##
-## Run gconfd in the role-specfic gconfd domain.
+## Run gconfd in the role-specific gconfd domain.
##
##
## This is a templated interface, and should only
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.2/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2007-07-03 07:05:43.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/apps/java.if 2007-07-16 11:47:57.000000000 -0400
@@ -32,7 +32,7 @@
##
##
#
-template(`java_per_role_template',`
+template(`java_plugin_per_role_template',`
gen_require(`
type java_exec_t;
')
@@ -82,8 +82,7 @@
can_exec($1_javaplugin_t, java_exec_t)
- # The user role is authorized for this domain.
- domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
+ domain_auto_trans($2, java_exec_t, $1_javaplugin_t)
allow $1_javaplugin_t $2:fd use;
# Unrestricted inheritance from the caller.
allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
@@ -168,6 +167,51 @@
optional_policy(`
xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
')
+
+')
+
+#######################################
+##
+## The per role template for the java module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for java applications.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+template(`java_per_role_template',`
+ gen_require(`
+ type java_exec_t;
+ attribute $1_usertype;
+ ')
+
+ type $1_java_t;
+ domain_type($1_java_t)
+ domain_entry_file($1_java_t,java_exec_t)
+ role $3 types $1_java_t;
+
+ typeattribute $1_java_t $1_usertype;
+ allow $1_java_t self:process { execheap execmem };
+
+ domtrans_pattern($2, java_exec_t, $1_java_t)
')
########################################
@@ -221,3 +265,66 @@
corecmd_search_bin($1)
domtrans_pattern($1, java_exec_t, java_t)
')
+
+########################################
+##
+## Execute a java in the specified domain
+##
+##
+##
+## Execute the java command in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the new process.
+##
+##
+#
+interface(`java_spec_domtrans',`
+ gen_require(`
+ type java_exec_t;
+ ')
+
+ domain_trans($1,java_exec_t,$2)
+ type_transition $1 java_exec_t:process $2;
+')
+
+########################################
+##
+## Execute java in the java domain, and
+## allow the specified role the java domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+##
+## The role to be allowed the java domain.
+##
+##
+##
+##
+## The type of the terminal allow the java domain to use.
+##
+##
+#
+interface(`java_run',`
+ gen_require(`
+ type java_t;
+ ')
+
+ java_domtrans($1)
+ role $2 types java_t;
+ allow java_t $3:chr_file rw_term_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.0.2/policy/modules/apps/loadkeys.te
--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/apps/loadkeys.te 2007-07-13 08:07:53.000000000 -0400
@@ -40,3 +40,8 @@
locallogin_use_fds(loadkeys_t)
miscfiles_read_localization(loadkeys_t)
+
+optional_policy(`
+ nscd_dontaudit_search_pid(loadkeys_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.2/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/apps/mono.if 2007-07-16 11:48:24.000000000 -0400
@@ -18,3 +18,96 @@
corecmd_search_bin($1)
domtrans_pattern($1, mono_exec_t, mono_t)
')
+
+########################################
+##
+## Read and write to mono shared memory.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`mono_rw_shm',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ allow $1 mono_t:shm rw_shm_perms;
+')
+
+########################################
+##
+## Execute mono in the mono domain, and
+## allow the specified role the mono domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+##
+## The role to be allowed the mono domain.
+##
+##
+##
+##
+## The type of the terminal allow the mono domain to use.
+##
+##
+#
+interface(`mono_run',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ mono_domtrans($1)
+ role $2 types mono_t;
+ allow mono_t $3:chr_file rw_term_perms;
+')
+
+#######################################
+##
+## The per role template for the mono module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for mono applications.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+template(`mono_per_role_template',`
+ gen_require(`
+ type mono_exec_t;
+ attribute $1_usertype;
+ ')
+
+ type $1_mono_t;
+ domain_type($1_mono_t)
+ domain_entry_file($1_mono_t,mono_exec_t)
+ role $3 types $1_mono_t;
+
+ typeattribute $1_mono_t $1_usertype;
+ allow $1_mono_t self:process { execheap execmem };
+
+ domtrans_pattern($2, mono_exec_t, $1_mono_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.2/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-07-03 07:05:43.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/apps/mozilla.if 2007-07-13 10:00:16.000000000 -0400
@@ -36,6 +36,8 @@
gen_require(`
type mozilla_conf_t, mozilla_exec_t;
')
+ gen_tunable(browser_confine_$1,false)
+ gen_tunable(browser_write_$1_data,false)
########################################
#
@@ -53,6 +55,14 @@
type $1_mozilla_tmpfs_t;
files_tmpfs_file($1_mozilla_tmpfs_t)
+ type $1_mozilla_tmp_t;
+ files_tmp_file($1_mozilla_tmp_t)
+
+ ########################################
+ #
+ # Local booleans
+ #
+
########################################
#
# Local policy
@@ -97,15 +107,33 @@
relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
- manage_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
- manage_lnk_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
- manage_fifo_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
- manage_sock_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
- fs_tmpfs_filetrans($1_mozilla_t,$1_mozilla_tmpfs_t,{ file lnk_file sock_file fifo_file })
-
allow $1_mozilla_t $2:process signull;
- domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
+ tunable_policy(`browser_confine_$1',`
+ domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
+ ',`
+ can_exec($2, mozilla_exec_t)
+ ')
+
+ userdom_read_user_home_content_files($1,$1_mozilla_t)
+ userdom_read_user_home_content_symlinks($1,$1_mozilla_t)
+ userdom_read_user_tmp_files($1,$1_mozilla_t)
+ userdom_manage_user_tmp_dirs($1,$1_mozilla_t)
+ userdom_manage_user_tmp_files($1,$1_mozilla_t)
+ userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
+ userdom_tmp_filetrans_user_tmp($1,$1_mozilla_t, { file dir sock_file })
+
+ ifdef(`enable_mls',`',`
+ fs_search_removable($1_mozilla_t)
+ fs_read_removable_files($1_mozilla_t)
+ fs_read_removable_symlinks($1_mozilla_t)
+ ')
+
+ tunable_policy(`browser_write_$1_data',`
+ userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
+ userdom_manage_user_home_content_files($1,$1_mozilla_t)
+ userdom_read_user_home_content_symlinks($1,$1_mozilla_t)
+ ')
# Unrestricted inheritance from the caller.
allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
@@ -171,6 +199,8 @@
fs_list_inotifyfs($1_mozilla_t)
fs_rw_tmpfs_files($1_mozilla_t)
+ selinux_dontaudit_getattr_fs($1_mozilla_t)
+
term_dontaudit_getattr_pty_dirs($1_mozilla_t)
libs_use_ld_so($1_mozilla_t)
@@ -186,12 +216,9 @@
sysnet_dns_name_resolve($1_mozilla_t)
sysnet_read_config($1_mozilla_t)
- userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
- userdom_manage_user_home_content_files($1,$1_mozilla_t)
- userdom_manage_user_home_content_symlinks($1,$1_mozilla_t)
- userdom_manage_user_tmp_dirs($1,$1_mozilla_t)
- userdom_manage_user_tmp_files($1,$1_mozilla_t)
- userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
+ userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
+ userdom_dontaudit_use_user_terminals($1,$1_mozilla_t)
+ userdom_user_home_dir_filetrans($1,$1_mozilla_t, $1_mozilla_home_t,dir)
xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
@@ -213,133 +240,6 @@
fs_manage_cifs_symlinks($1_mozilla_t)
')
- # Uploads, local html
- tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
- fs_list_auto_mountpoints($1_mozilla_t)
- files_list_home($1_mozilla_t)
- fs_read_nfs_files($1_mozilla_t)
- fs_read_nfs_symlinks($1_mozilla_t)
-
- ',`
- files_dontaudit_list_home($1_mozilla_t)
- fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
- fs_dontaudit_read_nfs_files($1_mozilla_t)
- fs_dontaudit_list_nfs($1_mozilla_t)
- ')
-
- tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
- fs_list_auto_mountpoints($1_mozilla_t)
- files_list_home($1_mozilla_t)
- fs_read_cifs_files($1_mozilla_t)
- fs_read_cifs_symlinks($1_mozilla_t)
- ',`
- files_dontaudit_list_home($1_mozilla_t)
- fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
- fs_dontaudit_read_cifs_files($1_mozilla_t)
- fs_dontaudit_list_cifs($1_mozilla_t)
- ')
-
- tunable_policy(`mozilla_read_content',`
- userdom_list_user_tmp($1,$1_mozilla_t)
- userdom_read_user_tmp_files($1,$1_mozilla_t)
- userdom_read_user_tmp_symlinks($1,$1_mozilla_t)
- userdom_search_user_home_dirs($1,$1_mozilla_t)
- userdom_read_user_home_content_files($1,$1_mozilla_t)
- userdom_read_user_home_content_symlinks($1,$1_mozilla_t)
-
- ifdef(`enable_mls',`',`
- fs_search_removable($1_mozilla_t)
- fs_read_removable_files($1_mozilla_t)
- fs_read_removable_symlinks($1_mozilla_t)
- ')
- ',`
- files_dontaudit_list_tmp($1_mozilla_t)
- files_dontaudit_list_home($1_mozilla_t)
- fs_dontaudit_list_removable($1_mozilla_t)
- fs_dontaudit_read_removable_files($1_mozilla_t)
- userdom_dontaudit_list_user_tmp($1,$1_mozilla_t)
- userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
- userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
- userdom_dontaudit_read_user_home_content_files($1,$1_mozilla_t)
- ')
-
- tunable_policy(`mozilla_read_content && read_default_t',`
- files_list_default($1_mozilla_t)
- files_read_default_files($1_mozilla_t)
- files_read_default_symlinks($1_mozilla_t)
- ',`
- files_dontaudit_read_default_files($1_mozilla_t)
- files_dontaudit_list_default($1_mozilla_t)
- ')
-
- tunable_policy(`mozilla_read_content && read_untrusted_content',`
- files_list_tmp($1_mozilla_t)
- files_list_home($1_mozilla_t)
- userdom_search_user_home_dirs($1,$1_mozilla_t)
-
- userdom_list_user_untrusted_content($1,$1_mozilla_t)
- userdom_read_user_untrusted_content_files($1,$1_mozilla_t)
- userdom_read_user_untrusted_content_symlinks($1,$1_mozilla_t)
- userdom_list_user_tmp_untrusted_content($1,$1_mozilla_t)
- userdom_read_user_tmp_untrusted_content_files($1,$1_mozilla_t)
- userdom_read_user_tmp_untrusted_content_symlinks($1,$1_mozilla_t)
- ',`
- files_dontaudit_list_tmp($1_mozilla_t)
- files_dontaudit_list_home($1_mozilla_t)
- userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
- userdom_dontaudit_list_user_untrusted_content($1,$1_mozilla_t)
- userdom_dontaudit_read_user_untrusted_content_files($1,$1_mozilla_t)
- userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_mozilla_t)
- userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mozilla_t)
- ')
-
- # Save web pages
- tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
- files_search_home($1_mozilla_t)
-
- fs_search_auto_mountpoints($1_mozilla_t)
- fs_manage_nfs_dirs($1_mozilla_t)
- fs_manage_nfs_files($1_mozilla_t)
- fs_manage_nfs_symlinks($1_mozilla_t)
- ',`
- fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
- fs_dontaudit_manage_nfs_dirs($1_mozilla_t)
- fs_dontaudit_manage_nfs_files($1_mozilla_t)
- ')
-
- tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
- files_search_home($1_mozilla_t)
-
- fs_search_auto_mountpoints($1_mozilla_t)
- fs_manage_cifs_dirs($1_mozilla_t)
- fs_manage_cifs_files($1_mozilla_t)
- fs_manage_cifs_symlinks($1_mozilla_t)
- ',`
- fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
- fs_dontaudit_manage_cifs_dirs($1_mozilla_t)
- fs_dontaudit_manage_cifs_files($1_mozilla_t)
- ')
-
- tunable_policy(`write_untrusted_content',`
- files_search_home($1_mozilla_t)
- userdom_manage_user_untrusted_content_tmp_files($1, $1_mozilla_t)
- files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,file)
- files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,dir)
-
- userdom_manage_user_untrusted_content_files($1,$1_mozilla_t)
- userdom_user_home_dir_filetrans($1,$1_mozilla_t,$1_untrusted_content_tmp_t, { file dir })
- userdom_user_home_content_filetrans($1,$1_mozilla_t,$1_untrusted_content_tmp_t, { file dir })
- ',`
- files_dontaudit_list_home($1_mozilla_t)
- files_dontaudit_list_tmp($1_mozilla_t)
-
- userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
- userdom_dontaudit_manage_user_tmp_dirs($1,$1_mozilla_t)
- userdom_dontaudit_manage_user_tmp_files($1,$1_mozilla_t)
- userdom_dontaudit_manage_user_home_content_dirs($1,$1_mozilla_t)
-
- ')
-
optional_policy(`
apache_read_user_scripts($1,$1_mozilla_t)
apache_read_user_content($1,$1_mozilla_t)
@@ -352,21 +252,23 @@
optional_policy(`
cups_read_rw_config($1_mozilla_t)
cups_dbus_chat($1_mozilla_t)
+ cups_stream_connect($1_mozilla_t)
')
optional_policy(`
- dbus_system_bus_client_template($1_mozilla,$1_mozilla_t)
+# dbus_system_bus_client_template($1_mozilla,$1_mozilla_t)
dbus_send_system_bus($1_mozilla_t)
- dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
- dbus_send_user_bus($1,$1_mozilla_t)
+# dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
+# dbus_send_user_bus($1,$1_mozilla_t)
')
optional_policy(`
gnome_stream_connect_gconf_template($1,$1_mozilla_t)
+ gnome_domtrans_user_gconf($1,$1_mozilla_t)
')
optional_policy(`
- java_domtrans_user_javaplugin($1, $1_mozilla_t)
+ java_plugin_per_role_template($1, $1_mozilla_t, $1_r)
')
optional_policy(`
@@ -386,25 +288,6 @@
thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
')
- ifdef(`TODO',`
- #NOTE commented out in strict.
- ######### Launch email client, and make webcal links work
- #ifdef(`evolution.te', `
- #domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
- #domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
- #')
-
- # Macros for mozilla/mozilla (or other browser) domains.
- # FIXME: Rules were removed to centralize policy in a gnome_app macro
- # A similar thing might be necessary for mozilla compiled without GNOME
- # support (is this possible?).
-
- # GNOME integration
- optional_policy(`
- gnome_application($1_mozilla, $1)
- gnome_file_dialog($1_mozilla, $1)
- ')
- ')
')
########################################
@@ -577,3 +460,27 @@
allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
')
+
+########################################
+##
+## mozilla connection template.
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+template(`mozilla_stream_connect_template',`
+ gen_require(`
+ type $1_mozilla_t;
+ ')
+
+ allow $2 $1_mozilla_t:unix_stream_socket connectto;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.0.2/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2007-07-03 07:05:43.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/apps/mozilla.te 2007-07-13 08:07:53.000000000 -0400
@@ -6,13 +6,6 @@
# Declarations
#
-##
-##
-## Control mozilla content access
-##
-##
-gen_tunable(mozilla_read_content,false)
-
type mozilla_conf_t;
files_config_file(mozilla_conf_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.0.2/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2007-06-15 14:54:31.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/apps/slocate.te 2007-07-13 08:07:53.000000000 -0400
@@ -29,6 +29,8 @@
manage_dirs_pattern(locate_t,locate_var_lib_t,locate_var_lib_t)
manage_files_pattern(locate_t,locate_var_lib_t,locate_var_lib_t)
+auth_use_nsswitch(locate_t)
+
kernel_read_system_state(locate_t)
kernel_dontaudit_search_sysctl(locate_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.0.2/policy/modules/apps/userhelper.if
--- nsaserefpolicy/policy/modules/apps/userhelper.if 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/apps/userhelper.if 2007-07-13 08:07:53.000000000 -0400
@@ -131,6 +131,7 @@
term_use_all_user_ptys($1_userhelper_t)
auth_domtrans_chk_passwd($1_userhelper_t)
+ auth_domtrans_upd_passwd($1_userhelper_t)
auth_manage_pam_pid($1_userhelper_t)
auth_manage_var_auth($1_userhelper_t)
auth_search_pam_console_data($1_userhelper_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.0.2/policy/modules/apps/vmware.fc
--- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-07-03 07:05:43.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/apps/vmware.fc 2007-07-13 08:07:53.000000000 -0400
@@ -23,6 +23,7 @@
/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.0.2/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2007-07-03 07:05:43.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/apps/vmware.te 2007-07-13 08:07:53.000000000 -0400
@@ -29,7 +29,7 @@
allow vmware_host_t self:capability { setuid net_raw };
dontaudit vmware_host_t self:capability sys_tty_config;
-allow vmware_host_t self:process signal_perms;
+allow vmware_host_t self:process { execstack execmem signal_perms };
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
allow vmware_host_t self:rawip_socket create_socket_perms;
@@ -56,6 +56,8 @@
corenet_tcp_sendrecv_all_ports(vmware_host_t)
corenet_udp_sendrecv_all_ports(vmware_host_t)
corenet_raw_bind_all_nodes(vmware_host_t)
+corenet_tcp_bind_all_nodes(vmware_host_t)
+corenet_udp_bind_all_nodes(vmware_host_t)
corenet_tcp_connect_all_ports(vmware_host_t)
corenet_sendrecv_all_client_packets(vmware_host_t)
corenet_sendrecv_all_server_packets(vmware_host_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.0.2/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/apps/wine.if 2007-07-13 08:07:53.000000000 -0400
@@ -18,3 +18,34 @@
corecmd_search_bin($1)
domtrans_pattern($1, wine_exec_t, wine_t)
')
+
+########################################
+##
+## Execute wine in the wine domain, and
+## allow the specified role the wine domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+##
+## The role to be allowed the wine domain.
+##
+##
+##
+##
+## The type of the terminal allow the wine domain to use.
+##
+##
+#
+interface(`wine_run',`
+ gen_require(`
+ type wine_t;
+ ')
+
+ wine_domtrans($1)
+ role $2 types wine_t;
+ allow wine_t $3:chr_file rw_term_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.2/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-07-03 07:05:38.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/kernel/corecommands.fc 2007-07-13 08:07:53.000000000 -0400
@@ -36,6 +36,11 @@
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.daily/.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.hourly/.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0)
+
/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
@@ -217,6 +222,7 @@
/usr/share/system-config-network/neat-control\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-nfs/nfs-export\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-nfs/system-config-nfs\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-printer/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.2/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-07-03 07:05:38.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/kernel/corenetwork.te.in 2007-07-13 08:07:53.000000000 -0400
@@ -55,6 +55,11 @@
type reserved_port_t, port_type, reserved_port_type;
#
+# hi_reserved_port_t is the type of INET port numbers between 600-1023.
+#
+type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+
+#
# server_packet_t is the default type of IPv4 and IPv6 server packets.
#
type server_packet_t, packet_type, server_packet_type;
@@ -93,10 +98,10 @@
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
network_port(howl, tcp,5335,s0, udp,5353,s0)
-network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
+network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
-network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
network_port(innd, tcp,119,s0)
network_port(ipp, tcp,631,s0, udp,631,s0)
network_port(ircd, tcp,6667,s0)
@@ -108,12 +113,13 @@
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
-network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
+network_port(ldap, tcp,3268,s0, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
network_port(lmtp, tcp,24,s0, udp,24,s0)
network_port(mail, tcp,2000,s0)
network_port(monopd, tcp,1234,s0)
-network_port(mysqld, tcp,3306,s0)
+network_port(mysqld, tcp,3306,s0, tcp,1186,s0)
+portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
network_port(nessus, tcp,1241,s0)
network_port(netsupport, tcp,5405,s0, udp,5405,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
@@ -161,12 +167,15 @@
network_port(uucpd, tcp,540,s0)
network_port(vnc, tcp,5900,s0)
network_port(xen, tcp,8002,s0)
-network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
+network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0, tcp,6020,s0)
network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
+
+portcon tcp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon udp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.2/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-06-15 14:54:30.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/kernel/devices.fc 2007-07-13 08:07:53.000000000 -0400
@@ -53,7 +53,7 @@
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-/dev/(misc/)?rtc -c gen_context(system_u:object_r:clock_device_t,s0)
+/dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0)
@@ -65,6 +65,7 @@
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
@@ -127,3 +128,7 @@
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
')
+
+/etc/udev/devices -d gen_context(system_u:object_r:device_t,s0)
+/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.2/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-06-15 14:54:30.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/kernel/devices.if 2007-07-13 08:07:53.000000000 -0400
@@ -2803,6 +2803,24 @@
########################################
##
+## Get the attributes of a directory in the usb filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_search_usbfs_dirs',`
+ gen_require(`
+ type usbfs_t;
+ ')
+
+ allow $1 usbfs_t:dir search_dir_perms;
+')
+
+########################################
+##
## Do not audit attempts to get the attributes
## of a directory in the usb filesystem.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.2/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2007-06-19 16:23:34.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/kernel/domain.if 2007-07-13 08:07:53.000000000 -0400
@@ -45,6 +45,11 @@
# start with basic domain
domain_base_type($1)
+ optional_policy(`
+ unconfined_use_fds($1)
+ unconfined_sigchld($1)
+ ')
+
# send init a sigchld and signull
optional_policy(`
init_sigchld($1)
@@ -59,6 +64,7 @@
')
optional_policy(`
+ selinux_dontaudit_getattr_fs($1)
selinux_dontaudit_read_fs($1)
')
@@ -1271,3 +1277,20 @@
typeattribute $1 mmap_low_domain_type;
')
+########################################
+##
+## Allow specified type to associate ipsec packets from any domain
+##
+##
+##
+## Type of subject to be allowed this.
+##
+##
+#
+interface(`domain_ipsec_labels',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:association { sendto recvfrom };
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.2/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-06-19 16:23:34.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/kernel/domain.te 2007-07-13 08:07:53.000000000 -0400
@@ -6,6 +6,29 @@
# Declarations
#
+ifdef(`enable_mls',`
+##
+##
+## Allow all domains to use netlabel labeled packets
+##
+##
+gen_tunable(allow_netlabel,true)
+
+##
+##
+## Allow all domains to use ipsec labeled packets
+##
+##
+gen_tunable(allow_ipsec_label,true)
+')
+
+##
+##
+## Allow unlabeled packets to work on system
+##
+##
+gen_tunable(allow_unlabeled_packets,true)
+
# Mark process types as domains
attribute domain;
@@ -134,3 +157,25 @@
# act on all domains keys
allow unconfined_domain_type domain:key *;
+
+# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
+optional_policy(`
+ xserver_dontaudit_use_xdm_fds(domain)
+ xserver_dontaudit_rw_xdm_pipes(domain)
+')
+
+tunable_policy(`allow_unlabeled_packets',`
+ kernel_sendrecv_unlabeled_association(domain)
+ corenet_sendrecv_unlabeled_packets(domain)
+')
+
+ifdef(`enable_mls',`
+ tunable_policy(`allow_netlabel',`
+ kernel_raw_recvfrom_unlabeled(domain)
+ kernel_tcp_recvfrom_unlabeled(domain)
+ kernel_udp_recvfrom_unlabeled(domain)
+ ')
+ tunable_policy(`allow_ipsec_label',`
+ ipsec_labeled(domain)
+ ')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.2/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-07-03 07:05:38.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/kernel/files.if 2007-07-13 08:07:53.000000000 -0400
@@ -343,8 +343,7 @@
########################################
##
-## Mount a filesystem on all non-security
-## directories and files.
+## Mount a filesystem on all non-security directories.
##
##
##
@@ -352,12 +351,29 @@
##
##
#
-interface(`files_mounton_non_security',`
+interface(`files_mounton_non_security_dir',`
gen_require(`
attribute file_type, security_file_type;
')
allow $1 { file_type -security_file_type }:dir mounton;
+')
+
+########################################
+##
+## Mount a filesystem on all non-security and files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_mounton_non_security_files',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
allow $1 { file_type -security_file_type }:file mounton;
')
@@ -376,7 +392,7 @@
attribute file_type, security_file_type;
')
- allow $1 { file_type -security_file_type }:dir write;
+ allow $1 { file_type -security_file_type }:dir rw_dir_perms;
')
########################################
@@ -3323,6 +3339,24 @@
########################################
##
+## Create, read, write, and delete files in the /usr directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ manage_files_pattern($1, usr_t, usr_t)
+')
+
+########################################
+##
## Get the attributes of files in /usr.
##
##
@@ -3381,7 +3415,7 @@
########################################
##
-## Create, read, write, and delete files in the /usr directory.
+## Relabel a file to the type used in /usr.
##
##
##
@@ -3389,17 +3423,17 @@
##
##
#
-interface(`files_manage_usr_files',`
+interface(`files_relabelto_usr_files',`
gen_require(`
type usr_t;
')
- manage_files_pattern($1, usr_t, usr_t)
+ relabelto_files_pattern($1,usr_t,usr_t)
')
########################################
##
-## Relabel a file to the type used in /usr.
+## Relabel a file from the type used in /usr.
##
##
##
@@ -3407,12 +3441,12 @@
##
##
#
-interface(`files_relabelto_usr_files',`
+interface(`files_relabelfrom_usr_files',`
gen_require(`
type usr_t;
')
- relabelto_files_pattern($1,usr_t,usr_t)
+ relabelfrom_files_pattern($1,usr_t,usr_t)
')
########################################
@@ -4043,7 +4077,7 @@
type var_t, var_lock_t;
')
- rw_dirs_pattern($1,var_t,var_lock_t)
+ rw_files_pattern($1,var_t,var_lock_t)
')
########################################
@@ -4560,6 +4594,8 @@
# Need to give access to /selinux/member
selinux_compute_member($1)
+ files_search_home($1)
+
# Need sys_admin capability for mounting
allow $1 self:capability { chown fsetid sys_admin };
@@ -4582,6 +4618,8 @@
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
+ corecmd_exec_bin($1)
+
')
########################################
@@ -4619,3 +4657,28 @@
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
+
+########################################
+##
+## Create a core files in /
+##
+##
+##
+## Create a core file in /,
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_dump_core',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir rw_dir_perms;
+ allow $1 root_t:file { create getattr write };
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.2/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-07-03 07:05:38.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/kernel/kernel.if 2007-07-13 08:07:53.000000000 -0400
@@ -1848,6 +1848,27 @@
########################################
##
+## Read the process state (/proc/pid) of all unlabeled_t.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_read_unlabeled_state',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir list_dir_perms;
+ read_files_pattern($1,unlabeled_t,unlabeled_t)
+ read_lnk_files_pattern($1,unlabeled_t,unlabeled_t)
+')
+
+
+########################################
+##
## Do not audit attempts to list unlabeled directories.
##
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.0.2/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2007-07-03 07:05:38.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/kernel/kernel.te 2007-07-13 08:07:53.000000000 -0400
@@ -275,6 +275,7 @@
optional_policy(`
logging_send_syslog_msg(kernel_t)
+ logging_unconfined(kernel_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.if serefpolicy-3.0.2/policy/modules/kernel/mls.if
--- nsaserefpolicy/policy/modules/kernel/mls.if 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/kernel/mls.if 2007-07-13 08:07:53.000000000 -0400
@@ -154,6 +154,26 @@
########################################
##
## Make specified domain MLS trusted
+## for writing to sockets at any level
+## that is dominated by the process clearance.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mls_socket_write_to_clearance',`
+ gen_require(`
+ attribute mlsnetwritetoclr;
+ ')
+
+ typeattribute $1 mlsnetwritetoclr;
+')
+
+########################################
+##
+## Make specified domain MLS trusted
## for writing to sockets at any level.
##
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-3.0.2/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/kernel/mls.te 2007-07-13 08:07:53.000000000 -0400
@@ -18,6 +18,7 @@
attribute mlsnetreadtoclr;
attribute mlsnetwrite;
attribute mlsnetwritetoclr;
+attribute mlsnetwriteranged;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
attribute mlsnetrecvall;
@@ -43,6 +44,8 @@
attribute mlsxwinwritecolormap;
attribute mlsxwinwritexinput;
+# Object attributes that allow MLS overrides for access by all subjects
+attribute mlsrangedobject;
attribute mlstrustedobject;
attribute privrangetrans;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.0.2/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-07-03 07:05:38.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/kernel/selinux.if 2007-07-13 08:07:53.000000000 -0400
@@ -32,20 +32,21 @@
########################################
##
-## Get the attributes of the selinuxfs filesystem
+## Do not audit attempts to get the
+## attributes of the selinuxfs directory.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`selinux_getattr_fs',`
+interface(`selinux_dontaudit_getattr_dir',`
gen_require(`
type security_t;
')
- allow $1 security_t:filesystem getattr;
+ dontaudit $1 security_t:dir getattr;
')
########################################
@@ -69,8 +70,8 @@
########################################
##
-## Do not audit attempts to get the
-## attributes of the selinuxfs directory.
+## Allow domain to get the
+## attributes of the selinuxfs filesystem
##
##
##
@@ -78,12 +79,12 @@
##
##
#
-interface(`selinux_dontaudit_getattr_dir',`
+interface(`selinux_getattr_fs',`
gen_require(`
type security_t;
')
- dontaudit $1 security_t:dir getattr;
+ allow $1 security_t:filesystem getattr;
')
########################################
@@ -138,6 +139,7 @@
type security_t;
')
+ selinux_dontaudit_getattr_fs($1)
dontaudit $1 security_t:dir search_dir_perms;
dontaudit $1 security_t:file { getattr read };
')
@@ -159,6 +161,7 @@
type security_t;
')
+ selinux_get_fs_mount($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read };
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.0.2/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-06-15 14:54:30.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/kernel/storage.fc 2007-07-13 08:07:53.000000000 -0400
@@ -23,6 +23,7 @@
/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.0.2/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2007-06-15 14:54:30.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/kernel/storage.if 2007-07-13 08:07:53.000000000 -0400
@@ -100,6 +100,7 @@
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
typeattribute $1 fixed_disk_raw_read;
')
@@ -144,6 +145,7 @@
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file write_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file write_chr_file_perms;
typeattribute $1 fixed_disk_raw_write;
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.0.2/policy/modules/kernel/terminal.fc
--- nsaserefpolicy/policy/modules/kernel/terminal.fc 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/kernel/terminal.fc 2007-07-13 08:07:53.000000000 -0400
@@ -8,6 +8,7 @@
/dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/hvc.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/hvsi.* -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/i2c[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ircomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.0.2/policy/modules/kernel/terminal.te
--- nsaserefpolicy/policy/modules/kernel/terminal.te 2007-06-15 14:54:30.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/kernel/terminal.te 2007-07-13 08:07:53.000000000 -0400
@@ -28,9 +28,15 @@
type devpts_t;
files_mountpoint(devpts_t)
fs_associate_tmpfs(devpts_t)
+files_associate_tmp(devpts_t)
fs_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
+ifdef(`targeted_policy',`
+ # cjp: the ttynode should probably be removed.
+ typeattribute devpts_t ttynode, ptynode;
+')
+
#
# devtty_t is the type of /dev/tty.
#
@@ -51,6 +57,10 @@
type tty_device_t, serial_device;
dev_node(tty_device_t)
+ifdef(`targeted_policy',`
+ typeattribute tty_device_t ttynode;
+')
+
#
# usbtty_device_t is the type of /dev/usr/tty*
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.0.2/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2007-07-03 07:06:26.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/services/amavis.te 2007-07-13 08:07:53.000000000 -0400
@@ -166,6 +166,7 @@
optional_policy(`
pyzor_domtrans(amavis_t)
+ pyzor_signal(amavis_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.0.2/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/services/apache.fc 2007-07-13 08:07:53.000000000 -0400
@@ -16,7 +16,6 @@
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
@@ -73,3 +72,11 @@
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+#Bugzilla file context
+/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_script_rw_t,s0)
+#viewvc file context
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t, s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.2/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-07-03 07:06:27.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/services/apache.if 2007-07-13 08:07:53.000000000 -0400
@@ -18,10 +18,6 @@
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
')
- # allow write access to public file transfer
- # services files.
- gen_tunable(allow_httpd_$1_script_anon_write,false)
-
#This type is for webpages
type httpd_$1_content_t, httpdcontent; # customizable
files_type(httpd_$1_content_t)
@@ -120,10 +116,6 @@
can_exec(httpd_$1_script_t, httpdcontent)
')
- tunable_policy(`allow_httpd_$1_script_anon_write',`
- miscfiles_manage_public_files(httpd_$1_script_t)
- ')
-
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
@@ -177,48 +169,6 @@
miscfiles_read_localization(httpd_$1_script_t)
')
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
- allow httpd_$1_script_t self:udp_socket create_socket_perms;
-
- corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
- corenet_all_recvfrom_netlabel(httpd_$1_script_t)
- corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
- corenet_udp_sendrecv_all_if(httpd_$1_script_t)
- corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
- corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
- corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
- corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
- corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
- corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
- corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t)
- corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t)
-
- sysnet_read_config(httpd_$1_script_t)
- ')
-
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
- allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
- allow httpd_$1_script_t self:udp_socket create_socket_perms;
-
- corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
- corenet_all_recvfrom_netlabel(httpd_$1_script_t)
- corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
- corenet_udp_sendrecv_all_if(httpd_$1_script_t)
- corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
- corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
- corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
- corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
- corenet_tcp_connect_all_ports(httpd_$1_script_t)
- corenet_sendrecv_all_client_packets(httpd_$1_script_t)
-
- sysnet_read_config(httpd_$1_script_t)
- ')
-
- optional_policy(`
- mta_send_mail(httpd_$1_script_t)
- ')
-
optional_policy(`
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
nis_use_ypbind_uncond(httpd_$1_script_t)
@@ -270,8 +220,11 @@
')
apache_content_template($1)
+ manage_dirs_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t)
+ manage_files_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t)
+ manage_lnk_files_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t)
- typeattribute httpd_$1_script_t httpd_script_domains;
+ typeattribute httpd_$1_content_t httpd_script_domains;
userdom_user_home_content($1,httpd_$1_content_t)
role $3 types httpd_$1_script_t;
@@ -436,6 +389,24 @@
########################################
##
+## getattr apache.process
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_getattr',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:process getattr;
+')
+
+########################################
+##
## Inherit and use file descriptors from Apache.
##
##
@@ -754,6 +725,7 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
+ read_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t)
')
########################################
@@ -838,6 +810,10 @@
type httpd_sys_script_t;
')
+ tunable_policy(`httpd_enable_cgi',`
+ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
+ ')
+
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
')
@@ -925,7 +901,7 @@
type httpd_squirrelmail_t;
')
- allow $1 httpd_squirrelmail_t:file { getattr read };
+ read_files_pattern($1,httpd_squirrelmail_t,httpd_squirrelmail_t)
')
########################################
@@ -1002,3 +978,158 @@
allow $1 httpd_sys_script_t:dir search_dir_perms;
')
+
+########################################
+##
+## Allow the specified domain to manage
+## apache modules.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_manage_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ manage_dirs_pattern($1,httpd_modules_t,httpd_modules_t)
+ manage_files_pattern($1,httpd_modules_t,httpd_modules_t)
+ manage_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t)
+')
+
+########################################
+##
+## Allow the specified domain to create
+## apache lock file
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_manage_lock',`
+ gen_require(`
+ type httpd_lock_t;
+ ')
+ allow $1 httpd_lock_t:file manage_file_perms;
+ files_lock_filetrans($1, httpd_lock_t, file)
+')
+
+########################################
+##
+## Allow the specified domain to manage
+## apache pid file
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_manage_pid',`
+ gen_require(`
+ type httpd_var_run_t;
+ ')
+ manage_files_pattern($1,httpd_var_run_t,httpd_var_run_t)
+ files_pid_filetrans($1,httpd_var_run_t, file)
+')
+
+########################################
+##
+##f Read apache system state
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_read_state',`
+ gen_require(`
+ type httpd_t;
+ ')
+ kernel_search_proc($1)
+ allow $1 httpd_t:dir list_dir_perms;
+ read_files_pattern($1,httpd_t,httpd_t)
+ read_lnk_files_pattern($1,httpd_t,httpd_t)
+ dontaudit $1 httpd_t:process ptrace;
+')
+
+########################################
+##
+##f allow domain to signal apache
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_signal',`
+ gen_require(`
+ type httpd_t;
+ ')
+ allow $1 httpd_t:process signal;
+')
+
+########################################
+##
+## allow domain to relabel apache content
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_relabel',`
+ gen_require(`
+ attribute httpdcontent;
+ attribute httpd_script_exec_type;
+ ')
+
+ allow $1 { httpd_script_exec_type httpdcontent}:dir { relabelto relabelfrom };
+ allow $1 { httpd_script_exec_type httpdcontent}:file { relabelto relabelfrom };
+')
+
+########################################
+##
+## Allow the specified domain to search
+## apache bugzilla directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_search_bugzilla_dirs',`
+ gen_require(`
+ type httpd_bugzilla_content_t;
+ ')
+
+ allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and write Apache
+## bugzill script unix domain stream sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_dontaudit_rw_bugzilla_script_stream_sockets',`
+ gen_require(`
+ type httpd_bugzilla_script_t;
+ ')
+
+ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.2/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-07-03 07:06:27.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/services/apache.te 2007-07-13 08:07:53.000000000 -0400
@@ -47,6 +47,13 @@
## Allow http daemon to tcp connect
##
##
+gen_tunable(httpd_can_sendmail,false)
+
+##