##
## Allow Apache to modify public files
@@ -36,6 +38,13 @@
##
##
+## Allow httpd scripts and modules execmem/execstack
+##
+##
+gen_tunable(httpd_execmem, false)
+
+##
+##
## Allow httpd to use built in scripting (usually php)
##
##
@@ -50,6 +59,13 @@
##
##
+## Allow HTTPD scripts and modules to connect to cobbler over the network.
+##
+##
+gen_tunable(httpd_can_network_connect_cobbler, false)
+
+##
+##
## Allow HTTPD scripts and modules to connect to databases over the network.
##
##
@@ -100,6 +116,13 @@
##
##
+## Allow httpd to read user content
+##
+##
+gen_tunable(httpd_read_user_content, false)
+
+##
+##
## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
##
##
@@ -107,6 +130,13 @@
##
##
+## Allow Apache to execute tmp content.
+##
+##
+gen_tunable(httpd_tmp_exec, false)
+
+##
+##
## Unify HTTPD to communicate with the terminal.
## Needed for entering the passphrase for certificates at
## the terminal.
@@ -130,7 +160,7 @@
##
##
-## Allow httpd to run gpg
+## Allow httpd to run gpg in gpg-web domain
##
##
gen_tunable(httpd_use_gpg, false)
@@ -142,6 +172,13 @@
##
gen_tunable(httpd_use_nfs, false)
+##
+##
+## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
+##
+##
+gen_tunable(allow_httpd_sys_script_anon_write, false)
+
attribute httpdcontent;
attribute httpd_user_content_type;
@@ -216,7 +253,10 @@
# setup the system domain for system CGI scripts
apache_content_template(sys)
-typealias httpd_sys_content_t alias ntop_http_content_t;
+
+typeattribute httpd_sys_content_t httpdcontent; # customizable
+typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
+typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
@@ -226,6 +266,10 @@
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
+typeattribute httpd_user_content_t httpdcontent;
+typeattribute httpd_user_rw_content_t httpdcontent;
+typeattribute httpd_user_ra_content_t httpdcontent;
+
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
@@ -233,6 +277,7 @@
userdom_user_home_content(httpd_user_rw_content_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
@@ -286,6 +331,7 @@
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
@@ -355,6 +401,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
+kernel_search_network_sysctl(httpd_t)
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
@@ -365,8 +412,10 @@
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
+corenet_udp_bind_generic_node(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
+corenet_tcp_bind_ntop_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
# Signal self for shutdown
corenet_tcp_connect_http_port(httpd_t)
@@ -378,12 +427,12 @@
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
+fs_read_iso9660_files(httpd_t)
+fs_read_anon_inodefs_files(httpd_t)
auth_use_nsswitch(httpd_t)
-# execute perl
-corecmd_exec_bin(httpd_t)
-corecmd_exec_shell(httpd_t)
+application_exec_all(httpd_t)
domain_use_interactive_fds(httpd_t)
@@ -402,6 +451,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
libs_read_lib_files(httpd_t)
@@ -420,12 +473,23 @@
miscfiles_manage_public_files(httpd_t)
')
-ifdef(`TODO', `
#
# We need optionals to be able to be within booleans to make this work
#
tunable_policy(`allow_httpd_mod_auth_pam',`
- auth_domtrans_chk_passwd(httpd_t)
+ auth_domtrans_chkpwd(httpd_t)
+ logging_send_audit_msgs(httpd_t)
+')
+
+##
+##
+## Allow Apache to use mod_auth_pam
+##
+##
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+optional_policy(`
+tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
+ samba_domtrans_winbind_helper(httpd_t)
')
')
@@ -446,6 +510,16 @@
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
+')
+
+tunable_policy(`allow_httpd_sys_script_anon_write',`
+ miscfiles_manage_public_files(httpd_sys_script_t)
+')
+
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -456,6 +530,10 @@
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
@@ -470,11 +548,25 @@
userdom_read_user_home_content_files(httpd_t)
')
+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
+ can_exec(httpd_t, httpd_tmp_t)
+')
+
+tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
+ can_exec(httpd_sys_script_t, httpd_tmp_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(httpd_t)
fs_read_nfs_symlinks(httpd_t)
')
+tunable_policy(`httpd_use_nfs',`
+ fs_manage_nfs_dirs(httpd_t)
+ fs_manage_nfs_files(httpd_t)
+ fs_manage_nfs_symlinks(httpd_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
@@ -484,7 +576,16 @@
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
+ corenet_tcp_connect_pop_port(httpd_t)
+ corenet_sendrecv_pop_client_packets(httpd_t)
mta_send_mail(httpd_t)
+ mta_signal_system_mail(httpd_t)
+')
+
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
')
tunable_policy(`httpd_ssi_exec',`
@@ -513,7 +614,13 @@
')
optional_policy(`
- cobbler_search_lib(httpd_t)
+ cobbler_list_config(httpd_t)
+ cobbler_read_config(httpd_t)
+ cobbler_read_content(httpd_t)
+
+ tunable_policy(`httpd_can_network_connect_cobbler',`
+ corenet_tcp_connect_cobbler_port(httpd_t)
+ ')
')
optional_policy(`
@@ -528,7 +635,7 @@
daemontools_service_domain(httpd_t, httpd_exec_t)
')
- optional_policy(`
+optional_policy(`
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
@@ -537,8 +644,12 @@
')
optional_policy(`
+ gitosis_read_lib_files(httpd_t)
+')
+
+optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
- gpg_domtrans(httpd_t)
+ gpg_domtrans_web(httpd_t)
')
')
@@ -557,6 +668,7 @@
optional_policy(`
# Allow httpd to work with mysql
+ mysql_read_config(httpd_t)
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
@@ -567,6 +679,7 @@
optional_policy(`
nagios_read_config(httpd_t)
+ nagios_read_log(httpd_t)
')
optional_policy(`
@@ -577,12 +690,23 @@
')
optional_policy(`
+ rpc_search_nfs_state_data(httpd_t)
+')
+
+tunable_policy(`httpd_execmem',`
+ allow httpd_t self:process { execmem execstack };
+ allow httpd_sys_script_t self:process { execmem execstack };
+ allow httpd_suexec_t self:process { execmem execstack };
+')
+
+optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_t)
+ postgresql_tcp_connect(httpd_sys_script_t)
')
')
@@ -591,6 +715,11 @@
')
optional_policy(`
+ smokeping_getattr_lib_files(httpd_t)
+')
+
+optional_policy(`
+ files_dontaudit_rw_usr_dirs(httpd_t)
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
@@ -603,6 +732,10 @@
yam_read_content(httpd_t)
')
+optional_policy(`
+ zarafa_stream_connect_server(httpd_t)
+')
+
########################################
#
# Apache helper local policy
@@ -618,6 +751,10 @@
userdom_use_user_terminals(httpd_helper_t)
+tunable_policy(`httpd_tty_comm',`
+ userdom_use_user_terminals(httpd_helper_t)
+')
+
########################################
#
# Apache PHP script local policy
@@ -699,17 +836,18 @@
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
dev_read_urand(httpd_suexec_t)
+fs_read_iso9660_files(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)
-# for shell scripts
-corecmd_exec_bin(httpd_suexec_t)
-corecmd_exec_shell(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
@@ -740,10 +878,21 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_sys_script_t httpdcontent:file entrypoint;
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-
+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+')
+tunable_policy(`httpd_enable_cgi',`
+ domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -769,6 +918,12 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
+optional_policy(`
+ mysql_stream_connect(httpd_suexec_t)
+ mysql_rw_db_sockets(httpd_suexec_t)
+ mysql_read_config(httpd_suexec_t)
+')
+
########################################
#
# Apache system script local policy
@@ -792,9 +947,13 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
+logging_inherit_append_all_logs(httpd_sys_script_t)
+
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
+auth_use_nsswitch(httpd_sys_script_t)
+
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
@@ -803,6 +962,22 @@
mta_send_mail(httpd_sys_script_t)
')
+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
+
+tunable_policy(`httpd_use_nfs',`
+ fs_manage_nfs_dirs(httpd_sys_script_t)
+ fs_manage_nfs_files(httpd_sys_script_t)
+ fs_manage_nfs_symlinks(httpd_sys_script_t)
+ fs_exec_nfs_files(httpd_sys_script_t)
+
+ fs_manage_nfs_dirs(httpd_suexec_t)
+ fs_manage_nfs_files(httpd_suexec_t)
+ fs_manage_nfs_symlinks(httpd_suexec_t)
+ fs_exec_nfs_files(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
@@ -830,6 +1005,16 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_sys_script_t)
+ fs_manage_cifs_files(httpd_sys_script_t)
+ fs_manage_cifs_symlinks(httpd_sys_script_t)
+ fs_manage_cifs_dirs(httpd_suexec_t)
+ fs_manage_cifs_files(httpd_suexec_t)
+ fs_manage_cifs_symlinks(httpd_suexec_t)
+ fs_exec_cifs_files(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -842,6 +1027,7 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t)
')
optional_policy(`
@@ -891,11 +1077,33 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
')
# allow accessing files/dirs below the users home dir
tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_t)
- userdom_search_user_home_dirs(httpd_suexec_t)
- userdom_search_user_home_dirs(httpd_user_script_t)
+ userdom_search_user_home_content(httpd_t)
+ userdom_search_user_home_content(httpd_suexec_t)
+ userdom_search_user_home_content(httpd_user_script_t)
+')
+
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_user_script_t)
+ userdom_read_user_home_content_files(httpd_suexec_t)
')
+
+tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',`
+ userdom_read_user_home_content_files(httpd_t)
+')
+
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
+typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
+typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.8.6/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/apcupsd.te 2010-06-21 10:53:58.000000000 -0400
@@ -94,6 +94,10 @@
')
optional_policy(`
+ shutdown_domtrans(apcupsd_t)
+')
+
+optional_policy(`
mta_send_mail(apcupsd_t)
mta_system_content(apcupsd_tmp_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.8.6/policy/modules/services/arpwatch.te
--- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/arpwatch.te 2010-06-21 10:53:58.000000000 -0400
@@ -63,6 +63,7 @@
corenet_udp_sendrecv_all_ports(arpwatch_t)
dev_read_sysfs(arpwatch_t)
+dev_read_usbmon_dev(arpwatch_t)
dev_rw_generic_usb_dev(arpwatch_t)
fs_getattr_all_fs(arpwatch_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.8.6/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/asterisk.te 2010-06-21 10:53:58.000000000 -0400
@@ -99,6 +99,7 @@
corenet_tcp_bind_generic_node(asterisk_t)
corenet_udp_bind_generic_node(asterisk_t)
corenet_tcp_bind_asterisk_port(asterisk_t)
+corenet_tcp_bind_sip_port(asterisk_t)
corenet_udp_bind_asterisk_port(asterisk_t)
corenet_udp_bind_sip_port(asterisk_t)
corenet_sendrecv_asterisk_server_packets(asterisk_t)
@@ -109,6 +110,7 @@
corenet_sendrecv_generic_server_packets(asterisk_t)
corenet_tcp_connect_postgresql_port(asterisk_t)
corenet_tcp_connect_snmp_port(asterisk_t)
+corenet_tcp_connect_sip_port(asterisk_t)
dev_rw_generic_usb_dev(asterisk_t)
dev_read_sysfs(asterisk_t)
@@ -147,6 +149,10 @@
')
optional_policy(`
+ postfix_domtrans_postdrop(asterisk_t)
+')
+
+optional_policy(`
postgresql_stream_connect(asterisk_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.8.6/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/automount.te 2010-06-21 10:53:58.000000000 -0400
@@ -145,6 +145,7 @@
# Run mount in the mount_t domain.
mount_domtrans(automount_t)
+mount_domtrans_showmount(automount_t)
mount_signal(automount_t)
userdom_dontaudit_use_unpriv_user_fds(automount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.8.6/policy/modules/services/avahi.if
--- nsaserefpolicy/policy/modules/services/avahi.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/avahi.if 2010-06-21 10:53:58.000000000 -0400
@@ -90,6 +90,7 @@
class dbus send_msg;
')
+ allow avahi_t $1:file read;
allow $1 avahi_t:dbus send_msg;
allow avahi_t $1:dbus send_msg;
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.8.6/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2010-03-23 10:55:15.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/bind.if 2010-06-25 13:19:23.000000000 -0400
@@ -359,9 +359,9 @@
interface(`bind_admin',`
gen_require(`
type named_t, named_tmp_t, named_log_t;
- type named_conf_t, named_var_lib_t, named_var_run_t;
+ type named_conf_t, named_var_run_t;
type named_cache_t, named_zone_t;
- type dnssec_t, ndc_t;
+ type dnssec_t, ndc_t, named_keytab_t;
type named_initrc_exec_t;
')
@@ -391,8 +391,7 @@
admin_pattern($1, named_zone_t)
admin_pattern($1, dnssec_t)
- files_list_var_lib($1)
- admin_pattern($1, named_var_lib_t)
+ admin_pattern($1, named_keytab_t)
files_list_pids($1)
admin_pattern($1, named_var_run_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.8.6/policy/modules/services/bitlbee.te
--- nsaserefpolicy/policy/modules/services/bitlbee.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/bitlbee.te 2010-06-21 10:53:58.000000000 -0400
@@ -27,6 +27,7 @@
# Local policy
#
#
+allow bitlbee_t self:capability { setgid setuid };
allow bitlbee_t self:udp_socket create_socket_perms;
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
@@ -80,6 +81,10 @@
libs_legacy_use_shared_libs(bitlbee_t)
+auth_use_nsswitch(bitlbee_t)
+
+logging_send_syslog_msg(bitlbee_t)
+
miscfiles_read_localization(bitlbee_t)
sysnet_dns_name_resolve(bitlbee_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.8.6/policy/modules/services/bluetooth.if
--- nsaserefpolicy/policy/modules/services/bluetooth.if 2010-01-07 14:53:53.000000000 -0500
+++ serefpolicy-3.8.6/policy/modules/services/bluetooth.if 2010-06-25 13:21:01.000000000 -0400
@@ -117,6 +117,27 @@
########################################
##
+## dontaudit Send and receive messages from
+## bluetooth over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bluetooth_dontaudit_dbus_chat',`
+ gen_require(`
+ type bluetooth_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 bluetooth_t:dbus send_msg;
+ dontaudit bluetooth_t $1:dbus send_msg;
+')
+
+########################################
+##
## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
##
##
@@ -194,7 +215,7 @@
interface(`bluetooth_admin',`
gen_require(`
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
- type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
+ type bluetooth_var_lib_t, bluetooth_var_run_t;
type bluetooth_conf_t, bluetooth_conf_rw_t;
type bluetooth_initrc_exec_t;
')
@@ -217,9 +238,6 @@
admin_pattern($1, bluetooth_conf_t)
admin_pattern($1, bluetooth_conf_rw_t)
- files_list_spool($1)
- admin_pattern($1, bluetooth_spool_t)
-
files_list_var_lib($1)
admin_pattern($1, bluetooth_var_lib_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.8.6/policy/modules/services/boinc.fc
--- nsaserefpolicy/policy/modules/services/boinc.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.6/policy/modules/services/boinc.fc 2010-06-21 10:53:58.000000000 -0400
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/boinc_client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+
+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
+
+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.if serefpolicy-3.8.6/policy/modules/services/boinc.if
--- nsaserefpolicy/policy/modules/services/boinc.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.6/policy/modules/services/boinc.if 2010-06-25 13:19:35.000000000 -0400
@@ -0,0 +1,151 @@
+
+## policy for boinc
+
+########################################
+##
+## Execute a domain transition to run boinc.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`boinc_domtrans',`
+ gen_require(`
+ type boinc_t, boinc_exec_t;
+ ')
+
+ domtrans_pattern($1, boinc_exec_t, boinc_t)
+')
+
+#######################################
+##
+## Execute boinc server in the boinc domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`boinc_initrc_domtrans',`
+ gen_require(`
+ type boinc_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+')
+
+########################################
+##
+## Search boinc lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_search_lib',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ allow $1 boinc_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read boinc lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_read_lib_files',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## boinc lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_manage_lib_files',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+##
+## Manage boinc var_lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_manage_var_lib',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an boinc environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`boinc_admin',`
+ gen_require(`
+ type boinc_t, boinc_initrc_exec_t;
+ type boinc_var_lib_t;
+ ')
+
+ allow $1 boinc_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, boinc_t, boinc_t)
+
+ boinc_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 boinc_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var_lib($1)
+ admin_pattern($1, boinc_var_lib_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.8.6/policy/modules/services/boinc.te
--- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.6/policy/modules/services/boinc.te 2010-06-28 09:37:14.000000000 -0400
@@ -0,0 +1,94 @@
+policy_module(boinc,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type boinc_t;
+type boinc_exec_t;
+init_daemon_domain(boinc_t, boinc_exec_t)
+
+type boinc_initrc_exec_t;
+init_script_file(boinc_initrc_exec_t)
+
+type boinc_tmp_t;
+files_tmp_file(boinc_tmp_t)
+
+type boinc_tmpfs_t;
+files_tmpfs_file(boinc_tmpfs_t)
+
+type boinc_var_lib_t;
+files_type(boinc_var_lib_t)
+
+########################################
+#
+# boinc local policy
+#
+
+allow boinc_t self:capability { kill };
+allow boinc_t self:process { execmem ptrace setsched signal signull sigstop sigkill };
+
+allow boinc_t self:fifo_file rw_fifo_file_perms;
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
+allow boinc_t self:tcp_socket create_stream_socket_perms;
+allow boinc_t self:sem create_sem_perms;
+allow boinc_t self:shm create_shm_perms;
+
+manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
+manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
+files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+
+manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
+fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t,file)
+
+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+files_var_lib_filetrans(boinc_t, boinc_var_lib_t, { file dir } )
+
+kernel_read_system_state(boinc_t)
+kernel_read_network_state(boinc_t)
+kernel_read_kernel_sysctls(boinc_t)
+kernel_search_vm_sysctl(boinc_t)
+
+corecmd_exec_bin(boinc_t)
+corecmd_exec_shell(boinc_t)
+
+corenet_all_recvfrom_unlabeled(boinc_t)
+corenet_all_recvfrom_netlabel(boinc_t)
+corenet_tcp_sendrecv_generic_if(boinc_t)
+corenet_udp_sendrecv_generic_if(boinc_t)
+corenet_tcp_sendrecv_generic_node(boinc_t)
+corenet_udp_sendrecv_generic_node(boinc_t)
+corenet_tcp_sendrecv_all_ports(boinc_t)
+corenet_udp_sendrecv_all_ports(boinc_t)
+corenet_tcp_bind_generic_node(boinc_t)
+corenet_udp_bind_generic_node(boinc_t)
+corenet_tcp_bind_boinc_port(boinc_t)
+corenet_tcp_connect_boinc_port(boinc_t)
+corenet_tcp_connect_http_port(boinc_t)
+corenet_tcp_connect_http_cache_port(boinc_t)
+
+dev_list_sysfs(boinc_t)
+dev_read_rand(boinc_t)
+dev_read_urand(boinc_t)
+dev_read_sysfs(boinc_t)
+
+domain_read_all_domains_state(boinc_t)
+
+files_read_etc_files(boinc_t)
+files_read_usr_files(boinc_t)
+
+fs_getattr_all_fs(boinc_t)
+
+term_dontaudit_getattr_ptmx(boinc_t)
+
+miscfiles_read_localization(boinc_t)
+miscfiles_read_certs(boinc_t)
+
+logging_send_syslog_msg(boinc_t)
+
+sysnet_dns_name_resolve(boinc_t)
+
+mta_send_mail(boinc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.fc serefpolicy-3.8.6/policy/modules/services/bugzilla.fc
--- nsaserefpolicy/policy/modules/services/bugzilla.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.6/policy/modules/services/bugzilla.fc 2010-06-21 10:53:58.000000000 -0400
@@ -0,0 +1,4 @@
+
+/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.if serefpolicy-3.8.6/policy/modules/services/bugzilla.if
--- nsaserefpolicy/policy/modules/services/bugzilla.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.6/policy/modules/services/bugzilla.if 2010-06-21 10:53:58.000000000 -0400
@@ -0,0 +1,39 @@
+## Bugzilla server
+
+########################################
+##
+## Allow the specified domain to search
+## bugzilla directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bugzilla_search_dirs',`
+ gen_require(`
+ type httpd_bugzilla_content_t;
+ ')
+
+ allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## bugzilla script unix domain stream sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bugzilla_dontaudit_rw_script_stream_sockets',`
+ gen_require(`
+ type httpd_bugzilla_script_t;
+ ')
+
+ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.te serefpolicy-3.8.6/policy/modules/services/bugzilla.te
--- nsaserefpolicy/policy/modules/services/bugzilla.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.6/policy/modules/services/bugzilla.te 2010-06-21 10:53:58.000000000 -0400
@@ -0,0 +1,56 @@
+policy_module(bugzilla, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(bugzilla)
+
+type httpd_bugzilla_tmp_t;
+files_tmp_file(httpd_bugzilla_tmp_t)
+
+########################################
+#
+# bugzilla local policy
+#
+
+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
+
+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+mta_send_mail(httpd_bugzilla_script_t)
+
+sysnet_read_config(httpd_bugzilla_script_t)
+sysnet_use_ldap(httpd_bugzilla_script_t)
+
+optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
+ mysql_stream_connect(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.8.6/policy/modules/services/cachefilesd.fc
--- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.6/policy/modules/services/cachefilesd.fc 2010-06-21 10:53:58.000000000 -0400
@@ -0,0 +1,29 @@
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the contexts to be assigned to various files and directories of
+# importance to the CacheFiles kernel module and userspace management daemon.
+#
+
+# cachefilesd executable will have:
+# label: system_u:object_r:cachefilesd_exec_t
+# MLS sensitivity: s0
+# MCS categories:
+
+/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.8.6/policy/modules/services/cachefilesd.if
--- nsaserefpolicy/policy/modules/services/cachefilesd.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.6/policy/modules/services/cachefilesd.if 2010-06-21 10:53:58.000000000 -0400
@@ -0,0 +1,41 @@
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the policy interface for the CacheFiles userspace management daemon.
+#
+
+## policy for cachefilesd
+
+########################################
+##
+## Execute a domain transition to run cachefilesd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cachefilesd_domtrans',`
+ gen_require(`
+ type cachefilesd_t, cachefilesd_exec_t;
+ ')
+
+ domain_auto_trans($1,cachefilesd_exec_t,cachefilesd_t)
+
+ allow $1 cachefilesd_t:fd use;
+ allow cachefilesd_t $1:fd use;
+ allow cachefilesd_t $1:fifo_file rw_file_perms;
+ allow cachefilesd_t $1:process sigchld;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.8.6/policy/modules/services/cachefilesd.te
--- nsaserefpolicy/policy/modules/services/cachefilesd.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.6/policy/modules/services/cachefilesd.te 2010-06-21 10:53:58.000000000 -0400
@@ -0,0 +1,147 @@
+###############################################################################
+#
+# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# This security policy governs access by the CacheFiles kernel module and
+# userspace management daemon to the files and directories in the on-disk
+# cache, on behalf of the processes accessing the cache through a network
+# filesystem such as NFS
+#
+policy_module(cachefilesd,1.0.17)
+
+###############################################################################
+#
+# Declarations
+#
+require { type kernel_t; }
+
+#
+# Files in the cache are created by the cachefiles module with security ID
+# cachefiles_var_t
+#
+type cachefiles_var_t;
+files_type(cachefiles_var_t)
+
+#
+# The /dev/cachefiles character device has security ID cachefiles_dev_t
+#
+type cachefiles_dev_t;
+dev_node(cachefiles_dev_t)
+
+#
+# The cachefilesd daemon normally runs with security ID cachefilesd_t
+#
+type cachefilesd_t;
+type cachefilesd_exec_t;
+domain_type(cachefilesd_t)
+init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
+
+#
+# The cachefilesd daemon pid file context
+#
+type cachefilesd_var_run_t;
+files_pid_file(cachefilesd_var_run_t)
+
+#
+# The CacheFiles kernel module causes processes accessing the cache files to do
+# so acting as security ID cachefiles_kernel_t
+#
+type cachefiles_kernel_t;
+domain_type(cachefiles_kernel_t)
+domain_obj_id_change_exemption(cachefiles_kernel_t)
+role system_r types cachefiles_kernel_t;
+
+###############################################################################
+#
+# Permit RPM to deal with files in the cache
+#
+rpm_use_script_fds(cachefilesd_t)
+
+###############################################################################
+#
+# cachefilesd local policy
+#
+# These define what cachefilesd is permitted to do. This doesn't include very
+# much: startup stuff, logging, pid file, scanning the cache superstructure and
+# deleting files from the cache. It is not permitted to read/write files in
+# the cache.
+#
+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
+# rules.
+#
+allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override };
+
+# Basic access
+files_read_etc_files(cachefilesd_t)
+libs_use_ld_so(cachefilesd_t)
+libs_use_shared_libs(cachefilesd_t)
+miscfiles_read_localization(cachefilesd_t)
+logging_send_syslog_msg(cachefilesd_t)
+init_dontaudit_use_script_ptys(cachefilesd_t)
+term_dontaudit_use_generic_ptys(cachefilesd_t)
+term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
+
+# Allow manipulation of pid file
+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
+manage_files_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
+manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
+files_pid_file(cachefilesd_var_run_t)
+files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file)
+files_create_as_is_all_files(cachefilesd_t)
+
+# Allow access to cachefiles device file
+allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms;
+
+# Allow access to cache superstructure
+allow cachefilesd_t cachefiles_var_t : dir { rw_dir_perms rmdir };
+allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink };
+
+# Permit statfs on the backing filesystem
+fs_getattr_xattr_fs(cachefilesd_t)
+
+###############################################################################
+#
+# When cachefilesd invokes the kernel module to begin caching, it has to tell
+# the kernel module the security context in which it should act, and this
+# policy has to approve that.
+#
+# There are two parts to this:
+#
+# (1) the security context used by the module to access files in the cache,
+# as set by the 'secctx' command in /etc/cachefilesd.conf, and
+#
+allow cachefilesd_t cachefiles_kernel_t : kernel_service { use_as_override };
+
+#
+# (2) the label that will be assigned to new files and directories created in
+# the cache by the module, which will be the same as the label on the
+# directory pointed to by the 'dir' command.
+#
+allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as };
+
+###############################################################################
+#
+# cachefiles kernel module local policy
+#
+# This governs what the kernel module is allowed to do the contents of the
+# cache.
+#
+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
+allow cachefiles_kernel_t initrc_t:process sigchld;
+
+manage_dirs_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
+
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.8.6/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/ccs.te 2010-06-21 10:53:58.000000000 -0400
@@ -118,5 +118,10 @@
')
optional_policy(`
+ qpidd_rw_semaphores(ccs_t)
+ qpidd_rw_shm(ccs_t)
+')
+
+optional_policy(`
unconfined_use_fds(ccs_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.8.6/policy/modules/services/certmaster.if
--- nsaserefpolicy/policy/modules/services/certmaster.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/certmaster.if 2010-06-22 15:20:41.000000000 -0400
@@ -18,6 +18,25 @@
domtrans_pattern($1, certmaster_exec_t, certmaster_t)
')
+####################################
+##
+## Execute certmaster.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_exec',`
+ gen_require(`
+ type certmaster_exec_t;
+ ')
+
+ can_exec($1, certmaster_exec_t)
+ corecmd_search_bin($1)
+')
+
#######################################
##
## read certmaster logs.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.8.6/policy/modules/services/certmonger.if
--- nsaserefpolicy/policy/modules/services/certmonger.if 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/certmonger.if 2010-06-25 13:17:18.000000000 -0400
@@ -167,8 +167,8 @@
allow $2 system_r;
files_search_var_lib($1)
- admin_pattern($1, cermonger_var_lib_t)
+ admin_pattern($1, certmonger_var_lib_t)
files_search_pids($1)
- admin_pattern($1, cermonger_var_run_t)
+ admin_pattern($1, certmonger_var_run_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.8.6/policy/modules/services/certmonger.te
--- nsaserefpolicy/policy/modules/services/certmonger.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/certmonger.te 2010-06-21 10:53:58.000000000 -0400
@@ -68,5 +68,5 @@
')
optional_policy(`
- unconfined_dbus_send(certmonger_t)
+ pcscd_stream_connect(certmonger_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.8.6/policy/modules/services/cgroup.if
--- nsaserefpolicy/policy/modules/services/cgroup.if 2010-06-08 10:35:48.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/cgroup.if 2010-06-25 13:20:49.000000000 -0400
@@ -121,7 +121,6 @@
gen_require(`
type cgred_t, cgconfig_t, cgred_var_run_t;
type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
- type cgred_etc_t;
')
allow $1 cgconfig_t:process { ptrace signal_perms getattr };
@@ -131,7 +130,6 @@
read_files_pattern($1, cgred_t, cgred_t)
admin_pattern($1, cgconfig_etc_t)
- admin_pattern($1, cgred_etc_t)
files_search_etc($1)
admin_pattern($1, cgred_var_run_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.8.6/policy/modules/services/cgroup.te
--- nsaserefpolicy/policy/modules/services/cgroup.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/cgroup.te 2010-06-21 10:53:58.000000000 -0400
@@ -18,8 +18,8 @@
type cgrules_etc_t;
files_config_file(cgrules_etc_t)
-type cgconfig_t;
-type cgconfig_exec_t;
+type cgconfig_t alias cgconfigparser_t;
+type cgconfig_exec_t alias cgconfigparser_exec_t;
init_daemon_domain(cgconfig_t, cgconfig_exec_t)
type cgconfig_initrc_exec_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.8.6/policy/modules/services/chronyd.if
--- nsaserefpolicy/policy/modules/services/chronyd.if 2010-03-29 15:04:22.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/chronyd.if 2010-06-25 13:20:28.000000000 -0400
@@ -19,6 +19,24 @@
domtrans_pattern($1, chronyd_exec_t, chronyd_t)
')
+########################################
+##
+## Execute chronyd server in the chronyd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_initrc_domtrans',`
+ gen_require(`
+ type chronyd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
+')
+
####################################
##
## Execute chronyd
@@ -56,6 +74,64 @@
read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
')
+########################################
+##
+## Read and write chronyd shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_rw_shm',`
+ gen_require(`
+ type chronyd_t, chronyd_tmpfs_t;
+ ')
+
+ allow $1 chronyd_t:shm rw_shm_perms;
+ allow $1 chronyd_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
+ read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+##
+## Read chronyd keys files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_read_keys',`
+ gen_require(`
+ type chronyd_keys_t;
+ ')
+
+ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
+########################################
+##
+## Append chronyd keys files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_append_keys',`
+ gen_require(`
+ type chronyd_keys_t;
+ ')
+
+ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
####################################
##
## All of the rules required to administrate
@@ -77,6 +153,7 @@
gen_require(`
type chronyd_t, chronyd_var_log_t;
type chronyd_var_run_t, chronyd_var_lib_t;
+ type chronyd_tmpfs_t;
type chronyd_initrc_exec_t, chronyd_keys_t;
')
@@ -100,6 +177,5 @@
files_search_pids($1)
admin_pattern($1, chronyd_var_run_t)
- files_search_tmp($1)
- admin_pattern($1, chronyd_tmp_t)
+ admin_pattern($1, chronyd_tmpfs_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.8.6/policy/modules/services/chronyd.te
--- nsaserefpolicy/policy/modules/services/chronyd.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/chronyd.te 2010-06-21 10:53:58.000000000 -0400
@@ -15,6 +15,9 @@
type chronyd_keys_t;
files_type(chronyd_keys_t)
+type chronyd_tmpfs_t;
+files_tmpfs_file(chronyd_tmpfs_t)
+
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
@@ -37,6 +40,10 @@
allow chronyd_t chronyd_keys_t:file read_file_perms;
+manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
+
manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
@@ -50,6 +57,7 @@
manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
+corenet_udp_bind_generic_node(chronyd_t)
corenet_udp_bind_ntp_port(chronyd_t)
# bind to udp/323
corenet_udp_bind_chronyd_port(chronyd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.8.6/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/clamav.te 2010-06-21 10:53:58.000000000 -0400
@@ -92,7 +92,7 @@
manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
-files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir })
+files_pid_filetrans(clamd_t, clamd_var_run_t, { sock_file file dir })
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
@@ -184,6 +184,7 @@
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
+corenet_tcp_connect_clamd_port(freshclam_t)
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
@@ -202,6 +203,8 @@
clamav_stream_connect(freshclam_t)
+userdom_stream_connect(freshclam_t)
+
optional_policy(`
cron_system_entry(freshclam_t, freshclam_exec_t)
')
@@ -257,8 +260,10 @@
tunable_policy(`clamd_use_jit',`
allow clamd_t self:process execmem;
+ allow clamscan_t self:process execmem;
', `
dontaudit clamd_t self:process execmem;
+ dontaudit clamscan_t self:process execmem;
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.fc serefpolicy-3.8.6/policy/modules/services/cmirrord.fc
--- nsaserefpolicy/policy/modules/services/cmirrord.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.6/policy/modules/services/cmirrord.fc 2010-06-21 10:53:58.000000000 -0400
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
+
+/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
+
+/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.if serefpolicy-3.8.6/policy/modules/services/cmirrord.if
--- nsaserefpolicy/policy/modules/services/cmirrord.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.6/policy/modules/services/cmirrord.if 2010-06-21 10:53:58.000000000 -0400
@@ -0,0 +1,118 @@
+
+## policy for cmirrord
+
+########################################
+##
+## Execute a domain transition to run cmirrord.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cmirrord_domtrans',`
+ gen_require(`
+ type cmirrord_t, cmirrord_exec_t;
+ ')
+
+ domtrans_pattern($1, cmirrord_exec_t, cmirrord_t)
+')
+
+########################################
+##
+## Execute cmirrord server in the cmirrord domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cmirrord_initrc_domtrans',`
+ gen_require(`
+ type cmirrord_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cmirrord_initrc_exec_t)
+')
+
+########################################
+##
+## Read cmirrord PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cmirrord_read_pid_files',`
+ gen_require(`
+ type cmirrord_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 cmirrord_var_run_t:file read_file_perms;
+')
+
+#######################################
+##
+## Read and write to cmirrord shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cmirrord_rw_shm',`
+ gen_require(`
+ type cmirrord_t;
+ type cmirrord_tmpfs_t;
+ ')
+
+ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
+ allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an cmirrord environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`cmirrord_admin',`
+ gen_require(`
+ type cmirrord_t;
+ type cmirrord_initrc_exec_t;
+ type cmirrord_var_run_t;
+ ')
+
+ allow $1 cmirrord_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cmirrord_t)
+
+ cmirrord_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cmirrord_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_pids($1)
+ admin_pattern($1, cmirrord_var_run_t)
+
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.te serefpolicy-3.8.6/policy/modules/services/cmirrord.te
--- nsaserefpolicy/policy/modules/services/cmirrord.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.6/policy/modules/services/cmirrord.te 2010-06-21 10:53:58.000000000 -0400
@@ -0,0 +1,56 @@
+policy_module(cmirrord,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cmirrord_t;
+type cmirrord_exec_t;
+init_daemon_domain(cmirrord_t, cmirrord_exec_t)
+
+permissive cmirrord_t;
+
+type cmirrord_initrc_exec_t;
+init_script_file(cmirrord_initrc_exec_t)
+
+type cmirrord_tmpfs_t;
+files_tmpfs_file(cmirrord_tmpfs_t)
+
+type cmirrord_var_run_t;
+files_pid_file(cmirrord_var_run_t)
+
+########################################
+#
+# cmirrord local policy
+#
+
+allow cmirrord_t self:capability { net_admin kill };
+allow cmirrord_t self:process signal;
+
+allow cmirrord_t self:fifo_file rw_fifo_file_perms;
+
+allow cmirrord_t self:sem create_sem_perms;
+allow cmirrord_t self:shm create_shm_perms;
+allow cmirrord_t self:netlink_socket create_socket_perms;
+allow cmirrord_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file })
+
+manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
+manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
+files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, { file })
+
+domain_use_interactive_fds(cmirrord_t)
+
+files_read_etc_files(cmirrord_t)
+
+logging_send_syslog_msg(cmirrord_t)
+
+miscfiles_read_localization(cmirrord_t)
+
+optional_policy(`
+ corosync_stream_connect(cmirrord_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.8.6/policy/modules/services/cobbler.fc
--- nsaserefpolicy/policy/modules/services/cobbler.fc 2010-02-12 10:33:09.000000000 -0500
+++ serefpolicy-3.8.6/policy/modules/services/cobbler.fc 2010-06-22 15:20:41.000000000 -0400
@@ -1,7 +1,32 @@
-/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
-/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
-/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
+/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0)
+
+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0)
+
+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
+
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
+
+/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
+/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
+/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_content_t,s0)
+/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_content_t,s0)
+/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
+/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_content_t,s0)
+/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
+/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
+/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_content_t,s0)
+
+/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0)
+
+# This should removable when cobbler package installs /var/www/cobbler/rendered
+/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0)
+
+/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
+/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
+/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
+/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
+/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
+/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
+/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
-/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
-/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.8.6/policy/modules/services/cobbler.if
--- nsaserefpolicy/policy/modules/services/cobbler.if 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/cobbler.if 2010-06-22 15:20:41.000000000 -0400
@@ -1,14 +1,4 @@
## Cobbler installation server.
-##
-##
-## Cobbler is a Linux installation server that allows for
-## rapid setup of network installation environments. It
-## glues together and automates many associated Linux
-## tasks so you do not have to hop between lots of various
-## commands and applications when rolling out new systems,
-## and, in some cases, changing existing ones.
-##
-##
########################################
##
@@ -26,6 +16,7 @@
')
domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
+ corecmd_search_bin($1)
')
########################################
@@ -34,7 +25,7 @@
##
##
##
-## The type of the process performing this action.
+## Domain allowed to transition.
##
##
#
@@ -48,7 +39,7 @@
########################################
##
-## Read Cobbler content in /etc
+## List Cobbler configuration.
##
##
##
@@ -56,19 +47,18 @@
##
##
#
-interface(`cobbler_read_config',`
+interface(`cobbler_list_config',`
gen_require(`
type cobbler_etc_t;
')
- read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);
+ list_dirs_pattern($1, cobbler_content_t, cobbler_content_t)
files_search_etc($1)
')
########################################
##
-## Do not audit attempts to read and write
-## Cobbler log files (leaked fd).
+## Read Cobbler configuration files.
##
##
##
@@ -76,17 +66,18 @@
##
##
#
-interface(`cobbler_dontaudit_rw_log',`
+interface(`cobbler_read_config',`
gen_require(`
- type cobbler_var_log_t;
+ type cobbler_etc_t;
')
- dontaudit $1 cobbler_var_log_t:file rw_file_perms;
+ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
+ files_search_etc($1)
')
########################################
##
-## Search cobbler dirs in /var/lib
+## Manage cobbler content.
##
##
##
@@ -94,18 +85,20 @@
##
##
#
-interface(`cobbler_search_lib',`
+interface(`cobbler_manage_content',`
gen_require(`
- type cobbler_var_lib_t;
+ type cobbler_content_t;
')
- search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_dirs_pattern($1, cobbler_content_t, cobbler_content_t)
+ manage_files_pattern($1, cobbler_content_t, cobbler_content_t)
+ manage_lnk_files_pattern($1, cobbler_content_t, cobbler_content_t)
files_search_var_lib($1)
')
########################################
##
-## Read cobbler files in /var/lib
+## Read cobbler content.
##
##
##
@@ -113,18 +106,19 @@
##
##
#
-interface(`cobbler_read_lib_files',`
+interface(`cobbler_read_content',`
gen_require(`
- type cobbler_var_lib_t;
+ type cobbler_content_t;
')
- read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ read_files_pattern($1, cobbler_content_t, cobbler_content_t)
+ read_lnk_files_pattern($1, cobbler_content_t, cobbler_content_t)
files_search_var_lib($1)
')
########################################
##
-## Manage cobbler files in /var/lib
+## Search cobbler content.
##
##
##
@@ -132,17 +126,56 @@
##
##
#
-interface(`cobbler_manage_lib_files',`
+interface(`cobbler_search_content',`
gen_require(`
- type cobbler_var_lib_t;
+ type cobbler_content_t;
')
- manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ search_dirs_pattern($1, cobbler_content_t, cobbler_content_t)
+ read_lnk_files_pattern($1, cobbler_content_t, cobbler_content_t)
files_search_var_lib($1)
')
########################################
##
+## Read and write Cobbler log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cobbler_rw_log',`
+ gen_require(`
+ type cobbler_var_log_t;
+ ')
+
+ rw_files_pattern($1, cobbler_var_log_t, cobbler_var_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## Cobbler log files (leaked fd).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cobbler_dontaudit_rw_log',`
+ gen_require(`
+ type cobbler_var_log_t;
+ ')
+
+ dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;
+')
+
+########################################
+##
## All of the rules required to administrate
## an cobblerd environment
##
@@ -160,26 +193,44 @@
#
interface(`cobblerd_admin',`
gen_require(`
- type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
- type cobbler_etc_t, cobblerd_initrc_exec_t;
+ type cobblerd_t, cobbler_var_log_t;
+ type cobbler_etc_t, cobblerd_initrc_exec_t, cobbler_content_t;
')
allow $1 cobblerd_t:process { ptrace signal_perms getattr };
read_files_pattern($1, cobblerd_t, cobblerd_t)
- files_search_etc($1)
+ cobblerd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cobblerd_initrc_exec_t system_r;
+ allow $2 system_r;
+
admin_pattern($1, cobbler_etc_t)
+ files_search_etc($1)
+ admin_pattern($1, cobbler_content_t)
files_list_var_lib($1)
- admin_pattern($1, cobbler_var_lib_t)
- logging_search_logs($1)
admin_pattern($1, cobbler_var_log_t)
+ logging_search_logs($1)
- admin_pattern($1, httpd_cobbler_content_rw_t)
+ # below may want to be removed.
+ tunable_policy(`cobbler_anon_write',`
+ miscfiles_manage_public_files($1)
+ ')
- cobblerd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 cobblerd_initrc_exec_t system_r;
- allow $2 system_r;
+ optional_policy(`
+ gen_require(`
+ type httpd_cobbler_content_t;
+ ')
+
+ # manage /var/www/cobbler
+ admin_pattern($1, httpd_cobbler_content_t)
+ apache_search_sys_content($1)
+ ')
+
+ optional_policy(`
+ # traverse /var/lib/tftpdir to get to cobbler_content_t there.
+ tftp_search_rw_content($1)
+ ')
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.8.6/policy/modules/services/cobbler.te
--- nsaserefpolicy/policy/modules/services/cobbler.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/cobbler.te 2010-06-25 17:37:55.000000000 -0400
@@ -1,3 +1,4 @@
+
policy_module(cobbler, 1.1.0)
########################################
@@ -7,11 +8,33 @@
##
##
-## Allow Cobbler to modify public files
-## used for public file transfer services.
+## Allow Cobbler to modify public files
+## used for public file transfer services.
##
##
gen_tunable(cobbler_anon_write, false)
+
+##
+##
+## Allow Cobbler to connect to the
+## network using TCP.
+##
+##
+gen_tunable(cobbler_can_network_connect, false)
+
+##
+##
+## Allow Cobbler to access cifs file systems.
+##
+##
+gen_tunable(cobbler_use_cifs, false)
+
+##
+##
+## Allow Cobbler to access nfs file systems.
+##
+##
+gen_tunable(cobbler_use_nfs, false)
type cobblerd_t;
type cobblerd_exec_t;
@@ -23,28 +46,45 @@
type cobbler_etc_t;
files_config_file(cobbler_etc_t)
+type cobbler_content_t;
+typealias cobbler_content_t alias cobbler_var_lib_t;
+files_type(cobbler_content_t)
+
type cobbler_var_log_t;
logging_log_file(cobbler_var_log_t)
-type cobbler_var_lib_t;
-files_type(cobbler_var_lib_t)
+type cobbler_tmp_t;
+files_tmp_file(cobbler_tmp_t)
+
+# Cobbler check is not supported and is silently ignored.
########################################
#
-# Cobbler personal policy.
+# Cobbler local policy.
#
-allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
+allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
+dontaudit cobblerd_t self:capability { sys_ptrace sys_tty_config };
+
allow cobblerd_t self:process { getsched setsched signal };
allow cobblerd_t self:fifo_file rw_fifo_file_perms;
+allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms;
allow cobblerd_t self:tcp_socket create_stream_socket_perms;
+allow cobblerd_t self:udp_socket create_stream_socket_perms;
list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
-manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
-manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
-files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
+# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_content_t dir to httpd_sys_content_t.
+dontaudit cobblerd_t cobbler_content_t:dir relabel_dir_perms;
+
+manage_dirs_pattern(cobblerd_t, cobbler_content_t, cobbler_content_t)
+manage_files_pattern(cobblerd_t, cobbler_content_t, cobbler_content_t)
+manage_lnk_files_pattern(cobblerd_t, cobbler_content_t, cobbler_content_t)
+files_var_lib_filetrans(cobblerd_t, cobbler_content_t, { dir file lnk_file })
+
+# Something really needs to write to cobbler.log. Ideally this should not be happening.
+allow cobblerd_t cobbler_var_log_t:file write;
append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
@@ -52,39 +92,92 @@
setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
+manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
+manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
+files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file })
+
kernel_read_system_state(cobblerd_t)
+kernel_dontaudit_search_network_state(cobblerd_t)
corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
corenet_all_recvfrom_netlabel(cobblerd_t)
corenet_all_recvfrom_unlabeled(cobblerd_t)
-corenet_sendrecv_cobbler_server_packets(cobblerd_t)
-corenet_tcp_bind_cobbler_port(cobblerd_t)
corenet_tcp_bind_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_if(cobblerd_t)
corenet_tcp_sendrecv_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_port(cobblerd_t)
+corenet_tcp_bind_cobbler_port(cobblerd_t)
+corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
+corenet_sendrecv_cobbler_server_packets(cobblerd_t)
+# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect.
+corenet_tcp_connect_ftp_port(cobblerd_t)
+corenet_tcp_sendrecv_ftp_port(cobblerd_t)
+corenet_sendrecv_ftp_client_packets(cobblerd_t)
+corenet_tcp_connect_http_port(cobblerd_t)
+corenet_tcp_sendrecv_http_port(cobblerd_t)
+corenet_sendrecv_http_client_packets(cobblerd_t)
dev_read_urand(cobblerd_t)
+domain_dontaudit_exec_all_entry_files(cobblerd_t)
+domain_dontaudit_read_all_domains_state(cobblerd_t)
+
+files_read_etc_files(cobblerd_t)
+# mtab
+files_read_etc_runtime_files(cobblerd_t)
files_read_usr_files(cobblerd_t)
files_list_boot(cobblerd_t)
files_list_tmp(cobblerd_t)
-# read /etc/nsswitch.conf
-files_read_etc_files(cobblerd_t)
+
+# read from mounted images (install media)
+fs_read_iso9660_files(cobblerd_t)
+
+init_dontaudit_read_all_script_files(cobblerd_t)
+
+term_dontaudit_use_console(cobblerd_t)
miscfiles_read_localization(cobblerd_t)
miscfiles_read_public_files(cobblerd_t)
+selinux_dontaudit_read_fs(cobblerd_t)
+
sysnet_read_config(cobblerd_t)
sysnet_rw_dhcp_config(cobblerd_t)
sysnet_write_config(cobblerd_t)
+userdom_dontaudit_use_user_terminals(cobblerd_t)
+userdom_dontaudit_search_user_home_dirs(cobblerd_t)
+userdom_dontaudit_search_admin_dir(cobblerd_t)
+
tunable_policy(`cobbler_anon_write',`
miscfiles_manage_public_files(cobblerd_t)
')
+tunable_policy(`cobbler_can_network_connect',`
+ corenet_tcp_connect_all_ports(cobblerd_t)
+ corenet_tcp_sendrecv_all_ports(cobblerd_t)
+ corenet_sendrecv_all_client_packets(cobblerd_t)
+')
+
+tunable_policy(`cobbler_use_cifs',`
+ fs_manage_cifs_dirs(cobblerd_t)
+ fs_manage_cifs_files(cobblerd_t)
+ fs_manage_cifs_symlinks(cobblerd_t)
+')
+
+tunable_policy(`cobbler_use_nfs',`
+ fs_manage_nfs_dirs(cobblerd_t)
+ fs_manage_nfs_files(cobblerd_t)
+ fs_manage_nfs_symlinks(cobblerd_t)
+')
+
+optional_policy(`
+ # Cobbler traverses /var/www to get to /var/www/cobbler/*
+ apache_search_sys_content(cobblerd_t)
+')
+
optional_policy(`
bind_read_config(cobblerd_t)
bind_write_config(cobblerd_t)
@@ -95,6 +188,10 @@
')
optional_policy(`
+ certmaster_exec(cobblerd_t)
+')
+
+optional_policy(`
dhcpd_domtrans(cobblerd_t)
dhcpd_initrc_domtrans(cobblerd_t)
')
@@ -110,12 +207,20 @@
')
optional_policy(`
- rsync_read_config(cobblerd_t)
- rsync_write_config(cobblerd_t)
+ rsync_exec(cobblerd_t)
+ rsync_manage_config(cobblerd_t)
+ # cobbler creates /etc/rsync.conf if its not there.
+ rsync_filetrans_config(cobblerd_t, file)
')
optional_policy(`
- tftp_manage_rw_content(cobblerd_t)
+ # Cobbler puts objects in both /var/lib/tftpdir as well as /var/lib/tftpdir/images.
+ # tftp_manage_rw_content(cobblerd_t) can be used instead if:
+ # 1. cobbler package installs /var/lib/tftpdir/images.
+ # 2. no FILES in /var/lib/TFTPDIR are hard linked.
+ # Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg)
+ # are any of those hard linked?
+ tftp_filetrans_tftpdir(cobblerd_t, cobbler_content_t, { dir file })
')
########################################
@@ -123,6 +228,18 @@
# Cobbler web local policy.
#
-apache_content_template(cobbler)
-manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
-manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+# This should be removable when cobbler package installs /var/www/cobbler/rendered.
+optional_policy(`
+ gen_require(`
+ attribute httpdcontent;
+ ')
+
+ apache_content_template(cobbler)
+ # To filetrans the /var/www/cobbler/rendered directory to cobbler_content_t.
+ # I added "file" to it for now because fenris02 reported that cobbler buildiso tried to create a file with type
+ # httpd_cobbler_content_t and i do not know where exaclty. Google reports it should be /var/www/cobbler/pub but
+ # that directory should have been labeled cobbler_content_t.
+ filetrans_pattern(cobblerd_t, httpd_cobbler_content_t, cobbler_content_t, { dir file })
+ # Something that runs in the cobberd_t domain tries to relabelfrom cobbler_content_t dir to httpd_sys_content_t.
+ dontaudit cobblerd_t httpdcontent:dir relabel_dir_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.8.6/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/consolekit.te 2010-06-21 10:53:58.000000000 -0400
@@ -15,6 +15,9 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
+type consolekit_tmpfs_t;
+files_tmpfs_file(consolekit_tmpfs_t)
+
########################################
#
# consolekit local policy
@@ -69,7 +72,10 @@
miscfiles_read_localization(consolekit_t)
+# consolekit needs to be able to ptrace all logged in users
+userdom_ptrace_all_users(consolekit_t)
userdom_dontaudit_read_user_home_content_files(consolekit_t)
+userdom_dontaudit_getattr_admin_home_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)
hal_ptrace(consolekit_t)
@@ -83,6 +89,10 @@
')
optional_policy(`
+ cron_read_system_job_lib_files(consolekit_t)
+')
+
+optional_policy(`
dbus_system_domain(consolekit_t, consolekit_exec_t)
optional_policy(`
@@ -99,16 +109,21 @@
')
optional_policy(`
- policykit_dbus_chat(consolekit_t)
+ networkmanager_append_log(consolekit_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(consolekit_t)
policykit_domtrans_auth(consolekit_t)
policykit_read_lib(consolekit_t)
policykit_read_reload(consolekit_t)
')
optional_policy(`
- type consolekit_tmpfs_t;
- files_tmpfs_file(consolekit_tmpfs_t)
+ shutdown_domtrans(consolekit_t)
+')
+optional_policy(`
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
xserver_non_drawing_client(consolekit_t)
@@ -125,5 +140,6 @@
optional_policy(`
#reading .Xauthity
+ unconfined_ptrace(consolekit_t)
unconfined_stream_connect(consolekit_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.8.6/policy/modules/services/corosync.fc
--- nsaserefpolicy/policy/modules/services/corosync.fc 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/corosync.fc 2010-06-21 10:53:58.000000000 -0400
@@ -3,6 +3,7 @@
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.8.6/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/corosync.te 2010-06-21 10:53:58.000000000 -0400
@@ -32,8 +32,8 @@
# corosync local policy
#
-allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
-allow corosync_t self:process { setrlimit setsched signal };
+allow corosync_t self:capability { dac_override sys_nice sys_ptrace sys_resource ipc_lock };
+allow corosync_t self:process { setrlimit setsched signal signull };
allow corosync_t self:fifo_file rw_fifo_file_perms;
allow corosync_t self:sem create_sem_perms;
@@ -41,6 +41,8 @@
allow corosync_t self:unix_dgram_socket create_socket_perms;
allow corosync_t self:udp_socket create_socket_perms;
+can_exec(corosync_t, corosync_exec_t)
+
manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
@@ -63,8 +65,10 @@
files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
kernel_read_system_state(corosync_t)
+kernel_read_network_state(corosync_t)
corecmd_exec_bin(corosync_t)
+corecmd_exec_shell(corosync_t)
corenet_udp_bind_netsupport_port(corosync_t)
@@ -73,6 +77,7 @@
domain_read_all_domains_state(corosync_t)
files_manage_mounttab(corosync_t)
+files_read_usr_files(corosync_t)
auth_use_nsswitch(corosync_t)
@@ -83,6 +88,7 @@
miscfiles_read_localization(corosync_t)
+userdom_delete_user_tmpfs_files(corosync_t)
userdom_rw_user_tmpfs_files(corosync_t)
optional_policy(`
@@ -90,12 +96,13 @@
')
optional_policy(`
- # to communication with RHCS
- rhcs_rw_dlm_controld_semaphores(corosync_t)
-
- rhcs_rw_fenced_semaphores(corosync_t)
+ cmirrord_rw_shm(corosync_t)
+')
- rhcs_rw_gfs_controld_semaphores(corosync_t)
+optional_policy(`
+ # to communication with RHCS
+ rhcs_rw_cluster_shm(corosync_t)
+ rhcs_rw_cluster_semaphores(corosync_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.8.6/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/cron.fc 2010-06-21 10:53:58.000000000 -0400
@@ -14,7 +14,7 @@
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -45,3 +45,7 @@
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.8.6/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/cron.if 2010-06-21 10:53:58.000000000 -0400
@@ -12,6 +12,10 @@
##
#
template(`cron_common_crontab_template',`
+ gen_require(`
+ type crond_t, crond_var_run_t;
+ ')
+
##############################
#
# Declarations
@@ -34,8 +38,12 @@
allow $1_t self:process { setsched signal_perms };
allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t $1_tmp_t:file manage_file_perms;
- files_tmp_filetrans($1_t, $1_tmp_t, file)
+ allow $1_t crond_t:process signal;
+ allow $1_t crond_var_run_t:file read_file_perms;
+
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
# create files in /var/spool/cron
manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
@@ -62,6 +70,7 @@
logging_send_syslog_msg($1_t)
logging_send_audit_msgs($1_t)
+ logging_set_loginuid($1_t)
init_dontaudit_write_utmp($1_t)
init_read_utmp($1_t)
@@ -154,27 +163,14 @@
#
interface(`cron_unconfined_role',`
gen_require(`
- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
+ type unconfined_cronjob_t;
')
- role $1 types { unconfined_cronjob_t crontab_t };
+ role $1 types unconfined_cronjob_t;
# cronjob shows up in user ps
ps_process_pattern($2, unconfined_cronjob_t)
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, crontab_exec_t, crontab_t)
-
- # crontab shows up in user ps
- ps_process_pattern($2, crontab_t)
- allow $2 crontab_t:process signal;
-
- # Run helper programs as the user domain
- #corecmd_bin_domtrans(crontab_t, $2)
- #corecmd_shell_domtrans(crontab_t, $2)
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
-
optional_policy(`
gen_require(`
class dbus send_msg;
@@ -408,7 +404,43 @@
type crond_t;
')
- allow $1 crond_t:fifo_file { getattr read write };
+ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+##
+## Read and write inherited user spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_rw_inherited_user_spool_files',`
+ gen_require(`
+ type user_cron_spool_t;
+ ')
+
+ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
+')
+
+########################################
+##
+## Read and write inherited spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_rw_inherited_spool_files',`
+ gen_require(`
+ type cron_spool_t;
+ ')
+
+ allow $1 cron_spool_t:file rw_inherited_file_perms;
')
########################################
@@ -554,7 +586,7 @@
type system_cronjob_t;
')
- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
@@ -587,11 +619,14 @@
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
- type system_cronjob_tmp_t;
+ type system_cronjob_tmp_t, cron_var_run_t;
')
files_search_tmp($1)
allow $1 system_cronjob_tmp_t:file read_file_perms;
+
+ files_search_pids($1)
+ allow $1 cron_var_run_t:file read_file_perms;
')
########################################
@@ -627,7 +662,48 @@
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
+ type cron_var_run_t;
+ type system_cronjob_var_run_t;
')
dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+ dontaudit $1 cron_var_run_t:file write_file_perms;
+')
+
+########################################
+##
+## Read temporary files from the system cron jobs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_read_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+
+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+########################################
+##
+## Manage files from the system cron jobs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_manage_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.8.6/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/cron.te 2010-06-21 10:53:58.000000000 -0400
@@ -63,9 +63,12 @@
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
+files_poly_parent(crond_tmp_t)
+mta_system_content(crond_tmp_t)
type crond_var_run_t;
files_pid_file(crond_var_run_t)
+mta_system_content(crond_var_run_t)
type crontab_exec_t;
application_executable_file(crontab_exec_t)
@@ -79,6 +82,7 @@
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+allow admin_crontab_t crond_t:process signal;
type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t)
@@ -87,6 +91,7 @@
init_daemon_domain(system_cronjob_t, anacron_exec_t)
corecmd_shell_entry_type(system_cronjob_t)
role system_r types system_cronjob_t;
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
@@ -108,6 +113,14 @@
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
files_type(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
+mta_system_content(user_cron_spool_t)
+
+type system_cronjob_var_lib_t;
+files_type(system_cronjob_var_lib_t)
+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
+
+type system_cronjob_var_run_t;
+files_pid_file(system_cronjob_var_run_t)
########################################
#
@@ -138,7 +151,7 @@
allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
-allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
@@ -193,6 +206,8 @@
corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
+domain_subj_id_change_exemption(crond_t)
+domain_role_change_exemption(crond_t)
files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
@@ -208,7 +223,9 @@
auth_use_nsswitch(crond_t)
+logging_send_audit_msgs(crond_t)
logging_send_syslog_msg(crond_t)
+logging_set_loginuid(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
@@ -219,8 +236,10 @@
userdom_use_unpriv_users_fds(crond_t)
# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
+userdom_create_all_users_keys(crond_t)
mta_send_mail(crond_t)
+mta_system_content(cron_spool_t)
ifdef(`distro_debian',`
# pam_limits is used
@@ -240,8 +259,17 @@
')
')
-tunable_policy(`fcron_crond', `
- allow crond_t system_cron_spool_t:file manage_file_perms;
+tunable_policy(`allow_polyinstantiation',`
+ files_polyinstantiate_all(crond_t)
+')
+
+optional_policy(`
+ apache_search_sys_content(crond_t)
+')
+
+optional_policy(`
+ djbdns_search_tinydns_keys(crond_t)
+ djbdns_link_tinydns_keys(crond_t)
')
optional_policy(`
@@ -250,6 +278,20 @@
')
optional_policy(`
+ # these should probably be unconfined_crond_t
+ dbus_system_bus_client(crond_t)
+ init_dbus_send_script(crond_t)
+')
+
+optional_policy(`
+ mono_domtrans(crond_t)
+')
+
+tunable_policy(`fcron_crond', `
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+')
+
+optional_policy(`
amanda_search_var_lib(crond_t)
')
@@ -259,6 +301,8 @@
optional_policy(`
hal_dbus_chat(crond_t)
+ hal_write_log(crond_t)
+ hal_dbus_chat(system_cronjob_t)
')
optional_policy(`
@@ -290,6 +334,8 @@
#
allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+dontaudit system_cronjob_t self:capability sys_ptrace;
+
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
@@ -301,10 +347,17 @@
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
-allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
+allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabelfrom relabelto };
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
+allow system_cronjob_t cron_var_run_t:file manage_file_perms;
+files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
+
allow system_cronjob_t system_cron_spool_t:file read_file_perms;
+
+# anacron forces the following
+manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
+
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
@@ -324,6 +377,7 @@
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
+allow crond_t system_cronjob_t:key manage_key_perms;
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
@@ -335,9 +389,13 @@
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+# var/lib files for system_crond
+files_search_var_lib(system_cronjob_t)
+manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+
# Read from /var/spool/cron.
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
-allow system_cronjob_t cron_spool_t:file read_file_perms;
+allow system_cronjob_t cron_spool_t:file rw_file_perms;
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
@@ -360,6 +418,7 @@
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
+dev_read_sysfs(system_cronjob_t)
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
@@ -386,6 +445,7 @@
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
+files_create_boot_flag(system_cronjob_t)
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
@@ -410,6 +470,8 @@
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
@@ -434,6 +496,8 @@
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
+ apache_delete_cache_dirs(system_cronjob_t)
+ apache_delete_cache_files(system_cronjob_t)
')
optional_policy(`
@@ -441,6 +505,14 @@
')
optional_policy(`
+ dbus_system_bus_client(system_cronjob_t)
+')
+
+optional_policy(`
+ exim_read_spool_files(system_cronjob_t)
+')
+
+optional_policy(`
ftp_read_log(system_cronjob_t)
')
@@ -451,15 +523,24 @@
')
optional_policy(`
+ livecd_read_tmp_files(system_cronjob_t)
+')
+
+optional_policy(`
lpd_list_spool(system_cronjob_t)
')
optional_policy(`
+ mono_domtrans(system_cronjob_t)
+')
+
+optional_policy(`
mrtg_append_create_logs(system_cronjob_t)
')
optional_policy(`
mta_send_mail(system_cronjob_t)
+ mta_system_content(system_cron_spool_t)
')
optional_policy(`
@@ -475,7 +556,7 @@
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
- prelink_relabelfrom_lib(system_cronjob_t)
+ prelink_relabel_lib(system_cronjob_t)
')
optional_policy(`
@@ -490,6 +571,7 @@
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
+ spamassassin_manage_home_client(system_cronjob_t)
')
optional_policy(`
@@ -497,6 +579,9 @@
')
optional_policy(`
+ unconfined_dbus_send(crond_t)
+ unconfined_shell_domtrans(crond_t)
+ unconfined_domain(crond_t)
unconfined_domain(system_cronjob_t)
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
@@ -590,6 +675,7 @@
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
tunable_policy(`fcron_crond', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.8.6/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/cups.fc 2010-06-21 10:53:58.000000000 -0400
@@ -71,3 +71,9 @@
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
+/usr/local/Brother/fax/.*\.log gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.8.6/policy/modules/services/cups.if
--- nsaserefpolicy/policy/modules/services/cups.if 2009-07-28 15:51:13.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/cups.if 2010-06-25 13:20:18.000000000 -0400
@@ -314,7 +314,7 @@
interface(`cups_admin',`
gen_require(`
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+ type cupsd_etc_t, cupsd_log_t;
type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
type cupsd_var_run_t, ptal_etc_t;
type ptal_var_run_t, hplip_var_run_t;
@@ -341,9 +341,6 @@
admin_pattern($1, cupsd_lpd_var_run_t)
- admin_pattern($1, cupsd_spool_t)
- files_list_spool($1)
-
admin_pattern($1, cupsd_tmp_t)
files_list_tmp($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.8.6/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/cups.te 2010-06-21 10:53:58.000000000 -0400
@@ -15,6 +15,7 @@
type cupsd_t;
type cupsd_exec_t;
init_daemon_domain(cupsd_t, cupsd_exec_t)
+mls_trusted_object(cupsd_t)
type cupsd_etc_t;
files_config_file(cupsd_etc_t)
@@ -123,6 +124,7 @@
files_search_etc(cupsd_t)
manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
+can_exec(cupsd_t, cupsd_interface_t)
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
@@ -137,6 +139,7 @@
allow cupsd_t cupsd_lock_t:file manage_file_perms;
files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
+manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
allow cupsd_t cupsd_log_t:dir setattr;
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
@@ -297,8 +300,10 @@
hal_dbus_chat(cupsd_t)
')
+ # talk to processes that do not have policy
optional_policy(`
unconfined_dbus_chat(cupsd_t)
+ files_write_generic_pid_pipes(cupsd_t)
')
')
@@ -425,6 +430,7 @@
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
+userdom_rw_user_tmp_files(cupsd_config_t)
cups_stream_connect(cupsd_config_t)
@@ -453,6 +459,10 @@
')
optional_policy(`
+ gnome_dontaudit_search_config(cupsd_config_t)
+')
+
+optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
@@ -587,13 +597,18 @@
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
+miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
userdom_home_filetrans_user_home_dir(cups_pdf_t)
+userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
userdom_manage_user_home_content_dirs(cups_pdf_t)
userdom_manage_user_home_content_files(cups_pdf_t)
lpd_manage_spool(cups_pdf_t)
+optional_policy(`
+ gnome_read_config(cups_pdf_t)
+')
tunable_policy(`use_nfs_home_dirs',`
fs_search_auto_mountpoints(cups_pdf_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.8.6/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/cvs.te 2010-06-21 10:53:58.000000000 -0400
@@ -112,4 +112,5 @@
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.8.6/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/cyrus.te 2010-06-21 10:53:58.000000000 -0400
@@ -135,6 +135,7 @@
')
optional_policy(`
+ files_dontaudit_write_usr_dirs(cyrus_t)
snmp_read_snmp_var_lib_files(cyrus_t)
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.8.6/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/dbus.if 2010-06-21 10:53:58.000000000 -0400
@@ -42,8 +42,10 @@
gen_require(`
class dbus { send_msg acquire_svc };
+ attribute dbusd_unconfined;
attribute session_bus_type;
type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+ type $1_t;
')
##############################
@@ -76,7 +78,7 @@
allow $3 $1_dbusd_t:unix_stream_socket connectto;
# SE-DBus specific permissions
- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
@@ -91,7 +93,7 @@
allow $3 $1_dbusd_t:process { signull sigkill signal };
# cjp: this seems very broken
- corecmd_bin_domtrans($1_dbusd_t, $3)
+ corecmd_bin_domtrans($1_dbusd_t, $1_t)
allow $1_dbusd_t $3:process sigkill;
allow $3 $1_dbusd_t:fd use;
allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
@@ -149,13 +151,20 @@
term_use_all_terms($1_dbusd_t)
- userdom_read_user_home_content_files($1_dbusd_t)
+ userdom_dontaudit_search_admin_dir($1_dbusd_t)
+ userdom_manage_user_home_content_dirs($1_dbusd_t)
+ userdom_manage_user_home_content_files($1_dbusd_t)
+ userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file })
ifdef(`hide_broken_symptoms', `
dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
')
optional_policy(`
+ gnome_read_gconf_home_files($1_dbusd_t)
+ ')
+
+ optional_policy(`
hal_dbus_chat($1_dbusd_t)
')
@@ -181,10 +190,12 @@
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
+ attribute dbusd_unconfined;
')
# SE-DBus specific permissions
allow $1 { system_dbusd_t self }:dbus send_msg;
+ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
@@ -436,8 +447,17 @@
ps_process_pattern(system_dbusd_t, $1)
+ userdom_dontaudit_search_admin_dir($1)
userdom_read_all_users_state($1)
+ optional_policy(`
+ rpm_script_dbus_chat($1)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_send($1)
+ ')
+
ifdef(`hide_broken_symptoms', `
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.8.6/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/dbus.te 2010-06-21 10:53:58.000000000 -0400
@@ -121,6 +121,7 @@
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
+init_bin_domtrans_spec(system_dbusd_t)
init_domtrans_script(system_dbusd_t)
logging_send_audit_msgs(system_dbusd_t)
@@ -141,7 +142,15 @@
')
optional_policy(`
- policykit_dbus_chat(system_dbusd_t)
+ gnome_exec_gconf(system_dbusd_t)
+')
+
+optional_policy(`
+ networkmanager_initrc_domtrans(system_dbusd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
')
@@ -158,5 +167,12 @@
#
# Unconfined access to this module
#
-
allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
+
+optional_policy(`
+ xserver_use_xdm_fds(session_bus_type)
+ xserver_rw_xdm_pipes(session_bus_type)
+ xserver_append_xdm_home_files(session_bus_type)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.8.6/policy/modules/services/denyhosts.te
--- nsaserefpolicy/policy/modules/services/denyhosts.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/denyhosts.te 2010-06-21 10:53:58.000000000 -0400
@@ -25,7 +25,8 @@
#
# DenyHosts personal policy.
#
-
+# Bug #588563
+allow denyhosts_t self:capability sys_tty_config;
allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
allow denyhosts_t self:tcp_socket create_socket_perms;
allow denyhosts_t self:udp_socket create_socket_perms;
@@ -53,6 +54,7 @@
corenet_tcp_sendrecv_generic_node(denyhosts_t)
corenet_tcp_bind_generic_node(denyhosts_t)
corenet_tcp_connect_smtp_port(denyhosts_t)
+corenet_tcp_connect_sype_port(denyhosts_t)
corenet_sendrecv_smtp_client_packets(denyhosts_t)
dev_read_urand(denyhosts_t)
@@ -61,9 +63,11 @@
# /var/log/secure
logging_read_generic_logs(denyhosts_t)
+logging_send_syslog_msg(denyhosts_t)
miscfiles_read_localization(denyhosts_t)
+sysnet_dns_name_resolve(denyhosts_t)
sysnet_manage_config(denyhosts_t)
sysnet_etc_filetrans_config(denyhosts_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.8.6/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/devicekit.te 2010-06-21 10:53:58.000000000 -0400
@@ -75,10 +75,12 @@
manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
+allow devicekit_disk_t devicekit_var_run_t:dir mounton;
manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir })
+kernel_list_unlabeled(devicekit_disk_t)
kernel_getattr_message_if(devicekit_disk_t)
kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_network_state(devicekit_disk_t)
@@ -105,8 +107,10 @@
files_dontaudit_read_all_symlinks(devicekit_disk_t)
files_getattr_all_sockets(devicekit_disk_t)
-files_getattr_all_mountpoints(devicekit_disk_t)
+files_getattr_all_dirs(devicekit_disk_t)
files_getattr_all_files(devicekit_disk_t)
+files_getattr_all_pipes(devicekit_disk_t)
+files_manage_boot_dirs(devicekit_disk_t)
files_manage_isid_type_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
files_read_etc_files(devicekit_disk_t)
@@ -178,13 +182,19 @@
virt_manage_images(devicekit_disk_t)
')
+optional_policy(`
+ unconfined_domain(devicekit_t)
+ unconfined_domain(devicekit_power_t)
+ unconfined_domain(devicekit_disk_t)
+')
+
########################################
#
# DeviceKit-Power local policy
#
allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
-allow devicekit_power_t self:process getsched;
+allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.8.6/policy/modules/services/dhcp.te
--- nsaserefpolicy/policy/modules/services/dhcp.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/dhcp.te 2010-06-22 15:20:41.000000000 -0400
@@ -111,6 +111,11 @@
')
optional_policy(`
+ # Should we dontaudit or not?
+ cobbler_rw_log(dhcpd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(dhcpd_t)
dbus_connect_system_bus(dhcpd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.8.6/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/dnsmasq.te 2010-06-22 15:20:41.000000000 -0400
@@ -92,7 +92,11 @@
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
optional_policy(`
- cobbler_read_lib_files(dnsmasq_t)
+ cobbler_read_content(dnsmasq_t)
+')
+
+optional_policy(`
+ cron_manage_pid_files(dnsmasq_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.8.6/policy/modules/services/dovecot.if
--- nsaserefpolicy/policy/modules/services/dovecot.if 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/dovecot.if 2010-06-25 13:20:06.000000000 -0400
@@ -93,12 +93,14 @@
#
interface(`dovecot_admin',`
gen_require(`
- type dovecot_t, dovecot_etc_t, dovecot_log_t;
+ type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
type dovecot_spool_t, dovecot_var_lib_t;
- type dovecot_var_run_t;
+ type dovecot_var_run_t, dovecot_tmp_t;
+ type dovecot_var_log_t;
type dovecot_cert_t, dovecot_passwd_t;
type dovecot_initrc_exec_t;
+ type dovecot_keytab_t;
')
allow $1 dovecot_t:process { ptrace signal_perms };
@@ -112,8 +114,11 @@
files_list_etc($1)
admin_pattern($1, dovecot_etc_t)
- logging_list_logs($1)
- admin_pattern($1, dovecot_log_t)
+ files_list_tmp($1)
+ admin_pattern($1, dovecot_auth_tmp_t)
+ admin_pattern($1, dovecot_tmp_t)
+
+ admin_pattern($1, dovecot_keytab_t)
files_list_spool($1)
admin_pattern($1, dovecot_spool_t)
@@ -121,6 +126,9 @@
files_list_var_lib($1)
admin_pattern($1, dovecot_var_lib_t)
+ logging_search_logs($1)
+ admin_pattern($1, dovecot_var_log_t)
+
files_list_pids($1)
admin_pattern($1, dovecot_var_run_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.8.6/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/dovecot.te 2010-06-21 10:53:58.000000000 -0400
@@ -58,7 +58,7 @@
allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
dontaudit dovecot_t self:capability sys_tty_config;
-allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
+allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
allow dovecot_t self:fifo_file rw_fifo_file_perms;
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
@@ -94,6 +94,7 @@
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
@@ -242,6 +243,7 @@
')
optional_policy(`
+ postfix_manage_private_sockets(dovecot_auth_t)
postfix_search_spool(dovecot_auth_t)
')
@@ -302,4 +304,5 @@
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
+ mta_read_queue(dovecot_deliver_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.8.6/policy/modules/services/exim.fc
--- nsaserefpolicy/policy/modules/services/exim.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/exim.fc 2010-06-21 10:53:58.000000000 -0400
@@ -1,3 +1,6 @@
+
+/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
+
/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.8.6/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/exim.if 2010-06-21 10:53:58.000000000 -0400
@@ -20,6 +20,24 @@
########################################
##
+## Execute exim in the exim domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`exim_initrc_domtrans', `
+ gen_require(`
+ type exim_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, exim_initrc_exec_t)
+')
+
+########################################
+##
## Do not audit attempts to read,
## exim tmp files
##
@@ -194,3 +212,46 @@
manage_files_pattern($1, exim_spool_t, exim_spool_t)
files_search_spool($1)
')
+
+########################################
+##
+## All of the rules required to administrate
+## an exim environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`exim_admin', `
+ gen_require(`
+ type exim_t, exim_initrc_exec_t, exim_log_t;
+ type exim_tmp_t, exim_spool_t, exim_var_run_t;
+ ')
+
+ allow $1 exim_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, exim_t, exim_t)
+
+ exim_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 exim_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, exim_log_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, exim_tmp_t)
+
+ files_search_spool($1)
+ admin_pattern($1, exim_spool_t)
+
+ files_search_pids($1)
+ admin_pattern($1, exim_var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.8.6/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/exim.te 2010-06-21 10:53:58.000000000 -0400
@@ -35,6 +35,9 @@
application_executable_file(exim_exec_t)
mta_agent_executable(exim_exec_t)
+type exim_initrc_exec_t;
+init_script_file(exim_initrc_exec_t)
+
type exim_log_t;
logging_log_file(exim_log_t)
@@ -171,6 +174,10 @@
')
optional_policy(`
+ nagios_search_spool(exim_t)
+')
+
+optional_policy(`
tunable_policy(`exim_can_connect_db',`
mysql_stream_connect(exim_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.8.6/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-03-18 06:48:09.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/fail2ban.if 2010-06-21 10:53:58.000000000 -0400
@@ -138,6 +138,26 @@
########################################
##
+## dontaudit read and write an leaked file descriptors
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`fail2ban_dontaudit_leaks',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ dontaudit $1 fail2ban_t:tcp_socket { read write };
+ dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
+ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
+########################################
+##
## All of the rules required to administrate
## an fail2ban environment
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.8.6/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/fprintd.te 2010-06-21 10:53:58.000000000 -0400
@@ -54,4 +54,5 @@
policykit_read_lib(fprintd_t)
policykit_dbus_chat(fprintd_t)
policykit_domtrans_auth(fprintd_t)
+ policykit_dbus_chat_auth(fprintd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.8.6/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/ftp.te 2010-06-21 10:53:58.000000000 -0400
@@ -40,6 +40,13 @@
##
##
+## Allow ftp servers to use connect to mysql database
+##
+##
+gen_tunable(ftpd_connect_db, false)
+
+##
+##
## Allow ftp to read and write files in the user home directories
##
##
@@ -70,6 +77,14 @@
##
gen_tunable(sftpd_full_access, false)
+##