sharing of NFS mount points @@ -445,8 +438,8 @@ tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) - userdom_home_filetrans_user_home_dir(smbd_t) ') +userdom_home_filetrans_user_home_dir(smbd_t) tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) @@ -462,8 +455,8 @@ auth_manage_all_files_except_shadow(smbd_t) fs_read_noxattr_fs_files(nmbd_t) auth_manage_all_files_except_shadow(nmbd_t) - userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) ') +userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) ######################################## # @@ -484,8 +477,9 @@ allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +manage_dirs_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -files_pid_filetrans(nmbd_t, nmbd_var_run_t, file) +files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file }) read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) @@ -567,6 +561,7 @@ allow smbcontrol_t winbind_t:process { signal signull }; +files_search_var_lib(smbcontrol_t) samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) @@ -677,7 +672,7 @@ allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; -allow swat_t smbd_var_run_t:file { lock unlink }; +allow swat_t nmbd_var_run_t:file read_file_perms; allow swat_t smbd_port_t:tcp_socket name_bind; @@ -692,12 +687,14 @@ manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) +files_list_var_lib(swat_t) allow swat_t smbd_exec_t:file mmap_file_perms ; allow swat_t smbd_t:process signull; allow swat_t smbd_var_run_t:file read_file_perms; +allow swat_t smbd_var_run_t:file { lock unlink }; manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) @@ -710,6 +707,7 @@ domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; +read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t) allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; @@ -754,6 +752,8 @@ miscfiles_read_localization(swat_t) +userdom_dontaudit_search_admin_dir(swat_t) + optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) @@ -806,14 +806,14 @@ allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) -manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) -manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) -manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) -files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir }) +userdom_manage_user_tmp_dirs(winbind_t) +userdom_manage_user_tmp_files(winbind_t) +userdom_tmp_filetrans_user_tmp(winbind_t, { file dir }) +manage_dirs_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) -files_pid_filetrans(winbind_t, winbind_var_run_t, file) +files_pid_filetrans(winbind_t, winbind_var_run_t, { file dir }) kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) @@ -833,6 +833,7 @@ corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) +corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) @@ -922,6 +923,18 @@ # optional_policy(` + type samba_unconfined_net_t; + domain_type(samba_unconfined_net_t) + domain_entry_file(samba_unconfined_net_t, samba_net_exec_t) + role system_r types samba_unconfined_net_t; + + unconfined_domain(samba_unconfined_net_t) + + manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t) + filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file) + userdom_use_user_terminals(samba_unconfined_net_t) +') + type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) @@ -932,9 +945,12 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; +optional_policy(` unconfined_domain(samba_unconfined_script_t) +') tunable_policy(`samba_run_unconfined',` domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) - ') +',` + can_exec(smbd_t, samba_unconfined_script_exec_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.8.8/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/sasl.te 2010-07-30 14:06:53.000000000 -0400 @@ -42,13 +42,17 @@ manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t) files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file) +manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) -files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, file) +files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, { file dir }) kernel_read_kernel_sysctls(saslauthd_t) kernel_read_system_state(saslauthd_t) +#577519 +corecmd_exec_bin(saslauthd_t) + corenet_all_recvfrom_unlabeled(saslauthd_t) corenet_all_recvfrom_netlabel(saslauthd_t) corenet_tcp_sendrecv_generic_if(saslauthd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.fc serefpolicy-3.8.8/policy/modules/services/sendmail.fc --- nsaserefpolicy/policy/modules/services/sendmail.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/sendmail.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,4 +1,6 @@ +/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0) + /var/log/sendmail\.st -- gen_context(system_u:object_r:sendmail_log_t,s0) /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.8.8/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/sendmail.if 2010-07-30 14:06:53.000000000 -0400 @@ -57,6 +57,24 @@ allow sendmail_t $1:process sigchld; ') +####################################### +## +## Execute sendmail in the sendmail domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`sendmail_initrc_domtrans', ` + gen_require(` + type sendmail_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, sendmail_initrc_exec_t) +') + ######################################## ## ## Execute the sendmail program in the sendmail domain. @@ -295,3 +313,50 @@ sendmail_domtrans_unconfined($1) role $2 types unconfined_sendmail_t; ') + +######################################## +## +## All of the rules required to administrate +## an sendmail environment +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`sendmail_admin',` + gen_require(` + type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t; + type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t; + type mail_spool_t; + ') + + allow $1 sendmail_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, sendmail_t, sendmail_t) + + allow $1 unconfined_sendmail_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, unconfined_sendmail_t, unconfined_sendmail_t) + + sendmail_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 sendmail_initrc_exec_t system_r; + + logging_search_logs($1) + admin_pattern($1, sendmail_log_t) + + files_search_tmp($1) + admin_pattern($1, sendmail_tmp_t) + + files_search_pids($1) + admin_pattern($1, sendmail_var_run_t) + + files_search_spool($1) + admin_pattern($1, mail_spool_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.8.8/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/sendmail.te 2010-07-30 14:06:53.000000000 -0400 @@ -19,6 +19,9 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) +type sendmail_initrc_exec_t; +init_script_file(sendmail_initrc_exec_t) + type unconfined_sendmail_t; application_domain(unconfined_sendmail_t, sendmail_exec_t) role system_r types unconfined_sendmail_t; @@ -84,12 +87,14 @@ files_search_spool(sendmail_t) # for piping mail to a command files_read_etc_runtime_files(sendmail_t) +files_read_all_tmp_files(sendmail_t) init_use_fds(sendmail_t) init_use_script_ptys(sendmail_t) # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console init_read_utmp(sendmail_t) init_dontaudit_write_utmp(sendmail_t) +init_rw_script_tmp_files(sendmail_t) auth_use_nsswitch(sendmail_t) @@ -103,7 +108,7 @@ miscfiles_read_localization(sendmail_t) userdom_dontaudit_use_unpriv_user_fds(sendmail_t) -userdom_dontaudit_search_user_home_dirs(sendmail_t) +userdom_read_user_home_content_files(sendmail_t) mta_read_config(sendmail_t) mta_etc_filetrans_aliases(sendmail_t) @@ -149,7 +154,9 @@ ') optional_policy(` + postfix_domtrans_postdrop(sendmail_t) postfix_domtrans_master(sendmail_t) + postfix_domtrans_postqueue(sendmail_t) postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) ') @@ -168,6 +175,10 @@ ') optional_policy(` + spamd_stream_connect(sendmail_t) +') + +optional_policy(` udev_read_db(sendmail_t) ') @@ -183,5 +194,5 @@ optional_policy(` mta_etc_filetrans_aliases(unconfined_sendmail_t) - unconfined_domain(unconfined_sendmail_t) + unconfined_domain_noaudit(unconfined_sendmail_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.8.8/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/setroubleshoot.if 2010-07-30 14:06:53.000000000 -0400 @@ -105,6 +105,25 @@ ######################################## ## +## Dontaudit read/write to a setroubleshoot leaked sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`setroubleshoot_fixit_dontaudit_leaks',` + gen_require(` + type setroubleshoot_fixit_t; + ') + + dontaudit $1 setroubleshoot_fixit_t:unix_dgram_socket { read write }; + dontaudit $1 setroubleshoot_fixit_t:unix_stream_socket { read write }; +') + +######################################## +## ## All of the rules required to administrate ## an setroubleshoot environment ## @@ -117,7 +136,7 @@ # interface(`setroubleshoot_admin',` gen_require(` - type setroubleshootd_t, setroubleshoot_log_t; + type setroubleshootd_t, setroubleshoot_var_log_t; type setroubleshoot_var_lib_t, setroubleshoot_var_run_t; ') @@ -125,7 +144,7 @@ ps_process_pattern($1, setroubleshootd_t) logging_list_logs($1) - admin_pattern($1, setroubleshoot_log_t) + admin_pattern($1, setroubleshoot_var_log_t) files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.8.8/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/setroubleshoot.te 2010-07-30 14:06:53.000000000 -0400 @@ -32,6 +32,8 @@ allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; +# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run +allow setroubleshootd_t self:process { execmem execstack }; allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -49,14 +51,17 @@ logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir }) # pid file +manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) -files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file }) +files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir }) kernel_read_kernel_sysctls(setroubleshootd_t) kernel_read_system_state(setroubleshootd_t) kernel_read_net_sysctls(setroubleshootd_t) kernel_read_network_state(setroubleshootd_t) +kernel_dontaudit_list_all_proc(setroubleshootd_t) +kernel_read_unlabeled_state(setroubleshootd_t) corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) @@ -121,6 +126,10 @@ userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` + locate_read_lib_files(setroubleshootd_t) +') + +optional_policy(` dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ') @@ -152,6 +161,7 @@ corecmd_exec_shell(setroubleshoot_fixit_t) seutil_domtrans_setfiles(setroubleshoot_fixit_t) +seutil_domtrans_setsebool(setroubleshoot_fixit_t) files_read_usr_files(setroubleshoot_fixit_t) files_read_etc_files(setroubleshoot_fixit_t) @@ -164,6 +174,13 @@ miscfiles_read_localization(setroubleshoot_fixit_t) +userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t) +userdom_signull_unpriv_users(setroubleshoot_fixit_t) + +optional_policy(` + gnome_dontaudit_search_config(setroubleshoot_fixit_t) +') + optional_policy(` rpm_signull(setroubleshoot_fixit_t) rpm_read_db(setroubleshoot_fixit_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.8.8/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/smartmon.te 2010-08-05 14:48:00.000000000 -0400 @@ -82,6 +82,8 @@ storage_raw_read_fixed_disk(fsdaemon_t) storage_raw_write_fixed_disk(fsdaemon_t) storage_raw_read_removable_device(fsdaemon_t) +storage_read_scsi_generic(fsdaemon_t) +storage_write_scsi_generic(fsdaemon_t) term_dontaudit_search_ptys(fsdaemon_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.8.8/policy/modules/services/smokeping.te --- nsaserefpolicy/policy/modules/services/smokeping.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/smokeping.te 2010-07-30 14:06:53.000000000 -0400 @@ -23,6 +23,7 @@ # smokeping local policy # +dontaudit smokeping_t self:capability { dac_read_search dac_override }; allow smokeping_t self:fifo_file rw_fifo_file_perms; allow smokeping_t self:udp_socket create_socket_perms; allow smokeping_t self:unix_stream_socket create_stream_socket_perms; @@ -44,6 +45,7 @@ files_search_tmp(smokeping_t) auth_use_nsswitch(smokeping_t) +auth_dontaudit_read_shadow(smokeping_t) logging_send_syslog_msg(smokeping_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.8.8/policy/modules/services/snmp.fc --- nsaserefpolicy/policy/modules/services/snmp.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/snmp.fc 2010-07-30 14:06:53.000000000 -0400 @@ -18,7 +18,7 @@ /var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0) -/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) +/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) /var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.8.8/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/snmp.te 2010-07-30 14:06:53.000000000 -0400 @@ -24,7 +24,7 @@ # # Local policy # -allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; +allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config }; dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; @@ -43,8 +43,9 @@ files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file }) files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file) +manage_dirs_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) -files_pid_filetrans(snmpd_t, snmpd_var_run_t, file) +files_pid_filetrans(snmpd_t, snmpd_var_run_t, { file dir }) kernel_read_device_sysctls(snmpd_t) kernel_read_kernel_sysctls(snmpd_t) @@ -97,6 +98,7 @@ storage_dontaudit_read_fixed_disk(snmpd_t) storage_dontaudit_read_removable_device(snmpd_t) +storage_dontaudit_write_removable_device(snmpd_t) auth_use_nsswitch(snmpd_t) auth_read_all_dirs_except_shadow(snmpd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.8.8/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/snort.te 2010-07-30 14:06:53.000000000 -0400 @@ -61,6 +61,7 @@ kernel_read_proc_symlinks(snort_t) kernel_request_load_module(snort_t) kernel_dontaudit_read_system_state(snort_t) +kernel_read_network_state(snort_t) corenet_all_recvfrom_unlabeled(snort_t) corenet_all_recvfrom_netlabel(snort_t) @@ -77,6 +78,7 @@ dev_read_sysfs(snort_t) dev_read_rand(snort_t) dev_read_urand(snort_t) +dev_read_usbmon_dev(snort_t) # Red Hat bug 559861: Snort wants read, write, and ioctl on /dev/usbmon # Snort uses libpcap, which can also monitor USB traffic. Maybe this is a side effect? dev_rw_generic_usb_dev(snort_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.8.8/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/spamassassin.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,15 +1,26 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) + +/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) -/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) +/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0) /usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) /usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) +/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0) + +/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0) +/var/log/mimedefang -- gen_context(system_u:object_r:spamd_log_t,s0) /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.8.8/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/spamassassin.if 2010-07-30 14:06:53.000000000 -0400 @@ -64,7 +64,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -111,6 +111,45 @@ ') domtrans_pattern($1, spamc_exec_t, spamc_t) + allow $1 spamc_exec_t:file ioctl; +') + +######################################## +## +## Send kill signal to spamassassin client +## +## +## +## Domain allowed access. +## +## +# +interface(`spamassassin_kill_client',` + gen_require(` + type spamc_t; + ') + + allow $1 spamc_t:process sigkill; +') + +######################################## +## +## Manage spamc home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`spamassassin_manage_home_client',` + gen_require(` + type spamc_home_t; + ') + + manage_dirs_pattern($1, spamc_home_t, spamc_home_t) + manage_files_pattern($1, spamc_home_t, spamc_home_t) + manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t) ') ######################################## @@ -166,7 +205,9 @@ ') files_search_var_lib($1) + list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t) read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) + read_lnk_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) ') ######################################## @@ -195,7 +236,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -225,3 +266,69 @@ dontaudit $1 spamd_tmp_t:sock_file getattr; ') + +######################################## +## +## Connect to run spamd. +## +## +## +## Domain allowed to connect. +## +## +# +interface(`spamd_stream_connect',` + gen_require(` + type spamd_t, spamd_var_run_t, spamd_spool_t; + ') + + stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) +') + +######################################## +## +## All of the rules required to administrate +## an spamassassin environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the spamassassin domain. +## +## +## +# +interface(`spamassassin_spamd_admin',` + gen_require(` + type spamd_t, spamd_tmp_t, spamd_log_t; + type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t; + type spamd_initrc_exec_t; + ') + + allow $1 spamd_t:process { ptrace signal_perms }; + ps_process_pattern($1, spamd_t) + + init_labeled_script_domtrans($1, spamd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 spamd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, spamd_tmp_t) + + logging_list_logs($1) + admin_pattern($1, spamd_log_t) + + files_list_spool($1) + admin_pattern($1, spamd_spool_t) + + files_list_var_lib($1) + admin_pattern($1, spamd_var_lib_t) + + files_list_pids($1) + admin_pattern($1, spamd_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.8.8/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/spamassassin.te 2010-07-30 14:06:53.000000000 -0400 @@ -19,6 +19,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) +ifdef(`distro_redhat',` +# spamassassin client executable +type spamc_t; +type spamc_exec_t; +application_domain(spamc_t, spamc_exec_t) +role system_r types spamc_t; + +type spamd_etc_t; +files_config_file(spamd_etc_t) + +typealias spamc_exec_t alias spamassassin_exec_t; +typealias spamc_t alias spamassassin_t; + +type spamc_home_t; +userdom_user_home_content(spamc_home_t) +typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; +typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; +typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t }; +typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t }; + +type spamc_tmp_t; +files_tmp_file(spamc_tmp_t) +typealias spamc_tmp_t alias spamassassin_tmp_t; +typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; +typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; + +typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; +typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; +', ` type spamassassin_t; type spamassassin_exec_t; typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; @@ -30,6 +59,7 @@ typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; userdom_user_home_content(spamassassin_home_t) +files_poly_member(spamassassin_home_t) type spamassassin_tmp_t; typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; @@ -49,10 +79,21 @@ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; files_tmp_file(spamc_tmp_t) ubac_constrained(spamc_tmp_t) +') type spamd_t; type spamd_exec_t; init_daemon_domain(spamd_t, spamd_exec_t) +can_exec(spamd_t, spamd_exec_t) + +type spamd_compiled_t; +files_type(spamd_compiled_t) + +type spamd_initrc_exec_t; +init_script_file(spamd_initrc_exec_t) + +type spamd_log_t; +logging_log_file(spamd_log_t) type spamd_spool_t; files_type(spamd_spool_t) @@ -108,6 +149,7 @@ dev_read_urand(spamassassin_t) fs_search_auto_mountpoints(spamassassin_t) +fs_getattr_all_fs(spamassassin_t) # this should probably be removed corecmd_list_bin(spamassassin_t) @@ -148,6 +190,9 @@ corenet_udp_sendrecv_all_ports(spamassassin_t) corenet_tcp_connect_all_ports(spamassassin_t) corenet_sendrecv_all_client_packets(spamassassin_t) + corenet_udp_bind_generic_node(spamassassin_t) + corenet_udp_bind_generic_port(spamassassin_t) + corenet_dontaudit_udp_bind_all_ports(spamassassin_t) sysnet_read_config(spamassassin_t) ') @@ -184,6 +229,8 @@ optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) + sendmail_dontaudit_rw_unix_stream_sockets(spamassassin_t) + sendmail_dontaudit_rw_tcp_sockets(spamassassin_t) ') ######################################## @@ -205,16 +252,33 @@ allow spamc_t self:unix_stream_socket connectto; allow spamc_t self:tcp_socket create_stream_socket_perms; allow spamc_t self:udp_socket create_socket_perms; +corenet_all_recvfrom_unlabeled(spamc_t) +corenet_all_recvfrom_netlabel(spamc_t) +corenet_tcp_sendrecv_generic_if(spamc_t) +corenet_tcp_sendrecv_generic_node(spamc_t) +corenet_tcp_connect_spamd_port(spamc_t) + +can_exec(spamc_t, spamc_exec_t) manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) +manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t) +manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t) +manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t) +manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t) +manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t) +userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file }) +userdom_append_user_home_content_files(spamc_t) + # Allow connecting to a local spamd allow spamc_t spamd_t:unix_stream_socket connectto; allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; +spamd_stream_connect(spamc_t) kernel_read_kernel_sysctls(spamc_t) +kernel_read_system_state(spamc_t) corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) @@ -244,9 +308,16 @@ files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) +files_list_var_lib(spamc_t) +list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) +read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) + +fs_search_auto_mountpoints(spamc_t) logging_send_syslog_msg(spamc_t) +auth_use_nsswitch(spamc_t) + miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: @@ -254,27 +325,40 @@ sysnet_read_config(spamc_t) +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(spamc_t) + fs_manage_nfs_files(spamc_t) + fs_manage_nfs_symlinks(spamc_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(spamc_t) + fs_manage_cifs_files(spamc_t) + fs_manage_cifs_symlinks(spamc_t) +') + optional_policy(` # Allow connection to spamd socket above evolution_stream_connect(spamc_t) ') optional_policy(` - # Needed for pyzor/razor called from spamd milter_manage_spamass_state(spamc_t) ') optional_policy(` - nis_use_ypbind(spamc_t) -') - -optional_policy(` - nscd_socket_use(spamc_t) + postfix_domtrans_postdrop(spamc_t) + postfix_search_spool(spamc_t) + postfix_rw_local_pipes(spamc_t) ') optional_policy(` + mta_send_mail(spamc_t) mta_read_config(spamc_t) + mta_read_queue(spamc_t) sendmail_stub(spamc_t) + sendmail_rw_pipes(spamc_t) + sendmail_dontaudit_rw_tcp_sockets(spamc_t) ') ######################################## @@ -286,7 +370,7 @@ # setuids to the user running spamc. Comment this if you are not # using this ability. -allow spamd_t self:capability { setuid setgid dac_override sys_tty_config }; +allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config }; dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; @@ -302,10 +386,17 @@ allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; -allow spamd_t self:netlink_route_socket r_netlink_socket_perms; + +can_exec(spamd_t, spamd_compiled_t) +manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) +manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) + +manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t) +logging_log_filetrans(spamd_t, spamd_log_t, file) manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) +manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) @@ -314,11 +405,13 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; -read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) +manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) +manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) -files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) +manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) @@ -367,22 +460,27 @@ init_dontaudit_rw_utmp(spamd_t) +auth_use_nsswitch(spamd_t) + logging_send_syslog_msg(spamd_t) miscfiles_read_localization(spamd_t) -sysnet_read_config(spamd_t) -sysnet_use_ldap(spamd_t) -sysnet_dns_name_resolve(spamd_t) - userdom_use_unpriv_users_fds(spamd_t) userdom_search_user_home_dirs(spamd_t) +optional_policy(` + exim_manage_spool_dirs(spamd_t) + exim_manage_spool_files(spamd_t) +') + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(spamd_t) fs_manage_nfs_files(spamd_t) ') tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(spamd_t) fs_manage_cifs_files(spamd_t) ') @@ -399,7 +497,9 @@ ') optional_policy(` + dcc_domtrans_cdcc(spamd_t) dcc_domtrans_client(spamd_t) + dcc_signal_client(spamd_t) dcc_stream_connect_dccifd(spamd_t) ') @@ -416,10 +516,6 @@ ') optional_policy(` - nis_use_ypbind(spamd_t) -') - -optional_policy(` postfix_read_config(spamd_t) ') @@ -437,6 +533,10 @@ optional_policy(` razor_domtrans(spamd_t) + razor_read_lib_files(spamd_t) + tunable_policy(`spamd_enable_home_dirs',` + razor_manage_user_home_files(spamd_t) + ') ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.8.8/policy/modules/services/squid.if --- nsaserefpolicy/policy/modules/services/squid.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/squid.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -25,7 +25,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.8.8/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ssh.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,4 +1,9 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) + +/var/lib/gitolite/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) + +/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0) /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) @@ -14,3 +19,7 @@ /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) +/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) + +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) +/root/\.shosts gen_context(system_u:object_r:home_ssh_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.8.8/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ssh.if 2010-07-30 14:06:53.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; type ssh_exec_t, sshd_key_t, sshd_tmp_t; + type ssh_home_t; ') ############################## @@ -47,10 +48,6 @@ application_domain($1_ssh_t, ssh_exec_t) role $3 types $1_ssh_t; - type $1_ssh_home_t; - files_type($1_ssh_home_t) - typealias $1_ssh_home_t alias $1_home_ssh_t; - ############################## # # Client local policy @@ -93,18 +90,18 @@ ps_process_pattern($2, $1_ssh_t) # user can manage the keys and config - manage_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) - manage_lnk_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) - manage_sock_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) + manage_files_pattern($2, ssh_home_t, ssh_home_t) + manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t) + manage_sock_files_pattern($2, ssh_home_t, ssh_home_t) # ssh client can manage the keys and config - manage_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t) - read_lnk_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t) + manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t) + read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t) # ssh servers can read the user keys and config - allow ssh_server $1_ssh_home_t:dir list_dir_perms; - read_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t) - read_lnk_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t) + allow ssh_server ssh_home_t:dir list_dir_perms; + read_files_pattern(ssh_server, ssh_home_t, ssh_home_t) + read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t) kernel_read_kernel_sysctls($1_ssh_t) kernel_read_system_state($1_ssh_t) @@ -116,6 +113,8 @@ corenet_tcp_sendrecv_all_ports($1_ssh_t) corenet_tcp_connect_ssh_port($1_ssh_t) corenet_sendrecv_ssh_client_packets($1_ssh_t) + corenet_tcp_bind_generic_node($1_ssh_t) + corenet_tcp_bind_all_unreserved_ports($1_ssh_t) dev_read_urand($1_ssh_t) @@ -181,9 +180,9 @@ type $1_var_run_t; files_pid_file($1_var_run_t) - allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; + allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate }; + allow $1_t self:process { signal getsched setsched setrlimit setexec }; allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; # ssh agent connections: @@ -206,6 +205,7 @@ kernel_read_kernel_sysctls($1_t) kernel_read_network_state($1_t) + kernel_request_load_module(ssh_t) corenet_all_recvfrom_unlabeled($1_t) corenet_all_recvfrom_netlabel($1_t) @@ -220,8 +220,11 @@ corenet_tcp_bind_generic_node($1_t) corenet_udp_bind_generic_node($1_t) corenet_tcp_bind_ssh_port($1_t) - corenet_tcp_connect_all_ports($1_t) corenet_sendrecv_ssh_server_packets($1_t) + # -R qualifier + corenet_sendrecv_ssh_server_packets($1_t) + # tunnel feature and -w (net_admin capability also) + corenet_rw_tun_tap_dev($1_t) fs_dontaudit_getattr_all_fs($1_t) @@ -234,6 +237,7 @@ corecmd_getattr_bin_files($1_t) domain_interactive_fd($1_t) + domain_dyntrans_type($1_t) files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) @@ -243,9 +247,9 @@ miscfiles_read_localization($1_t) - userdom_create_all_users_keys($1_t) userdom_dontaudit_relabelfrom_user_ptys($1_t) userdom_search_user_home_dirs($1_t) + userdom_read_user_home_content_files($1_t) # Allow checking users mail at login mta_getattr_spool($1_t) @@ -268,6 +272,14 @@ files_read_var_lib_symlinks($1_t) nx_spec_domtrans_server($1_t) ') + + optional_policy(` + rlogin_read_home_content($1_t) + ') + + optional_policy(` + shutdown_getattr_exec_files($1_t) + ') ') ######################################## @@ -338,6 +350,7 @@ manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) userdom_search_user_home_dirs($1_t) + userdom_manage_tmp_role($2, ssh_t) ############################## # @@ -584,6 +597,25 @@ domtrans_pattern($1, sshd_exec_t, sshd_t) ') + +######################################## +## +## Execute sshd server in the sshd domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_initrc_domtrans',` + gen_require(` + type sshd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, sshd_initrc_exec_t) +') + ######################################## ## ## Execute the ssh client in the caller domain. @@ -735,3 +767,22 @@ files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') + +######################################## +## +## Send a null signal to sshd processes. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_signull',` + gen_require(` + type sshd_t; + ') + + allow $1 sshd_t:process signull; +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.8.8/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ssh.te 2010-07-30 14:06:53.000000000 -0400 @@ -19,6 +19,13 @@ ## gen_tunable(ssh_sysadm_login, false) +## +##

+## allow sshd to forward port connections +##

+## +gen_tunable(sshd_forward_ports, false) + attribute ssh_server; attribute ssh_agent_type; @@ -33,13 +40,12 @@ ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) +type sshd_initrc_exec_t; +init_script_file(sshd_initrc_exec_t) + type sshd_key_t; files_type(sshd_key_t) -type sshd_tmp_t; -files_tmp_file(sshd_tmp_t) -files_poly_parent(sshd_tmp_t) - ifdef(`enable_mcs',` init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) ') @@ -99,11 +105,6 @@ # Read the ssh key file. allow ssh_t sshd_key_t:file read_file_perms; -# Access the ssh temporary files. -allow ssh_t sshd_tmp_t:dir manage_dir_perms; -allow ssh_t sshd_tmp_t:file manage_file_perms; -files_tmp_filetrans(ssh_t, sshd_tmp_t, { file dir }) - manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) @@ -113,6 +114,7 @@ manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) +userdom_stream_connect(ssh_t) # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) @@ -124,9 +126,10 @@ read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t) # ssh servers can read the user keys and config -allow ssh_server ssh_home_t:dir list_dir_perms; -read_files_pattern(ssh_server, ssh_home_t, ssh_home_t) -read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t) +manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t) +manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t) +userdom_user_home_dir_filetrans(ssh_server, ssh_home_t, dir) +userdom_admin_home_dir_filetrans(ssh_server, ssh_home_t, dir) kernel_read_kernel_sysctls(ssh_t) kernel_read_system_state(ssh_t) @@ -138,6 +141,8 @@ corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) +corenet_tcp_bind_generic_node(ssh_t) +corenet_tcp_bind_all_unreserved_ports(ssh_t) dev_read_urand(ssh_t) @@ -169,8 +174,10 @@ userdom_search_user_home_dirs(ssh_t) # Write to the user domain tty. userdom_use_user_terminals(ssh_t) -# needs to read krb tgt +# needs to read krb/write tgt userdom_read_user_tmp_files(ssh_t) +userdom_write_user_tmp_files(ssh_t) +userdom_read_user_home_content_symlinks(ssh_t) tunable_policy(`allow_ssh_keysign',` domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) @@ -200,6 +207,54 @@ xserver_domtrans_xauth(ssh_t) ') +######################################## +# +# ssh_keygen local policy +# + +# ssh_keygen_t is the type of the ssh-keygen program when run at install time +# and by sysadm_t + +dontaudit ssh_keygen_t self:capability sys_tty_config; +allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; + +allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; + +allow ssh_keygen_t sshd_key_t:file manage_file_perms; +files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) + +kernel_read_kernel_sysctls(ssh_keygen_t) + +fs_search_auto_mountpoints(ssh_keygen_t) + +dev_read_sysfs(ssh_keygen_t) +dev_read_urand(ssh_keygen_t) + +term_dontaudit_use_console(ssh_keygen_t) + +domain_use_interactive_fds(ssh_keygen_t) + +files_read_etc_files(ssh_keygen_t) + +init_use_fds(ssh_keygen_t) +init_use_script_ptys(ssh_keygen_t) + +logging_send_syslog_msg(ssh_keygen_t) + +userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) + +optional_policy(` + nscd_socket_use(ssh_keygen_t) +') + +optional_policy(` + seutil_sigchld_newrole(ssh_keygen_t) +') + +optional_policy(` + udev_read_db(ssh_keygen_t) +') + ############################## # # ssh_keysign_t local policy @@ -233,44 +288,65 @@ allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; -manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) -manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) -manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) -files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file }) +allow sshd_t self:process setcurrent; kernel_search_key(sshd_t) kernel_link_key(sshd_t) term_use_all_ptys(sshd_t) term_setattr_all_ptys(sshd_t) +term_setattr_all_ttys(sshd_t) term_relabelto_all_ptys(sshd_t) +term_use_ptmx(sshd_t) # for X forwarding corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) +tunable_policy(`sshd_forward_ports', ` + corenet_tcp_bind_all_unreserved_ports(sshd_t) + corenet_tcp_connect_all_ports(sshd_t) +') + +userdom_read_user_home_content_files(sshd_t) +userdom_read_user_home_content_symlinks(sshd_t) +userdom_search_admin_dir(sshd_t) +userdom_manage_tmp_role(system_r, sshd_t) + tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to # display the tty. # some versions of sshd on the new SE Linux require setattr - userdom_spec_domtrans_all_users(sshd_t) userdom_signal_all_users(sshd_t) -',` - userdom_spec_domtrans_unpriv_users(sshd_t) - userdom_signal_unpriv_users(sshd_t) ') +userdom_spec_domtrans_unpriv_users(sshd_t) +userdom_signal_unpriv_users(sshd_t) + optional_policy(` daemontools_service_domain(sshd_t, sshd_exec_t) ') optional_policy(` + kerberos_keytab_template(sshd, sshd_t) +') + +optional_policy(` + ftp_dyntrans_sftpd(sshd_t) + ftp_dyntrans_anon_sftpd(sshd_t) +') + +optional_policy(` + gitosis_manage_lib_files(sshd_t) +') + +optional_policy(` inetd_tcp_service_domain(sshd_t, sshd_exec_t) ') optional_policy(` - kerberos_keytab_template(sshd, sshd_t) + nx_read_home_files(sshd_t) ') optional_policy(` @@ -284,6 +360,11 @@ ') optional_policy(` + usermanage_domtrans_passwd(sshd_t) + usermanage_read_crack_db(sshd_t) +') + +optional_policy(` unconfined_shell_domtrans(sshd_t) ') @@ -353,10 +434,6 @@ userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) optional_policy(` - nscd_socket_use(ssh_keygen_t) -') - -optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.8.8/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/sssd.te 2010-08-18 07:03:35.000000000 -0400 @@ -28,9 +28,10 @@ # # sssd local policy # -allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid }; +allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid }; allow sssd_t self:process { setfscreate setsched sigkill signal getsched }; allow sssd_t self:fifo_file rw_file_perms; +allow sssd_t self:key manage_key_perms; allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) @@ -48,6 +49,7 @@ manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) +kernel_read_network_state(sssd_t) kernel_read_system_state(sssd_t) corecmd_exec_bin(sssd_t) @@ -80,6 +82,8 @@ miscfiles_read_localization(sssd_t) +userdom_manage_tmp_role(system_r, sssd_t) + optional_policy(` dbus_system_bus_client(sssd_t) dbus_connect_system_bus(sssd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.8.8/policy/modules/services/stunnel.te --- nsaserefpolicy/policy/modules/services/stunnel.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/stunnel.te 2010-07-30 14:06:53.000000000 -0400 @@ -46,8 +46,9 @@ manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir }) +manage_dirs_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t) manage_files_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t) -files_pid_filetrans(stunnel_t, stunnel_var_run_t, file) +files_pid_filetrans(stunnel_t, stunnel_var_run_t, { file dir }) kernel_read_kernel_sysctls(stunnel_t) kernel_read_system_state(stunnel_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.8.8/policy/modules/services/sysstat.te --- nsaserefpolicy/policy/modules/services/sysstat.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/sysstat.te 2010-07-30 14:06:53.000000000 -0400 @@ -18,8 +18,7 @@ # Local policy # -allow sysstat_t self:capability { dac_override sys_resource sys_tty_config }; -dontaudit sysstat_t self:capability sys_admin; +allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config }; allow sysstat_t self:fifo_file rw_fifo_file_perms; can_exec(sysstat_t, sysstat_exec_t) @@ -68,3 +67,8 @@ optional_policy(` logging_send_syslog_msg(sysstat_t) ') + +optional_policy(` + nscd_socket_use(sysstat_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tcpd.if serefpolicy-3.8.8/policy/modules/services/tcpd.if --- nsaserefpolicy/policy/modules/services/tcpd.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/tcpd.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.8.8/policy/modules/services/telnet.te --- nsaserefpolicy/policy/modules/services/telnet.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/telnet.te 2010-07-30 14:06:53.000000000 -0400 @@ -38,7 +38,6 @@ manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) -files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir }) manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t) files_pid_filetrans(telnetd_t, telnetd_var_run_t, file) @@ -85,6 +84,8 @@ userdom_search_user_home_dirs(telnetd_t) userdom_setattr_user_ptys(telnetd_t) +userdom_manage_user_tmp_files(telnetd_t) +userdom_tmp_filetrans_user_tmp(telnetd_t, file) optional_policy(` kerberos_keytab_template(telnetd, telnetd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.8.8/policy/modules/services/tftp.if --- nsaserefpolicy/policy/modules/services/tftp.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/tftp.if 2010-07-30 14:06:53.000000000 -0400 @@ -16,6 +16,26 @@ ') read_files_pattern($1, tftpdir_t, tftpdir_t) + read_lnk_files_pattern($1, tftpdir_t, tftpdir_t) +') + +######################################## +## +## Search tftp /var/lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`tftp_search_rw_content',` + gen_require(` + type tftpdir_rw_t; + ') + + search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) + files_search_var_lib($1) ') ######################################## @@ -40,6 +60,36 @@ ######################################## ## +## Create objects in tftpdir directories +## with specified types. +## +## +## +## Domain allowed access. +## +## +## +## +## Private file type. +## +## +## +## +## Class of the object being created. +## +## +# +interface(`tftp_filetrans_tftpdir',` + gen_require(` + type tftpdir_rw_t; + ') + + filetrans_pattern($1, tftpdir_rw_t, $2, $3) + files_search_var_lib($1) +') + +######################################## +## ## All of the rules required to administrate ## an tftp environment ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.8.8/policy/modules/services/tftp.te --- nsaserefpolicy/policy/modules/services/tftp.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/tftp.te 2010-07-30 14:06:53.000000000 -0400 @@ -94,6 +94,10 @@ ') optional_policy(` + cobbler_read_content(tftpd_t) +') + +optional_policy(` inetd_udp_service_domain(tftpd_t, tftpd_exec_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.8.8/policy/modules/services/tgtd.te --- nsaserefpolicy/policy/modules/services/tgtd.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/tgtd.te 2010-07-30 14:06:53.000000000 -0400 @@ -59,8 +59,12 @@ files_read_etc_files(tgtd_t) +fs_read_anon_inodefs_files(tgtd_t) + storage_manage_fixed_disk(tgtd_t) logging_send_syslog_msg(tgtd_t) miscfiles_read_localization(tgtd_t) + +iscsi_manage_semaphores(tgtd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.8.8/policy/modules/services/tor.te --- nsaserefpolicy/policy/modules/services/tor.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/tor.te 2010-08-18 07:42:58.000000000 -0400 @@ -67,9 +67,10 @@ logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir }) # pid file +manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t) manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) -files_pid_filetrans(tor_t, tor_var_run_t, { file sock_file }) +files_pid_filetrans(tor_t, tor_var_run_t, { file sock_file dir }) kernel_read_system_state(tor_t) @@ -88,6 +89,7 @@ corenet_sendrecv_all_client_packets(tor_t) # ... especially including port 80 and other privileged ports corenet_tcp_connect_all_reserved_ports(tor_t) +corenet_udp_bind_dns_port(tor_t) # tor uses crypto and needs random dev_read_urand(tor_t) @@ -100,6 +102,8 @@ auth_use_nsswitch(tor_t) +logging_send_syslog_msg(tor_t) + miscfiles_read_localization(tor_t) tunable_policy(`tor_bind_all_unreserved_ports', ` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.if serefpolicy-3.8.8/policy/modules/services/tuned.if --- nsaserefpolicy/policy/modules/services/tuned.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/tuned.if 2010-07-30 14:06:53.000000000 -0400 @@ -81,7 +81,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.8.8/policy/modules/services/tuned.te --- nsaserefpolicy/policy/modules/services/tuned.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/tuned.te 2010-07-30 14:06:53.000000000 -0400 @@ -24,6 +24,7 @@ # dontaudit tuned_t self:capability { dac_override sys_tty_config }; +allow tuned_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t) @@ -58,6 +59,10 @@ fstools_domtrans(tuned_t) ') +optional_policy(` + gnome_dontaudit_search_config(tuned_t) +') + # to allow network interface tuning optional_policy(` sysnet_domtrans_ifconfig(tuned_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.8.8/policy/modules/services/ucspitcp.te --- nsaserefpolicy/policy/modules/services/ucspitcp.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ucspitcp.te 2010-07-30 14:06:53.000000000 -0400 @@ -91,3 +91,8 @@ daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t) daemontools_read_svc(ucspitcp_t) ') + +optional_policy(` + daemontools_sigchld_run(ucspitcp_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.8.8/policy/modules/services/ulogd.te --- nsaserefpolicy/policy/modules/services/ulogd.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/ulogd.te 2010-08-17 06:53:12.000000000 -0400 @@ -31,6 +31,7 @@ allow ulogd_t self:capability net_admin; allow ulogd_t self:netlink_nflog_socket create_socket_perms; +allow ulogd_t self:netlink_route_socket r_netlink_socket_perms; # config files read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) @@ -43,6 +44,15 @@ manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) -files_search_etc(ulogd_t) +files_read_etc_files(ulogd_t) +files_read_usr_files(ulogd_t) miscfiles_read_localization(ulogd_t) + +optional_policy(` + mysql_stream_connect(ulogd_t) +') + +optional_policy(` + postgresql_stream_connect(ulogd_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.8.8/policy/modules/services/usbmuxd.fc --- nsaserefpolicy/policy/modules/services/usbmuxd.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/usbmuxd.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,3 +1,3 @@ /usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) -/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0) +/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.8.8/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/uucp.te 2010-08-04 13:17:33.000000000 -0400 @@ -83,6 +83,7 @@ corenet_udp_sendrecv_generic_node(uucpd_t) corenet_tcp_sendrecv_all_ports(uucpd_t) corenet_udp_sendrecv_all_ports(uucpd_t) +corenet_tcp_connect_ssh_port(uucpd_t) dev_read_urand(uucpd_t) @@ -113,6 +114,10 @@ kerberos_use(uucpd_t) ') +optional_policy(` + ssh_exec(uucpd_t) +') + ######################################## # # UUX Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.8.8/policy/modules/services/varnishd.if --- nsaserefpolicy/policy/modules/services/varnishd.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/varnishd.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -25,7 +25,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -56,6 +56,25 @@ read_files_pattern($1, varnishd_etc_t, varnishd_etc_t) ') +##################################### +## +## Read varnish lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`varnishd_read_lib_files',` + gen_require(` + type varnishd_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t) +') + ####################################### ## ## Read varnish logs. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.te serefpolicy-3.8.8/policy/modules/services/varnishd.te --- nsaserefpolicy/policy/modules/services/varnishd.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/varnishd.te 2010-07-30 14:55:56.000000000 -0400 @@ -50,7 +50,8 @@ # varnishd local policy # -allow varnishd_t self:capability { dac_override ipc_lock setuid setgid }; +allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; +dontaudit varnishd_t self:capability sys_tty_config; allow varnishd_t self:process signal; allow varnishd_t self:fifo_file rw_fifo_file_perms; allow varnishd_t self:tcp_socket create_stream_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.8.8/policy/modules/services/vhostmd.if --- nsaserefpolicy/policy/modules/services/vhostmd.if 2010-07-27 16:12:33.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/vhostmd.if 2010-07-30 14:06:53.000000000 -0400 @@ -24,7 +24,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -42,7 +42,7 @@ ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # @@ -209,7 +209,7 @@ type vhostmd_t, vhostmd_initrc_exec_t; ') - allow $1 vhostmd_t:process { ptrace signal_perms getattr }; + allow $1 vhostmd_t:process { ptrace signal_perms }; ps_process_pattern($1, vhostmd_t) vhostmd_initrc_domtrans($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.8.8/policy/modules/services/vhostmd.te --- nsaserefpolicy/policy/modules/services/vhostmd.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/vhostmd.te 2010-08-10 07:10:27.000000000 -0400 @@ -44,6 +44,8 @@ corenet_tcp_connect_soundd_port(vhostmd_t) +# 579803 +files_list_tmp(vhostmd_t) files_read_etc_files(vhostmd_t) files_read_usr_files(vhostmd_t) @@ -66,6 +68,7 @@ optional_policy(` virt_stream_connect(vhostmd_t) + virt_write_content(vhostmd_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.8.8/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/virt.fc 2010-08-13 13:57:22.000000000 -0400 @@ -13,17 +13,19 @@ /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) -/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) +/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) /var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) /var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) +/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.8.8/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/virt.if 2010-08-10 07:08:50.000000000 -0400 @@ -21,6 +21,7 @@ type $1_t, virt_domain; domain_type($1_t) domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) role system_r types $1_t; type $1_devpts_t; @@ -35,17 +36,18 @@ type $1_image_t, virt_image_type; files_type($1_image_t) dev_node($1_image_t) - - type $1_var_run_t; - files_pid_file($1_var_run_t) + dev_associate_sysfs($1_image_t) allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; term_create_pty($1_t, $1_devpts_t) manage_dirs_pattern($1_t, $1_image_t, $1_image_t) manage_files_pattern($1_t, $1_image_t, $1_image_t) + manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t) read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) + rw_chr_files_pattern($1_t, $1_image_t, $1_image_t) rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) + fs_hugetlbfs_filetrans($1_t, $1_image_t, file) manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) @@ -57,18 +59,6 @@ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) - stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain) - manage_dirs_pattern(virtd_t, $1_var_run_t, $1_var_run_t) - manage_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t) - manage_sock_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t) - - manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - files_pid_filetrans($1_t, $1_var_run_t, { dir file }) - stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t) - optional_policy(` xserver_rw_shm($1_t) ') @@ -171,6 +161,7 @@ files_search_etc($1) read_files_pattern($1, virt_etc_t, virt_etc_t) read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) ') ######################################## @@ -192,6 +183,7 @@ files_search_etc($1) manage_files_pattern($1, virt_etc_t, virt_etc_t) manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) ') ######################################## @@ -231,6 +223,24 @@ ######################################## ## +## Allow domain to write virt image files +## +## +## +## Domain to not audit. +## +## +# +interface(`virt_write_content',` + gen_require(` + type virt_content_t; + ') + + allow $1 virt_content_t:file write_file_perms; +') + +######################################## +## ## Read virt PID files. ## ## @@ -308,6 +318,24 @@ ######################################## ## +## Dontaudit inherited read virt lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_dontaudit_read_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + dontaudit $1 virt_var_lib_t:file read_inherited_file_perms; +') + +######################################## +## ## Create, read, write, and delete ## virt lib files. ## @@ -433,15 +461,15 @@ ## ## # -interface(`virt_manage_svirt_cache',` +interface(`virt_manage_cache',` gen_require(` - type svirt_cache_t; + type virt_cache_t; ') files_search_var($1) - manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t) - manage_files_pattern($1, svirt_cache_t, svirt_cache_t) - manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t) + manage_dirs_pattern($1, virt_cache_t, virt_cache_t) + manage_files_pattern($1, virt_cache_t, virt_cache_t) + manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) ') ######################################## @@ -516,3 +544,51 @@ virt_manage_log($1) ') + +######################################## +## +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the sandbox domain. +## +## +# +interface(`virt_transition_svirt',` + gen_require(` + type svirt_t; + ') + + allow $1 svirt_t:process transition; + role $2 types svirt_t; + + optional_policy(` + ptchown_run(svirt_t, $2) + ') +') + +######################################## +## +## Do not audit attempts to write virt daemon unnamed pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_dontaudit_write_pipes',` + gen_require(` + type virtd_t; + ') + + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.8.8/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/virt.te 2010-08-10 05:23:35.000000000 -0400 @@ -4,6 +4,7 @@ # # Declarations # +attribute virsh_transition_domain; ## ##

@@ -50,12 +51,12 @@ virt_domain_template(svirt) role system_r types svirt_t; -type svirt_cache_t; -files_type(svirt_cache_t) - attribute virt_domain; attribute virt_image_type; +type virt_cache_t alias svirt_cache_t; +files_type(virt_cache_t) + type virt_etc_t; files_config_file(virt_etc_t) @@ -65,20 +66,25 @@ # virt Image files type virt_image_t; # customizable virt_image(virt_image_t) +files_mountpoint(virt_image_t) # virt Image files type virt_content_t; # customizable virt_image(virt_content_t) userdom_user_home_content(virt_content_t) +type virt_tmp_t; +files_tmp_file(virt_tmp_t) + type virt_log_t; logging_log_file(virt_log_t) +mls_trusted_object(virt_log_t) type virt_var_run_t; files_pid_file(virt_var_run_t) type virt_var_lib_t; -files_type(virt_var_lib_t) +files_mountpoint(virt_var_lib_t) type virtd_t; type virtd_exec_t; @@ -89,6 +95,11 @@ type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) +type qemu_var_run_t; +typealias qemu_var_run_t alias svirt_var_run_t; +files_pid_file(qemu_var_run_t) +mls_trusted_object(qemu_var_run_t) + ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') @@ -104,15 +115,12 @@ allow svirt_t self:udp_socket create_socket_perms; -manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t) -manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t) -files_var_filetrans(svirt_t, svirt_cache_t, { file dir }) - read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t) allow svirt_t svirt_image_t:dir search_dir_perms; manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) +manage_fifo_files_pattern(svirt_t, svirt_image_t, svirt_image_t) fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) @@ -147,11 +155,15 @@ tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) + fs_manage_nfs_named_sockets(svirt_t) + fs_read_nfs_symlinks(svirt_t) ') tunable_policy(`virt_use_samba',` fs_manage_cifs_dirs(svirt_t) fs_manage_cifs_files(svirt_t) + fs_manage_cifs_named_sockets(svirt_t) + fs_read_cifs_symlinks(virtd_t) ') tunable_policy(`virt_use_sysfs',` @@ -160,6 +172,7 @@ tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) + dev_read_sysfs(svirt_t) fs_manage_dos_dirs(svirt_t) fs_manage_dos_files(svirt_t) ') @@ -168,28 +181,39 @@ xen_rw_image_files(svirt_t) ') +optional_policy(` + xen_rw_image_files(svirt_t) +') + ######################################## # # virtd local policy # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; allow virtd_t self:fifo_file rw_fifo_file_perms; allow virtd_t self:unix_stream_socket create_stream_socket_perms; allow virtd_t self:tcp_socket create_stream_socket_perms; allow virtd_t self:tun_socket create_socket_perms; +allow virtd_t self:rawip_socket create_socket_perms; allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; -manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t) -manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t) +manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t) +manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t) manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) manage_files_pattern(virtd_t, virt_content_t, virt_content_t) allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; +allow virtd_t qemu_var_run_t:file relabel_file_perms; +manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain) + read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) @@ -200,9 +224,15 @@ manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) +manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) allow virtd_t virt_image_type:file { relabelfrom relabelto }; allow virtd_t virt_image_type:blk_file { relabelfrom relabelto }; +manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) +manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t) +files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir }) +can_exec(virtd_t, virt_tmp_t) + manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) logging_log_filetrans(virtd_t, virt_log_t, { file dir }) @@ -220,6 +250,7 @@ kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) +kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) @@ -243,18 +274,25 @@ dev_rw_kvm(virtd_t) dev_getattr_all_chr_files(virtd_t) dev_rw_mtrr(virtd_t) +dev_rw_vhost(virtd_t) # Init script handling domain_use_interactive_fds(virtd_t) domain_read_all_domains_state(virtd_t) +domain_read_all_domains_state(virtd_t) files_read_usr_files(virtd_t) files_read_etc_files(virtd_t) +files_read_usr_files(virtd_t) files_read_etc_runtime_files(virtd_t) files_search_all(virtd_t) files_read_kernel_modules(virtd_t) files_read_usr_src_files(virtd_t) -files_manage_etc_files(virtd_t) + +# Manages /etc/sysconfig/system-config-firewall +files_manage_system_conf_files(virtd_t) +files_manage_system_conf_files(virtd_t) +files_etc_filetrans_system_conf(virtd_t) fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) @@ -262,6 +300,17 @@ fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) +fs_manage_hugetlbfs_dirs(virtd_t) +fs_rw_hugetlbfs_files(virtd_t) + +mls_fd_share_all_levels(virtd_t) +mls_file_read_to_clearance(virtd_t) +mls_file_write_to_clearance(virtd_t) +mls_process_write_to_clearance(virtd_t) +mls_net_write_within_range(virtd_t) +mls_socket_write_to_clearance(virtd_t) +mls_socket_read_to_clearance(virtd_t) +mls_rangetrans_source(virtd_t) mcs_process_set_categories(virtd_t) @@ -286,15 +335,22 @@ logging_send_syslog_msg(virtd_t) +selinux_validate_context(virtd_t) + +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) sysnet_domtrans_ifconfig(virtd_t) sysnet_read_config(virtd_t) +userdom_list_admin_dir(virtd_t) userdom_getattr_all_users(virtd_t) userdom_list_user_home_content(virtd_t) userdom_read_all_users_state(virtd_t) userdom_read_user_home_content_files(virtd_t) +userdom_relabel_user_home_files(virtd_t) +userdom_setattr_user_home_content_files(virtd_t) tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) @@ -365,6 +421,7 @@ qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) + qemu_entry_type(virt_domain) ') optional_policy(` @@ -402,6 +459,19 @@ allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; allow virt_domain self:tcp_socket create_stream_socket_perms; +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) + +manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file }) +stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t) + +dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; + append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) @@ -422,6 +492,7 @@ corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) +dev_read_generic_symlinks(virt_domain) dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) @@ -429,10 +500,12 @@ dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) +dev_rw_vhost(virt_domain) domain_use_interactive_fds(virt_domain) files_read_etc_files(virt_domain) +files_read_mnt_symlinks(virt_domain) files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) @@ -440,6 +513,11 @@ fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) +fs_getattr_hugetlbfs(virt_domain) + +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) @@ -457,8 +535,121 @@ ') optional_policy(` + pulseaudio_dontaudit_exec(virt_domain) +') + +optional_policy(` virt_read_config(virt_domain) virt_read_lib_files(virt_domain) virt_read_content(virt_domain) virt_stream_connect(virt_domain) ') + +######################################## +# +# xm local policy +# +type virsh_t; +type virsh_exec_t; +domain_type(virsh_t) +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; + +allow virsh_t self:capability { dac_override ipc_lock sys_tty_config }; +allow virsh_t self:process { getcap getsched setcap signal }; + +# internal communication is often done using fifo and unix sockets. +allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow virsh_t self:tcp_socket create_stream_socket_perms; + +manage_files_pattern(virsh_t, virt_image_type, virt_image_type) +manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) +manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) + +dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms; + +kernel_read_system_state(virsh_t) +kernel_read_network_state(virsh_t) +kernel_read_kernel_sysctls(virsh_t) +kernel_read_sysctl(virsh_t) +kernel_read_xen_state(virsh_t) +kernel_write_xen_state(virsh_t) + +corecmd_exec_bin(virsh_t) +corecmd_exec_shell(virsh_t) + +corenet_tcp_sendrecv_generic_if(virsh_t) +corenet_tcp_sendrecv_generic_node(virsh_t) +corenet_tcp_connect_soundd_port(virsh_t) + +dev_read_urand(virsh_t) +dev_read_sysfs(virsh_t) + +files_read_etc_runtime_files(virsh_t) +files_read_usr_files(virsh_t) +files_list_mnt(virsh_t) +# Some common macros (you might be able to remove some) +files_read_etc_files(virsh_t) + +fs_getattr_all_fs(virsh_t) +fs_manage_xenfs_dirs(virsh_t) +fs_manage_xenfs_files(virsh_t) +fs_search_auto_mountpoints(virsh_t) + +storage_raw_read_fixed_disk(virsh_t) + +term_use_all_terms(virsh_t) + +init_stream_connect_script(virsh_t) +init_rw_script_stream_sockets(virsh_t) +init_use_fds(virsh_t) + +miscfiles_read_localization(virsh_t) + +sysnet_dns_name_resolve(virsh_t) + +optional_policy(` + xen_manage_image_dirs(virsh_t) + xen_append_log(virsh_t) + xen_stream_connect(virsh_t) + xen_stream_connect_xenstore(virsh_t) +') + +optional_policy(` + dbus_system_bus_client(virsh_t) + + optional_policy(` + hal_dbus_chat(virsh_t) + ') +') + +optional_policy(` + vhostmd_rw_tmpfs_files(virsh_t) + vhostmd_stream_connect(virsh_t) + vhostmd_dontaudit_rw_stream_connect(virsh_t) +') + +optional_policy(` + virt_domtrans(virsh_t) + virt_manage_images(virsh_t) + virt_manage_config(virsh_t) + virt_stream_connect(virsh_t) +') + +optional_policy(` + ssh_basic_client_template(virsh, virsh_t, system_r) + + kernel_read_xen_state(virsh_ssh_t) + kernel_write_xen_state(virsh_ssh_t) + + dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms; + files_search_tmp(virsh_ssh_t) + + fs_manage_xenfs_dirs(virsh_ssh_t) + fs_manage_xenfs_files(virsh_ssh_t) + + userdom_search_admin_dir(virsh_ssh_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.8.8/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/w3c.te 2010-07-30 14:06:53.000000000 -0400 @@ -7,11 +7,18 @@ apache_content_template(w3c_validator) +type httpd_w3c_validator_tmp_t; +files_tmp_file(httpd_w3c_validator_tmp_t) + ######################################## # # Local policy # +manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) +manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) +files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir }) + corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) @@ -22,3 +29,5 @@ miscfiles_read_certs(httpd_w3c_validator_script_t) sysnet_dns_name_resolve(httpd_w3c_validator_script_t) + +apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.8.8/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/xserver.fc 2010-07-30 14:06:53.000000000 -0400 @@ -2,13 +2,23 @@ # HOME_DIR # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) +HOME_DIR/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0) HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) +HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) +HOME_DIR/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0) HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) +HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) +HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) +HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0) +/root/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) # # /dev # @@ -20,6 +30,8 @@ /etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0) +/etc/gdm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0) + /etc/kde3?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/kde3?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/kde3?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) @@ -32,11 +44,6 @@ /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) -ifdef(`distro_redhat',` -/etc/gdm/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/gdm/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) -') - # # /opt # @@ -47,21 +54,23 @@ # /tmp # -/tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) -/tmp/\.ICE-unix/.* -s <> -/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0) -/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) -/tmp/\.X11-unix/.* -s <> +/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_tmp_t,s0) +/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0) +/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0) # # /usr # /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/(s)?bin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/(s)?bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) +/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) ifdef(`distro_debian', ` @@ -89,17 +98,43 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) -/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/lib/[gxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) +/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) + +/var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0) +/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) +/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) + +/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/kdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/lxdm(/*.)? gen_context(system_u:object_r:xdm_var_run_t,s0) + +/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) +/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) ') + +/var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.8.8/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/xserver.if 2010-07-30 14:06:53.000000000 -0400 @@ -19,9 +19,10 @@ interface(`xserver_restricted_role',` gen_require(` type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t; - type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; + type user_fonts_t, user_fonts_cache_t, user_fonts_config_t, xdm_tmp_t; type iceauth_t, iceauth_exec_t, iceauth_home_t; type xauth_t, xauth_exec_t, xauth_home_t; + class dbus send_msg; ') role $1 types { xserver_t xauth_t iceauth_t }; @@ -31,7 +32,7 @@ allow xserver_t $2:shm rw_shm_perms; domtrans_pattern($2, xserver_exec_t, xserver_t) - allow xserver_t $2:process signal; + allow xserver_t $2:process { getpgid signal }; allow xserver_t $2:shm rw_shm_perms; @@ -45,6 +46,7 @@ manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) + allow $2 xserver_tmp_t:sock_file unlink; files_search_tmp($2) # Communicate via System V shared memory. @@ -56,6 +58,10 @@ domtrans_pattern($2, iceauth_exec_t, iceauth_t) +ifdef(`hide_broken_symptoms', ` + dontaudit iceauth_t $2:socket_class_set { read write }; +') + allow $2 iceauth_home_t:file read_file_perms; domtrans_pattern($2, xauth_exec_t, xauth_t) @@ -71,9 +77,13 @@ # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; allow $2 xdm_t:fifo_file { getattr read write ioctl }; - allow $2 xdm_tmp_t:dir search; + allow $2 xdm_tmp_t:dir search_dir_perms; allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; + dontaudit $2 xdm_tmp_t:dir setattr; + + allow $2 xdm_t:dbus send_msg; + allow xdm_t $2:dbus send_msg; # Client read xserver shm allow $2 xserver_t:fd use; @@ -89,14 +99,19 @@ dev_write_misc($2) # open office is looking for the following dev_getattr_agp_dev($2) - dev_dontaudit_rw_dri($2) + tunable_policy(`user_direct_dri',` + dev_rw_dri($2) + ',` + dev_dontaudit_rw_dri($2) + ') + # GNOME checks for usb and other devices: dev_rw_usbfs($2) miscfiles_read_fonts($2) + miscfiles_setattr_fonts_cache_dirs($2) xserver_common_x_domain_template(user, $2) - xserver_unconfined($2) xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) @@ -148,6 +163,7 @@ allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; + mls_xwin_read_to_clearance($2) manage_dirs_pattern($2, user_fonts_t, user_fonts_t) manage_files_pattern($2, user_fonts_t, user_fonts_t) relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) @@ -197,7 +213,7 @@ allow $1 xserver_t:process signal; # Read /tmp/.X0-lock - allow $1 xserver_tmp_t:file { getattr read }; + allow $1 xserver_tmp_t:file read_file_perms; # Client read xserver shm allow $1 xserver_t:fd use; @@ -291,12 +307,12 @@ allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file - allow $1 xauth_home_t:file { getattr read }; - allow $1 iceauth_home_t:file { getattr read }; + allow $1 xauth_home_t:file read_file_perms; + allow $1 iceauth_home_t:file read_file_perms; # for when /tmp/.X11-unix is created by the system allow $1 xdm_t:fd use; - allow $1 xdm_t:fifo_file { getattr read write ioctl }; + allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; allow $1 xdm_tmp_t:dir search; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; @@ -355,6 +371,12 @@ class x_property all_x_property_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; + class x_client destroy; + class x_server manage; + class x_screen { saver_setattr saver_hide saver_show }; + class x_pointer { get_property set_property manage }; + class x_keyboard { read manage }; + type xdm_t, xserver_t; ') ############################## @@ -386,6 +408,15 @@ allow $2 xevent_t:{ x_event x_synthetic_event } receive; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; + + allow $2 xdm_t:x_drawable { hide read add_child manage }; + allow $2 xdm_t:x_client destroy; + + allow $2 root_xdrawable_t:x_drawable write; + allow $2 xserver_t:x_server manage; + allow $2 xserver_t:x_screen { saver_setattr saver_hide saver_show }; + allow $2 xserver_t:x_pointer { get_property set_property manage }; + allow $2 xserver_t:x_keyboard { read manage }; ') ####################################### @@ -476,6 +507,7 @@ xserver_use_user_fonts($2) xserver_read_xdm_tmp_files($2) + xserver_read_xdm_pid($2) # X object manager xserver_object_types_template($1) @@ -545,6 +577,27 @@ ') domtrans_pattern($1, xauth_exec_t, xauth_t) +ifdef(`hide_broken_symptoms', ` + dontaudit xauth_t $1:socket_class_set { read write }; +') +') + +######################################## +##

+## Dontaudit exec of Xauthority program. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_dontaudit_exec_xauth',` + gen_require(` + type xauth_exec_t; + ') + + dontaudit $1 xauth_exec_t:file execute; ') ######################################## @@ -598,6 +651,7 @@ allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) + xserver_read_xdm_pid($1) ') ######################################## @@ -725,10 +779,12 @@ interface(`xserver_stream_connect_xdm',` gen_require(` type xdm_t, xdm_tmp_t; + type xdm_var_run_t; ') files_search_tmp($1) stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) + stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t) ') ######################################## @@ -805,7 +861,7 @@ ') files_search_pids($1) - allow $1 xdm_var_run_t:file read_file_perms; + read_files_pattern($1, xdm_var_run_t, xdm_var_run_t) ') ######################################## @@ -916,7 +972,7 @@ type xserver_log_t; ') - dontaudit $1 xserver_log_t:file { append write }; + dontaudit $1 xserver_log_t:file rw_inherited_file_perms; ') ######################################## @@ -964,6 +1020,44 @@ ######################################## ## +## Read xdm config files. +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_read_xdm_etc_files',` + gen_require(` + type xdm_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, xdm_etc_t, xdm_etc_t) +') + +######################################## +## +## Manage xdm config files. +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_manage_xdm_etc_files',` + gen_require(` + type xdm_etc_t; + ') + + files_search_etc($1) + manage_files_pattern($1, xdm_etc_t, xdm_etc_t) +') + +######################################## +## ## Read xdm temporary files. ## ## @@ -1224,9 +1318,20 @@ class x_device all_x_device_perms; class x_pointer all_x_pointer_perms; class x_keyboard all_x_keyboard_perms; + class x_screen all_x_screen_perms; + class x_drawable { manage }; + type root_xdrawable_t; + attribute x_domain; + class x_drawable { read manage setattr show }; + class x_resource { write read }; ') allow $1 xserver_t:{ x_device x_pointer x_keyboard } *; + allow $1 xserver_t:{ x_screen } setattr; + + allow $1 x_domain:x_drawable { read manage setattr show }; + allow $1 x_domain:x_resource { write read }; + allow $1 root_xdrawable_t:x_drawable { manage read }; ') ######################################## @@ -1250,3 +1355,329 @@ typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') + +######################################## +## +## Dontaudit append to .xsession-errors file +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_dontaudit_append_xdm_home_files',` + gen_require(` + type xdm_home_t; + type xserver_tmp_t; + ') + + dontaudit $1 xdm_home_t:file rw_inherited_file_perms; + dontaudit $1 xserver_tmp_t:file rw_inherited_file_perms; + + tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_rw_cifs_files($1) + ') +') + +######################################## +## +## append to .xsession-errors file +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_append_xdm_home_files',` + gen_require(` + type xdm_home_t; + type xserver_tmp_t; + ') + + allow $1 xdm_home_t:file append_file_perms; + allow $1 xserver_tmp_t:file append_file_perms; + + tunable_policy(`use_nfs_home_dirs',` + fs_append_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_append_cifs_files($1) + ') +') + +######################################## +## +## Manage the xdm_spool files +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_xdm_manage_spool',` + gen_require(` + type xdm_spool_t; + ') + + files_search_spool($1) + manage_files_pattern($1, xdm_spool_t, xdm_spool_t) +') + +######################################## +## +## Send and receive messages from +## xdm over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_dbus_chat_xdm',` + gen_require(` + type xdm_t; + class dbus send_msg; + ') + + allow $1 xdm_t:dbus send_msg; + allow xdm_t $1:dbus send_msg; +') + +######################################## +## +## Read xserver files created in /var/run +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_read_pid',` + gen_require(` + type xserver_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, xserver_var_run_t, xserver_var_run_t) +') + +######################################## +## +## Execute xserver files created in /var/run +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_exec_pid',` + gen_require(` + type xserver_var_run_t; + ') + + files_search_pids($1) + exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t) +') + +######################################## +## +## Write xserver files created in /var/run +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_write_pid',` + gen_require(` + type xserver_var_run_t; + ') + + files_search_pids($1) + write_files_pattern($1, xserver_var_run_t, xserver_var_run_t) +') + +######################################## +## +## Allow append the xdm +## log files. +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_xdm_append_log',` + gen_require(` + type xdm_log_t; + attribute xdmhomewriter; + ') + + typeattribute $1 xdmhomewriter; + append_files_pattern($1, xdm_log_t, xdm_log_t) +') + +######################################## +## +## Read a user Iceauthority domain. +## +## +## +## Domain allowed access. +## +## +# +template(`xserver_read_user_iceauth',` + gen_require(` + type iceauth_home_t; + ') + + # Read .Iceauthority file + allow $1 iceauth_home_t:file read_file_perms; +') + +######################################## +## +## Read user homedir fonts. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`xserver_rw_inherited_user_fonts',` + gen_require(` + type user_fonts_t; + type user_fonts_config_t; + ') + + allow $1 user_fonts_t:file rw_inherited_file_perms; + allow $1 user_fonts_t:file read_lnk_file_perms; + + allow $1 user_fonts_config_t:file rw_inherited_file_perms; +') + +######################################## +## +## Search XDM var lib dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_search_xdm_lib',` + gen_require(` + type xdm_var_lib_t; + ') + + allow $1 xdm_var_lib_t:dir search_dir_perms; +') + + +######################################## +## +## Make an X executable an entrypoint for the specified domain. +## +## +## +## The domain for which the shell is an entrypoint. +## +## +# +interface(`xserver_entry_type',` + gen_require(` + type xserver_exec_t; + ') + + domain_entry_file($1, xserver_exec_t) +') + +######################################## +## +## Execute xsever in the xserver domain, and +## allow the specified role the xserver domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the xserver domain. +## +## +# +interface(`xserver_run',` + gen_require(` + type xserver_t; + ') + + xserver_domtrans($1) + role $2 types xserver_t; +') + +######################################## +## +## Execute xsever in the xserver domain, and +## allow the specified role the xserver domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the xserver domain. +## +## +# +interface(`xserver_run_xauth',` + gen_require(` + type xauth_t; + ') + + xserver_domtrans_xauth($1) + role $2 types xauth_t; +') +######################################## +## +## Read user homedir fonts. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`xserver_manage_home_fonts',` + gen_require(` + type user_fonts_t; + type user_fonts_config_t; + ') + + manage_dirs_pattern($1, user_fonts_t, user_fonts_t) + manage_files_pattern($1, user_fonts_t, user_fonts_t) + manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t) + + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.8.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/xserver.te 2010-08-11 08:03:36.000000000 -0400 @@ -35,6 +35,13 @@ ## ##

+## Allows XServer to execute writable memory +##

+## +gen_tunable(allow_xserver_execmem, false) + +## +##

## Allow xdm logins as sysadm ##

## @@ -47,6 +54,16 @@ ## gen_tunable(xserver_object_manager, false) +## +##

+## Allow regular users direct dri device access +##

+## +gen_tunable(user_direct_dri, false) + +attribute xdmhomewriter; +attribute x_userdomain; + attribute x_domain; # X Events @@ -109,21 +126,26 @@ type user_fonts_t; typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; +typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t }; userdom_user_home_content(user_fonts_t) type user_fonts_cache_t; typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t }; typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t }; +typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t }; +; userdom_user_home_content(user_fonts_cache_t) type user_fonts_config_t; typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t }; typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t }; +typealias user_fonts_config_t alias { fonts_config_home_t xguest_fonts_config_t unconfined_fonts_config_t }; userdom_user_home_content(user_fonts_config_t) type iceauth_t; type iceauth_exec_t; typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t }; +typealias iceauth_t alias { xguest_iceauth_t }; typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; application_domain(iceauth_t, iceauth_exec_t) ubac_constrained(iceauth_t) @@ -131,22 +153,28 @@ type iceauth_home_t; typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; +typealias iceauth_home_t alias { xguest_iceauth_home_t }; +files_poly_member(iceauth_home_t) userdom_user_home_content(iceauth_home_t) type xauth_t; type xauth_exec_t; typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t }; typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t }; +typealias xauth_t alias { xguest_xauth_t unconfined_xauth_t }; application_domain(xauth_t, xauth_exec_t) ubac_constrained(xauth_t) type xauth_home_t; typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t }; typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t }; +typealias xauth_home_t alias { xguest_xauth_home_t unconfined_xauth_home_t }; +files_poly_member(xauth_home_t) userdom_user_home_content(xauth_home_t) type xauth_tmp_t; typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t }; +typealias xauth_tmp_t alias { xguest_xauth_tmp_t unconfined_xauth_tmp_t }; typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; files_tmp_file(xauth_tmp_t) ubac_constrained(xauth_tmp_t) @@ -161,15 +189,21 @@ type xdm_exec_t; auth_login_pgm_domain(xdm_t) init_domain(xdm_t, xdm_exec_t) -init_daemon_domain(xdm_t, xdm_exec_t) +init_system_domain(xdm_t, xdm_exec_t) xserver_object_types_template(xdm) xserver_common_x_domain_template(xdm, xdm_t) type xdm_lock_t; files_lock_file(xdm_lock_t) +type xdm_etc_t; +files_config_file(xdm_etc_t) + type xdm_rw_etc_t; -files_type(xdm_rw_etc_t) +files_config_file(xdm_rw_etc_t) + +type xdm_spool_t; +files_type(xdm_spool_t) type xdm_var_lib_t; files_type(xdm_var_lib_t) @@ -177,13 +211,27 @@ type xdm_var_run_t; files_pid_file(xdm_var_run_t) +type xserver_var_lib_t; +files_type(xserver_var_lib_t) + +type xserver_var_run_t; +files_pid_file(xserver_var_run_t) + type xdm_tmp_t; files_tmp_file(xdm_tmp_t) -typealias xdm_tmp_t alias ice_tmp_t; +typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t }; +typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; +ubac_constrained(xdm_tmp_t) type xdm_tmpfs_t; files_tmpfs_file(xdm_tmpfs_t) +type xdm_home_t; +userdom_user_home_content(xdm_home_t) + +type xdm_log_t; +logging_log_file(xdm_log_t) + # type for /var/lib/xkb type xkb_var_lib_t; files_type(xkb_var_lib_t) @@ -196,15 +244,9 @@ init_system_domain(xserver_t, xserver_exec_t) ubac_constrained(xserver_t) -type xserver_tmp_t; -typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t }; -typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; -files_tmp_file(xserver_tmp_t) -ubac_constrained(xserver_tmp_t) - type xserver_tmpfs_t; -typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t }; -typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t }; +typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t }; +typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t }; files_tmpfs_file(xserver_tmpfs_t) ubac_constrained(xserver_tmpfs_t) @@ -234,9 +276,13 @@ allow xdm_t iceauth_home_t:file read_file_perms; +dev_read_rand(iceauth_t) + fs_search_auto_mountpoints(iceauth_t) userdom_use_user_terminals(iceauth_t) +userdom_read_user_tmp_files(iceauth_t) +userdom_read_all_users_state(iceauth_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(iceauth_t) @@ -246,30 +292,64 @@ fs_manage_cifs_files(iceauth_t) ') +ifdef(`hide_broken_symptoms', ` + dev_dontaudit_read_urand(iceauth_t) + dev_dontaudit_rw_dri(iceauth_t) + dev_dontaudit_rw_generic_dev_nodes(iceauth_t) + fs_dontaudit_list_inotifyfs(iceauth_t) + fs_dontaudit_rw_anon_inodefs_files(iceauth_t) + term_dontaudit_use_unallocated_ttys(iceauth_t) + + userdom_dontaudit_read_user_home_content_files(iceauth_t) + userdom_dontaudit_write_user_home_content_files(iceauth_t) + userdom_dontaudit_write_user_tmp_files(iceauth_t) + + optional_policy(` + mozilla_dontaudit_rw_user_home_files(iceauth_t) + ') +') + ######################################## # # Xauth local policy # +allow xauth_t self:capability dac_override; allow xauth_t self:process signal; allow xauth_t self:unix_stream_socket create_stream_socket_perms; +allow xauth_t xdm_t:process sigchld; +allow xauth_t xserver_t:unix_stream_socket connectto; + +corenet_tcp_connect_xserver_port(xauth_t) + allow xauth_t xauth_home_t:file manage_file_perms; userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file) +userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file) + +manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) +manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) -allow xdm_t xauth_home_t:file manage_file_perms; -userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file) +stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t) + +kernel_read_system_state(xauth_t) domain_use_interactive_fds(xauth_t) +domain_dontaudit_leaks(xauth_t) files_read_etc_files(xauth_t) +files_read_usr_files(xauth_t) files_search_pids(xauth_t) +files_dontaudit_getattr_all_dirs(xauth_t) +files_dontaudit_leaks(xauth_t) +files_var_lib_filetrans(xauth_t, xauth_home_t, file) -fs_getattr_xattr_fs(xauth_t) +fs_dontaudit_leaks(xauth_t) +fs_getattr_all_fs(xauth_t) fs_search_auto_mountpoints(xauth_t) # cjp: why? @@ -279,17 +359,37 @@ userdom_use_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) +userdom_read_all_users_state(xauth_t) + +ifdef(`hide_broken_symptoms', ` + fs_dontaudit_rw_anon_inodefs_files(xauth_t) + fs_dontaudit_list_inotifyfs(xauth_t) + userdom_manage_user_home_content_files(xauth_t) + userdom_manage_user_tmp_files(xauth_t) + dev_dontaudit_rw_generic_dev_nodes(xauth_t) + miscfiles_read_fonts(xauth_t) +') xserver_rw_xdm_tmp_files(xauth_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(xauth_t) + fs_read_nfs_symlinks(xauth_t) ') tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(xauth_t) ') +ifdef(`hide_broken_symptoms', ` + term_dontaudit_use_unallocated_ttys(xauth_t) + dev_dontaudit_rw_dri(xauth_t) +') + +optional_policy(` + nx_var_lib_filetrans(xauth_t, xauth_home_t, file) +') + optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) @@ -301,20 +401,33 @@ # XDM Local policy # -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace }; +allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate ptrace }; +allow xdm_t self:process { getattr getcap setcap }; allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow xdm_t self:unix_dgram_socket create_socket_perms; +allow xdm_t self:unix_dgram_socket { create_socket_perms sendto }; allow xdm_t self:tcp_socket create_stream_socket_perms; allow xdm_t self:udp_socket create_socket_perms; +allow xdm_t self:netlink_kobject_uevent_socket create_socket_perms; allow xdm_t self:socket create_socket_perms; allow xdm_t self:appletalk_socket create_socket_perms; allow xdm_t self:key { search link write }; +allow xdm_t xauth_home_t:file manage_file_perms; + allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) + +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) +userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file) +#Handle mislabeled files in homedir +userdom_delete_user_home_content_files(xdm_t) +userdom_signull_unpriv_users(xdm_t) +userdom_dontaudit_read_admin_home_lnk_files(xdm_t) # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) @@ -322,32 +435,55 @@ allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) +read_lnk_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) +read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) # wdm has its own config dir /etc/X11/wdm # this is ugly, daemons should not create files under /etc! manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t) manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) +manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) +files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file }) +relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) +relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) -fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + +fs_getattr_all_fs(xdm_t) +fs_list_inotifyfs(xdm_t) +fs_read_noxattr_fs_files(xdm_t) +fs_dontaudit_list_fusefs(xdm_t) +fs_manage_cgroup_dirs(xdm_t) +fs_manage_cgroup_files(xdm_t) + +manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t) + +files_search_spool(xdm_t) +manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t) +manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t) +files_spool_filetrans(xdm_t, xdm_spool_t, { file dir }) manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) -files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file) +manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) +manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) +files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir }) +# Read machine-id +files_read_var_lib_files(xdm_t) manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) -files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file }) +manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) +files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file }) -allow xdm_t xserver_t:process signal; +allow xdm_t xserver_t:process { signal signull }; allow xdm_t xserver_t:unix_stream_socket connectto; allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; @@ -355,10 +491,13 @@ # transition to the xdm xserver domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) + +ps_process_pattern(xserver_t, xdm_t) allow xserver_t xdm_t:process signal; allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; +read_files_pattern(xdm_t, xserver_t, xserver_t) # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -367,15 +506,22 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) +manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t) +manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t) +manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t) +logging_log_filetrans(xdm_t, xdm_log_t, { dir file }) + manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t) manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t) manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t) -logging_log_filetrans(xdm_t, xserver_log_t, file) kernel_read_system_state(xdm_t) +kernel_read_device_sysctls(xdm_t) kernel_read_kernel_sysctls(xdm_t) kernel_read_net_sysctls(xdm_t) kernel_read_network_state(xdm_t) +kernel_request_load_module(xdm_t) +kernel_stream_connect(xdm_t) corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) @@ -390,11 +536,14 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) +corenet_udp_bind_ipp_port(xdm_t) +corenet_udp_bind_xdmcp_port(xdm_t) corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t corenet_dontaudit_tcp_bind_all_ports(xdm_t) +dev_rwx_zero(xdm_t) dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) @@ -402,6 +551,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) +dev_rw_input_dev(xdm_t) dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) @@ -410,18 +560,22 @@ dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) -dev_getattr_video_dev(xdm_t) +dev_read_video_dev(xdm_t) +dev_write_video_dev(xdm_t) dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) -dev_getattr_sound_dev(xdm_t) -dev_setattr_sound_dev(xdm_t) +dev_read_sound(xdm_t) +dev_write_sound(xdm_t) dev_getattr_power_mgmt_dev(xdm_t) dev_setattr_power_mgmt_dev(xdm_t) +dev_getattr_null_dev(xdm_t) +dev_setattr_null_dev(xdm_t) domain_use_interactive_fds(xdm_t) # Do not audit denied probes of /proc. domain_dontaudit_read_all_domains_state(xdm_t) +domain_dontaudit_ptrace_all_domains(xdm_t) files_read_etc_files(xdm_t) files_read_var_files(xdm_t) @@ -432,9 +586,17 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) +files_dontaudit_getattr_boot_dirs(xdm_t) +files_dontaudit_write_usr_files(xdm_t) +files_dontaudit_getattr_all_dirs(xdm_t) +files_dontaudit_getattr_all_symlinks(xdm_t) fs_getattr_all_fs(xdm_t) fs_search_auto_mountpoints(xdm_t) +fs_rw_anon_inodefs_files(xdm_t) +fs_mount_tmpfs(xdm_t) + +mls_socket_write_to_clearance(xdm_t) storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) @@ -443,28 +605,36 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) +storage_dontaudit_rw_fuse(xdm_t) term_setattr_console(xdm_t) +term_use_console(xdm_t) term_use_unallocated_ttys(xdm_t) term_setattr_unallocated_ttys(xdm_t) +term_relabel_all_ttys(xdm_t) +term_relabel_unallocated_ttys(xdm_t) auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) +auth_signal_pam(xdm_t) auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) # Run telinit->init to shutdown. init_telinit(xdm_t) +init_dbus_chat(xdm_t) libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) +miscfiles_search_man_pages(xdm_t) miscfiles_read_localization(xdm_t) miscfiles_read_fonts(xdm_t) - -sysnet_read_config(xdm_t) +miscfiles_manage_fonts_cache(xdm_t) +miscfiles_manage_localization(xdm_t) +miscfiles_read_hwdata(xdm_t) userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) @@ -473,6 +643,13 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) +userdom_stream_connect(xdm_t) +userdom_manage_user_tmp_dirs(xdm_t) +userdom_manage_user_tmp_files(xdm_t) +userdom_manage_user_tmp_sockets(xdm_t) +userdom_manage_tmpfs_role(system_r, xdm_t) + +application_signal(xdm_t) xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) @@ -504,11 +681,17 @@ ') optional_policy(` + accountsd_read_lib_files(xdm_t) +') + +optional_policy(` alsa_domtrans(xdm_t) + alsa_read_rw_config(xdm_t) ') optional_policy(` consolekit_dbus_chat(xdm_t) + consolekit_read_log(xdm_t) ') optional_policy(` @@ -516,12 +699,51 @@ ') optional_policy(` + # Use dbus to start other processes as xdm_t + dbus_role_template(xdm, system_r, xdm_t) + + dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms; + xserver_xdm_append_log(xdm_dbusd_t) + xserver_read_xdm_pid(xdm_dbusd_t) + + corecmd_bin_entry_type(xdm_t) + + dbus_system_bus_client(xdm_t) + + optional_policy(` + bluetooth_dbus_chat(xdm_t) + ') + + optional_policy(` + devicekit_dbus_chat_disk(xdm_t) + devicekit_dbus_chat_power(xdm_t) + ') + + optional_policy(` + hal_dbus_chat(xdm_t) + ') + + optional_policy(` + networkmanager_dbus_chat(xdm_t) + ') + +') + + +optional_policy(` # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) ') optional_policy(` + gnome_manage_config(xdm_t) + gnome_manage_gconf_home_files(xdm_t) + gnome_read_config(xdm_t) + gnome_read_gconf_config(xdm_t) +') + +optional_policy(` hostname_exec(xdm_t) ') @@ -539,20 +761,63 @@ ') optional_policy(` + policykit_dbus_chat(xdm_t) + policykit_domtrans_auth(xdm_t) + policykit_read_lib(xdm_t) + policykit_read_reload(xdm_t) + policykit_signal_auth(xdm_t) +') + +optional_policy(` + pcscd_stream_connect(xdm_t) +') + +optional_policy(` + plymouthd_search_spool(xdm_t) + plymouthd_exec_plymouth(xdm_t) +') + +optional_policy(` + pulseaudio_exec(xdm_t) + pulseaudio_dbus_chat(xdm_t) + pulseaudio_stream_connect(xdm_t) +') + +optional_policy(` resmgr_stream_connect(xdm_t) ') +# On crash gdm execs gdb to dump stack +optional_policy(` + rpm_exec(xdm_t) + rpm_read_db(xdm_t) + rpm_dontaudit_manage_db(xdm_t) +') + +optional_policy(` + rtkit_scheduled(xdm_t) +') + optional_policy(` seutil_sigchld_newrole(xdm_t) ') optional_policy(` + ssh_signull(xdm_t) +') + +optional_policy(` + shutdown_domtrans(xdm_t) +') + +optional_policy(` udev_read_db(xdm_t) ') optional_policy(` - unconfined_domain(xdm_t) - unconfined_domtrans(xdm_t) + unconfined_shell_domtrans(xdm_t) + unconfined_signal(xdm_t) +') ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; @@ -561,7 +826,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') -') optional_policy(` userhelper_dontaudit_search_config(xdm_t) @@ -572,6 +836,10 @@ ') optional_policy(` + wm_exec(xdm_t) +') + +optional_policy(` xfs_stream_connect(xdm_t) ') @@ -596,10 +864,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack -allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; +allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow xserver_t self:memprotect mmap_zero; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; @@ -611,6 +878,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; +allow xserver_t self:netlink_selinux_socket create_socket_perms; +allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms; + +# Device rules +allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell }; +allow x_domain xserver_t:x_screen getattr; + +allow xserver_t { input_xevent_t input_xevent_type }:x_event send; + +domtrans_pattern(xserver_t, xauth_exec_t, xauth_t) + +allow xserver_t xauth_home_t:file read_file_perms; manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) @@ -630,12 +909,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) -domtrans_pattern(xserver_t, xauth_exec_t, xauth_t) -allow xserver_t xauth_home_t:file read_file_perms; +manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t) +manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t) +files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir) + +manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) +manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) +manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) +files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir }) # Create files in /var/log with the xserver_log_t type. manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) logging_log_filetrans(xserver_t, xserver_log_t, file) +manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t) kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) @@ -643,6 +929,7 @@ # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) +kernel_request_load_module(xserver_t) # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) @@ -669,7 +956,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) -dev_filetrans_dri(xserver_t) dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer @@ -679,9 +965,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) +dev_read_raw_memory(xserver_t) +dev_write_raw_memory(xserver_t) dev_rwx_zero(xserver_t) -domain_mmap_low(xserver_t) +domain_dontaudit_read_all_domains_state(xserver_t) +domain_signal_all_domains(xserver_t) files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) @@ -696,8 +985,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) +fs_rw_tmpfs_files(xserver_t) mls_xwin_read_to_clearance(xserver_t) +mls_process_write_to_clearance(xserver_t) +mls_file_read_to_clearance(xserver_t) +mls_file_write_all_levels(xserver_t) +mls_file_upgrade(xserver_t) selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) @@ -719,11 +1013,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) +miscfiles_read_hwdata(xserver_t) modutils_domtrans_insmod(xserver_t) # read x_contexts seutil_read_default_contexts(xserver_t) +seutil_read_config(xserver_t) +seutil_read_file_contexts(xserver_t) userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) @@ -775,12 +1072,28 @@ ') optional_policy(` + devicekit_signal_power(xserver_t) +') + +optional_policy(` rhgb_getpgid(xserver_t) rhgb_signal(xserver_t) ') optional_policy(` - unconfined_domain_noaudit(xserver_t) + setrans_translate_context(xserver_t) +') + +optional_policy(` + sandbox_rw_xserver_tmpfs_files(xserver_t) +') + +optional_policy(` + udev_read_db(xserver_t) +') + +optional_policy(` + unconfined_domain(xserver_t) unconfined_domtrans(xserver_t) ') @@ -804,10 +1117,10 @@ # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! -allow xserver_t xdm_var_lib_t:file { getattr read }; +allow xserver_t xdm_var_lib_t:file read_file_perms; dontaudit xserver_t xdm_var_lib_t:dir search; -allow xserver_t xdm_var_run_t:file read_file_perms; +read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) @@ -828,6 +1141,13 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) +userdom_read_all_users_state(xserver_t) + +xserver_use_user_fonts(xserver_t) + +optional_policy(` + userhelper_search_config(xserver_t) +') tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) @@ -843,11 +1163,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) - hal_dbus_chat(xserver_t) + + optional_policy(` + hal_dbus_chat(xserver_t) + ') ') optional_policy(` - resmgr_stream_connect(xdm_t) + mono_rw_shm(xserver_t) ') optional_policy(` @@ -993,3 +1316,33 @@ allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; + +optional_policy(` + unconfined_rw_shm(xserver_t) + unconfined_execmem_rw_shm(xserver_t) + + # xserver signals unconfined user on startx + unconfined_signal(xserver_t) + unconfined_getpgid(xserver_t) +') + +tunable_policy(`allow_xserver_execmem',` + allow xserver_t self:process { execheap execmem execstack }; +') + +# Hack to handle the problem of using the nvidia blobs +tunable_policy(`allow_execmem',` + allow xdm_t self:process execmem; +') + +tunable_policy(`allow_execstack',` + allow xdm_t self:process { execstack execmem }; +') + +tunable_policy(`use_nfs_home_dirs',` + fs_append_nfs_files(xdmhomewriter) +') + +tunable_policy(`use_samba_home_dirs',` + fs_append_cifs_files(xdmhomewriter) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.te serefpolicy-3.8.8/policy/modules/services/zabbix.te --- nsaserefpolicy/policy/modules/services/zabbix.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/zabbix.te 2010-07-30 14:06:53.000000000 -0400 @@ -35,8 +35,9 @@ logging_log_filetrans(zabbix_t, zabbix_log_t, file) # pid file +manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) -files_pid_filetrans(zabbix_t, zabbix_var_run_t, file) +files_pid_filetrans(zabbix_t, zabbix_var_run_t, { file dir }) files_read_etc_files(zabbix_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zarafa.fc serefpolicy-3.8.8/policy/modules/services/zarafa.fc --- nsaserefpolicy/policy/modules/services/zarafa.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/zarafa.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,27 @@ + +/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) + +/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0) + +/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0) + +/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0) + +/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0) + +/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0) + +/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0) + +/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0) +/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) +/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) +/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) +/var/log/zarafa/monitor\.log -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0) + +/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) +/var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0) +/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0) +/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0) +/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0) +/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zarafa.if serefpolicy-3.8.8/policy/modules/services/zarafa.if --- nsaserefpolicy/policy/modules/services/zarafa.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/zarafa.if 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,105 @@ + +## policy for zarafa services + +###################################### +## +## Creates types and rules for a basic +## zararfa init daemon domain. +## +## +## +## Prefix for the domain. +## +## +# +template(`zarafa_domain_template',` + + gen_require(` + attribute zarafa_domain; + ') + + ############################## + # + # $1_t declarations + # + + type zarafa_$1_t, zarafa_domain; + type zarafa_$1_exec_t; + init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t) + + type zarafa_$1_log_t; + logging_log_file(zarafa_$1_log_t) + + type zarafa_$1_var_run_t; + files_pid_file(zarafa_$1_var_run_t) + + ############################## + # + # $1_t local policy + # + + manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) + manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) + files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file }) + #stream_connect_pattern(zarafa_$1_t, $1_var_run_t, $1_var_run_t, virtd_t) + + manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t) + #manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t) + logging_log_filetrans(zarafa_$1_t,zarafa_$1_log_t,{ file }) +') + +######################################## +## +## Execute a domain transition to run zarafa_server. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`zarafa_server_domtrans',` + gen_require(` + type zarafa_server_t, zarafa_server_exec_t; + ') + + domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t) +') + + +######################################## +## +## Execute a domain transition to run zarafa_deliver. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`zarafa_deliver_domtrans',` + gen_require(` + type zarafa_deliver_t, zarafa_deliver_exec_t; + ') + + domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t) +') + +####################################### +## +## Connect to zarafa-server unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`zarafa_stream_connect_server',` + gen_require(` + type zarafa_server_t, zarafa_server_var_run_t; + ') + + stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zarafa.te serefpolicy-3.8.8/policy/modules/services/zarafa.te --- nsaserefpolicy/policy/modules/services/zarafa.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/zarafa.te 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,133 @@ +policy_module(zarafa, 1.0.0) + +######################################## +# +# Declarations +# + +attribute zarafa_domain; + +zarafa_domain_template(monitor) +zarafa_domain_template(ical) +zarafa_domain_template(server) +zarafa_domain_template(spooler) +zarafa_domain_template(gateway) +zarafa_domain_template(deliver) + +type zarafa_deliver_tmp_t; +files_tmp_file(zarafa_deliver_tmp_t) + +type zarafa_etc_t; +files_config_file(zarafa_etc_t) + +type zarafa_share_t; +files_type(zarafa_share_t) + +permissive zarafa_server_t; +permissive zarafa_spooler_t; +permissive zarafa_gateway_t; +permissive zarafa_deliver_t; +permissive zarafa_ical_t; +permissive zarafa_monitor_t; + +######################################## +# +# zarafa-deliver local policy +# + +manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) +manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) +files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir }) + +#temporary +#allow zarafa_deliver_t port_t:tcp_socket name_bind; + +######################################## +# +# zarafa_server local policy +# + +allow zarafa_server_t self:capability { chown kill net_bind_service}; +allow zarafa_server_t self:process { setrlimit signal }; + +corenet_tcp_bind_zarafa_port(zarafa_server_t) + +files_read_usr_files(zarafa_server_t) + +logging_send_syslog_msg(zarafa_server_t) +logging_send_audit_msgs(zarafa_server_t) + +sysnet_dns_name_resolve(zarafa_server_t) + +optional_policy(` + mysql_stream_connect(zarafa_server_t) +') + +optional_policy(` + kerberos_use(zarafa_server_t) +') + +######################################## +# +# zarafa_spooler local policy +# + +allow zarafa_spooler_t self:capability { chown kill }; +allow zarafa_spooler_t self:process { signal }; + +corenet_tcp_connect_smtp_port(zarafa_spooler_t) + +######################################## +# +# zarafa_gateway local policy +# + +allow zarafa_gateway_t self:capability { chown kill }; +allow zarafa_gateway_t self:process { setrlimit signal }; + +corenet_tcp_bind_pop_port(zarafa_gateway_t) + +####################################### +# +# zarafa-ical local policy +# + +allow zarafa_ical_t self:capability chown; + +corenet_tcp_bind_http_cache_port(zarafa_ical_t) + +###################################### +# +# zarafa-monitor local policy +# + +allow zarafa_monitor_t self:capability chown; + +######################################## +# +# zarafa domains local policy +# + +# bad permission on /etc/zarafa +allow zarafa_domain self:capability { dac_override setgid setuid }; + +allow zarafa_domain self:fifo_file rw_fifo_file_perms; +allow zarafa_domain self:tcp_socket create_stream_socket_perms; +allow zarafa_domain self:unix_stream_socket create_stream_socket_perms; + +stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) + +read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t) + +kernel_read_system_state(zarafa_domain) + +files_read_etc_files(zarafa_domain) + +auth_use_nsswitch(zarafa_domain) + +miscfiles_read_localization(zarafa_domain) + +# temporary rules +optional_policy(` + apache_content_template(zarafa) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.te serefpolicy-3.8.8/policy/modules/services/zebra.te --- nsaserefpolicy/policy/modules/services/zebra.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/zebra.te 2010-07-30 14:06:53.000000000 -0400 @@ -61,9 +61,10 @@ allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms; files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file) +manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) -files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file }) +files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file dir }) kernel_read_system_state(zebra_t) kernel_read_network_state(zebra_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.8.8/policy/modules/system/application.if --- nsaserefpolicy/policy/modules/system/application.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/application.if 2010-08-03 14:32:57.000000000 -0400 @@ -130,3 +130,21 @@ allow $1 application_domain_type:process signull; ') + +######################################## +## +## Send signal to all application domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`application_signal',` + gen_require(` + attribute application_domain_type; + ') + + allow $1 application_domain_type:process signal; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.8.8/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/application.te 2010-07-30 14:06:53.000000000 -0400 @@ -6,6 +6,22 @@ # Executables to be run by user attribute application_exec_type; +userdom_inherit_append_user_home_content_files(application_domain_type) +userdom_inherit_append_admin_home_files(application_domain_type) +userdom_inherit_append_user_tmp_files(application_domain_type) +logging_inherit_append_all_logs(application_domain_type) + +files_dontaudit_search_all_dirs(application_domain_type) + +optional_policy(` + afs_rw_udp_sockets(application_domain_type) +') + +optional_policy(` + cron_rw_inherited_user_spool_files(application_domain_type) + cron_sigchld(application_domain_type) +') + optional_policy(` ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.8.8/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/authlogin.fc 2010-07-30 14:06:53.000000000 -0400 @@ -10,6 +10,7 @@ /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ifdef(`distro_suse', ` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.8.8/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/authlogin.if 2010-08-13 13:17:18.000000000 -0400 @@ -91,9 +91,12 @@ interface(`auth_login_pgm_domain',` gen_require(` type var_auth_t, auth_cache_t; + attribute polydomain; ') domain_type($1) + typeattribute $1 polydomain; + domain_subj_id_change_exemption($1) domain_role_change_exemption($1) domain_obj_id_change_exemption($1) @@ -107,6 +110,7 @@ allow $1 self:capability ipc_lock; allow $1 self:process setkeycreate; allow $1 self:key manage_key_perms; + userdom_manage_all_users_keys($1) files_list_var_lib($1) manage_files_pattern($1, var_auth_t, var_auth_t) @@ -126,6 +130,8 @@ files_read_etc_files($1) fs_list_auto_mountpoints($1) + fs_manage_cgroup_dirs($1) + fs_manage_cgroup_files($1) selinux_get_fs_mount($1) selinux_validate_context($1) @@ -141,6 +147,7 @@ mls_process_set_level($1) mls_fd_share_all_levels($1) + auth_manage_pam_pid($1) auth_use_pam($1) init_rw_utmp($1) @@ -151,8 +158,38 @@ seutil_read_config($1) seutil_read_default_contexts($1) - tunable_policy(`allow_polyinstantiation',` - files_polyinstantiate_all($1) + userdom_set_rlimitnh($1) + userdom_read_user_home_content_symlinks($1) + userdom_delete_user_tmp_files($1) + userdom_search_admin_dir($1) + + optional_policy(` + afs_rw_udp_sockets($1) + ') + + optional_policy(` + kerberos_read_config($1) + ') + + optional_policy(` + oddjob_dbus_chat($1) + oddjob_domtrans_mkhomedir($1) + ') + + optional_policy(` + corecmd_exec_bin($1) + storage_getattr_fixed_disk_dev($1) + mount_domtrans($1) + ') + + optional_policy(` + fprintd_dbus_chat($1) + ') + + optional_policy(` + ssh_agent_exec($1) + ssh_read_user_home_files($1) + userdom_read_user_home_content_files($1) ') ') @@ -365,13 +402,15 @@ ') optional_policy(` - pcscd_read_pub_files($1) + pcscd_manage_pub_files($1) + pcscd_manage_pub_pipes($1) pcscd_stream_connect($1) ') optional_policy(` samba_stream_connect_winbind($1) ') + auth_domtrans_upd_passwd($1) ') ######################################## @@ -418,6 +457,7 @@ auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; + auth_run_upd_passwd($1, $2) ') ######################################## @@ -874,6 +914,26 @@ ######################################## ## +## Read var auth files. Used by various other applications +## and pam applets etc. +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_read_var_auth',` + gen_require(` + type var_auth_t; + ') + + files_search_var($1) + read_files_pattern($1, var_auth_t, var_auth_t) +') + +######################################## +## ## Manage var auth files. Used by various other applications ## and pam applets etc. ## @@ -1500,6 +1560,8 @@ # interface(`auth_use_nsswitch',` + allow $1 self:netlink_route_socket r_netlink_socket_perms; + files_list_var_lib($1) # read /etc/nsswitch.conf @@ -1531,7 +1593,15 @@ ') optional_policy(` - nscd_socket_use($1) + nscd_use($1) + ') + + optional_policy(` + nslcd_stream_connect($1) + ') + + optional_policy(` + sssd_stream_connect($1) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.8.8/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/authlogin.te 2010-07-30 14:06:53.000000000 -0400 @@ -8,6 +8,7 @@ attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; attribute can_relabelto_shadow_passwords; +attribute polydomain; type auth_cache_t; logging_log_file(auth_cache_t) @@ -83,7 +84,7 @@ allow chkpwd_t self:capability { dac_override setuid }; dontaudit chkpwd_t self:capability sys_tty_config; -allow chkpwd_t self:process getattr; +allow chkpwd_t self:process { getattr signal }; allow chkpwd_t shadow_t:file read_file_perms; files_list_etc(chkpwd_t) @@ -394,3 +395,11 @@ xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') + +tunable_policy(`allow_polyinstantiation',` + files_polyinstantiate_all(polydomain) + userdom_manage_user_home_content_dirs(polydomain) + userdom_manage_user_home_content_files(polydomain) + userdom_relabelto_user_home_dirs(polydomain) + userdom_relabelto_user_home_files(polydomain) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.if serefpolicy-3.8.8/policy/modules/system/clock.if --- nsaserefpolicy/policy/modules/system/clock.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/clock.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -25,7 +25,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -50,7 +50,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.8.8/policy/modules/system/daemontools.if --- nsaserefpolicy/policy/modules/system/daemontools.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/daemontools.if 2010-07-30 14:06:53.000000000 -0400 @@ -71,6 +71,32 @@ domtrans_pattern($1, svc_start_exec_t, svc_start_t) ') +###################################### +## +## Execute svc_start in the svc_start domain, and +## allow the specified role the svc_start domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the svc_start domain. +## +## +## +# +interface(`daemonstools_run_start',` + gen_require(` + type svc_start_t; + ') + + daemontools_domtrans_start($1) + role $2 types svc_start_t; +') + ######################################## ## ## Execute in the svc_run_t domain. @@ -127,6 +153,24 @@ allow $1 svc_svc_t:file read_file_perms; ') +###################################### +## +## Search svc_svc_t directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`daemontools_search_svc_dir',` + gen_require(` + type svc_svc_t; + ') + + allow $1 svc_svc_t:dir search_dir_perms; +') + ######################################## ## ## Allow a domain to create svc_svc_t files. @@ -148,3 +192,21 @@ allow $1 svc_svc_t:file manage_file_perms; allow $1 svc_svc_t:lnk_file { read create }; ') + +###################################### +## +## Send a SIGCHLD signal to svc_run domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`daemontools_sigchld_run',` + gen_require(` + type svc_run_t; + ') + + allow $1 svc_run_t:process sigchld; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.8.8/policy/modules/system/daemontools.te --- nsaserefpolicy/policy/modules/system/daemontools.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/daemontools.te 2010-07-30 14:06:53.000000000 -0400 @@ -38,7 +38,10 @@ # multilog creates /service/*/log/status manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t) +term_write_console(svc_multilog_t) + init_use_fds(svc_multilog_t) +init_dontaudit_use_script_fds(svc_multilog_t) # writes to /var/log/*/* logging_manage_generic_logs(svc_multilog_t) @@ -52,7 +55,7 @@ # ie. softlimit, setuidgid, envuidgid, envdir, fghack .. # -allow svc_run_t self:capability { setgid setuid chown fsetid }; +allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource }; allow svc_run_t self:process setrlimit; allow svc_run_t self:fifo_file rw_fifo_file_perms; allow svc_run_t self:unix_stream_socket create_stream_socket_perms; @@ -64,9 +67,13 @@ kernel_read_system_state(svc_run_t) +dev_read_urand(svc_run_t) + corecmd_exec_bin(svc_run_t) corecmd_exec_shell(svc_run_t) +term_write_console(svc_run_t) + files_read_etc_files(svc_run_t) files_read_etc_runtime_files(svc_run_t) files_search_pids(svc_run_t) @@ -88,21 +95,36 @@ # ie svc, svscan, supervise ... # -allow svc_start_t svc_run_t:process signal; +allow svc_start_t svc_run_t:process { signal setrlimit }; allow svc_start_t self:fifo_file rw_fifo_file_perms; allow svc_start_t self:capability kill; +allow svc_start_t self:tcp_socket create_stream_socket_perms; allow svc_start_t self:unix_stream_socket create_socket_perms; can_exec(svc_start_t, svc_start_exec_t) +mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t) + +kernel_read_kernel_sysctls(svc_start_t) +kernel_read_system_state(svc_start_t) + corecmd_exec_bin(svc_start_t) corecmd_exec_shell(svc_start_t) +corenet_tcp_bind_generic_node(svc_start_t) +corenet_tcp_bind_generic_port(svc_start_t) + +term_write_console(svc_start_t) + files_read_etc_files(svc_start_t) files_read_etc_runtime_files(svc_start_t) files_search_var(svc_start_t) files_search_pids(svc_start_t) +logging_send_syslog_msg(svc_start_t) + +miscfiles_read_localization(svc_start_t) + daemontools_domtrans_run(svc_start_t) daemontools_manage_svc(svc_start_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.8.8/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/fstools.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -23,7 +22,6 @@ /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.8.8/policy/modules/system/fstools.if --- nsaserefpolicy/policy/modules/system/fstools.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/fstools.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -26,7 +26,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -51,7 +51,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -106,7 +106,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -125,7 +125,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -143,7 +143,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.8.8/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/fstools.te 2010-07-30 14:06:53.000000000 -0400 @@ -117,6 +117,8 @@ fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) +fs_manage_nfs_files(fsadm_t) +fs_manage_cifs_files(fsadm_t) # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs @@ -147,7 +149,7 @@ seutil_read_config(fsadm_t) -userdom_use_user_terminals(fsadm_t) +term_use_all_terms(fsadm_t) ifdef(`distro_redhat',` optional_policy(` @@ -166,6 +168,14 @@ ') optional_policy(` + hal_dontaudit_write_log(fsadm_t) +') + +optional_policy(` + livecd_rw_tmp_files(fsadm_t) +') + +optional_policy(` nis_use_ypbind(fsadm_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.8.8/policy/modules/system/getty.te --- nsaserefpolicy/policy/modules/system/getty.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/getty.te 2010-07-30 14:06:53.000000000 -0400 @@ -83,7 +83,7 @@ term_setattr_all_ttys(getty_t) term_setattr_unallocated_ttys(getty_t) term_setattr_console(getty_t) -term_dontaudit_use_console(getty_t) +term_use_console(getty_t) auth_rw_login_records(getty_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.8.8/policy/modules/system/hostname.te --- nsaserefpolicy/policy/modules/system/hostname.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/hostname.te 2010-07-30 14:06:53.000000000 -0400 @@ -26,15 +26,18 @@ dev_read_sysfs(hostname_t) +domain_dontaudit_leaks(hostname_t) domain_use_interactive_fds(hostname_t) files_read_etc_files(hostname_t) +files_dontaudit_leaks(hostname_t) files_dontaudit_search_var(hostname_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(hostname_t) fs_getattr_xattr_fs(hostname_t) fs_search_auto_mountpoints(hostname_t) +fs_dontaudit_leaks(hostname_t) fs_dontaudit_use_tmpfs_chr_dev(hostname_t) term_dontaudit_use_console(hostname_t) @@ -53,6 +56,10 @@ sysnet_dns_name_resolve(hostname_t) optional_policy(` + nis_use_ypbind(hostname_t) +') + +optional_policy(` xen_append_log(hostname_t) xen_dontaudit_use_fds(hostname_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.if serefpolicy-3.8.8/policy/modules/system/hotplug.if --- nsaserefpolicy/policy/modules/system/hotplug.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/hotplug.if 2010-07-30 14:06:53.000000000 -0400 @@ -139,7 +139,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.8.8/policy/modules/system/hotplug.te --- nsaserefpolicy/policy/modules/system/hotplug.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/hotplug.te 2010-08-11 08:14:12.000000000 -0400 @@ -23,7 +23,7 @@ # allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio }; -dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config }; +dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config }; # for access("/etc/bashrc", X_OK) on Red Hat dontaudit hotplug_t self:capability { dac_override dac_read_search }; allow hotplug_t self:process { setpgid getsession getattr signal_perms }; @@ -39,14 +39,16 @@ can_exec(hotplug_t, hotplug_exec_t) +manage_dirs_pattern(hotplug_t, hotplug_var_run_t, hotplug_var_run_t) manage_files_pattern(hotplug_t, hotplug_var_run_t, hotplug_var_run_t) -files_pid_filetrans(hotplug_t, hotplug_var_run_t, file) +files_pid_filetrans(hotplug_t, hotplug_var_run_t, { dir file }) kernel_sigchld(hotplug_t) kernel_setpgid(hotplug_t) kernel_read_system_state(hotplug_t) +kernel_read_network_state(hotplug_t) kernel_read_kernel_sysctls(hotplug_t) -kernel_read_net_sysctls(hotplug_t) +kernel_rw_net_sysctls(hotplug_t) files_read_kernel_modules(hotplug_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.8.8/policy/modules/system/init.fc --- nsaserefpolicy/policy/modules/system/init.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/init.fc 2010-07-30 14:06:53.000000000 -0400 @@ -24,7 +24,13 @@ # # /sbin # +/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0) + +# +# /sbin +# /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) +/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) ifdef(`distro_gentoo', ` /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -44,6 +50,9 @@ /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0) + +/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0) # # /var diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.8.8/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/init.if 2010-07-30 14:06:53.000000000 -0400 @@ -105,7 +105,11 @@ role system_r types $1; - domtrans_pattern(init_t,$2,$1) + tunable_policy(`init_systemd',`', ` + domtrans_pattern(init_t,$2,$1) + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; + ') ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray @@ -193,8 +197,10 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; type initrc_t; + type init_t; role system_r; attribute daemon; + attribute initrc_transition_domain; ') typeattribute $1 daemon; @@ -205,6 +211,20 @@ role system_r types $1; domtrans_pattern(initrc_t,$2,$1) + allow initrc_t $1:process siginh; + allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; + allow $1 initrc_transition_domain:fd use; + + tunable_policy(`init_upstart || init_systemd',` + # Handle upstart direct transition to a executable + domtrans_pattern(init_t,$2,$1) + allow init_t $1:process siginh; + ') + + tunable_policy(`init_systemd',` + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; + ') # daemons started from init will # inherit fds from init for the console @@ -285,7 +305,7 @@ type initrc_t; ') - init_daemon_domain($1,$2) +# init_daemon_domain($1,$2) ifdef(`enable_mcs',` range_transition initrc_t $2:process $3; @@ -336,8 +356,10 @@ # interface(`init_system_domain',` gen_require(` + type init_t; type initrc_t; role system_r; + attribute initrc_transition_domain; ') application_domain($1,$2) @@ -345,6 +367,17 @@ role system_r types $1; domtrans_pattern(initrc_t,$2,$1) + allow initrc_t $1:process siginh; + allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; + allow $1 initrc_transition_domain:fd use; + + tunable_policy(`init_systemd',` + # Handle upstart/systemd direct transition to a executable + domtrans_pattern(init_t,$2,$1) + allow init_t $1:process siginh; + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; + ') ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray @@ -353,6 +386,37 @@ kernel_dontaudit_use_fds($1) ') ') + + userdom_dontaudit_search_user_home_dirs($1) + userdom_dontaudit_rw_stream($1) + userdom_dontaudit_write_user_tmp_files($1) + + tunable_policy(`allow_daemons_use_tty',` + term_use_all_ttys($1) + term_use_all_ptys($1) + ',` + term_dontaudit_use_all_ttys($1) + term_dontaudit_use_all_ptys($1) + ') + + # these apps are often redirect output to random log files + logging_inherit_append_all_logs($1) + + optional_policy(` + cron_rw_pipes($1) + ') + + optional_policy(` + xserver_dontaudit_append_xdm_home_files($1) + ') + + optional_policy(` + unconfined_dontaudit_rw_pipes($1) + unconfined_dontaudit_rw_stream($1) + userdom_dontaudit_read_user_tmp_files($1) + ') + + init_rw_script_stream_sockets($1) ') ######################################## @@ -669,12 +733,14 @@ type initctl_t; ') + corecmd_exec_bin($1) + dev_list_all_dev_nodes($1) allow $1 initctl_t:fifo_file rw_fifo_file_perms; init_exec($1) - tunable_policy(`init_upstart',` + tunable_policy(`init_upstart || init_systemd',` gen_require(` type init_t; ') @@ -682,6 +748,8 @@ # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; allow $1 init_t:unix_dgram_socket sendto; + #576913 + allow $1 init_t:unix_stream_socket connectto; ') ') @@ -754,18 +822,19 @@ # interface(`init_spec_domtrans_script',` gen_require(` - type initrc_t, initrc_exec_t; + type initrc_t; + attribute init_script_file_type; ') files_list_etc($1) - spec_domtrans_pattern($1, initrc_exec_t, initrc_t) + spec_domtrans_pattern($1, init_script_file_type, initrc_t) ifdef(`enable_mcs',` - range_transition $1 initrc_exec_t:process s0; + range_transition $1 init_script_file_type:process s0; ') ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; ') ') @@ -781,19 +850,41 @@ # interface(`init_domtrans_script',` gen_require(` - type initrc_t, initrc_exec_t; + type initrc_t; + attribute init_script_file_type; + attribute initrc_transition_domain; ') + typeattribute $1 initrc_transition_domain; files_list_etc($1) - domtrans_pattern($1, initrc_exec_t, initrc_t) + domtrans_pattern($1, init_script_file_type, initrc_t) ifdef(`enable_mcs',` - range_transition $1 initrc_exec_t:process s0; + range_transition $1 init_script_file_type:process s0; ') ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; + ') +') + +######################################## +## +## Execute a file in a bin directory +## in the initrc_t domain +## +## +## +## Domain allowed access. +## +## +# +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; ') + + corecmd_bin_domtrans($1, initrc_t) ') ######################################## @@ -849,8 +940,10 @@ interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; + attribute initrc_transition_domain; ') + typeattribute $1 initrc_transition_domain; domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') @@ -1338,6 +1431,27 @@ ######################################## ## ## Send and receive messages from +## init over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_dbus_chat',` + gen_require(` + type init_t; + class dbus send_msg; + ') + + allow $1 init_t:dbus send_msg; + allow init_t $1:dbus send_msg; +') + +######################################## +## +## Send and receive messages from ## init scripts over dbus. ## ## @@ -1637,7 +1751,7 @@ type initrc_var_run_t; ') - dontaudit $1 initrc_var_run_t:file { getattr read write append lock }; + dontaudit $1 initrc_var_run_t:file rw_file_perms; ') ######################################## @@ -1712,3 +1826,94 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') + +######################################## +## +## Transition to system_r when execute an init script +## +## +##

+## Execute a init script in a specified role +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+## +## +## +## Role to transition from. +## +## +# +interface(`init_script_role_transition',` + gen_require(` + attribute init_script_file_type; + ') + + role_transition $1 init_script_file_type system_r; +') + +######################################## +## +## dontaudit read and write an leaked init scrip file descriptors +## +## +## +## Domain allowed access. +## +## +# +interface(`init_dontaudit_script_leaks',` + gen_require(` + type initrc_t; + ') + + dontaudit $1 initrc_t:tcp_socket { read write }; + dontaudit $1 initrc_t:udp_socket { read write }; + dontaudit $1 initrc_t:unix_dgram_socket { read write }; + dontaudit $1 initrc_t:unix_stream_socket { read write }; + dontaudit $1 initrc_t:shm rw_shm_perms; + init_dontaudit_use_script_ptys($1) + init_dontaudit_use_script_fds($1) +') + + +######################################## +## +## Allow the specified domain to connect to +## the init process with a unix socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_stream_connect',` + gen_require(` + type init_t; + ') + + allow $1 init_t:unix_stream_socket connectto; +') + +######################################## +## +## Allow the specified domain to read/write to +## init with a unix domain stream sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_rw_stream_sockets',` + gen_require(` + type init_t; + ') + + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.8/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-08-17 09:55:08.000000000 -0400 @@ -16,6 +16,27 @@ ## gen_tunable(init_upstart, false) +## +##

+## Enable support for systemd as the init program. +##

+## +gen_tunable(init_systemd, false) + +## +##

+## Allow all daemons the ability to read/write terminals +##

+## +gen_tunable(allow_daemons_use_tty, false) + +## +##

+## Allow all daemons to write corefiles to / +##

+## +gen_tunable(allow_daemons_dump_core, false) + # used for direct running of init scripts # by admin domains attribute direct_run_init; @@ -25,6 +46,7 @@ attribute init_script_domain_type; attribute init_script_file_type; attribute init_run_all_scripts_domain; +attribute initrc_transition_domain; # Mark process types as daemons attribute daemon; @@ -32,7 +54,7 @@ # # init_t is the domain of the init process. # -type init_t; +type init_t, initrc_transition_domain; type init_exec_t; domain_type(init_t) domain_entry_file(init_t, init_exec_t) @@ -63,6 +85,7 @@ # of the below init_upstart tunable # but this has a typeattribute in it corecmd_shell_entry_type(initrc_t) +corecmd_bin_entry_type(initrc_t) type initrc_devpts_t; term_pty(initrc_devpts_t) @@ -87,7 +110,7 @@ # # Use capabilities. old rule: -allow init_t self:capability ~sys_module; +allow init_t self:capability ~{ audit_control audit_write sys_module }; # is ~sys_module really needed? observed: # sys_boot # sys_tty_config @@ -100,7 +123,9 @@ # Re-exec itself can_exec(init_t, init_exec_t) -allow init_t initrc_t:unix_stream_socket connectto; +allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms }; +allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms }; +allow initrc_t init_t:fifo_file rw_fifo_file_perms; # For /var/run/shutdown.pid. allow init_t init_var_run_t:file manage_file_perms; @@ -120,15 +145,19 @@ corecmd_exec_bin(init_t) dev_read_sysfs(init_t) +dev_read_urand(init_t) domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) +domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) +domain_read_all_domains_state(init_t) files_read_etc_files(init_t) +files_read_all_pids(init_t) files_rw_generic_pids(init_t) files_dontaudit_search_isid_type_dirs(init_t) files_manage_etc_runtime_files(init_t) @@ -167,6 +196,8 @@ miscfiles_read_localization(init_t) +allow init_t self:process setsched; + ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') @@ -177,7 +208,7 @@ fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') -tunable_policy(`init_upstart',` +tunable_policy(`init_upstart || init_systemd',` corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. @@ -185,15 +216,68 @@ sysadm_shell_domtrans(init_t) ') +storage_raw_rw_fixed_disk(init_t) +modutils_domtrans_insmod(init_t) + +tunable_policy(`init_systemd',` + allow init_t self:process { setsockcreate setfscreate }; + allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow init_t self:netlink_kobject_uevent_socket create_socket_perms; + # Until systemd is fixed + allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }; + allow init_t self:netlink_route_socket create_netlink_socket_perms; + + kernel_list_unlabeled(init_t) + kernel_read_network_state(init_t) + + dev_write_kmsg(init_t) + dev_rw_autofs(init_t) + dev_manage_generic_dirs(init_t) + dev_manage_generic_files(init_t) + dev_read_generic_chr_files(init_t) + dev_relabelfrom_generic_chr_files(init_t) + dev_relabel_autofs_dev(init_t) + + files_mounton_all_mountpoints(init_t) + files_manage_all_pids_dirs(init_t) + + fs_manage_cgroup_dirs(init_t) + fs_manage_tmpfs_dirs(init_t) + fs_mount_all_fs(init_t) + fs_list_auto_mountpoints(init_t) + fs_read_cgroup_files(init_t) + fs_write_cgroup_files(init_t) + + selinux_compute_create_context(init_t) + selinux_validate_context(init_t) + + init_read_script_state(init_t) + + seutil_read_file_contexts(init_t) +') + optional_policy(` auth_rw_login_records(init_t) ') optional_policy(` + consolekit_manage_log(init_t) +') + +optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) ') optional_policy(` + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) +') + +optional_policy(` nscd_socket_use(init_t) ') @@ -202,6 +286,10 @@ ') optional_policy(` + udev_read_db(init_t) +') + +optional_policy(` unconfined_domain(init_t) ') @@ -211,7 +299,7 @@ # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; -allow initrc_t self:capability ~{ sys_admin sys_module }; +allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module }; dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; @@ -240,6 +328,7 @@ allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) +files_manage_generic_pids_symlinks(initrc_t) can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) @@ -257,11 +346,22 @@ kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) +kernel_request_load_module(initrc_t) kernel_rw_all_sysctls(initrc_t) # for lsof which is used by alsa shutdown: kernel_dontaudit_getattr_message_if(initrc_t) +kernel_stream_connect(initrc_t) +files_read_kernel_modules(initrc_t) +files_read_config_files(initrc_t) +files_read_var_lib_symlinks(initrc_t) +files_setattr_pid_dirs(initrc_t) files_read_kernel_symbol_table(initrc_t) +files_exec_etc_files(initrc_t) +files_manage_etc_symlinks(initrc_t) + +fs_manage_tmpfs_dirs(initrc_t) +fs_tmpfs_filetrans(initrc_t, initrc_state_t, file) corecmd_exec_all_executables(initrc_t) @@ -297,11 +397,13 @@ dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) +dev_rw_xserver_misc(initrc_t) domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) domain_signull_all_domains(initrc_t) domain_sigstop_all_domains(initrc_t) +domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -320,8 +422,10 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) -files_delete_all_locks(initrc_t) +files_manage_all_locks(initrc_t) +files_manage_boot_files(initrc_t) files_read_all_pids(initrc_t) +files_delete_root_files(initrc_t) files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) @@ -337,6 +441,8 @@ files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) +files_manage_mnt_dirs(initrc_t) +files_manage_mnt_files(initrc_t) fs_delete_cgroup_dirs(initrc_t) fs_list_cgroup_dirs(initrc_t) @@ -350,6 +456,8 @@ fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) +fs_search_all(initrc_t) +fs_getattr_nfsd_files(initrc_t) # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) @@ -362,6 +470,7 @@ mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) +mls_socket_write_to_clearance(initrc_t) selinux_get_enforce_mode(initrc_t) @@ -393,13 +502,14 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript -miscfiles_read_certs(initrc_t) +miscfiles_manage_cert_files(initrc_t) modutils_read_module_config(initrc_t) modutils_domtrans_insmod(initrc_t) seutil_read_config(initrc_t) +userdom_read_admin_home_files(initrc_t) userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such @@ -472,7 +582,7 @@ # Red Hat systems seem to have a stray # fd open from the initrd - kernel_dontaudit_use_fds(initrc_t) + kernel_use_fds(initrc_t) files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd @@ -518,6 +628,19 @@ optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) + bind_setattr_zone_dirs(initrc_t) + ') + + optional_policy(` + gnome_manage_gconf_config(initrc_t) + ') + + optional_policy(` + ldap_read_db_files(initrc_t) + ') + + optional_policy(` + pulseaudio_stream_connect(initrc_t) ') optional_policy(` @@ -525,10 +648,17 @@ rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') + optional_policy(` + rpcbind_stream_connect(initrc_t) + ') optional_policy(` sysnet_rw_dhcp_config(initrc_t) sysnet_manage_config(initrc_t) + sysnet_manage_dhcpc_state(initrc_t) + sysnet_relabelfrom_dhcpc_state(initrc_t) + sysnet_relabelfrom_net_conf(initrc_t) + sysnet_relabelto_net_conf(initrc_t) ') optional_policy(` @@ -543,6 +673,35 @@ ') ') +domain_dontaudit_use_interactive_fds(daemon) + +userdom_dontaudit_list_admin_dir(daemon) +userdom_dontaudit_search_user_tmp(daemon) + +tunable_policy(`allow_daemons_use_tty',` + term_use_unallocated_ttys(daemon) + term_use_generic_ptys(daemon) + term_use_all_ttys(daemon) + term_use_all_ptys(daemon) +',` + term_dontaudit_use_unallocated_ttys(daemon) + term_dontaudit_use_generic_ptys(daemon) + term_dontaudit_use_all_ttys(daemon) + term_dontaudit_use_all_ptys(daemon) + ') + +# system-config-services causes avc messages that should be dontaudited +tunable_policy(`allow_daemons_dump_core',` + files_manage_root_files(daemon) +') + +optional_policy(` + unconfined_dontaudit_rw_pipes(daemon) + unconfined_dontaudit_rw_stream(daemon) + userdom_dontaudit_read_user_tmp_files(daemon) + userdom_dontaudit_write_user_tmp_files(daemon) +') + optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) @@ -555,6 +714,8 @@ optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) + # webmin seems to cause this. + apache_search_sys_content(daemon) ') optional_policy(` @@ -571,6 +732,7 @@ optional_policy(` cgroup_stream_connect(initrc_t) + domain_setpriority_all_domains(initrc_t) ') optional_policy(` @@ -583,6 +745,11 @@ ') optional_policy(` + chronyd_append_keys(initrc_t) + chronyd_read_keys(initrc_t) +') + +optional_policy(` dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) @@ -599,6 +766,7 @@ dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) + dbus_manage_lib_files(initrc_t) optional_policy(` consolekit_dbus_chat(initrc_t) @@ -700,7 +868,12 @@ ') optional_policy(` + milter_setattr_all_dirs(initrc_t) +') + +optional_policy(` mta_read_config(initrc_t) + mta_write_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -723,6 +896,10 @@ ') optional_policy(` + plymouthd_stream_connect(initrc_t) +') + +optional_policy(` postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') @@ -744,6 +921,10 @@ ') optional_policy(` + ricci_manage_lib_files(initrc_t) +') + +optional_policy(` fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) @@ -765,8 +946,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) - # why is this needed: - rpm_manage_db(initrc_t) ') optional_policy(` @@ -775,14 +954,21 @@ ') optional_policy(` + # shorewall-init script run /var/lib/shorewall/firewall + shorewall_domtrans_lib(initrc_t) +') + +optional_policy(` squid_read_config(initrc_t) squid_manage_logs(initrc_t) ') +ifdef(`enabled_mls',` optional_policy(` # allow init scripts to su su_restricted_domain_template(initrc, initrc_t, system_r) ') +') optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) @@ -804,11 +990,19 @@ ') optional_policy(` - virt_manage_svirt_cache(initrc_t) + virt_manage_cache(initrc_t) + virt_manage_lib_files(initrc_t) +') + +# Cron jobs used to start and stop services +optional_policy(` + cron_rw_pipes(daemon) + cron_rw_inherited_user_spool_files(daemon) ') optional_policy(` unconfined_domain(initrc_t) + domain_role_change_exemption(initrc_t) ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited @@ -818,6 +1012,25 @@ optional_policy(` mono_domtrans(initrc_t) ') + + # Allow SELinux aware applications to request rpm_script_t execution + rpm_transition_script(initrc_t) + + + optional_policy(` + gen_require(` + type unconfined_execmem_t, execmem_exec_t; + ') + init_system_domain(unconfined_execmem_t, execmem_exec_t) + ') + + optional_policy(` + rtkit_scheduled(initrc_t) + ') +') + +optional_policy(` + rpm_delete_db(initrc_t) ') optional_policy(` @@ -843,3 +1056,55 @@ optional_policy(` zebra_read_config(initrc_t) ') + +userdom_inherit_append_user_home_content_files(daemon) +userdom_inherit_append_user_tmp_files(daemon) +userdom_dontaudit_rw_stream(daemon) + +logging_append_all_logs(daemon) + +optional_policy(` + # sudo service restart causes this + unconfined_signull(daemon) +') + + +optional_policy(` + xserver_dontaudit_append_xdm_home_files(daemon) + tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files(daemon) + ') + tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_rw_cifs_files(daemon) + ') +') + +init_rw_script_stream_sockets(daemon) + +optional_policy(` + fail2ban_read_lib_files(daemon) +') + +init_rw_stream_sockets(daemon) + +ifdef(`hide_broken_symptoms',` +optional_policy(` +gen_require(` + type system_dbusd_var_run_t; + type fsadm_t; + type avahi_var_run_t; +') + +fs_list_auto_mountpoints(fsadm_t) + +fs_list_auto_mountpoints(lvm_t) +fs_list_hugetlbfs(lvm_t) + +allow init_t avahi_var_run_t:dir { write add_name }; +allow init_t avahi_var_run_t:sock_file create; + +allow init_t system_dbusd_var_run_t:dir { write add_name }; +allow init_t system_dbusd_var_run_t:sock_file create; + +') +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.8.8/policy/modules/system/ipsec.fc --- nsaserefpolicy/policy/modules/system/ipsec.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/ipsec.fc 2010-08-03 13:29:20.000000000 -0400 @@ -25,6 +25,7 @@ /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) @@ -35,6 +36,8 @@ /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) +/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) + /var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0) /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.8.8/policy/modules/system/ipsec.if --- nsaserefpolicy/policy/modules/system/ipsec.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/ipsec.if 2010-08-11 07:44:10.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -20,11 +20,29 @@ ######################################## ## +## Execute ipsec in the ipsec mgmt domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ipsec_domtrans_mgmt',` + gen_require(` + type ipsec_mgmt_t, ipsec_mgmt_exec_t; + ') + + domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t) +') + +######################################## +## ## Connect to IPSEC using a unix domain stream socket. ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -43,7 +61,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -62,7 +80,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -80,7 +98,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -98,7 +116,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -175,7 +193,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -194,7 +212,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -237,7 +255,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -273,3 +291,81 @@ ipsec_domtrans_setkey($1) role $2 types setkey_t; ') + +######################################## +## +## Send ipsec mgmt a signal +## +## +## +## Domain allowed access. +## +## +# +# +interface(`ipsec_signal_mgmt',` + gen_require(` + type ipsec_mgmt_t; + ') + + allow $1 ipsec_mgmt_t:process signal; +') + +######################################## +## +## Send ipsec mgmt a signull +## +## +## +## Domain allowed access. +## +## +# +# +interface(`ipsec_signull_mgmt',` + gen_require(` + type ipsec_mgmt_t; + ') + + allow $1 ipsec_mgmt_t:process signull; +') + +######################################## +## +## Send ipsec mgmt a kill signal. +## +## +## +## Domain allowed access. +## +## +# +# +interface(`ipsec_kill_mgmt',` + gen_require(` + type ipsec_mgmt_t; + ') + + allow $1 ipsec_mgmt_t:process sigkill; +') + +###################################### +## +## Send and receive messages from +## ipsec-mgmt over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`ipsec_mgmt_dbus_chat',` + gen_require(` + type ipsec_mgmt_t; + class dbus send_msg; + ') + + allow $1 ipsec_mgmt_t:dbus send_msg; + allow ipsec_mgmt_t $1:dbus send_msg; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.8.8/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/ipsec.te 2010-08-11 08:20:05.000000000 -0400 @@ -72,7 +72,7 @@ # allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; -dontaudit ipsec_t self:capability sys_tty_config; +dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; allow ipsec_t self:process { getcap setcap getsched signal setsched }; allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:udp_socket create_socket_perms; @@ -94,9 +94,10 @@ manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file }) +manage_dirs_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) -files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file }) +files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file }) can_exec(ipsec_t, ipsec_mgmt_exec_t) @@ -107,7 +108,7 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) allow ipsec_mgmt_t ipsec_t:fd use; allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; -dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; +allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; allow ipsec_mgmt_t ipsec_t:process sigchld; kernel_read_kernel_sysctls(ipsec_t) @@ -149,6 +150,7 @@ files_list_tmp(ipsec_t) files_read_etc_files(ipsec_t) files_read_usr_files(ipsec_t) +files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -166,6 +168,8 @@ miscfiles_read_localization(ipsec_t) sysnet_domtrans_ifconfig(ipsec_t) +sysnet_manage_config(ipsec_t) +sysnet_etc_filetrans_config(ipsec_t) userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) @@ -184,8 +188,8 @@ # allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; -dontaudit ipsec_mgmt_t self:capability sys_tty_config; -allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal }; +dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config }; +allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; @@ -224,7 +228,6 @@ manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) -files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file) # whack needs to connect to pluto stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) @@ -243,6 +246,17 @@ kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) +# don't audit using of lsof +dontaudit ipsec_mgmt_t self:capability sys_ptrace; + +domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t) +domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t) + +dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t) +dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t) + +files_dontaudit_getattr_all_files(ipsec_mgmt_t) +files_dontaudit_getattr_all_sockets(ipsec_mgmt_t) files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) @@ -257,7 +271,7 @@ domain_use_interactive_fds(ipsec_mgmt_t) # denials when ps tries to search /proc. Do not audit these denials. -domain_dontaudit_list_all_domains_state(ipsec_mgmt_t) +domain_dontaudit_read_all_domains_state(ipsec_mgmt_t) # suppress audit messages about unnecessary socket access # cjp: this seems excessive domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t) @@ -275,8 +289,11 @@ fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) -term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t) +term_use_all_terms(ipsec_mgmt_t) + +auth_dontaudit_read_login_records(ipsec_mgmt_t) +init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) @@ -290,7 +307,9 @@ seutil_dontaudit_search_config(ipsec_mgmt_t) +sysnet_manage_config(ipsec_mgmt_t) sysnet_domtrans_ifconfig(ipsec_mgmt_t) +sysnet_etc_filetrans_config(ipsec_mgmt_t) userdom_use_user_terminals(ipsec_mgmt_t) @@ -299,6 +318,23 @@ ') optional_policy(` + hostname_exec(ipsec_mgmt_t) +') + +optional_policy(` + dbus_system_bus_client(ipsec_mgmt_t) + dbus_connect_system_bus(ipsec_mgmt_t) + + optional_policy(` + networkmanager_dbus_chat(ipsec_mgmt_t) + ') +') + +optional_policy(` + iptables_domtrans(ipsec_mgmt_t) +') + +optional_policy(` nscd_socket_use(ipsec_mgmt_t) ') @@ -385,6 +421,8 @@ sysnet_exec_ifconfig(racoon_t) +auth_use_pam(racoon_t) + auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) @@ -411,6 +449,7 @@ files_read_etc_files(setkey_t) init_dontaudit_use_fds(setkey_t) +init_read_script_tmp_files(setkey_t) # allow setkey to set the context for ipsec SAs and policy. ipsec_setcontext_default_spd(setkey_t) @@ -422,3 +461,4 @@ seutil_read_config(setkey_t) userdom_use_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.8.8/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/iptables.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,12 +1,19 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) -/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0) +/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) + +/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) + + /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0) /usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.8.8/policy/modules/system/iptables.if --- nsaserefpolicy/policy/modules/system/iptables.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/iptables.if 2010-08-05 15:53:11.000000000 -0400 @@ -17,6 +17,10 @@ corecmd_search_bin($1) domtrans_pattern($1, iptables_exec_t, iptables_t) + + ifdef(`hide_broken_symptoms', ` + dontaudit iptables_t $1:socket_class_set { read write }; + ') ') ######################################## @@ -76,7 +80,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -134,7 +138,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.8.8/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/iptables.te 2010-07-30 14:06:53.000000000 -0400 @@ -13,9 +13,6 @@ type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) -type iptables_conf_t; -files_config_file(iptables_conf_t) - type iptables_tmp_t; files_tmp_file(iptables_tmp_t) @@ -29,12 +26,14 @@ allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw }; dontaudit iptables_t self:capability sys_tty_config; -allow iptables_t self:fifo_file rw_fifo_file_perms; +allow iptables_t self:fifo_file rw_file_perms; allow iptables_t self:process { sigchld sigkill sigstop signull signal }; +# needed by ipvsadm +allow iptables_t self:netlink_socket create_socket_perms; allow iptables_t self:rawip_socket create_socket_perms; -manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t) -files_etc_filetrans(iptables_t, iptables_conf_t, file) +files_manage_system_conf_files(iptables_t) +files_etc_filetrans_system_conf(iptables_t) manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) files_pid_filetrans(iptables_t, iptables_var_run_t, file) @@ -52,10 +51,17 @@ kernel_read_modprobe_sysctls(iptables_t) kernel_use_fds(iptables_t) +# needed by ipvsadm +corecmd_exec_bin(iptables_t) +corecmd_exec_shell(iptables_t) + corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) +ifdef(`hide_broken_symptoms',` + dev_dontaudit_write_mtrr(iptables_t) +') fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) @@ -64,11 +70,13 @@ mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) +term_use_all_terms(iptables_t) domain_use_interactive_fds(iptables_t) files_read_etc_files(iptables_t) files_read_etc_runtime_files(iptables_t) +files_read_usr_files(iptables_t) auth_use_nsswitch(iptables_t) @@ -77,6 +85,7 @@ # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) +init_dontaudit_script_leaks(iptables_t) logging_send_syslog_msg(iptables_t) @@ -90,6 +99,7 @@ optional_policy(` fail2ban_append_log(iptables_t) + fail2ban_dontaudit_leaks(iptables_t) ') optional_policy(` @@ -112,6 +122,7 @@ optional_policy(` psad_rw_tmp_files(iptables_t) + psad_write_log(iptables_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.8.8/policy/modules/system/iscsi.if --- nsaserefpolicy/policy/modules/system/iscsi.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/iscsi.if 2010-07-30 14:06:53.000000000 -0400 @@ -24,7 +24,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -56,3 +56,21 @@ allow $1 iscsi_var_lib_t:dir list_dir_perms; files_search_var_lib($1) ') + +######################################## +## +## Manage iscsid sempaphores. +## +## +## +## Domain allowed access. +## +## +# +interface(`iscsi_manage_semaphores',` + gen_require(` + type iscsid_t; + ') + + allow $1 iscsid_t:sem create_sem_perms; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.8.8/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/iscsi.te 2010-07-30 14:06:53.000000000 -0400 @@ -76,6 +76,8 @@ dev_rw_sysfs(iscsid_t) dev_rw_userio_dev(iscsid_t) +dev_read_raw_memory(iscsid_t) +dev_write_raw_memory(iscsid_t) domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.if serefpolicy-3.8.8/policy/modules/system/kdump.if --- nsaserefpolicy/policy/modules/system/kdump.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/kdump.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -25,7 +25,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.8.8/policy/modules/system/kdump.te --- nsaserefpolicy/policy/modules/system/kdump.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/kdump.te 2010-08-04 13:52:39.000000000 -0400 @@ -29,6 +29,8 @@ kernel_read_system_state(kdump_t) kernel_read_core_if(kdump_t) +kernel_read_debugfs(kdump_t) +kernel_request_load_module(kdump_t) dev_read_framebuffer(kdump_t) dev_read_sysfs(kdump_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.8.8/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/libraries.fc 2010-07-30 14:06:53.000000000 -0400 @@ -129,15 +129,13 @@ /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/vlc/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/catalyst/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -151,6 +149,7 @@ /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libzita-convolver\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -208,6 +207,7 @@ /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libgpac\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -247,6 +247,7 @@ /usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/sane/libsane-epkowa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame @@ -302,13 +303,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) -/usr/lib64/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) -/usr/lib(64)?/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) -/usr/lib(64)?/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) - -/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) -/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) +/usr/lib64/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) ') dnl end distro_redhat # @@ -319,14 +315,149 @@ /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) - /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) +/usr/lib(64)?/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) +/usr/lib(64)?/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) +/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) + ifdef(`distro_suse',` /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) ') +/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) +/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) + +/usr/lib(64)?/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/mythtv/filters/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/altera9.1/quartus/linux/libccl_err\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/googleearth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0) + +/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/oracle(64)?/.*/lib/libclntsh\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + + +/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/local/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libav.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/libADM.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +ifdef(`fixed',` +/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +# Flash plugin, Macromedia +HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +') +/opt/VBoxGuestAdditions.*/lib/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/nmm/liba52\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lampp/lib/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/games/darwinia/lib/libSDL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ocp-.*/mixclip\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/Unify/SQLBase/libgptsblmsui11\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/real/RealPlayer/plugins(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/real/RealPlayer/codecs(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/nsr/(.*/)?.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.8.8/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/libraries.te 2010-07-30 14:06:53.000000000 -0400 @@ -61,7 +61,7 @@ manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) -allow ldconfig_t ld_so_cache_t:file manage_file_perms; +manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t) files_etc_filetrans(ldconfig_t, ld_so_cache_t, file) manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t) @@ -79,6 +79,7 @@ domain_use_interactive_fds(ldconfig_t) +files_search_home(ldconfig_t) files_search_var_lib(ldconfig_t) files_read_etc_files(ldconfig_t) files_read_usr_files(ldconfig_t) @@ -94,6 +95,7 @@ logging_send_syslog_msg(ldconfig_t) +term_use_console(ldconfig_t) userdom_use_user_terminals(ldconfig_t) userdom_use_all_users_fds(ldconfig_t) @@ -103,6 +105,10 @@ ') ') +userdom_manage_user_home_content_files(ldconfig_t) +userdom_manage_user_tmp_files(ldconfig_t) +userdom_manage_user_tmp_symlinks(ldconfig_t) + ifdef(`hide_broken_symptoms',` ifdef(`distro_gentoo',` # leaked fds from portage diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.fc serefpolicy-3.8.8/policy/modules/system/locallogin.fc --- nsaserefpolicy/policy/modules/system/locallogin.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/locallogin.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,2 +1,3 @@ /sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) +/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.if serefpolicy-3.8.8/policy/modules/system/locallogin.if --- nsaserefpolicy/policy/modules/system/locallogin.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/locallogin.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -28,7 +28,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.8.8/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/locallogin.te 2010-07-30 14:06:53.000000000 -0400 @@ -32,9 +32,8 @@ # Local login local policy # -allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; -allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow local_login_t self:process { setrlimit setexec }; +allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_ptrace sys_resource sys_tty_config }; +allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap }; allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; allow local_login_t self:sock_file read_sock_file_perms; @@ -73,6 +72,8 @@ dev_setattr_power_mgmt_dev(local_login_t) dev_getattr_sound_dev(local_login_t) dev_setattr_sound_dev(local_login_t) +dev_rw_generic_usb_dev(local_login_t) +dev_read_video_dev(local_login_t) dev_dontaudit_getattr_apm_bios_dev(local_login_t) dev_dontaudit_setattr_apm_bios_dev(local_login_t) dev_dontaudit_read_framebuffer(local_login_t) @@ -125,6 +126,7 @@ auth_domtrans_pam_console(local_login_t) init_dontaudit_use_fds(local_login_t) +init_stream_connect(local_login_t) miscfiles_read_localization(local_login_t) @@ -151,6 +153,12 @@ fs_read_cifs_symlinks(local_login_t) ') +tunable_policy(`allow_console_login',` + term_use_console(local_login_t) + term_relabel_console(local_login_t) + term_setattr_console(local_login_t) +') + optional_policy(` alsa_domtrans(local_login_t) ') @@ -180,7 +188,7 @@ ') optional_policy(` - unconfined_domain(local_login_t) + unconfined_shell_domtrans(local_login_t) ') optional_policy(` @@ -197,9 +205,10 @@ # Sulogin local policy # +allow sulogin_t self:capability dac_override; allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sulogin_t self:fd use; -allow sulogin_t self:fifo_file rw_file_perms; +allow sulogin_t self:fifo_file rw_fifo_file_perms; allow sulogin_t self:unix_dgram_socket create_socket_perms; allow sulogin_t self:unix_stream_socket create_stream_socket_perms; allow sulogin_t self:unix_dgram_socket sendto; @@ -219,6 +228,7 @@ files_dontaudit_search_isid_type_dirs(sulogin_t) auth_read_shadow(sulogin_t) +auth_use_nsswitch(sulogin_t) init_getpgid_script(sulogin_t) @@ -232,14 +242,23 @@ userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) -sysadm_shell_domtrans(sulogin_t) +term_use_console(sulogin_t) +term_use_unallocated_ttys(sulogin_t) + +ifdef(`enable_mls',` + sysadm_shell_domtrans(sulogin_t) +',` + optional_policy(` + unconfined_shell_domtrans(sulogin_t) + ') +') # suse and debian do not use pam with sulogin... ifdef(`distro_suse', `define(`sulogin_no_pam')') ifdef(`distro_debian', `define(`sulogin_no_pam')') +allow sulogin_t self:capability sys_tty_config; ifdef(`sulogin_no_pam', ` - allow sulogin_t self:capability sys_tty_config; init_getpgid(sulogin_t) ', ` allow sulogin_t self:process setexec; @@ -250,11 +269,3 @@ selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') - -optional_policy(` - nis_use_ypbind(sulogin_t) -') - -optional_policy(` - nscd_socket_use(sulogin_t) -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.8.8/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/logging.fc 2010-07-30 14:06:53.000000000 -0400 @@ -17,6 +17,10 @@ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) + /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) @@ -54,14 +58,16 @@ /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') -/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) -/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0) -/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0) -/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0) +/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) +/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh) +/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) +/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) /var/run/log -s gen_context(system_u:object_r:devlog_t,s0) /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) +/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) +/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) @@ -69,3 +75,5 @@ /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.8.8/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/logging.if 2010-07-30 14:06:53.000000000 -0400 @@ -545,6 +545,25 @@ ######################################## ## +## Connect to the syslog control unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_stream_connect_syslog',` + gen_require(` + type syslogd_t, syslogd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t) +') + +######################################## +## ## Read the auditd configuration files. ## ## @@ -715,7 +734,25 @@ ') files_search_var($1) - append_files_pattern($1, var_log_t, logfile) + append_files_pattern($1, logfile, logfile) +') + +######################################## +## +## Append to all log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_inherit_append_all_logs',` + gen_require(` + attribute logfile; + ') + + allow $1 logfile:file { getattr append }; ') ######################################## @@ -798,7 +835,7 @@ files_search_var($1) manage_files_pattern($1, logfile, logfile) - read_lnk_files_pattern($1, logfile, logfile) + manage_lnk_files_pattern($1, logfile, logfile) ') ######################################## @@ -996,6 +1033,8 @@ manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) + allow $1 logfile:dir { relabelfrom relabelto }; + allow $1 logfile:file { relabelfrom relabelto }; init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.8.8/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/logging.te 2010-08-18 07:09:50.000000000 -0400 @@ -60,6 +60,7 @@ type syslogd_t; type syslogd_exec_t; init_daemon_domain(syslogd_t, syslogd_exec_t) +mls_trusted_object(syslogd_t) type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) @@ -179,6 +180,8 @@ logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) +auth_use_nsswitch(auditd_t) + miscfiles_read_localization(auditd_t) mls_file_read_all_levels(auditd_t) @@ -234,7 +237,12 @@ files_read_etc_files(audisp_t) files_read_etc_runtime_files(audisp_t) +mls_file_read_all_levels(audisp_t) mls_file_write_all_levels(audisp_t) +mls_socket_write_all_levels(audisp_t) +mls_dbus_send_all_levels(audisp_t) + +auth_use_nsswitch(audisp_t) logging_send_syslog_msg(audisp_t) @@ -244,14 +252,22 @@ optional_policy(` dbus_system_bus_client(audisp_t) + + optional_policy(` + setroubleshoot_dbus_chat(audisp_t) + ') ') ######################################## # # Audit remote logger local policy # - +allow audisp_remote_t self:capability { setuid setpcap }; +allow audisp_remote_t self:process { getcap setcap }; allow audisp_remote_t self:tcp_socket create_socket_perms; +allow audisp_remote_t var_log_t:dir search_dir_perms; + +corecmd_exec_bin(audisp_remote_t) corenet_all_recvfrom_unlabeled(audisp_remote_t) corenet_all_recvfrom_netlabel(audisp_remote_t) @@ -266,9 +282,16 @@ files_read_etc_files(audisp_remote_t) logging_send_syslog_msg(audisp_remote_t) +logging_send_audit_msgs(audisp_remote_t) + +auth_use_nsswitch(audisp_remote_t) miscfiles_read_localization(audisp_remote_t) +init_telinit(audisp_remote_t) +init_read_utmp(audisp_remote_t) +init_dontaudit_write_utmp(audisp_remote_t) + sysnet_dns_name_resolve(audisp_remote_t) ######################################## @@ -369,9 +392,15 @@ manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) +manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) files_search_var_lib(syslogd_t) +manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir }) + # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) @@ -412,6 +441,7 @@ dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) +dev_read_rand(syslogd_t) domain_use_interactive_fds(syslogd_t) @@ -488,6 +518,10 @@ ') optional_policy(` + daemontools_search_svc_dir(syslogd_t) +') + +optional_policy(` udev_read_db(syslogd_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.8.8/policy/modules/system/lvm.fc --- nsaserefpolicy/policy/modules/system/lvm.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/lvm.fc 2010-07-30 14:06:53.000000000 -0400 @@ -28,10 +28,12 @@ # /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) +/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0) # # /sbin # +/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.8.8/policy/modules/system/lvm.if --- nsaserefpolicy/policy/modules/system/lvm.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/lvm.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -25,7 +25,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -44,7 +44,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -69,7 +69,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.8.8/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/lvm.te 2010-07-30 14:06:53.000000000 -0400 @@ -141,6 +141,11 @@ ') optional_policy(` + aisexec_stream_connect(clvmd_t) + corosync_stream_connect(clvmd_t) +') + +optional_policy(` ccs_stream_connect(clvmd_t) ') @@ -170,6 +175,7 @@ allow lvm_t self:process { sigchld sigkill sigstop signull signal }; # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; +allow lvm_t self:sem create_sem_perms; allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; @@ -211,11 +217,13 @@ files_search_mnt(lvm_t) kernel_read_system_state(lvm_t) +kernel_read_kernel_sysctls(lvm_t) # Read system variables in /proc/sys kernel_read_kernel_sysctls(lvm_t) # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) kernel_use_fds(lvm_t) +kernel_request_load_module(lvm_t) kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) @@ -242,6 +250,7 @@ dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) +dev_rw_generic_files(lvm_t) domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) @@ -251,8 +260,9 @@ files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) +files_dontaudit_getattr_tmpfs_files(lvm_t) -fs_getattr_xattr_fs(lvm_t) +fs_getattr_all_fs(lvm_t) fs_search_auto_mountpoints(lvm_t) fs_list_tmpfs(lvm_t) fs_read_tmpfs_symlinks(lvm_t) @@ -262,6 +272,7 @@ mls_file_read_all_levels(lvm_t) mls_file_write_to_clearance(lvm_t) +mls_file_upgrade(lvm_t) selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) @@ -309,6 +320,11 @@ ') optional_policy(` + aisexec_stream_connect(lvm_t) + corosync_stream_connect(lvm_t) +') + +optional_policy(` bootloader_rw_tmp_files(lvm_t) ') @@ -329,6 +345,10 @@ ') optional_policy(` + livecd_rw_semaphores(lvm_t) +') + +optional_policy(` modutils_domtrans_insmod(lvm_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.8.8/policy/modules/system/miscfiles.fc --- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/miscfiles.fc 2010-07-30 14:06:53.000000000 -0400 @@ -75,13 +75,11 @@ /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) -/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) - /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) -/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) +/var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0) -/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) +/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) ifdef(`distro_debian',` /var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.8.8/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/miscfiles.if 2010-08-11 09:33:51.000000000 -0400 @@ -2,6 +2,50 @@ ######################################## ## +## Make the specified type usable as a cert file. +## +## +##

+## Make the specified type usable for cert files. +## This will also make the type usable for files, making +## calls to files_type() redundant. Failure to use this interface +## for a temporary file may result in problems with +## cert management tools. +##

+##

+## Related interfaces: +##

+##
    +##
  • files_type()
    • +##
+##

+## Example: +##

+##

+## type mycertfile_t; +## cert_type(mycertfile_t) +## allow mydomain_t mycertfile_t:file read_file_perms; +## files_search_etc(mydomain_t) +##

+## +## +## +## Type to be used for files. +## +## +## +# +interface(`miscfiles_cert_type',` + gen_require(` + attribute cert_type; + ') + + typeattribute $1 cert_type; + files_type($1) +') + +######################################## +## ## Read system SSL certificates. ## ## @@ -13,12 +57,12 @@ # interface(`miscfiles_read_certs',` gen_require(` - type cert_t; + attribute cert_type; ') - allow $1 cert_t:dir list_dir_perms; - read_files_pattern($1, cert_t, cert_t) - read_lnk_files_pattern($1, cert_t, cert_t) + allow $1 cert_type:dir list_dir_perms; + read_files_pattern($1, cert_type, cert_type) + read_lnk_files_pattern($1, cert_type, cert_type) ') ######################################## @@ -305,9 +349,6 @@ allow $1 locale_t:dir list_dir_perms; read_files_pattern($1, locale_t, locale_t) read_lnk_files_pattern($1, locale_t, locale_t) - - # why? - libs_read_lib_files($1) ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.8.8/policy/modules/system/miscfiles.te --- nsaserefpolicy/policy/modules/system/miscfiles.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/miscfiles.te 2010-08-11 09:33:09.000000000 -0400 @@ -4,12 +4,13 @@ # # Declarations # +attribute cert_type; # # cert_t is the type of files in the system certs directories. # type cert_t; -files_type(cert_t) +miscfiles_cert_type(cert_t) # # fonts_t is the type of various font diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.8.8/policy/modules/system/modutils.if --- nsaserefpolicy/policy/modules/system/modutils.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/modutils.if 2010-07-30 14:06:53.000000000 -0400 @@ -39,6 +39,26 @@ ######################################## ## +## list the configuration options used when +## loading modules. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`modutils_list_module_config',` + gen_require(` + type modules_conf_t; + ') + + list_dirs_pattern($1, modules_conf_t, modules_conf_t) +') + +######################################## +## ## Read the configuration options used when ## loading modules. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.8.8/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/modutils.te 2010-07-30 14:06:53.000000000 -0400 @@ -18,6 +18,7 @@ type insmod_exec_t; application_domain(insmod_t, insmod_exec_t) mls_file_write_all_levels(insmod_t) +mls_process_write_down(insmod_t) role system_r types insmod_t; # module loading config @@ -55,12 +56,14 @@ domain_use_interactive_fds(depmod_t) +files_delete_kernel_modules(depmod_t) files_read_kernel_symbol_table(depmod_t) files_read_kernel_modules(depmod_t) files_read_etc_runtime_files(depmod_t) files_read_etc_files(depmod_t) files_read_usr_src_files(depmod_t) files_list_usr(depmod_t) +files_read_boot_files(depmod_t) fs_getattr_xattr_fs(depmod_t) @@ -74,6 +77,7 @@ # Read System.map from home directories. files_list_home(depmod_t) userdom_read_user_home_content_files(depmod_t) +userdom_manage_user_tmp_files(depmod_t) ifdef(`distro_ubuntu',` optional_policy(` @@ -104,7 +108,7 @@ # insmod local policy # -allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config }; +allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config }; allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:udp_socket create_socket_perms; @@ -125,6 +129,7 @@ kernel_mount_debugfs(insmod_t) kernel_mount_kvmfs(insmod_t) kernel_read_debugfs(insmod_t) +kernel_request_load_module(insmod_t) # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) @@ -142,6 +147,7 @@ dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) +dev_create_generic_chr_files(insmod_t) domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) @@ -160,11 +166,15 @@ fs_getattr_xattr_fs(insmod_t) fs_dontaudit_use_tmpfs_chr_dev(insmod_t) +fs_mount_rpc_pipefs(insmod_t) +fs_search_rpc(insmod_t) init_rw_initctl(insmod_t) init_use_fds(insmod_t) init_use_script_fds(insmod_t) init_use_script_ptys(insmod_t) +init_spec_domtrans_script(insmod_t) +init_rw_script_tmp_files(insmod_t) logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) @@ -173,8 +183,7 @@ seutil_read_file_contexts(insmod_t) -userdom_use_user_terminals(insmod_t) - +term_use_all_terms(insmod_t) userdom_dontaudit_search_user_home_dirs(insmod_t) if( ! secure_mode_insmod ) { @@ -235,6 +244,10 @@ ') optional_policy(` + virt_dontaudit_write_pipes(insmod_t) +') + +optional_policy(` # cjp: why is this needed: dev_rw_xserver_misc(insmod_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.8.8/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/mount.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,4 +1,10 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) +/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) +/usr/sbin/showmount -- gen_context(system_u:object_r:showmount_exec_t,s0) -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.8.8/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/mount.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -16,6 +16,14 @@ ') domtrans_pattern($1, mount_exec_t, mount_t) + mount_domtrans_fusermount($1) + +ifdef(`hide_broken_symptoms', ` + dontaudit mount_t $1:unix_stream_socket { read write }; + dontaudit mount_t $1:tcp_socket { read write }; + dontaudit mount_t $1:udp_socket { read write }; +') + ') ######################################## @@ -26,7 +34,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -45,17 +53,63 @@ role $2 types mount_t; optional_policy(` - samba_run_smbmount($1, $2) + fstools_run(mount_t, $2) + ') + + # Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711 + optional_policy(` + lvm_run(mount_t, $2) + ') + + optional_policy(` + modutils_run_insmod(mount_t, $2) + ') + + optional_policy(` + rpc_run_rpcd(mount_t, $2) + ') + + optional_policy(` + samba_run_smbmount(mount_t, $2) ') ') ######################################## ## +## Execute fusermount in the mount domain, and +## allow the specified role the mount domain, +## and use the caller's terminal. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the mount domain. +## +## +## +# +interface(`mount_run_fusermount',` + gen_require(` + type mount_t; + ') + + mount_domtrans_fusermount($1) + role $2 types mount_t; + + fstools_run(mount_t, $2) +') + +######################################## +## ## Execute mount in the caller domain. ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -84,9 +138,11 @@ interface(`mount_signal',` gen_require(` type mount_t; + type unconfined_mount_t; ') allow $1 mount_t:process signal; + allow $1 unconfined_mount_t:process signal; ') ######################################## @@ -95,7 +151,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -176,4 +232,109 @@ mount_domtrans_unconfined($1) role $2 types unconfined_mount_t; + + optional_policy(` + rpc_run_rpcd(unconfined_mount_t, $2) + ') + + optional_policy(` + samba_run_smbmount(unconfined_mount_t, $2) + ') +') + +######################################## +## +## Execute fusermount in the mount domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`mount_domtrans_fusermount',` + gen_require(` + type mount_t, fusermount_exec_t; + ') + + domtrans_pattern($1, fusermount_exec_t, mount_t) +') + +######################################## +## +## Execute fusermount. +## +## +## +## Domain allowed access. +## +## +# +interface(`mount_exec_fusermount',` + gen_require(` + type fusermount_exec_t; + ') + + can_exec($1, fusermount_exec_t) +') + +######################################## +## +## dontaudit Execute fusermount. +## +## +## +## Domain allowed access. +## +## +# +interface(`mount_dontaudit_exec_fusermount',` + gen_require(` + type fusermount_exec_t; + ') + + dontaudit $1 fusermount_exec_t:file exec_file_perms; +') + +###################################### +## +## Execute a domain transition to run showmount. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`mount_domtrans_showmount',` + gen_require(` + type showmount_t, showmount_exec_t; + ') + + domtrans_pattern($1, showmount_exec_t, showmount_t) +') + +###################################### +## +## Execute showmount in the showmount domain, and +## allow the specified role the showmount domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the showmount domain. +## +## +# +interface(`mount_run_showmount',` + gen_require(` + type showmount_t; + ') + + mount_domtrans_showmount($1) + role $2 types showmount_t; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.8.8/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/mount.te 2010-07-30 14:06:53.000000000 -0400 @@ -17,8 +17,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; +type fusermount_exec_t; +domain_entry_file(mount_t, fusermount_exec_t) + +typealias mount_t alias mount_ntfs_t; +typealias mount_exec_t alias mount_ntfs_exec_t; + type mount_loopback_t; # customizable files_type(mount_loopback_t) +typealias mount_loopback_t alias mount_loop_t; type mount_tmp_t; files_tmp_file(mount_tmp_t) @@ -28,6 +35,17 @@ # policy--duplicate type declaration type unconfined_mount_t; application_domain(unconfined_mount_t, mount_exec_t) +role system_r types unconfined_mount_t; + +type mount_var_run_t; +files_pid_file(mount_var_run_t) + +# showmount - show mount information for an NFS server + +type showmount_t; +type showmount_exec_t; +application_domain(showmount_t, showmount_exec_t) +role system_r types showmount_t; ######################################## # @@ -35,7 +53,11 @@ # # setuid/setgid needed to mount cifs -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; +allow mount_t self:capability { fsetid ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid }; +allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal }; +allow mount_t self:fifo_file rw_fifo_file_perms; +allow mount_t self:unix_stream_socket create_stream_socket_perms; +allow mount_t self:unix_dgram_socket create_socket_perms; allow mount_t mount_loopback_t:file read_file_perms; @@ -46,30 +68,51 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) +manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t) +manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t) +files_pid_filetrans(mount_t,mount_var_run_t,dir) +files_var_filetrans(mount_t,mount_var_run_t,dir) + +# In order to mount reiserfs_t +kernel_dontaudit_getattr_core_if(mount_t) +kernel_list_unlabeled(mount_t) +kernel_mount_unlabeled(mount_t) +kernel_unmount_unlabeled(mount_t) kernel_read_system_state(mount_t) +kernel_read_network_state(mount_t) kernel_read_kernel_sysctls(mount_t) -kernel_dontaudit_getattr_core_if(mount_t) +kernel_search_debugfs(mount_t) +kernel_setsched(mount_t) +kernel_use_fds(mount_t) +kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) +dev_getattr_generic_blk_files(mount_t) dev_getattr_all_blk_files(mount_t) dev_list_all_dev_nodes(mount_t) +dev_read_usbfs(mount_t) +dev_read_rand(mount_t) +dev_read_sysfs(mount_t) dev_rw_lvm_control(mount_t) dev_dontaudit_getattr_all_chr_files(mount_t) dev_dontaudit_getattr_memory_dev(mount_t) dev_getattr_sound_dev(mount_t) domain_use_interactive_fds(mount_t) +domain_dontaudit_search_all_domains_state(mount_t) files_search_all(mount_t) files_read_etc_files(mount_t) files_manage_etc_runtime_files(mount_t) files_etc_filetrans_etc_runtime(mount_t, file) files_mounton_all_mountpoints(mount_t) +# ntfs-3g checks whether the mountpoint is writable before mounting +files_write_all_mountpoints(mount_t) files_unmount_rootfs(mount_t) # These rules need to be generalized. Only admin, initrc should have it: -files_relabelto_all_file_type_fs(mount_t) +files_relabel_all_file_type_fs(mount_t) files_mount_all_file_type_fs(mount_t) files_unmount_all_file_type_fs(mount_t) # for when /etc/mtab loses its type @@ -79,15 +122,20 @@ files_read_usr_files(mount_t) files_list_mnt(mount_t) -fs_getattr_xattr_fs(mount_t) -fs_getattr_cifs(mount_t) +fs_list_all(mount_t) +fs_getattr_all_fs(mount_t) fs_mount_all_fs(mount_t) fs_unmount_all_fs(mount_t) fs_remount_all_fs(mount_t) fs_relabelfrom_all_fs(mount_t) -fs_list_auto_mountpoints(mount_t) +fs_rw_anon_inodefs_files(mount_t) fs_rw_tmpfs_chr_files(mount_t) +fs_rw_nfsd_fs(mount_t) +fs_manage_tmpfs_dirs(mount_t) fs_read_tmpfs_symlinks(mount_t) +fs_read_fusefs_files(mount_t) +fs_manage_nfs_dirs(mount_t) +fs_read_nfs_symlinks(mount_t) mls_file_read_all_levels(mount_t) mls_file_write_all_levels(mount_t) @@ -98,6 +146,7 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) +storage_rw_fuse(mount_t) term_use_all_terms(mount_t) @@ -106,6 +155,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) +init_stream_connect_script(mount_t) +init_rw_script_stream_sockets(mount_t) logging_send_syslog_msg(mount_t) @@ -116,6 +167,12 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) +userdom_manage_user_home_content_dirs(mount_t) +userdom_read_user_home_content_symlinks(mount_t) + +optional_policy(` + abrt_rw_fifo_file(mount_t) +') ifdef(`distro_redhat',` optional_policy(` @@ -131,10 +188,17 @@ ') ') +corecmd_exec_shell(mount_t) + +modutils_domtrans_insmod(mount_t) + +fstools_domtrans(mount_t) + tunable_policy(`allow_mount_anyfile',` auth_read_all_dirs_except_shadow(mount_t) auth_read_all_files_except_shadow(mount_t) files_mounton_non_security(mount_t) + files_rw_all_inherited_files(mount_t) ') optional_policy(` @@ -164,6 +228,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) + + rpc_domtrans_rpcd(mount_t) ') optional_policy(` @@ -171,6 +237,25 @@ ') optional_policy(` + cron_system_entry(mount_t, mount_exec_t) +') + +optional_policy(` + dbus_system_bus_client(mount_t) + + optional_policy(` + hal_dbus_chat(mount_t) + ') +') + + +optional_policy(` + hal_write_log(mount_t) + hal_use_fds(mount_t) + hal_dontaudit_rw_pipes(mount_t) +') + +optional_policy(` ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) @@ -178,6 +263,11 @@ ') ') +# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711 +optional_policy(` + lvm_domtrans(mount_t) +') + # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) @@ -185,6 +275,19 @@ optional_policy(` samba_domtrans_smbmount(mount_t) + samba_read_config(mount_t) +') + +optional_policy(` + ssh_exec(mount_t) +') + +optional_policy(` + usbmuxd_stream_connect(mount_t) +') + +optional_policy(` + vmware_exec_host(mount_t) ') ######################################## @@ -193,6 +296,42 @@ # optional_policy(` + unconfined_domain_noaudit(unconfined_mount_t) +') + +optional_policy(` + userdom_unpriv_usertype(unconfined, unconfined_mount_t) files_etc_filetrans_etc_runtime(unconfined_mount_t, file) - unconfined_domain(unconfined_mount_t) ') + +###################################### +# +# showmount local policy +# + +allow showmount_t self:tcp_socket create_stream_socket_perms; +allow showmount_t self:udp_socket create_socket_perms; + +kernel_read_system_state(showmount_t) + +corenet_all_recvfrom_unlabeled(showmount_t) +corenet_all_recvfrom_netlabel(showmount_t) +corenet_tcp_sendrecv_generic_if(showmount_t) +corenet_udp_sendrecv_generic_if(showmount_t) +corenet_tcp_sendrecv_generic_node(showmount_t) +corenet_udp_sendrecv_generic_node(showmount_t) +corenet_tcp_sendrecv_all_ports(showmount_t) +corenet_udp_sendrecv_all_ports(showmount_t) +corenet_tcp_bind_generic_node(showmount_t) +corenet_udp_bind_generic_node(showmount_t) +corenet_tcp_bind_all_rpc_ports(showmount_t) +corenet_udp_bind_all_rpc_ports(showmount_t) +corenet_tcp_connect_all_ports(showmount_t) + +files_read_etc_files(showmount_t) + +miscfiles_read_localization(showmount_t) + +sysnet_dns_name_resolve(showmount_t) + +userdom_use_user_terminals(showmount_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/pcmcia.if serefpolicy-3.8.8/policy/modules/system/pcmcia.if --- nsaserefpolicy/policy/modules/system/pcmcia.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/pcmcia.if 2010-07-30 14:06:53.000000000 -0400 @@ -22,7 +22,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -58,7 +58,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -77,7 +77,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.if serefpolicy-3.8.8/policy/modules/system/raid.if --- nsaserefpolicy/policy/modules/system/raid.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/raid.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -33,7 +33,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.8.8/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/raid.te 2010-07-30 14:06:53.000000000 -0400 @@ -30,8 +30,9 @@ allow mdadm_t mdadm_map_t:file manage_file_perms; dev_filetrans(mdadm_t, mdadm_map_t, file) +manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) -files_pid_filetrans(mdadm_t, mdadm_var_run_t, file) +files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir }) kernel_read_system_state(mdadm_t) kernel_read_kernel_sysctls(mdadm_t) @@ -57,6 +58,7 @@ files_read_etc_files(mdadm_t) files_read_etc_runtime_files(mdadm_t) +files_dontaudit_getattr_tmpfs_files(mdadm_t) fs_search_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.8.8/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.fc 2010-07-30 14:06:53.000000000 -0400 @@ -6,13 +6,13 @@ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0) -/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh) +/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) /etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) -/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) +/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0) /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0) -/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) +/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s0) # # /root @@ -38,11 +38,20 @@ /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) -/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0) +/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0) /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0) /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) +/usr/share/system-config-selinux/system-config-selinux-dbus\.py -- gen_context(system_u:object_r:semanage_exec_t,s0) # # /var/run # /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0) + +# +# /var/lib +# +/var/lib/selinux(/.*)? gen_context(system_u:object_r:selinux_var_lib_t,s0) + +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.8.8/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.if 2010-07-30 14:06:53.000000000 -0400 @@ -361,6 +361,27 @@ ######################################## ## +## Execute restorecond in the caller domain. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`seutil_exec_restorecond',` + gen_require(` + type restorecond_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + can_exec($1, restorecond_exec_t) +') + +######################################## +## ## Execute run_init in the run_init domain. ## ## @@ -545,6 +566,53 @@ ######################################## ## +## Execute setfiles in the setfiles domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_domtrans_setfiles_mac',` + gen_require(` + type setfiles_mac_t, setfiles_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t) +') + +######################################## +## +## Execute setfiles in the setfiles_mac domain, and +## allow the specified role the setfiles_mac domain, +## and use the caller's terminal. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the setfiles_mac domain. +## +## +## +# +interface(`seutil_run_setfiles_mac',` + gen_require(` + type setfiles_mac_t; + ') + + seutil_domtrans_setfiles_mac($1) + role $2 types setfiles_mac_t; +') + +######################################## +## ## Execute setfiles in the caller domain. ## ## @@ -690,6 +758,7 @@ ') files_search_etc($1) + manage_dirs_pattern($1, selinux_config_t, selinux_config_t) manage_files_pattern($1, selinux_config_t, selinux_config_t) read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) ') @@ -1009,6 +1078,26 @@ ######################################## ## +## Execute a domain transition to run setsebool. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`seutil_domtrans_setsebool',` + gen_require(` + type setsebool_t, setsebool_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, setsebool_exec_t, setsebool_t) +') + +######################################## +## ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. @@ -1020,7 +1109,7 @@ ## ## ## -## The role to be allowed the checkpolicy domain. +## The role to be allowed the semanage domain. ## ## ## @@ -1038,6 +1127,54 @@ ######################################## ## +## Execute setsebool in the semanage domain, and +## allow the specified role the semanage domain, +## and use the caller's terminal. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the setsebool domain. +## +## +## +# +interface(`seutil_run_setsebool',` + gen_require(` + type semanage_t; + ') + + seutil_domtrans_setsebool($1) + role $2 types setsebool_t; +') + +######################################## +## +## Full management of the semanage +## module store. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_read_module_store',` + gen_require(` + type selinux_config_t, semanage_store_t; + ') + + files_search_etc($1) + list_dirs_pattern($1, selinux_config_t, semanage_store_t) + read_files_pattern($1, semanage_store_t, semanage_store_t) +') + +######################################## +## ## Full management of the semanage ## module store. ## @@ -1149,3 +1286,194 @@ selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') + +####################################### +## +## All rules necessary to run semanage command +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_semanage_policy',` + gen_require(` + type semanage_tmp_t; + type policy_config_t; + ') + allow $1 self:capability { dac_override sys_resource }; + dontaudit $1 self:capability sys_tty_config; + allow $1 self:process signal; + allow $1 self:unix_stream_socket create_stream_socket_perms; + allow $1 self:unix_dgram_socket create_socket_perms; + logging_send_audit_msgs($1) + + # Running genhomedircon requires this for finding all users + auth_use_nsswitch($1) + + allow $1 policy_config_t:file { read write }; + + allow $1 semanage_tmp_t:dir manage_dir_perms; + allow $1 semanage_tmp_t:file manage_file_perms; + files_tmp_filetrans($1, semanage_tmp_t, { file dir }) + + kernel_read_system_state($1) + kernel_read_kernel_sysctls($1) + + corecmd_exec_bin($1) + corecmd_exec_shell($1) + + dev_read_urand($1) + + domain_use_interactive_fds($1) + + files_read_etc_files($1) + files_read_etc_runtime_files($1) + files_read_usr_files($1) + files_list_pids($1) + fs_list_inotifyfs($1) + fs_getattr_all_fs($1) + + mls_file_write_all_levels($1) + mls_file_read_all_levels($1) + + selinux_getattr_fs($1) + selinux_validate_context($1) + selinux_get_enforce_mode($1) + + term_use_all_terms($1) + + locallogin_use_fds($1) + + logging_send_syslog_msg($1) + + miscfiles_read_localization($1) + + seutil_search_default_contexts($1) + seutil_domtrans_loadpolicy($1) + seutil_read_config($1) + seutil_manage_bin_policy($1) + seutil_use_newrole_fds($1) + seutil_manage_module_store($1) + seutil_get_semanage_trans_lock($1) + seutil_get_semanage_read_lock($1) + + userdom_dontaudit_write_user_home_content_files($1) + +') + + +####################################### +## +## All rules necessary to run setfiles command +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_setfiles',` + +allow $1 self:capability { dac_override dac_read_search fowner }; +dontaudit $1 self:capability sys_tty_config; +allow $1 self:fifo_file rw_file_perms; +dontaudit $1 self:dir relabelfrom; +dontaudit $1 self:file relabelfrom; +dontaudit $1 self:lnk_file relabelfrom; + + +allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms; +allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms; +allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; + +logging_send_audit_msgs($1) + +kernel_read_system_state($1) +kernel_relabelfrom_unlabeled_dirs($1) +kernel_relabelfrom_unlabeled_files($1) +kernel_relabelfrom_unlabeled_symlinks($1) +kernel_relabelfrom_unlabeled_pipes($1) +kernel_relabelfrom_unlabeled_sockets($1) +kernel_use_fds($1) +kernel_rw_pipes($1) +kernel_rw_unix_dgram_sockets($1) +kernel_dontaudit_list_all_proc($1) +kernel_read_all_sysctls($1) +kernel_read_network_state_symlinks($1) + +dev_relabel_all_dev_nodes($1) + +domain_use_interactive_fds($1) +domain_read_all_domains_state($1) + +files_read_etc_runtime_files($1) +files_read_etc_files($1) +files_list_all($1) +files_relabel_all_files($1) +files_list_isid_type_dirs($1) +files_read_isid_type_files($1) +files_dontaudit_read_all_symlinks($1) + +fs_getattr_xattr_fs($1) +fs_list_all($1) +fs_getattr_all_files($1) +fs_search_auto_mountpoints($1) +fs_relabelfrom_noxattr_fs($1) + +mls_file_read_all_levels($1) +mls_file_write_all_levels($1) +mls_file_upgrade($1) +mls_file_downgrade($1) + +selinux_validate_context($1) +selinux_compute_access_vector($1) +selinux_compute_create_context($1) +selinux_compute_relabel_context($1) +selinux_compute_user_contexts($1) + +term_use_all_terms($1) + +# this is to satisfy the assertion: +auth_relabelto_shadow($1) + +init_use_fds($1) +init_use_script_fds($1) +init_use_script_ptys($1) +init_exec_script_files($1) + +logging_send_syslog_msg($1) + +miscfiles_read_localization($1) + +seutil_libselinux_linked($1) + +userdom_use_all_users_fds($1) +# for config files in a home directory +userdom_read_user_home_content_files($1) + +ifdef(`distro_debian',` + # udev tmpfs is populated with static device nodes + # and then relabeled afterwards; thus + # /dev/console has the tmpfs type + fs_rw_tmpfs_chr_files($1) +') + +ifdef(`distro_redhat',` + fs_rw_tmpfs_chr_files($1) + fs_rw_tmpfs_blk_files($1) + fs_relabel_tmpfs_blk_file($1) + fs_relabel_tmpfs_chr_file($1) +') + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain($1) + ') +') + +optional_policy(` + hotplug_use_fds($1) +') +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.8.8/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.te 2010-08-13 15:47:08.000000000 -0400 @@ -22,6 +22,9 @@ type selinux_config_t; files_type(selinux_config_t) +type selinux_var_lib_t; +files_type(selinux_var_lib_t) + type checkpolicy_t, can_write_binary_policy; type checkpolicy_exec_t; application_domain(checkpolicy_t, checkpolicy_exec_t) @@ -57,8 +60,9 @@ # policy_config_t is the type of /etc/security/selinux/* # the security server policy configuration. # -type policy_config_t; -files_type(policy_config_t) +#type policy_config_t; +#files_type(policy_config_t) +typealias semanage_store_t alias policy_config_t; neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; #neverallow ~can_write_binary_policy policy_config_t:file { write append }; @@ -74,7 +78,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t, restorecond_exec_t) domain_obj_id_change_exemption(restorecond_t) -role system_r types restorecond_t; type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) @@ -88,9 +91,14 @@ type semanage_t; type semanage_exec_t; application_domain(semanage_t, semanage_exec_t) +dbus_system_domain(semanage_t, semanage_exec_t) domain_interactive_fd(semanage_t) role system_r types semanage_t; +type setsebool_t; +type setsebool_exec_t; +init_system_domain(setsebool_t, setsebool_exec_t) + type semanage_store_t; files_type(semanage_store_t) @@ -108,6 +116,11 @@ init_system_domain(setfiles_t, setfiles_exec_t) domain_obj_id_change_exemption(setfiles_t) +type setfiles_mac_t; +domain_type(setfiles_mac_t) +domain_entry_file(setfiles_mac_t, setfiles_exec_t) +domain_obj_id_change_exemption(setfiles_mac_t) + ######################################## # # Checkpolicy local policy @@ -176,6 +189,7 @@ init_use_script_fds(load_policy_t) init_use_script_ptys(load_policy_t) +init_write_script_pipes(load_policy_t) miscfiles_read_localization(load_policy_t) @@ -216,7 +230,7 @@ allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +logging_send_audit_msgs(newrole_t) read_files_pattern(newrole_t, default_context_t, default_context_t) read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) @@ -260,25 +274,25 @@ term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) -auth_use_nsswitch(newrole_t) -auth_domtrans_chk_passwd(newrole_t) -auth_domtrans_upd_passwd(newrole_t) -auth_rw_faillog(newrole_t) +auth_use_pam(newrole_t) # Write to utmp. init_rw_utmp(newrole_t) init_use_fds(newrole_t) -logging_send_syslog_msg(newrole_t) - miscfiles_read_localization(newrole_t) seutil_libselinux_linked(newrole_t) +userdom_use_unpriv_users_fds(newrole_t) # for some PAM modules and for cwd userdom_dontaudit_search_user_home_content(newrole_t) userdom_search_user_home_dirs(newrole_t) +optional_policy(` + xserver_dontaudit_exec_xauth(newrole_t) +') + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(newrole_t) @@ -312,6 +326,8 @@ kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) +files_dontaudit_read_all_symlinks(restorecond_t) + fs_relabelfrom_noxattr_fs(restorecond_t) fs_dontaudit_list_nfs(restorecond_t) fs_getattr_xattr_fs(restorecond_t) @@ -335,6 +351,8 @@ seutil_libselinux_linked(restorecond_t) +userdom_read_user_home_content_symlinks(restorecond_t) + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) @@ -353,7 +371,7 @@ allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; -allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +logging_send_audit_msgs(run_init_t) # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit @@ -405,6 +423,10 @@ ') ') +optional_policy(` + rpm_domtrans(run_init_t) +') + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) @@ -420,61 +442,22 @@ # semodule local policy # -allow semanage_t self:capability { dac_override audit_write }; -allow semanage_t self:unix_stream_socket create_stream_socket_perms; -allow semanage_t self:unix_dgram_socket create_socket_perms; -allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; - -allow semanage_t policy_config_t:file rw_file_perms; +seutil_semanage_policy(semanage_t) +allow semanage_t self:fifo_file rw_fifo_file_perms; -allow semanage_t semanage_tmp_t:dir manage_dir_perms; -allow semanage_t semanage_tmp_t:file manage_file_perms; -files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) +manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) +manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) -kernel_read_system_state(semanage_t) -kernel_read_kernel_sysctls(semanage_t) - -corecmd_exec_bin(semanage_t) - -dev_read_urand(semanage_t) - -domain_use_interactive_fds(semanage_t) - -files_read_etc_files(semanage_t) -files_read_etc_runtime_files(semanage_t) -files_read_usr_files(semanage_t) -files_list_pids(semanage_t) - -mls_file_write_all_levels(semanage_t) -mls_file_read_all_levels(semanage_t) - -selinux_validate_context(semanage_t) -selinux_get_enforce_mode(semanage_t) -selinux_getattr_fs(semanage_t) -# for setsebool: selinux_set_all_booleans(semanage_t) +can_exec(semanage_t, semanage_exec_t) -term_use_all_terms(semanage_t) +# Admins are creating pp files in random locations +auth_read_all_files_except_shadow(semanage_t) -# Running genhomedircon requires this for finding all users -auth_use_nsswitch(semanage_t) - -locallogin_use_fds(semanage_t) - -logging_send_syslog_msg(semanage_t) - -miscfiles_read_localization(semanage_t) - -seutil_libselinux_linked(semanage_t) seutil_manage_file_contexts(semanage_t) seutil_manage_config(semanage_t) seutil_domtrans_setfiles(semanage_t) -seutil_domtrans_loadpolicy(semanage_t) -seutil_manage_bin_policy(semanage_t) -seutil_use_newrole_fds(semanage_t) -seutil_manage_module_store(semanage_t) -seutil_get_semanage_trans_lock(semanage_t) -seutil_get_semanage_read_lock(semanage_t) + # netfilter_contexts: seutil_manage_default_contexts(semanage_t) @@ -483,12 +466,23 @@ files_read_var_lib_symlinks(semanage_t) ') +optional_policy(` + setrans_initrc_domtrans(semanage_t) + domain_system_change_exemption(semanage_t) + consoletype_exec(semanage_t) +') + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(semanage_t) ') ') +optional_policy(` + #signal mcstrans on reload + init_spec_domtrans_script(semanage_t) +') + # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files @@ -498,112 +492,50 @@ userdom_read_user_tmp_files(semanage_t) ') -######################################## +userdom_search_admin_dir(semanage_t) + +####################################n#### # -# Setfiles local policy +# setsebool local policy # +seutil_semanage_policy(setsebool_t) +selinux_set_all_booleans(setsebool_t) -allow setfiles_t self:capability { dac_override dac_read_search fowner }; -dontaudit setfiles_t self:capability sys_tty_config; -allow setfiles_t self:fifo_file rw_file_perms; - -allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms; -allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms; -allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; - -kernel_read_system_state(setfiles_t) -kernel_relabelfrom_unlabeled_dirs(setfiles_t) -kernel_relabelfrom_unlabeled_files(setfiles_t) -kernel_relabelfrom_unlabeled_symlinks(setfiles_t) -kernel_relabelfrom_unlabeled_pipes(setfiles_t) -kernel_relabelfrom_unlabeled_sockets(setfiles_t) -kernel_use_fds(setfiles_t) -kernel_rw_pipes(setfiles_t) -kernel_rw_unix_dgram_sockets(setfiles_t) -kernel_dontaudit_list_all_proc(setfiles_t) -kernel_dontaudit_list_all_sysctls(setfiles_t) - -dev_relabel_all_dev_nodes(setfiles_t) - -domain_use_interactive_fds(setfiles_t) -domain_dontaudit_search_all_domains_state(setfiles_t) - -files_read_etc_runtime_files(setfiles_t) -files_read_etc_files(setfiles_t) -files_list_all(setfiles_t) -files_relabel_all_files(setfiles_t) -files_read_usr_symlinks(setfiles_t) - -fs_getattr_xattr_fs(setfiles_t) -fs_list_all(setfiles_t) -fs_search_auto_mountpoints(setfiles_t) -fs_relabelfrom_noxattr_fs(setfiles_t) - -mls_file_read_all_levels(setfiles_t) -mls_file_write_all_levels(setfiles_t) -mls_file_upgrade(setfiles_t) -mls_file_downgrade(setfiles_t) - -selinux_validate_context(setfiles_t) -selinux_compute_access_vector(setfiles_t) -selinux_compute_create_context(setfiles_t) -selinux_compute_relabel_context(setfiles_t) -selinux_compute_user_contexts(setfiles_t) - -term_use_all_ttys(setfiles_t) -term_use_all_ptys(setfiles_t) -term_use_unallocated_ttys(setfiles_t) - -# this is to satisfy the assertion: -auth_relabelto_shadow(setfiles_t) - -init_use_fds(setfiles_t) -init_use_script_fds(setfiles_t) -init_use_script_ptys(setfiles_t) -init_exec_script_files(setfiles_t) - -logging_send_syslog_msg(setfiles_t) - -miscfiles_read_localization(setfiles_t) - -seutil_libselinux_linked(setfiles_t) - -userdom_use_all_users_fds(setfiles_t) -# for config files in a home directory -userdom_read_user_home_content_files(setfiles_t) +init_dontaudit_use_fds(setsebool_t) -ifdef(`distro_debian',` - # udev tmpfs is populated with static device nodes - # and then relabeled afterwards; thus - # /dev/console has the tmpfs type - fs_rw_tmpfs_chr_files(setfiles_t) -') +# Bug in semanage +seutil_domtrans_setfiles(setsebool_t) +seutil_manage_file_contexts(setsebool_t) +seutil_manage_default_contexts(setsebool_t) +seutil_manage_config(setsebool_t) -ifdef(`distro_redhat', ` - fs_rw_tmpfs_chr_files(setfiles_t) - fs_rw_tmpfs_blk_files(setfiles_t) - fs_relabel_tmpfs_blk_file(setfiles_t) - fs_relabel_tmpfs_chr_file(setfiles_t) -') +######################################## +# +# Setfiles local policy +# -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(setfiles_t) - ') +seutil_setfiles(setfiles_t) +# During boot in Rawhide +term_use_generic_ptys(setfiles_t) + +seutil_setfiles(setfiles_mac_t) +allow setfiles_mac_t self:capability2 mac_admin; +kernel_relabelto_unlabeled(setfiles_mac_t) + +optional_policy(` + files_dontaudit_write_isid_chr_files(setfiles_mac_t) + livecd_dontaudit_leaks(setfiles_mac_t) + livecd_rw_tmp_files(setfiles_mac_t) + dev_dontaudit_write_all_chr_files(setfiles_mac_t) ') ifdef(`hide_broken_symptoms',` optional_policy(` - udev_dontaudit_rw_dgram_sockets(setfiles_t) - ') - - # cjp: cover up stray file descriptors. - optional_policy(` - unconfined_dontaudit_read_pipes(setfiles_t) - unconfined_dontaudit_rw_tcp_sockets(setfiles_t) + setroubleshoot_fixit_dontaudit_leaks(setfiles_t) + setroubleshoot_fixit_dontaudit_leaks(setsebool_t) ') ') optional_policy(` - hotplug_use_fds(setfiles_t) + unconfined_domain(setfiles_mac_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.8.8/policy/modules/system/setrans.if --- nsaserefpolicy/policy/modules/system/setrans.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/setrans.if 2010-07-30 14:06:53.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-3.8.8/policy/modules/system/setrans.te --- nsaserefpolicy/policy/modules/system/setrans.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/setrans.te 2010-07-30 14:06:53.000000000 -0400 @@ -12,6 +12,7 @@ type setrans_t; type setrans_exec_t; init_daemon_domain(setrans_t, setrans_exec_t) +mls_trusted_object(setrans_t) type setrans_initrc_exec_t; init_script_file(setrans_initrc_exec_t) @@ -44,9 +45,10 @@ corecmd_search_bin(setrans_t) # create unix domain socket in /var +manage_dirs_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t) manage_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t) manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t) -files_pid_filetrans(setrans_t, setrans_var_run_t, file) +files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir }) kernel_read_kernel_sysctls(setrans_t) kernel_read_proc_symlinks(setrans_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.fc serefpolicy-3.8.8/policy/modules/system/sosreport.fc --- nsaserefpolicy/policy/modules/system/sosreport.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/system/sosreport.fc 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,2 @@ + +/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.if serefpolicy-3.8.8/policy/modules/system/sosreport.if --- nsaserefpolicy/policy/modules/system/sosreport.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/system/sosreport.if 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,131 @@ + +## policy for sosreport + +######################################## +## +## Execute a domain transition to run sosreport. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`sosreport_domtrans',` + gen_require(` + type sosreport_t, sosreport_exec_t; + ') + + domtrans_pattern($1, sosreport_exec_t, sosreport_t) +') + + +######################################## +## +## Execute sosreport in the sosreport domain, and +## allow the specified role the sosreport domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the sosreport domain. +## +## +# +interface(`sosreport_run',` + gen_require(` + type sosreport_t; + ') + + sosreport_domtrans($1) + role $2 types sosreport_t; +') + +######################################## +## +## Role access for sosreport +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`sosreport_role',` + gen_require(` + type sosreport_t; + ') + + role $1 types sosreport_t; + + sosreport_domtrans($2) + + ps_process_pattern($2, sosreport_t) + allow $2 sosreport_t:process signal; +') + +######################################## +## +## Allow the specified domain to read +## sosreport tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sosreport_read_tmp_files',` + gen_require(` + type sosreport_tmp_t; + ') + + files_search_tmp($1) + read_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) +') + +######################################## +## +## Delete sosreport tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sosreport_delete_tmp_files',` + gen_require(` + type sosreport_tmp_t; + ') + + files_delete_tmp_dir_entry($1) + delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) +') + +######################################## +## +## Append sosreport tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sosreport_append_tmp_files',` + gen_require(` + type sosreport_tmp_t; + ') + + allow $1 sosreport_tmp_t:file append; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.te serefpolicy-3.8.8/policy/modules/system/sosreport.te --- nsaserefpolicy/policy/modules/system/sosreport.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/system/sosreport.te 2010-07-30 14:06:53.000000000 -0400 @@ -0,0 +1,154 @@ +policy_module(sosreport,1.0.0) + +######################################## +# +# Declarations +# + +type sosreport_t; +type sosreport_exec_t; +application_domain(sosreport_t, sosreport_exec_t) +role system_r types sosreport_t; + +type sosreport_tmp_t; +files_tmp_file(sosreport_tmp_t) + +type sosreport_tmpfs_t; +files_tmpfs_file(sosreport_tmpfs_t) + +######################################## +# +# sosreport local policy +# + +allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override }; +allow sosreport_t self:process { setsched signull }; + +allow sosreport_t self:fifo_file rw_fifo_file_perms; +allow sosreport_t self:tcp_socket create_stream_socket_perms; +allow sosreport_t self:udp_socket create_socket_perms; +allow sosreport_t self:unix_dgram_socket create_socket_perms; +allow sosreport_t self:netlink_route_socket r_netlink_socket_perms; +allow sosreport_t self:unix_stream_socket create_stream_socket_perms; + +# sosreport tmp files +manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) +manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) +manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) +files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir }) + +manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) +fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t,file) + +kernel_read_network_state(sosreport_t) +kernel_read_all_sysctls(sosreport_t) +kernel_read_software_raid_state(sosreport_t) +kernel_search_debugfs(sosreport_t) +kernel_read_messages(sosreport_t) + +corecmd_exec_all_executables(sosreport_t) + +dev_getattr_all_chr_files(sosreport_t) +dev_getattr_all_blk_files(sosreport_t) +dev_getattr_generic_chr_files(sosreport_t) +dev_getattr_generic_blk_files(sosreport_t) +dev_getattr_mtrr_dev(sosreport_t) + +dev_read_rand(sosreport_t) +dev_read_urand(sosreport_t) +dev_read_raw_memory(sosreport_t) +dev_read_sysfs(sosreport_t) + +domain_getattr_all_domains(sosreport_t) +domain_read_all_domains_state(sosreport_t) +domain_getattr_all_sockets(sosreport_t) +domain_getattr_all_pipes(sosreport_t) +domain_signull_all_domains(sosreport_t) + +# for blkid.tab +files_manage_etc_runtime_files(sosreport_t) +files_etc_filetrans_etc_runtime(sosreport_t, file) + +files_getattr_all_sockets(sosreport_t) +files_exec_etc_files(sosreport_t) +files_list_all(sosreport_t) +files_read_config_files(sosreport_t) +files_read_etc_files(sosreport_t) +files_read_generic_tmp_files(sosreport_t) +files_read_usr_files(sosreport_t) +files_read_var_lib_files(sosreport_t) +files_read_var_symlinks(sosreport_t) +files_read_kernel_modules(sosreport_t) +files_read_all_symlinks(sosreport_t) + +fs_getattr_all_fs(sosreport_t) +fs_list_inotifyfs(sosreport_t) + +# cjp: some config files do not have configfile attribute +# sosreport needs to read various files on system +auth_read_all_files_except_shadow(sosreport_t) +auth_use_nsswitch(sosreport_t) + +init_domtrans_script(sosreport_t) + +libs_domtrans_ldconfig(sosreport_t) + +logging_read_all_logs(sosreport_t) +logging_send_syslog_msg(sosreport_t) + +miscfiles_read_localization(sosreport_t) + +# needed by modinfo +modutils_read_module_deps(sosreport_t) + +sysnet_read_config(sosreport_t) + +optional_policy(` + abrt_manage_pid_files(sosreport_t) +') + +optional_policy(` + cups_stream_connect(sosreport_t) +') + +optional_policy(` + dmesg_domtrans(sosreport_t) +') + +optional_policy(` + fstools_domtrans(sosreport_t) +') + +optional_policy(` + dbus_system_bus_client(sosreport_t) + + optional_policy(` + hal_dbus_chat(sosreport_t) + ') +') + +optional_policy(` + lvm_domtrans(sosreport_t) +') + +optional_policy(` + mount_domtrans(sosreport_t) +') + +optional_policy(` + pulseaudio_stream_connect(sosreport_t) +') + +optional_policy(` + rpm_exec(sosreport_t) + rpm_dontaudit_manage_db(sosreport_t) + rpm_read_db(sosreport_t) +') + +optional_policy(` + xserver_stream_connect(sosreport_t) +') + +optional_policy(` + unconfined_domain(sosreport_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.8.8/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.fc 2010-07-30 14:06:53.000000000 -0400 @@ -64,3 +64,5 @@ ifdef(`distro_gentoo',` /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) ') + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.8.8/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.if 2010-08-10 05:23:35.000000000 -0400 @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -26,7 +26,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -60,25 +60,24 @@ netutils_run(dhcpc_t, $2) netutils_run_ping(dhcpc_t, $2) ') -') -######################################## -## -## Do not audit attempts to use -## the dhcp file descriptors. -## -## -## -## The domain sending the SIGCHLD. -## -## -# -interface(`sysnet_dontaudit_use_dhcpc_fds',` - gen_require(` - type dhcpc_t; + optional_policy(` + networkmanager_run(dhcpc_t, $2) ') - dontaudit $1 dhcpc_t:fd use; + optional_policy(` + nis_run_ypbind(dhcpc_t, $2) + ') + + optional_policy(` + nscd_run(dhcpc_t, $2) + ') + + optional_policy(` + ntp_run(dhcpc_t, $2) + ') + + seutil_run_setfiles(dhcpc_t, $2) ') ######################################## @@ -249,6 +248,43 @@ delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t) ') +######################################## +## +## Allow caller to relabel dhcpc_state files +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_relabelfrom_dhcpc_state',` + + gen_require(` + type dhcpc_state_t; + ') + + allow $1 dhcpc_state_t:file relabelfrom; +') + +####################################### +## +## Manage the dhcp client state files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_manage_dhcpc_state',` + gen_require(` + type dhcpc_state_t; + ') + + manage_files_pattern($1, dhcpc_state_t, dhcpc_state_t) +') + ####################################### ## ## Set the attributes of network config files. @@ -270,6 +306,44 @@ ####################################### ## +## Allow caller to relabel net_conf files +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_relabelfrom_net_conf',` + + gen_require(` + type net_conf_t; + ') + + allow $1 net_conf_t:file relabelfrom; +') + +###################################### +## +## Allow caller to relabel net_conf files +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_relabelto_net_conf',` + + gen_require(` + type net_conf_t; + ') + + allow $1 net_conf_t:file relabelto; +') + +####################################### +## ## Read network config files. ## ## @@ -376,7 +450,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -394,7 +468,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -403,11 +477,8 @@ type net_conf_t; ') - allow $1 net_conf_t:file manage_file_perms; - - ifdef(`distro_redhat',` - manage_files_pattern($1, net_conf_t, net_conf_t) - ') + allow $1 net_conf_t:dir list_dir_perms; + manage_files_pattern($1, net_conf_t, net_conf_t) ') ####################################### @@ -416,7 +487,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -435,7 +506,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -444,6 +515,7 @@ type dhcpc_var_run_t; ') + files_rw_pid_dirs($1) allow $1 dhcpc_var_run_t:file unlink; ') @@ -453,7 +525,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -464,6 +536,10 @@ corecmd_search_bin($1) domtrans_pattern($1, ifconfig_exec_t, ifconfig_t) + ifdef(`hide_broken_symptoms', ` + dontaudit ifconfig_t $1:socket_class_set { read write }; + ') + ') ######################################## @@ -474,7 +550,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -534,6 +610,25 @@ ######################################## ## +## Send a kill signal to iconfig. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`sysnet_kill_ifconfig',` + gen_require(` + type ifconfig_t; + ') + + allow $1 ifconfig_t:process sigkill; +') + +######################################## +## ## Read the DHCP configuration files. ## ## @@ -677,7 +772,10 @@ corenet_tcp_connect_ldap_port($1) corenet_sendrecv_ldap_client_packets($1) - sysnet_read_config($1) + files_search_etc($1) + allow $1 net_conf_t:file read_file_perms; + # LDAP Configuration using encrypted requires + dev_read_urand($1) ') ######################################## @@ -709,5 +807,52 @@ corenet_tcp_connect_portmap_port($1) corenet_sendrecv_portmap_client_packets($1) - sysnet_read_config($1) + files_search_etc($1) + allow $1 net_conf_t:file read_file_perms; +') + +######################################## +## +## Do not audit attempts to use +## the dhcp file descriptors. +## +## +## +## The domain sending the SIGCHLD. +## +## +# +interface(`sysnet_dontaudit_dhcpc_use_fds',` + gen_require(` + type dhcpc_t; + ') + + dontaudit $1 dhcpc_t:fd use; +') + +######################################## +## +## Transition to system_r when execute an dhclient script +## +## +##

+## Execute dhclient script in a specified role +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+## +## +## +## Role to transition from. +## +## +interface(`sysnet_role_transition_dhcpc',` + gen_require(` + type dhcpc_exec_t; + ') + + role_transition $1 dhcpc_exec_t system_r; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.8.8/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.te 2010-07-30 14:45:35.000000000 -0400 @@ -5,6 +5,13 @@ # Declarations # +## +##

+## Allow dhcpc client applications to execute iptables commands +##

+## +gen_tunable(dhcpc_exec_iptables, false) + # this is shared between dhcpc and dhcpd: type dhcp_etc_t; typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t }; @@ -19,6 +26,9 @@ init_daemon_domain(dhcpc_t, dhcpc_exec_t) role system_r types dhcpc_t; +type dhcpc_helper_exec_t; +init_script_file(dhcpc_helper_exec_t) + type dhcpc_state_t; files_type(dhcpc_state_t) @@ -57,8 +67,11 @@ exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) allow dhcpc_t dhcp_state_t:file read_file_perms; +allow dhcpc_t dhcp_state_t:file relabel_file_perms; + manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t) filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file) +allow dhcpc_t dhcpc_state_t:file relabel_file_perms; # create pid file manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) @@ -66,6 +79,8 @@ # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. +allow dhcpc_t net_conf_t:file manage_file_perms; +allow dhcpc_t net_conf_t:file relabel_file_perms; sysnet_manage_config(dhcpc_t) files_etc_filetrans(dhcpc_t, net_conf_t, file) @@ -105,11 +120,14 @@ corenet_tcp_connect_all_ports(dhcpc_t) corenet_sendrecv_dhcpd_client_packets(dhcpc_t) corenet_sendrecv_dhcpc_server_packets(dhcpc_t) +corenet_dontaudit_udp_bind_all_reserved_ports(dhcpc_t) +corenet_udp_bind_all_unreserved_ports(dhcpc_t) dev_read_sysfs(dhcpc_t) # for SSP: dev_read_urand(dhcpc_t) +domain_obj_id_change_exemption(dhcpc_t) domain_use_interactive_fds(dhcpc_t) domain_dontaudit_read_all_domains_state(dhcpc_t) @@ -155,6 +173,10 @@ ') optional_policy(` + chronyd_initrc_domtrans(dhcpc_t) +') + +optional_policy(` init_dbus_chat_script(dhcpc_t) dbus_system_bus_client(dhcpc_t) @@ -171,6 +193,8 @@ optional_policy(` hal_dontaudit_rw_dgram_sockets(dhcpc_t) + hal_dontaudit_read_pid_files(dhcpc_t) + hal_dontaudit_write_log(dhcpc_t) ') optional_policy(` @@ -192,6 +216,13 @@ ') optional_policy(` + networkmanager_domtrans(dhcpc_t) + networkmanager_read_pid_files(dhcpc_t) + networkmanager_read_lib_files(dhcpc_t) +') + +optional_policy(` + nis_initrc_domtrans_ypbind(dhcpc_t) nis_read_ypbind_pid(dhcpc_t) ') @@ -213,6 +244,7 @@ optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) + seutil_domtrans_setfiles(dhcpc_t) ') optional_policy(` @@ -276,8 +308,11 @@ domain_use_interactive_fds(ifconfig_t) +read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t) + files_read_etc_files(ifconfig_t) files_read_etc_runtime_files(ifconfig_t) +files_read_usr_files(ifconfig_t) fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) @@ -305,6 +340,8 @@ seutil_use_runinit_fds(ifconfig_t) +sysnet_dns_name_resolve(ifconfig_t) + userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) @@ -314,6 +351,10 @@ ') ') +optional_policy(` + brctl_domtrans(ifconfig_t) +') + ifdef(`hide_broken_symptoms',` optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) @@ -327,6 +368,8 @@ optional_policy(` hal_dontaudit_rw_pipes(ifconfig_t) hal_dontaudit_rw_dgram_sockets(ifconfig_t) + hal_dontaudit_read_pid_files(ifconfig_t) + hal_write_log(ifconfig_t) ') optional_policy(` @@ -334,6 +377,10 @@ ') optional_policy(` + netutils_domtrans(dhcpc_t) +') + +optional_policy(` nis_use_ypbind(ifconfig_t) ') @@ -355,3 +402,9 @@ xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') + +optional_policy(` + tunable_policy(`dhcpc_exec_iptables',` + iptables_domtrans(dhcpc_t) + ') +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.8.8/policy/modules/system/udev.fc --- nsaserefpolicy/policy/modules/system/udev.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/udev.fc 2010-07-30 14:06:53.000000000 -0400 @@ -22,3 +22,4 @@ /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) +/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.8.8/policy/modules/system/udev.if --- nsaserefpolicy/policy/modules/system/udev.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/udev.if 2010-07-30 14:06:53.000000000 -0400 @@ -24,7 +24,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -34,6 +34,7 @@ ') domtrans_pattern($1, udev_exec_t, udev_t) + allow $1 udev_t:process noatsecure; ') ######################################## @@ -60,7 +61,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -199,7 +200,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.8.8/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/udev.te 2010-07-30 14:06:53.000000000 -0400 @@ -52,6 +52,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; allow udev_t self:rawip_socket create_socket_perms; +allow udev_t self:netlink_socket create_socket_perms; allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) @@ -72,7 +73,7 @@ manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) -files_pid_filetrans(udev_t, udev_var_run_t, { dir file }) +files_pid_filetrans(udev_t, udev_var_run_t, { file dir }) kernel_read_system_state(udev_t) kernel_request_load_module(udev_t) @@ -116,10 +117,13 @@ files_dontaudit_search_isid_type_dirs(udev_t) files_getattr_generic_locks(udev_t) files_search_mnt(udev_t) +files_list_tmp(udev_t) fs_getattr_all_fs(udev_t) fs_list_inotifyfs(udev_t) fs_rw_anon_inodefs_files(udev_t) +fs_list_auto_mountpoints(udev_t) +fs_list_hugetlbfs(udev_t) mcs_ptrace_all(udev_t) @@ -216,6 +220,10 @@ ') optional_policy(` + consolekit_read_pid_files(udev_t) +') + +optional_policy(` consoletype_exec(udev_t) ') @@ -259,6 +267,10 @@ ') optional_policy(` + networkmanager_dbus_chat(udev_t) +') + +optional_policy(` openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') @@ -273,6 +285,10 @@ ') optional_policy(` + usbmuxd_domtrans(udev_t) +') + +optional_policy(` unconfined_signal(udev_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.8.8/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/unconfined.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,15 +1 @@ # Add programs here which should not be confined by SELinux -# e.g.: -# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) -# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t -/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) - -/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) - -/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) - -ifdef(`distro_gentoo',` -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.8.8/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/unconfined.if 2010-07-30 14:06:53.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` gen_require(` - type unconfined_t; class dbus all_dbus_perms; class nscd all_nscd_perms; class passwd all_passwd_perms; ') # Use any Linux capability. - allow $1 self:capability *; + allow $1 self:capability all_capabilities; allow $1 self:fifo_file manage_fifo_file_perms; # Transition to myself, to make get_ordered_context_list happy. @@ -27,12 +26,14 @@ # Write access is for setting attributes under /proc/self/attr. allow $1 self:file rw_file_perms; + allow $1 self:dir rw_dir_perms; # Userland object managers - allow $1 self:nscd *; - allow $1 self:dbus *; - allow $1 self:passwd *; - allow $1 self:association *; + allow $1 self:nscd all_nscd_perms; + allow $1 self:dbus all_dbus_perms; + allow $1 self:passwd all_passwd_perms; + allow $1 self:association all_association_perms; + allow $1 self:socket_class_set create_socket_perms; kernel_unconfined($1) corenet_unconfined($1) @@ -44,6 +45,16 @@ fs_unconfined($1) selinux_unconfined($1) + domain_mmap_low_type($1) + + mls_file_read_all_levels($1) + + ubac_process_exempt($1) + + tunable_policy(`mmap_low_allowed',` + allow $1 self:memprotect mmap_zero; + ') + tunable_policy(`allow_execheap',` # Allow making the stack executable via mprotect. allow $1 self:process execheap; @@ -57,8 +68,8 @@ tunable_policy(`allow_execstack',` # Allow making the stack executable via mprotect; - # execstack implies execmem; - allow $1 self:process { execstack execmem }; + # execstack implies execmem; Bugzilla #211271 + allow $1 self:process { execmem execstack }; # auditallow $1 self:process execstack; ') @@ -69,6 +80,7 @@ optional_policy(` # Communicate via dbusd. dbus_system_bus_unconfined($1) + dbus_unconfined($1) ') optional_policy(` @@ -122,6 +134,10 @@ ## # interface(`unconfined_domain',` + gen_require(` + attribute unconfined_services; + ') + unconfined_domain_noaudit($1) tunable_policy(`allow_execheap',` @@ -179,411 +195,3 @@ refpolicywarn(`$0($1) has been deprecated.') ') -######################################## -## -## Transition to the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_domtrans',` - gen_require(` - type unconfined_t, unconfined_exec_t; - ') - - domtrans_pattern($1, unconfined_exec_t, unconfined_t) -') - -######################################## -## -## Execute specified programs in the unconfined domain. -## -## -## -## The type of the process performing this action. -## -## -## -## -## The role to allow the unconfined domain. -## -## -# -interface(`unconfined_run',` - gen_require(` - type unconfined_t; - ') - - unconfined_domtrans($1) - role $2 types unconfined_t; -') - -######################################## -## -## Transition to the unconfined domain by executing a shell. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_shell_domtrans',` - gen_require(` - type unconfined_t; - ') - - corecmd_shell_domtrans($1, unconfined_t) - allow unconfined_t $1:fd use; - allow unconfined_t $1:fifo_file rw_file_perms; - allow unconfined_t $1:process sigchld; -') - -######################################## -## -## Allow unconfined to execute the specified program in -## the specified domain. -## -## -##

-## Allow unconfined to execute the specified program in -## the specified domain. -##

-##

-## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-## -## -## -## Domain to execute in. -## -## -## -## -## Domain entry point file. -## -## -# -interface(`unconfined_domtrans_to',` - gen_require(` - type unconfined_t; - ') - - domtrans_pattern(unconfined_t,$2,$1) -') - -######################################## -## -## Allow unconfined to execute the specified program in -## the specified domain. Allow the specified domain the -## unconfined role and use of unconfined user terminals. -## -## -##

-## Allow unconfined to execute the specified program in -## the specified domain. Allow the specified domain the -## unconfined role and use of unconfined user terminals. -##

-##

-## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-## -## -## -## Domain to execute in. -## -## -## -## -## Domain entry point file. -## -## -# -interface(`unconfined_run_to',` - gen_require(` - type unconfined_t; - role unconfined_r; - ') - - domtrans_pattern(unconfined_t,$2,$1) - role unconfined_r types $1; - userdom_use_user_terminals($1) -') - -######################################## -## -## Inherit file descriptors from the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_use_fds',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:fd use; -') - -######################################## -## -## Send a SIGCHLD signal to the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_sigchld',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:process sigchld; -') - -######################################## -## -## Send a SIGNULL signal to the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_signull',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:process signull; -') - -######################################## -## -## Send generic signals to the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_signal',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:process signal; -') - -######################################## -## -## Read unconfined domain unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_read_pipes',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:fifo_file read_fifo_file_perms; -') - -######################################## -## -## Do not audit attempts to read unconfined domain unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_dontaudit_read_pipes',` - gen_require(` - type unconfined_t; - ') - - dontaudit $1 unconfined_t:fifo_file read; -') - -######################################## -## -## Read and write unconfined domain unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_rw_pipes',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Do not audit attempts to read and write -## unconfined domain unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`unconfined_dontaudit_rw_pipes',` - gen_require(` - type unconfined_t; - ') - - dontaudit $1 unconfined_t:fifo_file rw_file_perms; -') - -######################################## -## -## Connect to the unconfined domain using -## a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_stream_connect',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:unix_stream_socket connectto; -') - -######################################## -## -## Do not audit attempts to read or write -## unconfined domain tcp sockets. -## -## -##

-## Do not audit attempts to read or write -## unconfined domain tcp sockets. -##

-##

-## This interface was added due to a broken -## symptom in ldconfig. -##

-## -## -## -## Domain to not audit. -## -## -# -interface(`unconfined_dontaudit_rw_tcp_sockets',` - gen_require(` - type unconfined_t; - ') - - dontaudit $1 unconfined_t:tcp_socket { read write }; -') - -######################################## -## -## Create keys for the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_create_keys',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:key create; -') - -######################################## -## -## Send messages to the unconfined domain over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_dbus_send',` - gen_require(` - type unconfined_t; - class dbus send_msg; - ') - - allow $1 unconfined_t:dbus send_msg; -') - -######################################## -## -## Send and receive messages from -## unconfined_t over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_dbus_chat',` - gen_require(` - type unconfined_t; - class dbus send_msg; - ') - - allow $1 unconfined_t:dbus send_msg; - allow unconfined_t $1:dbus send_msg; -') - -######################################## -## -## Connect to the the unconfined DBUS -## for service (acquire_svc). -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_dbus_connect',` - gen_require(` - type unconfined_t; - class dbus acquire_svc; - ') - - allow $1 unconfined_t:dbus acquire_svc; -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.8.8/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/unconfined.te 2010-07-30 14:06:53.000000000 -0400 @@ -4,227 +4,5 @@ # # Declarations # +attribute unconfined_services; -# usage in this module of types created by these -# calls is not correct, however we dont currently -# have another method to add access to these types -userdom_base_user_template(unconfined) -userdom_manage_home_role(unconfined_r, unconfined_t) -userdom_manage_tmp_role(unconfined_r, unconfined_t) -userdom_manage_tmpfs_role(unconfined_r, unconfined_t) - -type unconfined_exec_t; -init_system_domain(unconfined_t, unconfined_exec_t) - -type unconfined_execmem_t; -type unconfined_execmem_exec_t; -init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) -role unconfined_r types unconfined_execmem_t; - -######################################## -# -# Local policy -# - -domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t) - -files_create_boot_flag(unconfined_t) - -mcs_killall(unconfined_t) -mcs_ptrace_all(unconfined_t) - -init_run_daemon(unconfined_t, unconfined_r) - -libs_run_ldconfig(unconfined_t, unconfined_r) - -logging_send_syslog_msg(unconfined_t) -logging_run_auditctl(unconfined_t, unconfined_r) - -mount_run_unconfined(unconfined_t, unconfined_r) - -seutil_run_setfiles(unconfined_t, unconfined_r) -seutil_run_semanage(unconfined_t, unconfined_r) - -unconfined_domain(unconfined_t) - -userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) - -ifdef(`distro_gentoo',` - seutil_run_runinit(unconfined_t, unconfined_r) - seutil_init_script_run_runinit(unconfined_t, unconfined_r) -') - -optional_policy(` - ada_domtrans(unconfined_t) -') - -optional_policy(` - apache_run_helper(unconfined_t, unconfined_r) - apache_role(unconfined_r, unconfined_t) -') - -optional_policy(` - bind_run_ndc(unconfined_t, unconfined_r) -') - -optional_policy(` - bootloader_run(unconfined_t, unconfined_r) -') - -optional_policy(` - cron_unconfined_role(unconfined_r, unconfined_t) -') - -optional_policy(` - init_dbus_chat_script(unconfined_t) - - dbus_stub(unconfined_t) - - optional_policy(` - avahi_dbus_chat(unconfined_t) - ') - - optional_policy(` - bluetooth_dbus_chat(unconfined_t) - ') - - optional_policy(` - consolekit_dbus_chat(unconfined_t) - ') - - optional_policy(` - cups_dbus_chat_config(unconfined_t) - ') - - optional_policy(` - hal_dbus_chat(unconfined_t) - ') - - optional_policy(` - networkmanager_dbus_chat(unconfined_t) - ') - - optional_policy(` - oddjob_dbus_chat(unconfined_t) - ') -') - -optional_policy(` - firstboot_run(unconfined_t, unconfined_r) -') - -optional_policy(` - ftp_run_ftpdctl(unconfined_t, unconfined_r) -') - -optional_policy(` - inn_domtrans(unconfined_t) -') - -optional_policy(` - java_run_unconfined(unconfined_t, unconfined_r) -') - -optional_policy(` - lpd_run_checkpc(unconfined_t, unconfined_r) -') - -optional_policy(` - modutils_run_update_mods(unconfined_t, unconfined_r) -') - -optional_policy(` - mono_domtrans(unconfined_t) -') - -optional_policy(` - mta_role(unconfined_r, unconfined_t) -') - -optional_policy(` - oddjob_domtrans_mkhomedir(unconfined_t) -') - -optional_policy(` - prelink_run(unconfined_t, unconfined_r) -') - -optional_policy(` - portmap_run_helper(unconfined_t, unconfined_r) -') - -optional_policy(` - postfix_run_map(unconfined_t, unconfined_r) - # cjp: this should probably be removed: - postfix_domtrans_master(unconfined_t) -') - -optional_policy(` - pyzor_role(unconfined_r, unconfined_t) -') - -optional_policy(` - # cjp: this should probably be removed: - rpc_domtrans_nfsd(unconfined_t) -') - -optional_policy(` - rpm_run(unconfined_t, unconfined_r) -') - -optional_policy(` - samba_run_net(unconfined_t, unconfined_r) - samba_run_winbind_helper(unconfined_t, unconfined_r) -') - -optional_policy(` - spamassassin_role(unconfined_r, unconfined_t) -') - -optional_policy(` - sysnet_run_dhcpc(unconfined_t, unconfined_r) - sysnet_dbus_chat_dhcpc(unconfined_t) -') - -optional_policy(` - tzdata_run(unconfined_t, unconfined_r) -') - -optional_policy(` - usermanage_run_admin_passwd(unconfined_t, unconfined_r) -') - -optional_policy(` - vpn_run(unconfined_t, unconfined_r) -') - -optional_policy(` - webalizer_run(unconfined_t, unconfined_r) -') - -optional_policy(` - wine_domtrans(unconfined_t) -') - -optional_policy(` - xserver_domtrans(unconfined_t) -') - -######################################## -# -# Unconfined Execmem Local policy -# - -allow unconfined_execmem_t self:process { execstack execmem }; -unconfined_domain_noaudit(unconfined_execmem_t) - -optional_policy(` - dbus_stub(unconfined_execmem_t) - - init_dbus_chat_script(unconfined_execmem_t) - unconfined_dbus_chat(unconfined_execmem_t) - - optional_policy(` - hal_dbus_chat(unconfined_execmem_t) - ') -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.8.8/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/userdomain.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,4 +1,14 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) - /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) +/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) +HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) +HOME_DIR/local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) +HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0) +HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.8.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/userdomain.if 2010-08-19 07:42:28.000000000 -0400 @@ -30,8 +30,9 @@ ') attribute $1_file_type; + attribute $1_usertype; - type $1_t, userdomain; + type $1_t, userdomain, $1_usertype; domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) @@ -43,69 +44,92 @@ term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) + term_dontaudit_getattr_generic_ptys($1_t) - allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; - allow $1_t self:fd use; - allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; - allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow $1_t self:shm create_shm_perms; - allow $1_t self:sem create_sem_perms; - allow $1_t self:msgq create_msgq_perms; - allow $1_t self:msg { send receive }; - allow $1_t self:context contains; - dontaudit $1_t self:socket create; + allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; + allow $1_usertype $1_usertype:fd use; + allow $1_usertype $1_t:key { create view read write search link setattr }; + + allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms; + allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto }; + allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto }; + allow $1_usertype $1_usertype:shm create_shm_perms; + allow $1_usertype $1_usertype:sem create_sem_perms; + allow $1_usertype $1_usertype:msgq create_msgq_perms; + allow $1_usertype $1_usertype:msg { send receive }; + allow $1_usertype $1_usertype:context contains; + dontaudit $1_usertype $1_usertype:socket create; - allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms }; - term_create_pty($1_t, user_devpts_t) + allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms }; + term_create_pty($1_usertype, user_devpts_t) # avoid annoying messages on terminal hangup on role change - dontaudit $1_t user_devpts_t:chr_file ioctl; + dontaudit $1_usertype user_devpts_t:chr_file ioctl; - allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms }; + allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms }; # avoid annoying messages on terminal hangup on role change - dontaudit $1_t user_tty_device_t:chr_file ioctl; + dontaudit $1_usertype user_tty_device_t:chr_file ioctl; + + application_exec_all($1_usertype) - kernel_read_kernel_sysctls($1_t) - kernel_dontaudit_list_unlabeled($1_t) - kernel_dontaudit_getattr_unlabeled_files($1_t) - kernel_dontaudit_getattr_unlabeled_symlinks($1_t) - kernel_dontaudit_getattr_unlabeled_pipes($1_t) - kernel_dontaudit_getattr_unlabeled_sockets($1_t) - kernel_dontaudit_getattr_unlabeled_blk_files($1_t) - kernel_dontaudit_getattr_unlabeled_chr_files($1_t) + kernel_read_kernel_sysctls($1_usertype) + kernel_read_all_sysctls($1_usertype) + kernel_dontaudit_list_unlabeled($1_usertype) + kernel_dontaudit_getattr_unlabeled_files($1_usertype) + kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype) + kernel_dontaudit_getattr_unlabeled_pipes($1_usertype) + kernel_dontaudit_getattr_unlabeled_sockets($1_usertype) + kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype) + kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype) + kernel_dontaudit_list_proc($1_usertype) - dev_dontaudit_getattr_all_blk_files($1_t) - dev_dontaudit_getattr_all_chr_files($1_t) + dev_dontaudit_getattr_all_blk_files($1_usertype) + dev_dontaudit_getattr_all_chr_files($1_usertype) + dev_getattr_mtrr_dev($1_t) # When the user domain runs ps, there will be a number of access # denials when ps tries to search /proc. Do not audit these denials. - domain_dontaudit_read_all_domains_state($1_t) - domain_dontaudit_getattr_all_domains($1_t) - domain_dontaudit_getsession_all_domains($1_t) - - files_read_etc_files($1_t) - files_read_etc_runtime_files($1_t) - files_read_usr_files($1_t) + domain_dontaudit_read_all_domains_state($1_usertype) + domain_dontaudit_getattr_all_domains($1_usertype) + domain_dontaudit_getsession_all_domains($1_usertype) + + files_read_etc_files($1_usertype) + files_list_mnt($1_usertype) + files_read_mnt_files($1_usertype) + files_read_etc_runtime_files($1_usertype) + files_read_usr_files($1_usertype) + files_read_usr_src_files($1_usertype) # Read directories and files with the readable_t type. # This type is a general type for "world"-readable files. - files_list_world_readable($1_t) - files_read_world_readable_files($1_t) - files_read_world_readable_symlinks($1_t) - files_read_world_readable_pipes($1_t) - files_read_world_readable_sockets($1_t) + files_list_world_readable($1_usertype) + files_read_world_readable_files($1_usertype) + files_read_world_readable_symlinks($1_usertype) + files_read_world_readable_pipes($1_usertype) + files_read_world_readable_sockets($1_usertype) # old broswer_domain(): - files_dontaudit_list_non_security($1_t) - files_dontaudit_getattr_non_security_files($1_t) - files_dontaudit_getattr_non_security_symlinks($1_t) - files_dontaudit_getattr_non_security_pipes($1_t) - files_dontaudit_getattr_non_security_sockets($1_t) + files_dontaudit_getattr_all_dirs($1_usertype) + files_dontaudit_list_non_security($1_usertype) + files_dontaudit_getattr_all_files($1_usertype) + files_dontaudit_getattr_non_security_symlinks($1_usertype) + files_dontaudit_getattr_non_security_pipes($1_usertype) + files_dontaudit_getattr_non_security_sockets($1_usertype) + + files_exec_usr_files($1_t) + + fs_list_cgroup_dirs($1_usertype) + fs_dontaudit_rw_cgroup_files($1_usertype) + + storage_rw_fuse($1_usertype) + + auth_use_nsswitch($1_usertype) - libs_exec_ld_so($1_t) + init_stream_connect($1_usertype) - miscfiles_read_localization($1_t) - miscfiles_read_certs($1_t) + libs_exec_ld_so($1_usertype) - sysnet_read_config($1_t) + miscfiles_read_certs($1_usertype) + miscfiles_read_localization($1_usertype) + miscfiles_read_man_pages($1_usertype) + miscfiles_read_public_files($1_usertype) tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. @@ -116,6 +140,16 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') + + optional_policy(` + fs_list_cgroup_dirs($1_usertype) + ') + + optional_policy(` + ssh_rw_stream_sockets($1_usertype) + ssh_delete_tmp($1_t) + ssh_signal($1_t) + ') ') ####################################### @@ -149,6 +183,8 @@ type user_home_t, user_home_dir_t; ') + role $1 types { user_home_t user_home_dir_t }; + ############################## # # Domain access to home dir @@ -166,27 +202,6 @@ read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) - tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs($2) - fs_read_nfs_files($2) - fs_read_nfs_symlinks($2) - fs_read_nfs_named_sockets($2) - fs_read_nfs_named_pipes($2) - ',` - fs_dontaudit_list_nfs($2) - fs_dontaudit_read_nfs_files($2) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_list_cifs($2) - fs_read_cifs_files($2) - fs_read_cifs_symlinks($2) - fs_read_cifs_named_sockets($2) - fs_read_cifs_named_pipes($2) - ',` - fs_dontaudit_list_cifs($2) - fs_dontaudit_read_cifs_files($2) - ') ') ####################################### @@ -218,8 +233,11 @@ interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; + attribute user_home_type; ') + role $1 types { user_home_type user_home_dir_t }; + ############################## # # Domain access to home dir @@ -228,17 +246,21 @@ type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory + allow $2 user_home_t:dir mounton; allow $2 user_home_t:file entrypoint; - manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) + + allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom }; + allow $2 user_home_dir_t:lnk_file read_lnk_file_perms; + manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) @@ -246,25 +268,23 @@ allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` + fs_mount_nfs($2) + fs_mounton_nfs($2) fs_manage_nfs_dirs($2) fs_manage_nfs_files($2) fs_manage_nfs_symlinks($2) fs_manage_nfs_named_sockets($2) fs_manage_nfs_named_pipes($2) - ',` - fs_dontaudit_manage_nfs_dirs($2) - fs_dontaudit_manage_nfs_files($2) ') tunable_policy(`use_samba_home_dirs',` + fs_mount_cifs($2) + fs_mounton_cifs($2) fs_manage_cifs_dirs($2) fs_manage_cifs_files($2) fs_manage_cifs_symlinks($2) fs_manage_cifs_named_sockets($2) fs_manage_cifs_named_pipes($2) - ',` - fs_dontaudit_manage_cifs_dirs($2) - fs_dontaudit_manage_cifs_files($2) ') ') @@ -289,6 +309,8 @@ type user_tmp_t; ') + role $1 types user_tmp_t; + files_poly_member_tmp($2, user_tmp_t) manage_dirs_pattern($2, user_tmp_t, user_tmp_t) @@ -297,6 +319,45 @@ manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) + relabel_files_pattern($2, user_tmp_t, user_tmp_t) +') + +####################################### +## +## Dontaudit search of user bin dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dontaudit_search_user_bin_dirs',` + gen_require(` + type home_bin_t; + ') + + dontaudit $1 home_bin_t:dir search_dir_perms; +') + +####################################### +## +## Execute user bin files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_exec_user_bin_files',` + gen_require(` + attribute user_home_type; + type home_bin_t, user_home_dir_t; + ') + + exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t) + files_search_home($1) ') ####################################### @@ -316,6 +377,7 @@ ') exec_files_pattern($1, user_tmp_t, user_tmp_t) + dontaudit $1 user_tmp_t:sock_file execute; files_search_tmp($1) ') @@ -350,6 +412,8 @@ type user_tmpfs_t; ') + role $1 types user_tmpfs_t; + manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) @@ -360,46 +424,41 @@ ####################################### ## -## The template allowing the user basic +## The interface allowing the user basic ## network permissions ## -## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## The user domain ## ## ## # -template(`userdom_basic_networking_template',` - gen_require(` - type $1_t; - ') +interface(`userdom_basic_networking',` - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; + allow $1 self:tcp_socket create_stream_socket_perms; + allow $1 self:udp_socket create_socket_perms; - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) - corenet_udp_sendrecv_generic_if($1_t) - corenet_tcp_sendrecv_generic_node($1_t) - corenet_udp_sendrecv_generic_node($1_t) - corenet_tcp_sendrecv_all_ports($1_t) - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_all_client_packets($1_t) - - corenet_all_recvfrom_labeled($1_t, $1_t) + corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) + corenet_udp_sendrecv_generic_node($1) + corenet_tcp_sendrecv_all_ports($1) + corenet_udp_sendrecv_all_ports($1) + corenet_tcp_connect_all_ports($1) + corenet_sendrecv_all_client_packets($1) optional_policy(` - init_tcp_recvfrom_all_daemons($1_t) - init_udp_recvfrom_all_daemons($1_t) + init_tcp_recvfrom_all_daemons($1) + init_udp_recvfrom_all_daemons($1) ') optional_policy(` - ipsec_match_default_spd($1_t) + ipsec_match_default_spd($1) ') + ') ####################################### @@ -430,6 +489,7 @@ dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) + dev_rw_generic_usb_dev($1_t) xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) @@ -490,7 +550,7 @@ attribute unpriv_userdomain; ') - userdom_basic_networking_template($1) + userdom_basic_networking($1_usertype) ############################## # @@ -500,73 +560,78 @@ # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; + allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; + allow $1_t self:socket create_socket_perms; - allow $1_t unpriv_userdomain:fd use; + allow $1_usertype unpriv_userdomain:fd use; - kernel_read_system_state($1_t) - kernel_read_network_state($1_t) - kernel_read_net_sysctls($1_t) + kernel_read_system_state($1_usertype) + kernel_read_network_state($1_usertype) + kernel_read_net_sysctls($1_usertype) # Very permissive allowing every domain to see every type: - kernel_get_sysvipc_info($1_t) + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) - - corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) - corenet_udp_bind_generic_node($1_t) - corenet_udp_bind_generic_port($1_t) + corenet_udp_bind_generic_node($1_usertype) + corenet_udp_bind_generic_port($1_usertype) - dev_read_rand($1_t) - dev_write_sound($1_t) - dev_read_sound($1_t) - dev_read_sound_mixer($1_t) - dev_write_sound_mixer($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) + files_search_locks($1_usertype) # Check to see if cdrom is mounted - files_search_mnt($1_t) + files_search_mnt($1_usertype) # cjp: perhaps should cut back on file reads: - files_read_var_files($1_t) - files_read_var_symlinks($1_t) - files_read_generic_spool($1_t) - files_read_var_lib_files($1_t) + files_read_var_files($1_usertype) + files_read_var_symlinks($1_usertype) + files_read_generic_spool($1_usertype) + files_read_var_lib_files($1_usertype) # Stat lost+found. - files_getattr_lost_found_dirs($1_t) - - fs_rw_cgroup_files($1_t) + files_getattr_lost_found_dirs($1_usertype) + files_read_config_files($1_usertype) + fs_read_noxattr_fs_files($1_usertype) + fs_read_noxattr_fs_symlinks($1_usertype) + fs_rw_cgroup_files($1_usertype) + + logging_send_syslog_msg($1_usertype) + logging_send_audit_msgs($1_usertype) + selinux_get_enforce_mode($1_usertype) # cjp: some of this probably can be removed - selinux_get_fs_mount($1_t) - selinux_validate_context($1_t) - selinux_compute_access_vector($1_t) - selinux_compute_create_context($1_t) - selinux_compute_relabel_context($1_t) - selinux_compute_user_contexts($1_t) + selinux_get_fs_mount($1_usertype) + selinux_validate_context($1_usertype) + selinux_compute_access_vector($1_usertype) + selinux_compute_create_context($1_usertype) + selinux_compute_relabel_context($1_usertype) + selinux_compute_user_contexts($1_usertype) # for eject - storage_getattr_fixed_disk_dev($1_t) + storage_getattr_fixed_disk_dev($1_usertype) - auth_use_nsswitch($1_t) - auth_read_login_records($1_t) - auth_search_pam_console_data($1_t) + auth_read_login_records($1_usertype) auth_run_pam($1_t,$1_r) auth_run_utempter($1_t,$1_r) - init_read_utmp($1_t) + init_read_utmp($1_usertype) - seutil_read_file_contexts($1_t) - seutil_read_default_contexts($1_t) + seutil_read_file_contexts($1_usertype) + seutil_read_default_contexts($1_usertype) seutil_run_newrole($1_t,$1_r) seutil_exec_checkpolicy($1_t) - seutil_exec_setfiles($1_t) + seutil_exec_setfiles($1_usertype) # for when the network connection is killed # this is needed when a login role can change # to this one. seutil_dontaudit_signal_newrole($1_t) tunable_policy(`user_direct_mouse',` - dev_read_mouse($1_t) + dev_read_mouse($1_usertype) ') tunable_policy(`user_ttyfile_stat',` @@ -574,65 +639,108 @@ ') optional_policy(` - alsa_read_rw_config($1_t) + alsa_read_rw_config($1_usertype) ') optional_policy(` # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) + apm_stream_connect($1_usertype) + ') + + optional_policy(` + canna_stream_connect($1_usertype) ') optional_policy(` - canna_stream_connect($1_t) + chrome_role($1_r, $1_usertype) ') optional_policy(` - dbus_system_bus_client($1_t) + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; + + optional_policy(` + avahi_dbus_chat($1_usertype) + ') + + optional_policy(` + policykit_dbus_chat($1_usertype) + ') + + optional_policy(` + bluetooth_dbus_chat($1_usertype) + ') + + optional_policy(` + consolekit_dbus_chat($1_usertype) + consolekit_read_log($1_usertype) + ') + + optional_policy(` + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_power($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + ') + + optional_policy(` + evolution_dbus_chat($1_usertype) + evolution_alarm_dbus_chat($1_usertype) + ') optional_policy(` - bluetooth_dbus_chat($1_t) + gnome_dbus_chat_gconfdefault($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) + hal_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) + modemmanager_dbus_chat($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) + networkmanager_dbus_chat($1_usertype) + networkmanager_read_lib_files($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) + vpn_dbus_chat($1_usertype) ') ') optional_policy(` - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) + git_session_role($1_r, $1_usertype) + ') + + optional_policy(` + inetd_use_fds($1_usertype) + inetd_rw_tcp_sockets($1_usertype) ') optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) + inn_read_config($1_usertype) + inn_read_news_lib($1_usertype) + inn_read_news_spool($1_usertype) ') optional_policy(` - locate_read_lib_files($1_t) + locate_read_lib_files($1_usertype) ') # for running depmod as part of the kernel packaging process optional_policy(` - modutils_read_module_config($1_t) + modutils_read_module_config($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) + mta_rw_spool($1_usertype) + mta_manage_queue($1_usertype) + ') + + optional_policy(` + nsplugin_role($1_r, $1_usertype) ') optional_policy(` @@ -643,41 +751,50 @@ optional_policy(` # to allow monitoring of pcmcia status - pcmcia_read_pid($1_t) + pcmcia_read_pid($1_usertype) ') optional_policy(` - pcscd_read_pub_files($1_t) - pcscd_stream_connect($1_t) + pcscd_read_pub_files($1_usertype) + pcscd_stream_connect($1_usertype) ') optional_policy(` tunable_policy(`allow_user_postgresql_connect',` - postgresql_stream_connect($1_t) - postgresql_tcp_connect($1_t) + postgresql_stream_connect($1_usertype) + postgresql_tcp_connect($1_usertype) ') ') optional_policy(` - resmgr_stream_connect($1_t) + resmgr_stream_connect($1_usertype) + ') + + optional_policy(` + rpc_dontaudit_getattr_exports($1_usertype) + rpc_manage_nfs_rw_content($1_usertype) + ') + + optional_policy(` + rpcbind_stream_connect($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) + samba_stream_connect_winbind($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) + sandbox_transition($1_usertype, $1_r) ') optional_policy(` - slrnpull_search_spool($1_t) + seunshare_role_template($1, $1_r, $1_t) ') optional_policy(` - usernetctl_run($1_t,$1_r) + slrnpull_search_spool($1_usertype) ') + ') ####################################### @@ -705,13 +822,26 @@ userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_manage_home_role($1_r, $1_usertype) + + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) + + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) + ') + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') - userdom_exec_user_tmp_files($1_t) - userdom_exec_user_home_content_files($1_t) + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') + ') userdom_change_password_template($1) @@ -729,72 +859,74 @@ allow $1_t self:context contains; - kernel_dontaudit_read_system_state($1_t) + kernel_dontaudit_read_system_state($1_usertype) + kernel_dontaudit_list_all_proc($1_usertype) - dev_read_sysfs($1_t) - dev_read_urand($1_t) + dev_read_sysfs($1_usertype) + dev_read_urand($1_usertype) - domain_use_interactive_fds($1_t) + domain_use_interactive_fds($1_usertype) # Command completion can fire hundreds of denials - domain_dontaudit_exec_all_entry_files($1_t) + domain_dontaudit_exec_all_entry_files($1_usertype) - files_dontaudit_list_default($1_t) - files_dontaudit_read_default_files($1_t) + files_dontaudit_list_default($1_usertype) + files_dontaudit_read_default_files($1_usertype) # Stat lost+found. - files_getattr_lost_found_dirs($1_t) + files_getattr_lost_found_dirs($1_usertype) - fs_get_all_fs_quotas($1_t) - fs_getattr_all_fs($1_t) - fs_getattr_all_dirs($1_t) - fs_search_auto_mountpoints($1_t) - fs_list_cgroup_dirs($1_t) - fs_list_inotifyfs($1_t) - fs_rw_anon_inodefs_files($1_t) - fs_dontaudit_rw_cgroup_files($1_t) + fs_get_all_fs_quotas($1_usertype) + fs_getattr_all_fs($1_usertype) + fs_search_all($1_usertype) + fs_list_inotifyfs($1_usertype) + fs_rw_anon_inodefs_files($1_usertype) auth_dontaudit_write_login_records($1_t) - - application_exec_all($1_t) + auth_rw_cache($1_t) # The library functions always try to open read-write first, # then fall back to read-only if it fails. - init_dontaudit_rw_utmp($1_t) + init_dontaudit_rw_utmp($1_usertype) # Stop warnings about access to /dev/console - init_dontaudit_use_fds($1_t) - init_dontaudit_use_script_fds($1_t) + init_dontaudit_use_fds($1_usertype) + init_dontaudit_use_script_fds($1_usertype) - libs_exec_lib_files($1_t) + libs_exec_lib_files($1_usertype) - logging_dontaudit_getattr_all_logs($1_t) + logging_dontaudit_getattr_all_logs($1_usertype) - miscfiles_read_man_pages($1_t) # for running TeX programs - miscfiles_read_tetex_data($1_t) - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) - seutil_read_config($1_t) + seutil_read_config($1_usertype) + + optional_policy(` + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) + cups_stream_connect_ptal($1_usertype) + ') optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) + kerberos_use($1_usertype) + kerberos_connect_524($1_usertype) ') optional_policy(` - kerberos_use($1_t) + mta_dontaudit_read_spool_symlinks($1_usertype) ') optional_policy(` - mta_dontaudit_read_spool_symlinks($1_t) + quota_dontaudit_getattr_db($1_usertype) ') optional_policy(` - quota_dontaudit_getattr_db($1_t) + rpm_read_db($1_usertype) + rpm_dontaudit_manage_db($1_usertype) + rpm_read_cache($1_usertype) ') optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) + oddjob_run_mkhomedir($1_t, $1_r) ') ') @@ -826,6 +958,9 @@ typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) + allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms; + dontaudit $1_usertype self:netlink_audit_socket create_socket_perms; + ############################## # # Local policy @@ -867,45 +1002,103 @@ # auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) + auth_search_pam_console_data($1_usertype) - dev_read_sound($1_t) - dev_write_sound($1_t) + dev_read_sound($1_usertype) + dev_write_sound($1_usertype) # gnome keyring wants to read this. - dev_dontaudit_read_rand($1_t) + dev_dontaudit_read_rand($1_usertype) + # temporarily allow since openoffice requires this + dev_read_rand($1_usertype) + + dev_read_video_dev($1_usertype) + dev_write_video_dev($1_usertype) + dev_rw_wireless($1_usertype) - logging_send_syslog_msg($1_t) + tunable_policy(`user_rw_noexattrfile',` + dev_rw_usbfs($1_t) + dev_rw_generic_usb_dev($1_usertype) + + fs_manage_noxattr_fs_files($1_usertype) + fs_manage_noxattr_fs_dirs($1_usertype) + fs_manage_dos_dirs($1_usertype) + fs_manage_dos_files($1_usertype) + storage_raw_read_removable_device($1_usertype) + storage_raw_write_removable_device($1_usertype) + ') + + logging_send_syslog_msg($1_usertype) logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain logging_send_audit_msgs($1_t) selinux_get_enforce_mode($1_t) + seutil_exec_restorecond($1_t) + seutil_read_file_contexts($1_t) + seutil_read_default_contexts($1_t) xserver_restricted_role($1_r, $1_t) optional_policy(` - alsa_read_rw_config($1_t) + alsa_read_rw_config($1_usertype) ') optional_policy(` - dbus_role_template($1, $1_r, $1_t) - dbus_system_bus_client($1_t) + dbus_role_template($1, $1_r, $1_usertype) + dbus_system_bus_client($1_usertype) + allow $1_usertype $1_usertype:dbus send_msg; + + optional_policy(` + abrt_dbus_chat($1_usertype) + abrt_run_helper($1_usertype, $1_r) + ') optional_policy(` - consolekit_dbus_chat($1_t) + consolekit_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat($1_t) + cups_dbus_chat($1_usertype) + cups_dbus_chat_config($1_usertype) ') + + optional_policy(` + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + devicekit_dbus_chat_power($1_usertype) + ') + + optional_policy(` + fprintd_dbus_chat($1_t) + ') + ') + + optional_policy(` + openoffice_role_template($1, $1_r, $1_usertype) + ') + + optional_policy(` + policykit_role($1_r, $1_usertype) ') optional_policy(` - java_role($1_r, $1_t) + pulseaudio_role($1_r, $1_usertype) + ') + + optional_policy(` + rtkit_scheduled($1_usertype) ') optional_policy(` setroubleshoot_dontaudit_stream_connect($1_t) + ') + + optional_policy(` + udev_read_db($1_usertype) + ') + + optional_policy(` + wm_role_template($1, $1_r, $1_t) ') ') @@ -940,7 +1133,7 @@ # # Inherit rules for ordinary users. - userdom_restricted_user_template($1) + userdom_restricted_xwindows_user_template($1) userdom_common_user_template($1) ############################## @@ -949,54 +1142,77 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here - corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) +# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) # Need the following rule to allow users to run vpnc corenet_tcp_bind_xserver_port($1_t) + corenet_tcp_bind_all_nodes($1_usertype) - files_exec_usr_files($1_t) - # cjp: why? - files_read_kernel_symbol_table($1_t) - - ifndef(`enable_mls',` - fs_exec_noxattr($1_t) - - tunable_policy(`user_rw_noexattrfile',` - fs_manage_noxattr_fs_files($1_t) - fs_manage_noxattr_fs_dirs($1_t) - # Write floppies - storage_raw_read_removable_device($1_t) - storage_raw_write_removable_device($1_t) - ',` - storage_raw_read_removable_device($1_t) - ') - ') + storage_rw_fuse($1_t) - tunable_policy(`user_dmesg',` - kernel_read_ring_buffer($1_t) - ',` - kernel_dontaudit_read_ring_buffer($1_t) - ') + miscfiles_read_hwdata($1_usertype) # Allow users to run TCP servers (bind to ports and accept connection from # the same domain and outside users) disabling this forces FTP passive mode # and may change other protocols tunable_policy(`user_tcp_server',` - corenet_tcp_bind_generic_node($1_t) - corenet_tcp_bind_generic_port($1_t) + corenet_tcp_bind_all_unreserved_ports($1_usertype) + ') + + tunable_policy(`user_setrlimit',` + allow $1_usertype self:process setrlimit; ') optional_policy(` - netutils_run_ping_cond($1_t,$1_r) - netutils_run_traceroute_cond($1_t,$1_r) + cdrecord_role($1_r, $1_t) + ') + + optional_policy(` + cron_role($1_r, $1_t) + ') + + optional_policy(` + games_rw_data($1_usertype) + ') + + optional_policy(` + gpg_role($1_r, $1_usertype) + ') + + optional_policy(` + gnomeclock_dbus_chat($1_t) + ') + + optional_policy(` + gpm_stream_connect($1_usertype) + ') + + optional_policy(` + execmem_role_template($1, $1_r, $1_t) ') - # Run pppd in pppd_t by default for user optional_policy(` - ppp_run_cond($1_t,$1_r) + java_role_template($1, $1_r, $1_t) ') optional_policy(` - setroubleshoot_stream_connect($1_t) + mono_role_template($1, $1_r, $1_t) + ') + + optional_policy(` + mount_run_fusermount($1_t, $1_r) + ') + + optional_policy(` + wine_role_template($1, $1_r, $1_t) + ') + + optional_policy(` + postfix_run_postdrop($1_t, $1_r) + ') + + # Run pppd in pppd_t by default for user + optional_policy(` + ppp_run_cond($1_t, $1_r) ') ') @@ -1032,7 +1248,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; - class passwd { passwd chfn chsh rootok }; + class passwd { passwd chfn chsh rootok crontab }; ') ############################## @@ -1067,6 +1283,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; + # Manipulate other users crontab. + allow $1_t self:passwd crontab; + kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) @@ -1081,6 +1300,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) + kernel_signal($1_t) corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels @@ -1112,10 +1332,13 @@ domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) + domain_dontaudit_getattr_all_sockets($1_t) files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) + fs_getattr_all_files($1_t) + fs_list_all($1_t) fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) @@ -1135,6 +1358,7 @@ logging_send_syslog_msg($1_t) modutils_domtrans_insmod($1_t) + modutils_domtrans_depmod($1_t) # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator @@ -1203,6 +1427,8 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) + files_create_default_dir($1) + files_root_filetrans_default($1, dir) # Necessary for managing /boot/efi fs_manage_dos_files($1) @@ -1230,6 +1456,7 @@ seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) + seutil_run_setsebool($1,$2) seutil_run_setfiles($1, $2) optional_policy(` @@ -1268,12 +1495,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; + attribute user_home_type; ') allow $1 user_home_t:filesystem associate; files_type($1) - files_poly_member($1) ubac_constrained($1) + + files_poly_member($1) + typeattribute $1 user_home_type; ') ######################################## @@ -1384,6 +1614,7 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; + allow $1 user_home_dir_t:lnk_file read_lnk_file_perms; files_search_home($1) ') @@ -1430,6 +1661,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) + + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_list_cifs($1) + ') ') ######################################## @@ -1445,9 +1684,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; + type user_home_t; ') dontaudit $1 user_home_dir_t:dir list_dir_perms; + dontaudit $1 user_home_t:dir list_dir_perms; ') ######################################## @@ -1504,6 +1745,42 @@ allow $1 user_home_dir_t:dir relabelto; ') + +######################################## +## +## Relabel to user home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_relabelto_user_home_files',` + gen_require(` + type user_home_t; + ') + + allow $1 user_home_t:file relabelto; +') +######################################## +## +## Relabel user home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_relabel_user_home_files',` + gen_require(` + type user_home_t; + ') + + allow $1 user_home_t:file { relabelto relabelfrom }; +') + ######################################## ## ## Create directories in the home dir root with @@ -1578,6 +1855,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; + fs_dontaudit_list_nfs($1) + fs_dontaudit_list_cifs($1) ') ######################################## @@ -1592,10 +1871,12 @@ # interface(`userdom_list_user_home_content',` gen_require(` - type user_home_t; + type user_home_dir_t; + attribute user_home_type; ') - allow $1 user_home_t:dir list_dir_perms; + files_list_home($1) + allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms; ') ######################################## @@ -1638,6 +1919,25 @@ ######################################## ## +## Set the attributes of user home files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_setattr_user_home_content_files',` + gen_require(` + type user_home_t; + ') + + allow $1 user_home_t:file setattr; +') + +######################################## +## ## Do not audit attempts to set the ## attributes of user home files. ## @@ -1689,13 +1989,14 @@ type user_home_dir_t, user_home_t; ') + list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t }) read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') ######################################## ## -## Do not audit attempts to read user home files. +## Do not audit attempts to getattr user home files. ## ## ## @@ -1703,18 +2004,40 @@ ## ## # -interface(`userdom_dontaudit_read_user_home_content_files',` +interface(`userdom_dontaudit_getattr_user_home_content',` gen_require(` - type user_home_t; + attribute user_home_type; ') - dontaudit $1 user_home_t:dir list_dir_perms; - dontaudit $1 user_home_t:file read_file_perms; + dontaudit $1 user_home_type:dir getattr; + dontaudit $1 user_home_type:file getattr; ') ######################################## ## -## Do not audit attempts to append user home files. +## Do not audit attempts to read user home files. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_read_user_home_content_files',` + gen_require(` + attribute user_home_type; + type user_home_dir_t; + ') + + dontaudit $1 user_home_dir_t:dir list_dir_perms; + dontaudit $1 user_home_type:dir list_dir_perms; + dontaudit $1 user_home_type:file read_file_perms; + dontaudit $1 user_home_type:lnk_file read_lnk_file_perms; +') + +######################################## +## +## Do not audit attempts to append user home files. ## ## ## @@ -1799,8 +2122,7 @@ type user_home_dir_t, user_home_t; ') - read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - files_search_home($1) + allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; ') ######################################## @@ -1816,20 +2138,14 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` - type user_home_dir_t, user_home_t; + type user_home_dir_t; + attribute user_home_type; ') files_search_home($1) - exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') -') ######################################## ## @@ -2171,7 +2487,7 @@ type user_tmp_t; ') - dontaudit $1 user_tmp_t:file read_file_perms; + dontaudit $1 user_tmp_t:file read_inherited_file_perms; ') ######################################## @@ -2424,13 +2740,14 @@ ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) + read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) allow $1 user_tmpfs_t:dir list_dir_perms; fs_search_tmpfs($1) ') ######################################## ## -## Read user tmpfs files. +## Read/Write user tmpfs files. ## ## ## @@ -2451,26 +2768,6 @@ ######################################## ## -## Create, read, write, and delete user tmpfs files. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_manage_user_tmpfs_files',` - gen_require(` - type user_tmpfs_t; - ') - - manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) -') - -######################################## -## ## Get the attributes of a user domain tty. ## ## @@ -2804,7 +3101,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; - allow unpriv_userdomain $1:fifo_file rw_file_perms; + allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms; allow unpriv_userdomain $1:process sigchld; ') @@ -2820,11 +3117,13 @@ # interface(`userdom_search_user_home_content',` gen_require(` - type user_home_dir_t, user_home_t; + type user_home_dir_t; + attribute user_home_type; ') files_list_home($1) - allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms; + allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; + allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; ') ######################################## @@ -2961,7 +3260,45 @@ type user_tmp_t; ') - allow $1 user_tmp_t:file write_file_perms; + write_files_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## +## +## Do not audit attempts to write users +## temporary files. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_write_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + dontaudit $1 user_tmp_t:file write; +') + +######################################## +## +## Do not audit attempts to read/write users +## temporary fifo files. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_rw_user_tmp_pipes',` + gen_require(` + type user_tmp_t; + ') + + dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## @@ -2998,6 +3335,7 @@ ') read_files_pattern($1, userdomain, userdomain) + read_lnk_files_pattern($1,userdomain,userdomain) kernel_search_proc($1) ') @@ -3128,3 +3466,854 @@ allow $1 userdomain:dbus send_msg; ') + +######################################## +## +## Allow apps to set rlimits on userdomain +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_set_rlimitnh',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:process rlimitinh; +') + +######################################## +## +## Define this type as a Allow apps to set rlimits on userdomain +## +## +## +## Domain allowed access. +## +## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`userdom_unpriv_usertype',` + gen_require(` + attribute unpriv_userdomain, userdomain; + attribute $1_usertype; + ') + typeattribute $2 $1_usertype; + typeattribute $2 unpriv_userdomain; + typeattribute $2 userdomain; + + ubac_constrained($2) +') + +######################################## +## +## Connect to users over an unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_stream_connect',` + gen_require(` + type user_tmp_t; + attribute userdomain; + ') + + stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain) +') + +######################################## +## +## Ptrace user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_ptrace_all_users',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:process ptrace; +') + +######################################## +## +## dontaudit Search /root +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dontaudit_search_admin_dir',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:dir search_dir_perms; +') + +######################################## +## +## dontaudit list /root +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dontaudit_list_admin_dir',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:dir list_dir_perms; +') + +######################################## +## +## Allow domain to list /root +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_list_admin_dir',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:dir list_dir_perms; +') + +######################################## +## +## Allow Search /root +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_search_admin_dir',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:dir search_dir_perms; +') + +######################################## +## +## RW unpriviledged user SysV sempaphores. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_rw_semaphores',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:sem rw_sem_perms; +') + +######################################## +## +## Send a message to unpriv users over a unix domain +## datagram socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dgram_send',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:unix_dgram_socket sendto; +') + +###################################### +## +## Send a message to users over a unix domain +## datagram socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_users_dgram_send',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:unix_dgram_socket sendto; +') + +####################################### +## +## Allow execmod on files in homedirectory +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_execmod_user_home_files',` + gen_require(` + type user_home_type; + ') + + allow $1 user_home_type:file execmod; +') + +######################################## +## +## Read admin home files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_read_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + read_files_pattern($1, admin_home_t, admin_home_t) +') + +######################################## +## +## Execute admin home files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_exec_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + exec_files_pattern($1, admin_home_t, admin_home_t) +') + +######################################## +## +## Append files inherited +## in the /root directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_inherit_append_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:file { getattr append }; +') + + +####################################### +## +## Manage all files/directories in the homedir +## +## +## +## The user domain +## +## +## +# +interface(`userdom_manage_user_home_content',` + gen_require(` + type user_home_dir_t, user_home_t; + attribute user_home_type; + ') + + files_list_home($1) + manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) + +') + + +######################################## +## +## Create objects in a user home directory +## with an automatic type transition to +## the user home file type. +## +## +## +## Domain allowed access. +## +## +## +## +## The class of the object to be created. +## +## +# +interface(`userdom_user_home_dir_filetrans_pattern',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + type_transition $1 user_home_dir_t:$2 user_home_t; +') + +######################################## +## +## Create objects in the /root directory +## with an automatic type transition to +## a specified private type. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to create. +## +## +## +## +## The class of the object to be created. +## +## +# +interface(`userdom_admin_home_dir_filetrans',` + gen_require(` + type admin_home_t; + ') + + filetrans_pattern($1, admin_home_t, $2, $3) +') + +######################################## +## +## Send signull to unprivileged user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_signull_unpriv_users',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:process signull; +') + +######################################## +## +## Write all users files in /tmp +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_write_user_tmp_dirs',` + gen_require(` + type user_tmp_t; + ') + + write_files_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## +## +## Manage keys for all user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_all_users_keys',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:key manage_key_perms; +') + + +######################################## +## +## Do not audit attempts to read and write +## unserdomain stream. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_rw_stream',` + gen_require(` + attribute userdomain; + ') + + dontaudit $1 userdomain:unix_stream_socket rw_socket_perms; +') + +######################################## +## +## Append files +## in a user home subdirectory. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_append_user_home_content_files',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + append_files_pattern($1, user_home_t, user_home_t) + allow $1 user_home_dir_t:dir search_dir_perms; + files_search_home($1) +') + +######################################## +## +## Read files inherited +## in a user home subdirectory. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_read_inherited_user_home_content_files',` + gen_require(` + attribute user_home_type; + ') + + allow $1 user_home_type:file { getattr read }; +') + +######################################## +## +## Append files inherited +## in a user home subdirectory. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_inherit_append_user_home_content_files',` + gen_require(` + type user_home_t; + ') + + allow $1 user_home_t:file { getattr append }; +') + +######################################## +## +## Append files inherited +## in a user tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_inherit_append_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:file { getattr append }; +') + +###################################### +## +## Read audio files in the users homedir. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_read_home_audio_files',` + gen_require(` + type audio_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 audio_home_t:dir list_dir_perms; + read_files_pattern($1, audio_home_t, audio_home_t) + read_lnk_files_pattern($1, audio_home_t, audio_home_t) +') + +######################################## +## +## Read system SSL certificates in the users homedir. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_read_home_certs',` + gen_require(` + type home_cert_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 home_cert_t:dir list_dir_perms; + read_files_pattern($1, home_cert_t, home_cert_t) + read_lnk_files_pattern($1, home_cert_t, home_cert_t) +') + +######################################## +## +## dontaudit Search getatrr /root files +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dontaudit_getattr_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:file getattr; +') + +######################################## +## +## dontaudit read /root lnk files +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dontaudit_read_admin_home_lnk_files',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:lnk_file read; +') + +######################################## +## +## dontaudit read /root files +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dontaudit_read_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:file read_file_perms; +') + +######################################## +## +## Create, read, write, and delete user +## temporary chr files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_user_tmp_chr_files',` + gen_require(` + type user_tmp_t; + ') + + manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) +') + +######################################## +## +## Create, read, write, and delete user +## temporary blk files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_user_tmp_blk_files',` + gen_require(` + type user_tmp_t; + ') + + manage_blk_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) +') + +######################################## +## +## Dontaudit search user temporary directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dontaduit_search_user_tmp',` + gen_require(` + type user_tmp_t; + ') + + dontaudit $1 user_tmp_t:dir search_dir_perms; +') + +######################################## +## +## Write all inherited users files in /tmp +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_write_inherited_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:file write; +') + +######################################## +## +## Delete all users files in /tmp +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:file delete_file_perms; +') + +######################################## +## +## Delete user tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_user_tmpfs_files',` + gen_require(` + type user_tmpfs_t; + ') + + allow $1 user_tmpfs_t:file delete_file_perms; +') + +######################################## +## +## Read/Write unpriviledged user SysV shared +## memory segments. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_rw_unpriv_user_shared_mem',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:shm rw_shm_perms; +') + +######################################## +## +## Do not audit attempts to search user +## temporary directories. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_search_user_tmp',` + gen_require(` + type user_tmp_t; + ') + + dontaudit $1 user_tmp_t:dir search_dir_perms; +') + +######################################## +## +## Execute a file in a user home directory +## in the specified domain. +## +## +##

+## Execute a file in a user home directory +## in the specified domain. +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+## +## +## +## Domain allowed access. +## +## +## +## +## The type of the new process. +## +## +# +interface(`userdom_domtrans_user_home',` + gen_require(` + type user_home_t; + ') + + read_lnk_files_pattern($1, user_home_t, user_home_t) + domain_transition_pattern($1, user_home_t, $2) + type_transition $1 user_home_t:process $2; +') + +######################################## +## +## Execute a file in a user tmp directory +## in the specified domain. +## +## +##

+## Execute a file in a user tmp directory +## in the specified domain. +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+## +## +## +## Domain allowed access. +## +## +## +## +## The type of the new process. +## +## +# +interface(`userdom_domtrans_user_tmp',` + gen_require(` + type user_tmp_t; + ') + + files_search_tmp($1) + read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) + domain_transition_pattern($1, user_tmp_t, $2) + type_transition $1 user_tmp_t:process $2; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.8.8/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/userdomain.te 2010-08-12 15:46:21.000000000 -0400 @@ -43,6 +43,13 @@ ## ##

+## Allow user processes to change their priority +##

+## +gen_tunable(user_setrlimit, false) + +## +##

## Allow w to display everyone ##

## @@ -59,6 +66,15 @@ attribute untrusted_content_type; attribute untrusted_content_tmp_type; +# unprivileged user domains +attribute user_home_type; + +type admin_home_t; +files_type(admin_home_t) +files_associate_tmp(admin_home_t) +fs_associate_tmpfs(admin_home_t) +files_mountpoint(admin_home_t) + type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) @@ -71,18 +87,21 @@ type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; +typeattribute user_home_t user_home_type; userdom_user_home_content(user_home_t) fs_associate_tmpfs(user_home_t) files_associate_tmp(user_home_t) +files_poly_member(user_home_t) files_poly_parent(user_home_t) files_mountpoint(user_home_t) +ubac_constrained(user_home_t) type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t }; dev_node(user_devpts_t) files_type(user_devpts_t) ubac_constrained(user_devpts_t) -type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; +type user_tmp_t alias { winbind_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; files_tmp_file(user_tmp_t) userdom_user_home_content(user_tmp_t) @@ -94,3 +113,25 @@ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) + +type audio_home_t; +userdom_user_home_content(audio_home_t) +ubac_constrained(audio_home_t) + +type home_bin_t; +userdom_user_home_content(home_bin_t) +ubac_constrained(home_bin_t) + +type home_cert_t; +miscfiles_cert_type(home_cert_t) +userdom_user_home_content(home_cert_t) +ubac_constrained(home_cert_t) + +tunable_policy(`allow_console_login',` + term_use_console(userdomain) +') + +allow userdomain userdomain:process signull; + +# Nautilus causes this avc +dontaudit unpriv_userdomain self:dir setattr; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.8.8/policy/modules/system/xen.fc --- nsaserefpolicy/policy/modules/system/xen.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/xen.fc 2010-07-30 14:06:53.000000000 -0400 @@ -1,7 +1,5 @@ /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) -/usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0) - /usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) ifdef(`distro_debian',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.8.8/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/xen.if 2010-07-30 14:06:53.000000000 -0400 @@ -87,6 +87,26 @@ ## ## # +interface(`xen_manage_image_dirs',` + gen_require(` + type xend_var_lib_t; + ') + + files_list_var_lib($1) + manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) +') + +######################################## +## +## Allow the specified domain to read/write +## xend image files. +## +## +## +## Domain allowed to transition. +## +## +# interface(`xen_rw_image_files',` gen_require(` type xen_image_t, xend_var_lib_t; @@ -213,8 +233,9 @@ interface(`xen_domtrans_xm',` gen_require(` type xm_t, xm_exec_t; + attribute virsh_transition_domain; ') - + typeattribute $1 virsh_transition_domain; domtrans_pattern($1, xm_exec_t, xm_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.8.8/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/xen.te 2010-07-30 14:06:53.000000000 -0400 @@ -4,6 +4,7 @@ # # Declarations # +attribute xm_transition_domain; ## ##

@@ -34,6 +35,7 @@ files_type(xen_image_t) # xen_image_t can be assigned to blk devices dev_node(xen_image_t) +virt_image(xen_image_t) type xenctl_t; files_type(xenctl_t) @@ -89,11 +91,6 @@ type xenconsoled_var_run_t; files_pid_file(xenconsoled_var_run_t) -type xm_t; -type xm_exec_t; -domain_type(xm_t) -init_system_domain(xm_t, xm_exec_t) - ####################################### # # evtchnd local policy @@ -317,9 +314,10 @@ files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) # pid file +manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) -files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file }) +files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir }) # log files manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) @@ -346,6 +344,7 @@ files_read_usr_files(xenstored_t) +fs_search_xenfs(xenstored_t) fs_manage_xenfs_files(xenstored_t) storage_raw_read_fixed_disk(xenstored_t) @@ -353,6 +352,7 @@ storage_raw_read_removable_device(xenstored_t) term_use_generic_ptys(xenstored_t) +term_use_console(xenconsoled_t) init_use_fds(xenstored_t) init_use_script_ptys(xenstored_t) @@ -365,98 +365,9 @@ ######################################## # -# xm local policy -# - -allow xm_t self:capability { dac_override ipc_lock sys_tty_config }; -allow xm_t self:process { getsched signal }; - -# internal communication is often done using fifo and unix sockets. -allow xm_t self:fifo_file rw_fifo_file_perms; -allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow xm_t self:tcp_socket create_stream_socket_perms; - -manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) -manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) -manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) -files_search_var_lib(xm_t) - -allow xm_t xen_image_t:dir rw_dir_perms; -allow xm_t xen_image_t:file read_file_perms; -allow xm_t xen_image_t:blk_file read_blk_file_perms; - -kernel_read_system_state(xm_t) -kernel_read_kernel_sysctls(xm_t) -kernel_read_sysctl(xm_t) -kernel_read_xen_state(xm_t) -kernel_write_xen_state(xm_t) - -corecmd_exec_bin(xm_t) -corecmd_exec_shell(xm_t) - -corenet_tcp_sendrecv_generic_if(xm_t) -corenet_tcp_sendrecv_generic_node(xm_t) -corenet_tcp_connect_soundd_port(xm_t) - -dev_read_urand(xm_t) -dev_read_sysfs(xm_t) - -files_read_etc_runtime_files(xm_t) -files_read_usr_files(xm_t) -files_list_mnt(xm_t) -# Some common macros (you might be able to remove some) -files_read_etc_files(xm_t) - -fs_getattr_all_fs(xm_t) -fs_manage_xenfs_dirs(xm_t) -fs_manage_xenfs_files(xm_t) - -storage_raw_read_fixed_disk(xm_t) - -term_use_all_terms(xm_t) - -init_stream_connect_script(xm_t) -init_rw_script_stream_sockets(xm_t) -init_use_fds(xm_t) - -miscfiles_read_localization(xm_t) - -sysnet_dns_name_resolve(xm_t) - -xen_append_log(xm_t) -xen_stream_connect(xm_t) -xen_stream_connect_xenstore(xm_t) - -optional_policy(` - dbus_system_bus_client(xm_t) - - optional_policy(` - hal_dbus_chat(xm_t) - ') -') - -optional_policy(` - virt_domtrans(xm_t) - virt_manage_images(xm_t) - virt_manage_config(xm_t) - virt_stream_connect(xm_t) -') - -######################################## -# # SSH component local policy # optional_policy(` - ssh_basic_client_template(xm, xm_t, system_r) - - kernel_read_xen_state(xm_ssh_t) - kernel_write_xen_state(xm_ssh_t) - - files_search_tmp(xm_ssh_t) - - fs_manage_xenfs_dirs(xm_ssh_t) - fs_manage_xenfs_files(xm_ssh_t) - #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.8.8/policy/support/misc_patterns.spt --- nsaserefpolicy/policy/support/misc_patterns.spt 2010-05-25 16:28:22.000000000 -0400 +++ serefpolicy-3.8.8/policy/support/misc_patterns.spt 2010-07-30 14:06:53.000000000 -0400 @@ -15,7 +15,7 @@ domain_transition_pattern($1,$2,$3) allow $3 $1:fd use; - allow $3 $1:fifo_file rw_fifo_file_perms; + allow $3 $1:fifo_file rw_inherited_fifo_file_perms; allow $3 $1:process sigchld; ') @@ -34,8 +34,12 @@ domain_auto_transition_pattern($1,$2,$3) allow $3 $1:fd use; - allow $3 $1:fifo_file rw_fifo_file_perms; + allow $3 $1:fifo_file rw_inherited_fifo_file_perms; allow $3 $1:process sigchld; + + ifdef(`hide_broken_symptoms', ` + dontaudit $3 $1:socket_class_set { read write }; + ') ') # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.8.8/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-07-14 11:21:53.000000000 -0400 +++ serefpolicy-3.8.8/policy/support/obj_perm_sets.spt 2010-07-30 14:06:53.000000000 -0400 @@ -28,7 +28,7 @@ # # All socket classes. # -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }') +define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') # @@ -105,7 +105,7 @@ # # Permissions for using sockets. # -define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }') +define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }') # # Permissions for creating and using sockets. @@ -199,12 +199,14 @@ # define(`getattr_file_perms',`{ getattr }') define(`setattr_file_perms',`{ setattr }') -define(`read_file_perms',`{ getattr open read lock ioctl }') +define(`read_inherited_file_perms',`{ getattr read ioctl lock }') +define(`read_file_perms',`{ open read_inherited_file_perms }') define(`mmap_file_perms',`{ getattr open read execute ioctl }') define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }') define(`append_file_perms',`{ getattr open append lock ioctl }') define(`write_file_perms',`{ getattr open write append lock ioctl }') -define(`rw_file_perms',`{ getattr open read write append ioctl lock }') +define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }') +define(`rw_file_perms',`{ open rw_inherited_file_perms }') define(`create_file_perms',`{ getattr create open }') define(`rename_file_perms',`{ getattr rename }') define(`delete_file_perms',`{ getattr unlink }') @@ -225,7 +227,7 @@ define(`create_lnk_file_perms',`{ create getattr }') define(`rename_lnk_file_perms',`{ getattr rename }') define(`delete_lnk_file_perms',`{ getattr unlink }') -define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }') +define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }') define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') define(`relabelto_lnk_file_perms',`{ getattr relabelto }') define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }') @@ -238,7 +240,8 @@ define(`read_fifo_file_perms',`{ getattr open read lock ioctl }') define(`append_fifo_file_perms',`{ getattr open append lock ioctl }') define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }') -define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }') +define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }') +define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }') define(`create_fifo_file_perms',`{ getattr create open }') define(`rename_fifo_file_perms',`{ getattr rename }') define(`delete_fifo_file_perms',`{ getattr unlink }') @@ -254,7 +257,8 @@ define(`setattr_sock_file_perms',`{ setattr }') define(`read_sock_file_perms',`{ getattr open read }') define(`write_sock_file_perms',`{ getattr write open append }') -define(`rw_sock_file_perms',`{ getattr open read write append }') +define(`rw_inherited_sock_file_perms',`{ getattr read write append }') +define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }') define(`create_sock_file_perms',`{ getattr create open }') define(`rename_sock_file_perms',`{ getattr rename }') define(`delete_sock_file_perms',`{ getattr unlink }') @@ -271,7 +275,8 @@ define(`read_blk_file_perms',`{ getattr open read lock ioctl }') define(`append_blk_file_perms',`{ getattr open append lock ioctl }') define(`write_blk_file_perms',`{ getattr open write append lock ioctl }') -define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }') +define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }') +define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }') define(`create_blk_file_perms',`{ getattr create }') define(`rename_blk_file_perms',`{ getattr rename }') define(`delete_blk_file_perms',`{ getattr unlink }') @@ -288,7 +293,8 @@ define(`read_chr_file_perms',`{ getattr open read lock ioctl }') define(`append_chr_file_perms',`{ getattr open append lock ioctl }') define(`write_chr_file_perms',`{ getattr open write append lock ioctl }') -define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }') +define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }') +define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }') define(`create_chr_file_perms',`{ getattr create }') define(`rename_chr_file_perms',`{ getattr rename }') define(`delete_chr_file_perms',`{ getattr unlink }') @@ -305,7 +311,8 @@ # # Use (read and write) terminals # -define(`rw_term_perms', `{ getattr open read write ioctl }') +define(`rw_inherited_term_perms', `{ getattr open read write ioctl append }') +define(`rw_term_perms', `{ open rw_inherited_term_perms }') # # Sockets @@ -317,3 +324,14 @@ # Keys # define(`manage_key_perms', `{ create link read search setattr view write } ') + +# +# All +# +define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap } +') + +define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ') +define(`all_dbus_perms', `{ acquire_svc send_msg } ') +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ') +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.8.8/policy/users --- nsaserefpolicy/policy/users 2009-12-18 11:38:25.000000000 -0500 +++ serefpolicy-3.8.8/policy/users 2010-07-30 14:06:53.000000000 -0400 @@ -15,7 +15,7 @@ # and a user process should never be assigned the system user # identity. # -gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(system_u,, system_r unconfined_u, s0, s0 - mls_systemhigh, mcs_allcats) # # user_u is a generic user identity for Linux users who have no @@ -25,11 +25,8 @@ # permit any access to such users, then remove this entry. # gen_user(user_u, user, user_r, s0, s0) -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# Until order dependence is fixed for users: -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) # # The following users correspond to Unix identities. @@ -38,8 +35,4 @@ # role should use the staff_r role instead of the user_r role when # not in the sysadm_r. # -ifdef(`direct_sysadm_daemon',` - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) -',` - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -') +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.8.8/support/Makefile.devel --- nsaserefpolicy/support/Makefile.devel 2010-07-14 11:21:53.000000000 -0400 +++ serefpolicy-3.8.8/support/Makefile.devel 2010-07-30 14:06:53.000000000 -0400 @@ -68,8 +68,8 @@ # default MLS/MCS sensitivity and category settings. MLS_SENS ?= 16 -MLS_CATS ?= 1024 -MCS_CATS ?= 1024 +MLS_CATS ?= 256 +MCS_CATS ?= 256 ifeq ($(QUIET),y) verbose := @