diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.13/config/appconfig-mcs/default_contexts
--- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.13/config/appconfig-mcs/default_contexts 2009-05-21 09:48:23.000000000 -0400
@@ -1,15 +1,6 @@
-system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
-system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:crond_t:s0 system_r:system_cronjob_t:s0
+system_r:local_login_t:s0 user_r:user_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
-system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-
-staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-
-sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
-
-user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
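Review bot: The crond_t entry on the first new line maps to `system_r:system_cronjob_t:s0`, but the parallel hunk for appconfig-mls/default_contexts later in this patch maps the same source context to `system_r:system_crond_t:s0`; the two variants should name the same domain, and if only one of those types exists in the built policy the other file's entry is rejected at lookup time and system cron jobs on that variant get no context from this file. Confirm which type name is correct and use it in both files. The rewritten fallbacks also keep only `user_r:user_t:s0` for local_login, remote_login, sshd and xdm and drop every su/sudo line, so any SELinux user without its own file under users/ can now reach only user_r through these programs; if that is intended, a short `#` comment at the top of the file saying that per-user files are expected to carry the staff/sysadm mappings would save the next reader from treating it as a regression.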
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.13/config/appconfig-mcs/failsafe_context
--- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.6.13/config/appconfig-mcs/failsafe_context 2009-05-21 09:48:23.000000000 -0400
@@ -1 +1 @@
-sysadm_r:sysadm_t:s0
+system_r:unconfined_t:s0
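Review bot: Changing failsafe_context to `system_r:unconfined_t:s0` turns the last-resort login context from a confined administrative domain into an unconfined one, so a failed default_contexts lookup now fails open rather than closed; the userhelper_context hunk later in this patch makes the same move. This also creates a hard dependency on the unconfined module being loaded: on a system built without it the failsafe context is invalid and the failsafe path itself fails, which is the opposite of what a failsafe is for. Since this file is consumed as a single context string, document the dependency and the fail-open choice in the package notes or changelog rather than in the file, and check whether the MLS failsafe_context (not touched here) is meant to keep the sysadm_t value.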
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.13/config/appconfig-mcs/root_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.13/config/appconfig-mcs/root_default_contexts 2009-05-21 09:48:23.000000000 -0400
@@ -1,11 +1,7 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-
#
# Uncomment if you want to automatically login as sysadm_r
#
-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
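Review bot: The comment three lines above, `# Uncomment if you want to automatically login as sysadm_r`, is now stale: the sshd_t line it introduces is uncommented and its first candidate is `unconfined_r:unconfined_t:s0`, not sysadm_r, so root logging in over ssh now lands in unconfined_t by default. Either delete the comment or reword it to match, e.g. `# root over ssh gets unconfined_r first; comment this line out to fall back to the per-role defaults`. The crond_t line in the same hunk moves root's cron jobs from the cronjob_t domains into the interactive sysadm/staff/user domains; that matches the other *_default_contexts hunks in this patch but deserves the same one-line explanation.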
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.13/config/appconfig-mcs/seusers
--- nsaserefpolicy/config/appconfig-mcs/seusers 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.6.13/config/appconfig-mcs/seusers 2009-05-21 09:48:23.000000000 -0400
@@ -1,3 +1,3 @@
system_u:system_u:s0-mcs_systemhigh
-root:root:s0-mcs_systemhigh
-__default__:user_u:s0
+root:unconfined_u:s0-mcs_systemhigh
+__default__:unconfined_u:s0-mcs_systemhigh
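Review bot: `__default__:unconfined_u:s0-mcs_systemhigh` maps every Linux user not listed in seusers to an unconfined SELinux user with the full MCS category range, which changes the MCS configuration from confined-by-default to unconfined-by-default; root is widened the same way on the line above. That is a legitimate posture for a targeted-style policy, but nothing in the file says so, and deployments that want confined users must now override this mapping (via semanage login or a per-user seusers entry) rather than opt into unconfined access. If the seusers parser tolerates a leading `#` line, document it there; otherwise record in the package notes that unlisted users are unconfined and how to override it.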
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.13/config/appconfig-mcs/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.13/config/appconfig-mcs/staff_u_default_contexts 2009-05-21 09:48:23.000000000 -0400
@@ -1,10 +1,12 @@
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0 staff_r:cronjob_t:s0
+system_r:crond_t:s0 staff_r:staff_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
+system_r:initrc_su_t:s0 staff_r:staff_t:s0
+staff_r:staff_t:s0 staff_r:staff_t:s0
sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
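Review bot: The crond_t line now sends staff cron jobs into `staff_r:staff_t:s0` instead of the dedicated `staff_r:cronjob_t:s0` domain, so a cron job gets the full permissions of the interactive login domain and loses the separate, tighter cronjob domain; the root, unconfined_u and user_u hunks of this patch make the same change. If the per-role cronjob_t domains are being removed by this policy (the Makefile hunk that disables perrole-expansion suggests so — confirm), a one-line `#` comment in the file saying that is all a reader needs. The added `staff_r:staff_t:s0 staff_r:staff_t:s0` self-entry is likewise uncommented; a note on which lookup needs a context derived from its own context (presumably a same-domain re-exec or runcon-style query — confirm) would help.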
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.13/config/appconfig-mcs/unconfined_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.13/config/appconfig-mcs/unconfined_u_default_contexts 2009-05-21 09:48:23.000000000 -0400
@@ -1,4 +1,4 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0
system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
@@ -6,4 +6,6 @@
system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
+system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0
+unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.13/config/appconfig-mcs/userhelper_context
--- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.6.13/config/appconfig-mcs/userhelper_context 2009-05-21 09:48:23.000000000 -0400
@@ -1 +1 @@
-system_u:sysadm_r:sysadm_t:s0
+system_u:system_r:unconfined_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.13/config/appconfig-mcs/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.13/config/appconfig-mcs/user_u_default_contexts 2009-05-21 09:48:23.000000000 -0400
@@ -1,8 +1,9 @@
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
-system_r:crond_t:s0 user_r:cronjob_t:s0
+system_r:crond_t:s0 user_r:user_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0
-
+system_r:initrc_su_t:s0 user_r:user_t:s0
+user_r:user_t:s0 user_r:user_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.13/config/appconfig-mcs/virtual_domain_context
--- nsaserefpolicy/config/appconfig-mcs/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/config/appconfig-mcs/virtual_domain_context 2009-05-21 09:48:23.000000000 -0400
@@ -0,0 +1 @@
+system_u:system_r:svirt_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.13/config/appconfig-mcs/virtual_image_context
--- nsaserefpolicy/config/appconfig-mcs/virtual_image_context 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/config/appconfig-mcs/virtual_image_context 2009-05-21 09:48:23.000000000 -0400
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.13/config/appconfig-mls/default_contexts
--- nsaserefpolicy/config/appconfig-mls/default_contexts 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.13/config/appconfig-mls/default_contexts 2009-05-21 09:48:23.000000000 -0400
@@ -1,15 +1,6 @@
-system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
-system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:crond_t:s0 system_r:system_crond_t:s0
+system_r:local_login_t:s0 user_r:user_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
-system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-
-staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-
-sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
-
-user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.13/config/appconfig-mls/root_default_contexts
--- nsaserefpolicy/config/appconfig-mls/root_default_contexts 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.13/config/appconfig-mls/root_default_contexts 2009-05-21 09:48:23.000000000 -0400
@@ -1,11 +1,11 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
-system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+system_r:crond_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+staff_r:staff_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+user_r:user_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
#
# Uncomment if you want to automatically login as sysadm_r
#
-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/securetty_types serefpolicy-3.6.13/config/appconfig-mls/securetty_types
--- nsaserefpolicy/config/appconfig-mls/securetty_types 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.6.13/config/appconfig-mls/securetty_types 2009-05-21 09:48:23.000000000 -0400
@@ -1,6 +1 @@
-auditadm_tty_device_t
-secadm_tty_device_t
-staff_tty_device_t
-sysadm_tty_device_t
-unconfined_tty_device_t
user_tty_device_t
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.13/config/appconfig-mls/virtual_domain_context
--- nsaserefpolicy/config/appconfig-mls/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/config/appconfig-mls/virtual_domain_context 2009-05-21 09:48:23.000000000 -0400
@@ -0,0 +1 @@
+system_u:system_r:qemu_t:s0
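Review bot: The MLS variant places virtual domains in `system_u:system_r:qemu_t:s0` and images in `virt_image_t`, while the MCS variant added earlier in this patch uses `svirt_t` and `svirt_image_t`; under MLS guests therefore do not get the sVirt domain, so whatever per-guest separation svirt_t provides (presumably category based — confirm) is absent on MLS systems. If that is because svirt_t is not available in the MLS build, record it in the changelog or package notes, since these context files are read as bare context strings; otherwise the two variants should match.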
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.13/config/appconfig-mls/virtual_image_context
--- nsaserefpolicy/config/appconfig-mls/virtual_image_context 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/config/appconfig-mls/virtual_image_context 2009-05-21 09:48:23.000000000 -0400
@@ -0,0 +1,2 @@
+system_u:object_r:virt_image_t:s0
+system_u:object_r:virt_content_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.13/Makefile
--- nsaserefpolicy/Makefile 2009-01-19 11:07:35.000000000 -0500
+++ serefpolicy-3.6.13/Makefile 2009-05-21 09:48:23.000000000 -0400
@@ -241,7 +241,7 @@
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
@@ -315,20 +315,22 @@
# parse-rolemap modulename,outputfile
define parse-rolemap
- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+ echo "" >> $2
+# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
endef
# perrole-expansion modulename,outputfile
define perrole-expansion
- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
- $(call parse-rolemap,$1,$2)
- $(verbose) echo "')" >> $2
-
- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
- $(call parse-rolemap-compat,$1,$2)
- $(verbose) echo "')" >> $2
+ echo "No longer doing perrole-expansion"
+# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+# $(call parse-rolemap,$1,$2)
+# $(verbose) echo "')" >> $2
+
+# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+# $(call parse-rolemap-compat,$1,$2)
+# $(verbose) echo "')" >> $2
endef
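Review bot: perrole-expansion no longer creates its output file: the original first command wrote `> $2`, and the replacement `echo "No longer doing perrole-expansion"` writes only to stdout, so any rule that later reads or installs `$2` now depends on that file existing from elsewhere (not visible here — confirm). The echo also lacks the `$(verbose)` prefix, so the message is printed on every build. Note too that make still expands `$(call …)` and `$(verbose)` inside recipe lines that are only shell comments, so the "commented out" bodies in both defines are not inert at expansion time; delete them (version control keeps the history) and reduce each define to the single command it now runs, e.g. `$(verbose) echo "" > $2` if an empty output file is what callers of perrole-expansion expect.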
# create-base-per-role-tmpl modulenames,outputfile
@@ -397,7 +399,7 @@
@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
@echo "#" >> $@
$(verbose) cat $@.in >> $@
- $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
+ $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)\(.*\)" $< \
| $(M4) -D self_contained_policy $(M4PARAM) $@.m4 - \
| $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
@@ -527,6 +529,10 @@
@mkdir -p $(appdir)/users
$(verbose) $(INSTALL) -m 644 $^ $@
+$(appdir)/initrc_context: $(tmpdir)/initrc_context
+ @mkdir -p $(appdir)
+ $(verbose) $(INSTALL) -m 644 $< $@
+
$(appdir)/%: $(appconf)/%
@mkdir -p $(appdir)
$(verbose) $(INSTALL) -m 644 $< $@
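Review bot: The new explicit rule makes `$(appdir)/initrc_context` depend on `$(tmpdir)/initrc_context`, overriding the generic `$(appdir)/%: $(appconf)/%` pattern for that one file, but nothing in this hunk produces `$(tmpdir)/initrc_context`; if no other rule in the Makefile generates it (not visible here), the install target fails with a missing-prerequisite error. Add a comment above the rule naming the generating rule and why this file differs from the shipped appconf copy, e.g. `# initrc_context is generated into $(tmpdir) rather than copied verbatim from $(appconf)`.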
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.6.13/man/man8/httpd_selinux.8
--- nsaserefpolicy/man/man8/httpd_selinux.8 2009-03-05 09:22:34.000000000 -0500
+++ serefpolicy-3.6.13/man/man8/httpd_selinux.8 2009-05-21 09:48:23.000000000 -0400
@@ -22,7 +22,7 @@
.EX
httpd_sys_content_t
.EE
-- Set files with httpd_sys_content_t for content which is available from all httpd sys scripts and the daemon.
+- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access.
.EX
httpd_sys_script_exec_t
.EE
@@ -30,11 +30,11 @@
.EX
httpd_sys_content_rw_t
.EE
-- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access.
+- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access.
.EX
httpd_sys_content_ra_t
.EE
-- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access.
+- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access.
.EX
httpd_unconfined_script_exec_t
.EE
@@ -57,8 +57,7 @@
.EE
.SH BOOLEANS
-SELinux policy is customizable based on least access required. So by
-default SElinux prevents certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
+SELinux policy is customizable based on least access required. SElinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
.PP
httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
@@ -67,7 +66,7 @@
.EE
.PP
-httpd by default is not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
+SELinux policy for httpd can be setup to not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
.EX
setsebool -P httpd_enable_homedirs 1
@@ -75,7 +74,7 @@
.EE
.PP
-httpd by default is not allowed access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access.
+SELinux policy for httpd can be setup to not allow access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access.
.EX
setsebool -P httpd_tty_comm 1
@@ -89,7 +88,7 @@
.EE
.PP
-httpd can be configured to turn on sending email. By default http is not allowed to send mail. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean.
+SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean.
.EX
setsebool -P httpd_can_sendmail 1
@@ -102,7 +101,7 @@
.EE
.PP
-httpd scripts by default are not allowed to connect out to the network.
+SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network.
This would prevent a hacker from breaking into you httpd server and attacking
other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/kerberos_selinux.8 serefpolicy-3.6.13/man/man8/kerberos_selinux.8
--- nsaserefpolicy/man/man8/kerberos_selinux.8 2009-03-05 09:22:34.000000000 -0500
+++ serefpolicy-3.6.13/man/man8/kerberos_selinux.8 2009-05-21 09:48:23.000000000 -0400
@@ -12,7 +12,7 @@
.SH "DESCRIPTION"
Security-Enhanced Linux secures the system via flexible mandatory access
-control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.
+control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.
.SH BOOLEANS
.PP
You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nfs_selinux.8 serefpolicy-3.6.13/man/man8/nfs_selinux.8
--- nsaserefpolicy/man/man8/nfs_selinux.8 2009-03-05 09:22:34.000000000 -0500
+++ serefpolicy-3.6.13/man/man8/nfs_selinux.8 2009-05-21 09:48:23.000000000 -0400
@@ -6,7 +6,7 @@
Security Enhanced Linux secures the NFS server via flexible mandatory access
control.
.SH BOOLEANS
-SELinux policy is customizable based on the least level of access required. By default, SELinux policy does not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
+SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
.TP
setsebool -P nfs_export_all_ro 1
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ypbind_selinux.8 serefpolicy-3.6.13/man/man8/ypbind_selinux.8
--- nsaserefpolicy/man/man8/ypbind_selinux.8 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.6.13/man/man8/ypbind_selinux.8 2009-05-21 09:48:23.000000000 -0400
@@ -4,7 +4,7 @@
.SH "DESCRIPTION"
Security-Enhanced Linux secures the system via flexible mandatory access
-control. By default NIS is not allowed, since it requires daemons to be allowed greater access to the network.
+control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network.
.SH BOOLEANS
.TP
You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.13/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.13/policy/global_tunables 2009-05-21 09:48:23.000000000 -0400
@@ -61,15 +61,6 @@
##
##
-## Allow email client to various content.
-## nfs, samba, removable devices, and user temp
-## files
-##
-##
-gen_tunable(mail_read_content,false)
-
-##
-##
## Allow any files/directories to be exported read/write via NFS.
##
##
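Review bot: `gen_tunable(mail_read_content,false)` is removed with no replacement visible; any `tunable_policy(`mail_read_content', …)` block in a module .te that still references it will fail to build, and sites that have set the boolean lose the setting silently on policy update. If the tunable has moved into a module-local gen_tunable (as this patch does for `allow_httpd_mod_auth_pam` in the apache hunks) that is fine, otherwise note the removal in the changelog so administrators know the boolean is gone.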
@@ -111,3 +102,18 @@
##
##
gen_tunable(user_tcp_server,false)
+
+##
##
## Allow Apache to modify public files
@@ -30,10 +32,17 @@
##
##
-## Allow Apache to use mod_auth_pam
+## Allow httpd scripts and modules execmem/execstack
##
##
-gen_tunable(allow_httpd_mod_auth_pam, false)
+gen_tunable(httpd_execmem, false)
+
+##
+##
+## Allow Apache to communicate with avahi service via dbus
+##
+##
+gen_tunable(httpd_dbus_avahi, false)
##
##
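Review bot: The description `## Allow httpd scripts and modules execmem/execstack` does not say what the boolean costs: the tunable_policy at the end of this patch grants `execmem execstack` to both httpd_t and httpd_sys_script_t, which removes the W^X restriction for the web server and every system CGI. Reword it to state that, e.g. `## Allow httpd and system CGI scripts to map memory writable and executable (execmem/execstack); this weakens exploit mitigation and should only be enabled for modules that require it`. Since this hunk reuses the slot of the old `allow_httpd_mod_auth_pam` declaration, which this patch re-declares further down in the .te body, it is worth confirming no other module still expects that tunable in global_tunables.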
@@ -44,6 +53,13 @@
##
##
+## Allow http daemon to send mail
+##
+##
+gen_tunable(httpd_can_sendmail, false)
+
+##
+##
## Allow HTTPD scripts and modules to connect to the network using TCP.
##
##
@@ -108,6 +124,29 @@
##
gen_tunable(httpd_unified, false)
+##
+##
+## Allow httpd to access nfs file systems
+##
+##
+gen_tunable(httpd_use_nfs, false)
+
+##
+##
+## Allow httpd to access cifs file systems
+##
+##
+gen_tunable(httpd_use_cifs, false)
+
+##
+##
+## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t.
+##
+##
+gen_tunable(allow_httpd_sys_script_anon_write, false)
+
+attribute httpd_ro_content;
+attribute httpd_rw_content;
attribute httpdcontent;
attribute httpd_user_content_type;
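Review bot: The descriptions for `httpd_use_nfs` and `httpd_use_cifs` (`Allow httpd to access nfs file systems`) understate what the booleans do: later hunks in this patch make them grant full manage rights on NFS/CIFS dirs, files and symlinks to httpd_t, and combined with httpd_enable_cgi they also let httpd execute scripts directly from those filesystems into httpd_sys_script_t. Reword along the lines of `## Allow httpd to read and write NFS file systems and, with httpd_enable_cgi, run CGI scripts from them`. The new `httpd_rw_content` attribute is declared and assigned to httpd_sys_content_rw_t, but no rule in the visible hunks references it; if it is unused, drop it or comment its intended use.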
@@ -140,6 +179,9 @@
domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
role system_r types httpd_helper_t;
+type httpd_initrc_exec_t;
+init_script_file(httpd_initrc_exec_t)
+
type httpd_lock_t;
files_lock_file(httpd_lock_t)
@@ -180,6 +222,10 @@
# setup the system domain for system CGI scripts
apache_content_template(sys)
+typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable
+typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable
+typeattribute httpd_sys_content_ra_t httpdcontent; # customizable
+
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
@@ -187,15 +233,20 @@
files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
+
ubac_constrained(httpd_user_script_t)
+typeattribute httpd_user_content_t httpdcontent;
+typeattribute httpd_user_content_rw_t httpdcontent;
+typeattribute httpd_user_content_ra_t httpdcontent;
+
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
-userdom_user_home_content(httpd_user_script_ra_t)
-userdom_user_home_content(httpd_user_script_ro_t)
-userdom_user_home_content(httpd_user_script_rw_t)
+userdom_user_home_content(httpd_user_content_ra_t)
+userdom_user_home_content(httpd_user_content_rw_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
@@ -230,7 +281,7 @@
# Apache server local policy
#
-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
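Review bot: `sys_nice` is added to httpd_t's allowed capabilities without a comment saying which feature needs it (a module or MPM calling setpriority/sched_setscheduler, presumably — confirm). A capability grant on a network-facing domain is exactly what a policy reader wants justified inline; add a why-comment such as `# sys_nice: <feature that changes scheduling priority — confirm>` above the allow. Also, sys_tty_config appears in both this allow and the dontaudit on the next line; that pre-dates the patch, but the dontaudit entry is redundant once the permission is allowed.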
@@ -272,6 +323,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
@@ -283,9 +335,9 @@
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
-allow httpd_t httpd_sys_content_t:dir list_dir_perms;
-read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
-read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+allow httpd_t httpd_ro_content:dir list_dir_perms;
+read_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content)
+read_lnk_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content)
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -301,6 +353,7 @@
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
+setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
@@ -312,6 +365,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
+kernel_search_network_sysctl(httpd_t)
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
@@ -322,6 +376,7 @@
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
+corenet_udp_bind_generic_node(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
@@ -335,12 +390,12 @@
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
+fs_list_inotifyfs(httpd_t)
+fs_read_iso9660_files(httpd_t)
auth_use_nsswitch(httpd_t)
-# execute perl
-corecmd_exec_bin(httpd_t)
-corecmd_exec_shell(httpd_t)
+application_exec_all(httpd_t)
domain_use_interactive_fds(httpd_t)
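Review bot: Replacing `corecmd_exec_bin(httpd_t)` and `corecmd_exec_shell(httpd_t)` with `application_exec_all(httpd_t)` widens what httpd_t may execute from the bin and shell types to every type carrying the application executable attribute, and the only rationale that existed, `# execute perl`, is deleted with it. If the intent is that httpd_t may run any installed application in its own domain, say so; otherwise keep the narrower interfaces. At minimum restore a comment, e.g. `# run interpreters and helper applications (perl, shell, ...) in the httpd_t domain`.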
@@ -358,6 +413,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_content_rw_t, { dir file lnk_file sock_file fifo_file })
libs_read_lib_files(httpd_t)
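Review bot: The new `files_tmp_filetrans(httpd_sys_script_t, httpd_sys_content_rw_t, …)` labels objects a system CGI creates in /tmp as httpd_sys_content_rw_t, not as the httpd_tmp_t that the two manage_*_pattern lines immediately above grant; the transition and the permissions therefore describe different files, and the manage rules only matter for objects already labelled httpd_tmp_t (for example ones created by httpd_t). Either transition to httpd_tmp_t or document why a script's /tmp files should carry the rw-content type. The comment also has a typo; suggested wording: `# php uploads a file to /tmp and then execs programs to act on it`.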
@@ -372,18 +431,33 @@
userdom_use_unpriv_users_fds(httpd_t)
-mta_send_mail(httpd_t)
-
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
')
-ifdef(`TODO', `
#
# We need optionals to be able to be within booleans to make this work
#
+##
+##
+## Allow Apache to use mod_auth_pam
+##
+##
+gen_tunable(allow_httpd_mod_auth_pam, false)
+
tunable_policy(`allow_httpd_mod_auth_pam',`
- auth_domtrans_chk_passwd(httpd_t)
+ auth_domtrans_chkpwd(httpd_t)
+')
+
+##
+##
+## Allow Apache to use mod_auth_pam
+##
+##
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+optional_policy(`
+tunable_policy(`allow_httpd_mod_auth_pam',`
+ samba_domtrans_winbind_helper(httpd_t)
')
')
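Review bot: The winbind block is gated by the wrong boolean: `gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)` is declared, but the tunable_policy beneath it tests `allow_httpd_mod_auth_pam`, so the new boolean has no effect and enabling mod_auth_pam silently also grants `samba_domtrans_winbind_helper(httpd_t)`. Change the condition to `tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`` and fix the copied description to `## Allow Apache to use mod_auth_ntlm_winbind`. With the `ifdef(`TODO'` wrapper removed, the comment `# We need optionals to be able to be within booleans to make this work` is also stale, since the block now nests tunable_policy inside optional_policy rather than the reverse.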
@@ -391,20 +465,54 @@
corenet_tcp_connect_all_ports(httpd_t)
')
+tunable_policy(`httpd_can_sendmail',`
+ # allow httpd to connect to mail servers
+ corenet_tcp_connect_smtp_port(httpd_t)
+ corenet_sendrecv_smtp_client_packets(httpd_t)
+ corenet_tcp_connect_pop_port(httpd_t)
+ corenet_sendrecv_pop_client_packets(httpd_t)
+ mta_send_mail(httpd_t)
+ mta_send_mail(httpd_sys_script_t)
+')
+
tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
corenet_tcp_connect_ftp_port(httpd_t)
corenet_tcp_connect_http_port(httpd_t)
corenet_tcp_connect_http_cache_port(httpd_t)
+ corenet_tcp_connect_memcache_port(httpd_t)
corenet_sendrecv_gopher_client_packets(httpd_t)
corenet_sendrecv_ftp_client_packets(httpd_t)
corenet_sendrecv_http_client_packets(httpd_t)
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })
+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
+')
+
+tunable_policy(`allow_httpd_sys_script_anon_write',`
+ miscfiles_manage_public_files(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
+ fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+ fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
- domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+ domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t)
+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })
+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
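Review bot: The `httpd_enable_cgi && httpd_unified` block grants `allow httpd_sys_script_t httpd_sys_content_t:file entrypoint` plus `can_exec`, which makes every file labelled httpd_sys_content_t a valid CGI entrypoint rather than only httpd_sys_script_exec_t; together with the file transition into httpd_sys_content_rw_t this is a substantial widening that the block does not comment. Add a comment above it, e.g. `# unified: any sys content may be executed as a CGI and scripts may create rw content beside it`, and make sure the httpd_unified tunable description (outside this hunk) says the same. The `httpd_enable_cgi && httpd_use_nfs` and `httpd_use_cifs` blocks likewise let httpd_t domain-transition into httpd_sys_script_t from NFS/CIFS-labelled executables and deserve a one-line comment each; the doubled blank line before the builtin_scripting block is a style nit.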
@@ -415,20 +523,28 @@
corenet_tcp_bind_ftp_port(httpd_t)
')
-tunable_policy(`httpd_enable_homedirs',`
- userdom_read_user_home_content_files(httpd_t)
-')
-
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(httpd_t)
fs_read_nfs_symlinks(httpd_t)
')
+tunable_policy(`httpd_use_nfs',`
+ fs_manage_nfs_dirs(httpd_t)
+ fs_manage_nfs_files(httpd_t)
+ fs_manage_nfs_symlinks(httpd_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
')
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
+')
+
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
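Review bot: The new `httpd_use_nfs` and `httpd_use_cifs` tunables at L627-L631 and L637-L641 grant manage rights (create, write, delete) on NFS and CIFS content to httpd_t, but unlike the neighbouring homedir blocks they carry no comment saying what the boolean turns on. A one-line comment above each, such as `# httpd_use_nfs: full read/write/create/delete access to NFS-mounted content, not just reads`, would tell an administrator what they are enabling. The same two booleans are extended to httpd_sys_script_t and httpd_suexec_t in later hunks of this file (L843, L877), so a comment here is the natural place to document them once.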
@@ -451,6 +567,10 @@
')
optional_policy(`
+ cvs_read_data(httpd_t)
+')
+
+optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
')
@@ -459,8 +579,13 @@
')
optional_policy(`
- kerberos_use(httpd_t)
- kerberos_read_kdc_config(httpd_t)
+ dbus_system_bus_client(httpd_t)
+ tunable_policy(`httpd_dbus_avahi',`
+ avahi_dbus_chat(httpd_t)
+ ')
+')
+optional_policy(`
+ kerberos_keytab_template(httpd, httpd_t)
')
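Review bot: The nested httpd_dbus_avahi tunable at L661-L663 calls `avahi_dbus_chat` inside the same `optional_policy` block as `dbus_system_bus_client`, so if the avahi module is not loaded the whole block is dropped and httpd loses its D-Bus client rules as well. Wrapping the avahi call in its own nested `optional_policy` keeps the two dependencies independent, which is how the hal and pulseaudio nestings elsewhere in this diff are written (L1240-L1242, L1494-L1496). Replacing `kerberos_use` with `kerberos_keytab_template(httpd, httpd_t)` at L666 matches the same change made to automount and bind below.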
optional_policy(`
@@ -468,22 +593,18 @@
mailman_domtrans_cgi(httpd_t)
# should have separate types for public and private archives
mailman_search_data(httpd_t)
+ mailman_read_data_files(httpd_t)
mailman_read_archive(httpd_t)
')
optional_policy(`
- # Allow httpd to work with mysql
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-
- tunable_policy(`httpd_can_network_connect_db',`
- mysql_tcp_connect(httpd_t)
- ')
+ mysql_read_config(httpd_t)
')
optional_policy(`
nagios_read_config(httpd_t)
- nagios_domtrans_cgi(httpd_t)
')
optional_policy(`
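Review bot: The removed comment `# Allow httpd to work with mysql` at L677 described rules that remain in the block (L678-L679, L684), so the MySQL `optional_policy` is now the only database block here without a heading while the PostgreSQL block at L704 keeps its own. Restoring the comment keeps the two blocks readable side by side. The `httpd_can_network_connect_db` rules dropped at L681-L683 reappear as corenet port rules in the PHP section later in this file (L748), which deserves a pointer in the commit message since the move is not obvious from this hunk.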
@@ -494,12 +615,23 @@
')
optional_policy(`
+ rpc_search_nfs_state_data(httpd_t)
+')
+
+tunable_policy(`httpd_execmem',`
+ allow httpd_t self:process { execmem execstack };
+ allow httpd_sys_script_t self:process { execmem execstack };
+ allow httpd_suexec_t self:process { execmem execstack };
+')
+
+optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_t)
+ postgresql_tcp_connect(httpd_sys_script_t)
')
')
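Review bot: The new `httpd_execmem` tunable at L697-L701 grants `execmem` and `execstack` to httpd_t, httpd_sys_script_t and httpd_suexec_t, which switches off the executable-memory checks SELinux otherwise enforces for these domains, yet it sits between two unrelated `optional_policy` blocks with no comment. A heading such as `# httpd_execmem: allow executable anonymous memory and executable stacks in httpd, its CGI and suexec domains; weakens memory-protection checks` would document the trade-off, and moving the block next to the other tunables would make it easier to find. The added `postgresql_tcp_connect(httpd_sys_script_t)` at L709 is consistent with the existing httpd_t rule above it.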
@@ -508,6 +640,7 @@
')
optional_policy(`
+ files_dontaudit_rw_usr_dirs(httpd_t)
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
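Review bot: `files_dontaudit_rw_usr_dirs(httpd_t)` at L715 is placed inside the SNMP `optional_policy` block although it is a generic files-layer rule with no dependency on the snmp module; if snmp is not present the dontaudit silently disappears together with the snmp rules. Move it out of the block, next to the other unconditional `files_*` rules for httpd_t.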
@@ -535,6 +668,22 @@
userdom_use_user_terminals(httpd_helper_t)
+tunable_policy(`httpd_tty_comm',`
+ userdom_use_user_terminals(httpd_helper_t)
+')
+
+optional_policy(`
+ type httpd_unconfined_script_t;
+ type httpd_unconfined_script_exec_t;
+ domain_type(httpd_unconfined_script_t)
+ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+ unconfined_domain(httpd_unconfined_script_t)
+
+ role system_r types httpd_unconfined_script_t;
+')
+
+
########################################
#
# Apache PHP script local policy
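Review bot: The `httpd_tty_comm` tunable at L721-L723 has no effect, because the rule it guards, `userdom_use_user_terminals(httpd_helper_t)`, is still granted unconditionally on the context line just above it (L720); either the unconditional line should go or the tunable should. The new `httpd_unconfined_script_t` domain at L725-L734 is a full `unconfined_domain` reachable from httpd_t by a plain file-type transition and is not gated by any boolean, which deserves a comment such as `# scripts labelled httpd_unconfined_script_exec_t run fully unconfined; use only for scripts that cannot be confined` so the escape hatch is visible to whoever labels files. Declaring the types inside `optional_policy` also means they only exist when the unconfined module is loaded, which anything labelling files with them needs to know.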
@@ -564,20 +713,25 @@
fs_search_auto_mountpoints(httpd_php_t)
+auth_use_nsswitch(httpd_php_t)
+
libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
-optional_policy(`
- mysql_stream_connect(httpd_php_t)
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_mysqld_port(httpd_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_t)
+ corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_mysqld_port(httpd_suexec_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
')
-optional_policy(`
- nis_use_ypbind(httpd_php_t)
-')
optional_policy(`
- postgresql_stream_connect(httpd_php_t)
+ mysql_stream_connect(httpd_php_t)
+ mysql_read_config(httpd_php_t)
')
########################################
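Review bot: The rules added at L748-L755 grant MySQL port access to httpd_t, httpd_sys_script_t and httpd_suexec_t, but they are placed under the "Apache PHP script local policy" heading among httpd_php_t rules, so a reader auditing the httpd_t section will not find them. Moving the tunable next to the other `httpd_can_network_connect_db` uses for those domains keeps each domain's policy in its own section. The removed `postgresql_stream_connect(httpd_php_t)` at L760 has no replacement in this hunk; if dropping PostgreSQL socket access for PHP is intended the commit message should say so, while the `nis_use_ypbind` removal at L757 appears to be covered by the new `auth_use_nsswitch(httpd_php_t)` at L742.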
@@ -595,23 +749,24 @@
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
-allow httpd_suexec_t httpd_t:fifo_file getattr;
+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
dev_read_urand(httpd_suexec_t)
+fs_read_iso9660_files(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)
-# for shell scripts
-corecmd_exec_bin(httpd_suexec_t)
-corecmd_exec_shell(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
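Review bot: Replacing `corecmd_exec_bin` and `corecmd_exec_shell` with `application_exec_all(httpd_suexec_t)` at L784 widens what suexec may execute from system binaries and shells to every application executable type, and the explanatory `# for shell scripts` comment was dropped with it. If the wider grant is needed, keep a comment stating why, for example `# suexec runs arbitrary user CGI programs, which may be any application type`; otherwise the two original interfaces plus the new `can_exec(httpd_suexec_t, httpd_sys_script_exec_t)` at L773 may already cover the cases that motivated the change.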
@@ -624,6 +779,7 @@
logging_send_syslog_msg(httpd_suexec_t)
miscfiles_read_localization(httpd_suexec_t)
+miscfiles_read_public_files(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
@@ -641,12 +797,20 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_rw_t)
+read_files_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_ra_t)
+
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpdcontent:file entrypoint;
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
')
-
-tunable_policy(`httpd_enable_homedirs',`
- userdom_read_user_home_content_files(httpd_suexec_t)
+tunable_policy(`httpd_enable_cgi',`
+ domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
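Review bot: `domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)` at L800 grants `httpd_sys_content_t:file entrypoint` unconditionally, while the same entrypoint permission is gated on `httpd_enable_cgi && httpd_unified` both at L802 and in the earlier hunk at L589; the unconditional line makes ordinary content files valid entrypoints for the script domain even when unified mode is off, so it should probably move inside the tunable. Separately, `domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)` at L812 passes the domain type as the second argument, where the pattern expects the entrypoint executable type; by analogy with L730 and L803 this looks like it should be `domtrans_pattern(httpd_suexec_t, httpd_user_script_exec_t, httpd_user_script_t)`.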
@@ -672,15 +836,14 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
-optional_policy(`
- nagios_domtrans_cgi(httpd_suexec_t)
-')
-
########################################
#
# Apache system script local policy
#
+auth_use_nsswitch(httpd_sys_script_t)
+
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -699,12 +862,24 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
+sysnet_read_config(httpd_sys_script_t)
+
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-tunable_policy(`httpd_enable_homedirs',`
- userdom_read_user_home_content_files(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+
+tunable_policy(`httpd_use_nfs',`
+ fs_manage_nfs_dirs(httpd_sys_script_t)
+ fs_manage_nfs_files(httpd_sys_script_t)
+ fs_manage_nfs_symlinks(httpd_sys_script_t)
+ fs_exec_nfs_files(httpd_sys_script_t)
+
+ fs_manage_nfs_dirs(httpd_suexec_t)
+ fs_manage_nfs_files(httpd_suexec_t)
+ fs_manage_nfs_symlinks(httpd_suexec_t)
+ fs_exec_nfs_files(httpd_suexec_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
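Review bot: The `httpd_use_nfs` block at L843-L853 adds `fs_exec_nfs_files` for both httpd_sys_script_t and httpd_suexec_t, which lets CGI code be loaded and run straight from an NFS mount, and the block carries no comment saying so; a line such as `# httpd_use_nfs also permits executing scripts stored on NFS` would make the extra exposure explicit. The httpd_suexec_t rules at L849-L852 sit under the "Apache system script local policy" heading rather than in the suexec section above, which makes a per-domain audit harder. The same boolean also appears at L627 for httpd_t, so the three uses could be consolidated in one place.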
@@ -712,6 +887,35 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+ corenet_tcp_bind_generic_node(httpd_sys_script_t)
+ corenet_udp_bind_generic_node(httpd_sys_script_t)
+ corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
+ corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_tcp_connect_all_ports(httpd_sys_script_t)
+ corenet_sendrecv_all_client_packets(httpd_sys_script_t)
+')
+
+
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_sys_script_t)
+ fs_manage_cifs_files(httpd_sys_script_t)
+ fs_manage_cifs_symlinks(httpd_sys_script_t)
+ fs_manage_cifs_dirs(httpd_suexec_t)
+ fs_manage_cifs_files(httpd_suexec_t)
+ fs_manage_cifs_symlinks(httpd_suexec_t)
+ fs_exec_cifs_files(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
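Review bot: The `httpd_use_cifs` block at L877-L885 grants `fs_exec_cifs_files` to httpd_suexec_t but not to httpd_sys_script_t, whereas the parallel `httpd_use_nfs` block at L843-L853 grants exec to both; if the asymmetry is deliberate a comment should say why, otherwise the blocks should match. The `httpd_enable_cgi && httpd_can_network_connect` block at L858-L874 gives httpd_sys_script_t `corenet_tcp_connect_all_ports` and bind rights on generic nodes, mirroring the httpd_t rules, and would benefit from the same one-line heading the httpd_t block has. There is a stray double blank line at L875-L876.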
@@ -724,6 +928,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t)
+ mysql_stream_connect(httpd_suexec_t)
+ mysql_rw_db_sockets(httpd_suexec_t)
+ mysql_read_config(httpd_suexec_t)
')
optional_policy(`
@@ -735,6 +943,8 @@
# httpd_rotatelogs local policy
#
+allow httpd_rotatelogs_t self:capability dac_override;
+
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
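Review bot: `allow httpd_rotatelogs_t self:capability dac_override;` at L903 is a broad capability that bypasses all discretionary file permission checks for the rotatelogs domain, and the hunk gives no reason for it. A comment such as `# dac_override: log files may be owned by a uid other than the one rotatelogs runs as — TODO confirm` would record the motivation; if only directory traversal or reads are needed, `dac_read_search` is the narrower choice.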
@@ -754,6 +964,12 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t)
')
# allow accessing files/dirs below the users home dir
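Review bot: The new manage rules at L910-L915 for httpd_user_script_t cover dirs and files but not symlinks, while the equivalent unified-mode block for httpd_sys_script_t earlier in this diff (L804-L806) includes `manage_lnk_files_pattern` as well. If symlinks are intentionally excluded here, a short comment would prevent someone "fixing" it later; otherwise add the matching `manage_lnk_files_pattern` lines for the three content types.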
@@ -762,3 +978,67 @@
userdom_search_user_home_dirs(httpd_suexec_t)
userdom_search_user_home_dirs(httpd_user_script_t)
')
+
+#============= bugzilla policy ==============
+apache_content_template(bugzilla)
+
+type httpd_bugzilla_tmp_t;
+files_tmp_file(httpd_bugzilla_tmp_t)
+
+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_generic_node(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
+
+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+mta_send_mail(httpd_bugzilla_script_t)
+
+sysnet_read_config(httpd_bugzilla_script_t)
+sysnet_use_ldap(httpd_bugzilla_script_t)
+
+optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
+ mysql_stream_connect(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
+')
+
+manage_dirs_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
+manage_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
+manage_lnk_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
+
+manage_dirs_pattern(httpd_t,httpdcontent,httpd_rw_content)
+manage_files_pattern(httpd_t,httpdcontent,httpd_rw_content)
+manage_lnk_files_pattern(httpd_t,httpdcontent,httpd_rw_content)
+
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
+typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
+typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;
+typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
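Review bot: The rules at L968-L974 grant httpd_t and httpd_sys_script_t manage rights on `httpd_rw_content` unconditionally, yet they are placed under the `#============= bugzilla policy ==============` heading and use no space after commas, unlike every other pattern call in the file; they belong in the httpd_t and httpd_sys_script_t sections and should be formatted like their neighbours, e.g. `manage_dirs_pattern(httpd_t, httpdcontent, httpd_rw_content)`. The comparable rules at L611-L613 are gated on a tunable, so if these are meant to be always-on a comment stating that would help. In the bugzilla block, `corenet_tcp_connect_http_port` and `corenet_tcp_connect_smtp_port` at L943-L944 have no matching `corenet_sendrecv_*_client_packets` lines, unlike the postgresql and mysqld ports at L945-L946; that may be fine, but the asymmetry looks accidental.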
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.13/policy/modules/services/apm.te
--- nsaserefpolicy/policy/modules/services/apm.te 2009-02-16 08:44:12.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/apm.te 2009-05-21 09:48:23.000000000 -0400
@@ -123,6 +123,7 @@
libs_exec_lib_files(apmd_t)
logging_send_syslog_msg(apmd_t)
+logging_send_audit_msgs(apmd_t)
miscfiles_read_localization(apmd_t)
miscfiles_read_hwdata(apmd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.6.13/policy/modules/services/audioentropy.te
--- nsaserefpolicy/policy/modules/services/audioentropy.te 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/audioentropy.te 2009-05-21 09:48:23.000000000 -0400
@@ -40,6 +40,9 @@
# and sample rate.
dev_write_sound(entropyd_t)
+files_read_etc_files(entropyd_t)
+files_read_usr_files(entropyd_t)
+
fs_getattr_all_fs(entropyd_t)
fs_search_auto_mountpoints(entropyd_t)
@@ -53,6 +56,11 @@
userdom_dontaudit_search_user_home_dirs(entropyd_t)
optional_policy(`
+ alsa_read_lib(entropyd_t)
+ alsa_read_rw_config(entropyd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(entropyd_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.13/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/automount.te 2009-05-21 09:48:23.000000000 -0400
@@ -71,6 +71,7 @@
files_mounton_all_mountpoints(automount_t)
files_mount_all_file_type_fs(automount_t)
files_unmount_all_file_type_fs(automount_t)
+files_manage_non_security_dirs(automount_t)
fs_mount_all_fs(automount_t)
fs_unmount_all_fs(automount_t)
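Review bot: `files_manage_non_security_dirs(automount_t)` at L1023 lets automount create, rename and delete directories of almost every file type on the system, which is far broader than the mount and unmount rules around it. A comment naming the concrete need, for example `# automount creates and removes mount-point directories under arbitrary parents — TODO confirm`, would justify the grant, and if only mount-point directories are involved a narrower interface should be considered.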
@@ -100,6 +101,7 @@
corenet_udp_bind_all_rpc_ports(automount_t)
dev_read_sysfs(automount_t)
+dev_rw_autofs(automount_t)
# for SSP
dev_read_rand(automount_t)
dev_read_urand(automount_t)
@@ -127,6 +129,7 @@
fs_unmount_autofs(automount_t)
fs_mount_autofs(automount_t)
fs_manage_autofs_symlinks(automount_t)
+fs_read_nfs_files(automount_t)
storage_rw_fuse(automount_t)
@@ -142,6 +145,7 @@
# Run mount in the mount_t domain.
mount_domtrans(automount_t)
+mount_signal(automount_t)
userdom_dontaudit_use_unpriv_user_fds(automount_t)
userdom_dontaudit_search_user_home_dirs(automount_t)
@@ -155,7 +159,7 @@
')
optional_policy(`
- kerberos_read_keytab(automount_t)
+ kerberos_keytab_template(automount, automount_t)
kerberos_read_config(automount_t)
kerberos_dontaudit_write_config(automount_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.13/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2009-03-23 13:47:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/avahi.te 2009-05-21 09:48:23.000000000 -0400
@@ -33,6 +33,7 @@
allow avahi_t self:tcp_socket create_stream_socket_perms;
allow avahi_t self:udp_socket create_socket_perms;
+files_search_var_lib(avahi_t)
manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
@@ -93,6 +94,7 @@
dbus_connect_system_bus(avahi_t)
init_dbus_chat_script(avahi_t)
+ dbus_system_domain(avahi_t, avahi_exec_t)
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.6.13/policy/modules/services/bind.fc
--- nsaserefpolicy/policy/modules/services/bind.fc 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/bind.fc 2009-05-21 09:48:23.000000000 -0400
@@ -1,17 +1,22 @@
/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+
/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
ifdef(`distro_debian',`
/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
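Review bot: Labelling `/usr/sbin/unbound` as `named_exec_t` and `/etc/unbound` as `named_conf_t` at L1083 and L1078 runs unbound in the `named_t` domain, so it inherits every BIND permission including rndc and zone-file write access; if that is the intended trade-off, a comment such as `# unbound shares the named_t domain` above the unbound entries would make the decision visible to the next person who tunes the domain. The init script at L1074 is labelled with the existing `named_initrc_exec_t`, consistent with the rest of the file.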
@@ -40,8 +45,12 @@
/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/proc(/.*)? <>
/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
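Review bot: `/var/named/chroot/etc/named\.rfc1912.zones` at L1098 leaves the second dot unescaped, unlike the other new entries on L1097-L1100 and the `rndc\.key` line above; it should read `/var/named/chroot/etc/named\.rfc1912\.zones`. Dropping the catch-all `/var/named/chroot/etc(/.*)?` entry at L1095 means any other file under the chroot's etc falls back to the `/var/named/chroot(/.*)?` entry, which still yields `named_conf_t`, so the narrowing appears harmless for labelling but is worth a line in the commit message.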
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.13/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/bind.if 2009-05-21 09:48:23.000000000 -0400
@@ -38,6 +38,42 @@
########################################
##
+## Send signulls to BIND.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_signull',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process signull;
+')
+
+########################################
+##
+## Send BIND the kill signal
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_kill',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process sigkill;
+')
+
+########################################
+##
## Execute ndc in the ndc domain, and
## allow the specified role the ndc domain.
##
@@ -251,6 +287,25 @@
########################################
##
+## Execute bind server in the bind domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`bind_initrc_domtrans',`
+ gen_require(`
+ type bind_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, bind_initrc_exec_t)
+')
+
+########################################
+##
## All of the rules required to administrate
## an bind environment
##
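Review bot: `bind_initrc_domtrans` at L1162-L1168 requires and transitions through `bind_initrc_exec_t`, but the init script type used everywhere else in this module is `named_initrc_exec_t` (L1183, L1188, and the .fc entries at L1073-L1074); unless `bind_initrc_exec_t` is declared somewhere not shown here, the `gen_require` will fail, and `bind_admin` now calls this interface at L1186. The fix is to require and use `named_initrc_exec_t` in both lines. The summary also says "Execute bind server in the bind domain" while the interface runs the init script, so `Execute BIND init scripts in the init script domain.` would be accurate, and there is a doubled `#` line at L1160-L1161.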
@@ -269,7 +324,7 @@
interface(`bind_admin',`
gen_require(`
type named_t, named_tmp_t, named_log_t;
- type named_conf_t, named_var_run_t;
+ type named_conf_t, named_var_lib_t, named_var_run_t;
type named_cache_t, named_zone_t;
type dnssec_t, ndc_t;
type named_initrc_exec_t;
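Review bot: The `gen_require` at L1180 adds `named_var_lib_t`, and L1194 in the next hunk applies `admin_pattern` to it, but none of the bind.te hunks in this diff declare that type; if it is not declared elsewhere, any module calling `bind_admin` will fail to load on the missing type. Confirm the declaration exists or add `type named_var_lib_t;` with a matching `files_type` call in bind.te.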
@@ -283,6 +338,7 @@
bind_run_ndc($1, $2)
+ bind_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 named_initrc_exec_t system_r;
allow $2 system_r;
@@ -300,6 +356,9 @@
admin_pattern($1, named_zone_t)
admin_pattern($1, dnssec_t)
+ files_list_var_lib($1)
+ admin_pattern($1, named_var_lib_t)
+
files_list_pids($1)
admin_pattern($1, named_var_run_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.6.13/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/bind.te 2009-05-21 09:48:23.000000000 -0400
@@ -123,6 +123,7 @@
corenet_sendrecv_dns_client_packets(named_t)
corenet_sendrecv_rndc_server_packets(named_t)
corenet_sendrecv_rndc_client_packets(named_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(named_t)
corenet_udp_bind_all_unreserved_ports(named_t)
dev_read_sysfs(named_t)
@@ -169,7 +170,7 @@
')
optional_policy(`
- kerberos_use(named_t)
+ kerberos_keytab_template(named, named_t)
')
optional_policy(`
@@ -229,6 +230,7 @@
files_search_pids(ndc_t)
fs_getattr_xattr_fs(ndc_t)
+fs_list_inotifyfs(ndc_t)
init_use_fds(ndc_t)
init_use_script_ptys(ndc_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.6.13/policy/modules/services/bitlbee.te
--- nsaserefpolicy/policy/modules/services/bitlbee.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/bitlbee.te 2009-05-21 09:48:23.000000000 -0400
@@ -75,6 +75,8 @@
# grant read-only access to the user help files
files_read_usr_files(bitlbee_t)
+kernel_read_system_state(bitlbee_t)
+
libs_legacy_use_shared_libs(bitlbee_t)
miscfiles_read_localization(bitlbee_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.13/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-03-23 13:47:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/bluetooth.te 2009-05-21 09:48:23.000000000 -0400
@@ -152,6 +152,10 @@
optional_policy(`
hal_dbus_chat(bluetooth_t)
')
+
+ optional_policy(`
+ pulseaudio_dbus_chat(bluetooth_t)
+ ')
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.6.13/policy/modules/services/clamav.fc
--- nsaserefpolicy/policy/modules/services/clamav.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/clamav.fc 2009-05-21 09:48:23.000000000 -0400
@@ -1,20 +1,23 @@
/etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0)
+/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
/usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
+/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0)
/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
-/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0)
-/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
+/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
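Review bot: The new `/var/run/clamav.*` and `/var/run/clamd.*` entries at L1260-L1261 use an unescaped `.`, so they match any name beginning with `clamav` or `clamd`, which is wider than the `clamav\..*` forms they replace; if a literal dot is intended, write `/var/run/clamav\..*`. `/var/spool/MailScanner(/.*)?` at L1270 is labelled `clamd_var_run_t`, a pid/socket type, although it is a spool directory; if clamd only needs its socket there, a narrower entry for the socket path would avoid giving the run type to the whole spool.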
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.6.13/policy/modules/services/clamav.if
--- nsaserefpolicy/policy/modules/services/clamav.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/clamav.if 2009-05-21 09:48:23.000000000 -0400
@@ -38,6 +38,27 @@
########################################
##
+## Allow the specified domain to append
+## to clamav log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`clamav_append_log',`
+ gen_require(`
+ type clamav_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 clamav_log_t:dir list_dir_perms;
+ append_files_pattern($1, clamav_log_t, clamav_log_t)
+')
+
+########################################
+##
## Read clamav configuration files.
##
##
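Review bot: `clamav_append_log` at L1286-L1294 requires and uses `clamav_log_t`, but the log type declared and used everywhere else in this module is `clamd_var_log_t` (see L1344 and L1375 in the next hunk); unless `clamav_log_t` exists elsewhere, any caller of this interface will fail to load. Change both references to `clamd_var_log_t`.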
@@ -91,3 +112,86 @@
domtrans_pattern($1, clamscan_exec_t, clamscan_t)
')
+
+########################################
+##
+## Execute clamscan without a transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`clamav_exec_clamscan',`
+ gen_require(`
+ type clamscan_exec_t;
+ ')
+
+ can_exec($1, clamscan_exec_t)
+
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an clamav environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the clamav domain.
+##
+##
+##
+#
+interface(`clamav_admin',`
+ gen_require(`
+ type clamd_t, clamd_etc_t, clamd_tmp_t;
+ type clamd_var_log_t, clamd_var_lib_t;
+ type clamd_var_run_t;
+
+ type clamscan_t, clamscan_tmp_t;
+
+ type freshclam_t, freshclam_var_log_t;
+
+ type clamd_initrc_exec_t;
+ ')
+
+ allow $1 clamd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, clamd_t)
+
+ allow $1 clamscan_t:process { ptrace signal_perms };
+ ps_process_pattern($1, clamscan_t)
+
+ allow $1 freshclam_t:process { ptrace signal_perms };
+ ps_process_pattern($1, freshclam_t)
+
+ init_labeled_script_domtrans($1, clamd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 clamd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, clamd_tmp_t)
+
+ files_list_etc($1)
+ admin_pattern($1, clamd_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, clamd_var_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, clamd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, clamd_var_run_t)
+
+ admin_pattern($1, clamscan_tmp_t)
+
+ admin_pattern($1, freshclam_var_log_t)
+')
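Review bot: `clamav_exec_clamscan` at L1315-L1322 has a stray blank line before the closing `')`, and the `clamav_admin` summary at L1327 reads "an clamav environment"; `a clamav environment` is the correct article. The admin interface grants `ptrace` on all three daemon domains, which follows the refpolicy admin-interface convention, but the summary could say that the role gains the ability to inspect the daemons' memory so the grant is not a surprise.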
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.13/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/clamav.te 2009-05-21 09:48:23.000000000 -0400
@@ -13,7 +13,10 @@
# configuration files
type clamd_etc_t;
-files_type(clamd_etc_t)
+files_config_file(clamd_etc_t)
+
+type clamd_initrc_exec_t;
+init_script_file(clamd_initrc_exec_t)
# tmp files
type clamd_tmp_t;
@@ -55,7 +58,7 @@
allow clamd_t self:capability { kill setgid setuid dac_override };
allow clamd_t self:fifo_file rw_fifo_file_perms;
-allow clamd_t self:unix_stream_socket create_stream_socket_perms;
+allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow clamd_t self:unix_dgram_socket create_socket_perms;
allow clamd_t self:tcp_socket { listen accept };
@@ -87,6 +90,9 @@
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
kernel_read_kernel_sysctls(clamd_t)
+kernel_read_system_state(clamd_t)
+
+corecmd_exec_shell(clamd_t)
corenet_all_recvfrom_unlabeled(clamd_t)
corenet_all_recvfrom_netlabel(clamd_t)
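Review bot: `corecmd_exec_shell(clamd_t)` at L1413 lets the scanning daemon spawn a shell, which is a notable expansion for a network-facing service, and the hunk gives no reason; a comment such as `# clamd runs a configured external command on detection — TODO confirm` would record the motivation so a later reviewer neither removes it nor widens it further.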
@@ -97,6 +103,8 @@
corenet_tcp_bind_generic_node(clamd_t)
corenet_tcp_bind_clamd_port(clamd_t)
corenet_sendrecv_clamd_server_packets(clamd_t)
+corenet_tcp_bind_generic_port(clamd_t)
+corenet_tcp_connect_generic_port(clamd_t)
dev_read_rand(clamd_t)
dev_read_urand(clamd_t)
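Review bot: `corenet_tcp_bind_generic_port` and `corenet_tcp_connect_generic_port` at L1420-L1421 allow clamd to listen on and connect to any unassigned port, beyond the dedicated `clamd_port` it already binds at L1418; if this is for a specific deployment (for example a milter on a non-standard port), a comment naming it, or a dedicated port type, would keep the grant reviewable.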
@@ -117,6 +125,9 @@
cron_use_system_job_fds(clamd_t)
cron_rw_pipes(clamd_t)
+mta_read_config(clamd_t)
+mta_send_mail(clamd_t)
+
optional_policy(`
amavis_read_lib_files(clamd_t)
amavis_read_spool_files(clamd_t)
@@ -124,6 +135,10 @@
amavis_create_pid_files(clamd_t)
')
+optional_policy(`
+ exim_read_spool_files(clamd_t)
+')
+
########################################
#
# Freshclam local policy
@@ -191,7 +206,7 @@
allow clamscan_t self:fifo_file rw_file_perms;
allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
allow clamscan_t self:unix_dgram_socket create_socket_perms;
-allow clamscan_t self:tcp_socket { listen accept };
+allow clamscan_t self:tcp_socket create_stream_socket_perms;
# configuration files
allow clamscan_t clamd_etc_t:dir list_dir_perms;
@@ -207,6 +222,14 @@
manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
+corenet_all_recvfrom_unlabeled(clamscan_t)
+corenet_all_recvfrom_netlabel(clamscan_t)
+corenet_tcp_sendrecv_generic_if(clamscan_t)
+corenet_tcp_sendrecv_generic_node(clamscan_t)
+corenet_tcp_sendrecv_all_ports(clamscan_t)
+corenet_tcp_sendrecv_clamd_port(clamscan_t)
+corenet_tcp_connect_clamd_port(clamscan_t)
+
kernel_read_kernel_sysctls(clamscan_t)
files_read_etc_files(clamscan_t)
@@ -221,6 +244,8 @@
clamav_stream_connect(clamscan_t)
+mta_send_mail(clamscan_t)
+
optional_policy(`
apache_read_sys_content(clamscan_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.13/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-05-21 08:43:08.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/consolekit.te 2009-05-21 09:48:23.000000000 -0400
@@ -61,12 +61,17 @@
init_telinit(consolekit_t)
init_rw_utmp(consolekit_t)
+init_chat(consolekit_t)
logging_send_syslog_msg(consolekit_t)
+logging_send_audit_msgs(consolekit_t)
miscfiles_read_localization(consolekit_t)
+# consolekit needs to be able to ptrace all logged in users
+userdom_ptrace_all_users(consolekit_t)
userdom_dontaudit_read_user_home_content_files(consolekit_t)
+userdom_read_user_tmp_files(consolekit_t)
hal_ptrace(consolekit_t)
@@ -81,9 +86,12 @@
')
optional_policy(`
- dbus_system_bus_client(consolekit_t)
+ cron_read_system_job_lib_files(consolekit_t)
+')
optional_policy(`
+ dbus_system_domain(consolekit_t, consolekit_exec_t)
+ optional_policy(`
hal_dbus_chat(consolekit_t)
')
@@ -97,11 +105,23 @@
')
optional_policy(`
+ polkit_domtrans_auth(consolekit_t)
+ polkit_read_lib(consolekit_t)
+ polkit_read_reload(consolekit_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
- xserver_stream_connect(consolekit_t)
+ xserver_common_app(consolekit_t)
+ xserver_ptrace_xdm(consolekit_t)
+ xserver_common_app(consolekit_t)
+ corenet_tcp_connect_xserver_port(consolekit_t)
')
optional_policy(`
#reading .Xauthity
+ unconfined_ptrace(consolekit_t)
unconfined_stream_connect(consolekit_t)
')
+
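Review bot: `xserver_common_app(consolekit_t)` is added twice in the same optional_policy block (once above `xserver_ptrace_xdm`, once below); one of the two lines should be dropped. Further down, `unconfined_ptrace(consolekit_t)` is placed directly under the pre-existing `#reading .Xauthity` comment, which describes the stream connect, not a ptrace grant on unconfined processes; that grant deserves its own justification, e.g. `# consolekit inspects /proc of unconfined session processes, which the kernel gates on ptrace`, or should be narrowed to a state-read interface if that is all that is denied.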
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.13/policy/modules/services/courier.if
--- nsaserefpolicy/policy/modules/services/courier.if 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/courier.if 2009-05-21 09:48:23.000000000 -0400
@@ -179,6 +179,24 @@
########################################
##
+## Read courier spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`courier_read_spool',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ read_files_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+##
## Read and write to courier spool pipes.
##
##
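Review bot: `courier_read_spool` grants `read_files_pattern($1, courier_spool_t, courier_spool_t)` but nothing lets the caller reach /var/spool, so unless the caller already has search on the generic spool directory the read is denied at the parent. Add `files_search_spool($1)` before the pattern, matching how other read interfaces in this patch pair the pattern with a search call (for example `logging_search_logs($1)` in `cups_append_log`).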
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.13/policy/modules/services/courier.te
--- nsaserefpolicy/policy/modules/services/courier.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/courier.te 2009-05-21 09:48:23.000000000 -0400
@@ -10,6 +10,7 @@
type courier_etc_t;
files_config_file(courier_etc_t)
+mta_system_content(courier_etc_t)
courier_domain_template(pcp)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.13/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/cron.fc 2009-05-21 09:48:23.000000000 -0400
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
@@ -17,9 +18,9 @@
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/at/[^/]* -- <>
+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
@@ -41,7 +42,12 @@
#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/fcron/[^/]* <>
+/var/spool/fcron/.* <>
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.13/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/cron.if 2009-05-26 08:39:51.000000000 -0400
@@ -12,6 +12,10 @@
##
#
template(`cron_common_crontab_template',`
+ gen_require(`
+ type crond_t, crond_var_run_t;
+ ')
+
##############################
#
# Declarations
@@ -31,16 +35,21 @@
# dac_override is to create the file in the directory under /tmp
allow $1_t self:capability { fowner setuid setgid chown dac_override };
- allow $1_t self:process signal_perms;
+ allow $1_t self:process { setsched signal_perms };
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+
+ allow $1_t crond_t:process signal;
+ allow $1_t crond_var_run_t:file read_file_perms;
allow $1_t $1_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_t,$1_tmp_t,file)
# create files in /var/spool/cron
# cjp: change this to a role transition
+ manage_files_pattern($1_t, user_cron_spool_t, user_cron_spool_t)
manage_files_pattern($1_t, cron_spool_t, user_cron_spool_t)
filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file)
- files_search_spool($1_t)
+ files_list_spool($1_t)
# crontab signals crond by updating the mtime on the spooldir
allow $1_t cron_spool_t:dir setattr;
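Review bot: `allow $1_t crond_t:process signal;` contradicts the pre-existing comment two lines below, which says crontab signals crond by touching the spool directory mtime, so either that comment is stale or the rule is unneeded. The `signal` permission is not limited to SIGHUP: it covers every signal other than kill/stop/chld/null, and since crontab is setuid root DAC will not stop a user's crontab_t from sending SIGTERM to the daemon; if a real signal path exists now, name it in a comment and consider a dontaudit instead. `manage_files_pattern($1_t, user_cron_spool_t, user_cron_spool_t)` also broadens the template now that the cron.fc hunk labels `/var/spool/at(/.*)?` as user_cron_spool_t, so every user's crontab domain gets SELinux manage rights over the at spool with only DAC separating users' jobs.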
@@ -55,9 +64,16 @@
domain_use_interactive_fds($1_t)
files_read_etc_files($1_t)
+ files_read_usr_files($1_t)
files_dontaudit_search_pids($1_t)
logging_send_syslog_msg($1_t)
+ logging_send_audit_msgs($1_t)
+ logging_set_loginuid($1_t)
+ auth_domtrans_chk_passwd($1_t)
+
+ init_dontaudit_write_utmp($1_t)
+ init_read_utmp($1_t)
miscfiles_read_localization($1_t)
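Review bot: `logging_set_loginuid($1_t)` lets the per-user crontab domain set its own audit loginuid, a right normally reserved for login-type domains that run pam_loginuid; crontab is a user-invoked setuid tool and, as far as this hunk shows, only needs `auth_domtrans_chk_passwd` for the account check. If the denial comes from a PAM stack that includes pam_loginuid, a comment should say so; otherwise a dontaudit of the loginuid write (if the logging module provides one) is the safer choice. The template body continues outside this hunk.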
@@ -147,27 +163,14 @@
#
interface(`cron_unconfined_role',`
gen_require(`
- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
+ type unconfined_cronjob_t;
')
- role $1 types { unconfined_cronjob_t crontab_t };
+ role $1 types unconfined_cronjob_t;
# cronjob shows up in user ps
ps_process_pattern($2, unconfined_cronjob_t)
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, crontab_exec_t, crontab_t)
-
- # crontab shows up in user ps
- ps_process_pattern($2, crontab_t)
- allow $2 crontab_t:process signal;
-
- # Run helper programs as the user domain
- #corecmd_bin_domtrans(crontab_t, $2)
- #corecmd_shell_domtrans(crontab_t, $2)
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
-
optional_policy(`
gen_require(`
class dbus send_msg;
@@ -261,10 +264,12 @@
allow $1 system_cronjob_t:fifo_file rw_file_perms;
allow $1 system_cronjob_t:process sigchld;
+ domain_auto_trans(crond_t, $2, $1)
allow $1 crond_t:fifo_file rw_file_perms;
allow $1 crond_t:fd use;
allow $1 crond_t:process sigchld;
+ userdom_dontaudit_list_admin_dir($1)
role system_r types $1;
')
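Review bot: `domain_auto_trans(crond_t, $2, $1)` uses the legacy transition macro while the new code elsewhere in this patch uses `domtrans_pattern` (e.g. `domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)` in cron.te); for consistency write `domtrans_pattern(crond_t, $2, $1)`. The fd/fifo/sigchld rules that domtrans_pattern would add are already spelled out on the following lines, so the swap should not change the resulting policy. The enclosing interface starts outside this hunk.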
@@ -343,6 +348,24 @@
########################################
##
+## Allow read/write unix stream sockets from the system cron jobs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_rw_system_stream_sockets',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+ allow $1 system_cronjob_t:unix_stream_socket { read write };
+')
+
+########################################
+##
## Read and write a cron daemon unnamed pipe.
##
##
@@ -361,7 +384,7 @@
########################################
##
-## Read, and write cron daemon TCP sockets.
+## Dontaudit Read, and write cron daemon TCP sockets.
##
##
##
@@ -369,7 +392,7 @@
##
##
#
-interface(`cron_rw_tcp_sockets',`
+interface(`cron_dontaudit_rw_tcp_sockets',`
gen_require(`
type crond_t;
')
@@ -416,6 +439,42 @@
########################################
##
+## Execute cron in the cron system domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_domtrans',`
+ gen_require(`
+ type system_cronjob_t, crond_exec_t;
+ ')
+
+ domtrans_pattern($1,crond_exec_t,system_cronjob_t)
+')
+
+########################################
+##
+## Execute crond_exec_t
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_exec',`
+ gen_require(`
+ type crond_exec_t;
+ ')
+
+ can_exec($1,crond_exec_t)
+')
+
+########################################
+##
## Inherit and use a file descriptor
## from system cron jobs.
##
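Review bot: `cron_domtrans` is documented as "Execute cron in the cron system domain" but its body is `domtrans_pattern($1,crond_exec_t,system_cronjob_t)`, i.e. running the crond binary lands the caller in the system cron job domain rather than `crond_t`; a caller reading the name will expect the daemon domain, and system_cronjob_t is made unconfined later in this patch when the unconfined module is loaded. Either the target should be `crond_t` or the summary should state the actual effect, e.g. `## Execute the cron daemon binary, transitioning to the system cron job domain.` The argument list should also use the file's `($1, crond_exec_t, system_cronjob_t)` spacing, and `cron_exec` deserves a summary that says what it is for rather than repeating the type name.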
@@ -481,11 +540,14 @@
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
- type system_cronjob_tmp_t;
+ type system_cronjob_tmp_t, cron_var_run_t;
')
files_search_tmp($1)
allow $1 system_cronjob_tmp_t:file read_file_perms;
+
+ files_search_pids($1)
+ allow $1 cron_var_run_t:file read_file_perms;
')
########################################
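Review bot: `cron_read_system_job_tmp_files` now also grants `files_search_pids($1)` and read of `cron_var_run_t` files, so every existing caller silently gains access to cron's /var/run files that the interface name does not advertise. A separate interface, e.g. `cron_read_pid_files($1)`, keeps the old contract and lets callers opt in; the new require line and the two added rules would move there unchanged.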
@@ -506,3 +568,101 @@
dontaudit $1 system_cronjob_tmp_t:file append;
')
+
+
+########################################
+##
+## Do not audit attempts to write temporary
+## files from the system cron jobs.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`cron_dontaudit_write_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ type cron_var_run_t;
+ type system_cronjob_var_run_t;
+ ')
+
+ dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+ dontaudit $1 cron_var_run_t:file write_file_perms;
+ ')
+
+########################################
+##
+## Read temporary files from the system cron jobs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_read_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+
+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+########################################
+##
+## Manage files from the system cron jobs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_manage_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+########################################
+##
+## Manage pid files used by cron
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_manage_pid_files',`
+ gen_require(`
+ type crond_var_run_t;
+ ')
+
+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+')
+
+########################################
+##
+## Execute crond server in the nscd domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`cron_initrc_domtrans',`
+ gen_require(`
+ type crond_initrc_exec_t;
+')
+
+ init_labeled_script_domtrans($1, crond_initrc_exec_t)
+')
+
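Review bot: two of the new interface summaries are copy-paste leftovers: `cron_read_system_job_lib_files` is headed "Read temporary files from the system cron jobs" and `cron_initrc_domtrans` is headed "Execute crond server in the nscd domain"; they should read `## Read /var/lib files of the system cron jobs.` and `## Execute the crond init script in the initrc domain.` respectively. `cron_dontaudit_write_system_job_tmp_files` requires `system_cronjob_var_run_t` but never uses it, and its dontaudit on `cron_var_run_t` goes beyond what its name says. `cron_read_system_job_lib_files` and `cron_manage_system_job_lib_files` also lack `files_search_var_lib($1)`, so a caller without search on /var/lib is still denied at the parent directory.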
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.13/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/cron.te 2009-05-21 09:48:24.000000000 -0400
@@ -38,6 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
+# var/lib files
+type cron_var_run_t;
+files_type(cron_var_run_t)
+
# var/log files
type cron_log_t;
logging_log_file(cron_log_t)
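Review bot: `cron_var_run_t` is declared with `files_type` under a comment that says `# var/lib files`, yet it is used for /var/run content (`files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)` later in this patch) and the sibling `system_cronjob_var_run_t` is declared with `files_pid_file`. Declare it as `files_pid_file(cron_var_run_t)` so it carries the pid-file attribute the generic /var/run interfaces key on, and fix the comment to `# var/run files`.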
@@ -56,8 +60,13 @@
domain_interactive_fd(crond_t)
domain_cron_exemption_source(crond_t)
+type crond_initrc_exec_t;
+init_script_file(crond_initrc_exec_t)
+
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
+files_poly_parent(crond_tmp_t)
+mta_system_content(crond_tmp_t)
type crond_var_run_t;
files_pid_file(crond_var_run_t)
@@ -74,6 +83,7 @@
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+allow admin_crontab_t crond_t:process signal;
type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t)
@@ -82,6 +92,7 @@
init_daemon_domain(system_cronjob_t, anacron_exec_t)
corecmd_shell_entry_type(system_cronjob_t)
role system_r types system_cronjob_t;
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
@@ -98,11 +109,18 @@
# Type of user crontabs once moved to cron spool.
type user_cron_spool_t, cron_spool_type;
-typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t };
+typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
files_type(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
+type system_cronjob_var_lib_t;
+files_type(system_cronjob_var_lib_t)
+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
+
+type system_cronjob_var_run_t;
+files_pid_file(system_cronjob_var_run_t)
+
########################################
#
# Admin crontab local policy
@@ -130,7 +148,7 @@
# Cron daemon local policy
#
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
@@ -146,20 +164,23 @@
allow crond_t self:msg { send receive };
allow crond_t self:key { search write link };
-allow crond_t crond_var_run_t:file manage_file_perms;
+manage_files_pattern(crond_t, cron_log_t, cron_log_t)
+logging_log_filetrans(crond_t, cron_log_t, file)
+
+manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
files_pid_filetrans(crond_t,crond_var_run_t,file)
-allow crond_t cron_spool_t:dir rw_dir_perms;
-allow crond_t cron_spool_t:file read_file_perms;
+manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
-allow crond_t system_cron_spool_t:dir list_dir_perms;
-allow crond_t system_cron_spool_t:file read_file_perms;
+list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
kernel_read_kernel_sysctls(crond_t)
+kernel_read_fs_sysctls(crond_t)
kernel_search_key(crond_t)
dev_read_sysfs(crond_t)
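Review bot: `manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)` replaces what was read-only file access (`read_file_perms`) with create/write/unlink on the cron spool, while the existing `tunable_policy(fcron_crond, ...)` block below exists precisely to gate spool write access behind a boolean. Unless crond itself now writes into /var/spool/cron, keep `list_dirs_pattern` plus `read_files_pattern(crond_t, cron_spool_t, cron_spool_t)` and leave writes to the tunable; if it does write, a comment naming the file would justify the widening.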
@@ -174,6 +195,7 @@
fs_getattr_all_fs(crond_t)
fs_search_auto_mountpoints(crond_t)
+fs_list_inotifyfs(crond_t)
# need auth_chkpwd to check for locked accounts.
auth_domtrans_chk_passwd(crond_t)
@@ -183,7 +205,11 @@
corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
+domain_subj_id_change_exemption(crond_t)
+domain_role_change_exemption(crond_t)
+files_read_usr_files(crond_t)
+files_read_etc_runtime_files(crond_t)
files_read_etc_files(crond_t)
files_read_generic_spool(crond_t)
files_list_usr(crond_t)
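Review bot: `domain_subj_id_change_exemption(crond_t)` and `domain_role_change_exemption(crond_t)` exempt the daemon from the user- and role-change constraints, a notable relaxation that the hunk adds without a comment. The reason is visible nearby (crond computes job contexts via `seutil_read_default_contexts` and uses `setexec` to run jobs as other users and roles), so a why-comment such as `# crond setexec's into the job owner's user and role` should accompany the pair.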
@@ -192,10 +218,15 @@
files_search_default(crond_t)
init_rw_utmp(crond_t)
+init_spec_domtrans_script(crond_t)
auth_use_nsswitch(crond_t)
+logging_send_audit_msgs(crond_t)
logging_send_syslog_msg(crond_t)
+logging_set_loginuid(crond_t)
+
+rpc_search_nfs_state_data(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
@@ -208,6 +239,7 @@
userdom_list_user_home_dirs(crond_t)
mta_send_mail(crond_t)
+mta_system_content(cron_spool_t)
ifdef(`distro_debian',`
# pam_limits is used
@@ -227,21 +259,45 @@
')
')
+tunable_policy(`allow_polyinstantiation',`
+ files_polyinstantiate_all(crond_t)
+')
+
+optional_policy(`
+ apache_search_sys_content(crond_t)
+')
+
optional_policy(`
locallogin_search_keys(crond_t)
locallogin_link_keys(crond_t)
')
+optional_policy(`
+ # these should probably be unconfined_crond_t
+ dbus_system_bus_client(crond_t)
+ init_dbus_send_script(crond_t)
+')
+
+optional_policy(`
+ mono_domtrans(crond_t)
+')
+
tunable_policy(`fcron_crond', `
allow crond_t system_cron_spool_t:file manage_file_perms;
')
optional_policy(`
+ amanda_search_var_lib(crond_t)
+')
+
+optional_policy(`
amavis_search_lib(crond_t)
')
optional_policy(`
- hal_dbus_send(crond_t)
+ hal_dbus_chat(crond_t)
+ hal_write_log(crond_t)
+ hal_dbus_chat(system_cronjob_t)
')
optional_policy(`
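Review bot: `mono_domtrans(crond_t)` gives the daemon itself a transition into the mono domain, but crond is not supposed to execute job binaries directly; jobs run in system_cronjob_t or the per-user cronjob domains, and a later hunk already adds `mono_domtrans(system_cronjob_t)` for that path. If this came from a denial, it suggests a job is being run without the cronjob transition, which is the thing to fix; otherwise drop the crond_t line or comment why the daemon execs mono. `hal_dbus_chat(system_cronjob_t)` is also placed in the crond_t section rather than with the other system_cronjob_t rules.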
@@ -268,8 +324,8 @@
# System cron process domain
#
-allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
-allow system_cronjob_t self:process { signal_perms setsched };
+allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
@@ -283,7 +339,14 @@
allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
+allow system_cronjob_t cron_var_run_t:file manage_file_perms;
+files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
+
allow system_cronjob_t system_cron_spool_t:file read_file_perms;
+
+# anacron forces the following
+allow system_cronjob_t system_cron_spool_t:file { write setattr };
+
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
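Review bot: `allow system_cronjob_t system_cron_spool_t:file { write setattr };` lets every system cron job (all /etc/cron.* scripts share system_cronjob_t, and anacron itself runs as that domain per `init_daemon_domain(system_cronjob_t, anacron_exec_t)`) modify /etc/crontab and /etc/cron.d, which is a persistence channel for any compromised job. The cause is visible in the cron.fc hunk, which labels `/var/spool/anacron(/.*)?` as system_cron_spool_t, the same type as the system crontabs; a dedicated type for anacron's timestamp directory (as `system_cronjob_var_lib_t` is for /var/lib) would let system_cron_spool_t stay read-only for jobs. If the write must stay, the comment should say what is written, e.g. `# anacron updates its timestamp files under /var/spool/anacron`.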
@@ -303,6 +366,7 @@
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
+allow crond_t system_cronjob_t:key manage_key_perms;
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
@@ -314,9 +378,13 @@
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+# var/lib files for system_crond
+files_search_var_lib(system_cronjob_t)
+manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+
# Read from /var/spool/cron.
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
-allow system_cronjob_t cron_spool_t:file read_file_perms;
+allow system_cronjob_t cron_spool_t:file rw_file_perms;
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
@@ -345,6 +413,7 @@
fs_getattr_all_symlinks(system_cronjob_t)
fs_getattr_all_pipes(system_cronjob_t)
fs_getattr_all_sockets(system_cronjob_t)
+fs_list_inotifyfs(system_cronjob_t)
# quiet other ps operations
domain_dontaudit_read_all_domains_state(system_cronjob_t)
@@ -370,7 +439,8 @@
init_read_utmp(system_cronjob_t)
init_dontaudit_rw_utmp(system_cronjob_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
-init_write_initctl(system_cronjob_t)
+init_telinit(system_cronjob_t)
+init_spec_domtrans_script(system_cronjob_t)
auth_use_nsswitch(system_cronjob_t)
@@ -378,6 +448,7 @@
libs_exec_ld_so(system_cronjob_t)
logging_read_generic_logs(system_cronjob_t)
+logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
miscfiles_read_localization(system_cronjob_t)
@@ -418,6 +489,10 @@
')
optional_policy(`
+ dbus_system_bus_client(system_cronjob_t)
+')
+
+optional_policy(`
ftp_read_log(system_cronjob_t)
')
@@ -428,11 +503,20 @@
')
optional_policy(`
+ lpd_list_spool(system_cronjob_t)
+')
+
+optional_policy(`
+ mono_domtrans(system_cronjob_t)
+')
+
+optional_policy(`
mrtg_append_create_logs(system_cronjob_t)
')
optional_policy(`
mta_send_mail(system_cronjob_t)
+ mta_system_content(system_cron_spool_t)
')
optional_policy(`
@@ -447,6 +531,7 @@
prelink_read_cache(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_delete_cache(system_cronjob_t)
+ prelink_manage_var_lib(system_cronjob_t)
')
optional_policy(`
@@ -460,8 +545,7 @@
')
optional_policy(`
- # cjp: why?
- squid_domtrans(system_cronjob_t)
+ spamassassin_manage_lib_files(system_cronjob_t)
')
optional_policy(`
@@ -469,24 +553,17 @@
')
optional_policy(`
+ unconfined_dbus_send(crond_t)
+ unconfined_shell_domtrans(crond_t)
+ unconfined_domain(crond_t)
unconfined_domain(system_cronjob_t)
- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
-')
-
-ifdef(`TODO',`
-ifdef(`mta.te', `
-allow system_cronjob_t mail_spool_t:lnk_file read;
-allow mta_user_agent system_cronjob_t:fd use;
-r_dir_file(system_mail_t, crond_tmp_t)
')
-') dnl end TODO
########################################
#
# User cronjobs local policy
#
-allow cronjob_t self:capability dac_override;
allow cronjob_t self:process { signal_perms setsched };
allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
@@ -570,6 +647,9 @@
userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+
tunable_policy(`fcron_crond', `
allow crond_t user_cron_spool_t:file manage_file_perms;
')
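Review bot: `unconfined_domain(crond_t)` turns the daemon into an unconfined domain whenever the unconfined module is present, which makes every crond_t rule above moot on such systems and removes the separation between the daemon and the jobs it spawns; `unconfined_shell_domtrans(crond_t)` adds a second path into unconfined_t. If this is needed for some job type, it belongs behind a boolean (the file already uses `tunable_policy` for `fcron_crond` and `allow_polyinstantiation`) with a comment naming the case, rather than unconditionally in the optional block. The new `list_dirs_pattern`/`read_files_pattern` rules for `user_cron_spool_t` are crond_t rules placed in the "User cronjobs local policy" section and would read better next to the other crond_t spool rules.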
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.13/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/cups.fc 2009-05-21 09:48:24.000000000 -0400
@@ -5,27 +5,38 @@
/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
+
+/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
+# keep as separate lines to ensure proper sorting
+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
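Review bot: dropping the generic `/usr/lib(64)?/cups/backend/.*` and `/usr/lib(64)?/cups/daemon/.*` cupsd_exec_t entries leaves every backend and daemon helper other than hp.*, cups-lpd and cups-pdf with whatever the parent directory's default label is, so `can_exec(cupsd_t, cupsd_exec_t)` in cups.te no longer covers them; if they are meant to run under `corecmd_exec_bin` that should be stated, otherwise the generic lines should stay. `/usr/share/hplip/.*\.py` as hplip_exec_t also makes every Python module in that tree an entrypoint for hplip_t (reachable from cupsd_config_t via the new domtrans), where the previous line named only hpssd.py; narrowing to the actual daemon scripts would keep the entry surface small.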
@@ -33,7 +44,7 @@
/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/share/hplip/hpssd\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -43,10 +54,19 @@
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.6.13/policy/modules/services/cups.if
--- nsaserefpolicy/policy/modules/services/cups.if 2008-11-11 16:13:47.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/cups.if 2009-05-21 09:48:24.000000000 -0400
@@ -20,6 +20,30 @@
########################################
##
+## Setup cups to transtion to the cups backend domain
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`cups_backend',`
+ gen_require(`
+ type cupsd_t;
+ ')
+
+ domtrans_pattern(cupsd_t, $2, $1)
+
+ allow cupsd_t $1:process signal;
+ allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms;
+
+ cups_read_config($1)
+ cups_append_log($1)
+')
+
+########################################
+##
## Connect to cupsd over an unix domain stream socket.
##
##
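Review bot: `cups_backend` takes two arguments (the backend domain in `$1` and its entrypoint type in `$2`, per `domtrans_pattern(cupsd_t, $2, $1)`) but the header documents only one, and the summary misspells "transition". Document both, e.g. `## Domain the backend process runs in.` for the first and `## Entrypoint file type of the backend executable.` for the second. The interface also lets `$1` use cupsd's inherited stream socket and append its log, which callers in other modules should know they are granting.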
@@ -212,6 +236,25 @@
########################################
##
+## Append cups log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cups_append_log',`
+ gen_require(`
+ type cupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, cupsd_log_t, cupsd_log_t)
+')
+
+########################################
+##
## Write cups log files.
##
##
@@ -247,3 +290,66 @@
files_search_pids($1)
stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t)
')
+
+########################################
+##
+## All of the rules required to administrate
+## an cups environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the cups domain.
+##
+##
+##
+#
+interface(`cups_admin',`
+ gen_require(`
+ type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
+ type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
+ type cupsd_var_run_t, ptal_etc_t;
+ type ptal_var_run_t, hplip_var_run_t;
+ type cupsd_initrc_exec_t;
+ ')
+
+ allow $1 cupsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cupsd_t)
+
+ init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cupsd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, cupsd_tmp_t)
+
+ admin_pattern($1, cupsd_lpd_tmp_t)
+
+ files_list_etc($1)
+ admin_pattern($1, cupsd_etc_t)
+
+ admin_pattern($1, ptal_etc_t)
+
+ files_list_spool($1)
+ admin_pattern($1, cupsd_spool_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, cupsd_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, cupsd_var_run_t)
+
+ admin_pattern($1, ptal_var_run_t)
+
+ admin_pattern($1, cupsd_config_var_run_t)
+
+ admin_pattern($1, cupsd_lpd_var_run_t)
+
+ admin_pattern($1, hplip_var_run_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.13/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/cups.te 2009-05-21 09:48:24.000000000 -0400
@@ -20,9 +20,18 @@
type cupsd_etc_t;
files_config_file(cupsd_etc_t)
+type cupsd_initrc_exec_t;
+init_script_file(cupsd_initrc_exec_t)
+
+type cupsd_interface_t;
+files_type(cupsd_interface_t)
+
type cupsd_rw_etc_t;
files_config_file(cupsd_rw_etc_t)
+type cupsd_lock_t;
+files_lock_file(cupsd_lock_t)
+
type cupsd_log_t;
logging_log_file(cupsd_log_t)
@@ -48,6 +57,10 @@
type hplip_t;
type hplip_exec_t;
init_daemon_domain(hplip_t, hplip_exec_t)
+# For CUPS to run as a backend
+cups_backend(hplip_t, hplip_exec_t)
+domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
type hplip_etc_t;
files_config_file(hplip_etc_t)
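Review bot: `cups_backend(hplip_t, hplip_exec_t)`, `domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)` and `read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)` are access rules dropped into the declarations section, and the last one references `hplip_etc_t` one line before `type hplip_etc_t;` declares it; this presumably builds because the policy compiler resolves types before processing rules, but the file's convention is to keep rules in the per-domain policy sections. Moving the three lines to the hplip local policy block (and the cupsd_config_t one to its own section) keeps the declarations readable and avoids relying on that ordering.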
@@ -55,6 +68,9 @@
type hplip_var_run_t;
files_pid_file(hplip_var_run_t)
+type hplip_tmp_t;
+files_tmp_file(hplip_tmp_t)
+
type ptal_t;
type ptal_exec_t;
init_daemon_domain(ptal_t, ptal_exec_t)
@@ -65,6 +81,16 @@
type ptal_var_run_t;
files_pid_file(ptal_var_run_t)
+type cups_pdf_t;
+type cups_pdf_exec_t;
+domain_type(cups_pdf_t)
+domain_entry_file(cups_pdf_t, cups_pdf_exec_t)
+cups_backend(cups_pdf_t, cups_pdf_exec_t)
+role system_r types cups_pdf_t;
+
+type cups_pdf_tmp_t;
+files_tmp_file(cups_pdf_tmp_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
')
@@ -79,13 +105,14 @@
#
# /usr/lib/cups/backend/serial needs sys_admin(?!)
-allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
+allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
-allow cupsd_t self:process { setsched signal_perms };
-allow cupsd_t self:fifo_file rw_file_perms;
+allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
+allow cupsd_t self:fifo_file rw_fifo_file_perms;
allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow cupsd_t self:unix_dgram_socket create_socket_perms;
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+allow cupsd_t self:shm create_shm_perms;
allow cupsd_t self:tcp_socket create_stream_socket_perms;
allow cupsd_t self:udp_socket create_socket_perms;
allow cupsd_t self:appletalk_socket create_socket_perms;
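Review bot: `sys_rawio` is added to cupsd_t's capability set with no comment, unlike the existing `# /usr/lib/cups/backend/serial needs sys_admin(?!)` note above it; raw I/O is a kernel-bypass capability and a reviewer cannot tell from the hunk which backend or device access needs it. Record the cause, e.g. `# sys_rawio: <backend> issues raw ioctls on <device>`, and consider confining that backend in its own domain via the new `cups_backend` interface so the daemon itself does not carry it. The rewritten line also still lists `dac_override` twice, which could be cleaned up while touching it.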
@@ -97,6 +124,9 @@
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
files_search_etc(cupsd_t)
+manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
+can_exec(cupsd_t, cupsd_interface_t)
+
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
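Review bot: `manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)` together with `can_exec(cupsd_t, cupsd_interface_t)` gives the same domain write and execute on /etc/cups/interfaces, so a compromised cupsd can drop an executable there and run it under cupsd_t; the dedicated type then adds nothing over plain writable config. If cupsd must both install interface scripts (lpadmin -i) and run them, add a comment explaining the write-plus-exec need; if the scripts are installed by the administrator, drop the manage rule and keep only `read_files_pattern` plus `can_exec`.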
@@ -104,8 +134,11 @@
# allow cups to execute its backend scripts
can_exec(cupsd_t, cupsd_exec_t)
-allow cupsd_t cupsd_exec_t:dir search;
-allow cupsd_t cupsd_exec_t:lnk_file read;
+allow cupsd_t cupsd_exec_t:dir search_dir_perms;
+allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
+
+allow cupsd_t cupsd_lock_t:file manage_file_perms;
+files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
allow cupsd_t cupsd_log_t:dir setattr;
@@ -116,13 +149,20 @@
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
+# This whole section needs to be moved to a smbspool policy
+# smbspool seems to be iterating through all existing tmp files.
+# Looking for kerberos files
+files_getattr_all_tmp_files(cupsd_t)
+userdom_read_user_tmp_files(cupsd_t)
+files_dontaudit_getattr_all_tmp_sockets(cupsd_t)
+
allow cupsd_t cupsd_var_run_t:dir setattr;
manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+manage_fifo_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
files_pid_filetrans(cupsd_t, cupsd_var_run_t, file)
-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
-
+allow cupsd_t hplip_t:process {signal sigkill };
allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
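Review bot: `userdom_read_user_tmp_files(cupsd_t)` lets the print daemon read every user's /tmp files, which the new comment itself attributes to smbspool searching for Kerberos caches and says belongs in a separate smbspool policy; this patch introduces exactly the mechanism for that, `cups_backend`, so the grant could be scoped to an smbspool backend domain instead of cupsd_t. If it must stay on cupsd_t for now, a `# TODO(smbspool): drop once smbspool has its own backend domain` marker would keep it from becoming permanent. Minor: `allow cupsd_t hplip_t:process {signal sigkill };` has uneven brace spacing compared with the rest of the file.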
@@ -149,44 +189,49 @@
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
+corenet_tcp_connect_smbd_port(cupsd_t)
corenet_sendrecv_hplip_client_packets(cupsd_t)
corenet_sendrecv_ipp_client_packets(cupsd_t)
corenet_sendrecv_ipp_server_packets(cupsd_t)
+corenet_tcp_bind_all_rpc_ports(cupsd_t)
dev_rw_printer(cupsd_t)
dev_read_urand(cupsd_t)
dev_read_sysfs(cupsd_t)
-dev_read_usbfs(cupsd_t)
+dev_rw_input_dev(cupsd_t) #447878
+dev_rw_generic_usb_dev(cupsd_t)
+dev_rw_usbfs(cupsd_t)
dev_getattr_printer_dev(cupsd_t)
domain_read_all_domains_state(cupsd_t)
fs_getattr_all_fs(cupsd_t)
fs_search_auto_mountpoints(cupsd_t)
+fs_read_anon_inodefs_files(cupsd_t)
+mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
mls_file_write_all_levels(cupsd_t)
mls_file_read_all_levels(cupsd_t)
+mls_rangetrans_target(cupsd_t)
mls_socket_write_all_levels(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
term_search_ptys(cupsd_t)
-auth_domtrans_chk_passwd(cupsd_t)
-auth_dontaudit_read_pam_pid(cupsd_t)
-
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
corecmd_exec_shell(cupsd_t)
corecmd_exec_bin(cupsd_t)
domain_use_interactive_fds(cupsd_t)
+files_list_spool(cupsd_t)
files_read_etc_files(cupsd_t)
files_read_etc_runtime_files(cupsd_t)
# read python modules
files_read_usr_files(cupsd_t)
# for /var/lib/defoma
-files_search_var_lib(cupsd_t)
+files_read_var_lib_files(cupsd_t)
files_list_world_readable(cupsd_t)
files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
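Review bot: `dev_rw_input_dev(cupsd_t)` (L2488) lets the print daemon read and write input event devices, which if these are the /dev/input nodes means a compromised cupsd can capture keystrokes; the only justification is a bug number. Please add a comment naming the driver and device that needs it, e.g. `# bz447878: <driver> opens /dev/input/... to talk to the printer`, and check whether `dev_rw_generic_usb_dev`/`dev_rw_usbfs` added right below already cover the device so the input rule can go. `corenet_tcp_bind_all_rpc_ports(cupsd_t)` is likewise undocumented and broader than a single port bind.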
@@ -195,19 +240,21 @@
files_read_var_symlinks(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
-# smbspool seems to be iterating through all existing tmp files.
-# redhat bug #214953
-# cjp: this might be a broken behavior
-files_dontaudit_getattr_all_tmp_files(cupsd_t)
selinux_compute_access_vector(cupsd_t)
+selinux_validate_context(cupsd_t)
init_exec_script_files(cupsd_t)
+init_read_utmp(cupsd_t)
+auth_domtrans_chk_passwd(cupsd_t)
+auth_dontaudit_read_pam_pid(cupsd_t)
+auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
libs_read_lib_files(cupsd_t)
+libs_exec_lib_files(cupsd_t)
logging_send_audit_msgs(cupsd_t)
logging_send_syslog_msg(cupsd_t)
@@ -215,19 +262,24 @@
miscfiles_read_localization(cupsd_t)
# invoking ghostscript needs to read fonts
miscfiles_read_fonts(cupsd_t)
+miscfiles_setattr_fonts(cupsd_t)
seutil_read_config(cupsd_t)
+sysnet_exec_ifconfig(cupsd_t)
-sysnet_read_config(cupsd_t)
-
+files_dontaudit_list_home(cupsd_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_user_home_content(cupsd_t)
# Write to /var/spool/cups.
lpd_manage_spool(cupsd_t)
+lpd_read_config(cupsd_t)
+lpd_exec_lpr(cupsd_t)
+lpd_relabel_spool(cupsd_t)
ifdef(`enable_mls',`
- lpd_relabel_spool(cupsd_t)
+ mls_trusted_object(cupsd_var_run_t)
+ init_ranged_daemon_domain(cupsd_t, cupsd_exec_t,mls_systemhigh)
')
optional_policy(`
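Review bot: `sysnet_exec_ifconfig(cupsd_t)` lets cupsd run ifconfig in its own domain with no comment on why a print daemon needs it; a one-liner such as `# cupsd runs ifconfig to enumerate local interfaces` (if that is the reason) keeps it from being removed as noise later. At the same time `sysnet_read_config(cupsd_t)` is dropped with nothing replacing it; if `auth_use_nsswitch` in this tree does not already pull in resolv.conf access, cupsd loses name resolution. `lpd_relabel_spool(cupsd_t)` also moves out of the `enable_mls` block, so spool relabeling is now granted on every build — worth confirming that is intended.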
@@ -244,8 +296,16 @@
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
+ avahi_dbus_chat(cupsd_t)
+ ')
+
+ optional_policy(`
hal_dbus_chat(cupsd_t)
')
+
+ optional_policy(`
+ unconfined_dbus_chat(cupsd_t)
+ ')
')
optional_policy(`
@@ -261,6 +321,10 @@
')
optional_policy(`
+ mta_send_mail(cupsd_t)
+')
+
+optional_policy(`
# cups execs smbtool which reads samba_etc_t files
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
@@ -279,7 +343,7 @@
# Cups configuration daemon local policy
#
-allow cupsd_config_t self:capability { chown sys_tty_config };
+allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
dontaudit cupsd_config_t self:capability sys_tty_config;
allow cupsd_config_t self:process signal_perms;
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
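Review bot: Adding `dac_override` to cupsd_config_t is broader than most denials call for: if the triggering AVC was a read or search of a root-owned file or directory, `dac_read_search` is sufficient and does not let the daemon write past DAC. Worth checking the audit record; if write really is needed, a comment naming the file would let the next reviewer keep it.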
@@ -302,8 +366,10 @@
allow cupsd_config_t cupsd_log_t:file rw_file_perms;
-allow cupsd_config_t cupsd_tmp_t:file manage_file_perms;
-files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
+manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -311,7 +377,7 @@
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
kernel_read_system_state(cupsd_config_t)
-kernel_read_kernel_sysctls(cupsd_config_t)
+kernel_read_all_sysctls(cupsd_config_t)
corenet_all_recvfrom_unlabeled(cupsd_config_t)
corenet_all_recvfrom_netlabel(cupsd_config_t)
@@ -324,6 +390,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
+dev_rw_generic_usb_dev(cupsd_config_t)
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
@@ -341,13 +408,14 @@
files_read_var_symlinks(cupsd_config_t)
# Alternatives asks for this
-init_getattr_script_files(cupsd_config_t)
+init_getattr_all_script_files(cupsd_config_t)
auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
miscfiles_read_localization(cupsd_config_t)
+miscfiles_read_hwdata(cupsd_config_t)
seutil_dontaudit_search_config(cupsd_config_t)
@@ -359,14 +427,16 @@
lpd_read_config(cupsd_config_t)
ifdef(`distro_redhat',`
- init_getattr_script_files(cupsd_config_t)
-
optional_policy(`
rpm_read_db(cupsd_config_t)
')
')
optional_policy(`
+ term_use_generic_ptys(cupsd_config_t)
+')
+
+optional_policy(`
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
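Review bot: `term_use_generic_ptys(cupsd_config_t)` is wrapped in `optional_policy` (L2641-2643), but in refpolicy the terminal module sits in the kernel layer and is always present, so the wrapper adds nothing and implies a dependency that does not exist; call it unconditionally. Purely a style point — the rest of the hunk just moves `init_getattr_script_files` out of the distro_redhat block.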
@@ -382,6 +452,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
+ hal_dontaudit_use_fds(hplip_t)
')
optional_policy(`
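Review bot: `hal_dontaudit_use_fds(hplip_t)` is added inside the cupsd_config_t hal block, so a rule for the hplip_t domain now lives in the cups configuration daemon's section where nobody looking at hplip_t will find it. Move it to the hplip local policy in its own `optional_policy(` hal_dontaudit_use_fds(hplip_t) ')`.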
@@ -491,7 +562,10 @@
allow hplip_t self:udp_socket create_socket_perms;
allow hplip_t self:rawip_socket create_socket_perms;
-allow hplip_t cupsd_etc_t:dir search;
+allow hplip_t cupsd_etc_t:dir search_dir_perms;
+manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir })
cups_stream_connect(hplip_t)
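Review bot: hplip_t gets full manage of cupsd_tmp_t plus a tmp filetrans to it, which makes every temp file cupsd creates writable by hplip and lets hplip create files cupsd will treat as its own. If hplip only needs to pick up files cupsd hands it, read/rw access on cupsd_tmp_t is enough, and hplip's own temp files can use hplip_tmp_t, which this patch already uses for fifos further down (assuming that type is declared elsewhere in the patch).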
@@ -500,6 +574,13 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
+fs_rw_anon_inodefs_files(hplip_t)
+
+read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+
+manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
+files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
+
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
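Review bot: `read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)` (L2669) is a cupsd_t rule dropped into the hplip local policy section; it was removed from the cupsd_t section in an earlier hunk and re-added here. Keep each domain's rules in its own section (or express it through an hplip interface called from the cupsd_t block) so the cupsd_t rule set can be read in one place. `hplip_tmp_t` is used here without a visible declaration; presumably it is added in the declarations section.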
@@ -529,7 +610,8 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
-dev_read_usbfs(hplip_t)
+dev_rw_usbfs(hplip_t)
+
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
@@ -553,7 +635,9 @@
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
-lpd_read_config(cupsd_t)
+
+lpd_read_config(hplip_t)
+lpd_manage_spool(hplip_t)
optional_policy(`
dbus_system_bus_client(hplip_t)
@@ -635,3 +719,49 @@
optional_policy(`
udev_read_db(ptal_t)
')
+
+########################################
+#
+# cups_pdf local policy
+#
+
+allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override };
+
+allow cups_pdf_t self:fifo_file rw_file_perms;
+allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(cups_pdf_t)
+files_read_usr_files(cups_pdf_t)
+
+kernel_read_system_state(cups_pdf_t)
+
+auth_use_nsswitch(cups_pdf_t)
+
+corecmd_exec_shell(cups_pdf_t)
+corecmd_exec_bin(cups_pdf_t)
+
+miscfiles_read_localization(cups_pdf_t)
+
+manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
+manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
+files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
+
+userdom_home_filetrans_user_home_dir(cups_pdf_t)
+userdom_manage_user_home_content_dirs(cups_pdf_t)
+userdom_manage_user_home_content_files(cups_pdf_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(cups_pdf_t)
+ fs_manage_nfs_files(cups_pdf_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(cups_pdf_t)
+ fs_manage_cifs_files(cups_pdf_t)
+')
+
+lpd_manage_spool(cups_pdf_t)
+
+manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
+miscfiles_read_fonts(cups_pdf_t)
+
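Review bot: cups_pdf_t gets `userdom_manage_user_home_content_files`/`_dirs` and `userdom_home_filetrans_user_home_dir` together with `dac_override`, `setuid` and `setgid`, so a print job that subverts cups-pdf (which consumes attacker-supplied PostScript) can write any user-home-content file of any user — dotfiles included — rather than only its PDF output directory. A dedicated output type with a named-directory transition would bound that; failing that, a comment should state why whole-home manage is required. `allow cups_pdf_t self:fifo_file rw_file_perms;` should be `rw_fifo_file_perms` to match the rest of the file, and the cups_pdf_t/cups_pdf_tmp_t declarations are not in this hunk, so presumably live in the declarations section.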
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.13/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2009-03-23 13:47:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/cvs.te 2009-05-21 09:48:24.000000000 -0400
@@ -112,4 +112,5 @@
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.6.13/policy/modules/services/dbus.fc
--- nsaserefpolicy/policy/modules/services/dbus.fc 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/dbus.fc 2009-05-21 09:48:24.000000000 -0400
@@ -4,6 +4,9 @@
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+
/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
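Review bot: Labeling `dbus-daemon-launch-helper` as dbusd_exec_t gives the helper the same type as the daemon binary, so every domain that can execute or transition on dbusd_exec_t can run the helper too; upstream installs this helper setuid root (to be confirmed for this build), which argues for a dedicated exec type reachable only from system_dbusd_t. As a style point the two entries collapse into one: `/lib(64)?/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)`.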
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.13/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/dbus.if 2009-05-21 09:48:24.000000000 -0400
@@ -44,6 +44,7 @@
attribute session_bus_type;
type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+ type $1_t;
')
##############################
@@ -76,7 +77,7 @@
allow $3 $1_dbusd_t:unix_stream_socket connectto;
# SE-DBus specific permissions
- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
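Review bot: `dbusd_unconfined` is used in the allow at L2777, but the template's gen_require (the hunk at L2767-2771 appears to belong to the same template) lists only `session_bus_type` and the dbusd types, so when the template is expanded in another module the attribute is an undeclared identifier and that module fails to build. Add `attribute dbusd_unconfined;` to that gen_require, as the `dbus_system_bus_client` hunk does at L2842. The enclosing template starts before this hunk.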
@@ -91,7 +92,7 @@
allow $3 $1_dbusd_t:process { sigkill signal };
# cjp: this seems very broken
- corecmd_bin_domtrans($1_dbusd_t, $3)
+ corecmd_bin_domtrans($1_dbusd_t, $1_t)
allow $1_dbusd_t $3:process sigkill;
allow $3 $1_dbusd_t:fd use;
allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
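Review bot: Pointing the activation transition at `$1_t` (L2784) means any client of a session bus that can trigger service activation gets an arbitrary bin_t program run in the full user domain, and the `# cjp: this seems very broken` comment still sits above the new line without saying what changed or why. Replace it with one that states the intent and the limit, e.g. `# activated session services run in the user's domain ($1_t), not the caller's`; if only specific executables are meant, a narrower exec type than bin_t would bound it. The enclosing template starts before this hunk.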
@@ -117,6 +118,7 @@
dev_read_urand($1_dbusd_t)
domain_use_interactive_fds($1_dbusd_t)
+ domain_read_all_domains_state($1_dbusd_t)
files_read_etc_files($1_dbusd_t)
files_list_home($1_dbusd_t)
@@ -145,7 +147,10 @@
seutil_read_config($1_dbusd_t)
seutil_read_default_contexts($1_dbusd_t)
+ term_use_all_terms($1_dbusd_t)
+
userdom_read_user_home_content_files($1_dbusd_t)
+ userdom_dontaudit_search_admin_dir($1_dbusd_t)
ifdef(`hide_broken_symptoms', `
dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
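Review bot: `term_use_all_terms($1_dbusd_t)` lets every per-user session bus read and write every tty and pty on the system, including other users' terminals, which is more than a session daemon plausibly needs for its own stderr. If the denial was on the user's own terminal, `userdom_use_user_terminals` (if present in this tree) or `term_use_generic_ptys` is the narrower fix; if it must stay, a comment giving the denied object would help. The enclosing template starts before this hunk.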
@@ -160,6 +165,10 @@
')
optional_policy(`
+ gnome_read_gconf_home_files($1_dbusd_t)
+ ')
+
+ optional_policy(`
hal_dbus_chat($1_dbusd_t)
')
@@ -169,6 +178,26 @@
')
')
+########################################
+##
+## Connect to the the system DBUS
+## for service (acquire_svc).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_connect_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus acquire_svc;
+ ')
+
+ allow $1 session_bus_type:dbus acquire_svc;
+')
+
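Review bot: The summary of `dbus_connect_session_bus` says "Connect to the the system DBUS", but the body grants `acquire_svc` on `session_bus_type`, i.e. the session buses; a caller trusting the doc would expect system bus access. Change it to `## Connect to the session DBUS for service (acquire_svc).`, which also fixes the doubled "the".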
#######################################
##
## Template for creating connections to
@@ -185,10 +214,12 @@
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
+ attribute dbusd_unconfined;
')
# SE-DBus specific permissions
- allow $1 { system_dbusd_t self }:dbus send_msg;
+ allow $1 { system_dbusd_t self dbusd_unconfined }:dbus send_msg;
+ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
@@ -197,6 +228,10 @@
files_search_pids($1)
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
dbus_read_config($1)
+
+ optional_policy(`
+ rpm_script_dbus_chat($1)
+ ')
')
#######################################
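Review bot: Putting `rpm_script_dbus_chat($1)` inside `dbus_system_bus_client` means every domain that becomes a system bus client also gets bidirectional dbus messaging with rpm_script_t, presumably an unconfined-class domain, which is far wider than the interface name suggests and will be hard to find when auditing later. If rpm scriptlets need to talk to the services they restart, grant the chat from rpm's policy or from those specific services rather than from the generic client interface. The enclosing interface starts before this hunk.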
@@ -244,6 +279,35 @@
########################################
##
+## Chat on user/application specific DBUS.
+##
+##
+##
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`dbus_chat_user_bus',`
+ gen_require(`
+ type $1_t;
+ type $1_dbusd_t;
+ class dbus send_msg;
+ ')
+
+ allow $2 $1_dbusd_t:dbus send_msg;
+ allow $1_dbusd_t $2:dbus send_msg;
+ allow $2 $1_t:dbus send_msg;
+ allow $1_t $2:dbus send_msg;
+')
+
+########################################
+##
## Read dbus configuration.
##
##
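Review bot: `dbus_chat_user_bus` is documented as chatting on the user's bus, but the last two rules also grant direct `send_msg` between `$2` and `$1_t`, the user domain itself, which callers should know they are getting. Add a line to the summary such as `## Also allows sending dbus messages directly to and from the $1_t domain.`, or drop those two rules if only the bus daemon was intended.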
@@ -318,3 +382,79 @@
allow $1 system_dbusd_t:dbus *;
')
+
+########################################
+##
+## Allow unconfined access to the system DBUS.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_unconfined',`
+ gen_require(`
+ attribute dbusd_unconfined;
+ ')
+
+ typeattribute $1 dbusd_unconfined;
+')
+
+########################################
+##
+## Create a domain for processes
+## which can be started by the system dbus
+##
+##
+##
+## Type to be used as a domain.
+##
+##
+##
+##
+## Type of the program to be used as an entry point to this domain.
+##
+##
+#
+interface(`dbus_system_domain',`
+ gen_require(`
+ type system_dbusd_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(system_dbusd_t, $2, $1)
+
+ dbus_system_bus_client($1)
+ dbus_connect_system_bus($1)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+ ')
+
+ userdom_dontaudit_search_admin_dir($1)
+')
+
+########################################
+##
+## Dontaudit Read, and write system dbus TCP sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ allow $1 system_dbusd_t:tcp_socket { read write };
+ allow $1 system_dbusd_t:fd use;
+')
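Review bot: `dbus_dontaudit_system_bus_rw_tcp_sockets` is named and documented as a dontaudit, but its body uses `allow`, so a caller that only meant to silence noise actually gets read/write on the system bus's TCP sockets and use of its fds; change the rules to `dontaudit $1 system_dbusd_t:tcp_socket { read write };` and `dontaudit $1 system_dbusd_t:fd use;`. In `dbus_system_domain`, `role system_r types $1;` and the transition from system_dbusd_t are fine, but a short comment that the resulting domain is meant for dbus-activated system services would help callers pick it over `init_daemon_domain`.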
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.13/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/dbus.te 2009-05-21 09:48:24.000000000 -0400
@@ -9,14 +9,15 @@
#
# Delcarations
#
-
+attribute dbusd_unconfined;
attribute session_bus_type;
type dbusd_etc_t;
-files_type(dbusd_etc_t)
+files_config_file(dbusd_etc_t)
type dbusd_exec_t;
corecmd_executable_file(dbusd_exec_t)
+typealias dbusd_exec_t alias system_dbusd_exec_t;
type session_dbusd_tmp_t;
typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
@@ -31,11 +32,25 @@
files_tmp_file(system_dbusd_tmp_t)
type system_dbusd_var_lib_t;
-files_pid_file(system_dbusd_var_lib_t)
+files_type(system_dbusd_var_lib_t)
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(system_dbusd_t, dbusd_exec_t,s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(system_dbusd_t, dbusd_exec_t,s0 - mls_systemhigh)
+ mls_fd_use_all_levels(system_dbusd_t)
+ mls_rangetrans_target(system_dbusd_t)
+ mls_file_read_all_levels(system_dbusd_t)
+ mls_socket_write_all_levels(system_dbusd_t)
+ mls_socket_read_to_clearance(system_dbusd_t)
+ mls_dbus_recv_all_levels(system_dbusd_t)
+')
+
##############################
#
# System bus local policy
@@ -45,7 +60,7 @@
# cjp: dac_override should probably go in a distro_debian
allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
-allow system_dbusd_t self:process { getattr signal_perms setcap };
+allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
@@ -53,6 +68,8 @@
# Receive notifications of policy reloads and enforcing status changes.
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
+can_exec(system_dbusd_t, dbusd_exec_t)
+
allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
@@ -75,6 +92,8 @@
fs_getattr_all_fs(system_dbusd_t)
fs_search_auto_mountpoints(system_dbusd_t)
+fs_list_inotifyfs(system_dbusd_t)
+fs_dontaudit_list_nfs(system_dbusd_t)
selinux_get_fs_mount(system_dbusd_t)
selinux_validate_context(system_dbusd_t)
@@ -91,9 +110,9 @@
corecmd_list_bin(system_dbusd_t)
corecmd_read_bin_pipes(system_dbusd_t)
corecmd_read_bin_sockets(system_dbusd_t)
-corecmd_exec_bin(system_dbusd_t)
domain_use_interactive_fds(system_dbusd_t)
+domain_read_all_domains_state(system_dbusd_t)
files_read_etc_files(system_dbusd_t)
files_list_home(system_dbusd_t)
@@ -101,6 +120,8 @@
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
+init_bin_domtrans_spec(system_dbusd_t)
+init_domtrans_script(system_dbusd_t)
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
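Review bot: `init_bin_domtrans_spec(system_dbusd_t)` lets the system bus daemon run bin_t programs with a transition into init_t, one of the most privileged domains, so a bus client that can trigger activation of a service whose executable carries only bin_t gets that program run as init_t. If this is for dbus-activated services without their own domain, the better fix is an exec type for each plus `dbus_system_domain` (added in dbus.if in this patch); if it has to stay, a comment naming the service that required it would keep it reviewable. The enclosing rule set continues outside this hunk.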
@@ -128,9 +149,38 @@
')
optional_policy(`
+ gnome_exec_gconf(system_dbusd_t)
+')
+
+optional_policy(`
+ networkmanager_initrc_domtrans(system_dbusd_t)
+')
+
+optional_policy(`
+ polkit_domtrans_auth(system_dbusd_t)
+ polkit_search_lib(system_dbusd_t)
+')
+
+optional_policy(`
sysnet_domtrans_dhcpc(system_dbusd_t)
')
optional_policy(`
udev_read_db(system_dbusd_t)
')
+
+optional_policy(`
+ gen_require(`
+ type unconfined_dbusd_t;
+ ')
+ unconfined_domain(unconfined_dbusd_t)
+ unconfined_execmem_domtrans(unconfined_dbusd_t)
+
+ optional_policy(`
+ xserver_rw_shm(unconfined_dbusd_t)
+ ')
+')
+
+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
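Review bot: The attribute rules at L3090-3091 use `all_dbus_perms` while the existing unconfined rule at L2896 uses `*` for the same thing; if `all_dbus_perms` is not defined in this tree's obj_perm_sets.spt the module fails to build, and either way one form should be used. The `gen_require` on `unconfined_dbusd_t` inside a .te optional block (L3078-3081) is unusual for refpolicy style, which keeps raw requires in .if files; since unconfined_dbusd_t is presumably created by the role template for the unconfined user, having the unconfined module call `unconfined_domain` on it would keep the rule with the type's owner.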
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.fc serefpolicy-3.6.13/policy/modules/services/dcc.fc
--- nsaserefpolicy/policy/modules/services/dcc.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/dcc.fc 2009-05-21 09:48:24.000000000 -0400
@@ -12,6 +12,8 @@
/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
/var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
/var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.13/policy/modules/services/devicekit.fc
--- nsaserefpolicy/policy/modules/services/devicekit.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/devicekit.fc 2009-05-21 09:48:24.000000000 -0400
@@ -0,0 +1,9 @@
+
+/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
+/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+
+/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+
+/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.13/policy/modules/services/devicekit.if
--- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/devicekit.if 2009-05-21 09:48:24.000000000 -0400
@@ -0,0 +1,197 @@
+
+## policy for devicekit
+
+########################################
+##
+## Execute a domain transition to run devicekit.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`devicekit_domtrans',`
+ gen_require(`
+ type devicekit_t;
+ type devicekit_exec_t;
+ ')
+
+ domtrans_pattern($1,devicekit_exec_t,devicekit_t)
+')
+
+
+########################################
+##
+## Read devicekit PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_read_pid_files',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+')
+
+########################################
+##
+## Manage devicekit var_run files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_manage_var_run',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ manage_dirs_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
+ manage_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
+ manage_lnk_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
+')
+
+
+########################################
+##
+## Send and receive messages from
+## devicekit over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_dbus_chat',`
+ gen_require(`
+ type devicekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_t:dbus send_msg;
+ allow devicekit_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Send signal devicekit power
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_power_signal',`
+ gen_require(`
+ type devicekit_power_t;
+ ')
+
+ allow $1 devicekit_power_t:process signal;
+')
+
+########################################
+##
+## Send and receive messages from
+## devicekit power over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_power_dbus_chat',`
+ gen_require(`
+ type devicekit_power_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_power_t:dbus send_msg;
+ allow devicekit_power_t $1:dbus send_msg;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an devicekit environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the devicekit domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`devicekit_admin',`
+ gen_require(`
+ type devicekit_t;
+ ')
+
+ allow $1 devicekit_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, devicekit_t, devicekit_t)
+
+
+ devicekit_manage_var_run($1)
+
+')
+
+########################################
+##
+## Send to devicekit over a unix domain
+## datagram socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_dgram_send',`
+ gen_require(`
+ type devicekit_t;
+ ')
+
+ allow $1 devicekit_t:unix_dgram_socket sendto;
+')
+
+########################################
+##
+## Send and receive messages from
+## devicekit disk over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_disk_dbus_chat',`
+ gen_require(`
+ type devicekit_disk_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_disk_t:dbus send_msg;
+ allow devicekit_disk_t $1:dbus send_msg;
+')
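Review bot: `devicekit_admin` documents three parameters (domain, role, terminal) but its body uses only `$1`; either drop the role/terminal documentation or use them as other `*_admin` interfaces do. It also calls `read_files_pattern($1, devicekit_t, devicekit_t)`, which treats a process domain as a file type; for reading the daemon's /proc entries the usual form is `ps_process_pattern($1, devicekit_t)`. Minor: `devicekit_domtrans` and `devicekit_manage_var_run` omit the space after commas that the rest of the file uses.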
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.13/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/devicekit.te 2009-05-21 09:48:24.000000000 -0400
@@ -0,0 +1,237 @@
+policy_module(devicekit,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type devicekit_t;
+type devicekit_exec_t;
+dbus_system_domain(devicekit_t, devicekit_exec_t)
+
+type devicekit_power_t;
+type devicekit_power_exec_t;
+dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+
+type devicekit_disk_t;
+type devicekit_disk_exec_t;
+dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
+
+type devicekit_tmp_t;
+files_tmp_file(devicekit_tmp_t)
+
+type devicekit_var_run_t;
+files_pid_file(devicekit_var_run_t)
+
+type devicekit_var_lib_t;
+files_type(devicekit_var_lib_t)
+
+#
+# DeviceKit local policy
+#
+allow devicekit_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
+manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
+files_pid_filetrans(devicekit_t,devicekit_var_run_t, { file dir })
+
+dev_read_sysfs(devicekit_t)
+dev_read_urand(devicekit_t)
+
+files_read_etc_files(devicekit_t)
+
+fs_list_inotifyfs(devicekit_t)
+
+miscfiles_read_localization(devicekit_t)
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_t)
+')
+
+optional_policy(`
+ udev_read_db(devicekit_t)
+')
+
+#
+# DeviceKit-Power local policy
+#
+allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
+allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
+files_read_kernel_img(devicekit_power_t)
+
+corecmd_exec_bin(devicekit_power_t)
+corecmd_exec_shell(devicekit_power_t)
+
+consoletype_exec(devicekit_power_t)
+
+domain_read_all_domains_state(devicekit_power_t)
+
+kernel_read_network_state(devicekit_power_t)
+kernel_read_system_state(devicekit_power_t)
+kernel_rw_hotplug_sysctls(devicekit_power_t)
+kernel_rw_kernel_sysctl(devicekit_power_t)
+kernel_write_proc_files(devicekit_power_t)
+
+dev_rw_generic_usb_dev(devicekit_power_t)
+dev_rw_netcontrol(devicekit_power_t)
+dev_rw_sysfs(devicekit_power_t)
+
+files_read_etc_files(devicekit_power_t)
+files_read_usr_files(devicekit_power_t)
+
+fs_list_inotifyfs(devicekit_power_t)
+
+term_use_all_terms(devicekit_power_t)
+
+auth_use_nsswitch(devicekit_power_t)
+
+miscfiles_read_localization(devicekit_power_t)
+
+userdom_read_all_users_state(devicekit_power_t)
+
+optional_policy(`
+ hal_domtrans_mac(devicekit_power_t)
+ hal_create_log(devicekit_power_t)
+ hal_manage_pid_dirs(devicekit_power_t)
+ hal_manage_pid_files(devicekit_power_t)
+ hal_dbus_chat(devicekit_power_t)
+')
+
+optional_policy(`
+ cron_initrc_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ polkit_domtrans_auth(devicekit_power_t)
+ polkit_read_lib(devicekit_power_t)
+ polkit_read_reload(devicekit_power_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_power_t)
+ allow devicekit_power_t devicekit_t:dbus send_msg;
+ allow devicekit_t devicekit_power_t:dbus send_msg;
+
+ optional_policy(`
+ consolekit_dbus_chat(devicekit_power_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(devicekit_power_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat(devicekit_power_t)
+ ')
+')
+
+optional_policy(`
+ bootloader_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ fstools_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(devicekit_power_t)
+')
+#
+# DeviceKit disk local policy
+#
+
+allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { file dir })
+
+manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
+
+corecmd_exec_bin(devicekit_disk_t)
+
+dev_rw_sysfs(devicekit_disk_t)
+dev_read_urand(devicekit_disk_t)
+dev_getattr_usbfs_dirs(devicekit_disk_t)
+dev_manage_generic_files(devicekit_disk_t)
+
+kernel_read_software_raid_state(devicekit_disk_t)
+kernel_setsched(devicekit_disk_t)
+
+files_manage_mnt_dirs(devicekit_disk_t)
+files_read_etc_files(devicekit_disk_t)
+files_read_etc_runtime_files(devicekit_disk_t)
+files_read_usr_files(devicekit_disk_t)
+files_manage_isid_type_dirs(devicekit_disk_t)
+
+fs_list_inotifyfs(devicekit_disk_t)
+fs_mount_all_fs(devicekit_disk_t)
+fs_unmount_all_fs(devicekit_disk_t)
+
+storage_raw_read_fixed_disk(devicekit_disk_t)
+storage_raw_write_fixed_disk(devicekit_disk_t)
+storage_raw_read_removable_device(devicekit_disk_t)
+storage_raw_write_removable_device(devicekit_disk_t)
+
+term_use_all_terms(devicekit_disk_t)
+
+auth_use_nsswitch(devicekit_disk_t)
+
+miscfiles_read_localization(devicekit_disk_t)
+
+userdom_read_all_users_state(devicekit_disk_t)
+userdom_search_user_home_dirs(devicekit_disk_t)
+
+optional_policy(`
+ fstools_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ lvm_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ polkit_domtrans_auth(devicekit_disk_t)
+ polkit_read_lib(devicekit_disk_t)
+ polkit_read_reload(devicekit_disk_t)
+')
+
+optional_policy(`
+ mount_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_disk_t)
+ allow devicekit_disk_t devicekit_t:dbus send_msg;
+ allow devicekit_t devicekit_disk_t:dbus send_msg;
+
+ optional_policy(`
+ consolekit_dbus_chat(devicekit_disk_t)
+ ')
+')
+
+optional_policy(`
+ udev_domtrans(devicekit_disk_t)
+ udev_read_db(devicekit_disk_t)
+')
+
+
+ifdef(`TESTING',`
+ permissive devicekit_t;
+ permissive devicekit_power_t;
+ permissive devicekit_disk_t;
+',`
+optional_policy(`
+ unconfined_domain(devicekit_t)
+ unconfined_domain(devicekit_power_t)
+ unconfined_domain(devicekit_disk_t)
+')
+')
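Review bot: The `ifdef(`TESTING',...)` tail applies `unconfined_domain` to all three devicekit domains whenever the unconfined module is present and TESTING is not set, so on a normal build the rules above are irrelevant and the daemons (devicekit_disk_t already has `sys_rawio`, raw disk write and mount/unmount of all filesystems) run unconfined with no denials logged. If the policy is not trusted yet, using `permissive` in the non-TESTING branch as well keeps denials visible while the rules are completed, and the branch deserves a comment marking it temporary. `dev_manage_generic_files(devicekit_disk_t)` and `kernel_write_proc_files(devicekit_power_t)` are also broad and undocumented.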
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.13/policy/modules/services/dhcp.if
--- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/dhcp.if 2009-05-21 09:48:24.000000000 -0400
@@ -22,6 +22,25 @@
########################################
##
+## Execute dhcp server in the dhcp domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`dhcpd_initrc_domtrans',`
+ gen_require(`
+ type dhcpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+')
+
+########################################
+##
## All of the rules required to administrate
## an dhcp environment
##
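Review bot: The summary says "Execute dhcp server in the dhcp domain", but the body is `init_labeled_script_domtrans`, which runs the init script in the initrc domain rather than transitioning to dhcpd_t, so a caller reading the doc would expect something the interface does not do. Use `## Execute the dhcp server init script in the initrc domain.` and drop the stray second `#` line at L3572.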
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.6.13/policy/modules/services/dnsmasq.if
--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2009-03-23 13:47:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/dnsmasq.if 2009-05-21 09:48:24.000000000 -0400
@@ -22,6 +22,25 @@
########################################
##
+## Execute dnsmasq server in the dnsmasq domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`dnsmasq_initrc_domtrans',`
+ gen_require(`
+ type dnsmasq_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+')
+
+########################################
+##
## Send dnsmasq a signal
##
##
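Review bot: The summary says "Execute dnsmasq server in the dnsmasq domain", but the body is `init_labeled_script_domtrans`, which runs the init script in the initrc domain, not dnsmasq_t. Use `## Execute the dnsmasq init script in the initrc domain.` and drop the stray second `#` line at L3600.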
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.13/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-03-23 13:47:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/dnsmasq.te 2009-05-21 09:48:24.000000000 -0400
@@ -42,8 +42,7 @@
files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
kernel_read_kernel_sysctls(dnsmasq_t)
-kernel_list_proc(dnsmasq_t)
-kernel_read_proc_symlinks(dnsmasq_t)
+kernel_read_system_state(dnsmasq_t)
corenet_all_recvfrom_unlabeled(dnsmasq_t)
corenet_all_recvfrom_netlabel(dnsmasq_t)
@@ -84,6 +83,14 @@
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
optional_policy(`
+ cron_manage_pid_files(dnsmasq_t)
+')
+
+optional_policy(`
+ tftp_read_content(dnsmasq_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(dnsmasq_t)
')
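Review bot: `cron_manage_pid_files(dnsmasq_t)` grants a DNS/DHCP daemon create, write and unlink rights over cron's pid files, which is an unusual cross-service grant and nothing in the hunk explains it. If the motivation is only that dnsmasq's own pid file sometimes ends up with cron's label (for instance when it is started from a cron job), a file-context fix or a domain transition is the narrower remedy; if a real dependency exists, a one-line comment above the call should name it, e.g. `# dnsmasq launched from cron writes its pid under cron's pid dir -- TODO confirm`.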
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.13/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-11-11 16:13:47.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/dovecot.fc 2009-05-21 09:48:24.000000000 -0400
@@ -6,6 +6,7 @@
/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
#
# /usr
@@ -17,19 +18,22 @@
ifdef(`distro_debian', `
/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
')
ifdef(`distro_redhat', `
/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
')
#
# /var
#
/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
-# this is a hard link to /var/lib/dovecot/ssl-parameters.dat
-/var/run/dovecot/login/ssl-parameters.dat gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
+
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.6.13/policy/modules/services/dovecot.if
--- nsaserefpolicy/policy/modules/services/dovecot.if 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/dovecot.if 2009-05-21 09:48:24.000000000 -0400
@@ -21,7 +21,46 @@
########################################
##
-## Do not audit attempts to delete dovecot lib files.
+## Connect to dovecot auth unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`dovecot_auth_stream_connect',`
+ gen_require(`
+ type dovecot_auth_t, dovecot_var_run_t;
+ ')
+
+ allow $1 dovecot_var_run_t:dir search;
+ allow $1 dovecot_var_run_t:sock_file write;
+ allow $1 dovecot_auth_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Execute dovecot_deliver in the dovecot_deliver domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dovecot_domtrans_deliver',`
+ gen_require(`
+ type dovecot_deliver_t, dovecot_deliver_exec_t;
+ ')
+
+ domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
+')
+
+#######################################
+##
+## Do not audit attempts to d`elete dovecot lib files.
##
##
##
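Review bot: The rewritten header line `## Do not audit attempts to d`elete dovecot lib files.` carries a stray backquote in the middle of the word. Because these files are processed by m4 the unbalanced quote character inside a comment is probably harmless for expansion, but it is wrong in the generated interface documentation; it should read `## Do not audit attempts to delete dovecot lib files.` The interface body this header documents continues past the end of the hunk.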
@@ -36,3 +75,60 @@
dontaudit $1 dovecot_var_lib_t:file unlink;
')
+
+########################################
+##
+## All of the rules required to administrate
+## an dovecot environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the dovecot domain.
+##
+##
+##
+#
+interface(`dovecot_admin',`
+ gen_require(`
+ type dovecot_t, dovecot_etc_t, dovecot_log_t;
+ type dovecot_spool_t, dovecot_var_lib_t;
+ type dovecot_var_run_t;
+
+ type dovecot_cert_t, dovecot_passwd_t;
+ type dovecot_initrc_exec_t;
+ ')
+
+ allow $1 dovecot_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dovecot_t)
+
+ init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dovecot_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, dovecot_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, dovecot_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, dovecot_spool_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, dovecot_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dovecot_var_run_t)
+
+ admin_pattern($1, dovecot_cert_t)
+
+ admin_pattern($1, dovecot_passwd_t)
+')
+
+
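Review bot: `dovecot_admin` requires `type dovecot_log_t`, but the companion dovecot.te hunk declares the log type as `dovecot_var_log_t` and dovecot.fc labels /var/log/dovecot.log with that same name; unless `dovecot_log_t` is declared somewhere outside this diff, the gen_require will fail at link time and the admin interface is unusable. Change the require and the `admin_pattern($1, dovecot_log_t)` call to `dovecot_var_log_t`, and add `logging_list_logs($1)` is already there so nothing else moves. Note also that `admin_pattern` over `dovecot_passwd_t` and `dovecot_cert_t` hands the admin role full write over credential material, which is expected for an admin interface but deserves a short comment saying so.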
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.13/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/dovecot.te 2009-05-21 09:48:24.000000000 -0400
@@ -15,12 +15,21 @@
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
+type dovecot_deliver_t;
+type dovecot_deliver_exec_t;
+domain_type(dovecot_deliver_t)
+domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
+role system_r types dovecot_deliver_t;
+
type dovecot_cert_t;
files_type(dovecot_cert_t)
type dovecot_etc_t;
files_config_file(dovecot_etc_t)
+type dovecot_initrc_exec_t;
+init_script_file(dovecot_initrc_exec_t)
+
type dovecot_passwd_t;
files_type(dovecot_passwd_t)
@@ -31,9 +40,15 @@
type dovecot_var_lib_t;
files_type(dovecot_var_lib_t)
+type dovecot_var_log_t;
+logging_log_file(dovecot_var_log_t)
+
type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)
+type dovecot_auth_tmp_t;
+files_tmp_file(dovecot_auth_tmp_t)
+
########################################
#
# dovecot local policy
@@ -58,6 +73,10 @@
can_exec(dovecot_t, dovecot_exec_t)
+# log files
+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)
+
manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
@@ -85,6 +104,7 @@
dev_read_urand(dovecot_t)
fs_getattr_all_fs(dovecot_t)
+fs_getattr_all_dirs(dovecot_t)
fs_search_auto_mountpoints(dovecot_t)
fs_list_inotifyfs(dovecot_t)
@@ -98,7 +118,7 @@
files_dontaudit_list_default(dovecot_t)
# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
files_read_etc_runtime_files(dovecot_t)
-files_getattr_all_mountpoints(dovecot_t)
+files_search_all_mountpoints(dovecot_t)
init_getattr_utmp(dovecot_t)
@@ -120,7 +140,7 @@
mta_manage_spool(dovecot_t)
optional_policy(`
- kerberos_use(dovecot_t)
+ kerberos_keytab_template(dovecot, dovecot_t)
')
optional_policy(`
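Review bot: Replacing `kerberos_use(dovecot_t)` with `kerberos_keytab_template(dovecot, dovecot_t)` presumably declares a new `dovecot_keytab_t` type, yet neither dovecot.fc hunk in this diff labels any keytab with it, so unless the template (defined outside this diff) also carries the generic keytab read and `kerberos_use` grants the old call provided, GSSAPI logins may lose access. Either add a file context for dovecot's keytab or confirm the template covers the previous grants, and record the check in a comment such as `# kerberos_keytab_template also pulls in kerberos_use -- confirmed` so the next reader does not have to redo it.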
@@ -140,25 +160,35 @@
# dovecot auth local policy
#
-allow dovecot_auth_t self:capability { setgid setuid };
+allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
allow dovecot_auth_t self:process signal_perms;
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
-allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
+read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
+
+manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
# Allow dovecot to create and read SSL parameters file
manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
files_search_var_lib(dovecot_t)
+files_read_var_symlinks(dovecot_t)
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+dovecot_auth_stream_connect(dovecot_auth_t)
kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)
+logging_send_audit_msgs(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
+
dev_read_urand(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
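Review bot: `dovecot_auth_t` now receives `dac_override` and `chown`, which let the process that handles credentials bypass DAC mode bits on any file its type rules otherwise reach; together with the new `manage_sock_files_pattern` on `dovecot_var_run_t` and the `dovecot_passwd_t` read this is a noticeable widening of the auth worker. If these capabilities were added for a single denial (typically ownership of the login socket directory), fixing the directory ownership or using `dontaudit dovecot_auth_t self:capability dac_override;` is preferable to an allow. If the allow must stay, a comment naming the operation that needs it should sit above the line.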
@@ -167,6 +197,7 @@
files_read_etc_files(dovecot_auth_t)
files_read_etc_runtime_files(dovecot_auth_t)
files_search_pids(dovecot_auth_t)
+files_read_usr_files(dovecot_auth_t)
files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
@@ -182,5 +213,58 @@
')
optional_policy(`
- logging_send_syslog_msg(dovecot_auth_t)
+ mysql_search_db(dovecot_auth_t)
+ mysql_stream_connect(dovecot_auth_t)
')
+
+optional_policy(`
+ nis_authenticate(dovecot_auth_t)
+')
+
+optional_policy(`
+ postfix_manage_private_sockets(dovecot_auth_t)
+ postfix_search_spool(dovecot_auth_t)
+')
+
+# for gssapi (kerberos)
+userdom_list_user_tmp(dovecot_auth_t)
+userdom_read_user_tmp_files(dovecot_auth_t)
+userdom_read_user_tmp_symlinks(dovecot_auth_t)
+
+########################################
+#
+# dovecot deliver local policy
+#
+allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+
+allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+
+kernel_read_all_sysctls(dovecot_deliver_t)
+kernel_read_system_state(dovecot_deliver_t)
+
+files_read_etc_files(dovecot_deliver_t)
+files_read_etc_runtime_files(dovecot_deliver_t)
+
+auth_use_nsswitch(dovecot_deliver_t)
+
+logging_send_syslog_msg(dovecot_deliver_t)
+
+miscfiles_read_localization(dovecot_deliver_t)
+
+dovecot_auth_stream_connect(dovecot_deliver_t)
+
+files_search_tmp(dovecot_deliver_t)
+fs_getattr_all_fs(dovecot_deliver_t)
+
+userdom_manage_user_home_content_dirs(dovecot_deliver_t)
+userdom_manage_user_home_content_files(dovecot_deliver_t)
+userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
+userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+userdom_manage_user_home_content_sockets(dovecot_deliver_t)
+userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+ mta_manage_spool(dovecot_deliver_t)
+')
+
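Review bot: `allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;` grants file reads but no `dir search` on `dovecot_etc_t`, so if dovecot's configuration lives in a directory carrying that label (the fc hunks here only show the passwd file, so this is inferred) deliver will be denied before it reaches the file. The auth-worker hunk above uses `read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)`; the same form here, `read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)`, is consistent with it and covers the directory search. Separately, no domain in this diff calls `dovecot_domtrans_deliver`, so the new domain appears unreachable until an MTA policy is updated to transition into it.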
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.6.13/policy/modules/services/fail2ban.fc
--- nsaserefpolicy/policy/modules/services/fail2ban.fc 2008-10-08 19:00:27.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/fail2ban.fc 2009-05-21 09:48:24.000000000 -0400
@@ -2,5 +2,9 @@
/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
+
/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
+
+
/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.13/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/fail2ban.if 2009-05-21 09:48:24.000000000 -0400
@@ -20,6 +20,25 @@
########################################
##
+## Read fail2ban lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fail2ban_read_lib_files',`
+ gen_require(`
+ type fail2ban_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 fail2ban_var_lib_t:file read_file_perms;
+')
+
+########################################
+##
## Allow the specified domain to read fail2ban's log files.
##
##
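Review bot: `fail2ban_read_lib_files` calls `files_search_pids($1)` while the type it grants is `fail2ban_var_lib_t`, which fail2ban.fc places under /var/lib; this looks copied from a pid-file interface and leaves callers unable to traverse /var/lib. Since the fc entry also labels the directory itself, the body should be `files_search_var_lib($1)` followed by `read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)`, which grants the directory search along with the file read.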
@@ -105,7 +124,7 @@
allow $1 fail2ban_t:process { ptrace signal_perms };
ps_process_pattern($1, fail2ban_t)
- init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
+ init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 fail2ban_initrc_exec_t system_r;
allow $2 system_r;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.6.13/policy/modules/services/fail2ban.te
--- nsaserefpolicy/policy/modules/services/fail2ban.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/fail2ban.te 2009-05-21 09:48:24.000000000 -0400
@@ -17,6 +17,9 @@
type fail2ban_log_t;
logging_log_file(fail2ban_log_t)
+type fail2ban_var_lib_t;
+files_type(fail2ban_var_lib_t)
+
# pid files
type fail2ban_var_run_t;
files_pid_file(fail2ban_var_run_t)
@@ -26,6 +29,7 @@
# fail2ban local policy
#
+allow fail2ban_t self:capability { sys_tty_config };
allow fail2ban_t self:process signal;
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
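Review bot: `allow fail2ban_t self:capability { sys_tty_config };` gives a log-scanning daemon the ability to reconfigure terminals, which it has no evident reason to use; in this policy such grants for daemons are normally `dontaudit` because they stem from a harmless ioctl at startup. Unless a real need was observed, change it to `dontaudit fail2ban_t self:capability sys_tty_config;`, and if it must remain an allow add a comment naming the operation that requires it.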
@@ -36,6 +40,10 @@
manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
+manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+files_var_lib_filetrans(fail2ban_t, fail2ban_var_lib_t, { dir file })
+
# pid file
manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.13/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/fetchmail.te 2009-05-21 09:48:24.000000000 -0400
@@ -9,6 +9,7 @@
type fetchmail_t;
type fetchmail_exec_t;
init_daemon_domain(fetchmail_t, fetchmail_exec_t)
+application_executable_file(fetchmail_exec_t)
type fetchmail_var_run_t;
files_pid_file(fetchmail_var_run_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.fc serefpolicy-3.6.13/policy/modules/services/fprintd.fc
--- nsaserefpolicy/policy/modules/services/fprintd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/fprintd.fc 2009-05-21 09:48:24.000000000 -0400
@@ -0,0 +1,4 @@
+
+/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0)
+
+/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.if serefpolicy-3.6.13/policy/modules/services/fprintd.if
--- nsaserefpolicy/policy/modules/services/fprintd.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/fprintd.if 2009-05-21 09:48:24.000000000 -0400
@@ -0,0 +1,43 @@
+
+## policy for fprintd
+
+########################################
+##
+## Execute a domain transition to run fprintd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`fprintd_domtrans',`
+ gen_require(`
+ type fprintd_t;
+ type fprintd_exec_t;
+ ')
+
+ domtrans_pattern($1,fprintd_exec_t,fprintd_t)
+')
+
+########################################
+##
+## Send and receive messages from
+## fprintd over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fprintd_dbus_chat',`
+ gen_require(`
+ type fprintd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 fprintd_t:dbus send_msg;
+ allow fprintd_t $1:dbus send_msg;
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.13/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/fprintd.te 2009-05-21 09:48:24.000000000 -0400
@@ -0,0 +1,49 @@
+policy_module(fprintd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type fprintd_t;
+type fprintd_exec_t;
+dbus_system_domain(fprintd_t, fprintd_exec_t)
+
+type fprintd_var_lib_t;
+files_type(fprintd_var_lib_t)
+
+allow fprintd_t self:capability sys_ptrace;
+allow fprintd_t self:fifo_file rw_fifo_file_perms;
+allow fprintd_t self:process { getsched signal };
+
+manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+files_var_lib_filetrans(fprintd_t, fprintd_var_lib_t, { dir file })
+
+corecmd_search_bin(fprintd_t)
+
+dev_rw_generic_usb_dev(fprintd_t)
+dev_read_sysfs(fprintd_t)
+
+files_read_etc_files(fprintd_t)
+files_read_usr_files(fprintd_t)
+
+auth_use_nsswitch(fprintd_t)
+
+miscfiles_read_localization(fprintd_t)
+
+userdom_use_user_ptys(fprintd_t)
+userdom_read_all_users_state(fprintd_t)
+
+optional_policy(`
+ consolekit_dbus_chat(fprintd_t)
+')
+
+optional_policy(`
+ polkit_read_reload(fprintd_t)
+ polkit_read_lib(fprintd_t)
+ polkit_domtrans_auth(fprintd_t)
+')
+
+permissive fprintd_t;
+
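Review bot: `permissive fprintd_t;` at the end means none of the rules above are enforced for this domain, so the `sys_ptrace` capability, `dev_rw_generic_usb_dev` and `userdom_read_all_users_state` grants are effectively unbounded in practice; the line is reasonable for bring-up but needs a tracking comment and removal before release, e.g. `# TODO: drop permissive once fprintd has been exercised under enforcing`. `sys_ptrace` is also unusual for a fingerprint daemon and is likely only triggered by polkit-style /proc lookups that `userdom_read_all_users_state` already covers (inferred); confirm and drop it if the denial does not recur. The data under `fprintd_var_lib_t` is presumably enrolled fingerprint templates, so its rules deserve a short comment stating that sensitivity.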
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.13/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/ftp.te 2009-05-21 09:48:24.000000000 -0400
@@ -26,7 +26,7 @@
##
##
## Allow ftp servers to use cifs
-## used for public file transfer services.
+## for public file transfer services.
##
##
gen_tunable(allow_ftpd_use_cifs, false)
@@ -34,13 +34,20 @@
##
##
## Allow ftp servers to use nfs
-## used for public file transfer services.
+## for public file transfer services.
##
##
gen_tunable(allow_ftpd_use_nfs, false)
##
##
+## Allow ftp servers to use connect to mysql database
+##
+##
+gen_tunable(ftpd_connect_db, false)
+
+##
+##
## Allow ftp to read and write files in the user home directories
##
##
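Review bot: The description of the new `ftpd_connect_db` tunable, `Allow ftp servers to use connect to mysql database`, is ungrammatical and understates its scope, since the later hunk enables postgresql stream and port connections under the same boolean. Suggest `## Allow ftp servers to connect to mysql and postgresql databases.` so the tunable's documentation matches what it switches on.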
@@ -92,6 +99,7 @@
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
allow ftpd_t self:udp_socket create_socket_perms;
+allow ftpd_t self:key manage_key_perms;
allow ftpd_t ftpd_etc_t:file read_file_perms;
@@ -131,6 +139,7 @@
dev_read_sysfs(ftpd_t)
dev_read_urand(ftpd_t)
+fs_list_inotifyfs(ftpd_t)
corecmd_exec_bin(ftpd_t)
@@ -160,6 +169,7 @@
fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t)
+fs_search_fusefs(ftpd_t)
auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
@@ -222,9 +232,15 @@
userdom_manage_user_home_content_dirs(ftpd_t)
userdom_manage_user_home_content_files(ftpd_t)
userdom_manage_user_home_content_symlinks(ftpd_t)
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
+
+ auth_read_all_dirs_except_shadow(ftpd_t)
+ auth_read_all_files_except_shadow(ftpd_t)
+ auth_read_all_symlinks_except_shadow(ftpd_t)
')
+# Needed for permissive mode, to make sure everything gets labeled correctly
+userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
+
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
fs_manage_nfs_files(ftpd_t)
fs_read_nfs_symlinks(ftpd_t)
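Review bot: The three `auth_read_all_*_except_shadow(ftpd_t)` lines give ftpd read access to every file type on the system except shadow, which is far wider than the home-directory access the enclosing block (its `tunable_policy` opening is outside the hunk, presumably `ftp_home_dir`) is meant to toggle; private keys and other services' secrets fall inside that set. If the intent is reading arbitrary home content, the `userdom_manage_user_home_content_*` calls already in the block cover it; otherwise this needs its own boolean and a comment explaining the exposure. The `userdom_user_home_dir_filetrans_pattern` call moved outside the tunable is also a renamed interface (the removed line used `userdom_user_home_dir_filetrans_user_home_content`); confirm the new name exists in userdomain.if or the module will not build.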
@@ -258,7 +274,26 @@
')
optional_policy(`
- kerberos_read_keytab(ftpd_t)
+ kerberos_keytab_template(ftpd, ftpd_t)
+ kerberos_manage_host_rcache(ftpd_t)
+ selinux_validate_context(ftpd_t)
+')
+
+optional_policy(`
+ tunable_policy(`ftpd_connect_db',`
+ mysql_stream_connect(ftpd_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`ftpd_connect_db',`
+ postgresql_stream_connect(ftpd_t)
+ ')
+')
+
+tunable_policy(`ftpd_connect_db',`
+ corenet_tcp_connect_mysqld_port(ftpd_t)
+ corenet_tcp_connect_postgresql_port(ftpd_t)
')
optional_policy(`
@@ -270,6 +305,14 @@
')
optional_policy(`
+ dbus_system_bus_client(ftpd_t)
+ optional_policy(`
+ oddjob_dbus_chat(ftpd_t)
+ oddjob_domtrans_mkhomedir(ftpd_t)
+ ')
+')
+
+optional_policy(`
seutil_sigchld_newrole(ftpd_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.13/policy/modules/services/git.te
--- nsaserefpolicy/policy/modules/services/git.te 2009-04-07 15:53:35.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/git.te 2009-05-21 09:48:24.000000000 -0400
@@ -7,3 +7,4 @@
#
apache_content_template(git)
+permissive httpd_git_script_t;
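Review bot: `permissive httpd_git_script_t;` puts a web-reachable CGI domain in permissive mode, so any script labeled for it runs without confinement while the rest of the system is enforcing. Permissive lines are acceptable for bring-up but should carry a reason and an exit condition, e.g. `# permissive until gitweb has been exercised under enforcing -- remove before release`.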
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.13/policy/modules/services/gnomeclock.fc
--- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/gnomeclock.fc 2009-05-21 09:48:24.000000000 -0400
@@ -0,0 +1,3 @@
+
+/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.13/policy/modules/services/gnomeclock.if
--- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/gnomeclock.if 2009-05-21 09:48:24.000000000 -0400
@@ -0,0 +1,69 @@
+
+## policy for gnomeclock
+
+########################################
+##
+## Execute a domain transition to run gnomeclock.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`gnomeclock_domtrans',`
+ gen_require(`
+ type gnomeclock_t;
+ type gnomeclock_exec_t;
+ ')
+
+ domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t)
+')
+
+
+########################################
+##
+## Execute gnomeclock in the gnomeclock domain, and
+## allow the specified role the gnomeclock domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the gnomeclock domain.
+##
+##
+#
+interface(`gnomeclock_run',`
+ gen_require(`
+ type gnomeclock_t;
+ ')
+
+ gnomeclock_domtrans($1)
+ role $2 types gnomeclock_t;
+')
+
+
+########################################
+##
+## Send and receive messages from
+## gnomeclock over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnomeclock_dbus_chat',`
+ gen_require(`
+ type gnomeclock_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gnomeclock_t:dbus send_msg;
+ allow gnomeclock_t $1:dbus send_msg;
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.13/policy/modules/services/gnomeclock.te
--- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/gnomeclock.te 2009-05-21 09:48:24.000000000 -0400
@@ -0,0 +1,51 @@
+policy_module(gnomeclock, 1.0.0)
+########################################
+#
+# Declarations
+#
+
+type gnomeclock_t;
+type gnomeclock_exec_t;
+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+
+########################################
+#
+# gnomeclock local policy
+#
+allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
+allow gnomeclock_t self:process { getattr getsched };
+allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
+allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
+
+corecmd_exec_bin(gnomeclock_t)
+
+userdom_ptrace_all_users(gnomeclock_t)
+
+files_read_etc_files(gnomeclock_t)
+files_read_usr_files(gnomeclock_t)
+
+miscfiles_manage_localization(gnomeclock_t)
+miscfiles_etc_filetrans_localization(gnomeclock_t)
+
+fs_list_inotifyfs(gnomeclock_t)
+
+auth_use_nsswitch(gnomeclock_t)
+
+miscfiles_read_localization(gnomeclock_t)
+
+userdom_read_all_users_state(gnomeclock_t)
+
+optional_policy(`
+ consolekit_dbus_chat(gnomeclock_t)
+')
+
+optional_policy(`
+ clock_domtrans(gnomeclock_t)
+')
+
+optional_policy(`
+ polkit_domtrans_auth(gnomeclock_t)
+ polkit_read_lib(gnomeclock_t)
+ polkit_read_reload(gnomeclock_t)
+')
+
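Review bot: `userdom_ptrace_all_users(gnomeclock_t)` together with `sys_ptrace` in the capability line lets a clock-setting D-Bus mechanism attach to every user's processes, which is more than a time/timezone helper needs; the `userdom_read_all_users_state` call already granted here is what polkit-style /proc/<pid> lookups usually require (inferred). Drop the ptrace grant, or if it was only observed as audit noise replace it with a dontaudit rule rather than an allow. `sys_time` plus `miscfiles_manage_localization` is expected for setting the clock and /etc/localtime and could use a one-line comment saying so.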
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.if serefpolicy-3.6.13/policy/modules/services/gpm.if
--- nsaserefpolicy/policy/modules/services/gpm.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/gpm.if 2009-05-21 09:48:24.000000000 -0400
@@ -16,7 +16,7 @@
type gpmctl_t, gpm_t;
')
- allow $1 gpmctl_t:sock_file { getattr write };
+ allow $1 gpmctl_t:sock_file rw_sock_file_perms;
allow $1 gpm_t:unix_stream_socket connectto;
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.6.13/policy/modules/services/gpm.te
--- nsaserefpolicy/policy/modules/services/gpm.te 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/gpm.te 2009-05-21 09:48:24.000000000 -0400
@@ -54,6 +54,8 @@
dev_rw_input_dev(gpm_t)
dev_rw_mouse(gpm_t)
+files_read_etc_files(gpm_t)
+
fs_getattr_all_fs(gpm_t)
fs_search_auto_mountpoints(gpm_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.13/policy/modules/services/gpsd.fc
--- nsaserefpolicy/policy/modules/services/gpsd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/gpsd.fc 2009-05-21 09:48:24.000000000 -0400
@@ -0,0 +1,3 @@
+
+/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.13/policy/modules/services/gpsd.if
--- nsaserefpolicy/policy/modules/services/gpsd.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/gpsd.if 2009-05-21 09:48:24.000000000 -0400
@@ -0,0 +1,83 @@
+## gpsd monitor daemon
+
+########################################
+##
+## Execute a domain transition to run gpsd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`gpsd_domtrans',`
+ gen_require(`
+ type gpsd_t, gpsd_exec_t;
+ ')
+
+ domtrans_pattern($1, gpsd_exec_t, gpsd_t)
+')
+
+########################################
+##
+## Execute gpsd in the gpsd domain, and
+## allow the specified role the gpsd domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the gpsd domain.
+##
+##
+#
+interface(`gpsd_run',`
+ gen_require(`
+ type gpsd_t;
+ ')
+
+ gpsd_domtrans($1)
+ role $2 types gpsd_t;
+')
+
+########################################
+##
+## Read and write to gpsd shared memory.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`gpsd_rw_shm',`
+ gen_require(`
+ type gpsd_t;
+ ')
+
+ allow $1 gpsd_t:shm rw_shm_perms;
+')
+
+########################################
+##
+## Read/write gpsd tmpfs files.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`gpsd_rw_tmpfs_files',`
+ gen_require(`
+ type gpsd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 gpsd_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+ read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.13/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/gpsd.te 2009-05-21 09:48:24.000000000 -0400
@@ -0,0 +1,52 @@
+policy_module(gpsd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gpsd_t;
+type gpsd_exec_t;
+application_domain(gpsd_t, gpsd_exec_t)
+role system_r types gpsd_t;
+
+type gpsd_tmpfs_t;
+files_tmpfs_file(gpsd_tmpfs_t)
+
+########################################
+#
+# gpsd local policy
+#
+
+allow gpsd_t self:capability { setuid sys_nice setgid fowner };
+allow gpsd_t self:process setsched;
+allow gpsd_t self:shm create_shm_perms;
+allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow gpsd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file })
+
+corenet_tcp_bind_all_nodes(gpsd_t)
+corenet_tcp_bind_gpsd_port(gpsd_t)
+
+term_use_unallocated_ttys(gpsd_t)
+term_setattr_unallocated_ttys(gpsd_t)
+
+auth_use_nsswitch(gpsd_t)
+
+logging_send_syslog_msg(gpsd_t)
+
+miscfiles_read_localization(gpsd_t)
+
+optional_policy(`
+ ntpd_rw_shm(gpsd_t)
+ ntpd_rw_tmpfs_files(gpsd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(gpsd_t)
+')
+
+
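Review bot: `gpsd_t` is declared with `application_domain` and `role system_r types gpsd_t`, yet the binary is /usr/sbin/gpsd and the domain binds the gpsd port; with no `init_daemon_domain`, init-script type or pid type visible here, init will not transition into this domain when gpsd is started as a system service (inferred from the declarations in this hunk). If it is meant to run as a daemon, use `init_daemon_domain(gpsd_t, gpsd_exec_t)` instead. The `setuid setgid fowner` capabilities and `term_setattr_unallocated_ttys` also warrant a comment on the privilege drop and serial-device setup they serve, and `corenet_tcp_bind_gpsd_port` assumes a gpsd port is declared in corenetwork, which this diff does not show.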
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.13/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2008-11-19 11:51:44.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/hal.fc 2009-05-21 09:48:24.000000000 -0400
@@ -5,6 +5,7 @@
/usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0)
/usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0)
+/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0)
/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.13/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2008-11-19 11:51:44.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/hal.if 2009-05-21 09:48:24.000000000 -0400
@@ -20,6 +20,24 @@
########################################
##
+## Execute hal mac in the hal mac domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_domtrans_mac',`
+ gen_require(`
+ type hald_mac_t, hald_mac_exec_t;
+ ')
+
+ domtrans_pattern($1, hald_mac_exec_t, hald_mac_t)
+')
+
+########################################
+##
## Get the attributes of a hal process.
##
##
@@ -51,10 +69,7 @@
type hald_t;
')
- allow $1 hald_t:dir list_dir_perms;
- read_files_pattern($1, hald_t, hald_t)
- read_lnk_files_pattern($1, hald_t, hald_t)
- dontaudit $1 hald_t:process ptrace;
+ ps_process_pattern($1, hald_t)
')
########################################
@@ -170,6 +185,24 @@
########################################
##
+## Allo read/write to a hal unix datagram socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_rw_dgram_sockets',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ dontaudit $1 hald_t:unix_dgram_socket { read write };
+')
+
+########################################
+##
## Send to hal over a unix domain
## stream socket.
##
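Review bot: `hal_rw_dgram_sockets` is named and documented as allowing read/write on hald's unix datagram socket, but its body is a `dontaudit` rule, so a caller expecting access gets only silent denials. Either rename it to `hal_dontaudit_rw_dgram_sockets` with a matching description, or change the body to `allow $1 hald_t:unix_dgram_socket { read write };`. The description also has a typo: `Allo` should be `Allow`.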
@@ -340,3 +373,62 @@
files_search_pids($1)
allow $1 hald_var_run_t:file rw_file_perms;
')
+
+########################################
+##
+## Manage hald PID dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_manage_pid_dirs',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t)
+')
+
+########################################
+##
+## Manage hald PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_manage_pid_files',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
+')
+
+########################################
+##
+## Manage hald log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_create_log',`
+ gen_require(`
+ type hald_log_t;
+ ')
+
+ # log files for hald
+ manage_files_pattern($1, hald_log_t, hald_log_t)
+ logging_log_filetrans($1, hald_log_t, file)
+')
+
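Review bot: `hal_create_log` is documented as `Manage hald log files` and indeed grants `manage_files_pattern` on `hald_log_t`, so the name understates what it hands out; either rename it to `hal_manage_log_files` or narrow the rule to creation only, and make the description agree. The pid interfaces beside it each include `files_search_pids($1)` for the parent directory; whether this one needs an explicit `logging_search_logs($1)` depends on what `logging_log_filetrans` already grants, which is defined outside this diff and should be checked.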
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.13/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/hal.te 2009-05-21 09:48:24.000000000 -0400
@@ -49,6 +49,15 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
+typealias hald_log_t alias pmtools_log_t;
+typealias hald_var_run_t alias pmtools_var_run_t;
+
+type hald_dccm_t;
+type hald_dccm_exec_t;
+domain_type(hald_dccm_t)
+domain_entry_file(hald_dccm_t, hald_dccm_exec_t)
+role system_r types hald_dccm_t;
+
########################################
#
# Local policy
@@ -141,13 +150,19 @@
# hal is now execing pm-suspend
files_create_boot_flag(hald_t)
files_getattr_all_dirs(hald_t)
+files_getattr_all_files(hald_t)
files_read_kernel_img(hald_t)
files_rw_lock_dirs(hald_t)
+files_read_generic_pids(hald_t)
fs_getattr_all_fs(hald_t)
fs_search_all(hald_t)
fs_list_inotifyfs(hald_t)
fs_list_auto_mountpoints(hald_t)
+fs_mount_dos_fs(hald_t)
+fs_unmount_dos_fs(hald_t)
+fs_manage_dos_files(hald_t)
+
files_getattr_all_mountpoints(hald_t)
mls_file_read_all_levels(hald_t)
@@ -195,6 +210,7 @@
seutil_read_file_contexts(hald_t)
sysnet_read_config(hald_t)
+sysnet_domtrans_dhcpc(hald_t)
userdom_dontaudit_use_unpriv_user_fds(hald_t)
userdom_dontaudit_search_user_home_dirs(hald_t)
@@ -277,6 +293,17 @@
')
optional_policy(`
+ ppp_read_rw_config(hald_t)
+')
+
+optional_policy(`
+ polkit_domtrans_auth(hald_t)
+ polkit_domtrans_resolve(hald_t)
+ polkit_read_lib(hald_t)
+ polkit_read_reload(hald_t)
+')
+
+optional_policy(`
rpc_search_nfs_state_data(hald_t)
')
@@ -298,7 +325,11 @@
')
optional_policy(`
- virt_manage_images(hald_t)
+ virtual_manage_image(hald_t)
+')
+
+optional_policy(`
+ xserver_read_pid(hald_t)
')
########################################
@@ -306,7 +337,7 @@
# Hal acl local policy
#
-allow hald_acl_t self:capability { dac_override fowner };
+allow hald_acl_t self:capability { dac_override fowner sys_resource };
allow hald_acl_t self:process { getattr signal };
allow hald_acl_t self:fifo_file rw_fifo_file_perms;
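Review bot: The `sys_resource` capability added to `hald_acl_t` here, and `sys_admin` added to `hald_mac_t` in the `@@ -346,12 +380,18 @@` hunk below, carry no comment saying which operation needs them; `sys_admin` in particular is a very broad capability for a helper that previously needed only `setgid setuid`. A one-line why-comment above each, e.g. `# sys_admin needed for <operation seen in the denial>` with the placeholder filled from the motivating denial, would let a later reviewer drop the grant when the need disappears.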
@@ -321,6 +352,7 @@
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
+allow hald_t hald_var_run_t:dir mounton;
corecmd_exec_bin(hald_acl_t)
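Review bot: `allow hald_t hald_var_run_t:dir mounton;` is a rule for `hald_t` placed inside the "Hal acl local policy" section among `hald_acl_t` rules, so anyone auditing what `hald_t` may do will not find it here. Move it up beside the other `hald_t` rules on `hald_var_run_t` (that block is outside this hunk) and add a short comment on why hald mounts on its own PID directory.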
@@ -339,6 +371,8 @@
storage_getattr_removable_dev(hald_acl_t)
storage_setattr_removable_dev(hald_acl_t)
+storage_getattr_fixed_disk_dev(hald_acl_t)
+storage_setattr_fixed_disk_dev(hald_acl_t)
auth_use_nsswitch(hald_acl_t)
@@ -346,12 +380,18 @@
miscfiles_read_localization(hald_acl_t)
+optional_policy(`
+ polkit_domtrans_auth(hald_acl_t)
+ polkit_read_lib(hald_acl_t)
+ polkit_read_reload(hald_acl_t)
+')
+
########################################
#
# Local hald mac policy
#
-allow hald_mac_t self:capability { setgid setuid };
+allow hald_mac_t self:capability { setgid setuid sys_admin };
domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
allow hald_t hald_mac_t:process signal;
@@ -374,6 +414,8 @@
auth_use_nsswitch(hald_mac_t)
+logging_send_syslog_msg(hald_mac_t)
+
miscfiles_read_localization(hald_mac_t)
########################################
@@ -415,6 +457,55 @@
dev_rw_input_dev(hald_keymap_t)
+files_read_etc_files(hald_keymap_t)
files_read_usr_files(hald_keymap_t)
miscfiles_read_localization(hald_keymap_t)
+
+# This is caused by a bug in hald and PolicyKit.
+# Should be removed when this is fixed
+cron_read_system_job_lib_files(hald_t)
+
+########################################
+#
+# Local hald dccm policy
+#
+allow hald_dccm_t self:capability { net_bind_service };
+allow hald_dccm_t self:process getsched;
+allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
+allow hald_dccm_t self:udp_socket create_socket_perms;
+allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms;
+
+domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t)
+allow hald_t hald_dccm_t:process signal;
+allow hald_dccm_t hald_t:unix_stream_socket connectto;
+
+corenet_all_recvfrom_unlabeled(hald_dccm_t)
+corenet_all_recvfrom_netlabel(hald_dccm_t)
+corenet_tcp_sendrecv_generic_if(hald_dccm_t)
+corenet_udp_sendrecv_generic_if(hald_dccm_t)
+corenet_tcp_sendrecv_generic_node(hald_dccm_t)
+corenet_udp_sendrecv_generic_node(hald_dccm_t)
+corenet_tcp_sendrecv_all_ports(hald_dccm_t)
+corenet_udp_sendrecv_all_ports(hald_dccm_t)
+corenet_tcp_bind_generic_node(hald_dccm_t)
+corenet_udp_bind_generic_node(hald_dccm_t)
+corenet_udp_bind_dhcpc_port(hald_dccm_t)
+corenet_tcp_bind_ftps_port(hald_dccm_t)
+corenet_tcp_bind_dccm_port(hald_dccm_t)
+
+kernel_search_network_sysctl(hald_dccm_t)
+
+logging_send_syslog_msg(hald_dccm_t)
+
+manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
+files_search_var_lib(hald_dccm_t)
+
+write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t)
+
+files_read_usr_files(hald_dccm_t)
+
+miscfiles_read_localization(hald_dccm_t)
+
+permissive hald_dccm_t;
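Review bot: `permissive hald_dccm_t;` makes the entire new domain unenforced, so the rules above it are only logged and the allow list has not yet been validated against real denials. Mark it as temporary, e.g. `# TODO: remove once hald_dccm_t has run enforcing without denials`, so it is not forgotten and shipped as a permanently unconfined domain. The network rules also send/receive on all ports and bind the `dhcpc` and `ftps` ports for a daemon whose name suggests one service port; presumably that breadth came from permissive-mode tuning and should be narrowed before the permissive line is dropped.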
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.if serefpolicy-3.6.13/policy/modules/services/inetd.if
--- nsaserefpolicy/policy/modules/services/inetd.if 2008-09-03 07:59:15.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/inetd.if 2009-05-21 09:48:24.000000000 -0400
@@ -36,8 +36,7 @@
role system_r types $1;
domtrans_pattern(inetd_t, $2, $1)
-
- allow inetd_t $1:process sigkill;
+ allow inetd_t $1:process { siginh sigkill };
')
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.6.13/policy/modules/services/kerberos.fc
--- nsaserefpolicy/policy/modules/services/kerberos.fc 2009-03-23 13:47:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/kerberos.fc 2009-05-21 09:48:24.000000000 -0400
@@ -1,3 +1,6 @@
+HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+
/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0)
/etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0)
@@ -6,13 +9,14 @@
/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
/etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/kpropd -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
@@ -21,7 +25,7 @@
/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/var/kerberos/krb5kdc/principal\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.13/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/kerberos.if 2009-05-21 09:48:24.000000000 -0400
@@ -124,10 +124,12 @@
interface(`kerberos_read_config',`
gen_require(`
type krb5_conf_t;
+ type krb5_home_t;
')
files_search_etc($1)
allow $1 krb5_conf_t:file read_file_perms;
+ allow $1 krb5_home_t:file read_file_perms;
')
########################################
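Review bot: Adding `krb5_home_t:file read_file_perms` to `kerberos_read_config` widens every existing caller of a "read configuration" interface to also read users' `~/.k5login` (labelled `krb5_home_t` in the kerberos.fc hunk above), which is user home content rather than system configuration. A separate interface such as `kerberos_read_home_content`, called only by the domains that actually evaluate `.k5login`, would keep the read-config grant minimal. Note also that `read_file_perms` alone gives no search on the home directory, so callers are presumably expected to already have `userdom_search_user_home_dirs`.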
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.13/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2009-03-23 13:47:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/kerberos.te 2009-05-21 09:48:24.000000000 -0400
@@ -33,6 +33,7 @@
type kpropd_t;
type kpropd_exec_t;
init_daemon_domain(kpropd_t, kpropd_exec_t)
+domain_obj_id_change_exemption(kpropd_t)
type krb5_conf_t;
files_type(krb5_conf_t)
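Review bot: `domain_obj_id_change_exemption(kpropd_t)` is added with no comment explaining why kpropd needs to be exempt from the constraints on changing an object's SELinux user/role, which is a privilege few daemons should hold. A why-comment such as `# kpropd relabels <object> when receiving a propagated database` (placeholder filled from the motivating denial) would make the grant reviewable and removable later.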
@@ -69,6 +70,9 @@
type krb5kdc_var_run_t;
files_pid_file(krb5kdc_var_run_t)
+type krb5_home_t;
+userdom_user_home_content(krb5_home_t)
+
########################################
#
# kadmind local policy
@@ -281,6 +285,7 @@
allow kpropd_t krb5_keytab_t:file read_file_perms;
+manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
corecmd_exec_bin(kpropd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.6.13/policy/modules/services/kerneloops.if
--- nsaserefpolicy/policy/modules/services/kerneloops.if 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/kerneloops.if 2009-05-21 09:48:24.000000000 -0400
@@ -63,6 +63,25 @@
########################################
##
+## Allow domain to manage kerneloops tmp files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`kerneloops_manage_tmp_files',`
+ gen_require(`
+ type kerneloops_tmp_t;
+ ')
+
+ manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t)
+ files_search_tmp($1)
+')
+
+########################################
+##
## All of the rules required to administrate
## an kerneloops environment
##
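Review bot: The parameter description of the new `kerneloops_manage_tmp_files` reads "Domain to not audit.", but the interface is an allow-style one (`manage_files_pattern`), so the doc looks copied from a dontaudit template; change it to `## Domain allowed access.` as the other interfaces in this patch use. The summary "Allow domain to manage kerneloops tmp files" should also end with a period to match the surrounding style.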
@@ -81,6 +100,7 @@
interface(`kerneloops_admin',`
gen_require(`
type kerneloops_t, kerneloops_initrc_exec_t;
+ type kerneloops_tmp_t;
')
allow $1 kerneloops_t:process { ptrace signal_perms };
@@ -90,4 +110,7 @@
domain_system_change_exemption($1)
role_transition $2 kerneloops_initrc_exec_t system_r;
allow $2 system_r;
+
+ admin_pattern($1, kerneloops_tmp_t)
')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.13/policy/modules/services/kerneloops.te
--- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/kerneloops.te 2009-05-21 09:48:24.000000000 -0400
@@ -13,6 +13,9 @@
type kerneloops_initrc_exec_t;
init_script_file(kerneloops_initrc_exec_t)
+type kerneloops_tmp_t;
+files_tmp_file(kerneloops_tmp_t)
+
########################################
#
# kerneloops local policy
@@ -21,10 +24,14 @@
allow kerneloops_t self:capability sys_nice;
allow kerneloops_t self:process { setsched getsched signal };
allow kerneloops_t self:fifo_file rw_file_perms;
-allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
+files_tmp_filetrans(kerneloops_t,kerneloops_tmp_t,file)
kernel_read_ring_buffer(kerneloops_t)
+fs_list_inotifyfs(kerneloops_t)
+
# Init script handling
domain_use_interactive_fds(kerneloops_t)
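Review bot: `files_tmp_filetrans(kerneloops_t,kerneloops_tmp_t,file)` omits the spaces after commas that every other macro call in this hunk uses; write it as `files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)`. The removal of the `netlink_route_socket` rule presumably relies on the `auth_use_nsswitch(kerneloops_t)` added in the next hunk; a brief comment there, e.g. `# auth_use_nsswitch covers the netlink_route_socket access`, would keep the next reader from assuming it was dropped by accident.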
@@ -38,14 +45,13 @@
files_read_etc_files(kerneloops_t)
+auth_use_nsswitch(kerneloops_t)
+
logging_send_syslog_msg(kerneloops_t)
logging_read_generic_logs(kerneloops_t)
miscfiles_read_localization(kerneloops_t)
-sysnet_dns_name_resolve(kerneloops_t)
-
optional_policy(`
- dbus_system_bus_client(kerneloops_t)
- dbus_connect_system_bus(kerneloops_t)
+ dbus_system_domain(kerneloops_t, kerneloops_exec_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.13/policy/modules/services/ktalk.te
--- nsaserefpolicy/policy/modules/services/ktalk.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/ktalk.te 2009-05-21 09:48:24.000000000 -0400
@@ -69,6 +69,7 @@
files_read_etc_files(ktalkd_t)
term_search_ptys(ktalkd_t)
+term_use_all_terms(ktalkd_t)
auth_use_nsswitch(ktalkd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.13/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 2009-05-21 08:43:08.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/lircd.te 2009-05-21 09:48:24.000000000 -0400
@@ -42,7 +42,16 @@
# /dev/lircd socket
manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
dev_filetrans(lircd_t, lircd_sock_t, sock_file )
+dev_read_generic_usb_dev(lircd_t)
logging_send_syslog_msg(lircd_t)
+files_read_etc_files(lircd_t)
+files_list_var(lircd_t)
+files_manage_generic_locks(lircd_t)
+files_read_all_locks(lircd_t)
+
+fs_list_inotifyfs(lircd_t)
+
miscfiles_read_localization(lircd_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.6.13/policy/modules/services/lpd.if
--- nsaserefpolicy/policy/modules/services/lpd.if 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/lpd.if 2009-05-21 09:48:24.000000000 -0400
@@ -134,6 +134,7 @@
files_search_spool($1)
manage_dirs_pattern($1, print_spool_t, print_spool_t)
manage_files_pattern($1, print_spool_t, print_spool_t)
+ manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
')
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.13/policy/modules/services/mailman.fc
--- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/mailman.fc 2009-05-21 09:48:24.000000000 -0400
@@ -31,3 +31,4 @@
/var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
')
+/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.13/policy/modules/services/mailman.if
--- nsaserefpolicy/policy/modules/services/mailman.if 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/mailman.if 2009-05-21 09:48:24.000000000 -0400
@@ -31,6 +31,12 @@
allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
allow mailman_$1_t self:udp_socket create_socket_perms;
+ files_search_spool(mailman_$1_t)
+
+ manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+ manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+ manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+
manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
@@ -64,6 +70,7 @@
corenet_sendrecv_smtp_client_packets(mailman_$1_t)
fs_getattr_xattr_fs(mailman_$1_t)
+ fs_list_inotifyfs(mailman_$1_t)
corecmd_exec_all_executables(mailman_$1_t)
@@ -191,6 +198,7 @@
')
read_files_pattern($1, mailman_data_t, mailman_data_t)
+ read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
')
#######################################
@@ -209,6 +217,7 @@
type mailman_data_t;
')
+ manage_dirs_pattern($1, mailman_data_t, mailman_data_t)
manage_files_pattern($1, mailman_data_t, mailman_data_t)
')
@@ -250,6 +259,25 @@
#######################################
##
+## read
+## mailman logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mailman_read_log',`
+ gen_require(`
+ type mailman_log_t;
+ ')
+
+ read_files_pattern($1, mailman_log_t, mailman_log_t)
+')
+
+#######################################
+##
## Append to mailman logs.
##
##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.13/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/mailman.te 2009-05-21 09:48:24.000000000 -0400
@@ -53,10 +53,8 @@
apache_use_fds(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
apache_search_sys_script_state(mailman_cgi_t)
-
- optional_policy(`
- nscd_socket_use(mailman_cgi_t)
- ')
+ apache_read_config(mailman_cgi_t)
+ apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
')
########################################
@@ -65,15 +63,31 @@
#
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+allow mailman_mail_t initrc_t:process signal;
+allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
+
+files_search_spool(mailman_mail_t)
+fs_rw_anon_inodefs_files(mailman_mail_t)
+fs_list_inotifyfs(mailman_mail_t)
+
+manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
+mta_dontaudit_rw_queue(mailman_mail_t)
-ifdef(`TODO',`
optional_policy(`
- allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
- # do we really need this?
- allow mailman_mail_t qmail_lspawn_t:fifo_file write;
+ courier_read_spool(mailman_mail_t)
')
+
+optional_policy(`
+ postfix_search_spool(mailman_mail_t)
+')
+
+optional_policy(`
+ cron_read_pipes(mailman_mail_t)
')
########################################
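Review bot: `allow mailman_mail_t initrc_t:process signal;` references `initrc_t` directly rather than through an init-module interface, which couples mailman.te to another module's type name and requires a `gen_require` block that is not visible in this hunk; prefer the init module's interface for signalling scripts, in the style of the `init_stream_connect_script` call used later in this patch. The capability set `{ kill dac_override setuid setgid sys_tty_config }` also arrives with no comment; `kill` and `sys_tty_config` in particular deserve a why-line above the rule naming the operation that needs each.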
@@ -99,11 +113,15 @@
# for su
seutil_dontaudit_search_config(mailman_queue_t)
+su_exec(mailman_queue_t)
+
# some of the following could probably be changed to dontaudit, someone who
# knows mailman well should test this out and send the changes
userdom_search_user_home_dirs(mailman_queue_t)
-su_exec(mailman_queue_t)
+optional_policy(`
+ apache_read_config(mailman_queue_t)
+')
optional_policy(`
cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.6.13/policy/modules/services/milter.fc
--- nsaserefpolicy/policy/modules/services/milter.fc 2009-05-21 08:43:08.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/milter.fc 2009-05-21 09:48:24.000000000 -0400
@@ -1,8 +1,15 @@
/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
-
/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
+/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/lib/miltermilter.* gen_context(system_u:object_r:spamass_milter_state_t,s0)
+
+/var/run/milter.* -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
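Review bot: `/var/lib/miltermilter.*` looks like a typo — the doubled "milter" matches no plausible path, and from the neighbouring entries the intent was presumably `/var/lib/milter.*` labelled `spamass_milter_state_t`. As written the entry is dead and the files it was meant to cover keep their default label.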
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.6.13/policy/modules/services/milter.if
--- nsaserefpolicy/policy/modules/services/milter.if 2009-05-21 08:43:08.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/milter.if 2009-05-21 09:48:24.000000000 -0400
@@ -24,7 +24,7 @@
# Type for the milter data (e.g. the socket used to communicate with the MTA)
type $1_milter_data_t, milter_data_type;
- files_type($1_milter_data_t);
+ files_type($1_milter_data_t)
allow $1_milter_t self:fifo_file rw_fifo_file_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.6.13/policy/modules/services/milter.te
--- nsaserefpolicy/policy/modules/services/milter.te 2009-05-21 08:43:08.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/milter.te 2009-05-21 09:48:24.000000000 -0400
@@ -63,3 +63,40 @@
# The main job of the milter is to pipe spam through spamc and act on the result
spamassassin_domtrans_client(spamass_milter_t)
+
+########################################
+#
+# milter-greylist Declarations
+#
+
+milter_template(greylist)
+
+########################################
+#
+# milter-greylist local policy
+# ensure smtp clients retry mail like real MTAs and not spamware
+# http://hcpnet.free.fr/milter-greylist/
+#
+
+# Look up username for dropping privs
+auth_use_nsswitch(greylist_milter_t)
+
+# It creates a pid file /var/run/milter-greylist.pid
+files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
+
+# It removes any existing socket (not owned by root) whilst running as root,
+# fixes permissions, renices itself and then calls setgid() and setuid() to
+# drop privileges
+kernel_read_kernel_sysctls(greylist_milter_t)
+allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
+allow greylist_milter_t self:process { setsched getsched };
+
+# Allow the milter to read a GeoIP database in /usr/share
+files_read_usr_files(greylist_milter_t)
+
+# The milter runs from /var/lib/milter-greylist and maintains files there
+files_search_var_lib(greylist_milter_t);
+
+# Config is in /etc/mail/greylist.conf
+mta_read_config(greylist_milter_t)
+
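Review bot: `files_search_var_lib(greylist_milter_t);` ends with a semicolon, the exact inconsistency the milter.if hunk above fixes for `files_type($1_milter_data_t)`; interface calls in this policy take no trailing semicolon, so drop it. The comment says the milter "maintains files there", but no rule on `greylist_milter_data_t` under /var/lib appears in this hunk — presumably `milter_template(greylist)` provides the manage rules; if it does not, the runtime files would be denied.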
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.13/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2008-09-12 10:48:05.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/mta.fc 2009-05-21 09:48:24.000000000 -0400
@@ -1,4 +1,4 @@
-/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
@@ -10,10 +10,13 @@
')
/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
@@ -22,7 +25,5 @@
/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
-
-#ifdef(`postfix.te', `', `
-#/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
-#')
+HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
+/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.13/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/mta.if 2009-05-21 09:48:24.000000000 -0400
@@ -130,6 +130,15 @@
sendmail_create_log($1_mail_t)
')
+ optional_policy(`
+ exim_read_log($1_mail_t)
+ exim_append_log($1_mail_t)
+ exim_manage_spool_files($1_mail_t)
+ ')
+
+ optional_policy(`
+ uucp_manage_spool($1_mail_t)
+ ')
')
########################################
@@ -302,11 +311,13 @@
allow $1 mail_spool_t:dir list_dir_perms;
create_files_pattern($1, mail_spool_t, mail_spool_t)
read_files_pattern($1, mail_spool_t, mail_spool_t)
+ append_files_pattern($1, mail_spool_t, mail_spool_t)
create_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
optional_policy(`
dovecot_manage_spool($1)
+ dovecot_domtrans_deliver($1)
')
optional_policy(`
@@ -341,6 +352,7 @@
# apache should set close-on-exec
apache_dontaudit_rw_stream_sockets($1)
apache_dontaudit_rw_sys_script_stream_sockets($1)
+ apache_append_log($1)
')
')
@@ -446,6 +458,25 @@
########################################
##
+## write mail server configuration.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mta_write_config',`
+ gen_require(`
+ type etc_mail_t;
+ ')
+
+ write_files_pattern($1, etc_mail_t, etc_mail_t)
+')
+
+########################################
+##
## Read mail address aliases.
##
##
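Review bot: `mta_write_config` grants `write_files_pattern` on `etc_mail_t` but no search permission on /etc, unlike `kerberos_read_config` in this patch which pairs its file rule with `files_search_etc($1)`; a caller that does not already search etc is denied before it reaches the file. Add `files_search_etc($1)` before the pattern call. The summary also starts lowercase ("write mail server configuration.") while the neighbouring interfaces capitalise.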
@@ -591,8 +622,8 @@
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
- allow $1 mail_spool_t:lnk_file read;
- allow $1 mail_spool_t:file getattr;
+ getattr_files_pattern($1, mail_spool_t, mail_spool_t)
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
########################################
@@ -612,7 +643,7 @@
')
files_dontaudit_search_spool($1)
- dontaudit $1 mail_spool_t:dir search;
+ dontaudit $1 mail_spool_t:dir search_dir_perms;
dontaudit $1 mail_spool_t:lnk_file read;
dontaudit $1 mail_spool_t:file getattr;
')
@@ -665,7 +696,7 @@
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
allow $1 mail_spool_t:file setattr;
- rw_files_pattern($1, mail_spool_t, mail_spool_t)
+ manage_files_pattern($1, mail_spool_t, mail_spool_t)
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
@@ -806,6 +837,7 @@
')
files_search_spool($1)
+ manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.13/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/mta.te 2009-05-21 09:48:24.000000000 -0400
@@ -27,6 +27,9 @@
type mail_spool_t;
files_mountpoint(mail_spool_t)
+type mail_forward_t, mailcontent_type;
+files_type(mail_forward_t)
+
type sendmail_exec_t;
mta_agent_executable(sendmail_exec_t)
@@ -47,34 +50,49 @@
#
# newalias required this, not sure if it is needed in 'if' file
-allow system_mail_t self:capability { dac_override };
+allow system_mail_t self:capability { dac_override fowner };
+allow system_mail_t self:fifo_file rw_fifo_file_perms;
read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
+read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
allow system_mail_t mta_exec_type:file entrypoint;
-allow system_mail_t mailcontent_type:file read_file_perms;
+can_exec(system_mail_t, mta_exec_type)
+
+files_read_all_tmp_files(system_mail_t)
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
+dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
+fs_rw_anon_inodefs_files(system_mail_t)
+fs_list_inotifyfs(system_mail_t)
+
+selinux_getattr_fs(system_mail_t)
+
init_use_script_ptys(system_mail_t)
userdom_use_user_terminals(system_mail_t)
userdom_dontaudit_search_user_home_dirs(system_mail_t)
+userdom_dontaudit_list_admin_dir(system_mail_t)
+
+logging_append_all_logs(system_mail_t)
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
apache_append_squirrelmail_data(system_mail_t)
+ apache_search_bugzilla_dirs(system_mail_t)
# apache should set close-on-exec
apache_dontaudit_append_log(system_mail_t)
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
+ apache_dontaudit_rw_bugzilla_script_stream_sockets(system_mail_t)
')
optional_policy(`
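Review bot: `files_read_all_tmp_files(system_mail_t)` and `logging_append_all_logs(system_mail_t)` are broad grants for a domain that many other domains transition into to send mail, so every such caller effectively gains read on every tmp file type and append on every log type via the mail path. The neighbouring rules are specific (`cron_read_system_job_tmp_files`, `logrotate_read_tmp_files`, `exim_manage_log`), which suggests these two were added for particular callers; a comment naming them, or per-module interfaces inside `optional_policy` blocks like the rest of the file, would keep the widening reviewable. `can_exec(system_mail_t, mta_exec_type)` could likewise use a one-line why-comment.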
@@ -88,6 +106,13 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
+ cron_rw_system_stream_sockets(system_mail_t)
+')
+
+optional_policy(`
+ courier_manage_spool_dirs(system_mail_t)
+ courier_manage_spool_files(system_mail_t)
+ courier_rw_spool_pipes(system_mail_t)
')
optional_policy(`
@@ -95,6 +120,11 @@
')
optional_policy(`
+ exim_domtrans(system_mail_t)
+ exim_manage_log(system_mail_t)
+')
+
+optional_policy(`
logrotate_read_tmp_files(system_mail_t)
')
@@ -132,10 +162,6 @@
# compatability for old default main.cf
postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
')
-
- optional_policy(`
- cron_rw_tcp_sockets(system_mail_t)
- ')
')
optional_policy(`
@@ -155,6 +181,19 @@
')
optional_policy(`
+ clamav_stream_connect(system_mail_t)
+ clamav_append_log(system_mail_t)
+')
+
+optional_policy(`
+ fail2ban_append_log(system_mail_t)
+ ')
+
+ optional_policy(`
+ spamd_stream_connect(system_mail_t)
+')
+
+optional_policy(`
smartmon_read_tmp_files(system_mail_t)
')
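Review bot: The `fail2ban_append_log` and `spamd_stream_connect` `optional_policy` blocks are indented inconsistently — the closing `')` after `fail2ban_append_log` and the `optional_policy(` line for spamd carry leading whitespace (visible as `+ ')` and `+ optional_policy(` in the hunk) that the sibling blocks do not. Reformat them to the file's layout of column-0 `optional_policy(`, indented body, column-0 `')`.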
@@ -174,6 +213,25 @@
')
')
+read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+userdom_search_admin_dir(mailserver_delivery)
+read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
+
+init_stream_connect_script(mailserver_delivery)
+init_rw_script_stream_sockets(mailserver_delivery)
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mailserver_delivery)
+ fs_manage_cifs_files(mailserver_delivery)
+ fs_manage_cifs_symlinks(mailserver_delivery)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mailserver_delivery)
+ fs_manage_nfs_files(mailserver_delivery)
+ fs_manage_nfs_symlinks(mailserver_delivery)
+')
+
########################################
#
# User send mail local policy
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.13/policy/modules/services/munin.fc
--- nsaserefpolicy/policy/modules/services/munin.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/munin.fc 2009-05-21 09:48:24.000000000 -0400
@@ -1,4 +1,5 @@
/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
+/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0)
/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
@@ -6,6 +7,8 @@
/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0)
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
-/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0)
+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
-/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.6.13/policy/modules/services/munin.if
--- nsaserefpolicy/policy/modules/services/munin.if 2009-03-12 11:16:47.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/munin.if 2009-05-21 09:48:24.000000000 -0400
@@ -59,8 +59,9 @@
type munin_log_t;
')
- allow $1 munin_log_t:file append_file_perms;
logging_search_logs($1)
+ allow $1 munin_log_t:dir list_dir_perms;
+ append_files_pattern($1, munin_log_t, munin_log_t)
')
#######################################
@@ -100,3 +101,55 @@
dontaudit $1 munin_var_lib_t:dir search_dir_perms;
')
+
+########################################
+##
+## All of the rules required to administrate
+## an munin environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the munin domain.
+##
+##
+##
+#
+interface(`munin_admin',`
+ gen_require(`
+ type munin_t, munin_etc_t, munin_tmp_t;
+ type munin_log_t, munin_var_lib_t, munin_var_run_t;
+ type httpd_munin_content_t;
+ type munin_initrc_exec_t;
+ ')
+
+ allow $1 munin_t:process { ptrace signal_perms };
+ ps_process_pattern($1, munin_t)
+
+ init_labeled_script_domtrans($1, munin_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 munin_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, munin_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, munin_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, munin_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, munin_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, munin_var_run_t)
+
+ admin_pattern($1, httpd_munin_content_t)
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.13/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2009-03-12 11:16:47.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/munin.te 2009-05-21 09:48:24.000000000 -0400
@@ -13,6 +13,9 @@
type munin_etc_t alias lrrd_etc_t;
files_config_file(munin_etc_t)
+type munin_initrc_exec_t;
+init_script_file(munin_initrc_exec_t)
+
type munin_log_t alias lrrd_log_t;
logging_log_file(munin_log_t)
@@ -30,21 +33,25 @@
# Local policy
#
-allow munin_t self:capability { setgid setuid };
+allow munin_t self:capability { chown dac_override setgid setuid sys_rawio };
dontaudit munin_t self:capability sys_tty_config;
allow munin_t self:process { getsched setsched signal_perms };
allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
allow munin_t self:tcp_socket create_stream_socket_perms;
allow munin_t self:udp_socket create_socket_perms;
+allow munin_t self:fifo_file manage_fifo_file_perms;
+
+can_exec(munin_t, munin_exec_t)
allow munin_t munin_etc_t:dir list_dir_perms;
read_files_pattern(munin_t, munin_etc_t, munin_etc_t)
read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t)
files_search_etc(munin_t)
-allow munin_t munin_log_t:file manage_file_perms;
-logging_log_filetrans(munin_t, munin_log_t, file)
+manage_dirs_pattern(munin_t, munin_log_t, munin_log_t)
+manage_files_pattern(munin_t, munin_log_t, munin_log_t)
+logging_log_filetrans(munin_t, munin_log_t, { file dir })
manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t)
manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
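Review bot: The capability line at the top of this hunk now grants munin_t sys_rawio and dac_override in addition to chown, with nothing in the module recording why a monitoring daemon that also listens on a network port needs raw device access. sys_rawio is effectively disk-level root, and a later hunk in this file adds fstools_domtrans(munin_t), which would already run disk-probing tools in fstools_t; if the raw access is only for plugins such as hddtemp or smartctl (inferred from the fstools change, not visible here), the direct sys_rawio on munin_t may be unnecessary. At minimum add a why-comment, e.g. `# sys_rawio/dac_override: needed by disk and sensor plugins executed directly under munin_t`, and consider gating it behind a tunable so sites without such plugins do not carry the grant.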
@@ -61,9 +68,11 @@
files_pid_filetrans(munin_t, munin_var_run_t, file)
kernel_read_system_state(munin_t)
-kernel_read_kernel_sysctls(munin_t)
+kernel_read_network_state(munin_t)
+kernel_read_all_sysctls(munin_t)
corecmd_exec_bin(munin_t)
+corecmd_exec_shell(munin_t)
corenet_all_recvfrom_unlabeled(munin_t)
corenet_all_recvfrom_netlabel(munin_t)
@@ -73,24 +82,36 @@
corenet_udp_sendrecv_generic_node(munin_t)
corenet_tcp_sendrecv_all_ports(munin_t)
corenet_udp_sendrecv_all_ports(munin_t)
+corenet_tcp_bind_munin_port(munin_t)
+corenet_tcp_connect_munin_port(munin_t)
+corenet_tcp_connect_http_port(munin_t)
+corenet_tcp_bind_generic_node(munin_t)
dev_read_sysfs(munin_t)
dev_read_urand(munin_t)
+fs_list_inotifyfs(munin_t)
domain_use_interactive_fds(munin_t)
+domain_read_all_domains_state(munin_t)
files_read_etc_files(munin_t)
files_read_etc_runtime_files(munin_t)
files_read_usr_files(munin_t)
+files_list_spool(munin_t)
fs_getattr_all_fs(munin_t)
fs_search_auto_mountpoints(munin_t)
+auth_use_nsswitch(munin_t)
+
logging_send_syslog_msg(munin_t)
+logging_read_all_logs(munin_t)
+miscfiles_read_fonts(munin_t)
miscfiles_read_localization(munin_t)
-sysnet_read_config(munin_t)
+sysnet_exec_ifconfig(munin_t)
+netutils_domtrans_ping(munin_t)
userdom_dontaudit_use_unpriv_user_fds(munin_t)
userdom_dontaudit_search_user_home_dirs(munin_t)
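Review bot: logging_read_all_logs(munin_t) and domain_read_all_domains_state(munin_t) give a network-reachable daemon (this same hunk binds munin_t to the munin port on a generic node) read access to every log file, including authentication logs, and to every process's state. Munin plugins are scripts run through the corecmd_exec_shell added earlier in this file, so a buggy or malicious plugin inherits the same reach. If only particular logs are needed, prefer the per-module read interfaces (sendmail_read_log is already added later in this file); otherwise record the decision with a comment such as `# plugins graph arbitrary log files; read access to all logs is intentional` so it is not silently narrowed or widened later.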
@@ -105,7 +126,31 @@
')
optional_policy(`
- nis_use_ypbind(munin_t)
+ fstools_domtrans(munin_t)
+')
+
+optional_policy(`
+ mta_read_config(munin_t)
+ mta_send_mail(munin_t)
+ mta_read_queue(munin_t)
+')
+
+optional_policy(`
+ mysql_read_config(munin_t)
+ mysql_stream_connect(munin_t)
+')
+
+optional_policy(`
+ postfix_list_spool(munin_t)
+ postfix_getattr_spool_files(munin_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(munin_t)
+')
+
+optional_policy(`
+ sendmail_read_log(munin_t)
')
optional_policy(`
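Review bot: sendmail_read_log(munin_t) in the new optional_policy block is redundant with logging_read_all_logs(munin_t) added in the preceding hunk, which already covers sendmail's log files. Keeping both obscures which grant is actually in force; either drop the sendmail-specific call or narrow the earlier grant to the log types the plugins really read and keep this one. The optional_policy block that begins on the last line of this hunk continues outside it.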
@@ -115,3 +160,10 @@
optional_policy(`
udev_read_db(munin_t)
')
+
+#============= http munin policy ==============
+apache_content_template(munin)
+
+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.13/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/nagios.fc 2009-05-21 09:48:24.000000000 -0400
@@ -1,16 +1,19 @@
/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
-/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
-/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+
+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
ifdef(`distro_debian',`
/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
')
+/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.13/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/nagios.if 2009-05-21 09:48:24.000000000 -0400
@@ -44,7 +44,7 @@
########################################
##
-## Execute the nagios CGI with
+## Execute the nagios NRPE with
## a domain transition.
##
##
@@ -53,18 +53,37 @@
##
##
#
-interface(`nagios_domtrans_cgi',`
+interface(`nagios_domtrans_nrpe',`
gen_require(`
- type nagios_cgi_t, nagios_cgi_exec_t;
+ type nrpe_t, nrpe_exec_t;
')
- domtrans_pattern($1, nagios_cgi_exec_t, nagios_cgi_t)
+ domtrans_pattern($1, nrpe_exec_t, nrpe_t)
')
########################################
##
-## Execute the nagios NRPE with
-## a domain transition.
+## Do not audit attempts to read and write
+## NAGIOS unnamed pipes.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`nagios_dontaudit_rw_pipes',`
+
+ gen_require(`
+ type nagios_t;
+ ')
+
+ dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+##
+## Search nagios spool directories.
##
##
##
@@ -72,10 +91,63 @@
##
##
#
-interface(`nagios_domtrans_nrpe',`
+interface(`nagios_search_spool',`
gen_require(`
- type nrpe_t, nrpe_exec_t;
+ type nagios_spool_t;
')
- domtrans_pattern($1, nrpe_exec_t, nrpe_t)
+ allow $1 nagios_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an nagios environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the nagios domain.
+##
+##
+##
+#
+interface(`nagios_admin',`
+ gen_require(`
+ type nagios_t, nrpe_t;
+ type nagios_tmp_t, nagios_log_t;
+ type nagios_etc_t, nrpe_etc_t;
+ type nagios_spool_t, nagios_var_run_t;
+ type nagios_initrc_exec_t;
+ ')
+
+ allow $1 nagios_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nagios_t)
+
+ init_labeled_script_domtrans($1, nagios_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 nagios_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, nagios_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, nagios_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, nagios_etc_t)
+
+ files_list_spool($1)
+ admin_pattern($1, nagios_spool_t)
+
+ files_list_pids($1)
+ admin_pattern($1, nagios_var_run_t)
+
+ admin_pattern($1, nrpe_etc_t)
')
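Review bot: nagios_admin requires nrpe_t but never uses it; the ptrace/signal_perms and ps_process_pattern grants cover only nagios_t, so a role given this interface cannot inspect or signal the nrpe daemon even though the nrpe init script is labelled nagios_initrc_exec_t in the .fc change. Either add `allow $1 nrpe_t:process { ptrace signal_perms };` and `ps_process_pattern($1, nrpe_t)` beside the nagios_t lines, or drop nrpe_t from the gen_require. ptrace on a daemon is a strong grant for an admin role; it matches the other _admin interfaces in this patch, but a one-line comment saying so would help.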
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.13/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/nagios.te 2009-05-21 09:48:24.000000000 -0400
@@ -10,13 +10,12 @@
type nagios_exec_t;
init_daemon_domain(nagios_t, nagios_exec_t)
-type nagios_cgi_t;
-type nagios_cgi_exec_t;
-init_system_domain(nagios_cgi_t, nagios_cgi_exec_t)
-
type nagios_etc_t;
files_config_file(nagios_etc_t)
+type nagios_initrc_exec_t;
+init_script_file(nagios_initrc_exec_t)
+
type nagios_log_t;
logging_log_file(nagios_log_t)
@@ -26,6 +25,9 @@
type nagios_var_run_t;
files_pid_file(nagios_var_run_t)
+type nagios_spool_t;
+files_type(nagios_spool_t)
+
type nrpe_t;
type nrpe_exec_t;
init_daemon_domain(nrpe_t, nrpe_exec_t)
@@ -60,6 +62,8 @@
manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
+rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+
kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)
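Review bot: nagios_t only gets rw_fifo_files_pattern on nagios_spool_t; if the daemon creates its external-command pipe under /var/spool/nagios at startup (I believe it does, but that is not visible here), the create will be denied and the web CGI will have nothing to write to. If so, use `manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)` and make sure nagios_t can search /var/spool (files_search_spool is granted to the CGI side in a later hunk but not visibly to nagios_t). A short comment that this fifo is the command interface written by the web front end would explain why the spool type exists at all.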
@@ -127,39 +131,34 @@
#
# Nagios CGI local policy
#
+apache_content_template(nagios)
+typealias httpd_nagios_script_t alias nagios_cgi_t;
+typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;
-allow nagios_cgi_t self:process signal_perms;
-allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;
+allow httpd_nagios_script_t self:process signal_perms;
-read_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
-allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
+files_search_spool(httpd_nagios_script_t)
+rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
-allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
+allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
-kernel_read_system_state(nagios_cgi_t)
+allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
-corecmd_exec_bin(nagios_cgi_t)
+kernel_read_system_state(httpd_nagios_script_t)
-domain_dontaudit_read_all_domains_state(nagios_cgi_t)
+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
-files_read_etc_files(nagios_cgi_t)
-files_read_etc_runtime_files(nagios_cgi_t)
-files_read_kernel_symbol_table(nagios_cgi_t)
+files_read_etc_runtime_files(httpd_nagios_script_t)
+files_read_kernel_symbol_table(httpd_nagios_script_t)
-logging_send_syslog_msg(nagios_cgi_t)
-logging_search_logs(nagios_cgi_t)
-
-miscfiles_read_localization(nagios_cgi_t)
-
-optional_policy(`
- apache_append_log(nagios_cgi_t)
-')
+logging_send_syslog_msg(httpd_nagios_script_t)
########################################
#
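Review bot: The calls `read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)` and `read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)` pass nagios_etc_t as the directory type for nagios_log_t files; the pattern's middle argument is the directory type, so these should be `read_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)` and its lnk counterpart. The mistake is carried over from the removed nagios_cgi_t lines and only works because the list_dir_perms on nagios_log_t just above happens to supply search. Separately, rw_fifo_files_pattern on nagios_spool_t is what lets the web-facing CGI write into the daemon's command pipe; that is by design, but it deserves a comment noting that Nagios's own cgi.cfg authorization is presumably the only control over who can submit commands through it.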
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.13/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-09-24 09:07:28.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/networkmanager.fc 2009-05-21 09:48:24.000000000 -0400
@@ -1,12 +1,25 @@
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0)
+/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t, s0)
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
+/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+
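Review bot: `/etc/NetworkManager/dispatcher\.d(/.*)` lacks the trailing `?` that every other directory entry in this file uses, so the dispatcher.d directory itself is never matched and only its contents are labelled; write `/etc/NetworkManager/dispatcher\.d(/.*)?` if that is intended, or add a comment if the directory is meant to keep the default etc label. `/usr/libexec/nm-dispatcher.action` also leaves its dot unescaped, unlike the neighbouring entries. Labelling dispatcher scripts NetworkManager_initrc_exec_t means they run through the init-script transition (see the networkmanager_initrc_domtrans interface added in this patch), so anything able to write into that directory gains that domain; a comment recording this would help the next maintainer judge future changes.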
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.13/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/networkmanager.if 2009-05-21 09:48:24.000000000 -0400
@@ -118,6 +118,24 @@
########################################
##
+## Execute NetworkManager scripts with an automatic domain transition to initrc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`networkmanager_initrc_domtrans',`
+ gen_require(`
+ type NetworkManager_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+')
+
+########################################
+##
## Read NetworkManager PID files.
##
##
@@ -134,3 +152,30 @@
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
+
+########################################
+##
+## Execute NetworkManager in the NetworkManager domain, and
+## allow the specified role the NetworkManager domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed the NetworkManager domain.
+##
+##
+##
+#
+interface(`networkmanager_run',`
+ gen_require(`
+ type NetworkManager_t, NetworkManager_exec_t;
+ ')
+
+ networkmanager_domtrans($1)
+ role $2 types NetworkManager_t;
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.13/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/networkmanager.te 2009-05-21 09:48:24.000000000 -0400
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
+type NetworkManager_var_lib_t;
+files_type(NetworkManager_var_lib_t)
+
type NetworkManager_var_run_t;
files_pid_file(NetworkManager_var_run_t)
@@ -33,9 +36,9 @@
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
-allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock };
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
-allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
+allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
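Review bot: The capability line now allows sys_ptrace outright while the very next line still dontaudits it, which leaves a dead dontaudit and makes the comment above about ptrace "if gdb is installed" misleading; drop sys_ptrace from the dontaudit if the allow is intended, or keep the dontaudit and remove the allow. sys_admin is also added without explanation and is close to unconfined for a daemon that already holds net_admin and net_raw; if it is for one specific operation (network namespace or hostname handling would be my guess, not shown here), name it: `# sys_admin: TODO document the syscall/ioctl that requires it`.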
@@ -51,8 +54,10 @@
manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
-rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
-files_search_tmp(NetworkManager_t)
+manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file)
+
+manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
@@ -63,6 +68,8 @@
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
kernel_load_module(NetworkManager_t)
+kernel_read_debugfs(NetworkManager_t)
+kernel_rw_net_sysctls(NetworkManager_t)
corenet_all_recvfrom_unlabeled(NetworkManager_t)
corenet_all_recvfrom_netlabel(NetworkManager_t)
@@ -81,13 +88,18 @@
corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
corenet_sendrecv_all_client_packets(NetworkManager_t)
+corenet_rw_tun_tap_dev(NetworkManager_t)
+corenet_getattr_ppp_dev(NetworkManager_t)
dev_read_sysfs(NetworkManager_t)
dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)
+dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+dev_getattr_all_chr_files(NetworkManager_t)
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
+fs_list_inotifyfs(NetworkManager_t)
mls_file_read_all_levels(NetworkManager_t)
@@ -98,15 +110,19 @@
domain_use_interactive_fds(NetworkManager_t)
domain_read_confined_domains_state(NetworkManager_t)
-domain_dontaudit_read_all_domains_state(NetworkManager_t)
files_read_etc_files(NetworkManager_t)
files_read_etc_runtime_files(NetworkManager_t)
files_read_usr_files(NetworkManager_t)
+storage_getattr_fixed_disk_dev(NetworkManager_t)
+
init_read_utmp(NetworkManager_t)
+init_dontaudit_write_utmp(NetworkManager_t)
init_domtrans_script(NetworkManager_t)
+auth_use_nsswitch(NetworkManager_t)
+
logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t)
@@ -116,25 +132,40 @@
seutil_read_config(NetworkManager_t)
-sysnet_domtrans_ifconfig(NetworkManager_t)
-sysnet_domtrans_dhcpc(NetworkManager_t)
-sysnet_signal_dhcpc(NetworkManager_t)
-sysnet_read_dhcpc_pid(NetworkManager_t)
+sysnet_etc_filetrans_config(NetworkManager_t)
sysnet_delete_dhcpc_pid(NetworkManager_t)
-sysnet_search_dhcp_state(NetworkManager_t)
-# in /etc created by NetworkManager will be labelled net_conf_t.
+sysnet_domtrans_dhcpc(NetworkManager_t)
+sysnet_domtrans_ifconfig(NetworkManager_t)
+sysnet_kill_dhcpc(NetworkManager_t)
sysnet_manage_config(NetworkManager_t)
-sysnet_etc_filetrans_config(NetworkManager_t)
+sysnet_read_dhcp_config(NetworkManager_t)
+sysnet_read_dhcpc_pid(NetworkManager_t)
+sysnet_delete_dhcpc_state(NetworkManager_t)
+sysnet_read_dhcpc_state(NetworkManager_t)
+sysnet_signal_dhcpc(NetworkManager_t)
+userdom_stream_connect(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
userdom_dontaudit_use_user_ttys(NetworkManager_t)
# Read gnome-keyring
userdom_read_user_home_content_files(NetworkManager_t)
+userdom_dgram_send(NetworkManager_t)
+
+cron_read_system_job_lib_files(NetworkManager_t)
+
+optional_policy(`
+ avahi_domtrans(NetworkManager_t)
+ avahi_kill(NetworkManager_t)
+ avahi_signal(NetworkManager_t)
+ avahi_signull(NetworkManager_t)
+')
optional_policy(`
bind_domtrans(NetworkManager_t)
bind_manage_cache(NetworkManager_t)
+ bind_kill(NetworkManager_t)
bind_signal(NetworkManager_t)
+ bind_signull(NetworkManager_t)
')
optional_policy(`
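Review bot: `cron_read_system_job_lib_files(NetworkManager_t)` sits at top level while every other cross-module call in this hunk and file is wrapped in optional_policy, so the networkmanager module will fail to link on a system without the cron module. Wrap it the same way: `optional_policy(\` cron_read_system_job_lib_files(NetworkManager_t) ')`. The sysnet_* reorder is fine, though sysnet_delete_dhcpc_state and sysnet_kill_dhcpc widen what NetworkManager may do to dhclient's state, and a short comment on why NetworkManager owns that lifecycle would help.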
@@ -146,8 +177,25 @@
')
optional_policy(`
- dbus_system_bus_client(NetworkManager_t)
- dbus_connect_system_bus(NetworkManager_t)
+ dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(NetworkManager_t)
+ ')
+')
+
+optional_policy(`
+ dnsmasq_read_pid_files(NetworkManager_t)
+ dnsmasq_delete_pid_files(NetworkManager_t)
+ dnsmasq_domtrans(NetworkManager_t)
+ dnsmasq_initrc_domtrans(NetworkManager_t)
+ dnsmasq_kill(NetworkManager_t)
+ dnsmasq_signal(NetworkManager_t)
+ dnsmasq_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ hal_write_log(NetworkManager_t)
')
optional_policy(`
@@ -155,23 +203,50 @@
')
optional_policy(`
- nis_use_ypbind(NetworkManager_t)
+ iptables_domtrans(NetworkManager_t)
')
optional_policy(`
- nscd_socket_use(NetworkManager_t)
+ nscd_domtrans(NetworkManager_t)
nscd_signal(NetworkManager_t)
+ nscd_signull(NetworkManager_t)
+ nscd_kill(NetworkManager_t)
+ nscd_initrc_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+ # Dispatcher starting and stoping ntp
+ ntp_initrc_domtrans(NetworkManager_t)
')
optional_policy(`
openvpn_domtrans(NetworkManager_t)
+ openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
+ openvpn_signull(NetworkManager_t)
')
optional_policy(`
+ polkit_domtrans_auth(NetworkManager_t)
+ polkit_read_lib(NetworkManager_t)
+ polkit_read_reload(NetworkManager_t)
+ userdom_read_all_users_state(NetworkManager_t)
+')
+
+optional_policy(`
+ ppp_initrc_domtrans(NetworkManager_t)
ppp_domtrans(NetworkManager_t)
ppp_read_pid_files(NetworkManager_t)
+ ppp_kill(NetworkManager_t)
ppp_signal(NetworkManager_t)
+ ppp_signull(NetworkManager_t)
+ ppp_read_config(NetworkManager_t)
+')
+
+optional_policy(`
+ rpm_exec(NetworkManager_t)
+ rpm_read_db(NetworkManager_t)
+ rpm_dontaudit_manage_db(NetworkManager_t)
')
optional_policy(`
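Review bot: rpm_exec(NetworkManager_t) runs the rpm binary inside NetworkManager_t with no domain transition, followed by rpm_read_db and rpm_dontaudit_manage_db, yet nothing in the hunk says what NetworkManager needs from the package database (a dispatcher script running rpm -q would be my guess, not visible here). Executing rpm in-domain means any rpm parsing bug is reachable from a daemon that also holds net_admin and sys_admin, so prefer the narrowest interface that works and add a why-comment, e.g. `# rpm_exec: TODO name the dispatcher/plugin that invokes rpm`. The polkit block's userdom_read_all_users_state is similarly broad for an authorization check and deserves a line of explanation.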
@@ -179,12 +254,15 @@
')
optional_policy(`
+ udev_exec(NetworkManager_t)
udev_read_db(NetworkManager_t)
')
optional_policy(`
vpn_domtrans(NetworkManager_t)
+ vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
+ vpn_signull(NetworkManager_t)
')
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.13/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/nis.fc 2009-05-21 09:48:24.000000000 -0400
@@ -1,9 +1,13 @@
-
+/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.13/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/nis.if 2009-05-21 09:48:24.000000000 -0400
@@ -28,7 +28,7 @@
type var_yp_t;
')
- dontaudit $1 self:capability net_bind_service;
+ allow $1 self:capability net_bind_service;
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 self:udp_socket create_socket_perms;
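Review bot: Turning `dontaudit $1 self:capability net_bind_service` into an unconditional allow hands net_bind_service to every domain that calls this interface, i.e. every NIS client, while the following hunk downgrades the matching reserved-port bind from allow to dontaudit and the new nis_authenticate interface only permits RPC port binding under the allow_ypbind tunable. The capability should follow the port grant: keep the dontaudit here and move `allow $1 self:capability net_bind_service;` into nis_authenticate's tunable_policy block next to corenet_tcp_bind_all_rpc_ports. The enclosing interface begins before this hunk.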
@@ -49,8 +49,8 @@
corenet_udp_bind_generic_node($1)
corenet_tcp_bind_generic_port($1)
corenet_udp_bind_generic_port($1)
- corenet_tcp_bind_reserved_port($1)
- corenet_udp_bind_reserved_port($1)
+ corenet_dontaudit_tcp_bind_all_reserved_ports($1)
+ corenet_dontaudit_udp_bind_all_reserved_ports($1)
corenet_dontaudit_tcp_bind_all_ports($1)
corenet_dontaudit_udp_bind_all_ports($1)
corenet_tcp_connect_portmap_port($1)
@@ -87,6 +87,25 @@
########################################
##
+## Use the nis to authenticate passwords
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+interface(`nis_authenticate',`
+ tunable_policy(`allow_ypbind',`
+ nis_use_ypbind_uncond($1)
+ corenet_tcp_bind_all_rpc_ports($1)
+ corenet_udp_bind_all_rpc_ports($1)
+ ')
+')
+
+########################################
+##
## Execute ypbind in the ypbind domain.
##
##
@@ -244,3 +263,130 @@
corecmd_search_bin($1)
domtrans_pattern($1, ypxfr_exec_t, ypxfr_t)
')
+
+########################################
+##
+## Execute nis server in the nis domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`nis_initrc_domtrans',`
+ gen_require(`
+ type nis_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nis_initrc_exec_t)
+')
+
+########################################
+##
+## Execute nis server in the nis domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`nis_ypbind_initrc_domtrans',`
+ gen_require(`
+ type ypbind_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ypbind_initrc_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an nis environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the nis domain.
+##
+##
+##
+#
+interface(`nis_admin',`
+ gen_require(`
+ type ypbind_t, yppasswdd_t;
+ type ypserv_t, ypxfr_t;
+ type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
+ type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
+ type ypbind_initrc_exec_t;
+ type nis_initrc_exec_t;
+ ')
+
+ allow $1 ypbind_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ypbind_t)
+
+ allow $1 yppasswdd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, yppasswdd_t)
+
+ allow $1 ypserv_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ypserv_t)
+
+ allow $1 ypxfr_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ypxfr_t)
+
+ nis_initrc_domtrans($1)
+ nis_ypbind_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 nis_initrc_exec_t system_r;
+ role_transition $2 ypbind_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, ypbind_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ypbind_var_run_t)
+
+ admin_pattern($1, yppasswdd_var_run_t)
+
+ files_list_etc($1)
+ admin_pattern($1, ypserv_conf_t)
+
+ admin_pattern($1, ypserv_tmp_t)
+
+ admin_pattern($1, ypserv_var_run_t)
+')
+
+
+########################################
+##
+## Execute ypbind in the ypbind domain, and
+## allow the specified role the ypbind domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed the ypbind domain.
+##
+##
+##
+#
+interface(`nis_run_ypbind',`
+ gen_require(`
+ type ypbind_t;
+ ')
+
+ nis_domtrans_ypbind($1)
+ role $2 types ypbind_t;
+')
+
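Review bot: The summaries on nis_initrc_domtrans and nis_ypbind_initrc_domtrans both read "Execute nis server in the nis domain", but each calls init_labeled_script_domtrans, which executes the labelled init script with a transition to the init script domain rather than any NIS daemon domain; reword them to "Execute the NIS server init scripts (yppasswd, ypserv, ypxfrd) with a transition to the init script domain" and "Execute the ypbind init script with a transition to the init script domain". nis_admin also never requires or grants var_yp_t, so an admin given this interface cannot manage the NIS maps under /var/yp even though those are the sensitive data a NIS administrator handles; if that is intended, the summary should say so, otherwise add `admin_pattern($1, var_yp_t)` with a files_list_var call beside the other admin_pattern lines.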
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.13/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/nis.te 2009-05-21 09:48:24.000000000 -0400
@@ -13,6 +13,9 @@
type ypbind_exec_t;
init_daemon_domain(ypbind_t, ypbind_exec_t)
+type ypbind_initrc_exec_t;
+init_script_file(ypbind_initrc_exec_t)
+
type ypbind_tmp_t;
files_tmp_file(ypbind_tmp_t)
@@ -44,6 +47,9 @@
type ypxfr_exec_t;
init_daemon_domain(ypxfr_t, ypxfr_exec_t)
+type nis_initrc_exec_t;
+init_script_file(nis_initrc_exec_t)
+
########################################
#
# ypbind local policy
@@ -111,6 +117,16 @@
userdom_dontaudit_search_user_home_dirs(ypbind_t)
optional_policy(`
+ dbus_system_bus_client(ypbind_t)
+ dbus_connect_system_bus(ypbind_t)
+ init_dbus_chat_script(ypbind_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(ypbind_t)
+ ')
+')
+
+optional_policy(`
seutil_sigchld_newrole(ypbind_t)
')
@@ -123,6 +139,7 @@
# yppasswdd local policy
#
+allow yppasswdd_t self:capability dac_override;
dontaudit yppasswdd_t self:capability sys_tty_config;
allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
allow yppasswdd_t self:process { setfscreate signal_perms };
@@ -153,8 +170,8 @@
corenet_udp_sendrecv_all_ports(yppasswdd_t)
corenet_tcp_bind_generic_node(yppasswdd_t)
corenet_udp_bind_generic_node(yppasswdd_t)
-corenet_tcp_bind_reserved_port(yppasswdd_t)
-corenet_udp_bind_reserved_port(yppasswdd_t)
+corenet_tcp_bind_all_rpc_ports(yppasswdd_t)
+corenet_udp_bind_all_rpc_ports(yppasswdd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
corenet_sendrecv_generic_server_packets(yppasswdd_t)
@@ -241,6 +258,8 @@
corenet_udp_bind_generic_node(ypserv_t)
corenet_tcp_bind_reserved_port(ypserv_t)
corenet_udp_bind_reserved_port(ypserv_t)
+corenet_tcp_bind_all_rpc_ports(ypserv_t)
+corenet_udp_bind_all_rpc_ports(ypserv_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
corenet_sendrecv_generic_server_packets(ypserv_t)
@@ -306,6 +325,8 @@
corenet_udp_bind_generic_node(ypxfr_t)
corenet_tcp_bind_reserved_port(ypxfr_t)
corenet_udp_bind_reserved_port(ypxfr_t)
+corenet_tcp_bind_all_rpc_ports(ypxfr_t)
+corenet_udp_bind_all_rpc_ports(ypxfr_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
corenet_tcp_connect_all_ports(ypxfr_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.6.13/policy/modules/services/nscd.fc
--- nsaserefpolicy/policy/modules/services/nscd.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/nscd.fc 2009-05-21 09:48:24.000000000 -0400
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.13/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/nscd.if 2009-05-21 09:48:24.000000000 -0400
@@ -58,6 +58,42 @@
########################################
##
+## Send NSCD the kill signal.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nscd_kill',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process sigkill;
+')
+
+########################################
+##
+## Send signulls to NSCD.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nscd_signull',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process signull;
+')
+
+########################################
+##
## Use NSCD services by connecting using
## a unix stream socket.
##
@@ -70,15 +106,14 @@
interface(`nscd_socket_use',`
gen_require(`
type nscd_t, nscd_var_run_t;
- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
')
allow $1 self:unix_stream_socket create_socket_perms;
allow $1 nscd_t:nscd { getpwd getgrp gethost };
dontaudit $1 nscd_t:fd use;
- dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
-
+ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
files_search_pids($1)
stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
dontaudit $1 nscd_var_run_t:file { getattr read };
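Review bot: `getserv` is added to the class requirement and to the dontaudit set but not to the unchanged allow rule `allow $1 nscd_t:nscd { getpwd getgrp gethost };`, so service lookups through nscd stay denied for every caller of this interface, now silently. If that is deliberate, say so on the dontaudit line, e.g. `# getserv/shmemserv intentionally not allowed — confirm rationale`; otherwise the allow line should read `allow $1 nscd_t:nscd { getpwd getgrp gethost getserv };`. The interface body appears to continue past the end of the hunk.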
@@ -198,3 +233,60 @@
nscd_domtrans($1)
role $2 types nscd_t;
')
+
+########################################
+##
+## Execute nscd server in the nscd domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`nscd_initrc_domtrans',`
+ gen_require(`
+ type nscd_initrc_exec_t;
+')
+
+ init_labeled_script_domtrans($1, nscd_initrc_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an nscd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the nscd domain.
+##
+##
+##
+#
+interface(`nscd_admin',`
+ gen_require(`
+ type nscd_t, nscd_log_t, nscd_var_run_t;
+ type nscd_initrc_exec_t;
+ ')
+
+ allow $1 nscd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nscd_t)
+
+ nscd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 nscd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, nscd_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, nscd_var_run_t)
+')
+
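Review bot: The `gen_require` in `nscd_initrc_domtrans` closes with `')` at column 0 while every other interface in this hunk indents it, and the `nscd_admin` summary lacks a full stop; both are style only. More substantively, `nscd_admin` grants `ptrace` on nscd_t alongside `signal_perms`, which matches `pads_admin` elsewhere in this patch but deserves a one-line comment because it lets the admin role read the daemon's memory, e.g. `# ptrace lets the admin role debug the running daemon`.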
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.13/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/nscd.te 2009-05-21 09:48:24.000000000 -0400
@@ -20,6 +20,9 @@
type nscd_exec_t;
init_daemon_domain(nscd_t, nscd_exec_t)
+type nscd_initrc_exec_t;
+init_script_file(nscd_initrc_exec_t)
+
type nscd_log_t;
logging_log_file(nscd_log_t)
@@ -28,14 +31,14 @@
# Local policy
#
-allow nscd_t self:capability { kill setgid setuid audit_write };
+allow nscd_t self:capability { kill setgid setuid };
dontaudit nscd_t self:capability sys_tty_config;
-allow nscd_t self:process { getattr setsched signal_perms };
+allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
allow nscd_t self:fifo_file read_fifo_file_perms;
allow nscd_t self:unix_stream_socket create_stream_socket_perms;
allow nscd_t self:unix_dgram_socket create_socket_perms;
allow nscd_t self:netlink_selinux_socket create_socket_perms;
-allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
allow nscd_t self:tcp_socket create_socket_perms;
allow nscd_t self:udp_socket create_socket_perms;
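Review bot: `getcap setcap` are added to nscd_t's process permissions with no comment, and the removed `netlink_audit_socket` rule leaves an empty `+` line behind. A why-comment would help the next reader, e.g. `# nscd adjusts its own capability set after start-up — confirm against the denial that motivated this`. The removal of `audit_write` and the audit socket rule appears to be covered by `logging_send_audit_msgs(nscd_t)` added further down in this file.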
@@ -50,6 +53,9 @@
manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
+corecmd_search_bin(nscd_t)
+can_exec(nscd_t, nscd_exec_t)
+
kernel_read_kernel_sysctls(nscd_t)
kernel_list_proc(nscd_t)
kernel_read_proc_symlinks(nscd_t)
@@ -60,6 +66,7 @@
fs_getattr_all_fs(nscd_t)
fs_search_auto_mountpoints(nscd_t)
+fs_list_inotifyfs(nscd_t)
# for when /etc/passwd has just been updated and has the wrong type
auth_getattr_shadow(nscd_t)
@@ -73,6 +80,7 @@
corenet_udp_sendrecv_generic_node(nscd_t)
corenet_tcp_sendrecv_all_ports(nscd_t)
corenet_udp_sendrecv_all_ports(nscd_t)
+corenet_udp_bind_generic_node(nscd_t)
corenet_tcp_connect_all_ports(nscd_t)
corenet_sendrecv_all_client_packets(nscd_t)
corenet_rw_tun_tap_dev(nscd_t)
@@ -84,12 +92,14 @@
selinux_compute_relabel_context(nscd_t)
selinux_compute_user_contexts(nscd_t)
domain_use_interactive_fds(nscd_t)
+domain_search_all_domains_state(nscd_t)
files_read_etc_files(nscd_t)
files_read_generic_tmp_symlinks(nscd_t)
# Needed to read files created by firstboot "/etc/hesiod.conf"
files_read_etc_runtime_files(nscd_t)
+logging_send_audit_msgs(nscd_t)
logging_send_syslog_msg(nscd_t)
miscfiles_read_localization(nscd_t)
@@ -105,6 +115,14 @@
userdom_dontaudit_search_user_home_dirs(nscd_t)
optional_policy(`
+ cron_read_system_job_tmp_files(nscd_t)
+')
+
+optional_policy(`
+ kerberos_use(nscd_t)
+')
+
+optional_policy(`
udev_read_db(nscd_t)
')
@@ -112,3 +130,12 @@
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
')
+
+optional_policy(`
+ tunable_policy(`samba_domain_controller',`
+ samba_append_log(nscd_t)
+ samba_dontaudit_use_fds(nscd_t)
+ ')
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
+')
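Review bot: Inside the samba block only the log append and fd use are gated on `samba_domain_controller`, while `samba_read_config` and `samba_read_var_files` are granted whenever the samba module is present. If nscd only needs samba data when acting as a domain controller, the two read rules belong inside the `tunable_policy` block; otherwise a short comment explaining why the reads are unconditional would help.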
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.13/policy/modules/services/ntp.if
--- nsaserefpolicy/policy/modules/services/ntp.if 2008-10-14 11:58:09.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/ntp.if 2009-05-21 09:48:24.000000000 -0400
@@ -37,6 +37,32 @@
########################################
##
+## Execute ntp in the ntp domain, and
+## allow the specified role the ntp domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed the ntp domain.
+##
+##
+##
+#
+interface(`ntp_run',`
+ gen_require(`
+ type ntpd_t;
+ ')
+
+ ntp_domtrans($1)
+ role $2 types ntpd_t;
+')
+
+########################################
+##
## Execute ntp server in the ntpd domain.
##
##
@@ -56,6 +82,63 @@
########################################
##
+## Execute ntp server in the ntpd domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`ntp_initrc_domtrans',`
+ gen_require(`
+ type ntpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+')
+
+#######################################
+##
+## Read/write ntpdd tmpfs files.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`ntpd_rw_tmpfs_files',`
+ gen_require(`
+ type ntpd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ list_dirs_pattern($1,ntpd_tmpfs_t,ntpd_tmpfs_t)
+ rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
+ read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
+')
+
+########################################
+##
+## Read and write to ntpd shared memory.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`ntpd_rw_shm',`
+ gen_require(`
+ type ntpd_t;
+ ')
+
+ allow $1 ntpd_t:shm rw_shm_perms;
+')
+
+########################################
+##
## All of the rules required to administrate
## an ntp environment
##
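Review bot: The two new interfaces `ntpd_rw_tmpfs_files` and `ntpd_rw_shm` use an `ntpd_` prefix while the other interfaces visible here, including `ntp_run` and `ntp_initrc_domtrans` added in this same patch, use `ntp_`; callers in other modules will have to remember the exception. The summary of `ntp_initrc_domtrans` repeats the domtrans summary "Execute ntp server in the ntpd domain." and should describe the init script, e.g. `## Execute ntp server init script in the init script domain.`; the `ntpd_rw_tmpfs_files` summary has the typo "ntpdd". `list_dirs_pattern($1,ntpd_tmpfs_t,ntpd_tmpfs_t)` also lacks the spaces after commas used on the two lines below it.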
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.13/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/ntp.te 2009-05-21 09:48:24.000000000 -0400
@@ -25,6 +25,9 @@
type ntpd_tmp_t;
files_tmp_file(ntpd_tmp_t)
+type ntpd_tmpfs_t;
+files_tmpfs_file(ntpd_tmpfs_t)
+
type ntpd_var_run_t;
files_pid_file(ntpd_var_run_t)
@@ -38,10 +41,11 @@
# sys_resource and setrlimit is for locking memory
# ntpdate wants sys_nice
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource };
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
allow ntpd_t self:fifo_file rw_fifo_file_perms;
+allow ntpd_t self:shm create_shm_perms;
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
allow ntpd_t self:tcp_socket create_stream_socket_perms;
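Review bot: `ipc_owner` is added to the ntpd_t capability set and `shm create_shm_perms` to its self rules without extending the comment block above that documents the other capabilities (`sys_resource`, `sys_nice`). Presumably both serve the gpsd shared-memory interface granted later in this file; a line such as `# ipc_owner and shm are for the shared memory segment used with gpsd — confirm` next to the existing comments would keep the rationale in one place.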
@@ -52,6 +56,7 @@
can_exec(ntpd_t,ntpd_exec_t)
read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
allow ntpd_t ntpd_log_t:dir setattr;
manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t)
@@ -62,6 +67,10 @@
manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
+manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
+manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
+fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
+
manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
@@ -90,6 +99,9 @@
fs_getattr_all_fs(ntpd_t)
fs_search_auto_mountpoints(ntpd_t)
+# Necessary to communicate with gpsd devices
+fs_rw_tmpfs_files(ntpd_t)
+fs_list_inotifyfs(ntpd_t)
term_use_ptmx(ntpd_t)
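Review bot: `fs_rw_tmpfs_files(ntpd_t)` grants read/write on generic tmpfs files system-wide, which is much wider than the `gpsd_rw_tmpfs_files(ntpd_t)` and ntpd_tmpfs_t rules this patch also adds; if the gpsd interface covers the need, the generic grant should be dropped rather than kept alongside it. `fs_list_inotifyfs(ntpd_t)` sits under the same `# Necessary to communicate with gpsd devices` comment but is unrelated to gpsd, so it should be moved below the comment or given its own.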
@@ -121,6 +133,11 @@
')
optional_policy(`
+ gpsd_rw_shm(ntpd_t)
+ gpsd_rw_tmpfs_files(ntpd_t)
+')
+
+optional_policy(`
firstboot_dontaudit_use_fds(ntpd_t)
firstboot_dontaudit_rw_pipes(ntpd_t)
firstboot_dontaudit_rw_stream_sockets(ntpd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.13/policy/modules/services/nx.te
--- nsaserefpolicy/policy/modules/services/nx.te 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/nx.te 2009-05-21 09:48:24.000000000 -0400
@@ -25,6 +25,9 @@
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)
+type nx_server_home_ssh_t;
+files_type(nx_server_home_ssh_t)
+
########################################
#
# NX server local policy
@@ -44,6 +47,9 @@
manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
+manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+
kernel_read_system_state(nx_server_t)
kernel_read_kernel_sysctls(nx_server_t)
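Review bot: nx_server_t gets manage rights on nx_server_home_ssh_t, but nothing in this hunk or the one above labels anything with that type — I see no file context entry and no filetrans rule — so the type may be unreachable unless those exist elsewhere in the patch. If it is meant for the server's ssh directory, a `filetrans_pattern` or an .fc entry is needed; either way a comment on the type declaration saying what receives this label would help.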
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.6.13/policy/modules/services/oddjob.fc
--- nsaserefpolicy/policy/modules/services/oddjob.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/oddjob.fc 2009-05-21 09:48:24.000000000 -0400
@@ -1,4 +1,4 @@
-/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.13/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/oddjob.if 2009-05-21 09:48:24.000000000 -0400
@@ -44,6 +44,7 @@
')
domtrans_pattern(oddjob_t, $2, $1)
+ domain_user_exemption_target($1)
')
########################################
@@ -84,3 +85,28 @@
domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
')
+
+########################################
+##
+## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to allow the oddjob_mkhomedir domain.
+##
+##
+##
+#
+interface(`oddjob_run_mkhomedir',`
+ gen_require(`
+ type oddjob_mkhomedir_t;
+ ')
+
+ oddjob_domtrans_mkhomedir($1)
+ role $2 types oddjob_mkhomedir_t;
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.6.13/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/oddjob.te 2009-05-21 09:48:24.000000000 -0400
@@ -10,14 +10,21 @@
type oddjob_exec_t;
domain_type(oddjob_t)
init_daemon_domain(oddjob_t, oddjob_exec_t)
+domain_obj_id_change_exemption(oddjob_t)
+domain_role_change_exemption(oddjob_t)
domain_subj_id_change_exemption(oddjob_t)
type oddjob_mkhomedir_t;
type oddjob_mkhomedir_exec_t;
domain_type(oddjob_mkhomedir_t)
-init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+domain_obj_id_change_exemption(oddjob_mkhomedir_t)
+init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(oddjob_t, oddjob_exec_t,s0 - mcs_systemhigh)
+')
+
# pid files
type oddjob_var_run_t;
files_pid_file(oddjob_var_run_t)
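Review bot: `domain_obj_id_change_exemption` and `domain_role_change_exemption` widen what oddjob_t may do on transition (changing the SELinux user and role of the new process) without a comment; presumably they support starting helpers in the requesting user's context via `oddjob_system_entry`, and that is worth stating next to the rules, e.g. `# oddjob starts helpers in the caller's user/role — confirm`. `init_ranged_daemon_domain(oddjob_t, oddjob_exec_t,s0 - mcs_systemhigh)` is missing the space after the second comma, and it is paired with the unchanged `init_daemon_domain(oddjob_t, oddjob_exec_t)` above; if the ranged interface already calls the plain one, only one of them is needed.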
@@ -65,13 +72,32 @@
# oddjob_mkhomedir local policy
#
+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
+allow oddjob_mkhomedir_t self:process setfscreate;
allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
files_read_etc_files(oddjob_mkhomedir_t)
+kernel_read_system_state(oddjob_mkhomedir_t)
+
+auth_use_nsswitch(oddjob_mkhomedir_t)
+
+logging_send_syslog_msg(oddjob_mkhomedir_t)
+
miscfiles_read_localization(oddjob_mkhomedir_t)
+selinux_get_fs_mount(oddjob_mkhomedir_t)
+selinux_validate_context(oddjob_mkhomedir_t)
+selinux_compute_access_vector(oddjob_mkhomedir_t)
+selinux_compute_create_context(oddjob_mkhomedir_t)
+selinux_compute_relabel_context(oddjob_mkhomedir_t)
+selinux_compute_user_contexts(oddjob_mkhomedir_t)
+
+seutil_read_config(oddjob_mkhomedir_t)
+seutil_read_file_contexts(oddjob_mkhomedir_t)
+seutil_read_default_contexts(oddjob_mkhomedir_t)
+
# Add/remove user home directories
userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.fc serefpolicy-3.6.13/policy/modules/services/pads.fc
--- nsaserefpolicy/policy/modules/services/pads.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/pads.fc 2009-05-21 09:48:24.000000000 -0400
@@ -0,0 +1,12 @@
+
+/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0)
+/etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0)
+/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0)
+/etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0)
+
+/etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t, s0)
+
+/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0)
+
+/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.6.13/policy/modules/services/pads.if
--- nsaserefpolicy/policy/modules/services/pads.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/pads.if 2009-05-21 09:48:24.000000000 -0400
@@ -0,0 +1,44 @@
+## SELinux policy for PADS daemon.
+##
+##
+## PADS is a libpcap based detection engine used to
+## passively detect network assets. It is designed to
+## complement IDS technology by providing context to IDS
+## alerts.
+##
+##
+
+########################################
+##
+## All of the rules required to administrate
+## an pads environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the pads domain.
+##
+##
+##
+#
+interface(`pads_admin', `
+ gen_require(`
+ type pads_t, pads_config_t;
+ type pads_var_run_t, pads_initrc_exec_t;
+ ')
+
+ allow $1 pads_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pads_t)
+
+ init_labeled_script_domtrans($1, pads_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 pads_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, pads_var_run_t)
+ admin_pattern($1, pads_config_t)
+')
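Review bot: `pads_admin` calls `init_labeled_script_domtrans($1, pads_initrc_exec_t)` directly rather than through a `pads_initrc_domtrans` interface, unlike `nscd_admin` in this same patch which goes through `nscd_initrc_domtrans`; the file also offers no other interface, so any future caller will have to reach into init_labeled_script_domtrans the same way. The summary reads "an pads environment" and should be "a pads environment". The `interface(`pads_admin', `` line has a space before the second argument that the other interfaces in this patch do not.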
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.6.13/policy/modules/services/pads.te
--- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/pads.te 2009-05-21 09:48:24.000000000 -0400
@@ -0,0 +1,65 @@
+
+policy_module(pads, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type pads_t;
+type pads_exec_t;
+init_daemon_domain(pads_t, pads_exec_t)
+role system_r types pads_t;
+
+type pads_initrc_exec_t;
+init_script_file(pads_initrc_exec_t)
+
+type pads_config_t;
+files_config_file(pads_config_t)
+
+type pads_var_run_t;
+files_pid_file(pads_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow pads_t self:capability { dac_override net_raw };
+allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow pads_t self:packet_socket { ioctl setopt getopt read bind create };
+allow pads_t self:udp_socket { create ioctl };
+allow pads_t self:unix_dgram_socket { write create connect };
+
+allow pads_t pads_config_t:file manage_file_perms;
+files_etc_filetrans(pads_t, pads_config_t, file)
+
+allow pads_t pads_var_run_t:file manage_file_perms;
+files_pid_filetrans(pads_t, pads_var_run_t, file)
+
+corecmd_search_bin(pads_t)
+
+corenet_all_recvfrom_unlabeled(pads_t)
+corenet_all_recvfrom_netlabel(pads_t)
+corenet_tcp_sendrecv_generic_if(pads_t)
+corenet_tcp_sendrecv_generic_node(pads_t)
+
+corenet_tcp_connect_prelude_port(pads_t)
+
+dev_read_rand(pads_t)
+dev_read_urand(pads_t)
+
+kernel_read_sysctl(pads_t)
+
+files_read_etc_files(pads_t)
+files_search_spool(pads_t)
+
+miscfiles_read_localization(pads_t)
+
+logging_send_syslog_msg(pads_t)
+
+sysnet_dns_name_resolve(pads_t)
+
+optional_policy(`
+ prelude_manage_spool(pads_t)
+')
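Review bot: The second `# Declarations` header at the top of the rules section should read `# pads local policy`, matching the other .te files in this patch. `role system_r types pads_t;` is presumably redundant if `init_daemon_domain` already associates the domain with system_r, as the other daemons here omit it. The `net_raw` capability and the raw `packet_socket` rules carry no comment; given the .if description of PADS as libpcap-based, `# libpcap capture needs net_raw and a packet socket` on the capability line would explain them. `policy_module(pads, 0.0.1)` also departs from the 1.0.0 starting version used by polkit.te in this patch.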
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.13/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/pegasus.te 2009-05-21 09:48:24.000000000 -0400
@@ -30,7 +30,7 @@
# Local policy
#
-allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service };
+allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service };
dontaudit pegasus_t self:capability sys_tty_config;
allow pegasus_t self:process signal;
allow pegasus_t self:fifo_file rw_fifo_file_perms;
@@ -66,6 +66,8 @@
kernel_read_system_state(pegasus_t)
kernel_search_vm_sysctl(pegasus_t)
kernel_read_net_sysctls(pegasus_t)
+kernel_read_xen_state(pegasus_t)
+kernel_write_xen_state(pegasus_t)
corenet_all_recvfrom_unlabeled(pegasus_t)
corenet_all_recvfrom_netlabel(pegasus_t)
@@ -96,13 +98,12 @@
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
+auth_read_shadow(pegasus_t)
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
-files_read_etc_files(pegasus_t)
-files_list_var_lib(pegasus_t)
-files_read_var_lib_files(pegasus_t)
+files_read_all_files(pegasus_t)
files_read_var_lib_symlinks(pegasus_t)
hostname_exec(pegasus_t)
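Review bot: Replacing `files_read_etc_files`, `files_list_var_lib` and `files_read_var_lib_files` with `files_read_all_files(pegasus_t)` turns three scoped grants into read access to essentially every file type on the system, and the same hunk adds `auth_read_shadow(pegasus_t)` even though the unchanged `auth_domtrans_chk_passwd` line already provides password checking through the helper domain. If specific denials motivated this, listing those types (or the interface that covers them, as the `sysnet_read_config` removal in the next hunk suggests) keeps the domain bounded; at minimum a comment naming what pegasus needs to read, e.g. `# pegasus providers read arbitrary config under /etc and /var/lib — confirm`, should accompany the broad rule.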
@@ -115,7 +116,6 @@
miscfiles_read_localization(pegasus_t)
-sysnet_read_config(pegasus_t)
sysnet_domtrans_ifconfig(pegasus_t)
userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
@@ -126,6 +126,14 @@
')
optional_policy(`
+ samba_manage_config(pegasus_t)
+')
+
+optional_policy(`
+ ssh_exec(pegasus_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(pegasus_t)
seutil_dontaudit_read_config(pegasus_t)
')
@@ -137,3 +145,13 @@
optional_policy(`
unconfined_signull(pegasus_t)
')
+
+optional_policy(`
+ virt_domtrans(pegasus_t)
+ virt_manage_config(pegasus_t)
+')
+
+optional_policy(`
+ xen_stream_connect(pegasus_t)
+ xen_stream_connect_xenstore(pegasus_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.13/policy/modules/services/polkit.fc
--- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/polkit.fc 2009-05-21 09:48:24.000000000 -0400
@@ -0,0 +1,11 @@
+
+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0)
+/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0)
+/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:polkit_resolve_exec_t,s0)
+/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0)
+
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0)
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
+
+/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.13/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/polkit.if 2009-05-21 09:48:24.000000000 -0400
@@ -0,0 +1,241 @@
+
+## policy for polkit_auth
+
+########################################
+##
+## Execute a domain transition to run polkit_auth.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`polkit_domtrans_auth',`
+ gen_require(`
+ type polkit_auth_t;
+ type polkit_auth_exec_t;
+ ')
+
+ domtrans_pattern($1, polkit_auth_exec_t, polkit_auth_t)
+')
+
+########################################
+##
+## Search polkit lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`polkit_search_lib',`
+ gen_require(`
+ type polkit_var_lib_t;
+ ')
+
+ allow $1 polkit_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## read polkit lib files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`polkit_read_lib',`
+ gen_require(`
+ type polkit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t)
+
+ # Broken placement
+ cron_read_system_job_lib_files($1)
+')
+
+########################################
+##
+## read polkit reload files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`polkit_read_reload',`
+ gen_require(`
+ type polkit_reload_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, polkit_reload_t, polkit_reload_t)
+')
+
+########################################
+##
+## rw polkit reload files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`polkit_rw_reload',`
+ gen_require(`
+ type polkit_reload_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, polkit_reload_t, polkit_reload_t)
+')
+
+########################################
+##
+## Execute a domain transition to run polkit_grant.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`polkit_domtrans_grant',`
+ gen_require(`
+ type polkit_grant_t;
+ type polkit_grant_exec_t;
+ ')
+
+ domtrans_pattern($1, polkit_grant_exec_t, polkit_grant_t)
+')
+
+########################################
+##
+## Execute a domain transition to run polkit_resolve.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`polkit_domtrans_resolve',`
+ gen_require(`
+ type polkit_resolve_t;
+ type polkit_resolve_exec_t;
+ ')
+
+ domtrans_pattern($1, polkit_resolve_exec_t, polkit_resolve_t)
+
+ allow polkit_resolve_t $1:dir list_dir_perms;
+ read_files_pattern(polkit_resolve_t, $1, $1)
+ read_lnk_files_pattern(polkit_resolve_t, $1, $1)
+ allow polkit_resolve_t $1:process getattr;
+')
+
+########################################
+##
+## Execute a policy_grant in the policy_grant domain, and
+## allow the specified role the policy_grant domain,
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed the load_policy domain.
+##
+##
+##
+#
+interface(`polkit_run_grant',`
+ gen_require(`
+ type polkit_grant_t;
+ ')
+
+ polkit_domtrans_grant($1)
+ role $2 types polkit_grant_t;
+ allow $1 polkit_grant_t:process signal;
+ read_files_pattern(polkit_grant_t, $1, $1)
+ allow polkit_grant_t $1:process getattr;
+')
+
+########################################
+##
+## Execute a policy_auth in the policy_auth domain, and
+## allow the specified role the policy_auth domain,
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed the load_policy domain.
+##
+##
+#
+interface(`polkit_run_auth',`
+ gen_require(`
+ type polkit_auth_t;
+ ')
+
+ polkit_domtrans_auth($1)
+ role $2 types polkit_auth_t;
+')
+
+#######################################
+##
+## The per role template for the nsplugin module.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+#
+template(`polkit_role',`
+ polkit_run_auth($2, $1)
+ polkit_run_grant($2, $1)
+ polkit_read_lib($2)
+ polkit_read_reload($2)
+')
+
+########################################
+##
+## Send and receive messages from
+## polkit over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`polkit_dbus_chat',`
+ gen_require(`
+ type polkit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 polkit_t:dbus send_msg;
+ allow polkit_t $1:dbus send_msg;
+')
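Review bot: `polkit_read_lib` calls `cron_read_system_job_lib_files($1)` unconditionally (the `# Broken placement` comment admits it), which makes every caller depend on the cron module being loaded and grants cron lib access as a side effect of asking for polkit lib access; it belongs in the callers' own `optional_policy` blocks, or at least inside one here. Several doc blocks are copy-pasted: `polkit_run_grant` and `polkit_run_auth` describe "the load_policy domain", and `polkit_role` says "per role template for the nsplugin module"; they should name polkit_grant_t, polkit_auth_t and polkit respectively. `polkit_domtrans_resolve` also grants polkit_resolve_t read of the caller's files and `process getattr`, which is more than its summary "Execute a domain transition" suggests and should be documented there.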
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.13/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/polkit.te 2009-05-21 09:48:24.000000000 -0400
@@ -0,0 +1,237 @@
+policy_module(polkit_auth, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type polkit_t;
+type polkit_exec_t;
+init_daemon_domain(polkit_t, polkit_exec_t)
+
+type polkit_grant_t;
+type polkit_grant_exec_t;
+init_system_domain(polkit_grant_t, polkit_grant_exec_t)
+
+type polkit_resolve_t;
+type polkit_resolve_exec_t;
+init_system_domain(polkit_resolve_t, polkit_resolve_exec_t)
+
+type polkit_auth_t;
+type polkit_auth_exec_t;
+init_daemon_domain(polkit_auth_t, polkit_auth_exec_t)
+
+type polkit_reload_t;
+files_type(polkit_reload_t)
+
+type polkit_var_lib_t;
+files_type(polkit_var_lib_t)
+
+type polkit_var_run_t;
+files_pid_file(polkit_var_run_t)
+
+########################################
+#
+# polkit local policy
+#
+
+allow polkit_t self:capability { setgid setuid };
+allow polkit_t self:process getattr;
+
+allow polkit_t self:unix_dgram_socket create_socket_perms;
+allow polkit_t self:fifo_file rw_file_perms;
+allow polkit_t self:unix_stream_socket create_stream_socket_perms;
+
+polkit_domtrans_auth(polkit_t)
+polkit_domtrans_resolve(polkit_t)
+
+can_exec(polkit_t, polkit_exec_t)
+corecmd_exec_bin(polkit_t)
+
+domain_use_interactive_fds(polkit_t)
+
+files_read_etc_files(polkit_t)
+files_read_usr_files(polkit_t)
+
+fs_list_inotifyfs(polkit_t)
+
+kernel_read_kernel_sysctls(polkit_t)
+
+auth_use_nsswitch(polkit_t)
+
+miscfiles_read_localization(polkit_t)
+
+logging_send_syslog_msg(polkit_t)
+
+manage_files_pattern(polkit_t, polkit_var_lib_t, polkit_var_lib_t)
+
+rw_files_pattern(polkit_t, polkit_reload_t, polkit_reload_t)
+
+# pid file
+manage_dirs_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t)
+manage_files_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t)
+files_pid_filetrans(polkit_t, polkit_var_run_t, { file dir })
+
+userdom_read_all_users_state(polkit_t)
+
+optional_policy(`
+ dbus_system_domain(polkit_t, polkit_exec_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(polkit_t)
+ ')
+')
+
+########################################
+#
+# polkit_auth local policy
+#
+
+allow polkit_auth_t self:capability setgid;
+allow polkit_auth_t self:process { getattr };
+
+allow polkit_auth_t self:unix_dgram_socket create_socket_perms;
+allow polkit_auth_t self:fifo_file rw_file_perms;
+allow polkit_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+can_exec(polkit_auth_t, polkit_auth_exec_t)
+corecmd_search_bin(polkit_auth_t)
+
+domain_use_interactive_fds(polkit_auth_t)
+
+files_read_etc_files(polkit_auth_t)
+files_read_usr_files(polkit_auth_t)
+
+auth_use_nsswitch(polkit_auth_t)
+
+miscfiles_read_localization(polkit_auth_t)
+
+logging_send_syslog_msg(polkit_auth_t)
+
+manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t)
+rw_files_pattern(polkit_auth_t, polkit_reload_t, polkit_reload_t)
+
+# pid file
+manage_dirs_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t)
+manage_files_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t)
+files_pid_filetrans(polkit_auth_t, polkit_var_run_t, { file dir })
+
+userdom_dontaudit_read_user_home_content_files(polkit_auth_t)
+
+optional_policy(`
+ cron_read_system_job_lib_files(polkit_auth_t)
+')
+
+optional_policy(`
+ dbus_system_domain( polkit_auth_t, polkit_auth_exec_t)
+
+ dbus_session_bus_client(polkit_auth_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(polkit_auth_t)
+ ')
+')
+
+optional_policy(`
+ kernel_search_proc(polkit_auth_t)
+ hal_read_state(polkit_auth_t)
+')
+
+optional_policy(`
+ xserver_xdm_append_log(polkit_auth_t)
+')
+
+########################################
+#
+# polkit_grant local policy
+#
+
+allow polkit_grant_t self:capability setuid;
+allow polkit_grant_t self:process getattr;
+
+allow polkit_grant_t self:unix_dgram_socket create_socket_perms;
+allow polkit_grant_t self:fifo_file rw_file_perms;
+allow polkit_grant_t self:unix_stream_socket create_stream_socket_perms;
+
+can_exec(polkit_grant_t, polkit_grant_exec_t)
+corecmd_search_bin(polkit_grant_t)
+
+files_read_etc_files(polkit_grant_t)
+files_read_usr_files(polkit_grant_t)
+
+auth_use_nsswitch(polkit_grant_t)
+auth_domtrans_chk_passwd(polkit_grant_t)
+
+miscfiles_read_localization(polkit_grant_t)
+
+logging_send_syslog_msg(polkit_grant_t)
+
+polkit_domtrans_auth(polkit_grant_t)
+polkit_domtrans_resolve(polkit_grant_t)
+
+manage_files_pattern(polkit_grant_t, polkit_var_run_t, polkit_var_run_t)
+
+manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t)
+rw_files_pattern(polkit_grant_t, polkit_reload_t, polkit_reload_t)
+userdom_read_all_users_state(polkit_grant_t)
+
+optional_policy(`
+ cron_manage_system_job_lib_files(polkit_grant_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(polkit_grant_t)
+ optional_policy(`
+ consolekit_dbus_chat(polkit_grant_t)
+ ')
+')
+
+########################################
+#
+# polkit_resolve local policy
+#
+
+allow polkit_resolve_t self:capability { setuid sys_nice sys_ptrace };
+allow polkit_resolve_t self:process getattr;
+
+allow polkit_resolve_t self:unix_dgram_socket create_socket_perms;
+allow polkit_resolve_t self:fifo_file rw_file_perms;
+allow polkit_resolve_t self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(polkit_resolve_t, polkit_var_lib_t, polkit_var_lib_t)
+read_files_pattern(polkit_resolve_t, polkit_reload_t, polkit_reload_t)
+
+can_exec(polkit_resolve_t, polkit_resolve_exec_t)
+corecmd_search_bin(polkit_resolve_t)
+
+polkit_domtrans_auth(polkit_resolve_t)
+
+files_read_etc_files(polkit_resolve_t)
+files_read_usr_files(polkit_resolve_t)
+
+auth_use_nsswitch(polkit_resolve_t)
+
+miscfiles_read_localization(polkit_resolve_t)
+
+logging_send_syslog_msg(polkit_resolve_t)
+
+userdom_read_all_users_state(polkit_resolve_t)
+userdom_ptrace_all_users(polkit_resolve_t)
+mcs_ptrace_all(polkit_resolve_t)
+
+optional_policy(`
+ dbus_system_bus_client(polkit_resolve_t)
+ optional_policy(`
+ consolekit_dbus_chat(polkit_resolve_t)
+ ')
+')
+
+optional_policy(`
+ kernel_search_proc(polkit_resolve_t)
+ hal_read_state(polkit_resolve_t)
+')
+
+optional_policy(`
+ unconfined_ptrace(polkit_resolve_t)
+')
+
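Review bot: The file is polkit.te but declares `policy_module(polkit_auth, 1.0.0)`, so the built module would be named polkit_auth rather than polkit; unless that is intended, the name should match the file. polkit_resolve_t accumulates `sys_ptrace`, `userdom_ptrace_all_users`, `mcs_ptrace_all` and `unconfined_ptrace` without a comment, and together these appear to let it inspect nearly every process on the system; a comment such as `# resolve-exe-helper needs ptrace to read the requesting process's exe — confirm` would record the rationale. `dbus_system_domain( polkit_auth_t, polkit_auth_exec_t)` has a stray space after the parenthesis.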
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.6.13/policy/modules/services/portreserve.te
--- nsaserefpolicy/policy/modules/services/portreserve.te 2009-05-21 08:43:08.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/portreserve.te 2009-05-21 09:48:24.000000000 -0400
@@ -37,9 +37,12 @@
manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file })
+corenet_all_recvfrom_unlabeled(portreserve_t)
+corenet_all_recvfrom_netlabel(portreserve_t)
+corenet_tcp_bind_all_ports(portreserve_t)
+corenet_tcp_bind_all_ports(portreserve_t)
corenet_tcp_bind_generic_node(portreserve_t)
corenet_udp_bind_generic_node(portreserve_t)
-corenet_tcp_bind_all_reserved_ports(portreserve_t)
-corenet_udp_bind_all_reserved_ports(portreserve_t)
+corenet_udp_bind_all_ports(portreserve_t)
files_read_etc_files(portreserve_t)
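Review bot: `corenet_tcp_bind_all_ports(portreserve_t)` is added twice in this hunk (the two identical lines above `corenet_tcp_bind_generic_node`); one of them should be dropped. Beyond the duplicate, the hunk swaps the reserved-port binds (`corenet_tcp_bind_all_reserved_ports`/`corenet_udp_bind_all_reserved_ports`) for bind on all TCP and UDP ports, which lets portreserve claim ports that other confined services are expected to own, and nothing in the hunk records why that widening is needed. If holding unprivileged ports is intended, a comment such as `# portreserve holds whatever ports are configured, privileged or not` would make the scope deliberate rather than accidental.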
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.13/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/postfix.fc 2009-05-21 09:48:24.000000000 -0400
@@ -29,12 +29,10 @@
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
')
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
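Review bot: Removing the `/usr/lib/postfix/virtual` context means the virtual delivery agent no longer receives `postfix_virtual_exec_t` from this block, while the postfix.te hunks in this same patch extend the postfix_virtual_t domain (home-directory management rules); unless the binary is labelled elsewhere in the file, the domain transition would never fire and those rules would apply to nothing. The `/usr/sbin/postcat` removal likewise drops it from `postfix_master_exec_t` with no replacement visible here; confirm both labels are provided somewhere else before this lands.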
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.13/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/postfix.if 2009-05-21 09:48:24.000000000 -0400
@@ -46,6 +46,7 @@
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
+ read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
can_exec(postfix_$1_t, postfix_$1_exec_t)
@@ -79,6 +80,7 @@
files_read_usr_symlinks(postfix_$1_t)
files_search_spool(postfix_$1_t)
files_getattr_tmp_dirs(postfix_$1_t)
+ files_search_all_mountpoints(postfix_$1_t)
init_dontaudit_use_fds(postfix_$1_t)
init_sigchld(postfix_$1_t)
@@ -174,9 +176,8 @@
type postfix_etc_t;
')
- allow $1 postfix_etc_t:dir list_dir_perms;
- allow $1 postfix_etc_t:file read_file_perms;
- allow $1 postfix_etc_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, postfix_etc_t, postfix_etc_t)
+ read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
files_search_etc($1)
')
@@ -232,6 +233,25 @@
########################################
##
+## Allow read/write postfix local pipes
+## TCP sockets.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`postfix_rw_local_pipes',`
+ gen_require(`
+ type postfix_local_t;
+ ')
+
+ allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+##
## Allow domain to read postfix local process state
##
##
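Review bot: The header of the new `postfix_rw_local_pipes` interface does not describe what it grants: the summary reads `Allow read/write postfix local pipes TCP sockets.` although the only rule is `allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;`, and the parameter is labelled `Domain to not audit.` although this is an allow, not a dontaudit. Suggest `## Read and write postfix_local named pipes.` for the summary and `## Domain allowed access.` for the parameter, matching the other interfaces in this file.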
@@ -378,7 +398,7 @@
##
##
#
-interface(`postfix_create_pivate_sockets',`
+interface(`postfix_create_private_sockets',`
gen_require(`
type postfix_private_t;
')
@@ -389,6 +409,25 @@
########################################
##
+## manage named socket in a postfix private directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_manage_private_sockets',`
+ gen_require(`
+ type postfix_private_t;
+ ')
+
+ allow $1 postfix_private_t:dir list_dir_perms;
+ manage_sock_files_pattern($1, postfix_private_t, postfix_private_t)
+')
+
+########################################
+##
## Execute the master postfix program in the
## postfix_master domain.
##
@@ -418,10 +457,10 @@
#
interface(`postfix_search_spool',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
- allow $1 postfix_spool_t:dir search_dir_perms;
+ allow $1 postfix_spool_type:dir search_dir_perms;
files_search_spool($1)
')
@@ -437,11 +476,30 @@
#
interface(`postfix_list_spool',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
+ ')
+
+ allow $1 postfix_spool_type:dir list_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+##
+## Getattr postfix mail spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_getattr_spool_files',`
+ gen_require(`
+ attribute postfix_spool_type;
')
- allow $1 postfix_spool_t:dir list_dir_perms;
files_search_spool($1)
+ getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
')
########################################
@@ -456,16 +514,16 @@
#
interface(`postfix_read_spool_files',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
files_search_spool($1)
- read_files_pattern($1, postfix_spool_t, postfix_spool_t)
+ read_files_pattern($1, postfix_spool_type, postfix_spool_type)
')
########################################
##
-## Create, read, write, and delete postfix mail spool files.
+## Manage postfix mail spool files.
##
##
##
@@ -475,11 +533,11 @@
#
interface(`postfix_manage_spool_files',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
files_search_spool($1)
- manage_files_pattern($1, postfix_spool_t, postfix_spool_t)
+ manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
')
########################################
@@ -500,3 +558,43 @@
typeattribute $1 postfix_user_domtrans;
')
+
+########################################
+##
+## Execute the master postdrop in the
+## postfix_postdrop domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_domtrans_postdrop',`
+ gen_require(`
+ type postfix_postdrop_t, postfix_postdrop_exec_t;
+ ')
+
+ domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
+')
+
+########################################
+##
+## Execute the master postdrop in the
+## postfix_postdrop domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_run_postdrop',`
+ gen_require(`
+ type postfix_postdrop_t;
+ ')
+
+ postfix_domtrans_postdrop($1)
+ role $2 types postfix_postdrop_t;
+')
+
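Review bot: `postfix_run_postdrop` takes a second argument (`role $2 types postfix_postdrop_t;`) but its header documents only one parameter and carries the same summary as `postfix_domtrans_postdrop`, so the generated interface docs will not mention the role at all. Add a second parameter block describing `$2` as the role allowed the postfix_postdrop domain, and give the run variant a distinct summary such as `## Execute postdrop in the postfix_postdrop domain, and allow the specified role the postfix_postdrop domain.`. Both summaries say `master postdrop`, which looks copied from the postfix_master wording earlier in the file; the rules transition to postdrop only.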
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.13/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/postfix.te 2009-05-21 09:48:24.000000000 -0400
@@ -6,6 +6,15 @@
# Declarations
#
+##
+##
+## Allow postfix_local domain full write access to mail_spool directories
+##
+##
+##
+gen_tunable(allow_postfix_local_write_mail_spool, false)
+
+attribute postfix_spool_type;
attribute postfix_user_domains;
# domains that transition to the
# postfix user domains
@@ -13,13 +22,13 @@
postfix_server_domain_template(bounce)
-type postfix_spool_bounce_t;
+type postfix_spool_bounce_t, postfix_spool_type;
files_type(postfix_spool_bounce_t)
postfix_server_domain_template(cleanup)
type postfix_etc_t;
-files_type(postfix_etc_t)
+files_config_file(postfix_etc_t)
type postfix_exec_t;
application_executable_file(postfix_exec_t)
@@ -27,6 +36,12 @@
postfix_server_domain_template(local)
mta_mailserver_delivery(postfix_local_t)
+userdom_read_user_home_content_files(postfix_local_t)
+
+tunable_policy(`allow_postfix_local_write_mail_spool',`
+ mta_manage_spool(postfix_local_t)
+')
+
type postfix_local_tmp_t;
files_tmp_file(postfix_local_tmp_t)
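Review bot: The tunable block grants `mta_manage_spool(postfix_local_t)`, which includes create, rename and unlink on the mail spool, whereas the tunable's description added in the earlier hunk of this file says `full write access to mail_spool directories`; someone enabling `allow_postfix_local_write_mail_spool` would not expect it to permit deletion. Either word the description as manage (create/delete) or narrow the rule to a read/write interface from mta.if (e.g. `mta_rw_spool`) if write is what is meant; I cannot tell from here which is intended.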
@@ -34,6 +49,7 @@
type postfix_map_t;
type postfix_map_exec_t;
application_domain(postfix_map_t, postfix_map_exec_t)
+role system_r types postfix_map_t;
type postfix_map_tmp_t;
files_tmp_file(postfix_map_tmp_t)
@@ -68,13 +84,13 @@
postfix_server_domain_template(smtpd)
-type postfix_spool_t;
+type postfix_spool_t, postfix_spool_type;
files_type(postfix_spool_t)
-type postfix_spool_maildrop_t;
+type postfix_spool_maildrop_t, postfix_spool_type;
files_type(postfix_spool_maildrop_t)
-type postfix_spool_flush_t;
+type postfix_spool_flush_t, postfix_spool_type;
files_type(postfix_spool_flush_t)
type postfix_public_t;
@@ -103,6 +119,7 @@
allow postfix_master_t self:fifo_file rw_fifo_file_perms;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
+allow postfix_master_t self:process setrlimit;
allow postfix_master_t postfix_etc_t:file rw_file_perms;
@@ -132,6 +149,7 @@
# allow access to deferred queue and allow removing bogus incoming entries
manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
allow postfix_master_t postfix_spool_bounce_t:file getattr;
@@ -142,6 +160,7 @@
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
kernel_read_all_sysctls(postfix_master_t)
@@ -153,6 +172,9 @@
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
+corenet_udp_bind_generic_node(postfix_master_t)
+corenet_udp_bind_all_unreserved_ports(postfix_master_t)
+corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
corenet_tcp_bind_generic_node(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
@@ -170,6 +192,8 @@
domain_use_interactive_fds(postfix_master_t)
files_read_usr_files(postfix_master_t)
+files_search_var_lib(postfix_master_t)
+files_search_tmp(postfix_master_t)
term_dontaudit_search_ptys(postfix_master_t)
@@ -181,15 +205,14 @@
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
+mta_getattr_spool(postfix_master_t)
-ifdef(`distro_redhat',`
- # for newer main.cf that uses /etc/aliases
- mta_manage_aliases(postfix_master_t)
- mta_etc_filetrans_aliases(postfix_master_t)
+optional_policy(`
+ cyrus_stream_connect(postfix_master_t)
')
optional_policy(`
- cyrus_stream_connect(postfix_master_t)
+ kerberos_keytab_template(postfix, postfix_t)
')
optional_policy(`
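Review bot: `kerberos_keytab_template(postfix, postfix_t)` names a domain `postfix_t` that I cannot find declared anywhere in this patch; every other rule in this file is written against `postfix_master_t` and the per-program domains, so unless `postfix_t` exists elsewhere this will fail to build as soon as the kerberos module is present. Confirm the intended domain; `kerberos_keytab_template(postfix, postfix_master_t)` is what the surrounding rules suggest.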
@@ -202,9 +225,29 @@
')
optional_policy(`
+ postgrey_search_spool(postfix_master_t)
+')
+
+optional_policy(`
sendmail_signal(postfix_master_t)
')
+###########################################################
+#
+# Partially converted rules. THESE ARE ONLY TEMPORARY
+#
+
+ifdef(`distro_redhat',`
+ # for newer main.cf that uses /etc/aliases
+ allow postfix_master_t etc_aliases_t:dir manage_dir_perms;
+ allow postfix_master_t etc_aliases_t:file manage_file_perms;
+ allow postfix_master_t etc_aliases_t:lnk_file manage_lnk_file_perms;
+ mta_etc_filetrans_aliases(postfix_master_t)
+ filetrans_pattern(postfix_master_t, postfix_etc_t, etc_aliases_t, { dir file lnk_file })
+')
+
+# end partially converted rules
+
########################################
#
# Postfix bounce local policy
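Review bot: `filetrans_pattern(postfix_master_t, postfix_etc_t, etc_aliases_t, { dir file lnk_file })` applies to every object postfix_master_t creates inside a postfix_etc_t directory regardless of name, so any other configuration file the daemon writes there will be labelled etc_aliases_t, which is wider than the `mta_etc_filetrans_aliases` call next to it. The raw `allow postfix_master_t etc_aliases_t:...` lines also reference another module's type directly in a .te file instead of going through `mta_manage_aliases` as the removed block did; the section is marked temporary, but a note saying what blocks the conversion (and whether the extra filetrans is needed at all) would help whoever finishes it, e.g. `# TODO: revert to mta_manage_aliases() once <reason> is resolved`.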
@@ -219,6 +262,7 @@
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir)
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
@@ -240,11 +284,16 @@
manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
corecmd_exec_bin(postfix_cleanup_t)
+optional_policy(`
+ mailman_read_data_files(postfix_cleanup_t)
+')
+
########################################
#
# Postfix local local policy
@@ -270,18 +319,29 @@
files_read_etc_files(postfix_local_t)
+logging_dontaudit_search_logs(postfix_local_t)
+
mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
+domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+
optional_policy(`
clamav_search_lib(postfix_local_t)
+ clamav_exec_clamscan(postfix_local_t)
')
optional_policy(`
# for postalias
mailman_manage_data_files(postfix_local_t)
+ mailman_append_log(postfix_local_t)
+ mailman_read_log(postfix_local_t)
+')
+
+optional_policy(`
+ nagios_search_spool(postfix_local_t)
')
optional_policy(`
@@ -292,8 +352,7 @@
#
# Postfix map local policy
#
-
-allow postfix_map_t self:capability setgid;
+allow postfix_map_t self:capability { dac_override setgid setuid };
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
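Review bot: `{ dac_override setgid setuid }` gives postfix_map_t, which the earlier hunk also makes reachable from system_r, the ability to bypass file permission checks entirely, and nothing in the hunk records which operation needed it. If the requirement is only to read or search files owned by another user, `dac_read_search` is the narrower capability; otherwise a comment such as `# dac_override/setuid needed for: <reason>` should record the trigger so the grant is not kept by default without justification.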
@@ -340,10 +399,6 @@
miscfiles_read_localization(postfix_map_t)
-seutil_read_config(postfix_map_t)
-
-userdom_use_user_terminals(postfix_map_t)
-
tunable_policy(`read_default_t',`
files_list_default(postfix_map_t)
files_read_default_files(postfix_map_t)
@@ -356,6 +411,11 @@
locallogin_dontaudit_use_fds(postfix_map_t)
')
+optional_policy(`
+# for postalias
+ mailman_manage_data_files(postfix_map_t)
+')
+
########################################
#
# Postfix pickup local policy
@@ -380,6 +440,7 @@
#
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
+allow postfix_pipe_t self:process setrlimit;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
@@ -387,6 +448,12 @@
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+
+optional_policy(`
+ dovecot_domtrans_deliver(postfix_pipe_t)
+')
+
optional_policy(`
procmail_domtrans(postfix_pipe_t)
')
@@ -396,6 +463,15 @@
')
optional_policy(`
+ mta_manage_spool(postfix_pipe_t)
+ mta_send_mail(postfix_pipe_t)
+')
+
+optional_policy(`
+ spamassassin_domtrans_client(postfix_pipe_t)
+')
+
+optional_policy(`
uucp_domtrans_uux(postfix_pipe_t)
')
@@ -432,8 +508,11 @@
')
optional_policy(`
- ppp_use_fds(postfix_postqueue_t)
- ppp_sigchld(postfix_postqueue_t)
+ sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
+')
+
+optional_policy(`
+ uucp_manage_spool(postfix_postdrop_t)
')
#######################################
@@ -459,6 +538,15 @@
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
+optional_policy(`
+ cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t)
+')
+
+optional_policy(`
+ ppp_use_fds(postfix_postqueue_t)
+ ppp_sigchld(postfix_postqueue_t)
+')
+
########################################
#
# Postfix qmgr local policy
@@ -472,6 +560,7 @@
manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -513,7 +602,7 @@
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
-files_dontaudit_getattr_home_dir(postfix_smtp_t)
+files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
@@ -543,9 +632,18 @@
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
+
+# postfix checks the size of all mounted file systems
+fs_getattr_all_dirs(postfix_smtpd_t)
+fs_getattr_all_fs(postfix_smtpd_t)
+
mta_read_aliases(postfix_smtpd_t)
optional_policy(`
+ dovecot_auth_stream_connect(postfix_smtpd_t)
+')
+
+optional_policy(`
mailman_read_data_files(postfix_smtpd_t)
')
@@ -572,15 +670,21 @@
files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
# connect to master process
-stream_connect_pattern(postfix_virtual_t, postfix_public_t, postfix_public_t, postfix_master_t)
+stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
corecmd_exec_shell(postfix_virtual_t)
corecmd_exec_bin(postfix_virtual_t)
files_read_etc_files(postfix_virtual_t)
+files_read_usr_files(postfix_virtual_t)
mta_read_aliases(postfix_virtual_t)
mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
+
+userdom_manage_user_home_dirs(postfix_virtual_t)
+userdom_manage_user_home_content(postfix_virtual_t)
+userdom_home_filetrans_user_home_dir(postfix_virtual_t)
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
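Review bot: `userdom_manage_user_home_dirs` together with `userdom_manage_user_home_content` gives the virtual delivery agent create, delete and rename over every user's home directory and all of its content, which is far more than delivering into a mailbox requires; by contrast postfix_local_t in this same patch receives only `userdom_read_user_home_content_files`. If maildir delivery under home directories is the use case, the rules should be limited to what that needs and say so, e.g. `# maildir delivery into user home directories`. The `{file dir }` in the last line should be `{ file dir }` to match the spacing used elsewhere in this file.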
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.13/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-08-14 13:08:27.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/postgresql.fc 2009-05-21 09:48:24.000000000 -0400
@@ -2,6 +2,7 @@
# /etc
#
/etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
+/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
#
# /usr
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.13/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2009-05-22 10:28:56.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/postgresql.if 2009-05-21 09:48:24.000000000 -0400
@@ -64,7 +64,7 @@
allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
- allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
+ allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
allow $2 sepgsql_trusted_proc_t:process transition;
@@ -362,7 +362,7 @@
allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;
- allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
+ allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
')
@@ -384,3 +384,46 @@
typeattribute $1 sepgsql_unconfined_type;
')
+
+########################################
+##
+## All of the rules required to administrate an postgresql environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the postgresql domain.
+##
+##
+##
+#
+interface(`postgresql_admin',`
+ gen_require(`
+ type postgresql_t, postgresql_var_run_t;
+ type postgresql_tmp_t, postgresql_db_t;
+ type postgresql_etc_t, postgresql_log_t;
+ type postgresql_initrc_exec_t;
+ ')
+
+ allow $1 postgresql_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postgresql_t)
+
+ init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 postgresql_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, postgresql_var_run_t)
+
+ admin_pattern($1, postgresql_db_t)
+
+ admin_pattern($1, postgresql_etc_t)
+
+ admin_pattern($1, postgresql_log_t)
+
+ admin_pattern($1, postgresql_tmp_t)
+')
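Review bot: `postgresql_admin` covers var_run, db, etc, log and tmp but not `postgresql_lock_t`, which the postgresql.te hunk in this patch shows declared with `files_lock_file(postgresql_lock_t)`; an administrator role would be unable to clear a stale lock. Adding `type postgresql_lock_t;` to the gen_require and `admin_pattern($1, postgresql_lock_t)` alongside the others would make it consistent with the ppp and prelude admin interfaces touched by this patch. The summary `administrate an postgresql environment` should read `a postgresql environment`.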
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.13/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2009-05-22 10:28:56.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/postgresql.te 2009-05-21 09:48:24.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(postgresql, 1.8.7)
+policy_module(postgresql, 1.8.6)
gen_require(`
class db_database all_db_database_perms;
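Review bot: `policy_module(postgresql, 1.8.7)` becomes `1.8.6`, so the patched module carries a lower version than the file it patches. The patch appears to be against an older upstream revision (the `---` timestamp is a day later than the `+++` one), and the later hunks that drop `import export` from the db_blob rules in postgresql.if and turn `sepgsql_proc_exec_t` back into `sepgsql_proc_t` look like the same regression rather than intended changes. The version should be at least 1.8.7 after any edit, and those hunks should be rebased onto the newer upstream rather than reverting it.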
@@ -32,6 +32,9 @@
type postgresql_etc_t;
files_config_file(postgresql_etc_t)
+type postgresql_initrc_exec_t;
+init_script_file(postgresql_initrc_exec_t)
+
type postgresql_lock_t;
files_lock_file(postgresql_lock_t)
@@ -139,6 +142,7 @@
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
allow postgresql_t self:process signal_perms;
allow postgresql_t self:fifo_file rw_fifo_file_perms;
+allow postgresql_t self:file { getattr read };
allow postgresql_t self:sem create_sem_perms;
allow postgresql_t self:shm create_shm_perms;
allow postgresql_t self:tcp_socket create_stream_socket_perms;
@@ -158,7 +162,7 @@
type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t;
allow postgresql_t sepgsql_procedure_type:db_procedure *;
-type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
+type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_t;
allow postgresql_t sepgsql_blob_type:db_blob *;
type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t;
@@ -193,7 +197,7 @@
manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
-files_pid_filetrans(postgresql_t, postgresql_var_run_t, file)
+files_pid_filetrans(postgresql_t, postgresql_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(postgresql_t)
kernel_read_system_state(postgresql_t)
@@ -209,6 +213,7 @@
corenet_udp_sendrecv_generic_node(postgresql_t)
corenet_tcp_sendrecv_all_ports(postgresql_t)
corenet_udp_sendrecv_all_ports(postgresql_t)
+corenet_udp_bind_generic_node(postgresql_t)
corenet_tcp_bind_generic_node(postgresql_t)
corenet_tcp_bind_postgresql_port(postgresql_t)
corenet_tcp_connect_auth_port(postgresql_t)
@@ -347,7 +352,7 @@
type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t;
type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t;
-type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
+type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_t;
type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;
allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.13/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc 2008-09-11 11:28:34.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/ppp.fc 2009-05-21 09:48:24.000000000 -0400
@@ -1,7 +1,7 @@
#
# /etc
#
-/etc/rc.d/init.d/ppp -- gen_context(system_u:object_r:pppd_script_exec_t,s0)
+/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
@@ -8,9 +8,8 @@
/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-
# Fix /etc/ppp {up,down} family scripts (see man pppd)
-/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_script_exec_t,s0)
+/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
#
# /sbin
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.13/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/ppp.if 2009-05-21 09:48:24.000000000 -0400
@@ -58,6 +58,25 @@
########################################
##
+## Send ppp a kill signal
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`ppp_kill',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:process sigkill;
+')
+
+########################################
+##
## Send a generic signal to PPP.
##
##
@@ -298,6 +317,24 @@
########################################
##
+## Execute ppp server in the ntpd domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`ppp_initrc_domtrans',`
+ gen_require(`
+ type pppd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, pppd_initrc_exec_t)
+')
+
+########################################
+##
## All of the rules required to administrate
## an ppp environment
##
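Review bot: The summary of `ppp_initrc_domtrans` reads `Execute ppp server in the ntpd domain.`, which is a copy of another module's header; the interface runs the pppd init script through `init_labeled_script_domtrans`, so it should say `## Execute the ppp init script in the initrc domain.`. The parameter text `The type of the process performing this action.` also differs from the `Domain allowed access.` wording the rest of this file uses.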
@@ -315,33 +352,39 @@
type pppd_etc_rw_t, pppd_var_run_t;
type pptp_t, pptp_log_t, pptp_var_run_t;
+ type pppd_initrc_exec_t;
')
allow $1 pppd_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, pppd_t)
+ ppp_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 pppd_initrc_exec_t system_r;
+ allow $2 system_r;
+
files_list_tmp($1)
- manage_files_pattern($1, pppd_tmp_t, pppd_tmp_t)
+ admin_pattern($1, pppd_tmp_t)
logging_list_logs($1)
- manage_files_pattern($1, pppd_log_t, pppd_log_t)
+ admin_pattern($1, pppd_log_t)
- manage_files_pattern($1, pppd_lock_t, pppd_lock_t)
+ admin_pattern($1, pppd_lock_t)
files_list_etc($1)
- manage_files_pattern($1, pppd_etc_t, pppd_etc_t)
+ admin_pattern($1, pppd_etc_t)
- manage_files_pattern($1, pppd_etc_rw_t, pppd_etc_rw_t)
+ admin_pattern($1, pppd_etc_rw_t)
- manage_files_pattern($1, pppd_secret_t, pppd_secret_t)
+ admin_pattern($1, pppd_secret_t)
files_list_pids($1)
- manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
+ admin_pattern($1, pppd_var_run_t)
allow $1 pptp_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, pptp_t)
- manage_files_pattern($1, pptp_log_t, pptp_log_t)
+ admin_pattern($1, pptp_log_t)
- manage_files_pattern($1, pptp_var_run_t, pptp_var_run_t)
+ admin_pattern($1, pptp_var_run_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.13/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/ppp.te 2009-05-21 09:48:24.000000000 -0400
@@ -37,8 +37,8 @@
type pppd_etc_rw_t;
files_type(pppd_etc_rw_t)
-type pppd_script_exec_t;
-files_type(pppd_script_exec_t)
+type pppd_initrc_exec_t;
+files_type(pppd_initrc_exec_t)
# pppd_secret_t is the type of the pap and chap password files
type pppd_secret_t;
@@ -114,6 +114,8 @@
# Access secret files
allow pppd_t pppd_secret_t:file read_file_perms;
+ppp_initrc_domtrans(pppd_t)
+
kernel_read_kernel_sysctls(pppd_t)
kernel_read_system_state(pppd_t)
kernel_rw_net_sysctls(pppd_t)
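Review bot: `ppp_initrc_domtrans(pppd_t)` makes pppd transition into the init script domain whenever it executes a `pppd_initrc_exec_t` file, and ppp.fc in this patch gives that label to the `/etc/ppp/(auth|ip(v6|x)?)-(up|down)` hook scripts as well as the init script, so the up/down hooks now run with initrc privileges. This replaces the `# FIXME:` domtrans to initrc_t removed at the end of the file, so it is not new exposure, but the reason deserves a comment here rather than being lost with the FIXME, e.g. `# ip-up/down hooks share the init script label and run as initrc_t`.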
@@ -161,6 +163,7 @@
init_read_utmp(pppd_t)
init_dontaudit_write_utmp(pppd_t)
+init_signal_script(pppd_t)
auth_use_nsswitch(pppd_t)
@@ -174,7 +177,6 @@
userdom_use_user_terminals(pppd_t)
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
-# for ~/.ppprc - if it actually exists then you need some policy to read it
userdom_search_user_home_dirs(pppd_t)
ppp_exec(pppd_t)
@@ -191,6 +193,8 @@
optional_policy(`
mta_send_mail(pppd_t)
+ mta_system_content(pppd_etc_t)
+ mta_system_content(pppd_etc_rw_t)
')
optional_policy(`
@@ -214,7 +218,7 @@
# PPTP Local policy
#
-allow pptp_t self:capability net_raw;
+allow pptp_t self:capability { net_raw net_admin };
dontaudit pptp_t self:capability sys_tty_config;
allow pptp_t self:process signal;
allow pptp_t self:fifo_file rw_fifo_file_perms;
@@ -222,14 +226,16 @@
allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow pptp_t self:rawip_socket create_socket_perms;
allow pptp_t self:tcp_socket create_socket_perms;
+allow pptp_t self:udp_socket create_socket_perms;
+allow pptp_t self:netlink_route_socket rw_netlink_socket_perms;
allow pptp_t pppd_etc_t:dir list_dir_perms;
allow pptp_t pppd_etc_t:file read_file_perms;
-allow pptp_t pppd_etc_t:lnk_file { getattr read };
+allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
allow pptp_t pppd_etc_rw_t:file read_file_perms;
-allow pptp_t pppd_etc_rw_t:lnk_file { getattr read };
+allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
can_exec(pptp_t, pppd_etc_rw_t)
# Allow pptp to append to pppd log files
@@ -245,9 +251,13 @@
kernel_list_proc(pptp_t)
kernel_read_kernel_sysctls(pptp_t)
kernel_read_proc_symlinks(pptp_t)
+kernel_read_system_state(pptp_t)
dev_read_sysfs(pptp_t)
+corecmd_exec_shell(pptp_t)
+corecmd_read_bin_symlinks(pptp_t)
+
corenet_all_recvfrom_unlabeled(pptp_t)
corenet_all_recvfrom_netlabel(pptp_t)
corenet_tcp_sendrecv_generic_if(pptp_t)
@@ -263,17 +273,21 @@
fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)
+files_read_etc_files(pptp_t)
+
term_ioctl_generic_ptys(pptp_t)
term_search_ptys(pptp_t)
term_use_ptmx(pptp_t)
domain_use_interactive_fds(pptp_t)
+auth_use_nsswitch(pptp_t)
+
logging_send_syslog_msg(pptp_t)
miscfiles_read_localization(pptp_t)
-sysnet_read_config(pptp_t)
+sysnet_exec_ifconfig(pptp_t)
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
userdom_dontaudit_search_user_home_dirs(pptp_t)
@@ -283,11 +297,15 @@
')
optional_policy(`
- hostname_exec(pptp_t)
+ dbus_system_domain(pppd_t, pppd_exec_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(pppd_t)
+ ')
')
optional_policy(`
- nscd_socket_use(pptp_t)
+ hostname_exec(pptp_t)
')
optional_policy(`
@@ -301,6 +319,3 @@
optional_policy(`
postfix_read_config(pppd_t)
')
-
-# FIXME:
-domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.6.13/policy/modules/services/prelude.fc
--- nsaserefpolicy/policy/modules/services/prelude.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/prelude.fc 2009-05-21 09:48:24.000000000 -0400
@@ -1,3 +1,9 @@
+/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0)
+
+/etc/rc\.d/init\.d/prelude-correlator -- gen_context(system_u:object_r:prelude_initrc_exec_t, s0)
+/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
+
/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0)
@@ -5,7 +11,15 @@
/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0)
+/var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0)
+
/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0)
/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
+
+/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
+/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0)
+
+/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0)
+
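Review bot: The `gen_context(system_u:object_r:prelude_correlator_config_t, s0)` and `...prelude_correlator_exec_t, s0)` entries have a space before `s0` that no other line in this file uses, and the new `/usr/bin/prelude-lml` and `/usr/bin/prelude-correlator` entries are appended after the `/var` block instead of next to the existing `/usr/bin/prelude-manager` line. Keeping path order and the `,s0` form makes the file easier to compare against upstream; the hunk also adds a trailing blank line at end of file.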
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.6.13/policy/modules/services/prelude.if
--- nsaserefpolicy/policy/modules/services/prelude.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/prelude.if 2009-05-21 09:48:24.000000000 -0400
@@ -6,7 +6,7 @@
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
##
##
#
@@ -42,7 +42,7 @@
##
##
##
-## Domain allowed acccess.
+## Domain allowed to transition.
##
##
#
@@ -56,6 +56,45 @@
########################################
##
+## Read the prelude spool files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prelude_read_spool',`
+ gen_require(`
+ type prelude_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, prelude_spool_t, prelude_spool_t)
+')
+
+########################################
+##
+## Manage to prelude-manager spool files.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`prelude_manage_spool',`
+ gen_require(`
+ type prelude_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
+ manage_files_pattern($1, prelude_spool_t, prelude_spool_t)
+')
+
+########################################
+##
## All of the rules required to administrate
## an prelude environment
##
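Review bot: The parameter description of `prelude_manage_spool` reads `## Domain allowed to transition.` although the interface grants file access and performs no domain transition; it should read `## Domain allowed access.` as in `prelude_read_spool` directly above — this is the same description swap the first two hunks of this file correct for older interfaces. The summary `## Manage to prelude-manager spool files.` should read `## Manage prelude-manager spool files.`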
@@ -64,6 +103,11 @@
## Domain allowed access.
##
##
+##
+##
+## The role to be allowed to manage the syslog domain.
+##
+##
##
#
interface(`prelude_admin',`
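Review bot: The new `$2` description says `## The role to be allowed to manage the syslog domain.`, which looks copy-pasted from the logging module; in `prelude_admin` it should read `## The role to be allowed to manage the prelude domain.`, matching the wording `pyzor_admin` uses in this same patch.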
@@ -71,6 +115,10 @@
type prelude_t, prelude_spool_t;
type prelude_var_run_t, prelude_var_lib_t;
type prelude_audisp_t, prelude_audisp_var_run_t;
+ type prelude_initrc_exec_t;
+
+ type prelude_lml_t, prelude_lml_tmp_t;
+ type prelude_lml_var_run_t;
')
allow $1 prelude_t:process { ptrace signal_perms };
@@ -79,11 +127,18 @@
allow $1 prelude_audisp_t:process { ptrace signal_perms };
ps_process_pattern($1, prelude_audisp_t)
- manage_files_pattern($1, prelude_spool_t, prelude_spool_t)
-
- manage_files_pattern($1, prelude_var_lib_t, prelude_var_lib_t)
-
- manage_files_pattern($1, prelude_var_run_t, prelude_var_run_t)
+ allow $1 prelude_lml_t:process { ptrace signal_perms };
+ ps_process_pattern($1, prelude_lml_t)
- manage_files_pattern($1, prelude_audisp_var_run_t, prelude_audisp_var_run_t)
+ init_labeled_script_domtrans($1, prelude_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 prelude_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, prelude_spool_t)
+ admin_pattern($1, prelude_var_lib_t)
+ admin_pattern($1, prelude_var_run_t)
+ admin_pattern($1, prelude_audisp_var_run_t)
+ admin_pattern($1, prelude_lml_tmp_t)
+ admin_pattern($1, prelude_lml_var_run_t)
')
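Review bot: `prelude_admin` does not cover the types this patch adds in prelude.te: `prelude_log_t` and `prelude_correlator_config_t` are neither in the `gen_require` (previous hunk) nor given an `admin_pattern`, and `prelude_correlator_t` gets no `ptrace signal_perms`/`ps_process_pattern` like the other daemon domains, so an admin role cannot manage the correlator or the manager's log files. `pyzor_admin` in the same patch pairs each `admin_pattern` with the parent-directory interface (`files_list_tmp($1)`, `logging_list_logs($1)`, …); here `admin_pattern($1, prelude_lml_tmp_t)` has no `files_list_tmp($1)` and the spool/var_lib/pid patterns have no search rules, which presumably leaves those files unreachable for the admin domain. The interface's gen_require is in the previous hunk.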
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.13/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/prelude.te 2009-05-21 09:48:24.000000000 -0400
@@ -13,25 +13,57 @@
type prelude_spool_t;
files_type(prelude_spool_t)
+type prelude_log_t;
+logging_log_file(prelude_log_t)
+
type prelude_var_run_t;
files_pid_file(prelude_var_run_t)
type prelude_var_lib_t;
files_type(prelude_var_lib_t)
+type prelude_initrc_exec_t;
+init_script_file(prelude_initrc_exec_t)
+
type prelude_audisp_t;
type prelude_audisp_exec_t;
init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t)
+typealias prelude_audisp_t alias audisp_prelude_t;
+typealias prelude_audisp_exec_t alias audisp_prelude_exec_t;
type prelude_audisp_var_run_t;
files_pid_file(prelude_audisp_var_run_t)
+typealias prelude_audisp_var_run_t alias audisp_prelude_var_run_t;
+
+type prelude_lml_t;
+type prelude_lml_exec_t;
+init_daemon_domain(prelude_lml_t, prelude_lml_exec_t)
+
+type prelude_lml_var_run_t;
+files_pid_file(prelude_lml_var_run_t)
+
+type prelude_lml_tmp_t;
+files_tmp_file(prelude_lml_tmp_t)
+
+########################################
+#
+# prelude_correlator declarations
+#
+
+type prelude_correlator_t;
+type prelude_correlator_exec_t;
+init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t)
+role system_r types prelude_correlator_t;
+
+type prelude_correlator_config_t;
+files_config_file(prelude_correlator_config_t)
########################################
#
# prelude local policy
#
-allow prelude_t self:capability sys_tty_config;
+allow prelude_t self:capability { dac_override sys_tty_config };
allow prelude_t self:fifo_file rw_file_perms;
allow prelude_t self:unix_stream_socket create_stream_socket_perms;
allow prelude_t self:netlink_route_socket r_netlink_socket_perms;
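Review bot: `dac_override` is added to `prelude_t` here and, in later hunks of this file, to `prelude_audisp_t`, `prelude_correlator_t` and `prelude_lml_t`; this capability lets each daemon bypass DAC permission checks on every file its type rules already reach, and is usually a symptom of the daemon touching files it does not own rather than a real requirement. A short comment above each grant naming the files that triggered it (or fixing their ownership/mode instead) would let a later reviewer drop it. `role system_r types prelude_correlator_t;` right after `init_daemon_domain()` looks redundant, since that macro already associates the domain with `system_r` — confirm and drop. The `########################################` header for prelude local policy also needs a blank line after `files_config_file(prelude_correlator_config_t)`.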
@@ -49,6 +81,9 @@
manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
files_pid_filetrans(prelude_t, prelude_var_run_t, file)
+manage_files_pattern(prelude_t, prelude_log_t, prelude_log_t)
+logging_log_filetrans(prelude_t, prelude_log_t, file)
+
corecmd_search_bin(prelude_t)
corenet_all_recvfrom_unlabeled(prelude_t)
@@ -56,15 +91,25 @@
corenet_tcp_sendrecv_generic_if(prelude_t)
corenet_tcp_sendrecv_generic_node(prelude_t)
corenet_tcp_bind_generic_node(prelude_t)
+corenet_tcp_bind_prelude_port(prelude_t)
+corenet_tcp_connect_prelude_port(prelude_t)
+corenet_tcp_connect_postgresql_port(prelude_t)
dev_read_rand(prelude_t)
dev_read_urand(prelude_t)
+kernel_read_system_state(prelude_t)
+kernel_read_sysctl(prelude_t)
+
# Init script handling
domain_use_interactive_fds(prelude_t)
files_read_etc_files(prelude_t)
+files_read_etc_runtime_files(prelude_t)
files_read_usr_files(prelude_t)
+files_search_tmp(prelude_t)
+
+fs_rw_anon_inodefs_files(prelude_t)
auth_use_nsswitch(prelude_t)
@@ -86,7 +131,7 @@
#
# prelude_audisp local policy
#
-
+allow prelude_audisp_t self:capability dac_override;
allow prelude_audisp_t self:fifo_file rw_file_perms;
allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
@@ -107,6 +152,7 @@
corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
corenet_tcp_bind_generic_node(prelude_audisp_t)
+corenet_tcp_connect_prelude_port(prelude_audisp_t)
dev_read_rand(prelude_audisp_t)
dev_read_urand(prelude_audisp_t)
@@ -114,12 +160,135 @@
# Init script handling
domain_use_interactive_fds(prelude_audisp_t)
+kernel_read_sysctl(prelude_audisp_t)
+kernel_read_system_state(prelude_audisp_t)
+
files_read_etc_files(prelude_audisp_t)
+files_read_etc_runtime_files(prelude_audisp_t)
+files_search_tmp(prelude_audisp_t)
logging_send_syslog_msg(prelude_audisp_t)
+logging_dispatcher_domain(prelude_audisp_t, prelude_audisp_exec_t)
miscfiles_read_localization(prelude_audisp_t)
+sysnet_dns_name_resolve(prelude_audisp_t)
+
+########################################
+#
+# prelude_correlator local policy
+#
+
+allow prelude_correlator_t self:capability dac_override;
+allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms;
+allow prelude_correlator_t self:tcp_socket create_stream_socket_perms;
+allow prelude_correlator_t self:unix_dgram_socket create_socket_perms;
+
+allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms;
+read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t)
+
+prelude_manage_spool(prelude_correlator_t)
+
+corecmd_search_bin(prelude_correlator_t)
+
+corenet_all_recvfrom_unlabeled(prelude_correlator_t)
+corenet_all_recvfrom_netlabel(prelude_correlator_t)
+corenet_tcp_sendrecv_generic_if(prelude_correlator_t)
+corenet_tcp_sendrecv_generic_node(prelude_correlator_t)
+corenet_tcp_connect_prelude_port(prelude_correlator_t)
+
+kernel_read_sysctl(prelude_correlator_t)
+
+dev_read_rand(prelude_correlator_t)
+dev_read_urand(prelude_correlator_t)
+
+files_read_etc_files(prelude_correlator_t)
+files_read_usr_files(prelude_correlator_t)
+files_search_spool(prelude_correlator_t)
+
+logging_send_syslog_msg(prelude_correlator_t)
+
+miscfiles_read_localization(prelude_correlator_t)
+
+sysnet_dns_name_resolve(prelude_correlator_t)
+
+########################################
+#
+# prelude_lml local declarations
+#
+
+allow prelude_lml_t self:capability dac_override;
+
+# Init script handling
+domain_use_interactive_fds(prelude_lml_t)
+
+allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };
+allow prelude_lml_t self:unix_dgram_socket { write create connect };
+allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
+allow prelude_lml_t self:unix_stream_socket connectto;
+
+files_list_tmp(prelude_lml_t)
+manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t)
+manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t)
+files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir })
+
+files_search_spool(prelude_lml_t)
+manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
+manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
+
+files_search_var_lib(prelude_lml_t)
+manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
+manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
+
+manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t)
+files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file)
+
+corecmd_exec_bin(prelude_lml_t)
+
+corenet_tcp_sendrecv_generic_if(prelude_lml_t)
+corenet_tcp_sendrecv_generic_node(prelude_lml_t)
+corenet_tcp_recvfrom_netlabel(prelude_lml_t)
+corenet_tcp_recvfrom_unlabeled(prelude_lml_t)
+corenet_sendrecv_unlabeled_packets(prelude_lml_t)
+corenet_tcp_connect_prelude_port(prelude_lml_t)
+
+dev_read_rand(prelude_lml_t)
+dev_read_urand(prelude_lml_t)
+
+kernel_read_system_state(prelude_lml_t)
+kernel_read_sysctl(prelude_lml_t)
+
+files_list_etc(prelude_lml_t)
+files_read_etc_files(prelude_lml_t)
+files_read_etc_runtime_files(prelude_lml_t)
+
+files_search_spool(prelude_lml_t)
+files_search_usr(prelude_lml_t)
+files_search_var_lib(prelude_lml_t)
+
+fs_list_inotifyfs(prelude_lml_t)
+fs_read_anon_inodefs_files(prelude_lml_t)
+fs_rw_anon_inodefs_files(prelude_lml_t)
+
+auth_use_nsswitch(prelude_lml_t)
+
+libs_exec_lib_files(prelude_lml_t)
+libs_read_lib_files(prelude_lml_t)
+
+logging_send_syslog_msg(prelude_lml_t)
+logging_read_generic_logs(prelude_lml_t)
+
+miscfiles_read_localization(prelude_lml_t)
+
+sysnet_dns_name_resolve(prelude_lml_t)
+
+userdom_read_all_users_state(prelude_lml_t)
+
+optional_policy(`
+ apache_search_sys_content(prelude_lml_t)
+ apache_read_log(prelude_lml_t)
+')
+
########################################
#
# prewikka_cgi Declarations
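Review bot: Several lines in the `prelude_lml_t` block are duplicated — `files_search_spool(prelude_lml_t)` and `files_search_var_lib(prelude_lml_t)` each appear twice — and its section header says `# prelude_lml local declarations` although it holds only rules; the sibling sections use `local policy`. The raw permission sets `allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };` and `self:unix_dgram_socket { write create connect }` depart from the `create_stream_socket_perms`/`create_socket_perms` macros used for `prelude_correlator_t` just above, which are the conventional form. `prelude_manage_spool(prelude_correlator_t)` calls this module's own interface (and `files_search_spool(prelude_correlator_t)` then repeats what it does); refpolicy convention inside a module is direct rules, as the lml block already does with `manage_dirs_pattern`/`manage_files_pattern`. `userdom_read_all_users_state(prelude_lml_t)` and `libs_exec_lib_files(prelude_lml_t)` are unusual grants for a log monitor and deserve a why-comment.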
@@ -128,6 +297,20 @@
optional_policy(`
apache_content_template(prewikka)
files_read_etc_files(httpd_prewikka_script_t)
+ files_search_tmp(httpd_prewikka_script_t)
+
+ kernel_read_sysctl(httpd_prewikka_script_t)
+ kernel_search_network_sysctl(httpd_prewikka_script_t)
+
+ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
+
+ corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t)
+
+ auth_use_nsswitch(httpd_prewikka_script_t)
+
+ logging_send_syslog_msg(httpd_prewikka_script_t)
+
+ apache_search_sys_content(httpd_prewikka_script_t)
optional_policy(`
mysql_search_db(httpd_prewikka_script_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.13/policy/modules/services/privoxy.te
--- nsaserefpolicy/policy/modules/services/privoxy.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/privoxy.te 2009-05-21 09:48:24.000000000 -0400
@@ -6,6 +6,14 @@
# Declarations
#
+##
+##
+## Allow privoxy to connect to all ports, not just
+## HTTP, FTP, and Gopher ports.
+##
+##
+gen_tunable(privoxy_connect_any, false)
+
type privoxy_t; # web_client_domain
type privoxy_exec_t;
init_daemon_domain(privoxy_t, privoxy_exec_t)
@@ -72,21 +80,18 @@
logging_send_syslog_msg(privoxy_t)
-miscfiles_read_localization(privoxy_t)
+auth_use_nsswitch(privoxy_t)
-sysnet_dns_name_resolve(privoxy_t)
+miscfiles_read_localization(privoxy_t)
userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
userdom_dontaudit_search_user_home_dirs(privoxy_t)
# cjp: this should really not be needed
userdom_use_user_terminals(privoxy_t)
-optional_policy(`
- nis_use_ypbind(privoxy_t)
-')
-
-optional_policy(`
- nscd_socket_use(privoxy_t)
+tunable_policy(`privoxy_connect_any',`
+ corenet_tcp_connect_all_ports(privoxy_t)
+ corenet_sendrecv_all_packets(privoxy_t)
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.13/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/procmail.te 2009-05-21 09:48:24.000000000 -0400
@@ -77,6 +77,7 @@
files_read_usr_files(procmail_t)
logging_send_syslog_msg(procmail_t)
+logging_append_all_logs(procmail_t)
miscfiles_read_localization(procmail_t)
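Review bot: `logging_append_all_logs(procmail_t)` gives the delivery agent append access to every file of a log type, for a domain that processes untrusted mail content and user-supplied recipes; that is wider than a configured `LOGFILE` needs. If procmail writes a specific log, a procmail log type with `logging_log_file()` and a `logging_log_filetrans()` confines it to that file; otherwise a comment naming the denial that motivated the grant would make it reviewable.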
@@ -92,6 +93,7 @@
userdom_dontaudit_search_user_home_dirs(procmail_t)
mta_manage_spool(procmail_t)
+mta_read_queue(procmail_t)
ifdef(`hide_broken_symptoms',`
mta_dontaudit_rw_queue(procmail_t)
@@ -128,6 +130,10 @@
')
optional_policy(`
+ nagios_search_spool(procmail_t)
+')
+
+optional_policy(`
pyzor_domtrans(procmail_t)
pyzor_signal(procmail_t)
')
@@ -136,7 +142,7 @@
mta_read_config(procmail_t)
sendmail_domtrans(procmail_t)
sendmail_signal(procmail_t)
- sendmail_rw_tcp_sockets(procmail_t)
+ sendmail_dontaudit_rw_tcp_sockets(procmail_t)
sendmail_rw_unix_stream_sockets(procmail_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.13/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/pyzor.fc 2009-05-21 09:48:24.000000000 -0400
@@ -1,6 +1,10 @@
/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
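Review bot: `HOME_DIR/\.spamd` and `/root/\.spamd` are labeled `pyzor_home_t` unconditionally, but the aliasing that makes `pyzor_home_t` a name for `spamc_home_t` in pyzor.te lives inside `ifdef(`distro_redhat',`; on other distributions this labels a spamd-named user directory with the pyzor home type. If these entries exist only to back the Red Hat aliasing, wrapping them in the same `ifdef(`distro_redhat',` (or moving them to spamassassin.fc) keeps the two consistent.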
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.13/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/pyzor.if 2009-05-21 09:48:24.000000000 -0400
@@ -88,3 +88,50 @@
corecmd_search_bin($1)
can_exec($1, pyzor_exec_t)
')
+
+########################################
+##
+## All of the rules required to administrate
+## an pyzor environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the pyzor domain.
+##
+##
+##
+#
+interface(`pyzor_admin',`
+ gen_require(`
+ type pyzord_t, pyzor_tmp_t, pyzord_log_t;
+ type pyzor_etc_t, pyzor_var_lib_t;
+ type pyzord_initrc_exec_t;
+ ')
+
+ allow $1 pyzord_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pyzord_t)
+
+ init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 pyzord_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, pyzor_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, pyzord_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, pyzor_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, pyzor_var_lib_t)
+')
+
+
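Review bot: The summary `## an pyzor environment` should read `## a pyzor environment`, and the hunk leaves two trailing blank lines after the closing `')` where the file's convention is one. `gen_require` lists `pyzor_tmp_t` and `pyzord_log_t` but not `pyzor_home_t`, so the admin role cannot manage the per-user pyzor data that pyzor.fc now also labels under /root — presumably intentional, but worth confirming.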
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.13/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/pyzor.te 2009-05-21 09:48:24.000000000 -0400
@@ -6,6 +6,38 @@
# Declarations
#
+
+ifdef(`distro_redhat',`
+
+ gen_require(`
+ type spamc_t;
+ type spamc_exec_t;
+ type spamd_t;
+ type spamd_initrc_exec_t;
+ type spamd_exec_t;
+ type spamc_tmp_t;
+ type spamd_log_t;
+ type spamd_var_lib_t;
+ type spamd_etc_t;
+ type spamc_tmp_t;
+ type spamc_home_t;
+ ')
+
+ typealias spamc_t alias pyzor_t;
+ typealias spamc_exec_t alias pyzor_exec_t;
+ typealias spamd_t alias pyzord_t;
+ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
+ typealias spamd_exec_t alias pyzord_exec_t;
+ typealias spamc_tmp_t alias pyzor_tmp_t;
+ typealias spamd_log_t alias pyzor_log_t;
+ typealias spamd_log_t alias pyzord_log_t;
+ typealias spamd_var_lib_t alias pyzor_var_lib_t;
+ typealias spamd_etc_t alias pyzor_etc_t;
+ typealias spamc_home_t alias pyzor_home_t;
+ typealias spamc_home_t alias user_pyzor_home_t;
+
+',`
+
type pyzor_t;
type pyzor_exec_t;
typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
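Review bot: `type spamc_tmp_t;` appears twice in the new `gen_require` block. More importantly, this `ifdef(`distro_redhat',` branch requires spamassassin's types outside any `optional_policy`, so on Red Hat builds the pyzor module can no longer load without the spamassassin module — a hard inter-module dependency that a comment above the block should state; razor.te's declarations hunk in this patch uses the same construction and has the same dependency. The `ifdef` opened here is closed in a later hunk of this file.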
@@ -40,6 +72,7 @@
type pyzord_log_t;
logging_log_file(pyzord_log_t)
+')
########################################
#
@@ -83,6 +116,8 @@
miscfiles_read_localization(pyzor_t)
+mta_read_queue(pyzor_t)
+
userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.6.13/policy/modules/services/razor.fc
--- nsaserefpolicy/policy/modules/services/razor.fc 2008-11-11 16:13:45.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/razor.fc 2009-05-21 09:48:24.000000000 -0400
@@ -1,3 +1,4 @@
+/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.13/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/razor.if 2009-05-21 09:48:24.000000000 -0400
@@ -157,3 +157,45 @@
domtrans_pattern($1, razor_exec_t, razor_t)
')
+
+########################################
+##
+## Create, read, write, and delete razor files
+## in a user home subdirectory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`razor_manage_user_home_files',`
+ gen_require(`
+ type razor_home_t;
+ ')
+
+ files_search_home($1)
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, razor_home_t, razor_home_t)
+ read_lnk_files_pattern($1, razor_home_t, razor_home_t)
+')
+
+########################################
+##
+## read razor lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`razor_read_lib_files',`
+ gen_require(`
+ type razor_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
+')
+
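Review bot: `razor_manage_user_home_files` is declared with `template(` but takes a single domain parameter and derives nothing from a prefix, so by refpolicy convention it should be `interface(`razor_manage_user_home_files',`; its documentation already describes only `Domain allowed access.` The summary `## read razor lib files.` should be capitalised like the surrounding summaries, and the hunk adds a trailing blank line after the final `')`.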
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.13/policy/modules/services/razor.te
--- nsaserefpolicy/policy/modules/services/razor.te 2009-01-19 11:07:32.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/razor.te 2009-05-21 09:48:24.000000000 -0400
@@ -6,6 +6,32 @@
# Declarations
#
+ifdef(`distro_redhat',`
+
+ gen_require(`
+ type spamc_t;
+ type spamc_exec_t;
+ type spamd_log_t;
+ type spamd_spool_t;
+ type spamd_var_lib_t;
+ type spamd_etc_t;
+ type spamc_home_t;
+ type spamc_tmp_t;
+ ')
+
+ typealias spamc_t alias razor_t;
+ typealias spamc_exec_t alias razor_exec_t;
+ typealias spamd_log_t alias razor_log_t;
+ typealias spamd_var_lib_t alias razor_var_lib_t;
+ typealias spamd_etc_t alias razor_etc_t;
+ typealias spamc_home_t alias razor_home_t;
+ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+ typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+
+',`
+
type razor_exec_t;
corecmd_executable_file(razor_exec_t)
@@ -102,6 +128,8 @@
manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
+auth_use_nsswitch(razor_t)
+
logging_send_syslog_msg(razor_t)
userdom_search_user_home_dirs(razor_t)
@@ -120,5 +148,7 @@
')
optional_policy(`
- nscd_socket_use(razor_t)
+ milter_manage_spamass_state(razor_t)
+')
+
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.6.13/policy/modules/services/rhgb.te
--- nsaserefpolicy/policy/modules/services/rhgb.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/rhgb.te 2009-05-21 09:48:24.000000000 -0400
@@ -118,7 +118,7 @@
xserver_domtrans(rhgb_t)
xserver_signal(rhgb_t)
xserver_read_xdm_tmp_files(rhgb_t)
-xserver_stream_connect(rhgb_t)
+xserver_common_app(rhgb_t)
optional_policy(`
consoletype_exec(rhgb_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.13/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/ricci.te 2009-05-21 09:48:24.000000000 -0400
@@ -133,6 +133,8 @@
dev_read_urand(ricci_t)
+domain_read_all_domains_state(ricci_t)
+
files_read_etc_files(ricci_t)
files_read_etc_runtime_files(ricci_t)
files_create_boot_flag(ricci_t)
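Review bot: `domain_read_all_domains_state(ricci_t)` grants read access to the /proc state of every domain on the system, and later hunks of this file flip `domain_dontaudit_read_all_domains_state` to `domain_read_all_domains_state` for `ricci_modcluster_t`, `ricci_modclusterd_t`, `ricci_modlog_t` and `ricci_modstorage_t`, and `init_dontaudit_stream_connect_script` to `init_stream_connect_script` for `ricci_t` and `ricci_modclusterd_t`. Turning a dontaudit into an allow converts a denial that was deliberately silenced as noise into a grant; a comment stating what these daemons actually read (which process information, for which feature) would justify the widening.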
@@ -140,7 +142,7 @@
auth_domtrans_chk_passwd(ricci_t)
auth_append_login_records(ricci_t)
-init_dontaudit_stream_connect_script(ricci_t)
+init_stream_connect_script(ricci_t)
locallogin_dontaudit_use_fds(ricci_t)
@@ -202,7 +204,7 @@
corecmd_exec_shell(ricci_modcluster_t)
corecmd_exec_bin(ricci_modcluster_t)
-domain_dontaudit_read_all_domains_state(ricci_modcluster_t)
+domain_read_all_domains_state(ricci_modcluster_t)
files_search_locks(ricci_modcluster_t)
files_read_etc_runtime_files(ricci_modcluster_t)
@@ -214,6 +216,8 @@
logging_send_syslog_msg(ricci_modcluster_t)
+consoletype_exec(ricci_modcluster_t)
+
miscfiles_read_localization(ricci_modcluster_t)
modutils_domtrans_insmod(ricci_modcluster_t)
@@ -229,10 +233,6 @@
')
optional_policy(`
- consoletype_exec(ricci_modcluster_t)
-')
-
-optional_policy(`
lvm_domtrans(ricci_modcluster_t)
')
@@ -287,14 +287,14 @@
corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t)
corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)
-domain_dontaudit_read_all_domains_state(ricci_modclusterd_t)
+domain_read_all_domains_state(ricci_modclusterd_t)
files_read_etc_files(ricci_modclusterd_t)
files_read_etc_runtime_files(ricci_modclusterd_t)
fs_getattr_xattr_fs(ricci_modclusterd_t)
-init_dontaudit_stream_connect_script(ricci_modclusterd_t)
+init_stream_connect_script(ricci_modclusterd_t)
locallogin_dontaudit_use_fds(ricci_modclusterd_t)
@@ -328,7 +328,7 @@
corecmd_exec_bin(ricci_modlog_t)
-domain_dontaudit_read_all_domains_state(ricci_modlog_t)
+domain_read_all_domains_state(ricci_modlog_t)
files_read_etc_files(ricci_modlog_t)
files_search_usr(ricci_modlog_t)
@@ -432,7 +432,7 @@
dev_read_urand(ricci_modstorage_t)
dev_manage_generic_blk_files(ricci_modstorage_t)
-domain_dontaudit_read_all_domains_state(ricci_modstorage_t)
+domain_read_all_domains_state(ricci_modstorage_t)
#Needed for editing /etc/fstab
files_manage_etc_files(ricci_modstorage_t)
@@ -440,6 +440,10 @@
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
+files_create_default_dir(ricci_modstorage_t)
+files_mounton_default(ricci_modstorage_t)
+files_manage_default(ricci_modstorage_t)
+
storage_raw_read_fixed_disk(ricci_modstorage_t)
term_dontaudit_use_console(ricci_modstorage_t)
@@ -452,6 +456,10 @@
modutils_read_module_deps(ricci_modstorage_t)
+consoletype_exec(ricci_modstorage_t)
+
+mount_domtrans(ricci_modstorage_t)
+
optional_policy(`
ccs_stream_connect(ricci_modstorage_t)
ccs_read_config(ricci_modstorage_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.fc serefpolicy-3.6.13/policy/modules/services/rlogin.fc
--- nsaserefpolicy/policy/modules/services/rlogin.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/rlogin.fc 2009-05-21 09:48:24.000000000 -0400
@@ -4,3 +4,5 @@
/usr/lib(64)?/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0)
/usr/sbin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+
+HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
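Review bot: The new entry labels `HOME_DIR/\.rlogin`; rlogind's per-user trust file is conventionally `~/.rhosts`, and unlike the other home entries in this patch no `/root` counterpart is added, so confirm `.rlogin` is the intended filename before this ships. The template that consumes the type in rlogin.if describes it as `.config`, which matches neither name.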
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.if serefpolicy-3.6.13/policy/modules/services/rlogin.if
--- nsaserefpolicy/policy/modules/services/rlogin.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/rlogin.if 2009-05-21 09:48:24.000000000 -0400
@@ -18,3 +18,30 @@
corecmd_search_bin($1)
domtrans_pattern($1, rlogind_exec_t, rlogind_t)
')
+
+########################################
+##
+## read rlogin homedir content (.config)
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+template(`rlogin_read_config',`
+ gen_require(`
+ type rlogind_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ list_dirs_pattern($1, rlogind_home_t, rlogind_home_t)
+ read_files_pattern($1, rlogind_home_t, rlogind_home_t)
+ read_lnk_files_pattern($1, rlogind_home_t, rlogind_home_t)
+')
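Review bot: `rlogin_read_config` is documented with two parameters (a user-domain prefix and the domain type) but its body uses only `$1` and nothing in it depends on a prefix, so it should be `interface(`rlogin_read_config',` with a single `## Domain allowed access.` parameter; the summary `## read rlogin homedir content (.config)` should also name the file rlogin.fc actually labels. Both callers in this patch (rlogin.te and rshd.te) pass a single domain, which already matches the one-parameter form. rlogin.te calls it from inside its own module; refpolicy convention there is the direct `read_files_pattern` rules rather than the module's own interface.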
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.6.13/policy/modules/services/rlogin.te
--- nsaserefpolicy/policy/modules/services/rlogin.te 2009-03-23 13:47:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/rlogin.te 2009-05-21 09:48:24.000000000 -0400
@@ -20,6 +20,9 @@
type rlogind_var_run_t;
files_pid_file(rlogind_var_run_t)
+type rlogind_home_t;
+userdom_user_home_content(rlogind_home_t)
+
########################################
#
# Local policy
@@ -79,6 +82,8 @@
logging_send_syslog_msg(rlogind_t)
+rlogin_read_config(rlogind_t)
+
miscfiles_read_localization(rlogind_t)
seutil_read_config(rlogind_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.6.13/policy/modules/services/rpcbind.te
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/rpcbind.te 2009-05-21 09:48:24.000000000 -0400
@@ -40,6 +40,8 @@
manage_sock_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
files_var_lib_filetrans(rpcbind_t, rpcbind_var_lib_t, { file dir sock_file })
+fs_list_inotifyfs(rpcbind_t)
+
kernel_read_system_state(rpcbind_t)
kernel_read_network_state(rpcbind_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.13/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/rpc.te 2009-05-21 09:48:24.000000000 -0400
@@ -23,7 +23,7 @@
gen_tunable(allow_nfsd_anon_write, false)
type exports_t;
-files_type(exports_t)
+files_config_file(exports_t)
rpc_domain_template(gssd)
@@ -69,15 +69,22 @@
kernel_read_sysctl(rpcd_t)
kernel_rw_fs_sysctls(rpcd_t)
kernel_dontaudit_getattr_core_if(rpcd_t)
+kernel_signal(rpcd_t)
corecmd_exec_bin(rpcd_t)
files_manage_mounttab(rpcd_t)
+files_getattr_all_dirs(rpcd_t)
+fs_list_inotifyfs(rpcd_t)
fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
fs_read_rpc_symlinks(rpcd_t)
fs_rw_rpc_sockets(rpcd_t)
+fs_get_all_fs_quotas(rpcd_t)
+fs_getattr_all_fs(rpcd_t)
+
+storage_getattr_fixed_disk_dev(rpcd_t)
selinux_dontaudit_read_fs(rpcd_t)
@@ -85,10 +92,17 @@
seutil_dontaudit_search_config(rpcd_t)
+userdom_signal_unpriv_users(rpcd_t)
+
optional_policy(`
nis_read_ypserv_config(rpcd_t)
')
+optional_policy(`
+ unconfined_execmem_signal(rpcd_t)
+ unconfined_signal(rpcd_t)
+')
+
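Review bot: `userdom_signal_unpriv_users(rpcd_t)`, `unconfined_signal(rpcd_t)` and `unconfined_execmem_signal(rpcd_t)` let the rpc daemons signal arbitrary unprivileged-user and unconfined processes, and `kernel_signal(rpcd_t)` in the previous hunk extends that to kernel threads; none of the four carries a comment saying which daemon needs it or for what. The lock-recovery notification path is a plausible trigger, but that is a guess; a one-line comment above the block such as `# <daemon>: signals <which processes> on <event> -- TODO confirm` (placeholders to be filled in) would make the grant reviewable and let it be narrowed later.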
########################################
#
# NFSD local policy
@@ -116,8 +130,9 @@
# for exportfs and rpc.mountd
files_getattr_tmp_dirs(nfsd_t)
# cjp: this should really have its own type
-files_manage_mounttab(rpcd_t)
+files_manage_mounttab(nfsd_t)
+fs_list_inotifyfs(nfsd_t)
fs_mount_nfsd_fs(nfsd_t)
fs_search_nfsd_fs(nfsd_t)
fs_getattr_all_fs(nfsd_t)
@@ -125,6 +140,7 @@
fs_rw_nfsd_fs(nfsd_t)
storage_dontaudit_read_fixed_disk(nfsd_t)
+storage_raw_read_removable_device(nfsd_t)
# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
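Review bot: `storage_raw_read_removable_device(nfsd_t)` grants unconditional raw read access to removable block devices, while the fixed-disk access on the line above it remains only a dontaudit. If nfsd needs this only when a device node is exported, it belongs under the export tunables (the `nfs_export_all_ro` block below already gates `dev_getattr_all_blk_files(nfsd_t)`); otherwise a comment explaining the need would help.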
@@ -141,6 +157,7 @@
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
')
+userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
tunable_policy(`nfs_export_all_ro',`
dev_getattr_all_blk_files(nfsd_t)
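Review bot: `userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })` is placed directly after the `')` that closes the preceding tunable block, so it applies unconditionally — nfsd gets the home-content file transition even when exports are read-only. If it belongs to the read-write export case, it should move inside that block (presumably the `nfs_export_all_rw` tunable, whose start is outside the hunk) above the `')`; either way a blank line between `')` and the new rule matches the file's layout.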
@@ -175,6 +192,7 @@
corecmd_exec_bin(gssd_t)
+fs_list_inotifyfs(gssd_t)
fs_list_rpc(gssd_t)
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
@@ -183,9 +201,12 @@
files_read_usr_symlinks(gssd_t)
auth_use_nsswitch(gssd_t)
+auth_manage_cache(gssd_t)
miscfiles_read_certs(gssd_t)
+mount_signal(gssd_t)
+
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_user_tmp(gssd_t)
userdom_read_user_tmp_files(gssd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.6.13/policy/modules/services/rshd.te
--- nsaserefpolicy/policy/modules/services/rshd.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/rshd.te 2009-05-21 09:48:24.000000000 -0400
@@ -51,7 +51,7 @@
files_list_home(rshd_t)
files_read_etc_files(rshd_t)
-files_search_tmp(rshd_t)
+files_manage_generic_tmp_dirs(rshd_t)
auth_login_pgm_domain(rshd_t)
auth_write_login_records(rshd_t)
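Review bot: `files_manage_generic_tmp_dirs(rshd_t)` replaces a search-only grant with create/write/delete on every `tmp_t` directory, for a daemon that accepts unauthenticated network connections, and the hunk gives no reason. If the need is a per-session directory, a dedicated `rshd_tmp_t` with `files_tmp_file()` and `files_tmp_filetrans(rshd_t, rshd_tmp_t, dir)` confines it to that directory; otherwise a comment naming the triggering denial is the minimum.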
@@ -84,6 +84,10 @@
')
optional_policy(`
+ rlogin_read_config(rshd_t)
+')
+
+optional_policy(`
tcpd_wrapped_domain(rshd_t, rshd_exec_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.13/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2009-03-23 13:47:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/rsync.te 2009-05-21 09:48:24.000000000 -0400
@@ -8,6 +8,13 @@
##
##
+## Allow rsync to run as a client
+##
+##
+gen_tunable(rsync_client, false)
+
+##
+##
## Allow rsync to export any files/directories read only.
##
##
@@ -124,4 +131,12 @@
auth_read_all_symlinks_except_shadow(rsync_t)
auth_tunable_read_shadow(rsync_t)
')
+
+tunable_policy(`rsync_client',`
+ corenet_tcp_connect_rsync_port(rsync_t)
+ manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
+ manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+ manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+')
+
auth_can_read_shadow_passwords(rsync_t)
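Review bot: The `rsync_client` tunable is documented as `## Allow rsync to run as a client`, but the `tunable_policy` block also grants `manage_dirs_pattern`/`manage_files_pattern`/`manage_lnk_files_pattern` on `rsync_data_t` — write access to the exported data, which neither "client" nor the read-only export tunable described above it implies. The description in the earlier hunk should say so, e.g. `## Allow rsync to run as a client and to modify rsync_data_t content`, or the write rules should be split out under their own tunable.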
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.13/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/samba.fc 2009-05-21 09:48:24.000000000 -0400
@@ -2,6 +2,9 @@
#
# /etc
#
+/etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0)
/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
@@ -15,6 +18,7 @@
/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
@@ -47,3 +51,7 @@
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+
+ifndef(`enable_mls',`
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
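Review bot: Everything under /var/lib/samba/scripts is labelled samba_unconfined_script_exec_t, and samba_admin in samba.if grants admin_pattern on that type, so anyone who can write into that directory can add a script that runs in the unconfined script domain (presumably via the smbd_t domtrans set up by samba_helper_template); the file context carries no hint of that. Suggest a comment above the ifndef, e.g. `# Scripts here run unconfined when launched by smbd; keep this directory root-owned and never writable by share users.` The ifndef(`enable_mls') guard leaves these paths with the parent label on MLS builds; a second comment line stating why would stop someone from "fixing" that later.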
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.13/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/samba.if 2009-05-21 09:48:24.000000000 -0400
@@ -4,6 +4,45 @@
## from Windows NT servers.
##
+
+########################################
+##
+## Execute smbd net in the smbd_t domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`samba_domtrans_smb',`
+ gen_require(`
+ type smbd_t, smbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, smbd_exec_t, smbd_t)
+')
+
+########################################
+##
+## Execute nmbd net in the nmbd_t domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`samba_domtrans_nmb',`
+ gen_require(`
+ type nmbd_t, nmbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, nmbd_exec_t, nmbd_t)
+')
+
########################################
##
## Execute samba net in the samba_net domain.
@@ -25,6 +64,25 @@
########################################
##
+## Execute samba net in the samba_unconfined_net domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`samba_domtrans_unconfined_net',`
+ gen_require(`
+ type samba_unconfined_net_t, samba_net_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t)
+')
+
+########################################
+##
## Execute samba net in the samba_net domain, and
## allow the specified role the samba_net domain.
##
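Review bot: samba_domtrans_unconfined_net keys on the same entry type, samba_net_exec_t, as samba_domtrans_net but transitions to samba_unconfined_net_t, so a domain given both interfaces would carry two type_transition rules for the same source and exec type, which the policy compiler rejects as a conflict. Document the exclusivity, e.g. `## Callers must not also use samba_domtrans_net(): both key on samba_net_exec_t and the transitions would conflict.` The summary should also say plainly that the target domain is unconfined, so the interface is only handed to roles that are already unconfined, if that is the intent.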
@@ -49,6 +107,50 @@
role $2 types samba_net_t;
')
+#######################################
+##
+## The role for the samba module.
+##
+##
+##
+## The role to be allowed the samba_net domain.
+##
+##
+#
+template(`samba_role_notrans',`
+ gen_require(`
+ type smbd_t;
+ ')
+
+ role $1 types smbd_t;
+')
+
+########################################
+##
+## Execute samba net in the samba_unconfined_net domain, and
+## allow the specified role the samba_unconfined_net domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+##
+## The role to be allowed the samba_unconfined_net domain.
+##
+##
+##
+#
+interface(`samba_run_unconfined_net',`
+ gen_require(`
+ type samba_unconfined_net_t;
+ ')
+
+ samba_domtrans_unconfined_net($1)
+ role $2 types samba_unconfined_net_t;
+')
+
########################################
##
## Execute smbmount in the smbmount domain.
@@ -138,6 +240,28 @@
########################################
##
+## Allow the specified domain to read
+## and write samba configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`samba_manage_config',`
+ gen_require(`
+ type samba_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, samba_etc_t, samba_etc_t)
+ manage_files_pattern($1, samba_etc_t, samba_etc_t)
+')
+
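Review bot: The summary says "read and write samba configuration files" but manage_dirs_pattern/manage_files_pattern also grant create, unlink, rename and setattr, so the wording understates what callers receive; suggest `## Create, read, write and delete samba configuration files and directories (samba_etc_t).` Since samba.fc labels /etc/samba/secrets.tdb, passdb.tdb and MACHINE.SID as samba_secrets_t, this interface deliberately does not reach the secrets; a line saying so in the description would stop someone from adding samba_secrets_t here to silence a denial.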
+########################################
+##
## Allow the specified domain to read samba's log files.
##
##
@@ -281,6 +405,25 @@
########################################
##
+## dontaudit the specified domain to
+## write samba /var files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`samba_dontaudit_write_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ dontaudit $1 samba_var_t:file write;
+')
+
+########################################
+##
## Allow the specified domain to
## read and write samba /var files.
##
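Review bot: The parameter text of samba_dontaudit_write_var_files says "Domain allowed access." although the interface grants nothing; the usual refpolicy wording for a dontaudit is `## Domain to not audit.` The summary should also note that only the file class is silenced, not dirs or symlinks, given that samba_var_t covers the whole /var/spool/samba tree in samba.fc.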
@@ -298,6 +441,7 @@
files_search_var($1)
files_search_var_lib($1)
manage_files_pattern($1, samba_var_t, samba_var_t)
+ manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
')
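Review bot: The added manage_lnk_files_pattern extends an interface whose header and summary ("read and write samba /var files", visible as context in the previous hunk) lie outside this hunk, so the description no longer matches what is granted: callers can now create and delete symlinks inside samba_var_t too. Update the summary, e.g. `## Create, read, write and delete samba /var files and symlinks.`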
########################################
@@ -370,6 +514,7 @@
')
domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
+ allow $1 winbind_helper_t:process signal;
')
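Review bot: The new `allow $1 winbind_helper_t:process signal;` lands inside an interface whose header is outside the hunk, and nothing records why a caller that transitions into the helper also needs to signal it. A why-comment such as `# callers may need to signal (e.g. terminate) the helper they spawned — confirm this is the motivating case` plus a matching sentence in the interface summary would keep it from looking like a stray allow. Note that `signal` covers every signal that lacks its own permission (sigkill, sigstop, sigchld and signull are separate), so if a narrower permission suffices it should be preferred.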
########################################
@@ -447,3 +592,202 @@
stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
')
')
+
+########################################
+##
+## Create a set of derived types for apache
+## web content.
+##
+##
+##
+## The prefix to be used for deriving type names.
+##
+##
+#
+template(`samba_helper_template',`
+ gen_require(`
+ type smbd_t;
+ ')
+ #This type is for samba helper scripts
+ type samba_$1_script_t;
+ domain_type(samba_$1_script_t)
+ role system_r types samba_$1_script_t;
+
+ # This type is used for executable scripts files
+ type samba_$1_script_exec_t;
+ corecmd_shell_entry_type(samba_$1_script_t)
+ domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t)
+
+ domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
+ allow smbd_t samba_$1_script_exec_t:file ioctl;
+
+')
+
+########################################
+##
+## Allow the specified domain to read samba's shares
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`samba_read_share_files',`
+ gen_require(`
+ type samba_share_t;
+ ')
+
+ allow $1 samba_share_t:filesystem getattr;
+ read_files_pattern($1, samba_share_t, samba_share_t)
+')
+
+########################################
+##
+## Execute a domain transition to run smbcontrol.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`samba_domtrans_smbcontrol',`
+ gen_require(`
+ type smbcontrol_t;
+ type smbcontrol_exec_t;
+ ')
+
+ domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
+')
+
+
+########################################
+##
+## Execute smbcontrol in the smbcontrol domain, and
+## allow the specified role the smbcontrol domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the smbcontrol domain.
+##
+##
+#
+interface(`samba_run_smbcontrol',`
+ gen_require(`
+ type smbcontrol_t;
+ ')
+
+ samba_domtrans_smbcontrol($1)
+ role $2 types smbcontrol_t;
+')
+
+########################################
+##
+## Execute samba server in the samba domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`samba_initrc_domtrans',`
+ gen_require(`
+ type samba_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, samba_initrc_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an samba environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the samba domain.
+##
+##
+##
+#
+interface(`samba_admin',`
+ gen_require(`
+ type nmbd_t, nmbd_var_run_t;
+ type smbd_t, smbd_tmp_t;
+ type smbd_initrc_exec_t;
+ type smbd_spool_t, smbd_var_run_t;
+
+ type samba_log_t, samba_var_t;
+ type samba_etc_t, samba_share_t;
+ type samba_secrets_t;
+
+ type swat_var_run_t, swat_tmp_t;
+
+ type winbind_var_run_t, winbind_tmp_t;
+ type winbind_log_t;
+
+ type samba_unconfined_script_t, samba_unconfined_script_exec_t;
+ type samba_initrc_exec_t;
+ ')
+
+ allow $1 smbd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, smbd_t)
+
+ allow $1 nmbd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nmbd_t)
+
+ allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t)
+
+ samba_run_smbcontrol($1, $2, $3)
+ samba_run_winbind_helper($1, $2, $3)
+ samba_run_smbmount($1, $2, $3)
+ samba_run_net($1, $2, $3)
+
+ init_labeled_script_domtrans($1, samba_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 samba_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, smbd_tmp_t)
+ admin_pattern($1, swat_tmp_t)
+ admin_pattern($1, winbind_tmp_t)
+
+ admin_pattern($1, samba_secrets_t)
+
+ files_list_etc($1)
+ admin_pattern($1, samba_etc_t)
+
+ admin_pattern($1, samba_share_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, samba_log_t)
+ admin_pattern($1, winbind_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, smbd_spool_t)
+
+ files_list_var($1)
+ admin_pattern($1, samba_var_t)
+
+ files_list_pids($1)
+ admin_pattern($1, smbd_var_run_t)
+ admin_pattern($1, nmbd_var_run_t)
+ admin_pattern($1, swat_var_run_t)
+ admin_pattern($1, winbind_var_run_t)
+ admin_pattern($1, samba_unconfined_script_exec_t)
+')
+
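Review bot: samba_admin's gen_require lists `type smbd_initrc_exec_t;` but no rule in the body uses it (the init-script transition is on samba_initrc_exec_t, which is required separately), so it should be dropped; if that type is not declared in samba.te the whole interface fails to expand for every caller. The four samba_run_*($1, $2, $3) calls pass a third argument, while samba_run_smbcontrol defined in this same hunk takes only two — m4 silently ignores the extra, but it should read `samba_run_smbcontrol($1, $2)`. samba_domtrans_smbcontrol omits the `corecmd_search_bin($1)` that samba_domtrans_smb, _nmb and _unconfined_net include, and samba_helper_template's summary "Create a set of derived types for apache web content" is a copy-paste; it actually creates the samba_$1_script_t/_exec_t pair that smbd_t transitions into. Finally `admin_pattern($1, samba_unconfined_script_exec_t)` lets the admin role install scripts that run unconfined, which deserves a comment on that line for anyone auditing the role.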
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.13/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.13/policy/modules/services/samba.te 2009-05-21 09:48:24.000000000 -0400
@@ -66,6 +66,13 @@
##
gen_tunable(samba_share_nfs, false)
+##