diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.2.7/config/appconfig-mcs/failsafe_context
--- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.2.7/config/appconfig-mcs/failsafe_context 2008-02-13 16:57:15.000000000 -0500
@@ -1 +1 @@
-sysadm_r:sysadm_t:s0
+system_r:unconfined_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.2.7/config/appconfig-mcs/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/config/appconfig-mcs/guest_u_default_contexts 2008-02-13 16:57:15.000000000 -0500
@@ -0,0 +1,4 @@
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_crond_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.2.7/config/appconfig-mcs/root_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.2.7/config/appconfig-mcs/root_default_contexts 2008-02-13 16:57:15.000000000 -0500
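Review bot: The failsafe context is what login programs fall back to when no default-context lookup succeeds, so `+system_r:unconfined_t:s0` turns a lookup failure into an unconfined session where the old value gave a confined `sysadm_t` one; that is fail-open for precisely the misconfigured case this file exists to handle. If that is the intended behaviour for the targeted flavour, the commit message should say so, and it presumably relies on `system_r` being authorized for `unconfined_t` in this policy, which is worth confirming. The new `guest_u_default_contexts` in the same line is the confined counterpart and looks consistent with its MLS and standard siblings.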
@@ -1,11 +1,7 @@ system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 - # # Uncomment if you want to automatically login as sysadm_r # -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.2.7/config/appconfig-mcs/seusers --- nsaserefpolicy/config/appconfig-mcs/seusers 2007-10-12 08:56:09.000000000 -0400 +++ serefpolicy-3.2.7/config/appconfig-mcs/seusers 2008-02-13 16:57:15.000000000 -0500 @@ -1,3 +1,3 @@ system_u:system_u:s0-mcs_systemhigh root:root:s0-mcs_systemhigh -__default__:user_u:s0 +__default__:unconfined_u:s0 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.2.7/config/appconfig-mcs/unconfined_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/config/appconfig-mcs/unconfined_u_default_contexts 2008-02-13 16:57:15.000000000 -0500 
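Review bot: The comment `# Uncomment if you want to automatically login as sysadm_r` is now stale: the `sshd_t` line below it is uncommented unconditionally, and its first candidate is `unconfined_r:unconfined_t:s0`, not `sysadm_r`, so root ssh logins now default to an unconfined session while the text still presents the line as an opt-in for sysadm_r. Replace it with a comment that states the actual default, e.g. `# root over ssh gets unconfined_t; sysadm_r, staff_r and user_r are offered as alternatives`. The removed `*_su_t` entries mean su-to-root from staff/user sessions no longer has an explicit line here; presumably the new `unconfined_u_default_contexts` covers it, but that is worth confirming rather than assuming.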
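Review bot: `-__default__:user_u:s0` / `+__default__:unconfined_u:s0` is the single change that makes every Linux user without an explicit seusers mapping unconfined, and it is easy to miss among the context-file edits; it deserves a sentence in the commit message and, if this config directory is shipped as the MCS default, a note in the documentation that confinement of ordinary users now requires an explicit `semanage login` mapping to `user_u`, `guest_u` or `xguest_u`.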
@@ -0,0 +1,9 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0
+system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:rshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
+system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
+system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.2.7/config/appconfig-mcs/userhelper_context
--- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.2.7/config/appconfig-mcs/userhelper_context 2008-02-13 16:57:15.000000000 -0500
@@ -1 +1 @@
-system_u:sysadm_r:sysadm_t:s0
+system_u:system_r:unconfined_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.2.7/config/appconfig-mcs/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/config/appconfig-mcs/xguest_u_default_contexts 2008-02-13 16:57:15.000000000 -0500
@@ -0,0 +1,5 @@
+system_r:local_login_t xguest_r:xguest_t:s0
+system_r:remote_login_t xguest_r:xguest_t:s0
+system_r:sshd_t xguest_r:xguest_t:s0
+system_r:crond_t xguest_r:xguest_crond_t:s0
+system_r:xdm_t xguest_r:xguest_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.2.7/config/appconfig-mls/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/config/appconfig-mls/guest_u_default_contexts 2008-02-13 16:57:15.000000000 -0500
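Review bot: In `appconfig-mcs/xguest_u_default_contexts` the source contexts are written without a level (`system_r:local_login_t xguest_r:xguest_t:s0`) while `guest_u_default_contexts` and `unconfined_u_default_contexts` in the same directory carry `:s0` on both sides; if the libselinux matcher compares the full `role:type[:level]` field, the xguest entries never match and the lookup falls through to the failsafe context, which this same patch sets to `unconfined_t`. Make the MCS file consistent with its siblings, e.g. `system_r:local_login_t:s0 xguest_r:xguest_t:s0`, or confirm that the level on the source side is ignored by the matcher. Separately, the `system_r:rshd_t:s0 unconfined_r:unconfined_t:s0` line in `unconfined_u_default_contexts` maps rsh logins to the most privileged domain; if rsh is not a supported login path on this target, dropping the entry is safer than keeping it.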
@@ -0,0 +1,4 @@
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_crond_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.2.7/config/appconfig-standard/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/config/appconfig-standard/guest_u_default_contexts 2008-02-13 16:57:15.000000000 -0500
@@ -0,0 +1,4 @@
+system_r:local_login_t guest_r:guest_t
+system_r:remote_login_t guest_r:guest_t
+system_r:sshd_t guest_r:guest_t
+system_r:crond_t guest_r:guest_crond_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/root_default_contexts serefpolicy-3.2.7/config/appconfig-standard/root_default_contexts
--- nsaserefpolicy/config/appconfig-standard/root_default_contexts 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.2.7/config/appconfig-standard/root_default_contexts 2008-02-13 16:57:15.000000000 -0500
@@ -1,11 +1,7 @@ system_r:crond_t unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t -staff_r:staff_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t -sysadm_r:sysadm_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t -user_r:user_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t - # # Uncomment if you want to automatically login as sysadm_r # -#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t +system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.2.7/config/appconfig-standard/xguest_u_default_contexts --- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/config/appconfig-standard/xguest_u_default_contexts 2008-02-13 16:57:15.000000000 -0500 @@ -0,0 +1,5 @@ +system_r:local_login_t xguest_r:xguest_t +system_r:remote_login_t xguest_r:xguest_t +system_r:sshd_t xguest_r:xguest_t +system_r:crond_t xguest_r:xguest_crond_t +system_r:xdm_t xguest_r:xguest_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.2.7/Makefile --- nsaserefpolicy/Makefile 2008-02-06 10:33:22.000000000 -0500 +++ serefpolicy-3.2.7/Makefile 2008-02-13 16:57:15.000000000 -0500 
@@ -309,20 +309,22 @@ # parse-rolemap modulename,outputfile define parse-rolemap - $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ - $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 + echo "" >> $2 +# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ +# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 endef # perrole-expansion modulename,outputfile define perrole-expansion - $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 - $(call parse-rolemap,$1,$2) - $(verbose) echo "')" >> $2 - - $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 - $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 - $(call parse-rolemap-compat,$1,$2) - $(verbose) echo "')" >> $2 + echo "No longer doing perrole-expansion" +# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 +# $(call parse-rolemap,$1,$2) +# $(verbose) echo "')" >> $2 + +# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 +# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 +# $(call parse-rolemap-compat,$1,$2) +# $(verbose) echo "')" >> $2 endef # create-base-per-role-tmpl modulenames,outputfile diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.2.7/man/man8/httpd_selinux.8 --- nsaserefpolicy/man/man8/httpd_selinux.8 2007-10-12 08:56:10.000000000 -0400 +++ serefpolicy-3.2.7/man/man8/httpd_selinux.8 2008-02-13 16:57:15.000000000 -0500 
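Review bot: `perrole-expansion` no longer writes `$2` at all — the old first recipe line created and truncated it with `> $2`, whereas the replacement `echo "No longer doing perrole-expansion"` only prints to stdout — so any rule that still consumes the per-role output file either fails on a missing file or, worse, silently reuses a stale one left by an earlier build. If the file is still referenced, keep a truncating write such as `$(verbose) echo "" > $2` (and give the `echo "" >> $2` in `parse-rolemap` its `$(verbose)` prefix like the surrounding recipes); if nothing consumes it, remove the call sites as well. Either way the twelve commented-out recipe lines are dead code and should be deleted; a one-line `# per-role template expansion was removed; rolemap is no longer consulted` comment conveys the same history without the noise. Both `define` blocks start and end inside the hunk, but their call sites do not.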
@@ -93,6 +93,11 @@ .EE .PP +httpd can be configured to turn on sending email. By default http is not allowed to send mail. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean. + +.EX +setsebool -P httpd_can_sendmail 1 +.PP httpd can be configured to turn off internal scripting (PHP). PHP and other loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.2.7/policy/flask/access_vectors --- nsaserefpolicy/policy/flask/access_vectors 2008-02-01 09:12:52.000000000 -0500 +++ serefpolicy-3.2.7/policy/flask/access_vectors 2008-02-13 16:57:15.000000000 -0500 @@ -644,6 +644,8 @@ send recv relabelto + flow_in + flow_out } class key diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.2.7/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2007-12-12 11:35:28.000000000 -0500 +++ serefpolicy-3.2.7/policy/global_tunables 2008-02-13 16:57:15.000000000 -0500 @@ -34,7 +34,7 @@ ## ##

-## Enable polyinstantiated directory support. +## Allow login programs to use polyinstantiated directories. ##

##
gen_tunable(allow_polyinstantiation,false) @@ -61,15 +61,6 @@ ## ##

-## Allow email client to various content. -## nfs, samba, removable devices, user temp -## and untrusted content files -##

-##
-gen_tunable(mail_read_content,false) - -## -##

## Allow any files/directories to be exported read/write via NFS. ##

##
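Review bot: Deleting `gen_tunable(mail_read_content,false)` removes a boolean that modules may still reference inside `tunable_policy(` blocks, which would fail at policy build time, and any site that set it with `setsebool -P` loses the setting silently on upgrade. Confirm that no module in the tree still references `mail_read_content` before merging, and mention the removal in the changelog so administrators who relied on it can migrate. The remaining lines of this hunk are unchanged context.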
@@ -129,3 +120,12 @@ ##

## gen_tunable(write_untrusted_content,false) + +## +##

+## Allow direct login to the console device. Required for System 390 +##

+##
+gen_tunable(allow_console_login,false) + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.2.7/policy/modules/admin/alsa.fc --- nsaserefpolicy/policy/modules/admin/alsa.fc 2007-10-29 18:02:32.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/admin/alsa.fc 2008-02-13 16:57:15.000000000 -0500 @@ -1,8 +1,11 @@ +/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) /etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) /etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/asound\.state gen_context(system_u:object_r:alsa_etc_rw_t,s0) - +/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) /sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) +/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) +/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) +/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.2.7/policy/modules/admin/alsa.if --- nsaserefpolicy/policy/modules/admin/alsa.if 2007-01-02 12:57:51.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/admin/alsa.if 2008-02-13 16:57:15.000000000 -0500 
@@ -74,3 +74,21 @@ read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t) read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t) ') + +######################################## +## +## Read alsa lib config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`alsa_read_lib',` + gen_require(` + type alsa_var_lib_t; + ') + + read_files_pattern($1,alsa_var_lib_t,alsa_var_lib_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.2.7/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2007-12-19 05:32:18.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/admin/alsa.te 2008-02-13 16:57:15.000000000 -0500 @@ -8,12 +8,15 @@ type alsa_t; type alsa_exec_t; -application_domain(alsa_t, alsa_exec_t) +init_system_domain(alsa_t, alsa_exec_t) role system_r types alsa_t; type alsa_etc_rw_t; files_type(alsa_etc_rw_t) +type alsa_var_lib_t; +files_type(alsa_var_lib_t) + ######################################## # # Local policy @@ -30,14 +33,23 @@ manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t) files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) +files_search_var_lib(alsa_t) +manage_dirs_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t) +manage_files_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t) + kernel_read_system_state(alsa_t) dev_read_sound(alsa_t) dev_write_sound(alsa_t) +corecmd_exec_bin(alsa_t) +can_exec(alsa_t, alsa_exec_t) + files_search_home(alsa_t) files_read_etc_files(alsa_t) +auth_use_nsswitch(alsa_t) + libs_use_ld_so(alsa_t) libs_use_shared_libs(alsa_t) 
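Review bot: `alsa_read_lib` grants read access to `alsa_var_lib_t` files but never adds `files_search_var_lib($1)`, so a caller that cannot already traverse `/var/lib` is still denied on the directory search before reaching the file rule; the `kismet_read_lib_files` interface added by this same patch pairs its read rule with `files_search_var_lib($1)`, and this one should do the same — add `files_search_var_lib($1)` after the `gen_require` block. The summary "Read alsa lib config files" could also say that this is the `/var/lib/alsa` tree (labelled in the `.fc` hunk above), since `/etc` config is already covered by `alsa_etc_rw_t`.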
@@ -48,10 +60,7 @@ userdom_manage_unpriv_user_semaphores(alsa_t) userdom_manage_unpriv_user_shared_mem(alsa_t) userdom_search_generic_user_home_dirs(alsa_t) - -optional_policy(` - nscd_socket_use(alsa_t) -') +userdom_dontaudit_search_sysadm_home_dirs(alsa_t) optional_policy(` hal_use_fds(alsa_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.2.7/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2007-01-02 12:57:51.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/admin/anaconda.te 2008-02-13 16:57:15.000000000 -0500 @@ -31,16 +31,13 @@ modutils_domtrans_insmod(anaconda_t) seutil_domtrans_semanage(anaconda_t) +seutil_domtrans_setsebool(anaconda_t) unconfined_domain(anaconda_t) userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file }) optional_policy(` - dmesg_domtrans(anaconda_t) -') - -optional_policy(` kudzu_domtrans(anaconda_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.2.7/policy/modules/admin/brctl.te --- nsaserefpolicy/policy/modules/admin/brctl.te 2007-12-19 05:32:18.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/admin/brctl.te 2008-02-13 16:57:15.000000000 -0500 @@ -40,4 +40,5 @@ optional_policy(` xen_append_log(brctl_t) + xen_dontaudit_rw_unix_stream_sockets(brctl_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.2.7/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-12-19 05:32:18.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/admin/consoletype.te 2008-02-13 16:57:15.000000000 -0500 
@@ -8,9 +8,11 @@ type consoletype_t; type consoletype_exec_t; -application_executable_file(consoletype_exec_t) -init_domain(consoletype_t,consoletype_exec_t) -init_system_domain(consoletype_t,consoletype_exec_t) +#dont transition from initrc +#init_domain(consoletype_t,consoletype_exec_t) +#init_system_domain(consoletype_t,consoletype_exec_t) +application_domain(consoletype_t, consoletype_exec_t) + role system_r types consoletype_t; ######################################## @@ -43,12 +45,12 @@ mls_file_write_all_levels(consoletype_t) term_use_console(consoletype_t) -term_use_unallocated_ttys(consoletype_t) +term_use_all_terms(consoletype_t) init_use_fds(consoletype_t) init_use_script_ptys(consoletype_t) init_use_script_fds(consoletype_t) -init_write_script_pipes(consoletype_t) +init_rw_script_pipes(consoletype_t) domain_use_interactive_fds(consoletype_t) @@ -88,6 +90,10 @@ ') optional_policy(` + hotplug_dontaudit_use_fds(consoletype_t) +') + +optional_policy(` logrotate_dontaudit_use_fds(consoletype_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.if serefpolicy-3.2.7/policy/modules/admin/firstboot.if --- nsaserefpolicy/policy/modules/admin/firstboot.if 2007-04-10 12:52:58.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/admin/firstboot.if 2008-02-13 16:57:15.000000000 -0500 @@ -141,4 +141,6 @@ ') dontaudit $1 firstboot_t:fifo_file { read write }; + dontaudit $1 firstboot_t:unix_stream_socket { read write }; + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.2.7/policy/modules/admin/firstboot.te --- nsaserefpolicy/policy/modules/admin/firstboot.te 2007-12-19 05:32:18.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/admin/firstboot.te 2008-02-13 16:57:15.000000000 -0500 @@ -120,6 +120,10 @@ usermanage_domtrans_admin_passwd(firstboot_t) ') +optional_policy(` + xserver_xdm_rw_shm(firstboot_t) +') + ifdef(`TODO',` allow firstboot_t proc_t:file write; 
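Review bot: Replacing `term_use_unallocated_ttys` with `term_use_all_terms` lets `consoletype_t` read and write every terminal class, including ptys owned by user sessions, where the tool only needs to inspect the descriptor it was handed; if the motivating denials were on login ttys, a narrower per-class interface from `terminal.if` or a `dontaudit` is the usual answer, so it is worth checking the AVCs that prompted this before granting the widest option. The two commented-out `init_domain`/`init_system_domain` lines should be deleted and the reason kept as a proper comment, e.g. `# no domain transition from initrc: consoletype runs in the caller's domain and is only an application domain`. The rest of the consoletype hunks (`init_rw_script_pipes`, `hotplug_dontaudit_use_fds`) read as ordinary fixes.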
@@ -132,7 +136,4 @@ domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t) ') -ifdef(`xserver.te', ` - domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t) -') ') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.fc serefpolicy-3.2.7/policy/modules/admin/kismet.fc --- nsaserefpolicy/policy/modules/admin/kismet.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/admin/kismet.fc 2008-02-13 16:57:15.000000000 -0500 @@ -0,0 +1,5 @@ + +/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0) +/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0) +/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0) +/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.2.7/policy/modules/admin/kismet.if --- nsaserefpolicy/policy/modules/admin/kismet.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/admin/kismet.if 2008-02-13 16:57:15.000000000 -0500 
@@ -0,0 +1,275 @@ + +## policy for kismet + +######################################## +## +## Execute a domain transition to run kismet. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`kismet_domtrans',` + gen_require(` + type kismet_t; + type kismet_exec_t; + ') + + domtrans_pattern($1,kismet_exec_t,kismet_t) +') + + +######################################## +## +## Read kismet PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`kismet_read_pid_files',` + gen_require(` + type kismet_var_run_t; + ') + + files_search_pids($1) + allow $1 kismet_var_run_t:file read_file_perms; +') + +######################################## +## +## Manage kismet var_run files. +## +## +## +## Domain allowed access. +## +## +# +interface(`kismet_manage_var_run',` + gen_require(` + type kismet_var_run_t; + ') + + manage_dirs_pattern($1,kismet_var_run_t,kismet_var_run_t) + manage_files_pattern($1,kismet_var_run_t,kismet_var_run_t) + manage_lnk_files_pattern($1,kismet_var_run_t,kismet_var_run_t) +') + + +######################################## +## +## Search kismet lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`kismet_search_lib',` + gen_require(` + type kismet_var_lib_t; + ') + + allow $1 kismet_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Read kismet lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`kismet_read_lib_files',` + gen_require(` + type kismet_var_lib_t; + ') + + allow $1 kismet_var_lib_t:file read_file_perms; + allow $1 kismet_var_lib_t:dir list_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Create, read, write, and delete +## kismet lib files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`kismet_manage_lib_files',` + gen_require(` + type kismet_var_lib_t; + ') + + allow $1 kismet_var_lib_t:file manage_file_perms; + allow $1 kismet_var_lib_t:dir rw_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Manage kismet var_lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`kismet_manage_var_lib',` + gen_require(` + type kismet_var_lib_t; + ') + + manage_dirs_pattern($1,kismet_var_lib_t,kismet_var_lib_t) + manage_files_pattern($1,kismet_var_lib_t,kismet_var_lib_t) + manage_lnk_files_pattern($1,kismet_var_lib_t,kismet_var_lib_t) +') + + +######################################## +## +## Allow the specified domain to read kismet's log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kismet_read_log',` + gen_require(` + type kismet_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, kismet_log_t, kismet_log_t) +') + +######################################## +## +## Allow the specified domain to append +## kismet log files. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`kismet_append_log',` + gen_require(` + type var_log_t, kismet_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, kismet_log_t, kismet_log_t) +') + +######################################## +## +## Allow domain to manage kismet log files +## +## +## +## Domain to not audit. +## +## +# +interface(`kismet_manage_log',` + gen_require(` + type kismet_log_t; + ') + + logging_search_logs($1) + manage_dirs_pattern($1,kismet_log_t,kismet_log_t) + manage_files_pattern($1,kismet_log_t,kismet_log_t) + manage_lnk_files_pattern($1,kismet_log_t,kismet_log_t) +') + +######################################## +## +## Execute kismet in the kismet domain, and +## allow the specified role the kismet domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the kismet domain. +## +## +## +## +## The type of the role's terminal. 
+## +## +# +interface(`kismet_run',` + gen_require(` + type kismet_t; + ') + + kismet_domtrans($1) + role $2 types kismet_t; + dontaudit kismet_t $3:chr_file rw_term_perms; +') + + +######################################## +## +## All of the rules required to administrate an kismet environment +## +## +## +## Prefix of the domain. Example, user would be +## the prefix for the uder_t domain. +## +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the kismet domain. +## +## +## +# +interface(`kismet_admin',` + gen_require(` + type kismet_t; + ') + + allow $1 kismet_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, kismet_t, kismet_t) + + + kismet_manage_var_run($1) + + kismet_manage_var_lib($1) + + kismet_manage_log($1) + +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.2.7/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/admin/kismet.te 2008-02-13 16:57:15.000000000 -0500 
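Review bot: `kismet_admin` documents three parameters (prefix, domain, role) but its body only uses `$1` as the domain: there is no prefix parameter in the code and `$2`/`$3` are never referenced, so the role that is supposed to administer kismet never receives `role $2 types kismet_t;` and cannot actually run it. Fix the doc to the two real parameters and add `role $2 types kismet_t;` (or simply call `kismet_run($1, $2, $3)`) after the ptrace rule. Smaller issues in the same file: `kismet_append_log` requires `var_log_t`, which it never uses and which belongs to the logging module, so drop it from the `gen_require`; `kismet_manage_log` describes its domain parameter as "Domain to not audit"; and `kismet_run` uses `dontaudit kismet_t $3:chr_file rw_term_perms` where `_run` interfaces in this tree typically allow the terminal, so confirm that kismet really must not talk to the invoking tty. The `uder_t` typo in the kismet_admin doc should become `user_t`.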
@@ -0,0 +1,55 @@
+
+policy_module(kismet,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type kismet_t;
+type kismet_exec_t;
+application_domain(kismet_t, kismet_exec_t)
+role system_r types kismet_t;
+
+type kismet_var_run_t;
+files_pid_file(kismet_var_run_t)
+
+type kismet_var_lib_t;
+files_type(kismet_var_lib_t)
+
+type kismet_log_t;
+logging_log_file(kismet_log_t)
+
+########################################
+#
+# kismet local policy
+#
+
+allow kismet_t self:capability { net_admin setuid setgid };
+
+corecmd_exec_bin(kismet_t)
+
+auth_use_nsswitch(kismet_t)
+
+allow kismet_t self:fifo_file rw_file_perms;
+allow kismet_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(kismet_t)
+
+libs_use_ld_so(kismet_t)
+libs_use_shared_libs(kismet_t)
+
+miscfiles_read_localization(kismet_t)
+
+allow kismet_t kismet_var_run_t:file manage_file_perms;
+allow kismet_t kismet_var_run_t:dir manage_dir_perms;
+files_pid_filetrans(kismet_t,kismet_var_run_t, { file dir })
+
+allow kismet_t kismet_var_lib_t:file manage_file_perms;
+allow kismet_t kismet_var_lib_t:dir manage_dir_perms;
+files_var_lib_filetrans(kismet_t,kismet_var_lib_t, { file dir })
+
+allow kismet_t kismet_log_t:file manage_file_perms;
+allow kismet_t kismet_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(kismet_t,kismet_log_t,{ file dir })
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.2.7/policy/modules/admin/kudzu.te
--- nsaserefpolicy/policy/modules/admin/kudzu.te 2007-12-19 05:32:18.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/admin/kudzu.te 2008-02-13 16:57:15.000000000 -0500
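Review bot: The local policy grants `self:capability { net_admin setuid setgid }` but no network socket rules beyond `self:unix_stream_socket`; a wireless sniffer normally needs packet or raw sockets (and `net_raw` on the capability line) to capture frames, so either this domain fails in practice or those denials are handled somewhere outside this hunk — confirm with a test run before shipping, and give each capability a why-comment such as `# net_admin: switch the wireless interface into monitor mode`. `setuid`/`setgid` presumably exist because the daemon drops privileges after opening the capture device; if so, a comment saying that would justify them, and if not they should go. `kismet_t` is declared with `application_domain` and `role system_r types kismet_t;`, yet nothing in this file transitions into it, so the only entry points are the `kismet_run`/`kismet_domtrans` callers outside this patch.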
@@ -21,8 +21,8 @@ # Local policy # -allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; -dontaudit kudzu_t self:capability { sys_ptrace sys_tty_config }; +allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod }; +dontaudit kudzu_t self:capability sys_tty_config; allow kudzu_t self:process { signal_perms execmem }; allow kudzu_t self:fifo_file rw_fifo_file_perms; allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms }; @@ -68,6 +68,7 @@ modutils_read_module_deps(kudzu_t) modutils_read_module_config(kudzu_t) modutils_rename_module_config(kudzu_t) +modutils_unlink_module_config(kudzu_t) storage_read_scsi_generic(kudzu_t) storage_read_tape(kudzu_t) @@ -103,6 +104,8 @@ init_use_fds(kudzu_t) init_use_script_ptys(kudzu_t) init_stream_connect_script(kudzu_t) +init_read_init_state(kudzu_t) +init_ptrace_init_domain(kudzu_t) # kudzu will telinit to make init re-read # the inittab after configuring serial consoles init_telinit(kudzu_t) 
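Review bot: `sys_ptrace` moves from `dontaudit` to `allow`, and `init_ptrace_init_domain(kudzu_t)` additionally lets the hardware prober trace PID 1, which amounts to full control of the system; neither line carries a reason, unlike the `init_telinit` rule right below that explains itself. If the need is only to read `/proc/1` state, the `init_read_init_state(kudzu_t)` added in the same hunk should be sufficient and the two ptrace grants can be dropped; if kudzu really attaches to init, say why in a comment, e.g. `# kudzu ptraces init for <reason>; remove once fixed upstream`. `modutils_unlink_module_config(kudzu_t)` is plausible for rewriting the modprobe configuration but also deserves a word next to it.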
@@ -142,28 +145,6 @@ ') optional_policy(` - # cjp: this was originally in the else block - # of ifdef userhelper.te, but it seems to - # make more sense here. also, require - # blocks curently do not work in the - # else block of optionals + unconfined_domtrans(kudzu_t) unconfined_domain(kudzu_t) ') - -ifdef(`TODO',` -allow kudzu_t modules_conf_t:file unlink; -optional_policy(` - allow kudzu_t printconf_t:file { getattr read }; -') -optional_policy(` - allow kudzu_t xserver_exec_t:file getattr; -') -optional_policy(` - allow kudzu_t rhgb_t:unix_stream_socket connectto; -') -optional_policy(` - role system_r types sysadm_userhelper_t; - domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t) -') -allow kudzu_t cupsd_rw_etc_t:dir list_dir_perms; -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.2.7/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2007-12-19 05:32:18.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/admin/logrotate.te 2008-02-13 16:57:15.000000000 -0500 @@ -96,9 +96,11 @@ files_read_etc_files(logrotate_t) files_read_etc_runtime_files(logrotate_t) files_read_all_pids(logrotate_t) +files_search_all(logrotate_t) # Write to /var/spool/slrnpull - should be moved into its own type. files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) +files_getattr_generic_locks(logrotate_t) # cjp: why is this needed? init_domtrans_script(logrotate_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.2.7/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2007-12-19 05:32:18.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/admin/logwatch.te 2008-02-13 16:57:15.000000000 -0500 
@@ -59,10 +59,8 @@ files_read_usr_files(logwatch_t) files_search_spool(logwatch_t) files_search_mnt(logwatch_t) -files_dontaudit_search_home(logwatch_t) -files_dontaudit_search_boot(logwatch_t) # Execs df and if file system mounted with a context avc raised -files_dontaudit_search_all_dirs(logwatch_t) +files_search_all(logwatch_t) fs_getattr_all_fs(logwatch_t) fs_dontaudit_list_auto_mountpoints(logwatch_t) @@ -88,9 +86,6 @@ sysnet_dns_name_resolve(logwatch_t) -userdom_dontaudit_search_sysadm_home_dirs(logwatch_t) -userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t) - mta_send_mail(logwatch_t) optional_policy(` @@ -132,4 +127,5 @@ optional_policy(` samba_read_log(logwatch_t) + samba_read_share_files(logwatch_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.2.7/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2007-12-19 05:32:18.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/admin/netutils.te 2008-02-13 16:57:15.000000000 -0500 @@ -94,6 +94,10 @@ ') optional_policy(` + vmware_append_log(netutils_t) +') + +optional_policy(` xen_append_log(netutils_t) ') 
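Review bot: `samba_read_share_files(logwatch_t)` lets the log summarizer read the contents of every Samba share rather than only Samba's logs (which `samba_read_log` already covers), and because `logwatch_t` also has `mta_send_mail`, share data can end up in the e-mailed report; if the real need was to stat shares listed by `df`, the `files_search_all`/`fs_getattr_all_fs` rules above should already cover it, so confirm the AVC that motivated this before granting read. Turning `files_dontaudit_search_all_dirs` into `files_search_all` converts a silenced denial into an allow; the existing `# Execs df ...` comment justifies it, but keep that comment on the line it now explains. The dropped `userdom_dontaudit_*_sysadm_home_dirs` lines are presumably subsumed by `files_search_all`; worth a quick check that no new audit noise appears.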
@@ -107,12 +111,14 @@ allow ping_t self:tcp_socket create_socket_perms; allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; allow ping_t self:packet_socket { create ioctl read write bind getopt setopt }; +allow ping_t self:netlink_route_socket create_netlink_socket_perms; corenet_all_recvfrom_unlabeled(ping_t) corenet_all_recvfrom_netlabel(ping_t) corenet_tcp_sendrecv_all_if(ping_t) corenet_raw_sendrecv_all_if(ping_t) corenet_raw_sendrecv_all_nodes(ping_t) +corenet_raw_bind_all_nodes(ping_t) corenet_tcp_sendrecv_all_nodes(ping_t) corenet_tcp_sendrecv_all_ports(ping_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.2.7/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2007-12-19 05:32:18.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/admin/prelink.te 2008-02-13 16:57:15.000000000 -0500 @@ -26,7 +26,7 @@ # Local policy # -allow prelink_t self:capability { chown dac_override fowner fsetid }; +allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource }; allow prelink_t self:process { execheap execmem execstack signal }; allow prelink_t self:fifo_file rw_fifo_file_perms; @@ -40,7 +40,7 @@ read_lnk_files_pattern(prelink_t,prelink_log_t,prelink_log_t) logging_log_filetrans(prelink_t, prelink_log_t, file) -allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom }; +allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod }; files_tmp_filetrans(prelink_t, prelink_tmp_t, file) fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file) @@ -49,8 +49,7 @@ allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom }; kernel_read_system_state(prelink_t) -kernel_dontaudit_search_kernel_sysctl(prelink_t) -kernel_dontaudit_search_sysctl(prelink_t) +kernel_read_kernel_sysctls(prelink_t) corecmd_manage_all_executables(prelink_t) corecmd_relabel_all_executables(prelink_t) 
@@ -65,6 +64,8 @@ files_read_etc_files(prelink_t) files_read_etc_runtime_files(prelink_t) files_dontaudit_read_all_symlinks(prelink_t) +files_manage_usr_files(prelink_t) +files_relabelfrom_usr_files(prelink_t) fs_getattr_xattr_fs(prelink_t) @@ -81,6 +82,11 @@ miscfiles_read_localization(prelink_t) +# prelink executables in the user homedir +userdom_manage_unpriv_users_home_content_files(prelink_t) +userdom_mmap_unpriv_user_home_content_files(prelink_t) +userdom_dontaudit_relabel_unpriv_user_home_content_files(prelink_t) + optional_policy(` amanda_manage_lib(prelink_t) ') @@ -88,3 +94,7 @@ optional_policy(` cron_system_entry(prelink_t, prelink_exec_t) ') + +optional_policy(` + unconfined_domain(prelink_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.2.7/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-11-16 17:15:26.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/admin/rpm.fc 2008-02-13 16:57:15.000000000 -0500 @@ -11,6 +11,7 @@ /usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0) 
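Review bot: `unconfined_domain(prelink_t)` inside `optional_policy` makes prelink unconfined whenever the unconfined module is loaded, which on the targeted configuration this patch is shaping means effectively always; every targeted rule above it (manage and relabel executables, `execmod` on `prelink_tmp_t`, write to `/usr`, user home content) becomes redundant, and a bug in a cron-driven binary rewriter then has unrestricted access to the system. If the goal is prelinking in home directories, the new `userdom_manage_unpriv_users_home_content_files`/`userdom_mmap_unpriv_user_home_content_files` lines already provide that, so the unconfined block should be dropped or at least gated behind a boolean with a comment naming what still breaks without it. `files_manage_usr_files(prelink_t)` plus `files_relabelfrom_usr_files` is likewise broad for rewriting shared objects and executables under `/usr`; a short why-comment next to them would let the next reviewer judge whether they can be narrowed.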
@@ -21,6 +22,9 @@ /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) ') /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.2.7/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-18 11:12:44.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/admin/rpm.if 2008-02-13 16:57:15.000000000 -0500 @@ -152,6 +152,24 @@ ######################################## ## +## dontaudit read and write an unnamed RPM pipe. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`rpm_dontaudit_rw_pipes',` + gen_require(` + type rpm_t; + ') + + dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## ## Send and receive messages from ## rpm over dbus. ## @@ -173,6 +191,27 @@ ######################################## ## +## Send and receive messages from +## rpm_script over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_script_dbus_chat',` + gen_require(` + type rpm_script_t; + class dbus send_msg; + ') + + allow $1 rpm_script_t:dbus send_msg; + allow rpm_script_t $1:dbus send_msg; +') + +######################################## +## ## Create, read, write, and delete the RPM log. ## ## 
@@ -210,6 +249,24 @@ ######################################## ## +## dontaudit and use file descriptors from RPM scripts. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`rpm_dontaudit_use_script_fds',` + gen_require(` + type rpm_script_t; + ') + + dontaudit $1 rpm_script_t:fd use; +') + +######################################## +## ## Create, read, write, and delete RPM ## script temporary files. ## @@ -225,7 +282,29 @@ ') files_search_tmp($1) + manage_dirs_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t) manage_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t) + manage_lnk_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t) +') + +######################################## +## +## read, RPM +## script temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_read_script_tmp_files',` + gen_require(` + type rpm_script_tmp_t; + ') + + read_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t) + read_lnk_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t) ') ######################################## 
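Review bot: The summary of the new `rpm_read_script_tmp_files` interface reads `read, RPM script temporary files.`, which looks like the manage interface's summary with the verbs cut down and the comma left behind; it should read `Read RPM script temporary files and symlinks.`, since the body also grants `read_lnk_files_pattern`. The same hunk extends `rpm_manage_script_tmp_files` to directories and symlinks, so its summary (`Create, read, write, and delete RPM script temporary files.`, partly outside the hunk) should mention directories and symlinks as well.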
@@ -289,3 +368,137 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') + + +######################################## +## +## Allow application to transition to rpm_script domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_transition_script',` + gen_require(` + type rpm_script_t; + ') + + allow $1 rpm_script_t:process transition; + + allow $1 rpm_script_t:fd use; + allow rpm_script_t $1:fd use; + allow rpm_script_t $1:fifo_file rw_fifo_file_perms; + allow rpm_script_t $1:process sigchld; +') + +######################################## +## +## allow domain to read, +## write RPM tmp files +## +## +## +## Domain to not audit. +## +## +# +interface(`rpm_rw_tmp_files',` + gen_require(` + type rpm_tmp_t; + ') + + allow $1 rpm_tmp_t:file rw_file_perms; +') + +######################################## +## +## Do not audit attempts to read, +## write RPM tmp files +## +## +## +## Domain to not audit. +## +## +# +interface(`rpm_dontaudit_rw_tmp_files',` + gen_require(` + type rpm_tmp_t; + ') + + dontaudit $1 rpm_tmp_t:file rw_file_perms; +') + +######################################## +## +## Do not audit attempts to read, +## write RPM shm +## +## +## +## Domain to not audit. +## +## +# +interface(`rpm_dontaudit_rw_shm',` + gen_require(` + type rpm_t; + ') + + dontaudit $1 rpm_t:shm rw_shm_perms; +') + +######################################## +## +## Read/write rpm tmpfs files. +## +## +##

+## Read/write rpm tmpfs files. +##

+##
+## +## +## Domain allowed access. +## +## +# +interface(`rpm_rw_tmpfs_files',` + gen_require(` + type rpm_tmpfs_t; + ') + + fs_search_tmpfs($1) + allow $1 rpm_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1,rpm_tmpfs_t,rpm_tmpfs_t) + read_lnk_files_pattern($1,rpm_tmpfs_t,rpm_tmpfs_t) +') + +######################################## +## +## Transition to system_r when execute an rpm script +## +## +##

+## Execute rpm script in a specified role +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+##
+## +## +## Role to transition from. +## +## +interface(`rpm_role_transition',` + gen_require(` + type rpm_exec_t; + ') + + role_transition $1 rpm_exec_t system_r; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.2.7/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2007-12-19 05:32:18.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/admin/rpm.te 2008-02-13 16:57:15.000000000 -0500 @@ -179,7 +179,17 @@ ') optional_policy(` - hal_dbus_chat(rpm_t) + optional_policy(` + hal_dbus_chat(rpm_t) + ') + + optional_policy(` + networkmanager_dbus_chat(rpm_t) + ') + + optional_policy(` + dbus_system_domain(rpm_t,rpm_exec_t) + ') ') optional_policy(` @@ -190,6 +200,7 @@ unconfined_domain(rpm_t) # yum-updatesd requires this unconfined_dbus_chat(rpm_t) + unconfined_dbus_chat(rpm_script_t) ') ifdef(`TODO',` @@ -216,7 +227,7 @@ # allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; -allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; allow rpm_script_t self:unix_dgram_socket create_socket_perms; @@ -317,6 +328,7 @@ seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) +seutil_domtrans_setsebool(rpm_script_t) userdom_use_all_users_fds(rpm_script_t) 
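Review bot: In the new `rpm_role_transition` interface the `gen_require` block lists only `type rpm_exec_t;` although the body names `system_r`, so the role should be required too (`role system_r;`); its summary also says the transition happens when executing an rpm script, while the rule fires on `rpm_exec_t`, i.e. on rpm itself, so either the text or the type needs aligning. In the same hunk `rpm_rw_tmp_files` documents its parameter as `Domain to not audit.` although it is an `allow` interface (that wording belongs to `rpm_dontaudit_rw_tmp_files` just below it); `Domain allowed access.` is the phrasing the other new interfaces use. `rpm_role_transition` is additionally missing the `#` line that separates the doc block from the interface everywhere else in this hunk.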
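Review bot: Removing `execmem` and `execstack` from the `~{ … }` set on the `allow rpm_script_t self:process` line grants rpm scriptlets writable-and-executable memory and an executable stack, with no comment on which scriptlets need it. Since the `@@ -342` hunk of this file also adds `unconfined_execmem_domtrans(rpm_script_t)`, it is unclear whether the direct grant is still required or whether the transition alone would cover the case; if a particular package's scriptlet triggers this, naming it in a comment (`# <package name> scriptlets need execmem/execstack`, placeholder to fill in) would let the grant be revisited. Keeping `execheap` in the denied set while allowing the other two looks deliberate but is worth stating explicitly, so a later edit does not "complete" the set.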
@@ -342,6 +354,7 @@ optional_policy(` unconfined_domain(rpm_script_t) unconfined_domtrans(rpm_script_t) + unconfined_execmem_domtrans(rpm_script_t) optional_policy(` java_domtrans(rpm_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.2.7/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2007-12-04 11:02:51.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/admin/sudo.if 2008-02-13 16:57:15.000000000 -0500 @@ -55,7 +55,7 @@ # # Use capabilities. - allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource }; + allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_sudo_t self:process { setexec setrlimit }; allow $1_sudo_t self:fd use; 
@@ -68,33 +68,32 @@ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; allow $1_sudo_t self:unix_dgram_socket sendto; allow $1_sudo_t self:unix_stream_socket connectto; - allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; # Enter this derived domain from the user domain domtrans_pattern($2, sudo_exec_t, $1_sudo_t) # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_sudo_t,$2) + corecmd_bin_domtrans($1_sudo_t,$2) allow $2 $1_sudo_t:fd use; allow $2 $1_sudo_t:fifo_file rw_file_perms; allow $2 $1_sudo_t:process sigchld; kernel_read_kernel_sysctls($1_sudo_t) kernel_read_system_state($1_sudo_t) - kernel_search_key($1_sudo_t) dev_read_urand($1_sudo_t) fs_search_auto_mountpoints($1_sudo_t) fs_getattr_xattr_fs($1_sudo_t) - auth_domtrans_chk_passwd($1_sudo_t) + auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t }) # sudo stores a token in the pam_pid directory auth_manage_pam_pid($1_sudo_t) auth_use_nsswitch($1_sudo_t) corecmd_read_bin_symlinks($1_sudo_t) - corecmd_getattr_all_executables($1_sudo_t) + corecmd_exec_all_executables($1_sudo_t) domain_use_interactive_fds($1_sudo_t) domain_sigchld_interactive_fds($1_sudo_t) 
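Review bot: The comment `# By default, revert to the calling domain when a shell is executed.` now sits above both `corecmd_shell_domtrans($1_sudo_t,$2)` and the new `corecmd_bin_domtrans($1_sudo_t,$2)`, so it under-describes the rule: any bin_t program, not only a shell, now sends $1_sudo_t back to the caller's domain. Suggest `# By default, revert to the calling domain when a shell or any bin_t program is executed.` The new `corecmd_exec_all_executables($1_sudo_t)` in the same hunk appears to keep execution inside $1_sudo_t for executable types that are not bin_t, so these two rules together decide which helpers retain sudo's `setuid`/`dac_override` capabilities; one line explaining that split would help. The template continues outside the hunk.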
@@ -106,32 +105,36 @@ files_getattr_usr_files($1_sudo_t) # for some PAM modules and for cwd files_dontaudit_search_home($1_sudo_t) + files_list_tmp($1_sudo_t) init_rw_utmp($1_sudo_t) libs_use_ld_so($1_sudo_t) libs_use_shared_libs($1_sudo_t) + logging_send_audit_msgs($1_sudo_t) logging_send_syslog_msg($1_sudo_t) miscfiles_read_localization($1_sudo_t) + mta_per_role_template($1, $1_sudo_t, $3) + userdom_manage_user_home_content_files($1,$1_sudo_t) userdom_manage_user_home_content_symlinks($1,$1_sudo_t) userdom_manage_user_tmp_files($1,$1_sudo_t) userdom_manage_user_tmp_symlinks($1,$1_sudo_t) + userdom_exec_user_home_content_files($1,$1_sudo_t) userdom_use_user_terminals($1,$1_sudo_t) userdom_use_unpriv_users_fds($1_sudo_t) # for some PAM modules and for cwd userdom_dontaudit_search_all_users_home_content($1_sudo_t) - ifdef(`TODO',` - # for when the network connection is killed - dontaudit unpriv_userdomain $1_sudo_t:process signal; - - ifdef(`mta.te', ` - domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t) - ') - - ') dnl end TODO + domain_role_change_exemption($1_sudo_t) + userdom_spec_domtrans_all_users($1_sudo_t) + selinux_validate_context($1_sudo_t) + selinux_compute_relabel_context($1_sudo_t) + term_use_all_user_ttys($1_sudo_t) + term_use_all_user_ptys($1_sudo_t) + term_relabel_all_user_ttys($1_sudo_t) + term_relabel_all_user_ptys($1_sudo_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.2.7/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2007-10-12 08:56:09.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/admin/su.if 2008-02-13 16:57:15.000000000 -0500 
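Review bot: The new `domain_role_change_exemption($1_sudo_t)` and `userdom_spec_domtrans_all_users($1_sudo_t)` lines let every role's sudo domain transition into any user domain and change role, the widest grant in this template, yet they arrive without a comment, whereas the removed `ifdef(`TODO'…)` block at least said what its rules were for. If these back sudo's role/type selection options, say so above the group, e.g. `# sudo -r/-t: switch to the requested role and domain via the user domain transition`, so the grant reads as deliberate rather than a denial chase. `mta_per_role_template($1, $1_sudo_t, $3)` is also invoked with the same prefix the user's own per-role template presumably already used; if that template declares per-prefix types rather than aliasing them, this would declare them twice, which is worth confirming. The `selinux_validate_context`/`selinux_compute_relabel_context` pair and the `term_relabel_all_user_*` calls look like tty relabeling support; one comment naming that would cover all four.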
@@ -41,15 +41,13 @@ allow $2 $1_su_t:process signal; - allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; + allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; dontaudit $1_su_t self:capability sys_tty_config; allow $1_su_t self:key { search write }; allow $1_su_t self:process { setexec setsched setrlimit }; allow $1_su_t self:fifo_file rw_fifo_file_perms; - allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; allow $1_su_t self:unix_stream_socket create_stream_socket_perms; - # Transition from the user domain to this domain. domtrans_pattern($2, su_exec_t, $1_su_t) # By default, revert to the calling domain when a shell is executed. @@ -89,6 +87,7 @@ libs_use_ld_so($1_su_t) libs_use_shared_libs($1_su_t) + logging_send_audit_msgs($1_su_t) logging_send_syslog_msg($1_su_t) miscfiles_read_localization($1_su_t) @@ -112,6 +111,10 @@ userdom_spec_domtrans_unpriv_users($1_su_t) ') + # Deal with unconfined_terminals. + term_use_all_user_ttys($1_su_t) + term_use_all_user_ptys($1_su_t) + optional_policy(` cron_read_pipes($1_su_t) ') @@ -119,11 +122,6 @@ optional_policy(` kerberos_use($1_su_t) ') - - ifdef(`TODO',` - # Caused by su - init scripts - dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; - ') dnl end TODO ') ####################################### 
@@ -172,13 +170,12 @@ domain_interactive_fd($1_su_t) role $3 types $1_su_t; - allow $2 $1_su_t:process signal; + allow $2 $1_su_t:process { getsched signal }; - allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; + allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; dontaudit $1_su_t self:capability sys_tty_config; - allow $1_su_t self:process { setexec setsched setrlimit }; + allow $1_su_t self:process { getsched setexec setsched setrlimit }; allow $1_su_t self:fifo_file rw_fifo_file_perms; - allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; allow $1_su_t self:key { search write }; # Transition from the user domain to this domain. @@ -188,7 +185,7 @@ corecmd_shell_domtrans($1_su_t,$2) allow $2 $1_su_t:fd use; allow $2 $1_su_t:fifo_file rw_file_perms; - allow $2 $1_su_t:process sigchld; + allow $2 $1_su_t:process { getsched signal sigchld }; kernel_read_system_state($1_su_t) kernel_read_kernel_sysctls($1_su_t) @@ -203,15 +200,15 @@ # needed for pam_rootok selinux_compute_access_vector($1_su_t) - auth_domtrans_user_chk_passwd($1,$1_su_t) + auth_run_chk_passwd($1_su_t, $3, { $1_tty_device_t $1_devpts_t }) auth_dontaudit_read_shadow($1_su_t) auth_use_nsswitch($1_su_t) - auth_rw_faillog($1_su_t) - corecmd_search_bin($1_su_t) + corecmd_exec_bin($1_su_t) domain_use_interactive_fds($1_su_t) + files_read_usr_symlinks($1_su_t) files_read_etc_files($1_su_t) files_read_etc_runtime_files($1_su_t) files_search_var_lib($1_su_t) 
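Review bot: Replacing `corecmd_search_bin($1_su_t)` with `corecmd_exec_bin($1_su_t)` lets $1_su_t run any bin_t program without leaving the domain, and the capability line earlier in this hunk set gives that domain `setuid setgid net_bind_service chown dac_override fowner` and more, so whatever helper su execs this way inherits them; `corecmd_shell_domtrans($1_su_t,$2)` still sends shells back to the caller, but non-shell bin_t programs now stay in $1_su_t. A comment naming the program that needs this (or a narrower `*_exec` interface if one exists for it) would keep the grant reviewable. The same hunk drops `auth_rw_faillog($1_su_t)` without explanation; if faillog handling now happens in the domain reached through `auth_run_chk_passwd`, a short note to that effect would stop it being re-added on the next denial. The template's body continues outside the hunk.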
@@ -226,12 +223,14 @@ libs_use_ld_so($1_su_t) libs_use_shared_libs($1_su_t) + logging_send_audit_msgs($1_su_t) logging_send_syslog_msg($1_su_t) miscfiles_read_localization($1_su_t) - userdom_use_user_terminals($1,$1_su_t) + userdom_search_sysadm_home_dirs($1_su_t) userdom_search_user_home_dirs($1,$1_su_t) + userdom_use_user_terminals($1,$1_su_t) ifdef(`distro_rhel4',` domain_role_change_exemption($1_su_t) @@ -295,13 +294,7 @@ xserver_domtrans_user_xauth($1, $1_su_t) ') - ifdef(`TODO',` - allow $1_su_t $1_home_t:file manage_file_perms; - - # Access sshd cookie files. - allow $1_su_t sshd_tmp_t:file rw_file_perms; - file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t) - ') dnl end TODO + userdom_search_all_users_home_dirs($1_su_t) ') ####################################### diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.2.7/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2007-10-02 09:54:52.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/admin/tmpreaper.te 2008-02-13 16:57:15.000000000 -0500 @@ -28,6 +28,7 @@ files_purge_tmp(tmpreaper_t) # why does it need setattr? files_setattr_all_tmp_dirs(tmpreaper_t) +files_dontaudit_getattr_lost_found_dirs(tmpreaper_t) mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) 
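Review bot: `userdom_search_sysadm_home_dirs($1_su_t)` in the `@@ -226` hunk and `userdom_search_all_users_home_dirs($1_su_t)` in the `@@ -295` hunk of the same template look redundant: if the all-users interface covers the sysadm home directory type, the first call can go; if it does not, a comment saying so would keep the next reader from removing one of them. The `@@ -295` hunk also replaces a TODO block that at least explained its sshd cookie-file rules with a bare interface call; carrying over a one-line reason in the style of the comments this file already uses would preserve that context. The template continues outside the hunk.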
@@ -42,6 +43,19 @@ cron_system_entry(tmpreaper_t,tmpreaper_exec_t) +userdom_delete_all_users_home_content_dirs(tmpreaper_t) +userdom_delete_all_users_home_content_files(tmpreaper_t) +userdom_delete_all_users_home_content_symlinks(tmpreaper_t) + +optional_policy(` + amavis_manage_spool_files(tmpreaper_t) +') + +optional_policy(` + kismet_manage_log(tmpreaper_t) +') + optional_policy(` lpd_manage_spool(tmpreaper_t) ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.2.7/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-12-19 05:32:18.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/admin/usermanage.te 2008-02-13 16:57:15.000000000 -0500 @@ -97,6 +97,7 @@ # allow checking if a shell is executable corecmd_check_exec_shell(chfn_t) +corecmd_exec_bin(chfn_t) domain_use_interactive_fds(chfn_t) @@ -290,6 +291,7 @@ term_use_all_user_ttys(passwd_t) term_use_all_user_ptys(passwd_t) +auth_domtrans_chk_passwd(passwd_t) auth_manage_shadow(passwd_t) auth_relabel_shadow(passwd_t) auth_etc_filetrans_shadow(passwd_t) @@ -309,6 +311,7 @@ # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) +init_use_fds(passwd_t) libs_use_ld_so(passwd_t) libs_use_shared_libs(passwd_t) @@ -518,6 +521,12 @@ ') optional_policy(` + tunable_policy(`samba_domain_controller',` + samba_append_log(useradd_t) + ') +') + +optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.fc serefpolicy-3.2.7/policy/modules/admin/vpn.fc --- nsaserefpolicy/policy/modules/admin/vpn.fc 2006-11-16 17:15:26.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/admin/vpn.fc 2008-02-13 16:57:15.000000000 -0500 
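Review bot: The three `userdom_delete_all_users_home_content_*` calls give tmpreaper_t, a cron-driven cleaner of temporary directories, the right to delete directories, files and symlinks of every user's home content type wherever it can reach them, and the hunk gives no reason. If this is because home-content-labeled files end up under /tmp (a guess; the hunk does not say), state it above the group, e.g. `# users leave home-content-labeled files under /tmp; tmpreaper must be able to remove them`, and consider whether a delete right scoped to tmp locations would do instead of the whole home-content set. The `# why does it need setattr?` comment in the `@@ -28` hunk shows this file already records such questions, and this broader, destructive grant deserves the same treatment. The trailing blank `+` line at end of file looks unintended.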
@@ -7,3 +7,5 @@ # sbin # /sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) + +/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.2.7/policy/modules/admin/vpn.if --- nsaserefpolicy/policy/modules/admin/vpn.if 2007-01-02 12:57:51.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/admin/vpn.if 2008-02-13 16:57:15.000000000 -0500 @@ -67,3 +67,25 @@ allow $1 vpnc_t:process signal; ') + +######################################## +## +## Send and receive messages from +## Vpnc over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`vpnc_dbus_chat',` + gen_require(` + type vpnc_t; + class dbus send_msg; + ') + + allow $1 vpnc_t:dbus send_msg; + allow vpnc_t $1:dbus send_msg; +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.2.7/policy/modules/admin/vpn.te --- nsaserefpolicy/policy/modules/admin/vpn.te 2007-12-19 05:32:18.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/admin/vpn.te 2008-02-13 16:57:15.000000000 -0500 @@ -22,10 +22,9 @@ # Local policy # -allow vpnc_t self:capability { net_admin ipc_lock net_raw }; +allow vpnc_t self:capability { dac_override net_admin ipc_lock net_raw }; allow vpnc_t self:process getsched; allow vpnc_t self:fifo_file { getattr ioctl read write }; -allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; allow vpnc_t self:tcp_socket create_stream_socket_perms; allow vpnc_t self:udp_socket create_socket_perms; allow vpnc_t self:rawip_socket create_socket_perms; 
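Review bot: Adding `dac_override` to vpnc_t's capability line is the broadest of the four capabilities there, since it bypasses DAC permission checks on every file, and nothing in the hunk says which access vpnc failed. If it only needs to read a root-owned file after dropping privileges, `dac_read_search` is the narrower choice; if a write is involved, a comment naming the path (`# dac_override: vpnc writes <path> as an unprivileged uid`, placeholder to fill in) keeps the grant reviewable. Dropping the `netlink_route_socket` rule here is consistent with the `@@ -92` hunk switching to `sysnet_domtrans_ifconfig(vpnc_t)`, so route changes now happen in the ifconfig domain; saying so next to the removal would help whoever next sees a route denial from vpnc.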
@@ -38,8 +37,9 @@ manage_files_pattern(vpnc_t,vpnc_tmp_t,vpnc_tmp_t) files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir }) +manage_dirs_pattern(vpnc_t,vpnc_var_run_t,vpnc_var_run_t) manage_files_pattern(vpnc_t,vpnc_var_run_t,vpnc_var_run_t) -files_pid_filetrans(vpnc_t,vpnc_var_run_t,file) +files_pid_filetrans(vpnc_t,vpnc_var_run_t,{ file dir}) kernel_read_system_state(vpnc_t) kernel_read_network_state(vpnc_t) @@ -59,6 +59,7 @@ corenet_udp_bind_all_nodes(vpnc_t) corenet_udp_bind_generic_port(vpnc_t) corenet_udp_bind_isakmp_port(vpnc_t) +corenet_udp_bind_ipsecnat_port(vpnc_t) corenet_tcp_connect_all_ports(vpnc_t) corenet_sendrecv_all_client_packets(vpnc_t) corenet_sendrecv_isakmp_server_packets(vpnc_t) @@ -69,6 +70,8 @@ dev_read_urand(vpnc_t) dev_read_sysfs(vpnc_t) +domain_use_interactive_fds(vpnc_t) + fs_getattr_xattr_fs(vpnc_t) fs_getattr_tmpfs(vpnc_t) @@ -92,13 +95,14 @@ locallogin_use_fds(vpnc_t) logging_send_syslog_msg(vpnc_t) +logging_dontaudit_search_logs(vpnc_t) miscfiles_read_localization(vpnc_t) seutil_dontaudit_search_config(vpnc_t) seutil_use_newrole_fds(vpnc_t) -sysnet_exec_ifconfig(vpnc_t) +sysnet_domtrans_ifconfig(vpnc_t) sysnet_etc_filetrans_config(vpnc_t) sysnet_manage_config(vpnc_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.2.7/policy/modules/apps/ethereal.fc --- nsaserefpolicy/policy/modules/apps/ethereal.fc 2007-10-12 08:56:02.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/apps/ethereal.fc 2008-02-13 16:57:15.000000000 -0500 
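Review bot: `files_pid_filetrans(vpnc_t,vpnc_var_run_t,{ file dir})` is missing the space before the closing brace; the `files_tmp_filetrans` line two lines above writes the same set as `{ file dir }`, so this should read `files_pid_filetrans(vpnc_t,vpnc_var_run_t,{ file dir })`. The new `/var/run/vpnc(/.*)?` entry in vpn.fc (`@@ -7`), the `manage_dirs_pattern` added here and this dir transition only make sense together; a comment on the fc entry saying vpnc creates that directory at runtime would tie the three changes.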
@@ -1,4 +1,4 @@ -HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ROLE_ethereal_home_t,s0) +HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:user_ethereal_home_t,s0) /usr/sbin/ethereal.* -- gen_context(system_u:object_r:ethereal_exec_t,s0) /usr/sbin/tethereal.* -- gen_context(system_u:object_r:tethereal_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.if serefpolicy-3.2.7/policy/modules/apps/ethereal.if --- nsaserefpolicy/policy/modules/apps/ethereal.if 2007-07-23 10:20:12.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/apps/ethereal.if 2008-02-13 16:57:15.000000000 -0500 @@ -35,6 +35,7 @@ template(`ethereal_per_role_template',` gen_require(` + type user_ethereal_home_t, user_ethereal_tmp_t; type ethereal_exec_t; ') @@ -48,12 +49,10 @@ application_domain($1_ethereal_t,ethereal_exec_t) role $3 types $1_ethereal_t; - type $1_ethereal_home_t alias $1_ethereal_rw_t; - files_poly_member($1_ethereal_home_t) - userdom_user_home_content($1,$1_ethereal_home_t) - - type $1_ethereal_tmp_t; - files_tmp_file($1_ethereal_tmp_t) + ifelse(`$1',`user',`',` + typealias user_ethereal_home_t alias $1_ethereal_home_t; + typealias user_ethereal_tmp_t alias $1_ethereal_tmp_t; + ') type $1_ethereal_tmpfs_t; files_tmpfs_file($1_ethereal_tmpfs_t) 
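Review bot: The `ifelse(`$1',`user',…)` block in `ethereal_per_role_template` replaces the per-role home types with aliases of a single `user_ethereal_home_t`, so staff, sysadm and every other role's ethereal home content now share one type and any rule written for one role's capture files applies to all of them; the old `$1_ethereal_home_t` names survive only as aliases. That collapse of per-role separation may well be intended, but the hunk does not say so; a comment above the `ifelse` (`# all roles share user_ethereal_home_t; the per-role names are kept as aliases for compatibility`) would make the intent visible. The same pattern is applied in gift.if (`@@ -43`), gnome.if (`@@ -33`, `@@ -47`) and the matching .fc files, and deserves the same comment in each. The template continues outside the hunk.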
@@ -152,28 +151,11 @@ nscd_socket_use($1_ethereal_t) ') - # Manual transition from userhelper - optional_policy(` - userhelper_use_user_fd($1,$1_ethereal_t) - userhelper_sigchld_user($1,$1_ethereal_t) - ') - optional_policy(` xserver_user_client_template($1,$1_ethereal_t,$1_ethereal_tmpfs_t) xserver_create_xdm_tmp_sockets($1_ethereal_t) ') - ifdef(`TODO',` - # Why does it write this? - optional_policy(` - dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write; - ') - #TODO - gnome_application($1_ethereal, $1) - gnome_file_dialog($1_ethereal, $1) - # FIXME: policy is incomplete - ') - ') ####################################### diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.2.7/policy/modules/apps/ethereal.te --- nsaserefpolicy/policy/modules/apps/ethereal.te 2007-12-19 05:32:09.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/apps/ethereal.te 2008-02-13 16:57:15.000000000 -0500 @@ -16,6 +16,13 @@ type tethereal_tmp_t; files_tmp_file(tethereal_tmp_t) +type user_ethereal_home_t; +files_poly_member(user_ethereal_home_t) +userdom_user_home_content(user,user_ethereal_home_t) + +type user_ethereal_tmp_t; +files_tmp_file(user_ethereal_tmp_t) + ######################################## # # Tethereal policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolution.fc serefpolicy-3.2.7/policy/modules/apps/evolution.fc --- nsaserefpolicy/policy/modules/apps/evolution.fc 2007-10-12 08:56:02.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/apps/evolution.fc 2008-02-13 16:57:15.000000000 -0500 
@@ -2,13 +2,13 @@ # HOME_DIR/ # -HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:ROLE_evolution_home_t,s0) -HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:ROLE_evolution_home_t,s0) +HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:user_evolution_home_t,s0) +HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:user_evolution_home_t,s0) # # /tmp # -/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:ROLE_evolution_exchange_tmp_t,s0) +/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:user_evolution_exchange_tmp_t,s0) # # /usr diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.fc serefpolicy-3.2.7/policy/modules/apps/gift.fc --- nsaserefpolicy/policy/modules/apps/gift.fc 2007-10-12 08:56:02.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/apps/gift.fc 2008-02-13 16:57:15.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:ROLE_gift_home_t,s0) +HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:user_gift_home_t,s0) /usr/(local/)?bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0) /usr/(local/)?bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.if serefpolicy-3.2.7/policy/modules/apps/gift.if --- nsaserefpolicy/policy/modules/apps/gift.if 2007-07-23 10:20:12.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/apps/gift.if 2008-02-13 16:57:15.000000000 -0500 @@ -43,9 +43,9 @@ application_domain($1_gift_t,gift_exec_t) role $3 types $1_gift_t; - type $1_gift_home_t alias $1_gift_rw_t; - files_poly_member($1_gift_home_t) - userdom_user_home_content($1,$1_gift_home_t) + ifelse(`$1',`user',`',` + typealias user_gift_home_t alias $1_gift_home_t; + ') type $1_gift_tmpfs_t; files_tmpfs_file($1_gift_tmpfs_t) 
@@ -67,10 +67,10 @@ manage_sock_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t) fs_tmpfs_filetrans($1_gift_t,$1_gift_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) - manage_dirs_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t) - manage_files_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t) - manage_lnk_files_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t) - userdom_user_home_dir_filetrans($1,$1_gift_t,$1_gift_home_t,dir) + manage_dirs_pattern($1_gift_t,user_gift_home_t,user_gift_home_t) + manage_files_pattern($1_gift_t,user_gift_home_t,user_gift_home_t) + manage_lnk_files_pattern($1_gift_t,user_gift_home_t,user_gift_home_t) + userdom_user_home_dir_filetrans($1,$1_gift_t,user_gift_home_t,dir) # Launch gift daemon domtrans_pattern($1_gift_t, giftd_exec_t, $1_giftd_t) @@ -79,12 +79,12 @@ domtrans_pattern($2, gift_exec_t, $1_gift_t) # user managed content - manage_dirs_pattern($2,$1_gift_home_t,$1_gift_home_t) - manage_files_pattern($2,$1_gift_home_t,$1_gift_home_t) - manage_lnk_files_pattern($2,$1_gift_home_t,$1_gift_home_t) - relabel_dirs_pattern($2,$1_gift_home_t,$1_gift_home_t) - relabel_files_pattern($2,$1_gift_home_t,$1_gift_home_t) - relabel_lnk_files_pattern($2,$1_gift_home_t,$1_gift_home_t) + manage_dirs_pattern($2,user_gift_home_t,user_gift_home_t) + manage_files_pattern($2,user_gift_home_t,user_gift_home_t) + manage_lnk_files_pattern($2,user_gift_home_t,user_gift_home_t) + relabel_dirs_pattern($2,user_gift_home_t,user_gift_home_t) + relabel_files_pattern($2,user_gift_home_t,user_gift_home_t) + relabel_lnk_files_pattern($2,user_gift_home_t,user_gift_home_t) # Allow the user domain to signal/ps. ps_process_pattern($2,$1_gift_t) 
@@ -143,10 +143,10 @@ allow $1_giftd_t self:tcp_socket create_stream_socket_perms; allow $1_giftd_t self:udp_socket create_socket_perms; - manage_dirs_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t) - manage_files_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t) - manage_lnk_files_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t) - userdom_user_home_dir_filetrans($1,$1_giftd_t,$1_gift_home_t,dir) + manage_dirs_pattern($1_giftd_t,user_gift_home_t,user_gift_home_t) + manage_files_pattern($1_giftd_t,user_gift_home_t,user_gift_home_t) + manage_lnk_files_pattern($1_giftd_t,user_gift_home_t,user_gift_home_t) + userdom_user_home_dir_filetrans($1,$1_giftd_t,user_gift_home_t,dir) domtrans_pattern($2, giftd_exec_t, $1_giftd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.te serefpolicy-3.2.7/policy/modules/apps/gift.te --- nsaserefpolicy/policy/modules/apps/gift.te 2007-12-19 05:32:09.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/apps/gift.te 2008-02-13 16:57:15.000000000 -0500 @@ -11,3 +11,7 @@ type giftd_exec_t; application_executable_file(giftd_exec_t) + +type user_gift_home_t alias user_gift_rw_t; +userdom_user_home_content(user,user_gift_home_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.2.7/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2007-10-12 08:56:02.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/apps/gnome.fc 2008-02-13 16:57:15.000000000 -0500 
@@ -1,8 +1,7 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:ROLE_gnome_home_t,s0) -HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:ROLE_gconf_home_t,s0) +HOME_DIR/.gnome2(/.*)? gen_context(system_u:object_r:user_gnome_home_t,s0) +HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:user_gnome_home_t,s0) +HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:user_gconf_home_t,s0) -/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) - -/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:ROLE_gconf_tmp_t,s0) +/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:user_gconf_tmp_t,s0) /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.2.7/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2007-07-23 10:20:12.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/apps/gnome.if 2008-02-13 16:57:15.000000000 -0500 @@ -33,9 +33,60 @@ ## # template(`gnome_per_role_template',` + + gen_require(` + type user_gnome_home_t; + ') + + ############################## + # + # Declarations + # + ifelse(`$1',`user',`',` + typealias user_gnome_home_t alias $1_gnome_home_t; + ') + + manage_dirs_pattern($2,user_gnome_home_t, user_gnome_home_t) + manage_files_pattern($2,user_gnome_home_t, user_gnome_home_t) +') + +######################################## +## +## The per role template for the gnome gconf module. +## +## +##
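Review bot: The new `HOME_DIR/.gnome2(/.*)?` entry leaves the dot unescaped, unlike the `\.config` and `\.gconf` lines next to it, so as a regex it matches any single character before `gnome2` (e.g. `HOME_DIR/xgnome2`) rather than only the hidden directory; it should be `HOME_DIR/\.gnome2(/.*)?`. Removing the `/etc/gconf(/.*)?` gconf_etc_t entry matches the gnome.if `@@ -64` hunk dropping the `gconf_etc_t` rules, but whatever label those files fall back to is then what $1_gconfd_t must be able to read; a comment on the removal naming the replacement type would prevent a surprise on the next relabel.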

+## This template creates a derived domain which is used +## for gconf sessions. +##

+##

+## This template is invoked automatically for each role, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# +template(`gnome_gconf_per_role_template',` gen_require(` type gconfd_exec_t; attribute gnomedomain; + type user_gconf_home_t, user_gconf_tmp_t; ') ############################## @@ -47,14 +98,10 @@ application_domain($1_gconfd_t, gconfd_exec_t) role $3 types $1_gconfd_t; - type $1_gconf_home_t; - userdom_user_home_content($1, $1_gconf_home_t) - - type $1_gnome_home_t; - userdom_user_home_content($1, $1_gnome_home_t) - - type $1_gconf_tmp_t; - files_tmp_file($1_gconf_tmp_t) + ifelse(`$1',`user',`',` + typealias user_gconf_home_t alias $1_gconf_home_t; + typealias user_gconf_tmp_t alias $1_gconf_tmp_t; + ') ############################## # 
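Review bot: `gnome_per_role_template` now ends with `manage_dirs_pattern($2,user_gnome_home_t, user_gnome_home_t)` and `manage_files_pattern($2,user_gnome_home_t, user_gnome_home_t)`, which duplicate exactly what `gnome_manage_user_gnome_config` grants in the `@@ -186` hunk of this file; having the template call `gnome_manage_user_gnome_config($1,$2)` instead would leave one place to change. The `# Declarations` banner now heads a block whose only declaration is the `typealias`, so the manage rules below it sit under a heading that does not describe them; either move them under their own `# Local policy` banner or drop the banner. The template's doc block lies above the hunk.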
@@ -64,22 +111,19 @@ allow $1_gconfd_t self:process getsched; allow $1_gconfd_t self:fifo_file rw_fifo_file_perms; - manage_dirs_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t) - manage_files_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t) - userdom_user_home_dir_filetrans($1, $1_gconfd_t, $1_gconf_home_t, dir) - - manage_dirs_pattern($1_gconfd_t,$1_gconf_tmp_t,$1_gconf_tmp_t) - manage_files_pattern($1_gconfd_t,$1_gconf_tmp_t,$1_gconf_tmp_t) - userdom_user_tmp_filetrans($1,$1_gconfd_t,$1_gconf_tmp_t,{ dir file }) + manage_dirs_pattern($1_gconfd_t,user_gconf_home_t,user_gconf_home_t) + manage_files_pattern($1_gconfd_t,user_gconf_home_t,user_gconf_home_t) + userdom_user_home_dir_filetrans($1, $1_gconfd_t, user_gconf_home_t, dir) + + manage_dirs_pattern($1_gconfd_t,user_gconf_tmp_t,user_gconf_tmp_t) + manage_files_pattern($1_gconfd_t,user_gconf_tmp_t,user_gconf_tmp_t) + userdom_user_tmp_filetrans($1,$1_gconfd_t,user_gconf_tmp_t,{ dir file }) domain_auto_trans($2, gconfd_exec_t, $1_gconfd_t) allow $1_gconfd_t $2:fd use; allow $1_gconfd_t $2:fifo_file write; allow $1_gconfd_t $2:unix_stream_socket connectto; - allow $1_gconfd_t gconf_etc_t:dir list_dir_perms; - read_files_pattern($1_gconfd_t,gconf_etc_t,gconf_etc_t) - ps_process_pattern($2,$1_gconfd_t) dev_read_urand($1_gconfd_t) @@ -100,7 +144,12 @@ gnome_stream_connect_gconf_template($1,$2) optional_policy(` + mozilla_stream_connect_template($1,$1_gconfd_t) + ') + + optional_policy(` nscd_dontaudit_search_pid($1_gconfd_t) + nscd_socket_use($1_gconfd_t) ') optional_policy(` 
@@ -128,20 +177,39 @@ template(`gnome_stream_connect_gconf_template',` gen_require(` type $1_gconfd_t; - type $1_gconf_tmp_t; + type user_gconf_tmp_t; ') - read_files_pattern($2,$1_gconf_tmp_t,$1_gconf_tmp_t) + read_files_pattern($2,user_gconf_tmp_t,user_gconf_tmp_t) allow $2 $1_gconfd_t:unix_stream_socket connectto; ') + +######################################## +## +## Send general signals to all gconf domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_signal_all',` + gen_require(` + attribute gnomedomain; + ') + + allow $1 gnomedomain:process signal; +') + ######################################## ## ## Run gconfd in the role-specific gconfd domain. ## ## ##

-## Run gconfd in the role-specfic gconfd domain. +## Run gconfd in the role-specific gconfd domain. ##

##

## This is a templated interface, and should only @@ -170,6 +238,30 @@ ######################################## ##
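Review bot: The new gnome_signal_all interface documents itself as "Send general signals to all gconf domains" but the rule is `allow $1 gnomedomain:process signal;`, i.e. every domain carrying the gnomedomain attribute, not only gconfd; reword the summary to `## Send general signals to all gnome domains.` so a caller knows the scope of what it grants. The enclosing gnome_stream_connect_gconf_template keeps `type $1_gconfd_t;` in its gen_require while switching the tmp type to the shared user_gconf_tmp_t, which is correct but worth a one-line comment that the gconfd domain stays per-role while its tmp type does not.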

+## read gnome homedir content (.config) +## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +# +template(`gnome_read_user_gnome_config',` + gen_require(` + type user_gnome_home_t; + ') + + read_files_pattern($2, user_gnome_home_t, user_gnome_home_t) +') + +######################################## +## ## manage gnome homedir content (.config) ## ## @@ -186,9 +278,29 @@ # template(`gnome_manage_user_gnome_config',` gen_require(` - type $1_gnome_home_t; + type user_gnome_home_t; + ') + + manage_dirs_pattern($2, user_gnome_home_t, user_gnome_home_t) + manage_files_pattern($2, user_gnome_home_t, user_gnome_home_t) +') + +######################################## +## +## Execute gconf programs in +## in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_exec_gconf',` + gen_require(` + type gconfd_exec_t; ') - allow $2 $1_gnome_home_t:dir manage_dir_perms; - allow $2 $1_gnome_home_t:file manage_file_perms; + can_exec($1, gconfd_exec_t) ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.2.7/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2007-12-19 05:32:09.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/apps/gnome.te 2008-02-13 16:57:15.000000000 -0500 
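Review bot: gnome_read_user_gnome_config is declared as a `template` with a documented `$1` prefix parameter, yet its body `read_files_pattern($2, user_gnome_home_t, user_gnome_home_t)` never uses `$1`; the same now holds for gnome_manage_user_gnome_config in the following hunk. Keeping the two-argument form is fine for call-site compatibility, but each doc block should state that the prefix is ignored and retained only for compatibility, otherwise a reader will assume the access is still scoped per role. In gnome_exec_gconf the summary reads `Execute gconf programs in in the caller domain.` — drop the duplicated `in`.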
@@ -8,8 +8,19 @@
 attribute gnomedomain;
-type gconf_etc_t;
-files_type(gconf_etc_t)
-
 type gconfd_exec_t;
 application_executable_file(gconfd_exec_t)
+
+type user_gnome_home_t;
+userdom_user_home_type(user_gnome_home_t)
+userdom_user_home_content(user, user_gnome_home_t)
+
+type user_gconf_home_t;
+userdom_user_home_content(user, user_gconf_home_t)
+
+type user_gconf_tmp_t;
+files_tmp_file(user_gconf_tmp_t)
+
+typealias user_gnome_home_t alias unconfined_gnome_home_t;
+typealias user_gconf_home_t alias unconfined_gconf_home_t;
+typealias user_gconf_tmp_t alias unconfined_gconf_tmp_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.2.7/policy/modules/apps/gpg.fc
--- nsaserefpolicy/policy/modules/apps/gpg.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.7/policy/modules/apps/gpg.fc 2008-02-13 16:57:15.000000000 -0500
@@ -1,9 +1,9 @@
-HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:user_gpg_secret_t,s0)
-/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpg2? -- gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
 /usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
-/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.2.7/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if 2007-07-23 10:20:12.000000000 -0400
+++ serefpolicy-3.2.7/policy/modules/apps/gpg.if 2008-02-13 16:57:15.000000000 -0500
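Review bot: Only user_gnome_home_t is registered with `userdom_user_home_type(user_gnome_home_t)`; user_gconf_home_t gets `userdom_user_home_content` alone. If userdom_user_home_type is what attaches a type to the generic home-content attribute consumed by the userdom_*_user_home_content_* interfaces, then domains granted those interfaces will reach ~/.config but not ~/.gconf — possibly intended, since gconf data is meant to stay private to gconfd, but not stated anywhere. Add a one-line comment above the user_gconf_home_t declaration recording which of the two is intended, or apply the same call to both types. The three `typealias ... alias unconfined_*` lines would likewise benefit from a comment explaining they exist so the unconfined module's existing references keep resolving.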
@@ -38,6 +38,10 @@
 gen_require(`
 type gpg_exec_t, gpg_helper_exec_t;
 type gpg_agent_exec_t, pinentry_exec_t;
+ type gpg_t, gpg_helper_t;
+ type gpg_agent_t, gpg_pinentry_t;
+ type user_gpg_agent_tmp_t;
+ type user_gpg_secret_t;
 ')
 ########################################
@@ -45,275 +49,53 @@ # Declarations # - type $1_gpg_t; - application_domain($1_gpg_t,gpg_exec_t) - role $3 types $1_gpg_t; - - type $1_gpg_agent_t; - application_domain($1_gpg_agent_t,gpg_agent_exec_t) - role $3 types $1_gpg_agent_t; - - type $1_gpg_agent_tmp_t; - files_tmp_file($1_gpg_agent_tmp_t) - - type $1_gpg_secret_t; - userdom_user_home_content($1,$1_gpg_secret_t) - - type $1_gpg_helper_t; - application_domain($1_gpg_helper_t,gpg_helper_exec_t) - role $3 types $1_gpg_helper_t; - - type $1_gpg_pinentry_t; - application_domain($1_gpg_pinentry_t,pinentry_exec_t) - role $3 types $1_gpg_pinentry_t; + typealias gpg_t alias $1_gpg_t; + role $3 types gpg_t; - ######################################## - # - # GPG local policy - # - - allow $1_gpg_t self:capability { ipc_lock setuid }; - allow { $2 $1_gpg_t } $1_gpg_t:process signal; - # setrlimit is for ulimit -c 0 - allow $1_gpg_t self:process { setrlimit setcap setpgid }; - - allow $1_gpg_t self:fifo_file rw_fifo_file_perms; - allow $1_gpg_t self:tcp_socket create_stream_socket_perms; - - # transition from the gpg domain to the helper domain - domtrans_pattern($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t) - - manage_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t) - manage_lnk_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t) - allow $1_gpg_t $1_gpg_secret_t:dir create_dir_perms; - userdom_user_home_dir_filetrans($1, $1_gpg_t, $1_gpg_secret_t, dir) - - # transition from the userdomain to the derived domain - domtrans_pattern($2,gpg_exec_t,$1_gpg_t) - - # allow ps to show gpg - ps_process_pattern($2,$1_gpg_t) - - corenet_all_recvfrom_unlabeled($1_gpg_t) - corenet_all_recvfrom_netlabel($1_gpg_t) - corenet_tcp_sendrecv_all_if($1_gpg_t) - corenet_udp_sendrecv_all_if($1_gpg_t) - corenet_tcp_sendrecv_all_nodes($1_gpg_t) - corenet_udp_sendrecv_all_nodes($1_gpg_t) - corenet_tcp_sendrecv_all_ports($1_gpg_t) - corenet_udp_sendrecv_all_ports($1_gpg_t) - corenet_tcp_connect_all_ports($1_gpg_t) - 
corenet_sendrecv_all_client_packets($1_gpg_t) - - dev_read_rand($1_gpg_t) - dev_read_urand($1_gpg_t) + typealias gpg_agent_t alias $1_gpg_agent_t; + role $3 types gpg_agent_t; - fs_getattr_xattr_fs($1_gpg_t) + typealias gpg_helper_t alias $1_gpg_helper_t; + role $3 types gpg_helper_t; - domain_use_interactive_fds($1_gpg_t) + typealias gpg_pinentry_t alias $1_gpg_pinentry_t; + role $3 types gpg_pinentry_t; - files_read_etc_files($1_gpg_t) - files_read_usr_files($1_gpg_t) - files_dontaudit_search_var($1_gpg_t) - - libs_use_shared_libs($1_gpg_t) - libs_use_ld_so($1_gpg_t) - - miscfiles_read_localization($1_gpg_t) - - logging_send_syslog_msg($1_gpg_t) - - sysnet_read_config($1_gpg_t) - - userdom_use_user_terminals($1,$1_gpg_t) - - optional_policy(` - nis_use_ypbind($1_gpg_t) + ifelse(`$1',`user',`',` + typealias user_gpg_agent_tmp_t alias $1_gpg_agent_tmp_t; + typealias user_gpg_secret_t alias $1_gpg_secret_t; ') - ifdef(`TODO',` - # Read content to encrypt/decrypt/sign - read_content($1_gpg_t, $1) - - # Write content to encrypt/decrypt/sign - write_trusted($1_gpg_t, $1) - ') dnl end TODO - - ######################################## - # - # GPG helper local policy - # - - # for helper programs (which automatically fetch keys) - # Note: this is only tested with the hkp interface. If you use eg the - # mail interface you will likely need additional permissions. 
- - allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms; - allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms }; - allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms }; - - # communicate with the user - allow $1_gpg_helper_t $2:fd use; - allow $1_gpg_helper_t $2:fifo_file write; - - dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read; - - corenet_all_recvfrom_unlabeled($1_gpg_helper_t) - corenet_all_recvfrom_netlabel($1_gpg_helper_t) - corenet_tcp_sendrecv_all_if($1_gpg_helper_t) - corenet_raw_sendrecv_all_if($1_gpg_helper_t) - corenet_udp_sendrecv_all_if($1_gpg_helper_t) - corenet_tcp_sendrecv_all_nodes($1_gpg_helper_t) - corenet_udp_sendrecv_all_nodes($1_gpg_helper_t) - corenet_raw_sendrecv_all_nodes($1_gpg_helper_t) - corenet_tcp_sendrecv_all_ports($1_gpg_helper_t) - corenet_udp_sendrecv_all_ports($1_gpg_helper_t) - corenet_tcp_bind_all_nodes($1_gpg_helper_t) - corenet_udp_bind_all_nodes($1_gpg_helper_t) - corenet_tcp_connect_all_ports($1_gpg_helper_t) - - dev_read_urand($1_gpg_helper_t) - - files_read_etc_files($1_gpg_helper_t) - # for nscd - files_dontaudit_search_var($1_gpg_helper_t) - - libs_use_ld_so($1_gpg_helper_t) - libs_use_shared_libs($1_gpg_helper_t) - - sysnet_read_config($1_gpg_helper_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_dontaudit_rw_nfs_files($1_gpg_helper_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_dontaudit_rw_cifs_files($1_gpg_helper_t) - ') - - optional_policy(` - xserver_use_xdm_fds($1_gpg_t) - xserver_rw_xdm_pipes($1_gpg_t) - ') - - ######################################## - # - # GPG agent local policy - # - - # rlimit: gpg-agent wants to prevent coredumps - allow $1_gpg_agent_t self:process setrlimit; + # transition from the userdomain to the derived domain + domtrans_pattern($2,gpg_exec_t,gpg_t) - allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ; - allow $1_gpg_agent_t self:fifo_file rw_fifo_file_perms; + # Transition from the user 
domain to the derived domain. + domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t) - # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) - manage_dirs_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t) - manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t) - manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t) + allow $2 gpg_t:process signal_perms; - # allow gpg to connect to the gpg agent - stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t) + # allow ps to show gpg + ps_process_pattern($2,gpg_t) # allow ps to show gpg-agent ps_process_pattern($2,$1_gpg_agent_t) # Allow the user shell to signal the gpg-agent program. - allow $2 $1_gpg_agent_t:process { signal sigkill }; - - manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t) - manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t) - manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t) - files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir }) - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t) - - corecmd_search_bin($1_gpg_agent_t) - - domain_use_interactive_fds($1_gpg_agent_t) - - libs_use_ld_so($1_gpg_agent_t) - libs_use_shared_libs($1_gpg_agent_t) - - miscfiles_read_localization($1_gpg_agent_t) + allow $2 gpg_agent_t:process signal_perms; + userdom_use_user_terminals($1,gpg_t) # Write to the user domain tty. 
- userdom_use_user_terminals($1,$1_gpg_agent_t) - # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) - userdom_search_user_home_dirs($1,$1_gpg_agent_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_gpg_agent_t) - fs_manage_nfs_files($1_gpg_agent_t) - fs_manage_nfs_symlinks($1_gpg_agent_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_gpg_agent_t) - fs_manage_cifs_files($1_gpg_agent_t) - fs_manage_cifs_symlinks($1_gpg_agent_t) - ') - - ############################## - # - # Pinentry local policy - # - - allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; - allow $1_gpg_pinentry_t self:fifo_file rw_fifo_file_perms; - - # we need to allow gpg-agent to call pinentry so it can get the passphrase - # from the user. - domtrans_pattern($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t) - - # read /proc/meminfo - kernel_read_system_state($1_gpg_pinentry_t) - - files_read_usr_files($1_gpg_pinentry_t) - # read /etc/X11/qtrc - files_read_etc_files($1_gpg_pinentry_t) - - libs_use_ld_so($1_gpg_pinentry_t) - libs_use_shared_libs($1_gpg_pinentry_t) - - miscfiles_read_fonts($1_gpg_pinentry_t) - miscfiles_read_localization($1_gpg_pinentry_t) - - # for .Xauthority - userdom_read_user_home_content_files($1,$1_gpg_pinentry_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files($1_gpg_pinentry_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files($1_gpg_pinentry_t) - ') - - optional_policy(` - xserver_stream_connect_xdm_xserver($1_gpg_pinentry_t) - ') + userdom_use_user_terminals($1,gpg_agent_t) - ifdef(`TODO',` - allow $1_gpg_pinentry_t tmp_t:dir { getattr search }; - - # wants to put some lock files into the user home dir, seems to work fine without - dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write }; - dontaudit $1_gpg_pinentry_t $1_home_t:file write; - - tunable_policy(`use_nfs_home_dirs',` - dontaudit $1_gpg_pinentry_t 
nfs_t:dir write; - dontaudit $1_gpg_pinentry_t nfs_t:file write; - ') + # communicate with the user + allow gpg_helper_t $2:fd use; + allow gpg_helper_t $2:fifo_file rw_fifo_file_perms; - tunable_policy(`use_samba_home_dirs',` - dontaudit $1_gpg_pinentry_t cifs_t:dir write; - dontaudit $1_gpg_pinentry_t cifs_t:file write; - ') + userdom_manage_user_home_content_files(user, gpg_helper_t) - dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search }; - ') dnl end TODO + manage_dirs_pattern($2,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t) + manage_files_pattern($2,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t) + manage_sock_files_pattern($2,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t) ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.2.7/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2007-12-19 05:32:09.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/apps/gpg.te 2008-02-13 16:57:15.000000000 -0500 
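Review bot: `userdom_manage_user_home_content_files(user, gpg_helper_t)` gives the network key-fetch helper — the domain the old template deliberately kept away from key material with `dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;`, a rule the gpg.te hunk still carries as `dontaudit gpg_helper_t user_gpg_secret_t:file read;` — create and write access to the user's home-content files, and if that interface is attribute-based it may reach user_gpg_secret_t itself. The helper only needs to reach keyservers and hand results back to gpg over the inherited descriptors (`allow gpg_helper_t $2:fd use;` just above), so this looks far broader than needed; if a concrete denial motivated it, narrow it to the specific type and add a comment naming the use case. The line also sits inside the per-role template with a literal `user` instead of `$1`, so it is emitted identically once per role; it belongs in gpg.te next to the other gpg_helper_t rules. Finally, `domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t)` and `ps_process_pattern($2,$1_gpg_agent_t)` still use the alias while the surrounding lines use `gpg_agent_t` — use the real type name consistently.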
@@ -7,15 +7,232 @@ # # Type for gpg or pgp executables. +type gpg_t; type gpg_exec_t; +application_domain(gpg_t,gpg_exec_t) + +type gpg_helper_t; type gpg_helper_exec_t; -application_executable_file(gpg_exec_t) -application_executable_file(gpg_helper_exec_t) +application_domain(gpg_helper_t,gpg_helper_exec_t) # Type for the gpg-agent executable. +type gpg_agent_t; type gpg_agent_exec_t; -application_executable_file(gpg_agent_exec_t) +application_domain(gpg_agent_t,gpg_agent_exec_t) # type for the pinentry executable +type gpg_pinentry_t; type pinentry_exec_t; -application_executable_file(pinentry_exec_t) +application_domain(gpg_pinentry_t,pinentry_exec_t) + +type user_gpg_agent_tmp_t; +files_tmp_file(user_gpg_agent_tmp_t) + +type user_gpg_secret_t; +userdom_user_home_content(user,user_gpg_secret_t) + +######################################## +# +# GPG local policy +# + +allow gpg_t self:capability { ipc_lock setuid }; +allow gpg_t gpg_t:process signal; +# setrlimit is for ulimit -c 0 +allow gpg_t self:process { setrlimit setcap setpgid }; + +allow gpg_t self:fifo_file rw_fifo_file_perms; +allow gpg_t self:tcp_socket create_stream_socket_perms; + +manage_files_pattern(gpg_t,user_gpg_secret_t,user_gpg_secret_t) +manage_lnk_files_pattern(gpg_t,user_gpg_secret_t,user_gpg_secret_t) +allow gpg_t user_gpg_secret_t:dir create_dir_perms; +userdom_user_home_dir_filetrans(user, gpg_t, user_gpg_secret_t, dir) +userdom_manage_user_home_content_files(user,gpg_t) +userdom_manage_user_tmp_files(user,gpg_t) + +# transition from the gpg domain to the helper domain +domtrans_pattern(gpg_t,gpg_helper_exec_t,gpg_helper_t) + +corenet_all_recvfrom_unlabeled(gpg_t) +corenet_all_recvfrom_netlabel(gpg_t) +corenet_tcp_sendrecv_all_if(gpg_t) +corenet_udp_sendrecv_all_if(gpg_t) +corenet_tcp_sendrecv_all_nodes(gpg_t) +corenet_udp_sendrecv_all_nodes(gpg_t) +corenet_tcp_sendrecv_all_ports(gpg_t) +corenet_udp_sendrecv_all_ports(gpg_t) +corenet_tcp_connect_all_ports(gpg_t) 
+corenet_sendrecv_all_client_packets(gpg_t) + +dev_read_rand(gpg_t) +dev_read_urand(gpg_t) + +fs_getattr_xattr_fs(gpg_t) +fs_list_inotifyfs(gpg_t) + +domain_use_interactive_fds(gpg_t) + +files_read_etc_files(gpg_t) +files_read_usr_files(gpg_t) +files_dontaudit_search_var(gpg_t) + +libs_use_shared_libs(gpg_t) +libs_use_ld_so(gpg_t) + +miscfiles_read_localization(gpg_t) + +logging_send_syslog_msg(gpg_t) + +sysnet_read_config(gpg_t) + +optional_policy(` + nis_use_ypbind(gpg_t) +') + +######################################## +# +# GPG helper local policy +# + +allow gpg_helper_t self:process { getsched setsched }; + +# for helper programs (which automatically fetch keys) +# Note: this is only tested with the hkp interface. If you use eg the +# mail interface you will likely need additional permissions. + +allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms; +allow gpg_helper_t self:tcp_socket { connect connected_socket_perms }; +allow gpg_helper_t self:udp_socket { connect connected_socket_perms }; + +dontaudit gpg_helper_t user_gpg_secret_t:file read; + +corenet_all_recvfrom_unlabeled(gpg_helper_t) +corenet_all_recvfrom_netlabel(gpg_helper_t) +corenet_tcp_sendrecv_all_if(gpg_helper_t) +corenet_raw_sendrecv_all_if(gpg_helper_t) +corenet_udp_sendrecv_all_if(gpg_helper_t) +corenet_tcp_sendrecv_all_nodes(gpg_helper_t) +corenet_udp_sendrecv_all_nodes(gpg_helper_t) +corenet_raw_sendrecv_all_nodes(gpg_helper_t) +corenet_tcp_sendrecv_all_ports(gpg_helper_t) +corenet_udp_sendrecv_all_ports(gpg_helper_t) +corenet_tcp_bind_all_nodes(gpg_helper_t) +corenet_udp_bind_all_nodes(gpg_helper_t) +corenet_tcp_connect_all_ports(gpg_helper_t) + +files_read_etc_files(gpg_helper_t) + +fs_list_inotifyfs(gpg_helper_t) + +auth_use_nsswitch(gpg_helper_t) + +libs_use_ld_so(gpg_helper_t) +libs_use_shared_libs(gpg_helper_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files(gpg_helper_t) +') + +tunable_policy(`use_samba_home_dirs',` + 
fs_dontaudit_rw_cifs_files(gpg_helper_t) +') + +optional_policy(` + xserver_use_xdm_fds(gpg_t) + xserver_rw_xdm_pipes(gpg_t) +') + +######################################## +# +# GPG agent local policy +# + +# rlimit: gpg-agent wants to prevent coredumps +allow gpg_agent_t self:process setrlimit; + +allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ; +allow gpg_agent_t self:fifo_file rw_fifo_file_perms; + +# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) +manage_dirs_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t) +manage_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t) +manage_lnk_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t) + +# allow gpg to connect to the gpg agent +manage_dirs_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t) +manage_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t) +manage_lnk_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t) + +stream_connect_pattern(gpg_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t,gpg_agent_t) + +manage_dirs_pattern(gpg_agent_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t) +manage_files_pattern(gpg_agent_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t) +manage_sock_files_pattern(gpg_agent_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t) +files_tmp_filetrans(gpg_agent_t, user_gpg_agent_tmp_t, { file sock_file dir }) + +corecmd_search_bin(gpg_agent_t) + +domain_use_interactive_fds(gpg_agent_t) + +libs_use_ld_so(gpg_agent_t) +libs_use_shared_libs(gpg_agent_t) + +miscfiles_read_localization(gpg_agent_t) + +# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) +userdom_search_user_home_dirs(user,gpg_agent_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(gpg_agent_t) + fs_manage_nfs_files(gpg_agent_t) + fs_manage_nfs_symlinks(gpg_agent_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(gpg_agent_t) + fs_manage_cifs_files(gpg_agent_t) + 
fs_manage_cifs_symlinks(gpg_agent_t) +') + +############################## +# +# Pinentry local policy +# + +allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; +allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; + +# we need to allow gpg-agent to call pinentry so it can get the passphrase +# from the user. +domtrans_pattern(gpg_agent_t,pinentry_exec_t,gpg_pinentry_t) + +# read /proc/meminfo +kernel_read_system_state(gpg_pinentry_t) + +files_read_usr_files(gpg_pinentry_t) +# read /etc/X11/qtrc +files_read_etc_files(gpg_pinentry_t) + +libs_use_ld_so(gpg_pinentry_t) +libs_use_shared_libs(gpg_pinentry_t) + +miscfiles_read_fonts(gpg_pinentry_t) +miscfiles_read_localization(gpg_pinentry_t) + +# for .Xauthority +userdom_read_user_home_content_files(user,gpg_pinentry_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(gpg_pinentry_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files(gpg_pinentry_t) +') + +optional_policy(` + xserver_stream_connect_xdm_xserver(gpg_pinentry_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.2.7/policy/modules/apps/irc.fc --- nsaserefpolicy/policy/modules/apps/irc.fc 2007-10-12 08:56:02.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/apps/irc.fc 2008-02-13 16:57:15.000000000 -0500 @@ -1,7 +1,7 @@ # # /home # -HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:ROLE_irc_home_t,s0) +HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:user_irc_home_t,s0) # # /usr diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if serefpolicy-3.2.7/policy/modules/apps/irc.if --- nsaserefpolicy/policy/modules/apps/irc.if 2007-07-23 10:20:12.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/apps/irc.if 2008-02-13 16:57:15.000000000 -0500 @@ -35,6 +35,7 @@ template(`irc_per_role_template',` gen_require(` type irc_exec_t; + type user_irc_home_t, user_irc_tmp_t; ') ######################################## 
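Review bot: Under the comment `# allow gpg to connect to the gpg agent`, the three `manage_dirs_pattern/manage_files_pattern/manage_lnk_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)` lines are a verbatim repeat of the block immediately above, and the comment actually describes the `stream_connect_pattern(gpg_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t,gpg_agent_t)` line that follows; delete the duplicate block and move the comment down onto that line. `allow gpg_t gpg_t:process signal;` should be written `allow gpg_t self:process signal;` like the neighbouring self rules. The new `userdom_manage_user_home_content_files(user,gpg_t)` and `userdom_manage_user_tmp_files(user,gpg_t)` extend gpg_t from ~/.gnupg to every home-content and tmp file of the user, where the old template confined it to the secret type and left wider content access as a TODO; that may be needed for writing encrypted or signed output beside the input, but it deserves a comment saying so. Note also that `userdom_user_home_dir_filetrans(user, gpg_t, user_gpg_secret_t, dir)` and `userdom_search_user_home_dirs(user,gpg_agent_t)` are keyed on the `user` prefix only — if home directory types are still per-role in this tree, gpg run from other roles will not get the ~/.gnupg transition.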
@@ -50,12 +51,11 @@ userdom_user_home_content($1,$1_irc_exec_t) application_domain($1_irc_t,$1_irc_exec_t) - type $1_irc_home_t; - userdom_user_home_content($1,$1_irc_home_t) + ifelse(`$1',`user',`',` + typealias user_irc_home_t alias $1_irc_home_t; + typealias user_irc_tmp_t alias $1_irc_tmp_t; + ') - type $1_irc_tmp_t; - userdom_user_home_content($1,$1_irc_tmp_t) - ######################################## # # Local policy 
@@ -65,18 +65,18 @@ allow $1_irc_t self:tcp_socket create_socket_perms; allow $1_irc_t self:udp_socket create_socket_perms; - manage_dirs_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t) - manage_files_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t) - manage_lnk_files_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t) - userdom_user_home_dir_filetrans($1,$1_irc_t,$1_irc_home_t,{ dir file lnk_file }) + manage_dirs_pattern($1_irc_t,user_irc_home_t,user_irc_home_t) + manage_files_pattern($1_irc_t,user_irc_home_t,user_irc_home_t) + manage_lnk_files_pattern($1_irc_t,user_irc_home_t,user_irc_home_t) + userdom_user_home_dir_filetrans($1,$1_irc_t,user_irc_home_t,{ dir file lnk_file }) # access files under /tmp - manage_dirs_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t) - manage_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t) - manage_lnk_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t) - manage_fifo_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t) - manage_sock_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t) - files_tmp_filetrans($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file }) + manage_dirs_pattern($1_irc_t,user_irc_tmp_t,user_irc_tmp_t) + manage_files_pattern($1_irc_t,user_irc_tmp_t,user_irc_tmp_t) + manage_lnk_files_pattern($1_irc_t,user_irc_tmp_t,user_irc_tmp_t) + manage_fifo_files_pattern($1_irc_t,user_irc_tmp_t,user_irc_tmp_t) + manage_sock_files_pattern($1_irc_t,user_irc_tmp_t,user_irc_tmp_t) + files_tmp_filetrans($1_irc_t,user_irc_tmp_t,{ file dir lnk_file sock_file fifo_file }) # Transition from the user domain to the derived domain. domtrans_pattern($2,irc_exec_t,$1_irc_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te serefpolicy-3.2.7/policy/modules/apps/irc.te --- nsaserefpolicy/policy/modules/apps/irc.te 2007-12-19 05:32:09.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/apps/irc.te 2008-02-13 16:57:15.000000000 -0500 
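Review bot: `files_tmp_filetrans($1_irc_t,user_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })` makes user_irc_tmp_t the label for everything the irc domain creates under /tmp, yet the irc.te hunk declares that type with `userdom_user_home_content(user,user_irc_tmp_t)` rather than `files_tmp_file(user_irc_tmp_t)`. The old per-role code had the same mismatch, but now that the type is declared once centrally this is the place to fix it: a type that is registered as home content but lives in /tmp is treated by the home-content interfaces and by the tmp-cleanup interfaces differently from what its name promises. Change the irc.te declaration to `files_tmp_file(user_irc_tmp_t)`.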
@@ -8,3 +8,10 @@
 type irc_exec_t;
 application_executable_file(irc_exec_t)
+
+type user_irc_home_t;
+userdom_user_home_content(user,user_irc_home_t)
+
+type user_irc_tmp_t;
+userdom_user_home_content(user,user_irc_tmp_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.2.7/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2007-03-01 10:01:48.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/apps/java.fc 2008-02-13 16:57:15.000000000 -0500
@@ -11,6 +11,7 @@
 #
 /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
 /usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -20,5 +21,13 @@
 /usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
-/usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
-/usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/local/matlab/bin/(.*/)?MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/matlab(/.*)?/bin/(.*/)?MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/matlab(/.*)?/bin(/.*)?/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/lib/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib64/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.2.7/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.7/policy/modules/apps/java.if 2008-02-13 16:57:15.000000000 -0500
@@ -32,7 +32,7 @@
 ##
 ##
 #
-template(`java_per_role_template',`
+template(`java_plugin_per_role_template',`
 gen_require(`
 type java_exec_t;
 ')
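Review bot: With `/usr/lib/jvm/java(.*/)bin(/.*)?`, both soffice\.bin entries and `/usr/bin/octave-[^/]*` now labelled java_exec_t, the type has become a catch-all entry point for programs that need the java domain's relaxed memory permissions rather than for Java itself, and the jvm line labels every regular file under a JVM's bin directory whatever it is. Add a comment at the top of that group in java.fc stating this intent, so nobody later "fixes" the octave or soffice lines by giving them their own exec types without a domain to go with them. The rename `template(`java_per_role_template',` → `template(`java_plugin_per_role_template',` in the java.if hunk changes a public template name; its callers (the userdomain templates, not in this chunk) must be updated in the same patch or the build breaks, and keeping the old name as a one-line wrapper for a release would ease the transition.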
@@ -57,14 +57,16 @@ # Local policy # - allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem }; + allow $1_javaplugin_t self:process { execmem execstack signal_perms getsched ptrace setsched }; allow $1_javaplugin_t self:fifo_file rw_fifo_file_perms; - allow $1_javaplugin_t self:tcp_socket create_socket_perms; + allow $1_javaplugin_t self:tcp_socket create_stream_socket_perms; allow $1_javaplugin_t self:udp_socket create_socket_perms; + allow $1_javaplugin_t $1_t:process signull; + allow $1_javaplugin_t $1_t:unix_stream_socket connectto; + allow $1_t $1_javaplugin_t:unix_stream_socket connectto; allow $1_javaplugin_t $2:unix_stream_socket connectto; allow $1_javaplugin_t $2:unix_stream_socket { read write }; - userdom_write_user_tmp_sockets($1,$1_javaplugin_t) manage_dirs_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t) manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t) @@ -76,13 +78,9 @@ manage_sock_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t) fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ file lnk_file sock_file fifo_file }) - rw_files_pattern($1_javaplugin_t,$1_home_t,$1_home_t) - read_files_pattern($1_javaplugin_t,$1_home_t,$1_home_t) - can_exec($1_javaplugin_t, java_exec_t) - # The user role is authorized for this domain. - domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t) + domain_auto_trans($2, java_exec_t, $1_javaplugin_t) allow $1_javaplugin_t $2:fd use; # Unrestricted inheritance from the caller. allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh }; @@ -94,7 +92,7 @@ kernel_read_system_state($1_javaplugin_t) # Search bin directory under javaplugin for javaplugin executable - corecmd_search_bin($1_javaplugin_t) + corecmd_exec_bin($1_javaplugin_t) corenet_all_recvfrom_unlabeled($1_javaplugin_t) corenet_all_recvfrom_netlabel($1_javaplugin_t) 
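Review bot: The new lines `allow $1_javaplugin_t $1_t:process signull;`, `allow $1_javaplugin_t $1_t:unix_stream_socket connectto;` and `allow $1_t $1_javaplugin_t:unix_stream_socket connectto;` hard-code `$1_t` for the user domain, while the second hunk in this file replaces exactly that idiom with `$2` in `domain_auto_trans($2, java_exec_t, $1_javaplugin_t)`; use `$2` in all three so the template also works for callers whose domain is not named `$1_t`. The self:process set now includes `ptrace`, which is unusual for a browser plugin and should carry a comment naming the need. In the third hunk `corecmd_exec_bin($1_javaplugin_t)` is a real widening over `corecmd_search_bin`, but the comment above it still reads `# Search bin directory under javaplugin for javaplugin executable`; update it to say the plugin executes helpers labelled bin_t.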
@@ -107,10 +105,12 @@ corenet_tcp_connect_all_ports($1_javaplugin_t) corenet_sendrecv_all_client_packets($1_javaplugin_t) + dev_list_sysfs($1_javaplugin_t) dev_read_sound($1_javaplugin_t) dev_write_sound($1_javaplugin_t) dev_read_urand($1_javaplugin_t) dev_read_rand($1_javaplugin_t) + dev_write_rand($1_javaplugin_t) files_read_etc_files($1_javaplugin_t) files_read_usr_files($1_javaplugin_t) @@ -122,6 +122,9 @@ fs_getattr_xattr_fs($1_javaplugin_t) fs_dontaudit_rw_tmpfs_files($1_javaplugin_t) + fs_getattr_tmpfs($1_javaplugin_t) + + auth_use_nsswitch($1_javaplugin_t) libs_use_ld_so($1_javaplugin_t) libs_use_shared_libs($1_javaplugin_t) @@ -132,11 +135,14 @@ # Read global fonts and font config miscfiles_read_fonts($1_javaplugin_t) - sysnet_read_config($1_javaplugin_t) - + userdom_manage_unpriv_users_home_content_files($1_javaplugin_t) userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t) userdom_dontaudit_setattr_user_home_content_files($1,$1_javaplugin_t) userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t) + userdom_manage_user_tmp_dirs($1,$1_javaplugin_t) + userdom_manage_user_tmp_files($1,$1_javaplugin_t) + userdom_manage_user_tmp_sockets($1,$1_javaplugin_t) + userdom_read_user_tmpfs_files($1,$1_javaplugin_t) userdom_manage_user_home_content_dirs($1,$1_javaplugin_t) userdom_manage_user_home_content_files($1,$1_javaplugin_t) userdom_manage_user_home_content_symlinks($1,$1_javaplugin_t) @@ -156,15 +162,65 @@ ') optional_policy(` - nis_use_ypbind($1_javaplugin_t) + xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t) ') - optional_policy(` - nscd_socket_use($1_javaplugin_t) +') + +####################################### +## +## The per role template for the java module. +## +## +##
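Review bot: `userdom_manage_unpriv_users_home_content_files($1_javaplugin_t)` in the `@@ -132` hunk grants the plugin domain create/write/delete on the home content of every unprivileged user, not only the `$1` user the domain is derived for, while the `userdom_manage_user_home_content_*($1,$1_javaplugin_t)` lines in the same hunk already cover the owner's files. A per-role plugin domain writing other users' home directories crosses exactly the boundary the per-role templates exist to keep; drop the broader call or leave a comment naming the concrete case that needs it. The removed `sysnet_read_config` is presumably covered by the `auth_use_nsswitch` added in the `@@ -122` hunk, but a note to that effect would save a reader from checking.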

+## This template creates a derived domains which are used +## for java applications. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# +template(`java_per_role_template',` + gen_require(` + type java_exec_t; ') + type $1_java_t; + domain_type($1_java_t) + domain_entry_file($1_java_t,java_exec_t) + role $3 types $1_java_t; + + domain_interactive_fd($1_java_t) + + userdom_unpriv_usertype($1, $1_java_t) + + allow $1_java_t self:process { getsched sigkill execheap execmem execstack }; + + allow $2 $1_java_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh }; + + domtrans_pattern($2, java_exec_t, $1_java_t) + + dev_read_urand($1_java_t) + dev_read_rand($1_java_t) + + fs_dontaudit_rw_tmpfs_files($1_java_t) + optional_policy(` - xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t) + xserver_xdm_rw_shm($1_java_t) ') ') @@ -219,3 +275,67 @@ corecmd_search_bin($1) domtrans_pattern($1, java_exec_t, java_t) ') + +######################################## +## +## Execute a java in the specified domain +## +## +##
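Review bot: The new `java_per_role_template` grants `allow $1_java_t self:process { getsched sigkill execheap execmem execstack }` and `allow $2 $1_java_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh }` with no comment on why all three execute-memory permissions, or ptrace from the user domain, are required, and its summary reads `creates a derived domains which are used` (should be `creates a derived domain which is used`). java.te in this same diff explains one of them (`# execheap is needed for itanium/BEA jrocket`); repeat that comment here and name which JVMs need `execstack`, since the `allow_java_execstack` tunable that used to document this is removed later in the diff. Whether `ptrace` by `$2` is needed beyond debugging cannot be told from the hunk; if it is debugging only, it fits better behind a tunable.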

+## Execute the java command in the specified domain. This allows +## the specified domain to execute any file +## on these filesystems in the specified +## domain. +##

+##
+## +## +## Domain allowed access. +## +## +## +## +## The type of the new process. +## +## +# +interface(`java_spec_domtrans',` + gen_require(` + type java_exec_t; + ') + + domain_trans($1,java_exec_t,$2) + type_transition $1 java_exec_t:process $2; +') + +######################################## +## +## Execute java in the java domain, and +## allow the specified role the java domain. +## +## +## +## The type of the process performing this action. +## +## +## +## +## The role to be allowed the java domain. +## +## +## +## +## The type of the terminal allow the java domain to use. +## +## +# +interface(`java_run',` + gen_require(` + type java_t; + ') + + java_domtrans($1) + role $2 types java_t; + allow java_t $3:chr_file rw_term_perms; +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.2.7/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2007-12-19 05:32:09.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/apps/java.te 2008-02-13 16:57:15.000000000 -0500 @@ -6,16 +6,10 @@ # Declarations # -## -##
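Review bot: The description of `java_spec_domtrans` is copied from a filesystem interface, `This allows the specified domain to execute any file on these filesystems in the specified domain`, and does not describe what the interface does (a transition from `$1` to `$2` on `java_exec_t`). Replace it with e.g. `Execute java in the specified domain: allow $1 to run java_exec_t files and transition to $2.` Note also that `java_domtrans` (the context lines of this hunk) calls `corecmd_search_bin($1)` before its `domtrans_pattern`, while `java_spec_domtrans` does not, so a caller that cannot already search bin directories will not reach the executable; add the search or state in the description that callers must provide it.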

-## Allow java executable stack -##

-##
-gen_tunable(allow_java_execstack,false) - type java_t; type java_exec_t; init_system_domain(java_t,java_exec_t) +typealias java_t alias unconfined_java_t; ######################################## # @@ -23,11 +17,23 @@ # # execheap is needed for itanium/BEA jrocket -allow java_t self:process { execstack execmem execheap }; +allow java_t self:process { getsched sigkill execheap execmem execstack }; -init_dbus_chat_script(java_t) +optional_policy(` + init_dbus_chat_script(java_t) + optional_policy(` + hal_dbus_chat(java_t) + ') + + optional_policy(` + unconfined_dbus_chat(java_t) + ') +') optional_policy(` unconfined_domain_noaudit(java_t) - unconfined_dbus_chat(java_t) +') + +optional_policy(` + xserver_xdm_rw_shm(java_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.2.7/policy/modules/apps/loadkeys.te --- nsaserefpolicy/policy/modules/apps/loadkeys.te 2007-12-19 05:32:09.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/apps/loadkeys.te 2008-02-13 16:57:15.000000000 -0500 @@ -44,3 +44,5 @@ optional_policy(` nscd_dontaudit_search_pid(loadkeys_t) ') + +userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.2.7/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 12:57:22.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/apps/mono.if 2008-02-13 16:57:15.000000000 -0500 
@@ -18,3 +18,105 @@ corecmd_search_bin($1) domtrans_pattern($1, mono_exec_t, mono_t) ') + +######################################## +## +## Read and write to mono shared memory. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`mono_rw_shm',` + gen_require(` + type mono_t; + ') + + allow $1 mono_t:shm rw_shm_perms; +') + +######################################## +## +## Execute mono in the mono domain, and +## allow the specified role the mono domain. +## +## +## +## The type of the process performing this action. +## +## +## +## +## The role to be allowed the mono domain. +## +## +## +## +## The type of the terminal allow the mono domain to use. +## +## +# +interface(`mono_run',` + gen_require(` + type mono_t; + ') + + mono_domtrans($1) + role $2 types mono_t; + allow mono_t $3:chr_file rw_term_perms; +') + +####################################### +## +## The per role template for the mono module. +## +## +##

+## This template creates a derived domains which are used +## for mono applications. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# +template(`mono_per_role_template',` + gen_require(` + type mono_exec_t; + ') + + type $1_mono_t; + domain_type($1_mono_t) + domain_entry_file($1_mono_t,mono_exec_t) + role $3 types $1_mono_t; + + domain_interactive_fd($1_mono_t) + + userdom_unpriv_usertype($1, $1_mono_t) + + allow $1_mono_t self:process { ptrace signal getsched execheap execmem }; + allow $2 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; + + domtrans_pattern($2, mono_exec_t, $1_mono_t) + + fs_dontaudit_rw_tmpfs_files($1_mono_t) + + optional_policy(` + xserver_xdm_rw_shm($1_mono_t) + ') +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.2.7/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2007-12-19 05:32:09.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/apps/mono.te 2008-02-13 16:57:15.000000000 -0500 @@ -15,7 +15,7 @@ # Local policy # -allow mono_t self:process { execheap execmem }; +allow mono_t self:process { ptrace signal getsched execheap execmem }; userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file }) @@ -46,3 +46,7 @@ unconfined_dbus_chat(mono_t) unconfined_dbus_connect(mono_t) ') + +optional_policy(` + xserver_xdm_rw_shm(mono_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.2.7/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2007-10-12 08:56:02.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/apps/mozilla.fc 2008-02-13 16:57:15.000000000 -0500 
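Review bot: `mono_per_role_template` grants `allow $1_mono_t self:process { ptrace signal getsched execheap execmem }` and `allow $2 $1_mono_t:process { getattr ptrace noatsecure signal_perms }` without explaining why a user-role mono domain needs ptrace on itself or why the user domain may ptrace it; the same unexplained `ptrace` is added to `mono_t` in the mono.te `@@ -15` hunk. ptrace lets a domain read and alter another process's memory, so document the runtime feature that requires it (`# NOTE(review): confirm which Mono runtime feature needs ptrace`) or gate it with a tunable. The summary `creates a derived domains which are used` should read `creates a derived domain which is used`, and the caller-side rule omits `siginh rlimitinh`, which the parallel java template grants; align the two or comment on the difference.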
@@ -1,8 +1,8 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) +HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:user_mozilla_home_t,s0) +HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:user_mozilla_home_t,s0) +HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:user_mozilla_home_t,s0) +HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:user_mozilla_home_t,s0) +HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:user_mozilla_home_t,s0) # # /bin diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.7/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/apps/mozilla.if 2008-02-13 16:57:15.000000000 -0500 @@ -35,7 +35,10 @@ template(`mozilla_per_role_template',` gen_require(` type mozilla_conf_t, mozilla_exec_t; + type user_mozilla_home_t, user_mozilla_tmp_t; ') + gen_tunable(browser_confine_$1,false) + gen_tunable(browser_write_$1_data,false) ######################################## # 
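Review bot: `gen_tunable(browser_confine_$1,false)` and `gen_tunable(browser_write_$1_data,false)` are declared without the `## <desc>` block that the other tunables in this policy carry (compare the `## Control mozilla content access` block removed from mozilla.te later in this diff), so the generated policy documentation will list them with no description. Their defaults matter: with `browser_confine_$1` false, the `@@ -89` hunk takes the `can_exec($2, mozilla_exec_t)` branch and the browser runs in the user's own domain, i.e. unconfined by this module. Add descriptions such as `## Allow $1 to run the browser in the confined $1_mozilla_t domain` and `## Allow $1_mozilla_t to write $1 home content` above the declarations, and consider moving them under the `# Local booleans` header the `@@ -45` hunk introduces, which is otherwise empty.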
@@ -45,20 +48,26 @@ application_domain($1_mozilla_t,mozilla_exec_t) role $3 types $1_mozilla_t; - type $1_mozilla_home_t alias $1_mozilla_rw_t; - files_poly_member($1_mozilla_home_t) - userdom_user_home_content($1,$1_mozilla_home_t) - type $1_mozilla_tmpfs_t; files_tmpfs_file($1_mozilla_tmpfs_t) + ifelse(`$1',`user',`',` + typealias user_mozilla_home_t alias $1_mozilla_home_t; + typealias user_mozilla_tmp_t alias $1_mozilla_tmp_t; + ') + + ######################################## + # + # Local booleans + # + ######################################## # # Local policy # allow $1_mozilla_t self:capability { sys_nice setgid setuid }; - allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit }; + allow $1_mozilla_t self:process { ptrace sigkill signal setsched getsched setrlimit }; allow $1_mozilla_t self:fifo_file rw_fifo_file_perms; allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create }; allow $1_mozilla_t self:sem create_sem_perms; @@ -71,10 +80,15 @@ # for bash - old mozilla binary can_exec($1_mozilla_t, mozilla_exec_t) + domain_read_all_domains_state($1_mozilla_t) + + fs_getattr_tmpfs($1_mozilla_t) + fs_manage_tmpfs_files($1_mozilla_t) + # X access, Home files - manage_dirs_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t) - manage_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t) - manage_lnk_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t) + manage_dirs_pattern($1_mozilla_t,user_mozilla_home_t,user_mozilla_home_t) + manage_files_pattern($1_mozilla_t,user_mozilla_home_t,user_mozilla_home_t) + manage_lnk_files_pattern($1_mozilla_t,user_mozilla_home_t,user_mozilla_home_t) userdom_search_user_home_dirs($1,$1_mozilla_t) # Mozpluggerrc 
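Review bot: `fs_manage_tmpfs_files($1_mozilla_t)` in the `@@ -71` hunk gives the browser manage access to every generic `tmpfs_t` file, while the following `@@ -89` hunk removes the `manage_*_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,...)` and `fs_tmpfs_filetrans` rules that kept browser tmpfs content in its own type; `$1_mozilla_tmpfs_t` is still declared here and still passed to `xserver_user_client_template`, but nothing visible creates files of that type any more. Restoring the pattern and filetrans lines for `$1_mozilla_tmpfs_t` keeps the browser's shared memory separated from other tmpfs users. `domain_read_all_domains_state($1_mozilla_t)` likewise lets the browser read `/proc` state of every domain on the system; if the need is only its own helpers, the `ps_process_pattern` style already used in this template is narrower. The `# Local booleans` section added here is empty.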
@@ -89,22 +103,48 @@ allow $2 $1_mozilla_t:unix_stream_socket connectto; # X access, Home files - manage_dirs_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) - manage_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) - manage_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) - relabel_dirs_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) - relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) - relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) - - manage_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t) - manage_lnk_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t) - manage_fifo_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t) - manage_sock_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t) - fs_tmpfs_filetrans($1_mozilla_t,$1_mozilla_tmpfs_t,{ file lnk_file sock_file fifo_file }) + manage_dirs_pattern($2,user_mozilla_home_t,user_mozilla_home_t) + manage_files_pattern($2,user_mozilla_home_t,user_mozilla_home_t) + manage_lnk_files_pattern($2,user_mozilla_home_t,user_mozilla_home_t) + relabel_dirs_pattern($2,user_mozilla_home_t,user_mozilla_home_t) + relabel_files_pattern($2,user_mozilla_home_t,user_mozilla_home_t) + relabel_lnk_files_pattern($2,user_mozilla_home_t,user_mozilla_home_t) allow $1_mozilla_t $2:process signull; - domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t) + tunable_policy(`browser_confine_$1',` + domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t) + ',` + can_exec($2, mozilla_exec_t) + ') + + userdom_read_user_home_content_files($1,$1_mozilla_t) + userdom_read_user_home_content_symlinks($1,$1_mozilla_t) + userdom_read_user_tmp_files($1,$1_mozilla_t) + userdom_list_user_files($1,$1_mozilla_t) + userdom_manage_user_tmp_dirs($1,$1_mozilla_t) + userdom_manage_user_tmp_files($1,$1_mozilla_t) + userdom_manage_user_tmp_sockets($1,$1_mozilla_t) + userdom_tmp_filetrans_user_tmp($1,$1_mozilla_t, { file dir sock_file }) + 
userdom_read_user_tmpfs_files($1,$1_mozilla_t) + + ifdef(`enable_mls',`',` + fs_search_removable($1_mozilla_t) + fs_read_removable_files($1_mozilla_t) + fs_read_removable_symlinks($1_mozilla_t) + ') + + tunable_policy(`browser_write_$1_data',` + userdom_manage_user_home_content_dirs($1,$1_mozilla_t) + userdom_manage_user_home_content_files($1,$1_mozilla_t) + userdom_manage_user_home_content_symlinks($1,$1_mozilla_t) + userdom_manage_user_home_content_pipes($1,$1_mozilla_t) + userdom_user_home_dir_filetrans_user_home_content($1,$1_mozilla_t, { file dir lnk_file }) + ', ` + # helper apps will try to create .files + userdom_dontaudit_create_user_home_content_files($1,$1_mozilla_t) + userdom_user_home_dir_filetrans($1,$1_mozilla_t, $1_mozilla_home_t,dir) + ') # Unrestricted inheritance from the caller. allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh }; @@ -112,11 +152,13 @@ ps_process_pattern($2,$1_mozilla_t) allow $2 $1_mozilla_t:process signal_perms; + kernel_read_fs_sysctls($1_mozilla_t) kernel_read_kernel_sysctls($1_mozilla_t) kernel_read_network_state($1_mozilla_t) # Access /proc, sysctl - kernel_read_system_state($1_mozilla_t) - kernel_read_net_sysctls($1_mozilla_t) + kernel_dontaudit_read_system_state($1_mozilla_t) +# kernel_read_system_state($1_mozilla_t) +# kernel_read_net_sysctls($1_mozilla_t) # Look for plugins corecmd_list_bin($1_mozilla_t) 
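Review bot: In the `browser_write_$1_data` else-branch, `userdom_user_home_dir_filetrans($1,$1_mozilla_t, $1_mozilla_home_t,dir)` still names `$1_mozilla_home_t` although every other rule in the template was switched to `user_mozilla_home_t`; it only builds because of the `typealias` the `@@ -45` hunk adds for non-user prefixes, so use `user_mozilla_home_t` here too. Separately, `userdom_read_user_home_content_files`/`_symlinks` and `userdom_read_user_tmp_files` are now unconditional where the removed `mozilla_read_content` tunable used to gate them, so the browser always reads the whole of the user's home; a comment stating that this is intended and that `browser_write_$1_data` governs writes only would stop the next reader hunting for the old tunable. The template continues outside the hunk.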
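Review bot: In the `@@ -112` hunk the commented-out `# kernel_read_system_state($1_mozilla_t)` and `# kernel_read_net_sysctls($1_mozilla_t)` lines are dead code beside the `kernel_dontaudit_read_system_state` that replaces them, and the `# Access /proc, sysctl` comment above now sits over a dontaudit rule. Delete the two commented lines and reword the comment, e.g. `# Browser probes /proc system state; deny quietly rather than allow`, so the intent (deny without audit noise) is explicit.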
@@ -165,10 +207,23 @@ files_read_var_files($1_mozilla_t) files_read_var_symlinks($1_mozilla_t) files_dontaudit_getattr_boot_dirs($1_mozilla_t) + files_dontaudit_list_non_security($1_mozilla_t) + files_dontaudit_getattr_non_security_files($1_mozilla_t) + files_dontaudit_getattr_non_security_symlinks($1_mozilla_t) + files_dontaudit_getattr_non_security_pipes($1_mozilla_t) + files_dontaudit_getattr_non_security_sockets($1_mozilla_t) + + dev_dontaudit_getattr_all_blk_files($1_mozilla_t) + dev_dontaudit_getattr_all_chr_files($1_mozilla_t) fs_search_auto_mountpoints($1_mozilla_t) fs_list_inotifyfs($1_mozilla_t) + fs_manage_dos_dirs($1_mozilla_t) + fs_manage_dos_files($1_mozilla_t) fs_rw_tmpfs_files($1_mozilla_t) + fs_read_noxattr_fs_files($1_mozilla_t) + + selinux_dontaudit_getattr_fs($1_mozilla_t) term_dontaudit_getattr_pty_dirs($1_mozilla_t) @@ -184,12 +239,8 @@ sysnet_dns_name_resolve($1_mozilla_t) sysnet_read_config($1_mozilla_t) - userdom_manage_user_home_content_dirs($1,$1_mozilla_t) - userdom_manage_user_home_content_files($1,$1_mozilla_t) - userdom_manage_user_home_content_symlinks($1,$1_mozilla_t) - userdom_manage_user_tmp_dirs($1,$1_mozilla_t) - userdom_manage_user_tmp_files($1,$1_mozilla_t) - userdom_manage_user_tmp_sockets($1,$1_mozilla_t) + userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t) + userdom_dontaudit_use_user_terminals($1,$1_mozilla_t) xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t) 
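Review bot: `userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)` in the `@@ -184` hunk contradicts `userdom_read_user_tmp_files($1,$1_mozilla_t)` added by the `@@ -89` hunk earlier in this file: the access is allowed, so the dontaudit is a no-op and shows the two hunks were written against different assumptions. Keep one of them. In the `@@ -165` hunk, `fs_manage_dos_dirs`/`fs_manage_dos_files` give the browser write access to every DOS filesystem (removable media and any mounted FAT volume) unconditionally, where the removed tunable-gated block only granted reads on removable media; if this is for saving downloads to removable drives, a tunable or at least a comment naming the use case is warranted.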
@@ -211,131 +262,8 @@ fs_manage_cifs_symlinks($1_mozilla_t) ') - # Uploads, local html - tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` - fs_list_auto_mountpoints($1_mozilla_t) - files_list_home($1_mozilla_t) - fs_read_nfs_files($1_mozilla_t) - fs_read_nfs_symlinks($1_mozilla_t) - - ',` - files_dontaudit_list_home($1_mozilla_t) - fs_dontaudit_list_auto_mountpoints($1_mozilla_t) - fs_dontaudit_read_nfs_files($1_mozilla_t) - fs_dontaudit_list_nfs($1_mozilla_t) - ') - - tunable_policy(`mozilla_read_content && use_samba_home_dirs',` - fs_list_auto_mountpoints($1_mozilla_t) - files_list_home($1_mozilla_t) - fs_read_cifs_files($1_mozilla_t) - fs_read_cifs_symlinks($1_mozilla_t) - ',` - files_dontaudit_list_home($1_mozilla_t) - fs_dontaudit_list_auto_mountpoints($1_mozilla_t) - fs_dontaudit_read_cifs_files($1_mozilla_t) - fs_dontaudit_list_cifs($1_mozilla_t) - ') - - tunable_policy(`mozilla_read_content',` - userdom_list_user_tmp($1,$1_mozilla_t) - userdom_read_user_tmp_files($1,$1_mozilla_t) - userdom_read_user_tmp_symlinks($1,$1_mozilla_t) - userdom_search_user_home_dirs($1,$1_mozilla_t) - userdom_read_user_home_content_files($1,$1_mozilla_t) - userdom_read_user_home_content_symlinks($1,$1_mozilla_t) - - ifdef(`enable_mls',`',` - fs_search_removable($1_mozilla_t) - fs_read_removable_files($1_mozilla_t) - fs_read_removable_symlinks($1_mozilla_t) - ') - ',` - files_dontaudit_list_tmp($1_mozilla_t) - files_dontaudit_list_home($1_mozilla_t) - fs_dontaudit_list_removable($1_mozilla_t) - fs_dontaudit_read_removable_files($1_mozilla_t) - userdom_dontaudit_list_user_tmp($1,$1_mozilla_t) - userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t) - userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t) - userdom_dontaudit_read_user_home_content_files($1,$1_mozilla_t) - ') - - tunable_policy(`mozilla_read_content && read_default_t',` - files_list_default($1_mozilla_t) - files_read_default_files($1_mozilla_t) - files_read_default_symlinks($1_mozilla_t) - ',` - 
files_dontaudit_read_default_files($1_mozilla_t) - files_dontaudit_list_default($1_mozilla_t) - ') - - tunable_policy(`mozilla_read_content && read_untrusted_content',` - files_list_tmp($1_mozilla_t) - files_list_home($1_mozilla_t) - userdom_search_user_home_dirs($1,$1_mozilla_t) - - userdom_list_user_untrusted_content($1,$1_mozilla_t) - userdom_read_user_untrusted_content_files($1,$1_mozilla_t) - userdom_read_user_untrusted_content_symlinks($1,$1_mozilla_t) - userdom_list_user_tmp_untrusted_content($1,$1_mozilla_t) - userdom_read_user_tmp_untrusted_content_files($1,$1_mozilla_t) - userdom_read_user_tmp_untrusted_content_symlinks($1,$1_mozilla_t) - ',` - files_dontaudit_list_tmp($1_mozilla_t) - files_dontaudit_list_home($1_mozilla_t) - userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t) - userdom_dontaudit_list_user_untrusted_content($1,$1_mozilla_t) - userdom_dontaudit_read_user_untrusted_content_files($1,$1_mozilla_t) - userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_mozilla_t) - userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mozilla_t) - ') - - # Save web pages - tunable_policy(`write_untrusted_content && use_nfs_home_dirs',` - files_search_home($1_mozilla_t) - - fs_search_auto_mountpoints($1_mozilla_t) - fs_manage_nfs_dirs($1_mozilla_t) - fs_manage_nfs_files($1_mozilla_t) - fs_manage_nfs_symlinks($1_mozilla_t) - ',` - fs_dontaudit_list_auto_mountpoints($1_mozilla_t) - fs_dontaudit_manage_nfs_dirs($1_mozilla_t) - fs_dontaudit_manage_nfs_files($1_mozilla_t) - ') - - tunable_policy(`write_untrusted_content && use_samba_home_dirs',` - files_search_home($1_mozilla_t) - - fs_search_auto_mountpoints($1_mozilla_t) - fs_manage_cifs_dirs($1_mozilla_t) - fs_manage_cifs_files($1_mozilla_t) - fs_manage_cifs_symlinks($1_mozilla_t) - ',` - fs_dontaudit_list_auto_mountpoints($1_mozilla_t) - fs_dontaudit_manage_cifs_dirs($1_mozilla_t) - fs_dontaudit_manage_cifs_files($1_mozilla_t) - ') - - tunable_policy(`write_untrusted_content',` - 
files_search_home($1_mozilla_t) - userdom_manage_user_untrusted_content_tmp_files($1, $1_mozilla_t) - files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,file) - files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,dir) - - userdom_manage_user_untrusted_content_files($1,$1_mozilla_t) - userdom_user_home_dir_filetrans($1,$1_mozilla_t,$1_untrusted_content_tmp_t, { file dir }) - userdom_user_home_content_filetrans($1,$1_mozilla_t,$1_untrusted_content_tmp_t, { file dir }) - ',` - files_dontaudit_list_home($1_mozilla_t) - files_dontaudit_list_tmp($1_mozilla_t) - - userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t) - userdom_dontaudit_manage_user_tmp_dirs($1,$1_mozilla_t) - userdom_dontaudit_manage_user_tmp_files($1,$1_mozilla_t) - userdom_dontaudit_manage_user_home_content_dirs($1,$1_mozilla_t) - + optional_policy(` + alsa_read_rw_config($1_mozilla_t) ') optional_policy(` @@ -350,19 +278,27 @@ optional_policy(` cups_read_rw_config($1_mozilla_t) cups_dbus_chat($1_mozilla_t) + cups_stream_connect($1_mozilla_t) ') optional_policy(` dbus_system_bus_client_template($1_mozilla,$1_mozilla_t) - dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t) +# dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t) +# dbus_connectto_user_bus($1,$1_mozilla_t) ') optional_policy(` + gnome_exec_gconf($1_mozilla_t) + gnome_manage_user_gnome_config($1,$1_mozilla_t) + ') + + optional_policy(` + gnome_domtrans_user_gconf($1,$1_mozilla_t) gnome_stream_connect_gconf_template($1,$1_mozilla_t) ') optional_policy(` - java_domtrans_user_javaplugin($1, $1_mozilla_t) + java_plugin_per_role_template($1, $1_mozilla_t, $1_r) ') optional_policy(` @@ -370,6 +306,10 @@ ') optional_policy(` + nsplugin_per_role_template($1, $1_mozilla_t, $1_r) + ') + + optional_policy(` mplayer_domtrans_user_mplayer($1, $1_mozilla_t) mplayer_read_user_home_files($1, $1_mozilla_t) ') 
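Review bot: `java_plugin_per_role_template($1, $1_mozilla_t, $1_r)` in the `@@ -350` hunk and `nsplugin_per_role_template($1, $1_mozilla_t, $1_r)` in the `@@ -370` hunk build the role name as `$1_r`, although `mozilla_per_role_template` already receives the role as `$3` (`role $3 types $1_mozilla_t` in the `@@ -45` hunk); pass `$3` so a caller whose role is not named after the prefix still gets a correct `role ... types` rule. The commented-out `# dbus_user_bus_client_template` and `# dbus_connectto_user_bus` lines should be removed or given a reason rather than left as dead code. Inferred, not shown in the hunk: the third parameter of both templates is the role, going by `role $3 types $1_java_t` in the parallel java template.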
@@ -382,25 +322,6 @@ thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t) ') - ifdef(`TODO',` - #NOTE commented out in strict. - ######### Launch email client, and make webcal links work - #ifdef(`evolution.te', ` - #domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t) - #domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t) - #') - - # Macros for mozilla/mozilla (or other browser) domains. - # FIXME: Rules were removed to centralize policy in a gnome_app macro - # A similar thing might be necessary for mozilla compiled without GNOME - # support (is this possible?). - - # GNOME integration - optional_policy(` - gnome_application($1_mozilla, $1) - gnome_file_dialog($1_mozilla, $1) - ') - ') ') ######################################## @@ -430,11 +351,11 @@ # template(`mozilla_read_user_home_files',` gen_require(` - type $1_mozilla_home_t; + type user_mozilla_home_t; ') - allow $2 $1_mozilla_home_t:dir list_dir_perms; - allow $2 $1_mozilla_home_t:file read_file_perms; + allow $2 user_mozilla_home_t:dir list_dir_perms; + allow $2 user_mozilla_home_t:file read_file_perms; ') ######################################## @@ -464,11 +385,10 @@ # template(`mozilla_write_user_home_files',` gen_require(` - type $1_mozilla_home_t; + type user_mozilla_home_t; ') - allow $2 $1_mozilla_home_t:dir list_dir_perms; - allow $2 $1_mozilla_home_t:file write; + write_files_pattern($2, user_mozilla_home_t, user_mozilla_home_t) ') ######################################## 
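Review bot: `mozilla_read_user_home_files` and `mozilla_write_user_home_files` no longer use their `$1` prefix parameter now that both operate on the shared `user_mozilla_home_t`, so the parameter description above each (outside the hunk) is stale and every caller passes a value that is ignored; either say so in the parameter description or demote them to plain interfaces taking one argument. In the write template, `write_files_pattern($2, user_mozilla_home_t, user_mozilla_home_t)` replaces `dir list_dir_perms` with only `search` on the directory, so a caller that listed the directory before loses that; confirm no caller relied on it. The same unused-`$1` situation applies to `mplayer_read_user_home_files` later in this diff.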
@@ -573,3 +493,27 @@ allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; ') + +######################################## +## +## mozilla connection template. +## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +# +template(`mozilla_stream_connect_template',` + gen_require(` + type $1_mozilla_t; + ') + + allow $2 $1_mozilla_t:unix_stream_socket connectto; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.2.7/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2007-12-19 05:32:09.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/apps/mozilla.te 2008-02-13 16:57:15.000000000 -0500 @@ -6,15 +6,15 @@ # Declarations # -## -##

-## Control mozilla content access -##

-##
-gen_tunable(mozilla_read_content,false) - type mozilla_conf_t; files_config_file(mozilla_conf_t) type mozilla_exec_t; application_executable_file(mozilla_exec_t) + +type user_mozilla_home_t alias user_mozilla_rw_t; +files_poly_member(user_mozilla_home_t) +userdom_user_home_content(user,user_mozilla_home_t) + +type user_mozilla_tmp_t; +files_tmp_file(user_mozilla_tmp_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.2.7/policy/modules/apps/mplayer.fc --- nsaserefpolicy/policy/modules/apps/mplayer.fc 2007-10-12 08:56:02.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/apps/mplayer.fc 2008-02-13 16:57:15.000000000 -0500 @@ -10,4 +10,4 @@ /usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0) /usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0) -HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:ROLE_mplayer_home_t,s0) +HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:user_mplayer_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.2.7/policy/modules/apps/mplayer.if --- nsaserefpolicy/policy/modules/apps/mplayer.if 2007-07-23 10:20:12.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/apps/mplayer.if 2008-02-13 16:57:15.000000000 -0500 @@ -35,6 +35,7 @@ template(`mplayer_per_role_template',` gen_require(` type mencoder_exec_t, mplayer_exec_t; + type user_mplayer_home_t; ') ######################################## @@ -50,9 +51,9 @@ application_domain($1_mplayer_t,mplayer_exec_t) role $3 types $1_mplayer_t; - type $1_mplayer_home_t alias $1_mplayer_rw_t; - files_poly_member($1_mplayer_home_t) - userdom_user_home_content($1,$1_mplayer_home_t) + ifelse(`$1',`user',`',` + typealias user_mplayer_home_t alias $1_mplayer_home_t; + ') type $1_mplayer_tmpfs_t; files_tmpfs_file($1_mplayer_tmpfs_t) 
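Review bot: `type user_mozilla_tmp_t; files_tmp_file(user_mozilla_tmp_t)` declares a browser tmp type, but none of the mozilla.if hunks in this diff grant `$1_mozilla_t` access to it or add a `files_tmp_filetrans` to it; the template uses `userdom_manage_user_tmp_*` and `userdom_tmp_filetrans_user_tmp` instead, so browser temp files land in the generic user tmp type and the new type is reached only through the `typealias`. Either wire it in (`manage_files_pattern($1_mozilla_t,user_mozilla_tmp_t,user_mozilla_tmp_t)` plus a filetrans) or drop the declaration; a separate temp type is what lets other domains be kept away from browser downloads in progress. A use may exist outside the visible hunks, in which case a comment here pointing to it would suffice.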
@@ -62,9 +63,9 @@ # mencoder local policy # - manage_dirs_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t) - manage_files_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t) - manage_lnk_files_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t) + manage_dirs_pattern($1_mencoder_t,user_mplayer_home_t,user_mplayer_home_t) + manage_files_pattern($1_mencoder_t,user_mplayer_home_t,user_mplayer_home_t) + manage_lnk_files_pattern($1_mencoder_t,user_mplayer_home_t,user_mplayer_home_t) # Read global config allow $1_mencoder_t mplayer_etc_t:dir list_dir_perms; @@ -256,9 +257,9 @@ allow $1_mplayer_t self:fifo_file rw_fifo_file_perms; allow $1_mplayer_t self:sem create_sem_perms; - manage_dirs_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t) - manage_files_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t) - manage_lnk_files_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t) + manage_dirs_pattern($1_mplayer_t,user_mplayer_home_t,user_mplayer_home_t) + manage_files_pattern($1_mplayer_t,user_mplayer_home_t,user_mplayer_home_t) + manage_lnk_files_pattern($1_mplayer_t,user_mplayer_home_t,user_mplayer_home_t) userdom_search_user_home_dirs($1,$1_mplayer_t) manage_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t) 
@@ -273,12 +274,12 @@ read_lnk_files_pattern($1_mplayer_t,mplayer_etc_t,mplayer_etc_t) # Home access - manage_dirs_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) - manage_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) - manage_lnk_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) - relabel_dirs_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) - relabel_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) - relabel_lnk_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) + manage_dirs_pattern($2,user_mplayer_home_t,user_mplayer_home_t) + manage_files_pattern($2,user_mplayer_home_t,user_mplayer_home_t) + manage_lnk_files_pattern($2,user_mplayer_home_t,user_mplayer_home_t) + relabel_dirs_pattern($2,user_mplayer_home_t,user_mplayer_home_t) + relabel_files_pattern($2,user_mplayer_home_t,user_mplayer_home_t) + relabel_lnk_files_pattern($2,user_mplayer_home_t,user_mplayer_home_t) # domain transition domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t) @@ -470,7 +471,9 @@ # template(`mplayer_domtrans_user_mplayer',` gen_require(` - type $1_mplayer_t, mplayer_exec_t; + type mplayer_exec_t; + type $1_mplayer_t; + ') domtrans_pattern($2, mplayer_exec_t,$1_mplayer_t) @@ -503,8 +506,8 @@ # template(`mplayer_read_user_home_files',` gen_require(` - type $1_mplayer_home_t; + type user_mplayer_home_t; ') - read_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) + read_files_pattern($2,user_mplayer_home_t,user_mplayer_home_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.2.7/policy/modules/apps/mplayer.te --- nsaserefpolicy/policy/modules/apps/mplayer.te 2007-12-19 05:32:09.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/apps/mplayer.te 2008-02-13 16:57:15.000000000 -0500 
@@ -22,3 +22,7 @@
 type mplayer_exec_t;
 corecmd_executable_file(mplayer_exec_t)
 application_executable_file(mplayer_exec_t)
+
+type user_mplayer_home_t alias user_mplayer_rw_t;
+userdom_user_home_content(user,user_mplayer_home_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.2.7/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/apps/nsplugin.fc 2008-02-13 16:57:15.000000000 -0500
@@ -0,0 +1,7 @@
+
+/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
+
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.7/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/apps/nsplugin.if 2008-02-13 16:57:15.000000000 -0500
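Review bot: Moving the home type into mplayer.te drops `files_poly_member`: the lines removed from `mplayer_per_role_template` (the `@@ -50` hunk of mplayer.if) had `files_poly_member($1_mplayer_home_t)` next to `userdom_user_home_content`, while this hunk only calls `userdom_user_home_content(user,user_mplayer_home_t)`. The parallel mozilla.te hunk keeps `files_poly_member(user_mozilla_home_t)`, so add `files_poly_member(user_mplayer_home_t)` here; without it, polyinstantiated home directories will not treat `~/.mplayer` as a member directory. The trailing added blank line at end of file can go.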
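Review bot: `/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?` is labelled `nsplugin_rw_t`, a writable type that `nsplugin_manage_rw` and `nsplugin_manage_rw_files` (nsplugin.if, later in this diff) hand out as create/write/delete; if that directory holds the wrapped plugin shared objects the browser loads, any domain granted those interfaces can alter code that later runs in the plugin or browser process. Consider a read-only type for the loadable objects (or at least a `--` file-type field so directories and non-regular files are not swept in) and reserve `nsplugin_rw_t` for state files that genuinely need writing; a comment in the .fc naming what lives in `plugins-wrapped` would make the choice reviewable. The file also begins with an empty added line.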
@@ -0,0 +1,338 @@ + +## policy for nsplugin + +######################################## +## +## Execute a domain transition to run nsplugin_config. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`nsplugin_config_domtrans',` + gen_require(` + type nsplugin_config_t; + type nsplugin_config_exec_t; + ') + + domtrans_pattern($1,nsplugin_config_exec_t,nsplugin_config_t) +') + +######################################## +## +## Execute a domain transition to run nsplugin. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`nsplugin_domtrans',` + gen_require(` + type nsplugin_t; + type nsplugin_exec_t; + ') + + domtrans_pattern($1,nsplugin_exec_t,nsplugin_t) +') + +######################################## +## +## Create, read, write, and delete +## nsplugin rw files. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_manage_rw_files',` + gen_require(` + type nsplugin_rw_t; + ') + + allow $1 nsplugin_rw_t:file manage_file_perms; + allow $1 nsplugin_rw_t:dir rw_dir_perms; +') + +######################################## +## +## Manage nsplugin rw files. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_manage_rw',` + gen_require(` + type nsplugin_rw_t; + ') + + manage_dirs_pattern($1,nsplugin_rw_t,nsplugin_rw_t) + manage_files_pattern($1,nsplugin_rw_t,nsplugin_rw_t) + manage_lnk_files_pattern($1,nsplugin_rw_t,nsplugin_rw_t) +') + + +######################################## +## +## Execute plugin_config in the nsplugin_config domain, and +## allow the specified role the nsplugin_config domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the nsplugin domain. +## +## +## +## +## The type of the role's terminal. 
+## +## +# +interface(`nsplugin_run_config',` + gen_require(` + type nsplugin_config_t; + ') + + nsplugin_config_domtrans($1) + role $2 types nsplugin_config_t; + dontaudit nsplugin_config_t $3:chr_file rw_term_perms; +') + +####################################### +## +## The per role template for the nsplugin module. +## +## +##

+## This template creates a derived domains which are used +## for nsplugin web browser. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# +template(`nsplugin_use',` + gen_require(` + type nsplugin_t; + type nsplugin_config_t; + type nsplugin_rw_t; + type $1_tmpfs_t; + ') + nsplugin_domtrans($2) + + nsplugin_config_domtrans($2) + + list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t) + read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) + read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) + can_exec($2, nsplugin_rw_t) + + allow nsplugin_t $2:udp_socket { read write }; + allow nsplugin_t $2:tcp_socket { read write }; + allow nsplugin_t $2:unix_stream_socket connectto; + dontaudit nsplugin_t $2:process ptrace; + allow nsplugin_t $1_tmpfs_t:file { read getattr }; + + allow $2 nsplugin_t:process { getattr ptrace signal_perms }; + allow $2 nsplugin_t:unix_stream_socket connectto; + userdom_use_user_terminals($1, nsplugin_t) + userdom_use_user_terminals($1, nsplugin_config_t) +') + +####################################### +## +## The per role template for the nsplugin module. +## +## +##

+## This template creates a derived domains which are used +## for nsplugin web browser. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# +template(`nsplugin_per_role_template',` + gen_require(` + type nsplugin_t; + type nsplugin_config_t; + type nsplugin_rw_t; + ') + nsplugin_use($1, $2) + role $3 types nsplugin_t; + role $3 types nsplugin_config_t; +') + +######################################## +## +## Search nsplugin rw directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_search_rw_dir',` + gen_require(` + type nsplugin_rw_t; + ') + + allow $1 nsplugin_rw_t:dir search_dir_perms; +') + +######################################## +## +## Read nsplugin rw files. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_read_rw_files',` + gen_require(` + type nsplugin_rw_t; + ') + + read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) +') + +######################################## +## +## Exec nsplugin rw files. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_rw_exec',` + gen_require(` + type nsplugin_rw_t; + ') + + can_exec($1, nsplugin_rw_t) +') + +######################################## +## +## Execute nsplugin in the nsplugin domain, and +## allow the specified role the nsplugin domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the nsplugin domain. +## +## +## +## +## The type of the role's terminal. +## +## +# +interface(`nsplugin_run',` + gen_require(` + type nsplugin_t; + ') + + nsplugin_domtrans($1) + role $2 types nsplugin_t; + dontaudit nsplugin_t $3:chr_file rw_term_perms; +') + +######################################## +## +## All of the rules required to administrate +## an nsplugin environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the syslog domain. +## +## +## +## +## The type of the user terminal. 
+## +## +## +# +interface(`nsplugin_admin',` + gen_require(` + type nsplugin_t; + type nsplugin_config_t; + ') + + allow $1 nsplugin_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, nsplugin_t, nsplugin_t) + + allow $1 nsplugin_config_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, nsplugin_config_t, nsplugin_config_t) + + nsplugin_manage_rw($1) + +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.7/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/apps/nsplugin.te 2008-02-13 16:57:15.000000000 -0500 
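Review bot: The doc block of `nsplugin_use` is a copy of the one for `nsplugin_per_role_template`: it advertises a third `role` parameter the template never reads (its body uses only `$1` and `$2`) and repeats the summary "The per role template for the nsplugin module". The summary should say what it actually does, e.g. `Grant a user domain the ability to run and interact with nsplugin and nsplugin_config`, and the role parameter block should be dropped. `nsplugin_admin` likewise documents a role "to be allowed to manage the syslog domain" and a terminal type while its body touches only `$1`, and `nsplugin_per_role_template` requires `nsplugin_rw_t` without using it. On consistency, `nsplugin_manage_rw_files` hand-writes `allow $1 nsplugin_rw_t:file manage_file_perms;` / `:dir rw_dir_perms;` while its sibling `nsplugin_manage_rw` uses the `manage_*_pattern` macros; one of the two looks redundant and the difference in scope (no link files, `rw_dir_perms` vs manage) should at least be stated in the summaries.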
@@ -0,0 +1,133 @@
+
+policy_module(nsplugin,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type nsplugin_t;
+type nsplugin_exec_t;
+application_domain(nsplugin_t, nsplugin_exec_t)
+role system_r types nsplugin_t;
+
+type nsplugin_config_t;
+type nsplugin_config_exec_t;
+application_domain(nsplugin_config_t, nsplugin_config_exec_t)
+role system_r types nsplugin_config_t;
+
+type nsplugin_rw_t;
+files_type(nsplugin_rw_t)
+
+type nsplugin_tmp_t;
+files_tmp_file(nsplugin_tmp_t)
+
+type user_nsplugin_home_t;
+files_poly_member(user_nsplugin_home_t)
+userdom_user_home_content(user,user_nsplugin_home_t)
+
+########################################
+#
+# nsplugin local policy
+#
+allow nsplugin_t self:fifo_file rw_file_perms;
+allow nsplugin_t self:process { ptrace getsched };
+
+manage_dirs_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
+manage_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
+userdom_user_home_dir_filetrans(user, nsplugin_t, user_nsplugin_home_t, {file dir})
+
+corecmd_exec_bin(nsplugin_t)
+corecmd_exec_shell(nsplugin_t)
+
+corenet_all_recvfrom_unlabeled(nsplugin_t)
+corenet_all_recvfrom_netlabel(nsplugin_t)
+corenet_tcp_connect_flash_port(nsplugin_t)
+corenet_tcp_connect_http_port(nsplugin_t)
+corenet_tcp_sendrecv_generic_if(nsplugin_t)
+corenet_tcp_sendrecv_all_nodes(nsplugin_t)
+
+domain_dontaudit_read_all_domains_state(nsplugin_t)
+
+dev_read_rand(nsplugin_t)
+
+kernel_read_kernel_sysctls(nsplugin_t)
+kernel_read_system_state(nsplugin_t)
+
+files_read_usr_files(nsplugin_t)
+files_read_etc_files(nsplugin_t)
+
+fs_list_inotifyfs(nsplugin_t)
+fs_manage_tmpfs_files(nsplugin_t)
+fs_getattr_tmpfs(nsplugin_t)
+
+auth_use_nsswitch(nsplugin_t)
+
+libs_use_ld_so(nsplugin_t)
+libs_use_shared_libs(nsplugin_t)
+
+miscfiles_read_localization(nsplugin_t)
+miscfiles_read_fonts(nsplugin_t)
+miscfiles_manage_home_fonts(nsplugin_t)
+
+userdom_read_user_home_content_files(user, nsplugin_t)
+userdom_write_user_tmp_sockets(user, nsplugin_t)
+userdom_dontaudit_append_unpriv_home_content_files(nsplugin_t)
+
+optional_policy(`
+ mozilla_read_user_home_files(user, nsplugin_t)
+ mozilla_write_user_home_files(user, nsplugin_t)
+')
+
+optional_policy(`
+ xserver_stream_connect_xdm_xserver(nsplugin_t)
+ xserver_xdm_rw_shm(nsplugin_t)
+ xserver_read_xdm_tmp_files(nsplugin_t)
+')
+
+########################################
+#
+# nsplugin_config local policy
+#
+
+allow nsplugin_config_t self:capability { sys_nice setuid setgid };
+allow nsplugin_config_t self:process { setsched getsched execmem };
+allow nsplugin_t self:sem create_sem_perms;
+allow nsplugin_t self:shm create_shm_perms;
+
+allow nsplugin_config_t self:fifo_file rw_file_perms;
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
+manage_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
+files_tmp_filetrans(nsplugin_t, nsplugin_tmp_t, { file dir })
+
+can_exec(nsplugin_config_t, nsplugin_rw_t)
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+
+manage_dirs_pattern(nsplugin_config_t, user_nsplugin_home_t, user_nsplugin_home_t)
+manage_files_pattern(nsplugin_config_t, user_nsplugin_home_t, user_nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_config_t, user_nsplugin_home_t, user_nsplugin_home_t)
+
+corecmd_exec_bin(nsplugin_config_t)
+corecmd_exec_shell(nsplugin_config_t)
+
+kernel_read_system_state(nsplugin_config_t)
+
+files_read_etc_files(nsplugin_config_t)
+files_dontaudit_search_home(nsplugin_config_t)
+
+auth_use_nsswitch(nsplugin_config_t)
+
+libs_use_ld_so(nsplugin_config_t)
+libs_use_shared_libs(nsplugin_config_t)
+
+miscfiles_read_localization(nsplugin_config_t)
+miscfiles_read_fonts(nsplugin_config_t)
+
+userdom_search_all_users_home_content(nsplugin_config_t)
+
+nsplugin_domtrans(nsplugin_config_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.7/policy/modules/apps/screen.fc
--- nsaserefpolicy/policy/modules/apps/screen.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.7/policy/modules/apps/screen.fc 2008-02-13 16:57:15.000000000 -0500
@@ -1,7 +1,7 @@
 #
 # /home
 #
-HOME_DIR/\.screenrc -- gen_context(system_u:object_r:ROLE_screen_ro_home_t,s0)
+HOME_DIR/\.screenrc -- gen_context(system_u:object_r:user_screen_ro_home_t,s0)
 #
 # /usr
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.2.7/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if 2007-07-23 10:20:12.000000000 -0400
+++ serefpolicy-3.2.7/policy/modules/apps/screen.if 2008-02-13 16:57:15.000000000 -0500
@@ -35,6 +35,7 @@
 template(`screen_per_role_template',`
 gen_require(`
 type screen_dir_t, screen_exec_t;
+ type user_screen_ro_home_t;
 ')
 ########################################
@@ -50,8 +51,9 @@
 type $1_screen_tmp_t;
 files_tmp_file($1_screen_tmp_t)
- type $1_screen_ro_home_t;
- files_type($1_screen_ro_home_t)
+ ifelse(`$1',`user',`',`
+ typealias user_screen_ro_home_t alias $1_screen_ro_home_t;
+ ')
 type $1_screen_var_run_t;
 files_pid_file($1_screen_var_run_t)
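Review bot: `nsplugin_rw_t` is both fully managed and executed by `nsplugin_config_t` (`manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, ...)` next to `can_exec(nsplugin_config_t, nsplugin_rw_t)`) and is also executed without a transition by the user domain through `nsplugin_use`, so whatever the config domain writes under the `plugins-wrapped` path labelled in nsplugin.fc later runs with the user's own privileges; that write-plus-execute coupling on one type deserves a comment at the `can_exec` line, and a dedicated executable type would make the intent explicit. The `allow nsplugin_t self:sem ...`/`:shm ...` rules and the `nsplugin_tmp_t` rules sit under the `nsplugin_config local policy` header but are for `nsplugin_t` and belong in the section above. `allow nsplugin_config_t self:capability { sys_nice setuid setgid };` has no note on why a plugin configuration helper needs setuid/setgid. `userdom_read_user_home_content_files(user, nsplugin_t)` together with `mozilla_write_user_home_files(user, nsplugin_t)` gives the domain that renders network-supplied plugin content read access to the whole home directory and write access to the browser profile; if that breadth is unavoidable it should be stated, otherwise `user_nsplugin_home_t` already covers the plugin's own files.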
@@ -81,9 +83,9 @@ filetrans_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t,fifo_file) files_pid_filetrans($1_screen_t,screen_dir_t,dir) - allow $1_screen_t $1_screen_ro_home_t:dir list_dir_perms; - read_files_pattern($1_screen_t,$1_screen_ro_home_t,$1_screen_ro_home_t) - read_lnk_files_pattern($1_screen_t,$1_screen_ro_home_t,$1_screen_ro_home_t) + allow $1_screen_t user_screen_ro_home_t:dir list_dir_perms; + read_files_pattern($1_screen_t,user_screen_ro_home_t,user_screen_ro_home_t) + read_lnk_files_pattern($1_screen_t,user_screen_ro_home_t,user_screen_ro_home_t) allow $1_screen_t $2:process signal; @@ -91,12 +93,12 @@ allow $2 $1_screen_t:process signal; allow $1_screen_t $2:process signal; - manage_dirs_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t) - manage_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t) - manage_lnk_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t) - relabel_dirs_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t) - relabel_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t) - relabel_lnk_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t) + manage_dirs_pattern($2,user_screen_ro_home_t,user_screen_ro_home_t) + manage_files_pattern($2,user_screen_ro_home_t,user_screen_ro_home_t) + manage_lnk_files_pattern($2,user_screen_ro_home_t,user_screen_ro_home_t) + relabel_dirs_pattern($2,user_screen_ro_home_t,user_screen_ro_home_t) + relabel_files_pattern($2,user_screen_ro_home_t,user_screen_ro_home_t) + relabel_lnk_files_pattern($2,user_screen_ro_home_t,user_screen_ro_home_t) kernel_read_system_state($1_screen_t) kernel_read_kernel_sysctls($1_screen_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.2.7/policy/modules/apps/screen.te --- nsaserefpolicy/policy/modules/apps/screen.te 2007-12-19 05:32:09.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/apps/screen.te 2008-02-13 16:57:15.000000000 -0500 
@@ -11,3 +11,7 @@
 type screen_exec_t;
 application_executable_file(screen_exec_t)
+
+type user_screen_ro_home_t;
+userdom_user_home_content(user,user_screen_ro_home_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.2.7/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2007-10-02 09:54:50.000000000 -0400
+++ serefpolicy-3.2.7/policy/modules/apps/slocate.te 2008-02-13 16:57:15.000000000 -0500
@@ -39,6 +39,7 @@
 files_list_all(locate_t)
 files_getattr_all_files(locate_t)
+files_getattr_all_pipes(locate_t)
 files_getattr_all_sockets(locate_t)
 files_read_etc_runtime_files(locate_t)
 files_read_etc_files(locate_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.2.7/policy/modules/apps/thunderbird.fc
--- nsaserefpolicy/policy/modules/apps/thunderbird.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.7/policy/modules/apps/thunderbird.fc 2008-02-13 16:57:15.000000000 -0500
@@ -3,4 +3,4 @@
 #
 /usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
-HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:user_thunderbird_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-3.2.7/policy/modules/apps/thunderbird.if
--- nsaserefpolicy/policy/modules/apps/thunderbird.if 2007-12-06 13:12:03.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/apps/thunderbird.if 2008-02-13 16:57:15.000000000 -0500
@@ -43,9 +43,9 @@
 application_domain($1_thunderbird_t,thunderbird_exec_t)
 role $3 types $1_thunderbird_t;
- type $1_thunderbird_home_t alias $1_thunderbird_rw_t;
- files_poly_member($1_thunderbird_home_t)
- userdom_user_home_content($1, $1_thunderbird_home_t)
+ ifelse(`$1',`user',`',`
+ typealias user_thunderbird_home_t alias $1_thunderbird_home_t;
+ ')
 type $1_thunderbird_tmpfs_t;
 files_tmpfs_file($1_thunderbird_tmpfs_t)
@@ -64,9 +64,9 @@
 allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write };
 # Access ~/.thunderbird
- manage_dirs_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
- manage_files_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
- manage_lnk_files_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
+ manage_dirs_pattern($1_thunderbird_t,user_thunderbird_home_t,user_thunderbird_home_t)
+ manage_files_pattern($1_thunderbird_t,user_thunderbird_home_t,user_thunderbird_home_t)
+ manage_lnk_files_pattern($1_thunderbird_t,user_thunderbird_home_t,user_thunderbird_home_t)
 userdom_search_user_home_dirs($1,$1_thunderbird_t)
 manage_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
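Review bot: The removed `files_poly_member($1_thunderbird_home_t)` in the `@@ -43` hunk is not carried over to the new `user_thunderbird_home_t` declaration in thunderbird.te (its `@@ -8,3 +8,7 @@` hunk below has only `type` and `userdom_user_home_content`), so the thunderbird home type silently loses polyinstantiation membership, whereas nsplugin.te in this same patch keeps `files_poly_member(user_nsplugin_home_t)` for its equivalent type. The tvtime.if `@@ -46` hunk drops `files_poly_member($1_tvtime_home_t)` the same way and tvtime.te does not restore it either. Add `files_poly_member(user_thunderbird_home_t)` (and the tvtime counterpart) after the `userdom_user_home_content` call, or say why membership is no longer wanted. Also, unlike screen.if (`@@ -35`) and tvtime.if (`@@ -35`), no hunk here adds `type user_thunderbird_home_t;` to this template's `gen_require`, which sits above line 43 outside the hunk; if it is absent the type is out of scope wherever the template is expanded.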
@@ -87,13 +87,13 @@
 ps_process_pattern($2,$1_thunderbird_t)
 # Access ~/.thunderbird
- manage_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
- manage_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
- manage_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
-
- relabel_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
- relabel_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
- relabel_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
+ manage_dirs_pattern($2,user_thunderbird_home_t,user_thunderbird_home_t)
+ manage_files_pattern($2,user_thunderbird_home_t,user_thunderbird_home_t)
+ manage_lnk_files_pattern($2,user_thunderbird_home_t,user_thunderbird_home_t)
+
+ relabel_dirs_pattern($2,user_thunderbird_home_t,user_thunderbird_home_t)
+ relabel_files_pattern($2,user_thunderbird_home_t,user_thunderbird_home_t)
+ relabel_lnk_files_pattern($2,user_thunderbird_home_t,user_thunderbird_home_t)
 # Allow netstat
 kernel_read_network_state($1_thunderbird_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.te serefpolicy-3.2.7/policy/modules/apps/thunderbird.te
--- nsaserefpolicy/policy/modules/apps/thunderbird.te 2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/apps/thunderbird.te 2008-02-13 16:57:15.000000000 -0500
@@ -8,3 +8,7 @@
 type thunderbird_exec_t;
 application_executable_file(thunderbird_exec_t)
+
+type user_thunderbird_home_t alias user_thunderbird_rw_t;
+userdom_user_home_content(user, user_thunderbird_home_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.2.7/policy/modules/apps/tvtime.if
--- nsaserefpolicy/policy/modules/apps/tvtime.if 2007-07-23 10:20:12.000000000 -0400
+++ serefpolicy-3.2.7/policy/modules/apps/tvtime.if 2008-02-13 16:57:15.000000000 -0500
@@ -35,6 +35,7 @@ template(`tvtime_per_role_template',` gen_require(` type tvtime_exec_t; + type user_tvtime_home_t, user_tvtime_tmp_t; ') ######################################## @@ -46,12 +47,10 @@ application_domain($1_tvtime_t,tvtime_exec_t) role $3 types $1_tvtime_t; - type $1_tvtime_home_t alias $1_tvtime_rw_t; - userdom_user_home_content($1,$1_tvtime_home_t) - files_poly_member($1_tvtime_home_t) - - type $1_tvtime_tmp_t; - files_tmp_file($1_tvtime_tmp_t) + ifelse(`$1',`user',`',` + typealias user_tvtime_home_t alias $1_tvtime_home_t; + typealias user_tvtime_tmp_t alias $1_tvtime_tmp_t; + ') type $1_tvtime_tmpfs_t; files_tmpfs_file($1_tvtime_tmpfs_t) @@ -67,14 +66,14 @@ allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms; # X access, Home files - manage_dirs_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t) - manage_files_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t) - manage_lnk_files_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t) - userdom_user_home_dir_filetrans($1,$1_tvtime_t,$1_tvtime_home_t,dir) - - manage_dirs_pattern($1_tvtime_t,$1_tvtime_tmp_t,$1_tvtime_tmp_t) - manage_files_pattern($1_tvtime_t,$1_tvtime_tmp_t,$1_tvtime_tmp_t) - files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t,{ file dir }) + manage_dirs_pattern($1_tvtime_t,user_tvtime_home_t,user_tvtime_home_t) + manage_files_pattern($1_tvtime_t,user_tvtime_home_t,user_tvtime_home_t) + manage_lnk_files_pattern($1_tvtime_t,user_tvtime_home_t,user_tvtime_home_t) + userdom_user_home_dir_filetrans($1,$1_tvtime_t,user_tvtime_home_t,dir) + + manage_dirs_pattern($1_tvtime_t,user_tvtime_tmp_t,user_tvtime_tmp_t) + manage_files_pattern($1_tvtime_t,user_tvtime_tmp_t,user_tvtime_tmp_t) + files_tmp_filetrans($1_tvtime_t, user_tvtime_tmp_t,{ file dir }) manage_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t) manage_lnk_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t) 
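Review bot: In the `@@ -67,14 +66,14 @@` hunk the per-role `$1_tvtime_tmp_t` becomes a single `user_tvtime_tmp_t` that every `$1_tvtime_t` manages and `files_tmp_filetrans` into, so temp files created by tvtime under one role are fully manageable by tvtime running under any other role. For home content the per-user home directory still keeps users apart, but /tmp is shared, which makes the tmp collapse a stronger change than the home one and it should not ride along silently. If it is intended, say so at the `typealias user_tvtime_tmp_t alias $1_tvtime_tmp_t;` line; otherwise keep `type $1_tvtime_tmp_t; files_tmp_file($1_tvtime_tmp_t)` per role and only alias the home type. The enclosing template starts and ends outside these hunks.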
@@ -86,12 +85,12 @@
 domtrans_pattern($2, tvtime_exec_t, $1_tvtime_t)
 # X access, Home files
- manage_dirs_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
- manage_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
- manage_lnk_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
- relabel_dirs_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
- relabel_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
- relabel_lnk_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
+ manage_dirs_pattern($2,user_tvtime_home_t,user_tvtime_home_t)
+ manage_files_pattern($2,user_tvtime_home_t,user_tvtime_home_t)
+ manage_lnk_files_pattern($2,user_tvtime_home_t,user_tvtime_home_t)
+ relabel_dirs_pattern($2,user_tvtime_home_t,user_tvtime_home_t)
+ relabel_files_pattern($2,user_tvtime_home_t,user_tvtime_home_t)
+ relabel_lnk_files_pattern($2,user_tvtime_home_t,user_tvtime_home_t)
 # Allow the user domain to signal/ps.
 ps_process_pattern($2,$1_tvtime_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.te serefpolicy-3.2.7/policy/modules/apps/tvtime.te
--- nsaserefpolicy/policy/modules/apps/tvtime.te 2007-10-02 09:54:50.000000000 -0400
+++ serefpolicy-3.2.7/policy/modules/apps/tvtime.te 2008-02-13 16:57:15.000000000 -0500
@@ -11,3 +11,9 @@
 type tvtime_dir_t;
 files_pid_file(tvtime_dir_t)
+
+type user_tvtime_home_t alias user_tvtime_rw_t;
+userdom_user_home_content(user,user_tvtime_home_t)
+
+type user_tvtime_tmp_t;
+files_tmp_file(user_tvtime_tmp_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc serefpolicy-3.2.7/policy/modules/apps/uml.fc
--- nsaserefpolicy/policy/modules/apps/uml.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.7/policy/modules/apps/uml.fc 2008-02-13 16:57:15.000000000 -0500
@@ -1,7 +1,7 @@ # # HOME_DIR/ # -HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:ROLE_uml_rw_t,s0) +HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:user_uml_rw_t,s0) # # /usr diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.2.7/policy/modules/apps/userhelper.if --- nsaserefpolicy/policy/modules/apps/userhelper.if 2007-07-23 10:20:12.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/apps/userhelper.if 2008-02-13 16:57:15.000000000 -0500 @@ -181,24 +181,6 @@ nscd_socket_use($1_userhelper_t) ') - ifdef(`TODO',` - allow $1_userhelper_t xdm_t:fd use; - allow $1_userhelper_t xdm_var_run_t:dir search; - allow $1_userhelper_t xdm_t:fifo_file { getattr read write ioctl }; - - optional_policy(` - allow $1_userhelper_t gphdomain:fd use; - ') - optional_policy(` - domtrans_pattern($1_userhelper_t, xauth_exec_t, $1_xauth_t) - allow $1_userhelper_t $1_xauth_home_t:file { getattr read }; - ') - optional_policy(` - domtrans_pattern($1_mozilla_t, userhelper_exec_t, $1_userhelper_t) - ') - # for when the network connection is killed - dontaudit unpriv_userdomain $1_userhelper_t:process signal; - ') ') ######################################## @@ -240,29 +222,6 @@ ######################################## ## -## Allow domain to use userhelper file descriptor. -## -## -## -## The prefix of the domain, example user is the prefix of user_t. -## -## -## -## -## Domain allowed access. -## -## -# -template(`userhelper_use_user_fd',` - gen_require(` - type $1_userhelper_t; - ') - - allow $2 $1_userhelper_t:fd use; -') - -######################################## -## ## Allow domain to send sigchld to userhelper. ## ## 
@@ -278,7 +237,7 @@ # template(`userhelper_sigchld_user',` gen_require(` - type $1_userhelper_t; + type userhelper_exec_t; ') allow $2 $1_userhelper_t:process sigchld; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.2.7/policy/modules/apps/vmware.fc --- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-10-12 08:56:02.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/apps/vmware.fc 2008-02-13 16:57:15.000000000 -0500 @@ -1,9 +1,9 @@ # # HOME_DIR/ # -HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0) -HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:ROLE_vmware_conf_t,s0) -HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0) +HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:user_vmware_file_t,s0) +HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:user_vmware_conf_t,s0) +HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:user_vmware_file_t,s0) # # /etc 
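Review bot: `userhelper_sigchld_user` now requires `type userhelper_exec_t;` but its only rule is still `allow $2 $1_userhelper_t:process sigchld;`, so the `gen_require` no longer declares the type the rule uses and declares one it does not use; the template will fail to expand wherever `$1_userhelper_t` is not otherwise in scope. Keep `type $1_userhelper_t;` in the require block and drop `userhelper_exec_t` unless a rule outside the hunk needs it. The `@@ -240` hunk above also deletes the `userhelper_use_user_fd` template outright; any module still calling it breaks at build time, so that removal is worth a sentence in the change description.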
@@ -21,19 +21,25 @@ /usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0) /usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0) /usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) /usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) /usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/lib/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/lib64/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) /usr/lib64/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) /usr/lib64/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/lib64/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/lib64/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) ifdef(`distro_gentoo',` /opt/vmware/workstation/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) 
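Review bot: The new `/usr/sbin/vmware-guest.*` and `/usr/sbin/vmware-serverd` entries are inserted in the middle of the sorted `/usr/bin/vmware-*` run, and in the `@@ -49` hunk below the `/usr/lib/vmware-tools/sbin32|sbin64/vmware.*` entries are appended after the `/var/...` lines and after the Gentoo `ifdef` block instead of in the `/usr` section. Keeping .fc files ordered by path is what keeps later diffs readable, so move the `/usr/sbin` lines after the `/usr/lib64/vmware/...` group and the `vmware-tools` lines next to them. `sbin32/vmware.*` also matches any file whose name starts with `vmware`; `vmware-.*` would be tighter if only the hyphenated helpers are meant.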
@@ -49,3 +55,8 @@ /opt/vmware/workstation/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0) /opt/vmware/workstation/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) ') +/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) +/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) +/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) +/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.2.7/policy/modules/apps/vmware.if --- nsaserefpolicy/policy/modules/apps/vmware.if 2007-02-19 11:32:52.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/apps/vmware.if 2008-02-13 16:57:15.000000000 -0500 @@ -202,3 +202,22 @@ allow $1 vmware_sys_conf_t:file append; ') + +######################################## +## +## Append to VMWare log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`vmware_append_log',` + gen_require(` + type vmware_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1,vmware_log_t,vmware_log_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.2.7/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2007-12-19 05:32:09.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/apps/vmware.te 2008-02-13 16:57:15.000000000 -0500 
@@ -22,17 +22,21 @@ type vmware_var_run_t; files_pid_file(vmware_var_run_t) +type vmware_log_t; +logging_log_file(vmware_log_t) + ######################################## # # VMWare host local policy # -allow vmware_host_t self:capability { setuid net_raw }; +allow vmware_host_t self:capability { setgid setuid net_raw }; dontaudit vmware_host_t self:capability sys_tty_config; -allow vmware_host_t self:process signal_perms; +allow vmware_host_t self:process { execstack execmem signal_perms }; allow vmware_host_t self:fifo_file rw_fifo_file_perms; allow vmware_host_t self:unix_stream_socket create_stream_socket_perms; allow vmware_host_t self:rawip_socket create_socket_perms; +allow vmware_host_t self:tcp_socket create_socket_perms; # cjp: the ro and rw files should be split up manage_files_pattern(vmware_host_t,vmware_sys_conf_t,vmware_sys_conf_t) @@ -41,6 +45,11 @@ manage_sock_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t) files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file }) +manage_files_pattern(vmware_host_t,vmware_log_t,vmware_log_t) +logging_log_filetrans(vmware_host_t,vmware_log_t,{ file dir }) + +files_search_home(vmware_host_t) + kernel_read_kernel_sysctls(vmware_host_t) kernel_list_proc(vmware_host_t) kernel_read_proc_symlinks(vmware_host_t) @@ -63,6 +72,7 @@ corenet_sendrecv_all_server_packets(vmware_host_t) dev_read_sysfs(vmware_host_t) +dev_read_urand(vmware_host_t) dev_rw_vmware(vmware_host_t) domain_use_interactive_fds(vmware_host_t) 
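Review bot: The `@@ -22` hunk widens `vmware_host_t` with `setgid`, `execstack`, `execmem` and `tcp_socket create_socket_perms`, and the `@@ -41` hunk adds `files_search_home`, without a comment saying which component needs each; `execstack` and `execmem` in particular switch off the W^X checks for the domain and should carry a one-line justification in the style of the `# cjp:` note already in this file. Also note that the `@@ -99` hunk below makes `vmware_host_t` an `unconfined_domain` when the unconfined module is present, in which case these fine-grained additions only matter on builds without it.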
@@ -99,14 +109,12 @@ ') netutils_domtrans_ping(vmware_host_t) -ifdef(`TODO',` -# VMWare need access to pcmcia devices for network optional_policy(` -allow kernel_t cardmgr_var_lib_t:dir { getattr search }; -allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read }; + unconfined_domain(vmware_host_t) ') -# Vmware create network devices -allow kernel_t self:capability net_admin; -allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write }; -allow kernel_t self:socket create; + +optional_policy(` + xserver_xdm_rw_shm(vmware_host_t) ') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.2.7/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2007-09-12 10:34:17.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/apps/wine.if 2008-02-13 16:57:15.000000000 -0500 @@ -49,3 +49,53 @@ role $2 types wine_t; allow wine_t $3:chr_file rw_term_perms; ') + +####################################### +## +## The per role template for the wine module. +## +## +##
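Review bot: `unconfined_domain(vmware_host_t)` inside an `optional_policy` block removes the confinement of `vmware_host_t` on every system that loads the unconfined module, and it silently supersedes the remaining rules in this file, including the `vmware_log_t` and capability additions above. If this is a fallback for setups where the host tooling does not work confined, a `tunable_policy` keyed on a boolean would let administrators opt in rather than lose confinement by default; at minimum a comment at that line should state why it is unconditional. The hunk also leaves two trailing empty `+` lines at end of file.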

+## This template creates a derived domains which are used +## for wine applications. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# +template(`wine_per_role_template',` + gen_require(` + type wine_exec_t; + ') + + type $1_wine_t; + domain_type($1_wine_t) + domain_entry_file($1_wine_t,wine_exec_t) + role $3 types $1_wine_t; + + domain_interactive_fd($1_wine_t) + + userdom_unpriv_usertype($1, $1_wine_t) + + allow $1_wine_t self:process { execheap execmem }; + + domtrans_pattern($2, wine_exec_t, $1_wine_t) + + optional_policy(` + xserver_xdm_rw_shm($1_wine_t) + ') +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.2.7/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2007-12-19 05:32:09.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/apps/wine.te 2008-02-13 16:57:15.000000000 -0500 @@ -9,6 +9,7 @@ type wine_t; type wine_exec_t; application_domain(wine_t,wine_exec_t) +role system_r types wine_t; ######################################## # @@ -17,10 +18,16 @@ optional_policy(` allow wine_t self:process { execstack execmem execheap }; + domain_mmap_low(wine_t) unconfined_domain_noaudit(wine_t) files_execmod_all_files(wine_t) - optional_policy(` - hal_dbus_chat(wine_t) - ') +') + +optional_policy(` + hal_dbus_chat(wine_t) +') + +optional_policy(` + xserver_xdm_rw_shm(wine_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.7/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/kernel/corecommands.fc 2008-02-13 16:57:15.000000000 -0500 
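Review bot: `wine_per_role_template` declares `$1_wine_t` via `domain_type` plus `domain_entry_file` while wine.te declares `wine_t` with `application_domain(wine_t,wine_exec_t)`; using `application_domain($1_wine_t, wine_exec_t)` here keeps the two consistent and gives the derived domain the same base rules. `userdom_unpriv_usertype($1, $1_wine_t)` turns an application domain into a full unprivileged user type, which is a broad grant; if Wine genuinely needs it, a comment explaining why would help the next reader. The template's description should also mention that `$1_wine_t` always gets `execheap execmem`, unlike `wine_t`, which only receives them inside the unconfined `optional_policy` block, since that is the property a policy writer choosing between the two will care about.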
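Review bot: `domain_mmap_low(wine_t)` is added to the unconfined `optional_policy` block without a comment; mapping the lowest address range is exactly what `mmap_min_addr` exists to prevent, and a reader should not have to know Wine internals to see why it is granted here. A line such as `# Wine maps low memory for legacy 16-bit/DOS binaries` (if that is the actual driver) would do. The block's opening `optional_policy(` line and its condition are outside the hunk.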
@@ -7,11 +7,11 @@ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0) - # # /dev # @@ -58,6 +58,8 @@ /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/NetworkManager/dispatcher.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + /etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0) /etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0) /etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0) @@ -67,6 +69,12 @@ /etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0) + +/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) +/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) +/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) +/etc/sysconfig/netconsole -- gen_context(system_u:object_r:bin_t,s0) +/etc/sysconfig/readonly-root -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/network-scripts/ifup-.* -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/network-scripts/ifup-.* -l gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0) @@ -127,6 +135,8 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') +/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) + # # /usr # 
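Review bot: `/usr/bin/git-shell` is inserted in the middle of the `/bin/*` shell list rather than beside the other `/usr/*` shells (`/usr/bin/scponly`, `/usr/sbin/sesh` in a later hunk), which makes the file harder to scan; move it next to those. Labeling `/etc/sysconfig/crond`, `init`, `libvirtd`, `netconsole` and `readonly-root` as bin_t treats what look like sourced configuration files as executables; if they are only sourced by init scripts the etc_t label they would otherwise carry is narrower, so a comment stating why bin_t is required would help the next reviewer.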
@@ -144,10 +154,7 @@ /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/cups/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/cups/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/cups(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) @@ -186,7 +193,10 @@ /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) 
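Review bot: collapsing the four cups entries into `/usr/lib(64)?/cups(/.*)?` labels everything under /usr/lib/cups as bin_t, including any non-executable data or configuration that lands there, which widens what bin-executing domains may run; the replaced `cgi-bin/.* --` entry was additionally limited to regular files. If the goal is only to cover new subdirectories, listing them keeps the executable label on directories that actually hold executables.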
@@ -284,3 +294,9 @@
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
 ')
+/usr/lib(64)?/nspluginwrapper/npconfig gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/nspluginwrapper/npviewer gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.7/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-11-14 08:17:58.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/kernel/corecommands.if 2008-02-13 16:57:15.000000000 -0500
@@ -875,6 +875,7 @@
 
 read_lnk_files_pattern($1,bin_t,bin_t)
 can_exec($1,chroot_exec_t)
+ allow $1 self:capability sys_chroot;
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.2.7/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-02-01 09:12:53.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/kernel/corenetwork.if.in 2008-02-13 16:57:15.000000000 -0500
@@ -1441,10 +1441,11 @@
 #
 interface(`corenet_tcp_bind_all_unreserved_ports',`
 gen_require(`
- attribute port_type, reserved_port_type;
+ attribute port_type;
+ type hi_reserved_port_t, reserved_port_t;
 ')
 
- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
+ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:udp_socket name_bind;
 ')
 
 ########################################
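Review bot: `allow $1 self:capability sys_chroot;` hands the capability to every caller of this interface, not just the ability to execute the chroot binary it previously provided, so callers that only needed to run chroot now silently acquire CAP_SYS_CHROOT as well. A separate interface for the capability, or at least an update to the interface's summary saying it now grants sys_chroot, keeps existing callers from picking it up unknowingly. The enclosing interface's header and doc block start outside the hunk.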
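Review bot: the rewritten rule in corenet_tcp_bind_all_unreserved_ports binds `udp_socket`, but this is the TCP interface, so it should read `allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:tcp_socket name_bind;` — as written the interface stops granting TCP bind and instead hands out UDP bind, identical to its UDP twin in the next hunk. Separately, replacing the `reserved_port_type` attribute with the two explicit types shrinks the excluded set: the `biff_port_t` declaration elsewhere in this diff shows other low-numbered port types carry `reserved_port_type`, so those ports would presumably become bindable through this "unreserved" interface; confirm that widening is intended and say so in a comment.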
@@ -1459,10 +1460,10 @@
 #
 interface(`corenet_udp_bind_all_unreserved_ports',`
 gen_require(`
- attribute port_type, reserved_port_type;
+ type hi_reserved_port_t, reserved_port_t;
 ')
 
- allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
+ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:udp_socket name_bind;
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.7/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-01 09:12:53.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/kernel/corenetwork.te.in 2008-02-13 16:57:15.000000000 -0500
@@ -82,6 +82,7 @@
 network_port(clockspeed, udp,4041,s0)
 network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
 network_port(comsat, udp,512,s0)
+network_port(cyphesis, udp,32771,s0, tcp,6767,s0, tcp,6769,s0)
 network_port(cvs, tcp,2401,s0, udp,2401,s0)
 network_port(dcc, udp,6276,s0, udp,6277,s0)
 network_port(dbskkd, tcp,1178,s0)
@@ -91,6 +92,7 @@
 network_port(distccd, tcp,3632,s0)
 network_port(dns, udp,53,s0, tcp,53,s0)
 network_port(fingerd, tcp,79,s0)
+network_port(flash, tcp,1935,s0, udp,1935,s0)
 network_port(ftp_data, tcp,20,s0)
 network_port(ftp, tcp,21,s0)
 network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
@@ -122,6 +124,8 @@
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
+network_port(munin, tcp,4949,s0, udp,4949,s0)
+network_port(mythtv, tcp,6543,s0, udp,6543,s0)
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
 portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
 network_port(nessus, tcp,1241,s0)
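Review bot: the gen_require in corenet_udp_bind_all_unreserved_ports drops `attribute port_type;` while the rule below still references `port_type`; the TCP twin in the previous hunk keeps it, so the two blocks should match: `attribute port_type;` followed by `type hi_reserved_port_t, reserved_port_t;`. The same narrowing of the excluded set from the `reserved_port_type` attribute to two explicit types noted on the TCP hunk applies here.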
@@ -133,10 +137,12 @@ network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(postfix_policyd, tcp,10031,s0) +network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postgresql, tcp,5432,s0) network_port(postgrey, tcp,60000,s0) +network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pxe, udp,4011,s0) @@ -148,7 +154,7 @@ network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) -network_port(router, udp,520,s0) +network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0) network_port(rsh, tcp,514,s0) network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) @@ -170,7 +176,11 @@ network_port(transproxy, tcp,8081,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) +network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) + network_port(vnc, tcp,5900,s0) +# Reserve 100 ports for vnc/virt machines +portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t, s0) network_port(wccp, udp,2048,s0) network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in.cyphesis serefpolicy-3.2.7/policy/modules/kernel/corenetwork.te.in.cyphesis --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in.cyphesis 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/kernel/corenetwork.te.in.cyphesis 2008-02-13 16:57:15.000000000 -0500 
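Review bot: `network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)` has a stray space after `udp,` unlike every other declaration in the file; m4 strips leading argument whitespace so it likely still builds, but the generated portcon should be checked and the line normalized to `udp,11371,s0`. The comment `# Reserve 100 ports for vnc/virt machines` above the new `portcon tcp 5901-5999` line describes 99 ports plus the 5900 declared by `network_port(vnc, ...)`; `# 5900 from network_port(vnc) plus 5901-5999: 100 ports for vnc/virt guests` says exactly what is reserved.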
@@ -0,0 +1,246 @@ + +policy_module(corenetwork,1.2.14) + +######################################## +# +# Declarations +# + +attribute client_packet_type; +attribute netif_type; +attribute node_type; +attribute packet_type; +attribute port_type; +attribute reserved_port_type; +attribute rpc_port_type; +attribute server_packet_type; + +attribute corenet_unconfined_type; + +type ppp_device_t; +dev_node(ppp_device_t) + +# +# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/* +# +type tun_tap_device_t; +dev_node(tun_tap_device_t) + +######################################## +# +# Ports and packets +# + +# +# client_packet_t is the default type of IPv4 and IPv6 client packets. +# +type client_packet_t, packet_type, client_packet_type; + +# +# The netlabel_peer_t is used by the kernel's NetLabel subsystem for network +# connections using NetLabel which do not carry full SELinux contexts. +# +type netlabel_peer_t; +sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh) + +# +# port_t is the default type of INET port numbers. +# +type port_t, port_type; +sid port gen_context(system_u:object_r:port_t,s0) + +# +# reserved_port_t is the type of INET port numbers below 1024. +# +type reserved_port_t, port_type, reserved_port_type; + +# +# hi_reserved_port_t is the type of INET port numbers between 600-1023. +# +type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; + +# +# server_packet_t is the default type of IPv4 and IPv6 server packets. 
+# +type server_packet_t, packet_type, server_packet_type; + +network_port(afs_bos, udp,7007,s0) +network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) +network_port(afs_ka, udp,7004,s0) +network_port(afs_pt, udp,7002,s0) +network_port(afs_vl, udp,7003,s0) +network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0) +network_port(amavisd_recv, tcp,10024,s0) +network_port(amavisd_send, tcp,10025,s0) +network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) +network_port(apcupsd, tcp,3551,s0, udp,3551,s0) +network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0) +network_port(auth, tcp,113,s0) +network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) +type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict +network_port(clamd, tcp,3310,s0) +network_port(clockspeed, udp,4041,s0) +network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) +network_port(comsat, udp,512,s0) +network_port(cvs, tcp,2401,s0, udp,2401,s0) +network_port(dcc, udp,6276,s0, udp,6277,s0) +network_port(dbskkd, tcp,1178,s0) +network_port(dhcpc, udp,68,s0) +network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0) +network_port(dict, tcp,2628,s0) +network_port(distccd, tcp,3632,s0) +network_port(dns, udp,53,s0, tcp,53,s0) +network_port(fingerd, tcp,79,s0) +network_port(ftp_data, tcp,20,s0) +network_port(ftp, tcp,21,s0) +network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) +network_port(giftd, tcp,1213,s0) +network_port(gopher, tcp,70,s0, udp,70,s0) +network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy +network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss 
default port +network_port(howl, tcp,5335,s0, udp,5353,s0) +network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) +network_port(i18n_input, tcp,9010,s0) +network_port(imaze, tcp,5323,s0, udp,5323,s0) +network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) +network_port(innd, tcp,119,s0) +network_port(ipp, tcp,631,s0, udp,631,s0) +network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) +network_port(ircd, tcp,6667,s0) +network_port(isakmp, udp,500,s0) +network_port(iscsi, tcp,3260,s0) +network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) +network_port(jabber_interserver, tcp,5269,s0) +network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) +network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) +network_port(ktalkd, udp,517,s0, udp,518,s0) +network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) +type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon +network_port(lmtp, tcp,24,s0, udp,24,s0) +network_port(mail, tcp,2000,s0) +network_port(mmcc, tcp,5050,s0, udp,5050,s0) +network_port(monopd, tcp,1234,s0) +network_port(msnp, tcp,1863,s0, udp,1863,s0) +network_port(munin, tcp,4949,s0, udp,4949,s0) +network_port(mythtv, tcp,6543,s0, udp,6543,s0) +network_port(mysqld, tcp,1186,s0, tcp,3306,s0) +portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) +network_port(nessus, tcp,1241,s0) +network_port(netsupport, tcp,5405,s0, udp,5405,s0) +network_port(nmbd, udp,137,s0, udp,138,s0) +network_port(ntp, udp,123,s0) 
+network_port(ocsp, tcp,9080,s0) +network_port(openvpn, tcp,1194,s0, udp,1194,s0) +network_port(pegasus_http, tcp,5988,s0) +network_port(pegasus_https, tcp,5989,s0) +network_port(postfix_policyd, tcp,10031,s0) +network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) +network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) +network_port(portmap, udp,111,s0, tcp,111,s0) +network_port(postgresql, tcp,5432,s0) +network_port(postgrey, tcp,60000,s0) +network_port(printer, tcp,515,s0) +network_port(ptal, tcp,5703,s0) +network_port(pxe, udp,4011,s0) +network_port(pyzor, udp,24441,s0) +network_port(radacct, udp,1646,s0, udp,1813,s0) +network_port(radius, udp,1645,s0, udp,1812,s0) +network_port(razor, tcp,2703,s0) +network_port(ricci, tcp,11111,s0, udp,11111,s0) +network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) +network_port(rlogind, tcp,513,s0) +network_port(rndc, tcp,953,s0) +network_port(router, udp,520,s0) +network_port(rsh, tcp,514,s0) +network_port(rsync, tcp,873,s0, udp,873,s0) +network_port(rwho, udp,513,s0) +network_port(smbd, tcp,139,s0, tcp,445,s0) +network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) +network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) +network_port(spamd, tcp,783,s0) +network_port(ssh, tcp,22,s0) +network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) +type socks_port_t, port_type; dnl network_port(socks) # no defined portcon +type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict +network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp +network_port(swat, tcp,901,s0) +network_port(syslogd, udp,514,s0) +network_port(telnetd, tcp,23,s0) +network_port(tftp, udp,69,s0) +network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0) +network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, 
udp,64010,s0) +network_port(transproxy, tcp,8081,s0) +type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon +network_port(uucpd, tcp,540,s0) +network_port(vnc, tcp,5900,s0) +network_port(wccp, udp,2048,s0) +network_port(xdmcp, udp,177,s0, tcp,177,s0) +network_port(xen, tcp,8002,s0) +network_port(xfs, tcp,7100,s0) +network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0, tcp,6020,s0) +network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0) +network_port(zope, tcp,8021,s0) + +# Defaults for reserved ports. Earlier portcon entries take precedence; +# these entries just cover any remaining reserved ports not otherwise declared. + +portcon tcp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +portcon udp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +portcon tcp 1-599 gen_context(system_u:object_r:reserved_port_t, s0) +portcon udp 1-599 gen_context(system_u:object_r:reserved_port_t, s0) + +######################################## +# +# Network nodes +# + +# +# node_t is the default type of network nodes. +# The node_*_t types are used for specific network +# nodes in net_contexts or net_contexts.mls. 
+# +type node_t, node_type; +sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh) + +network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::) +network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255) +type node_internal_t, node_type; dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy +network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, ) +network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255) +network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::) +network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) +network_node(site_local, s0, fec0::, ffc0::) +network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) + +######################################## +# +# Network Interfaces +# + +# +# netif_t is the default type of network interfaces. +# +type netif_t, netif_type; +sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) + +build_option(`enable_mls',` +network_interface(lo, lo,s0 - mls_systemhigh) +',` +typealias netif_t alias netif_lo_t; +') + +######################################## +# +# Unconfined access to this module +# + +allow corenet_unconfined_type node_type:node *; +allow corenet_unconfined_type netif_type:netif *; +allow corenet_unconfined_type packet_type:packet *; +allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect }; +allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; + +# Bind to any network address. 
+allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind; +allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.2.7/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-12-12 11:35:27.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/kernel/devices.fc 2008-02-13 16:57:15.000000000 -0500 @@ -1,7 +1,7 @@ /dev -d gen_context(system_u:object_r:device_t,s0) /dev/.* gen_context(system_u:object_r:device_t,s0) - +/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0) 
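Review bot: `corenetwork.te.in.cyphesis` is a 246-line copy of corenetwork.te.in that already diverges from the real file in this same diff (it lacks the `cyphesis`, `flash`, `prelude` and `virt` ports and the router/vnc changes, and keeps `network_port(router, udp,520,s0)`), which reads like a scratch or backup copy committed by accident. Two near-identical port tables will only drift further; if nothing in the build consumes this file it should be dropped, and if something does, a header comment naming what selects it is needed.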
@@ -16,28 +16,40 @@ /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0) +/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) /dev/full -c gen_context(system_u:object_r:null_device_t,s0) +/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0) +/dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0) /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0) +/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) +/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) +/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmsg -c 
gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) +/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0) /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) @@ -48,6 +60,7 @@ /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0) /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) @@ -69,9 +82,8 @@ /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) -/dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) -/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0) -/dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) +/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) +/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) 
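Review bot: `/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)` labels every character device under /dev whose name starts with a digit as a USB device; sitting next to `/dev/fw.*` it looks like a typo for a narrower pattern, and as written it is a catch-all that will mislabel unrelated nodes. Replacing the three usb entries with `/dev/usb.+ -c` only keeps printers correct because the more specific `/dev/usblp.*` (printer_device_t) and the suse `/dev/usbscanner` entries come later in the file and take precedence; a comment recording that ordering dependency, e.g. `# keep /dev/usblp.* and /dev/usbscanner below this line: later match wins`, prevents a future reorder from relabeling them.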
@@ -98,13 +110,23 @@ /dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/input/keyboard.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0) +/dev/pc110pad -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0) +/dev/bometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) +/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/pts(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.7/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/kernel/devices.if 2008-02-13 16:57:15.000000000 -0500 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1,device_t,device_node) relabelfrom_files_pattern($1,device_t,device_node) - relabelfrom_lnk_files_pattern($1,device_t,device_node) + relabelfrom_lnk_files_pattern($1,device_t,{ device_t device_node }) relabelfrom_fifo_files_pattern($1,device_t,device_node) relabelfrom_sock_files_pattern($1,device_t,device_node) relabel_blk_files_pattern($1,device_t,{ device_t device_node }) 
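Review bot: `/dev/bometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0)` is presumably a misspelling of `/dev/biometric/sensor.*`; as written the entry never matches and such sensors keep the generic device_t label from `/dev/.*`. Confirm the path against the driver and fix the spelling.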
@@ -167,6 +167,25 @@
 
 ########################################
 ##
+## Manage of directories in /dev.
+##
+##
+##
+## Domain allowed to relabel.
+##
+##
+#
+interface(`dev_manage_generic_dirs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ manage_dirs_pattern($1,device_t,device_t)
+')
+
+
+########################################
+##
 ## Delete a directory in the device directory.
 ##
 ##
@@ -667,6 +686,7 @@
 ')
 
 dontaudit $1 device_node:blk_file getattr;
+ dev_dontaudit_getattr_generic_blk_files($1)
 ')
 
 ########################################
@@ -704,6 +724,7 @@
 ')
 
 dontaudit $1 device_node:chr_file getattr;
+ dev_dontaudit_getattr_generic_chr_files($1)
 ')
 
 ########################################
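Review bot: the doc block of `dev_manage_generic_dirs` describes its parameter as `Domain allowed to relabel.`, copied from a relabel interface, while the rule grants `manage_dirs_pattern`; the summary and parameter text should read `Create, read, write, and delete directories in /dev.` and `Domain allowed access.`. The two empty `+` lines before the following `####` separator also differ from the single blank line used between the other interfaces in this file.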
@@ -2787,6 +2808,97 @@ ######################################## ## +## Read and write generic the USB fifo files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_generic_usb_pipes',` + gen_require(` + type usb_device_t; + ') + + allow $1 device_t:dir search_dir_perms; + allow $1 usb_device_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## +## Get the attributes of the kvm devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_kvm_dev',` + gen_require(` + type device_t, kvm_device_t; + ') + + getattr_chr_files_pattern($1,device_t,kvm_device_t) +') + +######################################## +## +## Set the attributes of the kvm devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_kvm_dev',` + gen_require(` + type device_t, kvm_device_t; + ') + + setattr_chr_files_pattern($1,device_t,kvm_device_t) +') + +######################################## +## +## Read the kvm devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_kvm',` + gen_require(` + type device_t, kvm_device_t; + ') + + read_chr_files_pattern($1,device_t,kvm_device_t) +') + +######################################## +## +## Read and write to kvm devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_kvm',` + gen_require(` + type device_t, kvm_device_t; + ') + + rw_chr_files_pattern($1,device_t,kvm_device_t) +') + +######################################## +## ## Mount a usbfs filesystem. ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.2.7/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2007-12-19 05:32:07.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/kernel/devices.te 2008-02-13 16:57:15.000000000 -0500 
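Review bot: `dev_rw_generic_usb_pipes` uses `device_t` in `allow $1 device_t:dir search_dir_perms;` but its gen_require only declares `type usb_device_t;`; the four kvm interfaces below correctly require `type device_t, kvm_device_t;`, so this one should read `type device_t, usb_device_t;`, otherwise a module calling it will presumably fail to build on the undeclared type. The summary `Read and write generic the USB fifo files.` has its word order scrambled (`Read and write generic USB fifo files.`), and `dev_read_kvm`/`dev_rw_kvm` drop the `_dev` suffix that their siblings `dev_getattr_kvm_dev`/`dev_setattr_kvm_dev` use; pick one naming scheme before these gain callers.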
@@ -66,12 +66,25 @@ dev_node(framebuf_device_t) # +# Type for /dev/ipmi/0 +# +type ipmi_device_t; +dev_node(ipmi_device_t) + +# # Type for /dev/kmsg # type kmsg_device_t; dev_node(kmsg_device_t) # +# kvm_device_t is the type of +# /dev/kvm +# +type kvm_device_t; +dev_node(kvm_device_t) + +# # Type for /dev/mapper/control # type lvm_control_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.2.7/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2007-12-19 05:32:07.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/kernel/domain.te 2008-02-14 15:03:13.000000000 -0500 @@ -5,6 +5,13 @@ # # Declarations # +## +##

+## Allow all domains to use other domains file descriptors +##

+##
+# +gen_tunable(allow_domain_fd_use, true) # Mark process types as domains attribute domain; @@ -85,6 +92,7 @@ # a keyring kernel_dontaudit_search_key(domain) kernel_dontaudit_link_key(domain) +userdom_dontaudit_search_all_users_keys(domain) # create child processes in the domain allow domain self:process { fork sigchld }; @@ -140,7 +148,7 @@ # For /proc/pid allow unconfined_domain_type domain:dir list_dir_perms; -allow unconfined_domain_type domain:file read_file_perms; +allow unconfined_domain_type domain:file rw_file_perms; allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys @@ -148,3 +156,26 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) + +tunable_policy(`allow_domain_fd_use',` + # Allow all domains to use fds past to them + allow domain domain:fd use; +') + +optional_policy(` + cron_dontaudit_write_system_job_tmp_files(domain) +') + +optional_policy(` + rpm_rw_pipes(domain) + rpm_dontaudit_use_script_fds(domain) +') + +optional_policy(` + rhgb_dontaudit_use_ptys(domain) +') + +optional_policy(` + unconfined_dontaudit_rw_pipes(domain) + unconfined_sigchld(domain) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.7/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/kernel/files.if 2008-02-13 16:57:15.000000000 -0500 @@ -1266,6 +1266,24 @@ ######################################## ## +## Remove entries from the tmp directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_tmp_dir_entry',` + gen_require(` + type root_t; + ') + + allow $1 tmp_t:dir del_entry_dir_perms; +') + +######################################## +## ## Unmount a rootfs filesystem. ## ## 
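Review bot: `gen_tunable(allow_domain_fd_use, true)` together with `allow domain domain:fd use;` in the last domain.te hunk lets any domain use file descriptors inherited from or passed by any other domain by default, which removes a cross-domain boundary without anyone opting in, and the tunable's description gives no rationale. Consider a `false` default with the reasoning in the description, or at least a comment above the tunable explaining why it must be on by default. `allow unconfined_domain_type domain:file rw_file_perms;` in the third hunk likewise widens unconfined access to every domain's /proc/<pid> files from read to read-write without a comment.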
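Review bot: `files_delete_tmp_dir_entry` requires `type root_t;` but its only rule is `allow $1 tmp_t:dir del_entry_dir_perms;`, so the gen_require should be `type tmp_t;`; as written, a module calling this interface would presumably fail on the undeclared tmp_t while pulling in an unused root_t requirement.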
@@ -4717,7 +4735,6 @@ files_search_home($1) corecmd_exec_bin($1) seutil_domtrans_setfiles($1) - mount_domtrans($1) ') ') @@ -4756,3 +4773,54 @@ allow $1 { file_type -security_file_type }:dir manage_dir_perms; ') + +######################################## +## +## Create a core files in / +## +## +##

+## Create a core file in /, +##

+##
+## +## +## Domain allowed access. +## +## +## +# +interface(`files_dump_core',` + gen_require(` + type root_t; + ') + + allow $1 root_t:dir rw_dir_perms; + allow $1 root_t:file { create getattr write }; +') + +######################################## +## +## Create a default directory in / +## +## +##

+## Create a default_t direcrory in / +##

+##
+## +## +## Domain allowed access. +## +## +## +# +interface(`files_create_default_dir',` + gen_require(` + type root_t, default_t; + ') + + allow $1 default_t:dir create; + filetrans_pattern($1,root_t,default_t,dir) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.2.7/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2007-12-19 05:32:07.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/kernel/files.te 2008-02-13 16:57:15.000000000 -0500 @@ -55,6 +55,8 @@ # compatibility aliases for removed types: typealias etc_t alias automount_etc_t; typealias etc_t alias snmpd_etc_t; +typealias etc_t alias gconf_etc_t; +typealias etc_t alias hplip_etc_t; # # etc_runtime_t is the type of various diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.2.7/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-24 15:00:24.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/kernel/filesystem.if 2008-02-13 16:57:15.000000000 -0500 @@ -310,6 +310,25 @@ ######################################## ## +## Read and write files on hugetlbfs files +## file systems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_rw_hugetlbfs_files',` + gen_require(` + type hugetlbfs_t; + + ') + + rw_files_pattern($1,hugetlbfs_t,hugetlbfs_t) +') +######################################## +## ## Mount an automount pseudo filesystem. ## ## @@ -1171,6 +1190,25 @@ ######################################## ## +## Create, read, write, and delete dirs +## on a DOS filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_manage_dos_dirs',` + gen_require(` + type dosfs_t; + ') + + manage_dirs_pattern($1,dosfs_t,dosfs_t) +') + +######################################## +## ## Create, read, write, and delete files ## on a DOS filesystem. ## 
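Review bot: the summaries of the two new files.if interfaces have typos — `Create a core files in /` should read `Create a core file in /`, and `Create a default_t direcrory in /` should read `Create a default_t directory in /`. `files_dump_core` grants `root_t:dir rw_dir_perms` plus `file { create getattr write }`; a short comment naming the domain that needs to write core files into the root directory would document why this broad location is acceptable.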
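Review bot: `fs_rw_hugetlbfs_files` has a stray blank line inside its `gen_require` block and no blank line before the `####` separator of the following interface, unlike every other interface in filesystem.if; remove the inner blank and add one after the closing `')`. The summary `Read and write files on hugetlbfs files file systems.` also duplicates "files" — `Read and write files on hugetlbfs file systems.` reads cleanly.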
@@ -1625,7 +1663,7 @@ type nfs_t; ') - dontaudit $1 nfs_t:file { read write }; + dontaudit $1 nfs_t:file rw_file_perms; ') ######################################## @@ -3039,6 +3077,25 @@ ######################################## ## +## Read and write block nodes on removable filesystems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_rw_removable_blk_files',` + gen_require(` + type removable_t; + ') + + allow $1 removable_t:dir list_dir_perms; + rw_blk_files_pattern($1,removable_t,removable_t) +') + +######################################## +## ## Relabel block nodes on tmpfs filesystems. ## ## 
@@ -3551,3 +3608,83 @@ relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs) relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs) ') + +######################################## +## +## Create, read, write, and delete directories +## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_manage_fusefs_dirs',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:dir manage_dir_perms; +') + +######################################## +## +## Do not audit attempts to create, read, +## write, and delete directories +## on a FUSEFS filesystem. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_manage_fusefs_dirs',` + gen_require(` + type fusefs_t; + ') + + dontaudit $1 fusefs_t:dir manage_dir_perms; +') + +######################################## +## +## Create, read, write, and delete files +## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_manage_fusefs_files',` + gen_require(` + type fusefs_t; + ') + + manage_files_pattern($1,fusefs_t,fusefs_t) +') + +######################################## +## +## Do not audit attempts to create, +## read, write, and delete files +## on a FUSEFS filesystem. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_manage_fusefs_files',` + gen_require(` + type fusefs_t; + ') + + dontaudit $1 fusefs_t:file manage_file_perms; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.2.7/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-12-19 05:32:07.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/kernel/filesystem.te 2008-02-13 16:57:15.000000000 -0500 
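Review bot: fs_manage_fusefs_dirs and fs_dontaudit_manage_fusefs_dirs write their rules as raw `allow $1 fusefs_t:dir manage_dir_perms;` / `dontaudit $1 fusefs_t:dir manage_dir_perms;`, while the sibling fs_manage_fusefs_files in the same hunk uses `manage_files_pattern($1,fusefs_t,fusefs_t)`. For consistency with the rest of filesystem.if the directory variants would normally be `manage_dirs_pattern($1,fusefs_t,fusefs_t)` and the dontaudit form of the same pattern; with source and target both fusefs_t the granted permissions should be the same, so this is a point of style rather than behaviour. The two dontaudit interfaces also carry a `##` rolecap-style trailer that the file's other dontaudit interfaces do not have — worth checking the doc block is as intended.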
@@ -25,6 +25,8 @@ fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0); fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); @@ -135,6 +137,11 @@ genfscon squash / gen_context(system_u:object_r:squash_t,s0) files_mountpoint(squash_t) +type vmblock_t; +fs_noxattr_type(vmblock_t) +files_mountpoint(vmblock_t) +genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0) + type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.2.7/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-29 18:02:31.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/kernel/kernel.if 2008-02-13 16:57:15.000000000 -0500 @@ -851,9 +851,8 @@ type proc_t, proc_afs_t; ') - read_files_pattern($1,proc_t,proc_afs_t) - list_dirs_pattern($1,proc_t,proc_t) + rw_files_pattern($1,proc_afs_t,proc_afs_t) ') ####################################### @@ -1194,6 +1193,7 @@ ') dontaudit $1 proc_type:dir list_dir_perms; + dontaudit $1 proc_type:file getattr; ') ######################################## @@ -1764,6 +1764,7 @@ ') dontaudit $1 sysctl_type:dir list_dir_perms; + dontaudit $1 sysctl_type:file getattr; ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.2.7/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2007-12-19 05:32:07.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/kernel/kernel.te 2008-02-13 16:57:15.000000000 -0500 
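Review bot: The kernel.if hunk at @@ -851,9 +851,8 @@ turns an interface that granted `read_files_pattern($1,proc_t,proc_afs_t)` plus `list_dirs_pattern($1,proc_t,proc_t)` into `rw_files_pattern($1,proc_afs_t,proc_afs_t)`, so every existing caller now also gets write access on proc_afs_t files. The interface name and summary are above the hunk; if it is still documented as a read interface, either update the summary to say read/write or add a separate rw interface so callers do not receive write access under a read name. Dropping the list access on proc_t is a second behaviour change for current callers that the diff does not explain and deserves a comment or a changelog line.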
@@ -259,6 +259,8 @@ fs_rw_tmpfs_chr_files(kernel_t) ') +userdom_generic_user_home_dir_filetrans_generic_user_home_content(kernel_t, { file dir }) + tunable_policy(`read_default_t',` files_list_default(kernel_t) files_read_default_files(kernel_t) @@ -363,7 +365,7 @@ allow kern_unconfined proc_type:{ dir file lnk_file } *; -allow kern_unconfined sysctl_t:{ dir file } *; +allow kern_unconfined sysctl_type:{ dir file } *; allow kern_unconfined kernel_t:system *; @@ -374,3 +376,4 @@ allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; kernel_rw_all_sysctls(kern_unconfined) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.2.7/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-11-16 13:45:14.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/kernel/selinux.if 2008-02-13 16:57:15.000000000 -0500 @@ -164,6 +164,7 @@ type security_t; ') + selinux_dontaudit_getattr_fs($1) dontaudit $1 security_t:dir search_dir_perms; dontaudit $1 security_t:file { getattr read }; ') @@ -185,6 +186,7 @@ type security_t; ') + selinux_get_fs_mount($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file { getattr read }; ') @@ -265,6 +267,34 @@ ######################################## ## +## Allow caller to read the state of Booleans +## +## +##
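Review bot: `userdom_generic_user_home_dir_filetrans_generic_user_home_content(kernel_t, { file dir })` lets the kernel domain create files and directories inside generic user home directories with no comment saying which in-kernel activity needs it, and nothing else in this hunk (tmpfs access, the read_default_t tunable) hints at the reason. kernel_t is already highly privileged, so the concern is auditability rather than new risk: a one-line why-comment such as `# kernel threads create <what> under user home dirs, see <bug reference placeholder>` above the rule would keep it reviewable. The later change from `sysctl_t` to `sysctl_type` in the kern_unconfined rule is consistent with the `kernel_rw_all_sysctls(kern_unconfined)` call that already follows it.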

+## Allow caller read the state of Booleans +##

+##
+## +## +## The process type allowed to set the Boolean. +## +## +## +# +interface(`selinux_get_boolean',` + gen_require(` + type security_t; + attribute booleans_type; + bool secure_mode_policyload; + ') + + allow $1 security_t:dir list_dir_perms; + allow $1 booleans_type:dir list_dir_perms; + allow $1 booleans_type:file read_file_perms; +') + +######################################## +## ## Allow caller to set the state of Booleans to ## enable or disable conditional portions of the policy. ## @@ -288,11 +318,13 @@ interface(`selinux_set_boolean',` gen_require(` type security_t; + attribute booleans_type; bool secure_mode_policyload; ') allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file { getattr read write }; + allow $1 booleans_type:dir list_dir_perms; + allow $1 booleans_type:file { getattr read write }; if(!secure_mode_policyload) { allow $1 security_t:security setbool; @@ -489,3 +521,23 @@ typeattribute $1 selinux_unconfined_type; ') + +######################################## +## +## Generate a file context for a boolean type +## +## +## +## Domain allowed access. +## +## +# +interface(`selinux_genbool',` + gen_require(` + attribute booleans_type; + ') + + type $1, booleans_type; + fs_type($1) + mls_trusted_object($1) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.2.7/policy/modules/kernel/selinux.te --- nsaserefpolicy/policy/modules/kernel/selinux.te 2007-12-19 05:32:07.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/kernel/selinux.te 2008-02-13 16:57:15.000000000 -0500 @@ -10,6 +10,7 @@ attribute can_setenforce; attribute can_setsecparam; attribute selinux_unconfined_type; +attribute booleans_type; # # security_t is the target type when checking 
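Review bot: selinux_get_boolean documents its parameter as "The process type allowed to set the Boolean." although the body only grants `list_dir_perms` and `read_file_perms` on booleans_type; the parameter summary should read `## Domain allowed access.` and the duplicated summary line "Allow caller read the state of Booleans" needs the same cleanup. Its gen_require also pulls in `bool secure_mode_policyload;`, which the body never tests — that require belongs only in selinux_set_boolean. selinux_genbool in the last hunk of this file has the same documentation mismatch: its argument is the boolean type to declare, not a "Domain allowed access", and "Generate a file context for a boolean type" does not describe what `type $1, booleans_type; fs_type($1) mls_trusted_object($1)` actually does.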
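Review bot: selinux_set_boolean replaces `allow $1 security_t:file { getattr read write };` with the same permissions on booleans_type, but in the selinux.te hunk that declares boolean_t (@@ -22,6 +23,11 @@ on the next line) the `genfscon selinuxfs /booleans` line is commented out, so as far as this patch shows no selinuxfs file actually carries a booleans_type label and the boolean files remain security_t. Unless the label is applied somewhere not visible here, callers of selinux_set_boolean keep `setbool` but lose the file write they need, which would break boolean toggling under the default policy. Either keep the security_t:file rule until the genfscon is enabled, or enable it in the same change; a commented-out genfscon should not be left as dead policy text.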
@@ -22,6 +23,11 @@ sid security gen_context(system_u:object_r:security_t,mls_systemhigh) genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0) +type boolean_t, booleans_type; +fs_type(boolean_t) +mls_trusted_object(boolean_t) +#genfscon selinuxfs /booleans gen_context(system_u:object_r:boolean_t,s0) + neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.2.7/policy/modules/kernel/storage.fc --- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-10-29 18:02:31.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/kernel/storage.fc 2008-02-13 16:57:15.000000000 -0500 @@ -13,6 +13,7 @@ /dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0) /dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.2.7/policy/modules/kernel/storage.if --- nsaserefpolicy/policy/modules/kernel/storage.if 2007-10-29 18:02:31.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/kernel/storage.if 2008-02-13 16:57:15.000000000 -0500 
@@ -81,6 +81,26 @@ ######################################## ## +## dontaudit the caller attempts to read from a fixed disk. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`storage_dontaudit_raw_read_fixed_disk',` + gen_require(` + attribute fixed_disk_raw_read; + type fixed_disk_device_t; + ') + + dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms; + dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms; +') + +######################################## +## ## Allow the caller to directly read from a fixed disk. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.2.7/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2007-09-12 10:34:17.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/kernel/terminal.if 2008-02-13 16:57:15.000000000 -0500 @@ -525,11 +525,13 @@ interface(`term_use_generic_ptys',` gen_require(` type devpts_t; + attribute server_ptynode; ') dev_list_all_dev_nodes($1) allow $1 devpts_t:dir list_dir_perms; allow $1 devpts_t:chr_file { rw_term_perms lock append }; + allow $1 server_ptynode:chr_file { getattr read write ioctl }; ') ######################################## @@ -547,9 +549,11 @@ interface(`term_dontaudit_use_generic_ptys',` gen_require(` type devpts_t; + attribute server_ptynode; ') dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; + dontaudit $1 server_ptynode:chr_file { getattr read write ioctl }; ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.if serefpolicy-3.2.7/policy/modules/services/aide.if --- nsaserefpolicy/policy/modules/services/aide.if 2007-03-26 10:39:04.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/aide.if 2008-02-13 16:57:15.000000000 -0500 
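Review bot: storage_dontaudit_raw_read_fixed_disk requires `attribute fixed_disk_raw_read;` but never references it; only `type fixed_disk_device_t;` is needed in the gen_require. The summary "dontaudit the caller attempts to read from a fixed disk." would be clearer as `## Do not audit attempts by the caller to read fixed disk devices directly.`, matching the phrasing of the neighbouring interfaces. The dontaudit rules themselves correctly cover both the blk_file and chr_file forms of the device type.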
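Review bot: term_use_generic_ptys now also grants `allow $1 server_ptynode:chr_file { getattr read write ioctl };`, so every existing caller of this widely used interface silently gains read/write on all pty nodes carrying the server_ptynode attribute (presumably ptys allocated by login services such as sshd), not just the generic devpts_t nodes the interface is named for. A domain that could previously only use its own generic pty may now read from or write to other sessions' terminals, which is the kind of widening that should be opt-in: a separate interface for server ptys, or at least a comment in this hunk stating why generic-pty users need server pty nodes, would keep the grant reviewable. The dontaudit counterpart in the following hunk (@@ -547,9 +549,11 @@) is harmless but should stay in step with whichever form is chosen. Both interfaces' summaries are outside the hunks and must mention the added access if it stays.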
@@ -49,3 +49,45 @@ role $2 types aide_t; allow aide_t $3:chr_file rw_chr_file_perms; ') + +######################################## +## +## All of the rules required to administrate +## an aide environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the aide domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`aide_admin',` + gen_require(` + type aide_t; + type aide_db_t; + type aide_log_t; + ') + + allow $1 aide_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, aide_t, aide_t) + + aide_run($1, $2, $3) + + files_list_etc($1) + manage_all_pattern($1,aide_db_t) + + logging_list_logs($1) + manage_all_pattern($1,aide_log_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.fc serefpolicy-3.2.7/policy/modules/services/amavis.fc --- nsaserefpolicy/policy/modules/services/amavis.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/amavis.fc 2008-02-13 16:57:15.000000000 -0500 @@ -14,3 +14,5 @@ /var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0) /var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0) /var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0) + +/etc/rc.d/init.d/amavis -- gen_context(system_u:object_r:amavis_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.2.7/policy/modules/services/amavis.if --- nsaserefpolicy/policy/modules/services/amavis.if 2007-06-27 10:10:38.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/amavis.if 2008-02-13 16:57:15.000000000 -0500 
@@ -186,3 +186,88 @@ allow $1 amavis_var_run_t:file create_file_perms; files_search_pids($1) ') + +######################################## +## +## Execute amavis server in the amavis domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`amavis_script_domtrans',` + gen_require(` + type amavis_script_exec_t; + ') + + init_script_domtrans_spec($1,amavis_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an amavis environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the amavis domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`amavis_admin',` + gen_require(` + type amavis_t; + type amavis_script_exec_t; + type amavis_tmp_t; + type amavis_log_t; + type amavis_spool_t; + type amavis_var_lib_t; + type amavis_var_run_t; + type amavis_etc_t; + type amavis_quarantine_t; + ') + + allow $1 amavis_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, amavis_t, amavis_t) + + # Allow amavis_t to restart the apache service + amavis_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 amavis_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,amavis_tmp_t) + + manage_all_pattern($1,amavis_quarantine_t) + + files_list_etc($1) + manage_all_pattern($1,amavis_etc_t) + + logging_list_logs($1) + manage_all_pattern($1,amavis_log_t) + + files_list_spool($1) + manage_all_pattern($1,amavis_spool_t) + + files_list_var_lib($1) + manage_all_pattern($1,amavis_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,amavis_var_run_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.2.7/policy/modules/services/amavis.te --- nsaserefpolicy/policy/modules/services/amavis.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/amavis.te 
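Review bot: The comment `# Allow amavis_t to restart the apache service` inside amavis_admin was copied from the apache interface; the rules beneath it give the admin domain the init-script transition for amavis_script_exec_t, so it should read `# Allow $1 to restart the amavis service`. amavis_script_domtrans ends its doc block with a doubled `# #` where the other interfaces use a single `#`. The admin interface also grants `ptrace` on amavis_t alongside `signal_perms getattr`; if the role is only meant to inspect and restart the scanner, dropping `ptrace` avoids giving the admin domain memory access to a process that handles untrusted mail content.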
2008-02-13 16:57:15.000000000 -0500 @@ -38,6 +38,9 @@ type amavis_spool_t; files_type(amavis_spool_t) +type amavis_script_exec_t; +init_script_type(amavis_script_exec_t) + ######################################## # # amavis local policy @@ -65,6 +68,7 @@ # Spool Files manage_dirs_pattern(amavis_t,amavis_spool_t,amavis_spool_t) manage_files_pattern(amavis_t,amavis_spool_t,amavis_spool_t) +manage_lnk_files_pattern(amavis_t,amavis_spool_t,amavis_spool_t) manage_sock_files_pattern(amavis_t,amavis_spool_t,amavis_spool_t) filetrans_pattern(amavis_t,amavis_spool_t,amavis_var_run_t,sock_file) files_search_spool(amavis_t) @@ -116,6 +120,7 @@ # bind to incoming port corenet_tcp_bind_amavisd_recv_port(amavis_t) corenet_udp_bind_generic_port(amavis_t) +corenet_dontaudit_udp_bind_all_ports(amavis_t) corenet_tcp_connect_razor_port(amavis_t) dev_read_rand(amavis_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.2.7/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/apache.fc 2008-02-13 16:57:15.000000000 -0500 @@ -16,7 +16,6 @@ /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) /usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) 
@@ -71,5 +70,16 @@ /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + +#Bugzilla file context +/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) +/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) +/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_script_rw_t,s0) +#viewvc file context +/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t, s0) +/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.2.7/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/apache.if 2008-02-13 16:57:15.000000000 -0500 @@ -18,10 +18,6 @@ attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; ') - # allow write access to public file transfer - # services files. - gen_tunable(allow_httpd_$1_script_anon_write,false) - #This type is for webpages type httpd_$1_content_t, httpdcontent; # customizable files_type(httpd_$1_content_t) 
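Review bot: `/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)` labels every regular file under /usr/share/bugzilla as executable script content, including templates and data files that only need to be readable; a pattern limited to the CGI entry points (placeholder: `/usr/share/bugzilla/.*\.cgi -- ...`) with the remainder left as httpd_bugzilla_content_t would keep non-executable content out of the script exec type. The viewvc entry writes `httpd_sys_script_rw_t, s0` with a space before `s0`, unlike every other gen_context in the file. The httpd_bugzilla_* types are not declared in any hunk visible here; presumably apache_content_template(bugzilla) in apache.te provides them — worth confirming so the file contexts do not reference undefined types.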
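Review bot: Removing `gen_tunable(allow_httpd_$1_script_anon_write,false)` from apache_content_template drops the per-prefix booleans (for example allow_httpd_staff_script_anon_write) that existing installations may have set, and the replacement `allow_httpd_sys_script_anon_write` in apache.te only covers the sys prefix, so user-prefix script domains lose the capability entirely and stored values for the old boolean names no longer match the policy. The tunable_policy block that consumed the old boolean is removed in the hunk at @@ -120,10 +116,6 @@ on the next line. If the narrowing is intentional it deserves a comment at the new tunable, e.g. `# replaces the per-prefix allow_httpd_<prefix>_script_anon_write booleans`, so the removal is not mistaken for an oversight.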
@@ -71,7 +67,7 @@ logging_search_logs(httpd_$1_script_t) can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) - allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms; + allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; read_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) @@ -87,7 +83,6 @@ manage_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) manage_fifo_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) manage_sock_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) - files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file }) kernel_dontaudit_search_sysctl(httpd_$1_script_t) kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) @@ -96,6 +91,7 @@ dev_read_urand(httpd_$1_script_t) corecmd_exec_all_executables(httpd_$1_script_t) + application_exec_all(httpd_$1_script_t) files_exec_etc_files(httpd_$1_script_t) files_read_etc_files(httpd_$1_script_t) @@ -120,10 +116,6 @@ can_exec(httpd_$1_script_t, httpdcontent) ') - tunable_policy(`allow_httpd_$1_script_anon_write',` - miscfiles_manage_public_files(httpd_$1_script_t) - ') - # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) 
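Review bot: `application_exec_all(httpd_$1_script_t)` is added next to the existing `corecmd_exec_all_executables(httpd_$1_script_t)`, so each per-prefix CGI domain can presumably now execute every type carrying the application executable attribute in addition to all bin/shell executables. The same replacement is made for httpd_t (apache.te @@ -315,9 +350,7 @@, where it replaces `corecmd_exec_bin`/`corecmd_exec_shell`) and for httpd_suexec_t (@@ -593,9 +674,7 @@). For web script domains that is a broad execution surface; if one specific application type is what is needed, granting that interface alone, or at least a comment naming the application that motivated it, keeps the grant proportionate to the need.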
@@ -177,48 +169,6 @@ miscfiles_read_localization(httpd_$1_script_t) ') - tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` - allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; - allow httpd_$1_script_t self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled(httpd_$1_script_t) - corenet_all_recvfrom_netlabel(httpd_$1_script_t) - corenet_tcp_sendrecv_all_if(httpd_$1_script_t) - corenet_udp_sendrecv_all_if(httpd_$1_script_t) - corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t) - corenet_udp_sendrecv_all_nodes(httpd_$1_script_t) - corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) - corenet_udp_sendrecv_all_ports(httpd_$1_script_t) - corenet_tcp_connect_postgresql_port(httpd_$1_script_t) - corenet_tcp_connect_mysqld_port(httpd_$1_script_t) - corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t) - corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t) - - sysnet_read_config(httpd_$1_script_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` - allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; - allow httpd_$1_script_t self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled(httpd_$1_script_t) - corenet_all_recvfrom_netlabel(httpd_$1_script_t) - corenet_tcp_sendrecv_all_if(httpd_$1_script_t) - corenet_udp_sendrecv_all_if(httpd_$1_script_t) - corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t) - corenet_udp_sendrecv_all_nodes(httpd_$1_script_t) - corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) - corenet_udp_sendrecv_all_ports(httpd_$1_script_t) - corenet_tcp_connect_all_ports(httpd_$1_script_t) - corenet_sendrecv_all_client_packets(httpd_$1_script_t) - - sysnet_read_config(httpd_$1_script_t) - ') - - optional_policy(` - mta_send_mail(httpd_$1_script_t) - ') - optional_policy(` tunable_policy(`httpd_enable_cgi && allow_ypbind',` nis_use_ypbind_uncond(httpd_$1_script_t) 
@@ -267,7 +217,7 @@ attribute httpdcontent, httpd_script_domains; attribute httpd_exec_scripts, httpd_user_content_type; attribute httpd_user_script_exec_type; - type httpd_t, httpd_suexec_t, httpd_log_t; + type httpd_t, httpd_suexec_t, httpd_log_t, httpd_sys_script_t; ') apache_content_template($1) @@ -331,6 +281,7 @@ userdom_search_user_home_dirs($1,httpd_t) userdom_search_user_home_dirs($1,httpd_suexec_t) userdom_search_user_home_dirs($1,httpd_$1_script_t) + userdom_search_user_home_dirs($1,httpd_sys_script_t) ') ') @@ -352,12 +303,11 @@ # template(`apache_read_user_scripts',` gen_require(` - type httpd_$1_script_exec_t; + attribute httpd_user_script_exec_type; ') - - allow $2 httpd_$1_script_exec_t:dir list_dir_perms; - read_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) - read_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) + allow $2 httpd_user_script_exec_type:dir list_dir_perms; + read_files_pattern($2,httpd_user_script_exec_type,httpd_user_script_exec_type) + read_lnk_files_pattern($2,httpd_user_script_exec_type,httpd_user_script_exec_type) ') ######################################## @@ -378,12 +328,12 @@ # template(`apache_read_user_content',` gen_require(` - type httpd_$1_content_t; + attribute httpd_user_content_type; ') - allow $2 httpd_$1_content_t:dir list_dir_perms; - read_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t) - read_lnk_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t) + allow $2 httpd_user_content_type:dir list_dir_perms; + read_files_pattern($2,httpd_user_content_type,httpd_user_content_type) + read_lnk_files_pattern($2,httpd_user_content_type,httpd_user_content_type) ') ######################################## @@ -761,6 +711,7 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; + read_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t) ') ######################################## 
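Review bot: apache_read_user_scripts and apache_read_user_content now require the attributes httpd_user_script_exec_type / httpd_user_content_type instead of the per-prefix types, so the `$1` prefix argument is no longer used and a caller asking for read access to one user's scripts or content receives read access to every user prefix's. That widens what every existing call grants and leaves the template parameter misleading; either re-document them as non-template interfaces that read all user web content (and drop the unused parameter), or keep `httpd_$1_script_exec_t` / `httpd_$1_content_t`. Both hunks (@@ -352,12 +303,11 @@ and @@ -378,12 +328,12 @@) have the same issue. The `userdom_search_user_home_dirs($1,httpd_sys_script_t)` line added in the earlier hunk similarly lets the sys script domain traverse every user's home directory and would benefit from a comment on why the per-prefix script domain is not enough.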
@@ -845,6 +796,10 @@ type httpd_sys_script_t; ') + tunable_policy(`httpd_enable_cgi',` + domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t) + ') + tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern($1, httpdcontent, httpd_sys_script_t) ') @@ -932,7 +887,7 @@ type httpd_squirrelmail_t; ') - allow $1 httpd_squirrelmail_t:file { getattr read }; + read_files_pattern($1,httpd_squirrelmail_t,httpd_squirrelmail_t) ') ######################################## 
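Review bot: The new `tunable_policy(`httpd_enable_cgi',` domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t) ')` references httpd_sys_script_exec_t, but the only gen_require line visible in the hunk is `type httpd_sys_script_t;`; the start of the gen_require block lies outside the hunk, so confirm that `type httpd_sys_script_exec_t;` is listed there, otherwise the interface will not resolve the type. The interface summary is also outside the hunk and should state that the transition is now conditional on httpd_enable_cgi in addition to the existing httpd_unified case.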
@@ -1088,3 +1043,133 @@ allow httpd_t $1:process signal; ') + +######################################## +## +## Allow the specified domain to search +## apache bugzilla directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_search_bugzilla_dirs',` + gen_require(` + type httpd_bugzilla_content_t; + ') + + allow $1 httpd_bugzilla_content_t:dir search_dir_perms; +') + +######################################## +## +## Do not audit attempts to read and write Apache +## bugzill script unix domain stream sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_dontaudit_rw_bugzilla_script_stream_sockets',` + gen_require(` + type httpd_bugzilla_script_t; + ') + + dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write }; +') + +######################################## +## +## Execute apache server in the ntpd domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`apache_script_domtrans',` + gen_require(` + type httpd_script_exec_t; + ') + + init_script_domtrans_spec($1,httpd_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate an apache environment +## +## +## +## Prefix of the domain. Example, user would be +## the prefix for the uder_t domain. +## +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the apache domain. 
+## +## +## +# +interface(`apache_admin',` + + gen_require(` + type httpd_t, httpd_script_exec_t, httpd_config_t; + type httpd_log_t, httpd_modules_t, httpd_lock_t; + type httpd_var_run_t; + attribute httpdcontent; + attribute httpd_script_exec_type; + type httpd_bool_t; + ') + + allow $1 httpd_t:process { getattr ptrace signal_perms }; + + # Allow $1 to restart the apache service + apache_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 httpd_script_exec_t system_r; + allow $2 system_r; + + apache_manage_all_content($1) + miscfiles_manage_public_files($1) + + files_search_etc($1) + manage_all_pattern($1,httpd_config_t) + + logging_search_logs($1) + manage_all_pattern($1,httpd_log_t) + + manage_all_pattern($1,httpd_modules_t) + + manage_all_pattern($1,httpd_lock_t) + files_lock_filetrans($1, httpd_lock_t, file) + + manage_all_pattern($1,httpd_var_run_t) + files_pid_filetrans($1,httpd_var_run_t, file) + + kernel_search_proc($1) + allow $1 httpd_t:dir list_dir_perms; + read_files_pattern($1,httpd_t,httpd_t) + read_lnk_files_pattern($1,httpd_t,httpd_t) + + manage_all_pattern($1, httpdcontent) + manage_all_pattern($1, httpd_script_exec_type) + + seutil_domtrans_setfiles($1) + +# apache_set_booleans($1, $2, $3, httpd_bool_t ) +# seutil_setsebool_per_role_template($1, httpd, $3) +# allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms; +# allow httpd_setsebool_t httpd_bool_t:file rw_file_perms; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.7/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/apache.te 2008-02-13 16:57:15.000000000 -0500 @@ -20,6 +20,8 @@ # Declarations # +selinux_genbool(httpd_bool_t) + ## ##
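Review bot: apache_admin's parameter documentation lists three parameters — a domain prefix, the domain, then the role — but the body uses `$1` as the admin domain (`allow $1 httpd_t:process ...`) and `$2` as the role (`role_transition $2 httpd_script_exec_t system_r;`), so the prefix entry (with its "uder_t" typo) should be dropped and the docs reduced to the two arguments actually consumed. apache_script_domtrans above it still says "Execute apache server in the ntpd domain.", a copy-paste from the ntp module that should read `## Execute apache server in the apache domain.`. The four commented-out `apache_set_booleans`/`seutil_setsebool_per_role_template` lines at the end of apache_admin are dead policy text and the `type httpd_bool_t;` require exists only for them; remove both until the boolean-type machinery is actually wired up. The summary of apache_dontaudit_rw_bugzilla_script_stream_sockets misspells "bugzilla" as "bugzill".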

## Allow Apache to modify public files @@ -31,10 +33,10 @@ ## ##

-## Allow Apache to use mod_auth_pam +## Allow Apache to communicate with avahi service via dbus ##

##
-gen_tunable(allow_httpd_mod_auth_pam,false) +gen_tunable(allow_httpd_dbus_avahi,false) ## ##

@@ -45,7 +47,14 @@ ## ##

-## Allow HTTPD scripts and modules to connect to the network using TCP. +## Allow http daemon to send mail +##

+##
+gen_tunable(httpd_can_sendmail,false) + +## +##

+## Allow HTTPD scripts and modules to connect to the network ##

##
gen_tunable(httpd_can_network_connect,false) @@ -95,8 +104,8 @@ ## ##

-## Unify HTTPD to communicate with the terminal. -## Needed for entering the passphrase for certificates at +## Unify HTTPD to communicate with the terminal. +## Needed for handling certificates at ## the terminal. ##

##
@@ -109,6 +118,27 @@ ## gen_tunable(httpd_unified,false) +## +##

+## Allow httpd to access nfs file systems +##

+##
+gen_tunable(httpd_use_nfs,false) + +## +##

+## Allow httpd to access cifs file systems +##

+##
+gen_tunable(httpd_use_cifs,false) + +## +##

+## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t. +##

+##
+gen_tunable(allow_httpd_sys_script_anon_write,false) + attribute httpdcontent; attribute httpd_user_content_type; @@ -147,6 +177,9 @@ type httpd_log_t; logging_log_file(httpd_log_t) +type httpd_script_exec_t; +init_script_type(httpd_script_exec_t) + # httpd_modules_t is the type given to module files (libraries) # that come with Apache /etc/httpd/modules and /usr/lib/apache type httpd_modules_t; @@ -207,7 +240,7 @@ # Apache server local policy # -allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config }; +allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; @@ -249,6 +282,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) +read_lnk_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. @@ -289,6 +323,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) +kernel_search_network_sysctl(httpd_t) corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) @@ -315,9 +350,7 @@ auth_use_nsswitch(httpd_t) -# execute perl -corecmd_exec_bin(httpd_t) -corecmd_exec_shell(httpd_t) +application_exec_all(httpd_t) domain_use_interactive_fds(httpd_t) 
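Review bot: `sys_nice` is added to httpd_t's self:capability set (hunk @@ -207,7 +240,7 @@) without a comment saying which module or workload needs to change scheduling priority. A new capability on a network-facing daemon should carry its reason so it can be revisited, e.g. `# sys_nice: <module/reason placeholder> adjusts worker priority` on the line above the allow. The `read_lnk_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)` and `kernel_search_network_sysctl(httpd_t)` additions in the following hunks are narrow and look reasonable.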
@@ -335,6 +368,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) +# php uploads a file to /tmp and then execs programs to acton them +manage_dirs_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t) +manage_files_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t) +files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file }) libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) @@ -351,25 +388,38 @@ userdom_use_unpriv_users_fds(httpd_t) -mta_send_mail(httpd_t) - tunable_policy(`allow_httpd_anon_write',` miscfiles_manage_public_files(httpd_t) ') -ifdef(`TODO', ` # # We need optionals to be able to be within booleans to make this work # +## +##
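Review bot: The comment says PHP uploads a file to /tmp and scripts act on it, and the two manage patterns give httpd_sys_script_t access to httpd_tmp_t accordingly, but the `files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })` on the next line labels what the script domain itself creates in /tmp as httpd_sys_script_rw_t — the web-writable content type — rather than httpd_tmp_t. If the intent is shared scratch space with httpd_t, `files_tmp_filetrans(httpd_sys_script_t,httpd_tmp_t,{ dir file lnk_file sock_file fifo_file })` is the consistent choice; if the rw_t label is deliberate (it mirrors the line removed from apache_content_template in apache.if), a comment should say so, since it places web-content-typed files in /tmp. "acton" in the comment should be "act on".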

+## Allow Apache to use mod_auth_pam +##

+##
+gen_tunable(allow_httpd_mod_auth_pam,false) + tunable_policy(`allow_httpd_mod_auth_pam',` - auth_domtrans_chk_passwd(httpd_t) -') + auth_domtrans_chkpwd(httpd_t) ') tunable_policy(`httpd_can_network_connect',` corenet_tcp_connect_all_ports(httpd_t) ') +tunable_policy(`httpd_can_sendmail',` + # allow httpd to connect to mail servers + corenet_tcp_connect_smtp_port(httpd_t) + corenet_sendrecv_smtp_client_packets(httpd_t) + corenet_tcp_connect_pop_port(httpd_t) + corenet_sendrecv_pop_client_packets(httpd_t) + mta_send_mail(httpd_t) + mta_send_mail(httpd_sys_script_t) +') + tunable_policy(`httpd_can_network_relay',` # allow httpd to work as a relay corenet_tcp_connect_gopher_port(httpd_t) @@ -382,6 +432,10 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') +tunable_policy(`allow_httpd_sys_script_anon_write',` + miscfiles_manage_public_files(httpd_sys_script_t) +') + tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) @@ -399,11 +453,21 @@ fs_read_nfs_symlinks(httpd_t) ') +tunable_policy(`httpd_use_nfs',` + fs_read_nfs_files(httpd_t) + fs_read_nfs_symlinks(httpd_t) +') + tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) ') +tunable_policy(`httpd_use_cifs',` + fs_read_cifs_files(httpd_t) + fs_read_cifs_symlinks(httpd_t) +') + tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; @@ -437,8 +501,14 @@ ') optional_policy(` + dbus_system_bus_client_template(httpd,httpd_t) + tunable_policy(`allow_httpd_dbus_avahi',` + avahi_dbus_chat(httpd_t) + ') +') +optional_policy(` kerberos_use(httpd_t) - kerberos_read_kdc_config(httpd_t) + kerberos_read_keytab(httpd_t) ') optional_policy(` 
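Review bot: `kerberos_read_keytab(httpd_t)` replaces `kerberos_read_kdc_config(httpd_t)` and is granted unconditionally inside the optional_policy block, which gives the web server read access to the host keytab — long-lived Kerberos key material — whenever the kerberos module is present, not only on deployments that use Kerberos authentication in Apache. Gating it behind a tunable in the same style as the new `allow_httpd_dbus_avahi` boolean above it, or at least a comment naming the module that reads the keytab, keeps the default policy tighter. In the same hunk `dbus_system_bus_client_template(httpd,httpd_t)` is unconditional while only `avahi_dbus_chat(httpd_t)` sits behind the boolean, so httpd_t becomes a system bus client by default; if that is intended it is worth a comment. The old `auth_domtrans_chk_passwd` call moving to `auth_domtrans_chkpwd` under the now-active mod_auth_pam tunable looks correct.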
@@ -450,19 +520,13 @@ ') optional_policy(` - # Allow httpd to work with mysql mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) - - tunable_policy(`httpd_can_network_connect_db',` - corenet_tcp_connect_mysqld_port(httpd_t) - corenet_sendrecv_mysqld_client_packets(httpd_t) - ') + mysql_read_config(httpd_t) ') optional_policy(` nagios_read_config(httpd_t) - nagios_domtrans_cgi(httpd_t) ') optional_policy(` @@ -472,13 +536,14 @@ openca_kill(httpd_t) ') +tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_t) + postgresql_tcp_connect(httpd_sys_script_t) +') + optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) - - tunable_policy(`httpd_can_network_connect_db',` - postgresql_tcp_connect(httpd_t) - ') ') optional_policy(` @@ -486,6 +551,7 @@ ') optional_policy(` + files_dontaudit_rw_usr_dirs(httpd_t) snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') @@ -521,6 +587,13 @@ userdom_use_sysadm_terms(httpd_helper_t) ') +optional_policy(` + tunable_policy(`httpd_tty_comm',` + unconfined_use_terminals(httpd_helper_t) + ') +') + + ######################################## # # Apache PHP script local policy @@ -550,18 +623,24 @@ fs_search_auto_mountpoints(httpd_php_t) +auth_use_nsswitch(httpd_php_t) + libs_exec_lib_files(httpd_php_t) libs_use_ld_so(httpd_php_t) libs_use_shared_libs(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) -optional_policy(` - mysql_stream_connect(httpd_php_t) +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mysqld_port(httpd_t) + corenet_sendrecv_mysqld_client_packets(httpd_t) + corenet_tcp_connect_mysqld_port(httpd_sys_script_t) + corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) ') optional_policy(` - nis_use_ypbind(httpd_php_t) + mysql_stream_connect(httpd_php_t) + mysql_read_config(httpd_php_t) ') ######################################## 
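Review bot: The new `httpd_can_network_connect_db` block holding `postgresql_tcp_connect(httpd_t)` and `postgresql_tcp_connect(httpd_sys_script_t)` sits outside any optional_policy, unlike the block it replaces, which was nested inside the postgresql optional_policy. If the postgresql module is not part of a build, the types that interface requires are presumably unavailable and the apache module fails to link; keeping the tunable nested inside the postgresql optional_policy it was moved out of avoids that, and the `httpd_sys_script_t` line fits in the same nested block.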
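Review bot: In the "Apache PHP script local policy" section, the `httpd_can_network_connect_db` block added here grants the mysqld port to `httpd_t` and `httpd_sys_script_t` but not to `httpd_php_t`, the domain this section is about, and it replaces an optional_policy whose `mysql_stream_connect(httpd_php_t)` is re-added a few lines below. The same `httpd_t` rules appear again in the system-script section (hunk `@@ -700,9 +812,15 @@`), so one copy is redundant. Either move these rules next to the other `httpd_t` tunables earlier in the file, or change the subject to `httpd_php_t` if PHP scripts are meant to reach a remote database.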
@@ -585,6 +664,8 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) +can_exec(httpd_suexec_t, httpd_sys_script_exec_t) + kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) @@ -593,9 +674,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) -# for shell scripts -corecmd_exec_bin(httpd_suexec_t) -corecmd_exec_shell(httpd_suexec_t) +application_exec_all(httpd_suexec_t) files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) @@ -628,6 +707,7 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') +domain_entry_file(httpd_sys_script_t,httpd_sys_content_t) tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ') @@ -638,6 +718,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') +tunable_policy(`httpd_use_cifs',` + fs_read_cifs_files(httpd_suexec_t) + fs_read_cifs_symlinks(httpd_suexec_t) + fs_exec_cifs_files(httpd_suexec_t) +') + tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) @@ -655,10 +741,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') -optional_policy(` - nagios_domtrans_cgi(httpd_suexec_t) -') - ######################################## # # Apache system script local policy @@ -668,7 +750,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; -allow httpd_sys_script_t httpd_squirrelmail_t:file { append read }; +apache_read_squirrelmail_data(httpd_sys_script_t) +apache_append_squirrelmail_data(httpd_sys_script_t) allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) 
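Review bot: `domain_entry_file(httpd_sys_script_t,httpd_sys_content_t)` is unconditional while the `domtrans_pattern` directly below it is gated on `httpd_enable_cgi && httpd_unified`, so with the booleans off every file labelled `httpd_sys_content_t` (ordinary static content) is still a valid entrypoint for `httpd_sys_script_t`. Moving the line inside that tunable_policy block ties the entrypoint to the unified mode it exists for, and a blank line before it would match the file's layout. The hunk `@@ -593,9 +674,7 @@` similarly widens suexec from `corecmd_exec_bin`/`corecmd_exec_shell` to `application_exec_all(httpd_suexec_t)` with no comment on what extra executables suexec now needs.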
@@ -682,15 +765,44 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) +sysnet_read_config(httpd_sys_script_t) + ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file { getattr append }; ') -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +tunable_policy(`httpd_use_nfs', ` + fs_read_nfs_files(httpd_sys_script_t) + fs_read_nfs_symlinks(httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` fs_read_nfs_files(httpd_sys_script_t) fs_read_nfs_symlinks(httpd_sys_script_t) ') +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` + allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_sys_script_t self:udp_socket create_socket_perms; + + corenet_all_recvfrom_unlabeled(httpd_sys_script_t) + corenet_all_recvfrom_netlabel(httpd_sys_script_t) + corenet_tcp_sendrecv_all_if(httpd_sys_script_t) + corenet_udp_sendrecv_all_if(httpd_sys_script_t) + corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t) + corenet_udp_sendrecv_all_nodes(httpd_sys_script_t) + corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) + corenet_udp_sendrecv_all_ports(httpd_sys_script_t) + corenet_tcp_connect_all_ports(httpd_sys_script_t) + corenet_sendrecv_all_client_packets(httpd_sys_script_t) +') + + +tunable_policy(`httpd_use_cifs', ` + fs_read_cifs_files(httpd_sys_script_t) + fs_read_cifs_symlinks(httpd_sys_script_t) +') + tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) @@ -700,9 +812,15 @@ clamav_domtrans_clamscan(httpd_sys_script_t) ') +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mysqld_port(httpd_t) + corenet_sendrecv_mysqld_client_packets(httpd_t) +') + optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) + mysql_read_config(httpd_sys_script_t) ') ######################################## 
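Review bot: The new `httpd_use_nfs` and `httpd_use_cifs` blocks in this hunk put a space between the comma and the opening quote of the second argument (`', ` rather than `',`), while every other tunable_policy call in the file, including the httpd_t blocks for the same booleans earlier in the patch, does not; there are also two blank lines before the cifs block. The `httpd_enable_cgi && httpd_can_network_connect` block would benefit from a one-line comment above `allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;`, e.g. `# CGI scripts get the same unrestricted network access as httpd_t`, since the rule list is otherwise unexplained.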
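Review bot: The `httpd_can_network_connect_db` block added above the mysql optional_policy in the system-script section grants `corenet_tcp_connect_mysqld_port` and the client packets to `httpd_t`, not to `httpd_sys_script_t`, which is the subject of every surrounding rule; it reads like a copy of the httpd_t block that the PHP-section hunk already adds. Drop this copy, or if the script domain was meant, note that the PHP-section block already covers `httpd_sys_script_t` too. The rules for one boolean should live in one place per domain.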
@@ -724,3 +842,46 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) + +#============= bugzilla policy ============== +apache_content_template(bugzilla) + +type httpd_bugzilla_tmp_t; +files_tmp_file(httpd_bugzilla_tmp_t) + +allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms; +allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms; +allow httpd_bugzilla_script_t self:udp_socket create_socket_perms; + +corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t) +corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) +corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t) +corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t) +corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t) +corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t) +corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t) +corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t) +corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t) +corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t) +corenet_tcp_connect_http_port(httpd_bugzilla_script_t) +corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t) +corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t) + +manage_dirs_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugzilla_tmp_t) +manage_files_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugzilla_tmp_t) +files_tmp_filetrans(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,{ file dir }) + +files_search_var_lib(httpd_bugzilla_script_t) + +mta_send_mail(httpd_bugzilla_script_t) + +sysnet_read_config(httpd_bugzilla_script_t) + +optional_policy(` + mysql_search_db(httpd_bugzilla_script_t) + mysql_stream_connect(httpd_bugzilla_script_t) +') + +optional_policy(` + postgresql_stream_connect(httpd_bugzilla_script_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.2.7/policy/modules/services/apcupsd.fc --- 
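Review bot: The new `httpd_bugzilla_script_t` domain gets unconditional network access, all-port send/receive plus connects to the mysqld, postgresql and http ports, whereas the equivalent access for `httpd_sys_script_t` elsewhere in this file is gated on `httpd_can_network_connect_db` and `httpd_can_network_connect`. If bugzilla is expected to reach a remote database, gating the `corenet_tcp_connect_*` calls on the same booleans keeps one policy for all web scripts; if it is deliberately open, a comment above `corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)` should say so. `corenet_tcp_connect_http_port` also lacks a matching `corenet_sendrecv_http_client_packets` call, unlike the postgresql and mysqld pairs.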
nsaserefpolicy/policy/modules/services/apcupsd.fc 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.7/policy/modules/services/apcupsd.fc 2008-02-13 16:57:15.000000000 -0500
@@ -13,3 +13,5 @@
 /var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
 /var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
 /var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+
+/etc/rc.d/init.d/apcupsd -- gen_context(system_u:object_r:apcupsd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.2.7/policy/modules/services/apcupsd.if
--- nsaserefpolicy/policy/modules/services/apcupsd.if 2007-09-12 10:34:18.000000000 -0400
+++ serefpolicy-3.2.7/policy/modules/services/apcupsd.if 2008-02-13 16:57:15.000000000 -0500
@@ -90,10 +90,102 @@
 ##
## # -interface(`httpd_apcupsd_cgi_script_domtrans',` +interface(`apcupsd_cgi_script_domtrans',` gen_require(` type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t; ') domtrans_pattern($1,httpd_apcupsd_cgi_script_exec_t,httpd_apcupsd_cgi_script_t) ') + +######################################## +## +## Read apcupsd tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`apcupsd_read_tmp_files',` + gen_require(` + type apcupsd_tmp_t; + ') + + allow $1 apcupsd_tmp_t:file read_file_perms; +') + + +######################################## +## +## Execute apcupsd server in the apcupsd domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`apcupsd_script_domtrans',` + gen_require(` + type apcupsd_script_exec_t; + ') + + init_script_domtrans_spec($1,apcupsd_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an apcupsd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the apcupsd domain. +## +## +## +## +## The type of the user terminal. 
+## +## +## +# +interface(`apcupsd_admin',` + gen_require(` + type apcupsd_t; + type apcupsd_script_exec_t; + type apcupsd_tmp_t; + type apcupsd_log_t; + type apcupsd_lock_t; + type apcupsd_var_run_t; + ') + + allow $1 apcupsd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, apcupsd_t, apcupsd_t) + + # Allow apcupsd_t to restart the apache service + apcupsd_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 apcupsd_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,apcupsd_tmp_t) + + logging_list_logs($1) + manage_all_pattern($1,apcupsd_log_t) + + files_list_var($1) + manage_all_pattern($1,apcupsd_lock_t) + + files_list_pids($1) + manage_all_pattern($1,apcupsd_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.2.7/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/apcupsd.te 2008-02-13 16:57:15.000000000 -0500 @@ -22,6 +22,9 @@ type apcupsd_var_run_t; files_pid_file(apcupsd_var_run_t) +type apcupsd_script_exec_t; +init_script_type(apcupsd_script_exec_t) + ######################################## # # apcupsd local policy @@ -86,6 +89,11 @@ miscfiles_read_localization(apcupsd_t) +sysnet_dns_name_resolve(apcupsd_t) + +userdom_use_unpriv_users_ttys(apcupsd_t) +userdom_use_unpriv_users_ptys(apcupsd_t) + optional_policy(` hostname_exec(apcupsd_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.fc serefpolicy-3.2.7/policy/modules/services/arpwatch.fc --- nsaserefpolicy/policy/modules/services/arpwatch.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/arpwatch.fc 2008-02-13 16:57:15.000000000 -0500 
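Review bot: Renaming `httpd_apcupsd_cgi_script_domtrans` to `apcupsd_cgi_script_domtrans` removes the old interface outright, so any module still calling the old name fails to build; the refpolicy convention, used in this same patch for `bind_udp_chat_named`, is to keep the old name as a stub that calls refpolicywarn with a deprecation message. In `apcupsd_admin` the comment `# Allow apcupsd_t to restart the apache service` is a leftover from the apache module and the documented third parameter (the terminal type) is never referenced; `# Allow $1 to run the apcupsd init script and switch $2 to system_r` states what the next four lines do. The same comment and unused parameter recur in `arpwatch_admin`, `asterisk_admin`, `automount_admin`, `avahi_admin`, `bind_admin`, `bitlbee_admin` and `bluetooth_admin` later in this chunk.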
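Review bot: `userdom_use_unpriv_users_ttys(apcupsd_t)` and `userdom_use_unpriv_users_ptys(apcupsd_t)` let the daemon read and write every unprivileged user's terminal, and the hunk does not say why. If this is for the power-event warnings apcupsd sends to logged-in users (not shown here), a comment such as `# apcupsd writes power-event warnings to users' terminals` above the pair documents it; the new `sysnet_dns_name_resolve(apcupsd_t)` line could use the same treatment.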
@@ -9,3 +9,5 @@
 #
 /var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
 /var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
+
+/etc/rc.d/init.d/arpwatch -- gen_context(system_u:object_r:arpwatch_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.if serefpolicy-3.2.7/policy/modules/services/arpwatch.if
--- nsaserefpolicy/policy/modules/services/arpwatch.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/arpwatch.if 2008-02-13 16:57:15.000000000 -0500
@@ -90,3 +90,73 @@ dontaudit $1 arpwatch_t:packet_socket { read write }; ') + +######################################## +## +## Execute arpwatch server in the arpwatch domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`arpwatch_script_domtrans',` + gen_require(` + type arpwatch_script_exec_t; + ') + + init_script_domtrans_spec($1,arpwatch_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an arpwatch environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the arpwatch domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`arpwatch_admin',` + gen_require(` + type arpwatch_t; + type arpwatch_script_exec_t; + type arpwatch_tmp_t; + type arpwatch_data_t; + type arpwatch_var_run_t; + ') + + allow $1 arpwatch_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, arpwatch_t, arpwatch_t) + + # Allow arpwatch_t to restart the apache service + arpwatch_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 arpwatch_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,arpwatch_tmp_t) + + files_list_var($1) + manage_all_pattern($1,arpwatch_data_t) + + files_list_pids($1) + manage_all_pattern($1,arpwatch_var_run_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.2.7/policy/modules/services/arpwatch.te --- nsaserefpolicy/policy/modules/services/arpwatch.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/arpwatch.te 2008-02-13 16:57:15.000000000 -0500 
@@ -19,6 +19,9 @@ type arpwatch_var_run_t; files_pid_file(arpwatch_var_run_t) +type arpwatch_script_exec_t; +init_script_type(arpwatch_script_exec_t) + ######################################## # # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.fc serefpolicy-3.2.7/policy/modules/services/asterisk.fc --- nsaserefpolicy/policy/modules/services/asterisk.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/asterisk.fc 2008-02-13 16:57:15.000000000 -0500 @@ -6,3 +6,4 @@ /var/log/asterisk(/.*)? gen_context(system_u:object_r:asterisk_log_t,s0) /var/run/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_run_t,s0) /var/spool/asterisk(/.*)? gen_context(system_u:object_r:asterisk_spool_t,s0) +/etc/rc.d/init.d/asterisk -- gen_context(system_u:object_r:asterisk_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.2.7/policy/modules/services/asterisk.if --- nsaserefpolicy/policy/modules/services/asterisk.if 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/asterisk.if 2008-02-13 16:57:15.000000000 -0500 
@@ -1 +1,83 @@ ## Asterisk IP telephony server + +######################################## +## +## Execute asterisk server in the asterisk domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`asterisk_script_domtrans',` + gen_require(` + type asterisk_script_exec_t; + ') + + init_script_domtrans_spec($1,asterisk_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an asterisk environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the asterisk domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`asterisk_admin',` + gen_require(` + type asterisk_t; + type asterisk_script_exec_t; + type asterisk_etc_t; + type asterisk_tmp_t; + type asterisk_log_t; + type asterisk_spool_t; + type asterisk_var_lib_t; + type asterisk_var_run_t; + ') + + allow $1 asterisk_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, asterisk_t, asterisk_t) + + # Allow asterisk_t to restart the apache service + asterisk_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 asterisk_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,asterisk_tmp_t) + + files_list_etc($1) + manage_all_pattern($1,asterisk_etc_t) + + logging_list_logs($1) + manage_all_pattern($1,asterisk_log_t) + + files_list_spool($1) + manage_all_pattern($1,asterisk_spool_t) + + files_list_var_lib($1) + manage_all_pattern($1,asterisk_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,asterisk_var_run_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.2.7/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/asterisk.te 2008-02-13 16:57:15.000000000 -0500 
@@ -31,6 +31,9 @@ type asterisk_var_run_t; files_pid_file(asterisk_var_run_t) +type asterisk_script_exec_t; +init_script_type(asterisk_script_exec_t) + ######################################## # # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.fc serefpolicy-3.2.7/policy/modules/services/automount.fc --- nsaserefpolicy/policy/modules/services/automount.fc 2007-02-19 11:32:53.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/automount.fc 2008-02-13 16:57:15.000000000 -0500 @@ -12,4 +12,7 @@ # /var # -/var/run/autofs(/.*)? gen_context(system_u:object_r:automount_var_run_t,s0) +/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0) + +/etc/rc.d/init.d/autofs -- gen_context(system_u:object_r:automount_script_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.2.7/policy/modules/services/automount.if --- nsaserefpolicy/policy/modules/services/automount.if 2007-03-26 10:39:04.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/automount.if 2008-02-13 16:57:15.000000000 -0500 
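Review bot: Changing the file context from `/var/run/autofs(/.*)?` to `/var/run/autofs.*` labels every entry under /var/run whose name merely starts with `autofs` as `automount_var_run_t`, not just the autofs directory tree; presumably this is to catch the pipes that the automount.te hunk in this patch starts creating through `files_pid_filetrans(automount_t,automount_var_run_t,{ file fifo_file })`. A comment naming which files under /var/run the wider pattern is meant to match would justify the change; confirm the actual names against the automount sources rather than guessing. There is also a stray added blank line at the end of the file.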
@@ -74,3 +74,109 @@ dontaudit $1 automount_tmp_t:dir getattr; ') + +######################################## +## +## Do not audit attempts to file descriptors for automount. +## +## +## +## Domain to not audit. +## +## +# +interface(`automount_dontaudit_use_fds',` + gen_require(` + type automount_t; + ') + + dontaudit $1 automount_t:fd use; +') + +######################################## +## +## Do not audit attempts to write automount daemon unnamed pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`automount_dontaudit_write_pipes',` + gen_require(` + type automount_t; + ') + + dontaudit $1 automount_t:fifo_file write; +') + + +######################################## +## +## Execute automount server in the automount domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`automount_script_domtrans',` + gen_require(` + type automount_script_exec_t; + ') + + init_script_domtrans_spec($1,automount_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an automount environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the automount domain. +## +## +## +## +## The type of the user terminal. 
+## +## +## +# +interface(`automount_admin',` + gen_require(` + type automount_t; + type automount_script_exec_t; + type automount_lock_t; + type automount_tmp_t; + type automount_var_run_t; + ') + + allow $1 automount_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, automount_t, automount_t) + + # Allow automount_t to restart the apache service + automount_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 automount_script_exec_t system_r; + allow $2 system_r; + + files_list_var($1) + manage_all_pattern($1,automount_lock_t) + + files_list_tmp($1) + manage_all_pattern($1,automount_tmp_t) + + files_list_pids($1) + manage_all_pattern($1,automount_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.2.7/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/automount.te 2008-02-13 16:57:15.000000000 -0500 @@ -20,6 +20,9 @@ files_tmp_file(automount_tmp_t) files_mountpoint(automount_tmp_t) +type automount_script_exec_t; +init_script_type(automount_script_exec_t) + ######################################## # # Local policy @@ -52,7 +55,8 @@ files_root_filetrans(automount_t,automount_tmp_t,dir) manage_files_pattern(automount_t,automount_var_run_t,automount_var_run_t) -files_pid_filetrans(automount_t,automount_var_run_t,file) +manage_fifo_files_pattern(automount_t,automount_var_run_t,automount_var_run_t) +files_pid_filetrans(automount_t,automount_var_run_t,{ file fifo_file }) kernel_read_kernel_sysctls(automount_t) kernel_read_irq_sysctls(automount_t) @@ -69,6 +73,7 @@ files_mounton_all_mountpoints(automount_t) files_mount_all_file_type_fs(automount_t) files_unmount_all_file_type_fs(automount_t) +files_manage_non_security_dirs(automount_t) fs_mount_all_fs(automount_t) fs_unmount_all_fs(automount_t) 
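Review bot: `files_manage_non_security_dirs(automount_t)` lets automount create, delete and rename directories of any non-security file type anywhere on the system, far broader than the mount/mounton rules around it, and the hunk gives no reason. If the need is only creating mountpoint directories, a rule limited to the mountpoint types would be the narrower choice; otherwise add a comment above the line stating which directories automount has to manage so the grant can be reviewed later.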
@@ -126,6 +131,8 @@ fs_mount_autofs(automount_t) fs_manage_autofs_symlinks(automount_t) +storage_rw_fuse(automount_t) + term_dontaudit_getattr_pty_dirs(automount_t) libs_use_ld_so(automount_t) @@ -170,6 +177,11 @@ ') optional_policy(` + samba_read_config(automount_t) + samba_read_var_files(automount_t) +') + +optional_policy(` seutil_sigchld_newrole(automount_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.2.7/policy/modules/services/avahi.fc --- nsaserefpolicy/policy/modules/services/avahi.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/avahi.fc 2008-02-13 16:57:15.000000000 -0500 @@ -3,3 +3,7 @@ /usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0) /var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) + + +/etc/rc.d/init.d/avahi -- gen_context(system_u:object_r:avahi_script_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.2.7/policy/modules/services/avahi.if --- nsaserefpolicy/policy/modules/services/avahi.if 2007-05-02 15:04:46.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/avahi.if 2008-02-13 16:57:15.000000000 -0500 
@@ -57,3 +57,64 @@ dontaudit $1 avahi_var_run_t:dir search_dir_perms; ') + +######################################## +## +## Execute avahi server in the avahi domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`avahi_script_domtrans',` + gen_require(` + type avahi_script_exec_t; + ') + + init_script_domtrans_spec($1,avahi_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an avahi environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the avahi domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`avahi_admin',` + gen_require(` + type avahi_t; + type avahi_script_exec_t; + type avahi_var_run_t; + ') + + allow $1 avahi_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, avahi_t, avahi_t) + + # Allow avahi_t to restart the apache service + avahi_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 avahi_script_exec_t system_r; + allow $2 system_r; + + files_list_pids($1) + manage_all_pattern($1,avahi_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.2.7/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/avahi.te 2008-02-13 16:57:15.000000000 -0500 @@ -13,6 +13,9 @@ type avahi_var_run_t; files_pid_file(avahi_var_run_t) +type avahi_script_exec_t; +init_script_type(avahi_script_exec_t) + ######################################## # # Local policy 
@@ -85,6 +88,7 @@ dbus_connect_system_bus(avahi_t) init_dbus_chat_script(avahi_t) + dbus_system_domain(avahi_t,avahi_exec_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.2.7/policy/modules/services/bind.fc --- nsaserefpolicy/policy/modules/services/bind.fc 2007-10-15 16:11:05.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/bind.fc 2008-02-13 16:57:15.000000000 -0500 @@ -49,3 +49,5 @@ /var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) /var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ') + +/etc/rc.d/init.d/named -- gen_context(system_u:object_r:named_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.2.7/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2007-01-02 12:57:43.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/bind.if 2008-02-13 16:57:15.000000000 -0500 
@@ -254,3 +254,94 @@ interface(`bind_udp_chat_named',` refpolicywarn(`$0($*) has been deprecated.') ') + +######################################## +## +## Execute bind server in the bind domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`bind_script_domtrans',` + gen_require(` + type bind_script_exec_t; + ') + + init_script_domtrans_spec($1,bind_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an bind environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the bind domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`bind_admin',` + gen_require(` + type named_t; + type named_script_exec_t; + type named_tmp_t; + type named_log_t; + type named_conf_t; + type named_var_lib_t; + type named_var_run_t; + + type named_cache_t; + type named_zone_t; + type dnssec_t; + type ndc_t; + ') + + allow $1 named_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, named_t, named_t) + + allow $1 ndc_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, ndc_t, ndc_t) + + bind_run_ndc($1, $2, $3) + + # Allow named_t to restart the apache service + bind_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 named_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,named_tmp_t) + + logging_list_logs($1) + manage_all_pattern($1,named_log_t) + + files_list_etc($1) + manage_all_pattern($1,named_conf_t) + + manage_all_pattern($1,named_cache_t) + manage_all_pattern($1,named_zone_t) + manage_all_pattern($1,dnssec_t) + + files_list_var_lib($1) + manage_all_pattern($1,named_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,named_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.2.7/policy/modules/services/bind.te --- 
nsaserefpolicy/policy/modules/services/bind.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/bind.te 2008-02-13 16:57:15.000000000 -0500 @@ -53,6 +53,9 @@ init_system_domain(ndc_t,ndc_exec_t) role system_r types ndc_t; +type named_script_exec_t; +init_script_type(named_script_exec_t) + ######################################## # # Named local policy @@ -222,6 +225,7 @@ corenet_tcp_sendrecv_all_nodes(ndc_t) corenet_tcp_sendrecv_all_ports(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) +corenet_tcp_bind_all_nodes(ndc_t) corenet_sendrecv_rndc_client_packets(ndc_t) domain_use_interactive_fds(ndc_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.fc serefpolicy-3.2.7/policy/modules/services/bitlbee.fc --- nsaserefpolicy/policy/modules/services/bitlbee.fc 2007-09-17 15:56:47.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/bitlbee.fc 2008-02-13 16:57:15.000000000 -0500 @@ -1,3 +1,6 @@ /usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0) /etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0) /var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0) + + +/etc/rc.d/init.d/bitlbee -- gen_context(system_u:object_r:bitlbee_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.if serefpolicy-3.2.7/policy/modules/services/bitlbee.if --- nsaserefpolicy/policy/modules/services/bitlbee.if 2007-09-17 15:56:47.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/bitlbee.if 2008-02-13 16:57:15.000000000 -0500 
@@ -20,3 +20,70 @@ allow $1 bitlbee_conf_t:file { read getattr }; ') + +######################################## +## +## Execute bitlbee server in the bitlbee domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`bitlbee_script_domtrans',` + gen_require(` + type bitlbee_script_exec_t; + ') + + init_script_domtrans_spec($1,bitlbee_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an bitlbee environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the bitlbee domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`bitlbee_admin',` + gen_require(` + type bitlbee_t; + type bitlbee_script_exec_t; + type bitlbee_conf_t; + type bitlbee_var_t; + ') + + allow $1 bitlbee_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, bitlbee_t, bitlbee_t) + + # Allow bitlbee_t to restart the apache service + bitlbee_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 bitlbee_script_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + manage_all_pattern($1, bitlbee_conf_t) + + files_list_var($1) + manage_all_pattern($1, bitlbee_var_t) + +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.2.7/policy/modules/services/bitlbee.te --- nsaserefpolicy/policy/modules/services/bitlbee.te 2007-09-17 15:56:47.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/bitlbee.te 2008-02-13 16:57:15.000000000 -0500 @@ -17,6 +17,9 @@ type bitlbee_var_t; files_type(bitlbee_var_t) +type bitlbee_script_exec_t; +init_script_type(bitlbee_script_exec_t) + ######################################## # # Local policy 
@@ -54,6 +57,9 @@ corenet_tcp_connect_msnp_port(bitlbee_t) corenet_tcp_sendrecv_msnp_port(bitlbee_t) +dev_read_rand(bitlbee_t) +dev_read_urand(bitlbee_t) + files_read_etc_files(bitlbee_t) files_search_pids(bitlbee_t) # grant read-only access to the user help files diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.2.7/policy/modules/services/bluetooth.fc --- nsaserefpolicy/policy/modules/services/bluetooth.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/bluetooth.fc 2008-02-13 16:57:15.000000000 -0500 @@ -22,3 +22,8 @@ # /var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0) /var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0) +/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0) + +/etc/rc.d/init.d/bluetooth -- gen_context(system_u:object_r:bluetooth_script_exec_t,s0) +/etc/rc.d/init.d/dund -- gen_context(system_u:object_r:bluetooth_script_exec_t,s0) +/etc/rc.d/init.d/pand -- gen_context(system_u:object_r:bluetooth_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.2.7/policy/modules/services/bluetooth.if --- nsaserefpolicy/policy/modules/services/bluetooth.if 2007-10-29 07:52:49.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/bluetooth.if 2008-02-13 16:57:15.000000000 -0500 @@ -35,7 +35,7 @@ template(`bluetooth_per_role_template',` gen_require(` attribute bluetooth_helper_domain; - type bluetooth_helper_exec_t; + type bluetooth_helper_exec_t, bluetooth_t; ') type $1_bluetooth_t, bluetooth_helper_domain; 
@@ -226,3 +226,88 @@ dontaudit $1 bluetooth_helper_domain:dir search; dontaudit $1 bluetooth_helper_domain:file { read getattr }; ') + +######################################## +## +## Execute bluetooth server in the bluetooth domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`bluetooth_script_domtrans',` + gen_require(` + type bluetooth_script_exec_t; + ') + + init_script_domtrans_spec($1,bluetooth_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an bluetooth environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the bluetooth domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`bluetooth_admin',` + gen_require(` + type bluetooth_t; + type bluetooth_script_exec_t; + type bluetooth_tmp_t; + type bluetooth_lock_t; + type bluetooth_spool_t; + type bluetooth_var_lib_t; + type bluetooth_var_run_t; + type bluetooth_conf_t; + type bluetooth_conf_rw_t; + + ') + + allow $1 bluetooth_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, bluetooth_t, bluetooth_t) + + # Allow bluetooth_t to restart the apache service + bluetooth_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 bluetooth_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,bluetooth_tmp_t) + + files_list_var($1) + manage_all_pattern($1,bluetooth_lock_t) + + files_list_etc($1) + manage_all_pattern($1,bluetooth_conf_t) + manage_all_pattern($1,bluetooth_conf_rw_t) + + files_list_spool($1) + manage_all_pattern($1,bluetooth_spool_t) + + files_list_var_lib($1) + manage_all_pattern($1,bluetooth_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,bluetooth_var_run_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.2.7/policy/modules/services/bluetooth.te --- 
nsaserefpolicy/policy/modules/services/bluetooth.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/bluetooth.te 2008-02-13 16:57:15.000000000 -0500 @@ -32,19 +32,22 @@ type bluetooth_var_run_t; files_pid_file(bluetooth_var_run_t) +type bluetooth_script_exec_t; +init_script_type(bluetooth_script_exec_t) + ######################################## # # Bluetooth services local policy # -allow bluetooth_t self:capability { net_bind_service net_admin net_raw sys_tty_config ipc_lock }; +allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock }; dontaudit bluetooth_t self:capability sys_tty_config; allow bluetooth_t self:process { getsched signal_perms }; allow bluetooth_t self:fifo_file rw_fifo_file_perms; allow bluetooth_t self:shm create_shm_perms; allow bluetooth_t self:socket create_stream_socket_perms; allow bluetooth_t self:unix_dgram_socket create_socket_perms; -allow bluetooth_t self:unix_stream_socket create_stream_socket_perms; +allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow bluetooth_t self:tcp_socket create_stream_socket_perms; allow bluetooth_t self:udp_socket create_socket_perms; @@ -110,6 +113,8 @@ files_read_etc_runtime_files(bluetooth_t) files_read_usr_files(bluetooth_t) +auth_use_nsswitch(bluetooth_t) + libs_use_ld_so(bluetooth_t) libs_use_shared_libs(bluetooth_t) 
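Review bot: `dac_override` is added to bluetooth_t's self capability set with no comment recording which access needed it; it is the broadest capability on that line, since it lets the daemon bypass discretionary permission checks on any file it can otherwise reach. Please note the triggering access above the `allow` line, e.g. `# dac_override: needed for <ACCESS THAT REQUIRED IT — fill in>`, so a later reviewer can check whether a targeted file rule or an ownership fix would remove the need for it. The `connectto` addition on `unix_stream_socket` in the same hunk would likewise benefit from a one-line why.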
@@ -118,19 +123,18 @@ miscfiles_read_localization(bluetooth_t) miscfiles_read_fonts(bluetooth_t) -sysnet_read_config(bluetooth_t) - userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) userdom_dontaudit_use_sysadm_ptys(bluetooth_t) userdom_dontaudit_search_sysadm_home_dirs(bluetooth_t) optional_policy(` - dbus_system_bus_client_template(bluetooth,bluetooth_t) - dbus_connect_system_bus(bluetooth_t) + cups_dbus_chat(bluetooth_t) ') optional_policy(` - nis_use_ypbind(bluetooth_t) + dbus_system_bus_client_template(bluetooth,bluetooth_t) + dbus_connect_system_bus(bluetooth_t) + dbus_system_domain(bluetooth_t,bluetooth_exec_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.fc serefpolicy-3.2.7/policy/modules/services/canna.fc --- nsaserefpolicy/policy/modules/services/canna.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/canna.fc 2008-02-13 16:57:15.000000000 -0500 @@ -20,3 +20,5 @@ /var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0) /var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0) /var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0) + +/etc/rc.d/init.d/canna -- gen_context(system_u:object_r:canna_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.if serefpolicy-3.2.7/policy/modules/services/canna.if --- nsaserefpolicy/policy/modules/services/canna.if 2007-01-02 12:57:43.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/canna.if 2008-02-13 16:57:15.000000000 -0500 
@@ -18,3 +18,74 @@ files_search_pids($1) stream_connect_pattern($1,canna_var_run_t,canna_var_run_t,canna_t) ') + +######################################## +## +## Execute canna server in the canna domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`canna_script_domtrans',` + gen_require(` + type canna_script_exec_t; + ') + + init_script_domtrans_spec($1,canna_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an canna environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the canna domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`canna_admin',` + gen_require(` + type canna_t; + type canna_script_exec_t; + type canna_log_t; + type canna_var_lib_t; + type canna_var_run_t; + ') + + allow $1 canna_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, canna_t, canna_t) + + # Allow canna_t to restart the apache service + canna_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 canna_script_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + manage_all_pattern($1,canna_log_t) + + files_list_var_lib($1) + manage_all_pattern($1,canna_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,canna_var_run_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.te serefpolicy-3.2.7/policy/modules/services/canna.te --- nsaserefpolicy/policy/modules/services/canna.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/canna.te 2008-02-13 16:57:15.000000000 -0500 
@@ -19,6 +19,9 @@ type canna_var_run_t; files_pid_file(canna_var_run_t) +type canna_script_exec_t; +init_script_type(canna_script_exec_t) + ######################################## # # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.2.7/policy/modules/services/clamav.fc --- nsaserefpolicy/policy/modules/services/clamav.fc 2007-09-05 15:24:44.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/clamav.fc 2008-02-13 16:57:15.000000000 -0500 
@@ -5,16 +5,20 @@ /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) +/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) /var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) /var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0) /var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0) +/var/run/clamav-milter(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) -/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0) -/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0) +/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0) /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) +/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) + +/etc/rc.d/init.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.2.7/policy/modules/services/clamav.if --- nsaserefpolicy/policy/modules/services/clamav.if 2007-01-02 12:57:43.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/clamav.if 2008-02-13 16:57:15.000000000 -0500 
@@ -91,3 +91,97 @@ domtrans_pattern($1,clamscan_exec_t,clamscan_t) ') + +######################################## +## +## Execute clamav server in the clamav domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`clamav_script_domtrans',` + gen_require(` + type clamd_script_exec_t; + ') + + init_script_domtrans_spec($1,clamd_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an clamav environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the clamav domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`clamav_admin',` + gen_require(` + type clamd_t; + type clamd_script_exec_t; + type clamd_etc_t; + type clamd_tmp_t; + type clamd_var_log_t; + type clamd_var_lib_t; + type clamd_var_run_t; + + type clamscan_t; + type clamscan_tmp_t; + + type freshclam_t; + type freshclam_var_log_t; + ') + + allow $1 clamd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, clamd_t, clamd_t) + + allow $1 clamscan_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, clamscan_t, clamscan_t) + + allow $1 freshclam_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, freshclam_t, freshclam_t) + + # Allow clamd_t to restart the apache service + clamav_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 clamd_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,clamd_tmp_t) + + files_list_etc($1) + manage_all_pattern($1,clamd_etc_t) + + logging_list_logs($1) + manage_all_pattern($1,clamd_var_log_t) + + files_list_var_lib($1) + manage_all_pattern($1,clamd_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,clamd_var_run_t) + + manage_all_pattern($1,clamscan_tmp_t) + + manage_all_pattern($1,freshclam_var_log_t) +') + diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.2.7/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/clamav.te 2008-02-13 16:57:15.000000000 -0500 @@ -48,6 +48,9 @@ type freshclam_var_log_t; logging_log_file(freshclam_var_log_t) +type clamd_script_exec_t; +init_script_type(clamd_script_exec_t) + ######################################## # # clamd local policy @@ -87,6 +90,7 @@ kernel_dontaudit_list_proc(clamd_t) kernel_read_sysctl(clamd_t) kernel_read_kernel_sysctls(clamd_t) +kernel_read_system_state(clamd_t) corenet_all_recvfrom_unlabeled(clamd_t) corenet_all_recvfrom_netlabel(clamd_t) @@ -120,6 +124,8 @@ cron_use_system_job_fds(clamd_t) cron_rw_pipes(clamd_t) +mta_read_config(clamd_t) + optional_policy(` amavis_read_lib_files(clamd_t) amavis_read_spool_files(clamd_t) @@ -127,6 +133,10 @@ amavis_create_pid_files(clamd_t) ') +optional_policy(` + exim_read_spool_files(clamd_t) +') + ######################################## # # Freshclam local policy @@ -233,3 +243,7 @@ optional_policy(` apache_read_sys_content(clamscan_t) ') + +optional_policy(` + mailscanner_manage_spool(clamscan_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.2.7/policy/modules/services/consolekit.fc --- nsaserefpolicy/policy/modules/services/consolekit.fc 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/consolekit.fc 2008-02-13 16:57:15.000000000 -0500 
@@ -1,3 +1,6 @@ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) /var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) +/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0) + +/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.2.7/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2007-03-20 09:23:13.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/consolekit.if 2008-02-13 16:57:15.000000000 -0500 @@ -38,3 +38,24 @@ allow $1 consolekit_t:dbus send_msg; allow consolekit_t $1:dbus send_msg; ') + +######################################## +## +## Read consolekit log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`consolekit_read_log',` + gen_require(` + type consolekit_log_t; + ') + + files_search_pids($1) + read_files_pattern($1, consolekit_log_t, consolekit_log_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.7/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/consolekit.te 2008-02-13 16:57:15.000000000 -0500 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) +type consolekit_log_t; +files_pid_file(consolekit_log_t) + ######################################## # # consolekit local policy 
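Review bot: `/var/run/ConsoleKit(/.*)? --` can never label the `/var/run/ConsoleKit` directory itself, because the `--` field limits the entry to regular files while the `(/.*)?` suffix is written to include the directory. The consolekit.te hunk of this commit adds `manage_dirs_pattern` on consolekit_var_run_t and a `{ file dir }` pid filetrans, so the directory is clearly meant to be consolekit_var_run_t; drop the type field: `/var/run/ConsoleKit(/.*)?  gen_context(system_u:object_r:consolekit_var_run_t,s0)`. As written, a restorecon would leave the directory with the generic /var/run label while the files inside it get the consolekit type.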
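Review bot: `consolekit_read_log` calls `files_search_pids($1)`, but the type it reads, consolekit_log_t, is placed under /var/log by this commit's consolekit.fc entry `/var/log/ConsoleKit(/.*)?`, so a caller needs to traverse /var/log rather than /var/run; the pids search looks copied from a var_run interface. Change that line to `logging_search_logs($1)`.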
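Review bot: `files_pid_file(consolekit_log_t)` declares the new log type as a /var/run pid-file type, yet the same commit labels it under /var/log and creates it with `logging_log_filetrans(consolekit_t,consolekit_log_t, file)`. It should be `logging_log_file(consolekit_log_t)` so the type carries the log-file attribute that the logging interfaces act on and is not treated as a pid file by the generic files_ interfaces. A `# var/log files` comment above the declaration, matching the convention used in cron.te, would make the intent obvious.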
@@ -24,20 +27,27 @@ allow consolekit_t self:unix_stream_socket create_stream_socket_perms; allow consolekit_t self:unix_dgram_socket create_socket_perms; +manage_files_pattern(consolekit_t,consolekit_log_t,consolekit_log_t) +logging_log_filetrans(consolekit_t,consolekit_log_t, file) + +manage_dirs_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t) manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t) -files_pid_filetrans(consolekit_t,consolekit_var_run_t, file) +files_pid_filetrans(consolekit_t,consolekit_var_run_t, { file dir }) kernel_read_system_state(consolekit_t) corecmd_exec_bin(consolekit_t) +corecmd_exec_shell(consolekit_t) dev_read_urand(consolekit_t) dev_read_sysfs(consolekit_t) domain_read_all_domains_state(consolekit_t) domain_use_interactive_fds(consolekit_t) +domain_dontaudit_ptrace_all_domains(consolekit_t) files_read_etc_files(consolekit_t) +files_read_usr_files(consolekit_t) # needs to read /var/lib/dbus/machine-id files_read_var_lib_files(consolekit_t) @@ -47,16 +57,32 @@ auth_use_nsswitch(consolekit_t) +init_telinit(consolekit_t) +init_rw_utmp(consolekit_t) + libs_use_ld_so(consolekit_t) libs_use_shared_libs(consolekit_t) +logging_send_syslog_msg(consolekit_t) + miscfiles_read_localization(consolekit_t) +# consolekit needs to be able to ptrace all logged in users +userdom_ptrace_all_users(consolekit_t) +userdom_dontaudit_read_unpriv_users_home_content_files(consolekit_t) + +hal_ptrace(consolekit_t) +mcs_ptrace_all(consolekit_t) + optional_policy(` - dbus_system_bus_client_template(consolekit, consolekit_t) - dbus_connect_system_bus(consolekit_t) + cron_read_system_job_lib_files(consolekit_t) +') - hal_dbus_chat(consolekit_t) +optional_policy(` + dbus_system_domain(consolekit_t, consolekit_exec_t) + optional_policy(` + hal_dbus_chat(consolekit_t) + ') optional_policy(` unconfined_dbus_chat(consolekit_t) 
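Review bot: `hal_ptrace(consolekit_t)` is called at top level, whereas every other hal interface in this file (`hal_dbus_chat` a few lines below) is wrapped in `optional_policy`; if hal is built as an optional module, as that wrapping suggests, the policy fails to link on this line when hal is absent. Move it into the `optional_policy(` … `)` block that already contains `hal_dbus_chat(consolekit_t)`. The neighbouring `userdom_ptrace_all_users`, `mcs_ptrace_all` and `domain_dontaudit_ptrace_all_domains` together grant consolekit ptrace over every user process regardless of MCS category; the existing comment gives the motivation, but naming the concrete operation that needs ptrace would let the grant be narrowed later.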
@@ -64,6 +90,33 @@ ') optional_policy(` + polkit_domtrans_auth(consolekit_t) + polkit_search_lib(consolekit_t) +') + +optional_policy(` xserver_read_all_users_xauth(consolekit_t) xserver_stream_connect_xdm_xserver(consolekit_t) + xserver_ptrace_xdm(consolekit_t) +') + +optional_policy(` + #reading .Xauthity + unconfined_ptrace(consolekit_t) + unconfined_stream_connect(consolekit_t) +') + +optional_policy(` + userdom_read_user_tmp_files(user, consolekit_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_list_nfs(consolekit_t) + fs_dontaudit_rw_nfs_files(consolekit_t) ') + +tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_list_cifs(consolekit_t) + fs_dontaudit_rw_cifs_files(consolekit_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.7/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/cron.fc 2008-02-13 16:57:15.000000000 -0500 @@ -17,6 +17,8 @@ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +/var/spool/anacron(/.*) gen_context(system_u:object_r:system_cron_spool_t,s0) + /var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0) /var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0) /var/spool/at/[^/]* -- <> 
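Review bot: The comment `#reading .Xauthity` above `unconfined_ptrace(consolekit_t)` misspells .Xauthority and does not say why ptracing unconfined processes, rather than reading a file, is the mechanism; `# ptrace unconfined processes to locate their .Xauthority — TODO: check whether a file-read interface suffices` would state both. `userdom_read_user_tmp_files(user, consolekit_t)` hard-codes the `user` prefix, so only the user_r-derived tmp type is covered; if other user prefixes are in use those sessions will be denied, which should be either intended and commented or generalised.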
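Review bot: `/var/spool/anacron(/.*)` is missing the `?` that the other recursive entries in this file carry (compare `/var/lib/misc(/.*)?` in the next hunk), so the `/var/spool/anacron` directory itself is not matched and keeps its default label while its contents become system_cron_spool_t. Use `/var/spool/anacron(/.*)?  gen_context(system_u:object_r:system_cron_spool_t,s0)`.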
@@ -45,3 +47,4 @@ /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.7/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/cron.if 2008-02-13 16:57:15.000000000 -0500 @@ -35,38 +35,23 @@ # template(`cron_per_role_template',` gen_require(` + class context contains; attribute cron_spool_type; type crond_t, cron_spool_t, crontab_exec_t; ') + typealias $1_t alias $1_crond_t; # Type of user crontabs once moved to cron spool. type $1_cron_spool_t, cron_spool_type; files_type($1_cron_spool_t) - type $1_crond_t; - domain_type($1_crond_t) - domain_cron_exemption_target($1_crond_t) - corecmd_shell_entry_type($1_crond_t) - role $3 types $1_crond_t; + domain_cron_exemption_target($1_t) + corecmd_shell_entry_type($1_t) type $1_crontab_t; application_domain($1_crontab_t,crontab_exec_t) role $3 types $1_crontab_t; - type $1_crontab_tmp_t; - files_tmp_file($1_crontab_tmp_t) - - ############################## - # - # $1_crond_t local policy - # - - allow $1_crond_t self:capability dac_override; - allow $1_crond_t self:process { signal_perms setsched }; - allow $1_crond_t self:fifo_file rw_fifo_file_perms; - allow $1_crond_t self:unix_stream_socket create_stream_socket_perms; - allow $1_crond_t self:unix_dgram_socket create_socket_perms; - # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that 
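Review bot: `typealias $1_t alias $1_crond_t;` collapses the per-user cron job domain into the user's login domain, so a job launched by crond now runs with the full permission set of the interactive user instead of the narrower `$1_crond_t` rules this hunk deletes; that is a design change worth stating in the template, e.g. `# User cron jobs run in the user domain ($1_t); $1_crond_t survives only as a compatibility alias.`. `class context contains;` is added to `gen_require` but nothing in this hunk uses the `context` class; if the use is in the rest of the template (which continues past this hunk) that is fine, otherwise the require should be dropped. The template's documentation header is outside this hunk and presumably still describes a separate crond domain.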
@@ -74,116 +59,23 @@ # for the domain of the user cron job. It # performs an entrypoint permission check # for this purpose. - allow $1_crond_t $1_cron_spool_t:file entrypoint; + allow $1_t $1_cron_spool_t:file entrypoint; # Permit a transition from the crond_t domain to this domain. # The transition is requested explicitly by the modified crond # via setexeccon. There is no way to set up an automatic # transition, since crontabs are configuration files, not executables. - allow crond_t $1_crond_t:process transition; - dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh }; - allow crond_t $1_crond_t:fd use; - allow $1_crond_t crond_t:fd use; - allow $1_crond_t crond_t:fifo_file rw_file_perms; - allow $1_crond_t crond_t:process sigchld; - - kernel_read_system_state($1_crond_t) - kernel_read_kernel_sysctls($1_crond_t) - - # ps does not need to access /boot when run from cron - files_dontaudit_search_boot($1_crond_t) - - corenet_all_recvfrom_unlabeled($1_crond_t) - corenet_all_recvfrom_netlabel($1_crond_t) - corenet_tcp_sendrecv_all_if($1_crond_t) - corenet_udp_sendrecv_all_if($1_crond_t) - corenet_tcp_sendrecv_all_nodes($1_crond_t) - corenet_udp_sendrecv_all_nodes($1_crond_t) - corenet_tcp_sendrecv_all_ports($1_crond_t) - corenet_udp_sendrecv_all_ports($1_crond_t) - corenet_tcp_connect_all_ports($1_crond_t) - corenet_sendrecv_all_client_packets($1_crond_t) - - dev_read_urand($1_crond_t) - - fs_getattr_all_fs($1_crond_t) - - corecmd_exec_all_executables($1_crond_t) - - # quiet other ps operations - domain_dontaudit_read_all_domains_state($1_crond_t) - domain_dontaudit_getattr_all_domains($1_crond_t) - - files_read_usr_files($1_crond_t) - files_exec_etc_files($1_crond_t) - # for nscd: - files_dontaudit_search_pids($1_crond_t) - - libs_use_ld_so($1_crond_t) - libs_use_shared_libs($1_crond_t) - libs_exec_lib_files($1_crond_t) - libs_exec_ld_so($1_crond_t) - - files_read_etc_runtime_files($1_crond_t) - files_read_var_files($1_crond_t) - 
files_search_spool($1_crond_t) - - logging_search_logs($1_crond_t) - - seutil_read_config($1_crond_t) - - miscfiles_read_localization($1_crond_t) - - userdom_manage_user_tmp_files($1,$1_crond_t) - userdom_manage_user_tmp_symlinks($1,$1_crond_t) - userdom_manage_user_tmp_pipes($1,$1_crond_t) - userdom_manage_user_tmp_sockets($1,$1_crond_t) - # Run scripts in user home directory and access shared libs. - userdom_exec_user_home_content_files($1,$1_crond_t) - # Access user files and dirs. -# userdom_manage_user_home_subdir_dirs($1,$1_crond_t) - userdom_manage_user_home_content_files($1,$1_crond_t) - userdom_manage_user_home_content_symlinks($1,$1_crond_t) - userdom_manage_user_home_content_pipes($1,$1_crond_t) - userdom_manage_user_home_content_sockets($1,$1_crond_t) -# userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set) + allow crond_t $1_t:process transition; + dontaudit crond_t $1_t:process { noatsecure siginh rlimitinh }; + allow crond_t $1_t:fd use; + allow $1_t crond_t:fd use; + allow $1_t crond_t:fifo_file rw_file_perms; + allow $1_t crond_t:process sigchld; tunable_policy(`fcron_crond', ` allow crond_t $1_cron_spool_t:file manage_file_perms; ') - # need a per-role version of this: - #optional_policy(` - # mono_domtrans($1_crond_t) - #') - - optional_policy(` - dbus_stub($1_crond_t) - - allow $1_crond_t $2:dbus send_msg; - ') - - optional_policy(` - nis_use_ypbind($1_crond_t) - ') - - ifdef(`TODO',` - optional_policy(` - create_dir_file($1_crond_t, httpd_$1_content_t) - ') - allow $1_crond_t tmp_t:dir rw_dir_perms; - type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t; - - ifdef(`mta.te', ` - domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t) - allow $1_crond_t sendmail_exec_t:lnk_file read_lnk_file_perms; - - # $1_mail_t should only be reading from the cron fifo not needing to write - dontaudit $1_mail_t crond_t:fifo_file write; - allow mta_user_agent $1_crond_t:fd use; - ') - ') dnl endif 
TODO - ############################## # # $1_crontab_t local policy @@ -192,9 +84,13 @@ # dac_override is to create the file in the directory under /tmp allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override }; allow $1_crontab_t self:process signal_perms; + allow $1_crontab_t self:fifo_file rw_fifo_file_perms; # Transition from the user domain to the derived domain. domtrans_pattern($2, crontab_exec_t, $1_crontab_t) + allow $2 $1_crontab_t:fd use; + + auth_domtrans_chk_passwd($1_crontab_t) # crontab shows up in user ps ps_process_pattern($2,$1_crontab_t) @@ -205,9 +101,6 @@ # Allow crond to read those crontabs in cron spool. allow crond_t $1_cron_spool_t:file manage_file_perms; - allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms; - files_tmp_filetrans($1_crontab_t,$1_crontab_tmp_t,file) - # create files in /var/spool/cron manage_files_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t) filetrans_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t,file) @@ -236,6 +129,7 @@ libs_use_shared_libs($1_crontab_t) logging_send_syslog_msg($1_crontab_t) + logging_send_audit_msgs($1_crontab_t) miscfiles_read_localization($1_crontab_t) @@ -247,6 +141,7 @@ userdom_use_user_terminals($1,$1_crontab_t) # Read user crontabs userdom_read_user_home_content_files($1,$1_crontab_t) + userdom_transition_user_tmp($1,$1_crontab_t, { lnk_file file dir fifo_file }) tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator @@ -285,14 +180,12 @@ template(`cron_admin_template',` gen_require(` attribute cron_spool_type; - type $1_crontab_t, $1_crond_t; + type $1_crontab_t; ') # Allow our crontab domain to unlink a user cron spool file. allow $1_crontab_t cron_spool_type:file { getattr read unlink }; - logging_read_generic_logs($1_crond_t) - # Manipulate other users crontab. selinux_get_fs_mount($1_crontab_t) selinux_validate_context($1_crontab_t) 
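Review bot: `auth_domtrans_chk_passwd($1_crontab_t)` lets the per-user crontab editor domain run the password-checking helper, with no comment on which crontab feature requires it; a why-comment such as `# crontab authenticates the invoking user through PAM — TODO confirm which module` would document the privilege. `allow $2 $1_crontab_t:fd use;` reverses the usual direction (the user domain using the crontab domain's descriptors) and also deserves a one-line reason. Both additions sit in the `$1_crontab_t local policy` section whose start is in the previous hunk.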
@@ -438,6 +331,25 @@ ######################################## ## +## Read temporary files from cron. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_read_tmp_files',` + gen_require(` + type crond_tmp_t; + ') + + files_search_tmp($1) + allow $1 crond_tmp_t:file read_file_perms; +') + +######################################## +## ## Read, and write cron daemon TCP sockets. ## ## @@ -558,11 +470,14 @@ # interface(`cron_read_system_job_tmp_files',` gen_require(` - type system_crond_tmp_t; + type system_crond_tmp_t, cron_var_run_t; ') files_search_tmp($1) allow $1 system_crond_tmp_t:file read_file_perms; + + files_search_pids($1) + allow $1 cron_var_run_t:file read_file_perms; ') ######################################## @@ -583,3 +498,45 @@ dontaudit $1 system_crond_tmp_t:file append; ') + + +######################################## +## +## Do not audit attempts to write temporary +## files from the system cron jobs. +## +## +## +## Domain to not audit. +## +## +# +interface(`cron_dontaudit_write_system_job_tmp_files',` + gen_require(` + type system_crond_tmp_t; + type system_crond_var_run_t; + ') + + dontaudit $1 system_crond_tmp_t:file write_file_perms; + dontaudit $1 cron_var_run_t:file write_file_perms; +') + + +######################################## +## +## Read temporary files from the system cron jobs. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_read_system_job_lib_files',` + gen_require(` + type system_crond_var_lib_t; + ') + + + read_files_pattern($1, system_crond_var_lib_t, system_crond_var_lib_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.7/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/cron.te 2008-02-13 16:57:15.000000000 -0500 @@ -12,14 +12,6 @@ ## ##
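Review bot: `cron_read_system_job_tmp_files` now also grants read on `cron_var_run_t` under /var/run, which neither its name nor its summary (above this hunk) conveys, so callers that wanted only tmp access silently gain pid-file access. Either document it in the interface header — `## Also grants read access to cron's /var/run files.` — or move the two new lines into a separate `cron_read_pid_files`-style interface.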
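Review bot: In `cron_dontaudit_write_system_job_tmp_files` the `gen_require` lists `system_crond_var_run_t` but the body dontaudits `cron_var_run_t`, which is not required, so the required type is unused and the used type is unresolved in a module that does not otherwise pull it in. Make them agree, `type system_crond_tmp_t, cron_var_run_t;`, or change the rule to `system_crond_var_run_t` if that was the intended type. In the same hunk `cron_read_system_job_lib_files` is summarised as "Read temporary files from the system cron jobs." although it reads system_crond_var_lib_t; `## Read /var/lib files of the system cron jobs.` matches the code, and the double blank line before its `read_files_pattern` call is noise.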

-## Allow system cron jobs to relabel filesystem -## for restoring file contexts. -##

-##
-gen_tunable(cron_can_relabel,false) - -## -##

## Enable extra rules in the cron domain ## to support fcron. ##

@@ -38,6 +30,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) +# var/lib files +type cron_var_run_t; +files_type(cron_var_run_t) + # var/log files type cron_log_t; logging_log_file(cron_log_t) @@ -50,6 +46,7 @@ type crond_tmp_t; files_tmp_file(crond_tmp_t) +files_poly_parent(crond_tmp_t) type crond_var_run_t; files_pid_file(crond_var_run_t) @@ -71,6 +68,12 @@ type system_crond_tmp_t; files_tmp_file(system_crond_tmp_t) +type system_crond_var_lib_t; +files_type(system_crond_var_lib_t) + +type system_crond_var_run_t; +files_pid_file(system_crond_var_run_t) + ifdef(`enable_mcs',` init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh) ') @@ -80,7 +83,7 @@ # Cron Local policy # -allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control }; +allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; dontaudit crond_t self:capability { sys_resource sys_tty_config }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; @@ -99,15 +102,14 @@ allow crond_t crond_var_run_t:file manage_file_perms; files_pid_filetrans(crond_t,crond_var_run_t,file) -allow crond_t cron_spool_t:dir rw_dir_perms; -allow crond_t cron_spool_t:file read_file_perms; +manage_files_pattern(crond_t,cron_spool_t,cron_spool_t) manage_dirs_pattern(crond_t,crond_tmp_t,crond_tmp_t) manage_files_pattern(crond_t,crond_tmp_t,crond_tmp_t) files_tmp_filetrans(crond_t,crond_tmp_t,{ file dir }) -allow crond_t system_cron_spool_t:dir list_dir_perms; -allow crond_t system_cron_spool_t:file read_file_perms; +list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) +read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) kernel_read_kernel_sysctls(crond_t) kernel_search_key(crond_t) 
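Review bot: The new `cron_var_run_t` is introduced under the comment `# var/lib files` and declared with `files_type`, although its name and the `files_pid_filetrans(system_crond_t,cron_var_run_t,file)` added later in this commit make it a /var/run type; the sibling `system_crond_var_run_t` in the -71 hunk correctly uses `files_pid_file`. Change the pair to `# var/run files` and `files_pid_file(cron_var_run_t)` so the type is covered by the pid-file attribute that the generic files_ interfaces operate on.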
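Review bot: `manage_files_pattern(crond_t,cron_spool_t,cron_spool_t)` widens crond_t from reading user crontabs to creating, writing and deleting them, replacing two rules that were deliberately read-only on files, and nothing says which daemon operation needs write access. If this is for fcron or anacron, record it on the line, e.g. `# crond rewrites spool files (fcron/anacron) — TODO confirm`; otherwise keep the read-only form so that only the crontab domains can alter a user's spool file.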
@@ -133,6 +135,8 @@ corecmd_read_bin_symlinks(crond_t) domain_use_interactive_fds(crond_t) +domain_subj_id_change_exemption(crond_t) +domain_role_change_exemption(crond_t) files_read_etc_files(crond_t) files_read_generic_spool(crond_t) @@ -142,13 +146,16 @@ files_search_default(crond_t) init_rw_utmp(crond_t) +init_spec_domtrans_script(crond_t) auth_use_nsswitch(crond_t) libs_use_ld_so(crond_t) libs_use_shared_libs(crond_t) +logging_send_audit_msgs(crond_t) logging_send_syslog_msg(crond_t) +logging_set_loginuid(crond_t) seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) @@ -163,9 +170,6 @@ mta_send_mail(crond_t) ifdef(`distro_debian',` - # pam_limits is used - allow crond_t self:process setrlimit; - optional_policy(` # Debian logcheck has the home dir set to its cache logwatch_search_cache_dir(crond_t) @@ -180,21 +184,45 @@ ') ') +tunable_policy(`allow_polyinstantiation',` + allow crond_t self:capability fowner; + files_search_tmp(crond_t) + files_polyinstantiate_all(crond_t) +') + +optional_policy(` + apache_search_sys_content(crond_t) +') + optional_policy(` locallogin_search_keys(crond_t) locallogin_link_keys(crond_t) ') +optional_policy(` + # these should probably be unconfined_crond_t + init_dbus_send_script(crond_t) +') + +optional_policy(` + mono_domtrans(crond_t) +') + tunable_policy(`fcron_crond', ` allow crond_t system_cron_spool_t:file manage_file_perms; ') optional_policy(` + amanda_search_var_lib(crond_t) +') + +optional_policy(` amavis_search_lib(crond_t) ') optional_policy(` - hal_dbus_send(crond_t) + hal_dbus_chat(crond_t) + hal_dbus_chat(system_crond_t) ') optional_policy(` 
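Review bot: `domain_subj_id_change_exemption(crond_t)` and `domain_role_change_exemption(crond_t)` are added without explanation; together they allow crond to set a different SELinux user and role on the processes it spawns, which is what the setexeccon-based transitions described in cron.if rely on but is also a privilege that should be documented. Add a why-comment above the pair, e.g. `# crond sets the full user:role:type context of user jobs via setexeccon, so it needs the id/role change exemptions`.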
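Review bot: `mono_domtrans(crond_t)` gives the cron daemon itself a transition into the mono domain, while a later hunk adds the same for system_crond_t, which is where jobs execute; unless crond directly executes a mono-compiled helper, the crond_t grant looks unnecessary and should be commented or removed. The comment `# these should probably be unconfined_crond_t` names a domain that does not appear in this file; turn it into an explicit TODO describing the intended split so it is not mistaken for an existing type.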
@@ -236,6 +264,9 @@ allow system_crond_t cron_var_lib_t:file manage_file_perms; files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file) +allow system_crond_t cron_var_run_t:file manage_file_perms; +files_pid_filetrans(system_crond_t,cron_var_run_t,file) + allow system_crond_t system_cron_spool_t:file read_file_perms; # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are @@ -267,9 +298,13 @@ filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file }) files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file) +# var/lib files for system_crond +files_search_var_lib(system_crond_t) +manage_files_pattern(system_crond_t,system_crond_var_lib_t,system_crond_var_lib_t) + # Read from /var/spool/cron. allow system_crond_t cron_spool_t:dir list_dir_perms; -allow system_crond_t cron_spool_t:file read_file_perms; +allow system_crond_t cron_spool_t:file rw_file_perms; kernel_read_kernel_sysctls(system_crond_t) kernel_read_system_state(system_crond_t) @@ -323,7 +358,7 @@ init_read_utmp(system_crond_t) init_dontaudit_rw_utmp(system_crond_t) # prelink tells init to restart it self, we either need to allow or dontaudit -init_write_initctl(system_crond_t) +init_telinit(system_crond_t) auth_use_nsswitch(system_crond_t) @@ -333,6 +368,7 @@ libs_exec_ld_so(system_crond_t) logging_read_generic_logs(system_crond_t) +logging_send_audit_msgs(system_crond_t) logging_send_syslog_msg(system_crond_t) miscfiles_read_localization(system_crond_t) 
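Review bot: `allow system_crond_t cron_spool_t:file rw_file_perms;` lets system cron jobs modify every user's crontab, while the comment above it still reads `# Read from /var/spool/cron.`, so the comment is now wrong and the widening has no stated reason. Either revert to `read_file_perms` or update the comment to name the job that needs write access, e.g. `# Read and update /var/spool/cron (needed by <JOB — fill in>).`.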
@@ -348,18 +384,6 @@ ') ') -tunable_policy(`cron_can_relabel',` - seutil_domtrans_setfiles(system_crond_t) -',` - selinux_get_fs_mount(system_crond_t) - selinux_validate_context(system_crond_t) - selinux_compute_access_vector(system_crond_t) - selinux_compute_create_context(system_crond_t) - selinux_compute_relabel_context(system_crond_t) - selinux_compute_user_contexts(system_crond_t) - seutil_read_file_contexts(system_crond_t) -') - optional_policy(` # Needed for certwatch apache_exec_modules(system_crond_t) @@ -383,6 +407,14 @@ ') optional_policy(` + lpd_list_spool(system_crond_t) +') + +optional_policy(` + mono_domtrans(system_crond_t) +') + +optional_policy(` mrtg_append_create_logs(system_crond_t) ') @@ -415,8 +447,7 @@ ') optional_policy(` - # cjp: why? - squid_domtrans(system_crond_t) + spamassassin_manage_lib_files(system_crond_t) ') optional_policy(` @@ -424,15 +455,12 @@ ') optional_policy(` + unconfined_dbus_send(crond_t) + unconfined_shell_domtrans(crond_t) + unconfined_domain(crond_t) unconfined_domain(system_crond_t) - - userdom_priveleged_home_dir_manager(system_crond_t) ') -ifdef(`TODO',` -ifdef(`mta.te', ` -allow system_crond_t mail_spool_t:lnk_file read; -allow mta_user_agent system_crond_t:fd use; -r_dir_file(system_mail_t, crond_tmp_t) +optional_policy(` + userdom_priveleged_home_dir_manager(system_crond_t) ') -') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.2.7/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2007-11-16 15:30:49.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/cups.fc 2008-02-13 16:57:15.000000000 -0500 
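Review bot: The last hunk makes the cron daemon itself unconfined whenever the unconfined module is present — `unconfined_domain(crond_t)` together with `unconfined_shell_domtrans(crond_t)` — which on such systems renders the scoped grants added earlier in this file (polyinstantiation, dbus, mono) irrelevant for crond_t, and it does so with no comment or tunable. A one-line rationale is the minimum, e.g. `# on installs with the unconfined module crond_t is unconfined; the rules above only bite when that module is absent`, and if a confined crond on an otherwise unconfined system is a supported configuration this belongs behind a boolean. Separately, the `cron_can_relabel` tunable is removed in the first hunk together with both of its branches; nothing visible here replaces that path, so if it moved elsewhere the commit should say where.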
@@ -8,24 +8,28 @@ /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) - /etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) -/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) -/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) -/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) +/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) +/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) /usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) /usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0) +/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0) +# keep as separate lines to ensure proper sorting +/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) +/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) + /usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) 
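Review bot: Dropping the `/usr/lib(64)?/cups/backend/.*` and `/usr/lib(64)?/cups/daemon/.*` → cupsd_exec_t entries leaves every non-HP backend and daemon helper with whatever label /usr/lib gets by default, and nothing in the hunk records what that is meant to be. If those paths are now covered by another module (corecommands labelling them bin_t, for instance), a comment next to the surviving `cups-lpd` lines should point there, otherwise `can_exec(cupsd_t, cupsd_exec_t)` in cups.te no longer applies to them. The `# keep as separate lines to ensure proper sorting` note is helpful; the same reasoning is why `cups-lpd` was split into `/usr/lib/` and `/usr/lib64/` lines, so it could sit above that pair as well.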
@@ -33,7 +37,7 @@ /usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) /usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/usr/share/hplip/hpssd\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) +/usr/share/hplip/[^/]*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -50,3 +54,9 @@ /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) + +/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/etc/rc.d/init.d/cups -- gen_context(system_u:object_r:cups_script_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.2.7/policy/modules/services/cups.if --- nsaserefpolicy/policy/modules/services/cups.if 2007-01-02 12:57:43.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/cups.if 2008-02-13 16:57:15.000000000 -0500 
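Review bot: Widening `/usr/share/hplip/hpssd\.py` to `/usr/share/hplip/[^/]*\.py` makes every Python file in that directory an entry point into hplip_t rather than just the daemon, so any helper or setup script there will now transition when run by cupsd_t or cupsd_config_t (the `domtrans_pattern` lines added in cups.te). If only a handful of scripts need the domain, listing them is safer; otherwise a comment such as `# all hplip python tools run in hplip_t so they can reach the printer devices` would record the decision. The `/usr/local/Brother/inf(/.*)?` and `/usr/local/Printer/[^/]*/inf(/.*)?` entries label vendor trees under /usr/local as `cupsd_rw_etc_t`, i.e. writable by the daemon; a note on what cupsd writes there would let the next reader judge whether read-only `cupsd_etc_t` suffices.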
@@ -247,3 +247,102 @@ files_search_pids($1) stream_connect_pattern($1,ptal_var_run_t,ptal_var_run_t,ptal_t) ') + +######################################## +## +## Execute cups server in the cups domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`cups_script_domtrans',` + gen_require(` + type cups_script_exec_t; + ') + + init_script_domtrans_spec($1,cups_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an cups environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the cups domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`cups_admin',` + gen_require(` + type cups_t; + type cups_script_exec_t; + type cups_tmp_t; + type cups_lpd_tmp_t; + type cups_etc_t; + type cups_etc_rw_t; + type cups_log_t; + type cups_spool_t; + type cups_config_var_run_t; + type cups_lpd_var_run_t; + type cups_var_run_t; + type ptal_etc_t; + type ptal_var_run_t; + type hplip_var_run_t; + ') + + allow $1 cups_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, cups_t, cups_t) + + # Allow cups_t to restart the apache service + cups_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 cups_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,cups_tmp_t) + + manage_all_pattern($1,cups_lpd_tmp_t) + + files_list_etc($1) + manage_all_pattern($1,cups_etc_t) + + manage_all_pattern($1,ptal_etc_t) + + manage_all_pattern($1,cups_etc_rw_t) + + files_list_spool($1) + manage_all_pattern($1,cups_spool_t) + + logging_list_logs($1) + manage_all_pattern($1,cups_log_t) + + files_list_pids($1) + manage_all_pattern($1,cups_var_run_t) + + manage_all_pattern($1,ptal_var_run_t) + + manage_all_pattern($1,cups_config_var_run_t) + + manage_all_pattern($1,cups_lpd_var_run_t) + + manage_all_pattern($1,hplip_var_run_t) +') + diff 
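Review bot: `cups_admin` requires types that cups.te does not declare — `cups_t`, `cups_tmp_t`, `cups_etc_t`, `cups_etc_rw_t`, `cups_log_t`, `cups_var_run_t` and the other `cups_*` names in the `gen_require` block — while the module's types are spelled `cupsd_t`, `cupsd_tmp_t`, `cupsd_etc_t`, `cupsd_rw_etc_t`, `cupsd_log_t` and `cupsd_var_run_t` (all visible in the cups.te hunks below), so the first caller of this interface will fail to build. Every `gen_require` entry and each `manage_all_pattern`/`allow`/`read_files_pattern` line needs the `cupsd_` spelling, and the names that have no cups.te counterpart (for example `cups_spool_t`) should be checked against the module rather than guessed. The header also documents a third parameter, "The type of the user terminal", that the body never uses, and `# Allow cups_t to restart the apache service` is a copy-paste leftover — `# Allow $1 to run the cups init script, transitioning to system_r` is what the code does.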
--exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.2.7/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/cups.te 2008-02-13 16:57:15.000000000 -0500 @@ -43,14 +43,12 @@ type cupsd_var_run_t; files_pid_file(cupsd_var_run_t) -mls_trusted_object(cupsd_var_run_t) type hplip_t; type hplip_exec_t; init_daemon_domain(hplip_t,hplip_exec_t) - -type hplip_etc_t; -files_config_file(hplip_etc_t) +domtrans_pattern(cupsd_t,hplip_exec_t, hplip_t) +domtrans_pattern(cupsd_config_t,hplip_exec_t, hplip_t) type hplip_var_run_t; files_pid_file(hplip_var_run_t) @@ -65,12 +63,17 @@ type ptal_var_run_t; files_pid_file(ptal_var_run_t) +type cups_script_exec_t; +init_script_type(cups_script_exec_t) + ifdef(`enable_mcs',` init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh) ') ifdef(`enable_mls',` init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh) + + mls_trusted_object(cupsd_var_run_t) ') ######################################## 
@@ -79,13 +82,14 @@ # # /usr/lib/cups/backend/serial needs sys_admin(?!) -allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config }; +allow cupsd_t self:capability { dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_admin sys_rawio sys_resource sys_tty_config }; dontaudit cupsd_t self:capability { sys_tty_config net_admin }; -allow cupsd_t self:process { setsched signal_perms }; -allow cupsd_t self:fifo_file rw_file_perms; +allow cupsd_t self:process { setpgid setsched signal_perms }; +allow cupsd_t self:fifo_file rw_fifo_file_perms; allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow cupsd_t self:unix_dgram_socket create_socket_perms; allow cupsd_t self:netlink_selinux_socket create_socket_perms; +allow cupsd_t self:shm create_shm_perms; allow cupsd_t self:tcp_socket create_stream_socket_perms; allow cupsd_t self:udp_socket create_socket_perms; allow cupsd_t self:appletalk_socket create_socket_perms; @@ -104,7 +108,7 @@ # allow cups to execute its backend scripts can_exec(cupsd_t, cupsd_exec_t) -allow cupsd_t cupsd_exec_t:dir search; +allow cupsd_t cupsd_exec_t:dir search_dir_perms; allow cupsd_t cupsd_exec_t:lnk_file read; manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t) 
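Review bot: `sys_rawio` is added to the cupsd_t capability set with no explanation, while the only comment on that line still just questions `sys_admin`; CAP_SYS_RAWIO is what permits raw port and block-device access, so a network-facing daemon should carry a reason such as `# sys_rawio: needed by <backend> for <device>` or the grant should be reconfirmed against an AVC from a real run before it stays. The same line lists `dac_override` twice, which is harmless but suggests it was pasted rather than reviewed; `allow cupsd_t self:capability { dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown sys_admin sys_rawio sys_resource sys_tty_config };` is the deduplicated form. With `sys_tty_config` now allowed, its presence in the `dontaudit` on the following line is dead and can go.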
@@ -116,13 +120,19 @@ manage_fifo_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) +# This whole section needs to be moved to a smbspool policy +# smbspool seems to be iterating through all existing tmp files. +# Looking for kerberos files +files_getattr_all_tmp_files(cupsd_t) +userdom_read_unpriv_users_tmp_files(cupsd_t) +files_dontaudit_getattr_all_tmp_sockets(cupsd_t) + allow cupsd_t cupsd_var_run_t:dir setattr; manage_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t) manage_sock_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t) files_pid_filetrans(cupsd_t,cupsd_var_run_t,file) -read_files_pattern(cupsd_t,hplip_etc_t,hplip_etc_t) - +allow cupsd_t hplip_t:process sigkill; allow cupsd_t hplip_var_run_t:file { read getattr }; stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t) 
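Review bot: `userdom_read_unpriv_users_tmp_files(cupsd_t)` turns the old `files_dontaudit_getattr_all_tmp_files` into real read access to every unprivileged user's /tmp files, and the comment says the motive is smbspool hunting for Kerberos credential caches — exactly the files a print daemon reachable over the network should not be able to read wholesale. If smbspool only needs the submitting user's cache, the access belongs in the separate smbspool domain the comment already asks for, or behind a tunable so sites without Kerberos printing can keep it off. At minimum the comment should name what is being read and mark the rule as temporary, e.g. `# TODO: move to an smbspool domain; this grants read of all unpriv user tmp files, krb5 ccaches included`.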
@@ -149,32 +159,35 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) +corenet_tcp_connect_smbd_port(cupsd_t) corenet_sendrecv_hplip_client_packets(cupsd_t) corenet_sendrecv_ipp_client_packets(cupsd_t) corenet_sendrecv_ipp_server_packets(cupsd_t) +corenet_tcp_bind_all_rpc_ports(cupsd_t) dev_rw_printer(cupsd_t) dev_read_urand(cupsd_t) dev_read_sysfs(cupsd_t) -dev_read_usbfs(cupsd_t) +dev_rw_generic_usb_dev(cupsd_t) +dev_rw_usbfs(cupsd_t) dev_getattr_printer_dev(cupsd_t) domain_read_all_domains_state(cupsd_t) fs_getattr_all_fs(cupsd_t) fs_search_auto_mountpoints(cupsd_t) +fs_read_anon_inodefs_files(cupsd_t) +mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) mls_file_write_all_levels(cupsd_t) mls_file_read_all_levels(cupsd_t) +mls_rangetrans_target(cupsd_t) mls_socket_write_all_levels(cupsd_t) term_use_unallocated_ttys(cupsd_t) term_search_ptys(cupsd_t) -auth_domtrans_chk_passwd(cupsd_t) -auth_dontaudit_read_pam_pid(cupsd_t) - # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp corecmd_exec_shell(cupsd_t) corecmd_exec_bin(cupsd_t) @@ -186,7 +199,7 @@ # read python modules files_read_usr_files(cupsd_t) # for /var/lib/defoma -files_search_var_lib(cupsd_t) +files_read_var_lib_files(cupsd_t) files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) @@ -195,15 +208,15 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) -# smbspool seems to be iterating through all existing tmp files. -# redhat bug #214953 -# cjp: this might be a broken behavior -files_dontaudit_getattr_all_tmp_files(cupsd_t) selinux_compute_access_vector(cupsd_t) +selinux_validate_context(cupsd_t) init_exec_script_files(cupsd_t) +auth_domtrans_chk_passwd(cupsd_t) +auth_dontaudit_read_pam_pid(cupsd_t) +auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) libs_use_ld_so(cupsd_t) 
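Review bot: `corenet_tcp_bind_all_rpc_ports(cupsd_t)` in the first hunk lets cupsd listen on the whole RPC port range with no comment on which feature needs it; the daemon already has `corenet_tcp_bind_reserved_port` and the ipp rules above, so either name the consumer (`# <feature> binds an rpc port`) or use the specific port interface. The same hunk upgrades `dev_read_usbfs` to `dev_rw_usbfs` and adds `dev_rw_generic_usb_dev`, plausible for USB printers, but combined with the `sys_rawio` grant earlier in the file this is the path a compromised filter would take to hardware, so they deserve a shared explanation. `files_read_var_lib_files(cupsd_t)` replaces a search-only rule kept for `/var/lib/defoma` with read of every file under /var/lib; if defoma is the only need, a defoma-specific type or at least a comment would keep that scope visible.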
@@ -219,17 +232,22 @@ miscfiles_read_fonts(cupsd_t) seutil_read_config(cupsd_t) +sysnet_exec_ifconfig(cupsd_t) -sysnet_read_config(cupsd_t) - +files_dontaudit_list_home(cupsd_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_all_users_home_content(cupsd_t) # Write to /var/spool/cups. lpd_manage_spool(cupsd_t) +lpd_read_config(cupsd_t) +lpd_exec_lpr(cupsd_t) ifdef(`enable_mls',` lpd_relabel_spool(cupsd_t) + + mls_trusted_object(cupsd_var_run_t) + init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh) ') optional_policy(` @@ -242,12 +260,21 @@ optional_policy(` dbus_system_bus_client_template(cupsd,cupsd_t) + dbus_send_system_bus(cupsd_t) userdom_dbus_send_all_users(cupsd_t) optional_policy(` + avahi_dbus_chat(cupsd_t) + ') + + optional_policy(` hal_dbus_chat(cupsd_t) ') + + optional_policy(` + unconfined_dbus_chat(cupsd_t) + ') ') optional_policy(` @@ -263,6 +290,10 @@ ') optional_policy(` + mta_send_mail(cupsd_t) +') + +optional_policy(` # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) @@ -326,6 +357,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) +dev_rw_generic_usb_dev(cupsd_config_t) fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) @@ -353,6 +385,7 @@ logging_send_syslog_msg(cupsd_config_t) miscfiles_read_localization(cupsd_config_t) +miscfiles_read_hwdata(cupsd_config_t) seutil_dontaudit_search_config(cupsd_config_t) @@ -372,6 +405,10 @@ ') optional_policy(` + term_use_generic_ptys(cupsd_config_t) +') + +optional_policy(` cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') @@ -387,6 +424,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) + hal_dontaudit_use_fds(hplip_t) ') optional_policy(` 
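Review bot: The enable_mls block in the first hunk re-adds `mls_trusted_object(cupsd_var_run_t)` and `init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh)`, both of which the declarations hunk at `@@ -65,12 +63,17 @@` already places in its own enable_mls block; keep one copy, since a duplicated ranged-domain declaration is at best redundant and, depending on the compiler, may be reported as a conflicting range_transition. Further down, `hal_dontaudit_use_fds(hplip_t)` is inserted into the cupsd_config_t hal `optional_policy` block although it is an hplip_t rule; it belongs in the hplip section or the next person editing cupsd_config_t will not find it. `unconfined_dbus_chat(cupsd_t)` is also added without a note on which unconfined client talks to cupsd over the bus.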
@@ -499,14 +537,12 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; -allow hplip_t cupsd_etc_t:dir search; +allow hplip_t cupsd_etc_t:dir search_dir_perms; cups_stream_connect(hplip_t) - -allow hplip_t hplip_etc_t:dir list_dir_perms; -read_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t) -read_lnk_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t) -files_search_etc(hplip_t) +# For CUPS to run as a backend +allow cupsd_t hplip_t:process signal; +allow hplip_t cupsd_t:unix_stream_socket connected_stream_socket_perms; manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t) files_pid_filetrans(hplip_t,hplip_var_run_t,file) @@ -537,14 +573,14 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) -dev_read_usbfs(hplip_t) +dev_rw_usbfs(hplip_t) + fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) # for python corecmd_exec_bin(hplip_t) - domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) @@ -565,6 +601,7 @@ userdom_dontaudit_search_all_users_home_content(hplip_t) lpd_read_config(cupsd_t) +lpd_manage_spool(hplip_t) optional_policy(` seutil_sigchld_newrole(hplip_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.2.7/policy/modules/services/cvs.if --- nsaserefpolicy/policy/modules/services/cvs.if 2007-01-02 12:57:43.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/cvs.if 2008-02-13 16:57:15.000000000 -0500 
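Review bot: `lpd_read_config(cupsd_t)` appears as unchanged context in the last hunk, inside the hplip_t section, and the same call was just added to the cupsd_t section in `@@ -219,17 +232,22 @@`, so the file now carries it twice; drop the copy here, and move the neighbouring `allow cupsd_t hplip_t:process signal;` next to the `allow cupsd_t hplip_t:process sigkill;` added under cupsd_t so the cupsd_t → hplip_t rules sit together. `lpd_manage_spool(hplip_t)` gives the HP backend full management of the print spool that cupsd_t already manages; if hplip only writes its own job files, a narrower interface (where one exists) would limit what a compromised backend can do to other jobs. The `# For CUPS to run as a backend` comment reads as if cupsd were the backend; `# hplip runs as a cups backend: cupsd signals it and it talks back over cupsd's socket` is clearer.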
@@ -36,3 +36,72 @@ can_exec($1,cvs_exec_t) ') + +######################################## +## +## Execute cvs server in the cvs domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`cvs_script_domtrans',` + gen_require(` + type cvs_script_exec_t; + ') + + init_script_domtrans_spec($1,cvs_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an cvs environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the cvs domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`cvs_admin',` + gen_require(` + type cvs_t; + type cvs_script_exec_t; + type cvs_tmp_t; + type cvs_data_t; + type cvs_var_run_t; + ') + + allow $1 cvs_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, cvs_t, cvs_t) + + # Allow cvs_t to restart the apache service + cvs_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 cvs_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,cvs_tmp_t) + + manage_all_pattern($1,cvs_data_t) + + files_list_pids($1) + manage_all_pattern($1,cvs_var_run_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.2.7/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/cvs.te 2008-02-13 16:57:15.000000000 -0500 @@ -28,6 +28,9 @@ type cvs_var_run_t; files_pid_file(cvs_var_run_t) +type cvs_script_exec_t; +init_script_type(cvs_script_exec_t) + ######################################## # # Local policy @@ -69,6 +72,7 @@ fs_getattr_xattr_fs(cvs_t) auth_domtrans_chk_passwd(cvs_t) +auth_use_nsswitch(cvs_t) corecmd_exec_bin(cvs_t) corecmd_exec_shell(cvs_t) 
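Review bot: `cvs_admin` documents a third parameter, "The type of the user terminal", that the body never references, so either drop that parameter block from the header or add the terminal rules it implies; as written callers pass an argument that does nothing. The comment `# Allow cvs_t to restart the apache service` is a paste from another module — `# Allow $1 to run the cvs init script and transition to system_r to do so` describes what `cvs_script_domtrans($1)` and the `role_transition` below it actually do. Note also that the interface grants `$1` `ptrace` on cvs_t; admin roles usually get this, but the summary should say the caller can read the daemon's memory rather than just "administrate an cvs environment" (also: "a cvs").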
@@ -86,8 +90,6 @@ miscfiles_read_localization(cvs_t) -sysnet_read_config(cvs_t) - mta_send_mail(cvs_t) # cjp: typeattribute doesnt work in conditionals yet @@ -102,11 +104,3 @@ kerberos_read_config(cvs_t) kerberos_dontaudit_write_config(cvs_t) ') - -optional_policy(` - nis_use_ypbind(cvs_t) -') - -optional_policy(` - nscd_socket_use(cvs_t) -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.2.7/policy/modules/services/cyphesis.fc --- nsaserefpolicy/policy/modules/services/cyphesis.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/cyphesis.fc 2008-02-13 16:57:15.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.if serefpolicy-3.2.7/policy/modules/services/cyphesis.if --- nsaserefpolicy/policy/modules/services/cyphesis.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/cyphesis.if 2008-02-13 16:57:15.000000000 -0500 @@ -0,0 +1,19 @@ +## policy for cyphesis + +######################################## +## +## Execute a domain transition to run cyphesis. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`cyphesis_domtrans',` + gen_require(` + type cyphesis_t, cyphesis_exec_t; + ') + + domtrans_pattern($1,cyphesis_exec_t,cyphesis_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.te serefpolicy-3.2.7/policy/modules/services/cyphesis.te --- nsaserefpolicy/policy/modules/services/cyphesis.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/cyphesis.te 2008-02-13 16:57:15.000000000 -0500 
@@ -0,0 +1,92 @@
+policy_module(cyphesis,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cyphesis_t;
+type cyphesis_exec_t;
+domain_type(cyphesis_t)
+init_daemon_domain(cyphesis_t, cyphesis_exec_t)
+
+type cyphesis_var_run_t;
+files_pid_file(cyphesis_var_run_t)
+
+type cyphesis_log_t;
+logging_file(cyphesis_log_t)
+
+type cyphesis_tmp_t;
+files_tmp_file(cyphesis_tmp_t)
+
+########################################
+#
+# cyphesis local policy
+#
+
+allow cyphesis_t self:process { setfscreate setsched signal };
+allow cyphesis_t self:fifo_file rw_fifo_file_perms;
+allow cyphesis_t self:tcp_socket create_stream_socket_perms;
+allow cyphesis_t self:unix_stream_socket create_stream_socket_perms;
+allow cyphesis_t self:unix_dgram_socket create_socket_perms;
+allow cyphesis_t self:netlink_route_socket create_netlink_socket_perms;
+
+# DAN> What is cyphesis looking for in /bin?
+corecmd_search_bin(cyphesis_t)
+corecmd_getattr_bin_files(cyphesis_t)
+
+manage_files_pattern(cyphesis_t, cyphesis_log_t, cyphesis_log_t)
+logging_log_filetrans(cyphesis_t,cyphesis_log_t,file)
+
+# DAN > Does cyphesis really create a sock_file in /tmp? Why?
+allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms;
+files_tmp_filetrans(cyphesis_t,cyphesis_tmp_t,file)
+
+manage_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
+manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
+files_pid_filetrans(cyphesis_t,cyphesis_var_run_t, { file sock_file })
+
+dev_read_urand(cyphesis_t)
+
+files_read_etc_files(cyphesis_t)
+files_read_usr_files(cyphesis_t)
+
+libs_use_ld_so(cyphesis_t)
+libs_use_shared_libs(cyphesis_t)
+
+miscfiles_read_localization(cyphesis_t)
+
+logging_send_syslog_msg(cyphesis_t)
+
+sysnet_dns_name_resolve(cyphesis_t)
+corenet_tcp_sendrecv_all_if(cyphesis_t)
+corenet_tcp_sendrecv_all_nodes(cyphesis_t)
+corenet_all_recvfrom_unlabeled(cyphesis_t)
+corenet_tcp_bind_all_nodes(cyphesis_t)
+corenet_tcp_cyphesis_bind(cyphesis_t)
+corenet_tcp_sendrecv_all_ports(cyphesis_t)
+
+# Init script handling
+domain_use_interactive_fds(cyphesis_t)
+
+kernel_read_system_state(cyphesis_t)
+kernel_read_kernel_sysctls(cyphesis_t)
+
+# cyphesis wants to talk to avahi via dbus
+optional_policy(`
+
+ dbus_system_bus_client_template(cyphesis_t)
+
+ optional_policy(`
+ avahi_dbus_chat(cyphesis_t)
+ ')
+')
+
+optional_policy(`
+ postgresql_stream_connect(cyphesis_t)
+')
+
+optional_policy(`
+ kerberos_use(cyphesis_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.fc serefpolicy-3.2.7/policy/modules/services/cyrus.fc
--- nsaserefpolicy/policy/modules/services/cyrus.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/cyrus.fc 2008-02-13 16:57:15.000000000 -0500
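Review bot: `dbus_system_bus_client_template(cyphesis_t)` is called with a single argument, but every other use in this patch passes two — `dbus_system_bus_client_template(cupsd,cupsd_t)` in cups.te and `dbus_system_bus_client_template($1,$1)` in dbus.if — and the template body in dbus.if emits `allow $2 { system_dbusd_t $2 }:dbus send_msg;`, so with `$2` empty this should expand to an allow with no source type and break the build as soon as the dbus module is present; it should read `dbus_system_bus_client_template(cyphesis,cyphesis_t)`. The tmp handling is also inconsistent: `files_tmp_filetrans(cyphesis_t,cyphesis_tmp_t,file)` transitions plain files, yet the only permission on `cyphesis_tmp_t` is `sock_file manage_sock_file_perms`, so a socket created in /tmp will not receive the type and a plain file cannot be created at all — the filetrans class should be `sock_file` (or `{ file sock_file }` with matching file perms). `setfscreate` in the self:process allow lets the daemon choose the label of objects it creates, which is unusual for a game server and deserves a comment or removal, and `corenet_tcp_cyphesis_bind` does not follow the `corenet_tcp_bind_<name>_port` naming of the surrounding corenet calls, so confirm it exists in the patched corenetwork module.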
@@ -2,3 +2,5 @@ /usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0) /var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) + +/etc/rc.d/init.d/cyrus -- gen_context(system_u:object_r:cyrus_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.if serefpolicy-3.2.7/policy/modules/services/cyrus.if --- nsaserefpolicy/policy/modules/services/cyrus.if 2007-01-02 12:57:43.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/cyrus.if 2008-02-13 16:57:15.000000000 -0500 
@@ -39,3 +39,74 @@ files_search_var_lib($1) stream_connect_pattern($1,cyrus_var_lib_t,cyrus_var_lib_t,cyrus_t) ') + +######################################## +## +## Execute cyrus server in the cyrus domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`cyrus_script_domtrans',` + gen_require(` + type cyrus_script_exec_t; + ') + + init_script_domtrans_spec($1,cyrus_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an cyrus environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the cyrus domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`cyrus_admin',` + gen_require(` + type cyrus_t; + type cyrus_script_exec_t; + type cyrus_tmp_t; + type cyrus_var_lib_t; + type cyrus_var_run_t; + ') + + allow $1 cyrus_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, cyrus_t, cyrus_t) + + # Allow cyrus_t to restart the apache service + cyrus_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 cyrus_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1, cyrus_tmp_t) + + files_list_var_lib($1) + manage_all_pattern($1, cyrus_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,cyrus_var_run_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.2.7/policy/modules/services/cyrus.te --- nsaserefpolicy/policy/modules/services/cyrus.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/cyrus.te 2008-02-13 16:57:15.000000000 -0500 
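Review bot: `cyrus_admin` carries the same two leftovers as the other new admin interfaces in this patch: `# Allow cyrus_t to restart the apache service` is wrong (`# Allow $1 to run the cyrus init script, transitioning to system_r` is what the domtrans and role_transition do), and the header documents a third "user terminal" parameter that the body never uses. The interface also grants `$1` `ptrace` and `signal_perms` on cyrus_t plus full management of `cyrus_var_lib_t`, which per cyrus.fc is the /var/lib/imap tree; that is expected for an admin role but the summary should say so rather than "All of the rules required to administrate an cyrus environment" (also: "a cyrus").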
@@ -19,6 +19,9 @@ type cyrus_var_run_t; files_pid_file(cyrus_var_run_t) +type cyrus_script_exec_t; +init_script_type(cyrus_script_exec_t) + ######################################## # # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.7/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/dbus.if 2008-02-13 16:57:15.000000000 -0500 @@ -53,6 +53,7 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; class dbus { send_msg acquire_svc }; + attribute dbusd_unconfined; ') ############################## @@ -64,8 +65,6 @@ domain_entry_file($1_dbusd_t,system_dbusd_exec_t) role $3 types $1_dbusd_t; - type $1_dbusd_$1_t; - type $1_dbusd_tmp_t; files_tmp_file($1_dbusd_tmp_t) @@ -84,14 +83,18 @@ allow $1_dbusd_t self:tcp_socket create_stream_socket_perms; allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms; + allow dbusd_unconfined $1_dbusd_t:dbus { send_msg acquire_svc }; + allow $1_dbusd_t dbusd_unconfined:dbus send_msg; + # For connecting to the bus - allow $2 $1_dbusd_t:unix_stream_socket connectto; - type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t; + allow $2 $1_dbusd_t:unix_stream_socket { getattr connectto }; + allow $2 $1_dbusd_t:unix_dgram_socket getattr; # SE-DBus specific permissions - allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg; allow $2 $1_dbusd_t:dbus { send_msg acquire_svc }; - allow $1_t system_dbusd_t:dbus { send_msg acquire_svc }; + allow $1_dbusd_t $2:dbus send_msg; + allow $2 $2:dbus send_msg; + allow $2 system_dbusd_t:dbus { send_msg acquire_svc }; allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; read_files_pattern($1_dbusd_t,dbusd_etc_t,dbusd_etc_t) 
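Review bot: In the `@@ -84,14 +83,18 @@` hunk `allow dbusd_unconfined $1_dbusd_t:dbus { send_msg acquire_svc };` and `allow $1_dbusd_t dbusd_unconfined:dbus send_msg;` give every domain carrying the new attribute send and acquire rights on every per-user session bus, a cross-user grant that the template header (outside this hunk) does not mention. A comment on those lines — `# dbusd_unconfined domains (see dbus_unconfined) may use any user's session bus` — makes the trust boundary explicit, and if the attribute is meant only for unconfined_t the interface documentation should say so. The hunk also deletes `type $1_dbusd_$1_t;` and its `type_change`; any other module that still requires that derived type will now fail to link, so a tree-wide grep is worth doing before merge.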
@@ -102,10 +105,9 @@ files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir }) domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t) - allow $2 $1_dbusd_t:process { sigkill signal }; + allow $2 $1_dbusd_t:process { getattr ptrace signal_perms }; - # cjp: this seems very broken - corecmd_bin_domtrans($1_dbusd_t, $2) + corecmd_bin_domtrans($1_dbusd_t, $1_t) allow $1_dbusd_t $2:process sigkill; allow $2 $1_dbusd_t:fd use; allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms; @@ -139,6 +141,7 @@ fs_getattr_romfs($1_dbusd_t) fs_getattr_xattr_fs($1_dbusd_t) + fs_list_inotifyfs($1_dbusd_t) selinux_get_fs_mount($1_dbusd_t) selinux_validate_context($1_dbusd_t) @@ -161,12 +164,23 @@ seutil_read_config($1_dbusd_t) seutil_read_default_contexts($1_dbusd_t) - userdom_read_user_home_content_files($1, $1_dbusd_t) + userdom_dontaudit_search_sysadm_home_dirs($1_dbusd_t) + userdom_read_unpriv_users_home_content_files($1_dbusd_t) + userdom_dontaudit_append_unpriv_home_content_files($1_dbusd_t) + term_dontaudit_use_all_user_ptys($1_dbusd_t) ifdef(`hide_broken_symptoms', ` dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write }; ') + tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files($1_dbusd_t) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files($1_dbusd_t) + ') + tunable_policy(`read_default_t',` files_list_default($1_dbusd_t) files_read_default_files($1_dbusd_t) @@ -182,6 +196,7 @@ optional_policy(` xserver_use_xdm_fds($1_dbusd_t) xserver_rw_xdm_pipes($1_dbusd_t) + xserver_dontaudit_xdm_lib_search($1_dbusd_t) ') ') 
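Review bot: Replacing `userdom_read_user_home_content_files($1, $1_dbusd_t)` with `userdom_read_unpriv_users_home_content_files($1_dbusd_t)` in the `@@ -161,12 +164,23 @@` hunk removes the per-user scoping: each user's session bus daemon can now read every unprivileged user's home content instead of only its owner's, and the new `fs_read_nfs_files`/`fs_read_cifs_files` tunables extend that to network homes. If a concrete need drives this (service files in another user's home, say) it should be stated in a comment; otherwise the per-user interface is the right one and a `dontaudit` covers the noise. In the first hunk `corecmd_bin_domtrans($1_dbusd_t, $1_t)` hard-codes the derived `$1_t` name while the rest of the template uses `$2` for the user domain, so a caller whose domain is not literally `$1_t` gets either a build error or a transition into the wrong domain; `corecmd_bin_domtrans($1_dbusd_t, $2)` keeps the template self-consistent.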
@@ -209,12 +224,9 @@ class dbus send_msg; ') -# type $1_dbusd_system_t; -# type_change $2 system_dbusd_t:dbus $1_dbusd_system_t; - # SE-DBus specific permissions -# allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg; - allow $2 { system_dbusd_t self }:dbus send_msg; + allow $2 { system_dbusd_t $2 }:dbus send_msg; + allow system_dbusd_t $2:dbus send_msg; read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($2) @@ -223,6 +235,10 @@ files_search_pids($2) stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t) dbus_read_config($2) + + optional_policy(` + rpm_script_dbus_chat($2) + ') ') ####################################### @@ -251,18 +267,16 @@ template(`dbus_user_bus_client_template',` gen_require(` type $1_dbusd_t; + attribute dbusd_unconfined; class dbus send_msg; ') -# type $2_dbusd_$1_t; -# type_change $3 $1_dbusd_t:dbus $2_dbusd_$1_t; - # SE-DBus specific permissions -# allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg; allow $3 { $1_dbusd_t self }:dbus send_msg; # For connecting to the bus allow $3 $1_dbusd_t:unix_stream_socket connectto; + allow dbusd_unconfined $1_dbusd_t:dbus *; ') ######################################## 
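Review bot: `rpm_script_dbus_chat($2)` added inside `dbus_system_bus_client_template` means every domain that becomes a system-bus client — daemons included — also gets bidirectional dbus with rpm_script_t, which is normally an unconfined-style domain; that belongs in the few callers that need it (or in rpm's own policy) rather than in the generic client template. Likewise `allow dbusd_unconfined $1_dbusd_t:dbus *;` in `dbus_user_bus_client_template` is a bus-level rule re-emitted once per client and uses the `*` wildcard, while the session-bus template already grants dbusd_unconfined `{ send_msg acquire_svc }` there; drop it here, or move it to the bus template with the explicit permission set.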
@@ -292,6 +306,59 @@ ######################################## ## +## connectto a message on user/application specific DBUS. +## +## +## +## The prefix of the domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`dbus_connectto_user_bus',` + gen_require(` + type $1_dbusd_t; + ') + + allow $2 $1_dbusd_t:unix_stream_socket connectto; +') + +######################################## +## +## Chat on user/application specific DBUS. +## +## +## +## The prefix of the domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`dbus_chat_user_bus',` + gen_require(` + type $1_t; + type $1_dbusd_t; + class dbus send_msg; + ') + + allow $2 $1_dbusd_t:dbus send_msg; + allow $1_dbusd_t $2:dbus send_msg; + allow $2 $1_t:dbus send_msg; + allow $1_t $2:dbus send_msg; +') + +######################################## +## ## Read dbus configuration. ## ## 
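Review bot: The summary of `dbus_connectto_user_bus` reads "connectto a message on user/application specific DBUS", which is neither grammatical nor accurate — the template grants only `unix_stream_socket connectto` on the bus daemon and no dbus-class permission — so `## Connect to a user/application specific DBUS socket.` is the honest description. `dbus_chat_user_bus` requires `type $1_t` and so assumes the user domain is literally `$1_t`, unlike the sibling templates that take the domain as a separate argument; either document that assumption in the prefix parameter's summary or take the domain explicitly. Both templates should also note that they grant the reverse direction (`$1_dbusd_t` and `$1_t` sending to `$2`), which is easy to miss from the names.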
@@ -366,3 +433,55 @@ allow $1 system_dbusd_t:dbus *; ') + +######################################## +## +## Allow unconfined access to the system DBUS. +## +## +## +## Domain allowed access. +## +## +# +interface(`dbus_unconfined',` + gen_require(` + attribute dbusd_unconfined; + ') + + typeattribute $1 dbusd_unconfined; +') + +######################################## +## +## Create a domain for processes +## which can be started by the system dbus +## +## +## +## Type to be used as a domain. +## +## +## +## +## Type of the program to be used as an entry point to this domain. +## +## +# +interface(`dbus_system_domain',` + gen_require(` + type system_dbusd_t; + role system_r; + ') + + domain_type($1) + domain_entry_file($1,$2) + + role system_r types $1; + + domtrans_pattern(system_dbusd_t,$2,$1) + + dbus_system_bus_client_template($1,$1) + dbus_connect_system_bus($1) + +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.2.7/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/dbus.te 2008-02-13 16:57:15.000000000 -0500 @@ -9,6 +9,7 @@ # # Delcarations # +attribute dbusd_unconfined; type dbusd_etc_t alias etc_dbusd_t; files_type(dbusd_etc_t) @@ -21,7 +22,7 @@ files_tmp_file(system_dbusd_tmp_t) type system_dbusd_var_lib_t; -files_pid_file(system_dbusd_var_lib_t) +files_type(system_dbusd_var_lib_t) type system_dbusd_var_run_t; files_pid_file(system_dbusd_var_run_t) @@ -65,6 +66,7 @@ fs_getattr_all_fs(system_dbusd_t) fs_search_auto_mountpoints(system_dbusd_t) +fs_list_inotifyfs(system_dbusd_t) selinux_get_fs_mount(system_dbusd_t) selinux_validate_context(system_dbusd_t) 
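Review bot: `dbus_system_domain` passes its type argument as the template prefix in `dbus_system_bus_client_template($1,$1)`, which works only because, as far as is visible in this patch, that template's body references `$2` alone; a comment such as `# prefix argument is unused by the client template; $1 is the domain` keeps the next refactor of the template from breaking every bus-activated service. The interface also declares `role system_r types $1` and a `domtrans_pattern` from system_dbusd_t but no other daemon-style setup, so services activated this way get only what the caller adds afterwards — stating that in the summary (`## The caller must supply all other rules for the new domain.`) would avoid surprises. The blank line before the closing `')` is harmless but inconsistent with the other interfaces in the file.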
@@ -121,9 +123,20 @@ ') optional_policy(` + polkit_domtrans_auth(system_dbusd_t) + polkit_search_lib(system_dbusd_t) +') + +optional_policy(` sysnet_domtrans_dhcpc(system_dbusd_t) ') optional_policy(` udev_read_db(system_dbusd_t) ') + +optional_policy(` + consolekit_dbus_chat(system_dbusd_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.2.7/policy/modules/services/dcc.if --- nsaserefpolicy/policy/modules/services/dcc.if 2007-03-26 10:39:05.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/dcc.if 2008-02-13 16:57:15.000000000 -0500 @@ -72,6 +72,24 @@ ######################################## ## +## Send a signal to the dcc_client. +## +## +## +## Domain allowed access. +## +## +# +interface(`dcc_signal_client',` + gen_require(` + type dcc_client_t; + ') + + allow $1 dcc_client_t:process signal; +') + +######################################## +## ## Execute dcc_client in the dcc_client domain, and ## allow the specified role the dcc_client domain. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.2.7/policy/modules/services/dcc.te --- nsaserefpolicy/policy/modules/services/dcc.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/dcc.te 2008-02-13 16:57:15.000000000 -0500 @@ -105,6 +105,8 @@ files_read_etc_files(cdcc_t) files_read_etc_runtime_files(cdcc_t) +auth_use_nsswitch(cdcc_t) + libs_use_ld_so(cdcc_t) libs_use_shared_libs(cdcc_t) @@ -112,19 +114,12 @@ miscfiles_read_localization(cdcc_t) -sysnet_read_config(cdcc_t) -sysnet_dns_name_resolve(cdcc_t) - -optional_policy(` - nscd_socket_use(cdcc_t) -') - ######################################## # # dcc procmail interface local policy # -allow dcc_client_t self:capability setuid; +allow dcc_client_t self:capability { setgid setuid }; allow dcc_client_t self:unix_dgram_socket create_socket_perms; allow dcc_client_t self:udp_socket create_socket_perms; 
@@ -141,6 +136,7 @@
 corenet_all_recvfrom_unlabeled(dcc_client_t)
 corenet_all_recvfrom_netlabel(dcc_client_t)
+corenet_udp_bind_all_nodes(dcc_client_t)
 corenet_udp_sendrecv_generic_if(dcc_client_t)
 corenet_udp_sendrecv_all_nodes(dcc_client_t)
 corenet_udp_sendrecv_all_ports(dcc_client_t)
@@ -148,6 +144,10 @@
 files_read_etc_files(dcc_client_t)
 files_read_etc_runtime_files(dcc_client_t)
+kernel_read_system_state(dcc_client_t)
+
+auth_use_nsswitch(dcc_client_t)
+
 libs_use_ld_so(dcc_client_t)
 libs_use_shared_libs(dcc_client_t)
@@ -155,11 +155,8 @@
 miscfiles_read_localization(dcc_client_t)
-sysnet_read_config(dcc_client_t)
-sysnet_dns_name_resolve(dcc_client_t)
-
 optional_policy(`
- nscd_socket_use(dcc_client_t)
+ spamassassin_read_spamd_tmp_files(dcc_client_t)
 ')
 ########################################
@@ -191,6 +188,8 @@
 files_read_etc_files(dcc_dbclean_t)
 files_read_etc_runtime_files(dcc_dbclean_t)
+auth_use_nsswitch(dcc_dbclean_t)
+
 libs_use_ld_so(dcc_dbclean_t)
 libs_use_shared_libs(dcc_dbclean_t)
@@ -198,13 +197,6 @@
 miscfiles_read_localization(dcc_dbclean_t)
-sysnet_read_config(dcc_dbclean_t)
-sysnet_dns_name_resolve(dcc_dbclean_t)
-
-optional_policy(`
- nscd_socket_use(dcc_dbclean_t)
-')
-
 ########################################
 #
 # Server daemon local policy
@@ -262,6 +254,8 @@
 fs_getattr_all_fs(dccd_t)
 fs_search_auto_mountpoints(dccd_t)
+auth_use_nsswitch(dccd_t)
+
 libs_use_ld_so(dccd_t)
 libs_use_shared_libs(dccd_t)
@@ -276,10 +270,6 @@
 userdom_dontaudit_search_sysadm_home_dirs(dccd_t)
 optional_policy(`
- nscd_socket_use(dccd_t)
-')
-
-optional_policy(`
 seutil_sigchld_newrole(dccd_t)
 ')
@@ -335,6 +325,8 @@
 fs_getattr_all_fs(dccifd_t)
 fs_search_auto_mountpoints(dccifd_t)
+auth_use_nsswitch(dccifd_t)
+
 libs_use_ld_so(dccifd_t)
 libs_use_shared_libs(dccifd_t)
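Review bot: `corenet_udp_bind_all_nodes(dcc_client_t)` grants node binding only; binding an explicitly named UDP port still needs a `corenet_udp_bind_*_port` rule, so this presumably covers ephemeral (port 0) binds, otherwise a port rule is missing. A comment stating which would make the intent checkable: `# dccproc binds an ephemeral UDP port to reach dccd — confirm`. The `optional_policy` block that used to hold `nscd_socket_use(dcc_client_t)` now holds `spamassassin_read_spamd_tmp_files(dcc_client_t)`; that is consistent with nscd access moving into `auth_use_nsswitch`, but the two changes are unrelated and deserve separate blocks for readability.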
@@ -342,17 +334,10 @@
 miscfiles_read_localization(dccifd_t)
-sysnet_read_config(dccifd_t)
-sysnet_dns_name_resolve(dccifd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
 userdom_dontaudit_search_sysadm_home_dirs(dccifd_t)
 optional_policy(`
- nscd_socket_use(dccifd_t)
-')
-
-optional_policy(`
 seutil_sigchld_newrole(dccifd_t)
 ')
@@ -407,6 +392,8 @@
 fs_getattr_all_fs(dccm_t)
 fs_search_auto_mountpoints(dccm_t)
+auth_use_nsswitch(dccm_t)
+
 libs_use_ld_so(dccm_t)
 libs_use_shared_libs(dccm_t)
@@ -414,17 +401,10 @@
 miscfiles_read_localization(dccm_t)
-sysnet_read_config(dccm_t)
-sysnet_dns_name_resolve(dccm_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dccm_t)
 userdom_dontaudit_search_sysadm_home_dirs(dccm_t)
 optional_policy(`
- nscd_socket_use(dccm_t)
-')
-
-optional_policy(`
 seutil_sigchld_newrole(dccm_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.fc serefpolicy-3.2.7/policy/modules/services/ddclient.fc
--- nsaserefpolicy/policy/modules/services/ddclient.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/ddclient.fc 2008-02-13 16:57:15.000000000 -0500
@@ -9,3 +9,5 @@
 /var/log/ddtcd\.log.* -- gen_context(system_u:object_r:ddclient_log_t,s0)
 /var/run/ddclient\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
 /var/run/ddtcd\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
+/etc/rc.d/init.d/ddclient -- gen_context(system_u:object_r:ddclient_script_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.2.7/policy/modules/services/ddclient.if
--- nsaserefpolicy/policy/modules/services/ddclient.if 2007-03-26 10:39:04.000000000 -0400
+++ serefpolicy-3.2.7/policy/modules/services/ddclient.if 2008-02-13 16:57:15.000000000 -0500
@@ -18,3 +18,81 @@ corecmd_search_bin($1) domtrans_pattern($1, ddclient_exec_t, ddclient_t) ') + +######################################## +## +## Execute ddclient server in the ddclient domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`ddclient_script_domtrans',` + gen_require(` + type ddclient_script_exec_t; + ') + + init_script_domtrans_spec($1,ddclient_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an ddclient environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the ddclient domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`ddclient_admin',` + gen_require(` + type ddclient_t; + type ddclient_script_exec_t; + type ddclient_etc_t; + type ddclient_log_t; + type ddclient_var_t; + type ddclient_var_lib_t; + type ddclient_var_run_t; + ') + + allow $1 ddclient_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, ddclient_t, ddclient_t) + + # Allow ddclient_t to restart the apache service + ddclient_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 ddclient_script_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + manage_all_pattern($1,ddclient_etc_t) + + files_list_var($1) + manage_all_pattern($1,ddclient_var_t) + + logging_list_logs($1) + manage_all_pattern($1,ddclient_log_t) + + files_list_var_lib($1) + manage_all_pattern($1,ddclient_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,ddclient_var_run_t) + +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.te serefpolicy-3.2.7/policy/modules/services/ddclient.te --- nsaserefpolicy/policy/modules/services/ddclient.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/ddclient.te 2008-02-13 16:57:15.000000000 -0500 
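Review bot: The comment `# Allow ddclient_t to restart the apache service` inside `ddclient_admin` is a copy-paste leftover and is wrong on both counts: it is `$1`, not `ddclient_t`, being granted access, and the target is the ddclient init script; replace it with `# Allow $1 to run the ddclient init script (start/stop/restart) in system_r`. The third parameter (`$3`, "The type of the user terminal") is documented but never referenced in the body, so either drop it from the description or use it. `allow $1 ddclient_t:process { ptrace signal_perms getattr }` lets the admin domain read the daemon's memory; if this interface is meant for a role narrower than sysadm, consider whether `ptrace` is really required.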
@@ -25,6 +25,9 @@
 type ddclient_var_run_t;
 files_pid_file(ddclient_var_run_t)
+type ddclient_script_exec_t;
+init_script_type(ddclient_script_exec_t)
+
 ########################################
 #
 # Declarations
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.fc serefpolicy-3.2.7/policy/modules/services/dhcp.fc
--- nsaserefpolicy/policy/modules/services/dhcp.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/dhcp.fc 2008-02-13 16:57:15.000000000 -0500
@@ -5,3 +5,6 @@
 /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
 /var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
+
+/etc/rc.d/init.d/dhcpd -- gen_context(system_u:object_r:dhcpd_script_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.2.7/policy/modules/services/dhcp.if
--- nsaserefpolicy/policy/modules/services/dhcp.if 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/dhcp.if 2008-02-13 16:57:15.000000000 -0500
@@ -19,3 +19,71 @@ sysnet_search_dhcp_state($1) allow $1 dhcpd_state_t:file setattr; ') + +######################################## +## +## Execute dhcp server in the dhcp domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`dhcpd_script_domtrans',` + gen_require(` + type dhcpd_script_exec_t; + ') + + init_script_domtrans_spec($1,dhcpd_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an dhcp environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the dhcp domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`dhcpd_admin',` + gen_require(` + type dhcpd_t; + type dhcpd_script_exec_t; + type dhcpd_tmp_t; + type dhcpd_state_t; + type dhcpd_var_run_t; + ') + + allow $1 dhcpd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, dhcpd_t, dhcpd_t) + + # Allow dhcpd_t to restart the apache service + dhcpd_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 dhcpd_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,dhcpd_tmp_t) + + manage_all_pattern($1,dhcpd_state_t) + + files_list_pids($1) + manage_all_pattern($1,dhcpd_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.2.7/policy/modules/services/dhcp.te --- nsaserefpolicy/policy/modules/services/dhcp.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/dhcp.te 2008-02-13 16:57:15.000000000 -0500 
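Review bot: `manage_all_pattern($1,dhcpd_state_t)` is the only manage rule in `dhcpd_admin` without a list/search rule for the parent directory, whereas `dhcpd_tmp_t` and `dhcpd_var_run_t` are paired with `files_list_tmp($1)` and `files_list_pids($1)`; dhcp.fc labels the leases under `/var/lib/dhcp`, so `files_list_var_lib($1)` belongs in front of it. As in the other `*_admin` interfaces in this patch, the comment `# Allow dhcpd_t to restart the apache service` is a stale copy (it is `$1` that gets the init-script transition) and the documented `$3` terminal-type parameter is never used in the body.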
@@ -19,18 +19,20 @@
 type dhcpd_var_run_t;
 files_pid_file(dhcpd_var_run_t)
+type dhcpd_script_exec_t;
+init_script_type(dhcpd_script_exec_t)
+
 ########################################
 #
 # Local policy
 #
-allow dhcpd_t self:capability net_raw;
+allow dhcpd_t self:capability { net_raw sys_resource };
 dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
 allow dhcpd_t self:process signal_perms;
 allow dhcpd_t self:fifo_file { read write getattr };
 allow dhcpd_t self:unix_dgram_socket create_socket_perms;
 allow dhcpd_t self:unix_stream_socket create_socket_perms;
-allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
 allow dhcpd_t self:tcp_socket create_stream_socket_perms;
 allow dhcpd_t self:udp_socket create_socket_perms;
 # Allow dhcpd_t to use packet sockets
@@ -88,6 +90,8 @@
 files_read_etc_runtime_files(dhcpd_t)
 files_search_var_lib(dhcpd_t)
+auth_use_nsswitch(dhcpd_t)
+
 libs_use_ld_so(dhcpd_t)
 libs_use_shared_libs(dhcpd_t)
@@ -95,7 +99,6 @@
 miscfiles_read_localization(dhcpd_t)
-sysnet_read_config(dhcpd_t)
 sysnet_read_dhcp_config(dhcpd_t)
 userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
@@ -116,14 +119,6 @@
 ')
 optional_policy(`
- nis_use_ypbind(dhcpd_t)
-')
-
-optional_policy(`
- nscd_socket_use(dhcpd_t)
-')
-
-optional_policy(`
 seutil_sigchld_newrole(dhcpd_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.2.7/policy/modules/services/dictd.fc
--- nsaserefpolicy/policy/modules/services/dictd.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/dictd.fc 2008-02-13 16:57:15.000000000 -0500
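Review bot: `sys_resource` is added to `dhcpd_t`'s capabilities in the first dhcp.te hunk without a comment, and `allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;` is dropped in the same hunk. If the netlink access is now expected to come through `auth_use_nsswitch(dhcpd_t)` (added in the second hunk), say so next to the removal; otherwise interface enumeration by dhcpd may start being denied. A one-line justification such as `# sys_resource: dhcpd raises its fd limit at startup — confirm` keeps the capability grant auditable; the local-policy section continues outside the hunk.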
@@ -4,3 +4,6 @@
 /usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
 /var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0)
+/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0)
+
+/etc/rc.d/init.d/dictd -- gen_context(system_u:object_r:dictd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.if serefpolicy-3.2.7/policy/modules/services/dictd.if
--- nsaserefpolicy/policy/modules/services/dictd.if 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/dictd.if 2008-02-13 16:57:15.000000000 -0500
@@ -14,3 +14,73 @@ interface(`dictd_tcp_connect',` refpolicywarn(`$0($*) has been deprecated.') ') + +######################################## +## +## Execute dictd server in the dictd domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`dictd_script_domtrans',` + gen_require(` + type dictd_script_exec_t; + ') + + init_script_domtrans_spec($1,dictd_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an dictd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the dictd domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`dictd_admin',` + gen_require(` + type dictd_t; + type dictd_script_exec_t; + type dictd_etc_t; + type dictd_var_lib_t; + type dictd_var_run_t; + ') + + allow $1 dictd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, dictd_t, dictd_t) + + # Allow dictd_t to restart the apache service + dictd_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 dictd_script_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + manage_all_pattern($1,dictd_etc_t) + + files_list_var_lib($1) + manage_all_pattern($1,dictd_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,dictd_var_run_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.te serefpolicy-3.2.7/policy/modules/services/dictd.te --- nsaserefpolicy/policy/modules/services/dictd.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/dictd.te 2008-02-13 16:57:15.000000000 -0500 @@ -16,6 +16,12 @@ type dictd_var_lib_t alias var_lib_dictd_t; files_type(dictd_var_lib_t) +type dictd_var_run_t; +files_pid_file(dictd_var_run_t) + +type dictd_script_exec_t; +init_script_type(dictd_script_exec_t) + ######################################## # # Local policy 
@@ -34,6 +40,9 @@
 allow dictd_t dictd_var_lib_t:dir list_dir_perms;
 allow dictd_t dictd_var_lib_t:file read_file_perms;
+manage_files_pattern(dictd_t,dictd_var_run_t,dictd_var_run_t)
+files_pid_filetrans(dictd_t,dictd_var_run_t,file)
+
 kernel_read_system_state(dictd_t)
 kernel_read_kernel_sysctls(dictd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.2.7/policy/modules/services/dnsmasq.fc
--- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/dnsmasq.fc 2008-02-13 16:57:15.000000000 -0500
@@ -1,4 +1,7 @@
 /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
 /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+
+/etc/rc.d/init.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.2.7/policy/modules/services/dnsmasq.if
--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/dnsmasq.if 2008-02-13 16:57:15.000000000 -0500
@@ -1 +1,106 @@ ## dnsmasq DNS forwarder and DHCP server + +######################################## +## +## Execute dnsmasq server in the dnsmasq domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`dnsmasq_domtrans',` + gen_require(` + type dnsmasq_exec_t; + type dnsmasq_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1,dnsmasq_exec_t, dnsmasq_t) +') + +######################################## +## +## Execute dnsmasq server in the dnsmasq domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`dnsmasq_script_domtrans',` + gen_require(` + type dnsmasq_script_exec_t; + ') + + init_script_domtrans_spec($1,dnsmasq_script_exec_t) +') + +######################################## +## +## Send dnsmasq a signal +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`dnsmasq_signal',` + gen_require(` + type dnsmasq_t; + ') + + allow $1 dnsmasq_t:process signal; +') + +######################################## +## +## All of the rules required to administrate +## an dnsmasq environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the dnsmasq domain. +## +## +## +## +## The type of the user terminal. 
+##
+##
+##
+#
+interface(`dnsmasq_admin',`
+ gen_require(`
+ type dnsmasq_t;
+ type dnsmasq_script_exec_t;
+ type dnsmasq_lease_t;
+ type dnsmasq_var_run_t;
+ ')
+
+ allow $1 dnsmasq_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, dnsmasq_t, dnsmasq_t)
+
+ # Allow dnsmasq_t to restart the apache service
+ dnsmasq_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 dnsmasq_script_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var_lib($1)
+ manage_all_pattern($1,dnsmasq_lease_t)
+
+ files_list_pids($1)
+ manage_all_pattern($1,dnsmasq_var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.2.7/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/dnsmasq.te 2008-02-13 16:57:15.000000000 -0500
@@ -16,6 +16,9 @@
 type dnsmasq_var_run_t;
 files_pid_file(dnsmasq_var_run_t)
+type dnsmasq_script_exec_t;
+init_script_type(dnsmasq_script_exec_t)
+
 ########################################
 #
 # Local policy
@@ -32,7 +35,7 @@
 allow dnsmasq_t self:rawip_socket create_socket_perms;
 # dhcp leases
-allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms;
+manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
 files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)
 manage_files_pattern(dnsmasq_t,dnsmasq_var_run_t,dnsmasq_var_run_t)
@@ -94,3 +97,7 @@
 optional_policy(`
 udev_read_db(dnsmasq_t)
 ')
+
+optional_policy(`
+ virt_manage_lib_files(dnsmasq_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.2.7/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/dovecot.fc 2008-02-13 16:57:15.000000000 -0500
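Review bot: `virt_manage_lib_files(dnsmasq_t)` in the last dnsmasq.te hunk gives a network-facing DNS/DHCP daemon create/write/delete over everything carrying libvirt's lib-file type, which is far wider than the lease file it presumably needs under libvirt's directory. Prefer labelling that directory with `dnsmasq_lease_t` (as this patch already does for `/var/lib/dnsmasq(/.*)?` in dnsmasq.fc) or a narrower interface in virt.if, and record the motivating path: `# libvirt-spawned dnsmasq keeps its lease file under libvirt's lib dir — confirm path and narrow`. The `dnsmasq_admin` interface above also carries the copy-pasted `# Allow dnsmasq_t to restart the apache service` comment and a documented `$3` parameter that the body never uses.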
@@ -17,21 +17,24 @@
 ifdef(`distro_debian', `
 /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
 ')
 ifdef(`distro_redhat', `
 /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
 ')
 #
 # /var
 #
 /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
-/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
-
-
+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
+/etc/rc.d/init.d/dovecot -- gen_context(system_u:object_r:dovecot_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.2.7/policy/modules/services/dovecot.if
--- nsaserefpolicy/policy/modules/services/dovecot.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/dovecot.if 2008-02-13 16:57:15.000000000 -0500
@@ -18,3 +18,129 @@ manage_files_pattern($1,dovecot_spool_t,dovecot_spool_t) manage_lnk_files_pattern($1,dovecot_spool_t,dovecot_spool_t) ') + +######################################## +## +## Connect to dovecot auth unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`dovecot_auth_stream_connect',` + gen_require(` + type dovecot_auth_t, dovecot_var_run_t; + ') + + allow $1 dovecot_var_run_t:dir search; + allow $1 dovecot_var_run_t:sock_file write; + allow $1 dovecot_auth_t:unix_stream_socket connectto; +') + +######################################## +## +## Execute dovecot_deliver in the dovecot_deliver domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`dovecot_domtrans_deliver',` + gen_require(` + type dovecot_deliver_t, dovecot_deliver_exec_t; + ') + + domtrans_pattern($1,dovecot_deliver_exec_t,dovecot_deliver_t) +') + + +######################################## +## +## Execute dovecot server in the dovecot domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`dovecot_script_domtrans',` + gen_require(` + type dovecot_script_exec_t; + ') + + init_script_domtrans_spec($1,dovecot_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an dovecot environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the dovecot domain. +## +## +## +## +## The type of the user terminal. 
+## +## +## +# +interface(`dovecot_admin',` + gen_require(` + type dovecot_t; + type dovecot_script_exec_t; + type dovecot_etc_t; + type dovecot_log_t; + type dovecot_spool_t; + type dovecot_var_lib_t; + type dovecot_var_run_t; + + type dovecot_cert_t; + type dovecot_passwd_t; + ') + + allow $1 dovecot_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, dovecot_t, dovecot_t) + + # Allow dovecot_t to restart the apache service + dovecot_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 dovecot_script_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + manage_all_pattern($1,dovecot_etc_t) + + logging_list_logs($1) + manage_all_pattern($1,dovecot_log_t) + + files_list_spool($1) + manage_all_pattern($1,dovecot_spool_t) + + files_list_var_lib($1) + manage_all_pattern($1,dovecot_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,dovecot_var_run_t) + + manage_all_pattern($1,dovecot_cert_t) + + manage_all_pattern($1,dovecot_passwd_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.2.7/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/dovecot.te 2008-02-13 16:57:15.000000000 -0500 @@ -15,6 +15,12 @@ domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t) role system_r types dovecot_auth_t; +type dovecot_deliver_t; +type dovecot_deliver_exec_t; +domain_type(dovecot_deliver_t) +domain_entry_file(dovecot_deliver_t,dovecot_deliver_exec_t) +role system_r types dovecot_deliver_t; + type dovecot_cert_t; files_type(dovecot_cert_t) 
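Review bot: `dovecot_auth_stream_connect` hand-writes the three rules that `stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)` already encapsulates; using the pattern keeps the interface consistent with the rest of refpolicy and picks up any later changes to the permission set. `dovecot_domtrans_deliver` omits the `corecmd_search_bin($1)` that `dnsmasq_domtrans` in this same patch places before its `domtrans_pattern`, so callers presumably cannot reach the deliver binary unless they already search bin dirs. The `dovecot_admin` comment `# Allow dovecot_t to restart the apache service` is a stale copy, and its documented `$3` parameter is never used in the body.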
@@ -31,9 +37,15 @@
 type dovecot_var_lib_t;
 files_type(dovecot_var_lib_t)
+type dovecot_var_log_t;
+logging_log_file(dovecot_var_log_t)
+
 type dovecot_var_run_t;
 files_pid_file(dovecot_var_run_t)
+type dovecot_script_exec_t;
+init_script_type(dovecot_script_exec_t)
+
 ########################################
 #
 # dovecot local policy
@@ -46,7 +58,6 @@
 allow dovecot_t self:tcp_socket create_stream_socket_perms;
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
 domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
 allow dovecot_t dovecot_cert_t:dir list_dir_perms;
@@ -98,7 +109,7 @@
 files_dontaudit_list_default(dovecot_t)
 # Dovecot now has quota support and it uses getmntent() to find the mountpoints.
 files_read_etc_runtime_files(dovecot_t)
-files_getattr_all_mountpoints(dovecot_t)
+files_search_all_mountpoints(dovecot_t)
 init_getattr_utmp(dovecot_t)
@@ -139,25 +150,34 @@
 # dovecot auth local policy
 #
-allow dovecot_auth_t self:capability { setgid setuid };
+allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
 allow dovecot_auth_t self:process signal_perms;
 allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
 allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
+allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl connectto };
 allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
+# log files
+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)
+
 # Allow dovecot to create and read SSL parameters file
 manage_files_pattern(dovecot_t,dovecot_var_lib_t,dovecot_var_lib_t)
 files_search_var_lib(dovecot_t)
+files_read_var_symlinks(dovecot_t)
 allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+dovecot_auth_stream_connect(dovecot_auth_t)
 kernel_read_all_sysctls(dovecot_auth_t)
 kernel_read_system_state(dovecot_auth_t)
+logging_send_audit_msgs(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
+
 dev_read_urand(dovecot_auth_t)
 auth_domtrans_chk_passwd(dovecot_auth_t)
@@ -166,6 +186,7 @@
 files_read_etc_files(dovecot_auth_t)
 files_read_etc_runtime_files(dovecot_auth_t)
 files_search_pids(dovecot_auth_t)
+files_read_usr_files(dovecot_auth_t)
 files_read_usr_symlinks(dovecot_auth_t)
 files_search_tmp(dovecot_auth_t)
 files_read_var_lib_files(dovecot_t)
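Review bot: `dovecot_auth_t` gains `chown` and `dac_override` in the first line of this hunk with no comment; `dac_override` removes discretionary access control as a layer for the process that handles client credentials, so the rule should name the file that forces it, or be a `dontaudit` if the access is only a probe. Suggested: `# dac_override/chown: dovecot-auth touches its auth sockets as the dovecot user — confirm and narrow if possible`. The `# log files` rules added here are for `dovecot_t` yet sit under the `# dovecot auth local policy` heading; they belong in the dovecot_t section earlier in the file, which lies outside this hunk.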
@@ -184,5 +205,49 @@
 ')
 optional_policy(`
- logging_send_syslog_msg(dovecot_auth_t)
+ mysql_search_db(dovecot_auth_t)
+ mysql_stream_connect(dovecot_auth_t)
+')
+
+optional_policy(`
+ nis_authenticate(dovecot_auth_t)
+')
+
+optional_policy(`
+ postfix_manage_private_sockets(dovecot_auth_t)
+ postfix_search_spool(dovecot_auth_t)
+')
+
+# for gssapi (kerberos)
+userdom_list_unpriv_users_tmp(dovecot_auth_t)
+userdom_read_unpriv_users_tmp_files(dovecot_auth_t)
+userdom_read_unpriv_users_tmp_symlinks(dovecot_auth_t)
+
+########################################
+#
+# dovecot deliver local policy
+#
+allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+
+allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+
+kernel_read_all_sysctls(dovecot_deliver_t)
+kernel_read_system_state(dovecot_deliver_t)
+
+files_read_etc_files(dovecot_deliver_t)
+files_read_etc_runtime_files(dovecot_deliver_t)
+
+libs_use_ld_so(dovecot_deliver_t)
+libs_use_shared_libs(dovecot_deliver_t)
+
+logging_send_syslog_msg(dovecot_deliver_t)
+
+miscfiles_read_localization(dovecot_deliver_t)
+
+dovecot_auth_stream_connect(dovecot_deliver_t)
+
+optional_policy(`
+ mta_manage_spool(dovecot_deliver_t)
 ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.2.7/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 2007-10-24 15:00:24.000000000 -0400
+++ serefpolicy-3.2.7/policy/modules/services/exim.if 2008-02-13 16:57:15.000000000 -0500
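Review bot: `userdom_read_unpriv_users_tmp_files(dovecot_auth_t)` and its two sibling rules let the auth daemon list and read every unprivileged user's tmp content, which is much more than the Kerberos credential cache the `# for gssapi (kerberos)` comment alludes to. Gate the three rules behind a tunable (e.g. `dovecot_use_gssapi`) or a kerberos-specific interface if one exists, and make the comment say what is actually read: `# for gssapi (kerberos): read per-user ccache files under /tmp — tunable-gated`. Note also that `postfix_manage_private_sockets(dovecot_auth_t)` grants manage rather than the connect/write a SASL-style socket client normally needs; confirm that create/unlink are really required.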
@@ -97,6 +97,26 @@ ######################################## ## +## Allow the specified domain to manage exim's log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`exim_manage_log',` + gen_require(` + type exim_log_t; + ') + + manage_files_pattern($1, exim_log_t, exim_log_t) + logging_search_logs($1) +') + +######################################## +## ## Allow the specified domain to append ## exim log files. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.2.7/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2007-10-24 15:17:31.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/exim.te 2008-02-13 16:57:15.000000000 -0500 @@ -21,9 +21,20 @@ ##
gen_tunable(exim_manage_user_files,false) +## +##

+## Allow exim to connect to databases (postgres, mysql) +##

+##
+gen_tunable(exim_can_connect_db,false) + type exim_t; type exim_exec_t; init_daemon_domain(exim_t, exim_exec_t) +mta_mailserver(exim_t, exim_exec_t) +mta_mailserver_user_agent(exim_t) +application_executable_file(exim_exec_t) +mta_mailclient(exim_exec_t) type exim_log_t; logging_log_file(exim_log_t) @@ -37,15 +48,20 @@ type exim_var_run_t; files_pid_file(exim_var_run_t) +type exim_script_exec_t; +init_script_type(exim_script_exec_t) + ######################################## # # exim local policy # -allow exim_t self:capability { dac_override dac_read_search setuid setgid }; -allow exim_t self:fifo_file rw_fifo_file_perms; +allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource }; +allow exim_t self:process { setrlimit setpgid }; +allow exim_t self:fifo_file rw_file_perms; allow exim_t self:unix_stream_socket create_stream_socket_perms; allow exim_t self:tcp_socket create_stream_socket_perms; +allow exim_t self:udp_socket create_socket_perms; can_exec(exim_t,exim_exec_t) 
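Review bot: `allow exim_t self:fifo_file rw_file_perms;` replaces `rw_fifo_file_perms` with the `file`-class macro on a `fifo_file` object; the two sets may coincide today, but the class-specific macro is the convention and should be restored: `allow exim_t self:fifo_file rw_fifo_file_perms;`. The capability set is widened in the same hunk to `{ chown dac_override dac_read_search fowner setuid setgid sys_resource }` with no justification; `dac_override` and `fowner` in particular deserve a one-line comment naming the spool or log operation that needs them. The hunk's tunable description for `exim_can_connect_db` is unreadable in this rendering, so confirm the `<desc>` markup is intact in the source.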
@@ -66,22 +82,39 @@
 files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
 kernel_read_kernel_sysctls(exim_t)
+kernel_dontaudit_read_system_state(exim_t)
+kernel_read_network_state(exim_t)
 corecmd_search_bin(exim_t)
 corenet_all_recvfrom_unlabeled(exim_t)
+corenet_all_recvfrom_netlabel(exim_t)
+corenet_udp_sendrecv_all_if(exim_t)
+corenet_udp_sendrecv_all_nodes(exim_t)
 corenet_tcp_sendrecv_all_if(exim_t)
 corenet_tcp_sendrecv_all_nodes(exim_t)
 corenet_tcp_sendrecv_all_ports(exim_t)
 corenet_tcp_bind_all_nodes(exim_t)
 corenet_tcp_bind_smtp_port(exim_t)
 corenet_tcp_bind_amavisd_send_port(exim_t)
+corenet_tcp_connect_smtp_port(exim_t)
+corenet_tcp_sendrecv_smtp_port(exim_t)
+corenet_sendrecv_smtp_server_packets(exim_t)
+corenet_sendrecv_all_client_packets(exim_t)
+
 corenet_tcp_connect_auth_port(exim_t)
 corenet_tcp_connect_inetd_child_port(exim_t)
+corenet_tcp_sendrecv_auth_port(exim_t)
+
+# connect to spamassassin
+corenet_tcp_connect_spamd_port(exim_t)
+corenet_tcp_sendrecv_spamd_port(exim_t)
 # Init script handling
 domain_use_interactive_fds(exim_t)
+files_search_usr(exim_t)
+files_search_var(exim_t)
 files_read_etc_files(exim_t)
 auth_use_nsswitch(exim_t)
@@ -92,14 +125,14 @@
 logging_send_syslog_msg(exim_t)
 miscfiles_read_localization(exim_t)
+miscfiles_read_certs(exim_t)
-sysnet_dns_name_resolve(exim_t)
-
-userdom_dontaudit_search_sysadm_home_dirs(exim_t)
-userdom_dontaudit_search_generic_user_home_dirs(exim_t)
+fs_getattr_xattr_fs(exim_t)
 mta_read_aliases(exim_t)
-mta_rw_spool(exim_t)
+mta_read_config(exim_t)
+mta_manage_spool(exim_t)
+mta_mailserver_delivery(exim_t)
 tunable_policy(`exim_read_user_files',`
 userdom_read_unpriv_users_home_content_files(exim_t)
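Review bot: `corenet_sendrecv_all_client_packets(exim_t)` undoes the precision of the surrounding per-port rules (`smtp`, `auth`, `spamd`) by allowing every labelled client packet type; prefer `corenet_sendrecv_smtp_client_packets(exim_t)` together with the auth and spamd client-packet equivalents, if corenet provides them, so that secmark/netlabel policy stays port-specific. `kernel_dontaudit_read_system_state(exim_t)` silences the denials that would reveal exim needing /proc data later; acceptable for noise, but a short comment on what triggers it keeps the dontaudit from hiding a real requirement.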
@@ -111,3 +144,71 @@
 userdom_read_unpriv_users_tmp_files(exim_t)
 userdom_write_unpriv_users_tmp_files(exim_t)
 ')
+
+# TLS sessions need entropy
+dev_read_urand(exim_t)
+dev_read_rand(exim_t)
+
+tunable_policy(`exim_can_connect_db',`
+ corenet_tcp_connect_mysqld_port(exim_t)
+ corenet_sendrecv_mysqld_client_packets(exim_t)
+ corenet_tcp_connect_postgresql_port(exim_t)
+ corenet_sendrecv_postgresql_client_packets(exim_t)
+')
+
+optional_policy(`
+ tunable_policy(`exim_can_connect_db',`
+ mysql_stream_connect(exim_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`exim_can_connect_db',`
+ postgresql_stream_connect(exim_t)
+ ')
+')
+
+optional_policy(`
+ mailman_read_data_files(exim_t)
+ mailman_domtrans(exim_t)
+')
+
+optional_policy(`
+ procmail_domtrans(exim_t)
+')
+
+optional_policy(`
+ sasl_connect(exim_t)
+')
+
+optional_policy(`
+ cyrus_stream_connect(exim_t)
+')
+
+# receipt & validation
+
+optional_policy(`
+ clamav_domtrans_clamscan(exim_t)
+ clamav_stream_connect(exim_t)
+')
+
+optional_policy(`
+ spamassassin_exec(exim_t)
+ spamassassin_exec_client(exim_t)
+')
+
+# Debian uses a template based config generator which generates config
+# files under /var
+ifdef(`distro_debian',`
+ type exim_var_lib_t;
+ files_config_file(exim_var_lib_t)
+ exim_read_lib(exim_t)
+
+ type exim_lib_update_t;
+ type exim_lib_update_exec_t;
+ init_domain(exim_lib_update_t, exim_lib_update_exec_t)
+ domain_entry_file(exim_lib_update_t, exim_lib_update_exec_t)
+ exim_read_lib(exim_lib_update_t)
+ exim_manage_var_lib(exim_lib_update_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.2.7/policy/modules/services/fail2ban.fc
--- nsaserefpolicy/policy/modules/services/fail2ban.fc 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.7/policy/modules/services/fail2ban.fc 2008-02-13 16:57:15.000000000 -0500
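Review bot: `spamassassin_exec(exim_t)` and `spamassassin_exec_client(exim_t)` run the spamassassin binaries inside `exim_t`, so they inherit exim's `dac_override`/`chown`/`setuid` capabilities, whereas clamav in the neighbouring block gets a proper `clamav_domtrans_clamscan` transition. If spamassassin.if offers domtrans interfaces, use those; otherwise leave a comment stating why in-domain execution is accepted, e.g. `# spamc runs in exim_t: no spamassassin domtrans interface yet — revisit`. The Debian-only `ifdef` declares `exim_var_lib_t` and `exim_lib_update_t` and calls `exim_read_lib`/`exim_manage_var_lib`, which do not appear in the exim.if hunk shown; confirm they exist, since the module would otherwise fail to build on Debian.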
@@ -1,3 +1,7 @@
 /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
 /var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
 /var/run/fail2ban\.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+/var/run/fail2ban\.sock -s gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+/etc/rc.d/init.d/fail2ban -- gen_context(system_u:object_r:fail2ban_script_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.2.7/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if 2007-03-22 14:30:09.000000000 -0400
+++ serefpolicy-3.2.7/policy/modules/services/fail2ban.if 2008-02-13 16:57:15.000000000 -0500
@@ -78,3 +78,68 @@ files_search_pids($1) allow $1 fail2ban_var_run_t:file read_file_perms; ') + +######################################## +## +## Execute fail2ban server in the fail2ban domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`fail2ban_script_domtrans',` + gen_require(` + type fail2ban_script_exec_t; + ') + + init_script_domtrans_spec($1,fail2ban_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an fail2ban environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the fail2ban domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`fail2ban_admin',` + gen_require(` + type fail2ban_t; + type fail2ban_script_exec_t; + type fail2ban_log_t; + type fail2ban_var_run_t; + ') + + allow $1 fail2ban_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, fail2ban_t, fail2ban_t) + + # Allow fail2ban_t to restart the apache service + fail2ban_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 fail2ban_script_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + manage_all_pattern($1,fail2ban_log_t) + + files_list_pids($1) + manage_all_pattern($1,fail2ban_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.2.7/policy/modules/services/fail2ban.te --- nsaserefpolicy/policy/modules/services/fail2ban.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/fail2ban.te 2008-02-13 16:57:15.000000000 -0500 @@ -18,6 +18,9 @@ type fail2ban_var_run_t; files_pid_file(fail2ban_var_run_t) +type fail2ban_script_exec_t; +init_script_type(fail2ban_script_exec_t) + ######################################## # # fail2ban local policy 
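Review bot: The comment `# Allow fail2ban_t to restart the apache service` in fail2ban_admin is a copy-paste leftover; the rules under it let the admin domain `$1` run the fail2ban init script and let role `$2` enter system_r for it, so it should read `# Allow $1 to run the fail2ban init script ($2 enters system_r for the transition)`. The `$3` terminal-type parameter is documented in the XML but never used by the body; either drop it or note that it is kept for parity with the other *_admin interfaces. `allow $1 fail2ban_t:process { ptrace signal_perms getattr }` also hands the admin ptrace over a daemon that parses untrusted log data, which is the usual refpolicy admin pattern but deserves a one-line comment. The same apache comment text recurs in the other *_admin interfaces added by this patch.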
@@ -33,8 +36,9 @@ logging_log_filetrans(fail2ban_t,fail2ban_log_t,file) # pid file +manage_sock_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t) manage_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t) -files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file) +files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, { file sock_file }) kernel_read_system_state(fail2ban_t) @@ -55,6 +59,8 @@ miscfiles_read_localization(fail2ban_t) +mta_send_mail(fail2ban_t) + optional_policy(` apache_read_log(fail2ban_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.fc serefpolicy-3.2.7/policy/modules/services/fetchmail.fc --- nsaserefpolicy/policy/modules/services/fetchmail.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/fetchmail.fc 2008-02-13 16:57:15.000000000 -0500 @@ -17,3 +17,4 @@ /var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0) /var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.if serefpolicy-3.2.7/policy/modules/services/fetchmail.if --- nsaserefpolicy/policy/modules/services/fetchmail.if 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/fetchmail.if 2008-02-13 16:57:15.000000000 -0500 
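Review bot: `mta_send_mail(fail2ban_t)` in the second hunk on this line is added unconditionally, while the neighbouring cross-module rule (`apache_read_log`) is wrapped in `optional_policy(...)`; if mta is built as an optional module this will fail to link. It should be `optional_policy(` mta_send_mail(fail2ban_t) ')` with a short why-comment, e.g. `# fail2ban can be configured to mail ban notifications`. The sock_file additions in the first hunk are consistent with the new `/var/run/fail2ban\.sock` file context.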
@@ -1 +1,44 @@ ## Remote-mail retrieval and forwarding utility + +######################################## +## +## All of the rules required to administrate +## an fetchmail environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the fetchmail domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`fetchmail_admin',` + gen_require(` + type fetchmail_t; + type fetchmail_script_exec_t; + type fetchmail_etc_t; + type fetchmail_uidl_cache_t; + type fetchmail_var_run_t; + ') + + allow $1 fetchmail_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, fetchmail_t, fetchmail_t) + + files_list_etc($1) + manage_all_pattern($1,fetchmail_etc_t) + + manage_all_pattern($1,fetchmail_uidl_cache_t) + + files_list_pids($1) + manage_all_pattern($1,fetchmail_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.2.7/policy/modules/services/ftp.fc --- nsaserefpolicy/policy/modules/services/ftp.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/ftp.fc 2008-02-13 16:57:15.000000000 -0500 @@ -27,3 +27,6 @@ /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) + +/etc/rc.d/init.d/vsftpd -- gen_context(system_u:object_r:ftp_script_exec_t,s0) +/etc/rc.d/init.d/proftpd -- gen_context(system_u:object_r:ftp_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.2.7/policy/modules/services/ftp.if --- nsaserefpolicy/policy/modules/services/ftp.if 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/ftp.if 2008-02-13 16:57:15.000000000 -0500 
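Review bot: fetchmail_admin requires `type fetchmail_script_exec_t;`, but nothing in this patch declares that type or labels an init script with it (there is no fetchmail.te hunk and the fetchmail.fc hunk only adds a blank line), so the module will not build unless the declaration exists elsewhere. Either add `type fetchmail_script_exec_t; init_script_type(fetchmail_script_exec_t)` to fetchmail.te with a matching fc entry and a `fetchmail_script_domtrans` interface, or drop the require. The `$2` and `$3` parameters are documented but unused — there is no `role_transition` or `allow $2 system_r;` — so an admin given this interface cannot actually restart fetchmail through its init script. Minor: "an fetchmail environment" should be "a fetchmail environment".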
@@ -28,11 +28,13 @@ type ftpd_t; ') - userdom_manage_user_home_content_files($1,ftpd_t) - userdom_manage_user_home_content_symlinks($1,ftpd_t) - userdom_manage_user_home_content_sockets($1,ftpd_t) - userdom_manage_user_home_content_pipes($1,ftpd_t) - userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file }) + tunable_policy(`ftp_home_dir',` + userdom_manage_user_home_content_files($1,ftpd_t) + userdom_manage_user_home_content_symlinks($1,ftpd_t) + userdom_manage_user_home_content_sockets($1,ftpd_t) + userdom_manage_user_home_content_pipes($1,ftpd_t) + userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file }) + ') ') ######################################## 
@@ -155,3 +157,96 @@ role $2 types ftpdctl_t; allow ftpdctl_t $3:chr_file rw_term_perms; ') + +######################################## +## +## Execute ftp server in the ftp domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`ftp_script_domtrans',` + gen_require(` + type ftp_script_exec_t; + ') + + init_script_domtrans_spec($1,ftp_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an ftp environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the ftp domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`ftp_admin',` + gen_require(` + type ftp_t; + type ftpdctl_t; + type ftp_script_exec_t; + type ftp_tmp_t; + type ftp_log_t; + type ftp_etc_t; + type ftp_lock_t; + type ftp_var_lib_t; + type ftp_var_run_t; + type xferlog_t; + ') + + allow $1 ftp_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, ftp_t, ftp_t) + + # Allow ftp_t to restart the apache service + ftp_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 ftp_script_exec_t system_r; + allow $2 system_r; + + allow $1 ftpdctl_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, ftpdctl_t, ftpdctl_t) + + ftp_run_ftpdctl($1, $2, $3) + + miscfiles_manage_public_files($1) + + files_list_tmp($1) + manage_all_pattern($1,ftp_tmp_t) + + logging_list_logs($1) + manage_all_pattern($1,ftp_log_t) + + manage_all_pattern($1,xferlog_t) + + files_list_etc($1) + manage_all_pattern($1,ftp_etc_t) + + files_list_var($1) + manage_all_pattern($1,ftp_lock_t) + + files_list_var_lib($1) + manage_all_pattern($1,ftp_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,ftp_var_run_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.2.7/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2007-12-19 
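Review bot: ftp_admin's gen_require names `ftp_t`, `ftp_tmp_t`, `ftp_log_t`, `ftp_etc_t`, `ftp_lock_t`, `ftp_var_lib_t` and `ftp_var_run_t`, but the ftp module's types as used in the ftp.te hunks of this patch are `ftpd_t`, `ftpd_var_run_t`, `ftpd_tmpfs_t`, and the log type is `xferlog_t` (which the interface already requires separately); unless those ftp_* types are declared somewhere not shown, the module will not build. The ptrace/signal rules and `read_files_pattern` should target `ftpd_t`, and the manage_all_pattern calls should use the real `ftpd_*` types. The comment `# Allow ftp_t to restart the apache service` is a copy-paste leftover and should describe the init-script transition it actually grants.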
05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/ftp.te 2008-02-13 16:57:15.000000000 -0500 @@ -75,6 +75,9 @@ type xferlog_t; logging_log_file(xferlog_t) +type ftp_script_exec_t; +init_script_type(ftp_script_exec_t) + ######################################## # # ftpd local policy @@ -106,9 +109,10 @@ manage_sock_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t) fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) +manage_dirs_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t) manage_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t) manage_sock_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t) -files_pid_filetrans(ftpd_t,ftpd_var_run_t,file) +files_pid_filetrans(ftpd_t,ftpd_var_run_t,{ file dir} ) # proftpd requires the client side to bind a socket so that # it can stat the socket to perform access control decisions, @@ -123,6 +127,7 @@ kernel_read_kernel_sysctls(ftpd_t) kernel_read_system_state(ftpd_t) +kernel_search_network_state(ftpd_t) dev_read_sysfs(ftpd_t) dev_read_urand(ftpd_t) @@ -169,7 +174,9 @@ libs_use_ld_so(ftpd_t) libs_use_shared_libs(ftpd_t) +logging_send_audit_msgs(ftpd_t) logging_send_syslog_msg(ftpd_t) +logging_set_loginuid(ftpd_t) miscfiles_read_localization(ftpd_t) miscfiles_read_public_files(ftpd_t) @@ -218,6 +225,11 @@ userdom_manage_all_users_home_content_dirs(ftpd_t) userdom_manage_all_users_home_content_files(ftpd_t) userdom_manage_all_users_home_content_symlinks(ftpd_t) + auth_manage_all_files_except_shadow(ftpd_t) + + auth_read_all_dirs_except_shadow(ftpd_t) + auth_read_all_files_except_shadow(ftpd_t) + auth_read_all_symlinks_except_shadow(ftpd_t) ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` 
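Review bot: `auth_manage_all_files_except_shadow(ftpd_t)` in the last hunk grants the ftpd domain create/write/delete on every file type on the system except shadow_t, far beyond the home-directory access the surrounding `userdom_manage_all_users_home_content_*` rules allow; the enclosing block's opening line is outside the hunk, but from the context it appears to be the `ftp_home_dir` tunable, which users enable expecting home-directory access only. Together with the `auth_read_all_*_except_shadow` rules this makes ftpd's file confinement nearly nominal whenever that tunable is on. If some FTP server genuinely needs this (e.g. serving arbitrarily labelled trees), it belongs behind its own boolean with a `gen_tunable` description spelling out the consequence, plus a comment naming the use case; otherwise a narrower rule should replace it. Minor, in the `-106` hunk: `{ file dir} )` should be `{ file dir })`.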
@@ -253,7 +265,10 @@ ') optional_policy(` + kerberos_use(ftpd_t) kerberos_read_keytab(ftpd_t) + kerberos_manage_host_rcache(ftpd_t) + selinux_validate_context(ftpd_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.2.7/policy/modules/services/gnomeclock.fc --- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/gnomeclock.fc 2008-02-13 16:57:15.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.2.7/policy/modules/services/gnomeclock.if --- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/gnomeclock.if 2008-02-13 16:57:15.000000000 -0500 
@@ -0,0 +1,75 @@ + +## policy for gnomeclock + +######################################## +## +## Execute a domain transition to run gnomeclock. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`gnomeclock_domtrans',` + gen_require(` + type gnomeclock_t; + type gnomeclock_exec_t; + ') + + domtrans_pattern($1,gnomeclock_exec_t,gnomeclock_t) +') + + +######################################## +## +## Execute gnomeclock in the gnomeclock domain, and +## allow the specified role the gnomeclock domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the gnomeclock domain. +## +## +## +## +## The type of the role's terminal. +## +## +# +interface(`gnomeclock_run',` + gen_require(` + type gnomeclock_t; + ') + + gnomeclock_domtrans($1) + role $2 types gnomeclock_t; + dontaudit gnomeclock_t $3:chr_file rw_term_perms; +') + + +######################################## +## +## Send and receive messages from +## gnomeclock over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnomeclock_dbus_chat',` + gen_require(` + type gnomeclock_t; + class dbus send_msg; + ') + + allow $1 gnomeclock_t:dbus send_msg; + allow gnomeclock_t $1:dbus send_msg; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.2.7/policy/modules/services/gnomeclock.te --- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/gnomeclock.te 2008-02-13 16:57:15.000000000 -0500 
@@ -0,0 +1,51 @@ +policy_module(gnomeclock,1.0.0) +######################################## +# +# Declarations +# + +type gnomeclock_t; +type gnomeclock_exec_t; +dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) + + +######################################## +# +# gnomeclock local policy +# +allow gnomeclock_t self:capability sys_time; +allow gnomeclock_t self:process getsched; + +# internal communication is often done using fifo and unix sockets. +allow gnomeclock_t self:fifo_file rw_file_perms; +allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; + +corecmd_search_bin(gnomeclock_t) + +files_read_etc_files(gnomeclock_t) +files_read_usr_files(gnomeclock_t) + +fs_list_inotifyfs(gnomeclock_t) + +auth_use_nsswitch(gnomeclock_t) + +libs_use_ld_so(gnomeclock_t) +libs_use_shared_libs(gnomeclock_t) + +miscfiles_read_localization(gnomeclock_t) + +userdom_read_all_users_state(gnomeclock_t) + +optional_policy(` + consolekit_dbus_chat(gnomeclock_t) +') + +optional_policy(` + clock_domtrans(gnomeclock_t) +') + +optional_policy(` + polkit_domtrans_auth(gnomeclock_t) + polkit_read_lib(gnomeclock_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.2.7/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2007-11-14 08:17:58.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/hal.fc 2008-02-13 16:57:15.000000000 -0500 @@ -8,6 +8,7 @@ /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) +/usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) /usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0) 
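Review bot: gnomeclock_t holds `capability sys_time` and may run `clock_domtrans`, and as a `dbus_system_domain` it is reachable from any domain granted `gnomeclock_dbus_chat`; the polkit rules that are meant to back caller authorization sit in an `optional_policy` block, so on a build without the polkit module the mechanism still carries sys_time with no policy-side gate. A comment making the trust boundary explicit would help, e.g. `# Time changes are authorized by PolicyKit inside the daemon; policy only permits the D-Bus reachable calls`. `userdom_read_all_users_state(gnomeclock_t)` lets the mechanism read /proc state of every user's processes; if this is only to identify the D-Bus caller, say so in a comment or look for a narrower interface. The file also has doubled blank lines after the type declarations and before the first `allow`, which the other .te files in this patch avoid.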
@@ -16,10 +17,11 @@ /var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0) /var/log/pm-suspend\.log gen_context(system_u:object_r:hald_log_t,s0) +/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0) +/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) /var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0) -/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0) - +/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0) ifdef(`distro_gentoo',` /var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.2.7/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2007-09-05 15:24:44.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/hal.if 2008-02-13 16:57:15.000000000 -0500 @@ -302,3 +302,42 @@ files_search_pids($1) allow $1 hald_var_run_t:file rw_file_perms; ') + +######################################## +## +## Send a SIGCHLD signal to hal. +## +## +## +## Domain allowed access. +## +## +# +interface(`hal_getattr',` + gen_require(` + type hald_t; + ') + + allow $1 hald_t:process getattr; +') + +######################################## +## +##f Read hal system state +## +## +## +## Domain to not audit. +## +## +# +interface(`hal_read_state',` + gen_require(` + type hald_t; + ') + kernel_search_proc($1) + allow $1 hald_t:dir list_dir_perms; + read_files_pattern($1,hald_t,hald_t) + read_lnk_files_pattern($1,hald_t,hald_t) + dontaudit $1 hald_t:process ptrace; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.7/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/hal.te 2008-02-13 16:57:15.000000000 -0500 
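Review bot: `hal_getattr` in the hal.if hunk is documented as "Send a SIGCHLD signal to hal" but its body grants only `hald_t:process getattr`; the summary should read `Get the attributes of the hald process.`. In `hal_read_state` the summary line is mangled (`##f Read hal system state`) and the parameter is described as "Domain to not audit" although this is an allow interface; write `## Read hald process state under /proc.` and "Domain allowed access." The trailing `dontaudit $1 hald_t:process ptrace;` mixed into an allow interface is reasonable but deserves a why-comment such as `# reading /proc/<pid> entries triggers ptrace checks we do not want to grant`.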
@@ -49,6 +49,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) +typealias hald_log_t alias pmtools_log_t; +typealias hald_var_run_t alias pmtools_var_run_t; + ######################################## # # Local policy @@ -70,7 +73,7 @@ manage_files_pattern(hald_t,hald_cache_t,hald_cache_t) # log files for hald -allow hald_t hald_log_t:file manage_file_perms; +manage_files_pattern(hald_t, hald_log_t, hald_log_t) logging_log_filetrans(hald_t,hald_log_t,file) manage_dirs_pattern(hald_t,hald_tmp_t,hald_tmp_t) @@ -93,6 +96,7 @@ kernel_rw_irq_sysctls(hald_t) kernel_rw_vm_sysctls(hald_t) kernel_write_proc_files(hald_t) +kernel_setsched(hald_t) auth_read_pam_console_data(hald_t) @@ -155,6 +159,8 @@ selinux_compute_relabel_context(hald_t) selinux_compute_user_contexts(hald_t) +dev_read_raw_memory(hald_t) + storage_raw_read_removable_device(hald_t) storage_raw_write_removable_device(hald_t) storage_raw_read_fixed_disk(hald_t) @@ -172,6 +178,8 @@ init_rw_utmp(hald_t) init_telinit(hald_t) +fstools_getattr_swap_files(hald_t) + libs_use_ld_so(hald_t) libs_use_shared_libs(hald_t) libs_exec_ld_so(hald_t) @@ -265,6 +273,11 @@ ') optional_policy(` + polkit_domtrans_auth(hald_t) + polkit_read_lib(hald_t) +') + +optional_policy(` rpc_search_nfs_state_data(hald_t) ') @@ -291,7 +304,8 @@ # allow hald_acl_t self:capability { dac_override fowner }; -allow hald_acl_t self:fifo_file read_fifo_file_perms; +allow hald_acl_t self:process { getattr signal }; +allow hald_acl_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t) allow hald_t hald_acl_t:process signal; @@ -304,6 +318,7 @@ corecmd_exec_bin(hald_acl_t) dev_getattr_all_chr_files(hald_acl_t) +dev_setattr_all_chr_files(hald_acl_t) dev_getattr_generic_usb_dev(hald_acl_t) dev_getattr_video_dev(hald_acl_t) dev_setattr_video_dev(hald_acl_t) 
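Review bot: `dev_read_raw_memory(hald_t)` in the `-155` hunk gives the main hald daemon read access to /dev/mem and /dev/kmem, i.e. arbitrary physical and kernel memory, a far larger privilege than the device-specific `storage_raw_*` accesses around it; it is added without a comment and to hald_t itself rather than to one of the helper domains (hald_mac_t already has raw-memory write). Please state what hald reads via /dev/mem and, if it is a single probe or addon, move the access into a dedicated helper domain; otherwise at least add `# hald reads <table> via /dev/mem; needed for <reason>`. `polkit_domtrans_auth(hald_t)` in the `-265` hunk is likewise uncommented.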
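Review bot: `dev_setattr_all_chr_files(hald_acl_t)` in the last hunk on this line lets the ACL helper change attributes on every character device node, and the domain already holds `dac_override` and `fowner`, so this is effectively chmod/chown over all of /dev rather than the class-specific `dev_setattr_video_dev` pattern used just below it. If hal-acl-tool only manages a known set of device classes, prefer the specific `dev_setattr_*` interfaces and add a comment listing them; if it truly must handle arbitrary nodes, say so in a comment so the breadth is clearly intentional.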
@@ -325,6 +340,11 @@ miscfiles_read_localization(hald_acl_t) +optional_policy(` + polkit_domtrans_auth(hald_acl_t) + polkit_read_lib(hald_acl_t) +') + ######################################## # # Local hald mac policy @@ -338,10 +358,14 @@ manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t) files_search_var_lib(hald_mac_t) +dev_read_raw_memory(hald_mac_t) dev_write_raw_memory(hald_mac_t) +dev_read_sysfs(hald_mac_t) files_read_usr_files(hald_mac_t) +kernel_read_system_state(hald_mac_t) + libs_use_ld_so(hald_mac_t) libs_use_shared_libs(hald_mac_t) @@ -391,3 +415,7 @@ libs_use_shared_libs(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) + +# This is caused by a bug in hald and PolicyKit. +# Should be removed when this is fixed +cron_read_system_job_lib_files(hald_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/.if serefpolicy-3.2.7/policy/modules/services/.if --- nsaserefpolicy/policy/modules/services/.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/.if 2008-02-13 16:57:15.000000000 -0500 @@ -0,0 +1 @@ +sed s/myapp//g /home/dwalsh/myapp.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.2.7/policy/modules/services/inetd.te --- nsaserefpolicy/policy/modules/services/inetd.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/inetd.te 2008-02-13 16:57:15.000000000 -0500 @@ -30,6 +30,10 @@ type inetd_child_var_run_t; files_pid_file(inetd_child_var_run_t) +ifdef(`enable_mcs',` + init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh) +') + ######################################## # # Local policy @@ -84,6 +88,7 @@ corenet_udp_bind_ftp_port(inetd_t) corenet_tcp_bind_inetd_child_port(inetd_t) corenet_udp_bind_inetd_child_port(inetd_t) +corenet_tcp_bind_ircd_port(inetd_t) corenet_udp_bind_ktalkd_port(inetd_t) corenet_tcp_bind_printer_port(inetd_t) corenet_udp_bind_rlogind_port(inetd_t) 
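Review bot: `cron_read_system_job_lib_files(hald_t)` in the `-391` hunk is appended after the hald_keymap section, outside the hald_t local-policy block and outside any `optional_policy` wrapper, although it calls into the cron module; besides being a link failure when cron is absent, the comment `# This is caused by a bug in hald and PolicyKit` gives no bug reference, so nobody will know when it can be removed. Move it into the hald_t section as `optional_policy(` cron_read_system_job_lib_files(hald_t) ')` and cite the bug tracker entry in the comment.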
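Review bot: The new file `policy/modules/services/.if`, whose only content is `sed s/myapp//g /home/dwalsh/myapp.if`, is a stray scratch file (a shell command referencing a developer's home directory), not policy, and should be dropped from the patch. Since the build collects `*.if` files under modules/services, a file named only by its extension may be picked up by interface generation and produce confusing m4 errors.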
@@ -137,6 +142,7 @@ miscfiles_read_localization(inetd_t) # xinetd needs MLS override privileges to work +mls_fd_use_all_levels(inetd_t) mls_fd_share_all_levels(inetd_t) mls_socket_read_to_clearance(inetd_t) mls_socket_write_to_clearance(inetd_t) @@ -164,6 +170,7 @@ ') optional_policy(` + unconfined_domain(inetd_t) unconfined_domtrans(inetd_t) ') @@ -180,6 +187,9 @@ # for identd allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow inetd_child_t self:capability { setuid setgid }; +allow inetd_child_t self:dir search; +allow inetd_child_t self:{ lnk_file file } { getattr read }; + files_search_home(inetd_child_t) manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t) @@ -226,3 +236,7 @@ optional_policy(` unconfined_domain(inetd_child_t) ') + +optional_policy(` + inetd_service_domain(inetd_child_t,bin_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.fc serefpolicy-3.2.7/policy/modules/services/inn.fc --- nsaserefpolicy/policy/modules/services/inn.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/inn.fc 2008-02-13 16:57:15.000000000 -0500 @@ -64,3 +64,5 @@ /var/run/news(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0) /var/spool/news(/.*)? gen_context(system_u:object_r:news_spool_t,s0) + +/etc/rc.d/init.d/innd -- gen_context(system_u:object_r:innd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.if serefpolicy-3.2.7/policy/modules/services/inn.if --- nsaserefpolicy/policy/modules/services/inn.if 2007-01-02 12:57:43.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/inn.if 2008-02-13 16:57:15.000000000 -0500 
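Review bot: `unconfined_domain(inetd_t)` in the `-164` hunk makes the entire inetd/xinetd process unconfined whenever the unconfined module is loaded, which on most builds is always; it silently voids every rule in inetd.te, including the MLS override rules carefully added in the `-137` hunk (`mls_fd_use_all_levels`), and turns a network-facing super-server into an unconfined attack surface. If the goal is only to let inetd launch unconfined services, the existing `unconfined_domtrans(inetd_t)` on the next line already does that; if inetd genuinely needs more, add the specific rules or gate this behind a boolean with a `gen_tunable` description. At minimum it needs a justifying comment, because it is a large confinement regression.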
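Review bot: `inetd_service_domain(inetd_child_t,bin_t)` in the `-226` hunk references `bin_t` directly inside inetd.te; foreign types in a .te file normally need a `gen_require` (or should be reached through a corecmd interface), so unless bin_t is required elsewhere in the module this will fail at link time. Semantically it presumably makes `bin_t` an entry point for inetd_child_t, so any generic binary inetd spawns lands in a domain that already holds `setuid setgid` and, via the hunk above, may itself be unconfined; a comment naming the services this is meant for would let reviewers judge whether a dedicated entrypoint type is the better fix.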
@@ -176,3 +176,80 @@ corecmd_search_bin($1) domtrans_pattern($1,innd_exec_t,innd_t) ') + +######################################## +## +## Execute inn server in the inn domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`inn_script_domtrans',` + gen_require(` + type innd_script_exec_t; + ') + + init_script_domtrans_spec($1,innd_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an inn environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the inn domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`inn_admin',` + gen_require(` + type innd_t; + type innd_script_exec_t; + type innd_etc_t; + type innd_log_t; + type news_spool_t; + type innd_var_lib_t; + type innd_var_run_t; + ') + + allow $1 innd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, innd_t, innd_t) + + # Allow innd_t to restart the apache service + inn_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 innd_script_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + manage_all_pattern($1,innd_etc_t) + + logging_list_logs($1) + manage_all_pattern($1,innd_log_t) + + files_list_spool($1) + manage_all_pattern($1,news_spool_t) + + files_list_var_lib($1) + manage_all_pattern($1,innd_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,innd_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.2.7/policy/modules/services/inn.te --- nsaserefpolicy/policy/modules/services/inn.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/inn.te 2008-02-13 16:57:15.000000000 -0500 
@@ -22,7 +22,10 @@ files_pid_file(innd_var_run_t) type news_spool_t; -files_type(news_spool_t) +files_mountpoint(news_spool_t) + +type innd_script_exec_t; +init_script_type(innd_script_exec_t) ######################################## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.fc serefpolicy-3.2.7/policy/modules/services/jabber.fc --- nsaserefpolicy/policy/modules/services/jabber.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/jabber.fc 2008-02-13 16:57:15.000000000 -0500 @@ -2,3 +2,4 @@ /var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) /var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) +/etc/rc.d/init.d/jabber -- gen_context(system_u:object_r:jabber_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.if serefpolicy-3.2.7/policy/modules/services/jabber.if --- nsaserefpolicy/policy/modules/services/jabber.if 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/jabber.if 2008-02-13 16:57:15.000000000 -0500 
@@ -13,3 +13,73 @@ interface(`jabber_tcp_connect',` refpolicywarn(`$0($*) has been deprecated.') ') + +######################################## +## +## Execute jabber server in the jabber domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`jabber_script_domtrans',` + gen_require(` + type jabber_script_exec_t; + ') + + init_script_domtrans_spec($1,jabber_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an jabber environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the jabber domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`jabber_admin',` + gen_require(` + type jabber_t; + type jabber_script_exec_t; + type jabber_log_t; + type jabber_var_lib_t; + type jabber_var_run_t; + ') + + allow $1 jabber_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, jabber_t, jabber_t) + + # Allow jabber_t to restart the apache service + jabber_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 jabber_script_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + manage_all_pattern($1,jabber_log_t) + + files_list_var_lib($1) + manage_all_pattern($1,jabber_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,jabber_var_run_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.te serefpolicy-3.2.7/policy/modules/services/jabber.te --- nsaserefpolicy/policy/modules/services/jabber.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/jabber.te 2008-02-13 16:57:15.000000000 -0500 
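Review bot: jabber_admin requires `jabber_t`, `jabber_log_t`, `jabber_var_lib_t` and `jabber_var_run_t`, but the jabber module's types as shown in jabber.fc and jabber.te in this patch are `jabberd_log_t`, `jabberd_var_lib_t` and `jabberd_var_run_t` (and by the same naming the domain is presumably `jabberd_t`); only `jabber_script_exec_t` matches what is declared. As written the module will not build; the gen_require and every rule below it should use the `jabberd_*` names. The comment `# Allow jabber_t to restart the apache service` is a copy-paste leftover and should describe the init-script transition.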
@@ -19,6 +19,9 @@ type jabberd_var_run_t; files_pid_file(jabberd_var_run_t) +type jabber_script_exec_t; +init_script_type(jabber_script_exec_t) + ######################################## # # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.2.7/policy/modules/services/kerberos.fc --- nsaserefpolicy/policy/modules/services/kerberos.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/kerberos.fc 2008-02-13 16:57:15.000000000 -0500 @@ -16,3 +16,9 @@ /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) +/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) + +/etc/rc.d/init.d/kadmind -- gen_context(system_u:object_r:kerberos_script_exec_t,s0) +/etc/rc.d/init.d/krb524d -- gen_context(system_u:object_r:kerberos_script_exec_t,s0) +/etc/rc.d/init.d/kpropd -- gen_context(system_u:object_r:kerberos_script_exec_t,s0) +/etc/rc.d/init.d/krb5kdc -- gen_context(system_u:object_r:kerberos_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.2.7/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-16 14:09:46.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/kerberos.if 2008-02-13 16:57:15.000000000 -0500 @@ -43,7 +43,13 @@ dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; dontaudit $1 krb5kdc_conf_t:file rw_file_perms; + #kerberos libraries are attempting to set the correct file context + dontaudit $1 self:process setfscreate; + seutil_dontaudit_read_file_contexts($1) + tunable_policy(`allow_kerberos',` + fs_rw_tmpfs_files($1) + allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; 
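Review bot: `fs_rw_tmpfs_files($1)` in the kerberos_use hunk grants every kerberos-using domain read/write on all tmpfs_t files whenever `allow_kerberos` is on; tmpfs_t is the generic label for /dev/shm and similar content, so this opens a shared read/write channel between otherwise unrelated confined domains. If it is needed for a credential or replay cache kept on a tmpfs, a dedicated type (the patch already introduces `krb5_host_rcache_t` for /var/tmp) with a `fs_tmpfs_filetrans` would be far narrower. At least add a comment naming the file it is required for, as was done for the `setfscreate` dontaudit just above.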
@@ -61,11 +67,7 @@ corenet_tcp_connect_ocsp_port($1) corenet_sendrecv_kerberos_client_packets($1) corenet_sendrecv_ocsp_client_packets($1) - - sysnet_read_config($1) - sysnet_dns_name_resolve($1) ') - optional_policy(` tunable_policy(`allow_kerberos',` pcscd_stream_connect($1) 
@@ -172,3 +174,156 @@ allow $1 krb5kdc_conf_t:file read_file_perms; ') + +######################################## +## +## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kerberos_manage_host_rcache',` + gen_require(` + type krb5_host_rcache_t; + ') + + tunable_policy(`allow_kerberos',` + files_search_tmp($1) + allow $1 self:process setfscreate; + selinux_validate_context($1) + seutil_read_file_contexts($1) + allow $1 krb5_host_rcache_t:file manage_file_perms; + ') + # creates files as system_u no matter what the selinux user + domain_obj_id_change_exemption($1) +') + +######################################## +## +## Connect to krb524 service +## +## +## +## Domain allowed access. +## +## +# +interface(`kerberos_524_connect',` + tunable_policy(`allow_kerberos',` + allow $1 self:udp_socket create_socket_perms; + corenet_all_recvfrom_unlabeled($1) + corenet_udp_sendrecv_all_if($1) + corenet_udp_sendrecv_all_nodes($1) + corenet_udp_sendrecv_kerberos_master_port($1) + corenet_udp_bind_all_nodes($1) + ') +') + +######################################## +## +## Execute kerberos server in the kerberos domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`kerberos_script_domtrans',` + gen_require(` + type kerberos_script_exec_t; + ') + + init_script_domtrans_spec($1,kerberos_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an kerberos environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the kerberos domain. +## +## +## +## +## The type of the user terminal. 
+## +## +## +# +interface(`kerberos_admin',` + gen_require(` + type kadmind_t; + type krb5kdc_t; + + type kadmind_script_exec_t; + type kadmind_log_t; + type kadmind_tmp_t; + type kadmind_var_run_t; + + type krb5_conf_t; + type krb5_keytab_t; + type krb5kdc_conf_t; + type krb5kdc_principal_t; + type krb5kdc_tmp_t; + type krb5kdc_var_run_t; + type krb5_host_rcache_t; + + type kadmind_spool_t; + type kadmind_var_lib_t; + ') + + allow $1 kadmind_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, kadmind_t, kadmind_t) + + allow $1 krb5kdc_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, krb5kdc_t, krb5kdc_t) + + # Allow kadmind_t to restart the apache service + kerberos_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 kadmind_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,kadmind_tmp_t) + + logging_list_logs($1) + manage_all_pattern($1,kadmind_log_t) + + files_list_spool($1) + manage_all_pattern($1,kadmind_spool_t) + + files_list_var_lib($1) + manage_all_pattern($1,kadmind_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,kadmind_var_run_t) + + manage_all_pattern($1,krb5_conf_t) + + manage_all_pattern($1,krb5_keytab_t) + + manage_all_pattern($1,krb5kdc_principal_t) + + manage_all_pattern($1,krb5kdc_tmp_t) + + manage_all_pattern($1,krb5kdc_var_run_t) + + manage_all_pattern($1,krb5_host_rcache_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.2.7/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/kerberos.te 2008-02-13 16:57:15.000000000 -0500 
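Review bot: kerberos_admin requires and transitions on `kadmind_script_exec_t`, but the type this patch declares in kerberos.te and labels in kerberos.fc is `kerberos_script_exec_t` (and `kerberos_script_domtrans` uses that name), so `role_transition $2 kadmind_script_exec_t system_r;` names an undeclared type and the module will not build; `kadmind_spool_t` and `kadmind_var_lib_t` are likewise declared nowhere in this patch. Separately, `kerberos_manage_host_rcache` carries the summary "Read the kerberos kdc configuration file (/etc/krb5kdc.conf)" copied from another interface; it should say `Manage the kerberos host replay cache, including setfscreate to label it.`. The interface's `domain_obj_id_change_exemption($1)` sits outside the `allow_kerberos` block (attribute assignments cannot be conditional), so the exemption applies even with the tunable off — the existing comment should mention that.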
@@ -54,6 +54,12 @@ type krb5kdc_var_run_t; files_pid_file(krb5kdc_var_run_t) +type krb5_host_rcache_t; +files_tmp_file(krb5_host_rcache_t) + +type kerberos_script_exec_t; +init_script_type(kerberos_script_exec_t) + ######################################## # # kadmind local policy @@ -62,7 +68,7 @@ # Use capabilities. Surplus capabilities may be allowed. allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; dontaudit kadmind_t self:capability sys_tty_config; -allow kadmind_t self:process signal_perms; +allow kadmind_t self:process { setfscreate signal_perms }; allow kadmind_t self:netlink_route_socket r_netlink_socket_perms; allow kadmind_t self:unix_dgram_socket { connect create write }; allow kadmind_t self:tcp_socket connected_stream_socket_perms; @@ -91,6 +97,7 @@ kernel_read_kernel_sysctls(kadmind_t) kernel_list_proc(kadmind_t) kernel_read_proc_symlinks(kadmind_t) +kernel_read_system_state(kadmind_t) corenet_all_recvfrom_unlabeled(kadmind_t) corenet_all_recvfrom_netlabel(kadmind_t) @@ -118,6 +125,9 @@ domain_use_interactive_fds(kadmind_t) files_read_etc_files(kadmind_t) +files_read_usr_symlinks(kadmind_t) +files_read_usr_files(kadmind_t) +files_read_var_files(kadmind_t) libs_use_ld_so(kadmind_t) libs_use_shared_libs(kadmind_t) @@ -127,6 +137,7 @@ miscfiles_read_localization(kadmind_t) sysnet_read_config(kadmind_t) +sysnet_use_ldap(kadmind_t) userdom_dontaudit_use_unpriv_user_fds(kadmind_t) userdom_dontaudit_search_sysadm_home_dirs(kadmind_t) @@ -137,6 +148,7 @@ optional_policy(` seutil_sigchld_newrole(kadmind_t) + seutil_read_file_contexts(kadmind_t) ') optional_policy(` 
@@ -151,7 +163,7 @@ # Use capabilities. Surplus capabilities may be allowed. allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; dontaudit krb5kdc_t self:capability sys_tty_config; -allow krb5kdc_t self:process { setsched getsched signal_perms }; +allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; allow krb5kdc_t self:tcp_socket create_stream_socket_perms; allow krb5kdc_t self:udp_socket create_socket_perms; @@ -223,6 +235,7 @@ miscfiles_read_localization(krb5kdc_t) sysnet_read_config(krb5kdc_t) +sysnet_use_ldap(krb5kdc_t) userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t) @@ -233,8 +246,10 @@ optional_policy(` seutil_sigchld_newrole(krb5kdc_t) + seutil_read_file_contexts(krb5kdc_t) ') optional_policy(` udev_read_db(krb5kdc_t) ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.fc serefpolicy-3.2.7/policy/modules/services/kerneloops.fc --- nsaserefpolicy/policy/modules/services/kerneloops.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/kerneloops.fc 2008-02-13 16:57:15.000000000 -0500 @@ -0,0 +1,4 @@ + +/usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0) + +/etc/rc.d/init.d/kerneloops -- gen_context(system_u:object_r:kerneloops_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.2.7/policy/modules/services/kerneloops.if --- nsaserefpolicy/policy/modules/services/kerneloops.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/kerneloops.if 2008-02-13 16:57:15.000000000 -0500 
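Review bot: `/etc/rc.d/init.d/kerneloops -- gen_context(system_u:object_r:kerneloops_script_exec_t,s0)` leaves the dots unescaped, so the regex also matches any character in those positions; `/etc/rc\.d/init\.d/kerneloops` is the intended spec and is the form this same commit uses for mysqld in mysql.fc. The same unescaped form is added in the ldap.fc, munin.fc and nagios.fc hunks below. The leading empty `+` line at the top of the new file can be dropped.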
@@ -0,0 +1,104 @@ + +## policy for kerneloops + +######################################## +## +## Execute a domain transition to run kerneloops. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`kerneloops_domtrans',` + gen_require(` + type kerneloops_t; + type kerneloops_exec_t; + ') + + domtrans_pattern($1,kerneloops_exec_t,kerneloops_t) +') + + +######################################## +## +## Execute kerneloops server in the kerneloops domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`kerneloops_script_domtrans',` + gen_require(` + type kerneloops_script_exec_t; + ') + + init_script_domtrans_spec($1,kerneloops_script_exec_t) +') + +######################################## +## +## Send and receive messages from +## kerneloops over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`kerneloops_dbus_chat',` + gen_require(` + type kerneloops_t; + class dbus send_msg; + ') + + allow $1 kerneloops_t:dbus send_msg; + allow kerneloops_t $1:dbus send_msg; +') + +######################################## +## +## All of the rules required to administrate +## an kerneloops environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the kerneloops domain. +## +## +## +## +## The type of the user terminal. 
+## +## +## +# +interface(`kerneloops_admin',` + gen_require(` + type kerneloops_t; + ') + + allow $1 kerneloops_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, kerneloops_t, kerneloops_t) + + + gen_require(` + type kerneloops_script_exec_t; + ') + + # Allow kerneloops_t to restart the apache service + kerneloops_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 kerneloops_script_exec_t system_r; + allow $2 system_r; + +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.2.7/policy/modules/services/kerneloops.te --- nsaserefpolicy/policy/modules/services/kerneloops.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/kerneloops.te 2008-02-13 16:57:15.000000000 -0500 
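Review bot: The comment `# Allow kerneloops_t to restart the apache service` in `kerneloops_admin` is copied from another module and describes neither the subject nor the service: the rules beneath it let the caller domain `$1` run the kerneloops init script in the system_r role. `# Allow $1 to run the kerneloops init script` states what the block does. The same stale comment appears in kerberos_admin (kerberos.if), ldap_admin, munin_admin, mysql_admin and nagios_admin in this commit. The second `gen_require` block in the middle of the body could be merged into the first, which is how the sibling admin interfaces are laid out.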
@@ -0,0 +1,56 @@ +policy_module(kerneloops,1.0.0) + +######################################## +# +# Declarations +# + +type kerneloops_t; +type kerneloops_exec_t; +domain_type(kerneloops_t) +init_daemon_domain(kerneloops_t, kerneloops_exec_t) + +type kerneloops_script_exec_t; +init_script_type(kerneloops_script_exec_t) + +######################################## +# +# kerneloops local policy +# +allow kerneloops_t self:capability sys_nice; +allow kerneloops_t self:process { setsched getsched }; + +# Init script handling +domain_use_interactive_fds(kerneloops_t) + +# internal communication is often done using fifo and unix sockets. +allow kerneloops_t self:fifo_file rw_file_perms; +allow kerneloops_t self:unix_stream_socket create_stream_socket_perms; +allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms; + +corenet_all_recvfrom_unlabeled(kerneloops_t) +corenet_all_recvfrom_netlabel(kerneloops_t) +corenet_tcp_sendrecv_all_if(kerneloops_t) +corenet_tcp_sendrecv_all_nodes(kerneloops_t) +corenet_tcp_sendrecv_all_ports(kerneloops_t) +corenet_tcp_bind_http_port(kerneloops_t) + +files_read_etc_files(kerneloops_t) + +kernel_read_ring_buffer(kerneloops_t) + +libs_use_ld_so(kerneloops_t) +libs_use_shared_libs(kerneloops_t) + +logging_send_syslog_msg(kerneloops_t) +logging_read_generic_logs(kerneloops_t) + +miscfiles_read_localization(kerneloops_t) + +sysnet_dns_name_resolve(kerneloops_t) + +optional_policy(` + dbus_system_bus_client_template(kerneloops,kerneloops_t) + dbus_connect_system_bus(kerneloops_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.2.7/policy/modules/services/ldap.fc --- nsaserefpolicy/policy/modules/services/ldap.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/ldap.fc 2008-02-13 16:57:15.000000000 -0500 
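Review bot: `corenet_tcp_bind_http_port(kerneloops_t)` lets the daemon listen on the http port, whereas a daemon that submits oops reports to a remote collector only needs to connect out; if that is what kerneloops does here, `corenet_tcp_connect_http_port(kerneloops_t)` is the rule that matches, and the bind rule would otherwise let a compromised kerneloops process offer a service on port 80. `logging_read_generic_logs(kerneloops_t)` grants read on every generic log file; a one-line comment naming which log kerneloops actually scans would let a later reviewer narrow it, given that `kernel_read_ring_buffer(kerneloops_t)` already covers the kernel oops text.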
@@ -14,3 +14,5 @@ /var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) + +/etc/rc.d/init.d/ldap -- gen_context(system_u:object_r:ldap_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.2.7/policy/modules/services/ldap.if --- nsaserefpolicy/policy/modules/services/ldap.if 2007-01-02 12:57:43.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/ldap.if 2008-02-13 16:57:15.000000000 -0500 
@@ -73,3 +73,80 @@ allow $1 slapd_var_run_t:sock_file write; allow $1 slapd_t:unix_stream_socket connectto; ') + +######################################## +## +## Execute ldap server in the ldap domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`ldap_script_domtrans',` + gen_require(` + type ldap_script_exec_t; + ') + + init_script_domtrans_spec($1,ldap_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an ldap environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the ldap domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`ldap_admin',` + gen_require(` + type slapd_t; + type ldap_script_exec_t; + type slapd_tmp_t; + type slapd_replog_t; + type slapd_lock_t; + type slapd_etc_t; + type slapd_var_run_t; + ') + + allow $1 slapd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, slapd_t, slapd_t) + + # Allow slapd_t to restart the apache service + ldap_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 ldap_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,slapd_tmp_t) + + manage_all_pattern($1,slapd_replog_t) + + files_list_etc($1) + manage_all_pattern($1,slapd_etc_t) + + manage_all_pattern($1,slapd_lock_t) + + files_list_pids($1) + manage_all_pattern($1,slapd_var_run_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.2.7/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/ldap.te 2008-02-13 16:57:15.000000000 -0500 
@@ -31,6 +31,9 @@ type slapd_var_run_t; files_pid_file(slapd_var_run_t) +type ldap_script_exec_t; +init_script_type(ldap_script_exec_t) + ######################################## # # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.2.7/policy/modules/services/lpd.if --- nsaserefpolicy/policy/modules/services/lpd.if 2007-11-16 13:45:14.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/lpd.if 2008-02-13 16:57:15.000000000 -0500 @@ -336,10 +336,8 @@ ') files_search_spool($1) + manage_dirs_pattern($1,print_spool_t,print_spool_t) manage_files_pattern($1,print_spool_t,print_spool_t) - - # cjp: cups wants setattr - allow $1 print_spool_t:dir setattr; ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.2.7/policy/modules/services/mailman.if --- nsaserefpolicy/policy/modules/services/mailman.if 2007-12-04 11:02:50.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/mailman.if 2008-02-13 16:57:15.000000000 -0500 @@ -211,6 +211,7 @@ type mailman_data_t; ') + manage_dirs_pattern($1,mailman_data_t,mailman_data_t) manage_files_pattern($1,mailman_data_t,mailman_data_t) ') @@ -252,6 +253,25 @@ ####################################### ## +## read +## mailman logs. +## +## +## +## Domain allowed access. +## +## +# +interface(`mailman_read_log',` + gen_require(` + type mailman_log_t; + ') + + read_files_pattern($1,mailman_log_t,mailman_log_t) +') + +####################################### +## ## Append to mailman logs. ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.7/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/mailman.te 2008-02-13 16:57:15.000000000 -0500 
@@ -53,10 +53,9 @@ apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) apache_search_sys_script_state(mailman_cgi_t) + apache_read_config(mailman_cgi_t) + apache_dontaudit_rw_stream_sockets(mailman_cgi_t) - optional_policy(` - nscd_socket_use(mailman_cgi_t) - ') ') ######################################## @@ -65,6 +64,11 @@ # allow mailman_mail_t self:unix_dgram_socket create_socket_perms; +allow mailman_mail_t initrc_t:process signal; +allow mailman_mail_t self:process signal; +allow mailman_mail_t self:capability { setuid setgid }; + +files_search_spool(mailman_mail_t) mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.2.7/policy/modules/services/mailscanner.fc --- nsaserefpolicy/policy/modules/services/mailscanner.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/mailscanner.fc 2008-02-13 16:57:15.000000000 -0500 @@ -0,0 +1,2 @@ +/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.2.7/policy/modules/services/mailscanner.if --- nsaserefpolicy/policy/modules/services/mailscanner.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/mailscanner.if 2008-02-13 16:57:15.000000000 -0500 
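Review bot: `allow mailman_mail_t initrc_t:process signal;` gives the mail-delivery domain, which processes untrusted incoming mail, the ability to signal any process still running as initrc_t, and the hunk carries no comment saying what it is for. If it exists so the delivery wrapper can wake a queue runner started by the init script, say so on the line and check whether the real target is the mailman domain that runner ends up in rather than initrc_t. Separately, the first hunk drops `nscd_socket_use(mailman_cgi_t)` with no visible replacement, so name lookups through nscd from the CGI may start being denied unless an `auth_use_nsswitch(mailman_cgi_t)` call exists outside the hunk.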
@@ -0,0 +1,59 @@ +## Anti-Virus and Anti-Spam Filter + +######################################## +## +## Search mailscanner spool directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`mailscanner_search_spool',` + gen_require(` + type mailscanner_spool_t; + ') + + files_search_spool($1) + allow $1 mailscanner_spool_t:dir search_dir_perms; +') + +######################################## +## +## read mailscanner spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mailscanner_read_spool',` + gen_require(` + type mailscanner_spool_t; + ') + + files_search_spool($1) + read_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t) +') + +######################################## +## +## Create, read, write, and delete +## mailscanner spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mailscanner_manage_spool',` + gen_require(` + type mailscanner_spool_t; + ') + + files_search_spool($1) + manage_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.2.7/policy/modules/services/mailscanner.te --- nsaserefpolicy/policy/modules/services/mailscanner.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/mailscanner.te 2008-02-13 16:57:15.000000000 -0500 @@ -0,0 +1,5 @@ + +policy_module(mailscanner,1.0.0) + +type mailscanner_spool_t; +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.7/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/mta.if 2008-02-13 16:57:15.000000000 -0500 
@@ -133,6 +133,12 @@ sendmail_create_log($1_mail_t) ') + optional_policy(` + exim_read_log($1_mail_t) + exim_append_log($1_mail_t) + exim_manage_spool_files($1_mail_t) + ') + ') ####################################### @@ -219,6 +225,11 @@ fs_manage_cifs_symlinks($1_mail_t) ') + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files($1_mail_t) + fs_manage_nfs_symlinks($1_mail_t) + ') + optional_policy(` allow $1_mail_t self:capability dac_override; @@ -305,6 +316,42 @@ ######################################## ## +## Make the specified type usable for a mta_send_mail. +## +## +## +## Type to be used as a mail client. +## +## +# +interface(`mta_mailclient',` + gen_require(` + attribute mailclient_exec_type; + ') + + typeattribute $1 mailclient_exec_type; +') + +######################################## +## +## Make the specified type readable for a system_mail_t +## +## +## +## Type to be used as a mail client. +## +## +# +interface(`mta_mailcontent',` + gen_require(` + attribute mailcontent_type; + ') + + typeattribute $1 mailcontent_type; +') + +######################################## +## ## Modified mailserver interface for ## sendmail daemon use. ## @@ -383,11 +430,13 @@ allow $1 mail_spool_t:dir list_dir_perms; create_files_pattern($1,mail_spool_t,mail_spool_t) read_files_pattern($1,mail_spool_t,mail_spool_t) + append_files_pattern($1,mail_spool_t,mail_spool_t) create_lnk_files_pattern($1,mail_spool_t,mail_spool_t) read_lnk_files_pattern($1,mail_spool_t,mail_spool_t) optional_policy(` dovecot_manage_spool($1) + dovecot_domtrans_deliver($1) ') optional_policy(` @@ -422,6 +471,7 @@ # apache should set close-on-exec apache_dontaudit_rw_stream_sockets($1) apache_dontaudit_rw_sys_script_stream_sockets($1) + apache_append_log($1) ') ') 
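Review bot: The `mta_mailcontent` interface documents its parameter as `Type to be used as a mail client`, copied from `mta_mailclient` just above it, but the rule it emits is `typeattribute $1 mailcontent_type;`, which marks a file type readable by system_mail_t; the summary should read `Make the specified type readable by system_mail_t.` and the parameter `Type whose files system_mail_t may read.`. The `mta_mailclient` summary `Make the specified type usable for a mta_send_mail.` would be clearer as `Make the specified executable type an entrypoint to system_mail_t for mta_send_mail callers.`, since that is what the attribute is used for in the mta_send_mail hunk below.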
@@ -438,20 +488,18 @@ interface(`mta_send_mail',` gen_require(` attribute mta_user_agent; - type system_mail_t, sendmail_exec_t; + type system_mail_t; + attribute mailclient_exec_type; ') - allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms; - domain_auto_trans($1, sendmail_exec_t, system_mail_t) - - allow $1 system_mail_t:fd use; - allow system_mail_t $1:fd use; - allow system_mail_t $1:fifo_file rw_file_perms; - allow system_mail_t $1:process sigchld; + allow $1 mailclient_exec_type:lnk_file read_lnk_file_perms; + domtrans_pattern($1, mailclient_exec_type, system_mail_t) + allow system_mail_t mailclient_exec_type:file entrypoint; allow mta_user_agent $1:fd use; allow mta_user_agent $1:process sigchld; allow mta_user_agent $1:fifo_file { read write }; + ') ######################################## @@ -586,6 +634,25 @@ files_search_etc($1) allow $1 etc_aliases_t:file { rw_file_perms setattr }; ') +######################################## +## +## manage mail aliases. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`mta_manage_aliases',` + gen_require(` + type etc_aliases_t; + ') + + files_search_etc($1) + allow $1 etc_aliases_t:file manage_file_perms; +') ####################################### ## @@ -837,6 +904,25 @@ ######################################## ## +## read mail queue files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mta_read_queue',` + gen_require(` + type mqueue_spool_t; + ') + + files_search_spool($1) + read_files_pattern($1,mqueue_spool_t,mqueue_spool_t) +') + +######################################## +## ## Create, read, write, and delete ## mail queue files. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.7/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/mta.te 2008-02-13 16:57:15.000000000 -0500 
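Review bot: With `domtrans_pattern($1, mailclient_exec_type, system_mail_t)` and `allow system_mail_t mailclient_exec_type:file entrypoint;`, every type that any module later tags through the public `mta_mailclient` interface becomes an entrypoint into system_mail_t for every caller of mta_send_mail, so the trust boundary of system_mail_t now rests on all users of the attribute rather than on sendmail_exec_t alone; that is a defensible design but deserves a sentence in the `mta_mailclient` documentation. The removed `allow $1 system_mail_t:fd use;` has no equivalent in domtrans_pattern, which grants only the reverse direction (system_mail_t using the caller's descriptors), so callers that relied on it lose that access — fine if intentional, but worth a note. The stray empty `+` line added before the closing `')` can be dropped.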
@@ -6,6 +6,8 @@ # Declarations # +attribute mailcontent_type; +attribute mailclient_exec_type; attribute mta_user_agent; attribute mailserver_delivery; attribute mailserver_domain; @@ -27,6 +29,7 @@ type sendmail_exec_t; application_executable_file(sendmail_exec_t) +mta_mailclient(sendmail_exec_t) mta_base_mail_template(system) role system_r types system_mail_t; @@ -37,30 +40,45 @@ # # newalias required this, not sure if it is needed in 'if' file -allow system_mail_t self:capability { dac_override }; +allow system_mail_t self:capability { dac_override fowner }; read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t) +read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type) + +files_read_all_tmp_files(system_mail_t) kernel_read_system_state(system_mail_t) kernel_read_network_state(system_mail_t) +dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) +fs_rw_anon_inodefs_files(system_mail_t) + +selinux_getattr_fs(system_mail_t) + init_use_script_ptys(system_mail_t) userdom_use_sysadm_terms(system_mail_t) userdom_dontaudit_search_sysadm_home_dirs(system_mail_t) +userdom_dontaudit_search_all_users_home_content(system_mail_t) + +optional_policy(` + apcupsd_read_tmp_files(system_mail_t) +') optional_policy(` apache_read_squirrelmail_data(system_mail_t) apache_append_squirrelmail_data(system_mail_t) + apache_search_bugzilla_dirs(system_mail_t) # apache should set close-on-exec apache_dontaudit_append_log(system_mail_t) apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) + apache_dontaudit_rw_bugzilla_script_stream_sockets(system_mail_t) ') optional_policy(` @@ -73,6 +91,7 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) + cron_read_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) ') 
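Review bot: `files_read_all_tmp_files(system_mail_t)` lets the mail client read every domain's temporary files, including any that hold credentials or session state, and it makes the targeted grants in this same file — `cron_read_tmp_files`, `logrotate_read_tmp_files`, `smartmon_read_tmp_files` and the newly added `apcupsd_read_tmp_files` — redundant. Either keep the per-domain interfaces and drop the blanket rule, or keep the blanket rule with a comment explaining why arbitrary tmp content must be mailable; having both hides which one the policy actually relies on. `allow system_mail_t self:capability { dac_override fowner };` likewise adds fowner with no note on which operation needed it.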
@@ -81,6 +100,11 @@ ') optional_policy(` + exim_domtrans(system_mail_t) + exim_manage_log(system_mail_t) +') + +optional_policy(` logrotate_read_tmp_files(system_mail_t) ') @@ -136,11 +160,33 @@ ') optional_policy(` + clamav_stream_connect(sendmail_t) +') + +optional_policy(` + spamd_stream_connect(system_mail_t) +') + +optional_policy(` smartmon_read_tmp_files(system_mail_t) ') -# should break this up among sections: +init_stream_connect_script(mailserver_delivery) +init_rw_script_stream_sockets(mailserver_delivery) +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(mailserver_delivery) + fs_manage_cifs_files(mailserver_delivery) + fs_manage_cifs_symlinks(mailserver_delivery) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(mailserver_delivery) + fs_manage_nfs_files(mailserver_delivery) + fs_manage_nfs_symlinks(mailserver_delivery) +') + +# should break this up among sections: optional_policy(` # why is mail delivered to a directory of type arpwatch_data_t? arpwatch_search_data(mailserver_delivery) @@ -154,3 +200,4 @@ cron_read_system_job_tmp_files(mta_user_agent) ') ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.2.7/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2007-04-30 10:41:38.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/munin.fc 2008-02-13 16:57:15.000000000 -0500 
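Review bot: `clamav_stream_connect(sendmail_t)` names sendmail_t, a type this file does not declare — every neighbouring rule in these hunks targets system_mail_t — so a modular build of mta.te will fail on an undeclared type unless sendmail_t is declared or required somewhere not visible here. If the sendmail daemon is meant to reach clamd, the rule belongs in sendmail.te; if the mail client was meant, it should read `clamav_stream_connect(system_mail_t)` like the `spamd_stream_connect(system_mail_t)` block directly below it.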
@@ -6,6 +6,9 @@ /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) -/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0) +/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) -/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) +/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) + +/etc/rc.d/init.d/munin-node -- gen_context(system_u:object_r:munin_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.2.7/policy/modules/services/munin.if --- nsaserefpolicy/policy/modules/services/munin.if 2007-11-15 13:40:14.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/munin.if 2008-02-13 16:57:15.000000000 -0500 
@@ -80,3 +80,85 @@ dontaudit $1 munin_var_lib_t:dir search_dir_perms; ') + +######################################## +## +## Execute munin server in the munin domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`munin_script_domtrans',` + gen_require(` + type munin_script_exec_t; + ') + + init_script_domtrans_spec($1,munin_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an munin environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the munin domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`munin_admin',` + gen_require(` + type munin_t; + type munin_script_exec_t; + type munin_etc_t; + type munin_tmp_t; + type munin_log_t; + type munin_var_lib_t; + type munin_var_run_t; + type httpd_munin_content_t; + ') + + allow $1 munin_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, munin_t, munin_t) + + # Allow munin_t to restart the apache service + munin_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 munin_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,munin_tmp_t) + + logging_list_logs($1) + manage_all_pattern($1,munin_log_t) + + files_list_etc($1) + manage_all_pattern($1,munin_etc_t) + + files_list_var_lib($1) + manage_all_pattern($1,munin_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,munin_var_run_t) + + manage_all_pattern($1, httpd_munin_content_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.2.7/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/munin.te 2008-02-13 16:57:15.000000000 -0500 
@@ -25,26 +25,33 @@ type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) +type munin_script_exec_t; +init_script_type(munin_script_exec_t) + ######################################## # # Local policy # -allow munin_t self:capability { setgid setuid }; +allow munin_t self:capability { chown dac_override setgid setuid sys_rawio }; dontaudit munin_t self:capability sys_tty_config; allow munin_t self:process { getsched setsched signal_perms }; allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow munin_t self:unix_dgram_socket { create_socket_perms sendto }; allow munin_t self:tcp_socket create_stream_socket_perms; allow munin_t self:udp_socket create_socket_perms; +allow munin_t self:fifo_file manage_fifo_file_perms; + +can_exec(munin_t, munin_exec_t) allow munin_t munin_etc_t:dir list_dir_perms; read_files_pattern(munin_t,munin_etc_t,munin_etc_t) read_lnk_files_pattern(munin_t,munin_etc_t,munin_etc_t) files_search_etc(munin_t) -allow munin_t munin_log_t:file manage_file_perms; -logging_log_filetrans(munin_t,munin_log_t,file) +manage_dirs_pattern(munin_t, munin_log_t, munin_log_t) +manage_files_pattern(munin_t, munin_log_t, munin_log_t) +logging_log_filetrans(munin_t,munin_log_t,{ file dir }) manage_dirs_pattern(munin_t,munin_tmp_t,munin_tmp_t) manage_files_pattern(munin_t,munin_tmp_t,munin_tmp_t) @@ -62,8 +69,11 @@ kernel_read_system_state(munin_t) kernel_read_kernel_sysctls(munin_t) +kernel_read_network_state(munin_t) +kernel_read_sysctl(munin_t) corecmd_exec_bin(munin_t) +corecmd_exec_shell(munin_t) corenet_all_recvfrom_unlabeled(munin_t) corenet_all_recvfrom_netlabel(munin_t) 
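Review bot: `allow munin_t self:capability { chown dac_override setgid setuid sys_rawio };` adds sys_rawio, which bypasses file-based access control on block devices and I/O ports, to a daemon that executes third-party plugins (`can_exec(munin_t, munin_exec_t)` in the same hunk), and nothing on the line says which plugin needs it. It deserves a comment naming that plugin, and since the `@@ -108,7 +125,19 @@` hunk already adds `fstools_domtrans(munin_t)`, it is worth checking whether that transition already covers the disk-probing plugin so that sys_rawio can stay out of munin_t itself. dac_override and chown are also new here and equally unexplained.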
@@ -73,11 +83,15 @@ corenet_udp_sendrecv_all_nodes(munin_t) corenet_tcp_sendrecv_all_ports(munin_t) corenet_udp_sendrecv_all_ports(munin_t) +corenet_tcp_connect_munin_port(munin_t) +corenet_tcp_connect_http_port(munin_t) +corenet_tcp_bind_all_nodes(munin_t) dev_read_sysfs(munin_t) dev_read_urand(munin_t) domain_use_interactive_fds(munin_t) +domain_dontaudit_read_all_domains_state(munin_t) files_read_etc_files(munin_t) files_read_etc_runtime_files(munin_t) @@ -86,14 +100,17 @@ fs_getattr_all_fs(munin_t) fs_search_auto_mountpoints(munin_t) +auth_use_nsswitch(munin_t) + libs_use_ld_so(munin_t) libs_use_shared_libs(munin_t) logging_send_syslog_msg(munin_t) +miscfiles_read_fonts(munin_t) miscfiles_read_localization(munin_t) -sysnet_read_config(munin_t) +sysnet_exec_ifconfig(munin_t) userdom_dontaudit_use_unpriv_user_fds(munin_t) userdom_dontaudit_search_sysadm_home_dirs(munin_t) @@ -108,7 +125,19 @@ ') optional_policy(` - nis_use_ypbind(munin_t) + fstools_domtrans(munin_t) +') + +optional_policy(` + mta_read_config(munin_t) +') + +optional_policy(` + mysql_stream_connect(munin_t) +') + +optional_policy(` + sendmail_read_log(munin_t) ') optional_policy(` @@ -118,3 +147,9 @@ optional_policy(` udev_read_db(munin_t) ') + +#============= http munin policy ============== +apache_content_template(munin) + +manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) +manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.2.7/policy/modules/services/mysql.fc --- nsaserefpolicy/policy/modules/services/mysql.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/mysql.fc 2008-02-13 16:57:15.000000000 -0500 
@@ -22,3 +22,5 @@ /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) /var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) + +/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.2.7/policy/modules/services/mysql.if --- nsaserefpolicy/policy/modules/services/mysql.if 2007-01-02 12:57:43.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/mysql.if 2008-02-13 16:57:15.000000000 -0500 
@@ -157,3 +157,74 @@ logging_search_logs($1) allow $1 mysqld_log_t:file { write append setattr ioctl }; ') + +######################################## +## +## Execute mysql server in the mysqld domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`mysql_script_domtrans',` + gen_require(` + type mysqld_script_exec_t; + ') + + init_script_domtrans_spec($1,mysqld_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate an mysql environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the mysql domain. +## +## +## +## +## The type of the terminal allow the mysql domain to use. +## +## +## +# +interface(`mysql_admin',` + + gen_require(` + type mysqld_t; + type mysqld_var_run_t; + type mysqld_tmp_t; + type mysqld_db_t; + type mysqld_etc_t; + type mysqld_log_t; + type mysqld_script_exec_t; + ') + + allow $1 mysqld_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, mysqld_t, mysqld_t) + + # Allow $1 to restart the apache service + mysql_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 mysqld_script_exec_t system_r; + allow $2 system_r; + + manage_all_pattern($1,mysqld_var_run_t) + + manage_all_pattern($1,mysqld_db_t) + + manage_all_pattern($1,mysqld_etc_t) + + manage_all_pattern($1,mysqld_log_t) + + manage_all_pattern($1,mysqld_tmp_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.2.7/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/mysql.te 2008-02-13 16:57:15.000000000 -0500 @@ -1,4 +1,3 @@ - policy_module(mysql,1.6.0) ######################################## 
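Review bot: `mysql_admin` differs from the other `*_admin` interfaces added in this commit (ldap_admin, munin_admin, nagios_admin): they pair each `manage_all_pattern` with the parent-directory search interface (`files_list_pids($1)`, `files_list_tmp($1)`, `logging_list_logs($1)`, `files_list_etc($1)`), and this one does not, so a caller role without independent search on /var/run, /tmp, /var/log and /etc cannot reach the mysqld types it is granted. The comment `# Allow $1 to restart the apache service` should name mysqld, and the blank line directly after the interface header breaks the layout used by the others.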
@@ -25,6 +24,9 @@ type mysqld_tmp_t; files_tmp_file(mysqld_tmp_t) +type mysqld_script_exec_t; +init_script_type(mysqld_script_exec_t) + ######################################## # # Local policy @@ -33,7 +35,8 @@ allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service }; dontaudit mysqld_t self:capability sys_tty_config; allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; -allow mysqld_t self:fifo_file { read write }; +allow mysqld_t self:fifo_file rw_fifo_file_perms; +allow mysqld_t self:shm create_shm_perms; allow mysqld_t self:unix_stream_socket create_stream_socket_perms; allow mysqld_t self:tcp_socket create_stream_socket_perms; allow mysqld_t self:udp_socket create_socket_perms; @@ -79,6 +82,7 @@ fs_getattr_all_fs(mysqld_t) fs_search_auto_mountpoints(mysqld_t) +fs_rw_hugetlbfs_files(mysqld_t) domain_use_interactive_fds(mysqld_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.7/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/nagios.fc 2008-02-13 16:57:15.000000000 -0500 
@@ -4,13 +4,19 @@ /usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) /usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) -/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) -/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) +/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) /var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) +/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) + ifdef(`distro_debian',` /usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) ') +/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) + +/etc/rc.d/init.d/nagios -- gen_context(system_u:object_r:nagios_script_exec_t,s0) +/etc/rc.d/init.d/nrpe -- gen_context(system_u:object_r:nagios_script_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.2.7/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2007-01-02 12:57:43.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/nagios.if 2008-02-13 16:57:15.000000000 -0500 @@ -44,7 +44,7 @@ ######################################## ## -## Execute the nagios CGI with +## Execute the nagios NRPE with ## a domain transition. ## ## 
@@ -53,29 +53,91 @@ ## ## # -interface(`nagios_domtrans_cgi',` +interface(`nagios_domtrans_nrpe',` gen_require(` - type nagios_cgi_t, nagios_cgi_exec_t; + type nrpe_t, nrpe_exec_t; ') - domtrans_pattern($1,nagios_cgi_exec_t,nagios_cgi_t) + domtrans_pattern($1,nrpe_exec_t,nrpe_t) ') ######################################## ## -## Execute the nagios NRPE with -## a domain transition. +## Execute nagios server in the nagios domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`nagios_script_domtrans',` + gen_require(` + type nagios_script_exec_t; + ') + + init_script_domtrans_spec($1,nagios_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an nagios environment ## ## ## ## Domain allowed access. ## ## +## +## +## The role to be allowed to manage the nagios domain. +## +## +## +## +## The type of the user terminal. +## +## +## # -interface(`nagios_domtrans_nrpe',` +interface(`nagios_admin',` gen_require(` - type nrpe_t, nrpe_exec_t; + type nagios_t; + type nrpe_t; + type nagios_script_exec_t; + type nagios_tmp_t; + type nagios_log_t; + type nagios_etc_t; + type nrpe_etc_t; + type nagios_spool_t; + type nagios_var_run_t; ') - domtrans_pattern($1,nrpe_exec_t,nrpe_t) + allow $1 nagios_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, nagios_t, nagios_t) + + # Allow nagios_t to restart the apache service + nagios_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 nagios_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,nagios_tmp_t) + + logging_list_logs($1) + manage_all_pattern($1,nagios_log_t) + + files_list_etc($1) + manage_all_pattern($1,nagios_etc_t) + + files_list_spool($1) + manage_all_pattern($1,nagios_spool_t) + + files_list_pids($1) + manage_all_pattern($1,nagios_var_run_t) + + manage_all_pattern($1,nrpe_etc_t) ') diff --exclude-from=exclude -N -u -r 
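Review bot: `nagios_admin` documents a third parameter (the user terminal type) but never references `$3`, so either that `<param>` block should be dropped or the terminal should actually be used; the same unused parameter appears in `nis_admin`, `nscd_admin`, `ntp_admin` and `openvpn_admin` further down this diff. The comment `# Allow nagios_t to restart the apache service` is a copy-paste leftover — the rules under it let `$1` run the nagios init script, so `# Allow $1 to start/stop nagios via its init script` describes them, and the same apache wording recurs in each of the other *_admin interfaces. The summary over `nagios_script_domtrans`, `## Execute nagios server in the nagios domain.`, is also inaccurate, since `init_script_domtrans_spec` transitions on the init script rather than the server; `## Execute the nagios init script with a domain transition.` matches the body. Note that the interface hands `$1` `ptrace` on `nagios_t` and gives role `$2` `system_r`; that follows the refpolicy admin convention, but a one-line comment saying it is deliberate would help. `nagios_domtrans_cgi` is removed with no replacement, so any module still calling it will fail to build — presumably the apache template now covers that path, but that is not visible here.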
nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.2.7/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/nagios.te 2008-02-13 16:57:15.000000000 -0500 @@ -8,11 +8,7 @@ type nagios_t; type nagios_exec_t; -init_daemon_domain(nagios_t, nagios_exec_t) - -type nagios_cgi_t; -type nagios_cgi_exec_t; -init_system_domain(nagios_cgi_t, nagios_cgi_exec_t) +init_daemon_domain(nagios_t,nagios_exec_t) type nagios_etc_t; files_config_file(nagios_etc_t) @@ -26,13 +22,19 @@ type nagios_var_run_t; files_pid_file(nagios_var_run_t) +type nagios_spool_t; +files_type(nagios_spool_t) + type nrpe_t; type nrpe_exec_t; -init_daemon_domain(nrpe_t, nrpe_exec_t) +init_daemon_domain(nrpe_t,nrpe_exec_t) type nrpe_etc_t; files_config_file(nrpe_etc_t) +type nagios_script_exec_t; +init_script_type(nagios_script_exec_t) + ######################################## # # Nagios local policy @@ -60,6 +62,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) +rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) + kernel_read_system_state(nagios_t) kernel_read_kernel_sysctls(nagios_t) 
@@ -130,42 +134,31 @@ # # Nagios CGI local policy # +apache_content_template(nagios) +typealias httpd_nagios_script_t alias nagios_cgi_t; +typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t; -allow nagios_cgi_t self:process signal_perms; -allow nagios_cgi_t self:fifo_file rw_fifo_file_perms; - -read_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t) +allow httpd_nagios_script_t self:process signal_perms; -allow nagios_cgi_t nagios_etc_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) +read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -allow nagios_cgi_t nagios_log_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) +allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) -kernel_read_system_state(nagios_cgi_t) +allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) -corecmd_exec_bin(nagios_cgi_t) +kernel_read_system_state(httpd_nagios_script_t) -domain_dontaudit_read_all_domains_state(nagios_cgi_t) +domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) -files_read_etc_files(nagios_cgi_t) -files_read_etc_runtime_files(nagios_cgi_t) -files_read_kernel_symbol_table(nagios_cgi_t) +files_read_etc_runtime_files(httpd_nagios_script_t) +files_read_kernel_symbol_table(httpd_nagios_script_t) -libs_use_ld_so(nagios_cgi_t) -libs_use_shared_libs(nagios_cgi_t) - -logging_send_syslog_msg(nagios_cgi_t) -logging_search_logs(nagios_cgi_t) - 
-miscfiles_read_localization(nagios_cgi_t) - -optional_policy(` - apache_append_log(nagios_cgi_t) -') +logging_send_syslog_msg(httpd_nagios_script_t) ######################################## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.2.7/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-09-12 10:34:18.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/networkmanager.fc 2008-02-13 16:57:15.000000000 -0500 @@ -1,7 +1,9 @@ /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/log/wpa_supplicant\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.2.7/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-06-12 10:15:45.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/networkmanager.if 2008-02-13 16:57:15.000000000 -0500 
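Review bot: `read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)` and the `read_lnk_files_pattern` line after it pass `nagios_etc_t` as the directory type while granting reads on `nagios_log_t` files, so the log reads only work because the `nagios_log_t:dir list_dir_perms` line above happens to cover the directory; the pair should be `read_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)` and `read_lnk_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)` so the rule stands on its own. The mismatch was inherited from the removed `nagios_cgi_t` rules, but these lines are rewritten here, which makes this the place to fix it. `files_read_etc_files`, `corecmd_exec_bin`, the `libs_use_*` calls and `apache_append_log` are dropped on the apparent assumption that `apache_content_template(nagios)` supplies them; a one-line comment on the template call saying so would stop the removals from reading as lost access.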
@@ -97,3 +97,21 @@ allow $1 NetworkManager_t:dbus send_msg; allow NetworkManager_t $1:dbus send_msg; ') + +######################################## +## +## Send a generic signal to NetworkManager +## +## +## +## Domain allowed access. +## +## +# +interface(`networkmanager_signal',` + gen_require(` + type NetworkManager_t; + ') + + allow $1 NetworkManager_t:process signal; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.7/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/networkmanager.te 2008-02-13 16:57:15.000000000 -0500 @@ -13,6 +13,9 @@ type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) +type NetworkManager_log_t; +logging_log_file(NetworkManager_log_t) + ######################################## # # Local policy @@ -20,7 +23,7 @@ # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) -allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; +allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock }; dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms }; allow NetworkManager_t self:fifo_file rw_fifo_file_perms; 
@@ -38,10 +41,14 @@ manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file }) +manage_files_pattern(NetworkManager_t,NetworkManager_log_t,NetworkManager_log_t) +logging_log_filetrans(NetworkManager_t,NetworkManager_log_t, file) + kernel_read_system_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) kernel_load_module(NetworkManager_t) +kernel_read_debugfs(NetworkManager_t) corenet_all_recvfrom_unlabeled(NetworkManager_t) corenet_all_recvfrom_netlabel(NetworkManager_t) @@ -67,6 +74,7 @@ fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) +fs_list_inotifyfs(NetworkManager_t) mls_file_read_all_levels(NetworkManager_t) @@ -86,6 +94,8 @@ init_read_utmp(NetworkManager_t) init_domtrans_script(NetworkManager_t) +auth_use_nsswitch(NetworkManager_t) + libs_use_ld_so(NetworkManager_t) libs_use_shared_libs(NetworkManager_t) @@ -129,21 +139,21 @@ ') optional_policy(` - dbus_system_bus_client_template(NetworkManager,NetworkManager_t) - dbus_connect_system_bus(NetworkManager_t) + dbus_system_domain(NetworkManager_t,NetworkManager_exec_t) ') optional_policy(` - howl_signal(NetworkManager_t) + hal_write_log(NetworkManager_t) ') optional_policy(` - nis_use_ypbind(NetworkManager_t) + howl_signal(NetworkManager_t) ') optional_policy(` - nscd_socket_use(NetworkManager_t) nscd_signal(NetworkManager_t) + nscd_script_domtrans(NetworkManager_t) + nscd_domtrans(NetworkManager_t) ') optional_policy(` 
@@ -155,19 +165,20 @@ ppp_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) ppp_signal(NetworkManager_t) + ppp_read_config(NetworkManager_t) ') optional_policy(` - seutil_sigchld_newrole(NetworkManager_t) + # Dispatcher starting and stoping ntp + ntp_script_domtrans(NetworkManager_t) ') optional_policy(` - udev_read_db(NetworkManager_t) + seutil_sigchld_newrole(NetworkManager_t) ') optional_policy(` - # Read gnome-keyring - unconfined_read_home_content_files(NetworkManager_t) + udev_read_db(NetworkManager_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.2.7/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2007-02-19 11:32:53.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/nis.fc 2008-02-13 16:57:15.000000000 -0500 @@ -4,9 +4,14 @@ /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) +/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0) /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) + +/etc/rc.d/init.d/yppasswd -- gen_context(system_u:object_r:nis_script_exec_t,s0) +/etc/rc.d/init.d/ypserv -- gen_context(system_u:object_r:nis_script_exec_t,s0) +/etc/rc.d/init.d/ypxfrd -- gen_context(system_u:object_r:nis_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.2.7/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2007-07-16 14:09:46.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/nis.if 2008-02-13 16:57:15.000000000 -0500 
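Review bot: The comment `# Dispatcher starting and stoping ntp` has a typo; `# Dispatcher starting and stopping ntp` is the intended text. The `nscd_script_domtrans(NetworkManager_t)` / `nscd_domtrans(NetworkManager_t)` pair added in the preceding hunk is the same kind of grant (NetworkManager may now run another service's init script and binary) but carries no comment at all; a matching `# Dispatcher restarting nscd on resolver changes — TODO confirm` would record the reason. Dropping `unconfined_read_home_content_files` (the old gnome-keyring read) is a welcome narrowing and needs no further note.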
@@ -49,8 +49,8 @@ corenet_udp_bind_all_nodes($1) corenet_tcp_bind_generic_port($1) corenet_udp_bind_generic_port($1) - corenet_tcp_bind_reserved_port($1) - corenet_udp_bind_reserved_port($1) + corenet_dontaudit_tcp_bind_all_reserved_ports($1) + corenet_dontaudit_udp_bind_all_reserved_ports($1) corenet_dontaudit_tcp_bind_all_ports($1) corenet_dontaudit_udp_bind_all_ports($1) corenet_tcp_connect_portmap_port($1) @@ -87,6 +87,25 @@ ######################################## ## +## Use the nis to authenticate passwords +## +## +## +## The type of the process performing this action. +## +## +## +# +interface(`nis_authenticate',` + tunable_policy(`allow_ypbind',` + nis_use_ypbind_uncond($1) + corenet_tcp_bind_all_rpc_ports($1) + corenet_udp_bind_all_rpc_ports($1) + ') +') + +######################################## +## ## Execute ypbind in the ypbind domain. ## ## 
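Review bot: `nis_use_ypbind_uncond` swaps the `corenet_tcp_bind_reserved_port`/`corenet_udp_bind_reserved_port` allows for `corenet_dontaudit_*_bind_all_reserved_ports`, so any caller that relied on this interface to bind a privileged source port is now denied silently instead of audibly. If that access is meant to move into the new `nis_authenticate` (which only adds RPC-port binds under `allow_ypbind`), a comment here such as `# reserved-port binds moved to nis_authenticate` would stop the change reading as an accidental regression. The enclosing interface starts above the hunk.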
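Review bot: The summary over `nis_authenticate` reads `## Use the nis to authenticate passwords`; `## Use NIS to authenticate passwords.` is the grammatical form used elsewhere in the module. The body wraps everything in `tunable_policy(`allow_ypbind',` with no `gen_require`, which is fine because it only calls other interfaces, but a short note that the interface is a no-op when the tunable is off would help callers who expect `nis_use_ypbind_uncond`-style behaviour.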
@@ -244,3 +263,93 @@ corecmd_search_bin($1) domtrans_pattern($1,ypxfr_exec_t,ypxfr_t) ') + +######################################## +## +## Execute nis server in the nis domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`nis_script_domtrans',` + gen_require(` + type nis_script_exec_t; + ') + + init_script_domtrans_spec($1,nis_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an nis environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the nis domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`nis_admin',` + gen_require(` + type ypbind_t; + type yppasswdd_t; + type ypserv_t; + type ypxfr_t; + type nis_script_exec_t; + type ypbind_tmp_t; + type ypserv_tmp_t; + type ypserv_conf_t; + type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; + ') + + allow $1 ypbind_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, ypbind_t, ypbind_t) + + allow $1 yppasswdd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, yppasswdd_t, yppasswdd_t) + + allow $1 ypserv_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, ypserv_t, ypserv_t) + + allow $1 ypxfr_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, ypxfr_t, ypxfr_t) + + # Allow ypbind_t to restart the apache service + nis_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 nis_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,ypbind_tmp_t) + + files_list_pids($1) + manage_all_pattern($1,ypbind_var_run_t) + + manage_all_pattern($1,yppasswdd_var_run_t) + + files_list_etc($1) + manage_all_pattern($1,ypserv_conf_t) + + manage_all_pattern($1,ypserv_tmp_t) + + manage_all_pattern($1,ypserv_var_run_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te 
serefpolicy-3.2.7/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/nis.te 2008-02-13 16:57:15.000000000 -0500 @@ -44,6 +44,9 @@ type ypxfr_exec_t; init_daemon_domain(ypxfr_t,ypxfr_exec_t) +type nis_script_exec_t; +init_script_type(nis_script_exec_t) + ######################################## # # ypbind local policy @@ -113,6 +116,17 @@ userdom_dontaudit_use_unpriv_user_fds(ypbind_t) userdom_dontaudit_search_sysadm_home_dirs(ypbind_t) + +optional_policy(` + dbus_system_bus_client_template(ypbind,ypbind_t) + dbus_connect_system_bus(ypbind_t) + init_dbus_chat_script(ypbind_t) + + optional_policy(` + networkmanager_dbus_chat(ypbind_t) + ') +') + optional_policy(` seutil_sigchld_newrole(ypbind_t) ') @@ -126,6 +140,7 @@ # yppasswdd local policy # +allow yppasswdd_t self:capability dac_override; dontaudit yppasswdd_t self:capability sys_tty_config; allow yppasswdd_t self:fifo_file rw_fifo_file_perms; allow yppasswdd_t self:process { setfscreate signal_perms }; @@ -156,8 +171,8 @@ corenet_udp_sendrecv_all_ports(yppasswdd_t) corenet_tcp_bind_all_nodes(yppasswdd_t) corenet_udp_bind_all_nodes(yppasswdd_t) -corenet_tcp_bind_reserved_port(yppasswdd_t) -corenet_udp_bind_reserved_port(yppasswdd_t) +corenet_tcp_bind_all_rpc_ports(yppasswdd_t) +corenet_udp_bind_all_rpc_ports(yppasswdd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) corenet_sendrecv_generic_server_packets(yppasswdd_t) @@ -247,6 +262,8 @@ corenet_udp_bind_all_nodes(ypserv_t) corenet_tcp_bind_reserved_port(ypserv_t) corenet_udp_bind_reserved_port(ypserv_t) +corenet_tcp_bind_all_rpc_ports(ypserv_t) +corenet_udp_bind_all_rpc_ports(ypserv_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) corenet_sendrecv_generic_server_packets(ypserv_t) 
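Review bot: `allow yppasswdd_t self:capability dac_override;` in the yppasswdd hunk is added with no why-comment, and `dac_override` lets the daemon bypass discretionary file permission checks system-wide, so a reviewer cannot tell which denial it addresses; a comment of the form `# dac_override: needed to write <path> — TODO confirm` with the real path filled in would justify keeping it. In the ypbind hunk, `dbus_system_bus_client_template(ypbind,ypbind_t)` together with `init_dbus_chat_script` and `networkmanager_dbus_chat` likewise deserve a one-line comment naming why ypbind now talks on the system bus (presumably NetworkManager-driven rebinding, but that is inferred, not visible).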
@@ -315,6 +332,8 @@ corenet_udp_bind_all_nodes(ypxfr_t) corenet_tcp_bind_reserved_port(ypxfr_t) corenet_udp_bind_reserved_port(ypxfr_t) +corenet_tcp_bind_all_rpc_ports(ypxfr_t) +corenet_udp_bind_all_rpc_ports(ypxfr_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) corenet_tcp_connect_all_ports(ypxfr_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.2.7/policy/modules/services/nscd.fc --- nsaserefpolicy/policy/modules/services/nscd.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/nscd.fc 2008-02-13 16:57:15.000000000 -0500 @@ -9,3 +9,5 @@ /var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0) /var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) + +/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.2.7/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2007-03-26 10:39:04.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/nscd.if 2008-02-13 16:57:15.000000000 -0500 @@ -70,15 +70,14 @@ interface(`nscd_socket_use',` gen_require(` type nscd_t, nscd_var_run_t; - class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; + class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv }; ') allow $1 self:unix_stream_socket create_socket_perms; allow $1 nscd_t:nscd { getpwd getgrp gethost }; dontaudit $1 nscd_t:fd use; - dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost }; - + dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; files_search_pids($1) stream_connect_pattern($1,nscd_var_run_t,nscd_var_run_t,nscd_t) dontaudit $1 nscd_var_run_t:file { getattr read }; 
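Review bot: `/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)` labels the nscd init script with the apache init-script type rather than the `nscd_script_exec_t` that nscd.te declares in this same diff and that `nscd_script_domtrans`/`nscd_admin` key on. As written, the `role_transition $2 nscd_script_exec_t system_r` in `nscd_admin` never matches the real script, and running it takes whatever path `httpd_script_exec_t` has. The line should be `/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_script_exec_t,s0)`.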
@@ -204,3 +203,68 @@ role $2 types nscd_t; dontaudit nscd_t $3:chr_file rw_term_perms; ') + +######################################## +## +## Execute nscd server in the ntpd domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`nscd_script_domtrans',` + gen_require(` + type nscd_script_exec_t; + ') + + init_script_domtrans_spec($1,nscd_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an nscd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the nscd domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`nscd_admin',` + gen_require(` + type nscd_t; + type nscd_script_exec_t; + type nscd_log_t; + type nscd_var_run_t; + ') + + allow $1 nscd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, nscd_t, nscd_t) + + # Allow nscd_t to restart the apache service + nscd_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 nscd_script_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + manage_all_pattern($1,nscd_log_t) + + files_list_pids($1) + manage_all_pattern($1,nscd_var_run_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.2.7/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/nscd.te 2008-02-13 16:57:15.000000000 -0500 
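Review bot: The summary over `nscd_script_domtrans` reads `## Execute nscd server in the ntpd domain.`, a copy-paste from the ntp module; since `init_script_domtrans_spec` transitions on the init script, `## Execute the nscd init script with a domain transition.` is what the interface does. The `# Allow nscd_t to restart the apache service` comment in `nscd_admin` has the same origin — the rules under it let `$1` run the nscd init script, so `# Allow $1 to start/stop nscd via its init script` fits. `nscd_admin` also documents a `$3` terminal parameter it never uses, as noted on the nagios interface earlier in this diff.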
@@ -23,19 +23,22 @@ type nscd_log_t; logging_log_file(nscd_log_t) +type nscd_script_exec_t; +init_script_type(nscd_script_exec_t) + ######################################## # # Local policy # -allow nscd_t self:capability { kill setgid setuid audit_write }; +allow nscd_t self:capability { kill setgid setuid }; dontaudit nscd_t self:capability sys_tty_config; -allow nscd_t self:process { getattr setsched signal_perms }; +allow nscd_t self:process { getattr setcap setsched signal_perms }; allow nscd_t self:fifo_file { read write }; allow nscd_t self:unix_stream_socket create_stream_socket_perms; allow nscd_t self:unix_dgram_socket create_socket_perms; allow nscd_t self:netlink_selinux_socket create_socket_perms; -allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + allow nscd_t self:tcp_socket create_socket_perms; allow nscd_t self:udp_socket create_socket_perms; @@ -50,6 +53,8 @@ manage_sock_files_pattern(nscd_t,nscd_var_run_t,nscd_var_run_t) files_pid_filetrans(nscd_t,nscd_var_run_t,{ file sock_file }) +can_exec(nscd_t, nscd_exec_t) + kernel_read_kernel_sysctls(nscd_t) kernel_list_proc(nscd_t) kernel_read_proc_symlinks(nscd_t) @@ -73,6 +78,8 @@ corenet_udp_sendrecv_all_nodes(nscd_t) corenet_tcp_sendrecv_all_ports(nscd_t) corenet_udp_sendrecv_all_ports(nscd_t) +corenet_udp_bind_all_nodes(nscd_t) +corenet_udp_bind_all_nodes(nscd_t) corenet_tcp_connect_all_ports(nscd_t) corenet_sendrecv_all_client_packets(nscd_t) corenet_rw_tun_tap_dev(nscd_t) @@ -93,6 +100,7 @@ libs_use_ld_so(nscd_t) libs_use_shared_libs(nscd_t) +logging_send_audit_msgs(nscd_t) logging_send_syslog_msg(nscd_t) miscfiles_read_localization(nscd_t) 
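Review bot: `corenet_udp_bind_all_nodes(nscd_t)` is added twice in the `@@ -73,6 +78,8 @@` hunk; one copy should go, and if the second was meant to be the TCP counterpart it would be `corenet_tcp_bind_all_nodes(nscd_t)`. In the first hunk, removing the `netlink_audit_socket` rule leaves a stray added blank line between the `netlink_selinux_socket` and `tcp_socket` rules. Moving `audit_write` and the audit socket into `logging_send_audit_msgs(nscd_t)` is the right direction, but a comment next to that call (`# audit_write + netlink_audit_socket now come from logging_send_audit_msgs`) would tell the next reader where the capability went.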
@@ -114,3 +122,12 @@ xen_dontaudit_rw_unix_stream_sockets(nscd_t) xen_append_log(nscd_t) ') + +optional_policy(` + tunable_policy(`samba_domain_controller',` + samba_append_log(nscd_t) + samba_dontaudit_use_fds(nscd_t) + ') + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.2.7/policy/modules/services/ntp.fc --- nsaserefpolicy/policy/modules/services/ntp.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/ntp.fc 2008-02-13 16:57:15.000000000 -0500 @@ -17,3 +17,8 @@ /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) + +/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0) +/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0) + +/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.2.7/policy/modules/services/ntp.if --- nsaserefpolicy/policy/modules/services/ntp.if 2007-03-26 10:39:05.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/ntp.if 2008-02-13 16:57:15.000000000 -0500 
@@ -53,3 +53,76 @@ corecmd_search_bin($1) domtrans_pattern($1,ntpdate_exec_t,ntpd_t) ') + +######################################## +## +## Execute ntp server in the ntpd domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`ntp_script_domtrans',` + gen_require(` + type ntpd_script_exec_t; + ') + + init_script_domtrans_spec($1,ntpd_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an ntp environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the ntp domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`ntp_admin',` + gen_require(` + type ntp_t; + type ntp_script_exec_t; + type ntp_tmp_t; + type ntp_log_t; + type ntp_key_t; + type ntp_var_lib_t; + type ntp_var_run_t; + ') + + allow $1 ntp_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, ntp_t, ntp_t) + + # Allow ntp_t to restart the apache service + ntp_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 ntp_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,ntp_tmp_t) + + logging_list_logs($1) + manage_all_pattern($1,ntp_log_t) + + manage_all_pattern($1,ntp_key_t) + + files_list_pids($1) + manage_all_pattern($1,ntp_var_run_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.2.7/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/ntp.te 2008-02-13 16:57:15.000000000 -0500 @@ -25,6 +25,12 @@ type ntpdate_exec_t; init_system_domain(ntpd_t,ntpdate_exec_t) +type ntpd_key_t; +files_type(ntpd_key_t) + +type ntpd_script_exec_t; +init_script_type(ntpd_script_exec_t) + ######################################## # # Local policy 
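Review bot: `ntp_admin` requires `ntp_t`, `ntp_script_exec_t`, `ntp_tmp_t`, `ntp_log_t`, `ntp_key_t`, `ntp_var_lib_t` and `ntp_var_run_t`, but the types declared by ntp.te and ntp.fc in this same diff are `ntpd_t`, `ntpd_script_exec_t`, `ntpd_tmp_t`, `ntpd_log_t`, `ntpd_key_t` and `ntpd_var_run_t`; the `gen_require` will fail as soon as any module calls the interface, and no `ntp_var_lib_t` is declared anywhere visible. Every name in the require block and the body should take the `ntpd_` prefix (e.g. `allow $1 ntpd_t:process { ptrace signal_perms getattr };`, `role_transition $2 ntpd_script_exec_t system_r;`, `manage_all_pattern($1,ntpd_key_t)`), and the unused `ntp_var_lib_t` require should be dropped. `ntp_script_domtrans` just above correctly uses `ntpd_script_exec_t`, which makes the mismatch in the second interface easy to miss.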
@@ -36,6 +42,7 @@ dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; allow ntpd_t self:process { signal_perms setcap setsched setrlimit }; allow ntpd_t self:fifo_file { read write getattr }; +allow ntpd_t self:shm create_shm_perms; allow ntpd_t self:unix_dgram_socket create_socket_perms; allow ntpd_t self:unix_stream_socket create_socket_perms; allow ntpd_t self:tcp_socket create_stream_socket_perms; @@ -49,6 +56,8 @@ manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t) logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir }) +read_files_pattern(ntpd_t,ntpd_key_t,ntpd_key_t) + # for some reason it creates a file in /tmp manage_dirs_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t) manage_files_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t) @@ -82,6 +91,8 @@ fs_getattr_all_fs(ntpd_t) fs_search_auto_mountpoints(ntpd_t) +# Necessary to communicate with gpsd devices +fs_rw_tmpfs_files(ntpd_t) auth_use_nsswitch(ntpd_t) @@ -105,6 +116,10 @@ miscfiles_read_localization(ntpd_t) +sysnet_dontaudit_dhcpc_use_fds(ntpd_t) + +term_use_ptmx(ntpd_t) + userdom_dontaudit_use_unpriv_user_fds(ntpd_t) userdom_list_sysadm_home_dirs(ntpd_t) userdom_dontaudit_list_sysadm_home_dirs(ntpd_t) @@ -120,6 +135,10 @@ ') optional_policy(` + hal_dontaudit_write_log(ntpd_t) +') + +optional_policy(` logrotate_exec(ntpd_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.2.7/policy/modules/services/nx.fc --- nsaserefpolicy/policy/modules/services/nx.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/nx.fc 2008-02-13 16:57:15.000000000 -0500 
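Review bot: `fs_rw_tmpfs_files(ntpd_t)` grants read/write on every `tmpfs_t` file on the system, which is far wider than the `# Necessary to communicate with gpsd devices` comment implies; if the segment gpsd exposes can carry its own type, a gpsd-specific interface would keep ntpd away from unrelated tmpfs content, and if it cannot, the comment should state that the grant is deliberately broad. `allow ntpd_t self:shm create_shm_perms;` and `term_use_ptmx(ntpd_t)` arrive with no comment at all; a line such as `# shm/ptmx: refclock drivers — TODO confirm which` would record the denial each addresses.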
@@ -1,3 +1,5 @@ + +/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) /opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) /opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.2.7/policy/modules/services/oddjob.fc --- nsaserefpolicy/policy/modules/services/oddjob.fc 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/oddjob.fc 2008-02-13 16:57:15.000000000 -0500 @@ -1,4 +1,4 @@ -/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.2.7/policy/modules/services/oddjob.if --- nsaserefpolicy/policy/modules/services/oddjob.if 2007-01-02 12:57:43.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/oddjob.if 2008-02-13 16:57:15.000000000 -0500 @@ -44,6 +44,7 @@ ') domtrans_pattern(oddjob_t, $2, $1) + domain_user_exemption_target($1) ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.2.7/policy/modules/services/oddjob.te --- nsaserefpolicy/policy/modules/services/oddjob.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/oddjob.te 2008-02-13 16:57:15.000000000 -0500 
@@ -10,14 +10,20 @@ type oddjob_exec_t; domain_type(oddjob_t) init_daemon_domain(oddjob_t, oddjob_exec_t) +domain_obj_id_change_exemption(oddjob_t) domain_subj_id_change_exemption(oddjob_t) type oddjob_mkhomedir_t; type oddjob_mkhomedir_exec_t; domain_type(oddjob_mkhomedir_t) -init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) +domain_obj_id_change_exemption(oddjob_mkhomedir_t) +init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) +ifdef(`enable_mcs',` + init_ranged_daemon_domain(oddjob_t,oddjob_exec_t,s0 - mcs_systemhigh) +') + # pid files type oddjob_var_run_t; files_pid_file(oddjob_var_run_t) 
@@ -68,20 +74,38 @@ # oddjob_mkhomedir local policy # +allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; +allow oddjob_mkhomedir_t self:process setfscreate; allow oddjob_mkhomedir_t self:fifo_file { read write }; allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms; files_read_etc_files(oddjob_mkhomedir_t) +kernel_read_system_state(oddjob_mkhomedir_t) + +auth_use_nsswitch(oddjob_mkhomedir_t) + libs_use_ld_so(oddjob_mkhomedir_t) libs_use_shared_libs(oddjob_mkhomedir_t) +logging_send_syslog_msg(oddjob_mkhomedir_t) + miscfiles_read_localization(oddjob_mkhomedir_t) +selinux_get_fs_mount(oddjob_mkhomedir_t) +selinux_validate_context(oddjob_mkhomedir_t) +selinux_compute_access_vector(oddjob_mkhomedir_t) +selinux_compute_create_context(oddjob_mkhomedir_t) +selinux_compute_relabel_context(oddjob_mkhomedir_t) +selinux_compute_user_contexts(oddjob_mkhomedir_t) + +seutil_read_config(oddjob_mkhomedir_t) +seutil_read_file_contexts(oddjob_mkhomedir_t) +seutil_read_default_contexts(oddjob_mkhomedir_t) + # Add/remove user home directories +userdom_manage_unpriv_users_home_content_dirs(oddjob_mkhomedir_t) userdom_home_filetrans_generic_user_home_dir(oddjob_mkhomedir_t) -userdom_manage_generic_user_home_content_dirs(oddjob_mkhomedir_t) -userdom_manage_generic_user_home_content_files(oddjob_mkhomedir_t) -userdom_manage_generic_user_home_dirs(oddjob_mkhomedir_t) -userdom_manage_staff_home_dirs(oddjob_mkhomedir_t) +userdom_manage_all_users_home_content_dirs(oddjob_mkhomedir_t) +userdom_manage_all_users_home_content_files(oddjob_mkhomedir_t) userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.2.7/policy/modules/services/openct.te --- nsaserefpolicy/policy/modules/services/openct.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/openct.te 2008-02-13 
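Review bot: `allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };` together with `userdom_manage_all_users_home_content_dirs/files` widens mkhomedir from generic-user homes to every user's home content and lets it bypass DAC, yet nothing in the hunk says why; the existing `# Add/remove user home directories` comment should be extended, e.g. `# home dir is created as root then chowned to the user; chown/fowner/fsetid/dac_override cover the copied skeleton — TODO confirm`. The `selinux_compute_*` / `seutil_read_*` group likewise deserves a one-line header (`# relabels the new home dir per file_contexts`, if that is what mkhomedir does) so the block does not read as stray grants.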
16:57:15.000000000 -0500 @@ -22,6 +22,7 @@ allow openct_t self:process signal_perms; manage_files_pattern(openct_t,openct_var_run_t,openct_var_run_t) +manage_sock_files_pattern(openct_t,openct_var_run_t,openct_var_run_t) files_pid_filetrans(openct_t,openct_var_run_t,file) kernel_read_kernel_sysctls(openct_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.2.7/policy/modules/services/openvpn.fc --- nsaserefpolicy/policy/modules/services/openvpn.fc 2007-06-11 16:05:22.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/openvpn.fc 2008-02-13 16:57:15.000000000 -0500 @@ -11,5 +11,7 @@ # # /var # -/var/log/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_log_t,s0) +/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0) + +/etc/rc.d/init.d/openvpn -- gen_context(system_u:object_r:openvpn_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.if serefpolicy-3.2.7/policy/modules/services/openvpn.if --- nsaserefpolicy/policy/modules/services/openvpn.if 2007-09-12 10:34:18.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/openvpn.if 2008-02-13 16:57:15.000000000 -0500 
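Review bot: `/var/log/openvpn.*` drops the `\.` escape, so the entry also matches any path that merely begins with `/var/log/openvpn` (a sibling `/var/log/openvpn-foo` directory, for instance); if the intent is the log file plus the old directory form, `/var/log/openvpn(\..*|/.*)? gen_context(system_u:object_r:openvpn_var_log_t,s0)` covers both without the prefix match. `/etc/rc.d/init.d/openvpn` likewise leaves `rc.d`/`init.d` unescaped while nscd.fc and ntp.fc in this diff write `rc\.d/init\.d`; harmless, but worth aligning.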
@@ -90,3 +90,74 @@ read_files_pattern($1,openvpn_etc_t,openvpn_etc_t) read_lnk_files_pattern($1,openvpn_etc_t,openvpn_etc_t) ') + +######################################## +## +## Execute openvpn server in the openvpn domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`openvpn_script_domtrans',` + gen_require(` + type openvpn_script_exec_t; + ') + + init_script_domtrans_spec($1,openvpn_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an openvpn environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the openvpn domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`openvpn_admin',` + gen_require(` + type openvpn_t; + type openvpn_script_exec_t; + type openvpn_etc_t; + type openvpn_var_log_t; + type openvpn_var_run_t; + ') + + allow $1 openvpn_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, openvpn_t, openvpn_t) + + # Allow openvpn_t to restart the apache service + openvpn_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 openvpn_script_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + manage_all_pattern($1,openvpn_etc_t) + + logging_list_logs($1) + manage_all_pattern($1,openvpn_var_log_t) + + files_list_pids($1) + manage_all_pattern($1,openvpn_var_run_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.2.7/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/openvpn.te 2008-02-13 16:57:15.000000000 -0500 @@ -8,7 +8,7 @@ ## ##
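Review bot: The comment `# Allow openvpn_t to restart the apache service` in `openvpn_admin` is a copy-paste error twice over: it is `$1` (the admin domain), not openvpn_t, that gets the transition, and the service is openvpn, not apache; write `# Allow $1 to run the openvpn init script and transition to system_r`. The same wrong comment appears in `postfixpolicyd_admin`, `postgresql_admin` and `postgrey_admin` later in this patch. The summary of `openvpn_script_domtrans` says "Execute openvpn server in the openvpn domain" although the interface transitions into the init-script domain via `init_script_domtrans_spec`, so the summary should name the init script.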

-## Allow openvpn to read home directories +## Allow openvpn service access to users home directories ##

##
gen_tunable(openvpn_enable_homedirs,false) @@ -30,12 +30,15 @@ type openvpn_var_run_t; files_pid_file(openvpn_var_run_t) +type openvpn_script_exec_t; +init_script_type(openvpn_script_exec_t) + ######################################## # # openvpn local policy # -allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config }; +allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config }; allow openvpn_t self:process { signal getsched }; allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -47,6 +50,7 @@ allow openvpn_t openvpn_etc_t:dir list_dir_perms; read_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t) read_lnk_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t) +can_exec(openvpn_t,openvpn_etc_t) allow openvpn_t openvpn_var_log_t:file manage_file_perms; logging_log_filetrans(openvpn_t,openvpn_var_log_t,file) @@ -77,6 +81,7 @@ corenet_sendrecv_openvpn_server_packets(openvpn_t) corenet_rw_tun_tap_dev(openvpn_t) corenet_tcp_connect_openvpn_port(openvpn_t) +corenet_tcp_connect_http_port(openvpn_t) dev_search_sysfs(openvpn_t) dev_read_rand(openvpn_t) @@ -110,3 +115,12 @@ networkmanager_dbus_chat(openvpn_t) ') + + +# Need to interact with terminals if config option "auth-user-pass" is used +userdom_use_sysadm_terms(openvpn_t) + +optional_policy(` + unconfined_use_terminals(openvpn_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.2.7/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/pcscd.te 2008-02-13 16:57:15.000000000 -0500 
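Review bot: `can_exec(openvpn_t,openvpn_etc_t)` in the third openvpn.te hunk makes every file labelled openvpn_etc_t executable by the daemon, so a writable config file becomes an execution vector; if this is for the up/down hook scripts, a dedicated exec type declared in this module and labelled from openvpn.fc keeps plain configs non-executable, and the line deserves at least a comment saying which scripts need it. The added `corenet_tcp_connect_http_port(openvpn_t)` and the `sys_chroot` capability are also uncommented; `# http-proxy option` and `# chroot option` would document the intent, if that is it. `userdom_use_sysadm_terms(openvpn_t)` is unconditional while the matching `unconfined_use_terminals` is under `optional_policy`; consider gating the terminal access on the existing tunable pattern rather than granting it to every openvpn instance.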
@@ -45,6 +45,7 @@
 files_read_etc_files(pcscd_t)
 files_read_etc_runtime_files(pcscd_t)
+term_use_unallocated_ttys(pcscd_t)
 term_dontaudit_getattr_pty_dirs(pcscd_t)
 libs_use_ld_so(pcscd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.2.7/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/pegasus.te 2008-02-13 16:57:15.000000000 -0500
@@ -42,6 +42,7 @@
 allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
+manage_dirs_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
 manage_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
 manage_lnk_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
 filetrans_pattern(pegasus_t,pegasus_conf_t,pegasus_data_t,{ file dir })
@@ -95,13 +96,12 @@
 auth_use_nsswitch(pegasus_t)
 auth_domtrans_chk_passwd(pegasus_t)
+auth_read_shadow(pegasus_t)
 domain_use_interactive_fds(pegasus_t)
 domain_read_all_domains_state(pegasus_t)
-files_read_etc_files(pegasus_t)
-files_list_var_lib(pegasus_t)
-files_read_var_lib_files(pegasus_t)
+files_read_all_files(pegasus_t)
 files_read_var_lib_symlinks(pegasus_t)
 hostname_exec(pegasus_t)
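Review bot: `files_read_all_files(pegasus_t)` replaces three targeted grants with read access to every file type on the system, and `auth_read_shadow(pegasus_t)` gives the daemon direct access to the shadow file even though `auth_domtrans_chk_passwd(pegasus_t)` on the line above already delegates password checking to the checker domain. Both are large widenings of a network-facing daemon with no comment explaining the need; keep `files_read_etc_files`/`files_list_var_lib`/`files_read_var_lib_files` plus whichever specific type was missing, and drop `auth_read_shadow` unless chkpwd is demonstrably insufficient, with a `# needed for: …` comment on whatever stays. In the pcscd hunk, `term_use_unallocated_ttys(pcscd_t)` likewise lacks a why-comment (serial readers, presumably — confirm).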
@@ -113,19 +113,16 @@
 libs_use_shared_libs(pegasus_t)
 logging_send_audit_msgs(pegasus_t)
+logging_send_syslog_msg(pegasus_t)
 miscfiles_read_localization(pegasus_t)
-sysnet_read_config(pegasus_t)
+sysnet_domtrans_ifconfig(pegasus_t)
 userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
 userdom_dontaudit_search_sysadm_home_dirs(pegasus_t)
 optional_policy(`
- logging_send_syslog_msg(pegasus_t)
-')
-
-optional_policy(`
 rpm_exec(pegasus_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.2.7/policy/modules/services/polkit.fc
--- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/polkit.fc 2008-02-13 16:57:15.000000000 -0500
@@ -0,0 +1,8 @@
+
+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0)
+/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0)
+/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0)
+
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0)
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.7/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/polkit.if 2008-02-13 16:57:15.000000000 -0500
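Review bot: `sysnet_domtrans_ifconfig(pegasus_t)` replaces `sysnet_read_config(pegasus_t)` instead of being added beside it; a transition into the ifconfig domain is not a superset of reading the network configuration, so unless the `files_read_all_files` grant in the previous hunk is intended to cover that, this silently drops access. Either keep `sysnet_read_config(pegasus_t)` or state in a comment that the all-files grant now covers it, and add a why-comment on the ifconfig transition (which network operation the CIM server performs). Moving `logging_send_syslog_msg` out of `optional_policy` is fine since logging is a base module, but the reason belongs in the commit message.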
@@ -0,0 +1,189 @@ + +## policy for polkit_auth + +######################################## +## +## Execute a domain transition to run polkit_auth. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`polkit_domtrans_auth',` + gen_require(` + type polkit_auth_t; + type polkit_auth_exec_t; + ') + + domtrans_pattern($1,polkit_auth_exec_t,polkit_auth_t) +') + +######################################## +## +## Search polkit lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`polkit_search_lib',` + gen_require(` + type polkit_var_lib_t; + ') + + allow $1 polkit_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## read polkit lib files +## +## +## +## Domain allowed access. +## +## +# +interface(`polkit_read_lib',` + gen_require(` + type polkit_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t) + + # Broken placement + cron_read_system_job_lib_files($1) +') + +######################################## +## +## Execute a domain transition to run polkit_grant. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`polkit_domtrans_grant',` + gen_require(` + type polkit_grant_t; + type polkit_grant_exec_t; + ') + + domtrans_pattern($1,polkit_grant_exec_t,polkit_grant_t) +') + +######################################## +## +## Execute a policy_grant in the policy_grant domain, and +## allow the specified role the policy_grant domain, +## and use the caller's terminal. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the load_policy domain. +## +## +## +## +## The type of the terminal allow the load_policy domain to use. 
+## +## +## +# +interface(`polkit_run_grant',` + gen_require(` + type polkit_grant_t; + ') + + polkit_domtrans_grant($1) + role $2 types polkit_grant_t; + allow polkit_grant_t $3:chr_file rw_term_perms; + allow $1 polkit_grant_t:process signal; + read_files_pattern(polkit_grant_t, $1, $1) + allow polkit_grant_t $1:process getattr; +') + +######################################## +## +## Execute a policy_auth in the policy_auth domain, and +## allow the specified role the policy_auth domain, +## and use the caller's terminal. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the load_policy domain. +## +## +## +## +## The type of the terminal allow the load_policy domain to use. +## +## +# +interface(`polkit_run_auth',` + gen_require(` + type polkit_auth_t; + ') + + polkit_domtrans_auth($1) + role $2 types polkit_auth_t; + allow polkit_auth_t $3:chr_file rw_term_perms; +') + +####################################### +## +## The per role template for the nsplugin module. +## +## +##

+## This template creates a derived domains which are used +## for nsplugin web browser. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +## +# +template(`polkit_per_role_template',` + polkit_run_auth($2, $3, { $1_devpts_t $1_tty_device_t }) + polkit_run_grant($2, $3, { $1_devpts_t $1_tty_device_t }) + polkit_read_lib($2) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.7/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/polkit.te 2008-02-14 09:29:19.000000000 -0500 
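Review bot: `polkit_read_lib` calls `cron_read_system_job_lib_files($1)` unconditionally, under a `# Broken placement` comment the author already wrote; this makes polkit.if hard-depend on the cron module and hands every caller of polkit_read_lib read access to cron's system-job lib files, which has nothing to do with polkit. Remove it here and grant it in the cron module or the specific caller that needs it (under `optional_policy`). The documentation is copy-pasted: `polkit_per_role_template` is described as "The per role template for the nsplugin module" and the role/terminal parameters of `polkit_run_grant` and `polkit_run_auth` refer to "the load_policy domain"; they should name polkit. `polkit_run_grant` also grants `read_files_pattern(polkit_grant_t, $1, $1)` and `allow polkit_grant_t $1:process getattr;` on the calling domain without a comment — presumably to read the caller's /proc entry, which is worth stating.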
@@ -0,0 +1,157 @@ +policy_module(polkit_auth,1.0.0) + +######################################## +# +# Declarations +# + +type polkit_t; +type polkit_exec_t; +init_daemon_domain(polkit_t, polkit_exec_t) + +type polkit_grant_t; +type polkit_grant_exec_t; +init_system_domain(polkit_grant_t, polkit_grant_exec_t) + +type polkit_auth_t; +type polkit_auth_exec_t; +init_daemon_domain(polkit_auth_t, polkit_auth_exec_t) + +type polkit_var_lib_t; +files_type(polkit_var_lib_t) + +type polkit_var_run_t; +files_pid_file(polkit_var_run_t) + +######################################## +# +# polkit local policy +# + +allow polkit_t self:process getattr; + +allow polkit_t self:unix_dgram_socket create_socket_perms; +allow polkit_t self:fifo_file rw_file_perms; +allow polkit_t self:unix_stream_socket create_stream_socket_perms; + +can_exec(polkit_t, polkit_exec_t) +corecmd_search_bin(polkit_t) + +domain_use_interactive_fds(polkit_t) + +files_read_etc_files(polkit_t) +files_read_usr_files(polkit_t) + +auth_use_nsswitch(polkit_t) + +libs_use_ld_so(polkit_t) +libs_use_shared_libs(polkit_t) + +miscfiles_read_localization(polkit_t) + +logging_send_syslog_msg(polkit_t) + +manage_files_pattern(polkit_t, polkit_var_lib_t, polkit_var_lib_t) + +# pid file +manage_dirs_pattern(polkit_t,polkit_var_run_t,polkit_var_run_t) +manage_files_pattern(polkit_t,polkit_var_run_t,polkit_var_run_t) +files_pid_filetrans(polkit_t,polkit_var_run_t, { file dir }) + +optional_policy(` + dbus_system_domain(polkit_t, polkit_exec_t) + optional_policy(` + consolekit_dbus_chat(polkit_t) + ') +') + +######################################## +# +# polkit_auth local policy +# + +allow polkit_auth_t self:process getattr; + +allow polkit_auth_t self:unix_dgram_socket create_socket_perms; +allow polkit_auth_t self:fifo_file rw_file_perms; +allow polkit_auth_t self:unix_stream_socket create_stream_socket_perms; + +can_exec(polkit_auth_t, polkit_auth_exec_t) +corecmd_search_bin(polkit_auth_t) + 
+domain_use_interactive_fds(polkit_auth_t) + +files_read_etc_files(polkit_auth_t) +files_read_usr_files(polkit_auth_t) + +auth_use_nsswitch(polkit_auth_t) + +libs_use_ld_so(polkit_auth_t) +libs_use_shared_libs(polkit_auth_t) + +miscfiles_read_localization(polkit_auth_t) + +logging_send_syslog_msg(polkit_auth_t) + +manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t) + +# pid file +manage_dirs_pattern(polkit_auth_t,polkit_var_run_t,polkit_var_run_t) +manage_files_pattern(polkit_auth_t,polkit_var_run_t,polkit_var_run_t) +files_pid_filetrans(polkit_auth_t,polkit_var_run_t, { file dir }) + +userdom_append_unpriv_users_home_content_files(polkit_auth_t) +userdom_dontaudit_read_unpriv_users_home_content_files(polkit_auth_t) + +optional_policy(` + dbus_system_bus_client_template(polkit_auth, polkit_auth_t) + consolekit_dbus_chat(polkit_auth_t) + dbus_system_domain(polkit_exec_t, polkit_t) +') + +optional_policy(` + hal_getattr(polkit_auth_t) + hal_read_state(polkit_auth_t) +') + +######################################## +# +# polkit_grant local policy +# + +allow polkit_grant_t self:capability setuid; +allow polkit_grant_t self:process getattr; + +allow polkit_grant_t self:unix_dgram_socket create_socket_perms; +allow polkit_grant_t self:fifo_file rw_file_perms; +allow polkit_grant_t self:unix_stream_socket create_stream_socket_perms; + +can_exec(polkit_grant_t, polkit_grant_exec_t) +corecmd_search_bin(polkit_grant_t) + +files_read_etc_files(polkit_grant_t) +files_read_usr_files(polkit_grant_t) + +auth_use_nsswitch(polkit_grant_t) +auth_domtrans_chk_passwd(polkit_grant_t) + +libs_use_ld_so(polkit_grant_t) +libs_use_shared_libs(polkit_grant_t) + +miscfiles_read_localization(polkit_grant_t) + +logging_send_syslog_msg(polkit_grant_t) + +polkit_domtrans_auth(polkit_grant_t) + +manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t) + +optional_policy(` + dbus_system_bus_client_template(polkit_grant, polkit_grant_t) + 
consolekit_dbus_chat(polkit_grant_t) +') + +gen_require(` + type system_crond_var_lib_t; +') +manage_files_pattern(polkit_grant_t, system_crond_var_lib_t, system_crond_var_lib_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.2.7/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2007-09-12 10:34:18.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/postfix.fc 2008-02-13 16:57:15.000000000 -0500 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) /usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) -/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) ') /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.7/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2007-12-04 11:02:50.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/postfix.if 2008-02-13 16:57:15.000000000 -0500 
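Review bot: `dbus_system_domain(polkit_exec_t, polkit_t)` inside the polkit_auth `optional_policy` block has its arguments reversed relative to `dbus_system_domain(polkit_t, polkit_exec_t)` in the polkit_t section earlier in the file, and it duplicates that call in the wrong section; delete the reversed one. `policy_module(polkit_auth,1.0.0)` names the module polkit_auth while the file is polkit.te, so the module name and filename disagree, which should be `policy_module(polkit,1.0.0)`. The trailing bare `gen_require(` type system_crond_var_lib_t; ')` plus `manage_files_pattern(polkit_grant_t, system_crond_var_lib_t, system_crond_var_lib_t)` sits outside `optional_policy`, creating a hard dependency on cron and giving the grant helper write access to cron's state files; wrap it in `optional_policy` and add a comment saying why polkit_grant needs it, or drop it together with the cron call in polkit_read_lib.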
@@ -206,9 +206,8 @@ type postfix_etc_t; ') - allow $1 postfix_etc_t:dir { getattr read search }; - allow $1 postfix_etc_t:file { read getattr }; - allow $1 postfix_etc_t:lnk_file { getattr read }; + read_files_pattern($1, postfix_etc_t, postfix_etc_t) + read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t) files_search_etc($1) ') @@ -416,7 +415,7 @@ ## ## # -interface(`postfix_create_pivate_sockets',` +interface(`postfix_create_private_sockets',` gen_require(` type postfix_private_t; ') @@ -427,6 +426,26 @@ ######################################## ## +## manage named socket in a postfix private directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`postfix_manage_private_sockets',` + gen_require(` + type postfix_private_t; + ') + + allow $1 postfix_private_t:dir list_dir_perms; + manage_sock_files_pattern($1,postfix_private_t,postfix_private_t) +') + + +######################################## +## ## Execute the master postfix program in the ## postfix_master domain. ## @@ -503,6 +522,25 @@ ######################################## ## +## Manage postfix mail spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`postfix_manage_spool_files',` + gen_require(` + type postfix_spool_t; + ') + + files_search_spool($1) + manage_files_pattern($1,postfix_spool_t, postfix_spool_t) +') + +######################################## +## ## Execute postfix user mail programs ## in their respective domains. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.2.7/policy/modules/services/postfixpolicyd.fc --- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc 2007-11-08 09:29:27.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/postfixpolicyd.fc 2008-02-13 16:57:15.000000000 -0500 
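Review bot: Renaming `postfix_create_pivate_sockets` to `postfix_create_private_sockets` with no compatibility wrapper breaks any module that still calls the old (misspelled) name at build time, and the commit does not show the callers being updated. The usual refpolicy approach is to keep a deprecated wrapper that warns and forwards, so old callers keep building until they are migrated. The new `postfix_manage_private_sockets` and `postfix_manage_spool_files` interfaces are fine; note `postfix_manage_spool_files` grants manage on all postfix_spool_t files, which matters for the postgrey caller later in this patch.
```selinux
interface(`postfix_create_pivate_sockets',`
	refpolicywarn(`$0($*) has been renamed to postfix_create_private_sockets()')
	postfix_create_private_sockets($1)
')
```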
@@ -3,3 +3,5 @@
 /usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
 /var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
+
+/etc/rc.d/init.d/postfixpolicyd -- gen_context(system_u:object_r:postfixpolicyd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.2.7/policy/modules/services/postfixpolicyd.if
--- nsaserefpolicy/policy/modules/services/postfixpolicyd.if 2007-11-08 09:29:27.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/postfixpolicyd.if 2008-02-13 16:57:15.000000000 -0500
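Review bot: The new file context labels the init script `postfixpolicyd_script_exec_t`, but postfixpolicyd.te declares `type postfix_policyd_script_exec_t;` and postfixpolicyd.if requires the same `postfix_policyd_script_exec_t`; the fc type does not exist, so the module either fails to build or the init script is never labelled and `postfixpolicyd_script_domtrans` can never fire. Change the line to `/etc/rc.d/init.d/postfixpolicyd -- gen_context(system_u:object_r:postfix_policyd_script_exec_t,s0)`. The mismatch comes from mixing the `postfixpolicyd_` interface prefix with the `postfix_policyd_` type prefix; picking one for the module would prevent a repeat. Also, postgresql.fc in this patch escapes the dots (`/etc/rc\.d/init\.d/postgresql`) while this entry, openvpn.fc, postgrey.fc and ppp.fc leave them unescaped — harmless here, but inconsistent.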
@@ -1 +1,68 @@ ## Postfix policy server + +######################################## +## +## Execute postfixpolicyd server in the postfixpolicyd domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`postfixpolicyd_script_domtrans',` + gen_require(` + type postfix_policyd_script_exec_t; + ') + + init_script_domtrans_spec($1,postfix_policyd_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an postfixpolicyd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the postfixpolicyd domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`postfixpolicyd_admin',` + gen_require(` + type postfix_policyd_t; + type postfix_policyd_script_exec_t; + type postfix_policyd_conf_t; + type postfix_policyd_var_run_t; + ') + + allow $1 postfix_policyd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, postfix_policyd_t, postfix_policyd_t) + + # Allow postfix_policyd_t to restart the apache service + postfixpolicyd_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 postfix_policyd_script_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + manage_all_pattern($1,postfix_policyd_conf_t) + + files_list_pids($1) + manage_all_pattern($1,postfix_policyd_var_run_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.2.7/policy/modules/services/postfixpolicyd.te --- nsaserefpolicy/policy/modules/services/postfixpolicyd.te 2007-11-08 09:29:27.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/postfixpolicyd.te 2008-02-13 16:57:15.000000000 -0500 
@@ -16,6 +16,9 @@ type postfix_policyd_var_run_t; files_pid_file(postfix_policyd_var_run_t) +type postfix_policyd_script_exec_t; +init_script_type(postfix_policyd_script_exec_t) + ######################################## # # Local Policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.7/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/postfix.te 2008-02-13 16:57:15.000000000 -0500 @@ -6,6 +6,14 @@ # Declarations # +## +##

+## Allow postfix_local domain full write access to mail_spool directories +## +##

+##
+gen_tunable(allow_postfix_local_write_mail_spool,false) + attribute postfix_user_domains; # domains that transition to the # postfix user domains @@ -27,6 +35,10 @@ postfix_server_domain_template(local) mta_mailserver_delivery(postfix_local_t) +tunable_policy(`allow_postfix_local_write_mail_spool', ` + mta_rw_spool(postfix_local_t) +') + type postfix_local_tmp_t; files_tmp_file(postfix_local_tmp_t) @@ -34,6 +46,7 @@ type postfix_map_t; type postfix_map_exec_t; application_domain(postfix_map_t,postfix_map_exec_t) +role system_r types postfix_map_t; type postfix_map_tmp_t; files_tmp_file(postfix_map_tmp_t) @@ -99,6 +112,7 @@ allow postfix_master_t self:fifo_file rw_fifo_file_perms; allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms; +allow postfix_master_t self:process setrlimit; allow postfix_master_t postfix_etc_t:file rw_file_perms; @@ -174,6 +188,7 @@ mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) +mta_getattr_spool(postfix_master_t) optional_policy(` cyrus_stream_connect(postfix_master_t) @@ -248,6 +263,10 @@ corecmd_exec_bin(postfix_cleanup_t) +optional_policy(` + mailman_read_data_files(postfix_cleanup_t) +') + ######################################## # # Postfix local local policy @@ -273,6 +292,8 @@ files_read_etc_files(postfix_local_t) +logging_dontaudit_search_logs(postfix_local_t) + mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin @@ -285,6 +306,8 @@ optional_policy(` # for postalias mailman_manage_data_files(postfix_local_t) + mailman_append_log(postfix_local_t) + mailman_read_log(postfix_local_t) ') optional_policy(` 
@@ -295,8 +318,7 @@ # # Postfix map local policy # - -allow postfix_map_t self:capability setgid; +allow postfix_map_t self:capability { dac_override setgid setuid }; allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; @@ -346,8 +368,6 @@ miscfiles_read_localization(postfix_map_t) -seutil_read_config(postfix_map_t) - tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) @@ -360,6 +380,11 @@ locallogin_dontaudit_use_fds(postfix_map_t) ') +optional_policy(` +# for postalias + mailman_manage_data_files(postfix_map_t) +') + ######################################## # # Postfix pickup local policy @@ -392,6 +417,10 @@ rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) optional_policy(` + dovecot_domtrans_deliver(postfix_pipe_t) +') + +optional_policy(` procmail_domtrans(postfix_pipe_t) ') @@ -400,6 +429,10 @@ ') optional_policy(` + mta_manage_spool(postfix_pipe_t) +') + +optional_policy(` uucp_domtrans_uux(postfix_pipe_t) ') @@ -532,9 +565,6 @@ # connect to master process stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) -# Connect to policy server -corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) - # for prng_exch allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; @@ -557,6 +587,10 @@ sasl_connect(postfix_smtpd_t) ') +optional_policy(` + dovecot_auth_stream_connect(postfix_smtpd_t) +') + ######################################## # # Postfix virtual local policy 
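Review bot: `allow postfix_map_t self:capability { dac_override setgid setuid };` widens the map domain from `setgid` to `dac_override` and `setuid` with no comment; since postfix_map is the domain users run `postmap`/`postalias` in, a why-comment (which map files or directories need it) should accompany it, and `setuid` in particular should be justified. In the `@@ -532,9 +565,6 @@` hunk, `corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)` and its `# Connect to policy server` comment are removed; unless the grant moved elsewhere, smtpd can no longer reach a TCP policy daemon, so the commit message should say whether this is intentional. The `+# for postalias` comment inside the new `optional_policy` block is at column 0 while the call below it is indented; indent it with the block as the other `# for postalias` comment in this file is.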
@@ -584,3 +618,4 @@ # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.2.7/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/postgresql.fc 2008-02-13 16:57:15.000000000 -0500 @@ -38,3 +38,5 @@ ') /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) + +/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.2.7/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2007-11-29 13:29:35.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/postgresql.if 2008-02-13 16:57:15.000000000 -0500 
@@ -120,3 +120,72 @@ # Some versions of postgresql put the sock file in /tmp allow $1 postgresql_tmp_t:sock_file write; ') + +######################################## +## +## Execute postgresql server in the posgresql domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`postgresql_script_domtrans',` + gen_require(` + type postgresql_script_exec_t; + ') + + init_script_domtrans_spec($1,postgresql_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate an postgresql environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the postgresql domain. +## +## +## +## +## The type of the terminal allow the postgresql domain to use. +## +## +## +# +interface(`postgresql_admin',` + gen_require(` + type postgresql_t; + type postgresql_var_run_t; + type postgresql_tmp_t; + type postgresql_db_t; + type postgresql_etc_t; + type postgresql_log_t; + ') + + allow $1 postgresql_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, postgresql_t, postgresql_t) + + # Allow $1 to restart the apache service + postgresql_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 postgresql_script_exec_t system_r; + allow $2 system_r; + + manage_all_pattern($1,postgresql_var_run_t) + + manage_all_pattern($1,postgresql_db_t) + + manage_all_pattern($1,postgresql_etc_t) + + manage_all_pattern($1,postgresql_log_t) + + manage_all_pattern($1,postgresql_tmp_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.2.7/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/postgresql.te 2008-02-13 16:57:15.000000000 -0500 
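Review bot: `postgresql_admin` uses `postgresql_script_exec_t` in `role_transition $2 postgresql_script_exec_t system_r;` but its `gen_require` block does not list it, unlike `openvpn_admin`, `postfixpolicyd_admin` and `postgrey_admin` in this patch which all require their `*_script_exec_t`; add `type postgresql_script_exec_t;` to the require list. The summary of `postgresql_script_domtrans` misspells the domain as "posgresql", and the `# Allow $1 to restart the apache service` comment names the wrong service. Unlike the other admin interfaces, this one does not call `files_list_pids`/`files_list_etc`/`logging_list_logs` before the `manage_all_pattern` grants, so the admin may not be able to traverse into the parent directories; worth checking against the others for consistency.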
@@ -27,6 +27,9 @@
 type postgresql_var_run_t;
 files_pid_file(postgresql_var_run_t)
+type postgresql_script_exec_t;
+init_script_type(postgresql_script_exec_t)
+
 ########################################
 #
 # postgresql Local policy
@@ -100,6 +103,7 @@
 fs_getattr_all_fs(postgresql_t)
 fs_search_auto_mountpoints(postgresql_t)
+fs_rw_hugetlbfs_files(postgresql_t)
 term_use_controlling_term(postgresql_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.fc serefpolicy-3.2.7/policy/modules/services/postgrey.fc
--- nsaserefpolicy/policy/modules/services/postgrey.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/postgrey.fc 2008-02-13 16:57:15.000000000 -0500
@@ -7,3 +7,7 @@
 /var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0)
 /var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
+
+/etc/rc.d/init.d/postgrey -- gen_context(system_u:object_r:postgrey_script_exec_t,s0)
+
+/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.2.7/policy/modules/services/postgrey.if
--- nsaserefpolicy/policy/modules/services/postgrey.if 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/postgrey.if 2008-02-13 16:57:15.000000000 -0500
@@ -19,3 +19,74 @@ allow $1 postgrey_var_run_t:sock_file write; files_search_pids($1) ') + +######################################## +## +## Execute postgrey server in the postgrey domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`postgrey_script_domtrans',` + gen_require(` + type postgrey_script_exec_t; + ') + + init_script_domtrans_spec($1,postgrey_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an postgrey environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the postgrey domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`postgrey_admin',` + gen_require(` + type postgrey_t; + type postgrey_script_exec_t; + type postgrey_etc_t; + type postgrey_var_lib_t; + type postgrey_var_run_t; + ') + + allow $1 postgrey_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, postgrey_t, postgrey_t) + + # Allow postgrey_t to restart the apache service + postgrey_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 postgrey_script_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + manage_all_pattern($1, postgrey_etc_t) + + files_list_var_lib($1) + manage_all_pattern($1, postgrey_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1, postgrey_var_run_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.2.7/policy/modules/services/postgrey.te --- nsaserefpolicy/policy/modules/services/postgrey.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/postgrey.te 2008-02-13 16:57:15.000000000 -0500 
@@ -13,26 +13,37 @@ type postgrey_etc_t; files_config_file(postgrey_etc_t) +type postgrey_spool_t; +files_type(postgrey_spool_t) + type postgrey_var_lib_t; files_type(postgrey_var_lib_t) type postgrey_var_run_t; files_pid_file(postgrey_var_run_t) +type postgrey_script_exec_t; +init_script_type(postgrey_script_exec_t) + ######################################## # # Local policy # -allow postgrey_t self:capability { chown setgid setuid }; +allow postgrey_t self:capability { chown dac_override setgid setuid }; dontaudit postgrey_t self:capability sys_tty_config; allow postgrey_t self:process signal_perms; allow postgrey_t self:tcp_socket create_stream_socket_perms; +allow postgrey_t self:fifo_file create_fifo_file_perms; allow postgrey_t postgrey_etc_t:dir list_dir_perms; read_files_pattern(postgrey_t,postgrey_etc_t,postgrey_etc_t) read_lnk_files_pattern(postgrey_t,postgrey_etc_t,postgrey_etc_t) +manage_dirs_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t) +manage_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t) +manage_fifo_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t) + manage_files_pattern(postgrey_t,postgrey_var_lib_t,postgrey_var_lib_t) files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file) @@ -85,6 +96,11 @@ ') optional_policy(` + postfix_read_config(postgrey_t) + postfix_manage_spool_files(postgrey_t) +') + +optional_policy(` seutil_sigchld_newrole(postgrey_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.2.7/policy/modules/services/ppp.fc --- nsaserefpolicy/policy/modules/services/ppp.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/ppp.fc 2008-02-13 16:57:15.000000000 -0500 
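Review bot: `postfix_manage_spool_files(postgrey_t)` in the second hunk grants postgrey manage rights over every postfix_spool_t file, while the first hunk introduces a dedicated `postgrey_spool_t` for `/var/spool/postfix/postgrey`; with the private type in place, postgrey should only need to search the postfix spool and get a filetrans into postgrey_spool_t, not write the whole queue. Scope it to a search/filetrans interface, or comment why full manage is required. The added `dac_override` in `allow postgrey_t self:capability { chown dac_override setgid setuid };` also has no rationale — if it is for creating the socket directory under the postfix-owned spool, say so. The second hunk's enclosing `optional_policy` sequence continues outside this view.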
@@ -25,7 +25,7 @@ # # /var # -/var/run/(i)?ppp.*pid -- gen_context(system_u:object_r:pppd_var_run_t,s0) +/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0) /var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0) /var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) # Fix pptp sockets @@ -33,3 +33,5 @@ /var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) /var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0) + +/etc/rc.d/init.d/ppp -- gen_context(system_u:object_r:pppd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.2.7/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2007-11-16 13:45:14.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/ppp.if 2008-02-13 16:57:15.000000000 -0500 
@@ -269,3 +269,79 @@ files_pid_filetrans($1,pppd_var_run_t,file) ') + +######################################## +## +## All of the rules required to administrate +## an ppp environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the ppp domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`ppp_admin',` + gen_require(` + type pppd_t; + type pptp_t; + type pppd_tmp_t; + type pppd_log_t; + type pptp_log_t; + type pppd_script_exec_t; + type pppd_lock_t; + type pppd_etc_t; + type pppd_script_t; + type pppd_secret_t; + type pppd_etc_rw_t; + type pppd_var_lib_t; + type pppd_var_run_t; + type pptp_var_run_t; + ') + + allow $1 pppd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, pppd_t, pppd_t) + + allow $1 pptp_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, pptp_t, pptp_t) + + files_list_tmp($1) + manage_all_pattern($1,pppd_tmp_t) + + logging_list_logs($1) + manage_all_pattern($1,pppd_log_t) + + manage_all_pattern($1,pptp_log_t) + + manage_all_pattern($1,pppd_lock_t) + + files_list_etc($1) + manage_all_pattern($1,pppd_etc_t) + + manage_all_pattern($1,pppd_etc_rw_t) + + manage_all_pattern($1,pppd_secret_t) + + manage_all_pattern($1,pppd_script_exec_t) + + files_list_var_lib($1) + manage_all_pattern($1,pppd_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,pppd_var_run_t) + + manage_all_pattern($1,pptp_var_run_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.2.7/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/ppp.te 2008-02-13 16:57:15.000000000 -0500 @@ -162,6 +162,8 @@ init_read_utmp(pppd_t) init_dontaudit_write_utmp(pppd_t) +auth_use_nsswitch(pppd_t) + libs_use_ld_so(pppd_t) libs_use_shared_libs(pppd_t) 
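Review bot: ppp_admin declares `type pppd_script_t;` in its gen_require but never uses it, and its documentation lists a role and a terminal parameter although neither `$2` nor `$3` appears in the body. Unlike postgrey_admin and the other *_admin interfaces in this patch, it grants `manage_all_pattern($1,pppd_script_exec_t)` (the caller may rewrite the init script) but provides no way to run it in system_r; if that is intended it deserves a comment, otherwise drop the unused require and add the `init_script_domtrans_spec`/`role_transition $2 pppd_script_exec_t system_r;` lines the siblings have. `manage_all_pattern($1,pppd_secret_t)` also hands the caller the PPP authentication secrets, which is appropriate for an admin interface but worth a one-line comment so it is not lost when the interface is trimmed later.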
@@ -194,14 +196,12 @@ optional_policy(` mta_send_mail(pppd_t) + mta_mailcontent(pppd_etc_t) + mta_mailcontent(pppd_etc_rw_t) ') optional_policy(` - nis_use_ypbind(pppd_t) -') - -optional_policy(` - nscd_socket_use(pppd_t) + networkmanager_signal(pppd_t) ') optional_policy(` @@ -221,6 +221,7 @@ # PPTP Local policy # +allow pptp_t self:process signal; dontaudit pptp_t self:capability sys_tty_config; allow pptp_t self:capability net_raw; allow pptp_t self:fifo_file { read write }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.2.7/policy/modules/services/prelude.fc --- nsaserefpolicy/policy/modules/services/prelude.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/prelude.fc 2008-02-13 16:57:15.000000000 -0500 @@ -0,0 +1,14 @@ + +/sbin/audisp-prelude -- gen_context(system_u:object_r:audisp_prelude_exec_t,s0) + +/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0) + +/etc/rc.d/init.d/prelude-manager -- gen_context(system_u:object_r:prelude_script_exec_t,s0) + +/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0) + +/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0) +/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) +/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.2.7/policy/modules/services/prelude.if --- nsaserefpolicy/policy/modules/services/prelude.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/prelude.if 2008-02-13 16:57:15.000000000 -0500 
@@ -0,0 +1,128 @@ + +## policy for prelude + +######################################## +## +## Execute a domain transition to run prelude. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`prelude_domtrans',` + gen_require(` + type prelude_t; + type prelude_exec_t; + ') + + domtrans_pattern($1,prelude_exec_t,prelude_t) +') + + +######################################## +## +## Execute prelude server in the prelude domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`prelude_script_domtrans',` + gen_require(` + type prelude_script_exec_t; + ') + + init_script_domtrans_spec($1,prelude_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an prelude environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the syslog domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`prelude_admin',` + gen_require(` + type prelude_t; + type prelude_spool_t; + type prelude_var_run_t; + type prelude_var_lib_t; + type prelude_script_exec_t; + type audisp_prelude_t; + type audisp_prelude_var_run_t; + ') + + allow $1 prelude_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, prelude_t, prelude_t) + + allow $1 audisp_prelude_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, audisp_prelude_t, audisp_prelude_t) + + # Allow prelude_t to restart the apache service + prelude_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 prelude_script_exec_t system_r; + allow $2 system_r; + + manage_all_pattern($1, prelude_spool_t) + manage_all_pattern($1, prelude_var_lib_t) + manage_all_pattern($1, prelude_var_run_t) + manage_all_pattern($1, audisp_prelude_var_run_t) +') + +######################################## +## +## Execute a domain transition to run audisp_prelude. +## +## +## +## Domain allowed to transition. 
+## +## +# +interface(`audisp_prelude_domtrans',` + gen_require(` + type audisp_prelude_t; + type audisp_prelude_exec_t; + ') + + domtrans_pattern($1,audisp_prelude_exec_t,audisp_prelude_t) +') + +######################################## +## +## Signal the audisp_prelude domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`audisp_prelude_signal',` + gen_require(` + type audisp_prelude_t; + ') + + allow $1 audisp_prelude_t:process signal; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.2.7/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/prelude.te 2008-02-13 16:57:15.000000000 -0500 
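Review bot: prelude_admin's parameter documentation says the role is allowed to manage "the syslog domain", and audisp_prelude_signal documents its only parameter as "Domain allowed to transition." although the rule is `allow $1 audisp_prelude_t:process signal;`; both read as copied from other interfaces. Suggested text: `## The role to be allowed to manage the prelude domain.` and, for the signal interface, `## Domain allowed access.`. These descriptions feed the generated interface reference, so they should match the rules they describe.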
@@ -0,0 +1,142 @@ +policy_module(prelude,1.0.0) + +######################################## +# +# Declarations +# + +type prelude_t; +type prelude_exec_t; +domain_type(prelude_t) +init_daemon_domain(prelude_t, prelude_exec_t) + +type prelude_spool_t; +files_type(prelude_spool_t) + +type prelude_var_run_t; +files_pid_file(prelude_var_run_t) + +type prelude_var_lib_t; +files_type(prelude_var_lib_t) + +type prelude_script_exec_t; +init_script_type(prelude_script_exec_t) + +type audisp_prelude_t; +type audisp_prelude_exec_t; +domain_type(audisp_prelude_t) +init_daemon_domain(audisp_prelude_t, audisp_prelude_exec_t) + +type audisp_prelude_var_run_t; +files_pid_file(audisp_prelude_var_run_t) + +######################################## +# +# prelude local policy +# + +# Init script handling +domain_use_interactive_fds(prelude_t) + +allow prelude_t self:capability sys_tty_config; + +# internal communication is often done using fifo and unix sockets. +allow prelude_t self:fifo_file rw_file_perms; +allow prelude_t self:unix_stream_socket create_stream_socket_perms; + +allow prelude_t self:netlink_route_socket r_netlink_socket_perms; +allow prelude_t self:tcp_socket { bind create setopt listen }; + +dev_read_rand(prelude_t) +dev_read_urand(prelude_t) + +manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) +manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) +files_pid_filetrans(prelude_t, prelude_var_run_t, file) + +files_read_etc_files(prelude_t) +files_read_usr_files(prelude_t) + +files_search_var_lib(prelude_t) +manage_dirs_pattern(prelude_t,prelude_var_lib_t,prelude_var_lib_t) +manage_files_pattern(prelude_t,prelude_var_lib_t,prelude_var_lib_t) + +files_search_spool(prelude_t) +manage_dirs_pattern(prelude_t,prelude_spool_t,prelude_spool_t) +manage_files_pattern(prelude_t,prelude_spool_t,prelude_spool_t) + +auth_use_nsswitch(prelude_t) + +libs_use_ld_so(prelude_t) +libs_use_shared_libs(prelude_t) + +logging_send_audit_msgs(prelude_t) 
+logging_send_syslog_msg(prelude_t) + +miscfiles_read_localization(prelude_t) + +corenet_all_recvfrom_unlabeled(prelude_t) +corenet_all_recvfrom_netlabel(prelude_t) +corenet_tcp_sendrecv_all_if(prelude_t) +corenet_tcp_sendrecv_all_nodes(prelude_t) +corenet_tcp_bind_all_nodes(prelude_t) +corenet_tcp_bind_prelude_port(prelude_t) +corenet_tcp_connect_prelude_port(prelude_t) + +corecmd_search_bin(prelude_t) + +optional_policy(` + mysql_search_db(prelude_t) + mysql_stream_connect(prelude_t) +') + +optional_policy(` + postgresql_stream_connect(prelude_t) +') + +######################################## +# +# audisp_prelude local policy +# + +# Init script handling +domain_use_interactive_fds(audisp_prelude_t) + +# internal communication is often done using fifo and unix sockets. +allow audisp_prelude_t self:fifo_file rw_file_perms; +allow audisp_prelude_t self:unix_stream_socket create_stream_socket_perms; +allow audisp_prelude_t self:netlink_route_socket r_netlink_socket_perms; +allow audisp_prelude_t self:tcp_socket create_socket_perms; + +manage_sock_files_pattern(audisp_prelude_t, audisp_prelude_var_run_t, audisp_prelude_var_run_t) +files_pid_filetrans(audisp_prelude_t, audisp_prelude_var_run_t, sock_file) + +dev_read_rand(audisp_prelude_t) +dev_read_urand(audisp_prelude_t) + +files_read_etc_files(audisp_prelude_t) + +libs_use_ld_so(audisp_prelude_t) +libs_use_shared_libs(audisp_prelude_t) + +logging_send_syslog_msg(audisp_prelude_t) + +miscfiles_read_localization(audisp_prelude_t) + +corecmd_search_bin(audisp_prelude_t) +allow audisp_prelude_t self:unix_dgram_socket create_socket_perms; + +logging_audisp_system_domain(audisp_prelude_t, audisp_prelude_exec_t) + +files_search_spool(audisp_prelude_t) +manage_dirs_pattern(audisp_prelude_t,prelude_spool_t,prelude_spool_t) +manage_files_pattern(audisp_prelude_t,prelude_spool_t,prelude_spool_t) + +corenet_all_recvfrom_unlabeled(audisp_prelude_t) +corenet_all_recvfrom_netlabel(audisp_prelude_t) 
+corenet_tcp_sendrecv_all_if(audisp_prelude_t) +corenet_tcp_sendrecv_all_nodes(audisp_prelude_t) +corenet_tcp_bind_all_nodes(audisp_prelude_t) +corenet_tcp_connect_prelude_port(audisp_prelude_t) + +allow audisp_prelude_t audisp_t:unix_stream_socket rw_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.2.7/policy/modules/services/privoxy.fc --- nsaserefpolicy/policy/modules/services/privoxy.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/privoxy.fc 2008-02-13 16:57:15.000000000 -0500 @@ -4,3 +4,6 @@ /usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0) /var/log/privoxy(/.*)? gen_context(system_u:object_r:privoxy_log_t,s0) + +/etc/rc.d/init.d/privoxy -- gen_context(system_u:object_r:privoxy_script_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.if serefpolicy-3.2.7/policy/modules/services/privoxy.if --- nsaserefpolicy/policy/modules/services/privoxy.if 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/privoxy.if 2008-02-13 16:57:15.000000000 -0500 
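Review bot: The last line of the prelude.te hunk, `allow audisp_prelude_t audisp_t:unix_stream_socket rw_socket_perms;`, references a type owned by the logging module directly instead of through a logging_* interface, the only cross-module access in this file written that way; unless `logging_audisp_system_domain` already requires audisp_t on the caller's behalf, the module will fail to link on that name. The conventional fix is a small interface in logging.if (name constructed: `logging_rw_audisp_unix_stream_sockets`) carrying its own gen_require, called from here. Separately, prelude_t's `self:tcp_socket { bind create setopt listen }` omits `accept`, so the manager can bind and listen on the prelude port but apparently never accept a connection; if that is deliberate a comment would help, otherwise the permission set looks incomplete.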
@@ -1 +1,71 @@ ## Privacy enhancing web proxy. + +######################################## +## +## Execute privoxy server in the privoxy domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`privoxy_script_domtrans',` + gen_require(` + type privoxy_script_exec_t; + ') + + init_script_domtrans_spec($1,privoxy_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an privoxy environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the privoxy domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`privoxy_admin',` + gen_require(` + type privoxy_t; + type privoxy_script_exec_t; + type privoxy_log_t; + type privoxy_etc_rw_t; + type privoxy_var_run_t; + ') + + allow $1 privoxy_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, privoxy_t, privoxy_t) + + # Allow privoxy_t to restart the apache service + privoxy_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 privoxy_script_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + manage_all_pattern($1,privoxy_log_t) + + files_list_etc($1) + manage_all_pattern($1,privoxy_etc_rw_t) + + files_list_pids($1) + manage_all_pattern($1,privoxy_var_run_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.2.7/policy/modules/services/privoxy.te --- nsaserefpolicy/policy/modules/services/privoxy.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/privoxy.te 2008-02-13 16:57:15.000000000 -0500 
@@ -19,6 +19,9 @@ type privoxy_var_run_t; files_pid_file(privoxy_var_run_t) +type privoxy_script_exec_t; +init_script_type(privoxy_script_exec_t) + ######################################## # # Local Policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.2.7/policy/modules/services/procmail.fc --- nsaserefpolicy/policy/modules/services/procmail.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/procmail.fc 2008-02-13 16:57:15.000000000 -0500 @@ -1,2 +1,5 @@ /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) + +/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) +/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.2.7/policy/modules/services/procmail.if --- nsaserefpolicy/policy/modules/services/procmail.if 2007-01-02 12:57:43.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/procmail.if 2008-02-13 16:57:15.000000000 -0500 
@@ -39,3 +39,41 @@ corecmd_search_bin($1) can_exec($1,procmail_exec_t) ') + +######################################## +## +## Read procmail tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`procmail_read_tmp_files',` + gen_require(` + type procmail_tmp_t; + ') + + files_search_tmp($1) + allow $1 procmail_tmp_t:file read_file_perms; +') + +######################################## +## +## Read/write procmail tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`procmail_rw_tmp_files',` + gen_require(` + type procmail_tmp_t; + ') + + files_search_tmp($1) + rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.7/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/procmail.te 2008-02-13 16:57:15.000000000 -0500 @@ -14,6 +14,10 @@ type procmail_tmp_t; files_tmp_file(procmail_tmp_t) +# log files +type procmail_log_t; +logging_log_file(procmail_log_t) + ######################################## # # Local policy @@ -29,6 +33,13 @@ can_exec(procmail_t,procmail_exec_t) +# Write log to /var/log/procmail.log or /var/log/procmail/.* +allow procmail_t procmail_log_t:dir setattr; +create_files_pattern(procmail_t,procmail_log_t,procmail_log_t) +append_files_pattern(procmail_t,procmail_log_t,procmail_log_t) +read_lnk_files_pattern(procmail_t,procmail_log_t,procmail_log_t) +logging_log_filetrans(procmail_t,procmail_log_t, { file dir }) + allow procmail_t procmail_tmp_t:file manage_file_perms; files_tmp_filetrans(procmail_t, procmail_tmp_t, file) @@ -58,6 +69,7 @@ corecmd_exec_bin(procmail_t) corecmd_exec_shell(procmail_t) +corecmd_read_bin_symlinks(procmail_t) files_read_etc_files(procmail_t) files_read_etc_runtime_files(procmail_t) 
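Review bot: procmail_read_tmp_files grants `allow $1 procmail_tmp_t:file read_file_perms;` while its sibling procmail_rw_tmp_files, added in the same hunk, uses `rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)`; the read variant should be written the same way, `read_files_pattern($1, procmail_tmp_t, procmail_tmp_t)`, so that a procmail_tmp_t directory is also searchable and the two interfaces stay parallel. It would also help callers to note in both descriptions that `files_search_tmp($1)` is already included.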
@@ -102,6 +114,10 @@ ') optional_policy(` + cron_read_pipes(procmail_t) +') + +optional_policy(` munin_dontaudit_search_lib(procmail_t) ') @@ -116,11 +132,13 @@ optional_policy(` pyzor_domtrans(procmail_t) + pyzor_signal(procmail_t) ') optional_policy(` mta_read_config(procmail_t) sendmail_domtrans(procmail_t) + sendmail_signal(procmail_t) sendmail_rw_tcp_sockets(procmail_t) sendmail_rw_unix_stream_sockets(procmail_t) ') @@ -129,7 +147,10 @@ corenet_udp_bind_generic_port(procmail_t) corenet_dontaudit_udp_bind_all_ports(procmail_t) - spamassassin_exec(procmail_t) - spamassassin_exec_client(procmail_t) - spamassassin_read_lib_files(procmail_t) + spamassassin_domtrans(procmail_t) + spamassassin_domtrans_spamc(procmail_t) +') + +optional_policy(` + mailscanner_read_spool(procmail_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/publicfile.if serefpolicy-3.2.7/policy/modules/services/publicfile.if --- nsaserefpolicy/policy/modules/services/publicfile.if 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/publicfile.if 2008-02-13 16:57:15.000000000 -0500 @@ -1 +1,2 @@ ## publicfile supplies files to the public through HTTP and FTP + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.2.7/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/pyzor.fc 2008-02-13 16:57:15.000000000 -0500 
@@ -1,9 +1,11 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) -HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:ROLE_pyzor_home_t,s0) +HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:user_pyzor_home_t,s0) /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) /var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0) /var/log/pyzord\.log -- gen_context(system_u:object_r:pyzord_log_t,s0) + +/etc/rc.d/init.d/pyzord -- gen_context(system_u:object_r:pyzord_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.2.7/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/pyzor.if 2008-02-13 16:57:15.000000000 -0500 @@ -25,16 +25,18 @@ # template(`pyzor_per_role_template',` gen_require(` - type pyzord_t; + type pyzor_t; + type user_pyzor_home_t; ') - type $1_pyzor_home_t; - userdom_user_home_content($1, $1_pyzor_home_t) + ifelse(`$1',`user',`',` + typealias user_pyzor_home_t alias $1_pyzor_home_t; + ') - manage_dirs_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) - manage_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) - manage_lnk_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) - userdom_user_home_dir_filetrans($1, pyzord_t, $1_pyzor_home_t, { dir file lnk_file }) + manage_dirs_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t) + manage_files_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t) + manage_lnk_files_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t) + userdom_user_home_dir_filetrans($1,pyzor_t,user_pyzor_home_t,{ dir file lnk_file }) ') ######################################## 
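Review bot: The rewritten pyzor_per_role_template turns every role's `$1_pyzor_home_t` into a typealias of the single `user_pyzor_home_t`, so the ~/.pyzor content of staff, sysadm and user roles now shares one type and the per-role separation the old `type $1_pyzor_home_t;` declaration provided is gone. That may be the intended simplification, but it is a visible change in the protection model and should be stated in the template's description, e.g. `## All roles share user_pyzor_home_t for ~/.pyzor content.`, rather than left implicit. The same collapse is applied to razor_per_role_template in razor.if later in this patch; `user_pyzor_home_t` is declared in the pyzor.te hunk, but the `user_razor_home_t`/`user_razor_tmp_t` types that razor.if now requires are declared outside the visible hunks, so I could not confirm them.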
@@ -94,3 +96,78 @@ corecmd_search_bin($1) can_exec($1,pyzor_exec_t) ') + +######################################## +## +## Execute pyzor server in the pyzor domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`pyzor_pyzord_script_domtrans',` + gen_require(` + type pyzord_script_exec_t; + ') + + init_script_domtrans_spec($1,pyzord_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an pyzor environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the pyzor domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`pyzor_admin',` + gen_require(` + type pyzord_t; + type pyzord_script_exec_t; + type pyzor_tmp_t; + type pyzord_log_t; + type pyzor_etc_t; + type pyzor_var_lib_t; + ') + + allow $1 pyzord_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, pyzord_t, pyzord_t) + + # Allow pyzord_t to restart the apache service + pyzor_pyzord_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 pyzord_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,pyzor_tmp_t) + + logging_list_logs($1) + manage_all_pattern($1,pyzord_log_t) + + files_list_etc($1) + manage_all_pattern($1,pyzor_etc_t) + + files_list_var_lib($1) + manage_all_pattern($1,pyzor_var_lib_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.7/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/pyzor.te 2008-02-13 16:57:15.000000000 -0500 
@@ -28,6 +28,12 @@ type pyzor_var_lib_t; files_type(pyzor_var_lib_t) +type user_pyzor_home_t; +userdom_user_home_content(user,user_pyzor_home_t) + +type pyzord_script_exec_t; +init_script_type(pyzord_script_exec_t) + ######################################## # # Pyzor local policy @@ -68,6 +74,8 @@ miscfiles_read_localization(pyzor_t) +mta_read_queue(pyzor_t) + userdom_dontaudit_search_sysadm_home_dirs(pyzor_t) optional_policy(` @@ -76,8 +84,13 @@ ') optional_policy(` + procmail_read_tmp_files(pyzor_t) +') + +optional_policy(` spamassassin_signal_spamd(pyzor_t) spamassassin_read_spamd_tmp_files(pyzor_t) + userdom_read_user_home_content_files(unconfined,pyzor_t) ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.if serefpolicy-3.2.7/policy/modules/services/qmail.if --- nsaserefpolicy/policy/modules/services/qmail.if 2007-03-26 10:39:05.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/qmail.if 2008-02-13 16:57:15.000000000 -0500 @@ -197,3 +197,4 @@ domtrans_pattern(qmail_smtpd_t, $2, $1) ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.2.7/policy/modules/services/qmail.te --- nsaserefpolicy/policy/modules/services/qmail.te 2007-10-02 09:54:52.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/qmail.te 2008-02-13 16:57:15.000000000 -0500 @@ -85,6 +85,8 @@ libs_use_ld_so(qmail_inject_t) libs_use_shared_libs(qmail_inject_t) +miscfiles_read_localization(qmail_inject_t) + qmail_read_config(qmail_inject_t) ######################################## 
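Review bot: `userdom_read_user_home_content_files(unconfined,pyzor_t)` is placed inside the optional_policy block for spamassassin, yet the type it needs comes from the unconfined user domain, not from spamassassin; the rule is silently dropped when spamassassin is absent and fails to link when spamassassin is present but unconfined is not. Move it to its own `optional_policy(` ... `)` block. It also deserves a comment on why pyzor_t, which the per-role template now uses, needs read access to all of the unconfined user's home content rather than just user_pyzor_home_t, since that is a broad grant.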
@@ -106,15 +108,25 @@ kernel_read_system_state(qmail_local_t) +corecmd_exec_bin(qmail_local_t) corecmd_exec_shell(qmail_local_t) +can_exec(qmail_local_t, qmail_local_exec_t) files_read_etc_files(qmail_local_t) files_read_etc_runtime_files(qmail_local_t) +auth_use_nsswitch(qmail_local_t) + +logging_send_syslog_msg(qmail_local_t) + mta_append_spool(qmail_local_t) qmail_domtrans_queue(qmail_local_t) +optional_policy(` + spamassassin_domtrans_spamc(qmail_local_t) +') + ######################################## # # qmail-lspawn local policy @@ -155,6 +167,10 @@ manage_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t) rw_fifo_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t) +corecmd_exec_bin(qmail_queue_t) + +logging_send_syslog_msg(qmail_queue_t) + optional_policy(` daemontools_ipc_domain(qmail_queue_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.fc serefpolicy-3.2.7/policy/modules/services/radius.fc --- nsaserefpolicy/policy/modules/services/radius.fc 2007-11-16 13:45:14.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/radius.fc 2008-02-13 16:57:15.000000000 -0500 @@ -20,3 +20,5 @@ /var/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0) /var/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_var_run_t,s0) + +/etc/rc.d/init.d/radiusd -- gen_context(system_u:object_r:radius_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.if serefpolicy-3.2.7/policy/modules/services/radius.if --- nsaserefpolicy/policy/modules/services/radius.if 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/radius.if 2008-02-13 16:57:15.000000000 -0500 
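Review bot: `corecmd_exec_bin(qmail_local_t)` and, in the second hunk, `corecmd_exec_bin(qmail_queue_t)` let the local-delivery and queue domains run any system binary without a domain transition, a much larger grant than the `spamassassin_domtrans_spamc` that follows it and which only applies when the spamassassin module is loaded; without that module spamc would run with qmail_local_t's permissions. If the intent is to support user-defined delivery programs, a comment saying so would help, e.g. `# local delivery may execute user-specified programs; no narrower interface available`, and a more specific exec interface should be preferred where one exists. `can_exec(qmail_local_t, qmail_local_exec_t)` also merits a one-line note on why qmail-local re-executes itself.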
@@ -13,3 +13,81 @@ interface(`radius_use',` refpolicywarn(`$0($*) has been deprecated.') ') + +######################################## +## +## Execute radius server in the radius domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`radius_script_domtrans',` + gen_require(` + type radius_script_exec_t; + ') + + init_script_domtrans_spec($1,radius_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an radius environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the radius domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`radius_admin',` + gen_require(` + type radius_t; + type radius_script_exec_t; + type radius_etc_t; + type radius_log_t; + type radius_etc_rw_t; + type radius_var_lib_t; + type radius_var_run_t; + ') + + allow $1 radius_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, radius_t, radius_t) + + # Allow radius_t to restart the apache service + radius_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 radius_script_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + manage_all_pattern($1,radius_etc_t) + + logging_list_logs($1) + manage_all_pattern($1,radius_log_t) + + manage_all_pattern($1,radius_etc_rw_t) + + files_list_var_lib($1) + manage_all_pattern($1,radius_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,radius_var_run_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.2.7/policy/modules/services/radius.te --- nsaserefpolicy/policy/modules/services/radius.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/radius.te 2008-02-13 16:57:15.000000000 -0500 
@@ -25,6 +25,9 @@ type radiusd_var_run_t; files_pid_file(radiusd_var_run_t) +type radius_script_exec_t; +init_script_type(radius_script_exec_t) + ######################################## # # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.fc serefpolicy-3.2.7/policy/modules/services/radvd.fc --- nsaserefpolicy/policy/modules/services/radvd.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/radvd.fc 2008-02-13 16:57:15.000000000 -0500 @@ -5,3 +5,4 @@ /var/run/radvd\.pid -- gen_context(system_u:object_r:radvd_var_run_t,s0) /var/run/radvd(/.*)? gen_context(system_u:object_r:radvd_var_run_t,s0) +/etc/rc.d/init.d/radvd -- gen_context(system_u:object_r:radvd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.if serefpolicy-3.2.7/policy/modules/services/radvd.if --- nsaserefpolicy/policy/modules/services/radvd.if 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/radvd.if 2008-02-13 16:57:15.000000000 -0500 
@@ -1 +1,68 @@ ## IPv6 router advertisement daemon + +######################################## +## +## Execute radvd server in the radvd domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`radvd_script_domtrans',` + gen_require(` + type radvd_script_exec_t; + ') + + init_script_domtrans_spec($1,radvd_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an radvd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the radvd domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`radvd_admin',` + gen_require(` + type radvd_t; + type radvd_script_exec_t; + type radvd_etc_t; + type radvd_var_run_t; + ') + + allow $1 radvd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, radvd_t, radvd_t) + + # Allow radvd_t to restart the apache service + radvd_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 radvd_script_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + manage_all_pattern($1,radvd_etc_t) + + files_list_pids($1) + manage_all_pattern($1,radvd_var_run_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.2.7/policy/modules/services/radvd.te --- nsaserefpolicy/policy/modules/services/radvd.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/radvd.te 2008-02-13 16:57:15.000000000 -0500 
@@ -15,6 +15,9 @@ type radvd_etc_t; files_config_file(radvd_etc_t) +type radvd_script_exec_t; +init_script_type(radvd_script_exec_t) + ######################################## # # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.7/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/razor.fc 2008-02-13 16:57:15.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:ROLE_razor_home_t,s0) +HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:user_razor_home_t,s0) /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.2.7/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2007-07-16 14:09:46.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/razor.if 2008-02-13 16:57:15.000000000 -0500 @@ -137,6 +137,7 @@ template(`razor_per_role_template',` gen_require(` type razor_exec_t; + type user_razor_home_t, user_razor_tmp_t; ') type $1_razor_t; @@ -145,12 +146,10 @@ razor_common_domain_template($1_razor) role $3 types $1_razor_t; - type $1_razor_home_t alias $1_razor_rw_t; - files_poly_member($1_razor_home_t) - userdom_user_home_content($1,$1_razor_home_t) - - type $1_razor_tmp_t; - files_tmp_file($1_razor_tmp_t) + ifelse(`$1',`user',`',` + typealias user_razor_home_t alias $1_razor_home_t; + typealias user_razor_tmp_t alias $1_razor_tmp_t; + ') ############################## # @@ -218,3 +217,42 @@ domtrans_pattern($1, razor_exec_t, razor_t) ') + +######################################## +## +## Create, read, write, and delete razor files +## in a user home subdirectory. +## +## +##
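Review bot: Turning every role's `$1_razor_home_t`/`$1_razor_tmp_t` into typealiases of the single `user_razor_home_t`/`user_razor_tmp_t` in razor_per_role_template removes the per-role separation the old `type $1_razor_home_t` gave: a sysadm or staff user's ~/.razor now carries the same type as an unprivileged user's, so any domain granted user_razor_home_t reaches all of them. The old `files_poly_member($1_razor_home_t)` call is dropped as well, so the razor home directory is no longer a polyinstantiation member. If both are intended (they match the razor.fc switch to user_razor_home_t), record it in the template, e.g. `# all roles share one razor home/tmp type; per-role names survive only as aliases` above the ifelse. The template body continues outside the hunk.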

+## Create, read, write, and delete razor files +## in a user home subdirectory. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`razor_manage_user_home_files',` + gen_require(` + type user_home_dir_t, user_razor_home_t; + ') + + files_search_home($2) + allow $2 user_home_dir_t:dir search_dir_perms; + manage_files_pattern($2,user_razor_home_t,user_razor_home_t) + read_lnk_files_pattern($2,user_razor_home_t,user_razor_home_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.2.7/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/razor.te 2008-02-13 16:57:15.000000000 -0500 @@ -23,6 +23,12 @@ razor_common_domain_template(razor) +type user_razor_home_t; +userdom_user_home_content(user,user_razor_home_t) + +type user_razor_tmp_t; +files_tmp_file(user_razor_tmp_t) + ######################################## # # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.2.7/policy/modules/services/rdisc.if --- nsaserefpolicy/policy/modules/services/rdisc.if 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/rdisc.if 2008-02-13 16:57:15.000000000 -0500 
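Review bot: razor_manage_user_home_files never uses its first parameter: the body hard-codes `user_home_dir_t` and `user_razor_home_t`, while the doc says $1 is the user-domain prefix, so a caller passing `staff` or `sysadm` silently gets rules for the user types. Either drop the prefix and make this an ordinary interface whose doc says it manages the shared user_razor_home_t, or use `$1_home_dir_t` if per-role home directory types are meant. As written the "should only be called from a per-userdomain template" warning is misleading, since the rules do not depend on the template at all.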
@@ -1 +1,20 @@ ## Network router discovery daemon + +######################################## +## +## Execute rdisc server in the rdisc domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`rdisc_script_domtrans',` + gen_require(` + type rdisc_script_exec_t; + ') + + init_script_domtrans_spec($1,rdisc_script_exec_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.2.7/policy/modules/services/remotelogin.if --- nsaserefpolicy/policy/modules/services/remotelogin.if 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/remotelogin.if 2008-02-13 16:57:15.000000000 -0500 @@ -18,3 +18,21 @@ auth_domtrans_login_program($1,remote_login_t) ') +######################################## +## +## allow Domain to signal remote login domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`remotelogin_signal',` + gen_require(` + type remote_login_t; + ') + + allow $1 remote_login_t:process signal; +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.2.7/policy/modules/services/remotelogin.te --- nsaserefpolicy/policy/modules/services/remotelogin.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/remotelogin.te 2008-02-13 16:57:15.000000000 -0500 
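Review bot: rdisc_script_domtrans requires `rdisc_script_exec_t`, but no rdisc.te or rdisc.fc hunk appears beside this one to declare the type with `init_script_type` or to label `/etc/rc.d/init.d/rdisc`; if those changes are missing elsewhere in the patch, the first module that calls this interface fails to link on an unresolved type. The summary "Execute rdisc server in the rdisc domain" also mis-describes the rule, which transitions through the init script type; `## Execute the rdisc init script in the init script domain.` is accurate.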
@@ -85,6 +85,7 @@ miscfiles_read_localization(remote_login_t) +userdom_read_all_users_home_dirs_symlinks(remote_login_t) userdom_use_unpriv_users_fds(remote_login_t) userdom_search_all_users_home_content(remote_login_t) # Only permit unprivileged user domains to be entered via rlogin, diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.2.7/policy/modules/services/ricci.if --- nsaserefpolicy/policy/modules/services/ricci.if 2007-01-02 12:57:43.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/ricci.if 2008-02-13 16:57:15.000000000 -0500 @@ -165,3 +165,4 @@ domtrans_pattern($1,ricci_modstorage_exec_t,ricci_modstorage_t) ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.2.7/policy/modules/services/rlogin.te --- nsaserefpolicy/policy/modules/services/rlogin.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/rlogin.te 2008-02-13 16:57:15.000000000 -0500 @@ -36,6 +36,8 @@ allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr }; term_create_pty(rlogind_t,rlogind_devpts_t) +domain_interactive_fd(rlogind_t) + # for /usr/lib/telnetlogin can_exec(rlogind_t, rlogind_exec_t) 
@@ -82,23 +84,21 @@ miscfiles_read_localization(rlogind_t) -seutil_dontaudit_search_config(rlogind_t) +seutil_read_config(rlogind_t) userdom_setattr_unpriv_users_ptys(rlogind_t) # cjp: this is egregious userdom_read_all_users_home_content_files(rlogind_t) remotelogin_domtrans(rlogind_t) +remotelogin_signal(rlogind_t) optional_policy(` + kerberos_use(rlogind_t) kerberos_read_keytab(rlogind_t) + kerberos_manage_host_rcache(rlogind_t) ') optional_policy(` tcpd_wrapped_domain(rlogind_t, rlogind_exec_t) ') - -ifdef(`TODO',` -# Allow krb5 rlogind to use fork and open /dev/tty for use -allow rlogind_t userpty_type:chr_file setattr; -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.fc serefpolicy-3.2.7/policy/modules/services/roundup.fc --- nsaserefpolicy/policy/modules/services/roundup.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/roundup.fc 2008-02-13 16:57:15.000000000 -0500 @@ -7,3 +7,5 @@ # /var # /var/lib/roundup(/.*)? -- gen_context(system_u:object_r:roundup_var_lib_t,s0) + +/etc/rc.d/init.d/roundup -- gen_context(system_u:object_r:roundup_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.if serefpolicy-3.2.7/policy/modules/services/roundup.if --- nsaserefpolicy/policy/modules/services/roundup.if 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/roundup.if 2008-02-13 16:57:15.000000000 -0500 
@@ -1 +1,68 @@ ## Roundup Issue Tracking System policy + +######################################## +## +## Execute roundup server in the roundup domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`roundup_script_domtrans',` + gen_require(` + type roundup_script_exec_t; + ') + + init_script_domtrans_spec($1,roundup_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an roundup environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the roundup domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`roundup_admin',` + gen_require(` + type roundup_t; + type roundup_script_exec_t; + type roundup_var_lib_t; + type roundup_var_run_t; + ') + + allow $1 roundup_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, roundup_t, roundup_t) + + # Allow roundup_t to restart the apache service + roundup_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 roundup_script_exec_t system_r; + allow $2 system_r; + + files_list_var_lib($1) + manage_all_pattern($1,roundup_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,roundup_var_run_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.te serefpolicy-3.2.7/policy/modules/services/roundup.te --- nsaserefpolicy/policy/modules/services/roundup.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/roundup.te 2008-02-13 16:57:15.000000000 -0500 
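Review bot: The comment `# Allow roundup_t to restart the apache service` in roundup_admin is a copy-paste leftover; it annotates a rule that lets the admin domain run the roundup init script and should say `# Allow the admin domain to run the roundup init script`. The summary of roundup_script_domtrans, "Execute roundup server in the roundup domain", likewise describes a daemon transition rather than the init-script transition the rule performs.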
@@ -16,6 +16,9 @@ type roundup_var_lib_t; files_type(roundup_var_lib_t) +type roundup_script_exec_t; +init_script_type(roundup_script_exec_t) + ######################################## # # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.2.7/policy/modules/services/rpcbind.fc --- nsaserefpolicy/policy/modules/services/rpcbind.fc 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/rpcbind.fc 2008-02-13 16:57:15.000000000 -0500 @@ -5,3 +5,5 @@ /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) /var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) /var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0) + +/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.2.7/policy/modules/services/rpcbind.if --- nsaserefpolicy/policy/modules/services/rpcbind.if 2007-07-16 14:09:46.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/rpcbind.if 2008-02-13 16:57:15.000000000 -0500 
@@ -95,3 +95,70 @@ manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t) files_search_var_lib($1) ') + +######################################## +## +## Execute rpcbind server in the rpcbind domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`rpcbind_script_domtrans',` + gen_require(` + type rpcbind_script_exec_t; + ') + + init_script_domtrans_spec($1,rpcbind_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an rpcbind environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the rpcbind domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`rpcbind_admin',` + gen_require(` + type rpcbind_t; + type rpcbind_script_exec_t; + type rpcbind_var_lib_t; + type rpcbind_var_run_t; + ') + + allow $1 rpcbind_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, rpcbind_t, rpcbind_t) + + # Allow rpcbind_t to restart the apache service + rpcbind_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 rpcbind_script_exec_t system_r; + allow $2 system_r; + + files_list_var_lib($1) + manage_all_pattern($1,rpcbind_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,rpcbind_var_run_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.2.7/policy/modules/services/rpcbind.te --- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/rpcbind.te 2008-02-13 16:57:15.000000000 -0500 
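Review bot: The comment `# Allow rpcbind_t to restart the apache service` in rpcbind_admin is a copy-paste leftover and should read `# Allow the admin domain to run the rpcbind init script`. The rpcbind_script_domtrans summary, "Execute rpcbind server in the rpcbind domain", also mis-describes a rule that transitions through rpcbind_script_exec_t; `## Execute the rpcbind init script in the init script domain.` is accurate.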
@@ -16,16 +16,21 @@ type rpcbind_var_lib_t; files_type(rpcbind_var_lib_t) +type rpcbind_script_exec_t; +init_script_type(rpcbind_script_exec_t) + ######################################## # # rpcbind local policy # -allow rpcbind_t self:capability setuid; +allow rpcbind_t self:capability { dac_override setuid sys_tty_config }; allow rpcbind_t self:fifo_file rw_file_perms; allow rpcbind_t self:unix_stream_socket create_stream_socket_perms; allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms; allow rpcbind_t self:udp_socket create_socket_perms; +# BROKEN ... +dontaudit rpcbind_t self:udp_socket listen; allow rpcbind_t self:tcp_socket create_stream_socket_perms; manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t) @@ -37,6 +42,7 @@ manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t) files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file }) +kernel_read_system_state(rpcbind_t) kernel_read_network_state(rpcbind_t) corenet_all_recvfrom_unlabeled(rpcbind_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.2.7/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2007-12-04 11:02:50.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/rpc.if 2008-02-13 16:57:15.000000000 -0500 @@ -88,8 +88,11 @@ # bind to arbitary unused ports corenet_tcp_bind_generic_port($1_t) corenet_udp_bind_generic_port($1_t) - corenet_udp_bind_reserved_port($1_t) + corenet_dontaudit_tcp_bind_all_ports($1_t) + corenet_dontaudit_udp_bind_all_ports($1_t) corenet_sendrecv_generic_server_packets($1_t) + corenet_tcp_bind_all_rpc_ports($1_t) + corenet_udp_bind_all_rpc_ports($1_t) fs_rw_rpc_named_pipes($1_t) fs_search_auto_mountpoints($1_t) 
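Review bot: `dac_override` is added unconditionally to rpcbind_t at the capability line, which lets the daemon bypass owner and mode checks on every file type the policy otherwise permits; if the need comes from pid or lock files created as root before rpcbind drops to its service user, fixing ownership of those files is narrower than a blanket DAC bypass. The `# BROKEN ...` comment above `dontaudit rpcbind_t self:udp_socket listen` does not say what is broken; something like `# rpcbind calls listen() on its UDP socket, which is meaningless for UDP; silence until fixed upstream` (hedged - confirm against the rpcbind source) tells the next reader when the dontaudit can go.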
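Review bot: `corenet_dontaudit_tcp_bind_all_ports`/`corenet_dontaudit_udp_bind_all_ports` on every rpc_domain_template domain silences bind denials on every port type, so an RPC daemon that lands on a port reserved for another service will no longer appear in the audit log. If this covers the RPC port-probing loop (trying arbitrary ports until one binds), say so in a comment: `# rpc daemons probe arbitrary ports until bind succeeds; dontaudit the misses, the allowed ones are the rpc port types below`, and note that dropping `corenet_udp_bind_reserved_port` is deliberate now that `corenet_udp_bind_all_rpc_ports` covers the labelled ports. rpc_domain_template's body continues outside the hunk.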
@@ -208,6 +211,24 @@ ######################################## ## +## Execute domain in nfsd domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`rpc_domtrans_rpcd',` + gen_require(` + type rpcd_t, rpcd_exec_t; + ') + + domtrans_pattern($1,rpcd_exec_t,rpcd_t) +') + +######################################## +## ## Read NFS exported content. ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.2.7/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/rpc.te 2008-02-13 16:57:15.000000000 -0500 @@ -60,10 +60,14 @@ manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t) files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) +corecmd_exec_bin(rpcd_t) + kernel_read_system_state(rpcd_t) -kernel_search_network_state(rpcd_t) +kernel_read_network_state(rpcd_t) # for rpc.rquotad kernel_read_sysctl(rpcd_t) +kernel_rw_fs_sysctls(rpcd_t) +kernel_getattr_core_if(nfsd_t) fs_list_rpc(rpcd_t) fs_read_rpc_files(rpcd_t) @@ -77,11 +81,18 @@ miscfiles_read_certs(rpcd_t) seutil_dontaudit_search_config(rpcd_t) +selinux_dontaudit_read_fs(rpcd_t) optional_policy(` nis_read_ypserv_config(rpcd_t) ') +# automount -> mount -> rpcd +optional_policy(` + automount_dontaudit_use_fds(rpcd_t) + automount_dontaudit_write_pipes(rpcd_t) +') + ######################################## # # NFSD local policy 
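Review bot: The summary of rpc_domtrans_rpcd says "Execute domain in nfsd domain", but the rule transitions the caller to rpcd_t via rpcd_exec_t; it should read `## Execute rpcd in the rpcd domain.` so policy authors do not reach for it when they want nfsd.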
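Review bot: `kernel_getattr_core_if(nfsd_t)` is added in the rpcd_t local policy section (between `kernel_rw_fs_sysctls(rpcd_t)` and `fs_list_rpc(rpcd_t)`), and the NFSD section of the next hunk adds `kernel_dontaudit_getattr_core_if(nfsd_t)` for the same permission; an allow and a dontaudit on the same rule leaves the allow in force and the dontaudit dead. Keep exactly one of them in the NFSD section - the dontaudit if the access is only noise, the allow with a why-comment if nfsd actually needs to stat /proc/net - and delete the other. `corecmd_exec_bin(rpcd_t)` is a broad grant (any bin_t executable) and deserves a comment naming which helper rpcd runs.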
@@ -92,9 +103,16 @@ allow nfsd_t exports_t:file { getattr read }; allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; +dev_dontaudit_getattr_all_blk_files(nfsd_t) +dev_dontaudit_getattr_all_chr_files(nfsd_t) + +dev_read_lvm_control(nfsd_t) +storage_dontaudit_raw_read_fixed_disk(nfsd_t) + # for /proc/fs/nfs/exports - should we have a new type? kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) +kernel_dontaudit_getattr_core_if(nfsd_t) corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) @@ -124,6 +142,7 @@ tunable_policy(`nfs_export_all_rw',` fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) + userdom_generic_user_home_dir_filetrans_generic_user_home_content(nfsd_t, { file dir }) ') tunable_policy(`nfs_export_all_ro',` @@ -144,6 +163,7 @@ manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) +kernel_read_system_state(gssd_t) kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_search_network_sysctl(gssd_t) @@ -157,8 +177,13 @@ files_list_tmp(gssd_t) files_read_usr_symlinks(gssd_t) +auth_read_cache(gssd_t) + miscfiles_read_certs(gssd_t) +userdom_dontaudit_search_users_home_dirs(rpcd_t) +userdom_dontaudit_search_sysadm_home_dirs(rpcd_t) + tunable_policy(`allow_gssd_read_tmp',` userdom_list_unpriv_users_tmp(gssd_t) userdom_read_unpriv_users_tmp_files(gssd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.2.7/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/rshd.te 2008-02-13 16:57:15.000000000 -0500 
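Review bot: The two `userdom_dontaudit_search_*_home_dirs(rpcd_t)` lines are inserted in the gssd_t local policy section, between `miscfiles_read_certs(gssd_t)` and the `allow_gssd_read_tmp` tunable; they belong with the other rpcd_t rules earlier in the file, otherwise the next reader will take them for gssd rules. `auth_read_cache(gssd_t)` also deserves a why-comment stating which cache gssd needs, since the interface name alone does not say.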
@@ -16,7 +16,7 @@ # # Local policy # -allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override }; +allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override }; allow rshd_t self:process { signal_perms fork setsched setpgid setexec }; allow rshd_t self:fifo_file rw_fifo_file_perms; allow rshd_t self:tcp_socket create_stream_socket_perms; @@ -33,6 +33,9 @@ corenet_udp_sendrecv_all_ports(rshd_t) corenet_tcp_bind_all_nodes(rshd_t) corenet_tcp_bind_rsh_port(rshd_t) +corenet_tcp_bind_all_rpc_ports(rshd_t) +corenet_tcp_connect_all_ports(rshd_t) +corenet_tcp_connect_all_rpc_ports(rshd_t) corenet_sendrecv_rsh_server_packets(rshd_t) dev_read_urand(rshd_t) @@ -44,20 +47,22 @@ selinux_compute_relabel_context(rshd_t) selinux_compute_user_contexts(rshd_t) -auth_domtrans_chk_passwd(rshd_t) +auth_login_pgm_domain(rshd_t) +auth_write_login_records(rshd_t) corecmd_read_bin_symlinks(rshd_t) files_list_home(rshd_t) files_read_etc_files(rshd_t) -files_search_tmp(rshd_t) +files_manage_generic_tmp_dirs(rshd_t) -auth_use_nsswitch(rshd_t) +init_rw_utmp(rshd_t) libs_use_ld_so(rshd_t) libs_use_shared_libs(rshd_t) logging_send_syslog_msg(rshd_t) +logging_search_logs(rshd_t) miscfiles_read_localization(rshd_t) @@ -78,6 +83,8 @@ optional_policy(` kerberos_use(rshd_t) + kerberos_read_keytab(rshd_t) + kerberos_manage_host_rcache(rshd_t) ') optional_policy(` @@ -86,4 +93,5 @@ optional_policy(` unconfined_shell_domtrans(rshd_t) + unconfined_signal(rshd_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.2.7/policy/modules/services/rsync.fc --- nsaserefpolicy/policy/modules/services/rsync.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/rsync.fc 2008-02-13 16:57:15.000000000 -0500 
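Review bot: `corenet_tcp_connect_all_ports(rshd_t)` grants outbound TCP to every port type, far more than rsh needs; the protocol's only outbound connection is the stderr channel back to a reserved port on the client, so a connect-to-reserved-ports interface (confirm which one this policy version provides) would be the tighter grant alongside the rpc-port line that follows. `files_search_tmp` becoming `files_manage_generic_tmp_dirs(rshd_t)` lets rshd create and remove arbitrary tmp_t directories, and `auth_use_nsswitch(rshd_t)` is removed - presumably auth_login_pgm_domain supplies it, but that is not visible here, so confirm. The new `kill` capability should carry a comment such as `# kill: signal the user's login session on disconnect` (hedged), since capability grants without a reason tend to outlive their cause.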
@@ -1,2 +1,4 @@ /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) + +/var/log/rsync.log -- gen_context(system_u:object_r:rsync_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.2.7/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/rsync.te 2008-02-13 16:57:15.000000000 -0500 @@ -31,6 +31,9 @@ type rsync_data_t; files_type(rsync_data_t) +type rsync_log_t; +logging_log_file(rsync_log_t) + type rsync_tmp_t; files_tmp_file(rsync_tmp_t) @@ -42,7 +45,7 @@ # Local policy # -allow rsync_t self:capability sys_chroot; +allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot }; allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; allow rsync_t self:tcp_socket create_stream_socket_perms; @@ -52,7 +55,6 @@ # cjp: this should probably only be inetd_child_t rules? # search home and kerberos also. allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow rsync_t self:capability { setuid setgid }; #end for identd allow rsync_t rsync_data_t:dir list_dir_perms; @@ -95,7 +97,8 @@ libs_use_shared_libs(rsync_t) logging_send_syslog_msg(rsync_t) -logging_dontaudit_search_logs(rsync_t) +manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t) +logging_log_filetrans(rsync_t,rsync_log_t,file) miscfiles_read_localization(rsync_t) miscfiles_read_public_files(rsync_t) 
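Review bot: `dac_override` and `dac_read_search` become unconditional for rsync_t at the capability line, whereas before this patch `dac_override` was granted only under the `rsync_export_all_ro` tunable (the next hunk deletes it from that block). With the tunable off an rsync daemon serving rsync_data_t could previously not bypass file ownership and mode checks; now it always can, so a misconfigured module path or a compromised rsyncd reaches root-only files in any type the policy already allows. I would keep both DAC capabilities inside the export tunable blocks, or add a comment at this line explaining why the default configuration needs them.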
@@ -117,7 +120,6 @@ ') tunable_policy(`rsync_export_all_ro',` - allow rsync_t self:capability dac_override; fs_read_noxattr_fs_files(rsync_t) auth_read_all_files_except_shadow(rsync_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.fc serefpolicy-3.2.7/policy/modules/services/rwho.fc --- nsaserefpolicy/policy/modules/services/rwho.fc 2007-09-12 10:34:18.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/rwho.fc 2008-02-13 16:57:15.000000000 -0500 @@ -3,3 +3,5 @@ /var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0) /var/log/rwhod(/.*)? gen_context(system_u:object_r:rwho_log_t,s0) + +/etc/rc.d/init.d/rwhod -- gen_context(system_u:object_r:rwho_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.if serefpolicy-3.2.7/policy/modules/services/rwho.if --- nsaserefpolicy/policy/modules/services/rwho.if 2007-09-12 10:34:18.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/rwho.if 2008-02-13 16:57:15.000000000 -0500 
@@ -115,3 +115,70 @@ manage_files_pattern($1,rwho_spool_t,rwho_spool_t) files_search_spool($1) ') + +######################################## +## +## Execute rwho server in the rwho domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`rwho_script_domtrans',` + gen_require(` + type rwho_script_exec_t; + ') + + init_script_domtrans_spec($1,rwho_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an rwho environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the rwho domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`rwho_admin',` + gen_require(` + type rwho_t; + type rwho_script_exec_t; + type rwho_log_t; + type rwho_spool_t; + ') + + allow $1 rwho_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, rwho_t, rwho_t) + + # Allow rwho_t to restart the apache service + rwho_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 rwho_script_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + manage_all_pattern($1,rwho_log_t) + + files_list_spool($1) + manage_all_pattern($1,rwho_spool_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.te serefpolicy-3.2.7/policy/modules/services/rwho.te --- nsaserefpolicy/policy/modules/services/rwho.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/rwho.te 2008-02-13 16:57:15.000000000 -0500 
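Review bot: The comment `# Allow rwho_t to restart the apache service` in rwho_admin is a copy-paste leftover and should read `# Allow the admin domain to run the rwhod init script`. The summary of rwho_script_domtrans, "Execute rwho server in the rwho domain", also mis-describes a rule that transitions through the init script type.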
@@ -16,6 +16,9 @@ type rwho_spool_t; files_type(rwho_spool_t) +type rwho_script_exec_t; +init_script_type(rwho_script_exec_t) + ######################################## # # rwho local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.2.7/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/samba.fc 2008-02-13 16:57:15.000000000 -0500 @@ -15,6 +15,7 @@ /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) /usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) /usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) +/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) /usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) /usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) @@ -30,6 +31,8 @@ /var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) /var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) + /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) 
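Review bot: `/var/lib/samba/scripts(/.*)?` is labelled `samba_unconfined_script_exec_t`, an entry point into an unconfined domain, inside a tree that smbd_t manages as samba_var_t (see the `manage_files_pattern(smbd_t,samba_var_t,samba_var_t)` rules later in this patch). The separation therefore rests on smbd_t having no write or relabel access to samba_unconfined_script_exec_t and on no type_transition into it; neither is visible in this diff, so confirm, and a comment at this line - `# entry point to the unconfined helper domain (samba_run_unconfined); must stay unwritable by smbd_t` - makes the invariant explicit for whoever touches samba.te next.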
@@ -47,3 +50,7 @@ /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) /var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) + +/etc/rc.d/init.d/winbind -- gen_context(system_u:object_r:samba_script_exec_t,s0) +/etc/rc.d/init.d/nmb -- gen_context(system_u:object_r:samba_script_exec_t,s0) +/etc/rc.d/init.d/smb -- gen_context(system_u:object_r:samba_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.2.7/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/samba.if 2008-02-13 16:57:15.000000000 -0500 @@ -331,6 +331,25 @@ ######################################## ## +## dontaudit the specified domain to +## write samba /var files. +## +## +## +## Domain allowed access. +## +## +# +interface(`samba_dontaudit_write_var_files',` + gen_require(` + type samba_var_t; + ') + + dontaudit $1 samba_var_t:file write; +') + +######################################## +## ## Allow the specified domain to ## read and write samba /var files. ## @@ -348,6 +367,7 @@ files_search_var($1) files_search_var_lib($1) manage_files_pattern($1,samba_var_t,samba_var_t) + manage_lnk_files_pattern($1,samba_var_t,samba_var_t) ') ######################################## 
@@ -492,3 +512,221 @@ allow $1 samba_var_t:dir search_dir_perms; stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t) ') + +######################################## +## +## Create a set of derived types for apache +## web content. +## +## +## +## The prefix to be used for deriving type names. +## +## +# +template(`samba_helper_template',` + gen_require(` + type smbd_t; + ') + #This type is for samba helper scripts + type samba_$1_script_t; + domain_type(samba_$1_script_t) + role system_r types samba_$1_script_t; + + # This type is used for executable scripts files + type samba_$1_script_exec_t; + corecmd_shell_entry_type(samba_$1_script_t) + domain_entry_file(samba_$1_script_t,samba_$1_script_exec_t) + + domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t) + allow smbd_t samba_$1_script_exec_t:file ioctl; + +') + +######################################## +## +## Allow the specified domain to read samba's shares +## +## +## +## Domain allowed access. +## +## +# +interface(`samba_read_share_files',` + gen_require(` + type samba_share_t; + ') + + allow $1 samba_share_t:filesystem getattr; + read_files_pattern($1, samba_share_t, samba_share_t) +') + +######################################## +## +## Execute a domain transition to run smbcontrol. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`samba_domtrans_smbcontrol',` + gen_require(` + type smbcontrol_t; + type smbcontrol_exec_t; + ') + + domtrans_pattern($1,smbcontrol_exec_t,smbcontrol_t) +') + + +######################################## +## +## Execute smbcontrol in the smbcontrol domain, and +## allow the specified role the smbcontrol domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the smbcontrol domain. +## +## +## +## +## The type of the role's terminal. 
+## +## +# +interface(`samba_run_smbcontrol',` + gen_require(` + type smbcontrol_t; + ') + + samba_domtrans_smbcontrol($1) + role $2 types smbcontrol_t; + dontaudit smbcontrol_t $3:chr_file rw_term_perms; +') + +######################################## +## +## Execute samba server in the samba domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`samba_script_domtrans',` + gen_require(` + type samba_script_exec_t; + ') + + init_script_domtrans_spec($1,samba_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an samba environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the samba domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`samba_admin',` + gen_require(` + type nmbd_t; + type nmbd_var_run_t; + type smbd_t; + type smbd_script_exec_t; + type smbd_tmp_t; + type samba_log_t; + type smbd_spool_t; + type samba_var_t; + type smbd_var_run_t; + type samba_etc_t; + type samba_share_t; + type samba_secrets_t; + + type swat_var_run_t; + type swat_tmp_t; + + type winbind_var_run_t; + type winbind_tmp_t; + type winbind_log_t; + + type samba_unconfined_script_t; + type samba_unconfined_script_exec_t; + ') + + allow $1 smbd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, smbd_t, smbd_t) + + allow $1 nmbd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, nmbd_t, nmbd_t) + + allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t) + + samba_run_smbcontrol($1, $2, $3) + samba_run_winbind_helper($1, $2, $3) + samba_run_smbmount($1, $2, $3) + samba_run_net($1, $2, $3) + + # Allow smbd_t to restart the apache service + samba_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 smbd_script_exec_t system_r; + allow $2 system_r; + + 
files_list_tmp($1) + manage_all_pattern($1, smbd_tmp_t) + manage_all_pattern($1, swat_tmp_t) + manage_all_pattern($1, winbind_tmp_t) + + manage_all_pattern($1, samba_secrets_t) + + files_list_etc($1) + manage_all_pattern($1, samba_etc_t) + + manage_all_pattern($1, samba_share_t) + + logging_list_logs($1) + manage_all_pattern($1, samba_log_t) + manage_all_pattern($1, winbind_log_t) + + files_list_spool($1) + manage_all_pattern($1, smbd_spool_t) + + files_list_var($1) + manage_all_pattern($1, samba_var_t) + + files_list_pids($1) + manage_all_pattern($1, smbd_var_run_t) + manage_all_pattern($1, nmbd_var_run_t) + manage_all_pattern($1, swat_var_run_t) + manage_all_pattern($1, winbind_var_run_t) + manage_all_pattern($1, samba_unconfined_script_exec_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.7/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/samba.te 2008-02-13 16:57:15.000000000 -0500 @@ -26,28 +26,28 @@ ## ##
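Review bot: samba_admin requires and uses `smbd_script_exec_t` (in gen_require and in `role_transition $2 smbd_script_exec_t system_r`), but the type this patch declares in samba.te and labels on /etc/rc.d/init.d/{smb,nmb,winbind} is `samba_script_exec_t`, which samba_script_domtrans also uses; the gen_require fails to resolve as soon as any policy calls samba_admin. Change both references to `samba_script_exec_t`. The doc of samba_helper_template, "Create a set of derived types for apache web content", and the comment `# Allow smbd_t to restart the apache service` are copy-paste leftovers and should describe samba helper scripts and the samba init script respectively. `manage_all_pattern($1, samba_unconfined_script_exec_t)` lets the admin domain write the unconfined entry point, which is expected for an admin but is worth a comment so it is not mistaken for an oversight.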

-## Allow samba to share users home directories. +## Allow Samba to share users home directories ##

##
gen_tunable(samba_enable_home_dirs,false) ## ##

-## Allow samba to share any file/directory read only. +## Allow Samba to share any file/directory read only ##

##
gen_tunable(samba_export_all_ro,false) ## ##

-## Allow samba to share any file/directory read/write. +## Allow Samba to share any file/directory read/write ##

##
gen_tunable(samba_export_all_rw,false) ## ##

-## Allow samba to run unconfined scripts +## Allow Samba to run unconfined scripts in /var/lib/samba/scripts directory ##

##
gen_tunable(samba_run_unconfined,false) @@ -59,6 +59,13 @@ ##
gen_tunable(samba_share_nfs,false) +## +##

+## Allow samba to export ntfs/fusefs volumes. +##

+##
+gen_tunable(samba_share_fusefs,false) + type nmbd_t; type nmbd_exec_t; init_daemon_domain(nmbd_t,nmbd_exec_t) @@ -73,11 +80,9 @@ logging_log_file(samba_log_t) type samba_net_t; -domain_type(samba_net_t) -role system_r types samba_net_t; - type samba_net_exec_t; -domain_entry_file(samba_net_t,samba_net_exec_t) +role system_r types samba_net_t; +application_domain(samba_net_t, samba_net_exec_t) type samba_net_tmp_t; files_tmp_file(samba_net_tmp_t) @@ -139,6 +144,14 @@ type winbind_var_run_t; files_pid_file(winbind_var_run_t) +type smbcontrol_t; +type smbcontrol_exec_t; +application_domain(smbcontrol_t, smbcontrol_exec_t) +role system_r types smbcontrol_t; + +type samba_script_exec_t; +init_script_type(samba_script_exec_t) + ######################################## # # Samba net local policy @@ -193,7 +206,10 @@ miscfiles_read_localization(samba_net_t) +samba_read_var_files(samba_net_t) + userdom_dontaudit_search_sysadm_home_dirs(samba_net_t) +userdom_list_all_users_home_dirs(samba_net_t) optional_policy(` kerberos_use(samba_net_t) @@ -213,7 +229,7 @@ allow smbd_t self:msgq create_msgq_perms; allow smbd_t self:sem create_sem_perms; allow smbd_t self:shm create_shm_perms; -allow smbd_t self:sock_file read_file_perms; +allow smbd_t self:sock_file read_sock_file_perms; allow smbd_t self:tcp_socket create_stream_socket_perms; allow smbd_t self:udp_socket create_socket_perms; allow smbd_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -221,10 +237,8 @@ allow smbd_t samba_etc_t:file { rw_file_perms setattr }; -create_dirs_pattern(smbd_t,samba_log_t,samba_log_t) -create_files_pattern(smbd_t,samba_log_t,samba_log_t) -allow smbd_t samba_log_t:dir setattr; -dontaudit smbd_t samba_log_t:dir remove_name; +manage_dirs_pattern(smbd_t,samba_log_t,samba_log_t) +manage_files_pattern(smbd_t,samba_log_t,samba_log_t) allow smbd_t samba_net_tmp_t:file getattr; 
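Review bot: Replacing create+append (with `dontaudit smbd_t samba_log_t:dir remove_name`) by `manage_dirs_pattern`/`manage_files_pattern` on samba_log_t gives smbd_t write, unlink and rename on its own log files, so a compromised smbd can truncate or remove its own audit trail; the previous rules deliberately kept the daemon to append-only. If the grant is for Samba's built-in rotation (`max log size`), a comment `# smbd rotates its own logs and needs rename/unlink on samba_log_t` records the trade-off; otherwise keep append-only and let logrotate handle rotation. The new samba_share_fusefs tunable text says "ntfs/fusefs volumes"; since fs_manage_fusefs_* grants write as well, the description should say "read/write" so that the tunable is not taken for a read-only export.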
@@ -234,6 +248,7 @@ manage_dirs_pattern(smbd_t,samba_share_t,samba_share_t) manage_files_pattern(smbd_t,samba_share_t,samba_share_t) manage_lnk_files_pattern(smbd_t,samba_share_t,samba_share_t) +allow smbd_t samba_share_t:filesystem getattr; manage_dirs_pattern(smbd_t,samba_var_t,samba_var_t) manage_files_pattern(smbd_t,samba_var_t,samba_var_t) @@ -251,7 +266,7 @@ manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t) files_pid_filetrans(smbd_t,smbd_var_run_t,file) -allow smbd_t winbind_var_run_t:sock_file { read write getattr }; +allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms; kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) @@ -320,6 +335,8 @@ userdom_dontaudit_use_unpriv_user_fds(smbd_t) userdom_use_unpriv_users_fds(smbd_t) +term_use_ptmx(smbd_t) + ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) @@ -340,6 +357,23 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) + fs_manage_nfs_symlinks(smbd_t) + fs_manage_nfs_named_pipes(smbd_t) + fs_manage_nfs_named_sockets(smbd_t) +') + +# Support Samba sharing of ntfs/fusefs mount points +tunable_policy(`samba_share_fusefs',` + fs_manage_fusefs_dirs(smbd_t) + fs_manage_fusefs_files(smbd_t) +') + +optional_policy(` + kerberos_read_keytab(smbd_t) +') + +optional_policy(` + lpd_exec_lpr(smbd_t) ') optional_policy(` @@ -391,7 +425,7 @@ allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; -allow nmbd_t self:sock_file read_file_perms; +allow nmbd_t self:sock_file read_sock_file_perms; allow nmbd_t self:tcp_socket create_stream_socket_perms; allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; 
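Review bot: `term_use_ptmx(smbd_t)` is added without a comment, and it is not obvious why a file server needs to open /dev/ptmx and allocate pseudo-terminals; this permission is usually needed by a child process (a preexec or print command script) rather than by the daemon itself. Add a why-comment such as `# smbd opens /dev/ptmx for <reason> -- TODO confirm against the AVC that prompted this`, or move the access to the domain that actually needs it. The smbd local policy section continues outside this hunk.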
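Review bot: The new `samba_share_fusefs` block grants only `fs_manage_fusefs_dirs`/`fs_manage_fusefs_files`, while the same hunk extends the `samba_share_nfs` block to symlinks, named pipes and named sockets; if fusefs shares are meant to behave like nfs shares the two tunables should grant parallel sets, otherwise the asymmetry should be stated in the `# Support Samba sharing of ntfs/fusefs mount points` comment. Separately, `kerberos_read_keytab(smbd_t)` hands the network-facing daemon the host's Kerberos keys whenever the kerberos module is present; a note like `# keytab access is needed for domain-member operation; a compromised smbd exposes the host key` makes that trade-off explicit. The smbd local policy section continues outside this hunk.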
@@ -403,8 +437,7 @@ read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t) manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t) -append_files_pattern(nmbd_t,samba_log_t,samba_log_t) -allow nmbd_t samba_log_t:file unlink; +manage_files_pattern(nmbd_t,samba_log_t,samba_log_t) read_files_pattern(nmbd_t,samba_log_t,samba_log_t) create_files_pattern(nmbd_t,samba_log_t,samba_log_t) @@ -439,6 +472,7 @@ dev_getattr_mtrr_dev(nmbd_t) fs_getattr_all_fs(nmbd_t) +fs_list_inotifyfs(nmbd_t) fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) @@ -522,6 +556,7 @@ storage_raw_write_fixed_disk(smbmount_t) term_list_ptys(smbmount_t) +term_use_controlling_term(smbmount_t) corecmd_list_bin(smbmount_t) 
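Review bot: Once `manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)` replaces the append/unlink pair, the context lines `read_files_pattern(nmbd_t,samba_log_t,samba_log_t)` and `create_files_pattern(nmbd_t,samba_log_t,samba_log_t)` are fully subsumed and should be dropped so the intended access is stated once. The change also lets nmbd rename and delete its logs where the old policy allowed a single explicit `unlink`; if only rotation is needed, say so in a comment. The nmbd local policy section continues outside this hunk.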
@@ -546,28 +581,37 @@ userdom_use_all_users_fds(smbmount_t) +optional_policy(` + cups_read_rw_config(smbmount_t) +') + ######################################## # # SWAT Local policy # -allow swat_t self:capability { setuid setgid }; -allow swat_t self:process signal_perms; +allow swat_t self:capability { setuid setgid sys_resource }; +allow swat_t self:process { setrlimit signal_perms }; allow swat_t self:fifo_file rw_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow swat_t self:tcp_socket create_stream_socket_perms; allow swat_t self:udp_socket create_socket_perms; -allow swat_t nmbd_exec_t:file { execute read }; +allow swat_t self:unix_stream_socket connectto; +can_exec(swat_t, smbd_exec_t) +allow swat_t smbd_port_t:tcp_socket name_bind; +allow swat_t smbd_t:process { signal signull }; +allow swat_t smbd_var_run_t:file { lock unlink }; + +can_exec(swat_t, nmbd_exec_t) +allow swat_t nmbd_port_t:udp_socket name_bind; +allow swat_t nmbd_t:process { signal signull }; +allow swat_t nmbd_var_run_t:file { lock read unlink }; rw_files_pattern(swat_t,samba_etc_t,samba_etc_t) append_files_pattern(swat_t,samba_log_t,samba_log_t) -allow swat_t smbd_exec_t:file execute ; - -allow swat_t smbd_t:process signull; - allow swat_t smbd_var_run_t:file read; manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t) @@ -577,7 +621,9 @@ manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t) files_pid_filetrans(swat_t,swat_var_run_t,file) -allow swat_t winbind_exec_t:file execute; +can_exec(swat_t, winbind_exec_t) +allow swat_t winbind_var_run_t:dir { write add_name remove_name }; +allow swat_t winbind_var_run_t:sock_file { create unlink }; kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) @@ -602,6 +648,7 @@ dev_read_urand(swat_t) +files_list_var_lib(swat_t) files_read_etc_files(swat_t) files_search_home(swat_t) files_read_usr_files(swat_t) 
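Review bot: `can_exec(swat_t, smbd_exec_t)` and `can_exec(swat_t, nmbd_exec_t)` run the daemons in swat_t with no domain transition, which is why this hunk then has to give swat_t `smbd_port_t:tcp_socket name_bind`, `nmbd_port_t:udp_socket name_bind` and lock/unlink on the daemons' pid files: a server started from the web UI would live in the web UI's domain with the web UI's permissions. If SWAT spawns the daemons directly, `domtrans_pattern(swat_t, smbd_exec_t, smbd_t)` and `domtrans_pattern(swat_t, nmbd_exec_t, nmbd_t)` would keep them confined in their own domains and make the port and pid-file rules unnecessary. The SWAT local policy section continues outside this hunk.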
@@ -614,6 +661,7 @@ libs_use_shared_libs(swat_t) logging_send_syslog_msg(swat_t) +logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) miscfiles_read_localization(swat_t) @@ -631,6 +679,17 @@ kerberos_use(swat_t) ') +init_read_utmp(swat_t) +init_dontaudit_write_utmp(swat_t) + +manage_dirs_pattern(swat_t,samba_log_t,samba_log_t) +create_files_pattern(swat_t,samba_log_t,samba_log_t) + +manage_files_pattern(swat_t,samba_etc_t,samba_secrets_t) + +manage_files_pattern(swat_t,samba_var_t,samba_var_t) +files_list_var_lib(swat_t) + ######################################## # # Winbind local policy @@ -679,6 +738,8 @@ manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t) files_pid_filetrans(winbind_t,winbind_var_run_t,file) +corecmd_exec_bin(winbind_t) + kernel_read_kernel_sysctls(winbind_t) kernel_list_proc(winbind_t) kernel_read_proc_symlinks(winbind_t) @@ -766,6 +827,7 @@ optional_policy(` squid_read_log(winbind_helper_t) squid_append_log(winbind_helper_t) + squid_rw_stream_sockets(winbind_helper_t) ') ######################################## 
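Review bot: `files_list_var_lib(swat_t)` is added twice in this patch — once here and once in the earlier hunk at old line 602 — so one of the two lines should be removed. `manage_files_pattern(swat_t,samba_etc_t,samba_secrets_t)` also gives the web interface full write access to the secrets database; that is presumably what SWAT's password pages need, but it deserves a one-line comment such as `# SWAT edits the password/secrets database through its web UI`, and the new `create_files_pattern(swat_t,samba_log_t,samba_log_t)` should sit next to the existing `append_files_pattern` on the same type rather than in a separate block.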
@@ -790,3 +852,37 @@ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) ') ') + +######################################## +# +# smbcontrol local policy +# + +# internal communication is often done using fifo and unix sockets. +allow smbcontrol_t self:fifo_file rw_file_perms; +allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; + +files_read_etc_files(smbcontrol_t) + +libs_use_ld_so(smbcontrol_t) +libs_use_shared_libs(smbcontrol_t) + +miscfiles_read_localization(smbcontrol_t) + +files_search_var_lib(smbcontrol_t) +samba_read_config(smbcontrol_t) +samba_rw_var_files(smbcontrol_t) +samba_search_var(smbcontrol_t) +samba_read_winbind_pid(smbcontrol_t) + +allow smbcontrol_t smbd_t:process signal; +domain_use_interactive_fds(smbcontrol_t) +allow smbd_t smbcontrol_t:process { signal signull }; + +allow nmbd_t smbcontrol_t:process signal; +allow smbcontrol_t nmbd_t:process { signal signull }; + +allow smbcontrol_t winbind_t:process { signal signull }; +allow winbind_t smbcontrol_t:process signal; + +allow smbcontrol_t nmbd_var_run_t:file { read lock }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.fc serefpolicy-3.2.7/policy/modules/services/sasl.fc --- nsaserefpolicy/policy/modules/services/sasl.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/sasl.fc 2008-02-13 16:57:15.000000000 -0500 @@ -8,3 +8,5 @@ # /var # /var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) + +/etc/rc.d/init.d/sasl -- gen_context(system_u:object_r:sasl_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.if serefpolicy-3.2.7/policy/modules/services/sasl.if --- nsaserefpolicy/policy/modules/services/sasl.if 2007-01-02 12:57:43.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/sasl.if 2008-02-13 16:57:15.000000000 -0500 
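Review bot: The new smbcontrol policy lets smbcontrol_t read and lock `nmbd_var_run_t` files and the winbind pid via `samba_read_winbind_pid`, but nothing grants it read on `smbd_var_run_t`; if smbcontrol resolves the `smbd` target from smbd.pid the way it evidently does for nmbd here, `allow smbcontrol_t smbd_var_run_t:file { read lock };` (or a matching `samba_read_smbd_pid` interface) is missing. The header comment `# internal communication is often done using fifo and unix sockets.` is generic boilerplate and should state what the tool does, e.g. `# smbcontrol signals smbd/nmbd/winbindd and talks to them through the samba var files it is granted rw on`. The six one-directional signal rules would also read better grouped per peer.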
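Review bot: The new file context labels `/etc/rc.d/init.d/sasl`, but every other identifier in this module (`saslauthd_t`, `saslauthd_var_run_t`) and the daemon itself are named saslauthd, so the init script is more likely installed as `/etc/rc.d/init.d/saslauthd`; if so this pattern never matches, the script keeps the generic init script label, and the `sasl_script_domtrans` added in sasl.if has no effect. Please confirm the installed path and adjust the entry, e.g. `/etc/rc.d/init.d/saslauthd -- gen_context(system_u:object_r:sasl_script_exec_t,s0)`.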
@@ -18,3 +18,70 @@ files_search_pids($1) stream_connect_pattern($1,saslauthd_var_run_t,saslauthd_var_run_t,saslauthd_t) ') + +######################################## +## +## Execute sasl server in the sasl domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`sasl_script_domtrans',` + gen_require(` + type sasl_script_exec_t; + ') + + init_script_domtrans_spec($1,sasl_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an sasl environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the sasl domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`sasl_admin',` + gen_require(` + type sasl_t; + type sasl_script_exec_t; + type sasl_tmp_t; + type sasl_var_run_t; + ') + + allow $1 sasl_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, sasl_t, sasl_t) + + # Allow sasl_t to restart the apache service + sasl_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 sasl_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,sasl_tmp_t) + + files_list_pids($1) + manage_all_pattern($1,sasl_var_run_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.2.7/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/sasl.te 2008-02-13 16:57:15.000000000 -0500 @@ -23,6 +23,9 @@ type saslauthd_var_run_t; files_pid_file(saslauthd_var_run_t) +type sasl_script_exec_t; +init_script_type(sasl_script_exec_t) + ######################################## # # Local policy 
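Review bot: `sasl_admin` requires `type sasl_t;`, `type sasl_tmp_t;` and `type sasl_var_run_t;`, but the module declares `saslauthd_t` and `saslauthd_var_run_t` (see the sasl.te hunk in this same patch), so any module calling `sasl_admin()` will fail on the unknown types. The `allow $1 sasl_t:process ...` rule, `read_files_pattern` and both `manage_all_pattern` calls need the `saslauthd_` names, and a tmp type should only be required if sasl.te actually declares one (none is visible in this patch). The comment `# Allow sasl_t to restart the apache service` is copy-pasted from the apache interface and should read `# Allow the admin domain to run the saslauthd init script`.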
@@ -107,6 +110,10 @@ ') optional_policy(` + nis_authenticate(saslauthd_t) +') + +optional_policy(` seutil_sigchld_newrole(saslauthd_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.2.7/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2007-08-27 13:57:20.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/sendmail.if 2008-02-13 16:57:15.000000000 -0500 
@@ -149,3 +149,85 @@ logging_log_filetrans($1,sendmail_log_t,file) ') + +######################################## +## +## Execute the sendmail program in the sendmail domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to allow the sendmail domain. +## +## +## +## +## The type of the terminal allow the sendmail domain to use. +## +## +## +# +interface(`sendmail_run',` + gen_require(` + type sendmail_t; + ') + + sendmail_domtrans($1) + role $2 types sendmail_t; + allow sendmail_t $3:chr_file rw_term_perms; +') + +######################################## +## +## Execute sendmail in the unconfined sendmail domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`sendmail_domtrans_unconfined',` + gen_require(` + type unconfined_sendmail_t, sendmail_exec_t; + ') + + domtrans_pattern($1,sendmail_exec_t,unconfined_sendmail_t) +') + +######################################## +## +## Execute sendmail in the unconfined sendmail domain, and +## allow the specified role the unconfined sendmail domain, +## and use the caller's terminal. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the unconfined sendmail domain. +## +## +## +## +## The type of the terminal allow the unconfined sendmail domain to use. +## +## +## +# +interface(`sendmail_run_unconfined',` + gen_require(` + type unconfined_sendmail_t; + ') + + sendmail_domtrans_unconfined($1) + role $2 types unconfined_sendmail_t; + allow unconfined_sendmail_t $3:chr_file rw_file_perms; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.7/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/sendmail.te 2008-02-13 16:57:15.000000000 -0500 
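Review bot: `sendmail_run_unconfined` grants `allow unconfined_sendmail_t $3:chr_file rw_file_perms;` while the parallel `sendmail_run` in the same hunk uses `rw_term_perms`; both take the same terminal-type argument and should grant the same terminal permission set, so the second should also be `rw_term_perms`. Because `sendmail_domtrans_unconfined` is a one-way exit from confinement for whichever domain calls it, its description should say so, e.g. `## The target domain is unconfined; call this only from domains that are themselves trusted.` The parameter text `The type of the terminal allow the sendmail domain to use` also reads awkwardly and should be `The type of the terminal the sendmail domain is allowed to use.`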
@@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) +type unconfined_sendmail_t; +application_domain(unconfined_sendmail_t,sendmail_exec_t) +role system_r types unconfined_sendmail_t; + ######################################## # # Sendmail local policy # -allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config }; -allow sendmail_t self:process signal; +allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; +allow sendmail_t self:process { signal signull }; allow sendmail_t self:fifo_file rw_fifo_file_perms; allow sendmail_t self:unix_stream_socket create_stream_socket_perms; allow sendmail_t self:unix_dgram_socket create_socket_perms; @@ -47,6 +51,7 @@ kernel_read_kernel_sysctls(sendmail_t) # for piping mail to a command kernel_read_system_state(sendmail_t) +kernel_read_network_state(sendmail_t) corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) @@ -69,13 +74,16 @@ # for piping mail to a command corecmd_exec_shell(sendmail_t) +corecmd_exec_bin(sendmail_t) domain_use_interactive_fds(sendmail_t) files_read_etc_files(sendmail_t) +files_read_usr_files(sendmail_t) files_search_spool(sendmail_t) # for piping mail to a command files_read_etc_runtime_files(sendmail_t) +files_read_all_tmp_files(sendmail_t) init_use_fds(sendmail_t) init_use_script_ptys(sendmail_t) 
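Review bot: `dac_override` is added to sendmail_t's capability set without a comment saying which operation needs it; since it bypasses file permission checks entirely, and later hunks in this patch also grant the domain read access to all users' home content and all tmp files, the combination deserves a justification such as `# dac_override: accessing user-owned spool/home files while running under a different uid -- TODO confirm`. The new `unconfined_sendmail_t` shares the `sendmail_exec_t` entry point with `sendmail_t`, which is fine, but a one-line comment naming the callers expected to transition into it would help readers. The sendmail local policy section continues outside this hunk.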
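Review bot: `files_read_all_tmp_files(sendmail_t)` lands directly under the `# for piping mail to a command` comment that belongs to `files_read_etc_runtime_files`, so it reads as though covered by that comment while actually granting read access to every domain's tmp type. The later hunk in this patch adds `procmail_rw_tmp_files(sendmail_t)`, which suggests the real need was one specific tmp type; if so, drop the blanket rule, otherwise give it its own comment, e.g. `# reads temp files handed over by local mailers -- TODO narrow to the types involved`. The sendmail local policy section continues outside this hunk.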
@@ -97,20 +105,35 @@ userdom_dontaudit_use_unpriv_user_fds(sendmail_t) userdom_dontaudit_search_sysadm_home_dirs(sendmail_t) +userdom_read_all_users_home_content_files(sendmail_t) mta_read_config(sendmail_t) mta_etc_filetrans_aliases(sendmail_t) # Write to /etc/aliases and /etc/mail. -mta_rw_aliases(sendmail_t) +mta_manage_aliases(sendmail_t) # Write to /var/spool/mail and /var/spool/mqueue. mta_manage_queue(sendmail_t) mta_manage_spool(sendmail_t) +mta_sendmail_exec(sendmail_t) + +optional_policy(` + cron_read_pipes(sendmail_t) +') optional_policy(` clamav_search_lib(sendmail_t) ') optional_policy(` + cyrus_stream_connect(sendmail_t) + clamav_stream_connect(sendmail_t) +') + +optional_policy(` + munin_dontaudit_search_lib(sendmail_t) +') + +optional_policy(` postfix_exec_master(sendmail_t) postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) @@ -118,6 +141,7 @@ optional_policy(` procmail_domtrans(sendmail_t) + procmail_rw_tmp_files(sendmail_t) ') optional_policy(` 
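Review bot: The new `optional_policy` block combines `cyrus_stream_connect(sendmail_t)` and `clamav_stream_connect(sendmail_t)`; an `optional_policy` block is dropped as a whole when any module it references is absent, so a system without cyrus silently loses the clamav rule and vice versa. Move `clamav_stream_connect(sendmail_t)` into the existing clamav block next to `clamav_search_lib(sendmail_t)` and leave cyrus in a block of its own. `userdom_read_all_users_home_content_files(sendmail_t)` is also added without a comment; if it is for per-user forwarding files, say so. The sendmail local policy section continues outside this hunk.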
@@ -125,24 +149,25 @@ ') optional_policy(` + sasl_connect(sendmail_t) +') + +optional_policy(` + spamd_stream_connect(sendmail_t) +') + +optional_policy(` udev_read_db(sendmail_t) ') -ifdef(`TODO',` -allow sendmail_t etc_mail_t:dir rw_dir_perms; -allow sendmail_t etc_mail_t:file manage_file_perms; -# for the start script to run make -C /etc/mail -allow initrc_t etc_mail_t:dir rw_dir_perms; -allow initrc_t etc_mail_t:file manage_file_perms; -allow system_mail_t initrc_t:fd use; -allow system_mail_t initrc_t:fifo_file write; - -# When sendmail runs as user_mail_domain, it needs some extra permissions -# to update /etc/mail/statistics. -allow user_mail_domain etc_mail_t:file rw_file_perms; +######################################## +# +# Unconfined sendmail local policy +# Allow unconfined domain to run newalias and have transitions work +# -# Silently deny attempts to access /root. -dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search }; +optional_policy(` + mta_etc_filetrans_aliases(unconfined_sendmail_t) + unconfined_domain(unconfined_sendmail_t) +') -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; -') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.2.7/policy/modules/services/setroubleshoot.fc --- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/setroubleshoot.fc 2008-02-13 16:57:15.000000000 -0500 
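Review bot: The unconfined sendmail block wraps `mta_etc_filetrans_aliases(unconfined_sendmail_t)` and `unconfined_domain(unconfined_sendmail_t)` in one `optional_policy`, mixing the mta and unconfined modules; if the unconfined module is not built, the filetrans is lost as well and `unconfined_sendmail_t`, declared unconditionally in the earlier hunk, ends up as a domain with almost no rules. Put the filetrans in its own `optional_policy` (or outside one if mta is a base module here), and tighten the header comment `# Allow unconfined domain to run newalias and have transitions work` to state the intent, e.g. `# newaliases run from an unconfined domain stays unconfined but still labels the files it creates in /etc with the aliases type`.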
@@ -5,3 +5,5 @@ /var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) /var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) + +/etc/rc.d/init.d/setroubleshoot -- gen_context(system_u:object_r:setroubleshoot_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.2.7/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2007-09-04 15:22:23.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/setroubleshoot.if 2008-02-13 16:57:15.000000000 -0500 @@ -16,8 +16,8 @@ ') files_search_pids($1) - allow $1 setroubleshoot_var_run_t:sock_file write; - allow $1 setroubleshootd_t:unix_stream_socket connectto; + stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t) + allow $1 setroubleshoot_var_run_t:sock_file read; ') ######################################## 
@@ -39,3 +39,74 @@ dontaudit $1 setroubleshoot_var_run_t:sock_file write; dontaudit $1 setroubleshootd_t:unix_stream_socket connectto; ') + +######################################## +## +## Execute setroubleshoot server in the setroubleshoot domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`setroubleshoot_script_domtrans',` + gen_require(` + type setroubleshoot_script_exec_t; + ') + + init_script_domtrans_spec($1,setroubleshoot_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an setroubleshoot environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the setroubleshoot domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`setroubleshoot_admin',` + gen_require(` + type setroubleshootd_t; + type setroubleshoot_script_exec_t; + type setroubleshoot_log_t; + type setroubleshoot_var_lib_t; + type setroubleshoot_var_run_t; + ') + + allow $1 setroubleshootd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, setroubleshootd_t, setroubleshootd_t) + + # Allow setroubleshootd_t to restart the apache service + setroubleshoot_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 setroubleshoot_script_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + manage_all_pattern($1,setroubleshoot_log_t) + + files_list_var_lib($1) + manage_all_pattern($1,setroubleshoot_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,setroubleshoot_var_run_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.7/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/setroubleshoot.te 2008-02-13 16:57:15.000000000 -0500 
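Review bot: `setroubleshoot_admin` requires and manages `setroubleshoot_log_t`, but the setroubleshoot.fc hunk in this same patch labels /var/log/setroubleshoot as `setroubleshoot_var_log_t`; unless the .te declares an alias, callers of this interface will fail on the unknown type, so the require and `manage_all_pattern($1,setroubleshoot_log_t)` should use `setroubleshoot_var_log_t`. The comment `# Allow setroubleshootd_t to restart the apache service` is copy-pasted from apache and should read `# Allow the admin domain to run the setroubleshoot init script`.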
@@ -22,13 +22,16 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) +type setroubleshoot_script_exec_t; +init_script_type(setroubleshoot_script_exec_t) + ######################################## # # setroubleshootd local policy # -allow setroubleshootd_t self:capability { dac_override sys_tty_config }; -allow setroubleshootd_t self:process { signull signal getattr getsched }; +allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; +allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -52,7 +55,9 @@ kernel_read_kernel_sysctls(setroubleshootd_t) kernel_read_system_state(setroubleshootd_t) +kernel_read_net_sysctls(setroubleshootd_t) kernel_read_network_state(setroubleshootd_t) +kernel_dontaudit_list_all_proc(setroubleshootd_t) corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) @@ -68,13 +73,17 @@ dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) +dev_getattr_all_blk_files(setroubleshootd_t) +dev_getattr_all_chr_files(setroubleshootd_t) domain_dontaudit_search_all_domains_state(setroubleshootd_t) files_read_usr_files(setroubleshootd_t) files_read_etc_files(setroubleshootd_t) -files_getattr_all_dirs(setroubleshootd_t) +files_list_all(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) +files_getattr_all_pipes(setroubleshootd_t) +files_getattr_all_sockets(setroubleshootd_t) fs_getattr_all_dirs(setroubleshootd_t) fs_getattr_all_files(setroubleshootd_t) 
@@ -97,19 +106,20 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) +logging_send_audit_msgs(setroubleshootd_t) logging_send_syslog_msg(setroubleshootd_t) -logging_stream_connect_auditd(setroubleshootd_t) +logging_stream_connect_audisp(setroubleshootd_t) seutil_read_config(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) - -sysnet_read_config(setroubleshootd_t) +seutil_read_bin_policy(setroubleshootd_t) userdom_dontaudit_read_sysadm_home_content_files(setroubleshootd_t) optional_policy(` dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t) dbus_connect_system_bus(setroubleshootd_t) + dbus_system_domain(setroubleshootd_t,setroubleshootd_exec_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.fc serefpolicy-3.2.7/policy/modules/services/smartmon.fc --- nsaserefpolicy/policy/modules/services/smartmon.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/smartmon.fc 2008-02-13 16:57:15.000000000 -0500 @@ -8,3 +8,4 @@ # /var/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0) +/etc/rc.d/init.d/smartd -- gen_context(system_u:object_r:smartmon_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.if serefpolicy-3.2.7/policy/modules/services/smartmon.if --- nsaserefpolicy/policy/modules/services/smartmon.if 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/smartmon.if 2008-02-13 16:57:15.000000000 -0500 
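Review bot: `sysnet_read_config(setroubleshootd_t)` is removed with nothing replacing it, while the daemon keeps `kernel_read_network_state` and a tcp_socket; if it ever resolves host names it will need to read the network configuration files, which `files_read_etc_files` does not cover. Confirm with an AVC check before dropping the rule, or record the reason, e.g. `# no sysnet_read_config: setroubleshootd does not resolve names -- TODO confirm`. The setroubleshootd local policy section continues outside this hunk.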
@@ -17,3 +17,70 @@ allow $1 fsdaemon_tmp_t:file { getattr ioctl read }; ') + +######################################## +## +## Execute smartmon server in the smartmon domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`smartmon_script_domtrans',` + gen_require(` + type smartmon_script_exec_t; + ') + + init_script_domtrans_spec($1,smartmon_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an smartmon environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the smartmon domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`smartmon_admin',` + gen_require(` + type smartmon_t; + type smartmon_script_exec_t; + type smartmon_tmp_t; + type smartmon_var_run_t; + ') + + allow $1 smartmon_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, smartmon_t, smartmon_t) + + # Allow smartmon_t to restart the apache service + smartmon_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 smartmon_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,smartmon_tmp_t) + + files_list_pids($1) + manage_all_pattern($1,smartmon_var_run_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.2.7/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/smartmon.te 2008-02-13 16:57:15.000000000 -0500 @@ -16,6 +16,9 @@ type fsdaemon_tmp_t; files_tmp_file(fsdaemon_tmp_t) +type smartmon_script_exec_t; +init_script_type(smartmon_script_exec_t) + ######################################## # # Local policy 
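Review bot: `smartmon_admin` requires `smartmon_t`, `smartmon_tmp_t` and `smartmon_var_run_t`, but this module's types are `fsdaemon_t`, `fsdaemon_tmp_t` and `fsdaemon_var_run_t` (all visible in the smartmon.fc and smartmon.te hunks of this patch); only `smartmon_script_exec_t` is actually declared, so any caller of `smartmon_admin()` will fail on the three undeclared types. Rename them to the `fsdaemon_` names in the `gen_require`, the `allow $1 ...:process` rule, `read_files_pattern` and both `manage_all_pattern` calls. The comment `# Allow smartmon_t to restart the apache service` is copy-pasted and should read `# Allow the admin domain to run the smartd init script`.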
@@ -49,6 +52,7 @@ corenet_udp_sendrecv_all_ports(fsdaemon_t) dev_read_sysfs(fsdaemon_t) +dev_read_urand(fsdaemon_t) domain_use_interactive_fds(fsdaemon_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.2.7/policy/modules/services/snmp.fc --- nsaserefpolicy/policy/modules/services/snmp.fc 2007-06-19 16:23:06.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/snmp.fc 2008-02-13 16:57:15.000000000 -0500 @@ -17,3 +17,6 @@ /var/run/snmpd -d gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) + +/etc/rc.d/init.d/snmpd -- gen_context(system_u:object_r:snmp_script_exec_t,s0) +/etc/rc.d/init.d/snmptrapd -- gen_context(system_u:object_r:snmp_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.2.7/policy/modules/services/snmp.if --- nsaserefpolicy/policy/modules/services/snmp.if 2007-02-19 11:32:53.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/snmp.if 2008-02-13 16:57:15.000000000 -0500 
@@ -84,3 +84,74 @@ dontaudit $1 snmpd_var_lib_t:file write; ') + +######################################## +## +## Execute snmp server in the snmp domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`snmp_script_domtrans',` + gen_require(` + type snmp_script_exec_t; + ') + + init_script_domtrans_spec($1,snmp_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an snmp environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the snmp domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`snmp_admin',` + gen_require(` + type snmp_t; + type snmp_script_exec_t; + type snmp_log_t; + type snmp_var_lib_t; + type snmp_var_run_t; + ') + + allow $1 snmp_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, snmp_t, snmp_t) + + # Allow snmp_t to restart the apache service + snmp_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 snmp_script_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + manage_all_pattern($1,snmp_log_t) + + files_list_var_lib($1) + manage_all_pattern($1,snmp_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,snmp_var_run_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.2.7/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/snmp.te 2008-02-13 16:57:15.000000000 -0500 @@ -18,6 +18,9 @@ type snmpd_var_lib_t; files_type(snmpd_var_lib_t) +type snmp_script_exec_t; +init_script_type(snmp_script_exec_t) + ######################################## # # Local policy 
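Review bot: `snmp_admin` requires `snmp_t`, `snmp_var_lib_t` and `snmp_var_run_t`, but the module's types are `snmpd_t`, `snmpd_var_lib_t` and `snmpd_var_run_t` (see the snmp.fc and snmp.te hunks in this patch), so callers of `snmp_admin()` will fail on the unknown types; the same lines should use the `snmpd_` names. `snmp_log_t` is also required and managed, yet no snmpd log type appears anywhere in this patch — confirm it exists or drop that pair of lines. The comment `# Allow snmp_t to restart the apache service` is copy-pasted from apache and should name the snmpd init script instead.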
@@ -45,6 +48,7 @@ kernel_read_device_sysctls(snmpd_t) kernel_read_kernel_sysctls(snmpd_t) +kernel_read_fs_sysctls(snmpd_t) kernel_read_net_sysctls(snmpd_t) kernel_read_proc_symlinks(snmpd_t) kernel_read_system_state(snmpd_t) @@ -81,8 +85,7 @@ files_read_usr_files(snmpd_t) files_read_etc_runtime_files(snmpd_t) files_search_home(snmpd_t) -files_getattr_boot_dirs(snmpd_t) -files_dontaudit_getattr_home_dir(snmpd_t) +auth_read_all_dirs_except_shadow(snmpd_t) fs_getattr_all_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.2.7/policy/modules/services/soundserver.fc --- nsaserefpolicy/policy/modules/services/soundserver.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/soundserver.fc 2008-02-13 16:57:15.000000000 -0500 @@ -1,10 +1,12 @@ -/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) -/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) - +/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) /usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0) /usr/bin/gpe-soundserver -- gen_context(system_u:object_r:soundd_exec_t,s0) /usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0) /var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0) +/var/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0) + /var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0) + +/etc/rc.d/init.d/nasd -- gen_context(system_u:object_r:soundd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.if serefpolicy-3.2.7/policy/modules/services/soundserver.if --- nsaserefpolicy/policy/modules/services/soundserver.if 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/soundserver.if 2008-02-13 16:57:15.000000000 -0500 
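Review bot: `auth_read_all_dirs_except_shadow(snmpd_t)` replaces a `getattr` on boot dirs and a dontaudit on home dirs with list access to every directory type on the system except shadow — home directories included — for a network-facing agent that is frequently protected only by a community string. If the goal is the disk/storage tables, the existing `fs_getattr_all_dirs`/`fs_getattr_all_fs` plus `files_getattr_all_dirs(snmpd_t)` should suffice; if broader listing is really needed, add a comment stating which MIB requires it. The snmpd local policy section continues outside this hunk.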
@@ -13,3 +13,74 @@ interface(`soundserver_tcp_connect',` refpolicywarn(`$0($*) has been deprecated.') ') + +######################################## +## +## Execute soundd server in the soundd domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`soundserver_script_domtrans',` + gen_require(` + type soundd_script_exec_t; + ') + + init_script_domtrans_spec($1,soundd_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an soundd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the soundd domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`soundserver_admin',` + gen_require(` + type soundd_t; + type soundd_script_exec_t; + type soundd_etc_t; + type soundd_tmp_t; + type soundd_var_run_t; + ') + + allow $1 soundd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, soundd_t, soundd_t) + + # Allow soundd_t to restart the apache service + soundserver_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 soundd_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,soundd_tmp_t) + + files_list_etc($1) + manage_all_pattern($1,soundd_etc_t) + + files_list_pids($1) + manage_all_pattern($1,soundd_var_run_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.2.7/policy/modules/services/soundserver.te --- nsaserefpolicy/policy/modules/services/soundserver.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/soundserver.te 2008-02-13 16:57:15.000000000 -0500 @@ -10,9 +10,6 @@ type soundd_exec_t; init_daemon_domain(soundd_t,soundd_exec_t) -type soundd_etc_t alias etc_soundd_t; -files_type(soundd_etc_t) - type soundd_state_t; files_type(soundd_state_t) 
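Review bot: `soundserver_admin` manages `soundd_tmp_t`, `soundd_etc_t` and `soundd_var_run_t` but not `soundd_state_t`, even though /var/state/yiff carries that type in this patch's soundserver.fc hunk, so an administrator using the interface still cannot clean the daemon's state directory; add `files_list_var($1)` and `manage_all_pattern($1,soundd_state_t)` alongside the others. `soundd_tmp_t` is required but no such declaration is visible in this patch (only `soundd_tmpfs_t` and `soundd_state_t` appear) — confirm soundserver.te declares it. The comment `# Allow soundd_t to restart the apache service` is copy-pasted and should read `# Allow the admin domain to run the nasd init script`.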
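Review bot: Removing `type soundd_etc_t alias etc_soundd_t;` here (the type is re-declared without the alias in the next hunk) drops the `etc_soundd_t` name; any on-disk labels or third-party modules that still use `etc_soundd_t` will no longer resolve once this policy is loaded, and files carrying the old label would show as unlabeled until a relabel. Unless the alias is known to be unused, keep `type soundd_etc_t alias etc_soundd_t;` in the moved declaration, or call out the relabel requirement in the commit description.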
@@ -26,21 +23,30 @@ type soundd_var_run_t; files_pid_file(soundd_var_run_t) +type soundd_etc_t; +files_type(soundd_etc_t) + +type soundd_script_exec_t; +init_script_type(soundd_script_exec_t) + ######################################## # -# Declarations +# sound server local policy # +allow soundd_t self:capability dac_override; dontaudit soundd_t self:capability sys_tty_config; allow soundd_t self:process { setpgid signal_perms }; allow soundd_t self:tcp_socket create_stream_socket_perms; allow soundd_t self:udp_socket create_socket_perms; +allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms }; + +fs_getattr_all_fs(soundd_t) + # for yiff allow soundd_t self:shm create_shm_perms; -allow soundd_t soundd_etc_t:dir list_dir_perms; -allow soundd_t soundd_etc_t:file read_file_perms; -allow soundd_t soundd_etc_t:lnk_file { getattr read }; +read_files_pattern(soundd_t,soundd_etc_t,soundd_etc_t) manage_files_pattern(soundd_t,soundd_state_t,soundd_state_t) manage_lnk_files_pattern(soundd_t,soundd_state_t,soundd_state_t) @@ -55,8 +61,10 @@ manage_sock_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t) fs_tmpfs_filetrans(soundd_t,soundd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) +manage_sock_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t) manage_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t) -files_pid_filetrans(soundd_t,soundd_var_run_t,file) +manage_dirs_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t) +files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir }) kernel_read_kernel_sysctls(soundd_t) kernel_list_proc(soundd_t) 
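Review bot: `allow soundd_t self:capability dac_override;` is added to the sound server without a comment; dac_override bypasses all file permission checks and, together with the new `fs_getattr_all_fs(soundd_t)` and `connectto` on its own stream sockets, noticeably widens a daemon that previously only carried a dontaudit on sys_tty_config. State which operation needs it, e.g. `# dac_override: needed for <operation> -- TODO document`, or drop it if the denial came from a mislabelled path. The soundd local policy section continues outside this hunk.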
@@ -99,6 +107,10 @@ userdom_dontaudit_search_sysadm_home_dirs(soundd_t) optional_policy(` + alsa_domtrans(soundd_t) +') + +optional_policy(` seutil_sigchld_newrole(soundd_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.2.7/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/spamassassin.fc 2008-02-13 16:57:15.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:user_spamassassin_home_t,s0) /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) /usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) 
@@ -6,11 +6,17 @@ /usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamd_exec_t,s0) /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) +/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0) + /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) + +/etc/rc.d/init.d/spamd -- gen_context(system_u:object_r:spamd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.7/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/spamassassin.if 2008-02-13 16:57:15.000000000 -0500 @@ -34,10 +34,11 @@ # cjp: when tunables are available, spamc stuff should be # toggled on activation of spamc, and similarly for spamd. template(`spamassassin_per_role_template',` - gen_require(` type spamc_exec_t, spamassassin_exec_t; - type spamd_t, spamd_tmp_t; + type spamc_t, spamd_t, spamassassin_t, spamd_tmp_t; + type user_spamassassin_home_t, user_spamassassin_tmp_t; + type user_spamc_tmp_t; ') ############################## 
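Review bot: `/var/spool/milter-regex(/.*)?` is labeled spamd_var_run_t, the pid/run-file type, while the sibling spool paths directly below use spamd_spool_t; unless milter-regex keeps its socket rather than spool data there, the line should read `/var/spool/milter-regex(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)`, and if the run type is deliberate a comment should say why. Separately, labeling `/usr/sbin/spamass-milter` as spamd_exec_t makes the milter run under the full spamd_t policy, including the user home-directory rules added for spamd_t in spamassassin.te, instead of in a domain of its own; a comment on that line noting the shared domain is the minimum a reader will want.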
@@ -45,278 +46,28 @@ # Declarations # - type $1_spamc_t; - application_domain($1_spamc_t,spamc_exec_t) - role $3 types $1_spamc_t; - - type $1_spamc_tmp_t; - files_tmp_file($1_spamc_tmp_t) - - type $1_spamassassin_t; - application_domain($1_spamassassin_t,spamassassin_exec_t) - role $3 types $1_spamassassin_t; - - type $1_spamassassin_home_t alias $1_spamassassin_rw_t; - userdom_user_home_content($1,$1_spamassassin_home_t) - files_poly_member($1_spamassassin_home_t) - - type $1_spamassassin_tmp_t; - files_tmp_file($1_spamassassin_tmp_t) - - ############################## - # - # $1_spamc_t local policy - # - - allow $1_spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_spamc_t self:fd use; - allow $1_spamc_t self:fifo_file rw_fifo_file_perms; - allow $1_spamc_t self:sock_file read_sock_file_perms; - allow $1_spamc_t self:shm create_shm_perms; - allow $1_spamc_t self:sem create_sem_perms; - allow $1_spamc_t self:msgq create_msgq_perms; - allow $1_spamc_t self:msg { send receive }; - allow $1_spamc_t self:unix_dgram_socket create_socket_perms; - allow $1_spamc_t self:unix_stream_socket create_stream_socket_perms; - allow $1_spamc_t self:unix_dgram_socket sendto; - allow $1_spamc_t self:unix_stream_socket connectto; - allow $1_spamc_t self:tcp_socket create_stream_socket_perms; - allow $1_spamc_t self:udp_socket create_socket_perms; - - manage_dirs_pattern($1_spamc_t,$1_spamc_tmp_t,$1_spamc_tmp_t) - manage_files_pattern($1_spamc_t,$1_spamc_tmp_t,$1_spamc_tmp_t) - files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir }) - - # Allow connecting to a local spamd - allow $1_spamc_t spamd_t:unix_stream_socket connectto; - allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms; - - domtrans_pattern($2, spamc_exec_t, $1_spamc_t) - - kernel_read_kernel_sysctls($1_spamc_t) - - corenet_all_recvfrom_unlabeled($1_spamc_t) - corenet_all_recvfrom_netlabel($1_spamc_t) - corenet_tcp_sendrecv_generic_if($1_spamc_t) - 
corenet_udp_sendrecv_generic_if($1_spamc_t) - corenet_tcp_sendrecv_all_nodes($1_spamc_t) - corenet_udp_sendrecv_all_nodes($1_spamc_t) - corenet_tcp_sendrecv_all_ports($1_spamc_t) - corenet_udp_sendrecv_all_ports($1_spamc_t) - corenet_tcp_connect_all_ports($1_spamc_t) - corenet_sendrecv_all_client_packets($1_spamc_t) - - fs_search_auto_mountpoints($1_spamc_t) - - # cjp: these should probably be removed: - corecmd_list_bin($1_spamc_t) - corecmd_read_bin_symlinks($1_spamc_t) - corecmd_read_bin_files($1_spamc_t) - corecmd_read_bin_pipes($1_spamc_t) - corecmd_read_bin_sockets($1_spamc_t) - - domain_use_interactive_fds($1_spamc_t) - - files_read_etc_files($1_spamc_t) - files_read_etc_runtime_files($1_spamc_t) - files_read_usr_files($1_spamc_t) - files_dontaudit_search_var($1_spamc_t) - # cjp: this may be removable: - files_list_home($1_spamc_t) - - libs_use_ld_so($1_spamc_t) - libs_use_shared_libs($1_spamc_t) - - logging_send_syslog_msg($1_spamc_t) - - miscfiles_read_localization($1_spamc_t) - - # cjp: this should probably be removed: - seutil_read_config($1_spamc_t) - - sysnet_read_config($1_spamc_t) - - userdom_use_unpriv_users_fds($1_spamc_t) - # cjp: this really should just be the - # terminal specific to the role - userdom_use_unpriv_users_ptys($1_spamc_t) - - # cjp: this should probably be removed: - tunable_policy(`read_default_t',` - files_list_default($1_spamc_t) - files_read_default_files($1_spamc_t) - files_read_default_symlinks($1_spamc_t) - files_read_default_sockets($1_spamc_t) - files_read_default_pipes($1_spamc_t) - ') - - optional_policy(` - # Allow connection to spamd socket above - evolution_stream_connect($1,$1_spamc_t) - ') - - optional_policy(` - nis_use_ypbind($1_spamc_t) - ') - - optional_policy(` - nscd_socket_use($1_spamc_t) - ') - - optional_policy(` - mta_read_config($1_spamc_t) - sendmail_stub($1_spamc_t) - ') - - ############################## - # - # $1_spamassassin_t local policy - # - - allow $1_spamassassin_t self:process ~{ ptrace 
setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_spamassassin_t self:fd use; - allow $1_spamassassin_t self:fifo_file rw_fifo_file_perms; - allow $1_spamassassin_t self:sock_file read_sock_file_perms; - allow $1_spamassassin_t self:unix_dgram_socket create_socket_perms; - allow $1_spamassassin_t self:unix_stream_socket create_stream_socket_perms; - allow $1_spamassassin_t self:unix_dgram_socket sendto; - allow $1_spamassassin_t self:unix_stream_socket connectto; - allow $1_spamassassin_t self:shm create_shm_perms; - allow $1_spamassassin_t self:sem create_sem_perms; - allow $1_spamassassin_t self:msgq create_msgq_perms; - allow $1_spamassassin_t self:msg { send receive }; - - manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) - manage_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) - manage_lnk_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) - manage_fifo_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) - manage_sock_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) - userdom_user_home_dir_filetrans($1,$1_spamassassin_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file }) - - manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_tmp_t,$1_spamassassin_tmp_t) - manage_files_pattern($1_spamassassin_t, $1_spamassassin_tmp_t,$1_spamassassin_tmp_t) - files_tmp_filetrans($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir }) - - manage_dirs_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) - manage_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) - manage_lnk_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) - relabel_dirs_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) - relabel_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) - relabel_lnk_files_pattern($2, 
$1_spamassassin_home_t,$1_spamassassin_home_t) - - domtrans_pattern($2, spamassassin_exec_t, $1_spamassassin_t) - - manage_dirs_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) - manage_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) - manage_lnk_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) - manage_fifo_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) - manage_sock_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) - userdom_user_home_dir_filetrans($1,spamd_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file }) - - kernel_read_kernel_sysctls($1_spamassassin_t) - - dev_read_urand($1_spamassassin_t) - - fs_search_auto_mountpoints($1_spamassassin_t) - - # this should probably be removed - corecmd_list_bin($1_spamassassin_t) - corecmd_read_bin_symlinks($1_spamassassin_t) - corecmd_read_bin_files($1_spamassassin_t) - corecmd_read_bin_pipes($1_spamassassin_t) - corecmd_read_bin_sockets($1_spamassassin_t) - - domain_use_interactive_fds($1_spamassassin_t) + typealias spamc_t alias $1_spamc_t; + role $3 types spamc_t; - files_read_etc_files($1_spamassassin_t) - files_read_etc_runtime_files($1_spamassassin_t) - files_list_home($1_spamassassin_t) - files_read_usr_files($1_spamassassin_t) - files_dontaudit_search_var($1_spamassassin_t) + typealias spamassassin_t alias $1_spamassassin_t; + role $3 types spamassassin_t; - libs_use_ld_so($1_spamassassin_t) - libs_use_shared_libs($1_spamassassin_t) + ifelse(`$1',`user',`',` + typealias user_spamassassin_home_t alias $1_spamassassin_home_t; + typealias user_spamassassin_tmp_t alias $1_spamassassin_tmp_t; + typealias user_spamc_tmp_t alias $1_spamc_tmp_t; + ') + + manage_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) + manage_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) + manage_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) + 
relabel_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) + relabel_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) + relabel_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) - logging_send_syslog_msg($1_spamassassin_t) + domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) + domtrans_pattern($2, spamc_exec_t, spamc_t) - miscfiles_read_localization($1_spamassassin_t) - - # cjp: this could probably be removed - seutil_read_config($1_spamassassin_t) - - sysnet_dns_name_resolve($1_spamassassin_t) - - userdom_use_unpriv_users_fds($1_spamassassin_t) - userdom_search_user_home_dirs($1,$1_spamassassin_t) - # cjp: this really should just be the - # terminal specific to the role - userdom_use_unpriv_users_ptys($1_spamassassin_t) - - # this should probably be removed: - tunable_policy(`read_default_t',` - files_list_default($1_spamassassin_t) - files_read_default_files($1_spamassassin_t) - files_read_default_symlinks($1_spamassassin_t) - files_read_default_sockets($1_spamassassin_t) - files_read_default_pipes($1_spamassassin_t) - ') - - # set tunable if you have spamassassin do DNS lookups - tunable_policy(`spamassassin_can_network',` - allow $1_spamassassin_t self:tcp_socket create_stream_socket_perms; - allow $1_spamassassin_t self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled($1_spamassassin_t) - corenet_all_recvfrom_netlabel($1_spamassassin_t) - corenet_tcp_sendrecv_generic_if($1_spamassassin_t) - corenet_udp_sendrecv_generic_if($1_spamassassin_t) - corenet_tcp_sendrecv_all_nodes($1_spamassassin_t) - corenet_udp_sendrecv_all_nodes($1_spamassassin_t) - corenet_tcp_sendrecv_all_ports($1_spamassassin_t) - corenet_udp_sendrecv_all_ports($1_spamassassin_t) - corenet_tcp_connect_all_ports($1_spamassassin_t) - corenet_sendrecv_all_client_packets($1_spamassassin_t) - - sysnet_read_config($1_spamassassin_t) - ') - - tunable_policy(`spamd_enable_home_dirs',` - 
userdom_manage_user_home_content_dirs($1,spamd_t) - userdom_manage_user_home_content_files($1,spamd_t) - userdom_manage_user_home_content_symlinks($1,spamd_t) - ') - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_spamassassin_t) - fs_manage_nfs_files($1_spamassassin_t) - fs_manage_nfs_symlinks($1_spamassassin_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_spamassassin_t) - fs_manage_cifs_files($1_spamassassin_t) - fs_manage_cifs_symlinks($1_spamassassin_t) - ') - - optional_policy(` - # Write pid file and socket in ~/.evolution/cache/tmp - evolution_home_filetrans($1,spamd_t,spamd_tmp_t,{ file sock_file }) - ') - - optional_policy(` - # cjp: clearly some redundancy here - - nis_use_ypbind($1_spamassassin_t) - - tunable_policy(`spamassassin_can_network && allow_ypbind',` - nis_use_ypbind_uncond($1_spamassassin_t) - ') - ') - - optional_policy(` - mta_read_config($1_spamassassin_t) - sendmail_stub($1_spamassassin_t) - ') ') ######################################## @@ -370,7 +121,7 @@ # interface(`spamassassin_exec_spamd',` gen_require(` - type spamd_exec_t; + type spamd_eoxec_t; ') can_exec($1,spamd_exec_t) @@ -398,11 +149,65 @@ ## # template(`spamassassin_domtrans_user_client',` + spamassassin_domtrans_spamc($2) +') + +######################################## +## +## Execute spamassassin client in the spamassassin client domain. +## +## +##
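Review bot: The rewritten template aliases every role's `$1_spamc_t`, `$1_spamassassin_t` and `$1_spamassassin_home_t` onto the shared spamc_t, spamassassin_t and user_spamassassin_home_t, and the `manage_*_pattern($2, user_spamassassin_home_t, ...)` lines then give each role's user domain the same rights over that single type, so a staff or sysadm `~/.spamassassin` is no longer a different label from a user one and only DAC separates them. If that consolidation is intended it should be stated at the top of the template, e.g. `# All roles share spamc_t/spamassassin_t and one home type; cross-role separation relies on DAC`. Note also that the two `typealias spamc_t alias $1_spamc_t;`-style lines sit outside the ifelse guard and so still emit user_spamc_t/user_spamassassin_t aliases for the user prefix, which is harmless but inconsistent with the guarded block. The template's header and gen_require are in the preceding hunk.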
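Review bot: The gen_require of spamassassin_exec_spamd now reads `type spamd_eoxec_t;` while the body two lines later still calls `can_exec($1,spamd_exec_t)`; no such type is declared anywhere in this patch, so the module fails to build, and even if it resolved it would leave spamd_exec_t unrequired. Restore `type spamd_exec_t;`.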

+## This is a template and should only be called +## from per user domain tempaltes. +##

+##
+## +## +## The type of the process performing this action. +## +## +# +interface(`spamassassin_domtrans_spamc',` + gen_require(` + type spamc_t, spamc_exec_t; + ') + + domtrans_pattern($1,spamc_exec_t,spamc_t) +') + +######################################## +## +## Read spamassassin per user homedir +## +## +##

+## Read spamassassin per user homedir +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`spamassassin_read_user_home_files',` gen_require(` - type $1_spamc_t, spamc_exec_t; + type user_spamassassin_home_t; ') - domtrans_pattern($2,spamc_exec_t,$1_spamc_t) + allow $1 user_spamassassin_home_t:dir list_dir_perms; + allow $1 user_spamassassin_home_t:file read_file_perms; ') ######################################## @@ -446,11 +251,31 @@ ## # template(`spamassassin_domtrans_user_local_client',` + spamassassin_domtrans($2) +') + +######################################## +## +## Execute spamassassin in the user spamassassin domain. +## +## +##
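Review bot: The documentation of `spamassassin_read_user_home_files` declares two parameters, a user-domain prefix in $1 and the domain in $2, but the body uses `$1` as the domain in `allow $1 user_spamassassin_home_t:dir list_dir_perms;` and never references $2, so a caller following the docs passes the prefix and the rule is built for a nonexistent type. Either drop the prefix parameter from the docs and declare it as an interface, or use `$2` in both allow lines. `spamassassin_manage_user_home_files` in the last hunk of this file has the same mismatch (`manage_files_pattern($1, ...)` and `razor_manage_user_home_files(user,$1)`). The descriptions of `spamassassin_domtrans_spamc` here and `spamassassin_domtrans` in the next hunk also call themselves templates and misspell `tempaltes`, although both are declared as interfaces taking a single domain.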

+## This is a template and should only be called +## from per user domain tempaltes. +##

+##
+## +## +## The type of the process performing this action. +## +## +# +interface(`spamassassin_domtrans',` gen_require(` - type $1_spamassassin_t, spamassassin_exec_t; + type spamassassin_t, spamassassin_exec_t; ') - domtrans_pattern($2,spamassassin_exec_t,$1_spamassassin_t) + domtrans_pattern($1,spamassassin_exec_t,spamassassin_t) ') ######################################## @@ -469,6 +294,7 @@ ') files_search_var_lib($1) + list_dirs_pattern($1,spamd_var_lib_t,spamd_var_lib_t) read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t) ') 
@@ -528,3 +354,133 @@ dontaudit $1 spamd_tmp_t:sock_file getattr; ') + +######################################## +## +## Connect to run spamd. +## +## +## +## Domain allowed to connect. +## +## +# +interface(`spamd_stream_connect',` + gen_require(` + type spamd_t, spamd_var_run_t; + ') + + stream_connect_pattern($1,spamd_var_run_t,spamd_var_run_t,spamd_t) +') + + +######################################## +## +## Execute spamassassin server in the spamassassin domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`spamassassin_spamd_script_domtrans',` + gen_require(` + type spamd_script_exec_t; + ') + + init_script_domtrans_spec($1,spamd_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an spamassassin environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the spamassassin domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`spamassassin_spamd_admin',` + gen_require(` + type spamd_t; + type spamd_script_exec_t; + type spamd_tmp_t; + type spamd_log_t; + type spamd_spool_t; + type spamd_var_lib_t; + type spamd_var_run_t; + ') + + allow $1 spamd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, spamd_t, spamd_t) + + # Allow spamd_t to restart the apache service + spamassassin_spamd_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 spamd_script_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + manage_all_pattern($1,spamd_tmp_t) + + logging_list_logs($1) + manage_all_pattern($1,spamd_log_t) + + files_list_spool($1) + manage_all_pattern($1,spamd_spool_t) + + files_list_var_lib($1) + manage_all_pattern($1,spamd_var_lib_t) + + files_list_pids($1) + manage_all_pattern($1,spamd_var_run_t) +') + +######################################## +## +## Read spamassassin per user homedir +## +## +##
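Review bot: `spamassassin_spamd_admin` documents a third parameter, the user terminal type, that its body never references, and the comment `# Allow spamd_t to restart the apache service` above `spamassassin_spamd_script_domtrans($1)` is a copy-paste leftover: the rule lets the admin domain $1, not spamd_t, run the spamd init script. The comment should read `# Allow the admin domain to run the spamd init script` and the unused parameter block should be removed from the docs; `squid_admin` in squid.if carries both problems verbatim (`# Allow squid_t to restart the apache service`). The summaries of `spamassassin_spamd_script_domtrans` and `squid_script_domtrans` say the server is executed in the server domain, whereas `init_script_domtrans_spec` transitions into the init-script domain. Finally, `spamd_stream_connect` breaks the `spamassassin_` interface prefix used by every other interface in this file.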

+## Read spamassassin per user homedir +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`spamassassin_manage_user_home_files',` + gen_require(` + type user_spamassassin_home_t; + ') + + manage_files_pattern($1, user_spamassassin_home_t, user_spamassassin_home_t) + razor_manage_user_home_files(user,$1) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.7/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/spamassassin.te 2008-02-13 16:57:15.000000000 -0500 @@ -21,8 +21,9 @@ gen_tunable(spamd_enable_home_dirs,true) # spamassassin client executable +type spamc_t; type spamc_exec_t; -application_executable_file(spamc_exec_t) +application_domain(spamc_t,spamc_exec_t) type spamd_t; type spamd_exec_t; @@ -31,6 +32,9 @@ type spamd_spool_t; files_type(spamd_spool_t) +type spamd_log_t; +logging_log_file(spamd_log_t) + type spamd_tmp_t; files_tmp_file(spamd_tmp_t) @@ -41,8 +45,21 @@ type spamd_var_run_t; files_pid_file(spamd_var_run_t) +type spamd_script_exec_t; +init_script_type(spamd_script_exec_t) + type spamassassin_exec_t; -application_executable_file(spamassassin_exec_t) +type spamassassin_t; +application_domain(spamassassin_t,spamassassin_exec_t) + +type user_spamassassin_home_t; +userdom_user_home_content(user,user_spamassassin_home_t) + +type user_spamassassin_tmp_t; +files_tmp_file(user_spamassassin_tmp_t) + +type user_spamc_tmp_t; +files_tmp_file(user_spamc_tmp_t) ######################################## # 
@@ -71,6 +88,9 @@ allow spamd_t self:udp_socket create_socket_perms; allow spamd_t self:netlink_route_socket r_netlink_socket_perms; +manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t) +logging_log_filetrans(spamd_t,spamd_log_t,file) + manage_dirs_pattern(spamd_t,spamd_spool_t,spamd_spool_t) manage_files_pattern(spamd_t,spamd_spool_t,spamd_spool_t) files_spool_filetrans(spamd_t,spamd_spool_t, { file dir }) @@ -81,10 +101,11 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; -read_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t) +manage_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t) manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) kernel_read_all_sysctls(spamd_t) 
@@ -149,11 +170,31 @@ userdom_search_unpriv_users_home_dirs(spamd_t) userdom_dontaudit_search_sysadm_home_dirs(spamd_t) +manage_dirs_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t) +manage_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t) +manage_lnk_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t) +manage_fifo_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t) +manage_sock_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t) +userdom_user_home_dir_filetrans(user,spamd_t,user_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file }) + +optional_policy(` + # Write pid file and socket in ~/.evolution/cache/tmp + evolution_home_filetrans(user,spamd_t,spamd_tmp_t,{ file sock_file }) +') + +tunable_policy(`spamd_enable_home_dirs',` + userdom_manage_user_home_content_dirs(user,spamd_t) + userdom_manage_user_home_content_files(user,spamd_t) + userdom_manage_user_home_content_symlinks(user,spamd_t) +') + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(spamd_t) fs_manage_nfs_files(spamd_t) ') tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(spamd_t) fs_manage_cifs_files(spamd_t) ') @@ -171,6 +212,7 @@ optional_policy(` dcc_domtrans_client(spamd_t) + dcc_signal_client(spamd_t) dcc_stream_connect_dccifd(spamd_t) ') @@ -198,6 +240,10 @@ optional_policy(` razor_domtrans(spamd_t) + tunable_policy(`spamd_enable_home_dirs',` + razor_manage_user_home_files(user,spamd_t) + ') + ') optional_policy(` 
@@ -212,3 +258,206 @@ optional_policy(` udev_read_db(spamd_t) ') + +############################## +# +# spamassassin_t local policy +# + +allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow spamassassin_t self:fd use; +allow spamassassin_t self:fifo_file rw_fifo_file_perms; +allow spamassassin_t self:sock_file read_sock_file_perms; +allow spamassassin_t self:unix_dgram_socket create_socket_perms; +allow spamassassin_t self:unix_stream_socket create_stream_socket_perms; +allow spamassassin_t self:unix_dgram_socket sendto; +allow spamassassin_t self:unix_stream_socket connectto; +allow spamassassin_t self:shm create_shm_perms; +allow spamassassin_t self:sem create_sem_perms; +allow spamassassin_t self:msgq create_msgq_perms; +allow spamassassin_t self:msg { send receive }; + +manage_dirs_pattern(spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t) +manage_files_pattern(spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t) +manage_lnk_files_pattern(spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t) +manage_fifo_files_pattern(spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t) +manage_sock_files_pattern(spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t) +userdom_user_home_dir_filetrans($1,spamassassin_t,user_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file }) + +manage_dirs_pattern(spamassassin_t, user_spamassassin_tmp_t,user_spamassassin_tmp_t) +manage_files_pattern(spamassassin_t, user_spamassassin_tmp_t,user_spamassassin_tmp_t) +files_tmp_filetrans(spamassassin_t, user_spamassassin_tmp_t, { file dir }) + +kernel_read_kernel_sysctls(spamassassin_t) + +dev_read_urand(spamassassin_t) + +fs_search_auto_mountpoints(spamassassin_t) + +# this should probably be removed +corecmd_list_bin(spamassassin_t) +corecmd_read_bin_symlinks(spamassassin_t) +corecmd_read_bin_files(spamassassin_t) 
+corecmd_read_bin_pipes(spamassassin_t) +corecmd_read_bin_sockets(spamassassin_t) + +domain_use_interactive_fds(spamassassin_t) + +files_read_etc_files(spamassassin_t) +files_read_etc_runtime_files(spamassassin_t) +files_list_home(spamassassin_t) +files_read_usr_files(spamassassin_t) +files_dontaudit_search_var(spamassassin_t) + +libs_use_ld_so(spamassassin_t) +libs_use_shared_libs(spamassassin_t) + +logging_send_syslog_msg(spamassassin_t) + +miscfiles_read_localization(spamassassin_t) + +# cjp: this could probably be removed +seutil_read_config(spamassassin_t) + +sysnet_dns_name_resolve(spamassassin_t) + +userdom_use_unpriv_users_fds(spamassassin_t) +userdom_search_user_home_dirs(user,spamassassin_t) +# cjp: this really should just be the +# terminal specific to the role +userdom_use_unpriv_users_ptys(spamassassin_t) + +# set tunable if you have spamassassin do DNS lookups +tunable_policy(`spamassassin_can_network',` + allow spamassassin_t self:tcp_socket create_stream_socket_perms; + allow spamassassin_t self:udp_socket create_socket_perms; + + corenet_all_recvfrom_unlabeled(spamassassin_t) + corenet_all_recvfrom_netlabel(spamassassin_t) + corenet_tcp_sendrecv_generic_if(spamassassin_t) + corenet_udp_sendrecv_generic_if(spamassassin_t) + corenet_tcp_sendrecv_all_nodes(spamassassin_t) + corenet_udp_sendrecv_all_nodes(spamassassin_t) + corenet_tcp_sendrecv_all_ports(spamassassin_t) + corenet_udp_sendrecv_all_ports(spamassassin_t) + corenet_tcp_connect_all_ports(spamassassin_t) + corenet_sendrecv_all_client_packets(spamassassin_t) + + sysnet_read_config(spamassassin_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(spamassassin_t) + fs_manage_nfs_files(spamassassin_t) + fs_manage_nfs_symlinks(spamassassin_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(spamassassin_t) + fs_manage_cifs_files(spamassassin_t) + fs_manage_cifs_symlinks(spamassassin_t) +') + +optional_policy(` + # cjp: clearly some redundancy here + + 
nis_use_ypbind(spamassassin_t) + + tunable_policy(`spamassassin_can_network && allow_ypbind',` + nis_use_ypbind_uncond(spamassassin_t) + ') +') + +optional_policy(` + mta_read_config(spamassassin_t) + sendmail_stub(spamassassin_t) +') + +############################## +# +# spamc_t local policy +# + +allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow spamc_t self:fd use; +allow spamc_t self:fifo_file rw_fifo_file_perms; +allow spamc_t self:sock_file read_sock_file_perms; +allow spamc_t self:shm create_shm_perms; +allow spamc_t self:sem create_sem_perms; +allow spamc_t self:msgq create_msgq_perms; +allow spamc_t self:msg { send receive }; +allow spamc_t self:unix_dgram_socket create_socket_perms; +allow spamc_t self:unix_stream_socket create_stream_socket_perms; +allow spamc_t self:unix_dgram_socket sendto; +allow spamc_t self:unix_stream_socket connectto; +allow spamc_t self:tcp_socket create_stream_socket_perms; +allow spamc_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(spamc_t,user_spamc_tmp_t,user_spamc_tmp_t) +manage_files_pattern(spamc_t,user_spamc_tmp_t,user_spamc_tmp_t) +files_tmp_filetrans(spamc_t, user_spamc_tmp_t, { file dir }) + +# Allow connecting to a local spamd +allow spamc_t spamd_t:unix_stream_socket connectto; +allow spamc_t spamd_tmp_t:sock_file rw_file_perms; + +kernel_read_kernel_sysctls(spamc_t) + +corenet_all_recvfrom_unlabeled(spamc_t) +corenet_all_recvfrom_netlabel(spamc_t) +corenet_tcp_sendrecv_generic_if(spamc_t) +corenet_udp_sendrecv_generic_if(spamc_t) +corenet_tcp_sendrecv_all_nodes(spamc_t) +corenet_udp_sendrecv_all_nodes(spamc_t) +corenet_tcp_sendrecv_all_ports(spamc_t) +corenet_udp_sendrecv_all_ports(spamc_t) +corenet_tcp_connect_all_ports(spamc_t) +corenet_sendrecv_all_client_packets(spamc_t) + +fs_search_auto_mountpoints(spamc_t) + +# cjp: these should probably be removed: +corecmd_list_bin(spamc_t) +corecmd_read_bin_symlinks(spamc_t) 
+corecmd_read_bin_files(spamc_t) +corecmd_read_bin_pipes(spamc_t) +corecmd_read_bin_sockets(spamc_t) + +domain_use_interactive_fds(spamc_t) + +files_read_etc_files(spamc_t) +files_read_etc_runtime_files(spamc_t) +files_read_usr_files(spamc_t) +files_dontaudit_search_var(spamc_t) +# cjp: this may be removable: +files_list_home(spamc_t) + +auth_use_nsswitch(spamc_t) + +libs_use_ld_so(spamc_t) +libs_use_shared_libs(spamc_t) + +logging_send_syslog_msg(spamc_t) + +miscfiles_read_localization(spamc_t) + +# cjp: this should probably be removed: +seutil_read_config(spamc_t) + +sysnet_read_config(spamc_t) + +userdom_use_unpriv_users_fds(spamc_t) +# cjp: this really should just be the +# terminal specific to the role +userdom_use_unpriv_users_ptys(spamc_t) + +optional_policy(` + # Allow connection to spamd socket above + evolution_stream_connect(user,spamc_t) +') + +optional_policy(` + mta_read_config(spamc_t) + sendmail_stub(spamc_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.2.7/policy/modules/services/squid.fc --- nsaserefpolicy/policy/modules/services/squid.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/squid.fc 2008-02-13 16:57:15.000000000 -0500 
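Review bot: `userdom_user_home_dir_filetrans($1,spamassassin_t,user_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })` in the spamassassin_t section uses `$1` as the prefix, but this is a .te file rather than a template body, so m4 leaves `$1` literal and the interface expands to a type that does not exist; every neighbouring call passes the literal prefix (`userdom_search_user_home_dirs(user,spamassassin_t)` here, `userdom_user_home_dir_filetrans(user,spamd_t,...)` in the earlier spamd_t hunk). Change it to `userdom_user_home_dir_filetrans(user,spamassassin_t,user_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })`. The moved blocks also carry over the old `# cjp: ... should probably be removed` notes on the corecmd and seutil rules for both domains; lifting the rules out of the template was the moment to either drop those rules or resolve the comments.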
@@ -12,3 +12,8 @@ /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) /var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) +/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) + +/etc/rc.d/init.d/squid -- gen_context(system_u:object_r:squid_script_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.2.7/policy/modules/services/squid.if --- nsaserefpolicy/policy/modules/services/squid.if 2007-05-07 10:32:44.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/squid.if 2008-02-13 16:57:15.000000000 -0500 
@@ -131,3 +131,95 @@ interface(`squid_use',` refpolicywarn(`$0($*) has been deprecated.') ') + +######################################## +## +## Allow read and write squid +## unix domain stream sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`squid_rw_stream_sockets',` + gen_require(` + type squid_t; + ') + + allow $1 squid_t:unix_stream_socket { getattr read write }; +') + +######################################## +## +## Execute squid server in the squid domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`squid_script_domtrans',` + gen_require(` + type squid_script_exec_t; + ') + + init_script_domtrans_spec($1,squid_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an squid environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the squid domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`squid_admin',` + gen_require(` + type squid_t; + type squid_script_exec_t; + type squid_cache_t; + type squid_conf_t; + type squid_log_t; + type squid_var_run_t; + ') + + allow $1 squid_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, squid_t, squid_t) + + # Allow squid_t to restart the apache service + squid_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 squid_script_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + manage_all_pattern($1,squid_conf_t) + + logging_list_logs($1) + manage_all_pattern($1,squid_log_t) + + files_list_var($1) + manage_all_pattern($1,squid_cache_t) + + files_list_pids($1) + manage_all_pattern($1,squid_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.2.7/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2007-12-19 05:32:17.000000000 -0500 +++ 
serefpolicy-3.2.7/policy/modules/services/squid.te 2008-02-13 16:57:15.000000000 -0500 @@ -31,12 +31,15 @@ type squid_var_run_t; files_pid_file(squid_var_run_t) +type squid_script_exec_t; +init_script_type(squid_script_exec_t) + ######################################## # # Local policy # -allow squid_t self:capability { setgid setuid dac_override sys_resource }; +allow squid_t self:capability { setgid kill setuid dac_override sys_resource }; dontaudit squid_t self:capability sys_tty_config; allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; allow squid_t self:fifo_file rw_fifo_file_perms; @@ -85,6 +88,7 @@ corenet_udp_sendrecv_all_ports(squid_t) corenet_tcp_bind_all_nodes(squid_t) corenet_udp_bind_all_nodes(squid_t) +corenet_tcp_bind_http_port(squid_t) corenet_tcp_bind_http_cache_port(squid_t) corenet_udp_bind_http_cache_port(squid_t) corenet_tcp_bind_ftp_port(squid_t) @@ -92,6 +96,7 @@ corenet_udp_bind_gopher_port(squid_t) corenet_tcp_bind_squid_port(squid_t) corenet_udp_bind_squid_port(squid_t) +corenet_udp_bind_wccp_port(squid_t) corenet_tcp_connect_ftp_port(squid_t) corenet_tcp_connect_gopher_port(squid_t) corenet_tcp_connect_http_port(squid_t) @@ -109,6 +114,8 @@ fs_getattr_all_fs(squid_t) fs_search_auto_mountpoints(squid_t) +#squid requires the following when run in diskd mode, the recommended setting +fs_rw_tmpfs_files(squid_t) selinux_dontaudit_getattr_dir(squid_t) @@ -148,11 +155,7 @@ ') optional_policy(` - allow squid_t self:capability kill; - cron_use_fds(squid_t) - cron_use_system_job_fds(squid_t) - cron_rw_pipes(squid_t) - cron_write_system_job_pipes(squid_t) + cron_system_entry(squid_t,squid_exec_t) ') optional_policy(` 
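Review bot: `kill` is added to squid_t's unconditional `self:capability` set while the last hunk on this line deletes the `allow squid_t self:capability kill;` that was scoped to the cron optional_policy block. If the only reason squid needs kill is still the cron helper path, the capability should stay inside that block next to `cron_system_entry(squid_t,squid_exec_t)` rather than be granted to every squid_t process; if it is now needed regardless of cron, a short comment on the capability line should say for what.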
@@ -167,7 +170,12 @@ udev_read_db(squid_t) ') -ifdef(`TODO',` -#squid requires the following when run in diskd mode, the recommended setting -allow squid_t tmpfs_t:file { read write }; -') dnl end TODO +optional_policy(` + apache_content_template(squid) + corenet_tcp_connect_http_cache_port(httpd_squid_script_t) + squid_read_config(httpd_squid_script_t) + allow httpd_squid_script_t self:tcp_socket create_socket_perms; + sysnet_read_config(httpd_squid_script_t) + corenet_all_recvfrom_unlabeled(httpd_squid_script_t) + corenet_all_recvfrom_netlabel(httpd_squid_script_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.2.7/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/ssh.fc 2008-02-13 16:57:15.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ROLE_home_ssh_t,s0) +HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:user_ssh_home_t,s0) /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.2.7/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2008-02-06 10:33:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/ssh.if 2008-02-13 16:57:15.000000000 -0500 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; type ssh_exec_t, sshd_key_t, sshd_tmp_t; + type user_ssh_home_t, user_ssh_tmp_t; ') ############################## @@ -47,8 +48,10 @@ application_domain($1_ssh_t,ssh_exec_t) role $3 types $1_ssh_t; - type $1_home_ssh_t; - files_type($1_home_ssh_t) + ifelse(`$1',`user',`',` + typealias user_ssh_home_t alias $1_ssh_home_t; + typealias user_ssh_home_t alias $1_home_ssh_t; + ') ############################## # 
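Review bot: The new optional_policy block grants the web-facing `httpd_squid_script_t` read access to squid's configuration through `squid_read_config`; squid.conf can hold secrets (a cachemgr password, for instance), so the grant deserves a comment stating that the CGI is trusted with the whole file, or a narrower type if only part of it is needed. The block also adds `corenet_all_recvfrom_unlabeled` and `corenet_all_recvfrom_netlabel`, which admit traffic from any peer, while the only outbound rule is the http cache port connect; please confirm the recvfrom pair is not broader than the script's real traffic.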
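Review bot: Relabeling ~/.ssh from the per-role `ROLE_home_ssh_t` to a single `user_ssh_home_t` (ssh.fc here, and the ssh.if hunks at -36, -47, -93, -212 and -240) removes the type-enforcement boundary between different roles' SSH keys: after this change every `$1_ssh_t` client domain and every `ssh_server` domain is allowed to read any user's keys, and separation between users rests on DAC and MCS alone. That may well be the intended simplification, but it is a security-relevant one and should be recorded, e.g. `# ~/.ssh content shares one type across roles; per-user separation relies on DAC/MCS` next to the type declaration in ssh.te. The -47 hunk also adds `user_ssh_tmp_t` to ssh_basic_client_template's gen_require without any visible use in the template; if the rest of the template does not reference it, drop the require. ssh_basic_client_template continues outside these hunks.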
@@ -93,18 +96,18 @@ ps_process_pattern($2,$1_ssh_t) # user can manage the keys and config - manage_files_pattern($2,$1_home_ssh_t,$1_home_ssh_t) - manage_lnk_files_pattern($2,$1_home_ssh_t,$1_home_ssh_t) - manage_sock_files_pattern($2,$1_home_ssh_t,$1_home_ssh_t) + manage_files_pattern($2,user_ssh_home_t,user_ssh_home_t) + manage_lnk_files_pattern($2,user_ssh_home_t,user_ssh_home_t) + manage_sock_files_pattern($2,user_ssh_home_t,user_ssh_home_t) # ssh client can manage the keys and config - manage_files_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t) - read_lnk_files_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t) + manage_files_pattern($1_ssh_t,user_ssh_home_t,user_ssh_home_t) + read_lnk_files_pattern($1_ssh_t,user_ssh_home_t,user_ssh_home_t) # ssh servers can read the user keys and config - allow ssh_server $1_home_ssh_t:dir list_dir_perms; - read_files_pattern(ssh_server,$1_home_ssh_t,$1_home_ssh_t) - read_lnk_files_pattern(ssh_server,$1_home_ssh_t,$1_home_ssh_t) + allow ssh_server user_ssh_home_t:dir list_dir_perms; + read_files_pattern(ssh_server,user_ssh_home_t,user_ssh_home_t) + read_lnk_files_pattern(ssh_server,user_ssh_home_t,user_ssh_home_t) kernel_read_kernel_sysctls($1_ssh_t) @@ -202,6 +205,7 @@ # template(`ssh_per_role_template',` gen_require(` + type sshd_t; type ssh_agent_exec_t, ssh_keysign_exec_t; ') @@ -212,7 +216,7 @@ ssh_basic_client_template($1,$2,$3) - userdom_user_home_content($1,$1_home_ssh_t) + userdom_user_home_content($1,user_ssh_home_t) type $1_ssh_agent_t; application_domain($1_ssh_agent_t,ssh_agent_exec_t) 
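Review bot: The -202 hunk adds `type sshd_t;` to the gen_require of ssh_per_role_template, yet no visible line of the template uses sshd_t; if the parts of the template outside these hunks do not use it either, the require should be removed, because gen_require lists are the template's documented dependencies. In the -212 hunk `userdom_user_home_content($1,user_ssh_home_t)` is now issued once per role for one shared type, and ssh.te below also calls `userdom_user_home_content(user,user_ssh_home_t)`; as far as I can tell the repeats are harmless, but a single call in ssh.te would be clearer. ssh_per_role_template continues outside the hunks.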
@@ -240,9 +244,9 @@ manage_sock_files_pattern($1_ssh_t,$1_ssh_tmpfs_t,$1_ssh_tmpfs_t) fs_tmpfs_filetrans($1_ssh_t,$1_ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) - manage_dirs_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t) - manage_sock_files_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t) - userdom_user_home_dir_filetrans($1,$1_ssh_t,$1_home_ssh_t,{ dir sock_file }) + manage_dirs_pattern($1_ssh_t,user_ssh_home_t,user_ssh_home_t) + manage_sock_files_pattern($1_ssh_t,user_ssh_home_t,user_ssh_home_t) + userdom_user_home_dir_filetrans($1,$1_ssh_t,user_ssh_home_t,{ dir sock_file }) # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern($1_ssh_t,$1_ssh_agent_tmp_t,$1_ssh_agent_tmp_t,$1_ssh_agent_t) @@ -413,6 +417,25 @@ ') ') +######################################## +## +## Execute the ssh agent client in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_agent_exec',` + gen_require(` + type ssh_agent_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1,ssh_agent_exec_t) +') + ####################################### ## ## The template to define a ssh server. @@ -443,13 +466,14 @@ type $1_var_run_t; files_pid_file($1_var_run_t) - allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; + allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; allow $1_t self:fifo_file rw_fifo_file_perms; allow $1_t self:process { signal setsched setrlimit setexec }; allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; # ssh agent connections: allow $1_t self:unix_stream_socket create_stream_socket_perms; + allow $1_t self:shm create_shm_perms; allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; term_create_pty($1_t,$1_devpts_t) 
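Review bot: The -443 hunk adds `net_admin` to the capability set of every `$1_t` ssh server domain; the comment added in the next hunk (`tunnel feature and -w (net_admin capability also)`) shows it exists only for the tun/tap Tunnel feature, yet it is granted unconditionally, and CAP_NET_ADMIN also covers interface, routing and firewall configuration. Wrapping the capability together with `corenet_rw_tun_tap_dev($1_t)` in a tunable_policy block, as this patch does for the NFS/CIFS home directory cases, would keep it opt-in for servers that never enable tunnelling. The added `allow $1_t self:shm create_shm_perms;` carries no comment on which sshd feature needs SysV shared memory. ssh_server_template continues past this hunk.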
@@ -479,6 +503,10 @@ corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) corenet_sendrecv_ssh_server_packets($1_t) + # -R qualifier + corenet_sendrecv_ssh_server_packets($1_t) + # tunnel feature and -w (net_admin capability also) + corenet_rw_tun_tap_dev($1_t) fs_dontaudit_getattr_all_fs($1_t) @@ -506,9 +534,14 @@ userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t) userdom_search_all_users_home_dirs($1_t) + userdom_read_all_users_home_content_files($1_t) + + # Allow checking users mail at login + mta_getattr_spool($1_t) tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files($1_t) + fs_read_nfs_symlinks($1_t) ') tunable_policy(`use_samba_home_dirs',` @@ -517,11 +550,7 @@ optional_policy(` kerberos_use($1_t) - ') - - optional_policy(` - # Allow checking users mail at login - mta_getattr_spool($1_t) + kerberos_manage_host_rcache($1_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.2.7/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/ssh.te 2008-02-13 16:57:15.000000000 -0500 @@ -24,7 +24,7 @@ # Type for the ssh-agent executable. type ssh_agent_exec_t; -files_type(ssh_agent_exec_t) +application_executable_file(ssh_agent_exec_t) # ssh client executable. type ssh_exec_t; @@ -57,6 +57,12 @@ init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh) ') +type user_ssh_home_t; +userdom_user_home_content(user,user_ssh_home_t) + +type user_ssh_tmp_t; +files_tmp_file(user_ssh_tmp_t) + ################################# # # sshd local policy 
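Review bot: In the -479 hunk the added `corenet_sendrecv_ssh_server_packets($1_t)` under `# -R qualifier` is identical to the context line right above it and so grants nothing; if remote forwarding needs an extra permission it is still missing, and if not, the duplicate and its comment should be removed. The -506 hunk gives `$1_t` `userdom_read_all_users_home_content_files`, i.e. read access to every file in every user's home directory, where the existing ssh_server rules covered only the ~/.ssh type, and ssh.te's -80 hunk does the same for sshd_t; if the goal is authorized_keys or known_hosts lookups, the ~/.ssh type already covers them, so a comment naming the actual use case (ideally behind a tunable) is needed. The same hunk moves `mta_getattr_spool($1_t)` out of its optional_policy block, which is only safe if the mta module is guaranteed to be present — I cannot confirm that from here. ssh_server_template continues past these hunks.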
@@ -80,6 +86,10 @@ corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) +userdom_read_all_users_home_dirs_symlinks(sshd_t) +userdom_read_all_users_home_content_files(sshd_t) +userdom_read_all_users_home_content_symlinks(sshd_t) + tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to @@ -101,6 +111,10 @@ ') optional_policy(` + xserver_getattr_xauth(sshd_t) +') + +optional_policy(` daemontools_service_domain(sshd_t, sshd_exec_t) ') @@ -119,7 +133,11 @@ ') optional_policy(` - unconfined_domain(sshd_t) + usermanage_domtrans_passwd(sshd_t) + usermanage_read_crack_db(sshd_t) +') + +optional_policy(` unconfined_shell_domtrans(sshd_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.2.7/policy/modules/services/telnet.te --- nsaserefpolicy/policy/modules/services/telnet.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/telnet.te 2008-02-13 16:57:15.000000000 -0500 @@ -37,6 +37,8 @@ allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr }; term_create_pty(telnetd_t,telnetd_devpts_t) +domain_interactive_fd(telnetd_t) + manage_dirs_pattern(telnetd_t,telnetd_tmp_t,telnetd_tmp_t) manage_files_pattern(telnetd_t,telnetd_tmp_t,telnetd_tmp_t) files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir }) @@ -66,6 +68,7 @@ corecmd_search_bin(telnetd_t) +files_read_usr_files(telnetd_t) files_read_etc_files(telnetd_t) files_read_etc_runtime_files(telnetd_t) # for identd; cjp: this should probably only be inetd_child rules? 
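Review bot: The ssh.te -119 hunk replaces `unconfined_domain(sshd_t)` with `usermanage_domtrans_passwd` and `usermanage_read_crack_db`, a genuine tightening of sshd's policy that nothing in the patch records; a comment on the new block such as `# expired-password change at login: run passwd in its own domain instead of leaving sshd unconfined` would preserve the rationale. The -80 hunk's three unconditional `userdom_read_all_users_home_*` rules for sshd_t are the same home-directory widening raised on the ssh.if -506 hunk above. In telnet.te the -37 hunk adds `domain_interactive_fd(telnetd_t)` without saying which child process needs to inherit telnetd's descriptors.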
@@ -80,17 +83,26 @@ miscfiles_read_localization(telnetd_t) -seutil_dontaudit_search_config(telnetd_t) +seutil_read_config(telnetd_t) remotelogin_domtrans(telnetd_t) +userdom_search_unpriv_users_home_dirs(telnetd_t) + # for identd; cjp: this should probably only be inetd_child rules? optional_policy(` kerberos_use(telnetd_t) kerberos_read_keytab(telnetd_t) + kerberos_manage_host_rcache(telnetd_t) ') -ifdef(`TODO',` -# Allow krb5 telnetd to use fork and open /dev/tty for use -allow telnetd_t userpty_type:chr_file setattr; +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(telnetd_t) + fs_manage_nfs_files(telnetd_t) ') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(telnetd_t) + fs_manage_cifs_files(telnetd_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.2.7/policy/modules/services/tftp.fc --- nsaserefpolicy/policy/modules/services/tftp.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/tftp.fc 2008-02-13 16:57:15.000000000 -0500 @@ -4,3 +4,5 @@ /tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) /tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0) +/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.2.7/policy/modules/services/tftp.if --- nsaserefpolicy/policy/modules/services/tftp.if 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/tftp.if 2008-02-13 16:57:15.000000000 -0500 
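Review bot: The two tunable_policy blocks added at the end of telnet.te give telnetd_t `fs_manage_nfs_dirs`/`fs_manage_nfs_files` and the CIFS equivalents — create, write and delete on every NFS- or CIFS-mounted file — while the ssh server template in this same patch takes only `fs_read_nfs_files` and `fs_read_nfs_symlinks` for the same home-directory case. A login daemon that hands the session off via remotelogin_domtrans should not need write access to remote home directories, so unless a specific telnetd code path requires it, the read-only interfaces would be the consistent choice. Replacing `seutil_dontaudit_search_config` with `seutil_read_config` also turns a suppressed denial into a grant and deserves a one-line comment on what telnetd reads from the SELinux configuration.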
@@ -1 +1,44 @@
 ## Trivial file transfer protocol daemon
+
+########################################
+##
+## All of the rules required to administrate
+## an tftp environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the tftp domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`tftp_admin',`
+ gen_require(`
+ type tftp_t;
+ type tftpdir_t;
+ type tftp_rw_t;
+ type tftp_var_run_t;
+ ')
+
+ allow $1 tftp_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, tftp_t, tftp_t)
+
+ manage_all_pattern($1,tftp_rw_t)
+
+ manage_all_pattern($1,tftpdir_t)
+
+ files_list_pids($1)
+ manage_all_pattern($1,tftp_var_run_t)
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/timidity.if serefpolicy-3.2.7/policy/modules/services/timidity.if
--- nsaserefpolicy/policy/modules/services/timidity.if 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/timidity.if 2008-02-13 16:57:15.000000000 -0500
@@ -1 +1,2 @@
 ## MIDI to WAV converter and player configured as a service
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.fc serefpolicy-3.2.7/policy/modules/services/tor.fc
--- nsaserefpolicy/policy/modules/services/tor.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/tor.fc 2008-02-13 16:57:15.000000000 -0500
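Review bot: tftp_admin documents a third parameter, the user terminal type, that its body never uses, and unlike squid_admin and tor_admin in this patch it provides no init-script transition or role_transition for `$2`; if that is because tftpd is started from xinetd rather than an init script, a comment such as `# no init script transition: tftpd is spawned by xinetd` would stop the next reader from treating it as an omission. `manage_all_pattern($1,tftpdir_t)` also hands the admin domain write access to the boot-image directory that tftpd serves without authentication, which is the intended purpose but worth naming in the summary.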
@@ -1,7 +1,10 @@
 /etc/tor(/.*)? gen_context(system_u:object_r:tor_etc_t,s0)
 /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
 /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
 /var/log/tor(/.*)? gen_context(system_u:object_r:tor_var_log_t,s0)
 /var/run/tor(/.*)? gen_context(system_u:object_r:tor_var_run_t,s0)
+
+/etc/rc.d/init.d/tor -- gen_context(system_u:object_r:tor_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.if serefpolicy-3.2.7/policy/modules/services/tor.if
--- nsaserefpolicy/policy/modules/services/tor.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/tor.if 2008-02-13 16:57:15.000000000 -0500
@@ -17,3 +17,77 @@
 domtrans_pattern($1,tor_exec_t,tor_t)
 ')
+
+########################################
+##
+## Execute tor server in the tor domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`tor_script_domtrans',`
+ gen_require(`
+ type tor_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,tor_script_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an tor environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the tor domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`tor_admin',`
+ gen_require(`
+ type tor_t;
+ type tor_script_exec_t;
+ type tor_log_t;
+ type tor_etc_t;
+ type tor_var_lib_t;
+ type tor_var_run_t;
+ ')
+
+ allow $1 tor_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, tor_t, tor_t)
+
+ # Allow tor_t to restart the apache service
+ tor_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 tor_script_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ manage_all_pattern($1,tor_log_t)
+
+ files_list_etc($1)
+ manage_all_pattern($1,tor_etc_t)
+
+ files_list_var_lib($1)
+ manage_all_pattern($1,tor_var_lib_t)
+
+ files_list_pids($1)
+ manage_all_pattern($1,tor_var_run_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.2.7/policy/modules/services/tor.te
--- nsaserefpolicy/policy/modules/services/tor.te 2007-07-16 14:09:46.000000000 -0400
+++ serefpolicy-3.2.7/policy/modules/services/tor.te 2008-02-13 16:57:15.000000000 -0500
@@ -26,6 +26,9 @@
 type tor_var_run_t;
 files_pid_file(tor_var_run_t)
+type tor_script_exec_t;
+init_script_type(tor_script_exec_t)
+
 ########################################
 #
 # tor local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.fc serefpolicy-3.2.7/policy/modules/services/uucp.fc
--- nsaserefpolicy/policy/modules/services/uucp.fc 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/uucp.fc 2008-02-13 16:57:15.000000000 -0500
@@ -7,3 +7,4 @@
 /var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
 /var/log/uucp(/.*)? gen_context(system_u:object_r:uucpd_log_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.if serefpolicy-3.2.7/policy/modules/services/uucp.if
--- nsaserefpolicy/policy/modules/services/uucp.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/uucp.if 2008-02-13 16:57:15.000000000 -0500
@@ -60,3 +60,56 @@
 domtrans_pattern($1,uux_exec_t,uux_t)
 ')
+
+########################################
+##
+## All of the rules required to administrate
+## an uucp environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the uucp domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`uucp_admin',`
+ gen_require(`
+ type uucp_t;
+ type uucp_tmp_t;
+ type uucp_log_t;
+ type uucp_spool_t;
+ type uucp_ro_t;
+ type uucp_rw_t;
+ type uucp_var_run_t;
+ ')
+
+ allow $1 uucp_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, uucp_t, uucp_t)
+
+ files_list_tmp($1)
+ manage_all_pattern($1,uucp_tmp_t)
+
+ logging_list_logs($1)
+ manage_all_pattern($1,uucp_log_t)
+
+ files_list_spool($1)
+ manage_all_pattern($1,uucp_spool_t)
+
+ manage_all_pattern($1,uucp_rw_t)
+
+ manage_all_pattern($1,uucp_ro_t)
+
+ files_list_pids($1)
+ manage_all_pattern($1,uucp_var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-3.2.7/policy/modules/services/w3c.fc
--- nsaserefpolicy/policy/modules/services/w3c.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/w3c.fc 2008-02-13 16:57:15.000000000 -0500
@@ -0,0 +1,2 @@
+/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
+/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.if serefpolicy-3.2.7/policy/modules/services/w3c.if
--- nsaserefpolicy/policy/modules/services/w3c.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/w3c.if 2008-02-13 16:57:15.000000000 -0500
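Review bot: uucp_admin's gen_require names `uucp_t`, `uucp_tmp_t`, `uucp_log_t`, `uucp_spool_t`, `uucp_ro_t`, `uucp_rw_t` and `uucp_var_run_t`, but the uucp.fc context lines just above label the spool and log directories `uucpd_spool_t` and `uucpd_log_t`, so at least those two requires refer to types that do not exist and any caller of uucp_admin will fail at link time. If the daemon's types all carry the `uucpd_` prefix, the whole require list and the matching manage_all_pattern calls need renaming; please check against uucp.te, which this patch does not touch.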
@@ -0,0 +1,20 @@
+## W3C
+
+########################################
+##
+## Execute w3c server in the w3c domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`w3c_script_domtrans',`
+ gen_require(`
+ type w3c_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,w3c_script_exec_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.2.7/policy/modules/services/w3c.te
--- nsaserefpolicy/policy/modules/services/w3c.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/w3c.te 2008-02-13 16:57:15.000000000 -0500
@@ -0,0 +1,14 @@
+policy_module(w3c,1.2.1)
+
+apache_content_template(w3c_validator)
+
+sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
+
+corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
+corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
+corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
+
+miscfiles_read_certs(httpd_w3c_validator_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/watchdog.if serefpolicy-3.2.7/policy/modules/services/watchdog.if
--- nsaserefpolicy/policy/modules/services/watchdog.if 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/watchdog.if 2008-02-13 16:57:15.000000000 -0500
@@ -1 +1,2 @@
 ## Software watchdog
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xprint.if serefpolicy-3.2.7/policy/modules/services/xprint.if
--- nsaserefpolicy/policy/modules/services/xprint.if 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/services/xprint.if 2008-02-13 16:57:15.000000000 -0500
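Review bot: w3c_script_domtrans requires `type w3c_script_exec_t;`, but w3c.te as added here declares no such type (it holds only the apache_content_template call, the corenet rules and miscfiles_read_certs) and w3c.fc labels no init script, so any caller of the interface will fail to link; either declare the type with `init_script_type` as the squid and tor hunks do, or drop the interface. On w3c.te, the validator CGI fetches URLs supplied by web clients, so the outbound `corenet_tcp_connect_*` rules define how far a client-chosen request can reach; a comment recording that ftp, http and http_cache are the intended targets and that no other ports are deliberately granted would make future widenings easier to judge.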
@@ -1 +1,2 @@
 ## X print server
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.2.7/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2007-10-15 16:11:05.000000000 -0400
+++ serefpolicy-3.2.7/policy/modules/services/xserver.fc 2008-02-13 16:57:15.000000000 -0500
@@ -1,13 +1,13 @@
 #
 # HOME_DIR
 #
-HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:ROLE_fonts_config_t,s0)
-HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:ROLE_fonts_t,s0)
-HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
-HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
-HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
-HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
-HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
+HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
+HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
+HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
+HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
+HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:user_iceauth_home_t,s0)
+HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:user_xauth_home_t,s0)
+HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:user_xauth_home_t,s0)
 #
 # /dev
@@ -32,11 +32,6 @@
 /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-ifdef(`distro_redhat',`
-/etc/gdm/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/gdm/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-')
-
 #
 # /opt
 #
@@ -58,7 +53,7 @@
 #
 /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
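Review bot: Narrowing `/usr/(s)?bin/[xgkw]dm` to `/usr/bin/[xgkw]dm` means a display manager still installed under /usr/sbin would no longer be labeled xdm_exec_t and, presumably, would not transition into xdm_t; the gdm-binary entry directly above keeps its `(s)?`, so the two lines are now inconsistent. If the target distribution ships these only under /usr/bin, a comment saying so would help; otherwise keep the `(s)?` form.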
@@ -89,16 +84,21 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) -/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/lib/[gxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) +/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) -/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.7/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/xserver.if 2008-02-14 15:45:10.000000000 -0500 @@ -15,6 +15,7 @@ template(`xserver_common_domain_template',` gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; + type xdm_xserver_tmp_t; ') ############################## 
@@ -45,7 +46,7 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack - allow $1_xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; + allow $1_xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_ptrace sys_tty_config mknod net_bind_service }; dontaudit $1_xserver_t self:capability chown; allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_xserver_t self:memprotect mmap_zero; @@ -115,18 +116,23 @@ dev_rw_agp($1_xserver_t) dev_rw_framebuffer($1_xserver_t) dev_manage_dri_dev($1_xserver_t) - dev_create_generic_dirs($1_xserver_t) - dev_setattr_generic_dirs($1_xserver_t) + dev_manage_generic_dirs($1_xserver_t) # raw memory access is needed if not using the frame buffer dev_read_raw_memory($1_xserver_t) dev_wx_raw_memory($1_xserver_t) # for other device nodes such as the NVidia binary-only driver dev_rw_xserver_misc($1_xserver_t) + dev_setattr_xserver_misc_dev($1_xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev($1_xserver_t) dev_rwx_zero($1_xserver_t) + dev_read_urand($1_xserver_t) + dev_rw_generic_usb_dev($1_xserver_t) + dev_rw_generic_usb_pipes($1_xserver_t) domain_mmap_low($1_xserver_t) + domain_read_all_domains_state($1_xserver_t) + domain_dontaudit_ptrace_all_domains($1_xserver_t) files_read_etc_files($1_xserver_t) files_read_etc_runtime_files($1_xserver_t) 
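Review bot: The -45 hunk adds `sys_ptrace` to `$1_xserver_t`'s capabilities while the -115 hunk adds `domain_read_all_domains_state` and `domain_dontaudit_ptrace_all_domains` for the same domain; together they let the X server read every process's /proc state while real ptrace attempts are silently denied, which suggests the capability is wanted for those /proc reads rather than for tracing. The X server is a large privileged process that may listen on the network, so a comment naming the feature behind this (`# sys_ptrace: needed for <feature> — confirm`) would keep the widening reviewable. The -115 hunk also adds `dev_rw_generic_usb_dev` and `dev_rw_generic_usb_pipes` without comment; if they serve a particular input or graphics driver, say which. xserver_common_domain_template continues past both hunks.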
@@ -140,12 +146,16 @@ fs_getattr_xattr_fs($1_xserver_t) fs_search_nfs($1_xserver_t) fs_search_auto_mountpoints($1_xserver_t) - fs_search_ramfs($1_xserver_t) + fs_manage_ramfs_files($1_xserver_t) + fs_list_inotifyfs($1_xserver_t) auth_use_nsswitch($1_xserver_t) init_getpgid($1_xserver_t) + miscfiles_read_hwdata($1_xserver_t) + + term_search_ptys($1_xserver_t) term_setattr_unallocated_ttys($1_xserver_t) term_use_unallocated_ttys($1_xserver_t) @@ -223,8 +233,10 @@ template(`xserver_per_role_template',` gen_require(` - type iceauth_exec_t, xauth_exec_t; - attribute fonts_type, fonts_cache_type, fonts_config_type; + type iceauth_exec_t, iceauth_t, user_iceauth_home_t; + type xauth_t, xauth_exec_t, user_xauth_home_t; + type user_fonts_t, user_fonts_config_t, user_fonts_cache_t; + type xdm_xserver_tmp_t, xdm_xserver_t; ') ############################## 
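Review bot: `fs_search_ramfs($1_xserver_t)` is replaced by `fs_manage_ramfs_files($1_xserver_t)`, going from directory search to create/write/delete of files on ramfs, with no comment on which driver or feature needs it; a line such as `# manage ramfs files: <reason> — confirm` would do. The rest of the -140 hunk (`fs_list_inotifyfs`, `miscfiles_read_hwdata`, `term_search_ptys`) looks like ordinary read access. xserver_common_domain_template continues past the hunk.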
@@ -232,66 +244,51 @@ # Declarations # + ifelse(`$1',`user',`',` + typealias user_iceauth_home_t alias $1_iceauth_home_t; + typealias user_fonts_t alias $1_fonts_t; + typealias user_fonts_config_t alias $1_fonts_config_t; + typealias user_fonts_cache_t alias $1_fonts_cache_t; + ') + xserver_common_domain_template($1) role $3 types $1_xserver_t; - type $1_fonts_t, fonts_type; - userdom_user_home_content($1,$1_fonts_t) - - type $1_fonts_cache_t, fonts_cache_type; - userdom_user_home_content($1,$1_fonts_cache_t) - - type $1_fonts_config_t, fonts_config_type; - userdom_user_home_content($1,$1_fonts_cache_t) - - type $1_iceauth_t; - domain_type($1_iceauth_t) - domain_entry_file($1_iceauth_t,iceauth_exec_t) - role $3 types $1_iceauth_t; - - type $1_iceauth_home_t alias $1_iceauth_rw_t; - files_poly_member($1_iceauth_home_t) - userdom_user_home_content($1,$1_iceauth_home_t) - - type $1_xauth_t; - domain_type($1_xauth_t) - domain_entry_file($1_xauth_t,xauth_exec_t) - role $3 types $1_xauth_t; - - type $1_xauth_home_t alias $1_xauth_rw_t, xauth_home_type; - files_poly_member($1_xauth_home_t) - userdom_user_home_content($1,$1_xauth_home_t) + typealias xauth_t alias $1_xauth_t; + role $3 types xauth_t; - type $1_xauth_tmp_t; - files_tmp_file($1_xauth_tmp_t) + typealias iceauth_t alias $1_iceauth_t; + role $3 types iceauth_t; ############################## # # $1_xserver_t Local policy # + domtrans_pattern($1_xserver_t, xauth_exec_t, xauth_t) - domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) - - allow $1_xserver_t $1_xauth_home_t:file { getattr read }; + allow $1_xserver_t user_xauth_home_t:file { getattr read }; domtrans_pattern($2, xserver_exec_t, $1_xserver_t) allow $1_xserver_t $2:process signal; + read_files_pattern($1_xserver_t, $2, $2) allow $1_xserver_t $2:shm rw_shm_perms; + allow $1_xserver_t $2:file read_file_perms; - manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t) - manage_files_pattern($2,$1_fonts_t,$1_fonts_t) - 
relabel_dirs_pattern($2,$1_fonts_t,$1_fonts_t) - relabel_files_pattern($2,$1_fonts_t,$1_fonts_t) - - manage_dirs_pattern($2,$1_fonts_config_t,$1_fonts_config_t) - manage_files_pattern($2,$1_fonts_config_t,$1_fonts_config_t) - relabel_files_pattern($2,$1_fonts_config_t,$1_fonts_config_t) + manage_dirs_pattern($2,user_fonts_t,user_fonts_t) + manage_files_pattern($2,user_fonts_t,user_fonts_t) + relabel_dirs_pattern($2,user_fonts_t,user_fonts_t) + relabel_files_pattern($2,user_fonts_t,user_fonts_t) + + manage_dirs_pattern($2,user_fonts_config_t,user_fonts_config_t) + manage_files_pattern($2,user_fonts_config_t,user_fonts_config_t) + relabel_files_pattern($2,user_fonts_config_t,user_fonts_config_t) # For startup relabel - allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom }; + allow $2 user_fonts_cache_t:{ dir file } { relabelto relabelfrom }; stream_connect_pattern($2,$1_xserver_tmp_t,$1_xserver_tmp_t,$1_xserver_t) + stream_connect_pattern($2,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) allow $2 $1_xserver_tmpfs_t:file rw_file_perms; 
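Review bot: In the `$1_xserver_t` local policy part of this hunk both `read_files_pattern($1_xserver_t, $2, $2)` and `allow $1_xserver_t $2:file read_file_perms;` are added; read_files_pattern already expands to that allow (plus directory search), so one of the two is redundant and should go. Both give the X server read access to the user domain's /proc entries, which the hunk does not explain. Collapsing the per-role xauth and iceauth domains into shared `xauth_t`/`iceauth_t` and adding them to every role via `role $3 types xauth_t;` means the role of a running xauth process no longer identifies which user role launched it — worth a sentence in the template summary. xserver_per_role_template continues outside the hunk.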
@@ -307,113 +304,49 @@ userdom_use_user_ttys($1,$1_xserver_t) userdom_setattr_user_ttys($1,$1_xserver_t) userdom_rw_user_tmpfs_files($1,$1_xserver_t) + userdom_rw_user_tmp_files($1,$1_xserver_t) xserver_use_user_fonts($1,$1_xserver_t) - xserver_rw_xdm_tmp_files($1_xauth_t) optional_policy(` userhelper_search_config($1_xserver_t) ') - ifdef(`TODO',` - ifdef(`xdm.te', ` - allow $1_t xdm_tmp_t:sock_file unlink; - allow $1_xserver_t xdm_var_run_t:dir search; - ') - ') dnl end TODO - ############################## # - # $1_xauth_t Local policy + # xauth_t Local policy # - allow $1_xauth_t self:process signal; - allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms; - - allow $1_xauth_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file) + domtrans_pattern($2, xauth_exec_t, xauth_t) - manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t) - manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t) - files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir }) - - domtrans_pattern($2, xauth_exec_t, $1_xauth_t) - - allow $2 $1_xauth_t:process signal; + allow $2 xauth_t:process signal; # allow ps to show xauth - ps_process_pattern($2,$1_xauth_t) - - allow $2 $1_xauth_home_t:file manage_file_perms; - allow $2 $1_xauth_home_t:file { relabelfrom relabelto }; + ps_process_pattern($2,xauth_t) - allow xdm_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file) - - domain_use_interactive_fds($1_xauth_t) - - files_read_etc_files($1_xauth_t) - files_search_pids($1_xauth_t) - - fs_getattr_xattr_fs($1_xauth_t) - fs_search_auto_mountpoints($1_xauth_t) - - # cjp: why? 
- term_use_ptmx($1_xauth_t) - - auth_use_nsswitch($1_xauth_t) - - libs_use_ld_so($1_xauth_t) - libs_use_shared_libs($1_xauth_t) - - userdom_use_user_terminals($1,$1_xauth_t) - userdom_read_user_tmp_files($1,$1_xauth_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_xauth_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_xauth_t) - ') + userdom_use_user_terminals($1,xauth_t) + userdom_read_user_tmp_files($1,xauth_t) optional_policy(` - ssh_sigchld($1_xauth_t) - ssh_read_pipes($1_xauth_t) - ssh_dontaudit_rw_tcp_sockets($1_xauth_t) + xserver_read_user_xauth($1, $2) ') ############################## # - # $1_iceauth_t Local policy + # iceauth_t Local policy # - - domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t) - - allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1,$1_iceauth_t,$1_iceauth_home_t,file) + domtrans_pattern($2, iceauth_exec_t, iceauth_t) # allow ps to show iceauth - ps_process_pattern($2,$1_iceauth_t) - - allow $2 $1_iceauth_home_t:file manage_file_perms; - allow $2 $1_iceauth_home_t:file { relabelfrom relabelto }; + ps_process_pattern($2,iceauth_t) - allow xdm_t $1_iceauth_home_t:file read_file_perms; + allow $2 user_iceauth_home_t:file manage_file_perms; + allow $2 user_iceauth_home_t:file { relabelfrom relabelto }; - fs_search_auto_mountpoints($1_iceauth_t) + userdom_use_user_terminals($1,iceauth_t) - libs_use_ld_so($1_iceauth_t) - libs_use_shared_libs($1_iceauth_t) - - userdom_use_user_terminals($1,$1_iceauth_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_iceauth_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_iceauth_t) + optional_policy(` + xserver_read_user_iceauth($1, $2) ') ') 
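Review bot: The xauth_t section drops the old `allow $2 $1_xauth_home_t:file manage_file_perms;` and relabel rules and offers only the optional `xserver_read_user_xauth($1, $2)` in their place, while the iceauth_t section keeps `allow $2 user_iceauth_home_t:file manage_file_perms;` and its relabel pair; unless xserver.te, which this patch does not include, now grants user domains write access to user_xauth_home_t, users lose the ability to create or refresh their own ~/.Xauthority, and the asymmetry between the two sections looks accidental. `xserver_read_user_xauth` and `xserver_read_user_iceauth` belong to this same module, so wrapping the calls in optional_policy — meant for dependencies on other modules — is unusual and a plain call would be clearer. The removed rules also gave xdm_t manage rights on the xauth home type; where that moved is not visible here. xserver_per_role_template continues outside the hunk.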
@@ -523,17 +456,16 @@ template(`xserver_user_client_template',` gen_require(` - type xdm_t, xdm_tmp_t; - type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t; + type xdm_t, xdm_tmp_t, xdm_xserver_t; + type xdm_var_run_t; ') - allow $2 self:shm create_shm_perms; - allow $2 self:unix_dgram_socket create_socket_perms; - allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; + allow $2 $2:shm create_shm_perms; + allow $2 $2:unix_dgram_socket create_socket_perms; + allow $2 $2:unix_stream_socket { connectto create_stream_socket_perms }; - # Read .Xauthority file - allow $2 $1_xauth_home_t:file { getattr read }; - allow $2 $1_iceauth_home_t:file { getattr read }; + # this should cause the .xsession-errors file to be written to /tmp + userdom_dontaudit_write_unpriv_user_home_content_files(xdm_t) # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; 
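Review bot: The comment `# this should cause the .xsession-errors file to be written to /tmp` above `userdom_dontaudit_write_unpriv_user_home_content_files(xdm_t)` conflicts with the next hunk (-542), which adds `userdom_manage_user_home_content_files($1, xdm_t)`: an allow rule wins over a dontaudit, so xdm_t's write will succeed and .xsession-errors stays in the home directory. One intent has to win — either drop the manage rules and keep the dontaudit, or remove the dontaudit together with its now misleading comment. The dontaudit call also takes no `$1`, so it is emitted identically for every role the template is instantiated for.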
@@ -542,25 +474,55 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; + # consolekit needs this for fast user switching + allow $2 xdm_var_run_t:dir search_dir_perms; + allow $2 xdm_var_run_t:sock_file getattr; + + corenet_tcp_connect_xserver_port($2) + # Allow connections to X server. files_search_tmp($2) miscfiles_read_fonts($2) userdom_search_user_home_dirs($1,$2) - # for .xsession-errors - userdom_dontaudit_write_user_home_content_files($1,$2) + userdom_manage_user_home_content_dirs($1, xdm_t) + userdom_manage_user_home_content_files($1, xdm_t) + userdom_user_home_dir_filetrans_user_home_content($1, xdm_t, { dir file }) + userdom_manage_user_tmp_dirs($1, xdm_t) + userdom_manage_user_tmp_files($1, xdm_t) xserver_ro_session_template(xdm,$2,$3) - xserver_rw_session_template($1,$2,$3) - xserver_use_user_fonts($1,$2) xserver_read_xdm_tmp_files($2) - # Client write xserver shm - tunable_policy(`allow_write_xshm',` - allow $2 $1_xserver_t:shm rw_shm_perms; - allow $2 $1_xserver_tmpfs_t:file rw_file_perms; + xserver_xdm_stream_connect($2) + + optional_policy(` + gnome_manage_user_gnome_config($1, xdm_t) + ') + + optional_policy(` + userdom_read_all_users_home_content_files(xdm_t) + userdom_read_all_users_home_content_files(xdm_xserver_t) + userdom_rw_user_tmpfs_files($1, xdm_xserver_t) + ') + + # Read .Xauthority file + optional_policy(` + xserver_read_user_xauth($1, $2) + ') + + optional_policy(` + xserver_read_user_iceauth($1, $2) + ') + + optional_policy(` + xserver_use_user_fonts($1,$2) + ') + + optional_policy(` + xserver_rw_session_template(xdm,$2,$3) ') ') 
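Review bot: `userdom_manage_user_home_content_dirs($1, xdm_t)`, `userdom_manage_user_home_content_files($1, xdm_t)` and the filetrans and tmp rules beneath them give the display manager create, write and delete access to every home-content type of each user prefix this template is instantiated for, far broader than the .xsession-errors case the hunk above describes; if that file is the only need, a dedicated type (or the `userdom_dontaudit_write_user_home_content_files` call this hunk removes) keeps `xdm_t` from being able to alter arbitrary user files. These rules also target `xdm_t` rather than `$2`, so they are duplicated per user domain and belong in xserver.te. The `optional_policy` block that wraps only `userdom_*` calls for `xdm_t` and `xdm_xserver_t` gains nothing if userdomain is a base module, as it presumably is here, and wrapping the module's own `xserver_rw_session_template(xdm,$2,$3)` in `optional_policy` is unusual enough to deserve a comment. The template continues outside the hunk.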
@@ -593,26 +555,44 @@ # template(`xserver_use_user_fonts',` gen_require(` - type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t; + type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; ') # Read per user fonts - allow $2 $1_fonts_t:dir list_dir_perms; - allow $2 $1_fonts_t:file read_file_perms; + allow $2 user_fonts_t:dir list_dir_perms; + allow $2 user_fonts_t:file read_file_perms; # Manipulate the global font cache - manage_dirs_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t) - manage_files_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t) + manage_dirs_pattern($2,user_fonts_cache_t,user_fonts_cache_t) + manage_files_pattern($2,user_fonts_cache_t,user_fonts_cache_t) # Read per user font config - allow $2 $1_fonts_config_t:dir list_dir_perms; - allow $2 $1_fonts_config_t:file read_file_perms; + allow $2 user_fonts_config_t:dir list_dir_perms; + allow $2 user_fonts_config_t:file read_file_perms; userdom_search_user_home_dirs($1,$2) ') ######################################## ## +## Get the attributes of xauth executable +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_getattr_xauth',` + gen_require(` + type xauth_exec_t; + ') + + allow $1 xauth_exec_t:file getattr; +') + +######################################## +## ## Transition to a user Xauthority domain. ## ## @@ -638,10 +618,77 @@ # template(`xserver_domtrans_user_xauth',` gen_require(` - type $1_xauth_t, xauth_exec_t; + type xauth_exec_t, xauth_t; + ') + + domtrans_pattern($2, xauth_exec_t, xauth_t) +') + +######################################## +## +## Read a user Xauthority domain. +## +## +##

+## read to a user Xauthority domain. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`xserver_read_user_xauth',` + gen_require(` + type user_xauth_home_t; + ') + + allow $2 user_xauth_home_t:file { getattr read }; +') + +######################################## +## +## Read a user Iceauthority domain. +## +## +##

+## read to a user Iceauthority domain. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`xserver_read_user_iceauth',` + gen_require(` + type user_iceauth_home_t; ') - domtrans_pattern($2, xauth_exec_t, $1_xauth_t) + # Read .Iceauthority file + allow $2 user_iceauth_home_t:file { getattr read }; ') ######################################## @@ -671,10 +718,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` - type $1_xauth_home_t; + type user_xauth_home_t; ') - userdom_user_home_dir_filetrans($1, $2, $1_xauth_home_t, file) + userdom_user_home_dir_filetrans($1, $2, user_xauth_home_t, file) ') ######################################## @@ -760,7 +807,7 @@ type xconsole_device_t; ') - allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms; + allow $1 xconsole_device_t:fifo_file { getattr read write }; ') ######################################## @@ -860,6 +907,25 @@ ######################################## ## +## Connect to apmd over an unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_stream_connect',` + gen_require(` + type xdm_xserver_t, xserver_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1,xserver_var_run_t,xserver_var_run_t,xdm_xserver_t) +') + +######################################## +## ## Read xdm-writable configuration files. ## ## @@ -914,6 +980,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) + allow $1 xdm_tmp_t:sock_file unlink; ') ######################################## 
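Review bot: The summary and description of the new `xserver_read_user_xauth` and `xserver_read_user_iceauth` templates say they read "a user Xauthority domain", but each body grants `getattr read` on a home file type (`user_xauth_home_t`, `user_iceauth_home_t`), and the `$1` prefix documented as "The prefix of the user domain" is never used in either body. Propose `## Read the user .Xauthority file (user_xauth_home_t).` and `## Read the user .Iceauthority file (user_iceauth_home_t).` as summaries, and either drop the unused prefix parameter or state in the description that the type is shared across all user prefixes. The same applies to `xserver_domtrans_user_xauth` at the top of this hunk, which now transitions to the single `xauth_t` regardless of `$1`.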
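Review bot: The new `xserver_stream_connect` interface is summarised as "Connect to apmd over an unix stream socket", but its body connects `$1` to `xdm_xserver_t` through `xserver_var_run_t` sockets; the text looks copied from another module. Propose `## Connect to the XDM X server over a unix stream socket.`. The `xserver_xdm_stream_connect` interface added in the last hunk of this file carries the same apmd sentence and should read `## Connect to XDM over a unix stream socket.`.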
@@ -955,6 +1022,24 @@ ######################################## ## +## dontaudit search of XDM var lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_dontaudit_xdm_lib_search',` + gen_require(` + type xdm_var_lib_t; + ') + + dontaudit $1 xdm_var_lib_t:dir search_dir_perms; +') + +######################################## +## ## Execute the X server in the XDM X server domain. ## ## @@ -965,15 +1050,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` - type xdm_xserver_t, xserver_exec_t; + type xdm_xserver_t, xserver_exec_t, xdm_t; ') allow $1 xdm_xserver_t:process siginh; + allow xdm_t $1:process sigchld; domtrans_pattern($1,xserver_exec_t,xdm_xserver_t) ') ######################################## ## +## Execute xsever in the xdm_xserver domain, and +## allow the specified role the xdm_xserver domain. +## +## +## +## The type of the process performing this action. +## +## +## +## +## The role to be allowed the xdm_xserver domain. +## +## +## +## +## The type of the terminal allow the xdm_xserver domain to use. +## +## +# +interface(`xserver_run_xdm_xserver',` + gen_require(` + type xdm_xserver_t; + ') + + xserver_domtrans_xdm_xserver($1) + role $2 types xdm_xserver_t; + allow xdm_xserver_t $3:chr_file rw_term_perms; +') + +######################################## +## ## Make an X session script an entrypoint for the specified domain. ## ## @@ -1123,7 +1240,7 @@ type xdm_xserver_tmp_t; ') - allow $1 xdm_xserver_tmp_t:file { getattr read }; + read_files_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t) ') ######################################## 
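Review bot: `xserver_domtrans_xdm_xserver` now adds `allow xdm_t $1:process sigchld;`, a right granted to `xdm_t` over the calling domain rather than to the caller, and nothing in the hunk records why the display manager must be able to send SIGCHLD to whoever execs the X server; a comment above the line naming the case that produced the denial would let future readers judge it, and `xserver_run_xdm_xserver` below inherits the grant through its call. The summary of `xserver_run_xdm_xserver` also has a typo: `## Execute xsever in the xdm_xserver domain, and` should read `## Execute xserver in the xdm_xserver domain, and`.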
@@ -1312,3 +1429,65 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') + +######################################## +## +## Connect to apmd over an unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_xdm_stream_connect',` + gen_require(` + type xdm_t, xdm_var_run_t; + ') + + files_search_pids($1) + allow $1 xdm_var_run_t:sock_file write; + allow $1 xdm_t:unix_stream_socket connectto; +') + +######################################## +## +## xdm xserver RW shared memory socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_xdm_rw_shm',` + gen_require(` + type xdm_xserver_t; + ') + + allow xdm_xserver_t $1:fd use; + allow $1 xdm_xserver_t:shm rw_shm_perms; + allow xdm_xserver_t $1:shm rw_shm_perms; + +') + +######################################## +## +## Ptrace XDM +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_ptrace_xdm',` + gen_require(` + type xdm_t; + ') + + allow $1 xdm_t:process ptrace; +') + + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.7/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/xserver.te 2008-02-13 16:57:15.000000000 -0500 @@ -16,6 +16,13 @@ ## ##
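Review bot: `xserver_ptrace_xdm` grants `allow $1 xdm_t:process ptrace;` yet documents its parameter as "Domain to not audit", the wording of a dontaudit interface; it should read `## Domain allowed access.`, and because tracing the display manager is a strong right the summary should name the consumer that needs it. `xserver_xdm_rw_shm` likewise grants `allow xdm_xserver_t $1:fd use;` and a reverse shm rule to `xdm_xserver_t` over the caller, which the summary "xdm xserver RW shared memory socket" does not convey; propose `## Read and write shared memory with the XDM X server in both directions and let it use the caller's file descriptors.`. `xserver_xdm_stream_connect` spells out the `sock_file write` and `connectto` rules by hand while `xserver_stream_connect` earlier in this file uses `stream_connect_pattern`; using the pattern here too keeps the two consistent. The stray blank line before the closing of `xserver_xdm_rw_shm` and the trailing blank lines at end of file should go.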

+## Allows XServer to execute writable memory +##

+##
+gen_tunable(allow_xserver_execmem,false) + +## +##

## Allow xdm logins as sysadm ##

##
@@ -26,11 +33,14 @@ attribute fonts_config_type; attribute xauth_home_type; +type iceauth_t; type iceauth_exec_t; -application_executable_file(iceauth_exec_t) +application_domain(iceauth_t,iceauth_exec_t) +type xauth_t; type xauth_exec_t; -application_executable_file(xauth_exec_t) +application_domain(xauth_t, xauth_exec_t) +role system_r types xauth_t; # this is not actually a device, its a pipe type xconsole_device_t; @@ -56,6 +66,12 @@ type xdm_var_run_t; files_pid_file(xdm_var_run_t) +type xserver_var_lib_t; +files_type(xserver_var_lib_t) + +type xserver_var_run_t; +files_pid_file(xserver_var_run_t) + type xdm_tmp_t; files_tmp_file(xdm_tmp_t) typealias xdm_tmp_t alias ice_tmp_t; @@ -78,6 +94,29 @@ type xserver_log_t; logging_log_file(xserver_log_t) +type user_fonts_t, fonts_type; +userdom_user_home_content(user,user_fonts_t) + +type user_fonts_cache_t, fonts_cache_type; +userdom_user_home_content(user,user_fonts_cache_t) + +type user_fonts_config_t, fonts_config_type; +userdom_user_home_content(user,user_fonts_config_t) + +type user_iceauth_home_t; +files_poly_member(user_iceauth_home_t) +userdom_user_home_content(user,user_iceauth_home_t) + +type user_xauth_home_t alias user_xauth_rw_t, xauth_home_type; +files_poly_member(user_xauth_home_t) +userdom_user_home_content(user,user_xauth_home_t) + +type admin_xauth_home_t; +files_type(user_xauth_home_t) + +type user_xauth_tmp_t; +files_tmp_file(user_xauth_tmp_t) + xserver_common_domain_template(xdm) init_system_domain(xdm_xserver_t,xserver_exec_t) 
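Review bot: `type admin_xauth_home_t;` is immediately followed by `files_type(user_xauth_home_t)`, which looks like a slip: `user_xauth_home_t` already received its attributes from `userdom_user_home_content` two lines earlier, while `admin_xauth_home_t` is left with no file attribute at all even though it later becomes the target of `userdom_sysadm_home_dir_filetrans` and a manage rule for `xauth_t`. Change the line to `files_type(admin_xauth_home_t)` (or the sysadm home-content counterpart of the interface used for the user_ types, if one exists). Without a file attribute the new type falls outside the generic file-handling and relabel rules other domains obtain through the `files_*` interfaces.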
@@ -95,8 +134,9 @@ # XDM Local policy # -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; +allow xdm_t self:capability { setgid setuid sys_ptrace sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; +allow xdm_t self:process { getattr setexec setpgid getsched ptrace setsched setrlimit signal_perms }; + allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; @@ -109,6 +149,8 @@ allow xdm_t self:key { search link write }; allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) 
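Review bot: The capability rule for `xdm_t` gains `sys_ptrace` and the self process rule gains `ptrace`, with no comment saying which display-manager operation needs to inspect other processes; CAP_SYS_PTRACE lifts the DAC check on tracing and on reading other processes' state, so a line such as `# sys_ptrace: <what xdm needs to read from other processes>` (filled in) should accompany it, and a `dontaudit` is the safer first answer if this only silences a probe. The same edit drops `setkeycreate` from `self:process` while `userdom_create_all_users_keys(xdm_t)` remains in place later in the file; if xdm still sets a key creation context that permission is needed, so verify a login still works before merging.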
@@ -131,15 +173,22 @@ manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) +fs_rw_tmpfs_files(xdm_xserver_t) +fs_getattr_all_fs(xdm_t) +fs_search_inotifyfs(xdm_t) +fs_list_all(xdm_t) manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file) +# Read machine-id +files_read_var_lib_files(xdm_t) manage_dirs_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t) manage_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t) manage_fifo_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t) -files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file }) +manage_sock_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t) +files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file sock_file }) allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; @@ -153,6 +202,7 @@ allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xdm_xserver_t:shm rw_shm_perms; +read_files_pattern(xdm_t, xdm_xserver_t, xdm_xserver_t) # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) @@ -173,6 +223,8 @@ corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) +# Uses DBUS +corecmd_bin_entry_type(xdm_t) corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) @@ -184,6 +236,7 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) +corenet_udp_bind_xdmcp_port(xdm_t) corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t @@ -196,6 +249,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) +dev_rw_input_dev(xdm_t) dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) 
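Review bot: `fs_getattr_all_fs(xdm_t)` is added here although the identical call already appears further down in the XDM section (visible as context in the `@@ -226,6 +280,7 @@` hunk), and `fs_rw_tmpfs_files(xdm_xserver_t)` is placed in the `xdm_t` local-policy block instead of with the other `xdm_xserver_t` rules. Drop the duplicate and move the X server rule to its own section so a reader auditing `xdm_xserver_t` privileges finds it there.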
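Review bot: `corecmd_bin_entry_type(xdm_t)` makes every `bin_t` file an entrypoint for the display-manager domain, weakening the property that `xdm_t` is entered only through `xdm_exec_t`, and the comment `# Uses DBUS` does not say why an entrypoint (rather than plain execution, which `corecmd_exec_bin(xdm_t)` two lines above already grants) is required. If a particular D-Bus helper has to run in `xdm_t`, label that binary `xdm_exec_t` or a dedicated entry type instead, and replace the comment with the concrete reason.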
@@ -208,8 +262,8 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) -dev_getattr_sound_dev(xdm_t) -dev_setattr_sound_dev(xdm_t) +dev_read_sound(xdm_t) +dev_write_sound(xdm_t) dev_getattr_power_mgmt_dev(xdm_t) dev_setattr_power_mgmt_dev(xdm_t) @@ -226,6 +280,7 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) +files_dontaudit_getattr_boot_dirs(xdm_t) fs_getattr_all_fs(xdm_t) fs_search_auto_mountpoints(xdm_t) @@ -245,6 +300,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) +auth_signal_pam(xdm_t) auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) @@ -256,12 +312,11 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) +logging_send_audit_msgs(xdm_t) miscfiles_read_localization(xdm_t) miscfiles_read_fonts(xdm_t) -sysnet_read_config(xdm_t) - userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_dontaudit_search_sysadm_home_dirs(xdm_t) userdom_create_all_users_keys(xdm_t) @@ -270,6 +325,10 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) +# +# Wants to delete .xsession-errors file +# +userdom_unlink_unpriv_users_home_content_files(xdm_t) xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t) @@ -304,7 +363,11 @@ ') optional_policy(` - consolekit_dbus_chat(xdm_t) + bootloader_domtrans(xdm_t) +') + +optional_policy(` + consolekit_read_log(xdm_t) ') optional_policy(` @@ -312,6 +375,23 @@ ') optional_policy(` + dbus_per_role_template(xdm, xdm_t, system_r) + dbus_system_bus_client_template(xdm, xdm_t) + + optional_policy(` + consolekit_dbus_chat(xdm_t) + ') + + optional_policy(` + hal_dbus_chat(xdm_t) + ') + + optional_policy(` + networkmanager_dbus_chat(xdm_t) + ') +') + +optional_policy(` # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) 
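Review bot: `bootloader_domtrans(xdm_t)` lets the display manager transition into the bootloader domain, which edits boot configuration, and no comment records which xdm feature triggers it; add one above the call, e.g. `# <feature> needs to run the bootloader tools (TODO: name it)`. Whether a transition rather than a dontaudit is wanted should be confirmed against the denial that motivated the rule.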
@@ -322,6 +402,10 @@ ') optional_policy(` + gnome_exec_gconf(xdm_t) +') + +optional_policy(` loadkeys_exec(xdm_t) ') @@ -335,6 +419,11 @@ ') optional_policy(` + polkit_domtrans_auth(xdm_t) + polkit_read_lib(xdm_t) +') + +optional_policy(` seutil_sigchld_newrole(xdm_t) ') @@ -343,8 +432,8 @@ ') optional_policy(` - unconfined_domain(xdm_t) unconfined_domtrans(xdm_t) + unconfined_signal(xdm_t) ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; @@ -380,7 +469,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; -allow xdm_xserver_t xdm_var_run_t:file { getattr read }; +read_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t) # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) @@ -392,6 +481,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) +manage_dirs_pattern(xdm_xserver_t,xserver_var_lib_t,xserver_var_lib_t) +manage_files_pattern(xdm_xserver_t,xserver_var_lib_t,xserver_var_lib_t) +files_var_lib_filetrans(xdm_xserver_t,xserver_var_lib_t,dir) + +manage_dirs_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t) +manage_files_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t) +manage_sock_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t) +files_pid_filetrans(xdm_xserver_t,xserver_var_run_t,dir) + # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) @@ -404,6 +502,7 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_unpriv_users_home_content_files(xdm_xserver_t) +userdom_manage_unpriv_users_tmp_files(xdm_xserver_t) xserver_use_all_users_fonts(xdm_xserver_t) @@ -420,6 +519,14 @@ ') optional_policy(` + locallogin_use_fds(xdm_xserver_t) +') + +optional_policy(` + mono_rw_shm(xdm_xserver_t) +') + +optional_policy(` resmgr_stream_connect(xdm_t) ') 
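Review bot: In the new `xdm_xserver_t` block for `xserver_var_run_t`, the line `manage_sock_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t)` targets `xdm_var_run_t` rather than `xserver_var_run_t`, and `files_pid_filetrans(xdm_xserver_t,xserver_var_run_t,dir)` transitions only directories, so sockets the X server creates would not get either type anyway. If the X server really creates sockets in xdm's run directory a comment should say so; otherwise change the line to `manage_sock_files_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t)` and widen the filetrans to `{ dir sock_file }`.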
@@ -429,47 +536,103 @@ ') optional_policy(` - unconfined_domain_noaudit(xdm_xserver_t) - unconfined_domtrans(xdm_xserver_t) + rpm_dontaudit_rw_shm(xdm_xserver_t) + rpm_rw_tmpfs_files(xdm_xserver_t) +') - ifndef(`distro_redhat',` - allow xdm_xserver_t self:process { execheap execmem }; - ') +optional_policy(` + unconfined_rw_shm(xdm_xserver_t) + unconfined_execmem_rw_shm(xdm_xserver_t) + unconfined_rw_tmpfs_files(xdm_xserver_t) - ifdef(`distro_rhel4',` - allow xdm_xserver_t self:process { execheap execmem }; - ') + # xserver signals unconfined user on startx + unconfined_signal(xdm_xserver_t) + unconfined_getpgid(xdm_xserver_t) +') + + +tunable_policy(`allow_xserver_execmem', ` + allow xdm_xserver_t self:process { execheap execmem execstack }; +') + +ifndef(`distro_redhat',` + allow xdm_xserver_t self:process { execheap execmem }; ') -ifdef(`TODO',` -# Need to further investigate these permissions and -# perhaps define derived types. -allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink }; -allow xdm_t var_lib_t:file { create write unlink }; - -# Do not audit attempts to write to index files under /usr -dontaudit xdm_t usr_t:file write; - -ifdef(`rhgb.te', ` -allow xdm_xserver_t ramfs_t:dir rw_dir_perms; -allow xdm_xserver_t ramfs_t:file manage_file_perms; -allow rhgb_t xdm_xserver_t:process signal; -') - -tunable_policy(`allow_polyinstantiation',` -# xdm needs access for linking .X11-unix to poly /tmp -allow xdm_t polymember:dir { add_name remove_name write }; -allow xdm_t polymember:lnk_file { create unlink }; -# xdm needs access for copying .Xauthority into new home -allow xdm_t polymember:file { create getattr write }; +ifdef(`distro_rhel4',` + allow xdm_xserver_t self:process { execheap execmem }; ') +############################## # -# Wants to delete .xsession-errors file +# xauth_t Local policy # -allow xdm_t user_home_type:file unlink; +domtrans_pattern(xdm_xserver_t, xauth_exec_t, xauth_t) + 
+userdom_user_home_dir_filetrans(user,xauth_t,user_xauth_home_t,file) +xserver_rw_xdm_tmp_files(xauth_t) +allow xauth_t self:process signal; +allow xauth_t self:unix_stream_socket create_stream_socket_perms; + +allow xauth_t user_xauth_home_t:file manage_file_perms; +allow xdm_t user_xauth_home_t:file append_file_perms; + +manage_dirs_pattern(xauth_t,user_xauth_tmp_t,user_xauth_tmp_t) +manage_files_pattern(xauth_t,user_xauth_tmp_t,user_xauth_tmp_t) +files_tmp_filetrans(xauth_t, user_xauth_tmp_t, { file dir }) + +domain_use_interactive_fds(xauth_t) + +files_read_etc_files(xauth_t) +files_search_pids(xauth_t) + +fs_getattr_xattr_fs(xauth_t) +fs_search_auto_mountpoints(xauth_t) + +# cjp: why? +term_use_ptmx(xauth_t) + +auth_use_nsswitch(xauth_t) + +libs_use_ld_so(xauth_t) +libs_use_shared_libs(xauth_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files(xauth_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files(xauth_t) +') + +optional_policy(` + ssh_sigchld(xauth_t) + ssh_read_pipes(xauth_t) + ssh_dontaudit_rw_tcp_sockets(xauth_t) +') + +############################## # -# Should fix exec of pam_timestamp_check is not closing xdm file descriptor +# iceauth_t Local policy # -allow pam_t xdm_t:fifo_file { getattr ioctl write }; -') dnl end TODO + +allow iceauth_t user_iceauth_home_t:file manage_file_perms; +userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file) + +allow xdm_t user_iceauth_home_t:file read_file_perms; + +fs_search_auto_mountpoints(iceauth_t) + +libs_use_ld_so(iceauth_t) +libs_use_shared_libs(iceauth_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files(iceauth_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files(iceauth_t) +') + +allow xauth_t admin_xauth_home_t:file manage_file_perms; +userdom_sysadm_home_dir_filetrans(xauth_t, admin_xauth_home_t, file) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.fc 
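Review bot: `userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file)` sits in xserver.te, which is not an m4 template, so `$1` is never substituted and the prefix argument is bogus; the xauth_t block directly above uses `userdom_user_home_dir_filetrans(user,xauth_t,user_xauth_home_t,file)`, and the iceauth line should likewise read `userdom_user_home_dir_filetrans(user,iceauth_t,user_iceauth_home_t,file)`. Separately, the unconditional execheap/execmem rule for non-Red Hat distros follows immediately after the new allow_xserver_execmem tunable block, so on those distros the tunable only controls execstack; a one-line comment stating that this is intended would save the next reader the same question.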
serefpolicy-3.2.7/policy/modules/services/zabbix.fc --- nsaserefpolicy/policy/modules/services/zabbix.fc 2007-04-11 15:52:54.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/services/zabbix.fc 2008-02-13 16:57:15.000000000 -0500 @@ -1,5 +1,8 @@ + /usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) /var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0) + +/etc/rc.d/init.d/zabbix -- gen_context(system_u:object_r:zabbix_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.if serefpolicy-3.2.7/policy/modules/services/zabbix.if --- nsaserefpolicy/policy/modules/services/zabbix.if 2008-02-06 10:33:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/zabbix.if 2008-02-13 16:57:15.000000000 -0500 @@ -79,6 +79,25 @@ ######################################## ## +## Execute zabbix server in the zabbix domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`zabbix_script_domtrans',` + gen_require(` + type zabbix_script_exec_t; + ') + + init_script_domtrans_spec($1,zabbix_script_exec_t) +') + +######################################## +## ## All of the rules required to administrate ## an zabbix environment ## 
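Review bot: `zabbix_script_domtrans` is summarised as "Execute zabbix server in the zabbix domain", but its body calls `init_script_domtrans_spec($1,zabbix_script_exec_t)`, i.e. it runs the zabbix init script in the init script domain, not the server; propose `## Execute the zabbix init script in the init script domain.`. The doubled `#` line before the interface header is a stray. `zebra_script_domtrans` in zebra.if below carries the same mis-description and should say `## Execute the zebra init script in the init script domain.`.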
@@ -101,15 +120,26 @@ # interface(`zabbix_admin',` gen_require(` - type zabbix_t, zabbix_log_t, zabbix_var_run_t; + type zabbix_t; + type zabbix_script_exec_t; + type zabbix_log_t; + type zabbix_var_run_t; ') allow $1 zabbix_t:process { ptrace signal_perms getattr }; read_files_pattern($1, zabbix_t, zabbix_t) + # Allow zabbix_t to restart the apache service + zabbix_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 zabbix_script_exec_t system_r; + allow $2 system_r; + logging_list_logs($1) - manage_files_pattern($1, zabbix_log_t, zabbix_log_t) + manage_all_pattern($1,zabbix_log_t) files_list_pids($1) - manage_files_pattern($1, zabbix_var_run_t, zabbix_var_run_t) + manage_all_pattern($1,zabbix_var_run_t) ') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.te serefpolicy-3.2.7/policy/modules/services/zabbix.te --- nsaserefpolicy/policy/modules/services/zabbix.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/zabbix.te 2008-02-13 16:57:15.000000000 -0500 @@ -18,6 +18,9 @@ type zabbix_var_run_t; files_pid_file(zabbix_var_run_t) +type zabbix_script_exec_t; +init_script_type(zabbix_script_exec_t) + ######################################## # # zabbix local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.fc serefpolicy-3.2.7/policy/modules/services/zebra.fc --- nsaserefpolicy/policy/modules/services/zebra.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/zebra.fc 2008-02-13 16:57:15.000000000 -0500 
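Review bot: The comment `# Allow zabbix_t to restart the apache service` above `zabbix_script_domtrans($1)` is wrong on both counts: the domain granted is the admin domain `$1`, not `zabbix_t`, and the service is zabbix, not apache; propose `# Allow $1 to restart the zabbix service via its init script`. The block also introduces `$2` as a role (`role_transition $2 zabbix_script_exec_t system_r;`, `allow $2 system_r;`), so the parameter documentation above this hunk must describe the new role parameter. The `zebra_admin` hunk in zebra.if has the identical apache comment and the same undocumented `$2`.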
@@ -14,3 +14,10 @@ /var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0) /var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0) /var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0) + +/etc/rc.d/init.d/bgpd -- gen_context(system_u:object_r:zebra_script_exec_t,s0) +/etc/rc.d/init.d/ospf6d -- gen_context(system_u:object_r:zebra_script_exec_t,s0) +/etc/rc.d/init.d/ospfd -- gen_context(system_u:object_r:zebra_script_exec_t,s0) +/etc/rc.d/init.d/ripd -- gen_context(system_u:object_r:zebra_script_exec_t,s0) +/etc/rc.d/init.d/ripngd -- gen_context(system_u:object_r:zebra_script_exec_t,s0) +/etc/rc.d/init.d/zebra -- gen_context(system_u:object_r:zebra_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.2.7/policy/modules/services/zebra.if --- nsaserefpolicy/policy/modules/services/zebra.if 2008-02-06 10:33:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/zebra.if 2008-02-13 16:57:15.000000000 -0500 @@ -18,12 +18,32 @@ files_search_etc($1) allow $1 zebra_conf_t:dir list_dir_perms; - read_files_pattern($1, zebra_conf_t, zebra_conf_t) - read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t) + read_files_pattern($1,zebra_conf_t,zebra_conf_t) + read_lnk_files_pattern($1,zebra_conf_t,zebra_conf_t) ') ######################################## ## +## Execute zebra server in the zebra domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`zebra_script_domtrans',` + gen_require(` + type zebra_script_exec_t; + ') + + init_script_domtrans_spec($1,zebra_script_exec_t) +') + + +######################################## +## ## All of the rules required to administrate ## an zebra environment ## 
@@ -46,22 +66,32 @@ # interface(`zebra_admin',` gen_require(` - type zebra_t, zebra_tmp_t, zebra_log_t; - type zebra_conf_t, zebra_var_run_t; + type zebra_t; + type zebra_script_exec_t; + type zebra_tmp_t; + type zebra_log_t; + type zebra_conf_t; + type zebra_var_run_t; ') allow $1 zebra_t:process { ptrace signal_perms getattr }; read_files_pattern($1, zebra_t, zebra_t) + # Allow zebra_t to restart the apache service + zebra_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 zebra_script_exec_t system_r; + allow $2 system_r; + files_list_tmp($1) - manage_files_pattern($1, zebra_tmp_t, zebra_tmp_t) + manage_all_pattern($1,zebra_tmp_t) logging_list_logs($1) - manage_files_pattern($1, zebra_log_t, zebra_log_t) + manage_all_pattern($1,zebra_log_t) files_list_etc($1) - manage_files_pattern($1, zebra_conf_t, zebra_conf_t) + manage_all_pattern($1,zebra_conf_t) files_list_pids($1) - manage_files_pattern($1, zebra_var_run_t, zebra_var_run_t) + manage_all_pattern($1,zebra_var_run_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.te serefpolicy-3.2.7/policy/modules/services/zebra.te --- nsaserefpolicy/policy/modules/services/zebra.te 2008-02-06 10:33:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/zebra.te 2008-02-13 16:57:15.000000000 -0500 @@ -30,6 +30,9 @@ type zebra_var_run_t; files_pid_file(zebra_var_run_t) +type zebra_script_exec_t; +init_script_type(zebra_script_exec_t) + ######################################## # # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.2.7/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2007-12-12 11:35:28.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/authlogin.fc 2008-02-13 16:57:15.000000000 -0500 
@@ -40,5 +40,10 @@ /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) +/var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) +/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) +/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.7/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-02-01 09:12:53.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/authlogin.if 2008-02-13 16:57:15.000000000 -0500 @@ -99,7 +99,7 @@ template(`authlogin_per_role_template',` gen_require(` - type system_chkpwd_t, shadow_t; + type system_chkpwd_t, shadow_t, updpwd_t; ') authlogin_common_auth_domain_template($1) @@ -169,6 +169,7 @@ interface(`auth_login_pgm_domain',` gen_require(` type var_auth_t; + type auth_cache_t; ') domain_type($1) @@ -177,12 +178,27 @@ domain_obj_id_change_exemption($1) role system_r types $1; + # Needed for pam_selinux_permit to cleanup properly + domain_read_all_domains_state($1) + domain_kill_all_domains($1) + + # pam_keyring + allow $1 self:capability ipc_lock; + allow $1 self:process setkeycreate; + allow $1 self:key manage_key_perms; + userdom_manage_all_users_keys($1) + files_list_var_lib($1) manage_files_pattern($1, var_auth_t, var_auth_t) # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 kernel_rw_afs_state($1) + manage_dirs_pattern($1, auth_cache_t, auth_cache_t) + manage_files_pattern($1, auth_cache_t, auth_cache_t) + manage_sock_files_pattern($1, auth_cache_t, auth_cache_t) + files_var_filetrans($1,auth_cache_t,dir) + # for SSP/ProPolice dev_read_urand($1) # for fingerprint readers 
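Review bot: `domain_kill_all_domains($1)` and `domain_read_all_domains_state($1)` are added to `auth_login_pgm_domain`, so every login-program domain, not only one that loads pam_selinux_permit, may signal-kill any process on the system; the comment names the module but not why all callers should inherit this, and restricting it to the domains that actually use that module, or to the signals really needed, is the least-privilege form. `files_var_filetrans($1,auth_cache_t,dir)` is similarly wide: it is not name-qualified, so any directory a login program creates directly under /var becomes `auth_cache_t`, not just the coolkey cache the .fc hunk labels — confirm that is acceptable or leave directory creation to packaging plus the .fc entry. The enclosing interface continues outside the hunk.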
@@ -226,6 +242,31 @@ seutil_read_config($1) seutil_read_default_contexts($1) + userdom_set_rlimitnh($1) + userdom_unlink_unpriv_users_tmp_files($1) + userdom_unpriv_users_stream_connect($1) + + optional_policy(` + dbus_system_bus_client_template(notused, $1) + optional_policy(` + oddjob_dbus_chat($1) + oddjob_domtrans_mkhomedir($1) + ') + ') + + optional_policy(` + mount_domtrans($1) + ') + + optional_policy(` + nis_authenticate($1) + ') + + optional_policy(` + ssh_agent_exec($1) + userdom_read_all_users_home_content_files($1) + ') + tunable_policy(`allow_polyinstantiation',` files_polyinstantiate_all($1) ') @@ -342,6 +383,8 @@ optional_policy(` kerberos_use($1) + kerberos_read_keytab($1) + kerberos_524_connect($1) ') optional_policy(` @@ -356,6 +399,28 @@ optional_policy(` samba_stream_connect_winbind($1) ') + auth_domtrans_upd_passwd($1) +') + +######################################## +## +## Run unix_chkpwd to check a password. +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_domtrans_chkpwd',` + gen_require(` + type system_chkpwd_t, chkpwd_exec_t, shadow_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t) + dontaudit $1 shadow_t:file { getattr read }; + auth_domtrans_upd_passwd($1) ') ######################################## @@ -369,12 +434,12 @@ ## ## ## -## The role to allow the chkpwd domain. +## The role to allow the updpwd domain. ## ## ## ## -## The type of the terminal allow the chkpwd domain to use. +## The type of the terminal allow the updpwd domain to use. ## ## # @@ -386,6 +451,7 @@ auth_domtrans_chk_passwd($1) role $2 types system_chkpwd_t; allow system_chkpwd_t $3:chr_file rw_file_perms; + auth_run_upd_passwd($1, $2, $3) ') ######################################## @@ -1457,6 +1523,7 @@ optional_policy(` samba_stream_connect_winbind($1) samba_read_var_files($1) + samba_dontaudit_write_var_files($1) ') ') 
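Review bot: Inside the ssh `optional_policy` block, `userdom_read_all_users_home_content_files($1)` gives every login program read access to every user's home-content types, while the only visible motivation is the adjacent `ssh_agent_exec($1)` (presumably a PAM module reading key files); if so, a dedicated key type or an ssh-module interface scoped to its own home-content type would bound this, and a comment should name the module. `mount_domtrans($1)` and `dbus_system_bus_client_template(notused, $1)` likewise widen all login programs without a comment, and the `notused` prefix argument in particular deserves a note explaining that the template's per-prefix rules are deliberately not wanted here. The enclosing interface continues outside the hunk.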
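Review bot: The new `auth_domtrans_chkpwd` sits next to the existing `auth_domtrans_chk_passwd` (called as context in the `@@ -386,6 +451,7 @@` hunk below) with a near-identical name and, judging by its body — transition to `system_chkpwd_t`, a dontaudit on `shadow_t`, and now `auth_domtrans_upd_passwd($1)` — an apparently identical purpose; two such names invite callers to pick inconsistently and rules to drift apart. Either make `auth_domtrans_chkpwd` a thin wrapper that calls `auth_domtrans_chk_passwd($1)`, or drop it, and state in its description how it differs if it must stay.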
@@ -1491,3 +1558,23 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') + +######################################## +## +## Read authentication cache +## +## +## +## Domain allowed access. +## +## +## +# +interface(`auth_read_cache',` + gen_require(` + type auth_cache_t; + ') + + read_files_pattern($1, auth_cache_t, auth_cache_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.7/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2008-02-06 10:33:22.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/authlogin.te 2008-02-13 16:57:15.000000000 -0500 @@ -59,6 +59,9 @@ type utempter_exec_t; application_domain(utempter_t,utempter_exec_t) +type auth_cache_t; +logging_log_file(auth_cache_t) + # # var_auth_t is the type of /var/lib/auth, usually # used for auth data in pam_able @@ -73,6 +76,9 @@ authlogin_common_auth_domain_template(system) role system_r types system_chkpwd_t; +# Read only version of updpwd +domain_entry_file(system_chkpwd_t,updpwd_exec_t) + ######################################## # # PAM local policy @@ -122,6 +128,12 @@ userdom_use_unpriv_users_fds(pam_t) +userdom_write_unpriv_users_tmp_files(pam_t) +userdom_unlink_unpriv_users_tmp_files(pam_t) +userdom_dontaudit_read_unpriv_users_home_content_files(pam_t) +userdom_dontaudit_write_user_home_content_files(user, pam_t) +userdom_append_unpriv_users_home_content_files(pam_t) + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(pam_t) @@ -297,8 +309,10 @@ files_manage_etc_files(updpwd_t) term_dontaudit_use_console(updpwd_t) -term_dontaudit_use_console(updpwd_t) +term_dontaudit_use_all_user_ptys(updpwd_t) +term_dontaudit_use_all_user_ttys(updpwd_t) term_dontaudit_use_unallocated_ttys(updpwd_t) +term_dontaudit_use_generic_ptys(updpwd_t) auth_manage_shadow(updpwd_t) auth_use_nsswitch(updpwd_t) 
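Review bot: `auth_cache_t`, which the .fc hunk above applies to `/var/cache/coolkey`, is declared with `logging_log_file(auth_cache_t)`, marking an authentication cache as a log file type: every domain that reaches log types through `logging_*` interfaces (log readers, rotation, shippers) would then reach the smart-card cache as well. `files_type(auth_cache_t)` matches the data's actual role and is what the `files_var_filetrans(...,dir)` in authlogin.if suggests; if a logging attribute was chosen deliberately for some consumer, a comment should say which.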
@@ -359,11 +373,6 @@ ') optional_policy(` - # Allow utemper to write to /tmp/.xses-* - unconfined_write_tmp_files(utempter_t) -') - -optional_policy(` xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.2.7/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2007-09-26 12:15:01.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/system/fstools.fc 2008-02-13 16:57:15.000000000 -0500 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -21,7 +20,6 @@ /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.2.7/policy/modules/system/fstools.if --- nsaserefpolicy/policy/modules/system/fstools.if 2007-08-22 17:33:53.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/system/fstools.if 2008-02-13 16:57:15.000000000 -0500 
@@ -81,10 +81,10 @@ # interface(`fstools_read_pipes',` gen_require(` - type fsdaemon_t; + type fstools_t; ') - allow $1 fsdaemon_t:fifo_file read_fifo_file_perms; + allow $1 fstools_t:fifo_file read_fifo_file_perms; ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.2.7/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/fstools.te 2008-02-13 16:57:15.000000000 -0500 @@ -97,6 +97,10 @@ fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) +fs_manage_nfs_files(fsadm_t) + +fs_manage_cifs_files(fsadm_t) + mls_file_read_all_levels(fsadm_t) mls_file_write_all_levels(fsadm_t) @@ -109,8 +113,7 @@ term_use_console(fsadm_t) -corecmd_list_bin(fsadm_t) -corecmd_read_bin_symlinks(fsadm_t) +corecmd_exec_bin(fsadm_t) #RedHat bug #201164 corecmd_exec_shell(fsadm_t) @@ -132,6 +135,8 @@ # Access to /initrd devices files_rw_isid_type_dirs(fsadm_t) files_rw_isid_type_blk_files(fsadm_t) +files_read_isid_type_files(fsadm_t) + # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs @@ -183,4 +188,6 @@ optional_policy(` xen_append_log(fsadm_t) + xen_rw_image_files(fsadm_t) ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.2.7/policy/modules/system/getty.te --- nsaserefpolicy/policy/modules/system/getty.te 2008-02-06 10:33:22.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/getty.te 2008-02-13 16:57:15.000000000 -0500 
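Review bot: `fs_manage_nfs_files(fsadm_t)` and `fs_manage_cifs_files(fsadm_t)` (fstools.te hunk -97) are added unconditionally and without a comment, giving the filesystem-tool domain write access to every file on NFS and CIFS mounts. Elsewhere the policy gates network-filesystem access behind tunables; the case that needs this should be named, and if it is an occasional one the two calls belong under a tunable_policy block, e.g. `# fsadm tools operate on image files kept on network shares` above them. The replacement of `corecmd_list_bin`/`corecmd_read_bin_symlinks` with `corecmd_exec_bin(fsadm_t)` at -109 is likewise a widening whose reason is not recorded, since the `#RedHat bug #201164` comment below it is attached to `corecmd_exec_shell`.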
@@ -33,7 +33,8 @@ # # Use capabilities. -allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; +# getty requires sys_admin #209426 +allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid sys_admin }; dontaudit getty_t self:capability sys_tty_config; allow getty_t self:process { getpgid setpgid getsession signal_perms }; allow getty_t self:fifo_file rw_fifo_file_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.2.7/policy/modules/system/hostname.te --- nsaserefpolicy/policy/modules/system/hostname.te 2007-01-02 12:57:49.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/hostname.te 2008-02-13 16:57:15.000000000 -0500 @@ -8,7 +8,9 @@ type hostname_t; type hostname_exec_t; -init_system_domain(hostname_t,hostname_exec_t) + +#dont transition from initrc +application_domain(hostname_t, hostname_exec_t) role system_r types hostname_t; ######################################## @@ -60,3 +62,11 @@ xen_append_log(hostname_t) xen_dontaudit_use_fds(hostname_t) ') + +optional_policy(` + xen_append_log(hostname_t) +') + +optional_policy(` + unconfined_dontaudit_rw_pipes(hostname_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.2.7/policy/modules/system/hotplug.te --- nsaserefpolicy/policy/modules/system/hotplug.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/hotplug.te 2008-02-13 16:57:15.000000000 -0500 
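Review bot: The new `optional_policy(` xen_append_log(hostname_t) ')` block in the hostname.te hunk at -60 duplicates the `xen_append_log(hostname_t)` call already present in the preceding optional_policy block shown as context, so the addition is redundant and should be dropped, leaving only the `unconfined_dontaudit_rw_pipes(hostname_t)` block. The comment `#dont transition from initrc` at -8 would read more clearly as `# application_domain: no automatic transition from initrc_t when init scripts run hostname`.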
@@ -179,6 +179,7 @@ sysnet_read_dhcpc_pid(hotplug_t) sysnet_rw_dhcp_config(hotplug_t) sysnet_domtrans_ifconfig(hotplug_t) + sysnet_signal_ifconfig(hotplug_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.2.7/policy/modules/system/init.fc --- nsaserefpolicy/policy/modules/system/init.fc 2007-10-12 08:56:08.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/system/init.fc 2008-02-13 16:57:15.000000000 -0500 @@ -4,8 +4,7 @@ /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) /etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) -/etc/rc\.d/rc\.sysinit -- gen_context(system_u:object_r:initrc_exec_t,s0) -/etc/rc\.d/rc\.local -- gen_context(system_u:object_r:initrc_exec_t,s0) +/etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0) /etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.7/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/system/init.if 2008-02-13 16:57:16.000000000 -0500 @@ -211,6 +211,13 @@ kernel_dontaudit_use_fds($1) ') ') + tunable_policy(`allow_daemons_use_tty',` + term_use_all_user_ttys($1) + term_use_all_user_ptys($1) + ', ` + term_dontaudit_use_all_user_ttys($1) + term_dontaudit_use_all_user_ptys($1) + ') ') ######################################## @@ -242,11 +249,11 @@ init_system_domain($1,$2) ifdef(`enable_mcs',` - range_transition initrc_t $2:process $3; + range_transition initrc_t $2 $3; ') ifdef(`enable_mls',` - range_transition initrc_t $2:process $3; + range_transition initrc_t $2 $3; ') ') 
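Review bot: The `allow_daemons_use_tty` tunable_policy added per-domain in the init.if hunk at -211 appears to duplicate the attribute-wide block added to init.te at -496, which applies the same term_use/term_dontaudit interfaces to the `daemon` attribute; if the enclosing interface is the one that marks its argument with `daemon`, every domain going through it receives both copies and the per-domain one can be removed. The enclosing interface starts before this hunk, so this is inferred from the context lines only. If both are intentional, a comment such as `# also covers callers that are not marked daemon` would explain the repetition.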
@@ -540,18 +547,19 @@ # interface(`init_spec_domtrans_script',` gen_require(` - type initrc_t, initrc_exec_t; + type initrc_t; + attribute initscript; ') files_list_etc($1) - spec_domtrans_pattern($1,initrc_exec_t,initrc_t) + spec_domtrans_pattern($1,initscript,initrc_t) ifdef(`enable_mcs',` - range_transition $1 initrc_exec_t:process s0; + range_transition $1 initscript:process s0; ') ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 initscript:process s0 - mls_systemhigh; ') ') @@ -567,18 +575,46 @@ # interface(`init_domtrans_script',` gen_require(` - type initrc_t, initrc_exec_t; + type initrc_t; + attribute initscript; + ') + + files_list_etc($1) + domtrans_pattern($1,initscript,initrc_t) + + ifdef(`enable_mcs',` + range_transition $1 initscript:process s0; + ') + + ifdef(`enable_mls',` + range_transition $1 initscript:process s0 - mls_systemhigh; + ') +') + +######################################## +## +## Execute init a specific script with an automatic domain transition. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_script_domtrans_spec',` + gen_require(` + type initrc_t; ') files_list_etc($1) - domtrans_pattern($1,initrc_exec_t,initrc_t) + domtrans_pattern($1,$2,initrc_t) ifdef(`enable_mcs',` - range_transition $1 initrc_exec_t:process s0; + range_transition $1 $2:process s0; ') ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 $2:process s0 - mls_systemhigh; ') ') @@ -609,11 +645,11 @@ # cjp: added for gentoo integrated run_init interface(`init_script_file_domtrans',` gen_require(` - type initrc_exec_t; + attribute initscript; ') files_list_etc($1) - domain_auto_trans($1,initrc_exec_t,$2) + domain_auto_trans($1,initscript,$2) ') ######################################## 
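Review bot: `init_script_domtrans_spec` (hunk -567) takes a second argument — `domtrans_pattern($1,$2,initrc_t)` and the two `range_transition $1 $2:process` lines — but its header documents only the domain parameter, so callers cannot tell what to pass; a second param entry reading `## The type of the init script file to execute.` is needed. The summary `Execute init a specific script with an automatic domain transition.` is garbled and should read `Execute a specific init script file with an automatic domain transition.`. Because the interface lets a caller-chosen file type enter initrc_t, the parameter text should also state that the type is expected to be one registered through `init_script_type`.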
@@ -684,11 +720,11 @@ # interface(`init_getattr_script_files',` gen_require(` - type initrc_exec_t; + attribute initscript; ') files_list_etc($1) - allow $1 initrc_exec_t:file getattr; + allow $1 initscript:file getattr; ') ######################################## @@ -703,11 +739,11 @@ # interface(`init_exec_script_files',` gen_require(` - type initrc_exec_t; + attribute initscript; ') files_list_etc($1) - can_exec($1,initrc_exec_t) + can_exec($1,initscript) ') ######################################## @@ -931,6 +967,7 @@ dontaudit $1 initrc_t:unix_stream_socket connectto; ') + ######################################## ## ## Send messages to init scripts over dbus. @@ -1030,11 +1067,11 @@ # interface(`init_read_script_files',` gen_require(` - type initrc_exec_t; + attribute initscript; ') files_search_etc($1) - allow $1 initrc_exec_t:file read_file_perms; + allow $1 initscript:file read_file_perms; ') ######################################## @@ -1097,6 +1134,25 @@ ######################################## ## +## Read init script temporary data. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_read_script_tmp_files',` + gen_require(` + type initrc_tmp_t; + ') + + files_search_tmp($1) + read_files_pattern($1,initrc_tmp_t,initrc_tmp_t) +') + +######################################## +## ## Create files in a init script ## temporary data directory. ## @@ -1252,7 +1308,7 @@ type initrc_var_run_t; ') - dontaudit $1 initrc_var_run_t:file { getattr read write append }; + dontaudit $1 initrc_var_run_t:file rw_file_perms; ') ######################################## 
@@ -1273,3 +1329,92 @@ files_search_pids($1) allow $1 initrc_var_run_t:file manage_file_perms; ') + +######################################## +## +## Read the process state (/proc/pid) of init. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_read_init_state',` + gen_require(` + attribute init_t; + ') + + allow $1 init_t:dir search_dir_perms; + allow $1 init_t:file read_file_perms; + allow $1 init_t:lnk_file read_file_perms; +') + +######################################## +## +## Ptrace init +## +## +## +## Domain allowed access. +## +## +## +# +interface(`init_ptrace_init_domain',` + gen_require(` + attribute init_t; + ') + + allow $1 init_t:process ptrace; +') + +######################################## +## +## Make the specified type usable for initscripts +## in a filesystem. +## +## +## +## Type to be used for files. +## +## +# +interface(`init_script_type',` + gen_require(` + type initrc_t; + attribute initscript; + ') + + typeattribute $1 initscript; + domain_entry_file(initrc_t,$1) + +') + +######################################## +## +## Transition to system_r when execute an init script +## +## +##

+## Execute a init script in a specified role +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+##
+## +## +## Role to transition from. +## +## +# cjp: added for gentoo integrated run_init +interface(`init_script_role_transition',` + gen_require(` + attribute initscript; + ') + + role_transition $1 initscript system_r; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.7/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2008-02-06 10:33:22.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/init.te 2008-02-13 16:57:16.000000000 -0500 @@ -10,6 +10,20 @@ # Declarations # +## +##
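Review bot: `init_read_init_state` and `init_ptrace_init_domain` both require `attribute init_t;`, but init.te describes init_t as the domain of the init process, i.e. a type (the init.te hunk at -19 declares `attribute initscript;` separately), and a require of the wrong kind should be rejected as a type/attribute mismatch when the module is linked; both should read `type init_t;`. `allow $1 init_t:process ptrace;` is a high-value permission over PID 1 and its summary `Ptrace init` says nothing about intended callers; `## Ptrace the init process; intended only for debugger and admin domains.` would set expectations. The `# cjp: added for gentoo integrated run_init` line above `init_script_role_transition` appears carried over from `init_script_file_domtrans` and does not describe this new interface.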

+## Allow all daemons the ability to read/write terminals +##

+##
+gen_tunable(allow_daemons_use_tty,false) + +## +##

+## Allow all daemons to write corefiles to / +##

+##
+gen_tunable(allow_daemons_dump_core,false) + # used for direct running of init scripts # by admin domains attribute direct_run_init; @@ -19,6 +33,8 @@ # Mark process types as daemons attribute daemon; +attribute initscript; + # # init_t is the domain of the init process. # @@ -45,7 +61,7 @@ mls_trusted_object(initctl_t) type initrc_t; -type initrc_exec_t; +type initrc_exec_t, initscript; domain_type(initrc_t) domain_entry_file(initrc_t,initrc_exec_t) role system_r types initrc_t; @@ -73,7 +89,7 @@ # # Use capabilities. old rule: -allow init_t self:capability ~sys_module; +allow init_t self:capability ~{ audit_control audit_write sys_module }; # is ~sys_module really needed? observed: # sys_boot # sys_tty_config @@ -163,12 +179,6 @@ fs_tmpfs_filetrans(init_t,initctl_t,fifo_file) ') -ifndef(`distro_ubuntu',` - # Run the shell in the sysadm role for single-user mode. - # causes problems with upstart - userdom_shell_domtrans_sysadm(init_t) -') - optional_policy(` auth_rw_login_records(init_t) ') @@ -177,8 +187,15 @@ nscd_socket_use(init_t) ') -optional_policy(` - unconfined_domain(init_t) +ifndef(`distro_ubuntu',` +# Run the shell in the unconfined_t or sysadm_t domain for single-user mode. +ifdef(`enable_mls',` + userdom_shell_domtrans_sysadm(init_t) +',` + optional_policy(` + unconfined_shell_domtrans(init_t) + ') +') ') ######################################## @@ -187,7 +204,7 @@ # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; -allow initrc_t self:capability ~{ sys_admin sys_module }; +allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module }; dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; 
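Review bot: The restructured single-user-mode block (init.te hunk -177) drops the sysadm fallback for non-MLS builds: when `enable_mls` is not set the only transition is `unconfined_shell_domtrans(init_t)` inside an optional_policy, so a non-MLS build without the unconfined module now keeps the single-user shell in init_t, where before it transitioned to sysadm_t. Replacing `unconfined_domain(init_t)` with a shell-only transition is a welcome tightening, but if running the shell in init_t is acceptable for that configuration the comment should say so, e.g. `# without the unconfined module the single-user shell stays in init_t`. The inner `ifdef`/`optional_policy` lines are also not indented under the `ifndef`, unlike the rest of the file.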
@@ -201,10 +218,9 @@ allow initrc_t initrc_devpts_t:chr_file rw_term_perms; term_create_pty(initrc_t,initrc_devpts_t) -# Going to single user mode -init_exec(initrc_t) +init_telinit(initrc_t) -can_exec(initrc_t,initrc_exec_t) +can_exec(initrc_t,initscript) manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t) manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t) @@ -283,7 +299,6 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) -mls_fd_share_all_levels(initrc_t) selinux_get_enforce_mode(initrc_t) @@ -496,6 +511,31 @@ ') ') +domain_dontaudit_use_interactive_fds(daemon) + +userdom_dontaudit_search_sysadm_home_dirs(daemon) + +tunable_policy(`allow_daemons_use_tty',` + term_use_unallocated_ttys(daemon) + term_use_generic_ptys(daemon) + term_use_all_user_ttys(daemon) + term_use_all_user_ptys(daemon) +', ` + term_dontaudit_use_unallocated_ttys(daemon) + term_dontaudit_use_generic_ptys(daemon) + term_dontaudit_use_all_user_ttys(daemon) + term_dontaudit_use_all_user_ptys(daemon) + ') + +# system-config-services causes avc messages that should be dontaudited +tunable_policy(`allow_daemons_dump_core',` + files_dump_core(daemon) +') + +optional_policy(` + unconfined_dontaudit_rw_pipes(daemon) +') + optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) @@ -631,12 +671,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') -# cjp: require doesnt work in the else of optionals :\ -# this also would result in a type transition -# conflict if sendmail is enabled -#optional_policy(`',` -# mta_send_mail(initrc_t) -#') optional_policy(` ifdef(`distro_redhat',` @@ -697,6 +731,9 @@ # why is this needed: rpm_manage_db(initrc_t) + # Allow SELinux aware applications to request rpm_script_t execution + rpm_transition_script(initrc_t) + ') optional_policy(` 
@@ -709,9 +746,11 @@ squid_manage_logs(initrc_t) ') -optional_policy(` - # allow init scripts to su - su_restricted_domain_template(initrc,initrc_t,system_r) +ifndef(`targeted_policy',` + optional_policy(` + # allow init scripts to su + su_restricted_domain_template(initrc,initrc_t,system_r) + ') ') optional_policy(` @@ -730,6 +769,11 @@ uml_setattr_util_sockets(initrc_t) ') +# Cron jobs used to start and stop services +optional_policy(` + cron_rw_pipes(daemon) +') + optional_policy(` unconfined_domain(initrc_t) @@ -744,6 +788,10 @@ ') optional_policy(` + rpm_dontaudit_rw_pipes(daemon) +') + +optional_policy(` vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.2.7/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/ipsec.te 2008-02-13 16:57:16.000000000 -0500 @@ -297,11 +297,14 @@ read_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t) read_lnk_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t) +kernel_read_system_state(racoon_t) kernel_read_network_state(racoon_t) corenet_all_recvfrom_unlabeled(racoon_t) corenet_tcp_bind_all_nodes(racoon_t) +corenet_udp_bind_all_nodes(racoon_t) corenet_udp_bind_isakmp_port(racoon_t) +corenet_udp_bind_ipsecnat_port(racoon_t) dev_read_urand(racoon_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.2.7/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/iscsi.te 2008-02-13 16:57:16.000000000 -0500 
@@ -29,7 +29,7 @@ # allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource }; -allow iscsid_t self:process setsched; +allow iscsid_t self:process { setrlimit setsched }; allow iscsid_t self:fifo_file { read write }; allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow iscsid_t self:unix_dgram_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.7/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/libraries.fc 2008-02-13 16:57:16.000000000 -0500 @@ -133,6 +133,7 @@ /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -165,6 +166,7 @@ # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -183,6 +185,7 @@ /usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -242,7 +245,7 @@ # Flash plugin, Macromedia HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -292,6 +295,8 @@ # # /var # +/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) + /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) 
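Review bot: The change at -242 replaces the `HOME_DIR/.*/plugins/libflashplayer\.so.*` entry with `HOME_DIR/.*/plugins/nppdf\.so`, which removes the textrel label for the home-directory Flash plugin and adds a second nppdf entry that the hunk at -165 already covers with `HOME_DIR/.*/plugins/nppdf\.so.*`. The line should stay as it was, i.e. keep `HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` and drop the duplicate nppdf line.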
@@ -304,3 +309,6 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) + +/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libmythavcodec-[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.7/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2008-02-06 10:33:22.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/libraries.te 2008-02-13 16:57:16.000000000 -0500 @@ -23,6 +23,9 @@ init_system_domain(ldconfig_t,ldconfig_exec_t) role system_r types ldconfig_t; +type ldconfig_cache_t; +files_type(ldconfig_cache_t) + type ldconfig_tmp_t; files_tmp_file(ldconfig_tmp_t) @@ -44,9 +47,11 @@ # ldconfig local policy # -allow ldconfig_t self:capability sys_chroot; +allow ldconfig_t self:capability { dac_override sys_chroot }; + +manage_files_pattern(ldconfig_t,ldconfig_cache_t,ldconfig_cache_t) -allow ldconfig_t ld_so_cache_t:file manage_file_perms; +manage_files_pattern(ldconfig_t,ld_so_cache_t,ld_so_cache_t) files_etc_filetrans(ldconfig_t,ld_so_cache_t,file) manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t) @@ -60,8 +65,11 @@ fs_getattr_xattr_fs(ldconfig_t) +corecmd_search_bin(ldconfig_t) + domain_use_interactive_fds(ldconfig_t) +files_search_home(ldconfig_t) files_search_var_lib(ldconfig_t) files_read_etc_files(ldconfig_t) files_search_tmp(ldconfig_t) @@ -86,6 +94,10 @@ ') ') +userdom_dontaudit_write_unpriv_user_home_content_files(ldconfig_t) +userdom_manage_unpriv_users_tmp_files(ldconfig_t) +userdom_manage_unpriv_users_tmp_symlinks(ldconfig_t) + ifdef(`hide_broken_symptoms',` optional_policy(` unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) 
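Review bot: `userdom_manage_unpriv_users_tmp_files(ldconfig_t)` and `userdom_manage_unpriv_users_tmp_symlinks(ldconfig_t)` (libraries.te hunk -86), together with the `dac_override` capability added at -44, let a root-run ldconfig create and remove user-owned files and symlinks in user temp directories, which is the classic setting for symlink redirection and deserves a why-comment. The only rationale in the patch is the smart/rpm temp-file comment at -102, and that case is already served by `rpm_rw_tmp_files`; if the user-tmp rules exist for the same package-manager flow, say so with `# ldconfig is invoked by package scripts on files under user tmp (see rpm rules below)` and consider whether manage is needed where read/write would do. `files_search_home(ldconfig_t)` and the home-content dontaudit at -86 suggest ldconfig is also being run against home directories; that use is worth naming too.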
@@ -102,4 +114,6 @@ # and executes ldconfig on it. If you dont allow this kernel installs # blow up. rpm_manage_script_tmp_files(ldconfig_t) + # smart package manager needs the following for the same reason + rpm_rw_tmp_files(ldconfig_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.2.7/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2008-02-06 10:33:22.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/locallogin.te 2008-02-13 16:57:16.000000000 -0500 @@ -131,6 +131,7 @@ miscfiles_read_localization(local_login_t) +userdom_read_all_users_home_dirs_symlinks(local_login_t) userdom_spec_domtrans_all_users(local_login_t) userdom_signal_all_users(local_login_t) userdom_search_all_users_home_content(local_login_t) @@ -162,6 +163,11 @@ fs_read_cifs_symlinks(local_login_t) ') +tunable_policy(`allow_console_login', ` + term_relabel_console(local_login_t) + term_setattr_console(local_login_t) +') + optional_policy(` alsa_domtrans(local_login_t) ') @@ -191,7 +197,7 @@ ') optional_policy(` - unconfined_domain(local_login_t) + unconfined_shell_domtrans(local_login_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.2.7/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2007-12-12 11:35:28.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/logging.fc 2008-02-13 16:57:16.000000000 -0500 @@ -4,6 +4,7 @@ /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) +/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) /sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) 
@@ -42,11 +43,10 @@ ') ifdef(`distro_redhat',` -/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) +/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) ') /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) -/var/run/audispd_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) @@ -57,3 +57,9 @@ /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_script_exec_t,s0) +/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0) + + +/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.2.7/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2007-12-12 11:35:28.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/logging.if 2008-02-13 16:57:16.000000000 -0500 @@ -213,12 +213,7 @@ ## # interface(`logging_stream_connect_auditd',` - gen_require(` - type auditd_t, auditd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t) + logging_stream_connect_audisp($1) ') ######################################## 
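Review bot: `logging_stream_connect_auditd` (logging.if hunk -213) now only calls `logging_stream_connect_audisp($1)`, so a caller no longer receives connect permission on `auditd_var_run_t` sockets, yet `/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)` stays in logging.fc (context at -42) and only `audispd_events` moved to `audisp_var_run_t`. Any domain that reaches auditd's own socket through this interface loses that access silently; either keep the original `stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t)` alongside the audisp call, or mark the interface deprecated and update its summary to say it connects to audisp. The logging.fc hunk at -42 also changes only whitespace on the named chroot line, which adds noise to the patch.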
@@ -400,25 +395,6 @@ ######################################## ## -## Read syslog configuration files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`logging_read_syslog_config',` - gen_require(` - type syslog_conf_t; - ') - - allow $1 syslog_conf_t:file read_file_perms; -') - -######################################## -## ## Allows the domain to open a file in the ## log directory, but does not allow the listing ## of the contents of the log directory. @@ -596,6 +572,8 @@ files_search_var($1) manage_files_pattern($1,logfile,logfile) read_lnk_files_pattern($1,logfile,logfile) + allow $1 logfile:dir { relabelfrom relabelto }; + allow $1 logfile:file { relabelfrom relabelto }; ') ######################################## @@ -705,6 +683,7 @@ interface(`logging_admin_audit',` gen_require(` type auditd_t, auditd_etc_t, auditd_log_t; + type auditd_script_exec_t; type auditd_var_run_t; ') @@ -719,6 +698,15 @@ manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t) manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t) + + logging_run_auditctl($1, $2, $3) + + # Allow $1 to restart the audit service + logging_audit_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 auditd_script_exec_t system_r; + allow $2 system_r; + ') ######################################## @@ -749,6 +737,7 @@ type syslogd_tmp_t, syslogd_var_lib_t; type syslogd_var_run_t, klogd_var_run_t; type klogd_tmp_t, var_log_t; + type syslogd_script_exec_t; ') allow $1 syslogd_t:process { ptrace signal_perms }; @@ -776,6 +765,13 @@ manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) + + # Allow $1 to restart the syslog service + logging_syslog_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 syslogd_script_exec_t system_r; + allow $2 system_r; + ') ######################################## 
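Review bot: Adding `allow $1 logfile:dir { relabelfrom relabelto };` and `allow $1 logfile:file { relabelfrom relabelto };` (hunk -596) to what appears to be `logging_manage_all_logs` silently widens every existing caller to relabeling of all log files and directories, a capability normally exposed through a separate interface so that log-integrity controls can be reasoned about. A dedicated relabel interface that the admin interfaces call would keep the manage interface at its documented scope; the enclosing interface begins before this hunk. The removal of `logging_read_syslog_config` at -400 breaks any module still calling it; if a replacement exists, keeping the interface as a deprecated wrapper that calls it avoids a build break for out-of-tree modules.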
@@ -804,3 +800,127 @@ logging_admin_audit($1, $2, $3) logging_admin_syslog($1, $2, $3) ') + +######################################## +## +## Execute syslog server in the syslogd domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`logging_syslog_script_domtrans',` + gen_require(` + type syslogd_script_exec_t; + ') + + init_script_domtrans_spec($1,syslogd_script_exec_t) +') + +######################################## +## +## Execute audit server in the auditd domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`logging_audit_script_domtrans',` + gen_require(` + type auditd_script_exec_t; + ') + + init_script_domtrans_spec($1,auditd_script_exec_t) +') + +######################################## +## +## Execute a domain transition to run audisp. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`logging_domtrans_audisp',` + gen_require(` + type audisp_t; + type audisp_exec_t; + ') + + domtrans_pattern($1,audisp_exec_t,audisp_t) +') + +######################################## +## +## Signal the audisp domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`logging_audisp_signal',` + gen_require(` + type audisp_t; + ') + + allow $1 audisp_t:process signal; +') + +######################################## +## +## Create a domain for processes +## which can be started by the system audisp +## +## +## +## Type to be used as a domain. +## +## +## +## +## Type of the program to be used as an entry point to this domain. +## +## +# +interface(`logging_audisp_system_domain',` + gen_require(` + type audisp_t; + role system_r; + ') + + domain_type($1) + domain_entry_file($1,$2) + + role system_r types $1; + + domtrans_pattern(audisp_t,$2,$1) + + allow audisp_t $2:file getattr; +') + +######################################## +## +## Connect to auditdstored over an unix stream socket. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`logging_stream_connect_audisp',` + gen_require(` + type audisp_t, audisp_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1,audisp_var_run_t,audisp_var_run_t,audisp_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.2.7/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2008-02-06 10:33:22.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/logging.te 2008-02-13 16:57:16.000000000 -0500 @@ -61,10 +61,23 @@ logging_log_file(var_log_t) files_mountpoint(var_log_t) +type auditd_script_exec_t; +init_script_type(auditd_script_exec_t) + +type syslogd_script_exec_t; +init_script_type(syslogd_script_exec_t) + ifdef(`enable_mls',` init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh) ') +type audisp_t; +type audisp_exec_t; +init_system_domain(audisp_t, audisp_exec_t) + +type audisp_var_run_t; +files_pid_file(audisp_var_run_t) + ######################################## # # Auditctl local policy @@ -171,6 +184,10 @@ ') optional_policy(` + mta_send_mail(auditd_t) +') + +optional_policy(` seutil_sigchld_newrole(auditd_t) ') @@ -208,6 +225,7 @@ fs_getattr_all_fs(klogd_t) fs_search_auto_mountpoints(klogd_t) +fs_search_tmpfs(klogd_t) domain_use_interactive_fds(klogd_t) 
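Review bot: The summaries of the new interfaces do not match their bodies: `logging_syslog_script_domtrans` says `Execute syslog server in the syslogd domain` but calls `init_script_domtrans_spec($1,syslogd_script_exec_t)`, which per its definition transitions the caller into initrc_t for the init script, and `logging_audit_script_domtrans` has the same mismatch; `## Execute the syslog init script in the initrc_t domain.` and `## Execute the audit init script in the initrc_t domain.` are accurate. `logging_audisp_signal` describes its parameter as `Domain allowed to transition` although it only grants `signal`, and `logging_stream_connect_audisp` has the typo `auditdstored`. In `logging_audisp_system_domain`, `allow audisp_t $2:file getattr;` looks redundant with the preceding `domtrans_pattern(audisp_t,$2,$1)`, which already grants the entry-point file permissions; if it is kept, a comment should say why.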
@@ -399,3 +417,40 @@ # log to the xconsole xserver_rw_console(syslogd_t) ') + +######################################## +# +# audisp local policy +# + +# Init script handling +domain_use_interactive_fds(audisp_t) + +## internal communication is often done using fifo and unix sockets. +allow audisp_t self:fifo_file rw_file_perms; +allow audisp_t self:unix_stream_socket create_stream_socket_perms; +allow audisp_t auditd_t:unix_stream_socket rw_file_perms; + +manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) +files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) + +files_read_etc_files(audisp_t) + +libs_use_ld_so(audisp_t) +libs_use_shared_libs(audisp_t) + +logging_send_syslog_msg(audisp_t) + +miscfiles_read_localization(audisp_t) + +corecmd_search_bin(audisp_t) +allow audisp_t self:unix_dgram_socket create_socket_perms; + +logging_domtrans_audisp(auditd_t) +logging_audisp_signal(auditd_t) + +#gen_require(` +# type zos_remote_exec_t, zos_remote_t; +#') + +#logging_audisp_system_domain(zos_remote_t, zos_remote_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.2.7/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/lvm.te 2008-02-13 16:57:16.000000000 -0500 @@ -44,9 +44,9 @@ # Cluster LVM daemon local policy # -allow clvmd_t self:capability { sys_admin mknod }; +allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod }; dontaudit clvmd_t self:capability sys_tty_config; -allow clvmd_t self:process signal_perms; +allow clvmd_t self:process { signal_perms setsched }; dontaudit clvmd_t self:process ptrace; allow clvmd_t self:socket create_socket_perms; allow clvmd_t self:fifo_file rw_fifo_file_perms; 
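Review bot: `allow audisp_t self:fifo_file rw_file_perms;` and `allow audisp_t auditd_t:unix_stream_socket rw_file_perms;` apply a file permission set to the fifo and socket classes; the convention in this file (and the clvmd lines in lvm.te below) is `rw_fifo_file_perms` and `rw_socket_perms`, which name the intended access and avoid carrying permissions that do not exist on those classes. The commented-out `gen_require`/`logging_audisp_system_domain(zos_remote_t, zos_remote_exec_t)` lines are dead code in a .te file and should be removed or turned into a real optional_policy block. `## internal communication ...` uses the `##` doc-comment marker for an ordinary comment, so a single `#` keeps it out of generated docs, and `logging_domtrans_audisp(auditd_t)`/`logging_audisp_signal(auditd_t)` describe auditd's access and would sit better in the auditd local policy section.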
@@ -54,6 +54,8 @@ allow clvmd_t self:tcp_socket create_stream_socket_perms; allow clvmd_t self:udp_socket create_socket_perms; +init_dontaudit_getattr_initctl(clvmd_t) + manage_files_pattern(clvmd_t,clvmd_var_run_t,clvmd_var_run_t) files_pid_filetrans(clvmd_t,clvmd_var_run_t,file) @@ -85,10 +87,15 @@ corenet_sendrecv_generic_server_packets(clvmd_t) dev_read_sysfs(clvmd_t) +dev_manage_generic_symlinks(clvmd_t) +dev_relabel_generic_dev_dirs(clvmd_t) +dev_manage_generic_blk_files(clvmd_t) dev_manage_generic_chr_files(clvmd_t) dev_rw_lvm_control(clvmd_t) dev_dontaudit_getattr_all_blk_files(clvmd_t) dev_dontaudit_getattr_all_chr_files(clvmd_t) +dev_create_generic_dirs(clvmd_t) +dev_delete_generic_dirs(clvmd_t) files_read_etc_files(clvmd_t) files_list_usr(clvmd_t) @@ -99,9 +106,12 @@ fs_dontaudit_read_removable_files(clvmd_t) storage_dontaudit_getattr_removable_dev(clvmd_t) +storage_dev_filetrans_fixed_disk(clvmd_t) +storage_manage_fixed_disk(clvmd_t) domain_use_interactive_fds(clvmd_t) +storage_relabel_fixed_disk(clvmd_t) storage_raw_read_fixed_disk(clvmd_t) auth_use_nsswitch(clvmd_t) @@ -115,6 +125,9 @@ seutil_dontaudit_search_config(clvmd_t) seutil_sigchld_newrole(clvmd_t) +seutil_read_config(clvmd_t) +seutil_read_file_contexts(clvmd_t) +seutil_search_default_contexts(clvmd_t) userdom_dontaudit_use_unpriv_user_fds(clvmd_t) userdom_dontaudit_search_sysadm_home_dirs(clvmd_t) @@ -146,7 +159,8 @@ # DAC overrides and mknod for modifying /dev entries (vgmknodes) # rawio needed for dmraid -allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio }; +allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; +# lvm needs net_admin for multipath dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal }; # LVM will complain a lot if it cannot set its priority. 
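Review bot: `storage_manage_fixed_disk(clvmd_t)` and `storage_relabel_fixed_disk(clvmd_t)` in the -99 hunk, together with `dev_manage_generic_blk_files(clvmd_t)` in the -85 hunk, let clvmd_t create, delete and relabel block device nodes for fixed disks, and clvmd_t is a network daemon (the surrounding context already shows tcp/udp sockets and `corenet_sendrecv_generic_server_packets`). None of the new lines says which clvmd operation needs relabel rather than a create-with-filetrans, and `storage_relabel_fixed_disk` is dropped in after `domain_use_interactive_fds` instead of next to the other storage_ rules. I would group the three storage_ lines together under `# clvmd creates LVM device nodes in /dev on volume activation -- verify relabel is really needed` and drop `storage_relabel_fixed_disk` if the filetrans already yields the right label.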
@@ -156,7 +170,8 @@ allow lvm_t self:unix_dgram_socket create_socket_perms; allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; -allow lvm_t clvmd_t:unix_stream_socket connectto; +allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms }; manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) @@ -188,6 +203,7 @@ manage_files_pattern(lvm_t,lvm_metadata_t,lvm_metadata_t) filetrans_pattern(lvm_t,lvm_etc_t,lvm_metadata_t,file) files_etc_filetrans(lvm_t,lvm_metadata_t,file) +files_search_mnt(lvm_t) kernel_read_system_state(lvm_t) kernel_read_kernel_sysctls(lvm_t) @@ -204,7 +220,6 @@ selinux_compute_user_contexts(lvm_t) dev_create_generic_chr_files(lvm_t) -dev_delete_generic_dirs(lvm_t) dev_read_rand(lvm_t) dev_read_urand(lvm_t) dev_rw_lvm_control(lvm_t) @@ -224,6 +239,8 @@ dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) +dev_delete_generic_dirs(lvm_t) +dev_rw_generic_files(lvm_t) fs_getattr_xattr_fs(lvm_t) fs_search_auto_mountpoints(lvm_t) @@ -242,6 +259,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) +mls_file_read_all_levels(lvm_t) term_getattr_all_user_ttys(lvm_t) term_list_ptys(lvm_t) @@ -250,6 +268,7 @@ domain_use_interactive_fds(lvm_t) +files_read_usr_files(lvm_t) files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: @@ -271,6 +290,8 @@ seutil_search_default_contexts(lvm_t) seutil_sigchld_newrole(lvm_t) +userdom_dontaudit_search_sysadm_home_dirs(lvm_t) + ifdef(`distro_redhat',` # this is from the initrd: files_rw_isid_type_dirs(lvm_t) 
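Review bot: `mls_file_read_all_levels(lvm_t)` in the -242 hunk is an MLS constraint exemption added without any comment, so on an MLS build lvm_t can read files at every sensitivity level and nobody reading the file later will know which objects forced that. If the need is only device nodes or LVM metadata labelled at other levels, a narrower interface would be preferable. At minimum add `# MLS: lvm reads device nodes/metadata labelled at any level during activation -- confirm which objects require this` above the line. The same applies to `dev_rw_generic_files(lvm_t)` in the -224 hunk, which opens every generic /dev file for read and write.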
@@ -289,5 +310,14 @@ ') optional_policy(` + modutils_domtrans_insmod(lvm_t) +') + +optional_policy(` udev_read_db(lvm_t) ') + +optional_policy(` + xen_append_log(lvm_t) + xen_dontaudit_rw_unix_stream_sockets(lvm_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.2.7/policy/modules/system/miscfiles.fc --- nsaserefpolicy/policy/modules/system/miscfiles.fc 2007-08-22 17:33:53.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/system/miscfiles.fc 2008-02-13 16:57:16.000000000 -0500 @@ -80,3 +80,4 @@ /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) ') +HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.2.7/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2007-11-16 13:45:14.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/miscfiles.if 2008-02-13 16:57:16.000000000 -0500 
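Review bot: `modutils_domtrans_insmod(lvm_t)` in the -289 hunk gives lvm_t a transition into the module-loading domain, and the mount.te part of this same patch adds `lvm_domtrans(mount_t)`, so mount_t → lvm_t → insmod_t becomes a reachable chain for anything that can run mount. The block carries no comment on which module lvm needs to load; a device-mapper target such as dm-crypt is plausible given the bug referenced in mount.te, but that is an inference. Add `# lvm autoloads device-mapper target modules via modprobe -- confirm which` above the `optional_policy` so the chain is documented where it starts.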
@@ -489,3 +489,44 @@ manage_lnk_files_pattern($1,locale_t,locale_t) ') +######################################## +## +## Read user homedir fonts. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`miscfiles_read_home_fonts',` + gen_require(` + type user_fonts_home_t; + ') + + read_files_pattern($1,user_fonts_home_t,user_fonts_home_t) + read_lnk_files_pattern($1,user_fonts_home_t,user_fonts_home_t) +') + +######################################## +## +## Read user homedir fonts. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`miscfiles_manage_home_fonts',` + gen_require(` + type user_fonts_home_t; + ') + + manage_dirs_pattern($1,user_fonts_home_t,user_fonts_home_t) + manage_files_pattern($1,user_fonts_home_t,user_fonts_home_t) + manage_lnk_files_pattern($1,user_fonts_home_t,user_fonts_home_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.2.7/policy/modules/system/miscfiles.te --- nsaserefpolicy/policy/modules/system/miscfiles.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/miscfiles.te 2008-02-13 16:57:16.000000000 -0500 @@ -20,6 +20,14 @@ files_type(fonts_t) # +# fonts_t is the type of various font +# files in /usr +# +type user_fonts_home_t; +userdom_user_home_type(user_fonts_home_t) +files_type(user_fonts_home_t) + +# # type for /usr/share/hwdata # type hwdata_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.2.7/policy/modules/system/modutils.if --- nsaserefpolicy/policy/modules/system/modutils.if 2007-03-26 10:39:07.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/system/modutils.if 2008-02-13 16:57:16.000000000 -0500 
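Review bot: The header of `miscfiles_manage_home_fonts` in the -489 hunk of miscfiles.if is a copy of the read interface's header and says "Read user homedir fonts." although the body grants `manage_dirs_pattern`, `manage_files_pattern` and `manage_lnk_files_pattern`. Interface summaries are what policy authors read when choosing a call, so an understated one leads to over-granting. Change it to `## Create, read, write, and delete user homedir fonts.`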
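Review bot: In the -20 hunk of miscfiles.te the comment placed above `type user_fonts_home_t;` reads `# fonts_t is the type of various font files in /usr`, which was copied from the fonts_t declaration and describes the wrong type. Replace it with `# user_fonts_home_t is the type of per-user font files and caches under HOME_DIR/.fontconfig`, matching the .fc entry added in this patch.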
@@ -66,6 +66,25 @@ ######################################## ## +## Unlink a file with the configuration options used when +## loading modules. +## +## +## +## Domain allowed access. +## +## +# +interface(`modutils_unlink_module_config',` + gen_require(` + type modules_conf_t; + ') + + allow $1 modules_conf_t:file unlink; +') + +######################################## +## ## Unconditionally execute insmod in the insmod domain. ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.2.7/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2008-02-06 10:33:22.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/modutils.te 2008-02-13 16:57:16.000000000 -0500 @@ -42,7 +42,7 @@ # insmod local policy # -allow insmod_t self:capability { dac_override net_raw sys_tty_config }; +allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config }; allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:udp_socket create_socket_perms; @@ -63,6 +63,7 @@ kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) kernel_read_hotplug_sysctls(insmod_t) +kernel_setsched(insmod_t) files_read_kernel_modules(insmod_t) # for locking: (cjp: ????) @@ -76,9 +77,7 @@ dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) -# cjp: why is this needed? insmod cannot mounton any dir -# and it also transitions to mount -dev_mount_usbfs(insmod_t) +dev_create_generic_chr_files(insmod_t) fs_getattr_xattr_fs(insmod_t) @@ -101,6 +100,7 @@ init_use_fds(insmod_t) init_use_script_fds(insmod_t) init_use_script_ptys(insmod_t) +init_spec_domtrans_script(insmod_t) libs_use_ld_so(insmod_t) libs_use_shared_libs(insmod_t) 
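Review bot: The -76 hunk of modutils.te replaces the questioned `dev_mount_usbfs(insmod_t)` with `dev_create_generic_chr_files(insmod_t)`, and the -42 hunk adds the `mknod` capability, so insmod_t can now create arbitrary generic character device nodes — the old cjp comment asking why the access was needed was deleted rather than answered. Which step of module loading creates device nodes is not visible here (a modprobe install script is one guess). Keep the grant auditable with `# mknod + chr_file create: device nodes created during module load before udev -- confirm which modules`, and if only a few specific nodes are involved, a filetrans to a dedicated type would be narrower than generic creation.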
@@ -118,11 +118,28 @@ ') ') +term_dontaudit_use_unallocated_ttys(insmod_t) +userdom_dontaudit_search_users_home_dirs(insmod_t) +userdom_dontaudit_search_sysadm_home_dirs(insmod_t) +fs_dontaudit_use_tmpfs_chr_dev(insmod_t) + if( ! secure_mode_insmod ) { kernel_domtrans_to(insmod_t,insmod_exec_t) } optional_policy(` + alsa_domtrans(insmod_t) +') + +optional_policy(` + firstboot_dontaudit_rw_pipes(insmod_t) +') + +optional_policy(` + hal_write_log(insmod_t) +') + +optional_policy(` hotplug_search_config(insmod_t) ') @@ -155,10 +172,12 @@ optional_policy(` rpm_rw_pipes(insmod_t) + rpm_read_script_tmp_files(insmod_t) ') optional_policy(` unconfined_dontaudit_rw_pipes(insmod_t) + unconfined_dontaudit_use_terminals(insmod_t) ') optional_policy(` @@ -185,6 +204,7 @@ files_read_kernel_symbol_table(depmod_t) files_read_kernel_modules(depmod_t) +files_delete_kernel_modules(depmod_t) fs_getattr_xattr_fs(depmod_t) @@ -208,9 +228,11 @@ # Read System.map from home directories. files_list_home(depmod_t) -userdom_read_staff_home_content_files(depmod_t) +userdom_read_unpriv_users_home_content_files(depmod_t) userdom_read_sysadm_home_content_files(depmod_t) +userdom_dontaudit_use_sysadm_terms(depmod_t) + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(depmod_t) @@ -219,11 +241,12 @@ optional_policy(` # Read System.map from home directories. - unconfined_read_home_content_files(depmod_t) + unconfined_dontaudit_use_terminals(depmod_t) ') optional_policy(` rpm_rw_pipes(depmod_t) + rpm_manage_script_tmp_files(depmod_t) ') ################################# diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.2.7/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2006-11-16 17:15:24.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/mount.fc 2008-02-13 16:57:16.000000000 -0500 
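Review bot: The comment `# Read System.map from home directories.` in the -219 hunk now sits above `unconfined_dontaudit_use_terminals(depmod_t)`, which it no longer describes, because the `unconfined_read_home_content_files` line it documented was removed. Replace it with `# depmod is run from unconfined sessions; do not audit its terminal use`, or delete it. Note also that the -208 hunk widens depmod's read from staff home content to `userdom_read_unpriv_users_home_content_files`, i.e. every unprivileged user's home files, for the sake of System.map; that widening deserves its own comment.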
@@ -1,4 +1,5 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) - -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.7/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2008-02-06 10:33:22.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/mount.te 2008-02-13 16:57:16.000000000 -0500 @@ -18,17 +18,18 @@ init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; +typealias mount_t alias mount_ntfs_t; +typealias mount_exec_t alias mount_ntfs_exec_t; + type mount_loopback_t; # customizable files_type(mount_loopback_t) type mount_tmp_t; files_tmp_file(mount_tmp_t) -# causes problems with interfaces when -# this is optionally declared in monolithic -# policy--duplicate type declaration type unconfined_mount_t; application_domain(unconfined_mount_t,mount_exec_t) +role system_r types unconfined_mount_t; ######################################## # 
@@ -36,23 +37,26 @@ # # setuid/setgid needed to mount cifs -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; +allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid }; allow mount_t mount_loopback_t:file read_file_perms; allow mount_t mount_tmp_t:file manage_file_perms; allow mount_t mount_tmp_t:dir manage_dir_perms; +files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir }) can_exec(mount_t, mount_exec_t) -files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir }) - +# In order to mount reiserfs_t +kernel_list_unlabeled(mount_t) kernel_read_system_state(mount_t) kernel_read_kernel_sysctls(mount_t) kernel_dontaudit_getattr_core_if(mount_t) +kernel_search_debugfs(mount_t) dev_getattr_all_blk_files(mount_t) dev_list_all_dev_nodes(mount_t) +dev_read_usbfs(mount_t) dev_rw_lvm_control(mount_t) dev_dontaudit_getattr_all_chr_files(mount_t) dev_dontaudit_getattr_memory_dev(mount_t) @@ -62,6 +66,7 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) +storage_rw_fuse(mount_t) fs_getattr_xattr_fs(mount_t) fs_getattr_cifs(mount_t) @@ -100,6 +105,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) +init_stream_connect_script(mount_t) +init_rw_script_stream_sockets(mount_t) auth_use_nsswitch(mount_t) @@ -119,6 +126,7 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) +userdom_read_sysadm_home_content_files(mount_t) ifdef(`distro_redhat',` optional_policy(` @@ -167,6 +175,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) + + rpc_domtrans_rpcd(mount_t) ') optional_policy(` @@ -181,6 +191,11 @@ ') ') +# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711 +optional_policy(` + lvm_domtrans(mount_t) +') + # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) 
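Review bot: `userdom_read_sysadm_home_content_files(mount_t)` in the -119 hunk grants mount_t read of everything under the sysadm home directory with no comment on why. The module already declares `mount_loopback_t` (marked customizable in the declarations hunk) precisely so that image files to be loop-mounted can be labelled and read without a blanket grant. If this is for loop-mounting images kept in /root, document it as `# loopback images under /root -- prefer labelling them mount_loopback_t`, or drop the line in favour of that label.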
@@ -188,6 +203,7 @@ optional_policy(` samba_domtrans_smbmount(mount_t) + samba_read_config(mount_t) ') ######################################## @@ -198,4 +214,26 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) + optional_policy(` + hal_dbus_chat(unconfined_mount_t) + ') ') + +######################################## +# +# ntfs local policy +# +allow mount_t self:fifo_file rw_fifo_file_perms; +allow mount_t self:unix_stream_socket create_stream_socket_perms; +allow mount_t self:unix_dgram_socket create_socket_perms; + +corecmd_exec_shell(mount_t) + +modutils_domtrans_insmod(mount_t) + +optional_policy(` + hal_write_log(mount_t) + hal_use_fds(mount_t) + hal_rw_pipes(mount_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.fc serefpolicy-3.2.7/policy/modules/system/qemu.fc --- nsaserefpolicy/policy/modules/system/qemu.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/qemu.fc 2008-02-13 16:57:16.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.2.7/policy/modules/system/qemu.if --- nsaserefpolicy/policy/modules/system/qemu.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/qemu.if 2008-02-13 17:10:57.000000000 -0500 
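Review bot: The new `# ntfs local policy` section in the -198 hunk attaches `corecmd_exec_shell(mount_t)` and `modutils_domtrans_insmod(mount_t)` to mount_t itself — `mount_ntfs_t` is only a typealias of `mount_t` in the declarations hunk — so every mount invocation, not just mount.ntfs, can now run a shell and transition into the module loader. Together with `lvm_domtrans(mount_t)` added earlier in this file, mount_t is becoming a hub into several privileged domains. The header should at least say so: `# mount.ntfs (a typealias of mount_t) runs a shell wrapper and loads modules; these rules apply to all of mount_t`. If the ntfs helper is the only user, a separate domain for it would keep plain mount confined.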
@@ -0,0 +1,218 @@ + +## policy for qemu + +######################################## +## +## Execute a domain transition to run qemu. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`qemu_domtrans',` + gen_require(` + type qemu_t; + type qemu_exec_t; + ') + + domtrans_pattern($1,qemu_exec_t,qemu_t) +') + +######################################## +## +## Allow the domain to read state files in /proc. +## +## +## +## Domain to allow access. +## +## +# +interface(`qemu_read_state',` + gen_require(` + type qemu_t; + ') + + read_files_pattern($1,qemu_t,qemu_t) +') + +######################################## +## +## Send a signal to qemu. +## +## +## +## Domain allowed access. +## +## +# +interface(`qemu_signal',` + gen_require(` + type qemu_t; + ') + + allow $1 qemu_t:process signal; +') + +######################################## +## +## Send a sigill to qemu +## +## +## +## Domain allowed access. +## +## +# +interface(`qemu_sigkill',` + gen_require(` + type qemu_t; + ') + + allow $1 qemu_t:process sigkill; +') + +######################################## +## +## Execute qemu programs in the qemu domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to allow the PAM domain. +## +## +## +## +## The type of the terminal allow the PAM domain to use. +## +## +# +interface(`qemu_run',` + gen_require(` + type qemu_t; + ') + + qemu_domtrans($1) + role $2 types qemu_t; + allow qemu_t $3:chr_file rw_file_perms; +') + +######################################## +## +## Execute qemu programs in the qemu domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to allow the PAM domain. +## +## +## +## +## The type of the terminal allow the PAM domain to use. +## +## +# +interface(`qemu_runas',` + gen_require(` + type qemu_t; + ') + + qemu_domtrans($1) + allow qemu_t $3:chr_file rw_file_perms; +') + +######################################## +## +## Execute qemu programs in the role. 
+## +## +## +## The role to allow the PAM domain. +## +## +# +interface(`qemu_role',` + gen_require(` + type qemu_t; + ') + role $1 types qemu_t; +') + +######################################## +## +## Execute qemu unconfined programs in the role. +## +## +## +## The role to allow the PAM domain. +## +## +# +interface(`qemu_unconfined_role',` + gen_require(` + type qemu_unconfined_t; + ') + role $1 types qemu_unconfined_t; +') + + +######################################## +## +## Execute a domain transition to run qemu. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`qemu_domtrans_unconfined',` + gen_require(` + type qemu_unconfined_t; + type qemu_exec_t; + ') + + domtrans_pattern($1, qemu_exec_t, qemu_unconfined_t) +') + +######################################## +## +## Execute qemu programs in the qemu unconfined domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to allow the PAM domain. +## +## +## +## +## The type of the terminal allow the PAM domain to use. +## +## +# +interface(`qemu_runas_unconfined',` + gen_require(` + type qemu_unconfined_t; + ') + + qemu_domtrans($1) + allow qemu_unconfined_t $3:chr_file rw_file_perms; +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.2.7/policy/modules/system/qemu.te --- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/qemu.te 2008-02-14 15:46:36.000000000 -0500 
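Review bot: `qemu_runas_unconfined` calls `qemu_domtrans($1)`, which transitions the caller into `qemu_t`, while the terminal rule it adds is on `qemu_unconfined_t`; the interface therefore never reaches the domain it is named for. It should call `qemu_domtrans_unconfined($1)`. Two smaller issues in the same hunk: `qemu_runas` declares a `$2` role parameter that its body never uses (compare `qemu_run`, which does `role $2 types qemu_t;`), and the summary for `qemu_sigkill` says "Send a sigill to qemu" where it means sigkill.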
@@ -0,0 +1,83 @@ +policy_module(qemu,1.0.0) + +######################################## +# +# Declarations +# + +type qemu_t; +type qemu_exec_t; +application_domain(qemu_t, qemu_exec_t) +role system_r types qemu_t; + +type qemu_unconfined_t; +domain_type(qemu_unconfined_t) + +######################################## +# +# qemu local policy +# + +# Init script handling +domain_use_interactive_fds(qemu_t) + +allow qemu_t self:process { execstack execmem signal getsched }; +allow qemu_t self:tcp_socket create_stream_socket_perms; + +## internal communication is often done using fifo and unix sockets. +allow qemu_t self:fifo_file rw_file_perms; +allow qemu_t self:unix_stream_socket create_stream_socket_perms; +allow qemu_t self:shm create_shm_perms; + +corenet_all_recvfrom_unlabeled(qemu_t) +corenet_all_recvfrom_netlabel(qemu_t) +corenet_tcp_sendrecv_all_if(qemu_t) +corenet_tcp_sendrecv_all_nodes(qemu_t) +corenet_tcp_sendrecv_all_ports(qemu_t) +corenet_tcp_bind_all_nodes(qemu_t) +corenet_tcp_bind_vnc_port(qemu_t) +corenet_rw_tun_tap_dev(qemu_t) + +kernel_read_system_state(qemu_t) + +dev_rw_kvm(qemu_t) + +files_read_etc_files(qemu_t) +files_read_usr_files(qemu_t) +files_read_var_files(qemu_t) +files_search_all(qemu_t) + +fs_rw_anon_inodefs_files(qemu_t) +fs_rw_tmpfs_files(qemu_t) + +storage_raw_write_removable_device(qemu_t) +storage_raw_read_removable_device(qemu_t) + +term_use_ptmx(qemu_t) +term_getattr_pty_fs(qemu_t) +term_use_generic_ptys(qemu_t) + +libs_use_ld_so(qemu_t) +libs_use_shared_libs(qemu_t) + +miscfiles_read_localization(qemu_t) + +sysnet_read_config(qemu_t) + +virt_manage_image(qemu_t) +virt_read_config(qemu_t) + +optional_policy(` + xserver_stream_connect_xdm_xserver(qemu_t) + xserver_read_xdm_tmp_files(qemu_t) + xserver_xdm_rw_shm(qemu_t) +') + +######################################## +# +# qemu_unconfined local policy +# + +unconfined_domain_noaudit(qemu_unconfined_t) +allow qemu_unconfined_t self:process { execstack execmem }; + diff 
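Review bot: `qemu_unconfined_t` is declared with `domain_type` only — no `domain_entry_file`/`application_domain` tying it to `qemu_exec_t` and no `role` statement — yet `qemu_domtrans_unconfined` in qemu.if does `domtrans_pattern($1, qemu_exec_t, qemu_unconfined_t)`. Whether `unconfined_domain_noaudit` supplies the entrypoint permission is not visible here; adding `domain_entry_file(qemu_unconfined_t, qemu_exec_t)` and `role system_r types qemu_unconfined_t;` next to the declaration makes the transition explicit. Separately, `allow qemu_t self:fifo_file rw_file_perms;` should use `rw_fifo_file_perms` as raid.te in this same patch does, and `virt_manage_image(qemu_t)` appears to give every confined guest write access to all virt images rather than its own, which is the guest-to-guest boundary and deserves a comment.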
--exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.2.7/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/raid.te 2008-02-13 16:57:16.000000000 -0500 @@ -19,7 +19,7 @@ # Local policy # -allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; +allow mdadm_t self:capability { dac_override mknod sys_admin ipc_lock }; dontaudit mdadm_t self:capability sys_tty_config; allow mdadm_t self:process { sigchld sigkill sigstop signull signal }; allow mdadm_t self:fifo_file rw_fifo_file_perms; @@ -39,6 +39,7 @@ dev_dontaudit_getattr_generic_files(mdadm_t) dev_dontaudit_getattr_generic_chr_files(mdadm_t) dev_dontaudit_getattr_generic_blk_files(mdadm_t) +dev_read_realtime_clock(mdadm_t) fs_search_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) @@ -85,3 +86,7 @@ optional_policy(` udev_read_db(mdadm_t) ') + +optional_policy(` + unconfined_domain(mdadm_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.2.7/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2007-05-18 11:12:44.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/system/selinuxutil.fc 2008-02-13 16:57:16.000000000 -0500 
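Review bot: The new `optional_policy(` `unconfined_domain(mdadm_t)` `)` in the -85 hunk makes mdadm_t fully unconfined on any build that ships the unconfined module, which is the usual targeted configuration; on those systems the `mknod` capability added in the -19 hunk and `dev_read_realtime_clock` in the -39 hunk are redundant, and the confined rules only matter where unconfined is absent. No comment says which mdadm operation could not be expressed with targeted rules. Either add the specific missing permissions instead, or at minimum annotate: `# mdadm runs unconfined on targeted policy: <denial> could not be expressed -- revisit`.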
@@ -38,7 +38,7 @@ /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) -/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0) +/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0) /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0) /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.2.7/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-11-29 13:29:35.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/selinuxutil.if 2008-02-13 16:57:16.000000000 -0500 @@ -215,8 +215,6 @@ seutil_domtrans_newrole($1) role $2 types newrole_t; allow newrole_t $3:chr_file rw_term_perms; - - auth_run_upd_passwd(newrole_t, $2, $3) ') ######################################## @@ -587,7 +585,7 @@ type selinux_config_t; ') - dontaudit $1 selinux_config_t:dir search; + dontaudit $1 selinux_config_t:dir search_dir_perms; ') ######################################## @@ -606,7 +604,7 @@ type selinux_config_t; ') - dontaudit $1 selinux_config_t:dir search; + dontaudit $1 selinux_config_t:dir search_dir_perms; dontaudit $1 selinux_config_t:file { getattr read }; ') @@ -698,6 +696,7 @@ ') files_search_etc($1) + manage_dirs_pattern($1,selinux_config_t,selinux_config_t) manage_files_pattern($1,selinux_config_t,selinux_config_t) read_lnk_files_pattern($1,selinux_config_t,selinux_config_t) ') 
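Review bot: `manage_dirs_pattern($1,selinux_config_t,selinux_config_t)` added in the -698 hunk lets every caller of that interface (the name is outside the hunk; it looks like seutil_manage_config, which this patch also hands to the per-role `$1_setsebool_t` domains) create and delete directories under /etc/selinux, not just files. The interface header is outside the hunk, so check that its summary mentions directories rather than files only. If a single caller needs directory creation, a separate interface would avoid widening all of them.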
@@ -807,6 +806,28 @@ ######################################## ## +## dontaudit Read the file_contexts files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`seutil_dontaudit_read_file_contexts',` + gen_require(` + type selinux_config_t, default_context_t, file_context_t; + ') + + files_search_etc($1) + dontaudit $1 { selinux_config_t default_context_t }:dir search_dir_perms; + dontaudit $1 file_context_t:dir search_dir_perms; + dontaudit $1 file_context_t:file read_file_perms; +') + +######################################## +## ## Read and write the file_contexts files. ## ## @@ -997,6 +1018,26 @@ ######################################## ## +## Execute a domain transition to run setsebool. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`seutil_domtrans_setsebool',` + gen_require(` + type setsebool_t, setsebool_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1,setsebool_exec_t,setsebool_t) +') + +######################################## +## ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. @@ -1008,7 +1049,7 @@ ## ## ## -## The role to be allowed the checkpolicy domain. +## The role to be allowed the semanage domain. ## ## ## @@ -1030,6 +1071,39 @@ ######################################## ## +## Execute setsebool in the semanage domain, and +## allow the specified role the semanage domain, +## and use the caller's terminal. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the semanage domain. +## +## +## +## +## The type of the terminal allow the semanage domain to use. +## +## +## +# +interface(`seutil_run_setsebool',` + gen_require(` + type semanage_t; + ') + + seutil_domtrans_setsebool($1) + role $2 types setsebool_t; + allow setsebool_t $3:chr_file rw_term_perms; +') + +######################################## +## ## Full management of the semanage ## module store. ## 
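Review bot: `seutil_run_setsebool` requires `type semanage_t;` in its `gen_require` but its body references `setsebool_t` (`role $2 types setsebool_t;`, `allow setsebool_t $3:chr_file rw_term_perms;`), so a module calling it without setsebool_t already in scope fails to build while the semanage_t requirement does nothing. Change it to `type setsebool_t;`. The header text is also copied from the semanage variant — "Execute setsebool in the semanage domain, and allow the specified role the semanage domain" — and should name the setsebool domain.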
@@ -1141,3 +1215,140 @@ selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') + +####################################### +## +## The per role template for the setsebool module. +## +## +##

+## This template creates a derived domains which are used +## for setsebool plugins that are executed by a browser. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# +template(`seutil_setsebool_per_role_template',` + gen_require(` + type setsebool_exec_t; + ') + + type $1_setsebool_t; + domain_type($1_setsebool_t) + domain_entry_file($1_setsebool_t,setsebool_exec_t) + role $3 types $1_setsebool_t; + + files_search_usr($2) + corecmd_search_bin($2) + domtrans_pattern($2,setsebool_exec_t,$1_setsebool_t) + seutil_semanage_policy($1_setsebool_t) + + # Need to define per type booleans + selinux_set_boolean($1_setsebool_t) + + # Bug in semanage + seutil_domtrans_setfiles($1_setsebool_t) + seutil_manage_file_contexts($1_setsebool_t) + seutil_manage_default_contexts($1_setsebool_t) + seutil_manage_config($1_setsebool_t) +') + +####################################### +## +## All rules necessary to run semanage command +## +## +## +## Domain allowed access. 
+## +## +# +interface(`seutil_semanage_policy',` + gen_require(` + type semanage_tmp_t; + type policy_config_t; + ') + allow $1 self:capability { dac_override audit_write }; + allow $1 self:unix_stream_socket create_stream_socket_perms; + allow $1 self:unix_dgram_socket create_socket_perms; + logging_send_audit_msgs($1) + + # Running genhomedircon requires this for finding all users + auth_use_nsswitch($1) + + allow $1 policy_config_t:file { read write }; + + allow $1 semanage_tmp_t:dir manage_dir_perms; + allow $1 semanage_tmp_t:file manage_file_perms; + files_tmp_filetrans($1, semanage_tmp_t, { file dir }) + + kernel_read_system_state($1) + kernel_read_kernel_sysctls($1) + + corecmd_exec_bin($1) + corecmd_exec_shell($1) + + dev_read_urand($1) + + domain_use_interactive_fds($1) + + files_read_etc_files($1) + files_read_etc_runtime_files($1) + files_read_usr_files($1) + files_list_pids($1) + fs_list_inotifyfs($1) + + mls_file_write_all_levels($1) + mls_file_read_all_levels($1) + + selinux_getattr_fs($1) + selinux_validate_context($1) + selinux_get_enforce_mode($1) + + term_use_all_terms($1) + + libs_use_ld_so($1) + libs_use_shared_libs($1) + + locallogin_use_fds($1) + + logging_send_syslog_msg($1) + + miscfiles_read_localization($1) + + seutil_search_default_contexts($1) + seutil_domtrans_loadpolicy($1) + seutil_read_config($1) + seutil_manage_bin_policy($1) + seutil_use_newrole_fds($1) + seutil_manage_module_store($1) + seutil_get_semanage_trans_lock($1) + seutil_get_semanage_read_lock($1) + + userdom_dontaudit_write_unpriv_user_home_content_files($1) + + optional_policy(` + rpm_dontaudit_rw_tmp_files($1) + rpm_dontaudit_rw_pipes($1) + ') +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.2.7/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-02-06 10:33:22.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/selinuxutil.te 2008-02-13 16:57:16.000000000 
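Review bot: `seutil_setsebool_per_role_template` gives the derived `$1_setsebool_t` — reachable from the user domain `$2` via `domtrans_pattern` — the whole `seutil_semanage_policy` bundle, which as defined below includes `seutil_domtrans_loadpolicy`, `seutil_manage_bin_policy`, `seutil_manage_module_store`, `mls_file_write_all_levels` and `mls_file_read_all_levels`, and then adds `seutil_manage_file_contexts`, `seutil_manage_default_contexts` and `seutil_manage_config` under `# Bug in semanage`. In effect any role that receives this template can rewrite and reload the policy, which is far more than toggling booleans and defeats the purpose of confining setsebool at all. I would keep `selinux_set_boolean` plus only the store access setsebool demonstrably needs, and record the semanage bug in a comment with its reference rather than working around it with full configuration management. The template's header ("setsebool plugins that are executed by a browser") is copied from another template and should describe setsebool.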
-0500 @@ -75,7 +75,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) domain_obj_id_change_exemption(restorecond_t) -role system_r types restorecond_t; type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) @@ -92,6 +91,10 @@ domain_interactive_fd(semanage_t) role system_r types semanage_t; +type setsebool_t; +type setsebool_exec_t; +init_system_domain(setsebool_t, setsebool_exec_t) + type semanage_store_t; files_type(semanage_store_t) @@ -168,6 +171,7 @@ files_read_etc_runtime_files(load_policy_t) fs_getattr_xattr_fs(load_policy_t) +fs_list_inotifyfs(load_policy_t) mls_file_read_all_levels(load_policy_t) @@ -195,15 +199,6 @@ ') ') -ifdef(`hide_broken_symptoms',` - # cjp: cover up stray file descriptors. - dontaudit load_policy_t selinux_config_t:file write; - - optional_policy(` - unconfined_dontaudit_read_pipes(load_policy_t) - ') -') - ######################################## # # Newrole local policy @@ -221,7 +216,7 @@ allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +logging_send_audit_msgs(newrole_t) read_files_pattern(newrole_t,default_context_t,default_context_t) read_lnk_files_pattern(newrole_t,default_context_t,default_context_t) @@ -277,6 +272,7 @@ libs_use_ld_so(newrole_t) libs_use_shared_libs(newrole_t) +logging_send_audit_msgs(newrole_t) logging_send_syslog_msg(newrole_t) miscfiles_read_localization(newrole_t) @@ -347,6 +343,8 @@ seutil_libselinux_linked(restorecond_t) +userdom_read_all_users_home_dirs_symlinks(restorecond_t) + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) 
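Review bot: `logging_send_audit_msgs(newrole_t)` is added twice in selinuxutil.te — once in the -221 hunk, replacing the direct `netlink_audit_socket` allow, and again in the -277 hunk next to `logging_send_syslog_msg(newrole_t)`. The duplicate is harmless to the compiler but misleading to readers; keep the one beside the other logging_ calls and drop the other. Unrelated but in the same file: the -75 hunk removes `role system_r types restorecond_t;`, which is fine only if `init_daemon_domain` already declares that role association — its body is outside this view.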
@@ -365,7 +363,7 @@ allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; -allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +logging_send_audit_msgs(run_init_t) # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit @@ -396,7 +394,6 @@ auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) -auth_domtrans_upd_passwd(run_init_t) auth_dontaudit_read_shadow(run_init_t) init_spec_domtrans_script(run_init_t) 
@@ -435,67 +432,21 @@ # semodule local policy # -allow semanage_t self:capability { dac_override audit_write }; -allow semanage_t self:unix_stream_socket create_stream_socket_perms; -allow semanage_t self:unix_dgram_socket create_socket_perms; -allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; - -allow semanage_t policy_config_t:file { read write }; - -allow semanage_t semanage_tmp_t:dir manage_dir_perms; -allow semanage_t semanage_tmp_t:file manage_file_perms; -files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) - -kernel_read_system_state(semanage_t) -kernel_read_kernel_sysctls(semanage_t) - -corecmd_exec_bin(semanage_t) +seutil_semanage_policy(semanage_t) +can_exec(semanage_t, semanage_exec_t) -dev_read_urand(semanage_t) +# Admins are creating pp files in random locations +auth_read_all_files_except_shadow(semanage_t) -domain_use_interactive_fds(semanage_t) - -files_read_etc_files(semanage_t) -files_read_etc_runtime_files(semanage_t) -files_read_usr_files(semanage_t) -files_list_pids(semanage_t) - -mls_file_write_all_levels(semanage_t) -mls_file_read_all_levels(semanage_t) - -selinux_validate_context(semanage_t) -selinux_get_enforce_mode(semanage_t) -selinux_getattr_fs(semanage_t) -# for setsebool: -selinux_set_boolean(semanage_t) - -term_use_all_terms(semanage_t) - -# Running genhomedircon requires this for finding all users -auth_use_nsswitch(semanage_t) - -libs_use_ld_so(semanage_t) -libs_use_shared_libs(semanage_t) - -locallogin_use_fds(semanage_t) - -logging_send_syslog_msg(semanage_t) - -miscfiles_read_localization(semanage_t) - -seutil_libselinux_linked(semanage_t) seutil_manage_file_contexts(semanage_t) seutil_manage_config(semanage_t) seutil_domtrans_setfiles(semanage_t) -seutil_domtrans_loadpolicy(semanage_t) -seutil_manage_bin_policy(semanage_t) -seutil_use_newrole_fds(semanage_t) -seutil_manage_module_store(semanage_t) -seutil_get_semanage_trans_lock(semanage_t) 
-seutil_get_semanage_read_lock(semanage_t) + # netfilter_contexts: seutil_manage_default_contexts(semanage_t) +userdom_search_sysadm_home_dirs(semanage_t) + ifdef(`distro_debian',` files_read_var_lib_files(semanage_t) files_read_var_lib_symlinks(semanage_t) @@ -507,6 +458,11 @@ ') ') +optional_policy(` + #signal mcstrans on reload + init_spec_domtrans_script(semanage_t) +') + # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files 
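Review bot: `auth_read_all_files_except_shadow(semanage_t)` grants semanage_t read access to essentially every non-shadow file on the system, which is a large widening compared with the removed per-directory home and tmp rules, and the one-line comment above it does not convey that scope. I would expand it to `# Admins build pp files in arbitrary locations; this grants read of all non-shadow files, not just home/tmp dirs` so the next reader sees the trade-off. The long list of explicit allows (loadpolicy, module store, semanage locks, urand, syslog, etc.) is replaced only by `seutil_semanage_policy(semanage_t)`; the hunk gives no indication that interface covers `seutil_domtrans_loadpolicy`, `seutil_manage_module_store` and the lock interfaces, so that should be checked against seutil.if rather than assumed.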
@@ -514,26 +470,44 @@ # Handle pp files created in homedir and /tmp userdom_read_sysadm_home_content_files(semanage_t) userdom_read_sysadm_tmp_files(semanage_t) - - optional_policy(` - unconfined_read_home_content_files(semanage_t) - unconfined_read_tmp_files(semanage_t) - ') + userdom_read_unpriv_users_home_content_files(semanage_t) + userdom_read_unpriv_users_tmp_files(semanage_t) ') ######################################## # +# setsebool local policy +# +seutil_semanage_policy(setsebool_t) +selinux_set_boolean(setsebool_t) + +init_dontaudit_use_fds(setsebool_t) + +# Bug in semanage +seutil_domtrans_setfiles(setsebool_t) +seutil_manage_file_contexts(setsebool_t) +seutil_manage_default_contexts(setsebool_t) +seutil_manage_config(setsebool_t) + +######################################## +# # Setfiles local policy # allow setfiles_t self:capability { dac_override dac_read_search fowner }; dontaudit setfiles_t self:capability sys_tty_config; allow setfiles_t self:fifo_file rw_file_perms; +dontaudit setfiles_t self:dir relabelfrom; +dontaudit setfiles_t self:file relabelfrom; +dontaudit setfiles_t self:lnk_file relabelfrom; + allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; +logging_send_audit_msgs(setfiles_t) + kernel_read_system_state(setfiles_t) kernel_relabelfrom_unlabeled_dirs(setfiles_t) kernel_relabelfrom_unlabeled_files(setfiles_t) 
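Review bot: The `# Bug in semanage` block gives setsebool_t `seutil_domtrans_setfiles`, `seutil_manage_file_contexts`, `seutil_manage_default_contexts` and `seutil_manage_config`, which is far more than a boolean-setting tool needs and is justified only by a defect elsewhere. The comment should identify the bug and mark the rules as temporary, e.g. `# Workaround for <BUG-TRACKER-ID> in semanage; remove these four rules once it is fixed`, otherwise the workaround becomes permanent policy. `seutil_semanage_policy(setsebool_t)` on the first line of the section likewise pulls in the whole semanage rule set for a domain whose own need is `selinux_set_boolean`; a one-line note on why the full set is required would help a later reviewer trim it.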
@@ -555,9 +529,12 @@ files_read_etc_files(setfiles_t) files_list_all(setfiles_t) files_relabel_all_files(setfiles_t) +files_list_isid_type_dirs(setfiles_t) +files_read_isid_type_files(setfiles_t) fs_getattr_xattr_fs(setfiles_t) fs_list_all(setfiles_t) +fs_getattr_all_files(setfiles_t) fs_search_auto_mountpoints(setfiles_t) fs_relabelfrom_noxattr_fs(setfiles_t) @@ -617,16 +594,8 @@ ') ') -ifdef(`hide_broken_symptoms',` - optional_policy(` - udev_dontaudit_rw_dgram_sockets(setfiles_t) - ') - - # cjp: cover up stray file descriptors. - optional_policy(` - unconfined_dontaudit_read_pipes(setfiles_t) - unconfined_dontaudit_rw_tcp_sockets(setfiles_t) - ') +optional_policy(` + cron_system_entry(setfiles_t, setfiles_exec_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.2.7/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-07-16 14:09:49.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/system/sysnetwork.if 2008-02-13 16:57:16.000000000 -0500 @@ -145,6 +145,25 @@ ######################################## ## +## Send a generic signal to the ifconfig client. +## +## +## +## The domain sending the signal. +## +## +## +# +interface(`sysnet_signal_ifconfig',` + gen_require(` + type ifconfig_t; + ') + + allow $1 ifconfig_t:process signal; +') + +######################################## +## ## Send and receive messages from ## dhcpc over dbus. ## @@ -493,6 +512,10 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; + + optional_policy(` + avahi_stream_connect($1) + ') ') ######################################## @@ -522,6 +545,8 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; + # LDAP Configuration using encrypted requires + dev_read_urand($1) ') ######################################## 
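Review bot: The comment `# LDAP Configuration using encrypted requires` added in the hunk at +545 of sysnetwork.if is an unfinished sentence, and the line it explains grants `dev_read_urand($1)` to every caller of that interface. Finish it so the grant is explained: `# LDAP configuration with encryption needs to read /dev/urandom`. The `avahi_stream_connect($1)` added to the neighbouring interface at +512 has no comment at all; a short one saying which resolver path needs it would keep both additions from looking accidental.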
@@ -556,3 +581,49 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; ') + +######################################## +## +## Do not audit attempts to use +## the dhcp file descriptors. +## +## +## +## The domain sending the SIGCHLD. +## +## +# +interface(`sysnet_dontaudit_dhcpc_use_fds',` + gen_require(` + type dhcpc_t; + ') + + dontaudit $1 dhcpc_t:fd use; +') + +######################################## +## +## Transition to system_r when execute an dhclient script +## +## +##

+## Execute dhclient script in a specified role +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+##
+## +## +## Role to transition from. +## +## +interface(`sysnet_role_transition_dhcpc',` + gen_require(` + type dhclient_exec_t; + ') + + role_transition $1 dhcpc_exec_t system_r; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.2.7/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-02-06 10:33:22.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/sysnetwork.te 2008-02-13 16:57:16.000000000 -0500 @@ -45,7 +45,7 @@ dontaudit dhcpc_t self:capability sys_tty_config; # for access("/etc/bashrc", X_OK) on Red Hat dontaudit dhcpc_t self:capability { dac_read_search sys_module }; -allow dhcpc_t self:process signal_perms; +allow dhcpc_t self:process { ptrace signal_perms }; allow dhcpc_t self:fifo_file rw_file_perms; allow dhcpc_t self:tcp_socket create_stream_socket_perms; allow dhcpc_t self:udp_socket create_socket_perms; @@ -136,6 +136,7 @@ modutils_domtrans_insmod(dhcpc_t) +userdom_dontaudit_search_sysadm_home_dirs(dhcpc_t) userdom_dontaudit_search_staff_home_dirs(dhcpc_t) ifdef(`distro_redhat', ` @@ -153,11 +154,19 @@ ') optional_policy(` + gen_require(` + class dbus send_msg; + ') + + allow dhcpc_t self:dbus send_msg; + init_dbus_chat_script(dhcpc_t) dbus_system_bus_client_template(dhcpc,dhcpc_t) dbus_connect_system_bus(dhcpc_t) + dbus_read_config(dhcpc_t) + optional_policy(` networkmanager_dbus_chat(dhcpc_t) ') @@ -186,6 +195,10 @@ ') optional_policy(` + networkmanager_domtrans(dhcpc_t) +') + +optional_policy(` nis_use_ypbind(dhcpc_t) nis_signal_ypbind(dhcpc_t) nis_read_ypbind_pid(dhcpc_t) @@ -202,9 +215,7 @@ ') optional_policy(` - # dhclient sometimes starts ntpd - init_exec_script_files(dhcpc_t) - ntp_domtrans(dhcpc_t) + ntp_script_domtrans(dhcpc_t) ') optional_policy(` @@ -215,6 +226,7 @@ optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) + seutil_domtrans_setfiles(dhcpc_t) ') optional_policy(` 
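Review bot: In `sysnet_role_transition_dhcpc` the `gen_require` declares `type dhclient_exec_t;` but the rule uses `dhcpc_exec_t`, so the required type is never used and the used type is not required; change the require to `type dhcpc_exec_t;`. The doc block is also off: the summary reads 'Transition to system_r when execute an dhclient script' and the parameter is 'Role to transition from', while the interface hard-codes `system_r` as the target with no comment on why that is not a parameter. In `sysnet_dontaudit_dhcpc_use_fds` just above, the parameter is described as 'The domain sending the SIGCHLD', copied from a sigchld interface; it should read 'Domain to not audit'.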
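Review bot: `allow dhcpc_t self:process { ptrace signal_perms };` in the sysnetwork.te hunk at +45 adds self-ptrace to the DHCP client without a comment, while the adjacent `dontaudit dhcpc_t self:capability { dac_read_search sys_module };` line does explain its trigger. Self-ptrace is unusual for a network client; if a specific tool or library in the dhclient path needs it, say so, e.g. `# <tool> in the dhclient path ptraces itself`. If it was only added to silence an observed denial, a `dontaudit` would be the safer choice.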
@@ -226,6 +238,10 @@ ') optional_policy(` + vmware_append_log(dhcpc_t) +') + +optional_policy(` kernel_read_xen_state(dhcpc_t) kernel_write_xen_state(dhcpc_t) xen_append_log(dhcpc_t) @@ -239,7 +255,6 @@ allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow ifconfig_t self:capability { net_raw net_admin sys_tty_config }; -dontaudit ifconfig_t self:capability sys_module; allow ifconfig_t self:fd use; allow ifconfig_t self:fifo_file rw_fifo_file_perms; @@ -253,6 +268,7 @@ allow ifconfig_t self:sem create_sem_perms; allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; +allow ifconfig_t net_conf_t:file read_file_perms; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -269,6 +285,8 @@ kernel_read_network_state(ifconfig_t) kernel_search_network_sysctl(ifconfig_t) kernel_rw_net_sysctls(ifconfig_t) +# This should be put inside a boolean, but can not because of attributes +kernel_load_module(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -279,8 +297,11 @@ fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) +selinux_dontaudit_getattr_fs(ifconfig_t) + term_dontaudit_use_all_user_ttys(ifconfig_t) term_dontaudit_use_all_user_ptys(ifconfig_t) +term_dontaudit_use_ptmx(ifconfig_t) domain_use_interactive_fds(ifconfig_t) @@ -308,7 +329,7 @@ unconfined_domain(ifconfig_t) ') ') - + ifdef(`hide_broken_symptoms',` optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) 
@@ -332,6 +353,14 @@ ') optional_policy(` + unconfined_dontaudit_rw_pipes(ifconfig_t) +') + +optional_policy(` + vmware_append_log(ifconfig_t) +') + +optional_policy(` kernel_read_xen_state(ifconfig_t) kernel_write_xen_state(ifconfig_t) xen_append_log(ifconfig_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.2.7/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/udev.te 2008-02-14 14:30:05.000000000 -0500 @@ -83,6 +83,7 @@ kernel_rw_unix_dgram_sockets(udev_t) kernel_dgram_send(udev_t) kernel_signal(udev_t) +kernel_search_debugfs(udev_t) #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) @@ -96,9 +97,6 @@ dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) dev_relabel_all_dev_nodes(udev_t) -# udev_node.c/node_symlink() symlink labels are explicitly -# preserved, instead of short circuiting the relabel -dev_relabel_generic_symlinks(udev_t) domain_read_all_domains_state(udev_t) domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these @@ -142,6 +140,7 @@ logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) +logging_send_audit_msgs(udev_t) miscfiles_read_localization(udev_t) @@ -189,6 +188,7 @@ optional_policy(` alsa_domtrans(udev_t) + alsa_read_lib(udev_t) alsa_read_rw_config(udev_t) ') @@ -197,6 +197,10 @@ ') optional_policy(` + clock_domtrans(udev_t) +') + +optional_policy(` consoletype_exec(udev_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.2.7/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-12-12 11:35:28.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/unconfined.fc 2008-02-13 16:57:16.000000000 -0500 
@@ -2,15 +2,18 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t -/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) /usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/lib(64)?/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) - ifdef(`distro_gentoo',` /usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ') +/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/bin/livecd-creator -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.2.7/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/unconfined.if 2008-02-14 15:02:03.000000000 -0500 
@@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` gen_require(` - type unconfined_t; class dbus all_dbus_perms; class nscd all_nscd_perms; class passwd all_passwd_perms; ') # Use any Linux capability. - allow $1 self:capability *; + allow $1 self:capability all_capabilities; allow $1 self:fifo_file manage_fifo_file_perms; # Transition to myself, to make get_ordered_context_list happy. @@ -27,12 +26,13 @@ # Write access is for setting attributes under /proc/self/attr. allow $1 self:file rw_file_perms; + allow $1 self:dir rw_dir_perms; # Userland object managers - allow $1 self:nscd *; - allow $1 self:dbus *; - allow $1 self:passwd *; - allow $1 self:association *; + allow $1 self:nscd all_nscd_perms; + allow $1 self:dbus all_dbus_perms; + allow $1 self:passwd all_passwd_perms; + allow $1 self:association all_association_perms; kernel_unconfined($1) corenet_unconfined($1) @@ -70,6 +70,7 @@ optional_policy(` # Communicate via dbusd. dbus_system_bus_unconfined($1) + dbus_unconfined($1) ') optional_policy(` @@ -581,7 +582,6 @@ interface(`unconfined_dbus_connect',` gen_require(` type unconfined_t; - class dbus acquire_svc; ') allow $1 unconfined_t:dbus acquire_svc; @@ -589,7 +589,7 @@ ######################################## ## -## Read files in unconfined users home directories. +## Allow ptrace of unconfined domain ## ## ## 
@@ -597,20 +597,53 @@ ## ## # -interface(`unconfined_read_home_content_files',` +interface(`unconfined_ptrace',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process ptrace; +') + +######################################## +## +## Read and write to unconfined shared memory. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`unconfined_rw_shm',` gen_require(` - type unconfined_home_dir_t, unconfined_home_t; + type unconfined_t; ') - files_search_home($1) - allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms; - read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) - read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) + allow $1 unconfined_t:shm rw_shm_perms; ') ######################################## ## -## Read unconfined users temporary files. +## Read and write to unconfined execmem shared memory. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`unconfined_execmem_rw_shm',` + gen_require(` + type unconfined_execmem_t; + ') + + allow $1 unconfined_execmem_t:shm rw_shm_perms; +') + +######################################## +## +## Transition to the unconfined_execmem domain. ## ## ## 
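Review bot: `unconfined_ptrace` hands the caller `process ptrace` on unconfined_t, which lets that domain read and alter the memory of every unconfined process — effectively full control of the unconfined user — but its summary only says 'Allow ptrace of unconfined domain'. The doc should make the consequence explicit so the interface is not added casually: `## Allow the domain to ptrace unconfined_t. This is equivalent to granting unconfined-level control; intended for debuggers and similar tools only.`. The same hunk removes `unconfined_read_home_content_files` and `unconfined_read_tmp_files`; the in-tree semanage caller was moved to the userdom equivalents earlier in this patch, but any out-of-tree caller will now fail to build, which the commit message should mention.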
@@ -618,31 +651,132 @@ ## ## # -interface(`unconfined_read_tmp_files',` +interface(`unconfined_execmem_domtrans',` + gen_require(` - type unconfined_tmp_t; + type unconfined_execmem_t, unconfined_execmem_exec_t; ') - files_search_tmp($1) - allow $1 unconfined_tmp_t:dir list_dir_perms; - read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) - read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) + domtrans_pattern($1,unconfined_execmem_exec_t,unconfined_execmem_t) ') ######################################## ## -## Write unconfined users temporary files. +## allow attempts to use unconfined ttys and ptys. ## ## ## +## Domain to not audit. +## +## +# +interface(`unconfined_use_terminals',` + gen_require(` + type unconfined_devpts_t; + type unconfined_tty_device_t; + ') + + allow $1 unconfined_tty_device_t:chr_file rw_term_perms; + allow $1 unconfined_devpts_t:chr_file rw_term_perms; +') + +######################################## +## +## Do not audit attempts to use unconfined ttys and ptys. +## +## +## +## Domain to not audit. +## +## +# +interface(`unconfined_dontaudit_use_terminals',` + gen_require(` + type unconfined_devpts_t; + type unconfined_tty_device_t; + ') + + dontaudit $1 unconfined_tty_device_t:chr_file rw_term_perms; + dontaudit $1 unconfined_devpts_t:chr_file rw_term_perms; +') + +######################################## +## +## Allow apps to set rlimits on userdomain +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_set_rlimitnh',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process rlimitinh; +') + +######################################## +## +## Allow the specified domain to read/write to +## unconfined with a unix domain stream sockets. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`unconfined_rw_stream_sockets',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:unix_stream_socket { read write }; +') + +######################################## +## +## Read/write unconfined tmpfs files. +## +## +##

+## Read/write unconfined tmpfs files. +##

+##
+## +## ## Domain allowed access. ## ## # -interface(`unconfined_write_tmp_files',` +interface(`unconfined_rw_tmpfs_files',` gen_require(` - type unconfined_tmp_t; + type unconfined_tmpfs_t; + ') + + fs_search_tmpfs($1) + allow $1 unconfined_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t) + read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t) +') + +######################################## +## +## Get the process group of unconfined. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_getpgid',` + gen_require(` + type unconfined_t; ') - allow $1 unconfined_tmp_t:file { getattr write append }; + allow $1 unconfined_t:process getpgid; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.7/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-13 16:26:06.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/unconfined.te 2008-02-13 17:10:39.000000000 -0500 @@ -6,35 +6,66 @@ # Declarations # +## +##
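Review bot: `unconfined_set_rlimitnh` grants the `rlimitinh` permission but is named `rlimitnh`, and its summary 'Allow apps to set rlimits on userdomain' describes neither the permission nor the target; name the interface after the permission (`unconfined_set_rlimitinh`) and document it as `## Allow the domain to inherit resource limits from unconfined_t (process rlimitinh).`. `unconfined_use_terminals` is an allow rule, yet its parameter is documented as 'Domain to not audit', copied from the dontaudit variant below it; it should read 'Domain allowed access'. `unconfined_rw_tmpfs_files` appears to repeat its one-line summary as its description; either drop the description block or have it mention that the interface also grants `fs_search_tmpfs` and directory listing.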

+## Transition to confined nsplugin domains from unconfined user +##

+##
+gen_tunable(allow_unconfined_nsplugin_transition,false) + +## +##

+## Transition to confined qemu domains from unconfined user +##

+##
+gen_tunable(allow_unconfined_qemu_transition,false) + # usage in this module of types created by these # calls is not correct, however we dont currently # have another method to add access to these types -userdom_base_user_template(unconfined) -userdom_manage_home_template(unconfined) -userdom_manage_tmp_template(unconfined) -userdom_manage_tmpfs_template(unconfined) +userdom_restricted_user_template(unconfined) +userdom_common_user_template(unconfined) +userdom_xwindows_client_template(unconfined) type unconfined_exec_t; init_system_domain(unconfined_t, unconfined_exec_t) +role unconfined_r types unconfined_t; + +domain_user_exemption_target(unconfined_t) +allow system_r unconfined_r; +allow unconfined_r system_r; +init_script_role_transition(unconfined_r) type unconfined_execmem_t; type unconfined_execmem_exec_t; init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) role unconfined_r types unconfined_execmem_t; +type unconfined_notrans_t; +type unconfined_notrans_exec_t; +init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t) +role unconfined_r types unconfined_notrans_t; + ######################################## # # Local policy # +dontaudit unconfined_t self:dir write; + +allow unconfined_t self:system syslog_read; +dontaudit unconfined_t self:capability sys_module; + domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t) files_create_boot_flag(unconfined_t) +files_create_default_dir(unconfined_t) mcs_killall(unconfined_t) mcs_ptrace_all(unconfined_t) init_run_daemon(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +init_domtrans_script(unconfined_t) libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) 
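Review bot: `allow system_r unconfined_r;` and `allow unconfined_r system_r;` together with `init_script_role_transition(unconfined_r)` permit role changes between the system and unconfined roles in both directions, and nothing says why the reverse direction is needed. A comment above the pair naming the callers that require each direction would keep a later reader from pruning one side; I cannot tell from this hunk which path needs system_r to unconfined_r. The new tunables `allow_unconfined_nsplugin_transition` and `allow_unconfined_qemu_transition` default to `false`, and the qemu hunk later in this file selects `qemu_runas_unconfined` in that case, so the default keeps qemu unconfined; the tunable descriptions should state that explicitly rather than only describing the `true` case.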
@@ -42,7 +73,10 @@ logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +# Unconfined running as system_r +mount_domtrans_unconfined(unconfined_t) +seutil_run_setsebool(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) @@ -51,13 +85,25 @@ userdom_priveleged_home_dir_manager(unconfined_t) optional_policy(` - ada_domtrans(unconfined_t) + gen_require(` + type nsplugin_t; + type nsplugin_config_t; + ') + role unconfined_r types nsplugin_t; + role unconfined_r types nsplugin_config_t; + tunable_policy(`allow_unconfined_nsplugin_transition', ` + nsplugin_use(unconfined, unconfined_t) + ') +') + +optional_policy(` + ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) apache_per_role_template(unconfined, unconfined_t, unconfined_r) - # this is disallowed usage: + # this is dissallowed usage: unconfined_domain(httpd_unconfined_script_t) ') @@ -69,11 +115,11 @@ bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') -optional_policy(` - cron_per_role_template(unconfined, unconfined_t, unconfined_r) - # this is disallowed usage: - unconfined_domain(unconfined_crond_t) -') +#optional_policy(` +# cron_per_role_template(unconfined, unconfined_t, unconfined_r) +# unconfined_domain(unconfined_crontab_t) +# role system_r types unconfined_crontab_t; +#') optional_policy(` init_dbus_chat_script(unconfined_t) 
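Review bot: The cron `optional_policy` block in the hunk at +115 is left in the file as a commented-out `#optional_policy(` … `#')` rather than removed; dead policy text misleads, and if it is kept as a reminder it needs a line saying why it is disabled, e.g. `# cron per-role template for unconfined is disabled pending <ISSUE-ID>`. The hunk at +85 changes the existing comment 'this is disallowed usage' to 'this is dissallowed usage', introducing a spelling error; keep the original wording. In the same hunk the `gen_require` for `nsplugin_t` and `nsplugin_config_t` sits inside `optional_policy` with the `role unconfined_r types` lines outside the tunable, so the role grant applies regardless of `allow_unconfined_nsplugin_transition`; a comment noting that is intentional would help.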
@@ -101,12 +147,24 @@ ') optional_policy(` + gnomeclock_dbus_chat(unconfined_t) + ') + + optional_policy(` + kerneloops_dbus_chat(unconfined_t) + ') + + optional_policy(` networkmanager_dbus_chat(unconfined_t) ') optional_policy(` oddjob_dbus_chat(unconfined_t) ') + + optional_policy(` + vpnc_dbus_chat(unconfined_t) + ') ') optional_policy(` @@ -118,11 +176,7 @@ ') optional_policy(` - inn_domtrans(unconfined_t) -') - -optional_policy(` - java_domtrans(unconfined_t) + iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` @@ -134,14 +188,6 @@ ') optional_policy(` - mono_domtrans(unconfined_t) -') - -optional_policy(` - mta_per_role_template(unconfined, unconfined_t, unconfined_r) -') - -optional_policy(` oddjob_domtrans_mkhomedir(unconfined_t) ') 
@@ -154,38 +200,37 @@ ') optional_policy(` - postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - # cjp: this should probably be removed: - postfix_domtrans_master(unconfined_t) -') - - -optional_policy(` - pyzor_per_role_template(unconfined) -') - -optional_policy(` - # cjp: this should probably be removed: - rpc_domtrans_nfsd(unconfined_t) + tunable_policy(`allow_unconfined_qemu_transition', ` + qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + ', ` + qemu_runas_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + ') + qemu_role(unconfined_r) + qemu_unconfined_role(unconfined_r) ') optional_policy(` rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + # Allow SELinux aware applications to request rpm_script execution + rpm_transition_script(unconfined_t) + rpm_role_transition(unconfined_r) ') optional_policy(` samba_per_role_template(unconfined) samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + samba_run_smbcontrol(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` - spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r) + sendmail_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) sysnet_dbus_chat_dhcpc(unconfined_t) + sysnet_role_transition_dhcpc(unconfined_r) ') optional_policy(` 
@@ -205,11 +250,30 @@ ') optional_policy(` - wine_domtrans(unconfined_t) + wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +') + +optional_policy(` + java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +') + +optional_policy(` + mono_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +') + +optional_policy(` + mozilla_per_role_template(unconfined, unconfined_t, unconfined_r) + unconfined_domain(unconfined_mozilla_t) + allow unconfined_mozilla_t self:process { execstack execmem }; +') + +optional_policy(` + kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) ') optional_policy(` - xserver_domtrans_xdm_xserver(unconfined_t) + xserver_run_xdm_xserver(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + xserver_xdm_rw_shm(unconfined_t) ') ######################################## 
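Review bot: `mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)` followed by `unconfined_domain(unconfined_mozilla_t)` and `allow unconfined_mozilla_t self:process { execstack execmem };` instantiates a per-role mozilla domain and then makes it unconfined with executable memory, which removes whatever confinement the template was meant to provide. Earlier in this file the equivalent `unconfined_domain(httpd_unconfined_script_t)` is marked `# this is disallowed usage:`; this block should carry the same marker plus a sentence on why the separate type is still wanted (if it exists only so other modules can key on `unconfined_mozilla_t`, say so). The `kismet_run` line lists the terminal types in the opposite order (`{ unconfined_tty_device_t unconfined_devpts_t }`) from every other `*_run` call in the file; harmless, but worth normalising.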
@@ -219,14 +283,34 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) +allow unconfined_execmem_t unconfined_t:process transition; optional_policy(` - dbus_stub(unconfined_execmem_t) - init_dbus_chat_script(unconfined_execmem_t) + dbus_system_bus_client_template(unconfined_execmem, unconfined_execmem_t) unconfined_dbus_chat(unconfined_execmem_t) + unconfined_dbus_connect(unconfined_execmem_t) +') - optional_policy(` - hal_dbus_chat(unconfined_execmem_t) - ') +optional_policy(` + avahi_dbus_chat(unconfined_execmem_t) +') + +optional_policy(` + hal_dbus_chat(unconfined_execmem_t) ') + +optional_policy(` + xserver_xdm_rw_shm(unconfined_execmem_t) +') + +######################################## +# +# Unconfined notrans Local policy +# + +allow unconfined_notrans_t self:process { execstack execmem }; +unconfined_domain_noaudit(unconfined_notrans_t) +domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t) +# Allow SELinux aware applications to request rpm_script execution +rpm_transition_script(unconfined_notrans_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.2.7/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-02-19 11:32:53.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/userdomain.fc 2008-02-13 16:57:16.000000000 -0500 
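Review bot: The new `unconfined_notrans_t` section has only the boilerplate `# Unconfined notrans Local policy` header; nothing says what 'notrans' means or why `mock`, `livecd-creator` and `sysreport` (labelled `unconfined_notrans_exec_t` in the unconfined.fc hunk earlier in this patch) need a domain distinct from unconfined_t. If the intent is that these tools stay in one domain when they execute other programs, a header such as `# unconfined_notrans_t: unconfined domain for tools that must not trigger domain transitions on exec; entered from unconfined_t via unconfined_notrans_exec_t` would capture it. `allow unconfined_execmem_t unconfined_t:process transition;` also lacks a comment on which program needs the execmem-to-unconfined transition.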
@@ -1,4 +1,5 @@ -HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh) -HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0) - -/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) +HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) +/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.7/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/userdomain.if 2008-02-14 09:29:10.000000000 -0500 @@ -29,9 +29,14 @@ ') attribute $1_file_type; + attribute $1_usertype; - type $1_t, userdomain; + type $1_t, userdomain, $1_usertype; domain_type($1_t) + ifndef(`enable_mls',` + # ignore user componant labeling on homedir entry + domain_obj_id_change_exemption($1_t) + ') corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) domain_user_exemption_target($1_t) 
@@ -45,66 +50,73 @@ type $1_tty_device_t; term_user_tty($1_t,$1_tty_device_t) - allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; - allow $1_t self:fd use; - allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; - allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow $1_t self:shm create_shm_perms; - allow $1_t self:sem create_sem_perms; - allow $1_t self:msgq create_msgq_perms; - allow $1_t self:msg { send receive }; - allow $1_t self:context contains; - dontaudit $1_t self:socket create; - - allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; - term_create_pty($1_t,$1_devpts_t) - - allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; - - kernel_read_kernel_sysctls($1_t) - kernel_dontaudit_list_unlabeled($1_t) - kernel_dontaudit_getattr_unlabeled_files($1_t) - kernel_dontaudit_getattr_unlabeled_symlinks($1_t) - kernel_dontaudit_getattr_unlabeled_pipes($1_t) - kernel_dontaudit_getattr_unlabeled_sockets($1_t) - kernel_dontaudit_getattr_unlabeled_blk_files($1_t) - kernel_dontaudit_getattr_unlabeled_chr_files($1_t) - - dev_dontaudit_getattr_all_blk_files($1_t) - dev_dontaudit_getattr_all_chr_files($1_t) + allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; + allow $1_usertype $1_usertype:fd use; + allow $1_usertype $1_t:key { create view read write search link setattr }; + + allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms; + allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto }; + allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto }; + allow $1_usertype $1_usertype:shm create_shm_perms; + allow $1_usertype $1_usertype:sem create_sem_perms; + allow $1_usertype $1_usertype:msgq create_msgq_perms; + allow $1_usertype $1_usertype:msg { send 
receive }; + allow $1_usertype $1_usertype:context contains; + dontaudit $1_usertype $1_usertype:socket create; + + allow $1_usertype $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; + term_create_pty($1_usertype,$1_devpts_t) + + allow $1_usertype $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; + + application_exec_all($1_usertype) + + kernel_read_kernel_sysctls($1_usertype) + kernel_read_all_sysctls($1_usertype) + + kernel_dontaudit_list_unlabeled($1_usertype) + kernel_dontaudit_getattr_unlabeled_files($1_usertype) + kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype) + kernel_dontaudit_getattr_unlabeled_pipes($1_usertype) + kernel_dontaudit_getattr_unlabeled_sockets($1_usertype) + kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype) + kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype) # When the user domain runs ps, there will be a number of access # denials when ps tries to search /proc. Do not audit these denials. - domain_dontaudit_read_all_domains_state($1_t) - domain_dontaudit_getattr_all_domains($1_t) - domain_dontaudit_getsession_all_domains($1_t) - - files_read_etc_files($1_t) - files_read_etc_runtime_files($1_t) - files_read_usr_files($1_t) + domain_dontaudit_read_all_domains_state($1_usertype) + domain_dontaudit_getattr_all_domains($1_usertype) + domain_dontaudit_getsession_all_domains($1_usertype) + + files_read_etc_files($1_usertype) + files_read_etc_runtime_files($1_usertype) + files_read_usr_files($1_usertype) # Read directories and files with the readable_t type. # This type is a general type for "world"-readable files. 
- files_list_world_readable($1_t) - files_read_world_readable_files($1_t) - files_read_world_readable_symlinks($1_t) - files_read_world_readable_pipes($1_t) - files_read_world_readable_sockets($1_t) + files_list_world_readable($1_usertype) + files_read_world_readable_files($1_usertype) + files_read_world_readable_symlinks($1_usertype) + files_read_world_readable_pipes($1_usertype) + files_read_world_readable_sockets($1_usertype) # old broswer_domain(): - files_dontaudit_list_non_security($1_t) - files_dontaudit_getattr_non_security_files($1_t) - files_dontaudit_getattr_non_security_symlinks($1_t) - files_dontaudit_getattr_non_security_pipes($1_t) - files_dontaudit_getattr_non_security_sockets($1_t) - - libs_use_ld_so($1_t) - libs_use_shared_libs($1_t) - libs_exec_ld_so($1_t) - - miscfiles_read_localization($1_t) - miscfiles_read_certs($1_t) + files_dontaudit_getattr_all_dirs($1_usertype) + files_dontaudit_list_non_security($1_usertype) + files_dontaudit_getattr_non_security_files($1_usertype) + files_dontaudit_getattr_non_security_symlinks($1_usertype) + files_dontaudit_getattr_non_security_pipes($1_usertype) + files_dontaudit_getattr_non_security_sockets($1_usertype) + + dev_dontaudit_getattr_all_blk_files($1_usertype) + dev_dontaudit_getattr_all_chr_files($1_usertype) + + auth_use_nsswitch($1_usertype) + + libs_use_ld_so($1_usertype) + libs_use_shared_libs($1_usertype) + libs_exec_ld_so($1_usertype) - sysnet_read_config($1_t) + miscfiles_read_localization($1_usertype) + miscfiles_read_certs($1_usertype) tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. @@ -115,6 +127,10 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') + + optional_policy(` + ssh_rw_stream_sockets($1_usertype) + ') ') ####################################### 
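Review bot: The template now calls `kernel_read_all_sysctls($1_usertype)` immediately after `kernel_read_kernel_sysctls($1_usertype)`; if the former is a superset, as its name suggests, the latter is redundant and a comment should say why every user-type domain needs read access to all sysctls. `application_exec_all($1_usertype)` and `auth_use_nsswitch($1_usertype)` are new grants to every domain carrying `$1_usertype`, not only `$1_t`, yet the attribute declaration in the hunk at +29 has no comment on which domains are expected to carry it; something like `# $1_usertype: every domain that runs as this user and shares its baseline access` would help. `sysnet_read_config($1_t)` is removed with no replacement visible in the hunk — presumably `auth_use_nsswitch` covers it, but that should be confirmed. The userdom_base_user_template body continues outside these hunks.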
@@ -141,33 +157,13 @@ # template(`userdom_ro_home_template',` gen_require(` - attribute home_type, home_dir_type, $1_file_type; + type user_home_t, user_home_dir_t; ') - # type for contents of home directory - type $1_home_t, $1_file_type, home_type; - files_type($1_home_t) - files_associate_tmp($1_home_t) - fs_associate_tmpfs($1_home_t) - files_mountpoint($1_home_t) - - # type of home directory - type $1_home_dir_t, home_dir_type, home_type; - files_type($1_home_dir_t) - files_mountpoint($1_home_dir_t) - files_associate_tmp($1_home_dir_t) - fs_associate_tmpfs($1_home_dir_t) - files_poly_member($1_home_dir_t) - - ############################## - # - # User home directory file rules - # - - allow $1_file_type $1_home_t:filesystem associate; - - # Rules used to associate a homedir as a mountpoint - allow $1_home_t self:filesystem associate; + ifelse(`$1',`user',`',` + typealias user_home_t alias $1_home_t; + typealias user_home_dir_t alias $1_home_dir_t; + ') ############################## # @@ -175,13 +171,13 @@ # # read-only home directory - allow $1_t $1_home_dir_t:dir list_dir_perms; - allow $1_t $1_home_t:dir list_dir_perms; - allow $1_t $1_home_t:file entrypoint; - read_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) - read_lnk_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) - read_fifo_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) - read_sock_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) + allow $1_t user_home_dir_t:dir list_dir_perms; + allow $1_t user_home_t:dir list_dir_perms; + allow $1_t user_home_t:file entrypoint; + read_files_pattern($1_t,{ user_home_t user_home_dir_t },user_home_t) + read_lnk_files_pattern($1_t,{ user_home_t user_home_dir_t },user_home_t) + read_fifo_files_pattern($1_t,{ user_home_t user_home_dir_t },user_home_t) + read_sock_files_pattern($1_t,{ user_home_t user_home_dir_t },user_home_t) files_list_home($1_t) tunable_policy(`use_nfs_home_dirs',` 
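Review bot: The two `typealias user_home_t alias $1_home_t;` / `typealias user_home_dir_t alias $1_home_dir_t;` lines make every prefix's home types the same type as the `user` prefix, so the read-only rules that follow in `userdom_ro_home_template` (`allow $1_t user_home_dir_t:dir list_dir_perms;` and the read_*_pattern calls on `user_home_t`) now grant `$1_t` read access to the home content of users of every prefix, not only its own; the per-prefix separation that the removed `type $1_home_t, $1_file_type, home_type;` declaration provided is gone. If that collapse is intended, the template summary should say so, e.g. `## All user prefixes share user_home_t and user_home_dir_t; $1_home_t and $1_home_dir_t are aliases kept for existing callers.` The `ifelse` guard only special-cases the prefix `user`, so any other caller that still declares its own `$1_home_t` elsewhere would get a conflicting alias — worth a comment if such a caller exists. The same aliasing is applied in `userdom_manage_home_template` in the next hunk.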
@@ -231,30 +227,14 @@
 #
 template(`userdom_manage_home_template',`
 gen_require(`
- attribute home_type, home_dir_type, $1_file_type;
+ attribute home_type, home_dir_type;
+ type user_home_t, user_home_dir_t;
 ')

- # type for contents of home directory
- type $1_home_t, $1_file_type, home_type;
- files_type($1_home_t)
- files_associate_tmp($1_home_t)
- fs_associate_tmpfs($1_home_t)
-
- # type of home directory
- type $1_home_dir_t, home_dir_type, home_type;
- files_type($1_home_dir_t)
- files_associate_tmp($1_home_dir_t)
- fs_associate_tmpfs($1_home_dir_t)
-
- ##############################
- #
- # User home directory file rules
- #
-
- allow $1_file_type $1_home_t:filesystem associate;
-
- # Rules used to associate a homedir as a mountpoint
- allow $1_home_t self:filesystem associate;
+ ifelse(`$1',`user',`',`
+ typealias user_home_t alias $1_home_t;
+ typealias user_home_dir_t alias $1_home_dir_t;
+ ')

 ##############################
 #
@@ -262,43 +242,44 @@ # # full control of the home directory - allow $1_t $1_home_t:file entrypoint; - manage_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) - manage_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) - manage_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) - manage_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) - manage_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) - relabel_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) - relabel_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) - relabel_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) - relabel_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) - relabel_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) - filetrans_pattern($1_t,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file }) - files_list_home($1_t) + allow $1_t user_home_t:file entrypoint; + allow $1_usertype user_home_type:dir_file_class_set { relabelto relabelfrom }; + manage_dirs_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) + manage_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) + manage_lnk_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) + manage_sock_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) + manage_fifo_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) + relabel_dirs_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) + relabel_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) + relabel_lnk_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) + relabel_sock_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) + relabel_fifo_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) + filetrans_pattern($1_usertype,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file 
fifo_file }) + files_list_home($1_usertype) # cjp: this should probably be removed: - allow $1_t $1_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; + allow $1_usertype user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_t) - fs_manage_nfs_files($1_t) - fs_manage_nfs_symlinks($1_t) - fs_manage_nfs_named_sockets($1_t) - fs_manage_nfs_named_pipes($1_t) + fs_manage_nfs_dirs($1_usertype) + fs_manage_nfs_files($1_usertype) + fs_manage_nfs_symlinks($1_usertype) + fs_manage_nfs_named_sockets($1_usertype) + fs_manage_nfs_named_pipes($1_usertype) ',` - fs_dontaudit_manage_nfs_dirs($1_t) - fs_dontaudit_manage_nfs_files($1_t) + fs_dontaudit_manage_nfs_dirs($1_usertype) + fs_dontaudit_manage_nfs_files($1_usertype) ') tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($1_t) - fs_manage_cifs_files($1_t) - fs_manage_cifs_symlinks($1_t) - fs_manage_cifs_named_sockets($1_t) - fs_manage_cifs_named_pipes($1_t) + fs_manage_cifs_dirs($1_usertype) + fs_manage_cifs_files($1_usertype) + fs_manage_cifs_symlinks($1_usertype) + fs_manage_cifs_named_sockets($1_usertype) + fs_manage_cifs_named_pipes($1_usertype) ',` - fs_dontaudit_manage_cifs_dirs($1_t) - fs_dontaudit_manage_cifs_files($1_t) + fs_dontaudit_manage_cifs_dirs($1_usertype) + fs_dontaudit_manage_cifs_files($1_usertype) ') ') @@ -316,14 +297,20 @@ ## # template(`userdom_exec_home_template',` - can_exec($1_t,$1_home_t) - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1_t) + tunable_policy(`allow_$1_exec_content', ` + can_exec($1_usertype,user_home_type) + ',` + dontaudit $1_usertype user_home_type:file execute; ') - tunable_policy(`use_samba_home_dirs',` - fs_exec_cifs_files($1_t) + + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') + + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) ') ') 
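Review bot: `allow $1_usertype user_home_type:dir_file_class_set { relabelto relabelfrom };` together with the `relabel_*_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)` calls lets every domain carrying `$1_usertype` relabel home content between any two types in the `user_home_type` attribute, whereas the removed rules only relabeled to and from `$1_home_t`. Because hunk `@@ -1781,10 +1785,14 @@` now adds `user_home_type` to every type passed through `userdom_user_home_content`, any application-specific home type a module registers there becomes relabelable from the generic user domain, which weakens the separation those types exist for. If the broad relabel is deliberate, a comment such as `# $1_usertype may relabel between all user_home_type types; application home types are not isolated from the user domain` would make the trade-off explicit; otherwise narrowing the last argument of the relabel patterns back to `user_home_t` keeps the old scope. The `# cjp: this should probably be removed:` line now applies to `$1_usertype` rather than `$1_t`, so it reaches more domains than before.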
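Review bot: `tunable_policy(`allow_$1_exec_content', ...)` in `userdom_exec_home_template` references a boolean this template does not declare; it is declared as `gen_tunable(allow_$1_exec_content,true)` in hunk `@@ -889,6 +878,8 @@` inside `userdom_login_user_template`, so a caller of this template that is not reached through that one would reference an undefined tunable (the same applies to `userdom_exec_tmp_template` in hunk `@@ -396,7 +382,13 @@`). The template also uses the `user_home_type` attribute with no `gen_require` for it, unlike the neighbouring templates; that is presumably fine while the attribute is declared in the same module, but a `gen_require(` attribute user_home_type; ')` block would keep the templates consistent. The template documentation should state that the boolean defaults to true, i.e. execution from the home directory stays enabled unless an administrator turns it off.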
@@ -341,11 +328,10 @@ ## # template(`userdom_poly_home_template',` - type_member $1_t $1_home_dir_t:dir $1_home_dir_t; - files_poly($1_home_dir_t) - files_poly_parent($1_home_dir_t) - files_poly_parent($1_home_t) - files_poly_member($1_home_t) + gen_require(` + type user_home_dir_t; + ') + type_member $1_t user_home_dir_t:dir user_home_dir_t; ') ####################################### @@ -369,18 +355,18 @@ # template(`userdom_manage_tmp_template',` gen_require(` - attribute $1_file_type; + type user_tmp_t; ') - type $1_tmp_t, $1_file_type; - files_tmp_file($1_tmp_t) - - manage_dirs_pattern($1_t,$1_tmp_t,$1_tmp_t) - manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t) - manage_lnk_files_pattern($1_t,$1_tmp_t,$1_tmp_t) - manage_sock_files_pattern($1_t,$1_tmp_t,$1_tmp_t) - manage_fifo_files_pattern($1_t,$1_tmp_t,$1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file sock_file fifo_file }) + ifelse(`$1',`user',`',` + typealias user_tmp_t alias $1_tmp_t; + ') + manage_dirs_pattern($1_usertype,user_tmp_t,user_tmp_t) + manage_files_pattern($1_usertype,user_tmp_t,user_tmp_t) + manage_lnk_files_pattern($1_usertype,user_tmp_t,user_tmp_t) + manage_sock_files_pattern($1_usertype,user_tmp_t,user_tmp_t) + manage_fifo_files_pattern($1_usertype,user_tmp_t,user_tmp_t) + files_tmp_filetrans($1_usertype, user_tmp_t, { dir file lnk_file sock_file fifo_file }) ') ####################################### @@ -396,7 +382,13 @@ ## # template(`userdom_exec_tmp_template',` - exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t) + gen_require(` + type user_tmp_t; + ') + + tunable_policy(`allow_$1_exec_content', ` + exec_files_pattern($1_usertype, user_tmp_t, user_tmp_t) + ') ') ####################################### 
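Review bot: `typealias user_tmp_t alias $1_tmp_t;` folds every prefix's tmp type into `user_tmp_t`, so the `manage_*_pattern($1_usertype,user_tmp_t,user_tmp_t)` rules give each user domain full control over the /tmp content of every other prefix's user domains; the removed `type $1_tmp_t, $1_file_type;` declaration kept those separate. If intended, the summary of `userdom_manage_tmp_template` should document that all user prefixes share one tmp type, e.g. `## All user prefixes share user_tmp_t; $1_tmp_t is only an alias.` In `userdom_poly_home_template` the removed `files_poly_parent`/`files_poly_member` calls mean polyinstantiation membership for home content now has to come from somewhere else (hunk `@@ -1781,10 +1785,14 @@` adds `files_poly_member($2)` in `userdom_user_home_content`); a comment pointing there would help the next reader.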
@@ -445,12 +437,12 @@
 type $1_tmpfs_t, $1_file_type;
 files_tmpfs_file($1_tmpfs_t)

- manage_dirs_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
- manage_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
- manage_lnk_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
- manage_sock_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
- manage_fifo_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
- fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+ manage_dirs_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t)
+ manage_files_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t)
+ manage_lnk_files_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t)
+ manage_sock_files_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t)
+ manage_fifo_files_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t)
+ fs_tmpfs_filetrans($1_usertype,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 ')

 #######################################
@@ -510,10 +502,6 @@
 ##
 #
 template(`userdom_exec_generic_pgms_template',`
- gen_require(`
- type $1_t;
- ')
-
 corecmd_exec_bin($1_t)
 ')

@@ -531,27 +519,20 @@ ## # template(`userdom_basic_networking_template',` - gen_require(` - type $1_t; - ') - - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_all_if($1_t) - corenet_udp_sendrecv_all_if($1_t) - corenet_tcp_sendrecv_all_nodes($1_t) - corenet_udp_sendrecv_all_nodes($1_t) - corenet_tcp_sendrecv_all_ports($1_t) - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_all_client_packets($1_t) + allow $1_usertype self:tcp_socket create_stream_socket_perms; + allow $1_usertype self:udp_socket create_socket_perms; - optional_policy(` - ipsec_match_default_spd($1_t) - ') + corenet_all_recvfrom_unlabeled($1_usertype) + corenet_all_recvfrom_netlabel($1_usertype) + corenet_tcp_sendrecv_all_if($1_usertype) + corenet_udp_sendrecv_all_if($1_usertype) + corenet_tcp_sendrecv_all_nodes($1_usertype) + corenet_udp_sendrecv_all_nodes($1_usertype) + corenet_tcp_sendrecv_all_ports($1_usertype) + corenet_udp_sendrecv_all_ports($1_usertype) + corenet_tcp_connect_all_ports($1_usertype) + corenet_sendrecv_all_client_packets($1_usertype) ') ####################################### 
@@ -568,30 +549,29 @@ # template(`userdom_xwindows_client_template',` gen_require(` - type $1_t, $1_tmpfs_t; + type $1_tmpfs_t; ') - dev_rw_xserver_misc($1_t) - dev_rw_power_management($1_t) - dev_read_input($1_t) - dev_read_misc($1_t) - dev_write_misc($1_t) + dev_rw_xserver_misc($1_usertype) + dev_rw_power_management($1_usertype) + dev_read_input($1_usertype) + dev_read_misc($1_usertype) + dev_write_misc($1_usertype) # open office is looking for the following - dev_getattr_agp_dev($1_t) - dev_dontaudit_rw_dri($1_t) + dev_getattr_agp_dev($1_usertype) + dev_dontaudit_rw_dri($1_usertype) # GNOME checks for usb and other devices: - dev_rw_usbfs($1_t) - - xserver_user_client_template($1,$1_t,$1_tmpfs_t) - xserver_xsession_entry_type($1_t) - xserver_dontaudit_write_log($1_t) - xserver_stream_connect_xdm($1_t) + dev_rw_usbfs($1_usertype) + xserver_user_client_template($1,$1_usertype,$1_tmpfs_t) + xserver_xsession_entry_type($1_usertype) + xserver_dontaudit_write_log($1_usertype) + xserver_stream_connect_xdm($1_usertype) # certain apps want to read xdm.pid file - xserver_read_xdm_pid($1_t) + xserver_read_xdm_pid($1_usertype) # gnome-session creates socket under /tmp/.ICE-unix/ - xserver_create_xdm_tmp_sockets($1_t) + xserver_create_xdm_tmp_sockets($1_usertype) # Needed for escd, remove if we get escd policy - xserver_manage_xdm_tmp_files($1_t) + xserver_manage_xdm_tmp_files($1_usertype) ') ####################################### 
@@ -686,183 +666,192 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; - allow $1_t unpriv_userdomain:fd use; + allow $1_usertype unpriv_userdomain:fd use; - kernel_read_system_state($1_t) - kernel_read_network_state($1_t) - kernel_read_net_sysctls($1_t) + kernel_read_system_state($1_usertype) + kernel_read_network_state($1_usertype) + kernel_read_net_sysctls($1_usertype) # Very permissive allowing every domain to see every type: - kernel_get_sysvipc_info($1_t) + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) + kernel_read_device_sysctls($1_usertype) - corenet_udp_bind_all_nodes($1_t) - corenet_udp_bind_generic_port($1_t) + corenet_udp_bind_all_nodes($1_usertype) + corenet_udp_bind_generic_port($1_usertype) - dev_read_rand($1_t) - dev_write_sound($1_t) - dev_read_sound($1_t) - dev_read_sound_mixer($1_t) - dev_write_sound_mixer($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) + files_search_locks($1_usertype) # Check to see if cdrom is mounted - files_search_mnt($1_t) + files_search_mnt($1_usertype) # cjp: perhaps should cut back on file reads: - files_read_var_files($1_t) - files_read_var_symlinks($1_t) - files_read_generic_spool($1_t) - files_read_var_lib_files($1_t) + files_read_var_files($1_usertype) + files_read_var_symlinks($1_usertype) + files_read_generic_spool($1_usertype) + files_read_var_lib_files($1_usertype) # Stat lost+found. 
- files_getattr_lost_found_dirs($1_t) + files_getattr_lost_found_dirs($1_usertype) + + tunable_policy(`user_rw_noexattrfile',` + fs_manage_noxattr_fs_files($1_usertype) + fs_manage_noxattr_fs_dirs($1_usertype) + ',` + fs_read_noxattr_fs_files($1_usertype) + ') + + logging_send_syslog_msg($1_usertype) + logging_dontaudit_send_audit_msgs($1_usertype) + # Need to to this just so screensaver will work. Should be moved to screensaver domain + logging_send_audit_msgs($1_usertype) + selinux_get_enforce_mode($1_usertype) # cjp: some of this probably can be removed - selinux_get_fs_mount($1_t) - selinux_validate_context($1_t) - selinux_compute_access_vector($1_t) - selinux_compute_create_context($1_t) - selinux_compute_relabel_context($1_t) - selinux_compute_user_contexts($1_t) + selinux_get_fs_mount($1_usertype) + selinux_validate_context($1_usertype) + selinux_compute_access_vector($1_usertype) + selinux_compute_create_context($1_usertype) + selinux_compute_relabel_context($1_usertype) + selinux_compute_user_contexts($1_usertype) # for eject - storage_getattr_fixed_disk_dev($1_t) + storage_getattr_fixed_disk_dev($1_usertype) - auth_use_nsswitch($1_t) - auth_read_login_records($1_t) - auth_search_pam_console_data($1_t) + auth_read_login_records($1_usertype) + auth_search_pam_console_data($1_usertype) auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + authlogin_per_role_template($1, $1_t, $1_r) - init_read_utmp($1_t) + init_read_utmp($1_usertype) - seutil_read_file_contexts($1_t) - seutil_read_default_contexts($1_t) + seutil_read_file_contexts($1_usertype) + seutil_read_default_contexts($1_usertype) seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) seutil_exec_checkpolicy($1_t) - seutil_exec_setfiles($1_t) + seutil_exec_setfiles($1_usertype) # for when the network connection is killed # this is needed when a login role can change # to this one. 
seutil_dontaudit_signal_newrole($1_t) tunable_policy(`read_default_t',` - files_list_default($1_t) - files_read_default_files($1_t) - files_read_default_symlinks($1_t) - files_read_default_sockets($1_t) - files_read_default_pipes($1_t) + files_list_default($1_usertype) + files_read_default_files($1_usertype) + files_read_default_symlinks($1_usertype) + files_read_default_sockets($1_usertype) + files_read_default_pipes($1_usertype) ') tunable_policy(`user_direct_mouse',` - dev_read_mouse($1_t) - ') - - tunable_policy(`user_ttyfile_stat',` - term_getattr_all_user_ttys($1_t) + dev_read_mouse($1_usertype) ') optional_policy(` - alsa_read_rw_config($1_t) + alsa_read_rw_config($1_usertype) ') optional_policy(` # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) + apm_stream_connect($1_usertype) ') optional_policy(` - canna_stream_connect($1_t) + canna_stream_connect($1_usertype) ') optional_policy(` - dbus_system_bus_client_template($1,$1_t) + dbus_system_bus_client_template($1,$1_usertype) optional_policy(` - bluetooth_dbus_chat($1_t) + bluetooth_dbus_chat($1_usertype) ') optional_policy(` - evolution_dbus_chat($1,$1_t) - evolution_alarm_dbus_chat($1,$1_t) + consolekit_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) + evolution_dbus_chat($1,$1_usertype) + evolution_alarm_dbus_chat($1,$1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) + networkmanager_dbus_chat($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) + vpnc_dbus_chat($1_usertype) ') ') optional_policy(` - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) + inetd_use_fds($1_usertype) + inetd_rw_tcp_sockets($1_usertype) ') optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) + inn_read_config($1_usertype) + inn_read_news_lib($1_usertype) + inn_read_news_spool($1_usertype) ') optional_policy(` - locate_read_lib_files($1_t) + locate_read_lib_files($1_usertype) ') # for running depmod as part of the 
kernel packaging process optional_policy(` - modutils_read_module_config($1_t) + modutils_read_module_config($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) + mta_rw_spool($1_usertype) ') - optional_policy(` - tunable_policy(`allow_user_mysql_connect',` - mysql_stream_connect($1_t) - ') + alsa_read_rw_config($1_usertype) ') - optional_policy(` - # to allow monitoring of pcmcia status - pcmcia_read_pid($1_t) + optional_policy(` + tunable_policy(`allow_user_postgresql_connect',` + postgresql_stream_connect($1_usertype) + ') + ') + + tunable_policy(`user_ttyfile_stat',` + term_getattr_all_user_ttys($1_usertype) ') optional_policy(` - pcscd_read_pub_files($1_t) - pcscd_stream_connect($1_t) + # to allow monitoring of pcmcia status + pcmcia_read_pid($1_usertype) ') optional_policy(` - tunable_policy(`allow_user_postgresql_connect',` - postgresql_stream_connect($1_t) - postgresql_tcp_connect($1_t) - ') + pcscd_read_pub_files($1_usertype) + pcscd_stream_connect($1_usertype) ') optional_policy(` - resmgr_stream_connect($1_t) + resmgr_stream_connect($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) + rpc_dontaudit_getattr_exports($1_usertype) + rpc_manage_nfs_rw_content($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) + samba_stream_connect_winbind($1_usertype) ') optional_policy(` - slrnpull_search_spool($1_t) + slrnpull_search_spool($1_usertype) ') optional_policy(` @@ -889,6 +878,8 @@ ## # template(`userdom_login_user_template', ` + gen_tunable(allow_$1_exec_content,true) + userdom_base_user_template($1) userdom_manage_home_template($1) 
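Review bot: On the new side, `+ alsa_read_rw_config($1_usertype)` is followed by a context `')` whose opener is gone: the `optional_policy(` that preceded the removed `tunable_policy(`allow_user_mysql_connect', ...)` block is deleted with it, so as rendered the quotes in this region no longer balance, and `alsa_read_rw_config($1_usertype)` is already called inside its own `optional_policy(`...')` earlier in this same hunk. Either restore the `optional_policy(` line above the alsa call or drop the duplicate call together with its `')`; the collapsed rendering hides indentation, so confirm against the actual file. Separately, `logging_send_audit_msgs($1_usertype)` is now given to every `$1_usertype` domain with the comment that it is only needed so the screensaver works; since the comment already says it should move to the screensaver domain, it should carry a tracking reference, e.g. `# TODO(<bug-id placeholder>): move logging_send_audit_msgs to the screensaver domain`, so the widening does not outlive its reason.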
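Review bot: `gen_tunable(allow_$1_exec_content,true)` is added without the `## <desc>` comment block that refpolicy's tunable documentation tooling reads, so the boolean will have no description in the generated documentation, unlike the other tunables this file presumably documents that way. Suggested block above it: a `## <desc>` / `## <p>` entry saying `Allow $1 users to execute files in their home directory and in tmp.` The default of true means the new conditionals in `userdom_exec_home_template` and `userdom_exec_tmp_template` change nothing until an administrator toggles the boolean, which is worth stating in that description.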
@@ -917,26 +908,26 @@ allow $1_t self:context contains; - kernel_dontaudit_read_system_state($1_t) + kernel_dontaudit_read_system_state($1_usertype) - dev_read_sysfs($1_t) - dev_read_urand($1_t) + dev_read_sysfs($1_usertype) + dev_read_urand($1_usertype) - domain_use_interactive_fds($1_t) + domain_use_interactive_fds($1_usertype) # Command completion can fire hundreds of denials - domain_dontaudit_exec_all_entry_files($1_t) + domain_dontaudit_exec_all_entry_files($1_usertype) - files_dontaudit_list_default($1_t) - files_dontaudit_read_default_files($1_t) # Stat lost+found. - files_getattr_lost_found_dirs($1_t) + files_getattr_lost_found_dirs($1_usertype) - fs_get_all_fs_quotas($1_t) - fs_getattr_all_fs($1_t) - fs_getattr_all_dirs($1_t) - fs_search_auto_mountpoints($1_t) - fs_list_inotifyfs($1_t) - fs_rw_anon_inodefs_files($1_t) + files_dontaudit_list_default($1_usertype) + files_dontaudit_read_default_files($1_usertype) + + fs_get_all_fs_quotas($1_usertype) + fs_getattr_all_fs($1_usertype) + fs_search_all($1_usertype) + fs_list_inotifyfs($1_usertype) + fs_rw_anon_inodefs_files($1_usertype) auth_dontaudit_write_login_records($1_t) 
@@ -944,43 +935,43 @@ # The library functions always try to open read-write first, # then fall back to read-only if it fails. - init_dontaudit_rw_utmp($1_t) + init_dontaudit_rw_utmp($1_usertype) # Stop warnings about access to /dev/console - init_dontaudit_use_fds($1_t) - init_dontaudit_use_script_fds($1_t) + init_dontaudit_use_fds($1_usertype) + init_dontaudit_use_script_fds($1_usertype) - libs_exec_lib_files($1_t) + libs_exec_lib_files($1_usertype) - logging_dontaudit_getattr_all_logs($1_t) + logging_dontaudit_getattr_all_logs($1_usertype) - miscfiles_read_man_pages($1_t) + miscfiles_read_man_pages($1_usertype) # for running TeX programs - miscfiles_read_tetex_data($1_t) - miscfiles_exec_tetex_data($1_t) - - seutil_read_config($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) + seutil_read_config($1_usertype) optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) + cups_stream_connect_ptal($1_usertype) ') optional_policy(` - kerberos_use($1_t) + kerberos_use($1_usertype) + kerberos_524_connect($1_usertype) ') optional_policy(` - mta_dontaudit_read_spool_symlinks($1_t) + mta_dontaudit_read_spool_symlinks($1_usertype) ') optional_policy(` - quota_dontaudit_getattr_db($1_t) + quota_dontaudit_getattr_db($1_usertype) ') optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) + rpm_read_db($1_usertype) + rpm_dontaudit_manage_db($1_usertype) ') ') @@ -1014,9 +1005,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; - typeattribute $1_home_dir_t user_home_dir_type; - typeattribute $1_home_t user_home_type; - typeattribute $1_tmp_t user_tmpfile; typeattribute $1_tty_device_t user_ttynode; ############################## 
@@ -1025,16 +1013,29 @@ # # privileged home directory writers - manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) - manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) - manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) - manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) - manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) - filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file }) + manage_dirs_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) + manage_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) + manage_lnk_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) + manage_sock_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) + manage_fifo_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) + filetrans_pattern(privhome,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file }) + + optional_policy(` + dbus_per_role_template($1, $1_usertype, $1_r) + dbus_system_bus_client_template($1, $1_usertype) + + optional_policy(` + consolekit_dbus_chat($1_usertype) + ') + optional_policy(` + cups_dbus_chat($1_usertype) + ') + ') optional_policy(` loadkeys_run($1_t,$1_r,$1_tty_device_t) ') + ') ####################################### @@ -1062,6 +1063,13 @@ userdom_restricted_user_template($1) + # Should be optional but policy will not build because of compiler problems + # Must be before xwindows calls + #optional_policy(` + gnome_per_role_template($1, $1_usertype, $1_r) + gnome_exec_gconf($1_t) + #') + userdom_xwindows_client_template($1) ############################## 
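Review bot: The last added `')` after the `optional_policy(` loadkeys_run(...) `')` block has no matching opener among the visible lines: the new dbus `optional_policy(` block closes itself at its own `+ ')` before the loadkeys block, so as rendered this hunk adds one more closing quote than it opens. If the template's closing `')` is already present as context, the extra line would break the policy build; confirm the quote balance against the file, since the collapsed rendering may hide a re-indented line. The dbus calls (`dbus_per_role_template($1, $1_usertype, $1_r)` and `dbus_system_bus_client_template($1, $1_usertype)`) are placed under the `# privileged home directory writers` heading, which no longer describes them; a separate heading such as `# dbus access for the user domains` would keep the section comments accurate.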
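Review bot: The commented-out `#optional_policy(` around `gnome_per_role_template($1, $1_usertype, $1_r)` and `gnome_exec_gconf($1_t)` turns the gnome module into a hard build-time dependency of every restricted X user, which the comment `# Should be optional but policy will not build because of compiler problems` explains but does not track. Suggest recording the reference in the comment, e.g. `# TODO(<bug-id placeholder>): restore optional_policy() once the compiler problem is fixed`, so the workaround does not outlive the problem. `gnome_exec_gconf` is granted to `$1_t` while the per-role template receives `$1_usertype`; if that asymmetry is intended it deserves a one-line note, otherwise the two should agree.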
@@ -1070,14 +1078,14 @@ # authlogin_per_role_template($1, $1_t, $1_r) - auth_search_pam_console_data($1_t) + auth_search_pam_console_data($1_usertype) - dev_read_sound($1_t) - dev_write_sound($1_t) + dev_read_sound($1_usertype) + dev_write_sound($1_usertype) # gnome keyring wants to read this. - dev_dontaudit_read_rand($1_t) + dev_dontaudit_read_rand($1_usertype) - logging_send_syslog_msg($1_t) + logging_send_syslog_msg($1_usertype) logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain @@ -1085,32 +1093,21 @@ selinux_get_enforce_mode($1_t) optional_policy(` - alsa_read_rw_config($1_t) - ') - - optional_policy(` - dbus_per_role_template($1, $1_t, $1_r) - dbus_system_bus_client_template($1, $1_t) - - optional_policy(` - consolekit_dbus_chat($1_t) - ') - - optional_policy(` - cups_dbus_chat($1_t) - ') + alsa_read_rw_config($1_usertype) ') - optional_policy(` - java_per_role_template($1, $1_t, $1_r) - ') + # Broken Cover up bugzilla #345921 Should be removed when this is fixed + corenet_tcp_connect_soundd_port($1_t) + corenet_tcp_sendrecv_soundd_port($1_t) + corenet_tcp_sendrecv_all_if($1_t) + corenet_tcp_sendrecv_lo_node($1_t) optional_policy(` - mono_per_role_template($1, $1_t, $1_r) + nsplugin_per_role_template($1, $1_usertype, $1_r) ') optional_policy(` - setroubleshoot_dontaudit_stream_connect($1_t) + polkit_per_role_template($1, $1_usertype, $1_r) ') ') @@ -1121,10 +1118,10 @@ ##
## ##

-## The template for creating a unprivileged user roughly -## equivalent to a regular linux user. -##

-##

+## The template for creating a unprivileged user roughly +## equivalent to a regular linux user. +##

+##

## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. @@ -1187,12 +1184,11 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) - corenet_tcp_bind_generic_port($1_t) + corenet_tcp_bind_all_unreserved_ports($1_t) ') optional_policy(` - netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) - netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + hal_dbus_chat($1_t) ') # Run pppd in pppd_t by default for user @@ -1201,7 +1197,23 @@ ') optional_policy(` - setroubleshoot_stream_connect($1_t) + nsplugin_per_role_template($1, $1_usertype, $1_r) + ') + + optional_policy(` + polkit_per_role_template($1, $1_usertype, $1_r) + ') + + optional_policy(` + java_per_role_template($1, $1_t, $1_r) + ') + + optional_policy(` + mono_per_role_template($1, $1_t, $1_r) + ') + + optional_policy(` + gpg_per_role_template($1, $1_usertype, $1_r) ') ') @@ -1278,8 +1290,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; - allow $1_t self:netlink_audit_socket nlmsg_readpriv; - kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) @@ -1357,13 +1367,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) - tunable_policy(`user_rw_noexattrfile',` - fs_manage_noxattr_fs_files($1_t) - fs_manage_noxattr_fs_dirs($1_t) - ',` - fs_read_noxattr_fs_files($1_t) - ') - optional_policy(` userhelper_exec($1_t) ') @@ -1416,6 +1419,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) + files_create_default_dir($1) # Necessary for managing /boot/efi fs_manage_dos_files($1) 
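Review bot: `corenet_tcp_bind_all_unreserved_ports($1_t)` replaces `corenet_tcp_bind_generic_port($1_t)` under `user_tcp_server`, so enabling that boolean now lets the user domain bind any unreserved TCP port rather than only ports labelled with the generic port type; the boolean's description (outside this hunk) should be updated to say so. In the same region the `optional_policy(` that previously held `netutils_run_ping_cond` and `netutils_run_traceroute_cond` now holds `hal_dbus_chat($1_t)`; a one-line comment on why ping and traceroute were dropped for unprivileged users would help the next reader, since the removal is otherwise silent. The enclosing template starts before this hunk.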
@@ -1781,10 +1785,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; + attribute user_home_type; + attribute home_type; ') typeattribute $2 $1_file_type; - files_type($2) + typeattribute $2 user_home_type; + typeattribute $2 home_type; + files_poly_member($2) ') ######################################## @@ -1880,11 +1888,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` - type $1_home_dir_t; + type user_home_dir_t; ') files_search_home($2) - allow $2 $1_home_dir_t:dir search_dir_perms; + allow $2 user_home_dir_t:dir search_dir_perms; ') ######################################## @@ -1914,11 +1922,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` - type $1_home_dir_t; + type user_home_dir_t; ') files_search_home($2) - allow $2 $1_home_dir_t:dir list_dir_perms; + allow $2 user_home_dir_t:dir list_dir_perms; ') ######################################## @@ -1962,12 +1970,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` - type $1_home_dir_t, $1_home_t; + type user_home_dir_t, user_home_t; ') files_search_home($2) - allow $2 $1_home_dir_t:dir search_dir_perms; - domain_auto_trans($2,$1_home_t,$3) + allow $2 user_home_dir_t:dir search_dir_perms; + domain_auto_trans($2,user_home_t,$3) ') ######################################## @@ -1997,10 +2005,10 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` - type $1_home_dir_t; + type user_home_dir_t; ') - dontaudit $2 $1_home_dir_t:dir list_dir_perms; + dontaudit $2 user_home_dir_t:dir list_dir_perms; ') ######################################## @@ -2032,11 +2040,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` - type $1_home_dir_t, $1_home_t; + type user_home_dir_t, user_home_t; + attribute user_home_type; ') files_search_home($2) - manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) + manage_dirs_pattern($2,{ user_home_dir_t user_home_type },user_home_t) +') + +######################################## +##
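Review bot: `files_type($2)` is removed from `userdom_user_home_content` and replaced with `typeattribute $2 user_home_type;`, `typeattribute $2 home_type;` and `files_poly_member($2)`; unless `home_type` or `user_home_type` already carries the `file_type` attribute in the .te file (not visible here), types registered through this template lose `file_type` membership and drop out of the interfaces and relabel rules keyed on it — confirm before merging. As this template is what modules use to mark their own home-content types, its summary should state that the type becomes a member of `user_home_type` and therefore inherits every rule written against that attribute, including the relabel rules added in hunk `@@ -262,43 +242,44 @@`.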

+## dontaudit attemps to Create files +## in a user home subdirectory. +## +## +##

+## Create, read, write, and delete directories +## in a user home subdirectory. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`userdom_dontaudit_create_user_home_content_files',` + gen_require(` + type user_home_dir_t; + ') + + dontaudit $2 user_home_dir_t:file create; ') ######################################## @@ -2068,10 +2112,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` - type $1_home_dir_t, $1_home_t; + type user_home_dir_t, user_home_t; ') - dontaudit $2 $1_home_t:file setattr; + dontaudit $2 user_home_t:file setattr; ') ######################################## @@ -2101,11 +2145,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` - type $1_home_dir_t, $1_home_t; + type user_home_dir_t, user_home_t; ') files_search_home($2) - read_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) + read_files_pattern($2,{ user_home_dir_t user_home_t },user_home_t) ') ######################################## @@ -2135,11 +2179,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` - type $1_home_t; + type user_home_t; ') - dontaudit $2 $1_home_t:dir list_dir_perms; - dontaudit $2 $1_home_t:file read_file_perms; + dontaudit $2 user_home_t:dir list_dir_perms; + dontaudit $2 user_home_t:file read_file_perms; ') ######################################## @@ -2169,10 +2213,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` - type $1_home_t; + type user_home_t; ') - dontaudit $2 $1_home_t:file write; + dontaudit $2 user_home_t:file write; + fs_dontaudit_list_nfs($2) + fs_dontaudit_rw_nfs_files($2) + fs_dontaudit_list_cifs($2) + fs_dontaudit_rw_cifs_files($2) ') ######################################## 
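Review bot: The new template `userdom_dontaudit_create_user_home_content_files` has a summary (`dontaudit attemps to Create files in a user home subdirectory`) that does not match its description (`Create, read, write, and delete directories in a user home subdirectory.`), which was copied from `userdom_manage_user_home_content_dirs`; the body `dontaudit $2 user_home_dir_t:file create;` also targets the home directory itself (`user_home_dir_t`), not a subdirectory. Suggested wording: summary `## Do not audit attempts to create files in a user home directory.`, description `## Do not audit attempts to create files directly in a user home directory (user_home_dir_t).` In the preceding hunk, `userdom_manage_user_home_content_dirs` now uses `{ user_home_dir_t user_home_type }` as the container while the default type stays `user_home_t`, which widens the interface to managing directories under every `user_home_type` type; its summary should mention that.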
@@ -2202,11 +2250,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` - type $1_home_dir_t, $1_home_t; + type user_home_dir_t, user_home_t; ') files_search_home($2) - read_lnk_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) + read_lnk_files_pattern($2,{ user_home_dir_t user_home_t },user_home_t) ') ######################################## @@ -2236,11 +2284,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` - type $1_home_dir_t, $1_home_t; + type user_home_dir_t, user_home_t; ') files_search_home($2) - exec_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) + exec_files_pattern($2,{ user_home_dir_t user_home_t },user_home_t) ') ######################################## @@ -2270,10 +2318,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` - type $1_home_t; + type user_home_t; ') - dontaudit $2 $1_home_t:file execute; + dontaudit $2 user_home_t:file execute; ') ######################################## @@ -2305,12 +2353,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` - type $1_home_dir_t, $1_home_t; + type user_home_dir_t, user_home_t; ') files_search_home($2) - allow $2 $1_home_dir_t:dir search_dir_perms; - manage_files_pattern($2,$1_home_t,$1_home_t) + allow $2 user_home_dir_t:dir search_dir_perms; + manage_files_pattern($2,user_home_t,user_home_t) ') ######################################## @@ -2342,10 +2390,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` - type $1_home_dir_t, $1_home_t; + type user_home_dir_t, user_home_t; ') - dontaudit $2 $1_home_t:dir manage_dir_perms; + dontaudit $2 user_home_t:dir manage_dir_perms; ') ######################################## 
@@ -2377,12 +2425,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` - type $1_home_dir_t, $1_home_t; + type user_home_dir_t, user_home_t; ') files_search_home($2) - allow $2 $1_home_dir_t:dir search_dir_perms; - manage_lnk_files_pattern($2,$1_home_t,$1_home_t) + allow $2 user_home_dir_t:dir search_dir_perms; + manage_lnk_files_pattern($2,user_home_t,user_home_t) ') ######################################## @@ -2414,12 +2462,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` - type $1_home_dir_t, $1_home_t; + type user_home_dir_t, user_home_t; ') files_search_home($2) - allow $2 $1_home_dir_t:dir search_dir_perms; - manage_fifo_files_pattern($2,$1_home_t,$1_home_t) + allow $2 user_home_dir_t:dir search_dir_perms; + manage_fifo_files_pattern($2,user_home_t,user_home_t) ') ######################################## @@ -2451,12 +2499,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` - type $1_home_dir_t, $1_home_t; + type user_home_dir_t, user_home_t; ') files_search_home($2) - allow $2 $1_home_dir_t:dir search_dir_perms; - manage_sock_files_pattern($2,$1_home_t,$1_home_t) + allow $2 user_home_dir_t:dir search_dir_perms; + manage_sock_files_pattern($2,user_home_t,user_home_t) ') ######################################## @@ -2501,11 +2549,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` - type $1_home_dir_t; + type user_home_dir_t; ') files_search_home($2) - filetrans_pattern($2,$1_home_dir_t,$3,$4) + filetrans_pattern($2,user_home_dir_t,$3,$4) ') ######################################## @@ -2550,11 +2598,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` - type $1_home_t; + type user_home_t; ') files_search_home($2) - filetrans_pattern($2,$1_home_t,$3,$4) + filetrans_pattern($2,user_home_t,$3,$4) ') ######################################## 
@@ -2594,11 +2642,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` - type $1_home_dir_t, $1_home_t; + type user_home_dir_t, user_home_t; ') files_search_home($2) - filetrans_pattern($2,$1_home_dir_t,$1_home_t,$3) + filetrans_pattern($2,user_home_dir_t,user_home_t,$3) ') ######################################## @@ -2628,11 +2676,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` - type $1_tmp_t; + type user_tmp_t; ') files_search_tmp($2) - allow $2 $1_tmp_t:sock_file write; + write_sock_files_pattern($2, user_tmp_t, user_tmp_t) ') ######################################## @@ -2662,11 +2710,11 @@ # template(`userdom_list_user_tmp',` gen_require(` - type $1_tmp_t; + type user_tmp_t; ') files_search_tmp($2) - allow $2 $1_tmp_t:dir list_dir_perms; + allow $2 user_tmp_t:dir list_dir_perms; ') ######################################## @@ -2698,10 +2746,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` - type $1_tmp_t; + type user_tmp_t; ') - dontaudit $2 $1_tmp_t:dir list_dir_perms; + dontaudit $2 user_tmp_t:dir list_dir_perms; ') ######################################## @@ -2733,10 +2781,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` - type $1_tmp_t; + type user_tmp_t; ') - dontaudit $2 $1_tmp_t:dir manage_dir_perms; + dontaudit $2 user_tmp_t:dir manage_dir_perms; ') ######################################## @@ -2766,12 +2814,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` - type $1_tmp_t; + type user_tmp_t; ') files_search_tmp($2) - allow $2 $1_tmp_t:dir list_dir_perms; - read_files_pattern($2,$1_tmp_t,$1_tmp_t) + allow $2 user_tmp_t:dir list_dir_perms; + read_files_pattern($2,user_tmp_t,user_tmp_t) ') ######################################## 
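Review bot: In `userdom_write_user_tmp_sockets` the replacement of `allow $2 $1_tmp_t:sock_file write;` with `write_sock_files_pattern($2, user_tmp_t, user_tmp_t)` is not the mechanical type rename that the neighbouring hunks perform: a `*_pattern` macro presumably also grants directory search on `user_tmp_t` and whatever sock_file permission set the pattern carries, which may be wider than the single `write` permission it replaces. If the broadening is intended, a one-line comment above the call, e.g. `# pattern macro also grants dir search on user_tmp_t`, would stop it being read as a plain rename; if not, `allow $2 user_tmp_t:sock_file write;` keeps the old scope. The `files_search_tmp($2)` line kept above it may now be redundant with the pattern's own directory search.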
@@ -2803,10 +2851,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` - type $1_tmp_t; + type user_tmp_t; ') - dontaudit $2 $1_tmp_t:file read_file_perms; + dontaudit $2 user_tmp_t:file read_file_perms; ') ######################################## @@ -2838,10 +2886,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` - type $1_tmp_t; + type user_tmp_t; + ') + + dontaudit $2 user_tmp_t:file append; +') + +######################################## +## +## unlink all unprivileged users files in /tmp +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_unlink_unpriv_users_tmp_files',` + gen_require(` + attribute user_tmpfile; + ') + + files_delete_tmp_dir_entry($1) + allow $1 user_tmpfile:file unlink; +') + +######################################## +## +## Connect to unpriviledged users over an unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_unpriv_users_stream_connect',` + gen_require(` + attribute user_tmpfile; + attribute userdomain; ') - dontaudit $2 $1_tmp_t:file append; + stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain) ') ######################################## @@ -2871,12 +2957,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` - type $1_tmp_t; + type user_tmp_t; ') files_search_tmp($2) - allow $2 $1_tmp_t:dir list_dir_perms; - rw_files_pattern($2,$1_tmp_t,$1_tmp_t) + allow $2 user_tmp_t:dir list_dir_perms; + rw_files_pattern($2,user_tmp_t,user_tmp_t) ') ######################################## @@ -2908,10 +2994,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` - type $1_tmp_t; + type user_tmp_t; ') - dontaudit $2 $1_tmp_t:file manage_file_perms; + dontaudit $2 user_tmp_t:file manage_file_perms; ') ######################################## 
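Review bot: `userdom_unpriv_users_stream_connect` is documented as connecting to unprivileged users, but its `stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain)` names the `userdomain` attribute as the peer, and the `userdom_unpriv_usertype` template later in this diff assigns both `unpriv_userdomain` and `userdomain`, so `userdomain` appears to cover privileged user domains as well. If only unprivileged peers are meant, `unpriv_userdomain` (declared in userdomain.te in this same diff) is the matching attribute; otherwise the summary should say "all users". The summary also misspells the word: `## Connect to unprivileged users over a unix stream socket.`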
@@ -2943,12 +3029,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` - type $1_tmp_t; + type user_tmp_t; ') files_search_tmp($2) - allow $2 $1_tmp_t:dir list_dir_perms; - read_lnk_files_pattern($2,$1_tmp_t,$1_tmp_t) + allow $2 user_tmp_t:dir list_dir_perms; + read_lnk_files_pattern($2,user_tmp_t,user_tmp_t) ') ######################################## @@ -2980,11 +3066,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` - type $1_tmp_t; + type user_tmp_t; ') files_search_tmp($2) - manage_dirs_pattern($2,$1_tmp_t,$1_tmp_t) + manage_dirs_pattern($2,user_tmp_t,user_tmp_t) ') ######################################## @@ -3016,11 +3102,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` - type $1_tmp_t; + type user_tmp_t; ') files_search_tmp($2) - manage_files_pattern($2,$1_tmp_t,$1_tmp_t) + manage_files_pattern($2,user_tmp_t,user_tmp_t) ') ######################################## @@ -3052,11 +3138,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` - type $1_tmp_t; + type user_tmp_t; ') files_search_tmp($2) - manage_lnk_files_pattern($2,$1_tmp_t,$1_tmp_t) + manage_lnk_files_pattern($2,user_tmp_t,user_tmp_t) ') ######################################## @@ -3088,11 +3174,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` - type $1_tmp_t; + type user_tmp_t; ') files_search_tmp($2) - manage_fifo_files_pattern($2,$1_tmp_t,$1_tmp_t) + manage_fifo_files_pattern($2,user_tmp_t,user_tmp_t) ') ######################################## @@ -3124,11 +3210,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` - type $1_tmp_t; + type user_tmp_t; ') files_search_tmp($2) - manage_sock_files_pattern($2,$1_tmp_t,$1_tmp_t) + manage_sock_files_pattern($2,user_tmp_t,user_tmp_t) ') ######################################## 
@@ -3173,10 +3259,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` - type $1_tmp_t; + type user_tmp_t; ') - filetrans_pattern($2,$1_tmp_t,$3,$4) + filetrans_pattern($2,user_tmp_t,$3,$4) files_search_tmp($2) ') @@ -3217,10 +3303,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` - type $1_tmp_t; + type user_tmp_t; ') - files_tmp_filetrans($2,$1_tmp_t,$3) + files_tmp_filetrans($2,user_tmp_t,$3) ') ######################################## @@ -3248,6 +3334,42 @@ ##
## # +template(`userdom_read_user_tmpfs_files',` + gen_require(` + type $1_tmpfs_t; + ') + + fs_search_tmpfs($2) + allow $2 $1_tmpfs_t:dir list_dir_perms; + read_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) + read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) +') + +######################################## +## +## Read/write user tmpfs files. +## +## +##

+## Read/write user tmpfs files. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# template(`userdom_rw_user_tmpfs_files',` gen_require(` type $1_tmpfs_t; @@ -4225,11 +4347,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` - type staff_home_dir_t; + type user_home_dir_t; ') files_search_home($1) - allow $1 staff_home_dir_t:dir search_dir_perms; + allow $1 user_home_dir_t:dir search_dir_perms; ') ######################################## @@ -4245,10 +4367,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` - type staff_home_dir_t; + type user_home_dir_t; ') - dontaudit $1 staff_home_dir_t:dir search_dir_perms; + dontaudit $1 user_home_dir_t:dir search_dir_perms; ') ######################################## @@ -4264,11 +4386,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` - type staff_home_dir_t; + type user_home_dir_t; ') files_search_home($1) - allow $1 staff_home_dir_t:dir manage_dir_perms; + allow $1 user_home_dir_t:dir manage_dir_perms; ') ######################################## @@ -4283,16 +4405,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` - type staff_home_dir_t; + type user_home_dir_t; ') files_search_home($1) - allow $1 staff_home_dir_t:dir relabelto; + allow $1 user_home_dir_t:dir relabelto; ') ######################################## ## -## Do not audit attempts to append to the staff +## Do not audit attempts to append to the ## users home directory. ## ## @@ -4301,18 +4423,33 @@ ##
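Review bot: The new `userdom_read_user_tmpfs_files` template is inserted directly after the pre-existing doc block whose summary is "Read/write user tmpfs files", and the block re-added at the end of the hunk in front of `userdom_rw_user_tmpfs_files` is a copy of that same text, so the read-only template ends up documented as read/write. The block that precedes the new template should get its own summary, `## Read user tmpfs files.`, with the rest of its description adjusted to match. Unlike the rest of this change the template still uses the per-prefix `$1_tmpfs_t`, which is consistent with `userdom_rw_user_tmpfs_files` below it but worth a note if tmpfs is meant to stay per-user. The doc block that opens the hunk starts outside it.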
## # -interface(`userdom_dontaudit_append_staff_home_content_files',` +interface(`userdom_dontaudit_append_unpriv_home_content_files',` gen_require(` - type staff_home_t; + type user_home_t; ') - dontaudit $1 staff_home_t:file append; + dontaudit $1 user_home_t:file append_file_perms; ') ######################################## ## -## Read files in the staff users home directory. -## +## Do not audit attempts to append to the staff +## users home directory. +##
+## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_append_staff_home_content_files',` + userdom_dontaudit_append_unpriv_home_content_files($1) +') + +######################################## +## +## Read files in the staff users home directory. +## ## ## ## Domain allowed access. @@ -4321,13 +4458,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` - type staff_home_dir_t, staff_home_t; + type user_home_dir_t, user_home_t; ') files_search_home($1) - allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms; - read_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t) - read_lnk_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t) + allow $1 { user_home_dir_t user_home_t }:dir list_dir_perms; + read_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) + read_lnk_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) ') ######################################## @@ -4525,10 +4662,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` - type sysadm_home_dir_t; + type admin_home_t; ') - allow $1 sysadm_home_dir_t:dir getattr; + allow $1 admin_home_t:dir getattr; ') ######################################## @@ -4545,10 +4682,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` - type sysadm_home_dir_t; + type admin_home_t; ') - dontaudit $1 sysadm_home_dir_t:dir getattr; + dontaudit $1 admin_home_t:dir getattr; ') ######################################## @@ -4563,10 +4700,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` - type sysadm_home_dir_t; + type admin_home_t; ') - allow $1 sysadm_home_dir_t:dir search_dir_perms; + allow $1 admin_home_t:dir search_dir_perms; ') ######################################## 
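Review bot: The re-added doc for `userdom_dontaudit_append_staff_home_content_files` still reads "append to the staff users home directory", but the interface now only forwards to `userdom_dontaudit_append_unpriv_home_content_files`, whose rule is `dontaudit $1 user_home_t:file append_file_perms;` — every unprivileged user's home content, not just staff. Its summary should say so, e.g. `## Do not audit attempts to append to unprivileged users home` / `## content files (kept for callers of the old staff interface).` Since the wrapper exists only for compatibility, adding `refpolicywarn(`$0($*) has been deprecated, use userdom_dontaudit_append_unpriv_home_content_files() instead.')` — the pattern `userdom_unconfined` uses later in this file — would steer callers to the new name. The renamed interface's own doc block begins outside this hunk.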
@@ -4582,10 +4719,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` - type sysadm_home_dir_t; + type admin_home_t; ') - dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; + dontaudit $1 admin_home_t:dir search_dir_perms; ') ######################################## @@ -4600,10 +4737,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` - type sysadm_home_dir_t; + type admin_home_t; ') - allow $1 sysadm_home_dir_t:dir list_dir_perms; + allow $1 admin_home_t:dir list_dir_perms; ') ######################################## @@ -4619,10 +4756,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` - type sysadm_home_dir_t; + type admin_home_t; ') - dontaudit $1 sysadm_home_dir_t:dir list_dir_perms; + dontaudit $1 admin_home_t:dir list_dir_perms; ') ######################################## @@ -4638,12 +4775,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` - type sysadm_home_dir_t, sysadm_home_t; + type admin_home_t; ') - dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; - dontaudit $1 sysadm_home_t:dir search_dir_perms; - dontaudit $1 sysadm_home_t:file read_file_perms; + dontaudit $1 admin_home_t:dir search_dir_perms; + dontaudit $1 admin_home_t:file read_file_perms; ') ######################################## @@ -4670,10 +4806,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` - type sysadm_home_dir_t; + type admin_home_t; ') - filetrans_pattern($1,sysadm_home_dir_t,$2,$3) + filetrans_pattern($1,admin_home_t,$2,$3) ') ######################################## @@ -4688,10 +4824,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` - type sysadm_home_dir_t, sysadm_home_t; + type admin_home_t; ') - allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms; + allow $1 admin_home_t:dir search_dir_perms; ') ######################################## 
@@ -4706,13 +4842,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` - type sysadm_home_dir_t, sysadm_home_t; + type admin_home_t; ') files_search_home($1) - allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms; - read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t) - read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t) + allow $1 admin_home_t:dir list_dir_perms; + read_files_pattern($1, admin_home_t, admin_home_t) + read_lnk_files_pattern($1, admin_home_t, admin_home_t) ') ######################################## @@ -4748,11 +4884,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` + attribute user_home_dir_type; + ') + + files_list_home($1) + allow $1 user_home_dir_type:dir search_dir_perms; +') + +######################################## +## +## Read all users home directories symlinks. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_read_all_users_home_dirs_symlinks',` + gen_require(` attribute home_dir_type; ') files_list_home($1) - allow $1 home_dir_type:dir search_dir_perms; + allow $1 home_dir_type:lnk_file read_lnk_file_perms; +') + +######################################## +## +## Read all users home directories symlinks. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_read_all_users_home_content_symlinks',` + gen_require(` + type user_home_t; + ') + + files_list_home($1) + allow $1 user_home_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -4772,6 +4946,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; + + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs(crond_t) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_list_cifs(crond_t) + ') ') ######################################## 
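Review bot: The two new interfaces carry the identical summary "Read all users home directories symlinks.", yet `userdom_read_all_users_home_content_symlinks` reads `user_home_t:lnk_file`, i.e. symlinks inside home directories, so its summary should be `## Read all users home directory content symlinks.` That interface also names the single type `user_home_t` rather than the `user_home_type` attribute that the `*_unpriv_users_home_content_*` interfaces further down this diff require, so "all users" may not hold for every home content type; the attribute is the safer choice if that is the intent. `userdom_search_all_users_home_dirs` meanwhile switches to `user_home_dir_type` while the symlink interface beside it keeps `home_dir_type`; a comment on which attribute is the superset would help readers.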
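Review bot: The two added `tunable_policy` blocks pass the literal `crond_t` to `fs_list_nfs` and `fs_list_cifs`, but the enclosing interface takes the calling domain as `$1` (see `files_list_home($1)` and the `allow $1 home_dir_type:dir` line), so every caller would grant the NFS/CIFS listing to cron instead of to itself, and `crond_t` is not in this interface's `gen_require`, which is likely to fail the build for modules that do not otherwise require it. The calls should read `fs_list_nfs($1)` and `fs_list_cifs($1)`. The interface's header and name are outside the hunk.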
@@ -4833,6 +5015,26 @@ ######################################## ## +## delete all directories +## in all users home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_all_users_home_content_dirs',` + gen_require(` + attribute home_type; + ') + + files_list_home($1) + delete_dirs_pattern($1, home_type, home_type) +') + +######################################## +## ## Create, read, write, and delete all directories ## in all users home directories. ## @@ -4853,6 +5055,25 @@ ######################################## ## +## Delete all files +## in all users home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_all_users_home_content_files',` + gen_require(` + attribute home_type; + ') + + delete_files_pattern($1,home_type,home_type) +') + +######################################## +## ## Create, read, write, and delete all files ## in all users home directories. ## @@ -4873,6 +5094,26 @@ ######################################## ## +## Delete all symlinks +## in all users home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_all_users_home_content_symlinks',` + gen_require(` + attribute home_type; + ') + + files_list_home($1) + delete_lnk_files_pattern($1,home_type,home_type) +') + +######################################## +## ## Create, read, write, and delete all symlinks ## in all users home directories. ## @@ -5109,7 +5350,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` - type staff_home_dir_t; + type user_home_dir_t; ') files_search_home($1) 
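Review bot: `userdom_delete_all_users_home_content_files` calls `delete_files_pattern($1,home_type,home_type)` without the `files_list_home($1)` that its siblings `userdom_delete_all_users_home_content_dirs` (hunk above) and `userdom_delete_all_users_home_content_symlinks` (hunk below) both issue first, so a caller using only this interface may be unable to reach the files it is allowed to delete. Unless the omission is deliberate, add `files_list_home($1)` before the pattern call. The three summaries also differ in capitalisation ("delete all directories" versus "Delete all files"); the dirs one should read `## Delete all directories`.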
@@ -5298,6 +5539,50 @@ ######################################## ## +## append all unprivileged users home directory +## files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_append_unpriv_users_home_content_files',` + gen_require(` + attribute user_home_dir_type, user_home_type; + ') + + files_search_home($1) + allow $1 user_home_type:dir list_dir_perms; + append_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) +') + +######################################## +## +## dontaudit Read all unprivileged users home directory +## files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dontaudit_read_unpriv_users_home_content_files',` + gen_require(` + attribute user_home_dir_type, user_home_type; + ') + + files_search_home($1) + dontaudit $1 user_home_type:dir list_dir_perms; + dontaudit $1 user_home_type:file read_file_perms; + dontaudit $1 user_home_type:file read_lnk_file_perms; + +') + +######################################## +## ## Create, read, write, and delete directories in ## unprivileged users home directories. ## @@ -5503,6 +5788,42 @@ ######################################## ## +## Write all unprivileged users files in /tmp +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_unpriv_users_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + manage_files_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## +## +## Write all unprivileged users lnk_files in /tmp +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_unpriv_users_tmp_symlinks',` + gen_require(` + type user_tmp_t; + ') + + manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## +## ## Read and write unprivileged user ttys. ## ## 
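Review bot: In `userdom_dontaudit_read_unpriv_users_home_content_files` the line `dontaudit $1 user_home_type:file read_lnk_file_perms;` applies a symlink permission set to the `file` class; the read interfaces elsewhere in this diff pair `read_lnk_file_perms`/`read_lnk_files_pattern` with `lnk_file`, so this should be `dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;`. The same interface ends with a stray blank line before `')`, and its summary "dontaudit Read all unprivileged users ..." should be `## Do not audit attempts to read all unprivileged users home directory files.` to match the wording used by the other dontaudit interfaces in this file.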
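Review bot: The summaries of `userdom_manage_unpriv_users_tmp_files` and `userdom_manage_unpriv_users_tmp_symlinks` say "Write all unprivileged users files in /tmp", but the bodies call `manage_files_pattern` and `manage_lnk_files_pattern`, which the rest of this file documents as create, read, write and delete. They should read `## Create, read, write, and delete all unprivileged users files in /tmp` and the symlink equivalent. Both also grant on the single type `user_tmp_t`, whereas `userdom_unlink_unpriv_users_tmp_files` earlier in this diff uses the `user_tmpfile` attribute; if the two are meant to cover the same set of files, one of them is wider than the other.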
@@ -5668,6 +5989,42 @@ ######################################## ## +## Manage keys for all user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_all_users_keys',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:key manage_key_perms; +') + +######################################## +## +## dontaudit search keys for all user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dontaudit_search_all_users_keys',` + gen_require(` + attribute userdomain; + ') + + dontaudit $1 userdomain:key search; +') + +######################################## +## ## Send a dbus message to all user domains. ## ## 
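Review bot: `userdom_manage_all_users_keys` grants `manage_key_perms` on the `userdomain` attribute, which the `userdom_unpriv_usertype` template later in this diff assigns alongside `unpriv_userdomain`, so the grant appears to reach privileged user domains' keyrings as well; kernel keyrings hold credentials, and the summary should state that scope rather than just "all user domains", e.g. `## Manage the kernel keyrings of every user domain, privileged ones included.` The contents of `manage_key_perms` are not visible here; if it includes `setattr` or `link`, naming that in the description helps callers judge what they hand out. The `dontaudit $1 userdomain:key search;` interface below it is fine as is.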
@@ -5698,3 +6055,368 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') + +######################################## +## +## allow getattr all user file type +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_list_user_files',` + gen_require(` + attribute $1_file_type; + ') + + allow $2 $1_file_type:dir search_dir_perms; + allow $2 $1_file_type:file getattr; +') + +######################################## +## +## Do not audit attempts to write to homedirs of sysadm users +## home directory. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_write_sysadm_home_dirs',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:dir write; +') + +######################################## +## +## Ptrace all user domains. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_ptrace_all_users',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:process ptrace; +') + +######################################## +## +## unlink all unprivileged users home directory +## files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_unlink_unpriv_users_home_content_files',` + gen_require(` + attribute user_home_dir_type, user_home_type; + ') + + files_search_home($1) + allow $1 user_home_dir_type:dir list_dir_perms; + allow $1 user_home_type:file unlink; +') + +######################################## +## +## dontaudit search all users home directory +## files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dontaudit_search_users_home_dirs',` + + gen_require(` + attribute user_home_dir_type; + ') + + files_search_home($1) + dontaudit $1 user_home_dir_type:dir search_dir_perms; +') + + +######################################## +## +## Identify specified type as being in a users home directory +## +## +##

+## Make the specified type a home type. +##

+##
+## +## +## Type to be used as a home directory type. +## +## +# +interface(`userdom_user_home_type',` + gen_require(` + attribute user_home_type; + attribute home_type; + ') + typeattribute $1 user_home_type; + typeattribute $1 home_type; +') + +######################################## +## +## Do not audit attempts to relabel unpriv user +## home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dontaudit_relabel_unpriv_user_home_content_files',` + gen_require(` + attribute user_home_type; + ') + + dontaudit $1 user_home_type:file { relabelto relabelfrom }; +') + + +######################################## +## +## Mmap of unpriv user +## home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_mmap_unpriv_user_home_content_files',` + gen_require(` + attribute user_home_type; + ') + + files_search_home($1) + allow $1 user_home_type:file execute; +') + +######################################## +## +## dontaudit attempts to write to user home dir files +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dontaudit_write_unpriv_user_home_content_files',` + gen_require(` + attribute user_home_type; + ') + + allow $1 user_home_type:file write; +') + +######################################## +## +## Allow apps to set rlimits on userdomain +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_set_rlimitnh',` + gen_require(` + attribute userdomain; + ') + allow $1 userdomain:process rlimitinh; +') + +######################################## +## +## Define this type as a Allow apps to set rlimits on userdomain +## +## +## +## Domain allowed access. +## +## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. 
+## +## +# +template(`userdom_unpriv_usertype',` + gen_require(` + attribute unpriv_userdomain, userdomain; + attribute $1_usertype; + ') + typeattribute $2 $1_usertype; + typeattribute $2 unpriv_userdomain; + typeattribute $2 userdomain; +') + + +######################################## +## +## Manage and create all files in /tmp on behalf of the user +## +## +##

+## The interface for full access to the temporary directories. +## This creates a derived type for the user +## temporary type. Execute access is not given. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +## +## +## The class of the object to be created. +## If not specified, file is used. +## +## +# +template(`userdom_transition_user_tmp',` + gen_require(` + type user_tmp_t; + ') + + files_tmp_filetrans($2, user_tmp_t, $3) +') + +################################################ +## +## Allow unpriv users read domains system state +## +## +## Allow the ps command visibility to processes in +## the specified domain when used by an +## unprivileged user +## +## +## +## Domain for which the ps command will have access +## +## +## +## +# +interface(`userdom_readable_process',` + gen_require(` + attribute unpriv_process; + ') + + typeattribute $1 unpriv_process; +') + + +####################################### +## +## The template for creating a unprivileged user roughly +## equivalent to a regular linux user. +## +## +##

+## The template for creating a unprivileged user roughly +## equivalent to a regular linux user. +##

+##

+## This template creates a user domain, types, and +## rules for the user's tty, pty, home directories, +## tmp, and tmpfs files. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +# +template(`userdom_admin_login_user_template', ` + + userdom_unpriv_user_template($1) + + allow $1_t self:capability sys_nice; + + domain_read_all_domains_state($1_t) + domain_getattr_all_domains($1_t) + + files_read_kernel_modules($1_t) + + kernel_read_fs_sysctls($1_t) + + modutils_read_module_config($1_t) + modutils_read_module_deps($1_t) + + miscfiles_read_hwdata($1_t) + + sudo_per_role_template($1, $1_t, $1_r) + seutil_run_newrole($1_t, $1_r, { $1_tty_device_t $1_devpts_t }) + + optional_policy(` + gnomeclock_dbus_chat($1_t) + ') + + optional_policy(` + kerneloops_dbus_chat($1_t) + ') + + optional_policy(` + rpm_dbus_chat($1_t) + ') + + optional_policy(` + setroubleshoot_stream_connect($1_t) + ') + + optional_policy(` + netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + ') +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.2.7/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/userdomain.te 2008-02-13 16:57:16.000000000 -0500 @@ -2,12 +2,7 @@ policy_module(userdomain,2.5.0) gen_require(` - role sysadm_r, staff_r, user_r; - - ifdef(`enable_mls',` - role secadm_r; - role auditadm_r; - ') + role sysadm_r; ') ######################################## @@ -17,20 +12,13 @@ ## ##
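Review bot: `userdom_dontaudit_write_unpriv_user_home_content_files` is named and documented as a dontaudit interface, but its only rule is `allow $1 user_home_type:file write;`, so any caller that wants to silence denials instead receives write access to every unprivileged user's home files; the line should be `dontaudit $1 user_home_type:file write;`. In the same hunk, `userdom_transition_user_tmp` claims to create "a derived type for the user temporary type" yet ignores `$1` and uses the fixed `user_tmp_t`, so that paragraph should be dropped; `userdom_list_user_files` is declared as an `interface` but uses `$1` as a type prefix and `$2` as the domain while its doc block appears to describe only one parameter; and the summary of `userdom_unpriv_usertype` ("Define this type as a Allow apps to set rlimits on userdomain") is a paste of the `userdom_set_rlimitnh` summary. The latter's name also does not match the `rlimitinh` permission it grants, which callers will search for.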

-## Allow sysadm to debug or ptrace all processes. +## Allow sysadm to debug or ptrace all processes ##

##
gen_tunable(allow_ptrace,false) ## ##

-## Allow users to connect to mysql -##

-##
-gen_tunable(allow_user_mysql_connect,false) - -## -##

## Allow users to connect to PostgreSQL ##

##
@@ -74,6 +62,9 @@ # users home directory contents attribute home_type; +# Executables to be run by user +attribute user_exec_type; + # The privhome attribute identifies every domain that can create files under # regular user home directories in the regular context (IE act on behalf of # a user in writing regular files) 
@@ -97,44 +88,54 @@ # unprivileged user domains attribute unpriv_userdomain; +attribute unpriv_process; attribute untrusted_content_type; attribute untrusted_content_tmp_type; -######################################## -# -# Local policy -# +type admin_home_t, home_type; +files_type(admin_home_t) +files_associate_tmp(admin_home_t) +fs_associate_tmpfs(admin_home_t) +files_mountpoint(admin_home_t) + +type user_home_t, user_file_type, user_home_type, home_type; +files_type(user_home_t) +files_associate_tmp(user_home_t) +fs_associate_tmpfs(user_home_t) +files_mountpoint(user_home_t) +files_poly_parent(user_home_t) +files_poly_member(user_home_t) + +# type of home directory +type user_home_dir_t, home_dir_type, user_home_dir_type, home_type; +files_type(user_home_dir_t) +files_mountpoint(user_home_dir_t) +files_associate_tmp(user_home_dir_t) +fs_associate_tmpfs(user_home_dir_t) +files_poly(user_home_dir_t) +files_poly_member(user_home_dir_t) +files_poly_parent(user_home_dir_t) -userdom_admin_user_template(sysadm) -userdom_unpriv_user_template(staff) -userdom_unpriv_user_template(user) +type user_tmp_t, user_file_type, user_tmpfile; +files_tmp_file(user_tmp_t) -# user role change rules: -# sysadm_r can change to user roles -userdom_role_change_template(sysadm, user) -userdom_role_change_template(sysadm, staff) - -# only staff_r can change to sysadm_r -userdom_role_change_template(staff, sysadm) -dontaudit staff_t admin_terminal:chr_file { read write }; - -ifdef(`enable_mls',` - userdom_unpriv_user_template(secadm) - userdom_unpriv_user_template(auditadm) +############################## +# +# User home directory file rules +# - userdom_role_change_template(staff, auditadm) - userdom_role_change_template(staff, secadm) +allow user_file_type user_home_t:filesystem associate; - userdom_role_change_template(sysadm, secadm) - userdom_role_change_template(sysadm, auditadm) +# Rules used to associate a homedir as a mountpoint +allow user_home_t self:filesystem associate; - 
userdom_role_change_template(auditadm, secadm) - userdom_role_change_template(auditadm, sysadm) +######################################## +# +# Local policy +# - userdom_role_change_template(secadm, auditadm) - userdom_role_change_template(secadm, sysadm) -') +userdom_admin_user_template(sysadm) ######################################## # @@ -154,6 +155,11 @@ init_exec(sysadm_t) +kernel_sigstop_unlabeled(sysadm_t) +kernel_signal_unlabeled(sysadm_t) +kernel_kill_unlabeled(sysadm_t) +kernel_read_unlabeled_state(sysadm_t) + # Following for sending reboot and wall messages userdom_use_unpriv_users_ptys(sysadm_t) userdom_use_unpriv_users_ttys(sysadm_t) 
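Review bot: `type admin_home_t, home_type;` is introduced with no comment, while the neighbouring `user_home_dir_t` gets "# type of home directory"; since the per-role `sysadm_home_dir_t` and `staff_home_dir_t` are being folded into it throughout userdomain.if, a line such as `# home directory type for administrative users (replaces the per-role *_home_dir_t types)` would record that. `user_tmp_t` is declared with the `user_tmpfile` attribute, but no `attribute user_tmpfile;` appears in the visible hunks of this file, so confirm it is declared elsewhere. The removed `dontaudit staff_t admin_terminal:chr_file { read write };` and the `userdom_role_change_template` calls have no replacement in this hunk; if role changes are now handled in another module, a comment pointing there would help.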
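Review bot: The four `kernel_*_unlabeled(sysadm_t)` calls let sysadm signal, stop, kill and read the state of unlabeled processes with no comment on why, unlike the "# Following for sending reboot and wall messages" line right below them. A short why-comment, e.g. `# sysadm must be able to inspect and signal processes that are left unlabeled`, would keep the next reader from treating these as accidental. The surrounding block's header is outside the hunk.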
@@ -170,46 +176,7 @@ ') ') -ifdef(`enable_mls',` - allow auditadm_t self:capability { dac_read_search dac_override }; - seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) - domain_kill_all_domains(auditadm_t) - seutil_read_bin_policy(auditadm_t) - corecmd_exec_shell(auditadm_t) - logging_send_syslog_msg(auditadm_t) - logging_read_generic_logs(auditadm_t) - logging_manage_audit_log(auditadm_t) - logging_manage_audit_config(auditadm_t) - logging_run_auditctl(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) - logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) - userdom_dontaudit_read_sysadm_home_content_files(auditadm_t) - - allow secadm_t self:capability { dac_read_search dac_override }; - corecmd_exec_shell(secadm_t) - domain_obj_id_change_exemption(secadm_t) - mls_process_read_up(secadm_t) - mls_file_read_all_levels(secadm_t) - mls_file_write_all_levels(secadm_t) - mls_file_upgrade(secadm_t) - mls_file_downgrade(secadm_t) - auth_relabel_all_files_except_shadow(secadm_t) - dev_relabel_all_dev_nodes(secadm_t) - auth_relabel_shadow(secadm_t) - init_exec(secadm_t) - logging_read_audit_log(secadm_t) - logging_read_generic_logs(secadm_t) - logging_read_audit_config(secadm_t) - userdom_dontaudit_append_staff_home_content_files(secadm_t) - userdom_dontaudit_read_sysadm_home_content_files(secadm_t) - - optional_policy(` - aide_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t }) - ') - - optional_policy(` - netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t }) - ') -',` +ifdef(`enable_mls',`',` logging_manage_audit_log(sysadm_t) logging_manage_audit_config(sysadm_t) logging_run_auditctl(sysadm_t, sysadm_r, admin_terminal) 
@@ -224,6 +191,10 @@ ') optional_policy(` + amtu_run(sysadm_t, sysadm_r, admin_terminal) +') + +optional_policy(` apache_run_helper(sysadm_t, sysadm_r, admin_terminal) #apache_run_all_scripts(sysadm_t, sysadm_r) #apache_domtrans_sys_script(sysadm_t) @@ -279,14 +250,6 @@ ') optional_policy(` - consoletype_exec(sysadm_t) - - ifdef(`enable_mls',` - consoletype_exec(auditadm_t) - ') -') - -optional_policy(` cron_admin_template(sysadm, sysadm_t, sysadm_r) ') @@ -302,12 +265,9 @@ optional_policy(` dmesg_exec(sysadm_t) - - ifdef(`enable_mls',` - dmesg_exec(auditadm_t) - ') ') + optional_policy(` dmidecode_run(sysadm_t, sysadm_r, admin_terminal) ') @@ -352,6 +312,10 @@ ') optional_policy(` + kismet_run(sysadm_t, sysadm_r, admin_terminal) +') + +optional_policy(` lvm_run(sysadm_t, sysadm_r, admin_terminal) ') @@ -387,6 +351,10 @@ ') optional_policy(` + netlabel_run_mgmt(sysadm_t, sysadm_r, admin_terminal) +') + +optional_policy(` netutils_run(sysadm_t, sysadm_r, admin_terminal) netutils_run_ping(sysadm_t, sysadm_r, admin_terminal) netutils_run_traceroute(sysadm_t, sysadm_r, admin_terminal) @@ -436,15 +404,19 @@ optional_policy(` samba_run_net(sysadm_t, sysadm_r, admin_terminal) + samba_run_smbcontrol(sysadm_t, sysadm_r, admin_terminal) samba_run_winbind_helper(sysadm_t, sysadm_r, admin_terminal) ') optional_policy(` + seutil_run_setsebool(sysadm_t, sysadm_r, admin_terminal) seutil_run_setfiles(sysadm_t, sysadm_r, admin_terminal) seutil_run_runinit(sysadm_t, sysadm_r, admin_terminal) ifdef(`enable_mls',` - userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t sysadm_devpts_t }) +# tunable_policy(`allow_sysadm_manage_security',` + userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal) +# ') ', ` userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal) ') 
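Review bot: The `@@ -279,14 +250,6 @@` hunk removes `consoletype_exec(sysadm_t)` outright, not only the MLS `consoletype_exec(auditadm_t)` line, whereas the neighbouring dmesg hunk trims just the MLS part and keeps `dmesg_exec(sysadm_t)`; nothing else in the patch re-adds consoletype for sysadm_t and the commit does not mention it. If the removal is intended (for example because a template already covers it), say so in the commit; otherwise keep `optional_policy(` / `consoletype_exec(sysadm_t)` / `')`.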
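Review bot: After the `@@ -436,15 +404,19 @@` hunk both branches of `ifdef(`enable_mls',` call `userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal)`, so the ifdef no longer selects anything, and the commented-out `# tunable_policy(`allow_sysadm_manage_security',`` / `# ')` lines are dead code around it. Under MLS this hands sysadm_t the relabel and security-admin rights that the removed line reserved for secadm_t (now in users/secadm.te), collapsing the sysadm/secadm separation the MLS configuration exists to provide; the commented tunable suggests that was meant to be opt-in. Either declare the tunable (`gen_tunable(allow_sysadm_manage_security, false)`) and uncomment the wrapper, or drop the ifdef and the commented lines and keep one unconditional call with a comment stating that sysadm is the security admin in this policy. The enclosing optional_policy block appears to end outside the hunk.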
@@ -487,3 +459,13 @@ optional_policy(` yam_run(sysadm_t, sysadm_r, admin_terminal) ') + +tunable_policy(`allow_console_login', ` + term_use_console(userdomain) +') + +# Allow unpriv users to read system state of unpriv processes +read_files_pattern(unpriv_userdomain, unpriv_process, unpriv_process) +read_lnk_files_pattern(unpriv_userdomain, unpriv_process, unpriv_process) +allow unpriv_userdomain unpriv_process:process getattr; +dontaudit unpriv_userdomain unpriv_process:process ptrace; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.2.7/policy/modules/system/virt.fc --- nsaserefpolicy/policy/modules/system/virt.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/virt.fc 2008-02-13 16:57:16.000000000 -0500 @@ -0,0 +1,13 @@ + +/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) + +/etc/rc.d/init.d/libvirtd -- gen_context(system_u:object_r:virtd_script_exec_t,s0) +/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) + +/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.2.7/policy/modules/system/virt.if --- nsaserefpolicy/policy/modules/system/virt.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/virt.if 2008-02-13 16:57:16.000000000 -0500 
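Review bot: The new `read_files_pattern(unpriv_userdomain, unpriv_process, unpriv_process)` block and `dontaudit unpriv_userdomain unpriv_process:process ptrace;` concern only unprivileged user domains, yet they are appended to sysadm.te after the sysadm_t optional_policy blocks; they read as if they belong with the module that owns the `unpriv_userdomain` attribute. The dontaudit also silences a denial class (one user domain trying to trace another) that is a useful audit signal; if the goal is only to quiet state-probing tools, a comment should say so, e.g. `# quiet ptrace probes from process-listing tools; access is not granted`. `allow_console_login` is used here but its gen_tunable declaration is not in this hunk, so confirm it is declared elsewhere.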
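Review bot: The `/etc/libvirt` subtree is split between `virt_etc_t` (the directory and its direct files) and `virt_etc_rw_t` (subdirectories and everything below them), and virt.te in this patch gives virtd_t manage rights on the rw type while only reading the other; nothing in the file records that intent. Daemon-writable configuration is the part an operator will want to watch, so a comment above `/etc/libvirt/[^/]* -d` naming what lives in those subdirectories and why the daemon writes there would help, e.g. `# <what the subdirectories hold>: written by virtd_t, see virt.te`.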
@@ -0,0 +1,324 @@ + +## policy for virt + +######################################## +## +## Execute a domain transition to run virt. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`virt_domtrans',` + gen_require(` + type virtd_t; + type virtd_exec_t; + ') + + domtrans_pattern($1,virtd_exec_t,virtd_t) +') + + +######################################## +## +## Execute virt server in the virt domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`virtd_script_domtrans',` + gen_require(` + type virtd_script_exec_t; + ') + + init_script_domtrans_spec($1,virtd_script_exec_t) +') + +######################################## +## +## Read virt PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_read_pid_files',` + gen_require(` + type virt_var_run_t; + ') + + files_search_pids($1) + allow $1 virt_var_run_t:file read_file_perms; +') + +######################################## +## +## Read virt config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_read_config',` + gen_require(` + type virt_etc_t; + type virt_etc_rw_t; + ') + + files_search_etc($1) + read_files_pattern($1, virt_etc_t, virt_etc_t) + read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +') + +######################################## +## +## Manage virt var_run files. +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_manage_var_run',` + gen_require(` + type virt_var_run_t; + ') + + manage_dirs_pattern($1,virt_var_run_t,virt_var_run_t) + manage_files_pattern($1,virt_var_run_t,virt_var_run_t) + manage_lnk_files_pattern($1,virt_var_run_t,virt_var_run_t) +') + + +######################################## +## +## Search virt lib directories. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`virt_search_lib',` + gen_require(` + type virt_var_lib_t; + ') + + allow $1 virt_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Read virt lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_read_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +') + +######################################## +## +## Create, read, write, and delete +## virt lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_manage_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +') + +######################################## +## +## Manage virt var_lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_manage_var_lib',` + gen_require(` + type virt_var_lib_t; + ') + + manage_dirs_pattern($1,virt_var_lib_t,virt_var_lib_t) + manage_files_pattern($1,virt_var_lib_t,virt_var_lib_t) + manage_lnk_files_pattern($1,virt_var_lib_t,virt_var_lib_t) +') + + +######################################## +## +## Allow the specified domain to read virt's log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`virt_read_log',` + gen_require(` + type virt_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## +## Allow the specified domain to append +## virt log files. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`virt_append_log',` + gen_require(` + type var_log_t, virt_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## +## Allow domain to manage virt log files +## +## +## +## Domain to not audit. 
+## +## +# +interface(`virt_manage_log',` + gen_require(` + type virt_log_t; + ') + + manage_dirs_pattern($1,virt_log_t,virt_log_t) + manage_files_pattern($1,virt_log_t,virt_log_t) + manage_lnk_files_pattern($1,virt_log_t,virt_log_t) +') + +######################################## +## +## All of the rules required to administrate +## an virt environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the virt domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`virt_admin',` + gen_require(` + type virtd_t; + type virtd_script_exec_t; + ') + + allow $1 virtd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, virtd_t, virtd_t) + + + # Allow virtd_t to restart the apache service + virt_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 virtd_script_exec_t system_r; + allow $2 system_r; + + virt_manage_var_run($1) + + virt_manage_var_lib($1) + + virt_manage_log($1) + +') + +######################################## +## +## Allow domain to manage virt image files +## +## +## +## Domain to not audit. 
+## +## +# +interface(`virt_manage_image',` + gen_require(` + type virt_image_t; + type virt_var_lib_t; + ') + + virt_search_lib($1) + allow $1 virt_image_t:dir list_dir_perms; + manage_dirs_pattern($1,virt_image_t,virt_image_t) + manage_files_pattern($1,virt_image_t,virt_image_t) + read_lnk_files_pattern($1,virt_image_t,virt_image_t) + rw_blk_files_pattern($1,virt_image_t,virt_image_t) + + tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + fs_read_nfs_symlinks($1) + ') + + tunable_policy(`virt_use_samba',` + fs_manage_nfs_files($1) + fs_manage_cifs_files($1) + fs_read_cifs_symlinks($1) + ') +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.7/policy/modules/system/virt.te --- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/virt.te 2008-02-13 16:57:16.000000000 -0500 @@ -0,0 +1,158 @@ + +policy_module(virt,1.0.0) + +## +##
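Review bot: `virt_admin` calls `virt_script_domtrans($1)`, but the interface defined earlier in this hunk is named `virtd_script_domtrans`; one of the two must change (`virtd_script_domtrans($1)` in virt_admin, or rename the interface to `virt_script_domtrans` to match the `virt_` prefix every other interface here uses) or the admin interface will not expand. In `virt_manage_image` the `virt_use_samba` branch opens with `fs_manage_nfs_files($1)`, evidently copied from the nfs branch; it should be `fs_manage_cifs_dirs($1)` so a samba-only setting does not also open NFS files. Smaller copy-paste leftovers: `virt_append_log` requires `var_log_t` it never uses (`type virt_log_t;` suffices), the comment in virt_admin reads `# Allow virtd_t to restart the apache service`, and the parameter docs of `virt_manage_log` and `virt_manage_image` say "Domain to not audit." while `virt_append_log` says "Domain allowed to transition." — all should read "Domain allowed access.".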

+## Allow virt to manage nfs files +##

+##
+gen_tunable(virt_use_nfs,false) + +## +##

+## Allow virt to manage cifs files +##

+##
+gen_tunable(virt_use_samba,false) + +######################################## +# +# Declarations +# + +type virtd_t; +type virtd_exec_t; +domain_type(virtd_t) +init_daemon_domain(virtd_t, virtd_exec_t) + +type virtd_script_exec_t; +init_script_type(virtd_script_exec_t) + +type virt_var_run_t; +files_pid_file(virt_var_run_t) + +type virt_var_lib_t; +files_type(virt_var_lib_t) + +type virt_etc_t; +files_type(virt_etc_t) + +type virt_etc_rw_t; +files_type(virt_etc_rw_t) + +type virt_log_t; +logging_log_file(virt_log_t) + +# virt Image files +type virt_image_t; # customizable +files_type(virt_image_t) +# virt_image_t can be assigned to blk devices +dev_node(virt_image_t) + +######################################## +# +# virtd local policy +# +allow virtd_t self:capability { kill net_admin setgid }; +allow virtd_t self:process sigkill; +allow virtd_t self:fifo_file rw_file_perms; +allow virtd_t self:unix_stream_socket create_stream_socket_perms; +allow virtd_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +files_pid_filetrans(virtd_t,virt_var_run_t, { file dir }) + +manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir } ) + +manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) +manage_files_pattern(virtd_t, virt_log_t, virt_log_t) +logging_log_filetrans(virtd_t, virt_log_t, { file dir } ) + +read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) +read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) + +manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) + 
+corenet_all_recvfrom_unlabeled(virtd_t) +corenet_all_recvfrom_netlabel(virtd_t) +corenet_tcp_sendrecv_all_if(virtd_t) +corenet_tcp_sendrecv_all_nodes(virtd_t) +corenet_tcp_sendrecv_all_ports(virtd_t) +corenet_tcp_bind_all_nodes(virtd_t) +corenet_tcp_bind_virt_port(virtd_t) +corenet_tcp_bind_vnc_port(virtd_t) +corenet_tcp_connect_vnc_port(virtd_t) +corenet_tcp_connect_soundd_port(virtd_t) +corenet_rw_tun_tap_dev(virtd_t) + +dev_read_sysfs(virtd_t) + +kernel_read_system_state(virtd_t) +kernel_read_network_state(virtd_t) +kernel_rw_net_sysctls(virtd_t) +kernel_write_xen_state(virtd_t) + +# Init script handling +domain_use_interactive_fds(virtd_t) + +files_read_etc_files(virtd_t) +files_read_etc_runtime_files(virtd_t) +files_search_all(virtd_t) + +libs_use_ld_so(virtd_t) +libs_use_shared_libs(virtd_t) + +miscfiles_read_localization(virtd_t) +miscfiles_read_certs(virtd_t) + +auth_use_nsswitch(virtd_t) + +logging_send_syslog_msg(virtd_t) + +optional_policy(` + brctl_domtrans(virtd_t) +') + +optional_policy(` + dbus_system_bus_client_template(virtd,virtd_t) + optional_policy(` + avahi_dbus_chat(virtd_t) + ') + + optional_policy(` + hal_dbus_chat(virtd_t) + ') +') + +optional_policy(` + dnsmasq_domtrans(virtd_t) + dnsmasq_signal(virtd_t) +') + +optional_policy(` + iptables_domtrans(virtd_t) +') + +optional_policy(` + qemu_domtrans(virtd_t) + qemu_read_state(virtd_t) + qemu_signal(virtd_t) + qemu_sigkill(virtd_t) +') + +optional_policy(` + sasl_connect(virtd_t) +') + +optional_policy(` + xen_stream_connect(virtd_t) + xen_stream_connect_xenstore(virtd_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.2.7/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2007-06-21 09:32:04.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/system/xen.if 2008-02-13 16:57:16.000000000 -0500 
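Review bot: `virt_image_t` is declared (with `dev_node`, so it may label block devices) but no rule in this file lets virtd_t touch it; the only access path is `virt_manage_image` in virt.if, which this file never applies, so either the daemon's own image handling is expected to happen in another domain (qemu_t via `qemu_domtrans`, presumably) or `virt_manage_image(virtd_t)` is missing here — worth a comment above `type virt_image_t;` either way. The tunables `virt_use_nfs` and `virt_use_samba` are likewise declared here but consumed only inside that unused interface. `files_search_all(virtd_t)` and `corenet_tcp_sendrecv_all_ports(virtd_t)` are broad grants for a daemon that also holds `net_admin`; a one-line comment on each stating what it is for would let a later reviewer judge whether they can be narrowed.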
@@ -167,11 +167,14 @@ # interface(`xen_stream_connect',` gen_require(` - type xend_t, xend_var_run_t; + type xend_t, xend_var_run_t, xend_var_lib_t; ') files_search_pids($1) stream_connect_pattern($1,xend_var_run_t,xend_var_run_t,xend_t) + + files_search_var_lib($1) + stream_connect_pattern($1,xend_var_lib_t,xend_var_lib_t,xend_t) ') ######################################## @@ -191,3 +194,24 @@ domtrans_pattern($1,xm_exec_t,xm_t) ') + +######################################## +## +## Allow the specified domain to read/write +## xend image files. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`xen_rw_image_files',` + gen_require(` + type xen_image_t, xend_var_lib_t; + ') + + files_list_var_lib($1) + allow $1 xend_var_lib_t:dir search_dir_perms; + rw_files_pattern($1,xen_image_t,xen_image_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.2.7/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/xen.te 2008-02-13 16:57:16.000000000 -0500 @@ -6,6 +6,13 @@ # Declarations # +## +##
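Review bot: The parameter doc of the new `xen_rw_image_files` says "Domain allowed to transition." although the interface grants read/write on image files and no transition; it should read "Domain allowed access.". The body also calls `files_list_var_lib($1)` although the next line only needs to walk into `xend_var_lib_t` (`search_dir_perms`); `files_search_var_lib($1)`, as `xen_stream_connect` in the first hunk uses, is the narrower match.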
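Review bot: In the `@@ -59,8 +64,7 @@` hunk `role system_r types xenconsoled_t;` is kept after switching to `init_daemon_domain(xenconsoled_t,xenconsoled_exec_t)`, while the parallel `@@ -45,9 +52,7 @@` hunk for xenstored drops the equivalent line; if init_daemon_domain declares the role, as the xenstored hunk assumes, the xenconsoled line is redundant and the two should be made consistent.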

+## Allow xen to manage nfs files +##

+##
+gen_tunable(xen_use_nfs,false) + # console ptys type xen_devpts_t; term_pty(xen_devpts_t); @@ -45,9 +52,7 @@ type xenstored_t; type xenstored_exec_t; -domain_type(xenstored_t) -domain_entry_file(xenstored_t,xenstored_exec_t) -role system_r types xenstored_t; +init_daemon_domain(xenstored_t,xenstored_exec_t) # var/lib files type xenstored_var_lib_t; @@ -59,8 +64,7 @@ type xenconsoled_t; type xenconsoled_exec_t; -domain_type(xenconsoled_t) -domain_entry_file(xenconsoled_t,xenconsoled_exec_t) +init_daemon_domain(xenconsoled_t,xenconsoled_exec_t) role system_r types xenconsoled_t; # pid files @@ -95,7 +99,7 @@ read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t) rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t) -allow xend_t xenctl_t:fifo_file manage_file_perms; +allow xend_t xenctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(xend_t, xenctl_t, fifo_file) manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t) @@ -103,14 +107,14 @@ files_tmp_filetrans(xend_t, xend_tmp_t, { file dir }) # pid file -allow xend_t xend_var_run_t:dir setattr; +manage_dirs_pattern(xend_t,xend_var_run_t,xend_var_run_t) manage_files_pattern(xend_t,xend_var_run_t,xend_var_run_t) manage_sock_files_pattern(xend_t,xend_var_run_t,xend_var_run_t) manage_fifo_files_pattern(xend_t,xend_var_run_t,xend_var_run_t) -files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file fifo_file }) +files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file fifo_file dir }) # log files -allow xend_t xend_var_log_t:dir setattr; +manage_dirs_pattern(xend_t,xend_var_log_t,xend_var_log_t) manage_files_pattern(xend_t,xend_var_log_t,xend_var_log_t) manage_sock_files_pattern(xend_t,xend_var_log_t,xend_var_log_t) logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir }) 
@@ -122,15 +126,13 @@ manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t) files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir }) +init_stream_connect_script(xend_t) + # transition to store -domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t) -allow xenstored_t xend_t:fd use; -allow xenstored_t xend_t:process sigchld; -allow xenstored_t xend_t:fifo_file write; +domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) # transition to console -domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t) -allow xenconsoled_t xend_t:fd use; +domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t) kernel_read_kernel_sysctls(xend_t) kernel_read_system_state(xend_t) @@ -176,6 +178,7 @@ files_manage_etc_runtime_files(xend_t) files_etc_filetrans_etc_runtime(xend_t,file) files_read_usr_files(xend_t) +files_read_default_symlinks(xend_t) storage_raw_read_fixed_disk(xend_t) storage_raw_write_fixed_disk(xend_t) @@ -214,6 +217,10 @@ netutils_domtrans(xend_t) optional_policy(` + brctl_domtrans(xend_t) +') + +optional_policy(` consoletype_exec(xend_t) ') @@ -224,7 +231,7 @@ allow xenconsoled_t self:capability { dac_override fsetid ipc_lock }; allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; -allow xenconsoled_t self:fifo_file { read write }; +allow xenconsoled_t self:fifo_file rw_fifo_file_perms; allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms; @@ -257,7 +264,7 @@ miscfiles_read_localization(xenconsoled_t) -xen_append_log(xenconsoled_t) +xen_manage_log(xenconsoled_t) xen_stream_connect_xenstore(xenconsoled_t) ######################################## @@ -265,7 +272,7 @@ # Xen store local policy # -allow xenstored_t self:capability { dac_override mknod ipc_lock }; +allow xenstored_t self:capability { dac_override mknod ipc_lock sys_resource }; allow xenstored_t self:unix_stream_socket create_stream_socket_perms; allow xenstored_t self:unix_dgram_socket create_socket_perms; 
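Review bot: Replacing `xen_append_log(xenconsoled_t)` with `xen_manage_log(xenconsoled_t)` in the `@@ -257,7 +264,7 @@` hunk moves the console daemon from append-only to create/delete/rename on xend's log files, so a compromised xenconsoled_t could now remove the logs that would record it; the hunk gives no reason. If the need is only to create new console log files, a narrower grant is preferable; otherwise a comment such as `# xenconsoled creates and rotates console logs itself` would document the decision. The `@@ -265,7 +272,7 @@` hunk likewise adds `sys_resource` to xenstored_t's capabilities without a comment.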
@@ -318,12 +325,13 @@ allow xm_t self:capability { dac_override ipc_lock sys_tty_config }; # internal communication is often done using fifo and unix sockets. -allow xm_t self:fifo_file { read write }; +allow xm_t self:fifo_file rw_fifo_file_perms; allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xm_t self:tcp_socket create_stream_socket_perms; manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t) manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t) +manage_sock_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t) files_search_var_lib(xm_t) allow xm_t xen_image_t:dir rw_dir_perms; @@ -336,6 +344,7 @@ kernel_write_xen_state(xm_t) corecmd_exec_bin(xm_t) +corecmd_exec_shell(xm_t) corenet_tcp_sendrecv_generic_if(xm_t) corenet_tcp_sendrecv_all_nodes(xm_t) @@ -351,8 +360,11 @@ storage_raw_read_fixed_disk(xm_t) +fs_getattr_all_fs(xm_t) + term_use_all_terms(xm_t) +init_stream_connect_script(xm_t) init_rw_script_stream_sockets(xm_t) init_use_fds(xm_t) @@ -363,6 +375,19 @@ sysnet_read_config(xm_t) +userdom_dontaudit_search_sysadm_home_dirs(xm_t) + xen_append_log(xm_t) xen_stream_connect(xm_t) xen_stream_connect_xenstore(xm_t) + +#Should have a boolean wrapping these +fs_list_auto_mountpoints(xend_t) +files_search_mnt(xend_t) +fs_getattr_all_fs(xend_t) +fs_read_dos_files(xend_t) + +tunable_policy(`xen_use_nfs',` + fs_manage_nfs_files(xend_t) + fs_read_nfs_symlinks(xend_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.fc serefpolicy-3.2.7/policy/modules/users/auditadm.fc --- nsaserefpolicy/policy/modules/users/auditadm.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/users/auditadm.fc 2008-02-13 16:57:16.000000000 -0500 
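Review bot: The four unconditional xend_t rules added after `xen_stream_connect_xenstore(xm_t)` (`fs_list_auto_mountpoints(xend_t)` through `fs_read_dos_files(xend_t)`) sit in the xm_t part of the file and carry the author's own `#Should have a boolean wrapping these`; the adjacent `tunable_policy(`xen_use_nfs',` shows the intended shape. Moving them into the xend local-policy section and either wrapping them in a tunable or replacing the TODO with a comment stating why they are unconditional would close that loop. The `xen_use_nfs` branch grants `fs_manage_nfs_files` and `fs_read_nfs_symlinks` but no directory access, unlike the nfs branch of `virt_manage_image` in virt.if in this same patch, which also calls `fs_manage_nfs_dirs`; confirm xend can reach image files on NFS without it.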
@@ -0,0 +1 @@
+# No auditadm file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.if serefpolicy-3.2.7/policy/modules/users/auditadm.if
--- nsaserefpolicy/policy/modules/users/auditadm.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/auditadm.if 2008-02-13 16:57:16.000000000 -0500
@@ -0,0 +1 @@
+## Policy for auditadm user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.te serefpolicy-3.2.7/policy/modules/users/auditadm.te
--- nsaserefpolicy/policy/modules/users/auditadm.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/auditadm.te 2008-02-13 16:57:16.000000000 -0500
@@ -0,0 +1,25 @@
+policy_module(auditadm,1.0.1)
+gen_require(`
+ role staff_r;
+')
+
+userdom_unpriv_user_template(auditadm)
+
+userdom_role_change_template(staff, auditadm)
+
+allow auditadm_t self:capability { dac_read_search dac_override };
+seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+domain_kill_all_domains(auditadm_t)
+seutil_read_bin_policy(auditadm_t)
+corecmd_exec_shell(auditadm_t)
+logging_send_syslog_msg(auditadm_t)
+logging_read_generic_logs(auditadm_t)
+logging_manage_audit_log(auditadm_t)
+logging_manage_audit_config(auditadm_t)
+logging_run_auditctl(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
+
+optional_policy(`
+ dmesg_exec(auditadm_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.2.7/policy/modules/users/guest.fc
--- nsaserefpolicy/policy/modules/users/guest.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/guest.fc 2008-02-13 16:57:16.000000000 -0500
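Review bot: These rules were lifted from the `ifdef(`enable_mls',` branch of sysadm.te (removed in this patch) but the new module carries no enable_mls guard, so the auditadm role with `domain_kill_all_domains(auditadm_t)` and `seutil_run_runinit` now exists in every build; if that is intended a header comment should say so, otherwise wrap the body in `ifdef(`enable_mls',` … `')`. The file also lacks the `# Declarations` / `# ... local policy` section banners that logadm.te and webadm.te in this patch use, and the top-level `gen_require(` role staff_r; `')` exists only for `userdom_role_change_template(staff, auditadm)`, which a comment should tie together. The same points apply to users/secadm.te.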
@@ -0,0 +1 @@
+# No guest file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.if serefpolicy-3.2.7/policy/modules/users/guest.if
--- nsaserefpolicy/policy/modules/users/guest.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/guest.if 2008-02-13 16:57:16.000000000 -0500
@@ -0,0 +1 @@
+## Policy for guest user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.2.7/policy/modules/users/guest.te
--- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/guest.te 2008-02-13 16:57:16.000000000 -0500
@@ -0,0 +1,21 @@
+policy_module(guest,1.0.1)
+userdom_restricted_user_template(guest)
+
+optional_policy(`
+ java_per_role_template(guest, guest_t, guest_r)
+')
+
+optional_policy(`
+ mono_per_role_template(guest, guest_t, guest_r)
+')
+
+userdom_restricted_user_template(gadmin)
+
+optional_policy(`
+ gen_require(`
+ type xguest_mozilla_t;
+ ')
+
+ dbus_chat_user_bus(xguest,xguest_mozilla_t)
+ dbus_connectto_user_bus(xguest,xguest_mozilla_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.2.7/policy/modules/users/logadm.fc
--- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/logadm.fc 2008-02-13 16:57:16.000000000 -0500
@@ -0,0 +1 @@
+# No logadm file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.if serefpolicy-3.2.7/policy/modules/users/logadm.if
--- nsaserefpolicy/policy/modules/users/logadm.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/logadm.if 2008-02-13 16:57:16.000000000 -0500
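Review bot: The last `optional_policy` block in guest.te requires `type xguest_mozilla_t` and calls `dbus_chat_user_bus(xguest,xguest_mozilla_t)` and `dbus_connectto_user_bus(xguest,xguest_mozilla_t)`, i.e. it configures the xguest user, whose module is users/xguest.te in this same patch (where `mozilla_per_role_template(xguest, …)` creates that type); it should move there so guest.te does not depend on the xguest module. `userdom_restricted_user_template(gadmin)` also appears here with no comment saying what the gadmin user is or why it lives in the guest module rather than in its own file like every other user in this patch.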
@@ -0,0 +1 @@
+## Policy for logadm user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.te serefpolicy-3.2.7/policy/modules/users/logadm.te
--- nsaserefpolicy/policy/modules/users/logadm.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/logadm.te 2008-02-13 16:57:16.000000000 -0500
@@ -0,0 +1,11 @@
+policy_module(logadm,1.0.0)
+
+########################################
+#
+# logadmin local policy
+#
+userdom_base_user_template(logadm)
+
+allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t })
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/metadata.xml serefpolicy-3.2.7/policy/modules/users/metadata.xml
--- nsaserefpolicy/policy/modules/users/metadata.xml 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/metadata.xml 2008-02-13 16:57:16.000000000 -0500
@@ -0,0 +1 @@
+Policy modules for users
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/secadm.fc serefpolicy-3.2.7/policy/modules/users/secadm.fc
--- nsaserefpolicy/policy/modules/users/secadm.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/secadm.fc 2008-02-13 16:57:16.000000000 -0500
@@ -0,0 +1 @@
+# No secadm file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/secadm.if serefpolicy-3.2.7/policy/modules/users/secadm.if
--- nsaserefpolicy/policy/modules/users/secadm.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/secadm.if 2008-02-13 16:57:16.000000000 -0500
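Review bot: `logadm_t` receives `{ dac_override dac_read_search kill sys_ptrace sys_nice }`, the exact capability set webadm.te in this patch gives webadm_t, which suggests a copied template rather than a per-role decision; `sys_ptrace` in particular is not obviously needed to administer logs and should be dropped or justified in a comment. The section banner reads `# logadmin local policy` while the module is `logadm`; make them agree. Unlike auditadm.te and secadm.te there is no `userdom_role_change_template(staff, logadm)`, so how a user reaches logadm_r is not visible in this file — presumably the base user template handles it — and a comment would save the next reader the search.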
@@ -0,0 +1 @@
+## Policy for secadm user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/secadm.te serefpolicy-3.2.7/policy/modules/users/secadm.te
--- nsaserefpolicy/policy/modules/users/secadm.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/secadm.te 2008-02-13 16:57:16.000000000 -0500
@@ -0,0 +1,39 @@
+policy_module(secadm,1.0.1)
+gen_require(`
+ role staff_r;
+')
+
+userdom_unpriv_user_template(secadm)
+userdom_role_change_template(staff, secadm)
+
+allow secadm_t self:capability { dac_read_search dac_override };
+corecmd_exec_shell(secadm_t)
+domain_obj_id_change_exemption(secadm_t)
+mls_process_read_up(secadm_t)
+mls_file_read_all_levels(secadm_t)
+mls_file_write_all_levels(secadm_t)
+mls_file_upgrade(secadm_t)
+mls_file_downgrade(secadm_t)
+auth_relabel_all_files_except_shadow(secadm_t)
+dev_relabel_all_dev_nodes(secadm_t)
+auth_relabel_shadow(secadm_t)
+init_exec(secadm_t)
+logging_read_audit_log(secadm_t)
+logging_read_generic_logs(secadm_t)
+logging_read_audit_config(secadm_t)
+userdom_dontaudit_append_staff_home_content_files(secadm_t)
+userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+
+userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+
+optional_policy(`
+ aide_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+')
+
+optional_policy(`
+ netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+')
+
+optional_policy(`
+ dmesg_exec(secadm_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.fc serefpolicy-3.2.7/policy/modules/users/staff.fc
--- nsaserefpolicy/policy/modules/users/staff.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/staff.fc 2008-02-13 16:57:16.000000000 -0500
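Review bot: `mls_process_read_up`, `mls_file_read_all_levels`, `mls_file_write_all_levels`, `mls_file_upgrade` and `mls_file_downgrade` are applied to secadm_t unconditionally, whereas the sysadm.te block they came from (hunk `@@ -170,46 +176,7 @@` in this patch) kept them under `ifdef(`enable_mls',`; unless those interfaces are no-ops in non-MLS builds, wrap them, or the whole module body, in that ifdef. The new file does fix the terminal set passed to `userdom_security_admin_template` (`secadm_devpts_t` where the old line had `sysadm_devpts_t`), which deserves a mention in the commit message. A `# Declarations` / `# Local policy` banner pair as in webadm.te would keep the users/ modules consistent.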
@@ -0,0 +1 @@
+# No staff file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.if serefpolicy-3.2.7/policy/modules/users/staff.if
--- nsaserefpolicy/policy/modules/users/staff.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/staff.if 2008-02-13 16:57:16.000000000 -0500
@@ -0,0 +1 @@
+## Policy for staff user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.7/policy/modules/users/staff.te
--- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/staff.te 2008-02-14 15:56:33.000000000 -0500
@@ -0,0 +1,11 @@
+policy_module(staff,1.0.1)
+userdom_admin_login_user_template(staff)
+
+# only staff_r can change to sysadm_r
+userdom_role_change_template(staff, sysadm)
+userdom_dontaudit_use_sysadm_terms(staff_t)
+
+optional_policy(`
+ xserver_domtrans_xdm_xserver(staff_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.fc serefpolicy-3.2.7/policy/modules/users/user.fc
--- nsaserefpolicy/policy/modules/users/user.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/user.fc 2008-02-13 16:57:16.000000000 -0500
@@ -0,0 +1 @@
+# No user file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.if serefpolicy-3.2.7/policy/modules/users/user.if
--- nsaserefpolicy/policy/modules/users/user.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/user.if 2008-02-13 16:57:16.000000000 -0500
@@ -0,0 +1 @@
+## Policy for user user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.te serefpolicy-3.2.7/policy/modules/users/user.te
--- nsaserefpolicy/policy/modules/users/user.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/user.te 2008-02-13 16:57:16.000000000 -0500
@@ -0,0 +1,4 @@
+policy_module(user,1.0.1)
+userdom_unpriv_user_template(user)
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.2.7/policy/modules/users/webadm.fc
--- nsaserefpolicy/policy/modules/users/webadm.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/webadm.fc 2008-02-13 16:57:16.000000000 -0500
@@ -0,0 +1 @@
+# No webadm file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.if serefpolicy-3.2.7/policy/modules/users/webadm.if
--- nsaserefpolicy/policy/modules/users/webadm.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/webadm.if 2008-02-13 16:57:16.000000000 -0500
@@ -0,0 +1 @@
+## Policy for webadm user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.2.7/policy/modules/users/webadm.te
--- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/webadm.te 2008-02-13 16:57:16.000000000 -0500
@@ -0,0 +1,42 @@
+policy_module(webadm,1.0.0)
+
+########################################
+#
+# webadmin local policy
+#
+
+userdom_base_user_template(webadm)
+allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+bool webadm_read_user_files false;
+bool webadm_manage_user_files false;
+
+if (webadm_read_user_files) {
+ userdom_read_unpriv_users_home_content_files(webadm_t)
+ userdom_read_unpriv_users_tmp_files(webadm_t)
+}
+
+if (webadm_manage_user_files) {
+ userdom_manage_unpriv_users_home_content_dirs(webadm_t)
+ userdom_read_unpriv_users_tmp_files(webadm_t)
+ userdom_write_unpriv_users_tmp_files(webadm_t)
+}
+
+files_dontaudit_search_all_dirs(webadm_t)
+files_manage_generic_locks(webadm_t)
+files_list_var(webadm_t)
+selinux_get_enforce_mode(webadm_t)
+seutil_domtrans_setfiles(webadm_t)
+
+logging_send_syslog_msg(webadm_t)
+
+userdom_dontaudit_search_sysadm_home_dirs(webadm_t)
+userdom_dontaudit_search_generic_user_home_dirs(webadm_t)
+
+apache_admin(webadm_t, webadm_r, { webadm_devpts_t webadm_tty_device_t })
+
+gen_require(`
+ type staff_t;
+')
+allow staff_t webadm_t:process transition;
+allow webadm_t staff_t:dir getattr;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.fc serefpolicy-3.2.7/policy/modules/users/xguest.fc
--- nsaserefpolicy/policy/modules/users/xguest.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/xguest.fc 2008-02-13 16:57:16.000000000 -0500
@@ -0,0 +1 @@
+# No xguest file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.if serefpolicy-3.2.7/policy/modules/users/xguest.if
--- nsaserefpolicy/policy/modules/users/xguest.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/xguest.if 2008-02-13 16:57:16.000000000 -0500
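Review bot: `bool webadm_read_user_files false;` / `bool webadm_manage_user_files false;` with raw `if (...) { }` blocks is the one place in this patch that does not use `gen_tunable(...)` plus `tunable_policy(`...',`...')` as xguest.te and virt.te do; switching keeps the booleans documented for the tooling that reads the generated descriptions and keeps the style uniform. The trailing `gen_require(` type staff_t; `')` with `allow staff_t webadm_t:process transition;` hand-codes what `userdom_role_change_template(staff, webadm)` does for auditadm.te and secadm.te in this same patch; the template form is preferable and keeps the role relationship in one idiom. The capability set `{ dac_override dac_read_search kill sys_ptrace sys_nice }` is identical to logadm.te's; `sys_ptrace` for a web administrator should be justified in a comment or dropped.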
@@ -0,0 +1 @@
+## Policy for xguest user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.2.7/policy/modules/users/xguest.te
--- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.7/policy/modules/users/xguest.te 2008-02-13 16:57:16.000000000 -0500
@@ -0,0 +1,66 @@
+policy_module(xguest,1.0.1)
+
+##
+##

+## Allow xguest users to mount removable media
+##

+##
+gen_tunable(xguest_mount_media,false)
+
+##
+##

+## Allow xguest to configure Network Manager
+##

+##
+gen_tunable(xguest_connect_network,false)
+
+##
+##

+## Allow xguest to use blue tooth devices
+##

+##
+gen_tunable(xguest_use_bluetooth,false)
+
+userdom_restricted_xwindows_user_template(xguest)
+
+optional_policy(`
+ mozilla_per_role_template(xguest, xguest_t, xguest_r)
+')
+
+optional_policy(`
+ java_per_role_template(xguest, xguest_t, xguest_r)
+')
+
+optional_policy(`
+ mono_per_role_template(xguest, xguest_t, xguest_r)
+')
+
+# Allow mounting of file systems
+optional_policy(`
+ tunable_policy(`xguest_mount_media',`
+ hal_dbus_chat(xguest_t)
+ init_read_utmp(xguest_t)
+ auth_list_pam_console_data(xguest_t)
+ kernel_read_fs_sysctls(xguest_t)
+ files_dontaudit_getattr_boot_dirs(xguest_t)
+ files_search_mnt(xguest_t)
+ fs_manage_noxattr_fs_files(xguest_t)
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ fs_getattr_noxattr_fs(xguest_t)
+ fs_read_noxattr_fs_symlinks(xguest_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`xguest_connect_network',`
+ networkmanager_dbus_chat(xguest_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`xguest_use_bluetooth',`
+ bluetooth_dbus_chat(xguest_t)
+ ')
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns.spt serefpolicy-3.2.7/policy/support/file_patterns.spt
--- nsaserefpolicy/policy/support/file_patterns.spt 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.2.7/policy/support/file_patterns.spt 2008-02-13 16:57:16.000000000 -0500
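Review bot: `fs_manage_noxattr_fs_dirs(xguest_t)` appears twice in a row inside the `xguest_mount_media` tunable_policy block; the second call is a duplicate and should be deleted. Separately, the three tunable description blocks appear here as bare `##` lines around a single summary sentence; if the description markup was lost only in this rendering that is fine, but if the file really contains only the bare `##` lines the descriptions presumably will not be picked up as tunable documentation and are worth re-checking in the source.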
@@ -537,3 +537,23 @@
 allow $1 $2:dir rw_dir_perms;
 type_transition $1 $2:$4 $3;
 ')
+
+define(`manage_all_pattern',`
+ manage_dirs_pattern($1,$2,$2)
+ manage_files_pattern($1,$2,$2)
+ manage_lnk_files_pattern($1,$2,$2)
+ manage_fifo_files_pattern($1,$2,$2)
+ manage_sock_files_pattern($1,$2,$2)
+
+ relabelto_dirs_pattern($1,$2,$2)
+ relabelto_files_pattern($1,$2,$2)
+ relabelto_lnk_files_pattern($1,$2,$2)
+ relabelto_fifo_files_pattern($1,$2,$2)
+ relabelto_sock_files_pattern($1,$2,$2)
+
+ relabelfrom_dirs_pattern($1,$2,$2)
+ relabelfrom_files_pattern($1,$2,$2)
+ relabelfrom_lnk_files_pattern($1,$2,$2)
+ relabelfrom_fifo_files_pattern($1,$2,$2)
+ relabelfrom_sock_files_pattern($1,$2,$2)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.2.7/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-02-06 10:33:22.000000000 -0500
+++ serefpolicy-3.2.7/policy/support/obj_perm_sets.spt 2008-02-13 16:57:16.000000000 -0500
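Review bot: `manage_all_pattern` covers dir, file, lnk_file, fifo_file and sock_file but not chr_file or blk_file, so the name over-promises: a caller that takes "all" to include device nodes will get less than expected, and one that expects the name to be conservative will get more, since it also grants relabelfrom and relabelto in both directions on the same type. A header comment pinning the scope would prevent both misreadings, e.g. `# manage_all_pattern(domain, type): manage, relabelfrom and relabelto dirs, files, symlinks, fifos and sockets of type; chr/blk device nodes are not covered.` Because the combination of full manage plus two-way relabel is a wide grant, the comment should also say it is intended for administrative interfaces rather than ordinary domains.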
@@ -315,3 +315,13 @@
 #
 define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
 define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
+
+define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control }
+')
+
+define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ')
+define(`all_dbus_perms', `{ acquire_svc send_msg } ')
+define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
+
+define(`manage_key_perms', `{ create link read search setattr view write } ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.2.7/policy/users
--- nsaserefpolicy/policy/users 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.2.7/policy/users 2008-02-13 16:57:16.000000000 -0500
@@ -16,7 +16,7 @@
 # and a user process should never be assigned the system user
 # identity.
 #
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(system_u, user, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # user_u is a generic user identity for Linux users who have no
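Review bot: `all_capabilities` enumerates every capability including `sys_module`, `sys_rawio`, `sys_admin` and `setpcap`, so any domain that is granted this set is unrestricted at the capability layer; a comment above the define stating that it exists for unconfined-style domains only, and that confined domains must list capabilities individually, would make the intended use explicit to the next caller. On style, the `}` of `all_capabilities` is followed by a newline before `')`, and the `_perms` sets below it carry a trailing space inside the closing quote (`} '`), both unlike the `}')` form of the two `client_stream_socket_perms`/`server_stream_socket_perms` context lines; `define(`all_dbus_perms', `{ acquire_svc send_msg }')` is the consistent form.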
@@ -25,13 +25,10 @@
 # SELinux user identity for a Linux user. If you do not want to
 # permit any access to such users, then remove this entry.
 #
-gen_user(user_u, user, user_r, s0, s0)
+gen_user(user_u, user, user_r system_r, s0, s0)
 gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
-# Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
 #
 # The following users correspond to Unix identities.
 # These identities are typically assigned as the user attribute
@@ -39,8 +36,4 @@
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
-ifdef(`direct_sysadm_daemon',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, unconfined, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.2.7/Rules.modular
--- nsaserefpolicy/Rules.modular 2007-12-19 05:32:18.000000000 -0500
+++ serefpolicy-3.2.7/Rules.modular 2008-02-13 16:57:16.000000000 -0500
@@ -73,8 +73,8 @@
 $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
 @echo "Compliling $(NAME) $(@F) module"
 @test -d $(tmpdir) || mkdir -p $(tmpdir)
- $(call perrole-expansion,$(basename $(@F)),$@.role)
- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
+# $(call perrole-expansion,$(basename $(@F)),$@.role)
+ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
 $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
 
 $(tmpdir)/%.mod.fc: $(m4support) %.fc
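Review bot: `gen_user(user_u, user, user_r system_r, s0, s0)` newly authorizes the generic, unprivileged login identity for the `system_r` role, and the comment block directly above it still describes user_u only as the catch-all for users with no specific identity, so nothing records why that role is now needed. Add a line such as `# system_r is required here because <reason>` naming the daemon or transition that must run as user_u:system_r, so the widening can be reviewed and reverted if that dependency goes away. The reason is presumably the system_r-context entries in the default-context files this commit ships, but that is inferred rather than visible in this hunk.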
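Review bot: `#	$(call perrole-expansion,$(basename $(@F)),$@.role)` leaves a commented-out recipe line in place of the removed call, and the same pattern repeats for `create-base-per-role-tmpl` and `parse-rolemap` in the two Rules.modular hunks that follow; a stale command in a recipe reads as "temporarily disabled" and will mislead the next maintainer. If per-role expansion is gone for good, delete the three lines outright; if it is meant to return, replace each with a one-line comment that says why the step is off and what supplies the role mapping now, e.g. `# per-role expansion removed: role policy is now generated elsewhere`. With `$@.role` dropped from the `$(M4)` operands the rule no longer produces or consumes `.role` files, which is consistent, but any other rule that still references them (not visible here) should be checked.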
@@ -129,7 +129,7 @@
 @test -d $(tmpdir) || mkdir -p $(tmpdir)
 # define all available object classes
 $(verbose) $(genperm) $(avs) $(secclass) > $@
- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
+# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
 $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
 
 $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
@@ -147,7 +147,7 @@
 $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
 $(tmpdir)/rolemap.conf: $(rolemap)
 $(verbose) echo "" > $@
- $(call parse-rolemap,base,$@)
+# $(call parse-rolemap,base,$@)
 
 $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
 $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.2.7/Rules.monolithic
--- nsaserefpolicy/Rules.monolithic 2007-11-20 06:55:20.000000000 -0500
+++ serefpolicy-3.2.7/Rules.monolithic 2008-02-13 16:57:16.000000000 -0500
@@ -96,7 +96,7 @@
 #
 # Load the binary policy
 #
-reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
+reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
 @echo "Loading $(NAME) $(loadpath)"
 $(verbose) $(LOADPOLICY) -q $(loadpath)
 @touch $(tmpdir)/load
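Review bot: After `#	$(call parse-rolemap,base,$@)` is commented out, the `$(tmpdir)/rolemap.conf` rule's only remaining command is `echo "" > $@`, so the target is now always a single empty line yet still depends on `$(rolemap)` and is still a prerequisite of `$(tmpdir)/all_te_files.conf` on the context line below; every change to `$(rolemap)` will rebuild an empty file and cascade into all_te_files.conf for nothing. Either drop the `$(rolemap)` prerequisite and the target from the all_te_files.conf list, or add a comment on the rule stating that the file is intentionally kept empty for compatibility, e.g. `# rolemap.conf is intentionally empty; per-role expansion no longer runs in this build`. The same commented-out-recipe concern applies to the `create-base-per-role-tmpl` line in the hunk above; the enclosing rules start outside both hunks.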