rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
550cc5f4f4
selinux-policy/policy-F13.patch
Daniel J Walsh 550cc5f4f4 - Add back xserver_manage_home_fonts
2009-12-22 17:25:13 +00:00

34910 lines
1.0 MiB
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.5/Makefile
--- nsaserefpolicy/Makefile 2009-08-18 11:41:14.000000000 -0400
+++ serefpolicy-3.7.5/Makefile 2009-12-21 13:07:09.000000000 -0500
@@ -244,7 +244,7 @@
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.5/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400
+++ serefpolicy-3.7.5/policy/global_tunables 2009-12-21 13:07:09.000000000 -0500
@@ -61,15 +61,6 @@
## <desc>
## <p>
-## Allow email client to various content.
-## nfs, samba, removable devices, and user temp
-## files
-## </p>
-## </desc>
-gen_tunable(mail_read_content,false)
-
-## <desc>
-## <p>
## Allow any files/directories to be exported read/write via NFS.
## </p>
## </desc>
@@ -104,3 +95,18 @@
## </p>
## </desc>
gen_tunable(user_tcp_server,false)
+
+## <desc>
+## <p>
+## Allow direct login to the console device. Required for System 390
+## </p>
+## </desc>
+gen_tunable(allow_console_login,false)
+
+## <desc>
+## <p>
+## Allow certain domains to map low memory in the kernel
+## </p>
+## </desc>
+gen_tunable(mmap_low_allowed, false)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.5/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/alsa.te 2009-12-21 13:07:09.000000000 -0500
@@ -51,6 +51,8 @@
files_read_etc_files(alsa_t)
files_read_usr_files(alsa_t)
+term_dontaudit_use_console(alsa_t)
+
auth_use_nsswitch(alsa_t)
init_use_fds(alsa_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.5/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/anaconda.te 2009-12-21 13:07:09.000000000 -0500
@@ -31,6 +31,7 @@
modutils_domtrans_insmod(anaconda_t)
seutil_domtrans_semanage(anaconda_t)
+seutil_domtrans_setsebool(anaconda_t)
userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
@@ -52,7 +53,7 @@
')
optional_policy(`
- unconfined_domain(anaconda_t)
+ unconfined_domain_noaudit(anaconda_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.5/policy/modules/admin/brctl.te
--- nsaserefpolicy/policy/modules/admin/brctl.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/brctl.te 2009-12-21 13:07:09.000000000 -0500
@@ -21,7 +21,7 @@
allow brctl_t self:unix_dgram_socket create_socket_perms;
allow brctl_t self:tcp_socket create_socket_perms;
-kernel_load_module(brctl_t)
+kernel_request_load_module(brctl_t)
kernel_read_network_state(brctl_t)
kernel_read_sysctl(brctl_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.5/policy/modules/admin/certwatch.te
--- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/admin/certwatch.te 2009-12-21 13:07:09.000000000 -0500
@@ -36,7 +36,7 @@
miscfiles_read_localization(certwatch_t)
userdom_use_user_terminals(certwatch_t)
-userdom_dontaudit_list_user_home_dirs(certwatch_t)
+userdom_dontaudit_list_admin_dir(certwatch_t)
optional_policy(`
apache_exec_modules(certwatch_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.5/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/consoletype.te 2009-12-21 13:07:09.000000000 -0500
@@ -10,7 +10,6 @@
type consoletype_exec_t;
application_executable_file(consoletype_exec_t)
init_domain(consoletype_t, consoletype_exec_t)
-init_system_domain(consoletype_t, consoletype_exec_t)
role system_r types consoletype_t;
########################################
@@ -84,6 +83,7 @@
optional_policy(`
hal_dontaudit_use_fds(consoletype_t)
hal_dontaudit_rw_pipes(consoletype_t)
+ hal_dontaudit_rw_dgram_sockets(consoletype_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.7.5/policy/modules/admin/dmesg.fc
--- nsaserefpolicy/policy/modules/admin/dmesg.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/dmesg.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,2 +1,4 @@
/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+
+/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.7.5/policy/modules/admin/dmesg.te
--- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/dmesg.te 2009-12-21 13:07:09.000000000 -0500
@@ -9,6 +9,7 @@
type dmesg_t;
type dmesg_exec_t;
init_system_domain(dmesg_t, dmesg_exec_t)
+cron_system_entry(dmesg_t, dmesg_exec_t)
########################################
#
@@ -20,12 +21,16 @@
allow dmesg_t self:process signal_perms;
+kernel_read_system_state(dmesg_t)
kernel_read_kernel_sysctls(dmesg_t)
kernel_read_ring_buffer(dmesg_t)
kernel_clear_ring_buffer(dmesg_t)
kernel_change_ring_buffer_level(dmesg_t)
kernel_list_proc(dmesg_t)
kernel_read_proc_symlinks(dmesg_t)
+dev_read_kmsg(dmesg_t)
+
+mls_process_read_all_levels(dmesg_t)
dev_read_sysfs(dmesg_t)
@@ -35,7 +40,7 @@
domain_use_interactive_fds(dmesg_t)
-files_list_etc(dmesg_t)
+files_read_etc_files(dmesg_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(dmesg_t)
@@ -57,3 +62,6 @@
optional_policy(`
udev_read_db(dmesg_t)
')
+
+#mcelog needs
+dev_read_raw_memory(dmesg_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.5/policy/modules/admin/firstboot.te
--- nsaserefpolicy/policy/modules/admin/firstboot.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/firstboot.te 2009-12-21 13:07:09.000000000 -0500
@@ -91,8 +91,12 @@
userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
optional_policy(`
+ dbus_system_bus_client(firstboot_t)
+
+ optional_policy(`
hal_dbus_chat(firstboot_t)
')
+')
optional_policy(`
nis_use_ypbind(firstboot_t)
@@ -105,7 +109,7 @@
optional_policy(`
unconfined_domtrans(firstboot_t)
# The big hammer
- unconfined_domain(firstboot_t)
+ unconfined_domain_noaudit(firstboot_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.5/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 2009-11-25 15:15:48.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/admin/kismet.te 2009-12-21 13:07:09.000000000 -0500
@@ -45,6 +45,7 @@
manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t)
manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
+userdom_search_user_home_dirs(kismet_t)
userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
@@ -53,7 +54,8 @@
manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
-files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir })
+manage_sock_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
+files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir sock_file })
manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
@@ -69,6 +71,7 @@
kernel_search_debugfs(kismet_t)
kernel_read_system_state(kismet_t)
+kernel_read_network_state(kismet_t)
corecmd_exec_bin(kismet_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.5/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/logrotate.te 2009-12-21 13:07:09.000000000 -0500
@@ -32,7 +32,7 @@
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
# for mailx
-dontaudit logrotate_t self:capability { setuid setgid };
+dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
@@ -63,6 +63,7 @@
create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
+files_read_var_lib_files(logrotate_t)
kernel_read_system_state(logrotate_t)
kernel_read_kernel_sysctls(logrotate_t)
@@ -116,8 +117,9 @@
seutil_dontaudit_read_config(logrotate_t)
userdom_use_user_terminals(logrotate_t)
-userdom_dontaudit_search_user_home_dirs(logrotate_t)
+userdom_list_user_home_dirs(logrotate_t)
userdom_use_unpriv_users_fds(logrotate_t)
+userdom_dontaudit_list_admin_dir(logrotate_t)
cron_system_entry(logrotate_t, logrotate_exec_t)
cron_search_spool(logrotate_t)
@@ -137,6 +139,10 @@
')
optional_policy(`
+ abrt_cache_manage(logrotate_t)
+')
+
+optional_policy(`
acct_domtrans(logrotate_t)
acct_manage_data(logrotate_t)
acct_exec_data(logrotate_t)
@@ -149,6 +155,15 @@
')
optional_policy(`
+ asterisk_exec(logrotate_t)
+ asterisk_stream_connect(logrotate_t)
+')
+
+optional_policy(`
+ bind_manage_cache(logrotate_t)
+')
+
+optional_policy(`
consoletype_exec(logrotate_t)
')
@@ -157,6 +172,10 @@
')
optional_policy(`
+ fail2ban_stream_connect(logrotate_t)
+')
+
+optional_policy(`
hostname_exec(logrotate_t)
')
@@ -183,6 +202,10 @@
')
optional_policy(`
+ psad_domtrans(logrotate_t)
+')
+
+optional_policy(`
slrnpull_manage_spool(logrotate_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.5/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/logwatch.te 2009-12-21 13:07:09.000000000 -0500
@@ -93,6 +93,13 @@
sysnet_exec_ifconfig(logwatch_t)
userdom_dontaudit_search_user_home_dirs(logwatch_t)
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(logwatch_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs(logwatch_t)
+')
mta_send_mail(logwatch_t)
@@ -136,4 +143,5 @@
optional_policy(`
samba_read_log(logwatch_t)
+ samba_read_share_files(logwatch_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.5/policy/modules/admin/mrtg.te
--- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/admin/mrtg.te 2009-12-21 13:07:09.000000000 -0500
@@ -116,6 +116,7 @@
userdom_use_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
+userdom_dontaudit_list_admin_dir(mrtg_t)
netutils_domtrans_ping(mrtg_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.5/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/netutils.te 2009-12-21 13:07:09.000000000 -0500
@@ -44,6 +44,7 @@
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;
+allow netutils_t self:socket create_socket_perms;
manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
@@ -85,6 +86,7 @@
miscfiles_read_localization(netutils_t)
+term_dontaudit_use_console(netutils_t)
userdom_use_user_terminals(netutils_t)
userdom_use_all_users_fds(netutils_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.te serefpolicy-3.7.5/policy/modules/admin/portage.te
--- nsaserefpolicy/policy/modules/admin/portage.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/admin/portage.te 2009-12-21 13:07:09.000000000 -0500
@@ -196,7 +196,7 @@
# - for rsync and distfile fetching
#
-allow portage_fetch_t self:capability { dac_override fowner fsetid };
+allow portage_fetch_t self:capability { dac_override fowner fsetid sys_nice };
allow portage_fetch_t self:process signal;
allow portage_fetch_t self:unix_stream_socket create_socket_perms;
allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.5/policy/modules/admin/prelink.fc
--- nsaserefpolicy/policy/modules/admin/prelink.fc 2009-07-23 14:11:04.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/prelink.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,3 +1,4 @@
+/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.5/policy/modules/admin/prelink.if
--- nsaserefpolicy/policy/modules/admin/prelink.if 2009-09-16 09:09:20.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/prelink.if 2009-12-21 13:07:09.000000000 -0500
@@ -21,6 +21,25 @@
########################################
## <summary>
+## Execute the prelink program in the current domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`prelink_exec',`
+ gen_require(`
+ type prelink_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, prelink_exec_t)
+')
+
+########################################
+## <summary>
## Execute the prelink program in the prelink domain.
## </summary>
## <param name="domain">
@@ -151,11 +170,11 @@
## </summary>
## </param>
#
-interface(`prelink_relabelfrom_lib',`
+interface(`prelink_relabel_lib',`
gen_require(`
type prelink_var_lib_t;
')
files_search_var_lib($1)
- relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+ relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.5/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/admin/prelink.te 2009-12-21 13:07:09.000000000 -0500
@@ -21,8 +21,23 @@
type prelink_tmp_t;
files_tmp_file(prelink_tmp_t)
+type prelink_tmpfs_t;
+files_tmpfs_file(prelink_tmpfs_t)
+
type prelink_var_lib_t;
-files_tmp_file(prelink_var_lib_t)
+files_type(prelink_var_lib_t)
+
+########################################
+#
+# Prelink Cron system Declarations
+#
+
+type prelink_cron_system_t;
+type prelink_cron_system_exec_t;
+domain_type(prelink_cron_system_t)
+domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t)
+
+permissive prelink_cron_system_t;
########################################
#
@@ -35,7 +50,6 @@
allow prelink_t prelink_cache_t:file manage_file_perms;
files_etc_filetrans(prelink_t, prelink_cache_t, file)
-files_var_lib_filetrans(prelink_t, prelink_cache_t, file)
allow prelink_t prelink_log_t:dir setattr;
create_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
@@ -45,10 +59,14 @@
allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
-fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file)
+
+allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod };
+fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)
manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
files_search_var_lib(prelink_t)
# prelink misc objects that are not system
@@ -80,6 +98,7 @@
selinux_get_enforce_mode(prelink_t)
libs_exec_ld_so(prelink_t)
+libs_legacy_use_shared_libs(prelink_t)
libs_manage_ld_so(prelink_t)
libs_relabel_ld_so(prelink_t)
libs_manage_shared_libs(prelink_t)
@@ -89,6 +108,7 @@
miscfiles_read_localization(prelink_t)
userdom_use_user_terminals(prelink_t)
+userdom_manage_user_home_content(prelink_t)
optional_policy(`
amanda_manage_lib(prelink_t)
@@ -99,5 +119,57 @@
')
optional_policy(`
+ rpm_manage_tmp_files(prelink_t)
+')
+
+optional_policy(`
unconfined_domain(prelink_t)
')
+
+########################################
+#
+# Prelink Cron system Policy
+#
+
+allow prelink_cron_system_t self:capability setuid;
+allow prelink_cron_system_t self:process { setsched setfscreate };
+
+allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
+allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
+
+domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
+
+read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
+allow prelink_cron_system_t prelink_cache_t:file unlink;
+files_delete_etc_dir_entry(prelink_cron_system_t)
+
+manage_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t)
+
+manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
+files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
+allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto };
+
+corecmd_exec_bin(prelink_cron_system_t)
+corecmd_exec_shell(prelink_cron_system_t)
+
+files_read_etc_files(prelink_cron_system_t)
+
+files_search_var_lib(prelink_cron_system_t)
+files_search_var_log(prelink_cron_system_t)
+
+init_chat(prelink_cron_system_t)
+init_exec(prelink_cron_system_t)
+
+kernel_read_system_state(prelink_cron_system_t)
+
+libs_exec_ld_so(prelink_cron_system_t)
+
+miscfiles_read_localization(prelink_cron_system_t)
+
+optional_policy(`
+ cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
+')
+
+optional_policy(`
+ rpm_read_db(prelink_cron_system_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.5/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/admin/readahead.te 2009-12-21 13:07:09.000000000 -0500
@@ -52,6 +52,7 @@
files_list_non_security(readahead_t)
files_read_non_security_files(readahead_t)
+files_dontaudit_read_security_files(readahead_t)
files_create_boot_flag(readahead_t)
files_getattr_all_pipes(readahead_t)
files_dontaudit_getattr_all_sockets(readahead_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.5/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/rpm.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,18 +1,19 @@
/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
-
-/usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
ifdef(`distro_redhat', `
/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -21,15 +22,23 @@
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
+/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
+
# SuSE
ifdef(`distro_suse', `
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.5/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/rpm.if 2009-12-21 13:07:09.000000000 -0500
@@ -13,11 +13,34 @@
interface(`rpm_domtrans',`
gen_require(`
type rpm_t, rpm_exec_t;
+ type debuginfo_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, rpm_exec_t, rpm_t)
+ domtrans_pattern($1, debuginfo_exec_t, rpm_t)
+')
+
+########################################
+## <summary>
+## Execute debuginfo_install programs in the rpm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`rpm_domtrans_debuginfo',`
+ gen_require(`
+ type rpm_t;
+ type debuginfo_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, debuginfo_exec_t, rpm_t)
')
########################################
@@ -66,6 +89,11 @@
rpm_domtrans($1)
role $2 types rpm_t;
role $2 types rpm_script_t;
+
+ domain_system_change_exemption($1)
+ role_transition $2 rpm_exec_t system_r;
+ allow $2 system_r;
+
seutil_run_loadpolicy(rpm_script_t, $2)
seutil_run_semanage(rpm_script_t, $2)
seutil_run_setfiles(rpm_script_t, $2)
@@ -146,6 +174,41 @@
########################################
## <summary>
+## dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`rpm_dontaudit_leaks',`
+ gen_require(`
+ type rpm_t, rpm_var_cache_t;
+ type rpm_script_t, rpm_var_run_t, rpm_tmp_t;
+ type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
+ ')
+
+ dontaudit $1 rpm_t:fifo_file { read write };
+ dontaudit $1 rpm_t:tcp_socket { read write };
+ dontaudit $1 rpm_t:unix_dgram_socket { read write };
+ dontaudit $1 rpm_t:shm rw_shm_perms;
+
+ dontaudit $1 rpm_script_t:fd use;
+ dontaudit $1 rpm_script_t:fifo_file { read write };
+
+ dontaudit $1 rpm_var_run_t:file write;
+
+ dontaudit $1 rpm_tmp_t:file { read write };
+ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
+ dontaudit $1 rpm_tmpfs_t:file { read write };
+ dontaudit $1 rpm_script_tmp_t:file { read write };
+ dontaudit $1 rpm_var_lib_t:file { read write };
+ dontaudit $1 rpm_var_cache_t:file { read write };
+')
+
+########################################
+## <summary>
## Send and receive messages from
## rpm over dbus.
## </summary>
@@ -167,6 +230,68 @@
########################################
## <summary>
+## dontaudit attempts to Send and receive messages from
+## rpm over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_dontaudit_dbus_chat',`
+ gen_require(`
+ type rpm_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 rpm_t:dbus send_msg;
+ dontaudit rpm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## rpm_script over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_script_dbus_chat',`
+ gen_require(`
+ type rpm_script_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 rpm_script_t:dbus send_msg;
+ allow rpm_script_t $1:dbus send_msg;
+')
+
+#####################################
+## <summary>
+## Allow the specified domain to append
+## to rpm log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_append_log',`
+ gen_require(`
+ type rpm_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, rpm_log_t, rpm_log_t)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete the RPM log.
## </summary>
## <param name="domain">
@@ -186,6 +311,24 @@
########################################
## <summary>
+## Search RPM log directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`rpm_search_log',`
+ gen_require(`
+ type rpm_log_t;
+ ')
+
+ allow $1 rpm_log_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
## Inherit and use file descriptors from RPM scripts.
## </summary>
## <param name="domain">
@@ -219,7 +362,51 @@
')
files_search_tmp($1)
+ manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+ manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete RPM
+## temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_tmp_files',`
+ gen_require(`
+ type rpm_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
+ manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+ manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+')
+
+########################################
+## <summary>
+## read, RPM
+## script temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_read_script_tmp_files',`
+ gen_require(`
+ type rpm_script_tmp_t;
+ ')
+
+ read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+ read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
')
########################################
@@ -241,6 +428,25 @@
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+ rpm_read_cache($1)
+')
+
+########################################
+## <summary>
+## Delete the RPM package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`rpm_delete_db',`
+ gen_require(`
+ type rpm_var_lib_t;
+ ')
+
+ delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
')
########################################
@@ -265,6 +471,48 @@
########################################
## <summary>
+## Read the RPM cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`rpm_read_cache',`
+ gen_require(`
+ type rpm_var_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 rpm_var_cache_t:dir list_dir_perms;
+ read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the RPM package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_cache',`
+ gen_require(`
+ type rpm_var_cache_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+')
+
+########################################
+## <summary>
## Do not audit attempts to create, read,
## write, and delete the RPM package database.
## </summary>
@@ -283,3 +531,99 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
+
+#####################################
+## <summary>
+## Read rpm pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_read_pid_files',`
+ gen_require(`
+ type rpm_var_run_t;
+ ')
+
+ read_files_pattern($1,rpm_var_run_t,rpm_var_run_t)
+')
+
+#####################################
+## <summary>
+## Create, read, write, and delete rpm pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_pid_files',`
+ gen_require(`
+ type rpm_var_run_t;
+ ')
+
+ manage_files_pattern($1,rpm_var_run_t,rpm_var_run_t)
+')
+
+######################################
+## <summary>
+## Create files in /var/run with the rpm pid file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_pid_filetrans',`
+ gen_require(`
+ type rpm_var_run_t;
+ ')
+
+ files_pid_filetrans($1, rpm_var_run_t, file)
+')
+
+########################################
+## <summary>
+## Allow application to transition to rpm_script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_transition_script',`
+ gen_require(`
+ type rpm_script_t;
+ ')
+
+ allow $1 rpm_script_t:process transition;
+
+ allow $1 rpm_script_t:fd use;
+ allow rpm_script_t $1:fd use;
+ allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
+ allow rpm_script_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Send a null signal to rpm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_signull',`
+ gen_require(`
+ type rpm_t;
+ ')
+
+ allow $1 rpm_t:process signull;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.5/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/rpm.te 2009-12-21 13:07:09.000000000 -0500
@@ -15,6 +15,9 @@
domain_interactive_fd(rpm_t)
role system_r types rpm_t;
+type debuginfo_exec_t;
+domain_entry_file(rpm_t, debuginfo_exec_t)
+
type rpm_file_t;
files_type(rpm_file_t)
@@ -31,11 +34,18 @@
files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;
+type rpm_var_cache_t;
+files_type(rpm_var_cache_t)
+
+type rpm_var_run_t;
+files_pid_file(rpm_var_run_t)
+
type rpm_script_t;
type rpm_script_exec_t;
domain_obj_id_change_exemption(rpm_script_t)
domain_system_change_exemption(rpm_script_t)
corecmd_shell_entry_type(rpm_script_t)
+corecmd_bin_entry_type(rpm_script_t)
domain_type(rpm_script_t)
domain_entry_file(rpm_t, rpm_script_exec_t)
domain_interactive_fd(rpm_script_t)
@@ -52,8 +62,9 @@
# rpm Local policy
#
-allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys_chroot sys_tty_config mknod };
-allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
+
+allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
allow rpm_t self:fifo_file rw_fifo_file_perms;
@@ -68,6 +79,8 @@
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
allow rpm_t self:msg { send receive };
+allow rpm_t self:dir search;
+allow rpm_t self:file rw_file_perms;;
allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t, rpm_log_t, file)
@@ -83,12 +96,21 @@
manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
+manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
+files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
+
# Access /var/lib/rpm files
manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
+manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
+files_pid_filetrans(rpm_t, rpm_var_run_t, file)
+
+kernel_read_network_state(rpm_t)
kernel_read_system_state(rpm_t)
kernel_read_kernel_sysctls(rpm_t)
+kernel_read_network_state_symlinks(rpm_t)
corecmd_exec_all_executables(rpm_t)
@@ -108,12 +130,15 @@
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
+dev_read_raw_memory(rpm_t)
#devices_manage_all_device_types(rpm_t)
+fs_getattr_all_fs(rpm_t)
+fs_getattr_all_dirs(rpm_t)
+fs_list_inotifyfs(rpm_t)
fs_manage_nfs_dirs(rpm_t)
fs_manage_nfs_files(rpm_t)
fs_manage_nfs_symlinks(rpm_t)
-fs_getattr_all_fs(rpm_t)
fs_search_auto_mountpoints(rpm_t)
mls_file_read_all_levels(rpm_t)
@@ -132,6 +157,8 @@
# for installing kernel packages
storage_raw_read_fixed_disk(rpm_t)
+term_list_ptys(rpm_t)
+
auth_relabel_all_files_except_shadow(rpm_t)
auth_manage_all_files_except_shadow(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
@@ -155,6 +182,7 @@
files_exec_etc_files(rpm_t)
init_domtrans_script(rpm_t)
+init_use_script_ptys(rpm_t)
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
@@ -174,44 +202,41 @@
')
optional_policy(`
+ optional_policy(`
hal_dbus_chat(rpm_t)
')
optional_policy(`
- prelink_domtrans(rpm_t)
+ networkmanager_dbus_chat(rpm_t)
')
optional_policy(`
- unconfined_domain(rpm_t)
- # yum-updatesd requires this
- unconfined_dbus_chat(rpm_t)
+ dbus_system_domain(rpm_t, rpm_exec_t)
')
-ifdef(`TODO',`
-# read/write/create any files in the system
-dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
-allow rpm_t ttyfile:chr_file unlink;
-
-# needs rw permission to the directory for an rpm package that includes a mount
-# point
-allow rpm_t fs_type:dir { setattr rw_dir_perms };
-
-allow rpm_t mount_t:tcp_socket write;
+ optional_policy(`
+ dbus_system_domain(rpm_t, debuginfo_exec_t)
+ ')
+')
-allow rpm_t rpc_pipefs_t:dir search;
+optional_policy(`
+ prelink_domtrans(rpm_t)
+')
optional_policy(`
-allow rpm_t sysadm_gph_t:fd use;
+ unconfined_domain_noaudit(rpm_t)
+ # yum-updatesd requires this
+ unconfined_dbus_chat(rpm_t)
+ unconfined_dbus_chat(rpm_script_t)
')
-') dnl endif TODO
########################################
#
# rpm-script Local policy
#
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
-allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin };
+allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
@@ -222,12 +247,15 @@
allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
+allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
allow rpm_script_t rpm_tmp_t:file read_file_perms;
allow rpm_script_t rpm_script_tmp_t:dir mounton;
manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
@@ -239,6 +267,9 @@
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
+kernel_read_network_state(rpm_script_t)
+kernel_list_all_proc(rpm_script_t)
+kernel_read_software_raid_state(rpm_script_t)
dev_list_sysfs(rpm_script_t)
@@ -254,7 +285,9 @@
fs_getattr_xattr_fs(rpm_script_t)
fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
+fs_search_all(rpm_script_t)
fs_search_auto_mountpoints(rpm_script_t)
+fs_getattr_all_fs(rpm_script_t)
mcs_killall(rpm_script_t)
mcs_ptrace_all(rpm_script_t)
@@ -272,14 +305,19 @@
storage_raw_read_fixed_disk(rpm_script_t)
storage_raw_write_fixed_disk(rpm_script_t)
+term_getattr_unallocated_ttys(rpm_script_t)
+term_list_ptys(rpm_script_t)
term_use_all_terms(rpm_script_t)
auth_dontaudit_getattr_shadow(rpm_script_t)
auth_use_nsswitch(rpm_script_t)
# ideally we would not need this
auth_manage_all_files_except_shadow(rpm_script_t)
+auth_relabel_shadow(rpm_script_t)
corecmd_exec_all_executables(rpm_script_t)
+can_exec(rpm_script_t, rpm_script_tmp_t)
+can_exec(rpm_script_t, rpm_script_tmpfs_t)
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
@@ -291,8 +329,10 @@
files_exec_etc_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t)
files_exec_usr_files(rpm_script_t)
+files_relabel_all_files(rpm_script_t)
init_domtrans_script(rpm_script_t)
+init_chat(rpm_script_t)
libs_exec_ld_so(rpm_script_t)
libs_exec_lib_files(rpm_script_t)
@@ -308,12 +348,15 @@
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
+seutil_domtrans_setsebool(rpm_script_t)
userdom_use_all_users_fds(rpm_script_t)
+userdom_exec_admin_home_files(rpm_script_t)
ifdef(`distro_redhat',`
optional_policy(`
mta_send_mail(rpm_script_t)
+ mta_system_content(rpm_var_run_t)
')
')
@@ -326,13 +369,22 @@
')
optional_policy(`
+ lvm_domtrans(rpm_script_t)
+')
+
+optional_policy(`
tzdata_domtrans(rpm_t)
tzdata_domtrans(rpm_script_t)
')
optional_policy(`
- unconfined_domain(rpm_script_t)
+ udev_domtrans(rpm_script_t)
+')
+
+optional_policy(`
+ unconfined_domain_noaudit(rpm_script_t)
unconfined_domtrans(rpm_script_t)
+ unconfined_execmem_domtrans(rpm_script_t)
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.7.5/policy/modules/admin/shorewall.fc
--- nsaserefpolicy/policy/modules/admin/shorewall.fc 2009-09-09 09:23:16.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/shorewall.fc 2009-12-21 13:07:09.000000000 -0500
@@ -4,8 +4,11 @@
/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
-/sbin/shorewall -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+
+/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.7.5/policy/modules/admin/shorewall.if
--- nsaserefpolicy/policy/modules/admin/shorewall.if 2009-09-09 09:23:16.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/shorewall.if 2009-12-21 13:07:09.000000000 -0500
@@ -75,6 +75,46 @@
rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
')
+######################################
+## <summary>
+## Read shorewall /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_read_var_lib',`
+ gen_require(`
+ type shorewall_t;
+ ')
+
+ files_search_var_lib($1)
+ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Read and write shorewall /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_rw_var_lib',`
+ gen_require(`
+ type shorewall_t;
+ ')
+
+ files_search_var_lib($1)
+ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
#######################################
## <summary>
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.5/policy/modules/admin/shorewall.te
--- nsaserefpolicy/policy/modules/admin/shorewall.te 2009-09-09 09:23:16.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/shorewall.te 2009-12-21 13:07:09.000000000 -0500
@@ -29,6 +29,9 @@
type shorewall_var_lib_t;
files_type(shorewall_var_lib_t)
+type shorewall_log_t;
+logging_log_file(shorewall_log_t)
+
########################################
#
# shorewall local policy
@@ -49,6 +52,10 @@
manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
+manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
+manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
+logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir })
+
manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
manage_files_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir })
@@ -80,6 +87,8 @@
sysnet_domtrans_ifconfig(shorewall_t)
+userdom_dontaudit_list_admin_dir(shorewall_t)
+
optional_policy(`
iptables_domtrans(shorewall_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.5/policy/modules/admin/smoltclient.fc
--- nsaserefpolicy/policy/modules/admin/smoltclient.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/admin/smoltclient.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0)
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.5/policy/modules/admin/smoltclient.if
--- nsaserefpolicy/policy/modules/admin/smoltclient.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/admin/smoltclient.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1 @@
+## <summary>The Fedora hardware profiler client</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.5/policy/modules/admin/smoltclient.te
--- nsaserefpolicy/policy/modules/admin/smoltclient.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/admin/smoltclient.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,66 @@
+policy_module(smoltclient,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type smoltclient_t;
+type smoltclient_exec_t;
+application_domain(smoltclient_t, smoltclient_exec_t)
+cron_system_entry(smoltclient_t, smoltclient_exec_t)
+
+type smoltclient_tmp_t;
+files_tmp_file(smoltclient_tmp_t)
+
+########################################
+#
+# Local policy
+#
+allow smoltclient_t self:process { setsched getsched };
+
+allow smoltclient_t self:fifo_file rw_fifo_file_perms;
+allow smoltclient_t self:tcp_socket create_socket_perms;
+allow smoltclient_t self:udp_socket create_socket_perms;
+
+can_exec(smoltclient_t, smoltclient_tmp_t)
+manage_dirs_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t)
+manage_files_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t)
+files_tmp_filetrans(smoltclient_t, smoltclient_tmp_t, { dir file })
+
+kernel_read_system_state(smoltclient_t)
+kernel_read_network_state(smoltclient_t)
+kernel_read_kernel_sysctls(smoltclient_t)
+
+corecmd_exec_bin(smoltclient_t)
+corecmd_exec_shell(smoltclient_t)
+
+corenet_tcp_connect_http_port(smoltclient_t)
+
+auth_use_nsswitch(smoltclient_t)
+
+dev_read_sysfs(smoltclient_t)
+
+fs_getattr_all_fs(smoltclient_t)
+fs_getattr_all_dirs(smoltclient_t)
+
+files_getattr_generic_locks(smoltclient_t)
+files_read_etc_files(smoltclient_t)
+files_read_usr_files(smoltclient_t)
+
+miscfiles_read_localization(smoltclient_t)
+
+optional_policy(`
+ dbus_system_bus_client(smoltclient_t)
+')
+
+optional_policy(`
+ hal_dbus_chat(smoltclient_t)
+')
+
+optional_policy(`
+ rpm_exec(smoltclient_t)
+ rpm_read_db(smoltclient_t)
+')
+
+permissive smoltclient_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.5/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/sudo.if 2009-12-21 13:07:09.000000000 -0500
@@ -66,8 +66,8 @@
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
allow $1_sudo_t self:unix_dgram_socket sendto;
allow $1_sudo_t self:unix_stream_socket connectto;
-
allow $1_sudo_t $3:key search;
+ allow $1_sudo_t self:key manage_key_perms;
# Enter this derived domain from the user domain
domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
@@ -84,7 +84,7 @@
kernel_link_key($1_sudo_t)
corecmd_read_bin_symlinks($1_sudo_t)
- corecmd_getattr_all_executables($1_sudo_t)
+ corecmd_exec_all_executables($1_sudo_t)
dev_read_urand($1_sudo_t)
dev_rw_generic_usb_dev($1_sudo_t)
@@ -132,9 +132,11 @@
userdom_manage_user_tmp_files($1_sudo_t)
userdom_manage_user_tmp_symlinks($1_sudo_t)
userdom_use_user_terminals($1_sudo_t)
- userdom_use_user_terminals($1_sudo_t)
# for some PAM modules and for cwd
userdom_dontaudit_search_user_home_content($1_sudo_t)
+ userdom_manage_all_users_keys($1_sudo_t)
+
+ mta_role($2, $1_sudo_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_sudo_t)
@@ -147,6 +149,11 @@
optional_policy(`
dbus_system_bus_client($1_sudo_t)
')
+
+ optional_policy(`
+ fprintd_dbus_chat($1_sudo_t)
+ ')
+
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.5/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/tmpreaper.te 2009-12-22 10:55:03.000000000 -0500
@@ -42,6 +42,7 @@
cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
ifdef(`distro_redhat',`
+ userdom_list_user_home_content(tmpreaper_t)
userdom_delete_user_home_content_dirs(tmpreaper_t)
userdom_delete_user_home_content_files(tmpreaper_t)
userdom_delete_user_home_content_symlinks(tmpreaper_t)
@@ -52,6 +53,13 @@
')
optional_policy(`
+ apache_delete_sys_content_rw(tmpreaper_t)
+ apache_list_cache(tmpreaper_t)
+ apache_delete_cache(tmpreaper_t)
+ apache_setattr_cache_dirs(tmpreaper_t)
+')
+
+optional_policy(`
kismet_manage_log(tmpreaper_t)
')
@@ -60,5 +68,9 @@
')
optional_policy(`
+ rpm_manage_cache(tmpreaper_t)
+')
+
+optional_policy(`
unconfined_domain(tmpreaper_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.5/policy/modules/admin/usermanage.if
--- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/usermanage.if 2009-12-21 13:07:09.000000000 -0500
@@ -113,6 +113,12 @@
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, passwd_exec_t, passwd_t)
+
+ifdef(`hide_broken_symptoms', `
+ dontaudit passwd_t $1:unix_stream_socket rw_socket_perms;
+ dontaudit passwd_t $1:unix_dgram_socket rw_socket_perms;
+ dontaudit passwd_t $1:tcp_socket rw_socket_perms;
+')
')
########################################
@@ -274,6 +280,11 @@
usermanage_domtrans_useradd($1)
role $2 types useradd_t;
+ # Add/remove user home directories
+ userdom_manage_home_role($2, useradd_t)
+
+ seutil_run_semanage(useradd_t, $2)
+
optional_policy(`
nscd_run(useradd_t, $2)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.5/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/admin/usermanage.te 2009-12-21 13:07:09.000000000 -0500
@@ -82,6 +82,7 @@
selinux_compute_relabel_context(chfn_t)
selinux_compute_user_contexts(chfn_t)
+term_use_console(chfn_t)
term_use_all_user_ttys(chfn_t)
term_use_all_user_ptys(chfn_t)
@@ -197,6 +198,7 @@
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)
+term_use_console(groupadd_t)
term_use_all_user_ttys(groupadd_t)
term_use_all_user_ptys(groupadd_t)
@@ -209,6 +211,7 @@
files_manage_etc_files(groupadd_t)
files_relabel_etc_files(groupadd_t)
files_read_etc_runtime_files(groupadd_t)
+files_read_usr_symlinks(groupadd_t)
# Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
corecmd_exec_bin(groupadd_t)
@@ -218,14 +221,11 @@
miscfiles_read_localization(groupadd_t)
-auth_domtrans_chk_passwd(groupadd_t)
-auth_rw_lastlog(groupadd_t)
-auth_use_nsswitch(groupadd_t)
-# these may be unnecessary due to the above
-# domtrans_chk_passwd() call.
auth_manage_shadow(groupadd_t)
auth_relabel_shadow(groupadd_t)
auth_etc_filetrans_shadow(groupadd_t)
+auth_rw_lastlog(groupadd_t)
+auth_use_nsswitch(groupadd_t)
seutil_read_config(groupadd_t)
@@ -292,6 +292,7 @@
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
+term_use_console(passwd_t)
term_use_all_user_ttys(passwd_t)
term_use_all_user_ptys(passwd_t)
@@ -303,6 +304,7 @@
# allow checking if a shell is executable
corecmd_check_exec_shell(passwd_t)
+corecmd_exec_bin(passwd_t)
domain_use_interactive_fds(passwd_t)
@@ -333,6 +335,7 @@
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
+userdom_stream_connect(passwd_t)
optional_policy(`
nscd_domtrans(passwd_t)
@@ -382,6 +385,7 @@
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
+term_use_console(sysadm_passwd_t)
term_use_all_user_ttys(sysadm_passwd_t)
term_use_all_user_ptys(sysadm_passwd_t)
@@ -450,6 +454,7 @@
corecmd_exec_bin(useradd_t)
domain_use_interactive_fds(useradd_t)
+domain_read_all_domains_state(useradd_t)
files_manage_etc_files(useradd_t)
files_search_var_lib(useradd_t)
@@ -469,18 +474,16 @@
selinux_compute_relabel_context(useradd_t)
selinux_compute_user_contexts(useradd_t)
+term_use_console(useradd_t)
term_use_all_user_ttys(useradd_t)
term_use_all_user_ptys(useradd_t)
-auth_domtrans_chk_passwd(useradd_t)
-auth_rw_lastlog(useradd_t)
-auth_rw_faillog(useradd_t)
-auth_use_nsswitch(useradd_t)
-# these may be unnecessary due to the above
-# domtrans_chk_passwd() call.
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
+auth_rw_lastlog(useradd_t)
+auth_rw_faillog(useradd_t)
+auth_use_nsswitch(useradd_t)
init_use_fds(useradd_t)
init_rw_utmp(useradd_t)
@@ -498,10 +501,8 @@
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
-userdom_manage_user_home_content_dirs(useradd_t)
-userdom_manage_user_home_content_files(useradd_t)
userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
+userdom_manage_home_role(system_r, useradd_t)
mta_manage_spool(useradd_t)
@@ -525,6 +526,12 @@
')
optional_policy(`
+ tunable_policy(`samba_domain_controller',`
+ samba_append_log(useradd_t)
+ ')
+')
+
+optional_policy(`
puppet_rw_tmp(useradd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.5/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/admin/vbetool.te 2009-12-21 13:07:09.000000000 -0500
@@ -15,15 +15,20 @@
# Local policy
#
-allow vbetool_t self:capability { sys_tty_config sys_admin };
+allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };
allow vbetool_t self:process execmem;
dev_wx_raw_memory(vbetool_t)
dev_read_raw_memory(vbetool_t)
dev_rwx_zero(vbetool_t)
-dev_read_sysfs(vbetool_t)
+dev_rw_sysfs(vbetool_t)
+dev_rw_xserver_misc(vbetool_t)
+dev_rw_mtrr(vbetool_t)
+domain_mmap_low_type(vbetool_t)
+tunable_policy(`mmap_low_allowed',`
domain_mmap_low(vbetool_t)
+')
term_use_unallocated_ttys(vbetool_t)
@@ -34,3 +39,8 @@
hal_write_log(vbetool_t)
hal_dontaudit_append_lib_files(vbetool_t)
')
+
+optional_policy(`
+ xserver_exec_pid(vbetool_t)
+ xserver_write_pid(vbetool_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.5/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/admin/vpn.te 2009-12-21 13:07:09.000000000 -0500
@@ -46,6 +46,7 @@
kernel_read_system_state(vpnc_t)
kernel_read_network_state(vpnc_t)
kernel_read_all_sysctls(vpnc_t)
+kernel_request_load_module(vpnc_t)
kernel_rw_net_sysctls(vpnc_t)
corenet_all_recvfrom_unlabeled(vpnc_t)
@@ -105,8 +106,9 @@
sysnet_etc_filetrans_config(vpnc_t)
sysnet_manage_config(vpnc_t)
-userdom_use_all_users_fds(vpnc_t)
userdom_dontaudit_search_user_home_content(vpnc_t)
+userdom_read_home_certs(vpnc_t)
+userdom_use_all_users_fds(vpnc_t)
optional_policy(`
dbus_system_bus_client(vpnc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.5/policy/modules/apps/chrome.fc
--- nsaserefpolicy/policy/modules/apps/chrome.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/chrome.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.5/policy/modules/apps/chrome.if
--- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/chrome.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,86 @@
+
+## <summary>policy for chrome</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run chrome_sandbox.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chrome_domtrans_sandbox',`
+ gen_require(`
+ type chrome_sandbox_t, chrome_sandbox_exec_t;
+ ')
+
+ domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t)
+ ps_process_pattern(chrome_sandbox_t, $1)
+')
+
+
+########################################
+## <summary>
+## Execute chrome_sandbox in the chrome_sandbox domain, and
+## allow the specified role the chrome_sandbox domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the chrome_sandbox domain.
+## </summary>
+## </param>
+#
+interface(`chrome_run_sandbox',`
+ gen_require(`
+ type chrome_sandbox_t;
+ ')
+
+ chrome_domtrans_sandbox($1)
+ role $2 types chrome_sandbox_t;
+')
+
+########################################
+## <summary>
+## Role access for chrome sandbox
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`chrome_role',`
+ gen_require(`
+ type chrome_sandbox_t;
+ type chrome_sandbox_tmpfs_t;
+ ')
+
+ role $1 types chrome_sandbox_t;
+
+ chrome_domtrans_sandbox($2)
+
+ ps_process_pattern($2, chrome_sandbox_t)
+ allow $2 chrome_sandbox_t:process signal_perms;
+
+ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
+ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
+ allow chrome_sandbox_t $2:unix_stream_socket { read write };
+ allow $2 chrome_sandbox_t:unix_stream_socket { read write };
+
+ allow $2 chrome_sandbox_t:shm rw_shm_perms;
+
+ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.5/policy/modules/apps/chrome.te
--- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/chrome.te 2009-12-21 13:49:59.000000000 -0500
@@ -0,0 +1,83 @@
+policy_module(chrome,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type chrome_sandbox_t;
+type chrome_sandbox_exec_t;
+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
+role system_r types chrome_sandbox_t;
+
+type chrome_sandbox_tmp_t;
+files_tmp_file(chrome_sandbox_tmp_t)
+
+type chrome_sandbox_tmpfs_t;
+files_tmpfs_file(chrome_sandbox_tmpfs_t)
+ubac_constrained(chrome_sandbox_tmpfs_t)
+
+permissive chrome_sandbox_t;
+
+########################################
+#
+# chrome_sandbox local policy
+#
+allow chrome_sandbox_t self:capability { setuid sys_admin dac_override sys_chroot chown fsetid setgid };
+dontaudit chrome_sandbox_t self:capability { sys_ptrace };
+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
+allow chrome_sandbox_t self:fifo_file manage_file_perms;
+allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_t self:shm create_shm_perms;
+
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
+
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)
+
+kernel_read_system_state(chrome_sandbox_t)
+kernel_read_kernel_sysctls(chrome_sandbox_t)
+
+corecmd_exec_bin(chrome_sandbox_t)
+
+domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
+
+dev_read_urand(chrome_sandbox_t)
+
+files_read_etc_files(chrome_sandbox_t)
+
+userdom_rw_user_tmpfs_files(chrome_sandbox_t)
+userdom_use_user_ptys(chrome_sandbox_t)
+userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
+userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
+userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
+
+miscfiles_read_localization(chrome_sandbox_t)
+miscfiles_read_fonts(chrome_sandbox_t)
+
+optional_policy(`
+ execmem_exec(chrome_sandbox_t)
+')
+
+optional_policy(`
+ gnome_write_inherited_config(chrome_sandbox_t)
+')
+
+optional_policy(`
+ xserver_use_user_fonts(chrome_sandbox_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_append_nfs_files(chrome_sandbox_t)
+ fs_dontaudit_read_nfs_files(chrome_sandbox_t)
+ fs_dontaudit_read_nfs_symlinks(chrome_sandbox_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+ fs_dontaudit_read_cifs_files(chrome_sandbox_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.5/policy/modules/apps/cpufreqselector.te
--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/cpufreqselector.te 2009-12-21 13:07:09.000000000 -0500
@@ -26,7 +26,7 @@
dev_rw_sysfs(cpufreqselector_t)
userdom_read_all_users_state(cpufreqselector_t)
-userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
+userdom_dontaudit_search_admin_dir(cpufreqselector_t)
optional_policy(`
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.5/policy/modules/apps/execmem.fc
--- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/execmem.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,42 @@
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+')
+/usr/lib(64)?/chromium-browser/chromium-browser gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib64/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/libexec/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib(64)?/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib(64)/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/real/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Application -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.5/policy/modules/apps/execmem.if
--- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/execmem.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,103 @@
+## <summary>execmem domain</summary>
+
+########################################
+## <summary>
+## Execute the execmem program in the execmem domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`execmem_exec',`
+ gen_require(`
+ type execmem_exec_t;
+ ')
+
+ can_exec($1, execmem_exec_t)
+')
+
+#######################################
+## <summary>
+## The role template for the execmem module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for execmem applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`execmem_role_template',`
+ gen_require(`
+ type execmem_exec_t;
+ ')
+
+ type $1_execmem_t;
+ domain_type($1_execmem_t)
+ domain_entry_file($1_execmem_t, execmem_exec_t)
+ role $2 types $1_execmem_t;
+
+ userdom_unpriv_usertype($1, $1_execmem_t)
+ userdom_manage_tmp_role($2, $1_execmem_t)
+ userdom_manage_tmpfs_role($2, $1_execmem_t)
+
+ allow $1_execmem_t self:process { execmem execstack };
+ allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
+ domtrans_pattern($3, execmem_exec_t, $1_execmem_t)
+
+ files_execmod_tmp($1_execmem_t)
+
+ optional_policy(`
+ chrome_role($2, $1_execmem_t)
+ ')
+
+ optional_policy(`
+ mozilla_execmod_user_home_files($1_execmem_t)
+ ')
+
+ optional_policy(`
+ xserver_role($2, $1_execmem_t)
+ ')
+')
+
+########################################
+## <summary>
+## Execute a execmem_exec file
+## in the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`execmem_domtrans',`
+ gen_require(`
+ type execmem_exec_t;
+ ')
+
+ domtrans_pattern($1, execmem_exec_t, $2)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.5/policy/modules/apps/execmem.te
--- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/execmem.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,11 @@
+
+policy_module(execmem, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type execmem_exec_t alias unconfined_execmem_exec_t;
+application_executable_file(execmem_exec_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.5/policy/modules/apps/firewallgui.fc
--- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/firewallgui.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,3 @@
+
+/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.5/policy/modules/apps/firewallgui.if
--- nsaserefpolicy/policy/modules/apps/firewallgui.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/firewallgui.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,23 @@
+
+## <summary>policy for firewallgui</summary>
+
+########################################
+## <summary>
+## Send and receive messages from
+## firewallgui over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firewallgui_dbus_chat',`
+ gen_require(`
+ type firewallgui_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 firewallgui_t:dbus send_msg;
+ allow firewallgui_t $1:dbus send_msg;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.5/policy/modules/apps/firewallgui.te
--- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/firewallgui.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,64 @@
+
+policy_module(firewallgui,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type firewallgui_t;
+type firewallgui_exec_t;
+dbus_system_domain(firewallgui_t, firewallgui_exec_t)
+
+type firewallgui_tmp_t;
+files_tmp_file(firewallgui_tmp_t)
+
+permissive firewallgui_t;
+
+########################################
+#
+# firewallgui local policy
+#
+
+allow firewallgui_t self:capability net_admin;
+
+allow firewallgui_t self:fifo_file rw_fifo_file_perms;
+
+manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
+manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
+files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir })
+
+iptables_manage_config(firewallgui_t)
+iptables_etc_filetrans_config(firewallgui_t)
+
+corecmd_exec_shell(firewallgui_t)
+corecmd_exec_bin(firewallgui_t)
+consoletype_exec(firewallgui_t)
+
+kernel_read_system_state(firewallgui_t)
+kernel_read_network_state(firewallgui_t)
+kernel_rw_net_sysctls(firewallgui_t)
+kernel_rw_kernel_sysctl(firewallgui_t)
+
+files_read_etc_files(firewallgui_t)
+files_read_usr_files(firewallgui_t)
+files_search_kernel_modules(firewallgui_t)
+files_list_kernel_modules(firewallgui_t)
+
+modutils_getattr_module_deps(firewallgui_t)
+
+dev_read_urand(firewallgui_t)
+dev_read_sysfs(firewallgui_t)
+
+nscd_dontaudit_search_pid(firewallgui_t)
+nscd_socket_use(firewallgui_t)
+
+miscfiles_read_localization(firewallgui_t)
+
+iptables_domtrans(firewallgui_t)
+iptables_initrc_domtrans(firewallgui_t)
+
+optional_policy(`
+ policykit_dbus_chat(firewallgui_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.5/policy/modules/apps/gitosis.if
--- nsaserefpolicy/policy/modules/apps/gitosis.if 2009-09-09 09:23:16.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/gitosis.if 2009-12-21 13:07:09.000000000 -0500
@@ -43,3 +43,48 @@
role $2 types gitosis_t;
')
+#######################################
+## <summary>
+## Allow the specified domain to read
+## gitosis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gitosis_read_var_lib',`
+ gen_require(`
+ type gitosis_var_lib_t;
+
+')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
+
+######################################
+## <summary>
+## Allow the specified domain to manage
+## gitosis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gitosis_manage_var_lib',`
+ gen_require(`
+ type gitosis_var_lib_t;
+
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.5/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/gnome.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,8 +1,17 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0)
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+# Don't use because toolchain is broken
+#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
+
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.5/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/gnome.if 2009-12-21 13:07:09.000000000 -0500
@@ -84,10 +84,201 @@
#
interface(`gnome_manage_config',`
gen_require(`
- type gnome_home_t;
+ attribute gnome_home_type;
')
- allow $1 gnome_home_t:dir manage_dir_perms;
- allow $1 gnome_home_t:file manage_file_perms;
+ allow $1 gnome_home_type:dir manage_dir_perms;
+ allow $1 gnome_home_type:file manage_file_perms;
+ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
userdom_search_user_home_dirs($1)
')
+
+########################################
+## <summary>
+## Send general signals to all gconf domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_signal_all',`
+ gen_require(`
+ attribute gnomedomain;
+ ')
+
+ allow $1 gnomedomain:process signal;
+')
+
+########################################
+## <summary>
+## read gnome homedir content (.config)
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`gnome_read_config',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ list_dirs_pattern($1, gnome_home_type, gnome_home_type)
+ read_files_pattern($1, gnome_home_type, gnome_home_type)
+ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
+')
+
+########################################
+## <summary>
+## read gconf config files
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`gnome_read_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+')
+
+#######################################
+## <summary>
+## Manage gconf config files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
+')
+
+########################################
+## <summary>
+## Execute gconf programs in
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_exec_gconf',`
+ gen_require(`
+ type gconfd_exec_t;
+ ')
+
+ can_exec($1, gconfd_exec_t)
+')
+
+########################################
+## <summary>
+## Read gconf home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_gconf_home_files',`
+ gen_require(`
+ type gconf_home_t;
+ type data_home_t;
+ ')
+
+ allow $1 gconf_home_t:dir list_dir_perms;
+ allow $1 data_home_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_home_t, gconf_home_t)
+ read_files_pattern($1, data_home_t, data_home_t)
+')
+
+########################################
+## <summary>
+## manage gconf home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_gconf_home_files',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ allow $1 gconf_home_t:dir list_dir_perms;
+ manage_files_pattern($1, gconf_home_t, gconf_home_t)
+')
+
+########################################
+## <summary>
+## Connect to gnome over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`gnome_stream_connect',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ # Connect to pulseaudit server
+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
+')
+
+########################################
+## <summary>
+## Write all inherited gnome home config
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_write_inherited_config',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ allow $1 gnome_home_type:file rw_inherited_file_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.5/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/gnome.te 2009-12-21 13:07:09.000000000 -0500
@@ -7,18 +7,30 @@
#
attribute gnomedomain;
+attribute gnome_home_type;
type gconf_etc_t;
-files_type(gconf_etc_t)
+files_config_file(gconf_etc_t)
-type gconf_home_t;
+type data_home_t, gnome_home_type;
+userdom_user_home_content(data_home_t)
+
+type config_home_t, gnome_home_type;
+userdom_user_home_content(config_home_t)
+
+type cache_home_t, gnome_home_type;
+userdom_user_home_content(cache_home_t)
+
+type gconf_home_t, gnome_home_type;
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
+typealias gconf_home_t alias unconfined_gconf_home_t;
userdom_user_home_content(gconf_home_t)
type gconf_tmp_t;
typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
+typealias gconf_tmp_t alias unconfined_gconf_tmp_t;
files_tmp_file(gconf_tmp_t)
ubac_constrained(gconf_tmp_t)
@@ -29,11 +41,20 @@
application_domain(gconfd_t, gconfd_exec_t)
ubac_constrained(gconfd_t)
-type gnome_home_t;
+type gnome_home_t, gnome_home_type;
typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
+typealias gnome_home_t alias unconfined_gnome_home_t;
userdom_user_home_content(gnome_home_t)
+type gconfdefaultsm_t;
+type gconfdefaultsm_exec_t;
+dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
+
+type gnomesystemmm_t;
+type gnomesystemmm_exec_t;
+dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
+
##############################
#
# Local Policy
@@ -73,3 +94,89 @@
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gconfdefaultsm_t)
+ fs_manage_nfs_files(gconfdefaultsm_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gconfdefaultsm_t)
+ fs_manage_cifs_files(gconfdefaultsm_t)
+')
+
+#######################################
+#
+# gconf-defaults-mechanisms local policy
+#
+
+allow gconfdefaultsm_t self:capability { dac_override sys_nice sys_ptrace };
+allow gconfdefaultsm_t self:process getsched;
+allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
+
+corecmd_search_bin(gconfdefaultsm_t)
+
+files_read_etc_files(gconfdefaultsm_t)
+files_read_usr_files(gconfdefaultsm_t)
+
+miscfiles_read_localization(gconfdefaultsm_t)
+
+gnome_manage_gconf_home_files(gconfdefaultsm_t)
+gnome_manage_gconf_config(gconfdefaultsm_t)
+
+userdom_read_all_users_state(gconfdefaultsm_t)
+userdom_search_user_home_dirs(gconfdefaultsm_t)
+
+userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)
+
+optional_policy(`
+ consolekit_dbus_chat(gconfdefaultsm_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(gconfdefaultsm_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(gconfdefaultsm_t)
+ policykit_dbus_chat(gconfdefaultsm_t)
+ policykit_read_lib(gconfdefaultsm_t)
+ policykit_read_reload(gconfdefaultsm_t)
+')
+
+#######################################
+#
+# gnome-system-monitor-mechanisms local policy
+#
+
+allow gnomesystemmm_t self:capability { sys_nice sys_ptrace };
+allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
+
+corecmd_search_bin(gnomesystemmm_t)
+
+domain_kill_all_domains(gnomesystemmm_t)
+domain_search_all_domains_state(gnomesystemmm_t)
+domain_setpriority_all_domains(gnomesystemmm_t)
+domain_signal_all_domains(gnomesystemmm_t)
+domain_sigstop_all_domains(gnomesystemmm_t)
+
+files_read_etc_files(gnomesystemmm_t)
+files_read_usr_files(gnomesystemmm_t)
+
+userdom_read_all_users_state(gnomesystemmm_t)
+userdom_dontaudit_search_admin_dir(gnomesystemmm_t)
+
+optional_policy(`
+ consolekit_dbus_chat(gnomesystemmm_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(gnomesystemmm_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(gnomesystemmm_t)
+ policykit_domtrans_auth(gnomesystemmm_t)
+ policykit_read_lib(gnomesystemmm_t)
+ policykit_read_reload(gnomesystemmm_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.5/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/java.fc 2009-12-21 13:07:09.000000000 -0500
@@ -2,15 +2,17 @@
# /opt
#
/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
#
# /usr
#
+/usr/Aptana[^/]*/AptanaStudio -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -20,5 +22,16 @@
/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
-/usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
-/usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.5/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2009-08-18 11:41:14.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/java.if 2009-12-21 13:07:09.000000000 -0500
@@ -30,6 +30,7 @@
allow java_t $2:unix_stream_socket connectto;
allow java_t $2:unix_stream_socket { read write };
+ allow java_t $2:tcp_socket { read write };
')
########################################
@@ -71,24 +72,130 @@
########################################
## <summary>
-## Execute the java program in the unconfined java domain.
+## Execute java in the java domain, and
+## allow the specified role the java domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## The type of the process performing this action.
## </summary>
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed the java domain.
+## </summary>
+## </param>
+#
+interface(`java_run',`
+ gen_require(`
+ type java_t;
+ ')
+
+ java_domtrans($1)
+ role $2 types java_t;
+')
+
+########################################
+## <summary>
+## Execute java in the unconfined java domain, and
+## allow the specified role the unconfined java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the java domain.
## </summary>
## </param>
#
interface(`java_run_unconfined',`
gen_require(`
type unconfined_java_t;
+ type java_t;
')
java_domtrans_unconfined($1)
role $2 types unconfined_java_t;
+ role $2 types java_t;
+ nsplugin_role_notrans($2, unconfined_java_t)
+')
+
+########################################
+## <summary>
+## Execute the java program in the java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`java_exec',`
+ gen_require(`
+ type java_exec_t;
+ ')
+
+ can_exec($1, java_exec_t)
+')
+
+#######################################
+## <summary>
+## The role template for the java module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`java_role_template',`
+ gen_require(`
+ type java_exec_t;
+ ')
+
+ type $1_java_t;
+ domain_type($1_java_t)
+ domain_entry_file($1_java_t, java_exec_t)
+ role $2 types $1_java_t;
+
+ domain_interactive_fd($1_java_t)
+
+ userdom_unpriv_usertype($1, $1_java_t)
+ userdom_manage_tmpfs_role($2, $1_java_t)
+
+ allow $1_java_t self:process { ptrace signal getsched execmem execstack };
+ allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms };
+ dontaudit $1_java_t $3:tcp_socket { read write };
+
+ domtrans_pattern($3, java_exec_t, $1_java_t)
+ dev_dontaudit_append_rand($1_java_t)
+
+ fs_dontaudit_rw_tmpfs_files($1_java_t)
+ corecmd_bin_domtrans($1_java_t, $1_t)
+
+ files_execmod_all_files($1_java_t)
+
+ optional_policy(`
+ xserver_role($1_r, $1_java_t)
+ ')
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.5/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/java.te 2009-12-21 13:07:09.000000000 -0500
@@ -20,6 +20,8 @@
typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
+role system_r types java_t;
+
type java_tmp_t;
files_tmp_file(java_tmp_t)
ubac_constrained(java_tmp_t)
@@ -32,9 +34,6 @@
typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t };
typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t };
-type unconfined_java_t;
-init_system_domain(unconfined_java_t, java_exec_t)
-
########################################
#
# Local policy
@@ -80,6 +79,7 @@
dev_write_sound(java_t)
dev_read_urand(java_t)
dev_read_rand(java_t)
+dev_dontaudit_append_rand(java_t)
files_read_etc_files(java_t)
files_read_usr_files(java_t)
@@ -134,17 +134,5 @@
xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
')
-########################################
-#
-# Unconfined java local policy
-#
-
-optional_policy(`
- # execheap is needed for itanium/BEA jrocket
- allow unconfined_java_t self:process { execstack execmem execheap };
- init_dbus_chat_script(unconfined_java_t)
- unconfined_domain_noaudit(unconfined_java_t)
- unconfined_dbus_chat(unconfined_java_t)
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.5/policy/modules/apps/kdumpgui.fc
--- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/kdumpgui.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.5/policy/modules/apps/kdumpgui.if
--- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/kdumpgui.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,2 @@
+## <summary>system-config-kdump policy</summary>
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.5/policy/modules/apps/kdumpgui.te
--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/kdumpgui.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,67 @@
+policy_module(kdumpgui,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type kdumpgui_t;
+type kdumpgui_exec_t;
+
+dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
+
+######################################
+#
+# system-config-kdump local policy
+#
+
+allow kdumpgui_t self:capability { net_admin sys_rawio };
+allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
+
+allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+kdump_manage_config(kdumpgui_t)
+kdump_initrc_domtrans(kdumpgui_t)
+
+corecmd_exec_bin(kdumpgui_t)
+corecmd_exec_shell(kdumpgui_t)
+consoletype_exec(kdumpgui_t)
+
+kernel_read_system_state(kdumpgui_t)
+kernel_read_network_state(kdumpgui_t)
+
+storage_raw_read_fixed_disk(kdumpgui_t)
+storage_raw_write_fixed_disk(kdumpgui_t)
+
+dev_dontaudit_getattr_all_chr_files(kdumpgui_t)
+dev_read_sysfs(kdumpgui_t)
+
+# for blkid.tab
+files_manage_etc_runtime_files(kdumpgui_t)
+files_etc_filetrans_etc_runtime(kdumpgui_t, file)
+
+files_manage_boot_files(kdumpgui_t)
+files_manage_boot_symlinks(kdumpgui_t)
+# Needed for running chkconfig
+files_manage_etc_symlinks(kdumpgui_t)
+
+auth_use_nsswitch(kdumpgui_t)
+
+logging_send_syslog_msg(kdumpgui_t)
+
+miscfiles_read_localization(kdumpgui_t)
+
+dontaudit_init_read_all_script_files(kdumpgui_t)
+
+userdom_dontaudit_search_admin_dir(kdumpgui_t)
+
+optional_policy(`
+ dev_rw_lvm_control(kdumpgui_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(kdumpgui_t)
+')
+
+permissive kdumpgui_t;
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.5/policy/modules/apps/livecd.fc
--- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/livecd.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.5/policy/modules/apps/livecd.if
--- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/livecd.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,52 @@
+
+## <summary>policy for livecd</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run livecd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`livecd_domtrans',`
+ gen_require(`
+ type livecd_t;
+ type livecd_exec_t;
+ ')
+
+ domtrans_pattern($1, livecd_exec_t, livecd_t)
+')
+
+
+########################################
+## <summary>
+## Execute livecd in the livecd domain, and
+## allow the specified role the livecd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the livecd domain.
+## </summary>
+## </param>
+#
+interface(`livecd_run',`
+ gen_require(`
+ type livecd_t;
+ ')
+
+ livecd_domtrans($1)
+ role $2 types livecd_t;
+
+ seutil_run_setfiles_mac(livecd_t, $2)
+ usermanage_run_passwd(livecd_t, $2)
+ usermanage_run_chfn(livecd_t, $2)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.5/policy/modules/apps/livecd.te
--- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/livecd.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,27 @@
+policy_module(livecd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type livecd_t;
+type livecd_exec_t;
+application_domain(livecd_t, livecd_exec_t)
+role system_r types livecd_t;
+
+########################################
+#
+# livecd local policy
+#
+dontaudit livecd_t self:capability2 mac_admin;
+
+unconfined_domain_noaudit(livecd_t)
+domain_ptrace_all_domains(livecd_t)
+
+optional_policy(`
+ hal_dbus_chat(livecd_t)
+')
+
+seutil_domtrans_setfiles_mac(livecd_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.5/policy/modules/apps/loadkeys.te
--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/loadkeys.te 2009-12-21 13:07:09.000000000 -0500
@@ -40,8 +40,12 @@
miscfiles_read_localization(loadkeys_t)
userdom_use_user_ttys(loadkeys_t)
-userdom_list_user_home_dirs(loadkeys_t)
+userdom_list_user_home_content(loadkeys_t)
optional_policy(`
nscd_dontaudit_search_pid(loadkeys_t)
')
+
+ifdef(`hide_broken_symptoms',`
+ dev_dontaudit_rw_lvm_control(loadkeys_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.fc serefpolicy-3.7.5/policy/modules/apps/mono.fc
--- nsaserefpolicy/policy/modules/apps/mono.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/mono.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1 +1 @@
-/usr/bin/mono -- gen_context(system_u:object_r:mono_exec_t,s0)
+/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.5/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/mono.if 2009-12-21 13:07:09.000000000 -0500
@@ -21,6 +21,105 @@
########################################
## <summary>
+## Read and write to mono shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`mono_rw_shm',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ allow $1 mono_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+## Execute mono in the mono domain, and
+## allow the specified role the mono domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the mono domain.
+## </summary>
+## </param>
+#
+interface(`mono_run',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ mono_domtrans($1)
+ role $2 types mono_t;
+')
+
+#######################################
+## <summary>
+## The role template for the mono module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for mono applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`mono_role_template',`
+ gen_require(`
+ type mono_exec_t;
+ ')
+
+ type $1_mono_t;
+ domain_type($1_mono_t)
+ domain_entry_file($1_mono_t, mono_exec_t)
+ role $2 types $1_mono_t;
+
+ domain_interactive_fd($1_mono_t)
+ application_type($1_mono_t)
+
+ userdom_unpriv_usertype($1, $1_mono_t)
+ userdom_manage_tmpfs_role($2, $1_mono_t)
+
+ allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
+ allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
+
+ domtrans_pattern($3, mono_exec_t, $1_mono_t)
+
+ fs_dontaudit_rw_tmpfs_files($1_mono_t)
+ corecmd_bin_domtrans($1_mono_t, $1_t)
+
+ optional_policy(`
+ xserver_role($1_r, $1_mono_t)
+ ')
+')
+
+########################################
+## <summary>
## Execute the mono program in the caller domain.
## </summary>
## <param name="domain">
@@ -31,7 +130,7 @@
#
interface(`mono_exec',`
gen_require(`
- type mono_t, mono_exec_t;
+ type mono_exec_t;
')
corecmd_search_bin($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.7.5/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/mono.te 2009-12-21 13:07:09.000000000 -0500
@@ -15,7 +15,7 @@
# Local policy
#
-allow mono_t self:process { execheap execmem };
+allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
init_dbus_chat_script(mono_t)
@@ -42,7 +42,12 @@
')
optional_policy(`
- unconfined_domain_noaudit(mono_t)
+ unconfined_domain(mono_t)
unconfined_dbus_chat(mono_t)
unconfined_dbus_connect(mono_t)
+ application_type(mono_t)
+')
+
+optional_policy(`
+ xserver_rw_shm(mono_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.5/policy/modules/apps/mozilla.fc
--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2009-07-28 13:28:33.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/mozilla.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,6 +1,7 @@
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.5/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-12-04 09:43:33.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/mozilla.if 2009-12-21 13:07:09.000000000 -0500
@@ -48,6 +48,12 @@
mozilla_dbus_chat($2)
+ userdom_manage_tmp_role($1, mozilla_t)
+
+ optional_policy(`
+ nsplugin_role($1, mozilla_t)
+ ')
+
optional_policy(`
pulseaudio_role($1, mozilla_t)
')
@@ -108,7 +114,7 @@
type mozilla_home_t;
')
- dontaudit $1 mozilla_home_t:file rw_file_perms;
+ dontaudit $1 mozilla_home_t:file { read write };
')
########################################
@@ -186,3 +192,22 @@
allow $1 mozilla_t:tcp_socket rw_socket_perms;
')
+
+########################################
+## <summary>
+## Write mozilla home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_execmod_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ allow $1 mozilla_home_t:file execmod;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.5/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-12-04 09:43:33.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/mozilla.te 2009-12-21 13:07:09.000000000 -0500
@@ -91,6 +91,7 @@
corenet_raw_sendrecv_generic_node(mozilla_t)
corenet_tcp_sendrecv_http_port(mozilla_t)
corenet_tcp_sendrecv_http_cache_port(mozilla_t)
+corenet_tcp_connect_flash_port(mozilla_t)
corenet_tcp_sendrecv_ftp_port(mozilla_t)
corenet_tcp_sendrecv_ipp_port(mozilla_t)
corenet_tcp_connect_http_port(mozilla_t)
@@ -133,21 +134,18 @@
fs_rw_tmpfs_files(mozilla_t)
term_dontaudit_getattr_pty_dirs(mozilla_t)
+term_use_all_user_ttys(mozilla_t)
logging_send_syslog_msg(mozilla_t)
+miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
miscfiles_read_fonts(mozilla_t)
miscfiles_read_localization(mozilla_t)
# Browse the web, connect to printer
sysnet_dns_name_resolve(mozilla_t)
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_manage_user_home_content_symlinks(mozilla_t)
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
-userdom_manage_user_tmp_sockets(mozilla_t)
+userdom_use_user_ptys(mozilla_t)
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
@@ -244,6 +242,13 @@
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
gnome_manage_config(mozilla_t)
+ gnome_manage_gconf_home_files(mozilla_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(mozilla_t)
+ pulseaudio_stream_connect(mozilla_t)
+ pulseaudio_manage_home(mozilla_t)
')
optional_policy(`
@@ -264,5 +269,10 @@
')
optional_policy(`
+ nsplugin_manage_rw(mozilla_t)
+ nsplugin_manage_home_files(mozilla_t)
+')
+
+optional_policy(`
thunderbird_domtrans(mozilla_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.5/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/nsplugin.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,11 @@
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+
+/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/bin/nspluginviewer -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.5/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/nsplugin.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,321 @@
+
+## <summary>policy for nsplugin</summary>
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## nsplugin rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_manage_rw_files',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ allow $1 nsplugin_rw_t:file manage_file_perms;
+ allow $1 nsplugin_rw_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+## Manage nsplugin rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_manage_rw',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+')
+
+#######################################
+## <summary>
+## The per role template for the nsplugin module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for nsplugin web browser.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+interface(`nsplugin_role_notrans',`
+ gen_require(`
+ type nsplugin_rw_t;
+ type nsplugin_home_t;
+ type nsplugin_exec_t;
+ type nsplugin_config_exec_t;
+ type nsplugin_t;
+ type nsplugin_config_t;
+ class x_drawable all_x_drawable_perms;
+ class x_resource all_x_resource_perms;
+ class dbus send_msg;
+ ')
+
+ role $1 types nsplugin_t;
+ role $1 types nsplugin_config_t;
+
+ allow nsplugin_t $2:process signull;
+ allow nsplugin_t $2:dbus send_msg;
+ allow $2 nsplugin_t:dbus send_msg;
+
+ list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ can_exec($2, nsplugin_rw_t)
+
+ #Leaked File Descriptors
+ dontaudit nsplugin_t $2:tcp_socket rw_socket_perms;
+ dontaudit nsplugin_t $2:udp_socket rw_socket_perms;
+ dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms;
+ dontaudit nsplugin_t $2:unix_dgram_socket rw_socket_perms;
+ dontaudit nsplugin_t $2:fifo_file rw_fifo_file_perms;
+ dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms;
+ dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms;
+ dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms;
+ dontaudit nsplugin_config_t $2:unix_dgram_socket rw_socket_perms;
+ dontaudit nsplugin_config_t $2:fifo_file rw_fifo_file_perms;
+ allow nsplugin_t $2:unix_stream_socket connectto;
+ dontaudit nsplugin_t $2:process ptrace;
+ allow nsplugin_t $2:sem rw_sem_perms;
+ allow nsplugin_t $2:shm rw_shm_perms;
+ dontaudit nsplugin_t $2:shm destroy;
+
+ allow $2 nsplugin_t:process { getattr ptrace signal_perms };
+ allow $2 nsplugin_t:unix_stream_socket connectto;
+
+ # Connect to pulseaudit server
+ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
+ gnome_stream_connect(nsplugin_t, $2)
+
+ userdom_use_user_terminals(nsplugin_t)
+ userdom_use_user_terminals(nsplugin_config_t)
+ userdom_dontaudit_setattr_user_home_content_files(nsplugin_t)
+ userdom_manage_tmpfs_role($1, nsplugin_t)
+
+ optional_policy(`
+ pulseaudio_role($1, nsplugin_t)
+ ')
+')
+
+#######################################
+## <summary>
+## Role access for nsplugin
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`nsplugin_role',`
+ gen_require(`
+ type nsplugin_exec_t;
+ type nsplugin_config_exec_t;
+ type nsplugin_t;
+ type nsplugin_config_t;
+ ')
+
+ nsplugin_role_notrans($1, $2)
+
+ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
+ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
+')
+
+#######################################
+## <summary>
+## The per role template for the nsplugin module.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`nsplugin_domtrans',`
+ gen_require(`
+ type nsplugin_exec_t;
+ type nsplugin_t;
+ ')
+
+ domtrans_pattern($1, nsplugin_exec_t, nsplugin_t)
+ allow $1 nsplugin_t:unix_stream_socket connectto;
+ allow nsplugin_t $1:process signal;
+')
+#######################################
+## <summary>
+## The per role template for the nsplugin module.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`nsplugin_domtrans_config',`
+ gen_require(`
+ type nsplugin_config_exec_t;
+ type nsplugin_config_t;
+ ')
+
+ domtrans_pattern($1, nsplugin_config_exec_t, nsplugin_config_t)
+')
+
+########################################
+## <summary>
+## Search nsplugin rw directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_search_rw_dir',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ allow $1 nsplugin_rw_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read nsplugin rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_read_rw_files',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ list_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+')
+
+########################################
+## <summary>
+## Read nsplugin home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_read_home',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ list_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
+ read_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+ read_lnk_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+## <summary>
+## Exec nsplugin rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_rw_exec',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ can_exec($1, nsplugin_rw_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## nsplugin home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_manage_home_files',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+## <summary>
+## Allow attempts to read and write to
+## nsplugin named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`nsplugin_rw_pipes',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.5/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/nsplugin.te 2009-12-22 10:16:59.000000000 -0500
@@ -0,0 +1,296 @@
+
+policy_module(nsplugin, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow nsplugin code to execmem/execstack
+## </p>
+## </desc>
+gen_tunable(allow_nsplugin_execmem, false)
+
+## <desc>
+## <p>
+## Allow nsplugin code to connect to unreserved ports
+## </p>
+## </desc>
+gen_tunable(nsplugin_can_network, true)
+
+type nsplugin_exec_t;
+application_executable_file(nsplugin_exec_t)
+
+type nsplugin_config_exec_t;
+application_executable_file(nsplugin_config_exec_t)
+
+type nsplugin_rw_t;
+files_poly_member(nsplugin_rw_t)
+userdom_user_home_content(nsplugin_rw_t)
+
+type nsplugin_tmp_t;
+files_tmp_file(nsplugin_tmp_t)
+
+type nsplugin_home_t;
+files_poly_member(nsplugin_home_t)
+userdom_user_home_content(nsplugin_home_t)
+typealias nsplugin_home_t alias user_nsplugin_home_t;
+
+type nsplugin_t;
+domain_type(nsplugin_t)
+domain_entry_file(nsplugin_t, nsplugin_exec_t)
+
+type nsplugin_config_t;
+domain_type(nsplugin_config_t)
+domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t)
+
+application_executable_file(nsplugin_exec_t)
+application_executable_file(nsplugin_config_exec_t)
+
+
+########################################
+#
+# nsplugin local policy
+#
+dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
+allow nsplugin_t self:fifo_file rw_file_perms;
+allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms };
+
+allow nsplugin_t self:sem create_sem_perms;
+allow nsplugin_t self:shm create_shm_perms;
+allow nsplugin_t self:msgq create_msgq_perms;
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow nsplugin_t self:unix_dgram_socket create_socket_perms;
+
+tunable_policy(`allow_nsplugin_execmem',`
+ allow nsplugin_t self:process { execstack execmem };
+ allow nsplugin_config_t self:process { execstack execmem };
+')
+
+tunable_policy(`nsplugin_can_network',`
+ corenet_tcp_connect_all_unreserved_ports(nsplugin_t)
+')
+
+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+userdom_user_home_dir_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
+userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
+userdom_dontaudit_write_user_home_content_files(nsplugin_t)
+userdom_dontaudit_search_admin_dir(nsplugin_t)
+
+corecmd_exec_bin(nsplugin_t)
+corecmd_exec_shell(nsplugin_t)
+
+corenet_all_recvfrom_unlabeled(nsplugin_t)
+corenet_all_recvfrom_netlabel(nsplugin_t)
+corenet_tcp_connect_flash_port(nsplugin_t)
+corenet_tcp_connect_streaming_port(nsplugin_t)
+corenet_tcp_connect_pulseaudio_port(nsplugin_t)
+corenet_tcp_connect_http_port(nsplugin_t)
+corenet_tcp_connect_http_cache_port(nsplugin_t)
+corenet_tcp_sendrecv_generic_if(nsplugin_t)
+corenet_tcp_sendrecv_generic_node(nsplugin_t)
+corenet_tcp_connect_ipp_port(nsplugin_t)
+corenet_tcp_connect_speech_port(nsplugin_t)
+
+domain_dontaudit_read_all_domains_state(nsplugin_t)
+
+dev_read_rand(nsplugin_t)
+dev_read_sound(nsplugin_t)
+dev_write_sound(nsplugin_t)
+dev_read_video_dev(nsplugin_t)
+dev_write_video_dev(nsplugin_t)
+dev_getattr_dri_dev(nsplugin_t)
+dev_rwx_zero(nsplugin_t)
+dev_search_sysfs(nsplugin_t)
+
+kernel_read_kernel_sysctls(nsplugin_t)
+kernel_read_system_state(nsplugin_t)
+
+files_dontaudit_getattr_lost_found_dirs(nsplugin_t)
+files_dontaudit_list_home(nsplugin_t)
+files_read_usr_files(nsplugin_t)
+files_read_etc_files(nsplugin_t)
+files_read_config_files(nsplugin_t)
+
+fs_getattr_tmpfs(nsplugin_t)
+fs_getattr_xattr_fs(nsplugin_t)
+fs_search_auto_mountpoints(nsplugin_t)
+fs_rw_anon_inodefs_files(nsplugin_t)
+fs_list_inotifyfs(nsplugin_t)
+
+storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
+
+term_dontaudit_getattr_all_user_ptys(nsplugin_t)
+term_dontaudit_getattr_all_user_ttys(nsplugin_t)
+
+auth_use_nsswitch(nsplugin_t)
+
+libs_exec_ld_so(nsplugin_t)
+
+miscfiles_read_localization(nsplugin_t)
+miscfiles_read_fonts(nsplugin_t)
+miscfiles_dontaudit_write_fonts(nsplugin_t)
+
+userdom_manage_user_tmp_dirs(nsplugin_t)
+userdom_manage_user_tmp_files(nsplugin_t)
+userdom_manage_user_tmp_sockets(nsplugin_t)
+userdom_tmp_filetrans_user_tmp(nsplugin_t, { file dir sock_file })
+userdom_rw_semaphores(nsplugin_t)
+
+userdom_read_user_home_content_symlinks(nsplugin_t)
+userdom_read_user_home_content_files(nsplugin_t)
+userdom_read_user_tmp_files(nsplugin_t)
+userdom_write_user_tmp_sockets(nsplugin_t)
+userdom_dontaudit_append_user_home_content_files(nsplugin_t)
+userdom_dontaudit_delete_user_home_content_files(nsplugin_t)
+
+optional_policy(`
+ alsa_read_rw_config(nsplugin_t)
+')
+
+optional_policy(`
+ cups_stream_connect(nsplugin_t)
+')
+
+optional_policy(`
+ dbus_session_bus_client(nsplugin_t)
+ dbus_connect_session_bus(nsplugin_t)
+ dbus_system_bus_client(nsplugin_t)
+')
+
+optional_policy(`
+ gnome_exec_gconf(nsplugin_t)
+ gnome_manage_config(nsplugin_t)
+ gnome_read_gconf_home_files(nsplugin_t)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(nsplugin_t)
+ mozilla_write_user_home_files(nsplugin_t)
+')
+
+optional_policy(`
+ mplayer_exec(nsplugin_t)
+ mplayer_read_user_home_files(nsplugin_t)
+')
+
+optional_policy(`
+ unconfined_execmem_signull(nsplugin_t)
+')
+
+optional_policy(`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+ xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t)
+ xserver_rw_shm(nsplugin_t)
+ xserver_read_xdm_pid(nsplugin_t)
+ xserver_read_xdm_tmp_files(nsplugin_t)
+ xserver_read_user_xauth(nsplugin_t)
+ xserver_read_user_iceauth(nsplugin_t)
+ xserver_use_user_fonts(nsplugin_t)
+ xserver_rw_inherited_user_fonts(nsplugin_t)
+')
+
+########################################
+#
+# nsplugin_config local policy
+#
+
+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
+allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };
+#execing pulseaudio
+dontaudit nsplugin_t self:process { getcap setcap };
+
+allow nsplugin_config_t self:fifo_file rw_file_perms;
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
+dev_dontaudit_read_rand(nsplugin_config_t)
+
+fs_search_auto_mountpoints(nsplugin_config_t)
+fs_list_inotifyfs(nsplugin_config_t)
+
+can_exec(nsplugin_config_t, nsplugin_rw_t)
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+
+manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+
+corecmd_exec_bin(nsplugin_config_t)
+corecmd_exec_shell(nsplugin_config_t)
+
+kernel_read_system_state(nsplugin_config_t)
+
+files_read_etc_files(nsplugin_config_t)
+files_read_usr_files(nsplugin_config_t)
+files_dontaudit_search_home(nsplugin_config_t)
+files_list_tmp(nsplugin_config_t)
+
+auth_use_nsswitch(nsplugin_config_t)
+
+miscfiles_read_localization(nsplugin_config_t)
+miscfiles_read_fonts(nsplugin_config_t)
+
+userdom_search_user_home_content(nsplugin_config_t)
+userdom_read_user_home_content_symlinks(nsplugin_config_t)
+userdom_read_user_home_content_files(nsplugin_config_t)
+userdom_dontaudit_search_admin_dir(nsplugin_config_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_getattr_nfs(nsplugin_t)
+ fs_manage_nfs_dirs(nsplugin_t)
+ fs_manage_nfs_files(nsplugin_t)
+ fs_read_nfs_symlinks(nsplugin_t)
+ fs_manage_nfs_named_pipes(nsplugin_t)
+ fs_manage_nfs_dirs(nsplugin_config_t)
+ fs_manage_nfs_files(nsplugin_config_t)
+ fs_manage_nfs_named_pipes(nsplugin_config_t)
+ fs_read_nfs_symlinks(nsplugin_config_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_getattr_cifs(nsplugin_t)
+ fs_manage_cifs_dirs(nsplugin_t)
+ fs_manage_cifs_files(nsplugin_t)
+ fs_read_cifs_symlinks(nsplugin_t)
+ fs_manage_cifs_named_pipes(nsplugin_t)
+ fs_manage_cifs_dirs(nsplugin_config_t)
+ fs_manage_cifs_files(nsplugin_config_t)
+ fs_manage_cifs_named_pipes(nsplugin_config_t)
+ fs_read_cifs_symlinks(nsplugin_config_t)
+')
+
+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
+
+optional_policy(`
+ xserver_use_user_fonts(nsplugin_config_t)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(nsplugin_config_t)
+ mozilla_write_user_home_files(nsplugin_config_t)
+')
+
+application_signull(nsplugin_t)
+
+optional_policy(`
+ pulseaudio_exec(nsplugin_t)
+ pulseaudio_stream_connect(nsplugin_t)
+ pulseaudio_manage_home(nsplugin_t)
+')
+
+optional_policy(`
+ unconfined_execmem_exec(nsplugin_t)
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.5/policy/modules/apps/openoffice.fc
--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/openoffice.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,3 @@
+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.5/policy/modules/apps/openoffice.if
--- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/openoffice.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,92 @@
+## <summary>Openoffice</summary>
+
+#######################################
+## <summary>
+## The per role template for the openoffice module.
+## </summary>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`openoffice_plugin_role',`
+ gen_require(`
+ type openoffice_exec_t;
+ type openoffice_t;
+ ')
+
+ ########################################
+ #
+ # Local policy
+ #
+
+ domtrans_pattern($1, openoffice_exec_t, openoffice_t)
+ allow $1 openoffice_t:process { signal sigkill };
+')
+
+#######################################
+## <summary>
+## role for openoffice
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`openoffice_role_template',`
+ gen_require(`
+ type openoffice_exec_t;
+ ')
+
+ role $2 types $1_openoffice_t;
+
+ type $1_openoffice_t;
+ domain_type($1_openoffice_t)
+ domain_entry_file($1_openoffice_t, openoffice_exec_t)
+ domain_interactive_fd($1_openoffice_t)
+
+ userdom_unpriv_usertype($1, $1_openoffice_t)
+ userdom_exec_user_home_content_files($1_openoffice_t)
+
+ allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack };
+
+ allow $3 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh };
+ allow $1_openoffice_t $3:tcp_socket { read write };
+
+ domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t)
+
+ dev_read_urand($1_openoffice_t)
+ dev_read_rand($1_openoffice_t)
+
+ fs_dontaudit_rw_tmpfs_files($1_openoffice_t)
+
+ allow $3 $1_openoffice_t:process { signal sigkill };
+ allow $1_openoffice_t $3:unix_stream_socket connectto;
+ optional_policy(`
+ xserver_common_x_domain_template($1, $1_openoffice_t)
+ ')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.5/policy/modules/apps/openoffice.te
--- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/openoffice.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,11 @@
+
+policy_module(openoffice, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openoffice_t;
+type openoffice_exec_t;
+application_domain(openoffice_t, openoffice_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.5/policy/modules/apps/podsleuth.te
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-12-04 09:43:33.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/podsleuth.te 2009-12-21 13:07:09.000000000 -0500
@@ -50,6 +50,7 @@
fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file })
kernel_read_system_state(podsleuth_t)
+kernel_request_load_module(podsleuth_t)
corecmd_exec_bin(podsleuth_t)
@@ -66,6 +67,7 @@
fs_search_dos(podsleuth_t)
fs_getattr_tmpfs(podsleuth_t)
fs_list_tmpfs(podsleuth_t)
+fs_rw_removable_blk_files(podsleuth_t)
miscfiles_read_localization(podsleuth_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.5/policy/modules/apps/ptchown.if
--- nsaserefpolicy/policy/modules/apps/ptchown.if 2009-08-31 13:30:04.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/ptchown.if 2009-12-21 13:07:09.000000000 -0500
@@ -18,3 +18,27 @@
domtrans_pattern($1, ptchown_exec_t, ptchown_t)
')
+########################################
+## <summary>
+## Execute ptchown in the ptchown domain, and
+## allow the specified role the ptchown domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the ptchown domain.
+## </summary>
+## </param>
+#
+interface(`ptchown_run',`
+ gen_require(`
+ type ptchown_t;
+ ')
+
+ ptchown_domtrans($1)
+ role $2 types ptchown_t;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.5/policy/modules/apps/pulseaudio.fc
--- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2009-07-23 14:11:04.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/pulseaudio.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1 +1,4 @@
/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+
+HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.5/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/pulseaudio.if 2009-12-21 13:07:09.000000000 -0500
@@ -40,7 +40,7 @@
userdom_manage_tmpfs_role($1, pulseaudio_t)
allow $2 pulseaudio_t:dbus send_msg;
- allow pulseaudio_t $2:dbus send_msg;
+ allow pulseaudio_t $2:dbus { acquire_svc send_msg };
')
########################################
@@ -144,3 +144,43 @@
allow pulseaudio_t $1:process signull;
allow $1 pulseaudio_t:unix_stream_socket connectto;
')
+
+########################################
+## <summary>
+## read pulseaudio homedir content
+## </summary>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`pulseaudio_read_home',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ list_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+')
+
+########################################
+## <summary>
+## manage pulseaudio homedir content
+## </summary>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`pulseaudio_manage_home',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.5/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/pulseaudio.te 2009-12-22 09:44:29.000000000 -0500
@@ -11,6 +11,9 @@
application_domain(pulseaudio_t, pulseaudio_exec_t)
role system_r types pulseaudio_t;
+type pulseaudio_home_t;
+userdom_user_home_content(pulseaudio_home_t)
+
########################################
#
# pulseaudio local policy
@@ -18,7 +21,7 @@
allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
allow pulseaudio_t self:fifo_file rw_file_perms;
-allow pulseaudio_t self:unix_stream_socket create_stream_socket_perms;
+allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
allow pulseaudio_t self:udp_socket create_socket_perms;
@@ -26,6 +29,7 @@
can_exec(pulseaudio_t, pulseaudio_exec_t)
+kernel_getattr_proc(pulseaudio_t)
kernel_read_system_state(pulseaudio_t)
kernel_read_kernel_sysctls(pulseaudio_t)
@@ -63,12 +67,17 @@
miscfiles_read_localization(pulseaudio_t)
optional_policy(`
- gnome_manage_config(pulseaudio_t)
+ bluetooth_stream_connect(pulseaudio_t)
')
+userdom_search_user_home_dirs(pulseaudio_t)
+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+
optional_policy(`
dbus_system_bus_client(pulseaudio_t)
dbus_session_bus_client(pulseaudio_t)
+ dbus_connect_session_bus(pulseaudio_t)
optional_policy(`
consolekit_dbus_chat(pulseaudio_t)
@@ -88,6 +97,10 @@
')
optional_policy(`
+ rtkit_daemon_system_domain(pulseaudio_t)
+')
+
+optional_policy(`
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
policykit_read_reload(pulseaudio_t)
@@ -98,6 +111,8 @@
')
optional_policy(`
+ xserver_stream_connect(pulseaudio_t)
xserver_manage_xdm_tmp_files(pulseaudio_t)
xserver_read_xdm_lib_files(pulseaudio_t)
+ xserver_read_xdm_pid(pulseaudio_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.7.5/policy/modules/apps/qemu.fc
--- nsaserefpolicy/policy/modules/apps/qemu.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/qemu.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,2 +1,2 @@
-/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
-/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.5/policy/modules/apps/qemu.if
--- nsaserefpolicy/policy/modules/apps/qemu.if 2009-08-31 13:44:40.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/qemu.if 2009-12-21 13:07:09.000000000 -0500
@@ -40,6 +40,10 @@
qemu_domtrans($1)
role $2 types qemu_t;
+
+ optional_policy(`
+ samba_run_smb(qemu_t, $2, $3)
+ ')
')
########################################
@@ -211,3 +215,188 @@
# xserver_xdm_rw_shm($1_t)
')
')
+
+#######################################
+## <summary>
+## The per role template for the qemu module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for qemu web browser.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+interface(`qemu_role_notrans',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ role $1 types qemu_t;
+')
+
+#######################################
+## <summary>
+## The per role template for the qemu module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for qemu web browser.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`qemu_role',`
+ gen_require(`
+ type qemu_exec_t;
+ ')
+
+ qemu_role_notrans($1, $2, $3)
+
+ domtrans_pattern($3, qemu_exec_t, qemu_t)
+ domtrans_pattern($3, qemu_config_exec_t, qemu_config_t)
+')
+
+########################################
+## <summary>
+## Set the schedule on qemu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_setsched',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ allow $1 qemu_t:process setsched;
+')
+
+########################################
+## <summary>
+## Execute qemu_exec_t
+## in the specified domain but do not
+## do it automatically. This is an explicit
+## transition, requiring the caller to use setexeccon().
+## </summary>
+## <desc>
+## <p>
+## Execute qemu_exec_t
+## in the specified domain. This allows
+## the specified domain to qemu programs
+## on these filesystems in the specified
+## domain.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`qemu_spec_domtrans',`
+ gen_require(`
+ type qemu_exec_t;
+ ')
+
+ read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t)
+ domain_transition_pattern($1, qemu_exec_t, $2)
+ domain_entry_file($2,qemu_exec_t)
+ can_exec($1,qemu_exec_t)
+
+ allow $2 $1:fd use;
+ allow $2 $1:fifo_file rw_fifo_file_perms;
+ allow $2 $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute qemu unconfined programs in the role.
+## </summary>
+## <param name="role">
+## <summary>
+## The role to allow the PAM domain.
+## </summary>
+## </param>
+#
+interface(`qemu_unconfined_role',`
+ gen_require(`
+ type qemu_unconfined_t;
+ ')
+ role $1 types qemu_unconfined_t;
+')
+
+########################################
+## <summary>
+## Manage qemu temporary dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_manage_tmp_dirs',`
+ gen_require(`
+ type qemu_tmp_t;
+ ')
+
+ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
+ ')
+
+########################################
+## <summary>
+## Manage qemu temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+ #
+interface(`qemu_manage_tmp_files',`
+ gen_require(`
+ type qemu_tmp_t;
+ ')
+
+ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.5/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/qemu.te 2009-12-21 13:07:09.000000000 -0500
@@ -13,15 +13,46 @@
## </desc>
gen_tunable(qemu_full_network, false)
+## <desc>
+## <p>
+## Allow qemu to use usb devices
+## </p>
+## </desc>
+gen_tunable(qemu_use_usb, true)
+
+## <desc>
+## <p>
+## Allow qemu to use nfs file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_nfs, true)
+
+## <desc>
+## <p>
+## Allow qemu to use cifs/Samba file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_cifs, true)
+
+## <desc>
+## <p>
+## Allow qemu to user serial/parallell communication ports
+## </p>
+## </desc>
+gen_tunable(qemu_use_comm, false)
+
+
type qemu_exec_t;
-qemu_domain_template(qemu)
+virt_domain_template(qemu)
application_domain(qemu_t, qemu_exec_t)
role system_r types qemu_t;
-########################################
-#
-# qemu local policy
-#
+storage_raw_write_removable_device(qemu_t)
+storage_raw_read_removable_device(qemu_t)
+
+userdom_search_user_home_content(qemu_t)
+userdom_read_user_tmpfs_files(qemu_t)
+userdom_signull_unpriv_users(qemu_t)
tunable_policy(`qemu_full_network',`
allow qemu_t self:udp_socket create_socket_perms;
@@ -35,6 +66,44 @@
corenet_tcp_connect_all_ports(qemu_t)
')
+tunable_policy(`qemu_use_comm',`
+ term_use_unallocated_ttys(qemu_t)
+ dev_rw_printer(qemu_t)
+')
+
+tunable_policy(`qemu_use_nfs',`
+ fs_manage_nfs_dirs(qemu_t)
+ fs_manage_nfs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_cifs',`
+ fs_manage_cifs_dirs(qemu_t)
+ fs_manage_cifs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_usb',`
+ dev_rw_usbfs(qemu_t)
+ fs_manage_dos_dirs(qemu_t)
+ fs_manage_dos_files(qemu_t)
+')
+
+optional_policy(`
+ samba_domtrans_smbd(qemu_t)
+')
+
+optional_policy(`
+ virt_manage_images(qemu_t)
+ virt_append_log(qemu_t)
+')
+
+optional_policy(`
+ xen_rw_image_files(qemu_t)
+')
+
+optional_policy(`
+ xen_rw_image_files(qemu_t)
+')
+
########################################
#
# qemu_unconfined local policy
@@ -44,6 +113,10 @@
type qemu_unconfined_t;
domain_type(qemu_unconfined_t)
unconfined_domain_noaudit(qemu_unconfined_t)
+ userdom_manage_tmpfs_role(unconfined_r, qemu_unconfined_t)
+ application_type(qemu_unconfined_t)
+ role unconfined_r types qemu_unconfined_t;
allow qemu_unconfined_t self:process { execstack execmem };
+ allow qemu_unconfined_t qemu_exec_t:file execmod;
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.5/policy/modules/apps/sambagui.fc
--- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/sambagui.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1 @@
+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.5/policy/modules/apps/sambagui.if
--- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/sambagui.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,2 @@
+## <summary>system-config-samba policy</summary>
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.5/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/sambagui.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,60 @@
+policy_module(sambagui,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sambagui_t;
+type sambagui_exec_t;
+dbus_system_domain(sambagui_t, sambagui_exec_t)
+
+########################################
+#
+# system-config-samba local policy
+#
+
+allow sambagui_t self:fifo_file rw_fifo_file_perms;
+allow sambagui_t self:unix_dgram_socket create_socket_perms;
+
+# handling with samba conf files
+samba_append_log(sambagui_t)
+samba_manage_config(sambagui_t)
+samba_manage_var_files(sambagui_t)
+samba_read_secrets(sambagui_t)
+samba_initrc_domtrans(sambagui_t)
+samba_domtrans_smbd(sambagui_t)
+samba_domtrans_nmbd(sambagui_t)
+
+# execut apps of system-config-samba
+corecmd_exec_shell(sambagui_t)
+corecmd_exec_bin(sambagui_t)
+
+files_read_etc_files(sambagui_t)
+files_search_var_lib(sambagui_t)
+files_search_usr(sambagui_t)
+
+# reading shadow by pdbedit
+#auth_read_shadow(sambagui_t)
+
+auth_use_nsswitch(sambagui_t)
+
+logging_send_syslog_msg(sambagui_t)
+
+miscfiles_read_localization(sambagui_t)
+
+# read meminfo
+kernel_read_system_state(sambagui_t)
+
+dev_dontaudit_read_urand(sambagui_t)
+nscd_dontaudit_search_pid(sambagui_t)
+
+userdom_dontaudit_search_admin_dir(sambagui_t)
+
+optional_policy(`
+ consoletype_exec(sambagui_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(sambagui_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.5/policy/modules/apps/sandbox.fc
--- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/sandbox.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1 @@
+# No types are sandbox_exec_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.5/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/sandbox.if 2009-12-22 11:04:52.000000000 -0500
@@ -0,0 +1,222 @@
+
+## <summary>policy for sandbox</summary>
+
+########################################
+## <summary>
+## Execute sandbox in the sandbox domain, and
+## allow the specified role the sandbox domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the sandbox domain.
+## </summary>
+## </param>
+#
+interface(`sandbox_transition',`
+ gen_require(`
+ type sandbox_xserver_t;
+ attribute sandbox_domain;
+ attribute sandbox_x_domain;
+ attribute sandbox_file_type;
+ ')
+
+ allow $1 sandbox_domain:process transition;
+ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
+ role $2 types sandbox_domain;
+ allow sandbox_domain $1:process sigchld;
+ allow sandbox_domain $1:fifo_file rw_fifo_file_perms;
+
+ allow $1 sandbox_x_domain:process { signal_perms transition };
+ dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
+ dontaudit sandbox_x_domain $1:process signal;
+ role $2 types sandbox_x_domain;
+ role $2 types sandbox_xserver_t;
+ allow $1 sandbox_xserver_t:process signal_perms;
+ dontaudit sandbox_xserver_t $1:fifo_file rw_fifo_file_perms;
+ dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
+ dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
+ allow sandbox_xserver_t $1:unix_stream_socket { read write };
+
+ allow sandbox_x_domain $1:process { sigchld signal };
+ allow sandbox_x_domain sandbox_x_domain:process signal;
+ # Dontaudit leaked file descriptors
+ dontaudit sandbox_x_domain $1:fifo_file { read write };
+ dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
+
+ manage_files_pattern($1, sandbox_file_type, sandbox_file_type);
+ manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type);
+ manage_sock_files_pattern($1, sandbox_file_type, sandbox_file_type);
+ manage_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type);
+ manage_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type);
+ relabel_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
+ relabel_files_pattern($1, sandbox_file_type, sandbox_file_type)
+')
+
+########################################
+## <summary>
+## Creates types and rules for a basic
+## qemu process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`sandbox_domain_template',`
+
+ gen_require(`
+ attribute sandbox_domain;
+ attribute sandbox_file_type;
+ ')
+
+ type $1_t, sandbox_domain;
+ domain_type($1_t)
+
+ type $1_file_t, sandbox_file_type;
+ files_type($1_file_t)
+
+ can_exec($1_t, $1_file_t)
+ manage_dirs_pattern($1_t, $1_file_t, $1_file_t)
+ manage_files_pattern($1_t, $1_file_t, $1_file_t)
+ manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t)
+ manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
+ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
+')
+
+########################################
+## <summary>
+## Creates types and rules for a basic
+## qemu process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`sandbox_x_domain_template',`
+ gen_require(`
+ type xserver_exec_t;
+ type sandbox_xserver_t;
+ attribute sandbox_domain, sandbox_x_domain;
+ ')
+
+ type $1_t, sandbox_x_domain;
+ domain_type($1_t)
+
+ type $1_file_t, sandbox_file_type;
+ files_type($1_file_t)
+
+ can_exec($1_t, $1_file_t)
+ manage_dirs_pattern($1_t, $1_file_t, $1_file_t)
+ manage_files_pattern($1_t, $1_file_t, $1_file_t)
+ manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t)
+ manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
+ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
+
+ # window manager
+ miscfiles_setattr_fonts_dirs($1_t)
+ allow $1_t self:capability setuid;
+
+ type $1_client_t, sandbox_x_domain;
+ domain_type($1_client_t)
+
+ type $1_client_tmpfs_t;
+ files_tmpfs_file($1_client_tmpfs_t)
+
+ term_search_ptys($1_t)
+ allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr };
+ term_create_pty($1_client_t,sandbox_devpts_t)
+
+ manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
+ fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
+ allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
+
+ domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
+ allow $1_t sandbox_xserver_t:process signal_perms;
+
+ domtrans_pattern($1_t, $1_file_t, $1_client_t)
+ domain_entry_file($1_client_t, $1_file_t)
+
+ # Random tmpfs_t that gets created when you run X.
+ fs_rw_tmpfs_files($1_t)
+
+ manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
+ manage_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
+ manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
+ allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms;
+ ps_process_pattern(sandbox_xserver_t, $1_client_t)
+ ps_process_pattern(sandbox_xserver_t, $1_t)
+ allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
+ allow sandbox_xserver_t $1_t:shm rw_shm_perms;
+
+ can_exec($1_client_t, $1_file_t)
+ manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t)
+ manage_files_pattern($1_client_t, $1_file_t, $1_file_t)
+ manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
+ manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
+ manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
+')
+
+########################################
+## <summary>
+## allow domain to read,
+## write sandbox_xserver tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sandbox_rw_xserver_tmpfs_files',`
+ gen_require(`
+ type sandbox_xserver_tmpfs_t;
+ ')
+
+ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## allow domain to delete sandbox files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sandbox_delete_files',`
+ gen_require(`
+ attribute sandbox_file_type;
+ ')
+
+ delete_files_pattern($1, sandbox_file_type, sandbox_file_type)
+')
+
+########################################
+## <summary>
+## allow domain to delete sandbox files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sandbox_delete_dirs',`
+ gen_require(`
+ attribute sandbox_file_type;
+ ')
+
+ delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.5/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/sandbox.te 2009-12-21 14:43:49.000000000 -0500
@@ -0,0 +1,340 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
+attribute sandbox_x_domain;
+attribute sandbox_file_type;
+
+########################################
+#
+# Declarations
+#
+
+sandbox_domain_template(sandbox)
+sandbox_x_domain_template(sandbox_x)
+sandbox_x_domain_template(sandbox_web)
+sandbox_x_domain_template(sandbox_net)
+
+type sandbox_xserver_t;
+domain_type(sandbox_xserver_t)
+permissive sandbox_xserver_t;
+xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t)
+
+type sandbox_xserver_tmpfs_t;
+files_tmpfs_file(sandbox_xserver_tmpfs_t)
+
+type sandbox_devpts_t;
+term_pty(sandbox_devpts_t)
+files_type(sandbox_devpts_t)
+
+########################################
+#
+# sandbox xserver policy
+#
+allow sandbox_xserver_t self:process execmem;
+allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
+allow sandbox_xserver_t self:shm create_shm_perms;
+allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+corecmd_exec_bin(sandbox_xserver_t)
+corecmd_exec_shell(sandbox_xserver_t)
+
+corenet_all_recvfrom_unlabeled(sandbox_xserver_t)
+corenet_all_recvfrom_netlabel(sandbox_xserver_t)
+corenet_tcp_sendrecv_all_if(sandbox_xserver_t)
+corenet_udp_sendrecv_all_if(sandbox_xserver_t)
+corenet_tcp_sendrecv_all_nodes(sandbox_xserver_t)
+corenet_udp_sendrecv_all_nodes(sandbox_xserver_t)
+corenet_tcp_sendrecv_all_ports(sandbox_xserver_t)
+corenet_udp_sendrecv_all_ports(sandbox_xserver_t)
+corenet_tcp_bind_all_nodes(sandbox_xserver_t)
+corenet_tcp_bind_xserver_port(sandbox_xserver_t)
+corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
+corenet_sendrecv_all_client_packets(sandbox_xserver_t)
+
+dev_rwx_zero(sandbox_xserver_t)
+
+files_read_etc_files(sandbox_xserver_t)
+files_read_usr_files(sandbox_xserver_t)
+files_search_home(sandbox_xserver_t)
+fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
+fs_list_inotifyfs(sandbox_xserver_t)
+
+miscfiles_read_fonts(sandbox_xserver_t)
+miscfiles_read_localization(sandbox_xserver_t)
+
+kernel_read_system_state(sandbox_xserver_t)
+
+selinux_validate_context(sandbox_xserver_t)
+selinux_compute_access_vector(sandbox_xserver_t)
+selinux_compute_create_context(sandbox_xserver_t)
+
+auth_use_nsswitch(sandbox_xserver_t)
+
+logging_send_syslog_msg(sandbox_xserver_t)
+logging_send_audit_msgs(sandbox_xserver_t)
+
+userdom_use_user_terminals(sandbox_xserver_t)
+
+xserver_entry_type(sandbox_xserver_t)
+
+optional_policy(`
+ dbus_system_bus_client(sandbox_xserver_t)
+
+ optional_policy(`
+ hal_dbus_chat(sandbox_xserver_t)
+ ')
+')
+
+########################################
+#
+# sandbox local policy
+#
+
+## internal communication is often done using fifo and unix sockets.
+allow sandbox_domain self:fifo_file manage_file_perms;
+allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
+allow sandbox_domain self:unix_dgram_socket create_socket_perms;
+
+gen_require(`
+ type usr_t, lib_t, locale_t;
+ attribute exec_type;
+')
+
+files_rw_all_inherited_files(sandbox_domain, -exec_type -usr_t -lib_t -locale_t )
+files_entrypoint_all_files(sandbox_domain)
+
+miscfiles_read_localization(sandbox_domain)
+
+kernel_dontaudit_read_system_state(sandbox_domain)
+corecmd_exec_all_executables(sandbox_domain)
+
+userdom_dontaudit_use_user_terminals(sandbox_domain)
+
+########################################
+#
+# sandbox_x_domain local policy
+#
+## internal communication is often done using fifo and unix sockets.
+allow sandbox_x_domain self:fifo_file manage_file_perms;
+allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
+
+allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem };
+allow sandbox_x_domain self:shm create_shm_perms;
+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
+allow sandbox_x_domain self:unix_dgram_socket create_socket_perms;
+allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+domain_dontaudit_read_all_domains_state(sandbox_x_domain)
+
+files_search_home(sandbox_x_domain)
+files_dontaudit_list_tmp(sandbox_x_domain)
+
+kernel_read_network_state(sandbox_x_domain)
+kernel_read_system_state(sandbox_x_domain)
+
+corecmd_exec_all_executables(sandbox_x_domain)
+
+dev_read_urand(sandbox_x_domain)
+dev_dontaudit_read_rand(sandbox_x_domain)
+dev_list_sysfs(sandbox_x_domain)
+
+files_entrypoint_all_files(sandbox_x_domain)
+files_read_etc_files(sandbox_x_domain)
+files_read_usr_files(sandbox_x_domain)
+files_read_usr_symlinks(sandbox_x_domain)
+
+fs_getattr_tmpfs(sandbox_x_domain)
+fs_getattr_xattr_fs(sandbox_x_domain)
+fs_list_inotifyfs(sandbox_x_domain)
+
+auth_dontaudit_read_login_records(sandbox_x_domain)
+auth_dontaudit_write_login_records(sandbox_x_domain)
+#auth_use_nsswitch(sandbox_x_domain)
+auth_search_pam_console_data(sandbox_x_domain)
+
+init_read_utmp(sandbox_x_domain)
+init_dontaudit_write_utmp(sandbox_x_domain)
+
+miscfiles_read_localization(sandbox_x_domain)
+miscfiles_dontaudit_setattr_fonts_dirs(sandbox_x_domain)
+
+term_getattr_pty_fs(sandbox_x_domain)
+term_use_ptmx(sandbox_x_domain)
+
+logging_send_syslog_msg(sandbox_x_domain)
+logging_dontaudit_search_logs(sandbox_x_domain)
+
+miscfiles_read_fonts(sandbox_x_domain)
+
+optional_policy(`
+ cups_stream_connect(sandbox_x_domain)
+ cups_read_rw_config(sandbox_x_domain)
+')
+
+optional_policy(`
+ gnome_read_gconf_config(sandbox_x_domain)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(sandbox_x_domain)
+')
+
+optional_policy(`
+ sssd_dontaudit_search_lib(sandbox_x_domain)
+')
+
+userdom_dontaudit_use_user_terminals(sandbox_x_domain)
+userdom_read_user_home_content_symlinks(sandbox_x_domain)
+
+#============= sandbox_x_t ==============
+files_search_home(sandbox_x_t)
+userdom_use_user_ptys(sandbox_x_t)
+
+########################################
+#
+# sandbox_x_client_t local policy
+#
+allow sandbox_x_client_t self:tcp_socket create_socket_perms;
+allow sandbox_x_client_t self:udp_socket create_socket_perms;
+allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
+allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms;
+
+dev_read_rand(sandbox_x_client_t)
+
+corenet_tcp_connect_ipp_port(sandbox_x_client_t)
+
+#auth_use_nsswitch(sandbox_x_client_t)
+
+dbus_system_bus_client(sandbox_x_client_t)
+dbus_read_config(sandbox_x_client_t)
+selinux_get_fs_mount(sandbox_x_client_t)
+selinux_validate_context(sandbox_x_client_t)
+selinux_compute_access_vector(sandbox_x_client_t)
+selinux_compute_create_context(sandbox_x_client_t)
+selinux_compute_relabel_context(sandbox_x_client_t)
+selinux_compute_user_contexts(sandbox_x_client_t)
+seutil_read_default_contexts(sandbox_x_client_t)
+
+optional_policy(`
+ hal_dbus_chat(sandbox_x_client_t)
+')
+
+########################################
+#
+# sandbox_web_client_t local policy
+#
+allow sandbox_web_client_t self:capability { setuid setgid };
+allow sandbox_web_client_t self:netlink_audit_socket nlmsg_relay;
+allow sandbox_web_client_t self:process setsched;
+
+allow sandbox_web_client_t self:tcp_socket create_socket_perms;
+allow sandbox_web_client_t self:udp_socket create_socket_perms;
+allow sandbox_web_client_t self:dbus { acquire_svc send_msg };
+allow sandbox_web_client_t self:netlink_selinux_socket create_socket_perms;
+
+dev_read_rand(sandbox_web_client_t)
+
+# Browse the web, connect to printer
+corenet_all_recvfrom_unlabeled(sandbox_web_client_t)
+corenet_all_recvfrom_netlabel(sandbox_web_client_t)
+corenet_tcp_sendrecv_all_if(sandbox_web_client_t)
+corenet_raw_sendrecv_all_if(sandbox_web_client_t)
+corenet_tcp_sendrecv_all_nodes(sandbox_web_client_t)
+corenet_raw_sendrecv_all_nodes(sandbox_web_client_t)
+corenet_tcp_sendrecv_http_port(sandbox_web_client_t)
+corenet_tcp_sendrecv_http_cache_port(sandbox_web_client_t)
+corenet_tcp_sendrecv_ftp_port(sandbox_web_client_t)
+corenet_tcp_sendrecv_ipp_port(sandbox_web_client_t)
+corenet_tcp_connect_http_port(sandbox_web_client_t)
+corenet_tcp_connect_http_cache_port(sandbox_web_client_t)
+corenet_tcp_connect_ftp_port(sandbox_web_client_t)
+corenet_tcp_connect_ipp_port(sandbox_web_client_t)
+corenet_tcp_connect_generic_port(sandbox_web_client_t)
+corenet_tcp_connect_soundd_port(sandbox_web_client_t)
+corenet_sendrecv_http_client_packets(sandbox_web_client_t)
+corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t)
+corenet_sendrecv_ftp_client_packets(sandbox_web_client_t)
+corenet_sendrecv_ipp_client_packets(sandbox_web_client_t)
+corenet_sendrecv_generic_client_packets(sandbox_web_client_t)
+# Should not need other ports
+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_client_t)
+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t)
+corenet_tcp_connect_speech_port(sandbox_web_client_t)
+
+#auth_use_nsswitch(sandbox_web_client_t)
+
+dbus_system_bus_client(sandbox_web_client_t)
+dbus_read_config(sandbox_web_client_t)
+selinux_get_fs_mount(sandbox_web_client_t)
+selinux_validate_context(sandbox_web_client_t)
+selinux_compute_access_vector(sandbox_web_client_t)
+selinux_compute_create_context(sandbox_web_client_t)
+selinux_compute_relabel_context(sandbox_web_client_t)
+selinux_compute_user_contexts(sandbox_web_client_t)
+seutil_read_default_contexts(sandbox_web_client_t)
+
+optional_policy(`
+ nsplugin_read_rw_files(sandbox_web_client_t)
+ nsplugin_rw_exec(sandbox_web_client_t)
+')
+
+optional_policy(`
+ hal_dbus_chat(sandbox_web_client_t)
+')
+
+########################################
+#
+# sandbox_net_client_t local policy
+#
+allow sandbox_net_client_t self:tcp_socket create_socket_perms;
+allow sandbox_net_client_t self:udp_socket create_socket_perms;
+allow sandbox_net_client_t self:dbus { acquire_svc send_msg };
+allow sandbox_net_client_t self:netlink_selinux_socket create_socket_perms;
+
+dev_read_rand(sandbox_net_client_t)
+
+corenet_all_recvfrom_unlabeled(sandbox_net_client_t)
+corenet_all_recvfrom_netlabel(sandbox_net_client_t)
+corenet_tcp_sendrecv_all_if(sandbox_net_client_t)
+corenet_udp_sendrecv_all_if(sandbox_net_client_t)
+corenet_tcp_sendrecv_all_nodes(sandbox_net_client_t)
+corenet_udp_sendrecv_all_nodes(sandbox_net_client_t)
+corenet_tcp_sendrecv_all_ports(sandbox_net_client_t)
+corenet_udp_sendrecv_all_ports(sandbox_net_client_t)
+corenet_tcp_connect_all_ports(sandbox_net_client_t)
+corenet_sendrecv_all_client_packets(sandbox_net_client_t)
+
+#auth_use_nsswitch(sandbox_net_client_t)
+
+dbus_system_bus_client(sandbox_net_client_t)
+dbus_read_config(sandbox_net_client_t)
+selinux_get_fs_mount(sandbox_net_client_t)
+selinux_validate_context(sandbox_net_client_t)
+selinux_compute_access_vector(sandbox_net_client_t)
+selinux_compute_create_context(sandbox_net_client_t)
+selinux_compute_relabel_context(sandbox_net_client_t)
+selinux_compute_user_contexts(sandbox_net_client_t)
+seutil_read_default_contexts(sandbox_net_client_t)
+
+optional_policy(`
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
+')
+
+optional_policy(`
+ nsplugin_read_rw_files(sandbox_web_client_t)
+ nsplugin_rw_exec(sandbox_web_client_t)
+')
+
+optional_policy(`
+ hal_dbus_chat(sandbox_net_client_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.5/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if 2009-12-04 09:43:33.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/screen.if 2009-12-22 11:38:41.000000000 -0500
@@ -141,6 +141,7 @@
userdom_create_user_pty($1_screen_t)
userdom_user_home_domtrans($1_screen_t, $3)
userdom_setattr_user_ptys($1_screen_t)
+ userdom_setattr_user_ttys($1_screen_t)
tunable_policy(`use_samba_home_dirs',`
fs_cifs_domtrans($1_screen_t, $3)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.fc serefpolicy-3.7.5/policy/modules/apps/sectoolm.fc
--- nsaserefpolicy/policy/modules/apps/sectoolm.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/sectoolm.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,6 @@
+
+/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0)
+
+/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0)
+
+/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.if serefpolicy-3.7.5/policy/modules/apps/sectoolm.if
--- nsaserefpolicy/policy/modules/apps/sectoolm.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/sectoolm.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,3 @@
+
+## <summary>policy for sectool-mechanism</summary>
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.te serefpolicy-3.7.5/policy/modules/apps/sectoolm.te
--- nsaserefpolicy/policy/modules/apps/sectoolm.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/sectoolm.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,120 @@
+
+policy_module(sectoolm,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sectoolm_t;
+type sectoolm_exec_t;
+dbus_system_domain(sectoolm_t, sectoolm_exec_t)
+
+# /var/lib files
+type sectool_var_lib_t;
+files_type(sectool_var_lib_t)
+
+# log files
+type sectool_var_log_t;
+logging_log_file(sectool_var_log_t)
+
+# tmp files
+type sectool_tmp_t;
+files_tmp_file(sectool_tmp_t)
+
+permissive sectoolm_t;
+
+########################################
+#
+# sectool local policy
+#
+
+allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
+allow sectoolm_t self:process { getcap getsched signull setsched };
+dontaudit sectoolm_t self:process { execstack execmem };
+
+allow sectoolm_t self:fifo_file rw_fifo_file_perms;
+allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto };
+
+# tmp files
+manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
+manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
+files_tmp_filetrans(sectoolm_t, sectool_tmp_t, { file dir })
+
+# var/lib files
+manage_files_pattern(sectoolm_t, sectool_var_lib_t,sectool_var_lib_t)
+manage_dirs_pattern(sectoolm_t, sectool_var_lib_t,sectool_var_lib_t)
+files_var_lib_filetrans(sectoolm_t,sectool_var_lib_t, { file dir })
+
+# log files
+manage_files_pattern(sectoolm_t, sectool_var_log_t,sectool_var_log_t)
+logging_log_filetrans(sectoolm_t,sectool_var_log_t,{ file })
+
+corecmd_exec_bin(sectoolm_t)
+corecmd_exec_shell(sectoolm_t)
+
+kernel_read_net_sysctls(sectoolm_t)
+kernel_read_network_state(sectoolm_t)
+kernel_read_kernel_sysctls(sectoolm_t)
+
+dev_read_sysfs(sectoolm_t)
+dev_read_urand(sectoolm_t)
+
+dev_getattr_all_blk_files(sectoolm_t)
+dev_getattr_all_chr_files(sectoolm_t)
+
+# selinux test
+selinux_validate_context(sectoolm_t)
+
+fs_getattr_all_fs(sectoolm_t)
+fs_list_noxattr_fs(sectoolm_t)
+
+files_getattr_all_pipes(sectoolm_t)
+files_getattr_all_sockets(sectoolm_t)
+files_read_all_files(sectoolm_t)
+files_read_all_symlinks(sectoolm_t)
+
+auth_use_nsswitch(sectoolm_t)
+
+libs_exec_ld_so(sectoolm_t)
+
+logging_send_syslog_msg(sectoolm_t)
+
+# tcp_wrappers test
+application_exec_all(sectoolm_t)
+
+domain_getattr_all_domains(sectoolm_t)
+domain_read_all_domains_state(sectoolm_t)
+
+userdom_users_dgram_send(sectoolm_t)
+userdom_dgram_send(sectoolm_t)
+userdom_manage_user_tmp_sockets(sectoolm_t)
+
+# tests related to network
+hostname_exec(sectoolm_t)
+iptables_domtrans(sectoolm_t)
+sysnet_domtrans_ifconfig(sectoolm_t)
+
+optional_policy(`
+ mount_exec(sectoolm_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(sectoolm_t)
+')
+
+# suid test using
+# rpm -Vf option
+optional_policy(`
+ prelink_domtrans(sectoolm_t)
+')
+
+optional_policy(`
+ rpm_exec(sectoolm_t)
+ rpm_append_log(sectoolm_t)
+ rpm_manage_pid_files(sectoolm_t)
+ rpm_pid_filetrans(sectoolm_t)
+ rpm_dontaudit_manage_db(sectoolm_t)
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.5/policy/modules/apps/seunshare.if
--- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-12-04 09:43:33.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/seunshare.if 2009-12-21 13:07:09.000000000 -0500
@@ -44,6 +44,8 @@
allow $1 seunshare_t:process signal_perms;
+ sandbox_transition(seunshare_t, $2)
+
ifdef(`hide_broken_symptoms', `
dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
dontaudit seunshare_t $1:udp_socket rw_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.5/policy/modules/apps/seunshare.te
--- nsaserefpolicy/policy/modules/apps/seunshare.te 2009-12-04 09:43:33.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/seunshare.te 2009-12-21 13:07:09.000000000 -0500
@@ -15,9 +15,8 @@
#
# seunshare local policy
#
-
allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
-allow seunshare_t self:process { setexec signal getcap setcap };
+allow seunshare_t self:process { fork setexec signal getcap setcap };
allow seunshare_t self:fifo_file rw_file_perms;
allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.5/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/slocate.te 2009-12-21 13:07:09.000000000 -0500
@@ -50,6 +50,7 @@
fs_getattr_all_symlinks(locate_t)
fs_list_all(locate_t)
fs_list_inotifyfs(locate_t)
+fs_read_noxattr_fs_symlinks(locate_t)
# getpwnam
auth_use_nsswitch(locate_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.7.5/policy/modules/apps/wine.fc
--- nsaserefpolicy/policy/modules/apps/wine.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/wine.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,4 +1,22 @@
-/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+
+HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.5/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/wine.if 2009-12-21 13:07:09.000000000 -0500
@@ -43,3 +43,117 @@
wine_domtrans($1)
role $2 types wine_t;
')
+
+#######################################
+## <summary>
+## The per role template for the wine module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for wine applications.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`wine_role',`
+ gen_require(`
+ type wine_exec_t;
+ ')
+
+ role $1 types wine_t;
+
+ domain_auto_trans($2, wine_exec_t, wine_t)
+ # Unrestricted inheritance from the caller.
+ allow $2 wine_t:process { noatsecure siginh rlimitinh };
+ allow wine_t $2:fd use;
+ allow wine_t $2:process { sigchld signull };
+ allow wine_t $2:unix_stream_socket connectto;
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, wine_t)
+ allow $2 wine_t:process signal_perms;
+
+ allow $2 wine_t:fd use;
+ allow $2 wine_t:shm { associate getattr };
+ allow $2 wine_t:shm { unix_read unix_write };
+ allow $2 wine_t:unix_stream_socket connectto;
+
+ # X access, Home files
+ manage_dirs_pattern($2, wine_home_t, wine_home_t)
+ manage_files_pattern($2, wine_home_t, wine_home_t)
+ manage_lnk_files_pattern($2, wine_home_t, wine_home_t)
+ relabel_dirs_pattern($2, wine_home_t, wine_home_t)
+ relabel_files_pattern($2, wine_home_t, wine_home_t)
+ relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
+')
+
+#######################################
+## <summary>
+## The role template for the wine module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for wine applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`wine_role_template',`
+ gen_require(`
+ type wine_exec_t;
+ ')
+
+ type $1_wine_t;
+ domain_type($1_wine_t)
+ domain_entry_file($1_wine_t, wine_exec_t)
+ role $2 types $1_wine_t;
+
+ userdom_unpriv_usertype($1, $1_wine_t)
+ userdom_manage_tmpfs_role($2, $1_wine_t)
+
+ domain_mmap_low_type($1_wine_t)
+ tunable_policy(`mmap_low_allowed',`
+ domain_mmap_low($1_wine_t)
+ ')
+
+ allow $1_wine_t self:process { execmem execstack };
+ allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
+ domtrans_pattern($3, wine_exec_t, $1_wine_t)
+ corecmd_bin_domtrans($1_wine_t, $1_t)
+
+ optional_policy(`
+ xserver_role($1_r, $1_wine_t)
+ ')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.5/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/wine.te 2009-12-21 13:07:09.000000000 -0500
@@ -9,20 +9,44 @@
type wine_t;
type wine_exec_t;
application_domain(wine_t, wine_exec_t)
+role system_r types wine_t;
+
+type wine_tmp_t;
+files_tmp_file(wine_tmp_t)
+ubac_constrained(wine_tmp_t)
########################################
#
# Local policy
#
-userdom_use_user_terminals(wine_t)
-
-optional_policy(`
allow wine_t self:process { execstack execmem execheap };
- unconfined_domain_noaudit(wine_t)
+allow wine_t self:fifo_file manage_fifo_file_perms;
+
+can_exec(wine_t, wine_exec_t)
+
+manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+files_tmp_filetrans(wine_t, wine_tmp_t,{ file dir })
+
+domain_mmap_low_type(wine_t)
+tunable_policy(`mmap_low_allowed',`
+ domain_mmap_low(wine_t)
+')
+
files_execmod_all_files(wine_t)
+userdom_use_user_terminals(wine_t)
+
optional_policy(`
hal_dbus_chat(wine_t)
')
+
+optional_policy(`
+ unconfined_domain(wine_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(wine_t)
+ xserver_rw_shm(wine_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.5/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/corecommands.fc 2009-12-21 13:07:09.000000000 -0500
@@ -44,15 +44,17 @@
/etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0)
/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0)
+/etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0)
+
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/etc/cron.daily/.* -- gen_context(system_u:object_r:bin_t,s0)
-/etc/cron.hourly/.* -- gen_context(system_u:object_r:bin_t,s0)
-/etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0)
-/etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.daily(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.hourly(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.weekly(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.monthly(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -144,6 +146,9 @@
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
+/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
#
# /usr
#
@@ -234,6 +239,7 @@
/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
@@ -323,3 +329,21 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
+
+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/wicd/monitor.py -- gen_context(system_u:object_r:bin_t, s0)
+
+/usr/lib(64)?/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.5/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/corecommands.if 2009-12-22 08:22:45.000000000 -0500
@@ -893,6 +893,7 @@
read_lnk_files_pattern($1, bin_t, bin_t)
can_exec($1, chroot_exec_t)
+ allow $1 self:capability sys_chroot;
')
########################################
@@ -918,6 +919,25 @@
########################################
## <summary>
+## Read all executable files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`corecmd_read_all_executables',`
+ gen_require(`
+ attribute exec_type;
+ ')
+
+ read_files_pattern($1, exec_type, exec_type)
+')
+
+########################################
+## <summary>
## Execute all executable files.
## </summary>
## <param name="domain">
@@ -973,6 +993,7 @@
type bin_t;
')
+ manage_dirs_pattern($1, bin_t, exec_type)
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.5/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/corenetwork.te.in 2009-12-21 13:07:09.000000000 -0500
@@ -65,6 +65,7 @@
type server_packet_t, packet_type, server_packet_type;
network_port(afs_bos, udp,7007,s0)
+network_port(afs_client, udp,7001,s0)
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
network_port(afs_ka, udp,7004,s0)
network_port(afs_pt, udp,7002,s0)
@@ -87,32 +88,41 @@
network_port(comsat, udp,512,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
+portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0)
network_port(dbskkd, tcp,1178,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dccm, tcp,5679,s0, udp,5679,s0)
-network_port(dhcpc, udp,68,s0)
-network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
+network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,547,s0, tcp, 547,s0)
+network_port(dhcpd, udp,67,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
+network_port(festival, tcp,1314,s0)
network_port(fingerd, tcp,79,s0)
+network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
network_port(ftp, tcp,21,s0)
network_port(ftp_data, tcp,20,s0)
+network_port(ftps, tcp,990,s0, udp,990,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
network_port(giftd, tcp,1213,s0)
+network_port(git, tcp,9418,s0, udp,9418,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hddtemp, tcp,7634,s0)
-network_port(howl, tcp,5335,s0, udp,5353,s0)
+network_port(howl, tcp,5353,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
+portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0)
+network_port(chronyd, udp,323,s0)
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
network_port(innd, tcp,119,s0)
network_port(ipmi, udp,623,s0, udp,664,s0)
network_port(ipp, tcp,631,s0, udp,631,s0)
+portcon tcp 8610-8614 gen_context(system_u:object_r:ipp_port_t, s0)
+portcon udp 8610-8614 gen_context(system_u:object_r:ipp_port_t, s0)
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
network_port(ircd, tcp,6667,s0)
network_port(isakmp, udp,500,s0)
@@ -129,7 +139,7 @@
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
network_port(lmtp, tcp,24,s0, udp,24,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
-network_port(mail, tcp,2000,s0)
+network_port(mail, tcp,2000,s0, tcp,3905,s0)
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
@@ -138,21 +148,29 @@
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
network_port(nessus, tcp,1241,s0)
-network_port(netsupport, tcp,5405,s0, udp,5405,s0)
+network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
network_port(ntp, udp,123,s0)
+network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0)
network_port(ocsp, tcp,9080,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pingd, tcp,9125,s0)
+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0)
+network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0)
+network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0)
+network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0)
+network_port(pki_ra, tcp, 12888, s0, tcp, 12889, s0)
+network_port(pki_tps, tcp, 7888, s0, tcp, 7889, s0)
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
network_port(postgrey, tcp,60000,s0)
network_port(prelude, tcp,4690,s0, udp,4690,s0)
+network_port(presence, tcp,5298,s0, udp,5298,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
@@ -172,30 +190,38 @@
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0)
network_port(sap, tcp,9875,s0, udp,9875,s0)
+network_port(sieve, tcp,4190,s0)
network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
+network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
network_port(spamd, tcp,783,s0)
network_port(speech, tcp,8036,s0)
network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
network_port(ssh, tcp,22,s0)
+network_port(streaming, tcp, 1755, s0, udp, 1755, s0)
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
network_port(swat, tcp,901,s0)
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
+network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0)
network_port(transproxy, tcp,8081,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
+network_port(ups, tcp,3493,s0)
network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
+network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
+network_port(virt_migration, tcp,49152,s0)
+portcon tcp 49153-49216 gen_context(system_u:object_r:virt_migration_port_t,s0)
network_port(vnc, tcp,5900,s0)
+# Reserve 100 ports for vnc/virt machines
+portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t,s0)
network_port(wccp, udp,2048,s0)
-network_port(whois, tcp,43,s0, udp,43,s0)
+network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
@@ -224,6 +250,8 @@
type node_t, node_type;
sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
+typealias node_t alias { compat_ipv4_node_t lo_node_t link_local_node_t inaddr_any_node_t unspec_node_t };
+
# network_node examples:
#network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.5/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-11-20 10:51:41.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/devices.fc 2009-12-21 13:07:09.000000000 -0500
@@ -16,13 +16,16 @@
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0)
/dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/etherd/.+ -c gen_context(system_u:object_r:lvm_control_t,s0)
/dev/event.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.5/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/devices.if 2009-12-21 13:07:09.000000000 -0500
@@ -801,6 +801,24 @@
########################################
## <summary>
+## Dontaudit write on all block file device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_write_all_blk_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ dontaudit $1 device_node:blk_file write;
+')
+
+########################################
+## <summary>
## Dontaudit read on all character file device nodes.
## </summary>
## <param name="domain">
@@ -819,6 +837,24 @@
########################################
## <summary>
+## Dontaudit write on all character file device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_write_all_chr_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ dontaudit $1 device_node:chr_file write;
+')
+
+########################################
+## <summary>
## Create all block device files.
## </summary>
## <param name="domain">
@@ -1999,6 +2035,24 @@
########################################
## <summary>
+## dontaudit getattr raw memory devices (e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_read_memory_dev',`
+ gen_require(`
+ type memory_device_t;
+ ')
+
+ dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
## Read raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.5/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/kernel/domain.if 2009-12-21 13:07:09.000000000 -0500
@@ -44,34 +44,6 @@
interface(`domain_type',`
# start with basic domain
domain_base_type($1)
-
- ifdef(`distro_redhat',`
- optional_policy(`
- unconfined_use_fds($1)
- ')
- ')
-
- # send init a sigchld and signull
- optional_policy(`
- init_sigchld($1)
- init_signull($1)
- ')
-
- # these seem questionable:
-
- optional_policy(`
- rpm_use_fds($1)
- rpm_read_pipes($1)
- ')
-
- optional_policy(`
- selinux_dontaudit_getattr_fs($1)
- selinux_dontaudit_read_fs($1)
- ')
-
- optional_policy(`
- seutil_dontaudit_read_config($1)
- ')
')
########################################
@@ -746,10 +718,6 @@
dontaudit $1 domain:dir list_dir_perms;
dontaudit $1 domain:lnk_file read_lnk_file_perms;
dontaudit $1 domain:file read_file_perms;
-
- # cjp: these should be removed:
- dontaudit $1 domain:sock_file read_sock_file_perms;
- dontaudit $1 domain:fifo_file read_fifo_file_perms;
')
########################################
@@ -791,6 +759,24 @@
########################################
## <summary>
+## Get the scheduler information of all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_getsched_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:process getsched;
+')
+
+########################################
+## <summary>
## Do not audit attempts to get the
## session ID of all domains.
## </summary>
@@ -1039,6 +1025,54 @@
########################################
## <summary>
+## Get the attributes
+## of all domains unix datagram sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_getattr_all_stream_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:unix_stream_socket getattr;
+')
+
+########################################
+## <summary>
+## Get the attributes of all domains
+## unnamed pipes.
+## </summary>
+## <desc>
+## <p>
+## Get the attributes of all domains
+## unnamed pipes.
+## </p>
+## <p>
+## This is commonly used for domains
+## that can use lsof on all domains.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_getattr_all_pipes',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:fifo_file getattr;
+')
+
+########################################
+## <summary>
## Do not audit attempts to get the attributes
## of all domains unnamed pipes.
## </summary>
@@ -1248,18 +1282,34 @@
## </summary>
## </param>
#
-interface(`domain_mmap_low',`
+interface(`domain_mmap_low_type',`
gen_require(`
attribute mmap_low_domain_type;
')
- allow $1 self:memprotect mmap_zero;
-
typeattribute $1 mmap_low_domain_type;
')
########################################
## <summary>
+## Ability to mmap a low area of the address space,
+## as configured by /proc/sys/kernel/mmap_min_addr.
+## Preventing such mappings helps protect against
+## exploiting null deref bugs in the kernel.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to mmap low memory.
+## </summary>
+## </param>
+#
+interface(`domain_mmap_low',`
+
+ allow $1 self:memprotect mmap_zero;
+')
+
+########################################
+## <summary>
## Allow specified type to receive labeled
## networking packets from all domains, over
## all protocols (TCP, UDP, etc)
@@ -1280,6 +1330,24 @@
########################################
## <summary>
+## Polyinstatiated access to domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_poly',`
+ gen_require(`
+ attribute polydomain;
+ ')
+
+ typeattribute $1 polydomain;
+')
+
+########################################
+## <summary>
## Unconfined access to domains.
## </summary>
## <param name="domain">
@@ -1304,3 +1372,39 @@
typeattribute $1 process_uncond_exempt;
')
+########################################
+## <summary>
+## Send generic signals to the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_unconfined_signal',`
+ gen_require(`
+ attribute unconfined_domain_type;
+ ')
+
+ allow $1 unconfined_domain_type:process signal;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## all leaked sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_leaks',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:socket_class_set { read write };
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.5/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/kernel/domain.te 2009-12-21 13:07:09.000000000 -0500
@@ -5,6 +5,13 @@
#
# Declarations
#
+## <desc>
+## <p>
+## Allow all domains to use other domains file descriptors
+## </p>
+## </desc>
+#
+gen_tunable(allow_domain_fd_use, true)
# Mark process types as domains
attribute domain;
@@ -15,6 +22,8 @@
# Domains that are unconfined
attribute unconfined_domain_type;
+attribute polydomain;
+
# Domains that can mmap low memory.
attribute mmap_low_domain_type;
neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
@@ -80,6 +89,8 @@
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
+kernel_read_crypto_sysctls(domain)
+
# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
@@ -97,6 +108,9 @@
# list the root directory
files_list_root(domain)
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
+
tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
# this should be enabled when all programs
@@ -106,6 +120,10 @@
')
optional_policy(`
+ afs_rw_cache(domain)
+')
+
+optional_policy(`
libs_use_ld_so(domain)
libs_use_shared_libs(domain)
')
@@ -118,6 +136,7 @@
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
+ xserver_dontaudit_append_xdm_home_files(domain)
')
########################################
@@ -136,6 +155,8 @@
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
+allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
+
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
@@ -153,3 +174,73 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
+
+selinux_getattr_fs(domain)
+selinux_search_fs(domain)
+selinux_dontaudit_read_fs(domain)
+
+seutil_dontaudit_read_config(domain)
+
+init_sigchld(domain)
+init_signull(domain)
+
+ifdef(`distro_redhat',`
+ files_search_mnt(domain)
+ files_search_default(domain)
+ optional_policy(`
+ unconfined_use_fds(domain)
+ ')
+')
+
+# these seem questionable:
+
+optional_policy(`
+ abrt_domtrans_helper(domain)
+ abrt_read_pid_files(domain)
+ abrt_read_state(domain)
+ abrt_signull(domain)
+')
+
+optional_policy(`
+ rpm_use_fds(domain)
+ rpm_read_pipes(domain)
+ rpm_dontaudit_leaks(domain)
+ rpm_read_script_tmp_files(domain)
+')
+
+
+tunable_policy(`allow_domain_fd_use',`
+ # Allow all domains to use fds past to them
+ allow domain domain:fd use;
+')
+
+optional_policy(`
+ cron_dontaudit_write_system_job_tmp_files(domain)
+ cron_rw_pipes(domain)
+ cron_rw_system_job_pipes(domain)
+
+ifdef(`hide_broken_symptoms',`
+ dontaudit domain self:udp_socket listen;
+ allow domain domain:key { link search };
+')
+')
+
+optional_policy(`
+ ssh_rw_pipes(domain)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(domain)
+ unconfined_sigchld(domain)
+')
+
+# broken kernel
+dontaudit can_change_object_identity can_change_object_identity:key link;
+
+tunable_policy(`allow_polyinstantiation',`
+ files_polyinstantiate_all(polydomain)
+ userdom_manage_user_home_content_dirs(polydomain)
+ userdom_manage_user_home_content_files(polydomain)
+ userdom_relabelto_user_home_dirs(polydomain)
+ userdom_relabelto_user_home_files(polydomain)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.5/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/kernel/files.fc 2009-12-21 13:07:09.000000000 -0500
@@ -18,6 +18,7 @@
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
/poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
ifdef(`distro_suse',`
@@ -48,11 +49,13 @@
/etc/.* gen_context(system_u:object_r:etc_t,s0)
/etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/cmtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/issue -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -229,6 +232,8 @@
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.5/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/files.if 2009-12-21 13:07:09.000000000 -0500
@@ -932,10 +932,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
- # this is only relabelfrom since there should be no
- # device nodes with file types.
- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
@@ -1431,6 +1429,24 @@
########################################
## <summary>
+## Remove file entries from the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_root_file',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:file unlink;
+')
+
+########################################
+## <summary>
## Remove entries from the root directory.
## </summary>
## <param name="domain">
@@ -2107,6 +2123,8 @@
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
+ files_read_etc_runtime_files($1)
+ files_read_config_files($1)
')
########################################
@@ -2189,6 +2207,24 @@
########################################
## <summary>
+## Remove entries from the etc directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_etc_dir_entry',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir del_entry_dir_perms;
+')
+
+########################################
+## <summary>
## Execute generic files in /etc.
## </summary>
## <param name="domain">
@@ -2594,6 +2630,11 @@
')
delete_files_pattern($1, file_t, file_t)
+ delete_lnk_files_pattern($1, file_t, file_t)
+ delete_fifo_files_pattern($1, file_t, file_t)
+ delete_sock_files_pattern($1, file_t, file_t)
+ delete_blk_files_pattern($1, file_t, file_t)
+ delete_chr_files_pattern($1, file_t, file_t)
')
########################################
@@ -3496,6 +3537,32 @@
########################################
## <summary>
+## Allow shared library text relocations in tmp files.
+## </summary>
+## <desc>
+## <p>
+## Allow shared library text relocations in tmp files.
+## </p>
+## <p>
+## This is added to support java policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_execmod_tmp',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+ allow $1 tmpfile:file execmod;
+')
+
+########################################
+## <summary>
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
@@ -3709,6 +3776,8 @@
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
+ files_delete_isid_type_dirs($1)
+ files_delete_isid_type_files($1)
')
########################################
@@ -3817,7 +3886,12 @@
type usr_t;
')
- allow $1 usr_t:file delete_file_perms;
+ delete_files_pattern($1, usr_t, usr_t)
+ delete_lnk_files_pattern($1, usr_t, usr_t)
+ delete_fifo_files_pattern($1, usr_t, usr_t)
+ delete_sock_files_pattern($1, usr_t, usr_t)
+ delete_blk_files_pattern($1, usr_t, usr_t)
+ delete_chr_files_pattern($1, usr_t, usr_t)
')
########################################
@@ -3856,6 +3930,7 @@
allow $1 usr_t:dir list_dir_perms;
read_files_pattern($1, usr_t, usr_t)
read_lnk_files_pattern($1, usr_t, usr_t)
+ files_read_usr_src_files($1)
')
########################################
@@ -3880,6 +3955,24 @@
########################################
## <summary>
+## dontaudit write of /usr dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_write_usr_dirs',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ dontaudit $1 usr_t:dir write;
+')
+
+########################################
+## <summary>
## dontaudit write of /usr files
## </summary>
## <param name="domain">
@@ -4500,6 +4593,24 @@
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
+########################################
+## <summary>
+## Search the /var/log directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_var_log',`
+ gen_require(`
+ type var_t, var_log_t;
+ ')
+
+ search_dirs_pattern($1, var_t, var_log_t)
+')
+
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
@@ -4772,6 +4883,25 @@
search_dirs_pattern($1, var_t, var_run_t)
')
+#######################################
+## <summary>
+## Create generic pid directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_var_run_dirs',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:dir create_dir_perms;
+')
+
########################################
## <summary>
## Do not audit attempts to search
@@ -4880,6 +5010,24 @@
########################################
## <summary>
+## Do not audit attempts to getattr daemon runtime data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ dontaudit $1 pidfile:file getattr;
+')
+
+########################################
+## <summary>
## Do not audit attempts to write to daemon runtime data files.
## </summary>
## <param name="domain">
@@ -5001,6 +5149,24 @@
########################################
## <summary>
+## Set the attributes of the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_pid_dirs',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ allow $1 var_run_t:dir setattr;
+')
+
+########################################
+## <summary>
## Search the contents of generic spool
## directories (/var/spool).
## </summary>
@@ -5189,12 +5355,15 @@
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
+ fs_mount_tmpfs($1)
+ fs_unmount_tmpfs($1)
+
ifdef(`distro_redhat',`
# namespace.init
+ files_search_tmp($1)
files_search_home($1)
corecmd_exec_bin($1)
seutil_domtrans_setfiles($1)
- mount_domtrans($1)
')
')
@@ -5215,3 +5384,192 @@
typeattribute $1 files_unconfined_type;
')
+
+########################################
+## <summary>
+## Create a core files in /
+## </summary>
+## <desc>
+## <p>
+## Create a core file in /,
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_dump_core',`
+ gen_require(`
+ type root_t;
+ ')
+
+ manage_files_pattern($1, root_t, root_t)
+')
+
+########################################
+## <summary>
+## Create a default directory in /
+## </summary>
+## <desc>
+## <p>
+## Create a default_t direcrory in /
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_create_default_dir',`
+ gen_require(`
+ type root_t, default_t;
+ ')
+
+ allow $1 default_t:dir create;
+ filetrans_pattern($1, root_t, default_t, dir)
+')
+
+########################################
+## <summary>
+## manage generic symbolic links
+## in the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_generic_pids_symlinks',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ manage_lnk_files_pattern($1,var_run_t,var_run_t)
+')
+
+########################################
+## <summary>
+## manage generic symbolic links
+## in the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_boot',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:blk_file manage_blk_file_perms;
+ allow $1 root_t:chr_file manage_chr_file_perms;
+ manage_dirs_pattern($1, root_t, root_t)
+ manage_files_pattern($1, root_t, root_t)
+ manage_lnk_files_pattern($1, root_t, root_t)
+ can_exec(kernel_t, root_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to getattr
+## all tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_tmpfs_files',`
+ gen_require(`
+ attribute tmpfsfile;
+ ')
+
+ allow $1 tmpfsfile:file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read security files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_read_security_files',`
+ gen_require(`
+ attribute security_file_type;
+ ')
+
+ dontaudit $1 security_file_type:file read_file_perms;
+')
+
+########################################
+## <summary>
+## rw any files inherited from another process
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_rw_all_inherited_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 { file_type $2 }:dir search_dir_perms;
+ allow $1 { file_type $2 }:file { getattr read write append lock };
+ allow $1 { file_type $2 }:fifo_file { getattr read write append ioctl lock };
+ allow $1 { file_type $2 }:sock_file { getattr read write append ioctl lock };
+ allow $1 { file_type $2 }:chr_file { getattr read write append ioctl lock };
+')
+
+########################################
+## <summary>
+## Allow any file point to be the entrypoint of this domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_entrypoint_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+ allow $1 file_type:file entrypoint;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to rw inherited file perms
+## of non security files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_all_non_security_leaks',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.5/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/files.te 2009-12-21 13:07:09.000000000 -0500
@@ -12,6 +12,7 @@
attribute mountpoint;
attribute pidfile;
attribute configfile;
+attribute etcfile;
# For labeling types that are to be polyinstantiated
attribute polydir;
@@ -43,6 +44,7 @@
#
type boot_t;
files_mountpoint(boot_t)
+dev_node(boot_t)
# default_t is the default type for files that do not
# match any specification in the file_contexts configuration
@@ -194,6 +196,7 @@
fs_associate_noxattr(file_type)
fs_associate_tmpfs(file_type)
fs_associate_ramfs(file_type)
+fs_associate_hugetlbfs(file_type)
########################################
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.5/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/filesystem.if 2009-12-22 10:30:40.000000000 -0500
@@ -906,7 +906,7 @@
type cifs_t;
')
- dontaudit $1 cifs_t:file { read write };
+ dontaudit $1 cifs_t:file rw_inherited_file_perms;
')
########################################
@@ -2047,7 +2047,7 @@
type nfs_t;
')
- dontaudit $1 nfs_t:file rw_file_perms;
+ dontaudit $1 nfs_t:file rw_inherited_file_perms;
')
########################################
@@ -2069,6 +2069,25 @@
read_lnk_files_pattern($1, nfs_t, nfs_t)
')
+########################################
+## <summary>
+## Dontaudit read symbolic links on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_read_nfs_symlinks',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, nfs_t, nfs_t)
+')
+
#########################################
## <summary>
## Read named sockets on a NFS filesystem.
@@ -4181,3 +4200,216 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
+
+########################################
+## <summary>
+## Search dirs on cgroup
+## file systems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_search_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ allow $1 cgroup_t:dir search;
+')
+
+########################################
+## <summary>
+## list dirs on cgroup
+## file systems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_list_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ list_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read
+## dirs on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_list_cifs_dirs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## create dirs on cgroup
+## file systems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_create_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ create_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
+## Manage dirs on cgroup file systems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_cgroup_dirs',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+ manage_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
+## Read and write files on cgroup
+## file systems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_rw_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ rw_files_pattern($1, cgroup_t, cgroup_t)
+')
+########################################
+## <summary>
+## Mount a cgroup filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mount_cgroup_fs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Remount a cgroup filesystem This allows
+## some mount options to be changed.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_remount_cgroup_fs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:filesystem remount;
+')
+
+########################################
+## <summary>
+## Unmount a cgroup file system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_unmount_cgroup_fs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Set attributes of files on cgroup
+## file systems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_setattr_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ setattr_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_cgroup_dirs($1)
+')
+
+########################################
+## <summary>
+## Write files on cgroup
+## file systems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_write_cgroup_files', `
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ write_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_cgroup_dirs($1)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.5/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/filesystem.te 2009-12-21 13:07:09.000000000 -0500
@@ -29,6 +29,7 @@
fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
@@ -93,6 +94,8 @@
type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
+files_type(hugetlbfs_t)
+files_poly_parent(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
type ibmasmfs_t;
@@ -171,6 +174,7 @@
fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
+fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);
allow tmpfs_t noxattrfs:filesystem associate;
@@ -205,6 +209,7 @@
#
type dosfs_t;
fs_noxattr_type(dosfs_t)
+files_mountpoint(dosfs_t)
allow dosfs_t fs_t:filesystem associate;
genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0)
@@ -216,6 +221,7 @@
type fusefs_t;
fs_noxattr_type(fusefs_t)
+files_mountpoint(fusefs_t)
allow fusefs_t self:filesystem associate;
allow fusefs_t fs_t:filesystem associate;
genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
@@ -228,6 +234,7 @@
#
type iso9660_t;
fs_noxattr_type(iso9660_t)
+files_mountpoint(iso9660_t)
genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0)
genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
@@ -238,6 +245,7 @@
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
files_type(removable_t)
+files_mountpoint(removable_t)
#
# nfs_t is the default type for NFS file systems
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.5/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/kernel.if 2009-12-21 13:07:09.000000000 -0500
@@ -1849,7 +1849,7 @@
')
dontaudit $1 sysctl_type:dir list_dir_perms;
- dontaudit $1 sysctl_type:file getattr;
+ dontaudit $1 sysctl_type:file read_file_perms;
')
########################################
@@ -1920,6 +1920,25 @@
########################################
## <summary>
+## Mount a kernel unlabeled filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the domain mounting the filesystem.
+## </summary>
+## </param>
+#
+interface(`kernel_mount_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:filesystem mount;
+')
+
+
+########################################
+## <summary>
## Send general signals to unlabeled processes.
## </summary>
## <param name="domain">
@@ -2663,6 +2682,24 @@
########################################
## <summary>
+## Relabel to unlabeled context .
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_relabelto_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir_file_class_set relabelto;
+')
+
+########################################
+## <summary>
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
@@ -2678,3 +2715,22 @@
typeattribute $1 kern_unconfined;
')
+
+########################################
+## <summary>
+## Allow the specified domain to connect to
+## the kernel with a unix socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_stream_connect',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:unix_stream_socket connectto;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.5/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/kernel.te 2009-12-21 13:07:09.000000000 -0500
@@ -64,6 +64,15 @@
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
#
+# infinibandeventfs fs
+#
+
+type infinibandeventfs_t;
+fs_type(infinibandeventfs_t)
+allow infinibandeventfs_t self:filesystem associate;
+genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0)
+
+#
# kvmFS
#
@@ -166,6 +175,7 @@
#
type unlabeled_t;
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+fs_associate(unlabeled_t)
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -256,7 +266,8 @@
selinux_load_policy(kernel_t)
-term_use_console(kernel_t)
+term_use_all_terms(kernel_t)
+term_use_ptmx(kernel_t)
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
@@ -270,6 +281,8 @@
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
+files_manage_mounttab(kernel_t)
+files_manage_generic_spool_dirs(kernel_t)
mcs_process_set_categories(kernel_t)
@@ -277,12 +290,18 @@
mls_process_write_down(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
+mls_socket_write_all_levels(kernel_t)
+mls_fd_share_all_levels(kernel_t)
+
+logging_manage_generic_logs(kernel_t)
ifdef(`distro_redhat',`
# Bugzilla 222337
fs_rw_tmpfs_chr_files(kernel_t)
')
+userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
+
optional_policy(`
hotplug_search_config(kernel_t)
')
@@ -359,6 +378,10 @@
unconfined_domain_noaudit(kernel_t)
')
+optional_policy(`
+ xserver_xdm_manage_spool(kernel_t)
+')
+
########################################
#
# Unlabeled process local policy
@@ -388,3 +411,5 @@
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
+
+files_boot(kernel_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.5/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/kernel/selinux.if 2009-12-21 13:07:09.000000000 -0500
@@ -40,7 +40,7 @@
# because of this statement, any module which
# calls this interface must be in the base module:
- genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
+# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
')
########################################
@@ -202,6 +202,7 @@
type security_t;
')
+ selinux_dontaudit_getattr_fs($1)
dontaudit $1 security_t:dir search_dir_perms;
dontaudit $1 security_t:file read_file_perms;
')
@@ -223,6 +224,7 @@
type security_t;
')
+ selinux_get_fs_mount($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file read_file_perms;
')
@@ -404,6 +406,7 @@
')
allow $1 security_t:dir list_dir_perms;
+ allow $1 boolean_type:dir list_dir_perms;
allow $1 boolean_type:file rw_file_perms;
if(!secure_mode_policyload) {
@@ -622,3 +625,23 @@
typeattribute $1 selinux_unconfined_type;
')
+
+########################################
+## <summary>
+## Generate a file context for a boolean type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`selinux_genbool',`
+ gen_require(`
+ attribute boolean_type;
+ ')
+
+ type $1, boolean_type;
+ fs_type($1)
+ mls_trusted_object($1)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.5/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2009-11-20 10:51:41.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/storage.fc 2009-12-21 13:07:09.000000000 -0500
@@ -14,6 +14,7 @@
/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/etherd/.+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.5/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/storage.if 2009-12-21 13:07:09.000000000 -0500
@@ -304,6 +304,7 @@
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms;
+ dontaudit $1 fixed_disk_device_t:lnk_file relabelto_lnk_file_perms;
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.5/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/terminal.if 2009-12-21 13:07:09.000000000 -0500
@@ -273,9 +273,11 @@
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
+ type tty_device_t;
')
dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
')
########################################
@@ -811,7 +813,26 @@
attribute ptynode;
')
- dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
+ dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read any
+## server ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_use_all_server_ptys',`
+ gen_require(`
+ attribute ptynode;
+ ')
+
+ dontaudit $1 server_ptynode:chr_file { rw_inherited_term_perms lock append };
')
########################################
@@ -1028,10 +1049,12 @@
interface(`term_use_unallocated_ttys',`
gen_require(`
type tty_device_t;
+ type console_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file rw_chr_file_perms;
+ allow $1 console_device_t:chr_file rw_chr_file_perms;
')
########################################
@@ -1048,8 +1071,10 @@
interface(`term_dontaudit_use_unallocated_ttys',`
gen_require(`
type tty_device_t;
+ type console_device_t;
')
+ dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.5/policy/modules/roles/guest.te
--- nsaserefpolicy/policy/modules/roles/guest.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/roles/guest.te 2009-12-21 13:07:09.000000000 -0500
@@ -16,7 +16,11 @@
#
optional_policy(`
- java_role(guest_r, guest_t)
+ java_role_template(guest, guest_r, guest_t)
')
-#gen_user(guest_u,, guest_r, s0, s0)
+optional_policy(`
+ mono_role_template(guest, guest_r, guest_t)
+')
+
+gen_user(guest_u, user, guest_r, s0, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.5/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/roles/staff.te 2009-12-21 13:07:09.000000000 -0500
@@ -10,161 +10,121 @@
userdom_unpriv_user_template(staff)
+# needed for sandbox
+allow staff_t self:process setexec;
+
########################################
#
# Local policy
#
-optional_policy(`
- apache_role(staff_r, staff_t)
-')
-
-optional_policy(`
- auth_role(staff_r, staff_t)
-')
-
-optional_policy(`
- auditadm_role_change(staff_r)
-')
-
-optional_policy(`
- bluetooth_role(staff_r, staff_t)
-')
-
-optional_policy(`
- cdrecord_role(staff_r, staff_t)
-')
-
-optional_policy(`
- cron_role(staff_r, staff_t)
-')
-
-optional_policy(`
- dbus_role_template(staff, staff_r, staff_t)
-')
+kernel_read_ring_buffer(staff_t)
+kernel_getattr_core_if(staff_t)
+kernel_getattr_message_if(staff_t)
+kernel_read_software_raid_state(staff_t)
-optional_policy(`
- ethereal_role(staff_r, staff_t)
-')
+auth_domtrans_pam_console(staff_t)
-optional_policy(`
- evolution_role(staff_r, staff_t)
-')
+seutil_run_newrole(staff_t, staff_r)
+netutils_run_ping(staff_t, staff_r)
optional_policy(`
- games_role(staff_r, staff_t)
-')
-
-optional_policy(`
- gift_role(staff_r, staff_t)
+ auditadm_role_change(staff_r)
')
optional_policy(`
- gnome_role(staff_r, staff_t)
+ kerneloops_manage_tmp_files(staff_t)
')
optional_policy(`
- gpg_role(staff_r, staff_t)
+ logadm_role_change(staff_r)
')
optional_policy(`
- irc_role(staff_r, staff_t)
+ postgresql_role(staff_r, staff_t)
')
optional_policy(`
- java_role(staff_r, staff_t)
+ rtkit_daemon_system_domain(staff_t)
')
optional_policy(`
- lockdev_role(staff_r, staff_t)
+ secadm_role_change(staff_r)
')
optional_policy(`
- lpd_role(staff_r, staff_t)
+ ssh_role_template(staff, staff_r, staff_t)
')
optional_policy(`
- mozilla_role(staff_r, staff_t)
+ sudo_role_template(staff, staff_r, staff_t)
')
optional_policy(`
- mplayer_role(staff_r, staff_t)
+ sysadm_role_change(staff_r)
')
optional_policy(`
- mta_role(staff_r, staff_t)
+ usernetctl_run(staff_t, staff_r)
')
optional_policy(`
- oident_manage_user_content(staff_t)
- oident_relabel_user_content(staff_t)
+ unconfined_role_change(staff_r)
')
optional_policy(`
- pyzor_role(staff_r, staff_t)
+ webadm_role_change(staff_r)
')
-optional_policy(`
- razor_role(staff_r, staff_t)
-')
+domain_read_all_domains_state(staff_t)
+domain_getattr_all_domains(staff_t)
+domain_obj_id_change_exemption(staff_t)
-optional_policy(`
- rssh_role(staff_r, staff_t)
-')
+files_read_kernel_modules(staff_t)
-optional_policy(`
- screen_role_template(staff, staff_r, staff_t)
-')
+kernel_read_fs_sysctls(staff_t)
-optional_policy(`
- secadm_role_change(staff_r)
-')
+modutils_read_module_config(staff_t)
+modutils_read_module_deps(staff_t)
-optional_policy(`
- spamassassin_role(staff_r, staff_t)
-')
+miscfiles_read_hwdata(staff_t)
-optional_policy(`
- ssh_role_template(staff, staff_r, staff_t)
-')
+term_use_unallocated_ttys(staff_t)
optional_policy(`
- su_role_template(staff, staff_r, staff_t)
+ gnomeclock_dbus_chat(staff_t)
')
optional_policy(`
- sudo_role_template(staff, staff_r, staff_t)
-')
-
-optional_policy(`
- sysadm_role_change(staff_r)
- userdom_dontaudit_use_user_terminals(staff_t)
+ firewallgui_dbus_chat(staff_t)
')
optional_policy(`
- thunderbird_role(staff_r, staff_t)
+ lpd_list_spool(staff_t)
')
optional_policy(`
- tvtime_role(staff_r, staff_t)
+ kerneloops_dbus_chat(staff_t)
')
optional_policy(`
- uml_role(staff_r, staff_t)
+ rpm_dbus_chat(staff_usertype)
')
optional_policy(`
- userhelper_role_template(staff, staff_r, staff_t)
+ sandbox_transition(staff_t, staff_r)
')
optional_policy(`
- vmware_role(staff_r, staff_t)
+ screen_role_template(staff, staff_r, staff_t)
')
optional_policy(`
- wireshark_role(staff_r, staff_t)
+ setroubleshoot_stream_connect(staff_t)
+ setroubleshoot_dbus_chat(staff_t)
+ setroubleshoot_dbus_chat_fixit(staff_t)
')
optional_policy(`
- xserver_role(staff_r, staff_t)
+ virt_stream_connect(staff_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.5/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/roles/sysadm.te 2009-12-21 13:07:09.000000000 -0500
@@ -15,7 +15,7 @@
role sysadm_r;
-userdom_admin_user_template(sysadm)
+userdom_admin_login_user_template(sysadm)
ifndef(`enable_mls',`
userdom_security_admin_template(sysadm_t, sysadm_r)
@@ -35,10 +35,13 @@
ubac_fd_exempt(sysadm_t)
init_exec(sysadm_t)
+init_exec_script_files(sysadm_t)
# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
+userdom_manage_user_tmp_chr_files(sysadm_t)
+userdom_manage_user_tmp_blk_files(sysadm_t)
ifdef(`direct_sysadm_daemon',`
optional_policy(`
@@ -70,7 +73,6 @@
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
- apache_role(sysadm_r, sysadm_t)
')
optional_policy(`
@@ -87,10 +89,6 @@
')
optional_policy(`
- auth_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
backup_run(sysadm_t, sysadm_r)
')
@@ -99,15 +97,11 @@
')
optional_policy(`
- bluetooth_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
bootloader_run(sysadm_t, sysadm_r)
')
optional_policy(`
- cdrecord_role(sysadm_r, sysadm_t)
+ certmonger_dbus_chat(sysadm_t)
')
optional_policy(`
@@ -127,7 +121,7 @@
')
optional_policy(`
- cron_admin_role(sysadm_r, sysadm_t)
+ su_exec(sysadm_t)
')
optional_policy(`
@@ -135,10 +129,6 @@
')
optional_policy(`
- dbus_role_template(sysadm, sysadm_r, sysadm_t)
-')
-
-optional_policy(`
dcc_run_cdcc(sysadm_t, sysadm_r)
dcc_run_client(sysadm_t, sysadm_r)
dcc_run_dbclean(sysadm_t, sysadm_r)
@@ -166,10 +156,6 @@
')
optional_policy(`
- evolution_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
firstboot_run(sysadm_t, sysadm_r)
')
@@ -178,22 +164,6 @@
')
optional_policy(`
- games_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
- gift_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
- gnome_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
- gpg_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
hostname_run(sysadm_t, sysadm_r)
')
@@ -205,6 +175,9 @@
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
+ ipsec_run_setkey(sysadm_t, sysadm_r)
+ ipsec_run_racoon(sysadm_t, sysadm_r)
+ ipsec_stream_connect_racoon(sysadm_t)
')
optional_policy(`
@@ -212,11 +185,7 @@
')
optional_policy(`
- irc_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
- java_role(sysadm_r, sysadm_t)
+ kerberos_exec_kadmind(sysadm_t)
')
optional_policy(`
@@ -228,10 +197,6 @@
')
optional_policy(`
- lockdev_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
logrotate_run(sysadm_t, sysadm_r)
')
@@ -255,14 +220,6 @@
')
optional_policy(`
- mozilla_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
- mplayer_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
mta_role(sysadm_r, sysadm_t)
')
@@ -290,11 +247,6 @@
')
optional_policy(`
- oident_manage_user_content(sysadm_t)
- oident_relabel_user_content(sysadm_t)
-')
-
-optional_policy(`
pcmcia_run_cardctl(sysadm_t, sysadm_r)
')
@@ -308,7 +260,7 @@
')
optional_policy(`
- pyzor_role(sysadm_r, sysadm_t)
+ prelink_run(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -320,10 +272,6 @@
')
optional_policy(`
- razor_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
rpc_domtrans_nfsd(sysadm_t)
')
@@ -332,10 +280,6 @@
')
optional_policy(`
- rssh_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
rsync_exec(sysadm_t)
')
@@ -345,10 +289,6 @@
')
optional_policy(`
- screen_role_template(sysadm, sysadm_r, sysadm_t)
-')
-
-optional_policy(`
secadm_role_change(sysadm_r)
')
@@ -358,35 +298,15 @@
')
optional_policy(`
- spamassassin_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
- ssh_role_template(sysadm, sysadm_r, sysadm_t)
-')
-
-optional_policy(`
staff_role_change(sysadm_r)
')
optional_policy(`
- su_role_template(sysadm, sysadm_r, sysadm_t)
-')
-
-optional_policy(`
- sudo_role_template(sysadm, sysadm_r, sysadm_t)
-')
-
-optional_policy(`
sysnet_run_ifconfig(sysadm_t, sysadm_r)
sysnet_run_dhcpc(sysadm_t, sysadm_r)
')
optional_policy(`
- thunderbird_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
@@ -394,18 +314,10 @@
')
optional_policy(`
- tvtime_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
tzdata_domtrans(sysadm_t)
')
optional_policy(`
- uml_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
unconfined_domtrans(sysadm_t)
')
@@ -418,17 +330,13 @@
')
optional_policy(`
- userhelper_role_template(sysadm, sysadm_r, sysadm_t)
-')
-
-optional_policy(`
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
')
optional_policy(`
- vmware_role(sysadm_r, sysadm_t)
+ vpn_run(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -440,13 +348,16 @@
')
optional_policy(`
- wireshark_role(sysadm_r, sysadm_t)
+ virt_stream_connect(sysadm_t)
')
optional_policy(`
- xserver_role(sysadm_r, sysadm_t)
+ yam_run(sysadm_t, sysadm_r)
')
optional_policy(`
- yam_run(sysadm_t, sysadm_r)
+ zebra_stream_connect(sysadm_t)
')
+
+init_script_role_transition(sysadm_r)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.5/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/roles/unconfineduser.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,8 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
+# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.5/policy/modules/roles/unconfineduser.if
--- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/roles/unconfineduser.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,667 @@
+## <summary>Unconfiend user role</summary>
+
+########################################
+## <summary>
+## Change from the unconfineduser role.
+## </summary>
+## <desc>
+## <p>
+## Change from the unconfineduser role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`unconfined_role_change_to',`
+ gen_require(`
+ role unconfined_r;
+ ')
+
+ allow unconfined_r $1;
+')
+
+########################################
+## <summary>
+## Transition to the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_domtrans',`
+ gen_require(`
+ type unconfined_t, unconfined_exec_t;
+ ')
+
+ domtrans_pattern($1,unconfined_exec_t,unconfined_t)
+')
+
+########################################
+## <summary>
+## Execute specified programs in the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the unconfined domain.
+## </summary>
+## </param>
+#
+interface(`unconfined_run',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ unconfined_domtrans($1)
+ role $2 types unconfined_t;
+')
+
+########################################
+## <summary>
+## Transition to the unconfined domain by executing a shell.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_shell_domtrans',`
+ gen_require(`
+ attribute unconfined_login_domain;
+ ')
+ typeattribute $1 unconfined_login_domain;
+')
+
+########################################
+## <summary>
+## Allow unconfined to execute the specified program in
+## the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Allow unconfined to execute the specified program in
+## the specified domain.
+## </p>
+## <p>
+## This is a interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to execute in.
+## </summary>
+## </param>
+## <param name="entry_file">
+## <summary>
+## Domain entry point file.
+## </summary>
+## </param>
+#
+interface(`unconfined_domtrans_to',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ domtrans_pattern(unconfined_t,$2,$1)
+')
+
+########################################
+## <summary>
+## Allow unconfined to execute the specified program in
+## the specified domain. Allow the specified domain the
+## unconfined role and use of unconfined user terminals.
+## </summary>
+## <desc>
+## <p>
+## Allow unconfined to execute the specified program in
+## the specified domain. Allow the specified domain the
+## unconfined role and use of unconfined user terminals.
+## </p>
+## <p>
+## This is a interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to execute in.
+## </summary>
+## </param>
+## <param name="entry_file">
+## <summary>
+## Domain entry point file.
+## </summary>
+## </param>
+#
+interface(`unconfined_run_to',`
+ gen_require(`
+ type unconfined_t;
+ role unconfined_r;
+ ')
+
+ domtrans_pattern(unconfined_t,$2,$1)
+ role unconfined_r types $1;
+ userdom_use_user_terminals($1)
+')
+
+########################################
+## <summary>
+## Inherit file descriptors from the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_use_fds',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:fd use;
+')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_sigchld',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Send a SIGNULL signal to the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_signull',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process signull;
+')
+
+########################################
+## <summary>
+## Send a SIGNULL signal to the unconfined execmem domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_execmem_signull',`
+ gen_require(`
+ type unconfined_execmem_t;
+ ')
+
+ allow $1 unconfined_execmem_t:process signull;
+')
+
+########################################
+## <summary>
+## Send a signal to the unconfined execmem domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_execmem_signal',`
+ gen_require(`
+ type unconfined_execmem_t;
+ ')
+
+ allow $1 unconfined_execmem_t:process signal;
+')
+
+########################################
+## <summary>
+## Send generic signals to the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_signal',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process signal;
+')
+
+########################################
+## <summary>
+## Read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_read_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_read_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:fifo_file read;
+')
+
+########################################
+## <summary>
+## Read and write unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_rw_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## unconfined domain stream.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_stream',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Connect to the unconfined domain using
+## a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_stream_connect',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## unconfined domain tcp sockets.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to read or write
+## unconfined domain tcp sockets.
+## </p>
+## <p>
+## This interface was added due to a broken
+## symptom in ldconfig.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## unconfined domain packet sockets.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to read or write
+## unconfined domain packet sockets.
+## </p>
+## <p>
+## This interface was added due to a broken
+## symptom.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_packet_sockets',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:packet_socket { read write };
+')
+
+########################################
+## <summary>
+## Create keys for the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_create_keys',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:key create;
+')
+
+########################################
+## <summary>
+## Send messages to the unconfined domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_dbus_send',`
+ gen_require(`
+ type unconfined_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 unconfined_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## unconfined_t over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_dbus_chat',`
+ gen_require(`
+ type unconfined_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 unconfined_t:dbus send_msg;
+ allow unconfined_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Connect to the the unconfined DBUS
+## for service (acquire_svc).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_dbus_connect',`
+ gen_require(`
+ type unconfined_t;
+ class dbus acquire_svc;
+ ')
+
+ allow $1 unconfined_t:dbus acquire_svc;
+')
+
+########################################
+## <summary>
+## Allow ptrace of unconfined domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_ptrace',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process ptrace;
+')
+
+########################################
+## <summary>
+## Read and write to unconfined shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`unconfined_rw_shm',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+## Read and write to unconfined execmem shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`unconfined_execmem_rw_shm',`
+ gen_require(`
+ type unconfined_execmem_t;
+ ')
+
+ allow $1 unconfined_execmem_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+## Transition to the unconfined_execmem domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_execmem_domtrans',`
+
+ gen_require(`
+ type unconfined_execmem_t;
+ ')
+
+ execmem_domtrans($1, unconfined_execmem_t)
+')
+
+########################################
+## <summary>
+## execute the execmem applications
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_execmem_exec',`
+
+ gen_require(`
+ type execmem_exec_t;
+ ')
+
+ can_exec($1, execmem_exec_t)
+')
+
+########################################
+## <summary>
+## Allow apps to set rlimits on userdomain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_set_rlimitnh',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process rlimitinh;
+')
+
+########################################
+## <summary>
+## Get the process group of unconfined.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_getpgid',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process getpgid;
+')
+
+########################################
+## <summary>
+## Change to the unconfined role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`unconfined_role_change',`
+ gen_require(`
+ role unconfined_r;
+ ')
+
+ allow $1 unconfined_r;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.5/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/roles/unconfineduser.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,443 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+attribute unconfined_login_domain;
+
+## <desc>
+## <p>
+## Transition to confined nsplugin domains from unconfined user
+## </p>
+## </desc>
+gen_tunable(allow_unconfined_nsplugin_transition, false)
+
+## <desc>
+## <p>
+## Allow a user to login as an unconfined domain
+## </p>
+## </desc>
+gen_tunable(unconfined_login, true)
+
+## <desc>
+## <p>
+## Transition to confined qemu domains from unconfined user
+## </p>
+## </desc>
+gen_tunable(allow_unconfined_qemu_transition, false)
+
+# usage in this module of types created by these
+# calls is not correct, however we dont currently
+# have another method to add access to these types
+userdom_base_user_template(unconfined)
+userdom_manage_home_role(unconfined_r, unconfined_t)
+userdom_manage_tmp_role(unconfined_r, unconfined_t)
+userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
+userdom_execmod_user_home_files(unconfined_t)
+userdom_unpriv_usertype(unconfined, unconfined_t)
+
+type unconfined_exec_t;
+init_system_domain(unconfined_t, unconfined_exec_t)
+role unconfined_r types unconfined_t;
+
+domain_user_exemption_target(unconfined_t)
+allow system_r unconfined_r;
+allow unconfined_r system_r;
+init_script_role_transition(unconfined_r)
+role system_r types unconfined_t;
+typealias unconfined_t alias { unconfined_dbusd_t unconfined_crontab_t };
+
+type unconfined_notrans_t;
+type unconfined_notrans_exec_t;
+init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)
+role unconfined_r types unconfined_notrans_t;
+
+########################################
+#
+# Local policy
+#
+
+dontaudit unconfined_t self:dir write;
+dontaudit unconfined_t self:file setattr;
+
+allow unconfined_t self:system syslog_read;
+dontaudit unconfined_t self:capability sys_module;
+
+files_create_boot_flag(unconfined_t)
+files_create_default_dir(unconfined_t)
+
+mcs_killall(unconfined_t)
+mcs_ptrace_all(unconfined_t)
+mls_file_write_all_levels(unconfined_t)
+
+init_run_daemon(unconfined_t, unconfined_r)
+init_domtrans_script(unconfined_t)
+init_chat(unconfined_t)
+
+libs_run_ldconfig(unconfined_t, unconfined_r)
+
+logging_send_syslog_msg(unconfined_t)
+logging_run_auditctl(unconfined_t, unconfined_r)
+
+mount_run_unconfined(unconfined_t, unconfined_r)
+# Unconfined running as system_r
+mount_domtrans_unconfined(unconfined_t)
+
+seutil_run_setsebool(unconfined_t, unconfined_r)
+seutil_run_setfiles(unconfined_t, unconfined_r)
+seutil_run_semanage(unconfined_t, unconfined_r)
+
+unconfined_domain_noaudit(unconfined_t)
+
+userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
+
+usermanage_run_passwd(unconfined_t, unconfined_r)
+usermanage_run_chfn(unconfined_t, unconfined_r)
+
+tunable_policy(`allow_execmem',`
+ allow unconfined_t self:process execmem;
+')
+
+tunable_policy(`allow_execmem && allow_execstack',`
+ allow unconfined_t self:process execstack;
+')
+
+tunable_policy(`unconfined_login',`
+ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
+ allow unconfined_t unconfined_login_domain:fd use;
+ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
+ allow unconfined_t unconfined_login_domain:process sigchld;
+')
+
+optional_policy(`
+ gen_require(`
+ attribute unconfined_usertype;
+ ')
+
+ nsplugin_role_notrans(unconfined_r, unconfined_usertype)
+ optional_policy(`
+ tunable_policy(`allow_unconfined_nsplugin_transition',`
+ nsplugin_domtrans(unconfined_usertype)
+ nsplugin_domtrans_config(unconfined_usertype)
+ ')
+ ')
+
+ userdom_execmod_user_home_files(unconfined_usertype)
+
+ optional_policy(`
+ abrt_dbus_chat(unconfined_usertype)
+ abrt_run_helper(unconfined_usertype, unconfined_r)
+ ')
+
+ optional_policy(`
+ avahi_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ devicekit_dbus_chat(unconfined_usertype)
+ devicekit_dbus_chat_disk(unconfined_usertype)
+ devicekit_dbus_chat_power(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ iptables_run(unconfined_usertype, unconfined_r)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ policykit_role(unconfined_r, unconfined_usertype)
+ ')
+
+ optional_policy(`
+ rtkit_daemon_system_domain(unconfined_usertype)
+ ')
+
+ optional_policy(`
+ setroubleshoot_dbus_chat(unconfined_usertype)
+ setroubleshoot_dbus_chat_fixit(unconfined_t)
+ ')
+
+ optional_policy(`
+ sandbox_transition(unconfined_usertype, unconfined_r)
+ ')
+
+ optional_policy(`
+ xserver_rw_shm(unconfined_usertype)
+ xserver_run_xauth(unconfined_usertype, unconfined_r)
+ xserver_dbus_chat_xdm(unconfined_usertype)
+ ')
+')
+
+ifdef(`distro_gentoo',`
+ seutil_run_runinit(unconfined_t, unconfined_r)
+ seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ ada_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ apache_run_helper(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ bind_run_ndc(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ bootloader_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ cron_unconfined_role(unconfined_r, unconfined_t)
+')
+
+optional_policy(`
+ chrome_role(unconfined_r, unconfined_t)
+')
+
+optional_policy(`
+ init_dbus_chat_script(unconfined_t)
+
+ dbus_stub(unconfined_t)
+
+ optional_policy(`
+ bluetooth_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
+ consolekit_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
+ cups_dbus_chat_config(unconfined_t)
+ ')
+
+ optional_policy(`
+ fprintd_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
+ gnomeclock_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
+ kerneloops_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
+ oddjob_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
+ vpnc_dbus_chat(unconfined_t)
+ ')
+')
+
+optional_policy(`
+ firewallgui_dbus_chat(unconfined_t)
+')
+
+optional_policy(`
+ firstboot_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ ftp_run_ftpdctl(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ gpsd_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ java_role_template(unconfined, unconfined_r, unconfined_t)
+ role system_r types unconfined_java_t;
+
+ files_execmod_all_files(unconfined_java_t)
+
+ init_dbus_chat_script(unconfined_java_t)
+
+ unconfined_domain_noaudit(unconfined_java_t)
+ unconfined_dbus_chat(unconfined_java_t)
+
+ optional_policy(`
+ rpm_domtrans(unconfined_java_t)
+ ')
+')
+
+optional_policy(`
+ livecd_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ lpd_run_checkpc(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ modutils_run_update_mods(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ mono_role_template(unconfined, unconfined_r, unconfined_t)
+ unconfined_domain_noaudit(unconfined_mono_t)
+ role system_r types unconfined_mono_t;
+')
+
+optional_policy(`
+ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ prelink_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ portmap_run_helper(unconfined_t, unconfined_r)
+')
+
+#optional_policy(`
+# ppp_run(unconfined_t, unconfined_r)
+#')
+
+optional_policy(`
+ qemu_role_notrans(unconfined_r, unconfined_t)
+ qemu_unconfined_role(unconfined_r)
+
+ tunable_policy(`allow_unconfined_qemu_transition',`
+ qemu_domtrans(unconfined_t)
+ ',`
+ qemu_domtrans_unconfined(unconfined_t)
+')
+')
+
+optional_policy(`
+ rpm_run(unconfined_t, unconfined_r)
+ # Allow SELinux aware applications to request rpm_script execution
+ rpm_transition_script(unconfined_t)
+ rpm_dbus_chat(unconfined_t)
+')
+
+optional_policy(`
+ samba_role_notrans(unconfined_r)
+ samba_run_unconfined_net(unconfined_t, unconfined_r)
+# samba_run_winbind_helper(unconfined_t, unconfined_r)
+ samba_run_smbcontrol(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ sendmail_run_unconfined(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ sysnet_run_dhcpc(unconfined_t, unconfined_r)
+ sysnet_dbus_chat_dhcpc(unconfined_t)
+ sysnet_role_transition_dhcpc(unconfined_r)
+')
+
+optional_policy(`
+ tzdata_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ vbetool_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ virt_transition_svirt(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ vpn_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ webalizer_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ wine_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ xserver_run(unconfined_t, unconfined_r)
+')
+
+########################################
+#
+# Unconfined Execmem Local policy
+#
+
+optional_policy(`
+ execmem_role_template(unconfined, unconfined_r, unconfined_t)
+ typealias unconfined_execmem_t alias execmem_t;
+ unconfined_domain_noaudit(unconfined_execmem_t)
+ allow unconfined_execmem_t unconfined_t:process transition;
+ rpm_transition_script(unconfined_execmem_t)
+
+ optional_policy(`
+ init_dbus_chat_script(unconfined_execmem_t)
+ dbus_system_bus_client(unconfined_execmem_t)
+ unconfined_dbus_chat(unconfined_execmem_t)
+ unconfined_dbus_connect(unconfined_execmem_t)
+ ')
+
+ optional_policy(`
+ gen_require(`
+ type mplayer_exec_t;
+ type unconfined_execmem_t;
+ ')
+ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
+ ')
+
+ optional_policy(`
+ tunable_policy(`allow_unconfined_nsplugin_transition',`', `
+ gen_require(`
+ type mozilla_exec_t;
+ type unconfined_execmem_t;
+ type nsplugin_exec_t;
+ ')
+ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
+ domtrans_pattern(unconfined_t, nsplugin_exec_t, unconfined_execmem_t)
+ ')
+ ')
+
+ optional_policy(`
+ gen_require(`
+ type openoffice_exec_t;
+ type unconfined_execmem_t;
+ ')
+ domtrans_pattern(unconfined_t, openoffice_exec_t, unconfined_execmem_t)
+ ')
+')
+
+########################################
+#
+# Unconfined notrans Local policy
+#
+
+allow unconfined_notrans_t self:process { execstack execmem };
+unconfined_domain_noaudit(unconfined_notrans_t)
+userdom_unpriv_usertype(unconfined, unconfined_notrans_t)
+domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
+# Allow SELinux aware applications to request rpm_script execution
+rpm_transition_script(unconfined_notrans_t)
+domain_ptrace_all_domains(unconfined_notrans_t)
+
+########################################
+#
+# Unconfined mount local policy
+#
+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.5/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/roles/unprivuser.te 2009-12-21 13:07:09.000000000 -0500
@@ -14,96 +14,19 @@
userdom_unpriv_user_template(user)
optional_policy(`
- apache_role(user_r, user_t)
+ kerneloops_dontaudit_dbus_chat(user_t)
')
optional_policy(`
- auth_role(user_r, user_t)
+ rpm_dontaudit_dbus_chat(user_t)
')
optional_policy(`
- bluetooth_role(user_r, user_t)
+ rtkit_daemon_system_domain(user_t)
')
optional_policy(`
- cdrecord_role(user_r, user_t)
-')
-
-optional_policy(`
- cron_role(user_r, user_t)
-')
-
-optional_policy(`
- dbus_role_template(user, user_r, user_t)
-')
-
-optional_policy(`
- ethereal_role(user_r, user_t)
-')
-
-optional_policy(`
- evolution_role(user_r, user_t)
-')
-
-optional_policy(`
- games_role(user_r, user_t)
-')
-
-optional_policy(`
- gift_role(user_r, user_t)
-')
-
-optional_policy(`
- gnome_role(user_r, user_t)
-')
-
-optional_policy(`
- gpg_role(user_r, user_t)
-')
-
-optional_policy(`
- irc_role(user_r, user_t)
-')
-
-optional_policy(`
- java_role(user_r, user_t)
-')
-
-optional_policy(`
- lockdev_role(user_r, user_t)
-')
-
-optional_policy(`
- lpd_role(user_r, user_t)
-')
-
-optional_policy(`
- mozilla_role(user_r, user_t)
-')
-
-optional_policy(`
- mplayer_role(user_r, user_t)
-')
-
-optional_policy(`
- mta_role(user_r, user_t)
-')
-
-optional_policy(`
- oident_manage_user_content(user_t)
- oident_relabel_user_content(user_t)
-')
-
-optional_policy(`
- pyzor_role(user_r, user_t)
-')
-
-optional_policy(`
- razor_role(user_r, user_t)
-')
-
-optional_policy(`
- rssh_role(user_r, user_t)
+ sandbox_transition(user_t, user_r)
')
optional_policy(`
@@ -111,45 +34,5 @@
')
optional_policy(`
- spamassassin_role(user_r, user_t)
-')
-
-optional_policy(`
- ssh_role_template(user, user_r, user_t)
-')
-
-optional_policy(`
- su_role_template(user, user_r, user_t)
-')
-
-optional_policy(`
- sudo_role_template(user, user_r, user_t)
-')
-
-optional_policy(`
- thunderbird_role(user_r, user_t)
-')
-
-optional_policy(`
- tvtime_role(user_r, user_t)
-')
-
-optional_policy(`
- uml_role(user_r, user_t)
-')
-
-optional_policy(`
- userhelper_role_template(user, user_r, user_t)
-')
-
-optional_policy(`
- vmware_role(user_r, user_t)
-')
-
-optional_policy(`
- wireshark_role(user_r, user_t)
-')
-
-optional_policy(`
- xserver_role(user_r, user_t)
+ setroubleshoot_dontaudit_stream_connect(user_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.5/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/roles/xguest.te 2009-12-21 13:07:09.000000000 -0500
@@ -35,6 +35,23 @@
#
# Local policy
#
+ifndef(`enable_mls',`
+ fs_exec_noxattr(xguest_t)
+
+ tunable_policy(`user_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files(xguest_t)
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ # Write floppies
+ storage_raw_read_removable_device(xguest_t)
+ storage_raw_write_removable_device(xguest_t)
+ ',`
+ storage_raw_read_removable_device(xguest_t)
+ ')
+')
+# Dontaudit fusermount
+mount_dontaudit_exec_fusermount(xguest_t)
+
+allow xguest_t self:process execmem;
# Allow mounting of file systems
optional_policy(`
@@ -49,10 +66,9 @@
fs_manage_noxattr_fs_dirs(xguest_t)
fs_getattr_noxattr_fs(xguest_t)
fs_read_noxattr_fs_symlinks(xguest_t)
+ fs_mount_fusefs(xguest_t)
auth_list_pam_console_data(xguest_t)
-
- init_read_utmp(xguest_t)
')
')
@@ -67,17 +83,60 @@
')
optional_policy(`
- java_role(xguest_r, xguest_t)
+ java_role_template(xguest, xguest_r, xguest_t)
')
optional_policy(`
- mozilla_role(xguest_r, xguest_t)
+ mono_role_template(xguest, xguest_r, xguest_t)
+')
+
+optional_policy(`
+ nsplugin_role(xguest_r, xguest_t)
')
optional_policy(`
tunable_policy(`xguest_connect_network',`
networkmanager_dbus_chat(xguest_t)
+ networkmanager_read_var_lib_files(xguest_t)
+ corenet_tcp_connect_pulseaudio_port(xguest_usertype)
+ corenet_all_recvfrom_unlabeled(xguest_usertype)
+ corenet_all_recvfrom_netlabel(xguest_usertype)
+ corenet_tcp_sendrecv_generic_if(xguest_usertype)
+ corenet_raw_sendrecv_generic_if(xguest_usertype)
+ corenet_tcp_sendrecv_generic_node(xguest_usertype)
+ corenet_raw_sendrecv_generic_node(xguest_usertype)
+ corenet_tcp_sendrecv_http_port(xguest_usertype)
+ corenet_tcp_sendrecv_http_cache_port(xguest_usertype)
+ corenet_tcp_sendrecv_ftp_port(xguest_usertype)
+ corenet_tcp_sendrecv_ipp_port(xguest_usertype)
+ corenet_tcp_connect_http_port(xguest_usertype)
+ corenet_tcp_connect_http_cache_port(xguest_usertype)
+ corenet_tcp_connect_flash_port(xguest_usertype)
+ corenet_tcp_connect_ftp_port(xguest_usertype)
+ corenet_tcp_connect_ipp_port(xguest_usertype)
+ corenet_tcp_connect_generic_port(xguest_usertype)
+ corenet_tcp_connect_soundd_port(xguest_usertype)
+ corenet_sendrecv_http_client_packets(xguest_usertype)
+ corenet_sendrecv_http_cache_client_packets(xguest_usertype)
+ corenet_sendrecv_ftp_client_packets(xguest_usertype)
+ corenet_sendrecv_ipp_client_packets(xguest_usertype)
+ corenet_sendrecv_generic_client_packets(xguest_usertype)
+ # Should not need other ports
+ corenet_dontaudit_tcp_sendrecv_generic_port(xguest_usertype)
+ corenet_dontaudit_tcp_bind_generic_port(xguest_usertype)
+ corenet_tcp_connect_speech_port(xguest_usertype)
+ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
+ corenet_tcp_connect_transproxy_port(xguest_usertype)
')
')
-#gen_user(xguest_u,, xguest_r, s0, s0)
+optional_policy(`
+ gen_require(`
+ type mozilla_t;
+ ')
+
+ allow xguest_t mozilla_t:process transition;
+ role xguest_r types mozilla_t;
+')
+
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.5/policy/modules/services/abrt.fc
--- nsaserefpolicy/policy/modules/services/abrt.fc 2009-09-16 09:09:20.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/abrt.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,11 +1,17 @@
/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
-/usr/sbin/abrt -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+
+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
/var/log/abrt-logger -- gen_context(system_u:object_r:abrt_var_log_t,s0)
/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/run/abrt\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.5/policy/modules/services/abrt.if
--- nsaserefpolicy/policy/modules/services/abrt.if 2009-09-16 09:09:20.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/abrt.if 2009-12-21 13:07:09.000000000 -0500
@@ -19,6 +19,24 @@
domtrans_pattern($1, abrt_exec_t, abrt_t)
')
+#####################################
+## <summary>
+## Execute abrt-helper in the abrt-helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`abrt_domtrans_helper',`
+ gen_require(`
+ type abrt_helper_t, abrt_helper_exec_t;
+ ')
+
+ domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
+')
+
######################################
## <summary>
## Execute abrt
@@ -56,6 +74,32 @@
read_files_pattern($1, abrt_etc_t, abrt_etc_t)
')
+########################################
+## <summary>
+## Execute abrt helper in the abrt_helper domain, and
+## allow the specified role the abrt_helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the abrt_helper domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`abrt_run_helper',`
+ gen_require(`
+ type abrt_helper_t;
+ ')
+
+ abrt_domtrans_helper($1)
+ role $2 types abrt_helper_t;
+')
+
######################################
## <summary>
## Read abrt logs.
@@ -75,6 +119,101 @@
read_files_pattern($1, abrt_var_log_t, abrt_var_log_t)
')
+######################################
+## <summary>
+## Read abrt PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_read_pid_files',`
+ gen_require(`
+ type abrt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
+')
+
+########################################
+## <summary>
+## Allow the domain to read abrt state files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`abrt_read_state',`
+ gen_require(`
+ type abrt_t;
+ ')
+
+ ps_process_pattern($1, abrt_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## abrt over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_dbus_chat',`
+ gen_require(`
+ type abrt_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 abrt_t:dbus send_msg;
+ allow abrt_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## abrt over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_cache_manage',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+ manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+')
+
+########################################
+## <summary>
+## Send a null signal to abrt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_signull',`
+ gen_require(`
+ type abrt_t;
+ ')
+
+ allow $1 abrt_t:process signull;
+')
+
#####################################
## <summary>
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.5/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/abrt.te 2009-12-22 08:42:16.000000000 -0500
@@ -33,12 +33,24 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
+# type needed to allow all domains
+# to handle /var/cache/abrt
+type abrt_helper_t;
+type abrt_helper_exec_t;
+application_domain(abrt_helper_t, abrt_helper_exec_t)
+role system_r types abrt_helper_t;
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
+')
+
########################################
#
# abrt local policy
#
-allow abrt_t self:capability { setuid setgid sys_nice dac_override };
+allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
+dontaudit abrt_t self:capability sys_rawio;
allow abrt_t self:process { signal signull setsched getsched };
allow abrt_t self:fifo_file rw_fifo_file_perms;
@@ -58,15 +70,18 @@
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+can_exec(abrt_t, abrt_tmp_t)
# abrt var/cache files
-manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
# abrt pid files
-manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
kernel_read_ring_buffer(abrt_t)
@@ -75,18 +90,34 @@
corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
+corecmd_read_all_executables(abrt_t)
corenet_tcp_connect_http_port(abrt_t)
+corenet_tcp_connect_ftp_port(abrt_t)
+corenet_tcp_connect_all_ports(abrt_t)
dev_read_urand(abrt_t)
+dev_rw_sysfs(abrt_t)
+dev_dontaudit_read_memory_dev(abrt_t)
+
+domain_read_all_domains_state(abrt_t)
+domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
files_read_etc_files(abrt_t)
+files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
+files_read_generic_tmp_files(abrt_t)
+files_read_kernel_modules(abrt_t)
+
+files_dontaudit_list_default(abrt_t)
+files_dontaudit_read_default_files(abrt_t)
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
fs_getattr_all_dirs(abrt_t)
+fs_read_fusefs_files(abrt_t)
+fs_search_all(abrt_t)
sysnet_read_config(abrt_t)
@@ -96,22 +127,92 @@
miscfiles_read_certs(abrt_t)
miscfiles_read_localization(abrt_t)
-# to run bugzilla plugin
-# read ~/.abrt/Bugzilla.conf
-userdom_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_user_home_content_files(abrt_t)
+
+optional_policy(`
+ dbus_system_domain(abrt_t, abrt_exec_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(abrt_t)
+')
+
+optional_policy(`
+ nsplugin_read_rw_files(abrt_t)
+ nsplugin_read_home(abrt_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(abrt_t)
+ policykit_domtrans_auth(abrt_t)
+ policykit_read_lib(abrt_t)
+ policykit_read_reload(abrt_t)
+')
optional_policy(`
- dbus_connect_system_bus(abrt_t)
- dbus_system_bus_client(abrt_t)
+ prelink_exec(abrt_t)
+ libs_exec_ld_so(abrt_t)
+ corecmd_exec_all_executables(abrt_t)
')
# to install debuginfo packages
optional_policy(`
- rpm_manage_db(abrt_t)
- rpm_domtrans(abrt_t)
+ rpm_exec(abrt_t)
+ rpm_dontaudit_manage_db(abrt_t)
+ rpm_manage_cache(abrt_t)
+ rpm_manage_pid_files(abrt_t)
+ rpm_read_db(abrt_t)
+ rpm_signull(abrt_t)
')
# to run mailx plugin
optional_policy(`
sendmail_domtrans(abrt_t)
')
+
+optional_policy(`
+ sssd_stream_connect(abrt_t)
+')
+
+permissive abrt_t;
+
+########################################
+#
+# abrt--helper local policy
+#
+
+allow abrt_helper_t self:capability { chown setgid };
+read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)
+
+domain_read_all_domains_state(abrt_helper_t)
+
+manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+
+files_read_etc_files(abrt_helper_t)
+files_dontaudit_all_non_security_leaks(abrt_helper_t)
+
+fs_list_inotifyfs(abrt_helper_t)
+
+auth_use_nsswitch(abrt_helper_t)
+
+miscfiles_read_localization(abrt_helper_t)
+
+userdom_dontaudit_use_user_terminals(abrt_helper_t)
+
+ifdef(`hide_broken_symptoms', `
+ domain_dontaudit_leaks(abrt_helper_t)
+ userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
+ userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
+ optional_policy(`
+ rpm_dontaudit_leaks(abrt_helper_t)
+ ')
+ dev_dontaudit_read_all_blk_files(abrt_helper_t)
+ dev_dontaudit_read_all_chr_files(abrt_helper_t)
+ dev_dontaudit_write_all_chr_files(abrt_helper_t)
+ dev_dontaudit_write_all_blk_files(abrt_helper_t)
+')
+
+permissive abrt_helper_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.7.5/policy/modules/services/afs.fc
--- nsaserefpolicy/policy/modules/services/afs.fc 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/afs.fc 2009-12-21 13:07:09.000000000 -0500
@@ -22,10 +22,10 @@
/usr/sbin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
-/usr/vice/cache(/.*)? gen_context(system_u:object_r:afs_cache_t,s0)
/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
/var/cache/afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0)
+/usr/vice/cache(/.*)? gen_context(system_u:object_r:afs_cache_t,s0)
/vicepa gen_context(system_u:object_r:afs_files_t,s0)
/vicepb gen_context(system_u:object_r:afs_files_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.5/policy/modules/services/afs.te
--- nsaserefpolicy/policy/modules/services/afs.te 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/afs.te 2009-12-21 13:07:09.000000000 -0500
@@ -71,7 +71,7 @@
# afs client local policy
#
-allow afs_t self:capability { sys_nice sys_tty_config };
+allow afs_t self:capability { sys_admin sys_nice sys_tty_config };
allow afs_t self:process setsched;
allow afs_t self:udp_socket create_socket_perms;
allow afs_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.5/policy/modules/services/aisexec.fc
--- nsaserefpolicy/policy/modules/services/aisexec.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/aisexec.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,12 @@
+
+/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0)
+
+/usr/sbin/aisexec -- gen_context(system_u:object_r:aisexec_exec_t,s0)
+
+/var/lib/openais(/.*)? gen_context(system_u:object_r:aisexec_var_lib_t,s0)
+
+/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0)
+
+/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0)
+
+/var/run/cman_.* -s gen_context(system_u:object_r:aisexec_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.5/policy/modules/services/aisexec.if
--- nsaserefpolicy/policy/modules/services/aisexec.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/aisexec.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,106 @@
+## <summary>SELinux policy for Aisexec Cluster Engine</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run aisexec.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`aisexec_domtrans',`
+ gen_require(`
+ type aisexec_t, aisexec_exec_t;
+ ')
+
+ domtrans_pattern($1, aisexec_exec_t, aisexec_t)
+')
+
+#####################################
+## <summary>
+## Connect to aisexec over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aisexec_stream_connect',`
+ gen_require(`
+ type aisexec_t, aisexec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, aisexec_var_run_t, aisexec_var_run_t, aisexec_t)
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to read aisexec's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aisexec_read_log',`
+ gen_require(`
+ type aisexec_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ list_dirs_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
+ read_files_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
+')
+
+######################################
+## <summary>
+## All of the rules required to administrate
+## an aisexec environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the aisexecd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`aisexecd_admin',`
+ gen_require(`
+ type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t;
+ type aisexec_var_run_t, aisexec_tmp_t, aisexec_tmpfs_t;
+ type aisexec_initrc_exec_t;
+ ')
+
+ allow $1 aisexec_t:process { ptrace signal_perms };
+ ps_process_pattern($1, aisexec_t)
+
+ init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 aisexec_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, aisexec_var_lib_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, aisexec_var_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, aisexec_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, aisexec_tmp_t)
+
+ admin_pattern($1, aisexec_tmpfs_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.5/policy/modules/services/aisexec.te
--- nsaserefpolicy/policy/modules/services/aisexec.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/aisexec.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,112 @@
+
+policy_module(aisexec,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type aisexec_t;
+type aisexec_exec_t;
+init_daemon_domain(aisexec_t, aisexec_exec_t)
+
+type aisexec_initrc_exec_t;
+init_script_file(aisexec_initrc_exec_t);
+
+# tmp files
+type aisexec_tmp_t;
+files_tmp_file(aisexec_tmp_t)
+
+type aisexec_tmpfs_t;
+files_tmpfs_file(aisexec_tmpfs_t)
+
+# log files
+type aisexec_var_log_t;
+logging_log_file(aisexec_var_log_t)
+
+# var/lib files
+type aisexec_var_lib_t;
+files_type(aisexec_var_lib_t)
+
+# pid files
+type aisexec_var_run_t;
+files_pid_file(aisexec_var_run_t)
+
+########################################
+#
+# aisexec local policy
+#
+
+allow aisexec_t self:capability { sys_nice sys_resource ipc_lock };
+allow aisexec_t self:process { setrlimit setsched signal };
+
+allow aisexec_t self:fifo_file rw_fifo_file_perms;
+allow aisexec_t self:sem create_sem_perms;
+allow aisexec_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow aisexec_t self:unix_dgram_socket create_socket_perms;
+allow aisexec_t self:udp_socket create_socket_perms;
+
+# tmp files
+manage_dirs_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
+manage_files_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
+files_tmp_filetrans(aisexec_t, aisexec_tmp_t, { file dir })
+
+manage_dirs_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
+manage_files_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
+fs_tmpfs_filetrans(aisexec_t, aisexec_tmpfs_t,{ dir file })
+
+# var/lib files
+manage_files_pattern(aisexec_t, aisexec_var_lib_t,aisexec_var_lib_t)
+manage_dirs_pattern(aisexec_t, aisexec_var_lib_t,aisexec_var_lib_t)
+manage_sock_files_pattern(aisexec_t, aisexec_var_lib_t,aisexec_var_lib_t)
+files_var_lib_filetrans(aisexec_t,aisexec_var_lib_t, { file dir sock_file })
+
+# log files
+manage_files_pattern(aisexec_t, aisexec_var_log_t,aisexec_var_log_t)
+manage_sock_files_pattern(aisexec_t, aisexec_var_log_t,aisexec_var_log_t)
+logging_log_filetrans(aisexec_t,aisexec_var_log_t,{ sock_file file })
+
+# pid file
+manage_files_pattern(aisexec_t, aisexec_var_run_t,aisexec_var_run_t)
+manage_sock_files_pattern(aisexec_t, aisexec_var_run_t,aisexec_var_run_t)
+files_pid_filetrans(aisexec_t,aisexec_var_run_t, { file sock_file })
+
+corenet_udp_bind_netsupport_port(aisexec_t)
+corenet_tcp_bind_reserved_port(aisexec_t)
+corenet_udp_bind_cluster_port(aisexec_t)
+
+ccs_stream_connect(aisexec_t)
+
+corecmd_exec_bin(aisexec_t)
+
+kernel_read_system_state(aisexec_t)
+
+files_manage_mounttab(aisexec_t)
+
+auth_use_nsswitch(aisexec_t)
+
+dev_read_urand(aisexec_t)
+
+libs_use_ld_so(aisexec_t)
+libs_use_shared_libs(aisexec_t)
+miscfiles_read_localization(aisexec_t)
+
+init_rw_script_tmp_files(aisexec_t)
+
+logging_send_syslog_msg(aisexec_t)
+
+# to communication with RHCS
+dlm_controld_manage_tmpfs_files(aisexec_t)
+dlm_controld_rw_semaphores(aisexec_t)
+
+fenced_manage_tmpfs_files(aisexec_t)
+fenced_rw_semaphores(aisexec_t)
+
+gfs_controld_manage_tmpfs_files(aisexec_t)
+gfs_controld_rw_semaphores(aisexec_t)
+gfs_controld_t_rw_shm(aisexec_t)
+
+groupd_manage_tmpfs_files(aisexec_t)
+groupd_rw_semaphores(aisexec_t)
+groupd_rw_shm(aisexec_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.5/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/apache.fc 2009-12-21 13:07:09.000000000 -0500
@@ -2,11 +2,15 @@
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/etc/httpd -d gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/httpd/conf.* gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -21,10 +25,13 @@
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib(64)?/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
@@ -32,31 +39,51 @@
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
+/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
')
@@ -64,11 +91,33 @@
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
+/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t, s0)
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+#Bugzilla file context
+/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0)
+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+
+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.5/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/apache.if 2009-12-22 10:55:59.000000000 -0500
@@ -13,21 +13,16 @@
#
template(`apache_content_template',`
gen_require(`
- attribute httpdcontent;
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
')
- # allow write access to public file transfer
- # services files.
- gen_tunable(allow_httpd_$1_script_anon_write, false)
-
#This type is for webpages
- type httpd_$1_content_t, httpdcontent; # customizable
+ type httpd_$1_content_t;
files_type(httpd_$1_content_t)
# This type is used for .htaccess files
- type httpd_$1_htaccess_t; # customizable;
+ type httpd_$1_htaccess_t;
files_type(httpd_$1_htaccess_t)
# Type that CGI scripts run as
@@ -42,20 +37,22 @@
# The following three are the only areas that
# scripts can read, read/write, or append to
- type httpd_$1_script_ro_t, httpdcontent; # customizable
- files_type(httpd_$1_script_ro_t)
+ typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
- type httpd_$1_script_rw_t, httpdcontent; # customizable
- files_type(httpd_$1_script_rw_t)
+ type httpd_$1_content_rw_t;
+ files_type(httpd_$1_content_rw_t)
+ typealias httpd_$1_content_rw_t alias httpd_$1_script_rw_t;
- type httpd_$1_script_ra_t, httpdcontent; # customizable
- files_type(httpd_$1_script_ra_t)
+ type httpd_$1_content_ra_t;
+ files_type(httpd_$1_content_ra_t)
+ typealias httpd_$1_content_ra_t alias httpd_$1_script_ra_t;
- allow httpd_t httpd_$1_htaccess_t:file read_file_perms;
+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;
+ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;
+ allow httpd_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;
allow httpd_$1_script_t self:fifo_file rw_file_perms;
allow httpd_$1_script_t self:unix_stream_socket connectto;
@@ -65,29 +62,26 @@
dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
# Allow the script process to search the cgi directory, and users directory
- allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
+ list_dirs_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
+ read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
logging_search_logs(httpd_$1_script_t)
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
- allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms;
+ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
- allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
- read_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
- append_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
- read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-
- allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms;
- read_files_pattern(httpd_$1_script_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
- read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
-
- manage_dirs_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- manage_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_script_rw_t, { dir file lnk_file sock_file fifo_file })
+ allow httpd_$1_script_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
+ append_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
+
+ manage_dirs_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
+ manage_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
+ manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
+ manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
+ manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
@@ -96,6 +90,7 @@
dev_read_urand(httpd_$1_script_t)
corecmd_exec_all_executables(httpd_$1_script_t)
+ application_exec_all(httpd_$1_script_t)
files_exec_etc_files(httpd_$1_script_t)
files_read_etc_files(httpd_$1_script_t)
@@ -109,34 +104,21 @@
seutil_dontaudit_search_config(httpd_$1_script_t)
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_$1_script_t httpdcontent:file entrypoint;
-
- manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
- manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
- manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
- can_exec(httpd_$1_script_t, httpdcontent)
- ')
-
- tunable_policy(`allow_httpd_$1_script_anon_write',`
- miscfiles_manage_public_files(httpd_$1_script_t)
- ')
-
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
- manage_dirs_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- manage_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- manage_lnk_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- rw_sock_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-
- allow httpd_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
- read_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
- append_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
- read_lnk_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-
- allow httpd_t httpd_$1_script_ro_t:dir list_dir_perms;
- read_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
- read_lnk_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
+ manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
+ manage_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
+ manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
+ rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
+
+ allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
+ append_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
+ read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
+
+ allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+ read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
@@ -149,9 +131,13 @@
# privileged users run the script:
domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
+
# apache runs the script:
domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+ allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
+
allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
@@ -175,50 +161,6 @@
miscfiles_read_localization(httpd_$1_script_t)
')
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
- allow httpd_$1_script_t self:udp_socket create_socket_perms;
-
- corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
- corenet_all_recvfrom_netlabel(httpd_$1_script_t)
- corenet_tcp_sendrecv_generic_if(httpd_$1_script_t)
- corenet_udp_sendrecv_generic_if(httpd_$1_script_t)
- corenet_tcp_sendrecv_generic_node(httpd_$1_script_t)
- corenet_udp_sendrecv_generic_node(httpd_$1_script_t)
- corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
- corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
-
- sysnet_read_config(httpd_$1_script_t)
- ')
-
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
- allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
- allow httpd_$1_script_t self:udp_socket create_socket_perms;
-
- corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
- corenet_all_recvfrom_netlabel(httpd_$1_script_t)
- corenet_tcp_sendrecv_generic_if(httpd_$1_script_t)
- corenet_udp_sendrecv_generic_if(httpd_$1_script_t)
- corenet_tcp_sendrecv_generic_node(httpd_$1_script_t)
- corenet_udp_sendrecv_generic_node(httpd_$1_script_t)
- corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
- corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
- corenet_tcp_connect_all_ports(httpd_$1_script_t)
- corenet_sendrecv_all_client_packets(httpd_$1_script_t)
-
- sysnet_read_config(httpd_$1_script_t)
- ')
-
- optional_policy(`
- mta_send_mail(httpd_$1_script_t)
- ')
-
- optional_policy(`
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- mysql_tcp_connect(httpd_$1_script_t)
- ')
- ')
-
optional_policy(`
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
nis_use_ypbind_uncond(httpd_$1_script_t)
@@ -227,15 +169,13 @@
optional_policy(`
postgresql_unpriv_client(httpd_$1_script_t)
-
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_$1_script_t)
- ')
')
optional_policy(`
nscd_socket_use(httpd_$1_script_t)
')
+
+ dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
')
########################################
@@ -258,8 +198,8 @@
attribute httpdcontent;
type httpd_user_content_t, httpd_user_htaccess_t;
type httpd_user_script_t, httpd_user_script_exec_t;
- type httpd_user_script_ra_t, httpd_user_script_ro_t;
- type httpd_user_script_rw_t;
+ type httpd_user_content_ra_t, httpd_user_content_t;
+ type httpd_user_content_rw_t;
')
role $1 types httpd_user_script_t;
@@ -268,26 +208,26 @@
allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
- manage_dirs_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
- manage_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
- manage_lnk_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
- relabel_dirs_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
- relabel_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
- relabel_lnk_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
-
- manage_dirs_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
- manage_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
- manage_lnk_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
- relabel_dirs_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
- relabel_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
- relabel_lnk_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
-
- manage_dirs_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
- manage_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
- manage_lnk_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
- relabel_dirs_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
- relabel_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
- relabel_lnk_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
+ manage_dirs_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t)
+ manage_files_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t)
+ manage_lnk_files_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t)
+ relabel_dirs_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t)
+ relabel_files_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t)
+ relabel_lnk_files_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t)
+
+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
+ manage_dirs_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t)
+ manage_files_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t)
+ manage_lnk_files_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t)
+ relabel_dirs_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t)
+ relabel_files_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t)
+ relabel_lnk_files_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t)
manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
@@ -365,6 +305,24 @@
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
+#######################################
+## <summary>
+## Send a signal to apache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_signal',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:process signal;
+')
+
########################################
## <summary>
## Send a null signal to apache.
@@ -441,6 +399,25 @@
########################################
## <summary>
## Do not audit attempts to read and write Apache
+## fifo file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_fifo_file',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write Apache
## TCP sockets.
## </summary>
## <param name="domain">
@@ -503,6 +480,105 @@
########################################
## <summary>
+## Allow the specified domain to list
+## Apache cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_list_cache',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to delete
+## Apache cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_delete_cache',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
+ delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
+########################################
+## <summary>
+## Allow domain to set the attributes
+## of the APACHE cache directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_setattr_cache_dirs',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ allow $1 httpd_cache_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## apache tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_tmp',`
+ gen_require(`
+ type httpd_config_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
+')
+
+########################################
+## <summary>
+## Dontaudit attempts ti write
+## apache tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_dontaudit_write_tmp',`
+ gen_require(`
+ type httpd_config_t;
+ ')
+
+ dontaudit $1 httpd_tmp_t:file write;
+')
+
+########################################
+## <summary>
## Allow the specified domain to read
## apache configuration files.
## </summary>
@@ -579,7 +655,7 @@
## </param>
## <param name="role">
## <summary>
-## The role to be allowed the dmidecode domain.
+## The role to be allowed the http_helper domain.
## </summary>
## </param>
## <rolecap/>
@@ -715,6 +791,7 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
')
########################################
@@ -782,6 +859,32 @@
########################################
## <summary>
+## Allow the specified domain to delete
+## apache system content rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
+interface(`apache_delete_sys_content_rw',`
+ gen_require(`
+ type httpd_sys_content_rw_t;
+ ')
+
+ files_search_tmp($1)
+ delete_dirs_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t)
+ delete_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t)
+ delete_lnk_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t)
+ delete_fifo_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t)
+ delete_sock_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t)
+')
+
+########################################
+## <summary>
## Execute all web scripts in the system
## script domain.
## </summary>
@@ -791,16 +894,18 @@
## </summary>
## </param>
#
-# cjp: this interface specifically added to allow
-# sysadm_t to run scripts
interface(`apache_domtrans_sys_script',`
gen_require(`
- attribute httpdcontent;
type httpd_sys_script_t;
+ type httpd_sys_content_t;
+ ')
+
+ tunable_policy(`httpd_enable_cgi',`
+ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
- domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
+ domtrans_pattern($1, httpd_sys_content_t, httpd_sys_script_t)
')
')
@@ -859,6 +964,8 @@
## </summary>
## </param>
#
+# cjp: this is missing the terminal since scripts
+# do not output to the terminal
interface(`apache_run_all_scripts',`
gen_require(`
attribute httpd_exec_scripts, httpd_script_domains;
@@ -884,7 +991,7 @@
type httpd_squirrelmail_t;
')
- allow $1 httpd_squirrelmail_t:file read_file_perms;
+ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
')
########################################
@@ -1043,6 +1150,44 @@
########################################
## <summary>
+## Allow the specified domain to search
+## apache bugzilla directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_search_bugzilla_dirs',`
+ gen_require(`
+ type httpd_bugzilla_content_t;
+ ')
+
+ allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write Apache
+## bugzill script unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_bugzilla_script_stream_sockets',`
+ gen_require(`
+ type httpd_bugzilla_script_t;
+ ')
+
+ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
## All of the rules required to administrate an apache environment
## </summary>
## <param name="prefix">
@@ -1072,11 +1217,17 @@
type httpd_modules_t, httpd_lock_t;
type httpd_var_run_t, httpd_php_tmp_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
+ type httpd_initrc_exec_t, httpd_bool_t;
')
allow $1 httpd_t:process { getattr ptrace signal_perms };
ps_process_pattern($1, httpd_t)
+ init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 httpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -1096,12 +1247,57 @@
kernel_search_proc($1)
allow $1 httpd_t:dir list_dir_perms;
-
+ ps_process_pattern($1, httpd_t)
read_lnk_files_pattern($1, httpd_t, httpd_t)
admin_pattern($1, httpdcontent)
admin_pattern($1, httpd_script_exec_type)
+
+ seutil_domtrans_setfiles($1)
+
admin_pattern($1, httpd_tmp_t)
admin_pattern($1, httpd_php_tmp_t)
admin_pattern($1, httpd_suexec_tmp_t)
+ files_tmp_filetrans($1, httpd_tmp_t, { file dir })
+
+ifdef(`TODO',`
+ apache_set_booleans($1, $2, $3, httpd_bool_t )
+ seutil_setsebool_role_template($1, $3, $2)
+ allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
+ allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
+')
+')
+
+########################################
+## <summary>
+## Mark content as being readable by standard apache processes
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`apache_ro_content',`
+ gen_require(`
+ attribute httpd_ro_content;
+ ')
+ typeattribute $1 httpd_ro_content;
+')
+
+########################################
+## <summary>
+## Mark content as being read/write by standard apache processes
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`apache_rw_content',`
+ gen_require(`
+ attribute httpd_rw_content;
+ ')
+ typeattribute $1 httpd_rw_content;
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.5/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/apache.te 2009-12-21 13:07:09.000000000 -0500
@@ -19,6 +19,8 @@
# Declarations
#
+selinux_genbool(httpd_bool_t)
+
## <desc>
## <p>
## Allow Apache to modify public files
@@ -30,10 +32,17 @@
## <desc>
## <p>
-## Allow Apache to use mod_auth_pam
+## Allow httpd scripts and modules execmem/execstack
## </p>
## </desc>
-gen_tunable(allow_httpd_mod_auth_pam, false)
+gen_tunable(httpd_execmem, false)
+
+## <desc>
+## <p>
+## Allow Apache to communicate with avahi service via dbus
+## </p>
+## </desc>
+gen_tunable(httpd_dbus_avahi, false)
## <desc>
## <p>
@@ -44,6 +53,13 @@
## <desc>
## <p>
+## Allow http daemon to send mail
+## </p>
+## </desc>
+gen_tunable(httpd_can_sendmail, false)
+
+## <desc>
+## <p>
## Allow HTTPD scripts and modules to connect to the network using TCP.
## </p>
## </desc>
@@ -87,6 +103,13 @@
## <desc>
## <p>
+## Allow httpd to read user content
+## </p>
+## </desc>
+gen_tunable(httpd_read_user_content, false)
+
+## <desc>
+## <p>
## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
## </p>
## </desc>
@@ -94,6 +117,13 @@
## <desc>
## <p>
+## Allow Apache to execute tmp content.
+## </p>
+## </desc>
+gen_tunable(httpd_tmp_exec, false)
+
+## <desc>
+## <p>
## Unify HTTPD to communicate with the terminal.
## Needed for entering the passphrase for certificates at
## the terminal.
@@ -108,6 +138,29 @@
## </desc>
gen_tunable(httpd_unified, false)
+## <desc>
+## <p>
+## Allow httpd to access nfs file systems
+## </p>
+## </desc>
+gen_tunable(httpd_use_nfs, false)
+
+## <desc>
+## <p>
+## Allow httpd to access cifs file systems
+## </p>
+## </desc>
+gen_tunable(httpd_use_cifs, false)
+
+## <desc>
+## <p>
+## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_httpd_sys_script_anon_write, false)
+
+attribute httpd_ro_content;
+attribute httpd_rw_content;
attribute httpdcontent;
attribute httpd_user_content_type;
@@ -140,6 +193,9 @@
domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
role system_r types httpd_helper_t;
+type httpd_initrc_exec_t;
+init_script_file(httpd_initrc_exec_t)
+
type httpd_lock_t;
files_lock_file(httpd_lock_t)
@@ -180,6 +236,10 @@
# setup the system domain for system CGI scripts
apache_content_template(sys)
+typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable
+typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable
+typeattribute httpd_sys_content_ra_t httpdcontent; # customizable
+
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
@@ -187,28 +247,28 @@
files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
+
ubac_constrained(httpd_user_script_t)
+typeattribute httpd_user_content_t httpdcontent;
+typeattribute httpd_user_content_rw_t httpdcontent;
+typeattribute httpd_user_content_ra_t httpdcontent;
+
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
-userdom_user_home_content(httpd_user_script_ra_t)
-userdom_user_home_content(httpd_user_script_ro_t)
-userdom_user_home_content(httpd_user_script_rw_t)
+userdom_user_home_content(httpd_user_content_ra_t)
+userdom_user_home_content(httpd_user_content_rw_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
-typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
-typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
-typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
-typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
-typealias httpd_user_script_ro_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
-typealias httpd_user_script_ro_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-typealias httpd_user_script_rw_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
-typealias httpd_user_script_rw_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
-typealias httpd_user_script_ra_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
-typealias httpd_user_script_ra_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
+typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t httpd_auditadm_script_t httpd_secadm_script_t };
+typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
+typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
+typealias httpd_user_content_rw_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
+typealias httpd_user_content_ra_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
# for apache2 memory mapped files
type httpd_var_lib_t;
@@ -230,7 +290,7 @@
# Apache server local policy
#
-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
@@ -249,6 +309,7 @@
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+files_var_filetrans(httpd_t, httpd_cache_t, dir)
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
@@ -272,6 +333,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
@@ -283,9 +345,9 @@
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
-allow httpd_t httpd_sys_content_t:dir list_dir_perms;
-read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
-read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+allow httpd_t httpd_ro_content:dir list_dir_perms;
+read_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content)
+read_lnk_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content)
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -301,6 +363,7 @@
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
+setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
@@ -312,16 +375,18 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
+kernel_search_network_sysctl(httpd_t)
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-corenet_tcp_sendrecv_generic_if(httpd_t)
-corenet_udp_sendrecv_generic_if(httpd_t)
-corenet_tcp_sendrecv_generic_node(httpd_t)
-corenet_udp_sendrecv_generic_node(httpd_t)
+corenet_tcp_sendrecv_all_if(httpd_t)
+corenet_udp_sendrecv_all_if(httpd_t)
+corenet_tcp_sendrecv_all_nodes(httpd_t)
+corenet_udp_sendrecv_all_nodes(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
-corenet_tcp_bind_generic_node(httpd_t)
+corenet_tcp_bind_all_nodes(httpd_t)
+corenet_udp_bind_all_nodes(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
@@ -335,15 +400,15 @@
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
+fs_read_iso9660_files(httpd_t)
auth_use_nsswitch(httpd_t)
-# execute perl
-corecmd_exec_bin(httpd_t)
-corecmd_exec_shell(httpd_t)
+application_exec_all(httpd_t)
domain_use_interactive_fds(httpd_t)
+files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
@@ -358,6 +423,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_content_rw_t, { dir file lnk_file sock_file fifo_file })
libs_read_lib_files(httpd_t)
@@ -372,18 +441,33 @@
userdom_use_unpriv_users_fds(httpd_t)
-mta_send_mail(httpd_t)
-
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
')
-ifdef(`TODO', `
#
# We need optionals to be able to be within booleans to make this work
#
+## <desc>
+## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_pam, false)
+
+tunable_policy(`allow_httpd_mod_auth_pam',`
+ auth_domtrans_chkpwd(httpd_t)
+')
+
+## <desc>
+## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+optional_policy(`
tunable_policy(`allow_httpd_mod_auth_pam',`
- auth_domtrans_chk_passwd(httpd_t)
+ samba_domtrans_winbind_helper(httpd_t)
')
')
@@ -391,32 +475,71 @@
corenet_tcp_connect_all_ports(httpd_t)
')
+tunable_policy(`httpd_can_sendmail',`
+ # allow httpd to connect to mail servers
+ corenet_tcp_connect_smtp_port(httpd_t)
+ corenet_sendrecv_smtp_client_packets(httpd_t)
+ corenet_tcp_connect_pop_port(httpd_t)
+ corenet_sendrecv_pop_client_packets(httpd_t)
+ mta_send_mail(httpd_t)
+ mta_signal(httpd_t)
+ mta_send_mail(httpd_sys_script_t)
+')
+
tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
corenet_tcp_connect_ftp_port(httpd_t)
corenet_tcp_connect_http_port(httpd_t)
corenet_tcp_connect_http_cache_port(httpd_t)
+ corenet_tcp_connect_memcache_port(httpd_t)
corenet_sendrecv_gopher_client_packets(httpd_t)
corenet_sendrecv_ftp_client_packets(httpd_t)
corenet_sendrecv_http_client_packets(httpd_t)
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })
+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
+')
+
+tunable_policy(`allow_httpd_sys_script_anon_write',`
+ miscfiles_manage_public_files(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
+ fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+ fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
- domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+ domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t)
+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })
+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
')
-tunable_policy(`httpd_enable_ftp_server',`
- corenet_tcp_bind_ftp_port(httpd_t)
+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
+ can_exec(httpd_t, httpd_tmp_t)
')
-tunable_policy(`httpd_enable_homedirs',`
- userdom_read_user_home_content_files(httpd_t)
+tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
+ can_exec(httpd_sys_script_t, httpd_tmp_t)
+')
+
+tunable_policy(`httpd_enable_ftp_server',`
+ corenet_tcp_bind_ftp_port(httpd_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -424,11 +547,23 @@
fs_read_nfs_symlinks(httpd_t)
')
+tunable_policy(`httpd_use_nfs',`
+ fs_manage_nfs_dirs(httpd_t)
+ fs_manage_nfs_files(httpd_t)
+ fs_manage_nfs_symlinks(httpd_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
')
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
+')
+
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
@@ -451,6 +586,18 @@
')
optional_policy(`
+ cobbler_search_lib(httpd_t)
+')
+
+optional_policy(`
+ ccs_read_config(httpd_t)
+')
+
+optional_policy(`
+ cvs_read_data(httpd_t)
+')
+
+optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
')
@@ -459,8 +606,13 @@
')
optional_policy(`
- kerberos_use(httpd_t)
- kerberos_read_kdc_config(httpd_t)
+ dbus_system_bus_client(httpd_t)
+ tunable_policy(`httpd_dbus_avahi',`
+ avahi_dbus_chat(httpd_t)
+ ')
+')
+optional_policy(`
+ kerberos_keytab_template(httpd, httpd_t)
')
optional_policy(`
@@ -468,22 +620,19 @@
mailman_domtrans_cgi(httpd_t)
# should have separate types for public and private archives
mailman_search_data(httpd_t)
+ mailman_read_data_files(httpd_t)
mailman_read_archive(httpd_t)
')
optional_policy(`
- # Allow httpd to work with mysql
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-
- tunable_policy(`httpd_can_network_connect_db',`
- mysql_tcp_connect(httpd_t)
- ')
+ mysql_read_config(httpd_t)
')
optional_policy(`
nagios_read_config(httpd_t)
- nagios_domtrans_cgi(httpd_t)
+ nagios_read_log(httpd_t)
')
optional_policy(`
@@ -494,12 +643,23 @@
')
optional_policy(`
+ rpc_search_nfs_state_data(httpd_t)
+')
+
+tunable_policy(`httpd_execmem',`
+ allow httpd_t self:process { execmem execstack };
+ allow httpd_sys_script_t self:process { execmem execstack };
+ allow httpd_suexec_t self:process { execmem execstack };
+')
+
+optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_t)
+ postgresql_tcp_connect(httpd_sys_script_t)
')
')
@@ -508,6 +668,7 @@
')
optional_policy(`
+ files_dontaudit_rw_usr_dirs(httpd_t)
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
@@ -535,6 +696,23 @@
userdom_use_user_terminals(httpd_helper_t)
+tunable_policy(`httpd_tty_comm',`
+ userdom_use_user_terminals(httpd_helper_t)
+')
+
+optional_policy(`
+ type httpd_unconfined_script_t;
+ type httpd_unconfined_script_exec_t;
+ domain_type(httpd_unconfined_script_t)
+ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+ unconfined_domain(httpd_unconfined_script_t)
+
+ role system_r types httpd_unconfined_script_t;
+ allow httpd_t httpd_unconfined_script_t:process signal_perms;
+')
+
+
########################################
#
# Apache PHP script local policy
@@ -564,20 +742,25 @@
fs_search_auto_mountpoints(httpd_php_t)
+auth_use_nsswitch(httpd_php_t)
+
libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
-optional_policy(`
- mysql_stream_connect(httpd_php_t)
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_mysqld_port(httpd_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_t)
+ corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_mysqld_port(httpd_suexec_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
')
-optional_policy(`
- nis_use_ypbind(httpd_php_t)
-')
optional_policy(`
- postgresql_stream_connect(httpd_php_t)
+ mysql_stream_connect(httpd_php_t)
+ mysql_read_config(httpd_php_t)
')
########################################
@@ -595,23 +778,24 @@
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
-allow httpd_suexec_t httpd_t:fifo_file getattr;
+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
dev_read_urand(httpd_suexec_t)
+fs_read_iso9660_files(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)
-# for shell scripts
-corecmd_exec_bin(httpd_suexec_t)
-corecmd_exec_shell(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
@@ -624,6 +808,7 @@
logging_send_syslog_msg(httpd_suexec_t)
miscfiles_read_localization(httpd_suexec_t)
+miscfiles_read_public_files(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
@@ -631,22 +816,31 @@
corenet_all_recvfrom_unlabeled(httpd_suexec_t)
corenet_all_recvfrom_netlabel(httpd_suexec_t)
- corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
- corenet_udp_sendrecv_generic_if(httpd_suexec_t)
- corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
- corenet_udp_sendrecv_generic_node(httpd_suexec_t)
+ corenet_tcp_sendrecv_all_if(httpd_suexec_t)
+ corenet_udp_sendrecv_all_if(httpd_suexec_t)
+ corenet_tcp_sendrecv_all_nodes(httpd_suexec_t)
+ corenet_udp_sendrecv_all_nodes(httpd_suexec_t)
corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
corenet_udp_sendrecv_all_ports(httpd_suexec_t)
corenet_tcp_connect_all_ports(httpd_suexec_t)
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_content_rw_t, httpd_user_content_rw_t)
+read_files_pattern(httpd_suexec_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
+
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpdcontent:file entrypoint;
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
')
-
-tunable_policy(`httpd_enable_homedirs',`
- userdom_read_user_home_content_files(httpd_suexec_t)
+tunable_policy(`httpd_enable_cgi',`
+ domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -672,15 +866,14 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
-optional_policy(`
- nagios_domtrans_cgi(httpd_suexec_t)
-')
-
########################################
#
# Apache system script local policy
#
+auth_use_nsswitch(httpd_sys_script_t)
+
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -699,12 +892,24 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
+sysnet_read_config(httpd_sys_script_t)
+
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-tunable_policy(`httpd_enable_homedirs',`
- userdom_read_user_home_content_files(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+
+tunable_policy(`httpd_use_nfs',`
+ fs_manage_nfs_dirs(httpd_sys_script_t)
+ fs_manage_nfs_files(httpd_sys_script_t)
+ fs_manage_nfs_symlinks(httpd_sys_script_t)
+ fs_exec_nfs_files(httpd_sys_script_t)
+
+ fs_manage_nfs_dirs(httpd_suexec_t)
+ fs_manage_nfs_files(httpd_suexec_t)
+ fs_manage_nfs_symlinks(httpd_suexec_t)
+ fs_exec_nfs_files(httpd_suexec_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -712,6 +917,35 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+ corenet_tcp_bind_all_nodes(httpd_sys_script_t)
+ corenet_udp_bind_all_nodes(httpd_sys_script_t)
+ corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
+ corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_if(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_tcp_connect_all_ports(httpd_sys_script_t)
+ corenet_sendrecv_all_client_packets(httpd_sys_script_t)
+')
+
+
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_sys_script_t)
+ fs_manage_cifs_files(httpd_sys_script_t)
+ fs_manage_cifs_symlinks(httpd_sys_script_t)
+ fs_manage_cifs_dirs(httpd_suexec_t)
+ fs_manage_cifs_files(httpd_suexec_t)
+ fs_manage_cifs_symlinks(httpd_suexec_t)
+ fs_exec_cifs_files(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -724,6 +958,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t)
+ mysql_stream_connect(httpd_suexec_t)
+ mysql_rw_db_sockets(httpd_suexec_t)
+ mysql_read_config(httpd_suexec_t)
')
optional_policy(`
@@ -735,6 +973,8 @@
# httpd_rotatelogs local policy
#
+allow httpd_rotatelogs_t self:capability dac_override;
+
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
@@ -754,11 +994,88 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t)
')
# allow accessing files/dirs below the users home dir
tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_t)
- userdom_search_user_home_dirs(httpd_suexec_t)
- userdom_search_user_home_dirs(httpd_user_script_t)
+ userdom_search_user_home_content(httpd_t)
+ userdom_search_user_home_content(httpd_suexec_t)
+ userdom_search_user_home_content(httpd_user_script_t)
+')
+
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_user_script_t)
+ userdom_read_user_home_content_files(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',`
+ userdom_read_user_home_content_files(httpd_t)
+')
+
+#============= bugzilla policy ==============
+apache_content_template(bugzilla)
+
+type httpd_bugzilla_tmp_t;
+files_tmp_file(httpd_bugzilla_tmp_t)
+
+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
+
+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+mta_send_mail(httpd_bugzilla_script_t)
+
+sysnet_read_config(httpd_bugzilla_script_t)
+sysnet_use_ldap(httpd_bugzilla_script_t)
+
+optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
+ mysql_stream_connect(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
')
+
+manage_dirs_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
+manage_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
+manage_lnk_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
+
+manage_dirs_pattern(httpd_t,httpdcontent,httpd_rw_content)
+manage_files_pattern(httpd_t,httpdcontent,httpd_rw_content)
+manage_lnk_files_pattern(httpd_t,httpdcontent,httpd_rw_content)
+
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
+typealias httpd_sys_content_rw_t alias { httpd_fastcgi_content_rw_t httpd_fastcgi_script_rw_t };
+typealias httpd_sys_content_ra_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.7.5/policy/modules/services/apm.te
--- nsaserefpolicy/policy/modules/services/apm.te 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/apm.te 2009-12-21 13:07:09.000000000 -0500
@@ -223,6 +223,10 @@
unconfined_domain(apmd_t)
')
+optional_policy(`
+ vbetool_domtrans(apmd_t)
+')
+
# cjp: related to sleep/resume (?)
optional_policy(`
xserver_domtrans(apmd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.5/policy/modules/services/arpwatch.te
--- nsaserefpolicy/policy/modules/services/arpwatch.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/arpwatch.te 2009-12-21 13:07:09.000000000 -0500
@@ -34,6 +34,7 @@
allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
allow arpwatch_t self:udp_socket create_socket_perms;
allow arpwatch_t self:packet_socket create_socket_perms;
+allow arpwatch_t self:socket create_socket_perms;
manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
@@ -46,6 +47,7 @@
manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
+kernel_read_network_state(arpwatch_t)
kernel_read_kernel_sysctls(arpwatch_t)
kernel_list_proc(arpwatch_t)
kernel_read_proc_symlinks(arpwatch_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.5/policy/modules/services/asterisk.if
--- nsaserefpolicy/policy/modules/services/asterisk.if 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/asterisk.if 2009-12-21 13:07:09.000000000 -0500
@@ -2,27 +2,27 @@
#####################################
## <summary>
-## Connect to asterisk over a unix domain
-## stream socket.
+## Connect to asterisk over a unix domain
+## stream socket.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`asterisk_stream_connect',`
- gen_require(`
- type asterisk_t, asterisk_var_run_t;
- ')
+ gen_require(`
+ type asterisk_t, asterisk_var_run_t;
+ ')
- files_search_pids($1)
- stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
+ files_search_pids($1)
+ stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
')
########################################
## <summary>
-## All of the rules required to administrate
+## All of the rules required to administrate
## an asterisk environment
## </summary>
## <param name="domain">
@@ -71,3 +71,22 @@
files_list_pids($1)
admin_pattern($1, asterisk_var_run_t)
')
+
+
+######################################
+## <summary>
+## Execute asterisk
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`asterisk_exec',`
+ gen_require(`
+ type asterisk_exec_t;
+ ')
+
+ can_exec($1, asterisk_exec_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.5/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/asterisk.te 2009-12-21 13:07:09.000000000 -0500
@@ -34,18 +34,21 @@
type asterisk_var_run_t;
files_pid_file(asterisk_var_run_t)
+permissive asterisk_t;
+
########################################
#
# Local policy
#
# dac_override for /var/run/asterisk
-allow asterisk_t self:capability { dac_override setgid setuid sys_nice };
+allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin };
dontaudit asterisk_t self:capability sys_tty_config;
-allow asterisk_t self:process { setsched signal_perms };
+allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
allow asterisk_t self:fifo_file rw_fifo_file_perms;
allow asterisk_t self:sem create_sem_perms;
allow asterisk_t self:shm create_shm_perms;
+allow asterisk_t self:unix_stream_socket connectto;
allow asterisk_t self:tcp_socket create_stream_socket_perms;
allow asterisk_t self:udp_socket create_socket_perms;
@@ -79,11 +82,15 @@
manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
+can_exec(asterisk_t, asterisk_exec_t)
+
kernel_read_system_state(asterisk_t)
kernel_read_kernel_sysctls(asterisk_t)
+kernel_request_load_module(asterisk_t)
corecmd_exec_bin(asterisk_t)
corecmd_search_bin(asterisk_t)
+corecmd_exec_shell(asterisk_t)
corenet_all_recvfrom_unlabeled(asterisk_t)
corenet_all_recvfrom_netlabel(asterisk_t)
@@ -104,10 +111,12 @@
corenet_udp_bind_generic_port(asterisk_t)
corenet_dontaudit_udp_bind_all_ports(asterisk_t)
corenet_sendrecv_generic_server_packets(asterisk_t)
+corenet_tcp_connect_postgresql_port(asterisk_t)
dev_read_sysfs(asterisk_t)
dev_read_sound(asterisk_t)
dev_write_sound(asterisk_t)
+dev_read_urand(asterisk_t)
domain_use_interactive_fds(asterisk_t)
@@ -120,17 +129,25 @@
fs_getattr_all_fs(asterisk_t)
fs_search_auto_mountpoints(asterisk_t)
+auth_use_nsswitch(asterisk_t)
+
logging_send_syslog_msg(asterisk_t)
miscfiles_read_localization(asterisk_t)
-sysnet_read_config(asterisk_t)
-
userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
userdom_dontaudit_search_user_home_dirs(asterisk_t)
optional_policy(`
- nis_use_ypbind(asterisk_t)
+ mta_send_mail(asterisk_t)
+')
+
+optional_policy(`
+ postfix_domtrans_postdrop(asterisk_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(asterisk_t)
')
optional_policy(`
@@ -138,10 +155,10 @@
')
optional_policy(`
- udev_read_db(asterisk_t)
+ snmp_stream_connect(asterisk_t)
')
-ifdef(`TODO',`
-allow initrc_t asterisk_var_run_t:fifo_file unlink;
-allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms };
+optional_policy(`
+ udev_read_db(asterisk_t)
')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.7.5/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/automount.te 2009-12-21 13:07:09.000000000 -0500
@@ -75,6 +75,7 @@
fs_mount_all_fs(automount_t)
fs_unmount_all_fs(automount_t)
+fs_search_all(automount_t)
corecmd_exec_bin(automount_t)
corecmd_exec_shell(automount_t)
@@ -129,6 +130,7 @@
fs_unmount_autofs(automount_t)
fs_mount_autofs(automount_t)
fs_manage_autofs_symlinks(automount_t)
+fs_read_nfs_files(automount_t)
storage_rw_fuse(automount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.5/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/avahi.te 2009-12-21 13:07:09.000000000 -0500
@@ -24,7 +24,7 @@
# Local policy
#
-allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
+allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot };
dontaudit avahi_t self:capability sys_tty_config;
allow avahi_t self:process { setrlimit signal_perms getcap setcap };
allow avahi_t self:fifo_file rw_fifo_file_perms;
@@ -32,6 +32,7 @@
allow avahi_t self:unix_dgram_socket create_socket_perms;
allow avahi_t self:tcp_socket create_stream_socket_perms;
allow avahi_t self:udp_socket create_socket_perms;
+allow avahi_t self:packet_socket create_socket_perms;
manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
@@ -42,11 +43,13 @@
allow avahi_t avahi_var_run_t:dir setattr;
files_pid_filetrans(avahi_t, avahi_var_run_t, file)
+kernel_read_system_state(avahi_t)
kernel_read_kernel_sysctls(avahi_t)
-kernel_list_proc(avahi_t)
-kernel_read_proc_symlinks(avahi_t)
kernel_read_network_state(avahi_t)
+corecmd_exec_bin(avahi_t)
+corecmd_exec_shell(avahi_t)
+
corenet_all_recvfrom_unlabeled(avahi_t)
corenet_all_recvfrom_netlabel(avahi_t)
corenet_tcp_sendrecv_generic_if(avahi_t)
@@ -85,6 +88,10 @@
miscfiles_read_localization(avahi_t)
miscfiles_read_certs(avahi_t)
+sysnet_domtrans_ifconfig(avahi_t)
+sysnet_manage_config(avahi_t)
+sysnet_etc_filetrans_config(avahi_t)
+
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
userdom_dontaudit_search_user_home_dirs(avahi_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.5/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/bind.if 2009-12-21 13:07:09.000000000 -0500
@@ -235,7 +235,7 @@
########################################
## <summary>
-## Do not audit attempts to set the attributes
+## Allow domain to set the attributes
## of the BIND pid directory.
## </summary>
## <param name="domain">
@@ -254,6 +254,25 @@
########################################
## <summary>
+## Allow domain to set attributes
+## of the BIND zone directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_setattr_zone_dirs',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ allow $1 named_zone_t:dir setattr;
+')
+
+########################################
+## <summary>
## Read BIND zone files.
## </summary>
## <param name="domain">
@@ -287,6 +306,25 @@
########################################
## <summary>
+## Execute bind server in the bind domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+#
+interface(`bind_initrc_domtrans',`
+ gen_require(`
+ type bind_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, bind_initrc_exec_t)
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an bind environment
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.7.5/policy/modules/services/bluetooth.if
--- nsaserefpolicy/policy/modules/services/bluetooth.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/bluetooth.if 2009-12-21 13:07:09.000000000 -0500
@@ -153,6 +153,27 @@
dontaudit $1 bluetooth_helper_t:file { read getattr };
')
+#####################################
+## <summary>
+## Connect to bluetooth over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bluetooth_stream_connect',`
+ gen_require(`
+ type bluetooth_t, bluetooth_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 bluetooth_t:socket rw_socket_perms;
+ stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
+')
+
########################################
## <summary>
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.5/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/bluetooth.te 2009-12-21 13:07:09.000000000 -0500
@@ -54,9 +54,9 @@
# Bluetooth services local policy
#
-allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock };
+allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_tty_config ipc_lock };
dontaudit bluetooth_t self:capability sys_tty_config;
-allow bluetooth_t self:process { getsched signal_perms };
+allow bluetooth_t self:process { getcap setcap getsched signal_perms };
allow bluetooth_t self:fifo_file rw_fifo_file_perms;
allow bluetooth_t self:shm create_shm_perms;
allow bluetooth_t self:socket create_stream_socket_perms;
@@ -64,6 +64,7 @@
allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow bluetooth_t self:tcp_socket create_stream_socket_perms;
allow bluetooth_t self:udp_socket create_socket_perms;
+allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
@@ -94,6 +95,8 @@
kernel_read_kernel_sysctls(bluetooth_t)
kernel_read_system_state(bluetooth_t)
kernel_read_network_state(bluetooth_t)
+kernel_request_load_module(bluetooth_t)
+kernel_search_debugfs(bluetooth_t)
corenet_all_recvfrom_unlabeled(bluetooth_t)
corenet_all_recvfrom_netlabel(bluetooth_t)
@@ -111,6 +114,7 @@
dev_rw_generic_usb_dev(bluetooth_t)
dev_read_urand(bluetooth_t)
dev_rw_input_dev(bluetooth_t)
+dev_rw_wireless(bluetooth_t)
fs_getattr_all_fs(bluetooth_t)
fs_search_auto_mountpoints(bluetooth_t)
@@ -154,6 +158,10 @@
')
optional_policy(`
+ networkmanager_dbus_chat(bluetooth_t)
+ ')
+
+ optional_policy(`
pulseaudio_dbus_chat(bluetooth_t)
')
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-3.7.5/policy/modules/services/ccs.fc
--- nsaserefpolicy/policy/modules/services/ccs.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/ccs.fc 2009-12-21 13:07:09.000000000 -0500
@@ -2,9 +2,5 @@
/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
-/usr/sbin/aisexec -- gen_context(system_u:object_r:ccs_exec_t,s0)
-
-/var/lib/openais(/.*)? gen_context(system_u:object_r:ccs_var_lib_t,s0)
-
-/var/run/cluster(/.*)? gen_context(system_u:object_r:ccs_var_run_t,s0)
-/var/run/cman_.* -s gen_context(system_u:object_r:ccs_var_run_t,s0)
+/var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0)
+/var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.5/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/ccs.te 2009-12-21 13:07:09.000000000 -0500
@@ -10,23 +10,21 @@
type ccs_exec_t;
init_daemon_domain(ccs_t, ccs_exec_t)
-# conf files
type cluster_conf_t;
files_type(cluster_conf_t)
-# tmp files
type ccs_tmp_t;
files_tmp_file(ccs_tmp_t)
-# log files
-type ccs_var_log_t;
-logging_log_file(ccs_var_log_t)
+type ccs_tmpfs_t;
+files_tmpfs_file(ccs_tmpfs_t)
-# var lib files
type ccs_var_lib_t;
logging_log_file(ccs_var_lib_t)
-# pid files
+type ccs_var_log_t;
+logging_log_file(ccs_var_log_t)
+
type ccs_var_run_t;
files_pid_file(ccs_var_run_t)
@@ -35,7 +33,7 @@
# ccs local policy
#
-allow ccs_t self:capability { ipc_lock sys_nice sys_resource sys_admin };
+allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
allow ccs_t self:process { signal setrlimit setsched };
dontaudit ccs_t self:process ptrace;
allow ccs_t self:fifo_file rw_fifo_file_perms;
@@ -55,23 +53,29 @@
manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir })
-# log files
-manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
-manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
-allow ccs_t ccs_var_log_t:dir setattr;
-logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
+manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
+manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
+fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t,{ dir file })
# var lib files
manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
+# log files
+manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+allow ccs_t ccs_var_log_t:dir setattr;
+logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
+
# pid file
manage_dirs_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
files_pid_filetrans(ccs_t, ccs_var_run_t, { dir file sock_file })
+aisexec_stream_connect(ccs_t)
+
kernel_read_kernel_sysctls(ccs_t)
corecmd_list_bin(ccs_t)
@@ -104,6 +108,9 @@
sysnet_dns_name_resolve(ccs_t)
+userdom_manage_unpriv_user_shared_mem(ccs_t)
+userdom_manage_unpriv_user_semaphores(ccs_t)
+
ifdef(`hide_broken_symptoms', `
corecmd_dontaudit_write_bin_dirs(ccs_t)
files_manage_isid_type_files(ccs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.7.5/policy/modules/services/certmaster.fc
--- nsaserefpolicy/policy/modules/services/certmaster.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/certmaster.fc 2009-12-21 13:07:09.000000000 -0500
@@ -3,5 +3,6 @@
/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
+/var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0)
/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.5/policy/modules/services/certmonger.fc
--- nsaserefpolicy/policy/modules/services/certmonger.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/certmonger.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
+
+/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
+
+/var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0)
+/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.5/policy/modules/services/certmonger.if
--- nsaserefpolicy/policy/modules/services/certmonger.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/certmonger.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,217 @@
+
+## <summary>Certificate status monitor and PKI enrollment client</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run certmonger.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`certmonger_domtrans',`
+ gen_require(`
+ type certmonger_t, certmonger_exec_t;
+ ')
+
+ domtrans_pattern($1, certmonger_exec_t, certmonger_t)
+')
+
+
+########################################
+## <summary>
+## Execute certmonger server in the certmonger domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`certmonger_initrc_domtrans',`
+ gen_require(`
+ type certmonger_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, certmonger_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read certmonger PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_read_pid_files',`
+ gen_require(`
+ type certmonger_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 certmonger_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage certmonger var_run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_manage_var_run',`
+ gen_require(`
+ type certmonger_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, certmonger_var_run_t, certmonger_var_run_t)
+ manage_files_pattern($1, certmonger_var_run_t, certmonger_var_run_t)
+ manage_lnk_files_pattern($1, certmonger_var_run_t, certmonger_var_run_t)
+')
+
+
+########################################
+## <summary>
+## Search certmonger lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_search_lib',`
+ gen_require(`
+ type certmonger_var_lib_t;
+ ')
+
+ allow $1 certmonger_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read certmonger lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_read_lib_files',`
+ gen_require(`
+ type certmonger_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## certmonger lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_manage_lib_files',`
+ gen_require(`
+ type certmonger_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage certmonger var_lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_manage_var_lib',`
+ gen_require(`
+ type certmonger_var_lib_t;
+ ')
+
+ manage_dirs_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
+ manage_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
+ manage_lnk_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## Send and receive messages from
+## certmonger over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`certmonger_dbus_chat',`
+ gen_require(`
+ type certmonger_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 certmonger_t:dbus send_msg;
+ allow certmonger_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an certmonger environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`certmonger_admin',`
+ gen_require(`
+ type certmonger_t, certmonger_initrc_exec_t;
+ ')
+
+ allow $1 certmonger_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, certmonger_t, certmonger_t)
+
+ # Allow certmonger_t to restart the apache service
+ certmonger_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 certmonger_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, cermonger_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, cermonger_var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.5/policy/modules/services/certmonger.te
--- nsaserefpolicy/policy/modules/services/certmonger.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/certmonger.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,74 @@
+policy_module(certmonger,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type certmonger_t;
+type certmonger_exec_t;
+init_daemon_domain(certmonger_t, certmonger_exec_t)
+
+permissive certmonger_t;
+
+type certmonger_initrc_exec_t;
+init_script_file(certmonger_initrc_exec_t)
+
+type certmonger_var_run_t;
+files_pid_file(certmonger_var_run_t)
+
+type certmonger_var_lib_t;
+files_type(certmonger_var_lib_t)
+
+########################################
+#
+# certmonger local policy
+#
+
+allow certmonger_t self:capability { kill sys_nice };
+allow certmonger_t self:process { fork getsched setsched sigkill };
+allow certmonger_t self:fifo_file rw_file_perms;
+allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
+allow certmonger_t self:tcp_socket create_stream_socket_perms;
+allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir })
+
+manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
+manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
+files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } )
+
+domain_use_interactive_fds(certmonger_t)
+
+corenet_tcp_sendrecv_generic_if(certmonger_t)
+corenet_tcp_sendrecv_generic_node(certmonger_t)
+corenet_tcp_sendrecv_all_ports(certmonger_t)
+corenet_tcp_connect_certmaster_port(certmonger_t)
+
+dev_read_urand(certmonger_t)
+
+files_read_etc_files(certmonger_t)
+files_read_usr_files(certmonger_t)
+files_list_tmp(certmonger_t)
+
+miscfiles_read_localization(certmonger_t)
+miscfiles_manage_cert_files(certmonger_t)
+
+logging_send_syslog_msg(certmonger_t)
+
+sysnet_dns_name_resolve(certmonger_t)
+
+optional_policy(`
+ dbus_system_bus_client(certmonger_t)
+ dbus_connect_system_bus(certmonger_t)
+')
+
+optional_policy(`
+ kerberos_use(certmonger_t)
+')
+
+optional_policy(`
+ unconfined_dbus_send(certmonger_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.5/policy/modules/services/cgroup.fc
--- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/cgroup.fc 2009-12-22 11:06:28.000000000 -0500
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0)
+/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t, s0)
+
+/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t, s0)
+/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t, s0)
+
+/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.5/policy/modules/services/cgroup.if
--- nsaserefpolicy/policy/modules/services/cgroup.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/cgroup.if 2009-12-22 11:07:12.000000000 -0500
@@ -0,0 +1,52 @@
+## <summary>Control group rules engine daemon.</summary>
+## <desc>
+## <p>
+## cgrulesengd is a daemon, which distributes processes
+## to control groups. When any process changes its
+## effective UID or GID, cgred inspects list of
+## rules loaded from cgrules.conf file and moves the
+## process to the appropriate control group.
+## </p>
+## <p>
+## The list of rules is read during the daemon startup and
+## are cached in daemons memory. The daemon reloads the
+## list of rules when it receives SIGUSR2 signal.
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Read and write cgred sock file in /var/run.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_cgred_rw_pid_sock_file', `
+ gen_require(`
+ type cgred_var_run_t;
+ ')
+
+ rw_sock_files_pattern($1, cgred_var_run_t, cgred_var_run_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Unix stream socket connect to cgred.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_cgred_stream_connect', `
+ gen_require(`
+ type cgred_t;
+ ')
+
+ allow $1 cgred_t:unix_stream_socket connectto;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.5/policy/modules/services/cgroup.te
--- nsaserefpolicy/policy/modules/services/cgroup.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/cgroup.te 2009-12-22 11:05:59.000000000 -0500
@@ -0,0 +1,88 @@
+policy_module(cgroup, 1.0.0)
+
+########################################
+#
+# cgred personal declarations.
+#
+
+type cgred_t;
+type cgred_exec_t;
+init_daemon_domain(cgred_t, cgred_exec_t)
+
+type cgred_initrc_exec_t;
+init_script_file(cgred_initrc_exec_t)
+
+type cgred_var_run_t;
+files_pid_file(cgred_var_run_t)
+
+permissive cgred_t;
+
+########################################
+#
+# cgconfig personal declarations.
+#
+
+type cgconfigparser_t;
+type cgconfigparser_exec_t;
+init_daemon_domain(cgconfigparser_t, cgconfigparser_exec_t)
+
+type cgconfig_initrc_exec_t;
+init_script_file(cgconfig_initrc_exec_t)
+
+permissive cgconfigparser_t;
+
+########################################
+#
+# cgred personal policy.
+#
+
+allow cgred_t self:capability { net_admin sys_ptrace dac_override };
+allow cgred_t self:netlink_socket { write bind create read };
+allow cgred_t self:unix_dgram_socket { write create connect };
+
+manage_sock_files_pattern(cgred_t, cgred_var_run_t,
+cgred_var_run_t)
+files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
+
+domain_read_all_domains_state(cgred_t)
+
+files_read_etc_files(cgred_t)
+
+files_search_all(cgred_t)
+files_getattr_all_files(cgred_t)
+files_getattr_all_dirs(cgred_t)
+files_getattr_all_sockets(cgred_t)
+files_getattr_all_pipes(cgred_t)
+files_getattr_all_symlinks(cgred_t)
+# read all link files.
+
+kernel_read_system_state(cgred_t)
+
+logging_send_syslog_msg(cgred_t)
+
+miscfiles_read_localization(cgred_t)
+
+optional_policy(`
+ fs_write_cgroup_files(cgred_t)
+')
+
+########################################
+#
+# cgconfig personal policy.
+#
+
+optional_policy(`
+ fs_manage_cgroup_dirs(cgconfigparser_t)
+ fs_rw_cgroup_files(cgconfigparser_t)
+ fs_setattr_cgroup_files(cgconfigparser_t)
+ fs_mount_cgroup_fs(cgconfigparser_t)
+')
+
+files_mounton_mnt(cgconfigparser_t)
+files_manage_mnt_dirs(cgconfigparser_t)
+
+files_read_etc_files(cgconfigparser_t)
+
+# /mnt/cgroups/cpu
+kernel_list_unlabeled(cgconfigparser_t)
+kernel_read_system_state(cgconfigparser_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.5/policy/modules/services/chronyd.fc
--- nsaserefpolicy/policy/modules/services/chronyd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/chronyd.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,11 @@
+
+/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+
+/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+
+/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
+
+/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
+
+/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.5/policy/modules/services/chronyd.if
--- nsaserefpolicy/policy/modules/services/chronyd.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/chronyd.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,105 @@
+## <summary>chrony background daemon</summary>
+
+#####################################
+## <summary>
+## Execute chronyd in the chronyd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`chronyd_domtrans',`
+ gen_require(`
+ type chronyd_t, chronyd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chronyd_exec_t, chronyd_t)
+')
+
+####################################
+## <summary>
+## Execute chronyd
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`chronyd_exec',`
+ gen_require(`
+ type chronyd_exec_t;
+ ')
+
+ can_exec($1, chronyd_exec_t)
+')
+
+#####################################
+## <summary>
+## Read chronyd logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_read_log',`
+ gen_require(`
+ type chronyd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
+')
+
+####################################
+## <summary>
+## All of the rules required to administrate
+## an chronyd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the chronyd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`chronyd_admin',`
+ gen_require(`
+ type chronyd_t, chronyd_var_log_t;
+ type chronyd_var_run_t, chronyd_var_lib_t;
+ type chronyd_initrc_exec_t;
+ ')
+
+ allow $1 chronyd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, chronyd_t)
+
+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 chronyd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, chronyd_var_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, chronyd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, chronyd_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, chronyd_tmp_t)
+
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.5/policy/modules/services/chronyd.te
--- nsaserefpolicy/policy/modules/services/chronyd.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/chronyd.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,67 @@
+policy_module(chronyd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type chronyd_t;
+type chronyd_exec_t;
+init_daemon_domain(chronyd_t, chronyd_exec_t)
+
+type chronyd_initrc_exec_t;
+init_script_file(chronyd_initrc_exec_t)
+
+# var/lib files
+type chronyd_var_lib_t;
+files_type(chronyd_var_lib_t)
+
+# log files
+type chronyd_var_log_t;
+logging_log_file(chronyd_var_log_t)
+
+# pid files
+type chronyd_var_run_t;
+files_pid_file(chronyd_var_run_t)
+
+
+########################################
+#
+# chronyd local policy
+#
+
+allow chronyd_t self:capability { setuid setgid sys_time };
+allow chronyd_t self:process { getcap setcap };
+
+allow chronyd_t self:udp_socket create_socket_perms;
+allow chronyd_t self:unix_dgram_socket create_socket_perms;
+
+# chronyd var/lib files
+manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+files_var_lib_filetrans(chronyd_t,chronyd_var_lib_t, { file dir })
+
+# chronyd log files
+manage_files_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t)
+manage_dirs_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t)
+logging_log_filetrans(chronyd_t, chronyd_var_log_t,{ file dir })
+
+# chronyd pid files
+manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+files_pid_filetrans(chronyd_t,chronyd_var_run_t, { file })
+
+corenet_udp_bind_ntp_port(chronyd_t)
+# bind to udp/323
+corenet_udp_bind_chronyd_port(chronyd_t)
+
+# real time clock option
+dev_rw_realtime_clock(chronyd_t)
+
+auth_use_nsswitch(chronyd_t)
+
+logging_send_syslog_msg(chronyd_t)
+
+miscfiles_read_localization(chronyd_t)
+
+permissive chronyd_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.5/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/clamav.te 2009-12-21 13:07:09.000000000 -0500
@@ -57,6 +57,7 @@
#
allow clamd_t self:capability { kill setgid setuid dac_override };
+dontaudit clamd_t self:capability sys_tty_config;
allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow clamd_t self:unix_dgram_socket create_socket_perms;
@@ -117,9 +118,9 @@
logging_send_syslog_msg(clamd_t)
-miscfiles_read_localization(clamd_t)
+auth_use_nsswitch(clamd_t)
-sysnet_dns_name_resolve(clamd_t)
+miscfiles_read_localization(clamd_t)
cron_use_fds(clamd_t)
cron_use_system_job_fds(clamd_t)
@@ -187,15 +188,15 @@
files_read_etc_files(freshclam_t)
files_read_etc_runtime_files(freshclam_t)
-miscfiles_read_localization(freshclam_t)
+auth_use_nsswitch(freshclam_t)
+
+logging_send_syslog_msg(freshclam_t)
-sysnet_dns_name_resolve(freshclam_t)
+miscfiles_read_localization(freshclam_t)
clamav_stream_connect(freshclam_t)
-cron_use_fds(freshclam_t)
-cron_use_system_job_fds(freshclam_t)
-cron_rw_pipes(freshclam_t)
+cron_system_entry(freshclam_t, freshclam_exec_t)
########################################
#
@@ -247,5 +248,9 @@
mta_send_mail(clamscan_t)
optional_policy(`
+ amavis_read_spool_files(clamscan_t)
+')
+
+optional_policy(`
apache_read_sys_content(clamscan_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.5/policy/modules/services/clogd.fc
--- nsaserefpolicy/policy/modules/services/clogd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/clogd.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0)
+
+/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.5/policy/modules/services/clogd.if
--- nsaserefpolicy/policy/modules/services/clogd.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/clogd.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,98 @@
+## <summary>clogd - clustered mirror log server</summary>
+
+######################################
+## <summary>
+## Execute a domain transition to run clogd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clogd_domtrans',`
+ gen_require(`
+ type clogd_t, clogd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1,clogd_exec_t,clogd_t)
+
+')
+
+#####################################
+## <summary>
+## Connect to clogd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clogd_stream_connect',`
+ gen_require(`
+ type clogd_t, clogd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, clogd_var_run_t, clogd_var_run_t, clogd_t)
+')
+
+#####################################
+## <summary>
+## Manage clogd tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`clogd_manage_tmpfs_files',`
+ gen_require(`
+ type clogd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
+ manage_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
+')
+
+#####################################
+## <summary>
+## Allow read and write access to clogd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clogd_rw_semaphores',`
+ gen_require(`
+ type clogd_t;
+ ')
+
+ allow $1 clogd_t:sem { rw_sem_perms destroy };
+')
+
+########################################
+## <summary>
+## Read and write to group shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`clogd_rw_shm',`
+ gen_require(`
+ type clogd_t;
+ ')
+
+ allow $1 clogd_t:shm { rw_shm_perms destroy };
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.5/policy/modules/services/clogd.te
--- nsaserefpolicy/policy/modules/services/clogd.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/clogd.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,62 @@
+
+policy_module(clogd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type clogd_t;
+type clogd_exec_t;
+init_daemon_domain(clogd_t, clogd_exec_t)
+
+type clogd_tmpfs_t;
+files_tmpfs_file(clogd_tmpfs_t)
+
+# pid files
+type clogd_var_run_t;
+files_pid_file(clogd_var_run_t)
+
+permissive clogd_t;
+
+########################################
+#
+# clogd local policy
+#
+
+allow clogd_t self:capability { net_admin mknod };
+allow clogd_t self:process { signal };
+
+allow clogd_t self:sem create_sem_perms;
+allow clogd_t self:shm create_shm_perms;
+allow clogd_t self:netlink_socket create_socket_perms;
+allow clogd_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t)
+manage_files_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t)
+fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t,{ dir file })
+
+# pid files
+manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
+manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
+files_pid_filetrans(clogd_t,clogd_var_run_t, { file })
+
+aisexec_stream_connect(clogd_t)
+
+dev_manage_generic_blk_files(clogd_t)
+
+storage_raw_read_fixed_disk(clogd_t)
+storage_raw_write_fixed_disk(clogd_t)
+
+libs_use_ld_so(clogd_t)
+libs_use_shared_libs(clogd_t)
+
+logging_send_syslog_msg(clogd_t)
+
+miscfiles_read_localization(clogd_t)
+
+optional_policy(`
+ dev_read_lvm_control(clogd_t)
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.7.5/policy/modules/services/cobbler.fc
--- nsaserefpolicy/policy/modules/services/cobbler.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/cobbler.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,2 @@
+
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.5/policy/modules/services/cobbler.if
--- nsaserefpolicy/policy/modules/services/cobbler.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/cobbler.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,44 @@
+## <summary>
+## Cobbler var_lib_t
+## </summary>
+
+########################################
+## <summary>
+## Read cobbler lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_read_lib_files',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ allow $1 cobbler_var_lib_t:dir list_dir_perms;
+ files_search_var_lib($1)
+')
+
+
+########################################
+## <summary>
+## Read cobbler lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_search_lib',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ allow $1 cobbler_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.5/policy/modules/services/cobbler.te
--- nsaserefpolicy/policy/modules/services/cobbler.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/cobbler.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,5 @@
+
+policy_module(cobbler, 1.10.0)
+
+type cobbler_var_lib_t;
+files_type(cobbler_var_lib_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.5/policy/modules/services/consolekit.fc
--- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/consolekit.fc 2009-12-21 13:07:09.000000000 -0500
@@ -2,4 +2,5 @@
/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
-/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+
+/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.5/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/consolekit.if 2009-12-21 13:07:09.000000000 -0500
@@ -57,3 +57,42 @@
read_files_pattern($1, consolekit_log_t, consolekit_log_t)
files_search_pids($1)
')
+
+########################################
+## <summary>
+## Manage consolekit log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_manage_log',`
+ gen_require(`
+ type consolekit_log_t;
+ ')
+
+ manage_files_pattern($1, consolekit_log_t, consolekit_log_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Read consolekit PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_read_pid_files',`
+ gen_require(`
+ type consolekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.5/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/consolekit.te 2009-12-21 13:07:09.000000000 -0500
@@ -21,7 +21,7 @@
# consolekit local policy
#
-allow consolekit_t self:capability { setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
allow consolekit_t self:process { getsched signal };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
@@ -59,16 +59,21 @@
term_use_all_terms(consolekit_t)
auth_use_nsswitch(consolekit_t)
+auth_manage_pam_console_data(consolekit_t)
init_telinit(consolekit_t)
init_rw_utmp(consolekit_t)
+init_chat(consolekit_t)
logging_send_syslog_msg(consolekit_t)
logging_send_audit_msgs(consolekit_t)
miscfiles_read_localization(consolekit_t)
+# consolekit needs to be able to ptrace all logged in users
+userdom_ptrace_all_users(consolekit_t)
userdom_dontaudit_read_user_home_content_files(consolekit_t)
+userdom_dontaudit_getattr_admin_home_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)
hal_ptrace(consolekit_t)
@@ -84,9 +89,12 @@
')
optional_policy(`
- dbus_system_domain(consolekit_t, consolekit_exec_t)
+ cron_read_system_job_lib_files(consolekit_t)
+')
optional_policy(`
+ dbus_system_domain(consolekit_t, consolekit_exec_t)
+ optional_policy(`
hal_dbus_chat(consolekit_t)
')
@@ -100,6 +108,7 @@
')
optional_policy(`
+ policykit_dbus_chat(consolekit_t)
policykit_domtrans_auth(consolekit_t)
policykit_read_lib(consolekit_t)
policykit_read_reload(consolekit_t)
@@ -109,9 +118,18 @@
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
corenet_tcp_connect_xserver_port(consolekit_t)
+ xserver_stream_connect(consolekit_t)
+')
+
+optional_policy(`
+ udev_domtrans(consolekit_t)
+ udev_read_db(consolekit_t)
+ udev_signal(consolekit_t)
')
optional_policy(`
#reading .Xauthity
+ unconfined_ptrace(consolekit_t)
unconfined_stream_connect(consolekit_t)
')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.5/policy/modules/services/corosync.fc
--- nsaserefpolicy/policy/modules/services/corosync.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/corosync.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,13 @@
+
+/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+
+/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
+
+/var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0)
+
+/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.5/policy/modules/services/corosync.if
--- nsaserefpolicy/policy/modules/services/corosync.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/corosync.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,108 @@
+## <summary>SELinux policy for Corosync Cluster Engine</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run corosync.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`corosync_domtrans',`
+ gen_require(`
+ type corosync_t, corosync_exec_t;
+ ')
+
+ domtrans_pattern($1, corosync_exec_t, corosync_t)
+')
+
+#####################################
+## <summary>
+## Connect to corosync over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corosync_stream_connect',`
+ gen_require(`
+ type corosync_t, corosync_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to read corosync's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corosync_read_log',`
+ gen_require(`
+ type corosync_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ list_dirs_pattern($1, corosync_var_log_t, corosync_var_log_t)
+ read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
+')
+
+######################################
+## <summary>
+## All of the rules required to administrate
+## an corosync environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the corosyncd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`corosyncd_admin',`
+ gen_require(`
+ type corosync_t, corosync_var_lib_t, corosync_var_log_t;
+ type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
+ type corosync_initrc_exec_t;
+ ')
+
+ allow $1 corosync_t:process { ptrace signal_perms };
+ ps_process_pattern($1, corosync_t)
+
+ init_labeled_script_domtrans($1, corosync_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 corosync_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, corosync_var_lib_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, corosync_var_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, corosync_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, corosync_tmp_t)
+
+ admin_pattern($1, corosync_tmpfs_t)
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.5/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/corosync.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,110 @@
+
+policy_module(corosync,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type corosync_t;
+type corosync_exec_t;
+init_daemon_domain(corosync_t, corosync_exec_t)
+
+type corosync_initrc_exec_t;
+init_script_file(corosync_initrc_exec_t);
+
+# tmp files
+type corosync_tmp_t;
+files_tmp_file(corosync_tmp_t)
+
+type corosync_tmpfs_t;
+files_tmpfs_file(corosync_tmpfs_t)
+
+# log files
+type corosync_var_log_t;
+logging_log_file(corosync_var_log_t)
+
+# var/lib files
+type corosync_var_lib_t;
+files_type(corosync_var_lib_t)
+
+# pid files
+type corosync_var_run_t;
+files_pid_file(corosync_var_run_t)
+
+########################################
+#
+# corosync local policy
+#
+
+allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
+allow corosync_t self:process { setrlimit setsched signal };
+
+allow corosync_t self:fifo_file rw_fifo_file_perms;
+allow corosync_t self:sem create_sem_perms;
+allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow corosync_t self:unix_dgram_socket create_socket_perms;
+allow corosync_t self:udp_socket create_socket_perms;
+
+# tmp files
+manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
+
+manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
+manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
+fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t,{ dir file })
+
+# var/lib files
+manage_files_pattern(corosync_t, corosync_var_lib_t,corosync_var_lib_t)
+manage_dirs_pattern(corosync_t, corosync_var_lib_t,corosync_var_lib_t)
+manage_sock_files_pattern(corosync_t, corosync_var_lib_t,corosync_var_lib_t)
+files_var_lib_filetrans(corosync_t,corosync_var_lib_t, { file dir sock_file })
+
+# log files
+manage_files_pattern(corosync_t, corosync_var_log_t,corosync_var_log_t)
+manage_sock_files_pattern(corosync_t, corosync_var_log_t,corosync_var_log_t)
+logging_log_filetrans(corosync_t,corosync_var_log_t,{ sock_file file })
+
+# pid file
+manage_files_pattern(corosync_t, corosync_var_run_t,corosync_var_run_t)
+manage_sock_files_pattern(corosync_t, corosync_var_run_t,corosync_var_run_t)
+files_pid_filetrans(corosync_t,corosync_var_run_t, { file sock_file })
+
+kernel_read_system_state(corosync_t)
+
+corenet_udp_bind_netsupport_port(corosync_t)
+
+corecmd_exec_bin(corosync_t)
+
+dev_read_urand(corosync_t)
+
+files_manage_mounttab(corosync_t)
+
+auth_use_nsswitch(corosync_t)
+
+miscfiles_read_localization(corosync_t)
+
+init_read_script_state(corosync_t)
+init_rw_script_tmp_files(corosync_t)
+
+logging_send_syslog_msg(corosync_t)
+
+userdom_rw_user_tmpfs_files(corosync_t)
+
+# to communication with RHCS
+dlm_controld_manage_tmpfs_files(corosync_t)
+dlm_controld_rw_semaphores(corosync_t)
+
+fenced_manage_tmpfs_files(corosync_t)
+fenced_rw_semaphores(corosync_t)
+
+gfs_controld_manage_tmpfs_files(corosync_t)
+gfs_controld_rw_semaphores(corosync_t)
+
+optional_policy(`
+ ccs_read_config(corosync_t)
+')
+
+permissive corosync_t;
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.7.5/policy/modules/services/courier.if
--- nsaserefpolicy/policy/modules/services/courier.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/courier.if 2009-12-21 13:07:09.000000000 -0500
@@ -179,6 +179,24 @@
########################################
## <summary>
+## Read courier spool files.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_read_spool',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ read_files_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+## <summary>
## Read and write to courier spool pipes.
## </summary>
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.7.5/policy/modules/services/courier.te
--- nsaserefpolicy/policy/modules/services/courier.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/courier.te 2009-12-21 13:07:09.000000000 -0500
@@ -10,6 +10,7 @@
type courier_etc_t;
files_config_file(courier_etc_t)
+mta_system_content(courier_etc_t)
courier_domain_template(pcp)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.5/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/cron.fc 2009-12-21 13:07:09.000000000 -0500
@@ -14,7 +14,7 @@
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -45,3 +45,7 @@
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.5/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/cron.if 2009-12-21 13:07:09.000000000 -0500
@@ -12,6 +12,10 @@
## </param>
#
template(`cron_common_crontab_template',`
+ gen_require(`
+ type crond_t, crond_var_run_t;
+ ')
+
##############################
#
# Declarations
@@ -34,6 +38,9 @@
allow $1_t self:process { setsched signal_perms };
allow $1_t self:fifo_file rw_fifo_file_perms;
+ allow $1_t crond_t:process signal;
+ allow $1_t crond_var_run_t:file read_file_perms;
+
allow $1_t $1_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_t, $1_tmp_t, file)
@@ -62,6 +69,7 @@
logging_send_syslog_msg($1_t)
logging_send_audit_msgs($1_t)
+ logging_set_loginuid($1_t)
init_dontaudit_write_utmp($1_t)
init_read_utmp($1_t)
@@ -154,27 +162,14 @@
#
interface(`cron_unconfined_role',`
gen_require(`
- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
+ type unconfined_cronjob_t;
')
- role $1 types { unconfined_cronjob_t crontab_t };
+ role $1 types unconfined_cronjob_t;
# cronjob shows up in user ps
ps_process_pattern($2, unconfined_cronjob_t)
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, crontab_exec_t, crontab_t)
-
- # crontab shows up in user ps
- ps_process_pattern($2, crontab_t)
- allow $2 crontab_t:process signal;
-
- # Run helper programs as the user domain
- #corecmd_bin_domtrans(crontab_t, $2)
- #corecmd_shell_domtrans(crontab_t, $2)
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
-
optional_policy(`
gen_require(`
class dbus send_msg;
@@ -263,6 +258,7 @@
domtrans_pattern(system_cronjob_t, $2, $1)
domtrans_pattern(crond_t, $2, $1)
+ userdom_dontaudit_list_admin_dir($1)
role system_r types $1;
')
@@ -408,7 +404,7 @@
type crond_t;
')
- allow $1 crond_t:fifo_file { getattr read write };
+ allow $1 crond_t:fifo_file rw_fifo_file_perms;
')
########################################
@@ -587,11 +583,14 @@
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
- type system_cronjob_tmp_t;
+ type system_cronjob_tmp_t, cron_var_run_t;
')
files_search_tmp($1)
allow $1 system_cronjob_tmp_t:file read_file_perms;
+
+ files_search_pids($1)
+ allow $1 cron_var_run_t:file read_file_perms;
')
########################################
@@ -627,7 +626,48 @@
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
+ type cron_var_run_t;
+ type system_cronjob_var_run_t;
')
dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+ dontaudit $1 cron_var_run_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Read temporary files from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_read_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+
+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage files from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.5/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/cron.te 2009-12-21 13:07:09.000000000 -0500
@@ -38,6 +38,7 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
+# var/lib files
type cron_var_run_t;
files_type(cron_var_run_t)
@@ -64,6 +65,8 @@
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
+files_poly_parent(crond_tmp_t)
+mta_system_content(crond_tmp_t)
type crond_var_run_t;
files_pid_file(crond_var_run_t)
@@ -80,6 +83,7 @@
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+allow admin_crontab_t crond_t:process signal;
type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t)
@@ -88,6 +92,7 @@
init_daemon_domain(system_cronjob_t, anacron_exec_t)
corecmd_shell_entry_type(system_cronjob_t)
role system_r types system_cronjob_t;
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
@@ -110,6 +115,13 @@
files_type(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
+type system_cronjob_var_lib_t;
+files_type(system_cronjob_var_lib_t)
+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
+
+type system_cronjob_var_run_t;
+files_pid_file(system_cronjob_var_run_t)
+
########################################
#
# Admin crontab local policy
@@ -139,7 +151,7 @@
allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
-allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
@@ -194,6 +206,8 @@
corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
+domain_subj_id_change_exemption(crond_t)
+domain_role_change_exemption(crond_t)
files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
@@ -209,7 +223,9 @@
auth_use_nsswitch(crond_t)
+logging_send_audit_msgs(crond_t)
logging_send_syslog_msg(crond_t)
+logging_set_loginuid(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
@@ -220,8 +236,10 @@
userdom_use_unpriv_users_fds(crond_t)
# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
+userdom_create_all_users_keys(crond_t)
mta_send_mail(crond_t)
+mta_system_content(cron_spool_t)
ifdef(`distro_debian',`
# pam_limits is used
@@ -241,8 +259,12 @@
')
')
-tunable_policy(`fcron_crond', `
- allow crond_t system_cron_spool_t:file manage_file_perms;
+tunable_policy(`allow_polyinstantiation',`
+ files_polyinstantiate_all(crond_t)
+')
+
+optional_policy(`
+ apache_search_sys_content(crond_t)
')
optional_policy(`
@@ -251,6 +273,20 @@
')
optional_policy(`
+ # these should probably be unconfined_crond_t
+ dbus_system_bus_client(crond_t)
+ init_dbus_send_script(crond_t)
+')
+
+optional_policy(`
+ mono_domtrans(crond_t)
+')
+
+tunable_policy(`fcron_crond', `
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+')
+
+optional_policy(`
amanda_search_var_lib(crond_t)
')
@@ -260,6 +296,8 @@
optional_policy(`
hal_dbus_chat(crond_t)
+ hal_write_log(crond_t)
+ hal_dbus_chat(system_cronjob_t)
')
optional_policy(`
@@ -302,10 +340,17 @@
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
-allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
+allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabelfrom relabelto };
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
+allow system_cronjob_t cron_var_run_t:file manage_file_perms;
+files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
+
allow system_cronjob_t system_cron_spool_t:file read_file_perms;
+
+# anacron forces the following
+manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
+
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
@@ -325,6 +370,7 @@
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
+allow crond_t system_cronjob_t:key manage_key_perms;
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
@@ -336,9 +382,13 @@
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+# var/lib files for system_crond
+files_search_var_lib(system_cronjob_t)
+manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+
# Read from /var/spool/cron.
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
-allow system_cronjob_t cron_spool_t:file read_file_perms;
+allow system_cronjob_t cron_spool_t:file rw_file_perms;
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
@@ -361,6 +411,7 @@
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
+dev_read_sysfs(system_cronjob_t)
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
@@ -387,6 +438,7 @@
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
+files_create_boot_flag(system_cronjob_t)
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
@@ -411,6 +463,8 @@
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
@@ -435,6 +489,7 @@
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
+ apache_delete_cache(system_cronjob_t)
')
optional_policy(`
@@ -442,6 +497,14 @@
')
optional_policy(`
+ dbus_system_bus_client(system_cronjob_t)
+')
+
+optional_policy(`
+ exim_read_spool_files(system_cronjob_t)
+')
+
+optional_policy(`
ftp_read_log(system_cronjob_t)
')
@@ -456,11 +519,16 @@
')
optional_policy(`
+ mono_domtrans(system_cronjob_t)
+')
+
+optional_policy(`
mrtg_append_create_logs(system_cronjob_t)
')
optional_policy(`
mta_send_mail(system_cronjob_t)
+ mta_system_content(system_cron_spool_t)
')
optional_policy(`
@@ -476,7 +544,7 @@
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
- prelink_relabelfrom_lib(system_cronjob_t)
+ prelink_relabel_lib(system_cronjob_t)
')
optional_policy(`
@@ -491,6 +559,7 @@
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
+ spamassassin_manage_home_client(system_cronjob_t)
')
optional_policy(`
@@ -498,6 +567,9 @@
')
optional_policy(`
+ unconfined_dbus_send(crond_t)
+ unconfined_shell_domtrans(crond_t)
+ unconfined_domain(crond_t)
unconfined_domain(system_cronjob_t)
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.5/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/cups.fc 2009-12-22 09:33:25.000000000 -0500
@@ -13,10 +13,14 @@
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
+/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
+
/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+
/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
@@ -30,6 +34,7 @@
/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
@@ -52,13 +57,22 @@
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
+
/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.5/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/cups.te 2009-12-21 13:07:09.000000000 -0500
@@ -23,6 +23,9 @@
type cupsd_initrc_exec_t;
init_script_file(cupsd_initrc_exec_t)
+type cupsd_interface_t;
+files_type(cupsd_interface_t)
+
type cupsd_rw_etc_t;
files_config_file(cupsd_rw_etc_t)
@@ -64,11 +67,14 @@
# For CUPS to run as a backend
cups_backend(hplip_t, hplip_exec_t)
+type hplip_tmp_t;
+files_tmp_file(hplip_tmp_t)
+
type hplip_etc_t;
files_config_file(hplip_etc_t)
-type hplip_tmp_t;
-files_tmp_file(hplip_tmp_t)
+type hplip_var_lib_t;
+files_type(hplip_var_lib_t)
type hplip_var_run_t;
files_pid_file(hplip_var_run_t)
@@ -105,6 +111,7 @@
allow cupsd_t self:unix_dgram_socket create_socket_perms;
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
allow cupsd_t self:shm create_shm_perms;
+allow cupsd_t self:sem create_sem_perms;
allow cupsd_t self:tcp_socket create_stream_socket_perms;
allow cupsd_t self:udp_socket create_socket_perms;
allow cupsd_t self:appletalk_socket create_socket_perms;
@@ -116,6 +123,9 @@
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
files_search_etc(cupsd_t)
+manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
+can_exec(cupsd_t, cupsd_interface_t)
+
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
@@ -156,6 +166,7 @@
kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
kernel_read_all_sysctls(cupsd_t)
+kernel_request_load_module(cupsd_t)
corenet_all_recvfrom_unlabeled(cupsd_t)
corenet_all_recvfrom_netlabel(cupsd_t)
@@ -171,6 +182,7 @@
corenet_udp_bind_generic_node(cupsd_t)
corenet_tcp_bind_ipp_port(cupsd_t)
corenet_udp_bind_ipp_port(cupsd_t)
+corenet_udp_bind_howl_port(cupsd_t)
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_bind_all_rpc_ports(cupsd_t)
@@ -250,6 +262,7 @@
miscfiles_read_localization(cupsd_t)
# invoking ghostscript needs to read fonts
miscfiles_read_fonts(cupsd_t)
+miscfiles_setattr_fonts_dirs(cupsd_t)
seutil_read_config(cupsd_t)
sysnet_exec_ifconfig(cupsd_t)
@@ -317,6 +330,10 @@
')
optional_policy(`
+ snmp_read_snmp_var_lib_files(cupsd_t)
+')
+
+optional_policy(`
udev_read_db(cupsd_t)
')
@@ -327,7 +344,7 @@
allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
dontaudit cupsd_config_t self:capability sys_tty_config;
-allow cupsd_config_t self:process signal_perms;
+allow cupsd_config_t self:process { getsched signal_perms };
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
@@ -378,6 +395,8 @@
dev_read_rand(cupsd_config_t)
dev_rw_generic_usb_dev(cupsd_config_t)
+files_search_all_mountpoints(cupsd_config_t)
+
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
@@ -407,6 +426,7 @@
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
+userdom_rw_user_tmp_files(cupsd_config_t)
cups_stream_connect(cupsd_config_t)
@@ -419,12 +439,15 @@
')
optional_policy(`
+ term_use_generic_ptys(cupsd_config_t)
+')
+
+optional_policy(`
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
optional_policy(`
- dbus_system_bus_client(cupsd_config_t)
- dbus_connect_system_bus(cupsd_config_t)
+ dbus_system_domain(cupsd_config_t, cupsd_config_exec_t)
optional_policy(`
hal_dbus_chat(cupsd_config_t)
@@ -446,6 +469,10 @@
')
optional_policy(`
+ policykit_dbus_chat(cupsd_config_t)
+')
+
+optional_policy(`
rpm_read_db(cupsd_config_t)
')
@@ -457,6 +484,10 @@
udev_read_db(cupsd_config_t)
')
+optional_policy(`
+ unconfined_stream_connect(cupsd_config_t)
+')
+
########################################
#
# Cups lpd support
@@ -542,6 +573,8 @@
manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
+fs_rw_anon_inodefs_files(cups_pdf_t)
+
kernel_read_system_state(cups_pdf_t)
files_read_etc_files(cups_pdf_t)
@@ -556,11 +589,15 @@
miscfiles_read_fonts(cups_pdf_t)
userdom_home_filetrans_user_home_dir(cups_pdf_t)
+userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
userdom_manage_user_home_content_dirs(cups_pdf_t)
userdom_manage_user_home_content_files(cups_pdf_t)
lpd_manage_spool(cups_pdf_t)
+optional_policy(`
+ gnome_read_config(cups_pdf_t)
+')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(cups_pdf_t)
@@ -601,6 +638,9 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
+manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
@@ -627,6 +667,7 @@
corenet_tcp_connect_ipp_port(hplip_t)
corenet_sendrecv_hplip_client_packets(hplip_t)
corenet_receive_hplip_server_packets(hplip_t)
+corenet_udp_bind_howl_port(hplip_t)
dev_read_sysfs(hplip_t)
dev_rw_printer(hplip_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.5/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/cvs.te 2009-12-21 13:07:09.000000000 -0500
@@ -112,4 +112,5 @@
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.5/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/cyrus.te 2009-12-21 13:07:09.000000000 -0500
@@ -75,6 +75,7 @@
corenet_tcp_bind_mail_port(cyrus_t)
corenet_tcp_bind_lmtp_port(cyrus_t)
corenet_tcp_bind_pop_port(cyrus_t)
+corenet_tcp_bind_sieve_port(cyrus_t)
corenet_tcp_connect_all_ports(cyrus_t)
corenet_sendrecv_mail_server_packets(cyrus_t)
corenet_sendrecv_pop_server_packets(cyrus_t)
@@ -135,8 +136,10 @@
')
optional_policy(`
+ files_dontaudit_write_usr_dirs(cyrus_t)
snmp_read_snmp_var_lib_files(cyrus_t)
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+ snmp_stream_connect(cyrus_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.5/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/dbus.if 2009-12-22 09:48:30.000000000 -0500
@@ -42,8 +42,10 @@
gen_require(`
class dbus { send_msg acquire_svc };
+ attribute dbusd_unconfined;
attribute session_bus_type;
type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+ type $1_t;
')
##############################
@@ -76,7 +78,7 @@
allow $3 $1_dbusd_t:unix_stream_socket connectto;
# SE-DBus specific permissions
- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
@@ -88,10 +90,10 @@
files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
- allow $3 $1_dbusd_t:process { sigkill signal };
+ allow $3 $1_dbusd_t:process { signull sigkill signal };
# cjp: this seems very broken
- corecmd_bin_domtrans($1_dbusd_t, $3)
+ corecmd_bin_domtrans($1_dbusd_t, $1_t)
allow $1_dbusd_t $3:process sigkill;
allow $3 $1_dbusd_t:fd use;
allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
@@ -127,6 +129,7 @@
fs_getattr_romfs($1_dbusd_t)
fs_getattr_xattr_fs($1_dbusd_t)
fs_list_inotifyfs($1_dbusd_t)
+ fs_dontaudit_list_nfs($1_dbusd_t)
selinux_get_fs_mount($1_dbusd_t)
selinux_validate_context($1_dbusd_t)
@@ -146,6 +149,9 @@
seutil_read_config($1_dbusd_t)
seutil_read_default_contexts($1_dbusd_t)
+ term_use_all_terms($1_dbusd_t)
+
+ userdom_dontaudit_search_admin_dir($1_dbusd_t)
userdom_read_user_home_content_files($1_dbusd_t)
ifdef(`hide_broken_symptoms', `
@@ -153,13 +159,13 @@
')
optional_policy(`
- hal_dbus_chat($1_dbusd_t)
+ gnome_read_gconf_home_files($1_dbusd_t)
')
optional_policy(`
- xserver_use_xdm_fds($1_dbusd_t)
- xserver_rw_xdm_pipes($1_dbusd_t)
+ hal_dbus_chat($1_dbusd_t)
')
+
')
#######################################
@@ -178,10 +184,12 @@
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
+ attribute dbusd_unconfined;
')
# SE-DBus specific permissions
allow $1 { system_dbusd_t self }:dbus send_msg;
+ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
@@ -256,7 +264,7 @@
########################################
## <summary>
-## Connect to the the session DBUS
+## Connect to the system DBUS
## for service (acquire_svc).
## </summary>
## <param name="domain">
@@ -364,6 +372,16 @@
dbus_system_bus_client($1)
dbus_connect_system_bus($1)
+ userdom_dontaudit_search_admin_dir($1)
+
+ optional_policy(`
+ rpm_script_dbus_chat($1)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_send($1)
+ ')
+
ifdef(`hide_broken_symptoms', `
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
@@ -405,3 +423,24 @@
typeattribute $1 dbusd_unconfined;
')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## system dbus lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_manage_lib_files',`
+ gen_require(`
+ type system_dbusd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.5/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/dbus.te 2009-12-22 09:49:03.000000000 -0500
@@ -86,6 +86,7 @@
dev_read_sysfs(system_dbusd_t)
fs_getattr_all_fs(system_dbusd_t)
+fs_list_inotifyfs(system_dbusd_t)
fs_search_auto_mountpoints(system_dbusd_t)
fs_dontaudit_list_nfs(system_dbusd_t)
@@ -121,6 +122,8 @@
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
+init_bin_domtrans_spec(system_dbusd_t)
+init_domtrans_script(system_dbusd_t)
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
@@ -140,6 +143,15 @@
')
optional_policy(`
+ gnome_exec_gconf(system_dbusd_t)
+')
+
+optional_policy(`
+ networkmanager_initrc_domtrans(system_dbusd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
')
@@ -156,5 +168,24 @@
#
# Unconfined access to this module
#
+optional_policy(`
+ gen_require(`
+ type unconfined_dbusd_t;
+ ')
+ unconfined_domain(unconfined_dbusd_t)
+ unconfined_execmem_domtrans(unconfined_dbusd_t)
+
+ optional_policy(`
+ xserver_rw_shm(unconfined_dbusd_t)
+ ')
+')
allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
+
+optional_policy(`
+ xserver_use_xdm_fds(session_bus_type)
+ xserver_rw_xdm_pipes(session_bus_type)
+ xserver_append_xdm_home_files(session_bus_type)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.5/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/dcc.te 2009-12-21 13:07:09.000000000 -0500
@@ -130,11 +130,13 @@
# Access files in /var/dcc. The map file can be updated
allow dcc_client_t dcc_var_t:dir list_dir_perms;
-read_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
kernel_read_system_state(dcc_client_t)
+fs_getattr_all_fs(dcc_client_t)
+
corenet_all_recvfrom_unlabeled(dcc_client_t)
corenet_all_recvfrom_netlabel(dcc_client_t)
corenet_udp_sendrecv_generic_if(dcc_client_t)
@@ -154,6 +156,10 @@
userdom_use_user_terminals(dcc_client_t)
optional_policy(`
+ amavis_read_spool_files(dcc_client_t)
+')
+
+optional_policy(`
spamassassin_read_spamd_tmp_files(dcc_client_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.7.5/policy/modules/services/ddclient.if
--- nsaserefpolicy/policy/modules/services/ddclient.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/ddclient.if 2009-12-21 13:07:09.000000000 -0500
@@ -21,6 +21,31 @@
########################################
## <summary>
+## Execute ddclient daemon on behalf of a user or staff type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the ppp domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ddclient_run',`
+ gen_require(`
+ type ddclient_t;
+ ')
+
+ ddclient_domtrans($1)
+ role $2 types ddclient_t;
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an ddclient environment
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.5/policy/modules/services/denyhosts.fc
--- nsaserefpolicy/policy/modules/services/denyhosts.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/denyhosts.fc 2009-12-22 10:13:51.000000000 -0500
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t, s0)
+
+/usr/bin/denyhosts\.py -- gen_context(system_u:object_r:denyhosts_exec_t, s0)
+
+/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t, s0)
+/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t, s0)
+/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.5/policy/modules/services/denyhosts.if
--- nsaserefpolicy/policy/modules/services/denyhosts.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/denyhosts.if 2009-12-22 10:13:51.000000000 -0500
@@ -0,0 +1,91 @@
+## <summary>Deny Hosts.</summary>
+## <desc>
+## <p>
+## DenyHosts is a script intended to be run by Linux
+## system administrators to help thwart SSH server attacks
+## (also known as dictionary based attacks and brute force
+## attacks).
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Execute a domain transition to run denyhosts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`denyhosts_domtrans', `
+ gen_require(`
+ type denyhosts_t, denyhosts_exec_t;
+ ')
+
+ domtrans_pattern($1, denyhosts_exec_t, denyhosts_t)
+')
+
+########################################
+## <summary>
+## Execute ksmtuned server in the ksmtuned domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`denyhosts_initrc_domtrans', `
+ gen_require(`
+ type denyhosts_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, denyhosts_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an denyhosts environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`denyhosts_admin', `
+ gen_require(`
+ type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
+ type denyhosts_var_log_t;
+ ')
+
+ allow $1 denyhosts_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, denyhosts_t, denyhosts_t)
+
+ files_list_pids($1)
+ admin_pattern($1, denyhosts_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, denyhosts_var_log_t)
+
+ files_search_locks($1)
+ admin_pattern($1, denyhosts_var_lock_t)
+
+ denyhosts_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 denyhosts_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ kernel_search_proc($1)
+ allow $1 denyhosts_t:dir list_dir_perms;
+ ps_process_pattern($1, denyhosts_t)
+ read_lnk_files_pattern($1, denyhosts_t, denyhosts_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.5/policy/modules/services/denyhosts.te
--- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/denyhosts.te 2009-12-22 10:34:58.000000000 -0500
@@ -0,0 +1,71 @@
+
+policy_module(denyhosts, 1.0.0)
+
+########################################
+#
+# DenyHosts personal declarations.
+#
+
+type denyhosts_t;
+type denyhosts_exec_t;
+init_daemon_domain(denyhosts_t, denyhosts_exec_t)
+
+type denyhosts_initrc_exec_t;
+init_script_file(denyhosts_initrc_exec_t)
+
+type denyhosts_var_lib_t;
+files_type(denyhosts_var_lib_t)
+
+type denyhosts_var_lock_t;
+files_lock_file(denyhosts_var_lock_t)
+
+type denyhosts_var_log_t;
+logging_log_file(denyhosts_var_log_t)
+
+########################################
+#
+# DenyHosts personal policy.
+#
+
+allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
+allow denyhosts_t self:tcp_socket create_socket_perms;
+allow denyhosts_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t)
+files_var_lib_filetrans(denyhosts_t, denyhosts_var_lib_t, file)
+
+manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
+manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
+files_lock_filetrans(denyhosts_t, denyhosts_var_lock_t, { dir file })
+
+append_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+create_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
+
+corecmd_list_bin(denyhosts_t)
+corecmd_read_bin_symlinks(denyhosts_t)
+
+corenet_all_recvfrom_unlabeled(denyhosts_t)
+corenet_all_recvfrom_netlabel(denyhosts_t)
+corenet_tcp_sendrecv_generic_if(denyhosts_t)
+corenet_tcp_sendrecv_generic_node(denyhosts_t)
+corenet_tcp_bind_generic_node(denyhosts_t)
+corenet_sendrecv_smtp_client_packets(denyhosts_t)
+corenet_tcp_connect_smtp_port(denyhosts_t)
+
+dev_read_urand(denyhosts_t)
+
+kernel_read_system_state(denyhosts_t)
+
+# /var/log/secure
+logging_read_generic_logs(denyhosts_t)
+
+miscfiles_read_localization(denyhosts_t)
+
+sysnet_manage_config(denyhosts_t)
+
+optional_policy(`
+ cron_system_entry(denyhosts_t, denyhosts_exec_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.5/policy/modules/services/devicekit.fc
--- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/devicekit.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,8 +1,11 @@
/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.5/policy/modules/services/devicekit.if
--- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/devicekit.if 2009-12-21 13:07:09.000000000 -0500
@@ -139,6 +139,26 @@
########################################
## <summary>
+## Manage devicekit var_run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_manage_var_run',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ manage_dirs_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
+ manage_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
+ manage_lnk_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an devicekit environment
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.5/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/devicekit.te 2009-12-21 13:07:09.000000000 -0500
@@ -42,6 +42,8 @@
files_read_etc_files(devicekit_t)
+kernel_read_system_state(devicekit_t)
+
miscfiles_read_localization(devicekit_t)
optional_policy(`
@@ -62,6 +64,7 @@
allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
@@ -110,6 +113,7 @@
')
optional_policy(`
+ policykit_dbus_chat(devicekit_disk_t)
policykit_domtrans_auth(devicekit_disk_t)
policykit_read_lib(devicekit_disk_t)
policykit_read_reload(devicekit_disk_t)
@@ -139,9 +143,10 @@
# DeviceKit-Power local policy
#
-allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
+allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
@@ -151,6 +156,7 @@
kernel_read_system_state(devicekit_power_t)
kernel_rw_hotplug_sysctls(devicekit_power_t)
kernel_rw_kernel_sysctl(devicekit_power_t)
+kernel_write_proc_files(devicekit_power_t)
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
@@ -159,6 +165,7 @@
domain_read_all_domains_state(devicekit_power_t)
+dev_read_input(devicekit_power_t)
dev_rw_generic_usb_dev(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
@@ -167,12 +174,17 @@
files_read_etc_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
+fs_list_inotifyfs(devicekit_power_t)
+
term_use_all_terms(devicekit_power_t)
auth_use_nsswitch(devicekit_power_t)
miscfiles_read_localization(devicekit_power_t)
+sysnet_read_config(devicekit_power_t)
+sysnet_read_dhcp_config(devicekit_power_t)
+
userdom_read_all_users_state(devicekit_power_t)
optional_policy(`
@@ -180,8 +192,13 @@
')
optional_policy(`
+ cron_initrc_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
dbus_system_bus_client(devicekit_power_t)
+ allow devicekit_disk_t devicekit_t:dbus send_msg;
allow devicekit_power_t devicekit_t:dbus send_msg;
optional_policy(`
@@ -203,17 +220,23 @@
optional_policy(`
hal_domtrans_mac(devicekit_power_t)
+ hal_manage_log(devicekit_power_t)
hal_manage_pid_dirs(devicekit_power_t)
hal_manage_pid_files(devicekit_power_t)
hal_dbus_chat(devicekit_power_t)
')
optional_policy(`
+ policykit_dbus_chat(devicekit_power_t)
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
policykit_read_reload(devicekit_power_t)
')
optional_policy(`
+ udev_read_db(devicekit_power_t)
+')
+
+optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.5/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/dnsmasq.te 2009-12-21 13:07:09.000000000 -0500
@@ -83,6 +83,18 @@
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
optional_policy(`
+ cobbler_read_lib_files(dnsmasq_t)
+')
+
+optional_policy(`
+ cron_manage_pid_files(dnsmasq_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(dnsmasq_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(dnsmasq_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.5/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/dovecot.fc 2009-12-21 13:07:09.000000000 -0500
@@ -34,6 +34,7 @@
/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.5/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/dovecot.te 2009-12-21 13:07:09.000000000 -0500
@@ -56,7 +56,7 @@
allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
dontaudit dovecot_t self:capability sys_tty_config;
-allow dovecot_t self:process { setrlimit signal_perms };
+allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
allow dovecot_t self:fifo_file rw_fifo_file_perms;
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
@@ -73,8 +73,9 @@
can_exec(dovecot_t, dovecot_exec_t)
+manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)
+logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
@@ -103,6 +104,7 @@
dev_read_urand(dovecot_t)
fs_getattr_all_fs(dovecot_t)
+fs_getattr_all_dirs(dovecot_t)
fs_search_auto_mountpoints(dovecot_t)
fs_list_inotifyfs(dovecot_t)
@@ -142,6 +144,10 @@
')
optional_policy(`
+ postgresql_stream_connect(dovecot_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(dovecot_t)
')
@@ -159,7 +165,7 @@
#
allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
-allow dovecot_auth_t self:process signal_perms;
+allow dovecot_auth_t self:process { signal_perms getcap setcap };
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
@@ -220,15 +226,23 @@
')
optional_policy(`
+ postfix_manage_private_sockets(dovecot_auth_t)
postfix_search_spool(dovecot_auth_t)
')
+# for gssapi (kerberos)
+userdom_list_user_tmp(dovecot_auth_t)
+userdom_read_user_tmp_files(dovecot_auth_t)
+userdom_read_user_tmp_symlinks(dovecot_auth_t)
+
########################################
#
# dovecot deliver local policy
#
allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+allow dovecot_deliver_t dovecot_t:process signull;
+
allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -260,3 +274,14 @@
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(dovecot_deliver_t)
+ fs_manage_nfs_symlinks(dovecot_deliver_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(dovecot_deliver_t)
+ fs_manage_cifs_symlinks(dovecot_deliver_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.7.5/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/exim.te 2009-12-21 13:07:09.000000000 -0500
@@ -111,6 +111,7 @@
files_search_var(exim_t)
files_read_etc_files(exim_t)
files_read_etc_runtime_files(exim_t)
+files_getattr_all_mountpoints(exim_t)
fs_getattr_xattr_fs(exim_t)
fs_list_inotifyfs(exim_t)
@@ -191,6 +192,10 @@
')
optional_policy(`
+ sendmail_manage_tmp(exim_t)
+')
+
+optional_policy(`
spamassassin_exec(exim_t)
spamassassin_exec_client(exim_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.5/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/fail2ban.if 2009-12-21 13:07:09.000000000 -0500
@@ -98,6 +98,46 @@
allow $1 fail2ban_var_run_t:file read_file_perms;
')
+#####################################
+## <summary>
+## Connect to fail2ban over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_stream_connect',`
+ gen_require(`
+ type fail2ban_t, fail2ban_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
+')
+
+########################################
+## <summary>
+## dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_leaks',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ dontaudit $1 fail2ban_t:tcp_socket { read write };
+ dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
+ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
########################################
## <summary>
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.5/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/fetchmail.te 2009-12-21 13:07:09.000000000 -0500
@@ -47,6 +47,9 @@
kernel_read_proc_symlinks(fetchmail_t)
kernel_dontaudit_read_system_state(fetchmail_t)
+corecmd_exec_shell(fetchmail_t)
+corecmd_exec_bin(fetchmail_t)
+
corenet_all_recvfrom_unlabeled(fetchmail_t)
corenet_all_recvfrom_netlabel(fetchmail_t)
corenet_tcp_sendrecv_generic_if(fetchmail_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.5/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 2009-07-29 15:15:33.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/fprintd.te 2009-12-21 13:07:09.000000000 -0500
@@ -37,6 +37,8 @@
files_read_etc_files(fprintd_t)
files_read_usr_files(fprintd_t)
+fs_getattr_all_fs(fprintd_t)
+
auth_use_nsswitch(fprintd_t)
miscfiles_read_localization(fprintd_t)
@@ -51,5 +53,8 @@
optional_policy(`
policykit_read_reload(fprintd_t)
policykit_read_lib(fprintd_t)
+ policykit_dbus_chat(fprintd_t)
policykit_domtrans_auth(fprintd_t)
+ policykit_dbus_chat_auth(fprintd_t)
')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.5/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/ftp.te 2009-12-21 13:07:09.000000000 -0500
@@ -41,6 +41,13 @@
## <desc>
## <p>
+## Allow ftp servers to use connect to mysql database
+## </p>
+## </desc>
+gen_tunable(ftpd_connect_db, false)
+
+## <desc>
+## <p>
## Allow ftp to read and write files in the user home directories
## </p>
## </desc>
@@ -78,12 +85,20 @@
type xferlog_t;
logging_log_file(xferlog_t)
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
+')
+
########################################
#
# ftpd local policy
#
-allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
+allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_admin sys_nice sys_resource };
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process signal_perms;
allow ftpd_t self:process { getcap setcap setsched setrlimit };
@@ -92,6 +107,8 @@
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
allow ftpd_t self:udp_socket create_socket_perms;
+allow ftpd_t self:shm create_shm_perms;
+allow ftpd_t self:key manage_key_perms;
allow ftpd_t ftpd_etc_t:file read_file_perms;
@@ -121,8 +138,7 @@
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
# Create and modify /var/log/xferlog.
-allow ftpd_t xferlog_t:dir search_dir_perms;
-allow ftpd_t xferlog_t:file manage_file_perms;
+manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
logging_log_filetrans(ftpd_t, xferlog_t, file)
kernel_read_kernel_sysctls(ftpd_t)
@@ -160,6 +176,7 @@
fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t)
+fs_search_fusefs(ftpd_t)
auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
@@ -219,10 +236,14 @@
# allow access to /home
files_list_home(ftpd_t)
userdom_read_user_home_content_files(ftpd_t)
- userdom_manage_user_home_content_dirs(ftpd_t)
- userdom_manage_user_home_content_files(ftpd_t)
- userdom_manage_user_home_content_symlinks(ftpd_t)
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
+ userdom_manage_user_home_content(ftpd_t)
+
+ auth_read_all_dirs_except_shadow(ftpd_t)
+ auth_read_all_files_except_shadow(ftpd_t)
+ auth_read_all_symlinks_except_shadow(ftpd_t)
+', `
+ # Needed for permissive mode, to make sure everything gets labeled correctly
+ userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
@@ -258,7 +279,26 @@
')
optional_policy(`
- kerberos_read_keytab(ftpd_t)
+ kerberos_keytab_template(ftpd, ftpd_t)
+ kerberos_manage_host_rcache(ftpd_t)
+ selinux_validate_context(ftpd_t)
+')
+
+optional_policy(`
+ tunable_policy(`ftpd_connect_db',`
+ mysql_stream_connect(ftpd_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`ftpd_connect_db',`
+ postgresql_stream_connect(ftpd_t)
+ ')
+')
+
+tunable_policy(`ftpd_connect_db',`
+ corenet_tcp_connect_mysqld_port(ftpd_t)
+ corenet_tcp_connect_postgresql_port(ftpd_t)
')
optional_policy(`
@@ -270,6 +310,14 @@
')
optional_policy(`
+ dbus_system_bus_client(ftpd_t)
+ optional_policy(`
+ oddjob_dbus_chat(ftpd_t)
+ oddjob_domtrans_mkhomedir(ftpd_t)
+ ')
+')
+
+optional_policy(`
seutil_sigchld_newrole(ftpd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.5/policy/modules/services/git.fc
--- nsaserefpolicy/policy/modules/services/git.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/git.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,3 +1,9 @@
/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+
+/srv/git(/.*)? gen_context(system_u:object_r:git_data_t, s0)
+
+/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t, s0)
+
+# Conflict with Fedora cgit fc spec.
+/var/lib/git(/.*)? gen_context(system_u:object_r:git_data_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.5/policy/modules/services/git.if
--- nsaserefpolicy/policy/modules/services/git.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/git.if 2009-12-21 13:07:09.000000000 -0500
@@ -1 +1,285 @@
-## <summary>GIT revision control system</summary>
+## <summary>Git daemon is a really simple server for Git repositories.</summary>
+## <desc>
+## <p>
+## A really simple TCP git daemon that normally listens on
+## port DEFAULT_GIT_PORT aka 9418. It waits for a
+## connection asking for a service, and will serve that
+## service if it is enabled.
+## </p>
+## <p>
+## It verifies that the directory has the magic file
+## git-daemon-export-ok, and it will refuse to export any
+## git directory that has not explicitly been marked for
+## export this way (unless the --export-all parameter is
+## specified). If you pass some directory paths as
+## git-daemon arguments, you can further restrict the
+## offers to a whitelist comprising of those.
+## </p>
+## <p>
+## By default, only upload-pack service is enabled, which
+## serves git-fetch-pack and git-ls-remote clients, which
+## are invoked from git-fetch, git-pull, and git-clone.
+## </p>
+## <p>
+## This is ideally suited for read-only updates, i.e.,
+## pulling from git repositories.
+## </p>
+## <p>
+## An upload-archive also exists to serve git-archive.
+## </p>
+## </desc>
+
+#######################################
+## <summary>
+## Role access for Git daemon session.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`git_session_role', `
+ gen_require(`
+ type gitd_session_t, gitd_exec_t, git_home_t;
+ ')
+
+ ########################################
+ #
+ # Git daemon session data declarations.
+ #
+
+ ## <desc>
+ ## <p>
+ ## Allow transitions to the Git daemon
+ ## session domain.
+ ## </p>
+ ## </desc>
+ gen_tunable(gitd_session_transition, false)
+
+ role $1 types gitd_session_t;
+
+ ########################################
+ #
+ # Git daemon session data policy.
+ #
+
+ tunable_policy(`gitd_session_transition', `
+ domtrans_pattern($2, gitd_exec_t, gitd_session_t)
+ ', `
+ can_exec($2, gitd_exec_t)
+ ')
+
+ allow $2 gitd_session_t:process { ptrace signal_perms };
+ ps_process_pattern($2, gitd_session_t)
+
+ exec_files_pattern($2, git_home_t, git_home_t)
+ manage_dirs_pattern($2, git_home_t, git_home_t)
+ manage_files_pattern($2, git_home_t, git_home_t)
+
+ relabel_dirs_pattern($2, git_home_t, git_home_t)
+ relabel_files_pattern($2, git_home_t, git_home_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to execute
+## Git daemon data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`git_execute_data_files', `
+ gen_require(`
+ type git_data_t;
+ ')
+
+ exec_files_pattern($1, git_data_t, git_data_t)
+ files_search_var($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## Git daemon data content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`git_manage_data_content', `
+ gen_require(`
+ type git_data_t;
+ ')
+
+ manage_dirs_pattern($1, git_data_t, git_data_t)
+ manage_files_pattern($1, git_data_t, git_data_t)
+ files_search_var($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## Git daemon home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`git_manage_home_content', `
+ gen_require(`
+ type git_home_t;
+ ')
+
+ manage_dirs_pattern($1, git_home_t, git_home_t)
+ manage_files_pattern($1, git_home_t, git_home_t)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## Git daemon home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`git_read_home_content', `
+ gen_require(`
+ type git_home_t;
+ ')
+
+ list_dirs_pattern($1, git_home_t, git_home_t)
+ read_files_pattern($1, git_home_t, git_home_t)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## Git daemon data content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`git_read_data_content', `
+ gen_require(`
+ type git_data_t;
+ ')
+
+ list_dirs_pattern($1, git_data_t, git_data_t)
+ read_files_pattern($1, git_data_t, git_data_t)
+ files_search_var($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to relabel
+## Git daemon data content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`git_relabel_data_content', `
+ gen_require(`
+ type git_data_t;
+ ')
+
+ relabel_dirs_pattern($1, git_data_t, git_data_t)
+ relabel_files_pattern($1, git_data_t, git_data_t)
+ files_search_var($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to relabel
+## Git daemon home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`git_relabel_home_content', `
+ gen_require(`
+ type git_home_t;
+ ')
+
+ relabel_dirs_pattern($1, git_home_t, git_home_t)
+ relabel_files_pattern($1, git_home_t, git_home_t)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate an
+## Git daemon system environment
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## Prefix of the domain. Example, user would be
+## the prefix for the user_t domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the Git daemon domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`git_system_admin', `
+ gen_require(`
+ type gitd_t, gitd_exec_t;
+ ')
+
+ allow $1 gitd_t:process { getattr ptrace signal_perms };
+ ps_process_pattern($1, gitd_t)
+
+ kernel_search_proc($1)
+
+ manage_files_pattern($1, gitd_exec_t, gitd_exec_t)
+
+ # This will not work since git-shell needs to execute gitd content thus public content files.
+ # There is currently no clean way to execute public content files.
+ # miscfiles_manage_public_files($1)
+
+ git_manage_data_content($1)
+ git_relabel_data_content($1)
+
+ seutil_domtrans_setfiles($1)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.5/policy/modules/services/git.te
--- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/git.te 2009-12-21 13:07:09.000000000 -0500
@@ -1,9 +1,173 @@
policy_module(git, 1.0)
+attribute gitd_type;
+attribute git_content_type;
+
+########################################
+#
+# Git daemon system private declarations.
+#
+
+## <desc>
+## <p>
+## Allow Git daemon system to search home directories.
+## </p>
+## </desc>
+gen_tunable(git_system_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Allow Git daemon system to access cifs file systems.
+## </p>
+## </desc>
+gen_tunable(git_system_use_cifs, false)
+
+## <desc>
+## <p>
+## Allow Git daemon system to access nfs file systems.
+## </p>
+## </desc>
+gen_tunable(git_system_use_nfs, false)
+
+########################################
+#
+# Git daemon global private declarations.
+#
+type gitd_exec_t;
+
+type gitd_t, gitd_type;
+inetd_service_domain(gitd_t, gitd_exec_t)
+role system_r types gitd_t;
+
+type git_data_t, git_content_type;
+files_type(git_data_t)
+
+permissive gitd_t;
+
+########################################
+#
+# Git daemon session session private declarations.
+#
+
+## <desc>
+## <p>
+## Allow Git daemon session to bind
+## tcp sockets to all unreserved ports.
+## </p>
+## </desc>
+gen_tunable(git_session_bind_all_unreserved_ports, false)
+
+type gitd_session_t, gitd_type;
+application_domain(gitd_session_t, gitd_exec_t)
+ubac_constrained(gitd_session_t)
+
+type git_home_t, git_content_type;
+userdom_user_home_content(git_home_t)
+
+permissive gitd_session_t;
+
+########################################
+#
+# Git daemon global private policy.
+#
+
+allow gitd_type self:fifo_file rw_fifo_file_perms;
+allow gitd_type self:tcp_socket create_socket_perms;
+allow gitd_type self:udp_socket create_socket_perms;
+allow gitd_type self:unix_dgram_socket create_socket_perms;
+
+corenet_all_recvfrom_netlabel(gitd_type)
+corenet_all_recvfrom_unlabeled(gitd_type)
+
+corenet_tcp_sendrecv_all_if(gitd_type)
+corenet_tcp_sendrecv_all_nodes(gitd_type)
+corenet_tcp_sendrecv_all_ports(gitd_type)
+
+corenet_tcp_bind_all_nodes(gitd_type)
+corenet_tcp_bind_git_port(gitd_type)
+
+corecmd_exec_bin(gitd_type)
+
+files_read_etc_files(gitd_type)
+files_read_usr_files(gitd_type)
+
+fs_search_auto_mountpoints(gitd_type)
+
+kernel_read_system_state(gitd_type)
+
+logging_send_syslog_msg(gitd_type)
+
+auth_use_nsswitch(gitd_type)
+
+miscfiles_read_localization(gitd_type)
+
+########################################
+#
+# Git daemon system repository private policy.
+#
+
+list_dirs_pattern(gitd_t, git_content_type, git_content_type)
+read_files_pattern(gitd_t, git_content_type, git_content_type)
+files_search_var(gitd_t)
+
+# This will not work since git-shell needs to execute gitd content thus public content files.
+# There is currently no clean way to execute public content files.
+# miscfiles_read_public_files(gitd_t)
+
+tunable_policy(`git_system_enable_homedirs', `
+ userdom_search_user_home_dirs(gitd_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
+ fs_list_nfs(gitd_t)
+ fs_read_nfs_files(gitd_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
+ fs_list_cifs(gitd_t)
+ fs_read_cifs_files(gitd_t)
+')
+
+tunable_policy(`git_system_use_cifs', `
+ fs_list_cifs(gitd_t)
+ fs_read_cifs_files(gitd_t)
+')
+
+tunable_policy(`git_system_use_nfs', `
+ fs_list_nfs(gitd_t)
+ fs_read_nfs_files(gitd_t)
+')
+
+########################################
+#
+# Git daemon session repository private policy.
+#
+
+list_dirs_pattern(gitd_session_t, git_home_t, git_home_t)
+read_files_pattern(gitd_session_t, git_home_t, git_home_t)
+userdom_search_user_home_dirs(gitd_session_t)
+
+userdom_use_user_terminals(gitd_session_t)
+
+tunable_policy(`git_session_bind_all_unreserved_ports', `
+ corenet_tcp_bind_all_unreserved_ports(gitd_session_t)
+')
+
+tunable_policy(`use_nfs_home_dirs', `
+ fs_list_nfs(gitd_session_t)
+ fs_read_nfs_files(gitd_session_t)
+')
+
+tunable_policy(`use_samba_home_dirs', `
+ fs_list_cifs(gitd_session_t)
+ fs_read_cifs_files(gitd_session_t)
+')
+
########################################
#
-# Declarations
+# cgi git Declarations
#
apache_content_template(git)
+git_read_data_content(httpd_git_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.7.5/policy/modules/services/gpsd.fc
--- nsaserefpolicy/policy/modules/services/gpsd.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/gpsd.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1 +1,6 @@
+/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0)
+
/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0)
+
+/var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0)
+/var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.7.5/policy/modules/services/gpsd.if
--- nsaserefpolicy/policy/modules/services/gpsd.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/gpsd.if 2009-12-21 13:07:09.000000000 -0500
@@ -33,11 +33,6 @@
## The role to be allowed the gpsd domain.
## </summary>
## </param>
-## <param name="terminal">
-## <summary>
-## The type of the role's terminal.
-## </summary>
-## </param>
#
interface(`gpsd_run',`
gen_require(`
@@ -46,7 +41,6 @@
gpsd_domtrans($1)
role $2 types gpsd_t;
- allow gpsd_t $3:chr_file rw_term_perms;
')
########################################
@@ -70,3 +64,24 @@
read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
fs_search_tmpfs($1)
')
+
+########################################
+## <summary>
+## Read/write gpsd tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`gpsd_rw_tmpfs_files',`
+ gen_require(`
+ type gpsd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 gpsd_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+ read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.5/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/gpsd.te 2009-12-21 13:07:09.000000000 -0500
@@ -11,15 +11,21 @@
application_domain(gpsd_t, gpsd_exec_t)
init_daemon_domain(gpsd_t, gpsd_exec_t)
+type gpsd_initrc_exec_t;
+init_script_file(gpsd_initrc_exec_t)
+
type gpsd_tmpfs_t;
files_tmpfs_file(gpsd_tmpfs_t)
+type gpsd_var_run_t;
+files_pid_file(gpsd_var_run_t)
+
########################################
#
# gpsd local policy
#
-allow gpsd_t self:capability { setuid sys_nice setgid fowner };
+allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config };
allow gpsd_t self:process setsched;
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -29,6 +35,10 @@
manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file })
+manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
+
corenet_all_recvfrom_unlabeled(gpsd_t)
corenet_all_recvfrom_netlabel(gpsd_t)
corenet_tcp_sendrecv_generic_if(gpsd_t)
@@ -51,5 +61,5 @@
')
optional_policy(`
- ntpd_rw_shm(gpsd_t)
+ ntp_rw_shm(gpsd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.7.5/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2009-07-28 13:28:33.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/hal.fc 2009-12-21 13:07:09.000000000 -0500
@@ -26,6 +26,7 @@
/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/synce.* gen_context(system_u:object_r:hald_var_run_t,s0)
ifdef(`distro_gentoo',`
/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.7.5/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2009-07-28 13:28:33.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/hal.if 2009-12-21 13:07:09.000000000 -0500
@@ -413,3 +413,21 @@
files_search_pids($1)
manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
')
+
+########################################
+## <summary>
+## Dontaudit read/write to a hal unix datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_dontaudit_rw_dgram_sockets',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ dontaudit $1 hald_t:unix_dgram_socket { read write };
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.5/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/hal.te 2009-12-21 13:07:09.000000000 -0500
@@ -55,6 +55,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
+typealias hald_log_t alias pmtools_log_t;
+typealias hald_var_run_t alias pmtools_var_run_t;
+
########################################
#
# Local policy
@@ -100,7 +103,9 @@
kernel_rw_irq_sysctls(hald_t)
kernel_rw_vm_sysctls(hald_t)
kernel_write_proc_files(hald_t)
+kernel_search_network_sysctl(hald_t)
kernel_setsched(hald_t)
+kernel_request_load_module(hald_t)
auth_read_pam_console_data(hald_t)
@@ -156,6 +161,12 @@
fs_search_all(hald_t)
fs_list_inotifyfs(hald_t)
fs_list_auto_mountpoints(hald_t)
+fs_mount_dos_fs(hald_t)
+fs_unmount_dos_fs(hald_t)
+fs_manage_dos_files(hald_t)
+fs_manage_fusefs_dirs(hald_t)
+fs_rw_removable_blk_files(hald_t)
+
files_getattr_all_mountpoints(hald_t)
mls_file_read_all_levels(hald_t)
@@ -197,13 +208,16 @@
miscfiles_read_hwdata(hald_t)
modutils_domtrans_insmod(hald_t)
+modutils_read_module_deps(hald_t)
seutil_read_config(hald_t)
seutil_read_default_contexts(hald_t)
seutil_read_file_contexts(hald_t)
-sysnet_read_config(hald_t)
sysnet_domtrans_dhcpc(hald_t)
+sysnet_domtrans_ifconfig(hald_t)
+sysnet_read_config(hald_t)
+sysnet_read_dhcp_config(hald_t)
userdom_dontaudit_use_unpriv_user_fds(hald_t)
userdom_dontaudit_search_user_home_dirs(hald_t)
@@ -290,6 +304,7 @@
')
optional_policy(`
+ policykit_dbus_chat(hald_t)
policykit_domtrans_auth(hald_t)
policykit_domtrans_resolve(hald_t)
policykit_read_lib(hald_t)
@@ -321,6 +336,10 @@
virt_manage_images(hald_t)
')
+optional_policy(`
+ xserver_read_pid(hald_t)
+')
+
########################################
#
# Hal acl local policy
@@ -341,6 +360,7 @@
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
+allow hald_t hald_var_run_t:dir mounton;
corecmd_exec_bin(hald_acl_t)
@@ -357,6 +377,8 @@
files_read_usr_files(hald_acl_t)
files_read_etc_files(hald_acl_t)
+fs_getattr_all_fs(hald_acl_t)
+
storage_getattr_removable_dev(hald_acl_t)
storage_setattr_removable_dev(hald_acl_t)
storage_getattr_fixed_disk_dev(hald_acl_t)
@@ -369,6 +391,7 @@
miscfiles_read_localization(hald_acl_t)
optional_policy(`
+ policykit_dbus_chat(hald_acl_t)
policykit_domtrans_auth(hald_acl_t)
policykit_read_lib(hald_acl_t)
policykit_read_reload(hald_acl_t)
@@ -450,12 +473,16 @@
miscfiles_read_localization(hald_keymap_t)
+# This is caused by a bug in hald and PolicyKit.
+# Should be removed when this is fixed
+cron_read_system_job_lib_files(hald_t)
+
########################################
#
# Local hald dccm policy
#
-
-allow hald_dccm_t self:capability { net_bind_service };
+allow hald_dccm_t self:fifo_file rw_fifo_file_perms;
+allow hald_dccm_t self:capability { chown net_bind_service };
allow hald_dccm_t self:process getsched;
allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
allow hald_dccm_t self:udp_socket create_socket_perms;
@@ -469,10 +496,22 @@
manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
files_search_var_lib(hald_dccm_t)
+manage_dirs_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
+manage_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
+manage_sock_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
+files_pid_filetrans(hald_dccm_t, hald_var_run_t, { dir file sock_file })
+
+manage_sock_files_pattern(hald_dccm_t, hald_tmp_t, hald_tmp_t)
+files_tmp_filetrans(hald_dccm_t, hald_tmp_t, sock_file)
+
write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t)
+dev_read_urand(hald_dccm_t)
+
kernel_search_network_sysctl(hald_dccm_t)
+hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
+
corenet_all_recvfrom_unlabeled(hald_dccm_t)
corenet_all_recvfrom_netlabel(hald_dccm_t)
corenet_tcp_sendrecv_generic_if(hald_dccm_t)
@@ -484,6 +523,7 @@
corenet_tcp_bind_generic_node(hald_dccm_t)
corenet_udp_bind_generic_node(hald_dccm_t)
corenet_udp_bind_dhcpc_port(hald_dccm_t)
+corenet_tcp_bind_ftps_port(hald_dccm_t)
corenet_tcp_bind_dccm_port(hald_dccm_t)
logging_send_syslog_msg(hald_dccm_t)
@@ -491,3 +531,7 @@
files_read_usr_files(hald_dccm_t)
miscfiles_read_localization(hald_dccm_t)
+
+optional_policy(`
+ dbus_system_bus_client(hald_dccm_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.5/policy/modules/services/howl.te
--- nsaserefpolicy/policy/modules/services/howl.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/howl.te 2009-12-21 13:07:09.000000000 -0500
@@ -30,7 +30,7 @@
kernel_read_network_state(howl_t)
kernel_read_kernel_sysctls(howl_t)
-kernel_load_module(howl_t)
+kernel_request_load_module(howl_t)
kernel_list_proc(howl_t)
kernel_read_proc_symlinks(howl_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.fc serefpolicy-3.7.5/policy/modules/services/inetd.fc
--- nsaserefpolicy/policy/modules/services/inetd.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/inetd.fc 2009-12-21 13:07:09.000000000 -0500
@@ -9,4 +9,4 @@
/var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0)
-/var/run/inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
+/var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.7.5/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/inetd.te 2009-12-21 13:07:09.000000000 -0500
@@ -104,6 +104,8 @@
corenet_tcp_bind_telnetd_port(inetd_t)
corenet_udp_bind_tftp_port(inetd_t)
corenet_tcp_bind_ssh_port(inetd_t)
+corenet_tcp_bind_git_port(inetd_t)
+corenet_udp_bind_git_port(inetd_t)
# service port packets:
corenet_sendrecv_amanda_server_packets(inetd_t)
@@ -138,6 +140,8 @@
files_read_etc_files(inetd_t)
files_read_etc_runtime_files(inetd_t)
+auth_use_nsswitch(inetd_t)
+
logging_send_syslog_msg(inetd_t)
miscfiles_read_localization(inetd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.5/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2009-07-23 14:11:04.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/kerberos.if 2009-12-21 13:07:09.000000000 -0500
@@ -74,7 +74,7 @@
')
files_search_etc($1)
- allow $1 krb5_conf_t:file read_file_perms;
+ read_files_pattern($1, krb5_conf_t, krb5_conf_t)
dontaudit $1 krb5_conf_t:file write;
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
@@ -84,6 +84,10 @@
selinux_dontaudit_validate_context($1)
seutil_dontaudit_read_file_contexts($1)
+ optional_policy(`
+ sssd_read_config_files($1)
+ ')
+
tunable_policy(`allow_kerberos',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.5/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/kerberos.te 2009-12-21 17:39:03.000000000 -0500
@@ -112,6 +112,7 @@
kernel_read_kernel_sysctls(kadmind_t)
kernel_list_proc(kadmind_t)
+kernel_read_network_state(kadmind_t)
kernel_read_proc_symlinks(kadmind_t)
kernel_read_system_state(kadmind_t)
@@ -283,7 +284,7 @@
allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
allow kpropd_t self:tcp_socket create_stream_socket_perms;
-allow kpropd_t krb5_host_rcache_t:file rw_file_perms;
+allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
allow kpropd_t krb5_keytab_t:file read_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.5/policy/modules/services/ksmtuned.fc
--- nsaserefpolicy/policy/modules/services/ksmtuned.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/ksmtuned.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
+
+/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
+
+/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.5/policy/modules/services/ksmtuned.if
--- nsaserefpolicy/policy/modules/services/ksmtuned.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/ksmtuned.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,76 @@
+
+## <summary>policy for Kernel Samepage Merging (KSM) Tuning Daemon</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ksmtuned.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ksmtuned_domtrans',`
+ gen_require(`
+ type ksmtuned_t, ksmtuned_exec_t;
+ ')
+
+ domtrans_pattern($1, ksmtuned_exec_t, ksmtuned_t)
+')
+
+
+########################################
+## <summary>
+## Execute ksmtuned server in the ksmtuned domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`ksmtuned_initrc_domtrans',`
+ gen_require(`
+ type ksmtuned_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ksmtuned environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ksmtuned_admin',`
+ gen_require(`
+ type ksmtuned_t, ksmtuned_var_run_t;
+ type ksmtuned_initrc_exec_t;
+ ')
+
+ allow $1 ksmtuned_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, ksmtuned_t, ksmtuned_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ksmtuned_var_run_t)
+
+ # Allow ksmtuned_t to restart the apache service
+ ksmtuned_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 ksmtuned_initrc_exec_t system_r;
+ allow $2 system_r;
+
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.5/policy/modules/services/ksmtuned.te
--- nsaserefpolicy/policy/modules/services/ksmtuned.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/ksmtuned.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,46 @@
+policy_module(ksmtuned,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ksmtuned_t;
+type ksmtuned_exec_t;
+init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)
+
+permissive ksmtuned_t;
+
+type ksmtuned_initrc_exec_t;
+init_script_file(ksmtuned_initrc_exec_t)
+
+type ksmtuned_var_run_t;
+files_pid_file(ksmtuned_var_run_t)
+
+########################################
+#
+# ksmtuned local policy
+#
+allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
+
+# Init script handling
+domain_use_interactive_fds(ksmtuned_t)
+
+# internal communication is often done using fifo and unix sockets.
+allow ksmtuned_t self:fifo_file rw_file_perms;
+allow ksmtuned_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
+files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
+
+kernel_read_system_state(ksmtuned_t)
+
+dev_rw_sysfs(ksmtuned_t)
+
+domain_read_all_domains_state(ksmtuned_t)
+
+corecmd_exec_bin(ksmtuned_t)
+
+files_read_etc_files(ksmtuned_t)
+
+miscfiles_read_localization(ksmtuned_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.7.5/policy/modules/services/ktalk.te
--- nsaserefpolicy/policy/modules/services/ktalk.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/ktalk.te 2009-12-21 13:07:09.000000000 -0500
@@ -69,6 +69,7 @@
files_read_etc_files(ktalkd_t)
term_search_ptys(ktalkd_t)
+term_use_all_terms(ktalkd_t)
auth_use_nsswitch(ktalkd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.5/policy/modules/services/ldap.fc
--- nsaserefpolicy/policy/modules/services/ldap.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/ldap.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,5 +1,7 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
+/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+
/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.5/policy/modules/services/ldap.if
--- nsaserefpolicy/policy/modules/services/ldap.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/ldap.if 2009-12-21 13:07:09.000000000 -0500
@@ -1,5 +1,43 @@
## <summary>OpenLDAP directory server</summary>
+#######################################
+## <summary>
+## Execute OpenLDAP in the ldap domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`ldap_domtrans',`
+ gen_require(`
+ type slapd_t, slapd_exec_t;
+ ')
+
+ domtrans_pattern($1, slapd_exec_t, slapd_t)
+
+')
+
+#######################################
+## <summary>
+## Execute OpenLDAP server in the ldap domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`ldap_initrc_domtrans',`
+ gen_require(`
+ type slapd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+')
+
+
########################################
## <summary>
## Read the contents of the OpenLDAP
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.fc serefpolicy-3.7.5/policy/modules/services/lircd.fc
--- nsaserefpolicy/policy/modules/services/lircd.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/lircd.fc 2009-12-21 13:07:09.000000000 -0500
@@ -6,3 +6,5 @@
/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
/var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0)
+/var/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
+/var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.if serefpolicy-3.7.5/policy/modules/services/lircd.if
--- nsaserefpolicy/policy/modules/services/lircd.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/lircd.if 2009-12-21 13:07:09.000000000 -0500
@@ -32,12 +32,11 @@
#
interface(`lircd_stream_connect',`
gen_require(`
- type lircd_sock_t, lircd_t;
+ type lircd_var_run_t, lircd_t;
')
- allow $1 lircd_t:unix_stream_socket connectto;
- allow $1 lircd_sock_t:sock_file write_sock_file_perms;
files_search_pids($1)
+ stream_connect_pattern($1, lircd_var_run_t, lircd_var_run_t, lircd_t)
')
#######################################
@@ -77,7 +76,7 @@
#
interface(`lircd_admin',`
gen_require(`
- type lircd_t, lircd_var_run_t, lircd_sock_t;
+ type lircd_t, lircd_var_run_t;
type lircd_initrc_exec_t, lircd_etc_t;
')
@@ -94,6 +93,4 @@
files_search_pids($1)
admin_pattern($1, lircd_var_run_t)
-
- admin_pattern($1, lircd_sock_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.5/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/lircd.te 2009-12-21 13:07:09.000000000 -0500
@@ -16,13 +16,9 @@
type lircd_etc_t;
files_type(lircd_etc_t)
-type lircd_var_run_t;
+type lircd_var_run_t alias lircd_sock_t;
files_pid_file(lircd_var_run_t)
-# type for lircd /dev/ sock file
-type lircd_sock_t;
-files_type(lircd_sock_t)
-
########################################
#
# lircd local policy
@@ -34,15 +30,27 @@
# etc file
read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
-# pid file
manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
+manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file })
# /dev/lircd socket
-manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
-dev_filetrans(lircd_t, lircd_sock_t, sock_file )
+dev_filetrans(lircd_t, lircd_var_run_t, sock_file )
+dev_read_generic_usb_dev(lircd_t)
+dev_read_mouse(lircd_t)
+dev_filetrans_lirc(lircd_t)
+dev_rw_lirc(lircd_t)
+dev_rw_input_dev(lircd_t)
+
+term_use_ptmx(lircd_t)
logging_send_syslog_msg(lircd_t)
+files_read_etc_files(lircd_t)
+files_list_var(lircd_t)
+files_manage_generic_locks(lircd_t)
+files_read_all_locks(lircd_t)
+
miscfiles_read_localization(lircd_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.7.5/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/mailman.te 2009-12-21 13:07:09.000000000 -0500
@@ -78,6 +78,10 @@
mta_dontaudit_rw_queue(mailman_mail_t)
optional_policy(`
+ courier_read_spool(mailman_mail_t)
+')
+
+optional_policy(`
cron_read_pipes(mailman_mail_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.5/policy/modules/services/memcached.te
--- nsaserefpolicy/policy/modules/services/memcached.te 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/memcached.te 2009-12-21 13:07:09.000000000 -0500
@@ -46,6 +46,8 @@
files_read_etc_files(memcached_t)
+auth_use_nsswitch(memcached_t)
+
miscfiles_read_localization(memcached_t)
sysnet_dns_name_resolve(memcached_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.5/policy/modules/services/modemmanager.te
--- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/modemmanager.te 2009-12-21 13:07:09.000000000 -0500
@@ -16,8 +16,8 @@
#
# ModemManager local policy
#
-
-allow modemmanager_t self:process signal;
+allow modemmanager_t self:capability { sys_admin sys_tty_config };
+allow modemmanager_t self:process signal;
allow modemmanager_t self:fifo_file rw_file_perms;
allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -29,6 +29,7 @@
files_read_etc_files(modemmanager_t)
+term_use_generic_ptys(modemmanager_t)
term_use_unallocated_ttys(modemmanager_t)
miscfiles_read_localization(modemmanager_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.5/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2009-07-29 15:15:33.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/mta.fc 2009-12-21 13:07:09.000000000 -0500
@@ -26,3 +26,5 @@
/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
+/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.5/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2009-07-29 15:15:33.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/mta.if 2009-12-21 13:07:09.000000000 -0500
@@ -69,6 +69,7 @@
can_exec($1_mail_t, sendmail_exec_t)
allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms;
+ kernel_read_system_state($1_mail_t)
kernel_read_kernel_sysctls($1_mail_t)
corenet_all_recvfrom_unlabeled($1_mail_t)
@@ -87,6 +88,8 @@
# It wants to check for nscd
files_dontaudit_search_pids($1_mail_t)
+ init_dontaudit_rw_utmp($1_mail_t)
+
auth_use_nsswitch($1_mail_t)
logging_send_syslog_msg($1_mail_t)
@@ -311,6 +314,7 @@
allow $1 mail_spool_t:dir list_dir_perms;
create_files_pattern($1, mail_spool_t, mail_spool_t)
read_files_pattern($1, mail_spool_t, mail_spool_t)
+ append_files_pattern($1, mail_spool_t, mail_spool_t)
create_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
@@ -351,6 +355,7 @@
# apache should set close-on-exec
apache_dontaudit_rw_stream_sockets($1)
apache_dontaudit_rw_sys_script_stream_sockets($1)
+ apache_append_log($1)
')
')
@@ -376,7 +381,26 @@
allow mta_user_agent $1:fd use;
allow mta_user_agent $1:process sigchld;
- allow mta_user_agent $1:fifo_file { read write };
+ allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Send mail client a signal
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+#
+interface(`mta_signal',`
+ gen_require(`
+ type system_mail_t;
+ ')
+
+ allow $1 system_mail_t:process signal;
')
########################################
@@ -470,7 +494,8 @@
type etc_mail_t;
')
- write_files_pattern($1, etc_mail_t, etc_mail_t)
+ manage_files_pattern($1, etc_mail_t, etc_mail_t)
+ allow $1 etc_mail_t:file setattr;
')
########################################
@@ -694,7 +719,7 @@
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
allow $1 mail_spool_t:file setattr;
- rw_files_pattern($1, mail_spool_t, mail_spool_t)
+ manage_files_pattern($1, mail_spool_t, mail_spool_t)
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.5/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/mta.te 2009-12-21 13:07:09.000000000 -0500
@@ -27,6 +27,9 @@
type mail_spool_t;
files_mountpoint(mail_spool_t)
+type mail_forward_t, mailcontent_type;
+files_type(mail_forward_t)
+
type sendmail_exec_t;
mta_agent_executable(sendmail_exec_t)
@@ -57,8 +60,10 @@
can_exec(system_mail_t, mta_exec_type)
-kernel_read_system_state(system_mail_t)
+files_read_all_tmp_files(system_mail_t)
+
kernel_read_network_state(system_mail_t)
+kernel_request_load_module(system_mail_t)
dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
@@ -72,16 +77,21 @@
userdom_use_user_terminals(system_mail_t)
userdom_dontaudit_search_user_home_dirs(system_mail_t)
+userdom_dontaudit_list_admin_dir(system_mail_t)
+
+logging_append_all_logs(system_mail_t)
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
apache_append_squirrelmail_data(system_mail_t)
+ apache_search_bugzilla_dirs(system_mail_t)
# apache should set close-on-exec
apache_dontaudit_append_log(system_mail_t)
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
+ apache_dontaudit_rw_bugzilla_script_stream_sockets(system_mail_t)
')
optional_policy(`
@@ -100,6 +110,7 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
+ cron_rw_system_job_stream_sockets(system_mail_t)
')
optional_policy(`
@@ -178,6 +189,10 @@
')
optional_policy(`
+ spamd_stream_connect(system_mail_t)
+')
+
+optional_policy(`
smartmon_read_tmp_files(system_mail_t)
')
@@ -197,6 +212,25 @@
')
')
+read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+userdom_search_admin_dir(mailserver_delivery)
+read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
+
+init_stream_connect_script(mailserver_delivery)
+init_rw_script_stream_sockets(mailserver_delivery)
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mailserver_delivery)
+ fs_manage_cifs_files(mailserver_delivery)
+ fs_manage_cifs_symlinks(mailserver_delivery)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mailserver_delivery)
+ fs_manage_nfs_files(mailserver_delivery)
+ fs_manage_nfs_symlinks(mailserver_delivery)
+')
+
########################################
#
# User send mail local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.5/policy/modules/services/munin.fc
--- nsaserefpolicy/policy/modules/services/munin.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/munin.fc 2009-12-21 13:07:09.000000000 -0500
@@ -9,3 +9,6 @@
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.5/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/munin.te 2009-12-21 13:07:09.000000000 -0500
@@ -33,7 +33,7 @@
# Local policy
#
-allow munin_t self:capability { chown dac_override setgid setuid };
+allow munin_t self:capability { chown dac_override setgid setuid sys_rawio };
dontaudit munin_t self:capability sys_tty_config;
allow munin_t self:process { getsched setsched signal_perms };
allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -55,7 +55,8 @@
manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t)
manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
-files_tmp_filetrans(munin_t, munin_tmp_t, { file dir })
+manage_sock_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
+files_tmp_filetrans(munin_t, munin_tmp_t, { file dir sock_file })
# Allow access to the munin databases
manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
@@ -147,6 +148,7 @@
optional_policy(`
postfix_list_spool(munin_t)
+ postfix_getattr_spool_files(munin_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.7.5/policy/modules/services/mysql.if
--- nsaserefpolicy/policy/modules/services/mysql.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/mysql.if 2009-12-21 13:07:09.000000000 -0500
@@ -1,5 +1,43 @@
## <summary>Policy for MySQL</summary>
+######################################
+## <summary>
+## Execute MySQL in the mysql domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`mysql_domtrans',`
+ gen_require(`
+ type mysqld_t, mysqld_exec_t;
+ ')
+
+ domtrans_pattern($1,mysqld_exec_t,mysqld_t)
+
+')
+
+######################################
+## <summary>
+## Execute MySQL server in the mysql domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`mysql_domtrans_mysql_safe',`
+ gen_require(`
+ type mysqld_safe_t, mysqld_safe_exec_t;
+ ')
+
+ domtrans_pattern($1,mysqld_safe_exec_t, mysqld_safe_t)
+')
+
+
########################################
## <summary>
## Send a generic signal to MySQL.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.5/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/mysql.te 2009-12-21 13:07:09.000000000 -0500
@@ -1,6 +1,13 @@
policy_module(mysql, 1.11.1)
+## <desc>
+## <p>
+## Allow mysqld to connect to all ports
+## </p>
+## </desc>
+gen_tunable(mysql_connect_any, false)
+
########################################
#
# Declarations
@@ -109,6 +116,11 @@
# for /root/.my.cnf - should not be needed:
userdom_read_user_home_content_files(mysqld_t)
+tunable_policy(`mysql_connect_any',`
+ corenet_tcp_connect_all_ports(mysqld_t)
+ corenet_sendrecv_all_client_packets(mysqld_t)
+')
+
ifdef(`distro_redhat',`
# because Fedora has the sock_file in the database directory
type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
@@ -131,20 +143,22 @@
# Local mysqld_safe policy
#
-allow mysqld_safe_t self:capability { dac_override fowner chown };
+allow mysqld_safe_t self:capability { chown dac_override fowner kill };
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
-allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;
+read_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
+delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
domain_read_all_domains_state(mysqld_safe_t)
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
kernel_read_system_state(mysqld_safe_t)
+kernel_read_kernel_sysctls(mysqld_safe_t)
dev_list_sysfs(mysqld_safe_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.5/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/nagios.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,16 +1,52 @@
/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
-/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
-/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
-/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+#/usr/lib(64)?/nagios/plugins(/.*)? gen_context(system_u:object_r:nagios_plugin_exec_t,s0)
/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
+
+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
+
ifdef(`distro_debian',`
/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
')
+/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+
+
+
+# check disk plugins
+/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+
+# system plugins
+/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+
+# services plugins
+/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.5/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/nagios.if 2009-12-21 13:07:09.000000000 -0500
@@ -64,7 +64,7 @@
########################################
## <summary>
-## Execute the nagios CGI with
+## Execute the nagios NRPE with
## a domain transition.
## </summary>
## <param name="domain">
@@ -73,18 +73,17 @@
## </summary>
## </param>
#
-interface(`nagios_domtrans_cgi',`
+interface(`nagios_domtrans_nrpe',`
gen_require(`
- type nagios_cgi_t, nagios_cgi_exec_t;
+ type nrpe_t, nrpe_exec_t;
')
- domtrans_pattern($1, nagios_cgi_exec_t, nagios_cgi_t)
+ domtrans_pattern($1, nrpe_exec_t, nrpe_t)
')
########################################
## <summary>
-## Execute the nagios NRPE with
-## a domain transition.
+## Search nagios spool directories.
## </summary>
## <param name="domain">
## <summary>
@@ -92,10 +91,119 @@
## </summary>
## </param>
#
-interface(`nagios_domtrans_nrpe',`
+interface(`nagios_search_spool',`
gen_require(`
- type nrpe_t, nrpe_exec_t;
+ type nagios_spool_t;
')
- domtrans_pattern($1, nrpe_exec_t, nrpe_t)
+ allow $1 nagios_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+######################################
+## <summary>
+## Read nagios logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_read_log',`
+ gen_require(`
+ type nagios_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, nagios_log_t, nagios_log_t)
+')
+
+########################################
+## <summary>
+## Create a set of derived types for various
+## nagios plugins,
+## </summary>
+## <param name="plugins_group_name">
+## <summary>
+## The name to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`nagios_plugin_template',`
+
+ gen_require(`
+ type nagios_t, nrpe_t;
+ ')
+
+ type nagios_$1_plugin_t;
+ type nagios_$1_plugin_exec_t;
+ application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t)
+ role system_r types nagios_$1_plugin_t;
+
+ allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms;
+
+ # automatic transition rules from nrpe domain
+ # to specific nagios plugin domain
+ domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
+
+ # needed by command.cfg
+ domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
+
+ # cjp: leaked file descriptor
+ dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
+
+ miscfiles_read_localization(nagios_$1_plugin_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an nagios environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the nagios domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nagios_admin',`
+ gen_require(`
+ type nagios_t, nrpe_t;
+ type nagios_tmp_t, nagios_log_t;
+ type nagios_etc_t, nrpe_etc_t;
+ type nagios_spool_t, nagios_var_run_t;
+ type nagios_initrc_exec_t;
+ ')
+
+ allow $1 nagios_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nagios_t)
+
+ init_labeled_script_domtrans($1, nagios_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 nagios_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, nagios_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, nagios_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, nagios_etc_t)
+
+ files_list_spool($1)
+ admin_pattern($1, nagios_spool_t)
+
+ files_list_pids($1)
+ admin_pattern($1, nagios_var_run_t)
+
+ admin_pattern($1, nrpe_etc_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.5/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/nagios.te 2009-12-21 13:07:09.000000000 -0500
@@ -6,17 +6,23 @@
# Declarations
#
+## <desc>
+## <p>
+## Allow fenced domain to connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(nagios_plugin_dontaudit_bind_port, false)
+
type nagios_t;
type nagios_exec_t;
init_daemon_domain(nagios_t, nagios_exec_t)
-type nagios_cgi_t;
-type nagios_cgi_exec_t;
-init_system_domain(nagios_cgi_t, nagios_cgi_exec_t)
-
type nagios_etc_t;
files_config_file(nagios_etc_t)
+type nagios_initrc_exec_t;
+init_script_file(nagios_initrc_exec_t)
+
type nagios_log_t;
logging_log_file(nagios_log_t)
@@ -26,6 +32,9 @@
type nagios_var_run_t;
files_pid_file(nagios_var_run_t)
+type nagios_spool_t;
+files_type(nagios_spool_t)
+
type nrpe_t;
type nrpe_exec_t;
init_daemon_domain(nrpe_t, nrpe_exec_t)
@@ -33,6 +42,33 @@
type nrpe_etc_t;
files_config_file(nrpe_etc_t)
+type nrpe_var_run_t;
+files_pid_file(nrpe_var_run_t)
+
+# creates nagios_checkdisk_plugin_exec_t for executable
+# and nagios_checkdisk_plugin_t for domain
+nagios_plugin_template(checkdisk)
+
+# creates nagios_services_plugin_exec_t for executable
+# and nagios_services_plugin_t for domain
+nagios_plugin_template(services)
+
+# creates nagios_system_plugin_exec_t for executable
+# and nagios_system_plugin_t for domain
+nagios_plugin_template(system)
+
+type nagios_system_plugin_tmp_t;
+files_tmp_file(nagios_system_plugin_tmp_t)
+
+nagios_plugin_template(unconfined)
+optional_policy(`
+ unconfined_domain(nagios_unconfined_plugin_t)
+')
+
+permissive nagios_checkdisk_plugin_t;
+permissive nagios_services_plugin_t;
+permissive nagios_system_plugin_t;
+
########################################
#
# Nagios local policy
@@ -45,6 +81,9 @@
allow nagios_t self:tcp_socket create_stream_socket_perms;
allow nagios_t self:udp_socket create_socket_perms;
+# needed by command.cfg
+can_exec(nagios_t, nagios_checkdisk_plugin_exec_t)
+
read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
allow nagios_t nagios_etc_t:dir list_dir_perms;
@@ -60,6 +99,8 @@
manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
+rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+
kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)
@@ -86,6 +127,7 @@
files_read_etc_files(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
+files_search_spool(nagios_t)
fs_getattr_all_fs(nagios_t)
fs_search_auto_mountpoints(nagios_t)
@@ -127,52 +169,59 @@
#
# Nagios CGI local policy
#
+apache_content_template(nagios)
+typealias httpd_nagios_script_t alias nagios_cgi_t;
+typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;
-allow nagios_cgi_t self:process signal_perms;
-allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;
-
-read_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
+allow httpd_nagios_script_t self:process signal_perms;
-allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
-allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
+files_search_spool(httpd_nagios_script_t)
+rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
-kernel_read_system_state(nagios_cgi_t)
+allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
-corecmd_exec_bin(nagios_cgi_t)
+allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
-domain_dontaudit_read_all_domains_state(nagios_cgi_t)
+kernel_read_system_state(httpd_nagios_script_t)
-files_read_etc_files(nagios_cgi_t)
-files_read_etc_runtime_files(nagios_cgi_t)
-files_read_kernel_symbol_table(nagios_cgi_t)
+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
-logging_send_syslog_msg(nagios_cgi_t)
-logging_search_logs(nagios_cgi_t)
+files_read_etc_runtime_files(httpd_nagios_script_t)
+files_read_kernel_symbol_table(httpd_nagios_script_t)
-miscfiles_read_localization(nagios_cgi_t)
-
-optional_policy(`
- apache_append_log(nagios_cgi_t)
-')
+logging_send_syslog_msg(httpd_nagios_script_t)
########################################
#
# Nagios remote plugin executor local policy
#
+allow nrpe_t self:capability {setuid setgid};
dontaudit nrpe_t self:capability sys_tty_config;
allow nrpe_t self:process { setpgid signal_perms };
allow nrpe_t self:fifo_file rw_fifo_file_perms;
+allow nrpe_t self:tcp_socket create_stream_socket_perms;
+
+domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
-allow nrpe_t nrpe_etc_t:file read_file_perms;
+read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)
files_search_etc(nrpe_t)
+manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t)
+files_pid_filetrans(nrpe_t,nrpe_var_run_t,file)
+files_read_etc_files(nrpe_t)
+
+corenet_tcp_bind_generic_node(nrpe_t)
+corenet_tcp_bind_inetd_child_port(nrpe_t)
+corenet_sendrecv_unlabeled_packets(nrpe_t)
+
kernel_read_system_state(nrpe_t)
kernel_read_kernel_sysctls(nrpe_t)
@@ -183,15 +232,19 @@
dev_read_urand(nrpe_t)
domain_use_interactive_fds(nrpe_t)
+domain_read_all_domains_state(nrpe_t)
files_read_etc_runtime_files(nrpe_t)
+fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)
logging_send_syslog_msg(nrpe_t)
miscfiles_read_localization(nrpe_t)
+sysnet_read_config(nrpe_t)
+
userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
optional_policy(`
@@ -209,3 +262,84 @@
optional_policy(`
udev_read_db(nrpe_t)
')
+
+
+######################################
+#
+# local policy for disk check plugins
+#
+
+# needed by ioctl()
+allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+
+files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
+
+fs_getattr_all_fs(nagios_checkdisk_plugin_t)
+
+storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+
+
+#######################################
+#
+# local policy for service check plugins
+#
+allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
+allow nagios_services_plugin_t self:process { signal sigkill };
+
+allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
+allow nagios_services_plugin_t self:udp_socket create_socket_perms;
+
+corecmd_exec_bin(nagios_services_plugin_t)
+
+corenet_tcp_connect_all_ports(nagios_services_plugin_t)
+corenet_udp_bind_dhcpc_port(nagios_services_plugin_t)
+
+auth_use_nsswitch(nagios_services_plugin_t)
+
+domain_read_all_domains_state(nagios_services_plugin_t)
+
+files_read_usr_files(nagios_services_plugin_t)
+
+# just workaround for now
+tunable_policy(`nagios_plugin_dontaudit_bind_port',`
+ corenet_dontaudit_tcp_bind_all_ports(nagios_services_plugin_t)
+ corenet_dontaudit_udp_bind_all_ports(nagios_services_plugin_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(nagios_services_plugin_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(nagios_services_plugin_t)
+')
+
+######################################
+#
+# local policy for system check plugins
+#
+
+allow nagios_system_plugin_t self:capability dac_override;
+
+# check_log
+manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
+manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
+files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
+
+corecmd_exec_bin(nagios_system_plugin_t)
+corecmd_exec_shell(nagios_system_plugin_t)
+
+kernel_read_system_state(nagios_system_plugin_t)
+kernel_read_kernel_sysctls(nagios_system_plugin_t)
+
+files_read_etc_files(nagios_system_plugin_t)
+
+dev_read_sysfs(nagios_system_plugin_t)
+dev_read_urand(nagios_system_plugin_t)
+
+domain_read_all_domains_state(nagios_system_plugin_t)
+
+# needed by check_users plugin
+optional_policy(`
+ init_read_utmp(nagios_system_plugin_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.5/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/networkmanager.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,12 +1,28 @@
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0)
+/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t, s0)
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
+/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+
+/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.5/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/networkmanager.if 2009-12-21 13:07:09.000000000 -0500
@@ -118,6 +118,24 @@
########################################
## <summary>
+## Execute NetworkManager scripts with an automatic domain transition to initrc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_initrc_domtrans',`
+ gen_require(`
+ type NetworkManager_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+')
+
+########################################
+## <summary>
## Read NetworkManager PID files.
## </summary>
## <param name="domain">
@@ -134,3 +152,50 @@
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
+
+########################################
+## <summary>
+## Read NetworkManager PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_read_var_lib_files',`
+ gen_require(`
+ type NetworkManager_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+')
+
+########################################
+## <summary>
+## Execute NetworkManager in the NetworkManager domain, and
+## allow the specified role the NetworkManager domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the NetworkManager domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`networkmanager_run',`
+ gen_require(`
+ type NetworkManager_t, NetworkManager_exec_t;
+ ')
+
+ networkmanager_domtrans($1)
+ role $2 types NetworkManager_t;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.5/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/networkmanager.te 2009-12-21 13:07:09.000000000 -0500
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
+type NetworkManager_var_lib_t;
+files_type(NetworkManager_var_lib_t)
+
type NetworkManager_var_run_t;
files_pid_file(NetworkManager_var_run_t)
@@ -33,13 +36,14 @@
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
-allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock };
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
-allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
+allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
+allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
@@ -51,8 +55,13 @@
manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
-rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
-files_search_tmp(NetworkManager_t)
+manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
+
+manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, dir)
manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
@@ -62,7 +71,9 @@
kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
-kernel_load_module(NetworkManager_t)
+kernel_request_load_module(NetworkManager_t)
+kernel_read_debugfs(NetworkManager_t)
+kernel_rw_net_sysctls(NetworkManager_t)
corenet_all_recvfrom_unlabeled(NetworkManager_t)
corenet_all_recvfrom_netlabel(NetworkManager_t)
@@ -81,13 +92,18 @@
corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
corenet_sendrecv_all_client_packets(NetworkManager_t)
+corenet_rw_tun_tap_dev(NetworkManager_t)
+corenet_getattr_ppp_dev(NetworkManager_t)
dev_read_sysfs(NetworkManager_t)
dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)
+dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+dev_getattr_all_chr_files(NetworkManager_t)
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
+fs_list_inotifyfs(NetworkManager_t)
mls_file_read_all_levels(NetworkManager_t)
@@ -98,15 +114,20 @@
domain_use_interactive_fds(NetworkManager_t)
domain_read_confined_domains_state(NetworkManager_t)
-domain_dontaudit_read_all_domains_state(NetworkManager_t)
files_read_etc_files(NetworkManager_t)
files_read_etc_runtime_files(NetworkManager_t)
files_read_usr_files(NetworkManager_t)
+files_read_usr_src_files(NetworkManager_t)
+
+storage_getattr_fixed_disk_dev(NetworkManager_t)
init_read_utmp(NetworkManager_t)
+init_dontaudit_write_utmp(NetworkManager_t)
init_domtrans_script(NetworkManager_t)
+auth_use_nsswitch(NetworkManager_t)
+
logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t)
@@ -116,25 +137,40 @@
seutil_read_config(NetworkManager_t)
-sysnet_domtrans_ifconfig(NetworkManager_t)
-sysnet_domtrans_dhcpc(NetworkManager_t)
-sysnet_signal_dhcpc(NetworkManager_t)
-sysnet_read_dhcpc_pid(NetworkManager_t)
+sysnet_etc_filetrans_config(NetworkManager_t)
sysnet_delete_dhcpc_pid(NetworkManager_t)
-sysnet_search_dhcp_state(NetworkManager_t)
-# in /etc created by NetworkManager will be labelled net_conf_t.
+sysnet_domtrans_dhcpc(NetworkManager_t)
+sysnet_domtrans_ifconfig(NetworkManager_t)
+sysnet_kill_dhcpc(NetworkManager_t)
sysnet_manage_config(NetworkManager_t)
-sysnet_etc_filetrans_config(NetworkManager_t)
+sysnet_read_dhcp_config(NetworkManager_t)
+sysnet_read_dhcpc_pid(NetworkManager_t)
+sysnet_delete_dhcpc_state(NetworkManager_t)
+sysnet_read_dhcpc_state(NetworkManager_t)
+sysnet_signal_dhcpc(NetworkManager_t)
+userdom_stream_connect(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
userdom_dontaudit_use_user_ttys(NetworkManager_t)
# Read gnome-keyring
userdom_read_user_home_content_files(NetworkManager_t)
+userdom_dgram_send(NetworkManager_t)
+
+cron_read_system_job_lib_files(NetworkManager_t)
+
+optional_policy(`
+ avahi_domtrans(NetworkManager_t)
+ avahi_kill(NetworkManager_t)
+ avahi_signal(NetworkManager_t)
+ avahi_signull(NetworkManager_t)
+')
optional_policy(`
bind_domtrans(NetworkManager_t)
bind_manage_cache(NetworkManager_t)
+ bind_kill(NetworkManager_t)
bind_signal(NetworkManager_t)
+ bind_signull(NetworkManager_t)
')
optional_policy(`
@@ -146,8 +182,25 @@
')
optional_policy(`
- dbus_system_bus_client(NetworkManager_t)
- dbus_connect_system_bus(NetworkManager_t)
+ dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(NetworkManager_t)
+ ')
+')
+
+optional_policy(`
+ dnsmasq_read_pid_files(NetworkManager_t)
+ dnsmasq_delete_pid_files(NetworkManager_t)
+ dnsmasq_domtrans(NetworkManager_t)
+ dnsmasq_initrc_domtrans(NetworkManager_t)
+ dnsmasq_kill(NetworkManager_t)
+ dnsmasq_signal(NetworkManager_t)
+ dnsmasq_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ hal_write_log(NetworkManager_t)
')
optional_policy(`
@@ -155,23 +208,51 @@
')
optional_policy(`
- nis_use_ypbind(NetworkManager_t)
+ iptables_domtrans(NetworkManager_t)
')
optional_policy(`
- nscd_socket_use(NetworkManager_t)
+ nscd_domtrans(NetworkManager_t)
nscd_signal(NetworkManager_t)
+ nscd_signull(NetworkManager_t)
+ nscd_kill(NetworkManager_t)
+ nscd_initrc_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+ # Dispatcher starting and stoping ntp
+ ntp_initrc_domtrans(NetworkManager_t)
')
optional_policy(`
openvpn_domtrans(NetworkManager_t)
+ openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
+ openvpn_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(NetworkManager_t)
+ policykit_domtrans_auth(NetworkManager_t)
+ policykit_read_lib(NetworkManager_t)
+ policykit_read_reload(NetworkManager_t)
+ userdom_read_all_users_state(NetworkManager_t)
')
optional_policy(`
+ ppp_initrc_domtrans(NetworkManager_t)
ppp_domtrans(NetworkManager_t)
ppp_read_pid_files(NetworkManager_t)
+ ppp_kill(NetworkManager_t)
ppp_signal(NetworkManager_t)
+ ppp_signull(NetworkManager_t)
+ ppp_read_config(NetworkManager_t)
+')
+
+optional_policy(`
+ rpm_exec(NetworkManager_t)
+ rpm_read_db(NetworkManager_t)
+ rpm_dontaudit_manage_db(NetworkManager_t)
')
optional_policy(`
@@ -179,12 +260,15 @@
')
optional_policy(`
+ udev_exec(NetworkManager_t)
udev_read_db(NetworkManager_t)
')
optional_policy(`
vpn_domtrans(NetworkManager_t)
+ vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
+ vpn_signull(NetworkManager_t)
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.5/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/nis.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,4 +1,7 @@
-
+/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.5/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/nis.if 2009-12-21 13:07:09.000000000 -0500
@@ -28,7 +28,7 @@
type var_yp_t;
')
- dontaudit $1 self:capability net_bind_service;
+ allow $1 self:capability net_bind_service;
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 self:udp_socket create_socket_perms;
@@ -76,6 +76,10 @@
## <rolecap/>
#
interface(`nis_use_ypbind',`
+ gen_require(`
+ type var_yp_t;
+ ')
+
tunable_policy(`allow_ypbind',`
nis_use_ypbind_uncond($1)
')
@@ -87,7 +91,7 @@
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## The type of the process performing this action.
## </summary>
## </param>
## <rolecap/>
@@ -262,6 +266,43 @@
########################################
## <summary>
+## Execute nis server in the nis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+#
+interface(`nis_initrc_domtrans',`
+ gen_require(`
+ type nis_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nis_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute nis server in the nis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`nis_ypbind_initrc_domtrans',`
+ gen_require(`
+ type ypbind_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ypbind_initrc_exec_t)
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an nis environment
## </summary>
@@ -272,16 +313,19 @@
## </param>
## <param name="role">
## <summary>
-## Role allowed access.
+## The role to be allowed to manage the nis domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`nis_admin',`
gen_require(`
- type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
+ type ypbind_t, yppasswdd_t;
+ type ypserv_t, ypxfr_t;
type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
+ type ypbind_initrc_exec_t;
+ type nis_initrc_exec_t;
')
allow $1 ypbind_t:process { ptrace signal_perms };
@@ -296,6 +340,13 @@
allow $1 ypxfr_t:process { ptrace signal_perms };
ps_process_pattern($1, ypxfr_t)
+ nis_initrc_domtrans($1)
+ nis_ypbind_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 nis_initrc_exec_t system_r;
+ role_transition $2 ypbind_initrc_exec_t system_r;
+ allow $2 system_r;
+
files_list_tmp($1)
admin_pattern($1, ypbind_tmp_t)
@@ -311,3 +362,31 @@
admin_pattern($1, ypserv_var_run_t)
')
+
+
+########################################
+## <summary>
+## Execute ypbind in the ypbind domain, and
+## allow the specified role the ypbind domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the ypbind domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nis_run_ypbind',`
+ gen_require(`
+ type ypbind_t;
+ ')
+
+ nis_domtrans_ypbind($1)
+ role $2 types ypbind_t;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.5/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/nis.te 2009-12-21 13:07:09.000000000 -0500
@@ -13,6 +13,9 @@
type ypbind_exec_t;
init_daemon_domain(ypbind_t, ypbind_exec_t)
+type ypbind_initrc_exec_t;
+init_script_file(ypbind_initrc_exec_t)
+
type ypbind_tmp_t;
files_tmp_file(ypbind_tmp_t)
@@ -44,6 +47,9 @@
type ypxfr_exec_t;
init_daemon_domain(ypxfr_t, ypxfr_exec_t)
+type nis_initrc_exec_t;
+init_script_file(nis_initrc_exec_t)
+
########################################
#
# ypbind local policy
@@ -65,9 +71,8 @@
manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
+kernel_read_system_state(ypbind_t)
kernel_read_kernel_sysctls(ypbind_t)
-kernel_list_proc(ypbind_t)
-kernel_read_proc_symlinks(ypbind_t)
corenet_all_recvfrom_unlabeled(ypbind_t)
corenet_all_recvfrom_netlabel(ypbind_t)
@@ -250,6 +255,8 @@
corenet_udp_sendrecv_all_ports(ypserv_t)
corenet_tcp_bind_generic_node(ypserv_t)
corenet_udp_bind_generic_node(ypserv_t)
+corenet_tcp_bind_reserved_port(ypserv_t)
+corenet_udp_bind_reserved_port(ypserv_t)
corenet_tcp_bind_all_rpc_ports(ypserv_t)
corenet_udp_bind_all_rpc_ports(ypserv_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
@@ -315,6 +322,8 @@
corenet_udp_sendrecv_all_ports(ypxfr_t)
corenet_tcp_bind_generic_node(ypxfr_t)
corenet_udp_bind_generic_node(ypxfr_t)
+corenet_tcp_bind_reserved_port(ypxfr_t)
+corenet_udp_bind_reserved_port(ypxfr_t)
corenet_tcp_bind_all_rpc_ports(ypxfr_t)
corenet_udp_bind_all_rpc_ports(ypxfr_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.5/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2009-09-16 09:09:20.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/nscd.if 2009-12-21 13:07:09.000000000 -0500
@@ -121,6 +121,24 @@
########################################
## <summary>
+## Use nscd services
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_use',`
+ tunable_policy(`nscd_use_shm',`
+ nscd_shm_use($1)
+ ',`
+ nscd_socket_use($1)
+ ')
+')
+
+########################################
+## <summary>
## Use NSCD services by mapping the database from
## an inherited NSCD file descriptor.
## </summary>
@@ -168,7 +186,7 @@
type nscd_var_run_t;
')
- dontaudit $1 nscd_var_run_t:dir search;
+ dontaudit $1 nscd_var_run_t:dir search_dir_perms;
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.5/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/nscd.te 2009-12-21 13:07:09.000000000 -0500
@@ -1,10 +1,17 @@
-policy_module(nscd, 1.10.0)
+policy_module(nscd, 1.10.1)
gen_require(`
class nscd all_nscd_perms;
')
+## <desc>
+## <p>
+## Allow confined applications to use nscd shared memory.
+## </p>
+## </desc>
+gen_tunable(nscd_use_shm, false)
+
########################################
#
# Declarations
@@ -91,6 +98,7 @@
selinux_compute_relabel_context(nscd_t)
selinux_compute_user_contexts(nscd_t)
domain_use_interactive_fds(nscd_t)
+domain_search_all_domains_state(nscd_t)
files_read_etc_files(nscd_t)
files_read_generic_tmp_symlinks(nscd_t)
@@ -128,3 +136,16 @@
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
')
+
+optional_policy(`
+ tunable_policy(`samba_domain_controller',`
+ samba_append_log(nscd_t)
+ samba_dontaudit_use_fds(nscd_t)
+ ')
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.7.5/policy/modules/services/ntop.fc
--- nsaserefpolicy/policy/modules/services/ntop.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/ntop.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,7 +1,6 @@
/etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0)
/usr/bin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0)
-/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:ntop_http_content_t,s0)
/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0)
/var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.5/policy/modules/services/ntop.te
--- nsaserefpolicy/policy/modules/services/ntop.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/ntop.te 2009-12-21 13:07:09.000000000 -0500
@@ -11,12 +11,12 @@
init_daemon_domain(ntop_t, ntop_exec_t)
application_domain(ntop_t, ntop_exec_t)
+type ntop_initrc_exec_t;
+init_script_file(ntop_initrc_exec_t)
+
type ntop_etc_t;
files_config_file(ntop_etc_t)
-type ntop_http_content_t;
-files_type(ntop_http_content_t)
-
type ntop_tmp_t;
files_tmp_file(ntop_tmp_t)
@@ -37,26 +37,28 @@
allow ntop_t self:fifo_file rw_fifo_file_perms;
allow ntop_t self:tcp_socket create_stream_socket_perms;
allow ntop_t self:udp_socket create_socket_perms;
+allow ntop_t self:unix_dgram_socket create_socket_perms;
+allow ntop_t self:unix_stream_socket create_stream_socket_perms;
allow ntop_t self:packet_socket create_socket_perms;
+allow ntop_t self:socket create_socket_perms;
allow ntop_t ntop_etc_t:dir list_dir_perms;
read_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t)
read_lnk_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t)
-allow ntop_t ntop_http_content_t:dir list_dir_perms;
-read_files_pattern(ntop_t, ntop_http_content_t, ntop_http_content_t)
-
manage_dirs_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t)
manage_files_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t)
files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir })
-create_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
-manage_files_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
-files_var_lib_filetrans(ntop_t, ntop_var_lib_t, file)
+manage_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
+manage_files_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
+files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir } )
manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t)
files_pid_filetrans(ntop_t, ntop_var_run_t, file)
+kernel_request_load_module(ntop_t)
+kernel_read_system_state(ntop_t)
kernel_read_network_state(ntop_t)
kernel_read_kernel_sysctls(ntop_t)
kernel_list_proc(ntop_t)
@@ -72,26 +74,36 @@
corenet_raw_sendrecv_generic_node(ntop_t)
corenet_tcp_sendrecv_all_ports(ntop_t)
corenet_udp_sendrecv_all_ports(ntop_t)
+corenet_tcp_bind_ntop_port(ntop_t)
+corenet_tcp_connect_ntop_port(ntop_t)
+corenet_tcp_connect_http_port(ntop_t)
dev_read_sysfs(ntop_t)
+dev_rw_generic_usb_dev(ntop_t)
domain_use_interactive_fds(ntop_t)
files_read_etc_files(ntop_t)
+files_read_usr_files(ntop_t)
fs_getattr_all_fs(ntop_t)
fs_search_auto_mountpoints(ntop_t)
+auth_use_nsswitch(ntop_t)
+
logging_send_syslog_msg(ntop_t)
miscfiles_read_localization(ntop_t)
-
-sysnet_read_config(ntop_t)
+miscfiles_read_fonts(ntop_t)
userdom_dontaudit_use_unpriv_user_fds(ntop_t)
userdom_dontaudit_search_user_home_dirs(ntop_t)
optional_policy(`
+ apache_read_sys_content(ntop_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(ntop_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.7.5/policy/modules/services/ntp.if
--- nsaserefpolicy/policy/modules/services/ntp.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/ntp.if 2009-12-21 13:07:09.000000000 -0500
@@ -37,6 +37,32 @@
########################################
## <summary>
+## Execute ntp in the ntp domain, and
+## allow the specified role the ntp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the ntp domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ntp_run',`
+ gen_require(`
+ type ntpd_t;
+ ')
+
+ ntp_domtrans($1)
+ role $2 types ntpd_t;
+')
+
+########################################
+## <summary>
## Execute ntp server in the ntpd domain.
## </summary>
## <param name="domain">
@@ -64,7 +90,7 @@
## </summary>
## </param>
#
-interface(`ntpd_rw_shm',`
+interface(`ntp_rw_shm',`
gen_require(`
type ntpd_t, ntpd_tmpfs_t;
')
@@ -78,6 +104,24 @@
########################################
## <summary>
+## Execute ntp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`ntp_initrc_domtrans',`
+ gen_require(`
+ type ntpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an ntp environment
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.5/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/ntp.te 2009-12-21 13:07:09.000000000 -0500
@@ -41,10 +41,11 @@
# sys_resource and setrlimit is for locking memory
# ntpdate wants sys_nice
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource };
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
allow ntpd_t self:fifo_file rw_fifo_file_perms;
+allow ntpd_t self:shm create_shm_perms;
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
allow ntpd_t self:tcp_socket create_stream_socket_perms;
@@ -55,6 +56,7 @@
can_exec(ntpd_t, ntpd_exec_t)
read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
allow ntpd_t ntpd_log_t:dir setattr;
manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
@@ -75,6 +77,7 @@
kernel_read_kernel_sysctls(ntpd_t)
kernel_read_system_state(ntpd_t)
kernel_read_network_state(ntpd_t)
+kernel_request_load_module(ntpd_t)
corenet_all_recvfrom_unlabeled(ntpd_t)
corenet_all_recvfrom_netlabel(ntpd_t)
@@ -97,6 +100,8 @@
fs_getattr_all_fs(ntpd_t)
fs_search_auto_mountpoints(ntpd_t)
+# Necessary to communicate with gpsd devices
+fs_rw_tmpfs_files(ntpd_t)
term_use_ptmx(ntpd_t)
@@ -129,6 +134,7 @@
optional_policy(`
gpsd_rw_shm(ntpd_t)
+ gpsd_rw_tmpfs_files(ntpd_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.fc serefpolicy-3.7.5/policy/modules/services/nut.fc
--- nsaserefpolicy/policy/modules/services/nut.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/nut.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,16 @@
+
+/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
+
+/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+
+/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
+/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
+
+/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
+
+#/var/www/nut-cgi-bin(/.*)? -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+
+/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.if serefpolicy-3.7.5/policy/modules/services/nut.if
--- nsaserefpolicy/policy/modules/services/nut.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/nut.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,58 @@
+## <summary>SELinux policy for NUT - Network UPS Tools </summary>
+
+#####################################
+## <summary>
+## Execute a domain transition to run upsd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nut_upsd_domtrans',`
+ gen_require(`
+ type nut_upsd_t, nut_upsd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, nut_upsd_exec_t, nut_upsd_t)
+')
+
+####################################
+## <summary>
+## Execute a domain transition to run upsmon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nut_upsmon_domtrans',`
+ gen_require(`
+ type nut_upsmon_t, nut_upsmon_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, nut_upsmon_exec_t, nut_upsmon_t)
+')
+
+####################################
+## <summary>
+## Execute a domain transition to run upsdrvctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nut_upsdrvctl_domtrans',`
+ gen_require(`
+ type nut_upsdrvctl_t, nut_upsdrvctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, nut_upsdrvctl_exec_t, nut_upsdrvctl_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.5/policy/modules/services/nut.te
--- nsaserefpolicy/policy/modules/services/nut.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/nut.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,188 @@
+
+policy_module(nut, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type nut_upsd_t;
+typealias nut_upsd_t alias upsd_t;
+type nut_upsd_exec_t;
+init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)
+
+type nut_upsmon_t;
+typealias nut_upsmon_t alias upsmon_t;
+type nut_upsmon_exec_t;
+init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)
+
+type nut_upsdrvctl_t;
+typealias nut_upsdrvctl_t alias upsdrvctl_t;
+type nut_upsdrvctl_exec_t;
+init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
+
+# conf files
+type nut_conf_t;
+files_config_file(nut_conf_t)
+
+# pid files
+type nut_var_run_t;
+files_pid_file(nut_var_run_t)
+
+permissive nut_upsd_t;
+permissive nut_upsmon_t;
+permissive nut_upsdrvctl_t;
+
+########################################
+#
+# Local policy for upsd
+#
+
+allow nut_upsd_t self:capability { setgid setuid dac_override };
+
+allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
+
+allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
+
+read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
+
+# pid file
+manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_upsd_t, nut_var_run_t, { file sock_file })
+
+# note: add ups port !
+corenet_tcp_bind_ups_port(nut_upsd_t)
+corenet_tcp_bind_all_nodes(nut_upsd_t)
+
+kernel_read_kernel_sysctls(nut_upsd_t)
+
+# /etc/nsswitch.conf
+auth_use_nsswitch(nut_upsd_t)
+
+files_read_usr_files(nut_upsd_t)
+
+logging_send_syslog_msg(nut_upsd_t)
+
+miscfiles_read_localization(nut_upsd_t)
+
+
+########################################
+#
+# Local policy for upsmon
+#
+
+allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
+
+allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
+allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsmon_t self:tcp_socket create_socket_perms;
+
+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+
+# pid file
+manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_upsmon_t, nut_var_run_t, { file })
+
+corenet_tcp_connect_ups_port(nut_upsmon_t)
+#corenet_tcp_connect_generic_port(nut_upsmon_t)
+
+corecmd_exec_bin(nut_upsmon_t)
+corecmd_exec_shell(nut_upsmon_t)
+
+kernel_read_kernel_sysctls(nut_upsmon_t)
+kernel_read_system_state(nut_upsmon_t)
+
+# creates /etc/killpower
+#files_manage_etc_files(nut_upsmon_t)
+
+# Creates /etc/killpower
+files_manage_etc_runtime_files(nut_upsmon_t)
+files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
+
+auth_use_nsswitch(nut_upsmon_t)
+
+files_search_usr(nut_upsmon_t)
+
+logging_send_syslog_msg(nut_upsmon_t)
+
+miscfiles_read_localization(nut_upsmon_t)
+
+# /usr/bin/wall
+term_write_all_terms(nut_upsmon_t)
+
+#upsmon runs shutdown, probably need a shutdown domain
+init_rw_utmp(nut_upsmon_t)
+init_telinit(nut_upsmon_t)
+
+########################################
+#
+# Local policy for upsdrvctl
+#
+
+allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
+allow nut_upsdrvctl_t self:process { sigchld signal signull };
+allow nut_upsdrvctl_t self:fd use;
+
+allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
+allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
+
+read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
+
+# pid file
+manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
+manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })
+
+# /sbin/upsdrvctl executes other drivers
+# can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
+corecmd_exec_bin(nut_upsdrvctl_t)
+corecmd_exec_sbin(nut_upsdrvctl_t)
+
+kernel_read_kernel_sysctls(nut_upsdrvctl_t)
+
+# /etc/nsswitch.conf
+auth_use_nsswitch(nut_upsdrvctl_t)
+
+dev_read_urand(nut_upsdrvctl_t)
+dev_rw_generic_usb_dev(nut_upsdrvctl_t)
+
+term_use_unallocated_ttys(nut_upsdrvctl_t)
+
+logging_send_syslog_msg(nut_upsdrvctl_t)
+
+miscfiles_read_localization(nut_upsdrvctl_t)
+
+init_sigchld(nut_upsdrvctl_t)
+
+#######################################
+#
+# Local policy for NUT cgi scripts
+# requires httpd_enable_cgi and httpd_can_network_connect
+#
+
+optional_policy(`
+ apache_content_template(nutups_cgi)
+
+ read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
+
+ corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
+ corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
+ corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
+# corenet_tcp_connect_generic_port(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
+
+ sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.5/policy/modules/services/nx.fc
--- nsaserefpolicy/policy/modules/services/nx.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/nx.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,7 +1,15 @@
/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+/opt/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
-
/opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0)
+/usr/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+
+/usr/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/usr/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+
+/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+
/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.5/policy/modules/services/nx.if
--- nsaserefpolicy/policy/modules/services/nx.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/nx.if 2009-12-21 13:07:09.000000000 -0500
@@ -17,3 +17,70 @@
spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
')
+
+########################################
+## <summary>
+## Read nx home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nx_read_home_files',`
+ gen_require(`
+ type nx_server_home_ssh_t, nx_server_var_lib_t;
+ ')
+
+ allow $1 nx_server_var_lib_t:dir search_dir_perms;
+ read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+ read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+')
+
+########################################
+## <summary>
+## Read nx home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nx_search_var_lib',`
+ gen_require(`
+ type nx_server_var_lib_t;
+ ')
+
+ allow $1 nx_server_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create an object in the root directory, with a private
+## type using a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`nx_var_lib_filetrans',`
+ gen_require(`
+ type nx_server_var_lib_t;
+ ')
+
+ filetrans_pattern($1, nx_server_var_lib_t, $2, $3)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.5/policy/modules/services/nx.te
--- nsaserefpolicy/policy/modules/services/nx.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/nx.te 2009-12-21 13:07:09.000000000 -0500
@@ -25,6 +25,12 @@
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)
+type nx_server_var_lib_t;
+files_type(nx_server_var_lib_t)
+
+type nx_server_home_ssh_t;
+files_type(nx_server_home_ssh_t)
+
########################################
#
# NX server local policy
@@ -37,6 +43,10 @@
allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty(nx_server_t, nx_server_devpts_t)
+manage_files_pattern(nx_server_t, nx_server_var_lib_t,nx_server_var_lib_t)
+manage_dirs_pattern(nx_server_t, nx_server_var_lib_t,nx_server_var_lib_t)
+files_var_lib_filetrans(nx_server_t,nx_server_var_lib_t, { file dir })
+
manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })
@@ -44,6 +54,9 @@
manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
+manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+
kernel_read_system_state(nx_server_t)
kernel_read_kernel_sysctls(nx_server_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.5/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 2009-07-28 13:28:33.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/oddjob.if 2009-12-21 13:07:09.000000000 -0500
@@ -44,6 +44,7 @@
')
domtrans_pattern(oddjob_t, $2, $1)
+ domain_user_exemption_target($1)
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.5/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/oddjob.te 2009-12-21 13:07:09.000000000 -0500
@@ -100,8 +100,7 @@
# Add/remove user home directories
userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
-userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
-userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
-userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_user_home_content(oddjob_mkhomedir_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.5/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/openvpn.te 2009-12-21 13:07:09.000000000 -0500
@@ -41,7 +41,7 @@
# openvpn local policy
#
-allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
+allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
allow openvpn_t self:process { signal getsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
@@ -100,6 +100,8 @@
files_read_etc_files(openvpn_t)
files_read_etc_runtime_files(openvpn_t)
+auth_use_pam(openvpn_t)
+
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
@@ -107,7 +109,7 @@
sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
-sysnet_write_config(openvpn_t)
+sysnet_manage_config(openvpn_t)
sysnet_etc_filetrans_config(openvpn_t)
userdom_use_user_terminals(openvpn_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.5/policy/modules/services/pcscd.if
--- nsaserefpolicy/policy/modules/services/pcscd.if 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/pcscd.if 2009-12-21 13:07:09.000000000 -0500
@@ -39,6 +39,44 @@
########################################
## <summary>
+## Manage pcscd pub files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcscd_manage_pub_files',`
+ gen_require(`
+ type pcscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
+')
+
+########################################
+## <summary>
+## Manage pcscd pub fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcscd_manage_pub_pipes',`
+ gen_require(`
+ type pcscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_fifo_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
+')
+
+########################################
+## <summary>
## Connect to pcscd over an unix stream socket.
## </summary>
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.5/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/pegasus.te 2009-12-21 13:07:09.000000000 -0500
@@ -30,7 +30,7 @@
# Local policy
#
-allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service };
+allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service };
dontaudit pegasus_t self:capability sys_tty_config;
allow pegasus_t self:process signal;
allow pegasus_t self:fifo_file rw_fifo_file_perms;
@@ -66,6 +66,8 @@
kernel_read_system_state(pegasus_t)
kernel_search_vm_sysctl(pegasus_t)
kernel_read_net_sysctls(pegasus_t)
+kernel_read_xen_state(pegasus_t)
+kernel_write_xen_state(pegasus_t)
corenet_all_recvfrom_unlabeled(pegasus_t)
corenet_all_recvfrom_netlabel(pegasus_t)
@@ -96,13 +98,12 @@
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
+auth_read_shadow(pegasus_t)
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
-files_read_etc_files(pegasus_t)
-files_list_var_lib(pegasus_t)
-files_read_var_lib_files(pegasus_t)
+files_read_all_files(pegasus_t)
files_read_var_lib_symlinks(pegasus_t)
hostname_exec(pegasus_t)
@@ -115,7 +116,6 @@
miscfiles_read_localization(pegasus_t)
-sysnet_read_config(pegasus_t)
sysnet_domtrans_ifconfig(pegasus_t)
userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
@@ -126,6 +126,14 @@
')
optional_policy(`
+ samba_manage_config(pegasus_t)
+')
+
+optional_policy(`
+ ssh_exec(pegasus_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(pegasus_t)
seutil_dontaudit_read_config(pegasus_t)
')
@@ -137,3 +145,13 @@
optional_policy(`
unconfined_signull(pegasus_t)
')
+
+optional_policy(`
+ virt_domtrans(pegasus_t)
+ virt_manage_config(pegasus_t)
+')
+
+optional_policy(`
+ xen_stream_connect(pegasus_t)
+ xen_stream_connect_xenstore(pegasus_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.fc serefpolicy-3.7.5/policy/modules/services/plymouth.fc
--- nsaserefpolicy/policy/modules/services/plymouth.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/plymouth.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,5 @@
+/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t, s0)
+/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0)
+/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t, s0)
+/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t, s0)
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.7.5/policy/modules/services/plymouth.if
--- nsaserefpolicy/policy/modules/services/plymouth.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/plymouth.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,322 @@
+## <summary>policy for plymouthd</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run plymouthd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`plymouth_domtrans', `
+ gen_require(`
+ type plymouthd_t, plymouthd_exec_t;
+ ')
+
+ domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
+')
+
+########################################
+## <summary>
+## Execute the plymoth daemon in the current domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`plymouth_exec', `
+ gen_require(`
+ type plymouthd_exec_t;
+ ')
+
+ can_exec($1, plymouthd_exec_t)
+')
+
+########################################
+## <summary>
+## Execute the plymoth command in the current domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`plymouth_exec_plymouth', `
+ gen_require(`
+ type plymouth_exec_t;
+ ')
+
+ can_exec($1, plymouth_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run plymouthd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`plymouth_domtrans_plymouth', `
+ gen_require(`
+ type plymouth_t, plymouth_exec_t;
+ ')
+
+ domtrans_pattern($1, plymouth_exec_t, plymouth_t)
+')
+
+
+########################################
+## <summary>
+## Read plymouthd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouth_read_pid_files', `
+ gen_require(`
+ type plymouthd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 plymouthd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage plymouthd var_run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouth_manage_var_run', `
+ gen_require(`
+ type plymouthd_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
+ manage_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
+ manage_lnk_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
+')
+
+
+########################################
+## <summary>
+## Search plymouthd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouth_search_lib', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ allow $1 plymouthd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read plymouthd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouth_read_lib_files', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## plymouthd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouth_manage_lib_files', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage plymouthd var_lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouth_manage_var_lib', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ manage_dirs_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+ manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+ manage_lnk_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## Search plymouthd spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouth_search_spool', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ allow $1 plymouthd_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Read plymouthd spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouth_read_spool_files', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## plymouthd spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouth_manage_spool_files', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage plymouthd spool files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`plymouth_manage_spool', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ manage_dirs_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+ manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+ manage_lnk_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an plymouthd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`plymouth_admin', `
+ gen_require(`
+ type plymouthd_t;
+ ')
+
+ allow $1 plymouthd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, plymouthd_t, plymouthd_t)
+
+ plymouthd_manage_var_run($1)
+
+ plymouthd_manage_var_lib($1)
+
+ plymouthd_manage_spool($1)
+')
+
+########################################
+## <summary>
+## Allow domain to Stream socket connect
+## to Plymouth daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouth_stream_connect', `
+ gen_require(`
+ type plymouthd_t;
+ ')
+
+ allow $1 plymouthd_t:unix_stream_socket connectto;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.7.5/policy/modules/services/plymouth.te
--- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/plymouth.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,102 @@
+policy_module(plymouthd, 1.0.0)
+
+########################################
+#
+# Plymouthd private declarations
+#
+
+type plymouthd_t;
+type plymouthd_exec_t;
+init_daemon_domain(plymouthd_t, plymouthd_exec_t)
+
+permissive plymouthd_t;
+
+type plymouthd_var_run_t;
+files_pid_file(plymouthd_var_run_t)
+
+type plymouthd_var_lib_t;
+files_type(plymouthd_var_lib_t)
+
+type plymouthd_spool_t;
+files_type(plymouthd_spool_t)
+
+########################################
+#
+# Plymouth private declarations
+#
+
+type plymouth_t;
+type plymouth_exec_t;
+init_daemon_domain(plymouth_t, plymouth_exec_t)
+
+permissive plymouth_t;
+
+########################################
+#
+# Plymouthd private policy
+#
+
+allow plymouthd_t self:capability { sys_admin sys_tty_config };
+allow plymouthd_t self:process { signal };
+allow plymouthd_t self:fifo_file rw_fifo_file_perms;
+allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(plymouthd_t)
+kernel_request_load_module(plymouthd_t)
+kernel_change_ring_buffer_level(plymouthd_t)
+
+dev_rw_dri(plymouthd_t)
+dev_read_sysfs(plymouthd_t)
+dev_read_framebuffer(plymouthd_t)
+dev_write_framebuffer(plymouthd_t)
+
+domain_use_interactive_fds(plymouthd_t)
+
+files_read_etc_files(plymouthd_t)
+files_read_usr_files(plymouthd_t)
+
+miscfiles_read_localization(plymouthd_t)
+miscfiles_read_fonts(plymouthd_t)
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+files_pid_filetrans(plymouthd_t,plymouthd_var_run_t, { file dir })
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
+
+manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+files_spool_filetrans(plymouthd_t,plymouthd_spool_t, { file dir sock_file })
+
+########################################
+#
+# Plymouth private policy
+#
+
+allow plymouth_t self:process { signal };
+allow plymouth_t self:fifo_file rw_file_perms;
+allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_stream_connect(plymouth_t)
+
+domain_use_interactive_fds(plymouth_t)
+
+files_read_etc_files(plymouth_t)
+
+miscfiles_read_localization(plymouth_t)
+
+plymouth_stream_connect(plymouth_t)
+
+optional_policy(`
+ lvm_domtrans(plymouth_t)
+')
+
+ifdef(`hide_broken_symptoms', `
+optional_policy(`
+ hal_dontaudit_write_log(plymouth_t)
+ hal_dontaudit_rw_pipes(plymouth_t)
+')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.5/policy/modules/services/policykit.fc
--- nsaserefpolicy/policy/modules/services/policykit.fc 2009-08-18 11:41:14.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/policykit.fc 2009-12-21 13:07:09.000000000 -0500
@@ -6,10 +6,13 @@
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
-/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.5/policy/modules/services/policykit.if
--- nsaserefpolicy/policy/modules/services/policykit.if 2009-08-18 18:39:50.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/policykit.if 2009-12-21 13:07:09.000000000 -0500
@@ -17,12 +17,37 @@
class dbus send_msg;
')
+ ps_process_pattern(policykit_t, $1)
+
allow $1 policykit_t:dbus send_msg;
allow policykit_t $1:dbus send_msg;
')
########################################
## <summary>
+## Send and receive messages from
+## policykit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_dbus_chat_auth',`
+ gen_require(`
+ type policykit_auth_t;
+ class dbus send_msg;
+ ')
+
+ ps_process_pattern(policykit_auth_t, $1)
+
+ allow $1 policykit_auth_t:dbus send_msg;
+ allow policykit_auth_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Execute a domain transition to run polkit_auth.
## </summary>
## <param name="domain">
@@ -62,6 +87,9 @@
policykit_domtrans_auth($1)
role $2 types policykit_auth_t;
+
+ allow $1 policykit_auth_t:process signal;
+ ps_process_pattern(policykit_auth_t, $1)
')
########################################
@@ -206,4 +234,47 @@
files_search_var_lib($1)
read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
+
+ # Broken placement
+ cron_read_system_job_lib_files($1)
+')
+
+#######################################
+## <summary>
+## The per role template for the policykit module.
+## </summary>
+## <param name="user_role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+template(`policykit_role',`
+ policykit_run_auth($2, $1)
+ policykit_run_grant($2, $1)
+ policykit_read_lib($2)
+ policykit_read_reload($2)
+ policykit_dbus_chat($2)
+')
+########################################
+## <summary>
+## Send generic signal to policy_auth
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_signal_auth',`
+ gen_require(`
+ type policykit_auth_t;
+ ')
+
+ allow $1 policykit_auth_t:process signal;
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.5/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/policykit.te 2009-12-21 13:07:09.000000000 -0500
@@ -36,11 +36,12 @@
# policykit local policy
#
-allow policykit_t self:capability { setgid setuid };
-allow policykit_t self:process getattr;
-allow policykit_t self:fifo_file rw_file_perms;
+allow policykit_t self:capability { setgid setuid sys_ptrace };
+allow policykit_t self:process { getsched getattr };
+allow policykit_t self:fifo_file rw_fifo_file_perms;
+
allow policykit_t self:unix_dgram_socket create_socket_perms;
-allow policykit_t self:unix_stream_socket create_stream_socket_perms;
+allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
policykit_domtrans_auth(policykit_t)
@@ -57,32 +58,52 @@
manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
+kernel_read_system_state(policykit_t)
kernel_read_kernel_sysctls(policykit_t)
files_read_etc_files(policykit_t)
files_read_usr_files(policykit_t)
+fs_list_inotifyfs(policykit_t)
+
auth_use_nsswitch(policykit_t)
logging_send_syslog_msg(policykit_t)
miscfiles_read_localization(policykit_t)
+userdom_getattr_all_users(policykit_t)
userdom_read_all_users_state(policykit_t)
+userdom_dontaudit_search_admin_dir(policykit_t)
+
+optional_policy(`
+ dbus_system_domain(policykit_t, policykit_exec_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat(policykit_t)
+ ')
+')
########################################
#
# polkit_auth local policy
#
-allow policykit_auth_t self:capability setgid;
-allow policykit_auth_t self:process getattr;
-allow policykit_auth_t self:fifo_file rw_file_perms;
+allow policykit_auth_t self:capability { setgid setuid };
+allow policykit_auth_t self:process { getattr getsched };
+allow policykit_auth_t self:fifo_file rw_fifo_file_perms;
+
allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
+policykit_dbus_chat(policykit_auth_t)
+
can_exec(policykit_auth_t, policykit_auth_exec_t)
-corecmd_search_bin(policykit_auth_t)
+corecmd_exec_bin(policykit_auth_t)
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
@@ -92,21 +113,25 @@
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
-kernel_read_system_state(policykit_auth_t)
-
files_read_etc_files(policykit_auth_t)
files_read_usr_files(policykit_auth_t)
+files_search_home(policykit_auth_t)
+
+fs_getattr_all_fs(polkit_auth_t)
+fs_search_tmpfs(polkit_auth_t)
auth_use_nsswitch(policykit_auth_t)
+auth_domtrans_chk_passwd(policykit_auth_t)
logging_send_syslog_msg(policykit_auth_t)
miscfiles_read_localization(policykit_auth_t)
+miscfiles_read_fonts(policykit_auth_t)
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
optional_policy(`
- dbus_system_bus_client(policykit_auth_t)
+ dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
@@ -119,6 +144,14 @@
hal_read_state(policykit_auth_t)
')
+optional_policy(`
+ xserver_stream_connect(policykit_auth_t)
+ xserver_xdm_append_log(policykit_auth_t)
+ xserver_read_xdm_pid(policykit_auth_t)
+ xserver_search_xdm_lib(policykit_auth_t)
+ xserver_create_xdm_tmp_sockets(policykit_auth_t)
+')
+
########################################
#
# polkit_grant local policy
@@ -126,7 +159,8 @@
allow policykit_grant_t self:capability setuid;
allow policykit_grant_t self:process getattr;
-allow policykit_grant_t self:fifo_file rw_file_perms;
+allow policykit_grant_t self:fifo_file rw_fifo_file_perms;
+
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
@@ -156,9 +190,12 @@
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
- dbus_system_bus_client(policykit_grant_t)
+ cron_manage_system_job_lib_files(policykit_grant_t)
+')
optional_policy(`
+ dbus_system_bus_client(policykit_grant_t)
+ optional_policy(`
consolekit_dbus_chat(policykit_grant_t)
')
')
@@ -170,7 +207,8 @@
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
allow policykit_resolve_t self:process getattr;
-allow policykit_resolve_t self:fifo_file rw_file_perms;
+allow policykit_resolve_t self:fifo_file rw_fifo_file_perms;
+
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.5/policy/modules/services/portreserve.te
--- nsaserefpolicy/policy/modules/services/portreserve.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/portreserve.te 2009-12-22 08:23:05.000000000 -0500
@@ -21,6 +21,7 @@
# Portreserve local policy
#
+allow portreserve_t self:capability { dac_read_search dac_override };
allow portreserve_t self:fifo_file rw_fifo_file_perms;
allow portreserve_t self:unix_stream_socket create_stream_socket_perms;
allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -37,6 +38,8 @@
manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file })
+corecmd_getattr_bin_files(portreserve_t)
+
corenet_all_recvfrom_unlabeled(portreserve_t)
corenet_all_recvfrom_netlabel(portreserve_t)
corenet_tcp_bind_generic_node(portreserve_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.5/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/postfix.fc 2009-12-21 13:07:09.000000000 -0500
@@ -29,12 +29,10 @@
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
')
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.5/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/postfix.if 2009-12-21 13:07:09.000000000 -0500
@@ -46,6 +46,7 @@
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
+ read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
can_exec(postfix_$1_t, postfix_$1_exec_t)
@@ -79,6 +80,7 @@
files_read_usr_symlinks(postfix_$1_t)
files_search_spool(postfix_$1_t)
files_getattr_tmp_dirs(postfix_$1_t)
+ files_search_all_mountpoints(postfix_$1_t)
init_dontaudit_use_fds(postfix_$1_t)
init_sigchld(postfix_$1_t)
@@ -110,6 +112,13 @@
template(`postfix_server_domain_template',`
postfix_domain_template($1)
+ type postfix_$1_tmp_t;
+ files_tmp_file(postfix_$1_tmp_t)
+
+ manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
+ manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
+ files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir })
+
allow postfix_$1_t self:capability { setuid setgid dac_override };
allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
allow postfix_$1_t self:tcp_socket create_socket_perms;
@@ -174,9 +183,8 @@
type postfix_etc_t;
')
- allow $1 postfix_etc_t:dir list_dir_perms;
- allow $1 postfix_etc_t:file read_file_perms;
- allow $1 postfix_etc_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, postfix_etc_t, postfix_etc_t)
+ read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
files_search_etc($1)
')
@@ -232,6 +240,25 @@
########################################
## <summary>
+## Allow read/write postfix local pipes
+## TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`postfix_rw_local_pipes',`
+ gen_require(`
+ type postfix_local_t;
+ ')
+
+ allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
## Allow domain to read postfix local process state
## </summary>
## <param name="domain">
@@ -378,7 +405,7 @@
## </summary>
## </param>
#
-interface(`postfix_create_pivate_sockets',`
+interface(`postfix_create_private_sockets',`
gen_require(`
type postfix_private_t;
')
@@ -389,6 +416,25 @@
########################################
## <summary>
+## manage named socket in a postfix private directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_manage_private_sockets',`
+ gen_require(`
+ type postfix_private_t;
+ ')
+
+ allow $1 postfix_private_t:dir list_dir_perms;
+ manage_sock_files_pattern($1, postfix_private_t, postfix_private_t)
+')
+
+########################################
+## <summary>
## Execute the master postfix program in the
## postfix_master domain.
## </summary>
@@ -418,10 +464,10 @@
#
interface(`postfix_search_spool',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
- allow $1 postfix_spool_t:dir search_dir_perms;
+ allow $1 postfix_spool_type:dir search_dir_perms;
files_search_spool($1)
')
@@ -437,11 +483,30 @@
#
interface(`postfix_list_spool',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
+ ')
+
+ allow $1 postfix_spool_type:dir list_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Getattr postfix mail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_getattr_spool_files',`
+ gen_require(`
+ attribute postfix_spool_type;
')
- allow $1 postfix_spool_t:dir list_dir_perms;
files_search_spool($1)
+ getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
')
########################################
@@ -456,16 +521,16 @@
#
interface(`postfix_read_spool_files',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
files_search_spool($1)
- read_files_pattern($1, postfix_spool_t, postfix_spool_t)
+ read_files_pattern($1, postfix_spool_type, postfix_spool_type)
')
########################################
## <summary>
-## Create, read, write, and delete postfix mail spool files.
+## Manage postfix mail spool files.
## </summary>
## <param name="domain">
## <summary>
@@ -475,11 +540,11 @@
#
interface(`postfix_manage_spool_files',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
')
files_search_spool($1)
- manage_files_pattern($1, postfix_spool_t, postfix_spool_t)
+ manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
')
########################################
@@ -500,3 +565,62 @@
typeattribute $1 postfix_user_domtrans;
')
+
+########################################
+## <summary>
+## Execute the master postdrop in the
+## postfix_postdrop domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_postdrop',`
+ gen_require(`
+ type postfix_postdrop_t, postfix_postdrop_exec_t;
+ ')
+
+ domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
+')
+
+########################################
+## <summary>
+## Execute the master postqueue in the
+## postfix_postqueue domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_postqueue',`
+ gen_require(`
+ type postfix_postqueue_t, postfix_postqueue_exec_t;
+ ')
+
+ domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
+')
+
+########################################
+## <summary>
+## Execute the master postdrop in the
+## postfix_postdrop domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_run_postdrop',`
+ gen_require(`
+ type postfix_postdrop_t;
+ ')
+
+ postfix_domtrans_postdrop($1)
+ role $2 types postfix_postdrop_t;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.5/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/postfix.te 2009-12-21 13:07:09.000000000 -0500
@@ -6,6 +6,15 @@
# Declarations
#
+## <desc>
+## <p>
+## Allow postfix_local domain full write access to mail_spool directories
+##
+## </p>
+## </desc>
+gen_tunable(allow_postfix_local_write_mail_spool, false)
+
+attribute postfix_spool_type;
attribute postfix_user_domains;
# domains that transition to the
# postfix user domains
@@ -13,13 +22,13 @@
postfix_server_domain_template(bounce)
-type postfix_spool_bounce_t;
+type postfix_spool_bounce_t, postfix_spool_type;
files_type(postfix_spool_bounce_t)
postfix_server_domain_template(cleanup)
type postfix_etc_t;
-files_type(postfix_etc_t)
+files_config_file(postfix_etc_t)
type postfix_exec_t;
application_executable_file(postfix_exec_t)
@@ -27,13 +36,17 @@
postfix_server_domain_template(local)
mta_mailserver_delivery(postfix_local_t)
-type postfix_local_tmp_t;
-files_tmp_file(postfix_local_tmp_t)
+userdom_read_user_home_content_files(postfix_local_t)
+
+tunable_policy(`allow_postfix_local_write_mail_spool',`
+ mta_manage_spool(postfix_local_t)
+')
# Program for creating database files
type postfix_map_t;
type postfix_map_exec_t;
application_domain(postfix_map_t, postfix_map_exec_t)
+role system_r types postfix_map_t;
type postfix_map_tmp_t;
files_tmp_file(postfix_map_tmp_t)
@@ -68,13 +81,13 @@
postfix_server_domain_template(smtpd)
-type postfix_spool_t;
+type postfix_spool_t, postfix_spool_type;
files_type(postfix_spool_t)
-type postfix_spool_maildrop_t;
+type postfix_spool_maildrop_t, postfix_spool_type;
files_type(postfix_spool_maildrop_t)
-type postfix_spool_flush_t;
+type postfix_spool_flush_t, postfix_spool_type;
files_type(postfix_spool_flush_t)
type postfix_public_t;
@@ -90,9 +103,6 @@
postfix_server_domain_template(virtual)
mta_mailserver_delivery(postfix_virtual_t)
-type postfix_virtual_tmp_t;
-files_tmp_file(postfix_virtual_tmp_t)
-
########################################
#
# Postfix master process local policy
@@ -103,6 +113,7 @@
allow postfix_master_t self:fifo_file rw_fifo_file_perms;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
+allow postfix_master_t self:process setrlimit;
allow postfix_master_t postfix_etc_t:file rw_file_perms;
@@ -132,6 +143,7 @@
# allow access to deferred queue and allow removing bogus incoming entries
manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
allow postfix_master_t postfix_spool_bounce_t:file getattr;
@@ -142,6 +154,7 @@
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
kernel_read_all_sysctls(postfix_master_t)
@@ -153,6 +166,9 @@
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
+corenet_udp_bind_generic_node(postfix_master_t)
+corenet_udp_bind_all_unreserved_ports(postfix_master_t)
+corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
corenet_tcp_bind_generic_node(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
@@ -170,6 +186,8 @@
domain_use_interactive_fds(postfix_master_t)
files_read_usr_files(postfix_master_t)
+files_search_var_lib(postfix_master_t)
+files_search_tmp(postfix_master_t)
term_dontaudit_search_ptys(postfix_master_t)
@@ -181,6 +199,7 @@
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
+mta_getattr_spool(postfix_master_t)
ifdef(`distro_redhat',`
# for newer main.cf that uses /etc/aliases
@@ -193,6 +212,10 @@
')
optional_policy(`
+ kerberos_keytab_template(postfix, postfix_t)
+')
+
+optional_policy(`
# for postalias
mailman_manage_data_files(postfix_master_t)
')
@@ -202,6 +225,10 @@
')
optional_policy(`
+ postgrey_search_spool(postfix_master_t)
+')
+
+optional_policy(`
sendmail_signal(postfix_master_t)
')
@@ -219,6 +246,7 @@
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir)
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
@@ -240,11 +268,18 @@
manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
corecmd_exec_bin(postfix_cleanup_t)
+mta_read_aliases(postfix_cleanup_t)
+
+optional_policy(`
+ mailman_read_data_files(postfix_cleanup_t)
+')
+
########################################
#
# Postfix local local policy
@@ -253,10 +288,6 @@
allow postfix_local_t self:fifo_file rw_fifo_file_perms;
allow postfix_local_t self:process { setsched setrlimit };
-manage_dirs_pattern(postfix_local_t, postfix_local_tmp_t, postfix_local_tmp_t)
-manage_files_pattern(postfix_local_t, postfix_local_tmp_t, postfix_local_tmp_t)
-files_tmp_filetrans(postfix_local_t, postfix_local_tmp_t, { file dir })
-
# connect to master process
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
@@ -270,18 +301,29 @@
files_read_etc_files(postfix_local_t)
+logging_dontaudit_search_logs(postfix_local_t)
+
mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
+domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+
optional_policy(`
clamav_search_lib(postfix_local_t)
+ clamav_exec_clamscan(postfix_local_t)
')
optional_policy(`
# for postalias
mailman_manage_data_files(postfix_local_t)
+ mailman_append_log(postfix_local_t)
+ mailman_read_log(postfix_local_t)
+')
+
+optional_policy(`
+ nagios_search_spool(postfix_local_t)
')
optional_policy(`
@@ -292,8 +334,7 @@
#
# Postfix map local policy
#
-
-allow postfix_map_t self:capability setgid;
+allow postfix_map_t self:capability { dac_override setgid setuid };
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
@@ -340,14 +381,15 @@
miscfiles_read_localization(postfix_map_t)
-seutil_read_config(postfix_map_t)
-
-userdom_use_user_terminals(postfix_map_t)
-
optional_policy(`
locallogin_dontaudit_use_fds(postfix_map_t)
')
+optional_policy(`
+# for postalias
+ mailman_manage_data_files(postfix_map_t)
+')
+
########################################
#
# Postfix pickup local policy
@@ -372,6 +414,7 @@
#
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
+allow postfix_pipe_t self:process setrlimit;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
@@ -379,6 +422,12 @@
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+
+optional_policy(`
+ dovecot_domtrans_deliver(postfix_pipe_t)
+')
+
optional_policy(`
procmail_domtrans(postfix_pipe_t)
')
@@ -388,6 +437,15 @@
')
optional_policy(`
+ mta_manage_spool(postfix_pipe_t)
+ mta_send_mail(postfix_pipe_t)
+')
+
+optional_policy(`
+ spamassassin_domtrans_client(postfix_pipe_t)
+')
+
+optional_policy(`
uucp_domtrans_uux(postfix_pipe_t)
')
@@ -415,6 +473,10 @@
mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
optional_policy(`
+ apache_dontaudit_rw_fifo_file(postfix_postdrop_t)
+')
+
+optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
@@ -424,8 +486,11 @@
')
optional_policy(`
- ppp_use_fds(postfix_postqueue_t)
- ppp_sigchld(postfix_postqueue_t)
+ sendmail_dontaudit_rw_unix_stream_sockets(postfix_postdrop_t)
+')
+
+optional_policy(`
+ uucp_manage_spool(postfix_postdrop_t)
')
#######################################
@@ -451,6 +516,15 @@
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
+optional_policy(`
+ cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t)
+')
+
+optional_policy(`
+ ppp_use_fds(postfix_postqueue_t)
+ ppp_sigchld(postfix_postqueue_t)
+')
+
########################################
#
# Postfix qmgr local policy
@@ -464,6 +538,7 @@
manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -505,7 +580,7 @@
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
-files_dontaudit_getattr_home_dir(postfix_smtp_t)
+files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
@@ -535,9 +610,18 @@
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
+
+# postfix checks the size of all mounted file systems
+fs_getattr_all_dirs(postfix_smtpd_t)
+fs_getattr_all_fs(postfix_smtpd_t)
+
mta_read_aliases(postfix_smtpd_t)
optional_policy(`
+ dovecot_stream_connect_auth(postfix_smtpd_t)
+')
+
+optional_policy(`
mailman_read_data_files(postfix_smtpd_t)
')
@@ -559,20 +643,22 @@
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-manage_dirs_pattern(postfix_virtual_t, postfix_virtual_tmp_t, postfix_virtual_tmp_t)
-manage_files_pattern(postfix_virtual_t, postfix_virtual_tmp_t, postfix_virtual_tmp_t)
-files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
-
# connect to master process
-stream_connect_pattern(postfix_virtual_t, postfix_public_t, postfix_public_t, postfix_master_t)
+stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
corecmd_exec_shell(postfix_virtual_t)
corecmd_exec_bin(postfix_virtual_t)
files_read_etc_files(postfix_virtual_t)
+files_read_usr_files(postfix_virtual_t)
mta_read_aliases(postfix_virtual_t)
mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
+
+userdom_manage_user_home_dirs(postfix_virtual_t)
+userdom_manage_user_home_content(postfix_virtual_t)
+userdom_home_filetrans_user_home_dir(postfix_virtual_t)
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.5/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/postgresql.fc 2009-12-21 13:07:09.000000000 -0500
@@ -2,6 +2,8 @@
# /etc
#
/etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
+/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
+/etc/sysconfig/pgsql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
#
# /usr
@@ -9,13 +11,11 @@
/usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/pgsql/test/regres(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
-/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-
-/usr/lib(64)?/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib(64)?/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+/usr/lib(64)?/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
ifdef(`distro_debian', `
-/usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib(64)?/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
')
ifdef(`distro_redhat', `
@@ -38,8 +38,6 @@
/var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
/var/log/sepostgresql\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
-ifdef(`distro_redhat', `
-/var/log/rhdb/rhdb(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
-')
-
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.5/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/postgresql.if 2009-12-21 13:07:09.000000000 -0500
@@ -125,6 +125,23 @@
typeattribute $1 sepgsql_table_type;
')
+######################################
+## <summary>
+## Allow domain to signal postgresql
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`postgresql_signal',`
+ gen_require(`
+ type postgresql_t;
+ ')
+ allow $1 postgresql_t:process signal;
+')
+
########################################
## <summary>
## Marks as a SE-PostgreSQL system table/column/tuple object type
@@ -384,3 +401,46 @@
typeattribute $1 sepgsql_unconfined_type;
')
+
+########################################
+## <summary>
+## All of the rules required to administrate an postgresql environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the postgresql domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgresql_admin',`
+ gen_require(`
+ type postgresql_t, postgresql_var_run_t;
+ type postgresql_tmp_t, postgresql_db_t;
+ type postgresql_etc_t, postgresql_log_t;
+ type postgresql_initrc_exec_t;
+ ')
+
+ allow $1 postgresql_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postgresql_t)
+
+ init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 postgresql_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, postgresql_var_run_t)
+
+ admin_pattern($1, postgresql_db_t)
+
+ admin_pattern($1, postgresql_etc_t)
+
+ admin_pattern($1, postgresql_log_t)
+
+ admin_pattern($1, postgresql_tmp_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.5/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/postgresql.te 2009-12-21 13:07:09.000000000 -0500
@@ -32,6 +32,9 @@
type postgresql_etc_t;
files_config_file(postgresql_etc_t)
+type postgresql_initrc_exec_t;
+init_script_file(postgresql_initrc_exec_t)
+
type postgresql_lock_t;
files_lock_file(postgresql_lock_t)
@@ -139,6 +142,7 @@
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
allow postgresql_t self:process signal_perms;
allow postgresql_t self:fifo_file rw_fifo_file_perms;
+allow postgresql_t self:file { getattr read };
allow postgresql_t self:sem create_sem_perms;
allow postgresql_t self:shm create_shm_perms;
allow postgresql_t self:tcp_socket create_stream_socket_perms;
@@ -209,9 +213,11 @@
corenet_udp_sendrecv_generic_node(postgresql_t)
corenet_tcp_sendrecv_all_ports(postgresql_t)
corenet_udp_sendrecv_all_ports(postgresql_t)
+corenet_udp_bind_generic_node(postgresql_t)
corenet_tcp_bind_generic_node(postgresql_t)
corenet_tcp_bind_postgresql_port(postgresql_t)
corenet_tcp_connect_auth_port(postgresql_t)
+corenet_tcp_connect_postgresql_port(postgresql_t)
corenet_sendrecv_postgresql_server_packets(postgresql_t)
corenet_sendrecv_auth_client_packets(postgresql_t)
@@ -242,11 +248,12 @@
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)
-auth_use_nsswitch(postgresql_t)
+auth_use_pam(postgresql_t)
init_read_utmp(postgresql_t)
logging_send_syslog_msg(postgresql_t)
+logging_send_audit_msgs(postgresql_t)
miscfiles_read_localization(postgresql_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.5/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2009-07-23 14:11:04.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/ppp.if 2009-12-21 13:07:09.000000000 -0500
@@ -177,10 +177,16 @@
interface(`ppp_run',`
gen_require(`
type pppd_t;
+ type pptp_t;
')
ppp_domtrans($1)
role $2 types pppd_t;
+ role $2 types pptp_t;
+
+ optional_policy(`
+ ddclient_run(pppd_t, $2)
+ ')
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.5/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/ppp.te 2009-12-21 13:07:09.000000000 -0500
@@ -38,7 +38,7 @@
files_type(pppd_etc_rw_t)
type pppd_initrc_exec_t alias pppd_script_exec_t;
-files_type(pppd_initrc_exec_t)
+init_script_file(pppd_initrc_exec_t)
# pppd_secret_t is the type of the pap and chap password files
type pppd_secret_t;
@@ -120,7 +120,7 @@
kernel_read_system_state(pppd_t)
kernel_rw_net_sysctls(pppd_t)
kernel_read_network_state(pppd_t)
-kernel_load_module(pppd_t)
+kernel_request_load_module(pppd_t)
dev_read_urand(pppd_t)
dev_search_sysfs(pppd_t)
@@ -193,6 +193,8 @@
optional_policy(`
mta_send_mail(pppd_t)
+ mta_system_content(pppd_etc_t)
+ mta_system_content(pppd_etc_rw_t)
')
optional_policy(`
@@ -216,7 +218,7 @@
# PPTP Local policy
#
-allow pptp_t self:capability { net_raw net_admin };
+allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin };
dontaudit pptp_t self:capability sys_tty_config;
allow pptp_t self:process signal;
allow pptp_t self:fifo_file rw_fifo_file_perms;
@@ -295,6 +297,14 @@
')
optional_policy(`
+ dbus_system_domain(pppd_t, pppd_exec_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(pppd_t)
+ ')
+')
+
+optional_policy(`
hostname_exec(pptp_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.5/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/procmail.te 2009-12-21 13:07:09.000000000 -0500
@@ -22,7 +22,7 @@
# Local policy
#
-allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
+allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override };
allow procmail_t self:process { setsched signal signull };
allow procmail_t self:fifo_file rw_fifo_file_perms;
allow procmail_t self:unix_stream_socket create_socket_perms;
@@ -77,6 +77,7 @@
files_read_usr_files(procmail_t)
logging_send_syslog_msg(procmail_t)
+logging_append_all_logs(procmail_t)
miscfiles_read_localization(procmail_t)
@@ -92,6 +93,7 @@
userdom_dontaudit_search_user_home_dirs(procmail_t)
mta_manage_spool(procmail_t)
+mta_read_queue(procmail_t)
ifdef(`hide_broken_symptoms',`
mta_dontaudit_rw_queue(procmail_t)
@@ -128,6 +130,10 @@
')
optional_policy(`
+ nagios_search_spool(procmail_t)
+')
+
+optional_policy(`
pyzor_domtrans(procmail_t)
pyzor_signal(procmail_t)
')
@@ -136,8 +142,8 @@
mta_read_config(procmail_t)
sendmail_domtrans(procmail_t)
sendmail_signal(procmail_t)
- sendmail_rw_tcp_sockets(procmail_t)
- sendmail_rw_unix_stream_sockets(procmail_t)
+ sendmail_dontaudit_rw_tcp_sockets(procmail_t)
+ sendmail_dontaudit_rw_unix_stream_sockets(procmail_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.5/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/pyzor.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,6 +1,10 @@
/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.5/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/pyzor.if 2009-12-21 13:07:09.000000000 -0500
@@ -88,3 +88,50 @@
corecmd_search_bin($1)
can_exec($1, pyzor_exec_t)
')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an pyzor environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the pyzor domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pyzor_admin',`
+ gen_require(`
+ type pyzord_t, pyzor_tmp_t, pyzord_log_t;
+ type pyzor_etc_t, pyzor_var_lib_t;
+ type pyzord_initrc_exec_t;
+ ')
+
+ allow $1 pyzord_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pyzord_t)
+
+ init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 pyzord_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, pyzor_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, pyzord_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, pyzor_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, pyzor_var_lib_t)
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.5/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/pyzor.te 2009-12-21 13:07:09.000000000 -0500
@@ -6,6 +6,38 @@
# Declarations
#
+
+ifdef(`distro_redhat',`
+
+ gen_require(`
+ type spamc_t;
+ type spamc_exec_t;
+ type spamd_t;
+ type spamd_initrc_exec_t;
+ type spamd_exec_t;
+ type spamc_tmp_t;
+ type spamd_log_t;
+ type spamd_var_lib_t;
+ type spamd_etc_t;
+ type spamc_tmp_t;
+ type spamc_home_t;
+ ')
+
+ typealias spamc_t alias pyzor_t;
+ typealias spamc_exec_t alias pyzor_exec_t;
+ typealias spamd_t alias pyzord_t;
+ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
+ typealias spamd_exec_t alias pyzord_exec_t;
+ typealias spamc_tmp_t alias pyzor_tmp_t;
+ typealias spamd_log_t alias pyzor_log_t;
+ typealias spamd_log_t alias pyzord_log_t;
+ typealias spamd_var_lib_t alias pyzor_var_lib_t;
+ typealias spamd_etc_t alias pyzor_etc_t;
+ typealias spamc_home_t alias pyzor_home_t;
+ typealias spamc_home_t alias user_pyzor_home_t;
+
+',`
+
type pyzor_t;
type pyzor_exec_t;
typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
@@ -40,6 +72,7 @@
type pyzord_log_t;
logging_log_file(pyzord_log_t)
+')
########################################
#
@@ -77,12 +110,16 @@
dev_read_urand(pyzor_t)
+fs_getattr_xattr_fs(pyzor_t)
+
files_read_etc_files(pyzor_t)
auth_use_nsswitch(pyzor_t)
miscfiles_read_localization(pyzor_t)
+mta_read_queue(pyzor_t)
+
userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.5/policy/modules/services/razor.fc
--- nsaserefpolicy/policy/modules/services/razor.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/razor.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,3 +1,4 @@
+/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.5/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/razor.if 2009-12-21 13:07:09.000000000 -0500
@@ -157,3 +157,45 @@
domtrans_pattern($1, razor_exec_t, razor_t)
')
+
+########################################
+## <summary>
+## Create, read, write, and delete razor files
+## in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`razor_manage_user_home_files',`
+ gen_require(`
+ type razor_home_t;
+ ')
+
+ files_search_home($1)
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, razor_home_t, razor_home_t)
+ read_lnk_files_pattern($1, razor_home_t, razor_home_t)
+')
+
+########################################
+## <summary>
+## read razor lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`razor_read_lib_files',`
+ gen_require(`
+ type razor_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.5/policy/modules/services/razor.te
--- nsaserefpolicy/policy/modules/services/razor.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/razor.te 2009-12-21 13:07:09.000000000 -0500
@@ -6,6 +6,32 @@
# Declarations
#
+ifdef(`distro_redhat',`
+
+ gen_require(`
+ type spamc_t;
+ type spamc_exec_t;
+ type spamd_log_t;
+ type spamd_spool_t;
+ type spamd_var_lib_t;
+ type spamd_etc_t;
+ type spamc_home_t;
+ type spamc_tmp_t;
+ ')
+
+ typealias spamc_t alias razor_t;
+ typealias spamc_exec_t alias razor_exec_t;
+ typealias spamd_log_t alias razor_log_t;
+ typealias spamd_var_lib_t alias razor_var_lib_t;
+ typealias spamd_etc_t alias razor_etc_t;
+ typealias spamc_home_t alias razor_home_t;
+ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+ typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+
+',`
+
type razor_exec_t;
corecmd_executable_file(razor_exec_t)
@@ -102,6 +128,8 @@
manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
+auth_use_nsswitch(razor_t)
+
logging_send_syslog_msg(razor_t)
userdom_search_user_home_dirs(razor_t)
@@ -120,5 +148,7 @@
')
optional_policy(`
- nscd_socket_use(razor_t)
+ milter_manage_spamass_state(razor_t)
+')
+
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.5/policy/modules/services/rdisc.if
--- nsaserefpolicy/policy/modules/services/rdisc.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/rdisc.if 2009-12-21 13:07:09.000000000 -0500
@@ -1 +1,20 @@
## <summary>Network router discovery daemon</summary>
+
+######################################
+## <summary>
+## Execute rdisc in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rdisc_exec',`
+ gen_require(`
+ type rdisc_exec_t;
+ ')
+
+ corecmd_search_sbin($1)
+ can_exec($1,rdisc_exec_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.5/policy/modules/services/rgmanager.fc
--- nsaserefpolicy/policy/modules/services/rgmanager.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/rgmanager.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,8 @@
+
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+
+/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+
+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.5/policy/modules/services/rgmanager.if
--- nsaserefpolicy/policy/modules/services/rgmanager.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/rgmanager.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,59 @@
+## <summary>SELinux policy for rgmanager</summary>
+
+#######################################
+## <summary>
+## Execute a domain transition to run rgmanager.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rgmanager_domtrans',`
+ gen_require(`
+ type rgmanager_t, rgmanager_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domrans_pattern($1,rgmanager_exec_t,rgmanager_t)
+
+')
+
+#######################################
+## <summary>
+## Allow read and write access to rgmanager semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_rw_semaphores',`
+ gen_require(`
+ type rgmanager_t;
+ ')
+
+ allow $1 rgmanager_t:sem { unix_read unix_write associate read write };
+')
+
+########################################
+## <summary>
+## Connect to rgmanager over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_stream_connect',`
+ gen_require(`
+ type rgmanager_t, rgmanager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.5/policy/modules/services/rgmanager.te
--- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/rgmanager.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,187 @@
+
+policy_module(rgmanager,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow rgmanager domain to connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(rgmanager_can_network_connect, false)
+
+type rgmanager_t;
+type rgmanager_exec_t;
+domain_type(rgmanager_t)
+init_daemon_domain(rgmanager_t, rgmanager_exec_t)
+
+# tmp files
+type rgmanager_tmp_t;
+files_tmp_file(rgmanager_tmp_t)
+
+# log files
+type rgmanager_var_log_t;
+logging_log_file(rgmanager_var_log_t)
+
+# pid files
+type rgmanager_var_run_t;
+files_pid_file(rgmanager_var_run_t)
+
+permissive rgmanager_t;
+########################################
+#
+# rgmanager local policy
+#
+
+allow rgmanager_t self:capability { sys_nice ipc_lock };
+dontaudit rgmanager_t self:capability { sys_ptrace };
+allow rgmanager_t self:process { setsched signal };
+dontaudit rgmanager_t self:process { ptrace };
+
+allow rgmanager_t self:fifo_file rw_fifo_file_perms;
+allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
+allow rgmanager_t self:unix_dgram_socket create_socket_perms;
+allow rgmanager_t self:tcp_socket create_stream_socket_perms;
+
+# tmp files
+manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
+
+# log files
+manage_files_pattern(rgmanager_t, rgmanager_var_log_t,rgmanager_var_log_t)
+logging_log_filetrans(rgmanager_t,rgmanager_var_log_t,{ file })
+
+# pid file
+manage_files_pattern(rgmanager_t, rgmanager_var_run_t,rgmanager_var_run_t)
+manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+files_pid_filetrans(rgmanager_t,rgmanager_var_run_t, { file sock_file })
+
+aisexec_stream_connect(rgmanager_t)
+groupd_stream_connect(rgmanager_t)
+
+corecmd_exec_bin(rgmanager_t)
+corecmd_exec_sbin(rgmanager_t)
+corecmd_exec_shell(rgmanager_t)
+consoletype_exec(rgmanager_t)
+
+kernel_read_kernel_sysctls(rgmanager_t)
+kernel_search_debugfs(rgmanager_t)
+
+fs_getattr_xattr_fs(rgmanager_t)
+
+# need to write to /dev/misc/dlm-control
+dev_manage_generic_chr_files(rgmanager_t)
+dev_search_sysfs(rgmanager_t)
+
+domain_read_all_domains_state(rgmanager_t)
+domain_getattr_all_domains(rgmanager_t)
+domain_dontaudit_ptrace_all_domains(rgmanager_t)
+
+# needed by resources scripts
+auth_read_all_files_except_shadow(rgmanager_t)
+auth_dontaudit_getattr_shadow(rgmanager_t)
+
+files_list_all(rgmanager_t)
+files_getattr_all_symlinks(rgmanager_t)
+
+files_create_var_run_dirs(rgmanager_t)
+
+fs_getattr_xattr_fs(rgmanager_t)
+
+term_getattr_pty_fs(rgmanager_t)
+#term_use_ptmx(rgmanager_t)
+
+auth_use_nsswitch(rgmanager_t)
+
+libs_use_ld_so(rgmanager_t)
+libs_use_shared_libs(rgmanager_t)
+
+logging_send_syslog_msg(rgmanager_t)
+
+miscfiles_read_localization(rgmanager_t)
+
+tunable_policy(`rgmanager_can_network_connect',`
+ corenet_tcp_connect_all_ports(rgmanager_t)
+')
+
+# rgmanager can run resource scripts
+
+optional_policy(`
+ apache_domtrans(rgmanager_t)
+ apache_signal(rgmanager_t)
+')
+
+optional_policy(`
+ fstools_domtrans(rgmanager_t)
+')
+
+optional_policy(`
+ hostname_exec(rgmanager_t)
+')
+
+optional_policy(`
+ ccs_manage_config(rgmanager_t)
+ ccs_stream_connect(rgmanager_t)
+ gfs_controld_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ lvm_domtrans(rgmanager_t)
+')
+
+optional_policy(`
+ ldap_initrc_domtrans(rgmanager_t)
+ ldap_domtrans(rgmanager_t)
+')
+
+optional_policy(`
+ mysql_domtrans_mysql_safe(rgmanager_t)
+ mysql_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ netutils_domtrans(rgmanager_t)
+ netutils_domtrans_ping(rgmanager_t)
+')
+
+optional_policy(`
+ postgresql_domtrans(rgmanager_t)
+ postgresql_signal(rgmanager_t)
+')
+
+optional_policy(`
+ rdisc_exec(rgmanager_t)
+')
+
+optional_policy(`
+ rpc_initrc_domtrans_nfsd(rgmanager_t)
+ rpc_initrc_domtrans_rpcd(rgmanager_t)
+
+ rpc_domtrans_nfsd(rgmanager_t)
+ rpc_domtrans_rpcd(rgmanager_t)
+')
+
+optional_policy(`
+ samba_initrc_domtrans(rgmanager_t)
+ samba_domtrans_smbd(rgmanager_t)
+ samba_domtrans_nmbd(rgmanager_t)
+ samba_manage_var_files(rgmanager_t)
+ samba_rw_config(rgmanager_t)
+ samba_signal_smbd(rgmanager_t)
+ samba_signal_nmbd(rgmanager_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(rgmanager_t)
+')
+
+optional_policy(`
+ udev_read_db(rgmanager_t)
+')
+
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.5/policy/modules/services/rhcs.fc
--- nsaserefpolicy/policy/modules/services/rhcs.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/rhcs.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,22 @@
+
+/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+
+/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
+/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+
+/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
+/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+
+/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
+
+/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
+/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.5/policy/modules/services/rhcs.if
--- nsaserefpolicy/policy/modules/services/rhcs.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/rhcs.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,367 @@
+## <summary>SELinux policy for RHCS - Red Hat Cluster Suite </summary>
+
+######################################
+## <summary>
+## Execute a domain transition to run groupd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`groupd_domtrans',`
+ gen_require(`
+ type groupd_t, groupd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1,groupd_exec_t,groupd_t)
+')
+
+#####################################
+## <summary>
+## Connect to groupd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`groupd_stream_connect',`
+ gen_require(`
+ type groupd_t, groupd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
+')
+
+#####################################
+## <summary>
+## Manage groupd tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`groupd_manage_tmpfs_files',`
+ gen_require(`
+ type groupd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+ manage_lnk_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
+#####################################
+## <summary>
+## Allow read and write access to groupd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`groupd_rw_semaphores',`
+ gen_require(`
+ type groupd_t;
+ ')
+
+ allow $1 groupd_t:sem { rw_sem_perms destroy };
+')
+
+########################################
+## <summary>
+## Read and write to group shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`groupd_rw_shm',`
+ gen_require(`
+ type groupd_t;
+ ')
+
+ allow $1 groupd_t:shm { rw_shm_perms destroy };
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run dlm_controld.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dlm_controld_domtrans',`
+ gen_require(`
+ type dlm_controld_t, dlm_controld_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1,dlm_controld_exec_t,dlm_controld_t)
+
+')
+
+#####################################
+## <summary>
+## Connect to dlm_controld over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dlm_controld_stream_connect',`
+ gen_require(`
+ type dlm_controld_t, dlm_controld_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
+')
+
+#####################################
+## <summary>
+## Manage dlm_controld tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`dlm_controld_manage_tmpfs_files',`
+ gen_require(`
+ type dlm_controld_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
+ manage_lnk_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
+')
+
+#####################################
+## <summary>
+## Allow read and write access to dlm_controld semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dlm_controld_rw_semaphores',`
+ gen_require(`
+ type dlm_controld_t;
+ ')
+
+ allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run fenced.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fenced_domtrans',`
+ gen_require(`
+ type fenced_t, fenced_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1,fenced_exec_t,fenced_t)
+
+')
+
+######################################
+## <summary>
+## Connect to fenced over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fenced_stream_connect',`
+ gen_require(`
+ type fenced_var_run_t, fenced_t;
+ ')
+
+ allow $1 fenced_t:unix_stream_socket connectto;
+ allow $1 fenced_var_run_t:sock_file { getattr write };
+ files_search_pids($1)
+')
+
+#####################################
+## <summary>
+## Managed fenced tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`fenced_manage_tmpfs_files',`
+ gen_require(`
+ type fenced_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
+ manage_lnk_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
+')
+
+######################################
+## <summary>
+## Allow read and write access to fenced semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fenced_rw_semaphores',`
+ gen_require(`
+ type fenced_t;
+ ')
+
+ allow $1 fenced_t:sem { rw_sem_perms destroy };
+')
+
+#####################################
+## <summary>
+## Execute a domain transition to run gfs_controld.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gfs_controld_domtrans',`
+ gen_require(`
+ type gfs_controld_t, gfs_controld_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1,gfs_controld_exec_t,gfs_controld_t)
+')
+
+###################################
+## <summary>
+## Manage gfs_controld tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`gfs_controld_manage_tmpfs_files',`
+ gen_require(`
+ type gfs_controld_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
+ manage_lnk_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
+')
+
+####################################
+## <summary>
+## Allow read and write access to gfs_controld semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gfs_controld_rw_semaphores',`
+ gen_require(`
+ type gfs_controld_t;
+ ')
+
+ allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
+')
+
+########################################
+## <summary>
+## Read and write to gfs_controld_t shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`gfs_controld_t_rw_shm',`
+ gen_require(`
+ type gfs_controld_t;
+ ')
+
+ allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
+')
+
+#####################################
+## <summary>
+## Connect to gfs_controld_t over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gfs_controld_stream_connect',`
+ gen_require(`
+ type gfs_controld_t, gfs_controld_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t)
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run qdiskd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qdiskd_domtrans',`
+ gen_require(`
+ type qdiskd_t, qdiskd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1,qdiskd_exec_t,qdiskd_t)
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.5/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/rhcs.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,410 @@
+
+policy_module(rhcs,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow fenced domain to connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(fenced_can_network_connect, false)
+
+type dlm_controld_t;
+type dlm_controld_exec_t;
+init_daemon_domain(dlm_controld_t, dlm_controld_exec_t)
+
+# log files
+type dlm_controld_var_log_t;
+logging_log_file(dlm_controld_var_log_t)
+
+# pid files
+type dlm_controld_var_run_t;
+files_pid_file(dlm_controld_var_run_t)
+
+type dlm_controld_tmpfs_t;
+files_tmpfs_file(dlm_controld_tmpfs_t)
+
+
+type fenced_t;
+type fenced_exec_t;
+init_daemon_domain(fenced_t, fenced_exec_t)
+
+# tmp files
+type fenced_tmp_t;
+files_tmp_file(fenced_tmp_t)
+
+type fenced_tmpfs_t;
+files_tmpfs_file(fenced_tmpfs_t)
+
+# log files
+type fenced_var_log_t;
+logging_log_file(fenced_var_log_t)
+
+# pid files
+type fenced_var_run_t;
+files_pid_file(fenced_var_run_t)
+
+type gfs_controld_t;
+type gfs_controld_exec_t;
+init_daemon_domain(gfs_controld_t, gfs_controld_exec_t)
+
+# log files
+type gfs_controld_var_log_t;
+logging_log_file(gfs_controld_var_log_t)
+
+# pid files
+type gfs_controld_var_run_t;
+files_pid_file(gfs_controld_var_run_t)
+
+type gfs_controld_tmpfs_t;
+files_tmpfs_file(gfs_controld_tmpfs_t)
+
+
+type groupd_t;
+type groupd_exec_t;
+init_daemon_domain(groupd_t, groupd_exec_t)
+
+# log files
+type groupd_var_log_t;
+logging_log_file(groupd_var_log_t)
+
+# pid files
+type groupd_var_run_t;
+files_pid_file(groupd_var_run_t)
+
+type groupd_tmpfs_t;
+files_tmpfs_file(groupd_tmpfs_t)
+
+type qdiskd_t;
+type qdiskd_exec_t;
+init_daemon_domain(qdiskd_t, qdiskd_exec_t)
+
+type qdiskd_tmpfs_t;
+files_tmpfs_file(qdiskd_tmpfs_t)
+
+# var/lib files
+type qdiskd_var_lib_t;
+files_type(qdiskd_var_lib_t)
+
+# log files
+type qdiskd_var_log_t;
+logging_log_file(qdiskd_var_log_t)
+
+# pid files
+type qdiskd_var_run_t;
+files_pid_file(qdiskd_var_run_t)
+
+#####################################
+#
+# dlm_controld local policy
+#
+
+allow dlm_controld_t self:capability { net_admin sys_admin sys_nice sys_resource };
+allow dlm_controld_t self:process setsched;
+
+allow dlm_controld_t self:sem create_sem_perms;
+allow dlm_controld_t self:fifo_file rw_fifo_file_perms;
+allow dlm_controld_t self:unix_stream_socket { create_stream_socket_perms };
+allow dlm_controld_t self:unix_dgram_socket { create_socket_perms };
+allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
+manage_files_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
+fs_tmpfs_filetrans(dlm_controld_t, dlm_controld_tmpfs_t,{ dir file })
+
+# log files
+manage_files_pattern(dlm_controld_t, dlm_controld_var_log_t,dlm_controld_var_log_t)
+logging_log_filetrans(dlm_controld_t,dlm_controld_var_log_t,{ file })
+
+# pid files
+manage_files_pattern(dlm_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t)
+manage_sock_files_pattern(dlm_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t)
+files_pid_filetrans(dlm_controld_t,dlm_controld_var_run_t, { file })
+
+stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
+aisexec_stream_connect(dlm_controld_t)
+ccs_stream_connect(dlm_controld_t)
+groupd_stream_connect(dlm_controld_t)
+
+kernel_read_system_state(dlm_controld_t)
+
+dev_rw_sysfs(dlm_controld_t)
+
+fs_manage_configfs_files(dlm_controld_t)
+fs_manage_configfs_dirs(dlm_controld_t)
+
+init_rw_script_tmp_files(dlm_controld_t)
+
+libs_use_ld_so(dlm_controld_t)
+libs_use_shared_libs(dlm_controld_t)
+
+logging_send_syslog_msg(dlm_controld_t)
+
+miscfiles_read_localization(dlm_controld_t)
+
+#######################################
+#
+# fenced local policy
+#
+
+allow fenced_t self:capability { sys_nice sys_rawio sys_resource };
+allow fenced_t self:process { setsched getsched };
+
+allow fenced_t self:fifo_file rw_fifo_file_perms;
+allow fenced_t self:sem create_sem_perms;
+allow fenced_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow fenced_t self:unix_dgram_socket create_socket_perms;
+allow fenced_t self:tcp_socket create_stream_socket_perms;
+allow fenced_t self:udp_socket create_socket_perms;
+
+can_exec(fenced_t,fenced_exec_t)
+
+# tmp files
+manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+files_tmp_filetrans(fenced_t, fenced_tmp_t, { file dir })
+
+manage_dirs_pattern(fenced_t, fenced_tmpfs_t, fenced_tmpfs_t)
+manage_files_pattern(fenced_t, fenced_tmpfs_t, fenced_tmpfs_t)
+fs_tmpfs_filetrans(fenced_t, fenced_tmpfs_t,{ dir file })
+
+# log files
+manage_files_pattern(fenced_t, fenced_var_log_t,fenced_var_log_t)
+logging_log_filetrans(fenced_t,fenced_var_log_t,{ file })
+
+# pid file
+manage_files_pattern(fenced_t, fenced_var_run_t,fenced_var_run_t)
+manage_sock_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t)
+manage_fifo_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t)
+files_pid_filetrans(fenced_t,fenced_var_run_t, { file fifo_file })
+
+stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+aisexec_stream_connect(fenced_t)
+ccs_stream_connect(fenced_t)
+
+corecmd_exec_bin(fenced_t)
+
+dev_read_sysfs(fenced_t)
+dev_read_urand(fenced_t)
+
+storage_raw_read_fixed_disk(fenced_t)
+storage_raw_write_fixed_disk(fenced_t)
+storage_raw_read_removable_device(fenced_t)
+
+term_use_ptmx(fenced_t)
+
+auth_use_nsswitch(fenced_t)
+
+files_read_usr_symlinks(fenced_t)
+
+libs_use_ld_so(fenced_t)
+libs_use_shared_libs(fenced_t)
+
+logging_send_syslog_msg(fenced_t)
+
+miscfiles_read_localization(fenced_t)
+
+tunable_policy(`fenced_can_network_connect',`
+ corenet_tcp_connect_all_ports(fenced_t)
+')
+
+optional_policy(`
+ ccs_read_config(fenced_t)
+')
+
+optional_policy(`
+ corosync_stream_connect(fenced_t)
+')
+
+optional_policy(`
+ lvm_domtrans(fenced_t)
+ lvm_read_config(fenced_t)
+')
+
+######################################
+#
+# gfs_controld local policy
+#
+
+allow gfs_controld_t self:capability { net_admin sys_nice sys_resource };
+allow gfs_controld_t self:process setsched;
+
+allow gfs_controld_t self:sem create_sem_perms;
+allow gfs_controld_t self:shm create_shm_perms;
+allow gfs_controld_t self:fifo_file rw_fifo_file_perms;
+allow gfs_controld_t self:unix_stream_socket { create_stream_socket_perms };
+allow gfs_controld_t self:unix_dgram_socket { create_socket_perms };
+allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(gfs_controld_t, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
+manage_files_pattern(gfs_controld_t, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
+fs_tmpfs_filetrans(gfs_controld_t, gfs_controld_tmpfs_t,{ dir file })
+
+# log files
+manage_files_pattern(gfs_controld_t, gfs_controld_var_log_t,gfs_controld_var_log_t)
+logging_log_filetrans(gfs_controld_t,gfs_controld_var_log_t,{ file })
+
+# pid files
+manage_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t)
+manage_sock_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t)
+files_pid_filetrans(gfs_controld_t,gfs_controld_var_run_t, { file })
+
+stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
+stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
+
+aisexec_stream_connect(gfs_controld_t)
+ccs_stream_connect(gfs_controld_t)
+groupd_stream_connect(gfs_controld_t)
+
+kernel_read_system_state(gfs_controld_t)
+
+storage_getattr_removable_dev(gfs_controld_t)
+
+dev_manage_generic_chr_files(gfs_controld_t)
+#dev_read_sysfs(gfs_controld_t)
+dev_rw_sysfs(gfs_controld_t)
+
+init_rw_script_tmp_files(gfs_controld_t)
+
+libs_use_ld_so(gfs_controld_t)
+libs_use_shared_libs(gfs_controld_t)
+
+logging_send_syslog_msg(gfs_controld_t)
+
+miscfiles_read_localization(gfs_controld_t)
+
+optional_policy(`
+ lvm_exec(gfs_controld_t)
+ dev_rw_lvm_control(gfs_controld_t)
+')
+
+#######################################
+#
+# groupd local policy
+#
+
+allow groupd_t self:capability { sys_nice sys_resource };
+allow groupd_t self:process setsched;
+
+allow groupd_t self:sem create_sem_perms;
+allow groupd_t self:shm create_shm_perms;
+allow groupd_t self:fifo_file rw_fifo_file_perms;
+allow groupd_t self:unix_stream_socket create_stream_socket_perms;
+allow groupd_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(groupd_t, groupd_tmpfs_t, groupd_tmpfs_t)
+manage_files_pattern(groupd_t, groupd_tmpfs_t, groupd_tmpfs_t)
+fs_tmpfs_filetrans(groupd_t, groupd_tmpfs_t,{ dir file })
+
+# log files
+manage_files_pattern(groupd_t, groupd_var_log_t,groupd_var_log_t)
+logging_log_filetrans(groupd_t,groupd_var_log_t,{ file })
+
+# pid files
+manage_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t)
+manage_sock_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t)
+files_pid_filetrans(groupd_t, groupd_var_run_t, { file })
+
+aisexec_stream_connect(groupd_t)
+
+dev_list_sysfs(groupd_t)
+
+files_read_etc_files(groupd_t)
+
+libs_use_ld_so(groupd_t)
+libs_use_shared_libs(groupd_t)
+
+logging_send_syslog_msg(groupd_t)
+
+miscfiles_read_localization(groupd_t)
+
+init_rw_script_tmp_files(groupd_t)
+
+logging_send_syslog_msg(groupd_t)
+
+######################################
+#
+# qdiskd local policy
+#
+
+allow qdiskd_t self:capability { sys_nice ipc_lock };
+allow qdiskd_t self:process setsched;
+
+allow qdiskd_t self:sem create_sem_perms;
+allow qdiskd_t self:udp_socket create_socket_perms;
+allow qdiskd_t self:udp_socket create_socket_perms;
+allow qdiskd_t self:unix_dgram_socket create_socket_perms;
+allow qdiskd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t)
+manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t)
+manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t)
+files_var_lib_filetrans(qdiskd_t,qdiskd_var_lib_t, { file dir sock_file })
+
+# log files
+manage_files_pattern(qdiskd_t, qdiskd_var_log_t,qdiskd_var_log_t)
+manage_sock_files_pattern(qdiskd_t, qdiskd_var_log_t,qdiskd_var_log_t)
+logging_log_filetrans(qdiskd_t,qdiskd_var_log_t,{ sock_file file })
+
+manage_dirs_pattern(qdiskd_t, qdiskd_tmpfs_t, qdiskd_tmpfs_t)
+manage_files_pattern(qdiskd_t, qdiskd_tmpfs_t, qdiskd_tmpfs_t)
+fs_tmpfs_filetrans(qdiskd_t, qdiskd_tmpfs_t,{ dir file })
+
+# pid files
+manage_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t)
+manage_sock_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t)
+files_pid_filetrans(qdiskd_t,qdiskd_var_run_t, { file })
+
+aisexec_stream_connect(qdiskd_t)
+ccs_stream_connect(qdiskd_t)
+
+corecmd_getattr_sbin_files(qdiskd_t)
+corecmd_exec_shell(qdiskd_t)
+
+kernel_read_system_state(qdiskd_t)
+kernel_read_software_raid_state(qdiskd_t)
+kernel_getattr_core_if(qdiskd_t)
+
+dev_read_sysfs(qdiskd_t)
+dev_list_all_dev_nodes(qdiskd_t)
+dev_getattr_all_blk_files(qdiskd_t)
+dev_getattr_all_chr_files(qdiskd_t)
+dev_manage_generic_blk_files(qdiskd_t)
+dev_manage_generic_chr_files(qdiskd_t)
+
+storage_raw_read_removable_device(qdiskd_t)
+storage_raw_write_removable_device(qdiskd_t)
+storage_raw_read_fixed_disk(qdiskd_t)
+storage_raw_write_fixed_disk(qdiskd_t)
+
+domain_dontaudit_getattr_all_pipes(qdiskd_t)
+domain_dontaudit_getattr_all_sockets(qdiskd_t)
+
+files_dontaudit_getattr_all_sockets(qdiskd_t)
+files_dontaudit_getattr_all_pipes(qdiskd_t)
+
+auth_use_nsswitch(qdiskd_t)
+
+files_read_etc_files(qdiskd_t)
+
+libs_use_ld_so(qdiskd_t)
+libs_use_shared_libs(qdiskd_t)
+
+logging_send_syslog_msg(qdiskd_t)
+
+miscfiles_read_localization(qdiskd_t)
+
+optional_policy(`
+ netutils_domtrans_ping(qdiskd_t)
+')
+
+optional_policy(`
+ udev_read_db(qdiskd_t)
+')
+
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.5/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/ricci.te 2009-12-21 13:07:09.000000000 -0500
@@ -194,10 +194,13 @@
# ricci_modcluster local policy
#
-allow ricci_modcluster_t self:capability sys_nice;
+allow ricci_modcluster_t self:capability { net_bind_service sys_nice };
allow ricci_modcluster_t self:process setsched;
allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms;
+corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
+corenet_tcp_bind_reserved_port(ricci_modclusterd_t)
+
kernel_read_kernel_sysctls(ricci_modcluster_t)
kernel_read_system_state(ricci_modcluster_t)
@@ -227,6 +230,10 @@
ricci_stream_connect_modclusterd(ricci_modcluster_t)
optional_policy(`
+ aisexec_stream_connect(ricci_modcluster_t)
+')
+
+optional_policy(`
ccs_stream_connect(ricci_modcluster_t)
ccs_domtrans(ricci_modcluster_t)
ccs_manage_config(ricci_modcluster_t)
@@ -245,6 +252,10 @@
')
optional_policy(`
+ rgmanager_stream_connect(ricci_modclusterd_t)
+')
+
+optional_policy(`
# XXX This has got to go.
unconfined_domain(ricci_modcluster_t)
')
@@ -264,6 +275,7 @@
allow ricci_modclusterd_t self:socket create_socket_perms;
allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
+allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
# log files
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
@@ -306,12 +318,20 @@
sysnet_dns_name_resolve(ricci_modclusterd_t)
optional_policy(`
+ aisexec_stream_connect(ricci_modclusterd_t)
+')
+
+optional_policy(`
ccs_domtrans(ricci_modclusterd_t)
ccs_stream_connect(ricci_modclusterd_t)
ccs_read_config(ricci_modclusterd_t)
')
optional_policy(`
+ rgmanager_stream_connect(ricci_modclusterd_t)
+')
+
+optional_policy(`
unconfined_use_fds(ricci_modclusterd_t)
')
@@ -440,6 +460,11 @@
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
+files_create_default_dir(ricci_modstorage_t)
+files_mounton_default(ricci_modstorage_t)
+files_manage_default_dirs(ricci_modstorage_t)
+files_manage_default_files(ricci_modstorage_t)
+
storage_raw_read_fixed_disk(ricci_modstorage_t)
term_dontaudit_use_console(ricci_modstorage_t)
@@ -457,6 +482,10 @@
mount_domtrans(ricci_modstorage_t)
optional_policy(`
+ aisexec_stream_connect(ricci_modstorage_t)
+')
+
+optional_policy(`
ccs_stream_connect(ricci_modstorage_t)
ccs_read_config(ricci_modstorage_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.7.5/policy/modules/services/rpc.fc
--- nsaserefpolicy/policy/modules/services/rpc.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/rpc.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,6 +1,10 @@
#
# /etc
#
+/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+
/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.5/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/rpc.if 2009-12-21 13:07:09.000000000 -0500
@@ -54,7 +54,7 @@
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:udp_socket create_socket_perms;
+ allow $1_t self:udp_socket create_stream_socket_perms;
manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
@@ -99,6 +99,7 @@
files_read_etc_runtime_files($1_t)
files_search_var($1_t)
files_search_var_lib($1_t)
+ files_list_home($1_t)
auth_use_nsswitch($1_t)
@@ -109,6 +110,10 @@
userdom_dontaudit_use_unpriv_user_fds($1_t)
optional_policy(`
+ rpcbind_stream_connect($1_t)
+ ')
+
+ optional_policy(`
seutil_sigchld_newrole($1_t)
')
@@ -204,7 +209,7 @@
domtrans_pattern($1, nfsd_exec_t, nfsd_t)
')
-########################################
+#######################################
## <summary>
## Execute domain in nfsd domain.
## </summary>
@@ -214,6 +219,24 @@
## </summary>
## </param>
#
+interface(`rpc_initrc_domtrans_nfsd',`
+ gen_require(`
+ type nfsd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nfsd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute domain in rpcd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
interface(`rpc_domtrans_rpcd',`
gen_require(`
type rpcd_t, rpcd_exec_t;
@@ -223,6 +246,24 @@
allow rpcd_t $1:process signal;
')
+#######################################
+## <summary>
+## Execute domain in rpcd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`rpc_initrc_domtrans_rpcd',`
+ gen_require(`
+ type rpcd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
+')
+
########################################
## <summary>
## Read NFS exported content.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.5/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/rpc.te 2009-12-22 08:26:50.000000000 -0500
@@ -37,8 +37,14 @@
# rpc_exec_t is the type of rpc daemon programs.
rpc_domain_template(rpcd)
+type rpcd_initrc_exec_t;
+init_script_file(rpcd_initrc_exec_t);
+
rpc_domain_template(nfsd)
+type nfsd_initrc_exec_t;
+init_script_file(nfsd_initrc_exec_t);
+
type nfsd_rw_t;
files_type(nfsd_rw_t)
@@ -53,7 +59,8 @@
# RPC local policy
#
-allow rpcd_t self:capability { chown dac_override setgid setuid };
+allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
+allow rpcd_t self:process { getcap setcap };
allow rpcd_t self:fifo_file rw_fifo_file_perms;
allow rpcd_t rpcd_var_run_t:dir setattr;
@@ -67,6 +74,7 @@
kernel_read_network_state(rpcd_t)
# for rpc.rquotad
kernel_read_sysctl(rpcd_t)
+kernel_request_load_module(gssd_t)
kernel_rw_fs_sysctls(rpcd_t)
kernel_dontaudit_getattr_core_if(rpcd_t)
kernel_signal(rpcd_t)
@@ -91,14 +99,21 @@
seutil_dontaudit_search_config(rpcd_t)
+userdom_signal_unpriv_users(rpcd_t)
+
optional_policy(`
automount_signal(rpcd_t)
+ automount_dontaudit_write_pipes(rpcd_t)
')
optional_policy(`
nis_read_ypserv_config(rpcd_t)
')
+optional_policy(`
+ domain_unconfined_signal(rpcd_t)
+')
+
########################################
#
# NFSD local policy
@@ -127,6 +142,7 @@
files_getattr_tmp_dirs(nfsd_t)
# cjp: this should really have its own type
files_manage_mounttab(nfsd_t)
+files_read_etc_runtime_files(nfsd_t)
fs_mount_nfsd_fs(nfsd_t)
fs_search_nfsd_fs(nfsd_t)
@@ -135,6 +151,7 @@
fs_rw_nfsd_fs(nfsd_t)
storage_dontaudit_read_fixed_disk(nfsd_t)
+storage_raw_read_removable_device(nfsd_t)
# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
@@ -151,6 +168,7 @@
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
')
+userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
tunable_policy(`nfs_export_all_ro',`
dev_getattr_all_blk_files(nfsd_t)
@@ -182,6 +200,7 @@
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)
+kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
@@ -189,8 +208,10 @@
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
+fs_list_inotifyfs(gssd_t)
files_list_tmp(gssd_t)
files_read_usr_symlinks(gssd_t)
+files_dontaudit_write_var_dirs(gssd_t)
auth_use_nsswitch(gssd_t)
auth_manage_cache(gssd_t)
@@ -199,10 +220,14 @@
mount_signal(gssd_t)
+userdom_signal_all_users(gssd_t)
+
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_user_tmp(gssd_t)
userdom_read_user_tmp_files(gssd_t)
userdom_read_user_tmp_symlinks(gssd_t)
+ userdom_dontaudit_write_user_tmp_files(gssd_t)
+ files_read_generic_tmp_files(gssd_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.5/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/rsync.te 2009-12-21 13:07:09.000000000 -0500
@@ -8,6 +8,13 @@
## <desc>
## <p>
+## Allow rsync to run as a client
+## </p>
+## </desc>
+gen_tunable(rsync_client, false)
+
+## <desc>
+## <p>
## Allow rsync to export any files/directories read only.
## </p>
## </desc>
@@ -24,7 +31,6 @@
type rsync_t;
type rsync_exec_t;
-init_daemon_domain(rsync_t, rsync_exec_t)
application_executable_file(rsync_exec_t)
role system_r types rsync_t;
@@ -126,4 +132,19 @@
auth_read_all_symlinks_except_shadow(rsync_t)
auth_tunable_read_shadow(rsync_t)
')
+
+tunable_policy(`rsync_client',`
+ corenet_tcp_connect_rsync_port(rsync_t)
+ corenet_tcp_connect_ssh_port(rsync_t)
+ manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
+ manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+ manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+')
+
+optional_policy(`
+ tunable_policy(`rsync_client',`
+ ssh_exec(rsync_t)
+ ')
+')
+
auth_can_read_shadow_passwords(rsync_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.5/policy/modules/services/rtkit.if
--- nsaserefpolicy/policy/modules/services/rtkit.if 2009-09-16 09:09:20.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/rtkit.if 2009-12-21 13:07:09.000000000 -0500
@@ -38,3 +38,23 @@
allow $1 rtkit_daemon_t:dbus send_msg;
allow rtkit_daemon_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## Allow rtkit to control scheduling for your process
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rtkit_daemon_system_domain',`
+ gen_require(`
+ type rtkit_daemon_t;
+ ')
+
+ ps_process_pattern(rtkit_daemon_t, $1)
+ allow rtkit_daemon_t $1:process { getsched setsched };
+ rtkit_daemon_dbus_chat($1)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.5/policy/modules/services/rtkit.te
--- nsaserefpolicy/policy/modules/services/rtkit.te 2009-09-16 09:09:20.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/rtkit.te 2009-12-21 13:07:09.000000000 -0500
@@ -17,9 +17,11 @@
allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
+allow rtkit_daemon_t self:capability sys_nice;
kernel_read_system_state(rtkit_daemon_t)
+domain_getsched_all_domains(rtkit_daemon_t)
domain_read_all_domains_state(rtkit_daemon_t)
fs_rw_anon_inodefs_files(rtkit_daemon_t)
@@ -28,7 +30,7 @@
logging_send_syslog_msg(rtkit_daemon_t)
-miscfiles_read_localization(locale_t)
+miscfiles_read_localization(rtkit_daemon_t)
optional_policy(`
policykit_dbus_chat(rtkit_daemon_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.5/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-29 15:15:33.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/samba.fc 2009-12-21 13:07:09.000000000 -0500
@@ -51,3 +51,7 @@
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+
+ifndef(`enable_mls',`
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.5/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2009-07-29 15:15:33.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/samba.if 2009-12-21 13:07:09.000000000 -0500
@@ -62,6 +62,25 @@
########################################
## <summary>
+## Execute samba net in the samba_unconfined_net domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_unconfined_net',`
+ gen_require(`
+ type samba_unconfined_net_t, samba_net_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t)
+')
+
+########################################
+## <summary>
## Execute samba net in the samba_net domain, and
## allow the specified role the samba_net domain.
## </summary>
@@ -86,6 +105,50 @@
role $2 types samba_net_t;
')
+#######################################
+## <summary>
+## The role for the samba module.
+## </summary>
+## <param name="role">
+## <summary>
+## The role to be allowed the samba_net domain.
+## </summary>
+## </param>
+#
+template(`samba_role_notrans',`
+ gen_require(`
+ type smbd_t;
+ ')
+
+ role $1 types smbd_t;
+')
+
+########################################
+## <summary>
+## Execute samba net in the samba_unconfined_net domain, and
+## allow the specified role the samba_unconfined_net domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the samba_unconfined_net domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_run_unconfined_net',`
+ gen_require(`
+ type samba_unconfined_net_t;
+ ')
+
+ samba_domtrans_unconfined_net($1)
+ role $2 types samba_unconfined_net_t;
+')
+
########################################
## <summary>
## Execute smbmount in the smbmount domain.
@@ -395,6 +458,7 @@
files_search_var($1)
files_search_var_lib($1)
manage_files_pattern($1, samba_var_t, samba_var_t)
+ manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
')
########################################
@@ -530,6 +594,7 @@
')
domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
+ allow $1 winbind_helper_t:process signal;
')
########################################
@@ -577,6 +642,40 @@
allow $1 winbind_var_run_t:file read_file_perms;
')
+#######################################
+## <summary>
+## Allow domain to signal samba
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`samba_signal_nmbd',`
+ gen_require(`
+ type nmbd_t;
+ ')
+ allow $1 nmbd_t:process signal;
+')
+
+######################################
+## <summary>
+## Allow domain to signal samba
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`samba_signal_smbd',`
+ gen_require(`
+ type smbd_t;
+ ')
+ allow $1 smbd_t:process signal;
+')
+
########################################
## <summary>
## Connect to winbind.
@@ -610,6 +709,36 @@
########################################
## <summary>
+## Create a set of derived types for apache
+## web content.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`samba_helper_template',`
+ gen_require(`
+ type smbd_t;
+ ')
+ #This type is for samba helper scripts
+ type samba_$1_script_t;
+ domain_type(samba_$1_script_t)
+ role system_r types samba_$1_script_t;
+
+ # This type is used for executable scripts files
+ type samba_$1_script_exec_t;
+ corecmd_shell_entry_type(samba_$1_script_t)
+ domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t)
+
+ domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
+ allow smbd_t samba_$1_script_exec_t:file ioctl;
+
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an samba environment
## </summary>
@@ -630,6 +759,7 @@
type nmbd_t, nmbd_var_run_t;
type smbd_t, smbd_tmp_t;
type smbd_var_run_t;
+ type smbd_initrc_exec_t, smbd_spool_t;
type samba_log_t, samba_var_t;
type samba_etc_t, samba_share_t;
@@ -640,6 +770,7 @@
type winbind_var_run_t, winbind_tmp_t;
type winbind_log_t;
+ type samba_unconfined_script_t, samba_unconfined_script_exec_t;
type samba_initrc_exec_t;
')
@@ -649,6 +780,9 @@
allow $1 nmbd_t:process { ptrace signal_perms };
ps_process_pattern($1, nmbd_t)
+ allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t)
+
samba_run_smbcontrol($1, $2, $3)
samba_run_winbind_helper($1, $2, $3)
samba_run_smbmount($1, $2, $3)
@@ -674,6 +808,9 @@
admin_pattern($1, samba_var_t)
files_list_var($1)
+ admin_pattern($1, smbd_spool_t)
+ files_list_spool($1)
+
admin_pattern($1, smbd_var_run_t)
files_list_pids($1)
@@ -689,4 +826,5 @@
admin_pattern($1, winbind_tmp_t)
admin_pattern($1, winbind_var_run_t)
+ admin_pattern($1, samba_unconfined_script_exec_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.5/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/samba.te 2009-12-21 13:07:09.000000000 -0500
@@ -66,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
+## <desc>
+## <p>
+## Allow samba to export ntfs/fusefs volumes.
+## </p>
+## </desc>
+gen_tunable(samba_share_fusefs, false)
+
type nmbd_t;
type nmbd_exec_t;
init_daemon_domain(nmbd_t, nmbd_exec_t)
@@ -201,14 +208,16 @@
files_read_usr_symlinks(samba_net_t)
auth_use_nsswitch(samba_net_t)
-auth_read_cache(samba_net_t)
+auth_rw_cache(samba_net_t)
logging_send_syslog_msg(samba_net_t)
miscfiles_read_localization(samba_net_t)
+samba_read_var_files(samba_net_t)
+
userdom_use_user_terminals(samba_net_t)
-userdom_dontaudit_search_user_home_dirs(samba_net_t)
+userdom_list_user_home_dirs(samba_net_t)
optional_policy(`
pcscd_read_pub_files(samba_net_t)
@@ -275,6 +284,8 @@
allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
+allow smbd_t winbind_t:process { signal signull };
+
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
kernel_read_network_state(smbd_t)
@@ -325,6 +336,8 @@
files_read_etc_runtime_files(smbd_t)
files_read_usr_files(smbd_t)
files_search_spool(smbd_t)
+# smbd seems to getattr all mountpoints
+files_dontaudit_getattr_all_dirs(smbd_t)
# Allow samba to list mnt_t for potential mounted dirs
files_list_mnt(smbd_t)
@@ -338,9 +351,12 @@
userdom_use_unpriv_users_fds(smbd_t)
userdom_dontaudit_search_user_home_dirs(smbd_t)
+userdom_signal_all_users(smbd_t)
usermanage_read_crack_db(smbd_t)
+term_use_ptmx(smbd_t)
+
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
@@ -352,19 +368,19 @@
')
tunable_policy(`samba_domain_controller',`
+ gen_require(`
+ class passwd passwd;
+ ')
+
usermanage_domtrans_passwd(smbd_t)
usermanage_kill_passwd(smbd_t)
usermanage_domtrans_useradd(smbd_t)
usermanage_domtrans_groupadd(smbd_t)
+ allow smbd_t self:passwd passwd;
')
tunable_policy(`samba_enable_home_dirs',`
- userdom_manage_user_home_content_dirs(smbd_t)
- userdom_manage_user_home_content_files(smbd_t)
- userdom_manage_user_home_content_symlinks(smbd_t)
- userdom_manage_user_home_content_sockets(smbd_t)
- userdom_manage_user_home_content_pipes(smbd_t)
- userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
+ userdom_manage_user_home_content(smbd_t)
')
# Support Samba sharing of NFS mount points
@@ -376,6 +392,15 @@
fs_manage_nfs_named_sockets(smbd_t)
')
+# Support Samba sharing of ntfs/fusefs mount points
+tunable_policy(`samba_share_fusefs',`
+ fs_manage_fusefs_dirs(smbd_t)
+ fs_manage_fusefs_files(smbd_t)
+',`
+ fs_search_fusefs(smbd_t)
+')
+
+
optional_policy(`
cups_read_rw_config(smbd_t)
cups_stream_connect(smbd_t)
@@ -391,6 +416,11 @@
')
optional_policy(`
+ qemu_manage_tmp_dirs(smbd_t)
+ qemu_manage_tmp_files(smbd_t)
+')
+
+optional_policy(`
rpc_search_nfs_state_data(smbd_t)
')
@@ -405,13 +435,15 @@
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
userdom_create_user_home_dirs(smbd_t)
- userdom_home_filetrans_user_home_dir(smbd_t)
')
+userdom_home_filetrans_user_home_dir(smbd_t)
tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
+ auth_read_all_dirs_except_shadow(smbd_t)
auth_read_all_files_except_shadow(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
+ auth_read_all_dirs_except_shadow(nmbd_t)
auth_read_all_files_except_shadow(nmbd_t)
')
@@ -420,8 +452,8 @@
auth_manage_all_files_except_shadow(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
auth_manage_all_files_except_shadow(nmbd_t)
- userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
')
+userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
########################################
#
@@ -525,6 +557,7 @@
allow smbcontrol_t winbind_t:process { signal signull };
+files_search_var_lib(smbcontrol_t)
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
@@ -536,6 +569,8 @@
miscfiles_read_localization(smbcontrol_t)
+userdom_use_user_terminals(smbcontrol_t)
+
########################################
#
# smbmount Local policy
@@ -638,6 +673,10 @@
allow swat_t smbd_var_run_t:file { lock unlink };
+allow swat_t smbd_port_t:tcp_socket name_bind;
+
+allow swat_t nmbd_port_t:udp_socket name_bind;
+
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
@@ -700,6 +739,8 @@
miscfiles_read_localization(swat_t)
+userdom_dontaudit_search_admin_dir(swat_t)
+
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
@@ -713,12 +754,23 @@
kerberos_use(swat_t)
')
+init_read_utmp(swat_t)
+init_dontaudit_write_utmp(swat_t)
+
+manage_dirs_pattern(swat_t, samba_log_t, samba_log_t)
+create_files_pattern(swat_t, samba_log_t, samba_log_t)
+
+manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
+
+manage_files_pattern(swat_t, samba_var_t, samba_var_t)
+files_list_var_lib(swat_t)
+
########################################
#
# Winbind local policy
#
-allow winbind_t self:capability { dac_override ipc_lock setuid };
+allow winbind_t self:capability { sys_nice dac_override ipc_lock setuid };
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process { signal_perms getsched setsched };
allow winbind_t self:fifo_file rw_fifo_file_perms;
@@ -866,6 +918,18 @@
#
optional_policy(`
+ type samba_unconfined_net_t;
+ domain_type(samba_unconfined_net_t)
+ domain_entry_file(samba_unconfined_net_t, samba_net_exec_t)
+ role system_r types samba_unconfined_net_t;
+
+ unconfined_domain(samba_unconfined_net_t)
+
+ manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t)
+ filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
+ userdom_use_user_terminals(samba_unconfined_net_t)
+')
+
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
@@ -876,9 +940,12 @@
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+optional_policy(`
unconfined_domain(samba_unconfined_script_t)
+')
tunable_policy(`samba_run_unconfined',`
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
- ')
+',`
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.5/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/sasl.te 2009-12-21 13:07:09.000000000 -0500
@@ -31,7 +31,7 @@
# Local policy
#
-allow saslauthd_t self:capability setuid;
+allow saslauthd_t self:capability { setgid setuid };
dontaudit saslauthd_t self:capability sys_tty_config;
allow saslauthd_t self:process signal_perms;
allow saslauthd_t self:fifo_file rw_fifo_file_perms;
@@ -58,7 +58,6 @@
corenet_tcp_connect_pop_port(saslauthd_t)
corenet_sendrecv_pop_client_packets(saslauthd_t)
-dev_read_sysfs(saslauthd_t)
dev_read_urand(saslauthd_t)
fs_getattr_all_fs(saslauthd_t)
@@ -66,8 +65,7 @@
selinux_compute_access_vector(saslauthd_t)
-auth_domtrans_chk_passwd(saslauthd_t)
-auth_use_nsswitch(saslauthd_t)
+auth_use_pam(saslauthd_t)
domain_use_interactive_fds(saslauthd_t)
@@ -79,15 +77,11 @@
init_dontaudit_stream_connect_script(saslauthd_t)
-logging_send_syslog_msg(saslauthd_t)
-
miscfiles_read_localization(saslauthd_t)
miscfiles_read_certs(saslauthd_t)
seutil_dontaudit_read_config(saslauthd_t)
-sysnet_read_config(saslauthd_t)
-
userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
userdom_dontaudit_search_user_home_dirs(saslauthd_t)
@@ -99,7 +93,6 @@
optional_policy(`
kerberos_keytab_template(saslauthd, saslauthd_t)
- kerberos_manage_host_rcache(saslauthd_t)
')
optional_policy(`
@@ -108,10 +101,6 @@
')
optional_policy(`
- nis_authenticate(saslauthd_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(saslauthd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.5/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/sendmail.if 2009-12-21 13:07:09.000000000 -0500
@@ -59,20 +59,20 @@
########################################
## <summary>
-## Read and write sendmail TCP sockets.
+## Dontaudit Read and write sendmail TCP sockets.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain not allowed access.
## </summary>
## </param>
#
-interface(`sendmail_rw_tcp_sockets',`
+interface(`sendmail_dontaudit_rw_tcp_sockets',`
gen_require(`
type sendmail_t;
')
- allow $1 sendmail_t:tcp_socket { read write };
+ dontaudit $1 sendmail_t:tcp_socket { read write };
')
########################################
## <summary>
@@ -89,7 +89,25 @@
type sendmail_t;
')
- allow $1 sendmail_t:unix_stream_socket { read write };
+ allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+')
+
+########################################
+## <summary>
+## dontaudit Read and write sendmail unix_stream_sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
')
########################################
@@ -114,6 +132,26 @@
########################################
## <summary>
+## Manage sendmail tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_manage_tmp',`
+ gen_require(`
+ type sendmail_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, sendmail_tmp_t, sendmail_tmp_t)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete sendmail logs.
## </summary>
## <param name="domain">
@@ -149,3 +187,92 @@
logging_log_filetrans($1, sendmail_log_t, file)
')
+
+########################################
+## <summary>
+## Execute the sendmail program in the sendmail domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the sendmail domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ sendmail_domtrans($1)
+ role $2 types sendmail_t;
+')
+
+########################################
+## <summary>
+## Execute sendmail in the unconfined sendmail domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_domtrans_unconfined',`
+ gen_require(`
+ type unconfined_sendmail_t, sendmail_exec_t;
+ ')
+
+ domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t)
+')
+
+########################################
+## <summary>
+## Execute sendmail in the unconfined sendmail domain, and
+## allow the specified role the unconfined sendmail domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the unconfined sendmail domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run_unconfined',`
+ gen_require(`
+ type unconfined_sendmail_t;
+ ')
+
+ sendmail_domtrans_unconfined($1)
+ role $2 types unconfined_sendmail_t;
+')
+
+########################################
+## <summary>
+## Allow attempts to read and write to
+## sendmail unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sendmail_rw_pipes',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ allow $1 sendmail_t:fifo_file rw_fifo_file_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.5/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/sendmail.te 2009-12-21 13:07:09.000000000 -0500
@@ -20,13 +20,17 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
+type unconfined_sendmail_t;
+application_domain(unconfined_sendmail_t, sendmail_exec_t)
+role system_r types unconfined_sendmail_t;
+
########################################
#
# Sendmail local policy
#
-allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
-allow sendmail_t self:process signal;
+allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
+allow sendmail_t self:process { setrlimit signal signull };
allow sendmail_t self:fifo_file rw_fifo_file_perms;
allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
allow sendmail_t self:unix_dgram_socket create_socket_perms;
@@ -47,6 +51,7 @@
kernel_read_kernel_sysctls(sendmail_t)
# for piping mail to a command
kernel_read_system_state(sendmail_t)
+kernel_read_network_state(sendmail_t)
corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
@@ -64,24 +69,29 @@
fs_getattr_all_fs(sendmail_t)
fs_search_auto_mountpoints(sendmail_t)
+fs_rw_anon_inodefs_files(sendmail_t)
term_dontaudit_use_console(sendmail_t)
# for piping mail to a command
corecmd_exec_shell(sendmail_t)
+corecmd_exec_bin(sendmail_t)
domain_use_interactive_fds(sendmail_t)
files_read_etc_files(sendmail_t)
+files_read_usr_files(sendmail_t)
files_search_spool(sendmail_t)
# for piping mail to a command
files_read_etc_runtime_files(sendmail_t)
+files_read_all_tmp_files(sendmail_t)
init_use_fds(sendmail_t)
init_use_script_ptys(sendmail_t)
# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
init_read_utmp(sendmail_t)
init_dontaudit_write_utmp(sendmail_t)
+init_rw_script_tmp_files(sendmail_t)
auth_use_nsswitch(sendmail_t)
@@ -89,23 +99,46 @@
libs_read_lib_files(sendmail_t)
logging_send_syslog_msg(sendmail_t)
+logging_dontaudit_write_generic_logs(sendmail_t)
miscfiles_read_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
-userdom_dontaudit_search_user_home_dirs(sendmail_t)
+userdom_read_user_home_content_files(sendmail_t)
mta_read_config(sendmail_t)
mta_etc_filetrans_aliases(sendmail_t)
# Write to /etc/aliases and /etc/mail.
-mta_rw_aliases(sendmail_t)
+mta_manage_aliases(sendmail_t)
# Write to /var/spool/mail and /var/spool/mqueue.
mta_manage_queue(sendmail_t)
mta_manage_spool(sendmail_t)
+mta_sendmail_exec(sendmail_t)
+
+optional_policy(`
+ cron_read_pipes(sendmail_t)
+')
optional_policy(`
clamav_search_lib(sendmail_t)
+ clamav_stream_connect(sendmail_t)
+')
+
+optional_policy(`
+ cyrus_stream_connect(sendmail_t)
+')
+
+optional_policy(`
+ exim_domtrans(sendmail_t)
+')
+
+optional_policy(`
+ fail2ban_read_lib_files(sendmail_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(sendmail, sendmail_t)
')
optional_policy(`
@@ -113,13 +146,20 @@
')
optional_policy(`
- postfix_exec_master(sendmail_t)
+ munin_dontaudit_search_lib(sendmail_t)
+')
+
+optional_policy(`
+ postfix_domtrans_postdrop(sendmail_t)
+ postfix_domtrans_master(sendmail_t)
+ postfix_domtrans_postqueue(sendmail_t)
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
')
optional_policy(`
procmail_domtrans(sendmail_t)
+ procmail_rw_tmp_files(sendmail_t)
')
optional_policy(`
@@ -127,24 +167,29 @@
')
optional_policy(`
+ sasl_connect(sendmail_t)
+')
+
+optional_policy(`
+ spamd_stream_connect(sendmail_t)
+')
+
+optional_policy(`
udev_read_db(sendmail_t)
')
-ifdef(`TODO',`
-allow sendmail_t etc_mail_t:dir rw_dir_perms;
-allow sendmail_t etc_mail_t:file manage_file_perms;
-# for the start script to run make -C /etc/mail
-allow initrc_t etc_mail_t:dir rw_dir_perms;
-allow initrc_t etc_mail_t:file manage_file_perms;
-allow system_mail_t initrc_t:fd use;
-allow system_mail_t initrc_t:fifo_file write;
-
-# When sendmail runs as user_mail_domain, it needs some extra permissions
-# to update /etc/mail/statistics.
-allow user_mail_domain etc_mail_t:file rw_file_perms;
+optional_policy(`
+ uucp_domtrans_uux(sendmail_t)
+')
+
+########################################
+#
+# Unconfined sendmail local policy
+# Allow unconfined domain to run newalias and have transitions work
+#
-# Silently deny attempts to access /root.
-dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
+optional_policy(`
+ mta_etc_filetrans_aliases(unconfined_sendmail_t)
+ unconfined_domain_noaudit(unconfined_sendmail_t)
+')
-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.5/policy/modules/services/setroubleshoot.fc
--- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/setroubleshoot.fc 2009-12-21 13:07:09.000000000 -0500
@@ -5,3 +5,5 @@
/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
+
+/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.5/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/setroubleshoot.if 2009-12-21 13:07:09.000000000 -0500
@@ -16,8 +16,8 @@
')
files_search_pids($1)
- allow $1 setroubleshoot_var_run_t:sock_file write;
- allow $1 setroubleshootd_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t)
+ allow $1 setroubleshoot_var_run_t:sock_file read;
')
########################################
@@ -36,6 +36,124 @@
type setroubleshootd_t, setroubleshoot_var_run_t;
')
- dontaudit $1 setroubleshoot_var_run_t:sock_file write;
+ dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms;
dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
')
+
+########################################
+## <summary>
+## Send and receive messages from
+## setroubleshoot over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_dbus_chat',`
+ gen_require(`
+ type setroubleshootd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 setroubleshootd_t:dbus send_msg;
+ allow setroubleshootd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## dontaudit send and receive messages from
+## setroubleshoot over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_dontaudit_dbus_chat',`
+ gen_require(`
+ type setroubleshootd_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 setroubleshootd_t:dbus send_msg;
+ dontaudit setroubleshootd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## setroubleshoot over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_dbus_chat_fixit',`
+ gen_require(`
+ type setroubleshoot_fixit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 setroubleshoot_fixit_t:dbus send_msg;
+ allow setroubleshoot_fixit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Dontaudit read/write to a setroubleshoot leaked sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_fixit_dontaudit_leaks',`
+ gen_require(`
+ type setroubleshoot_fixit_t;
+ ')
+
+ dontaudit $1 setroubleshoot_fixit_t:unix_dgram_socket { read write };
+ dontaudit $1 setroubleshoot_fixit_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an setroubleshoot environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the setroubleshoot domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`setroubleshoot_admin',`
+ gen_require(`
+ type setroubleshootd_t, setroubleshoot_log_t;
+ type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
+ ')
+
+ allow $1 setroubleshootd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, setroubleshootd_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, setroubleshoot_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, setroubleshoot_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, setroubleshoot_var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.5/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/setroubleshoot.te 2009-12-21 13:07:09.000000000 -0500
@@ -22,13 +22,19 @@
type setroubleshoot_var_run_t;
files_pid_file(setroubleshoot_var_run_t)
+type setroubleshoot_fixit_t;
+type setroubleshoot_fixit_exec_t;
+dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
+
########################################
#
# setroubleshootd local policy
#
-allow setroubleshootd_t self:capability { dac_override sys_tty_config };
-allow setroubleshootd_t self:process { signull signal getattr getsched };
+allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
+allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
+# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
+allow setroubleshootd_t self:process { execmem execstack };
allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -52,7 +58,10 @@
kernel_read_kernel_sysctls(setroubleshootd_t)
kernel_read_system_state(setroubleshootd_t)
+ kernel_read_net_sysctls(setroubleshootd_t)
kernel_read_network_state(setroubleshootd_t)
+ kernel_dontaudit_list_all_proc(setroubleshootd_t)
+ kernel_read_unlabeled_state(setroubleshootd_t)
corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t)
@@ -68,16 +77,26 @@
dev_read_urand(setroubleshootd_t)
dev_read_sysfs(setroubleshootd_t)
+ dev_getattr_all_blk_files(setroubleshootd_t)
+ dev_getattr_all_chr_files(setroubleshootd_t)
domain_dontaudit_search_all_domains_state(setroubleshootd_t)
+domain_signull_all_domains(setroubleshootd_t)
files_read_usr_files(setroubleshootd_t)
files_read_etc_files(setroubleshootd_t)
-files_getattr_all_dirs(setroubleshootd_t)
+ files_list_all(setroubleshootd_t)
files_getattr_all_files(setroubleshootd_t)
+ files_getattr_all_pipes(setroubleshootd_t)
+ files_getattr_all_sockets(setroubleshootd_t)
+ files_read_all_symlinks(setroubleshootd_t)
fs_getattr_all_dirs(setroubleshootd_t)
fs_getattr_all_files(setroubleshootd_t)
+ fs_read_fusefs_symlinks(setroubleshootd_t)
+ fs_dontaudit_read_nfs_files(setroubleshootd_t)
+ fs_dontaudit_read_cifs_files(setroubleshootd_t)
+ fs_list_inotifyfs(setroubleshootd_t)
selinux_get_enforce_mode(setroubleshootd_t)
selinux_validate_context(setroubleshootd_t)
@@ -94,23 +113,77 @@
locallogin_dontaudit_use_fds(setroubleshootd_t)
+ logging_send_audit_msgs(setroubleshootd_t)
logging_send_syslog_msg(setroubleshootd_t)
logging_stream_connect_dispatcher(setroubleshootd_t)
seutil_read_config(setroubleshootd_t)
seutil_read_file_contexts(setroubleshootd_t)
-
-sysnet_read_config(setroubleshootd_t)
+ seutil_read_bin_policy(setroubleshootd_t)
userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
optional_policy(`
+ locate_read_lib_files(setroubleshootd_t)
+ ')
+
+ optional_policy(`
dbus_system_bus_client(setroubleshootd_t)
dbus_connect_system_bus(setroubleshootd_t)
+ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
')
optional_policy(`
+ rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
rpm_use_script_fds(setroubleshootd_t)
')
+
+########################################
+#
+# setroubleshoot_fixit local policy
+#
+allow setroubleshoot_fixit_t self:capability sys_nice;
+allow setroubleshoot_fixit_t self:process { setsched getsched };
+allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms;
+allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms;
+
+allow setroubleshoot_fixit_t setroubleshootd_t:process signull;
+
+setroubleshoot_dbus_chat(setroubleshoot_fixit_t)
+setroubleshoot_stream_connect(setroubleshoot_fixit_t)
+
+corecmd_exec_bin(setroubleshoot_fixit_t)
+corecmd_exec_shell(setroubleshoot_fixit_t)
+
+seutil_domtrans_setfiles(setroubleshoot_fixit_t)
+seutil_domtrans_setsebool(setroubleshoot_fixit_t)
+
+files_read_usr_files(setroubleshoot_fixit_t)
+files_read_etc_files(setroubleshoot_fixit_t)
+files_list_tmp(setroubleshoot_fixit_t)
+
+kernel_read_system_state(setroubleshoot_fixit_t)
+
+auth_use_nsswitch(setroubleshoot_fixit_t)
+
+logging_send_audit_msgs(setroubleshoot_fixit_t)
+logging_send_syslog_msg(setroubleshoot_fixit_t)
+
+miscfiles_read_localization(setroubleshoot_fixit_t)
+
+userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t)
+userdom_signull_unpriv_users(setroubleshoot_fixit_t)
+
+optional_policy(`
+ rpm_signull(setroubleshoot_fixit_t)
+ rpm_read_db(setroubleshoot_fixit_t)
+ rpm_dontaudit_manage_db(setroubleshoot_fixit_t)
+ rpm_use_script_fds(setroubleshoot_fixit_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(setroubleshoot_fixit_t)
+ userdom_read_all_users_state(setroubleshoot_fixit_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.7.5/policy/modules/services/snmp.if
--- nsaserefpolicy/policy/modules/services/snmp.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/snmp.if 2009-12-21 13:07:09.000000000 -0500
@@ -50,6 +50,24 @@
########################################
## <summary>
+## Append snmpd libraries.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_append_snmp_var_lib_files',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+
+ append_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+')
+
+########################################
+## <summary>
## dontaudit Read snmpd libraries.
## </summary>
## <param name="domain">
@@ -85,6 +103,26 @@
dontaudit $1 snmpd_var_lib_t:file write;
')
+
+########################################
+## <summary>
+## Connect to snmpd using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_stream_connect',`
+ gen_require(`
+ type snmpd_t, snmpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
+')
+
########################################
## <summary>
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.5/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/snmp.te 2009-12-21 13:07:09.000000000 -0500
@@ -27,7 +27,7 @@
#
allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
-allow snmpd_t self:process { getsched setsched };
+allow snmpd_t self:process { signal_perms getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
allow snmpd_t self:unix_dgram_socket create_socket_perms;
allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
@@ -72,6 +72,8 @@
corenet_udp_bind_snmp_port(snmpd_t)
corenet_sendrecv_snmp_server_packets(snmpd_t)
corenet_tcp_connect_agentx_port(snmpd_t)
+corenet_tcp_bind_agentx_port(snmpd_t)
+corenet_udp_bind_agentx_port(snmpd_t)
dev_list_sysfs(snmpd_t)
dev_read_sysfs(snmpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.5/policy/modules/services/snort.te
--- nsaserefpolicy/policy/modules/services/snort.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/snort.te 2009-12-21 13:07:09.000000000 -0500
@@ -37,6 +37,7 @@
allow snort_t self:tcp_socket create_stream_socket_perms;
allow snort_t self:udp_socket create_socket_perms;
allow snort_t self:packet_socket create_socket_perms;
+allow snort_t self:socket create_socket_perms;
# Snort IPS node. unverified.
allow snort_t self:netlink_firewall_socket { bind create getattr };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.5/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/spamassassin.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,15 +1,26 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+
+/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
-/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
+/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
+/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0)
+
+/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0)
+/var/log/mimedefang -- gen_context(system_u:object_r:spamd_log_t,s0)
/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.5/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/spamassassin.if 2009-12-21 13:07:09.000000000 -0500
@@ -111,6 +111,27 @@
')
domtrans_pattern($1, spamc_exec_t, spamc_t)
+ allow $1 spamc_exec_t:file ioctl;
+')
+
+########################################
+## <summary>
+## Manage spamc home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_manage_home_client',`
+ gen_require(`
+ type spamc_home_t;
+ ')
+
+ manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
+ manage_files_pattern($1, spamc_home_t, spamc_home_t)
+ manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
')
########################################
@@ -166,7 +187,9 @@
')
files_search_var_lib($1)
+ list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
+ read_lnk_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
')
########################################
@@ -225,3 +248,69 @@
dontaudit $1 spamd_tmp_t:sock_file getattr;
')
+
+########################################
+## <summary>
+## Connect to run spamd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to connect.
+## </summary>
+## </param>
+#
+interface(`spamd_stream_connect',`
+ gen_require(`
+ type spamd_t, spamd_var_run_t, spamd_spool_t;
+ ')
+
+ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an spamassassin environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the spamassassin domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`spamassassin_spamd_admin',`
+ gen_require(`
+ type spamd_t, spamd_tmp_t, spamd_log_t;
+ type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
+ type spamd_initrc_exec_t;
+ ')
+
+ allow $1 spamd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, spamd_t, spamd_t)
+
+ init_labeled_script_domtrans($1, spamd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 spamd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, spamd_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, spamd_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, spamd_spool_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, spamd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, spamd_var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.5/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/spamassassin.te 2009-12-21 13:07:09.000000000 -0500
@@ -20,6 +20,35 @@
## </desc>
gen_tunable(spamd_enable_home_dirs, true)
+ifdef(`distro_redhat',`
+# spamassassin client executable
+type spamc_t;
+type spamc_exec_t;
+application_domain(spamc_t, spamc_exec_t)
+role system_r types spamc_t;
+
+type spamd_etc_t;
+files_config_file(spamd_etc_t)
+
+typealias spamc_exec_t alias spamassassin_exec_t;
+typealias spamc_t alias spamassassin_t;
+
+type spamc_home_t;
+userdom_user_home_content(spamc_home_t)
+typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
+typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
+typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
+typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
+
+type spamc_tmp_t;
+files_tmp_file(spamc_tmp_t)
+typealias spamc_tmp_t alias spamassassin_tmp_t;
+typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
+typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
+
+typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
+', `
type spamassassin_t;
type spamassassin_exec_t;
typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
@@ -51,10 +80,21 @@
typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
files_tmp_file(spamc_tmp_t)
ubac_constrained(spamc_tmp_t)
+')
type spamd_t;
type spamd_exec_t;
init_daemon_domain(spamd_t, spamd_exec_t)
+can_exec(spamd_t, spamd_exec_t)
+
+type spamd_compiled_t;
+files_type(spamd_compiled_t)
+
+type spamd_initrc_exec_t;
+init_script_file(spamd_initrc_exec_t)
+
+type spamd_log_t;
+logging_log_file(spamd_log_t)
type spamd_spool_t;
files_type(spamd_spool_t)
@@ -110,6 +150,7 @@
dev_read_urand(spamassassin_t)
fs_search_auto_mountpoints(spamassassin_t)
+fs_getattr_all_fs(spamassassin_t)
# this should probably be removed
corecmd_list_bin(spamassassin_t)
@@ -150,6 +191,8 @@
corenet_udp_sendrecv_all_ports(spamassassin_t)
corenet_tcp_connect_all_ports(spamassassin_t)
corenet_sendrecv_all_client_packets(spamassassin_t)
+ corenet_udp_bind_generic_node(spamassassin_t)
+ corenet_udp_bind_generic_port(spamassassin_t)
sysnet_read_config(spamassassin_t)
')
@@ -186,6 +229,8 @@
optional_policy(`
mta_read_config(spamassassin_t)
sendmail_stub(spamassassin_t)
+ sendmail_dontaudit_rw_unix_stream_sockets(spamassassin_t)
+ sendmail_dontaudit_rw_tcp_sockets(spamassassin_t)
')
########################################
@@ -207,16 +252,33 @@
allow spamc_t self:unix_stream_socket connectto;
allow spamc_t self:tcp_socket create_stream_socket_perms;
allow spamc_t self:udp_socket create_socket_perms;
+corenet_all_recvfrom_unlabeled(spamc_t)
+corenet_all_recvfrom_netlabel(spamc_t)
+corenet_tcp_sendrecv_generic_if(spamc_t)
+corenet_tcp_sendrecv_generic_node(spamc_t)
+corenet_tcp_connect_spamd_port(spamc_t)
+
+can_exec(spamc_t, spamc_exec_t)
manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })
+manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
+userdom_append_user_home_content_files(spamc_t)
+
# Allow connecting to a local spamd
allow spamc_t spamd_t:unix_stream_socket connectto;
allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
+spamd_stream_connect(spamc_t)
kernel_read_kernel_sysctls(spamc_t)
+kernel_read_system_state(spamc_t)
corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
@@ -246,9 +308,16 @@
files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)
+files_list_var_lib(spamc_t)
+list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
+read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
+
+fs_search_auto_mountpoints(spamc_t)
logging_send_syslog_msg(spamc_t)
+auth_use_nsswitch(spamc_t)
+
miscfiles_read_localization(spamc_t)
# cjp: this should probably be removed:
@@ -256,27 +325,40 @@
sysnet_read_config(spamc_t)
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(spamc_t)
+ fs_manage_nfs_files(spamc_t)
+ fs_manage_nfs_symlinks(spamc_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(spamc_t)
+ fs_manage_cifs_files(spamc_t)
+ fs_manage_cifs_symlinks(spamc_t)
+')
+
optional_policy(`
# Allow connection to spamd socket above
evolution_stream_connect(spamc_t)
')
optional_policy(`
- # Needed for pyzor/razor called from spamd
milter_manage_spamass_state(spamc_t)
')
optional_policy(`
- nis_use_ypbind(spamc_t)
-')
-
-optional_policy(`
- nscd_socket_use(spamc_t)
+ postfix_domtrans_postdrop(spamc_t)
+ postfix_search_spool(spamc_t)
+ postfix_rw_local_pipes(spamc_t)
')
optional_policy(`
+ mta_send_mail(spamc_t)
mta_read_config(spamc_t)
+ mta_read_queue(spamc_t)
sendmail_stub(spamc_t)
+ sendmail_rw_pipes(spamc_t)
+ sendmail_dontaudit_rw_tcp_sockets(spamc_t)
')
########################################
@@ -288,7 +370,7 @@
# setuids to the user running spamc. Comment this if you are not
# using this ability.
-allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
+allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
@@ -304,10 +386,17 @@
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
-allow spamd_t self:netlink_route_socket r_netlink_socket_perms;
+
+can_exec(spamd_t, spamd_compiled_t)
+manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
+manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
+
+manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)
+logging_log_filetrans(spamd_t, spamd_log_t, file)
manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
+manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
@@ -316,10 +405,12 @@
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
-read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
+manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
+manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
kernel_read_all_sysctls(spamd_t)
@@ -369,22 +460,27 @@
init_dontaudit_rw_utmp(spamd_t)
+auth_use_nsswitch(spamd_t)
+
logging_send_syslog_msg(spamd_t)
miscfiles_read_localization(spamd_t)
-sysnet_read_config(spamd_t)
-sysnet_use_ldap(spamd_t)
-sysnet_dns_name_resolve(spamd_t)
-
userdom_use_unpriv_users_fds(spamd_t)
userdom_search_user_home_dirs(spamd_t)
+optional_policy(`
+ exim_manage_spool_dirs(spamd_t)
+ exim_manage_spool_files(spamd_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(spamd_t)
fs_manage_nfs_files(spamd_t)
')
tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(spamd_t)
fs_manage_cifs_files(spamd_t)
')
@@ -402,23 +498,16 @@
optional_policy(`
dcc_domtrans_client(spamd_t)
+ dcc_signal_client(spamd_t)
dcc_stream_connect_dccifd(spamd_t)
')
optional_policy(`
- milter_manage_spamass_state(spamd_t)
-')
-
-optional_policy(`
mysql_search_db(spamd_t)
mysql_stream_connect(spamd_t)
')
optional_policy(`
- nis_use_ypbind(spamd_t)
-')
-
-optional_policy(`
postfix_read_config(spamd_t)
')
@@ -433,6 +522,10 @@
optional_policy(`
razor_domtrans(spamd_t)
+ razor_read_lib_files(spamd_t)
+ tunable_policy(`spamd_enable_home_dirs',`
+ razor_manage_user_home_files(spamd_t)
+ ')
')
optional_policy(`
@@ -445,5 +538,9 @@
')
optional_policy(`
+ milter_manage_spamass_state(spamd_t)
+')
+
+optional_policy(`
udev_read_db(spamd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.5/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/squid.te 2009-12-21 13:07:09.000000000 -0500
@@ -67,7 +67,9 @@
can_exec(squid_t, squid_exec_t)
+manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
manage_files_pattern(squid_t, squid_log_t, squid_log_t)
+manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
logging_log_filetrans(squid_t, squid_log_t, { file dir })
manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
@@ -118,6 +120,8 @@
fs_getattr_all_fs(squid_t)
fs_search_auto_mountpoints(squid_t)
+#squid requires the following when run in diskd mode, the recommended setting
+fs_rw_tmpfs_files(squid_t)
fs_list_inotifyfs(squid_t)
selinux_dontaudit_getattr_dir(squid_t)
@@ -186,8 +190,3 @@
optional_policy(`
udev_read_db(squid_t)
')
-
-ifdef(`TODO',`
-#squid requires the following when run in diskd mode, the recommended setting
-allow squid_t tmpfs_t:file { read write };
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.5/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/ssh.fc 2009-12-21 13:07:09.000000000 -0500
@@ -14,3 +14,5 @@
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.5/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2009-07-23 14:11:04.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/ssh.if 2009-12-21 13:07:09.000000000 -0500
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
type ssh_exec_t, sshd_key_t, sshd_tmp_t;
+ type home_ssh_t;
')
##############################
@@ -47,9 +48,6 @@
application_domain($1_ssh_t, ssh_exec_t)
role $3 types $1_ssh_t;
- type $1_home_ssh_t;
- files_type($1_home_ssh_t)
-
##############################
#
# Client local policy
@@ -65,8 +63,7 @@
allow $1_ssh_t self:sem create_sem_perms;
allow $1_ssh_t self:msgq create_msgq_perms;
allow $1_ssh_t self:msg { send receive };
- allow $1_ssh_t self:tcp_socket create_socket_perms;
- allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms;
+ allow $1_ssh_t self:tcp_socket create_stream_socket_perms;
# for rsync
allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
@@ -93,20 +90,21 @@
ps_process_pattern($2, $1_ssh_t)
# user can manage the keys and config
- manage_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t)
- manage_lnk_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t)
- manage_sock_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t)
+ manage_files_pattern($2, home_ssh_t, home_ssh_t)
+ manage_lnk_files_pattern($2, home_ssh_t, home_ssh_t)
+ manage_sock_files_pattern($2, home_ssh_t, home_ssh_t)
# ssh client can manage the keys and config
- manage_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t)
- read_lnk_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t)
+ manage_files_pattern($1_ssh_t, home_ssh_t, home_ssh_t)
+ read_lnk_files_pattern($1_ssh_t, home_ssh_t, home_ssh_t)
# ssh servers can read the user keys and config
- allow ssh_server $1_home_ssh_t:dir list_dir_perms;
- read_files_pattern(ssh_server, $1_home_ssh_t, $1_home_ssh_t)
- read_lnk_files_pattern(ssh_server, $1_home_ssh_t, $1_home_ssh_t)
+ allow ssh_server home_ssh_t:dir list_dir_perms;
+ read_files_pattern(ssh_server, home_ssh_t, home_ssh_t)
+ read_lnk_files_pattern(ssh_server, home_ssh_t, home_ssh_t)
kernel_read_kernel_sysctls($1_ssh_t)
+ kernel_read_system_state($1_ssh_t)
corenet_all_recvfrom_unlabeled($1_ssh_t)
corenet_all_recvfrom_netlabel($1_ssh_t)
@@ -115,6 +113,8 @@
corenet_tcp_sendrecv_all_ports($1_ssh_t)
corenet_tcp_connect_ssh_port($1_ssh_t)
corenet_sendrecv_ssh_client_packets($1_ssh_t)
+ corenet_tcp_bind_generic_node($1_ssh_t)
+ corenet_tcp_bind_all_unreserved_ports($1_ssh_t)
dev_read_urand($1_ssh_t)
@@ -133,6 +133,8 @@
files_read_etc_files($1_ssh_t)
files_read_var_files($1_ssh_t)
+ auth_use_nsswitch($1_ssh_t)
+
logging_send_syslog_msg($1_ssh_t)
logging_read_generic_logs($1_ssh_t)
@@ -140,20 +142,9 @@
seutil_read_config($1_ssh_t)
- sysnet_read_config($1_ssh_t)
- sysnet_dns_name_resolve($1_ssh_t)
-
optional_policy(`
kerberos_use($1_ssh_t)
')
-
- optional_policy(`
- nis_use_ypbind($1_ssh_t)
- ')
-
- optional_policy(`
- nscd_socket_use($1_ssh_t)
- ')
')
#######################################
@@ -186,13 +177,14 @@
type $1_var_run_t;
files_pid_file($1_var_run_t)
- allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+ allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t self:process { signal setsched setrlimit setexec };
+ allow $1_t self:process { signal getsched setsched setrlimit setexec };
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
# ssh agent connections:
allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:shm create_shm_perms;
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
term_create_pty($1_t,$1_devpts_t)
@@ -206,6 +198,8 @@
allow $1_t sshd_key_t:file read_file_perms;
kernel_read_kernel_sysctls($1_t)
+ kernel_read_network_state($1_t)
+ kernel_request_load_module(ssh_t)
corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
@@ -221,7 +215,12 @@
corenet_udp_bind_generic_node($1_t)
corenet_tcp_bind_ssh_port($1_t)
corenet_tcp_connect_all_ports($1_t)
+ corenet_tcp_bind_all_unreserved_ports($1_t)
+ corenet_sendrecv_ssh_server_packets($1_t)
+ # -R qualifier
corenet_sendrecv_ssh_server_packets($1_t)
+ # tunnel feature and -w (net_admin capability also)
+ corenet_rw_tun_tap_dev($1_t)
fs_dontaudit_getattr_all_fs($1_t)
@@ -234,21 +233,28 @@
corecmd_getattr_bin_files($1_t)
domain_interactive_fd($1_t)
+ domain_dyntrans_type($1_t)
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
+ files_read_usr_files($1_t)
+ # Required for FreeNX
+ files_read_var_lib_symlinks($1_t)
logging_search_logs($1_t)
miscfiles_read_localization($1_t)
- sysnet_read_config($1_t)
-
userdom_dontaudit_relabelfrom_user_ptys($1_t)
userdom_search_user_home_dirs($1_t)
+ userdom_read_user_home_content_files($1_t)
+
+ # Allow checking users mail at login
+ mta_getattr_spool($1_t)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files($1_t)
+ fs_read_nfs_symlinks($1_t)
')
tunable_policy(`use_samba_home_dirs',`
@@ -257,15 +263,11 @@
optional_policy(`
kerberos_use($1_t)
+ kerberos_manage_host_rcache($1_t)
')
optional_policy(`
- # Allow checking users mail at login
- mta_getattr_spool($1_t)
- ')
-
- optional_policy(`
- nscd_socket_use($1_t)
+ rlogin_read_home_content($1_t)
')
optional_policy(`
@@ -337,6 +339,7 @@
allow ssh_t $3:unix_stream_socket connectto;
# user can manage the keys and config
+ userdom_search_user_home_dirs($1_t)
manage_files_pattern($3, home_ssh_t, home_ssh_t)
manage_lnk_files_pattern($3, home_ssh_t, home_ssh_t)
manage_sock_files_pattern($3, home_ssh_t, home_ssh_t)
@@ -446,6 +449,24 @@
########################################
## <summary>
+## Send a generic signal to the ssh server.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_signal',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:process signal;
+')
+
+########################################
+## <summary>
## Read a ssh server unnamed pipe.
## </summary>
## <param name="domain">
@@ -461,6 +482,23 @@
allow $1 sshd_t:fifo_file { getattr read };
')
+########################################
+## <summary>
+## Read/write a ssh server unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_rw_pipes',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:fifo_file { write read getattr ioctl };
+')
########################################
## <summary>
@@ -603,3 +641,104 @@
dontaudit $1 sshd_key_t:file { getattr read };
')
+
+#######################################
+## <summary>
+## Delete from the ssh temp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_delete_tmp',`
+ gen_require(`
+ type sshd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
+')
+
+########################################
+## <summary>
+## Execute the ssh agent client in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_agent_exec',`
+ gen_require(`
+ type ssh_agent_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ssh_agent_exec_t)
+')
+
+
+########################################
+## <summary>
+## Read ssh home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_read_user_home_files',`
+ gen_require(`
+ type home_ssh_t;
+ ')
+
+ allow $1 home_ssh_t:dir list_dir_perms;
+ read_files_pattern($1, home_ssh_t, home_ssh_t)
+ read_lnk_files_pattern($1, home_ssh_t, home_ssh_t)
+ userdom_search_user_home_dirs($1)
+')
+
+######################################
+## <summary>
+## Manage ssh home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_manage_user_home_files',`
+ gen_require(`
+ type home_ssh_t;
+ ')
+
+ allow $1 home_ssh_t:dir list_dir_perms;
+ manage_dirs_pattern($1, home_ssh_t, home_ssh_t)
+ manage_files_pattern($1, home_ssh_t, home_ssh_t)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Set the attributes of sshd key files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_setattr_key_files',`
+ gen_require(`
+ type sshd_key_t;
+ ')
+
+ allow $1 sshd_key_t:file setattr;
+ files_search_pids($1)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.5/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/ssh.te 2009-12-21 13:07:09.000000000 -0500
@@ -8,6 +8,31 @@
## <desc>
## <p>
+## Allow sftp to upload files, used for public file
+## transfer services. Directories must be labeled
+## public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_sftpd_anon_write, false)
+
+## <desc>
+## <p>
+## Allow sftp to login to local users and
+## read/write all files on the system, governed by DAC.
+## </p>
+## </desc>
+gen_tunable(allow_sftpd_full_access, false)
+
+## <desc>
+## <p>
+## Allow interlnal-sftp to read and write files
+## in the user ssh home directories.
+## </p>
+## </desc>
+gen_tunable(sftpd_ssh_home_dir, false)
+
+## <desc>
+## <p>
## allow host key based authentication
## </p>
## </desc>
@@ -41,6 +66,13 @@
files_tmp_file(sshd_tmp_t)
files_poly_parent(sshd_tmp_t)
+type sshd_tmpfs_t;
+files_tmpfs_file(sshd_tmpfs_t)
+
+type sftpd_t;
+domain_type(sftpd_t)
+role system_r types sftpd_t;
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
')
@@ -75,7 +107,7 @@
ubac_constrained(ssh_tmpfs_t)
type home_ssh_t;
-typealias home_ssh_t alias { user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
+typealias home_ssh_t alias { ssh_home_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
files_type(home_ssh_t)
userdom_user_home_content(home_ssh_t)
@@ -95,8 +127,7 @@
allow ssh_t self:sem create_sem_perms;
allow ssh_t self:msgq create_msgq_perms;
allow ssh_t self:msg { send receive };
-allow ssh_t self:tcp_socket create_socket_perms;
-allow ssh_t self:netlink_route_socket r_netlink_socket_perms;
+allow ssh_t self:tcp_socket create_stream_socket_perms;
# Read the ssh key file.
allow ssh_t sshd_key_t:file read_file_perms;
@@ -115,6 +146,7 @@
manage_dirs_pattern(ssh_t, home_ssh_t, home_ssh_t)
manage_sock_files_pattern(ssh_t, home_ssh_t, home_ssh_t)
userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file })
+userdom_stream_connect(ssh_t)
# Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
@@ -126,11 +158,13 @@
read_lnk_files_pattern(ssh_t, home_ssh_t, home_ssh_t)
# ssh servers can read the user keys and config
-allow ssh_server home_ssh_t:dir list_dir_perms;
-read_files_pattern(ssh_server, home_ssh_t, home_ssh_t)
-read_lnk_files_pattern(ssh_server, home_ssh_t, home_ssh_t)
+manage_dirs_pattern(ssh_server, home_ssh_t, home_ssh_t)
+manage_files_pattern(ssh_server, home_ssh_t, home_ssh_t)
+userdom_user_home_dir_filetrans(ssh_server, home_ssh_t, dir)
+userdom_admin_home_dir_filetrans(ssh_server, home_ssh_t, dir)
kernel_read_kernel_sysctls(ssh_t)
+kernel_read_system_state(ssh_t)
corenet_all_recvfrom_unlabeled(ssh_t)
corenet_all_recvfrom_netlabel(ssh_t)
@@ -139,6 +173,8 @@
corenet_tcp_sendrecv_all_ports(ssh_t)
corenet_tcp_connect_ssh_port(ssh_t)
corenet_sendrecv_ssh_client_packets(ssh_t)
+corenet_tcp_bind_generic_node(ssh_t)
+corenet_tcp_bind_all_unreserved_ports(ssh_t)
dev_read_urand(ssh_t)
@@ -160,19 +196,19 @@
logging_send_syslog_msg(ssh_t)
logging_read_generic_logs(ssh_t)
+auth_use_nsswitch(ssh_t)
+
miscfiles_read_localization(ssh_t)
seutil_read_config(ssh_t)
-sysnet_read_config(ssh_t)
-sysnet_dns_name_resolve(ssh_t)
-
userdom_dontaudit_list_user_home_dirs(ssh_t)
userdom_search_user_home_dirs(ssh_t)
# Write to the user domain tty.
userdom_use_user_terminals(ssh_t)
# needs to read krb tgt
userdom_read_user_tmp_files(ssh_t)
+userdom_read_user_home_content_symlinks(ssh_t)
tunable_policy(`allow_ssh_keysign',`
domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
@@ -194,18 +230,7 @@
# for port forwarding
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_ssh_port(ssh_t)
-')
-
-optional_policy(`
- kerberos_use(ssh_t)
-')
-
-optional_policy(`
- nis_use_ypbind(ssh_t)
-')
-
-optional_policy(`
- nscd_socket_use(ssh_t)
+ corenet_tcp_bind_generic_node(ssh_t)
')
optional_policy(`
@@ -294,6 +319,8 @@
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
+allow sshd_t self:process setcurrent;
+
manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
@@ -310,16 +337,30 @@
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
+userdom_read_user_home_content_files(sshd_t)
+userdom_read_user_home_content_symlinks(sshd_t)
+userdom_search_admin_dir(sshd_t)
+
+manage_files_pattern(sshd_t, sshd_tmpfs_t, sshd_tmpfs_t)
+fs_tmpfs_filetrans(sshd_t, sshd_tmpfs_t, file)
+
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
# display the tty.
# some versions of sshd on the new SE Linux require setattr
- userdom_spec_domtrans_all_users(sshd_t)
userdom_signal_all_users(sshd_t)
-',`
+')
+
userdom_spec_domtrans_unpriv_users(sshd_t)
userdom_signal_unpriv_users(sshd_t)
+
+optional_policy(`
+ kerberos_keytab_template(sshd, sshd_t)
+')
+
+optional_policy(`
+ gitosis_manage_var_lib(sshd_t)
')
optional_policy(`
@@ -331,6 +372,10 @@
')
optional_policy(`
+ nx_read_home_files(sshd_t)
+')
+
+optional_policy(`
rpm_use_script_fds(sshd_t)
')
@@ -341,10 +386,18 @@
')
optional_policy(`
- unconfined_domain(sshd_t)
+ usermanage_domtrans_passwd(sshd_t)
+ usermanage_read_crack_db(sshd_t)
+')
+
+optional_policy(`
unconfined_shell_domtrans(sshd_t)
')
+optional_policy(`
+ xserver_domtrans_xauth(sshd_t)
+')
+
ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
@@ -400,18 +453,63 @@
init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t)
+auth_use_nsswitch(ssh_keygen_t)
+
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
optional_policy(`
- nscd_socket_use(ssh_keygen_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
')
optional_policy(`
udev_read_db(ssh_keygen_t)
')
+
+#######################################
+#
+# sftp Local policy
+#
+
+allow ssh_server sftpd_t:process dyntransition;
+
+ssh_sigchld(sftpd_t)
+
+files_read_all_files(sftpd_t)
+files_read_all_symlinks(sftpd_t)
+
+fs_read_noxattr_fs_files(sftpd_t)
+fs_read_nfs_files(sftpd_t)
+fs_read_cifs_files(sftpd_t)
+
+# allow access to /home by default
+userdom_manage_user_home_content_dirs(sftpd_t)
+userdom_manage_user_home_content_files(sftpd_t)
+userdom_manage_user_home_content_symlinks(sftpd_t)
+
+userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
+
+tunable_policy(`allow_sftpd_anon_write',`
+ miscfiles_manage_public_files(sftpd_t)
+')
+
+tunable_policy(`allow_sftpd_full_access',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+ fs_read_noxattr_fs_files(sftpd_t)
+ auth_manage_all_files_except_shadow(sftpd_t)
+')
+
+tunable_policy(`sftpd_ssh_home_dir',`
+ ssh_manage_user_home_files(sftpd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(sftpd_t)
+ fs_manage_nfs_files(sftpd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(sftpd_t)
+ fs_manage_cifs_files(sftpd_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.5/policy/modules/services/sssd.fc
--- nsaserefpolicy/policy/modules/services/sssd.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/sssd.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,6 +1,9 @@
-/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
+/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.5/policy/modules/services/sssd.if
--- nsaserefpolicy/policy/modules/services/sssd.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/sssd.if 2009-12-21 13:07:09.000000000 -0500
@@ -12,12 +12,32 @@
#
interface(`sssd_domtrans',`
gen_require(`
- type sssd_t, sssd_exec_t;
+ type sssd_t;
+ type sssd_exec_t;
')
domtrans_pattern($1, sssd_exec_t, sssd_t)
')
+
+########################################
+## <summary>
+## Execute sssd server in the sssd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`sssd_initrc_domtrans',`
+ gen_require(`
+ type sssd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1,sssd_initrc_exec_t)
+')
+
########################################
## <summary>
## Read sssd PID files.
@@ -77,6 +97,24 @@
########################################
## <summary>
+## Dontaudit search sssd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_dontaudit_search_lib',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
+ dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
## Read sssd lib files.
## </summary>
## <param name="domain">
@@ -96,6 +134,25 @@
########################################
## <summary>
+## Read sssd config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_read_config_files',`
+ gen_require(`
+ type sssd_config_t;
+ ')
+
+ sssd_search_lib($1)
+ read_files_pattern($1, sssd_config_t, sssd_config_t)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## sssd lib files.
## </summary>
@@ -116,6 +173,27 @@
########################################
## <summary>
+## Manage sssd var_lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_manage_var_lib',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
+ manage_dirs_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
+ manage_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
+ manage_lnk_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
+')
+
+
+########################################
+## <summary>
## Send and receive messages from
## sssd over dbus.
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.5/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/sssd.te 2009-12-21 13:07:09.000000000 -0500
@@ -16,6 +16,9 @@
type sssd_var_lib_t;
files_type(sssd_var_lib_t)
+type sssd_var_log_t;
+logging_log_file(sssd_var_log_t)
+
type sssd_var_run_t;
files_pid_file(sssd_var_run_t)
@@ -23,8 +26,8 @@
#
# sssd local policy
#
-allow sssd_t self:capability { sys_nice setuid };
-allow sssd_t self:process { setsched signal getsched };
+allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
+allow sssd_t self:process { setsched sigkill signal getsched };
allow sssd_t self:fifo_file rw_file_perms;
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -33,16 +36,24 @@
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
+manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
+logging_log_filetrans(sssd_t, sssd_var_log_t, file)
+
manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+fs_list_inotifyfs(sssd_t)
+
kernel_read_system_state(sssd_t)
corecmd_exec_bin(sssd_t)
dev_read_urand(sssd_t)
+domain_read_all_domains_state(sssd_t)
+domain_obj_id_change_exemption(sssd_t)
+
files_list_tmp(sssd_t)
files_read_etc_files(sssd_t)
files_read_usr_files(sssd_t)
@@ -58,6 +69,8 @@
miscfiles_read_localization(sssd_t)
+userdom_manage_tmp_role(system_t, sssd_t)
+
optional_policy(`
dbus_system_bus_client(sssd_t)
dbus_connect_system_bus(sssd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.5/policy/modules/services/sysstat.te
--- nsaserefpolicy/policy/modules/services/sysstat.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/sysstat.te 2009-12-21 13:07:09.000000000 -0500
@@ -19,14 +19,15 @@
# Local policy
#
-allow sysstat_t self:capability { sys_resource sys_tty_config };
+allow sysstat_t self:capability { dac_override sys_resource sys_tty_config };
dontaudit sysstat_t self:capability sys_admin;
allow sysstat_t self:fifo_file rw_fifo_file_perms;
can_exec(sysstat_t, sysstat_exec_t)
+manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
-read_lnk_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
# get info from /proc
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.7.5/policy/modules/services/tftp.fc
--- nsaserefpolicy/policy/modules/services/tftp.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/tftp.fc 2009-12-21 13:07:09.000000000 -0500
@@ -5,4 +5,4 @@
/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
-/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0)
+/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.7.5/policy/modules/services/tgtd.if
--- nsaserefpolicy/policy/modules/services/tgtd.if 2009-11-12 12:51:51.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/tgtd.if 2009-12-21 13:07:09.000000000 -0500
@@ -9,3 +9,20 @@
## </p>
## </desc>
+#####################################
+## <summary>
+## Allow read and write access to tgtd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tgtd_rw_semaphores',`
+ gen_require(`
+ type tgtd_t;
+ ')
+
+ allow $1 tgtd_t:sem { rw_sem_perms };
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.5/policy/modules/services/tor.te
--- nsaserefpolicy/policy/modules/services/tor.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/tor.te 2009-12-21 13:07:09.000000000 -0500
@@ -6,6 +6,14 @@
# Declarations
#
+## <desc>
+## <p>
+## Allow tor daemon to bind
+## tcp sockets to all unreserved ports.
+## </p>
+## </desc>
+gen_tunable(tor_bind_all_unreserved_ports, false)
+
type tor_t;
type tor_exec_t;
init_daemon_domain(tor_t, tor_exec_t)
@@ -89,6 +97,7 @@
files_read_etc_files(tor_t)
files_read_etc_runtime_files(tor_t)
+files_read_usr_files(tor_t)
auth_use_nsswitch(tor_t)
@@ -97,3 +106,7 @@
optional_policy(`
seutil_sigchld_newrole(tor_t)
')
+
+tunable_policy(`tor_bind_all_unreserved_ports', `
+ corenet_tcp_bind_all_unreserved_ports(tor_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.5/policy/modules/services/tuned.te
--- nsaserefpolicy/policy/modules/services/tuned.te 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/tuned.te 2009-12-21 13:07:09.000000000 -0500
@@ -27,6 +27,7 @@
files_pid_filetrans(tuned_t, tuned_var_run_t, file)
corecmd_exec_shell(tuned_t)
+corecmd_exec_bin(tuned_t)
kernel_read_system_state(tuned_t)
kernel_read_network_state(tuned_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.5/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/uucp.te 2009-12-21 13:07:09.000000000 -0500
@@ -90,17 +90,26 @@
fs_getattr_xattr_fs(uucpd_t)
corecmd_exec_bin(uucpd_t)
+corecmd_exec_shell(uucpd_t)
files_read_etc_files(uucpd_t)
files_search_home(uucpd_t)
files_search_spool(uucpd_t)
+term_setattr_controlling_term(uucpd_t)
+
auth_use_nsswitch(uucpd_t)
logging_send_syslog_msg(uucpd_t)
miscfiles_read_localization(uucpd_t)
+mta_send_mail(uucpd_t)
+
+optional_policy(`
+ cron_system_entry(uucpd_t, uucpd_exec_t)
+')
+
optional_policy(`
kerberos_use(uucpd_t)
')
@@ -129,6 +138,7 @@
optional_policy(`
mta_send_mail(uux_t)
mta_read_queue(uux_t)
+ sendmail_dontaudit_rw_unix_stream_sockets(uux_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.5/policy/modules/services/vhostmd.fc
--- nsaserefpolicy/policy/modules/services/vhostmd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/vhostmd.fc 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,6 @@
+
+/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
+
+/etc/rc.d/init.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0)
+/var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.5/policy/modules/services/vhostmd.if
--- nsaserefpolicy/policy/modules/services/vhostmd.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/vhostmd.if 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,228 @@
+
+## <summary>policy for vhostmd</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run vhostmd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vhostmd_domtrans',`
+ gen_require(`
+ type vhostmd_t, vhostmd_exec_t;
+ ')
+
+ domtrans_pattern($1, vhostmd_exec_t, vhostmd_t)
+')
+
+
+########################################
+## <summary>
+## Execute vhostmd server in the vhostmd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`vhostmd_initrc_domtrans',`
+ gen_require(`
+ type vhostmd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, vhostmd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read,
+## vhostmd tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`vhostmd_dontaudit_read_tmpfs_files',`
+ gen_require(`
+ type vhostmd_tmpfs_t;
+ ')
+
+ dontaudit $1 vhostmd_tmpfs_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to read, vhostmd tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`vhostmd_read_tmpfs_files',`
+ gen_require(`
+ type vhostmd_tmpfs_t;
+ ')
+
+ allow $1 vhostmd_tmpfs_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Allow domain to read and write vhostmd tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`vhostmd_rw_tmpfs_files',`
+ gen_require(`
+ type vhostmd_tmpfs_t;
+ ')
+
+ read_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+ write_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage vhostmd tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`vhostmd_manage_tmpfs',`
+ gen_require(`
+ type vhostmd_tmpfs_t;
+ ')
+
+ manage_dirs_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+ manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+ manage_lnk_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Read vhostmd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_read_pid_files',`
+ gen_require(`
+ type vhostmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 vhostmd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage vhostmd var_run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_manage_var_run',`
+ gen_require(`
+ type vhostmd_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
+ manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
+ manage_lnk_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
+')
+
+########################################
+## <summary>
+## Connect to vhostmd over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_stream_connect',`
+ gen_require(`
+ type vhostmd_t, vhostmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t, vhostmd_t)
+')
+
+#######################################
+## <summary>
+## Dontaudit read and write to vhostmd
+## over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vhostmd_dontaudit_rw_stream_connect',`
+ gen_require(`
+ type vhostmd_t;
+ ')
+
+ dontaudit $1 vhostmd_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an vhostmd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vhostmd_admin',`
+ gen_require(`
+ type vhostmd_t, vhostmd_initrc_exec_t;
+ ')
+
+ allow $1 vhostmd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, vhostmd_t)
+
+ vhostmd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 vhostmd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ vhostmd_manage_tmpfs($1)
+
+ vhostmd_manage_var_run($1)
+
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.5/policy/modules/services/vhostmd.te
--- nsaserefpolicy/policy/modules/services/vhostmd.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/vhostmd.te 2009-12-21 13:07:09.000000000 -0500
@@ -0,0 +1,86 @@
+
+policy_module(vhostmd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type vhostmd_t;
+type vhostmd_exec_t;
+init_daemon_domain(vhostmd_t, vhostmd_exec_t)
+
+permissive vhostmd_t;
+
+type vhostmd_initrc_exec_t;
+init_script_file(vhostmd_initrc_exec_t)
+
+type vhostmd_tmpfs_t;
+files_tmpfs_file(vhostmd_tmpfs_t)
+
+type vhostmd_var_run_t;
+files_pid_file(vhostmd_var_run_t)
+
+########################################
+#
+# vhostmd local policy
+#
+
+allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
+allow vhostmd_t self:process { setsched getsched };
+
+# internal communication is often done using fifo and unix sockets.
+allow vhostmd_t self:fifo_file rw_file_perms;
+allow vhostmd_t self:unix_stream_socket { create_stream_socket_perms connectto};
+
+manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+fs_tmpfs_filetrans(vhostmd_t, vhostmd_tmpfs_t, { file dir })
+
+manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
+manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
+files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir })
+
+corecmd_exec_bin(vhostmd_t)
+corecmd_exec_shell(vhostmd_t)
+
+kernel_read_system_state(vhostmd_t)
+kernel_read_network_state(vhostmd_t)
+kernel_write_xen_state(vhostmd_t)
+
+corenet_tcp_connect_soundd_port(vhostmd_t)
+
+files_read_etc_files(vhostmd_t)
+files_read_usr_files(vhostmd_t)
+files_read_generic_tmp_files(vhostmd_t)
+
+dev_read_sysfs(vhostmd_t)
+
+auth_use_nsswitch(vhostmd_t)
+
+logging_send_syslog_msg(vhostmd_t)
+
+libs_use_ld_so(vhostmd_t)
+libs_use_shared_libs(vhostmd_t)
+
+miscfiles_read_localization(vhostmd_t)
+
+optional_policy(`
+ hostname_exec(vhostmd_t)
+')
+
+optional_policy(`
+ rpm_exec(vhostmd_t)
+ rpm_read_db(vhostmd_t)
+')
+
+optional_policy(`
+ virt_stream_connect(vhostmd_t)
+')
+
+optional_policy(`
+ xen_domtrans_xm(vhostmd_t)
+ xen_stream_connect(vhostmd_t)
+ xen_stream_connect_xenstore(vhostmd_t)
+ xen_stream_connect_xm(vhostmd_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.5/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/virt.fc 2009-12-21 13:07:09.000000000 -0500
@@ -8,5 +8,18 @@
/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+
/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+
+HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+
+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
+
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.5/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2009-08-31 13:30:04.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/virt.if 2009-12-21 13:07:09.000000000 -0500
@@ -136,7 +136,7 @@
')
files_search_pids($1)
- allow $1 virt_var_run_t:file read_file_perms;
+ read_files_pattern($1, virt_var_run_t, virt_var_run_t)
')
########################################
@@ -154,6 +154,7 @@
type virt_var_run_t;
')
+ files_search_pids($1)
manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
')
@@ -193,6 +194,7 @@
files_search_var_lib($1)
read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
')
########################################
@@ -287,15 +289,16 @@
#
interface(`virt_manage_images',`
gen_require(`
- type virt_image_t, virt_var_lib_t;
+ type virt_var_lib_t;
+ attribute virt_image_type;
')
virt_search_lib($1)
- allow $1 virt_image_t:dir list_dir_perms;
- manage_dirs_pattern($1, virt_image_t, virt_image_t)
- manage_files_pattern($1, virt_image_t, virt_image_t)
- read_lnk_files_pattern($1, virt_image_t, virt_image_t)
- rw_blk_files_pattern($1, virt_image_t, virt_image_t)
+ allow $1 virt_image_type:dir list_dir_perms;
+ manage_dirs_pattern($1, virt_image_type, virt_image_type)
+ manage_files_pattern($1, virt_image_type, virt_image_type)
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ rw_blk_files_pattern($1, virt_image_type, virt_image_type)
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs($1)
@@ -304,8 +307,79 @@
')
tunable_policy(`virt_use_samba',`
- fs_manage_nfs_files($1)
fs_manage_cifs_files($1)
+ fs_manage_cifs_files($1)
+ fs_read_cifs_symlinks($1)
+ ')
+')
+
+########################################
+## <summary>
+## Allow domain to read virt image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`virt_read_images',`
+ gen_require(`
+ type virt_var_lib_t;
+ attribute virt_image_type;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir list_dir_perms;
+ list_dirs_pattern($1, virt_image_type, virt_image_type)
+ read_files_pattern($1, virt_image_type, virt_image_type)
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ fs_read_nfs_symlinks($1)
+ ')
+
+ tunable_policy(`virt_use_samba',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ fs_read_cifs_symlinks($1)
+ ')
+')
+
+########################################
+## <summary>
+## Allow domain to manage virt image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`virt_read_content',`
+ gen_require(`
+ type virt_content_t;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_content_t:dir list_dir_perms;
+ list_dirs_pattern($1, virt_content_t, virt_content_t)
+ read_files_pattern($1, virt_content_t, virt_content_t)
+ read_lnk_files_pattern($1, virt_content_t, virt_content_t)
+ read_blk_files_pattern($1, virt_content_t, virt_content_t)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ fs_read_nfs_symlinks($1)
+ ')
+
+ tunable_policy(`virt_use_samba',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
fs_read_cifs_symlinks($1)
')
')
@@ -346,3 +420,123 @@
virt_manage_log($1)
')
+
+########################################
+## <summary>
+## Creates types and rules for a basic
+## qemu process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`virt_domain_template',`
+ gen_require(`
+ type virtd_t;
+ attribute virt_image_type;
+ attribute virt_domain;
+ ')
+
+ type $1_t, virt_domain;
+ domain_type($1_t)
+ role system_r types $1_t;
+
+ domain_user_exemption_target($1_t)
+
+ type $1_tmp_t;
+ files_tmp_file($1_tmp_t)
+
+ type $1_tmpfs_t;
+ files_tmpfs_file($1_tmpfs_t)
+
+ type $1_image_t, virt_image_type;
+ files_type($1_image_t)
+ dev_node($1_image_t)
+
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+
+ manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
+ manage_files_pattern($1_t, $1_image_t, $1_image_t)
+ read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
+ rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
+
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+
+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
+
+ stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain)
+ manage_dirs_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
+ manage_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
+ manage_sock_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
+
+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t, $1_var_run_t, { dir file })
+ stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t)
+
+ optional_policy(`
+ xserver_rw_shm($1_t)
+ ')
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## svirt cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_svirt_cache',`
+ gen_require(`
+ type svirt_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t)
+ manage_files_pattern($1, svirt_cache_t, svirt_cache_t)
+ manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t)
+')
+
+########################################
+## <summary>
+## Execute qemu in the svirt domain, and
+## allow the specified role the svirt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the sandbox domain.
+## </summary>
+## </param>
+#
+interface(`virt_transition_svirt',`
+ gen_require(`
+ type svirt_t;
+ ')
+
+ allow $1 svirt_t:process transition;
+ role $2 types svirt_t;
+
+ optional_policy(`
+ ptchown_run(svirt_t, $2)
+ ')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.5/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/virt.te 2009-12-21 13:07:09.000000000 -0500
@@ -20,6 +20,28 @@
## </desc>
gen_tunable(virt_use_samba, false)
+## <desc>
+## <p>
+## Allow virt to use usb devices
+## </p>
+## </desc>
+gen_tunable(virt_use_usb, true)
+
+## <desc>
+## <p>
+## Allow virt to manage device configuration, (pci)
+## </p>
+## </desc>
+gen_tunable(virt_manage_sysfs, false)
+
+## <desc>
+## <p>
+## Allow virt to use serial/parallell communication ports
+## </p>
+## </desc>
+gen_tunable(virt_use_comm, false)
+
+attribute virt_domain;
attribute virt_image_type;
type virt_etc_t;
@@ -29,9 +51,14 @@
files_type(virt_etc_rw_t)
# virt Image files
-type virt_image_t, virt_image_type; # customizable
+type virt_image_t; # customizable
virt_image(virt_image_t)
+# virt Image files
+type virt_content_t; # customizable
+virt_image(virt_content_t)
+userdom_user_home_content(virt_content_t)
+
type virt_log_t;
logging_log_file(virt_log_t)
@@ -48,27 +75,56 @@
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(virtd_t, virtd_exec_t,s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(virtd_t, virtd_exec_t,s0 - mls_systemhigh)
+')
+
+virt_domain_template(svirt)
+role system_r types svirt_t;
+
+type svirt_cache_t;
+files_type(svirt_cache_t)
+
########################################
#
# virtd local policy
#
-allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace };
-allow virtd_t self:process { getsched sigkill signal execmem };
-allow virtd_t self:fifo_file rw_file_perms;
+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched };
+
+allow virtd_t self:fifo_file rw_fifo_file_perms;
allow virtd_t self:unix_stream_socket create_stream_socket_perms;
allow virtd_t self:tcp_socket create_stream_socket_perms;
-allow virtd_t self:tun_socket create;
+allow virtd_t self:tun_socket create_socket_perms;
+allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
+manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
+
manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
+manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
+allow virtd_t virt_image_type:file { relabelfrom relabelto };
+allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
+
+mcs_process_set_categories(virtd_t)
+
+manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
+manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
@@ -76,6 +132,7 @@
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
@@ -86,7 +143,8 @@
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
-kernel_load_module(virtd_t)
+kernel_request_load_module(virtd_t)
+kernel_search_debugfs(virtd_t)
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
@@ -97,40 +155,77 @@
corenet_tcp_sendrecv_generic_node(virtd_t)
corenet_tcp_sendrecv_all_ports(virtd_t)
corenet_tcp_bind_generic_node(virtd_t)
-#corenet_tcp_bind_virt_port(virtd_t)
+corenet_tcp_bind_virt_port(virtd_t)
corenet_tcp_bind_vnc_port(virtd_t)
corenet_tcp_connect_vnc_port(virtd_t)
corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
-dev_read_sysfs(virtd_t)
+dev_getattr_all_chr_files(virtd_t)
dev_read_rand(virtd_t)
+dev_rw_kvm(virtd_t)
+dev_rw_mtrr(virtd_t)
+dev_rw_sysfs(virtd_t)
# Init script handling
domain_use_interactive_fds(virtd_t)
+domain_read_all_domains_state(virtd_t)
+domain_obj_id_change_exemption(virtd_t)
+domain_subj_id_change_exemption(virtd_t)
+domain_read_all_domains_state(virtd_t)
files_read_usr_files(virtd_t)
files_read_etc_files(virtd_t)
+files_read_usr_files(virtd_t)
files_read_etc_runtime_files(virtd_t)
files_search_all(virtd_t)
-files_list_kernel_modules(virtd_t)
+files_read_kernel_modules(virtd_t)
+files_read_usr_src_files(virtd_t)
+
+# Manages /etc/sysconfig/system-config-firewall
+iptables_manage_config(virtd_t)
+files_manage_etc_files(virtd_t)
fs_list_auto_mountpoints(virtd_t)
+fs_getattr_xattr_fs(virtd_t)
+fs_rw_anon_inodefs_files(virtd_t)
+fs_list_inotifyfs(virtd_t)
+fs_manage_cgroup_dirs(virtd_t)
+fs_rw_cgroup_files(virtd_t)
+storage_manage_fixed_disk(virtd_t)
+storage_relabel_fixed_disk(virtd_t)
storage_raw_write_removable_device(virtd_t)
storage_raw_read_removable_device(virtd_t)
+seutil_read_default_contexts(virtd_t)
+
term_getattr_pty_fs(virtd_t)
+term_use_generic_ptys(virtd_t)
term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
-miscfiles_read_localization(virtd_t)
miscfiles_read_certs(virtd_t)
+miscfiles_read_hwdata(virtd_t)
+miscfiles_read_localization(virtd_t)
+
+modutils_read_module_deps(virtd_t)
+modutils_read_module_config(virtd_t)
+modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
+sysnet_domtrans_ifconfig(virtd_t)
+sysnet_read_config(virtd_t)
+
+userdom_dontaudit_list_admin_dir(virtd_t)
+userdom_getattr_all_users(virtd_t)
+userdom_list_user_home_content(virtd_t)
userdom_read_all_users_state(virtd_t)
+userdom_read_user_home_content_files(virtd_t)
+userdom_relabel_user_home_files(virtd_t)
+userdom_setattr_user_home_content_files(virtd_t)
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
@@ -168,22 +263,36 @@
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
+ dnsmasq_read_pid_files(virtd_t)
+ dnsmasq_signull(virtd_t)
')
optional_policy(`
iptables_domtrans(virtd_t)
+ iptables_initrc_domtrans(virtd_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(virtd, virtd_t)
')
-#optional_policy(`
-# polkit_domtrans_auth(virtd_t)
-# polkit_domtrans_resolve(virtd_t)
-#')
+optional_policy(`
+ lvm_domtrans(virtd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(virtd_t)
+ policykit_domtrans_auth(virtd_t)
+ policykit_domtrans_resolve(virtd_t)
+ policykit_read_lib(virtd_t)
+')
optional_policy(`
- qemu_domtrans(virtd_t)
+ qemu_spec_domtrans(virtd_t, svirt_t)
qemu_read_state(virtd_t)
qemu_signal(virtd_t)
qemu_kill(virtd_t)
+ qemu_setsched(virtd_t)
')
optional_policy(`
@@ -196,8 +305,153 @@
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
+ xen_read_image_files(virtd_t)
+')
+
+optional_policy(`
+ udev_domtrans(virtd_t)
+ udev_read_db(virtd_t)
')
optional_policy(`
unconfined_domain(virtd_t)
')
+
+########################################
+#
+# svirt local policy
+#
+manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+files_var_filetrans(svirt_t, svirt_cache_t, { file dir })
+
+read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
+
+allow svirt_t svirt_image_t:dir search_dir_perms;
+manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
+manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
+
+list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_t, virt_content_t, virt_content_t)
+dontaudit svirt_t virt_content_t:file write_file_perms;
+dontaudit svirt_t virt_content_t:dir write;
+
+userdom_search_user_home_content(svirt_t)
+userdom_read_all_users_state(svirt_t)
+
+allow svirt_t self:udp_socket create_socket_perms;
+
+corenet_udp_sendrecv_generic_if(svirt_t)
+corenet_udp_sendrecv_generic_node(svirt_t)
+corenet_udp_sendrecv_all_ports(svirt_t)
+corenet_udp_bind_generic_node(svirt_t)
+corenet_udp_bind_all_ports(svirt_t)
+corenet_tcp_bind_all_ports(svirt_t)
+corenet_tcp_connect_all_ports(svirt_t)
+
+tunable_policy(`virt_use_comm',`
+ term_use_unallocated_ttys(svirt_t)
+ dev_rw_printer(svirt_t)
+')
+
+dev_read_sysfs(svirt_t)
+
+tunable_policy(`virt_manage_sysfs',`
+ dev_rw_sysfs(svirt_t)
+')
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(svirt_t)
+ fs_manage_nfs_files(svirt_t)
+')
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs(svirt_t)
+ fs_manage_cifs_files(svirt_t)
+')
+
+tunable_policy(`virt_use_usb',`
+ dev_rw_usbfs(svirt_t)
+ fs_manage_dos_dirs(svirt_t)
+ fs_manage_dos_files(svirt_t)
+')
+
+optional_policy(`
+ xen_rw_image_files(svirt_t)
+')
+
+optional_policy(`
+ xen_rw_image_files(svirt_t)
+')
+
+########################################
+#
+# virtual domains common policy
+#
+
+allow virt_domain self:capability { kill dac_read_search dac_override };
+allow virt_domain self:process { execstack execmem signal getsched signull };
+
+allow virt_domain self:fifo_file rw_file_perms;
+allow virt_domain self:shm create_shm_perms;
+allow virt_domain self:unix_stream_socket create_stream_socket_perms;
+allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
+allow virt_domain self:tcp_socket create_stream_socket_perms;
+
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+kernel_read_system_state(virt_domain)
+
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
+corenet_all_recvfrom_unlabeled(virt_domain)
+corenet_all_recvfrom_netlabel(virt_domain)
+corenet_tcp_sendrecv_generic_if(virt_domain)
+corenet_tcp_sendrecv_generic_node(virt_domain)
+corenet_tcp_sendrecv_all_ports(virt_domain)
+corenet_tcp_bind_generic_node(virt_domain)
+corenet_tcp_bind_vnc_port(virt_domain)
+corenet_rw_tun_tap_dev(virt_domain)
+corenet_tcp_bind_virt_migration_port(virt_domain)
+corenet_tcp_connect_virt_migration_port(virt_domain)
+
+dev_read_sound(virt_domain)
+dev_write_sound(virt_domain)
+dev_rw_ksm(virt_domain)
+dev_rw_kvm(virt_domain)
+dev_rw_qemu(virt_domain)
+
+domain_use_interactive_fds(virt_domain)
+
+files_read_etc_files(virt_domain)
+files_read_usr_files(virt_domain)
+files_read_var_files(virt_domain)
+files_search_all(virt_domain)
+
+fs_getattr_tmpfs(virt_domain)
+fs_rw_anon_inodefs_files(virt_domain)
+fs_rw_tmpfs_files(virt_domain)
+
+term_use_all_terms(virt_domain)
+term_getattr_pty_fs(virt_domain)
+term_use_generic_ptys(virt_domain)
+term_use_ptmx(virt_domain)
+
+auth_use_nsswitch(virt_domain)
+
+logging_send_syslog_msg(virt_domain)
+
+miscfiles_read_localization(virt_domain)
+
+optional_policy(`
+ ptchown_domtrans(virt_domain)
+')
+
+optional_policy(`
+ virt_read_config(virt_domain)
+ virt_read_lib_files(virt_domain)
+ virt_read_content(virt_domain)
+ virt_stream_connect(virt_domain)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.5/policy/modules/services/w3c.te
--- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/w3c.te 2009-12-21 13:07:09.000000000 -0500
@@ -8,11 +8,18 @@
apache_content_template(w3c_validator)
+type httpd_w3c_validator_tmp_t;
+files_tmp_file(httpd_w3c_validator_tmp_t)
+
########################################
#
# Local policy
#
+manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t)
+manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t)
+files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir })
+
corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.5/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/xserver.fc 2009-12-21 13:07:09.000000000 -0500
@@ -3,12 +3,21 @@
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0)
HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
+HOME_DIR/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
+HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
+HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+/root/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
#
# /dev
#
@@ -32,11 +41,6 @@
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-ifdef(`distro_redhat',`
-/etc/gdm/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/gdm/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-')
-
#
# /opt
#
@@ -61,7 +65,9 @@
/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
ifdef(`distro_debian', `
@@ -89,17 +95,35 @@
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/[gxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
+
+/var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
+
+/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/kdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
+/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
ifdef(`distro_suse',`
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
')
+
+/var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.5/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-12-04 09:43:33.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/xserver.if 2009-12-22 12:24:34.000000000 -0500
@@ -56,6 +56,13 @@
domtrans_pattern($2, iceauth_exec_t, iceauth_t)
+ifdef(`hide_broken_symptoms', `
+ dontaudit iceauth_t $2:unix_stream_socket rw_socket_perms;
+ dontaudit iceauth_t $2:tcp_socket rw_socket_perms;
+ dontaudit iceauth_t $2:udp_socket rw_socket_perms;
+ fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
+')
+
allow $2 iceauth_home_t:file read_file_perms;
domtrans_pattern($2, xauth_exec_t, xauth_t)
@@ -96,7 +103,6 @@
miscfiles_read_fonts($2)
xserver_common_x_domain_template(user, $2)
- xserver_unconfined($2)
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
@@ -162,7 +168,6 @@
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
-
')
#######################################
@@ -197,7 +202,7 @@
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
- allow $1 xserver_tmp_t:file { getattr read };
+ allow $1 xserver_tmp_t:file read_file_perms;
# Client read xserver shm
allow $1 xserver_t:fd use;
@@ -260,12 +265,12 @@
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
- allow $1 xauth_home_t:file { getattr read };
- allow $1 iceauth_home_t:file { getattr read };
+ allow $1 xauth_home_t:file read_file_perms;
+ allow $1 iceauth_home_t:file read_file_perms;
# for when /tmp/.X11-unix is created by the system
allow $1 xdm_t:fd use;
- allow $1 xdm_t:fifo_file { getattr read write ioctl };
+ allow $1 xdm_t:fifo_file rw_fifo_file_perms;
allow $1 xdm_tmp_t:dir search;
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
@@ -445,6 +450,7 @@
xserver_use_user_fonts($2)
xserver_read_xdm_tmp_files($2)
+ xserver_read_xdm_pid($2)
# X object manager
xserver_object_types_template($1)
@@ -514,6 +520,12 @@
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
+ifdef(`hide_broken_symptoms', `
+ dontaudit xauth_t $1:unix_stream_socket rw_socket_perms;
+ dontaudit xauth_t $1:tcp_socket rw_socket_perms;
+ dontaudit xauth_t $1:udp_socket rw_socket_perms;
+ fs_dontaudit_rw_anon_inodefs_files(xauth_t)
+')
')
########################################
@@ -567,6 +579,7 @@
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
+ xserver_read_xdm_pid($1)
')
########################################
@@ -774,7 +787,7 @@
')
files_search_pids($1)
- allow $1 xdm_var_run_t:file read_file_perms;
+ read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
')
########################################
@@ -1219,3 +1232,329 @@
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
+
+########################################
+## <summary>
+## Dontaudit append to .xsession-errors file
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`xserver_dontaudit_append_xdm_home_files',`
+ gen_require(`
+ type xdm_home_t;
+ type xserver_tmp_t;
+ ')
+
+ dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
+ dontaudit $1 xserver_tmp_t:file rw_inherited_file_perms;
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_rw_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_rw_cifs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## append to .xsession-errors file
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`xserver_append_xdm_home_files',`
+ gen_require(`
+ type xdm_home_t;
+ type xserver_tmp_t;
+ ')
+
+ allow $1 xdm_home_t:file append_file_perms;
+ allow $1 xserver_tmp_t:file append_file_perms;
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_append_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_append_cifs_files($1)
+ ')
+')
+
+########################################
+## <summary>
+## Manage the xdm_spool files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_xdm_manage_spool',`
+ gen_require(`
+ type xdm_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## xdm over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_dbus_chat_xdm',`
+ gen_require(`
+ type xdm_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 xdm_t:dbus send_msg;
+ allow xdm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read xserver files created in /var/run
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_pid',`
+ gen_require(`
+ type xserver_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute xserver files created in /var/run
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_exec_pid',`
+ gen_require(`
+ type xserver_var_run_t;
+ ')
+
+ files_search_pids($1)
+ exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
+')
+
+########################################
+## <summary>
+## Write xserver files created in /var/run
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_write_pid',`
+ gen_require(`
+ type xserver_var_run_t;
+ ')
+
+ files_search_pids($1)
+ write_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
+')
+
+########################################
+## <summary>
+## Allow append the xdm
+## log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`xserver_xdm_append_log',`
+ gen_require(`
+ type xdm_log_t;
+ attribute xdmhomewriter;
+ ')
+
+ typeattribute $1 xdmhomewriter;
+ append_files_pattern($1, xdm_log_t, xdm_log_t)
+')
+
+########################################
+## <summary>
+## Read a user Iceauthority domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`xserver_read_user_iceauth',`
+ gen_require(`
+ type iceauth_home_t;
+ ')
+
+ # Read .Iceauthority file
+ allow $1 iceauth_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read user homedir fonts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`xserver_rw_inherited_user_fonts',`
+ gen_require(`
+ type user_fonts_t;
+ type user_fonts_config_t;
+ ')
+
+ allow $1 user_fonts_t:file rw_inherited_file_perms;
+ allow $1 user_fonts_t:file read_lnk_file_perms;
+
+ allow $1 user_fonts_config_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Search XDM var lib dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_search_xdm_lib',`
+ gen_require(`
+ type xdm_var_lib_t;
+ ')
+
+ allow $1 xdm_var_lib_t:dir search_dir_perms;
+')
+
+
+########################################
+## <summary>
+## Make an X executable an entrypoint for the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which the shell is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`xserver_entry_type',`
+ gen_require(`
+ type xserver_exec_t;
+ ')
+
+ domain_entry_file($1, xserver_exec_t)
+')
+
+########################################
+## <summary>
+## Execute xsever in the xserver domain, and
+## allow the specified role the xserver domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the xserver domain.
+## </summary>
+## </param>
+#
+interface(`xserver_run',`
+ gen_require(`
+ type xserver_t;
+ ')
+
+ xserver_domtrans($1)
+ role $2 types xserver_t;
+')
+
+########################################
+## <summary>
+## Execute xsever in the xserver domain, and
+## allow the specified role the xserver domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the xserver domain.
+## </summary>
+## </param>
+#
+interface(`xserver_run_xauth',`
+ gen_require(`
+ type xauth_t;
+ ')
+
+ xserver_domtrans_xauth($1)
+ role $2 types xauth_t;
+')
+########################################
+## <summary>
+## Read user homedir fonts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`xserver_manage_home_fonts',`
+ gen_require(`
+ type user_fonts_t;
+ type user_fonts_config_t;
+ ')
+
+ manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
+ manage_files_pattern($1, user_fonts_t, user_fonts_t)
+ manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
+
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.5/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-12-04 09:43:33.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/xserver.te 2009-12-22 09:44:04.000000000 -0500
@@ -36,6 +36,13 @@
## <desc>
## <p>
+## Allows XServer to execute writable memory
+## </p>
+## </desc>
+gen_tunable(allow_xserver_execmem, false)
+
+## <desc>
+## <p>
## Allow xdm logins as sysadm
## </p>
## </desc>
@@ -48,6 +55,9 @@
## </desc>
gen_tunable(xserver_object_manager, false)
+attribute xdmhomewriter;
+attribute x_userdomain;
+
attribute x_domain;
# X Events
@@ -108,48 +118,48 @@
xserver_common_x_domain_template(remote,remote_t)
type user_fonts_t;
-typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
-typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
+typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t xguest_fonts_t unconfined_fonts_t };
+typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t user_fonts_home_t };
userdom_user_home_content(user_fonts_t)
type user_fonts_cache_t;
-typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t };
+typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t xguest_fonts_cache_t unconfined_fonts_cache_t };
typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t };
userdom_user_home_content(user_fonts_cache_t)
type user_fonts_config_t;
-typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t };
+typealias user_fonts_config_t alias { fonts_config_home_t staff_fonts_config_t sysadm_fonts_config_t xguest_fonts_config_t unconfined_fonts_config_t };
typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t };
userdom_user_home_content(user_fonts_config_t)
type iceauth_t;
type iceauth_exec_t;
-typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t };
+typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t xguest_iceauth_t };
typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t };
application_domain(iceauth_t, iceauth_exec_t)
ubac_constrained(iceauth_t)
type iceauth_home_t;
typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
-typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
+typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t xguest_iceauth_home_t };
files_poly_member(iceauth_home_t)
userdom_user_home_content(iceauth_home_t)
type xauth_t;
type xauth_exec_t;
typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
-typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
+typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t xguest_xauth_t unconfined_xauth_t };
application_domain(xauth_t, xauth_exec_t)
ubac_constrained(xauth_t)
type xauth_home_t;
typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
-typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
+typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t xguest_xauth_home_t unconfined_xauth_home_t };
files_poly_member(xauth_home_t)
userdom_user_home_content(xauth_home_t)
type xauth_tmp_t;
-typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t };
+typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t xguest_xauth_tmp_t unconfined_xauth_tmp_t };
typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
files_tmp_file(xauth_tmp_t)
ubac_constrained(xauth_tmp_t)
@@ -167,13 +177,15 @@
init_daemon_domain(xdm_t, xdm_exec_t)
xserver_object_types_template(xdm)
xserver_common_x_domain_template(xdm, xdm_t)
-xserver_unconfined(xdm_t)
type xdm_lock_t;
files_lock_file(xdm_lock_t)
type xdm_rw_etc_t;
-files_type(xdm_rw_etc_t)
+files_config_file(xdm_rw_etc_t)
+
+type xdm_spool_t;
+files_type(xdm_spool_t)
type xdm_var_lib_t;
files_type(xdm_var_lib_t)
@@ -181,13 +193,21 @@
type xdm_var_run_t;
files_pid_file(xdm_var_run_t)
-type xdm_tmp_t;
-files_tmp_file(xdm_tmp_t)
-typealias xdm_tmp_t alias ice_tmp_t;
+type xserver_var_lib_t;
+files_type(xserver_var_lib_t)
+
+type xserver_var_run_t;
+files_pid_file(xserver_var_run_t)
type xdm_tmpfs_t;
files_tmpfs_file(xdm_tmpfs_t)
+type xdm_home_t;
+userdom_user_home_content(xdm_home_t)
+
+type xdm_log_t;
+logging_log_file(xdm_log_t)
+
# type for /var/lib/xkb
type xkb_var_lib_t;
files_type(xkb_var_lib_t)
@@ -200,15 +220,15 @@
init_system_domain(xserver_t, xserver_exec_t)
ubac_constrained(xserver_t)
-type xserver_tmp_t;
-typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
-typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
-files_tmp_file(xserver_tmp_t)
-ubac_constrained(xserver_tmp_t)
+type xdm_tmp_t;
+typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
+typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
+files_tmp_file(xdm_tmp_t)
+ubac_constrained(xdm_tmp_t)
type xserver_tmpfs_t;
-typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
-typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t };
+typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t };
+typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
files_tmpfs_file(xserver_tmpfs_t)
ubac_constrained(xserver_tmpfs_t)
@@ -238,9 +258,13 @@
allow xdm_t iceauth_home_t:file read_file_perms;
+dev_read_rand(iceauth_t)
+
fs_search_auto_mountpoints(iceauth_t)
userdom_use_user_terminals(iceauth_t)
+userdom_read_user_tmp_files(iceauth_t)
+userdom_read_all_users_state(iceauth_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(iceauth_t)
@@ -250,30 +274,47 @@
fs_manage_cifs_files(iceauth_t)
')
+ifdef(`hide_broken_symptoms', `
+ dev_dontaudit_rw_dri(iceauth_t)
+ dev_dontaudit_rw_generic_dev_nodes(iceauth_t)
+ fs_list_inotifyfs(iceauth_t)
+ term_dontaudit_use_unallocated_ttys(iceauth_t)
+
+ optional_policy(`
+ mozilla_dontaudit_rw_user_home_files(iceauth_t)
+ ')
+')
+
########################################
#
# Xauth local policy
#
+allow xauth_t self:capability dac_override;
allow xauth_t self:process signal;
allow xauth_t self:unix_stream_socket create_stream_socket_perms;
+allow xauth_t xdm_t:process sigchld;
+
allow xauth_t xauth_home_t:file manage_file_perms;
userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
+userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file)
+
+manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
+manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
-allow xdm_t xauth_home_t:file manage_file_perms;
-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
-
domain_use_interactive_fds(xauth_t)
files_read_etc_files(xauth_t)
+files_read_usr_files(xauth_t)
files_search_pids(xauth_t)
+files_dontaudit_getattr_all_dirs(xauth_t)
-fs_getattr_xattr_fs(xauth_t)
+fs_getattr_all_fs(xauth_t)
fs_search_auto_mountpoints(xauth_t)
# cjp: why?
@@ -283,6 +324,14 @@
userdom_use_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
+userdom_read_all_users_state(xauth_t)
+
+ifdef(`hide_broken_symptoms', `
+ userdom_manage_user_home_content_files(xauth_t)
+ userdom_manage_user_tmp_files(xauth_t)
+ dev_dontaudit_rw_generic_dev_nodes(xauth_t)
+ miscfiles_read_fonts(xauth_t)
+')
xserver_rw_xdm_tmp_files(xauth_t)
@@ -294,6 +343,15 @@
fs_manage_cifs_files(xauth_t)
')
+ifdef(`hide_broken_symptoms', `
+ term_dontaudit_use_unallocated_ttys(xauth_t)
+ dev_dontaudit_rw_dri(xauth_t)
+')
+
+optional_policy(`
+ nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
+')
+
optional_policy(`
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
@@ -305,20 +363,31 @@
# XDM Local policy
#
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
+allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate ptrace };
+allow xdm_t self:process { getattr getcap setcap };
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow xdm_t self:unix_dgram_socket create_socket_perms;
+allow xdm_t self:unix_dgram_socket { create_socket_perms sendto };
allow xdm_t self:tcp_socket create_stream_socket_perms;
allow xdm_t self:udp_socket create_socket_perms;
+allow xdm_t self:netlink_kobject_uevent_socket create_socket_perms;
allow xdm_t self:socket create_socket_perms;
allow xdm_t self:appletalk_socket create_socket_perms;
allow xdm_t self:key { search link write };
+allow xdm_t xauth_home_t:file manage_file_perms;
+
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+
+manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
+userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
+#Handle mislabeled files in homedir
+userdom_delete_user_home_content_files(xdm_t)
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
@@ -334,22 +403,39 @@
manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
+relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
-fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+fs_getattr_all_fs(xdm_t)
+fs_list_inotifyfs(xdm_t)
+fs_read_noxattr_fs_files(xdm_t)
+
+manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
+
+files_search_spool(xdm_t)
+manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
+manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
+files_spool_filetrans(xdm_t, xdm_spool_t, { file dir })
manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
-files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
+manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir })
+# Read machine-id
+files_read_var_lib_files(xdm_t)
manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
-files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file })
+manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
+files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })
allow xdm_t xserver_t:process signal;
allow xdm_t xserver_t:unix_stream_socket connectto;
@@ -363,6 +449,7 @@
allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xserver_t:shm rw_shm_perms;
+read_files_pattern(xdm_t, xserver_t, xserver_t)
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -371,10 +458,14 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
+manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t)
+manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
+manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
+logging_log_filetrans(xdm_t, xdm_log_t, file)
+
manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t)
manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
-logging_log_filetrans(xdm_t, xserver_log_t, file)
kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
@@ -394,11 +485,13 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
+corenet_udp_bind_xdmcp_port(xdm_t)
corenet_tcp_connect_all_ports(xdm_t)
corenet_sendrecv_all_client_packets(xdm_t)
# xdm tries to bind to biff_port_t
corenet_dontaudit_tcp_bind_all_ports(xdm_t)
+dev_rwx_zero(xdm_t)
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
@@ -406,6 +499,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
+dev_rw_input_dev(xdm_t)
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
@@ -418,14 +512,17 @@
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
-dev_getattr_sound_dev(xdm_t)
-dev_setattr_sound_dev(xdm_t)
+dev_read_sound(xdm_t)
+dev_write_sound(xdm_t)
dev_getattr_power_mgmt_dev(xdm_t)
dev_setattr_power_mgmt_dev(xdm_t)
+dev_getattr_null_dev(xdm_t)
+dev_setattr_null_dev(xdm_t)
domain_use_interactive_fds(xdm_t)
# Do not audit denied probes of /proc.
domain_dontaudit_read_all_domains_state(xdm_t)
+domain_dontaudit_ptrace_all_domains(xdm_t)
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
@@ -436,9 +533,15 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
+files_dontaudit_getattr_boot_dirs(xdm_t)
+files_dontaudit_write_usr_files(xdm_t)
+files_dontaudit_getattr_all_dirs(xdm_t)
+files_dontaudit_getattr_all_symlinks(xdm_t)
fs_getattr_all_fs(xdm_t)
fs_search_auto_mountpoints(xdm_t)
+fs_rw_anon_inodefs_files(xdm_t)
+fs_mount_tmpfs(xdm_t)
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
@@ -447,6 +550,7 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
+storage_dontaudit_rw_fuse(xdm_t)
term_setattr_console(xdm_t)
term_use_unallocated_ttys(xdm_t)
@@ -455,6 +559,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
+auth_signal_pam(xdm_t)
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
@@ -465,10 +570,12 @@
logging_read_generic_logs(xdm_t)
+miscfiles_manage_fonts_cache(xserver_t)
+miscfiles_search_man_pages(xdm_t)
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
-
-sysnet_read_config(xdm_t)
+miscfiles_manage_localization(xdm_t)
+miscfiles_read_hwdata(xdm_t)
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
@@ -477,6 +584,10 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
+userdom_stream_connect(xdm_t)
+userdom_manage_user_tmp_dirs(xdm_t)
+userdom_manage_user_tmp_sockets(xdm_t)
+userdom_manage_tmpfs_role(system_r, xdm_t)
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
@@ -509,10 +620,12 @@
optional_policy(`
alsa_domtrans(xdm_t)
+ alsa_read_rw_config(xdm_t)
')
optional_policy(`
consolekit_dbus_chat(xdm_t)
+ consolekit_read_log(xdm_t)
')
optional_policy(`
@@ -520,12 +633,48 @@
')
optional_policy(`
+ # Use dbus to start other processes as xdm_t
+ dbus_role_template(xdm, system_r, xdm_t)
+
+ dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms;
+ xserver_xdm_append_log(xdm_dbusd_t)
+ xserver_read_xdm_pid(xdm_dbusd_t)
+
+ corecmd_bin_entry_type(xdm_t)
+
+ dbus_system_bus_client(xdm_t)
+
+ optional_policy(`
+ bluetooth_dbus_chat(xdm_t)
+ ')
+
+ optional_policy(`
+ devicekit_dbus_chat_disk(xdm_t)
+ devicekit_dbus_chat_power(xdm_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(xdm_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(xdm_t)
+ ')
+
+')
+
+
+optional_policy(`
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
')
optional_policy(`
+ gnome_read_gconf_config(xdm_t)
+')
+
+optional_policy(`
hostname_exec(xdm_t)
')
@@ -543,9 +692,42 @@
')
optional_policy(`
+ policykit_dbus_chat(xdm_t)
+ policykit_domtrans_auth(xdm_t)
+ policykit_read_lib(xdm_t)
+ policykit_read_reload(xdm_t)
+ policykit_signal_auth(xdm_t)
+')
+
+optional_policy(`
+ pcscd_stream_connect(xdm_t)
+')
+
+optional_policy(`
+ plymouth_search_spool(xdm_t)
+ plymouth_exec_plymouth(xdm_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(xdm_t)
+ pulseaudio_dbus_chat(xdm_t)
+')
+
+optional_policy(`
resmgr_stream_connect(xdm_t)
')
+# On crash gdm execs gdb to dump stack
+optional_policy(`
+ rpm_exec(xdm_t)
+ rpm_read_db(xdm_t)
+ rpm_dontaudit_manage_db(xdm_t)
+')
+
+optional_policy(`
+ rtkit_daemon_system_domain(xdm_t)
+')
+
optional_policy(`
seutil_sigchld_newrole(xdm_t)
')
@@ -555,8 +737,9 @@
')
optional_policy(`
- unconfined_domain(xdm_t)
- unconfined_domtrans(xdm_t)
+ unconfined_shell_domtrans(xdm_t)
+ unconfined_signal(xdm_t)
+')
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
@@ -565,7 +748,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
-')
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
@@ -576,6 +758,10 @@
')
optional_policy(`
+ wm_exec(xdm_t)
+')
+
+optional_policy(`
xfs_stream_connect(xdm_t)
')
@@ -600,10 +786,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
-allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow xserver_t self:memprotect mmap_zero;
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
@@ -615,6 +800,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
+allow xserver_t self:netlink_selinux_socket create_socket_perms;
+allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+# Device rules
+allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
+allow x_domain xserver_t:x_screen getattr;
+
+allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
+
+domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
+
+allow xserver_t xauth_home_t:file read_file_perms;
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
@@ -634,12 +831,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
-domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
-allow xserver_t xauth_home_t:file read_file_perms;
+manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
+manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
+files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir)
+
+manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
+manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
+manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
+files_pid_filetrans(xserver_t, xserver_var_run_t, { dir file })
# Create files in /var/log with the xserver_log_t type.
manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
logging_log_filetrans(xserver_t, xserver_log_t, file)
+manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t)
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
@@ -673,7 +877,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
-dev_filetrans_dri(xserver_t)
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
@@ -683,9 +886,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
+dev_read_raw_memory(xserver_t)
+dev_write_raw_memory(xserver_t)
dev_rwx_zero(xserver_t)
-domain_mmap_low(xserver_t)
+domain_dontaudit_read_all_domains_state(xserver_t)
+domain_signal_all_domains(xserver_t)
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
@@ -700,8 +906,12 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
+fs_rw_tmpfs_files(xserver_t)
mls_xwin_read_to_clearance(xserver_t)
+mls_process_write_to_clearance(xserver_t)
+mls_file_read_to_clearance(xserver_t)
+mls_file_write_all_levels(xserver_t)
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
@@ -723,6 +933,7 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
+miscfiles_read_hwdata(xserver_t)
modutils_domtrans_insmod(xserver_t)
@@ -779,12 +990,20 @@
')
optional_policy(`
+ devicekit_signal_power(xserver_t)
+')
+
+optional_policy(`
rhgb_getpgid(xserver_t)
rhgb_signal(xserver_t)
')
optional_policy(`
- unconfined_domain_noaudit(xserver_t)
+ sandbox_rw_xserver_tmpfs_files(xserver_t)
+')
+
+optional_policy(`
+ unconfined_domain(xserver_t)
unconfined_domtrans(xserver_t)
')
@@ -811,7 +1030,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
-allow xserver_t xdm_var_run_t:file read_file_perms;
+read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -832,9 +1051,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
+userdom_read_all_users_state(xserver_t)
xserver_use_user_fonts(xserver_t)
+optional_policy(`
+ userhelper_search_config(xserver_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
@@ -849,11 +1073,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
- hal_dbus_chat(xserver_t)
+
+ optional_policy(`
+ hal_dbus_chat(xserver_t)
+ ')
')
optional_policy(`
- resmgr_stream_connect(xdm_t)
+ mono_rw_shm(xserver_t)
')
optional_policy(`
@@ -1000,17 +1227,32 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
-ifdef(`TODO',`
-tunable_policy(`allow_polyinstantiation',`
-# xdm needs access for linking .X11-unix to poly /tmp
-allow xdm_t polymember:dir { add_name remove_name write };
-allow xdm_t polymember:lnk_file { create unlink };
-# xdm needs access for copying .Xauthority into new home
-allow xdm_t polymember:file { create getattr write };
+optional_policy(`
+ unconfined_rw_shm(xserver_t)
+ unconfined_execmem_rw_shm(xserver_t)
+
+ # xserver signals unconfined user on startx
+ unconfined_signal(xserver_t)
+ unconfined_getpgid(xserver_t)
')
-#
-# Wants to delete .xsession-errors file
-#
-allow xdm_t user_home_type:file unlink;
-') dnl end TODO
+tunable_policy(`allow_xserver_execmem',`
+ allow xserver_t self:process { execheap execmem execstack };
+')
+
+# Hack to handle the problem of using the nvidia blobs
+tunable_policy(`allow_execmem',`
+ allow xdm_t self:process execmem;
+')
+
+tunable_policy(`allow_execstack',`
+ allow xdm_t self:process { execstack execmem };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_append_nfs_files(xdmhomewriter)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_append_cifs_files(xdmhomewriter)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.5/policy/modules/services/zebra.if
--- nsaserefpolicy/policy/modules/services/zebra.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/zebra.if 2009-12-21 13:07:09.000000000 -0500
@@ -24,6 +24,26 @@
########################################
## <summary>
+## Connect to zebra over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zebra_stream_connect',`
+ gen_require(`
+ type zebra_t, zebra_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 zebra_var_run_t:sock_file write;
+ allow $1 zebra_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an zebra environment
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.5/policy/modules/system/application.te
--- nsaserefpolicy/policy/modules/system/application.te 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/application.te 2009-12-21 13:07:09.000000000 -0500
@@ -7,6 +7,13 @@
# Executables to be run by user
attribute application_exec_type;
+userdom_inherit_append_user_home_content_files(application_domain_type)
+userdom_inherit_append_admin_home_files(application_domain_type)
+userdom_write_user_tmp_files(application_domain_type)
+logging_rw_all_logs(application_domain_type)
+
+files_dontaudit_search_all_dirs(application_domain_type)
+
optional_policy(`
ssh_sigchld(application_domain_type)
ssh_rw_stream_sockets(application_domain_type)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.5/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/authlogin.fc 2009-12-21 13:07:09.000000000 -0500
@@ -7,12 +7,10 @@
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
-/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
-/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
-
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
ifdef(`distro_suse', `
@@ -42,6 +40,9 @@
/var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
-
/var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.5/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/authlogin.if 2009-12-21 13:07:09.000000000 -0500
@@ -40,17 +40,76 @@
## </summary>
## </param>
#
+interface(`auth_use_pam',`
+
+ # for SSP/ProPolice
+ dev_read_urand($1)
+ # for encrypted homedir
+ dev_read_sysfs($1)
+
+ auth_domtrans_chk_passwd($1)
+ auth_domtrans_upd_passwd($1)
+ auth_dontaudit_read_shadow($1)
+ auth_read_login_records($1)
+ auth_append_login_records($1)
+ auth_rw_lastlog($1)
+ auth_rw_faillog($1)
+ auth_exec_pam($1)
+ auth_use_nsswitch($1)
+
+ logging_send_audit_msgs($1)
+ logging_send_syslog_msg($1)
+
+ optional_policy(`
+ dbus_system_bus_client($1)
+ optional_policy(`
+ consolekit_dbus_chat($1)
+ ')
+ ')
+
+ optional_policy(`
+ kerberos_manage_host_rcache($1)
+ kerberos_read_config($1)
+ ')
+
+ optional_policy(`
+ nis_authenticate($1)
+ ')
+')
+
+########################################
+## <summary>
+## Make the specified domain used for a login program.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain type used for a login program domain.
+## </summary>
+## </param>
+#
interface(`auth_login_pgm_domain',`
gen_require(`
type var_auth_t, auth_cache_t;
')
domain_type($1)
+ domain_poly($1)
+
domain_subj_id_change_exemption($1)
domain_role_change_exemption($1)
domain_obj_id_change_exemption($1)
role system_r types $1;
+ # Needed for pam_selinux_permit to cleanup properly
+ domain_read_all_domains_state($1)
+ domain_kill_all_domains($1)
+
+ # pam_keyring
+ allow $1 self:capability ipc_lock;
+ allow $1 self:process setkeycreate;
+ allow $1 self:key manage_key_perms;
+ userdom_manage_all_users_keys($1)
+
files_list_var_lib($1)
manage_files_pattern($1, var_auth_t, var_auth_t)
@@ -62,8 +121,6 @@
manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
files_var_filetrans($1, auth_cache_t, dir)
- # for SSP/ProPolice
- dev_read_urand($1)
# for fingerprint readers
dev_rw_input_dev($1)
dev_rw_generic_usb_dev($1)
@@ -86,27 +143,45 @@
mls_process_set_level($1)
mls_fd_share_all_levels($1)
- auth_domtrans_chk_passwd($1)
- auth_domtrans_upd_passwd($1)
- auth_dontaudit_read_shadow($1)
- auth_read_login_records($1)
- auth_append_login_records($1)
- auth_rw_lastlog($1)
- auth_rw_faillog($1)
- auth_exec_pam($1)
- auth_use_nsswitch($1)
+ auth_manage_pam_pid($1)
+ auth_use_pam($1)
init_rw_utmp($1)
- logging_send_audit_msgs($1)
- logging_send_syslog_msg($1)
logging_set_loginuid($1)
+ logging_set_tty_audit($1)
seutil_read_config($1)
seutil_read_default_contexts($1)
- tunable_policy(`allow_polyinstantiation',`
- files_polyinstantiate_all($1)
+ userdom_set_rlimitnh($1)
+ userdom_read_user_home_content_symlinks($1)
+ userdom_delete_user_tmp_files($1)
+ userdom_search_admin_dir($1)
+
+ optional_policy(`
+ afs_rw_udp_sockets($1)
+ ')
+
+ optional_policy(`
+ oddjob_dbus_chat($1)
+ oddjob_domtrans_mkhomedir($1)
+ ')
+
+ optional_policy(`
+ corecmd_exec_bin($1)
+ storage_getattr_fixed_disk_dev($1)
+ mount_domtrans($1)
+ ')
+
+ optional_policy(`
+ fprintd_dbus_chat($1)
+ ')
+
+ optional_policy(`
+ ssh_agent_exec($1)
+ ssh_read_user_home_files($1)
+ userdom_read_user_home_content_files($1)
')
')
@@ -258,6 +333,7 @@
type auth_cache_t;
')
+ manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
manage_files_pattern($1, auth_cache_t, auth_cache_t)
')
@@ -305,29 +381,50 @@
dev_read_rand($1)
dev_read_urand($1)
+ auth_use_nsswitch($1)
+ auth_rw_faillog($1)
+
logging_send_audit_msgs($1)
miscfiles_read_certs($1)
- sysnet_dns_name_resolve($1)
- sysnet_use_ldap($1)
-
optional_policy(`
- kerberos_use($1)
+ kerberos_read_keytab($1)
+ kerberos_connect_524($1)
')
optional_policy(`
- nis_use_ypbind($1)
- ')
-
- optional_policy(`
- pcscd_read_pub_files($1)
+ pcscd_manage_pub_files($1)
+ pcscd_manage_pub_pipes($1)
pcscd_stream_connect($1)
')
optional_policy(`
samba_stream_connect_winbind($1)
')
+ auth_domtrans_upd_passwd($1)
+')
+
+########################################
+## <summary>
+## Run unix_chkpwd to check a password.
+## Stripped down version to be called within boolean
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_domtrans_chkpwd',`
+ gen_require(`
+ type chkpwd_t, chkpwd_exec_t, shadow_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
+ dontaudit $1 shadow_t:file { getattr read };
+ auth_domtrans_upd_passwd($1)
')
########################################
@@ -352,6 +449,7 @@
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
+ auth_run_upd_passwd($1, $2)
')
########################################
@@ -1129,6 +1227,32 @@
########################################
## <summary>
+## rw all files on the filesystem, except
+## the shadow passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the domain perfoming this action.
+## </summary>
+## </param>
+## <param name="exception_types" optional="true">
+## <summary>
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </summary>
+## </param>
+#
+
+interface(`auth_rw_all_files_except_shadow',`
+ gen_require(`
+ type shadow_t;
+ ')
+
+ files_rw_all_files($1,$2 -shadow_t)
+')
+
+########################################
+## <summary>
## Manage all files on the filesystem, except
## the shadow passwords and listed exceptions.
## </summary>
@@ -1254,6 +1378,25 @@
########################################
## <summary>
+## dontaudit read login records files (/var/log/wtmp).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`auth_dontaudit_read_login_records',`
+ gen_require(`
+ type wtmp_t;
+ ')
+
+ dontaudit $1 wtmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to write to
## login records files.
## </summary>
@@ -1395,16 +1538,33 @@
')
optional_policy(`
+ ldap_stream_connect($1)
+ ')
+
+ optional_policy(`
+ kerberos_use($1)
+ ')
+
+ optional_policy(`
nis_use_ypbind($1)
')
optional_policy(`
- nscd_socket_use($1)
+ nscd_use($1)
+ ')
+
+ optional_policy(`
+ nslcd_stream_connect($1)
+ ')
+
+ optional_policy(`
+ sssd_stream_connect($1)
')
optional_policy(`
samba_stream_connect_winbind($1)
samba_read_var_files($1)
+ samba_dontaudit_write_var_files($1)
')
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.5/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/authlogin.te 2009-12-21 13:07:09.000000000 -0500
@@ -103,8 +103,10 @@
fs_dontaudit_getattr_xattr_fs(chkpwd_t)
+term_dontaudit_use_console(chkpwd_t)
term_dontaudit_use_unallocated_ttys(chkpwd_t)
term_dontaudit_use_generic_ptys(chkpwd_t)
+term_dontaudit_use_all_server_ptys(chkpwd_t)
auth_use_nsswitch(chkpwd_t)
@@ -125,9 +127,18 @@
')
optional_policy(`
+ # apache leaks file descriptors
+ apache_dontaudit_rw_tcp_sockets(chkpwd_t)
+')
+
+optional_policy(`
kerberos_use(chkpwd_t)
')
+optional_policy(`
+ nis_authenticate(chkpwd_t)
+')
+
########################################
#
# PAM local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.5/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/fstools.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,4 +1,3 @@
-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -22,7 +21,6 @@
/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.5/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/fstools.te 2009-12-21 13:07:09.000000000 -0500
@@ -118,6 +118,8 @@
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t)
+fs_manage_nfs_files(fsadm_t)
+fs_manage_cifs_files(fsadm_t)
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
@@ -148,8 +150,7 @@
seutil_read_config(fsadm_t)
-userdom_use_user_terminals(fsadm_t)
-userdom_use_unpriv_users_fds(fsadm_t)
+term_use_all_terms(fsadm_t)
ifdef(`distro_redhat',`
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.5/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/init.fc 2009-12-21 13:07:09.000000000 -0500
@@ -4,10 +4,10 @@
/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
-/etc/rc\.d/rc\.sysinit -- gen_context(system_u:object_r:initrc_exec_t,s0)
-/etc/rc\.d/rc\.local -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0)
/etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/sysconfig/network-scripts/ifup-ipsec -- gen_context(system_u:object_r:initrc_exec_t,s0)
/etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -44,6 +44,9 @@
/usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0)
#
# /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.5/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2009-11-12 12:51:51.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/init.if 2009-12-21 13:07:09.000000000 -0500
@@ -162,6 +162,7 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
type initrc_t;
+ type init_t;
role system_r;
attribute daemon;
')
@@ -174,6 +175,11 @@
role system_r types $1;
domtrans_pattern(initrc_t,$2,$1)
+ allow initrc_t $1:process siginh;
+
+ # Handle upstart direct transition to a executable
+ domtrans_pattern(init_t,$2,$1)
+ allow init_t $1:process siginh;
# daemons started from init will
# inherit fds from init for the console
@@ -272,6 +278,7 @@
role system_r types $1;
domtrans_pattern(initrc_t,$2,$1)
+ allow initrc_t $1:process siginh;
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
@@ -280,6 +287,36 @@
kernel_dontaudit_use_fds($1)
')
')
+
+ userdom_dontaudit_search_user_home_dirs($1)
+ userdom_dontaudit_rw_stream($1)
+
+ tunable_policy(`allow_daemons_use_tty',`
+ term_use_all_user_ttys($1)
+ term_use_all_user_ptys($1)
+ ',`
+ term_dontaudit_use_all_user_ttys($1)
+ term_dontaudit_use_all_user_ptys($1)
+ ')
+
+ # these apps are often redirect output to random log files
+ logging_rw_all_logs($1)
+
+ optional_policy(`
+ cron_rw_pipes($1)
+ ')
+
+ optional_policy(`
+ xserver_dontaudit_append_xdm_home_files($1)
+ ')
+
+ optional_policy(`
+ unconfined_dontaudit_rw_pipes($1)
+ unconfined_dontaudit_rw_stream($1)
+ userdom_dontaudit_read_user_tmp_files($1)
+ ')
+
+ init_rw_script_stream_sockets($1)
')
########################################
@@ -546,7 +583,7 @@
# upstart uses a datagram socket instead of initctl pipe
allow $1 self:unix_dgram_socket create_socket_perms;
- allow $1 init_t:unix_dgram_socket sendto;
+ init_chat($1)
')
')
@@ -619,18 +656,19 @@
#
interface(`init_spec_domtrans_script',`
gen_require(`
- type initrc_t, initrc_exec_t;
+ type initrc_t;
+ attribute init_script_file_type;
')
files_list_etc($1)
- spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
+ spec_domtrans_pattern($1, init_script_file_type, initrc_t)
ifdef(`enable_mcs',`
- range_transition $1 initrc_exec_t:process s0;
+ range_transition $1 init_script_file_type:process s0;
')
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
')
')
@@ -646,19 +684,39 @@
#
interface(`init_domtrans_script',`
gen_require(`
- type initrc_t, initrc_exec_t;
+ type initrc_t;
+ attribute init_script_file_type;
')
files_list_etc($1)
- domtrans_pattern($1, initrc_exec_t, initrc_t)
+ domtrans_pattern($1, init_script_file_type, initrc_t)
ifdef(`enable_mcs',`
- range_transition $1 initrc_exec_t:process s0;
+ range_transition $1 init_script_file_type:process s0;
')
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+ ')
+')
+
+########################################
+## <summary>
+## Execute a file in a bin directory
+## in the initrc_t domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
')
+
+ corecmd_bin_domtrans($1, initrc_t)
')
########################################
@@ -923,6 +981,24 @@
allow $1 init_script_file_type:file read_file_perms;
')
+#######################################
+## <summary>
+## Dontaudit read all init script files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dontaudit_init_read_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ dontaudit $1 init_script_file_type:file read_file_perms;
+')
+
########################################
## <summary>
## Execute all init scripts in the caller domain.
@@ -1142,7 +1218,7 @@
type initrc_t;
')
- allow $1 initrc_t:unix_stream_socket { read write };
+ allow $1 initrc_t:unix_stream_socket rw_socket_perms;
')
########################################
@@ -1310,6 +1386,25 @@
########################################
## <summary>
+## Read init script temporary data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_script_tmp_files',`
+ gen_require(`
+ type initrc_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
+')
+
+########################################
+## <summary>
## Create files in a init script
## temporary data directory.
## </summary>
@@ -1540,3 +1635,51 @@
')
corenet_udp_recvfrom_labeled($1, daemon)
')
+
+########################################
+## <summary>
+## Transition to system_r when execute an init script
+## </summary>
+## <desc>
+## <p>
+## Execute a init script in a specified role
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_role">
+## <summary>
+## Role to transition from.
+## </summary>
+## </param>
+#
+interface(`init_script_role_transition',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ role_transition $1 init_script_file_type system_r;
+')
+
+########################################
+## <summary>
+## Send and receive unix_stream_messages with
+## init
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_chat',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:unix_dgram_socket sendto;
+ allow init_t $1:unix_dgram_socket sendto;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.5/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-11-12 12:51:51.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/init.te 2009-12-22 10:22:45.000000000 -0500
@@ -17,6 +17,20 @@
## </desc>
gen_tunable(init_upstart, false)
+## <desc>
+## <p>
+## Allow all daemons the ability to read/write terminals
+## </p>
+## </desc>
+gen_tunable(allow_daemons_use_tty, false)
+
+## <desc>
+## <p>
+## Allow all daemons to write corefiles to /
+## </p>
+## </desc>
+gen_tunable(allow_daemons_dump_core, false)
+
# used for direct running of init scripts
# by admin domains
attribute direct_run_init;
@@ -64,6 +78,7 @@
# of the below init_upstart tunable
# but this has a typeattribute in it
corecmd_shell_entry_type(initrc_t)
+corecmd_bin_entry_type(initrc_t)
type initrc_devpts_t;
term_pty(initrc_devpts_t)
@@ -88,7 +103,7 @@
#
# Use capabilities. old rule:
-allow init_t self:capability ~sys_module;
+allow init_t self:capability ~{ audit_control audit_write sys_module };
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
@@ -101,7 +116,8 @@
# Re-exec itself
can_exec(init_t, init_exec_t)
-allow init_t initrc_t:unix_stream_socket connectto;
+allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms };
+allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms };
# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file manage_file_perms;
@@ -140,6 +156,7 @@
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
+fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@@ -167,6 +184,8 @@
miscfiles_read_localization(init_t)
+allow init_t self:process setsched;
+
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
')
@@ -189,6 +208,18 @@
')
optional_policy(`
+ consolekit_manage_log(init_t)
+')
+
+optional_policy(`
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
+')
+
+optional_policy(`
nscd_socket_use(init_t)
')
@@ -202,9 +233,10 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
-allow initrc_t self:capability ~{ sys_admin sys_module };
+allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
+allow initrc_t self:key manage_key_perms;
# Allow IPC with self
allow initrc_t self:unix_dgram_socket create_socket_perms;
@@ -217,7 +249,8 @@
term_create_pty(initrc_t, initrc_devpts_t)
# Going to single user mode
-init_exec(initrc_t)
+init_telinit(initrc_t)
+init_chat(initrc_t)
can_exec(initrc_t, init_script_file_type)
@@ -230,10 +263,16 @@
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
+files_manage_generic_pids_symlinks(initrc_t)
can_exec(initrc_t, initrc_tmp_t)
-allow initrc_t initrc_tmp_t:file manage_file_perms;
-allow initrc_t initrc_tmp_t:dir manage_dir_perms;
+allow initrc_t initrc_tmp_t:file relabel_file_perms;
+manage_chr_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+manage_blk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+manage_blk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
init_write_initctl(initrc_t)
@@ -246,13 +285,19 @@
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
+kernel_request_load_module(initrc_t)
kernel_rw_all_sysctls(initrc_t)
# for lsof which is used by alsa shutdown:
kernel_dontaudit_getattr_message_if(initrc_t)
+kernel_stream_connect(initrc_t)
+files_read_kernel_modules(initrc_t)
+files_read_config_files(initrc_t)
+files_read_var_lib_symlinks(initrc_t)
+files_setattr_pid_dirs(initrc_t)
files_read_kernel_symbol_table(initrc_t)
-
-corecmd_exec_all_executables(initrc_t)
+files_exec_etc_files(initrc_t)
+files_manage_etc_symlinks(initrc_t)
corenet_all_recvfrom_unlabeled(initrc_t)
corenet_all_recvfrom_netlabel(initrc_t)
@@ -272,16 +317,66 @@
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
+dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
-dev_read_lvm_control(initrc_t)
+dev_rw_lvm_control(initrc_t)
dev_delete_lvm_control_dev(initrc_t)
+dev_delete_null(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
# Wants to remove udev.tbl:
dev_delete_generic_symlinks(initrc_t)
+dev_getattr_all_blk_files(initrc_t)
+dev_getattr_all_chr_files(initrc_t)
+dev_rw_xserver_misc(initrc_t)
+
+fs_list_inotifyfs(initrc_t)
+fs_register_binary_executable_type(initrc_t)
+# rhgb-console writes to ramfs
+fs_write_ramfs_pipes(initrc_t)
+# cjp: not sure why these are here; should use mount policy
+fs_mount_all_fs(initrc_t)
+fs_unmount_all_fs(initrc_t)
+fs_remount_all_fs(initrc_t)
+fs_getattr_all_fs(initrc_t)
+fs_search_all(initrc_t)
+fs_getattr_nfsd_files(initrc_t)
+fs_rw_cgroup_files(initrc_t)
+fs_setattr_cgroup_files(initrc_t)
+fs_manage_cgroup_dirs(initrc_t)
+
+# initrc_t needs to do a pidof which requires ptrace
+mcs_ptrace_all(initrc_t)
+mcs_killall(initrc_t)
+mcs_process_set_categories(initrc_t)
+
+mls_file_read_all_levels(initrc_t)
+mls_file_write_all_levels(initrc_t)
+mls_process_read_up(initrc_t)
+mls_process_write_down(initrc_t)
+mls_rangetrans_source(initrc_t)
+mls_fd_share_all_levels(initrc_t)
+
+selinux_get_enforce_mode(initrc_t)
+
+storage_getattr_fixed_disk_dev(initrc_t)
+storage_setattr_fixed_disk_dev(initrc_t)
+storage_setattr_removable_dev(initrc_t)
+
+term_use_all_terms(initrc_t)
+term_reset_tty_labels(initrc_t)
+
+auth_rw_login_records(initrc_t)
+auth_setattr_login_records(initrc_t)
+auth_rw_lastlog(initrc_t)
+auth_read_pam_pid(initrc_t)
+auth_delete_pam_pid(initrc_t)
+auth_delete_pam_console_data(initrc_t)
+
+corecmd_exec_all_executables(initrc_t)
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
@@ -291,7 +386,7 @@
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-domain_dontaudit_ptrace_all_domains(initrc_t)
+domain_ptrace_all_domains(initrc_t)
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
@@ -306,14 +401,15 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
-files_delete_all_locks(initrc_t)
+files_manage_all_locks(initrc_t)
+files_manage_boot_files(initrc_t)
files_read_all_pids(initrc_t)
+files_delete_root_file(initrc_t)
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
files_manage_etc_runtime_files(initrc_t)
files_etc_filetrans_etc_runtime(initrc_t, file)
-files_manage_generic_locks(initrc_t)
files_exec_etc_files(initrc_t)
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
@@ -324,48 +420,16 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
+files_manage_mnt_dirs(initrc_t)
+files_manage_mnt_files(initrc_t)
-fs_register_binary_executable_type(initrc_t)
-# rhgb-console writes to ramfs
-fs_write_ramfs_pipes(initrc_t)
-# cjp: not sure why these are here; should use mount policy
-fs_mount_all_fs(initrc_t)
-fs_unmount_all_fs(initrc_t)
-fs_remount_all_fs(initrc_t)
-fs_getattr_all_fs(initrc_t)
-
-# initrc_t needs to do a pidof which requires ptrace
-mcs_ptrace_all(initrc_t)
-mcs_killall(initrc_t)
-mcs_process_set_categories(initrc_t)
-
-mls_file_read_all_levels(initrc_t)
-mls_file_write_all_levels(initrc_t)
-mls_process_read_up(initrc_t)
-mls_process_write_down(initrc_t)
-mls_rangetrans_source(initrc_t)
-mls_fd_share_all_levels(initrc_t)
-
-selinux_get_enforce_mode(initrc_t)
-
-storage_getattr_fixed_disk_dev(initrc_t)
-storage_setattr_fixed_disk_dev(initrc_t)
-storage_setattr_removable_dev(initrc_t)
-
-term_use_all_terms(initrc_t)
-term_reset_tty_labels(initrc_t)
-
-auth_rw_login_records(initrc_t)
-auth_setattr_login_records(initrc_t)
-auth_rw_lastlog(initrc_t)
-auth_read_pam_pid(initrc_t)
-auth_delete_pam_pid(initrc_t)
-auth_delete_pam_console_data(initrc_t)
auth_use_nsswitch(initrc_t)
libs_rw_ld_so_cache(initrc_t)
libs_exec_lib_files(initrc_t)
+libs_exec_ld_so(initrc_t)
+logging_send_audit_msgs(initrc_t)
logging_send_syslog_msg(initrc_t)
logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
@@ -374,19 +438,22 @@
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
-miscfiles_read_certs(initrc_t)
+miscfiles_manage_cert_files(initrc_t)
modutils_read_module_config(initrc_t)
modutils_domtrans_insmod(initrc_t)
seutil_read_config(initrc_t)
+userdom_read_admin_home_files(initrc_t)
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
userdom_use_user_terminals(initrc_t)
+usermanage_domtrans_passwd(initrc_t)
+
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
@@ -422,16 +489,12 @@
# init scripts touch this
clock_dontaudit_write_adjtime(initrc_t)
- logging_send_audit_msgs(initrc_t)
-
# for integrated run_init to read run_init_type.
# happens during boot (/sbin/rc execs init scripts)
seutil_read_default_contexts(initrc_t)
# /lib/rcscripts/net/system.sh rewrites resolv.conf :(
- sysnet_create_config(initrc_t)
- sysnet_write_config(initrc_t)
- sysnet_setattr_config(initrc_t)
+ sysnet_manage_config(initrc_t)
optional_policy(`
arpwatch_manage_data_files(initrc_t)
@@ -450,11 +513,9 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
- kernel_dontaudit_use_fds(initrc_t)
+ kernel_use_fds(initrc_t)
files_dontaudit_read_root_files(initrc_t)
- selinux_set_enforce_mode(initrc_t)
-
# These seem to be from the initrd
# during device initialization:
dev_create_generic_dirs(initrc_t)
@@ -464,6 +525,7 @@
storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t)
+ files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
# wants to read /.fonts directory
@@ -492,15 +554,27 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
+ bind_setattr_zone_dirs(initrc_t)
+ ')
+
+ optional_policy(`
+ cgroup_cgrulesengd_rw_pid_sock_file(initrc_t)
+ cgroup_cgrulesengd_stream_connect(initrc_t)
+ ')
+
+ optional_policy(`
+ gnome_manage_gconf_config(initrc_t)
')
optional_policy(`
#for /etc/rc.d/init.d/nfs to create /etc/exports
rpc_write_exports(initrc_t)
+ rpc_manage_nfs_state_data(initrc_t)
')
optional_policy(`
sysnet_rw_dhcp_config(initrc_t)
+ sysnet_manage_config(initrc_t)
')
optional_policy(`
@@ -515,6 +589,33 @@
')
')
+domain_dontaudit_use_interactive_fds(daemon)
+
+userdom_dontaudit_list_admin_dir(daemon)
+
+tunable_policy(`allow_daemons_use_tty',`
+ term_use_unallocated_ttys(daemon)
+ term_use_generic_ptys(daemon)
+ term_use_all_user_ttys(daemon)
+ term_use_all_user_ptys(daemon)
+',`
+ term_dontaudit_use_unallocated_ttys(daemon)
+ term_dontaudit_use_generic_ptys(daemon)
+ term_dontaudit_use_all_user_ttys(daemon)
+ term_dontaudit_use_all_user_ptys(daemon)
+ ')
+
+# system-config-services causes avc messages that should be dontaudited
+tunable_policy(`allow_daemons_dump_core',`
+ files_dump_core(daemon)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(daemon)
+ unconfined_dontaudit_rw_stream(daemon)
+ userdom_dontaudit_read_user_tmp_files(daemon)
+')
+
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
@@ -567,10 +668,19 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
+ dbus_manage_lib_files(initrc_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(initrc_t)
+ ')
optional_policy(`
networkmanager_dbus_chat(initrc_t)
')
+
+ optional_policy(`
+ policykit_dbus_chat(initrc_t)
+ ')
')
optional_policy(`
@@ -590,6 +700,10 @@
')
optional_policy(`
+ hal_write_log(initrc_t)
+')
+
+optional_policy(`
dev_read_usbfs(initrc_t)
# init scripts run /etc/hotplug/usb.rc
@@ -646,20 +760,20 @@
')
optional_policy(`
+ iscsi_stream_connect(initrc_t)
+ iscsi_read_lib_files(initrc_t)
+')
+
+optional_policy(`
mailman_list_data(initrc_t)
mailman_read_data_symlinks(initrc_t)
')
optional_policy(`
mta_read_config(initrc_t)
+ mta_write_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-# cjp: require doesnt work in the else of optionals :\
-# this also would result in a type transition
-# conflict if sendmail is enabled
-#optional_policy(`',`
-# mta_send_mail(initrc_t)
-#')
optional_policy(`
ifdef(`distro_redhat',`
@@ -668,6 +782,7 @@
mysql_stream_connect(initrc_t)
mysql_write_log(initrc_t)
+ mysql_read_config(initrc_t)
')
optional_policy(`
@@ -700,7 +815,6 @@
')
optional_policy(`
- corecmd_shell_entry_type(initrc_t)
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
@@ -722,8 +836,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
- # why is this needed:
- rpm_manage_db(initrc_t)
')
optional_policy(`
@@ -736,13 +848,16 @@
squid_manage_logs(initrc_t)
')
+ifdef(`enabled_mls',`
optional_policy(`
# allow init scripts to su
su_restricted_domain_template(initrc, initrc_t, system_r)
')
+')
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
+ ssh_setattr_key_files(initrc_t)
')
optional_policy(`
@@ -751,6 +866,7 @@
optional_policy(`
udev_rw_db(initrc_t)
+ udev_manage_pid_files(initrc_t)
')
optional_policy(`
@@ -758,6 +874,15 @@
')
optional_policy(`
+ virt_manage_svirt_cache(initrc_t)
+')
+
+# Cron jobs used to start and stop services
+optional_policy(`
+ cron_rw_pipes(daemon)
+')
+
+optional_policy(`
unconfined_domain(initrc_t)
ifdef(`distro_redhat',`
@@ -768,6 +893,21 @@
optional_policy(`
mono_domtrans(initrc_t)
')
+
+ # Allow SELinux aware applications to request rpm_script_t execution
+ rpm_transition_script(initrc_t)
+
+
+ optional_policy(`
+ gen_require(`
+ type unconfined_execmem_t, execmem_exec_t;
+ ')
+ init_system_domain(unconfined_execmem_t, execmem_exec_t)
+ ')
+')
+
+optional_policy(`
+ rpm_delete_db(initrc_t)
')
optional_policy(`
@@ -793,3 +933,31 @@
optional_policy(`
zebra_read_config(initrc_t)
')
+
+userdom_inherit_append_user_home_content_files(daemon)
+userdom_inherit_append_user_tmp_files(daemon)
+userdom_dontaudit_rw_stream(daemon)
+
+logging_append_all_logs(daemon)
+
+optional_policy(`
+ # sudo service restart causes this
+ unconfined_signull(daemon)
+')
+
+
+optional_policy(`
+ xserver_dontaudit_append_xdm_home_files(daemon)
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_rw_nfs_files(daemon)
+ ')
+ tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_rw_cifs_files(daemon)
+ ')
+')
+
+init_rw_script_stream_sockets(daemon)
+
+optional_policy(`
+ fail2ban_read_lib_files(daemon)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.5/policy/modules/system/ipsec.fc
--- nsaserefpolicy/policy/modules/system/ipsec.fc 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/ipsec.fc 2009-12-21 13:07:09.000000000 -0500
@@ -37,6 +37,8 @@
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
+
/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
-/var/run/racoon.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.5/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/ipsec.if 2009-12-21 13:07:09.000000000 -0500
@@ -39,6 +39,25 @@
########################################
## <summary>
+## Connect to racoon using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`ipsec_stream_connect_racoon',`
+ gen_require(`
+ type racoon_t, ipsec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, racoon_t)
+')
+
+########################################
+## <summary>
## Get the attributes of an IPSEC key socket.
## </summary>
## <param name="domain">
@@ -189,50 +208,50 @@
########################################
## <summary>
-## Execute racoon and allow the specified role the domain.
+## Execute setkey in the setkey domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
+## The type of the process performing this action.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`ipsec_run_racoon',`
+interface(`ipsec_domtrans_setkey',`
gen_require(`
- type racoon_t;
+ type setkey_t, setkey_exec_t;
')
- ipsec_domtrans_racoon($1)
- role $2 types racoon_t;
+ domtrans_pattern($1, setkey_exec_t, setkey_t)
')
########################################
## <summary>
-## Execute setkey in the setkey domain.
+## Execute setkey and allow the specified role the domains.
## </summary>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the racoon and setkey domains.
## </summary>
## </param>
+## <rolecap/>
#
-interface(`ipsec_domtrans_setkey',`
+interface(`ipsec_run_setkey',`
gen_require(`
- type setkey_t, setkey_exec_t;
+ type setkey_t;
')
- domtrans_pattern($1, setkey_exec_t, setkey_t)
+ ipsec_domtrans_setkey($1)
+ role $2 types setkey_t;
')
########################################
## <summary>
-## Execute setkey and allow the specified role the domains.
+## Execute racoon and allow the specified role the domains.
## </summary>
## <param name="domain">
## <summary>
@@ -241,16 +260,16 @@
## </param>
## <param name="role">
## <summary>
-## The role to be allowed the racoon and setkey domains.
+## The role to be allowed the racoon and racoon domains.
## </summary>
## </param>
## <rolecap/>
#
-interface(`ipsec_run_setkey',`
+interface(`ipsec_run_racoon',`
gen_require(`
- type setkey_t;
+ type racoon_t;
')
- ipsec_domtrans_setkey($1)
- role $2 types setkey_t;
+ ipsec_domtrans_racoon($1)
+ role $2 types racoon_t;
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.5/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/ipsec.te 2009-12-21 13:07:09.000000000 -0500
@@ -29,9 +29,15 @@
type ipsec_key_file_t;
files_type(ipsec_key_file_t)
+type ipsec_log_t;
+logging_log_file(ipsec_log_t)
+
# Default type for IPSEC SPD entries
type ipsec_spd_t;
+type ipsec_tmp_t;
+files_tmp_file(ipsec_tmp_t)
+
# type for runtime files, including pluto.ctl
type ipsec_var_run_t;
files_pid_file(ipsec_var_run_t)
@@ -66,7 +72,7 @@
# ipsec Local policy
#
-allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
+allow ipsec_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
dontaudit ipsec_t self:capability sys_tty_config;
allow ipsec_t self:process { getcap setcap getsched signal setsched };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
@@ -85,6 +91,10 @@
manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
+manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
+manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
+files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })
+
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file })
@@ -171,8 +181,8 @@
# ipsec_mgmt Local policy
#
-allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
-allow ipsec_mgmt_t self:process { signal setrlimit };
+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap };
+allow ipsec_mgmt_t self:process { signal setrlimit ptrace };
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
@@ -182,6 +192,9 @@
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
+manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
+logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@@ -259,6 +272,7 @@
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
+init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
logging_send_syslog_msg(ipsec_mgmt_t)
@@ -323,6 +337,7 @@
kernel_read_system_state(racoon_t)
kernel_read_network_state(racoon_t)
+kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@@ -362,6 +377,8 @@
sysnet_exec_ifconfig(racoon_t)
+auth_use_pam(racoon_t)
+
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
@@ -380,12 +397,15 @@
read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
+kernel_request_load_module(setkey_t)
+
# allow setkey utility to set contexts on SA's and policy
domain_ipsec_setcontext_all_domains(setkey_t)
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
+init_read_script_tmp_files(setkey_t)
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
@@ -397,3 +417,4 @@
seutil_read_config(setkey_t)
userdom_use_user_terminals(setkey_t)
+userdom_read_user_tmp_files(setkey_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.5/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2009-12-04 09:43:33.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/iptables.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,13 +1,17 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
-
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/etc/sysctl\.conf.* --
+gen_context(system_u:object_r:iptables_conf_t,s0)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.5/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2009-12-04 09:43:33.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/iptables.te 2009-12-21 13:07:09.000000000 -0500
@@ -30,6 +30,7 @@
allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
dontaudit iptables_t self:capability sys_tty_config;
+allow iptables_t self:fifo_file rw_file_perms;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:rawip_socket create_socket_perms;
@@ -63,6 +64,7 @@
mls_file_read_all_levels(iptables_t)
term_dontaudit_use_console(iptables_t)
+term_use_all_terms(iptables_t)
domain_use_interactive_fds(iptables_t)
@@ -89,6 +91,7 @@
optional_policy(`
fail2ban_append_log(iptables_t)
+ fail2ban_dontaudit_leaks(iptables_t)
')
optional_policy(`
@@ -122,5 +125,10 @@
')
optional_policy(`
+ shorewall_rw_var_lib(iptables_t)
+')
+
+optional_policy(`
udev_read_db(iptables_t)
')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.5/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/iscsi.te 2009-12-21 13:07:09.000000000 -0500
@@ -69,11 +69,18 @@
dev_rw_sysfs(iscsid_t)
domain_use_interactive_fds(iscsid_t)
+domain_dontaudit_read_all_domains_state(iscsid_t)
files_read_etc_files(iscsid_t)
+init_stream_connect_script(iscsid_t)
+
logging_send_syslog_msg(iscsid_t)
auth_use_nsswitch(iscsid_t)
miscfiles_read_localization(iscsid_t)
+
+optional_policy(`
+ tgtd_rw_semaphores(iscsid_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.7.5/policy/modules/system/kdump.te
--- nsaserefpolicy/policy/modules/system/kdump.te 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/kdump.te 2009-12-21 13:07:09.000000000 -0500
@@ -35,3 +35,5 @@
dev_read_sysfs(kdump_t)
term_use_console(kdump_t)
+
+permissive kdump_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.5/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/libraries.fc 2009-12-22 08:51:29.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
#
+/opt/.*\.so gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
+/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
+
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
@@ -73,7 +76,6 @@
/opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
/opt/netscape/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/RealPlayer/codecs(/.*)? gen_context(system_u:object_r:lib_t,s0)
/opt/RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0)
@@ -82,14 +84,18 @@
/opt/RealPlayer/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
')
+/opt/Komodo-Edit-5/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
ifdef(`distro_redhat',`
/opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/Adobe/Reader8/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
/opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/cx.*/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/ibm/java.*/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
')
@@ -103,6 +109,7 @@
#
/usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
@@ -115,27 +122,43 @@
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/cedega/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -143,14 +166,13 @@
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_debian',`
/usr/lib32 -l gen_context(system_u:object_r:lib_t,s0)
@@ -168,12 +190,14 @@
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
-/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -185,15 +209,10 @@
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/X11R6/lib/libOSMesa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -228,31 +247,18 @@
/usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-/usr/lib(64)?.*/libmpg123\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-# Flash plugin, Macromedia
-HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -267,9 +273,10 @@
/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware/lib(/.*)?/libvmware-gksu.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-# RPM Fusion, refpolicy ticket #48
-/usr/lib(64)?/libavfilter.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/(virtualbox(-ose)?/)?(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/virtualbox/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Java, Sun Microsystems (JPackage SRPM)
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -295,6 +302,8 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0)
+/usr/lib64/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0)
') dnl end distro_redhat
#
@@ -307,10 +316,111 @@
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
+/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
+
ifdef(`distro_suse',`
/var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
')
+/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
+
+/usr/lib(64)?/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/altera9.1/quartus/linux/libccl_err\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0)
+
+/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/oracle(64)?/.*/lib/libclntsh\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+
+/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/local/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libav.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/libADM5avformat\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libADM_coreImage\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ifdef(`fixed',`
+/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+# Flash plugin, Macromedia
+HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+')
+/opt/VBoxGuestAdditions.*/lib/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/nmm/liba52\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.5/policy/modules/system/libraries.if
--- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/libraries.if 2009-12-21 13:07:09.000000000 -0500
@@ -17,6 +17,7 @@
corecmd_search_bin($1)
domtrans_pattern($1, ldconfig_exec_t, ldconfig_t)
+ allow $1 ldconfig_t:process noatsecure;
')
########################################
@@ -247,7 +248,7 @@
type lib_t;
')
- files_search_usr($1)
+ files_list_usr($1)
list_dirs_pattern($1, lib_t, lib_t)
read_files_pattern($1, lib_t, lib_t)
read_lnk_files_pattern($1, lib_t, lib_t)
@@ -401,7 +402,7 @@
type lib_t, textrel_shlib_t;
')
- files_list_usr($1)
+ files_search_usr($1)
allow $1 lib_t:dir list_dir_perms;
read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.5/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/libraries.te 2009-12-21 13:07:09.000000000 -0500
@@ -58,11 +58,11 @@
# ldconfig local policy
#
-allow ldconfig_t self:capability sys_chroot;
+allow ldconfig_t self:capability { dac_override sys_chroot };
manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
-allow ldconfig_t ld_so_cache_t:file manage_file_perms;
+manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t)
files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
@@ -76,21 +76,27 @@
fs_getattr_xattr_fs(ldconfig_t)
+corecmd_search_bin(ldconfig_t)
+
domain_use_interactive_fds(ldconfig_t)
+files_search_home(ldconfig_t)
files_search_var_lib(ldconfig_t)
files_read_etc_files(ldconfig_t)
+files_read_usr_files(ldconfig_t)
files_search_tmp(ldconfig_t)
files_search_usr(ldconfig_t)
# for when /etc/ld.so.cache is mislabeled:
files_delete_etc_files(ldconfig_t)
init_use_script_ptys(ldconfig_t)
+init_read_script_tmp_files(ldconfig_t)
miscfiles_read_localization(ldconfig_t)
logging_send_syslog_msg(ldconfig_t)
+term_use_console(ldconfig_t)
userdom_use_user_terminals(ldconfig_t)
userdom_use_all_users_fds(ldconfig_t)
@@ -100,6 +106,10 @@
')
')
+userdom_manage_user_home_content_files(ldconfig_t)
+userdom_manage_user_tmp_files(ldconfig_t)
+userdom_manage_user_tmp_symlinks(ldconfig_t)
+
ifdef(`hide_broken_symptoms',`
optional_policy(`
unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
@@ -127,3 +137,7 @@
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
')
+
+optional_policy(`
+ unconfined_domain(ldconfig_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.5/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/locallogin.te 2009-12-21 13:07:09.000000000 -0500
@@ -33,7 +33,7 @@
# Local login local policy
#
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow local_login_t self:process { setrlimit setexec };
allow local_login_t self:fd use;
@@ -74,6 +74,7 @@
dev_setattr_power_mgmt_dev(local_login_t)
dev_getattr_sound_dev(local_login_t)
dev_setattr_sound_dev(local_login_t)
+dev_rw_generic_usb_dev(local_login_t)
dev_dontaudit_getattr_apm_bios_dev(local_login_t)
dev_dontaudit_setattr_apm_bios_dev(local_login_t)
dev_dontaudit_read_framebuffer(local_login_t)
@@ -152,6 +153,11 @@
fs_read_cifs_symlinks(local_login_t)
')
+tunable_policy(`allow_console_login',`
+ term_relabel_console(local_login_t)
+ term_setattr_console(local_login_t)
+')
+
optional_policy(`
alsa_domtrans(local_login_t)
')
@@ -181,7 +187,7 @@
')
optional_policy(`
- unconfined_domain(local_login_t)
+ unconfined_shell_domtrans(local_login_t)
')
optional_policy(`
@@ -198,6 +204,7 @@
# Sulogin local policy
#
+allow sulogin_t self:capability dac_override;
allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sulogin_t self:fd use;
allow sulogin_t self:fifo_file rw_file_perms;
@@ -220,6 +227,7 @@
files_dontaudit_search_isid_type_dirs(sulogin_t)
auth_read_shadow(sulogin_t)
+auth_use_nsswitch(sulogin_t)
init_getpgid_script(sulogin_t)
@@ -233,11 +241,21 @@
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
+ifdef(`enable_mls',`
sysadm_shell_domtrans(sulogin_t)
+',`
+ optional_policy(`
+ unconfined_shell_domtrans(sulogin_t)
+ ')
+')
# suse and debian do not use pam with sulogin...
ifdef(`distro_suse', `define(`sulogin_no_pam')')
ifdef(`distro_debian', `define(`sulogin_no_pam')')
+ifdef(`distro_redhat',`
+ define(`sulogin_no_pam')
+ selinux_compute_user_contexts(sulogin_t)
+')
ifdef(`sulogin_no_pam', `
allow sulogin_t self:capability sys_tty_config;
@@ -251,11 +269,3 @@
selinux_compute_relabel_context(sulogin_t)
selinux_compute_user_contexts(sulogin_t)
')
-
-optional_policy(`
- nis_use_ypbind(sulogin_t)
-')
-
-optional_policy(`
- nscd_socket_use(sulogin_t)
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.5/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/logging.fc 2009-12-21 13:07:09.000000000 -0500
@@ -51,17 +51,21 @@
ifdef(`distro_redhat',`
/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
+/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
')
-/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
-/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0)
-/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
-/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
+/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
+/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh)
+/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
+/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
/var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
/var/run/log -s gen_context(system_u:object_r:devlog_t,s0)
/var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
+/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0)
+/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.5/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2009-08-28 14:58:20.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/logging.if 2009-12-21 13:07:09.000000000 -0500
@@ -69,6 +69,20 @@
########################################
## <summary>
+## Set tty auditing
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_set_tty_audit',`
+ allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_tty_audit };
+')
+
+########################################
+## <summary>
## Set up audit
## </summary>
## <param name="domain">
@@ -624,7 +638,7 @@
')
files_search_var($1)
- append_files_pattern($1, var_log_t, logfile)
+ append_files_pattern($1, logfile, logfile)
')
########################################
@@ -707,7 +721,9 @@
files_search_var($1)
manage_files_pattern($1, logfile, logfile)
- read_lnk_files_pattern($1, logfile, logfile)
+ manage_lnk_files_pattern($1, logfile, logfile)
+ allow $1 logfile:dir { relabelfrom relabelto };
+ allow $1 logfile:file { relabelfrom relabelto };
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.5/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/logging.te 2009-12-21 13:07:09.000000000 -0500
@@ -123,10 +123,10 @@
allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
dontaudit auditd_t self:capability sys_tty_config;
-allow auditd_t self:process { signal_perms setpgid setsched };
+allow auditd_t self:process { getcap signal_perms setcap setpgid setsched };
allow auditd_t self:file rw_file_perms;
allow auditd_t self:unix_dgram_socket create_socket_perms;
-allow auditd_t self:fifo_file rw_file_perms;
+allow auditd_t self:fifo_file rw_fifo_file_perms;
allow auditd_t self:tcp_socket create_stream_socket_perms;
allow auditd_t auditd_etc_t:dir list_dir_perms;
@@ -179,6 +179,8 @@
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
+auth_use_nsswitch(auditd_t)
+
miscfiles_read_localization(auditd_t)
mls_file_read_all_levels(auditd_t)
@@ -215,9 +217,9 @@
# audit dispatcher local policy
#
-allow audisp_t self:capability sys_nice;
-allow audisp_t self:process setsched;
-allow audisp_t self:fifo_file rw_file_perms;
+allow audisp_t self:capability { dac_override setpcap sys_nice };
+allow audisp_t self:process { getcap signal_perms setcap setsched };
+allow audisp_t self:fifo_file rw_fifo_file_perms;
allow audisp_t self:unix_stream_socket create_stream_socket_perms;
allow audisp_t self:unix_dgram_socket create_socket_perms;
@@ -226,13 +228,18 @@
manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
-corecmd_search_bin(audisp_t)
+corecmd_exec_bin(audisp_t)
+corecmd_exec_shell(audisp_t)
domain_use_interactive_fds(audisp_t)
files_read_etc_files(audisp_t)
+files_read_etc_runtime_files(audisp_t)
mls_file_write_all_levels(audisp_t)
+mls_dbus_send_all_levels(audisp_t)
+
+auth_use_nsswitch(audisp_t)
logging_send_syslog_msg(audisp_t)
@@ -240,6 +247,14 @@
sysnet_dns_name_resolve(audisp_t)
+optional_policy(`
+ dbus_system_bus_client(audisp_t)
+
+ optional_policy(`
+ setroubleshoot_dbus_chat(audisp_t)
+ ')
+')
+
########################################
#
# Audit remote logger local policy
@@ -253,11 +268,16 @@
corenet_tcp_sendrecv_generic_node(audisp_remote_t)
corenet_tcp_connect_audit_port(audisp_remote_t)
corenet_sendrecv_audit_client_packets(audisp_remote_t)
+corenet_tcp_bind_audit_port(audisp_remote_t)
+corenet_tcp_sendrecv_all_ports(audisp_remote_t)
+corenet_tcp_bind_generic_node(audisp_remote_t)
files_read_etc_files(audisp_remote_t)
logging_send_syslog_msg(audisp_remote_t)
+auth_use_nsswitch(audisp_remote_t)
+
miscfiles_read_localization(audisp_remote_t)
sysnet_dns_name_resolve(audisp_remote_t)
@@ -337,7 +357,7 @@
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
allow syslogd_t self:unix_dgram_socket sendto;
-allow syslogd_t self:fifo_file rw_file_perms;
+allow syslogd_t self:fifo_file rw_fifo_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
@@ -461,6 +481,10 @@
')
optional_policy(`
+ bind_search_cache(syslogd_t)
+')
+
+optional_policy(`
inn_manage_log(syslogd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.5/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/lvm.te 2009-12-21 13:07:09.000000000 -0500
@@ -142,6 +142,10 @@
')
optional_policy(`
+ aisexec_stream_connect(clvmd_t)
+')
+
+optional_policy(`
ccs_stream_connect(clvmd_t)
')
@@ -244,6 +248,7 @@
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
+dev_rw_generic_files(lvm_t)
domain_use_interactive_fds(lvm_t)
domain_read_all_domains_state(lvm_t)
@@ -253,6 +258,7 @@
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(lvm_t)
+files_dontaudit_getattr_tmpfs_files(lvm_t)
fs_getattr_xattr_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
@@ -311,6 +317,10 @@
')
optional_policy(`
+ aisexec_stream_connect(lvm_t)
+')
+
+optional_policy(`
bootloader_rw_tmp_files(lvm_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.5/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/miscfiles.fc 2009-12-21 17:46:12.000000000 -0500
@@ -42,6 +42,7 @@
/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
/usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
/usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
/usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
@@ -70,7 +71,7 @@
/var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
-/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.5/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/miscfiles.if 2009-12-22 12:15:10.000000000 -0500
@@ -73,7 +73,8 @@
#
interface(`miscfiles_read_fonts',`
gen_require(`
- type fonts_t;
+ type fonts_t, fonts_cache_t;
+
')
# cjp: fonts can be in either of these dirs
@@ -83,6 +84,10 @@
allow $1 fonts_t:dir list_dir_perms;
read_files_pattern($1, fonts_t, fonts_t)
read_lnk_files_pattern($1, fonts_t, fonts_t)
+
+ allow $1 fonts_cache_t:dir list_dir_perms;
+ read_files_pattern($1, fonts_cache_t, fonts_cache_t)
+ read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
')
########################################
@@ -167,6 +172,32 @@
manage_dirs_pattern($1, fonts_t, fonts_t)
manage_files_pattern($1, fonts_t, fonts_t)
manage_lnk_files_pattern($1, fonts_t, fonts_t)
+ miscfiles_manage_fonts_cache($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete fonts cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_manage_fonts_cache',`
+ gen_require(`
+ type fonts_t;
+ ')
+
+ # cjp: fonts can be in either of these dirs
+ files_search_usr($1)
+ libs_search_lib($1)
+
+ manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t)
+ manage_files_pattern($1, fonts_cache_t, fonts_cache_t)
+ manage_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.7.5/policy/modules/system/miscfiles.te
--- nsaserefpolicy/policy/modules/system/miscfiles.te 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/miscfiles.te 2009-12-21 17:45:47.000000000 -0500
@@ -19,6 +19,9 @@
type fonts_t;
files_type(fonts_t)
+type fonts_cache_t;
+files_type(fonts_cache_t)
+
#
# type for /usr/share/hwdata
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.5/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2009-12-04 09:43:33.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/modutils.te 2009-12-21 13:07:09.000000000 -0500
@@ -19,6 +19,7 @@
type insmod_exec_t;
application_domain(insmod_t, insmod_exec_t)
mls_file_write_all_levels(insmod_t)
+mls_process_write_down(insmod_t)
role system_r types insmod_t;
# module loading config
@@ -56,12 +57,14 @@
domain_use_interactive_fds(depmod_t)
+files_delete_kernel_modules(depmod_t)
files_read_kernel_symbol_table(depmod_t)
files_read_kernel_modules(depmod_t)
files_read_etc_runtime_files(depmod_t)
files_read_etc_files(depmod_t)
files_read_usr_src_files(depmod_t)
files_list_usr(depmod_t)
+files_read_boot_files(depmod_t)
fs_getattr_xattr_fs(depmod_t)
@@ -75,6 +78,7 @@
# Read System.map from home directories.
files_list_home(depmod_t)
userdom_read_user_home_content_files(depmod_t)
+userdom_manage_user_tmp_files(depmod_t)
ifdef(`distro_ubuntu',`
optional_policy(`
@@ -105,7 +109,7 @@
# insmod local policy
#
-allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
+allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config };
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
allow insmod_t self:udp_socket create_socket_perms;
@@ -143,6 +147,7 @@
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
+dev_create_generic_chr_files(insmod_t)
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
@@ -160,11 +165,15 @@
files_write_kernel_modules(insmod_t)
fs_getattr_xattr_fs(insmod_t)
+fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
+fs_mount_rpc_pipefs(insmod_t)
init_rw_initctl(insmod_t)
init_use_fds(insmod_t)
init_use_script_fds(insmod_t)
init_use_script_ptys(insmod_t)
+init_spec_domtrans_script(insmod_t)
+init_rw_script_tmp_files(insmod_t)
logging_send_syslog_msg(insmod_t)
logging_search_logs(insmod_t)
@@ -173,10 +182,13 @@
seutil_read_file_contexts(insmod_t)
-userdom_use_user_terminals(insmod_t)
-
+term_use_all_terms(insmod_t)
userdom_dontaudit_search_user_home_dirs(insmod_t)
+optional_policy(`
+ unconfined_domain(insmod_t)
+')
+
if( ! secure_mode_insmod ) {
kernel_domtrans_to(insmod_t, insmod_exec_t)
}
@@ -230,7 +242,7 @@
')
optional_policy(`
- unconfined_domain(insmod_t)
+ unconfined_dontaudit_rw_pipes(insmod_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.5/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/mount.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,4 +1,9 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
+/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.5/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2009-07-29 15:15:33.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/mount.if 2009-12-22 09:40:26.000000000 -0500
@@ -16,6 +16,7 @@
')
domtrans_pattern($1, mount_exec_t, mount_t)
+ mount_domtrans_fusermount($1)
')
########################################
@@ -84,9 +85,11 @@
interface(`mount_signal',`
gen_require(`
type mount_t;
+ type unconfined_mount_t;
')
allow $1 mount_t:process signal;
+ allow $1 unconfined_mount_t:process signal;
')
########################################
@@ -177,3 +180,57 @@
mount_domtrans_unconfined($1)
role $2 types unconfined_mount_t;
')
+
+########################################
+## <summary>
+## Execute fusermount in the mount domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`mount_domtrans_fusermount',`
+ gen_require(`
+ type mount_t, fusermount_exec_t;
+ ')
+
+ domtrans_pattern($1, fusermount_exec_t, mount_t)
+')
+
+########################################
+## <summary>
+## Execute fusermount.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`mount_exec_fusermount',`
+ gen_require(`
+ type fusermount_exec_t;
+ ')
+
+ can_exec($1, fusermount_exec_t)
+')
+
+########################################
+## <summary>
+## dontaudit Execute fusermount.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`mount_dontaudit_exec_fusermount',`
+ gen_require(`
+ type fusermount_exec_t;
+ ')
+
+ dontaudit $1 fusermount_exec_t:file exec_file_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.5/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/mount.te 2009-12-21 13:07:09.000000000 -0500
@@ -18,8 +18,15 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
+type fusermount_exec_t;
+domain_entry_file(mount_t, fusermount_exec_t)
+
+typealias mount_t alias mount_ntfs_t;
+typealias mount_exec_t alias mount_ntfs_exec_t;
+
type mount_loopback_t; # customizable
files_type(mount_loopback_t)
+typealias mount_loopback_t alias mount_loop_t;
type mount_tmp_t;
files_tmp_file(mount_tmp_t)
@@ -29,6 +36,10 @@
# policy--duplicate type declaration
type unconfined_mount_t;
application_domain(unconfined_mount_t, mount_exec_t)
+role system_r types unconfined_mount_t;
+
+type mount_var_run_t;
+files_pid_file(mount_var_run_t)
########################################
#
@@ -36,7 +47,11 @@
#
# setuid/setgid needed to mount cifs
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:process { getsched ptrace signal };
+allow mount_t self:fifo_file rw_fifo_file_perms;
+allow mount_t self:unix_stream_socket create_stream_socket_perms;
+allow mount_t self:unix_dgram_socket create_socket_perms;
allow mount_t mount_loopback_t:file read_file_perms;
@@ -47,21 +62,38 @@
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
+manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
+manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
+files_pid_filetrans(mount_t,mount_var_run_t,dir)
+files_var_filetrans(mount_t,mount_var_run_t,dir)
+
+# In order to mount reiserfs_t
+kernel_dontaudit_getattr_core_if(mount_t)
+kernel_list_unlabeled(mount_t)
+kernel_mount_unlabeled(mount_t)
kernel_read_system_state(mount_t)
+kernel_read_network_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
-kernel_dontaudit_getattr_core_if(mount_t)
+kernel_search_debugfs(mount_t)
+kernel_setsched(mount_t)
+kernel_use_fds(mount_t)
+kernel_request_load_module(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
+dev_read_usbfs(mount_t)
+dev_read_rand(mount_t)
+dev_read_sysfs(mount_t)
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
dev_getattr_sound_dev(mount_t)
domain_use_interactive_fds(mount_t)
+domain_dontaudit_search_all_domains_state(mount_t)
files_search_all(mount_t)
files_read_etc_files(mount_t)
@@ -70,7 +102,7 @@
files_mounton_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
# These rules need to be generalized. Only admin, initrc should have it:
-files_relabelto_all_file_type_fs(mount_t)
+files_relabel_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
@@ -80,15 +112,18 @@
files_read_usr_files(mount_t)
files_list_mnt(mount_t)
-fs_getattr_xattr_fs(mount_t)
-fs_getattr_cifs(mount_t)
+fs_list_all(mount_t)
+fs_getattr_all_fs(mount_t)
fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
fs_relabelfrom_all_fs(mount_t)
-fs_list_auto_mountpoints(mount_t)
+fs_rw_anon_inodefs_files(mount_t)
fs_rw_tmpfs_chr_files(mount_t)
+fs_manage_tmpfs_dirs(mount_t)
fs_read_tmpfs_symlinks(mount_t)
+fs_read_fusefs_files(mount_t)
+fs_manage_nfs_dirs(mount_t)
mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)
@@ -99,6 +134,7 @@
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
+storage_rw_fuse(mount_t)
term_use_all_terms(mount_t)
@@ -107,6 +143,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
+init_stream_connect_script(mount_t)
+init_rw_script_stream_sockets(mount_t)
logging_send_syslog_msg(mount_t)
@@ -117,6 +155,7 @@
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
+userdom_manage_user_home_content_dirs(mount_t)
ifdef(`distro_redhat',`
optional_policy(`
@@ -132,6 +171,10 @@
')
')
+corecmd_exec_shell(mount_t)
+
+modutils_domtrans_insmod(mount_t)
+
tunable_policy(`allow_mount_anyfile',`
auth_read_all_dirs_except_shadow(mount_t)
auth_read_all_files_except_shadow(mount_t)
@@ -165,6 +208,8 @@
fs_search_rpc(mount_t)
rpc_stub(mount_t)
+
+ rpc_domtrans_rpcd(mount_t)
')
optional_policy(`
@@ -172,6 +217,25 @@
')
optional_policy(`
+ cron_system_entry(mount_t, mount_exec_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(mount_t)
+
+ optional_policy(`
+ hal_dbus_chat(mount_t)
+ ')
+')
+
+
+optional_policy(`
+ hal_write_log(mount_t)
+ hal_use_fds(mount_t)
+ hal_dontaudit_rw_pipes(mount_t)
+')
+
+optional_policy(`
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
@@ -179,6 +243,11 @@
')
')
+# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
+optional_policy(`
+ lvm_domtrans(mount_t)
+')
+
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
@@ -186,6 +255,7 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
+ samba_read_config(mount_t)
')
########################################
@@ -195,5 +265,8 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
- unconfined_domain(unconfined_mount_t)
+ unconfined_domain_noaudit(unconfined_mount_t)
+
+ rpc_domtrans_rpcd(unconfined_mount_t)
')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.5/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/raid.te 2009-12-21 13:07:09.000000000 -0500
@@ -51,11 +51,13 @@
dev_dontaudit_getattr_generic_chr_files(mdadm_t)
dev_dontaudit_getattr_generic_blk_files(mdadm_t)
dev_read_realtime_clock(mdadm_t)
+dev_read_raw_memory(mdadm_t)
domain_use_interactive_fds(mdadm_t)
files_read_etc_files(mdadm_t)
files_read_etc_runtime_files(mdadm_t)
+files_dontaudit_getattr_tmpfs_files(mdadm_t)
fs_search_auto_mountpoints(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.5/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/selinuxutil.fc 2009-12-21 13:07:09.000000000 -0500
@@ -6,13 +6,13 @@
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
-/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
-/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s0)
#
# /root
@@ -38,11 +38,20 @@
/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
-/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0)
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/share/system-config-selinux/system-config-selinux-dbus\.py -- gen_context(system_u:object_r:semanage_exec_t,s0)
#
# /var/run
#
/var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
+
+#
+# /var/lib
+#
+/var/lib/selinux(/.*)? gen_context(system_u:object_r:selinux_var_lib_t,s0)
+
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.5/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/selinuxutil.if 2009-12-21 13:07:09.000000000 -0500
@@ -351,6 +351,27 @@
########################################
## <summary>
+## Execute restorecond in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_exec_restorecond',`
+ gen_require(`
+ type restorecond_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ can_exec($1, restorecond_exec_t)
+')
+
+########################################
+## <summary>
## Execute run_init in the run_init domain.
## </summary>
## <param name="domain">
@@ -535,6 +556,53 @@
########################################
## <summary>
+## Execute setfiles in the setfiles domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_domtrans_setfiles_mac',`
+ gen_require(`
+ type setfiles_mac_t, setfiles_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t)
+')
+
+########################################
+## <summary>
+## Execute setfiles in the setfiles_mac domain, and
+## allow the specified role the setfiles_mac domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the setfiles_mac domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_run_setfiles_mac',`
+ gen_require(`
+ type setfiles_mac_t;
+ ')
+
+ seutil_domtrans_setfiles_mac($1)
+ role $2 types setfiles_mac_t;
+')
+
+########################################
+## <summary>
## Execute setfiles in the caller domain.
## </summary>
## <param name="domain">
@@ -680,6 +748,7 @@
')
files_search_etc($1)
+ manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
manage_files_pattern($1, selinux_config_t, selinux_config_t)
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
')
@@ -999,6 +1068,26 @@
########################################
## <summary>
+## Execute a domain transition to run setsebool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`seutil_domtrans_setsebool',`
+ gen_require(`
+ type setsebool_t, setsebool_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, setsebool_exec_t, setsebool_t)
+')
+
+########################################
+## <summary>
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
@@ -1010,7 +1099,7 @@
## </param>
## <param name="role">
## <summary>
-## The role to be allowed the checkpolicy domain.
+## The role to be allowed the semanage domain.
## </summary>
## </param>
## <rolecap/>
@@ -1028,6 +1117,33 @@
########################################
## <summary>
+## Execute setsebool in the semanage domain, and
+## allow the specified role the semanage domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the setsebool domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_run_setsebool',`
+ gen_require(`
+ type semanage_t;
+ ')
+
+ seutil_domtrans_setsebool($1)
+ role $2 types setsebool_t;
+')
+
+########################################
+## <summary>
## Full management of the semanage
## module store.
## </summary>
@@ -1139,3 +1255,194 @@
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
+
+#######################################
+## <summary>
+## All rules necessary to run semanage command
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_semanage_policy',`
+ gen_require(`
+ type semanage_tmp_t;
+ type policy_config_t;
+ ')
+ allow $1 self:capability { dac_override sys_resource };
+ dontaudit $1 self:capability sys_tty_config;
+ allow $1 self:process signal;
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ logging_send_audit_msgs($1)
+
+ # Running genhomedircon requires this for finding all users
+ auth_use_nsswitch($1)
+
+ allow $1 policy_config_t:file { read write };
+
+ allow $1 semanage_tmp_t:dir manage_dir_perms;
+ allow $1 semanage_tmp_t:file manage_file_perms;
+ files_tmp_filetrans($1, semanage_tmp_t, { file dir })
+
+ kernel_read_system_state($1)
+ kernel_read_kernel_sysctls($1)
+
+ corecmd_exec_bin($1)
+ corecmd_exec_shell($1)
+
+ dev_read_urand($1)
+
+ domain_use_interactive_fds($1)
+
+ files_read_etc_files($1)
+ files_read_etc_runtime_files($1)
+ files_read_usr_files($1)
+ files_list_pids($1)
+ fs_list_inotifyfs($1)
+ fs_getattr_all_fs($1)
+
+ mls_file_write_all_levels($1)
+ mls_file_read_all_levels($1)
+
+ selinux_getattr_fs($1)
+ selinux_validate_context($1)
+ selinux_get_enforce_mode($1)
+
+ term_use_all_terms($1)
+
+ locallogin_use_fds($1)
+
+ logging_send_syslog_msg($1)
+
+ miscfiles_read_localization($1)
+
+ seutil_search_default_contexts($1)
+ seutil_domtrans_loadpolicy($1)
+ seutil_read_config($1)
+ seutil_manage_bin_policy($1)
+ seutil_use_newrole_fds($1)
+ seutil_manage_module_store($1)
+ seutil_get_semanage_trans_lock($1)
+ seutil_get_semanage_read_lock($1)
+
+ userdom_dontaudit_write_user_home_content_files($1)
+
+')
+
+
+#######################################
+## <summary>
+## All rules necessary to run setfiles command
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_setfiles',`
+
+allow $1 self:capability { dac_override dac_read_search fowner };
+dontaudit $1 self:capability sys_tty_config;
+allow $1 self:fifo_file rw_file_perms;
+dontaudit $1 self:dir relabelfrom;
+dontaudit $1 self:file relabelfrom;
+dontaudit $1 self:lnk_file relabelfrom;
+
+
+allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
+allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
+allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
+
+logging_send_audit_msgs($1)
+
+kernel_read_system_state($1)
+kernel_relabelfrom_unlabeled_dirs($1)
+kernel_relabelfrom_unlabeled_files($1)
+kernel_relabelfrom_unlabeled_symlinks($1)
+kernel_relabelfrom_unlabeled_pipes($1)
+kernel_relabelfrom_unlabeled_sockets($1)
+kernel_use_fds($1)
+kernel_rw_pipes($1)
+kernel_rw_unix_dgram_sockets($1)
+kernel_dontaudit_list_all_proc($1)
+kernel_read_all_sysctls($1)
+kernel_read_network_state_symlinks($1)
+
+dev_relabel_all_dev_nodes($1)
+
+domain_use_interactive_fds($1)
+domain_read_all_domains_state($1)
+
+files_read_etc_runtime_files($1)
+files_read_etc_files($1)
+files_list_all($1)
+files_relabel_all_files($1)
+files_list_isid_type_dirs($1)
+files_read_isid_type_files($1)
+files_dontaudit_read_all_symlinks($1)
+
+fs_getattr_xattr_fs($1)
+fs_list_all($1)
+fs_getattr_all_files($1)
+fs_search_auto_mountpoints($1)
+fs_relabelfrom_noxattr_fs($1)
+
+mls_file_read_all_levels($1)
+mls_file_write_all_levels($1)
+mls_file_upgrade($1)
+mls_file_downgrade($1)
+
+selinux_validate_context($1)
+selinux_compute_access_vector($1)
+selinux_compute_create_context($1)
+selinux_compute_relabel_context($1)
+selinux_compute_user_contexts($1)
+
+term_use_all_terms($1)
+
+# this is to satisfy the assertion:
+auth_relabelto_shadow($1)
+
+init_use_fds($1)
+init_use_script_fds($1)
+init_use_script_ptys($1)
+init_exec_script_files($1)
+
+logging_send_syslog_msg($1)
+
+miscfiles_read_localization($1)
+
+seutil_libselinux_linked($1)
+
+userdom_use_all_users_fds($1)
+# for config files in a home directory
+userdom_read_user_home_content_files($1)
+
+ifdef(`distro_debian',`
+ # udev tmpfs is populated with static device nodes
+ # and then relabeled afterwards; thus
+ # /dev/console has the tmpfs type
+ fs_rw_tmpfs_chr_files($1)
+')
+
+ifdef(`distro_redhat',`
+ fs_rw_tmpfs_chr_files($1)
+ fs_rw_tmpfs_blk_files($1)
+ fs_relabel_tmpfs_blk_file($1)
+ fs_relabel_tmpfs_chr_file($1)
+')
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain($1)
+ ')
+')
+
+optional_policy(`
+ hotplug_use_fds($1)
+')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.5/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/selinuxutil.te 2009-12-21 13:07:09.000000000 -0500
@@ -23,6 +23,9 @@
type selinux_config_t;
files_type(selinux_config_t)
+type selinux_var_lib_t;
+files_type(selinux_var_lib_t)
+
type checkpolicy_t, can_write_binary_policy;
type checkpolicy_exec_t;
application_domain(checkpolicy_t, checkpolicy_exec_t)
@@ -58,8 +61,9 @@
# policy_config_t is the type of /etc/security/selinux/*
# the security server policy configuration.
#
-type policy_config_t;
-files_type(policy_config_t)
+#type policy_config_t;
+#files_type(policy_config_t)
+typealias semanage_store_t alias policy_config_t;
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
#neverallow ~can_write_binary_policy policy_config_t:file { write append };
@@ -75,7 +79,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t, restorecond_exec_t)
domain_obj_id_change_exemption(restorecond_t)
-role system_r types restorecond_t;
type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t)
@@ -89,9 +92,14 @@
type semanage_t;
type semanage_exec_t;
application_domain(semanage_t, semanage_exec_t)
+dbus_system_domain(semanage_t, semanage_exec_t)
domain_interactive_fd(semanage_t)
role system_r types semanage_t;
+type setsebool_t;
+type setsebool_exec_t;
+init_system_domain(setsebool_t, setsebool_exec_t)
+
type semanage_store_t;
files_type(semanage_store_t)
@@ -109,6 +117,11 @@
init_system_domain(setfiles_t, setfiles_exec_t)
domain_obj_id_change_exemption(setfiles_t)
+type setfiles_mac_t;
+domain_type(setfiles_mac_t)
+domain_entry_file(setfiles_mac_t, setfiles_exec_t)
+domain_obj_id_change_exemption(setfiles_mac_t)
+
########################################
#
# Checkpolicy local policy
@@ -191,15 +204,6 @@
')
')
-ifdef(`hide_broken_symptoms',`
- # cjp: cover up stray file descriptors.
- dontaudit load_policy_t selinux_config_t:file write;
-
- optional_policy(`
- unconfined_dontaudit_read_pipes(load_policy_t)
- ')
-')
-
########################################
#
# Newrole local policy
@@ -217,7 +221,7 @@
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+logging_send_audit_msgs(newrole_t)
read_files_pattern(newrole_t, default_context_t, default_context_t)
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
@@ -270,12 +274,14 @@
init_rw_utmp(newrole_t)
init_use_fds(newrole_t)
+logging_send_audit_msgs(newrole_t)
logging_send_syslog_msg(newrole_t)
miscfiles_read_localization(newrole_t)
seutil_libselinux_linked(newrole_t)
+userdom_use_unpriv_users_fds(newrole_t)
# for some PAM modules and for cwd
userdom_dontaudit_search_user_home_content(newrole_t)
userdom_search_user_home_dirs(newrole_t)
@@ -313,6 +319,8 @@
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
+files_dontaudit_read_all_symlinks(restorecond_t)
+
fs_relabelfrom_noxattr_fs(restorecond_t)
fs_dontaudit_list_nfs(restorecond_t)
fs_getattr_xattr_fs(restorecond_t)
@@ -336,6 +344,8 @@
seutil_libselinux_linked(restorecond_t)
+userdom_read_user_home_content_symlinks(restorecond_t)
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
@@ -354,7 +364,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
-allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+logging_send_audit_msgs(run_init_t)
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
@@ -383,7 +393,6 @@
auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
-auth_domtrans_upd_passwd(run_init_t)
auth_dontaudit_read_shadow(run_init_t)
init_spec_domtrans_script(run_init_t)
@@ -406,6 +415,10 @@
')
')
+optional_policy(`
+ rpm_domtrans(run_init_t)
+')
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
@@ -421,61 +434,22 @@
# semodule local policy
#
-allow semanage_t self:capability { dac_override audit_write };
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
-allow semanage_t self:unix_dgram_socket create_socket_perms;
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-allow semanage_t policy_config_t:file rw_file_perms;
-
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
-
-kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t)
-
-corecmd_exec_bin(semanage_t)
-
-dev_read_urand(semanage_t)
+seutil_semanage_policy(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;
-domain_use_interactive_fds(semanage_t)
+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-files_read_etc_files(semanage_t)
-files_read_etc_runtime_files(semanage_t)
-files_read_usr_files(semanage_t)
-files_list_pids(semanage_t)
-
-mls_file_write_all_levels(semanage_t)
-mls_file_read_all_levels(semanage_t)
-
-selinux_validate_context(semanage_t)
-selinux_get_enforce_mode(semanage_t)
-selinux_getattr_fs(semanage_t)
-# for setsebool:
selinux_set_all_booleans(semanage_t)
+can_exec(semanage_t, semanage_exec_t)
-term_use_all_terms(semanage_t)
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
-
-locallogin_use_fds(semanage_t)
-
-logging_send_syslog_msg(semanage_t)
-
-miscfiles_read_localization(semanage_t)
+# Admins are creating pp files in random locations
+auth_read_all_files_except_shadow(semanage_t)
-seutil_libselinux_linked(semanage_t)
seutil_manage_file_contexts(semanage_t)
seutil_manage_config(semanage_t)
seutil_domtrans_setfiles(semanage_t)
-seutil_domtrans_loadpolicy(semanage_t)
-seutil_manage_bin_policy(semanage_t)
-seutil_use_newrole_fds(semanage_t)
-seutil_manage_module_store(semanage_t)
-seutil_get_semanage_trans_lock(semanage_t)
-seutil_get_semanage_read_lock(semanage_t)
+
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
@@ -484,12 +458,23 @@
files_read_var_lib_symlinks(semanage_t)
')
+optional_policy(`
+ setrans_initrc_domtrans(semanage_t)
+ domain_system_change_exemption(semanage_t)
+ consoletype_exec(semanage_t)
+')
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(semanage_t)
')
')
+optional_policy(`
+ #signal mcstrans on reload
+ init_spec_domtrans_script(semanage_t)
+')
+
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
@@ -499,111 +484,43 @@
userdom_read_user_tmp_files(semanage_t)
')
-########################################
+userdom_search_admin_dir(semanage_t)
+
+####################################n####
#
-# Setfiles local policy
+# setsebool local policy
#
+seutil_semanage_policy(setsebool_t)
+selinux_set_all_booleans(setsebool_t)
-allow setfiles_t self:capability { dac_override dac_read_search fowner };
-dontaudit setfiles_t self:capability sys_tty_config;
-allow setfiles_t self:fifo_file rw_file_perms;
-
-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
-
-kernel_read_system_state(setfiles_t)
-kernel_relabelfrom_unlabeled_dirs(setfiles_t)
-kernel_relabelfrom_unlabeled_files(setfiles_t)
-kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
-kernel_relabelfrom_unlabeled_pipes(setfiles_t)
-kernel_relabelfrom_unlabeled_sockets(setfiles_t)
-kernel_use_fds(setfiles_t)
-kernel_rw_pipes(setfiles_t)
-kernel_rw_unix_dgram_sockets(setfiles_t)
-kernel_dontaudit_list_all_proc(setfiles_t)
-kernel_dontaudit_list_all_sysctls(setfiles_t)
-
-dev_relabel_all_dev_nodes(setfiles_t)
-
-domain_use_interactive_fds(setfiles_t)
-domain_dontaudit_search_all_domains_state(setfiles_t)
-
-files_read_etc_runtime_files(setfiles_t)
-files_read_etc_files(setfiles_t)
-files_list_all(setfiles_t)
-files_relabel_all_files(setfiles_t)
-
-fs_getattr_xattr_fs(setfiles_t)
-fs_list_all(setfiles_t)
-fs_search_auto_mountpoints(setfiles_t)
-fs_relabelfrom_noxattr_fs(setfiles_t)
-
-mls_file_read_all_levels(setfiles_t)
-mls_file_write_all_levels(setfiles_t)
-mls_file_upgrade(setfiles_t)
-mls_file_downgrade(setfiles_t)
-
-selinux_validate_context(setfiles_t)
-selinux_compute_access_vector(setfiles_t)
-selinux_compute_create_context(setfiles_t)
-selinux_compute_relabel_context(setfiles_t)
-selinux_compute_user_contexts(setfiles_t)
-
-term_use_all_user_ttys(setfiles_t)
-term_use_all_user_ptys(setfiles_t)
-term_use_unallocated_ttys(setfiles_t)
-
-# this is to satisfy the assertion:
-auth_relabelto_shadow(setfiles_t)
-
-init_use_fds(setfiles_t)
-init_use_script_fds(setfiles_t)
-init_use_script_ptys(setfiles_t)
-init_exec_script_files(setfiles_t)
-
-logging_send_syslog_msg(setfiles_t)
-
-miscfiles_read_localization(setfiles_t)
-
-seutil_libselinux_linked(setfiles_t)
-
-userdom_use_all_users_fds(setfiles_t)
-# for config files in a home directory
-userdom_read_user_home_content_files(setfiles_t)
+init_dontaudit_use_fds(setsebool_t)
-ifdef(`distro_debian',`
- # udev tmpfs is populated with static device nodes
- # and then relabeled afterwards; thus
- # /dev/console has the tmpfs type
- fs_rw_tmpfs_chr_files(setfiles_t)
-')
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
-ifdef(`distro_redhat', `
- fs_rw_tmpfs_chr_files(setfiles_t)
- fs_rw_tmpfs_blk_files(setfiles_t)
- fs_relabel_tmpfs_blk_file(setfiles_t)
- fs_relabel_tmpfs_chr_file(setfiles_t)
-')
+########################################
+#
+# Setfiles local policy
+#
-ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(setfiles_t)
- ')
-')
+seutil_setfiles(setfiles_t)
+# During boot in Rawhide
+term_use_generic_ptys(setfiles_t)
+
+seutil_setfiles(setfiles_mac_t)
+allow setfiles_mac_t self:capability2 mac_admin;
+kernel_relabelto_unlabeled(setfiles_mac_t)
ifdef(`hide_broken_symptoms',`
optional_policy(`
- udev_dontaudit_rw_dgram_sockets(setfiles_t)
- ')
-
- # cjp: cover up stray file descriptors.
- optional_policy(`
- unconfined_dontaudit_read_pipes(setfiles_t)
- unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
+ setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
+ setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
')
')
optional_policy(`
- hotplug_use_fds(setfiles_t)
+ unconfined_domain(setfiles_mac_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.5/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/sysnetwork.fc 2009-12-22 11:49:02.000000000 -0500
@@ -11,15 +11,22 @@
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0)
+/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0)
+/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0)
/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
ifdef(`distro_redhat',`
/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
-/etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
')
#
@@ -51,9 +58,12 @@
/var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+/var/lib/wifiroamd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
ifdef(`distro_gentoo',`
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
')
+
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.5/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/sysnetwork.if 2009-12-22 10:35:23.000000000 -0500
@@ -43,6 +43,36 @@
sysnet_domtrans_dhcpc($1)
role $2 types dhcpc_t;
+
+ sysnet_run_ifconfig(dhcpc_t, $2)
+
+ modutils_run_insmod(dhcpc_t, $2)
+
+ optional_policy(`
+ hostname_run(dhcpc_t, $2)
+ ')
+
+ optional_policy(`
+ netutils_run_ping(dhcpc_t, $2)
+ ')
+ optional_policy(`
+ netutils_run(dhcpc_t, $2)
+ ')
+ optional_policy(`
+ networkmanager_run(dhcpc_t, $2)
+ ')
+
+ optional_policy(`
+ nis_run_ypbind(dhcpc_t, $2)
+ ')
+
+ optional_policy(`
+ nscd_run(dhcpc_t, $2)
+ ')
+ optional_policy(`
+ ntp_run(dhcpc_t, $2)
+ ')
+ seutil_run_setfiles(dhcpc_t, $2)
')
########################################
@@ -192,7 +222,25 @@
type dhcpc_state_t;
')
- allow $1 dhcpc_state_t:file read_file_perms;
+ read_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
+')
+
+#######################################
+## <summary>
+## Delete the dhcp client state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`sysnet_delete_dhcpc_state',`
+ gen_require(`
+ type dhcpc_state_t;
+ ')
+
+ delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
')
#######################################
@@ -230,7 +278,8 @@
')
files_search_etc($1)
- allow $1 net_conf_t:file read_file_perms;
+ allow $1 net_conf_t:dir list_dir_perms;
+ read_files_pattern($1, net_conf_t, net_conf_t)
')
#######################################
@@ -323,7 +372,8 @@
type net_conf_t;
')
- allow $1 net_conf_t:file manage_file_perms;
+ allow $1 net_conf_t:dir list_dir_perms;
+ manage_files_pattern($1, net_conf_t, net_conf_t)
')
#######################################
@@ -464,6 +514,7 @@
')
files_search_etc($1)
+ allow $1 dhcp_etc_t:dir list_dir_perms;
read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
')
@@ -541,6 +592,7 @@
type net_conf_t;
')
+ allow $1 self:netlink_route_socket r_netlink_socket_perms;
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
@@ -557,6 +609,14 @@
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
+
+ optional_policy(`
+ avahi_stream_connect($1)
+ ')
+
+ optional_policy(`
+ nscd_socket_use($1)
+ ')
')
########################################
@@ -586,6 +646,8 @@
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
+ # LDAP Configuration using encrypted requires
+ dev_read_urand($1)
')
########################################
@@ -620,3 +682,49 @@
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
')
+
+########################################
+## <summary>
+## Do not audit attempts to use
+## the dhcp file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain sending the SIGCHLD.
+## </summary>
+## </param>
+#
+interface(`sysnet_dontaudit_dhcpc_use_fds',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ dontaudit $1 dhcpc_t:fd use;
+')
+
+########################################
+## <summary>
+## Transition to system_r when execute an dhclient script
+## </summary>
+## <desc>
+## <p>
+## Execute dhclient script in a specified role
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_role">
+## <summary>
+## Role to transition from.
+## </summary>
+## </param>
+interface(`sysnet_role_transition_dhcpc',`
+ gen_require(`
+ type dhcpc_exec_t;
+ ')
+
+ role_transition $1 dhcpc_exec_t system_r;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.5/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/sysnetwork.te 2009-12-21 13:07:09.000000000 -0500
@@ -20,6 +20,9 @@
init_daemon_domain(dhcpc_t, dhcpc_exec_t)
role system_r types dhcpc_t;
+type dhcpc_helper_exec_t;
+init_script_file(dhcpc_helper_exec_t)
+
type dhcpc_state_t;
files_type(dhcpc_state_t)
@@ -41,21 +44,23 @@
#
# DHCP client local policy
#
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
-dontaudit dhcpc_t self:capability sys_tty_config;
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
+dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process signal_perms;
-allow dhcpc_t self:fifo_file rw_file_perms;
+allow dhcpc_t self:process { getcap setcap setfscreate ptrace signal_perms };
+
+allow dhcpc_t self:fifo_file rw_fifo_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
allow dhcpc_t self:udp_socket create_socket_perms;
allow dhcpc_t self:packet_socket create_socket_perms;
-allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
+allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+allow dhcpc_t dhcp_state_t:file read_file_perms;
manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
@@ -66,6 +71,8 @@
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
allow dhcpc_t net_conf_t:file manage_file_perms;
+allow dhcpc_t net_conf_t:file relabel_file_perms;
+sysnet_manage_config(dhcpc_t)
files_etc_filetrans(dhcpc_t, net_conf_t, file)
# create temp files
@@ -81,6 +88,7 @@
kernel_read_system_state(dhcpc_t)
kernel_read_network_state(dhcpc_t)
kernel_read_kernel_sysctls(dhcpc_t)
+kernel_request_load_module(dhcpc_t)
kernel_use_fds(dhcpc_t)
corecmd_exec_bin(dhcpc_t)
@@ -107,14 +115,17 @@
# for SSP:
dev_read_urand(dhcpc_t)
+domain_obj_id_change_exemption(dhcpc_t)
domain_use_interactive_fds(dhcpc_t)
-domain_dontaudit_list_all_domains_state(dhcpc_t)
+domain_dontaudit_read_all_domains_state(dhcpc_t)
files_read_etc_files(dhcpc_t)
files_read_etc_runtime_files(dhcpc_t)
+files_read_usr_files(dhcpc_t)
files_search_home(dhcpc_t)
files_search_var_lib(dhcpc_t)
files_dontaudit_search_locks(dhcpc_t)
+files_getattr_generic_locks(dhcpc_t)
fs_getattr_all_fs(dhcpc_t)
fs_search_auto_mountpoints(dhcpc_t)
@@ -146,7 +157,7 @@
')
optional_policy(`
- consoletype_domtrans(dhcpc_t)
+ consoletype_exec(dhcpc_t)
')
optional_policy(`
@@ -183,25 +194,23 @@
')
optional_policy(`
- nis_use_ypbind(dhcpc_t)
- nis_signal_ypbind(dhcpc_t)
- nis_read_ypbind_pid(dhcpc_t)
- nis_delete_ypbind_pid(dhcpc_t)
+ networkmanager_domtrans(dhcpc_t)
+ networkmanager_read_pid_files(dhcpc_t)
+')
- # dhclient sometimes starts ypbind
- init_exec_script_files(dhcpc_t)
- nis_domtrans_ypbind(dhcpc_t)
+optional_policy(`
+ nis_ypbind_initrc_domtrans(dhcpc_t)
+ nis_read_ypbind_pid(dhcpc_t)
')
optional_policy(`
+ nscd_initrc_domtrans(dhcpc_t)
nscd_domtrans(dhcpc_t)
nscd_read_pid(dhcpc_t)
')
optional_policy(`
- # dhclient sometimes starts ntpd
- init_exec_script_files(dhcpc_t)
- ntp_domtrans(dhcpc_t)
+ ntp_initrc_domtrans(dhcpc_t)
')
optional_policy(`
@@ -212,6 +221,7 @@
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
+ seutil_domtrans_setfiles(dhcpc_t)
')
optional_policy(`
@@ -223,6 +233,10 @@
')
optional_policy(`
+ vmware_append_log(dhcpc_t)
+')
+
+optional_policy(`
kernel_read_xen_state(dhcpc_t)
kernel_write_xen_state(dhcpc_t)
xen_append_log(dhcpc_t)
@@ -235,7 +249,6 @@
#
allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
-dontaudit ifconfig_t self:capability sys_module;
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow ifconfig_t self:fd use;
allow ifconfig_t self:fifo_file rw_fifo_file_perms;
@@ -249,6 +262,8 @@
allow ifconfig_t self:sem create_sem_perms;
allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
+allow ifconfig_t net_conf_t:file read_file_perms;
+
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
# for /sbin/ip
@@ -260,7 +275,9 @@
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
+kernel_request_load_module(ifconfig_t)
kernel_search_network_sysctl(ifconfig_t)
+kernel_search_debugfs(ifconfig_t)
kernel_rw_net_sysctls(ifconfig_t)
corenet_rw_tun_tap_dev(ifconfig_t)
@@ -269,15 +286,23 @@
# for IPSEC setup:
dev_read_urand(ifconfig_t)
-domain_use_interactive_fds(ifconfig_t)
+read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
files_read_etc_files(ifconfig_t)
+files_read_etc_runtime_files(ifconfig_t)
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
+selinux_dontaudit_getattr_fs(ifconfig_t)
+
+term_dontaudit_use_console(ifconfig_t)
term_dontaudit_use_all_user_ttys(ifconfig_t)
term_dontaudit_use_all_user_ptys(ifconfig_t)
+term_dontaudit_use_ptmx(ifconfig_t)
+term_dontaudit_use_generic_ptys(ifconfig_t)
+
+domain_use_interactive_fds(ifconfig_t)
files_dontaudit_read_root_files(ifconfig_t)
@@ -294,6 +319,8 @@
seutil_use_runinit_fds(ifconfig_t)
+sysnet_dns_name_resolve(ifconfig_t)
+
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
@@ -330,8 +357,22 @@
')
optional_policy(`
+ unconfined_dontaudit_rw_pipes(ifconfig_t)
+')
+
+optional_policy(`
+ vmware_append_log(ifconfig_t)
+')
+
+optional_policy(`
kernel_read_xen_state(ifconfig_t)
kernel_write_xen_state(ifconfig_t)
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
+
+optional_policy(`
+ hal_dontaudit_rw_dgram_sockets(dhcpc_t)
+ hal_dontaudit_rw_pipes(ifconfig_t)
+ hal_dontaudit_rw_dgram_sockets(ifconfig_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.5/policy/modules/system/udev.if
--- nsaserefpolicy/policy/modules/system/udev.if 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/udev.if 2009-12-21 13:07:09.000000000 -0500
@@ -186,6 +186,7 @@
dev_list_all_dev_nodes($1)
allow $1 udev_tbl_t:file rw_file_perms;
+ allow $1 udev_tbl_t:file unlink;
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.5/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/udev.te 2009-12-21 13:07:09.000000000 -0500
@@ -50,6 +50,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
+allow udev_t self:netlink_socket create_socket_perms;
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
@@ -210,6 +211,10 @@
')
optional_policy(`
+ consolekit_read_pid_files(udev_t)
+')
+
+optional_policy(`
consoletype_exec(udev_t)
')
@@ -236,6 +241,7 @@
optional_policy(`
hal_dgram_send(udev_t)
+ hal_dontaudit_rw_dgram_sockets(udev_t)
')
optional_policy(`
@@ -263,7 +269,7 @@
')
optional_policy(`
- unconfined_signal(udev_t)
+ rpm_search_log(udev_t)
')
optional_policy(`
@@ -271,6 +277,10 @@
')
optional_policy(`
+ unconfined_signal(udev_t)
+')
+
+optional_policy(`
kernel_write_xen_state(udev_t)
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.5/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/unconfined.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,16 +1 @@
# Add programs here which should not be confined by SELinux
-# e.g.:
-# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-
-/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-
-/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-
-ifdef(`distro_gentoo',`
-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.5/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/unconfined.if 2009-12-21 13:07:09.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
gen_require(`
- type unconfined_t;
class dbus all_dbus_perms;
class nscd all_nscd_perms;
class passwd all_passwd_perms;
')
# Use any Linux capability.
- allow $1 self:capability *;
+ allow $1 self:capability all_capabilities;
allow $1 self:fifo_file manage_fifo_file_perms;
# Transition to myself, to make get_ordered_context_list happy.
@@ -27,12 +26,13 @@
# Write access is for setting attributes under /proc/self/attr.
allow $1 self:file rw_file_perms;
+ allow $1 self:dir rw_dir_perms;
# Userland object managers
- allow $1 self:nscd *;
- allow $1 self:dbus *;
- allow $1 self:passwd *;
- allow $1 self:association *;
+ allow $1 self:nscd all_nscd_perms;
+ allow $1 self:dbus all_dbus_perms;
+ allow $1 self:passwd all_passwd_perms;
+ allow $1 self:association all_association_perms;
kernel_unconfined($1)
corenet_unconfined($1)
@@ -44,6 +44,16 @@
fs_unconfined($1)
selinux_unconfined($1)
+ domain_mmap_low_type($1)
+
+ mls_file_read_all_levels($1)
+
+ ubac_process_exempt($1)
+
+ tunable_policy(`mmap_low_allowed',`
+ domain_mmap_low($1)
+ ')
+
tunable_policy(`allow_execheap',`
# Allow making the stack executable via mprotect.
allow $1 self:process execheap;
@@ -57,8 +67,8 @@
tunable_policy(`allow_execstack',`
# Allow making the stack executable via mprotect;
- # execstack implies execmem;
- allow $1 self:process { execstack execmem };
+ # execstack implies execmem; Bugzilla #211271
+ allow $1 self:process { execmem execstack };
# auditallow $1 self:process execstack;
')
@@ -69,6 +79,7 @@
optional_policy(`
# Communicate via dbusd.
dbus_system_bus_unconfined($1)
+ dbus_unconfined($1)
')
optional_policy(`
@@ -111,16 +122,16 @@
## </param>
#
interface(`unconfined_domain',`
+ gen_require(`
+ attribute unconfined_services;
+ ')
+
unconfined_domain_noaudit($1)
tunable_policy(`allow_execheap',`
auditallow $1 self:process execheap;
')
-# Turn off this audit for FC5
-# tunable_policy(`allow_execmem',`
-# auditallow $1 self:process execmem;
-# ')
')
########################################
@@ -173,411 +184,3 @@
refpolicywarn(`$0($1) has been deprecated.')
')
-########################################
-## <summary>
-## Transition to the unconfined domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_domtrans',`
- gen_require(`
- type unconfined_t, unconfined_exec_t;
- ')
-
- domtrans_pattern($1, unconfined_exec_t, unconfined_t)
-')
-
-########################################
-## <summary>
-## Execute specified programs in the unconfined domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## The type of the process performing this action.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## The role to allow the unconfined domain.
-## </summary>
-## </param>
-#
-interface(`unconfined_run',`
- gen_require(`
- type unconfined_t;
- ')
-
- unconfined_domtrans($1)
- role $2 types unconfined_t;
-')
-
-########################################
-## <summary>
-## Transition to the unconfined domain by executing a shell.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_shell_domtrans',`
- gen_require(`
- type unconfined_t;
- ')
-
- corecmd_shell_domtrans($1, unconfined_t)
- allow unconfined_t $1:fd use;
- allow unconfined_t $1:fifo_file rw_file_perms;
- allow unconfined_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-## Allow unconfined to execute the specified program in
-## the specified domain.
-## </summary>
-## <desc>
-## <p>
-## Allow unconfined to execute the specified program in
-## the specified domain.
-## </p>
-## <p>
-## This is a interface to support third party modules
-## and its use is not allowed in upstream reference
-## policy.
-## </p>
-## </desc>
-## <param name="domain">
-## <summary>
-## Domain to execute in.
-## </summary>
-## </param>
-## <param name="entry_file">
-## <summary>
-## Domain entry point file.
-## </summary>
-## </param>
-#
-interface(`unconfined_domtrans_to',`
- gen_require(`
- type unconfined_t;
- ')
-
- domtrans_pattern(unconfined_t,$2,$1)
-')
-
-########################################
-## <summary>
-## Allow unconfined to execute the specified program in
-## the specified domain. Allow the specified domain the
-## unconfined role and use of unconfined user terminals.
-## </summary>
-## <desc>
-## <p>
-## Allow unconfined to execute the specified program in
-## the specified domain. Allow the specified domain the
-## unconfined role and use of unconfined user terminals.
-## </p>
-## <p>
-## This is a interface to support third party modules
-## and its use is not allowed in upstream reference
-## policy.
-## </p>
-## </desc>
-## <param name="domain">
-## <summary>
-## Domain to execute in.
-## </summary>
-## </param>
-## <param name="entry_file">
-## <summary>
-## Domain entry point file.
-## </summary>
-## </param>
-#
-interface(`unconfined_run_to',`
- gen_require(`
- type unconfined_t;
- role unconfined_r;
- ')
-
- domtrans_pattern(unconfined_t,$2,$1)
- role unconfined_r types $1;
- userdom_use_user_terminals($1)
-')
-
-########################################
-## <summary>
-## Inherit file descriptors from the unconfined domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_use_fds',`
- gen_require(`
- type unconfined_t;
- ')
-
- allow $1 unconfined_t:fd use;
-')
-
-########################################
-## <summary>
-## Send a SIGCHLD signal to the unconfined domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_sigchld',`
- gen_require(`
- type unconfined_t;
- ')
-
- allow $1 unconfined_t:process sigchld;
-')
-
-########################################
-## <summary>
-## Send a SIGNULL signal to the unconfined domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_signull',`
- gen_require(`
- type unconfined_t;
- ')
-
- allow $1 unconfined_t:process signull;
-')
-
-########################################
-## <summary>
-## Send generic signals to the unconfined domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_signal',`
- gen_require(`
- type unconfined_t;
- ')
-
- allow $1 unconfined_t:process signal;
-')
-
-########################################
-## <summary>
-## Read unconfined domain unnamed pipes.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_read_pipes',`
- gen_require(`
- type unconfined_t;
- ')
-
- allow $1 unconfined_t:fifo_file read_fifo_file_perms;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to read unconfined domain unnamed pipes.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_dontaudit_read_pipes',`
- gen_require(`
- type unconfined_t;
- ')
-
- dontaudit $1 unconfined_t:fifo_file read;
-')
-
-########################################
-## <summary>
-## Read and write unconfined domain unnamed pipes.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_rw_pipes',`
- gen_require(`
- type unconfined_t;
- ')
-
- allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to read and write
-## unconfined domain unnamed pipes.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`unconfined_dontaudit_rw_pipes',`
- gen_require(`
- type unconfined_t;
- ')
-
- dontaudit $1 unconfined_t:fifo_file rw_file_perms;
-')
-
-########################################
-## <summary>
-## Connect to the unconfined domain using
-## a unix domain stream socket.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_stream_connect',`
- gen_require(`
- type unconfined_t;
- ')
-
- allow $1 unconfined_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to read or write
-## unconfined domain tcp sockets.
-## </summary>
-## <desc>
-## <p>
-## Do not audit attempts to read or write
-## unconfined domain tcp sockets.
-## </p>
-## <p>
-## This interface was added due to a broken
-## symptom in ldconfig.
-## </p>
-## </desc>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`unconfined_dontaudit_rw_tcp_sockets',`
- gen_require(`
- type unconfined_t;
- ')
-
- dontaudit $1 unconfined_t:tcp_socket { read write };
-')
-
-########################################
-## <summary>
-## Create keys for the unconfined domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_create_keys',`
- gen_require(`
- type unconfined_t;
- ')
-
- allow $1 unconfined_t:key create;
-')
-
-########################################
-## <summary>
-## Send messages to the unconfined domain over dbus.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_dbus_send',`
- gen_require(`
- type unconfined_t;
- class dbus send_msg;
- ')
-
- allow $1 unconfined_t:dbus send_msg;
-')
-
-########################################
-## <summary>
-## Send and receive messages from
-## unconfined_t over dbus.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_dbus_chat',`
- gen_require(`
- type unconfined_t;
- class dbus send_msg;
- ')
-
- allow $1 unconfined_t:dbus send_msg;
- allow unconfined_t $1:dbus send_msg;
-')
-
-########################################
-## <summary>
-## Connect to the the unconfined DBUS
-## for service (acquire_svc).
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`unconfined_dbus_connect',`
- gen_require(`
- type unconfined_t;
- class dbus acquire_svc;
- ')
-
- allow $1 unconfined_t:dbus acquire_svc;
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.5/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/unconfined.te 2009-12-21 13:07:09.000000000 -0500
@@ -5,227 +5,5 @@
#
# Declarations
#
+attribute unconfined_services;
-# usage in this module of types created by these
-# calls is not correct, however we dont currently
-# have another method to add access to these types
-userdom_base_user_template(unconfined)
-userdom_manage_home_role(unconfined_r, unconfined_t)
-userdom_manage_tmp_role(unconfined_r, unconfined_t)
-userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
-
-type unconfined_exec_t;
-init_system_domain(unconfined_t, unconfined_exec_t)
-
-type unconfined_execmem_t;
-type unconfined_execmem_exec_t;
-init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
-role unconfined_r types unconfined_execmem_t;
-
-########################################
-#
-# Local policy
-#
-
-domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
-
-files_create_boot_flag(unconfined_t)
-
-mcs_killall(unconfined_t)
-mcs_ptrace_all(unconfined_t)
-
-init_run_daemon(unconfined_t, unconfined_r)
-
-libs_run_ldconfig(unconfined_t, unconfined_r)
-
-logging_send_syslog_msg(unconfined_t)
-logging_run_auditctl(unconfined_t, unconfined_r)
-
-mount_run_unconfined(unconfined_t, unconfined_r)
-
-seutil_run_setfiles(unconfined_t, unconfined_r)
-seutil_run_semanage(unconfined_t, unconfined_r)
-
-unconfined_domain(unconfined_t)
-
-userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
-
-ifdef(`distro_gentoo',`
- seutil_run_runinit(unconfined_t, unconfined_r)
- seutil_init_script_run_runinit(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- ada_domtrans(unconfined_t)
-')
-
-optional_policy(`
- apache_run_helper(unconfined_t, unconfined_r)
- apache_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
- bind_run_ndc(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- bootloader_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- cron_unconfined_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
- init_dbus_chat_script(unconfined_t)
-
- dbus_stub(unconfined_t)
-
- optional_policy(`
- avahi_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- bluetooth_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- consolekit_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- cups_dbus_chat_config(unconfined_t)
- ')
-
- optional_policy(`
- hal_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- networkmanager_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- oddjob_dbus_chat(unconfined_t)
- ')
-')
-
-optional_policy(`
- firstboot_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- ftp_run_ftpdctl(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- inn_domtrans(unconfined_t)
-')
-
-optional_policy(`
- java_run_unconfined(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- lpd_run_checkpc(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- modutils_run_update_mods(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- mono_domtrans(unconfined_t)
-')
-
-optional_policy(`
- mta_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
- oddjob_domtrans_mkhomedir(unconfined_t)
-')
-
-optional_policy(`
- prelink_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- portmap_run_helper(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- postfix_run_map(unconfined_t, unconfined_r)
- # cjp: this should probably be removed:
- postfix_domtrans_master(unconfined_t)
-')
-
-optional_policy(`
- pyzor_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
- # cjp: this should probably be removed:
- rpc_domtrans_nfsd(unconfined_t)
-')
-
-optional_policy(`
- rpm_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- samba_run_net(unconfined_t, unconfined_r)
- samba_run_winbind_helper(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- spamassassin_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
- sysnet_run_dhcpc(unconfined_t, unconfined_r)
- sysnet_dbus_chat_dhcpc(unconfined_t)
-')
-
-optional_policy(`
- tzdata_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- usermanage_run_admin_passwd(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- vpn_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- webalizer_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- wine_domtrans(unconfined_t)
-')
-
-optional_policy(`
- xserver_domtrans(unconfined_t)
-')
-
-########################################
-#
-# Unconfined Execmem Local policy
-#
-
-allow unconfined_execmem_t self:process { execstack execmem };
-unconfined_domain_noaudit(unconfined_execmem_t)
-
-optional_policy(`
- dbus_stub(unconfined_execmem_t)
-
- init_dbus_chat_script(unconfined_execmem_t)
- unconfined_dbus_chat(unconfined_execmem_t)
-
- optional_policy(`
- hal_dbus_chat(unconfined_execmem_t)
- ')
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.5/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/userdomain.fc 2009-12-21 13:07:09.000000000 -0500
@@ -1,4 +1,9 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
-
/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
+/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.gvfs(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.5/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/userdomain.if 2009-12-21 13:07:09.000000000 -0500
@@ -30,8 +30,9 @@
')
attribute $1_file_type;
+ attribute $1_usertype;
- type $1_t, userdomain;
+ type $1_t, userdomain, $1_usertype;
domain_type($1_t)
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
@@ -41,80 +42,93 @@
allow system_r $1_r;
term_user_pty($1_t, user_devpts_t)
-
term_user_tty($1_t, user_tty_device_t)
+ term_dontaudit_getattr_generic_ptys($1_t)
- allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
- allow $1_t self:fd use;
- allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
- allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow $1_t self:shm create_shm_perms;
- allow $1_t self:sem create_sem_perms;
- allow $1_t self:msgq create_msgq_perms;
- allow $1_t self:msg { send receive };
- allow $1_t self:context contains;
- dontaudit $1_t self:socket create;
+ allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
+ allow $1_usertype $1_usertype:fd use;
+ allow $1_usertype $1_t:key { create view read write search link setattr };
+
+ allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
+ allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
+ allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto };
+ allow $1_usertype $1_usertype:shm create_shm_perms;
+ allow $1_usertype $1_usertype:sem create_sem_perms;
+ allow $1_usertype $1_usertype:msgq create_msgq_perms;
+ allow $1_usertype $1_usertype:msg { send receive };
+ allow $1_usertype $1_usertype:context contains;
+ dontaudit $1_usertype $1_usertype:socket create;
- allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms };
- term_create_pty($1_t, user_devpts_t)
+ allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms };
+ term_create_pty($1_usertype, user_devpts_t)
# avoid annoying messages on terminal hangup on role change
- dontaudit $1_t user_devpts_t:chr_file ioctl;
+ dontaudit $1_usertype user_devpts_t:chr_file ioctl;
- allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms };
+ allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms };
# avoid annoying messages on terminal hangup on role change
- dontaudit $1_t user_tty_device_t:chr_file ioctl;
+ dontaudit $1_usertype user_tty_device_t:chr_file ioctl;
+
+ application_exec_all($1_usertype)
+
+ files_exec_usr_files($1_t)
- kernel_read_kernel_sysctls($1_t)
- kernel_dontaudit_list_unlabeled($1_t)
- kernel_dontaudit_getattr_unlabeled_files($1_t)
- kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
- kernel_dontaudit_getattr_unlabeled_pipes($1_t)
- kernel_dontaudit_getattr_unlabeled_sockets($1_t)
- kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
- kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
+ kernel_read_kernel_sysctls($1_usertype)
+ kernel_read_all_sysctls($1_usertype)
+ kernel_dontaudit_list_unlabeled($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_files($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
+ kernel_dontaudit_list_proc($1_usertype)
- dev_dontaudit_getattr_all_blk_files($1_t)
- dev_dontaudit_getattr_all_chr_files($1_t)
+ dev_dontaudit_getattr_all_blk_files($1_usertype)
+ dev_dontaudit_getattr_all_chr_files($1_usertype)
+ dev_getattr_mtrr_dev($1_t)
# When the user domain runs ps, there will be a number of access
# denials when ps tries to search /proc. Do not audit these denials.
- domain_dontaudit_read_all_domains_state($1_t)
- domain_dontaudit_getattr_all_domains($1_t)
- domain_dontaudit_getsession_all_domains($1_t)
-
- files_read_etc_files($1_t)
- files_read_etc_runtime_files($1_t)
- files_read_usr_files($1_t)
+ domain_dontaudit_read_all_domains_state($1_usertype)
+ domain_dontaudit_getattr_all_domains($1_usertype)
+ domain_dontaudit_getsession_all_domains($1_usertype)
+
+ files_read_etc_files($1_usertype)
+ files_list_mnt($1_usertype)
+ files_read_mnt_files($1_usertype)
+ files_read_etc_runtime_files($1_usertype)
+ files_read_usr_files($1_usertype)
+ files_read_usr_src_files($1_usertype)
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
- files_list_world_readable($1_t)
- files_read_world_readable_files($1_t)
- files_read_world_readable_symlinks($1_t)
- files_read_world_readable_pipes($1_t)
- files_read_world_readable_sockets($1_t)
+ files_list_world_readable($1_usertype)
+ files_read_world_readable_files($1_usertype)
+ files_read_world_readable_symlinks($1_usertype)
+ files_read_world_readable_pipes($1_usertype)
+ files_read_world_readable_sockets($1_usertype)
# old broswer_domain():
- files_dontaudit_list_non_security($1_t)
- files_dontaudit_getattr_non_security_files($1_t)
- files_dontaudit_getattr_non_security_symlinks($1_t)
- files_dontaudit_getattr_non_security_pipes($1_t)
- files_dontaudit_getattr_non_security_sockets($1_t)
+ files_dontaudit_getattr_all_dirs($1_usertype)
+ files_dontaudit_list_non_security($1_usertype)
+ files_dontaudit_getattr_all_files($1_usertype)
+ files_dontaudit_getattr_non_security_symlinks($1_usertype)
+ files_dontaudit_getattr_non_security_pipes($1_usertype)
+ files_dontaudit_getattr_non_security_sockets($1_usertype)
- libs_exec_ld_so($1_t)
+ storage_rw_fuse($1_usertype)
- miscfiles_read_localization($1_t)
- miscfiles_read_certs($1_t)
+ auth_use_nsswitch($1_usertype)
- sysnet_read_config($1_t)
+ libs_exec_ld_so($1_usertype)
- tunable_policy(`allow_execmem',`
- # Allow loading DSOs that require executable stack.
- allow $1_t self:process execmem;
- ')
+ miscfiles_read_certs($1_usertype)
+ miscfiles_read_localization($1_usertype)
+ miscfiles_read_man_pages($1_usertype)
+ miscfiles_read_public_files($1_usertype)
- tunable_policy(`allow_execmem && allow_execstack',`
- # Allow making the stack executable via mprotect.
- allow $1_t self:process execstack;
+ optional_policy(`
+ ssh_rw_stream_sockets($1_usertype)
+ ssh_delete_tmp($1_t)
+ ssh_signal($1_t)
')
')
@@ -147,6 +161,7 @@
interface(`userdom_ro_home_role',`
gen_require(`
type user_home_t, user_home_dir_t;
+ attribute userhomereader;
')
role $1 types { user_home_t user_home_dir_t };
@@ -157,6 +172,7 @@
#
type_member $2 user_home_dir_t:dir user_home_dir_t;
+ typeattribute $2 userhomereader;
# read-only home directory
allow $2 user_home_dir_t:dir list_dir_perms;
@@ -168,27 +184,6 @@
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
files_list_home($2)
- tunable_policy(`use_nfs_home_dirs',`
- fs_list_nfs($2)
- fs_read_nfs_files($2)
- fs_read_nfs_symlinks($2)
- fs_read_nfs_named_sockets($2)
- fs_read_nfs_named_pipes($2)
- ',`
- fs_dontaudit_list_nfs($2)
- fs_dontaudit_read_nfs_files($2)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_list_cifs($2)
- fs_read_cifs_files($2)
- fs_read_cifs_symlinks($2)
- fs_read_cifs_named_sockets($2)
- fs_read_cifs_named_pipes($2)
- ',`
- fs_dontaudit_list_cifs($2)
- fs_dontaudit_read_cifs_files($2)
- ')
')
#######################################
@@ -220,9 +215,10 @@
interface(`userdom_manage_home_role',`
gen_require(`
type user_home_t, user_home_dir_t;
+ attribute user_home_type;
')
- role $1 types { user_home_t user_home_dir_t };
+ role $1 types { user_home_type user_home_dir_t };
##############################
#
@@ -232,17 +228,20 @@
type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory
+ allow $2 user_home_t:dir mounton;
allow $2 user_home_t:file entrypoint;
- manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+
+ allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
+ manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
files_list_home($2)
@@ -250,25 +249,23 @@
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
tunable_policy(`use_nfs_home_dirs',`
+ fs_mount_nfs($2)
+ fs_mounton_nfs($2)
fs_manage_nfs_dirs($2)
fs_manage_nfs_files($2)
fs_manage_nfs_symlinks($2)
fs_manage_nfs_named_sockets($2)
fs_manage_nfs_named_pipes($2)
- ',`
- fs_dontaudit_manage_nfs_dirs($2)
- fs_dontaudit_manage_nfs_files($2)
')
tunable_policy(`use_samba_home_dirs',`
+ fs_mount_cifs($2)
+ fs_mounton_cifs($2)
fs_manage_cifs_dirs($2)
fs_manage_cifs_files($2)
fs_manage_cifs_symlinks($2)
fs_manage_cifs_named_sockets($2)
fs_manage_cifs_named_pipes($2)
- ',`
- fs_dontaudit_manage_cifs_dirs($2)
- fs_dontaudit_manage_cifs_files($2)
')
')
@@ -303,6 +300,7 @@
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+ relabel_files_pattern($2, user_tmp_t, user_tmp_t)
')
#######################################
@@ -322,6 +320,7 @@
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
+ dontaudit $1 user_tmp_t:sock_file execute;
files_search_tmp($1)
')
@@ -368,51 +367,46 @@
#######################################
## <summary>
-## The template allowing the user basic
+## The interface allowing the user basic
## network permissions
## </summary>
-## <param name="userdomain_prefix">
+## <param name="userdomain">
## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## The user domain
## </summary>
## </param>
## <rolebase/>
#
-template(`userdom_basic_networking_template',`
- gen_require(`
- type $1_t;
- ')
+interface(`userdom_basic_networking',`
- allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:udp_socket create_socket_perms;
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
- corenet_all_recvfrom_unlabeled($1_t)
- corenet_all_recvfrom_netlabel($1_t)
- corenet_tcp_sendrecv_generic_if($1_t)
- corenet_udp_sendrecv_generic_if($1_t)
- corenet_tcp_sendrecv_generic_node($1_t)
- corenet_udp_sendrecv_generic_node($1_t)
- corenet_tcp_sendrecv_all_ports($1_t)
- corenet_udp_sendrecv_all_ports($1_t)
- corenet_tcp_connect_all_ports($1_t)
- corenet_sendrecv_all_client_packets($1_t)
-
- corenet_all_recvfrom_labeled($1_t, $1_t)
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_udp_sendrecv_generic_node($1)
+ corenet_tcp_sendrecv_all_ports($1)
+ corenet_udp_sendrecv_all_ports($1)
+ corenet_tcp_connect_all_ports($1)
+ corenet_sendrecv_all_client_packets($1)
optional_policy(`
- init_tcp_recvfrom_all_daemons($1_t)
- init_udp_recvfrom_all_daemons($1_t)
+ init_tcp_recvfrom_all_daemons($1)
+ init_udp_recvfrom_all_daemons($1)
')
optional_policy(`
- ipsec_match_default_spd($1_t)
+ ipsec_match_default_spd($1)
')
+
')
#######################################
## <summary>
-## The template for creating a user xwindows client. (Deprecated)
+## The template for creating a user xwindows client.
## </summary>
## <param name="userdomain_prefix">
## <summary>
@@ -420,35 +414,58 @@
## is the prefix for user_t).
## </summary>
## </param>
-## <rolebase/>
+## <rolecap/>
#
-template(`userdom_xwindows_client_template',`
- refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.')
+interface(`userdom_xwindows_client',`
gen_require(`
- type $1_t, user_tmpfs_t;
+ type user_tmpfs_t;
')
- dev_rw_xserver_misc($1_t)
- dev_rw_power_management($1_t)
- dev_read_input($1_t)
- dev_read_misc($1_t)
- dev_write_misc($1_t)
+ dev_rwx_zero($1)
+ dev_rw_xserver_misc($1)
+ dev_rw_power_management($1)
+ dev_read_input($1)
+ dev_read_misc($1)
+ dev_write_misc($1)
# open office is looking for the following
- dev_getattr_agp_dev($1_t)
- dev_dontaudit_rw_dri($1_t)
+ dev_getattr_agp_dev($1)
+
+ tunable_policy(`user_direct_dri',`
+ dev_rw_dri($1)
+ ',`
+ dev_dontaudit_rw_dri($1)
+ ')
+
# GNOME checks for usb and other devices:
- dev_rw_usbfs($1_t)
+ dev_rw_usbfs($1)
+ dev_rw_generic_usb_dev($1)
+ dev_read_video_dev($1)
+ dev_write_video_dev($1)
+ dev_rw_wireless($1)
+
+ miscfiles_dontaudit_write_fonts($1)
+
+ optional_policy(`
+ udev_read_db($1)
+ ')
+
+ optional_policy(`
+ setroubleshoot_dontaudit_dbus_chat($1)
+ ')
- xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
- xserver_xsession_entry_type($1_t)
- xserver_dontaudit_write_log($1_t)
- xserver_stream_connect_xdm($1_t)
+ optional_policy(`
+ xserver_user_client($1, user_tmpfs_t)
+ xserver_xsession_entry_type($1)
+ xserver_dontaudit_write_log($1)
# certain apps want to read xdm.pid file
- xserver_read_xdm_pid($1_t)
+ xserver_read_xdm_pid($1)
# gnome-session creates socket under /tmp/.ICE-unix/
- xserver_create_xdm_tmp_sockets($1_t)
+ xserver_create_xdm_tmp_sockets($1)
# Needed for escd, remove if we get escd policy
- xserver_manage_xdm_tmp_files($1_t)
+ xserver_manage_xdm_tmp_files($1)
+ xserver_dbus_chat_xdm($1)
+ ')
+
')
#######################################
@@ -498,7 +515,7 @@
attribute unpriv_userdomain;
')
- userdom_basic_networking_template($1)
+ userdom_basic_networking($1_usertype)
##############################
#
@@ -508,182 +525,213 @@
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+ allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow $1_t self:socket create_socket_perms;
- allow $1_t unpriv_userdomain:fd use;
+ allow $1_usertype unpriv_userdomain:fd use;
- kernel_read_system_state($1_t)
- kernel_read_network_state($1_t)
- kernel_read_net_sysctls($1_t)
+ kernel_read_system_state($1_usertype)
+ kernel_read_network_state($1_usertype)
+ kernel_read_net_sysctls($1_usertype)
# Very permissive allowing every domain to see every type:
- kernel_get_sysvipc_info($1_t)
+ kernel_get_sysvipc_info($1_usertype)
# Find CDROM devices:
- kernel_read_device_sysctls($1_t)
+ kernel_read_device_sysctls($1_usertype)
+ kernel_request_load_module($1_usertype)
- corecmd_exec_bin($1_t)
+ corenet_udp_bind_generic_node($1_usertype)
+ corenet_udp_bind_generic_port($1_usertype)
- corenet_udp_bind_generic_node($1_t)
- corenet_udp_bind_generic_port($1_t)
+ dev_read_rand($1_usertype)
+ dev_write_sound($1_usertype)
+ dev_read_sound($1_usertype)
+ dev_read_sound_mixer($1_usertype)
+ dev_write_sound_mixer($1_usertype)
- dev_read_rand($1_t)
- dev_write_sound($1_t)
- dev_read_sound($1_t)
- dev_read_sound_mixer($1_t)
- dev_write_sound_mixer($1_t)
-
- files_exec_etc_files($1_t)
- files_search_locks($1_t)
+ files_exec_etc_files($1_usertype)
+ files_search_locks($1_usertype)
# Check to see if cdrom is mounted
- files_search_mnt($1_t)
+ files_search_mnt($1_usertype)
# cjp: perhaps should cut back on file reads:
- files_read_var_files($1_t)
- files_read_var_symlinks($1_t)
- files_read_generic_spool($1_t)
- files_read_var_lib_files($1_t)
+ files_read_var_files($1_usertype)
+ files_read_var_symlinks($1_usertype)
+ files_read_generic_spool($1_usertype)
+ files_read_var_lib_files($1_usertype)
# Stat lost+found.
- files_getattr_lost_found_dirs($1_t)
+ files_getattr_lost_found_dirs($1_usertype)
+ files_read_config_files($1_usertype)
+ fs_read_noxattr_fs_files($1_usertype)
+ fs_read_noxattr_fs_symlinks($1_usertype)
+
+ logging_send_syslog_msg($1_usertype)
+ logging_send_audit_msgs($1_usertype)
+ selinux_get_enforce_mode($1_usertype)
# cjp: some of this probably can be removed
- selinux_get_fs_mount($1_t)
- selinux_validate_context($1_t)
- selinux_compute_access_vector($1_t)
- selinux_compute_create_context($1_t)
- selinux_compute_relabel_context($1_t)
- selinux_compute_user_contexts($1_t)
+ selinux_get_fs_mount($1_usertype)
+ selinux_validate_context($1_usertype)
+ selinux_compute_access_vector($1_usertype)
+ selinux_compute_create_context($1_usertype)
+ selinux_compute_relabel_context($1_usertype)
+ selinux_compute_user_contexts($1_usertype)
# for eject
- storage_getattr_fixed_disk_dev($1_t)
+ storage_getattr_fixed_disk_dev($1_usertype)
- auth_use_nsswitch($1_t)
- auth_read_login_records($1_t)
- auth_search_pam_console_data($1_t)
+ auth_read_login_records($1_usertype)
auth_run_pam($1_t,$1_r)
auth_run_utempter($1_t,$1_r)
- init_read_utmp($1_t)
+ init_read_utmp($1_usertype)
- seutil_read_file_contexts($1_t)
- seutil_read_default_contexts($1_t)
+ seutil_read_file_contexts($1_usertype)
+ seutil_read_default_contexts($1_usertype)
seutil_run_newrole($1_t,$1_r)
seutil_exec_checkpolicy($1_t)
- seutil_exec_setfiles($1_t)
+ seutil_exec_setfiles($1_usertype)
# for when the network connection is killed
# this is needed when a login role can change
# to this one.
seutil_dontaudit_signal_newrole($1_t)
tunable_policy(`user_direct_mouse',`
- dev_read_mouse($1_t)
+ dev_read_mouse($1_usertype)
')
- tunable_policy(`user_ttyfile_stat',`
- term_getattr_all_user_ttys($1_t)
+ optional_policy(`
+ alsa_read_rw_config($1_usertype)
')
optional_policy(`
- alsa_read_rw_config($1_t)
+ # Allow graphical boot to check battery lifespan
+ apm_stream_connect($1_usertype)
')
optional_policy(`
- # Allow graphical boot to check battery lifespan
- apm_stream_connect($1_t)
+ canna_stream_connect($1_usertype)
')
optional_policy(`
- canna_stream_connect($1_t)
+ chrome_role($1_r, $1_usertype)
')
optional_policy(`
- dbus_system_bus_client($1_t)
+ dbus_system_bus_client($1_usertype)
+
+ allow $1_usertype $1_usertype:dbus send_msg;
+
+ optional_policy(`
+ avahi_dbus_chat($1_usertype)
+ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
+ bluetooth_dbus_chat($1_usertype)
+ ')
+
+ optional_policy(`
+ consolekit_dbus_chat($1_usertype)
+ consolekit_read_log($1_usertype)
+ ')
+
+ optional_policy(`
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
+ evolution_dbus_chat($1_usertype)
+ evolution_alarm_dbus_chat($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
+ hal_dbus_chat($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
+ networkmanager_dbus_chat($1_usertype)
+ networkmanager_read_var_lib_files($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
+ vpnc_dbus_chat($1_usertype)
')
')
optional_policy(`
- inetd_use_fds($1_t)
- inetd_rw_tcp_sockets($1_t)
+ inetd_use_fds($1_usertype)
+ inetd_rw_tcp_sockets($1_usertype)
')
optional_policy(`
- inn_read_config($1_t)
- inn_read_news_lib($1_t)
- inn_read_news_spool($1_t)
+ inn_read_config($1_usertype)
+ inn_read_news_lib($1_usertype)
+ inn_read_news_spool($1_usertype)
')
optional_policy(`
- locate_read_lib_files($1_t)
+ locate_read_lib_files($1_usertype)
')
# for running depmod as part of the kernel packaging process
optional_policy(`
- modutils_read_module_config($1_t)
+ modutils_read_module_config($1_usertype)
+ ')
+
+ optional_policy(`
+ mta_rw_spool($1_usertype)
+ mta_manage_queue($1_usertype)
')
optional_policy(`
- mta_rw_spool($1_t)
+ nsplugin_role($1_r, $1_usertype)
')
optional_policy(`
- tunable_policy(`allow_user_mysql_connect',`
- mysql_stream_connect($1_t)
+ tunable_policy(`allow_user_postgresql_connect',`
+ postgresql_stream_connect($1_usertype)
')
')
optional_policy(`
# to allow monitoring of pcmcia status
- pcmcia_read_pid($1_t)
+ pcmcia_read_pid($1_usertype)
')
optional_policy(`
- pcscd_read_pub_files($1_t)
- pcscd_stream_connect($1_t)
+ pcscd_read_pub_files($1_usertype)
+ pcscd_stream_connect($1_usertype)
')
optional_policy(`
- tunable_policy(`allow_user_postgresql_connect',`
- postgresql_stream_connect($1_t)
- postgresql_tcp_connect($1_t)
+ resmgr_stream_connect($1_usertype)
')
+
+ optional_policy(`
+ rpc_dontaudit_getattr_exports($1_usertype)
+ rpc_manage_nfs_rw_content($1_usertype)
')
optional_policy(`
- resmgr_stream_connect($1_t)
+ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
+ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- samba_stream_connect_winbind($1_t)
+ sandbox_transition($1_usertype, $1_r)
')
optional_policy(`
- slrnpull_search_spool($1_t)
+ seunshare_run($1_t, $1_r)
')
optional_policy(`
- usernetctl_run($1_t,$1_r)
+ slrnpull_search_spool($1_usertype)
')
+
')
#######################################
@@ -711,13 +759,26 @@
userdom_base_user_template($1)
- userdom_manage_home_role($1_r, $1_t)
+ userdom_manage_home_role($1_r, $1_usertype)
+
+ userdom_manage_tmp_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
+
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
+ ')
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
- userdom_exec_user_tmp_files($1_t)
- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
+ ')
userdom_change_password_template($1)
@@ -735,70 +796,72 @@
allow $1_t self:context contains;
- kernel_dontaudit_read_system_state($1_t)
+ kernel_dontaudit_read_system_state($1_usertype)
- dev_read_sysfs($1_t)
- dev_read_urand($1_t)
+ dev_read_sysfs($1_usertype)
+ dev_read_urand($1_usertype)
- domain_use_interactive_fds($1_t)
+ domain_use_interactive_fds($1_usertype)
# Command completion can fire hundreds of denials
- domain_dontaudit_exec_all_entry_files($1_t)
+ domain_dontaudit_exec_all_entry_files($1_usertype)
- files_dontaudit_list_default($1_t)
- files_dontaudit_read_default_files($1_t)
+ files_dontaudit_list_default($1_usertype)
+ files_dontaudit_read_default_files($1_usertype)
# Stat lost+found.
- files_getattr_lost_found_dirs($1_t)
+ files_getattr_lost_found_dirs($1_usertype)
- fs_get_all_fs_quotas($1_t)
- fs_getattr_all_fs($1_t)
- fs_getattr_all_dirs($1_t)
- fs_search_auto_mountpoints($1_t)
- fs_list_inotifyfs($1_t)
- fs_rw_anon_inodefs_files($1_t)
+ fs_get_all_fs_quotas($1_usertype)
+ fs_getattr_all_fs($1_usertype)
+ fs_search_all($1_usertype)
+ fs_list_inotifyfs($1_usertype)
+ fs_rw_anon_inodefs_files($1_usertype)
auth_dontaudit_write_login_records($1_t)
-
- application_exec_all($1_t)
+ auth_rw_cache($1_t)
# The library functions always try to open read-write first,
# then fall back to read-only if it fails.
- init_dontaudit_rw_utmp($1_t)
+ init_dontaudit_rw_utmp($1_usertype)
# Stop warnings about access to /dev/console
- init_dontaudit_use_fds($1_t)
- init_dontaudit_use_script_fds($1_t)
+ init_dontaudit_use_fds($1_usertype)
+ init_dontaudit_use_script_fds($1_usertype)
- libs_exec_lib_files($1_t)
+ libs_exec_lib_files($1_usertype)
- logging_dontaudit_getattr_all_logs($1_t)
+ logging_dontaudit_getattr_all_logs($1_usertype)
- miscfiles_read_man_pages($1_t)
# for running TeX programs
- miscfiles_read_tetex_data($1_t)
- miscfiles_exec_tetex_data($1_t)
+ miscfiles_read_tetex_data($1_usertype)
+ miscfiles_exec_tetex_data($1_usertype)
- seutil_read_config($1_t)
+ seutil_read_config($1_usertype)
+ optional_policy(`
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
+ cups_stream_connect_ptal($1_usertype)
+ ')
optional_policy(`
- cups_read_config($1_t)
- cups_stream_connect($1_t)
- cups_stream_connect_ptal($1_t)
+ kerberos_use($1_usertype)
+ kerberos_connect_524($1_usertype)
')
optional_policy(`
- kerberos_use($1_t)
+ mta_dontaudit_read_spool_symlinks($1_usertype)
')
optional_policy(`
- mta_dontaudit_read_spool_symlinks($1_t)
+ quota_dontaudit_getattr_db($1_usertype)
')
optional_policy(`
- quota_dontaudit_getattr_db($1_t)
+ rpm_read_db($1_usertype)
+ rpm_dontaudit_manage_db($1_usertype)
+ rpm_read_cache($1_usertype)
')
optional_policy(`
- rpm_read_db($1_t)
- rpm_dontaudit_manage_db($1_t)
+ oddjob_run_mkhomedir($1_t, $1_r)
')
')
@@ -826,6 +889,8 @@
')
userdom_login_user_template($1)
+ allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
+ dontaudit $1_t self:netlink_audit_socket create_socket_perms;
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -836,6 +901,26 @@
#
optional_policy(`
+ dbus_role_template($1, $1_r, $1_usertype)
+ dbus_system_bus_client($1_usertype)
+ allow $1_usertype $1_usertype:dbus send_msg;
+
+ optional_policy(`
+ abrt_dbus_chat($1_usertype)
+ abrt_run_helper($1_usertype, $1_r)
+ ')
+
+ optional_policy(`
+ consolekit_dbus_chat($1_usertype)
+ ')
+
+ optional_policy(`
+ cups_dbus_chat($1_usertype)
+ cups_dbus_chat_config($1_usertype)
+ ')
+ ')
+
+ optional_policy(`
loadkeys_run($1_t,$1_r)
')
')
@@ -865,51 +950,83 @@
userdom_restricted_user_template($1)
+ userdom_xwindows_client($1_usertype)
+
##############################
#
# Local policy
#
auth_role($1_r, $1_t)
- auth_search_pam_console_data($1_t)
+ auth_search_pam_console_data($1_usertype)
+
+ xserver_role($1_r, $1_t)
- dev_read_sound($1_t)
- dev_write_sound($1_t)
+ dev_read_sound($1_usertype)
+ dev_write_sound($1_usertype)
# gnome keyring wants to read this.
- dev_dontaudit_read_rand($1_t)
+ dev_dontaudit_read_rand($1_usertype)
+ # temporarily allow since openoffice requires this
+ dev_read_rand($1_usertype)
- logging_send_syslog_msg($1_t)
+ dev_read_video_dev($1_usertype)
+ dev_write_video_dev($1_usertype)
+
+ tunable_policy(`user_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files($1_usertype)
+ fs_manage_noxattr_fs_dirs($1_usertype)
+ fs_manage_dos_dirs($1_usertype)
+ fs_manage_dos_files($1_usertype)
+ storage_raw_read_removable_device($1_usertype)
+ storage_raw_write_removable_device($1_usertype)
+ ')
+
+ logging_send_syslog_msg($1_usertype)
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
logging_send_audit_msgs($1_t)
selinux_get_enforce_mode($1_t)
+ seutil_exec_restorecond($1_t)
+ seutil_read_file_contexts($1_t)
+ seutil_read_default_contexts($1_t)
+
+ optional_policy(`
+ alsa_read_rw_config($1_usertype)
+ ')
- xserver_restricted_role($1_r, $1_t)
+ optional_policy(`
+ apache_role($1_r, $1_usertype)
+ ')
optional_policy(`
- alsa_read_rw_config($1_t)
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
')
optional_policy(`
- dbus_role_template($1, $1_r, $1_t)
- dbus_system_bus_client($1_t)
+ fprintd_dbus_chat($1_t)
+ ')
optional_policy(`
- consolekit_dbus_chat($1_t)
+ openoffice_role_template($1, $1_r, $1_usertype)
')
optional_policy(`
- cups_dbus_chat($1_t)
+ policykit_role($1_r, $1_usertype)
')
+
+ optional_policy(`
+ pulseaudio_role($1_r, $1_usertype)
')
optional_policy(`
- java_role($1_r, $1_t)
+ rtkit_daemon_system_domain($1_usertype)
')
optional_policy(`
- setroubleshoot_dontaudit_stream_connect($1_t)
+ wm_role_template($1, $1_r, $1_t)
')
')
@@ -943,8 +1060,8 @@
# Declarations
#
+ userdom_restricted_xwindows_user_template($1)
# Inherit rules for ordinary users.
- userdom_restricted_user_template($1)
userdom_common_user_template($1)
##############################
@@ -953,58 +1070,71 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
- corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
+# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
# Need the following rule to allow users to run vpnc
corenet_tcp_bind_xserver_port($1_t)
+ corenet_tcp_bind_all_nodes($1_usertype)
- files_exec_usr_files($1_t)
- # cjp: why?
- files_read_kernel_symbol_table($1_t)
+ storage_rw_fuse($1_t)
+
+ # Allow users to run TCP servers (bind to ports and accept connection from
+ # the same domain and outside users) disabling this forces FTP passive mode
+ # and may change other protocols
+ tunable_policy(`user_tcp_server',`
+ corenet_tcp_bind_all_unreserved_ports($1_usertype)
+ ')
- ifndef(`enable_mls',`
- fs_exec_noxattr($1_t)
+ optional_policy(`
+ cdrecord_role($1_r, $1_t)
+ ')
- tunable_policy(`user_rw_noexattrfile',`
- fs_manage_noxattr_fs_files($1_t)
- fs_manage_noxattr_fs_dirs($1_t)
- # Write floppies
- storage_raw_read_removable_device($1_t)
- storage_raw_write_removable_device($1_t)
- ',`
- storage_raw_read_removable_device($1_t)
+ optional_policy(`
+ cron_role($1_r, $1_t)
')
+
+ optional_policy(`
+ games_rw_data($1_usertype)
')
- tunable_policy(`user_dmesg',`
- kernel_read_ring_buffer($1_t)
- ',`
- kernel_dontaudit_read_ring_buffer($1_t)
+ optional_policy(`
+ gpg_role($1_r, $1_usertype)
')
- # Allow users to run TCP servers (bind to ports and accept connection from
- # the same domain and outside users) disabling this forces FTP passive mode
- # and may change other protocols
- tunable_policy(`user_tcp_server',`
- corenet_tcp_bind_generic_node($1_t)
- corenet_tcp_bind_generic_port($1_t)
+ optional_policy(`
+ gnomeclock_dbus_chat($1_t)
')
optional_policy(`
- netutils_run_ping_cond($1_t,$1_r)
- netutils_run_traceroute_cond($1_t,$1_r)
+ gpm_stream_connect($1_usertype)
')
optional_policy(`
- postgresql_role($1_r,$1_t)
+ execmem_role_template($1, $1_r, $1_t)
+ ')
+
+ optional_policy(`
+ java_role_template($1, $1_r, $1_t)
+ ')
+
+ optional_policy(`
+ mono_role_template($1, $1_r, $1_t)
')
- # Run pppd in pppd_t by default for user
optional_policy(`
- ppp_run_cond($1_t,$1_r)
+ mount_run($1_t, $1_r)
')
optional_policy(`
- setroubleshoot_stream_connect($1_t)
+ wine_role_template($1, $1_r, $1_t)
+ ')
+
+ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
+ ')
+
+ # Run pppd in pppd_t by default for user
+ optional_policy(`
+ ppp_run_cond($1_t, $1_r)
')
')
@@ -1040,7 +1170,7 @@
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
- class passwd { passwd chfn chsh rootok };
+ class passwd { passwd chfn chsh rootok crontab };
')
##############################
@@ -1049,8 +1179,7 @@
#
# Inherit rules for ordinary users.
- userdom_login_user_template($1)
- userdom_common_user_template($1)
+ userdom_unpriv_user_template($1)
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
@@ -1075,6 +1204,9 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
+ # Manipulate other users crontab.
+ allow $1_t self:passwd crontab;
+
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
@@ -1089,6 +1221,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
+ kernel_signal($1_t)
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
@@ -1096,8 +1229,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
- # for lsof
- dev_getattr_mtrr_dev($1_t)
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
@@ -1124,12 +1255,11 @@
files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t)
+ fs_getattr_all_files($1_t)
+ fs_list_all($1_t)
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
- storage_raw_read_removable_device($1_t)
- storage_raw_write_removable_device($1_t)
-
term_use_all_terms($1_t)
auth_getattr_shadow($1_t)
@@ -1152,20 +1282,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
- userdom_manage_user_home_content_dirs($1_t)
- userdom_manage_user_home_content_files($1_t)
- userdom_manage_user_home_content_symlinks($1_t)
- userdom_manage_user_home_content_pipes($1_t)
- userdom_manage_user_home_content_sockets($1_t)
- userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
-
- tunable_policy(`user_rw_noexattrfile',`
- fs_manage_noxattr_fs_files($1_t)
- fs_manage_noxattr_fs_dirs($1_t)
- ',`
- fs_read_noxattr_fs_files($1_t)
- ')
-
optional_policy(`
postgresql_unconfined($1_t)
')
@@ -1211,6 +1327,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
+ files_create_default_dir($1)
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
@@ -1276,11 +1393,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
+ attribute user_home_type;
')
allow $1 user_home_t:filesystem associate;
files_type($1)
ubac_constrained($1)
+
+ files_poly_member($1)
+ typeattribute $1 user_home_type;
')
########################################
@@ -1391,12 +1512,13 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
+ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
files_search_home($1)
')
########################################
## <summary>
-## Search user home directories.
+## dontaudit Search user home directories.
## </summary>
## <param name="domain">
## <summary>
@@ -1429,6 +1551,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs($1)
+ ')
')
########################################
@@ -1444,9 +1574,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
+ type user_home_t;
')
dontaudit $1 user_home_dir_t:dir list_dir_perms;
+ dontaudit $1 user_home_t:dir list_dir_perms;
')
########################################
@@ -1503,6 +1635,42 @@
allow $1 user_home_dir_t:dir relabelto;
')
+
+########################################
+## <summary>
+## Relabel to user home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabelto_user_home_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ allow $1 user_home_t:file relabelto;
+')
+########################################
+## <summary>
+## Relabel user home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabel_user_home_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ allow $1 user_home_t:file { relabelto relabelfrom };
+')
+
########################################
## <summary>
## Create directories in the home dir root with
@@ -1577,6 +1745,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
+ fs_dontaudit_list_nfs($1)
+ fs_dontaudit_list_cifs($1)
')
########################################
@@ -1619,6 +1789,24 @@
########################################
## <summary>
+## Set the attributes of user home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_setattr_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ allow $1 user_home_t:file setattr;
+')
+
+########################################
+## <summary>
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
@@ -1670,6 +1858,7 @@
type user_home_dir_t, user_home_t;
')
+ list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t })
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
@@ -1686,11 +1875,11 @@
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
- type user_home_t;
+ attribute user_home_type;
')
- dontaudit $1 user_home_t:dir list_dir_perms;
- dontaudit $1 user_home_t:file read_file_perms;
+ dontaudit $1 user_home_type:dir list_dir_perms;
+ dontaudit $1 user_home_type:file read_file_perms;
')
########################################
@@ -1797,19 +1986,32 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
- type user_home_dir_t, user_home_t;
+ type user_home_dir_t;
+ attribute user_home_type;
')
files_search_home($1)
- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
- tunable_policy(`use_samba_home_dirs',`
- fs_exec_cifs_files($1)
+########################################
+## <summary>
+## Dontaudit Delete files
+## in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_delete_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
')
+
+ allow $1 user_home_t:dir delete_file_perms;
')
########################################
@@ -1844,6 +2046,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
+ attribute userhomewriter;
')
manage_files_pattern($1, user_home_t, user_home_t)
@@ -2196,6 +2399,25 @@
########################################
## <summary>
+## Do not audit attempts to write users
+## temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ dontaudit $1 user_tmp_t:file write;
+')
+
+########################################
+## <summary>
## Do not audit attempts to manage users
## temporary files.
## </summary>
@@ -2276,7 +2498,7 @@
########################################
## <summary>
## Create, read, write, and delete user
-## temporary symbolic links.
+## temporary chr files.
## </summary>
## <param name="domain">
## <summary>
@@ -2284,19 +2506,19 @@
## </summary>
## </param>
#
-interface(`userdom_manage_user_tmp_symlinks',`
+interface(`userdom_manage_user_tmp_chr_files',`
gen_require(`
type user_tmp_t;
')
- manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
########################################
## <summary>
## Create, read, write, and delete user
-## temporary named pipes.
+## temporary blk files.
## </summary>
## <param name="domain">
## <summary>
@@ -2304,19 +2526,19 @@
## </summary>
## </param>
#
-interface(`userdom_manage_user_tmp_pipes',`
+interface(`userdom_manage_user_tmp_blk_files',`
gen_require(`
type user_tmp_t;
')
- manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
+ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
########################################
## <summary>
## Create, read, write, and delete user
-## temporary named sockets.
+## temporary symbolic links.
## </summary>
## <param name="domain">
## <summary>
@@ -2324,12 +2546,52 @@
## </summary>
## </param>
#
-interface(`userdom_manage_user_tmp_sockets',`
+interface(`userdom_manage_user_tmp_symlinks',`
gen_require(`
type user_tmp_t;
')
- manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete user
+## temporary named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete user
+## temporary named sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_tmp_sockets',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
@@ -2391,7 +2653,7 @@
########################################
## <summary>
-## Read user tmpfs files.
+## Read/Write user tmpfs files.
## </summary>
## <param name="domain">
## <summary>
@@ -2399,19 +2661,21 @@
## </summary>
## </param>
#
-interface(`userdom_read_user_tmpfs_files',`
+interface(`userdom_rw_user_tmpfs_files',`
gen_require(`
type user_tmpfs_t;
')
- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
allow $1 user_tmpfs_t:dir list_dir_perms;
fs_search_tmpfs($1)
')
-########################################
+
+######################################
## <summary>
-## Read user tmpfs files.
+## Manage user tmpfs files.
## </summary>
## <param name="domain">
## <summary>
@@ -2419,15 +2683,14 @@
## </summary>
## </param>
#
-interface(`userdom_rw_user_tmpfs_files',`
+interface(`userdom_manage_user_tmpfs_files',`
gen_require(`
type user_tmpfs_t;
')
- rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
- read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
- allow $1 user_tmpfs_t:dir list_dir_perms;
- fs_search_tmpfs($1)
+ manage_dirs_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ manage_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
')
########################################
@@ -2749,7 +3012,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
- allow unpriv_userdomain $1:fifo_file rw_file_perms;
+ allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
allow unpriv_userdomain $1:process sigchld;
')
@@ -2765,11 +3028,33 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
- type user_home_dir_t, user_home_t;
+ type user_home_dir_t;
+ attribute user_home_type;
+ ')
+
+ files_list_home($1)
+ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
+ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## List users home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_list_user_home_content',`
+ gen_require(`
+ type user_home_dir_t;
+ attribute user_home_type;
')
files_list_home($1)
- allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
+ allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
')
########################################
@@ -2897,7 +3182,43 @@
type user_tmp_t;
')
- allow $1 user_tmp_t:file write_file_perms;
+ write_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+## <summary>
+## Write all inherited users files in /tmp
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_write_inherited_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ allow $1 user_tmp_t:file write;
+')
+
+########################################
+## <summary>
+## Delete all users files in /tmp
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ allow $1 user_tmp_t:file delete_file_perms;
')
########################################
@@ -2934,6 +3255,7 @@
')
read_files_pattern($1, userdomain, userdomain)
+ read_lnk_files_pattern($1,userdomain,userdomain)
kernel_search_proc($1)
')
@@ -3064,3 +3386,656 @@
allow $1 userdomain:dbus send_msg;
')
+
+########################################
+## <summary>
+## Allow apps to set rlimits on userdomain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_set_rlimitnh',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:process rlimitinh;
+')
+
+########################################
+## <summary>
+## Define this type as a Allow apps to set rlimits on userdomain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`userdom_unpriv_usertype',`
+ gen_require(`
+ attribute unpriv_userdomain, userdomain;
+ attribute $1_usertype;
+ ')
+ typeattribute $2 $1_usertype;
+ typeattribute $2 unpriv_userdomain;
+ typeattribute $2 userdomain;
+
+ ubac_constrained($2)
+')
+
+
+#######################################
+## <summary>
+## The template for creating a unprivileged user roughly
+## equivalent to a regular linux user.
+## </summary>
+## <desc>
+## <p>
+## The template for creating a unprivileged user roughly
+## equivalent to a regular linux user.
+## </p>
+## <p>
+## This template creates a user domain, types, and
+## rules for the user's tty, pty, home directories,
+## tmp, and tmpfs files.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`userdom_admin_login_user_template',`
+
+ userdom_admin_user_template($1)
+
+ domain_read_all_domains_state($1_t)
+ domain_getattr_all_domains($1_t)
+ domain_obj_id_change_exemption($1_t)
+
+ files_read_kernel_modules($1_t)
+
+ kernel_read_fs_sysctls($1_t)
+
+ modutils_read_module_config($1_t)
+ modutils_read_module_deps($1_t)
+
+ miscfiles_read_hwdata($1_t)
+
+ sudo_role_template($1, $1_r, $1_t)
+
+ seutil_run_newrole($1_t, $1_r)
+
+ optional_policy(`
+ gnomeclock_dbus_chat($1_t)
+ ')
+
+ optional_policy(`
+ kerneloops_dbus_chat($1_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat($1_usertype)
+ ')
+
+ optional_policy(`
+ setroubleshoot_stream_connect($1_t)
+ setroubleshoot_dbus_chat($1_t)
+ ')
+')
+
+########################################
+## <summary>
+## Connect to users over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_stream_connect',`
+ gen_require(`
+ type user_tmp_t;
+ attribute userdomain;
+ ')
+
+ stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain)
+')
+
+########################################
+## <summary>
+## Ptrace user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_ptrace_all_users',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:process ptrace;
+')
+
+########################################
+## <summary>
+## dontaudit Search /root
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_search_admin_dir',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## dontaudit list /root
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_list_admin_dir',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow Search /root
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_search_admin_dir',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ allow $1 admin_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## RW unpriviledged user SysV sempaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_rw_semaphores',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+## Add attrinute admin domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_admin',`
+ gen_require(`
+ attribute admin_userdomain;
+ ')
+
+ typeattribute $1 admin_userdomain;
+')
+
+########################################
+## <summary>
+## Send a message to unpriv users over a unix domain
+## datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_dgram_send',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:unix_dgram_socket sendto;
+')
+
+######################################
+## <summary>
+## Send a message to users over a unix domain
+## datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_users_dgram_send',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:unix_dgram_socket sendto;
+')
+
+#######################################
+## <summary>
+## Allow execmod on files in homedirectory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolebase/>
+#
+interface(`userdom_execmod_user_home_files',`
+ gen_require(`
+ type user_home_type;
+ ')
+
+ allow $1 user_home_type:file execmod;
+')
+
+########################################
+## <summary>
+## Read admin home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_read_admin_home_files',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ read_files_pattern($1, admin_home_t, admin_home_t)
+')
+
+########################################
+## <summary>
+## Execute admin home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_exec_admin_home_files',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ exec_files_pattern($1, admin_home_t, admin_home_t)
+')
+
+########################################
+## <summary>
+## Append files inherited
+## in the /root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_inherit_append_admin_home_files',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ allow $1 admin_home_t:file { getattr append };
+')
+
+
+#######################################
+## <summary>
+## Manage all files/directories in the homedir
+## </summary>
+## <param name="userdomain">
+## <summary>
+## The user domain
+## </summary>
+## </param>
+## <rolebase/>
+#
+interface(`userdom_manage_user_home_content',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ attribute user_home_type;
+ ')
+
+ files_list_home($1)
+ manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
+
+')
+
+
+########################################
+## <summary>
+## Create objects in a user home directory
+## with an automatic type transition to
+## the user home file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans_pattern',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ type_transition $1 user_home_dir_t:$2 user_home_t;
+')
+
+########################################
+## <summary>
+## Create objects in the /root directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`userdom_admin_home_dir_filetrans',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ filetrans_pattern($1, admin_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Send signull to unprivileged user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_signull_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:process signull;
+')
+
+########################################
+## <summary>
+## Read user tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ allow $1 user_tmpfs_t:dir list_dir_perms;
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## Write all users files in /tmp
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_write_user_tmp_dirs',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ write_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+## <summary>
+## Manage keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key manage_key_perms;
+')
+
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## unserdomain stream.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_rw_stream',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Append files
+## in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_append_user_home_content_files',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ append_files_pattern($1, user_home_t, user_home_t)
+ allow $1 user_home_dir_t:dir search_dir_perms;
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Read files inherited
+## in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_inherited_user_home_content_files',`
+ gen_require(`
+ attribute user_home_type;
+ ')
+
+ allow $1 user_home_type:file { getattr read };
+')
+
+########################################
+## <summary>
+## Append files inherited
+## in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_inherit_append_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ allow $1 user_home_t:file { getattr append };
+')
+
+########################################
+## <summary>
+## Append files inherited
+## in a user tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_inherit_append_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ allow $1 user_tmp_t:file { getattr append };
+')
+
+########################################
+## <summary>
+## Read system SSL certificates in the users homedir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_read_home_certs',`
+ gen_require(`
+ type home_cert_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 home_cert_t:dir list_dir_perms;
+ read_files_pattern($1, home_cert_t, home_cert_t)
+ read_lnk_files_pattern($1, home_cert_t, home_cert_t)
+')
+
+########################################
+## <summary>
+## dontaudit Search getatrr /root files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_getattr_admin_home_files',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:file getattr;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.5/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/userdomain.te 2009-12-21 13:07:09.000000000 -0500
@@ -8,13 +8,6 @@
## <desc>
## <p>
-## Allow users to connect to mysql
-## </p>
-## </desc>
-gen_tunable(allow_user_mysql_connect, false)
-
-## <desc>
-## <p>
## Allow users to connect to PostgreSQL
## </p>
## </desc>
@@ -29,10 +22,10 @@
## <desc>
## <p>
-## Allow users to read system messages.
+## Allow regular users direct dri device access
## </p>
## </desc>
-gen_tunable(user_dmesg, false)
+gen_tunable(user_direct_dri, false)
## <desc>
## <p>
@@ -54,11 +47,20 @@
# all user domains
attribute userdomain;
+attribute userhomereader;
+attribute userhomewriter;
+
# unprivileged user domains
attribute unpriv_userdomain;
-attribute untrusted_content_type;
-attribute untrusted_content_tmp_type;
+# unprivileged user domains
+attribute user_home_type;
+
+type admin_home_t;
+files_type(admin_home_t)
+files_associate_tmp(admin_home_t)
+fs_associate_tmpfs(admin_home_t)
+files_mountpoint(admin_home_t)
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
@@ -72,6 +74,7 @@
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
+typeattribute user_home_t user_home_type;
userdom_user_home_content(user_home_t)
fs_associate_tmpfs(user_home_t)
files_associate_tmp(user_home_t)
@@ -97,3 +100,29 @@
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
+
+type home_cert_t, user_home_type;
+files_type(home_cert_t)
+ubac_constrained(home_cert_t)
+
+tunable_policy(`allow_console_login',`
+ term_use_console(userdomain)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(userhomereader)
+ fs_read_nfs_files(userhomereader)
+ fs_read_nfs_symlinks(userhomereader)
+ fs_read_nfs_named_sockets(userhomereader)
+ fs_read_nfs_named_pipes(userhomereader)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs(userhomereader)
+ fs_read_cifs_files(userhomereader)
+ fs_read_cifs_symlinks(userhomereader)
+ fs_read_cifs_named_sockets(userhomereader)
+ fs_read_cifs_named_pipes(userhomereader)
+')
+
+allow userdomain userdomain:process signull;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.5/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/xen.if 2009-12-21 13:07:09.000000000 -0500
@@ -180,6 +180,25 @@
########################################
## <summary>
+## Connect to xm over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xen_stream_connect_xm',`
+ gen_require(`
+ type xm_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xm_t)
+')
+
+########################################
+## <summary>
## Connect to xend over an unix domain stream socket.
## </summary>
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.5/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/xen.te 2009-12-21 13:07:09.000000000 -0500
@@ -85,6 +85,7 @@
type xenconsoled_t;
type xenconsoled_exec_t;
init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
+role system_r types xenconsoled_t;
# pid files
type xenconsoled_var_run_t;
@@ -209,6 +210,7 @@
files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t, file)
files_read_usr_files(xend_t)
+files_read_default_symlinks(xend_t)
storage_raw_read_fixed_disk(xend_t)
storage_raw_write_fixed_disk(xend_t)
@@ -421,6 +423,12 @@
xen_stream_connect_xenstore(xm_t)
optional_policy(`
+ vhostmd_rw_tmpfs_files(xm_t)
+ vhostmd_stream_connect(xm_t)
+ vhostmd_dontaudit_rw_stream_connect(xm_t)
+')
+
+optional_policy(`
virt_manage_images(xm_t)
virt_stream_connect(xm_t)
')
@@ -438,6 +446,8 @@
fs_manage_xenfs_dirs(xm_ssh_t)
fs_manage_xenfs_files(xm_ssh_t)
+userdom_search_admin_dir(xm_ssh_t)
+
#Should have a boolean wrapping these
fs_list_auto_mountpoints(xend_t)
files_search_mnt(xend_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.5/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/support/obj_perm_sets.spt 2009-12-21 13:07:09.000000000 -0500
@@ -199,12 +199,14 @@
#
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
-define(`read_file_perms',`{ getattr open read lock ioctl }')
+define(`read_inherited_file_perms',`{ getattr read ioctl lock }')
+define(`read_file_perms',`{ open read_inherited_file_perms }')
define(`mmap_file_perms',`{ getattr open read execute ioctl }')
define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
define(`append_file_perms',`{ getattr open append lock ioctl }')
define(`write_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_file_perms',`{ open rw_inherited_file_perms }')
define(`create_file_perms',`{ getattr create open }')
define(`rename_file_perms',`{ getattr rename }')
define(`delete_file_perms',`{ getattr unlink }')
@@ -305,7 +307,8 @@
#
# Use (read and write) terminals
#
-define(`rw_term_perms', `{ getattr open read write ioctl }')
+define(`rw_inherited_term_perms', `{ getattr open read write ioctl append }')
+define(`rw_term_perms', `{ open rw_inherited_term_perms }')
#
# Sockets
@@ -317,3 +320,14 @@
# Keys
#
define(`manage_key_perms', `{ create link read search setattr view write } ')
+
+#
+# All
+#
+define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }
+')
+
+define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ')
+define(`all_dbus_perms', `{ acquire_svc send_msg } ')
+define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.5/policy/users
--- nsaserefpolicy/policy/users 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.5/policy/users 2009-12-21 13:07:09.000000000 -0500
@@ -6,7 +6,7 @@
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
-# Note: Identities without a prefix will not be listed
+# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
@@ -25,11 +25,8 @@
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-# Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
@@ -38,8 +35,4 @@
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
-ifdef(`direct_sysadm_daemon',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
Reference in New Issue View Git Blame Copy Permalink