diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.12/config/appconfig-mcs/default_contexts
--- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.12/config/appconfig-mcs/default_contexts 2009-04-07 16:01:44.000000000 -0400
@@ -1,15 +1,6 @@
-system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
-system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:crond_t:s0 system_r:system_cronjob_t:s0
+system_r:local_login_t:s0 user_r:user_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
-system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-
-staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-
-sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
-
-user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.12/config/appconfig-mcs/failsafe_context
--- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.6.12/config/appconfig-mcs/failsafe_context 2009-04-07 16:01:44.000000000 -0400
@@ -1 +1 @@
-sysadm_r:sysadm_t:s0
+system_r:unconfined_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.12/config/appconfig-mcs/root_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.12/config/appconfig-mcs/root_default_contexts 2009-04-07 16:01:44.000000000 -0400
@@ -1,11 +1,7 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-
#
# Uncomment if you want to automatically login as sysadm_r
#
-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.12/config/appconfig-mcs/seusers
--- nsaserefpolicy/config/appconfig-mcs/seusers 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.6.12/config/appconfig-mcs/seusers 2009-04-07 16:01:44.000000000 -0400
@@ -1,3 +1,3 @@
system_u:system_u:s0-mcs_systemhigh
-root:root:s0-mcs_systemhigh
-__default__:user_u:s0
+root:unconfined_u:s0-mcs_systemhigh
+__default__:unconfined_u:s0-mcs_systemhigh
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.12/config/appconfig-mcs/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.12/config/appconfig-mcs/staff_u_default_contexts 2009-04-07 16:01:44.000000000 -0400
@@ -1,10 +1,12 @@
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0 staff_r:cronjob_t:s0
+system_r:crond_t:s0 staff_r:staff_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
+system_r:initrc_su_t:s0 staff_r:staff_t:s0
+staff_r:staff_t:s0 staff_r:staff_t:s0
sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.12/config/appconfig-mcs/unconfined_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.12/config/appconfig-mcs/unconfined_u_default_contexts 2009-04-07 16:01:44.000000000 -0400
@@ -1,4 +1,4 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0
system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
@@ -6,4 +6,6 @@
system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
+system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0
+unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.12/config/appconfig-mcs/userhelper_context
--- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.6.12/config/appconfig-mcs/userhelper_context 2009-04-07 16:01:44.000000000 -0400
@@ -1 +1 @@
-system_u:sysadm_r:sysadm_t:s0
+system_u:system_r:unconfined_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.12/config/appconfig-mcs/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.12/config/appconfig-mcs/user_u_default_contexts 2009-04-07 16:01:44.000000000 -0400
@@ -1,8 +1,9 @@
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
-system_r:crond_t:s0 user_r:cronjob_t:s0
+system_r:crond_t:s0 user_r:user_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0
-
+system_r:initrc_su_t:s0 user_r:user_t:s0
+user_r:user_t:s0 user_r:user_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.12/config/appconfig-mcs/virtual_domain_context
--- nsaserefpolicy/config/appconfig-mcs/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/config/appconfig-mcs/virtual_domain_context 2009-04-07 16:01:44.000000000 -0400
@@ -0,0 +1 @@
+system_u:system_r:svirt_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.12/config/appconfig-mcs/virtual_image_context
--- nsaserefpolicy/config/appconfig-mcs/virtual_image_context 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/config/appconfig-mcs/virtual_image_context 2009-04-07 16:01:44.000000000 -0400
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.12/config/appconfig-mls/default_contexts
--- nsaserefpolicy/config/appconfig-mls/default_contexts 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.12/config/appconfig-mls/default_contexts 2009-04-07 16:01:44.000000000 -0400
@@ -1,15 +1,6 @@
-system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
-system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:crond_t:s0 system_r:system_crond_t:s0
+system_r:local_login_t:s0 user_r:user_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
-system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-
-staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-
-sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
-
-user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.12/config/appconfig-mls/root_default_contexts
--- nsaserefpolicy/config/appconfig-mls/root_default_contexts 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.12/config/appconfig-mls/root_default_contexts 2009-04-07 16:01:44.000000000 -0400
@@ -1,11 +1,11 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
-system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+system_r:crond_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+staff_r:staff_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+user_r:user_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
#
# Uncomment if you want to automatically login as sysadm_r
#
-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.12/config/appconfig-mls/virtual_domain_context
--- nsaserefpolicy/config/appconfig-mls/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/config/appconfig-mls/virtual_domain_context 2009-04-07 16:01:44.000000000 -0400
@@ -0,0 +1 @@
+system_u:system_r:qemu_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.12/config/appconfig-mls/virtual_image_context
--- nsaserefpolicy/config/appconfig-mls/virtual_image_context 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/config/appconfig-mls/virtual_image_context 2009-04-07 16:01:44.000000000 -0400
@@ -0,0 +1,2 @@
+system_u:object_r:virt_image_t:s0
+system_u:object_r:virt_content_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.12/Makefile
--- nsaserefpolicy/Makefile 2009-01-19 11:07:35.000000000 -0500
+++ serefpolicy-3.6.12/Makefile 2009-04-07 16:01:44.000000000 -0400
@@ -241,7 +241,7 @@
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
@@ -315,20 +315,22 @@
# parse-rolemap modulename,outputfile
define parse-rolemap
- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+ echo "" >> $2
+# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
endef
# perrole-expansion modulename,outputfile
define perrole-expansion
- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
- $(call parse-rolemap,$1,$2)
- $(verbose) echo "')" >> $2
-
- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
- $(call parse-rolemap-compat,$1,$2)
- $(verbose) echo "')" >> $2
+ echo "No longer doing perrole-expansion"
+# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+# $(call parse-rolemap,$1,$2)
+# $(verbose) echo "')" >> $2
+
+# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+# $(call parse-rolemap-compat,$1,$2)
+# $(verbose) echo "')" >> $2
endef
# create-base-per-role-tmpl modulenames,outputfile
@@ -397,7 +399,7 @@
@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
@echo "#" >> $@
$(verbose) cat $@.in >> $@
- $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
+ $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)\(.*\)" $< \
| $(M4) -D self_contained_policy $(M4PARAM) $@.m4 - \
| $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
@@ -527,6 +529,10 @@
@mkdir -p $(appdir)/users
$(verbose) $(INSTALL) -m 644 $^ $@
+$(appdir)/initrc_context: $(tmpdir)/initrc_context
+ @mkdir -p $(appdir)
+ $(verbose) $(INSTALL) -m 644 $< $@
+
$(appdir)/%: $(appconf)/%
@mkdir -p $(appdir)
$(verbose) $(INSTALL) -m 644 $< $@
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.6.12/man/man8/httpd_selinux.8
--- nsaserefpolicy/man/man8/httpd_selinux.8 2009-03-05 09:22:34.000000000 -0500
+++ serefpolicy-3.6.12/man/man8/httpd_selinux.8 2009-04-13 10:52:18.000000000 -0400
@@ -22,7 +22,7 @@
.EX
httpd_sys_content_t
.EE
-- Set files with httpd_sys_content_t for content which is available from all httpd sys scripts and the daemon.
+- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access.
.EX
httpd_sys_script_exec_t
.EE
@@ -30,11 +30,11 @@
.EX
httpd_sys_content_rw_t
.EE
-- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access.
+- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access.
.EX
httpd_sys_content_ra_t
.EE
-- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access.
+- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access.
.EX
httpd_unconfined_script_exec_t
.EE
@@ -57,8 +57,7 @@
.EE
.SH BOOLEANS
-SELinux policy is customizable based on least access required. So by
-default SElinux prevents certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
+SELinux policy is customizable based on least access required. SElinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
.PP
httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
@@ -67,7 +66,7 @@
.EE
.PP
-httpd by default is not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
+SELinux policy for httpd can be setup to not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
.EX
setsebool -P httpd_enable_homedirs 1
@@ -75,7 +74,7 @@
.EE
.PP
-httpd by default is not allowed access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access.
+SELinux policy for httpd can be setup to not allow access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access.
.EX
setsebool -P httpd_tty_comm 1
@@ -89,7 +88,7 @@
.EE
.PP
-httpd can be configured to turn on sending email. By default http is not allowed to send mail. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean.
+SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean.
.EX
setsebool -P httpd_can_sendmail 1
@@ -102,7 +101,7 @@
.EE
.PP
-httpd scripts by default are not allowed to connect out to the network.
+SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network.
This would prevent a hacker from breaking into you httpd server and attacking
other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/kerberos_selinux.8 serefpolicy-3.6.12/man/man8/kerberos_selinux.8
--- nsaserefpolicy/man/man8/kerberos_selinux.8 2009-03-05 09:22:34.000000000 -0500
+++ serefpolicy-3.6.12/man/man8/kerberos_selinux.8 2009-04-13 10:53:14.000000000 -0400
@@ -12,7 +12,7 @@
.SH "DESCRIPTION"
Security-Enhanced Linux secures the system via flexible mandatory access
-control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.
+control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.
.SH BOOLEANS
.PP
You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nfs_selinux.8 serefpolicy-3.6.12/man/man8/nfs_selinux.8
--- nsaserefpolicy/man/man8/nfs_selinux.8 2009-03-05 09:22:34.000000000 -0500
+++ serefpolicy-3.6.12/man/man8/nfs_selinux.8 2009-04-13 10:49:43.000000000 -0400
@@ -6,7 +6,7 @@
Security Enhanced Linux secures the NFS server via flexible mandatory access
control.
.SH BOOLEANS
-SELinux policy is customizable based on the least level of access required. By default, SELinux policy does not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
+SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
.TP
setsebool -P nfs_export_all_ro 1
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ypbind_selinux.8 serefpolicy-3.6.12/man/man8/ypbind_selinux.8
--- nsaserefpolicy/man/man8/ypbind_selinux.8 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.6.12/man/man8/ypbind_selinux.8 2009-04-13 10:54:03.000000000 -0400
@@ -4,7 +4,7 @@
.SH "DESCRIPTION"
Security-Enhanced Linux secures the system via flexible mandatory access
-control. By default NIS is not allowed, since it requires daemons to be allowed greater access to the network.
+control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network.
.SH BOOLEANS
.TP
You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.12/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.12/policy/global_tunables 2009-04-07 16:01:44.000000000 -0400
@@ -61,15 +61,6 @@
##
##
-## Allow email client to various content.
-## nfs, samba, removable devices, and user temp
-## files
-##
-##
-gen_tunable(mail_read_content,false)
-
-##
-##
## Allow any files/directories to be exported read/write via NFS.
##
##
@@ -111,3 +102,12 @@
##
##
gen_tunable(user_tcp_server,false)
+
+##
##
## Allow Apache to modify public files
@@ -30,10 +32,17 @@
##
##
-## Allow Apache to use mod_auth_pam
+## Allow httpd scripts and modules execmem/execstack
##
##
-gen_tunable(allow_httpd_mod_auth_pam, false)
+gen_tunable(httpd_execmem, false)
+
+##
+##
+## Allow Apache to communicate with avahi service via dbus
+##
+##
+gen_tunable(httpd_dbus_avahi, false)
##
##
@@ -44,6 +53,13 @@
##
##
+## Allow http daemon to send mail
+##
+##
+gen_tunable(httpd_can_sendmail, false)
+
+##
+##
## Allow HTTPD scripts and modules to connect to the network using TCP.
##
##
@@ -108,6 +124,29 @@
##
gen_tunable(httpd_unified, false)
+##
+##
+## Allow httpd to access nfs file systems
+##
+##
+gen_tunable(httpd_use_nfs, false)
+
+##
+##
+## Allow httpd to access cifs file systems
+##
+##
+gen_tunable(httpd_use_cifs, false)
+
+##
+##
+## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t.
+##
+##
+gen_tunable(allow_httpd_sys_script_anon_write, false)
+
+attribute httpd_ro_content;
+attribute httpd_rw_content;
attribute httpdcontent;
attribute httpd_user_content_type;
@@ -140,6 +179,9 @@
domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
role system_r types httpd_helper_t;
+type httpd_initrc_exec_t;
+init_script_file(httpd_initrc_exec_t)
+
type httpd_lock_t;
files_lock_file(httpd_lock_t)
@@ -180,6 +222,10 @@
# setup the system domain for system CGI scripts
apache_content_template(sys)
+typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable
+typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable
+typeattribute httpd_sys_content_ra_t httpdcontent; # customizable
+
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
@@ -187,15 +233,20 @@
files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
+
ubac_constrained(httpd_user_script_t)
+typeattribute httpd_user_content_t httpdcontent;
+typeattribute httpd_user_content_rw_t httpdcontent;
+typeattribute httpd_user_content_ra_t httpdcontent;
+
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
-userdom_user_home_content(httpd_user_script_ra_t)
-userdom_user_home_content(httpd_user_script_ro_t)
-userdom_user_home_content(httpd_user_script_rw_t)
+userdom_user_home_content(httpd_user_content_ra_t)
+userdom_user_home_content(httpd_user_content_rw_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
@@ -230,7 +281,7 @@
# Apache server local policy
#
-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
@@ -272,6 +323,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
@@ -283,9 +335,9 @@
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
-allow httpd_t httpd_sys_content_t:dir list_dir_perms;
-read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
-read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+allow httpd_t httpd_ro_content:dir list_dir_perms;
+read_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content)
+read_lnk_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content)
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -301,6 +353,7 @@
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
+setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
@@ -312,6 +365,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
+kernel_search_network_sysctl(httpd_t)
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
@@ -322,6 +376,7 @@
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
+corenet_udp_bind_generic_node(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
@@ -335,12 +390,12 @@
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
+fs_list_inotifyfs(httpd_t)
+fs_read_iso9660_files(httpd_t)
auth_use_nsswitch(httpd_t)
-# execute perl
-corecmd_exec_bin(httpd_t)
-corecmd_exec_shell(httpd_t)
+application_exec_all(httpd_t)
domain_use_interactive_fds(httpd_t)
@@ -358,6 +413,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_content_rw_t, { dir file lnk_file sock_file fifo_file })
libs_read_lib_files(httpd_t)
@@ -372,18 +431,33 @@
userdom_use_unpriv_users_fds(httpd_t)
-mta_send_mail(httpd_t)
-
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
')
-ifdef(`TODO', `
#
# We need optionals to be able to be within booleans to make this work
#
+##
+##
+## Allow Apache to use mod_auth_pam
+##
+##
+gen_tunable(allow_httpd_mod_auth_pam, false)
+
tunable_policy(`allow_httpd_mod_auth_pam',`
- auth_domtrans_chk_passwd(httpd_t)
+ auth_domtrans_chkpwd(httpd_t)
+')
+
+##
+##
+## Allow Apache to use mod_auth_pam
+##
+##
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+optional_policy(`
+tunable_policy(`allow_httpd_mod_auth_pam',`
+ samba_domtrans_winbind_helper(httpd_t)
')
')
@@ -391,20 +465,54 @@
corenet_tcp_connect_all_ports(httpd_t)
')
+tunable_policy(`httpd_can_sendmail',`
+ # allow httpd to connect to mail servers
+ corenet_tcp_connect_smtp_port(httpd_t)
+ corenet_sendrecv_smtp_client_packets(httpd_t)
+ corenet_tcp_connect_pop_port(httpd_t)
+ corenet_sendrecv_pop_client_packets(httpd_t)
+ mta_send_mail(httpd_t)
+ mta_send_mail(httpd_sys_script_t)
+')
+
tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
corenet_tcp_connect_ftp_port(httpd_t)
corenet_tcp_connect_http_port(httpd_t)
corenet_tcp_connect_http_cache_port(httpd_t)
+ corenet_tcp_connect_memcache_port(httpd_t)
corenet_sendrecv_gopher_client_packets(httpd_t)
corenet_sendrecv_ftp_client_packets(httpd_t)
corenet_sendrecv_http_client_packets(httpd_t)
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })
+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
+')
+
+tunable_policy(`allow_httpd_sys_script_anon_write',`
+ miscfiles_manage_public_files(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
+ fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+ fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
- domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+ domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t)
+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })
+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
@@ -415,20 +523,28 @@
corenet_tcp_bind_ftp_port(httpd_t)
')
-tunable_policy(`httpd_enable_homedirs',`
- userdom_read_user_home_content_files(httpd_t)
-')
-
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(httpd_t)
fs_read_nfs_symlinks(httpd_t)
')
+tunable_policy(`httpd_use_nfs',`
+ fs_manage_nfs_dirs(httpd_t)
+ fs_manage_nfs_files(httpd_t)
+ fs_manage_nfs_symlinks(httpd_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
')
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
+')
+
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
@@ -451,6 +567,10 @@
')
optional_policy(`
+ cvs_read_data(httpd_t)
+')
+
+optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
')
@@ -459,8 +579,13 @@
')
optional_policy(`
- kerberos_use(httpd_t)
- kerberos_read_kdc_config(httpd_t)
+ dbus_system_bus_client(httpd_t)
+ tunable_policy(`httpd_dbus_avahi',`
+ avahi_dbus_chat(httpd_t)
+ ')
+')
+optional_policy(`
+ kerberos_keytab_template(httpd, httpd_t)
')
optional_policy(`
@@ -468,22 +593,18 @@
mailman_domtrans_cgi(httpd_t)
# should have separate types for public and private archives
mailman_search_data(httpd_t)
+ mailman_read_data_files(httpd_t)
mailman_read_archive(httpd_t)
')
optional_policy(`
- # Allow httpd to work with mysql
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-
- tunable_policy(`httpd_can_network_connect_db',`
- mysql_tcp_connect(httpd_t)
- ')
+ mysql_read_config(httpd_t)
')
optional_policy(`
nagios_read_config(httpd_t)
- nagios_domtrans_cgi(httpd_t)
')
optional_policy(`
@@ -493,6 +614,12 @@
openca_kill(httpd_t)
')
+tunable_policy(`httpd_execmem',`
+ allow httpd_t self:process { execmem execstack };
+ allow httpd_sys_script_t self:process { execmem execstack };
+ allow httpd_suexec_t self:process { execmem execstack };
+')
+
optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
@@ -500,6 +627,7 @@
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_t)
+ postgresql_tcp_connect(httpd_sys_script_t)
')
')
@@ -508,6 +636,7 @@
')
optional_policy(`
+ files_dontaudit_rw_usr_dirs(httpd_t)
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
@@ -535,6 +664,22 @@
userdom_use_user_terminals(httpd_helper_t)
+tunable_policy(`httpd_tty_comm',`
+ userdom_use_user_terminals(httpd_helper_t)
+')
+
+optional_policy(`
+ type httpd_unconfined_script_t;
+ type httpd_unconfined_script_exec_t;
+ domain_type(httpd_unconfined_script_t)
+ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+ unconfined_domain(httpd_unconfined_script_t)
+
+ role system_r types httpd_unconfined_script_t;
+')
+
+
########################################
#
# Apache PHP script local policy
@@ -564,20 +709,25 @@
fs_search_auto_mountpoints(httpd_php_t)
+auth_use_nsswitch(httpd_php_t)
+
libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
-optional_policy(`
- mysql_stream_connect(httpd_php_t)
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_mysqld_port(httpd_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_t)
+ corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_mysqld_port(httpd_suexec_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
')
-optional_policy(`
- nis_use_ypbind(httpd_php_t)
-')
optional_policy(`
- postgresql_stream_connect(httpd_php_t)
+ mysql_stream_connect(httpd_php_t)
+ mysql_read_config(httpd_php_t)
')
########################################
@@ -595,23 +745,24 @@
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
-allow httpd_suexec_t httpd_t:fifo_file getattr;
+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
dev_read_urand(httpd_suexec_t)
+fs_read_iso9660_files(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)
-# for shell scripts
-corecmd_exec_bin(httpd_suexec_t)
-corecmd_exec_shell(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
@@ -624,6 +775,7 @@
logging_send_syslog_msg(httpd_suexec_t)
miscfiles_read_localization(httpd_suexec_t)
+miscfiles_read_public_files(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
@@ -641,12 +793,20 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_rw_t)
+read_files_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_ra_t)
+
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpdcontent:file entrypoint;
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
')
-
-tunable_policy(`httpd_enable_homedirs',`
- userdom_read_user_home_content_files(httpd_suexec_t)
+tunable_policy(`httpd_enable_cgi',`
+ domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -672,15 +832,14 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
-optional_policy(`
- nagios_domtrans_cgi(httpd_suexec_t)
-')
-
########################################
#
# Apache system script local policy
#
+auth_use_nsswitch(httpd_sys_script_t)
+
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -699,12 +858,24 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
+sysnet_read_config(httpd_sys_script_t)
+
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-tunable_policy(`httpd_enable_homedirs',`
- userdom_read_user_home_content_files(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+
+tunable_policy(`httpd_use_nfs',`
+ fs_manage_nfs_dirs(httpd_sys_script_t)
+ fs_manage_nfs_files(httpd_sys_script_t)
+ fs_manage_nfs_symlinks(httpd_sys_script_t)
+ fs_exec_nfs_files(httpd_sys_script_t)
+
+ fs_manage_nfs_dirs(httpd_suexec_t)
+ fs_manage_nfs_files(httpd_suexec_t)
+ fs_manage_nfs_symlinks(httpd_suexec_t)
+ fs_exec_nfs_files(httpd_suexec_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -712,6 +883,35 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+ corenet_tcp_bind_generic_node(httpd_sys_script_t)
+ corenet_udp_bind_generic_node(httpd_sys_script_t)
+ corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
+ corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_tcp_connect_all_ports(httpd_sys_script_t)
+ corenet_sendrecv_all_client_packets(httpd_sys_script_t)
+')
+
+
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_sys_script_t)
+ fs_manage_cifs_files(httpd_sys_script_t)
+ fs_manage_cifs_symlinks(httpd_sys_script_t)
+ fs_manage_cifs_dirs(httpd_suexec_t)
+ fs_manage_cifs_files(httpd_suexec_t)
+ fs_manage_cifs_symlinks(httpd_suexec_t)
+ fs_exec_cifs_files(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -724,6 +924,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t)
+ mysql_stream_connect(httpd_suexec_t)
+ mysql_rw_db_sockets(httpd_suexec_t)
+ mysql_read_config(httpd_suexec_t)
')
optional_policy(`
@@ -735,6 +939,8 @@
# httpd_rotatelogs local policy
#
+allow httpd_rotatelogs_t self:capability dac_override;
+
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
@@ -754,6 +960,12 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t)
')
# allow accessing files/dirs below the users home dir
@@ -762,3 +974,66 @@
userdom_search_user_home_dirs(httpd_suexec_t)
userdom_search_user_home_dirs(httpd_user_script_t)
')
+
+#============= bugzilla policy ==============
+apache_content_template(bugzilla)
+
+type httpd_bugzilla_tmp_t;
+files_tmp_file(httpd_bugzilla_tmp_t)
+
+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_generic_node(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
+
+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+mta_send_mail(httpd_bugzilla_script_t)
+
+sysnet_read_config(httpd_bugzilla_script_t)
+sysnet_use_ldap(httpd_bugzilla_script_t)
+
+optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
+ mysql_stream_connect(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
+')
+
+manage_dirs_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
+manage_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
+manage_lnk_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
+
+manage_dirs_pattern(httpd_t,httpdcontent,httpd_rw_content)
+manage_files_pattern(httpd_t,httpdcontent,httpd_rw_content)
+manage_lnk_files_pattern(httpd_t,httpdcontent,httpd_rw_content)
+
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
+typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
+typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;
+typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.6.12/policy/modules/services/audioentropy.te
--- nsaserefpolicy/policy/modules/services/audioentropy.te 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/audioentropy.te 2009-04-14 08:16:44.000000000 -0400
@@ -40,6 +40,9 @@
# and sample rate.
dev_write_sound(entropyd_t)
+files_read_etc_files(entropyd_t)
+files_read_usr_files(entropyd_t)
+
fs_getattr_all_fs(entropyd_t)
fs_search_auto_mountpoints(entropyd_t)
@@ -53,6 +56,11 @@
userdom_dontaudit_search_user_home_dirs(entropyd_t)
optional_policy(`
+ alsa_read_lib(entropyd_t)
+ alsa_read_rw_config(entropyd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(entropyd_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.12/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/automount.te 2009-04-07 16:01:44.000000000 -0400
@@ -71,6 +71,7 @@
files_mounton_all_mountpoints(automount_t)
files_mount_all_file_type_fs(automount_t)
files_unmount_all_file_type_fs(automount_t)
+files_manage_non_security_dirs(automount_t)
fs_mount_all_fs(automount_t)
fs_unmount_all_fs(automount_t)
@@ -100,6 +101,7 @@
corenet_udp_bind_all_rpc_ports(automount_t)
dev_read_sysfs(automount_t)
+dev_rw_autofs(automount_t)
# for SSP
dev_read_rand(automount_t)
dev_read_urand(automount_t)
@@ -127,6 +129,7 @@
fs_unmount_autofs(automount_t)
fs_mount_autofs(automount_t)
fs_manage_autofs_symlinks(automount_t)
+fs_read_nfs_files(automount_t)
storage_rw_fuse(automount_t)
@@ -142,6 +145,7 @@
# Run mount in the mount_t domain.
mount_domtrans(automount_t)
+mount_signal(automount_t)
userdom_dontaudit_use_unpriv_user_fds(automount_t)
userdom_dontaudit_search_user_home_dirs(automount_t)
@@ -155,7 +159,7 @@
')
optional_policy(`
- kerberos_read_keytab(automount_t)
+ kerberos_keytab_template(automount, automount_t)
kerberos_read_config(automount_t)
kerberos_dontaudit_write_config(automount_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.12/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2009-03-23 13:47:11.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/avahi.te 2009-04-07 16:01:44.000000000 -0400
@@ -33,6 +33,7 @@
allow avahi_t self:tcp_socket create_stream_socket_perms;
allow avahi_t self:udp_socket create_socket_perms;
+files_search_var_lib(avahi_t)
manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
@@ -93,6 +94,7 @@
dbus_connect_system_bus(avahi_t)
init_dbus_chat_script(avahi_t)
+ dbus_system_domain(avahi_t, avahi_exec_t)
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.6.12/policy/modules/services/bind.fc
--- nsaserefpolicy/policy/modules/services/bind.fc 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/bind.fc 2009-04-13 10:45:45.000000000 -0400
@@ -1,17 +1,22 @@
/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+
/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
ifdef(`distro_debian',`
/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
@@ -40,8 +45,12 @@
/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/proc(/.*)? <>
/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.12/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/bind.if 2009-04-07 16:01:44.000000000 -0400
@@ -38,6 +38,42 @@
########################################
##
+## Send signulls to BIND.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_signull',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process signull;
+')
+
+########################################
+##
+## Send BIND the kill signal
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_kill',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process sigkill;
+')
+
+########################################
+##
## Execute ndc in the ndc domain, and
## allow the specified role the ndc domain.
##
@@ -251,6 +287,25 @@
########################################
##
+## Execute bind server in the bind domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`bind_initrc_domtrans',`
+ gen_require(`
+ type bind_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, bind_initrc_exec_t)
+')
+
+########################################
+##
## All of the rules required to administrate
## an bind environment
##
@@ -269,7 +324,7 @@
interface(`bind_admin',`
gen_require(`
type named_t, named_tmp_t, named_log_t;
- type named_conf_t, named_var_run_t;
+ type named_conf_t, named_var_lib_t, named_var_run_t;
type named_cache_t, named_zone_t;
type dnssec_t, ndc_t;
type named_initrc_exec_t;
@@ -283,6 +338,7 @@
bind_run_ndc($1, $2)
+ bind_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 named_initrc_exec_t system_r;
allow $2 system_r;
@@ -300,6 +356,9 @@
admin_pattern($1, named_zone_t)
admin_pattern($1, dnssec_t)
+ files_list_var_lib($1)
+ admin_pattern($1, named_var_lib_t)
+
files_list_pids($1)
admin_pattern($1, named_var_run_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.6.12/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/bind.te 2009-04-07 16:01:44.000000000 -0400
@@ -123,6 +123,7 @@
corenet_sendrecv_dns_client_packets(named_t)
corenet_sendrecv_rndc_server_packets(named_t)
corenet_sendrecv_rndc_client_packets(named_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(named_t)
corenet_udp_bind_all_unreserved_ports(named_t)
dev_read_sysfs(named_t)
@@ -169,7 +170,7 @@
')
optional_policy(`
- kerberos_use(named_t)
+ kerberos_keytab_template(named, named_t)
')
optional_policy(`
@@ -229,6 +230,7 @@
files_search_pids(ndc_t)
fs_getattr_xattr_fs(ndc_t)
+fs_list_inotifyfs(ndc_t)
init_use_fds(ndc_t)
init_use_script_ptys(ndc_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.6.12/policy/modules/services/bitlbee.te
--- nsaserefpolicy/policy/modules/services/bitlbee.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/bitlbee.te 2009-04-07 16:01:44.000000000 -0400
@@ -75,6 +75,8 @@
# grant read-only access to the user help files
files_read_usr_files(bitlbee_t)
+kernel_read_system_state(bitlbee_t)
+
libs_legacy_use_shared_libs(bitlbee_t)
miscfiles_read_localization(bitlbee_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.12/policy/modules/services/certmaster.fc
--- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/certmaster.fc 2009-04-07 16:01:44.000000000 -0400
@@ -0,0 +1,9 @@
+
+/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0)
+/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
+
+/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0)
+
+/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
+
+/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.6.12/policy/modules/services/certmaster.if
--- nsaserefpolicy/policy/modules/services/certmaster.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/certmaster.if 2009-04-07 16:01:44.000000000 -0400
@@ -0,0 +1,123 @@
+## policy for certmaster
+
+########################################
+##
+## Execute a domain transition to run certmaster.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`certmaster_domtrans',`
+ gen_require(`
+ type certmaster_t, certmaster_exec_t;
+ ')
+
+ domtrans_pattern($1,certmaster_exec_t,certmaster_t)
+')
+
+#######################################
+##
+## read certmaster logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_read_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+')
+
+#######################################
+##
+## Append to certmaster logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_append_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+')
+
+#######################################
+##
+## Create, read, write, and delete
+## certmaster logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_manage_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an snort environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the syslog domain.
+##
+##
+##
+#
+interface(`certmaster_admin',`
+ gen_require(`
+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
+ type certmaster_etc_rw_t, certmaster_var_log_t;
+ type certmaster_initrc_exec_t;
+ ')
+
+ allow $1 certmaster_t:process { ptrace signal_perms };
+ ps_process_pattern($1, certmaster_t)
+
+ init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 certmaster_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ miscfiles_manage_cert_dirs($1)
+ miscfiles_manage_cert_files($1)
+
+ admin_pattern($1, certmaster_etc_rw_t)
+
+ files_list_pids($1)
+ admin_pattern($1, certmaster_var_run_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, certmaster_var_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, certmaster_var_lib_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.12/policy/modules/services/certmaster.te
--- nsaserefpolicy/policy/modules/services/certmaster.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/certmaster.te 2009-04-07 16:01:44.000000000 -0400
@@ -0,0 +1,79 @@
+policy_module(certmaster,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# type and domain for certmaster
+type certmaster_t;
+type certmaster_exec_t;
+init_daemon_domain(certmaster_t, certmaster_exec_t)
+
+type certmaster_initrc_exec_t;
+init_script_file(certmaster_initrc_exec_t)
+
+# var/lib files
+type certmaster_var_lib_t;
+files_type(certmaster_var_lib_t)
+
+# config files
+type certmaster_etc_rw_t;
+files_config_file(certmaster_etc_rw_t)
+
+# log files
+type certmaster_var_log_t;
+logging_log_file(certmaster_var_log_t)
+
+# pid files
+type certmaster_var_run_t;
+files_pid_file(certmaster_var_run_t)
+
+###########################################
+#
+# certmaster local policy
+#
+
+allow certmaster_t self:capability sys_tty_config;
+allow certmaster_t self:tcp_socket create_stream_socket_perms;
+
+# config files
+list_dirs_pattern(certmaster_t,certmaster_etc_rw_t,certmaster_etc_rw_t)
+manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
+
+# var/lib files for certmaster
+manage_files_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t)
+manage_dirs_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t)
+files_var_lib_filetrans(certmaster_t,certmaster_var_lib_t, { file dir })
+
+# log files
+manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
+logging_log_filetrans(certmaster_t,certmaster_var_log_t, file )
+
+# pid file
+manage_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t)
+manage_sock_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t)
+files_pid_filetrans(certmaster_t,certmaster_var_run_t, { file sock_file })
+
+corecmd_search_bin(certmaster_t)
+corecmd_getattr_bin_files(certmaster_t)
+
+# network
+corenet_tcp_bind_generic_node(certmaster_t)
+corenet_tcp_bind_certmaster_port(certmaster_t)
+
+files_search_etc(certmaster_t)
+files_list_var(certmaster_t)
+files_search_var_lib(certmaster_t)
+
+# read meminfo
+kernel_read_system_state(certmaster_t)
+
+auth_use_nsswitch(certmaster_t)
+
+miscfiles_read_localization(certmaster_t)
+
+miscfiles_manage_cert_dirs(certmaster_t)
+miscfiles_manage_cert_files(certmaster_t)
+
+permissive certmaster_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.6.12/policy/modules/services/clamav.fc
--- nsaserefpolicy/policy/modules/services/clamav.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/clamav.fc 2009-04-07 16:01:44.000000000 -0400
@@ -1,20 +1,23 @@
/etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0)
+/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
/usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
+/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0)
/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
-/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0)
-/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
+/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.6.12/policy/modules/services/clamav.if
--- nsaserefpolicy/policy/modules/services/clamav.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/clamav.if 2009-04-07 16:01:44.000000000 -0400
@@ -38,6 +38,27 @@
########################################
##
+## Allow the specified domain to append
+## to clamav log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`clamav_append_log',`
+ gen_require(`
+ type clamav_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 clamav_log_t:dir list_dir_perms;
+ append_files_pattern($1, clamav_log_t, clamav_log_t)
+')
+
+########################################
+##
## Read clamav configuration files.
##
##
@@ -91,3 +112,87 @@
domtrans_pattern($1, clamscan_exec_t, clamscan_t)
')
+
+########################################
+##
+## Execute clamscan without a transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`clamav_exec_clamscan',`
+ gen_require(`
+ type clamscan_exec_t;
+ ')
+
+ can_exec($1, clamscan_exec_t)
+
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an clamav environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the clamav domain.
+##
+##
+##
+#
+interface(`clamav_admin',`
+ gen_require(`
+ type clamd_t, clamd_etc_t, clamd_tmp_t;
+ type clamd_var_log_t, clamd_var_lib_t;
+ type clamd_var_run_t;
+
+ type clamscan_t, clamscan_tmp_t;
+
+ type freshclam_t, freshclam_var_log_t;
+
+ type clamd_initrc_exec_t;
+ ')
+
+ allow $1 clamd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, clamd_t)
+
+ allow $1 clamscan_t:process { ptrace signal_perms };
+ ps_process_pattern($1, clamscan_t)
+
+ allow $1 freshclam_t:process { ptrace signal_perms };
+ ps_process_pattern($1, freshclam_t)
+
+ init_labeled_script_domtrans($1, clamd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 clamd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, clamd_tmp_t)
+
+ files_list_etc($1)
+ admin_pattern($1, clamd_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, clamd_var_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, clamd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, clamd_var_run_t)
+
+ admin_pattern($1, clamscan_tmp_t)
+
+ admin_pattern($1, freshclam_var_log_t)
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.12/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/clamav.te 2009-04-07 16:01:44.000000000 -0400
@@ -13,7 +13,10 @@
# configuration files
type clamd_etc_t;
-files_type(clamd_etc_t)
+files_config_file(clamd_etc_t)
+
+type clamd_initrc_exec_t;
+init_script_file(clamd_initrc_exec_t)
# tmp files
type clamd_tmp_t;
@@ -87,6 +90,9 @@
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
kernel_read_kernel_sysctls(clamd_t)
+kernel_read_system_state(clamd_t)
+
+corecmd_exec_shell(clamd_t)
corenet_all_recvfrom_unlabeled(clamd_t)
corenet_all_recvfrom_netlabel(clamd_t)
@@ -97,6 +103,8 @@
corenet_tcp_bind_generic_node(clamd_t)
corenet_tcp_bind_clamd_port(clamd_t)
corenet_sendrecv_clamd_server_packets(clamd_t)
+corenet_tcp_bind_generic_port(clamd_t)
+corenet_tcp_connect_generic_port(clamd_t)
dev_read_rand(clamd_t)
dev_read_urand(clamd_t)
@@ -117,6 +125,9 @@
cron_use_system_job_fds(clamd_t)
cron_rw_pipes(clamd_t)
+mta_read_config(clamd_t)
+mta_send_mail(clamd_t)
+
optional_policy(`
amavis_read_lib_files(clamd_t)
amavis_read_spool_files(clamd_t)
@@ -124,6 +135,10 @@
amavis_create_pid_files(clamd_t)
')
+optional_policy(`
+ exim_read_spool_files(clamd_t)
+')
+
########################################
#
# Freshclam local policy
@@ -191,7 +206,7 @@
allow clamscan_t self:fifo_file rw_file_perms;
allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
allow clamscan_t self:unix_dgram_socket create_socket_perms;
-allow clamscan_t self:tcp_socket { listen accept };
+allow clamscan_t self:tcp_socket create_stream_socket_perms;
# configuration files
allow clamscan_t clamd_etc_t:dir list_dir_perms;
@@ -207,6 +222,14 @@
manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
+corenet_all_recvfrom_unlabeled(clamscan_t)
+corenet_all_recvfrom_netlabel(clamscan_t)
+corenet_tcp_sendrecv_generic_if(clamscan_t)
+corenet_tcp_sendrecv_generic_node(clamscan_t)
+corenet_tcp_sendrecv_all_ports(clamscan_t)
+corenet_tcp_sendrecv_clamd_port(clamscan_t)
+corenet_tcp_connect_clamd_port(clamscan_t)
+
kernel_read_kernel_sysctls(clamscan_t)
files_read_etc_files(clamscan_t)
@@ -221,6 +244,8 @@
clamav_stream_connect(clamscan_t)
+mta_send_mail(clamscan_t)
+
optional_policy(`
apache_read_sys_content(clamscan_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.6.12/policy/modules/services/consolekit.fc
--- nsaserefpolicy/policy/modules/services/consolekit.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/consolekit.fc 2009-04-07 16:01:44.000000000 -0400
@@ -1,3 +1,6 @@
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+
+/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.12/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/consolekit.if 2009-04-07 16:01:44.000000000 -0400
@@ -38,3 +38,24 @@
allow $1 consolekit_t:dbus send_msg;
allow consolekit_t $1:dbus send_msg;
')
+
+########################################
+##
+## Read consolekit log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`consolekit_read_log',`
+ gen_require(`
+ type consolekit_log_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, consolekit_log_t, consolekit_log_t)
+')
+
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-04-15 07:59:08.000000000 -0400
@@ -13,6 +13,9 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
+type consolekit_log_t;
+files_pid_file(consolekit_log_t)
+
########################################
#
# consolekit local policy
@@ -24,20 +27,27 @@
allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
allow consolekit_t self:unix_dgram_socket create_socket_perms;
+manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+logging_log_filetrans(consolekit_t, consolekit_log_t, file)
+
+manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
-files_pid_filetrans(consolekit_t, consolekit_var_run_t, file)
+files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir })
kernel_read_system_state(consolekit_t)
corecmd_exec_bin(consolekit_t)
+corecmd_exec_shell(consolekit_t)
dev_read_urand(consolekit_t)
dev_read_sysfs(consolekit_t)
domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
+domain_dontaudit_ptrace_all_domains(consolekit_t)
files_read_etc_files(consolekit_t)
+files_read_usr_files(consolekit_t)
# needs to read /var/lib/dbus/machine-id
files_read_var_lib_files(consolekit_t)
@@ -47,13 +57,35 @@
auth_use_nsswitch(consolekit_t)
+init_telinit(consolekit_t)
+init_rw_utmp(consolekit_t)
+init_chat(consolekit_t)
+
+logging_send_syslog_msg(consolekit_t)
+
miscfiles_read_localization(consolekit_t)
+# consolekit needs to be able to ptrace all logged in users
+userdom_ptrace_all_users(consolekit_t)
+userdom_dontaudit_read_user_home_content_files(consolekit_t)
+userdom_read_user_tmp_files(consolekit_t)
+
+hal_ptrace(consolekit_t)
+mcs_ptrace_all(consolekit_t)
+
optional_policy(`
- dbus_system_bus_client(consolekit_t)
- dbus_connect_system_bus(consolekit_t)
+ cron_read_system_job_lib_files(consolekit_t)
+')
+optional_policy(`
+ dbus_system_domain(consolekit_t, consolekit_exec_t)
+ optional_policy(`
hal_dbus_chat(consolekit_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat(consolekit_t)
+ ')
optional_policy(`
unconfined_dbus_chat(consolekit_t)
@@ -61,6 +93,32 @@
')
optional_policy(`
+ polkit_domtrans_auth(consolekit_t)
+ polkit_read_lib(consolekit_t)
+ polkit_read_reload(consolekit_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
xserver_stream_connect(consolekit_t)
+ xserver_ptrace_xdm(consolekit_t)
+ xserver_common_app(consolekit_t)
+')
+
+optional_policy(`
+ #reading .Xauthity
+ unconfined_ptrace(consolekit_t)
+ unconfined_stream_connect(consolekit_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_list_nfs(consolekit_t)
+ fs_dontaudit_rw_nfs_files(consolekit_t)
')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_list_cifs(consolekit_t)
+ fs_dontaudit_rw_cifs_files(consolekit_t)
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.12/policy/modules/services/courier.if
--- nsaserefpolicy/policy/modules/services/courier.if 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/courier.if 2009-04-07 16:01:44.000000000 -0400
@@ -179,6 +179,24 @@
########################################
##
+## Read courier spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`courier_read_spool',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ read_files_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+##
## Read and write to courier spool pipes.
##
##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.12/policy/modules/services/courier.te
--- nsaserefpolicy/policy/modules/services/courier.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/courier.te 2009-04-07 16:01:44.000000000 -0400
@@ -10,6 +10,7 @@
type courier_etc_t;
files_config_file(courier_etc_t)
+mta_system_content(courier_etc_t)
courier_domain_template(pcp)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.12/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/cron.fc 2009-04-07 16:01:44.000000000 -0400
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
@@ -17,9 +18,9 @@
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/at/[^/]* -- <>
+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
@@ -41,7 +42,11 @@
#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/fcron/[^/]* <>
+/var/spool/fcron/.* <>
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/cron.if 2009-04-07 16:01:44.000000000 -0400
@@ -12,6 +12,10 @@
##
#
template(`cron_common_crontab_template',`
+ gen_require(`
+ type crond_t, crond_var_run_t;
+ ')
+
##############################
#
# Declarations
@@ -31,16 +35,21 @@
# dac_override is to create the file in the directory under /tmp
allow $1_t self:capability { fowner setuid setgid chown dac_override };
- allow $1_t self:process signal_perms;
+ allow $1_t self:process { setsched signal_perms };
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+
+ allow $1_t crond_t:process signal;
+ allow $1_t crond_var_run_t:file read_file_perms;
allow $1_t $1_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_t,$1_tmp_t,file)
# create files in /var/spool/cron
# cjp: change this to a role transition
+ manage_files_pattern($1_t, user_cron_spool_t, user_cron_spool_t)
manage_files_pattern($1_t, cron_spool_t, user_cron_spool_t)
filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file)
- files_search_spool($1_t)
+ files_list_spool($1_t)
# crontab signals crond by updating the mtime on the spooldir
allow $1_t cron_spool_t:dir setattr;
@@ -55,9 +64,16 @@
domain_use_interactive_fds($1_t)
files_read_etc_files($1_t)
+ files_read_usr_files($1_t)
files_dontaudit_search_pids($1_t)
logging_send_syslog_msg($1_t)
+ logging_send_audit_msgs($1_t)
+ logging_set_loginuid($1_t)
+ auth_domtrans_chk_passwd($1_t)
+
+ init_dontaudit_write_utmp($1_t)
+ init_read_utmp($1_t)
miscfiles_read_localization($1_t)
@@ -147,26 +163,26 @@
#
interface(`cron_unconfined_role',`
gen_require(`
- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
+ type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t;
')
- role $1 types { unconfined_cronjob_t crontab_t };
+ role $1 types { unconfined_cronjob_t admin_crontab_t };
# cronjob shows up in user ps
ps_process_pattern($2, unconfined_cronjob_t)
# Transition from the user domain to the derived domain.
- domtrans_pattern($2, crontab_exec_t, crontab_t)
+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
# crontab shows up in user ps
- ps_process_pattern($2, crontab_t)
- allow $2 crontab_t:process signal;
+ ps_process_pattern($2, admin_crontab_t)
+ allow $2 admin_crontab_t:process signal;
# Run helper programs as the user domain
- #corecmd_bin_domtrans(crontab_t, $2)
- #corecmd_shell_domtrans(crontab_t, $2)
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
+ #corecmd_bin_domtrans(admin_crontab_t, $2)
+ #corecmd_shell_domtrans(admin_crontab_t, $2)
+ corecmd_exec_bin(admin_crontab_t)
+ corecmd_exec_shell(admin_crontab_t)
optional_policy(`
gen_require(`
@@ -261,10 +277,12 @@
allow $1 system_cronjob_t:fifo_file rw_file_perms;
allow $1 system_cronjob_t:process sigchld;
+ domain_auto_trans(crond_t, $2, $1)
allow $1 crond_t:fifo_file rw_file_perms;
allow $1 crond_t:fd use;
allow $1 crond_t:process sigchld;
+ userdom_dontaudit_list_admin_dir($1)
role system_r types $1;
')
@@ -343,6 +361,24 @@
########################################
##
+## Allow read/write unix stream sockets from the system cron jobs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_rw_system_stream_sockets',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+ allow $1 system_cronjob_t:unix_stream_socket { read write };
+')
+
+########################################
+##
## Read and write a cron daemon unnamed pipe.
##
##
@@ -361,7 +397,7 @@
########################################
##
-## Read, and write cron daemon TCP sockets.
+## Dontaudit Read, and write cron daemon TCP sockets.
##
##
##
@@ -369,7 +405,7 @@
##
##
#
-interface(`cron_rw_tcp_sockets',`
+interface(`cron_dontaudit_rw_tcp_sockets',`
gen_require(`
type crond_t;
')
@@ -416,6 +452,42 @@
########################################
##
+## Execute cron in the cron system domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_domtrans',`
+ gen_require(`
+ type system_cronjob_t, crond_exec_t;
+ ')
+
+ domtrans_pattern($1,crond_exec_t,system_cronjob_t)
+')
+
+########################################
+##
+## Execute crond_exec_t
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_exec',`
+ gen_require(`
+ type crond_exec_t;
+ ')
+
+ can_exec($1,crond_exec_t)
+')
+
+########################################
+##
## Inherit and use a file descriptor
## from system cron jobs.
##
@@ -481,11 +553,14 @@
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
- type system_cronjob_tmp_t;
+ type system_cronjob_tmp_t, cron_var_run_t;
')
files_search_tmp($1)
allow $1 system_cronjob_tmp_t:file read_file_perms;
+
+ files_search_pids($1)
+ allow $1 cron_var_run_t:file read_file_perms;
')
########################################
@@ -506,3 +581,101 @@
dontaudit $1 system_cronjob_tmp_t:file append;
')
+
+
+########################################
+##
+## Do not audit attempts to write temporary
+## files from the system cron jobs.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`cron_dontaudit_write_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ type cron_var_run_t;
+ type system_cronjob_var_run_t;
+ ')
+
+ dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+ dontaudit $1 cron_var_run_t:file write_file_perms;
+ ')
+
+########################################
+##
+## Read temporary files from the system cron jobs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_read_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+
+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+########################################
+##
+## Manage files from the system cron jobs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_manage_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+########################################
+##
+## Manage pid files used by cron
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_manage_pid_files',`
+ gen_require(`
+ type crond_var_run_t;
+ ')
+
+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+')
+
+########################################
+##
+## Execute crond server in the nscd domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`cron_initrc_domtrans',`
+ gen_require(`
+ type crond_initrc_exec_t;
+')
+
+ init_labeled_script_domtrans($1, crond_initrc_exec_t)
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.12/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-09 05:33:16.000000000 -0400
@@ -38,6 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
+# var/lib files
+type cron_var_run_t;
+files_type(cron_var_run_t)
+
# var/log files
type cron_log_t;
logging_log_file(cron_log_t)
@@ -56,8 +60,13 @@
domain_interactive_fd(crond_t)
domain_cron_exemption_source(crond_t)
+type crond_initrc_exec_t;
+init_script_file(crond_initrc_exec_t)
+
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
+files_poly_parent(crond_tmp_t)
+mta_system_content(crond_tmp_t)
type crond_var_run_t;
files_pid_file(crond_var_run_t)
@@ -74,6 +83,7 @@
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+allow admin_crontab_t crond_t:process signal;
type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t)
@@ -98,11 +108,18 @@
# Type of user crontabs once moved to cron spool.
type user_cron_spool_t, cron_spool_type;
-typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t };
+typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
files_type(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
+type system_cronjob_var_lib_t;
+files_type(system_cronjob_var_lib_t)
+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
+
+type system_cronjob_var_run_t;
+files_pid_file(system_cronjob_var_run_t)
+
########################################
#
# Admin crontab local policy
@@ -130,7 +147,7 @@
# Cron daemon local policy
#
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
@@ -146,22 +163,23 @@
allow crond_t self:msg { send receive };
allow crond_t self:key { search write link };
-allow crond_t crond_var_run_t:file manage_file_perms;
+manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
files_pid_filetrans(crond_t,crond_var_run_t,file)
-allow crond_t cron_spool_t:dir rw_dir_perms;
-allow crond_t cron_spool_t:file read_file_perms;
+manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
-allow crond_t system_cron_spool_t:dir list_dir_perms;
-allow crond_t system_cron_spool_t:file read_file_perms;
+list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
kernel_read_kernel_sysctls(crond_t)
+kernel_read_fs_sysctls(crond_t)
kernel_search_key(crond_t)
+dev_read_kmsg(crond_t)
dev_read_sysfs(crond_t)
selinux_get_fs_mount(crond_t)
selinux_validate_context(crond_t)
@@ -174,6 +192,7 @@
fs_getattr_all_fs(crond_t)
fs_search_auto_mountpoints(crond_t)
+fs_list_inotifyfs(crond_t)
# need auth_chkpwd to check for locked accounts.
auth_domtrans_chk_passwd(crond_t)
@@ -183,7 +202,11 @@
corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
+domain_subj_id_change_exemption(crond_t)
+domain_role_change_exemption(crond_t)
+files_read_usr_files(crond_t)
+files_read_etc_runtime_files(crond_t)
files_read_etc_files(crond_t)
files_read_generic_spool(crond_t)
files_list_usr(crond_t)
@@ -192,10 +215,15 @@
files_search_default(crond_t)
init_rw_utmp(crond_t)
+init_spec_domtrans_script(crond_t)
auth_use_nsswitch(crond_t)
+logging_send_audit_msgs(crond_t)
logging_send_syslog_msg(crond_t)
+logging_set_loginuid(crond_t)
+
+rpc_search_nfs_state_data(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
@@ -208,6 +236,7 @@
userdom_list_user_home_dirs(crond_t)
mta_send_mail(crond_t)
+mta_system_content(cron_spool_t)
ifdef(`distro_debian',`
# pam_limits is used
@@ -227,21 +256,43 @@
')
')
+tunable_policy(`allow_polyinstantiation',`
+ files_polyinstantiate_all(crond_t)
+')
+
+optional_policy(`
+ apache_search_sys_content(crond_t)
+')
+
optional_policy(`
locallogin_search_keys(crond_t)
locallogin_link_keys(crond_t)
')
+optional_policy(`
+ # these should probably be unconfined_crond_t
+ init_dbus_send_script(crond_t)
+')
+
+optional_policy(`
+ mono_domtrans(crond_t)
+')
+
tunable_policy(`fcron_crond', `
allow crond_t system_cron_spool_t:file manage_file_perms;
')
optional_policy(`
+ amanda_search_var_lib(crond_t)
+')
+
+optional_policy(`
amavis_search_lib(crond_t)
')
optional_policy(`
- hal_dbus_send(crond_t)
+ hal_dbus_chat(crond_t)
+ hal_dbus_chat(system_cronjob_t)
')
optional_policy(`
@@ -268,8 +319,8 @@
# System cron process domain
#
-allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
-allow system_cronjob_t self:process { signal_perms setsched };
+allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
@@ -283,7 +334,14 @@
allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
+allow system_cronjob_t cron_var_run_t:file manage_file_perms;
+files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
+
allow system_cronjob_t system_cron_spool_t:file read_file_perms;
+
+# anacron forces the following
+allow system_cronjob_t system_cron_spool_t:file { write setattr };
+
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
@@ -303,6 +361,7 @@
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
+allow crond_t system_cronjob_t:key manage_key_perms;
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
@@ -314,9 +373,13 @@
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+# var/lib files for system_crond
+files_search_var_lib(system_cronjob_t)
+manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+
# Read from /var/spool/cron.
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
-allow system_cronjob_t cron_spool_t:file read_file_perms;
+allow system_cronjob_t cron_spool_t:file rw_file_perms;
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
@@ -370,7 +433,8 @@
init_read_utmp(system_cronjob_t)
init_dontaudit_rw_utmp(system_cronjob_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
-init_write_initctl(system_cronjob_t)
+init_telinit(system_cronjob_t)
+init_spec_domtrans_script(system_cronjob_t)
auth_use_nsswitch(system_cronjob_t)
@@ -378,6 +442,7 @@
libs_exec_ld_so(system_cronjob_t)
logging_read_generic_logs(system_cronjob_t)
+logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
miscfiles_read_localization(system_cronjob_t)
@@ -418,6 +483,10 @@
')
optional_policy(`
+ dbus_system_bus_client(system_cronjob_t)
+')
+
+optional_policy(`
ftp_read_log(system_cronjob_t)
')
@@ -428,11 +497,20 @@
')
optional_policy(`
+ lpd_list_spool(system_cronjob_t)
+')
+
+optional_policy(`
+ mono_domtrans(system_cronjob_t)
+')
+
+optional_policy(`
mrtg_append_create_logs(system_cronjob_t)
')
optional_policy(`
mta_send_mail(system_cronjob_t)
+ mta_system_content(system_cron_spool_t)
')
optional_policy(`
@@ -447,6 +525,7 @@
prelink_read_cache(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_delete_cache(system_cronjob_t)
+ prelink_manage_var_lib(system_cronjob_t)
')
optional_policy(`
@@ -460,8 +539,7 @@
')
optional_policy(`
- # cjp: why?
- squid_domtrans(system_cronjob_t)
+ spamassassin_manage_lib_files(system_cronjob_t)
')
optional_policy(`
@@ -469,24 +547,17 @@
')
optional_policy(`
+ unconfined_dbus_send(crond_t)
+ unconfined_shell_domtrans(crond_t)
+ unconfined_domain(crond_t)
unconfined_domain(system_cronjob_t)
- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
-')
-
-ifdef(`TODO',`
-ifdef(`mta.te', `
-allow system_cronjob_t mail_spool_t:lnk_file read;
-allow mta_user_agent system_cronjob_t:fd use;
-r_dir_file(system_mail_t, crond_tmp_t)
')
-') dnl end TODO
########################################
#
# User cronjobs local policy
#
-allow cronjob_t self:capability dac_override;
allow cronjob_t self:process { signal_perms setsched };
allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
@@ -570,6 +641,9 @@
userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+
tunable_policy(`fcron_crond', `
allow crond_t user_cron_spool_t:file manage_file_perms;
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.12/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/cups.fc 2009-04-07 16:01:44.000000000 -0400
@@ -5,27 +5,38 @@
/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
+
+/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
+# keep as separate lines to ensure proper sorting
+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
@@ -33,7 +44,7 @@
/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/share/hplip/hpssd\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -43,10 +54,19 @@
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.6.12/policy/modules/services/cups.if
--- nsaserefpolicy/policy/modules/services/cups.if 2008-11-11 16:13:47.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/cups.if 2009-04-07 16:01:44.000000000 -0400
@@ -20,6 +20,30 @@
########################################
##
+## Setup cups to transtion to the cups backend domain
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`cups_backend',`
+ gen_require(`
+ type cupsd_t;
+ ')
+
+ domtrans_pattern(cupsd_t, $2, $1)
+
+ allow cupsd_t $1:process signal;
+ allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms;
+
+ cups_read_config($1)
+ cups_append_log($1)
+')
+
+########################################
+##
## Connect to cupsd over an unix domain stream socket.
##
##
@@ -212,6 +236,25 @@
########################################
##
+## Append cups log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cups_append_log',`
+ gen_require(`
+ type cupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, cupsd_log_t, cupsd_log_t)
+')
+
+########################################
+##
## Write cups log files.
##
##
@@ -247,3 +290,66 @@
files_search_pids($1)
stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t)
')
+
+########################################
+##
+## All of the rules required to administrate
+## an cups environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the cups domain.
+##
+##
+##
+#
+interface(`cups_admin',`
+ gen_require(`
+ type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
+ type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
+ type cupsd_var_run_t, ptal_etc_t;
+ type ptal_var_run_t, hplip_var_run_t;
+ type cupsd_initrc_exec_t;
+ ')
+
+ allow $1 cupsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cupsd_t)
+
+ init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cupsd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, cupsd_tmp_t)
+
+ admin_pattern($1, cupsd_lpd_tmp_t)
+
+ files_list_etc($1)
+ admin_pattern($1, cupsd_etc_t)
+
+ admin_pattern($1, ptal_etc_t)
+
+ files_list_spool($1)
+ admin_pattern($1, cupsd_spool_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, cupsd_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, cupsd_var_run_t)
+
+ admin_pattern($1, ptal_var_run_t)
+
+ admin_pattern($1, cupsd_config_var_run_t)
+
+ admin_pattern($1, cupsd_lpd_var_run_t)
+
+ admin_pattern($1, hplip_var_run_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.12/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/cups.te 2009-04-08 08:57:24.000000000 -0400
@@ -20,9 +20,18 @@
type cupsd_etc_t;
files_config_file(cupsd_etc_t)
+type cupsd_initrc_exec_t;
+init_script_file(cupsd_initrc_exec_t)
+
+type cupsd_interface_t;
+files_type(cupsd_interface_t)
+
type cupsd_rw_etc_t;
files_config_file(cupsd_rw_etc_t)
+type cupsd_lock_t;
+files_lock_file(cupsd_lock_t)
+
type cupsd_log_t;
logging_log_file(cupsd_log_t)
@@ -48,6 +57,10 @@
type hplip_t;
type hplip_exec_t;
init_daemon_domain(hplip_t, hplip_exec_t)
+# For CUPS to run as a backend
+cups_backend(hplip_t, hplip_exec_t)
+domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
type hplip_etc_t;
files_config_file(hplip_etc_t)
@@ -55,6 +68,9 @@
type hplip_var_run_t;
files_pid_file(hplip_var_run_t)
+type hplip_tmp_t;
+files_tmp_file(hplip_tmp_t)
+
type ptal_t;
type ptal_exec_t;
init_daemon_domain(ptal_t, ptal_exec_t)
@@ -65,6 +81,16 @@
type ptal_var_run_t;
files_pid_file(ptal_var_run_t)
+type cups_pdf_t;
+type cups_pdf_exec_t;
+domain_type(cups_pdf_t)
+domain_entry_file(cups_pdf_t, cups_pdf_exec_t)
+cups_backend(cups_pdf_t, cups_pdf_exec_t)
+role system_r types cups_pdf_t;
+
+type cups_pdf_tmp_t;
+files_tmp_file(cups_pdf_tmp_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
')
@@ -79,13 +105,14 @@
#
# /usr/lib/cups/backend/serial needs sys_admin(?!)
-allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
+allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
-allow cupsd_t self:process { setsched signal_perms };
-allow cupsd_t self:fifo_file rw_file_perms;
+allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
+allow cupsd_t self:fifo_file rw_fifo_file_perms;
allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow cupsd_t self:unix_dgram_socket create_socket_perms;
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+allow cupsd_t self:shm create_shm_perms;
allow cupsd_t self:tcp_socket create_stream_socket_perms;
allow cupsd_t self:udp_socket create_socket_perms;
allow cupsd_t self:appletalk_socket create_socket_perms;
@@ -97,6 +124,9 @@
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
files_search_etc(cupsd_t)
+manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
+can_exec(cupsd_t, cupsd_interface_t)
+
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
@@ -104,8 +134,11 @@
# allow cups to execute its backend scripts
can_exec(cupsd_t, cupsd_exec_t)
-allow cupsd_t cupsd_exec_t:dir search;
-allow cupsd_t cupsd_exec_t:lnk_file read;
+allow cupsd_t cupsd_exec_t:dir search_dir_perms;
+allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
+
+allow cupsd_t cupsd_lock_t:file manage_file_perms;
+files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
allow cupsd_t cupsd_log_t:dir setattr;
@@ -116,13 +149,20 @@
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
+# This whole section needs to be moved to a smbspool policy
+# smbspool seems to be iterating through all existing tmp files.
+# Looking for kerberos files
+files_getattr_all_tmp_files(cupsd_t)
+userdom_read_user_tmp_files(cupsd_t)
+files_dontaudit_getattr_all_tmp_sockets(cupsd_t)
+
allow cupsd_t cupsd_var_run_t:dir setattr;
manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+manage_fifo_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
files_pid_filetrans(cupsd_t, cupsd_var_run_t, file)
-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
-
+allow cupsd_t hplip_t:process {signal sigkill };
allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
@@ -149,44 +189,49 @@
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
+corenet_tcp_connect_smbd_port(cupsd_t)
corenet_sendrecv_hplip_client_packets(cupsd_t)
corenet_sendrecv_ipp_client_packets(cupsd_t)
corenet_sendrecv_ipp_server_packets(cupsd_t)
+corenet_tcp_bind_all_rpc_ports(cupsd_t)
dev_rw_printer(cupsd_t)
dev_read_urand(cupsd_t)
dev_read_sysfs(cupsd_t)
-dev_read_usbfs(cupsd_t)
+dev_rw_input_dev(cupsd_t) #447878
+dev_rw_generic_usb_dev(cupsd_t)
+dev_rw_usbfs(cupsd_t)
dev_getattr_printer_dev(cupsd_t)
domain_read_all_domains_state(cupsd_t)
fs_getattr_all_fs(cupsd_t)
fs_search_auto_mountpoints(cupsd_t)
+fs_read_anon_inodefs_files(cupsd_t)
+mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
mls_file_write_all_levels(cupsd_t)
mls_file_read_all_levels(cupsd_t)
+mls_rangetrans_target(cupsd_t)
mls_socket_write_all_levels(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
term_search_ptys(cupsd_t)
-auth_domtrans_chk_passwd(cupsd_t)
-auth_dontaudit_read_pam_pid(cupsd_t)
-
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
corecmd_exec_shell(cupsd_t)
corecmd_exec_bin(cupsd_t)
domain_use_interactive_fds(cupsd_t)
+files_list_spool(cupsd_t)
files_read_etc_files(cupsd_t)
files_read_etc_runtime_files(cupsd_t)
# read python modules
files_read_usr_files(cupsd_t)
# for /var/lib/defoma
-files_search_var_lib(cupsd_t)
+files_read_var_lib_files(cupsd_t)
files_list_world_readable(cupsd_t)
files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
@@ -195,15 +240,16 @@
files_read_var_symlinks(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
-# smbspool seems to be iterating through all existing tmp files.
-# redhat bug #214953
-# cjp: this might be a broken behavior
-files_dontaudit_getattr_all_tmp_files(cupsd_t)
selinux_compute_access_vector(cupsd_t)
+selinux_validate_context(cupsd_t)
init_exec_script_files(cupsd_t)
+init_read_utmp(cupsd_t)
+auth_domtrans_chk_passwd(cupsd_t)
+auth_dontaudit_read_pam_pid(cupsd_t)
+auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
@@ -217,17 +263,21 @@
miscfiles_read_fonts(cupsd_t)
seutil_read_config(cupsd_t)
+sysnet_exec_ifconfig(cupsd_t)
-sysnet_read_config(cupsd_t)
-
+files_dontaudit_list_home(cupsd_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_user_home_content(cupsd_t)
# Write to /var/spool/cups.
lpd_manage_spool(cupsd_t)
+lpd_read_config(cupsd_t)
+lpd_exec_lpr(cupsd_t)
+lpd_relabel_spool(cupsd_t)
ifdef(`enable_mls',`
- lpd_relabel_spool(cupsd_t)
+ mls_trusted_object(cupsd_var_run_t)
+ init_ranged_daemon_domain(cupsd_t, cupsd_exec_t,mls_systemhigh)
')
optional_policy(`
@@ -244,8 +294,16 @@
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
+ avahi_dbus_chat(cupsd_t)
+ ')
+
+ optional_policy(`
hal_dbus_chat(cupsd_t)
')
+
+ optional_policy(`
+ unconfined_dbus_chat(cupsd_t)
+ ')
')
optional_policy(`
@@ -261,6 +319,10 @@
')
optional_policy(`
+ mta_send_mail(cupsd_t)
+')
+
+optional_policy(`
# cups execs smbtool which reads samba_etc_t files
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
@@ -279,7 +341,7 @@
# Cups configuration daemon local policy
#
-allow cupsd_config_t self:capability { chown sys_tty_config };
+allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
dontaudit cupsd_config_t self:capability sys_tty_config;
allow cupsd_config_t self:process signal_perms;
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
@@ -302,8 +364,10 @@
allow cupsd_config_t cupsd_log_t:file rw_file_perms;
-allow cupsd_config_t cupsd_tmp_t:file manage_file_perms;
-files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
+manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -311,7 +375,7 @@
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
kernel_read_system_state(cupsd_config_t)
-kernel_read_kernel_sysctls(cupsd_config_t)
+kernel_read_all_sysctls(cupsd_config_t)
corenet_all_recvfrom_unlabeled(cupsd_config_t)
corenet_all_recvfrom_netlabel(cupsd_config_t)
@@ -324,6 +388,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
+dev_rw_generic_usb_dev(cupsd_config_t)
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
@@ -341,13 +406,14 @@
files_read_var_symlinks(cupsd_config_t)
# Alternatives asks for this
-init_getattr_script_files(cupsd_config_t)
+init_getattr_all_script_files(cupsd_config_t)
auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
miscfiles_read_localization(cupsd_config_t)
+miscfiles_read_hwdata(cupsd_config_t)
seutil_dontaudit_search_config(cupsd_config_t)
@@ -359,14 +425,16 @@
lpd_read_config(cupsd_config_t)
ifdef(`distro_redhat',`
- init_getattr_script_files(cupsd_config_t)
-
optional_policy(`
rpm_read_db(cupsd_config_t)
')
')
optional_policy(`
+ term_use_generic_ptys(cupsd_config_t)
+')
+
+optional_policy(`
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
@@ -382,6 +450,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
+ hal_dontaudit_use_fds(hplip_t)
')
optional_policy(`
@@ -491,7 +560,10 @@
allow hplip_t self:udp_socket create_socket_perms;
allow hplip_t self:rawip_socket create_socket_perms;
-allow hplip_t cupsd_etc_t:dir search;
+allow hplip_t cupsd_etc_t:dir search_dir_perms;
+manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir })
cups_stream_connect(hplip_t)
@@ -500,6 +572,13 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
+fs_rw_anon_inodefs_files(hplip_t)
+
+read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+
+manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
+files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
+
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
@@ -529,7 +608,8 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
-dev_read_usbfs(hplip_t)
+dev_rw_usbfs(hplip_t)
+
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
@@ -553,7 +633,9 @@
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
-lpd_read_config(cupsd_t)
+
+lpd_read_config(hplip_t)
+lpd_manage_spool(hplip_t)
optional_policy(`
dbus_system_bus_client(hplip_t)
@@ -635,3 +717,49 @@
optional_policy(`
udev_read_db(ptal_t)
')
+
+########################################
+#
+# cups_pdf local policy
+#
+
+allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override };
+
+allow cups_pdf_t self:fifo_file rw_file_perms;
+allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(cups_pdf_t)
+files_read_usr_files(cups_pdf_t)
+
+kernel_read_system_state(cups_pdf_t)
+
+auth_use_nsswitch(cups_pdf_t)
+
+corecmd_exec_shell(cups_pdf_t)
+corecmd_exec_bin(cups_pdf_t)
+
+miscfiles_read_localization(cups_pdf_t)
+
+manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
+manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
+files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
+
+userdom_home_filetrans_user_home_dir(cups_pdf_t)
+userdom_manage_user_home_content_dirs(cups_pdf_t)
+userdom_manage_user_home_content_files(cups_pdf_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(cups_pdf_t)
+ fs_manage_nfs_files(cups_pdf_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(cups_pdf_t)
+ fs_manage_cifs_files(cups_pdf_t)
+')
+
+lpd_manage_spool(cups_pdf_t)
+
+manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
+miscfiles_read_fonts(cups_pdf_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.12/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2009-03-23 13:47:11.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/cvs.te 2009-04-07 16:01:44.000000000 -0400
@@ -112,4 +112,5 @@
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.6.12/policy/modules/services/dbus.fc
--- nsaserefpolicy/policy/modules/services/dbus.fc 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/dbus.fc 2009-04-07 16:01:44.000000000 -0400
@@ -4,6 +4,9 @@
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+
/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.12/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/dbus.if 2009-04-13 10:31:12.000000000 -0400
@@ -44,6 +44,7 @@
attribute session_bus_type;
type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+ type $1_t;
')
##############################
@@ -76,7 +77,7 @@
allow $3 $1_dbusd_t:unix_stream_socket connectto;
# SE-DBus specific permissions
- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
@@ -91,7 +92,7 @@
allow $3 $1_dbusd_t:process { sigkill signal };
# cjp: this seems very broken
- corecmd_bin_domtrans($1_dbusd_t, $3)
+ corecmd_bin_domtrans($1_dbusd_t, $1_t)
allow $1_dbusd_t $3:process sigkill;
allow $3 $1_dbusd_t:fd use;
allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
@@ -117,6 +118,7 @@
dev_read_urand($1_dbusd_t)
domain_use_interactive_fds($1_dbusd_t)
+ domain_read_all_domains_state($1_dbusd_t)
files_read_etc_files($1_dbusd_t)
files_list_home($1_dbusd_t)
@@ -145,7 +147,10 @@
seutil_read_config($1_dbusd_t)
seutil_read_default_contexts($1_dbusd_t)
+ term_use_all_terms($1_dbusd_t)
+
userdom_read_user_home_content_files($1_dbusd_t)
+ userdom_dontaudit_search_admin_dir($1_dbusd_t)
ifdef(`hide_broken_symptoms', `
dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
@@ -160,6 +165,10 @@
')
optional_policy(`
+ gnome_read_gconf_home_files($1_dbusd_t)
+ ')
+
+ optional_policy(`
hal_dbus_chat($1_dbusd_t)
')
@@ -185,10 +194,12 @@
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
+ attribute dbusd_unconfined;
')
# SE-DBus specific permissions
- allow $1 { system_dbusd_t self }:dbus send_msg;
+ allow $1 { system_dbusd_t self dbusd_unconfined }:dbus send_msg;
+ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
@@ -197,6 +208,10 @@
files_search_pids($1)
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
dbus_read_config($1)
+
+ optional_policy(`
+ rpm_script_dbus_chat($1)
+ ')
')
#######################################
@@ -244,6 +259,35 @@
########################################
##
+## Chat on user/application specific DBUS.
+##
+##
+##
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`dbus_chat_user_bus',`
+ gen_require(`
+ type $1_t;
+ type $1_dbusd_t;
+ class dbus send_msg;
+ ')
+
+ allow $2 $1_dbusd_t:dbus send_msg;
+ allow $1_dbusd_t $2:dbus send_msg;
+ allow $2 $1_t:dbus send_msg;
+ allow $1_t $2:dbus send_msg;
+')
+
+########################################
+##
## Read dbus configuration.
##
##
@@ -318,3 +362,79 @@
allow $1 system_dbusd_t:dbus *;
')
+
+########################################
+##
+## Allow unconfined access to the system DBUS.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_unconfined',`
+ gen_require(`
+ attribute dbusd_unconfined;
+ ')
+
+ typeattribute $1 dbusd_unconfined;
+')
+
+########################################
+##
+## Create a domain for processes
+## which can be started by the system dbus
+##
+##
+##
+## Type to be used as a domain.
+##
+##
+##
+##
+## Type of the program to be used as an entry point to this domain.
+##
+##
+#
+interface(`dbus_system_domain',`
+ gen_require(`
+ type system_dbusd_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(system_dbusd_t, $2, $1)
+
+ dbus_system_bus_client($1)
+ dbus_connect_system_bus($1)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+ ');
+
+ userdom_dontaudit_search_admin_dir($1)
+')
+
+########################################
+##
+## Dontaudit Read, and write system dbus TCP sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ allow $1 system_dbusd_t:tcp_socket { read write };
+ allow $1 system_dbusd_t:fd use;
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.12/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/dbus.te 2009-04-07 16:01:44.000000000 -0400
@@ -9,14 +9,15 @@
#
# Delcarations
#
-
+attribute dbusd_unconfined;
attribute session_bus_type;
type dbusd_etc_t;
-files_type(dbusd_etc_t)
+files_config_file(dbusd_etc_t)
type dbusd_exec_t;
corecmd_executable_file(dbusd_exec_t)
+typealias dbusd_exec_t alias system_dbusd_exec_t;
type session_dbusd_tmp_t;
typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
@@ -31,11 +32,25 @@
files_tmp_file(system_dbusd_tmp_t)
type system_dbusd_var_lib_t;
-files_pid_file(system_dbusd_var_lib_t)
+files_type(system_dbusd_var_lib_t)
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(system_dbusd_t, dbusd_exec_t,s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(system_dbusd_t, dbusd_exec_t,s0 - mls_systemhigh)
+ mls_fd_use_all_levels(system_dbusd_t)
+ mls_rangetrans_target(system_dbusd_t)
+ mls_file_read_all_levels(system_dbusd_t)
+ mls_socket_write_all_levels(system_dbusd_t)
+ mls_socket_read_to_clearance(system_dbusd_t)
+ mls_dbus_recv_all_levels(system_dbusd_t)
+')
+
##############################
#
# System bus local policy
@@ -45,7 +60,7 @@
# cjp: dac_override should probably go in a distro_debian
allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
-allow system_dbusd_t self:process { getattr signal_perms setcap };
+allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
@@ -53,6 +68,8 @@
# Receive notifications of policy reloads and enforcing status changes.
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
+can_exec(system_dbusd_t, dbusd_exec_t)
+
allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
@@ -75,6 +92,8 @@
fs_getattr_all_fs(system_dbusd_t)
fs_search_auto_mountpoints(system_dbusd_t)
+fs_list_inotifyfs(system_dbusd_t)
+fs_dontaudit_list_nfs(system_dbusd_t)
selinux_get_fs_mount(system_dbusd_t)
selinux_validate_context(system_dbusd_t)
@@ -91,9 +110,9 @@
corecmd_list_bin(system_dbusd_t)
corecmd_read_bin_pipes(system_dbusd_t)
corecmd_read_bin_sockets(system_dbusd_t)
-corecmd_exec_bin(system_dbusd_t)
domain_use_interactive_fds(system_dbusd_t)
+domain_read_all_domains_state(system_dbusd_t)
files_read_etc_files(system_dbusd_t)
files_list_home(system_dbusd_t)
@@ -101,6 +120,8 @@
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
+init_bin_domtrans_spec(system_dbusd_t)
+init_domtrans_script(system_dbusd_t)
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
@@ -128,9 +149,38 @@
')
optional_policy(`
+ gnome_exec_gconf(system_dbusd_t)
+')
+
+optional_policy(`
+ networkmanager_initrc_domtrans(system_dbusd_t)
+')
+
+optional_policy(`
+ polkit_domtrans_auth(system_dbusd_t)
+ polkit_search_lib(system_dbusd_t)
+')
+
+optional_policy(`
sysnet_domtrans_dhcpc(system_dbusd_t)
')
optional_policy(`
udev_read_db(system_dbusd_t)
')
+
+optional_policy(`
+ gen_require(`
+ type unconfined_dbusd_t;
+ ')
+ unconfined_domain(unconfined_dbusd_t)
+ unconfined_execmem_domtrans(unconfined_dbusd_t)
+
+ optional_policy(`
+ xserver_rw_shm(unconfined_dbusd_t)
+ ')
+')
+
+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.fc serefpolicy-3.6.12/policy/modules/services/dcc.fc
--- nsaserefpolicy/policy/modules/services/dcc.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/dcc.fc 2009-04-07 16:01:44.000000000 -0400
@@ -12,6 +12,8 @@
/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
/var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
/var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.12/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/dcc.te 2009-04-07 16:01:44.000000000 -0400
@@ -137,6 +137,7 @@
corenet_all_recvfrom_unlabeled(dcc_client_t)
corenet_all_recvfrom_netlabel(dcc_client_t)
+corenet_udp_bind_generic_node(dcc_client_t)
corenet_udp_sendrecv_generic_if(dcc_client_t)
corenet_udp_sendrecv_generic_node(dcc_client_t)
corenet_udp_sendrecv_all_ports(dcc_client_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.12/policy/modules/services/devicekit.fc
--- nsaserefpolicy/policy/modules/services/devicekit.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/devicekit.fc 2009-04-11 06:40:12.000000000 -0400
@@ -0,0 +1,9 @@
+
+/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
+/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+
+/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+
+/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.12/policy/modules/services/devicekit.if
--- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/devicekit.if 2009-04-09 05:23:51.000000000 -0400
@@ -0,0 +1,197 @@
+
+## policy for devicekit
+
+########################################
+##
+## Execute a domain transition to run devicekit.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`devicekit_domtrans',`
+ gen_require(`
+ type devicekit_t;
+ type devicekit_exec_t;
+ ')
+
+ domtrans_pattern($1,devicekit_exec_t,devicekit_t)
+')
+
+
+########################################
+##
+## Read devicekit PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_read_pid_files',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+')
+
+########################################
+##
+## Manage devicekit var_run files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_manage_var_run',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ manage_dirs_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
+ manage_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
+ manage_lnk_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
+')
+
+
+########################################
+##
+## Send and receive messages from
+## devicekit over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_dbus_chat',`
+ gen_require(`
+ type devicekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_t:dbus send_msg;
+ allow devicekit_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Send signal devicekit power
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_power_signal',`
+ gen_require(`
+ type devicekit_power_t;
+ ')
+
+ allow $1 devicekit_power_t:process signal;
+')
+
+########################################
+##
+## Send and receive messages from
+## devicekit power over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_power_dbus_chat',`
+ gen_require(`
+ type devicekit_power_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_power_t:dbus send_msg;
+ allow devicekit_power_t $1:dbus send_msg;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an devicekit environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the devicekit domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`devicekit_admin',`
+ gen_require(`
+ type devicekit_t;
+ ')
+
+ allow $1 devicekit_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, devicekit_t, devicekit_t)
+
+
+ devicekit_manage_var_run($1)
+
+')
+
+########################################
+##
+## Send to devicekit over a unix domain
+## datagram socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_dgram_send',`
+ gen_require(`
+ type devicekit_t;
+ ')
+
+ allow $1 devicekit_t:unix_dgram_socket sendto;
+')
+
+########################################
+##
+## Send and receive messages from
+## devicekit disk over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_disk_dbus_chat',`
+ gen_require(`
+ type devicekit_disk_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_disk_t:dbus send_msg;
+ allow devicekit_disk_t $1:dbus send_msg;
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-04-13 08:28:53.000000000 -0400
@@ -0,0 +1,237 @@
+policy_module(devicekit,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type devicekit_t;
+type devicekit_exec_t;
+dbus_system_domain(devicekit_t, devicekit_exec_t)
+
+type devicekit_power_t;
+type devicekit_power_exec_t;
+dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+
+type devicekit_disk_t;
+type devicekit_disk_exec_t;
+dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
+
+type devicekit_tmp_t;
+files_tmp_file(devicekit_tmp_t)
+
+type devicekit_var_run_t;
+files_pid_file(devicekit_var_run_t)
+
+type devicekit_var_lib_t;
+files_type(devicekit_var_lib_t)
+
+#
+# DeviceKit local policy
+#
+allow devicekit_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
+manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
+files_pid_filetrans(devicekit_t,devicekit_var_run_t, { file dir })
+
+dev_read_sysfs(devicekit_t)
+dev_read_urand(devicekit_t)
+
+files_read_etc_files(devicekit_t)
+
+fs_list_inotifyfs(devicekit_t)
+
+miscfiles_read_localization(devicekit_t)
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_t)
+')
+
+optional_policy(`
+ udev_read_db(devicekit_t)
+')
+
+#
+# DeviceKit-Power local policy
+#
+allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice };
+allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
+allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
+files_read_kernel_img(devicekit_power_t)
+
+corecmd_exec_bin(devicekit_power_t)
+corecmd_exec_shell(devicekit_power_t)
+
+consoletype_exec(devicekit_power_t)
+
+domain_read_all_domains_state(devicekit_power_t)
+
+kernel_read_network_state(devicekit_power_t)
+kernel_read_system_state(devicekit_power_t)
+kernel_rw_hotplug_sysctls(devicekit_power_t)
+kernel_rw_kernel_sysctl(devicekit_power_t)
+kernel_write_proc_files(devicekit_power_t)
+
+dev_rw_generic_usb_dev(devicekit_power_t)
+dev_rw_netcontrol(devicekit_power_t)
+dev_rw_sysfs(devicekit_power_t)
+
+files_read_etc_files(devicekit_power_t)
+files_read_usr_files(devicekit_power_t)
+
+fs_list_inotifyfs(devicekit_power_t)
+
+term_use_all_terms(devicekit_power_t)
+
+auth_use_nsswitch(devicekit_power_t)
+
+miscfiles_read_localization(devicekit_power_t)
+
+userdom_read_all_users_state(devicekit_power_t)
+
+optional_policy(`
+ hal_domtrans_mac(devicekit_power_t)
+ hal_create_log(devicekit_power_t)
+ hal_manage_pid_dirs(devicekit_power_t)
+ hal_manage_pid_files(devicekit_power_t)
+ hal_dbus_chat(devicekit_power_t)
+')
+
+optional_policy(`
+ cron_initrc_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ polkit_domtrans_auth(devicekit_power_t)
+ polkit_read_lib(devicekit_power_t)
+ polkit_read_reload(devicekit_power_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_power_t)
+ allow devicekit_power_t devicekit_t:dbus send_msg;
+ allow devicekit_t devicekit_power_t:dbus send_msg;
+
+ optional_policy(`
+ consolekit_dbus_chat(devicekit_power_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(devicekit_power_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat(devicekit_power_t)
+ ')
+')
+
+optional_policy(`
+ bootloader_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ fstools_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(devicekit_power_t)
+')
+#
+# DeviceKit disk local policy
+#
+
+allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { file dir })
+
+manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
+
+corecmd_exec_bin(devicekit_disk_t)
+
+dev_rw_sysfs(devicekit_disk_t)
+dev_read_urand(devicekit_disk_t)
+dev_getattr_usbfs_dirs(devicekit_disk_t)
+dev_manage_generic_files(devicekit_disk_t)
+
+kernel_read_software_raid_state(devicekit_disk_t)
+kernel_setsched(devicekit_disk_t)
+
+files_manage_mnt_dirs(devicekit_disk_t)
+files_read_etc_files(devicekit_disk_t)
+files_read_etc_runtime_files(devicekit_disk_t)
+files_read_usr_files(devicekit_disk_t)
+files_manage_isid_type_dirs(devicekit_disk_t)
+
+fs_list_inotifyfs(devicekit_disk_t)
+fs_mount_all_fs(devicekit_disk_t)
+fs_unmount_all_fs(devicekit_disk_t)
+
+storage_raw_read_fixed_disk(devicekit_disk_t)
+storage_raw_write_fixed_disk(devicekit_disk_t)
+storage_raw_read_removable_device(devicekit_disk_t)
+storage_raw_write_removable_device(devicekit_disk_t)
+
+term_use_all_terms(devicekit_disk_t)
+
+auth_use_nsswitch(devicekit_disk_t)
+
+miscfiles_read_localization(devicekit_disk_t)
+
+userdom_read_all_users_state(devicekit_disk_t)
+userdom_search_user_home_dirs(devicekit_disk_t)
+
+optional_policy(`
+ fstools_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ lvm_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ polkit_domtrans_auth(devicekit_disk_t)
+ polkit_read_lib(devicekit_disk_t)
+ polkit_read_reload(devicekit_disk_t)
+')
+
+optional_policy(`
+ mount_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_disk_t)
+ allow devicekit_disk_t devicekit_t:dbus send_msg;
+ allow devicekit_t devicekit_disk_t:dbus send_msg;
+
+ optional_policy(`
+ consolekit_dbus_chat(devicekit_disk_t)
+ ')
+')
+
+optional_policy(`
+ udev_domtrans(devicekit_disk_t)
+ udev_read_db(devicekit_disk_t)
+')
+
+
+ifdef(`TESTING',`
+ permissive devicekit_t;
+ permissive devicekit_power_t;
+ permissive devicekit_disk_t;
+',`
+optional_policy(`
+ unconfined_domain(devicekit_t)
+ unconfined_domain(devicekit_power_t)
+ unconfined_domain(devicekit_disk_t)
+')
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.12/policy/modules/services/dhcp.if
--- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/dhcp.if 2009-04-07 16:01:44.000000000 -0400
@@ -22,6 +22,25 @@
########################################
##
+## Execute dhcp server in the dhcp domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`dhcpd_initrc_domtrans',`
+ gen_require(`
+ type dhcpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+')
+
+########################################
+##
## All of the rules required to administrate
## an dhcp environment
##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.6.12/policy/modules/services/dnsmasq.if
--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2009-03-23 13:47:11.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.if 2009-04-07 16:01:44.000000000 -0400
@@ -22,6 +22,25 @@
########################################
##
+## Execute dnsmasq server in the dnsmasq domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`dnsmasq_initrc_domtrans',`
+ gen_require(`
+ type dnsmasq_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+')
+
+########################################
+##
## Send dnsmasq a signal
##
##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.12/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-03-23 13:47:11.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.te 2009-04-07 16:01:44.000000000 -0400
@@ -42,8 +42,7 @@
files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
kernel_read_kernel_sysctls(dnsmasq_t)
-kernel_list_proc(dnsmasq_t)
-kernel_read_proc_symlinks(dnsmasq_t)
+kernel_read_system_state(dnsmasq_t)
corenet_all_recvfrom_unlabeled(dnsmasq_t)
corenet_all_recvfrom_netlabel(dnsmasq_t)
@@ -84,6 +83,14 @@
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
optional_policy(`
+ cron_manage_pid_files(dnsmasq_t)
+')
+
+optional_policy(`
+ tftp_read_content(dnsmasq_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(dnsmasq_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.12/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-11-11 16:13:47.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/dovecot.fc 2009-04-07 16:01:44.000000000 -0400
@@ -6,6 +6,7 @@
/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
#
# /usr
@@ -17,19 +18,22 @@
ifdef(`distro_debian', `
/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
')
ifdef(`distro_redhat', `
/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
')
#
# /var
#
/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
-# this is a hard link to /var/lib/dovecot/ssl-parameters.dat
-/var/run/dovecot/login/ssl-parameters.dat gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
+
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.6.12/policy/modules/services/dovecot.if
--- nsaserefpolicy/policy/modules/services/dovecot.if 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/dovecot.if 2009-04-07 16:01:44.000000000 -0400
@@ -21,7 +21,46 @@
########################################
##
-## Do not audit attempts to delete dovecot lib files.
+## Connect to dovecot auth unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`dovecot_auth_stream_connect',`
+ gen_require(`
+ type dovecot_auth_t, dovecot_var_run_t;
+ ')
+
+ allow $1 dovecot_var_run_t:dir search;
+ allow $1 dovecot_var_run_t:sock_file write;
+ allow $1 dovecot_auth_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Execute dovecot_deliver in the dovecot_deliver domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dovecot_domtrans_deliver',`
+ gen_require(`
+ type dovecot_deliver_t, dovecot_deliver_exec_t;
+ ')
+
+ domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
+')
+
+#######################################
+##
+## Do not audit attempts to d`elete dovecot lib files.
##
##
##
@@ -36,3 +75,60 @@
dontaudit $1 dovecot_var_lib_t:file unlink;
')
+
+########################################
+##
+## All of the rules required to administrate
+## an dovecot environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the dovecot domain.
+##
+##
+##
+#
+interface(`dovecot_admin',`
+ gen_require(`
+ type dovecot_t, dovecot_etc_t, dovecot_log_t;
+ type dovecot_spool_t, dovecot_var_lib_t;
+ type dovecot_var_run_t;
+
+ type dovecot_cert_t, dovecot_passwd_t;
+ type dovecot_initrc_exec_t;
+ ')
+
+ allow $1 dovecot_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dovecot_t)
+
+ init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dovecot_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, dovecot_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, dovecot_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, dovecot_spool_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, dovecot_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dovecot_var_run_t)
+
+ admin_pattern($1, dovecot_cert_t)
+
+ admin_pattern($1, dovecot_passwd_t)
+')
+
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.12/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/dovecot.te 2009-04-07 16:01:44.000000000 -0400
@@ -15,12 +15,21 @@
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
+type dovecot_deliver_t;
+type dovecot_deliver_exec_t;
+domain_type(dovecot_deliver_t)
+domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
+role system_r types dovecot_deliver_t;
+
type dovecot_cert_t;
files_type(dovecot_cert_t)
type dovecot_etc_t;
files_config_file(dovecot_etc_t)
+type dovecot_initrc_exec_t;
+init_script_file(dovecot_initrc_exec_t)
+
type dovecot_passwd_t;
files_type(dovecot_passwd_t)
@@ -31,9 +40,15 @@
type dovecot_var_lib_t;
files_type(dovecot_var_lib_t)
+type dovecot_var_log_t;
+logging_log_file(dovecot_var_log_t)
+
type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)
+type dovecot_auth_tmp_t;
+files_tmp_file(dovecot_auth_tmp_t)
+
########################################
#
# dovecot local policy
@@ -58,6 +73,10 @@
can_exec(dovecot_t, dovecot_exec_t)
+# log files
+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)
+
manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
@@ -85,6 +104,7 @@
dev_read_urand(dovecot_t)
fs_getattr_all_fs(dovecot_t)
+fs_getattr_all_dirs(dovecot_t)
fs_search_auto_mountpoints(dovecot_t)
fs_list_inotifyfs(dovecot_t)
@@ -98,7 +118,7 @@
files_dontaudit_list_default(dovecot_t)
# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
files_read_etc_runtime_files(dovecot_t)
-files_getattr_all_mountpoints(dovecot_t)
+files_search_all_mountpoints(dovecot_t)
init_getattr_utmp(dovecot_t)
@@ -120,7 +140,7 @@
mta_manage_spool(dovecot_t)
optional_policy(`
- kerberos_use(dovecot_t)
+ kerberos_keytab_template(dovecot, dovecot_t)
')
optional_policy(`
@@ -140,25 +160,35 @@
# dovecot auth local policy
#
-allow dovecot_auth_t self:capability { setgid setuid };
+allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
allow dovecot_auth_t self:process signal_perms;
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
-allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
+read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
+
+manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
# Allow dovecot to create and read SSL parameters file
manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
files_search_var_lib(dovecot_t)
+files_read_var_symlinks(dovecot_t)
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+dovecot_auth_stream_connect(dovecot_auth_t)
kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)
+logging_send_audit_msgs(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
+
dev_read_urand(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
@@ -167,6 +197,7 @@
files_read_etc_files(dovecot_auth_t)
files_read_etc_runtime_files(dovecot_auth_t)
files_search_pids(dovecot_auth_t)
+files_read_usr_files(dovecot_auth_t)
files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
@@ -182,5 +213,58 @@
')
optional_policy(`
- logging_send_syslog_msg(dovecot_auth_t)
+ mysql_search_db(dovecot_auth_t)
+ mysql_stream_connect(dovecot_auth_t)
')
+
+optional_policy(`
+ nis_authenticate(dovecot_auth_t)
+')
+
+optional_policy(`
+ postfix_manage_private_sockets(dovecot_auth_t)
+ postfix_search_spool(dovecot_auth_t)
+')
+
+# for gssapi (kerberos)
+userdom_list_user_tmp(dovecot_auth_t)
+userdom_read_user_tmp_files(dovecot_auth_t)
+userdom_read_user_tmp_symlinks(dovecot_auth_t)
+
+########################################
+#
+# dovecot deliver local policy
+#
+allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+
+allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+
+kernel_read_all_sysctls(dovecot_deliver_t)
+kernel_read_system_state(dovecot_deliver_t)
+
+files_read_etc_files(dovecot_deliver_t)
+files_read_etc_runtime_files(dovecot_deliver_t)
+
+auth_use_nsswitch(dovecot_deliver_t)
+
+logging_send_syslog_msg(dovecot_deliver_t)
+
+miscfiles_read_localization(dovecot_deliver_t)
+
+dovecot_auth_stream_connect(dovecot_deliver_t)
+
+files_search_tmp(dovecot_deliver_t)
+fs_getattr_all_fs(dovecot_deliver_t)
+
+userdom_manage_user_home_content_dirs(dovecot_deliver_t)
+userdom_manage_user_home_content_files(dovecot_deliver_t)
+userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
+userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+userdom_manage_user_home_content_sockets(dovecot_deliver_t)
+userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+ mta_manage_spool(dovecot_deliver_t)
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.6.12/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/exim.if 2009-04-07 16:01:44.000000000 -0400
@@ -97,6 +97,26 @@
########################################
##
+## Allow the specified domain to manage exim's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`exim_manage_log',`
+ gen_require(`
+ type exim_log_t;
+ ')
+
+ manage_files_pattern($1, exim_log_t, exim_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+##
## Allow the specified domain to append
## exim log files.
##
@@ -154,3 +174,23 @@
manage_files_pattern($1, exim_spool_t, exim_spool_t)
files_search_spool($1)
')
+
+########################################
+##
+## Create, read, write, and delete
+## exim spool dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`exim_manage_spool_dirs',`
+ gen_require(`
+ type exim_spool_t;
+ ')
+
+ manage_dirs_pattern($1, exim_spool_t, exim_spool_t)
+ files_search_spool($1)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.12/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/exim.te 2009-04-15 08:33:18.000000000 -0400
@@ -21,9 +21,20 @@
##
gen_tunable(exim_manage_user_files, false)
+##