##
@@ -276,9 +274,9 @@
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
ifdef(`targeted_policy',`
- unconfined_domain(xdm_t)
+# unconfined_domain(xdm_t)
unconfined_domtrans(xdm_t)
- userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })
+# userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
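Review bot: The two calls disabled in this targeted_policy block, `unconfined_domain(xdm_t)` and the home-directory filetrans call, are left as commented-out lines with no explanation, and the later hunk does the same to `unconfined_domain_noaudit(xdm_xserver_t)`. Delete them, or replace each with a real comment such as `# xdm_t is no longer unconfined under targeted policy`, so nobody re-enables them by accident. `unconfined_domtrans(xdm_t)` is kept, so the comment should also say that the transition into the unconfined domain is still intended. The ifdef block continues outside the hunk.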
@@ -321,6 +319,8 @@
optional_policy(`
consolekit_dbus_chat(xdm_t)
+ dbus_system_bus_client_template(xdm, xdm_t)
+ dbus_send_system_bus(xdm_t)
')
optional_policy(`
@@ -427,7 +427,7 @@
')
ifdef(`targeted_policy',`
- unconfined_domain_noaudit(xdm_xserver_t)
+# unconfined_domain_noaudit(xdm_xserver_t)
unconfined_domtrans(xdm_xserver_t)
ifndef(`distro_redhat',`
@@ -449,28 +449,6 @@
')
ifdef(`TODO',`
-# Need to further investigate these permissions and
-# perhaps define derived types.
-allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink };
-allow xdm_t var_lib_t:file { create write unlink };
-
-# Do not audit attempts to write to index files under /usr
-dontaudit xdm_t usr_t:file write;
-
-ifdef(`rhgb.te', `
-allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
-allow xdm_xserver_t ramfs_t:file manage_file_perms;
-allow rhgb_t xdm_xserver_t:process signal;
-')
-
-tunable_policy(`allow_polyinstantiation',`
-# xdm needs access for linking .X11-unix to poly /tmp
-allow xdm_t polymember:dir { add_name remove_name write };
-allow xdm_t polymember:lnk_file { create unlink };
-# xdm needs access for copying .Xauthority into new home
-allow xdm_t polymember:file { create getattr write };
-')
-
#
# Wants to delete .xsession-errors file
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.fc serefpolicy-2.6.5/policy/modules/system/application.fc
--- nsaserefpolicy/policy/modules/system/application.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.6.5/policy/modules/system/application.fc 2007-05-22 14:41:13.000000000 -0400
@@ -0,0 +1 @@
+# No application file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-2.6.5/policy/modules/system/application.if
--- nsaserefpolicy/policy/modules/system/application.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.6.5/policy/modules/system/application.if 2007-05-22 14:41:13.000000000 -0400
@@ -0,0 +1,104 @@
+## Policy for application domains
+
+########################################
+##
+## Make the specified type usable as an application domain.
+##
+##
+##
+## Type to be used as a domain type.
+##
+##
+#
+interface(`application_type',`
+ gen_require(`
+ attribute application_domain_type;
+ ')
+
+ typeattribute $1 application_domain_type;
+
+ # start with basic domain
+ domain_type($1)
+')
+
+########################################
+##
+## Make the specified type usable for files
+## that are exectuables, such as binary programs.
+## This does not include shared libraries.
+##
+##
+##
+## Type to be used for files.
+##
+##
+#
+interface(`application_executable_file',`
+ gen_require(`
+ attribute application_exec_type;
+ ')
+
+ typeattribute $1 application_exec_type;
+
+ corecmd_executable_file($1)
+')
+
+########################################
+##
+## Execute application executables in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`application_exec',`
+ gen_require(`
+ attribute application_exec_type;
+ ')
+
+ can_exec($1, application_exec_type)
+')
+
+########################################
+##
+## Execute all executable files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`application_exec_all',`
+ # Need this dontaudit or command completion fires hundreds of avcs
+ corecmd_dontaudit_exec_all_executables($1)
+ corecmd_exec_bin($1)
+ corecmd_exec_shell($1)
+ corecmd_exec_chroot($1)
+ application_exec($1)
+')
+
+########################################
+##
+## Create a domain which can be started by users
+##
+##
+##
+## Type to be used as a domain.
+##
+##
+##
+##
+## Type of the program to be used as an entry point to this domain.
+##
+##
+#
+interface(`application_domain',`
+
+ application_type($1)
+ application_executable_file($2)
+ domain_entry_file($1,$2)
+')
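Review bot: The summary of `application_exec_all` ("Execute all executable files.") does not match its body, which calls `corecmd_dontaudit_exec_all_executables($1)` and then allows only bin, shell, chroot and `application_exec_type` execution. Judging by the macro name, the first call suppresses audit records for denied exec attempts on every other executable type, so those denials will also be missing from the audit log an analyst reads. I would reword the summary to something like `Execute generic and application executables; do not audit attempts to execute other executable types.` and keep the existing why-comment. Separately, the `application_executable_file` header has a typo, `exectuables`.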
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-2.6.5/policy/modules/system/application.te
--- nsaserefpolicy/policy/modules/system/application.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.6.5/policy/modules/system/application.te 2007-05-22 14:41:13.000000000 -0400
@@ -0,0 +1,14 @@
+
+policy_module(application,1.0.0)
+
+# Attribute of user applications
+attribute application_domain_type;
+
+# Executables to be run by user
+attribute application_exec_type;
+
+optional_policy(`
+ ssh_sigchld(application_domain_type)
+ ssh_rw_stream_sockets(application_domain_type)
+')
+
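Review bot: The `optional_policy` block applies `ssh_sigchld` and `ssh_rw_stream_sockets` to the whole `application_domain_type` attribute with no comment, so every domain later declared through `application_type` or `application_domain` inherits them. Judging by the interface names this is meant for applications started from an ssh session, but the file does not say so. A one-line comment above the block, e.g. `# applications started over ssh inherit sshd sockets and signal it on exit`, would make the intent reviewable. If only some applications need this, granting it per domain would be narrower.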
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-2.6.5/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2006-11-16 17:15:24.000000000 -0500
+++ serefpolicy-2.6.5/policy/modules/system/authlogin.fc 2007-05-22 14:41:13.000000000 -0400
@@ -14,6 +14,7 @@
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
ifdef(`distro_suse', `
/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.6.5/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-03-26 10:39:07.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/authlogin.if 2007-05-24 15:13:17.000000000 -0400
@@ -27,11 +27,9 @@
domain_type($1_chkpwd_t)
domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
- allow $1_chkpwd_t self:capability { audit_control setuid };
+ allow $1_chkpwd_t self:capability { dac_override setuid };
allow $1_chkpwd_t self:process getattr;
- send_audit_msgs_pattern($1_chkpwd_t)
-
files_list_etc($1_chkpwd_t)
allow $1_chkpwd_t shadow_t:file { getattr read };
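Review bot: `dac_override` is added to `$1_chkpwd_t` in the capability rule without a comment, and it lets the helper bypass discretionary read, write and execute checks on any file its type rules reach. The only file access visible here is `getattr read` on `shadow_t`, so if the need is reading a root-owned shadow file the narrower capability would do: `allow $1_chkpwd_t self:capability { dac_read_search setuid };`. If the write bypass really is required, a comment naming the operation would help. The template body starts and ends outside this hunk.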
@@ -53,6 +51,7 @@
libs_use_shared_libs($1_chkpwd_t)
logging_send_syslog_msg($1_chkpwd_t)
+ logging_send_audit_msg($1_chkpwd_t)
miscfiles_read_localization($1_chkpwd_t)
@@ -109,7 +108,7 @@
role $3 types system_chkpwd_t;
# cjp: is this really needed?
- allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+ logging_send_audit_msg($2)
dontaudit $2 shadow_t:file { getattr read };
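Review bot: Replacing the explicit netlink rule with `logging_send_audit_msg($2)` gives `$2` more than the removed line did. As defined in the logging.if part of this patch, the interface also adds the `can_send_audit_msg` attribute, `self:capability audit_write` and `nlmsg_read`. The `# cjp: is this really needed?` comment above it is kept, so the open question now sits over a broader grant. Either resolve it and drop the comment, or update it, e.g. `# cjp: is this really needed? also grants audit_write`. The enclosing template starts and ends outside the hunk.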
@@ -152,21 +151,12 @@
##
#
template(`auth_domtrans_user_chk_passwd',`
- ifdef(`targeted_policy',`
- gen_require(`
- type system_chkpwd_t, chkpwd_exec_t;
- ')
-
- corecmd_search_bin($2)
- domtrans_pattern($2,chkpwd_exec_t,system_chkpwd_t)
- ',`
- gen_require(`
- type $1_chkpwd_t, chkpwd_exec_t;
- ')
-
- corecmd_search_bin($2)
- domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t)
+ gen_require(`
+ type $1_chkpwd_t, chkpwd_exec_t;
')
+
+ corecmd_search_bin($2)
+ domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t)
')
########################################
@@ -180,6 +170,9 @@
##
#
interface(`auth_login_pgm_domain',`
+ gen_require(`
+ attribute keyring_type;
+ ')
domain_type($1)
domain_subj_id_change_exemption($1)
@@ -187,6 +180,12 @@
domain_obj_id_change_exemption($1)
role system_r types $1;
+ auth_keyring_domain($1)
+ allow $1 keyring_type:key { search link };
+
+ logging_send_audit_msg($1)
+ logging_set_loginuid($1)
+
# for SSP/ProPolice
dev_read_urand($1)
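Review bot: The added `allow $1 keyring_type:key { search link };` in `auth_login_pgm_domain` repeats the body of `auth_search_key`, which this same patch adds further down in authlogin.if. Calling `auth_search_key($1)` here would keep the key permissions in one place and would make the `gen_require` for `keyring_type` added in the previous hunk unnecessary. The interface body continues outside this hunk.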
@@ -211,9 +210,11 @@
auth_read_login_records($1)
auth_append_login_records($1)
auth_rw_lastlog($1)
- auth_append_faillog($1)
+ auth_rw_faillog($1)
auth_exec_pam($1)
+ auth_domtrans_upd_passwd($1)
+
init_rw_utmp($1)
logging_send_syslog_msg($1)
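Review bot: `auth_append_faillog($1)` becomes `auth_rw_faillog($1)` for every login program domain with no comment. Judging by the interface names, this widens access to the failed-login record from append-only to read and rewrite. Append-only access keeps a misbehaving login program from clearing earlier failure entries, so the reason for the wider grant should be recorded next to the call. If the reason is resetting the counter after a successful login, something like `# login programs reset the failure count on success` would do; otherwise state the actual need. The interface body starts and ends outside the hunk.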
@@ -221,6 +222,7 @@
seutil_read_config($1)
seutil_read_default_contexts($1)
+
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all($1)
')
@@ -320,10 +322,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
- # cjp: is this really needed?
- allow $1 self:capability audit_control;
- send_audit_msgs_pattern($1)
-
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
@@ -357,6 +355,37 @@
########################################
##
+## Execute chkpwd programs in the chkpwd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to allow the updpwd domain.
+##
+##
+##
+##
+## The type of the terminal allow the updpwd domain to use.
+##
+##
+#
+interface(`auth_run_chk_passwd',`
+ gen_require(`
+ type system_chkpwd_t;
+ ')
+
+ auth_domtrans_chk_passwd($1)
+ role $2 types system_chkpwd_t;
+ allow system_chkpwd_t $3:chr_file rw_file_perms;
+
+')
+
+########################################
+##
## Get the attributes of the shadow passwords file.
##
##
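Review bot: The parameter documentation of the new `auth_run_chk_passwd` is copied from the updpwd interface: the role and terminal descriptions both say "updpwd domain" although the body uses `system_chkpwd_t`. They should read `The role to allow the chkpwd domain.` and `The type of the terminal to allow the chkpwd domain to use.`. The blank line before the closing quote of the interface can go as well.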
@@ -1391,3 +1420,114 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
+
+########################################
+##
+## read login keyrings.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_read_key',`
+ gen_require(`
+ attribute keyring_type;
+ ')
+
+ allow $1 keyring_type:key { read search view };
+')
+
+########################################
+##
+## search login keyrings.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_search_key',`
+ gen_require(`
+ attribute keyring_type;
+ ')
+
+ allow $1 keyring_type:key { search link };
+')
+
+
+
+########################################
+##
+## Make the specified domain a keyring domain
+##
+##
+##
+## Domain type used for a login program domain.
+##
+##
+#
+interface(`auth_keyring_domain',`
+ gen_require(`
+ attribute keyring_type;
+ ')
+
+ typeattribute $1 keyring_type;
+')
+
+########################################
+##
+## Execute a domain transition to run unix_update.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`auth_domtrans_upd_passwd',`
+ gen_require(`
+ type updpwd_t, updpwd_exec_t;
+ ')
+
+ domain_auto_trans($1,updpwd_exec_t,updpwd_t)
+ allow updpwd_t $1:fd use;
+ allow updpwd_t $1:fifo_file rw_file_perms;
+ allow updpwd_t $1:process sigchld;
+ auth_dontaudit_read_shadow($1)
+
+')
+
+########################################
+##
+## Execute updpwd programs in the updpwd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to allow the updpwd domain.
+##
+##
+##
+##
+## The type of the terminal allow the updpwd domain to use.
+##
+##
+#
+interface(`auth_run_upd_passwd',`
+ gen_require(`
+ type updpwd_t;
+ ')
+
+ auth_domtrans_upd_passwd($1)
+ role $2 types updpwd_t;
+ allow updpwd_t $3:chr_file rw_file_perms;
+ auth_dontaudit_read_shadow($1)
+')
+
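Review bot: `auth_search_key` is documented as "search login keyrings" but its rule is `allow $1 keyring_type:key { search link };`, so callers also receive `link`, which lets them attach those keys to a keyring of their own. Either drop `link` from the rule or say so in the summary, e.g. `Search and link login keyrings.`. In the same hunk, `auth_run_upd_passwd` calls `auth_dontaudit_read_shadow($1)` although `auth_domtrans_upd_passwd($1)` two lines above it already does. `auth_domtrans_upd_passwd` also spells out the transition by hand where the other transition interfaces visible in this file use `corecmd_search_bin` plus `domtrans_pattern`.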
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.6.5/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-04-30 10:41:38.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/authlogin.te 2007-05-24 15:01:06.000000000 -0400
@@ -9,6 +9,13 @@
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;
+attribute keyring_type;
+
+type updpwd_t;
+type updpwd_exec_t;
+domain_type(updpwd_t)
+domain_entry_file(updpwd_t,updpwd_exec_t)
+role system_r types updpwd_t;
type chkpwd_exec_t;
corecmd_executable_file(chkpwd_exec_t)
@@ -244,7 +251,6 @@
optional_policy(`
xserver_read_xdm_pid(pam_console_t)
- xserver_use_xdm_fds(pam_t)
')
########################################
@@ -252,12 +258,16 @@
# System check password local policy
#
+logging_send_audit_msg(system_chkpwd_t)
+
allow system_chkpwd_t shadow_t:file { getattr read };
corecmd_search_bin(system_chkpwd_t)
domain_dontaudit_use_interactive_fds(system_chkpwd_t)
+selinux_get_fs_mount(system_chkpwd_t)
+
term_dontaudit_use_unallocated_ttys(system_chkpwd_t)
term_dontaudit_use_generic_ptys(system_chkpwd_t)
@@ -305,3 +315,30 @@
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
+
+########################################
+#
+# updpwd local policy
+#
+
+allow updpwd_t self:process setfscreate;
+allow updpwd_t self:fifo_file { read write };
+allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
+allow updpwd_t self:unix_dgram_socket create_socket_perms;
+
+files_read_etc_files(updpwd_t)
+libs_use_ld_so(updpwd_t)
+libs_use_shared_libs(updpwd_t)
+miscfiles_read_localization(updpwd_t)
+
+auth_manage_shadow(updpwd_t)
+term_dontaudit_use_console(updpwd_t)
+term_dontaudit_use_console(updpwd_t)
+term_dontaudit_use_unallocated_ttys(updpwd_t)
+files_manage_etc_files(updpwd_t)
+kernel_read_system_state(updpwd_t)
+logging_send_syslog_msg(updpwd_t)
+
+optional_policy(`
+ nscd_socket_use(updpwd_t)
+')
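Review bot: `files_manage_etc_files(updpwd_t)` in the updpwd local policy gives the helper management of generic /etc files (judging by the interface name) on top of `auth_manage_shadow(updpwd_t)`, and nothing says why a shadow-updating helper needs it. If it is only for temporary or lock files created next to the shadow file, a comment saying so, or a dedicated type for those files, would keep the domain's write access reviewable. It likely also makes the earlier `files_read_etc_files(updpwd_t)` redundant. `term_dontaudit_use_console(updpwd_t)` appears twice in a row; one copy can be removed.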
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.te serefpolicy-2.6.5/policy/modules/system/clock.te
--- nsaserefpolicy/policy/modules/system/clock.te 2007-04-23 09:36:02.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/clock.te 2007-05-22 14:41:13.000000000 -0400
@@ -26,8 +26,6 @@
allow hwclock_t self:process signal_perms;
allow hwclock_t self:fifo_file { getattr read write };
-send_audit_msgs_pattern(hwclock_t)
-
# Allow hwclock to store & retrieve correction factors.
allow hwclock_t adjtime_t:file { rw_file_perms setattr };
@@ -61,6 +59,7 @@
libs_use_shared_libs(hwclock_t)
logging_send_syslog_msg(hwclock_t)
+logging_send_audit_msg(hwclock_t)
miscfiles_read_localization(hwclock_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-2.6.5/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2006-11-16 17:15:24.000000000 -0500
+++ serefpolicy-2.6.5/policy/modules/system/fstools.fc 2007-05-22 14:41:13.000000000 -0400
@@ -19,7 +19,6 @@
/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.6.5/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2007-04-23 09:36:02.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/fstools.te 2007-05-22 14:41:13.000000000 -0400
@@ -9,6 +9,7 @@
type fsadm_t;
type fsadm_exec_t;
init_system_domain(fsadm_t,fsadm_exec_t)
+application_executable_file(fsadm_exec_t)
role system_r types fsadm_t;
type fsadm_log_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.fc serefpolicy-2.6.5/policy/modules/system/fusermount.fc
--- nsaserefpolicy/policy/modules/system/fusermount.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.6.5/policy/modules/system/fusermount.fc 2007-05-22 14:41:13.000000000 -0400
@@ -0,0 +1,6 @@
+# fusermount executable will have:
+# label: system_u:object_r:fusermount_exec_t
+# MLS sensitivity: s0
+# MCS categories:
+
+/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.if serefpolicy-2.6.5/policy/modules/system/fusermount.if
--- nsaserefpolicy/policy/modules/system/fusermount.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.6.5/policy/modules/system/fusermount.if 2007-05-22 14:41:13.000000000 -0400
@@ -0,0 +1,41 @@
+## policy for fusermount
+
+########################################
+##
+## Execute a domain transition to run fusermount.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`fusermount_domtrans',`
+ gen_require(`
+ type fusermount_t, fusermount_exec_t;
+ ')
+
+ domain_auto_trans($1,fusermount_exec_t,fusermount_t)
+
+ allow fusermount_t $1:fd use;
+ allow fusermount_t $1:fifo_file rw_file_perms;
+ allow fusermount_t $1:process sigchld;
+')
+
+########################################
+##
+## Inherit and use file descriptors from fusermount.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fusermount_use_fds',`
+ gen_require(`
+ type fusermount_t;
+ ')
+
+ allow $1 fusermount_t:fd use;
+')
\ No newline at end of file
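Review bot: fusermount.if ends without a trailing newline, as the `\ No newline at end of file` marker after the close of `fusermount_use_fds` shows. If the build concatenates interface files before running m4, the first line of the next file would be joined to that closing line; adding the final newline avoids this however the files are combined. `fusermount_domtrans` could also use `domtrans_pattern($1,fusermount_exec_t,fusermount_t)` in place of its four hand-written rules, as the transition interfaces elsewhere in this patch do.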
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.te serefpolicy-2.6.5/policy/modules/system/fusermount.te
--- nsaserefpolicy/policy/modules/system/fusermount.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.6.5/policy/modules/system/fusermount.te 2007-05-22 14:41:13.000000000 -0400
@@ -0,0 +1,51 @@
+policy_module(fusermount,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type fusermount_t;
+type fusermount_exec_t;
+application_domain(fusermount_t, fusermount_exec_t)
+role system_r types fusermount_t;
+
+########################################
+#
+# fusermount local policy
+#
+allow fusermount_t self:capability sys_admin;
+allow fusermount_t self:fifo_file { read write };
+allow fusermount_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(fusermount_t)
+
+libs_use_ld_so(fusermount_t)
+libs_use_shared_libs(fusermount_t)
+
+miscfiles_read_localization(fusermount_t)
+
+files_manage_etc_runtime_files(fusermount_t)
+files_etc_filetrans_etc_runtime(fusermount_t,file)
+files_mounton_all_mountpoints(fusermount_t)
+
+fs_mount_fusefs(fusermount_t)
+
+storage_raw_read_fixed_disk(fusermount_t)
+storage_raw_write_fixed_disk(fusermount_t)
+
+optional_policy(`
+ hal_write_log(fusermount_t)
+ hal_use_fds(fusermount_t)
+ hal_rw_pipes(fusermount_t)
+')
+
+optional_policy(`
+ mount_ntfs_rw_stream_sockets(fusermount_t)
+')
+
+ifdef(`targeted_policy',`
+ term_use_generic_ptys(fusermount_t)
+ term_use_console(fusermount_t)
+')
+
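Review bot: `storage_raw_read_fixed_disk(fusermount_t)` and `storage_raw_write_fixed_disk(fusermount_t)` give the fusermount domain direct read and write access to fixed-disk devices (judging by the interface names), and the policy carries no comment explaining the need. Raw device access sidesteps the per-file labelling of every filesystem stored on those disks. The domain is declared with `application_domain`, which this patch documents as "Create a domain which can be started by users", and it also holds `sys_admin`. I would drop the two storage lines and leave `fs_mount_fusefs(fusermount_t)` for the mount itself, or add a comment naming the consumer, e.g. `# <helper> opens the block device directly`.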
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-2.6.5/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2007-04-23 09:36:02.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/getty.te 2007-05-22 14:41:13.000000000 -0400
@@ -33,7 +33,8 @@
#
# Use capabilities.
-allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
+# getty requires sys_admin #209426
+allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid sys_admin };
dontaudit getty_t self:capability sys_tty_config;
allow getty_t self:process { getpgid setpgid getsession signal_perms };
allow getty_t self:fifo_file rw_fifo_file_perms;
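Review bot: The new comment `# getty requires sys_admin #209426` records a ticket number but not which operation needs the capability, and `sys_admin` covers a wide range of privileged operations. Please name the operation in the comment, e.g. `# getty requires sys_admin for <operation>, see #209426`, so the grant can be revisited if getty changes. Also visible in the context: `sys_tty_config` is allowed on this line and dontaudited on the next, which is worth a second look while touching the rule.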
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.6.5/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2007-01-02 12:57:49.000000000 -0500
+++ serefpolicy-2.6.5/policy/modules/system/hostname.te 2007-05-22 14:41:13.000000000 -0400
@@ -8,8 +8,12 @@
type hostname_t;
type hostname_exec_t;
-init_system_domain(hostname_t,hostname_exec_t)
+
+#dont transition from initrc
+domain_type(hostname_t)
+domain_entry_file(hostname_t,hostname_exec_t)
role system_r types hostname_t;
+application_executable_file(hostname_exec_t)
########################################
#
@@ -60,3 +64,11 @@
xen_append_log(hostname_t)
xen_dontaudit_use_fds(hostname_t)
')
+
+optional_policy(`
+ xen_append_log(hostname_t)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(hostname_t)
+')
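Review bot: The first added `optional_policy` block repeats `xen_append_log(hostname_t)`, which the context lines at the top of this hunk show is already called in the preceding block. The duplicate is harmless but adds noise to the policy. Only the `unconfined_dontaudit_rw_pipes(hostname_t)` block is new behaviour and needs to stay.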
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-2.6.5/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2006-11-16 17:15:24.000000000 -0500
+++ serefpolicy-2.6.5/policy/modules/system/init.fc 2007-05-25 09:03:41.000000000 -0400
@@ -14,9 +14,7 @@
/etc/x11/startDM.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
')
-ifdef(`strict_policy',`
/etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0)
-')
#
# /dev
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.6.5/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-05-18 11:12:44.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/init.if 2007-05-22 14:41:13.000000000 -0400
@@ -194,11 +194,14 @@
gen_require(`
type initrc_t;
role system_r;
+ attribute daemon;
')
domain_type($1)
domain_entry_file($1,$2)
+ typeattribute $1 daemon;
+
role system_r types $1;
domtrans_pattern(initrc_t,$2,$1)
@@ -300,6 +303,9 @@
interface(`init_getpgid',`
gen_require(`
type init_t;
+
+ # cjp: remove this when init_t decl is moved back to this module
+ attribute direct_run_init;
')
allow $1 init_t:process getpgid;
@@ -318,6 +324,9 @@
interface(`init_signull',`
gen_require(`
type init_t;
+
+ # cjp: remove this when init_t decl is moved back to this module
+ attribute direct_run_init;
')
allow $1 init_t:process signull;
@@ -336,6 +345,9 @@
interface(`init_sigchld',`
gen_require(`
type init_t;
+
+ # cjp: remove this when init_t decl is moved back to this module
+ attribute direct_run_init;
')
allow $1 init_t:process sigchld;
@@ -354,6 +366,9 @@
interface(`init_use_fds',`
gen_require(`
type init_t;
+
+ # cjp: remove this when init_t decl is moved back to this module
+ attribute direct_run_init;
')
allow $1 init_t:fd use;
@@ -373,6 +388,9 @@
interface(`init_dontaudit_use_fds',`
gen_require(`
type init_t;
+
+ # cjp: remove this when init_t decl is moved back to this module
+ attribute direct_run_init;
')
dontaudit $1 init_t:fd use;
@@ -1073,7 +1091,7 @@
')
files_search_tmp($1)
- rw_files_pattern($1,initrc_tmp_t,initrc_tmp_t)
+ allow $1 initrc_tmp_t:file rw_file_perms;
')
########################################
@@ -1254,3 +1272,42 @@
files_search_pids($1)
allow $1 initrc_var_run_t:file manage_file_perms;
')
+
+########################################
+##
+## Read the process state (/proc/pid) of init.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_read_init_state',`
+ gen_require(`
+ attribute init_t;
+ ')
+
+ allow $1 init_t:dir search_dir_perms;
+ allow $1 init_t:file r_file_perms;
+ allow $1 init_t:lnk_file r_file_perms;
+')
+
+########################################
+##
+## Ptrace init
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`init_ptrace_init_domain',`
+ gen_require(`
+ attribute init_t;
+ ')
+
+ allow $1 init_t:process ptrace;
+')
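Review bot: Both new interfaces, `init_read_init_state` and `init_ptrace_init_domain`, require `attribute init_t;`, but the other interfaces in this file require it as a type (`type init_t;` in `init_getpgid`, `init_signull` and the rest). The require should be `type init_t;` in both. `init_ptrace_init_domain` grants `ptrace` on init, which lets the caller inspect and alter PID 1, so its summary should say more than "Ptrace init". For example, it could state which kind of domain is expected to call it.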
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.6.5/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-04-30 10:41:38.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/init.te 2007-05-22 14:41:13.000000000 -0400
@@ -10,13 +10,20 @@
# Declarations
#
-ifdef(`targeted_policy',`
##
##
## Allow all daemons the ability to use unallocated ttys
##
##
gen_tunable(allow_daemons_use_tty,false)
+
+ifdef(`targeted_policy',`
+##
+##
+## Allow all daemons to write corefiles to /
+##
+##
+gen_tunable(allow_daemons_dump_core,false)
')
# used for direct running of init scripts
@@ -82,7 +89,7 @@
#
# Use capabilities. old rule:
-allow init_t self:capability ~sys_module;
+allow init_t self:capability ~{ audit_control audit_write sys_module };
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
@@ -198,7 +205,7 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
-allow initrc_t self:capability ~{ sys_admin sys_module };
+allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
@@ -213,8 +220,7 @@
allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
term_create_pty(initrc_t,initrc_devpts_t)
-# Going to single user mode
-init_exec(initrc_t)
+init_telinit(initrc_t)
can_exec(initrc_t,initrc_exec_t)
@@ -508,6 +514,12 @@
')
')
+optional_policy(`
+ rhgb_use_ptys(daemon)
+')
+
+domain_dontaudit_use_interactive_fds(daemon)
+
ifdef(`targeted_policy',`
domain_subj_id_change_exemption(initrc_t)
unconfined_domain(initrc_t)
@@ -520,11 +532,21 @@
tunable_policy(`allow_daemons_use_tty',`
term_use_unallocated_ttys(daemon)
term_use_generic_ptys(daemon)
- ')
-
+ unconfined_rw_pipes(daemon)
+ ', `
+ # system-config-services causes avc messages that should be dontaudited
+ unconfined_dontaudit_rw_pipes(daemon)
+
+ ')
+
optional_policy(`
mono_domtrans(initrc_t)
')
+
+ tunable_policy(`allow_daemons_dump_core',`
+ files_dump_core(daemon)
+ ')
+
',`
# cjp: require doesnt work in the else of optionals :\
# this also would result in a type transition
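Review bot: `unconfined_rw_pipes(daemon)` is now granted under the `allow_daemons_use_tty` tunable, whose description in this file still reads "Allow all daemons the ability to use unallocated ttys". An administrator enabling the boolean for tty access would also give every daemon read/write on unconfined pipes without being told. Update the tunable description to mention the pipe access, or add a comment at the call explaining why the two belong together. The added else-branch lines are also indented differently from the surrounding block.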
@@ -735,6 +757,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
+ # Allow SELinux aware applications to request rpm_script_t execution
+ rpm_transition_script(initrc_t)
+
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-2.6.5/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2007-03-26 16:24:13.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/ipsec.if 2007-05-22 14:41:13.000000000 -0400
@@ -114,6 +114,26 @@
########################################
##
+## Allow an IPsec SA to be used by an IPsec Policy.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`ipsec_labeled',`
+ gen_require(`
+ type ipsec_spd_t;
+ ')
+
+ allow $1 ipsec_spd_t:association polmatch;
+ domain_ipsec_labels($1)
+')
+
+
+########################################
+##
## Execute racoon in the racoon domain.
##
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-2.6.5/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2007-04-23 09:36:02.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/ipsec.te 2007-05-22 14:41:13.000000000 -0400
@@ -289,6 +289,7 @@
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
allow racoon_t self:key_socket { create read setopt write };
+logging_send_audit_msg(racoon_t)
# manage pid file
manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-2.6.5/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2007-04-23 09:36:02.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/iptables.te 2007-05-22 14:41:13.000000000 -0400
@@ -56,6 +56,7 @@
domain_use_interactive_fds(iptables_t)
files_read_etc_files(iptables_t)
+files_read_etc_runtime_files(iptables_t)
init_use_fds(iptables_t)
init_use_script_ptys(iptables_t)
@@ -112,3 +113,7 @@
optional_policy(`
udev_read_db(iptables_t)
')
+
+optional_policy(`
+ fail2ban_append_log(iptables_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.6.5/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-05-04 12:19:22.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/libraries.fc 2007-05-22 14:41:13.000000000 -0400
@@ -81,8 +81,8 @@
/opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/f-secure/fspms/libexec/librapi.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/ibm/java2-ppc64-50/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/f-secure/fspms/libexec/librapi.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
@@ -132,13 +132,16 @@
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/transgaming_cedega/gddb_parser.so -- gen_context(system_u:object_r:shlib_t,s0)
/usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0)
+/usr/lib/transgaming_cedega/gddb_parser.so -- gen_context(system_u:object_r:shlib_t,s0)
+/usr/lib/vlc/codec/libdmo_plugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/codec/librealaudio_plugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
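Review bot: The two added VLC entries leave the dot before `so` unescaped (`libdmo_plugin.so`, `librealaudio_plugin.so`), so in the file-context regex it matches any character, while the xorg line added in the same hunk escapes it. These paths are labelled `textrel_shlib_t`, so the pattern should match only the intended files: `/usr/lib/vlc/codec/libdmo_plugin\.so` and `/usr/lib/vlc/codec/librealaudio_plugin\.so`. The moved `gddb_parser.so` line has the same unescaped dot.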
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.6.5/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-05-04 12:19:23.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/libraries.te 2007-05-22 14:41:13.000000000 -0400
@@ -62,7 +62,8 @@
manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
manage_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
-files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir })
+manage_lnk_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
+files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })
manage_lnk_files_pattern(ldconfig_t,lib_t,lib_t)
@@ -101,6 +102,7 @@
files_read_generic_tmp_symlinks(ldconfig_t)
term_dontaudit_use_generic_ptys(ldconfig_t)
term_dontaudit_use_unallocated_ttys(ldconfig_t)
+ files_read_generic_tmp_files(ldconfig_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.6.5/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2007-03-26 10:39:07.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/locallogin.te 2007-05-22 14:41:13.000000000 -0400
@@ -48,6 +48,8 @@
allow local_login_t self:msgq create_msgq_perms;
allow local_login_t self:msg { send receive };
allow local_login_t self:key { search write link };
+allow local_login_t self:appletalk_socket create_socket_perms;
+allow local_login_t self:socket create_socket_perms;
allow local_login_t local_login_lock_t:file manage_file_perms;
files_lock_filetrans(local_login_t,local_login_lock_t,file)
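Review bot: The two added rules give `local_login_t` `create_socket_perms` on `appletalk_socket` and on the generic `socket` class with no comment, and neither is an obvious need for a console login program. If they were added to quiet AVC denials from a library probing address families, a `dontaudit` rule would be narrower than allowing socket creation. A comment such as `# <library> probes socket families at startup` would record the reason either way. The next hunk adds `kernel_read_network_state(local_login_t)`, which would benefit from the same explanation.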
@@ -56,6 +58,7 @@
allow local_login_t local_login_tmp_t:file manage_file_perms;
files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
+kernel_read_network_state(local_login_t)
kernel_read_system_state(local_login_t)
kernel_read_kernel_sysctls(local_login_t)
kernel_search_key(local_login_t)
@@ -98,6 +101,11 @@
term_setattr_all_user_ttys(local_login_t)
term_setattr_unallocated_ttys(local_login_t)
+tunable_policy(`allow_console_login', `
+ term_relabel_console(local_login_t)
+ term_setattr_console(local_login_t)
+')
+
auth_rw_login_records(local_login_t)
auth_rw_faillog(local_login_t)
auth_manage_pam_console_data(local_login_t)
@@ -162,6 +170,10 @@
')
optional_policy(`
+ consolekit_dbus_chat(local_login_t)
+')
+
+optional_policy(`
gpm_getattr_gpmctl(local_login_t)
gpm_setattr_gpmctl(local_login_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.6.5/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-03-26 10:39:07.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/logging.if 2007-05-24 15:05:14.000000000 -0400
@@ -223,6 +223,25 @@
########################################
##
+## Execute klogd in the klog domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_domtrans_klog',`
+ gen_require(`
+ type klogd_t, klogd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1,klogd_exec_t,klogd_t)
+')
+
+########################################
+##
## Create an object in the log directory, with a private
## type using a type transition.
##
@@ -302,6 +321,25 @@
########################################
##
+## dontaudit search of auditd configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`logging_dontaudit_search_audit_config',`
+ gen_require(`
+ type auditd_etc_t;
+ ')
+
+ dontaudit $1 auditd_etc_t:dir search_dir_perms;
+')
+
+########################################
+##
## Allows the domain to open a file in the
## log directory, but does not allow the listing
## of the contents of the log directory.
@@ -436,7 +474,7 @@
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
- read_files_pattern($1,var_log_t,logfile)
+ read_files_pattern($1,logfile, logfile)
')
########################################
@@ -480,6 +518,8 @@
files_search_var($1)
manage_files_pattern($1,logfile,logfile)
read_lnk_files_pattern($1,logfile,logfile)
+ allow $1 logfile:dir { relabelfrom relabelto };
+ allow $1 logfile:file { relabelfrom relabelto };
')
########################################
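Review bot: The added `relabelfrom`/`relabelto` rules on `logfile:dir` and `logfile:file` make this manage interface a relabel interface as well, so every existing caller silently gains the ability to change the label of any log file. Relabeling decides which domains can later read or alter a log, so it is better granted separately from manage. I would move the two `allow` lines into their own interface and call it only from the domains that need it. The interface's opening lines are outside this hunk, so its name and current callers should be checked first.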
@@ -563,3 +603,121 @@
files_search_var($1)
manage_files_pattern($1,var_log_t,var_log_t)
')
+
+########################################
+##
+## Send audit messages
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_send_audit_msg',`
+ gen_require(`
+ attribute can_send_audit_msg;
+ ')
+
+ typeattribute $1 can_send_audit_msg;
+ allow $1 self:capability audit_write;
+ allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlmsg_relay };
+')
+
+########################################
+##
+## Set login uid
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_set_loginuid',`
+ gen_require(`
+ attribute can_set_loginuid;
+ attribute can_send_audit_msg;
+ ')
+
+ typeattribute $1 can_set_loginuid, can_send_audit_msg;
+
+ allow $1 self:capability audit_control;
+ allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlmsg_relay };
+')
+
+########################################
+##
+## Set up audit
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_set_audit',`
+ gen_require(`
+ attribute can_set_audit;
+ attribute can_send_audit_msg;
+ ')
+
+ typeattribute $1 can_set_audit, can_send_audit_msg;
+ allow $1 self:capability { audit_write audit_control };
+ allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlmsg_write nlmsg_relay };
+')
+
+########################################
+##
+## Set audit control rules
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_set_auditctl',`
+ gen_require(`
+ attribute can_set_auditctl;
+ ')
+
+ typeattribute $1 can_set_auditctl;
+ logging_set_audit($1)
+ allow $1 self:netlink_audit_socket nlmsg_readpriv;
+')
+
+########################################
+##
+## Unconfined access to the loggin module.
+##
+##
+##
+## Unconfined access to the authlogin module.
+##
+##
+## Currently, this only allows assertions for
+## the audit susbsystem to be passed.
+## No access is granted yet.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_unconfined',`
+ gen_require(`
+ attribute can_set_audit;
+ attribute can_set_auditctl;
+ attribute can_send_audit_msg;
+ attribute can_set_loginuid;
+ ')
+
+ typeattribute $1 can_set_loginuid;
+ typeattribute $1 can_set_audit;
+ typeattribute $1 can_set_auditctl;
+ typeattribute $1 can_send_audit_msg;
+')
+
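Review bot: The documentation block for `logging_unconfined` is copy-pasted and misspelled: the summary reads `Unconfined access to the loggin module.`, the text after it says `authlogin module`, and `susbsystem` should be `subsystem`. Suggested wording is `## Unconfined access to the logging module.` for the summary and `## Domain allowed access.` for the parameter, as in the other interfaces added here. The summary of `logging_dontaudit_search_audit_config` in the earlier hunk also starts lowercase (`dontaudit search of ...`) where the neighbouring blocks use a sentence-case summary.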
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.6.5/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2007-04-23 09:36:02.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/logging.te 2007-05-22 14:41:13.000000000 -0400
@@ -7,10 +7,15 @@
#
attribute logfile;
+attribute can_set_audit;
+attribute can_set_auditctl;
+attribute can_set_loginuid;
+attribute can_send_audit_msg;
type auditctl_t;
type auditctl_exec_t;
init_system_domain(auditctl_t,auditctl_exec_t)
+application_type(auditctl_t)
role system_r types auditctl_t;
type auditd_etc_t;
@@ -59,14 +64,17 @@
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
')
+neverallow ~{ can_set_loginuid can_set_audit } self:capability audit_control;
+neverallow ~can_set_audit self:netlink_audit_socket nlmsg_write;
+neverallow ~can_set_auditctl self:netlink_audit_socket nlmsg_readpriv;
+neverallow ~can_send_audit_msg self:capability audit_write;
+neverallow ~can_send_audit_msg self:netlink_audit_socket nlmsg_relay;
+
########################################
#
# Auditd local policy
#
-allow auditctl_t self:capability { audit_write audit_control };
-allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
-
read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
allow auditctl_t auditd_etc_t:dir list_dir_perms;
@@ -91,6 +99,7 @@
locallogin_dontaudit_use_fds(auditctl_t)
+logging_set_auditctl(auditctl_t)
logging_send_syslog_msg(auditctl_t)
ifdef(`targeted_policy',`
@@ -103,12 +112,11 @@
# Auditd local policy
#
-allow auditd_t self:capability { audit_write audit_control fsetid sys_nice sys_resource };
+allow auditd_t self:capability { fsetid sys_nice sys_resource };
dontaudit auditd_t self:capability sys_tty_config;
allow auditd_t self:process { signal_perms setpgid setsched };
allow auditd_t self:file { getattr read write };
allow auditd_t self:unix_dgram_socket create_socket_perms;
-allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
allow auditd_t self:fifo_file rw_file_perms;
allow auditd_t auditd_etc_t:dir list_dir_perms;
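Review bot: Dropping the direct `netlink_audit_socket` rule here removes `nlmsg_readpriv` from `auditd_t`, and the replacement added in the next hunk, `logging_set_audit(auditd_t)`, does not grant it back. In this patch only `logging_set_auditctl` carries `nlmsg_readpriv`, and the new `neverallow ~can_set_auditctl self:netlink_audit_socket nlmsg_readpriv;` stops it being added by hand. If the daemon still needs that permission, call `logging_set_auditctl(auditd_t)` instead. If the reduction is deliberate, a comment such as `# auditd_t intentionally has no nlmsg_readpriv` would record it.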
@@ -146,6 +154,7 @@
init_telinit(auditd_t)
+logging_set_audit(auditd_t)
logging_send_syslog_msg(auditd_t)
libs_use_ld_so(auditd_t)
@@ -267,6 +276,9 @@
# create/append log files.
manage_files_pattern(syslogd_t,var_log_t,var_log_t)
+# r/w log fifo_files files.
+rw_fifo_files_pattern(syslogd_t,var_log_t,var_log_t)
+
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
@@ -331,6 +343,7 @@
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
+files_read_var_files(syslogd_t)
files_read_etc_runtime_files(syslogd_t)
# /initrd is not umounted before minilog starts
files_dontaudit_search_isid_type_dirs(syslogd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-2.6.5/policy/modules/system/lvm.fc
--- nsaserefpolicy/policy/modules/system/lvm.fc 2007-01-02 12:57:49.000000000 -0500
+++ serefpolicy-2.6.5/policy/modules/system/lvm.fc 2007-05-22 14:41:13.000000000 -0400
@@ -15,6 +15,7 @@
#
/etc/lvm(/.*)? gen_context(system_u:object_r:lvm_etc_t,s0)
/etc/lvm/\.cache -- gen_context(system_u:object_r:lvm_metadata_t,s0)
+/etc/lvm/cache(./*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/etc/lvm/archive(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/etc/lvm/backup(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/etc/lvm/lock(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
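Review bot: The added pattern `/etc/lvm/cache(./*)?` has the slash and dot transposed, so it matches `/etc/lvm/cache` followed by one arbitrary character and optional slashes rather than everything below the directory. Files under `/etc/lvm/cache/` would fall through to the `/etc/lvm(/.*)?` entry and be labeled `lvm_etc_t` instead of `lvm_metadata_t`. The line should read `/etc/lvm/cache(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)`, matching the `archive` and `backup` entries below it.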
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.6.5/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-04-23 09:36:02.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/lvm.te 2007-05-23 13:27:59.000000000 -0400
@@ -16,6 +16,7 @@
type lvm_t;
type lvm_exec_t;
init_system_domain(lvm_t,lvm_exec_t)
+application_type(lvm_t)
# needs privowner because it assigns the identity system_u to device nodes
# but runs as the identity of the sysadmin
domain_obj_id_change_exemption(lvm_t)
@@ -155,7 +156,9 @@
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
# rawio needed for dmraid
-allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
+allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
+# lvm needs net_admin for multipath
+
dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
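Review bot: The new comment `# lvm needs net_admin for multipath` is placed after the rule it explains and is followed by an added blank line, while the existing justifications for `dac_override`, `mknod` and `sys_rawio` sit above the `allow`. I would move it up next to them, e.g. `# net_admin needed for multipath`, so the capability explanations read as one block ahead of the rule.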
@@ -233,6 +236,8 @@
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
+dev_delete_generic_dirs(lvm_t)
+dev_rw_generic_files(lvm_t)
fs_getattr_xattr_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
@@ -251,6 +256,7 @@
storage_dev_filetrans_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
+mls_file_read_up(lvm_t)
term_getattr_all_user_ttys(lvm_t)
term_list_ptys(lvm_t)
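Review bot: `mls_file_read_up(lvm_t)` is added without a comment, and going by the interface name it exempts `lvm_t` from the MLS restriction on reading files at a higher sensitivity. The same applies to `mls_file_write_down(load_policy_t)`, added in the selinuxutil.te hunk further down, which is the write-down counterpart. Both are exemptions from the mandatory policy rather than ordinary type rules, so each should carry a line naming what forces it, for example `# <object or bug reference> is labeled above the caller's level`.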
@@ -305,5 +311,15 @@
')
optional_policy(`
+ modutils_domtrans_insmod(lvm_t)
+')
+
+optional_policy(`
udev_read_db(lvm_t)
')
+
+optional_policy(`
+ xen_append_log(lvm_t)
+ xen_dontaudit_rw_unix_stream_sockets(lvm_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-2.6.5/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2007-05-02 15:04:46.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/modutils.te 2007-05-22 14:41:13.000000000 -0400
@@ -102,6 +102,7 @@
init_use_fds(insmod_t)
init_use_script_fds(insmod_t)
init_use_script_ptys(insmod_t)
+init_spec_domtrans_script(insmod_t)
libs_use_ld_so(insmod_t)
libs_use_shared_libs(insmod_t)
@@ -123,6 +124,14 @@
')
optional_policy(`
+ alsa_domtrans(insmod_t)
+')
+
+optional_policy(`
+ hal_write_log(insmod_t)
+')
+
+optional_policy(`
hotplug_search_config(insmod_t)
')
@@ -155,6 +164,7 @@
optional_policy(`
rpm_rw_pipes(insmod_t)
+ rpm_read_script_tmp_files(insmod_t)
')
optional_policy(`
@@ -185,6 +195,7 @@
files_read_kernel_symbol_table(depmod_t)
files_read_kernel_modules(depmod_t)
+files_delete_kernel_modules(depmod_t)
fs_getattr_xattr_fs(depmod_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-2.6.5/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc 2006-11-16 17:15:24.000000000 -0500
+++ serefpolicy-2.6.5/policy/modules/system/mount.fc 2007-05-22 14:41:13.000000000 -0400
@@ -1,4 +1,3 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/mount.ntfs-3g -- gen_context(system_u:object_r:mount_ntfs_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-2.6.5/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2007-01-02 12:57:49.000000000 -0500
+++ serefpolicy-2.6.5/policy/modules/system/mount.if 2007-05-22 14:41:13.000000000 -0400
@@ -143,3 +143,40 @@
mount_domtrans($1)
')
')
+
+########################################
+##
+## Execute a domain transition to run mount_ntfs.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mount_ntfs_domtrans',`
+ gen_require(`
+ type mount_ntfs_t, mount_ntfs_exec_t;
+ ')
+
+ domtrans_pattern($1,mount_ntfs_exec_t,mount_ntfs_t)
+')
+
+########################################
+##
+## Allow the specified domain to read/write to
+## init scripts with a unix domain stream sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mount_ntfs_rw_stream_sockets',`
+ gen_require(`
+ type mount_ntfs_t;
+ ')
+
+ allow $1 mount_ntfs_t:unix_stream_socket { read write };
+')
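Review bot: The summary for `mount_ntfs_rw_stream_sockets` says `read/write to init scripts with a unix domain stream sockets`, but the rule grants `read write` on `mount_ntfs_t:unix_stream_socket`; the text looks copied from an init interface. Suggested summary: `## Read and write unix domain stream sockets owned by mount_ntfs.` The parameter line `Domain allowed access.` can stay as it is.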
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.6.5/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2007-04-23 09:36:02.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/mount.te 2007-05-22 14:41:13.000000000 -0400
@@ -9,6 +9,13 @@
ifdef(`targeted_policy',`
##
##
+## Allow mount to mount any dir
+##
+##
+gen_tunable(allow_mounton_anydir,true)
+
+##
+##
## Allow mount to mount any file
##
##
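Review bot: `gen_tunable(allow_mounton_anydir,true)` makes the new tunable default to on. The `auth_read_all_dirs_except_shadow` and `files_mounton_non_security_dir` grants added under it in a later hunk of this file therefore apply to `mount_t` on every targeted system until an administrator turns it off. A tunable that widens access is easier to audit when it defaults to off, i.e. `gen_tunable(allow_mounton_anydir,false)`. If mounting on arbitrary directories has to work out of the box, the description should say so, e.g. `## Allow mount to mount on any non-security directory (enabled by default)`.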
@@ -18,8 +25,13 @@
type mount_t;
type mount_exec_t;
init_system_domain(mount_t,mount_exec_t)
+application_executable_file(mount_exec_t)
role system_r types mount_t;
+type mount_ntfs_t;
+type mount_ntfs_exec_t;
+init_system_domain(mount_ntfs_t, mount_ntfs_exec_t)
+
type mount_loopback_t; # customizable
files_type(mount_loopback_t)
@@ -38,7 +50,7 @@
#
# setuid/setgid needed to mount cifs
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid };
allow mount_t mount_loopback_t:file read_file_perms;
allow mount_t self:netlink_route_socket r_netlink_socket_perms;
@@ -130,10 +142,15 @@
')
ifdef(`targeted_policy',`
+ tunable_policy(`allow_mounton_anydir',`
+ auth_read_all_dirs_except_shadow(mount_t)
+ files_mounton_non_security_dir(mount_t)
+ ')
+
tunable_policy(`allow_mount_anyfile',`
auth_read_all_dirs_except_shadow(mount_t)
auth_read_all_files_except_shadow(mount_t)
- files_mounton_non_security(mount_t)
+ files_mounton_non_security_files(mount_t)
')
')
@@ -205,3 +222,53 @@
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
')
+
+########################################
+#
+# mount_ntfs local policy
+#
+allow mount_ntfs_t self:capability { setuid sys_admin };
+allow mount_ntfs_t self:fifo_file { read write };
+allow mount_ntfs_t self:unix_stream_socket create_stream_socket_perms;
+allow mount_ntfs_t self:unix_dgram_socket { connect create };
+
+corecmd_read_bin_symlinks(mount_ntfs_t)
+corecmd_exec_shell(mount_ntfs_t)
+
+files_read_etc_files(mount_ntfs_t)
+
+libs_use_ld_so(mount_ntfs_t)
+libs_use_shared_libs(mount_ntfs_t)
+
+fusermount_domtrans(mount_ntfs_t)
+fusermount_use_fds(mount_ntfs_t)
+
+init_dontaudit_use_fds(mount_ntfs_t)
+
+kernel_read_system_state(mount_ntfs_t)
+
+logging_send_syslog_msg(mount_ntfs_t)
+
+miscfiles_read_localization(mount_ntfs_t)
+
+modutils_domtrans_insmod(mount_ntfs_t)
+
+mount_ntfs_domtrans(mount_t)
+
+storage_raw_read_fixed_disk(mount_ntfs_t)
+storage_raw_write_fixed_disk(mount_ntfs_t)
+
+optional_policy(`
+ nscd_socket_use(mount_ntfs_t)
+')
+
+optional_policy(`
+ hal_write_log(mount_ntfs_t)
+ hal_use_fds(mount_ntfs_t)
+ hal_rw_pipes(mount_ntfs_t)
+')
+
+ifdef(`targeted_policy',`
+ term_use_generic_ptys(mount_ntfs_t)
+')
+
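Review bot: `fusermount_domtrans`, `fusermount_use_fds` and `modutils_domtrans_insmod` are called unconditionally in the new mount_ntfs section, whereas the lvm.te hunk in this same patch wraps `modutils_domtrans_insmod(lvm_t)` in `optional_policy`, as do the `nscd_` and `hal_` calls a few lines below. If the fusermount module is not part of every build, the unconditional calls may fail to compile, so I would wrap them the same way. `mount_ntfs_domtrans(mount_t)` also sits in this section although it is a rule about `mount_t`; it would read better next to the other `mount_t` rules.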
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-2.6.5/policy/modules/system/netlabel.te
--- nsaserefpolicy/policy/modules/system/netlabel.te 2006-11-16 17:15:24.000000000 -0500
+++ serefpolicy-2.6.5/policy/modules/system/netlabel.te 2007-05-22 14:41:13.000000000 -0400
@@ -20,6 +20,10 @@
allow netlabel_mgmt_t self:capability net_admin;
allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
+init_use_script_ptys(netlabel_mgmt_t)
+
+files_read_etc_files(netlabel_mgmt_t)
+
kernel_read_network_state(netlabel_mgmt_t)
libs_use_ld_so(netlabel_mgmt_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.6.5/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2007-04-23 09:36:02.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/raid.te 2007-05-22 14:41:13.000000000 -0400
@@ -19,7 +19,7 @@
# Local policy
#
-allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
+allow mdadm_t self:capability { dac_override mknod sys_admin ipc_lock };
dontaudit mdadm_t self:capability sys_tty_config;
allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
allow mdadm_t self:fifo_file rw_fifo_file_perms;
@@ -46,6 +46,7 @@
# RAID block device access
storage_manage_fixed_disk(mdadm_t)
storage_dev_filetrans_fixed_disk(mdadm_t)
+storage_read_scsi_generic(mdadm_t)
term_dontaudit_list_ptys(mdadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.6.5/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2007-05-18 11:12:44.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/selinuxutil.fc 2007-05-22 14:41:13.000000000 -0400
@@ -40,6 +40,7 @@
/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/genhomedircon -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.6.5/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-18 11:12:44.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/selinuxutil.if 2007-05-22 14:41:13.000000000 -0400
@@ -432,6 +432,7 @@
role $2 types run_init_t;
allow run_init_t $3:chr_file rw_term_perms;
allow $2 system_r;
+ auth_run_upd_passwd($1,$2,$3)
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.6.5/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-05-18 11:12:44.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/selinuxutil.te 2007-05-24 15:37:32.000000000 -0400
@@ -1,10 +1,8 @@
policy_module(selinuxutil,1.5.1)
-ifdef(`strict_policy',`
- gen_require(`
- bool secure_mode;
- ')
+gen_require(`
+ bool secure_mode;
')
########################################
@@ -26,11 +24,9 @@
files_type(selinux_config_t)
type checkpolicy_t, can_write_binary_policy;
-domain_type(checkpolicy_t)
-role system_r types checkpolicy_t;
-
type checkpolicy_exec_t;
-domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
+application_domain(checkpolicy_t, checkpolicy_exec_t)
+role system_r types checkpolicy_t;
#
# default_context_t is the type applied to
@@ -83,25 +79,27 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
domain_obj_id_change_exemption(restorecond_t)
-role system_r types restorecond_t;
type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t)
type run_init_t;
type run_init_exec_t;
-domain_type(run_init_t)
-domain_entry_file(run_init_t,run_init_exec_t)
+application_domain(run_init_t, run_init_exec_t)
domain_system_change_exemption(run_init_t)
+role system_r types run_init_t;
type semanage_t;
-domain_type(semanage_t)
-domain_interactive_fd(semanage_t)
-
type semanage_exec_t;
-domain_entry_file(semanage_t, semanage_exec_t)
+application_domain(semanage_t, semanage_exec_t)
+domain_interactive_fd(semanage_t)
role system_r types semanage_t;
+ifdef(`targeted_policy',`
+init_use_fds(semanage_t)
+init_system_domain(semanage_t, semanage_exec_t)
+')
+
type semanage_store_t;
files_type(semanage_store_t)
@@ -115,9 +113,12 @@
files_type(semanage_trans_lock_t)
type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
-type setfiles_exec_t alias restorecon_exec_t;
-init_system_domain(setfiles_t,setfiles_exec_t)
domain_obj_id_change_exemption(setfiles_t)
+domain_type(setfiles_t)
+role system_r types setfiles_t;
+
+type setfiles_exec_t alias restorecon_exec_t;
+domain_entry_file(setfiles_t,setfiles_exec_t)
ifdef(`distro_redhat',`
init_system_domain(setfiles_t,setfiles_exec_t)
@@ -186,6 +187,7 @@
fs_getattr_xattr_fs(load_policy_t)
mls_file_read_up(load_policy_t)
+mls_file_write_down(load_policy_t)
selinux_get_fs_mount(load_policy_t)
selinux_load_policy(load_policy_t)
@@ -208,7 +210,7 @@
# cjp: cover up stray file descriptors.
dontaudit load_policy_t selinux_config_t:file write;
optional_policy(`
- unconfined_dontaudit_read_pipes(load_policy_t)
+ unconfined_dontaudit_rw_pipes(load_policy_t)
')
')
@@ -234,7 +236,7 @@
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+logging_send_audit_msg(newrole_t)
read_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
read_lnk_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
@@ -272,6 +274,7 @@
term_dontaudit_use_unallocated_ttys(newrole_t)
auth_domtrans_chk_passwd(newrole_t)
+auth_domtrans_upd_passwd(newrole_t)
auth_rw_faillog(newrole_t)
corecmd_list_bin(newrole_t)
@@ -301,15 +304,13 @@
userdom_dontaudit_search_all_users_home_content(newrole_t)
userdom_search_all_users_home_dirs(newrole_t)
-ifdef(`strict_policy',`
- # if secure mode is enabled, then newrole
- # can only transition to unprivileged users
- if(secure_mode) {
- userdom_spec_domtrans_unpriv_users(newrole_t)
- } else {
- userdom_spec_domtrans_all_users(newrole_t)
- }
-')
+# if secure mode is enabled, then newrole
+# can only transition to unprivileged users
+if(secure_mode) {
+ userdom_spec_domtrans_unpriv_users(newrole_t)
+} else {
+ userdom_spec_domtrans_all_users(newrole_t)
+}
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all(newrole_t)
@@ -387,7 +388,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
-allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+logging_send_audit_msg(run_init_t)
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
@@ -401,6 +402,7 @@
term_dontaudit_list_ptys(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
+auth_domtrans_upd_passwd(run_init_t)
auth_dontaudit_read_shadow(run_init_t)
corecmd_exec_bin(run_init_t)
@@ -457,7 +459,7 @@
allow semanage_t self:capability { dac_override audit_write };
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
allow semanage_t self:unix_dgram_socket create_socket_perms;
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+logging_send_audit_msg(semanage_t)
allow semanage_t policy_config_t:file { read write };
@@ -468,7 +470,10 @@
kernel_read_system_state(semanage_t)
kernel_read_kernel_sysctls(semanage_t)
+can_exec(semanage_t, semanage_exec_t)
+
corecmd_exec_bin(semanage_t)
+corecmd_exec_shell(semanage_t)
dev_read_urand(semanage_t)
@@ -483,6 +488,7 @@
mls_rangetrans_target(semanage_t)
mls_file_read_up(semanage_t)
+selinux_get_fs_mount(semanage_t)
selinux_validate_context(semanage_t)
selinux_get_enforce_mode(semanage_t)
# for setsebool:
@@ -492,6 +498,8 @@
# Running genhomedircon requires this for finding all users
auth_use_nsswitch(semanage_t)
+# Admins are creating pp files in random locations
+auth_read_all_files_except_shadow(semanage_t)
libs_use_ld_so(semanage_t)
libs_use_shared_libs(semanage_t)
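Review bot: `auth_read_all_files_except_shadow(semanage_t)` gives `semanage_t` read access to every file type other than shadow in order to cover, per its comment, module packages created in arbitrary locations. That is far wider than reading `.pp` files requires, and `semanage_t` already has read/write on `policy_config_t` files. I would limit the grant to the locations administrators actually install from, or expand the comment to state that the breadth is accepted, e.g. `# accepted: modules may be installed from any readable path`.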
@@ -518,6 +526,15 @@
userdom_search_sysadm_home_dirs(semanage_t)
+optional_policy(`
+ #signal mcstrans on reload
+ init_spec_domtrans_script(semanage_t)
+')
+
+optional_policy(`
+ rpm_dontaudit_rw_tmp_files(semanage_t)
+')
+
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
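Review bot: The comment `#signal mcstrans on reload` does not match the rule under it: going by its name, `init_spec_domtrans_script(semanage_t)` lets `semanage_t` transition into the init script domain, which is broader than sending a signal. The same call is added for `insmod_t` in the modutils.te hunk with no comment at all. I would reword it to say what is executed, e.g. `# run the mcstrans init script so it reloads its configuration`, and add an equivalent line in modutils.te.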
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.6.5/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-04-23 09:36:02.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/sysnetwork.te 2007-05-22 14:41:13.000000000 -0400
@@ -164,6 +164,10 @@
dbus_connect_system_bus(dhcpc_t)
dbus_send_system_bus(dhcpc_t)
+ dbus_read_config(dhcpc_t)
+
+ dbus_dontaudit_rw_system_selinux_socket(dhcpc_t)
+
optional_policy(`
networkmanager_dbus_chat(dhcpc_t)
')
@@ -221,6 +225,7 @@
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
+ seutil_domtrans_setfiles(dhcpc_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.6.5/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2007-05-18 11:12:44.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/udev.te 2007-05-22 14:41:13.000000000 -0400
@@ -83,12 +83,19 @@
kernel_dgram_send(udev_t)
kernel_signal(udev_t)
+#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
+kernel_read_net_sysctls(udev_t)
+kernel_read_network_state(udev_t)
+sysnet_read_dhcpc_pid(udev_t)
+sysnet_delete_dhcpc_pid(udev_t)
+
corecmd_exec_all_executables(udev_t)
dev_rw_sysfs(udev_t)
dev_manage_all_dev_nodes(udev_t)
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
+dev_search_usbfs_dirs(udev_t)
domain_read_all_domains_state(udev_t)
domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
@@ -194,5 +201,24 @@
')
optional_policy(`
+ openct_read_pid_files(udev_t)
+ openct_domtrans(udev_t)
+')
+
+optional_policy(`
+ pcscd_read_pub_files(udev_t)
+ pcscd_domtrans(udev_t)
+')
+
+optional_policy(`
+ xen_append_log(udev_t)
+ kernel_write_xen_state(udev_t)
+ kernel_read_xen_state(udev_t)
+ xen_read_image_files(udev_t)
+')
+
+optional_policy(`
xserver_read_xdm_pid(udev_t)
')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.6.5/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-2.6.5/policy/modules/system/unconfined.fc 2007-05-22 14:41:13.000000000 -0400
@@ -10,4 +10,5 @@
/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/vmware.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.6.5/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-2.6.5/policy/modules/system/unconfined.if 2007-05-22 14:41:13.000000000 -0400
@@ -18,7 +18,7 @@
')
# Use any Linux capability.
- allow $1 self:capability *;
+ allow $1 self:capability all_capabilities;
allow $1 self:fifo_file manage_fifo_file_perms;
# Transition to myself, to make get_ordered_context_list happy.
@@ -28,10 +28,10 @@
allow $1 self:file rw_file_perms;
# Userland object managers
- allow $1 self:nscd *;
- allow $1 self:dbus *;
- allow $1 self:passwd *;
- allow $1 self:association *;
+ allow $1 self:nscd all_nscd;
+ allow $1 self:dbus all_dbus;
+ allow $1 self:passwd all_passwd;
+ allow $1 self:association all_association;
kernel_unconfined($1)
corenet_unconfined($1)
@@ -78,6 +78,10 @@
')
optional_policy(`
+ logging_unconfined($1)
+ ')
+
+ optional_policy(`
nscd_unconfined($1)
')
@@ -556,3 +560,22 @@
allow $1 unconfined_t:dbus acquire_svc;
')
+
+########################################
+##
+## Allow ptrace of unconfined domain
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_ptrace',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process ptrace;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.6.5/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-05-18 11:12:44.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/unconfined.te 2007-05-22 14:41:13.000000000 -0400
@@ -6,6 +6,15 @@
# Declarations
#
+ifdef(`targeted_policy',`
+##
+##
+## Allow unconfined to dyntrans to unconfined_execmem
+##
+##
+gen_tunable(allow_unconfined_execmem_dyntrans,false)
+')
+
type unconfined_t;
type unconfined_exec_t;
init_system_domain(unconfined_t,unconfined_exec_t)
@@ -50,6 +59,8 @@
userdom_unconfined(unconfined_t)
userdom_priveleged_home_dir_manager(unconfined_t)
+ term_user_pty(unconfined_t, devpts_t)
+
optional_policy(`
ada_domtrans(unconfined_t)
')
@@ -63,10 +74,6 @@
')
optional_policy(`
- bootloader_domtrans(unconfined_t)
- ')
-
- optional_policy(`
init_dbus_chat_script(unconfined_t)
dbus_stub(unconfined_t)
@@ -93,6 +100,7 @@
optional_policy(`
networkmanager_dbus_chat(unconfined_t)
+ networkmanager_domtrans(unconfined_t)
')
optional_policy(`
@@ -153,6 +161,8 @@
optional_policy(`
rpm_domtrans(unconfined_t)
+ # Allow SELinux aware applications to request rpm_script execution
+ rpm_transition_script(unconfined_t)
')
optional_policy(`
@@ -192,6 +202,9 @@
optional_policy(`
xserver_domtrans_xdm_xserver(unconfined_t)
')
+ mcs_killall(unconfined_t)
+ mcs_ptrace_all(unconfined_t)
+
')
########################################
@@ -200,10 +213,18 @@
#
ifdef(`targeted_policy',`
+ tunable_policy(`allow_unconfined_execmem_dyntrans',`
+ allow unconfined_t unconfined_execmem_t:process dyntransition;
+ ')
+
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
optional_policy(`
+ hal_dbus_chat(unconfined_execmem_t)
+ ')
+
+ optional_policy(`
dbus_stub(unconfined_execmem_t)
init_dbus_chat_script(unconfined_execmem_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.6.5/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-05-18 11:12:44.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/userdomain.if 2007-05-24 14:35:27.000000000 -0400
@@ -114,6 +114,18 @@
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
+
+ optional_policy(`
+ ssh_rw_stream_sockets($1_t)
+ ')
+
+ optional_policy(`
+ consoletype_exec($1_t)
+ ')
+
+ optional_policy(`
+ hostname_exec($1_t)
+ ')
')
#######################################
@@ -764,6 +776,8 @@
auth_search_pam_console_data($1_t)
auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ auth_run_upd_passwd($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ auth_read_key($1_t)
init_read_utmp($1_t)
# The library functions always try to open read-write first,
@@ -953,6 +967,38 @@
##
##
#
+template(`userdom_privhome_user_template',`
+ gen_require(`
+ type $1_home_dir_t, $1_home_t;
+ ')
+
+ # privileged home directory writers
+ manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+ manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+ manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+ manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+ manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+ filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
+')
+
+#######################################
+##
+## The template for creating a unprivileged user.
+##
+##
+##
+## This template creates a user domain, types, and
+## rules for the user's tty, pty, home directories,
+## tmp, and tmpfs files.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+#
template(`userdom_unpriv_user_template', `
gen_require(`
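Review bot: `userdom_privhome_user_template` is inserted between an existing documentation block and `userdom_unpriv_user_template`, so it inherits the block that ends just above the added lines. A fresh copy of the unprivileged-user text is then added for the template below. Unless the inherited block is rewritten elsewhere, the new template is documented as something it is not; the start of that block is outside this hunk. It needs its own header, e.g. a summary `## Allow privhome domains to manage a user's home directory content.`, with the parameter text `The prefix of the user domain (e.g., user is the prefix for user_t).` reused.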
@@ -979,20 +1025,13 @@
userdom_poly_home_template($1)
userdom_poly_tmp_template($1)
+ userdom_privhome_user_template($1)
+
##############################
#
# Local policy
#
-
- # privileged home directory writers
- manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
-
- corecmd_exec_all_executables($1_t)
+ application_exec_all($1_t)
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
@@ -1059,10 +1098,6 @@
dontaudit xdm_t $1_home_t:file rw_file_perms;
')
- # Do not audit write denials to /etc/ld.so.cache.
- dontaudit $1_t ld_so_cache_t:file write;
-
- dontaudit $1_t sysadm_home_t:file { read append };
') dnl end TODO
')
@@ -1126,7 +1161,7 @@
# $1_t local policy
#
- allow $1_t self:capability ~sys_module;
+ allow $1_t self:capability ~{ sys_module audit_control audit_write };
allow $1_t self:process { setexec setfscreate };
# Set password information for other users.
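Review bot: The changed capability rule keeps the complement form `~{ ... }`, so `$1_t` still receives every capability except the three listed, and the two audit capabilities are withheld only by appearing in that exclusion list. I would put a comment above the rule stating why they are excluded, for example `# audit_control and audit_write are withheld from the admin domain itself; audit tools run in their own domains (confirm)`, so that a later edit does not drop them unnoticed. The next hunk removes the matching `netlink_audit_socket` rule, which is consistent with this. The enclosing template starts and ends outside this hunk.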
@@ -1138,8 +1173,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
- allow $1_t self:netlink_audit_socket nlmsg_readpriv;
-
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
@@ -1352,11 +1385,7 @@
##
#
template(`userdom_role_change_generic_user',`
- ifdef(`strict_policy',`
- userdom_role_change_template($1,user)
- ',`
- refpolicywarn(`$0($*) has no effect in targeted policy.')
- ')
+ userdom_role_change_template($1,user)
')
########################################
@@ -1383,11 +1412,7 @@
##
#
template(`userdom_role_change_from_generic_user',`
- ifdef(`strict_policy',`
- userdom_role_change_template(user,$1)
- ',`
- refpolicywarn(`$0($*) has no effect in targeted policy.')
- ')
+ userdom_role_change_template(user,$1)
')
########################################
@@ -1413,11 +1438,7 @@
##
#
template(`userdom_role_change_staff',`
- ifdef(`strict_policy',`
- userdom_role_change_template($1,staff)
- ',`
- refpolicywarn(`$0($*) has no effect in targeted policy.')
- ')
+ userdom_role_change_template($1,staff)
')
########################################
@@ -1444,11 +1465,7 @@
##
#
template(`userdom_role_change_from_staff',`
- ifdef(`strict_policy',`
- userdom_role_change_template(staff,$1)
- ',`
- refpolicywarn(`$0($*) has no effect in targeted policy.')
- ')
+ userdom_role_change_template(staff,$1)
')
########################################
@@ -1474,11 +1491,7 @@
##
#
template(`userdom_role_change_sysadm',`
- ifdef(`strict_policy',`
- userdom_role_change_template($1,sysadm)
- ',`
- refpolicywarn(`$0($*) has no effect in targeted policy.')
- ')
+ userdom_role_change_template($1,sysadm)
')
########################################
@@ -1505,11 +1518,7 @@
##
#
template(`userdom_role_change_from_sysadm',`
- ifdef(`strict_policy',`
- userdom_role_change_template(sysadm,$1)
- ',`
- refpolicywarn(`$0($*) has no effect in targeted policy.')
- ')
+ userdom_role_change_template(sysadm,$1)
')
########################################
@@ -1697,13 +1706,11 @@
##
#
template(`userdom_setattr_user_ptys',`
- ifdef(`strict_policy',`
- gen_require(`
- type $1_devpts_t;
- ')
-
- allow $2 $1_devpts_t:chr_file setattr;
+ gen_require(`
+ type $1_devpts_t;
')
+
+ allow $2 $1_devpts_t:chr_file setattr;
')
########################################
@@ -1732,13 +1739,11 @@
##
#
template(`userdom_create_user_pty',`
- ifdef(`strict_policy',`
- gen_require(`
- type $1_devpts_t;
- ')
-
- term_create_pty($2,$1_devpts_t)
+ gen_require(`
+ type $1_devpts_t;
')
+
+ term_create_pty($2,$1_devpts_t)
')
########################################
@@ -3623,13 +3628,12 @@
template(`userdom_setattr_user_ttys',`
ifdef(`targeted_policy',`
term_setattr_unallocated_ttys($2)
- ',`
- gen_require(`
- type $1_tty_device_t;
- ')
-
- allow $2 $1_tty_device_t:chr_file setattr;
')
+ gen_require(`
+ type $1_tty_device_t;
+ ')
+
+ allow $2 $1_tty_device_t:chr_file setattr;
')
########################################
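Review bot: In `userdom_setattr_user_ttys` the per-user rule on `$1_tty_device_t` used to be the alternative to the `targeted_policy` branch and is now unconditional, so in a targeted build the caller gets both `term_setattr_unallocated_ttys($2)` and setattr on the user's own tty type. If the per-user types now exist in targeted builds, as the userdomain.te changes in this patch suggest, the unallocated-tty grant may no longer be needed and only widens access. Either drop the `ifdef` branch or add a comment saying why it is kept. The same pattern recurs in `userdom_use_user_ttys`, `userdom_use_unpriv_users_ptys`, `userdom_dontaudit_use_unpriv_users_ptys`, `userdom_list_unpriv_users_tmp`, `userdom_read_unpriv_users_tmp_files`, `userdom_read_unpriv_users_tmp_symlinks`, `userdom_use_unpriv_users_ttys` and `userdom_dontaudit_use_unpriv_users_ttys` in the following hunks.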
@@ -3660,13 +3664,12 @@
template(`userdom_use_user_ttys',`
ifdef(`targeted_policy',`
term_use_unallocated_ttys($2)
- ',`
- gen_require(`
- type $1_tty_device_t;
- ')
-
- allow $2 $1_tty_device_t:chr_file rw_term_perms;
')
+ gen_require(`
+ type $1_tty_device_t;
+ ')
+
+ allow $2 $1_tty_device_t:chr_file rw_term_perms;
')
########################################
@@ -3695,18 +3698,13 @@
##
#
template(`userdom_use_user_terminals',`
- ifdef(`targeted_policy',`
- term_use_unallocated_ttys($2)
- term_use_generic_ptys($2)
- ',`
- gen_require(`
- type $1_tty_device_t, $1_devpts_t;
- ')
-
- allow $2 $1_tty_device_t:chr_file rw_term_perms;
- allow $2 $1_devpts_t:chr_file rw_term_perms;
- term_list_ptys($2)
+ gen_require(`
+ type $1_tty_device_t, $1_devpts_t;
')
+
+ allow $2 $1_tty_device_t:chr_file rw_term_perms;
+ allow $2 $1_devpts_t:chr_file rw_term_perms;
+ term_list_ptys($2)
')
########################################
@@ -4682,18 +4680,14 @@
##
#
interface(`userdom_read_sysadm_home_content_files',`
- ifdef(`strict_policy',`
- gen_require(`
- type sysadm_home_dir_t, sysadm_home_t;
- ')
-
- files_search_home($1)
- allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
- read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
- read_lnk_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
- ',`
- userdom_read_generic_user_home_content_files($1)
+ gen_require(`
+ type sysadm_home_dir_t, sysadm_home_t;
')
+
+ files_search_home($1)
+ allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
+ read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
+ read_lnk_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
')
########################################
@@ -4707,18 +4701,14 @@
##
#
interface(`userdom_read_sysadm_tmp_files',`
- ifdef(`strict_policy',`
- gen_require(`
- type sysadm_tmp_t;
- ')
-
- files_search_tmp($1)
- allow $1 sysadm_tmp_t:dir list_dir_perms;
- read_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t)
- read_lnk_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t)
- ',`
- files_read_generic_tmp_files($1)
+ gen_require(`
+ type sysadm_tmp_t;
')
+
+ files_search_tmp($1)
+ allow $1 sysadm_tmp_t:dir list_dir_perms;
+ read_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t)
+ read_lnk_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t)
')
########################################
@@ -5352,14 +5342,13 @@
interface(`userdom_use_unpriv_users_ptys',`
ifdef(`targeted_policy',`
term_use_generic_ptys($1)
- ',`
- gen_require(`
- attribute user_ptynode;
- ')
-
- term_search_ptys($1)
- allow $1 user_ptynode:chr_file rw_file_perms;
')
+ gen_require(`
+ attribute user_ptynode;
+ ')
+
+ term_search_ptys($1)
+ allow $1 user_ptynode:chr_file rw_file_perms;
')
########################################
@@ -5376,13 +5365,13 @@
interface(`userdom_dontaudit_use_unpriv_users_ptys',`
ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys($1)
- ',`
- gen_require(`
- attribute user_ptynode;
- ')
+ ')
- dontaudit $1 user_ptynode:chr_file rw_file_perms;
+ gen_require(`
+ attribute user_ptynode;
')
+
+ dontaudit $1 user_ptynode:chr_file rw_file_perms;
')
########################################
@@ -5435,13 +5424,12 @@
interface(`userdom_list_unpriv_users_tmp',`
ifdef(`targeted_policy',`
files_list_tmp($1)
- ',`
- gen_require(`
- attribute user_tmpfile;
- ')
-
- allow $1 user_tmpfile:dir list_dir_perms;
')
+ gen_require(`
+ attribute user_tmpfile;
+ ')
+
+ allow $1 user_tmpfile:dir list_dir_perms;
')
########################################
@@ -5457,13 +5445,12 @@
interface(`userdom_read_unpriv_users_tmp_files',`
ifdef(`targeted_policy',`
files_read_generic_tmp_files($1)
- ',`
- gen_require(`
- attribute user_tmpfile;
- ')
-
- allow $1 user_tmpfile:file { read getattr };
')
+ gen_require(`
+ attribute user_tmpfile;
+ ')
+
+ allow $1 user_tmpfile:file { read getattr };
')
########################################
@@ -5479,13 +5466,12 @@
interface(`userdom_read_unpriv_users_tmp_symlinks',`
ifdef(`targeted_policy',`
files_read_generic_tmp_symlinks($1)
- ',`
- gen_require(`
- attribute user_tmpfile;
- ')
-
- allow $1 user_tmpfile:lnk_file { getattr read };
')
+ gen_require(`
+ attribute user_tmpfile;
+ ')
+
+ allow $1 user_tmpfile:lnk_file { getattr read };
')
########################################
@@ -5519,13 +5505,12 @@
interface(`userdom_use_unpriv_users_ttys',`
ifdef(`targeted_policy',`
term_use_unallocated_ttys($1)
- ',`
- gen_require(`
- attribute user_ttynode;
- ')
-
- allow $1 user_ttynode:chr_file rw_term_perms;
')
+ gen_require(`
+ attribute user_ttynode;
+ ')
+
+ allow $1 user_ttynode:chr_file rw_term_perms;
')
########################################
@@ -5542,13 +5527,12 @@
interface(`userdom_dontaudit_use_unpriv_users_ttys',`
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys($1)
- ',`
- gen_require(`
- attribute user_ttynode;
- ')
-
- dontaudit $1 user_ttynode:chr_file rw_file_perms;
')
+ gen_require(`
+ attribute user_ttynode;
+ ')
+
+ dontaudit $1 user_ttynode:chr_file rw_file_perms;
')
########################################
@@ -5672,15 +5656,11 @@
##
#
interface(`userdom_create_all_users_keys',`
- ifdef(`strict_policy',`
- gen_require(`
- attribute userdomain;
- ')
-
- allow $1 userdomain:key create;
- ',`
- unconfined_create_keys($1)
+ gen_require(`
+ attribute userdomain;
')
+
+ allow $1 userdomain:key create;
')
########################################
@@ -5720,3 +5700,112 @@
allow $1 user_home_dir_t:dir manage_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
')
+
+
+########################################
+##
+## Manage and create all files in /tmp on behalf of the user
+##
+##
+##
+## The interface for full access to the temporary directories.
+## This creates a derived type for the user
+## temporary type. Execute access is not given.
+##
+##
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+## If not specified, file is used.
+##
+##
+#
+template(`userdom_transition_user_tmp',`
+ gen_require(`
+ type $1_tmp_t;
+ ')
+
+ files_tmp_filetrans($2,$1_tmp_t, $3)
+')
+
+########################################
+##
+## dontaudit getattr all user file type
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`userdom_dontaudit_list_user_files',`
+ gen_require(`
+ attribute $1_file_type;
+ ')
+
+ dontaudit $2 $1_file_type:dir search_dir_perms;
+ dontaudit $2 $1_file_type:file getattr;
+')
+
+########################################
+##
+## Do not audit attempts to write to homedirs of sysadm users
+## home directory.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`userdom_dontaudit_write_sysadm_home_dirs',`
+ ifdef(`targeted_policy',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ dontaudit $1 user_home_dir_t:dir write;
+ ', `
+ gen_require(`
+ type sysadm_home_dir_t;
+ ')
+
+ dontaudit $1 sysadm_home_dir_t:dir write;
+ ')
+')
+
+########################################
+##
+## Ptrace all user domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`userdom_ptrace_all_users',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:process ptrace;
+')
+
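Review bot: `userdom_dontaudit_list_user_files` is declared with `interface(` but its body uses `$1` as a user prefix (`$1_file_type`) and `$2` as the domain, while its header documents a single domain parameter. It should be declared with `template(` and document both parameters, and its summary should mention the directory search rule as well as getattr. Separately, `userdom_ptrace_all_users` grants `userdomain:process ptrace` with no condition, whereas userdomain.te in this same patch puts sysadm ptrace behind the `allow_ptrace` tunable; I would add a header line telling callers to wrap the call in that tunable. `userdom_transition_user_tmp` is summarised as managing all files in /tmp, but its body only adds a type transition through `files_tmp_filetrans($2,$1_tmp_t, $3)`, and the summary should say that.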
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.6.5/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-05-18 11:12:44.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/userdomain.te 2007-05-25 08:27:29.000000000 -0400
@@ -15,7 +15,6 @@
# Declarations
#
-ifdef(`strict_policy',`
##
##
## Allow sysadm to ptrace all processes
@@ -58,7 +57,6 @@
##
##
gen_tunable(user_ttyfile_stat,false)
-')
# admin users terminals (tty and pty)
attribute admin_terminal;
@@ -69,6 +67,9 @@
# users home directory contents
attribute home_type;
+# Executables to be run by user
+attribute user_exec_type;
+
# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
@@ -101,440 +102,421 @@
# Local policy
#
-ifdef(`strict_policy',`
- userdom_admin_user_template(sysadm)
- userdom_unpriv_user_template(staff)
- userdom_unpriv_user_template(user)
-
- # user role change rules:
- # sysadm_r can change to user roles
- userdom_role_change_template(sysadm, user)
- userdom_role_change_template(sysadm, staff)
-
- # only staff_r can change to sysadm_r
- userdom_role_change_template(staff, sysadm)
- dontaudit staff_t admin_terminal:chr_file { read write };
+userdom_unpriv_user_template(user)
+userdom_admin_user_template(sysadm)
- ifdef(`enable_mls',`
- userdom_unpriv_user_template(secadm)
- userdom_unpriv_user_template(auditadm)
+optional_policy(`
+ cron_admin_template(sysadm,sysadm_t,sysadm_r)
+')
- userdom_role_change_template(staff,auditadm)
- userdom_role_change_template(staff,secadm)
+optional_policy(`
+ ethereal_admin_template(sysadm,sysadm_t,sysadm_r)
+')
- userdom_role_change_template(sysadm,secadm)
- userdom_role_change_template(sysadm,auditadm)
+optional_policy(`
+ lpr_admin_template(sysadm,sysadm_t,sysadm_r)
+')
- userdom_role_change_template(auditadm,secadm)
- userdom_role_change_template(auditadm,sysadm)
+optional_policy(`
+ mta_admin_template(sysadm,sysadm_t,sysadm_r)
+')
- userdom_role_change_template(secadm,auditadm)
- userdom_role_change_template(secadm,sysadm)
- ')
+userdom_unpriv_user_template(staff)
- # this should be tunable_policy, but
- # currently type_change and RBAC allow
- # do not work in conditionals
- ifdef(`user_canbe_sysadm',`
- userdom_role_change_template(user,sysadm)
- ')
+# user role change rules:
+# sysadm_r can change to user roles
+userdom_role_change_template(sysadm, user)
+userdom_role_change_template(sysadm, staff)
- ########################################
- #
- # Sysadm local policy
- #
+# only staff_r can change to sysadm_r
+userdom_role_change_template(staff, sysadm)
+dontaudit staff_t admin_terminal:chr_file { read write };
- # for su
- allow sysadm_t userdomain:fd use;
+ifdef(`enable_mls',`
+ userdom_unpriv_user_template(secadm)
+ userdom_unpriv_user_template(auditadm)
- # Add/remove user home directories
- allow sysadm_t user_home_dir_t:dir manage_dir_perms;
- files_home_filetrans(sysadm_t,user_home_dir_t,dir)
+ userdom_role_change_template(staff,auditadm)
+ userdom_role_change_template(staff,secadm)
- corecmd_exec_shell(sysadm_t)
+ userdom_role_change_template(sysadm,secadm)
+ userdom_role_change_template(sysadm,auditadm)
- mls_process_read_up(sysadm_t)
+ userdom_role_change_template(auditadm,secadm)
+ userdom_role_change_template(auditadm,sysadm)
- init_exec(sysadm_t)
+ userdom_role_change_template(secadm,auditadm)
+ userdom_role_change_template(secadm,sysadm)
+')
- # Following for sending reboot and wall messages
- userdom_use_unpriv_users_ptys(sysadm_t)
- userdom_use_unpriv_users_ttys(sysadm_t)
+# this should be tunable_policy, but
+# currently type_change and RBAC allow
+# do not work in conditionals
+ifdef(`user_canbe_sysadm',`
+ userdom_role_change_template(user,sysadm)
+')
- ifdef(`direct_sysadm_daemon',`
- optional_policy(`
- init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
- ')
- ',`
- ifdef(`distro_gentoo',`
- optional_policy(`
- seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal)
- ')
- ')
- ')
+########################################
+#
+# Sysadm local policy
+#
- ifdef(`enable_mls',`
- allow auditadm_t self:capability { dac_read_search dac_override };
- seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
- domain_kill_all_domains(auditadm_t)
- seutil_read_bin_policy(auditadm_t)
- corecmd_exec_shell(auditadm_t)
- logging_send_syslog_msg(auditadm_t)
- logging_read_generic_logs(auditadm_t)
- logging_manage_audit_log(auditadm_t)
- logging_manage_audit_config(auditadm_t)
- logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
- logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
- userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
-
- allow secadm_t self:capability { dac_read_search dac_override };
- corecmd_exec_shell(secadm_t)
- domain_obj_id_change_exemption(secadm_t)
- mls_process_read_up(secadm_t)
- mls_file_read_up(secadm_t)
- mls_file_write_down(secadm_t)
- mls_file_upgrade(secadm_t)
- mls_file_downgrade(secadm_t)
- auth_relabel_all_files_except_shadow(secadm_t)
- dev_relabel_all_dev_nodes(secadm_t)
- auth_relabel_shadow(secadm_t)
- init_exec(secadm_t)
- logging_read_audit_log(secadm_t)
- logging_read_generic_logs(secadm_t)
- logging_read_audit_config(secadm_t)
- userdom_dontaudit_append_staff_home_content_files(secadm_t)
- userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+# for su
+allow sysadm_t userdomain:fd use;
- optional_policy(`
- aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
- ')
+# Add/remove user home directories
+allow sysadm_t user_home_dir_t:dir manage_dir_perms;
+files_home_filetrans(sysadm_t,user_home_dir_t,dir)
+corecmd_exec_shell(sysadm_t)
+
+mls_process_read_up(sysadm_t)
+
+init_exec(sysadm_t)
+
+kernel_sigstop_unlabeled(sysadm_t)
+kernel_signal_unlabeled(sysadm_t)
+kernel_kill_unlabeled(sysadm_t)
+kernel_read_unlabeled_state(sysadm_t)
+
+# Following for sending reboot and wall messages
+userdom_use_unpriv_users_ptys(sysadm_t)
+userdom_use_unpriv_users_ttys(sysadm_t)
+
+ifdef(`direct_sysadm_daemon',`
+ optional_policy(`
+ init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
+ ')
+',`
+ ifdef(`distro_gentoo',`
optional_policy(`
- netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
+ seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal)
')
- ',`
- logging_manage_audit_log(sysadm_t)
- logging_manage_audit_config(sysadm_t)
- logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
')
+')
- tunable_policy(`allow_ptrace',`
- domain_ptrace_all_domains(sysadm_t)
+ifdef(`enable_mls',`
+ allow auditadm_t self:capability { dac_read_search dac_override };
+ seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+ domain_kill_all_domains(auditadm_t)
+ seutil_read_bin_policy(auditadm_t)
+ corecmd_exec_shell(auditadm_t)
+ logging_send_syslog_msg(auditadm_t)
+ logging_read_generic_logs(auditadm_t)
+ logging_manage_audit_log(auditadm_t)
+ logging_manage_audit_config(auditadm_t)
+ logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
+ logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+ userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
+
+ allow secadm_t self:capability { dac_read_search dac_override };
+ corecmd_exec_shell(secadm_t)
+ domain_obj_id_change_exemption(secadm_t)
+ mls_process_read_up(secadm_t)
+ mls_file_read_up(secadm_t)
+ mls_file_write_down(secadm_t)
+ mls_file_upgrade(secadm_t)
+ mls_file_downgrade(secadm_t)
+ auth_relabel_all_files_except_shadow(secadm_t)
+ dev_relabel_all_dev_nodes(secadm_t)
+ auth_relabel_shadow(secadm_t)
+ init_exec(secadm_t)
+ logging_read_audit_log(secadm_t)
+ logging_read_generic_logs(secadm_t)
+ logging_read_audit_config(secadm_t)
+ userdom_dontaudit_append_staff_home_content_files(secadm_t)
+ userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+
+ optional_policy(`
+ aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
')
optional_policy(`
- amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
- ')
+ netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
+ ')
+',`
+ logging_manage_audit_log(sysadm_t)
+ logging_manage_audit_config(sysadm_t)
+ logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
- #apache_run_all_scripts(sysadm_t,sysadm_r)
- #apache_domtrans_sys_script(sysadm_t)
- ')
+tunable_policy(`allow_ptrace',`
+ domain_ptrace_all_domains(sysadm_t)
+')
- optional_policy(`
- tzdata_domtrans(sysadm_t)
- ')
+optional_policy(`
+ amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- raid_domtrans_mdadm(sysadm_t)
- ')
+optional_policy(`
+ amtu_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- # cjp: why is this not apm_run_client
- apm_domtrans_client(sysadm_t)
- ')
+optional_policy(`
+ apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
+ #apache_run_all_scripts(sysadm_t,sysadm_r)
+ #apache_domtrans_sys_script(sysadm_t)
+')
- optional_policy(`
- apt_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ tzdata_domtrans(sysadm_t)
+')
- optional_policy(`
- backup_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ raid_domtrans_mdadm(sysadm_t)
+')
- optional_policy(`
- bootloader_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ # cjp: why is this not apm_run_client
+ apm_domtrans_client(sysadm_t)
+')
- optional_policy(`
- bind_run_ndc(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ apt_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- bluetooth_run_helper(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ backup_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- consoletype_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ bootloader_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- clock_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ bind_run_ndc(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- clockspeed_run_cli(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ bluetooth_run_helper(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- certwatach_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ consoletype_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- cvs_exec(sysadm_t)
- ')
+optional_policy(`
+ clock_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- consoletype_exec(sysadm_t)
+optional_policy(`
+ clockspeed_run_cli(sysadm_t,sysadm_r,admin_terminal)
+')
- ifdef(`enable_mls',`
- consoletype_exec(auditadm_t)
- ')
- ')
+optional_policy(`
+ certwatach_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- cron_admin_template(sysadm,sysadm_t,sysadm_r)
- ')
+optional_policy(`
+ cvs_exec(sysadm_t)
+')
- optional_policy(`
- dcc_run_cdcc(sysadm_t,sysadm_r,admin_terminal)
- dcc_run_client(sysadm_t,sysadm_r,admin_terminal)
- dcc_run_dbclean(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ dcc_run_cdcc(sysadm_t,sysadm_r,admin_terminal)
+ dcc_run_client(sysadm_t,sysadm_r,admin_terminal)
+ dcc_run_dbclean(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- dmesg_exec(sysadm_t)
+optional_policy(`
+ dmesg_exec(sysadm_t)
- ifdef(`enable_mls',`
- dmesg_exec(auditadm_t)
- ')
+ ifdef(`enable_mls',`
+ dmesg_exec(auditadm_t)
')
+')
- optional_policy(`
- dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- dpkg_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ dpkg_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal)
- ethereal_admin_template(sysadm,sysadm_t,sysadm_r)
- ')
+optional_policy(`
+ ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
- ')
+optional_policy(`
+ firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
+')
- optional_policy(`
- fstools_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ fstools_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- hostname_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ hostname_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- # allow system administrator to use the ipsec script to look
- # at things (e.g., ipsec auto --status)
- # probably should create an ipsec_admin role for this kind of thing
- ipsec_exec_mgmt(sysadm_t)
- ipsec_stream_connect(sysadm_t)
- # for lsof
- ipsec_getattr_key_sockets(sysadm_t)
- ')
+optional_policy(`
+ # allow system administrator to use the ipsec script to look
+ # at things (e.g., ipsec auto --status)
+ # probably should create an ipsec_admin role for this kind of thing
+ ipsec_exec_mgmt(sysadm_t)
+ ipsec_stream_connect(sysadm_t)
+ # for lsof
+ ipsec_getattr_key_sockets(sysadm_t)
+')
- optional_policy(`
- iptables_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ iptables_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- lvm_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ lvm_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- logrotate_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ logrotate_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal)
- lpr_admin_template(sysadm,sysadm_t,sysadm_r)
- ')
+optional_policy(`
+ lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- kudzu_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ kudzu_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
- modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
- modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
+ modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
+ modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- mount_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ mount_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- mta_admin_template(sysadm,sysadm_t,sysadm_r)
- ')
+optional_policy(`
+ mysql_stream_connect(sysadm_t)
+')
- optional_policy(`
- mysql_stream_connect(sysadm_t)
- ')
+optional_policy(`
+ netlabel_run_mgmt(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- netutils_run(sysadm_t,sysadm_r,admin_terminal)
- netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
- netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ netutils_run(sysadm_t,sysadm_r,admin_terminal)
+ netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
+ netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- rpc_domtrans_nfsd(sysadm_t)
- ')
+optional_policy(`
+ rpc_domtrans_nfsd(sysadm_t)
+')
- optional_policy(`
- munin_stream_connect(sysadm_t)
- ')
+optional_policy(`
+ munin_stream_connect(sysadm_t)
+')
- optional_policy(`
- ntp_stub()
- corenet_udp_bind_ntp_port(sysadm_t)
- ')
+optional_policy(`
+ ntp_stub()
+ corenet_udp_bind_ntp_port(sysadm_t)
+')
- optional_policy(`
- oav_run_update(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ oav_run_update(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- portage_run(sysadm_t,sysadm_r,admin_terminal)
- portage_run_gcc_config(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ portage_run(sysadm_t,sysadm_r,admin_terminal)
+ portage_run_gcc_config(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- portmap_run_helper(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ portmap_run_helper(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- quota_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ quota_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- rpm_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ rpm_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- rsync_exec(sysadm_t)
- ')
+optional_policy(`
+ rsync_exec(sysadm_t)
+')
- optional_policy(`
- samba_run_net(sysadm_t,sysadm_r,admin_terminal)
- samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ samba_run_net(sysadm_t,sysadm_r,admin_terminal)
+ samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
- seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
+optional_policy(`
+ seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
+ seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
- ifdef(`enable_mls',`
- userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
- ', `
+ ifdef(`enable_mls',`
+ userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+# tunable_policy(`allow_sysadm_manage_security',`
userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
- ')
+# ')
+ ', `
+ userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
')
+')
- optional_policy(`
- sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
- sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
+ sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- tripwire_run_siggen(sysadm_t,sysadm_r,admin_terminal)
- tripwire_run_tripwire(sysadm_t,sysadm_r,admin_terminal)
- tripwire_run_twadmin(sysadm_t,sysadm_r,admin_terminal)
- tripwire_run_twprint(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ tripwire_run_siggen(sysadm_t,sysadm_r,admin_terminal)
+ tripwire_run_tripwire(sysadm_t,sysadm_r,admin_terminal)
+ tripwire_run_twadmin(sysadm_t,sysadm_r,admin_terminal)
+ tripwire_run_twprint(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- usbmodules_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ usbmodules_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
- usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
- usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
+ usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
+ usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- vpn_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ vpn_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- webalizer_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ webalizer_run(sysadm_t,sysadm_r,admin_terminal)
+')
- optional_policy(`
- yam_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ yam_run(sysadm_t,sysadm_r,admin_terminal)
')
ifdef(`targeted_policy',`
- # Define some type aliases to help with compatibility with
- # strict policy.
- unconfined_alias_domain(secadm_t)
- unconfined_alias_domain(auditadm_t)
- unconfined_alias_domain(sysadm_t)
-
- # User home directory type.
- type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type;
- files_type(user_home_t)
- files_associate_tmp(user_home_t)
- fs_associate_tmpfs(user_home_t)
-
- type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type, user_home_dir_type;
- files_type(user_home_dir_t)
- files_associate_tmp(user_home_dir_t)
- fs_associate_tmpfs(user_home_dir_t)
-
- # compatibility for switching from strict
-# dominance { role secadm_r { role system_r; }}
-# dominance { role auditadm_r { role system_r; }}
-# dominance { role sysadm_r { role system_r; }}
-# dominance { role user_r { role system_r; }}
-# dominance { role staff_r { role system_r; }}
-
# dont need to use the full role_change()
allow sysadm_r system_r;
allow sysadm_r user_r;
- allow user_r system_r;
- allow user_r sysadm_r;
allow system_r sysadm_r;
allow system_r sysadm_r;
- manage_dirs_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
- manage_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
- manage_lnk_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
- manage_sock_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
- manage_fifo_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
- filetrans_pattern(privhome,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file })
files_search_home(privhome)
ifdef(`enable_mls',`
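Review bot: In the `enable_mls` branch of the seutil `optional_policy` block, the tunable_policy wrapper for `allow_sysadm_manage_security` is commented out, but the `userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)` line inside it stays active. Under MLS, sysadm_t therefore receives the security-admin rules alongside secadm_t, where the removed code gave them to secadm_t only. Both `ifdef` branches now make the same sysadm call, which suggests the gate was meant to be live; either restore the wrapper or delete the sysadm line from the MLS branch until the tunable can be used. The secadm call in the same branch passes `{ secadm_tty_device_t sysadm_devpts_t }`, where the second type looks like it should be `secadm_devpts_t`; this was already present on the removed line. The unconditional `netlabel_run_mgmt(sysadm_t,sysadm_r,admin_terminal)` added further up has the same separation-of-duties effect and deserves the same check.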
@@ -545,7 +527,8 @@
allow staff_r auditadm_r;
')
- optional_policy(`
- samba_per_role_template(user)
- ')
+')
+
+tunable_policy(`allow_console_login', `
+ term_use_console(userdomain)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.6.5/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2007-01-02 12:57:49.000000000 -0500
+++ serefpolicy-2.6.5/policy/modules/system/xen.if 2007-05-22 14:41:13.000000000 -0400
@@ -72,12 +72,35 @@
')
logging_search_logs($1)
+ allow $1 xend_var_log_t:dir search_dir_perms;
allow $1 xend_var_log_t:file { getattr append };
dontaudit $1 xend_var_log_t:file write;
')
########################################
##
+## Allow the specified domain to manage
+## xend log files.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`xen_manage_log',`
+ gen_require(`
+ type var_log_t, xend_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 xend_var_log_t:dir create_dir_perms;
+ allow $1 xend_var_log_t:file create_file_perms;
+ dontaudit $1 xend_var_log_t:file write;
+')
+
+########################################
+##
## Do not audit attempts to read and write
## Xen unix domain stream sockets. These
## are leaked file descriptors.
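Review bot: `xen_manage_log` grants less than its name and summary promise, and it keeps `dontaudit $1 xend_var_log_t:file write;` from the append-only interface above, which would hide the denial if a caller's writes are refused. On directories it allows only `create_dir_perms`, which obj_perm_sets.spt in this same patch defines as `{ getattr create }`. Whether `create_file_perms` includes write is not visible here. Either rename the interface to match what it grants, or use `manage_dirs_pattern($1,xend_var_log_t,xend_var_log_t)` and `manage_files_pattern($1,xend_var_log_t,xend_var_log_t)` and drop the dontaudit line. `var_log_t` is listed in `gen_require` but never referenced in the body, and the parameter text "Domain allowed to transition." should read "Domain allowed access." here and in `xen_read_image_files` in the next hunk.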
@@ -151,3 +174,25 @@
domtrans_pattern($1,xm_exec_t,xm_t)
')
+
+########################################
+##
+## Allow the specified domain to read
+## xend image files.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`xen_read_image_files',`
+ gen_require(`
+ type xen_image_t, xend_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ allow $1 xend_var_lib_t:dir search_dir_perms;
+ read_files_pattern($1,xen_image_t,xen_image_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.6.5/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2007-04-23 09:36:02.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/xen.te 2007-05-22 14:41:13.000000000 -0400
@@ -25,6 +25,10 @@
domain_type(xend_t)
init_daemon_domain(xend_t, xend_exec_t)
+# tmp files
+type xend_tmp_t;
+files_tmp_file(xend_tmp_t)
+
# var/lib files
type xend_var_lib_t;
files_type(xend_var_lib_t)
@@ -88,6 +92,7 @@
allow xend_t xen_image_t:dir list_dir_perms;
manage_dirs_pattern(xend_t,xen_image_t,xen_image_t)
manage_files_pattern(xend_t,xen_image_t,xen_image_t)
+read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t)
rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
allow xend_t xenctl_t:fifo_file manage_file_perms;
@@ -97,7 +102,8 @@
allow xend_t xend_var_run_t:dir setattr;
manage_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
manage_sock_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
-files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })
+manage_fifo_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
+files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file fifo_file })
# log files
allow xend_t xend_var_log_t:dir setattr;
@@ -105,6 +111,10 @@
manage_sock_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
+manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)
+manage_dirs_pattern(xend_t,xend_tmp_t,xend_tmp_t)
+files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
+
# var/lib files for xend
manage_dirs_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
manage_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
@@ -165,8 +175,13 @@
files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t,file)
files_read_usr_files(xend_t)
+files_read_default_symlinks(xend_t)
+
+#tunable_policy(`xen_use_raw_disk',`
+ storage_raw_read_fixed_disk(xend_t)
+ storage_raw_write_fixed_disk(xend_t)
+#')
-storage_raw_read_fixed_disk(xend_t)
storage_raw_read_removable_device(xend_t)
term_getattr_all_user_ptys(xend_t)
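Review bot: The `xen_use_raw_disk` wrapper is commented out on both its opening and closing lines, so `storage_raw_write_fixed_disk(xend_t)` is granted unconditionally, where the old side gave xend_t only raw read. Raw write to fixed disks sidesteps per-file labelling on those devices, so it should be opt-in: declare the boolean with `gen_tunable(xen_use_raw_disk,false)` and uncomment the wrapper. If the storage interfaces cannot be used inside a conditional (they may assign attributes, which is not visible here), replace the dead wrapper with a comment saying so. The same commented-out wrapper appears in the later hunks for xenstored_t (`@@ -284,6 +303,12 @@`, read and write) and xm_t (`@@ -317,6 +342,11 @@`, read only).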
@@ -195,6 +210,10 @@
xen_stream_connect_xenstore(xend_t)
+lvm_domtrans(xend_t)
+
+mount_domtrans(xend_t)
+
netutils_domtrans(xend_t)
optional_policy(`
@@ -284,6 +303,12 @@
files_read_usr_files(xenstored_t)
+#tunable_policy(`xen_use_raw_disk',`
+ storage_raw_read_fixed_disk(xenstored_t)
+ storage_raw_write_fixed_disk(xenstored_t)
+#')
+storage_raw_read_removable_device(xenstored_t)
+
term_use_generic_ptys(xenstored_t)
term_use_console(xenconsoled_t)
@@ -317,6 +342,11 @@
allow xm_t xen_image_t:dir rw_dir_perms;
allow xm_t xen_image_t:file read_file_perms;
+allow xm_t xen_image_t:blk_file r_file_perms;
+
+#tunable_policy(`xen_use_raw_disk',`
+ storage_raw_read_fixed_disk(xm_t)
+#')
kernel_read_system_state(xm_t)
kernel_read_kernel_sysctls(xm_t)
@@ -352,3 +382,11 @@
xen_append_log(xm_t)
xen_stream_connect(xm_t)
xen_stream_connect_xenstore(xm_t)
+
+#Should have a boolean wrapping these
+fs_list_auto_mountpoints(xend_t)
+files_search_mnt(xend_t)
+fs_write_nfs_files(xend_t)
+fs_read_nfs_files(xend_t)
+fs_getattr_all_fs(xend_t)
+fs_read_dos_files(xend_t)
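Review bot: These six filesystem rules for xend_t are unconditional even though the added comment itself says they should be wrapped in a boolean. `fs_write_nfs_files(xend_t)` is the one that matters most, since it presumably lets the daemon write to files on any NFS mount regardless of whether guest images live there. Declare a boolean (the name is only a suggestion), `gen_tunable(xen_use_nfs,false)`, and put the NFS-related calls inside a `tunable_policy` block keyed on it. `fs_read_dos_files(xend_t)` looks unrelated to NFS and deserves its own one-line comment giving the reason for it.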
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.6.5/policy/rolemap
--- nsaserefpolicy/policy/rolemap 2006-11-16 17:15:26.000000000 -0500
+++ serefpolicy-2.6.5/policy/rolemap 2007-05-24 15:51:16.000000000 -0400
@@ -8,13 +8,11 @@
# syntax: role prefix user_domain
#
-ifdef(`strict_policy',`
- user_r user user_t
- staff_r staff staff_t
- sysadm_r sysadm sysadm_t
+user_r user user_t
+staff_r staff staff_t
+sysadm_r sysadm sysadm_t
- ifdef(`enable_mls',`
- secadm_r secadm secadm_t
- auditadm_r auditadm auditadm_t
- ')
+ifdef(`enable_mls',`
+ secadm_r secadm secadm_t
+ auditadm_r auditadm auditadm_t
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-2.6.5/policy/support/misc_patterns.spt
--- nsaserefpolicy/policy/support/misc_patterns.spt 2007-01-02 12:57:51.000000000 -0500
+++ serefpolicy-2.6.5/policy/support/misc_patterns.spt 2007-05-22 14:41:13.000000000 -0400
@@ -41,11 +41,6 @@
#
# Other process permissions
#
-define(`send_audit_msgs_pattern',`
- allow $1 self:capability audit_write;
- allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-')
-
define(`ps_process_pattern',`
allow $1 $2:dir { search getattr read };
allow $1 $2:{ file lnk_file } { read getattr };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-2.6.5/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-05-04 12:19:23.000000000 -0400
+++ serefpolicy-2.6.5/policy/support/obj_perm_sets.spt 2007-05-22 14:41:13.000000000 -0400
@@ -203,7 +203,6 @@
define(`add_entry_dir_perms',`{ getattr search lock ioctl write add_name }')
define(`del_entry_dir_perms',`{ getattr search lock ioctl write remove_name }')
define(`create_dir_perms',`{ getattr create }')
-define(`rename_dir_perms',`{ getattr rename }')
define(`delete_dir_perms',`{ getattr rmdir }')
define(`manage_dir_perms',`{ create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }')
define(`relabelfrom_dir_perms',`{ getattr relabelfrom }')
@@ -216,7 +215,7 @@
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
define(`read_file_perms',`{ getattr read lock ioctl }')
-define(`mmap_file_perms',`{ getattr read execute }')
+define(`mmap_file_perms',`{ getattr read execute ioctl }')
define(`exec_file_perms',`{ getattr read execute execute_no_trans }')
define(`append_file_perms',`{ getattr append lock ioctl }')
define(`write_file_perms',`{ getattr write append lock ioctl }')
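Review bot: Adding `ioctl` to `mmap_file_perms` widens every rule in the policy that expands this set, and the hunk gives no reason for it. A one-line comment above the define, such as `# ioctl included because <reason to be filled in by the author>`, would let a later reader judge whether the permission is still needed. If only one or two domains need ioctl on mapped files, granting it in those modules would keep the shared set minimal.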
@@ -325,3 +324,13 @@
#
define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
+
+define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control }
+')
+
+define(`all_nscd', `{ getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } ')
+define(`all_dbus', `{ acquire_svc send_msg } ')
+define(`all_passwd', `{ passwd chfn chsh rootok crontab } ')
+define(`all_association', `{ sendto recvfrom setcontext polmatch } ')
+
+
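Review bot: The five `all_*` sets are added without the `#` header comment used by the other sections of this file and without the `_perms` suffix that every other set visible here carries. As a result, a rule written with `all_capabilities` does not read as granting `sys_module`, `sys_rawio`, `sys_admin`, `sys_ptrace` and the rest of the list. Suggest names in the existing style (for example `all_capability_perms`) and a header such as `# Complete permission sets; intended only for unconfined domains`. Callers are outside this hunk, so the intended scope is an assumption. The closing quote of `all_capabilities` sits on its own line, so that macro expands with a trailing newline, unlike the four below it. The lists are hard-coded copies of the class definitions and will drift when permissions are added.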
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.6.5/policy/users
--- nsaserefpolicy/policy/users 2006-11-16 17:15:26.000000000 -0500
+++ serefpolicy-2.6.5/policy/users 2007-05-24 15:42:41.000000000 -0400
@@ -25,13 +25,9 @@
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
-ifdef(`targeted_policy',`
-gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-',`
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-')
#
# The following users correspond to Unix identities.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.6.5/Rules.modular
--- nsaserefpolicy/Rules.modular 2007-03-22 14:30:10.000000000 -0400
+++ serefpolicy-2.6.5/Rules.modular 2007-05-22 14:41:13.000000000 -0400
@@ -167,7 +167,7 @@
# these have to run individually because order matters:
$(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
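Review bot: Dropping the `^` anchor makes this grep copy every line that merely contains `genfscon` into all_post.conf, including comments, while the neighbouring `^portcon`, `^netifcon` and `^nodecon` lines stay anchored. A stray match ends up in the section where, per the comment above, order matters. If the intent is to catch indented genfscon statements, anchor on optional leading whitespace instead: `$(verbose) $(GREP) '^[[:space:]]*genfscon' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true`. The recipe this line belongs to starts outside the hunk.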
@@ -219,6 +219,16 @@
########################################
#
+# Validate File Contexts
+#
+validatefc: $(base_pkg) $(base_fc)
+ @echo "Validating file context."
+ $(verbose) $(SEMOD_EXP) $(base_pkg) $(tmpdir)/policy.tmp
+ $(verbose) $(SETFILES) -c $(tmpdir)/policy.tmp $(base_fc)
+ @echo "Success."
+
+########################################
+#
# Clean the sources
#
clean: